## CS766: Analysis of concurrent programs 2022

Lecture 19: Bounded model-checking for concurrent programs

Instructor: Ashutosh Gupta

IITB, India

Compile date: 2022-02-09

#### Limited verification

Full verification is a very hard goal.

Soundiness: May be reduced objectives give us reasonable guarantees.

We will look at a popular method that have been widely used.

# Bounded model checking(BMC)

**Topic 19.1** 

Basics of BMC



#### **BMC**

We get a program and a property as input.

We verify that the program does not violate the property in a given number of steps.

Only only consider safety. No liveness properties such as starvation or deadlock.(why?)

#### Implementing BMC

The program goes via several transformation steps.

- 1. Loop unrolling
- 2. SSA renaming
- 3. Translation to a giant formula
- 4. Use a sat solver to check the property.

### Step 1: Bounding using loop unrolling

- ▶ Unroll the loops a fixed number of times, say *n*, and add appropriate if-conditions for early exists from the loop.
- Modify recursive function calls similarly

In some execution of the original program, if a loop executes more than n times then the modified program will reach a dead end.

## Example: bounded loop unrolling

```
y=y+x;
x++;
assert(y < 5);
}

Let us unroll the loop three times.

The program transformation does not pay attention to the logic of the program. It simply unrolls even if there are fewer iterations.
```

```
x=0:
if(x < 2) {
  y = y + x;
  x ++ :
  assert(y < 5);
  if(x < 2) {
    y = y + x;
    x++;
    assert(y < 5);
    if(x < 2) {
       y = y + x;
       x++:
       assert (v < 5);
       if((x < 2)) goto DEAD_END;</pre>
```

Example 19.1

x=0:

Original program

while (x < 2) {

### Step 2: SSA encoding and SMT formula

The loop free program is translated into single static assignment(SSA) form.

- ▶ After every assignment fresh names are given to the variables
- ▶ At join points instructions are added to feed in correct values

CS766: Analysis of concurrent programs 2022

@(1)(\$)(0)

#### Program after SSA transformation foo(x0,y0) { Example 19.2 x1 = x0 + v0; Original program if ( x1 != 1 ) { foo(x,y) { $path_b = 1$ x=x+y; x2 = 2: if (x!=1)}else{ x=2; $path_b = 0$ else x3 = x1 + 1;x++; assert(x<=3): $x4 = path_b ? x2 : x3;$ assert( $x4 \le 3$ ):

IITB, India

Instructor: Ashutosh Gupta

#### Step 3: SSA to SMT formula

An SSA program can be easily translated into a formula.

#### Example 19.3

```
Original program
foo(x0,y0) {
  x1 = x0 + y0;
  if ( x1 != 1 )
    path_b = 1
    x2 = 2:
  else
    path_b = 0
    x3 = x1 + 1:
  x4=path_b?x2:x3;
```

 $assert(x4 \le 3):$ 

```
QF_BV formula for the SSA program
(assert (= x1 (bvadd x0 v0) )
(assert (= x2 #x00000002)
(assert (= x3 (bvadd x1 #x00000001)) )
(assert (= path_b (distinct x1 1))
(assert (ite path_b (= x4 x2) (= x4 x3)) )
(assert (not (bysle x4 3) )
   If the above is sat, the program has a bug
```

## Step 4: SMT Input

The SMT input with all the needed declarations.

```
(set-logic QF_BV)
(declare-fun x0 () ( BitVec 32))
(declare-fun x1 () ( BitVec 32))
(declare-fun x2 () ( BitVec 32))
(declare-fun x3 () ( BitVec 32))
(declare-fun x4 () (_ BitVec 32))
                                   Let us feed the
(declare-fun y0 () (_ BitVec 32)) problem to Z3
(declare-fun path_b () (Bool))
(assert (= x1 (bvadd x0 y0) )
(assert (= x2 #x00000002))
(assert (= x3 (byadd x1 #x00000001)))
(assert (= path_b (distinct x1 #x00000001) ) )
(assert (ite path_b (= x4 x2) (= x4 x3)) )
(assert (not (bysle x4 #x00000003) ) )
(check-sat)
```

#### An effective technology

- ▶ There are very successful BMC tools, e. g., CBMC
- ▶ Not a full verification method, but somewhat better than testing

**Topic** 19.2

Concurrent BMC



#### BMC for concurrent programs

- ▶ Full verification of concurrent programs is even more hard.
- ▶ Most tools use some form of Bounded verification
- Let us see how to do BMC for a concurrent program

#### Set of Events

An execution of program generates a set of read/write events E.

We define a relation po over E as follows.

#### Definition 19.1

For  $e_1, e_2 \in E$ ,  $(e_1, e_2) \in po$  if  $e_1$  was generated before  $e_2$  by the same thread.

#### Memory operation relation

The read write operations create the following relations  $\subseteq E \times E$ .

- rf: every read reads from exactly one write
- ws: all writes on a global are totally ordered
- ▶ fr : no other write comes between the write-read pairs in rf

#### Recall: Execution relations and condition

We have the following relations over events.

- po program order
- rf read from
- ws write serialization
- **fr** from read

#### Theorem 19.1

In a valid execution,  $po \cup rf \cup ws \cup fr$  is acyclic

We need to encode the acyclic requirement using integer. Every event will get a distinct integer time point.

#### Example: execution

#### Invalid execution:



### Constraints generation

If we want to do bounded model checking, we not only need to encode the behavior of a thread but also the concurrent interaction.

The formula F that encodes violating executions has following parts

- 1.  $F_{po}$  = program ordering constraints
- 2.  $F_{ssa} = SSA$  formula
- 3.  $F_{rf}$  = well-formed rf
- 4.  $F_{fr} = fr$  constraints

Let us discuss the constraints in detail.

## po condition $(F_{po})$

We need to encode the intra-thread order of events.

We use integer variables to encode the timing of the events. Integer variable

 $t_{
m W3}$ 

encodes the time when the write at w3 occurred.

$$w1.Wx = 0$$

$$po$$

$$r1.Ry = 0$$

 $t_{\mathtt{W1}} < t_{\mathtt{r1}}$ 

### Example: $F_{po}$

 $F_{po}$  consists of the following formulas.

#### Example 19.4

Let us consider our example again.

post:  $(a1=1\&\&a2=1) \Rightarrow c1+c2=2*v$ 

 $t_{w1} < t_{w2} < t_{w3} < t_{w4}$ 

po for T2:

po for T1:

 $t_{\texttt{pre.m1}} < t_{\texttt{r1}} \land t_{\texttt{pre.s1}} < t_{\texttt{r1}} \land \ t_{\texttt{pre.m2}} < t_{\texttt{r1}} \land \ t_{\texttt{pre.s2}} < t_{\texttt{r1}} \land$ 

 $t_{\mathtt{pre.m1}} < t_{\mathtt{w1}} \wedge t_{\mathtt{pre.s1}} < t_{\mathtt{w1}} \wedge t_{\mathtt{pre.m2}} < t_{\mathtt{w1}} \wedge t_{\mathtt{pre.s2}} < t_{\mathtt{w1}} \wedge$ 

$$t_{r1} < t_{r2} < t_{r3} < t_{r4}$$

## SSA formula( $F_{ssa}$ )

We translate each loop free thread into single static assignment(SSA) form.

- ▶ fresh names to the local variables after every assignment
- ▶ add instructions at join points to feed in correct values
- ▶ give a fresh name at each read and write of global variables

## Example : $F_{ssa}$

#### Example 19.5

Let us consider our example again.

post: 
$$(a1=1\&\&a2=1) \Rightarrow c1+c2=2*v$$

 $F_{ssa}$  consists of the following formulas.

The SSA encoding of pre condition.

$$\texttt{W.pre.m1} = \texttt{0} \land \texttt{W.pre.s1} = \texttt{0} \land \texttt{W.pre.m2} = \texttt{0} \land \texttt{W.pre.s2} = \texttt{0}$$

SSA encoding of thread T1.

$$\texttt{W.w1.m1} = \texttt{v} \land \texttt{W.w2.m2} = \texttt{v} \land \texttt{W.w3.s1} = 1 \land \texttt{W.w4.s2} = 1$$

SSA encoding of thread T2.

$$\mathtt{a1} = \mathtt{R.r1.s1} \land \mathtt{c1} = \mathtt{R.r2.m1} \land \mathtt{a2} = \mathtt{R.r3.s2} \land \mathtt{c2} = \mathtt{R.r4.m2}$$

SSA encoding of post condition.

$$ho \neg ((a1 = 1 \land a2 = 1) \Rightarrow c1 + c2 = 2v)$$

Locals are not given fresh names because they are not modified.

#### $F_{rf}$ : Well-formed rf

Every read reads from exactly one write and the write happens before the read.

We need to introduce a Boolean variable for each potential write-read pair. Boolean

$$b_{\mathtt{W.r.s1}}$$

indicates that the read at location r of variable x is reading from the write at w.

$$egin{aligned} exttt{w}:=.. \ exttt{rf} & b_{ exttt{W}. exttt{r.x}} \Rightarrow ( exttt{w}. exttt{x} = exttt{r.x} \wedge t_{ exttt{W}} < t_{ exttt{r}}) \ exttt{r} & exttt{:= x} \end{aligned}$$

#### Example: $F_{rf}$

#### Example 19.6

Let us consider our example again.

```
thread T1: thread T2:
```

pre: m1 := s1 := m2 := s2 := 0

post:(a1=1&&a2=1)
$$\Rightarrow$$
c1+c2=2\*v

Consider the read of s1 at r1. It may read from two writes, which are write at pre and w3.

This is encoded as follows.

- Read from exactly one.  $(b_{pre.r1.s1} \lor b_{w3.r1.s1})$
- ▶ If reads from  $\mathtt{pre}$   $b_{\mathtt{pre.r1.s1}} \Rightarrow (\mathtt{W.pre.s1} = \mathtt{R.r1.s1} \land t_{\mathtt{pre.s1}} < t_{\mathtt{r1}})$
- ► If reads from w3  $b_{\text{w3 r1 s1}} \Rightarrow (\text{W.w3.s1} = \text{R.r1.s1} \land t_{\text{w3}} < t_{\text{r1}})$

Similar constraints are

generated for each read.

#### Exercise 19.1

Is exactly one write encoding correct?

### $F_{\rm fr}$ : relation between ws and fr

lf

- read r is reading from write w1 and
- ▶ write w2 is serialized after w1

then w2 is after read r.



 $b_{\mathtt{W1.r.x}} \wedge t_{\mathtt{W1}} < t_{\mathtt{W2}} \Rightarrow t_{\mathtt{r}} < t_{\mathtt{W2}}$ 

#### Example:

#### Example 19.7

Let us consider our example again.

```
thread T1: thread T2: w1: m1 := v r1: a1 := s1 w2: m2 := v || r2: c1 := m1 w3: s1 := 1 r3: a2 := s2 w4: s2 := 1 r4: c2 := m2
```

post: 
$$(a1=1\&\&a2=1) \Rightarrow c1+c2=2*v$$

Here are the fr constraints.

- lackbox When r1 reads from pre  $(b_{ exttt{pre.r1.s1}} \land t_{ exttt{pre.s1}} < t_{ exttt{W3}} \Rightarrow t_{ exttt{r1}} < t_{ exttt{W3}})$
- $lackbox{When r1 reads from w3} \ (b_{ exttt{w3.r1.s1}} \land t_{ exttt{w3}} < t_{ exttt{pre.s1}} \Rightarrow t_{ exttt{r1}} < t_{ exttt{pre.s1}})$

## End of Lecture 19

