Alexander Malkis

Thread-modular verification is cartesian abstract interpretation

Verification of multithreaded programs is difficult. It requires reasoning about state spaces that grow exponentially in the number of concurrent threads. Successful verification techniques based on modular composition of over-approximations of thread behaviors have been designed for this task. These techniques have been traditionally described in assume-guarantee style, which does not admit reasoning about the abstraction properties of the involved compositional argument. Flanagan and Qadeer thread-modular algorithm is a characteristic representative of such techniques. In this paper, we investigate the formalization of this algorithm in the framework of abstract interpretation. We identify the ion that the algorithm implements; its definition involves Cartesian products of sets. Our result provides a basis for the systematic study of similar abstractions for dealing with the state explosion problem. As a first step in this direction, our result provides a characterization of a minimal increase in the precision of the Flanagan and Qadeer algorithm that leads to the loss of its polynomial complexity.

Thread-modular counterexample-guided abstraction refinement

We consider the refinement of a static analysis method called thread-modular verification. It was an open question whether such a refinement can be done automatically. We present a counterexampleguided abstraction refinement algorithm for thread-modular verification and demonstrate its potential, both theoretically and practically.

Precise thread-modular verification

Thread-modular verification is a promising approach for the verification of concurrent programs. Its high efficiency is achieved by abstracting the interaction between threads. The resulting polynomial complexity (in the number of threads) has its price: many interesting concurrent programs cannot be handled due to the imprecision of the abstraction. We propose a new abstraction algorithm for threadmodular verification that offers both high degree precision and polynomial complexity. Our algorithm is based on a new abstraction domain that combines Cartesian abstraction with exception sets, which allow one to handle particular thread interactions precisely. Our experimental results demonstrate the practical applicability of the algorithm.

A Model of Layered Architectures.

Architectural styles and patterns play an important role in software engineering. One of the most known ones is the layered architecture style. However, this style is usually only stated informally, which may cause problems such as ambiguity, wrong conclusions, and difficulty when checking the conformance of a system to the style. We address these problems by providing a formal, denotational semantics of the layered architecture style. Mainly, we present a sufficiently abstract and rigorous description of layered architectures. Loosely speaking, a layered architecture consists of a hierarchy of layers, in which services communicate via ports. A layer is modeled as a relation between used and provided services, and layer composition is defined by means of relational composition. Furthermore, we provide a formal definition for the notions of syntactic and semantic dependency between the layers. We show that these dependencies are not comparable in general. Moreover, we identify sufficient conditions under which, in an intuitive sense which we make precise in our treatment, the semantic dependency implies, is implied by, or even coincides with the reflexive-transitive closure of the syntactic dependency. Our results provide a technology-independent characterization of the layered architecture style, which may be used by software architects to ensure that a system is indeed built according to that style.

Verification of software barriers

This paper describes frontiers in verification of the software barrier synchronization primitive. So far most software barrier algorithms have not been mechanically verified. We show preliminary results in automatically proving the correctness of the major software barriers.

Abstract threads

Verification of large multithreaded programs is challenging. Automatic approaches cannot overcome the state explosion in the number of threads; semi-automatic methods require expensive human time for finding global inductive invariants. Ideally, automatic methods should not deal with the composition of the original threads and a human should not supply a global invariant. We provide such an approach. In our approach, a human supplies a specification of each thread in the program. Here he has the freedom to ignore or to use the knowledge about the other threads. The checks whether specifications of threads are sound as well as whether the composition of the specifications is error-free are handed over to the off-the-shelf verifiers. We show how to apply this divide-and-conquer approach for the interleaving semantics with shared variables communication where specifications are targeted to real-world programmers: a specification of a thread is simply another thread. The new approach extends thread-modular reasoning by relaxing the structure of the transition relation of a specification. We demonstrate the feasibility of our approach by verifying two protocols governing the teardown of important data structures in Windows device drivers.

A Model of Service-Oriented Architectures

Architectural styles and patterns play an important role in software engineering. Over the last years, a new style based on the notion of services emerged, which we call the service-oriented architecture style. However, this style is usually only stated informally, which may cause inherent problems such as ambiguity, wrong conclusions, and the difficulty of checking the conformance of a system to the style. We address these problems by providing a formal, denotational semantics of the service-oriented architecture style and two variants thereof: the layered architecture style and the strict architecture style. Loosely speaking, in our model of the service-oriented architecture style, services are a means of communication. Components exchange services between each other via ports. The layered architecture variant imposes a well-foundedness constraint on the communication structure, while the strict variant imposes an antitransitivity constraint. We analyze the notions of syntactic and semantic dependencies for service-oriented architectures and investigate their relationship. Moreover, the expected informal properties of the styles are formulated as theorems. Finally, we present a method for soundly analyzing instances of the style. Our rigorous approach enables building higher-quality architectures, for which properties can be mathematically stated and proven, by enforcing formal discipline on the inter-component scale.

Multithreaded-Cartesian Abstract Interpretation of Multithreaded Recursive Programs Is Polynomial

Undecidability is the scourge of verification for many program classes. We consider the class of shared-memory multithreaded programs in the interleaving semantics such that the number of threads is finite and constant throughout all executions, each thread has an unbounded stack, and the shared memory and the stack-frame memory are finite. Verifying that a given program state does not occur in executions of such a program is undecidable. We show that the complexity of verification drops to polynomial time under multithreaded-Cartesian abstraction. Furthermore, we demonstrate that multithreaded-Cartesian abstract interpretation generates an inductive invariant which is a regular language. Under logarithmic cost measure, both proving non-reachability and creating a finite automaton can be attained in \(\mathcal {O}(n\log _2n)\) time in the number of threads \(n\) and in polynomial time in all other quantities.

On the strength of owicki-gries for resources

In multithreaded programs data are often separated into lock- protected resources. Properties of those resources are typically verified by modular, Owicki-Gries-like methods. The modularity of the Owicki-Gries method has its price: proving some properties may require manual introduction of auxiliary variables. What properties can be proven without the burden of introducing auxiliary variables? We answer this question in the abstract interpretation framework. On one hand, we reveal a lattice structure of the method and supply a syntax-based abstract transformer that describes the method exactly. On the other hand, we bound the loss of precision from above and below by transition-relation-independent weakly relational closures. On infinitely many programs the closures coincide and describe the precision loss exactly; in general, the bounds are strict. We prove the absence of a general exact closure-based fixpoint characterization of the accuracy of the Owicki-Gries method, both in the collecting semantics and in certain trace semantics.

Reachability in Binary Multithreaded Programs Is Polynomial

Automatic finding of bugs in multithreaded programs is an important but inherently difficult task, even in the finite-state interleaving-semantics case. The complexity of this task has only been partially explored so far. We measure quantities such as the diameter, which is the longest finite distance realizable in the transition graph of the program, the local diameter, which is the maximum distance from any program state to any thread-local state, and the computational complexity of bugfinding. For the subclass of so-called binary multithreaded programs, we prove new bounds: all these quantities are majorized by a polynomial and, in certain cases, by a linear, logarithmic, or even constant function. Our bounds present a preparation step towards the corresponding polynomial-bound claims for general programs. These claims contrast sharply with the common belief that the main obstacle to analyzing concurrent programs is the exponential state explosion in the number of threads.