Reasoning about the C/C++ weak memory model

Transcription

1 Reasoning about the C/C++ weak memory model Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 13 October 2014

2 Talk outline I. Introduction Weak memory models The C11 concurrency model II. Verifying concurrent C11 programs Relaxed separation logic III. Verifying C11 compilers Which program transformations are allowed? IV. Debugging the model Checking for mathematical sanity Viktor Vafeiadis Reasoning about the C/C++ weak memory model 2/32

3 Sequential consistency Sequential consistency (SC): Interleave each thread s atomic accesses. The standard model for concurrency. Almost all verification work assumes it. Fairly intuitive. Initially, x = y = 0. x := 1; print(y); y := 1; print(x); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Reasoning about the C/C++ weak memory model 3/32

4 Sequential consistency Sequential consistency (SC): Interleave each thread s atomic accesses. The standard model for concurrency. Almost But allsc verification is invalidated workby: assumes it. Fairly intuitive. Compiler optimisations Initially, x = Hardware y = 0. implementations x := 1; print(y); y := 1; print(x); In SC, this program can print 01, 10, or 11. Viktor Vafeiadis Reasoning about the C/C++ weak memory model 3/32

5 Store buffering in x86-tso cpu 1 write... cpu n read... write-back Memory Initially, x = y = 0. x := 1; print(y); y := 1; print(x); This program can also print 00. Viktor Vafeiadis Reasoning about the C/C++ weak memory model 4/32

6 IRIW: Not just store buffering Initially, x = y = 0. x := 1 y := 1 print(x); no-reord-fence print(y); print(y); no-reord-fence print(x); Both threads can print 10. x:=1 y:=1 print(x) print(y) print(y) print(x) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 5/32

7 The C11 memory model Two types of locations: ordinary and atomic Races on ordinary accesses error A spectrum of atomic accesses: Relaxed no fence Release writes no fence (x86); lwsync (PPC) Acquire reads no fence (x86); isync (PPC) Seq. consistent full memory fence A few advanced features (fences, consume reads) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 6/32

8 Relaxed behaviour: store buffering Initially x = y = 0. x.store(1, rlx); t 1 = y.load(rlx); y.store(1, rlx); t 2 = x.load(rlx); This can return t 1 = t 2 = 0. Justification: W rlx (x, 1) R rlx (y, 0) [x = y = 0] W rlx (y, 1) R rlx (x, 0) Behaviour observed on x86/power/arm Viktor Vafeiadis Reasoning about the C/C++ weak memory model 7/32

9 Release-acquire synchronization: message passing Initially a = x = 0. a = 5; x.store(1, release); while (x.load(acq) == 0); print(a); This will always print 5. Justification: W na (a, 5) R acq (x, 1) W rel (x, 1) R na (a, 5) Release-acquire synchronization Viktor Vafeiadis Reasoning about the C/C++ weak memory model 8/32

10 Relaxed accesses don t synchronize Initially a = x = 0. a = 5; x.store(1, rlx); while (x.load(rlx) == 0); print(a); The program is racy undefined semantics. Justification: W na (a, 5) W rlx (x, 1) R rlx (x, 1) race R na (a,?) Relaxed accesses don t synchronize Viktor Vafeiadis Reasoning about the C/C++ weak memory model 9/32

11 Dependency cycles Initially x = y = 0. if (x.load(rlx) == 1) y.store(1, rlx); if (y.load(rlx) == 1) x.store(1, rlx); C11 allows the outcome x = y = 1. Justification: R rlx (x, 1) R rlx (y, 1) W rlx (y, 1) W rlx (x, 1) Relaxed accesses don t synchronize Viktor Vafeiadis Reasoning about the C/C++ weak memory model 10/32

12 Part II Verifying concurrent C11 programs Separation logic Relaxed separation logic

13 Separation logic Key concept of ownership : Resourceful reading of Hoare triples. P} C Q} To access a normal location, you must own it: x v } t = x x v t = v } x v } x = v x v } Disjoint parallelism: P1 } C1 Q1 } P2 } C2 Q2 } P1 P 2 } C1 C 2 Q1 Q 2 } Viktor Vafeiadis Reasoning about the C/C++ weak memory model 12/32

14 Relaxed separation logic (simplified) Joint work with Chinmay Narayan, published at OOPSLA 13 Ownership transfer by rel-acq synchronizations. Atomic allocation pick loc. invariant Q. Q(v) } x = alloc(v); WQ (x) R Q (x) } Release write give away permissions. Q(v) WQ (x) } x.store(v, rel); true } Acquire read gain permissions. RQ (x) } t = x.load(acq); Q(t) } Viktor Vafeiadis Reasoning about the C/C++ weak memory model 13/32

15 Message passing in RSL Let Q(v) def = v = 0 &a 7. true } atomic_int x = 0; int a = 0; &a 0 WQ (x) R Q (x) } &a 0 WQ (x) } a = 7; &a 7 WQ (x) } x.store(1, release); } true true } t = x.load(acq); t = 0 &a 7) } if (t 0) &a 7 } print(a); true } Viktor Vafeiadis Reasoning about the C/C++ weak memory model 14/32

16 Multiple readers/writers Write permissions can be duplicated: W Q (l) W Q (l) W Q (l) Read permissions cannot, but may be split: R Q1 Q 2 (l) R Q1 (l) R Q2 (l) a = 7; b = 8; x.store(1, rel); t = x.load(acq); if (t 0) print(a); t = x.load(acq); if (t 0) print(b); Viktor Vafeiadis Reasoning about the C/C++ weak memory model 15/32

17 Relaxed accesses Basically, disallow ownership transfer. Relaxed reads: RQ (x) } x.load(rlx) y. Q(y) false } Relaxed writes: Q(v) = emp WQ (x) } x.store(v, rlx) true } Viktor Vafeiadis Reasoning about the C/C++ weak memory model 16/32

18 Relaxed accesses Basically, disallow ownership transfer. Relaxed reads: RQ (x) } x.load(rlx) y. Q(y) false } Relaxed writes: Q(v) = emp WQ (x) } x.store(v, rlx) true } Unfortunately not sound because of a bug in the C11 memory model. Viktor Vafeiadis Reasoning about the C/C++ weak memory model 16/32

19 Dependency cycles in C11 Initially x = y = 0. if (x.load(rlx) == 1) y.store(1, rlx); if (y.load(rlx) == 1) x.store(1, rlx); The formal C11 model allows x = y = 1. Justification: R rlx (x, 1) W rlx (y, 1) R rlx (y, 1) W rlx (x, 1) Relaxed accesses don t synchronize Viktor Vafeiadis Reasoning about the C/C++ weak memory model 17/32

20 Dependency cycles in C11 Initially x = y = 0. if (x.load(rlx) == 1) y.store(1, rlx); if (y.load(rlx) == 1) x.store(1, rlx); The formal C11 model allows x = y = 1. What goes wrong: Non-relational invariants are unsound. x = 0 y = 0 The DRF-property does not hold. Viktor Vafeiadis Reasoning about the C/C++ weak memory model 17/32

21 Dependency cycles in C11 Initially x = y = 0. if (x.load(rlx) == 1) y.store(1, rlx); if (y.load(rlx) == 1) x.store(1, rlx); The formal C11 model allows x = y = 1. How to fix this: Don t use relaxed writes Require acyclic(sb rf ). (Disallow RW reodering.) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 17/32

22 Part III Towards verifying C11 compilers Which program transformations are allowed?

23 A study of optimisations under C11 Reorderings of memory accesses Elimination of redundant accesses (overwritten write, read after same R/W) (write after same read is invalid) Introduction of unused reads (invalid may race) Elimination of unused reads (only non-atomic, others may synchronise) Caveat: We must correct the model... Viktor Vafeiadis Reasoning about the C/C++ weak memory model 19/32

24 Valid instruction reorderings a ; b b ; a a \ b R sc R sc W na W rlx W rel C rlx acq C rel F acq F rel R na ( ) ( ) ( ) R rlx ( ) ( ) ( ) R acq W sc W sc C rlx rel ( ) ( ) ( ) C acq F acq = F rel = Roach motel semantics: Cannot move accesses out of critical regions Viktor Vafeiadis Reasoning about the C/C++ weak memory model 20/32

25 Redundant instruction eliminations Overwritten write: x.store(v, M) ; C ; x.store(v, M) C ; x.store(v, M) Read after write: x.store(v, M) ; C ; t = x.load(m ) x.store(v, M) ; C ; t = v C has no rel & no x accesses C has no acq & no x accesses Read after read: t = x.load(m) ; C ; t = x.load(m) C has no acq t = x.load(m) ; C ; t = t & no x accesses Viktor Vafeiadis Reasoning about the C/C++ weak memory model 21/32

26 Write-after-read elimination is invalid t = x.load(m) ; x.store(t, rlx) t = x.load(m) There could be a CAS in between y.store(1, rlx); fence(release); t 1 = x.load(rlx); x.store(t 1, rlx); x = y = 0; t 2 = x.cas(0, 1, acq); t 3 = y.load(rlx); t 4 = x.load(rlx); Can we get t 1 = t 2 = t 3 = 0 and t 4 = 1? Viktor Vafeiadis Reasoning about the C/C++ weak memory model 22/32

27 Part IV Debugging the model Checking mathematical sanity Monotonicity Prefix closure

28 Monotonicity Examples: Adding synchronisation should not introduce new behaviours Adding a memory fence Strengthening the access mode of an operation Reducing parallelism, C 1 C 2 C 1 ; C 2 Expression evaluation linearisation: x = a + b ; t 1 = a ; t 2 = b ; x = t 1 + t 2 ; (Roach motel reorderings) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 24/32

29 Obstacles to monotonicity 1. The axiom for non-atomic reads rf(b) = a (isna(a) isna(b)) = hb(a, b) (in combination with dependency cycles) 2. The axiom for SC reads 3. No intra-thread synchronisation Viktor Vafeiadis Reasoning about the C/C++ weak memory model 25/32

30 Sequentialisation is invalid a = 1; if (x.load(rlx) == 1) if (a == 1) y.store(1, rlx); if (y.load(rlx) == 1) x.store(1, rlx); [a = x = y = 0] W na (a, 1) R rlx (x, 1) R na (a, 1) R rlx (y, 1) W rlx (x, 1) W rlx (y, 1) rf(b) = a (isna(a) isna(b)) = hb(a, b) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 26/32

31 SC read restriction There shall be a single total order S on all seq_cst operations [... ] such that each seq_cst operation B that loads a value from an atomic object M observes one of the following values: the result of the last modification A of M that precedes B in S, if it exists, or if A exists, the result of some modification of M in the visible sequence of side effects with respect to B that is not seq_cst and that does not happen before A, or if A does not exist, [... ] [N1570, ] rf(b) = c issc(b) = iscr(c, b) issc(c) a. hb(c, a) iscr(a, b) where iscr(c, b) def = scr(c, b) d. scr(c, d) scr(d, b) scr(c, b) def = iswrite locs(b) (c) sc(c, b) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 27/32

32 Strengthening is invalid x.store(1, rlx); x.store(2, sc); y.store(1, sc); x.store(3, rlx); y.store(2, sc); y.store(3, sc); r = x.load(sc); s 1 = x.load(rlx); s 2 = x.load(rlx); s 3 = x.load(rlx); t 1 = y.load(rlx); t 2 = y.load(rlx); t 3 = y.load(rlx); r = s 1 = t 1 = 1 s 2 = t 2 = 2 s 3 = t 3 = 3 Disallowed W rlx (x, 1) W sc (x, 2) sc W sc (y, 1) sc W rlx (x, 3) W sc (y, 2) W sc (y, 3) sc sc R sc (x, 1) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 28/32

33 Strengthening is invalid x.store(1, rlx); x.store(2, sc); y.store(1, sc); x.store(3, sc); y.store(2, sc); y.store(3, sc); r = x.load(sc); r = s 1 = t 1 = 1 s 2 = t 2 = 2 s 3 = t 3 = 3 Allowed s 1 = x.load(rlx); s 2 = x.load(rlx); s 3 = x.load(rlx); t 1 = y.load(rlx); t 2 = y.load(rlx); t 3 = y.load(rlx); W rlx (x, 1) W sc (x, 2) sc W sc (y, 1) sc sc W sc (x, 3) sc W sc (y, 2) W sc (y, 3) sc sc R sc (x, 1) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 28/32

34 No intra-thread synchronisation Initially x = y = 0. a = 1; x.store(1, rel); if (x.load(cons)) y.store(1, rel); if (y.load(acq)) a = 2; sequentialise threads 2 & 3 a = 1; x.store(1, rel); if (x.load(cons)) y.store(1, rel); if (y.load(acq)) a = 2; Only different thread rel-acq synchronize. Proposed fix: drop this restriction Viktor Vafeiadis Reasoning about the C/C++ weak memory model 29/32

35 Prefix closure Removing (hb rf)-maximal events should preserve consistency Maximal events should not affect other events Does not hold because of release sequences Viktor Vafeiadis Reasoning about the C/C++ weak memory model 30/32

36 Release sequences are too strong Initially x = y = 0. a = 1; x.store(1, rel); x.store(3, rlx); while (x.load(acq) 3); a = 2; This program is not racy. The acquire synchronizes with the release. rselem(a, b) def = samethread(a, b) isrmw(b) rseq(a, b) def = a = b rselem(a, b) mo(a, b) ( c. mo(a, c) mo(c, b) rselem(a, c)) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 31/32

37 Release sequences are too strong Initially x = y = 0. a = 1; x.store(1, rel); x.store(3, rlx); while (x.load(acq) 3); a = 2; x.store(2, rlx); But this one is racy according to C11. The acquire no longer synchronizes with the release. rselem(a, b) def = samethread(a, b) isrmw(b) rseq(a, b) def = a = b rselem(a, b) mo(a, b) ( c. mo(a, c) mo(c, b) rselem(a, c)) Viktor Vafeiadis Reasoning about the C/C++ weak memory model 31/32

38 Summary The C11 memory model is broken But is largely fixable Dependency cycles still an open problem Tools for understanding weak memory models: Source-to-source program transformations Relaxed program logics Viktor Vafeiadis Reasoning about the C/C++ weak memory model 32/32