Common Compiler Optimisations are Invalid in the C11 Memory Model and what we can do about it

Vafeiadis, Viktor; Balabonski, Thibaut; Chakraborty, Soham; Morisset, Robin; Nardelli, Francesco Zappa

doi:10.1145/2676726.2676995

Cited by 102 publications

(88 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As part of this process, they produced a verified compilation scheme from C11/C++11 onto the x86, ARM, and Power MCMs [8,45]. Vafeiadis et al developed various methods for proving the correctness of operations performed within a C11 compiler [53,54]. Petri et al developed an operational model of Java which specifically focused on its mapping onto x86 and Power [42].…”

Section: Related Workmentioning

confidence: 99%

TriCheck

Trippel

Manerkar

Lustig

et al. 2017

Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Syst

View full text Add to dashboard Cite

Memory consistency models (MCMs) which govern intermodule interactions in a shared memory system, are a significant, yet often under-appreciated, aspect of system design. MCMs are defined at the various layers of the hardwaresoftware stack, requiring thoroughly verified specifications, compilers, and implementations at the interfaces between layers. Current verification techniques evaluate segments of the system stack in isolation, such as proving compiler mappings from a high-level language (HLL) to an ISA or proving validity of a microarchitectural implementation of an ISA. This paper makes a case for full-stack MCM verification and provides a toolflow, TriCheck, capable of verifying that the HLL, compiler, ISA, and implementation collectively uphold MCM requirements. The work showcases TriCheck's ability to evaluate a proposed ISA MCM in order to ensure that each layer and each mapping is correct and complete. Specifically, we apply TriCheck to the open source RISC-V ISA [55], seeking to verify accurate, efficient, and legal compilations from C11. We uncover under-specifications and potential inefficiencies in the current RISC-V ISA documentation and identify possible solutions for each. As an example, we find that a RISC-V-compliant microarchitecture allows 144 outcomes forbidden by C11 to be observed out of 1,701 litmus tests examined. Overall, this paper demonstrates the necessity of full-stack verification for detecting MCM-related bugs in the hardware-software stack.Keywords computer architecture, heterogeneous parallelism, memory consistency, shared memory, verification, compilation, C11, RISC-V Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and /or a fee. Request permissions from permissions@acm.org.

show abstract

Section: Related Workmentioning

confidence: 99%

TriCheck

Trippel

Manerkar

Lustig

et al. 2017

Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Syst

View full text Add to dashboard Cite

show abstract

“…• the reads-from relation links write events to read events, such that every read observes exactly one write, and the locations and 5 This set is sometimes called the 'pre-executions' [7] or the 'opsems' [39]. values match; that is,…”

Section: C11 Executionsmentioning

confidence: 99%

“…The C11 memory model has been formalised by several researchers, in varying degrees of completeness, and with varying degrees of fidelity to the standard [2,7,38]. These formalisation efforts have proved fruitful; they have, for instance, enabled the construction of simulators that automatically explore the allowed behaviours of small C11 programs (called litmus tests) [2,7,13,29], underpinned the design of program logics for specifying and verifying C11 programs [37,38], and they provide a firm foundation for ongoing debate about the design of the C11 memory model itself [10,39]. The OpenCL memory model (introduced in version 2.0 of the standard) has received comparatively little academic attention, with the notable exception of the work of Gaster et al [17], which we discuss further in §7.…”

Section: Introductionmentioning

confidence: 99%

Overhauling SC atomics in C11 and OpenCL

Batty

Donaldson

Wickerson

2016

Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

View full text Add to dashboard Cite

Despite the conceptual simplicity of sequential consistency (SC), the semantics of SC atomic operations and fences in the C11 and OpenCL memory models is subtle, leading to convoluted prose descriptions that translate to complex axiomatic formalisations. We conduct an overhaul of SC atomics in C11, reducing the associated axioms in both number and complexity. A consequence of our simplification is that the SC operations in an execution no longer need to be totally ordered. This relaxation enables, for the first time, efficient and exhaustive simulation of litmus tests that use SC atomics. We extend our improved C11 model to obtain the first rigorous memory model formalisation for OpenCL (which extends C11 with support for heterogeneous many-core programming). In the OpenCL setting, we refine the SC axioms still further to give a sensible semantics to SC operations that employ a 'memory scope' to restrict their visibility to specific threads. Our overhaul requires slight strengthenings of both the C11 and the OpenCL memory models, causing some behaviours to become disallowed. We argue that these strengthenings are natural, and that all of the formalised C11 and OpenCL compilation schemes of which we are aware (Power and x86 CPUs for C11, AMD GPUs for OpenCL) remain valid in our revised models. Using the HERD memory model simulator, we show that our overhaul leads to an exponential improvement in simulation time for C11 litmus tests compared with the original model, making exhaustive simulation competitive, time-wise, with the non-exhaustive CDSChecker tool.[Copyright notice will appear here once 'preprint' option is removed.] 1 Threads in OpenCL are also called work-items. 2015/11/4 33 [23 (49/29-33)] 34 [23 (58/24-27)] 35 [23 (51/15-17)] 36 [23 (51/18-20)] 37 [23 (49/12-13)]

show abstract

“…In this section, we try to give some intuition for the semantics of these operations. Thorough, formal presentations of the C11 memory model can be found in Batty et al [3] and Vafeiadis et al [20].…”

Section: Release-acquire Semanticsmentioning

confidence: 99%

“…There are several reasons. First, the semantics of C11's release-acquire mode has been fully formalized [3], rendering our RCU implementation amenable to formal verification, and unlike several other features of the C11 model [20], its semantics is relatively uncontroversial. Second, release-acquire semantics, while significantly weaker than SC, nevertheless provides sufficiently strong synchronization to guarantee safety of our RCU implementation.…”

Section: Introductionmentioning

confidence: 99%

Verifying read-copy-update in a logic for weak memory

Tassarotti

Dreyer

Vafeiadis

2015

Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

Read-Copy-Update (RCU) is a technique for letting multiple readers safely access a data structure while a writer concurrently modifies it. It is used heavily in the Linux kernel in situations where fast reads are important and writes are infrequent. Optimized implementations rely only on the weaker memory orderings provided by modern hardware, avoiding the need for expensive synchronization instructions (such as memory barriers) as much as possible.Using GPS, a recently developed program logic for the C/C++11 memory model, we verify an implementation of RCU for a singlylinked list assuming "release-acquire" semantics. Although releaseacquire synchronization is stronger than what is required by real RCU implementations, it is nonetheless significantly weaker than the assumption of sequential consistency made in prior work on RCU verification. Ours is the first formal proof of correctness for an implementation of RCU under a weak memory model.

show abstract

Common Compiler Optimisations are Invalid in the C11 Memory Model and what we can do about it

Cited by 102 publications

References 22 publications

TriCheck

TriCheck

Overhauling SC atomics in C11 and OpenCL

Verifying read-copy-update in a logic for weak memory

Contact Info

Product

Resources

About