ABSTRACT
Safely writing high-performance concurrent programs is notoriously difficult. To aid developers, we introduce Armada, a language and tool designed to formally verify such programs with relatively little effort. Via a C-like language and a small-step, state-machine-based semantics, Armada gives developers the flexibility to choose arbitrary memory layout and synchronization primitives so they are never constrained in their pursuit of performance. To reduce developer effort, Armada leverages SMT-powered automation and a library of powerful reasoning techniques, including rely-guarantee, TSO elimination, reduction, and alias analysis. All these techniques are proven sound, and Armada can be soundly extended with additional strategies over time. Using Armada, we verify four concurrent case studies and show that we can achieve performance equivalent to that of unverified code.
- Martín Abadi and Leslie Lamport. 1991. The Existence of Refinement Mappings. Theoretical Computer Science 82, 2 (May 1991), 253–284.Google ScholarDigital Library
- Sarita V. Adve and Mark D. Hill. 1990. Weak ordering—a new definition. In Proc. International Symposium on Computer Architecture (ISCA). 2– 14.Google Scholar
- Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. 2006.Google Scholar
- Boogie: A modular reusable verifier for PLDI ’20, June 15–20, 2020, London, UK J. R. Lorch, Y. Chen, M. Kapritsos, B. Parno, S. Qadeer, U. Sharma, J. R. Wilcox, X. Zhao object-oriented programs. Proceedings of Formal Methods for Components and Objects (FMCO) (2006).Google Scholar
- Sandrine Blazy, Zaynah Dargaye, and Xavier Leroy. 2006.Google Scholar
- Formal verification of a C compiler front-end. In Proc. International Symposium on Formal Methods (FM). 460–475.Google Scholar
- Gérard Boudol and Gustavo Petri. 2009.Google Scholar
- Relaxed memory models: An operational approach. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 392–403.Google Scholar
- Tej Chajed, M. Frans Kaashoek, Butler W. Lampson, and Nickolai Zeldovich. 2018. Verifying concurrent software using movers in CSPEC. In Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI). 306–322.Google Scholar
- Tej Chajed, Joseph Tassarotti, M. Frans Kaashoek, and Nickolai Zeldovich. 2019. Verifying concurrent, crash-safe systems with Perennial. In Proc. ACM Symposium on Operating Systems Principles (SOSP). 243– 258.Google ScholarDigital Library
- Michael R. Clarkson and Fred B. Schneider. 2010.Google ScholarDigital Library
- Hyperproperties. Journal of Computer Security 18, 6 (2010), 1157–1210.Google Scholar
- Ernie Cohen and Leslie Lamport. 1998. Reduction in TLA. In Concurrency Theory (CONCUR). 317–331.Google Scholar
- Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. 2014. TaDA: A logic for time and data abstraction. In Proc. European Conference on Object-Oriented Programming (ECOOP). 207–231.Google ScholarDigital Library
- Leonardo de Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proc. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). 337–340.Google ScholarCross Ref
- Thomas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Matthew J. Parkinson, and Hongseok Yang. 2013. Views: Compositional reasoning for concurrent programs. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 287–300.Google ScholarDigital Library
- Mike Dodds, Xinyu Feng, Matthew J. Parkinson, and Viktor Vafeiadis. 2009. Deny-Guarantee Reasoning. In Proc. European Symposium on Programming (ESOP). 363–377.Google Scholar
- Tayfun Elmas, Shaz Qadeer, and Serdar Tasiran. 2009. A calculus of atomic actions. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 2–15.Google ScholarDigital Library
- Cormac Flanagan, Stephen N. Freund, and Shaz Qadeer. 2004. Exploiting purity for atomicity. In Proc. ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). 221–231.Google ScholarDigital Library
- Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep specifications and certified abstraction layers. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 595–608.Google ScholarDigital Library
- Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An extensible architecture for building certified concurrent OS kernels. In Proc. USENIX Conference on Operating Systems Design and Implementation (OSDI). 653–669.Google Scholar
- Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified concurrent abstraction layers. In Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). 646–661.Google ScholarDigital Library
- Chris Hawblitzel, Erez Petrank, Shaz Qadeer, and Serdar Tasiran. 2015.Google Scholar
- Automated and modular refinement reasoning for concurrent programs. In Proc. Computer Aided Verification (CAV). 449–465.Google Scholar
- C. B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Transactions on Programming Languages and Systems (TOPLAS) 5, 4 (Oct. 1983), 596–619.Google ScholarDigital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris From the Ground Up: A Modular Foundation for Higher-order Concurrent Separation Logic. Journal of Functional Programming 28, e20 (2018).Google ScholarCross Ref
- Jeehoon Kang, Chung-Kil Hur, Ori Lahav, Viktor Vafeiadis, and Derek Dreyer. 2017. A promising semantics for relaxed-memory concurrency. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 175–189.Google ScholarDigital Library
- Jieung Kim, Vilhelm Sjöberg, Ronghui Gu, and Zhong Shao. 2017.Google Scholar
- Safety and liveness of MCS lock—layer by layer. In Proc. Asian Symposium on Programming Languages and Systems (APLAS). 273–297.Google Scholar
- Bernhard Kragl and Shaz Qadeer. 2018. Layered concurrent programs. In Proc. International Conference on Computer Aided Verification (CAV). 79–102.Google ScholarCross Ref
- Robbert Krebbers, Ralf Jung, Ale˘ s Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017. The essence of higher-order concurrent separation logic. In Proc. European Symposium on Programming (ESOP). 696–723.Google ScholarDigital Library
- Siddharth Krishna, Dennis E. Shasha, and Thomas Wies. 2018. Go With the Flow: Compositional Abstractions for Concurrent Data Structures. Proceedings of the ACM on Programming Languages 2, POPL (Jan. 2018), 37:1–37:31.Google ScholarDigital Library
- K. Rustan M. Leino. 2010. Dafny: An automatic program verifier for functional correctness. In Proc. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR). 348–370.Google ScholarCross Ref
- Hongjin Liang, Xinyu Feng, and Ming Fu. 2012.Google Scholar
- A rely-guaranteebased simulation for verifying concurrent program transformations. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 455–468.Google Scholar
- LibLFDS. 2019.Google Scholar
- LFDS 7.11 queue implementation. https: //github.com/liblfds/liblfds7.1.1/tree/master/liblfds7.1.1/liblfds711/ src/lfds711_queue_bounded_singleproducer_singleconsumer.Google Scholar
- Richard J. Lipton. 1975. Reduction: A Method of Proving Properties of Parallel Programs. Commun. ACM 18, 12 (Dec. 1975), 717–721.Google ScholarDigital Library
- John M. Mellor-Crummey and Michael L. Scott. 1991. Algorithms for Scalable Synchronization on Shared-Memory Multiprocessors. ACM Transactions on Computer Systems 9, 1 (Feb. 1991), 21–65.Google ScholarDigital Library
- Maged M. Michael and Michael L. Scott. 2006. Simple, fast, and practical non-blocking and blocking concurrent queue algorithms. In Proc. ACM Symposium on Principles of Distributed Computing (PODC). 267–275.Google Scholar
- Peter W. O’Hearn. 2007. Resources, Concurrency, and Local Reasoning. Theoretical Computer Science 375, 1–3 (2007), 271–307.Google ScholarDigital Library
- Scott Owens. 2010. Reasoning about the implementation of concurrency abstractions on x86-TSO. In Proc. European Conference on Object-Oriented Programming. 478–503.Google ScholarCross Ref
- Scott Owens, Susmit Sarkar, and Peter Sewell. 2009.Google Scholar
- A better x86 memory model: x86-TSO. In Proc. Theorem Proving in Higher Order Logics (TPHOLs). 391–407.Google Scholar
- Shaz Qadeer. 2019. Private Communication.Google Scholar
- John Rushby. 1992. Noninterference, Transitivity, and Channel-control Security Policies. Technical Report CSL-92-02, SRI International.Google Scholar
- Norbert Schirmer and Ernie Cohen. 2010. From total store order to sequential consistency: A practical reduction theorem. In Proc. Interactive Theorem Proving (ITP). 403–418.Google Scholar
- Helgi Sigurbjarnarson, Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang. 2018. Nickel: a framework for design and verification of information flow control systems. In Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI). 287–305.Google Scholar
- Bjarne Steensgaard. 1996. Points-to Analysis in Almost Linear Time. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 32–41.Google ScholarDigital Library
- Jaroslav Ševčík, Viktor Vafeiadis, Francesco Zappa Nardelli, Suresh Jagannathan, and Peter Sewell. 2011. Relaxed-memory concurrency and verified compilation. In Proc. ACM Symposium on Principles of Programming Languages (POPL). 43–54.Google Scholar
- David A. Wheeler. 2004.Google Scholar
Index Terms
- Armada: low-effort verification of high-performance concurrent programs
Recommendations
Armada: Automated Verification of Concurrent Code with Sound Semantic Extensibility
Safely writing high-performance concurrent programs is notoriously difficult. To aid developers, we introduce Armada, a language and tool designed to formally verify such programs with relatively little effort. Via a C-like language and a small-step, ...
Specification, Refinement and Verification of Concurrent Systems—An Integration of Object-Z and CSP
This paper presents a method of formally specifying, refining and verifying concurrent systems which uses the object-oriented state-based specification language Object-Z together with the process algebra CSP. Object-Z provides a convenient way of ...
Validating optimizations of concurrent C/C++ programs
CGO '16: Proceedings of the 2016 International Symposium on Code Generation and OptimizationWe present a validator for checking the correctness of LLVM compiler optimizations on C11 programs as far as concurrency is concerned. Our validator checks that optimizations do not change memory accesses in ways disallowed by the C11 and/or LLVM ...
Comments