55 research outputs found
Thread-Modular Static Analysis for Relaxed Memory Models
We propose a memory-model-aware static program analysis method for accurately
analyzing the behavior of concurrent software running on processors with weak
consistency models such as x86-TSO, SPARC-PSO, and SPARC-RMO. At the center of
our method is a unified framework for deciding the feasibility of inter-thread
interferences to avoid propagating spurious data flows during static analysis
and thus boost the performance of the static analyzer. We formulate the
checking of interference feasibility as a set of Datalog rules which are both
efficiently solvable and general enough to capture a range of hardware-level
memory models. Compared to existing techniques, our method can significantly
reduce the number of bogus alarms as well as unsound proofs. We implemented the
method and evaluated it on a large set of multithreaded C programs. Our
experiments showthe method significantly outperforms state-of-the-art
techniques in terms of accuracy with only moderate run-time overhead.Comment: revised version of the ESEC/FSE 2017 pape
The Reads-From Equivalence for the TSO and PSO Memory Models
The verification of concurrent programs remains an open challenge due to the
non-determinism in inter-process communication. Instead of exploring concrete
executions, stateless model-checking (SMC) techniques partition the execution
space into equivalence classes, and explore each class as opposed to each
execution. For the relaxed memory models of TSO and PSO (total/partial store
order), the standard equivalence has been Shasha-Snir traces, seen as an
extension of the classic Mazurkiewicz equivalence from SC (sequential
consistency) to TSO and PSO. The reads-from (RF) equivalence was recently shown
to be coarser than the Mazurkiewicz equivalence, leading to impressive
scalability improvements for SMC under SC. The generalization of RF to TSO and
PSO requires to overcome two challenges, namely, verifying execution
consistency and SMC algorithm. We address these two fundamental problems in
this work.
Our first set of contributions is on the problem of verifying TSO- and
PSO-consistent executions given a reads-from map, VTSO-rf and VPSO-rf,
respectively. The problem has been heavily studied under SC due to its numerous
applications, but little is known for TSO and PSO. For an execution of
events over threads and variables, we establish novel bounds that scale
as for TSO and as for PSO.
Our second contribution is an algorithm for SMC under TSO and PSO using the RF
equivalence. Our algorithm is exploration-optimal, in the sense that it is
guaranteed to explore each class of the RF partitioning exactly once, and
spends polynomial time per class when is bounded. Our experimental
evaluation shows that the RF equivalence is often exponentially coarser than
Shasha-Snir traces, and our SMC algorithm scales much better than
state-of-the-art tools based on Shasha-Snir traces
IST Austria Thesis
The design and verification of concurrent systems remains an open challenge due to the non-determinism that arises from the inter-process communication. In particular, concurrent programs are notoriously difficult both to be written correctly and to be analyzed formally, as complex thread interaction has to be accounted for. The difficulties are further exacerbated when concurrent programs get executed on modern-day hardware, which contains various buffering and caching mechanisms for efficiency reasons. This causes further subtle non-determinism, which can often produce very unintuitive behavior of the concurrent programs. Model checking is at the forefront of tackling the verification problem, where the task is to decide, given as input a concurrent system and a desired property, whether the system satisfies the property. The inherent state-space explosion problem in model checking of concurrent systems causes naïve explicit methods not to scale, thus more inventive methods are required. One such method is stateless model checking (SMC), which explores in memory-efficient manner the program executions rather than the states of the program. State-of-the-art SMC is typically coupled with partial order reduction (POR) techniques, which argue that certain executions provably produce identical system behavior, thus limiting the amount of executions one needs to explore in order to cover all possible behaviors. Another method to tackle the state-space explosion is symbolic model checking, where the considered techniques operate on a succinct implicit representation of the input system rather than explicitly accessing the system. In this thesis we present new techniques for verification of concurrent systems. We present several novel POR methods for SMC of concurrent programs under various models of semantics, some of which account for write-buffering mechanisms. Additionally, we present novel algorithms for symbolic model checking of finite-state concurrent systems, where the desired property of the systems is to ensure a formally defined notion of fairness
Persistency semantics of the Intel-x86 architecture
Emerging non-volatile memory (NVM) technologies promise the durability of disks with the performance of RAM. To describe the persistency guarantees of NVM, several memory persistency models have been proposed in the literature. However, the persistency semantics of the ubiquitous x86 architecture remains unexplored to date. To close this gap, we develop the Px86 (‘persistent x86’) model, formalising the persistency semantics of Intel-x86 for the first time. We formulate Px86 both operationally and declaratively, and prove that the two characterisations are equivalent. To demonstrate the application of Px86, we develop two persistent libraries over Px86: a persistent transactional library, and a persistent variant of the Michael–Scott queue. Finally, we encode our declarative Px86 model in Alloy and use it to generate persistency litmus tests automatically
Proceedings of the 21st Conference on Formal Methods in Computer-Aided Design – FMCAD 2021
The Conference on Formal Methods in Computer-Aided Design (FMCAD) is an annual conference on the theory and applications of formal methods in hardware and system verification. FMCAD provides a leading forum to researchers in academia and industry for presenting and discussing groundbreaking methods, technologies, theoretical results, and tools for reasoning formally about computing systems. FMCAD covers formal aspects of computer-aided system design including verification, specification, synthesis, and testing
Coarser Equivalences for Causal Concurrency
Trace theory is a principled framework for defining equivalence relations for
concurrent program runs based on a commutativity relation over the set of
atomic steps taken by individual program threads. Its simplicity, elegance, and
algorithmic efficiency makes it useful in many different contexts including
program verification and testing. We study relaxations of trace equivalence
with the goal of maintaining its algorithmic advantages.
We first prove that the largest appropriate relaxation of trace equivalence,
an equivalence relation that preserves the order of steps taken by each thread
and what write operation each read operation observes, does not yield efficient
algorithms. We prove a linear space lower bound for the problem of checking, in
a streaming setting, if two arbitrary steps of a concurrent program run are
causally concurrent (i.e. they can be reordered in an equivalent run) or
causally ordered (i.e. they always appear in the same order in all equivalent
runs). The same problem can be decided in constant space for trace equivalence.
Next, we propose a new commutativity-based notion of equivalence called grain
equivalence that is strictly more relaxed than trace equivalence, and yet
yields a constant space algorithm for the same problem. This notion of
equivalence uses commutativity of grains, which are sequences of atomic steps,
in addition to the standard commutativity from trace theory. We study the two
distinct cases when the grains are contiguous subwords of the input program run
and when they are not, formulate the precise definition of causal concurrency
in each case, and show that they can be decided in constant space, despite
being strict relaxations of the notion of causal concurrency based on trace
equivalence
- …