Owicki-Gries Reasoning for C11 RAR

Dalvandi, Sadegh; Doherty, Simon; Dongol, Brijesh; Wehrheim, Heike

doi:10.4230/lipics.ecoop.2020.11

Cited by 16 publications

(41 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the literature reasoning about memory models is often with respect to orderings over global event traces, rather than per-process reorderings. Our approach, e.g., to prepare for the application of the Owicki-Gries method, appears to be simpler than techniques that incorporate memory model constraints directly [13,33,61]. Furthermore, we could have instead chosen to apply rely/guarantee reasoning [51,52] once the programs were reduced to concurrent sequential processes.…”

Section: Discussionmentioning

confidence: 99%

Parallelized sequential composition, pipelines, and hardware weak memory models

Colvin

2021

Preprint

View full text Add to dashboard Cite

Since the introduction of the CDC 6600 in 1965 and its "scoreboarding" technique processors have not (necessarily) executed instructions in program order. Programmers of highlevel code may sequence independent instructions in arbitrary order, and it is a matter of significant programming abstraction and computational efficiency that the processor can be relied upon to make sensible parallelizations/reorderings of low-level instructions to take advantage of, for instance, multiple arithmetic units. At the architectural level such reordering is typically implemented via a per-processor pipeline, into which instructions are fetched in order, but possibly committed out of order depending on local considerations, provided any reordering preserves sequential semantics from that processor's perspective. However, multiprocessing and multicore architectures, where several pipelines run in parallel, can expose these processor-level reorderings as unexpected, or "weak", behaviours. Such weak behaviours are hard to reason about, and (via speculative execution) underlie at least one class of widespread security vulnerability.In this paper we introduce a novel program operator, parallelized sequential composition, which can be instantiated with a function that controls the reordering of atomic instructions. The operator generalises both standard sequential composition and parallel composition, and when appropriately instantiated exhibits many of the weak behaviours of the well-known hardware weak memory models TSO, Release Consistency, ARM, and RISC-V. We show that the use of this program-level operator is equivalent to sequential execution with reordering via a pipeline. Encoding reordering as a programming language operator admits the application of established compositional techniques (such as Owicki-Gries) for reasoning about weak behaviours, and is convenient for abstractly expressing properties from the literature such as sequential consistency. The semantics and theory is encoded and verified in the Isabelle/HOL theorem prover, and we give an implementation of the pipeline semantics in the Maude rewriting engine and use it empirically to show conformance of the semantics against established models of ARM and RISC-V, and elucidate some stereotypical weak behaviours from the literature.

show abstract

Section: Discussionmentioning

confidence: 99%

Parallelized sequential composition, pipelines, and hardware weak memory models

Colvin

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…This can be achieved when the processor under test is a component of a system-on-chip (SoC) FPGA [Jain et al 2018]. Lastly, we will develop verification techniques for Ex86 and PEx86, including program logics such as those of [Dalvandi et al 2020;Vafeiadis 2016, 2017;Kaiser et al 2017;Raad et al 2020a;Turon et al 2014;Vafeiadis and Narayan 2013], and stateless model checking [Kokologiannakis et al 2021[Kokologiannakis et al , 2019aKokologiannakis and Vafeiadis 2020]. The latter would allow us to verify an Ex86/PEx86 program by exhaustively generating its executions and inspecting them for consistency/persistency violations.…”

Section: Related and Future Workmentioning

confidence: 99%

Extending Intel-x86 consistency and persistency: formalising the semantics of Intel-x86 memory types and non-temporal stores

Raad

Maranget

Vafeiadis

2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Existing semantic formalisations of the Intel-x86 architecture cover only a small fragment of its available features that are relevant for the consistency semantics of multi-threaded programs as well as the persistency semantics of programs interfacing with non-volatile memory. We extend these formalisations to cover: (1) non-temporal writes, which provide higher performance and are used to ensure that updates are flushed to memory; (2) reads and writes to other Intel-x86 memory types, namely uncacheable, write-combined, and write-through; as well as (3) the interaction between these features. We develop our formal model in both operational and declarative styles, and prove that the two characterisations are equivalent. We have empirically validated our formalisation of the consistency semantics of these additional features and their subtle interactions by extensive testing on different Intel-x86 implementations.

show abstract

“…Following Lahav et al [18], the so-called repairing or restricted C11 model (which is the model in [7,10,15]) instantiates sequence-before order to the program order relation [2]. This disallows statements within a thread from being executed out-of-order (although writes may be propagated to other threads in a relaxed manner).…”

Section: Operational Semantics With Relaxed Write Propagationmentioning

confidence: 99%

“…The proof described above has actually been encoded and checked using our existing Isabelle/HOL development [7,8] by manually encoding the re-ordering in thread 2. We aim to develop full mechanisation support as future work.…”

Section: Example Proofmentioning

confidence: 99%

“…Due to the complexity of C11 [4], many reasoning techniques have restricted themselves to particular fragments of the language by only allowing certain types of memory accesses and/or reordering behaviours. Several works (e.g., [7,10,15,17]) assume a memory model that guarantees that program order (aka sequenced-before order) is maintained [18]. While this restriction makes the logics and proofs of program correctness more manageable, it precludes reasoning about observable executions displaying certain real-world phenomena, e.g., those exhibited by the load-buffering litmus test under Power or ARMv7.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Owicki-Gries Reasoning for C11 Programs with Relaxed Dependencies (Extended Version)

Wright,

Batty,

Dongol

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Deductive verification techniques for C11 programs have advanced significantly in recent years with the development of operational semantics and associated logics for increasingly large fragments of C11. However, these semantics and logics have been developed in a restricted setting to avoid the thin-air-read problem. In this paper, we propose an operational semantics that leverages an intra-thread partial order (called semantic dependencies) induced by a recently developed denotational event-structure-based semantics. We prove that our operational semantics is sound and complete with respect to the denotational semantics. We present an associated logic that generalises a recent Owicki-Gries framework for RC11 (repaired C11), and demonstrate the use of this logic over several example proofs.

show abstract

Owicki-Gries Reasoning for C11 RAR

Cited by 16 publications

References 0 publications

Parallelized sequential composition, pipelines, and hardware weak memory models

Parallelized sequential composition, pipelines, and hardware weak memory models

Extending Intel-x86 consistency and persistency: formalising the semantics of Intel-x86 memory types and non-temporal stores

Owicki-Gries Reasoning for C11 Programs with Relaxed Dependencies (Extended Version)

Contact Info

Product

Resources

About