## TransForm: Formally Specifying Transistency Models and Synthesizing Enhanced Litmus Tests

Naorin Hossain Princeton University Caroline Trippel Stanford University Margaret Martonosi Princeton University

ISCA 2020

Memory Consistency Models (MCMs) are used to specify legal memory access orderings

 MCMs specify rules for legal values that can be returned when software loads from memory on a shared memory system

In **Problem:** can't reason about program executions impacted by shared virtual memory (VM) state with existing MCM constructs  $W_1 y = 1$   $R_2 y = ?$  $W_1 y = 1$   $R_3 x = ?$ Litmus test: small diagnostic

**This work: Memory Transistency Models (MTMs)** – the superset of MCMs that additionally capture VM-aware ordering specifications

## How does VM affect consistency?

Virtual-to-physical address (VA-to-PA) mappings are stored in **page table entries (PTEs)**...

Page table

...and cached in the translation lookaside buffer (TLB).

| Status bits |   |   | oits | VA-to-PA mapping        |
|-------------|---|---|------|-------------------------|
| Α           | D | R | W    | VA x $\rightarrow$ PA a |
| Α           | D | R | W    | VA y $\rightarrow$ PA b |



When a mapping is changed in the page table, corresponding TLB entries must be **invalidated**.

## How does VM affect consistency?

Virtual-to-physical address (VA-to-PA) mappings are stored in **page table entries (PTEs)**...

...and cached in the translation lookaside buffer (TLB).



When a mapping is changed in the page table, corresponding TLB entries must be **invalidated**.

## How does VM affect consistency?

Virtual-to-physical address (VA-to-PA) mappings are stored in **page table entries (PTEs)**...

...and cached in the translation lookaside buffer (TLB).



AMD Athlon<sup>™</sup> 64 and AMD Opteron<sup>™</sup> Processor bug:

INVLPG (x86 TLB entry invalidation instruction) fails to invalidate TLB entry in certain cases

# TransForm introduces constructs for ISA-level MTM specification and ELT synthesis

- Formal MTM vocabulary captures system- and hardware-level VM events and interactions with user-facing program instructions
- Enables ISA-level MTM specification
- Enables automated *enhanced litmus test (ELT)* synthesis





## Outline

- Background on ISA-level MCM vocabulary
- Introduction to ISA-level MTM vocabulary
- Automating synthesis of ELTs
- Case Study: an estimated MTM for x86
- Conclusions

# ISA-level MCM relations can describe programs and their *candidate executions*

#### **Program**

| Core 0           |
|------------------|
| W <sub>0</sub> x |
| R <sub>1</sub> x |
| W <sub>2</sub> x |

#### **Instructions**

Event =  $\{W_0, R_1, W_2\}$ MemoryEvent =  $\{W_0, R_1, W_2\}$ Location =  $\{x\}$ address  $\{W_0 \rightarrow x, R_1 \rightarrow x, W_2 \rightarrow x\}$ program order (po) po =  $\{W_0 \rightarrow R_1, R_1 \rightarrow W_2\}$ 

#### **Candidate execution**

| Core 0               |
|----------------------|
| W <sub>0</sub> x = 1 |
| R <sub>1</sub> x = 1 |
| $W_2 x = 2$          |

Communication (com) relations reads from (rf)  $\mathbf{rf} = \{W_0 \rightarrow R_1\}$ coherence order (co)  $\mathbf{co} = \{W_0 \rightarrow W_2\}$ from reads (fr)  $\mathbf{fr} = \{R_1 \rightarrow W_2\}$ 

#### <u>Graph</u>





Accessed data (outcome) symbolically represented by com relations

## MCM specifications place constraints on permitted execution behaviors

**Consistency predicates** constrain candidate execution behavior based on MCM specifications

Intel x86 processors use the total store order (TSO) memory model (x86-TSO)



## Augmenting MCMs to include MTM features

| What MCMs have                                                         | What is needed for MTM interactions                                                                                        |
|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| Support for static VA-to-PA mappings without aliasing.                 | Support for VA-to-PA mappings<br>that can be modified during a<br>program's execution.                                     |
| Support for user-level instruction interactions through shared memory. | Support for shared memory<br>interactions between user-level<br>instructions and system- and<br>hardware-level operations. |

transistency operations /

## Outline

- Background on ISA-level MCM vocabulary
- Introduction to ISA-level MTM vocabulary
- Automating synthesis of ELTs
- Case Study: a estimated MTM for x86
- Conclusions

## MTM Vocabulary: Hardware-level operations

#### TransForm supports **page table walks (PT walks)** and **dirty bit updates Ghost instructions**

**PT walk**: loads translation lookaside buffer (TLB) entry

**dirty bit update**: modifies dirty bit in page table entry (PTE)



### MTM Vocabulary: Hardware-level operations

#### TransForm supports **page table walks (PT walks)** and **dirty bit updates Ghost instructions**

**PT walk**: loads translation lookaside buffer (TLB) entry

**dirty bit update**: modifies dirty bit in page table entry (PTE)

ghost - relates user-facing MemoryEvent to
invoked ghost instructions (numerical subscripts)



## MTM Vocabulary: Hardware-level operations

#### TransForm supports **page table walks (PT walks)** and **dirty bit updates Ghost instructions**

**PT walk**: loads translation lookaside buffer (TLB) entry

**dirty bit update**: modifies dirty bit in page table entry (PTE)

ghost - relates user-facing MemoryEvent to
invoked ghost instructions (numerical subscripts)

rf\_ptw - relates PT walk to user-facing
MemoryEvents that access loaded TLB entry



TransForm supports address remappings via PTE Writes and TLB entry invalidations

#### **Support instructions**

**PTE Write**: changes address mapping stored in a PTE for some VA v

C0C1
$$ff\_ptw$$
 $W_0 x = 1$  $W_{PTE3} v = VA y \rightarrow PA a$  $W_{db0} z = VA x \rightarrow PA a$  $\downarrow po$  $W_{db0} z = VA x \rightarrow PA a$  $W_5 y = 2$  $R_{ptw0} z = VA x \rightarrow PA a$  $W_{db5} v = VA y \rightarrow PA b$  $po$  $R_2 y = 2$  $rf\_ptw\uparrow$  $R_{ptw5} v = VA y \rightarrow PA b$  $R_{ptw2} v = VA y \rightarrow PA b$  $R_6 x = 1$  $\uparrow rf\_ptw$  $PA a$ 

#### TransForm supports address remappings via PTE Writes and TLB entry invalidations

#### **Support instructions**

**PTE Write**: changes address mapping stored in a PTE for some VA v

**INVLPG**: invalidates TLB entry

remap – relates PTE Writes to invoked INVLPGs



#### TransForm supports address remappings via PTE Writes and TLB entry invalidations

#### **Support instructions**

**PTE Write**: changes address mapping stored in a PTE for some VA v

**INVLPG**: invalidates TLB entry

remap – relates PTE Writes to invoked INVLPGs

**rf\_pa** – relates PTE Write for VA v  $\rightarrow$  PA p to user-facing MemoryEvents accessing PA p via VA v **co\_pa**, **fr\_pa**, and **fr\_va** follow similarly

| С0                                                                                                             | <b>C1</b>                                |
|----------------------------------------------------------------------------------------------------------------|------------------------------------------|
| $rf_ptw \longrightarrow W_0 x = 1$                                                                             | $W_{PTE3} v = VA y \rightarrow PA a_{N}$ |
|                                                                                                                | remap // ↓po                             |
| $// W_{db0} z = VA x \rightarrow PA a$                                                                         | INVLPG <sub>4</sub> y                    |
|                                                                                                                | ↓po remap                                |
| $\bigwedge R_{ptw0} z = VA x \rightarrow PA a$                                                                 | $W_5 y = 2$                              |
| 202                                                                                                            |                                          |
| po >> INVLPG <sub>1</sub> y                                                                                    | $W_{db5} v = VA y \rightarrow PA a$      |
| $po \downarrow rf_pa$<br>$R_2 y = 2$                                                                           |                                          |
| $R_2 y = 2 \checkmark$                                                                                         | $R_{ptw5} v = VA y \rightarrow PA a$     |
| rf_ptw↑                                                                                                        | rf_ptw/                                  |
| $\mathbf{R}_{ptw2} \mathbf{v} = \mathbf{V} \mathbf{A} \mathbf{y} \rightarrow \mathbf{P} \mathbf{A} \mathbf{a}$ | $R_6 x = 1$                              |
|                                                                                                                | ↑rf_ptw po                               |
|                                                                                                                | $R_{ptw6} z = VA x \rightarrow PA a$     |

#### TransForm supports address remappings via PTE Writes and TLB entry invalidations

#### **Support instructions**

**PTE Write**: changes address mapping stored in a PTE for some VA v

**INVLPG**: invalidates TLB entry

**remap** – relates PTE Writes to invoked INVLPGs

**rf\_pa** – relates PTE Write for VA v  $\rightarrow$  PA p to user-facing MemoryEvents accessing PA p via VA v **co\_pa**, **fr\_pa**, and **fr\_va** follow similarly



## Outline

- Background on ISA-level MCM vocabulary
- Introduction to ISA-level MTM vocabulary
- Automating synthesis of ELTs
- Case Study: an estimated MTM for x86
- Conclusions

## From Specification to Test Synthesis



- ELTs include MTM vocabulary and support verification against an MTM spec
  - Goals:
    - Automated
    - Interesting and minimal ("Spanning set")
    - Deduplicated
    - Comprehensive (to a bound)

TransForm's synthesis engine starts by synthesizing all possible candidate executions up to a bound



## Candidate executions are pruned for interesting ELT behaviors and checked for minimality



# Unique ELTs are found by deduplicating synthesized ELTs with a post-processing script



## Outline

- Background on ISA-level MCM vocabulary
- Introduction to ISA-level MTM vocabulary
- Automating synthesis of ELTs
- Case Study: an estimated MTM for x86
- Conclusions

**x86t\_elt** transistency predicates are composed of TSO axioms and new transistency-specific axioms

- **x86t\_elt**: an approximate x86 transistency model based on prior work and publicly available documentation
- x86-TSO: sc\_per\_loc, rmw\_atomicity, causality invlpg (required) acylic[fr\_va + remap + ^po]





# A per-axiom suite was synthesized for each **x86t\_elt** axiom



#### **103 total unique ELTs!**

(98 for hardware verification/validation, 5 for diagnosing TLB implementation bugs)

The synthesized x86t\_elt suite consisted of all relevant ELTs from prior work (up to the bound) and more

- 21 of 22 relevant ELTs from prior work synthesized
  - 6 ELTs synthesized verbatim  $\rightarrow$  map to 3 ELT programs in x86t\_elt suite
  - 15 ELTs can be reduced to a minimal ELT that is synthesized
  - 1 ELT requires a higher bound for synthesis
- 3 ELTs from prior work, 100 new ELTs

### Conclusions

- **TransForm**: framework for formal specification of MTMs and ELT synthesis
- Enables modern ISAs to have a formal specification that includes VM
- Offers systems programmers and hardware designers a stronger opportunity for verification of full systems

#### • Future work:

- Empirical x86 processor testing
- RISC-V MTM specification
- Available at: <a href="https://github.com/naorinh/TransForm">https://github.com/naorinh/TransForm</a>

## TransForm: Formally Specifying Transistency Models and Synthesizing Enhanced Litmus Tests

Naorin Hossain Princeton University Caroline Trippel Stanford University Margaret Martonosi Princeton University

ISCA 2020

https://github.com/naorinh/TransForm