Thank you.
> We've used Spin (
http://spinroot.com/spin/whatispin.html) for modeling
> racy algorithms in the past. It's strong point is that it can search
> a very large search space because it can apply algebraic techniques.
> But as noted, writing the models in a separate language is a pain, and
> the fidelity of the model is always an issue. In particular, Spin
> does not model memory consistency.
>
> At the other extreme is CHESS(
http://research.microsoft.com/projects/
> CHESS/) which runs real code, but it's not clear to me if it models
> memory consistency issues.
Yes, I am aware of those tools.
The goal of my tool is testing of "real life" C/C++ algorithms (and I
hope Java/C# in near future). I.e. one must be able to test *any*
algorithm he wrote. Including low bit stealing from pointers, pointer
compression, bit fields, C++ templates, dynamic memory allocation,
benign data races, relaxed atomic operations, stand-alone memory
fences and so on. And at the same time tool must model execution as
precise as possible, and catch as much different error types as
possible. Currently tool precisely models very relaxed memory model,
i.e. relaxed, acquire, release, acquire_release,
sequentially_consistent operations and memory fences. Also it models
such things as spurious failures in CAS (yes, it's permitted by C+
+0x), and whether malloc() will return recently freed block or brand
new block (useful for ABA detection).
Also I was trying to make it possible to test real production code.
It's possible with thin macros layer. If you want I can elaborate on
this.
As for Spin. For me it looks very... scholastic. Maybe it's useful for
protocol verification, but not for real-life synchronization
algorithms. Where is dynamic memory allocation? Where is relaxed
memory model? And as you said, what is Promela?
As for large state space. Relacy Race Detector can search arbitrary
size state spaces, because it's stateless (it takes around 624KB of
memory over all execution). But of course execution time is concern. I
was trying to optimize implementation as much as possible, currently
it goes at speed around 10^5-10^6 test executions per second. And it
includes random scheduler, which makes it possible to reveal 99% of
errors within 1 second.
As for CHESS. It looks much closer to real life. Actually I take few
ideas from CHESS. First is context bound scheduler, which gives
reasonable compromise between state space size and obtained
confidence. Second is fair scheduler, which gives ability to test
formally non-terminating algorithms.
What I don't like in CHESS. It's imprecise. It doesn't capture all
memory references (which can be crucial). It doesn't model relaxed
memory model. It doesn't model such things like spurious failures in
CAS. So basically I treat CHESS as *program* verifier (with not very
precise checking), and Relacy as *algorithm* verifier (with precise
checking). The strength of CHESS is that it allows execution of
unmodified code.
Btw, there are some attempts to incorporate relaxed memory model into
CHESS, but currently they model only "store-buffer relaxations", and
they treat them in interesting way: basically, if there exists some
execution which is possible with store buffers and not possible w/o
store buffers it's an error. Why? Maybe it's reasonable for
"application level" code, but not for synchronization algorithms.
This is exactly kind of error which will be reported as error by
CHESS:
http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30254599.aspx
But you reasonably conclude that this is "intended" behavior.
See this for details:
http://research.microsoft.com/projects/CHESS/sober.pdf
> Basing the Relacy checking on std::atomic interactions is a neat
> idea. It sounds like a practical sweet spot for checkers.
C++0x's atomics seems to be the first "standardized" atomics library.
And C++0x clearly separate atomic variables (which is subject for
concurrent assess) and usual variables (which is subject for single-
threaded access and race detection). I am forcedly comparing C++0x's
approach to Java's approach. In Java mode I just have to simply turn-
off data race detection. This is bad... for Java programmers.
Dmitriy V'jukov