0 Correct Programming Compiler Compiler Hardware Language P - - PowerPoint PPT Presentation

Bridging the Gap between Programming Languages and Hardware Weak Memory Models

Anton Podkopaev Ori Lahav Viktor Vafeiadis

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler P Syntax PL P PL compile P

HW PL HW is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler P Syntax PL P PL compile P

HW PL HW is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler P Syntax PL P PL compile P

HW PL HW is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler P Syntax PL P PL compile P

HW PL HW is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler ∀P ∈ Syntax(PL). PPL compile(P)HW

PL HW is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler ∀P ∈ Syntax(PL). PPL compile(P)HW −{PL,HW} is Memory Model

1

Bridging the Gap between PL and Hardware Weak MMs Programming Language Hardware Compiler Correct Compiler ∀P ∈ Syntax(PL). PPL compile(P)HW −{PL,HW} is Memory Model

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 0 [y] ← 0 Values ; a = ⊥ b = ⊥ a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 0 [y] ← 0 Values ; a = ⊥ b = ⊥ a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 0 [y] ← 0 Values ; a = 0 b = ⊥ a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 0 [y] ← 1 Values ; a = 0 b = ⊥ a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 0 [y] ← 1 Values ; a = 0 b = 1 a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 1 [y] ← 1 Values ; a = 0 b = 1 a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a b 1

Memory ; [x] ← 1 [y] ← 1 Values ; a = 0 b = 1 a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a = b = 1

Memory ; [x] ← 1 [y] ← 1 Values ; a = 0 b = 1 a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a b 1!

2 Strong (SC) MM disallows a = b = 1

Memory ; [x] ← 1 [y] ← 1 Values ; a = 0 b = 1 a := [x]; [y] := 1; b := [y]; [x] := b; ARM and POWER weak MMs allow a = b = 1!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

3

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

4 (Declarative) Executions in IMM

a := [x]; [y] := 1; b := [y]; [x] := b;

Rx0 Wy1 Ry0 Wx0

fr

,

Rx0 Wy1 Ry1 Wx1

data fr rf

,

Rx1 Wy1 Ry1 Wx1

data rf

Rx1 Wy1 Ry1 Wx1

po data rf

Axioms:

• 1. data

rf is acyclic …

4 (Declarative) Executions in IMM

a := [x]; [y] := 1; b := [y]; [x] := b;

Rx0 Wy1 Ry0 Wx0

fr

,

Rx0 Wy1 Ry1 Wx1

data fr rf

,

Rx1 Wy1 Ry1 Wx1

data rf

Rx1 Wy1 Ry1 Wx1

po data rf

Axioms:

• 1. data

rf is acyclic …

4 (Declarative) Executions in IMM

a := [x]; [y] := 1; b := [y]; [x] := b;

Rx0 Wy1 Ry0 Wx0

fr

,

Rx0 Wy1 Ry1 Wx1

data fr rf

,

Rx1 Wy1 Ry1 Wx1

data rf

Rx1 Wy1 Ry1 Wx1

po data rf

Axioms:

• 1. data

rf is acyclic …

4 (Declarative) Executions in IMM

a := [x]; [y] := 1; b := [y]; [x] := b;

Rx0 Wy1 Ry0 Wx0

fr

,

Rx0 Wy1 Ry1 Wx1

data fr rf

,

Rx1 Wy1 Ry1 Wx1

data rf

Rx1 Wy1 Ry1 Wx1

po data rf

Axioms:

• 1. data ∪ rf is acyclic

…

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

(deps ∪ rf is acyclic)

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

(deps ∪ rf is acyclic)

• 3. Uses C11-style coherence

(hb; eco? is irreflexive)

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

(deps ∪ rf is acyclic)

• 3. Uses C11-style coherence

(hb; eco? is irreflexive)

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

5

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = ⊥

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = ⊥

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = ⊥

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = ⊥

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = 1

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = ⊥ b = 1

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = 1 b = 1

6 (Operational) Execution in Promise

Promised a := [x]; [y] := 1; b := [y]; [x] := b; Requires certification Values ; a = 1 b = 1

7

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

8

How to prove correctness of compilation? Simulation How to simulate graphs? Traverse in proper order!

8

How to prove correctness of compilation? Simulation How to simulate graphs? Traverse in proper order!

8

How to prove correctness of compilation? Simulation How to simulate graphs? Traverse in proper order!

8

How to prove correctness of compilation? Simulation How to simulate graphs? Traverse in proper order!

9 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

G P IMM G initTraverse G Events G Writes

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse promise promise

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

∀G ∈ PIMM. G ⊢ initTraverse →∗ ⟨G.Events, G.Writes⟩

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse promise promise

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

∀G ∈ PIMM. G ⊢ initTraverse →∗ ⟨G.Events, G.Writes⟩

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse′ promise ∃ promise′

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

∀G ∈ PIMM. G ⊢ initTraverse →∗ ⟨G.Events, G.Writes⟩

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse′ promise ∃ promise′

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

∀G ∈ PIMM. G ⊢ initTraverse →∗ ⟨G.Events, G.Writes⟩

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse′ promise ∃ promise′

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

10

Promise → IMM compilation correctness proof

• 1. Operational semantics of IMM’s traversal:

G ⊢ ⟨C, I⟩ → ⟨C ′, I ′⟩

• 2. Completeness of traversal:

∀G ∈ PIMM. G ⊢ initTraverse →∗ ⟨G.Events, G.Writes⟩

• 3. Simulation theorems:

initTraverse initPromise

simulated by

traverse traverse′ promise ∃ promise′

simulated by simulated by

Promise’s certification Promise’s certification via traversal of certification graph

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

11 Traversal of IMM execution

a := [x]; [y] := 1; b := [y]; [x] := b; Promised Promised

Rx1 Wy1 Ry1 Wx1

Covered Issued

12

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

12

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

12

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

12

Bridging the Gap between PL and Hardware Weak MMs Promise (R)C11 WeakestMO

[Chakraborty and Vafeiadis, 2019]

IMM x86-TSO ARMv7 ARMv8.3 RISC-V POWER

CompCert Weak MMs

• 1. Declarative
• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 1. Declarative
• 2. Preserves syntactic dependencies

deps rf is acyclic

• 3. Uses C11-style coherence

hb eco is irreflexive

• 4. Non-multicopy-atomic

w/o mutually recursive relations

plv.mpi-sws.org/imm/ Thank you!

13

Links I

Chakraborty, S. and Vafeiadis, V. (2019). Grounding thin-air reads with event structures. In POPL 2019. ACM. Kang, J., Hur, C.-K., Lahav, O., Vafeiadis, V., and Dreyer, D. (2017). A promising semantics for relaxed-memory concurrency. In POPL 2017. ACM.

14

Backup slides

15

IMM definition

• Def. G is called IMM-consistent if the following hold:
• codom(G.rf) = G.R.
• For every location ℓ ∈ Loc, G.co totally orders G.Wℓ.
• G.rmw ∩ (G.fre ; G.coe) = ∅.
• G.hb ; G.eco? is irreflexive.
• G.ar is acyclic.

ar ≜ rfe ∪ bob ∪ ppo ∪ detour ∪ psc ∪ [Wstrong] ; po ; [W] bob ≜ po ; [Wrel] ∪ [Racq] ; po ∪ po ; [F] ∪ [F] ; po ∪ [Wrel] ; po|loc ; [W] ppo ≜ [R] ; (deps ∪ rfi)+ ; [W] deps ≜ data ∪ ctrl ∪ addr ; po? ∪ casdep ∪ [Rex] ; po

16

Traversal definition

a ∈ Next(G, C) ∩ Coverable(G, C, I) G ⊢ ⟨C, I⟩ → ⟨C ∪ {a}, I⟩ w ∈ Issuable(G, C, I) \ I G ⊢ ⟨C, I⟩ → ⟨C, I ∪ {w}⟩

• Def. w ∈ Issuable(G, C, I) iff w ∈ G.W and the following hold:
• dom(([G.Wrel] ; G.po|G.loc ∪ [G.F] ; G.po) ; [w]) ⊆ C
• dom((G.detour ∪ G.rfe) ; G.ppo ; [w]) ⊆ I
• dom((G.detour ∪ G.rfe) ; [G.Racq] ; G.po ; [w]) ⊆ I
• dom([G.Wstrong] ; G.po ; [w]) ⊆ I
• Def. e ∈ Coverable(G, C, I) iff e ∈ G.E, dom(G.po ; [e]) ⊆ C and either

(i) e ∈ G.W ∩ I; (ii) e ∈ G.R and dom(G.rf ; [e]) ⊆ I; (iii) e ∈ G.Fsc;

• r (iv) e ∈ G.Fsc and dom(G.sc ; [e]) ⊆ C.

17

Mistake in Kang et al.17’s compilation to POWER correctness proof

Rrlxz1 Fsc Wrlxx1 Wrlxx2 Fsc Wrlxy1 Rrlxy1 Wrlxz1

rf co rf Consistent in Strong-POWER. Not consistent in the promise-free declarative model of [Kang et al., 2017].

18

Promise → IMM compilation of RMWs

a := [y]rlx / / 1 [z]rlx := a b := [z]rlx / / 1 c := FADDrlx,rel

strong (x, 1) /

/ 0 [y]rlx := c + 1

Rrlxy1 Wrlxz1 Rrlxz1 Rrlxx0 Wrel

strongx1

Wrlxy1

data rmw data bob rfe