 
Owicki-Gries for Weak Memory Models
Ori Lahav, Viktor Vafeiadis
Max Planck Institute for Software Systems (MPI-SWS)
Uppsala, 23 February 2015
Weak memory models
◮ Sequential consistency (a.k.a. "interleaving semantics") is the standard memory model for reasoning.
◮ However, in the presence of races, SC is invalidated by hardware implementations and compiler optimizations.
◮ Weak memory models provide formal sound semantics for realistic high-performance concurrency.

Example (Store Buffering)
Initially x = y = 0.
  x := 1      y := 1
  a := y      b := x
This can return a = b = 0 (observed on x86/Power/ARM).
Ori Lahav, Viktor Vafeiadis  Owicki-Gries for Weak Memory Models  2/23
C11 memory model
◮ Introduced in the recent standard for C and C++ (ISO/IEC 14882:2011, ISO/IEC 9899:2011).
◮ Formalized in Batty et al. (POPL'11).
◮ Memory accesses are labeled with memory orders (e.g., SC, release/acquire, relaxed, nonatomic).
In this work we study the "release/acquire" fragment of C11 (it exhibits a good balance between efficiency and sanity).
Release/acquire memory model
◮ Each program is mapped to a set of graphs (called executions).
◮ An execution is consistent if it can be augmented with relations:
  ◮ reads-from: associates each read with a corresponding write
  ◮ memory-order: total order on all writes to the same location
  such that happens-before = (prog-order ∪ reads-from)⁺ is acyclic and none of the following occur:
  [three forbidden coherence patterns, drawn on the slide as diagrams over writes W x,v, W x,v′ and a read R x,v of the same location]

Example (Store Buffering)
  x := 1      y := 1
  a := y      b := x
[Three execution graphs of SB, drawn on the slide: each starts from [x = y = 0], with W x,1 → R y,v_y → W a,v_y in the first thread and W y,1 → R x,v_x → W b,v_x in the second; the generic graph is instantiated with (v_y, v_x) = (1, 1) and with (0, 0), the latter being the weak outcome.]
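To make the consistency definition concrete, here is an added Python example, not code from the slides or the authors: a brute-force checker that, for a tiny program, enumerates every reads-from and memory-order choice and tests acyclicity of happens-before = (po ∪ rf)⁺ together with three coherence patterns. The slide's diagrams are not recoverable, so the patterns are assumed here to be the standard release/acquire ones (write-write: mo agrees with hb; write-read: a read may not read a write that is mo-overwritten by a write hb-before the read; read-write: a read may not read a write that is mo-after a write hb-after the read). The programs SB, MP and CoRR2 are constructed encodings of the examples on slides 2, 10 and 11; MP's spin loop is modelled by a single read of x that must return 1, the value that exits the loop.

```python
import itertools
from collections import defaultdict

# Constructed example programs (the slides' SB, MP and CoRR2).  A thread is a list of
# ("W", location, value) writes and ("R", location, register) reads.
SB = [[("W", "x", 1), ("R", "y", "a")],
      [("W", "y", 1), ("R", "x", "b")]]
MP = [[("W", "m", 42), ("W", "x", 1)],
      [("R", "x", "r"), ("R", "m", "a")]]          # r = 1 models leaving the spin loop
CORR2 = [[("R", "x", "a"), ("R", "x", "b")],
         [("R", "x", "c"), ("R", "x", "d")],
         [("W", "x", 1)],
         [("W", "x", 2)]]


def build_events(threads):
    """Number the events, add an initial write of 0 per location, and collect program
    order.  The initial writes are ordered before every other event."""
    locs = sorted({ev[1] for th in threads for ev in th})
    events = [{"id": i, "kind": "W", "loc": loc, "val": 0} for i, loc in enumerate(locs)]
    po = set()
    for th in threads:
        prev = None
        for kind, loc, x in th:
            e = {"id": len(events), "kind": kind, "loc": loc,
                 ("val" if kind == "W" else "reg"): x}
            events.append(e)
            po.update((init["id"], e["id"]) for init in events[:len(locs)])
            if prev is not None:
                po.add((prev, e["id"]))
            prev = e["id"]
    return events, po


def transitive_closure(n, edges):
    reach = [[False] * n for _ in range(n)]
    for a, b in edges:
        reach[a][b] = True
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return reach


def ra_consistent(events, po, rf, mo):
    """rf maps each read id to the write id it reads from; mo maps each location to its
    writes in memory order.  hb = (po ∪ rf)⁺ must be acyclic and the three (assumed
    standard) coherence patterns must be absent."""
    n = len(events)
    hb = transitive_closure(n, po | {(w, r) for r, w in rf.items()})
    if any(hb[i][i] for i in range(n)):
        return False
    mo_pairs = {(order[i], order[j]) for order in mo.values()
                for i in range(len(order)) for j in range(i + 1, len(order))}
    for w1, w2 in mo_pairs:
        if hb[w2][w1]:                    # write-write: mo must agree with hb
            return False
    for r, w in rf.items():
        for w1, w2 in mo_pairs:
            if w1 == w and hb[w2][r]:     # write-read: a mo-later write is hb-before r
                return False
            if w2 == w and hb[r][w1]:     # read-write: a mo-earlier write is hb-after r
                return False
    return True


def outcome_allowed(threads, outcome):
    """True iff some RA-consistent execution gives each register the value in `outcome`."""
    events, po = build_events(threads)
    writes = [e for e in events if e["kind"] == "W"]
    reads = [e for e in events if e["kind"] == "R"]
    by_loc = defaultdict(list)
    for w in writes:
        by_loc[w["loc"]].append(w["id"])
    locs = sorted(by_loc)
    rf_choices = [[w["id"] for w in writes
                   if w["loc"] == r["loc"] and w["val"] == outcome[r["reg"]]] for r in reads]
    for rf_tuple in itertools.product(*rf_choices):
        rf = {r["id"]: w for r, w in zip(reads, rf_tuple)}
        for orders in itertools.product(*(itertools.permutations(by_loc[l]) for l in locs)):
            if ra_consistent(events, po, rf, dict(zip(locs, orders))):
                return True
    return False


if __name__ == "__main__":
    print("SB    a = b = 0           :", outcome_allowed(SB, {"a": 0, "b": 0}))                        # True
    print("MP    loop exited, a = 0  :", outcome_allowed(MP, {"r": 1, "a": 0}))                        # False
    print("CoRR2 a=1, b=2, c=2, d=1  :", outcome_allowed(CORR2, {"a": 1, "b": 2, "c": 2, "d": 1}))     # False
```

Running it reports that a = b = 0 is allowed for SB (no coherence pattern involves the two locations together and hb stays acyclic), while MP reading a = 0 after leaving the loop and the CoRR2 outcome a = 1, b = 2, c = 2, d = 1 are both inconsistent: in MP the write of 42 to m is hb-before the read of m through the release/acquire edge on x, and in CoRR2 whichever of the two writes is mo-first, one thread reads it after the other write is already hb-before that read.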
Our work

Goals:
◮ Verify concurrent programs under WM.
◮ Investigate what program logics are sound under WM.

Contributions:
◮ We show that Owicki-Gries is unsound for WM (even without ghost variables and atomic blocks).
◮ We identify a simple weakening of OG that is sound for the release/acquire memory model.
◮ We demonstrate that this simple program logic is useful.
◮ We investigate automation of the logic.
Related work

Separation logics for C11:
◮ Relaxed separation logic (V. & Narayan, OOPSLA'13)
◮ GPS (Turon et al., OOPSLA'14)

Other program logics:
◮ Rely/guarantee for TSO (Ridge, VSTTE'10)
◮ Verifying TSO programs (Jacobs, 2014)
◮ iCAP-TSO (Sieczkowski et al., ESOP'15)
◮ Coherent causal memory (Cohen, CoRR 2014)
Owicki-Gries method (1976)

OG = Hoare logic + rule for parallel composition:

  {P1} c1 {Q1}    {P2} c2 {Q2}    the two proofs are non-interfering
  ------------------------------------------------------------------
                    {P1 ∧ P2} c1 ∥ c2 {Q1 ∧ Q2}

Non-interference
R ∧ P ⊢ R{u/x} for every:
◮ assertion R in the proof outline of one thread
◮ assignment x := u with precondition P in the proof outline of the other thread
Example SB: store buffering

{a ≠ 0}
  {a ≠ 0}        {⊤}
  x := 1;        y := 1;
  {x ≠ 0}        {y ≠ 0}
  a := y         b := x
  {x ≠ 0}        {y ≠ 0 ∧ (a ≠ 0 ∨ b = x)}
{a ≠ 0 ∨ b ≠ 0}

Standard OG is unsound under weak memory!
Every triple and every non-interference check of this outline holds in standard OG, yet the outcome a = b = 0, which the postcondition excludes, is allowed under the release/acquire model (slide 2).
Stronger non-interference condition

  {P1} c1 {Q1}    {P2} c2 {Q2}    the two proofs are non-interfering
  ------------------------------------------------------------------
                    {P1 ∧ P2} c1 ∥ c2 {Q1 ∧ Q2}

Non-interference under weak memory
R ∧ P ⊢ R{v/x} for every:
◮ assertion R in the proof outline of one thread
◮ assignment x := u with precondition P in the proof outline of the other thread
◮ value v such that P ∧ R′ ∧ u = v is satisfiable for some assertion R′ above R

Unlike standard OG, the value v written by x := u is no longer fixed by the current state: u may be evaluated in any state admitted by P together with an earlier assertion R′ of the other thread, since under weak memory the two threads need not agree on a single current state. On the SB outline of slide 8 this condition fails at a := y (precondition x ≠ 0): the assertion ⊤ at the top of the second thread makes y = 0 satisfiable, and y ≠ 0 ∧ (a ≠ 0 ∨ b = x) ∧ x ≠ 0 does not entail b = x.
Example MP: message passing

{x = 0}
  {⊤}                 {x ≠ 0 → m = 42}
  m := 42;            while x = 0 do skip;
  {m = 42}            {m = 42}
  x := 1              a := m
  {⊤}                 {a = 42}
{a = 42}
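As an added example (not the authors' tool or code), the following Python program checks both non-interference conditions, the standard one of slide 7 and the weak-memory one of slide 9, by brute force over a small finite domain: assertions are Python predicates on a state, and an entailment such as R ∧ P ⊢ R{u/x} is decided by enumerating states. The outlines SB_T1/SB_T2 and MP_T1/MP_T2 transcribe slides 8 and 10. Assumptions: the value domain (0, 1, 42), and the reading that "R′ above R" includes R itself; the while loop of MP assigns nothing, so only its invariant and exit assertion are listed and the loop rule itself is not checked.

```python
import itertools

# Finite value domain for brute-force entailment checking (constructed; the slides' SB
# and MP examples only ever produce 0, 1 and 42).
VALUES = (0, 1, 42)
TOP = lambda s: True


def states(variables):
    """All states over `variables` with values drawn from VALUES."""
    for vals in itertools.product(VALUES, repeat=len(variables)):
        yield dict(zip(variables, vals))


def locally_valid(thread, variables):
    """Every {P} x := u {Q} of the thread must be a valid Hoare triple over the domain."""
    return all(Q({**s, x: u(s)})
               for P, x, u, Q in thread["assignments"]
               for s in states(variables) if P(s))


def violation(thread_r, thread_p, variables, weak):
    """First non-interference violation of thread_r's assertions by thread_p's
    assignments, or None.  weak=False is standard OG: R ∧ P ⊢ R{u/x}.  weak=True is
    slide 9's condition: R ∧ P ⊢ R{v/x} for every v such that P ∧ R' ∧ u = v is
    satisfiable for some R' at or above R in thread_r (assumed to include R itself)."""
    asserts = thread_r["assertions"]
    for i, R in enumerate(asserts):
        above = asserts[: i + 1]
        for P, x, u, _Q in thread_p["assignments"]:
            admissible = None
            if weak:
                admissible = {u(s) for s in states(variables)
                              if P(s) and any(Rp(s) for Rp in above)}
            for s in states(variables):
                if not (R(s) and P(s)):
                    continue
                for v in (admissible if weak else {u(s)}):
                    if not R({**s, x: v}):
                        return {"assertion": i, "assignment": x, "value": v, "state": s}
    return None


def og_proof_ok(threads, variables, weak):
    """Local validity of every thread plus pairwise non-interference."""
    if not all(locally_valid(t, variables) for t in threads):
        return False
    return all(violation(tr, tp, variables, weak) is None
               for tr in threads for tp in threads if tr is not tp)


# Slide 8's SB outline.  A thread lists its assertions in program order and its
# assignments as (precondition, variable, expression, postcondition).
SB_VARS = ("x", "y", "a", "b")
a_nz = lambda s: s["a"] != 0
x_nz = lambda s: s["x"] != 0
y_nz = lambda s: s["y"] != 0
sb_t2_post = lambda s: s["y"] != 0 and (s["a"] != 0 or s["b"] == s["x"])
SB_T1 = {"assertions": [a_nz, x_nz, x_nz],
         "assignments": [(a_nz, "x", lambda s: 1, x_nz),
                         (x_nz, "a", lambda s: s["y"], x_nz)]}
SB_T2 = {"assertions": [TOP, y_nz, sb_t2_post],
         "assignments": [(TOP, "y", lambda s: 1, y_nz),
                         (y_nz, "b", lambda s: s["x"], sb_t2_post)]}

# Slide 10's MP outline.  `while x = 0 do skip` assigns nothing, so only its
# invariant and the exit assertion appear.
MP_VARS = ("x", "m", "a")
mp_inv = lambda s: s["x"] == 0 or s["m"] == 42      # x ≠ 0 → m = 42
m_42 = lambda s: s["m"] == 42
MP_T1 = {"assertions": [TOP, m_42, TOP],
         "assignments": [(TOP, "m", lambda s: 42, m_42),
                         (m_42, "x", lambda s: 1, TOP)]}
MP_T2 = {"assertions": [mp_inv, m_42, lambda s: s["a"] == 42],
         "assignments": [(m_42, "a", lambda s: s["m"], lambda s: s["a"] == 42)]}

if __name__ == "__main__":
    print("SB, standard OG:", og_proof_ok([SB_T1, SB_T2], SB_VARS, weak=False))    # True
    print("SB, weak-memory OG violation:", violation(SB_T2, SB_T1, SB_VARS, weak=True))
    print("MP, weak-memory OG:", og_proof_ok([MP_T1, MP_T2], MP_VARS, weak=True))   # True
```

The SB outline passes standard non-interference and fails the weak-memory condition exactly at a := y: because the second thread's top assertion is ⊤, the admissible values of y include 0, and substituting a := 0 into y ≠ 0 ∧ (a ≠ 0 ∨ b = x) leaves b = x, which the precondition x ≠ 0 does not guarantee. The MP outline passes both conditions, matching slide 10.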
Example CoRR2: read-read coherence

{x = a = b = c = d = 0}
  {⊤}                       {⊤}
  a := x                    c := x
  {⊤}                       {⊤}                       {x ≠ 1 ∧ a ≠ 1}   {x ≠ 2 ∧ c ≠ 2}
  b := x                    d := x                    x := 1            x := 2
  {a ≠ 1 ∨ b ≠ 2 ∨ x = 2}   {c ≠ 2 ∨ d ≠ 1 ∨ x = 1}   {⊤}               {⊤}
{a ≠ 1 ∨ b ≠ 2 ∨ c ≠ 2 ∨ d ≠ 1}
Formal set up

Programming language:
  c ::= skip | c ; c | c ∥ c | if e(x) then c else c | while e(x) do c
      | x := v | x := e(y) | x := e(y, z) | x := e(x)

Program executions, G = ⟨A, lab, E⟩ where:
◮ Set of nodes, A ⊆ ℕ
◮ Labelling, lab : A → Label, with
    Label ::= ⟨S⟩ | ⟨R, x, v_r⟩ | ⟨W, x, v_w⟩ | ⟨U, x, v_r, v_w⟩
◮ Set of edges, E ⊆ (A × A) ∪ (A × A × Loc), the first component being program order (po) and the second reads-from (rf)