Robustness against Power is PSPACE-complete

Power is a RISC architecture developed by IBM, Freescale, and several other companies and implemented in a series of POWER processors. The architecture features a relaxed memory model providing very weak guarantees with respect to the ordering and atomicity of memory accesses. Due to these weaknesses, some programs that are correct under sequential consistency (SC) show undesirable effects when run under Power. We call these programs not robust against the Power memory model. Formally, a program is robust if every computation under Power has the same data and control dependencies as some SC computation. Our contribution is a decision procedure for robustness of concurrent programs against the Power memory model. It is based on three ideas. First, we reformulate robustness in terms of the acyclicity of a happens-before relation. Second, we prove that among the computations with cyclic happens-before relation there is one in a certain normal form. Finally, we reduce the existence of such a normal-form computation to a language emptiness problem. Altogether, this yields a PSPACE algorithm for checking robustness against Power. We complement it by a matching lower bound to show PSPACE-completeness

Locality and Singularity for Store-Atomic Memory Models

Robustness is a correctness notion for concurrent programs running under relaxed consistency models. The task is to check that the relaxed behavior coincides (up to traces) with sequential consistency (SC). Although computationally simple on paper (robustness has been shown to be PSPACE-complete for TSO, PGAS, and Power), building a practical robustness checker remains a challenge. The problem is that the various relaxations lead to a dramatic number of computations, only few of which violate robustness. In the present paper, we set out to reduce the search space for robustness checkers. We focus on store-atomic consistency models and establish two completeness results. The first result, called locality, states that a non-robust program always contains a violating computation where only one thread delays commands. The second result, called singularity, is even stronger but restricted to programs without lightweight fences. It states that there is a violating computation where a single store is delayed. As an application of the results, we derive a linear-size source-to-source translation of robustness to SC-reachability. It applies to general programs, regardless of the data domain and potentially with an unbounded number of threads and with unbounded buffers. We have implemented the translation and verified, for the first time, PGAS algorithms in a fully automated fashion. For TSO, our analysis outperforms existing tools

AUTSEG: Automatic Test Set Generator for Embedded Reactive Systems

Part 2: Tools and FrameworksInternational audienceOne of the biggest challenges in hardware and software design is to ensure that a system is error-free. Small errors in reactive embedded systems can have disastrous and costly consequences for a project. Preventing such errors by identifying the most probable cases of erratic system behavior is quite challenging. In this paper, we introduce an automatic test set generator called AUTSEG. Its input is a generic model of the target system, generated using the synchronous approach. Our tool finds the optimal preconditions for restricting the state space of the model. It only works locally on significant subspaces. Our approach exhibits a simpler and efficient quasi-flattening algorithm than existing techniques and a useful compiled form to check security properties and reduce the combinatorial explosion problem of state space. To illustrate our approach, AUTSEG was applied to the case of a transportation contactless card

Retinal lipid and glucose metabolism dictates angiogenesis through the lipid sensor Ffar1

Tissues with high metabolic rates often use lipids, as well as glucose, for energy, conferring a survival advantage during feast and famine1. Current dogma suggests that high-energy–consuming photoreceptors depend on glucose2, 3. Here we show that the retina also uses fatty acid β-oxidation for energy. Moreover, we identify a lipid sensor, free fatty acid receptor 1 (Ffar1), that curbs glucose uptake when fatty acids are available. Very-low-density lipoprotein receptor (Vldlr), which is present in photoreceptors4 and is expressed in other tissues with a high metabolic rate, facilitates the uptake of triglyceride-derived fatty acid5, 6. In the retinas of Vldlr−/− mice with low fatty acid uptake6 but high circulating lipid levels, we found that Ffar1 suppresses expression of the glucose transporter Glut1. Impaired glucose entry into photoreceptors results in a dual (lipid and glucose) fuel shortage and a reduction in the levels of the Krebs cycle intermediate α-ketoglutarate (α-KG). Low α-KG levels promotes stabilization of hypoxia-induced factor 1a (Hif1a) and secretion of vascular endothelial growth factor A (Vegfa) by starved Vldlr−/− photoreceptors, leading to neovascularization. The aberrant vessels in the Vldlr−/− retinas, which invade normally avascular photoreceptors, are reminiscent of the vascular defects in retinal angiomatous proliferation, a subset of neovascular age-related macular degeneration (AMD)7, which is associated with high vitreous VEGFA levels in humans. Dysregulated lipid and glucose photoreceptor energy metabolism may therefore be a driving force in macular telangiectasia, neovascular AMD and other retinal diseases

Counter-Example Guided Fence Insertion under TSO

UPMARCWeak Memory Model

A Verification-Based Approach to Memory Fence Insertion in PSO Memory Systems

peer reviewedThis paper addresses the problem of verifying and correcting programs when they are moved from a sequential consistency execution environment to a relaxed memory context. Specifically, it considers the PSO (Partial Store Order) memory model, which corresponds to the use of a store buffer for each shared variable and each process. We also will consider, as an intermediate step, the TSO (Total Store Order) memory model, which corresponds to the use of one store buffer per process. The proposed approach extends a previously developed verification tool that uses finite automata to symbolically represent the possible contents of the store buffers. Its starting point is a program that is correct for the usual Sequential Consistency (SC) memory model, but that might be incorrect under PSO with respect to safety properties. This program is then first analyzed and corrected for the TSO memory model, and then this TSO-safe program is analyzed and corrected under PSO, producing a PSO-safe program. To obtain a TSO-safe program, only store-load fences (TSO only allows store-load relaxations) are introduced into the program. Finaly, to produce a PSO-safe program, only store-store fences (PSO additionally allows store-store relaxations) are introduced. An advantage of our technique is that the underlying symbolic verification tool makes a full exploration of program behaviors possible even for cyclic programs, which makes our approach broadly applicable. The method has been tested with an experimental implementation and can effectively handle a series of classical examples