Wireless Communications and Mobile Computing

Volume 2018 (2018), Article ID 3193974, 8 pages

https://doi.org/10.1155/2018/3193974

## An SAT-Based Method to Multithreaded Program Verification for Mobile Crowdsourcing Networks

^{1}College of Computer, National University of Defense Technology, Changsha, China^{2}The University of British Columbia, Vancouver, BC, Canada V6T 1Z4

Correspondence should be addressed to Wanxia Qu; nc.ude.tdun@aixnawuq

Received 23 September 2017; Revised 24 December 2017; Accepted 1 January 2018; Published 28 January 2018

Academic Editor: Edith Ngai

Copyright © 2018 Long Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

This paper focused on the safety verification of the multithreaded programs for mobile crowdsourcing networks. A novel algorithm was proposed to find a way to apply IC3, which is typically the fastest algorithm for SAT-based finite state model checking, in a very clever manner to solve the safety problem of multithreaded programs. By computing a series of overapproximation reachability, the safety properties can be verified by the SAT-based model checking algorithms. The results show that the new algorithm outperforms all the recently published works, especially on memory consumption (an advantage that comes from IC3).

#### 1. Introduction

The mobile crowdsourcing network is a promising network architecture to perform tasks with human involvement and numerous mobile devices but suffers from security and privacy concerns [1, 2]. Pthread-style multithreaded programs play an important role in crowdsourcing computing [3, 4] and crowdsourcing sensing [5, 6] for supporting concurrent programming. Multithreaded programming used much existing system-level code such as device drivers, operating system, and distributed computing. The mobile crowdsourcing networks [7, 8] distribute tasks and collect the results and must make sure safely access for the shared data. Therefore, it is important to verify the safety properties for multithreaded programs.

In this paper, we consider the multithreaded programs with an unbounded number of threads. Each thread executes a finite, nonrecursive state machine. Mutexes, which can be expressed using Boolean variables, are used for synchronization in this kinds of multithreaded programs. The illegal access of mutexes will lead to safety problem. We assume all mutexes are shared variables. The safety problems is to verify if the illegal access of mutexes exists.

The safety property for multithreaded programs which was expressed as upward-closed sets of the target (“bad”) states can be verified by reduction to the coverability problem of* well-structured transition systems* (WSTS) [9, 10]. WSTS are a very broad class of infinite-state systems, including thread transition system (TTS) [11], Petri nets and their monotonic extensions [12–16], broadcast protocols [17, 18], lossy channel systems [19] and context-free grammars [10]. Coverability is the base verification task for WSTS: the question is whether the system can reach an unsafe or illegal configuration among some subset of its (possibly unbounded number of) components. There have been several algorithms published for WSTS coverability problem [9–11, 20–22], but none perform as efficiently as finite state model checking.

The IC3 algorithm [23] is an SAT-based model checking algorithm and introduced as an efficient technique for safety properties verification of finite state systems, especially in hardware verification. It computes an inductive invariant by maintaining a sequence of overapproximation of reachability from initial states and strengthens them incrementally. An efficient implementation of the procedure shows good performance on hardware benchmarks [24].

This paper focuses on the multithreaded programs for mobile crowdsourcing networks. All multithreaded programs are pthread-style ANSI-C source code and transformed into TTS by using predicate abstraction [25, 26]. We introduce a novel, highly efficient algorithm for the coverability problem of TTS. The new algorithm is to find a way to apply conventional, finite state IC3, which is typically the fastest algorithm for finite state model checking, in a very clever manner to solve the coverability problem. IC3 algorithm is a finite state model checking algorithm, and the original input is an FSM. We try to use the finite state model checker to solve the infinite-state systems. The bounded TTS is transformed into an FSM and described as the inputs format for IC3 engine. The significant contributions of this paper are as follows:(1)Our approach requires very novel and intricate reasoning because IC3 produces a series of overapproximation reachability results. A novel algorithm which is based on IC3 engine is proposed to solve the coverability problem of TTS.(2)We introduce new encoding techniques to make the verification of infinite-state systems possible by using finite state algorithms.(3)We implement tool’s combination, which is a good way to improve the total rate of successfully solved instances.

The experimental results show that our new algorithm outperforms all the recently published works, uses far less memory (an advantage that comes from IC3), and can solve more benchmarks successfully. The new method can solve 97.2% instances within 1 GB.

The rest of this paper is organized as follows. In Section 2, we review the related work. Section 3 presents necessary preliminaries used in this paper. In Section 4, we propose our new method based on IC3 and give more details of the implementation. Section 5 shows the experimental evaluation on multithreaded programs. Section 6 concludes this paper and discusses future works.

#### 2. Related Works

A general decidability result showed that the coverability problem is decidable for WSTS [9], which backward-explore states starting from the target states. Bingham and Hu [20] proposed a new algorithm to compute fix-points over a series of finite state systems of increasing size. A new subclass of WSTS, named Nice Sliceable WSTS, was introduced. Starting from the target states, it computed the exact backward reachability by using finite state symbolic model checking [27] based on BDDs [28] to solve the coverability problem of NSW. Kaiser et al. [11, 22] introduced a new algorithm to solve the safety properties of multithreaded programs with an unbounded number of threads executing a finite state, nonrecursive procedure. By using many inexpensive uncoverability proofs, this new approach combined forward propagation under-approximations with backward propagation of overapproximations to the coverability problem in TTS. Inspired by the success of IC3 algorithm in finite state model checking, Kloos et al. [21] proposed an incremental, inductive procedure to check coverability of downward-finite WSTS, which contains Petri nets, broadcast protocols, and lossy channel systems. All those algorithms are based on the backward reachability and suffered from complex computational consumption. Esparza et al. [29] introduced an incomplete but empirically efficient solution to the coverability problem. The new approach was based on classical Petri nets analysis techniques, the marking equation and traps [30, 31], and utilized an SMT solver to implement the constraint approach. Inspired by Esparza’s work, Athanasiou et al. [32] introduced an approximate coverability method by using thread state equations and implemented it in a tool named TSE. TSE is very capable on Boolean programs but theoretically incomplete.

#### 3. Preliminaries

##### 3.1. Nicely Sliceable WSTS

*Definition 1 (well-quasi-ordering). *A well-quasi-ordering (wqo) is a reflexive and transitive binary relation over set , and for every infinite sequence of elements from , there exists such that .

For , the upward-closure of is the set . A basis of an upward-closed set is a set such that . A set is said to be -upward-closed (or simply upward-closed if is clear from the context) if . It is known that if is a , then any -upward-closed set has a unique finite basis such that for all we have and [33]. Given upward-closed , we let denote the unique finite basis of . Moreover, it is known that any infinite increasing sequence of upward-closed sets eventually stabilizes; that is, there exists such that .

*Definition 2 (discrete wqo). *A wqo is a discrete wqo (dwqo) over if for all there exists such that for any sequence , we have . The weight function maps each to the minimum such as . For the -upward-closed set , the base weight of is .

The weight function slices the state space into a countable number of finite sets , where . This property allows for finite state model checking techniques to be used to the reachability for each weighted bounded .

*Definition 3 (nicely sliceable well-structured transition systems). *A nicely sliceable well-structured transition system (NSW) is a transition system equipped with a dwqo on its states that satisfies the following properties:(1) is the (possibly infinite) state space.(2) is transition relation.(3) is a dwqo over .(4)For all , if and , there exists such that and .(5)Weight-respecting: for all , .(6)-deflatable: for if whenever and , there exists and such that the following properties hold: , , , , and .

##### 3.2. Thread Transition Systems

Thread transition systems (TTS) are motivated by the verification task of multithread asynchronous programs, which is the subset of NSW. Let and be finite sets for* local* and* shared* states, respectively. The elements of are called* thread states*.

*Definition 4 (thread transition system). *A thread transition system (TTS) is a pair , where is a binary relation on , partitioned into .

Let . The elements of are called* states*. We write them in the form . A TTS gives rise to a transition system with if one of the following conditions holds.

*Thread Transitions*. and there exists and such that , , and, for all , .

*Spawn Transitions*. and there exists and such that , , and for all , .

Let be a set of initial local states and be a set of initial shared states. We define the set of initial states to be . An execution of the transition system is a finite or infinite sequence of states in whose adjacent states are related by , which started at initial states. A state is reachable if it appears in some execution.

In order to state the coverability problem, define the relation over as if and , where denotes a* multiset*.

Give target states , if is coverable; that is, does there exists a path in leading to a state that covers : ? The safety property is described as the upward-closed set of and converts into the coverability analysis problem.

A* cover* relation is neither symmetric nor antisymmetric, thus a quasi-order, and in fact a well-quasi-order (wqo) on : any infinite sequence of elements from contains an increasing pair with . It is easy to see that fulfills the definition of WSTS. A TTS with standard thread and spawn transition can be expressed as plain Petri nets [22] and is the subset class of NSW [20].

#### 4. Multithreaded Programs Safety Verification

In this section, we introduce a new method for the safety verification of multithread programs. The input source code is translated into TTS by using SATABS [34]. Then, we propose a novel TTS coverability analysis algorithm to verify the safety properties. Finally, the implementation details are described.

##### 4.1. The Input Languages

Most popular programming languages such as Java and C/C++ embrace concurrent programming via their* pthread* or* thread* class APIs, respectively. In this paper, we focus on the pthread-style multithreaded ANSI-C programs. ANSI-C is one of the most popular programming languages for safety critical embedded software. The mobile crowdsourcing networks contains most embedded devices which are based on multithreaded programs to support the crowdsourcing computing and communications. SATABS is an SAT-based model checker by predicate abstraction, and can be used to model the ANSI-C programs into TTS format. We follow the introduction from the SATABS website (http://www.cprover.org/satabs/) to transform the ANSI-C programs into TTS. All ANSI-C programs can be translated into Boolean programs by SATABS, completely. The safety properties can be reserved during the formalization process.

##### 4.2. IC3-Based Thread Transition System Coverability Analysis Algorithm

IC3 is SAT-based and computes inductive overapproximations of reachable sets. Let and be initial states and the property states, respectively. Also let denote the transition relation over the current and the next states. IC3 maintains a trace: []. The first element is the initial states. For , is a set of clauses that AND-ed together and represent an overapproximation of the states reachable from the initial states in steps or less. , and the clauses are a subset of , except for . The IC3 algorithm will terminate if a counterexample is found or an inductive proof is got.

This section develops our new algorithm, TTSCov, which is based on the IC3 algorithm. For a target set and , presents the set of weight limited by . From the base weight of , the algorithm computes the overapproximation for the backward reachable set . is an inductive overapproximation of the states from which is reachable along a path that never exceeds weight . We use IC3, an SAT-based finite state model checker, to compute this weight limited and inductive overapproximation of .

As shown in Algorithm 1, the input is a TTS , a set of initial states , and an -upward-closed set of target states . The variable is the current weight boundary, which is initially the base weight of and increases by 1 each loop iteration. is an overapproximation of , which initially is set as . is an overapproximation of bounded by the weight , which is computed by IC3 engine. If intersected with the initial states , the counterexample was found, and the algorithm terminated. In line , we check if and are equal, if not, the variable was assigned as the current . If the condition of line fails times consecutively, we have , and thus the verification is successful.