Wenrui Meng,Fei He,Bow-Yaw Wang,Qiang Liu

DOI: https://doi.org/10.1007/978-3-642-28891-3_24

2012-01-01

Abstract:Thread-modular analysis is an incomplete compositional technique for verifying concurrent systems. The heuristic works rather well when there is limited interaction among system components. In this paper, we develop a refinement algorithm that makes thread-modular model checking complete. Our algorithm refines abstract reachable states by exposing local information through auxiliary variables. The experiments show that our complete thread-modular model checking can outperform other complete compositional reasoning techniques.

Fuyuan Zhang,Yongwang Zhao,David Sanán,Yang Liu,Alwen Tiu,Shang-Wei Lin,Zhimin Wu,Jun Sun

DOI: https://doi.org/10.1007/978-3-319-95582-7_31

2018-01-01

Abstract:Scalable and automatic formal verification for concurrent systems is always demanding. In this paper, we propose a verification framework to support automated compositional reasoning for concurrent programs with shared variables. Our framework models concurrent programs as succinct automata and supports the verification of multiple important properties. Safety verification and simulations of succinct automata are parallel compositional, and safety properties of succinct automata are preserved under refinements. We generate succinct automata from infinite state concurrent programs in an automated manner. Furthermore, we propose the first automated approach to checking rely-guarantee based simulations between infinite state concurrent programs. We have prototyped our algorithms and applied our tool to the verification of multiple refinements.

Qingyu Jiang,Jing Liu,Haodong Hu

DOI: https://doi.org/10.1109/apsec.2018.00026

2018-01-01

Abstract:Ensuring the reliability of concurrency software systems is difficult due to the interaction between threads. This article discusses the requirements for formal verification of concurrent embedded software and proposes a constraint-based flow-sensitive static analysis for concurrent avionics software by iteratively composing thread-modular abstract interpreters. These constraint are based on data-flow graphs and used to rule out patterns of thread interference that can not occur in a real program execution. Our new method has the advantage of being more accurate than existing, flow-insensitive, static avionics analyzers while remaining scalable and providing the expected soundness and termination guarantees. We implemented our method and evaluated it on an industrial setting, hinting at the maturity of our approach.

Jinjiang Lei,Zongyan Qiu

DOI: https://doi.org/10.1007/978-3-319-10882-7_17

2014-01-01

Abstract:Verification of concurrent systems is difficult because of the inherent nondeterminism. Modern verification requires better locality and modularity. Reasoning of shared memory systems has gained much progress in these aspects. However, modular verification of distributed systems is still in demand. In this paper, we propose a new reasoning system for message-passing programs. It is a novel logic that supports Hoare style triples to specify and verify distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and specify behaviors of agents by their local traces with regard to environmental assumptions. Based on trace semantics, the verification is compositional in both temporal and spatial dimensions. As an example, we show how to modularly verify an implementation of merging network.

Junrui Zhou,Hong An,Yunyun Wang,Junshi Chen

DOI: https://doi.org/10.1007/978-3-319-27140-8_36

2015-01-01

Abstract:Applying model checking to detect concurrency errors in larger-scale multithreaded programs is limited by state explosion problem stemming from nondeterminism. We propose a novel approach established on the insight into the relationship between thread interference and nondeterminism to break the limitation. The approach works for particular parallel region that can be divided into disjoint groups among which there is no thread interference. We demonstrate that the set of reachable states of the parallel region is the Cartesian product of reachable states of each disjoint group. Local states of disjoint groups explored in previous runs can be reused to avoid redundant state transitions such that the time consumed by successive runs is decreased. The empirical results indicate that the efficiency of model checking can be improved by orders of magnitude through local state reusing.

Fei He,Zhihang Sun,Hongyu Fan

DOI: https://doi.org/10.1145/3453483.3454108

2021-01-01

Abstract:Analyzing multi-threaded programs is hard due to the number of thread interleavings. Partial orders can be used for modeling and analyzing multi-threaded programs. However, there is no dedicated decision procedure for solving partial-order constraints. In this paper, we propose a novel ordering consistency theory for multi-threaded program verification under sequential consistency, and we elaborate its theory solver, which realizes incremental consistency checking, minimal conflict clause generation, and specialized theory propagation to improve the efficiency of SMT solving. We conducted extensive experiments on credible benchmarks; the results show significant promotion of our approach.

Fei Xie,Guowu Yang,Xiaoyu Song

DOI: https://doi.org/10.1007/11901914_14

2006-01-01

Abstract:In this paper, we present and illustrate an approach to compositional reasoning for hardware/software co-verification of embedded systems. The major challenges in compositional reasoning for co-verification include: (1) the hardware/software semantic gaps, (2) lack of common property specification languages for hardware and software, and (3) lack of compositional reasoning rules that are applicable across the hardware/software boundaries. Our approach addresses these challenges by (1) filling the hardware/software semantic gaps via translation of hardware and software into a common formal language, (2) defining a unified property specification language for hardware, software, and entire systems, and (3) enabling application of existing compositional reasoning rules across the hardware/software boundaries based on translation, developing a new rule for compositional reasoning with components that share sub-components, and extending the applicability of these rules via dependency refinement. Our approach has been applied to co-verification of networked sensors. The case studies have shown that our approach is very effective in enabling application of compositional reasoning to co-verification of non-trivial embedded systems.

Tao CHEN,M WANG

DOI: https://doi.org/10.3969/j.issn.1673-629X.2019.02.006

2019-01-01

Abstract:Runtime verification is a new lightweight automatic verification technique.The verification software used in this technology is composed of two parts:one part is the monitored target program;the other is the monitor.The main idea of the runtime verification method based on formalized language is to input a formal specification syntax that represents events and properties and target program, and output a new program.The new program with inserting pile will execute the corresponding function to judge whether it satisfies the formal specification grammar when it meets the point that needs to be monitored.However, when the traditional single thread runtime verification monitor has many properties that the target program needs to monitor, the regenerated program may slow down the performance of the program because of the more specified nature.In this paper, we optimize the prototype tool Movec by using multi-core parallel technology.Through the way of serial program monitor assigned to multithreading, Clang compiler's piling technology and multi-core task allocation method have realized the optimization of Movec prototype tools.The optimized Movec is compared with the experimental data without the improved tools, which shows that the multithread operation method has a better effect.

Jinjiang Let,Zongyan Qiu

DOI: https://doi.org/10.7561/sacs.2014.2.217

2014-01-01

Scientific Annals of Computer Science

Abstract:The difficulties of verifying concurrent programs lie in their inherent non-determinism and interferences. Rely-Guarantee reasoning is one useful approach to solve this problem for its capability in formally specifying inter- thread interferences. However, modern verification requires better locality and modularity. It is still a great challenge to verify a message-passing program in a modular and composable way. In this paper, we propose a new reasoning system for message-passing programs. It is a novel logic that supports Hoare style triples to specify and verify distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and specify behav- iors of agents by their local traces with regard to environmental assumptions — an idea inspired by Rely-Guarantee reasoning. Based on trace semantics, the verification is compositional in both temporal and spatial dimensions. To show validity, we apply our logic to modularly prove several examples.

Markus Kusano,Chao Wang

DOI: https://doi.org/10.48550/arXiv.1709.10116

2017-09-29

Abstract:We propose a constraint-based flow-sensitive static analysis for concurrent programs by iteratively composing thread-modular abstract interpreters via the use of a system of lightweight constraints. Our method is compositional in that it first applies sequential abstract interpreters to individual threads and then composes their results. It is flow-sensitive in that the causality ordering of interferences (flow of data from global writes to reads) is modeled by a system of constraints. These interference constraints are lightweight since they only refer to the execution order of program statements as opposed to their numerical properties: they can be decided efficiently using an off-the-shelf Datalog engine. Our new method has the advantage of being more accurate than existing, flow-insensitive, static analyzers while remaining scalable and providing the expected soundness and termination guarantees even for programs with unbounded data. We implemented our method and evaluated it on a large number of benchmarks, demonstrating its effectiveness at increasing the accuracy of thread-modular abstract interpretation.

Programming Languages

Hongjin Liang,Xinyu Feng,Zhong Shao

DOI: https://doi.org/10.1145/2603088.2603123

2014-01-01

Abstract:Many verification problems can be reduced to refinement verification. However, existing work on verifying refinement of concurrent programs either fails to prove the preservation of termination, allowing a diverging program to trivially refine any programs, or is difficult to apply in compositional thread-local reasoning. In this paper, we first propose a new simulation technique, which establishes termination-preserving refinement and is a congruence with respect to parallel composition. We then give a proof theory for the simulation, which is the first Hoare-style concurrent program logic supporting termination-preserving refinement proofs. We show two key applications of our logic, i.e., verifying linearizability and lock-freedom together for fine-grained concurrent objects, and verifying full correctness of optimizations of concurrent algorithms.

Liangze Yin,Wei Dong,Wanwei Liu,Ji Wang

DOI: https://doi.org/10.1109/icse.2019.00074

2019-01-01

Abstract:Program verification is one of the most important methods to ensuring the correctness of concurrent programs. However, due to the path explosion problem, concurrent program verification is usually time consuming, which hinders its scalability to industrial programs. Parallel processing is a mainstream technique to deal with those problems which require mass computing. Hence, designing parallel algorithms to improve the performance of concurrent program verification is highly desired. This paper focuses on parallelization of the abstraction refinement technique, one of the most efficient techniques for concurrent program verification. We present a parallel refinement framework which employs multiple engines to refine the abstraction in parallel. Different from existing work which parallelizes the search process, our method achieves the effect of parallelization by refinement constraint and learnt clause sharing, so that the number of required iterations can be significantly reduced. We have implemented this framework on the scheduling constraint based abstraction refinement method, one of the best methods for concurrent program verification. Experiments on SV-COMP 2018 show the encouraging results of our method. For those complex programs requiring a large number of iterations, our method can obtain a linear reduction of the iteration number and significantly improve the verification performance.

Fei He,Xiaowei Gao,Bow-Yaw Wang,Lijun Zhang

DOI: https://doi.org/10.1145/2775051.2676998

2015-01-01

Abstract:We propose the first sound and complete learning-based compositional verification technique for probabilistic safety properties on concurrent systems where each component is an Markov decision process. Different from previous works, weighted assumptions are introduced to attain completeness of our framework. Since weighted assumptions can be implicitly represented by multi-terminal binary decision diagrams (MTBDD's), we give an L*-based learning algorithm for MTBDD's to infer weighted assumptions. Experimental results suggest promising outlooks for our compositional technique.

Liangze Yin,Wei Dong,Wanwei Liu,Ji Wang

DOI: https://doi.org/10.1109/tse.2018.2864122

IF: 7.4

2020-01-01

IEEE Transactions on Software Engineering

Abstract:Bounded model checking is among the most efficient techniques for the automated verification of concurrent programs. However, due to the nondeterministic thread interleavings, a large and complex formula is usually required to give an exact encoding of all possible behaviors, which significantly limits the scalability. Observing that the large formula is usually dominated by the exact encoding of the scheduling constraint, this paper proposes a novel scheduling constraint based abstraction refinement method for multi-threaded C program verification. Our method is both efficient in practice and complete in theory, which is challenging for existing techniques. To achieve this, we first proposed an effective and powerful technique which works well for nearly all benchmarks we evaluated. We have proposed the notion of Event Order Graph (EOG), and have devised two graph-based algorithms over EOG for counterexample validation and refinement generation, which can often obtain a small yet effective refinement constraint. Then, to ensure completeness, our method was enhanced with two constraint-based algorithms for counterexample validation and refinement generation. Experimental results on SV-COMP 2017 benchmarks and two real-world server systems indicate that our method is promising and significantly outperforms the state-of-the-art tools.

Hongyu Fan,Weiting Liu,Fei He

DOI: https://doi.org/10.1145/3503221.3508424

2022-01-01

Abstract:Concurrent program verification is challenging due to a large number of thread interferences. A popular approach is to encode concurrent programs as SMT formulas and then rely on off-the-shelf SMT solvers to accomplish the verification. In most existing works, an SMT solver is simply treated as the backend. There is little research on improving SMT solving for concurrent program verification. In this paper, we recognize the characteristics of interference relation in multi-threaded programs and propose a novel approach for utilizing the interference relation in the SMT solving of multi-threaded program verification under various memory models. We show that the backend SMT solver can benefit a lot from the domain knowledge of concurrent programs. We implemented our approach in a prototype tool called Zpre. We compared it with the state-of-the-art Z3 tool on credible benchmarks from the ConcurrencySafety category of SV-COMP 2019. Experimental results show promising improvements attributed to our approach.

Giorgio Delzanno

DOI: https://doi.org/10.48550/arXiv.cs/0601038

2006-01-10

Abstract:We present a technique for the automated verification of abstract models of multithreaded programs providing fresh name generation, name mobility, and unbounded control. As high level specification language we adopt here an extension of communication finite-state machines with local variables ranging over an infinite name domain, called TDL programs. Communication machines have been proved very effective for representing communication protocols as well as for representing abstractions of multithreaded software. The verification method that we propose is based on the encoding of TDL programs into a low level language based on multiset rewriting and constraints that can be viewed as an extension of Petri Nets. By means of this encoding, the symbolic verification procedure developed for the low level language in our previous work can now be applied to TDL programs. Furthermore, the encoding allows us to isolate a decidable class of verification problems for TDL programs that still provide fresh name generation, name mobility, and unbounded control. Our syntactic restrictions are in fact defined on the internal structure of threads: In order to obtain a complete and terminating method, threads are only allowed to have at most one local variable (ranging over an infinite domain of names).

Logic in Computer Science,Programming Languages

Jinjiang Lei,Zongyan Qiu,Zhong Shao

DOI: https://doi.org/10.1109/TASE.2014.14

2014-01-01

Abstract:Verification of concurrent systems is difficult because of their inherent nondeterminism. Modern verification requires clean specifications of inter-thread interferences and modular reasoning over separated components. But for message-passing models, a general reasoning system, which meets these standards, is still in demand. Here we propose a new logic for verifying distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and constrain the environmental interferences by logical invariants. The verification is compositional w.r.t. agents as long as some inter-agent constraints are satisfied. Using this logic we successfully verified two classic message-passing algorithms: leader election and merging network.

Marc Brockschmidt,Daniel Larraz,Albert Oliveras,Enric Rodriguez-Carbonell,Albert Rubio

DOI: https://doi.org/10.48550/arXiv.1507.03851

2015-08-04

Abstract:We present an automated compositional program verification technique for safety properties based on conditional inductive invariants. For a given program part (e.g., a single loop) and a postcondition $\varphi$, we show how to, using a Max-SMT solver, an inductive invariant together with a precondition can be synthesized so that the precondition ensures the validity of the invariant and that the invariant implies $\varphi$. From this, we build a bottom-up program verification framework that propagates preconditions of small program parts as postconditions for preceding program parts. The method recovers from failures to prove the validity of a precondition, using the obtained intermediate results to restrict the search space for further proof attempts. As only small program parts need to be handled at a time, our method is scalable and distributable. The derived conditions can be viewed as implicit contracts between different parts of the program, and thus enable an incremental program analysis.

Logic in Computer Science

Ling Zhang,Yuting Wang,Jinhua Wu,Jérémie Koenig,Zhong Shao

DOI: https://doi.org/10.1145/3632914

2023-11-18

Abstract:Verified compilation of open modules (i.e., modules whose functionality depends on other modules) provides a foundation for end-to-end verification of modular programs ubiquitous in contemporary software. However, despite intensive investigation in this topic for decades, the proposed approaches are still difficult to use in practice as they rely on assumptions about the internal working of compilers which make it difficult for external users to apply the verification results. We propose an approach to verified compositional compilation without such assumptions in the setting of verifying compilation of heterogeneous modules written in first-order languages supporting global memory and pointers. Our approach is based on the memory model of CompCert and a new discovery that a Kripke relation with a notion of memory protection can serve as a uniform and composable semantic interface for the compiler passes. By absorbing the rely-guarantee conditions on memory evolution for all compiler passes into this Kripke Memory Relation and by piggybacking requirements on compiler optimizations onto it, we get compositional correctness theorems for realistic optimizing compilers as refinements that directly relate native semantics of open modules and that are ignorant of intermediate compilation processes. Such direct refinements support all the compositionality and adequacy properties essential for verified compilation of open modules. We have applied this approach to the full compilation chain of CompCert with its Clight source language and demonstrated that our compiler correctness theorem is open to composition and intuitive to use with reduced verification complexity through end-to-end verification of non-trivial heterogeneous modules that may freely invoke each other (e.g., mutually recursively).

Programming Languages

Fei He,He Zhu,William N. N. Hung,Xiaoyu Song,Ming Gu

DOI: https://doi.org/10.1109/tase.2010.27

2010-01-01

Abstract:Model checking suffers from the state explosion problem. Compositional abstraction and abstraction refinement have been investigated in many areas to address this problem. This paper considers the compositional model checking for timed systems. We present an automated approach which combines compositional abstraction and counter-example guided abstraction refinement (CEGAR). The proposed approach exploits the semantics of a timed automaton to procure its over-approximative abstraction. Any safety property which holds on the abstraction is guaranteed to hold on the concrete model. In the case of a spurious counter-example, our proposed approach refines and strengthens the abstraction in a component-wise method. We implemented our method with the model checking tool Uppaal. Experimental results show promising improvements.