Compositional, dependency-aware C++ concurrency
Lead Research Organisation:
University of Kent
Department Name: Sch of Computing
Abstract
We address a difficult technical problem that is drawn from outside of the strict bounds of academic research: we seek a solution to fundamental problems found in the standards of the C and C++ programming languages. C and C++ code is not just prevalent -- it is used to form the lowest and most trusted levels of our systems. The kernel of every mainstream operating system uses some combination of the two, including Windows, MacOS, iOS, Android, Linux and Unix, as do the swathe of embedded controllers with essential functions like engine management. Having a good specification of the language is the first step in verifying the correctness of these vital system components.
-- Combatting software failure --
This work is part of a larger effort to combat software failure by developing techniques to verify the correctness of software. Currently, developers of computer systems rely predominantly on testing to ensure that systems behave as they should. The system is run for some time over various inputs and monitored for failure. The hope is that this will expose enough of the flaws in the system to have it behave reliably once it is deployed. But it is increasingly expensive to achieve good coverage: systems like cars experience varied inputs, and a fleet of a particular model runs collectively for far longer than the time its computer systems are tested. Worse still, modern systems are concurrent -- using multiple communicating processors to complete a task. The delicate interplay between the concurrent processors makes the output of the system dependent on the timing of communication, so that some behaviours occur only a handfull of times in billions of runs, leaving testing little hope of finding associated bugs.
There is evidence that this approach is breaking down and some bugs are evading discovery even in critical systems: for example a concurrency bug caused some of Toyota's cars to suddenly and relentlessly accelerate, killing 83 over 10 years. The wider economic cost of software failure was estimated by the U.S. National Institute of Standards and Technology to cost USD 60bn each year. Improving our approach to software failure would have substantial economic and societal impact.
Verification offers an alternative to testing: one defines desirable properties of the system -- it will not crash, fuel metering will be proportional to accelerator input, and so on -- and mathematically proves that the code satisfies them. In the ideal of verification, there is no space for bugs to creep in and the mathematical proof of correctness is absolute. Unfortunately, verification techniques are invariably built above an idealised model of the computer system, e.g. the assumption that memory accesses take place in a global sequential order, so called sequential consistency (SC). The distance between the ideal and the reality leaves ample space for bugs to persist. In fact the status quo is much worse because we do not have a characterisation of the reality of the system's behaviour: our best models of programming-language behaviour are known to be broken, e.g. in C, C++ and Java.
In this broad context, our project will develop a description of concurrency in the C and C++ languages that matches the reality, permitting the sorts of concurrent behaviour exhibited by compiler optimisations and the underlying concurrent processors. At the same time, we will support components written under the idealised SC assumption, enabling for the first time the use of the most powerful automatic verification techniques in a setting that correctly models the subtle concurrency behaviour of modern languages, dovetailing these previously disparate views of the system. Our work will make verification of concurrent systems more viable, helping to address the economic and social costs of software failure.
-- Combatting software failure --
This work is part of a larger effort to combat software failure by developing techniques to verify the correctness of software. Currently, developers of computer systems rely predominantly on testing to ensure that systems behave as they should. The system is run for some time over various inputs and monitored for failure. The hope is that this will expose enough of the flaws in the system to have it behave reliably once it is deployed. But it is increasingly expensive to achieve good coverage: systems like cars experience varied inputs, and a fleet of a particular model runs collectively for far longer than the time its computer systems are tested. Worse still, modern systems are concurrent -- using multiple communicating processors to complete a task. The delicate interplay between the concurrent processors makes the output of the system dependent on the timing of communication, so that some behaviours occur only a handfull of times in billions of runs, leaving testing little hope of finding associated bugs.
There is evidence that this approach is breaking down and some bugs are evading discovery even in critical systems: for example a concurrency bug caused some of Toyota's cars to suddenly and relentlessly accelerate, killing 83 over 10 years. The wider economic cost of software failure was estimated by the U.S. National Institute of Standards and Technology to cost USD 60bn each year. Improving our approach to software failure would have substantial economic and societal impact.
Verification offers an alternative to testing: one defines desirable properties of the system -- it will not crash, fuel metering will be proportional to accelerator input, and so on -- and mathematically proves that the code satisfies them. In the ideal of verification, there is no space for bugs to creep in and the mathematical proof of correctness is absolute. Unfortunately, verification techniques are invariably built above an idealised model of the computer system, e.g. the assumption that memory accesses take place in a global sequential order, so called sequential consistency (SC). The distance between the ideal and the reality leaves ample space for bugs to persist. In fact the status quo is much worse because we do not have a characterisation of the reality of the system's behaviour: our best models of programming-language behaviour are known to be broken, e.g. in C, C++ and Java.
In this broad context, our project will develop a description of concurrency in the C and C++ languages that matches the reality, permitting the sorts of concurrent behaviour exhibited by compiler optimisations and the underlying concurrent processors. At the same time, we will support components written under the idealised SC assumption, enabling for the first time the use of the most powerful automatic verification techniques in a setting that correctly models the subtle concurrency behaviour of modern languages, dovetailing these previously disparate views of the system. Our work will make verification of concurrent systems more viable, helping to address the economic and social costs of software failure.
Planned Impact
The concurrency that lies at the heart of our computer systems is not understood. This lack of a sound foundation makes it impossible to be sure of the security and robustness of our systems. This project will produce a mathematical description of currently ill-defined concurrency in C and C++, and provide an ability to consider programs as an aggregate of components, matching programming practice. We strive for industrial adoption of our approach, targeting the International Standards Organisation and others with tailored impact-driven dissemination.
The problems in C and C++ that we seek to solve are fundamental, and analogous problems are found in the specifications of the Linux concurrency macros, Java, OpenCL, CUDA, LLVM IR and every other programming language that provides efficient low-level access to memory and an optimising compiler.
This project has the potential for broad impact in both academia and industry. We will construct a new scheme for specifying concurrent memory that solves the problems in the state-of-the-art. This new approach to concurrency will produce 3 kinds of impact: it will fix problems in current industrial specifications, it will enable formal verification of compiler optimisations, and it will provide a sound footing for cutting-edge SC verification techniques. We expand on each below.
1. A concrete basis for language concurrency.
Throughout the development of our models we will endeavour to match the style of the existing C++ model and minimise differences. We intend our model to serve as the cleanest and most straightforward replacement for the current flawed model, maximising the potential for impact on future revisions of the C++ specification. Our new concurrency model will be mathematically defined, with a simulator that experts can use to run the model, and test their intuitions. In this way, we will produce a superior alternative to current concurrency specifications, and it is our intent that these should replace the status quo.
The prior experience and contacts of the PI, Batty, place him in a unique position to press for impact across many languages: he has key contacts concerned with the definitions of the Linux concurrency macros, Java and CUDA. Moreover, Batty has been particularly involved in the definition of the C and C++ languages, where developments are keenly watched by other language specifiers, and often adopted more or less verbatim (as in OpenCL and LLVM IR).
This context suggests the following strategy for industrial impact: Batty will present the model defined by this project to the specifiers of C++ and disseminate it to key players in the definition of the Linux concurrency macros, Java, and CUDA.
2. Optimisation validation.
Key processor vendors have engaged with recent research on relaxed memory and sought to limit the introduction of new behaviours, while releasing increasingly detailed and accurate micro-architectural specifications. Compiler writers have not engaged in the same way, but the development of a dependency-aware model of language concurrency will provide all that is needed begin a new line of academic/industrial collaboration. As part of the project, we will validate optimisations using our simulation tools: we hope that these tools might be exported to industry in the future.
3. Supporting SC verification.
A central goal of the project is to provide a sound basis for mature SC verification techniques over a relaxed-memory language, and this has the potential for major impact. It would unify two currently disparate strands of research and would pave the way for verification of industrially-relevant bodies of code that use relaxed concurrency, like the Linux kernel. Future work would leverage this ability and showcase its value to industry.
The problems in C and C++ that we seek to solve are fundamental, and analogous problems are found in the specifications of the Linux concurrency macros, Java, OpenCL, CUDA, LLVM IR and every other programming language that provides efficient low-level access to memory and an optimising compiler.
This project has the potential for broad impact in both academia and industry. We will construct a new scheme for specifying concurrent memory that solves the problems in the state-of-the-art. This new approach to concurrency will produce 3 kinds of impact: it will fix problems in current industrial specifications, it will enable formal verification of compiler optimisations, and it will provide a sound footing for cutting-edge SC verification techniques. We expand on each below.
1. A concrete basis for language concurrency.
Throughout the development of our models we will endeavour to match the style of the existing C++ model and minimise differences. We intend our model to serve as the cleanest and most straightforward replacement for the current flawed model, maximising the potential for impact on future revisions of the C++ specification. Our new concurrency model will be mathematically defined, with a simulator that experts can use to run the model, and test their intuitions. In this way, we will produce a superior alternative to current concurrency specifications, and it is our intent that these should replace the status quo.
The prior experience and contacts of the PI, Batty, place him in a unique position to press for impact across many languages: he has key contacts concerned with the definitions of the Linux concurrency macros, Java and CUDA. Moreover, Batty has been particularly involved in the definition of the C and C++ languages, where developments are keenly watched by other language specifiers, and often adopted more or less verbatim (as in OpenCL and LLVM IR).
This context suggests the following strategy for industrial impact: Batty will present the model defined by this project to the specifiers of C++ and disseminate it to key players in the definition of the Linux concurrency macros, Java, and CUDA.
2. Optimisation validation.
Key processor vendors have engaged with recent research on relaxed memory and sought to limit the introduction of new behaviours, while releasing increasingly detailed and accurate micro-architectural specifications. Compiler writers have not engaged in the same way, but the development of a dependency-aware model of language concurrency will provide all that is needed begin a new line of academic/industrial collaboration. As part of the project, we will validate optimisations using our simulation tools: we hope that these tools might be exported to industry in the future.
3. Supporting SC verification.
A central goal of the project is to provide a sound basis for mature SC verification techniques over a relaxed-memory language, and this has the potential for major impact. It would unify two currently disparate strands of research and would pave the way for verification of industrially-relevant bodies of code that use relaxed concurrency, like the Linux kernel. Future work would leverage this ability and showcase its value to industry.
People |
ORCID iD |
| Mark Batty (Principal Investigator) |
| Description | The memory behaviour of modern systems is extremely subtle. Processor vendors avoid the cost of fully hiding micro-architectural details, such as buffering and speculation, by permitting unintuitive program executions. Compiler optimisations alter accesses to memory to similar effect. The end result is a system with relaxed memory behaviour: behaviour that deviates from sequential consistency (SC), where concurrent memory accesses are simply interleaved. Relaxed memory breaks intuitions about system behaviour leading to bugs in language specifications, deployed processors, compilers, and vendor endorsed programming idioms - it is clear that current engineering practice is severely lacking. We have shown that the state-of-the-art definitions of C and C++ concurrency are fundamentally broken -- a problem that stems from a tension between performance and the strength of ordering guarantees provided to programmers. To provide secure systems, we must solve this problem, and that is the core aim of this project. Our solution to longstanding problems in the C and C++ language was accepted for publication in ESOP 2020. We took our solution to the International Standards Organisation (ISO), who define both C and C++. The ISO voted unanimously that ours is the "best path forward [and they] wish to continue to pursue this direction". This is a significant endorsement: the committee has not endorsed our competitors. |
| Exploitation Route | We will further develop our solution to the problems of the C and C++ specifications and work with the ISO to change the international standards that define the languages. This will affect all users of the C and C++ languages, and all code built above either language, including all mainstream operating systems. |
| Sectors | Digital/Communication/Information Technologies (including Software) |
| URL | http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1780r0.html |
| Description | Our work is leading the International Standards Organisation (ISO) towards a fix for a major problem in two of their key programming language definitions. The ISO unanimously passed the following motion endorsing our semantics: "OOTA is a major problem for C++, modular relaxed dependencies is the best path forward we have seen, and we wish to continue to pursue this direction" |
| First Year Of Impact | 2019 |
| Sector | Digital/Communication/Information Technologies (including Software) |
| Impact Types | Policy & public services |
| Description | Fixing the thin-air problem: ISO dissemination |
| Amount | £60,455 (GBP) |
| Organisation | National Cyber Security Centre |
| Sector | Public |
| Country | United Kingdom |
| Start | 04/2020 |
| End | 03/2021 |
| Description | International Standards Organisation (ISO) |
| Organisation | International Standards Organization |
| Country | Switzerland |
| Sector | Charity/Non Profit |
| PI Contribution | The work of this grant forms part of a continued partnership with the ISO seeking to help them refine the definition of concurrency in the C and C++ languages. The partnership started in 2009, and early contributions (before the start of this grant) suggested changes to the international standards of these two languages. These changes were accepted and became part of the official definitions of the languages. This process led to Batty becoming a voting member of the ISO's Workgroup 21 (WG21), responsible for the definition of the C++ language. This earlier work also brought to light a major problem in the definition of the language: the current specification fails to take into account the interaction of concurrency and dependency-removing compiler optimisations. Batty took these concerns to the ISO and helped them to understand that this problem could not be solved with a minor fix, and it was the underlying paradigm of of the concurrency definition that was at fault. WG21 formed Subgroup 1 (SG1) to discuss this and other issues related to the C++ concurrency definition. This grant funded the development of a new model of C++ concurrency called Modular Relaxed Dependencies (MRD). MRD solves the fundamental problems that we found in C++ by defining when a compiler can remove a dependency between two memory accesses, and when it cannot. It tightens the language definition to exclude behaviours that we showed make formal reasoning, like establishing security properties, impossible. MRD does have a significantly different underlying paradigm to the existing C++ memory definition, but we constructed it in such a way that it can be incorporated into the current definition with a surprisingly small list of changes. We presented MRD to SG1 at ISO meetings in Cologne (2019) and Belfast (2019), producing two white papers D1780R0 and D1780R1. These papers presented the workings of MRD and a concrete textual change to the C++ standard that implements MRD in the existing document. The change was complex yet concise and consisted of adding 2 new pages to the 1,622-page document. The committee found this to be palatable and were pleased to have a possible fix to a 10-year problem. SG1 voted unanimously to pursue the solution, recognising it as "the best path forward". Unfortunately, the pandemic caused an end to ISO meetings for some time in the next year. In response, we developed MRDer, an online tool that automatically evaluates MRD over small test programs. In our previous experience, our web tools have allowed ISO members to experiment with our models, and gain intuitions about the design decisions they embody. When meetings restarted online, we presented MRDer to SG1, and it was well received. We would like to push further for the incorporation of MRD into the C++ specification, but the online ISO meetings are sub optimal for this: the ones we have been to have had poor attendance, they were centred on discussing smaller issues, and the dynamics of the interactions seemed prone to confusion. We will return to this in 2021: momentum seems to be building to discuss more involved issues in the online meetings, and there is a chance of in-person meetings on the horizon. |
| Collaborator Contribution | The ISO act as gatekeepers for changes to the official definitions of the C and C++ languages. The ISO's SG1 is particularly influential in concurrency definitions, with many other languages adopting a minor extension of the C++ concurrency definition. SG1 is made up of global experts in concurrency who can provide us with feedback on our definitions. We received valuable and notably positive feedback 3 times from the committee at meetings at Belfast, Cologne and at an online meeting. The committee held a vote and unanimously recognised our technical solution to problems in the C++ specification as something they will pursue, and as the "the best path forward". |
| Impact | Two white papers at the ISO (despite being labelled as revisions, they have almost entirely different contents): D1780R0 -- Modular Relaxed Dependencies: A new approach to the Out-Of-Thin-Air Problem, 2019, Mark Batty, Simon Cooksey, Scott Owens, Anouk Paradis, Marco Paviotti, Daniel Wright D1780R1 -- Modular Relaxed Dependencies: A new approach to the Out-Of-Thin-Air Problem, 2019, Mark Batty, Simon Cooksey, Scott Owens, Anouk Paradis, Marco Paviotti, Daniel Wright The vote on the proposals made: Giroux, O (SG1 chair), 2019. ISO WG21 SG1 concurrency subgroup vote, unanimously approved: OOTA is a major problem for C++, modular relaxed dependencies is the best path forward we have seen, and we wish to continue to pursue this direction. |
| Start Year | 2018 |
| Title | MRDer |
| Description | MRDer is an automatic evaluator for MRD, our new semantics that solves longstanding problems in the definition of concurrency in C and C++. The web interface allows one to automatically evaluate small tests under the formal model to test one's intuitions about the new concurrency design. It is intended for use by the experts who define the C++ language. |
| Type Of Technology | Webtool/Application |
| Year Produced | 2020 |
| Impact | MRDer was presented at a meeting of the International Standard Organisation's subgroup responsible for C++ concurrency. It has helped in discussions with the committee, allowing members to test their intuitions about our proposed changes to the C++ concurrency specification. |
| URL | https://www.cs.kent.ac.uk/projects/MRDer/ |
| Description | D1780R0 Modular Relaxed Dependencies: A new approach to the Out-Of-Thin-Air Problem |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Industry/Business |
| Results and Impact | We presented two papers to the International Standards Organisation (D1780R0 and D1780R1), who define the C and C++ programming languages. They have a longstanding technical problem with the languages which is the focus of this research. They voted on our solution and unanimously agreed that it is the "best path forward we have seen", adding that "we wish to continue to pursue this direction". This places us ahead of other solutions developed in Germany and the US. This interaction took place at three meetings of the International Standards Organisation's C++ committee in 2019. One was held at Cologne, one at Belfast and one online. |
| Year(s) Of Engagement Activity | 2019,2020 |
| URL | http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1780r0.html |