Software Model Checking - PowerPoint PPT Presentation


PPT – Software Model Checking PowerPoint presentation | free to download - id: 8f819-MjNiZ


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Software Model Checking


Lamport (1979): Sequential consistency semantics for correctness of ... Shared Memory Consistency Models ... Sequential Consistency (Lamport 79): Concurrent ... – PowerPoint PPT presentation

Number of Views:416
Avg rating:3.0/5.0
Slides: 45
Provided by: radug
Learn more at:


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Software Model Checking

Software Model Checking
Rajeev Alur University of Pennsylvania
University of Edinburgh, July 2008
Systems Software
do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while(nPackets! nPacketsOld) KeReleaseSpinLo
  • Can Microsoft Windows version X be bug-free?
  • Millions of lines of code
  • Types of bugs that cause crashes well-known
  • Enormous effort spent on debugging/testing code
  • Certifying third-party code (e.g. device drivers)

Do lock operations, acquire and release
strictly alternate on every program execution?
Concurrency Libraries Exploiting concurrency
efficiently and correctly
  • dequeue(queue_t queue, value_t pvalue)
  • node_t head
  • node_t tail
  • node_t next
  • while (true)
  • head queue-gthead
  • tail queue-gttail
  • next head-gtnext
  • if (head queue-gthead)
  • if (head tail)
  • if (next 0)
  • return false
  • cas(queue-gttail, tail, next)
  • else
  • pvalue next-gtvalue
  • if (cas(queue-gthead, head, next))
  • break

Shared Memory
Can the code deadlock? Is sequential semantics
of a queue preserved? (Sequential consistency)
Security Checks for Java Applets
public VectorltStringgt phoneBook public String
number public int Selected public void
sendEvent() phoneBook getPhoneBook()
selected chhoseReceiver() numberphoneBook.el
ementAt(selected) if ((numbernull)(number
)) //output error else
String message inputMessage()
sendMessage(number, message)
EventSharingMidlet from J2ME
How to certify applications for data integrity /
confidentiality ? By listening to messages, can
one infer whether a particular entry is in the
In Search of the Holy Grail…
correctness specification
  • Correctness is formalized as a mathematical claim
    to be proved or falsified rigorously
  • always with respect to the given specification
  • Challenge Impossibility results for automated
  • Verification problem is undecidable (Turing 1936)
  • Even approximate versions are computationally
    intractable (model checking is Pspace-hard)

1970s Proof calculi for program correctness
Key to proof Finding suitable loop invariants
BubbleSort (A array1..n of int) B A
array1..n of int for (i0 iltn i)
Permute(A,B) Sorted(Bn-i,n) for
0ltkltn-i-1 and n-iltkltn BkltBk for
(j0 jltn-i j) Permute(A,B),
Sorted(Bn-i,n, for 0ltkltn-i-1 and n-iltkltn
BkltBk for 0ltkltj Bk lt Bj if
(BjgtBj1) swap(B,j,j1) return B
BubbleSort (A array1..n of int) B A
array1..n of int for (i0 iltn i)
for (j0 jltn-i j) if
(BjgtBj1) swap(B,j,j1) return B
Deductive Program Verification
  • Powerful mathematical logic (e.g. first-order
    logic, Higher-order logics) needed for
  • Great progress in decision procedures
  • Finding proof decomposition requires expertise,
    but modern tools support many built-in proof
  • Contemporary theorem provers HOL, PVS, ACL2,
    ESC-Java, Boogie
  • In practice …
  • User partially annotates the program with
    invariants, and the tool infers remaining
    invariants needed to complete the proof
  • Checks are modular (per function)
  • Success story Windows developers must add enough
    annotations to be able to prove absence of buffer
    overflow errors

1980s Finite-state Protocol Analysis
  • Automated analysis of finite-state protocols with
    respect to temporal logic specifications
  • Network protocols, Distributed algorithms

Specs Is there a deadlock? Does every req get
ack? Does a buffer overflow? Tools SPIN,
Murphi, CADP…
Battling State-space Explosion
  • Analysis is basically a reachability problem in a
    HUGE graph
  • Size of graph grows exponentially as the number
    of bits required for state encoding
  • Graph is constructed only incrementally,
  • Many techniques for exploiting structure
    symmetry, data independence, hashing, partial
    order reduction …
  • Great flexibility in modeling Scale down
    parameters (buffer size, number of network nodes…)

Bad states
1990s Symbolic Model Checking
  • Constraint-based analysis of Boolean systems
  • Symbolic Boolean representations (propositional
    formulas, OBDDs) used to encode system dynamics
  • Success in finding high-quality bugs in hardware
    applications (VHDL/Verilog code)

Global bus
Deadlock found in cache coherency protocol
Gigamax by model checker SMV
Cluster bus
Symbolic Reachability Problem
  • Model variables X x1, … xn
  • Each var is of finite type, say, boolean
  • Initialization I(X) a formula over X e.g. (x1
  • Update T(X,X)
  • How new vars X are related to old vars X as a
    result of executing one step of the program
    Disjunction of clauses obtained by compiling
    individual instructions e.g. (x1 x1 x1
    x2 x2 x3 x3)
  • Target set F(X) e.g. (x2 x3)
  • Computational problem
  • Can F be satisfied starting with I by repeatedly
    applying T ?
  • K-step reachability reduces to propositional
    satisfiability (SAT) Bounded Model Checking
  • I(X0) T(X0,X1) T(X1,X2) ---
    T(Xk-1,Xk) F(Xk)

The Story of SAT
  • Propositional Satisfiability Given a formula
    over Boolean variables, is there an assignment of
    0/1s to vars which makes the formula true
  • Canonical NP-hard problem (Cook 1971)
  • Enormous progress in tools that can solve
    instances with 1000s of variables and millions of

1960 DP ?10 var
1996 GRASP ?1k var
1994 Hannibal ? 3k var
2002 Berkmin ?10k var
1988 SOCRATES ? 3k var
1996 Stålmarck ? 1000 var
1986 BDDs ? 100 var
2001 Chaff ?10k var
1992 GSAT ? 300 var
1962 DLL ? 10 var
1952 Quine ? 10 var
1996 SATO ?1k var
Source Malik 2004
2000s Model Checking of C code
  • Phase 1 Given a program P, build an abstract
    finite-state (Boolean) model A such that set of
    behaviors of P is a subset of those of A
    (conservative abstraction)
  • Phase 2 Model check A wrt specification this
    can prove P to be correct, or reveal a bug in P,
    or suggest inadequacy of A
  • Shown to be effective on Windows device drivers
    in Microsoft Research project SLAM

do KeAcquireSpinLock() nPacketsOld
nPackets if(request) request
request-gtNext KeReleaseSpinLock() nPackets
while(nPackets! nPacketsOld) KeReleaseSpinLo
Do lock operations, acquire and release,
strictly alternate on every program execution?
Program Abstraction
int x, y if xgt0 ………… yx1 ………. else
………… yx1 ……….
bool bx, by if bx ………… bytrue
………. else ………… bytrue,false ……….
Software Model Checking
  • Tools for verifying source code combine many
  • Program analysis techniques such as slicing,
    range analysis
  • Abstraction
  • Model checking
  • Refinement from counter-examples
  • New challenges for model checking (beyond
    finite-state reachability analysis)
  • Recursion gives pushdown control
  • Pointers, dynamic creation of objects,
  • A very active and emerging research area
  • Abstraction-based tools SLAM, BLAST,…
  • Direct state encoding F-SOFT, CBMC, CheckFence…

Coming Up …
  • CheckFence Project at Penn
  • Concurrent Executions on Relaxed Memory Models
  • Analysis tool for Concurrent Data Types
  • Joint work with Sebastian Burckhardt and Milo
  • Not covered How to check that a Java midlet does
    not leak user-specified secrets (Ongoing work
    with Pavol Cerny)

Challenge Exploiting Concurrency, Correctly
Concurrency on Multiprocessors
Initially x y 0
thread 1 x 1 y 1
thread 2 r1 y r2 x
Standard Interleavings
x 1 y 1 r1 y r2 x r1r21
x 1 r1 y y 1 r2 x r10,r21
x 1 r1 y r2 x y 1 r10,r21
r1 y x 1 y 1 r2 x r10,r21
r1 y x 1 r2 x y 1 r10,r21
r1 y r2 x x 1 y 1 r1r20
Can we conclude that if r1 1 then r2 must be 1 ?
No! On real multiprocessors, possible to have
r11 and r20
Architectures with Weak Memory Models
  • A modern multiprocessor does not enforce global
    ordering of all instructions for performance
  • Lamport (1979) Sequential consistency semantics
    for correctness of multiprocessor shared memory
    (like interleaving)
  • Considered too limiting, and many relaxations
  • In theory TSO, RMO, Relaxed …
  • In practice Alpha, Intel IA-32, IBM 370, Sun
    SPARC, PowerPC …

Main Memory
Concurrency in Theory CCS (1978)
Concurrency in Practice Intel (2007)
CCS Syntax P e a.P PP PP P\a CCS
Operational Semantics (sample rules) a.P -a-gt
P P a-gt P P -a-gt P PQ a-gt PQ
QP -a-gt QP P a-gt P Q a-gt Q PQ
t-gt PQ
Intel 64 memory ordering obeys following
principles 1. Loads are not reordered with other
loads 2. Stores are not reordered with other
stores 3. Stores are not reordered with older
loads 4. Loads may be reordered with older stores
to different locations but not with older stores
to same locations 4 more rules Illustrative
Programming with Weak Memory Models
  • Concurrent programming is already hard, shouldnt
    the effects of weaker models be hidden from the
  • Mostly yes …
  • Safe programming using extensive use of
    synchronization primitives
  • Use locks for every access to shared data
  • Compilers use memory fences to enforce ordering
  • Not always …
  • Non-blocking data structures
  • Highly optimized library code for concurrency
  • Code for lock/unlock instructions
  • OS code managing process queues etc.

Non-blocking Queue (MS96)
  • boolean_t dequeue(queue_t queue, value_t
  • node_t head
  • node_t tail
  • node_t next
  • while (true)
  • head queue-gthead
  • tail queue-gttail
  • next head-gtnext
  • if (head queue-gthead)
  • if (head tail)
  • if (next 0)
  • return false
  • cas(queue-gttail, (uint32) tail, (uint32)
  • else
  • pvalue next-gtvalue
  • if (cas(queue-gthead, (uint32) head,
    (uint32) next))
  • break

Queue is being possibly updated concurrently
Atomic compare-and-swap for synchronization
Simple Usable by programmers
  • Programs (multi-threaded)

Application level concurrency model
System-level code Concurrency libraries
Architecture-aware Concurrency Analysis
Architecture level concurrency model
Highly parallel hardware -- multicores, SoCs
Complex Efficient use of parallelism
Software Model Checking for Concurrent Code on
  • Why? Real bugs in real code
  • Opportunities
  • 10s100s lines of low-level library C code
  • Hard to design and verify -gt buggy
  • Effects of weak memory models, fences …
  • Challenges
  • Lots of behaviors possible high level of
  • How to formalize and reason about weak memory

Shared Memory Consistency Models
  • Specifies restrictions on what values a read from
    shared memory can return
  • Program Order x ltp y if x and y are instructions
    belonging to the same thread and x appears before
  • Sequential Consistency (Lamport 79) Concurrent
    execution is correct if there exists a global
    order lt of all accesses such that
  • If x ltp y then x lt y
  • Each load returns value of most recent, according
    to lt, store to the same location (or initial
    value, if no such store exists)
  • Clean abstraction for programmers, but high
    implementation cost

Effect of Memory Model
Initially flag1 flag2 0
  • Ensures mutual exclusion if architecture supports
    SC memory
  • Most architectures do not enforce ordering of
    accesses to different memory locations
  • Does not ensure mutual exclusion under weaker
  • Ordering can be enforced using fence
  • Insert MEMBAR between lines 1 and 2 to ensure
    mutual exclusion

thread 2
thread 1
1. flag1 1 2. if (flag2 0) crit. sect.
1. flag2 1 2. if (flag1 0) crit. sect.
Weak Memory Models
  • A large variety of models exist a good starting
  • Shared Memory Consistency Models A tutorial
  • IEEE Computer 96, Adve Gharachorloo
  • How to relax memory order requirement?
  • Operations of same thread to different locations
    need not be globally ordered
  • How to relax write atomicity requirement?
  • Read may return value of a write not yet globally
  • Uniprocessor semantics preserved
  • Typically defined in architecture manuals (e.g.
    SPARC manual)

Which Memory Model should a Verifier use?
Formalization of Relaxed
  • Program Order x ltp y if x and y are instructions
    belonging to the same thread and x appears before
  • Concurrent execution over a set X of accesses is
    correct wrt Relaxed if there exists a total order
    lt over X such that
  • If x ltp y, and both x and y are accesses to the
    same address, and y is a store, then x lt y must
  • For a load l and a store s visible to l, either s
    and l have same value, or there exists another
    store s visible to l with s lt s
  • A store s is visible to load l if they are to the
    same address and either s lt l or s ltp l
  • Constraint-based specification that can be easily
    encoded in logical formulas

Pass all executions of the test are
observationally equivalent to a serial
execution Fail
Inconclusive runs out of time or memory
How To Bound Executions
  • Verify individual symbolic tests
  • finite number of concurrent threads
  • finite number of operations/thread
  • nondeterministic input values
  • Example
  • User creates suite of tests of increasing size

Why Symbolic Test Programs?
  • 1) Make everything finite
  • State is unbounded (dynamic memory
    allocation) ... is bounded for individual test
  • Checking sequential consistency is undecidable
    (AMP 96) ... is decidable for individual test
  • 2) Gives us finite instruction sequence to work
  • State space too large for interleaved system
    model .... can directly encode value flow
    between instructions
  • Memory model specified by axioms .... can
    directly encode ordering axioms on instructions

Tool Architecture
C code
Memory model
Symbolic Test
Symbolic test gives exponentially many
executions (symbolic inputs, dynamic memory
allocation, ordering of instructions). CheckFence
solves for incorrect executions.
construct CNF formula whose solutions correspond
precisely to the concurrent executions
C code
Memory model
Symbolic Test
Symbolic Test
automatic, lazy loop unrolling
automatic specification mining (enumerate correct
Specification Mining
Possible Operation-level Interleavings
enqueue(X) enqueue(Y) dequeue() -gt Z
enqueue(X) dequeue() -gt Z enqueue(Y)
dequeue() -gt Z enqueue(X) enqueue(Y)
For each interleaving, obtain symbolic constraint
by encoding corresponding executions in SAT
solver Spec is disjunction of all
possibilities Spec (ZX) (Znull)
To find bugs, check satisfiability of Phi
Spec where Phi encodes all possible concurrent
Encoding Memory Order
thread 1
thread 2
s1 store s2 store
l1 load l2 load
  • Variables for encoding
  • Use boolean vars for relative order (xlty) of
    memory accesses
  • Use bitvector variables Ax and Dx for address and
    data values associated with memory access x
  • Encode constraints
  • encode transitivity of memory order
  • encode ordering axioms of the memory
    model Example (for SC) (s1lts2) (l1ltl2)
  • encode value flow Loaded value must match last
    value stored to same address Example value must
    flow from s1 to l1 under following
    conditions ((s1ltl1)(As1 Al1)((s2lts1)(l1lts2)
    (As2 ! Al1))) -gt (Ds1 Dl1)

Example Memory Model Bug
  • Processor 1
  • links new node into list

Processor 1 reorders the stores! memory accesses
happen in order 1 2 3
adding a fence between lines on left side
prevents reordering
Algorithms Analyzed
  • snark algorithm has 2 known bugs
  • lazy list-based set had a unknown bug (missing
    initialization missed by formal correctness
    proof CAV 2006 because of hand-translation of

Typical Tool Performance
  • Very efficient on small testcases (lt 100 memory
    accesses) Example (nonblocking queue) T0 i (e
    d) T1 i (e e d d ) - find
    counterexamples within a few seconds - verify
    within a few minutes - enough to cover all 9
    fences in nonblocking queue
  • Slows down with increasing number of memory
    accesses in test Example (snark deque) Dq
    pop_l pop_l pop_r pop_r push_l push_l
    push_r push_r
  • - has 134 memory accesses (77 loads, 57
    stores) - Dq finds second snark bug within 1
  • Does not scale past 300 memory accesses

CheckFence Summary
  • Software model checking of low-level concurrent
    software requires encoding of memory models
  • Challenge for model checking due to high level of
    concurrency and axiomatic specifications
  • Opportunity to find bugs in library code thats
    hard to design and verify
  • CheckFence project at Penn
  • SAT-based bounded model checking for concurrent
    data types
  • Bugs in real code with fences

Ongoing Research
  • Whats the best way to verify C code (on relaxed
    memory models)?
  • SAT-based encoding seems suitable to capture
    specifications of memory models, but many
    opportunities for improvement
  • Can one develop abstract operational abstract
    models for multiprocessor architectures?
  • Proof methods for relaxed memory models
  • Hardware support for transactional memory
  • Current interest in industry and architecture
  • Can formal verification influence

Software Model Checker
correctness specification
  • Impressive progress on an intractable problem
  • Device drivers
  • Concurrency libraries
  • Buffer overflows in OS
  • Network protocols …
  • Academic research with industrial impact
  • Ingredients for success
  • SAT almost feasible
  • Logic Algorithms Tools
  • Focus on specific problems
  • Scalability not necessary
  • Flexibility in setting up the problem
  • Unmet challenge Lack of robustness of tools -gt
    lot of user expertise needed