PosterPDF Available

Ultimate GemCutter: Commutativity in Concurrent Program Verification

Authors:

Abstract

The poster presents Ultimate GemCutter, an automated verifier for concurrent C programs based on commutativity / partial order reduction and abstraction refinement.
Ultimate GemCutter: Commutativity in Concurrent Program Verification
Dominik Klumpp, Daniel Dietsch, Matthias Heizmann, Frank Schüssele, Azadeh Farzan, Andreas Podelski
ultimate-pa.org github.com/ultimate-pa/ultimate
Commutativity Simplifies Proofs of Concurrent Programs
Concurrent Program
{x=y=i=j=0}
while (i<n) {
x+= A[i];
i++;
}
while (j<n) {
y+= A[j];
j++;
}
{x=y}
All Interleavings
i<n
x+=A[i]
i++
j<n y+=A[j]
j++
j>=n
j>=n
j>=n
i<n
x+=A[i]
i++
i>=n
i>=n
i>=n
j<n y+=A[j]
j++
j>=ni>=n
complex invariant: x=i
X
k=0
A[k]y=
j
X
k=0
A[k]injn
A Sound Reduction
i<n
i++
j++
j<n
y+=A[j]
j>=n
i<nx+=A[i]
i++
i>=n
j<n y+=A[j]
j++
j>=ni>=n
simple invariant: x=yi=j
small control flow graph
Commutativity
Many pairs of statements commute:
i.e., order of execution does not matter
Example: x+=A[i] y+=A[j] y+=A[j] x+=A[i]
Extension: proof-sensitive commutativity
Example: *x = 0 *y = 1 *y = 1 *x = 0
if we have proven that x=y
swapping adjacent commuting statements
equivalent traces
Reduction
representative subset of program traces: at least one
representative per equivalence class
Soundness:
one trace correct all equivalent traces correct
correctness of reduction correctness of program
Verification Principle
GemCutter generalizes from spurious counterexamples τ
to larger sets of correct traces:
trace abstraction
generalizes across
loop iterations to a
set of traces L
commutativity allows
for generalization
across interleavings to
the set cl(L)of all
equivalent traces interleavings
iterations
cl(L)
L=(a1a2)b
equivalence class [τ]
τ=a1a2b a1ba2ba1a2
(a1a2)2b
(a1a2)3b
If cl(L)contains all program traces, the program is correct.
Equivalently: If Lcontains all traces of a reduction, then
the program is correct.
Performance
Evaluation shows significant advantages over a
state-of-the-art verifier (Ultimate Automizer):
200 400 600 800 1,000 1,200
10
100
4
900
CPU time (s)
Automizer (all interleavings) GemCutter (commutativity-based)
200 400 600 800 1,000 1,200
200
250
500
1,000
2,000
4,000
8,000
Memory (MB)
Competitions:
SV-COMP’24: 2nd place in ConcurrencySafety
SV-COMP’23: 3rd place in ConcurrencySafety
SV-COMP’22: 3rd place in ConcurrencySafety,
1st place in NoDataRace (demo)
Commutativity & Verification
choice of representatives affects proof simplicity
challenge: select suitable representatives
choice of proof affects possible commutativity
challenge: find useful abstract commutativity
partial order reduction algorithms speed up verification
challenge: adapt classical POR algorithms
commutativity reasoning is widely applicable
challenge: extend to more programs & properties
[SV-COMP’22] Ultimate GemCutter and the Axes of Generalization,
Klumpp, Dietsch, Heizmann, Schüssele, Ebbinghaus, Farzan and Podelski, 2022
[PLDI’22] Sound Sequentialization for Concurrent Program Verification,
Farzan, Klumpp and Podelski, 2022
[POPL’23] Stratified Commutativity in Verification Algorithms for Concurrent
Programs, Farzan, Klumpp and Podelski, 2023
[POPL’24] Commutativity Simplifies Proofs of Parameterized Programs,
Farzan, Klumpp and Podelski, 2024
Can commutativity-based ver-
ification compete in practice?
Our algorithmic verification tool Ultimate
GemCutter
tightly integrates commutativity-based
reduction with trace abstraction
refinement
constructs a reduction on-demand as
needed for verification
is built on top of the Ultimate program
analysis platform
GemCutter generalizes from spurious
counterexamples τto larger sets of correct
traces:
trace abstraction
generalizes across
iterations of a loop
to a set of traces L
commutativity
allows for orthogonal
generalization across
interleavings to the
union of equivalence
classes for all traces
in L, i.e., the closure
cl(L).
If cl(L)contains all
traces of the program,
the program is correct.
interleavings
iterations
cl(L)
L=(a1a2)b
equivalence class [τ]
τ=a1a2b a1ba2ba1a2
(a1a2)2b
(a1a2)3b
Evaluation shows significant advantages
over a state-of-the-art verifier based on naïve
sequentialization (Ultimate Automizer):
200 400 600 800 1,000 1,200
10
100
4
900
CPU time (s)
Automizer (naïve sequentialization) GemCutter (commutativity-based)
200 400 600 800 1,000 1,200
316
1,000
3,160
200
8,000
Memory (MB)
11th International Competition on
Software Verification (SV-COMP’22):
3rd place in category ConcurrencySafety
1st place in category NoDataRace
[SV-COMP’22] Dominik Klumpp et al. Ultimate
GemCutter and the axes of generalization
(competition contribution).
In TACAS (2), volume 13244 of Lecture Notes in
Computer Science, pages 479–483. Springer,
2022
How does the choice of repre-
sentatives impact verification?
On the right: a different
reduction of the example
(different representatives
chosen for equivalence
classes)
even smaller control flow
graph
more efficient
proof checking
but very complicated
invariant needed
algorithmic
verification cannot find
a proof
Conclusions:
Choice of representatives
affects proof simplicity
and size of reduction
tradeoff: smallest
reduction does not
always have simplest
proof
i<n
x+=A[i]
i++
i>=n
j<n y+=A[j]
j++
j>=n
invariant: x=n
X
k=0
A[k]y=
j
X
k=0
A[k]jn
Preference orders characterize possible
choices of representatives:
(total) order over program traces
representative = most preferred (i.e.,
minimal) trace in equivalence class
allows comparing different representative
selections independent of commutativity
Positional lexicographic preference
orders:
lexicographic order, but underlying order
on statements depends on program
location
effective construction of reductions
using partial order reduction
algorithms:
sleep sets and weakly persistent
membranes
best-case linear-size representation of
reductions
Evaluation of 5 prefer-
ence orders shows:
Best preference order
depends on program
Portfolio of preference
orders successfully
analyzes more
programs than any
fixed preference order
On the right: incorrect and
correct programs with the
best preference order
seq
lockstep
rand(1)
rand(2)
rand(3)
121
76
60
66
62
277
113
153
168
137
[PLDI’22] Azadeh Farzan, Dominik Klumpp, and
Andreas Podelski. Sound sequentialization for
concurrent program verification.
In PLDI, pages 506–521. ACM, 2022
How can commutativity be de-
fined?
Intuition: statements st1and st2commute ˆ=
their execution order “does not matter”
Concrete Commutativity: st1and st2
commute if st1st2behaves exactly as st2st1:
Jst1st2K
| {z }
semantics: binary relation over program states
=Jst2st1K
order “does not matter” for any program
and wrt. any (safety) property
often unnecessarily strict: for a given
program and a given property,
more commutativity is possible
Idea: Let st1and st2commute if st1st2
behaves similarly enough to st2st1
abstract away irrelevant details, preserve
relevant details
relevance is determined by a (partial)
proof constructed by the verification
a notion of commutativity is safe wrt. a
proof Πif no trace proven by Π
is equivalent to an incorrect trace.
Abstract Commutativity: Given a
statement abstraction α:Stmt Stmt,
statements st1and st2commute under αif
α(st1)and α(st2)commute concretely.
If αpreserves a proof Π, commutativity
under αis safe wrt. Π
preservation: {φ}st {ψ}used by Π {φ}α(st){ψ}valid
Evaluation shows: even very coarse
abstraction highly beneficial for
light-weight properties (e.g. memory
safety)
Stratified Commutativity: fully benefit
from concrete and abstract commutativity
neither commutativity
subsumes the other
combination of
commutativity notions is
non-trivial
τ1ατ2τ3
(1) abstract (2) concrete
proven correct
new proof rule, generalized
to ncommutativity notions
new partial order reduction
algorithms to compute
reductions up to n
commutativity notions
Π
clα(Π)
clconcr(clα))
Stratified proof (for
concrete and
abstract
commutativity)
[POPL’23] Azadeh Farzan, Dominik Klumpp, and
Andreas Podelski. Stratified commutativity in
verification algorithms for concurrent programs.
In POPL, pages 1426–1453. ACM, 2023
ResearchGate has not been able to resolve any citations for this publication.
ResearchGate has not been able to resolve any references for this publication.