research-article

Armada: low-effort verification of high-performance concurrent programs

Authors:
Jacob R. Lorch

Microsoft Research, USA

Microsoft Research, USA
View Profile

,
Yixuan Chen

University of Michigan, USA / Yale University, USA

University of Michigan, USA / Yale University, USA
View Profile

,
Manos Kapritsos

University of Michigan, USA

University of Michigan, USA
View Profile

,
Bryan Parno

Carnegie Mellon University, USA

Carnegie Mellon University, USA
View Profile

,
Shaz Qadeer

Calibra, USA

Calibra, USA
View Profile

,
Upamanyu Sharma

University of Michigan, USA

University of Michigan, USA
View Profile

,
James R. Wilcox

Certora, USA

Certora, USA
View Profile

,
Xueyuan Zhao

Carnegie Mellon University, USA

Carnegie Mellon University, USA
View Profile

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and ImplementationJune 2020Pages 197–210https://doi.org/10.1145/3385412.3385971

Published:11 June 2020Publication History

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 197–210

ABSTRACT

Safely writing high-performance concurrent programs is notoriously difficult. To aid developers, we introduce Armada, a language and tool designed to formally verify such programs with relatively little effort. Via a C-like language and a small-step, state-machine-based semantics, Armada gives developers the flexibility to choose arbitrary memory layout and synchronization primitives so they are never constrained in their pursuit of performance. To reduce developer effort, Armada leverages SMT-powered automation and a library of powerful reasoning techniques, including rely-guarantee, TSO elimination, reduction, and alias analysis. All these techniques are proven sound, and Armada can be soundly extended with additional strategies over time. Using Armada, we verify four concurrent case studies and show that we can achieve performance equivalent to that of unverified code.

References

Martín Abadi and Leslie Lamport. 1991. The Existence of Refinement Mappings. Theoretical Computer Science 82, 2 (May 1991), 253–284.Google ScholarDigital Library
Sarita V. Adve and Mark D. Hill. 1990. Weak ordering—a new definition. In Proc. International Symposium on Computer Architecture (ISCA). 2– 14.Google Scholar
Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. 2006.Google Scholar
Boogie: A modular reusable verifier for PLDI ’20, June 15–20, 2020, London, UK J. R. Lorch, Y. Chen, M. Kapritsos, B. Parno, S. Qadeer, U. Sharma, J. R. Wilcox, X. Zhao object-oriented programs. Proceedings of Formal Methods for Components and Objects (FMCO) (2006).Google Scholar
Sandrine Blazy, Zaynah Dargaye, and Xavier Leroy. 2006.Google Scholar
Formal verification of a C compiler front-end. In Proc. International Symposium on Formal Methods (FM). 460–475.Google Scholar
Gérard Boudol and Gustavo Petri. 2009.Google Scholar
Relaxed memory models: An operational approach. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 392–403.Google Scholar
Tej Chajed, M. Frans Kaashoek, Butler W. Lampson, and Nickolai Zeldovich. 2018. Verifying concurrent software using movers in CSPEC. In Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI). 306–322.Google Scholar
Tej Chajed, Joseph Tassarotti, M. Frans Kaashoek, and Nickolai Zeldovich. 2019. Verifying concurrent, crash-safe systems with Perennial. In Proc. ACM Symposium on Operating Systems Principles (SOSP). 243– 258.Google ScholarDigital Library
Michael R. Clarkson and Fred B. Schneider. 2010.Google ScholarDigital Library
Hyperproperties. Journal of Computer Security 18, 6 (2010), 1157–1210.Google Scholar
Ernie Cohen and Leslie Lamport. 1998. Reduction in TLA. In Concurrency Theory (CONCUR). 317–331.Google Scholar
Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. 2014. TaDA: A logic for time and data abstraction. In Proc. European Conference on Object-Oriented Programming (ECOOP). 207–231.Google ScholarDigital Library
Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proc. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). 337–340.Google ScholarCross Ref
Thomas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Matthew J. Parkinson, and Hongseok Yang. 2013. Views: Compositional reasoning for concurrent programs. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 287–300.Google ScholarDigital Library
Mike Dodds, Xinyu Feng, Matthew J. Parkinson, and Viktor Vafeiadis. 2009. Deny-Guarantee Reasoning. In Proc. European Symposium on Programming (ESOP). 363–377.Google Scholar
Tayfun Elmas, Shaz Qadeer, and Serdar Tasiran. 2009. A calculus of atomic actions. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 2–15.Google ScholarDigital Library
Cormac Flanagan, Stephen N. Freund, and Shaz Qadeer. 2004. Exploiting purity for atomicity. In Proc. ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). 221–231.Google ScholarDigital Library
Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep specifications and certified abstraction layers. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 595–608.Google ScholarDigital Library
Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An extensible architecture for building certified concurrent OS kernels. In Proc. USENIX Conference on Operating Systems Design and Implementation (OSDI). 653–669.Google Scholar
Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified concurrent abstraction layers. In Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 646–661.Google ScholarDigital Library
Chris Hawblitzel, Erez Petrank, Shaz Qadeer, and Serdar Tasiran. 2015.Google Scholar
Automated and modular refinement reasoning for concurrent programs. In Proc. Computer Aided Verification (CAV). 449–465.Google Scholar
C. B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Transactions on Programming Languages and Systems (TOPLAS) 5, 4 (Oct. 1983), 596–619.Google ScholarDigital Library
Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris From the Ground Up: A Modular Foundation for Higher-order Concurrent Separation Logic. Journal of Functional Programming 28, e20 (2018).Google ScholarCross Ref
Jeehoon Kang, Chung-Kil Hur, Ori Lahav, Viktor Vafeiadis, and Derek Dreyer. 2017. A promising semantics for relaxed-memory concurrency. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 175–189.Google ScholarDigital Library
Jieung Kim, Vilhelm Sjöberg, Ronghui Gu, and Zhong Shao. 2017.Google Scholar
Safety and liveness of MCS lock—layer by layer. In Proc. Asian Symposium on Programming Languages and Systems (APLAS). 273–297.Google Scholar
Bernhard Kragl and Shaz Qadeer. 2018. Layered concurrent programs. In Proc. International Conference on Computer Aided Verification (CAV). 79–102.Google ScholarCross Ref
Robbert Krebbers, Ralf Jung, Ale˘ s Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017. The essence of higher-order concurrent separation logic. In Proc. European Symposium on Programming (ESOP). 696–723.Google ScholarDigital Library
Siddharth Krishna, Dennis E. Shasha, and Thomas Wies. 2018. Go With the Flow: Compositional Abstractions for Concurrent Data Structures. Proceedings of the ACM on Programming Languages 2, POPL (Jan. 2018), 37:1–37:31.Google ScholarDigital Library
K. Rustan M. Leino. 2010. Dafny: An automatic program verifier for functional correctness. In Proc. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR). 348–370.Google ScholarCross Ref
Hongjin Liang, Xinyu Feng, and Ming Fu. 2012.Google Scholar
A rely-guaranteebased simulation for verifying concurrent program transformations. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 455–468.Google Scholar
LibLFDS. 2019.Google Scholar
LFDS 7.11 queue implementation. https: //github.com/liblfds/liblfds7.1.1/tree/master/liblfds7.1.1/liblfds711/ src/lfds711_queue_bounded_singleproducer_singleconsumer.Google Scholar
Richard J. Lipton. 1975. Reduction: A Method of Proving Properties of Parallel Programs. Commun. ACM 18, 12 (Dec. 1975), 717–721.Google ScholarDigital Library
John M. Mellor-Crummey and Michael L. Scott. 1991. Algorithms for Scalable Synchronization on Shared-Memory Multiprocessors. ACM Transactions on Computer Systems 9, 1 (Feb. 1991), 21–65.Google ScholarDigital Library
Maged M. Michael and Michael L. Scott. 2006. Simple, fast, and practical non-blocking and blocking concurrent queue algorithms. In Proc. ACM Symposium on Principles of Distributed Computing (PODC). 267–275.Google Scholar
Peter W. O’Hearn. 2007. Resources, Concurrency, and Local Reasoning. Theoretical Computer Science 375, 1–3 (2007), 271–307.Google ScholarDigital Library
Scott Owens. 2010. Reasoning about the implementation of concurrency abstractions on x86-TSO. In Proc. European Conference on Object-Oriented Programming. 478–503.Google ScholarCross Ref
Scott Owens, Susmit Sarkar, and Peter Sewell. 2009.Google Scholar
A better x86 memory model: x86-TSO. In Proc. Theorem Proving in Higher Order Logics (TPHOLs). 391–407.Google Scholar
Shaz Qadeer. 2019. Private Communication.Google Scholar
John Rushby. 1992. Noninterference, Transitivity, and Channel-control Security Policies. Technical Report CSL-92-02, SRI International.Google Scholar
Norbert Schirmer and Ernie Cohen. 2010. From total store order to sequential consistency: A practical reduction theorem. In Proc. Interactive Theorem Proving (ITP). 403–418.Google Scholar
Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang. 2018. Nickel: a framework for design and verification of information flow control systems. In Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI). 287–305.Google Scholar
Bjarne Steensgaard. 1996. Points-to Analysis in Almost Linear Time. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 32–41.Google ScholarDigital Library
Jaroslav Ševčík, Viktor Vafeiadis, Francesco Zappa Nardelli, Suresh Jagannathan, and Peter Sewell. 2011. Relaxed-memory concurrency and verified compilation. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 43–54.Google Scholar
David A. Wheeler. 2004.Google Scholar

Index Terms

Armada: low-effort verification of high-performance concurrent programs
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
  2. Software notations and tools
    1. General programming languages
      1. Language types
        Concurrent programming languages

Recommendations

Armada: Automated Verification of Concurrent Code with Sound Semantic Extensibility
Safely writing high-performance concurrent programs is notoriously difficult. To aid developers, we introduce Armada, a language and tool designed to formally verify such programs with relatively little effort. Via a C-like language and a small-step, ...
Read More
Specification, Refinement and Verification of Concurrent Systems—An Integration of Object-Z and CSP

This paper presents a method of formally specifying, refining and verifying concurrent systems which uses the object-oriented state-based specification language Object-Z together with the process algebra CSP. Object-Z provides a convenient way of ...
Read More
Validating optimizations of concurrent C/C++ programs
CGO '16: Proceedings of the 2016 International Symposium on Code Generation and Optimization

We present a validator for checking the correctness of LLVM compiler optimizations on C11 programs as far as concurrency is concerned. Our validator checks that optimizations do not change memory accesses in ways disallowed by the C11 and/or LLVM ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2020
1174 pages
ISBN:9781450376136
DOI:10.1145/3385412
General Chair:
Alastair F. Donaldson
Imperial College London, UK
,
Program Chair:
Emina Torlak
University of Washington, USA
Copyright © 2020 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 11 June 2020
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
Author Tags
refinement
weak memory models
x86-TSO
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate406of2,067submissions,20%
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 16
  Total Citations
  View Citations
- 1,210
  Total Downloads
- Downloads (Last 12 months)49
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Armada: low-effort verification of high-performance concurrent programs

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation

ABSTRACT

References

Cited By

Index Terms

Recommendations

Armada: Automated Verification of Concurrent Code with Sound Semantic Extensibility

Specification, Refinement and Verification of Concurrent Systems—An Integration of Object-Z and CSP

Validating optimizations of concurrent C/C++ programs