Lecture 09 Synthesis of Synchronization PROGRAM ANALYSIS SYNTHESIS

Lecture 09 – Synthesis of Synchronization PROGRAM ANALYSIS & SYNTHESIS Eran Yahav 1

Previously Predicate abstraction Abstraction refinement at a high level 2

Today Synthesis of Synchronization 3

Verification Challenge ? P� S 4

With abstraction ? P� S 5

Now what? P� S ’ abstraction refinement 6

A Standard Approach: Abstraction Refinement Valid program specification abstraction Verify � Abstract counter example Abstraction Refinement Abstract counter example Change the abstraction to match the program 7

Alternatively… P� S P’ � S program modification 8

Abstraction-Guided Synthesis [VYY-POPL’ 10] program specification abstraction Program Restriction Verify Abstract counter example � Abstraction Refinement Implement P’ Abstract counter example Change the program to match the abstraction 9

Alternatively… P� S’ change specification (but to what? ) 10

Focus on Program Modification Given a program P, specification S, and an abstraction such that P � S find a modified program P’ such that P’ � S how do you find such a program? very hard in general there is some hope when considering equivalent programs or restricted programs �changing a program to add new legal behaviors is hard program restriction natural in concurrent programs �reducing permitted schedules 11

Example int x, y, sign; x = ? ; x� [- , ], sign � � if (x<0) { sign = -1; x �[- , -1], sign �[-1, -1] } else { sign = 1; x �[0, ], sign �[1, 1] } x� [- , ], sign � [-1, 1] y = x/sign; Specification S: no division by zero. Abstract domain : intervals Example from “The Trace Partitioning Abstract Domain” Rival&Mauborgne 0 [-1, 1] division by zero seems possible P� S 12

Now what? Can use a more refined abstract domain Disjunctive completion abstract value = set (disjunction) of intervals int x, y, sign; x = ? ; x� {[- , ]}, sign � � if (x<0) { sign = -1; x� {[- , -1]}, sign � {[-1, -1]} 0� [-1, -1] and 0 � [1, 1] division by zero impossible } else { sign = 1; } y = x/sign; x� {[0, ]}, sign � {[1, 1]} P� ’ S x� {[- , -1], [0, ]}, sign � {[-1, -1], [1, 1]} Specification S: no division by zero. Abstract domain ’: set of intervals 13

Are we done? Exponential cost ! Can we do better? Idea: track relationship between x and sign x<0� sign = -1 x >= 0 � sign = 1 Problem: again, expensive Which relationships should I track? Domains such as polyhedra won’t help (convex) 14

Trace partitioning abstract domain refine abstraction by adding some control history won’t get into that further reading Rival and Mauborgne. The trace partitioning abstract domain. TOPLAS’ 07. Holley and Rosen. Qualified data flow problems. POPL'80 15

We can also change the program int x, y, sign; x = ? ; if (x<0) { sign = -1; } else { sign = 1; } y = x/sign; P int x, y, sign; x = ? ; if (x<0) { sign = -1; y = x/sign; } else { sign = 1; y = x/sign; } P’ 16

Modified Program int x, y, sign; x� [- , ], sign � � x = ? ; if (x<0) { sign = -1; x �[- , -1], sign �[-1, -1] y = x/sign; } else { sign = 1; x �[0, ], sign �[1, 1] y = x/sign; } 0� [-1, -1] division by zero impossible 0� [1, 1] division by zero impossible x� [- , ], sign � [-1, 1] Specification S: no division by zero. Abstract domain : intervals 17

Another Example while(e) { s; } … P if (e) { s; while(e) { s; } } … P’ 18

Challenge: Correct and Efficient Synchronization Process 1 Process 2 Process 3 Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often gets this wrong 19

Challenge: Correct and Efficient Synchronization Process 1 Process 2 Process 3 Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often gets this wrong 20

Challenge: Correct and Efficient Synchronization Process 1 Process 2 Process 3 Shared memory concurrent program No synchronization: often incorrect (but “efficient”) Coarse-grained synchronization: easy to reason about, often inefficient Fine-grained synchronization: hard to reason about, programmer often gets this wrong 21

Challenge Process 1 Process 2 Process 3 How to synchronize processes to achieve correctness and efficiency? 22

Synchronization Primitives Atomic sections Conditional critical region (CCR) Memory barriers (fences) CAS Semaphores Monitors Locks. . 23

Example: Correct and Efficient Synchronization with Atomic Sections P 1() { P 3() { { ………………. … } atomic ……………… …… ………………… } P 2() …………………. . …… …………………… } Safety Specification: S 24

Example: Correct and Efficient Synchronization with Atomic Sections P 1() { ……………… …… ………………… } P 2() P 3() { { …………………. . …… …………………… …………. … } } Safety Specification: S Assist the programmer by automatically inferring correct and efficient synchronization 25

Challenge Find minimal synchronization that makes the program satisfy the specification Avoid all bad interleavings while permitting as many good interleavings as possible Assumption: we can prove that serial executions satisfy the specification Interested in bad behaviors due to concurrency Handle infinite-state programs 26

Abstraction-Guided Synthesis of Synchronization Synthesis of synchronization via abstract interpretation Compute over-approximation of all possible program executions Add minimal synchronization to avoid (over-approximation of) bad interleavings Interplay between abstraction and synchronization Finer abstraction may enable finer synchronization Coarse synchronization may enable coarser abstraction 27

Abstraction-Guided Synthesis program specification abstraction Program Restriction Verify Abstract counter example � Abstraction Refinement Implement P’ Abstract counter example Change the program to match the abstraction 28

AGS Algorithm – High Level Input: Program P, Specification S, Abstraction � Output: Program P’ satisfying S under � = true while(true) { Bad. Traces = { | (� P� � ) and � � �S } if (Bad. Traces is empty) return implement(P, ) select Bad. Traces if (? ) { = avoid( ) if ( false) = else abort } else { � ’ = refine(� , ) if (� ’ � ) �= � ’ else abort } } 29

Avoid and Implement Desired output – program satisfying the spec Implementability guides the choice of constraint language Examples Atomic sections [POPL’ 10] Conditional critical regions (CCRs) [TACAS’ 09] Memory fences (for weak memory models) [FMCAD’ 10 + abstractions in progress] … 30

Avoiding an interleaving with atomic sections Adding atomicity constraints Atomicity predicate [l 1, l 2] – no context switch allowed between execution of statements at l 1 and l 2 avoid( ) A disjunction of all possible atomicity predicates that would prevent Thread A A 1 A 2 Thread B B 1 B 2 = A 1 B 1 A 2 B 2 avoid( ) = [A 1, A 2] �[B 1, B 2] 31

Avoid and abstraction = avoid( ) Enforcing avoids any abstract trace ’ such that ’ � Potentially avoiding “good traces” Abstraction may affect our ability to avoid a smaller set of traces 32

Example T 1 1: x += z 2: x += z T 2 1: z++ 2: z++ T 3 1: y 1 = f(x) 2: y 2 = x 3: assert(y 1 != y 2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } 33

Example: Concrete Values y 1 6 5 4 3 2 1 x += z; z++; y 1=f(x); y 2=x; assert y 1=5, y 2=0 z++; x+=z; y 1=f(x); z++; x+=z; y 2=x; assert y 1=3, y 2=3 y 2 … 0 1 2 3 4 Concrete values T 1 1: x += z 2: x += z T 2 1: z++ 2: z++ T 3 1: y 1 = f(x) 2: y 2 = x 3: assert(y 1 != y 2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } 34

Example: Parity Abstraction y 1 6 5 4 3 2 1 0 1 2 3 4 y 2 0 1 2 3 4 Concrete values y 2 Parity abstraction (even/odd) x += z; z++; y 1=f(x); y 2=x; assert y 1=Odd, y 2=Even T 1 1: x += z 2: x += z T 2 1: z++ 2: z++ T 3 1: y 1 = f(x) 2: y 2 = x 3: assert(y 1 != y 2) f(x) { if (x == 1) return 3 else if (x == 2) return 6 else return 5 } 35

Example: Avoiding Bad Interleavings = true while(true) { Bad. Traces={ | (� P� � ) and � � � S } if (Bad. Traces is empty) return implement(P, ) select Bad. Traces if (? ) { = avoid( ) } else { �= refine(� , ) } } avoid( 1) = [z++, z++] true 36

Example: Avoiding Bad Interleavings = true while(true) { Bad. Traces={ | (� P� � ) and � � �S } if (Bad. Traces is empty) return implement(P, ) select Bad. Traces if (? ) { = avoid( ) } else { �= refine(� , ) } } avoid( 2) =[x+=z, x+=z] = [z++, z++] [x+=z, x+=z] 37

Example: Avoiding Bad Interleavings = true while(true) { Bad. Traces={ | (� P� � ) and � � �S } if (Bad. Traces is empty) return implement(P, ) select Bad. Traces if (? ) { = avoid( ) } else { �= refine(� , ) } } = [z++, z++] [x+=z, x+=z] T 1 1: x += z 2: x += z T 2 1: z++ 2: z++ T 3 1: y 1 = f(x) 2: y 2 = x 3: assert(y 1 != y 2) 38

Example: Avoiding Bad Interleavings parity T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 y 1 6 5 4 3 2 1 0 1 2 3 4 y 2 parity T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 6 5 4 3 2 1 parity T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 0 1 2 3 4 6 5 4 3 2 1 0 1 2 3 4 But we can also refine the abstraction… 39

parity T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 y 1 6 5 4 3 2 1 0 1 2 3 4 (a) interval T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 6 5 4 3 2 1 octagon T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 interval T 1 x+=z; x+=z T 2 z++; T 3 y 1=f(x) y 2=x assert y 1!= y 2 0 1 2 3 4 (g) T 1 x+=z; x+=z T 2 z++; (c) 6 5 4 3 2 1 0 1 2 3 4 octagon T 1 x+=z; x+=z T 2 z++; parity T 3 y 1=f(x) y 2=x assert y 1!= y 2 0 1 2 3 4 (e) 6 5 4 3 2 1 (b) T 3 y 1=f(x) y 2=x assert y 1!= y 2 0 1 2 3 4 (d) (f) y 2 parity 6 5 4 3 2 1 0 1 2 3 4 40

Multiple Solutions Performance: smallest atomic sections Interval abstraction for our example produces the atomicity constraint: ([x+=z, x+=z] ∨ [z++, z++]) ∧ ([y 1=f(x), y 2=x] ∨ [x+=z, x+=z] ∨ [z++, z++]) Minimal satisfying assignments � 1 = [z++, z++] � 2 = [x+=z, x+=z] 41

AGS Algorithm – More Details Forward Abstract Input: Program P, Specification S, Abstraction � Interpretation, taking Output: Program P’ satisfying S under into � account for pruning infeasible interleavings Order of selection matters = true while(true) { Bad. Traces = { | (� P� � ) and � � �S } if (Bad. Traces is empty) return implement(P, ) select Bad. Traces if (? ) { Backward exploration of Choosing between abstraction invalid Interleavings using if ( false) = refinement and program restriction to prune infeasible not always possible to refine/avoid else abort Up to this point did not commit to interleavings. - may try and backtrack a synchronization mechanism } else { = avoid( ) � ’ = refine(� , ) if (� ’ � ) �= � ’ else abort } } 42

Choosing a trace to avoid y=2 0, 0 if (y==0) 0, 1 0, 2 if (y==0) 1, 1 0, 2 y=2 2, 0 E, E if (y==0) 1, 1 E, E 2, 1 0, 2 y=2 x++ x+=1 2, 1 1, 2 if (y==0) 0, 1 E, E 2, 0 0, 0 x++ 0, 0 E, E 2, 2 1, 2 2, 1 T, E x+=1 2, 2 T, E T 1 T 2 0: if (y==0) goto L 1: x++ 2: L: 0: y=2 1: x+=1 2: assert x !=y legend pc 1, pc 2 x, y 43

Implementability Separation between schedule constraints and how they are realized Can realize in program: atomic sections, locks, … Can realize in scheduler: benevolent scheduler T 1 1: while(*) { 2: x++ 3: x++ 4: } T 2 1: assert (x != 1) No program transformations (e. g. , loop unrolling) Memoryless strategy 44

Atomic sections results If we can show disjoint access we can avoid synchronization Parity Requires abstractions rich enough to capture access pattern to shared data Intervals Program Refine Steps Avoid Steps Double buffering 1 2 Defragmentation 1 8 3 D array update 2 23 Array Removal 1 17 Array Init 1 56 45

AGS with guarded commands Implementation mechanism: conditional critical region (CCR) guard stmt Constraint language: Boolean combinations of equalities over variables (x == c) Abstraction: what variables a guard can observe 46

Avoiding a transition using a guard x=1, y=1, z=0 y=x+1 s 2 x=1, y=2, z=0 s 1 z=y+1 x=1, y=1, z=2 s 3 Add guard to z = y+1 to prevent execution from state s 1 Guard for s 1 : (x � 1� y� 1� z� 0) Can affect other transitions where z = y+1 is executed 47

Example: full observability T 1 T 2 1: x = z + 1 1: y = x + 1 T 3 1: z = y + 1 Specification: • � (y = 2 � z = 1) • No Stuck States Abstraction: { x, y, z } 48

Build Transition System PC 2 PC 1 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 X 1, e, 1 0, 1, 0 x=z+1 e, e, 1 1, 2, 0 e, 1, e 1, 0, 1 z=y+1 e, e, e 1, 2, 3 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 1, e, e 0, 1, 2 e, 1, e 2, 0, 1 x=z+1 z=y+1 e, e, e 1, 1, 2 Z 1, 1, e 0, 0, 1 z=y+1 Y legend z=y+1 y=x+1 x=z+1 PC 3 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 49

Avoid transition 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 z=y+1 y=x+1 x=z+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 z=y+1 x=z+1 e, e, 1 1, 2, 0 e, 1, e 1, 0, 1 z=y+1 e, e, e 1, 2, 3 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 1, e, e 0, 1, 2 x=z+1 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 50

Result is valid Correct and Maximally Permissive 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 x� 1 �y� 0 �z� 0 z=y+1 y=x+1 x=z+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 x� 1 �y� 0 �z� 0 z=y+1 x=z+1 e, e, 1 1, 2, 0 x� 1 �y� 0 �z� 0 z=y+1 e, e, e 1, 2, 3 e, 1, e 1, 0, 1 y=x+1 e, e, e 1, 2, 1 e, e, 1 1, 1, 0 1, e, e 0, 1, 2 x� 1 �y� 0 �z� 0 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 x=z+1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 51

Resulting program T 1 T 2 1: x = z + 1 1: y = x + 1 T 3 1: z = y + 1 Specification: Abstraction: • �� (y = 2 � z = 1) • No Stuck States { x, y, z } T 1 1: x = z + 1 T 2 1: y = x + 1 T 3 1: (x � 1 � y � 0 � z � 0) z = y + 1 52

Example: limited observability T 1 T 2 1: x = z + 1 1: y = x + 1 T 3 1: z = y + 1 Specification: • �� (y = 2 � z = 1) • No Stuck States Abstraction: { x, z } 53

Build transition system PC 2 PC 1 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 X z=y+1 y=x+1 x=z+1 1, e, 1 0, 1, 0 e, 1, e 1, 0, 1 z=y+1 e, e, e 1, 2, 3 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 x=z+1 1, e, e 0, 1, 2 e, 1, e 2, 0, 1 x=z+1 z=y+1 e, e, e 1, 1, 2 Z 1, 1, e 0, 0, 1 x=z+1 e, e, 1 1, 2, 0 Y legend z=y+1 PC 3 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 54

Avoid bad state 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 z=y+1 y=x+1 x=z+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 z=y+1 x=z+1 e, e, 1 1, 2, 0 e, 1, e 1, 0, 1 z=y+1 e, e, e 1, 2, 3 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 1, e, e 0, 1, 2 x=z+1 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 55

Select all equivalent transitions 1, 1, 1 0, 0, 0 e, 1, 1 1, 0, 0 y=x+1 z=y+1 y=x+1 x=z+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 z=y+1 x=z+1 e, e, 1 1, 2, 0 e, 1, e 1, 0, 1 z=y+1 e, e, e 1, 2, 3 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 Implementability 1, e, e 0, 1, 2 x=z+1 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 56

Result has stuck states 1, 1, 1 0, 0, 0 y=x+1 x=z+1 e, 1, 1 1, 0, 0 y=x+1 x� 1 �z� 0 z=y+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 x� 1 �z� 0 z=y+1 x=z+1 e, e, 1 1, 2, 0 x� 1 �z� 0 z=y+1 e, e, e 1, 2, 3 e, 1, e 1, 0, 1 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 side-effects 1, e, e 0, 1, 2 x=z+1 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 57

Select transition to remove 1, 1, 1 0, 0, 0 y=x+1 x=z+1 e, 1, 1 1, 0, 0 y=x+1 x� 1 �z� 0 z=y+1 1, e, 1 0, 1, 0 1, 1, e 0, 0, 1 x� 1 �z� 0 z=y+1 x=z+1 e, e, 1 1, 2, 0 x � 1 �z � 0 z=y+1 e, e, e 1, 2, 3 e, 1, e 1, 0, 1 e, e, 1 1, 1, 0 y=x+1 e, e, e 1, 2, 1 1, e, e 0, 1, 2 x=z+1 z=y+1 e, e, e 1, 1, 2 e, 1, e 2, 0, 1 e, e, e 3, 1, 2 y=x+1 1, e, e 0, 1, 1 y=x+1 e, e, e, 2, 3, 1 x=z+1 e, e, e 2, 1, 1 58

Result is valid Correct and Maximally Permissive 1, 1, 1 0, 0, 0 x� 0 �z� 0 x=z+1 y=x+1 e, e, 3 1, 2, 0 x� 1 �z� 0 z=y+1 e, e, e 1, 2, 3 1, e, 1 0, 1, 0 x� 1 �z� 0 z=y+1 e, 2, e 1, 0, 1 y=x+1 e, e, e 1, 2, 1 x � 1 �z � 0 z=y+1 y=x+1 e, 1, 1 1, 0, 0 x� 0 �z� 0 x=z+1 e, e, 3 1, 1, 0 x� 1 �z� 0 z=y+1 e, e, e 1, 1, 2 1, 1, e 0, 0, 1 x � 1 �z � 0 z=y+1 1, e, e 0, 1, 2 x � 0 �z � 0 x=z+1 e, e, e 3, 1, 2 x � 0 � z � 0 x=z+1 e, 1, e 2, 0, 1 y=x+1 e, e, e, 2, 3, 1 y=x+1 1, e, e 0, 1, 1 x� 0 �z� 0 x=z+1 e, e, e 2, 1, 1 59

Resulting program T 1 T 2 1: x = z + 1 T 3 1: y = x + 1 Abstraction: Specification: • ! (y = 2 && z = 1) • No Stuck States T 1 1: (x � 0� z� 0) x=z+1 1: z = y + 1 { x, z } T 2 1: y = x + 1 T 3 1: (x � 1� z� 0) z=y+1 60

{x} T 1 x=z+1 T 2 y=x+1 T 3 z=y+1 { x, z } T 1 x=z+1 T 2 y=x+1 T 3 z=y+1 { x, y, z } T 1 x=z+1 T 2 y=x+1 T 3 z=y+1 T 1 x=z+1 T 2 y=x+1 T 3 (x � 1) z = y + 1 T 1 x=z+1 T 2 y=x+1 T 3 (x � 1� z� 0) z = y + 1 T 1 x=z+1 T 2 y=x+1 T 3 (x � 1 � y � 0 � z � 0) z=y+1 T 1 (x � 0) x = z + 1 T 2 y=x+1 T 3 (x � 1) z = y + 1 T 1 (x � 0� z� 0) x = z + 1 T 2 y=x+1 T 3 (x � 1� z� 0) z = y + 1 61

AGS with memory fences Avoidable transition more tricky to define Operational semantics of weak memory models Special abstraction required to deal with potentially unbounded store-buffers Even for finite-state programs Informally “finer abstraction = fewer fences” 62

Synthesis Results Mostly mutual exclusion primitives Different variations of the abstraction Program FD k=0 FD k=1 PD k=0 PD k=1 PD k=2 Sense 0 � � Pet 0 � � Dek 0 � � Lam 0 T/O � � T/O Fast 0 T/O T/O Fast 1 a � � Fast 1 b � � � Fast 1 c T/O � 63

Chase-Lev Work-Stealing Queue 1 void push(int task) { 1 int steal() { 1 int take() { 2 long b = bottom; 2 long t = top; 2 long b = bottom – 1; 3 long t = top; 3 fence(“load-load”); 3 item_t * q = wsq; 4 long b = bottom; 4 bottom = b 5 if (b – t >= q->size – 1) { 5 fence(“load-load”); 5 fence(“store-load”); 6 wsq = expand(); 6 item_t * q = wsq; 6 long t = top 7 q = wsq; 7 if (t >= b) 7 if (b < t) { 8 } 8 return EMPTY; 8 bottom = t; 9 q->ap[b % q->size] = task; 9 task = q->ap[t % q->size]; 9 return EMPTY; 10 fence(“store-store”); 10 fence(“load-store”); 10 } 11 bottom = b + 1; 11 if (!CAS(&top, t, t+1)) 11 task = q->ap[b % q->size]; 12 } 12 return ABORT; 12 if (b > t) 13 return task; 13 return task 14 } 14 if (!CAS(&top, t, t+1)) 15 return EMPTY; 16 bottom = t + 1; 17 return task; 18 } 1 item_t* expand() { 2 int newsize = wsq->size * 2; 3 int* newitems = (int *) malloc(newsize*sizeof(int)); 4 item_t *newq = (item_t *)malloc(sizeof(item_t)); 5 for (long i = top; i < bottom; i++) { 6 newitems[i % newsize] = wsq->ap[i % wsq->size]; 7 } 8 newq->size = newsize; 9 newq->ap = newitems; 10 fence("store-store"); 11 wsq = newq; 12 return newq; } Specification: no lost items, no phantom items, memory safety

Results

Performance

Some AGS instances Avoid Implementation Mechanism Abstraction Space (examples) Reference Context switch Atomic sections Numerical abstractions [POPL’ 10] Transition Conditional critical Observability regions (CCRs) [TACAS’ 09] Reordering Memory fences [FMCAD’ 10] [PLDI’ 11] Partial-Coherence abstractions for Store buffers … 67

General Setting Revisited program specification Program Restriction Verify Abstract counter example Implement Spec Weakening abstraction � Abstraction Refinement P’ S’ Abstract counter example Change the specification to match the abstraction 68

Summary Modifying the program to fit an abstraction examples inspired by the trace partitioning domain (trace partitioning domain capture these effects, and more, without changing the program) An algorithm for Abstraction-Guided Synthesis Synthesize efficient and correct synchronization Handles infinite-state systems based on abstract interpretation Refine the abstraction and/or restrict program behavior Interplay between abstraction and synchronization Separate characterization of solution from choosing optimal solutions (e. g. , smallest atomic sections) 69