Decidable Verification Under a Causally Consistent Shared Memory

Ori Lahav, Tel Aviv University, Israel
Udi Boker, Interdisciplinary Center (IDC) Herzliya, Israel

Abstract

Causal consistency is one of the most fundamental and widely used consistency models weaker than sequential consistency. In this paper, we study the verification of safety properties for finite-state concurrent programs running under a causally consistent shared memory model. We establish the decidability of this problem for a standard model of causal consistency (also called "Causal Convergence" and "Strong-Release-Acquire"). Our proof proceeds by developing an alternative operational semantics, based on the notion of a thread potential, that is equivalent to the existing declarative semantics and constitutes a well-structured transition system. In particular, our result allows for the verification of a large family of programs in the Release/Acquire fragment of C/C++11 (RA). Indeed, while verification under RA was recently shown to be undecidable for general programs, since RA coincides with the model we study here for write/write-race-free programs, the decidability of verification under RA for this widely used class of programs follows from our result. The novel operational semantics may also be of independent use in the investigation of weakly consistent shared memory models and their verification.

CCS Concepts: • Software and its engineering → Software verification; Concurrent programming languages; • Theory of computation → Concurrency; Logic and verification; Program verification; • Information systems → Distributed database transactions.

Keywords: weak memory models, causal consistency, release/acquire, shared-memory, concurrency, verification, decidability, well-structured transition systems

ACM Reference Format: Ori Lahav and Udi Boker. 2020. Decidable Verification under a Causally Consistent Shared Memory. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI '20), June 15–20, 2020, London, UK. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3385412.3385966

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
PLDI '20, June 15–20, 2020, London, UK
© 2020 Association for Computing Machinery.
ACM ISBN 978-1-4503-7613-6/20/06.
https://doi.org/10.1145/3385412.3385966

1 Introduction

Suppose that one wants to verify that a given sequential program satisfies a certain safety specification (e.g., that it never crashes). If the data domain is bounded, we can represent the program as a finite-state transition system, and this verification problem is trivially decidable. Moving to concurrent programs, assuming (non-realistic) sequentially consistent shared memory semantics, does not change much—the memory constitutes another finite-state system, and its synchronization with the interleaving of the systems representing the different threads is easily expressible as a finite-state system as well. On the other hand, if the memory does not ensure sequential consistency, but rather provides weaker consistency guarantees, the decidability of the safety verification problem is completely unclear.

In this paper, we are interested in the safety verification problem under causally consistent shared memory. Causal consistency is one of the most fundamental consistency models weaker than sequential consistency. It is especially common and well studied in distributed databases (see, e.g., [37] and the mongoDB documentation [40]). Roughly speaking, by allowing nodes to disagree on the relative order of some memory operations, and requiring global consensus only on the order of "causally related" operations, causal consistency allows scalable, partition-tolerant and available implementations.

Nowadays, causal consistency models have become central also in multithreaded programming. In particular, the Release/Acquire model (RA) is a form of causal consistency that specifies the semantics of C/C++11 for synchronization accesses annotated with memory_order_release and memory_order_acquire [14, 23, 24]. A stronger form of causal consistency, called SRA (for Strong Release/Acquire), which is equivalent to the standard causal consistency model in distributed databases [18],¹ characterizes the guarantees provided by "multi-copy atomic" multiprocessor architectures, such as POWER. Specifically, as shown in [30], SRA precisely captures the guarantees provided by the POWER architecture for programs compiled from the C/C++'s release/acquire fragment.

Despite its centrality, until recently not much was known about the safety verification problem under causal consistency. The challenge arises first since the standard semantics of causal consistency models is declarative (identifying program behaviors with partially ordered execution histories that obey certain formal consistency constraints), while verification is typically applied on operational models. Moreover, operational versions of causal consistency are inherently infinite-state, as threads may generally read from an unbounded past. In fact, the reduction of Atig et al. [11] from reachability in lossy FIFO channel machines to safety verification under x86-TSO semantics can be straightforwardly adapted to causally consistent models (specifically, RA and SRA). This implies a non-primitive recursive lower bound on the safety verification problem under causal consistency. Very recently, Abdulla et al. [3] proved that the safety verification problem is undecidable under one instance of causal consistency, namely the RA model.

Our main contribution in this paper is to establish the decidability of safety verification under the SRA model. If one is specifically interested in verification under RA, our result provides a (rather tight) under-approximation (a bug under SRA implies a bug under RA), and, since RA and SRA coincide on write/write-race-free programs, we obtain the decidability of safety verification under RA for this large and widely used class of programs.

To obtain decidability, we use the framework of well-structured transition systems [2, 7, 22]. Intuitively speaking, this framework allows one to establish decidability of infinite-state "lossy" systems, where (i) states may non-deterministically forget some information they include; and (ii) the relation determining whether one state is obtained from another by losing information constitutes a well-quasi-ordering. This approach, however, cannot be applied for (an operationalized version of) SRA directly, whose natural states are execution histories. First, forgetting information from the history

this semantics is to maintain the potential of future reads of each thread in the machine state. This semantics can be straightforwardly made "lossy", as losing some parts of the possible potential never allows for additional behaviors. In addition, potentials can be represented using total orders, whose embedding relation (based on the ordinary subsequence relation) is a well-quasi-ordering. In this semantics, read transitions are very simple: they only consume a prefix of the potential. The complexity is left for write transitions, which need to properly increase the potentials of the different threads in a way that ensures causal consistency. Our fundamental observation is that the way the potential of a certain thread increases when another thread writes to memory can be defined solely in terms of the existing potentials of the two threads. This intuition is made precise in our formalized (and mechanized in Coq) correspondence proofs, which establish simulations (forward for one direction and backward for the converse) between the novel lossy semantics and the straightforward "operationalization" of SRA's declarative semantics.

Related Work. Causally consistent shared memory models, their verification problems and approaches to address these problems were recently outlined in [29], where the problem we resolve is left open. As mentioned above, Abdulla et al. [3] proved that safety verification under RA is undecidable. Operational "message-passing" semantics for SRA was developed in [30]. It is inadequate for our purposes as it cannot be made "lossy" without affecting its allowed outcomes.

The safety verification problem was previously investigated under TSO—the "total store ordering" model of x86 multiprocessors, which, being multi-copy-atomic, is stronger than any of the models studied here. Atig et al. [11, 12] establish the decidability of this problem (and the non-primitive recursive lower bound) by reducing it to (and from) reachability in lossy channel systems. Since causal consistency models are not multi-copy atomic and they lack any notion of a global mapping from locations to values, the idea behind their reduction cannot be applied for SRA. Notably, SRA cannot be fully explained by program transformations
