1 / 22

Effective Program Verification for Relaxed Memory Models

Effective Program Verification for Relaxed Memory Models. Sebastian Burckhardt Madanlal Musuvathi Microsoft Research CAV, July 10, 2008. Motivation: Memory Model Vulnerabilities. Programmers do not always follow strict locking discipline in performance-critical code

gregory-pallas
Download Presentation

Effective Program Verification for Relaxed Memory Models

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Effective Program Verificationfor Relaxed Memory Models Sebastian BurckhardtMadanlal Musuvathi Microsoft Research CAV, July 10, 2008

  2. Motivation: Memory Model Vulnerabilities • Programmers do not always follow strict locking discipline in performance-critical code • Ad-hoc synchronization with normal loads and stores or interlocked operations is faster • Result: “benign” or “intentional” data races • Such code can break on relaxed memory models • Most multicore machines are not sequentially consistent • Both compilers and actual hardware can contribute to effect • Vulnerabilities are hard to find, reproduce, and analyze • May require specific hardware configuration and schedule

  3. C# Example volatile boolisIdling; volatile boolhasWork; //Consumer thread void BlockOnIdle(){ lock (condVariable){ isIdling = true; if (!hasWork) Monitor.Wait(condVariable); isIdling = false; } } //Producer thread void NotifyPotentialWork(){ hasWork = true; if (isIdling) lock (condVariable) { Monitor.Pulse(condVariable); } }

  4. Example: Store Buffer Vulnerability volatile int ii = 0; volatile int hw = 0; Consumer Producer Store ii, 1 Store ii, 1 Load hw, 0 Store hw, 1 Load ii, 1 0 Key pieces of code on previous slide: On x86, hardware may perform store late Bug: Producer thread does not notice waiting Consumer, does not send signal

  5. Abstract View of Memory Models Given a program P, a memory model Y defines the subset TP,Y T of traces corresponding to some (partial or complete) execution of P on Y. TP, SC TP, Y T SC (sequential consistency) Is strongest memory model More executions may be possible on a relaxed memory model Y 5

  6. Example: TSO Under TSO, processors can buffer stores in FIFO queue. TP, SC TP, TSO T 1.1 Store ii, 1 2.1 Store hw, 1 Trace corresponding to code on slide 4 1.2 Load hw, 0 2.2 Load ii, 0 6

  7. Why TSO? • Memory models are platform dependent & ridden with details • We focus on TSO because it models store buffers, the most common relaxation • In practice, TSO is almost the same as the x86 hardware model RMO PSO TSO z6 SC Alpha IA-32 IA-64

  8. Model Checking Programs on Relaxed Memory Models • Covering all relaxed executions is challenging • Highly nondeterministic(exposed to low-level hardware concurrency) • Memory models are usually not finite-state • Memory models are often a matter of negotiation(formal descriptions are the exception) • State of the art has limited scalability • Model checking using simplified operational models • Bounded model checking using axiomatic models (CheckFence)

  9. Memory Model Safety Observation: Programmer writes code for SC • Resorts to {locks, fences, volatiles, interlocked operations} to maintain SC behavior where needed • If program P exhibits non-SC behavior, it is most likely a bug Definition: A program P is Y-safe if TP,SC= TP,Y

  10. Decomposed Program Verification on Relaxed Memory Models TP, SC TP, Y T • Verify sequentially consistent executions(show that all executions in TP,SC are correct) • Verify memory model safety(show that TP,SC= TP,Y ) Can we do 1 and 2 at the same time?Yes.

  11. Borderline Executions TP,SC TP,TSO Def.: A borderline execution for P is an execution with a successor in TP,TSO- TP,SC Thm.: A program P is TSO-safe if and only if it has no borderline executions.

  12. Borderline Executions We can verify / falsify this as a safety property of sequentially consistent executions! TP,SC TP,TSO Def.: A borderline execution for P is an execution with a successor in TP,TSO- TP,SC Thm.: A program P is TSO-safe if and only if it has no borderline executions.

  13. Example: TSO Borderline Execution TP, SC 1.1 Store ii, 1 2.1 Store hw, 1 TP, TSO 1.2 Load hw, 0 1.1 Store ii, 1 2.1 Store hw, 1 1.2 Load hw, 0 2.2 Load ii, 1 1.1 Store ii, 1 2.1 Store hw, 1 1.2 Load hw, 0 2.2 Load ii, 0 • Successor traces are traces with one more instruction.

  14. Sober Tool Structure Event Stream (shared memory accesses, sync ops) InstrumentedProgram Borderline Monitor Scheduler EnumeratesTraces Stateless Model Checker (CHESS) Outputs: (1) P correct (2) P not TSO-safe (+cex) (3) P has SC-bug (+cex) Program output is always sound. Tool may not terminate exploration if # of executions is too large.

  15. Define SC using hb relation This trace is SC: This trace is not SC: 1.1 Store ii, 1 1.1 Store ii, 1 1.2 Load hw, 0 1.2 Load hw, 0 2.1 Store hw, 1 2.1 Store hw, 1 2.2 Load ii, 1 2.2 Load ii, 0 • Trace = Set of Instructions (Vertices) with attributes • [processor]. [issue index] [operation] [address], [coherence index]coh.index is the position of the value within the sequence of values written to the same location (i.e., “we replace each value with its sequence number”) • Add edges: program order p /conflict order c • Define happens-before order hb = (p  c) • Trace is sequentially consistent if and only if hb is acyclic.

  16. Define TSO by Relaxing hb This trace is TSO, but not SC: Thm.: Def. Is equivalent to operational TSO model (see Tech Report) 1.1 Store ii, 1 1.2 Load hw, 0 2.1 Store hw, 1 2.2 Load ii, 0 1.1 Store ii, 1 1.1 Store ii, 1 1.2 Load hw, 0 1.2 Load hw, 0 hb rhb 2.1 Store hw, 1 2.1 Store hw, 1 Define relaxed happens-before orderrhb = (p  c) \ { (s,l) | s is store, l is load, and s p l } Trace is possible on TSO if and only if (1) rhb is acyclic (2) there do not exist s, l such that s p l and l c s 2.2 Load ii, 0 2.2 Load ii, 0

  17. Borderline Monitor Implementation Receiving a stream of memory accesses: Record all stores to all locations. For each load L, check if there exists a reordering of L with prior stores to the same location such that (1) hb has a cycle(2) rhb is acyclic(3) there do not exist s, l such that s p l and l c s Implementation: use standard vector clock to compute hb ,and custom vector clock (twice the width) to compute rhb 17

  18. Equivalent Interleavings • Typically, many different interleavings map to the same (Mazurkiewic) trace. • By construction, our monitor is insensitive to the choice of interleaving • Checks all hb-equivalent ones simultaneously • Makes it compatible with partial order reduction • Improves probability of finding bugs 18

  19. Results • Good at finding bugs even if only a small number of schedules is explored • Monitor checks all hb-equivalent interleavings • Chess heuristic (iterative context bounding) seems to mix well • Found expected store buffer vulnerabilities in standard examples (Dekker, Bakery) • Detected 2 store buffer vulnerabilities in a production-level concurrency library. • Overall code size ~ 33 kloc • Used existing test harness written by product team (slightly adapted for use with CHESS) • Bugs not previously known

  20. Some Numbers

  21. Conclusion With increasing use of multicores, more and more programs are likely to exhibit failures caused by the memory model. Such failures are hard to find by conventional means (code inspection, testing). Our combination of borderline monitor & stateless model checking makes it practical to detect memory model safety violations in a unit test environment.

  22. Future Work • Run on larger programs (runtime verification) • Handle more memory models • Which memory models guarantee borderline executions? • Prove memory model safety of concurrent data type implementations • Develop borderline monitors for other relaxed concurrent APIs • Transactional memory • Concurrency Libraries

More Related