Reducing Context-bounded Concurrent Reachability to Sequential Reachability
Gennaro ParlatoUniversity of Illinois at Urbana-Champaign
Salvatore La Torre (U. Salerno, Italy)P. Madhusudan (U . Illinois U.-C., U.S.A.)
What is this talk about? Translation from concurrent recursive programs to
sequential programs that preserves reachability
Use existing technique for sequential programs to analyze concurrent programs Model checkers, Deductive verification, …
T1 T2 Tn
shared vars
…Seq.
program
From concurrent to sequential
Always possible but can be inefficient simulate the global behavior (track all locals of each thread) current techniques do not work
What do we want? avoid the extreme blow-up track at any point only the locals of one thread
What we want is not always possible
But is possible restricted : bounded context-switching reahability [Quadeer,Wu, PLDI’04] errors manifest within few contest-switches [Musuvathi, Qadeer, PLDI’07]
Concurrent programs fixed number of (recursive) threads running in parallel
each thread Ti has its own local variables
threads communicate through shared variables
T1 T2 Tn
shared vars
…loc loc loc
Anatomy of a k-CS execution
(l, s1)
(l, s2)
(l’1,s1)
(l’2,s2)
T1 T2
A transformation already exists [Lal, Reps CAV’08]
Sequential program
1. Execute T1 to completion
2. Remember s1, s2,…, sk
3. Execute T2 to completion
(l1,s1)
s1
s2
s3
s4
s5
T1
(l1,s2)
(l2,s3)
(l2,s4)
(l3,s5)
store s1
guess s2
store s3
guess s4
store s5
T2
A transformation already exists [Lal, Reps CAV’08]
Sequential program
1. Execute T1 to completion
2. Remember s1, s2,…, sk
3. Execute T2 to completion
(l’1,s1)
s1
s2
s3
s4
s5
T1
(l’2,s2)
(l’2,s3)
(l’3,s4)
(l’3,s5)
T2
s2-> s3
s4-> s5
A transformation already exists [Lal, Reps CAV’08]
s1
s2
s3
s4
s5
T1
s2 is guesseds2 may be unreachable
EAGER
T2
Eager transformation: disadvantages
void thread1() { while (blocked) skip; x = x/y; if (x%2==1) ERROR; }
void thread2() { x=12; y=2;
//unblock thread2 blocked=false;}
// shared variablesbool blocked=true;int x=0, y=0;
Inv: y != 0
blocked=true
blocked=false
guess y=0
We want a lazy transformation
The lazy sequential program explores only reachable states of the concurrent program
Why is it desirable?
In model-checking it can drastically reduce the explored state-space Better invariants for deductive verification
A lazy transformation to sequential programs was not known
Our contribution
Lazy transformation from concurrent to sequential programs that reduces the k context-switches reachability problem
Model-checking Lazy => unreachable states not explored Implementation of translation for Boolean programs Evaluation on a Bluetooth device driver
Lazy transformation
Lazy transformation: main idea
Execute T1
Context-switch: store s1
and abort
Execute T2 from s1
store s2 and abort
(l1,s1)
(l’1,s1)
(l’2,s2)
T1(l0,s0)
T2
store s1
& abort store s2
& abort
Lazy transformation: main idea
Re-execute T1 till it reaches s1
May reach a new local state!
But is anyway correct !!
(l1,s1)
(l’1,s1)
(l’2,s2)
T1(l0,s0)
T2
store s1
& abort store s2
& abort(l’’1,s1)
store s3
& abort
(l’’1,s2)
Lazy transformation: main idea
Switch to T2
Execute till it reaches s2
Continue computation
(l1,s1)
(l’1,s1)
(l’2,s2)
T1(l0,s0)
T2
store s1
& abort store s2
& abort(l’’1,s1)
store s3
& abort
(l’’’1,s2)
(l’’1,s2) (l’’’1,s3)
store s4
& abort
Lazy transformation: main idea
T1 T2
store s1
store s2
store s3
store s4
store s5
end
s1
s2
s3s4
s1
s2
s3
s4
s5
Lazy translation scheme
main()
Thread1()
Output is a sequential program consisting of:
Thread2()
Lazy translation scheme
main()
Thread1()
stmt1;
stmt2;
Output is a sequential program consisting of:
Thread2()
Guess scheduling Orchestrate calls to threads
Nondet jump to next context where this thread is active At last context-switch, store shared state, abort, and return to main
Reduction of bounded context-switch reachability
Theorem:Let C be a concurrent program, k>0 and pc be a program counter of C
pc is reachable in C within k context switches iff pc is reachable in SeqProgk(C)
Lazy translation
Explores only reachable states
Preserves invariants across the translation
Tracks local state of one thread at any time
Tracks values of shared variables at context switches (s1, s2, …, sk)
Requires recomputation of local states
Experiments
Model checking concurrent Boolean programs
Boolean programs Concurrent Boolean programs Boolean programs
We have implemented the eager and lazy translator for concurrent Boolean programs
Download: http://www.cs.uiuc.edu/~madhu/getafix/cbp2bp Eager => explores unreachable states Lazy => explores only reachable states
Experiments: Windows NT Bluetooth driver
Contextswitches
1-adder1-stopper
2-adders1-stopper
1-adder 2-stoppers
2-adders 2-stoppers
eager lazy eager lazy eager lazy eager lazy
123456
NNNNNN
0.10.3
43.373.6
930.0-
0.10.21.45.5
20.266.8
NNNYYY
0.20.9
135.91601.0
--
0.10.86.32.6
18.0122.9
NNYYYY
0.10.7
70.1597.2
--
0.10.90.42.9
14.066.1
NNYYYY
0.21.6
177.6out of mem.out of mem.out of mem.
0.12.00.87.5
66.5535.9
Related Work
KISS project [Qadeer-Wu,PLDI’04]
Decidability of context-bounded analysis [Qadeer-Rehof,TACAS05]
Automata-based symbolic solution [Suwimonteerabuth-Esparza-Schwoon,SPIN’08]]
Symbolic fixed-point solution to lazy computation of reachable states [La Torre-Madhusudan-Parlato,PLDI’09]
Eager translation and symbolic algorithm to compute reachable states lazily
[Lal-Reps,CAV’08]
Translation for deductive verification [Lahiri-Qadeer-Rakamaric, CAV09]
next talk!!
Future work
We have a lazy transformation for unbounded number of threads!!!
Top Related