9,878 research outputs found
Safety Verification of Parameterized Systems under Release-Acquire
We study the safety verification problem for parameterized systems under the
release-acquire (RA) semantics. It has been shown that the problem is
intractable for systems with unlimited access to atomic compare-and-swap (CAS)
instructions. We show that, from a verification perspective where approximate
results help, this is overly pessimistic. We study parameterized systems
consisting of an unbounded number of environment threads executing identical
but CAS-free programs and a fixed number of distinguished threads that are
unrestricted.
Our first contribution is a new semantics that considerably simplifies RA but
is still equivalent for the above systems as far as safety verification is
concerned. We apply this (general) result to two subclasses of our model. We
show that safety verification is only \pspace-complete for the bounded model
checking problem where the distinguished threads are loop-free. Interestingly,
we can still afford the unbounded environment. We show that the complexity
jumps to \nexp-complete for thread-modular verification where an unrestricted
distinguished `ego' thread interacts with an environment of CAS-free threads
plus loop-free distinguished threads (as in the earlier setting). Besides the
usefulness for verification, the results are strong in that they delineate the
tractability border for an established semantics
TriCheck: Memory Model Verification at the Trisection of Software, Hardware, and ISA
Memory consistency models (MCMs) which govern inter-module interactions in a
shared memory system, are a significant, yet often under-appreciated, aspect of
system design. MCMs are defined at the various layers of the hardware-software
stack, requiring thoroughly verified specifications, compilers, and
implementations at the interfaces between layers. Current verification
techniques evaluate segments of the system stack in isolation, such as proving
compiler mappings from a high-level language (HLL) to an ISA or proving
validity of a microarchitectural implementation of an ISA.
This paper makes a case for full-stack MCM verification and provides a
toolflow, TriCheck, capable of verifying that the HLL, compiler, ISA, and
implementation collectively uphold MCM requirements. The work showcases
TriCheck's ability to evaluate a proposed ISA MCM in order to ensure that each
layer and each mapping is correct and complete. Specifically, we apply TriCheck
to the open source RISC-V ISA, seeking to verify accurate, efficient, and legal
compilations from C11. We uncover under-specifications and potential
inefficiencies in the current RISC-V ISA documentation and identify possible
solutions for each. As an example, we find that a RISC-V-compliant
microarchitecture allows 144 outcomes forbidden by C11 to be observed out of
1,701 litmus tests examined. Overall, this paper demonstrates the necessity of
full-stack verification for detecting MCM-related bugs in the hardware-software
stack.Comment: Proceedings of the Twenty-Second International Conference on
Architectural Support for Programming Languages and Operating System
On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency
Concurrent systems are notoriously difficult to analyze, and technological
advances such as weak memory architectures greatly compound this problem. This
has renewed interest in partial order semantics as a theoretical foundation for
formal verification techniques. Among these, symbolic techniques have been
shown to be particularly effective at finding concurrency-related bugs because
they can leverage highly optimized decision procedures such as SAT/SMT solvers.
This paper gives new fundamental results on partial order semantics for
SAT/SMT-based symbolic encodings of weak memory concurrency. In particular, we
give the theoretical basis for a decision procedure that can handle a fragment
of concurrent programs endowed with least fixed point operators. In addition,
we show that a certain partial order semantics of relaxed sequential
consistency is equivalent to the conjunction of three extensively studied weak
memory axioms by Alglave et al. An important consequence of this equivalence is
an asymptotically smaller symbolic encoding for bounded model checking which
has only a quadratic number of partial order constraints compared to the
state-of-the-art cubic-size encoding.Comment: 15 pages, 3 figure
Automating Deductive Verification for Weak-Memory Programs
Writing correct programs for weak memory models such as the C11 memory model
is challenging because of the weak consistency guarantees these models provide.
The first program logics for the verification of such programs have recently
been proposed, but their usage has been limited thus far to manual proofs.
Automating proofs in these logics via first-order solvers is non-trivial, due
to reasoning features such as higher-order assertions, modalities and rich
permission resources. In this paper, we provide the first implementation of a
weak memory program logic using existing deductive verification tools. We
tackle three recent program logics: Relaxed Separation Logic and two forms of
Fenced Separation Logic, and show how these can be encoded using the Viper
verification infrastructure. In doing so, we illustrate several novel encoding
techniques which could be employed for other logics. Our work is implemented,
and has been evaluated on examples from existing papers as well as the Facebook
open-source Folly library.Comment: Extended version of TACAS 2018 publicatio
Reasoning algebraically about refinement on TSO architectures
The Total Store Order memory model is widely implemented by modern multicore architectures such as x86, where local buffers are used for optimisation, allowing limited forms of instruction reordering. The presence of buffers and hardware-controlled buffer flushes increases the level of non-determinism from the level specified by a program, complicating the already difficult task of concurrent programming. This paper presents a new notion of refinement for weak memory models, based on the observation that pending writes to a process' local variables may be treated as if the effect of the update has already occurred in shared memory. We develop an interval-based model with algebraic rules for various programming constructs. In this framework, several decomposition rules for our new notion of refinement are developed. We apply our approach to verify the spinlock algorithm from the literature
Logical Concurrency Control from Sequential Proofs
We are interested in identifying and enforcing the isolation requirements of
a concurrent program, i.e., concurrency control that ensures that the program
meets its specification. The thesis of this paper is that this can be done
systematically starting from a sequential proof, i.e., a proof of correctness
of the program in the absence of concurrent interleavings. We illustrate our
thesis by presenting a solution to the problem of making a sequential library
thread-safe for concurrent clients. We consider a sequential library annotated
with assertions along with a proof that these assertions hold in a sequential
execution. We show how we can use the proof to derive concurrency control that
ensures that any execution of the library methods, when invoked by concurrent
clients, satisfies the same assertions. We also present an extension to
guarantee that the library methods are linearizable or atomic
A Graph-Based Semantics Workbench for Concurrent Asynchronous Programs
A number of novel programming languages and libraries have been proposed that
offer simpler-to-use models of concurrency than threads. It is challenging,
however, to devise execution models that successfully realise their
abstractions without forfeiting performance or introducing unintended
behaviours. This is exemplified by SCOOP---a concurrent object-oriented
message-passing language---which has seen multiple semantics proposed and
implemented over its evolution. We propose a "semantics workbench" with fully
and semi-automatic tools for SCOOP, that can be used to analyse and compare
programs with respect to different execution models. We demonstrate its use in
checking the consistency of semantics by applying it to a set of representative
programs, and highlighting a deadlock-related discrepancy between the principal
execution models of the language. Our workbench is based on a modular and
parameterisable graph transformation semantics implemented in the GROOVE tool.
We discuss how graph transformations are leveraged to atomically model
intricate language abstractions, and how the visual yet algebraic nature of the
model can be used to ascertain soundness.Comment: Accepted for publication in the proceedings of FASE 2016 (to appear
Dynamic Race Prediction in Linear Time
Writing reliable concurrent software remains a huge challenge for today's
programmers. Programmers rarely reason about their code by explicitly
considering different possible inter-leavings of its execution. We consider the
problem of detecting data races from individual executions in a sound manner.
The classical approach to solving this problem has been to use Lamport's
happens-before (HB) relation. Until now HB remains the only approach that runs
in linear time. Previous efforts in improving over HB such as causally-precedes
(CP) and maximal causal models fall short due to the fact that they are not
implementable efficiently and hence have to compromise on their race detecting
ability by limiting their techniques to bounded sized fragments of the
execution. We present a new relation weak-causally-precedes (WCP) that is
provably better than CP in terms of being able to detect more races, while
still remaining sound. Moreover it admits a linear time algorithm which works
on the entire execution without having to fragment it.Comment: 22 pages, 8 figures, 1 algorithm, 1 tabl
- …