# Synthesizing Memory Models from Framework Sketches and Litmus Tests

James Bornholt, Emina Torlak, **University of Washington**

Who needs a memory model specification?

- Compiler writers: "...correctness of my compiler..."
- Verification tools: "...rules to verify against..."
- Kernel/library developers: "...possible low-level behaviors..."

All of them need **formal specifications**. MemSynth synthesizes those specifications.

Overview:

- **Framework sketches** define a class of memory models
- **MemSynth engine**: verification, equivalence, synthesis, ambiguity
- **Results**: synthesize real-world memory model specs

## Memory models and framework sketches

A litmus test:

| Thread 1 | Thread 2 |
|---|---|
| 1: X = 1 | 3: Y = 1 |
| 2: r1 = Y | 4: r2 = X |

Can $r1 = 0 \land r2 = 0$?

- **Sequential consistency**: no
- **x86**: yes!

A memory model M is a set of constraints that define the possible executions (outcomes) of a program. Memory model M allows litmus test T if there exists an execution that satisfies M's constraints:

$$\text{M allows T:} \quad \exists E.\ M(T,E)$$

Common formalizations are based on relational logic: binary relations over program instructions. Some relations come from program syntax, e.g. program order $po = \{(1,2), (3,4)\}$ for the test above; the others are part of the execution E and are implicitly existentially quantified. Example for sequential consistency: the happens-before order is acyclic.

### Framework sketches

A framework sketch defines the search space for synthesizing a memory model M by including holes in constraints: **expression holes** for a synthesizer to complete. For example, an acyclicity constraint with three holes:

`no (^(ws + fr + ?? + ?? + ??) & iden)`

Framework sketches are the **key design tool** for synthesizing memory model specifications: they define the "interesting" candidate models.

## Memory model frameworks are common

- Global time relational model [Alglave et al, CAV'10]
- Axiomatic "must-not-reorder" functions [Mador-Haim et al, DAC'11]
- Executable distributed consistency models [Yang et al, IPDPS'04]
- ...

## Ocelot

A relational logic DSL with synthesis support, built on the Rosette solver-aided language [Torlak & Bodik, PLDI'14].

**Expression holes** for a synthesizer to complete: `no (^(ws + fr + ?? + ?? + ??) & iden)`. Completions are expressions in relational logic with chosen operators, terminals, and depth. For example:

```
operators = {+, &}
terminals = {po, ws}
depth = 1

completions: po, ws, po + ws, po & ws
```

Available as a Racket package: `raco pkg install ocelot`

# Queries

- Verification
- Equivalence
- Synthesis
- Ambiguity

These are the common queries for automated memory model reasoning tools, all built on the same notion: memory model M allows test T iff $\exists E.\ M(T,E)$.

#### Synthesis

Find a memory model consistent with a set of litmus tests. Inputs: a framework sketch, allowed litmus tests $T^+$, and forbidden litmus tests $T^-$. Output: a memory model.

- Allowed litmus tests $T^+$: $\bigwedge_{T \in T^+} \exists E.\ M(T,E)$
- Forbidden litmus tests $T^-$: $\bigwedge_{T \in T^-} \forall E.\ \neg M(T,E)$

Solved incrementally, like counterexample-guided inductive synthesis (CEGIS).

#### Ambiguity

Find a distinguishing litmus test that exposes an ambiguity in a model.

**Key idea**: after synthesis, is there a *different* memory model that explains the tests?

Inputs: the allowed litmus tests, the forbidden litmus tests, the synthesized memory model M<sub>A</sub>, and the framework sketch. The AMBIG query produces a new memory model M<sub>B</sub> that must be **semantically different** from the input: M<sub>A</sub> and M<sub>B</sub> must disagree about a new test T. Similar to oracle-guided synthesis [Jha et al, ICSE'10].

# The Synthesis-Ambiguity Cycle

(Figure: the synthesis-ambiguity cycle over a set of litmus tests.)

## Results

| | PowerPC | x86 |
|---|---|---|
| Litmus tests | 768 tests [Alglave et al, CAV'10] | 10 tests |
| **Synthesis** | ✓ 12 seconds; search space 2<sup>1406</sup>; not equivalent to published model! | ✓ 2 seconds; search space 2<sup>624</sup>; not equivalent to TSO! |
| **Ambiguity** | 9 new tests (sync, lwsync, etc.) | 4 new tests (mfence, xchg) |

#### Other results

- Implemented another framework sketch [Mador-Haim et al, DAC'11]: found a typo in the paper; couldn't fix it by hand, but synthesized a repair.
- Order of magnitude faster than the Alloy general-purpose relational solver for verification and equivalence: Ocelot offers finer-grained control over relational constraints.
- Comparable performance to an existing custom memory model tool for verification (Herd [Alglave et al, CAV'10]).

Summary:

- **Framework sketches** define a class of memory models
- **MemSynth engine**: verification, equivalence, synthesis, ambiguity
- **Results**: synthesize real-world memory model specs

memsynth.uwplse.org
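As an added example (not the paper's or MemSynth's code), here is a toy version of the synthesis query in Python: the sketch `no (^(ws + fr + ??) & iden)` is completed with unions of the relations po, ppo (po without store-to-load pairs) and rf, and every completion is checked against two constructed litmus tests with x86-style allowed/forbidden expectations. The test programs, the terminal vocabulary and the one-write-per-location simplification are assumptions made here; the real engine answers the same question with a solver query rather than by enumeration.

```python
from itertools import combinations

# Constructed litmus tests (not from the paper): instructions are
# (id, thread, kind, location, value); reads carry the outcome's value.
# Assumption: at most one program write per location, so ws is empty and
# the outcome fixes rf and fr, making the "exists E" in M(T,E) trivial.
SB = [(1,1,'W','X',1), (2,1,'R','Y',0), (3,2,'W','Y',1), (4,2,'R','X',0)]
MP = [(1,1,'W','X',1), (2,1,'W','Y',1), (3,2,'R','Y',1), (4,2,'R','X',0)]
# x86-style expectations: store buffering allowed, message passing forbidden.
TESTS = [(SB, True), (MP, False)]

def relations(ins):
    """Derive po, ppo, rf, ws, fr from the test syntax and its outcome."""
    kinds = {i: k for (i, _, k, _, _) in ins}
    po = {(a[0], b[0]) for a in ins for b in ins if a[1] == b[1] and a[0] < b[0]}
    ppo = {(x, y) for (x, y) in po  # po without store->load pairs
           if not (kinds[x] == 'W' and kinds[y] == 'R')}
    writes = {loc: w for (w, _, k, loc, _) in ins if k == 'W'}
    rf, fr = set(), set()
    for (r, _, k, loc, val) in ins:
        if k == 'R' and loc in writes:
            if val == 0: fr.add((r, writes[loc]))  # read the initial value
            else: rf.add((writes[loc], r))         # read the program write
    return {'po': po, 'ppo': ppo, 'rf': rf, 'ws': set(), 'fr': fr}

def acyclic(edges):
    """The constraint no (^edges & iden): no node reaches itself."""
    succ, state = {}, {}
    for a, b in edges: succ.setdefault(a, []).append(b)
    def dfs(n):
        if n in state: return state[n] == 'done'
        state[n] = 'active'
        ok = all(dfs(m) for m in succ.get(n, []))
        state[n] = 'done'
        return ok
    return all(dfs(n) for n in list(succ))

def allows(completion, ins):
    # M allows T iff the (here unique) execution satisfies the constraint.
    rel = relations(ins)
    edges = rel['ws'] | rel['fr']
    for t in completion: edges = edges | rel[t]
    return acyclic(edges)

def synthesize(tests, terminals=('po', 'ppo', 'rf')):
    """Depth-1 completions of the hole with '+': every union of terminals."""
    space = [c for n in range(len(terminals) + 1) for c in combinations(terminals, n)]
    return [c for c in space if all(allows(c, t) == ok for t, ok in tests)]

print(synthesize(TESTS))  # -> [('ppo', 'rf')]
```

Only the completion `ppo + rf` explains both tests: plain `po` forbids store buffering, while `ppo` or `rf` alone would allow message passing.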