1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...

73
Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification

Transcript of 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software...

Page 1: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

1

Chao Wang

NEC Labs, Princeton, NJ

COS 598d

3/5/2010

SMT and its Application in Software Verification

Page 2: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

2

What is SMT?

Satisfiability Modulo Theories (SMT) Decision problem for logic formulas expressed in classical first-

order logic with equality, with respect to combinations of some background theories

It is a generalization of SAT, where some Boolean variables are replaced by predicates from a variety of underlying theories.

Page 3: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

3

Boolean Satisfiability (SAT)

or

and

not

or

and

or

.

.

.

p2

p1

pn

Is there an assignment to the p1, p2, …, pn variables such that evaluates to 1?

Page 4: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

4

Satisfiability Modulo Theories (SMT)

.

.

.

p2

p1

pn

Is there an assignment to the x, y, z, w variables s.t. evaluates to 1?

x + 2 z <1

x % 26 = v

w & 0xFFFF = x

x = y

or

and

not

or

and

or

Page 5: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

5

SMT Solvers: A Brief History

Early work in the late 1970s Nelson and Oppen, Shostak, Boyer and Moore

Modern SMT solvers started in the late 1990s Attempts to build scalable solvers Influenced by SAT solvers (GRASP and Chaff)

Last few years: tremendous progress Efficient SMT solvers

(SMT-LIB benchmarks, SMT-COMP solver competition) Wide-spread applications

Page 6: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

6

Many of its Applications

Verification systems HOL, Isabelle, and PVS, etc. ACL2, Caduceus, SAL, UCLID, etc.

Extended static checkers and model checkers Boogie, ESC/Java 2, etc. BLAST, Eureka, MAGIC, SLAM, F-Soft, etc.

Certifying compliers Touchstone, TVOC, etc.

Test case generation DART, EXE, CUTE, PEX, etc.

Page 7: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

7

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers

How to Use It?

Application in Software Verification

Page 8: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

8

First-Order Logic (quantifier-free)

Logical Symbols Propositional connectives: AND, OR, NEGATION,etc. Boolean variables: v1, v2, . . .

Non-logical symbols/Parameters Equality: = Functions: +, -, %, bit-wise &, f(), concat, … Predicates: ·, is_substring, … Constant symbols: 0, 1.0, null, …

Page 9: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

9

Some Useful Theories

QF_UF: Theory of equality (with uninterpreted functions)

QF_LIA, QF_LIR: Theories of linear arithmetic (over Q or Z)

QF_IDL, QF_RDL: Theories of difference logic (over Q or Z)

QF_BV: Theories of fixed-size bit-vectors

QF_A, QF_AX: Theory of arrays (with and w/o extensionality)

Misc.: Non-linear arithmetic, …

Page 10: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

10

Example: QF_UF Formula

(x = y) & (y = z) & (f(x) f(z))

Transitivity:

(x = y) & (y = z) (x = z)

Congruence:

(x = z) (f(x) = f(z))

Page 11: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

11

x0x1

x2

xn-1

QF_UF in Processor Verification (datapath)

ALU

x

f

Bit-vectors to Abstract Domain (e.g. Z)

Functional units to Uninterpreted Functions a = x & b = y f(a,b) = f(x,y)

Common Operations

1

0

x

y

p

ITE(p, x, y)

If-then-else

x

y x = y=

Test for equality

Page 12: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

12

QF_UF in Equivalence Checking

int fun1(int y) { int x, z; z = y; y = x; x = z;

return x*x;}

int fun2(int y) { return y*y;}

SMT formulaSatisfiable not equivalent

( z = y & y1 = x & x1 = z & ret1 = x1*x1) &( ret2 = y*y ) &( ret1 ret2 )

Using SAT to check equivalence (w/ Minisat) 32 bits for y: Did not finish in over 5 hours 16 bits for y: 37 sec. 8 bits for y: 0.5 sec. Using EUF solver: 0.01 sec.

By Sanjit Seshia, UC Berkeley

Page 13: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

13

Bit-Vector Arithmetic (QF_BV)

Fixed width data words Can model int, short, long, etc.

Arithmetic operations E.g., add/subtract/multiply/divide & comparisons Two’s complement and unsigned operations

Bit-wise logical operations E.g., and/or/xor, shift/extract and equality

Boolean connectives

(define b1::(bitvector 32))

(define b2::(bitvector 32))

(assert (and (= (bv-add b1 (mk-bv 32 1)) b2)

(/= (bv-add (mk-bv 32 0) (bv-add (mk-bv 32 1) b1)) b2)))

(check)

Page 14: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

14

Linear Arithmetic (QF_LRA, QF_LIA)

Boolean combination of linear constraints

(a1 x1 + a2 x2 + … + an xn <= b)

where xi’s could be in Q or Z

Many applications, including: Verification of analog circuits Software verification, e.g., of array bounds

Page 15: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

15

Difference Logic (QF_IDL, QF_RDL)

Boolean combination of linear constraints

xi – xj <= cij

where xi, xj, cij, are in Q or Z

Applications: Software verification (most linear constraints are of this form) Processor data-path verification Job shop scheduling

Page 16: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

16

Theory of Arrays (QF_AX)

Two interpreted functions: select and store select(A,i) Read from array A at index i store(A,i,d) Write d to array A at index i

Two main axioms: select( store(A,i,d), I ) = d select( store(A,i,d), j ) = select(A,j) for i j

Extentionality axiom: (forall index i. select(A,i) = select(B,i)) (A = B)

Page 17: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

17C. Barrett & S. A. Seshia

Example: QF_AX in Equivalence Checking

int fun1(int y) { int x[2]; x[0] = y; y = x[1]; x[1] = x[0];

return x[1]*x[1];}

int fun2(int y) { return y*y;}

SMT formula

x1 = store( x,0,y ) & y1 = select( x1,1 ) & x2 = store( x1,1,select(x1,0) ) & ret1 = sq( select(x2,1) ) & ret2 = sq(y) & ( ret1 ret2 )

Page 18: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

18

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers

How to Use It?

Application in Software Verification

Page 19: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

19

SMT Solvers: “Eager” vs. “Lazy”

Eager approach: Translating input formula into an “equi-satisfable” Boolean formula using enough consequences of the underlying theory

Lazy approach: Writing a dedicated “theory solver” for conjunction of literals in the underlying theory, embedded as a submodule into a Boolean SAT solver

Page 20: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

20

Example: Solvers for difference logic

Eager approach Small domain encoding Per constraint encoding

[Pnueli et al. 2002], [Shtrichman et al. 2002][Seshia et al. 2003]

Lazy approach Sateen, Z3, Yices

Top-3 in 2009 competition

input formula in IDL

Equi-SAT Boolean Formula(all transitivity constraints are added)

Boolean SAT

Input formula in IDL

Boolean Abstraction

Boolean SAT

Check theory consistency

Add trans. constraint

inconsistent ?

Page 21: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

21

Integer Difference Logic (IDL)

Logic to model systems at the “word-level” Subset of a quantifier-free first-order logic Boolean connectives + predicates like (x – y ≤ c)

Formal verification applications Pipelined processors, timed systems, embedded software e.g., back-end of the UCLID Verifier

Page 22: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

22

IDL Preliminaries

Difference logic formula

Difference predicates

Boolean skeleton

Constraint graph for assignment (A,¬B,C,D)

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

A: ( x – y ≤ 2 ), B: ( z – x ≤ -7 )C: ( y - z ≤ 3 ), D: ( w - y ≤ 10 )

Page 23: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

23

Theory Solver: minimal requirement

For the theory solver

Input: a conjunction set of literals

Output: consistent or inconsistent

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

Page 24: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

24

Page 25: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

25

Theory Solver: can be more helpful

Conflict analysis: why inconsistent? Negative weighted cycle Theory conflict add a Lemma or blocking clause trigger a Boolean conflict

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

x y

wz

A:2

D:10C:3

¬B:-7

Lemma learned:

(¬A + B + ¬C)

A:2

C:3

¬B:-7

Conflicting clause: (false + false + false)

Page 26: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

26

Theory Solver: can be even more helpful

Deriving Theory Implications: look-ahead If adding an edge creates a negative cycle negated edge is implied Theory implication var assignment Boolean implication (BCP)

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

x y

wz

A:2

D:10C:3

¬B:-7

Theory implication:

A ^ ¬B → (¬C)

C:3

Implied Boolean assignment trigger a series of BCP

Page 27: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

27

Theory Solver: other desired features

Model generation

Conflict set generation

Deduction of unassigned literals

Incremental don’t start from scratch for each call

Backtrackable can “undo” steps to a previous state

Deduction of interface equalities (eij-deduction)

Page 28: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

28

Negative Cycle Detection (standard)

Bellman-Ford shortest-paths algorithm Detect negative cycles as by-product Take O(n*m) time sounds good!

However, inside SMT Theory solver will be invoked many times, Each time on a very similar sub-problem

Page 29: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

29

Bellman-Ford Algorithmrelax (u,v) {

if (d[v] > d[u] + w[u,v])

d[v] = d[u] + w[u,v];

}

Bellman_Ford ( ) {

for each node v, initialize d[v] = 0;

for (i=1; i<N; i++) {

for each edge (u,v) relax(u,v);

}

for each edge (u,v)

if ( d[v] > d[u] + w[u,v] )

return NEGATIVE_CYCLE;

return;

}

x y

wz

A:2

D:10C:3

¬B:-7

A: ( x – y ≤ 2 ) ¬ B: ( z – x ≤ -7 ) C: ( y - z ≤ 3 ) D: ( w - y ≤ 10 )

u,v nodes in graphd[u] node score d[v] node score

0

0

Page 30: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

30

Incremental Algorithm

//… after adding the edge (u,v)

if ( d[v] > d[u] + w[u,v] ) {

relax (u,v)

enqueue (v)

}

while ( (x=dequeu()) != null) {

for each edge (x,y) {

if (d[y] > d[x] + w[x,y] ) {

relax (x,y)

if (u==x && v==y) return NEGATIVE_CYCLE;

else enqueue (y);

} } }

return;

u

v

Keep relaxing till it stablize…

But before that, if node v is

relaxed again, there is a cycle!

Page 31: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

31

0

Incremental conflict detection

Relax (u,v): if (d[v] > d[u]+w[u,v]) { d[v] = d[u]+w[u,v]; pi[v] = u }

x y

wz

2

10

-7

0

-7 0

3

X -4

(z,y) d[y]=-4 pi[y]=z

X 6

(y,w) d[w]=6 pi[w]=y

(y,x) d[x]=-2 pi[x]=y

X -2

(x,z) d[z]=-9 pi[z]=x

X -9

•Add an edge relax, relax, relax, …, till stablization•Remove an edge ???

(z,y) CONFLICT !!!

Page 32: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

32

Theory Solver: other desired features

Model generation

Conflict set generation

Deduction of unassigned literals

Incremental

Backtrackable can “undo” steps to a previous state

Deduction of interface equalities (eij-deduction)

Page 33: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

33

Fast Backtracking (edge removal)

The number of backtracks is very large in practice Should have low runtime overhead can’t start from scratch Should be scalable in terms of memory usage can’t checkpoint

Key Observation { d[v] } remains a solution after removing some edges No need to restore the theory solver’s state

After the edge removal, nothing needs to be done!

Backtracking Cost constant-time!!!

Page 34: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

34

Incremental Algorithm: an example[Wang et al. LPAR 2005][Wang et al. DAC 2006]

Page 35: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

35

35

Diamonds: with O(2^n) negative cycles

-1

e1 e2

e0

Observations:

With existing predicates (e1,e2,…) exponential number of lemmas

Add new predicates (E1,E2,E3) linear number of lemmas

Previous eager chordal transitivity method used by [Strichmann et al. FMCAD’02]

E1 E2 E3

Page 36: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

36

36

Heuristics to add “chordal predicates”

x y wz

Heuristics to choose GOOD predicates (short-cuts)

Nodes that show up frequently in negative cycles

Nodes that are re-convergence points of the graph

E3: x – y <= (d[x] - d[y])

Predicates: E1: x – y < 5 E2: y – x < 5Lemma: ( ! E1 + ! E2 )

Page 37: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

37

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers The “lazy” approach

The “eager” approach

How to Use It?

Application in Software Verification

Page 38: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

38

Remove Functions: QF_UF SAT

Ackermann’s Reduction (1954) For each “function symbol occurrence”, add a new variable xf For each pair (xf1, xf2), add “function consistency constraints”

Input formula: f(a1) & f(a2) & f(a3)

Output formula: xf1 & xf2 & xf3 &

(a1 = a2) (xf1 = xf2) &

(a1 = a3) (xf1 = xf3) &

(a2 = a3) (xf2 = xf3)

Page 39: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

39

Remove Functions: QF_UF SAT

Bryant-German-Velev Reduction (2001) Exploits a property of function applications called “positive equality” Eliminate functions using a nested If-Then-Else expressins

Input formula: f(a1) & f(a2) & f(a3)

Output formula: xf1 &

ITE(a2=a1, xf1, xf2) &

ITE(a3=a1, xf1, ITE(a3=a2, xf2, xf3) )

Further Improvement (Lahiri et al. 2004)

Page 40: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

40

Small-Domain Encoding: QF_LIA SAT

For Linear Integer Arithmetic

If there is a satisfying solution to a formula, there is one whose size, measured in bits, is polynomially bounded in the problem size

With “bounded” integers, one can translate the LIA formula into a pure Boolean formula

Page 41: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

41

Small-Domain Encoding: Example

Equality constraints of the form

(x = y), or (x != y)

For a formula with (n) variables, the solution size (d) is bounded by (n).

Page 42: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

42C. Barrett & S. A. Seshia ICCAD 2009 Tutorial42

Summary of Solution Bounds

Logic Solution Bound d

Equality logic n

Difference logic n * ( bmax + 1 )

UTVPI logic (Gen2SAT) 2 * n * ( bmax + 1 )

Full Integer Linear Arithmetic

n *(bmax + 1) * (amaxk * w k)

Page 43: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

43

Direct Encoding of Theory Axioms

Alternative to “small-domain” encoding Also called “per-constraint” encoding

For QF_UF (equality logic), Bryant and Velev (2001) Cubic – worst-case formula size

For QF_IDL (difference logic), Strichman et al (2002) Exponential – worst-case formula size

For QF_LIA (integer arithmetic), Strichman (2002) Double-exponential – worst-case formula size

Page 44: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

44

Theory Combination: briefly

Problem Statement:

Is it possible to combine theory solvers for several component theories, denoted T1, …, Tn, into a theory solver that decides ground satisfiability modulo their combination?

The answer is negative, in general There are theories with decidable ground satisfiability

problems, whose combination is undecidable…

Page 45: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

45

Theory Combination: briefly

Nelson and Oppen (1979,1980):

It is possible, if one imposes some restrictions on the component theories and their combination…

Sufficient conditions (for theories T1 and T2)1. They are signature-disjoint2. They are both “stably infinite”

Page 46: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

46

Theory Combination: briefly

DTC: Delayed Theory Combination (2005, 2006) Rely on DPLL Boolean SAT Little requirement for Theory Solver

Eij-Deduction does not need to be complete

Delayed Theory Combination vs. Nelson-Oppen for Satisfiability Modulo Theories: a Comparative Analysis, by Bruttomesso et al. in LPAR 2006

Page 47: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

47

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers

How to Use It?

Application in Software Verification

Page 48: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

48

In Practice: the Yices SMT Solver

Features: Producing models, for satisfiable formulas Producing proofs, for unsatisfiable formulas Identifying UNSAT cores

subset of the original formula that is also UNSAT Retracting clauses, MAX-SAT, etc.

Command-lineyices < file.ys or // native input formatyices --smt < file.smt // smt-lib input formula

API (programming interface)

Page 49: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

49

Outline

What’s SMT?

Some Useful Theories

Inside SMT Solvers

How to Use It?

Application in Software Verification

Page 50: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

50

Chao Wang NEC Labs, Princeton, NJ

Sudipta Kundu UC San Diego

Malay Ganai NEC Labs, Princeton, NJ

Aarti Gupta NEC Labs, Princeton, NJ

Symbolic Predictive Analysis for Concurrent Programs

Related publications

[Wang et al. FM 2009][Wang et al. FSE 2009][Wang et al. TACAS2010]

Page 51: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

51

Main thread

Multithreaded C/C++ ProgramHeap (storing shared objects)

Thread 1 Thread 2 Thread 3

Test Input

POSIX Threads Library

(Pthreads)

Rest of the Linux OS

Your expectation: If the program fails the given test, you want to see the bug

The reality:Even if the program may fail (under a certain schedule), you perhaps won’t see it

Why? Thread scheduling is controlled by the OS and the Pthreads library

What is the Problem?

Page 52: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

52

Main thread

Multithreaded C/C++ ProgramHeap (storing shared objects)

Thread 1 Thread 2 Thread 3

Test Input

POSIX Threads Library

(Pthreads)

Rest of the Linux OS

Our Solution

FUSION:

our scheduler/ trace logger /dynamic model

checker

Run the test once, and log the execution trace

Check (symbolically) all alternative interleavings of events of that trace

Page 53: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

53

Predictive Analysis

Detecting errors by statically analyzing the recorded execution traces of a concurrent program

without re-running the program…

Page 54: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

54

Given a concrete trace (logged during execution) some properties (e.g. embedded assertions)

Checking whether the properties hold in all possible interleavings of events of that trace Symbolically, using a SMT solver

Page 55: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

55

C program:

multi-threaded, using Pthreads

Execution trace

“assume( c )” means the (c)-branch is taken

Page 56: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

56

Execution trace

CTP (concurrent trace program)

Think of abounded, straight-line,

concurrent program

Page 57: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

57

Detecting Violations (symbolically)

Build a SAT formula (in some quantifier-free first-order logic)

F_program : any feasible thread interleaving of CTP

F_property : assertion is violated

Solve

( F_program & F_property )

Sat found a real error

Unsat ……

Page 58: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

58

Concurrent Static Single Assignment (CSSA)

F_po: HB(t0,t1) & HB(t1,t2) & HB(t2,t3) & HB(t3,t4) & HB(t4,t5)

HB(t0,t11) & HB(t11,t12) & HB(t12,t13) & HB(t13,t14) & HB(t14,15) & HB(t15,t18) & HB(t18,t5)

HB(t1,t21) & HB(t21,t26) & HB(t26,t27) & HB(t27,t28) & HB(t28,t4)

F_vd: (x0=0) & (y0=0) &

(a1=Y_1) & & (b1 = X_1)

(a1=0) & & (b1 != 0)

(x1=1) & & (y1 = 0)

(a2=X_2) &

(x2=a2)

F_property: (X_3 == Y_2)

F_pi: &( (Y_1=y0) & HB(t11,t27) OR

(Y_1=y1) & HB(t27,t11) )

& ( (X_1=x0) & HB(t21,t13) OR

(X_1=x1) & HB(t13,t21) & HB(t21,t15) OR

(X_1=x2) & HB(t15,t21) )

& (X_2=x1)

& (X_3=x2)

& (Y_2=y1)

Page 59: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

59

HB (Happens-Before) Constraints

How is HB(t1,t2) implemented? Event t1 happens strictly before t2

HB(t1,t2) := t1 < t2 where t1,t2 are integer variables

Page 60: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

60

Outline

Motivation

Symbolic Predictive Analysis

Related Work

Context Bounding (SAT-based)

Experiments

Conclusions

Page 61: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

61

Related Work (predicting errors)

Methods that do not miss errors (over-approximate) Lockset methods: e.g. Eraser, RacerX

Problem: False alarms (sometimes, lots of them)

Methods with no bogus errors (under-approximate) Inspired by Lamport’s happens-before causality Recent causal models

Generalized Predictive Analysis [Sen,Rosu,Agha,2005] Parametric and Sliced Causality [Chen,Rosu,2007] Maximal Causal Model [Serbanuta,Chen,Rosu,2008]

– Subsume other causal models

Page 62: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

62

Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

x:= 1 + a

t1: RD(x) = 0

t2: RD(l)=1,WR(l)=0

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=1,WR(l)=0

t7: WR(x)=1

t8: WR(l)=1

t9 :

t10: RD(l)=1,WR(l)=0

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=1

The View of Maximal Causal Model

observe “events” instead of “statements”

Page 63: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

63

Example (MCM works)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

x:= 1 + a

t1: RD(x) = 0

t2: RD(l)=1,WR(l)=0

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=1,WR(l)=0

t7: WR(x)=1

t8: WR(l)=1

t9 :

t10: RD(l)=1,WR(l)=0

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=1

Why is it feasible to move t11 ahead of t7?

t11 still reads in the value (x==1)

Page 64: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

64

Example (MCM works)

t1: RD(x) = 0

t2: RD(l)=0,WR(l)=1

t3: WR(x) = 1

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=0,WR(l)=1

t7: WR(x)=1

t8: WR(l)=0

t9 :

t10: RD(l)=0,WR(l)=1

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=0

Page 65: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

65

Example (MCM will miss real errors)counting semaphore: l=1 initiallyshared variables: x=y=0 initially

t1: RD(x) = 0

t2: RD(l)=0,WR(l)=1

t3: WR(x) = 2

t4: WR(l)=1

t5: WR(y)=1

t6: RD(l)=0,WR(l)=1

t7: WR(x)=1

t8: WR(l)=0

t9 :

t10: RD(l)=0,WR(l)=1

t11: RD(x)=1

t12: assert(y==1)

t13: WR(l)=0

MCM will miss this real error

x:= 1 + a

Page 66: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

66

Using CTP (will catch the real error)

Page 67: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

67

Outline

Motivation

Symbolic Predictive Analysis

Related Work

Context Bounding (SAT-based)

Experiments

Conclusions

Page 68: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

72

Outline

Motivation

Symbolic Analysis

Related Work

Context Bounding (SAT-based)

Experiments

Conclusions

Page 69: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

73

FUSION: runtime analysis + symbolic analysis

Target Program

test input

API

CSV

Online parsing

CTP building

CTP simplify

Symbolic Encoding

cssa …

Calling the SMTSolver

Static Analysis …

symbolic analysis

Dynamic MC(e.g. INSPECT, CHESS,VeriSoft)

Pick and Runa schedule

DPOR backtracking

sleep set, context bound

Search Stack

socket

Consulting CSV

SAT Check Prunecsv2inspect

Page 70: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

74

Experiments

Benchmarks Multithreaded C programs (Linux/Pthreads) With embedded assertions

Details Indexer examples from [Flanagan & Godefroid, POPL 2005]

Multiple threads sharing a hash table 11 threads or less, no hash collision 12 threads or more, heavy hash collision

Bank examples from [Farchi, Nir, Ur, PDPS 2003]

Small programs with pointers, arrays, and structures,

Page 71: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

75

Experimental Results

MO: run out of 800 MB memory

Page 72: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

76

Conclusions

New method: symbolic predictive analysis Coverage: subsumes known causal models (MCM) Efficiency: SAT-based search vs. explicit enumeration

Highlights CTP (Concurrent Trace Program) CSSA (Concurrent Static Single Assignment) SAT-based context bounding

Future work Predicting atomicity violations

Page 73: 1 Chao Wang NEC Labs, Princeton, NJ COS 598d 3/5/2010 SMT and its Application in Software Verification.

77

References

SMT

“Satisfiability Modulo Theories” (book chapter) Clark Barrett, Roberto Sebastiani, Sanjit A. Seshia, and Cesare Tinelli. In the Handbook of Satisfiability, IOS Press, 2009. (available from the authors’ web pages)

Concurrent Software Verification

“Symbolic Predictive Analysis for Concurrent Programs”, FM 2009 Chao Wang, Sudipta Kundu, Malay Ganai, and Aarti Gupta“Trace based Symbolic Analysis for Atomicity Violations”, TACAS 2010 Chao Wang, Rhishikesh Limaye, Malay Ganai, and Aarti Gupta (available from the authors’ web pages)