Static and Precise Detection of Concurrency Errors in Systems Code Using SMT Solvers

We present layered concurrent programs, a compact and expressive notation for specifying refinement proofs of concurrent programs. A layered concurrent program specifies a sequence of connected concurrent programs, from most concrete to most abstract, such that common parts of different programs are written exactly once. These programs are expressed in the ordinary syntax of imperative concurrent programs using gated atomic actions, sequencing, choice, and (recursive) procedure calls. Each concurrent program is automatically extracted from the layered program. We reduce refinement to the safety of a sequence of concurrent checker programs, one each to justify the connection between every two consecutive concurrent programs. These checker programs are also automatically extracted from the layered program. Layered concurrent programs have been implemented in the Civl verifier which has been successfully used for the verification of several complex concurrent programs.

Verification of Concurrent Assembly Programs with a Petri Net Based Safety Policy

We show that any concurrent program that is amenable to compositional reasoning can be effectively translated to a sequential program. More precisely, we give a reduction from the verification problem for concurrent programs against safety specifications to the verification of sequential programs against safety specifications, where the reduction is parameterized by a set of auxiliary variables A, such that the concurrent program compositionally satisfies its specification using auxiliary variables A iff the sequentialization satisfies its specification. Existing sequentializations for concurrent programs work only for underapproximations like bounded context-switching, while our sequentialization has the salient feature that it can prove concurrent programs entirely correct, as long as it has a compositional proof. The sequentialization allows us to use sequential verification tools (including deductive verification tools and predicate abstraction tools) to analyze and prove concurrent programs correct. We also report on our experience in the deductive verification of concurrent programs by proving their sequential counterparts using the program verifier BOOGIE.

We present a framework for the specification and verification of reactive concurrent programs using general-purpose mechanical theorem proving. We define specifications for concurrent programs by formalizing a notion of refinements analogous to stuttering trace containment. The formalization supports the definition of intuitive specifications of the intended behavior of a program. We present a collection of proof rules that can be effectively orchestrated by a theorem prover to reason about complex programs using refinements. The proof rules systematically reduce the correctness proof for a concurrent program to the definition and proof of an invariant. We include automated support for discharging this invariant proof with a predicate abstraction tool that leverages the existing theorems proven about the components of the concurrent programs. The framework is integrated with the ACL2 theorem prover and we demonstrate its use in the verification of several concurrent programs in ACL2.

A Coq Library for Verification of Concurrent Programs

The verification of programs that contain mutually recursive procedures is a difficult task, and one which has not been satisfactorily addressed in the literature. Published proof rules have been later discovered to be unsound. Verification Condition Generator (VCG) tools have been effective in partially automating the verification of programs, but in the past these VCG tools have in general not themselves been proven, so any proof using and depending on these VCGs might not be sound. In this paper we present a set of proof rules for proving the partial correctness of programs with mutually recursive procedures, together with a VCG that automates the use of the proof rules in program correctness proofs. The soundness of the proof rules and the VCG itself have been mechanically proven within the Higher Order Logic theorem prover, with respect to the underlying structural operational semantics of the programming language. This proof of soundness then forms the core of an implementation of the VCG that significantly eases the verification of individual programs with complete security.

This work utilizes the plethora of work on verification of sequential programs for the purpose of verifying concurrent programs. We reduce the verification of a concurrent program to a series of verification tasks of sequential programs. Our approach is modular in the sense that each sequential verification task roughly corresponds to the verification of a single thread, with some additional information about the environment in which it operates. Information regarding the environment is gathered during the run of the algorithm, by need. While our approach is general, it specializes on concurrent programs where the threads are structured hierarchically. The idea is to exploit the hierarchy in order to minimize the amount of information that needs to be transferred between threads. To that end, we verify one of the threads, considered “main”, as a sequential program. Its verification process initiates queries to its “environment” (which may contain multiple threads). Those queries are answered by sequential verification, if the environment consists of a single thread, or, otherwise, by applying the same hierarchical algorithm on the environment. Our technique is fully automatic, and allows us to use any off-the-shelf sequential model checker. We implemented our technique in a tool called CoMuS and evaluated it against established tools for concurrent verification. Our experiments show that it works particularly well on hierarchically structured programs.

Read-write locking is an important mechanism to improve concurrent granularity, but it is difficult to reason about the safety of concurrent programs with read-write locks. Concurrent separation logic (CSL) provides a simple but powerful technique for locally reasoning about concurrent programs with mutual exclusive locks. Unfortunately, CSL cannot be directly applied to reasoning about concurrent programs with read-write locks due to the different concurrent control mechanisms. This paper focuses on extending CSL and presenting a proof-carrying code (PCC) system for reasoning about concurrent programs with read-write locks. We extend the heap model with a writing permission set, denoted as logical heap, then define “strong separation” and “weak separation” over logical heap. Following CSL’s local-reasoning idea, we develop a novel program logic to enforce weak separations of heap between different threads and provide verification of concurrent programs with read-write locks.

In this paper we report on our experiments in using the currently popular Smt (Sat Modulo Theories) solvers Yices [10] and Cvc3 [1] and the Simplify theorem prover [9] to discharge verification conditions (VCs) from programs written in the Spark language [5]. Spark is a subset of Ada used primarily in high-integrity systems in the aerospace, defence, rail and security industries. Formal verification of Spark programs is supported by tools produced by the UK company Praxis High Integrity Systems. These tools include a VC generator and an automatic prover for VCs.We find that Praxis's prover can prove more VCs than Yices, Cvc3 or Simplify because it can handle some relatively simple non-linear problems, though, by adding some axioms about division and modulo operators to Yices, Cvc3 and Simplify, we can narrow the gap. One advantage of Yices, Cvc3 and Simplify is their ability to produce counterexample witnesses to VCs that are not valid.This work is the first step in a project to increase the fraction of VCs from current Spark programs that can be proved automatically and to broaden the range of properties that can be automatically checked. For example, we are interested in improving support for non-linear arithmetic and automatic loop invariant generation.

Secure mechanical verification of mutually recursive procedures

Concurrent program verification is challenging because it involves exploring a large number of possible thread interleavings together with complex sequential reasoning. As a result, concurrent program verifiers resort to bi-modal reasoning, which alternates between reasoning over intra-thread (sequential) semantics and inter-thread (concurrent) semantics. Such reasoning often involves repeated intra-thread reasoning for exploring each interleaving (inter-thread reasoning) and leads to inefficiency. In this paper, we present a new two-stage analysis which completely separates intra- and inter-thread reasoning. The first stage uses sequential program semantics to obtain a precise summary of each thread in terms of the global accesses made by the thread. The second stage performs inter-thread reasoning by composing these thread-modular summaries using the notion of sequential consistency. Assertion violations and other concurrency errors are then checked in this composition with the help of an off-the-shelf SMT solver. We have implemented our approach in the FUSION framework for checking concurrent C programs shows that avoiding redundant bi-modal reasoning makes the analysis more scalable.

Verification condition generators (VCGs) can reduce overall correctness statements about sequential programs to verification conditions (VCs) that can then be proved independently by automatic theorem provers like SMT solvers. SMT solvers became not only more powerful in recent years in that they can now solve much bigger problems than before, they can now also solve problems of less restricted logics, for example, by covering non-linear arithmetic as required by some hybrid systems. However, there is so far still no VCG procedure that could generate VCs of hybrid programs for these SMT solvers. We therefore propose in this paper a first VCG procedure for hybrid systems that is based on induction proofs on the strongly connected components (SCCs) of the underlying state transition diagrams. Given the right invariants for a safety property, the VCs can be automatically generated for the considered hybrid system. The validity of the VCs is then independently proved by SMT solvers and implies the correctness of the considered safety property.

The Java programming language is a modem object-oriented language that supports concurrency. Ensuring concurrent programs are correct is difficult. Additional problems encountered in concurrent programs, compared with sequential programs, include deadlock, livelock, starvation, and dormancy. Often these problems are related and are sometimes side effects of one another Furthermore, different programming languages attach different meanings to these terms. Sun Microsystems provides a textual description of the Java concurrency model which is inadequate for reasoning with such programs. Formal specifications are required for verifying concurrent programs through the use of tools and methods such as static analysis, dynamic analysis, model-checking, and theorem proving. It is clear that the behaviour of the Java concurrency model must be unambiguous and well-understood for these tools to operate effectively. This paper presents a formal specification of the Java concurrency model using the Z specification language. A number of important correctness properties of concurrent programs are constructed from the model, and their application to the implementation of verification and testing tools for concurrent Java programs is discussed.

Traditional fault localization techniques are well equipped for identifying faults in sequential programs. Faults in concurrent programs are caused due to interleaving of the threads during run-time. Finding the faults in concurrent programs are more difficult in comparison with sequential programs. In this paper, we have proposed a fault localization framework based on spectrum-based fault localization for concurrent programs to find the faults occurs during execution of multiple threads. The technique finds the most suspicious function or branch for effective fault localization. We have tested the proposed the technique with two different concurrent example programs to check the accuracy of the technique.

It is essential to deal with the interference of the environment between programs in concurrent program verification. This has led to the development of concurrent program reasoning techniques such as rely-guarantee. However, the source code of the programs to be verified often involves language features such as exceptions and procedures which are not supported by the existing mechanizations of those concurrent reasoning techniques. Schirmer et al. have solved a similar problem for sequential programs by developing a verification framework in the Isabelle/HOL theorem prover called Simpl, which provides a rich sequential language that can encode most of the features in real world programming languages. However Simpl only aims to verify sequential programs, and it does not support the specification nor the verification of concurrent programs. In this paper we introduce CSimpl, an extension of Simpl with concurrency-oriented language features and verification techniques. We prove the compositionality of the CSimpl semantics and we provide inference rules for the language constructors to reason about CSimpl programs using rely-guarantee, showing that the inference rules are sound w.r.t. the language semantics. Finally, we run a case study where we use CSimpl to specify and prove functional correctness of an abstract communication model of the XtratuM partitioning separation micro-kernel.