On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency

Size: px

Start display at page:

Download "On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency"

Emory Young
5 years ago
Views:

1 On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency Alex Horn and Daniel Kroening University of Oxford April 30, 2015

2 Outline What s Our Problem? Motivation and Example Background and Our Approach Our Theorems: Part I Definitions: Partial String, (Elementary) Programs Elementary Least Fixed Point Reduction Theorem Decidability Result for Elementary Programs Our Theorems: Part II Characterization of a weak memory semantics A new symbolic partial-order encoding 2 / 36

3 Motivation: The Real World Analyzing concurrent systems is hard. But today s computer architectures make this problem even harder! /* insertion sort ascending order */!! #include <stdio.h>!! thread() {! int n, array[1000], c, d, t;! printf("enter %d integers\n", n);! for (c = 0; c < n; c++) {! scanf("%d", &array[c]);! }! for (c = 1 ; c <= n - 1; c++) {! d = c;! while ( d > 0 && array[d] < array[d-1]) {! t = array[d];! array[d] = array[d-1];! array[d-1] = t;! d--;! }! }! }! thread() { printf( Hi there!\n ); }!! /* insertion sort ascending order */!! #include <stdio.h>!! thread() {! int n, array[1000], c, d, t;! printf("enter %d integers\n", n);! for (c = 0; c < n; c++) {! scanf("%d", &array[c]);! }! for (c = 1 ; c <= n - 1; c++) {! d = c;! while ( d > 0 && array[d] < array[d-1]) {! t = array[d];! array[d] = array[d-1];! array[d-1] = t;! d--;! }! }! }! thread() { printf( Hi there!\n ); }! Past Present This has renewed interest in partial-order concurrency semantics. 3 / 36

4 The Real World: An Example Let x and y be a memory location that are initialized to zero, i.e. initially [x] = [y] = 0. Here s a concurrent program T 1 T 2 : Thread T 1 Thread T 2 [x] := 1 [y] := 1 local i 1 := [y] local i 2 := [x] Is it possible that i i = i 2 = 0? 4 / 36

5 The Real World: An Example Let x and y be a memory location that are initialized to zero, i.e. initially [x] = [y] = 0. Here s a concurrent program T 1 T 2 : Thread T 1 Thread T 2 [x] := 1 [y] := 1 local i 1 := [y] local i 2 := [x] Is it possible that i i = i 2 = 0? That depends... It is impossible that i 1 = i 2 = 0 under sequential consistency (SC). But i 1 = i 2 = 0 is allowed by weaker forms of consistency (WMM). Such behaviours have been recently formalized by Alglave et al. WMMs exist for x86, Power, ARM etc. 5 / 36

SAT/SMT-based Verification Techniques The

procedures: CBMC: /* insertion sort ascending order

$printf("enter %d integers\n", n);!$ for (c = 0; c < n; c++) {! scanf("%d", &array[c]);!

while ( d > 0 && array[d] < array[d-1]) {!

$}! }! thread() { printf( Hi there!\n ); }!$

6 SAT/SMT-based Verification Techniques The state-of-the-art bounded model checker (CBMC) by Tautschnig et al. supports WMMs by leveraging off-the-shelf decision procedures: CBMC: /* insertion sort ascending order */!! #include <stdio.h>!! thread() {! int n, array[1000], c, d, t;! printf("enter %d integers\n", n);! for (c = 0; c < n; c++) {! scanf("%d", &array[c]);! }! for (c = 1 ; c <= n - 1; c++) {! d = c;! while ( d > 0 && array[d] < array[d-1]) {! t = array[d];! array[d] = array[d-1];! array[d-1] = t;! d--;! }! }! }! thread() { printf( Hi there!\n ); }! Boolean Formula ϕ Input Output CBMC symbolically encodes the concurrency exhibited by the unrolled program. This way CBMC found concurrency bugs in, and. 6 / 36

7 CKA: A Unifying Concurrency Semantics Over 40 years of research have gone into concurrency semantics. Most recently, Hoare et al. have proposed an algebraic concurrency semantics, called Concurrent Kleene Algebra (CKA). Hoare and van Staden show that CKA unifies classical programming and process calculi, including those due to Hoare, Milner and Kahn. Crucially, CKA s unifying power rests on the uniform treatment of specifications and programs, and sequential (;) and parallel ( ) operators which together satisfy the so-called exchange law (U V); (X Y) (U; X ) (V; Y), among other laws. O Hearn shows that there is a strong connection between CKA (particularly its exchange law) and separation logic. 7 / 36

8 Our Approach WMM SAT/SMT CKA Partial strings Example: A string abac versus, say, partial string (ab) (ac). Partial strings resemble Gischer s pomsets except that we use Ésik s monotonic bijective morphism to define a refinement relation ( ). Example: e 0 e 2 e 0 e 2 e 1 e 3 }{{} x e 1 e 3 }{{} y where α x (e 0 ) = α y (e 0) etc. 8 / 36

9 Our Approach WMM SAT/SMT CKA Partial strings Example: A string abac versus, say, partial string (ab) (ac). Partial strings resemble Gischer s pomsets except that we use Ésik s monotonic bijective morphism to define a refinement relation ( ). Example: e 0 e 2 e 0 e 2 e 1 e 3 }{{} x e 1 e 3 }{{} y where α x (e 0 ) = α y (e 0) etc. 9 / 36

10 Problems 1. The decidability of the equational theory of the pomset (partial-string) language closed under least fixed point, sequential and concurrent operators, and the exchange law is an open problem The best known upper bound for the size of symbolic partial-order encodings of WMMs is cubic in the maximal number of shared memory accesses. 2 This is prohibitively large. 1 Laurence, M.R., Struth, G.: Completeness theorems for Bi-Kleene algebras and series-parallel rational pomset languages. RAMiCS Alglave, J., Kroening, D., Tautschnig, M.: Partial orders for efficient bounded model checking of concurrent software. CAV / 36

11 Our Contributions We give new fundamental results on partial-order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency: 1. We give a decidability result for a fragment of the partial-string model of CKA using our least fixed point reduction theorem. 2. By further restricting our partial-string model, we interpret a particular form of weak memory (SC-relaxed consistency) which, on a certain subset of reads and writes, is shown to be equivalent to the conjunction of three fundamental and extensively studied weak memory axioms by Alglave et al. 3. Under the assumptions of bounded model checking, we prove the existence of an asymptotically smaller quantifier-free first-order logic formula that has only O(N 2 ) constraints compared to the state-of-the-art O(N 3 ) partial-order encoding in CBMC. 11 / 36

12 Part I How does CKA connect to SAT/SMT-based encodings? WMM SAT/SMT CKA Partial strings 12 / 36

13 Example: Partial String e 0 e 2 e 1 e 3 Thread T 1 Thread T 2 [x] := 1 [y] := 1 local i 1 := [y] local i 2 := [x] A partial string p = E p, α p, p where E p {e 0, e 1, e 2, e 3 } is a set of events, partially ordered by p, e.g. e 0 p e 1 but e 0 p e 3. Here, p may be seen as a happens-before relation, e.g. e 0 happens-before e 1. We call α p : E p Γ the labelling function, e.g. α p (e 0 ) = [x] := 1. We therefore can distinguish events as loads and stores on a memory location. The set of all memory locations is denoted by ADDRESS. Denote with P f the set of finite partial strings. That is to say, for all partial strings p in P f, the event set E p is finite. 13 / 36

14 Example: Partial String Operators e 0 e 0 e 0 e 1 e 1 e 2 e 1 e 2 e 2 (a) (b) (c) (d) Figure (c) and (d) depict a b and a; b, respectively. With an appropriate coproduct construction, it can be then shown that P f is closed under both and ; operators. 14 / 36

15 Towards Programs A single partial string is not always expressive enough. Example: if * then P else Q So we lift ; and on partial strings to sets of partial strings. 3 It is well-known that these should not be any kind of sets. They must be downward-closed with respect to (see next slide). 3 Rather than using Winskel et al. s conflict relation, we resort to the simpler Hoare powerdomain construction. 15 / 36

16 Program Abstraction Definition (Partial string refinement) Let x, y P be partial strings such that x = E x, α x x and y = E y, α y, y. A monotonic bijective morphism from y to x, written f : y x, is a one-to-one and onto function f from E y to E x such that, for all events e, e E y, if e y e, then f (e) x f (e ) and α y (e) = α x (f (e)). Then x is said to refine y, denoted by x y, if there exists a monotonic bijective morphism f : y x from y to x. Definition (Program) A program is a downward-closed set of finite partial strings with respect to ; equivalently X P f is a program if X = X where X {y P f x X : y x}. Let P be the family of programs. Lift both partial string operators to programs, e.g. P Q and P; Q. When convenient, we abbreviate P Q or P; Q by P Q. 16 / 36

17 Remarks: Downward Closure of Programs Recall that a program X in P satisfies X = X where X {y P f x X : y x}. Remarks: Note that X should not be confused with the prefix closure in configurations of (prime) event structures. Instead (like Gischer s subsumption ordering) X = X says that a program over-approximates all its possible implementations. This can serve as the basis for modelling data flow. Example: e 0 e 2 e 0 X = e 1 e 3, e 1 e 2 e 0 e 3, e 1 e 2 e 3, / 36

18 Theorem (Folklore) The structure S = P,,, 0, 1, ;, is a complete lattice, ordered by subset inclusion (i.e. X Y exactly if X Y = Y), such that and ; form unital quantales over where S satisfies the following: (U V); (X Y) (U; X ) (V; Y) X (Y Z) = (X Y) Z X X = X X Y = Y X X 1 = 1 X = X X 0 = 0 X = X X Y = Y X X ; 1 = 1; X = X X 0 = 0 X = 0 X ; 0 = 0; X = 0 X (Y Z) = (X Y) (X Z) X ; (Y Z) = (X ; Y) (X ; Z) (X Y) Z = (X Z) (Y Z) (X Y); Z = (X ; Z) (Y; Z) X (Y Z) = (X Y) Z X ; (Y; Z) = (X ; Y); Z P = µx.1 (P X ) P ; = µx.1 (P; X ) 18 / 36

19 Theorem (Folklore) The structure S = P,,, 0, 1, ;, is a complete lattice, ordered by subset inclusion (i.e. X Y exactly if X Y = Y), such that and ; form unital quantales over where S satisfies the following: (U V); (X Y) (U; X ) (V; Y) X (Y Z) = (X Y) Z X X = X X Y = Y X X 1 = 1 X = X X 0 = 0 X = X X Y = Y X X ; 1 = 1; X = X X 0 = 0 X = 0 X ; 0 = 0; X = 0 X (Y Z) = (X Y) (X Z) X ; (Y Z) = (X ; Y) (X ; Z) (X Y) Z = (X Z) (Y Z) (X Y); Z = (X ; Z) (Y; Z) X (Y Z) = (X Y) Z X ; (Y; Z) = (X ; Y); Z P = µx.1 (P X ) P P ; = µx.1 (P; X ) 19 / 36

20 Elementary Least Fixed Point Reduction Definition (Elementary program) A program P in P is called elementary whenever P = Q for some finite and nonempty set of finite partial strings Q. Denote with P l the set of elementary programs. Definition (n-iterated- -program-composition) For every program P in P and non-negative integer n in N 0, define P 0 1 to be the identity program and P (n+1) P P n. Theorem (Elementary least fixed point reduction) For every elementary program X and Y in P l, if 1 Y, then X Y is equivalent to X n k 0 Yk with n = lx ly where l X max { x x X } and l Y min { y y Y} is the length of the longest and shortest partial strings in X and Y, respectively. 20 / 36

21 Decision problem/procedure Partial string refinement (PSR) INPUT: Let x and y be finite partial strings. QUESTION: Is x y? Elementary program refinement- (EPR ) INPUT: Let X and Y be elementary programs in P l. QUESTION: Is X Y? Theorem (Decidability) The PSR problem is NP-complete. The EPR problem can be decided by calling an NP-complete decision procedure O ( X Y n ) times where n = lx ly (see previous slide). 21 / 36

22 Part II How do WMMs connect with SAT/SMT-based encodings? WMM SAT/SMT CKA Partial strings 22 / 36

23 Three Memory Axioms We adopt three memory axioms in the style of Alglave et al.: 1. Write consistency axiom 2. Read-from and synchronizes-with axiom 3. From-read axiom On the next slides, we recall those in turn. In this talk, we take the liberty to paraphrase some of our results. 23 / 36

24 Definition (Write consistency) Henceforth, let x be a partial string. Write-coherence means that all stores s, s on the same memory location are totally ordered by x. Example: We can think of stores per memory location ordered along a timeline. s 1 s 2 s 2 s 1 Quote (among many potential others): [A]ll writes to the same location are serialized in some order and are performed in that order with respect to any processor. 4 4 Gharachorloo, K., Lenoski, D.,Laudon, J., Gibbons, P., Gupta, A., Hennessy, J.: Memory consistency and event ordering in scalable shared-memory multiprocessors. SIGARCH Comput. Archit. News 18(2SI) (May 1990) / 36

25 Definition (Read-from and synchronizes-with) The read-from function, written rf, is defined to map every load to some store on the same memory location. A load l synchronizes-with a store s if rf(l) = s implies s x l. Example: s l s 25 / 36

26 Definition (Read-from and synchronizes-with) The read-from function, written rf, is defined to map every load to some store on the same memory location. A load l synchronizes-with a store s if rf(l) = s implies s x l. Example: l rf s s 26 / 36

27 Definition (From-read) The from-read axiom holds whenever, for all loads l and stores s, s on the same memory location, if rf(l) = s and s x s, then l x s. Example: l rf s s 27 / 36

28 Definition (From-read) The from-read axiom holds whenever, for all loads l and stores s, s on the same memory location, if rf(l) = s and s x s, then l x s. Example: l rf s s hb 28 / 36

29 Definition (From-read) The from-read axiom holds whenever, for all loads l and stores s, s on the same memory location, if rf(l) = s and s x s, then l x s. Example: l rf fr s s hb 29 / 36

30 Characterization of SC-relaxed Programs Definition (SC-relaxed program) A program X is called SC-relaxed if, for all a ADDRESS and partial string x in X, all stores on a are totally ordered by x and, for every load l E x and store s E x on a, l x s or s x l. 30 / 36

31 Characterization of SC-relaxed Programs Definition (SC-relaxed program) A program X is called SC-relaxed if, for all a ADDRESS and partial string x in X, all stores on a are totally ordered by x and, for every load l E x and store s E x on a, l x s or s x l. Definition (Read consistency) Let a ADDRESS and x P f. For all loads l E x on memory location a, define H x (l) {s E x : s x l and s is a store on a}. The read-from function rf is said to satisfy weak read consistency if, for all loads l E x and stores s E x on memory location a, the least upper bound H x (l) exists, and rf(l) = s implies H x (l) x s; strong read consistency implies rf(l) = s = H x (l). 31 / 36

32 Characterization of SC-relaxed Programs Definition (SC-relaxed program) A program X is called SC-relaxed if, for all a ADDRESS and partial string x in X, all stores on a are totally ordered by x and, for every load l E x and store s E x on a, l x s or s x l. Definition (Read consistency) Let a ADDRESS and x P f. For all loads l E x on memory location a, define H x (l) {s E x : s x l and s is a store on a}. The read-from function rf is said to satisfy weak read consistency if, for all loads l E x and stores s E x on memory location a, the least upper bound H x (l) exists, and rf(l) = s implies H x (l) x s; strong read consistency implies rf(l) = s = H x (l). Definition (SC-relaxed consistency) We speak of SC-relaxed consistency whenever a program is SC-relaxed and it satisfies read consistency. 32 / 36

33 Characterization of SC-relaxed Programs Theorem (SC-relaxed Consistency Characterization) SC-relaxed consistency is equivalent to the conjunction of the synchronizes-with, write-coherence and from-read axioms with respect to all events on the same memory location. This theorem has as consequence a new symbolic partial-order encoding (next slide). 33 / 36

34 Theorem (Asymptotically smaller partial-order encoding) Given an elementary program that satisfies SC-relaxed consistency, there exists an asymptotically smaller quantifier-free first-order logic encoding of the from-read axiom. Recall: the purpose of the from-read axiom is to say how values are overwritten in memory. The idea behind the theorem is to encode this as a supremum of write events that happen-before a read. This theorem matters because it can significantly decrease the intermediate steps required in CBMC to build the Boolean formula φ. 34 / 36

35 Concluding Remarks Our work gives denotational concurrency semantics a new practical dimension because we show how partial-strings connect to solving NP-hard problems with highly optimized optimized SAT/SMT solvers: Elementary least fixed point reduction theorem Asymptotically smaller partial-order encoding In upcoming work, we experimentally evaluate the cubic- and quadratic-size encoding using four state-of-the-art SMT solvers and four SMT-LIB theory combinations, including QF_LIA and QF_BV. 35 / 36

36 Concluding Remarks Our work gives denotational concurrency semantics a new practical dimension because we show how partial-strings connect to solving NP-hard problems with highly optimized optimized SAT/SMT solvers: Elementary least fixed point reduction theorem Asymptotically smaller partial-order encoding In upcoming work, we experimentally evaluate the cubic- and quadratic-size encoding using four state-of-the-art SMT solvers and four SMT-LIB theory combinations, including QF_LIA and QF_BV. Thank you! 36 / 36

Categorical models of type theory

1 / 59 Categorical models of type theory Michael Shulman February 28, 2012 2 / 59 Outline 1 Type theory and category theory 2 Categorical type constructors 3 Dependent types and display maps 4 Fibrations