# Verification of Concurrent Programs under Release Acquire

S. Krishna

# Sequential Consistency

- Processes read from and write to shared memory
- Program order is preserved by each process
- Classical interleaving semantics

### Dekker Mutual Exclusion Protocol

Init: x = y = 0

Process 1:

```
x=1;
ry=y;
if (ry==0) {
  //cs1;
}
```

Process 2:

```
y=1;
rx=x;
if (rx==0) {
  //cs2;
}
```

Specification S: not (cs1 && cs2)

An SC execution: w(x,1) r(y,0) w(y,1) ... Under SC, whichever process writes first, at least one of the two reads sees a 1, so cs1 and cs2 are never both entered and S holds.

# Weak Memory Models

- Modern processors and/or compilers:
  - Reorder instructions
  - Use caches and buffers
- Behaviors described by weak memory models:
  - The Release-Acquire fragment of C11

### Dekker Mutual Exclusion Protocol under RA

Init: x = y = 0, same two processes as above.

An RA execution: the read rx=x of process 2 may be satisfied before its write y=1 becomes visible (the slide draws process 2 as `rx=x; y=1; if (rx==0) { //cs2; }`), so process 1 reads ry=0 and process 2 reads rx=0. Both enter their critical sections and S is violated.

### Problem of Interest

Given a program P and a (control + memory) state s:

- State Reachability Problem (Safety): is s reachable in P under RA?
- Decidability / complexity?
- Each process is finite-state
- For SC, the reachability problem is PSPACE-complete
- Nontrivial for RA since the set of paths is nonregular

# Operational Model for RA
[J. Kang et al.
POPL 2017, A. Podkopaev et al. 2016, arXiv]

Memory is a set of messages: each write `x := v` is stored together with a view, one timestamp per variable. Every process also keeps a local view. The memory drawn on the slide (view written as x-timestamp, y-timestamp):

| Message | View (x, y) |
|---------|-------------|
| x := 1  | 4, 1        |
| x := 3  | 1, 6        |
| x := 2  | 5, 2        |
| y := 1  | 9, 0        |
| y := 5  | 4, 7        |

Process P1 runs `a := x; x := 2; b := y`: its read returns a := 1 on the slide, and its write x := 2 adds the message with view (5, 2) to memory.

### Read

1. select a message (view) in memory
2. its timestamp for the variable must be ≥ yours
3. update your local view

### Write

1. create a new local view
2. variable timestamp:
   i. newer than yours
   ii. not in memory
3. copy the new view to memory

### Example: reachable r1 = 0, r2 = 1 and r3 = 2?

Process 1:

```
r1 = x;
y = 1;
r3 = x;
```

Process 2:

```
r2 = y;
x = 1;
x = 2;
```

Initial memory: x := 0 and y := 0, both with view (0, 0).

RA run (as animated on the slides): process 1 reads r(x,0); its write y = 1 adds y := 1 with view (0, 2), which also becomes the local view of process 1. Process 2 reads y := 1, so r2 = 1 and its view becomes (0, 2); its writes add x := 1 with view (1, 2) and x := 2 with view (3, 2). Process 1 finally reads x := 2 (timestamp 3 ≥ its own 0), so r3 = 2. The state is reachable.

# (Non parameterized) Reachability under RA

PLDI 2019

Given a program P and a (control + memory) state s:

- State Reachability Problem (Safety): is s reachable in P?

The state reachability problem is undecidable for RA.

**Proof idea:** by reduction from Post's Correspondence Problem.

Possible workaround?

# Context-bounded Analysis (CBA)

- Efficient under-approximation technique for SC [Qadeer et al. 2005, Lal et al. 2009, Torre et al. 2009]
- Several tools: CHESS, Corral, CSeq, etc.

The state reachability problem is still undecidable for RA with a bounded number (3) of context switches (context: only one "active" process):

P1 runs; P2 runs; P3 runs; P4 runs

Need a different under-approximation for RA.

### View Switch

A view switch happens when a process reads a value written by another process and changes its view.

Bounding the number of essential views in the memory.

(Slide figure: a memory holding the messages x := 0, y := 0, y := 1, y := 3, x := 1 and x := 2 with their views, e.g. (5, 3) for x := 2, (0, 3) for y := 3 and (0, 2) for y := 1.)

## K-bounded Reachability Problem

#### Definition

The reachability problem restricted to K-bounded runs.

Code-to-code translation.

#### Theorem

K-bounded reachability for RA is reducible to (K+n)-bounded context reachability under SC.

#### Corollary

K-bounded reachability for RA is decidable for finite-state programs.

# Key Ideas

Simulate P2 under SC.

## View Bounded Model Checker (VBMC)

Using CBMC as the backend model checker.

- Tested with 4004 litmus tests [Sarkar et al. 2011]:
  - Same results as Herd [Alglave et al. 2014]
- Tested on concurrent benchmarks:
  - A few contexts suffice for bug detection under RA
  - Catches isolated bugs faster than the state-of-the-art SMC tools Tracer, RCMC and CDSChecker

# Parameterized Reachability

arXiv 2021

Allowing CAS operations renders state reachability undecidable for parameterized RA, even with acyclic, identical threads.

Simulate the non-parameterized setting of PLDI'19.

Complexity landscape (slide keywords; the fragment labels did not survive extraction): QBF Sat, query evaluation in linear Datalog, PSPACE completeness, NEXPTIME completeness, non-primitive recursive, open.

# Thank you
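The following explorer is an added example, not code from the slides, from VBMC or from any of the cited papers. It implements the two semantics the deck contrasts for the Dekker fragment and for the r1/r2/r3 litmus test: classical SC interleavings, and the read/write rules of the RA operational model (messages tagged with timestamps and views, reads joining views, writes choosing a fresh timestamp). It also counts view switches in the sense of the "View Switch" slide, so it reports the smallest K for which a K-bounded run reaches the target. Assumptions of this example: the tiny `("write", var, value)` / `("read", var, reg)` program encoding, folding the `if` guards into a predicate on the final registers, and Fraction-valued timestamps so a write can always be placed between two existing messages.

```python
"""Explorer for the two semantics contrasted in the slides: SC interleavings
and the view/timestamp operational model of RA.  Added example, not the
slides' or VBMC's code."""
from collections import deque
from fractions import Fraction

# Constructed mini-language (an assumption of this example): a program is a
# list of threads, each a list of ("write", var, value) or ("read", var, reg).
# The `if` guards of the slides are folded into a predicate on the final
# registers: cs1 && cs2 is entered exactly when ry == 0 and rx == 0.
DEKKER = [
    [("write", "x", 1), ("read", "y", "ry")],
    [("write", "y", 1), ("read", "x", "rx")],
]
LITMUS = [  # the r1/r2/r3 example from the operational-model slides
    [("read", "x", "r1"), ("write", "y", 1), ("read", "x", "r3")],
    [("read", "y", "r2"), ("write", "x", 1), ("write", "x", 2)],
]


def both_in_cs(regs):
    return regs["ry"] == 0 and regs["rx"] == 0


def litmus_target(regs):
    return (regs["r1"], regs["r2"], regs["r3"]) == (0, 1, 2)


def _vars(prog):
    return sorted({ins[1] for th in prog for ins in th})


def _done(pcs, prog):
    return all(pc == len(th) for pc, th in zip(pcs, prog))


def sc_reachable(prog, target):
    """SC: one shared store, program order kept, every interleaving explored."""
    start = (tuple(0 for _ in prog), tuple((v, 0) for v in _vars(prog)), ())
    seen, todo = {start}, deque([start])
    while todo:
        pcs, mem, regs = todo.popleft()
        if _done(pcs, prog):
            if target(dict(regs)):
                return True
            continue
        for i, th in enumerate(prog):
            if pcs[i] == len(th):
                continue
            op, var, arg = th[pcs[i]]
            m, r = dict(mem), dict(regs)
            if op == "write":
                m[var] = arg
            else:
                r[arg] = m[var]
            nxt = (pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:],
                   tuple(sorted(m.items())), tuple(sorted(r.items())))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False


def ra_min_view_switches(prog, target):
    """RA model of the slides: memory is a set of (var, value, timestamp, view)
    messages.  A read picks a message whose timestamp is >= the reader's view
    for that variable and joins the message's view into its own; a write picks
    a timestamp newer than the writer's view and unused in memory and stores
    its new view with the message.  Returns the fewest view switches (reads
    that change the reader's view; such a read is always of another process's
    write) among runs reaching `target`, or None if it is unreachable."""
    vs = _vars(prog)
    ix = {v: i for i, v in enumerate(vs)}
    zero = tuple(Fraction(0) for _ in vs)
    init_mem = frozenset((ix[v], 0, Fraction(0), zero) for v in vs)
    start = (tuple(0 for _ in prog), (), tuple(zero for _ in prog), init_mem, 0)
    seen, todo, best = {start}, deque([start]), None
    while todo:
        pcs, regs, views, mem, sw = todo.popleft()
        if _done(pcs, prog):
            if target(dict(regs)) and (best is None or sw < best):
                best = sw
            continue
        for i, th in enumerate(prog):
            if pcs[i] == len(th):
                continue
            op, var, arg = th[pcs[i]]
            x, view = ix[var], views[i]
            succ = []  # (regs, new view, memory, switches) per allowed choice
            if op == "read":
                for mx, val, ts, mview in mem:
                    if mx == x and ts >= view[x]:
                        nview = tuple(max(a, b) for a, b in zip(view, mview))
                        r = dict(regs)
                        r[arg] = val
                        succ.append((tuple(sorted(r.items())), nview, mem,
                                     sw + (nview != view)))
            else:  # fresh timestamp: between two existing ones or after the last
                stamps = sorted(ts for mx, _, ts, _ in mem if mx == x)
                fresh = [(a + b) / 2 for a, b in zip(stamps, stamps[1:]) if a >= view[x]]
                fresh.append(stamps[-1] + 1)
                for ts in fresh:
                    nview = view[:x] + (ts,) + view[x + 1:]
                    succ.append((regs, nview, mem | {(x, arg, ts, nview)}, sw))
            for r, nview, nmem, nsw in succ:
                nxt = (pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], r,
                       views[:i] + (nview,) + views[i + 1:], nmem, nsw)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return best


if __name__ == "__main__":
    print("Dekker cs1&&cs2 under SC:", sc_reachable(DEKKER, both_in_cs))
    print("Dekker cs1&&cs2 under RA, min view switches:", ra_min_view_switches(DEKKER, both_in_cs))
    print("Litmus (0,1,2) under SC:", sc_reachable(LITMUS, litmus_target))
    print("Litmus (0,1,2) under RA, min view switches:", ra_min_view_switches(LITMUS, litmus_target))
```

Running it reproduces the deck's two claims: the Dekker violation is unreachable under SC but reachable under RA, and it needs no view switch at all, since both processes read the initial messages; the r1 = 0, r2 = 1, r3 = 2 state is reachable and needs two view switches (process 2 adopting process 1's y := 1 view, then process 1 adopting the view of x := 2). The breadth-first search is exhaustive only because these programs are acyclic; for loops one would bound the switch count, which is exactly the K of the K-bounded problem.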