Predicate Abstraction for Relaxed Memory Models Andrei Dan Yuri - - PowerPoint PPT Presentation

Predicate Abstraction for Relaxed Memory Models

Andrei Dan Yuri Meshman Martin Vechev Eran Yahav ETH Zurich Technion ETH Zurich Technion

Motivation

Modern processors' memory operations are not executed in the order specified by the program code Objective: Automatically verify concurrent programs

• n relaxed memory models, both finite and infinite

state.

Example: Initial state: X = 0, Y = 0 Thread 1: Thread 2: Y = 1; X = 1; r1 = X; r2 = Y; The final state r1 = 0, r2 = 0 can occur on Intel x86 memory model and cannot occur under SC.

Classic predicate abstraction

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... store B1 = choose(B2, ¬B2); ... Boolean Program BSC ... load f1 = Flag1; ... Program PSC (f1 = 0) (Flag1 = 0) ... Set of predicates VSC

(Ball et al., PLDI '01)

Specification

Predicate abstraction for RMM

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... store B1 = choose(B2, ¬B2); ... Boolean Program BSC ... load f1 = Flag1; ... Program PSC (f1 = 0) (Flag1 = 0) ... Set of predicates VSC Specification

Predicate abstraction for RMM

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... load f1 = Flag1; ... Program PSC ... store B1 = choose(B2, ¬B2); ... Boolean Program BSC SC to RMM ... Program PRMM (f1 = 0) (Flag1 = 0) ... Set of predicates VSC Specification

Predicate abstraction for RMM

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... load f1 = Flag1; ... Program PSC (f1 = 0) (Flag1 = 0) ... Set of predicates VSC ... Boolean Program BRMM SC to RMM ... Program PRMM Predicate Adjustment ... Set of predicates VRMM Specification

Predicate abstraction for RMM

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... load f1 = Flag1; ... Program PSC (f1 = 0) (Flag1 = 0) ... Set of predicates VSC ... Boolean Program BRMM SC to RMM ... Program PRMM Predicate Adjustment ... Set of predicates VRMM

Classic predicate abstraction on RMM input SC → RMM adaptation

RMM: PSO & TSO Specification

O((#preds)^N) The problem

Problem: too many calls to the SMT solver

Predicate Abstraction Cube Size = N Model Checker verified counter example SMT Solver ... load f1 = Flag1; ... Program PSC (f1 = 0) (Flag1 = 0) ... Set of predicates VSC ... Boolean Program BRMM SC to RMM ... Program PRMM Predicate Adjustment ... Set of predicates VRMM

Classic predicate abstraction on RMM input SC → RMM adaptation

Experimental data for PSO model

Algorithm Memory model # predicates # calls to SMT ABP SC 8 4,000 PSO 15 44,000 Dekker SC 7 1,500 PSO 20 102,000 Peterson SC 7 1,400 PSO 20 102,000 Bakery SC 15 1,600,000 PSO (1 var) 23 91,000,000 For Bakery, the Cube Size has to be 4 to prove SC correctness. Building the boolean program for 35 predicates times out.

Predicate Abstraction Cube Size = N Model Checker verified counter example SC to RMM Predicate Adjustment SMT Solver Set of predicates VSC Program PSC Set of predicates VRMM Program PRMM Boolean Program BRMM

O((#preds)^N)

The problem

Problem: too many calls to the SMT solver

Build RMM proof:

Idea: Leverage the SC proof

Predicate Abstraction Cube Size = 1 Model Checker verified counter example SC to RMM Predicate Adjustment SMT Solver Extract SC cubes

Reuse predicate updating information from SC boolean program

Set of predicates VSC Program PSC Set of predicates VRMM Program PRMM Boolean Program BRMM Predicate Abstraction Cube Size = N SMT Solver Program PSC Set of predicates VSC Boolean Program BSC Model Checker verified Specification Specification

Build SC proof: Build RMM proof:

Idea: Leverage the SC proof

Predicate Abstraction Cube Size = 1 Model Checker verified counter example SC to RMM Predicate Adjustment SMT Solver

O(#preds + #cubes)

Reuse predicate updating information from SC boolean program

Linear complexity

Set of predicates VSC Program PSC Set of predicates VRMM Program PRMM Boolean Program BRMM Predicate Abstraction Cube Size = N SMT Solver Program PSC Set of predicates VSC Boolean Program BSC Model Checker verified

Build SC proof: Build RMM proof:

Extract SC cubes Specification Specification

Results for Bakery 1 variable PSO

25x less calls to the SMT solver (Yices) by reusing the SC boolean program Classic Predicate Abstraction adapted for PSO Our method: Leverage SC proof Build SC proof Build PSO proof # calls to SMT 91,000,000 1,600,000 2,000,000 Time (min) 492 7 10 Total calls to SMT 91,000,000 3,600,000 Total time (min) 492 17

Thank you! Questions?