Slide 1

Owicki-Gries for Weak Memory Models

Ori Lahav Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Uppsala, 23 February 2015

Slide 2

Weak memory models

◮ Sequential consistency (a.k.a. “interleaving semantics”) is the standard memory model for reasoning.
◮ However, in the presence of races, SC is invalidated by hardware implementations and compiler optimizations.
◮ Weak memory models provide formal sound semantics for realistic high-performance concurrency.

Example (Store Buffering)

Initially x = y = 0.

x := 1   ‖   y := 1
a := y   ‖   b := x

This can return a = b = 0 (observed on x86/Power/ARM).

Ori Lahav, Viktor Vafeiadis Owicki-Gries for Weak Memory Models 2/23

Slide 3

C11 memory model

◮ Introduced in the recent standard for C and C++ (ISO/IEC 14882:2011, ISO/IEC 9899:2011).
◮ Formalized in Batty et al. (POPL’11).
◮ Memory accesses are labeled with memory orders (e.g., SC, release/acquire, relaxed, nonatomic).

In this work we study the “release/acquire” fragment of C11 (it exhibits a good balance between efficiency and sanity).

Slide 4

Release/acquire memory model

◮ Each program denotes a set of graphs (called executions).
◮ An execution is consistent if it can be augmented with relations:
  ◮ reads-from: associates each read with a corresponding write
  ◮ memory-order: total order on all writes to the same location
  s.t. happens-before = (prog-order ∪ reads-from)⁺ is acyclic and none of the following occur:

[Three forbidden patterns, drawn as diagrams on the slide, over nodes W(x, v), W(x, v′) and R(x, v) connected by happens-before, memory-order and reads-from edges.]

Example (Store Buffering)

x = y = 0

x := 1   ‖   y := 1
a := y   ‖   b := x

[Execution graphs drawn on the slide: an initialisation node [x = y = 0], followed by W(x, 1) → R(y, vy) → W(a, vy) in thread 1 and W(y, 1) → R(x, vx) → W(b, vx) in thread 2; the slide shows the general shape and the two instances vx = vy = 1 and vx = vy = 0.]
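The consistency check on this slide, as an added example written for this page rather than code from the authors: a small Python model builds the store-buffering execution graph above, enumerates every reads-from and memory-order choice, and keeps the RA-consistent ones. The coherence axioms are encoded as the standard release/acquire ones (the slide draws them as three diagrams; which exact shapes those are is assumed here), and the initialisation node is encoded as one initial write per location, program-ordered before every thread event. For comparison the block also enumerates the SC interleavings of the same program and, going beyond this slide, runs the same checker on the message-passing graph from later slides.

```python
from itertools import permutations, product

# Execution graphs in the style of slide 4.  Each event is (kind, loc, value)
# with kind "W" or "R"; event ids are small ints.  The initialisation writes
# (the slide's [x = y = 0] node) are program-ordered before every thread event.

def closure(nodes, edges):
    """Transitive closure of a relation, as a dict node -> set of successors."""
    reach = {n: set() for n in nodes}
    for a, b in edges:
        reach[a].add(b)
    changed = True
    while changed:
        changed = False
        for a in nodes:
            for b in list(reach[a]):
                new = reach[b] - reach[a]
                if new:
                    reach[a] |= new
                    changed = True
    return reach


def ra_consistent(events, po, rf, mo):
    """Release/acquire consistency (assumed axiom set): hb = (po ∪ rf)+ is
    acyclic, hb between same-location writes agrees with mo, and no read sees
    a write that is mo-overwritten by a write hb-before the read, is hb-before
    a write that is mo-before what it read, or (CoRR) sees an older write than
    an hb-earlier read did.  mo: dict loc -> list of write ids in order."""
    nodes = list(events)
    hb = closure(nodes, set(po) | {(w, r) for r, w in rf.items()})
    if any(n in hb[n] for n in nodes):
        return False                                    # hb cycle
    rank = {w: i for ws in mo.values() for i, w in enumerate(ws)}

    def mo_before(w1, w2):
        return events[w1][1] == events[w2][1] and rank[w1] < rank[w2]

    writes = [n for n in nodes if events[n][0] == "W"]
    for w1 in writes:
        for w2 in writes:
            if (w1 != w2 and events[w1][1] == events[w2][1]
                    and w2 in hb[w1] and not mo_before(w1, w2)):
                return False                            # write-write coherence
    for r, w in rf.items():
        for w2 in writes:
            if mo_before(w, w2) and r in hb[w2]:
                return False                            # read of an overwritten write
            if mo_before(w2, w) and w2 in hb[r]:
                return False                            # read hb-before an mo-earlier write
        for r2, w2 in rf.items():
            if r2 in hb[r] and mo_before(w2, w):
                return False                            # CoRR
    return True


def outcomes_ra(events, po, reads):
    """Values the listed reads can return in some RA-consistent completion."""
    writes_by_loc = {}
    for n, (kind, loc, _) in events.items():
        if kind == "W":
            writes_by_loc.setdefault(loc, []).append(n)
    locs = list(writes_by_loc)
    mo_choices = [list(permutations(writes_by_loc[l])) for l in locs]
    results = set()
    for srcs in product(*[writes_by_loc[events[r][1]] for r in reads]):
        rf = dict(zip(reads, srcs))
        ev = dict(events)
        for r, w in rf.items():                         # a read returns its source's value
            ev[r] = ("R", events[r][1], events[w][2])
        if any(ra_consistent(ev, po, rf, dict(zip(locs, mos)))
               for mos in product(*mo_choices)):
            results.add(tuple(ev[r][2] for r in reads))
    return results


def outcomes_sc(threads, init):
    """Interleaving semantics over one global store, for comparison.
    A statement is ("W", loc, value) or ("R", loc, register)."""
    results = set()

    def step(store, pcs, regs):
        if all(pc == len(t) for pc, t in zip(pcs, threads)):
            results.add(tuple(regs[r] for r in sorted(regs)))
            return
        for i, t in enumerate(threads):
            if pcs[i] < len(t):
                kind, loc, arg = t[pcs[i]]
                s, rg = dict(store), dict(regs)
                if kind == "W":
                    s[loc] = arg
                else:
                    rg[arg] = s[loc]
                step(s, pcs[:i] + [pcs[i] + 1] + pcs[i + 1:], rg)

    step(dict(init), [0] * len(threads), {})
    return results


# Store buffering as on the slide (constructed encoding of that graph).
SB_EVENTS = {0: ("W", "x", 0), 1: ("W", "y", 0),          # [x = y = 0]
             2: ("W", "x", 1), 3: ("R", "y", None),        # x := 1; a := y
             4: ("W", "y", 1), 5: ("R", "x", None)}        # y := 1; b := x
SB_PO = {(0, 2), (1, 2), (0, 4), (1, 4), (2, 3), (4, 5)}
SB_READS = [3, 5]                                          # (a, b)
SB_THREADS = [[("W", "x", 1), ("R", "y", "a")], [("W", "y", 1), ("R", "x", "b")]]

# Message passing with a single read of x standing for the loop's last
# iteration, then a := m (constructed encoding).
MP_EVENTS = {0: ("W", "m", 0), 1: ("W", "x", 0),
             2: ("W", "m", 42), 3: ("W", "x", 1),          # m := 42; x := 1
             4: ("R", "x", None), 5: ("R", "m", None)}     # read x; a := m
MP_PO = {(0, 2), (1, 2), (0, 4), (1, 4), (2, 3), (4, 5)}
MP_READS = [4, 5]                                          # (value of x read, value of m read)

if __name__ == "__main__":
    print("SB under SC:", sorted(outcomes_sc(SB_THREADS, {"x": 0, "y": 0})))
    print("SB under RA:", sorted(outcomes_ra(SB_EVENTS, SB_PO, SB_READS)))
    print("MP under RA:", sorted(outcomes_ra(MP_EVENTS, MP_PO, MP_READS)))
```

Under SC the a = b = 0 outcome is absent; under RA it is consistent, exactly the observation on slide 2. For MP the checker rejects every completion in which the read of x returns 1 but the read of m returns 0, because W(m, 42) is then hb-before the read of m via the rf edge into the read of x.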

Slide 5

Our work

Goals:

◮ Verify concurrent programs under WM.
◮ Investigate what program logics are sound under WM.

Contributions:

◮ We show that Owicki-Gries is unsound for WM (even without ghost variables and atomic blocks).
◮ We identify a simple weakening of OG that is sound for the release/acquire memory model.
◮ We demonstrate that this simple program logic is useful.
◮ We investigate automation of the logic.

Slide 6

Related work

Separation logics for C11:

◮ Relaxed separation logic (V. & Narayan, OOPSLA’13)
◮ GPS (Turon et al., OOPSLA’14)

Other program logics:

◮ Rely/guarantee for TSO (Ridge, VSTTE’10)
◮ Verifying TSO programs (Jacobs, 2014)
◮ iCAP-TSO (Sieczkowski et al., ESOP’15)
◮ Coherent causal memory (Cohen, CoRR 2014)

Slide 7

Owicki-Gries method (1976)

OG = Hoare logic + rule for parallel composition:

    {P1} c1 {Q1}    {P2} c2 {Q2}    the two proofs are non-interfering
    -----------------------------------------------------------------
                    {P1 ∧ P2} c1 ‖ c2 {Q1 ∧ Q2}

Non-interference: R ∧ P ⊢ R{u/x} for every:

◮ assertion R in the proof outline of one thread
◮ assignment x := u with precondition P in the proof outline of the other thread

Slide 8

Example SB: store buffering

{a ≠ 0}
x := 1;   ‖   y := 1;
a := y    ‖   b := x
{a ≠ 0 ∨ b ≠ 0}

Slide 14

Example SB: store buffering

{a ≠ 0}
{a ≠ 0}    ‖
x := 1;    ‖   y := 1;
{x ≠ 0}    ‖   {y ≠ 0}
a := y     ‖   b := x
{x ≠ 0}    ‖   {y ≠ 0 ∧ (a ≠ 0 ∨ b = x)}
{a ≠ 0 ∨ b ≠ 0}

Standard OG is unsound under weak memory!

Slide 15

Stronger non-interference condition

    {P1} c1 {Q1}    {P2} c2 {Q2}    the two proofs are non-interfering
    -----------------------------------------------------------------
                    {P1 ∧ P2} c1 ‖ c2 {Q1 ∧ Q2}

Non-interference under weak memory: R ∧ P ⊢ R{v/x} for every:

◮ assertion R in the proof outline of one thread
◮ assignment x := u with precondition P in the proof outline of the other thread
◮ value v such that P ∧ R′ ∧ u = v is satisfiable for some assertion R′ above R

Slide 16

Example MP: message passing

{x = 0}
m := 42;   ‖   while x = 0 do skip;
x := 1     ‖   a := m
{a = 42}

Slide 17

Example MP: message passing

{x = 0}
m := 42;    ‖   {x ≠ 0 → m = 42}
{m = 42}    ‖   while x = 0 do skip;
x := 1      ‖   {m = 42}
            ‖   a := m
            ‖   {a = 42}
{a = 42}

Slide 18

Example CoRR2: read-read coherence

{x = a = b = c = d = 0}
x := 1   ‖   x := 2   ‖   a := x   ‖   c := x
         ‖            ‖   b := x   ‖   d := x
{a ≠ 1 ∨ b ≠ 2 ∨ c ≠ 2 ∨ d ≠ 1}

Slide 23

Example CoRR2: read-read coherence

{x = a = b = c = d = 0}
{x ≠ 1 ∧ a ≠ 1}   ‖   {x ≠ 2 ∧ c ≠ 2}   ‖   a := x                   ‖   c := x
x := 1            ‖   x := 2            ‖   b := x                   ‖   d := x
                  ‖                     ‖   {a ≠ 1 ∨ b ≠ 2 ∨ x = 2}  ‖   {c ≠ 2 ∨ d ≠ 1 ∨ x = 1}
{a ≠ 1 ∨ b ≠ 2 ∨ c ≠ 2 ∨ d ≠ 1}

Slide 24

Formal set up

Programming language:

    c ::= skip | c ; c | c ‖ c | if e(x) then c else c | while e(x) do c
        | x := v | x := e(y) | x :=_{y,z} e(y, z) | x :=_at e(x)

Program executions, G = ⟨A, lab, E⟩ where:

◮ Set of nodes, A ⊆ ℕ
◮ Labelling, lab : A → Label, where Label ::= S | ⟨R, x, vr⟩ | ⟨W, x, vw⟩ | ⟨U, x, vr, vw⟩
◮ Set of edges, E ⊆ (A × A) ∪ (A × A × Loc): the first component is program order (po), the second reads-from (rf).

Slide 25

Mapping programs to executions

skip                     ↦  SG — graph with one node labelled “skip”
x := v                   ↦  WG(x, v) — graph with one node labelled “W(x, v)”
x := e(y)                ↦  {RG(y, v); WG(x, e(v)) | v ∈ Val}
x :=_{y,z} e(y, z)       ↦  {RG(y, vy); RG(z, vz); WG(x, e(vy, vz)) | vy, vz ∈ Val}
x :=_at e(x)             ↦  {UG(x, v, e(v)) | v ∈ Val}
c1 ; c2                  ↦  ⟦c1⟧ ; ⟦c2⟧
c1 ‖ c2                  ↦  SG ; (⟦c1⟧ ‖ ⟦c2⟧) ; SG
if e(x) then c1 else c2  ↦  {RG(x, v); ⟦c1⟧ | v ∈ Val, e(v) ≠ 0} ∪ {RG(x, v); ⟦c2⟧ | v ∈ Val, e(v) = 0}
while e(x) do c          ↦  ⋃_{n≥0} ({RG(x, v); ⟦c⟧ | v ∈ Val, e(v) ≠ 0})^n ; {RG(x, v) | v ∈ Val, e(v) = 0}
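The mapping above as executable code, added for this page (not the authors' implementation): commands are tuples, e(·) is a Python function, and each case of the table returns the list of graphs it denotes. Graphs are (nodes, po) pairs with po kept transitively closed; the infinite union in the while case is cut off at MAX_UNROLL iterations, which is an assumption of this example and not part of the slide.

```python
VAL = (0, 1)        # the finite value domain Val of the slide
MAX_UNROLL = 2      # bound on the n ≥ 0 union of the while case (this example's assumption)

# A graph is (nodes, po): nodes is a list of (id, label), po a set of (id, id)
# pairs kept transitively closed.  Labels: "S", ("R", x, v), ("W", x, v),
# ("U", x, vr, vw).  Ids are renumbered on composition so they stay distinct.

def single(label):
    return ([(0, label)], set())


def shift(g, off):
    nodes, po = g
    return ([(i + off, l) for i, l in nodes], {(a + off, b + off) for a, b in po})


def seq(g1, g2):
    """g1 ; g2: every node of g1 is po-before every node of g2."""
    n1, po1 = g1
    n2, po2 = shift(g2, len(n1))
    return (n1 + n2, po1 | po2 | {(a, b) for a, _ in n1 for b, _ in n2})


def par(g1, g2):
    """g1 ‖ g2: disjoint union, no po edges across the two sides."""
    n1, po1 = g1
    n2, po2 = shift(g2, len(n1))
    return (n1 + n2, po1 | po2)


def denote(c):
    """The set of execution graphs of command c, following the table."""
    op = c[0]
    if op == "skip":
        return [single("S")]
    if op == "assign_const":                                   # x := v
        _, x, v = c
        return [single(("W", x, v))]
    if op == "assign":                                         # x := e(y)
        _, x, y, e = c
        return [seq(single(("R", y, v)), single(("W", x, e(v)))) for v in VAL]
    if op == "assign2":                                        # x :=_{y,z} e(y, z)
        _, x, y, z, e = c
        return [seq(seq(single(("R", y, vy)), single(("R", z, vz))),
                    single(("W", x, e(vy, vz)))) for vy in VAL for vz in VAL]
    if op == "rmw":                                            # x :=_at e(x)
        _, x, e = c
        return [single(("U", x, v, e(v))) for v in VAL]
    if op == "seq":
        return [seq(g1, g2) for g1 in denote(c[1]) for g2 in denote(c[2])]
    if op == "par":
        return [seq(seq(single("S"), par(g1, g2)), single("S"))
                for g1 in denote(c[1]) for g2 in denote(c[2])]
    if op == "if":                                             # if e(x) then c1 else c2
        _, x, e, c1, c2 = c
        return [seq(single(("R", x, v)), g)
                for v in VAL for g in denote(c1 if e(v) != 0 else c2)]
    if op == "while":                                          # while e(x) do c
        _, x, e, body = c
        enter = [seq(single(("R", x, v)), g) for v in VAL if e(v) != 0 for g in denote(body)]
        leave = [single(("R", x, v)) for v in VAL if e(v) == 0]
        graphs, prefixes = [], [None]                          # n = 0: no iteration yet
        for _ in range(MAX_UNROLL + 1):
            graphs += [g if p is None else seq(p, g) for p in prefixes for g in leave]
            prefixes = [g if p is None else seq(p, g) for p in prefixes for g in enter]
        return graphs
    raise ValueError(f"unknown command {op}")


def labels(g):
    return [label for _, label in g[0]]


# Store buffering and message passing from the earlier slides, encoded as ASTs.
SB_PROGRAM = ("par",
              ("seq", ("assign_const", "x", 1), ("assign", "a", "y", lambda v: v)),
              ("seq", ("assign_const", "y", 1), ("assign", "b", "x", lambda v: v)))
MP_PROGRAM = ("par",
              ("seq", ("assign_const", "m", 42), ("assign_const", "x", 1)),
              ("seq", ("while", "x", lambda v: 1 if v == 0 else 0, ("skip",)),
                      ("assign", "a", "m", lambda v: v)))

if __name__ == "__main__":
    for g in denote(SB_PROGRAM):
        print(labels(g))
    print(len(denote(MP_PROGRAM)), "graphs for MP with at most", MAX_UNROLL, "loop iterations")
```

With Val = {0, 1}, store buffering denotes four graphs (one per pair of read values), each with the two bracketing S nodes of the parallel case; every read value is still unconstrained at this stage, since consistency (slide 4) is a separate filter over these candidate graphs.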

Slide 26

Owicki-Gries judgments

An OG judgment has the form ℛ; 𝒢 ⊢ {P} c {Q} where:

◮ {P} c {Q} is a Hoare triple.
◮ ℛ is a set of pairs ⟨R, C⟩, where R and C are assertions.
◮ 𝒢 is a set of guarded assignments {R} c, where R is an assertion and c is an assignment command.

    ℛ^R ≜ {R | ⟨R, _⟩ ∈ ℛ}        ℛ^C ≜ {C | ⟨_, C⟩ ∈ ℛ}

    ℛ ≤ ℛ′ ≜ ∀⟨R, C⟩ ∈ ℛ. ∃⟨R, C′⟩ ∈ ℛ′. C ⊢ C′
    𝒢 ≤ 𝒢′ ≜ ∀{R} c ∈ 𝒢. ∃{R′} c ∈ 𝒢′. R ⊢ R′

Slide 27

Proof rules (1)

(conseq)

    ℛ; 𝒢 ⊢ {P} c {Q}    P′ ⊢ P    Q ⊢ Q′    ℛ ≤ ℛ′    𝒢 ≤ 𝒢′
    ---------------------------------------------------------
                     ℛ′; 𝒢′ ⊢ {P′} c {Q′}

(skip)

    {⟨P, P⟩} ≤ ℛ
    --------------------
    ℛ; ∅ ⊢ {P} skip {P}

(seq)

    ℛ1; 𝒢1 ⊢ {P} c1 {R}    ℛ2; 𝒢2 ⊢ {R} c2 {Q}    ℛ1^R ⊢ ℛ2^C
    ---------------------------------------------------------
               ℛ1 ∪ ℛ2; 𝒢1 ∪ 𝒢2 ⊢ {P} c1; c2 {Q}

(par)

    ℛ1; 𝒢1 ⊢ {P1} c1 {Q1}    ℛ2; 𝒢2 ⊢ {P2} c2 {Q2}    Q1 ∧ Q2 ⊢ Q    ℛ1; 𝒢1 and ℛ2; 𝒢2 are non-interfering
    --------------------------------------------------------------------------------------------------
            ℛ1 ∪ ℛ2 ∪ {⟨Q, (ℛ1^R ∨ ℛ2^R ∨ Q)⟩}; 𝒢1 ∪ 𝒢2 ⊢ {P1 ∧ P2} c1 ‖ c2 {Q}

Slide 28

Non-interference

A pair ⟨R, C⟩ is stable under {P} c if the following hold:

◮ If c = (x := v), then R ∧ P ⊢ R[v/x].
◮ If c = (x := e(y)), then R ∧ P ⊢ R[e(vy)/x] for every vy ∈ Val such that C ∧ P ∧ y = vy is satisfiable.
◮ If c = (x :=_{y,z} e(y, z)), then R ∧ P ⊢ R[e(vy, vz)/x] for every vy, vz ∈ Val such that C ∧ P ∧ y = vy and C ∧ P ∧ z = vz are satisfiable.
◮ If c = (x :=_at e(x)), then R ∧ P ⊢ R[e/x].

Definition (Non-interference)
ℛ1; 𝒢1 and ℛ2; 𝒢2 are non-interfering if every ⟨R, C⟩ ∈ ℛi is stable under every {P} c ∈ 𝒢j for i ≠ j.
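The standard and the weak-memory stability conditions side by side, as an added example for this page and not the authors' tool: assertions are Python predicates over a finite value domain, so R ∧ P ⊢ R[v/x] is decided by enumerating states. The block implements the x := v and x := e(y) cases of the definition above (the two-variable and RMW cases are left out) and runs both conditions over the store-buffering outline of slide 14 and the message-passing outline of slide 17, read here with the inequalities (a ≠ 0, x ≠ 0, y ≠ 0, x ≠ 0 → m = 42) that the slide extraction dropped. The post-condition of MP's first thread is not shown on the slide and is taken to be m = 42 in this encoding.

```python
from itertools import product

# Assertions are predicates over a state dict.  An assignment x := u of the
# other thread is (x, u, P) with u a function of the state and P its
# precondition in the outline.  Entailment is decided by brute force over
# a finite value domain, which suffices for the outlines on the slides.

def all_states(domain):
    """domain: dict var -> tuple of values; returns every state as a dict."""
    names = list(domain)
    return [dict(zip(names, vs)) for vs in product(*(domain[n] for n in names))]


def entails(states, hyp, concl):
    """hyp ⊢ concl: no state of the domain satisfies hyp but not concl."""
    return all(concl(s) for s in states if hyp(s))


def stable_sc(states, R, asg):
    """Standard OG (slide 7): R ∧ P ⊢ R{u/x}, u evaluated in the current state."""
    x, u, P = asg
    return entails(states, lambda s: R(s) and P(s), lambda s: R({**s, x: u(s)}))


def stable_ra(states, R, above, asg):
    """Weak-memory condition (slides 15 and 28): for every value v that u takes
    in some state satisfying P and an assertion R' above R (R itself included),
    R ∧ P ⊢ R[v/x].  For x := v with a constant v this is the standard check."""
    x, u, P = asg
    vals = {u(s) for Rp in above for s in states if P(s) and Rp(s)}
    return all(entails(states, lambda s: R(s) and P(s), lambda s, v=v: R({**s, x: v}))
               for v in vals)


def non_interference(states, t1, t2, weak):
    """Check each assertion of one thread against each assignment of the other.
    A thread is (assertions top-to-bottom, assignments).  Returns the failures
    as (thread, assertion index, assigned variable); an empty list means OK."""
    failures = []
    for tid, ((asserts, _), (_, asgs)) in enumerate(((t1, t2), (t2, t1)), start=1):
        for i, R in enumerate(asserts):
            for asg in asgs:
                ok = (stable_ra(states, R, asserts[:i + 1], asg) if weak
                      else stable_sc(states, R, asg))
                if not ok:
                    failures.append((tid, i, asg[0]))
    return failures


# Store buffering outline of slide 14 (inequalities restored):
#   {a ≠ 0} x := 1; {x ≠ 0} a := y {x ≠ 0}  ‖  y := 1; {y ≠ 0} b := x {y ≠ 0 ∧ (a ≠ 0 ∨ b = x)}
SB_STATES = all_states({"x": (0, 1), "y": (0, 1), "a": (0, 1), "b": (0, 1)})
sb_a1 = lambda s: s["a"] != 0
sb_a2 = lambda s: s["x"] != 0
sb_b0 = lambda s: True
sb_b1 = lambda s: s["y"] != 0
sb_b2 = lambda s: s["y"] != 0 and (s["a"] != 0 or s["b"] == s["x"])
SB_T1 = ([sb_a1, sb_a2, sb_a2], [("x", lambda s: 1, sb_a1), ("a", lambda s: s["y"], sb_a2)])
SB_T2 = ([sb_b0, sb_b1, sb_b2], [("y", lambda s: 1, sb_b0), ("b", lambda s: s["x"], sb_b1)])

# Message passing outline of slide 17; the loop writes nothing, so only its
# invariant x ≠ 0 → m = 42 takes part in the check.  Thread 1's post-condition
# is assumed to be m = 42 (not shown on the slide).
MP_STATES = all_states({"x": (0, 1), "m": (0, 42), "a": (0, 42)})
mp_true = lambda s: True
mp_m42 = lambda s: s["m"] == 42
mp_inv = lambda s: s["x"] == 0 or s["m"] == 42
mp_a42 = lambda s: s["a"] == 42
MP_T1 = ([mp_true, mp_m42, mp_m42], [("m", lambda s: 42, mp_true), ("x", lambda s: 1, mp_m42)])
MP_T2 = ([mp_inv, mp_m42, mp_a42], [("a", lambda s: s["m"], mp_m42)])

if __name__ == "__main__":
    for name, st, t1, t2 in (("SB", SB_STATES, SB_T1, SB_T2), ("MP", MP_STATES, MP_T1, MP_T2)):
        print(name, "standard OG:", non_interference(st, t1, t2, weak=False),
              "weak memory:", non_interference(st, t1, t2, weak=True))
```

The SB outline passes the standard check but the weak one rejects thread 2's final assertion against a := y: the precondition x ≠ 0 together with the assertion true above it allows y = 0, and y ≠ 0 ∧ (a ≠ 0 ∨ b = x) ∧ x ≠ 0 does not entail y ≠ 0 ∧ b = x. MP passes both, since every interfering assignment there writes a constant.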

Slide 29

Proof rules (2)

(assn0)

    P ⊢ Q[v/x]    {⟨P, P⟩, ⟨Q, P ∨ Q⟩} ≤ ℛ
    ---------------------------------------
    ℛ; {{P} x := v} ⊢ {P} x := v {Q}

(assn1)

    P ⊢ Q[e(y)/x]    {⟨P, P⟩, ⟨Q, P ∨ Q⟩} ≤ ℛ
    ------------------------------------------
    ℛ; {{P} x := e(y)} ⊢ {P} x := e(y) {Q}

(assn2)

    P ⊢ Q[e(y, z)/x]    {⟨P, P⟩, ⟨Q, P ∨ Q⟩} ≤ ℛ    {⟨P ∧ (y = v), P⟩ | v ∈ Val} ≤ ℛ
    --------------------------------------------------------------------------------
    ℛ; {{P} x :=_{y,z} e(y, z)} ⊢ {P} x :=_{y,z} e(y, z) {Q}

(assnat)

    P ⊢ Q[e(x)/x]    {⟨P, P⟩, ⟨Q, P ∨ Q⟩} ≤ ℛ
    ------------------------------------------
    ℛ; {{P} x :=_at e(x)} ⊢ {P} x :=_at e(x) {Q}

Slide 30

Soundness proof

Challenges in a weak memory setting:

◮ No intuitive operational semantics
◮ No notion of global state

Main proof steps:

◮ Define the notion of a visible state at a given node of the execution.
◮ Study properties of visibility under the RA model.
◮ Show that edges of consistent executions can be annotated with the assertions from the OG proof such that every state visible at a node satisfies its annotation.

Slide 31

Visible states at a node in an execution graph

Let G = ⟨A, lab, E⟩ be an execution and let a ∈ A.

◮ G|a is the prefix of G containing a (and all prior nodes and edges).
◮ A state σ is visible at a if there is a function D : Loc → A such that ∀x. D(x) ∈ W_x ∪ U_x and val_w(D(x)) = σ(x), and the execution (G ∪ (D[Loc] × {a}))|a is coherent.
◮ An assertion P holds at a if σ ⊨ P for every state σ visible at a.

Slide 32

Meaning of Hoare triples

Definition (Initialization)
Given a state σ, a σ-initialization is any execution in WG(σ) ≜ (WG(ν1, σ(ν1)) … WG(νM, σ(νM))); SG. Given an assertion P, WG(P) ≜ {WG(σ) | σ ⊨ P}.

Definition (Triple validity)
{P} c {Q} is valid if Q holds at the terminal node of every complete and coherent reads-from extension of an execution in WG(P); ⟦c⟧; SG.

Theorem (Soundness)
If ℛ; 𝒢 ⊢ {P} c {Q}, then {P} c {Q} is valid.

Slide 33

Stronger assignment rule

{w = 0 ∧ r = 0}
{w = 0}                  ‖   {r = 0}
w := 1;                  ‖   r := w;
while r ≠ 1 do skip      ‖   {r = 1 → w = 1}
{r = 1}                  ‖   r := w      with guards P_v = w = 1 for v = 1, r ≠ 1 otherwise
{r = 1}

(assn′1)

    P ⊢ Q[e(y)/x]    {⟨P, P⟩, ⟨Q, P ∨ Q⟩} ≤ ℛ    ∀v ∈ Val: P ∧ (y = v) ⊢ Pv    {⟨Pv, P⟩} ≤ ℛ
    -------------------------------------------------------------------------------------
    ℛ; {{Pv} x := e(y) | v ∈ Val} ⊢ {P} x := e(y) {Q}

Slide 34

Modelling fences as RMWs

{f = 0}
x := 1;             ‖   y := 1;
f :=_at 10f + 1;    ‖   f :=_at 10f + 2;
a := y              ‖   b := x
{a = 1 ∨ b = 1}

Slide 35

Modelling fences as RMWs

{f = 0}
{f ∈ {0, 2} ∧ (f = 2 → y = 1)}            ‖   {f ∈ {0, 1} ∧ (f = 1 → x = 1)}
x := 1;                                   ‖   y := 1;
{f ∈ {0, 2} ∧ x = 1 ∧ (f = 2 → y = 1)}    ‖   {f ∈ {0, 1} ∧ y = 1 ∧ (f = 1 → x = 1)}
f :=_at 10f + 1;                          ‖   f :=_at 10f + 2;
{f ∈ {1, 12, 21} ∧ (f = 21 → y = 1)}      ‖   {f ∈ {2, 12, 21} ∧ (f = 12 → x = 1)}
a := y                                    ‖   b := x
{f ∈ {1, 12, 21} ∧ (f = 21 → a = 1)}      ‖   {f ∈ {2, 12, 21} ∧ (f = 12 → b = 1)}
{a = 1 ∨ b = 1}

Slide 36

Conclusion

Summary of contributions:

◮ Owicki-Gries is unsound for TSO.
◮ Weakening the stability condition gives soundness for RA.
◮ The weak OG is fairly useful and allows some automation.

Further work:

◮ Improve automation, apply to bigger examples
◮ Support ghost variables
◮ Investigate completeness, rely/guarantee
◮ Revisit the separation logics for weak memory
