Relaxed Separation Logic Tutorial @ POPL14 Viktor Vafeiadis - PowerPoint PPT Presentation

Relaxed Separation Logic Tutorial @ POPL’14 Viktor Vafeiadis MPI-SWS 20 January 2014

Tutorial outline Part I. Weak memory models 1. Introduction to relaxed concurrency 2. The C11 relaxed memory model Part II. Relaxed program logics 3. Concurrent separation logic 4. Relaxed separation logic 5. RSL extensions (ongoing) http://www.mpi-sws.org/~viktor/rsl/ Viktor Vafeiadis Relaxed Separation Logic 2/28

Sequential consistency Sequential consistency (SC): ◮ Interleave each thread’s atomic accesses. ◮ The standard model for concurrency. ◮ Almost all verification work assumes it. ◮ Fairly intuitive. Initially, x = y = 0. x := 1 ; y := 1 ; print ( y ); print ( x ); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Relaxed Separation Logic 3/28

Sequential consistency Sequential consistency (SC): ◮ Interleave each thread’s atomic accesses. ◮ The standard model for concurrency. ◮ Almost all verification work assumes it. But SC is invalidated by: ◮ Fairly intuitive. ◮ Hardware implementations Initially, x = y = 0. ◮ Compiler optimisations x := 1 ; y := 1 ; print ( y ); print ( x ); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Relaxed Separation Logic 3/28

Store buffering in x86-TSO . . . cpu 1 cpu n write . . . read write-back Memory Initially, x = y = 0. x := 1 ; y := 1 ; print ( y ); print ( x ); This program can also print 00. Viktor Vafeiadis Relaxed Separation Logic 4/28

IRIW: Not just reordering Initially, x = y = 0. print ( x ); print ( y ); x := 1 y := 1 print ( y ); print ( x ); Both threads can print 10. y:=1 x:=1 print(x) print(y) print(y) print(x) Viktor Vafeiadis Relaxed Separation Logic 5/28

Basic compiler optimisations break SC Initially, x = y = 0. print ( x ); x := 1 ; print ( y ); y := 1 ; print ( x ); The program can print 010. Justification: The compiler may perform CSE: Load x into a temporary t and print t , y , and t . Viktor Vafeiadis Relaxed Separation Logic 6/28

When should we care about relaxed memory? All sane memory models satisfy the DRF property: Theorem (DRF-property) If � Prg � SC contains no data races, then � Prg � Relaxed = � Prg � SC . ◮ Program logics that disallow data races are trivially sound. ◮ What about racy programs? Viktor Vafeiadis Relaxed Separation Logic 7/28

The C11 memory model Two types of locations: ordinary and atomic ◮ Races on ordinary accesses ❀ error A spectrum of atomic accesses: ◮ Relaxed ❀ no fence ◮ Consume reads ❀ no fence, but preserve deps ◮ Release writes ❀ no fence (x86); lwsync (PPC) ◮ Acquire reads ❀ no fence (x86); isync (PPC) ◮ Seq. consistent ❀ full memory fence Primitives for explicit fences Viktor Vafeiadis Relaxed Separation Logic 8/28

C11 executions ◮ Execution = set of events & a few relations: ◮ sb: sequenced before ◮ rf: reads-from map ◮ mo: memory order per location ◮ sc: seq.consistency order ◮ sw [derived]: synchronized with ◮ hb [derived]: happens before ◮ Axioms constraining the consistent executions. ◮ C ( | prog | ) = set of all consistent exec’s. ◮ if all C ( | prog | ) race-free on ordinary accesses, � prog � = C ( | prog | ) ; otherwise, � prog � = “error” Viktor Vafeiadis Relaxed Separation Logic 9/28

� � � �� � � � � Release-acquire synchronization: message passing in C11 atomic_int x = 0 ; int a = 0 ; � � a = 7 ; if ( x . load ( acq ) � = 0 ) x . store ( 1 , release ); print ( a ); W na ( x , 0 ) sb W na ( a , 0 ) sb sb � W na ( a , 7 ) R acq ( x , 1 ) rf , sw sb sb W rel ( x , 1 ) R na ( a , ? ) rf sb sb happens-before def = ( sequenced-before ∪ sync-with ) + sync-with ( a , b ) def = reads-from ( b ) = a ∧ release ( a ) ∧ acquire ( b ) Viktor Vafeiadis Relaxed Separation Logic 10/28

Rel-acq synchronization is weaker than SC Example (SB) Initially, x = y = 0. x . store ( 1 , release ); y . store ( 1 , release ); t ′ = x . load ( acquire ); t = y . load ( acquire ); This program may produce t = t ′ = 0. Example (IRIW) Initially, x = y = 0. x . store y . store a = x . load ( acq ); c = y . load ( acq ); ( 1 , rel ); ( 1 , rel ); b = y . load ( acq ); d = x . load ( acq ); May produce a = c = 1 ∧ b = d = 0. Viktor Vafeiadis Relaxed Separation Logic 11/28

Coherence Example (Read-Read Coherence) Initially, x = 0. x . store x . store a = x . load ( acq ); c = x . load ( acq ); ( 1 , rel ); ( 2 , rel ); b = x . load ( acq ); d = x . load ( acq ); Cannot get a = d = 1 ∧ b = c = 2. ◮ Plus similar WR, RW, WW coherence properties. ◮ Ensure SC behaviour for a single variable. ◮ Also guaranteed for relaxed atomics (the weakest kind of atomics in C11). Viktor Vafeiadis Relaxed Separation Logic 12/28

Part II Relaxed Program Logics ◮ Concurrent separation logic ◮ Relaxed separation logic ◮ RSL extensions (ongoing)

Separation logic Key concept of ownership : ◮ Resourceful reading of Hoare triples. { P } C { Q } ◮ To access a normal location, you must own it: { x �→ v } ∗ x { t . t = v ∧ x �→ v } { x �→ v } ∗ x = v ′ ; { x �→ v ′ } ◮ Disjoint parallelism: { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } { P 1 ∗ P 2 } C 1 � C 2 { Q 1 ∗ Q 2 } Viktor Vafeiadis Relaxed Separation Logic 14/28

Relaxed separation logic (simplified) Joint work with Chinmay Narayan, published at OOPSLA’13 Ownership transfer by rel-acq synchronizations. ◮ Atomic allocation ❀ pick loc. invariant Q . {Q ( v ) } x = alloc ( v ); { W Q ( x ) ∗ R Q ( x ) } ◮ Release write ❀ give away permissions. {Q ( v ) ∗ W Q ( x ) } x . store ( v , rel ); { true } ◮ Acquire read ❀ gain permissions. { R Q ( x ) } t = x . load ( acq ); {Q ( t ) } Viktor Vafeiadis Relaxed Separation Logic 15/28

Message passing in RSL Let Q ( v ) def = v = 0 ∨ & a �→ 7. { true } atomic_int x = 0 ; int a = 0 ; { & a �→ 0 ∗ W Q ( x ) ∗ R Q ( x ) }   { & a �→ 0 ∗ W Q ( x ) } t = x . load ( acq );   a = 7 ; { t = 0 ∨ & a �→ 7 ) }       { & a �→ 7 ∗ W Q ( x ) } if ( t � = 0 ) { & a �→ 7 }       x . store ( 1 , release ); print ( a );       { true } { true } { true } Viktor Vafeiadis Relaxed Separation Logic 16/28

Multiple readers/writers Write permissions can be duplicated: W Q ( ℓ ) ⇐ ⇒ W Q ( ℓ ) ∗ W Q ( ℓ ) Read permissions cannot, but may be split: R Q 1 ∗Q 2 ( ℓ ) ⇐ ⇒ R Q 1 ( ℓ ) ∗ R Q 2 ( ℓ ) t ′ = x . load ( acq ); a = 7 ; t = x . load ( acq ); if ( t ′ � = 0 ) b = 8 ; if ( t � = 0 ) x . store ( 1 , rel ); print ( a ); print ( b ); Viktor Vafeiadis Relaxed Separation Logic 17/28

Relaxed accesses Basically, disallow ownership transfer. ◮ Relaxed reads: { R Q ( x ) } x . load ( rlx ) { y . Q ( y ) �≡ false } ◮ Relaxed writes: Q ( v ) = emp { W Q ( x ) } x . store ( v , rlx ) { true } Viktor Vafeiadis Relaxed Separation Logic 18/28

Relaxed accesses Basically, disallow ownership transfer. ◮ Relaxed reads: { R Q ( x ) } x . load ( rlx ) { y . Q ( y ) �≡ false } ◮ Relaxed writes: Q ( v ) = emp { W Q ( x ) } x . store ( v , rlx ) { true } Unfortunately not sound because of a bug in the C11 memory model. Viktor Vafeiadis Relaxed Separation Logic 18/28

� � � � Dependency cycles in C11 Initially x = y = 0. if ( x . load ( rlx ) == 1 ) if ( y . load ( rlx ) == 1 ) y . store ( 1 , rlx ); x . store ( 1 , rlx ); The formal C11 model allows x = y = 1. Justification: R rlx ( x , 1 ) R rlx ( y , 1 ) Relaxed accesses don’t synchronize W rlx ( y , 1 ) W rlx ( x , 1 ) Viktor Vafeiadis Relaxed Separation Logic 19/28

Dependency cycles in C11 Initially x = y = 0. if ( x . load ( rlx ) == 1 ) if ( y . load ( rlx ) == 1 ) y . store ( 1 , rlx ); x . store ( 1 , rlx ); The formal C11 model allows x = y = 1. What goes wrong: Non-relational invariants are unsound. x = 0 ∧ y = 0 The DRF-property does not hold. Viktor Vafeiadis Relaxed Separation Logic 19/28

Dependency cycles in C11 Initially x = y = 0. if ( x . load ( rlx ) == 1 ) if ( y . load ( rlx ) == 1 ) y . store ( 1 , rlx ); x . store ( 1 , rlx ); The formal C11 model allows x = y = 1. How to fix this: Don’t use relaxed writes ∨ Require acyclic ( sb ∪ rf ) . (Disallow RW reodering.) Viktor Vafeiadis Relaxed Separation Logic 19/28

Compare and swap (CAS) ◮ New assertion form, P := . . . | R U Q ( x ) . ◮ Duplicable, R U ⇒ R U Q ( x ) ∗ R U Q ( x ) ⇐ Q ( x ) . X ∈ { rel , rlx } ⇒ Q ( v ) ≡ emp X ∈ { acq , rlx } ⇒ Q ( v ′ ) ≡ emp P ∗ Q ( v ) ⇒ Q ( v ′ ) ∗ R [ v / z ] { P } x . load ( Y ) { z . z � = v ⇒ R } { R U Q ( x ) ∗ W Q ( x ) ∗ P } x . CAS ( v , v ′ , X , Y ) { z . R } Viktor Vafeiadis Relaxed Separation Logic 20/28

Mutual exclusion locks Q J ( v ) def Let = ( v = 0 ∧ emp ) ∨ ( v = 1 ∧ J ) Lock ( x , J ) def = W Q J ( x ) ∗ R U Q J ( x ) lock ( x ) def = new-lock () def = { Lock ( x , J ) } { J } repeat res = alloc ( 1 ) { Lock ( x , J ) } { Lock ( res , J ) } y = x . CAS ( 1 , 0 , acq , rlx ) unlock ( x ) def =      y = 0 ∧ emp    Lock ( x , J ) ∗ { J ∗ Lock ( x , J ) }  ∨ y = 1 ∧ J  x . store ( 1 , rel ) until y � = 0 { Lock ( x , J ) } { J ∗ Lock ( x , J ) } Viktor Vafeiadis Relaxed Separation Logic 21/28