# Program logics for relaxed consistency UPMARC Summer School 2014 #### Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 2nd Lecture, 29 July 2014 #### Recap #### Topics covered yesterday: - The C11 memory model - Separation logic - Relaxed separation logic #### Today: - Compare and swap - GPS - Advanced features # Recap: Rules for release/acquire accesses Ownership transfer by rel-acq synchronizations. ▶ Atomic allocation $\sim$ pick loc. invariant Q. $$\{Q(v)\}\ x = \operatorname{alloc}(v);\ \{\mathbf{W}_{Q}(x) * \mathbf{R}_{Q}(x)\}$$ ▶ Release write ~> give away permissions. $$\{\mathbf{W}_{\mathcal{Q}}(x) * \mathcal{Q}(v)\}\ x.store(v, rel);\ \{\mathbf{W}_{\mathcal{Q}}(x)\}$$ ▶ Acquire read ~> gain permissions. $$\left\{ \mathsf{R}_{\mathcal{Q}}(x) \right\} t = x.\mathsf{load}(\mathit{acq}); \ \left\{ \mathcal{Q}(t) * \mathsf{R}_{\mathcal{Q}[t:=\mathsf{emp}]}(x) \right\}$$ #### Recap: relaxed accesses Basically, disallow ownership transfer. Relaxed reads: $$\left\{ \mathbf{R}_{\mathcal{Q}}(x) \right\} \ t = x.load(rlx) \left\{ egin{align*} \mathbf{R}_{\mathcal{Q}}(x) \land \\ (\mathcal{Q}(t) \not\equiv \mathsf{false}) \end{array} \right\}$$ Relaxed writes: $$\frac{\mathcal{Q}(v) = emp}{\{\mathbf{W}_{\mathcal{Q}}(x)\} \ x.store(v, rlx) \ \{\mathbf{W}_{\mathcal{Q}}(x)\}}$$ # Compare and swap (CAS) A standard primitive for implementing concurrent algorithms ``` x.\mathsf{CAS}(v,v',M) \stackrel{\mathrm{def}}{=} atomic { \mathbf{if}(x.\mathsf{load}(M) == v){ x.store(v', M); return true: return false: ``` #### Reasoning about CAS in RSL - ▶ New assertion form, $P := ... \mid \mathbf{C}_{\mathcal{Q}}(x)$ . - "Permission to do a CAS" - Duplicable: $$\mathbf{C}_{\mathcal{Q}}(x) \iff \mathbf{C}_{\mathcal{Q}}(x) * \mathbf{C}_{\mathcal{Q}}(x)$$ Also allows writing: $$\mathbf{C}_{\mathcal{Q}}(x) \iff \mathbf{C}_{\mathcal{Q}}(x) * \mathbf{W}_{\mathcal{Q}}(x)$$ And reading without ownership transfer: $$\mathbf{C}_{\mathcal{Q}}(x) \iff \mathbf{C}_{\mathcal{Q}}(x) * \mathbf{R}_{emp}(x)$$ #### Reasoning about CAS in RSL #### Allocation rule: $$\{Q(v)\}\ x = \operatorname{alloc}(v);\ \{C_Q(x)\}$$ #### CAS rule: $$t \wedge P * \mathcal{Q}(v) \Rightarrow \mathcal{Q}(v') * R$$ $$\neg t \wedge P \Rightarrow R$$ $$X \in \{rel, rlx\} \Rightarrow \mathcal{Q}(v) \equiv emp$$ $$X \in \{acq, rlx\} \Rightarrow \mathcal{Q}(v') \equiv emp$$ $$\overline{\left\{\mathbf{C}_{\mathcal{Q}}(x) * P\right\} \ t = x.\mathsf{CAS}(v, v', X) \ \left\{R\right\}}$$ #### Mutual exclusion locks Attach a 'resource invariant' at each lock: $$Lock(x, J) \iff Lock(x, J) * Lock(x, J)$$ Specifications for mutex operations: $$\{J\} \ x = \textit{new-lock}() \ \{\textit{Lock}(x, J)\}$$ $$\{\textit{Lock}(x, J)\} \quad \textit{lock}(x) \quad \{\textit{Lock}(x, J) * J\}$$ $$\{J * \textit{Lock}(x, J)\} \quad \textit{unlock}(x) \quad \{\textit{Lock}(x, J)\}$$ #### Mutual exclusion locks Let $$Q_J(v) \stackrel{\text{def}}{=} (v = 0 \land \text{emp}) \lor (v = 1 \land J)$$ $Lock(x, J) \stackrel{\text{def}}{=} \mathbf{C}_{Q_J}(x)$ $new-lock() \stackrel{\text{def}}{=} \{J\}$ $res = \text{alloc}(1)$ $\{Lock(res, J)\}$ $unlock(x) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x, J) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x, J) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x, J) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x, J) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ $unlock(x, J) \stackrel{\text{def}}{=} \{Lock(x, J)\}$ # GPS: Towards a better logic for C11 - Protocols - ► Ghosts & escrows # GPS: A better logic for release-acquire #### Three key features: - Location invariants protocols - ► Ghost state/tokens 🌕 Escrows for ownership transfer # Example (Racy message passing) Initially, x = y = 0. $$x.store(1, rel)$$ ; $||x.store(1, rel)$ ; $||t = y.load(acq)$ ; $y.store(1, rel)$ ; $||x = y.load(acq)$ ; Cannot get $t = 1 \land t' = 0$ . # Racy message passing in GPS Protocol for $$x$$ : **A:** $x = 0$ **B:** $x = 1$ Protocol for y: $$\mathbf{C}: y = 0 \longrightarrow \mathbf{D}: y = 1 \land x.st \ge \mathbf{B}$$ Acquire reads gain knowledge, not ownership. $$\begin{cases} x.st \geq \mathbf{A} \land y.st \geq \mathbf{C} \\ x.store(1, rel); \\ \{x.st \geq \mathbf{B} \land y.st \geq \mathbf{C} \} \\ y.store(1, rel); \\ \{x.st \geq \mathbf{B} \land y.st \geq \mathbf{D} \} \end{cases} \begin{cases} x.st \geq \mathbf{A} \land y.st \geq \mathbf{C} \\ t = y.load(acq); \\ \{t = 0 \land x.st \geq \mathbf{A} \\ \lor t = 1 \land x.st \geq \mathbf{B} \} \end{cases}$$ $$t' = x.load(acq); \\ \{t = 0 \lor (t = 1 \land t' = 1) \}$$ #### Rules for reads and writes #### Read rule: $$orall s' \geq_{ au} s. \; \mathbf{inv}_{ au}(s',t) * P \Rightarrow Q \ Q \Leftrightarrow Q * Q \ \hline \left\{ egin{array}{l} x.st \geq_{ au} s \ * P \end{array} ight\} t = x. \mathsf{load}(\mathit{acq}); \; \left\{ egin{array}{l} \exists s'. \; x.st \geq_{ au} s' \ * P * Q \end{array} ight\} \end{array}$$ #### Write rule: $$P \Rightarrow \operatorname{inv}_{\tau}(s'', v) * Q$$ $$\forall s' \geq_{\tau} s. \operatorname{inv}_{\tau}(s', \underline{\hspace{0.5cm}}) * P \Rightarrow s'' \geq_{\tau} s'$$ $$\{x.st \geq_{\tau} s * P\} x.\operatorname{store}(v, rel); \{x.st \geq_{\tau} s'' * Q\}$$ # GPS ghosts and escrows We can create ghost unduplicable tokens: $$\frac{K \text{ is fresh}}{P \Rightarrow P * K} \qquad \frac{K * K \Rightarrow \text{false}}{K}$$ We can also create escrows: $$\frac{P*P\Rightarrow\mathsf{false}}{Q\Rightarrow\mathsf{Esc}(P,Q)}\qquad \overline{\mathsf{Esc}(P,Q)*P\Rightarrow Q}$$ Escrows are duplicable: $$\mathsf{Esc}(P,Q) \iff \mathsf{Esc}(P,Q) * \mathsf{Esc}(P,Q)$$ but only one component can 'unlock' them. #### GPS ghosts and escrows To gain ownership, we use ghost state & escrows. $$\frac{P*P\Rightarrow\mathsf{false}}{Q\Rightarrow\mathsf{Esc}(P,Q)}\qquad \overline{\mathsf{Esc}(P,Q)*P\Rightarrow Q}$$ # Example (Message passing using escrows) Invariant for x: $x = 0 \lor \mathbf{Esc}(K, \&a \mapsto 7)$ . $\begin{cases} \&a \mapsto 0 \\ a = 7; \\ \&a \mapsto 7 \end{cases}$ $\begin{cases} \&a \mapsto 7 \\ \mathbf{Esc}(K, \&a \mapsto 7) \end{cases}$ x.store(1, rel); $\begin{cases} K \\ \mathbf{if}(x.load(acq) \neq 0) \\ \{K * \mathbf{Esc}(K, \&a \mapsto 7) \} \\ \&a \mapsto 7 \} \\ \mathbf{print}(a); \end{cases}$ #### Rule for CAS With a successful CAS we can gain not only knowledge, but also ownership: $$\forall s'' \geq_{\tau} s. \quad \mathbf{inv}_{\tau}(s'', v) * P \Rightarrow \mathbf{inv}_{\tau}(s', v') * Q \wedge s' \geq_{\tau} s''$$ $$\forall s'' \geq_{\tau} s. \quad \forall v'' \neq v. \quad \mathbf{inv}_{\tau}(s'', v'') * P \Rightarrow R$$ $$R \Leftrightarrow R * R$$ $$\begin{cases} x.st \geq_{\tau} s \\ * P \end{cases} \begin{cases} t = x.\mathsf{CAS} \\ (v, v', rel-acq); \end{cases} \begin{cases} (t \wedge x.st \geq_{\tau} s' * Q) \\ \forall \neg t \wedge P * R \end{cases}$$ # Reasoning about advanced C11 features (Work in progress) - Fences - Consume reads #### Message passing $$\begin{array}{l} \textbf{int } a; \ \textbf{atomic\_int } x = 0; \\ \left( \begin{array}{l} a = 7; \\ x. \text{store}(1, \textit{rel}); \end{array} \right| \begin{array}{l} \textbf{if } (x. \text{load}(acq) \neq 0) \{ \\ \textbf{print}(a); \end{array} \right) \end{array}$$ #### Incorrect message passing $$\begin{array}{c|c} & \textbf{int } a; \textbf{ atomic\_int } x = 0; \\ (a = 7; & \textbf{if } (x.\mathsf{load}(\textit{rlx}) \neq 0) \{\\ x.\mathsf{store}(1, \textit{rlx}); & \textbf{print}(a); \} \end{array} )$$ # Message passing with C11 memory fences ``` int a; atomic_int x = 0; \begin{pmatrix} a = 7; & \text{if } (x.\text{load}(rlx) \neq 0) \\ \text{fence}(release); & \text{fence}(acq); \\ x.\text{store}(1, rlx); & \text{print}(a); \\ \end{pmatrix} ``` #### Reasoning about fences Introduce two 'modalities' in the logic. $$\begin{split} \left\{P\right\} \; \mathsf{fence}(\mathit{release}) \; \left\{\triangle P\right\} \\ \left\{\nabla P\right\} \; \mathsf{fence}(\mathit{acq}) \; \left\{P\right\} \\ \left\{\mathbf{R}_{\mathcal{Q}}(x)\right\} \; t := x.\mathsf{load}(\mathit{rlx}) \; \left\{\mathbf{R}_{\mathcal{Q}[t:=\mathsf{emp}]}(x) * \nabla \mathcal{Q}(t)\right\} \\ \left\{\mathbf{W}_{\mathcal{Q}}(x) * \triangle \mathcal{Q}(v)\right\} \; x.\mathsf{store}(v,\mathit{rlx}) \; \left\{\mathbf{W}_{\mathcal{Q}}(x)\right\} \end{split}$$ #### Reasoning about fences Let $$\mathcal{Q}(v) \stackrel{\text{def}}{=} v = 0 \lor \&a \mapsto 5$$ . $$\left\{ \&a \mapsto 0 * \mathbf{W}_{\mathcal{Q}}(x) * \mathbf{R}_{\mathcal{Q}}(x) \right\}$$ $$\left\{ \&a \mapsto 0 * \mathbf{W}_{\mathcal{Q}}(x) \right\}$$ $$a = 5;$$ $$\left\{ \&a \mapsto 5 * \mathbf{W}_{\mathcal{Q}}(x) \right\}$$ $$\text{fence}(\textit{release});$$ $$\left\{ \triangle(\&a \mapsto 5) * \mathbf{W}_{\mathcal{Q}}(x) \right\}$$ $$\textit{rence}(acq);$$ $$\left\{ \&a \mapsto 5 \right\}$$ $$\textit{rence}(acq);$$ $$\left\{ \&a \mapsto 5 \right\}$$ $$\textit{rence}(acq);$$ $$\left\{ \&a \mapsto 5 \right\}$$ $$\textit{print}(a);$$ $$\left\{ \text{true} \right\}$$ # Why two modalities? Consider the program, where initially x = y = 0: $$\begin{array}{l} a = 5; \\ \text{fence}(\textit{release}); \\ x. \text{store}(1, \textit{rlx}); \\ \end{array} \begin{array}{l} t = x. \text{load}(\textit{rlx}); \\ \textbf{if} \ (t \neq 0) \\ y. \text{store}(1, \textit{rlx}); \\ \end{array} \begin{array}{l} t' = y. \text{load}(\textit{rlx}); \\ \textbf{if} \ (t' \neq 0) \ \{ \\ \text{fence}(\textit{acq}); \\ \textbf{print}(\textit{a}); \\ \} \end{array}$$ If $\nabla P \Rightarrow \triangle P$ , we can 'verify' this program. But the program is racy. #### Release-consume synchronization Initially $$a = x = 0$$ . $$a = 5;$$ $t = x.load(consume);$ $x.store(release, &a);$ **if** $(t \neq 0)$ $print(*t);$ This program cannot crash nor print 0. # Justification: $W_{\rm na}(a,5)$ $R_{\rm con}(x,\&a)$ Release-consume $W_{\rm rel}(x,\&a)$ $R_{\rm na}(a,5)$ synchronization #### Release-consume synchronization Initially $$a = x = 0$$ . Let $J(t) \stackrel{\text{def}}{=} t = 0 \lor t \mapsto 5$ . $$\left\{ &a \mapsto 0 * \mathbf{W}_{J}(x) \right\}$$ $$a = 5;$$ $$\left\{ &a \mapsto 5 * \mathbf{W}_{J}(x) \right\}$$ $$x.store(release, &a);$$ $$\left\{ \nabla_{t}(t = 0 \lor t \mapsto 5) \right\}$$ $$\mathbf{if} (t \neq 0) \ print(*t);$$ This program cannot crash nor print 0. $\begin{array}{l} \text{Index the } \nabla \text{ with program variable } t. \\ t \text{ data dependence } \Longrightarrow \text{ locally open } \nabla_t. \end{array}$ #### Proposed rules for consume accesses $$\begin{aligned} \left\{ \mathbf{R}_{\mathcal{Q}}(x) \right\} \; t &:= x. \mathsf{load}(\mathit{cons}) \; \left\{ \mathbf{R}_{\mathcal{Q}[t:=\mathsf{emp}]}(x) * \nabla_t \; \mathcal{Q}(t) \right\} \\ & \qquad \qquad \left\{ P \right\} \; C \; \left\{ Q \right\} \\ & \qquad \qquad C \; \mathsf{is \; basic \; command \; mentioning \; } t \\ & \qquad \qquad \left\{ \nabla_t \; P \right\} \; C \; \left\{ \nabla_t \; Q \right\} \end{aligned}$$ Question: Is the following valid? $$\left\{ \mathbf{W}_{\mathcal{Q}}(x) * \nabla_t \mathcal{Q}(v) \right\} x.store(v, rel); \left\{ \mathbf{W}_{\mathcal{Q}}(x) \right\}$$ # Release-acquire too weak in the presence of consume Initially x = y = 0. while $$(x.read(consume) \neq 1)$$ ; $a = 1$ ; $y.store(1, release)$ ; $x.store(1, release)$ ; $(*)$ while $(y.load(acquire) \neq 1)$ ; $(*)$ $a = 2$ ; #### C11 deems this program racy. Only different thread rel-acq synchronize. #### What goes wrong in PL: On ownership transfers, we must prove that we don't read from the same thread. # Release-acquire too weak in the presence of consume Initially x = y = 0. ``` while (x.read(consume) \neq 1); y.store(1, release); (*) while (y.load(acquire) \neq 1); (*) a = 2; ``` C11 deems this program racy. But, it is not racy: - ▶ On x86-TSO, Power, ARM, and Itanium. - Or if we move the (\*) lines to a new thread. So, drop the "different thread" restriction. # Summary so far #### We know how to reason about: - Release-acquire - Consume reads - ▶ C11 memory fences #### We found a number of bugs in the model: - Dependency cycles (also in [Batty et al. '03]) - Same thread rel-acq don't synchronize - ► Semantics of SC accesses odd and too weak... ... when mixed with non-SC accesses - ► Release sequences too strong #### Soundness proof challenges - Assertions in heaps - ⇒ Store syntactic assertions (modulo \*-ACI) - No (global) notions of state and time - ⇒ Define a *logical* local notion of state - ⇒ Annotate hb edges with logical state - No operational semantics - ⇒ Use the axiomatic semantics - ⇒ Induct over max hb-path distance from top #### Basic structure Annotate hb edges of executions with heaps. - ▶ Local annot. validity: $\sum ins + node-effect = \sum outs$ . - Configuration safety: can extend a valid annotation for n further events. #### A key lemma # Definition (Pairwise independence) $\mathcal{T}$ is pairwise independent iff $\forall (a, a'), (b, b') \in \mathcal{T}$ , $(a', b) \notin hb^*$ . # Lemma (Independent heap compatibility) If hmap is a valid annotation, and $\mathcal{T} \subseteq hb$ is pairwise independent, then $\bigoplus_{x \in \mathcal{T}} hmap(x)$ is defined. #### Conclusion Formal reasoning about weak memory is possible & not too difficult. We're not quite there yet; there's still a lot to do: Liveness, refinement, tool support, ... #### A final remark Relaxed program logics are a useful tool for understanding weak memory models