# **Deciding Reachability under Persistent x86-TSO**

(Program Verification: from Sequential Consistency to Weak Consistency)

Parosh Aziz Abdulla, Faouzi Atig, Ahmed Bouajjani, K Narayan Kumar, Prakash Saivasan

# Sequential Consistency (SC)

• (+) simple & intuitive
• (−) expensive

# Program Verification (SC)

# Program Verification (weak consistency)

Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture

Last updated: November 16, 2020








mainstream Intel architecture: persistent x86-TSO (Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 1: Basic Architecture, last updated November 16, 2020)

• **Total Store Order** (TSO): classical weak memory model
• Persistency, **NVRAM:** data persists over crashes
• **Persistent TSO**: this work; operational semantics, unbounded data structures

**Program Verification** (weak consistency): semantics, decidability, complexity, model checking, abstraction, under-approximation, ...

**Reachability for** finite-state programs is decidable

# adapting SC techniques

semantics, decidability



### **POPL'2020**

#### Persistency Semantics of the Intel-x86 Architecture

AZALEA RAAD, MPI-SWS, Germany; JOHN WICKERSON, Imperial College London, UK; GIL NEIGER, Intel Labs, US; VIKTOR VAFEIADIS, MPI-SWS, Germany

Emerging non-volatile memory (NVM) technologies promise the durability of disks with the performance of RAM. To describe the persistency guarantees of NVM, several memory persistency models have been proposed in the literature. However, the persistency semantics of the ubiquitous x86 architecture remains unexplored to date. To close this gap, we develop the Px86 ('persistent x86') model, formalising the persistency semantics of Intel-x86 for the *first time*. We formulate Px86 both operationally and declaratively, and prove that the two characterisations are *equivalent*. To demonstrate the application of Px86, we develop two *persistent libraries* over Px86: a persistent transactional library, and a persistent variant of the Michael-Scott queue. Finally, we encode our declarative Px86 model in Alloy and use it to generate persistency litmus tests automatically.

CCS Concepts: • Theory of computation → Concurrency; Semantics and reasoning.

Additional Key Words and Phrases: weak memory, memory persistency, non-volatile memory, Intel-x86

### **POPL'2021**

#### Taming x86-TSO Persistency

Artem Khyzha, Tel Aviv University; Ori Lahav, Tel Aviv University

#### PerSeVerE: Persistency Semantics for Verification under Ext4

Michalis Kokologiannakis, MPI-SWS, Germany; Ilya Kaysin, National Research University Higher School of Economics, JetBrains Research; Azalea Raad, Imperial College London; Viktor Vafeiadis, MPI-SWS

> • Equivalent to the Raad et al. semantics
> • Allows applying classical (SC) techniques
> • "Nice" data structures

this work: new semantics, adapting SC techniques; semantics, decidability, complexity



















# adapting SC techniques

semantics, decidability

(figure: process (finite-state), buffers (unbounded), memory)



































## **Persistent TSO**

Make the buffers:
1. FIFO
2. Monotone

(figure: persistent memory behind an unbounded FIFO buffer holding x=0, x=1, y=1, y=0)

writes on different variables can be re-ordered
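As an added example (not code from the talk or from any of the papers it cites), the Python explorer below computes the persistent-memory states a one-thread program can leave behind after a crash, under a deliberately simplified view of persistent TSO assumed here: writes to the same variable persist in FIFO order, while the buffers of different variables drain independently. The program, the strict-ordering reference model and the recovery invariant are constructed for this example.

```python
from itertools import product
from collections import defaultdict

# Constructed single-thread program: (variable, value) writes in program order.
# "Write the data x, then the flag y" is the pattern whose recovery code usually
# assumes that y == 1 implies x == 1.
FLAG_AFTER_DATA = [("x", 1), ("y", 1)]

def per_variable_buffers(program):
    """Queue each write in the persistence buffer of its own variable (FIFO, program order)."""
    bufs = defaultdict(list)
    for var, val in program:
        bufs[var].append(val)
    return dict(bufs)

def crash_states_ptso(program, init=0):
    """Persistent-memory contents reachable after a crash under the simplified PTSO view
    assumed here: each variable's buffer drains in FIFO order, but buffers of different
    variables drain independently, so writes to different variables may reach NVRAM
    out of program order."""
    bufs = per_variable_buffers(program)
    names = sorted(bufs)
    # per variable: how many of its queued writes had persisted when the crash hit
    prefixes = [range(len(bufs[v]) + 1) for v in names]
    states = set()
    for lens in product(*prefixes):
        mem = {v: (bufs[v][k - 1] if k else init) for v, k in zip(names, lens)}
        states.add(frozenset(mem.items()))
    return states

def crash_states_strict(program, init=0):
    """Reference model with a single global FIFO: writes persist exactly in program
    order, so only prefixes of the program are observable after a crash."""
    mem = {v: init for v, _ in program}
    states = {frozenset(mem.items())}
    for var, val in program:
        mem[var] = val
        states.add(frozenset(mem.items()))
    return states

def reachable(program, state, model=crash_states_ptso):
    """Reachability query: can persistent memory hold exactly `state` after a crash?"""
    return frozenset(state.items()) in model(program)

def invariant_violations(program, invariant, model=crash_states_ptso):
    """Crash states on which a recovery invariant (predicate over persisted memory) fails."""
    return [dict(s) for s in model(program) if not invariant(dict(s))]

if __name__ == "__main__":
    flag_without_data = {"x": 0, "y": 1}
    print(reachable(FLAG_AFTER_DATA, flag_without_data))                      # True
    print(reachable(FLAG_AFTER_DATA, flag_without_data, crash_states_strict))  # False
    print(invariant_violations(FLAG_AFTER_DATA, lambda m: m["y"] == 0 or m["x"] == 1))
```

The flag-before-data state is exactly the re-ordering the slide describes: unreachable when persistence is a single program-ordered FIFO, reachable once per-variable buffers may drain in either order.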











































"solutions require interaction across research communities"

"POPL is an excellent forum to achieve that"

## architecture + programming languages

### **POPL'2020** Persistency Semantics of the Intel-x86 Architecture

AZALEA RAAD, MPI-SWS, Germany; JOHN WICKERSON, Imperial College London, UK; GIL NEIGER, Intel Labs, US; VIKTOR VAFEIADIS, MPI-SWS, Germany: architecture + programming languages

this work: programming languages + program verification