A Widening Approach to Multithreaded Program Verification

Pthread-style multithreaded programs feature rich thread communication mechanisms, such as shared variables, signals, and broadcasts. In this article, we consider the automated verification of such programs where an unknown number of threads execute a given finite-data procedure in parallel. Such procedures are typically obtained as predicate abstractions of recursion-free source code written in C or Java. Many safety problems over finite-data replicated multithreaded programs are decidable via a reduction to the coverability problem in certain types of well-ordered infinite-state transition systems. On the other hand, in full generality, this problem is Ackermann-hard, which seems to rule out efficient algorithmic treatment. We present a novel, sound, and complete yet empirically efficient solution. Our approach is to judiciously widen the original set of coverability targets by configurations that involve fewer threads and are thus easier to decide, and whose exploration may well be sufficient: if they turn out uncoverable, so are the original targets. To soften the impact of “bad guesses”—configurations that turn out coverable—the exploration is accompanied by a parallel engine that generates coverable configurations; none of these is ever selected for widening. Its job being merely to prevent bad widening choices, such an engine need not be complete for coverability analysis, which enables a range of existing partial (e.g., nonterminating) techniques. We present extensive experiments on multithreaded C programs, including device driver code from FreeBSD, Solaris, and Linux distributions. Our approach outperforms existing coverability methods by orders of magnitude.
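The widening scheme the abstract describes, as an added illustration that is not the paper's code: a constructed lock protocol under counter abstraction (a constant-size thread state, an unbounded thread count), a standard backward coverability check over minimal bases, and a partial forward engine whose only job is to stop the widening step from picking a target that is already known to be coverable. The protocol, the rule encoding and all function names are assumptions made for this example.

```python
# Constructed example, not the paper's code: a lock protocol as a replicated finite-state thread
# system. Shared variable: 0 = lock free, 1 = held. Local states: 0 idle, 1 waiting, 2 critical.
# A config is (shared, thread counts per local state); order: same shared, counts componentwise <=.
RULES = [(0, 0, 0, 1),   # (shared, local) -> (shared', local'): idle -> waiting
         (0, 1, 1, 2),   # waiting, lock free -> critical, take lock
         (1, 2, 0, 0)]   # critical -> idle, release lock
NLOCAL = 3

def leq(a, b):
    return a[0] == b[0] and all(x <= y for x, y in zip(a[1], b[1]))
def pred_basis(m):  # minimal elements of pre(up(m)) for one-thread rules
    s2, c2 = m
    return {(s, tuple(v + (i == l) - (i == tl and v > 0) for i, v in enumerate(c2)))
            for s, l, ts, tl in RULES if ts == s2}

def coverable(target):  # backward coverability: saturate the minimal basis of pre*(up(target))
    basis, work = {target}, [target]
    while work:
        m = work.pop()
        if m[0] == 0 and not any(m[1][1:]):  # an initial config (lock free, only idle threads) covers m
            return True
        for p in pred_basis(m):
            if not any(leq(b, p) for b in basis):
                basis = {b for b in basis if not leq(p, b)} | {p}
                work.append(p)
    return False

def forward_reach(nthreads):  # partial forward engine: exact reachability for a fixed thread count
    seen = {(0, (nthreads,) + (0,) * (NLOCAL - 1))}  # incomplete for coverability in general,
    work = list(seen)                                 # but every config it returns is coverable
    while work:
        s, c = work.pop()
        for rs, l, ts, tl in RULES:
            if rs == s and c[l] > 0:
                n = (ts, tuple(v - (i == l) + (i == tl) for i, v in enumerate(c)))
                if n not in seen:
                    seen.add(n); work.append(n)
    return seen

def widen(target):  # drop one thread: each candidate lies below target, so if it is uncoverable so is target
    return [(target[0], tuple(v - (i == l) for i, v in enumerate(target[1])))
            for l in range(NLOCAL) if target[1][l] > 0]
def check(target, nthreads=2):  # returns (coverable, settled_by_widening)
    known = forward_reach(nthreads)
    for cand in widen(target):
        if any(leq(cand, r) for r in known):
            continue  # bad guess: the forward engine already shows it coverable, never widen to it
        if not coverable(cand):
            return False, True
    return coverable(target), False
```

With this protocol, `check((0, (0, 0, 2)))` is settled by the one-thread widened target alone, while `check((1, (0, 0, 2)))` shows the widened candidate being rejected as a bad guess and the original target decided directly.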
