Lazy TSO Reachability

Ahmed Bouajjani¹, Georgel Calin², Egor Derevenetc²,³, and Roland Meyer²

¹LIAFA, University Paris 7  ²University of Kaiserslautern  ³Fraunhofer ITWM

arXiv:1501.02683v1 [cs.PL] 12 Jan 2015

Abstract. We address the problem of checking state reachability for programs running under Total Store Order (TSO). The problem has been shown to be decidable but the cost is prohibitive, namely non-primitive recursive. We propose here to give up completeness. Our contribution is a new algorithm for TSO reachability: it uses the standard SC semantics and introduces the TSO semantics lazily and only where needed. At the heart of our algorithm is an iterative refinement of the program of interest. If the program's goal state is SC-reachable, we are done. If the goal state is not SC-reachable, this may be due to the fact that SC under-approximates TSO. We employ a second algorithm that determines TSO computations which are infeasible under SC, and hence likely to lead to new states. We enrich the program to emulate, under SC, these TSO computations. Altogether, this yields an iterative under-approximation that we prove sound and complete for bug hunting, i.e., a semi-decision procedure halting for positive cases of reachability. We have implemented the procedure as an extension to the tool Trencher [1] and compared it to the Memorax [2] and CBMC [14] model checkers.

1 Introduction

Sequential consistency (SC) [21] is the semantics typically assumed for parallel programs. Under SC, instructions are executed atomically and in program order. When programs are executed on an Intel x86 processor, however, they are only guaranteed a weaker semantics known as Total Store Order (TSO). TSO weakens the synchronization guarantees given by SC, which in turn may lead to erroneous behavior. TSO reflects the architectural optimization of store buffers. To reduce the latency of memory accesses, store commands are added to a thread-local FIFO buffer and only later executed on memory.

To check for correct behavior, reachability techniques have proven useful.
Given a program and a goal state, the task is to check whether the state is reachable. To give an example, assertion failures can be phrased as reachability problems. Reachability depends on the underlying semantics. Under SC, the problem is known to be PSpace-complete [18]. Under TSO, it is considerably more difficult: although decidable, it is non-primitive recursive-hard [8].

Due to the high complexity, tools rarely provide decision procedures [2,23,24]. Instead, most approaches implement approximations. Typical approximations of TSO reachability bound the number of loop iterations [5,6], the number of context switches between threads [9], or the size of store buffers [19,20]. What all these approaches have in common is that they introduce store buffering in the whole program. We claim that such a comprehensive instrumentation is unnecessarily heavy.

The idea of our method is to introduce store buffering lazily and only where needed. Unlike [2], we do not target completeness. Instead, we argue that our lazy TSO reachability checker is useful for a fast detection of bugs that are due to the TSO semantics. At a high level, we solve the expensive TSO reachability problem with a series of cheap SC reachability checks, very much like SAT solvers are invoked as subroutines of costlier analyses. The SC checks run interleaved with queries to an oracle. The task of the oracle is to suggest sequences of instructions that should be considered under TSO, which means they are likely to lead to TSO-reachable states outside SC.

To be more precise, the algorithm iteratively repeats the following steps. First, it checks whether the goal state is SC-reachable. If this is the case, the state will be TSO-reachable as well and the algorithm returns. If the state is not SC-reachable, the algorithm asks the oracle for a sequence of instructions and encodes the TSO behavior of the sequence into the input program. As a result, precisely this TSO behavior becomes available under SC.
The encoding is linear in the size of the input program and in the length of the sequence.

The algorithm is a semi-decision procedure: it always returns correct answers and is guaranteed to terminate if the goal state is TSO-reachable. This guarantee relies on one assumption on the oracle. If the oracle returns the empty sequence, then the SC- and the TSO-reachable states of the input program have to coincide. We also come up with a good oracle: robustness checkers naturally meet the above requirement. Intuitively, a program is robust against TSO if its partial-order behaviors (reflecting data and control dependencies) under TSO and under SC coincide. Robustness is much easier than TSO reachability, actually PSpace-complete [10,11], and hence well-suited for iterative invocations.

We have implemented lazy TSO reachability as an extension to our tool Trencher [1], reusing the robustness checking algorithms of Trencher to derive an oracle. The implementation is able to solve positive instances of TSO reachability as well as correctly determine safety for robust programs. The source code and experiments are available online [1].

The structure of the paper is as follows. We introduce parallel programs with their TSO and their SC semantics in Section 2. Section 3 presents our main contribution, the lazy approach to solving TSO reachability. Section 4 describes the robustness-based oracle. The experimental evaluation is given in Section 5. Details and proofs missing in the main text can be found in the appendix.

Related Work

As already mentioned, TSO reachability was proven decidable but non-primitive recursive [8] in the case of a finite number of threads and a finite data domain. In the same setting, robustness was shown to be PSpace-complete [11]. Checking and enforcing robustness against weak memory models has been addressed in [3,7,10–13,26]. The first work to give an efficient sound and complete decision procedure for checking robustness is [10].

The works [2,23,24] propose state-based techniques to solve TSO reachability.
An under-approximative method that uses bounded context switching is given in [9]. It encodes store buffers into a linear-size instrumentation, and the instrumented program is checked for SC reachability. The under-approximative techniques of [5,6] are able to guarantee safety only for programs with bounded loops. On the other side of the spectrum, over-approximative analyses abstract store buffers into sets combined with bounded queues [19,20].

2 Parallel Programs

We use automata to define the syntax and the semantics of parallel programs. A (non-deterministic) automaton over an alphabet Σ is a tuple A = (Σ, S, →, s₀), where S is a set of states, → ⊆ S × (Σ ∪ {ε}) × S is a set of transitions, and s₀ ∈ S is an initial state. The automaton is finite if the transition relation → is finite. We write s −a→ s′ if (s, a, s′) ∈ →, and extend the transition relation to sequences w ∈ Σ* as expected. The language of A with final states F ⊆ S is L_F(A) := {w ∈ Σ* | s₀ −w→ s ∈ F}. We say that state s ∈ S is reachable if s₀ −w→ s for some sequence w ∈ Σ*. Letter a precedes b in w, denoted by a <_w b, if w = w₁·a·w₂·b·w₃ for some w₁, w₂, w₃ ∈ Σ*.

A parallel program P is a finite sequence of threads that are identified by indices t from TID. Each thread t := (Com_t, Q_t, I_t, q_{0,t}) is a finite automaton with transitions I_t that we call instructions. Instructions I_t are labelled by commands from the set Com_t, which we define in the next paragraph. We assume, wlog., that the states of different threads are disjoint. This implies that the sets of instructions of different threads are distinct. We use I := ∪_{t∈TID} I_t for all instructions and Com := ∪_{t∈TID} Com_t for all commands. For an instruction inst := (s, cmd, s′) in I, we define cmd(inst) := cmd, src(inst) := s, and dst(inst) := s′.

To define the set of commands, let DOM be a finite domain of values that we also use as addresses. We assume that value 0 is in DOM.
For each thread t, let REG_t be a finite set of registers that take their values from DOM. We assume per-thread disjoint sets of registers. The set of expressions of thread t, denoted by EXP_t, is defined over registers from REG_t, constants from DOM, and (unspecified) operators over DOM. If r ∈ REG_t and e, e′ ∈ EXP_t, the set of commands Com_t consists of loads from memory r ← mem[e], stores to memory mem[e] ← e′, memory fences mfence, assignments r ← e, and conditionals assume e. We write REG := ∪_{t∈TID} REG_t for all registers and EXP := ∪_{t∈TID} EXP_t for all expressions.

[Fig. 1. Simplified Dekker's algorithm. Thread t1 executes mem[x] ← 1; r1 ← mem[y]; assume r1 = 0 through states q_{0,1}, q_{1,1}, q_{2,1}, q_{g,1}; thread t2 symmetrically executes mem[y] ← 1; r2 ← mem[x]; assume r2 = 0 through states q_{0,2}, q_{1,2}, q_{2,2}, q_{g,2}.]

The program in Figure 1 serves as our running example. It consists of two threads t1 and t2 implementing a mutual exclusion protocol. Initially, the addresses x and y contain 0. The first thread signals its intent to enter the critical section by setting variable x to 1. Next, the thread checks whether the second thread wants to enter the critical section, too. It reads variable y and, if it is 0, the first thread enters its critical section. The critical section actually is the state q_{g,1}. The second thread behaves symmetrically.

2.1 Semantics of Parallel Programs

The semantics of a parallel program P under memory model M = TSO and M = SC follows [25]. We define the semantics in terms of a state-space automaton X_M(P) := (E, S_M, ∆_M, s₀). Each state s = (pc, val, buf) ∈ S_M is a tuple where the program counter pc: TID → Q holds the current control state of each thread, the valuation val: REG ∪ DOM → DOM holds the values stored in registers and at memory addresses, and the buffer configuration buf: TID → (DOM × DOM)* holds a sequence of address-value pairs.
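The buffer configuration just defined is a per-thread FIFO of address-value pairs. The following minimal Python sketch (our illustration, not part of the paper's formal model; all names are ours) shows the three operations such a buffer supports:

```python
from collections import deque

class StoreBuffer:
    """Thread-local FIFO of (address, value) pairs, playing the role of buf(t)."""

    def __init__(self, memory):
        self.memory = memory       # shared memory: address -> value
        self.pending = deque()     # buffered stores, oldest first

    def store(self, addr, value):
        self.pending.append((addr, value))   # enqueue only, not yet visible

    def load(self, addr):
        # the most recent buffered store to addr wins ...
        for a, v in reversed(self.pending):
            if a == addr:
                return v
        # ... otherwise the load reads shared memory
        return self.memory.get(addr, 0)

    def flush_one(self):
        # the oldest buffered store becomes globally visible
        a, v = self.pending.popleft()
        self.memory[a] = v

mem = {}
b = StoreBuffer(mem)
b.store("x", 1)
assert b.load("x") == 1       # the thread sees its own buffered store
assert mem.get("x", 0) == 0   # other threads do not, yet
b.flush_one()
assert mem["x"] == 1          # visible after the flush
```

The asymmetry visible here, where a thread observes its own store before anyone else does, is exactly what the TSO transition rules below formalize.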
In the initial state s₀ := (pc₀, val₀, buf₀), the program counter holds the initial control states, pc₀(t) := q_{0,t} for all t ∈ TID, all registers and addresses contain value 0, and all buffers are empty, buf₀(t) := ε for all t ∈ TID.

The transition relation ∆_TSO for TSO satisfies the rules given in Figure 2. There are two more rules for register assignments and conditionals that are standard and omitted. TSO architectures implement (FIFO) store buffering, which means stores are buffered for later execution on the shared memory. Loads from an address a take their value from the most recent store to address a that is buffered. If there is no such buffered store, they access the main memory. This is modelled by the Rules (LB) and (LM). Rule (ST) enqueues store operations as address-value pairs to the buffer. Rule (MEM) non-deterministically dequeues store operations and executes them on memory. Rule (F) states that a thread can execute a fence only if its buffer is empty. As can be seen from Figure 2, events labelling TSO transitions take the form E ⊆ TID × (I ∪ {flush}) × (DOM ∪ {⊥}).

The SC [21] semantics is simpler than TSO in that stores are not buffered. Technically, we keep the set of states but change the transitions so that Rule (ST) is immediately followed by Rule (MEM).

We are interested in the computations of program P under M ∈ {TSO, SC}. They are given by C_M(P) := L_F(X_M(P)), where F is the set of states with empty buffers. With this choice of final states, we avoid incomplete computations that have pending stores. Note that all SC states have empty buffers, which means the SC computations form a subset of the TSO computations: C_SC(P) ⊆ C_TSO(P). We will use notation Reach_M(P) for the set of all states s ∈ F that are reachable by some computation in C_M(P).

To give an example, the program from Figure 1 admits the TSO computation τ_wit below where the store of the first thread is flushed at the end:

τ_wit = store₁ · load₁ · store₂ · flush₂ · load₂ · flush₁.
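To make the running example concrete, the following sketch (our encoding; state names like q0_1 and command tuples are ours) exhaustively explores the Figure 1 program under both semantics. Under SC the goal "both threads in their critical section" is unreachable, while under TSO the buffered stores can be flushed after the loads, as in τ_wit:

```python
from collections import deque

t1 = (("q0_1", ("store", "x", 1), "q1_1"),
      ("q1_1", ("load", "r1", "y"), "q2_1"),
      ("q2_1", ("assume", "r1", 0), "qg_1"))
t2 = (("q0_2", ("store", "y", 1), "q1_2"),
      ("q1_2", ("load", "r2", "x"), "q2_2"),
      ("q2_2", ("assume", "r2", 0), "qg_2"))

def goal_reachable(tso):
    """BFS over joint states (pc1, pc2, x, y, r1, r2, buf1, buf2)."""
    init = ("q0_1", "q0_2", 0, 0, 0, 0, (), ())
    seen, work = {init}, deque([init])

    def push(st):
        if st not in seen:
            seen.add(st)
            work.append(st)

    while work:
        pc1, pc2, x, y, r1, r2, b1, b2 = work.popleft()
        if pc1 == "qg_1" and pc2 == "qg_2" and not b1 and not b2:
            return True                      # goal: both critical, buffers empty
        for tid, prog, pc, buf in ((1, t1, pc1, b1), (2, t2, pc2, b2)):
            for src, cmd, dst in prog:
                if src != pc:
                    continue
                nx, ny, nr1, nr2, nb = x, y, r1, r2, buf
                if cmd[0] == "store":
                    _, a, v = cmd
                    if tso:
                        nb = buf + ((a, v),)     # rule (ST): enqueue
                    elif a == "x":
                        nx = v                   # SC: write memory at once
                    else:
                        ny = v
                elif cmd[0] == "load":
                    _, r, a = cmd
                    mem = {"x": x, "y": y}
                    v = next((w for aa, w in reversed(buf) if aa == a),
                             mem[a])             # rules (LB)/(LM)
                    nr1, nr2 = (v, r2) if r == "r1" else (r1, v)
                else:                            # assume r = v
                    _, r, v = cmd
                    if (r1 if r == "r1" else r2) != v:
                        continue                 # condition blocks
                if tid == 1:
                    push((dst, pc2, nx, ny, nr1, nr2, nb, b2))
                else:
                    push((pc1, dst, nx, ny, nr1, nr2, b1, nb))
            if tso and buf:                      # rule (MEM): flush oldest
                (a, v), rest = buf[0], buf[1:]
                nx, ny = (v, y) if a == "x" else (x, v)
                push((pc1, pc2, nx, ny, r1, r2, rest, b2) if tid == 1
                     else (pc1, pc2, nx, ny, r1, r2, b1, rest))
    return False

assert not goal_reachable(tso=False)   # mutual exclusion holds under SC
assert goal_reachable(tso=True)        # both threads reach qg under TSO
```

The TSO witness found by this search is exactly the shape of τ_wit: both stores are delayed past both loads, so both assumes see 0.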
(LB)  cmd = r ← mem[e_a] and buf(t)↓({a}×DOM) = (a,v)·β:
      s −(t,inst,a)→ (pc′, val[r := v], buf)
(LM)  cmd = r ← mem[e_a] and buf(t)↓({a}×DOM) = ε:
      s −(t,inst,a)→ (pc′, val[r := val(a)], buf)
(ST)  cmd = mem[e_a] ← e_v:
      s −(t,inst,a)→ (pc′, val, buf[t := (a,v)·buf(t)])
(MEM) buf(t) = β·(a,v):
      s −(t,flush,a)→ (pc, val[a := v], buf[t := β])
(F)   cmd = mfence and buf(t) = ε:
      s −(t,inst,⊥)→ (pc′, val, buf)

Fig. 2. Transition rules for X_TSO(P), assuming s = (pc, val, buf) with pc(t) = q and inst = (q, cmd, q′) in thread t. The program counter is always set to pc′ = pc[t := q′]. We assume a to be the address returned by an address expression e_a and v the value returned by a value expression e_v. We use buf(t)↓({a}×DOM) to project the buffer content buf(t) to store operations that access address a.

Consider an event e = (t, inst, a). By thread(e) := t we refer to the thread that produced the event. Function inst(e) := inst returns the instruction. For flush events, inst(e) gives the instruction of the matching store event. By addr(e) := a we denote the address that is accessed (if any). In the example, thread(store₁) = t1, inst(store₁) = q_{0,1} −mem[x]←1→ q_{1,1}, and addr(store₁) = x.

3 Lazy TSO Reachability

We introduce the reachability problem and present our main contribution: an algorithm that checks TSO reachability lazily. The iterative algorithm queries an oracle to identify sequences of instructions that, under the TSO semantics, lead to states not reachable under SC. In Section 3.1, we show that the algorithm yields a sound and complete semi-decision procedure.

Given a memory model M ∈ {SC, TSO}, the M reachability problem expects as input a program P and a set of goal states G ⊆ S_M. We are mostly interested in the control state of each thread. Therefore, goal states (pc, val, buf) typically specify a program counter pc but leave the memory valuation unconstrained. Formally, the M reachability problem asks if some state in G is reachable in the automaton X_M(P).
Given: A parallel program P and goal states G.
Problem: Decide L_{F∩G}(X_M(P)) ≠ ∅.

We use notation Reach_M(P) ∩ G for the set of reachable final goal states in P.

Instead of solving reachability under TSO directly, the algorithm we propose solves SC reachability and, if no goal state is reachable, tries to lazily introduce store buffering on a certain control path of the program. The algorithm delegates choosing the control path to an oracle function O. Given an input program R, the oracle returns a sequence of instructions of that program. Formally, the oracle satisfies the following requirements:

– If O(R) = ε then Reach_SC(R) = Reach_TSO(R).
– Otherwise, O(R) = inst₁ inst₂ ... inst_n with cmd(inst₁) a store, cmd(inst_n) a load, cmd(inst_i) ≠ mfence for all i, and dst(inst_i) = src(inst_{i+1}) for i ∈ [1..n−1].

The lazy TSO reachability checker is outlined in Algorithm 1. As input, it takes a program P and an oracle O. We assume some control states in each thread to be marked to define a set of goal states. The algorithm returns true iff the program can reach a goal state under TSO. It works as follows. First, it creates a copy R of the program P. Next, it checks if a goal state is SC-reachable in R (Line 3). If that is the case, the algorithm returns true. Otherwise, it asks the oracle O where in the program to introduce store buffering. If O(R) ≠ ε, the algorithm extends R to emulate store buffering on the path O(R) under SC (Line 8). Then it goes back to the beginning of the loop. If O(R) = ε, by the first property of oracles, R has the same reachable states under SC and under TSO. This means the algorithm can safely return false (Line 10). Note that, since R emulates TSO behavior of P, the algorithm solves TSO reachability for P.
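The loop just described can be sketched in a few lines of Python. Here `sc_reachable`, `oracle`, and `extend` stand in for the SC model checker, the oracle O, and the R ⊕ σ construction; they are parameters of the sketch, not implementations:

```python
def lazy_tso_reachability(program, goals, sc_reachable, oracle, extend):
    """Skeleton of the lazy checker; the three callables are supplied by the user."""
    refined = program                         # R := P
    while True:
        if sc_reachable(refined, goals):      # goal SC-reachable in R?
            return True                       # then TSO-reachable in P
        sigma = oracle(refined)               # where to introduce buffering
        if sigma:
            refined = extend(refined, sigma)  # R := R (+) sigma
        else:
            return False                      # O(R) empty: SC = TSO for R

# Toy run with stubs: the oracle suggests one sequence "s"; after the
# extension, the (stubbed) SC check succeeds.
sc = lambda p, g: p == "P+s"
orc = lambda p: "s" if p == "P" else ""
ext = lambda p, s: p + "+" + s
assert lazy_tso_reachability("P", None, sc, orc, ext) is True
assert lazy_tso_reachability("P", None, lambda p, g: False, lambda p: "", ext) is False
```

The two stub runs exercise both exits of the loop: a positive answer after one refinement, and a negative answer when the oracle immediately returns the empty sequence.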
Algorithm 1 Lazy TSO reachability checker
Input: Marked program P and oracle O
Output: true if some goal state is TSO-reachable in P; false if no goal state is TSO-reachable in P
 1: R := P;
 2: while true do
 3:   if Reach_SC(R) ∩ G ≠ ∅ then   {check if some goal state is SC-reachable}
 4:     return true;
 5:   else
 6:     σ := O(R);   {ask the oracle where to use store buffering}
 7:     if σ ≠ ε then
 8:       R := R ⊕ σ;
 9:     else
10:       return false;

Let σ := O(R) = inst₁ inst₂ ... inst_n and let t := (Com_t, Q_t, I_t, q_{0,t}) be the thread of the instructions in σ. The modified program R ⊕ σ replaces t by a new thread t ⊕ σ. The new thread emulates under SC the TSO semantics of σ. Formally, the extension of t by σ is t ⊕ σ := (Com′_t, Q′_t, I′_t, q_{0,t}). The thread is obtained from t by adding sequences of instructions starting from q₀ := src(inst₁). To remember the addresses and values of the buffered stores, we use auxiliary registers ar₁,...,ar_max and vr₁,...,vr_max, where max ≤ n−1 is the total number of store instructions in σ. The sets Com′_t ⊇ Com_t and Q′_t ⊇ Q_t are extended as necessary.

We define the extension by describing the new transitions that are added to I′_t for each inst_i. In our construction, we use a variable count to keep track of the number of store instructions already processed. Initially, Q′_t := Q_t and count := 0. Based on the type of instructions, we distinguish the following cases. If cmd(inst_i) = mem[e] ← e′, we increment count by 1 and add instructions that remember the address and the value being written in ar_count and vr_count. If cmd(inst_i) = r ← mem[e], we add instructions to I′_t that perform a load from memory only when a load from the simulated buffer is not possible. More precisely, if j ∈ [1..count] is found so that ar_j = e, register r is assigned the value of vr_j. Otherwise, r receives its value from the address indicated by e.
From q_{i−1} to q_i we add, on the one hand, the path assume ar₁ ≠ e; ...; assume ar_count ≠ e; r ← mem[e] and, on the other hand, for each j ∈ [1..count], a path assume ar_j = e; r ← vr_j.

If cmd(inst_i) is an assignment or a conditional, we add (q_{i−1}, cmd(inst_i), q_i) to I′_t. By the definition of an oracle, cmd(inst_i) is never a fence.

The above cases handle all instructions in σ. So far, the extension added new instructions to I′_t that lead through the fresh states q₁,...,q_n. Out of control state q_n, we now recreate the sequence of stores remembered by the auxiliary registers. Then we return to the control flow of the original thread t:

q_n −mem[ar₁]←vr₁→ ··· −mem[ar_max]←vr_max→ dst(inst_n).

Next, we remove inst₁ from the program. This prevents the oracle from discovering in the future another instruction sequence that is essentially the same as σ. As we will show, this is key to guaranteeing termination of the algorithm for acyclic programs. However, the removal of inst₁ may reduce the set of TSO-reachable states. To overcome this problem, we insert additional instructions. Consider an instruction inst ∈ I_t with src(inst) = src(inst_i) for some i ∈ [1..n] and assume that inst ≠ inst_i. We add instructions that recreate the stores buffered in the auxiliary registers and return to dst(inst):

q_i −mem[ar₁]←vr₁→ ··· −mem[ar_count]←vr_count→ −cmd(inst)→ dst(inst).

Similarly, for all load instructions inst_i as well as out of q₁ we add instructions that flush and fence the pair (ar₁, vr₁), make visible the remaining buffered stores, and return to state q in the original control flow. Below, q := src(inst_i) if inst_i is a load and q := dst(inst₁) otherwise. Intuitively, this captures behaviors that delay inst₁ past loads earlier than inst_n, and that do not delay inst₁ past the first load in σ:

q_i −mem[ar₁]←vr₁→ −mfence→ ··· −mem[ar_count]←vr_count→ q.
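For the simplest case, σ = store·load with a single auxiliary pair (ar₁, vr₁), the gadget above can be written down as data. This is a compressed sketch of our own devising: the composite command tuples below each stand for the short chains of assignments and assumes that the paper adds as separate instructions:

```python
def extend_store_load(store, load):
    """Build SC instructions emulating TSO for sigma = store . load."""
    (q0, (_, addr, val), _) = store        # (src, ("store", a, v), dst)
    (_, (_, reg, laddr), q_dst) = load     # (src, ("load", r, b), dst)
    q1, q2 = q0 + "_s1", q0 + "_s2"        # fresh control states
    return [
        # buffer the store into the auxiliary registers
        (q0, ("save", ("ar1", addr), ("vr1", val)), q1),
        # no buffered store matches: load from memory
        (q1, ("if-ne", "ar1", laddr, ("load", reg, laddr)), q2),
        # the buffered store matches: early read from vr1
        (q1, ("if-eq", "ar1", laddr, ("copy", reg, "vr1")), q2),
        # finally replay the buffered store on memory
        (q2, ("store-at", "ar1", "vr1"), q_dst),
    ]

gadget = extend_store_load(("q0_1", ("store", "x", 1), "q1_1"),
                           ("q1_1", ("load", "r1", "y"), "q2_1"))
assert [i[0] for i in gadget] == ["q0_1", "q0_1_s1", "q0_1_s1", "q0_1_s2"]
assert gadget[-1][2] == "q2_1"
```

Applied to the running example, this produces exactly the shape of the extension shown in Figure 3: the store of t1 is saved, the load either hits memory or the simulated buffer, and the store is replayed afterwards.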
[Fig. 3. Extension by inst(store₁)·inst(load₁) of the program in Figure 1: thread t1 gains fresh states q₁, q₂ reached from q_{0,1} by ar₁ ← x; vr₁ ← 1, the guarded load branches (assume ar₁ ≠ y; r₁ ← mem[y] and assume ar₁ = y; r₁ ← vr₁), flush paths with mfence, and the replay mem[ar₁] ← vr₁; thread t2 is unchanged. Goal state (pc, val, buf) with val(x) = val(y) = 1 and val(r₁) = val(r₂) = 0 is now SC-reachable.]

Figure 3 shows the extension of the program in Figure 1 by the instruction sequence inst(store₁)·inst(load₁) := q_{0,1} −mem[x]←1→ q_{1,1} −r₁←mem[y]→ q_{1,2}.

3.1 Soundness and Completeness

We show that Algorithm 1 is a decision procedure for acyclic programs. From here until (inclusively) Theorem 3 we assume that all programs are acyclic, i.e., their instructions and control states form directed acyclic graphs. Theorem 4 then explains how Algorithm 1 yields a semi-decision procedure for all programs.

We first prove the extension sound and complete (Lemma 1): extending R by sequence σ := O(R) does neither add nor remove TSO-reachable states. Afterwards, Lemma 2 shows that if Algorithm 1 extends R by σ (Line 8) then, in subsequent iterations of the algorithm, no new sequence returned by the oracle is the same as σ (projected back to P). Next, by the first condition of an oracle and using Lemma 2, we establish that Algorithm 1 is a decision procedure for acyclic programs (Theorem 3). Finally, we show that Algorithm 1 can be turned into a semi-decision procedure for all programs using a bounded model checking approach (Theorem 4).

Lemma 1. Let DOM ∪ REG be the addresses and registers of program R and let σ := O(R). Then we have (pc, val, buf) ∈ Reach_TSO(R) if and only if (pc, val′, buf) ∈ Reach_TSO(R ⊕ σ) with val(a) = val′(a) for all a ∈ DOM ∪ REG.

Let t be the thread that differs in R and R ⊕ σ. To prove Lemma 1, one can show that for any prefix α′ of α ∈ C_TSO(R) there is a prefix β′ of β ∈ C_TSO(R ⊕ σ), and vice versa, that maintain the following invariants.

Inv-0: s₀ −α′→ (pc, val, buf) and s₀ −β′→ (pc′, val′, buf′).
Inv-1: If pc and pc′ differ, they only differ for thread t. If pc(t) ≠ pc′(t), then pc(t) = dst(inst_i) and pc′(t) = q_i for some i ∈ [1..n−1].
Inv-2: val′(a) = val(a) for all a ∈ DOM ∪ REG.
Inv-3: buf and buf′ differ at most for t. If buf(t) ≠ buf′(t), then pc′(t) = q_i for some i ∈ [1..n−1] and buf(t) = (val′(ar_count), val′(vr_count)) ··· (val′(ar₁), val′(vr₁)) · buf′(t), where count stores are seen along σ from src(inst₁) to dst(inst_i).

We now show that the oracle never suggests the same sequence σ twice. Since in R ⊕ σ we introduce new instructions that correspond to instructions in R, we have to map back sequences of instructions I_⊕ in R ⊕ σ to sequences of instructions I in R. Intuitively, the mapping gives the original instructions from which the sequence was produced. Formally, we define a family of projection functions h_σ: I*_⊕ → I* with h_σ(ε) := ε and h_σ(w·inst) := h_σ(w)·h_σ(inst). For an instruction inst ∈ I_⊕, we define h_σ(inst) := inst provided inst ∈ I. We set h_σ(inst) := inst_i if inst is a first instruction on the path between q_{i−1} and q_i for some i ∈ [1..n]. In all other cases, we delete the instruction, h_σ(inst) := ε. Then, if R₀ := P is the original program, σ_j is the sequence that the oracle returns in iteration j ∈ ℕ of the while loop, and w is a sequence of instructions in R_{j+1}, we define h(w) := h_{σ₀}(...h_{σ_j}(w)). This latter function maps sequences of instructions in program R_{j+1} back to sequences of instructions in P.

We are ready to state our key lemma. Intuitively, if the oracle in Algorithm 1 returns σ := O(R) and σ′ := O(R ⊕ σ) then, necessarily, h(σ′) ≠ h(σ).

Lemma 2. Let R₀ := P and R_{i+1} := R_i ⊕ σ_i for σ_i := O(R_i) as in Algorithm 1. If σ_{j+1} ≠ ε then h(σ_{j+1}) ≠ h(σ_i) for all i ≤ j.

Proof. Assume, to the contrary, that h(σ_{j+1}) = h(σ_i) for some i ≤ j where σ_{j+1} := O(R_{j+1}) and σ_i := O(R_i). Let inst_first be the first (store) instruction and inst_last the last (load) instruction of σ_{j+1}. Similarly, let inst′_first and inst′_last be the first and last instructions of σ_i.
Since h(σ_{j+1}) = h(σ_i), it means that h(inst_first) = h(inst′_first) and h(inst_last) = h(inst′_last). However, since all control flows of R_{i+1} := R_i ⊕ σ_i that recreate h(inst′_first) before h(inst′_last) also place a fence between the two, no other later sequence that the oracle returns has h(inst′_first) come before h(inst′_last). This in particular means that σ_{j+1} = O(R_{j+1}), where h(inst_first) comes before h(inst_last), does not exist. In conclusion, the initial assumption is false. ⊓⊔

We can now prove Algorithm 1 sound and complete for acyclic programs (Theorem 3). Lemma 2 and the assumption that the input program is acyclic ensure that if no goal state is found SC-reachable (Line 4), then Algorithm 1 eventually runs out of sequences σ to return (Line 7). If that is the case, O(R) returns ε in the last iteration of Algorithm 1. By the first oracle condition, we know that the SC- and TSO-reachable states of R are the same. Hence, no goal state is TSO-reachable in R and, by Lemma 1, no goal state is TSO-reachable in the input program P either. Otherwise, a goal state s is SC-reachable by some computation τ in R_j for some j ∈ ℕ and, by Lemma 1, there is a TSO computation in P corresponding to τ that reaches s.

Theorem 3. For acyclic programs, Algorithm 1 terminates. Moreover, it returns true on input P if and only if Reach_TSO(P) ∩ G ≠ ∅.

Proof. It is immediate that Algorithm 1 always terminates for acyclic programs. On the one hand, the number of instruction sequences that start with a store and end with a load as in the second oracle condition is finite in P. On the other hand, by Lemma 2, at each iteration the oracle returns a sequence that differs (in P) from the previous ones. These two facts imply termination.

We now prove that Reach_TSO(P) ∩ G ≠ ∅ iff Algorithm 1 returns true on input P. For the easy direction, assume that Algorithm 1 returns true on input P.
This means that Reach_SC(R) ∩ G ≠ ∅ in the last iteration of the algorithm's loop. Then, by Reach_SC(R) ⊆ Reach_TSO(R) and Lemma 1, we know that Reach_SC(R) ⊆ Reach_TSO(P). Hence, Reach_TSO(P) ∩ G ≠ ∅.

For the reverse direction, assume that Reach_TSO(P) ∩ G ≠ ∅. Furthermore, let R₀ := P and R_{i+1} := R_i ⊕ σ_i for σ_i := O(R_i). By the initial termination argument we know there exists j ∈ ℕ such that the algorithm terminates with R = R_j in its last loop iteration. That means that either the check in Line 3 of the algorithm succeeds, in which case Algorithm 1 returns true, or the check in Line 7 of the algorithm fails, i.e. O(R_j) = ε and Reach_SC(R_j) ∩ G = ∅. In the latter case, by the first oracle condition we know that Reach_TSO(R_j) ∩ G = ∅ and, by Lemma 1, we get Reach_TSO(R_j) ⊆ Reach_TSO(R₀). Then, Reach_TSO(P) ∩ G = ∅ contradicts the above assumption and concludes the proof. ⊓⊔

To establish that Algorithm 1 is a semi-decision procedure for all programs, one can use an iterative bounded model checking approach. Bounded model checking unrolls the input program P up to a bound k ∈ ℕ on the length of computations. Then Algorithm 1 is applied to the resulting programs P_k. If it finds a goal state TSO-reachable in P_k, this state corresponds to a TSO-reachable goal state in P. Otherwise, we increase k and try again. By Theorem 3, we know that Algorithm 1 is a decision procedure for each P_k. This implies that Algorithm 1 together with iterative bounded model checking yields a semi-decision procedure that terminates for all positive instances of TSO reachability. For negative instances of TSO reachability, however, the procedure is guaranteed to terminate only if the input program P is acyclic.

Theorem 4. We have G ∩ Reach_TSO(P) ≠ ∅ if and only if, for large enough k ∈ ℕ, Algorithm 1 returns true on input P_k.

Proof. Assume that G ∩ Reach_TSO(P) ≠ ∅. Then there exist some state s ∈ G and α ∈ C_TSO(P) such that s₀ −α→ s. Let k be the length of α and G′ be the goal states of X_TSO(P_k).
There exists a computation β ∈ C_TSO(P_k) that mimics α and reaches s′ ∈ G′. Hence, G′ ∩ Reach_TSO(P_k) ≠ ∅ and, by Theorem 3, Algorithm 1 returns true on input P_k.

For the reverse direction, assume that Algorithm 1 returns true on input P_k for some k ∈ ℕ. Let s′₀ be the initial state of X_TSO(P_k) and, as before, G′ be the goal states of X_TSO(P_k). By Theorem 3, there exists s′ ∈ G′ ∩ Reach_TSO(P_k) and β ∈ C_TSO(P_k) such that s′₀ −β→ s′. Since P_k unrolls P up to bound k, there exists a computation α ∈ C_TSO(P) that mimics β and reaches s ∈ G. Therefore, G ∩ Reach_TSO(P) ≠ ∅. ⊓⊔
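The unrolling P_k can be sketched as an operation on the automaton representation. The simplified version below (ours; the paper bounds the length of computations, whereas this sketch bounds control-flow depth per thread) pairs each control state with its depth, so that even a cyclic thread becomes acyclic:

```python
def unroll(transitions, s0, k):
    """Unroll an automaton to depth k: states become (state, depth) pairs."""
    out = set()
    frontier = {s0}
    for d in range(k):
        nxt = set()
        for (s, a, s2) in transitions:
            if s in frontier:
                out.add(((s, d), a, (s2, d + 1)))  # copy the edge one level down
                nxt.add(s2)
        frontier = nxt
    return out

T = {("q0", "a", "q0")}   # a self-loop: a cyclic program
U = unroll(T, "q0", 2)    # acyclic after unrolling
assert U == {(("q0", 0), "a", ("q0", 1)), (("q0", 1), "a", ("q0", 2))}
```

Each P_k obtained this way is acyclic, so Theorem 3 applies to it, which is the fact the semi-decision argument of Theorem 4 rests on.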
