The Benefits of Duality in Verifying Concurrent Programs under TSO - - PowerPoint PPT Presentation



SLIDE 1

The Benefits of Duality in Verifying Concurrent Programs under TSO

Parosh Aziz Abdulla (1), Ahmed Bouajjani (2), Mohamed Faouzi Atig (1), Tuan Phong Ngo (1)

(1) Uppsala University, (2) IRIF, Université Paris Diderot & IUF

CONCUR 2016

SLIDE 2

Motivation

Sequential Consistency

  • Processes (atomically) write to / read from shared memory
  • Program order is preserved for each process
  • An execution is an interleaving of the processes' operations

Characteristics

😁 Simple and intuitive model
😟 Disallows many hardware/compiler optimizations

[Figure: processes P0 and P1 issuing writes and reads to a single shared memory; the execution shown is the interleaving write(P0), write(P1), read(P0), read(P0)]

SLIDE 3

Weak Memory Models

Hardware Optimizations

  • Processors execute instructions out of order:
    😁 Better performance and energy efficiency
    😟 Non-intuitive behaviours: bugs
  • A weak memory model captures the semantics of out-of-order execution

Goal

  • An efficient verification technique for checking safety properties

SLIDE 4

Outline

  • Classical TSO (Total Store Order) semantics
  • New semantics (Single-Buffer) allows:
    • applying the well-quasi-order framework
  • New semantics (Dual-TSO) allows:
    • efficient verification
    • parameterized verification
  • Verification under Dual-TSO
  • Experimental results
  • Conclusions

SLIDES 5-7

TSO - Total Store Order

Widely Used

  • Used by Sun SPARCv9
  • The current formalisation of Intel x86

Optimise Memory Access

  • Memory writes are slow
  • Introduce (perfect, i.e. unbounded) store buffers: one First-In-First-Out (FIFO) buffer per process, sitting between the process and the shared variables

[Figure: classical semantics; processes P0 and P1, each with its own FIFO store buffer, in front of the shared memory holding x = 0, y = 0]

SLIDES 8-17

Classical TSO Semantics

Shared variables initially x = 0, y = 0. Process P0 executes, in program order:

  P0: write: x = 1
  P0: write: x = 2
  P0: read: x = 2
  P0: read: y = 0

Step by step (P1 is idle):

  1. write x = 1 goes to P0's store buffer, not to memory: buffer [x=1]
  2. write x = 2 is appended behind it: buffer [x=1, x=2]
  3. read x = 2 reads from the buffer: the newest pending write to x wins over the stale memory value x = 0
  4. read y = 0 reads from the memory, since the buffer holds no write to y; both writes are still pending
  5. the oldest buffered write, x = 1, updates the memory: memory x = 1, y = 0, buffer [x=2]; the remaining write x = 2 reaches memory later in the same way

A memory update can happen at any time, interleaved with the process's other steps.

SLIDES 18-48

Potentially Bad Behaviours - Dekker

Initially: x = y = 0

  P0:                        P1:
    write: x = 1               write: y = 1
    read:  y = 0               read:  x = 0
    critical section           critical section

(Each "read: y = 0" is a guard: the process enters its critical section only if the read returns 0.)

Sequential Consistency = interleaving: at most one process is in its critical section (CS) at any time, because whichever write comes first is visible to the other process's read.

TSO (slides 20-36), step by step:

  1. P0: write x = 1 goes to P0's store buffer
  2. P0: read y = 0 reads from memory (y is still 0); P0 enters its CS
  3. P1: write y = 1 goes to P1's store buffer
  4. P1: read x = 0 reads from memory (P0's write is still in its buffer); P1 enters its CS
  5. 2 processes are in their CS at the same time: mutual exclusion is broken

The cause is "read overtaking write": in each process the read of the other variable takes effect before the process's own earlier write has reached memory.

Fix with fences (slides 37-48): insert an mfence between the write and the read in each process. The fence instruction flushes the store buffer and prevents the re-ordering.

  1. P0: write x = 1 goes to the buffer; P0 executes its fence, which forces x = 1 into memory (memory x = 1, y = 0); P0 reads y = 0 and enters its CS
  2. P1: write y = 1 goes to the buffer; P1 executes its fence, which forces y = 1 into memory (memory x = 1, y = 1)
  3. P1: read x now returns 1, not 0, so P1 does not enter its CS
  4. at most one process executes its CS at any time

SLIDES 49-58

Verification and Correction

Inputs: the program and its specification. The loop:

  1. Reachability analysis: is a bad configuration reachable under TSO?
     • no → program correct
     • yes → execution analysis
  2. Execution analysis: is the bad execution preventable, i.e. does it rely on a reordering?
     • no reordering → program incorrect: the bug is not due to the memory model
     • yes → find the reordering and prevent it: insert fences, then try again from step 1

Optimality = the smallest set of fences needed for correctness.

SLIDES 59-62

Verification under TSO is Difficult

  P0:  while (1) write: x = 1

Shared variables x = 0, y = 0. Every iteration appends another x=1 to P0's store buffer: x=1, x=1, x=1, … The buffer is unbounded, so the state space is infinite.

SLIDE 63

Verification under TSO is Difficult

Existing Methods

  • Under-approximation
    😟 misses bugs: under-fencing
  • Over-approximation
    😟 spurious bugs: over-fencing
  • Exact verification techniques
    😁 find real bugs iff they exist: optimal fencing

SLIDES 64-69

Exact Verification Techniques

Well-Quasi Ordering (WQO) Framework

  • An ordering on the state space such that:
    • it is a well-quasi ordering
    • the transition system is monotonic: if s1 ⊑ s2 and s1 → s3, then s2 → s4 for some s4 with s3 ⊑ s4

WQO for TSO

  • Sub-word ordering on store buffers: monotone? NO!
  • Example (slide 64): P0 with store buffer [x=1] versus P0 with store buffer [x=1, y=1, y=2, y=2], memory x = 0, y = 0 in both. The second buffer contains the first as a sub-word, yet "read: y = 2" is possible only from the second (it reads the newest buffered write to y) and not from the first (it reads y = 0 from memory). The smaller configuration can take a step the larger one cannot match.
  • Slides 65-68 show the monotonicity diagram s1 ⊑ s2, s1 → s3, s2 → s4 for s1 = (P0, buffer [x=1]) and s2 = (P0, buffer [x=1, y=1]), memory x = 0, y = 0, with s3 the configuration after x = 1 has updated the memory.
  • Not monotone, so the WQO framework cannot be applied easily to TSO.

SLIDES 70-77

Semantics 2: Single Buffer Model [TACAS'12+13]

  • All processes share a single buffer (channel) instead of one store buffer per process
  • Each message in the buffer records a memory snapshot, the written variable and the writing process
  • Each process has a view pointer into the buffer: the snapshot it points to is that process's memory content; the messages beyond it are its pending updates (a process with no pending update points at the newest snapshot)

Example run (P0: write x = 2, P1: write y = 3, …): starting from the snapshots x=0,y=1 and x=1,y=1, P0's write appends a message with snapshot x=2,y=1, P1's write appends a message with snapshot x=2,y=3, and "update view of P0" moves P0's view pointer forward along the buffer.

  • Equivalent to classical TSO modulo reachability
  • The sub-word relation on the content of the single buffer is a monotonic WQO

Cost:

  • memory snapshot, viewing pointer and ID of the writing process per message: costly overhead
  • cannot be directly applied to parameterized verification

SLIDE 78

Parameterized Verification

  P P P P P P P P P P P P P

  • unbounded number of processes
  • example: mutual exclusion protocols
  • correctness: the lock is taken by at most one process

SLIDE 79

Exact Verification Technique

  • Efficient analysis technique based on WQO
  • Applicable to parameterized verification

Semantics 3: Dual-TSO

  • Store buffers are replaced by load buffers
  • Equivalent to classical TSO

SLIDE 80

Semantics 3: Dual-TSO

Store Buffers ☛ Load Buffers

  • Write operations immediately update the memory
  • Load buffers contain expected read operations: messages (variable, value, tag) that the process will read from
  • self message: created by the process's own write
  • other message: propagated from the memory

[Figure: memory x = 1, y = 0; load buffers of P0 and P1; the messages shown are x,1,other and x,1,self]

SLIDES 81-86

Semantics 3: Dual-TSO

Initially x = 0, y = 0. P0 executes: write: x = 1; read: y = 0.

  1. write x = 1 writes to the memory immediately (memory x = 1, y = 0) and adds the self message (x,1,self) to P0's load buffer
  2. the memory propagates its current value of x into P0's buffer: (x,1,other)
  3. the memory propagates its current value of y: (y,0,other); the buffer now holds, oldest first, (x,1,self) (x,1,other) (y,0,other)
  4. P0 deletes the oldest message, (x,1,self): messages leave the buffer from the front
  5. read y = 0 reads the oldest message, (y,0,other), once it is at the front of the buffer

SLIDE 87

Semantics 3: Dual-TSO

Theorem

The Dual-TSO semantics is equivalent to the TSO semantics with respect to the reachability problem.
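The store-buffer semantics of slides 8-17, the Dekker example of slides 19-48, the reachability-then-insert-fences loop of slides 49-58 and the load-buffer semantics of slides 80-86 can all be run side by side on one small program. The Python below is an added illustration written for this page; it is not the authors' tool and not code from the paper. Assumptions that are not on the slides: every buffer is capped at BOUND messages (the real state space is infinite, slides 59-62, so this is a bounded under-approximation in the sense of slide 63: "reachable" is a genuine witness, "unreachable" only holds up to the bound); under Dual-TSO a read that finds no self message on its variable may only read the message at the front of the load buffer, and mfence requires an empty load buffer (our reading of the duality); fences are only tried directly after the writes. All identifiers are ours.

```python
"""Bounded explicit-state reachability for Dekker's entry protocol under TSO
(FIFO store buffers) and Dual-TSO (FIFO load buffers).  Illustration only, not
the authors' tool.  BOUND caps every buffer since the real state space is
infinite (slides 59-62): "unreachable" here is an under-approximation."""
from collections import deque
from itertools import combinations
BOUND = 2   # messages per buffer (our assumption; 2 already suffices for Dekker)

def dekker(fences=()):
    """('w', x, v) writes; ('r', x, v) is the guarded "read: x = v"; ('fence',) is
    mfence.  fences = [(process, position)].  In CS = pc has run off the end."""
    prog = [[('w', 'x', 1), ('r', 'y', 0)], [('w', 'y', 1), ('r', 'x', 0)]]
    for pid, pos in sorted(fences, reverse=True):
        prog[pid].insert(pos, ('fence',))
    return prog

# A configuration is (pcs, mem, bufs), all tuples so it can live in a set.
def mem_set(mem, x, v): return tuple((k, v if k == x else u) for k, u in mem)
def advance(pcs, p): return pcs[:p] + (pcs[p] + 1,) + pcs[p + 1:]
def set_buf(bufs, p, b): return bufs[:p] + (b,) + bufs[p + 1:]

def tso_read(buf, mem, x):
    """TSO read: newest pending write to x in own store buffer, else memory."""
    for var, val in reversed(buf):             # buf is ordered oldest..newest
        if var == x:
            return val
    return mem[x]

def tso_steps(prog, conf):
    """TSO (slides 6-17): writes queue in a store buffer; mfence drains it."""
    pcs, mem, bufs = conf
    for p, code in enumerate(prog):
        buf = bufs[p]
        if buf:                                # oldest write updates memory
            yield (pcs, mem_set(mem, *buf[0]), set_buf(bufs, p, buf[1:]))
        if pcs[p] == len(code):
            continue
        ins, nxt = code[pcs[p]], advance(pcs, p)
        if ins[0] == 'w' and len(buf) < BOUND:
            yield (nxt, mem, set_buf(bufs, p, buf + (ins[1:],)))
        elif ins[0] == 'r' and tso_read(buf, dict(mem), ins[1]) == ins[2]:
            yield (nxt, mem, bufs)
        elif ins[0] == 'fence' and not buf:
            yield (nxt, mem, bufs)

def dual_read(buf, x):
    """Dual-TSO read: newest self message on x, else the oldest message if on x."""
    for var, val, own in reversed(buf):
        if var == x and own:
            return val
    return buf[0][1] if buf and buf[0][0] == x else None

def dual_steps(prog, conf):
    """Dual-TSO per slides 80-86: writes update memory at once and add a self
    message; memory propagates values into load buffers; the oldest message may
    be deleted.  mfence = empty load buffer (our reading; not on the slides)."""
    pcs, mem, bufs = conf
    for p, code in enumerate(prog):
        buf = bufs[p]
        if buf:                                # delete the oldest message
            yield (pcs, mem, set_buf(bufs, p, buf[1:]))
        if len(buf) < BOUND:                   # propagate any variable's value
            for x, v in mem:
                yield (pcs, mem, set_buf(bufs, p, buf + ((x, v, False),)))
        if pcs[p] == len(code):
            continue
        ins, nxt = code[pcs[p]], advance(pcs, p)
        if ins[0] == 'w' and len(buf) < BOUND:
            yield (nxt, mem_set(mem, ins[1], ins[2]),
                   set_buf(bufs, p, buf + ((ins[1], ins[2], True),)))
        elif ins[0] == 'r' and dual_read(buf, ins[1]) == ins[2]:
            yield (nxt, mem, bufs)
        elif ins[0] == 'fence' and not buf:
            yield (nxt, mem, bufs)

def mutex_violated(prog, steps):
    """BFS: can both processes be in their critical sections at once?"""
    init = ((0, 0), (('x', 0), ('y', 0)), ((), ()))
    ends = tuple(len(code) for code in prog)
    seen, todo = {init}, deque([init])
    while todo:
        conf = todo.popleft()
        if conf[0] == ends:
            return True
        for nxt in steps(prog, conf):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

def minimal_fences(steps):
    """Slides 50-58: try fence sets after the writes by increasing size; the first
    set that makes the violation unreachable is the smallest, i.e. optimal."""
    cands = [(0, 1), (1, 1)]                   # (process, position after write)
    for k in range(len(cands) + 1):
        for fs in combinations(cands, k):
            if not mutex_violated(dekker(fs), steps):
                return set(fs)
```

Under both semantics the unfenced program reaches the configuration with both processes in their critical sections, a fence in only one of the two processes is not enough, and the smallest repairing set is one mfence after each write; the bounded verdicts of the two semantics agree, as the theorem predicts. tso_read also reproduces the slide-64 example: with buffer [x=1, y=1, y=2, y=2] a read of y returns 2 from the buffer, with buffer [x=1] it returns the memory value 0.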

SLIDE 88

Outline

  • Classical TSO semantics
  • New semantics (Dual-TSO) allows:
    • efficient verification
    • parameterised verification
  • Verification under Dual-TSO
  • Experimental results
  • Conclusions

SLIDES 89-91

WQO under Dual-TSO

Partition of a load buffer: the newest self message on x and the newest self message on y (the messages a read of x or y returns) split the buffer into an "Old" part and a "New" part. Example buffer:

  x,2,self  y,1,self  y,0,self  x,1,other  x,0,other

Extension of the sub-word ordering (slides 90-91): two buffers are compared part by part; the parts marked = must coincide, the parts marked ⊑ are compared as sub-words. Example:

  x,2,self  y,1,self  y,0,self  x,0,other   ⊑   x,2,self  y,1,self  y,0,self  x,1,other  x,0,other

(the larger buffer additionally contains x,1,other).

SLIDES 92-94

WQO under Dual-TSO

WQO for Dual-TSO: a configuration is below another iff

  • the local states of the processes are the same
  • the shared memory is the same (x = 1, y = 0 in both configurations of the figure)
  • the load buffer of each process is related by the sub-word relation to the load buffer of the same process in the other configuration

[Figure: two configurations with memory x = 1, y = 0 and processes P0, P1; the load buffers shown contain x,1,other and x,1,self]
SLIDE 95

Dual-TSO vs Single Buffer

  Dual-TSO                              | Single Buffer
  --------------------------------------|---------------------------------------
  no memory snapshot                    | needs a memory snapshot per message
  no viewing pointer, no process ID     | needs viewing pointers and process IDs
  several channels: one per process     | only one channel
  buffers hold read operations          | buffers hold write operations

Result: efficient, and can be applied to parameterised verification.
SLIDE 96

Outline

  • Classical TSO semantics
  • New semantics (Dual-TSO) allows:
    • efficient verification
    • parameterised verification
  • Verification under Dual-TSO
  • Experimental results
  • Conclusions

SLIDES 97-100

Experimental Results

Dual-TSO vs Memorax

  • Memorax: the single buffer approach (exact method [TACAS'12+13])
  • Tool: https://www.it.uu.se/katalog/tuang296/dual-tso
  • Compared on running time and memory consumption
  • Standard benchmarks: litmus tests and mutual exclusion algorithms

[Table: running time in seconds and number of generated configurations per benchmark, Dual-TSO vs Memorax]

Dual-TSO is faster and uses less memory in most of the examples.

SLIDES 101-104

Experimental Results: Parameterised Cases

  • unbounded number of processes
  • increasing the number of processes

[Chart: running time (axis ticks 200, 400, 600) against the number of processes (2 to 10) on the LB benchmark, Dual-TSO vs Memorax]

Dual-TSO is more scalable; overall, Dual-TSO is more efficient and scalable than Memorax.

SLIDE 105

Summary

Dual-TSO Model

  • Exact (parameterised) reachability method:
    • Dual-TSO: load buffers instead of store buffers
    • using the well-quasi-ordering framework:
      • efficient verification
      • parameterized verification
  • Prototype implementation

SLIDE 106

Future Work

Possible Extensions

  • Infinite data domain: predicate abstraction
  • Apply to more memory models, e.g. PSO

SLIDE 107

Thank you! Questions?

SLIDE 108

Appendix

Slides 109-118 repeat the Verification and Correction slides 49-58.