Synthesizing Memory Models from Framework Sketches and Litmus Tests - - PowerPoint PPT Presentation

Synthesizing Memory Models

from Framework Sketches


and Litmus Tests

James Bornholt
 Emina Torlak

University of Washington

Memory consistency models define memory reordering behaviors on mul>processors

Memory consistency models define memory reordering behaviors on mul>processors

…correctness of my compiler…

Compiler writers 

Memory consistency models define memory reordering behaviors on mul>processors

…correctness of my compiler…

Compiler writers 

…rules to verify against…

Verifica@on tools 🤗

Memory consistency models define memory reordering behaviors on mul>processors

…correctness of my compiler…

Compiler writers 

…rules to verify against…

Verifica@on tools 🤗

…possible low- level behaviors…

Kernel/library developers

Memory consistency models define memory reordering behaviors on mul>processors

Litmus tests
 and prose …correctness of my compiler…

Compiler writers 

…rules to verify against…

Verifica@on tools 🤗

…possible low- level behaviors…

Kernel/library developers

Memory consistency models define memory reordering behaviors on mul>processors

Litmus tests
 and prose

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

Formal
 specifica@ons …correctness of my compiler…

Compiler writers 

…rules to verify against…

Verifica@on tools 🤗

…possible low- level behaviors…

Kernel/library developers

Memory consistency models define memory reordering behaviors on mul>processors

Litmus tests
 and prose

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

Formal
 specifica@ons …correctness of my compiler…

Compiler writers 

…rules to verify against…

Verifica@on tools 🤗

…possible low- level behaviors…

Kernel/library developers

x86 [Sewell et al, CACM’10] PowerPC [Alglave et al, CAV’10, etc] ARM [Flur et al, POPL’16]

Litmus tests Formal
 specifica@ons

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Litmus tests Formal
 specifica@ons

Synthesize specifica>ons ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Litmus tests Formal
 specifica@ons

Synthesize specifica>ons

Framework sketch

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Litmus tests Formal
 specifica@ons

Synthesize specifica>ons Detect ambigui>es

Framework sketch

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Litmus tests
 Formal
 specifica@ons Framework sketch

Synthesize specifica>ons Detect ambigui>es ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

MemSynth

Synthesize specifica>ons Detect ambigui>es ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Framework sketches

define a class of memory models Synthesize specifica>ons Detect ambigui>es ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Framework sketches

define a class of memory models

MemSynth engine

verifica@on, equivalence, synthesis, ambiguity Synthesize specifica>ons Detect ambigui>es ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Framework sketches

define a class of memory models

MemSynth engine

verifica@on, equivalence, synthesis, ambiguity

Results

synthesize real-world memory model specs Synthesize specifica>ons Detect ambigui>es ∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

Memory models and framework sketches

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Sequen>al consistency: no

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Sequen>al consistency: no x86: yes!

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Sequen>al consistency: no x86: yes!

A memory model M is a set of constraints that define the possible execu@ons (outcomes) of a program.

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Sequen>al consistency: no x86: yes!

A memory model M is a set of constraints that define the possible execu@ons (outcomes) of a program. Memory model M allows litmus test T if there exists an execu@on that sa@sfies M’s constraints.

Litmus tests illustrate memory model behavior

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Sequen>al consistency: no x86: yes!

A memory model M is a set of constraints that define the possible execu@ons (outcomes) of a program. Me

Memory model M allows test T: ∃ E. M(T,E)

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

Memory model M allows test T: ∃ E. M(T,E)

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

Memory model M allows test T: ∃ E. M(T,E) Binary rela@ons over program instruc@ons

happens-before order

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

Memory model M allows test T: ∃ E. M(T,E) Binary rela@ons over program instruc@ons

happens-before order is acyclic

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

Memory model M allows test T: ∃ E. M(T,E) Binary rela@ons over program instruc@ons

happens-before order is acyclic

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

From program syntax Memory model M allows test T: ∃ E. M(T,E) Binary rela@ons over program instruc@ons

happens-before order is acyclic

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

From program syntax Memory model M allows test T: ∃ E. M(T,E)

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Binary rela@ons over program instruc@ons

happens-before order is acyclic

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

po = {( , ), ( , )}

3 4 2 1

Program order:

From program syntax Memory model M allows test T: ∃ E. M(T,E)

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Binary rela@ons over program instruc@ons

happens-before order is acyclic

Memory models, formally

Common formaliza@ons based on rela>onal logic Example for sequen>al consistency:

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

po = {( , ), ( , )}

3 4 2 1

Program order:

From program syntax Part of execu@on; implicitly existen@ally quan@fied Memory model M allows test T: ∃ E. M(T,E)

Thread 1 Thread 2

X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Binary rela@ons over program instruc@ons

no ^(ws + fr + po + rf + fences) & iden

Framework sketches

A framework sketch defines the search space for synthesizing a memory model M by including holes in constraints

no ^(ws + fr + po + rf + fences) & iden

Framework sketches

A framework sketch defines the search space for synthesizing a memory model M by including holes in constraints

Expression holes for a synthesizer to complete

?? ?? ??

no ^(ws + fr + po + rf + fences) & iden

Framework sketches

A framework sketch defines the search space for synthesizing a memory model M by including holes in constraints

Expression holes for a synthesizer to complete

Framework sketches are the key design tool for synthesizing memory model specifica@ons — they define the “interes@ng” candidate models ?? ?? ??

Memory model frameworks

no ^(ws + fr + po + rf + fences) & iden

[Alglave et al, CAV’10]

?? ?? ??

Memory model frameworks

no ^(ws + fr + ppo + grf + fences) & iden

[Alglave et al, CAV’10]

Preserved program

• rder (same-thread

reorderings) Global reads from (inter- thread order) Fence cumula>vity (for Power, ARM, etc)

Memory model frameworks

no ^(ws + fr + ppo + grf + fences) & iden

[Alglave et al, CAV’10]

Sequen>al consistency

Preserved program

• rder (same-thread

reorderings) Global reads from (inter- thread order) Fence cumula>vity (for Power, ARM, etc)

po rf

∅

Memory model frameworks

no ^(ws + fr + ppo + grf + fences) & iden

[Alglave et al, CAV’10]

Sequen>al consistency

Preserved program

• rder (same-thread

reorderings) Global reads from (inter- thread order) Fence cumula>vity (for Power, ARM, etc)

po rf

∅ Total store

• rder (x86)

po - (Wr→Rd) rf & SameThd

∅

Memory model frameworks are common

Global @me rela@onal model

[Alglave et al, CAV’10]

Axioma@c “must- not-reorder” func@ons

[Mador-Haim et al, DAC’11]

Exexcutable distributed consistency models

[Yang et al, IPDPS’04]

…

Ocelot: rela>onal logic with holes

A rela>onal logic DSL with synthesis support no ^(ws + fr + ppo + grf + fences) & iden ?? ?? ??

Expression holes for a synthesizer to complete

Built on the Roseoe solver-aided language [Torlak & Bodik, PLDI’14] Available as a Racket package: raco pkg install ocelot

Ocelot: rela>onal logic with holes

A rela>onal logic DSL with synthesis support no ^(ws + fr + ppo + grf + fences) & iden ?? ?? ??

Expression holes for a synthesizer to complete Comple@ons are expressions in rela@onal logic with chosen

• perators, terminals, and depth.

Built on the Roseoe solver-aided language [Torlak & Bodik, PLDI’14] Available as a Racket package: raco pkg install ocelot

Ocelot: rela>onal logic with holes

A rela>onal logic DSL with synthesis support no ^(ws + fr + ppo + grf + fences) & iden ?? ?? ??

Expression holes for a synthesizer to complete Comple@ons are expressions in rela@onal logic with chosen

• perators, terminals, and depth.

Built on the Roseoe solver-aided language [Torlak & Bodik, PLDI’14]

• perators = {+, &}

terminals = {po, ws} depth = 1

Available as a Racket package: raco pkg install ocelot

Ocelot: rela>onal logic with holes

A rela>onal logic DSL with synthesis support no ^(ws + fr + ppo + grf + fences) & iden ?? ?? ??

Expression holes for a synthesizer to complete Comple@ons are expressions in rela@onal logic with chosen

• perators, terminals, and depth.

Built on the Roseoe solver-aided language [Torlak & Bodik, PLDI’14]

• perators = {+, &}

terminals = {po, ws} depth = 1

po ws po + ws po & ws

Available as a Racket package: raco pkg install ocelot

Queries

• Verifica@on
• Equivalence
• Synthesis
• Ambiguity

Verifica>on and equivalence

Memory model M allows test T: ∃ E. M(T,E)

Common queries for automated memory model reasoning tools

Herd [Alglave et al, CAV’10]; MemAlloy [Wickerson et al, POPL’17]; etc.

Verifica>on and equivalence

Memory model M allows test T: ∃ E. M(T,E)

Common queries for automated memory model reasoning tools

Herd [Alglave et al, CAV’10]; MemAlloy [Wickerson et al, POPL’17]; etc.

Litmus test Memory model VERIFY SAT

• r

UNSAT

Verifica>on and equivalence

Memory model M allows test T: ∃ E. M(T,E)

Common queries for automated memory model reasoning tools

Herd [Alglave et al, CAV’10]; MemAlloy [Wickerson et al, POPL’17]; etc.

Litmus test Memory model VERIFY SAT

• r

UNSAT

Reduces to SAT (since litmus tests are loop-free)

Verifica>on and equivalence

Memory model M allows test T: ∃ E. M(T,E)

Common queries for automated memory model reasoning tools

Herd [Alglave et al, CAV’10]; MemAlloy [Wickerson et al, POPL’17]; etc.

Litmus test Memory model VERIFY SAT

• r

UNSAT EQUIV Litmus test

• r

UNSAT Memory model MB Memory model MA

Reduces to SAT (since litmus tests are loop-free)

Verifica>on and equivalence

Memory model M allows test T: ∃ E. M(T,E)

Common queries for automated memory model reasoning tools

Herd [Alglave et al, CAV’10]; MemAlloy [Wickerson et al, POPL’17]; etc.

Litmus test Memory model VERIFY SAT

• r

UNSAT EQUIV Litmus test

• r

UNSAT Memory model MB Memory model MA

Reduces to SAT (since litmus tests are loop-free) UNSAT = bounded equivalence (“equivalent up to tests of size k”)

Synthesis

Find a memory model consistent with a set

• f litmus tests

Memory model SYNTH Framework sketch Allowed litmus tests Forbidden litmus tests

Synthesis

Find a memory model consistent with a set

• f litmus tests

SYNTH Framework sketch

Synthesis

Find a memory model consistent with a set

• f litmus tests

SYNTH Framework sketch

x86

Synthesis

Find a memory model consistent with a set

• f litmus tests

SYNTH Framework sketch

5 3

2 allowed tests

1 2 4 6 7 8 9 10

8 forbidden tests

x86

Synthesis

Find a memory model consistent with a set

• f litmus tests

SYNTH Framework sketch

5 3

2 allowed tests

1 2 4 6 7 8 9 10

8 forbidden tests

Total store order x86

Synthesis

Find a memory model consistent with a set

• f litmus tests

Memory model M allows test T: ∃ E. M(T,E)

Allowed litmus tests Forbidden litmus tests Framework sketch

M T+ T-

Memory model

Synthesis

Find a memory model consistent with a set

• f litmus tests

Memory model M allows test T: ∃ E. M(T,E)

Allowed litmus tests Forbidden litmus tests Framework sketch

M T+ T- ∃ E. M(T,E)

⋀ T∈T+

Memory model

Synthesis

Find a memory model consistent with a set

• f litmus tests

Memory model M allows test T: ∃ E. M(T,E)

Allowed litmus tests Forbidden litmus tests Framework sketch

M T+ T- ∃ E. M(T,E)

⋀ T∈T+

∀ E. ¬M(T,E)

⋀ T∈T-

Memory model

Synthesis

Find a memory model consistent with a set

• f litmus tests

Memory model M allows test T: ∃ E. M(T,E)

Allowed litmus tests Forbidden litmus tests Framework sketch

M T+ T- ∃ E. M(T,E)

⋀ T∈T+

∀ E. ¬M(T,E)

⋀ T∈T-

Memory model

Solved incrementally, like counterexample-guided induc@ve synthesis (CEGIS)

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG

Key idea: axer synthesis, is there a different memory model that explains the tests?

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG Allowed litmus tests Forbidden litmus tests

Key idea: axer synthesis, is there a different memory model that explains the tests?

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG Allowed litmus tests Forbidden litmus tests

Key idea: axer synthesis, is there a different memory model that explains the tests?

Memory model MA

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG Framework sketch Allowed litmus tests Forbidden litmus tests

Key idea: axer synthesis, is there a different memory model that explains the tests?

Memory model MA

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG Framework sketch Allowed litmus tests Forbidden litmus tests

Key idea: axer synthesis, is there a different memory model that explains the tests?

Memory model MA Litmus test Memory model MB

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG Framework sketch Allowed litmus tests Forbidden litmus tests

Key idea: axer synthesis, is there a different memory model that explains the tests?

Memory model MA Litmus test Memory model MB

The new memory model must be seman>cally different from the input: MA and MB must disagree about a new test T Similar to oracle-guided synthesis [Jha et al, ICSE’10]

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG

Total store order (x86)

✓

Thread 1 Thread 2 X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG

Total store order (x86)

✓

Is there another seman>cally different memory model that also allows this test? Thread 1 Thread 2 X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG

Total store order (x86) Par@al store order (SPARC)

✓

Is there another seman>cally different memory model that also allows this test? Thread 1 Thread 2 X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0?

Ambiguity

Find a dis@nguishing litmus test that exposes an ambiguity in a model

AMBIG

Total store order (x86) Par@al store order (SPARC) ✓ PSO ✗ TSO

✓

Is there another seman>cally different memory model that also allows this test? Thread 1 Thread 2 X = 1

1

r1 = Y

2

Y = 1

3

r2 = X

4

Can r1 = 0 ∧ r2 = 0? Thread 1 Thread 2 X = 1

1

Y = 1

2

r1 = Y

3

r2 = X

4

Can r1 = 1 ∧ r2 = 0?

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests

Documenta@on

🎳 🎳

Random/systema@c
 genera@on

 Architects

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests Memory model
 specifica>on SYNTH

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests Memory model
 specifica>on SYNTH AMBIG

6

The Synthesis-Ambiguity Cycle

5 3 1 2 4

Litmus tests Memory model
 specifica>on SYNTH AMBIG

Unique memory model (within framework sketch)

6

Results

Synthesizing exis>ng memory models

PowerPC x86

Synthesizing exis>ng memory models

PowerPC x86 768 tests

[Alglave et al, CAV’10]

10 tests

Synthesis

Synthesizing exis>ng memory models

PowerPC x86 768 tests

[Alglave et al, CAV’10]

10 tests ✓ 12 seconds ✓ 2 seconds

Search space: 21406 Search space: 2624

Synthesis

Synthesizing exis>ng memory models

PowerPC x86 768 tests

[Alglave et al, CAV’10]

10 tests ✓ 12 seconds ✓ 2 seconds

Not equivalent to published model! Search space: 21406 Search space: 2624

Synthesis

Synthesizing exis>ng memory models

PowerPC x86 768 tests

[Alglave et al, CAV’10]

10 tests ✓ 12 seconds ✓ 2 seconds

Not equivalent to TSO! Not equivalent to published model! Search space: 21406 Search space: 2624

Synthesis

Synthesizing exis>ng memory models

PowerPC x86 768 tests

[Alglave et al, CAV’10]

10 tests ✓ 12 seconds ✓ 2 seconds

Not equivalent to TSO!

9 new tests 4 new tests Ambiguity

Not equivalent to published model! Search space: 21406 Search space: 2624 sync, lwsync, etc. mfence, xchg

Other results

Implemented another framework sketch [Mador-Haim et al, DAC’11]

Found typo in paper; couldn’t fix by hand, but synthesized repair

Other results

Implemented another framework sketch [Mador-Haim et al, DAC’11]

Found typo in paper; couldn’t fix by hand, but synthesized repair

Order of magnitude faster than the Alloy general-purpose rela>onal solver for verifica@on and equivalence

Ocelot offers finer-grained control over rela@onal constraints

Other results

Implemented another framework sketch [Mador-Haim et al, DAC’11]

Found typo in paper; couldn’t fix by hand, but synthesized repair

Order of magnitude faster than the Alloy general-purpose rela>onal solver for verifica@on and equivalence

Ocelot offers finer-grained control over rela@onal constraints

Comparable performance to exis@ng custom memory model tool for verifica@on (Herd [Alglave et al, CAV’10])

∀ ∃ ∈ ∧ ∨ ∩ ∪ ⊂ ⋈ ⇒

MemSynth

Framework sketches

define a class of memory models

MemSynth engine

verifica@on, equivalence, synthesis, ambiguity

Results

synthesize real-world memory model specs

memsynth.uwplse.org