Abstract:Static analyzers are typically complex tools and thus prone to contain bugs themselves. To increase the trust in the verdict of such tools, witnesses encode key reasoning steps underlying the verdict in an exchangeable format, enabling independent validation of the reasoning by other tools. For the correctness of concurrent programs, no agreed-upon witness format exists -- in no small part due to the divide between the semantics considered by analyzers, ranging from interleaving to thread-modular approaches, making it challenging to exchange information. We propose a format that leverages the well-known notion of ghosts to embed the claims a tool makes about a program into a modified program with ghosts, such that the validity of a witness can be decided by analyzing this program. Thus, the validity of witnesses with respect to the interleaving and the thread-modular semantics coincides. Further, thread-modular invariants computed by an abstract interpreter can naturally be expressed in the new format using ghost statements. We evaluate the approach by generating such ghost witnesses for a subset of concurrent programs from the SV-COMP benchmark suite, and pass them to a model checker. It can confirm 75% of these witnesses -- indicating that ghost witnesses can bridge the semantic divide between interleaving and thread-modular approaches.

What problem does this paper attempt to address?

### Problems the paper attempts to solve This paper aims to solve a key problem in the correctness verification of concurrent programs: **How to establish a unified correctness proof format between different semantic models (such as interleaving semantics and thread - modular semantics)**. Specifically, the author proposes a method based on "ghost variables" to bridge the semantic differences between different static analysis tools, thereby increasing the confidence in the correctness of concurrent programs. #### Background and motivation 1. **Limitations of static analysis tools**: - Although static analysis tools can help developers write error - free programs, these tools themselves may have flaws, resulting in unreliable conclusions. - To increase confidence in the conclusions of static analysis tools, researchers have proposed the concept of "witnesses", that is, key reasoning steps containing static analysis results, so that other tools can independently verify these reasonings. 2. **Complexity of concurrent programs**: - For the correctness verification of concurrent programs, there is currently no unified witness format. This is mainly because different analysis tools adopt different semantic models, such as interleaving semantics and thread - modular semantics, making information exchange difficult. #### Proposed solutions The author proposes a new witness format, embedding the tool's assertions about the program into the modified program by introducing "ghost variables". The core ideas of this method are: - **Ghost variables**: These are additional variables introduced to simplify the specification and verification of complex program properties. They can encode the progress of other threads, thus correlating the observations of the current thread with its progress. - **Atomic blocks**: To ensure that the update of ghost variables does not affect the behavior of the original program, the author introduces "atomic blocks", that is, encapsulating multiple operations into an indivisible whole for execution. #### Main contributions 1. **Unified witness format**: By introducing ghost variables, the author proposes a witness format that is effective under both interleaving semantics and thread - modular semantics. 2. **Verification method**: The author shows how to use a model checker to verify the generated ghost witnesses, and experiments show that 75% of the witnesses can be confirmed to be valid. 3. **Extension of SV - COMP format**: The ghost witness format proposed by the author extends the existing SV - COMP witness format, facilitating adoption by other software verification tools. Through these improvements, the author hopes to provide a more reliable and trustworthy method in the correctness verification of concurrent programs, thereby increasing the credibility of static analysis tools.

Correctness Witnesses for Concurrent Programs: Bridging the Semantic Divide with Ghosts (Extended Version)

Applying Rely-Guarantee Reasoning on Concurrent Memory Management and Mailbox in C/OS-II: A Case Study

Applying Rely-Guarantee Reasoning on Concurrent Memory Management and Mailbox in μC/OS-II: A Case Study.

Scenario-Based Proofs for Concurrent Objects [Extended Version]

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics

Development of parallel programs on shared data-structures -- Revised version

Csimpl: A Rely-Guarantee-Based Framework For Verifying Concurrent Programs

Lifting the Reasoning Level in Generic Weak Memory Verification (Extended Version)

Certificates and Witnesses for Multi-Objective Queries in Markov Decision Processes

SNIP: Speculative Execution and Non-Interference Preservation for Compiler Transformations

Datalog-based Scalable Semantic Diffing of Concurrent Programs

Chiefly Symmetric: Results on the Scalability of Probabilistic Model Checking for Operating-System Code

Compositional Symbolic Execution for Correctness and Incorrectness Reasoning (Extended Version)

Fully Composable and Adequate Verified Compilation with Direct Refinements between Open Modules (Technical Report)

Verified Compilation for Shared-Memory C

Verifying Parallel Low-Level Programs for Multi-core Processor

Towards certified separate compilation for concurrent programs

Operationally Proving Memory Access Violations in Isabelle/HOL

A Framework for the Verification of Certifying Computations

Integrating Owicki-Gries for C11-Style Memory Models into Isabelle/HOL