Lazy TSO Reachability

TL;DR

This paper introduces a lazy, iterative algorithm for TSO reachability checking that combines SC semantics with TSO approximations, enabling efficient bug detection in concurrent programs.

Contribution

It presents a novel semi-decision procedure that under-approximates TSO reachability by lazily integrating TSO semantics into SC analysis, improving efficiency.

Findings

Algorithm is sound and complete for bug detection.

Implemented as an extension to Trencher tool.

Compared favorably to Memorax and CBMC in experiments.

Abstract

We address the problem of checking state reachability for programs running under Total Store Order (TSO). The problem has been shown to be decidable but the cost is prohibitive, namely non-primitive recursive. We propose here to give up completeness. Our contribution is a new algorithm for TSO reachability: it uses the standard SC semantics and introduces the TSO semantics lazily and only where needed. At the heart of our algorithm is an iterative refinement of the program of interest. If the program's goal state is SC-reachable, we are done. If the goal state is not SC-reachable, this may be due to the fact that SC under-approximates TSO. We employ a second algorithm that determines TSO computations which are infeasible under SC, and hence likely to lead to new states. We enrich the program to emulate, under SC, these TSO computations. Altogether, this yields an iterative under-approximation that we prove sound and complete for bug hunting, i.e., a semi-decision procedure halting for positive cases of reachability. We have implemented the procedure as an extension to the tool Trencher and compared it to the Memorax and CBMC model checkers.