# PROGRAM VERIFICATION UNDER FORMALIZED MEMORY CONSISTENT MODELS

## TATSUYA ABE RIKEN AICS (Joint Work with Toshiyuki Maeda)

SLACS / NSA, May 26, 2014

Q. What is a Memory Consistent Model (MCM)?

A. An MCM is a rule for sharing memory among multiple threads.



There exist many MCMs



We have to understand such MCMs since the MCMs are rules. But,

There exist non-intuitive MCMs!

An example of curious executions

Under Itanium MCM,

Memory: [x] == [y] == 0

| Thread 1  |
|-----------|
| [x] = 1;  |
| r1 = [x]; |
| [y] = r1; |

# Reordering under Itanium MCM

Under Itanium MCM,

Memory: [x] == [y] == 0

| Thread 1  | Thread 2  |
|-----------|-----------|
| [x] = 1;  | r2 = [y]; |
| r1 = [x]; | r3 = [x]; |
| [y] = r1; |           |

Since r2 = [y] and r3 = [x] can be reordered,

r2 == 1 & r3 == 0 is allowed!

#### Speculative behaviors under UPC MCM

| Thread 1  | Thread 2  |
|-----------|-----------|
| r1 = [x]; | r2 = [x]; |
| [x] = 2;  | [x] = 1;  |

r1 == 1 & r2 == 2 is allowed!


| Thread 1           | Thread 2           |
|--------------------|--------------------|
| speculate: [x] = 1 | speculate: [x] = 2 |
| r1 = [x];          | r2 = [x];          |
| [x] = 2;           | [x] = 1;           |

## Reordering depends on an MCM

Can `r2 = [y]; r3 = [x];` be reordered?

| MCM                     | Reorderable? |
|-------------------------|--------------|
| Sequential consistency  | No           |
| Total Store Ordering    | No           |
| Partial Store Ordering  | Yes          |
| Itanium MCM             | Yes          |
| UPC MCM                 | No           |
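The Itanium litmus test from the earlier slide and the table above, as an added example that is not part of the original slides: a small Python enumerator under an assumed, deliberately simplified base model (one shared memory, every interleaving of the two threads' program orders, and optionally the swap of Thread 2's two loads) computes which (r2, r3) outcomes each choice admits.

```python
# Added example (not from the slides). Constructed litmus test:
# initial memory x == y == 0, Thread 1: [x]=1; r1=[x]; [y]=r1;
# Thread 2: r2=[y]; r3=[x];
# Ops are ("ld", register, address) or ("st", address, value_or_register).
THREAD1 = [("st", "x", 1), ("ld", "r1", "x"), ("st", "y", "r1")]
THREAD2 = [("ld", "r2", "y"), ("ld", "r3", "x")]


def interleavings(a, b):
    """All merges of a and b that keep each list's own order."""
    if not a or not b:
        yield list(a) + list(b)
        return
    for rest in interleavings(a[1:], b):
        yield [a[0]] + rest
    for rest in interleavings(a, b[1:]):
        yield [b[0]] + rest


def execute(trace):
    """Run one total order of operations against a single shared memory."""
    mem = {"x": 0, "y": 0}          # initial memory from the slide
    regs = {}
    for op, dst, src in trace:
        if op == "ld":
            regs[dst] = mem[src]
        else:                       # store of a constant or of a register
            mem[dst] = regs[src] if isinstance(src, str) else src
    return regs


def outcomes(reorder_loads):
    """Set of reachable (r2, r3) pairs. reorder_loads=True stands in for an
    MCM answering "Yes" in the table (Thread 2's two loads may be swapped);
    False stands in for the MCMs answering "No"."""
    orders = [THREAD2] + ([THREAD2[::-1]] if reorder_loads else [])
    seen = set()
    for t2 in orders:
        for trace in interleavings(THREAD1, t2):
            r = execute(trace)
            seen.add((r["r2"], r["r3"]))
    return seen


if __name__ == "__main__":
    print("loads in program order:", sorted(outcomes(False)))
    print("loads may be reordered:", sorted(outcomes(True)))
    # (1, 0), i.e. r2 == 1 & r3 == 0, appears only in the second set
```

The enumerator is a brute-force stand-in for the slides' model checker: it explores every trace the simplified base model admits, so its per-MCM difference is exactly the single reordering the table is about.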

Our approach to handle various MCMs simultaneously

1. Give a general model (called the base model),
2. define an MCM as a constraint on the base model,
3. develop a model checker generator.



Base model for reorderings



Threads have their own memories, and reads from and writes to the shared memory are simulated by communication among them.

## Base model for reorderings and speculative behaviors



Each thread has its own base model (from the previous slide) for speculation.

How to define an MCM

Issue<sub>1</sub> Rflct<sub>1</sub> Issue<sub>2</sub> Rflct<sub>2</sub> Issue<sub>3</sub> Rflct<sub>3</sub> ...

Each pair can be reordered on the base model.

✓ Issue<sub>1</sub> Issue<sub>2</sub> Rflct<sub>1</sub> Rflct<sub>2</sub> Issue<sub>3</sub> Rflct<sub>3</sub> ...

✓ Issue<sub>1</sub> Issue<sub>2</sub> Issue<sub>3</sub> Rflct<sub>1</sub> Rflct<sub>2</sub> Rflct<sub>3</sub> ...

MCMs are constraints on the base model; a constraint rules some orders out:

✓ Issue<sub>1</sub> Issue<sub>2</sub> Rflct<sub>1</sub> Rflct<sub>2</sub> Issue<sub>3</sub> Rflct<sub>3</sub> ...

✗ Issue<sub>1</sub> Issue<sub>2</sub> Issue<sub>3</sub> Rflct<sub>1</sub> Rflct<sub>2</sub> Rflct<sub>3</sub> ...

# Formal definition of MCMs

Define an MCM as a set of formulas in mathematical logic.

<u>Definition of formula.</u> A formula is a combination of atomic formulas by logical connectives  $\neg$  (negation),  $\supset$  (implication), and  $\forall$  (universal quantifier).

<u>Atomic formulas.</u> o < o' (o' must be performed after o) where o and o' are either of the following:

- Issue T(i, a): T's instruction i with attributes a is issued.
- Rflct T(i, a): the issue of i is reflected to T, i.e., T can observe i's issue.

# Acquire and release semantics of Itanium MCM

Any instruction must wait for all reflections of an instruction with an attribute **release** that is issued before.

[x] = 1:release; r1 = [x];

r1 = [x] must wait for reflections of [x] = 1:release.

$$\mathrm{Issue}\ T(i, \{\mathrm{release}\}) < \mathrm{Issue}\ T(i', A) \supset \mathrm{Rflct}\ T(i, \{\mathrm{release}\}) < \mathrm{Issue}\ T(i', A)$$

We confirmed that it was possible to write the Itanium MCM in this form.

## Lock and unlock of UPC MCM

If T locks x, then T' cannot lock x until T unlocks x.

$$\mathrm{Issue}\ T(\mathrm{Nop}, \{\mathrm{lock}(x)\}) < \mathrm{Issue}\ T'(i', \{\mathrm{lock}(x)\}) \supset \mathrm{Issue}\ T(\mathrm{Nop}, \{\mathrm{lock}(x)\}) < \mathrm{Issue}\ T(\mathrm{Nop}, \{\mathrm{unlock}(x)\}) \land \mathrm{Issue}\ T(\mathrm{Nop}, \{\mathrm{unlock}(x)\}) < \mathrm{Issue}\ T'(i', \{\mathrm{lock}(x)\})$$

We confirmed that it was possible to write the UPC MCM in this form.

## Implementation: model checker generator

Skip!

# Experiments: model checking under MCMs

Skip!

## Related work


Relaxed memory consistency model is a hot topic.

[Yang et al. '05] proposes an operational specification framework UMM, which cannot handle speculative behaviors.

[Saraswat et al. '07] uses program transformations to reason about it.

[Boudol et al. '09] uses a process calculus to reason about it.

[Shen et al. '99] uses term rewriting to reason about it.

#### State explosion

A verification under an MCM suffers from state explosion.

Consider m threads with n instructions. Under an MCM that allows interleavings,



there exist ${}_{m \cdot n}C_n \cdot {}_{(m-1) \cdot n}C_n \cdots {}_{2 \cdot n}C_n \cdot {}_{n}C_n$ execution traces.

#### Partial order reduction based on a verified property

To check o < o', use time counters: *ABCD* means the state { $t_A = 1, t_B = 2, t_C = 3, t_D = 4$ }, and *ACBD* means the state { $t_A = 1, t_B = 3, t_C = 2, t_D = 4$ }.

Let us instead use the pairs of terms that occur in an MCM.

Assume an MCM is $A < B \supset C < D$.

Then the pairs of terms that occur in the MCM are $\{\langle A, B \rangle, \langle C, D \rangle\}$.

*ABCD* means the state { $t_{A < B}$ = true, $t_{C < D}$ = true }, and *ACBD* means the state { $t_{A < B}$ = true, $t_{C < D}$ = true }, too, so the two traces collapse into one state.
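The collapse described above, as an added Python example that is not part of the original slides: it evaluates the assumed MCM $A < B \supset C < D$ on time-counter states, abstracts each trace to the truth values of the pairs the MCM mentions, and counts how many distinct states remain over all 24 orderings of A, B, C, D.

```python
# Added example (not from the slides). Events and the pairs of terms that
# occur in the constructed MCM  A < B ⊃ C < D.
from itertools import permutations

EVENTS = "ABCD"
PAIRS = [("A", "B"), ("C", "D")]


def time_counter_state(trace):
    """Concrete state: a time counter per event, e.g. "ABCD" -> {A:1, B:2, ...}."""
    return {e: i + 1 for i, e in enumerate(trace)}


def pair_state(trace, pairs=PAIRS):
    """Abstract state: only the truth of o < o' for the pairs the MCM mentions."""
    t = time_counter_state(trace)
    return tuple(t[o] < t[o2] for o, o2 in pairs)


def mcm_holds(trace, pairs=PAIRS):
    """A < B ⊃ C < D evaluated on the abstract state of a trace."""
    a_before_b, c_before_d = pair_state(trace, pairs)
    return (not a_before_b) or c_before_d


def reduction(events=EVENTS, pairs=PAIRS):
    """(number of concrete states, number of abstract states) over all traces."""
    traces = ["".join(p) for p in permutations(events)]
    concrete = {tuple(sorted(time_counter_state(t).items())) for t in traces}
    abstract = {pair_state(t, pairs) for t in traces}
    return len(concrete), len(abstract)


if __name__ == "__main__":
    print("ABCD ->", pair_state("ABCD"), "ACBD ->", pair_state("ACBD"))
    print("concrete vs abstract states:", reduction())
    for tr in ("ABCD", "ABDC", "BADC"):
        print(tr, "satisfies MCM:", mcm_holds(tr))
```

Because the MCM only ever asks whether A precedes B and whether C precedes D, every permutation maps onto one of four abstract states, which is the partial order reduction the slide is after.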

### Theorem proving using partial order reduction

| Thread 1                   | Thread 2                   |
|----------------------------|----------------------------|
| store $x \leftarrow 1$;    | store $y \leftarrow 2$;    |
| flush $x$;                 | flush $y$;                 |
| barrier;                   | barrier;                   |
| load $r_1 \leftarrow y$;   | load $r_2 \leftarrow x$;   |

Question.  $r_1 = 2 \land r_2 = 1$ ?

## Merging triples in backward searches

$$\Pi_1(G_1) \quad \{y = 2 \land r_2 = 1\}\ \mathsf{load}^1\, r_1 \leftarrow y\ \{r_1 = 2 \land r_2 = 1\}$$
$$\{?\}\ G\ \{r_1 = 2 \land r_2 = 1\}$$

$$\{y = 2 \land x = 1\}\ \mathsf{load}^1\, r_1 \leftarrow y\ \{r_1 = 2 \land x = 1\}$$
$$\{?\}\ G_2\ \{r_1 = 2 \land x = 1\}$$

#### Semantics of programs with shared memories

$$\mathsf{load}^i\, r \leftarrow x, \langle \sigma, s \rangle \Downarrow \langle \sigma[r \coloneqq \langle x \rangle_{\sigma}], s \rangle$$

$$\mathsf{store}^{i}\, x \leftarrow e, \langle \sigma, s \rangle \Downarrow \langle \sigma, s[x \coloneqq \langle e \rangle_{\sigma}] \rangle$$

$$\frac{G, \langle \sigma, s \rangle \Downarrow \langle \sigma', s' \rangle \qquad \langle \sigma', s' \rangle \Rightarrow \langle \sigma'', s'' \rangle}{G, \langle \sigma, s \rangle \Downarrow \langle \sigma'', s'' \rangle}$$

The  $\Rightarrow$  on  $\langle \sigma, s \rangle$  is defined as the smallest reflexive and transitive closure that contains  $\langle \sigma, s \rangle \Rightarrow \langle \sigma[s \upharpoonright \{x\}], s \setminus \{x\} \rangle$ .

$$\frac{G \setminus \{C\}, \langle \sigma, s \rangle \Downarrow \langle \sigma', s' \rangle \qquad \{C\}, \langle \sigma', s' \rangle \Downarrow \langle \sigma'', s'' \rangle \qquad C \text{ is not } \dots}{G, \langle \sigma, s \rangle \Downarrow \langle \sigma'', s'' \rangle}$$

#### Hoare logic for dependence graphs

Define a dependence graph from a program and an MCM.

$$E := r \mid x \mid \overline{x}$$
$$\Phi := E = E \mid E \le E \mid \neg \Phi \mid \Phi \supset \Phi \mid \forall r. \Phi \mid \forall x. \Phi \mid \forall \overline{x}. \Phi$$

$$\{[x/r]\Phi\}\ \mathsf{load}^i\, r \leftarrow x\ \{\Phi\}$$

$$\{[e/\overline{x}](\Phi \land [e/x]\Phi)\}\ \mathsf{store}^i\, x \leftarrow e\ \{\Phi\}$$

$$\frac{\forall C \in L(G) \qquad \{\Phi\}\ G \setminus C\ \{\Upsilon\} \qquad \{\Upsilon\}\ C\ \{\Psi\}}{\{\Phi\}\ G\ \{\Psi\}}$$

The logic is sound and relatively complete with respect to the semantics.

#### Related work

[Owicki & Gries 1976] gives a Hoare logic for parallel programs.

[Jones 1981] gives a compositional Hoare logic by using the so-called rely/guarantee method.

[O'Hearn 2007] gives a separation logic for concurrent programs with shared memories.

[Kojima & Igarashi 2013] gives a Hoare logic for Single Instruction Multiple Data (SIMD) programs.

# Summary

- Propose a base model on which we discuss MCMs,
- define a set of formulas to describe MCMs,
  - confirm that the Itanium and UPC MCMs can be written in it,
- develop a model checker generator that takes an MCM, and
- demonstrate some experiments.
- Give semantics of programs with shared memories,
- define MCMs as translations from programs into graphs, and
- give a sound and relatively complete Hoare logic for graphs.