
    A Generic Formalised Framework for Reasoning About Weak Memory Models

    This paper describes Coq libraries devoted to the semantics of relaxed memory models. These libraries formalise a framework which covers a large class of industrial models. Implementing this framework inside a proof assistant has significantly helped improve its design and craft the most concise and relevant specifications. Similarly, the use of a proof assistant has been instrumental in the study of the semantics of synchronisation primitives, which we illustrate by the formal proof of a barrier placement theorem. We explain the choices we made to re-design our Coq libraries, and in particular what we gained from adopting a small-scale reflection methodology.

    Fences and Synchronisation Idioms in Weak Memory Models

    We present an axiomatic framework, implemented in the Coq proof assistant, to define weak memory models in terms of several parameters: local reorderings of reads and writes, and visibility of inter- and intra-processor communications through memory, including full store atomicity relaxation. Thereby, we give a formal hierarchy of weak memory models, in which we provide a formal study of what should be the action and placement of fences to restore a given model such as SC from a weaker one. Finally, we provide formal requirements for abstract locks that guarantee SC semantics to data-race-free programs, and show that a particular implementation of locks matches these requirements.

    Fences in Weak Memory Models

    We present here an axiomatic framework, implemented in the Coq proof assistant, for defining weak memory models in terms of several parameters: local reorderings of reads and writes, and visibility of inter- and intra-processor communications through memory. In this context, we provide a formal definition of weak memory models induced by architectures, illustrated by definitions of SC and Sparc TSO. Moreover, we define a comparison over architectures, an architecture A1 being weaker than another one A2 when A1 allows more behaviours than A2. In addition, we provide a characterisation of behaviours allowed by A1 which are also valid on A2. By that means, we provide a simple characterisation of SC and TSO behaviours on any weaker architecture. We also provide an abstract notion of what should be the action and placement of fences to restore a given model from a weaker one. Our framework led us to a model of a significant fragment of PowerPC with fences. In the absence of any public formal model of PowerPC, we base our study on intensive testing. We illustrate our approach by providing several tests that highlight the parameters of our model.

    Synchronising C/C++ and POWER

    Shared memory concurrency relies on synchronisation primitives: compare-and-swap, load-reserve/store-conditional (aka LL/SC), language-level mutexes, and so on. In a sequentially consistent setting, or even in the TSO setting of x86 and Sparc, these have well-understood semantics. But in the very relaxed settings of IBM® POWER®, ARM, or C/C++, it remains surprisingly unclear exactly what the programmer can depend on. This paper studies relaxed-memory synchronisation. On the hardware side, we give a clear semantic characterisation of the load-reserve/store-conditional primitives as provided by POWER multiprocessors, for the first time since they were introduced 20 years ago; we cover their interaction with relaxed loads, stores, barriers, and dependencies. Our model, while not officially sanctioned by the vendor, is validated by extensive testing, comparing actual implementation behaviour against an oracle generated from the model, and by detailed discussion with IBM staff. We believe the ARM semantics to be similar. On the software side, we prove sound a proposed compilation scheme of the C/C++ synchronisation constructs to POWER, including C/C++ spinlock mutexes, fences, and read-modify-write operations, together with the simpler atomic operations for which soundness is already known from our previous work; this is a first step in verifying concurrent algorithms that use load-reserve/store-conditional with respect to a realistic semantics. We also build confidence in the C/C++ model in its own terms, fixing some omissions and contributing to the C standards committee's adoption of the C++11 concurrency model.

    THE DIFFERENCE BETWEEN USING THE TWO STAY TWO STRAY (TSTS) LEARNING MODEL ASSISTED BY AUDIO-VISUAL MEDIA AND THE CONVENTIONAL MODEL ON MASTERY OF MATERIAL IN THE BASIC COMPETENCY OF DESCRIBING THE IMPORTANCE OF THE FREEDOM TO EXPRESS OPINIONS FREELY AND RESPONSIBLY (A Study of Grade VII Students at SMP Negeri 14 Surakarta, Academic Year 2015/2016)

    ABSTRACT Sartika Lusiana Dewi. K6412064. THE DIFFERENCE BETWEEN USING THE TWO STAY TWO STRAY (TSTS) LEARNING MODEL ASSISTED BY AUDIO-VISUAL MEDIA AND THE CONVENTIONAL MODEL ON MASTERY OF MATERIAL IN THE BASIC COMPETENCY OF DESCRIBING THE IMPORTANCE OF THE FREEDOM TO EXPRESS OPINIONS FREELY AND RESPONSIBLY (A Study of Grade VII Students at SMP Negeri 14 Surakarta, Academic Year 2015/2016). Undergraduate thesis, Surakarta: Faculty of Teacher Training and Education, Universitas Sebelas Maret Surakarta, July 2016. The aim of the study was to determine the difference between using the two stay two stray learning model assisted by audio-visual media and the conventional model on mastery of material in the basic competency of describing the importance of the freedom to express opinions freely and responsibly among grade VII students of SMP Negeri 14 Surakarta in the 2015/2016 academic year. The method used in this study was the experimental research method, with a true experimental design. The study population was the grade VII students of SMP Negeri 14 Surakarta. The sample was drawn using simple random sampling. The sample in this study consisted of 80 students: 40 students as the experimental group and 40 students as the control group. The instruments used in this study were documentation, observation, an objective test, and a questionnaire. The validity used was content validity. Test validity was assessed using Pearson's product-moment formula at a 5% significance level (α=0.05), while the reliability test in this study used the Spearman-Brown formula.
    The results show that there is a significant difference between the material mastery of students taught with the two stay two stray learning model assisted by audio-visual media and that of students taught with the conventional method. This is based on the mean learning outcome of the experimental class being higher than that of the control class, namely experimental class (86.75) > control class (79.15). The difference is also supported by the results of the data analysis with the t-test, which gives t calculated ≥ t table, namely 4.2991 ≥ 1.99085. Based on these results it can be concluded that in this study there is a significant difference between the use of the two stay two stray learning model assisted by audio-visual media and the conventional method on mastery of material in the basic competency of describing the importance of the freedom to express opinions freely and responsibly among grade VII students at SMP Negeri 14 Surakarta in the 2015/2016 academic year. Keywords: Two Stay Two Stray, Audio Visual, Conventional Model

    Promising-ARM/RISC-V: A Simpler and Faster Operational Concurrency Model

    For ARMv8 and RISC-V, there are concurrency models in two styles, extensionally equivalent: axiomatic models, expressing the concurrency semantics in terms of global properties of complete executions; and operational models, that compute incrementally. The latter are in an abstract microarchitectural style: they execute each instruction in multiple steps, out-of-order and with explicit branch speculation. This similarity to hardware implementations has been important in developing the models and in establishing confidence, but involves complexity that, for programming and model-checking, one would prefer to avoid. We present new, more abstract operational models for ARMv8 and RISC-V, and an exploration tool based on them. The models compute the allowed concurrency behaviours incrementally based on thread-local conditions and are significantly simpler than the existing operational models: executing instructions in a single step and (with the exception of early writes) in program order, and without branch speculation. We prove the models equivalent to the existing ARMv8 and RISC-V axiomatic models in Coq. The exploration tool is the first such tool for ARMv8 and RISC-V fast enough for exhaustively checking the concurrency behaviour of a number of interesting examples. We demonstrate using the tool for checking several standard concurrent data structure and lock implementations, and for interactively stepping through model-allowed executions for debugging.

    Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

    C remains central to our infrastructure, making verification of C code an essential and much-researched topic, but the semantics of C is remarkably complex, and important aspects of it are still unsettled, leaving programmers and verification tool builders on shaky ground. This paper describes a tool, Cerberus-BMC, that for the first time provides a principled reference semantics that simultaneously supports (1) a choice of concurrency memory model (including substantial fragments of the C11, RC11, and Linux kernel memory models), (2) a modern memory object model, and (3) a well-validated thread-local semantics for a large fragment of the language. The tool should be useful for C programmers, compiler writers, verification tool builders, and members of the C/C++ standards committees.

    Armed Cats: formal concurrency modelling at Arm

    We report on the process for formal concurrency modelling at Arm. An initial formal consistency model of the Arm architecture, written in the cat language, was published and upstreamed to the herd+diy tool suite in 2017. Since then, we have extended the original model with extra features, for example mixed-size accesses, and produced two provably equivalent alternative formulations. In this paper, we present a comprehensive review of work done at Arm on the consistency model. Along the way, we also show that our principle for handling mixed-size accesses applies to x86: we confirm this via vast experimental campaigns. We also show that our alternative formulations are applicable to any model phrased in a style similar to the one chosen by Arm.

    On the Semantics of Snapshot Isolation

    Snapshot isolation (SI) is a standard transactional consistency model used in databases, distributed systems and software transactional memory (STM). Its semantics is formally defined both declaratively as an acyclicity axiom, and operationally as a concurrent algorithm with memory bearing timestamps. We develop two simpler equivalent operational definitions of SI as lock-based reference implementations that do not use timestamps. Our first locking implementation is prescient in that it requires a priori knowledge of the data accessed by a transaction and carries out transactional writes eagerly (in-place). Our second implementation is non-prescient and performs transactional writes lazily by recording them in a local log and propagating them to memory at commit time. Whilst our first implementation is simpler and may be better suited for developing a program logic for SI transactions, our second implementation is more practical due to its non-prescience. We show that both implementations are sound and complete against the declarative SI specification and thus yield equivalent operational definitions for SI. We further consider, for the first time formally, the use of SI in a context with racy non-transactional accesses, as can arise in STM implementations of SI. We introduce robust snapshot isolation (RSI), an adaptation of SI with similar semantics and guarantees in this mixed setting. We present a declarative specification of RSI as an acyclicity axiom and analogously develop two operational models as lock-based reference implementations (one eager, one lazy). We show that these operational models are both sound and complete against the declarative RSI model.

    Frightening Small Children and Disconcerting Grown-ups: Concurrency in the Linux Kernel

    Concurrency in the Linux kernel can be a contentious topic. The Linux kernel mailing list features numerous discussions related to consistency models, including those of the more than 30 CPU architectures supported by the kernel and that of the kernel itself. How are Linux programs supposed to behave? Do they behave correctly on exotic hardware? A formal model can help address such questions. Better yet, an executable model allows programmers to experiment with the model to develop their intuition. Thus we offer a model written in the cat language, making it not only formal, but also executable by the herd simulator. We tested our model against hardware and refined it in consultation with maintainers. Finally, we formalised the fundamental law of the Read-Copy-Update synchronisation mechanism, and proved that one of its implementations satisfies this law.