Reducing Context-bounded Concurrent Reachability to Sequential Reachability

Gennaro ParlatoUniversity of Illinois at Urbana-Champaign

Salvatore La Torre (U. Salerno, Italy)P. Madhusudan (U . Illinois U.-C., U.S.A.)

What is this talk about? Translation from concurrent recursive programs to

sequential programs that preserves reachability

Use existing technique for sequential programs to analyze concurrent programs Model checkers, Deductive verification, …

T1 T2 Tn

shared vars

…Seq.

program

From concurrent to sequential

Always possible but can be inefficient simulate the global behavior (track all locals of each thread) current techniques do not work

What do we want? avoid the extreme blow-up track at any point only the locals of one thread

What we want is not always possible

But is possible restricted : bounded context-switching reahability [Quadeer,Wu, PLDI’04] errors manifest within few contest-switches [Musuvathi, Qadeer, PLDI’07]

Concurrent programs fixed number of (recursive) threads running in parallel

each thread Ti has its own local variables

threads communicate through shared variables

T1 T2 Tn

shared vars

…loc loc loc

Anatomy of a k-CS execution

(l, s1)

(l, s2)

(l’1,s1)

(l’2,s2)

T1 T2

A transformation already exists [Lal, Reps CAV’08]

Sequential program

1. Execute T1 to completion

2. Remember s1, s2,…, sk

3. Execute T2 to completion

(l1,s1)

s1

s2

s3

s4

s5

T1

(l1,s2)

(l2,s3)

(l2,s4)

(l3,s5)

store s1

guess s2

store s3

guess s4

store s5

T2

A transformation already exists [Lal, Reps CAV’08]

Sequential program

1. Execute T1 to completion

2. Remember s1, s2,…, sk

3. Execute T2 to completion

(l’1,s1)

s1

s2

s3

s4

s5

T1

(l’2,s2)

(l’2,s3)

(l’3,s4)

(l’3,s5)

T2

s2-> s3

s4-> s5

A transformation already exists [Lal, Reps CAV’08]

s1

s2

s3

s4

s5

T1

s2 is guesseds2 may be unreachable

EAGER

T2

Eager transformation: disadvantages

void thread1() { while (blocked) skip; x = x/y; if (x%2==1) ERROR; }

void thread2() { x=12; y=2;

//unblock thread2 blocked=false;}

// shared variablesbool blocked=true;int x=0, y=0;

Inv: y != 0

blocked=true

blocked=false

guess y=0

We want a lazy transformation

The lazy sequential program explores only reachable states of the concurrent program

Why is it desirable?

In model-checking it can drastically reduce the explored state-space Better invariants for deductive verification

A lazy transformation to sequential programs was not known

Our contribution

Lazy transformation from concurrent to sequential programs that reduces the k context-switches reachability problem

Model-checking Lazy => unreachable states not explored Implementation of translation for Boolean programs Evaluation on a Bluetooth device driver

Lazy transformation

Lazy transformation: main idea

Execute T1

Context-switch: store s1

and abort

Execute T2 from s1

store s2 and abort

(l1,s1)

(l’1,s1)

(l’2,s2)

T1(l0,s0)

T2

store s1

& abort store s2

& abort

Lazy transformation: main idea

Re-execute T1 till it reaches s1

May reach a new local state!

But is anyway correct !!

(l1,s1)

(l’1,s1)

(l’2,s2)

T1(l0,s0)

T2

store s1

& abort store s2

& abort(l’’1,s1)

store s3

& abort

(l’’1,s2)

Lazy transformation: main idea

Switch to T2

Execute till it reaches s2

Continue computation

(l1,s1)

(l’1,s1)

(l’2,s2)

T1(l0,s0)

T2

store s1

& abort store s2

& abort(l’’1,s1)

store s3

& abort

(l’’’1,s2)

(l’’1,s2) (l’’’1,s3)

store s4

& abort

Lazy transformation: main idea

T1 T2

store s1

store s2

store s3

store s4

store s5

end

s1

s2

s3s4

s1

s2

s3

s4

s5

Lazy translation scheme

main()

Thread1()

Output is a sequential program consisting of:

Thread2()

Lazy translation scheme

main()

Thread1()

stmt1;

stmt2;

Output is a sequential program consisting of:

Thread2()

Guess scheduling Orchestrate calls to threads

Nondet jump to next context where this thread is active At last context-switch, store shared state, abort, and return to main

Reduction of bounded context-switch reachability

Theorem:Let C be a concurrent program, k>0 and pc be a program counter of C

pc is reachable in C within k context switches iff pc is reachable in SeqProgk(C)

Lazy translation

Explores only reachable states

Preserves invariants across the translation

Tracks local state of one thread at any time

Tracks values of shared variables at context switches (s1, s2, …, sk)

Requires recomputation of local states

Experiments

Model checking concurrent Boolean programs

Boolean programs Concurrent Boolean programs Boolean programs

We have implemented the eager and lazy translator for concurrent Boolean programs

Download: http://www.cs.uiuc.edu/~madhu/getafix/cbp2bp Eager => explores unreachable states Lazy => explores only reachable states

Experiments: Windows NT Bluetooth driver

Contextswitches

1-adder1-stopper

2-adders1-stopper

1-adder 2-stoppers

2-adders 2-stoppers

eager lazy eager lazy eager lazy eager lazy

123456

NNNNNN

0.10.3

43.373.6

930.0-

0.10.21.45.5

20.266.8

NNNYYY

0.20.9

135.91601.0

--

0.10.86.32.6

18.0122.9

NNYYYY

0.10.7

70.1597.2

--

0.10.90.42.9

14.066.1

NNYYYY

0.21.6

177.6out of mem.out of mem.out of mem.

0.12.00.87.5

66.5535.9

Related Work

KISS project [Qadeer-Wu,PLDI’04]

Decidability of context-bounded analysis [Qadeer-Rehof,TACAS05]

Automata-based symbolic solution [Suwimonteerabuth-Esparza-Schwoon,SPIN’08]]

Symbolic fixed-point solution to lazy computation of reachable states [La Torre-Madhusudan-Parlato,PLDI’09]

Eager translation and symbolic algorithm to compute reachable states lazily

[Lal-Reps,CAV’08]

Translation for deductive verification [Lahiri-Qadeer-Rakamaric, CAV09]

next talk!!

Future work

We have a lazy transformation for unbounded number of threads!!!