Prakash Saivasan, The Institute of Mathematical Sciences

> Joint work with Parosh Aziz Abdulla, Mohamed Faouzi Atig, Ahmed Bouajjani and K. Narayan Kumar









### Outline

- Concurrent Programs
- Weak Memory models
- Persistency
- Verification

### Intel x86 model

The consistency and persistency model used throughout is Ex86, from: Azalea Raad (Imperial College London), Luc Maranget (Inria), Viktor Vafeiadis (MPI-SWS). *Extending Intel-x86 Consistency and Persistency: Formalising the Semantics of Intel-x86 Memory Types and Non-temporal Stores.*





## CONCURRENT PROGRAMS

> In the concurrent world, imperative is a wrong default. (Tim Sweeney)







### Multiple threads, shared variables

A concurrent program is a set of threads communicating through shared variables.









### Example: two threads, shared variables x and y

| Thread-1 | Thread-2 |
|---|---|
| x = 1 | y = 1 |
| Assert y = 0 | Assert x = 0 |
| Critical Section | Critical Section |

Both variables start at 0. Under sequential consistency the two writes reach memory in some order, so at least one of the asserts reads 1 and fails (the X in the slides' frames): the two threads never enter the critical section together.

## WEAK MEMORY MODELS

> Don't communicate by sharing memory; share memory by communicating.

### Memory Models

| Sequential Consistency | Weak Consistency |
|---|---|
| Operations are atomic | Operations can be re-ordered (TSO, PSO, Ex86) |

### Sequential Consistency

- Instructions are sequential and immediate.
- A write modifies the value of a variable.
- A read fetches the value of a variable.
- Rmw tests and sets a variable (atomically).







## Total Store Order (TSO)

- Every thread has a store buffer: a write (x, v) is appended to the thread's own buffer instead of going to memory.
- Buffered writes are propagated to memory non-deterministically, in buffer (FIFO) order.
- Reads are served either from the buffer or from memory, in that order: the thread's own latest pending write to the variable wins; otherwise the value comes from memory.
- RMW(x, b, d) tests x for b and sets it to d.
- Mf (memory fence) ensures the buffer is empty before the thread continues.

### The example under TSO

| Thread-1 | Thread-2 |
|---|---|
| x = 1 | y = 1 |
| Assert y = 0 | Assert x = 0 |
| Critical Section | Critical Section |

Both writes, (x, 1) and (y, 1), can still be sitting in the two store buffers when the asserts run. Each read finds no pending write to the other variable in its own buffer and fetches 0 from memory, so both asserts pass and both threads enter the critical section: mutual exclusion is lost. A memory fence (Mf) after the write empties the buffer before the assert and rules this execution out.

















## Partial Store Order (PSO)

- Writes are buffered and propagated to memory non-deterministically, as under TSO.
- In addition the buffer re-orders writes to different variables; only writes to the same variable keep their program order.
- A store fence (Sf) restricts re-ordering between writes: writes before the fence are propagated before writes after it.





### Memory Models: trade-off

| Sequential Consistency | Weak Consistency |
|---|---|
| Atomic operations | Operations can be re-ordered |
| + Simple and intuitive | + Optimised for efficiency |
| − Expensive | − Complicated |

## Ex86 memory model

Writes are of two types: Ntw (non-temporal) and Wb (write-back). The original Ex86 model has a more complicated semantics with further kinds of writes; for reachability, these two kinds are sufficient.

#### Verification under Intel-x86 with Persistency

PAROSH ABDULLA, Uppsala University, Sweden; MOHAMED FAOUZI ATIG, Uppsala University, Sweden; AHMED BOUAJJANI, Université Paris Cité, France; K. NARAYAN KUMAR, Chennai Mathematical Institute and IRL ReLaX, India; PRAKASH SAIVASAN, Institute of Mathematical Sciences, HBNI and IRL ReLaX, India

Buffer rules:

- Both types of writes are stored in the buffer.
- Ntw writes re-order with writes to other variables.
- Wb writes do not re-order with each other.
- Mf and Sf disallow any re-orderings.
- Fo(x) cannot re-order with Sf or with earlier writes to x.
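The buffer rules above, together with the TSO and PSO rules of the earlier slides, can be checked mechanically on small litmus programs. The following Python model is an added example, not code from the talk or the paper: it enumerates every interleaving of two threads under SC, TSO, PSO and the simplified Ex86 buffer described on the slides (Wb/Ntw writes, Mf, Sf, RMW) and reports whether the state in which both threads finish, i.e. both asserts pass, is reachable. The instruction encoding, the buffer representation and the litmus programs are my own choices; the Ex86 propagation rule is the one listed above (so a program using only Wb stores behaves as TSO and one using only Ntw stores as PSO), and a failed assert is modelled as blocking the thread, which is what the slides' "X" frames show.

```python
from collections import deque

# Added example (not the talk's code). Instructions are tuples:
#   ("wb"|"ntw", var, val) store;  ("r", var, reg) load;  ("assert", reg, val) continue iff reg == val
#   ("mf",) memory fence: continue once own buffer is empty;  ("sf",) store fence marker in the buffer
#   ("rmw", var, b, d) atomic test-and-set: needs an empty buffer and mem[var] == b
# State = (pcs, regs, bufs, mem), all tuples so states hash; a store-buffer entry is (kind, var, val).
def freeze(d): return tuple(sorted(d.items()))
def replace(tup, i, val): return tup[:i] + (val,) + tup[i + 1:]

def may_propagate(buf, k, model):
    """May the k-th buffered entry reach memory ahead of entries 0..k-1?"""
    kind, var, _ = buf[k]
    earlier = buf[:k]
    if kind == "sf":
        return k == 0                              # a fence marker leaves at the head only
    if any(e[0] == "sf" for e in earlier):
        return False                               # nothing overtakes a store fence
    if model == "tso":
        return k == 0                              # one FIFO: no reordering at all
    if any(e[1] == var for e in earlier):
        return False                               # same-variable order is always kept
    if model == "ex86" and kind == "wb":
        return all(e[0] != "wb" for e in earlier)  # Wb stores stay ordered among themselves
    return True                                    # PSO, or an Ex86 Ntw store: overtake freely

def successors(state, progs, model):
    pcs, regs, bufs, mem = state
    for t, prog in enumerate(progs):
        buf = bufs[t]
        # (a) the memory system propagates one eligible entry of thread t's buffer
        for k in range(len(buf)):
            if may_propagate(buf, k, model):
                kind, var, val = buf[k]
                m = dict(mem)
                if kind != "sf":
                    m[var] = val
                yield (pcs, regs, replace(bufs, t, buf[:k] + buf[k + 1:]), freeze(m))
        # (b) thread t executes its next instruction; a blocked thread yields nothing
        if pcs[t] >= len(prog):
            continue
        ins, op = prog[pcs[t]], prog[pcs[t]][0]
        r, m, b = dict(regs[t]), dict(mem), buf
        if op in ("wb", "ntw"):
            if model == "sc":
                m[ins[1]] = ins[2]                 # SC: writes are immediate and atomic
            else:                                  # only Ex86 distinguishes the two kinds
                b = buf + ((op if model == "ex86" else "wb", ins[1], ins[2]),)
        elif op == "r":                            # own buffer first, then memory
            pending = [e[2] for e in buf if e[1] == ins[1]]
            r[ins[2]] = pending[-1] if pending else m.get(ins[1], 0)
        elif op == "assert":
            if r.get(ins[1]) != ins[2]:
                continue
        elif op == "mf":
            if buf:
                continue
        elif op == "sf":
            if model != "sc":
                b = buf + (("sf", None, None),)
        elif op == "rmw":
            if buf or m.get(ins[1], 0) != ins[2]:
                continue
            m[ins[1]] = ins[3]
        yield (replace(pcs, t, pcs[t] + 1), replace(regs, t, freeze(r)),
               replace(bufs, t, b), freeze(m))

def reachable(progs, model):
    """Breadth-first search: can every thread run to completion, i.e. pass all its asserts?"""
    start = ((0,) * len(progs), ((),) * len(progs), ((),) * len(progs), ())
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        if all(pc >= len(p) for pc, p in zip(s[0], progs)):
            return True
        for nxt in successors(s, progs, model):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

# Constructed litmus programs. store_buffering() is the slides' Dekker-style example:
# completion means both threads entered the critical section.
def store_buffering(mfence=False):
    f = (("mf",),) if mfence else ()
    return ((("wb", "x", 1),) + f + (("r", "y", "r1"), ("assert", "r1", 0)),
            (("wb", "y", 1),) + f + (("r", "x", "r2"), ("assert", "r2", 0)))

# Message passing: completion means the consumer saw the flag f but stale data d.
def message_passing(data_store="wb", sfence=False):
    f = (("sf",),) if sfence else ()
    return (((data_store, "d", 1),) + f + (("wb", "f", 1),),
            (("r", "f", "a"), ("assert", "a", 1), ("r", "d", "b"), ("assert", "b", 0)))

if __name__ == "__main__":   # columns: SB, SB+mf, MP wb, MP ntw, MP ntw+sf
    for model in ("sc", "tso", "pso", "ex86"):
        print(model, [reachable(p, model) for p in (store_buffering(), store_buffering(True),
              message_passing(), message_passing("ntw"), message_passing("ntw", True))])
```

Running the block prints one row per model. For the store-buffering program only SC reports False; an Mf after each write restores False under every model. For message passing, TSO and an all-Wb Ex86 program keep the data visible before the flag, whereas PSO, or an Ntw data store under Ex86, lets the flag overtake the data unless an Sf sits between the two stores. The search terminates because the programs are loop-free, so the buffers are bounded; with loops, the state space is unbounded, which is exactly where the decidability questions of the verification section start.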





## PERSISTENCY

> Energy and persistence conquer all things. (Benjamin Franklin)

### Concurrent Memory Systems + Persistency

- The persistent memory archives writes, not necessarily in order: it re-orders incoming writes.
- Fences can impose ordering.
- What has been persisted is what survives a crash, so this is the view that matters in case of a crash.













### Extended x86 Persistent System

- Wb writes are buffered and propagated (persisted) non-deterministically; only per-variable ordering is kept.
- Ntw writes are propagated directly.
- Fo is buffered together with the information of which thread issued it.
- Sf ensures that there is no pending Fo of that thread, which ensures that the prior writes by the thread are persisted.



## VERIFICATION

> Crisis and deadlocks when they occur have at least this advantage: they force us to think.

### Verifying Concurrent Systems

Inputs: the program and a correctness specification (for instance, mutual exclusion). The question is whether a state violating the specification is reachable.

| Memory model | State reachability |
|---|---|
| Sequential Consistency | PSPACE-complete |
| TSO | Non-primitive recursive |
| PSO | Non-primitive recursive |

The decidability results for TSO and PSO rest on the theory of Well Structured Transition Systems.

### Reachability problems with persistency

- Persistent reachability: whether the program can reach a program location in the presence of crashes.
- Persistent memory reachability: whether a given persistent memory can be reached.
- Crash-free reachability: state reachability without crashes.



## VERIFYING EX86 WITH PERSISTENCY

> All stable processes we shall predict, all unstable processes we shall control. (John von Neumann)

- Persistent Memory Reachability
- Crash Free Reachability


### Persistent memory reachability reduces to crash-free reachability in a new program

The original program (processes P2, P3, P4) with the question "Persist Reach" is translated into a new program consisting of the same processes plus a Manager, for which plain (crash-free) reachability is asked.

The translation employs a guess-and-verify technique:

- Guess the writes that will persist last.
- Ensure that the guessed writes are not overwritten.

### The Manager

- The idea is that the manager speculates a write that will persist.
- The manager cannot observe all writes, so a per-process memory is introduced: threads write to their own copy, and the manager transfers the copy to the main memory.
- The manager needs to ensure the update order is maintained: no more updates during a copy.
- Reads now come from the copy or from the main memory.
- The manager non-deterministically picks a write that will persist and needs to ensure that its value is not overwritten: a frozen write.
- The manager tries to avoid the spoilers (bad patterns) that would overwrite a frozen write.

#### Spoilers

- The manager can miss an Ntw write, especially if it is followed by a Wb write.
- There are other spoilers involving Fo; they are not considered here.

#### Threads

- Speculate the position of the freeze for each variable.
- Track potential spoilers to report to the manager.

#### Manager

- Verifies the speculation of the threads.
- Ensures that the potential spoilers are never seen; this is difficult in the presence of re-orderings.

Result: persistent memory reachability reduces to crash-free reachability.

## Crash-free reachability is undecidable

Reduction from the well-known Post Correspondence Problem. The crux of the reduction is the ability to implement an alternating-bit protocol between two threads:

#### Thread 1:

| 1 | repeat |
|---|---|
| 2 | Wb(x, 1); |
| 3 | Wb(y, 1); |
| 4 | until n times; |

#### Thread 2:

| 1 | repeat |
|---|---|
| 2 | assert(x = 0); |
| 3 | RMW(x, 1, 0); |
| 4 | assert(y = 0); |
| 5 | RMW(y, 1, 0); |
| 6 | assert(x = 0); |
| 7 | until n times; |

Thread 1 issues the pair of Wb writes n times. Thread 2 consumes each write with a test-and-set (RMW(x, 1, 0) waits for x = 1 and resets it to 0) and asserts in between that the next write has not yet reached memory, so the two threads exchange the bits in strict alternation.

PCP:  $U = \{u_1, \dots, u_\ell\}$   $V = \{v_1, \dots, v_\ell\}$  $\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$ 

PCP: 
$$U = \{u_1, \dots, u_{\ell'}\}$$
  $V = \{v_1, \dots, v_{\ell'}\}$   
 $\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$   
Crash-free reachability  
Algorithm 1: PCPGen  
1 Global Vars  $x, y, s, t$   
2 Local Vars  $i, j, flg := true$   
3 while  $\star$  do  
4  $|$  Let  $i \in [1, \ell]$   
5  $|$   $s :=_{ntw} u_i$   
6  $|$   $t :=_{ntw} v_i$   
6  $|$   $t :=_{ntw} v_i$   
7  $|$   $j := |u_i| + |v_i|$   
8 while  $j > 0$  do  
9  $|$   $x := 1$   
1  $global Vars  $x, y, s, t$   
9  $|$   $x := 1$   
1  $y := 1$   
1  $|$   $|$   $z := x$   
1  $|$$ 

PCP: 
$$U = \{u_1, \dots, u_{\ell'}\}$$
  $V = \{v_1, \dots, v_{\ell'}\}$   
 $\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$   
Crash-free reachability  
Algorithm 1: PCPGen  
1 Global Vars  $x, y, s, t$   
2 Local Vars  $i, j, flg := true$   
3 while  $\star$  do  
4 Let  $i \in [1, \ell]$   
5  $s :=_{ntw} u_i$   
6  $t :=_{ntw} v_i$   
7  $j := |u_i| + |v_i|$   
7  $j := |u_i| + |v_i|$   
8 while  $j > 0$  do  
8 while  $j > 0$  do  
9  $|x := 1$   
1 Global Vars  $x, y, s, t$   
2 Local Vars  $a, b$   
3 while  $(a \neq \#)$  do  
4  $rmw(x, 1, 0)$   
5  $rmw(y, 0, 0)$   
4  $rmw(s, b, 0)$   
7  $mw(s, b, 0)$   
8  $rmw(t, b, 0)$   
9  $|x := 1$   
10  $rmw(y, 1, 0)$   
10  $|y := 1$   
10  $rmw(x, 0, 0)$   
11  $|z = j - 1$   
12  $x := \#$   
12  $x := 4$   
13  $Halt$ 



| P           | PCP: $U = \{u_1, \dots, u_\ell\}$ $V = \{v_1, \dots, v_\ell\}$                                      |      |                            |  |  |  |
|-------------|-----------------------------------------------------------------------------------------------------|------|----------------------------|--|--|--|
|             | $\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$ |      |                            |  |  |  |
| C           | rash-free reachability                                                                              |      |                            |  |  |  |
| Al          | gorithm 1: PCPGen                                                                                   | Al   | gorithm 2: PCPVerif        |  |  |  |
| 1 0         | 1 Global Vars x, y, s, t                                                                            |      | lobal Vars x, y, s, t      |  |  |  |
| 2 L         | 2 Local Vars $i, j, flg := true$                                                                    |      | 2 Local Vars $a, b$        |  |  |  |
| 3 W         | 3 while <b>*</b> do                                                                                 |      | 3 while ( <i>a</i> ≠ #) do |  |  |  |
| 4           | Let $i \in [1, \ell]$                                                                               | 4    | rmw(x, 1, 0)               |  |  |  |
| 5           | $s :=_{ntw} u_i$                                                                                    | 5    | rmw(y,0,0)                 |  |  |  |
| 6           | $t :=_{ntw} v_i$                                                                                    | 6    | Let $b \in \Sigma$         |  |  |  |
| 7           | $j :=  u_i  +  v_i $                                                                                | 7    | rmw(s, b, 0)               |  |  |  |
| 8           | while $j > 0$ do                                                                                    | 8    | rmw(t, b, 0)               |  |  |  |
| 9           | x := 1                                                                                              | 9    | rmw(y, 1, 0)               |  |  |  |
| 10          | y := 1                                                                                              | 10   | rmw(x,0,0)                 |  |  |  |
| 11          | j = j - 1                                                                                           | 11   | a := x                     |  |  |  |
| 12 $x := #$ |                                                                                                     | 12 H | 12 Halt                    |  |  |  |



| P                                | PCP: $U = \{u_1,, u_\ell\}$ $V = \{v_1,, v_\ell\}$                                                  |                            |                          |  |  |  |
|----------------------------------|-----------------------------------------------------------------------------------------------------|----------------------------|--------------------------|--|--|--|
|                                  | $\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$ |                            |                          |  |  |  |
|                                  |                                                                                                     |                            |                          |  |  |  |
| C                                | Crash-free reachability                                                                             |                            |                          |  |  |  |
| Algorithm 1: PCPGen              |                                                                                                     |                            | gorithm 2: PCPVerif      |  |  |  |
| 1 Global Vars x, y, s, t         |                                                                                                     | 1 G                        | 1 Global Vars x, y, s, t |  |  |  |
| 2 Local Vars $i, j, flg := true$ |                                                                                                     | 2 Local Vars a, b          |                          |  |  |  |
| 3 while <b>*</b> do              |                                                                                                     | 3 while ( <i>a</i> ≠ #) do |                          |  |  |  |
| 4                                | Let $i \in [1, \ell]$                                                                               | 4                          | rmw(x, 1, 0)             |  |  |  |
| 5                                | $s :=_{ntw} u_i$                                                                                    | 5                          | rmw(y,0,0)               |  |  |  |
| 6                                | $t :=_{ntw} v_i$                                                                                    | 6                          | Let $b \in \Sigma$       |  |  |  |
| 7                                | $j :=  u_i  +  v_i $                                                                                | 7                          | rmw(s, b, 0)             |  |  |  |
| 8                                | while $j > 0$ do                                                                                    | 8                          | rmw(t, b, 0)             |  |  |  |
| 9                                | x := 1                                                                                              | 9                          | rmw(y, 1, 0)             |  |  |  |
| 10                               | y := 1                                                                                              | 10                         | rmw(x,0,0)               |  |  |  |
| 11                               | j = j - 1                                                                                           | 11                         | a := x                   |  |  |  |
| 12 $x := #$                      |                                                                                                     | 12 H                       | Ialt                     |  |  |  |



Writes the corresponding words as ntw writes

Encodes the size into the alt-bit protocol

PCPVerif

Alt bit ensures no symbol is lost. Verifies that the generated words are the same.

PCP:
$$U = \{u_1, \dots, u_\ell\}$$
$$V = \{v_1, \dots, v_\ell\}$$
$$\exists i_1 \dots i_n : u_{i_1} \cdot u_{i_2} \dots u_{i_n} = v_{i_1} \cdot v_{i_2} \dots v_{i_n}$$

Crash-free reachability

**Algorithm 1:** PCPGen  
1 Global Vars $x, y, s, t$  
2 Local Vars $i, j, flg := true$  
3 while $\star$ do  
4 &nbsp;&nbsp;Let $i \in [1, \ell]$  
5 &nbsp;&nbsp;$s :=_{ntw} u_i$  
6 &nbsp;&nbsp;$t :=_{ntw} v_i$  
7 &nbsp;&nbsp;$j := |u_i| + |v_i|$  
8 &nbsp;&nbsp;while $j > 0$ do  
9 &nbsp;&nbsp;&nbsp;&nbsp;$x := 1$  

**Algorithm 2:** PCPVerif  
1 Global Vars $x, y, s, t$  
2 Local Vars $a, b$  
3 while $(a \neq \#)$ do  
4 &nbsp;&nbsp;Let $i \in [1, \ell]$  
5 &nbsp;&nbsp;$rmw(x, 1, 0)$  
7 &nbsp;&nbsp;$rmw(s, b, 0)$  
8 &nbsp;&nbsp;while $j > 0$ do  
9 &nbsp;&nbsp;&nbsp;&nbsp;$x := 1$  
1 &nbsp;&nbsp;&nbsp;&nbsp;$y := 1$  

Crash free reachability is undecidable
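The problem that PCPGen and PCPVerif jointly encode is the Post Correspondence Problem stated on the slide. The following is an added example (not code from the talk or from the paper it is based on) that separates the two roles: a verifier that checks, for a given index sequence, that the two generated words are the same, and a bounded breadth-first search for such a sequence. The PCP instance and the length bound are constructed for illustration; the search has to be bounded precisely because PCP itself is undecidable, which is what the reduction transfers to crash-free reachability.

```python
"""PCP instance shape from the slide: U = {u_1..u_l}, V = {v_1..v_l},
asking for i_1..i_n with u_{i_1}...u_{i_n} == v_{i_1}...v_{i_n}."""
from collections import deque
from typing import Optional, Sequence, Tuple

# Constructed instance (classic textbook example, not from the slides).
U_EXAMPLE = ["a", "ab", "bba"]
V_EXAMPLE = ["baa", "aa", "bb"]


def pcp_verify(U: Sequence[str], V: Sequence[str], indices: Sequence[int]) -> bool:
    """Role of PCPVerif: given a candidate index sequence (1-based, as on the
    slide), check that the two generated words are identical."""
    if len(U) != len(V) or not indices:
        return False
    if any(not 1 <= i <= len(U) for i in indices):
        return False
    top = "".join(U[i - 1] for i in indices)
    bottom = "".join(V[i - 1] for i in indices)
    return top == bottom


def pcp_search(U: Sequence[str], V: Sequence[str], max_len: int) -> Optional[Tuple[int, ...]]:
    """Bounded breadth-first search for a solution of length <= max_len.

    A partial sequence is kept only while one word is a prefix of the other;
    the search state is the leftover suffix plus the side it belongs to, so
    two partial sequences with the same leftover are explored only once.
    Returns an index sequence or None if none exists within the bound."""
    assert len(U) == len(V) > 0
    queue = deque([()])
    seen = set()
    while queue:
        seq = queue.popleft()
        if len(seq) >= max_len:
            continue
        for i in range(1, len(U) + 1):
            cand = seq + (i,)
            top = "".join(U[k - 1] for k in cand)
            bot = "".join(V[k - 1] for k in cand)
            if top == bot:
                return cand  # the generated words are the same
            if top.startswith(bot):
                key = ("top", top[len(bot):])
            elif bot.startswith(top):
                key = ("bot", bot[len(top):])
            else:
                continue  # words already disagree; this prefix is dead
            if key in seen:
                continue
            seen.add(key)
            queue.append(cand)
    return None


if __name__ == "__main__":
    sol = pcp_search(U_EXAMPLE, V_EXAMPLE, max_len=6)
    print("solution:", sol, "verified:", pcp_verify(U_EXAMPLE, V_EXAMPLE, sol))
```

The state-based pruning is sound because the continuation of a partial sequence depends only on the leftover suffix and which side it sits on, and breadth-first order reaches each state first via a shortest sequence.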





### VERIFYING EX86 WITH PERSISTENCY

All stable processes we shall predict, all unstable processes we shall control - Benjamin Franklin

- Persistent Memory Reachability
- Crash Free Reachability

# Alternation Bounded Reachability

One source of undecidability is unbounded alternations between ntw and wb writes.

K Alternation Bounded: A thread execution is k-alternation bounded if the thread alternates between wb and ntw writes at most k times.

K Alternation Bounded reachability asks if a final config can be reached by an execution in which every thread is k-alternation bounded.
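As an added illustration of the definition (not code from the talk), the following checks a constructed write trace for the k-alternation bound thread by thread, and splits each thread's writes into its maximal runs of one kind, the alternation blocks that the rest of the reduction works with. The `Write` record and the trace are assumptions made for the example; the two write kinds are written `wb` and `ntw` as on the slides.

```python
from dataclasses import dataclass
from typing import Dict, List

WRITE_KINDS = {"wb", "ntw"}  # write-back vs. non-temporal, as on the slides


@dataclass(frozen=True)
class Write:
    thread: str
    var: str
    value: int
    kind: str  # "wb" or "ntw"

    def __post_init__(self) -> None:
        if self.kind not in WRITE_KINDS:
            raise ValueError(f"unknown write kind {self.kind!r}")


def alternations(kinds: List[str]) -> int:
    """Number of switches between wb and ntw along one thread's writes."""
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def alternation_blocks(writes: List[Write]) -> List[List[Write]]:
    """Split one thread's writes (in program order) into maximal runs of the
    same kind; a thread with a alternations has a + 1 blocks."""
    blocks: List[List[Write]] = []
    for w in writes:
        if blocks and blocks[-1][-1].kind == w.kind:
            blocks[-1].append(w)
        else:
            blocks.append([w])
    return blocks


def per_thread_bounded(trace: List[Write], k: int) -> Dict[str, bool]:
    """For each thread in the trace, whether its execution is k-alternation bounded."""
    kinds: Dict[str, List[str]] = {}
    for w in trace:
        kinds.setdefault(w.thread, []).append(w.kind)
    return {t: alternations(ks) <= k for t, ks in kinds.items()}


def execution_is_k_bounded(trace: List[Write], k: int) -> bool:
    """The whole execution qualifies only if every thread is k-alternation bounded."""
    return all(per_thread_bounded(trace, k).values())


# Constructed trace: t1 alternates twice (wb,wb | ntw,ntw | wb),
# t2 alternates three times (ntw | wb | ntw | wb).
TRACE = [
    Write("t1", "x", 1, "wb"),
    Write("t2", "s", 1, "ntw"),
    Write("t1", "y", 1, "wb"),
    Write("t1", "s", 2, "ntw"),
    Write("t2", "x", 2, "wb"),
    Write("t1", "t", 2, "ntw"),
    Write("t2", "t", 3, "ntw"),
    Write("t1", "x", 3, "wb"),
    Write("t2", "y", 3, "wb"),
]


def thread_writes(trace: List[Write], thread: str) -> List[Write]:
    return [w for w in trace if w.thread == thread]


if __name__ == "__main__":
    print(per_thread_bounded(TRACE, 2))
    print([len(b) for b in alternation_blocks(thread_writes(TRACE, "t1"))])
```

With k = 2 the constructed trace is rejected as a whole because t2 alternates three times, even though t1 stays within the bound; the block sizes for t1 are 2, 2 and 1.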









## The writes between alternation blocks can re-order

## Execution within each block is like TSO or PSO

## Decidability by reduction to reachability on PSO system

## Each alternation block is executed in parallel as a **PSO** thread

Later blocks depend on earlier blocks

## Memory is duplicated as per thread and per phase

## Manager moves the writes to main memory

## Manager ensures that the semantics is maintained






