slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA PowerPoint Presentation
Download Presentation
Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA

Loading in 2 Seconds...

play fullscreen
1 / 29

Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA - PowerPoint PPT Presentation


  • 308 Views
  • Uploaded on

Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA. The Goal: Check Multithreaded C Code. /* Peterson's algorithm (adapted from Wikipedia) ‏ */ static int sh_f0, sh_f1, sh_last; void * run_thread0 () {

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Model Checking Multithreaded C Code with SPIN Anna Zaks & Rajeev Joshi SPIN 2008 10 August, Los Angeles, USA' - johana


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Model Checking Multithreaded C Code with SPIN

Anna Zaks & Rajeev Joshi

SPIN 2008

10 August, Los Angeles, USA

the goal check multithreaded c code
Checking Multithreaded C CodeThe Goal: Check Multithreaded C Code

/* Peterson's algorithm (adapted from Wikipedia)‏ */

static int sh_f0, sh_f1, sh_last;

void * run_thread0 () {

struct pa_desc d;d.f0 = &sh_f0;

d.f1 = &sh_f1;

d.last = 1;

for (;;) {

*(d.f0)=1;

sh_last=d.last ;

while (*(d.f1)==1 && (last==d.last)) {

; /* busy wait */

}

/* critical section */ d.f0=0;

}

}

bool turn, flag[2];

active proctype run_thread0 () {

again:

flag[0] = 1;

turn = 1;

(flag[1] == 0 || turn == 0) ->

/* busy wait */

/* critical section */

flag[0] = 0;

goto again;

}...

express design as a PROMELA model

Limitations

  • need to redo manual translation whenever implementation changes
  • the absence of errors in the design does not guarantee that the implementation (the executable) is error free
model driven verification
Checking Multithreaded C CodeModel-Driven Verification

Embed C code within PROMELA - C code is executed by SPIN during search

static int sh_f0, sh_f1, sh_last;

void * run_thread0 () {

struct pa_desc d;d.f0 = &sh_f0;

d.f1 = &sh_f1;

d.last = 1;

for (;;) {

*(d.f0)=1;

sh_last=d.last ;

while (*(d.f1)==1 && (last==d.last)) {

; /* busy wait */

}

/* critical section */ d.f0=0;

}

}

c_decl {

extern void * run_thread0 (void *);

extern void * run_thread1 (void *);

} ;

...active proctype main() { init() ; do :: choose(thread0) -> c_code {run_thread0 (); } :: choose(thread1) -> c_code {run_thread1 (); } ... od}

  • Main drawback:
  • Not useful for verification of multithreaded C programs
  • Need to explore the interleavings within the function

Ref: Model-Driven Software Verification, G.J.Holzmann & R.Joshi, SPIN 2004

our solution introducing pancam
Checking Multithreaded C CodeOur Solution – Introducing pancam

Build pancam interpreter that can be embedded within an existing model checker

pancam inherits all SPIN optimizations and future enhancements:

  • bit-state verification
  • hash compression
  • multi-core checking

pancam does not rely on any customization of SPIN

the llvm compiler infrastructure
Checking Multithreaded C CodeThe LLVM Compiler Infrastructure

pancam interprets optimized LLVM bytecode (a typed bytecode language)

catches errors that manifest themselves only after the optimization phase

/* Peterson's algorithm (adapted from Wikipedia)‏ */

static volatileint sh_f0, sh_f1, sh_last;

void * run_thread0 () {

struct pa_desc d;d.f0 = &sh_f0;

d.f1 = &sh_f1;

d.last = 1;

for (;;) {

*(d.f0)=1;

sh_last=d.last ;

while (*(d.f1)==1 && (sh_last==d.last)) {

; /* busy wait */

}

/* critical section */ d.f0=0;

}}

Ref:LLVM compiler (originated from University of Illinois Urbana-Champaign), http://llvm.org

the pancam checker
Checking Multithreaded C CodeThe pancam Checker

Spin

(pan.c)

take_step (thread_id, granularity, &state)

pancam

SPIN orchestrates the state space search

- decides which thread to execute next

- stores visited states in the hash

- restores to the previous step during DFS backtracking

pancam computes the transition by code interpretation

- can execute any number of instructions of a specific thread

- can check predicates at any point

&state

spin m odel for pancam
Checking Multithreaded C CodeSpin Model for pancam
  • active proctype main() {
  • c_code { pancam_init(“petersons.bc”);
  • init_thread(0, “run_thread0”);
  • init_thread(1, “run_thread1”);
  • };
  • do
  • :: c_expr { is_enabled(0)} -> c_code { take_step(0);}
  • :: c_expr { is_enabled(1)} -> c_code { take_step(1);}
  • od
  • }
program state cs n
Checking Multithreaded C CodeProgram State cs[N]

enabled

global

state

system

heap

FREE

program

stack

c_track “cs” “N” “Matched”;

active proctype main() {

c_code { pancam_init(“petersons.bc”);

init_thread(0, “run_thread0”);

init_thread(1, “run_thread1”);

};

do

:: c_expr { is_enabled(0)} -> c_code { take_step(0);}

:: c_expr { is_enabled(1)} -> c_code { take_step(1);}

od

}

addressing state space explosion
Checking Multithreaded C CodeAddressing State Space Explosion

Three Strategies

  • support user-defined abstraction functions
  • use context-bounded checking
  • do on-the-fly partial-order reduction
user defined abstractions
Checking Multithreaded C CodeUser Defined Abstractions

enabled

global

state

system

heap

FREE

program

stack

user

defined

Concrete State cs[N]

Abstract Stateas[K]

asis populated through the user defined function compute_abst(void *as)

  • cs is stored on Spin’s stack, which is used for DFS backtracking
  • as is used for state hashing

c_track “cs” “N” “UnMatched”;

c_track “as” “K” “Matched”;

context bounded checking
Checking Multithreaded C CodeContext-Bounded Checking

Enforce upper bound on number of allowed preemptivecontext-switches

  • a switch from p to q is preemptive provided p is enabled
  • explore state space exhaustively with increasingly larger bounds
  • works well in practice - most concurrency bugs can be triggered with a small number of switches

Ref:Iterative context bounding for systematic testing of multithreaded programs,

M. Musuvathi, S. Qadeer, POPL 2007

pancam implementation of context b ounding
Checking Multithreaded C Codepancam Implementation of Context Bounding
  • Implemented as an optional extension
    • requires no modification to Spin
on the fly partial order r eduction
Checking Multithreaded C CodeOn-the-fly Partial-order Reduction

take_step (th_id, s)

Spin

pancam

  • pancam “transitions” have no structure :

c_code { take_step (th_id, s); }

Spin’s traditional partial-order reduction doesn’t apply

    • even if we modified Spin, computing independence relation is too hard
  • Shift the burden to pancam by
    • increasing the granularity of a “pancam step”
    • hiding unnecessary states from Spin

s’

on the fly partial order r eduction1
Checking Multithreaded C CodeOn-the-fly Partial-order Reduction

take_step (th_id, s)

Spin

pancam

  • pancam “transitions” have no structure :

c_code { take_step (th_id, s); }

Spin’s traditional partial-order reduction doesn’t apply

    • even if we modified Spin, computing independence relation is too hard
  • Shift the burden to pancam by
    • increasing the granularity of a “pancam step”
    • hiding unnecessary states from Spin
  • Example
    • execute a thread until it accesses a global variable or the shared heap
    • Can we do better?

s’

superstep reduction key ideas
Checking Multithreaded C CodeSuperstep Reduction: Key Ideas

S

2

  • Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s

1

superstep reduction key ideas1
Checking Multithreaded C CodeSuperstep Reduction: Key Ideas

S

2

  • Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s
  • Each selected path is replaced with a single superstep transition

1

superstep reduction key ideas2
Checking Multithreaded C CodeSuperstep Reduction: Key Ideas

S

2

  • Unlike classical POR, which considers subsets of enabled transitions from state s, we consider subsets of enabled finite paths from s
  • Each selected path is replaced with a single superstep transition
  • The conflicts (dependencies) are computed dynamically

1

superstep requirments
Checking Multithreaded C CodeSuperstep Requirments

Compute superstep ifor each enabled thread i

  • a superstep is finite and nonempty
  • only the last transition in a superstepmay conflict with transitions in other supersteps
  • only the last transition of a superstepcan be visible

From these, we can show thatsuperstep reduction is sound and complete for checking any LTL property without the next-time operator

Can be seen as an extension of the Cartesian partial-order reduction to LTL

Ref:Cartesian partial-order reduction, G. Gueta, C. Flanagan, E. Yahav, M. Sagiv, SPIN 2007

efficient dfs implementation
Checking Multithreaded C CodeEfficient DFS Implementation
  • DFS is essential for liveness support
  • Precomputing the supersteps leads to run time overhead
  • Supersteps are computed on-the-fly using a scheme that maintains bookkeeping information across Spin backtracking steps
  • no modification to SPIN is required
other related work
Checking Multithreaded C CodeOther Related Work
  • Modex tool extracts PROMELA models from C implementations

A practical method for verifying event-driven software, G. Holzmann, M. Smith, SE1999

  • Java Pathfinder integrates model checking with the virtual machine

Model checking programs, W. Visser, K. Havelund, G. Brat, S. Park, F. Lerda, ASE 2003

  • VeriSoft [God97] and Inspect [YCGK07] tools are state-less model checkers for C

Model checking for programming languages using VeriSoft, P. Godefroid, POPL 1997

Dynamic partial-order reduction for model checking software, C. Flanagan, P. Godefroid, POPL 2005

  • CHESS model checker for concurrent C code checks for livelocks

Fair stateless model checking, M. Musuvathi, S. Qadeer, PLDI 2008

  • CMC explicit-state model checking requires manual translation from C

A pragmatic approach to model checking real code, M. Musuvathi, et al., OSDI 2002

  • In CodeSurfer tool, program analysis is applied to a model constructed from an executable

Wysinwyx : What you see is not what you execute, G. Balakrishnan, et al., VSTTE 2005

summary
Checking Multithreaded C CodeSummary
  • First version of pancam completed
    • implements abstraction support, context-bounding, superstep reduction
    • applied to several small programs (~200 lines of C)
    • applied to an inter-process communication module (~2800 lines of C)
    • fixed bug in Wikipedia implementation of Peterson’s protocol
    • extended the tool to support liveness properties
  • Ongoing work
    • reduce the size of a concrete state
    • combine superstep reduction with static POR
    • make some conservative approximations to reduce overhead of POR
    • reduce run time overhead
cap sets

S

2

1



Cap Sets
  • Unlike classical POR, which looks at subsets of enabled transitions from state s, we look at subsets of enabled finite paths from s
  • Given a state s, choose Cap(s) - a subset of finite prefixes of paths from s:

:   paths from s : ( ,  :  Cap(s)  ext():   )

reduced system
Reduced System
  • Given a transition state graph M = S, T, S0, L
  • The reduced graphM‘ = S, T’, S0, L,such that

T’ = { s  :sS, Cap(s) } , where s  is a superstep transition summarizing execution of path 

  • If M and M' are stuttering equivalent, for any LTL formulaAf without the next time operator, and every initial state s:

s╞Af in M if and only if s╞Af in M'

independence requirement

r’

r

Independence Requirement

[:   paths from s : ( ,  :  Cap(s)  ext():  ); let = ]

Independence Requirement:

transitions of   are independent from 

  •      is enabled at s, and results in the same state as 
  • then choose =  

s

  

visibility requirement

r’

r

Visibility Requirement

[ have to show that(  )(    )]

Visibility Requirement:

bothandhave the same visible transition and at most one is allowed

  • All states on the paths  and   can be partitioned into two sets Seq and Req:
    • s’Seq: L(s) = L(s’)
    • r’Req: L(r) = L(r’)

L(s)

L(s)

s

L(r)



L(r)

visibility requirement1

r’

r

Visibility Requirement

[ have to show that(  )( s   )]

Visibility Requirement:

bothandhave the same visible transition and at most one is allowed

  • All states on the paths  and   can be partitioned into two sets Seq and Req:
    • s’Seq: L(s) = L(s’)
    • r’Req: L(r) = L(r’)
  • No need to show the intermediate states
  • Path  is substituted by one superstep transition

L(s)

s

s

L(r)



L(r)