6 research outputs found
Optimal Stateless Model Checking under the Release-Acquire Semantics
We present a framework for the efficient application of stateless model
checking (SMC) to concurrent programs running under the Release-Acquire (RA)
fragment of the C/C++11 memory model. Our approach is based on exploring the
possible program orders, which define the order in which instructions of a
thread are executed, and read-from relations, which specify how reads obtain
their values from writes. This is in contrast to previous approaches, which
also explore the possible coherence orders, i.e., orderings between conflicting
writes. Since unexpected test results such as program crashes or assertion
violations depend only on the read-from relation, we avoid a potentially
significant source of redundancy. Our framework is based on a novel technique
for determining whether a particular read-from relation is feasible under the
RA semantics. We define an SMC algorithm which is provably optimal in the sense
that it explores each program order and read-from relation exactly once. This
optimality result is strictly stronger than previous analogous optimality
results, which also take coherence order into account. We have implemented our
framework in the tool Tracer. Experiments show that Tracer can be significantly
faster than state-of-the-art tools that can handle the RA semantics.Comment: Accepted paper in OOPSLA'1
The Reads-From Equivalence for the TSO and PSO Memory Models
The verification of concurrent programs remains an open challenge due to the
non-determinism in inter-process communication. Instead of exploring concrete
executions, stateless model-checking (SMC) techniques partition the execution
space into equivalence classes, and explore each class as opposed to each
execution. For the relaxed memory models of TSO and PSO (total/partial store
order), the standard equivalence has been Shasha-Snir traces, seen as an
extension of the classic Mazurkiewicz equivalence from SC (sequential
consistency) to TSO and PSO. The reads-from (RF) equivalence was recently shown
to be coarser than the Mazurkiewicz equivalence, leading to impressive
scalability improvements for SMC under SC. The generalization of RF to TSO and
PSO requires to overcome two challenges, namely, verifying execution
consistency and SMC algorithm. We address these two fundamental problems in
this work.
Our first set of contributions is on the problem of verifying TSO- and
PSO-consistent executions given a reads-from map, VTSO-rf and VPSO-rf,
respectively. The problem has been heavily studied under SC due to its numerous
applications, but little is known for TSO and PSO. For an execution of
events over threads and variables, we establish novel bounds that scale
as for TSO and as for PSO.
Our second contribution is an algorithm for SMC under TSO and PSO using the RF
equivalence. Our algorithm is exploration-optimal, in the sense that it is
guaranteed to explore each class of the RF partitioning exactly once, and
spends polynomial time per class when is bounded. Our experimental
evaluation shows that the RF equivalence is often exponentially coarser than
Shasha-Snir traces, and our SMC algorithm scales much better than
state-of-the-art tools based on Shasha-Snir traces
The Decidability of Verification under Promising 2.0
In PLDI'20, Lee et al. introduced the \emph{promising } semantics PS 2.0 of
the C++ concurrency that captures most of the common program transformations
while satisfying the DRF guarantee. The reachability problem for finite-state
programs under PS 2.0 with only release-acquire accesses is already known to be
undecidable. Therefore, we address, in this paper, the reachability problem for
programs running under PS 2.0 with relaxed accesses together with promises. We
show that this problem is undecidable even in the case where the input program
has finite state. Given this undecidability result, we consider the fragment of
PS 2.0 with only relaxed accesses allowing bounded number of promises. We show
that under this restriction, the reachability is decidable, albeit very
expensive: it is non-primitive recursive. Given this high complexity with
bounded number of promises and the undecidability result for the RA fragment of
PS 2.0, we consider a bounded version of the reachability problem. To this end,
we bound both the number of promises and the "view-switches", i.e, the number
of times the processes may switch their local views of the global memory. We
provide a code-to-code translation from an input program under PS 2.0, with
relaxed and release-acquire memory accesses along with promises, to a program
under SC. This leads to a reduction of the bounded reachability problem under
PS 2.0 to the bounded context-switching problem under SC. We have implemented a
prototype tool and tested it on a set of benchmarks, demonstrating that many
bugs in programs can be found using a small bound
IST Austria Thesis
The design and verification of concurrent systems remains an open challenge due to the non-determinism that arises from the inter-process communication. In particular, concurrent programs are notoriously difficult both to be written correctly and to be analyzed formally, as complex thread interaction has to be accounted for. The difficulties are further exacerbated when concurrent programs get executed on modern-day hardware, which contains various buffering and caching mechanisms for efficiency reasons. This causes further subtle non-determinism, which can often produce very unintuitive behavior of the concurrent programs. Model checking is at the forefront of tackling the verification problem, where the task is to decide, given as input a concurrent system and a desired property, whether the system satisfies the property. The inherent state-space explosion problem in model checking of concurrent systems causes naïve explicit methods not to scale, thus more inventive methods are required. One such method is stateless model checking (SMC), which explores in memory-efficient manner the program executions rather than the states of the program. State-of-the-art SMC is typically coupled with partial order reduction (POR) techniques, which argue that certain executions provably produce identical system behavior, thus limiting the amount of executions one needs to explore in order to cover all possible behaviors. Another method to tackle the state-space explosion is symbolic model checking, where the considered techniques operate on a succinct implicit representation of the input system rather than explicitly accessing the system. In this thesis we present new techniques for verification of concurrent systems. We present several novel POR methods for SMC of concurrent programs under various models of semantics, some of which account for write-buffering mechanisms. Additionally, we present novel algorithms for symbolic model checking of finite-state concurrent systems, where the desired property of the systems is to ensure a formally defined notion of fairness
Proceedings of the 21st Conference on Formal Methods in Computer-Aided Design – FMCAD 2021
The Conference on Formal Methods in Computer-Aided Design (FMCAD) is an annual conference on the theory and applications of formal methods in hardware and system verification. FMCAD provides a leading forum to researchers in academia and industry for presenting and discussing groundbreaking methods, technologies, theoretical results, and tools for reasoning formally about computing systems. FMCAD covers formal aspects of computer-aided system design including verification, specification, synthesis, and testing