verification and counterexamples
play

Verification, and Counterexamples Yatin Manerkar Princeton - PowerPoint PPT Presentation

Sep 04, 2022 •100 likes •591 views

C11 Compiler Mappings: Exploration, Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu http://check.cs.princeton.edu November 22 nd , 2016 1 Compilers Must Uphold HLL Guarantees High-Level Assembly

  1. C11 Compiler Mappings: Exploration, Verification, and Counterexamples Yatin Manerkar Princeton University manerkar@princeton.edu http://check.cs.princeton.edu November 22 nd , 2016 1

  2. Compilers Must Uphold HLL Guarantees High-Level Assembly Compiler Language (HLL) Language Program Program • Compiler translates HLL statements into assembly instructions • Code generated by compiler must provide functionality required by HLL program 2

  3. Compilers Must Uphold HLL Guarantees Compiler X86 Assembly C11 Program Language Program X86 C11 Atomic x.store(1); mov [eax], 1 Mapping r1 = y.load(); MFENCE mov ebx, [ebx] • C/C++11 standards introduced atomic operations – Portable, high-performance concurrent code • Compiler uses mapping to translate from atomic ops to assembly instructions 3

  4. Compilers Must Uphold HLL Guarantees Compiler X86 Assembly C11 Program Language Program X86 C11 Atomic x.store(1); mov [eax], 1 Mapping r1 = y.load(); MFENCE mov ebx, [ebx] If mapping is correct, then for all programs: ISA-Level Outcome C11 Outcome implies Forbidden Forbidden 4

  5. Exploring Mappings with TriCheck C11 Atomic ISA-level C11 Litmus Mapping litmus tests Test Variants How do HLL outcomes compare to ISA-level outcomes? µCheck Herd ? C11 Outcomes ISA-Level Outcomes 5

  6. Exploring Mappings with TriCheck C11 Atomic ISA-level C11 Litmus Mapping litmus tests Test Variants If a mapping is correct, then for all programs: µCheck Herd C11 Outcome ISA-Level Outcome implies Forbidden Forbidden 6

  7. Counterexamples Detected! C11 → Power/ C11 Litmus Power/ARMv7 ARMv7-like Test Variants Trailing-Sync litmus tests Atomic Mapping µCheck Herd C11 Outcome ISA-Level Outcome but Forbidden Allowed 7

  8. Counterexamples Detected! C11 → Power/ C11 Litmus Power/ARMv7 ARMv7-like Test Variants Trailing-Sync litmus tests Atomic Mapping • Counterexample implies mapping is flawed • But mapping previously proven correct [Batty et al. POPL 2012] µCheck Herd • Must be an error in the proof! C11 Outcome ISA-Level Outcome but Forbidden Allowed 8

  9. Outline • Introduction • Background on C11 model and mappings • IRIW Counterexample and Analysis • Loophole in Proof of Batty et al. • IBM XL C++ Bugs • Conclusions and Future Work 9

  10. C11 Memory Model • C11 memory model specifies a C11 program’s allowed and forbidden outcomes • Axiomatic model defined in terms of program executions – Executions that satisfy C11 axioms are consistent – Executions that do not satisfy axioms are forbidden – Outcome only allowed if consistent execution exists • C11 axioms defined in terms of various relations on an execution 10

  11. C11 atomic operations • Used to write portable, high-performance concurrent code • Atomic ops can have different memory orders – seq_cst , acquire , release , relaxed … – Stronger guarantees: easier correctness, lower performance – Weaker guarantees: harder correctness, higher performance • Example ( y is an atomic variable): y.store(1, memory_order_release); int b = y.load(memory_order_acquire); 11

  12. Relevant C11 Memory Model Relations • Happens-before ( ℎ𝑐 ) = 𝑡𝑐 ∪ 𝑡𝑥 + – Transitive closure of statement order and synchronization order Wsc x = 1 • Total order on SC operations ( 𝑡𝑑 ) hb sc – Must be acyclic Rsc y = 0 – 𝑡𝑑 edges must not be in opposite direction to ℎ𝑐 edges ( 𝑡𝑑 must be “consistent with” ℎ𝑐 ) – SC read operations cannot read from overwritten writes 12

  13. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power lwsync and ARMv7 dmb prior to releases ensure that prior accesses are made visible before the release 13

  14. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power ctrlisync/sync and ARMv7 ctrlisb/dmb after acquires enforce that subsequent accesses are made visible after the acquire Use of sync/dmb for SC loads helps enforce the required C11 total order on SC operations 14

  15. Power and ARMv7 Compiler Mappings • Trailing-sync mapping: – [Boehm 2011][Batty et al. POPL 2012] Power sync and ARMv7 dmb after SC stores (“trailing - sync”) prevent reordering with subsequent SC loads Ostensibly, this ordering can also be enforced by putting fences before SC loads… 15

  16. Power and ARMv7 Compiler Mappings • Leading-sync mapping: – [McKenney and Silvera 2011] Leading-sync mapping places these fences *before* SC loads Only translations of SC atomics change between the two mappings 16

  17. Both Mappings are Currently Invalid • Both supposedly proven correct [Batty et al. POPL 2012] • We discovered two counterexamples to trailing-sync mappings on Power and ARMv7 – Isolated the proof loophole that allowed flaw • Vafeiadis et al. found counterexamples for leading-sync mapping, and have proposed solution 17

  18. Outline • Introduction • Background on C11 model and mappings • IRIW Counterexample and Analysis • Loophole in Proof of Batty et al. • IBM XL C++ Bugs • Conclusions and Future Work 18

  19. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 • Variant of IRIW (Independent-Reads- Independent-Writes) litmus test • IRIW corresponds to two cores observing stores to different addresses in different orders • At least one of first loads on T2 and T3 is an acquire; all other accesses are SC 19

  20. IRIW Counterexample Compilation T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 With trailing sync mapping, effectively compiles down to C0 C1 C2 C3 St x = 1 St y = 1 r1 = Ld x r3 = Ld y ctrlisync/ctrlisb ctrlisync/ctrlisb r2 = Ld y r4 = Ld x Allowed by Power model and hardware [Alglave et al. TOPLAS 2014] Allowed by ARMv7 model [Alglave et al. TOPLAS 2014] 20

  21. IRIW Counterexample Compilation T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 With trailing sync mapping, effectively compiles down to C0 C1 C2 C3 St x = 1 St y = 1 r1 = Ld x r3 = Ld y ctrlisync/ctrlisb ctrlisync/ctrlisb r2 = Ld y r4 = Ld x ctrlisync/ctrlisb are not strong enough to forbid outcome Allowed by Power model and hardware [Alglave et al. TOPLAS 2014] Allowed by ARMv7 model [Alglave et al. TOPLAS 2014] 21

  22. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 22

  23. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 23

  24. IRIW Trailing-Sync Counterexample T0 T1 T2 T3 x.store(1, seq_cst); y.store(1, seq_cst); r1 = x.load(acquire); r3 = y.load(acquire); r2 = y.load(seq_cst); r4 = x .load(seq_cst); Outcome: r1 = 1, r2 = 0, r3 = 1, r4 = 0 Happens-before edges from c → f and from d → h by transitivity 24

  25. IRIW Trailing-Sync Counterexample • SC order must contain edges from c → f and from d → h to match direction of hb edges • Shown below as sc_hb edges c: Wsc x = 1 d: Wsc y = 1 f: Rsc y = 0 h: Rsc x = 0 25

  26. IRIW Trailing-Sync Counterexample • SC reads f and h must read from non-SC writes b and a before they are overwritten • The SC order must contain f → d and h → c to satisfy this condition c: Wsc x = 1 d: Wsc y = 1 f: Rsc y = 0 h: Rsc x = 0 26

  27. IRIW Trailing-Sync Counterexample • SC reads f and h must read from non-SC writes b and a before they are overwritten • The SC order must contain f → d and h → c to • Cycle in the SC order satisfy this condition • Outcome is forbidden as there is no c: Wsc x = 1 d: Wsc y = 1 corresponding consistent execution • But compiled code allows the behaviour! f: Rsc y = 0 h: Rsc x = 0 27

  28. What went wrong? • SC axioms required SC order to contain edges from c → f and from d → h to match direction of hb edges • This requires a sync/dmb ish between e and f as well as between g and h on Power and ARMv7 • These fences are NOT provided by trailing-sync mapping 28

Recommend

Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser

Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser

Counterexamples Counterexamples in the Work of Karl Weierstra Tom Archibald Dept. of Mathematics Simon Fraser University tarchi@sfu.ca Weierstra 200, BBAW, Oct. 31, 2015 1 / 22 Counterexamples Outline 1 Introduction 2 The Dirichlet

499 views • 22 slides
Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner

Generalized Counterexamples to Liveness Properties Gadi Aleksandrowicz Jason Baumgartner Alexander Ivrii Ziv Nevo IBM Outline Generalized counterexamples to liveness and why they are especially interesting How to detect that a

135 views • 12 slides
Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku

Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku

Counterexamples in Computable Continuum Theory Takayuki Kihara Mathematical Institute, Tohoku University Dagstuhl Seminar, October 11, 2011 Takayuki Kihara Counterexamples in Computable Continuum Theory Introduction Local Computability: 1

1.44k views • 109 slides
Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment

Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment

Counterexamples to commonly held Assumptions on Unit Commitment and Market Power Assessment NAPS Conference Tempe, 14. October 2002 Wolfgang Gatterbauer, Marija Ilic Presented by Audun Botterud Massachusetts Institute of Technology 2 Topics

444 views • 30 slides
DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic

DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic

DefiningRules, Proofsand Counterexamples Greg Restall vii workshop on philosophical logic buenos aires august 3, 2018 My Aim To present an account of defining rules , with the aim of explaining these rules they play a central role in

1.64k views • 124 slides
Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai

Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai

Executable Counterexamples in Software Model Checking J. Gennari 1 and A. Gurfinkel 2 and T. Kahsai 3 and J. A. Navas 4 and E. J. Schwartz 1 Presenter: Natarajan Shankar 4 1 Carnegie Mellon University 2 University of Waterloo 3 Amazon Web Services 4

332 views • 18 slides
Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and Zohar Manna Stanford University (Aaron is visiting EPFL and will be at CU Boulder) Benchmark: intel_005 #latch vars: 170 #coi vars: 69 Solved:

207 views • 17 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University

Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University

Projection methods: convergence and counterexamples 4 January 2019 Hangzhou Dianzi University Vera Roshchina School of Mathematics and Statistics UNSW Sydney v.roshchina@unsw.edu.au Based on joint work with Hong-Kun Xu , Roberto Cominetti

575 views • 29 slides
Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records OVERVIEW 01 04 Scope of Verification Peggys Picks Types of verification, Verifying exam results or parameters, privacy graduation using databases

1.25k views • 81 slides
Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer

Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer

Probabilistic Counterexamples Albert-Ludwigs-Universitt Freiburg Ralf Wimmer Albert-Ludwigs-Universitt Freiburg, Germany Saarland University, Saarbrcken, Germany 2 nd AVACS Autumn School, Oldenburg, October 2, 2015 Acknowledgements Most

1.18k views • 103 slides
Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg

Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg

Optimal Counterexamples for Discrete-Time Markov Models Albert-Ludwigs-Universitt Freiburg Ralf Wimmer Albert-Ludwigs-Universitt Freiburg, Germany Joint work with Nils Jansen, Erika brahm, Joost Pieter Katoen, Bernd Becker Outline

475 views • 34 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright

A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright

A SAT + CAS Approach to Finding Good Matrices: New Examples and Counterexamples Curtis Bright University of Waterloo Dragomir okovi University of Waterloo Ilias Kotsireas Wilfrid Laurier University Vijay Ganesh University of Waterloo

449 views • 44 slides
Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019

Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019

Counterexamples in Cubical Sets Andrew W Swan ILLC, University of Amsterdam August 20, 2019 Definition Brouwers principle states that all functions N N N are continuous. Theorem (S.) Working in a metatheory where Brouwers principle

830 views • 26 slides
A Statistical Analysis of Luck Isaac Wilhelm Rutgers University Foundations of Probability

A Statistical Analysis of Luck Isaac Wilhelm Rutgers University Foundations of Probability

Introduction The PAL Counterexamples to the PAL The SAL Advantages of the SAL A Statistical Analysis of Luck Isaac Wilhelm Rutgers University Foundations of Probability Seminar, September 19, 2016 Introduction The PAL Counterexamples to

582 views • 36 slides
Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Verification and Validation Steven Zeil February 13, 2013 Verification and Validation Outline The Process 1 Non-Testing V&V 2 Code Review Mathematically-based verification Static analysis tools

790 views • 55 slides
Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification regulations Verification Code Extension (draft-gould-eppext-verificationcode) Purpose Separate verification details from registry interface

167 views • 6 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of assets for initial and re-determinations for OSIP-M consumers without SSI. Asset Verification Service Kick-Off 11/8/18 Introduce Project Team

253 views • 14 slides
Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying

Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying

Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying SV-based VIP DV Club Presentation (23 April 2012) NEED FOR VERIFICATION IP Why do we need VIPs? Time To Market Ready-to-integrate models

403 views • 22 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

UMBC A B M A L T F O U M B C I M Y O R T 1 (11/26/07) I E S R C E O V

VLSI Design Verification and Test Simulation CMPE 646 Design Verification Simulation used for 1) design verification : verify the correctness of the design and 2) test verification. Design verification: Specification Critical or

426 views • 15 slides

More recommend