Program logics for relaxed consistency UPMARC Summer School 2014 - PowerPoint PPT Presentation

Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014

Outline Part I. Weak memory models 1. Intro to relaxed memory consistency 2. The C11 memory model Part II. Program logics 3. Separation logic 4. Relaxed separation logic 5. GPS : ghosts & protocols 6. Advanced features http://www.mpi-sws.org/~viktor/rsl/ Viktor Vafeiadis Program logics for relaxed consistency 2/29

Sequential consistency Sequential consistency (SC): ◮ Interleave each thread’s atomic accesses. ◮ The standard model for concurrency. ◮ Almost all verification work assumes it. ◮ Fairly intuitive. Initially, x = y = 0. x := 1; y := 1; print ( y ); print ( x ); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Program logics for relaxed consistency 3/29

Sequential consistency Sequential consistency (SC): ◮ Interleave each thread’s atomic accesses. ◮ The standard model for concurrency. ◮ Almost all verification work assumes it. But SC is invalidated by: ◮ Fairly intuitive. ◮ Hardware implementations Initially, x = y = 0. ◮ Compiler optimisations x := 1; y := 1; print ( y ); print ( x ); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Program logics for relaxed consistency 3/29

Store buffering in x86-TSO . . . cpu 1 cpu n write . . . read write-back Memory Initially, x = y = 0. x := 1; y := 1; print ( y ); print ( x ); This program can also print 00. Viktor Vafeiadis Program logics for relaxed consistency 4/29

Basic compiler optimisations break SC / TSO Initially, x = y = 0. print ( x ); x := 1; print ( y ); y := 1; print ( x ); Can the program print 010? Justification: The compiler may perform CSE: Load x into a temporary t and print t , y , and t . Viktor Vafeiadis Program logics for relaxed consistency 5/29

IRIW: Not just store buffering Initially, x = y = 0. print ( x ); print ( y ); x := 1 y := 1 print ( y ); print ( x ); Both threads can print 10. y:=1 x:=1 print(x) print(y) print(y) print(x) Viktor Vafeiadis Program logics for relaxed consistency 6/29

From IRIW to the store buffering example Take the IRIW example: print ( x ); print ( y ); x := 1 y := 1 print ( y ); print ( x ); Linearize twice (threads 1-3 and 2-4): x := 1; y := 1; print ( x ); print ( y ); print ( y ); print ( x ); That’s the store buffering example (with two extra print statements). Viktor Vafeiadis Program logics for relaxed consistency 7/29

Coherence Initially, x = 0. x = 1; print ( x ); x = 2; print ( x ); Cannot print 10 nor 20 nor 21. ◮ Programs with one shared variable have SC semantics. ◮ Ensured by the cache coherence protocol. Viktor Vafeiadis Program logics for relaxed consistency 8/29

Message passing Initially, x = y = 0. x = 1; print ( y ); [WW fence] [RR fence] y = 1; print ( x ); Cannot print 10. ◮ No fences needed on x86-TSO ◮ lwsync/isync on Power ◮ dmb/isync on ARM Viktor Vafeiadis Program logics for relaxed consistency 9/29

Understanding weak memory consistency Read the architecture/language specs? ◮ Too informal, often wrong. Read the formalisations? ◮ Fairly complex. Run benchmarks / Litmus tests? ◮ Observe only subset of behaviours. We need a better methodology. . . Viktor Vafeiadis Program logics for relaxed consistency 10/29

Which memory model? Hardware or language models? ◮ Want to reason at “high level” ◮ TSO ❀ good robustness theorems C/C++ or Java? ◮ JMM is broken [Ševčík & Aspinall, ECOOP’08] ◮ So, only C11 left Goals: ◮ Understand the memory model ◮ Verify intricate concurrent programs Viktor Vafeiadis Program logics for relaxed consistency 11/29

The C11 memory model Two types of locations: ordinary and atomic ◮ Races on ordinary accesses ❀ error A spectrum of atomic accesses: ◮ Relaxed ❀ no fence ◮ Consume reads ❀ no fence, but preserve deps ◮ Release writes ❀ no fence (x86); lwsync (PPC) ◮ Acquire reads ❀ no fence (x86); isync (PPC) ◮ Seq. consistent ❀ full memory fence Primitives for explicit fences Viktor Vafeiadis Program logics for relaxed consistency 12/29

C11 executions ◮ Execution = set of events & a few relations: ◮ sb: sequenced before ◮ rf: reads-from map ◮ mo: memory order per location ◮ sc: seq.consistency order ◮ sw [derived]: synchronized with ◮ hb [derived]: happens before ◮ Axioms constraining the consistent executions. ◮ C ( ) = set of all consistent exec’s. | prog | ◮ if all C ( ) race-free on ordinary accesses, | prog | � prog � = C ( ); otherwise, � prog � =“error” | prog | Viktor Vafeiadis Program logics for relaxed consistency 13/29

� � � �� � � � � Release-acquire synchronization: message passing in C11 atomic_int x = 0; int a = 0; � a = 7; if ( x . load( acq ) � = 0) � x . store(1 , release ); print ( a ); W na ( x , 0) sb W na ( a , 0) sb sb � W na ( a , 7) R acq ( x , 1) rf , sw sb sb W rel ( x , 1) R na ( a , ? ) rf sb sb happens-before def = (sequenced-before ∪ sync-with) + sync-with( a , b ) def = reads-from( b ) = a ∧ release( a ) ∧ acquire( b ) Viktor Vafeiadis Program logics for relaxed consistency 14/29

Rel-acq synchronization is weaker than SC Example (SB) Initially, x = y = 0. x . store (1 , release ); y . store (1 , release ); t ′ = x . load ( acquire ); t = y . load ( acquire ); This program may produce t = t ′ = 0. Example (IRIW) Initially, x = y = 0. a = x . load ( acq ); c = y . load ( acq ); x . store y . store (1 , rel ); (1 , rel ); b = y . load ( acq ); d = x . load ( acq ); May produce a = c = 1 ∧ b = d = 0. Viktor Vafeiadis Program logics for relaxed consistency 15/29

Coherence Example (Read-Read Coherence) Initially, x = 0. a = x . load ( acq ); c = x . load ( acq ); x . store x . store (1 , rel ); (2 , rel ); b = x . load ( acq ); d = x . load ( acq ); Cannot get a = d = 1 ∧ b = c = 2. ◮ Plus similar WR, RW, WW coherence properties. ◮ Ensure SC behaviour for a single variable. ◮ Also guaranteed for relaxed atomics (the weakest kind of atomics in C11). Viktor Vafeiadis Program logics for relaxed consistency 16/29

Part II Relaxed Program Logics Today: ◮ Separation logic ◮ Relaxed separation logic

When should we care about relaxed memory? All sane memory models satisfy the DRF property: Theorem (DRF-property) If � Prg � SC contains no data races, then � Prg � Relaxed = � Prg � SC . ◮ Program logics that disallow data races are trivially sound. ◮ What about racy programs? Viktor Vafeiadis Program logics for relaxed consistency 18/29

Separation logic assertions Assertions describe the heap ( Loc ⇀ Val ): ◮ emp: the empty heap ◮ ℓ �→ v : a cell at address ℓ containing v = ℓ �→ v ⇐ ⇒ h = { ℓ �→ v } h | ◮ P ∗ Q : separating conjunction = P ∗ Q ⇐ h | ⇒ ∃ h 1 h 2 . h = h 1 ⊎ h 2 ∧ h 1 | = P ∧ h 2 | = Q ◮ ∧ , ∨ , ¬ , true , false , ∀ , ∃ : as usual Viktor Vafeiadis Program logics for relaxed consistency 19/29

The separating conjunction Some basic properties: ◮ ∗ is commutative & associative. ◮ P ∗ emp ⇐ ⇒ emp ∗ P ⇐ ⇒ P ◮ ℓ �→ v ∗ ℓ �→ v ′ = ⇒ false Useful for describing inductive data structures: ◮ list ( x ) def = ( x = 0 ∧ emp) ∨ ∃ y . x �→ y ∗ list ( y ) ◮ ls ( x , z ) def = ( x = z ∧ emp) ∨ ∃ y . x �→ y ∗ ls ( y , z ) ◮ tree ( x ) def = ( x = 0 ∧ emp) ∨ ∃ y , z . x �→ y ∗ x +1 �→ z ∗ tree ( y ) ∗ tree ( z ) Viktor Vafeiadis Program logics for relaxed consistency 20/29

Separation logic Key concept of ownership : ◮ Resourceful reading of Hoare triples � � � � � � � � P 1 C 1 Q 1 P 2 C 2 Q 2 (Par) � � � � P 1 ∗ P 2 C 1 � C 2 Q 1 ∗ Q 2 � � � � P C Q (Frame) � � � � P ∗ R Q ∗ R C ◮ Ensure memory safety & race-freedom Viktor Vafeiadis Program logics for relaxed consistency 21/29

Separation logic rules for non-atomic accesses ◮ Allocation gives you permission to access x . � emp � x = alloc(); � � ∃ v . x �→ v ◮ To access a normal location, you must own it: � � t = ∗ x ; � x �→ v ∧ t = v � x �→ v ∗ x = v ′ ; � � � x �→ v ′ � x �→ v Viktor Vafeiadis Program logics for relaxed consistency 22/29

� � � � Release-acquire synchronization: message passing Initially a = x = 0. a = 5; while ( x . load( acq ) == 0); x . store( release , 1); print( a ); This will always print 5. Justification: W na ( a , 5) R acq ( x , 1) Release-acquire synchronization W rel ( x , 1) R na ( x , 5) Viktor Vafeiadis Program logics for relaxed consistency 23/29

Rules for release/acquire accesses Relaxed separation logic [OOPSLA’13] Ownership transfer by rel-acq synchronizations. ◮ Atomic allocation ❀ pick loc. invariant Q . � Q ( v ) � x = alloc( v ); � W Q ( x ) ∗ R Q ( x ) � ◮ Release write ❀ give away permissions. � W Q ( x ) ∗ Q ( v ) � x . store( v , rel ); � W Q ( x ) � ◮ Acquire read ❀ gain permissions. � R Q ( x ) � t = x . load( acq ); � Q ( t ) ∗ R Q [ t :=emp] ( x ) � Viktor Vafeiadis Program logics for relaxed consistency 24/29