Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/s10817-009-9118-9

2009-01-01

Journal of Automated Reasoning

Abstract:Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

Qingkai Shi,Jeff Huang,Zhenyu Chen,Baowen Xu

DOI: https://doi.org/10.1109/tse.2015.2477820

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Atomicity is a fundamental property to guarantee the isolation of a work unit (i.e., a sequence of related events in a thread) from concurrent threads. However, ensuring atomicity is often very challenging due to complex thread interactions. We present an approach to help developers verify whether such work units, which have triggered bugs due to certain violations of atomicity, are sufficiently synchronized or not by locks introduced for fixing the bugs. A key feature of our approach is that it combines the fortes of both bug-driven and change-aware techniques, which enables it to effectively verify synchronizations by testing only a minimal set of suspicious atomicity violations without any knowledge on the to-be-isolated work units, thus being more efficient and practical than other approaches. Besides, unlike existing approaches, our approach effectively utilizes all the inferred execution traces even they may not be completely feasible, such that the verification algorithm can converge much faster. We demonstrate via extensive evaluation that our approach is much more effective and efficient than the state-of-the-arts. Besides, we show that although there have existed sound automatic fixing techniques for atomicity violations, our approach is still necessary and useful for quality assurance of concurrent programs, because the assumption behind our approach is much weaker. We have also investigated one of the largest bug databases and found that insufficient synchronizations are common and difficult to be found in software development.

Minxue Pan,Shouyu Chen,Yu Pei,Tian Zhang,Xuandong Li

DOI: https://doi.org/10.1109/icse.2019.00037

2019-01-01

Abstract:The widespread real-time and embedded systems are mostly interrupt-driven because their heavy interaction with the environment is often initiated by interrupts. With the interrupt arrival being unpredictable and the interrupt handling being preemptive, a large number of possible system behaviours are generated, which makes the correctness assurance of such systems difficult and costly. Model checking is considered to be one of the effective methods for exhausting behavioural state space for correctness. However, existing modelling approaches for interrupt-driven systems are based on either calculus or automata theory, and have a steep learning curve. To address this problem, we propose a new modelling language called interrupt sequence diagram (ISD). By extending the popular UML sequence diagram notations, the ISD supports the modelling of interrupts' essential features visually and concisely. We also propose an automata-based semantics for ISD, based on which ISD can be transformed to a subset of hybrid automata so as to leverage the abundant off-the-shelf checkers. Experiments on examples from both real-world and existing literature were conducted, and the results demonstrate our approach's usability and effectiveness.

Han Liu,Yu Jiang,Huafeng Zhang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1007/978-3-319-48989-6_48

2016-01-01

Abstract:Multifunction Vehicle Bus controllers (MVBC) are safety-critical sub-systems in the industrial train communication network. As an interrupt-driven system, MVBC is practically hard to verify. The reasons are twofold. First, MVBC introduces the concurrency semantics of deferred interrupt handlers and communication via hardware registers, making existing formalism infeasible. Second, verifying MVBC requires considering the environmental features (i.e., interrupt ordering), which is hard to model and reason. To overcome these limitations, we proposed a novel framework for formal verification on MVBC. First, we formalized the concurrency semantics of MVBC and described a sequentialization technique so that well-designed sequential analyses can be performed. Moreover, we introduced the happen-before interrupt graph to model interrupt dependency and further eliminate false alarms. The framework scaled well on an industrial MVBC product from CRRC Inc. and found 3 severe software bugs, which were all confirmed by engineers.

Kedar S. Namjoshi

DOI: https://doi.org/10.4204/EPTCS.129.25

2013-09-20

Abstract:Fully automated verification of concurrent programs is a difficult problem, primarily because of state explosion: the exponential growth of a program state space with the number of its concurrently active components. It is natural to apply a divide and conquer strategy to ameliorate state explosion, by analyzing only a single component at a time. We show that this strategy leads to the notion of a "split" invariant, an assertion which is globally inductive, while being structured as the conjunction of a number of local, per-component invariants. This formulation is closely connected to the classical Owicki-Gries method and to Rely-Guarantee reasoning. We show how the division of an invariant into a number of pieces with limited scope makes it possible to apply new, localized forms of symmetry and abstraction to drastically simplify its computation. Split invariance also has interesting connections to parametric verification. A quantified invariant for a parametric system is a split invariant for every instance. We show how it is possible, in some cases, to invert this connection, and to automatically generalize from a split invariant for a small instance of a system to a quantified invariant which holds for the entire family of instances.

Logic in Computer Science

Dirk Beyer,Po-Chun Chien,Nian-Ze Lee

2024-10-25

Abstract:Software model checking is a challenging problem, and generating relevant invariants is a key factor in proving the safety properties of a program. Program invariants can be obtained by various approaches, including lightweight procedures based on data-flow analysis and intensive techniques using Craig interpolation. Although data-flow analysis runs efficiently, it often produces invariants that are too weak to prove the properties. By contrast, interpolation-based approaches build strong invariants from interpolants, but they might not scale well due to expensive interpolation procedures. Invariants can also be injected into model-checking algorithms to assist the analysis. Invariant injection has been studied for many well-known approaches, including k-induction, predicate abstraction, and symbolic execution. We propose an augmented interpolation-based verification algorithm that injects external invariants into interpolation-based model checking (McMillan, 2003), a hardware model-checking algorithm recently adopted for software verification. The auxiliary invariants help prune unreachable states in Craig interpolants and confine the analysis to the reachable parts of a program. We implemented the proposed technique in the verification framework CPAchecker and evaluated it against mature SMT-based methods in CPAchecker as well as other state-of-the-art software verifiers. We found that injecting invariants reduces the number of interpolation queries needed to prove safety properties and improves the run-time efficiency. Consequently, the proposed invariant-injection approach verified difficult tasks that none of its plain version (i.e., without invariants), the invariant generator, or any compared tools could solve.

Software Engineering

Mingxing Zhang,Yongwei Wu,Shan Lu,Shanxiang Qi,Jinglei Ren,Weimin Zheng

DOI: https://doi.org/10.1109/tse.2016.2531666

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Concurrency bugs are notoriously difficult to eradicate during software testing because of their non-deterministic nature. Moreover, fixing concurrency bugs is time-consuming and error-prone. Thus, tolerating concurrency bugs during production runs is an attractive complementary approach to bug detection and testing. Unfortunately, existing bug-tolerating tools are usually either 1) constrained in types of bugs they can handle or 2) requiring roll-back mechanism, which can hitherto not be fully achieved efficiently without hardware supports. This paper presents a novel program invariant, called Anticipating Invariant (AI), which can help anticipate bugs before any irreversible changes are made. Benefiting from this ability of anticipating bugs beforehand, our software-only system is able to forestall the failures with a simple thread stalling technique, which does not rely on execution roll-back and hence has good performance Experiments with 35 real-world concurrency bugs demonstrate that AI is capable of detecting and tolerating most types of concurrency bugs, including both atomicity and order violations. Two new bugs have been detected and confirmed by the corresponding developers. Performance evaluation with 6 representative parallel programs shows that AI incurs negligible overhead (<1%) for many nontrivial desktop and server applications.

Yu Wang,Junjing Shi,Linzhang Wang,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/2875913.2875943

2015-01-01

Abstract:Interrupt-driven programs are often embedded in safety-critical systems to perform hardware/resource dependent data operation tasks, such as data acquisition, processing, and transformation. The interrupt programs and tasks may happen in parallel which in a result causes indeterminist concurrent problems at runtime. Data race is one of the most popular problems challenging researchers and practitioners. Various static analysis, software testing approaches have been proposed to detect data races in source code, testing, and even production run. However, static analysis may report too many false positives due to the lack of execution information. Dynamic testing may miss some important races since it could not generate adequate test cases to test all possible execution scenarios. In this paper, we propose a hybrid approach to detect data races in interrupt-driven programs based on static analysis and dynamic simulation. We implemented a prototype tool and conducted a controlled experiment to demonstrate the applicability of our approach.

Weiyu Luo,Brian Demsky

DOI: https://doi.org/10.48550/arXiv.2102.07901

2021-02-25

Abstract:Writing correct concurrent code that uses atomics under the C/C++ memory model is extremely difficult. We present C11Tester, a race detector for the C/C++ memory model that can explore executions in a larger fragment of the C/C++ memory model than previous race detector tools. Relative to previous work, C11Tester's larger fragment includes behaviors that are exhibited by ARM processors. C11Tester uses a new constraint-based algorithm to implement modification order that is optimized to allow C11Tester to make decisions in terms of application-visible behaviors. We evaluate C11Tester on several benchmark applications, and compare C11Tester's performance to both tsan11rec, the state of the art tool that controls scheduling for C/C++; and tsan11, the state of the art tool that does not control scheduling.

Programming Languages

Kuanjiu Zhou,Jiawei Yong,Xiaolong Wang,Longtao Ren,Gang Hou,Junwang Chang

DOI: https://doi.org/10.1007/978-3-642-45293-2_26

2013-01-01

Abstract:Model checking technique has been gradually applied to verify the reliability of software systems. However, as to software with large scale and complex structure, the verification procedure suffers from the state space explosion, thus leading to a low efficiency or resource exhaustion. In this paper, we propose a method of accelerating software model checking based on program backbone to verify the properties in ANSI-C source codes. We prune the program with respect to the assertion property, and compress the circular paths by maximal strongly connected components to extract the program backbone. Subsequently, the Hoare theory is used to generate an invariant from the compressed circular nodes, which reduces the length of path encoding. The assertion property is finally translated into a quantifier-free formula and checked for satisfiability by the SMT solver Z3. The experiments show that this method substantially improves the efficiency of program verification.

Sanjana Singh,Divyanjali Sharma,Subodh Sharma

DOI: https://doi.org/10.48550/arXiv.2103.01553

2021-03-02

Programming Languages

Abstract:We investigate the problem of runtime analysis of C11 programs under Multi-Copy-Atomic semantics (MCA). Under MCA, one can analyze program outcomes solely through interleaving and reordering of thread events. As a result, obtaining intuitive explanations of program outcomes becomes straightforward. Newer versions of ARM (ARMv8 and later), Alpha, and Intel's x-86 support MCA. Our tests reveal that state-of-the-art dynamic verification techniques that analyze program executions under the C11 memory model generate safety property violations that can be interpreted as false alarms under MCA semantics. Sorting the true from false violations puts an undesirable burden on the user. In this work, we provide a dynamic verification technique (MoCA) to analyze C11 program executions which are permitted under the MCA model. We design a happens-before relation and introduce coherence rules to capture precisely those C11 program executions which are allowed under the MCA model. MoCA's exploration of the state-space is based on the state-of-the-art dynamic verification algorithm, source-DPOR. Our experiments validate that MoCA captures all coherent C11 program executions, and is precise for the MCA model.

Yong Li,Yu Zhang,Yiyun Chen,Ming Fu

DOI: https://doi.org/10.1109/ssiri.2009.8

2009-01-01

Abstract:Transactional memory(TM) provides an easy-using and high-performance parallel programming model for multicore systems. It simplifies parallel programming by supporting that transactions appear to execute atomically and in isolation. Despite the large amount of recent works on various TM implementations, very little has been devoted to precisely guarantee that these implementations have implemented the atomicity and isolation properties. In previous work we have proposed a framework on the correctness of STM programs by formally certifying the shared memory invariant at assembly level. Now the framework is extended and we certify the strong atomicity property of programs using STM in this paper. In particular, we formalize the strong atomicity as the shared memory consistence of states in our model and use a notion of "local guarantee" to check the shared memory consistence for verification. Our work provides a foundation for certifying realistic transactional programs and makes an important advance toward generating proof-carrying code.

Chang Liu,Xiwei Wu,Yuan Feng,Qinxiang Cao,Junchi Yan

2024-06-07

Abstract:Program verification is vital for ensuring software reliability, especially in the context of increasingly complex systems. Loop invariants, remaining true before and after each iteration of loops, are crucial for this verification process. Traditional provers and machine learning based methods for generating loop invariants often require expert intervention or extensive labeled data, and typically only handle numerical property verification. These methods struggle with programs involving complex data structures and memory manipulations, limiting their applicability and automation capabilities. In this paper, we introduce a new benchmark named LIG-MM, specifically for programs with complex data structures and memory manipulations. We collect 312 programs from various sources, including daily programs from college homework, the international competition (SV-COMP), benchmarks from previous papers (SLING), and programs from real-world software systems (Linux Kernel, GlibC, LiteOS, and Zephyr). Based on LIG-MM, our findings indicate that previous methods, including GPT-4, fail to automate verification for these programs. Consequently, we propose a novel LLM-SE framework that coordinates LLM with symbolic execution, fine-tuned using self-supervised learning, to generate loop invariants. Experimental results on LIG-MM demonstrate that our LLM-SE outperforms state-of-the-art methods, offering a new direction toward automated program verification in real-world scenarios.

Programming Languages

Wei He

DOI: https://doi.org/10.48550/arXiv.1906.11929

2019-06-28

Abstract:Compilers can specialize programs having invariants for performance improvement. Detecting program invariants that span large and complex code, however, is difficult for compilers. Traditional compilers do not perform very expensive analysis and thus only identify limited invariants, which limits the potential of subsequent optimizations. We would like to address the invariant detection problem via more sophisticated analyses using program verification tools. In this paper, we reveal pitfalls of choosing program verification tools for invariant detection, identify challenges of modeling program behavior using one of these tools---CVC4, and propose some ideas about how to address the challenges.

Programming Languages

Ashish Darbari,Iain Singleton

DOI: https://doi.org/10.48550/arXiv.1606.02347

2017-04-30

Abstract:Verification of concurrent systems with thousands of multiple threads and transactions is a challenging problem not just for simulation or emulation but also for formal. To get designs to work correctly and provide optimal PPA the designers often use complex optimizations requiring sharing of multiple resources amongst active threads and transactions using FIFOs, stallers, pipelining, out-of-order scheduling, and complex layered arbitration. This is true of most non-trivial designs irrespective of a specific application domain such as CPU, GPU or communication. At the outset a lot of these application domains look diverse and complex; however at some level of detail all of these employ common design principles of sequencing, load balancing, arbitration and hazard prevention. We present in this paper a key abstraction based methodology for verifying ordering correctness and arbitration across a range of designs which are derived from different application domains. We show how by using abstractions and supporting them with invariants one can not only find deep corner case bugs in sequentially very deep designs; we can also build exhaustive proofs to prove the absence of critical bugs such as deadlock, starvation, and loss of data integrity. We present experimental results on a range of different designs and show that on some of the designs such as FIFOs we can verify over 100 different types of FIFOs for ordering correctness using a single assertion in a single testbench. We also show how the methodology of FIFO verification can be adapted to verify over half-a-dozen different types of arbiters including a very complex memory subsystem arbiter. We verify a multi-clocked synchronizer and a packet based design from a networking domain using the same abstraction as used in FIFO verification. The results demonstrate the strength of our methodology which is both reusable and compact.

Software Engineering,Logic in Computer Science

Paul Eichler,Swen Jacobs,Chana Weil-Kennedy

2024-08-12

Abstract:We introduce a new framework for verifying systems with a parametric number of concurrently running processes. The systems we consider are well-structured with respect to a specific well-quasi order. This allows us to decide a wide range of verification problems, including control-state reachability, coverability, and target, in a fixed finite abstraction of the infinite state-space, called a 01-counter system. We show that several systems from the parameterized verification literature fall into this class, including reconfigurable broadcast networks (or systems with lossy broadcast), disjunctive systems, synchronizations and systems with a fixed number of shared finite-domain variables. Our framework provides a simple and unified explanation for the properties of these systems, which have so far been investigated separately. Additionally, it extends and improves on a range of the existing results, and gives rise to other systems with similar properties.

Formal Languages and Automata Theory

Ying Zhao,Jinhao Tan,Guoqiang Li

2021-01-01

Abstract: Program verification on concurrent programs is a big challenge due to general undecidable results. Petri nets and its extensions are used in most works. However, existing verifiers based on Petri nets are difficult to be complete and efficient. Basic Parallel Process (BPP), as a subclass of Petri nets, can be used as a model for describing and verifying concurrent programs with lower complexity. We propose and implement BPPChecker, the first model checker for verifying CTL on BPP. We propose constraint-based algorithms for the problem of model checking CTL on BPPs and handle formulas by SMT solver Z3. For EF operator, we reduce the model checking of EF-formulas to the satisfiability problem of existential Presburger formula. For EG operator, we provide a $k$-step bounded semantics and reduce the model checking of EG-formulas to the satisfiability problem of linear integer arithmetic. Besides, we give Actor Communicating System (ACS) the over-approximation BPP-based semantics and evaluate BPPChecker on ACSs generated from real Erlang programs. Experimental results show that BPPChecker performs more efficiently than the existing tools for a series of branching-time property verification problems of Erlang programs.

Asankhaya Sharma

DOI: https://doi.org/10.48550/arXiv.1909.09324

2019-09-20

Abstract:Integer overflow accounts for one of the major source of bugs in software. Verification systems typically assume a well defined underlying semantics for various integer operations and do not explicitly check for integer overflow in programs. In this paper we present a specification mechanism for expressing integer overflow. We develop an automated procedure for integer overflow checking during program verification. We have implemented a prototype integer overflow checker and tested it on a benchmark consisting of already verified programs (over 14k LOC). We have found 43 bugs in these programs due to integer overflow.

Programming Languages

Patrick Metzler,Habib Saissi,Péter Bokor,Neeraj Suri

DOI: https://doi.org/10.48550/arXiv.1809.01955

2020-04-14

Abstract:Automated software verification of concurrent programs is challenging because of exponentially large state spaces with respect to the number of threads and number of events per thread. Verification techniques such as model checking need to explore a large number of possible executions that are possible under a non-deterministic scheduler. State space reduction techniques such as partial order reduction simplify the verification problem, however, the reduced state space may still be exponentially large and intractable. This paper discusses \emph{Iteratively Relaxed Scheduling}, a framework that uses scheduling constraints in order to simplify the verification problem and enable automated verification of programs which could not be handled with fully non-deterministic scheduling. Program executions are safe as long as the same scheduling constraints are enforced under which the program has been verified, e.g., by instrumenting a program with additional synchronization. As strict enforcement of scheduling constraints may induce a high execution time overhead, we present optimizations over a naive solution that reduce this overhead. Our evaluation of a prototype implementation on well-known benchmark programs shows the effect of scheduling constraints on the execution time overhead and how this overhead can be reduced by relaxing and choosing constraints.

Programming Languages

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.