INTERPROCEDURAL ANALYSIS AND THE VERIFICATION OF CONCURRENT PROGRAMS

by Akash Lal

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Sciences Department) at the UNIVERSITY OF WISCONSIN–MADISON, 2009

© Copyright by Akash Lal 2009. All Rights Reserved.

To mom and dad ...

ACKNOWLEDGMENTS

First of all, I would like to thank my family for their love and constant support. They gave me the strength to complete my graduate studies. I am, as ever, indebted to my parents, Dr. Ashok Kumar and Dr. Vinod Lal. They encouraged me to pursue a doctorate degree. I would like to thank my brother Vikrant for teaching me the basics of computer science in the sixth grade and instilling a curiosity in me for the subject. These have brought me this far in the area. I would like to thank my wife Ira for making even the difficult times seem easy.

I am especially grateful to my advisor, Prof. Thomas Reps, for his guidance and support, without which this dissertation would not have been possible. He has always encouraged me to think creatively, aim higher and to believe in myself. He shared my disappointment when a paper was not accepted; he shared my excitement at a new research idea; and also my stress while facing a tough job market. His commitment and enthusiasm have constantly motivated me. He has patiently helped me develop my writing and speaking skills. I would also like to thank him for taking me along during his sabbatical in Paris. That was an amazing experience.

I would like to thank Prof. Susan Horwitz, Prof. Somesh Jha, Prof. Ben Liblit, and Prof. Parmesh Ramanathan for being on my final defense committee. I would specially like to thank Prof. Susan Horwitz and Prof. Tom Reps for their insightful comments on my dissertation, which have helped greatly to improve the quality of this dissertation.

I would also like to thank Dr. David Melski, my mentor during my internship at GrammaTech. He introduced me to Weighted Pushdown Systems, which I continued to use for most of my dissertation research. The experience I gained during that internship was invaluable for my research. I would also like to thank my mentors at Microsoft Research, Dr. Sumit Gulwani and Dr. Ganesan Ramalingam, for teaching me about working in research labs.

I would especially like to thank Nick Kidd for sharing an office with me. Our numerous discussions and his constant feedback were instrumental in developing my research work. His friendship helped ease the stress of graduate school, not to mention the countless games of chess that we played in our office. I would also like to thank the PL group: Piramanayagam Arumuga, Gogul Balakrishnan, Evan Driscoll, Matt Elder, Denis Gopan, Junghee Lim, Alexey Loginov, Marina Polishchuk, Cindy Rubio González, and Aditya Thakur for always finding the time to attend my practice talks and give feedback. In addition, I would like to thank Dr. Tayssir Touili for collaborating with me on a number of projects, and also for helping me obtain a French student visa for my stay in Paris. I would also like to thank Prof. Ben Liblit for never being short on words of encouragement. Moreover, it was always a pleasure sitting in his class.

My dissertation research was supported by a UW CS Departmental Research Assistantship award, ONR grant N00014-01-1-0796, NSF grant CCF-0524051, NSF grant CCF-0540955, IBM Scholarship, and a Microsoft Graduate Fellowship.

TABLE OF CONTENTS

LIST OF TABLES ... viii
LIST OF FIGURES ... ix
ABSTRACT ... xv

1 Introduction ... 1
  1.1 The Need for Abstraction ... 2
    1.1.1 Abstraction Refinement ... 3
    1.1.2 Example: Predicate Abstraction and Boolean Programs ... 4
  1.2 Challenges in Verification of Programs ... 6
    1.2.1 Interprocedural Analysis ... 6
    1.2.2 Analysis of Concurrent Programs ... 9
  1.3 Contributions and Organization of the Dissertation ... 11
    1.3.1 New Technology for Sequential Programs ... 11
    1.3.2 New Technology for Concurrent Programs ... 15

2 Background: Abstract Models and Their Analysis ... 20
  2.1 The Dataflow Model ... 21
    2.1.1 Join Over All Paths ... 22
    2.1.2 Example: Copy-Constant Propagation ... 23
    2.1.3 Interprocedural Join Over All Paths ... 25
    2.1.4 Solving for JOP ... 26
  2.2 Boolean Programs ... 27
  2.3 Pushdown Systems ... 30
    2.3.1 Encoding Boolean programs using PDSs ... 32
    2.3.2 Solving Reachability on PDSs using Saturation-Based Algorithms ... 33
    2.3.3 Solving Pre-Reachability on PDSs using Context-Free Grammars ... 34
    2.3.4 Solving Post-Reachability on PDSs using Context-Free Grammars ... 38
  2.4 Weighted Pushdown Systems ... 40
    2.4.1 Solving for the IJOP Value ... 44
    2.4.2 Weight Domains ... 50
    2.4.3 Verifying Finite-State Properties ... 52

3 Extended Weighted Pushdown Systems ... 54
  3.1 Defining the EWPDS Model ... 56
  3.2 Solving Reachability Problems in EWPDSs ... 61
    3.2.1 Solving GPP ... 61
    3.2.2 Solving GPS ... 62
    3.2.3 Relaxing Merge Function Requirements ... 65
  3.3 Knoop and Steffen's Coincidence Theorem ... 67
  3.4 EWPDS Experiments ... 70
  3.5 Applications of EWPDSs ... 71
    3.5.1 Boolean Programs ... 71
    3.5.2 Affine Relation Analysis ... 74
    3.5.3 Single-Level Pointer Analysis ... 79
  3.6 Related Work ... 84
  3.7 Proofs ... 86

4 Faster Interprocedural Analysis Using WPDSs ... 93
  4.1 Solving WPDS Reachability Problems ... 96
    4.1.1 Intraprocedural Iteration ... 98
    4.1.2 Interprocedural Iteration ... 100
    4.1.3 Solving EWPDS Reachability Problems ... 105
  4.2 Solving other WPDS Problems ... 106
    4.2.1 Witness Tracing ... 106
    4.2.2 Differential Propagation ... 107
    4.2.3 Incremental Analysis ... 110
  4.3 Experiments ... 111
  4.4 Related Work ... 116

5 Error Projection ... 118
  5.1 Examples ... 120
  5.2 Computing an Error Projection ... 124
    5.2.1 Computing Error Projections for EWPDSs ... 130
  5.3 Computing an Annotated Error Projection ... 135
    5.3.1 Computing Witnesses ... 135
    5.3.2 Computing Data Values ... 137
  5.4 Experiments ... 139
  5.5 Additional Applications ... 141
  5.6 Related Work ... 143

6 Interprocedural Analysis of Concurrent Programs Under a Context Bound ... 145
  6.1 Problem Definition ... 151
  6.2 Context Bounded Model Checking ... 154
  6.3 A New Algorithm for CBMC Using Transducers ... 156
  6.4 Weighted Transducers ... 158
  6.5 Composing Weighted Transducers ... 166
    6.5.1 The Sequential Product of Two Weighted Automata ... 166
    6.5.2 Sequentializable Tensor Product ... 170
    6.5.3 Composing Transducers ... 173
  6.6 Implementing CBA ... 175
  6.7 Related Work ... 177

7 Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis ... 179
  7.1 A General Reduction ... 182
    7.1.1 The reduction ... 184
    7.1.2 Multiple threads ... 186
    7.1.3 Ability of the reduction to harness different analyses for CBA ... 188
  7.2 The Reduction for Boolean Programs ... 189
    7.2.1 Analysis of sequential Boolean programs ... 189
    7.2.2 Context-bounded analysis of concurrent Boolean programs ... 190
  7.3 The Reduction for PDSs ... 191
  7.4 The Reduction for Symbolic PDSs ... 194
  7.5 The Reduction for WPDSs ... 195
  7.6 Lazy CBA of Concurrent Boolean Programs ... 197
  7.7 Experiments ... 199
  7.8 Related Work ... 205
  7.9 Proofs ... 207
    7.9.1 Proof of Thm. 7.3.1 ... 207
    7.9.2 Complexity argument for Thm. 7.3.1 ... 209
    7.9.3 Proof of Thm. 7.6.1 ... 212

8 Conclusions ... 217

LIST OF REFERENCES ... 222