Page 1
Verification of architectural memory models by model checking
Shaz Qadeer
Compaq Systems Research Center
Shaz.Qadeer@compaq.com
Page 2
Outline
• Introduction to shared-memory systems and models
• Model checking method for verifying models on systems
Page 3
Diagram: Multithreaded program → Compiler → Executable code → Multiprocessor
Language memory model (Java, Modula-3, C with threads)
Page 4
Multiprocessor
Diagram: processors P, P, P, ... connected by an INTERCONNECT NETWORK
Page 5
Multiprocessor
Architectural memory model (SC, Alpha, Sun)
Page 7
Diagram: Multithreaded program → Compiler → Executable code
Language memory model (Java, Modula-3, C with threads)
Architectural memory model (SC, Alpha, Sun)
Page 8
Verification Problem
Does the Multiprocessor satisfy the Architectural memory model (SC, Alpha, Sun)?
Page 9
Uniprocessor
Initially A = B = 0
P: A := 1; if (B = 0) { ... }
Diagram: processor P connected to Memory
Page 10
Shared-memory multiprocessor
Initially A = B = 0
P1: A := 1; if (B = 0) { ... }
P2: B := 1; if (A = 0) { ... }
Diagram: processors P1 and P2 sharing Memory
Page 11
Shared-memory model
Initially A = B = 0
P1: W(A, 1); R(B, ?)
P2: W(B, 1); R(A, ?)
Diagram: processors P1 and P2 sharing Memory
Page 12
Sequential consistency
Initially A = B = 0
P1: W(A, 1); R(B, 1)
P2: W(B, 1); R(A, 1)
Page 13
Sequential consistency
Initially A = B = 0
P1: W(A, 1); R(B, 0)
P2: W(B, 1); R(A, 1)
Page 14
Sequential consistency
Initially A = B = 0
P1: W(A, 1); R(B, 1)
P2: W(B, 1); R(A, 0)
Page 15
Sequential consistency
Initially A = B = 0
P1: W(A, 1); R(B, 0)
P2: W(B, 1); R(A, 0)
Page 16
Dekker’s algorithm
Initially A = B = 0
P1: A := 1; if (B = 0) { CS }
P2: B := 1; if (A = 0) { CS }
Page 17
Diagram: processors P1 and P2 with caches C1 and C2, and Memory + Directory, joined by the interconnect network
C1: state[A] = INV    C2: state[A] = EXC
Messages: WR_REQ(A) from P1 to C1; RDEX(A) from C1 to the directory; FWD_RDEX(A, P1) from the directory to C2
Page 18
C1: state[A] = INV    C2: state[A] = INV
Messages: WR_REQ(A) from P1 to C1; RDEX(A) from C1 to the directory; FWD_RDEX(A, P1) from the directory to C2; RDEX_ACK(A) from C2
Page 19
C1: state[A] = EXC    C2: state[A] = INV
Messages: WR_REQ(A) from P1 to C1; RDEX(A) from C1 to the directory; FWD_RDEX(A, P1) from the directory to C2; RDEX_ACK(A) from C2; WR_ACK(A) from C1 to P1
Page 20
• Programmers program according to a memory model
• System must satisfy memory model for software correctness
• Shared-memory systems are very complex
Page 21
Parameterized shared-memory systems
Parameters: processors n, addresses m
Memory actions: {R, W} × {1,..,n} × {1,..,m} × Val
Internal actions: I × {1,..,n} × {1,..,m}
State transition system: state variables, initial predicate, guarded command for each action
Page 22
State transition system
cache: array [1..n] of array [1..m] of {s: State, d: Val}
queue: array [1..n] of Queue[m: Msg, a: [1..m]]
…
(R,i,j,v)   []   cache[i][j].s ≠ INV   →   cache[i][j].d = v
(W,i,j,v)   []   cache[i][j].s = EXC   →   cache[i][j].d := v
(RRQ,i,j)   []   cache[i][j].s = INV   →   queue[i].enqueue(RD_REQ, j)
…
Page 23
Run: finite action sequence executable from the initial state
(EventId, Proc, Addr, Data)
(WRQ, 2, 1) (WRP, 2, 1) (W, 2, 1, 1) (R, 1, 1, 0) (R, 2, 1, 1) (WRQ, 1, 1) (WRP, 1, 1) (R, 1, 1, 1) (W, 1, 1, 2) (RRQ, 2, 1) (RRP, 2, 1) (R, 2, 1, 2)
Page 24
Verification problem
Impl: state transition system with actions
Spec:
1. Invariants, e.g., ∀ 1 ≤ i, j ≤ n. cache[i].s = EXC ∧ i ≠ j ⇒ cache[j].s = INV
2. Memory models, e.g., sequential consistency, Alpha memory model
Does Impl satisfy Spec?
Page 26
Memory model
(EventId, Proc, Addr, Data)
Processor 1: (R,1,1,0) → (R,1,1,1) → (W,1,1,2)
Processor 2: (W,2,1,1) → (R,2,1,1) → (R,2,1,2)
• n partial orders, one for each processor
• i-th partial order on memory actions at processor i
Page 27
Sequential consistency
(EventId, Proc, Addr, Data)
Processor 1: (R,1,1,0) → (R,1,1,1) → (W,1,1,2)
Processor 2: (W,2,1,1) → (R,2,1,1) → (R,2,1,2)
Page 28
Sequential consistency (EventId, Proc, Addr, Data)
Interleaving: (R,1,1,0) (W,2,1,1) (R,2,1,1) (R,1,1,1) (W,1,1,2) (R,2,1,2)
Value of address 1 at each event: 0 1 1 1 2 2
Addr 1, first two events swapped: (W,2,1,1) (R,1,1,0) (R,2,1,1) (R,1,1,1) (W,1,1,2) (R,2,1,2)   swap!
Page 29
Sequential consistency (EventId, Proc, Addr, Data)
Witness order: (R,1,1,0) (W,2,1,1) (R,2,1,1) (R,1,1,1) (W,1,1,2) (R,2,1,2)
System S satisfies Model M iff there is a witness order for every run
Page 30
Debugging vs. Verification
Related work, classified by Impl (fixed parameters vs. arbitrary parameters, the latter needed in practice) and Spec (invariants vs. memory models):
McMillan, Schwalbe 91; Clarke et al. 93; Eiriksson, McMillan 95; Ip, Dill 96
Katz, Peled 92; Alur et al. 96; Nalumasu et al. 98; Henzinger et al. 99
Loewenstein, Dill 92; Pong, Dubois 95; Park, Dill 96; Delzanno 00; Graf 94; Henzinger et al. 99
TLA; Plakal et al. 98
Page 31
Verifying Memory Models is Hard
Alur, McMillan, Peled 96: checking sequential consistency for finite parameter values is undecidable.
Page 32
Contribution
Model checking algorithm to verify a number of shared-memory models on a useful class of shared-memory systems, for a finite number of processors and addresses, by reduction to invariant verification.
Page 33
Outline
• Introduction to shared-memory systems and models
• Model checking method for verifying models on systems
Page 36
Data independence
• Memory systems do not conjure up data values
• Data values are copied but not examined by actions (except for read and write actions)
• Every run can be generated from an unambiguous run by suitably renaming data values
Unambiguous run (EventId, Proc, Addr, Data):
Processor 1: (R,1,1,0) → (R,1,1,1) → (W,1,1,2)
Processor 2: (W,2,1,1) → (R,2,1,1) → (R,2,1,2)
Suffices to analyze unambiguous runs!
Page 37
Unambiguous run (EventId, Proc, Addr, Data):
Processor 1: (R,1,1,0) → (R,1,1,1) → (W,1,1,2)
Processor 2: (W,2,1,1) → (R,2,1,1) → (R,2,1,2)
Witness write order for address 1: (W,2,1,1) → (W,1,1,2)
System S satisfies Model M iff for every run there are witness write orders for all addresses such that the generated graph is acyclic (acyclic graph → witness order)
Page 38
Recipe for verification
For every unambiguous run,
1. guess write order for each address
2. generate graph and check for cycles
Page 39
Diagram: processors P1 and P2 with caches C1 and C2, and Memory + Directory, joined by the interconnect network
C1: state[A] = EXC    C2: state[A] = INV
Messages: WR_REQ(A) from P1 to C1; RDEX(A) from C1 to the directory; FWD_RDEX(A, P1) from the directory to C2; RDEX_ACK(A) from C2; WR_ACK(A) from C1 to P1
Page 40
Simple write order
For each location, order write events according to actual occurrence order!!
Page 41
Examples
• Piranha chip multiprocessor (Compaq)
• Wildfire challenge problem (Compaq)
• DASH multiprocessor (Stanford)
Page 42
Recipe for verification
For every unambiguous run,
1. guess write order for each address
   • simple write order
2. generate graph and check for cycles
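To make the recipe concrete, here is an added Python example (not code from the talk) that builds the graph of step 2 for one unambiguous run under the simple write order and searches it for a cycle. It assumes, as the deck's unambiguous runs do, that 0 is the initial value of every address and that each write to an address carries a distinct non-zero value; the inputs are the memory events of the run on page 23 and the (0,0) outcome of Dekker's algorithm from pages 15 and 16, with A encoded as address 1 and B as address 2.

```python
from collections import defaultdict

def build_graph(run):
    """Graph of the recipe's step 2 for one unambiguous run.

    run: memory events (kind, proc, addr, data), kind "R" or "W", in occurrence
    order (internal actions such as WRQ/WRP carry no edges and are left out).
    Nodes are indices into run; edges are program order (consecutive events of
    one processor), the simple write order (occurrence order per address),
    causal (observed write -> read) and anti-causal (read -> the write after the
    observed one in the write order of its address).
    """
    succ = defaultdict(set)
    by_proc, writes = defaultdict(list), defaultdict(list)
    for idx, (kind, proc, addr, data) in enumerate(run):
        by_proc[proc].append(idx)
        if kind == "W":
            assert data != 0, "0 is reserved for the initial value"
            writes[addr].append(idx)
    for chain in list(by_proc.values()) + list(writes.values()):
        for a, b in zip(chain, chain[1:]):
            succ[a].add(b)
    for idx, (kind, proc, addr, data) in enumerate(run):
        if kind != "R":
            continue
        order = writes[addr]
        # position of the observed write in the write order; -1 = initial value
        pos = next((p for p, w in enumerate(order) if run[w][3] == data), -1)
        if pos < 0 and data != 0:
            raise ValueError("read of a value never written: run is ambiguous")
        if pos >= 0:
            succ[order[pos]].add(idx)          # causal edge
        if pos + 1 < len(order):
            succ[idx].add(order[pos + 1])      # anti-causal edge
    return succ

def find_cycle(succ, n):
    """Depth-first search; returns the node list of a cycle, or None if acyclic."""
    colour, parent = [0] * n, {}               # 0 unvisited, 1 on stack, 2 done

    def dfs(u):
        colour[u] = 1
        for v in succ[u]:
            if colour[v] == 0:
                parent[v] = u
                found = dfs(v)
                if found:
                    return found
            elif colour[v] == 1:               # back edge u -> v closes a cycle
                cycle = [u]
                while cycle[-1] != v:
                    cycle.append(parent[cycle[-1]])
                return cycle[::-1]
        colour[u] = 2
        return None

    for start in range(n):
        found = dfs(start) if colour[start] == 0 else None
        if found:
            return found
    return None

def check_sc(run):
    """(True, None) if the run has a witness order, else (False, events of a cycle)."""
    cycle = find_cycle(build_graph(run), len(run))
    return (True, None) if cycle is None else (False, [run[i] for i in cycle])

# Constructed inputs. Addresses are numbered as on the slides: A = 1, B = 2.
SLIDE_RUN = [("W", 2, 1, 1), ("R", 1, 1, 0), ("R", 2, 1, 1),
             ("R", 1, 1, 1), ("W", 1, 1, 2), ("R", 2, 1, 2)]
DEKKER_00 = [("W", 1, 1, 1), ("W", 2, 2, 1), ("R", 1, 2, 0), ("R", 2, 1, 0)]
```

check_sc(SLIDE_RUN) returns (True, None), and the graph's topological order is exactly the witness order shown on page 29; check_sc(DEKKER_00) returns (False, ...) with a cycle through all four events, which involves two processors and two addresses and is therefore a 2-nice cycle in the deck's terminology.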
Page 44
Nice cycles
(EventId, Proc, Addr, Data)
Processor i: ... (*,i,z,*) ... (*,i,x,*) ...
Processor j: ... (*,j,x,*) ... (*,j,y,*) ...
Processor k: ... (*,k,y,*) ... (*,k,z,*) ...
3-nice cycle:
• 3 processors i, j, k
• 3 addresses x, y, z
k-nice cycle involves k processors and k addresses
Page 45
Nice cycles
S: memory system with n processors, m addresses
Lemma: S has a cycle iff S has a k-nice cycle for some k with 1 ≤ k ≤ min(n,m)
Page 46
Recipe for verification
For every unambiguous run,
1. guess write orders for each address
   • simple write order
2. generate graph and check for cycles
   • reduce to nice cycles
   • detecting nice cycles by model checking
Page 47
Detecting nice cycles
S: memory system with n processors, m addresses
Lemma: S has a cycle iff S has a k-nice cycle for some k with 1 ≤ k ≤ min(n,m)
min(n,m) model checking lemmas: the k-th lemma checks for k-nice cycles
Page 48
Detecting nice cycles: 1-nice cycle
Model checker checks the composition of the Memory system with Sup1 and Mon1
Property = ∀ i. Mon_i@err
• Sup_j supplies write values for address j.
• Mon_i monitors memory events at processor i.
Page 49
Detecting nice cycles: 2-nice cycle
Model checker checks the composition of the Memory system with Sup1, Sup2 and Mon1, Mon2
Property = ∀ i. Mon_i@err
• Sup_j supplies write values for address j.
• Mon_i monitors memory events at processor i.
Page 50
Detecting nice cycles: 3-nice cycle
Model checker checks the composition of the Memory system with Sup1, Sup2, Sup3 and Mon1, Mon2, Mon3
Property = ∀ i. Mon_i@err
• Sup_j supplies write values for address j.
• Mon_i monitors memory events at processor i.
Page 51
Nice cycles
(EventId, Proc, Addr, Data)
Processor i: ... (*,i,z,*) ... (*,i,x,*) ...
Processor j: ... (*,j,x,*) ... (*,j,y,*) ...
Processor k: ... (*,k,y,*) ... (*,k,z,*) ...
3-nice cycle:
• 3 processors i, j, k
• 3 addresses x, y, z
Page 52
Unambiguous run (EventId, Proc, Addr, Data):
Processor 1: (R,1,1,0) → (R,1,1,1) → (W,1,1,2)
Processor 2: (W,2,1,1) → (R,2,1,1) → (R,2,1,2)
Witness write order for address 1: (W,2,1,1) → (W,1,1,2)
Graph edges: causal edges (from a write to the reads that observe it) and anti-causal edges (from a read to the write that follows the observed write in the write order)
Page 53
Supplier automata
Sup_x (supplier for address x): supplies 0 up to some nondeterministically chosen write and then supplies 1 forever.
Diagram: automaton with transitions labelled 0, 1, 1
Page 54
Nice cycles
(EventId, Proc, Addr, Data)
Processor i: ... (*,i,z,1) ... (*,i,x,0) ...
Processor j: ... (*,j,x,1) ... (*,j,y,0) ...
Processor k: ... (*,k,y,1) ... (*,k,z,0) ...
3-nice cycle:
• 3 processors i, j, k
• 3 addresses x, y, z
Page 55
Monitor automata
Mon_j: (*,j,x,1) → (*,j,y,0) → err
Page 56
Analysis for sequential consistency
Number of processors = n
Number of addresses = m
Number of model checking runs = min(n,m)
k-th model checking run (1 ≤ k ≤ min(n,m)):
Number of Sup automata = k
Number of Mon automata = k
For all j, number of states in Sup_j = 3
For all i, number of states in Mon_i = 3
States in model checked system = |S| · 3^k · 3^k
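The following added Python example (not code from the talk) simulates the supplier and monitor construction of pages 48 to 56 on a recorded unambiguous run instead of inside a model checker: each supplier relabels the writes to its address with 0 before a chosen switch point and 1 from then on, a read takes the label of the write it observed, and one three-state monitor per processor waits for a 1-labelled event on one address followed by a 0-labelled event on the next address of the candidate cycle. It assumes 0 is the initial value and that writes to an address carry distinct non-zero values; the runs are the memory events of page 23, the (0,0) outcome of Dekker's algorithm (A = address 1, B = address 2) and a constructed single-processor run that reads a stale value.

```python
from collections import defaultdict
from itertools import permutations, product

def relabel(run, switch):
    """Replace the data of an unambiguous run by the 0/1 values the suppliers
    would have produced.  switch[addr] is the number of leading writes to addr
    (occurrence order = simple write order) that Sup_addr labels 0; from that
    write on it supplies 1 forever.  Addresses without a supplier stay 0.
    A read gets the label of the write it observed (0 for the initial value)."""
    nwritten, label, out = defaultdict(int), {}, []
    for kind, proc, addr, data in run:
        if kind == "W":
            cut = switch.get(addr)
            bit = 1 if cut is not None and nwritten[addr] >= cut else 0
            nwritten[addr] += 1
            label[(addr, data)] = bit
        else:
            bit = 0 if data == 0 else label[(addr, data)]  # KeyError: ambiguous run
        out.append((kind, proc, addr, bit))
    return out

def all_monitors_err(labelled, watch):
    """Run one 3-state monitor per processor over the relabelled run.
    watch[proc] = (x, y): Mon_proc moves to state 1 on an event (*, proc, x, 1)
    and to err on a later event (*, proc, y, 0).  Returns True iff every
    monitor ends in err, the state the model checker searches for
    (Property = forall i. Mon_i@err)."""
    state = {p: 0 for p in watch}
    for _, proc, addr, bit in labelled:
        if proc not in watch:
            continue
        x, y = watch[proc]
        if state[proc] == 0 and addr == x and bit == 1:
            state[proc] = 1
        elif state[proc] == 1 and addr == y and bit == 0:
            state[proc] = "err"
    return all(s == "err" for s in state.values())

def find_nice_cycle(run, k):
    """Play out the model checker's nondeterminism exhaustively on one run:
    pick k processors p_1..p_k and k addresses a_1..a_k, let Mon_{p_t} watch
    (a_{t-1}, 1) followed by (a_t, 0) as on the 3-nice-cycle slide, and try
    every switch point of the k suppliers.  Returns (watch, switch) for the
    first k-nice cycle found, or None."""
    procs = sorted({e[1] for e in run})
    addrs = sorted({e[2] for e in run})
    nwrites = {a: sum(1 for e in run if e[0] == "W" and e[2] == a) for a in addrs}
    for ps in permutations(procs, k):
        for as_ in permutations(addrs, k):
            watch = {ps[t]: (as_[t - 1], as_[t]) for t in range(k)}
            for cuts in product(*(range(nwrites[a] + 1) for a in as_)):
                switch = dict(zip(as_, cuts))
                if all_monitors_err(relabel(run, switch), watch):
                    return watch, switch
    return None

# Constructed runs; addresses as on the slides: A = 1, B = 2.
SLIDE_RUN = [("W", 2, 1, 1), ("R", 1, 1, 0), ("R", 2, 1, 1),
             ("R", 1, 1, 1), ("W", 1, 1, 2), ("R", 2, 1, 2)]       # page 23, memory events
DEKKER_00 = [("W", 1, 1, 1), ("W", 2, 2, 1), ("R", 1, 2, 0), ("R", 2, 1, 0)]  # both read 0
STALE = [("W", 1, 1, 1), ("R", 1, 1, 1), ("R", 1, 1, 0)]  # one processor sees new value, then old
```

find_nice_cycle(DEKKER_00, 2) reports a 2-nice cycle (processor 1 watching A then B, processor 2 watching B then A, both suppliers switching at their first write), find_nice_cycle(STALE, 1) reports a 1-nice cycle, and no k-nice cycle exists for the page 23 run, matching the witness order of page 29.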
Page 57
Other memory models? Alpha memory model, partial store order, release consistency, weak ordering
Model checker checks the composition of the Memory system with Sup1, Sup2, Sup3 and Mon1, Mon2, Mon3
Property = ∀ i. Mon_i@err
Page 58
Other write orders? Can be generalized!!
Model checker checks the composition of the Memory system with Sup1, Sup2, Sup3 and Mon1, Mon2, Mon3
Property = ∀ i. Mon_i@err
Page 59
Wildfire challenge problem
• 2 processor, 2 location system
  – Supplier and monitor automata constructed
  – Seeded bug was found by invariant verification on the composed system by the model checker TLC
Page 60
Summary
Model checking algorithm to verify a number of shared-memory models on a useful class of shared-memory systems, for a finite number of processors and addresses, by reduction to invariant verification.