Can we efficiently verify concurrent programs under relaxed memory models in Maude?
-
Upload
alberto-lluch-lafuente -
Category
Science
-
view
298 -
download
2
description
Transcript of Can we efficiently verify concurrent programs under relaxed memory models in Maude?
![Page 1: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/1.jpg)
Can we efficiently verify concurrent programs under relaxed memory
models in Maude?
Yehia Abd Arrahman, Marina Andric,Alessandro Beggiato, and Alberto Lluch Lafuente
WRLA 2014, 5-6 April 2014, Grenoble
![Page 2: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/2.jpg)
I would say yes.
Worth investigating
Can we efficiently verify concurrent programsunder relaxed memory models in Maude?
![Page 3: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/3.jpg)
SOMEMOTIVATIONS
![Page 4: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/4.jpg)
x := 1;if y == 0 then u := 1else skip
y := 1;if x == 0 then v := 1else skip
A SIMPLE PROGRAM
u v=== 0 0 0 11 01 1
What are the possible outcomes for u and v?
![Page 5: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/5.jpg)
x := 1;if y == 0 then u := 1else skip
y := 1;if x == 0 then v := 1else skip
A SIMPLE PROGRAM
u v=== 0 0 0 11 01 1 ✓
???
✓✓
What are the possible outcomes for u and v?
✓
![Page 6: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/6.jpg)
MORE ANNOYANCES...
x := 1
Maude> search P =>* Q ....States: 10!?
x := 2P =
![Page 7: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/7.jpg)
while true do x := 0
Maude> search P =>* Q .Zzz...
P =
MORE ANNOYANCES...
![Page 8: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/8.jpg)
THE FREE LUNCH IS OVER
Herb Sutter. “The free lunch is over”, Dr. Dobb's Journal, 30(3), March 2005 and C/C++ Users Journal, 23(2), February 2005.
“Software and the concurrency revolution” ACM Queue:Tomorrow’s Computing Today, 3(7):54–62, Sept. 2005.
<
“some optimizations are actually far more than optimizations, in that they can change the meaning of programs and cause visible effects that can break reasonable programmer expectations.
CPU designers are generally sane and well-adjusted folks but they are under so much pressure that they'll risk changing the meaning of your program, and possibly break it, in order to make it run faster. “
![Page 9: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/9.jpg)
Dekker Peterson Lamport Szymanski0
100
200
300
400
500
600
700
800
900
1000Sequentially ConsistentRelaxed (incorrect)Relaxed (corrected)
STATE SPACE SIZE: SC vs RMM
![Page 10: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/10.jpg)
Dekker Peterson Lamport Szymanski
0
200
400
600
800
1000
1200
No reductionSome approximationSome other approximationPartial-Order-ReductionSome combination
REDUCTIONS (verification)
![Page 11: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/11.jpg)
Dekker Peterson Lamport Szymanski
0
50
100
150
200
250
300
350
400
450 Breadth-First SearchBest-First with some heuristicBest-First with some other heuristicBest-First with yet another heuristic
REDUCTIONS (bug-finding)
![Page 12: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/12.jpg)
RELAXEDMEMORY MODELS
![Page 13: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/13.jpg)
SEQUENTIAL CONSISTENCY“A multiprocessor system is sequentially consistent if the result of any execution is the same as if the operations of all the processors were executed in some sequential order, and the operations of each individual processor appear in this sequence in the order specified by its program.”
- Leslie Lamport, "How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs", IEEE Trans. Comput, 1979
Program order: among operations from individual processorsAtomicity: memory operations must execute atomically with respect to each other
![Page 14: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/14.jpg)
RELAXING CONSISTENCY
Relaxing program order: Write-to-Read Write-to-Write Read-to-Read Read-to-Write
Relaxing atomicity: Read own write early Read others’ write early
![Page 15: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/15.jpg)
HIERARCHY OF RELAXATIONSSC
TSO IBM-370
PC
RCscPowerPC
WO Alpha
RCPcRMO
PSO
Write-to-Read
Write-to-Write
Read-to-ReadRead-to-Write
source: http://wiki.expertiza.ncsu.edu/index.php/CSC/ECE_506_Spring_2013/10c_ks
![Page 16: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/16.jpg)
TOTAL STORE ORDERING (TSO)
Relaxations: Write-to-Read Read own write early
Why? Mitigate write latency Some programs may still be “correct”
(e.g. sequentially consistent)
![Page 17: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/17.jpg)
TSO “AXIOMATICALLY”TSO-executions are sequences of reads and writes
r(x,u) < r(y,v) < w(z,w) < ...
![Page 18: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/18.jpg)
TSO “AXIOMATICALLY”TSO-executions are sequences of reads and writes
r(x,u) < r(y,v) < w(z,w) < ...
such thatr <p r' => r < r' [r-r preserved]r <p w' => r < w' [r-w preserved]w <p w' => w < w' [w-w preserved]
w-r allowed
![Page 19: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/19.jpg)
TSO “AXIOMATICALLY”TSO-executions are sequences of reads and writes
r(x,u) < r(y,v) < w(z,w) < ...
such thatr <p r' => r < r' [r-r preserved]r <p w' => r < w' [r-w preserved]w <p w' => w < w' [w-w preserved]
and r(x,u) are such that
(1) v if s(x,v) is the max wrt. < among all s(x,v) s.t.s(x,v) < r(x,u) ors(x,v) <p r(x,u)
(2) x0 (initial value for x) if there is no s(x,v) above.
(read own's write early)
w-r allowed
![Page 20: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/20.jpg)
TSO “OPERATIONALLY”
SHARED MEMORY
THREAD THREAD
![Page 21: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/21.jpg)
TSO “OPERATIONALLY”
SHARED MEMORY
THREAD THREAD
WRITE BUFFER WRITE BUFFER
![Page 22: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/22.jpg)
Formalization of memory models Axiomatic [Adve, Alglage, Sewel, Owens, Higham,...] Operational [Boudol, Petri, Atig, Bouajjani, Burckhardt,...] Adequacy, generality, etc.
Correctness criteria Sequential consistency, linearizability, serializability,
quiescent/eventual consistency... [Herlihy, Shavit, Shapiro,...] “Fundamental property” (data-race free programs are
sequential consistent) [Saraswat et al.]
Portability of programs Check whether P/SC ≈ P/RMM Otherwise repair P e.g. inserting fences [Wolper, Bouajjani...]
SOME KEY ISSUES
![Page 23: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/23.jpg)
Verification approaches Directly use SC verification tools
e.g. for programs that are linearizable even under RMMs [Burckhardt, Cohen, Owens]
Program Transformation and then SC toolse.g. [Alglave, Bouajjani]
Ad-hoc verification under RMMs.e.g. Some... (see later)
Some tools CBMC [Alglave et al] CheckFence [Burckhardt et al] DFENCE [Lui et al]
SOME KEY ISSUES
![Page 24: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/24.jpg)
THIS TALK'sPERSPECTIVE
![Page 25: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/25.jpg)
OUR SPIRIT HERE
Language designers prototyping new RMM-aware languages with Maude (the natural framework!).
Interested in “search” for P/RMM (for checking properties, for fence insertions, etc.).
Willing to make search efficient but not willing to modify the Maude engine.
![Page 26: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/26.jpg)
A SIMPLEMULTI-THREADEDLANGUAGE
![Page 27: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/27.jpg)
A SIMPLE LANGUAGE
![Page 28: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/28.jpg)
CONFIGURATIONS
![Page 29: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/29.jpg)
MEMORIES AND VIEWSMemory updates
Local to Global
In the following abbreviates
![Page 30: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/30.jpg)
SEMANTICS: thread interleaving
sorry...
![Page 31: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/31.jpg)
SEMANTICS: skip
![Page 32: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/32.jpg)
SEMANTICS: assignments
![Page 33: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/33.jpg)
SEMANTICS: fences
![Page 34: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/34.jpg)
SEMANTICS: sequential composition
![Page 35: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/35.jpg)
SEMANTICS: branches
![Page 36: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/36.jpg)
SEMANTICS: loops
![Page 37: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/37.jpg)
SEMANTICS: wait
![Page 38: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/38.jpg)
SEMANTICS: buffer commits
![Page 39: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/39.jpg)
MORE ANNOYANCES...
x := 1
Maude> search P =>* Q ....States: 10!?
x := 2P =
![Page 40: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/40.jpg)
x|->0===============
||---------------x:=1; || x:=2;
x|->0===============x|->1 || --------------- skip || x:=2;
x|->0=============== || x|->2
--------------- x:=1 || skip
x|->0===============x|->1 || x|->2---------------skip || skip
x|->1===============
||--------------- skip || x:=2;
x|->2===============
||---------------x:=1 || skip
x|->1=============== || x|->2
---------------skip || skip
x|->1===============
||---------------skip || skip
x|->2===============x|->1 || ---------------skip || skip
x:=1;
x:=1;
x:=1;
x:=2;
x:=2;
x:=2;
commit commit
commit commit
commitcommit
x|->2===============
||---------------skip || skip
state
Shared memory
Thread buffer
Thread program
![Page 41: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/41.jpg)
x|->0===============
||---------------x:=1; || x:=2;
x|->0===============x|->1 || --------------- skip || x:=2;
x|->0=============== || x|->2
--------------- x:=1 || skip
x|->0===============x|->1 || x|->2---------------skip || skip
x|->1===============
||--------------- skip || x:=2;
x|->2===============
||---------------x:=1 || skip
x|->1=============== || x|->2
---------------skip || skip
x|->1===============
||---------------skip || skip
x|->2===============x|->1 || ---------------skip || skip
x:=1;
x:=1;
x:=1;
x:=2;
x:=2;
x:=2;
commit commit
commit commit
commitcommit
x|->2===============
||---------------skip || skip
state
Shared memory
Thread buffer
Thread program
Usual state space with SC
![Page 42: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/42.jpg)
while true do x := 0
Maude> search P =>* Q .Zzz...
P =
MORE ANNOYANCES...
![Page 43: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/43.jpg)
x|->0====================--------------------while(true) do x:=0
x|->0====================--------------------x:=0;while(true) do x:=0
while(true)
x:=0;
x|->0====================
x|->0--------------------while(true) do x:=0
x|->0====================
x|->0--------------------x:=0;while(true) do x:=0
while(true)
x|->0====================
x|->0x|->0
--------------------while(true) do x:=0
while(true)
x:=0;
commit
commit
commit
...
![Page 44: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/44.jpg)
SOME REDUCTIONTECHNIQUES
![Page 45: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/45.jpg)
Partial Order Reduction Techniques Partial Orders [Alglave et al. @ CAV 2013] Persistent Sets [Linden&Wolper @ TACAS 2013] Ample sets (via SPIN) [Jonson @ CAN2009]
Approximation/abstraction techniques Predicate abstraction [Dan et al. @ SAS 2013] Bounded context-switches [Abdulla et al. @ TACAS 2012] Single-buffer semantics [Atig et al. @ CAV 2011] Buffers-as-sets abstraction [Kuperstein et al. @ PLDI 2011] Bounded buffers [Kuperstein et al. @ FMCAD 2011]
Other SAT/BMC [Burckhardt et al @ CAV 6/7/8, Gopalakrishnan et al. @ CAV 04] Buffer automata [Linden&Wolper @ SPIN2010, TACAS 2013] Monitors [Burnim et al. @ TACAS 2011, Burckhardt&Musuvathi @ CAV 2008]
TEN+ YEARS OF RESEARCH
Equational abstractions? [Meseguer&Palomino&Martí-Oliet @ TCS 2008]
Partial-order reduction? [Farzan&Meseguer @ TERMGRAPH 2006]
Search strategies? [Martí-Oliet&Meseguer&Verdejo @ WRLA 2004]
![Page 46: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/46.jpg)
SOME SIMPLEAPPROXIMATIONS FOR TSO
Disclaimer: proof-of-concepts, for the “good” ones see the above cited papers.
![Page 47: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/47.jpg)
ONE OF OUR ANOYANCES
while true do x := 0
Maude> search P =>* Q .Zzz..
![Page 48: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/48.jpg)
BUFFERS AS SETS OF UPDATES
Abstract buffers as sets of updates: Make ACI1 (i.e. buffer becomes sets of updates); Make commit non-deterministic (usual+no effect); Make evaluation of expressions non-deterministic.
You get an over-approximation: Finite state space; Preservation of reachability properties. (Possibly) some “spurious” behaviours;
![Page 49: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/49.jpg)
Dekker Peterson Lamport Szymanski
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000No reductionBuffers-as-SetsBuffers-as-Ordered-MapsForce-Flush
MORE STATES
![Page 50: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/50.jpg)
BUFFERS AS ORDERED MAPS
Approximation that Guarantees finite state space; Introduces some executions; Preserves some reachability properties???
(under investigation)
![Page 51: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/51.jpg)
“SPURIOUS” EXECUTIONS
x:=1;y:=1;x:=2
wait x=0 & y=1
![Page 52: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/52.jpg)
x|->0 , y |->0 ===============
|| ---------------
x:=1; || wait(...)y:=1; || x:=2 ||
x|->0 , y |->0 ===============
x|->1 || ---------------
y:=1; || wait(...)x:=2; ||
x|->0 , y |->0 ===============
x|->1 || y|->1 || ---------------
x:=2; || wait(...)
x|->0 , y |->0 ===============
x|->1 || y|->1 || x|->2 || ---------------
skip || wait(...)
x|->1 , y |->0 =============== || ---------------
y:=1; || wait(...)x:=2; ||
x|->1 , y |->0 ===============
y|->1 || ---------------
x:=2; || wait(...)
x|->1 , y |->0 =============== y|->1 || x|->2 || ---------------
skip || wait(...)
x|->1 , y |->1 ===============
|| ---------------
x:=2; || wait(...)
x|->1 , y |->1 =============== x|->2 || ---------------
skip || wait(...)
x|->2 , y |->1 =============== || ---------------
skip || wait(...)
commit
commitcommit
commit
commit
commit
x|->0 , y |->0 ===============
y|->1 || x|->2 || ---------------
skip || wait(...)
wait!
ONE “SPURIOUS” EXECUTION
x|->0 , y |->1 ===============
y|->1 || ---------------
skip || wait(...)
commit
![Page 53: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/53.jpg)
Dekker Peterson Lamport Szymanski
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000No reductionBuffers-as-SetsBuffers-as-Ordered-MapsForce-Flush
REDUCTIONS
![Page 54: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/54.jpg)
FORCE-FLUSH APPROXIMATION
Under-approximation that Does not guarantee finite state space ; Some behaviours may be lost; Does not introduce spurious behaviours.
(up to some equivalence: stuttering and depending on the state observations).
![Page 55: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/55.jpg)
M===============x|->u || ... || x|->v || ---------------
S || T
M ◦ x|->u===============
... || x|->v || ---------------
S || T
NO “SPURIOUS” EXECUTION
M===============x|->u || ... || ||
--------------- x:=v; S || T
M ◦ x|->u===============
... || ||
--------------- x:=v; S || T
commit
x:=v x:=v
(up to some equivalence: stuttering and depending on the state observations).
![Page 56: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/56.jpg)
Dekker Peterson Lamport Szymanski
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000No reductionBuffers-as-SetsBuffers-as-Ordered-MapsForce-Flush
REDUCTIONS
![Page 57: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/57.jpg)
PARTIAL-ORDERREDUCTIONFOR RMMs
![Page 58: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/58.jpg)
AMPLE SETS
Main idea Explore only a subset ample(s) of the succesors of s... ...such that ample(s):
C0: ample(s) empty only if s is a deadlock;C1: ample(s) contains invisible actions;C2: no transition that is dependent on a transition in
ample(s) occurs in the original system without atransition in ample(s) occurring first;
C3: no action outside ample(s) is delayed forever. You will get a stutter equivalent transition system.
![Page 59: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/59.jpg)
SIMPLE POR FOR TSOSimple heuristic: assignments
x := u
are independent of actions of other threads since their effect is local (on the buffer).
They are also invisible unless one wants to observe buffers or programs.
![Page 60: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/60.jpg)
Dekker Peterson Lamport Szymanski
0
100
200
300
400
500
600
700
800
900
1000
No reductionPartial-Order Reduction
REDUCTIONS (verification)
![Page 61: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/61.jpg)
SEARCH STRATEGIESFOR RMMs
![Page 62: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/62.jpg)
DIRECTED MODEL CHECKINGMain idea Replace the exploration algorithm (NDFS/BFS)
by a “guided” algorithm (A*, Best-First, etc.) Domain/property-based “heuristic” functions
to rank states or executions
“Heuristics for model checking Java” [Groce&Visser] Promote interleavings (we think “sequentially”) Promote code coverageDone for JPF, SPIN, etc.
![Page 63: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/63.jpg)
x|->0 , y|->0===============
||---------------x:=1; || y:=1;y==0? || x==0?
x|->0 , y|->0===============x->1 ||
--------------- y==0? || y:=1;
|| x==0?
x|->0 , y|->0=============== || y->1
--------------- x:=1 || x==0? y==0? ||
x|->0 , y|->0===============x->1 || y->1
---------------y==0? || x==0?
x|->1 , y|->0===============
||---------------
y==0? || y:=1; || x==0?
x|->0 , y|->1===============
||--------------- X:=1 || x==0?
y==0? ||
x:=1;
x:=1;
y:=1;
y:=1;flush flush
... ...x|->0 , y|->0===============x->1 || y->1
--------------- cs || x==0?
x|->0 , y|->0===============x->1 || y->1
---------------y==0? || cs
![Page 64: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/64.jpg)
x|->0 , y|->0===============
||---------------x:=1; || y:=1;y==0? || x==0?
x|->0 , y|->0===============x->1 ||
--------------- y==0? || y:=1;
|| x==0?
x|->0 , y|->0=============== || y->1
--------------- x:=1 || x==0? y==0? ||
x|->0 , y|->0===============x->1 || y->1
---------------y==0? || x==0?
x|->1 , y|->0===============
||---------------
y==0? || y:=1; || x==0?
x|->0 , y|->1===============
||--------------- X:=1 || x==0?
y==0? ||
x:=1;
x:=1;
y:=1;
y:=1;flush flush
0
0
0
2
1
0
0
0
1
... ...x|->0 , y|->0===============x->1 || y->1
--------------- cs || x==0?
x|->0 , y|->0===============x->1 || y->1
---------------y==0? || cs
2 2
Count number ofnon-empty buffers
![Page 65: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/65.jpg)
Dekker Peterson Lamport Szymanski
0
50
100
150
200
250
300
350
400
450 Breadth-First SearchBest-First + "number of non-empty buffers" heuristicBest-First + "number of pending writes" heuristicBest-First + "number of inconsistent pending writes" heuristic
REDUCTIONS (bug-finding)
![Page 66: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/66.jpg)
CONCLUDINGREMARKS
![Page 67: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/67.jpg)
I would say yes.
Worth investigating
Can we efficiently verify concurrent programsunder relaxed memory models in Maude?
![Page 68: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/68.jpg)
Beyond TSO: PSO, RMO, etc.1
2
FUTURE WORK?
Other languages/primitives: see e.g. KernelC/x86-TSO in K [Serbanuta]
3 Proof techniques (with Maude)
![Page 69: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/69.jpg)
TAHNSK!
![Page 70: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/70.jpg)
REFERENCES
![Page 71: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/71.jpg)
[Linden&Wolper @ TACAS 2013]Alexander Linden, Pierre Wolper: A Verification-Based Approach to Memory Fence Insertion in PSO Memory Systems. TACAS 2013: 339-353
[Dan&MMeshman&Vechev&Yahav @ SAS 2013]Andrei Marian Dan, Yuri Meshman, Martin T. Vechev, Eran Yahav: Predicate Abstraction for Relaxed Memory Models. SAS 2013: 84-104
[Alglave et al. @ CAV 2013]Jade Alglave, Daniel Kroening, Michael Tautschnig: Partial Orders for Efficient Bounded Model Checking of Concurrent Software. CAV 2013: 141-157
[Abdulla&Atig&Chen&Leonardsson&Rezine @ TACAS 2012]Abdulla, P.A., Atig, M.F., Chen, Y.-F., Leonardsson, C., Rezine, A.: Counter- Example Guided Fence Insertion under TSO. In: TACAS 2012. LNCS, vol. 7214 (2012)
[Atig&Bouajjani&Parlato @ CAV 2011]Atig, M.F., Bouajjani, A., Parlato, G.: Getting Rid of Store-Buffers in TSO Analysis. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806 (2011)
[Kuperstein&Vechev&Yahav @ PLDI 2011]Kuperstein, M., Vechev, M., Yahav, E.: Partial-coherence abstractions for relaxed memory models. In: PLDI 2011 (2011)
REFERENCES (1)
![Page 72: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/72.jpg)
[Burnim&Sen&Stergiou @ TACAS 2011]Jacob Burnim, Koushik Sen, Christos Stergiou: Sound and Complete Monitoring of Sequential Consistency for Relaxed Memory Models. TACAS 2011: 11-25
[Burnim&Sen& C. Stergiou @ TACAS 2011]J. Burnim, K. Sen, and C. Stergiou. Sound and complete monitoring of sequential consistency in relaxed memory models. In TACAS, 2011.
[Kuperstein&Vechev&Yahav @ FMCAD 2011]M. Kuperstein, M. Vechev, and E. Yahav. Automatic inference of memory fences. In FMCAD, 2011.
[Linedn&Wolper @ SPIN 2010] A. Linden and P. Wolper. An automata-based symbolic approach for verifying programs on relaxed memory models. In SPIN, 2010.
[Jonson @ CAN2009]Jonsson, B.: State-space exploration for concurrent algorithms under weak memory orderings: (preliminary version). SIGARCH Comput. Archit. News 36, 65–71 (2009)
[Burckhardt&Musuvathi @ CAV 2008]Burckhardt,S.,Musuvathi,M.: Effective Program Verification for Relaxed Memory Models. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 107–120. Springer, Heidelberg (2008)
REFERENCES (2)
![Page 73: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/73.jpg)
[Burckhardt&Alur&Martin @ CAV 2007]Burckhardt, S., Alur, R., Martin, M.M.K.: Checkfence: checking consistency of concurrent data types on relaxed memory models. In: ACM SIGPLAN 2007 Conference on Programming Lan- guage Design and Implementation (2007)
[Burckhardt&Alur&Martin @ CAV 2006]Burckhardt,S.,Alur,R.,Martin,M.M.K.: Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study. In: CAV 2006. LNCS 4144. (2006)
[Gopalakrishnan&Yang&Sivaraj @ CAV 2004]Gopalakrishnan, G., Yang, Y., Sivaraj, H.: QB or not QB: An efficient execution verification tool for memory orderings. In: CAV 2004. LNCS, vol. 3114 (2004)
[Park&Dill @ PAA 1995]Park, S., Dill, D.L.: An executable specification, analyzer and verifier for rmo (relaxed memory order). In: SPAA 1995: Proceedings of the Seventh Annual ACM Symposium on Parallel Algorithms and Architectures, pp. 34–41. ACM, New York (1995)
REFERENCES (3)
![Page 74: Can we efficiently verify concurrent programs under relaxed memory models in Maude?](https://reader034.fdocuments.us/reader034/viewer/2022042715/559138111a28abfb488b468d/html5/thumbnails/74.jpg)
[Meseguer&Palomino&Martí-Oliet @ TCS 2008]José Meseguer, Miguel Palomino, Narciso Martí-Oliet: Equational abstractions. Theor. Comput. Sci. 403(2-3): 239-264 (2008)
[Farzan&Meseguer @ TERMGRAPH 2006]Azadeh Farzan, José Meseguer: Partial Order Reduction for Rewriting Semantics of Programming Languages. Electr. Notes Theor. Comput. Sci. 176(4): 61-78 (2007)
[Rodríguez 2009 @ WRLA 2009]Rodríguez, D.E.: Combining techniques to reduce state space and prove strongproperties. In: WRLA. Volume 238(3) of ENTCS. (2009) 267 – 280
[Lluch&Meseguer&Vandin @ ICFEM 2012]Alberto Lluch-Lafuente, José Meseguer, Andrea Vandin: State Space c-Reductions of Concurrent Systems in Rewriting Logic. ICFEM 2012: 430-446
[Martí-Oliet&Meseguer&Verdejo @ WRLA 2004]Narciso Martí-Oliet, José Meseguer, Alberto Verdejo: Towards a Strategy Language for Maude. Electr. Notes Theor. Comput. Sci. 117: 417-441 (2005)
[Groce&Visser @ STTT 2004]Alex Groce, Willem Visser: Heuristics for model checking Java programs. STTT 6(4): 260-276 (2004)
REFERENCES (4)