1 CDSChecker: A Model Checker for C11 and C++11 Atomics
2 =====================================================
4 Copyright © 2013 Regents of the University of California. All rights reserved.
6 CDSChecker is distributed under the GPL v2. See the LICENSE file for details.
12 CDSChecker is a model checker for C11/C++11 which exhaustively explores the
13 behaviors of code under the C/C++ memory model. It uses partial order reduction
14 as well as a few other novel techniques to eliminate time spent on redundant
15 execution behaviors and to significantly shrink the state space. The model
16 checking algorithm is described in more detail in this paper (published in
19 > <http://demsky.eecs.uci.edu/publications/c11modelcheck.pdf>
21 It is designed to support unit tests on concurrent data structure written using
24 CDSChecker is constructed as a dynamically-linked shared library which
25 implements the C and C++ atomic types and portions of the other thread-support
26 libraries of C/C++ (e.g., std::atomic, std::mutex, etc.). Notably, we only
27 support the C version of threads (i.e., `thrd_t` and similar, from `<threads.h>`),
28 because C++ threads require features which are only available to a C++11
29 compiler (and we want to support others, at least for now).
31 CDSChecker should compile on Linux and Mac OSX with no dependencies and has been
32 tested with LLVM (clang/clang++) and GCC. It likely can be ported to other \*NIX
33 flavors. We have not attempted to port to Windows.
39 If you haven't done so already, you may download CDSChecker using
40 [git](http://git-scm.com/):
42 git clone git://demsky.eecs.uci.edu/model-checker.git
44 Source code can also be downloaded via the snapshot links on Gitweb (found in
45 the __See Also__ section).
47 Get the benchmarks (not required; distributed separately), placing them as a
48 subdirectory under the `model-checker` directory:
51 git clone git://demsky.eecs.uci.edu/model-checker-benchmarks.git benchmarks
53 Compile the model checker:
57 Compile the benchmarks:
61 Run a simple example (the `run.sh` script does some very minimal processing for
64 ./run.sh test/userprog.o
66 To see the help message on how to run CDSChecker, execute:
76 > Controls the liveness of the memory system. Note that multithreaded programs
77 > often rely on memory liveness for termination, so this parameter is
78 > necessary for such programs.
80 > Liveness is controlled by `num`: the number of times a load is allowed to
81 > see the same store when a newer store exists---one that is ordered later in
82 > the modification order.
86 > Turns on CHESS-like yield-based fairness support (requires `thrd_yield()`
87 > instrumentation in test program).
91 > Turns on alternative fairness support (less desirable than `-y`). A
92 > necessary alternative for some programs that do not support yield-based
97 > Verbose: show all executions and not just buggy ones.
101 > Constrain how long we will run to wait for a future value past when it is
106 > Value to provide to atomics loads from uninitialized memory locations. The
107 > default is 0, but this may cause some programs to throw exceptions
108 > (segfault) before the model checker prints a trace.
122 Many simple tests are located in the `tests/` directory. You may also want to
123 try the larger benchmarks (distributed separately), which can be placed under
124 the `benchmarks/` directory. After building CDSChecker, you can build and run
125 the benchmarks as follows:
130 > # run barrier test with fairness/memory liveness
131 > ./run.sh barrier/barrier -y -m 2
133 > # Linux reader/write lock test with fairness/memory liveness
134 > ./run.sh linuxrwlocks/linuxrwlocks -y -m 2
136 > # run all benchmarks and provide timing results
140 Running your own code
141 ---------------------
143 You likely want to test your own code, not just our simple tests. To do so, you
144 need to perform a few steps.
146 First, because CDSChecker executes your program dozens (if not hundreds or
147 thousands) of times, you will have the most success if your code is written as a
148 unit test and not as a full-blown program.
150 Second, because CDSChecker must be able to manage your program for you, your
151 program should declare its main entry point as `user_main(int, char**)` rather
152 than `main(int, char**)`.
154 Third, test programs must use the standard C11/C++11 library headers (see below
155 for supported APIs) and must compile against the versions provided in
156 CDSChecker's `include/` directory. Notably, we only support C11 thread syntax
157 (`thrd_t`, etc. from `<thread.h>`).
159 Test programs may also use our included happens-before race detector by
160 including <librace.h> and utilizing the appropriate functions
161 (`store_{8,16,32,64}()` and `load_{8,16,32,64}()`) for storing/loading data
162 to/from non-atomic shared memory.
164 CDSChecker can also check boolean assertions in your test programs. Just
165 include `<model-assert.h>` and use the `MODEL_ASSERT()` macro in your test program.
166 CDSChecker will report a bug in any possible execution in which the argument to
167 `MODEL_ASSERT()` evaluates to false (that is, 0).
169 Test programs should be compiled against our shared library (libmodel.so) using
170 the headers in the `include/` directory. Then the shared library must be made
171 available to the dynamic linker, using the `LD_LIBRARY_PATH` environment
172 variable, for instance.
175 ### Supported C11/C++11 APIs ###
177 To model-check multithreaded code properly, CDSChecker needs to instrument any
178 concurrency-related API calls made in your code. Currently, we support parts of
179 the following thread-support libraries. The C versions can be used in either C
182 * `<atomic>`, `<cstdatomic>`, `<stdatomic.h>`
183 * `<condition_variable>`
187 Because we want to extend support to legacy (i.e., non-C++11) compilers, we do
188 not support some new C++11 features that can't be implemented in C++03 (e.g.,
191 Reading an execution trace
192 --------------------------
194 When CDSChecker detects a bug in your program (or when run with the `--verbose`
195 flag), it prints the output of the program run (STDOUT) along with some summary
196 trace information for the execution in question. The trace is given as a
197 sequence of lines, where each line represents an operation in the execution
198 trace. These lines are ordered by the order in which they were run by CDSChecker
199 (i.e., the "execution order"), which does not necessarily align with the "order"
200 of the values observed (i.e., the modification order or the reads-from
203 The following list describes each of the columns in the execution trace output:
205 * \#: The sequence number within the execution. That is, sequence number "9"
206 means the operation was the 9th operation executed by CDSChecker. Note that
207 this represents the execution order, not necessarily any other order (e.g.,
208 modification order or reads-from).
210 * t: The thread number
212 * Action type: The type of operation performed
214 * MO: The memory-order for this operation (i.e., `memory_order_XXX`, where `XXX` is
215 `relaxed`, `release`, `acquire`, `rel_acq`, or `seq_cst`)
217 * Location: The memory location on which this operation is operating. This is
218 well-defined for atomic write/read/RMW, but other operations are subject to
219 CDSChecker implementation details.
221 * Value: For reads/writes/RMW, the value returned by the operation. Note that
222 for RMW, this is the value that is *read*, not the value that was *written*.
223 For other operations, 'value' may have some CDSChecker-internal meaning, or
224 it may simply be a don't-care (such as `0xdeadbeef`).
226 * Rf: For reads, the sequence number of the operation from which it reads.
227 [Note: If the execution is a partial, infeasible trace (labeled INFEASIBLE),
228 as printed during `--verbose` execution, reads may not be resolved and so may
229 have Rf=? or Rf=Px, where x is a promised future value.]
231 * CV: The clock vector, encapsulating the happens-before relation (see our
232 paper, or the C/C++ memory model itself). We use a Lamport-style clock vector
233 similar to [1]. The "clock" is just the sequence number (#). The clock vector
234 can be read as follows:
236 Each entry is indexed as CV[i], where
238 i = 0, 1, 2, ..., <number of threads>
240 So for any thread i, we say CV[i] is the sequence number of the most recent
241 operation in thread i such that operation i happens-before this operation.
242 Notably, thread 0 is reserved as a dummy thread for certain CDSChecker
245 See the following example trace:
247 ------------------------------------------------------------------------------------
248 # t Action type MO Location Value Rf CV
249 ------------------------------------------------------------------------------------
250 1 1 thread start seq_cst 0x7f68ff11e7c0 0xdeadbeef ( 0, 1)
251 2 1 init atomic relaxed 0x601068 0 ( 0, 2)
252 3 1 init atomic relaxed 0x60106c 0 ( 0, 3)
253 4 1 thread create seq_cst 0x7f68fe51c710 0x7f68fe51c6e0 ( 0, 4)
254 5 2 thread start seq_cst 0x7f68ff11ebc0 0xdeadbeef ( 0, 4, 5)
255 6 2 atomic read relaxed 0x60106c 0 3 ( 0, 4, 6)
256 7 1 thread create seq_cst 0x7f68fe51c720 0x7f68fe51c6e0 ( 0, 7)
257 8 3 thread start seq_cst 0x7f68ff11efc0 0xdeadbeef ( 0, 7, 0, 8)
258 9 2 atomic write relaxed 0x601068 0 ( 0, 4, 9)
259 10 3 atomic read relaxed 0x601068 0 2 ( 0, 7, 0, 10)
260 11 2 thread finish seq_cst 0x7f68ff11ebc0 0xdeadbeef ( 0, 4, 11)
261 12 3 atomic write relaxed 0x60106c 0x2a ( 0, 7, 0, 12)
262 13 1 thread join seq_cst 0x7f68ff11ebc0 0x2 ( 0, 13, 11)
263 14 3 thread finish seq_cst 0x7f68ff11efc0 0xdeadbeef ( 0, 7, 0, 14)
264 15 1 thread join seq_cst 0x7f68ff11efc0 0x3 ( 0, 15, 11, 14)
265 16 1 thread finish seq_cst 0x7f68ff11e7c0 0xdeadbeef ( 0, 16, 11, 14)
267 ------------------------------------------------------------------------------------
269 Now consider, for example, operation 10:
271 This is the 10th operation in the execution order. It is an atomic read-relaxed
272 operation performed by thread 3 at memory address `0x601068`. It reads the value
273 "0", which was written by the 2nd operation in the execution order. Its clock
274 vector consists of the following values:
276 CV[0] = 0, CV[1] = 7, CV[2] = 0, CV[3] = 10
278 End of Execution Summary
279 ------------------------
281 CDSChecker prints summary statistics at the end of each execution. These
282 summaries are based off of a few different properties of an execution, which we
283 will break down here:
285 * An _infeasible_ execution is an execution which is not consistent with the
286 memory model. Such an execution can be considered overhead for the
287 model-checker, since it should never appear in practice.
289 * A _buggy_ execution is an execution in which CDSChecker has found a real
290 bug: a data race, a deadlock, failure of a user-provided assertion, or an
291 uninitialized load, for instance. CDSChecker will only report bugs in feasible
294 * A _redundant_ execution is a feasible execution that is exploring the same
295 state space explored by a previous feasible execution. Such exploration is
296 another instance of overhead, so CDSChecker terminates these executions as
297 soon as they are detected. CDSChecker is mostly able to avoid such executions
298 but may encounter them if a fairness option is enabled.
300 Now, we can examine the end-of-execution summary of one test program:
302 $ ./run.sh test/rmwprog.o
304 ******* Model-checking complete: *******
305 Number of complete, bug-free executions: 6
306 Number of redundant executions: 0
307 Number of buggy executions: 0
308 Number of infeasible executions: 29
311 * _Number of complete, bug-free executions:_ these are feasible, non-buggy, and
312 non-redundant executions. They each represent different, legal behaviors you
313 can expect to see in practice.
315 * _Number of redundant executions:_ these are feasible but redundant executions
316 that were terminated as soon as CDSChecker noticed the redundancy.
318 * _Number of buggy executions:_ these are feasible, buggy executions. These are
319 the trouble spots where your program is triggering a bug or assertion.
320 Ideally, this number should be 0.
322 * _Number of infeasible executions:_ these are infeasible executions,
323 representing some of the overhead of model-checking.
325 * _Total executions:_ the total number of executions explored by CDSChecker.
326 Should be the sum of the above categories, since they are mutually exclusive.
329 Other Notes and Pitfalls
330 ------------------------
332 * Many programs require some form of fairness in order to terminate in a finite
333 amount of time. CDSChecker supports the `-y num` and `-f num` flags for these
334 cases. The `-y` option (yield-based fairness) is preferable, but it requires
335 careful usage of yields (i.e., `thrd_yield()`) in the test program. For
336 programs without proper `thrd_yield()`, you may consider using `-f` instead.
338 * Deadlock detection: CDSChecker can detect deadlocks. For instance, try the
339 following test program.
341 > ./run.sh test/deadlock.o
343 Deadlock detection currently detects when a thread is about to step into a
344 deadlock, without actually including the final step in the trace. But you can
345 examine the program to see the next step.
347 * CDSChecker has to speculatively explore many execution behaviors due to the
348 relaxed memory model, and many of these turn out to be infeasible (that is,
349 they cannot be legally produced by the memory model). CDSChecker discards
350 these executions as soon as it identifies them (see the "Number of infeasible
351 executions" statistic); however, the speculation can occasionally cause
352 CDSChecker to hit unexpected parts of the unit test program (causing a
353 division by 0, for instance). In such programs, you might consider running
354 CDSChecker with the `-u num` option.
356 * Related to the previous point, CDSChecker may report more than one bug for a
357 particular candidate execution. This is because some bugs may not be
358 reportable until CDSChecker has explored more of the program, and in the
359 time between initial discovery and final assessment of the bug, CDSChecker may
360 discover another bug.
362 * Data races may be reported as multiple bugs, one for each byte-address of the
363 data race in question. See, for example, this run:
365 $ ./run.sh test/releaseseq.o
367 Bug report: 4 bugs detected
368 [BUG] Data race detected @ address 0x601078:
369 Access 1: write in thread 2 @ clock 4
370 Access 2: read in thread 3 @ clock 9
371 [BUG] Data race detected @ address 0x601079:
372 Access 1: write in thread 2 @ clock 4
373 Access 2: read in thread 3 @ clock 9
374 [BUG] Data race detected @ address 0x60107a:
375 Access 1: write in thread 2 @ clock 4
376 Access 2: read in thread 3 @ clock 9
377 [BUG] Data race detected @ address 0x60107b:
378 Access 1: write in thread 2 @ clock 4
379 Access 2: read in thread 3 @ clock 9
385 The CDSChecker project page:
387 > <http://demsky.eecs.uci.edu/c11modelchecker.php>
389 The CDSChecker source and accompanying benchmarks on Gitweb:
391 > <http://demsky.eecs.uci.edu/git/?p=model-checker.git>
393 > <http://demsky.eecs.uci.edu/git/?p=model-checker-benchmarks.git>
399 Please feel free to contact us for more information. Bug reports are welcome,
400 and we are happy to hear from our users. We are also very interested to know if
401 CDSChecker catches bugs in your programs.
403 Contact Brian Norris at <banorris@uci.edu> or Brian Demsky at <bdemsky@uci.edu>.
409 [1] L. Lamport. Time, clocks, and the ordering of events in a distributed
410 system. CACM, 21(7):558-565, July 1978.