### **Automated Analysis of Weak Memory Models**

#### Artem Yushkovskiy<sup>1,2</sup>

MSc Candidate

Supervisors: Assoc. Prof. Keijo Heljanko<sup>1</sup>

Docent Igor I. Komarov<sup>2</sup>

<sup>1</sup>Department of Computer Science, School of Science, **Aalto University** (Espoo, Finland)

<sup>2</sup>Faculty of Information Security and Computer Technologies, ITMO University (Saint Petersburg, Russia)

Espoo, Saint Petersburg, 2018

## Outline

## Outline

## Problem statement (Цель работы)

To rework the proof-of-concept memory model-aware analysis tool Porthos [Porthos17a] by:

- extending the C-like input language,
- revising its architecture and
- re-implementing the tool in order to enhance performance, extensibility, reliability and maintainability

## Task specification (Задачи работы)

- Study the general framework for memory model-aware analysis of concurrent programs [alglave2010shared];
- Review existing tools for memory model-aware analysis;
- Investigate existing architecture of Porthos, its strengths and weaknesses;
- Design a new architecture for PorthosC that allow to easily support the C input language, be robust, transparent, efficient and extensible.

Example: Write-write reordering (compiler relaxations)

| { x=0; y=0; }         |   |                                      |                         |                    |  |  |
|-----------------------|---|--------------------------------------|-------------------------|--------------------|--|--|
| P                     |   | Q                                    |                         |                    |  |  |
| <i>p</i> <sub>0</sub> | : | $x \leftarrow 1 \\ r_p \leftarrow y$ | <i>q</i> <sub>0</sub> : | $y \leftarrow 1$   |  |  |
| $p_1$                 | : | $r_p \leftarrow y$                   | $q_1$ :                 | $r_q \leftarrow x$ |  |  |

Example: Write-write reordering (compiler relaxations)

| { x=0; y=0; }                                                                           |                         |  |  |  |  |  |
|-----------------------------------------------------------------------------------------|-------------------------|--|--|--|--|--|
| P                                                                                       | Q                       |  |  |  |  |  |
| $\begin{array}{ccc} p_0 & : & x \leftarrow 1 \\ p_1 & : & r_p \leftarrow y \end{array}$ | $q_0: y \leftarrow 1$   |  |  |  |  |  |
| $p_1: r_p \leftarrow y$                                                                 | $q_1: r_q \leftarrow x$ |  |  |  |  |  |

SC

$$p_0, p_1, q_0, q_1$$
 (0; 1)  
 $q_0, q_1, p_0, p_1$  (1; 0)

Example: Write-write reordering (compiler relaxations)

| { x=0; y=0; }         |                                                                                               |  |  |  |  |  |
|-----------------------|-----------------------------------------------------------------------------------------------|--|--|--|--|--|
| P                     | Q                                                                                             |  |  |  |  |  |
| $p_0 : x \leftarrow$  | $ \begin{array}{c ccc} 1 & q_0: & y \leftarrow 1 \\ y & q_1: & r_q \leftarrow x \end{array} $ |  |  |  |  |  |
| $p_1: r_p \leftarrow$ | $y   q_1: r_q \leftarrow x$                                                                   |  |  |  |  |  |

SC

```
p_0, p_1, q_0, q_1 (0; 1)

q_0, q_1, p_0, p_1 (1; 0)

p_0, q_0, p_1, q_1 (1; 1)

p_0, q_0, q_1, p_1 (1; 1)

q_0, p_0, p_1, q_1 (1; 1)

q_0, p_0, q_1, p_1 (1; 1)
```

Example: Write-write reordering (compiler relaxations)

| { x=0; y=0; }           |                         |  |  |  |  |  |
|-------------------------|-------------------------|--|--|--|--|--|
| P                       | Q                       |  |  |  |  |  |
| $p_0: x \leftarrow 1$   | $q_0: y \leftarrow 1$   |  |  |  |  |  |
| $p_1: r_p \leftarrow y$ | $q_1: r_q \leftarrow x$ |  |  |  |  |  |

**TSO** SC  $p_1, p_0, q_0, q_1$  (0; 1)  $| p_0, p_1, q_1, q_0$  (0; 1)  $| p_1, p_0, q_1, q_0$ (0;1) $p_0, p_1, q_0, q_1$ (0;1) $q_0, q_1, p_1, p_0$  (1; 0)  $| q_1, q_0, p_0, p_1$  (1; 0) |(1;0) $q_0, q_1, p_0, p_1$ (1;0) $p_0, q_0, p_1, q_1$  (1; 1)  $p_1, q_0, p_0, q_1$  (0; 1)  $p_0, q_1, p_1, q_0$  (0; 1)  $p_1, q_1, p_0, q_0$ (0;0) $p_1, q_0, q_1, p_0$  (0; 0)  $| p_0, q_1, q_0, p_1$  (1; 1)  $| p_1, q_1, q_0, p_0$ (0;0) $p_0, q_0, q_1, p_1$ (1;1)(1;1) $q_0, p_1, p_0, q_1$  (1; 1) |  $q_1, p_0, p_1, q_0$  (0; 0) |  $q_1, p_1, p_0, q_0$  $q_0, p_0, p_1, q_1$ (0;0) $q_0, p_0, q_1, p_1$  $q_0, p_1, q_1, p_0$  (1; 0)  $| q_1, p_0, q_0, p_1$  (1; 0)  $| q_1, p_1, q_0, p_0$ (0;0)

Example: Store buffering (hardware relaxations)

|                         | { x=0; y=0; }      |         |                    |  |  |  |  |
|-------------------------|--------------------|---------|--------------------|--|--|--|--|
|                         | P                  | Q       |                    |  |  |  |  |
| <i>p</i> <sub>0</sub> : | <i>x</i> ← 1       | $q_0$ : | <i>y</i> ← 1       |  |  |  |  |
| <i>p</i> <sub>1</sub> : | $r_p \leftarrow y$ | $q_1$ : | $r_q \leftarrow x$ |  |  |  |  |



Figure: An x86-TSO abstract machine [sewell2010x86]

### The weak memory model

#### Axiomatic semantics: The definition

- **Event**  $\in \mathbb{E}$ , a low-level primitive operation:
  - memory event  $\in \mathbb{M} = \mathbb{R} \cup \mathbb{W}$ : access to a local/shared memory,
  - computational event  $\in \mathbb{C}$ : computation over local memory, and
  - barrier event ∈ B: synchronisation fences;
- Relation  $\subseteq \mathbb{E} \times \mathbb{E}$ :
  - basic relations:
    - program-order relation po  $\subseteq \mathbb{E} \times \mathbb{E}$ : (control-flow),
    - read-from relation  $\mathtt{rf} \subseteq \mathbb{W} \times \mathbb{R}$ : (data-flow), and
    - coherence-order relation  $co \subseteq \mathbb{W} \times \mathbb{W}$ : (data-flow);
  - derived relations:
    - union r1 | r2,
    - sequence r1; r2,
    - transitive closure r+,
    - •
- Assertion over relations or sets of events:
  - acyclicity, irreflexivity or emptiness



#### The weak memory model

#### Testing the candidate executions



Figure: The four candidate executions allowed under x86-TSO

#### The weak memory model

#### Testing the candidate executions



Figure: The four candidate executions allowed under x86-TSO

### Tools for memory model-aware analysis

- diy tool suite:
  - diy, diycross and diyone, litmus tests generators,
  - litmus, a litmus test concrete executor, and
  - herd, a weak memory model simulator;
- the stateless model checkers (CHESS, Nidhugg);
- the tool for automated synthesis of the synchronisation primitives musketeer;
- the instrumenting compiler goto-cc which is a part of CBMC model checker;
- the tool Porthos for analysing the portability of the C programs;
- and others.

### Portability analysis

The Porthos tool

• Let the function  $cons_{\mathcal{M}}(P)$  calculate the set of executions of program P consistent under the memory model  $\mathcal{M}$ .

#### Definition (Portability [Porthos17a])

Let  $\mathcal{M}_{\mathcal{S}}$ ,  $\mathcal{M}_{\mathcal{T}}$  be two weak memory models. The program P is portable from  $\mathcal{M}_{\mathcal{S}}$  to  $\mathcal{M}_{\mathcal{T}}$  if  $cons_{\mathcal{M}_{\mathcal{T}}}(P) \subseteq cons_{\mathcal{M}_{\mathcal{S}}}(P)$ 

- Portability as an SMT-based bounded reachability problem:  $\phi = \phi_{CF} \wedge \phi_{DF} \wedge \phi_{\mathcal{M}_{\mathcal{T}}} \wedge \phi_{\neg \mathcal{M}_{\mathcal{S}}}$
- SAT $(\phi) \implies$  the portability bug

### Encoding for the control-flow: An example



Figure: Example of encoding for the control-flow of the event-flow graph

#### Encoding for the data-flow

- SSA-indices are computed as following:
  - any access to a shared variable (both read and write) increments its SSA-index;
  - only writes to a local variable increment its SSA-index (reads preserve indices);
  - no access to a constant variable or computed (evaluated) expression changes their SSA-index.

The data-flow of an event is encoded as following:

$$\phi_{DF_{e=\text{load}(r\leftarrow l)}} = [\mathsf{x}(e) \Rightarrow (r_{i+1} = l_{i+1})]$$

$$\phi_{DF_{e=\text{store}(l\leftarrow r)}} = [\mathsf{x}(e) \Rightarrow (l_{i+1} = r_i)]$$

$$\phi_{DF_{e=\text{eval}(\cdot)}} = [\mathsf{x}(e) \Rightarrow \mathsf{v}(e)]$$

(1)

## Outline

### The input language

The input language parser used by Porthos suffered from several disadvantages:

- it contained the parser code inlined directly into the grammar (hardly maintainable);
- the semantics of operations and kinds of variables (global or shared) were determined syntactically (4 different types of assignment: '=', ':=', '<-' and '<:-', each for different kinds of arguments);
- restricted syntax for expressions.
- In contrast, PorthosC uses the full C language grammar of proposed in the C11 standard [jtc2011sc22] and the visitor that converts the ANTLR grammar to the AST (Y-tree).

#### Architecture



### The X-graph internal representation



Figure: The inheritance tree of main X-graph interfaces

### The X-graph compiler



Figure: Main components of the X-compilation processing unit

## X-graph unrolling



Figure: Example of the flow graph unrolling up to bound k = 6

## Outline

#### **Evaluation**

[to be done]

#### Summary

- The general framework for memory model-aware analysis was implemented in PorthosC;
- The input language has been extended;
- The old architecture of Porthos has been analysed and considered while designing the new architecture for PorthosC;
- to be done: more

# Bibliography I