



# Detection of Software Vulnerabilities: Static Analysis (Part II)

Lucas Cordeiro Department of Computer Science

lucas.cordeiro@manchester.ac.uk

# Static Analysis (Part II)

- Lucas Cordeiro (Formal Methods Group)
  - lucas.cordeiro@manchester.ac.uk
  - Office: 2.28
  - Office hours: 15-16 Tuesday, 14-15 Wednesday
- References:
  - Clarke et al., Model checking (Chapter 14)
  - Cordeiro and Fischer: Verifying multi-threaded software using smt-based context-bounded model checking. ICSE 2011

These slides are based on the lecture notes "SAT/SMT-Based Bounded Model Checking of Software" by Fischer, Parlato and La Torre

# Intended learning outcomes

- Introduce typical BMC architectures for verifying software systems
- Understand communication models and typical errors when writing concurrent programs
- Explain explicit schedule exploration of multithreaded software
- Explain sequentialization methods to convert concurrent programs into sequential ones

# Intended learning outcomes

- Introduce typical BMC architectures for verifying software systems
- Understand communication models and typical errors when writing concurrent programs
- Explain explicit schedule exploration of multithreaded software
- Explain sequentialization methods to convert concurrent programs into sequential ones

- CBMC (C Bounded Model Checker)
  - http://www.cprover.org/
  - SAT-based (MiniSat) "workhorse"
  - also SystemC frontend

- CBMC (C Bounded Model Checker)
  - http://www.cprover.org/
  - SAT-based (MiniSat) "workhorse"
  - also SystemC frontend
- ESBMC (Embedded Systems Bounded Model Checker)
  - http://esbmc.org
  - SMT-based (Z3, Boolector)
  - branched off CBMC, also (rudimentary) C++ frontend

- CBMC (C Bounded Model Checker)
  - http://www.cprover.org/
  - SAT-based (MiniSat) "workhorse"
  - also SystemC frontend
- ESBMC (Embedded Systems Bounded Model Checker)
  - http://esbmc.org
  - SMT-based (Z3, Boolector)
  - branched off CBMC, also (rudimentary) C++ frontend
- LLBMC (Low-level Bounded Model Checker)
  - http://llbmc.org
  - SMT-based (Boolector or STP)
  - uses LLVM intermediate language
- ⇒share common high-level architecture

- full language support
  - bit-precise operations, structs, arrays, ...
  - heap-allocated memory
  - concurrency

- full language support
  - bit-precise operations, structs, arrays, ...
  - heap-allocated memory
  - concurrency
- built-in safety checks
  - overflow, div-by-zero, array out-of-bounds indexing, ...
  - memory safety: nil pointer deref, memory leaks, ...
  - deadlocks, race conditions

- full language support
  - bit-precise operations, structs, arrays, ...
  - heap-allocated memory
  - concurrency
- built-in safety checks
  - overflow, div-by-zero, array out-of-bounds indexing, ...
  - memory safety: nil pointer deref, memory leaks, ...
  - deadlocks, race conditions
- user-specified assertions and error labels

- full language support
  - bit-precise operations, structs, arrays, ...
  - heap-allocated memory
  - concurrency
- built-in safety checks
  - overflow, div-by-zero, array out-of-bounds indexing, ...
  - memory safety: nil pointer deref, memory leaks, ...
  - deadlocks, race conditions
- user-specified assertions and error labels
- non-deterministic modelling
  - nondeterministic assignments
  - assume-statements

#### **High-level architecture:**



#### **General approach:**

- 1. Simplify control flow
- 2. Unwind all of the loops
- 3. Convert into single static assignment (SSA) form
- 4. Convert into equations and simplify
- 5.(Bit-blast)
- 6. Solve with a SAT/SMT solver
- 7. Convert SAT assignment into a counterexample

- remove all side effects
  - e.g., j = ++i; becomes i = i+1; j = i;

- remove all side effects
  - e.g., j = ++i; becomes i = i+1; j = i;
- simplify all control flow structures into core forms
  - e.g., replace for, do while by while
  - e.g., replace case by if

- remove all side effects
  - e.g., j = ++i; becomes i = i+1; j = i;
- simplify all control flow structures into core forms
  - e.g., replace for, do while by while
  - e.g., replace case by if
- make control flow explicit
  - e.g., replace continue, break by goto
  - e.g., replace if, while by goto

Demo: esbmc --goto-functions-only example-1.c

```
int main() {
  int i,j;
  for(i=0; i<6; i++) {
    j=i;
  }
  assert(j==i);
  return j;
}</pre>
```

```
main (c::main):
      int i;
      int j;
      i = 0;
   1: IF !(i < 6) THEN GOTO 2
      i = i;
      i = i + 1;
     GOTO 1
   2: ASSERT | == i
     RETURN: j
     END FUNCTION
```

- all loops are "unwound", i.e., replaced by several guarded copies of the loop body
  - same for backward gotos and recursive functions
  - can use different unwinding bounds for different loops
- ⇒each statement is executed at most once

- all loops are "unwound", i.e., replaced by several guarded copies of the loop body
  - same for backward gotos and recursive functions
  - can use different unwinding bounds for different loops
- ⇒each statement is executed at most once
- to check whether unwinding is sufficient special "unwinding assertion" claims are added
- ⇒if a program satisfies all of its claims and all unwinding assertions then it is correct!

```
void f(...) {
  while(cond) {
    Body;
  Remainder;
```

```
void f(...) {
                unwind one
  if(cond) {
               iteration
    Body;
    while(cond) {
      Body;
  Remainder;
```

```
void f(...) {
                unwind one
  if(cond)
                 unwind one
    Body;
                 iteration
    if(cond)
      Body;
      while(cond) {
        Body;
  Remainder;
```

```
void f(...) {
                unwind one
  if(cond)
                  unwind one
    Body;
    if(cond)
                    unwind one
      Body;
                    iteration...
      if(cond)
        Body;
        while(cond) {
          Body;
  Remainder;
}
```

```
void f(...) {
                unwind one
  if(cond)
                  unwind one
    Body;
    if(cond)
                    unwind one
      Body;
                    iteration...
      if(cond)
        Body;
        assert(!cond);
                unwinding
                assertion
  Remainder;
}
```

#### unwinding assertion

- inserted after last unwound iteration
- violated if program runs longer than bound permits
- ⇒ if not violated: (real) correctness result!

```
void f(...) {
  for(i=0; i<N; i++) {
    b[i]=a[i];
  for(i=0; i<N; i++) {
    assert(b[i]-a[i]>0);
  Remainder;
}
```

- unwinding assertion
  - inserted after last unwound iteration
  - violated if program runs longer than bound permits
  - ⇒ if not violated: (real) correctness result!
- ⇒what about multiple loops?
  - use --partial-loops to suppress insertion
  - ⇒ unsound

# Safety conditions

 Built-in safety checks converted into explicit assertions:

```
e.g., array safety:
a[i]=...;
⇒ assert(0 <= i && i <= N); a[i]=...;
```

# Safety conditions

 Built-in safety checks converted into explicit assertions:

```
e.g., array safety:
a[i]=...;
⇒ assert(0 <= i && i <= N); a[i]=...;
```

⇒ sometimes easier at intermediate representation or formula level

e.g., word-aligned pointer access, overflow, ...

High-level architecture:



# Transforming straight-line programs into equations

simple if each variable is assigned only once:



• still simple if variables are assigned multiple times:



introduce fresh copy for each occurrence (static single assignment (SSA) form)

# Transforming loop-free programs into equations

But what about control flow branches (if-statements)?



- for each control flow join point, add a new variable with guarded assignment as definition
  - also called φ-function

# Transforming loop-free programs into equations

But what about control flow branches (if-statements)?



- for each control flow join point, add a new variable with guarded assignment as definition
  - also called φ-function

### **Bit-blasting**

Conversion of equations into SAT problem:

simple assignments:

$$|[x = y]| = \bigwedge_i x_i \Leftrightarrow y_i$$



- ⇒ static analysis must approximate effective bitwidth well
- φ-functions:

$$|[x = v ? y : z]| \triangleq (v \Rightarrow |[x = y]|) \land (\neg v \Rightarrow |[x = z]|)$$

Boolean operations:

$$|[x = y \mid z]| = \bigwedge_i x_i \Leftrightarrow (y_i \lor z_i)$$

Exercise: relational operations

# Bit-blasting arithmetic operations

Build circuits that implement the operations!

#### 1-bit addition:



#### Full adder as CNF:

$$(a \lor b \lor \neg o) \land (a \lor \neg b \lor i \lor \neg o) \land (a \lor \neg b \lor \neg i \lor o) \land (\neg a \lor b \lor i \lor \neg o) \land (\neg a \lor b \lor \neg i \lor o) \land (\neg a \lor a \lor a \lor o)$$

#### Bit-blasting arithmetic operations

Build circuits that implement the operations!



- ⇒adds w variables, 6\*w clauses
- multiplication / division much more complicated

# Intended learning outcomes

- Introduce typical BMC architectures for verifying software systems
- Understand communication models and typical errors when writing concurrent programs
- Explain explicit schedule exploration of multithreaded software
- Explain sequentialization methods to convert concurrent programs into sequential ones

# **Concurrency verification**

#### Writing concurrent programs is DIFFICULT

- programmers have to guarantee
  - correctness of sequential execution of each individual process
  - with nondeterministic interferences from other processes (schedules)



#### Writing concurrent programs is DIFFICULT

- programmers have to guarantee
  - correctness of sequential execution of each individual process
  - with nondeterministic interferences from other processes (schedules)



- rare schedules result in errors that are difficult to find, reproduce, and repair
  - testers can spend weeks chasing a single bug
- ⇒ huge productivity problem

What happens here...???

```
int n=0; //shared variable
void* P(void* arg) {
  int tmp, i=1;
  while (i<=10) {
    tmp = n;
    n = tmp + 1;
    1++;
  return NULL;
int main (void) {
  pthread_t id1, id2;
  pthread_create(&id1, NULL, P, NULL);
  pthread_create(&id2, NULL, P, NULL);
  pthread_join(id1, NULL);
  pthread_join(id2, NULL);
  assert(n == 20);
```

Which values can *n* actually have?

#### What happens here...???

```
int n=0; //shared variable
void* P(void* arg) {
  int tmp, i=1;
  while (i<=10) {
    tmp = n;
    n = tmp + 1;
    1++;
  return NULL;
int main (void) {
  pthread_t id1, id2;
  pthread_create(&id1, NULL, P, NULL);
  pthread_create(&id2, NULL, P, NULL);
  pthread_join(id1, NULL);
  pthread_join(id2, NULL);
  assert(n == 20);
```

```
$gcc example-2.c -o
example-2
$./example-2
$./example-2
$./example-2
$./example-2
$./example-2
$./example-2
Assertion failed: (n
== 20), function main,
file example-2.c, line
22.
```

Which values can *n* actually have?

What happens here...???

```
int n=0; //shared variable
void* P(void* arg) {
  int tmp, i=1;
  while (i<=10) {
    tmp = n;
    n = tmp + 1;
    1++;
  return NULL;
int main (void) {
  pthread_t id1, id2;
  pthread_create(&id1, NULL, P, NULL);
  pthread_create(&id2, NULL, P, NULL);
  pthread_join(id1, NULL);
  pthread_join(id2, NULL);
  assert(n >= 10 \&\& n <= 20);
```

What happens here...???

```
int n=0; //shared variable
pthread_mutex_t mutex;
void* P(void* arg) {
  int tmp, i=1;
  while (i \le 10) {
    pthread_mutex_lock(&mutex);
    tmp = n;
    n = tmp + 1;
    pthread_mutex_unlock(&mutex);
    1++;
  return NULL;
int main (void) {
  pthread_t id1, id2;
  pthread_mutex_init(&mutex, NULL);
  pthread_create(&id1, NULL, P, NULL);
  pthread_create(&id2, NULL, P, NULL);
  pthread_join(id1, NULL);
  pthread_join(id2, NULL);
  assert(n == 20);
}
```

#### **Concurrency errors**

There are two main kinds of concurrency errors:

- progress errors: deadlock, starvation, ...
  - typically caused by wrong synchronization
  - requires modeling of synchronization primitives
     o mutex locking / unlocking
  - requires modeling of (global) error condition

#### **Concurrency errors**

There are two main kinds of concurrency errors:

- progress errors: deadlock, starvation, ...
  - typically caused by wrong synchronization
  - requires modeling of synchronization primitives o mutex locking / unlocking
  - requires modeling of (global) error condition
- safety errors: assertion violation, ...
  - typically caused by data races (i.e., unsynchronized access to shared data)
  - requires modeling of synchronization primitives
  - can be checked locally

#### **Concurrency errors**

There are two main kinds of concurrency errors:

- progress errors: deadlock, starvation, ...
  - typically caused by wrong synchronization
  - requires modeling of synchronization primitives
     o mutex locking / unlocking
  - requires modeling of (global) error condition
- safety errors: assertion violation, ...
  - typically caused by data races (i.e., unsynchronized access to shared data)
  - requires modeling of synchronization primitives
  - can be checked locally
- ⇒ focus here on safety errors

# Shared memory concurrent programs

#### Concurrent programming styles:

- communication via message passing
  - "truly" parallel distributed systems
  - multiple computations advancing simultaneously

# Shared memory concurrent programs

#### Concurrent programming styles:

- communication via message passing
  - "truly" parallel distributed systems
  - multiple computations advancing simultaneously
- communication via shared memory
  - multi-threaded programs
  - only one thread active at any given time (conceptually), but active thread can be changed at any given time
    - o active == uncontested access to shared memory
    - o can be single-core or multi-core

# Shared memory concurrent programs

#### Concurrent programming styles:

- communication via message passing
  - "truly" parallel distributed systems
  - multiple computations advancing simultaneously
- communication via shared memory
  - multi-threaded programs
  - only one thread active at any given time (conceptually), but active thread can be changed at any given time
    - o active == uncontested access to shared memory
    - o can be single-core or multi-core
- ⇒ focus here on multi-threaded, shared memory programs

• typical C-implementation: pthreads

- typical C-implementation: pthreads
- formed of individual sequential programs (threads)
  - can be created and destroyed on the fly
  - typically for BMC: assume upper bound
  - each possibly with loops and recursive function calls
  - each with local variables

- typical C-implementation: pthreads
- formed of individual sequential programs (threads)
  - can be created and destroyed on the fly
  - typically for BMC: assume upper bound
  - each possibly with loops and recursive function calls
  - each with local variables
- each thread can read and write shared variables
  - assume sequential consistency: writes are immediately visible to all the other programs
  - weak memory models can be modeled

- typical C-implementation: pthreads
- formed of individual sequential programs (threads)
  - can be created and destroyed on the fly
  - typically for BMC: assume upper bound
  - each possibly with loops and recursive function calls
  - each with local variables
- each thread can read and write shared variables
  - assume sequential consistency: writes are immediately visible to all the other programs
  - weak memory models can be modeled
- execution is interleaving of thread executions
  - only valid for sequential consistency

• context: segment of a run of an active thread  $t_i$ 



- context: segment of a run of an active thread  $t_i$
- context switch: change of active thread from  $t_i$  to  $t_k$ 
  - global state is passed on to t<sub>k</sub>
  - context switch back to t<sub>i</sub> resumes at old local state (incl. pc)



- context: segment of a run of an active thread  $t_i$
- context switch: change of active thread from  $t_i$  to  $t_k$ 
  - global state is passed on to t<sub>k</sub>
  - context switch back to t<sub>i</sub> resumes at old local state (incl. pc)
- round: formed of one context of each thread



- context: segment of a run of an active thread  $t_i$
- context switch: change of active thread from  $t_i$  to  $t_k$ 
  - global state is passed on to t<sub>k</sub>
  - context switch back to t<sub>i</sub> resumes at old local state (incl. pc)
- round: formed of one context of each thread
- round robin schedule: same order of threads in each round



- context: segment of a run of an active thread  $t_i$
- context switch: change of active thread from  $t_i$  to  $t_k$ 
  - global state is passed on to t<sub>k</sub>
  - context switch back to t<sub>i</sub> resumes at old local state (incl. pc)
- round: formed of one context of each thread
- round robin schedule: same order of threads in each round
- can simulate all schedules by round robin schedules



#### **Context-bounded analysis**

Important observation:

Most concurrency errors are shallow!

i.e., require only few context switches

- ⇒ limit the search space by bounding the number of
- context switches
- rounds

# Concurrency verification approaches

- Explicit schedule exploration (ESBMC)
  - lazy exploration
  - schedule recording

# Concurrency verification approaches

- Explicit schedule exploration (ESBMC)
  - lazy exploration
  - schedule recording
- Partial order methods (CBMC)

# Concurrency verification approaches

- Explicit schedule exploration (ESBMC)
  - lazy exploration
  - schedule recording
- Partial order methods (CBMC)
- Sequentialization
  - KISS
  - Lal / Reps (eager sequentialization)
  - Lazy CSeq
  - memory unwinding

### Intended learning outcomes

- Introduce typical BMC architectures for verifying software systems
- Understand communication models and typical errors when writing concurrent programs
- Explain explicit schedule exploration of multithreaded software
- Explain sequentialization methods to convert concurrent programs into sequential ones

#### **BMC** of Multi-threaded Software

Idea: iteratively generate all possible interleavings and call the BMC procedure on each interleaving



### Running Example

- the program has sequences of operations that need to be protected together to avoid atomicity violation
  - requirement: the region of code (val1 and val2) should execute atomically

```
Thread twoStage
1: lock(m1);
2: val1 = 1;
3: unlock(m1);
4: lock(m2);
5: val2 = val1 + 1;
6: unlock(m2);
```

global variables: val1=0; val2=0;

local variabes: t1 = -1; t2 = -1;

program counter: 0

mutexes: m1=0; m2=0;

of all program variables

... unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));

A state  $s \in S$  consists of

the value of the program

counter pc and the values

```
statements:
val1-access:
val2-access:
```

```
Thread twoStage
1: lock(m1);
2: val1 = 1;
3: unlock(m1);
4: lock(m2);
5: val2 = val1 + 1;
6: unlock(m2);
```

```
program counter: 0
mutexes: m1=0; m2=0;
global variables: val1=0; val2=0;
local variabes: t1=-1; t2=-1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1+1));
```

```
val1-access:

val2-access:

Thread twoStage

1: lock(m1);
2: val1 = 1;
3: unlock(m1);
4: lock(m2);
5: val2 = val1 + 1;
6: unlock(m2);
```

statements: 1

```
program counter: 1
mutexes: m1=1; m2=0;
global variables: val1=0; val2=0;
local variabes: t1= -1; t2= -1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

statements: 1-2

val1-access: W<sub>twoStage,2</sub>

val2-access:

write access to the shared variable val1 in statement 2 of the thread twoStage

```
Thread twoStage

1: lock(m1);

2: val1 = 1;

3: unlock(m1);

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

#### program counter: 2

```
mutexes: m1=1; m2=0;
global variables: val1=1; val2=0;
local variabes: t1=-1; t2=-1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

```
statements: 1-2-3
val1-access: W<sub>twoStage,2</sub>
val2-access:
```

```
Thread twoStage
1: lock(m1);
2: val1 = 1;

3: unlock(m1);
4: lock(m2);
5: val2 = val1 + 1;
6: unlock(m2);
```

# program counter: 3 mutexes: m1=0; m2=0; global variables: val1=1; val2=0; local variabes: t1= -1; t2= -1;

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

```
statements: 1-2-3-7
val1-access: W<sub>twoStage,2</sub>
val2-access:
```

#### program counter: 7

```
mutexes: m1=1; m2=0;
global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;
```

```
Thread reader

7: lock(m1);

8: if (val1 == 0) {

9: unlock(m1);

10: return NULL; }

11: t1 = val1;

12: unlock(m1);

13: lock(m2);

14: t2 = val2;

15: unlock(m2);

16: assert(t2==(t1+1));
```

Lazy exploration: interleaving I

statements: 1-2-3-7-8

val1-access: W<sub>twoStage,2</sub> - R<sub>reader,8</sub>

val2-access:

#### program counter: 8

```
mutexes: m1=1; m2=0;
global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;
```

read access to the shared variable val1 in statement 8 of the thread reader

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

```
statements: 1-2-3-7-8-11
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,8</sub> - R<sub>reader,11</sub>
val2-access:
```

#### program counter: 11

```
mutexes: m1=1; m2=0;
global variables: val1=1; val2=0;
local variabes: t1= 1; t2= -1;
```

```
Thread reader
  7: lock(m1);
  8: if (val1 == 0) {
  9: unlock(m1);
  10: return NULL; }
12: unlock(m1);
  13: lock(m2);
  14: t2 = val2;
  15: unlock(m2);
  16: assert(t2 = = (t1+1));
```

```
statements: 1-2-3-7-8-11-12 val1-access: W_{twoStage,_2} - R_{reader,_8} - R_{reader,_{11}} val2-access:
```

#### program counter: 12 mutexes: m1=0; m2=0; global variables: val1=1; val2=0; local variabes: t1= 1; t2= -1;

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;

12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

```
statements: 1-2-3-7-8-11-12 val1-access: W_{twoStage,_2} - R_{reader,_8} - R_{reader,_{11}} val2-access:
```

```
Thread twoStage
                                    Thread reader
                                    7: lock(m1);
  1: lock(m1);
                          CS1
  2: val1 = 1;
                                    8: if (val1 == 0) {
  3: unlock(m1);
                                    9: unlock(m1);
  4: lock(m2); ←
                                    10: return NULL; }
                          CS2
  5: val2 = val1 + 1;
                                    11: t1 = val1;
  6: unlock(m2);
                                   -12: unlock(m1);
                                    13: lock(m2);
                                    14: t2 = val2;
program counter: 4
                                    15: unlock(m2);
mutexes: m1=0; m2=0;
                                    16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=0;
local variabes: t1 = 1; t2 = -1;
```

statements: 1-2-3-7-8-11-12-4

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub>
val2-access:
  Thread twoStage
                                       Thread reader
                                       7: lock(m1);
  1: lock(m1);
                            CS1
  2: val1 = 1;
                                       8: if (val1 == 0) {
  3: unlock(m1);
                                       9: unlock(m1);
  4: lock(m2); ←
                                       10: return NULL; }
                             CS2
  5: val2 = val1 + 1;
                                       11: t1 = val1;
  6: unlock(m2);
                                       -12: unlock(m1);
                                       13: lock(m2);
                                       14: t2 = val2;
program counter: 4
                                       15: unlock(m2);
mutexes: m1=0; m2=1;
                                       16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=0;
local variabes: t1 = 1; t2 = -1;
```

statements: 1-2-3-7-8-11-12-4-5

local variabes: t1 = 1; t2 = -1;

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub>
  Thread twoStage
                                        Thread reader
                                        7: lock(m1);
  1: lock(m1);
                             CS1
  2: val1 = 1;
                                        8: if (val1 == 0) {
  3: unlock(m1);
                                        9: unlock(m1);
  4: lock(m2); ←
                                        10: return NULL; }
                              CS2
  5: val2 = val1 + 1;
                                        11: t1 = val1;
  6: unlock(m2);
                                        -12: unlock(m1);
                                        13: lock(m2);
                                        14: t2 = val2;
program counter: 5
                                        15: unlock(m2);
mutexes: m1=0; m2=1;
                                        16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
```

```
statements: 1-2-3-7-8-11-12-4-5-6
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub>
  Thread twoStage
                                        Thread reader
                                        7: lock(m1);
  1: lock(m1);
                             CS1
  2: val1 = 1;
                                        8: if (val1 == 0) {
                                        9: unlock(m1);
  3: unlock(m1);
  4: lock(m2); ←
                                        10: return NULL; }
                              CS2
  5: val2 = val1 + 1;
                                        11: t1 = val1;
  6: unlock(m2);
                                        -12: unlock(m1);
                                        13: lock(m2);
                                        14: t2 = val2;
program counter: 6
                                        15: unlock(m2);
mutexes: m1=0; m2=0;
                                        16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
local variabes: t1 = 1; t2 = -1;
```

```
statements: 1-2-3-7-8-11-12-4-5-6 val1-access: W_{twoStage,_2} - R_{reader,_8} - R_{reader,_{11}} - R_{twoStage,_5} val2-access: W_{twoStage,_5}
```

```
Thread twoStage
                                   Thread reader
                                   7: lock(m1);
  1: lock(m1);
                          CS1
  2: val1 = 1;
                                   8: if (val1 == 0) {
                                   9: unlock(m1);
  3: unlock(m1);
  4: lock(m2); ←
                                   10: return NULL; }
                          CS2
  5: val2 = val1 + 1;
                                   11: t1 = val1;
  6: unlock(m2); —___
                                   -12: unlock(m1);
                        CS3
                                   13: lock(m2);
                                   14: t2 = val2;
program counter: 13
                                   15: unlock(m2);
mutexes: m1=0; m2=0;
                                   16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
local variabes: t1 = 1; t2 = -1;
```

statements: 1-2-3-7-8-11-12-4-5-6-13

local variabes: t1 = 1; t2 = -1;

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,8</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub>
  Thread twoStage
                                        Thread reader
                                        7: lock(m1);
  1: lock(m1);
                             CS1
                                        8: if (val1 == 0) {
  2: val1 = 1;
                                        9: unlock(m1);
  3: unlock(m1);
  4: lock(m2); ←
                                        10: return NULL; }
                              CS2
  5: val2 = val1 + 1;
                                        11: t1 = val1;
  6: unlock(m2); —
                                       -12: unlock(m1);
                           CS3
                                      13: lock(m2);
                                        14: t2 = val2;
program counter: 13
                                        15: unlock(m2);
mutexes: m1=0; m2=1;
                                        16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
```

```
statements: 1-2-3-7-8-11-12-4-5-6-13-14
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,8</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub> - R<sub>reader,14</sub>
  Thread twoStage
                                       Thread reader
                                       7: lock(m1);
  1: lock(m1);
                            CS1
  2: val1 = 1;
                                       8: if (val1 == 0) {
  3: unlock(m1);
                                       9: unlock(m1);
  4: lock(m2); ←
                                       10: return NULL; }
                             CS2
  5: val2 = val1 + 1;
                                       11: t1 = val1;
  6: unlock(m2); —___
                                       -12: unlock(m1);
                          CS3
                                       13: lock(m2);
                                    program counter: 14
                                       15: unlock(m2);
mutexes: m1=0; m2=1;
                                       16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
local variabes: t1 = 1; t2 = 2;
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14-15

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub> - R<sub>reader,14</sub>
  Thread twoStage
                                         Thread reader
                                         7: lock(m1);
  1: lock(m1);
                              CS1
  2: val1 = 1;
                                         8: if (val1 == 0) {
  3: unlock(m1);
                                         9: unlock(m1);
  4: lock(m2); ←
                                         10: return NULL; }
                              CS2
  5: val2 = val1 + 1;
                                         11: t1 = val1;
  6: unlock(m2); —___
                                        -12: unlock(m1);
                           CS3
                                         -13: lock(m2);
                                         14: t2 = val2;
program counter: 15
                                      • 15: unlock(m2);
mutexes: m1=0; m2=0;
                                         16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=2;
local variabes: t1 = 1; t2 = 2;
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub> - R<sub>reader,14</sub>
  Thread twoStage
                                         Thread reader
                                         7: lock(m1);
  1: lock(m1);
                              CS1
                                         8: if (val1 == 0) {
  2: val1 = 1;
  3: unlock(m1);
                                         9: unlock(m1);
  4: lock(m2); ←
                                         10: return NULL; }
                              CS2
  5: val2 = val1 + 1;
                                         11: t1 = val1;
  6: unlock(m2); —___
                                        -12: unlock(m1);
                           CS3
                                         -13: lock(m2);
                                         14: t2 = val2;
program counter: 16
                                         15: unlock(m2);
mutexes: m1=0; m2=0;
                                         16: assert(t2 = = (t1+1));
global variables: val1=1; val2=2; ●
local variabes: t1 = 1; t2 = 2;
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16

```
val1-access: W<sub>twoStage,2</sub> - R<sub>reader,2</sub> - R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: W<sub>twoStage,5</sub> - R<sub>reader,14</sub>
  Thread twoStage
                                          Thread reader
                                          7: lock(m1);
  1: lock(m1);
                              CS1
  2: val1 = 1;
                                         8: if (val1 == 0) {
  3: unlock(m1);
                                         9: unlock(m1);
  4: lock(m2); ←
                                          10: return NULL; }
                               CS2
  5: val2 = val1 + 1;
                                          11: t1 = val1;
  6: unlock(m2); —___
                            CS3
                                         -12: unlock(m1);
                                         -13: lock(m2);
                                         14: t2 = val2;
                                         15: unlock(m2);
 QF formula is unsatisfiable,
                                          16: assert(t2==(t1+1));
  i.e., assertion holds
```

```
statements:
val1-access:
val2-access:
```

```
Thread twoStage

1: lock(m1);

2: val1 = 1;

3: unlock(m1);

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
program counter: 0
mutexes: m1=0; m2=0;
global variables: val1=0; val2=0;
local variabes: t1=-1; t2=-1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

statements: 1-2-3
val1-access: W<sub>twoStage,2</sub>
val2-access:

```
Thread twoStage

1: lock(m1);

2: val1 = 1;

3: unlock(m1);

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

### program counter: 3

```
mutexes: m1=0; m2=0;
global variables: val1=1; val2=0;
local variabes: t1=-1; t2=-1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

```
statements: 1-2-3
val1-access: W<sub>twoStage,2</sub>
val2-access:
```

#### program counter: 7

```
mutexes: m1=0; m2=0;
global variables: val1=1; val2=0;
local variabes: t1= -1; t2= -1;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1 + 1));
```

```
statements: 1-2-3-7-8-11-12-13-14-15-16 val1-access: W_{twoStage,2}- R_{reader,8}- R_{reader,11} val2-access: R_{reader,14}
```

#### program counter: 16

```
mutexes: m1=0; m2=0; global\ variables: val1=1; val2=0; local\ variabes: t1=1; t2=0;
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2 = = (t1+1));
```

```
statements: 1-2-3-7-8-11-12-13-14-15-16 val1-access: W<sub>twoStage,2</sub>- R<sub>reader,8</sub>- R<sub>reader,11</sub>
```

val2-access: R<sub>reader,14</sub>

```
Thread twoStage
                                    Thread reader
                                    7: lock(m1);
  1: lock(m1);
                           CS1
  2: val1 = 1;
                                    8: if (val1 == 0) {
  3: unlock(m1);
                                    9: unlock(m1);
  4: lock(m2); <
                                    10: return NULL; }
  5: val2 = val1 \rightarrow
                                    11: t1 = val1;
  6: unlock(m2);
                                    12: unlock(m1);
                                    13: lock(m2);
                              CS2
                                    14: t2 = val2;
program counter: 4
                                    15: unlock(m2);
mutexes: m1=0; m2=0;
                                    16: assert(t2 = = (t1 + 1));
global variables: val1=1; val2=0;
local variabes: t1 = 1; t2 = 0;
```

statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6

```
val1-access: W<sub>twoStage,2</sub>- R<sub>reader,8</sub>- R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: R<sub>reader,14</sub>- W<sub>twoStage,5</sub>
  Thread twoStage
                                         Thread reader
                                         7: lock(m1);
  1: lock(m1);
                              CS1
  2: val1 = 1;
                                         8: if (val1 == 0) {
  3: unlock(m1);
                                         9: unlock(m1);
  4: lock(m2); <
                                         10: return NULL; }
  5: val2 = val1 +
                                         11: t1 = val1;
  6: unlock(m2);
                                         12: unlock(m1);
                                         13: lock(m2);
                                  CS2
                                         14: t2 = val2;
program counter: 6
                                         15: unlock(m2);
mutexes: m1=0; m2=0;
                                         16: assert(t2==(t1+1));
global variables: val1=1; val2=2;
local variabes: t1 = 1; t2 = 0;
```

statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6

```
val1-access: W<sub>twoStage,2</sub>- R<sub>reader,8</sub>- R<sub>reader,11</sub> - R<sub>twoStage,5</sub>
val2-access: R<sub>reader,14</sub>- W<sub>twoStage,5</sub>
  Thread twoStage
                                          Thread reader
                                          7: lock(m1);
  1: lock(m1);
                               CS1
  2: val1 = 1;
                                          8: if (val1 == 0) {
  3: unlock(m1);
                                          9: unlock(m1);
                                          10: return NULL; }
  4: lock(m2); √
  5: val2 = val1 →
                                          11: t1 = val1;
  6: unlock(m2);
                                          12: unlock(m1);
                                          13: lock(m2);
                                  CS2
                                          14: t2 = val2;
                                          15: unlock(m2);
  QF formula is satisfiable,
                                          16: assert(t2 = = (t1 + 1));
 i.e., assertion does not hold
```

## Lazy exploration of interleavings

Idea: iteratively generate all possible interleavings and call the BMC procedure on each interleaving

#### ... combines

- symbolic model checking: on each individual interleaving
- explicit state model checking: explore all interleavings

# Lazy exploration of interleavings - Reachability Tree



# Lazy exploration of interleavings - Reachability Tree



# Lazy exploration of interleavings - Reachability Tree



 Use a reachability tree (RT) to describe reachable states of a multi-threaded program

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:
  - A<sub>i</sub> represents the currently active thread

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:
  - A<sub>i</sub> represents the currently active thread
  - C<sub>i</sub> represents the context switch number

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:
  - A<sub>i</sub> represents the currently active thread
  - C<sub>i</sub> represents the context switch number
  - s<sub>i</sub> represents the current state

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:
  - A<sub>i</sub> represents the currently active thread
  - C<sub>i</sub> represents the context switch number
  - *s*<sub>i</sub> represents the current state
  - $l_i^j$  represents the current location of thread j

- Use a reachability tree (RT) to describe reachable states of a multi-threaded program
- Each node in the RT is a tuple  $v = \left(A_i, C_i, s_i, \left\langle l_i^j, G_i^j \right\rangle_{j=1}^n \right)_i$  for a given time step i, where:
  - A<sub>i</sub> represents the currently active thread
  - C<sub>i</sub> represents the context switch number
  - *s*<sub>i</sub> represents the current state
  - $l_i^j$  represents the current location of thread j
  - $G_i^j$  represents the control flow guards accumulated in thread j along the path from  $l_0^j$  to  $l_i^j$

**R1** (assign): If I is an assignment, we execute I, which generates  $s_{i+1}$ . We add as child to v a new node v

$$v' = \left(A_i, C_i, S_{i+1}, \left\langle l_{i+1}^j, G_i^j \right\rangle \right)_{i+1} \to l_{i+1}^{A_i} = l_i^{A_i} + 1$$

- we have fully expanded  $\upsilon$  if
  - I within an atomic block; or
  - I contains no global variable; or
  - the upper bound of context switches  $(C_i = C)$  is reached
- if v is not fully expanded, for each thread  $j \neq A_i$  where  $G_i^j$  is enabled in  $s_{i+1}$ , we thus create a new child node

$$v_j' = \left(j, C_i + 1, S_{i+1}, \left\langle l_i^j, G_i^j \right\rangle\right)_{i+1}$$

**R2 (skip):** If *I* is a *skip*-statement with target *I*, we increment the location of the current thread and continue with it. We explore no context switches:

$$\upsilon' = \left(A_{i}, C_{i}, s_{i}, \left\langle \underline{l_{i+1}^{j}}, G_{i}^{j} \right\rangle\right)_{i+1}$$

$$\downarrow l_{i+1}^{j} = \begin{cases} l_{i}^{j} + 1 : j = A_{i} \\ l_{i}^{j} : otherwise \end{cases}$$

**R2 (skip):** If *I* is a *skip*-statement with target *I*, we increment the location of the current thread and continue with it. We explore no context switches:

$$\upsilon' = \left(A_{i}, C_{i}, s_{i}, \left\langle \underline{l_{i+1}^{j}}, G_{i}^{j} \right\rangle \right)_{i+1}$$

$$\downarrow l_{i+1}^{j} = \begin{cases} l_{i}^{j} + 1 : j = A_{i} \\ l_{i}^{j} : otherwise \end{cases}$$

**R3 (unconditional goto):** If *I* is an unconditional *goto*-statement with target *I*, we set the location of the current thread and continue with it. We explore no context switches:

$$\upsilon' = \left(A_{i}, C_{i}, s_{i}, \left\langle \underline{l_{i+1}^{j}}, G_{i}^{j} \right\rangle\right)_{i+1}$$

$$l_{i+1}^{j} = \begin{cases} l : j = A_{i} \\ l_{i}^{j} : otherwise \end{cases}$$

**R4 (conditional goto):** If I is a conditional goto-statement with test c and target I, we create two child nodes v and v.

- for v', we assume that c is *true* and proceed with the target instruction of the jump:

$$v' = \left(A_i, C_i, s_i, \left\langle \underline{l_{i+1}^j}, c \wedge G_i^j \right\rangle \right)_{i+1}$$

$$l_{i+1}^j = \begin{cases} l : j = A_i \\ l_i^j : otherwise \end{cases}$$

- for  $\upsilon$ ', we add  $\neg c$  to the guards and continue with the next instruction in the current thread

$$\upsilon'' = \left(A_{i}, C_{i}, s_{i}, \left\langle \underline{l_{i+1}^{j}}, \neg c \wedge G_{i}^{j} \right\rangle \right)_{i+1} = \begin{cases} l_{i}^{j} + 1 & : \quad j = A_{i} \\ l_{i}^{j} & : \quad otherwise \end{cases}$$

prune one of the nodes if the condition is determined statically

**R5 (assume):** If *I* is an *assume*-statement with argument *c*, we proceed similar to R1.

- we continue with the unchanged state  $s_i$  but add c to all guards, as described in R4
- If  $c \wedge G_i^J$  evaluates to *false*, we prune the execution path

**R5 (assume):** If *I* is an *assume*-statement with argument *c*, we proceed similar to R1.

- we continue with the unchanged state  $s_i$  but add c to all guards, as described in R4
- If  $c \wedge G_i^j$  evaluates to *false*, we prune the execution path

**R6 (assert):** If *I* is an *assert*-statement with argument *c*, we proceed similar to R1.

- we continue with the unchanged state  $s_i$  but add c to all guards, as described in R4
- we generate a verification condition to check the validity of c

**R5 (start\_thread):** If *I* is a *start\_thread* instruction, we add the indicated thread to the set of active threads:

$$\boldsymbol{v}' = \left(A_i, C_i, S_i, \left\langle l_{i+1}^j, G_{i+1}^j \right\rangle_{j=1}^{n+1}\right)_{i+1}$$

- where  $l_{i+1}^{n+1}$  is the initial location of the thread and  $G_{i+1}^{n+1} = G_i^{A_i}$
- the thread starts with the guards of the currently active thread

**R5 (start\_thread):** If *I* is a *start\_thread* instruction, we add the indicated thread to the set of active threads:

$$\boldsymbol{v}' = \left(A_i, C_i, S_i, \left\langle l_{i+1}^j, G_{i+1}^j \right\rangle_{j=1}^{n+1}\right)_{i+1}$$

- where  $l_{i+1}^{n+1}$  is the initial location of the thread and  $G_{i+1}^{n+1} = G_i^{A_i}$
- the thread starts with the guards of the currently active thread

**R6 (join\_thread):** If *I* is a *join\_thread* instruction with argument *Id*, we add a child node:

$$v' = \left(A_i, C_i, s_i, \left\langle \underline{l_{i+1}^j}, G_i^j \right\rangle \right)_{i+1}$$

- where  $l_{i+1}^{j} = l_{i}^{A_{i}} + 1$  only if the joining thread Id has exited

## Lazy exploration of interleavings

- Main steps of the algorithm:
  - 1. Initialize the stack with the initial node  $v_0$  and the initial path  $\pi_0$  =  $\langle v_0 \rangle$
  - 2. If the stack is empty, terminate with "no error".
  - 3.Pop the current node  $\upsilon$  and current path  $\pi$  off the stack and compute the set  $\upsilon'$  of successors of  $\upsilon$  using rules R1-R8.
  - 4. If  $\upsilon$ ' is empty, derive the VC  $\varphi_k^{\pi}$  for  $\pi$  and call the SMT solver on it. If  $\varphi_k^{\pi}$  is satisfiable, terminate with "error"; otherwise, goto step 2.
  - 5. If  $\upsilon$ ' is not empty, then for each node  $\upsilon \in \upsilon$ ', add  $\upsilon$  to  $\pi$ , and push node and extended path on the stack. goto step 3.

computation path 
$$\pi = \{v_1, \dots v_n\}$$

$$\varphi_k^{\pi} = I(s_0) \wedge R(s_0, s_1) \wedge \dots \wedge R(s_{k-1}, s_k) \wedge \neg \phi_k$$
bound

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]
  - keep in memory the parent nodes of all unexplored paths only

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]
  - keep in memory the parent nodes of all unexplored paths only
  - exploit which transitions are enabled in a given state

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]
  - keep in memory the parent nodes of all unexplored paths only
  - exploit which transitions are enabled in a given state
  - bound the number of preemptions (C) allowed per threads
    - ⊳ number of executions: O(n<sup>c</sup>)

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]
  - keep in memory the parent nodes of all unexplored paths only
  - exploit which transitions are enabled in a given state
  - bound the number of preemptions (C) allowed per threads
     ▷ number of executions: O(n<sup>c</sup>)
  - as each formula corresponds to one possible path only, its size is relatively small

- naïve but useful:
  - bugs usually manifest with few context switches [Qadeer&Rehof'05]
  - keep in memory the parent nodes of all unexplored paths only
  - exploit which transitions are enabled in a given state
  - bound the number of preemptions (C) allowed per threads
    - ¬ number of executions: O(n<sup>c</sup>)
  - as each formula corresponds to one possible path only, its size is relatively small
- can suffer performance degradation:
  - in particular for correct programs where we need to invoke the SMT solver once for each possible execution path

## Schedule Recording

## Idea: systematically encode all possible interleavings into one formula

- explore reachability tree in same way as lazy approach
- ... but call SMT solver only once
- add a schedule guard ts<sub>i</sub> for each context switch block i (0 < ts<sub>i</sub> ≤ #threads)
  - record in which order the scheduler has executed the program
  - SMT solver determines the order in which threads are simulated
- add scheduler guards only to effective statements (assignments and assertions)
  - record effective context switches (ECS)
  - ECS block: sequence of program statements that are executed with no intervening ECS

statements:

twoStage-ECS:

reader-ECS:

```
Thread twoStage
1: lock(m1);
2: val1 = 1;
3: unlock(m1);
4: lock(m2);
5: val2 = val1 + 1;
6: unlock(m2);
```

#### **ECS** block

```
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1

twoStage-ECS: (1,1)

reader-ECS:

guarded statement can only be executed if statement 1 is scheduled in ECS block 1

#### Thread twoStage

1: lock(m1);  $ts_1 == 1$ 

2: val1 = 1;

3: unlock(m1);

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);

#### Thread reader

each program statement is then prefixed by a schedule guard  $ts_i = j$ , where:

- i is the ECS block number
- j is the thread identifier

4. L. VAIL,

15: unlock(m2);

16: assert(t2==(t1+1));

statements: 1-2

twoStage-ECS: (1,1)-(2,2)

reader-ECS:

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1);

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3

twoStage-ECS: (1,1)-(2,2)-(3,3)

reader-ECS:

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1); ts_3 == 1

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3-7

twoStage-ECS: (1,1)-(2,2)-(3,3)

reader-ECS: (7,4)

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1); ts_3 == 1

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
                            ts_{4} == 2
7: lock(m1);
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8

twoStage-ECS: (1,1)-(2,2)-(3,3)

reader-ECS: (7,4)-(8,5)

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1); ts_3 == 1

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
                            ts_4 == 2
7: lock(m1);
                            ts_5 == 2
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11

twoStage-ECS: (1,1)-(2,2)-(3,3)

reader-ECS: (7,4)-(8,5)-(11,6)

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1); ts_3 == 1

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
                             ts_4 == 2
7: lock(m1);
                            ts_5 == 2
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
                             ts_6 == 2
11: t1 = val1;
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12

twoStage-ECS: (1,1)-(2,2)-(3,3)

```
Thread twoStage

1: lock(m1); ts_1 == 1

2: val1 = 1; ts_2 == 1

3: unlock(m1); ts_3 == 1

4: lock(m2);

5: val2 = val1 + 1;

6: unlock(m2);
```

```
Thread reader
                             ts_4 == 2
7: lock(m1);
                            ts_5 == 2
8: if (val1 == 0) {
9: unlock(m1);
10: return NULL; }
11: t1 = val1;
                             ts_6 == 2
                             ts_7 == 2
12: unlock(m1);
13: lock(m2);
14: t2 = val2;
15: unlock(m2);
16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)

```
Thread reader
Thread twoStage
                       ts_1 == 1
                                                                     ts_4 == 2
                                        7: lock(m1);
1: lock(m1);
                                         8: if (val1 == 0) {
                                                                     ts_5 == 2
2: val1 = 1;
                       ts_2 == 1
                                         9: unlock(m1);
3: unlock(m1);
                       ts_3 == 1
                                         10: return NULL; }
4: lock(m2);
                       ts_8 == 1
                                         11: t1 = val1;
                                                                     ts_6 == 2
5: val2 = val1 + 1;
                                   CS
                                                                     ts_7 == 2
6: unlock(m2);
                                        -12: unlock(m1);
                                         13: lock(m2);
                                         14: t2 = val2;
                                         15: unlock(m2);
                                         16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)

```
Thread reader
Thread twoStage
                       ts_1 == 1
                                                                     ts_4 == 2
                                        7: lock(m1);
1: lock(m1);
                                         8: if (val1 == 0) {
                                                                     ts_5 == 2
2: val1 = 1;
                       ts_2 == 1
                                         9: unlock(m1);
3: unlock(m1);
                       ts_3 == 1
                                         10: return NULL; }
4: lock(m2);
                       ts_8 == 1
5: val2 = val1 + 1;
                                        11: t1 = val1;
                                                                     ts_6 == 2
                                   CS
                       ts_o =
                                                                     ts_7 == 2
6: unlock(m2);
                                        -12: unlock(m1);
                                         13: lock(m2);
                                         14: t2 = val2;
                                         15: unlock(m2);
                                         16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5-6

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)-(6,10)

```
Thread reader
Thread twoStage
                        ts_1 == 1
                                                                      ts_4 == 2
                                        7: lock(m1);
1: lock(m1);
                                         8: if (val1 == 0) {
                                                                      ts_5 == 2
2: val1 = 1;
                        ts_2 == 1
                                         9: unlock(m1);
3: unlock(m1);
                       ts_3 == 1
                                         10: return NULL; }
4: lock(m2);
                        ts_8 == 1
                                        11: t1 = val1;
                                                                      ts_6 == 2
5: val2 = val1 + 1;
                       ts_0 = 1
                                    CS
                       ts_{10} = 1
                                                                      ts_7 == 2
6: unlock(m2);
                                         -12: unlock(m1);
                                         13: lock(m2);
                                         14: t2 = val2;
                                         15: unlock(m2);
                                         16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5-6-13

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)-(6,10)

```
Thread reader
Thread twoStage
                        ts_1 == 1
                                                                      ts_4 == 2
                                         7: lock(m1);
1: lock(m1);
                                         8: if (val1 == 0) {
                                                                       ts_5 == 2
2: val1 = 1;
                        ts_2 == 1
                                         9: unlock(m1);
3: unlock(m1);
                        ts_3 == 1
                                         10: return NULL; }
4: lock(m2);
                        ts_8 == 1
5: val2 = val1 + 1;
                                         11: t1 = val1;
                                                                       ts_6 == 2
                        ts_0 = 1
                                    CS
                        ts_{10} = 1
                                                                       ts_7 == 2
6: unlock(m2);
                                         -12: unlock(m1);
                                                                      ts_{11} == 2
                                         -13: lock(m2);
                                CS
                                         14: t2 = val2;
                                         15: unlock(m2);
                                         16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)-(6,10)

reader-ECS: (7,4)-(8,5)-(11,6)-(12,7)-(13,11)-(14,12)

```
Thread reader
Thread twoStage
                        ts_1 == 1
                                                                       ts_4 == 2
                                         7: lock(m1);
1: lock(m1);
                                         8: if (val1 == 0) {
                                                                       ts_5 == 2
2: val1 = 1;
                        ts_2 == 1
                                         9: unlock(m1);
3: unlock(m1);
                        ts_3 == 1
                                          10: return NULL; }
4: lock(m2);
                        ts_8 == 1
5: val2 = val1 + 1;
                                         11: t1 = val1;
                                                                       ts_6 == 2
                        ts_0 = 1
                                    CS
                        ts_{10} = 1
                                                                       ts_7 == 2
6: unlock(m2);
                                         -12: unlock(m1);
                                                                       ts_{11} = 2
                                         13: lock(m2);
                                CS
                                                                       ts_{12} = 2
                                          14: t2 = val2;
                                          15: unlock(m2);
                                          16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14-15

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)-(6,10)

reader-ECS: (7,4)-(8,5)-(11,6)-(12,7)-(13,11)-(14,12)-(15,13)

```
Thread reader
Thread twoStage
                        ts_1 == 1
                                                                       ts_4 == 2
                                         7: lock(m1);
1: lock(m1);
                                          8: if (val1 == 0) {
                                                                       ts_5 == 2
2: val1 = 1;
                        ts_2 == 1
                                          9: unlock(m1);
3: unlock(m1);
                        ts_3 == 1
                                          10: return NULL; }
4: lock(m2);
                        ts_8 == 1
5: val2 = val1 + 1;
                                         11: t1 = val1;
                                                                       ts_6 == 2
                        ts_0 = 1
                                    CS
                                         -12: unlock(m1);
                        ts_{10} = 1
                                                                       ts_7 == 2
6: unlock(m2);
                                                                       ts_{11} = 2
                                         -13: lock(m2);
                                 CS
                                                                       ts_{12} = 2
                                          14: t2 = val2;
                                                                       ts_{13} == 2
                                          15: unlock(m2);
                                          16: assert(t2==(t1+1));
```

statements: 1-2-3-7-8-11-12-4-5-6-13-14-15-16

twoStage-ECS: (1,1)-(2,2)-(3,3)-(4,8)-(5,9)-(6,10)

reader-ECS: (7,4)-(8,5)-(11,6)-(12,7)-(13,11)-(14,12)-(15,13)-(16,14)

```
Thread reader
Thread twoStage
                        ts_1 == 1
                                                                        ts_4 == 2
                                          7: lock(m1);
1: lock(m1);
                                                                        ts_5 == 2
                                          8: if (val1 == 0) {
2: val1 = 1;
                        ts_2 == 1
                                               unlock(m1);
3: uplock(m1):
                                               return NULL; }
4: I interleaving completed, so
                                              t1 = val1;
                                                                        ts_6 == 2
    build constraints for interleaving
                                              unlock(m1);
                                                                        ts_7 == 2
     (but do not call SMT solver)
                                                                        ts_{11} = 2
                                           <del>ಗತ:</del> lock(m2);
                                                                        ts_{12} = 2
                                          14: t2 = val2;
                                                                        ts_{13} = 2
                                           15: unlock(m2);
                                          16: assert(t2==(t1+1));
                                                                       ts_{14} == 2
```

statements: 1-2-3-7-8-11-12-13-14-15-16-4-5-6

twoStage-ECS: (1,1)-(2,3)-(3,4)-(4,12)-(5,13)-(6,14)

reader-ECS: (7,4)-(8,5)-(11,6)-(12,7)-(13,8)-(14,9)-(15,10)-(16,11)

```
Thread reader
Thread twoStage
                         ts_1 == 1
                                                                          ts_4 == 2
                                           7: lock(m1);
1: lock(m1);
                                           8: if (val1 == 0) {
                                                                          ts_5 == 2
2: val1 = 1;
                         ts_2 == 1
                                           9: unlock(m1);
3: unlock(m1);
                         ts_3 == 1
                                            10: return NULL; }
4: lock(m2);
                         ts_{12} = 1
5: val2 = val1 + 1;
                         ts_{13} == 1
                                            11: t1 = val1;
                                                                          ts_6 == 2
                                           12: unlock(m1);
                         ts<sub>14</sub>== 1
                                                                          ts_7 == 2
6: unlock(m2);
                                                                          ts_8 == 2
                                            13: lock(m2);
                                                                          ts_9 == 2
                                            14: t2 = val2;
                                                                          ts_{10} = 2
                                            15: unlock(m2);
                                                                          ts_{11} = 2
                                            16: assert(t2==(t1+1));
```

#### **Schedule Recording: Execution Paths**



# Observations about the schedule recoding approach

- systematically explore the thread interleavings as before, but:
  - add schedule guards to record in which order the scheduler has executed the program
  - encode all execution paths into one formula
    - o bound the number of context switches
    - o exploit which transitions are enabled in a given state
- number of threads and context switches grows very large quickly, and easily "blow-up" the solver:
  - there is a clear trade-off between usage of time and memory resources

## Intended learning outcomes

- Introduce typical BMC architectures for verifying software systems
- Understand communication models and typical errors when writing concurrent programs
- Explain explicit schedule exploration of multithreaded software
- Explain sequentialization methods to convert concurrent programs into sequential ones

## Sequentialization

#### Observation:

Building verification tools for full-fledged concurrent languages is difficult and expensive...

- ... but scalable verification techniques exist for sequential languages
  - Abstraction techniques
  - SAT/SMT techniques (i.e., bounded model checking)

⇒ How can we leverage these?

## Sequentialization

⇒ How can we leverage these?

#### Sequentialization:

convert concurrent programs into sequential programs such that reachability is preserved

- replace control non-determinism by data non-determinism
- P' simulates all computations (within certain bounds) of P
- source-to-source transformation: T₁ // T₂ ¬¬ T¹₁; T²₂
- ⇒ reuse existing tools (largely) unchanged
- ⇒ easy to target multiple back-ends
- ⇒ easy to experiment with different approaches

## A first sequentialization: KISS

KISS: Keep It Simple and Sequential [Quadeer-Wu, PLDI' 04]

**Under-approximation** (subset of interleavings)

#### Thread creation → function call

- at context-switches either:
  - o the active thread is terminated or
  - o a not yet scheduled thread is started (by calling its main function)
- when a thread is terminated either:
  - o the thread that has called it is resumed (if any) or
  - o a not yet scheduled thread is started

#### KISS schedules





- 1. Start T₁
- 2. Start T<sub>2</sub>
- 3. Terminate T<sub>2</sub>
- 4. start T<sub>3</sub>
- 5. terminate T<sub>3</sub>
- 6. Resume T<sub>1</sub>



#### Schedule 2:

- 1. start T₁
- 2. start T<sub>2</sub>
- 3. start T<sub>3</sub>
- 4. terminate T<sub>3</sub>
- 5. resume T<sub>2</sub>
- 6. terminate T<sub>2</sub>
- 7. resume T₁



- 2. start T<sub>2</sub>
- 3. terminate T<sub>2</sub>
- 4. resume T₁
- 5. start T<sub>3</sub>
- 6. terminate T<sub>3</sub>
- 7. resume T₁

 considers only round-robin schedules with k rounds



considers only round-robin schedules with k rounds

■ thread → function, run to completion



- considers only round-robin schedules with k rounds
  - thread → function, run to completion
- global memory copy for each round
  - scalar → array



- considers only round-robin schedules with k rounds
  - thread → function, run to completion
- global memory copy for each round
  - scalar → array
- context switch → round counter++



- considers only round-robin schedules with k rounds
  - thread → function, run to completion
- global memory copy for each round
  - scalar → array
- context switch → round counter++
- first thread starts with non-deterministic memory contents
  - other threads continue with content left by predecessor



- considers only round-robin schedules with k rounds
  - thread → function, run to completion
- global memory copy for each round
  - scalar → array
- context switch → round counter++
- first thread starts with non-deterministic memory contents
  - other threads continue with content left by predecessor
- checker prunes away inconsistent simulations
  - assume( $S_{k+1,0} == S_{k,n}$ );
  - requires second set of memory copies
  - errors can only be checked at end of simulation o requires explicit error checks



#### LR sequentialization - implementation

```
//shared vars
type<sub>q1</sub> g1; type<sub>q2</sub> g2; ...
//thread functions
t(){
   type_{x1} x1; type_{x2} x2; ...
   stmt<sub>1</sub>;
   stmt,;
main(){
```

```
//shared vars
type<sub>q1</sub> g1[K]; type<sub>q2</sub> g2[K]; ...
uint round=0; bool ret=0; //aux vars
// context-switch simulation
cs() {
  unsigned int j; j= nondet();
  assume(round +j < K); round+=j;</pre>
  if (round==K-1 && nondet()) ret=1;
//thread functions
t(){
 type_{x1} x1; type_{x2} x2; ...
  cs(); if (ret) return; stmt1[round];
  cs(); if (ret) return; stmt<sub>2</sub>[round];
main thread(){
                   //next slide
main(){ ... }
```

#### LR sequentialization - implementation

```
main(){
   type_{g1} _g1[K]; type_{g2} _g2[K]; ...
   // first thread starts with non-deterministic memory contents
   for (i=1; i<K; i++){
      g1[i] = g1[i] = nondet();
      g2[i] = g2[i] = nondet();
   // thread simulations
   t[0] = main thread;
   round born[0] = 0; is created[0] = 1;
   for (i=0; i< N; i++){
      if(is created[i]){
         ret=0;
         round = round born[i];
         t[i](); }
   // consistency check
   for (i=0; i< K-1; i++){
      assume(g1[i+1] == g1[i]);
      assume( q2[i+1] == q2[i]);
   // error detection
   assert(err == 0); }
```

#### LR sequentialization - implementation

- Corral (SMT-based analysis for Boogie programs)
  - [ Lal–Qadeer–Lahiri, CAV'12 ]
  - [ Lal–Qadeer, FSE'14 ]
- CSeq (code-to-code translation for C + pthreads)
  - [ Fischer–Inverso–Parlato, ASE'13 ]
- Rek (for Real-time Embedded Software Systems)
  - [Chaki-Gurfinkel-Strichman, FMCAD'11]
- Storm: implementation for C programs
  - [ Lahiri–Qadeer–Rakamaric, CAV'09 ]
  - [Rakamaric, ICSE'10]

#### **Summary**

- Described typical architectures employed by BMC tools (e.g., CBMC, ESBMC and LLBMC):
  - language support, built-in safety checks, and nondeterministic modelling
  - general approach to verify programs, including program transformations and bit-blasting

## Summary

- Described typical architectures employed by BMC tools (e.g., CBMC, ESBMC and LLBMC):
  - language support, built-in safety checks, and nondeterministic modelling
  - general approach to verify programs, including program transformations and bit-blasting
- Introduced the difficulties to write concurrent programs, typical concurrency errors and communication models

## Summary

- Described typical architectures employed by BMC tools (e.g., CBMC, ESBMC and LLBMC):
  - language support, built-in safety checks, and nondeterministic modelling
  - general approach to verify programs, including program transformations and bit-blasting
- Introduced the difficulties to write concurrent programs, typical concurrency errors and communication models
- Presented state-of-the-art concurrency verification approaches, including: explicit schedule exploration and sequentialization