ABSTRACT
Verifying concurrent programs is challenging due to the exponentially large thread interleaving space. The problem is exacerbated by relaxed memory models such as Total Store Order (TSO) and Partial Store Order (PSO) which further explode the interleaving space by reordering instructions. A recent advance, Maximal Causality Reduction (MCR), has shown great promise to improve verification effectiveness by maximally reducing redundant explorations. However, the original MCR only works for the Sequential Consistency (SC) memory model, but not for TSO and PSO. In this paper, we develop novel extensions to MCR by solving two key problems under TSO and PSO: 1) generating interleavings that can reach new states by encoding the operational semantics of TSO and PSO with first-order logical constraints and solving them with SMT solvers, and 2) enforcing TSO and PSO interleavings by developing novel replay algorithms that allow executions out of the program order. We show that our approach successfully enables MCR to effectively explore TSO and PSO interleavings. We have compared our approach with a recent Dynamic Partial Order Reduction (DPOR) algorithm for TSO and PSO and a SAT-based stateless model checking approach. Our results show that our approach is much more effective than the other approaches for both state-space exploration and bug finding – on average it explores 5-10X fewer executions and finds many bugs that the other tools cannot find.
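The abstract's key idea is that TSO and PSO admit executions that leave program order because stores sit in per-thread (TSO) or per-thread-per-variable (PSO) FIFO buffers before draining to memory. The following Python is an added illustration, not the paper's tool: instead of encoding these operational semantics as SMT constraints, it enumerates them explicitly and exhaustively explores two constructed litmus tests (store buffering, `SB`, and message passing, `MP`), showing which weak outcomes become reachable under each model and how the state space grows.

```python
def _set(items, key, val):
    """Functional update of a sorted (key, val) tuple used as an immutable dict."""
    d = dict(items)
    d[key] = val
    return tuple(sorted(d.items()))

def _step(prog, state, model):
    """Yield successor states: one instruction of any thread, or one buffer flush."""
    pcs, mem, regs, bufs = state
    for t, thread in enumerate(prog):
        buf = bufs[t]
        if pcs[t] < len(thread):                  # thread t issues its next instruction
            op, var, arg = thread[pcs[t]]
            pcs2 = pcs[:t] + (pcs[t] + 1,) + pcs[t + 1:]
            if op == "st" and model == "sc":      # SC: a store reaches memory at once
                yield (pcs2, _set(mem, var, arg), regs, bufs)
            elif op == "st":                      # TSO/PSO: the store parks in t's buffer
                yield (pcs2, mem, regs, bufs[:t] + (buf + ((var, arg),),) + bufs[t + 1:])
            else:                                 # load: newest own buffered store wins
                own = [v for x, v in buf if x == var]
                val = own[-1] if own else dict(mem).get(var, 0)
                yield (pcs2, mem, _set(regs, arg, val), bufs)
        # Flush actions. TSO drains one FIFO in program order; PSO keeps a FIFO per
        # variable, so the oldest pending store to *any* variable may drain first.
        heads = [0] if buf and model == "tso" else []
        if buf and model == "pso":
            heads = [[x for x, _ in buf].index(v) for v in {x for x, _ in buf}]
        for i in heads:
            var, val = buf[i]
            yield (pcs, _set(mem, var, val), regs, bufs[:t] + (buf[:i] + buf[i + 1:],) + bufs[t + 1:])

def explore(prog, model):
    """Exhaustive DFS; returns (reachable final register valuations, states visited)."""
    init = (tuple(0 for _ in prog), (), (), tuple(() for _ in prog))
    seen, stack, finals = {init}, [init], set()
    while stack:
        st = stack.pop()
        pcs, _, regs, bufs = st
        if all(pcs[t] == len(prog[t]) for t in range(len(prog))) and not any(bufs):
            finals.add(regs)                      # all threads done, all buffers drained
        for nxt in _step(prog, st, model):
            if nxt not in seen:
                seen.add(nxt); stack.append(nxt)
    return finals, len(seen)
# Constructed litmus tests (added example, not the paper's benchmarks):
# ("st", var, value) stores, ("ld", var, register) loads; memory starts at 0.
SB = ([("st", "x", 1), ("ld", "y", "r0")], [("st", "y", 1), ("ld", "x", "r1")])  # store buffering
SB_WEAK = (("r0", 0), ("r1", 0))  # both loads miss the other thread's store: TSO and PSO only
MP = ([("st", "x", 1), ("st", "y", 1)], [("ld", "y", "r0"), ("ld", "x", "r1")])  # message passing
MP_WEAK = (("r0", 1), ("r1", 0))  # flag seen but payload stale: needs store reordering, PSO only
```

`explore(SB, "sc")` never reaches `SB_WEAK` while `explore(SB, "tso")` does, and only `explore(MP, "pso")` reaches `MP_WEAK`; the second return value shows the extra buffer states that make the TSO and PSO spaces larger than the SC one.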
Maximal causality reduction for TSO and PSO. OOPSLA '16.