symmetry-aware predicate abstraction for shared-variable concurrent programs

Symmetry-Aware Predicate Abstraction for Shared-

Variable Concurrent Programs

Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl

Computer Science Department, Oxford University, United Kingdom

Limor Goldberg

15.4.2012

Outline

Introduction Symmetry-Aware Predicate Abstraction Symmetry-Aware Predicate Abstraction

with aliasing Closing the CEGAR Loop Experimental results Conclusion

Introduction

Introduction

Overview Predicate Abstraction Example Uses of predicate abstraction Naïve solution

Overview

Enables applying finite- state model checkers to programs written in mainstream languages

The use of predicate abstraction till now

Goal: present an application of PA to shared variable concurrent

software

• Overview• Predicate Abstraction• Example• Uses of predicate abstraction• Naïve solution

Overview

A symmetry aware predicate abstraction: Consider the replicated structure of a C

program consists of many threads Generate a boolean program


Predicate Abstraction

Predicate: A first order atomic formula over variables V

Examples: x+y<z2, x=5

Let Þ be a program and let φ be an ACTL* formula,AP = {P1,….,Pk} ,includes:• Atoms(φ), the set of predicates appearing in φ• Some of the conditions in control statements in




The abstract states: {B1,…,Bk} when each predicate Pj is associated with a boolean

variable Bj

The Abstraction mapping h: h(s)=

ˆ 0,1 kS

States label: • A concrete state labeled with all the

predicates it satisfied.

• An abstract states labeled with predicate the corresponding bit is 1 in that state.

Example:



• let be a program with variable x,y and a single transition x:=x+1.

• AP={P1,P2,P3} where:• P1 = ( x 1 )• P2 = ( x>y )• P3 = ( y=2 )

Some of the labels are:• L((0,0)) = L((1,1)) = L((0,1)) = {P1} • L((0,2)) = L((1,2)) = {P1, P3}• L((2,0)) = {P2}

Example


Example



• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )

• S = {s, t} • s(x) = s(y) = 0• t(x) = 1, t(y) = 2

• L(s) = {P1} , L(t) = {P1, P3}

Example



• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )

• {0,1}3 .• We define the abstraction mapping h:

• h((0,0)) = h((1,1)) = h((0,1)) = (1,0,0)• h((0,2)) = h((1,2)) = (1,0,1)• h((2,0)) = {P2} = (0,1,0)

Example



• AP={P1,P2,P3} where: P1 = ( x 1 ) , P2 = ( x>y ) , P3 = ( y=2 )• S = {s, t} : s(x) = s(y) = 0 , t(x) = 1, t(y) = 2• L(s) = {P1} , L(t) = {P1, P3}

• the abstraction mapping h:• h(s) = (1,0,0), h(t) = (1,0,1).

• ( ) = (1,0,0) = L(s) = {P1} • ( ) = (1,0,1) = L(t) = {P1, P3}

Example


1 2 3 1 2 3

1 1 2 2 3 3

1 1 2 2 3 3

ˆ , , , ', ', '

, , ,, , ', ' ' 1 '

', ' ' ', ' ' ', ' '

R B B B B B B

P x y B P x y B P x y Bx y x y x x y y

P x y B P x y B P x y B

(1,1)

(2,1)

(1,0,0)

(0,1,0)

⇔

• Example:• For (1,0,0) and (0,1,0) :

• They are in iff exist x,y,x’,y’ which satisfied the formula above.

• We can see that (1,1) and (2,1) provide all we need

Uses of predicate abstraction


Predicate abstraction introduces as a way of dealing with data state explosion

It turns C programs into finite state boolean programs which can be model checked

Analyzing sequential software: In the SLAM project at Microsoft, using this

approach, was able to discover numerous control-dominated errors in low level operating system code.



The bottleneck of PA in shared variable concurrent programs: the exponential dependence of the generate state

apace on the number of running threads.

Solution – exploit symmetry



Our goal is a scheme that:

Translate a non-recursive C program with global scope and procedure scope into a Boolean program

The n-thread Boolean program (n), shell soundly overapproximates the n-thread C program (n)

Such an abstraction method called – symmetry aware Permits predicates over arbitrary C programs variables,

local or global.



We present program as code fragments that declare shred and local variables.

such code is to be understood as a procedure to be executed by any number of threads

The code can declare shared variables – declared at the global scope (the complete program)

Can declare local variables (within the procedure)

Naïve solution


Since the program B is executed by parallel threads its variables have to be partitioned into “shared” and “local” .

The “shared” and “local” attribute of B’s variables depend on the attributes of P’s variables a predicate is formulated over.

Definition:- A local predicate refers solely to a local C program variables- A shared predicate refers solely to a shared C program

variables- A mixed predicate is neither local nor shared.

Naïve solution


Definition:- A local predicate refers solely to a local C program variables- A shared predicate refers solely to a shared C program variables- A mixed predicate is neither local nor shared.

Example to mix predicate:let s and l be a shared and local variables

respectively.b is a boolean corresponding to the predicate: s !=

l Thus b is a mix variable

Naïve solution


The decision whether a mix predicate should be track in the shared or local space in the Boolean program is non-obvious.

Example: local variable b track the mix predicate s != l

: :

shared int s = 0;local int l = 1;assert s != l;++s;

local bool b = 1;

assert b;b = b ? * : 1 ;

Naïve solution


: :

What’s the problem?

Consider the program 2 : we can see that execute this program can lead to an assertion violation.But, the corresponding concurrent Boolean program 2 is correct. 2 is an unsound abstraction for 2

shared int s = 0;local int l = 1;assert s != l;++s;

local bool b = 1;

assert b;b = b ? * : 1 ;

Naïve solution


So, we’ll try to track a mix predicate with a shared Boolean variable:

Example: shared variable b tracks the mix predicate s == l

: :

shared int s = 0;shared bool t = 0;local int l = 0;If * then if t then assert s != l;l = s + 1;t = 1;

shared bool b = 1;shared bool t = 0;

If * then if t then assert ! b;b = 0;t = 1;

Naïve solution


: :

Still, we have the same problem!

2 is an unsound abstraction for ’2

shared int s = 0;shared bool t = 0;local int l = 0;If * then if t then assert s != l;l = s + 1;t = 1;

shared bool b = 1;shared bool t = 0;

If * then if t then assert ! b;b = 0;t = 1;

Naïve solution


The unsoundness can be eliminated by making b local in .

But, an analogous reasoning removes the unsoundness in as abstraction to .

Conclusion: a predicate of the form s == l that genuinely depends on s and l cannot be tracked by a shared or a local variable

The assertion in this program cannotcannot be violated

We can prove that over a set od nonmixed predicates, no invariant is computable that is strong enoughto prove s == l.

Naïve solution


0: shared int s = 0;1: shared int r = 0;2: local int l = 0;3: ++r;4: if ( r == 1 ) then5: ++s; ++l;6: assert s == l;7: goto 5

Naïve solution


Solution:

• Instantiate the template n times into programs {1, . . ., n}

• Every predicate refers to local variables instantiated n times

Naïve solution - summarize


Mixed predicate as local Make unsound abstraction

Mixed predicate as shared Make unsound abstraction

Use only shared or local predicate Cannot verify a simple bug-free program

Instantiate the template as the number of threads The program is no longer symmetric – cause state explosion Symmetry oblivious – will not scale beyond a very small

number of threads

Symmetry Aware Predicate Abstraction


Definitions Mixed predicate and notify all updates Implementing Notify-All updates The predicate abstraction algorithm

Definitions VS : a set of shared variables VL : a set of local variables Loc() = {v: v occurs in } affects(v, ) = variable v affects must_notify(v, ) = the shared variable v

affects the mixed predicate A predicate i is :

shared iff Loc(i) VS local iff Loc(i) VL mixed iff Loc(i)VSand Loc(i)VL

• Definitions• Mixed predicate• Notify All implementation• The algorithm

Let be a program defined over a set of variables V = VS VL

The parallel execution of by n threads is a program defined over VS and n copies of VL .

• No aliasing • Assignment to v cannot modify another variable

but v• An expression depends only on the variables

occurring in it


Mix predicates and Notify-All updates

Let E = {1, … , m} be a set of predicates over .

{b1, … , bm} is the Boolean variables in program .

bi tracks over predicate i .

We partition the boolean variables:bi is shared if i is shared.otherwise, bi is local.



We have noticed that mixed predicate are tracked in local variables

Why?

Declaring bi shared would lose information,

declaring it local doesn’t – though, it is insufficient to guarantee a sound abstraction. This is a problem we can solve!



Each statement in is translated into a corresponding statement in

Handling assignments:consider an assignment to variable v in and a

Boolean variable b of with associated predicate :- First we check affects (v, )

- if it evaluates to false – b does not change- otherwise, code needs to be generated to update b.



We need to consider three different update of b:

1. Shared update - v and are both shared :

we generate code to update b according to the

(*)standard sequential predicate abstraction rule.



2. Local update - v is local and is local or mixed:

the value of b changes only for the active thread.



3. Notify-All update - v is shared and is mixed:

the mixed predicate is tracked by local variable b.1. We generate code to update b locally (like in previous cases)2. We notify all passive threads about the modification of shared

variable v (and they will update their local copy of b)

this formula evaluates to true exactly when its necessary to notify passive threads of an update to v


_ , , S Lmust notif y v aff ects v v V Loc V

Weakest precondition

For a statement st and a predicate WP(st , ) is the weakest predicate whose truth before s

entails the truth of after st terminates.

For example: WP (x=x+1 , x<5) = (x<4)


Weakest preconditionStatement st occurs between program points p and p’. is a predicate in E with corresponding boolean b.

it is safe to assign b:=true between p and p’ if the boolean variable , b’ , corresponding to WP(st, ) is true at point p.

But , what happened if WP(st, ) isn’t in E ?


Weakest preconditionExample:

E = {(x<5) , (x=2) }we have seen that WP(x=x+1,x<5) = x<4but x<4 is not in E.

In that case we need to strengthen the WP to an expression over the predicated in E.

(x = 2) (x<4)if (x=2) is true before x:=x+1, then x<5 is true afterwards


Weakest preconditionExample:

E = {(x<5) , (x=2) }we have seen that WP(x=x+1,x<5) = x<4but x<4 is not in E.

In that case we need to strengthen the WP to an expression over the predicated in E.

(x = 2) (x<4)if (x=2) is true before x:=x+1, then x<5 is true afterwards

(WP(st, )) the strengthens of WP.


Weakest precondition(*) sequential predicate abstraction:

Given a set E = {1, … , m} of predicates tracked by variable {b1, … , bm} , assignment statement st is translated into the following code, for each i {1,…,m}:

if (WP(st, i)) then bi = 1else if (WP(st,i)) then bi = 0else bi = *


Weakest preconditionFor example: : (l<10) tracked by b,

E={} , st: (++l)

( WP(st, ) ) = ( l < 9 ) = false( WP(st, ) ) = ( l 9) = l 10 =

So, according to the previous formula:b = ( b ? * : 0 )


Weakest precondition

In general, the formula is often abbreviated using the assignment:

bi = choose (( WP(st, i) ) , ( WP(st, i) ) )

Where choose (x,y) return 1 if x evaluates to true, 0 if x y evaluates to true * otherwise


Implementing Notify-All updates

If must_notify( v, ) evaluated to true tracked in by a local boolean , b.

Predicate abstracting an assignment of the form v = is implemented using two assignments.

(1) b = choose (( WP(st, ) ) , ( WP(st, ) ) )(2) [b] = choose (( WP(st, []) ) , ( WP(st, ]) ) )



[b] stands for the copy of local variable b owned by some passive thread

Similarly, [] stands for the expression defining predicate , but with every local variable occurring in the expression replaced by the copy owned by the passive thread



(1) b = choose (( WP(st, ) ) , ( WP(st, ) ) )(2) [b] = choose (( WP(st, []) ) , ( WP(st, ]) ) )

Example:Statement: (s = l) shared and local variableMixed predicate, : (s == l)

The code generated for this is:b = true[b] = choose (( WP(s=l, s==[l]) ) , ( WP(s=l, (s==[l]) ) ))

[b] = choose ((l==[l]) , ( WP(s=l, (l==[l]) ) ))


The Algorithm


𝒢 (𝜙 )=¬ℱ (¬ (𝜙 ))

The Algorithm


Indexes of all the predicate that that effected by v

The Algorithm


When v is shared, indexes of mixed predicate s.t the corresponding boolean predicate is local and needs to be updated separately


with Aliasing

Symmetry Aware Predicate Abstraction with

Aliasing

Assumptions Definitions The algorithm

Assumptions We don’t consider programs where a shared pointer

variable, or pointer variable local to thread i, can point to a variable local to thread j (when i j).

When p is a local variable of type int*, and predicate :(*p ==1), is local if p can never point to a shared variable, otherwise, is classed as mixed.

We have a black box pointer alias analysis for concurrent programs. For a program over variable v, it yields the relation d VxV for each program location d.

• Assumptions• Definitions• The algorithm

Definitions For v,w V, if vdw then v doesn’t point to w at d. loc(,d) = the set of variables that it may be necessary to

access in order to evaluate expression in point d. loc(z, d) = for a constant value z loc(v, d) = {v} loc(&v, d) = loc v, d) = {v} {loc( w,d) | v d w}

Loc() = loc(,d) targets(x,d) = the set of variables that may be modified by

writing to l-value x at program point d. targets(v, d) = {v} targets(*v, d) = {w V | v d w}


Predicate Abstraction Algorithm with Aliasing

We define predicate to be shared local or mixed with respect to alias information with the new definition of Loc.

Without pointers we defined affects(v, ) = (v Loc() ) indicate that updating v may affect the truth of .

with pointers this definition is not sufficient.the truth of may be affected by assigning to l-value x

if some variable that depends on points to x.

Now: affects(x, , d) = (target(x,d) loc(, d) )


must_notify Again, we need to determine whether an update affects

the truth of a predicate only for the threads executing the update, or for all threads.

We need to define must_notify like we did without aliasing.


must_notify – first try The previous definition (without aliasing) was:

So, we can try to adapt it to this situation with the new definitions:

_ , , S Lmust notif y v aff ects v v V Loc V

_ , , , ,arg , S L

must notif y x d aff ects x d

t ets x d V Loc V


must_notify – first trySuppose we have the following variables:

• shared s, t• local l• local pointer p

s.t : p d t and p d l• : ( s < l )

Consider an assignment to *p at point d:The only shared variable that can be modified is t, and the truth of doesn’t depend on it.


must_notify – second trySecond Try

Meaning: is mixed and , and exists variable v that may changed as a results of writing to x at point d, and one must access v to evaluate .

The predicate abstraction algorithm can now be adapted to handle pointers

_ , , arg , S

L

must notif y x d t ets x d V Loc

Loc V


The Algorithm


The CEGAR loop

The CEGAR Loop

Reminder Adept CEGAR loop to handle concurrency

Remainder

Th is not spuriouscheck spuriouscounterexample

Th

stop

Mh |=

generatecounterexample Th

Mh |= model check

Mh

generate initialabstraction

M and

refinement

This spurious

• Remainder• CEGAR loop with concurrency

spuriouscounterexample

x1

x2

y1

y2

X Y

Considering the counterexample Y X Y :This path exists only in the abstract model


Remainder

Th is not spuriouscheck spuriouscounterexample

Th

stop

Mh |=

generatecounterexample Th

Mh |= model check

Mh

generate initialabstraction

M and

refinement

This spurious


Adept CEGAR loop to handle concurrency

Model checking boolean broadcast program

Simulation

Refinement


Model checking boolean broadcast program

We can no longer use existing concurrent Boolean program model checkers such as Boom (*).

A prototype extension of Boom which called B-Boom can overcome the problem that the new syntax and semantics for broadcasts created.

B-Boom extends the capabilities of Boom to support broadcast operations.


Simulation

The existing SATABS simulator: extracts the control flow from the trace Mapped it back to the original C program Translate it into a propositional formulaThe error is spurious exactly if the formula is unsatisfiable

For concurrent case the control flow information of an abstract trace includes which thread executes actively in each steps.

An extended version of the SATABS create a trace over a replicated C program which can be checked using SAT


Refinement

The implementation performs refinement by extracting new predicates from counterexample via WP calculations.


Experimental results

Experimental results

Symmetry-aware vs. Symmetry oblivious

Sound abstraction vs. unsound abstraction

Symmetry awarevs.

Symmetry oblivious Reminder:

SOPA: an n-thread symmetric concurrent program expanded so that variables for all threads are

explicitly duplicated and n copies of all non-shared predicate are generated.

Sound Absvs.

Unsound AbsReminder:

we saw Unsound Abstraction in the two naïve solutions to the mixed predicate problem.

symmetry-aware predicate abstraction for shared-variable concurrent programs

Documents

use of predicate abstraction

abstract state

abs state

finite state boolean

given concrete state

data state explosion

c programs

finite state model checkers