Robustness against Relaxed Memory Models Memory Models Roland - - PowerPoint PPT Presentation

Robustness against Relaxed Memory Models

Memory Models Roland Meyer

Technische Universit¨ at Kaiserslautern

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 1 / 27

Concurrent Programs with Shared Memory

Finite number of shared variables {x, y, x1, . . .} Finite data domain {d, d0, d1, . . .} Finite number of finite-control threads T1, . . . , Tn with operations: w(x, d), r(x, d)

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Dekker’s mutual exclusion protocol.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 2 / 27

Sequential Consistency (SC) Semantics [Lamport 1979]

Threads directly write to and read from memory Classical interleaving semantics

◮ Computations of different threads are shuffled ◮ Program order is preserved for each thread

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = a Thread 2 pc = p Mem

x y

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 3 / 27

Sequential Consistency (SC) Semantics [Lamport 1979]

Threads directly write to and read from memory Classical interleaving semantics

◮ Computations of different threads are shuffled ◮ Program order is preserved for each thread

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = b Thread 2 pc = p Mem

x 1 y

w(x, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 3 / 27

Sequential Consistency (SC) Semantics [Lamport 1979]

Threads directly write to and read from memory Classical interleaving semantics

◮ Computations of different threads are shuffled ◮ Program order is preserved for each thread

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = p Mem

x 1 y

w(x, 1) · r(y, 0)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 3 / 27

Sequential Consistency (SC) Semantics [Lamport 1979]

Threads directly write to and read from memory Classical interleaving semantics

◮ Computations of different threads are shuffled ◮ Program order is preserved for each thread

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = q Mem

x 1 y 1

w(x, 1) · r(y, 0) · w(y, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 3 / 27

Sequential Consistency (SC) Semantics [Lamport 1979]

Threads directly write to and read from memory Classical interleaving semantics

◮ Computations of different threads are shuffled ◮ Program order is preserved for each thread

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = q Mem

x 1 y 1

Mutual exclusion holds!

w(x, 1) · r(y, 0) · w(y, 1) ·

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 3 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

Sequential Consistency forbids compiler and hardware optimizations Hence is not implemented by any processor Processors have various buffers to reduce latency of memory accesses Behavior captured by relaxed memory models Here: Total Store Ordering (TSO) memory model

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 4 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = a Thread 2 pc = p Mem

x y

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = b Thread 2 pc = p w(x, 1) Mem

x y

isu

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = p w(x, 1) Mem

x y

isu · r(y, 0)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = q w(x, 1) w(y, 1) Mem

x y

isu · r(y, 0) · isu

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = q w(x, 1) Mem

x y 1

isu · r(y, 0) · isu · w(y, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = r w(x, 1) Mem

x y 1

isu · r(y, 0) · isu · w(y, 1) · r(x, 0)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = r Mem

x 1 y 1

isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = r Mem

x y 1

Mutual exclusion fails!!!

isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Total Store Ordering (TSO) Semantics [SPARC 1994, x86]

TSO architectures have write buffers (FIFO) Read takes value from memory if no write to that variable is buffered Otherwise read value of last write to that variable in the buffer

x = y = 0

Thread 1

a : x = 1 b : if (y == 0){ c :

• crit. sect. 1

d : }

Thread 2

p : y = 1 q : if (x == 0){ r :

• crit. sect. 2

s : }

Thread 1 pc = c Thread 2 pc = r Mem

x y 1

isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 5 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

So, go and write data-race-free programs!

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

So, go and write data-race-free programs!

Works in 90% of the cases

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

So, go and write data-race-free programs!

Works in 90% of the cases

Performance-critical code does have data races

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

So, go and write data-race-free programs!

Works in 90% of the cases

Performance-critical code does have data races

Concurrency libraries Operating systems HPC@Fraunhofer ITWM

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Verification Required?!

Relaxed executions may lead to bad behavior

If this is the real world, why does anything work?

Theorem [Adve, Hill 1993]: If a program is data-race-free, then SC and TSO semantics coincide.

So, go and write data-race-free programs!

Works in 90% of the cases

Performance-critical code does have data races

Concurrency libraries Operating systems HPC@Fraunhofer ITWM

This is where our verification techniques apply

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 6 / 27

Robustness

Idea: SC semantics is specification

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces) Every relaxed behavior that deviates from SC is a programming error

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces) Every relaxed behavior that deviates from SC is a programming error Robustness Problem against relaxed memory model RMM

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces) Every relaxed behavior that deviates from SC is a programming error Robustness Problem against relaxed memory model RMM Input: Program P.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces) Every relaxed behavior that deviates from SC is a programming error Robustness Problem against relaxed memory model RMM Input: Program P. Problem: Does TracesRMM(P) ⊆ TracesSC(P) hold?

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Robustness

Idea: SC semantics is specification Relaxed behavior may contain bugs because programmers only had SC in mind Every relaxed behavior has an SC equivalent (up to traces) Every relaxed behavior that deviates from SC is a programming error Robustness Problem against relaxed memory model RMM Input: Program P. Problem: Does TracesRMM(P) ⊆ TracesSC(P) hold? Decidability / Complexity ?

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 7 / 27

Outline

1

Shared Memory Concurrency Sequential Consistency Semantics Total Store Ordering Semantics

2

Robustness: General Solution Combinatorics Algorithmics

3

Robustness: Efficient Solution Combinatorics

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 8 / 27

Robustness: General Solution

[Calin, Derevenetc, Majumdar, M., FSTTCS’13] [Derevenetc, M., ICALP’14]

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 9 / 27

Robustness: General Solution

[Calin, Derevenetc, Majumdar, M., FSTTCS’13] [Derevenetc, M., ICALP’14]

Decision procedure for robustness that

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 9 / 27

Robustness: General Solution

[Calin, Derevenetc, Majumdar, M., FSTTCS’13] [Derevenetc, M., ICALP’14]

Decision procedure for robustness that applies to most memory models (checked TSO, PSO, PGAS, Power)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 9 / 27

Robustness: General Solution

[Calin, Derevenetc, Majumdar, M., FSTTCS’13] [Derevenetc, M., ICALP’14]

Decision procedure for robustness that applies to most memory models (checked TSO, PSO, PGAS, Power) gives precise complexity

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 9 / 27

Robustness: General Solution

[Calin, Derevenetc, Majumdar, M., FSTTCS’13] [Derevenetc, M., ICALP’14]

Decision procedure for robustness that applies to most memory models (checked TSO, PSO, PGAS, Power) gives precise complexity ... but relies on a new automaton model and lots of guessing

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 9 / 27

Robustness: General Solution

RMM-computations Robust Computations Minimal Violations = ∅ ?

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 10 / 27

Robustness: General Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be in normal form

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 10 / 27

Robustness: General Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be in normal form Algorithmics: Check whether normal form violations exist

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 10 / 27

Robustness: General Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be in normal form Algorithmics: Check whether normal form violations exist Together: Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 10 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics:

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics:

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations. Decide Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 11 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations. Decide Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 12 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Happens-before relation of computation τ = isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1) : Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Happens-before relation of computation τ = isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1) : Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po Program order

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Happens-before relation of computation τ = isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1) : Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st Program order, store order

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Happens-before relation of computation τ = isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1) : Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src Program order, store order, source relation

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Lemma (Shasha and Snir, 1988) A computation violates SC iff it has a cyclic happens-before relation. Happens-before relation of computation τ = isu · r(y, 0) · isu · w(y, 1) · r(x, 0) · w(x, 1) : Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf Program order, store order, source relation, conflict relation

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 13 / 27

Combinatorics: Normal Form Violations

Normal Form:

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 14 / 27

Combinatorics: Normal Form Violations

Normal Form: Computation has two parts τ = τ1 · τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 14 / 27

Combinatorics: Normal Form Violations

Normal Form: Computation has two parts τ = τ1 · τ2 Delays in τ2 respect ordering in τ1

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 14 / 27

Combinatorics: Normal Form Violations

Normal Form: Computation has two parts τ = τ1 · τ2 Delays in τ2 respect ordering in τ1 In normal form . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 14 / 27

Combinatorics: Normal Form Violations

Normal Form: Computation has two parts τ = τ1 · τ2 Delays in τ2 respect ordering in τ1 In normal form . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Not in normal form . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(y, 1) . . . w(x, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 14 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 .

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter, hence not violating.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter, hence not violating. There is an SC computation σ with same happens-before relation.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter, hence not violating. There is an SC computation σ with same happens-before relation. Now (σ ↓ τ1) · a · (σ ↓ τ2)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter, hence not violating. There is an SC computation σ with same happens-before relation. Now (σ ↓ τ1) · a · (σ ↓ τ2) is in normal form

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Combinatorics: Normal Form Violations

Theorem (Normal form): If a program is not robust, it has a violation in normal form. Proof: Take a shortest computation τ with cyclic happens-before relation. There is (may be non-trivial, depending on RMM) an event that can be cancelled: τ = τ1 · a · τ2 . Computation τ1 · τ2 is shorter, hence not violating. There is an SC computation σ with same happens-before relation. Now (σ ↓ τ1) · a · (σ ↓ τ2) is in normal form and violating.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 15 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations. Decide Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 16 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf ,

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc),

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc), has decidable emptiness problem (Lnf ∩ Rcyc

?

= ∅).

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc), has decidable emptiness problem (Lnf ∩ Rcyc

?

= ∅). Properties of Lnf

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc), has decidable emptiness problem (Lnf ∩ Rcyc

?

= ∅). Properties of Lnf Number of concurrently executed instructions is unbounded

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc), has decidable emptiness problem (Lnf ∩ Rcyc

?

= ∅). Properties of Lnf Number of concurrently executed instructions is unbounded May include computations like isun · w(x, 1)n

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Challenge Describe language Lnf of all normal-form computations Need a language class that includes Lnf , is closed under regular intersection (Lnf ∩ Rcyc), has decidable emptiness problem (Lnf ∩ Rcyc

?

= ∅). Properties of Lnf Number of concurrently executed instructions is unbounded May include computations like isun · w(x, 1)n ⇒ not regular

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 17 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . isu . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example:

↑ . . . isu . . . isu . . .

⏟ ⏞

τ1 ↑ . . . w(x, 1) . . . w(y, 1) . . .

⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . ↑isu . . . isu . . . ⏟ ⏞

τ1 ↑ . . . w(x, 1) . . . w(y, 1) . . .

⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . ↑isu . . . isu . . . ⏟ ⏞

τ1

. . . ↑w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . ↑isu . . . isu . . . ⏟ ⏞

τ1

. . . ↑w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Transitions: q1

1,isu

− − − → q2

2,w(x,1)

− − − − − → q3

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . isu↑ . . . isu . . . ⏟ ⏞

τ1

. . . ↑w(x, 1) . . . w(y, 1) . . . ⏟ ⏞

τ2

Transitions: q1

1,isu

− − − → q2

2,w(x,1)

− − − − − → q3

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Algorithmics: Generating Normal-Form Computations

Solution Define Lnf as language of a multiheaded automaton Multiheaded automata Extension of NFA Generates parts τ1 and τ2 of a computation τ1 · τ2 simultaneously Transitions q

1,a

− − → q′ and q

2,b

− − → q′ labeled by head i = 1, 2 Example: . . . isu↑ . . . isu . . . ⏟ ⏞

τ1

. . . w(x, 1)↑ . . . w(y, 1) . . . ⏟ ⏞

τ2

Transitions: q1

1,isu

− − − → q2

2,w(x,1)

− − − − − → q3

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 18 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations. Decide Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 19 / 27

Algorithmics: Checking Cyclicity

Happens-before relation from the example: Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 20 / 27

Algorithmics: Checking Cyclicity

Happens-before relation from the example: Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf Checking cyclicity

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 20 / 27

Algorithmics: Checking Cyclicity

Happens-before relation from the example: Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf Checking cyclicity Finitely many types of cycles

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 20 / 27

Algorithmics: Checking Cyclicity

Happens-before relation from the example: Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf Checking cyclicity Finitely many types of cycles Guess per thread two instructions in program order

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 20 / 27

Algorithmics: Checking Cyclicity

Happens-before relation from the example: Thread 1 Thread 2 initx a: w(x, 1) d : r(x, 0) inity b: r(y, 0) c : w(y, 1) po po st st src src cf cf Checking cyclicity Finitely many types of cycles Guess per thread two instructions in program order Finite automata check edges between guessed instructions from different threads

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 20 / 27

Robustness: General Solution

Reduce robustness to an emptiness check Lnf ∩ Rcyc

?

= ∅. Combinatorics: Violations to SC (if any) have a representative in normal form. Algorithmics: Language Lnf consists of all normal-form computations. ∩ Rcyc filters only violating computations. Decide Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 21 / 27

Algorithmics: Emptiness

Theorem: Assuming finite memory, robustness is PSpace-complete.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 22 / 27

Algorithmics: Emptiness

Theorem: Assuming finite memory, robustness is PSpace-complete. Proof:

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 22 / 27

Algorithmics: Emptiness

Theorem: Assuming finite memory, robustness is PSpace-complete. Proof: Upper bound: Lnf ∩ Rcyc

?

= ∅.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 22 / 27

Algorithmics: Emptiness

Theorem: Assuming finite memory, robustness is PSpace-complete. Proof: Upper bound: Lnf ∩ Rcyc

?

= ∅. Lower bound: SC state reachability [Kozen 1977].

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 22 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Decision procedure for robustness that

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Decision procedure for robustness that uses standard SC reachability in ordinary parallel programs

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Decision procedure for robustness that uses standard SC reachability in ordinary parallel programs (rather than emptiness in multiheaded automata)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Decision procedure for robustness that uses standard SC reachability in ordinary parallel programs (rather than emptiness in multiheaded automata) avoids non-determinism for finding cycles (regular intersection)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

[Bouajjani, M., M¨

• hlmann, ICALP’11]

[Bouajjani, Derevenetc, M., ESOP’13]

Decision procedure for robustness that uses standard SC reachability in ordinary parallel programs (rather than emptiness in multiheaded automata) avoids non-determinism for finding cycles (regular intersection) ... but is hard to apply (so far only works for TSO)

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 23 / 27

Robustness: Efficient Solution

RMM-computations Robust Computations Minimal Violations = ∅ ?

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 24 / 27

Robustness: Efficient Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be local

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 24 / 27

Robustness: Efficient Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be local — one thread delays

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 24 / 27

Robustness: Efficient Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be local — one thread delays Algorithmics: Check whether local violations exist

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 24 / 27

Robustness: Efficient Solution

RMM-computations Robust Computations Minimal Violations = ∅ ? Combinatorics: Violations can be assumed to be local — one thread delays Algorithmics: Check whether local violations exist Together: Reduce robustness to SC reachability in an instrumented program

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 24 / 27

Combinatorics: Locality Theorem

Theorem (Locality): If a program is not robust against TSO, then there is a violating computation where only one thread delays writes.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 25 / 27

Combinatorics: Locality Theorem

Theorem (Locality): If a program is not robust against TSO, then there is a violating computation where only one thread delays writes. Combinatorial set-up: Consider a violating computation, where

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 25 / 27

Combinatorics: Locality Theorem

Theorem (Locality): If a program is not robust against TSO, then there is a violating computation where only one thread delays writes. Combinatorial set-up: Consider a violating computation, where number of delays is minimal.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 25 / 27

Combinatorics: Locality Theorem

Theorem (Locality): If a program is not robust against TSO, then there is a violating computation where only one thread delays writes. Combinatorial set-up: Consider a violating computation, where number of delays is minimal. Lemma: In a minimal violation τ1 · a · τ2 · b · τ3 with thread(a) = thread(b), there is a happens-before path between a and b through τ2.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 25 / 27

Combinatorics: Locality Theorem

Proof (Locality Theorem): Three cases: . . . isu . . . w(y, 1) . . . . . . isu . . . w(x, 1) . . . . . . isu . . . isu . . . . . . w(y, 1) . . . w(y, 1) . . . . . . isu . . . isu . . . . . . w(x, 1) . . . w(y, 1) . . . Non-trivial

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 26 / 27

Conclusion

Robustness Compares relaxed behaviors against SC

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Abstraction-based techniques [Kuperstein, Vechev, Yahav, PLDI’11]

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Abstraction-based techniques [Kuperstein, Vechev, Yahav, PLDI’11] Symbolic techniques [Abdulla et al., TACAS’12][Linden, Wolper, SPIN’10’11]

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Abstraction-based techniques [Kuperstein, Vechev, Yahav, PLDI’11] Symbolic techniques [Abdulla et al., TACAS’12][Linden, Wolper, SPIN’10’11] Pros: Robustness does not need a spec.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Abstraction-based techniques [Kuperstein, Vechev, Yahav, PLDI’11] Symbolic techniques [Abdulla et al., TACAS’12][Linden, Wolper, SPIN’10’11] Pros: Robustness does not need a spec. Reachability checks what is needed.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27

Conclusion

Robustness Compares relaxed behaviors against SC Problem is PSPACE-complete for many models Upper bound uses unified approach based on normal forms and multiheaded automata Efficient implementations rely on locality Alternative: Reachability Decidable for TSO (and beyond), but non-primitive recursive [Atig et

• al. POPL’10, ESOP’12]

Abstraction-based techniques [Kuperstein, Vechev, Yahav, PLDI’11] Symbolic techniques [Abdulla et al., TACAS’12][Linden, Wolper, SPIN’10’11] Pros: Robustness does not need a spec. Reachability checks what is

• needed. Robustness is cheaper.

Roland Meyer (TU KL) Robustness against Relaxed Memory Models MM February 2015 27 / 27