SLIDE 1
Compositional reasoning about concurrent libraries
- n the axiomatic
TSO memory model
Artem Khyzha IMDEA Software Institute, Madrid, Spain
Joint work with Alexey Gotsman (IMDEA Software)
Compositional reasoning about concurrent libraries on the axiomatic - - PowerPoint PPT Presentation
Compositional reasoning about concurrent libraries on the axiomatic - - PowerPoint PPT Presentation
Compositional reasoning about concurrent libraries on the axiomatic TSO memory model Artem Khyzha IMDEA Software Institute, Madrid, Spain Joint work with Alexey Gotsman (IMDEA Software) Weak memory x = y = 0; x = 1; y = 1; a = y; b = x;
SLIDE 2
SLIDE 3
Weak memory
x = 1; a = y; y = 1; b = x;
{ a = b = 0 } x = y = 0;
SLIDE 4
Weak memory
x = 1; a = y; y = 1; b = x;
{ a = b = 0 } x = y = 0;
SLIDE 5
Weak memory
x = 1; a = y; y = 1; b = x;
{ a = b = 0 } x = y = 0;
SLIDE 6
Weak memory
x = 1; a = y; y = 1; b = x;
{ a = b = 0 } x = y = 0;
Possible on a weak memory model
SLIDE 7
The TSO memory model (x86)
...
RAM
SLIDE 8
The TSO memory model (x86)
*x = a; *y = b;
Writes stored into the write buffer in the order of issue
RAM
SLIDE 9
The TSO memory model (x86)
*x = a; *y = b;
x:a
Writes stored into the write buffer in the order of issue
RAM
SLIDE 10
The TSO memory model (x86)
*x = a; *y = b;
x:a y:b
Writes stored into the write buffer in the order of issue
RAM
SLIDE 11
The TSO memory model (x86)
x:a y:b Writes flushed in FIFO order
*x = a; *y = b;
SLIDE 12
The TSO memory model (x86)
y:b Writes flushed in FIFO order
*x = a; *y = b;
x:a RAM
SLIDE 13
The TSO memory model (x86)
Writes flushed in FIFO order
*x = a; *y = b;
x:a y:b RAM
SLIDE 14
C
- Is compositional reasoning on weak memory
possible?
C
Our goal
abstracted by
struct Node { Node *next; int val; } *T
- p;
void push(int v) { Node *t, *x; x = new Node; x->val = v; do { t = T
- p; x->next = t;
} while(!CAS(&T
- p,t,x));
} Sequence S; void push(int v) { atomic { S = v⋅S; } }
L (Implementation) L' (Specification)
SLIDE 15
C
- Is compositional reasoning on weak memory
possible?
C
Our goal
linearized by
struct Node { Node *next; int val; } *T
- p;
void push(int v) { Node *t, *x; x = new Node; x->val = v; do { t = T
- p; x->next = t;
} while(!CAS(&T
- p,t,x));
} Sequence S; void push(int v) { atomic { S = v⋅S; } }
L (Implementation) L' (Specification) Linearizability [Herlihy, Wing]
SLIDE 16
f() { *x = a; *y = b; }
Challenge
Store buffer
- Writes can be flushed after f returns
- Just parameters and return values not enough
x:a y:b
SLIDE 17
x = 1; a = y; y = 1; b = x; x = y = a = b = 0
po po
Axiomatic model
An execution of C(L) is (A, po, rf, mo, ..., hb)
- Actions A: reads, writes, calls, returns
read y = 0 read x = 1 write x = 1 write y = 1
SLIDE 18
x = 1; a = y; y = 1; b = x; x = y = a = b = 0
po po
Axiomatic model
An execution of C(L) is (A, po, rf, mo, ..., hb)
- po – program order
relates actions by the same thread
SLIDE 19
x = 1; a = y; y = 1; b = x; x = y = a = b = 0
po po mo rf rf
Axiomatic model
An execution of C(L) is (A, po, rf, mo, ..., hb)
- mo – modification order
- rder in which writes hit the memory
- rf – “reads from” relation
relates reads to correspondent writes
read y = 0 read x = 1
(x = 1) is flushed before (y = 1)
SLIDE 20
x = 1; a = y; y = 1; b = x; x = y = a = b = 0
po po rf
Axiomatic model
An execution of C(L) is (A, po, rf, mo, ..., hb)
- hb – “happens before” relation
indicates precedence in the whole execution
rf mo
SLIDE 21
Axioms
SLIDE 22
Axioms
- Filter out impossible executions
- Capture the effect of store buffering
Disallows “writing to the future”
SLIDE 23
Assume that L L'. Then
Abstraction Theorem
C L C L’
L L’
⇒
L’ specifies L:
SLIDE 24
Subgraph replacement
C L L'
SLIDE 25
Subgraph replacement
C L
History - several relations on boundary actions
L'
SLIDE 26
Subgraph replacement
C L L'
SLIDE 27
Computing histories
- Take a library L on TSO or SC
- Take the most general client:
- Get all possible library executions:
SLIDE 28
Any number of threads Any methods, in any order, with any parameters
Computing histories
- Take a library L on TSO or SC
- Take the most general client:
- Get all possible library executions:
SLIDE 29
Guarantee relation
- Histories include the projection of happens-
before to calls and returns:
data = 1; call signal f = 1 ret signal
data = f = 0;
call wait while (!f) {} ret wait b = data;
rf po po
SLIDE 30
Guarantee relation
- Histories include the projection of happens-
before to calls and returns:
data = 1; call signal f = 1 ret signal
data = f = 0;
call wait while (!f) {} ret wait b = data;
hb
SLIDE 31
Guarantee relation
- Histories include the projection of happens-
before to calls and returns:
data = 1; call signal f = 1 ret signal
{ b = 1 } data = f = 0;
call wait while (!f) {} ret wait b = data;
rf po po
SLIDE 32
Conclusions
- Through thorns to the stars – compositional
reasoning is possible on TSO.
- Axiomatic semantics can be straightforwardly
implemented in SAT solvers
- Can be applied to more complicated models
(IBM Power, ARM)
SLIDE 33
SLIDE 34
Related work
- Concurrent library correctness on the TSO
memory model
- S. Burckhardt et al. (ESOP'12)
- Library abstraction for C/C++ concurrency
- M. Batty et al. (POPL'13)
SLIDE 35
Linearizability
- History: (Interface, Guarantee, Deny)
- Specification can guarantee and deny less to
the client
- So client has more behaviours when using
specification instead of implementation
SLIDE 36
(t1, call push(42)) (t1, ret push) (t1, call isEmpty) (t2, call pop) (t2, ret pop(42))
(t2, call push(11)) (t2, ret push)
t1: t2:
(t1, call push(42)) (t1, ret push) (t1, call isEmpty) (t1, ret isEmpty(yes)) (t2, call pop) (t2, ret pop(42)) (t2, call push(11)) (t2, ret push)
- We can permute calls and returns by different threads
- But non-overlapping method invocations can’t be
rearranged
(t1, ret isEmpty(yes))
Linearizability
SLIDE 37
- How it fails:
x = 1; m(); a = y; y = 1; m(); b = x;
{ a = b = 0 } x = y = 0;
Linearizability
SLIDE 38
- How it fails:
x = 1; m(); a = y; y = 1; m(); b = x;
{ a = b = 0 } x = y = 0;
- Not possible, if m contains a fence.