Nitpicking C++ concurrency

Jasmin Christian Blanchette, Tjark Weber, Mark Batty, Scott Owens, Susmit Sarkar
2011 Proceedings of the 13th international ACM SIGPLAN symposium on Principles and practices of declarative programming - PPDP '11  
Previous work formalized the C++ memory model in Isabelle/HOL in an effort to clarify the proposed standard's semantics. Here we employ the model finder Nitpick to check litmus test programs that exercise the memory model, including a simple locking algorithm. Nitpick is built on Kodkod (Alloy's backend) but understands Isabelle's richer logic; hence it can be applied directly to the C++ memory model. We only need to give it a few hints, and thanks to the underlying SAT solver it scales much better than the CPPMEM explicit-state model checker. This case study inspired optimizations in Nitpick from which other formalizations can now benefit.

• They give a rigorous (and ideally readable) description of the language that can serve as a contract between designers, implementers, and users.
• They enable machine-checked proofs of theoretical results; in particular, they are an integral part of any verified compiler.
• They can be used in conjunction with lightweight formal methods, such as model checkers and model finders, to explore the consequences of the specification.

Newer Isabelle versions include an efficient SAT-based model finder, Nitpick (Sect. 4). The reduction to SAT is delegated to Kodkod [28], which also serves as a backend to MemSAT and the Alloy Analyzer [13]. Nitpick and its predecessor Refute [32] featured in several case studies [5, 6, 14, 21, 31] but were, to our knowledge, never successfully applied to a specification as complex as the C++ memory model. Although the memory model specification was not designed with SAT solving in mind, we expected that with some adjustments it should be within Nitpick's reach. The specification is written in a fairly abstract and axiomatic style, which should favor SAT solvers. Various Kodkod optimizations help cope with large problems. Moreover, although the memory model is subtle and complicated, the specification is mostly restricted to first-order logic with sets, transitive closure, and inductive datatypes, all of which are handled efficiently in Nitpick or Kodkod. Initially, though, we had to make drastic semantics-preserving changes to the Isabelle specification so that Nitpick would scale to handle the simplest litmus tests in reasonable time (Sect. 5). These early results were obtained at the cost of several days of work by people who understood Nitpick's internals.

Based on our experience adapting the specification by hand, we proceeded to address scalability issues directly in Nitpick (Sect. 6). With the optimizations in place, a few minor adjustments to the original memory model specification sufficed to support efficient model finding (Sect. 7). We applied the optimized version of Nitpick to several litmus tests (Sect. 8), including a simple sequential locking algorithm, thereby increasing our confidence in the specification's adequacy. Litmus tests that were previously too large for CPPMEM can now be checked within minutes.
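What a litmus test is, and what the explicit-state search that the abstract compares against actually has to do, as an added C++ example that is not code from the paper, from Nitpick or from CPPMEM. It models sequential consistency (SC) only, by enumerating every interleaving of the threads' instructions; it does not implement the axiomatic C++ model that the paper checks with Nitpick. The two classic tests (store buffering and message passing) are encoded as tiny abstract programs, and all names (`sc_outcomes`, `sb_test`, `mp_test`, `ring_test`, `forbidden_under_sc`, `count_interleavings`) are my own.

```cpp
// Added example, not code from the paper: a minimal explicit-state explorer
// for litmus tests under sequential consistency (SC). Every interleaving of
// the threads' instructions is executed against one shared memory and the
// register values reachable at termination are collected.
#include <cstddef>
#include <iostream>
#include <set>
#include <utility>
#include <vector>

enum class Kind { Store, Load };
// Store: write `arg` to shared variable `var`.  Load: read `var` into register `arg`.
struct Op { Kind kind; int var; int arg; };
using Thread  = std::vector<Op>;
using Outcome = std::vector<int>;   // final register values, indexed by register number

// Depth-first enumeration of SC interleavings. `pc` holds each thread's program
// counter; memory and registers are copied per branch so siblings never interfere.
static void explore(const std::vector<Thread>& threads, std::vector<std::size_t>& pc,
                    const std::vector<int>& mem, const std::vector<int>& regs,
                    std::set<Outcome>& outcomes, unsigned long& interleavings) {
    bool finished = true;
    for (std::size_t t = 0; t < threads.size(); ++t) {
        if (pc[t] == threads[t].size()) continue;       // thread t has run to completion
        finished = false;
        const Op& op = threads[t][pc[t]];
        std::vector<int> m = mem, r = regs;
        if (op.kind == Kind::Store) m[op.var] = op.arg;  // under SC a store is visible at once
        else                        r[op.arg] = m[op.var];
        ++pc[t];
        explore(threads, pc, m, r, outcomes, interleavings);
        --pc[t];                                        // backtrack
    }
    if (finished) { outcomes.insert(regs); ++interleavings; }
}

// Every outcome reachable under SC from all-zero memory and registers. The tests
// below use one shared variable and one register per thread, so both are sized
// by the thread count.
std::set<Outcome> sc_outcomes(const std::vector<Thread>& threads,
                              unsigned long* interleavings = nullptr) {
    std::set<Outcome> outcomes;
    unsigned long n = 0;
    std::vector<std::size_t> pc(threads.size(), 0);
    explore(threads, pc, std::vector<int>(threads.size(), 0),
            std::vector<int>(threads.size(), 0), outcomes, n);
    if (interleavings) *interleavings = n;
    return outcomes;
}

// Store buffering (SB); x is variable 0, y is variable 1:
//   thread 0: x = 1; r0 = y;        thread 1: y = 1; r1 = x;
// With std::atomic and memory_order_relaxed, r0 == 0 && r1 == 0 is a permitted
// C++ outcome (x86 store buffers produce it); SC rules it out.
std::vector<Thread> sb_test() {
    return { { {Kind::Store, 0, 1}, {Kind::Load, 1, 0} },
             { {Kind::Store, 1, 1}, {Kind::Load, 0, 1} } };
}

// Message passing (MP): thread 0 publishes data x, then flag y; thread 1 reads
// the flag, then the data:
//   thread 0: x = 1; y = 1;         thread 1: r0 = y; r1 = x;
// SC forbids r0 == 1 && r1 == 0 (flag seen, data stale); relaxed atomics allow
// it, which is why this idiom needs a release store paired with an acquire load.
std::vector<Thread> mp_test() {
    return { { {Kind::Store, 0, 1}, {Kind::Store, 1, 1} },
             { {Kind::Load, 1, 0},  {Kind::Load, 0, 1} } };
}

// n-thread ring of SB-style pairs (thread t writes variable t, then reads
// variable (t + 1) % n into register t); n = 2 is exactly SB. Used only to show
// how the number of interleavings an explicit-state search visits grows.
std::vector<Thread> ring_test(std::size_t n) {
    std::vector<Thread> threads;
    for (std::size_t t = 0; t < n; ++t)
        threads.push_back(Thread{ Op{Kind::Store, (int)t, 1},
                                  Op{Kind::Load, (int)((t + 1) % n), (int)t} });
    return threads;
}

bool forbidden_under_sc(const std::vector<Thread>& test, const Outcome& o) {
    return sc_outcomes(test).count(o) == 0;
}

unsigned long count_interleavings(const std::vector<Thread>& test) {
    unsigned long n = 0;
    sc_outcomes(test, &n);
    return n;
}

int main() {
    for (const auto& named : { std::make_pair("SB", sb_test()), std::make_pair("MP", mp_test()) }) {
        std::cout << named.first << " outcomes under SC:";
        for (const Outcome& o : sc_outcomes(named.second)) {
            std::cout << " (";
            for (std::size_t i = 0; i < o.size(); ++i) std::cout << (i ? "," : "") << o[i];
            std::cout << ")";
        }
        std::cout << "\n";
    }
    for (std::size_t n = 2; n <= 5; ++n)
        std::cout << n << " threads: " << count_interleavings(ring_test(n)) << " interleavings\n";
    return 0;
}
```

Compile with `g++ -std=c++11 sc_litmus.cpp` (file name assumed). The program reports that SC reaches only (0,1), (1,0), (1,1) for SB and (0,0), (0,1), (1,1) for MP, so the "both loads see 0" and "flag set but data stale" results are SC-forbidden; under relaxed atomics C++ permits both, which is precisely the kind of question the paper's litmus tests put to the formal model. The ring counts (6, 90, 2520, 113400 complete executions for 2 to 5 threads) show why exhaustive interleaving enumeration scales poorly and why a SAT-based finder over an axiomatic model is attractive.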
doi:10.1145/2003476.2003493 dblp:conf/ppdp/BlanchetteWBOS11 fatcat:qv5ktwhmdfc4flhw7iytvisddm