@let@token Relational @let@token Thread

Relational Thread-Modular Static Value Analysis
by Abstract Interpretation
Antoine Miné
CNRS & École normale supérieure
Paris, France
Verification, Model Checking, and Abstract Interpretation
19 January 2014
San Diego
Introduction
Introduction
Goal:
static analysis of concurrent programs
discover properties of the dynamic behaviors of programs:
in an automated, terminating way
with approximations
(computability and efficiency)
soundly
(full coverage of all behaviors)
we use the theory of abstract interpretation
Key characteristics:
scalability: thread-modular analysis
parameterization: by abstract domains
(full control on precision / scalability, design specialized analyses)
Key contribution
We extend an existing analysis (ESOP’11)
with more precise abstractions of thread interferences
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 2 / 26
Introduction
Outline
Introduction
running example
previous analysis
(ESOP’11, limited to coarse, non-relational interferences)
Rely–guarantee as abstract interpretation
constructive thread-modular formalization in fixpoint form
complete for safety properties, uncomputable
Abstractions
retrieving non-relational interferences
relational abstraction examples
(invariant interferences, monotonicity, etc.)
Experimental results
application in the AstréeA static analyzer
(checks for run-time errors in embedded avionic concurrent C programs)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 3 / 26
Introduction
Running example
Example: counter threads
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
t2
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Threads executing in a shared memory:
t1 increments x while x < y
t2 increments y while y < 100, by any value in [1, 3]
Concurrent execution model: (sequential consistency)
start at control state (1a, 1b) in memory state I : x = y = 0
interleave (arbitrarily many) execution steps from t1 and t2
step = assignment or comparisons (atomic)
=⇒ we have 0 ≤ x ≤ y ≤ 102
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 4 / 26
Introduction
Failed attempt: Reduction to sequential analysis
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
t2
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
X`,`0 ⊆ Z2 , ` ∈ {1a, 2a, 3a}, `0 ∈ {1b, 2b, 3b}
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 5 / 26
Introduction
Failed attempt: Reduction to sequential analysis
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
t2
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
X`,`0 ⊆ Z2 , ` ∈ {1a, 2a, 3a}, `0 ∈ {1b, 2b, 3b}
X1a,1b
X2a,1b
X3a,1b
X2a,2b
X3a,2b
X2a,3b
X3a,3b
=I
= X1a,1b ∪ J x ≥ y KX2a,1b ∪ J x ← x + 1 KX3a,1b
= J x < y KX2a,1b
= X1a,2b ∪ J x ≥ y KX2a,2b ∪ J x ← x + 1 KX3a,2b ∪
X2a,1b ∪ J y ≥ 100 KX2a,2b ∪ J y ← y + [1, 3] KX2a,3b
= J x < y KX2a,2b ∪ X3a,1b ∪ J y ≥ 100 KX3a,2b ∪ J y ← y + [1, 3] KX3a,3b
= X1a,3b ∪ J x ≥ y KX2a,3b ∪ J x ← x + 1 KX3a,3b ∪ J y < 100 KX2a,2b
= J x < y KX2a,3b ∪ J y < 100 KX3a,2b
=⇒ large number of variables and equations
large equations
impractical
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 5 / 26
Modular Techniques
Modular Techniques
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 6 / 26
Modular Techniques
Simple interference-based analysis
t2
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Principle:
analyze each thread in isolation
gather interferences
(abstract set of values stored into each variable by each thread)
re-analyze the threads taking interferences into account
gather new sets of interferences
iterate until stabilization
(ESOP 2011, Carré & Hymans 2009)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 26
Modular Techniques
Simple interference-based analysis
t2
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Analysis of t1 in isolation
(1a): x
(2a): x
=y =0
=y =0
(3a): ⊥
VMCAI’14 – 19 Jan. 2014
X1a = I
X2a = X1a ∪ J x ← x + 1 KX3a ∪ J x ≥ y KX2a
X3a = J x < y KX2a
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 26
Modular Techniques
Simple interference-based analysis
t2
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Analysis of t2 in isolation
(1b): x
=y =0
= 0, y ∈ [0, 102]
(3b): x = 0, y ∈ [0, 99]
(2b): x
X1b = I
X2b = X1b ∪ J y ← y + [1, 3] KX3b ∪ J y ≥ 100 KX2b
X3b = J y < 100 KX2b
output interferences: y ← [1, 102]
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 26
Modular Techniques
Simple interference-based analysis
t2
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Re-analysis of t1 with interferences from t2
input interferences: y ← [1, 102]
(1a): x
=y =0
∈ [0, 102], y = 0
(3a): x ∈ [0, 102], y = 0
(2a): x
X1a = I
X2a = X1a ∪ J x ← x + 1 KX3a ∪ J x ≥ (y | [1, 102]) KX2a
X3a = J x < (y | [1, 102]) KX2a
output interferences: x ← [1, 102]
subsequent re-analyses are identical (fixpoint reached)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 26
Modular Techniques
Simple interference-based analysis
t2
t1
1a
while random do
if x < y then
3a
x ←x +1
2a
1b
while random do
if y < 100 then
3b
y ← y + [1, 3]
2b
Analysis result:
we get x , y ∈ [0, 102]
we don’t get that x ≤ y
Analysis characteristic:
similar to sequential program analyses (iterated)
(can be parameterized by arbitrary abstract domains)
efficient
(few re-analyses required in practice)
interferences are non-relational and flow-insensitive
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 26
Modular Techniques
Rely–guarantee reasoning
checking t1
t1
1a
t2
while random do
2a
if x < y then
x ←x +1
3a
Rely–guarantee: proof method introduced by Jones in 1981
generalized Hoare logics
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 8 / 26
Modular Techniques
Rely–guarantee reasoning
checking t1
t1
1a
t2
while random do
2a
if x < y then
x ←x +1
3a
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3a) : x ∈ [0, 101], y ∈ [1, 102], x < y
(1a)
(2a)
Rely–guarantee: proof method introduced by Jones in 1981
generalized Hoare logics
annotate thread points with invariant assertions
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 8 / 26
Modular Techniques
Rely–guarantee reasoning
checking t1
t1
1a
while random do
2a
if x < y then
3a x ← x + 1
t2
x unchanged
y incremented
0 ≤ y ≤ 102
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3a) : x ∈ [0, 101], y ∈ [1, 102], x < y
(1a)
(2a)
Rely–guarantee: proof method introduced by Jones in 1981
generalized Hoare logics
annotate thread points with invariant assertions
annotate threads with guarantees on transitions
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 8 / 26
Modular Techniques
Rely–guarantee reasoning
checking t2
checking t1
t1
1a
while random do
2a
if x < y then
3a x ← x + 1
t1
t2
x unchanged
y unchanged
y incremented
0 ≤ y ≤ 102
0≤x ≤y
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3a) : x ∈ [0, 101], y ∈ [1, 102], x < y
t2
1b
while random do
2b
if y < 100 then
y ← y + [1, 3]
3b
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3b) : x , y ∈ [0, 99], x ≤ y
(1a)
(1b)
(2a)
(2b)
Rely–guarantee: proof method introduced by Jones in 1981
generalized Hoare logics
annotate thread points with invariant assertions
annotate threads with guarantees on transitions
check invariants and guarantees
=⇒ check each thread against an abstraction of the other threads
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 8 / 26
Modular Techniques
Rely–guarantee reasoning
checking t2
checking t1
t1
1a
while random do
2a
if x < y then
3a x ← x + 1
t1
t2
x unchanged
y unchanged
y incremented
0 ≤ y ≤ 102
0≤x ≤y
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3a) : x ∈ [0, 101], y ∈ [1, 102], x < y
t2
1b
while random do
2b
if y < 100 then
y ← y + [1, 3]
3b
:x =y =0
: x , y ∈ [0, 102], x ≤ y
(3b) : x , y ∈ [0, 99], x ≤ y
(1a)
(1b)
(2a)
(2b)
pro: we can prove that x ≤ y holds
cons: rely–guarantee is a proof method, we want a static analysis:
infer automatically invariants and guarantees
expressed using fixpoints
amenable to abstraction
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 8 / 26
Rely-Guarantee as Abstract Interpretation
Rely-Guarantee as Abstract Interpretation
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 9 / 26
Rely-Guarantee as Abstract Interpretation
Thread-based trace decomposition
a
b
b
b
a
b
Concrete trace semantics:
a
F
def
threads: T = {a, b, . . .}.
def
states: Σ = C × M = {•, •, . . .}
def
control state: C = T → L
def
memory state: M = V → V
transition relation τ ⊆ Σ × T × Σ:
(maps threads to locations)
(maps variables to values)
a
σ →τ σ 0
trace semantics in fixpoint form:
F = lfp F where
ai+1
ai+1
a
a
def
F = λX . I ∪ { σ0 →1 · · · σi → σi+1 | σ0 →1 · · · σi ∈ X ∧ σi → τ σi+1 }
(partial finite)
def
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 10 / 26
Rely-Guarantee as Abstract Interpretation
Thread-based trace decomposition
Reachable states:
a
b
b
b
a
b
a
R
αreach (F)
R=
⊆ Σ where
a
def
reach
α
(T ) = { σ | ∃σ0 →1 · · · σn ∈ T : ∃i ≤ n : σ = σi }
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 10 / 26
Rely-Guarantee as Abstract Interpretation
Thread-based trace decomposition
a
b
b
b
a
b
a
a
Thread-local reachable states:
R`(t)
(' invariant assertions)
def
R`(t) = πt (R)
def
π t (hL, ρi) = hL(t), ρ [∀t 0 6= t : pc t 0 7→ L(t 0 )]i
def
outputs states in Σt = L × Mt
def
def
Mt = Vt → V and Vt = V ∪ { pc t 0 | t 0 6= t }
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
(extended element-wise)
(attached to thread locations)
(auxiliary variables)
Antoine Miné
p. 10 / 26
Rely-Guarantee as Abstract Interpretation
Thread-based trace decomposition
a
b
b
b
a
b
a
a
Interferences:
I(t)
(' guarantees on transitions)
def
I(t) = αitf (F)(t) where
a
a
def
αitf (X )(t) = { hσi , σi+1 i | ∃σ0 →1 σ1 · · · →n σn ∈ X : ai+1 = t }
subset of τ spawned by t and observed in F
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 10 / 26
Rely-Guarantee as Abstract Interpretation
Computing thread traces with interferences
Principle: express R`(t) directly, without computing F
a
Thread
b
x=0
while x<y
x++;
/* bla bla */
Given I:
R`(t) = lfp Rt (I), where
def
t
Rt (Y )(X ) = πt (I) ∪ { πt (σ 0 ) | ∃πt (σ) ∈ X : σ →τ σ 0 }
transitions from thread t
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 11 / 26
Rely-Guarantee as Abstract Interpretation
Computing thread traces with interferences
Principle: express R`(t) directly, without computing F
a
b
b
Thread
b
x=0
while x<y
x++;
/* bla bla */
Given I:
R`(t) = lfp Rt (I), where
def
t
Rt (Y )(X ) = πt (I) ∪ { πt (σ 0 ) | ∃πt (σ) ∈ X : σ →τ σ 0 } ∪
{ πt (σ 0 ) | ∃πt (σ) ∈ X : ∃t 0 6= t : hσ, σ 0 i ∈ Y (t 0 ) }
transitions from thread t
transitions from interferences Y
=⇒ similar to reachability for a sequential program in L → Mt
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 11 / 26
Rely-Guarantee as Abstract Interpretation
Computing thread traces with interferences
Principle: express R`(t) directly, without computing F
a
b
b
Thread
a
b
x=0
while x<y
x++;
/* bla bla */
Given I:
R`(t) = lfp Rt (I), where
def
t
Rt (Y )(X ) = πt (I) ∪ { πt (σ 0 ) | ∃πt (σ) ∈ X : σ →τ σ 0 } ∪
{ πt (σ 0 ) | ∃πt (σ) ∈ X : ∃t 0 6= t : hσ, σ 0 i ∈ Y (t 0 ) }
transitions from thread t
transitions from interferences Y
=⇒ similar to reachability for a sequential program in L → Mt
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 11 / 26
Rely-Guarantee as Abstract Interpretation
Computing thread traces with interferences
Principle: express R`(t) directly, without computing F
a
b
b
a
Thread
x=0
while x<y
x++;
/* bla bla */
a
Given R`:
I(t) = B(R`)(t), where
def
t
B(Z )(t) = { hσ, σ 0 i | πt (σ) ∈ Z (t) ∧ σ →τ σ 0 }
collect transitions from thread t
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 11 / 26
Rely-Guarantee as Abstract Interpretation
Computing thread traces with interferences
Principle: express R`(t) directly, without computing F
b
a
b
a
Thread
a
x=0
while x<y
x++;
/* bla bla */
Recursive definition:
R`(t) = lfp Rt (I)
I(t) = B(R`)(t)
=⇒ express the
(most precise)
solution as a fixpoint:
def
R` = lfp H where H = λZ . λt. lfp Rt (B(Z ))
Completeness: ∀t : R`(t) ' R
VMCAI’14 – 19 Jan. 2014
(πt is bijective thanks to auxiliary variables)
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 11 / 26
Rely-Guarantee as Abstract Interpretation
Abstract rely-guarantee
Suggested algorithm:
nested iterations with acceleration
chose abstract domains for states and interferences
start from R`]0 = I0] = λt. ⊥]
def
def
while In] is not stable
def
compute ∀t ∈ T : R`]n+1 (t) = lfp Rt] (In] )
by iteration with widening O
(' separate analysis of each thread)
def
]
= In] O B ] (R`]n+1 )
compute In+1
]
when In] = In+1
, return R`]n
=⇒ thread-modular
parameterized by abstract domains
able to easily reuse existing sequential analyses
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 12 / 26
Abstractions
Abstractions
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 13 / 26
Abstractions
Retrieving the simple interference-based analysis
Flow-insensitive abstraction:
remove auxiliary variables in states
def
f
αR
(X ) = { h`, ρ|V i | h`, ρi ∈ X }
remove all control states in interferences
def
αIf (Y ) = { hρ, ρ0 i | ∃L, L0 ∈ C : hhL, ρi, hL0 , ρ0 ii ∈ Y }
each thread analysis is still flow-sensitive
we lose completeness
(states in L → P(Σ))
Cartesian abstraction:
forget variable relations in interferences
and input-output relations
def
αIc (Y ) = λV . { x ∈ V | ∃hρ, ρ0 i ∈ Y : ρ(V ) 6= x ∧ ρ0 (V ) = x }
(remember only which variables have changed, and their new values)
each thread analysis is still relational (states in P(Σ))
=⇒ we get back our simple interference analysis!
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 14 / 26
Abstractions
Relational invariant interferences
Abstraction:
keep relations maintained by interferences
def
αIinv (Y ) = { ρ | ∃ρ0 : hρ, ρ0 i ∈ Y ∨ hρ0 , ρi ∈ Y }
forgets input-output relationships in interferences
flow-insensitive interferences (combined with αfI )
Static analysis:
infer interferences: join ∪] at all states
]
Irel
(t) = ∪] { R`] (t) at ` | ` ∈ L }
apply interferences at all program points of t
(reduced product with non-relational interferences αcI )
apply non-relational interferences: ∪]t 0 6=t Ic] (t 0 )
]
refine by asserting invariants: ∩] ∪]t 0 6=t Irel
(t 0 )
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 15 / 26
Abstractions
Monotonicity interference
Abstraction:
keep some input-output relations
map variables to 1
(monotonic)
or >
(don’t know)
def
αImon (Y ) = λV . if ∀hρ, ρ0 i ∈ Y : ρ(V ) ≤ ρ0 (V ) then 1 else >
flow-insensitive, forget variable relationships
Static analysis:
]
gather: Imon
(t)(V ) =1 ⇐⇒ all assignments to V in t have the
form V ← V + e, with e ≥ 0
]
use: if ∀t : Imon
(t)(V ) =1, a test with interference
J X ≤ (V | [a, b]) K can be strengthened into J X ≤ V K
Application:
on our running example
reduced product of αIinv , αIc , and αImon
octagon domain for invariant interferences and states
=⇒ we can infer x ≤ y
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 16 / 26
Abstractions
Relational lock invariants
t1
t2
(equivalent to t1 )
while random do
lock(m)
X ←X +1
if X > 100 then X ← 0
unlock(m)
while random do
lock(m)
X ←X +1
if X > 100 then X ← 0
unlock(m)
variation on relational invariant interferences
infer relations between variables that hold outside locks
can be violated within critical sections
always restored before releasing the lock
(not observable by other threads if the variables are property protected)
e.g.: X ∈ [0, 100]
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 17 / 26
Abstractions
Relational lock invariants
lock
unlock
t1
t2
lock
unlock
Static analysis:
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 18 / 26
Abstractions
Relational lock invariants
lock
unlock
t1
non−rel
t2
lock
unlock
Static analysis:
partition non-relational flow-insensitive interferences by lock state
apply them unless threads hold a common lock (mutual exclusion)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 18 / 26
Abstractions
Relational lock invariants
lock
unlock
t1
rel
t2
lock
unlock
Static analysis:
partition non-relational flow-insensitive interferences by lock state
apply them unless threads hold a common lock (mutual exclusion)
gather relational interferences at all unlock points
apply relational interferences at all lock points
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 18 / 26
Abstractions
Relational lock invariants
lock
unlock
t1
rel
non−rel
t2
lock
unlock
Static analysis:
partition non-relational flow-insensitive interferences by lock state
apply them unless threads hold a common lock (mutual exclusion)
gather relational interferences at all unlock points
apply relational interferences at all lock points
Benefits:
more efficient than tracking & applying relations at all points
still valid in the presence of weakly consistent memory
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 18 / 26
Abstractions
Subsequence interference
t1 : clock in H
t2 : sample H into C
t3 : accumulate elapsed time in T
while random do
if H < 10, 000 then
H ←H +1
while random do
C ←H
while random do
if random then T ← 0
else T ← T + (C − L)
L←C
Problem:
we wish to prove that T ≤ L ≤ C ≤ H
it is sufficient to prove the monotony of H, C , and L
but monotony is not transitive
(X is only assigned monotonic variables =
6 ⇒ X is monotonic)
=⇒ we infer an additional property implying monotony
Abstraction:
subsequence
]
Isub
(t)(V ) = { W ∈ V | V ’s values are a subsequence of W ’s values }
def
αsub
R (X )(V ) = { W | ∀hh`0 , ρ0 i, . . . , h`n , ρn ii ∈ X : ∃i0 , . . . , in :
∀k : ik ≤ k ∧ ik ≤ ik+1 ∧ ∀j : ρj (V ) = ρij (W ) }
based on a trace version of the modular semantics
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 19 / 26
Experiments
Experiments
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 20 / 26
Experiments
AstréeA analyzer
AstréeA:
Analyse statique de programmes temps-réels asynchrones
static analyzer for concurrent embedded C codes
checks for run-time errors
(arithmetic overflows, divisions by zero, invalid operations, pointer and memory
errors, out-of-bound array accesses, assertion failures)
sound for the C & IEEE 754 semantics
(no false negative, sound modular, float & pointer arithmetic, low-level memory)
based on the Astrée analyzer
(industrialized by AbsInt since 2009)
reuses its iterator and its state abstract domains
added an interference iterator and interference domains
aimed towards high precision by specialization
still at the prototype stage
(zero false alarm)
(NOT zero false alarm)
http://www.astreea.ens.fr
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 21 / 26
Experiments
Analysis target
Concurrency model:
ARINC 653 OS
fixed number of threads
preemptive real-time scheduling on a single processor
shared memory, locks
2.6 Kloc hand-written OS model
(C + analyzer intrinsincs)
Analyzed program:
embedded avionic code
1.6 Mloc of C, 15 threads
reactive code + network code + lists, strings, pointers
many variables, large arrays, many loops, shallow call graph
no dynamic memory allocation, no recursivity
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 22 / 26
Experiments
Analysis results
monotonicity
domain
×
relational lock
invariants
×
analysis time
memory
25h 26mn
22 GB
iterations
alarms
6
4616
started with flow-insensitive non-relational interferences (ESOP’11)
(efficiency on-par with sequential analysis)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 23 / 26
Experiments
Analysis results
monotonicity
domain
×
X
relational lock
invariants
×
×
analysis time
memory
25h 26mn
30h 30mn
22 GB
24 GB
iterations
alarms
6
7
4616
1100
started with flow-insensitive non-relational interferences (ESOP’11)
(efficiency on-par with sequential analysis)
added monotonicity and subsequence domains
=⇒ large improvements, modest cost
(adapted to clock-related manipulations)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 23 / 26
Experiments
Analysis results
monotonicity
domain
×
X
X
relational lock
invariants
×
×
X
analysis time
memory
25h 26mn
30h 30mn
110h 38mn
22 GB
24 GB
90 GB
iterations
alarms
6
7
7
4616
1100
1009
started with flow-insensitive non-relational interferences (ESOP’11)
(efficiency on-par with sequential analysis)
added monotonicity and subsequence domains
=⇒ large improvements, modest cost
(adapted to clock-related manipulations)
added relational lock invariants
=⇒ modest improvement, high cost
need to chose adapted relational domain parameters
need adapted packing strategy
(which variables to relate)
(currently, we inherit Astrée’s domains and strategy)
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 23 / 26
Conclusion
Conclusion: summary
We proposed a static analysis framework for concurrent programs:
sound for all interleavings
(and in some cases weakly consistent memories)
thread-modular
(scalable, ability to reuse existing analyzers)
parameterized by abstract domains
(ability to reuse existing domains)
constructed by abstraction of a complete method
(enable refinement to arbitrary precision)
generalized previous works
(ESOP’11)
defined novel relational interference domains
presented encouraging experimental results
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 24 / 26
Conclusion
Conclusion: future work
design new interference domains
application to AstréeA: towards zero false alarm
design application-specific abstract domains
parameterize existing domains
explore more thoroughly the interaction with:
weakly consistent memory models
(real-time) schedulers and synchronization mechanisms
explore trace-related and backward semantics
towards liveness properties
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 25 / 26
Conclusion
The End
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 26 / 26
Incompleteness of the flow-insensitive abstraction
t1
1a
t2
X ←X +1
2a
With auxiliary variables:
at
(2a)
1
2
1b
X ←X +1
2b
pc 1 , pc 2
: (pc 2 = 1b ∧ X = 1) ∨ (pc 2 = 2b ∧ X = 2)
X ∈ [1, 2]
t2 only increments X when pc 2 = 1b, i.e., X = 1
Without auxiliary variables:
: X ∈ X where
0∈X
x ∈ X =⇒ (x + 1) ∈ X
=⇒ X = [0, +∞]
at
(2a)
VMCAI’14 – 19 Jan. 2014
(by interference by t2 )
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 1 / 7
Concrete fixpoint semantics
Concrete fixpoint semantics:
R` = lfp λZ . λt. lfp Rt (B(Z ))
t
def
B(Z )(t) = { hσ, σ 0 i | πt (σ) ∈ Z (t) ∧ σ →τ σ 0 }
def
Rt (Y )(X ) = πt (I) ∪
t
{ πt (σ 0 ) | ∃πt (σ) ∈ X : σ →τ σ 0 } ∪
0
0
{ πt (σ ) | ∃πt (σ) ∈ X : ∃t 6= t : hσ, σ 0 i ∈ Y (t 0 ) }
def
πt (hL, ρi) = hL(t), ρ [∀t 0 6= t : pc t 0 7→ L(t 0 )]i
def
πt (X ) = { πt (x ) | x ∈ X }
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 2 / 7
Flow-insensitive abstraction
Abstraction:
def
f
αR
(X ) = { h`, ρ|V i | h`, ρi ∈ X }
def
αIf (Y ) = { hρ, ρ0 i | ∃L, L0 ∈ C : hhL, ρi, hL0 , ρ0 ii ∈ Y }
Abstract fixpoint semantics:
def
R`f = lfp λZ . λt. lfp Rtf (B f (Z ))
def
B f (Z )(t) = { hρ, ρ0 i | ∃`, `0 ∈ L : h`, ρi ∈ Z (t) ∧ h`, ρi →t h`0 , ρ0 i }
def
Rtf (Y )(X ) = Rtloc (X ) ∪ Aft (Y )(X )
def
Rtloc (X ) = {het , λV . 0i}∪{ h`0 , ρ0 i | ∃h`, ρi ∈ X : h`, ρi →t h`0 , ρ0 i }
def
Aft (Y )(X ) = { h`, ρ0 i | ∃ρ, t 0 6= t : h`, ρi ∈ X ∧ hρ, ρ0 i ∈ Y (t 0 ) }
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 3 / 7
Non-relational flow-insensitive abstraction
Abstraction:
def
αIc (Y ) = λV . { x ∈ V | ∃hρ, ρ0 i ∈ Y : ρ(V ) 6= x ∧ ρ0 (V ) = x }
Abstract fixpoint semantics:
def
R`c = lfp λZ . λt. lfp Rtc (B c (Z ))
def
B c (Z )(t) = αIc (B f (Z )(t))
def
B f (Z )(t) = { hρ, ρ0 i | ∃`, `0 ∈ L : h`, ρi ∈ Z (t) ∧ h`, ρi →t h`0 , ρ0 i }
def
Rtc (Y )(X ) = Rtloc (X ) ∪ Act (Y )(X )
def
Rtloc (X ) = {het , λV . 0i}∪{ h`0 , ρ0 i | ∃h`, ρi ∈ X : h`, ρi →t h`0 , ρ0 i }
def
Act (Y )(X ) =
{ h`, ρ[V 7→ v ]i | h`, ρi ∈ X , V ∈ V, ∃t 0 6= t : v ∈ Y (t 0 )(V ) }
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 4 / 7
Invariant interference abstraction
Abstraction:
def
αIinv (Y ) = { ρ | ∃ρ0 : hρ, ρ0 i ∈ Y ∨ hρ0 , ρi ∈ Y }
Abstract fixpoint semantics:
def
R`rel = lfp λZ . λt. lfp Rtrel (B rel (Z ))
def
B rel (Z ) = hλt. αIc (B f (Z )(t)), λt. αIinv (B f (Z )(t))i
def
inv
Rtrel (hY c , Y inv i)(X ) = Rtloc (X ) ∪ (Act (Y c )(X ) ∩ Ainv
))
t (Y
def
Rtloc (X ) = {het , λV . 0i}∪{ h`0 , ρ0 i | ∃h`, ρi ∈ X : h`, ρi →t h`0 , ρ0 i }
def
Act (Y c )(X ) =
{ h`, ρ[V 7→ v ]i | h`, ρi ∈ X , V ∈ V, ∃t 0 6= t : v ∈ Y c (t 0 )(V ) }
def
inv
Ainv
) = { h`, ρi | ` ∈ L, ρ ∈ Y inv (t) }
t (Y
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 5 / 7
Unbounded thread instances
assume a finite set Ts of syntactic threads
Ts = T∞ ∪ T 1
T1 : threads with a single instance in T
T∞ : threads with two or more instances in T
(e.g.: web server)
We use flow-insensitive and non-relational interferences
all thread instances are isomorphic
we iterate the analyses on Ts (finite)
we must take self-interference into account:
def
Act (Y )(X ) =
{ h`, ρ[V 7→ v ]i | h`, ρi ∈ X ∧ ∃t 0 : (t 6= t 0 ∨ t ∈ T∞ ) ∧ v ∈ Y (t 0 )(V ) }
(instead of
def
Act (Y )(X ) = { h`, ρ[V 7→ v ]i | h`, ρi ∈ X , V ∈ V, ∃t 0 6= t : v ∈ Y (t 0 )(V ) })
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 6 / 7
Weakly consistent memories
the concrete fixpoint semantics is not sound for weakly consistent
memories
nevertheless, some of its abstractions may be sound:
flow-insensitive interferences
soundness proved in ESOP’11 and Alglave & al. TACAS’11
lock invariants
lock and unlock instructions enforce memory consistency
monotonicity and subsequence
sound in the Total Store Ordering model
VMCAI’14 – 19 Jan. 2014
Relational Thread-Modular Abstract Interpretation
Antoine Miné
p. 7 / 7

Download Report