Thread-Modular Abstraction Refinement

We present an algorithm called Tar (“Thread-modular Abstraction Refinement”) for model checking safety properties of concurrent software. The Tar algorithm uses thread-modular assume-guarantee reasoning to overcome the exponential complexity in the control state of multithreaded programs. Thread modularity means that Tar explores the state space of one thread at a time, making assumptions about how the environment can interfere. The Tar algorithm uses counterexample-guided predicate-abstraction refinement to overcome the usually infinite complexity in the data state of C programs. A successive approximation scheme automatically infers the necessary precision on data variables as well as suitable environment assumptions. The scheme is novel in that transition relations are approximated from above, while at the same time environment assumptions are approximated from below. In our software verification tool Blast we have implemented a fully automatic race checker for multithreaded C programs which is based on the Tar algorithm. This tool has verified a wide variety of commonly used locking idioms, including locking schemes that are not amenable to existing dynamic and static race checkers such as Eraser or Warlock.

[1]  Stephen N. Freund,et al.  Detecting race conditions in large programs , 2001, PASTE '01.

[2]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[3]  Sriram K. Rajamani,et al.  The SLAM project: debugging system software via static analysis , 2002, POPL '02.

[4]  Hassen Saïdi,et al.  Construction of Abstract State Graphs with PVS , 1997, CAV.

[5]  Sanjit A. Seshia,et al.  A Modular Checker for Multithreaded Programs , 2002, CAV.

[6]  Cormac Flanagan,et al.  Thread-Modular Model Checking , 2003, SPIN.

[7]  Thomas A. Henzinger,et al.  Reactive Modules , 1999, Formal Methods Syst. Des..

[8]  Gerard J. Holzmann,et al.  The SPIN Model Checker , 2003 .

[9]  Stephen N. Freund,et al.  Thread-Modular Verification for Shared-Memory Programs , 2002, ESOP.

[10]  Gerard J. Holzmann,et al.  Logic Verification of ANSI-C Code with SPIN , 2000, SPIN.

[11]  Martin C. Rinard,et al.  A parameterized type system for race-free Java programs , 2001, OOPSLA '01.

[12]  Martín Abadi,et al.  Conjoining specifications , 1995, TOPL.

[13]  Alon Itai,et al.  Timing Verification by Successive Approximation , 1992, CAV.

[14]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[15]  Matthew B. Dwyer,et al.  Bandera: extracting finite-state models from Java source code , 2000, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[16]  Nicholas Sterling,et al.  WARLOCK - A Static Data Race Analysis Tool , 1993, USENIX Winter.

[17]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[18]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[19]  Klaus Havelund,et al.  Model checking JAVA programs using JAVA PathFinder , 2000, International Journal on Software Tools for Technology Transfer.

[20]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[21]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..