BOOM: Taking Boolean Program Model Checking One Step Further*

BOOM: Taking Boolean Program Model Checking One Step Further? Gerard Basler, Matthew Hague, Daniel Kroening, C.-H. Luke Ong, Thomas Wahl, and Haoxian Zhao Oxford University Computing Laboratory, Oxford, United Kingdom

Abstract. We present Boom, an analysis tool for Boolean programs. We focus in this paper on model-checking non-recursive replicated programs. Boom implements a recent variant of counter abstraction; efficiency is achieved using thread counters in a program context-aware way. While designed for bounded counters, this method also integrates well with the Karp-Miller tree construction for vector addition systems, resulting in a reachability engine for Boolean programs with unbounded thread creation. The concurrent version of Boom is implemented using BDDs and includes partial order reduction methods. Boom is intended for model checking system-level code via predicate abstraction. We present experimental results for the verification of Boolean device driver models.

1

Introduction

Over the past decade, predicate abstraction has established itself as a viable strategy for model checking software, as witnessed by the success of device driver verification in Microsoft’s Slam project. The input program is converted into a finite-state Boolean program, whose paths overapproximate the original behavior. Recently, concurrent software has gained tremendous stimulus due to the advent of multi-core computing architectures. The software is executed by asynchronous parallel threads, communicating, in the most general case, through fully shared variables. Bugs in such programming environments are known to be subtle and hard to detect by means of testing, strongly motivating formal analysis techniques for concurrent programs. In this paper, we present Boom, a model checker for Boolean programs. While Boom has many features that make it useful for sequential programs [4], we focus here on analyzing the set of reachable states of a replicated non-recursive Boolean program. Replication often induces symmetry, which can and must be exploited for the analysis to scale. We present our implementation of a contextaware form of counter-abstraction [3], and compare its performance to alternative reduction techniques also implemented in Boom, and to other tools. ?

Work supported by the Swiss National Science Foundation (SNF) under grant 200021-109594 and by the Engineering and Physical Sciences Research Council (EPSRC) under grant no. EP/G026254/1 and EP/D037085/1.

Replication materializes in practice as dynamic thread creation. Even without a bound on the number of running threads, the reachability problem for nonrecursive concurrent Boolean programs is decidable. We have extended Boom by a variant of the Karp-Miller tree, which operates directly on Boolean programs. We demonstrate that our implementation performs much better in practice than the worst-case complexity of the construction seems to suggest. The result is a practically useful and exact reachability analysis for realistic concurrent Boolean programs with arbitrarily many threads.

2

Concurrent Boolean Program Analysis with BOOM

Boom is capable of analyzing the reachable state space of replicated programs, where threads may dynamically create other threads during the execution. The Boolean variables are declared either local or shared. Each thread has its own private copy of the local variables. The shared variables, in contrast, are fully accessible to every thread. Shared-variable concurrency is very powerful and able to simulate many other communication primitives, such as locks. Concurrent Boolean programs with replicated threads are naturally symmetric: the set of transitions of a derived Kripke model is invariant under permutations of the threads. Symmetry is the concurrency-related cause for state explosion in replicated Boolean programs. Boom tackles this problem using a form of counter abstraction: global states are represented as vectors of counters, one per local state. Each counter tracks the number of threads in the corresponding local state. A transition by a thread translates into an update of the counters for the source (−1) and target (+1) local state. The idea of using process counters has long proved useful for verifying replicated local-state transition diagrams. Unfortunately, statically converting a concurrent Boolean program into such a diagram suffers from the local state explosion problem: the number of local states is exponential in the program text size. We recently proposed context-awareness as a solution [3]: at exploration time, the context in which a statement is executed is known and exposes the localstate counters that need to be updated. As a natural optimization, a global state in Boom only keeps counters for local states that at least one thread resides in. The number of occupied local states is obviously bounded by the number of running threads, which tends to be a tiny fraction of all local states. Extending BOOM to Unbounded Thread Creation If there is no limit to how many threads may be running, the thread counters become unbounded non-negative integers. The induced transition system is an instance of a vector addition system with control states (VASS); the control state represents the values of the shared program variables. The reachability of a thread state (s, l) (combination of shared and local state) in a concurrent Boolean program is easily reducible to a VASS coverability problem. The latter problem is decidable, using a tree construction proposed by Karp and Miller [8]. 2

Boom uses the Karp-Miller construction as the starting point for an algorithm to decide thread-state reachability. The local state explosion problem materializes here as the dimensionality problem for VASS and Petri nets. Fortunately, our earlier solution of a context-aware, on-the-fly translation carries over quite seamlessly to the unbounded case. Our implementation can be seen as a version of the Karp-Miller procedure that operates directly on a Boolean program. Bypassing the VASS gives us the opportunity to avoid the blowup that a static translation into any type of addition system invariably entails. Furthermore, to ameliorate the exponential-space complexity of the Karp-Miller construction, we exploit the special form of vector-addition systems derived from Boolean programs. For example, our implementation keeps a copy of those tree nodes that are maximal with respect to the covering relation as partial order. Newly discovered nodes are compared against these maximal nodes only.

3

Results

Boom and our benchmarks are available at http://www.cprover.org/boom; we refer the reader to this website for more details on the tool and the benchmarks. The left chart below compares a plain symbolic exploration of the concurrent Boolean program against Boom’s implementation of (bounded) counter abstraction. Each data point specifies the numbers of threads running. The message of this chart is obvious. The right chart compares plain exploration against Boom’s implementations of partial-order reduction. Comparing left and right, we see that counter abstraction performs somewhat better. In other experiments (not shown), we observed that combining the two gives yet better performance.

Symbolic Boom

100

10

1

14 16 30 14 9 11 11 311 16 9 117 16 12 17 15 3 917 15 9 17 17 34 12 16 12 3 5 18 10 13 3 13 6 18 819 8 16 18 8710 19 17 10 10 38913 19 410 13 1718 9 19 13 10 20 4 10 0 20 18 14 42 14 1 14 4 20 21 11 21 44 2122 319 4 14 1920 414 2122 5 7 11 11 9 22 9 47 6 915 20 48 2223 11 7 8 49 11 23 23 232425 8 2324252627282930313233 15 2122 15 21222324252627282930 12 23 24 16 12 242526272829303132 12 252627282930313233 25 16 10 2324252627282930 12 10 10 16 7 17 717 2627282930313233 26272829303132 13 17 8 17 27282930313233 17 13 13 5 18 68 9 813 13 618 11 18 6 11 14 19 76513 19 619 10 7 19 6 14 14 20 20 15 6 20 810 6 33 15 12 15 21 12 7 3132 3334 34 15 921 34 15 22 21 35 6 16 22 36 11 33 3334 35 6 4 16 22 6 36 34 37 36 13 23 16 13 37 7 16 38 6 8 38 35 17 37 23 5 38 23 39 36 24 838 7 17 17 39 6 9 40 39 24 37 40 17 10 12 41 5 5 17 24 41 25 6 938 40 18 38 14 41 714 6 7 41 25 6 39 3 42 18 39 743 4 43 26 6 2627 12 42 40 6 43 40 44 18 712 444 18 26 627 43 41 7 5 19 45 4 5 41 26 27 45 4545 42 4 13 442 46 15 11 27 4 15 19 45 6 4 47 46 6 4 5 28 47 43 19 28293031323334353637 4 9 3 19 411 7 44 6 5 20 10 48 9 10 7 9 44 28 6 2930313233343536373839 4 7 4 2829303132333435363738 4 293031323334353637 28 5 2930313233343536373839 20 29303132333435363738 282930313233343536373839 2829303132333435363738 8 13 45 7 4 8 9 6 8 46 29303132333435363738 4 20 8 9 16 7 20 4 16 21 5 293031323334353637 14 8 7 64 957 7 4621 7 44 8 4 821 12 49 921 22 12 14 17 8 22 7 87 49 522 15 11 722 8 10 22 23 4 10 611 11 6 23 4 8 715 7 18 7 5 18 75 24 23 15 616 5 9 5 8 79 13 824 4 924 7 19 419 25 12 46 3839 8 25 26 711 12 17 25 16 12 11 6 839 7 16 26 5 11 38 6 20 6 4041 20 6 39 40 8 27 9 3940 9 14 26 3940 4 9 40 41 9 740 18 8 5 626 27 28 8 46 41 42 4 27 41 21 8 6 21 2 17 28 10 9 43 13 42 528 42 10 42 28 29 4 13 28 44 10 12 43 43 29 8 6 19 29 8 22 15 422 9 44 22 911 12 5 8 8 29 718 67 55762 20 419 687 6 20 2 3 16 25 16 23 11 12 6 8 2 99 732 28 12 9 18 8 2 18 29 18 9 8 30 3 12 3 0 19 3 1920 3 11 10 3 2 20 2 3 13 3 34 3 13 32021 3 421 2122 5 7 35 36 314 22 14 7 22 3 10 14 38 9 15 11 8 3 11 8 3 7 11 11 4 9 23 2324252627282930313233 9 2324 88 4 0 4 8 15 41 42 115 24 43 16 2 424 242526272829303132 24252627282930313233 44 43242526 11 45 252627282930313233 4 2526272829303132 4 12 46 547 12 16 47 6 16 8 17 48 48 4 49 9 7 997 17 12 9 18 9 8 13 9 13 13 718 11 19 714 9 14 14 19 20 14 10 10 10 33 20 21 20 12 3334 912 14 8 15 34 9 34 815 7 9 15 8 7 35 6 35 6 21 735 10 36 36 15 9 37 16 11 8 23 37 22 22 16 16 13 11 38 11 11 67 39 8 24 39 23 10 10 40 16 17 40 10 79 17 10 17 25 41 24 11 5 4 42 14 42 42 92 12 26 43 5 18 17 25 11 18 25 12 18 44 18 8 8 8 4 45 2728 4 26 8 45 46 519 5 9 19 18 6 28 19 7 27 19 27 12 11 7 4 611 7 4 13 8 4 293031323334353637383940 5 8 2930313233343536373839 8 28 13 49 28293031323334353637 9 10 20 95 19 13 20 5 20 10 29 2930313233343536 13 8 21 7 3031323334353637 20 21 13 14 12 12 9 5 14 9 10 14 17 917 22 14 21 14 22 5 7 5 6 23 11 14 23 23 22 8 23 18 13 15 15 15 24 13 24 6 13 8 24 5 23 625 25 9 25 11 15 16 25 7 10 25 24 5 10 3738 10 16 6 10 16 3839 26 3839 14 12 26 40 5 26 14 25 14 39 52 541 27 27 16 17 27 17 27 42 17 41 17 5 96 28 43 8 28 27 15 12 6 44 6 15 43 15 18 13 17 10 29 11 28 44 18 11 18 59 21 322 4 2 4 4 4 3 5 4 5 5 3 3 4 5 4 3 4 6 4 5 77777 6 3 2 6 6 55 4 77 6 5 2 5 5 5 4 5 6 74 6 5 4 3 46 4 5 65 6 6 5 55 2 6 5 4 5 4 4 4 4 5 4 4 66 2 3 4 44 6 44 4 5 55 55 6 4 4 66 5 4 4 4 3 3 5 2 4 4 5 4 6 5 5 4 4 24 3 5 5 5 4 4 4 3 5 3 4 4 4 44 6 5 3 3 4 4 53 5 45 4 4 3 5 3 5 4 33 3 4 3 5 3 33 4 44 4 43 4 43 3 4 43 3 3 33 2 4 444 4 4 3 3 3 3 3 3 3 34 4 5 33 4 4 44 4 3 3 3 4 3 3 3 3 2 2 2 3 4 3 3 33 3 3 33 3 4 32 3 3 32 2 3 23 2 2 2 3 22 2 3 2 23 2 2 2 2

0.1 0.1

1

10

100

[sec] 1000

3 4

100 Symbolic Boom

[sec] 1000

10

1

12 8887 8657 17 13 10 16 7 776 17 513 12 12 18 4 7 7 11 15 8165711 85 912 14 9 614 799 59 689 8 698914 18 65 913 565 156 10 9 86 10 8 510 686 715 7 856810 10 16 10 410 5 10 8 464510 912 10 9 11 6497520 10 5 617 7 11 5611 611 11 4 17 5 9411 4 11 11 6 8997876 811 7 921 4 11 9611 65818 86 5 7 10 11 18 12 911 7 46 5 78 7 12 7 54 12 722 47614 58 510 64 10 612 10 46 7 547710 495 10 65 714 6 876 87 13 46652 6 4 652 7 15 6 108 788 816 956585 10 917 10 56 68 11 9 615 8 7 810 11 10 19 10 7616 7 14 10 9 64 12 54 9 11 95 7569 15 811 98911 13 5 74811 77 810 5 10 16 12 5 1210 10 12 76 9417 5 88467453756 4 2 4 4 4 3 5 3 45 5 3 3 4 5 4 4 8 3 4 6 4 7 57 7 7 6 7 3 9 5 62 7 4 76 6 55 2 5 5 4 6 4 7 6 5 4 3 9 6 5 5 13 4 4 5 5 9 65 7 6 99 7 7 7 13 20 52 8 7 4 58 4 4 888 84 4 8 4 4 5 6 8 2 3 8 4 4 10 475 4 5 5 4 5 6 5 5 19 4 7 5 4 63 7 7 77 6 3 4 7 4 7 7 7 7 5 12 7 87 4 2 7 7 6 5 12 4 4 2 5 4 46 6 5 55 3 64 4 8 18 66 6 8 4 5 4 6 3 4 4 3 88 4 4 6 4 4 3354 7 5 3 5 7 4 4 777 9 5 7 44 77 11 6 3 5 17 33 4 3367 11 3 53 3 3 5 44 4 6 5 4 33 3 4 4 43 6 55 3 16 64 6 33 4 6 3 63 6 6 4 2 5 7 66 4 3 35 4 10 3 3 3 53 7 77 4 4 5 38 5 34 15 4 4 55 5 33 55 6 5 66 36 4 3 33 3 6 6 22 3 2 44 4 14 34 333 433 5 3 4 3 5 24 2 2 6 3 44 4 72 6 13 45 2 25 3 3 2 3 32 3 3 2 3 4 3 32 32 12 22 2 5

0.1 0.1

1000 [sec]

Symbolic Boom with Counter Abstraction

10 14 14 9776

1

10

100

1000 [sec]

Symbolic Boom with POR

The chart on page 4 (left) compares the bounded version of Boom with counter abstraction against the lazy version of GetaFix [9] (which performs better than eager). GetaFix targets recursive Boolean programs with a bounded number of context-switches. To compare with Boom, we chose a non-recursive example provided on the GetaFix website. The time for GetaFix to convert the example into a sequential program is tiny and omitted. The table illustrates the time to explore the sequentialized program using Moped-1, for different context-switch bounds. Note that Boom, in contrast, explores any interleaving. 3

The graph on page 4 (right) shows our preliminary thread-state analysis of Boolean programs with unbounded thread creation. We see that for many examples, the running times are very small. On the other hand, 301 of 570 cases did not terminate within 60 min. We observed no more than 43 non-zero counters in any global state, despite millions of conceivable local states.

2 3 4 5 6

[sec] 1000

GetaFix/cont. bd. [sec] 1 2 3 4 5 6 0.1 0.4 2.0 8.7 41 139 0.1 1.0 0.6 4.8 30 187 0.1 1.9 1.2 12.2 146 1318 0.14 2.8 2.3 30.6 426 — 0.2 3.9 3.1 51.7 901 —

100 Symbolic Karp-Miller

n

Boom [sec] < 0.1 0.1 1.2 12.1 88.8

10

1

0.1

Benchmarks on Intel 3GHz, with timeout 60 mins, memory-out 4 GB.

0.01 Boolean program

4

Related Work and Conclusion

There are a few tools for the analysis of sequential Boolean programs [2, 6]. When extended to multiple threads, the problem becomes undecidable. To allow an algorithmic solution, Boom disallows recursion. There are many tools available for the analysis of VASS. Closest to our work are the applications of these tools to Java [5, 7] and to Boolean programs [1]. These tools compile their input into an explicit-state transition system, which may result in a high-dimensional VASS. Our experiments with explicit-state encodings (not shown) indicate that encoding Boolean programs symbolically is mandatory. We believe Boom to be the first exact tool able to analyze non-recursive concurrent Boolean programs with bounded replication efficiently, and to extend the underlying technique to the unbounded case with reasonable performance.

References 1. T. Ball, S. Chaki, and S. Rajamani. Parameterized verification of multithreaded software libraries. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2001. 2. T. Ball and S. Rajamani. Bebop: A symbolic model checker for Boolean programs. In Model Checking of Software (SPIN), 2000. 3. G. Basler, D. Kroening, M. Mazzucchi, and T. Wahl. Symbolic counter abstraction for concurrent software. In Computer-Aided Verification (CAV), 2009. 4. G. Basler, D. Kroening, and G. Weissenbacher. SAT-based summarization for boolean programs. In SPIN, 2007. 5. G. Delzanno, J.-F. Raskin, and L. V. Begin. Towards the automated verification of multithreaded Java programs. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2002.

4

6. J. Esparza and S. Schwoon. A BDD-based model checker for recursive programs. In Computer-Aided Verification (CAV), 2001. 7. G. Geeraerts, J.-F. Raskin, and L. V. Begin. Expand, enlarge and check... made efficient. In Computer Aided Verification (CAV), 2005. 8. R. Karp and R. Miller. Parallel program schemata. Computer and System Sciences, 1969. 9. S. L. Torre, P. Madhusudan, and G. Parlato. Reducing context-bounded concurrent reachability to sequential reachability. In CAV, 2009.

5

Appendix A

Presentation

The presentation will be split roughly half-and-half into background information (Boolean programs, counter abstraction and the extension to the Karp-Miller construction) and tool demonstration. The presentation will feature the different algorithms and options offered by Boom in increasing difficulty and power, applied to a single, more or less easily readable Boolean program. At each stage, we will demonstrate Boom’s performance, by comparing it to alternative implementations and tools, as we have in part already done in this submission. The demonstration will at least cover the following capabilities: – how SatAbs generates a Boolean program from a C program: http://www.cprover.org/boolean-programs/example1

While this is not done using Boom, it clearly is part of predicate abstraction and required for understanding the whole story. – a comparison of how the performance of the different algorithms (sequential exploration, symbolic concurrent exploration, counter abstraction, karpmiller) with and without partial-order reduction. This emphasizes the capabilities of Boom. – for longer computations, how statistical information is printed along the way: http://www.cprover.org/boom/screenshots.shtml#run

This emphasizes the user-friendliness of Boom. – explanations of the statistics indicated after the analysis: http://www.cprover.org/boom/screenshots.shtml#statistics

B

Development and Applications of Boom

Boom has been developed in the context of the PhD thesis of one of the authors of this paper. The goal was a competitive reachability checker for the SatAbsframework. It started as the first tool that implemented the summarization algorithm for Boolean programs using solvers for SAT and QBF formulas. Currently, MiniSat, Quantor and sKizzo are supported. In the course of about the past two years, support for concurrent Boolean programs has been added; we focused here on BDD-based data structures. Beginning with a simple symbolic exploration engine, we added various forms of partial-order reduction to optimize the performance. This was followed by our implementation of counter abstraction, which is conceptually easy, but technically non-trivial in a symbolic setting, especially when tackling the local-state explosion problem mentioned in this paper. From there, it was a relatively small step to extend the method to unbounded threads, realizing that converting a Boolean program to a vector-addition system is tantamount to applying unbounded counter abstraction to it. The challenge is rather to make the exploration of the resulting counter machine efficient. 6

Currently, researchers from ETH Zurich and Oxford University are building tools that use Boom as the underlying reachability engine for Boolean programs. Among these are the SystemC simulator Scoot (http://www.cprover. org/scoot) and SatAbs (http://www.cprover.org/satabs). Embedded in the DDverify driver harness (http://www.cprover.org/ddverify), the combination of SatAbs and Boom is able to verify properties on a large set of concurrent Linux drivers.

C

Availability of Boom

Boom is available at http://www.cprover.org/boom. This website contains – detailed instructions on how to download and install Boom, – screen-shots of using the tool, as mentioned in Section A. A detailed explanation of the syntax and semantics of Boolean programs including a parser skeleton and a benchmark set is available at: http://www.cprover.org/boolean-programs.

7