Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

Lau, Stella; Gomes, Victor B. F.; Memarian, Kayvan; Pichon-Pharabod, Jean; Sewell, Peter

doi:10.1007/978-3-030-25540-4_22

Cited by 9 publications

(4 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We note that the difficulties that arise in the attempt to formalise the C memory model stem from the tension between well-established compiler transformations as well as the need to support a multitude of hardware-level memory models seamlessly versus the well-known intricacies of programming correct shared-variable algorithms [48]. This will be an ongoing balancing act that involves many competing factors, especially and including efficiency, and, increasingly, safety and security [50]; if we were to take a position, it would be that sections of code -hopefully, relatively small and localised -can be protected from arbitrary transformations from compiler theory and practice.…”

Section: Discussionmentioning

confidence: 99%

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Colvin¹

2022

Preprint

View full text Add to dashboard Cite

The C/C++ memory model provides an interface and execution model for programmers of concurrent (sharedvariable) code. It provides a range of mechanisms that abstract from underlying hardware memory modelsthat govern how multicore architectures handle concurrent accesses to main memory -as well as abstracting from compiler transformations. The C standard describes the memory model in terms of cross-thread relationships between events, and has been influenced by several research works that are similarly based. In this paper we provide a thread-local definition of the fundamental principles of the C memory model, which, for concise concurrent code, serves as a basis for relatively straightforward reasoning about the effects of the C ordering mechanisms. We argue that this definition is more practical from a programming perspective and is amenable to analysis by already established techniques for concurrent code. The key aspect is that the memory model definition is separate to other considerations of a rich programming language such as C, in particular, expression evaluation and optimisations, though we show how to reason about those considerations in the presence of C concurrency. A major simplification of our framework compared to the description in the C standard and related work in the literature is separating out considerations around the "lack of multicopy atomicity", a concept that is in any case irrelevant to developers of code for x86, Arm, RISC-V or SPARC architectures. We show how the framework is convenient for reasoning about well-structured code, and for formally addressing unintuitive behaviours such as "out-of-thin-air" writes.

show abstract

Section: Discussionmentioning

confidence: 99%

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Colvin¹

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Figure 2 shows the web interface we have developed for our tool, based on the web interface for the C memory model tool Cerberus-BMC by Lau et al [16]. This can either be run locally, or via a website, https://isla-axiomatic.cl.cam.ac.…”

Section: Web Interfacementioning

confidence: 99%

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Armstrong,

Campbell,

Simner

et al. 2021

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k+ lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in Sail, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications, which should be valuable also for other verification tasks. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. By using full-scale and authoritative ISA semantics, this lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch model and self-modifying code examples of Simner et al.

show abstract

“…Relation analysis improves the performance up to two orders of magnitude [4,5]. We remark that related approaches represent each candidate execution explicitly [1,6]. Thanks to the symbolic representation of executions and static analysis techniques such as relation analysis, Dartagnan is often more efficient [4,5].…”

Section: Overview and Software Architecturementioning

confidence: 99%

Dartagnan: Bounded Model Checking for Weak Memory Models (Competition Contribution)

León

Furbach

Heljanko

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Dartagnanis a bounded model checker for concurrent programs under weak memory models. What makes it different from other tools is that the memory model is not hard-coded inside Dartagnanbut taken as part of the input. For SV-COMP’20, we take as input sequential consistency (i.e. the standard interleaving memory model) extended by support for atomic blocks. Our point is to demonstrate that a universal tool can be competitive and perform well in SV-COMP. Being a bounded model checker, Dartagnan’s focus is on disproving safety properties by finding counterexample executions. For programs with bounded loops, Dartagnanperforms an iterative unwinding that results in a complete analysis. The SV-COMP’20 version of Dartagnanworks on Boogiecode. The C programs of the competition are translated internally to Boogieusing SMACK.

show abstract

Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

Cited by 9 publications

References 29 publications

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models

Dartagnan: Bounded Model Checking for Weak Memory Models (Competition Contribution)

Contact Info

Product

Resources

About