Periodic Reporting for period 2 - VAPLCS (Verification-Aware Programming Language Concurrency Semantics)
Reporting period: 2022-10-01 to 2024-03-31
The concept of concurrent programming involves the simultaneous execution of multiple program threads. It holds a pivotal role in critical systems such as operating system kernels, where both speed and safety are of paramount importance. To formally verify these concurrent programs, a well-specified concurrency semantics, also known as a memory model, is essential.
Sequential Consistency (SC) stands as the canonical model of concurrency, where a program's behaviors stem from the interleaving of thread operations. However, while SC provides strong intuitive assurances to programmers, it faces significant challenges. Implementing SC on processors like Intel's x86, IBM's POWER, and ARM multiprocessors is intricate. These processors execute memory operations speculatively or out of order, leading to weak behaviors that do not align with the SC model. Achieving SC semantics on such architectures requires expensive barriers, impacting performance. Additionally, common compiler optimizations that reorder memory operations are unsound under SC, adding another layer of performance impact.
Furthermore, automatic verification of concurrent programs under SC, using established methods such as bounded model checking, encounters significant hurdles. The "state explosion problem" arises, where exploring the vast number of possible thread interleavings becomes computationally infeasible, even for relatively small concurrent programs.
This research project focuses on exploring alternatives to SC as the fundamental semantics for high-level programming languages. In essence, the project seeks to redefine the concurrency model, with specific goals:
Implementability: It should support common compiler optimizations and work efficiently on modern architectures, including allowing various types of instruction reordering done by these architectures.
Programmability: The model should allow programmers to prevent weak behaviors by using adequate synchronization and support high-level reasoning principles.
Amenability to Verification: It should enable verification and formal reasoning, using existing techniques for sequential programs and for SC.
The challenge is to fulfill all three goals simultaneously. Notably, focusing on amenability to verification as a design goal for a concurrency model from the outset is a new approach, diverging from the traditional sequence of defining a model first and then addressing the verification problem.
By aiming to enhance both software reliability and performance, this project holds promise for critical systems' programming and safety.
Sequential Consistency (SC) stands as the canonical model of concurrency, where a program's behaviors stem from the interleaving of thread operations. However, while SC provides strong intuitive assurances to programmers, it faces significant challenges. Implementing SC on processors like Intel's x86, IBM's POWER, and ARM multiprocessors is intricate. These processors execute memory operations speculatively or out of order, leading to weak behaviors that do not align with the SC model. Achieving SC semantics on such architectures requires expensive barriers, impacting performance. Additionally, common compiler optimizations that reorder memory operations are unsound under SC, adding another layer of performance impact.
Furthermore, automatic verification of concurrent programs under SC, using established methods such as bounded model checking, encounters significant hurdles. The "state explosion problem" arises, where exploring the vast number of possible thread interleavings becomes computationally infeasible, even for relatively small concurrent programs.
This research project focuses on exploring alternatives to SC as the fundamental semantics for high-level programming languages. In essence, the project seeks to redefine the concurrency model, with specific goals:
Implementability: It should support common compiler optimizations and work efficiently on modern architectures, including allowing various types of instruction reordering done by these architectures.
Programmability: The model should allow programmers to prevent weak behaviors by using adequate synchronization and support high-level reasoning principles.
Amenability to Verification: It should enable verification and formal reasoning, using existing techniques for sequential programs and for SC.
The challenge is to fulfill all three goals simultaneously. Notably, focusing on amenability to verification as a design goal for a concurrency model from the outset is a new approach, diverging from the traditional sequence of defining a model first and then addressing the verification problem.
By aiming to enhance both software reliability and performance, this project holds promise for critical systems' programming and safety.
We have made progress in several directions, and understood much better the tension between the different desiderata. Some examples of results we achieved:
1) We showed that by using sequential reasoning, it is possible to confirm the correctness of different compiler optimizations under efficiently implemantable shared-memory concurrency models. Specifically, we introduced a sequential model and proved that refining behaviors in that model implies refinement under a weakly consistent model. This work was the first to accomplish this for a comprehensive model with various concurrency aspects. As a case study, we developed a simplified optimizer for a simple concurrent language and validated it (using the Coq proof assistant) based solely on the sequential model for reasoning. This approach offers a valuable method for compiler developers and validators, establishing a strong base for certified optimizing compilers in scenarios of weakly consistent shared-memory concurrency.
2) Ensuring liveness of shared-memory concurrent programs typically relies on fairness assumptions about the scheduler, even for simple programs under sequential consistency. However, under weak memory models, the usual thread fairness notions fall short. In this context, we introduced an additional fairness aspect called "memory fairness."
We suggested a straightforward definition for memory fairness that can be applied to any declarative memory model while ensuring the acyclicity of the program order and reads-from relation union. For well-known models like SC, x86-TSO, which have both operational and declarative presentations, we demonstrated that our declarative memory fairness condition aligns with an intuitive, model-specific operational concept of memory fairness. Additionally, it facilitates the first formal proofs of termination for mutual exclusion lock implementations under declarative weak memory models.
3) We explored the development of an "in-order" shared-memory concurrency model for languages like C and C++, which executes instructions in the order they appear in the program, aiming to enhance reasoning and verification compared to more complex out-of-order execution models. Our approach fully supports non-atomic (non-synchronization) accesses without compromising the validity of compiler optimizations, including irrelevant load introduction. The key lies in distinguishing between the source model (with, so called, catch-fire semantics) and an intermediate representation (IR) model (with undefined values for racy reads). We formally established the soundness of mapping from the source to IR, allowing for robust support of non-atomic accesses. This work is the first to formally relate an in-order source model and an out-of-order IR model, with the ultimate goal of achieving in-order source semantics without incurring any performance overhead for non-atomics.
1) We showed that by using sequential reasoning, it is possible to confirm the correctness of different compiler optimizations under efficiently implemantable shared-memory concurrency models. Specifically, we introduced a sequential model and proved that refining behaviors in that model implies refinement under a weakly consistent model. This work was the first to accomplish this for a comprehensive model with various concurrency aspects. As a case study, we developed a simplified optimizer for a simple concurrent language and validated it (using the Coq proof assistant) based solely on the sequential model for reasoning. This approach offers a valuable method for compiler developers and validators, establishing a strong base for certified optimizing compilers in scenarios of weakly consistent shared-memory concurrency.
2) Ensuring liveness of shared-memory concurrent programs typically relies on fairness assumptions about the scheduler, even for simple programs under sequential consistency. However, under weak memory models, the usual thread fairness notions fall short. In this context, we introduced an additional fairness aspect called "memory fairness."
We suggested a straightforward definition for memory fairness that can be applied to any declarative memory model while ensuring the acyclicity of the program order and reads-from relation union. For well-known models like SC, x86-TSO, which have both operational and declarative presentations, we demonstrated that our declarative memory fairness condition aligns with an intuitive, model-specific operational concept of memory fairness. Additionally, it facilitates the first formal proofs of termination for mutual exclusion lock implementations under declarative weak memory models.
3) We explored the development of an "in-order" shared-memory concurrency model for languages like C and C++, which executes instructions in the order they appear in the program, aiming to enhance reasoning and verification compared to more complex out-of-order execution models. Our approach fully supports non-atomic (non-synchronization) accesses without compromising the validity of compiler optimizations, including irrelevant load introduction. The key lies in distinguishing between the source model (with, so called, catch-fire semantics) and an intermediate representation (IR) model (with undefined values for racy reads). We formally established the soundness of mapping from the source to IR, allowing for robust support of non-atomic accesses. This work is the first to formally relate an in-order source model and an out-of-order IR model, with the ultimate goal of achieving in-order source semantics without incurring any performance overhead for non-atomics.
We will continue to investigate ways to allow verification of programs, and of compiler transformations, under weak memory concurrency. We will include more realistic and needed features in our models. We hope to also study connections to consistency in distributed systems, and try to understand better the inherent limitations of weakly consistent memories.