AVM'24, Freiburg

# Challenges (and Solutions) in Memory-Model-Aware Verification

### Levente Bajczi

September 6, 2024





Program



Program

 $\mathbf{x} := 0$   $\mathbf{x} := 1$   $\mathbf{x} := 2$   $a := \mathbf{x}$   $b := \mathbf{x}$   $\mathbf{x} := 2$   $co \qquad rf$   $demory update \qquad rf$   $demory update \qquad rf$   $demory update \qquad rf$ 

$$\begin{array}{c} \forall r^{\mathbf{x}} \exists w^{\mathbf{x}} : w^{\mathbf{x}} \xrightarrow{\boldsymbol{\eta}} r^{\mathbf{x}} \\ \forall w_{1}^{\mathbf{x}}, w_{2}^{\mathbf{x}} : w_{1}^{\mathbf{x}} \xrightarrow{\boldsymbol{co}} w_{2}^{\mathbf{x}} \lor w_{2}^{\mathbf{x}} \xrightarrow{\boldsymbol{co}} w_{1}^{\mathbf{x}} \end{array}$$



Program Memory model (example)  $2 \xrightarrow{\text{po}} 2$  $\mathbf{X} := 0$  $W \xrightarrow{co} W \rightarrow 2 \xrightarrow{hb} 2$  $\begin{array}{c|c} \mathbf{X} := 1 \\ \mathbf{X} := 2 \end{array} \quad \begin{array}{c|c} a := \mathbf{X} \\ b := \mathbf{X} \end{array}$ W <u>rf</u> R ро co rf Instruction Memory update Dataflow order order  $(W \rightarrow W)$   $(W \rightarrow R)$  $\forall r^{\mathbf{x}} \exists w^{\mathbf{x}} : w^{\mathbf{x}} \xrightarrow{\mathbf{ff}} r^{\mathbf{x}}$  $\forall w^{\mathbf{x}}_{\mathbf{x}}, w^{\mathbf{x}}_{\mathbf{x}} : w^{\mathbf{x}}_{\mathbf{x}} \xrightarrow{\mathbf{co}} w^{\mathbf{x}}_{\mathbf{x}} \lor w^{\mathbf{x}}_{\mathbf{x}} \xrightarrow{\mathbf{co}} w^{\mathbf{x}}_{\mathbf{x}}$ 

Challenges (and Solutions) in Memory-Model-Aware Verification



| Program                                                                                                                                                                                                                                                                                                                                                                                                     | Memory model (example)                                                                                                                                                                       |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                                                                                                                                                                                                                                                                                                                                                             | $\begin{array}{ccc} & & & po \\ ? & \longrightarrow & ? \\ W & \longrightarrow & W & \rightarrow & ? \stackrel{hb}{\longrightarrow} ? \\ W & \stackrel{rf}{\longrightarrow} & R \end{array}$ |
| $\begin{array}{c} \overbrace{\text{Instruction}}^{\text{PO}} & \overbrace{\text{Memory update}}^{\text{cO}} & \overbrace{\text{Dataflow}}^{\text{rf}} \\ \overrightarrow{\text{Dataflow}} \\ (W -> R) \end{array}$ $\forall r^{x} \exists w^{x} : w^{x} \xrightarrow{f} r^{x} \\ \forall w_{1}^{x}, w_{2}^{x} : w_{1}^{x} \xrightarrow{co} w_{2}^{x} \lor w_{2}^{x} \xrightarrow{co} w_{1}^{x} \end{array}$ | $W \xrightarrow{rf} R \qquad W \qquad hb \overset{R}{\underset{W}{\overset{R}{\longrightarrow}}} \to W \qquad W \qquad hb \overset{R}{\underset{W}{\overset{R}{\longrightarrow}}} $          |





Challenges (and Solutions) in Memory-Model-Aware Verification







$$\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} &:= 0 \\ \mathbf{x} &:= 1 \\ \mathbf{y} &:= 1 \end{aligned} \begin{vmatrix} i &:= \mathbf{y} \\ j &:= \mathbf{x} \\ \neg (i = 1 \land j = 0) \end{aligned}$$

Program with property



$$\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} &:= 0 \\ \mathbf{x} &:= 1 & | \quad i &:= \mathbf{y} \\ \mathbf{y} &:= 1 & | \quad j &:= \mathbf{x} \\ \neg(i = 1 \land j = 0) \end{aligned}$$

$$\begin{array}{c} \begin{array}{c} \begin{array}{c} \rho o \\ \hline \mathbf{x} := 0 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 0 \\ \end{array} \\ \begin{array}{c} \begin{array}{c} \mathbf{y} := 0 \\ \hline \mathbf{x} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \begin{array}{c} \mathbf{y} := \mathbf{y} \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := \mathbf{x} \end{array} \end{array}$$

Program with property

CEx. candidate(s) (obeying axioms)



$$\mathbf{x} := 0, \mathbf{y} := 0$$
$$\mathbf{x} := 1 \qquad | \begin{array}{c} i := \mathbf{y} \\ j := 1 \end{array} \\ \neg(i = 1 \land j = 0) \end{array}$$

$$\begin{array}{c} \begin{array}{c} \begin{array}{c} \rho o \\ \hline \mathbf{x} := 0 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 0 \\ \end{array} \\ \begin{array}{c} \begin{array}{c} \mathbf{y} := 0 \\ \hline \mathbf{x} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \begin{array}{c} \mathbf{y} := \mathbf{y} \\ \end{array} \\ \begin{array}{c} \mathbf{y} := 1 \\ \end{array} \\ \begin{array}{c} \mathbf{y} := \mathbf{x} \end{array} \end{array}$$

Program with property

CEx. candidate(s) (obeying axioms)

Sequential Consistency

All instructions execute in-order Safe (inconsistent)



$$\mathbf{x} := 0, \mathbf{y} := 0$$
$$\mathbf{x} := 1 \qquad | \begin{array}{c} i := \mathbf{y} \\ j := 1 \end{array} \\ \neg(i = 1 \land j = 0) \end{array}$$

Program with property

CEx. candidate(s) (obeying axioms)

#### Sequential Consistency

All instructions execute in-order Safe (inconsistent)

### Total Store Order

Indep. W->R order is not obeyed Safe (inconsistent)



$$\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} &:= 0 \\ \mathbf{x} &:= 1 & | i &:= \mathbf{y} \\ \mathbf{y} &:= 1 & | j &:= \mathbf{x} \\ \neg(i = 1 \land j = 0) \end{aligned}$$

$$\begin{array}{c} \rho o \\ \hline \mathbf{x} := 0 \\ \mathbf{y} := 0 \\ \hline \mathbf{x} := 1 \\ \mathbf{y} := 1 \\ \mathbf{y} := \mathbf{x} \end{array}$$

Program with property

CEx. candidate(s) (obeying axioms)

#### Sequential Consistency

All instructions execute in-order Safe (inconsistent)

### Total Store Order

Indep. W->R order is not obeyed Safe (inconsistent)

### Partial Store Order

Indep. W->? order is not obeyed Unsafe (consistent)



Challenges (and Solutions) in Memory-Model-Aware Verification

#### Exhaustive Enumeration

 Generate execution candidates, and check their consistency

#### Herd7

(memory model simulator)

### Litmus tests

CAT memory model



Exhaustive Enumeration

 Generate execution candidates, and check their consistency

### Herd7

(memory model simulator)

- Litmus tests
- CAT memory model

### Stateless Model Checking

 Generate increasingly larger, always consistent executions (traces)

### GenMC, Nidhugg, ...

- (Subset of) C11
- Custom library / hardcoded



### Exhaustive Enumeration

 Generate execution candidates, and check their consistency

#### Herd7

(memory model simulator)

- Litmus tests
- CAT memory model

### Stateless Model Checking

 Generate increasingly larger, always consistent executions (traces)

### GenMC, Nidhugg, ...

- (Subset of) C11
- Custom library / hardcoded

### Bounded Model Checking

 Encode constraints of the memory model in the SMT query

### Dartagnan

- (SV-COMP flavored) C
- Subset of CAT



### Exhaustive Enumeration

 Generate execution candidates, and check their consistency

### Herd7

(memory model simulator)

- Litmus tests
- CAT memory model

### Stateless Model Checking

 Generate increasingly larger, always consistent executions (traces)

### GenMC, Nidhugg, ...

- (Subset of) C11
- Custom library / hardcoded

### Bounded Model Checking

 Encode constraints of the memory model in the SMT query

### Dartagnan

- (SV-COMP flavored) C
- Subset of CAT

- (Almost) no interoperability
- Verdicts are not verifiable (Dartagnan does produce witnesses for SC)





#### PSO

Indep. W->? order is not obeyed Unsafe (consistent)

AVM'24. Freiburg





Unsafe (consistent)



| Thread 0             | waypoint type | value | line | column | po rf co                                                                                                |
|----------------------|---------------|-------|------|--------|---------------------------------------------------------------------------------------------------------|
| Thread 1<br>Thread 2 | thread_start  | 1, 2  | 1    | 0      | $\mathbf{x} := 0 \mathbf{y} := 0$ $\mathbf{x} := 1  i := \mathbf{y}$ $\mathbf{y} := 1  j := \mathbf{x}$ |
|                      |               |       |      |        | PSO                                                                                                     |
|                      | target        | -     | 2    | end    | Indep. W->? order is not obeyed<br>Unsafe (consistent)                                                  |





- \at(e, id): Built-in ACSL construct (abused a bit)
  - [...] referring to the value of the expression *e* in the state at label *id* [ACSL 1.20]
     Our state labels are integers, and denote ordering of memory events.



| Thread 0 | waypoint type    | value                                                                                      | line   | column        | po rf co                                                         |
|----------|------------------|--------------------------------------------------------------------------------------------|--------|---------------|------------------------------------------------------------------|
|          | assume<br>assume | $\begin{array}{l} \langle at(\mathbf{x},0)=0\\ \langle at(\mathbf{y},0)=0\\ 1 \end{array}$ | 0<br>0 | middle<br>end | $\mathbf{x} := 0 \mathbf{y} := 0$                                |
| Thread 1 | thread_start     | 1, 2                                                                                       | I      | 0             | $egin{array}{ccc} \mathbf{x} := 1 & i := \mathbf{y} \end{array}$ |
| Thread 2 | assume<br>assume | $\begin{array}{l} \langle at(\mathbf{X},1)=1\\ \langle at(\mathbf{Y},1)=1 \end{array}$     | 1<br>2 | end<br>end    | $\mathbf{y} := 1$ $j := \mathbf{x}$                              |
|          |                  |                                                                                            |        |               | PSO                                                              |
|          | target           | -                                                                                          | 2      | end           | Indep. W->? order is not obeyed<br>Unsafe (consistent)           |

- \at(e, id): Built-in ACSL construct (abused a bit)
  - [...] referring to the value of the expression *e* in the state at label *id* [ACSL 1.20]
     Our state labels are integers, and denote ordering of memory events.



| Thread 0 | waypoint type | value                                   | line | column |
|----------|---------------|-----------------------------------------|------|--------|
|          | assume        | $\backslash at(\mathbf{X},0)=0$         | 0    | middle |
|          | assume        | $\setminus at(\mathbf{y}, 0) = 0$       | 0    | end    |
|          | thread_start  | 1, 2                                    | 1    | 0      |
| Thread 1 |               |                                         |      |        |
|          | assume        | $\backslash at(\mathbf{X},1)=1$         | 1    | end    |
|          | assume        | $\setminus at(\mathbf{y}, 1) = 1$       | 2    | end    |
| Thread 2 |               |                                         |      |        |
|          | assume        | $i = \backslash at(\mathbf{X}, 1)$      | 1    | end    |
|          | assume        | $j = \langle at(\mathbf{y}, 0) \rangle$ | 2    | end    |
|          | target        | -                                       | 2    | end    |
|          |               |                                         |      |        |



#### PSO

Indep. W->? order is not obeyed Unsafe (consistent)



- $\blacktriangleright$   $at(\mathbf{e}, \mathbf{id})$ : Built-in ACSL construct (abused a bit)
  - [...] referring to the value of the expression e in the state at label id [ACSL 1.20]
  - Our state labels are integers, and denote ordering of memory events.



$$\mathbf{x} := 0, \mathbf{y} := 0$$
$$\mathbf{x} := 1 \qquad | \quad i := \mathbf{y}$$
$$\mathbf{y} := 1 \qquad | \quad j := \mathbf{x}$$
$$\neg (i = 1 \land j = 0)$$



All instructions execute in-order Safe (inconsistent)

AVM'24, Freiburg



Challenges (and Solutions) in Memory-Model-Aware Verification

invariant type value line column





All instructions execute in-order Safe (inconsistent)

AVM'24. Freiburg



Challenges (and Solutions) in Memory-Model-Aware Verification

| invariant type                   | value                                                                                                                           | line                      | column               |
|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------------------|
| location<br>location<br>location | $egin{array}{l} & \langle at(\mathbf{x},0)=0 \ \langle at(\mathbf{y},0)=0 \ \langle at(\mathbf{x},1)=1 \end{array} \end{array}$ | 0<br>0<br>1 <i>(left)</i> | middle<br>end<br>end |
| location                         | $\setminus at(\mathbf{y}, 1) = 1$                                                                                               | 2 (left)                  | end                  |





All instructions execute in-order Safe (inconsistent)

AVM'24, Freiburg



| invariant type       | value                                                                    | line                 | column     |
|----------------------|--------------------------------------------------------------------------|----------------------|------------|
| location             | $\langle at(\mathbf{x}, 0) = 0 \rangle$                                  | 0                    | middle     |
| location<br>location | $egin{array}{l} & at(\mathbf{y},0)=0 \ & at(\mathbf{x},1)=1 \end{array}$ | 0<br>1 <i>(left)</i> | end<br>end |
| location             | $\backslash at(\mathbf{y},1)=1$                                          | 2 (left)             | end        |
| location             | $egin{array}{l} \exists a:a\in\{0,1\}\ i=ig at({f x},a) \end{array}$     | 1 <i>(right)</i>     | end        |

$$\mathbf{x} := 0, \mathbf{y} := 0$$
$$\mathbf{x} := 1 \qquad | \begin{array}{c} i := \mathbf{y} \\ j := 1 \end{array} \\ \neg (i = 1 \land j = 0) \end{array}$$



All instructions execute in-order Safe (inconsistent)

#### **b** state labels are **symbolic** integers, and denote ordering of memory events.



| invariant type | value                                                                                                                                                       | line             | column |  |
|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|--------|--|
| location       | $\setminus at(\mathbf{X}, 0) = 0$                                                                                                                           | 0                | middle |  |
| location       | $\langle at(\mathbf{y},0)=0$                                                                                                                                | 0                | end    |  |
| location       | $ig ig at(\mathbf{x},1)=1$                                                                                                                                  | 1 <i>(left)</i>  | end    |  |
| location       | $\backslash at(\mathbf{y},1)=1$                                                                                                                             | 2 (left)         | end    |  |
| location       | $\begin{array}{l} \exists a:a\in\{0,1\}\\ i=\backslash at(\mathbf{X},a) \end{array}$                                                                        | 1 <i>(right)</i> | end    |  |
| location       | $ \begin{aligned} \exists a,b:a,b \in \{0,1\} \\ j = \backslash at(\mathbf{y},a) \\ i = \backslash at(\mathbf{x},b) \\ b = 1 \implies a = 1 \end{aligned} $ | 2 (right)        | end    |  |
|                |                                                                                                                                                             |                  |        |  |

 $\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} := 0 \\ \mathbf{x} &:= 1 \\ \mathbf{y} &:= 1 \end{aligned} \begin{vmatrix} i := \mathbf{y} \\ j := \mathbf{x} \\ \neg (i = 1 \land j = 0) \end{aligned}$ 

SC

All instructions execute in-order Safe (inconsistent)

**b** state labels are **symbolic** integers, and denote ordering of memory events.



| invariant type | value                                                                                                                                                       | line             | column |
|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|--------|
| location       | $\setminus at(\mathbf{X}, 0) = 0$                                                                                                                           | 0                | middle |
| location       | $\langle at(\mathbf{y},0)=0$                                                                                                                                | 0                | end    |
| location       | $ig ig at(\mathbf{x},1)=1$                                                                                                                                  | 1 <i>(left)</i>  | end    |
| location       | $\backslash at(\mathbf{y},1)=1$                                                                                                                             | 2 (left)         | end    |
| location       | $\begin{array}{l} \exists a: a \in \{0,1\} \\ i = \backslash at(\mathbf{X},a) \end{array}$                                                                  | 1 <i>(right)</i> | end    |
| location       | $ \begin{aligned} \exists a,b:a,b \in \{0,1\} \\ j = \backslash at(\mathbf{y},a) \\ i = \backslash at(\mathbf{x},b) \\ b = 1 \implies a = 1 \end{aligned} $ | 2 (right)        | end    |
| location       | $\neg(i=1 \wedge j=0)$                                                                                                                                      | 2 (right)        | end    |

 $\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} := 0 \\ \mathbf{x} &:= 1 \\ \mathbf{y} &:= 1 \end{aligned} \begin{vmatrix} i := \mathbf{y} \\ j := \mathbf{x} \\ \neg (i = 1 \land j = 0) \end{aligned}$ 

#### SC

All instructions execute in-order Safe (inconsistent)

**b** state labels are **symbolic** integers, and denote ordering of memory events.



| invariant type | value                                                                                                                                                       | line             | column |
|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|--------|
| location       | $\setminus at(\mathbf{X},0) = 0$                                                                                                                            | 0                | middle |
| location       | $\langle at(\mathbf{y},0)=0$                                                                                                                                | 0                | end    |
| location       | $\setminus at(\mathbf{X},1) = 1$                                                                                                                            | 1 <i>(left)</i>  | end    |
| location       | $ar{\mathbf{y}},1)=1$                                                                                                                                       | 2 (left)         | end    |
| location       | $\begin{array}{l} \exists a:a\in\{0,1\}\\ i=\backslash at(\mathbf{X},a) \end{array}$                                                                        | 1 <i>(right)</i> | end    |
| location       | $ \begin{aligned} \exists a,b:a,b \in \{0,1\} \\ j = \backslash at(\mathbf{y},a) \\ i = \backslash at(\mathbf{x},b) \\ b = 1 \implies a = 1 \end{aligned} $ | 2 (right)        | end    |
| location       | $\neg(i=1 \wedge j=0)$                                                                                                                                      | 2 (right)        | end    |

 $\begin{aligned} \mathbf{x} &:= 0, \mathbf{y} := 0 \\ \mathbf{x} &:= 1 \\ \mathbf{y} &:= 1 \end{aligned} \begin{vmatrix} i := \mathbf{y} \\ j := \mathbf{x} \\ \neg (i = 1 \land j = 0) \end{aligned}$ 

#### SC

All instructions execute in-order Safe (inconsistent)

#### **b** state labels are **symbolic** integers, and denote ordering of memory events.

#### Where do invariants come from?









$$TARGET(vars') \leftarrow SRC(vars) \land edge(vars, vars')$$

Challenges (and Solutions) in Memory-Model-Aware Verification





$$\begin{array}{lll} \textit{TARGET}(vars') \longleftarrow \textit{SRC}(vars) \land edge(vars, vars') \\ \\ L_0(x) & \longleftarrow & \top \end{array}$$

Challenges (and Solutions) in Memory-Model-Aware Verification

















x++; assert(x == 5):

































Challenges (and Solutions) in Memory-Model-Aware Verification





| $flag_{0} := 0, flag_{1} := 0, turn := 0, cnt := 0$ |                               |                               |  |
|-----------------------------------------------------|-------------------------------|-------------------------------|--|
| $L_0$                                               | $flag_{0} := 1$               | $flag_{1} := 1$               |  |
| $L_1$                                               | $\mathbf{turn} := 1$          | turn := 0                     |  |
|                                                     | do {                          | do {                          |  |
| $L_2$                                               | $a := flag_1$                 | $a := flag_{0}$               |  |
| $L_3$                                               | b := turn                     | b := turn                     |  |
| $L_4$                                               | $while(a \land b)$            | $while(a \land \neg b)$       |  |
| $C_0$                                               | $c := \mathbf{cnt}$           | c := cnt                      |  |
| $C_1$                                               | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |  |
| $C_2$                                               | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |  |
| $L_5$                                               | $flag_0 := 0$                 | $flag_1 := 0$                 |  |

1



| $flag_0 := 0, flag_1 := 0, turn := 0, cnt := 0$ |                               |                               |
|-------------------------------------------------|-------------------------------|-------------------------------|
| $L_0$                                           | $flag_{0} := 1$               | $flag_{1} := 1$               |
| $L_1$                                           | $\mathbf{turn} := 1$          | turn := 0                     |
|                                                 | do {                          | do {                          |
| $L_2$                                           | $a := flag_1$                 | $a := flag_{0}$               |
| $L_3$                                           | b := turn                     | b := turn                     |
| $L_4$                                           | $while(a \land b)$            | $while(a \land \neg b)$       |
| $C_0$                                           | $c := \operatorname{cnt}$     | c := cnt                      |
| $C_1$                                           | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |
| $C_2$                                           | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |
| $L_5$                                           | $flag_0 := 0$                 | $flag_1 := 0$                 |

- Encode threads independently
  - Write: NOP
  - Read: havoc



| $\mathbf{flag_0}:=0, \mathbf{flag_1}:=0, \mathbf{turn}:=0, \mathbf{cnt}:=0$ |                               |                               |
|-----------------------------------------------------------------------------|-------------------------------|-------------------------------|
| $L_0$                                                                       | $flag_{0} := 1$               | $flag_1 := 1$                 |
| $L_1$                                                                       | $\mathbf{turn} := 1$          | turn := 0                     |
|                                                                             | do {                          | do {                          |
| $L_2$                                                                       | $a := flag_1$                 | $a := flag_{0}$               |
| $L_3$                                                                       | b := turn                     | b := turn                     |
| $L_4$                                                                       | $while(a \land b)$            | $while(a \land \neg b)$       |
| $C_0$                                                                       | c := cnt                      | c := cnt                      |
| $C_1$                                                                       | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |
| $C_2$                                                                       | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |
| $L_5$                                                                       | $flag_{0} := 0$               | $flag_1 := 0$                 |

|                                                                                                              | -            | -                                                      |           |
|--------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------|-----------|
| Encode thre                                                                                                  | ads i        | ndependen                                              | tly       |
| 🕨 Write: No                                                                                                  | ЭP           |                                                        |           |
| 🕨 Read: ha                                                                                                   |              |                                                        |           |
| $\begin{array}{c} L_0^{T_0}(a,b,c) \\ L_1^{T_0}(a,b,c) \\ L_2^{T_0}(a,b,c) \\ L_3^{T_0}(a',b,c) \end{array}$ | $\leftarrow$ | Τ_                                                     | //init    |
| $L_{1}^{T_{0}}(a,b,c)$                                                                                       | $\leftarrow$ | $L_0^{T_0}(a,b,c)\ L_1^{T_0}(a,b,c)\ L_2^{T_0}(a,b,c)$ | //skip    |
| $L_{2_{0}}^{T_{0}}(a,b,c)$                                                                                   | $\leftarrow$ | $L_{1_{\mathbf{r}}}^{T_{0}}(a,b,c)$                    | //skip    |
| $L_3^{T_0}(a^\prime,b,c)$                                                                                    | $\leftarrow$ | $L_2^{T_0}(a,b,c)$                                     | //havoc a |
| $T_{2}$                                                                                                      |              | Ta                                                     |           |
| $L_0^{T_0}(a,b,c)$                                                                                           | $\leftarrow$ | $L_{5}^{T_{0}}(a,b,c) \ C_{1}^{T_{0}}(a,b,c) \wedge$   | //repeat  |
| $\perp$                                                                                                      | $\leftarrow$ | $C_1^{10}(a,b,c)\wedge$                                | 1100000   |
|                                                                                                              |              | $\neg(c=0)$                                            | //error   |



| $flag_0 := 0, flag_1 := 0, turn := 0, cnt := 0$ |                               |                               |
|-------------------------------------------------|-------------------------------|-------------------------------|
| $L_0$                                           | $\mathbf{flag}_{0} := 1$      | $flag_1 := 1$                 |
| $L_1$                                           | $\mathbf{turn} := 1$          | turn := 0                     |
|                                                 | do {                          | do {                          |
| $L_2$                                           | $a := flag_1$                 | $a := flag_{0}$               |
| $L_3$                                           | b := turn                     | b := turn                     |
| $L_4$                                           | $while(a \land b)$            | $while(a \land \neg b)$       |
| $C_0$                                           | $c := \operatorname{cnt}$     | c := cnt                      |
| $C_1$                                           | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |
| $C_2$                                           | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |
| $L_5$                                           | $flag_0 := 0$                 | $flag_1 := 0$                 |

| <ul> <li>Encode threads independently</li> <li>Write: NOP</li> <li>Read: havoc</li> </ul>   |              |                                                          |           |
|---------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------|-----------|
| $L_0^{T_0}(a,b,c)\ L_1^{T_0}(a,b,c)\ L_2^{T_0}(a,b,c)\ L_2^{T_0}(a,b,c)\ L_3^{T_0}(a',b,c)$ | $\leftarrow$ | Т                                                        | //init    |
| $L_1^{T_0}(a,b,c)$                                                                          | $\leftarrow$ | $L_0^{T_0}(a,b,c) \ L_1^{T_0}(a,b,c) \ L_2^{T_0}(a,b,c)$ | //skip    |
| $L_{2_{-}}^{T_0}(a,b,c)$                                                                    | $\leftarrow$ | $L_{1}^{T_0}(a,b,c)$                                     | //skip    |
| $L_3^{T_0}(a^\prime,b,c)$                                                                   | $\leftarrow$ | $L_2^{T_0}(a,b,c)$                                       | //havoc a |
| -                                                                                           |              |                                                          |           |
| $L_0^{T_0}(a,b,c)$                                                                          | $\leftarrow$ | $L_{5}^{I_{0}}(a,b,c)$                                   | //repeat  |
| $\perp$                                                                                     | $\leftarrow$ | $L_5^{T_0}(a,b,c)\ C_1^{T_0}(a,b,c)\wedge\  abla(c=0)$   | //        |
|                                                                                             |              | $\neg(c=0)$                                              | //error   |

### SAT: There is a safety proof.

Challenges (and Solutions) in Memory-Model-Aware Verification



| $flag_0 := 0, flag_1 := 0, turn := 0, cnt := 0$ |                               |                               |
|-------------------------------------------------|-------------------------------|-------------------------------|
| $L_0$                                           | $\mathbf{flag}_{0} := 1$      | $flag_1 := 1$                 |
| $L_1$                                           | $\mathbf{turn} := 1$          | turn := 0                     |
|                                                 | do {                          | do {                          |
| $L_2$                                           | $a := flag_{1}$               | $a := flag_{0}$               |
| $L_3$                                           | b := turn                     | b := turn                     |
| $L_4$                                           | $while(a \land b)$            | $while(a \land \neg b)$       |
| $C_0$                                           | $c := \mathbf{cnt}$           | c := cnt                      |
| $C_1$                                           | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |
| $C_2$                                           | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |
| $L_5$                                           | $flag_0 := 0$                 | $flag_1 := 0$                 |

| Encode threads independently |                              |                                                                                     |  |
|------------------------------|------------------------------|-------------------------------------------------------------------------------------|--|
|                              |                              |                                                                                     |  |
|                              |                              |                                                                                     |  |
| $\leftarrow$                 | Т                            | //init                                                                              |  |
| $\leftarrow$                 | $L_0^{T_0}(a,b,c)$           | //skip                                                                              |  |
| $\leftarrow$                 | $L_1^{T_0}(a,b,c)$           | //skip                                                                              |  |
| $\leftarrow$                 | $L_2^{T_0}(a,b,c)$           | //havoc a                                                                           |  |
|                              |                              |                                                                                     |  |
| $\leftarrow$                 | $L_{5r}^{T_0}(a,b,c)$        | //repeat                                                                            |  |
| $\leftarrow$                 | $C_{1}^{T_{0}}(a,b,c)\wedge$ |                                                                                     |  |
|                              | $\neg(c=0)$                  | //error                                                                             |  |
|                              | OP<br>ivoc                   | $\begin{array}{c} \begin{array}{c} & \\ & \\ & \\ & \\ & \\ & \\ & \\ & \\ & \\ & $ |  |

### SAT: There is a safety proof.

UNSAT: *May* be a counterexample.



| $flag_{0} := 0, flag_{1} := 0, turn := 0, cnt := 0$ |                               |                               |
|-----------------------------------------------------|-------------------------------|-------------------------------|
| $L_0$                                               | $flag_{0} := 1$               | $flag_{1} := 1$               |
| $L_1$                                               | $\mathbf{turn} := 1$          | turn := 0                     |
|                                                     | do {                          | do {                          |
| $L_2$                                               | $a := flag_1$                 | $a := flag_{0}$               |
| $L_3$                                               | b := turn                     | b := turn                     |
| $L_4$                                               | $while(a \land b)$            | $while(a \land \neg b)$       |
| $C_0$                                               | $c := \operatorname{cnt}$     | c := cnt                      |
| $C_1$                                               | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |
| $C_2$                                               | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |
| $L_5$                                               | $flag_0 := 0$                 | $flag_1 := 0$                 |

No temporal ordering
 Write: entails W(var, value)
 Read: asserts W(var, value)

 $\begin{array}{cccc} W(0,0) & \longleftarrow & L_0^{T_0}(a,b,c) \\ & & //\mathsf{flag}_0 := 1 \end{array}$ 

$$\begin{array}{rcl} L_4^{T_0}(a,b',c) & \longleftarrow & L_3^{T_0}(a,b,c) \wedge W(2,b') \\ & & //b \coloneqq {\rm turn} \end{array}$$



| $Hag_{0} := 0, flag_{1} := 0, turn := 0, cnt := 0$ |                        |                               |  |
|----------------------------------------------------|------------------------|-------------------------------|--|
| $L_0$                                              | $\mathbf{flag_0} := 1$ | $flag_{1} := 1$               |  |
| $L_1$                                              | $\mathbf{turn} := 1$   | turn := 0                     |  |
|                                                    | do {                   | do {                          |  |
| $L_2$                                              | $a := flag_1$          | $a := flag_{0}$               |  |
| $L_3$                                              | b := turn              | b := turn                     |  |
| $L_4$                                              | $while(a \land b)$     | $while(a \land \neg b)$       |  |
| $C_0$                                              | c := cnt               | c := cnt                      |  |
| $C_1$                                              | $\mathbf{cnt} := c+1$  | $\operatorname{cnt} := c + 1$ |  |
| $C_2$                                              | $\mathbf{cnt} := 0$    | $\mathbf{cnt} := 0$           |  |
| $L_5$                                              | $flag_0 := 0$          | $flag_1 := 0$                 |  |

No temporal ordering
 Write: entails W(var, value)
 Read: asserts W(var, value)

 $\begin{array}{cccc} W(0,0) & \longleftarrow & L_0^{T_0}(a,b,c) \\ & & //\mathsf{flag}_0 := 1 \end{array}$ 

$$\begin{array}{rcl} L_4^{T_0}(a,b',c) & \longleftarrow & L_3^{T_0}(a,b,c) \wedge W(2,b') \\ & & //b \coloneqq {\rm turn} \end{array}$$

#### SAT: There is a safety proof.

UNSAT: *May* be a counterexample.



| $flag_0 := 0, flag_1 := 0, turn := 0, cnt := 0$ |                               |                               |  |
|-------------------------------------------------|-------------------------------|-------------------------------|--|
| $L_0$                                           | $\mathbf{flag}_{0} := 1$      | $flag_1 := 1$                 |  |
| $L_1$                                           | $\mathbf{turn} := 1$          | turn := 0                     |  |
|                                                 | do {                          | do {                          |  |
| $L_2$                                           | $a := flag_{1}$               | $a := flag_{0}$               |  |
| $L_3$                                           | b := turn                     | b := turn                     |  |
| $L_4$                                           | $while(a \land b)$            | $while(a \land \neg b)$       |  |
| $C_0$                                           | $c := \mathbf{cnt}$           | c := cnt                      |  |
| $C_1$                                           | $\operatorname{cnt} := c + 1$ | $\operatorname{cnt} := c + 1$ |  |
| $C_2$                                           | $\mathbf{cnt} := 0$           | $\mathbf{cnt} := 0$           |  |
| $L_5$                                           | $flag_0 := 0$                 | $flag_1 := 0$                 |  |

- Single temporal ordering
  - Write: entails W(var, value)
  - Read: asserts W(var, value)
  - Every predicate: ordering metadata

1



 $\blacktriangleright \ SRC(vars) \land edge(vars, vars') \implies TARGET(vars')$ 

 $\blacktriangleright SRC(vars, \mathbf{ord}) \land edge(vars, vars') \land \mathbf{consistent}(\mathbf{ord}, ...) \implies T.(vars', \mathbf{ord})$ 



- $\blacktriangleright \ \textit{SRC}(vars) \land edge(vars, vars') \implies \textit{TARGET}(vars')$
- $\blacktriangleright SRC(vars, \mathbf{ord}) \land edge(vars, vars') \land \mathbf{consistent}(\mathbf{ord}, ...) \implies T.(vars', \mathbf{ord})$ 
  - the current edge can be added without causing new inconsistencies



- $\blacktriangleright \ \textit{SRC}(vars) \land edge(vars, vars') \implies \textit{TARGET}(vars')$
- $\blacktriangleright \ \textit{SRC}(vars, \textit{ord}) \land edge(vars, vars') \land \textit{consistent}(\textit{ord}, ...) \implies \textit{T}.(vars', \textit{ord})$ 
  - the current edge can be added without causing new inconsistencies

SAT: There is a safety proof.

UNSAT: *Must* be a counterexample.



- $\blacktriangleright \ \textit{SRC}(vars) \land edge(vars, vars') \implies \textit{TARGET}(vars')$
- $\blacktriangleright \ \textit{SRC}(vars, \textit{ord}) \land edge(vars, vars') \land \textit{consistent}(\textit{ord}, ...) \implies \textit{T}.(vars', \textit{ord})$ 
  - the current edge can be added without causing new inconsistencies

SAT: There is a safety proof.

UNSAT: *Must* be a counterexample.

- Proof-of-concept implementation: 
   Thorn (Theta + HORN)
   Thorn (Theta + HORN)
- Full Peterson example: CHCs for Weak Memory Peterson.smt2 Thank you, Gidon!



- $\blacktriangleright \ \textit{SRC}(vars) \land edge(vars, vars') \implies \textit{TARGET}(vars')$
- $\blacktriangleright \ \textit{SRC}(vars, \textit{ord}) \land edge(vars, vars') \land \textit{consistent}(\textit{ord}, ...) \implies \textit{T}.(vars', \textit{ord})$ 
  - the current edge can be added without causing new inconsistencies

SAT: There is a safety proof.

UNSAT: *Must* be a counterexample.

- Proof-of-concept implementation: O Thorn (Theta + HORN)
- Full Peterson example: La CHCs for Weak Memory 
  Peterson.smt2
  Thank you, Gidon!
- Witnesses proposal: Software Verification Witnesses for Weak Memory Thank you, Marian!

