Software Model Checking - PowerPoint PPT Presentation

About This Presentation
Title:

Software Model Checking

Description:

Lamport (1979): Sequential consistency semantics for correctness of ... Shared Memory Consistency Models ... Sequential Consistency (Lamport 79): Concurrent ... – PowerPoint PPT presentation

Number of Views:474
Avg rating:3.0/5.0
Slides: 45
Provided by: radug
Category:

less

Transcript and Presenter's Notes

Title: Software Model Checking


1
Software Model Checking
Rajeev Alur University of Pennsylvania
University of Edinburgh, July 2008
2
Systems Software
do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while(nPackets! nPacketsOld) KeReleaseSpinLo
ck()
  • Can Microsoft Windows version X be bug-free?
  • Millions of lines of code
  • Types of bugs that cause crashes well-known
  • Enormous effort spent on debugging/testing code
  • Certifying third-party code (e.g. device drivers)

Do lock operations, acquire and release
strictly alternate on every program execution?
3
Concurrency LibrariesExploiting concurrency
efficiently and correctly
  • dequeue(queue_t queue, value_t pvalue)
  • node_t head
  • node_t tail
  • node_t next
  • while (true)
  • head queue-gthead
  • tail queue-gttail
  • next head-gtnext
  • if (head queue-gthead)
  • if (head tail)
  • if (next 0)
  • return false
  • cas(queue-gttail, tail, next)
  • else
  • pvalue next-gtvalue
  • if (cas(queue-gthead, head, next))
  • break

Shared Memory
Can the code deadlock? Is sequential semantics
of a queue preserved? (Sequential consistency)
4
Security Checks for Java Applets
https//java.sun.com/javame/
public VectorltStringgt phoneBook public String
number public int Selected public void
sendEvent() phoneBook getPhoneBook()
selected chhoseReceiver() numberphoneBook.el
ementAt(selected) if ((numbernull)(number
)) //output error else
String message inputMessage()
sendMessage(number, message)
EventSharingMidlet from J2ME
How to certify applications for data integrity /
confidentiality ? By listening to messages, can
one infer whether a particular entry is in the
addressbook?
5
Verifier
In Search of the Holy Grail
yes/proof
software/model
correctness specification
no/bug
  • Correctness is formalized as a mathematical claim
    to be proved or falsified rigorously
  • always with respect to the given specification
  • Challenge Impossibility results for automated
    verifier
  • Verification problem is undecidable (Turing 1936)
  • Even approximate versions are computationally
    intractable (model checking is Pspace-hard)

6
1970s Proof calculi for program correctness
Key to proof Finding suitable loop invariants
BubbleSort (A array1..n of int) B A
array1..n of int for (i0 iltn i)
Permute(A,B) Sorted(Bn-i,n) for
0ltkltn-i-1 and n-iltkltn BkltBk for
(j0 jltn-i j) Permute(A,B),
Sorted(Bn-i,n, for 0ltkltn-i-1 and n-iltkltn
BkltBk for 0ltkltj Bk lt Bj if
(BjgtBj1) swap(B,j,j1) return B
BubbleSort (A array1..n of int) B A
array1..n of int for (i0 iltn i)
for (j0 jltn-i j) if
(BjgtBj1) swap(B,j,j1) return B
7
Deductive Program Verification
  • Powerful mathematical logic (e.g. first-order
    logic, Higher-order logics) needed for
    formalization
  • Great progress in decision procedures
  • Finding proof decomposition requires expertise,
    but modern tools support many built-in proof
    tactics
  • Contemporary theorem provers HOL, PVS, ACL2,
    ESC-Java, Boogie
  • In practice
  • User partially annotates the program with
    invariants, and the tool infers remaining
    invariants needed to complete the proof
  • Checks are modular (per function)
  • Success story Windows developers must add enough
    annotations to be able to prove absence of buffer
    overflow errors

8
1980s Finite-state Protocol Analysis
  • Automated analysis of finite-state protocols with
    respect to temporal logic specifications
  • Network protocols, Distributed algorithms

Specs Is there a deadlock? Does every req get
ack? Does a buffer overflow? Tools SPIN,
Murphi, CADP
9
Battling State-space Explosion
  • Analysis is basically a reachability problem in a
    HUGE graph
  • Size of graph grows exponentially as the number
    of bits required for state encoding
  • Graph is constructed only incrementally,
    on-the-fly
  • Many techniques for exploiting structure
    symmetry, data independence, hashing, partial
    order reduction
  • Great flexibility in modeling Scale down
    parameters (buffer size, number of network nodes)

State
Transition
Bad states
10
1990s Symbolic Model Checking
  • Constraint-based analysis of Boolean systems
  • Symbolic Boolean representations (propositional
    formulas, OBDDs) used to encode system dynamics
  • Success in finding high-quality bugs in hardware
    applications (VHDL/Verilog code)

Global bus
Deadlock found in cache coherency protocol
Gigamax by model checker SMV
UIC
UIC
UIC
Cluster bus
P
M
P
M
Read-shared/read-owned/write-invalid/write-shared/

11
Symbolic Reachability Problem
  • Model variables X x1, xn
  • Each var is of finite type, say, boolean
  • Initialization I(X) a formula over X e.g. (x1
    x2)
  • Update T(X,X)
  • How new vars X are related to old vars X as a
    result of executing one step of the program
    Disjunction of clauses obtained by compiling
    individual instructions e.g. (x1 x1 x1
    x2 x2 x3 x3)
  • Target set F(X) e.g. (x2 x3)
  • Computational problem
  • Can F be satisfied starting with I by repeatedly
    applying T ?
  • K-step reachability reduces to propositional
    satisfiability (SAT) Bounded Model Checking
  • I(X0) T(X0,X1) T(X1,X2) ---
    T(Xk-1,Xk) F(Xk)

12
The Story of SAT
  • Propositional Satisfiability Given a formula
    over Boolean variables, is there an assignment of
    0/1s to vars which makes the formula true
  • Canonical NP-hard problem (Cook 1971)
  • Enormous progress in tools that can solve
    instances with 1000s of variables and millions of
    clauses

1960 DP ?10 var
1996 GRASP ?1k var
1994 Hannibal ? 3k var
2002 Berkmin ?10k var
1988 SOCRATES ? 3k var
1996 Stålmarck ? 1000 var
1986 BDDs ? 100 var
2001 Chaff ?10k var
1992 GSAT ? 300 var
1962 DLL ? 10 var
1952 Quine ? 10 var
1996 SATO ?1k var
Source Malik 2004
13
2000s Model Checking of C code
  • Phase 1 Given a program P, build an abstract
    finite-state (Boolean) model A such that set of
    behaviors of P is a subset of those of A
    (conservative abstraction)
  • Phase 2 Model check A wrt specification this
    can prove P to be correct, or reveal a bug in P,
    or suggest inadequacy of A
  • Shown to be effective on Windows device drivers
    in Microsoft Research project SLAM

do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while(nPackets! nPacketsOld) KeReleaseSpinLo
ck()
Do lock operations, acquire and release,
strictly alternate on every program execution?
14
Program Abstraction
int x, y if xgt0 yx1 . else
yx1 .
bool bx, by if bx bytrue
. else bytrue,false .
15
Software Model Checking
  • Tools for verifying source code combine many
    techniques
  • Program analysis techniques such as slicing,
    range analysis
  • Abstraction
  • Model checking
  • Refinement from counter-examples
  • New challenges for model checking (beyond
    finite-state reachability analysis)
  • Recursion gives pushdown control
  • Pointers, dynamic creation of objects,
    inheritence.
  • A very active and emerging research area
  • Abstraction-based tools SLAM, BLAST,
  • Direct state encoding F-SOFT, CBMC, CheckFence

16
Coming Up
  • CheckFence Project at Penn
  • Concurrent Executions on Relaxed Memory Models
  • Analysis tool for Concurrent Data Types
  • Joint work with Sebastian Burckhardt and Milo
    Martin
  • Not covered How to check that a Java midlet does
    not leak user-specified secrets (Ongoing work
    with Pavol Cerny)

17
Challenge Exploiting Concurrency, Correctly
18
Concurrency on Multiprocessors
Initially x y 0
thread 1 x 1 y 1
thread 2 r1 y r2 x
Standard Interleavings
x 1 y 1 r1 y r2 x r1r21
x 1 r1 y y 1 r2 x r10,r21
x 1 r1 y r2 x y 1 r10,r21
r1 y x 1 y 1 r2 x r10,r21
r1 y x 1 r2 x y 1 r10,r21
r1 y r2 x x 1 y 1 r1r20
Can we conclude that if r1 1 then r2 must be 1 ?
No! On real multiprocessors, possible to have
r11 and r20
19
Architectures with Weak Memory Models
  • A modern multiprocessor does not enforce global
    ordering of all instructions for performance
    reasons
  • Lamport (1979) Sequential consistency semantics
    for correctness of multiprocessor shared memory
    (like interleaving)
  • Considered too limiting, and many relaxations
    proposed
  • In theory TSO, RMO, Relaxed
  • In practice Alpha, Intel IA-32, IBM 370, Sun
    SPARC, PowerPC

cache
Main Memory
20
Concurrency in TheoryCCS (1978)
Concurrency in PracticeIntel (2007)
CCS Syntax P e a.P PP PP P\a CCS
Operational Semantics (sample rules) a.P -a-gt
P P a-gt P P -a-gt P PQ a-gt PQ
QP -a-gt QP P a-gt P Q a-gt Q PQ
t-gt PQ
Intel 64 memory ordering obeys following
principles 1. Loads are not reordered with other
loads 2. Stores are not reordered with other
stores 3. Stores are not reordered with older
loads 4. Loads may be reordered with older stores
to different locations but not with older stores
to same locations 4 more rules Illustrative
examples
21
Programming with Weak Memory Models
  • Concurrent programming is already hard, shouldnt
    the effects of weaker models be hidden from the
    programmer?
  • Mostly yes
  • Safe programming using extensive use of
    synchronization primitives
  • Use locks for every access to shared data
  • Compilers use memory fences to enforce ordering
  • Not always
  • Non-blocking data structures
  • Highly optimized library code for concurrency
  • Code for lock/unlock instructions
  • OS code managing process queues etc.

22
Non-blocking Queue (MS96)
  • boolean_t dequeue(queue_t queue, value_t
    pvalue)
  • node_t head
  • node_t tail
  • node_t next
  • while (true)
  • head queue-gthead
  • tail queue-gttail
  • next head-gtnext
  • if (head queue-gthead)
  • if (head tail)
  • if (next 0)
  • return false
  • cas(queue-gttail, (uint32) tail, (uint32)
    next)
  • else
  • pvalue next-gtvalue
  • if (cas(queue-gthead, (uint32) head,
    (uint32) next))
  • break

Queue is being possibly updated concurrently
head
tail
Atomic compare-and-swap for synchronization
23
Simple Usable by programmers
  • Programs (multi-threaded)

Application level concurrency model
System-level code Concurrency libraries
Architecture-aware Concurrency Analysis
Architecture level concurrency model
Highly parallel hardware -- multicores, SoCs
Complex Efficient use of parallelism
24
Software Model Checking for Concurrent Code on
Multiprocessors
  • Why? Real bugs in real code
  • Opportunities
  • 10s100s lines of low-level library C code
  • Hard to design and verify -gt buggy
  • Effects of weak memory models, fences
  • Challenges
  • Lots of behaviors possible high level of
    concurrency
  • How to formalize and reason about weak memory
    models?

25
Shared Memory Consistency Models
  • Specifies restrictions on what values a read from
    shared memory can return
  • Program Order x ltp y if x and y are instructions
    belonging to the same thread and x appears before
    y
  • Sequential Consistency (Lamport 79) Concurrent
    execution is correct if there exists a global
    order lt of all accesses such that
  • If x ltp y then x lt y
  • Each load returns value of most recent, according
    to lt, store to the same location (or initial
    value, if no such store exists)
  • Clean abstraction for programmers, but high
    implementation cost

26
Effect of Memory Model
Initially flag1 flag2 0
  • Ensures mutual exclusion if architecture supports
    SC memory
  • Most architectures do not enforce ordering of
    accesses to different memory locations
  • Does not ensure mutual exclusion under weaker
    models
  • Ordering can be enforced using fence
    instructions
  • Insert MEMBAR between lines 1 and 2 to ensure
    mutual exclusion

thread 2
thread 1
1. flag1 1 2. if (flag2 0) crit. sect.
1. flag2 1 2. if (flag1 0) crit. sect.
27
Weak Memory Models
  • A large variety of models exist a good starting
    point
  • Shared Memory Consistency Models A tutorial
  • IEEE Computer 96, Adve Gharachorloo
  • How to relax memory order requirement?
  • Operations of same thread to different locations
    need not be globally ordered
  • How to relax write atomicity requirement?
  • Read may return value of a write not yet globally
    visible
  • Uniprocessor semantics preserved
  • Typically defined in architecture manuals (e.g.
    SPARC manual)

28
Which Memory Model should a Verifier use?
RMO
PSO
TSO
390
SC
IA-32
Alpha
Relaxed
29
Formalization of Relaxed
  • Program Order x ltp y if x and y are instructions
    belonging to the same thread and x appears before
    y
  • Concurrent execution over a set X of accesses is
    correct wrt Relaxed if there exists a total order
    lt over X such that
  • If x ltp y, and both x and y are accesses to the
    same address, and y is a store, then x lt y must
    hold
  • For a load l and a store s visible to l, either s
    and l have same value, or there exists another
    store s visible to l with s lt s
  • A store s is visible to load l if they are to the
    same address and either s lt l or s ltp l
  • Constraint-based specification that can be easily
    encoded in logical formulas

30
Pass all executions of the test are
observationally equivalent to a serial
execution Fail
Inconclusive runs out of time or memory
31
How To Bound Executions
  • Verify individual symbolic tests
  • finite number of concurrent threads
  • finite number of operations/thread
  • nondeterministic input values
  • Example
  • User creates suite of tests of increasing size

32
Why Symbolic Test Programs?
  • 1) Make everything finite
  • State is unbounded (dynamic memory
    allocation)... is bounded for individual test
  • Checking sequential consistency is undecidable
    (AMP 96)... is decidable for individual test
  • 2) Gives us finite instruction sequence to work
    with
  • State space too large for interleaved system
    model .... can directly encode value flow
    between instructions
  • Memory model specified by axioms .... can
    directly encode ordering axioms on instructions

33
Tool Architecture
C code
Memory model
Symbolic Test
Symbolic test gives exponentially many
executions (symbolic inputs, dynamic memory
allocation, ordering of instructions). CheckFence
solves for incorrect executions.
34
construct CNF formula whose solutions correspond
precisely to the concurrent executions
C code
Memory model
Symbolic Test
Symbolic Test
automatic, lazyloop unrolling
automatic specification mining (enumerate correct
observations)
35
Specification Mining
Possible Operation-level Interleavings
enqueue(X) enqueue(Y) dequeue() -gt Z
enqueue(X) dequeue() -gt Z enqueue(Y)
dequeue() -gt Z enqueue(X) enqueue(Y)
For each interleaving, obtain symbolic constraint
by encoding corresponding executions in SAT
solver Spec is disjunction of all
possibilities Spec (ZX) (Znull)
To find bugs, check satisfiability of Phi
Spec where Phi encodes all possible concurrent
executions
36
Encoding Memory Order
thread 1
thread 2
s1 store s2 store
l1 load l2 load
  • Variables for encoding
  • Use boolean vars for relative order (xlty) of
    memory accesses
  • Use bitvector variables Ax and Dx for address and
    data values associated with memory access x
  • Encode constraints
  • encode transitivity of memory order
  • encode ordering axioms of the memory
    modelExample (for SC) (s1lts2) (l1ltl2)
  • encode value flow Loaded value must match last
    value stored to same addressExample value must
    flow from s1 to l1 under following
    conditions((s1ltl1)(As1 Al1)((s2lts1)(l1lts2)
    (As2 ! Al1))) -gt (Ds1 Dl1)

37
Example Memory Model Bug
head
  • Processor 1
  • links new node into list

Processor 1 reorders the stores! memory accesses
happen in order 1 2 3
adding a fence between lines on left side
prevents reordering
38
Algorithms Analyzed
Type Description LOC Source
Queue Two-lock queue 80 M. Michael and L. Scott (PODC 1996)
Queue Non-blocking queue 98 M. Michael and L. Scott (PODC 1996)
Set Lazy list-based set 141 Heller et al. (OPODIS 2005)
Set Nonblocking list 174 T. Harris (DISC 2001)
Deque snark algorithm 159 D. Detlefs et al. (DISC 2000)
LL/VL/SC CAS-based 74 M. Moir (PODC 1997)
LL/VL/SC Bounded Tags 198 M. Moir (PODC 1997)
39
Results
  • snark algorithm has 2 known bugs
  • lazy list-based set had a unknown bug(missing
    initialization missed by formal correctness
    proof CAV 2006 because of hand-translation of
    pseudocode)

40
Results
41
Typical Tool Performance
  • Very efficient on small testcases (lt 100 memory
    accesses)Example (nonblocking queue) T0 i (e
    d) T1 i (e e d d )- find
    counterexamples within a few seconds- verify
    within a few minutes- enough to cover all 9
    fences in nonblocking queue
  • Slows down with increasing number of memory
    accesses in testExample (snark deque)Dq
    pop_l pop_l pop_r pop_r push_l push_l
    push_r push_r
  • - has 134 memory accesses (77 loads, 57
    stores)- Dq finds second snark bug within 1
    hour
  • Does not scale past 300 memory accesses

42
CheckFence Summary
  • Software model checking of low-level concurrent
    software requires encoding of memory models
  • Challenge for model checking due to high level of
    concurrency and axiomatic specifications
  • Opportunity to find bugs in library code thats
    hard to design and verify
  • CheckFence project at Penn
  • SAT-based bounded model checking for concurrent
    data types
  • Bugs in real code with fences

43
Ongoing Research
  • Whats the best way to verify C code (on relaxed
    memory models)?
  • SAT-based encoding seems suitable to capture
    specifications of memory models, but many
    opportunities for improvement
  • Can one develop abstract operational abstract
    models for multiprocessor architectures?
  • Proof methods for relaxed memory models
  • Hardware support for transactional memory
  • Current interest in industry and architecture
    research
  • Can formal verification influence
    designs/standards?

44
SoftwareModel Checker
yes/proof
software/model
correctness specification
no/bug
  • Impressive progress on an intractable problem
  • Device drivers
  • Concurrency libraries
  • Buffer overflows in OS
  • Network protocols
  • Academic research with industrial impact
  • Ingredients for success
  • SAT almost feasible
  • Logic Algorithms Tools
  • Focus on specific problems
  • Scalability not necessary
  • Flexibility in setting up the problem
  • Unmet challenge Lack of robustness of tools -gt
    lot of user expertise needed
Write a Comment
User Comments (0)
About PowerShow.com