Verifying Concurrent Message-Passing C Programs with Recursive Calls

We consider the model-checking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce the reachability problem for this model to deciding the emptiness of the intersection of two context-free languages L1 and L2. We tackle this undecidable problem using a CounterExample Guided Abstraction Refinement (CEGAR) scheme. We implemented our technique in the model checker MAGIC and found a previously unknown bug in a version of a Windows NT Bluetooth driver.
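To make the reduction in the abstract concrete, here is an added illustration (not the paper's MAGIC implementation, which is not reproduced on this page): two constructed pushdown components synchronize on a shared action alphabet, and a bounded explicit-state search of their synchronous product stands in for the language-intersection argument. Any synchronizing-action sequence the search returns is a word in the language of both components, i.e. a witness that the intersection of L1 and L2 is non-empty for the chosen target; the depth and step bounds are what keep this toy decidable, and the paper's CEGAR refinement loop is deliberately left out. The lock, the driver procedure and all rule, state and function names are hypothetical.

```python
from collections import deque

TAU = "tau"  # internal step, taken by one component alone
ANY = "*"    # wildcard: the rule fires whatever the top of the stack is


class Pushdown:
    """One component of a communicating pushdown system (constructed model).

    A rule (state, top, label, new_state, push) rewrites the top stack symbol
    into the symbols in `push` (leftmost ends up on top) while moving the
    control state; `label` is TAU or the name of a synchronizing action.
    """

    def __init__(self, name, init_state, init_stack, rules):
        self.name = name
        self.init = (init_state, tuple(init_stack))
        self.rules = rules

    def steps(self, state, stack):
        """Yield (label, new_state, new_stack) for every enabled rule."""
        top = stack[0] if stack else None
        for s, t, label, s2, push in self.rules:
            if s != state:
                continue
            if t == ANY:
                yield label, s2, tuple(push) + stack
            elif t == top:
                yield label, s2, tuple(push) + stack[1:]


def reachable(comp_a, comp_b, is_target, max_depth=6, max_steps=40):
    """Bounded BFS over the synchronous product; returns a trace or None.

    TAU steps interleave freely; any other label must be taken by both
    components at once, so the non-TAU labels of a returned trace form a
    word accepted by both components' languages.
    """
    start = (comp_a.init, comp_b.init)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (ca, cb), trace = queue.popleft()
        if is_target(ca, cb):
            return trace
        if len(trace) >= max_steps:
            continue
        succ = []
        for lab, s, st in comp_a.steps(*ca):
            if lab == TAU:
                succ.append(((s, st), cb, TAU + "@" + comp_a.name))
        for lab, s, st in comp_b.steps(*cb):
            if lab == TAU:
                succ.append((ca, (s, st), TAU + "@" + comp_b.name))
        for la, sa, sta in comp_a.steps(*ca):
            if la == TAU:
                continue
            for lb, sb, stb in comp_b.steps(*cb):
                if lb == la:  # both components perform the action together
                    succ.append(((sa, sta), (sb, stb), la))
        for na, nb, lab in succ:
            if len(na[1]) > max_depth or len(nb[1]) > max_depth:
                continue  # stack bound keeps the state space finite
            if (na, nb) not in seen:
                seen.add((na, nb))
                queue.append(((na, nb), trace + [lab]))
    return None


# Constructed lock component: a second acq while the lock is held is the error.
LOCK = Pushdown("lock", "U", (), [
    ("U", ANY, "acq", "L", ()),
    ("L", ANY, "rel", "U", ()),
    ("L", ANY, "acq", "ERR", ()),   # double acquire
])

# Constructed driver procedure f: acq; if (*) f(); rel;  (call inside the critical section)
BUGGY_DRIVER = Pushdown("driver", "f0", ("Z",), [
    ("f0", ANY, "acq", "f1", ()),
    ("f1", ANY, TAU, "f0", ("ret",)),   # recursive call: push the return address
    ("f1", ANY, "rel", "f3", ()),       # or skip the call
    ("f3", "ret", TAU, "f2", ()),       # return: pop the return address
    ("f2", ANY, "rel", "f3", ()),
])

# Same procedure with the recursive call moved after the release: acq; rel; if (*) f();
FIXED_DRIVER = Pushdown("driver", "g0", ("Z",), [
    ("g0", ANY, "acq", "g1", ()),
    ("g1", ANY, "rel", "g2", ()),
    ("g2", ANY, TAU, "g0", ("ret",)),
    ("g2", "ret", TAU, "g2", ()),
])


def lock_error(driver_conf, lock_conf):
    return lock_conf[0] == "ERR"


def check(driver):
    """Trace of synchronizing actions reaching the lock error, or None."""
    return reachable(driver, LOCK, lock_error)


if __name__ == "__main__":
    print("buggy driver:", check(BUGGY_DRIVER))   # ['acq', 'tau@driver', 'acq']
    print("fixed driver:", check(FIXED_DRIVER))   # None
```

For the buggy driver the search returns the double-acquire witness (acquire, recursive call, acquire again), whose synchronizing actions `acq acq` lie in both the driver's and the lock's language; for the fixed driver no error configuration exists within the bounds. Raising `max_depth` only enlarges the finite product that is explored, which is exactly the kind of abstraction the paper's refinement loop drives automatically rather than by hand.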
