Model Checking Multithreaded C Code with SPIN

1
Model Checking Multithreaded C Code with
SPIN Anna Zaks Rajeev Joshi SPIN
2008 10 August, Los Angeles, USA
2
The Goal Check Multithreaded C Code
/ Peterson's algorithm (adapted from Wikipedia)?
/ static int sh_f0, sh_f1, sh_last void
run_thread0 () struct pa_desc d d.f0
sh_f0 d.f1 sh_f1 d.last 1
for () (d.f0)1 sh_lastd.last
while ((d.f1)1 (lastd.last))
/ busy wait / / critical
section / d.f00
bool turn, flag2 active proctype run_thread0
() again flag0 1 turn 1
(flag1 0 turn 0) -gt
/ busy wait / / critical section /
flag0 0 goto again ...
express design as a PROMELA model

• Limitations
• need to redo manual translation whenever
  implementation changes
• the absence of errors in the design does not
  guarantee that the implementation (the
  executable) is error free

3
Model-Driven Verification
Embed C code within PROMELA - C code is executed
by SPIN during search
static int sh_f0, sh_f1, sh_last void
run_thread0 () struct pa_desc d d.f0
sh_f0 d.f1 sh_f1 d.last 1
for () (d.f0)1 sh_lastd.last
while ((d.f1)1 (lastd.last))
/ busy wait / / critical
section / d.f00
c_decl extern void run_thread0 (void )
extern void run_thread1 (void )
...active proctype main() init()
do choose(thread0) -gt c_code run_thread0
() choose(thread1) -gt c_code
run_thread1 () ... od

• Main drawback
• Not useful for verification of multithreaded C
  programs
• Need to explore the interleavings within the
  function

Ref Model-Driven Software Verification,
G.J.Holzmann R.Joshi, SPIN 2004
4
Our Solution Introducing pancam

• Build pancam interpreter that can be embedded
  within an existing model checker
• pancam inherits all SPIN optimizations and future
  enhancements
• bit-state verification
• hash compression
• multi-core checking
• pancam does not rely on any customization of SPIN

5
The LLVM Compiler Infrastructure

• pancam interprets optimized LLVM bytecode (a
  typed bytecode language)
• catches errors that manifest themselves only
  after the optimization phase

/ Peterson's algorithm (adapted from Wikipedia)?
/ static volatile int sh_f0, sh_f1, sh_last
void run_thread0 () struct pa_desc d
d.f0 sh_f0 d.f1 sh_f1 d.last
1 for () (d.f0)1
sh_lastd.last while ((d.f1)1
(sh_lastd.last)) / busy wait /
/ critical section /
d.f00
Ref LLVM compiler (originated from University of
Illinois Urbana-Champaign), http//llvm.org
6
The pancam Checker
Spin (pan.c)
take_step (thread_id, granularity, state)
pancam
state

• SPIN orchestrates the state space search
• - decides which thread to execute next
• - stores visited states in the hash
• - restores to the previous step during DFS
  backtracking
• pancam computes the transition by code
  interpretation
• - can execute any number of instructions of a
  specific thread
• - can check predicates at any point

7
Spin Model for pancam
active proctype main() c_code
pancam_init(petersons.bc)
init_thread(0, run_thread0)
init_thread(1, run_thread1) do
c_expr is_enabled(0) -gt c_code
take_step(0) c_expr is_enabled(1)
-gt c_code take_step(1) od
8
Program State csN
global state
system heap
program stack
FREE
enabled
c_track cs N Matched active proctype
main() c_code pancam_init(petersons
.bc) init_thread(0, run_thread0)
init_thread(1, run_thread1)
do c_expr is_enabled(0) -gt c_code
take_step(0) c_expr is_enabled(1)
-gt c_code take_step(1) od
9
Addressing State Space Explosion

• Three Strategies
• support user-defined abstraction functions
• use context-bounded checking
• do on-the-fly partial-order reduction

10
User Defined Abstractions
system heap
program stack
FREE
user defined
global state
enabled
Abstract StateasK
Concrete State csN
as is populated through the user defined
function compute_abst(void as)

• cs is stored on Spins stack, which is used for
  DFS backtracking
• as is used for state hashing

c_track cs N UnMatched c_track as
K Matched
11
Context-Bounded Checking

• Enforce upper bound on number of allowed
  preemptivecontext-switches
• a switch from p to q is preemptive provided p is
  enabled
• explore state space exhaustively with
  increasingly larger bounds
• works well in practice - most concurrency bugs
  can be triggered with a small number of switches

Ref Iterative context bounding for systematic
testing of multithreaded programs, M. Musuvathi,
S. Qadeer, POPL 2007
12
pancam Implementation of Context Bounding

• Implemented as an optional extension
• requires no modification to Spin

13
Experimental Results Context Bounding
peterson.c without abstraction
14
On-the-fly Partial-order Reduction
take_step (th_id, s)
Spin
pancam

• pancam transitions have no structure
• c_code take_step (th_id, s)
• Spins traditional partial-order reduction
  doesnt apply
• even if we modified Spin, computing independence
  relation is too hard
• Shift the burden to pancam by
• increasing the granularity of a pancam step
• hiding unnecessary states from Spin

s
15
On-the-fly Partial-order Reduction
take_step (th_id, s)
Spin
pancam

• pancam transitions have no structure
• c_code take_step (th_id, s)
• Spins traditional partial-order reduction
  doesnt apply
• even if we modified Spin, computing independence
  relation is too hard
• Shift the burden to pancam by
• increasing the granularity of a pancam step
• hiding unnecessary states from Spin
• Example
• execute a thread until it accesses a global
  variable or the shared heap
• Can we do better?

s
16
Superstep Reduction Key Ideas
S
?2
?1

• Unlike classical POR, which considers subsets of
  enabled transitions from state s, we consider
  subsets of enabled finite paths from s

17
Superstep Reduction Key Ideas
S
?2
?1

• Unlike classical POR, which considers subsets of
  enabled transitions from state s, we consider
  subsets of enabled finite paths from s
• Each selected path is replaced with a single
  superstep transition

18
Superstep Reduction Key Ideas
S
?2
?1

• Unlike classical POR, which considers subsets of
  enabled transitions from state s, we consider
  subsets of enabled finite paths from s
• Each selected path is replaced with a single
  superstep transition
• The conflicts (dependencies) are computed
  dynamically

19
Superstep Requirments

• Compute superstep ?i for each enabled thread i
• a superstep is finite and nonempty
• only the last transition in a superstepmay
  conflict with transitions in other supersteps
• only the last transition of a superstepcan be
  visible

From these, we can show thatsuperstep reduction
is sound and complete for checking any LTL
property without the next-time operator
Can be seen as an extension of the Cartesian
partial-order reduction to LTL
Ref Cartesian partial-order reduction, G. Gueta,
C. Flanagan, E. Yahav, M. Sagiv, SPIN 2007
20
Efficient DFS Implementation

• DFS is essential for liveness support
• Precomputing the supersteps leads to run time
  overhead
• Supersteps are computed on-the-fly using a scheme
  that maintains bookkeeping information across
  Spin backtracking steps
• no modification to SPIN is required

21
Experimental Results Superstep Reduction

robots.c benchmark
22
Other Related Work

• Modex tool extracts PROMELA models from C
  implementations
• A practical method for verifying event-driven
  software, G. Holzmann, M. Smith, SE1999
• Java Pathfinder integrates model checking with
  the virtual machine
• Model checking programs, W. Visser, K.
  Havelund, G. Brat, S. Park, F. Lerda, ASE 2003
• VeriSoft God97 and Inspect YCGK07 tools are
  state-less model checkers for C
• Model checking for programming languages using
  VeriSoft, P. Godefroid, POPL 1997
• Dynamic partial-order reduction for model
  checking software, C. Flanagan, P. Godefroid,
  POPL 2005
• CHESS model checker for concurrent C code checks
  for livelocks
• Fair stateless model checking, M. Musuvathi, S.
  Qadeer, PLDI 2008
• CMC explicit-state model checking requires manual
  translation from C
• A pragmatic approach to model checking real
  code, M. Musuvathi, et al., OSDI 2002
• In CodeSurfer tool, program analysis is applied
  to a model constructed from an executable
• Wysinwyx What you see is not what you execute,
  G. Balakrishnan, et al., VSTTE 2005

23
Summary

• First version of pancam completed
• implements abstraction support, context-bounding,
  superstep reduction
• applied to several small programs (200 lines of
  C)
• applied to an inter-process communication module
  (2800 lines of C)
• fixed bug in Wikipedia implementation of
  Petersons protocol
• extended the tool to support liveness properties
• Ongoing work
• reduce the size of a concrete state
• combine superstep reduction with static POR
• make some conservative approximations to reduce
  overhead of POR
• reduce run time overhead

24
Questions?
25
Cap Sets

• Unlike classical POR, which looks at subsets of
  enabled transitions from state s, we look at
  subsets of enabled finite paths from s
• Given a state s, choose Cap(s) - a subset of
  finite prefixes of paths from s
• ?? ? ? paths from s (? ?, ? ? ? Cap(s) ? ? ?
  ext(?) ??? ? ? )

26
Reduced System

• Given a transition state graph M ? S, T, S0, L
  ?
• The reduced graph M ? S, T, S0, L ?, such
  that
• T s ? ? s?S, ??Cap(s) , where s ? ?
  is a superstep transition summarizing execution
  of path ?
• If M and M' are stuttering equivalent, for any
  LTL formula Af without the next time operator,
  and every initial state s
• s Af in M if and only if s Af in M'

27
Independence Requirement

• ?? ? ? paths from s (? ?, ? ? ? Cap(s) ? ?
  ? ext(?) ? ? ???) let ? ???
• Independence Requirement
• transitions of ? ? ? are independent from ?
• ? ? ? ? ? is enabled at s, and results in the
  same state as ?
• then choose ? ? ? ? ? ?

s
?
?
? ? ?
?
28
Visibility Requirement

• have to show that ( ? ? ? ) ? ( ?? ??? ? ? )
• Visibility Requirement
• both ? and ? have the same visible transition and
  at most one is allowed
• All states on the paths ? and ?? ??? can be
  partitioned into two sets Seq and Req
• ? s ? Seq L(s) L(s)
• ? r ? Req L(r) L(r)

L(s)
s
L(s)
?
?
L(r)
???
?
L(r)
29
Visibility Requirement

• have to show that ( ? ? ? ) ? ( s??? ??? ? ? )
  
• Visibility Requirement
• both ? and ? have the same visible transition and
  at most one is allowed
• All states on the paths ? and ?? ??? can be
  partitioned into two sets Seq and Req
• ? s ? Seq L(s) L(s)
• ? r ? Req L(r) L(r)
• No need to show the intermediate states
• Path ? is substituted by one superstep transition
  

L(s)
s
s??
?
L(r)
???
?
L(r)