verification and counterexamples
play

Verification, and Counterexamples Yatin Manerkar Princeton - PowerPoint PPT Presentation

Sep 04, 2022 •100 likes •591 views

C11 Compiler Mappings: Exploration, Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu http://check.cs.princeton.edu November 22 nd , 2016 1 Compilers Must Uphold HLL Guarantees High-Level Assembly

  1. C11 Compiler Mappings: Exploration, Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu http://check.cs.princeton.edu November 22 nd , 2016 1

  2. Compilers Must Uphold HLL Guarantees High-Level Assembly Compiler Language (HLL) Language Program Program • Compiler translates HLL statements into assembly instructions • Code generated by compiler must provide functionality required by HLL program 2

  3. Compilers Must Uphold HLL Guarantees Compiler X86 Assembly C11 Program Language Program X86 C11 Atomic x.store(1); mov [eax], 1 Mapping r1 = y.load(); MFENCE mov ebx, [ebx] • C/C++11 standards introduced atomic operations – Portable, high-performance concurrent code • Compiler uses mapping to translate from atomic ops to assembly instructions 3

  4. Compilers Must Uphold HLL Guarantees Compiler X86 Assembly C11 Program Language Program X86 C11 Atomic x.store(1); mov [eax], 1 Mapping r1 = y.load(); MFENCE mov ebx, [ebx] If mapping is correct, then for all programs: ISA-Level Outcome C11 Outcome implies Forbidden Forbidden 4

  5. Exploring Mappings with TriCheck C11 Atomic ISA-level C11 Litmus Mapping litmus tests Test Variants How do HLL outcomes compare to ISA-level outcomes? µCheck Herd ? C11 Outcomes ISA-Level Outcomes 5

  6. Exploring Mappings with TriCheck C11 Atomic ISA-level C11 Litmus Mapping litmus tests Test Variants If a mapping is correct, then for all programs: µCheck Herd C11 Outcome ISA-Level Outcome implies Forbidden Forbidden 6

  7. Counterexamples Detected! C11 → Power/ C11 Litmus Power/ARMv7 ARMv7-like Test Variants Trailing-Sync litmus tests Atomic Mapping µCheck Herd C11 Outcome ISA-Level Outcome but Forbidden Allowed 7

  8. Counterexamples Detected! C11 → Power/ C11 Litmus Power/ARMv7 ARMv7-like Test Variants Trailing-Sync litmus tests Atomic Mapping • Counterexample implies mapping is flawed • But mapping previously proven correct [Batty et al. POPL 2012] µCheck Herd • Must be an error in the proof! C11 Outcome ISA-Level Outcome but Forbidden Allowed 8

  9. Outline • Introduction • Background on C11 model and mappings • IRIW Counterexample and Analysis • Loophole in Proof of Batty et al. • IBM XL C++ Bugs • Conclusions and Future Work 9

  10. C11 Memory Model • C11 memory model specifies a C11 program’s allowed and forbidden outcomes • Axiomatic model defined in terms of program executions – Executions that satisfy C11 axioms are consistent – Executions that do not satisfy axioms are forbidden – Outcome only allowed if consistent execution exists • C11 axioms defined in terms of various relations on an execution 10

  11. C11 atomic operations • Used to write portable, high-performance concurrent code • Atomic ops can have different memory orders – seq_cst , acquire , release , relaxed … – Stronger guarantees: easier correctness, lower performance – Weaker guarantees: harder correctness, higher performance • Example ( y is an atomic variable): y.store(1, memory_order_release); int b = y.load(memory_order_acquire); 11

  12. Relevant C11 Memory Model Relations • Happens-before ( ℎ𝑐 ) = 𝑡𝑐 ∪ 𝑡𝑥 + – Transitive closure of statement order and synchronization order Wsc x = 1 • Total order on SC operations ( 𝑡𝑑 ) hb sc – Must be acyclic Rsc y = 0 – 𝑡𝑑 edges must not be in opposite direction to ℎ𝑐 edges ( 𝑡𝑑 must be “consistent with” ℎ𝑐 ) – SC read operations cannot read from overwritten writes 12

  13. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power lwsync and ARMv7 dmb prior to releases ensure that prior accesses are made visible before the release 13

  14. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power ctrlisync/sync and ARMv7 ctrlisb/dmb after acquires enforce that subsequent accesses are made visible after the acquire Use of sync/dmb for SC loads helps enforce the required C11 total order on SC operations 14

  15. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power sync and ARMv7 dmb after SC stores (“trailing - sync”) prevent reordering with subsequent SC loads Ostensibly, this ordering can also be enforced by putting fences before SC loads… 15

  16. Power and ARMv7 Compiler Mappings • Leading-sync mapping: – [McKenney and Silvera 2011] Leading-sync mapping places these fences *before* SC loads Only translations of SC atomics change between the two mappings 16

  17. Both Mappings are Currently Invalid • Both supposedly proven correct [Batty et al. POPL 2012] • We discovered two counterexamples to trailing-sync mappings on Power and ARMv7 – Isolated the proof loophole that allowed flaw • Vafeiadis et al. found counterexamples for leading-sync mapping, and have proposed solution 17

  18. Outline • Introduction • Background on C11 model and mappings • IRIW Counterexample and Analysis • Loophole in Proof of Batty et al. • IBM XL C++ Bugs • Conclusions and Future Work 18

  19. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 • Variant of IRIW (Independent-Reads- Independent-Writes) litmus test • IRIW corresponds to two cores observing stores to different addresses in different orders • At least one of first loads on T2 and T3 is an acquire; all other accesses are SC 19

  20. IRIW Counterexample Compilation T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 With trailing sync mapping, effectively compiles down to C0 C1 C2 C3 St x = 1 St y = 1 r1 = Ld x r3 = Ld y ctrlisync/ctrlisb ctrlisync/ctrlisb r2 = Ld y r4 = Ld x Allowed by Power model and hardware [Alglave et al. TOPLAS 2014] Allowed by ARMv7 model [Alglave et al. TOPLAS 2014] 20

  21. IRIW Counterexample Compilation T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 With trailing sync mapping, effectively compiles down to C0 C1 C2 C3 St x = 1 St y = 1 r1 = Ld x r3 = Ld y ctrlisync/ctrlisb ctrlisync/ctrlisb r2 = Ld y r4 = Ld x ctrlisync/ctrlisb are not strong enough to forbid outcome Allowed by Power model and hardware [Alglave et al. TOPLAS 2014] Allowed by ARMv7 model [Alglave et al. TOPLAS 2014] 21

  22. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 22

  23. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 23

  24. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 24

  25. IRIW Trailing-Sync Counterexample • SC order must contain edges from c → f and from d → h to match direction of hb edges • Shown below as sc_hb edges c: Wsc x = 1 d: Wsc y = 1 f: Rsc y = 0 h: Rsc x = 0 25

  26. IRIW Trailing-Sync Counterexample • SC reads f and h must read from non-SC writes b and a before they are overwritten • The SC order must contain f → d and h → c to satisfy this condition c: Wsc x = 1 d: Wsc y = 1 f: Rsc y = 0 h: Rsc x = 0 26

  27. IRIW Trailing-Sync Counterexample • SC reads f and h must read from non-SC writes b and a before they are overwritten • The SC order must contain f → d and h → c to • Cycle in the SC order satisfy this condition • Outcome is forbidden as there is no c: Wsc x = 1 d: Wsc y = 1 corresponding consistent execution • But compiled code allows the behaviour! f: Rsc y = 0 h: Rsc x = 0 27

  28. What went wrong? • SC axioms required SC order to contain edges from c → f and from d → h to match direction of hb edges • This requires a sync/dmb ish between e and f as well as between g and h on Power and ARMv7 • These fences are NOT provided by trailing-sync mapping 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser

Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser

Counterexamples Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser University tarchi@sfu.ca Weierstra 200, BBAW, Oct. 31, 2015 1 / 22 Counterexamples Outline 1 Introduction 2 The Dirichlet

499 views • 22 slides
Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner Alexander Ivrii Ziv Nevo IBM Outline Generalized counterexamples to liveness and why they are especially interesting How to detect that a

135 views • 12 slides
Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku

Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku

Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku University Dagstuhl Seminar, October 11, 2011 Takayuki Kihara Counterexamples in Computable Continuum Theory Introduction Local Computability: 1

1.44k views • 109 slides
Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment

Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment

Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment NAPS Conference Tempe, 14. October 2002 Wolfgang Gatterbauer, Marija Ilic Presented by Audun Botterud Massachusetts Institute of Technology 2 Topics

444 views • 30 slides
DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic

DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic

DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic buenos aires august 3, 2018 My Aim To present an account of defining rules , with the aim of explaining these rules they play a central role in

1.64k views • 124 slides
Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai

Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai

Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai 3 and J. A. Navas 4 and E. J. Schwartz 1 Presenter: Natarajan Shankar 4 1 Carnegie Mellon University 2 University of Waterloo 3 Amazon Web Services 4

332 views • 18 slides
Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and Zohar Manna Stanford University (Aaron is visiting EPFL and will be at CU Boulder) Benchmark: intel_005 #latch vars: 170 #coi vars: 69 Solved:

207 views • 17 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University

Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University

Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University Vera Roshchina School of Mathematics and Statistics UNSW Sydney v.roshchina@unsw.edu.au Based on joint work with Hong-Kun Xu , Roberto Cominetti

575 views • 29 slides
Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records OVERVIEW 01 04 Scope of Verification Peggys Picks Types of verification, Verifying exam results or parameters, privacy graduation using databases

1.25k views • 81 slides
Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer

Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer

Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer Albert-Ludwigs-Universitt Freiburg, Germany Saarland University, Saarbrcken, Germany 2 nd AVACS Autumn School, Oldenburg, October 2, 2015 Acknowledgements Most

1.18k views • 103 slides
Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg

Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg

Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg Ralf Wimmer Albert-Ludwigs-Universitt Freiburg, Germany Joint work with Nils Jansen, Erika brahm, Joost Pieter Katoen, Bernd Becker Outline

475 views • 34 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright

A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright

A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright University of Waterloo Dragomir okovi University of Waterloo Ilias Kotsireas Wilfrid Laurier University Vijay Ganesh University of Waterloo

449 views • 44 slides
Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019

Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019

Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019 Definition Brouwers principle states that all functions N N N are continuous. Theorem (S.) Working in a metatheory where Brouwers principle

830 views • 26 slides
Consistency of RTL Designs Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Michael

Consistency of RTL Designs Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Michael

RTLCheck: Verifying the Memory Consistency of RTL Designs Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Michael Pellauer* Princeton University *NVIDIA MICRO-50 http:/ ://check.cs.p .princeton.edu/ Memory Consistency Models

1.11k views • 73 slides
Synthesizing Memory Models from Framework Sketches and Litmus Tests James Bornholt Emina

Synthesizing Memory Models from Framework Sketches and Litmus Tests James Bornholt Emina

Synthesizing Memory Models from Framework Sketches and Litmus Tests James Bornholt Emina Torlak University of Washington Memory consistency models define memory reordering behaviors on mul>processors Memory consistency models define

1.06k views • 86 slides
LITMUSRT: A Hands-On Primer Manohar Vanga, Mahircan Gl, Bjrn Brandenburg MPI-SWS,

LITMUSRT: A Hands-On Primer Manohar Vanga, Mahircan Gl, Bjrn Brandenburg MPI-SWS,

LITMUSRT: A Hands-On Primer Manohar Vanga, Mahircan Gl, Bjrn Brandenburg MPI-SWS, Kaiserslautern, Germany Goals A whirlwind tour of LITMUSRT Working with scheduler plugins. Running real-time tasks under global & partitioned

1.01k views • 84 slides
Surgical Problems in Primary Care Stories from My Life Ronald H. Labuguen, MD Ronald H.

Surgical Problems in Primary Care Stories from My Life Ronald H. Labuguen, MD Ronald H.

3/26/2013 Surgical Problems in Primary Care: Surgical Problems in Primary Care Stories from My Life Ronald H. Labuguen, MD Ronald H. Labuguen, MD Associate Clinical Professor Associate Clinical Professor UCSF Department of Family and

635 views • 42 slides
Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions at 0.99 c , and observe the decay products. Images: CERN; Chaix & Morel et associs David Cock | 19. September 20 | 2 16 Programmers

539 views • 24 slides
Tests and Testing p. 1 Empirical Science of the Artificial Treating these human-made

Tests and Testing p. 1 Empirical Science of the Artificial Treating these human-made

Tests and Testing p. 1 Empirical Science of the Artificial Treating these human-made artifacts as objects of empirical science In principle (modulo manufacturing defects): their structure and behaviour are completely known. In

372 views • 23 slides
An integrated concurrency and core- ISA architectural envelope definition, and test oracle, for

An integrated concurrency and core- ISA architectural envelope definition, and test oracle, for

An integrated concurrency and core- ISA architectural envelope definition, and test oracle, for IBM POWER multiprocessors Kathryn E. Gray 1 Gabriel Kerneis 1+ Dominic Mulligan 1 Christopher Pulte 1 Susmit Sarkar 2 Peter Sewell 1 1 University of

745 views • 45 slides
Definitions Early Acids turns blue litmus red tastes sour neutralizes bases

Definitions Early Acids turns blue litmus red tastes sour neutralizes bases

CEE 680 Lecture #7 1/29/2020 Print version Updated: 29 January 2020 Lecture #6 Acids & Bases: Analytical Solutions (Stumm & Morgan, Chapt.3 ) (Benjamin, Chapt. 3; pg.131-150) David Reckhow CEE 680 #6 1 Definitions Early

578 views • 12 slides

More recommend