4 Copyright © 2013 Regents of the University of California. All rights reserved.
6 CDSChecker is distributed under the GPL v2. See the LICENSE file for details.
12 CDSChecker is a model checker for C11/C++11 which exhaustively explores the
13 behaviors of code under the C/C++ memory model. It uses partial order reduction
14 as well as a few other novel techniques to eliminate time spent on redundant
15 execution behaviors and to significantly shrink the state space. The model
16 checking algorithm is described in more detail in this paper (published in
19 > <http://demsky.eecs.uci.edu/publications/c11modelcheck.pdf>
21 It is designed to support unit tests on concurrent data structure written using
24 CDSChecker is constructed as a dynamically-linked shared library which
25 implements the C and C++ atomic types and portions of the other thread-support
26 libraries of C/C++ (e.g., std::atomic, std::mutex, etc.). Notably, we only
27 support the C version of threads (i.e., `thrd_t` and similar, from `<threads.h>`),
28 because C++ threads require features which are only available to a C++11
29 compiler (and we want to support others, at least for now).
31 CDSChecker should compile on Linux and Mac OSX with no dependencies and has been
32 tested with LLVM (clang/clang++) and GCC. It likely can be ported to other \*NIX
33 flavors. We have not attempted to port to Windows.
39 If you haven't done so already, you may download CDSChecker using
40 [git](http://git-scm.com/):
42 git clone git://demsky.eecs.uci.edu/model-checker.git
44 Get the benchmarks (not required; distributed separately):
47 git clone git://demsky.eecs.uci.edu/model-checker-benchmarks.git benchmarks
49 Compile the model checker:
53 Compile the benchmarks:
57 Run a simple example (the `run.sh` script does some very minimal processing for
60 ./run.sh test/userprog.o
62 To see the help message on how to run CDSChecker, execute:
72 > Controls the liveness of the memory system. Note that multithreaded programs
73 > often rely on memory liveness for termination, so this parameter is
74 > necessary for such programs.
76 > Liveness is controlled by `num`: the number of times a load is allowed to
77 > see the same store when a newer store exists---one that is ordered later in
78 > the modification order.
82 > Turns on CHESS-like yield-based fairness support (requires `thrd_yield()`
83 > instrumentation in test program).
87 > Turns on alternative fairness support (less desirable than `-y`).
91 > Verbose: show all executions and not just buggy ones.
95 > Constrain how long we will run to wait for a future value past when it is
100 > Value to provide to atomics loads from uninitialized memory locations. The
101 > default is 0, but this may cause some programs to throw exceptions
102 > (segfault) before the model checker prints a trace.
116 Many simple tests are located in the `tests/` directory. You may also want to
117 try the larger benchmarks (distributed separately), which can be placed under
118 the `benchmarks/` directory. After building CDSChecker, you can build and run
119 the benchmarks as follows:
123 > ./run.sh barrier/barrier -y -m 2 # runs barrier test with fairness/memory liveness
124 > ./bench.sh # run all benchmarks and provide timing results
127 Running your own code
128 ---------------------
130 You likely want to test your own code, not just our simple tests. To do so, you
131 need to perform a few steps.
133 First, because CDSChecker executes your program dozens (if not hundreds or
134 thousands) of times, you will have the most success if your code is written as a
135 unit test and not as a full-blown program.
137 Second, because CDSChecker must be able to manage your program for you, your
138 program should declare its main entry point as `user_main(int, char**)` rather
139 than `main(int, char**)`.
141 Third, test programs should use the standard C11/C++11 library headers
142 (`<atomic>`/`<stdatomic.h>`, `<mutex>`, `<condition_variable>`, `<thread.h>`).
143 As of now, we only support C11 thread syntax (`thrd_t`, etc. from
146 Test programs may also use our included happens-before race detector by
147 including <librace.h> and utilizing the appropriate functions
148 (`store_{8,16,32,64}()` and `load_{8,16,32,64}()`) for loading/storing data from/to
149 non-atomic shared memory.
151 CDSChecker can also check boolean assertions in your test programs. Just
152 include `<model-assert.h>` and use the `MODEL_ASSERT()` macro in your test program.
153 CDSChecker will report a bug in any possible execution in which the argument to
154 `MODEL_ASSERT()` evaluates to false (that is, 0).
156 Test programs should be compiled against our shared library (libmodel.so) using
157 the headers in the `include/` directory. Then the shared library must be made
158 available to the dynamic linker, using the `LD_LIBRARY_PATH` environment
159 variable, for instance.
162 Reading an execution trace
163 --------------------------
165 When CDSChecker detects a bug in your program (or when run with the `--verbose`
166 flag), it prints the output of the program run (STDOUT) along with some summary
167 trace information for the execution in question. The trace is given as a
168 sequence of lines, where each line represents an operation in the execution
169 trace. These lines are ordered by the order in which they were run by CDSChecker
170 (i.e., the "execution order"), which does not necessarily align with the "order"
171 of the values observed (i.e., the modification order or the reads-from
174 The following list describes each of the columns in the execution trace output:
176 * \#: The sequence number within the execution. That is, sequence number "9"
177 means the operation was the 9th operation executed by CDSChecker. Note that
178 this represents the execution order, not necessarily any other order (e.g.,
179 modification order or reads-from).
181 * t: The thread number
183 * Action type: The type of operation performed
185 * MO: The memory-order for this operation (i.e., `memory_order_XXX`, where `XXX` is
186 `relaxed`, `release`, `acquire`, `rel_acq`, or `seq_cst`)
188 * Location: The memory location on which this operation is operating. This is
189 well-defined for atomic write/read/RMW, but other operations are subject to
190 CDSChecker implementation details.
192 * Value: For reads/writes/RMW, the value returned by the operation. Note that
193 for RMW, this is the value that is *read*, not the value that was *written*.
194 For other operations, 'value' may have some CDSChecker-internal meaning, or
195 it may simply be a don't-care (such as `0xdeadbeef`).
197 * Rf: For reads, the sequence number of the operation from which it reads.
198 [Note: If the execution is a partial, infeasible trace (labeled INFEASIBLE),
199 as printed during `--verbose` execution, reads may not be resolved and so may
200 have Rf=? or Rf=Px, where x is a promised future value.]
202 * CV: The clock vector, encapsulating the happens-before relation (see our
203 paper, or the C/C++ memory model itself). We use a Lamport-style clock vector
204 similar to [1]. The "clock" is just the sequence number (#). The clock vector
205 can be read as follows:
207 Each entry is indexed as CV[i], where
209 i = 0, 1, 2, ..., <number of threads>
211 So for any thread i, we say CV[i] is the sequence number of the most recent
212 operation in thread i such that operation i happens-before this operation.
213 Notably, thread 0 is reserved as a dummy thread for certain CDSChecker
216 See the following example trace:
219 ------------------------------------------------------------------------------------
220 # t Action type MO Location Value Rf CV
221 ------------------------------------------------------------------------------------
222 1 1 thread start seq_cst 0x7f68ff11e7c0 0xdeadbeef ( 0, 1)
223 2 1 init atomic relaxed 0x601068 0 ( 0, 2)
224 3 1 init atomic relaxed 0x60106c 0 ( 0, 3)
225 4 1 thread create seq_cst 0x7f68fe51c710 0x7f68fe51c6e0 ( 0, 4)
226 5 2 thread start seq_cst 0x7f68ff11ebc0 0xdeadbeef ( 0, 4, 5)
227 6 2 atomic read relaxed 0x60106c 0 3 ( 0, 4, 6)
228 7 1 thread create seq_cst 0x7f68fe51c720 0x7f68fe51c6e0 ( 0, 7)
229 8 3 thread start seq_cst 0x7f68ff11efc0 0xdeadbeef ( 0, 7, 0, 8)
230 9 2 atomic write relaxed 0x601068 0 ( 0, 4, 9)
231 10 3 atomic read relaxed 0x601068 0 2 ( 0, 7, 0, 10)
232 11 2 thread finish seq_cst 0x7f68ff11ebc0 0xdeadbeef ( 0, 4, 11)
233 12 3 atomic write relaxed 0x60106c 0x2a ( 0, 7, 0, 12)
234 13 1 thread join seq_cst 0x7f68ff11ebc0 0x2 ( 0, 13, 11)
235 14 3 thread finish seq_cst 0x7f68ff11efc0 0xdeadbeef ( 0, 7, 0, 14)
236 15 1 thread join seq_cst 0x7f68ff11efc0 0x3 ( 0, 15, 11, 14)
237 16 1 thread finish seq_cst 0x7f68ff11e7c0 0xdeadbeef ( 0, 16, 11, 14)
239 ------------------------------------------------------------------------------------
242 Now consider, for example, operation 10:
244 This is the 10th operation in the execution order. It is an atomic read-relaxed
245 operation performed by thread 3 at memory address `0x601068`. It reads the value
246 "0", which was written by the 2nd operation in the execution order. Its clock
247 vector consists of the following values:
249 CV[0] = 0, CV[1] = 7, CV[2] = 0, CV[3] = 10
255 * Deadlock detection: CDSChecker can detect deadlocks. For instance, try the
256 following test program.
258 > ./run.sh test/deadlock.o
260 Deadlock detection currently detects when a thread is about to step into a
261 deadlock, without actually including the final step in the trace. But you can
262 examine the program to see the next step.
264 * CDSChecker has to speculatively explore many execution behaviors due to the
265 relaxed memory model, and many of these turn out to be infeasible (that is,
266 they cannot be legally produced by the memory model). CDSChecker discards
267 these executions as soon as it identifies them (see the "Number of infeasible
268 executions" statistic); however, the speculation can occasionally cause
269 CDSChecker to hit unexpected parts of the unit test program (causing a
270 division by 0, for instance). In such programs, you might consider running
271 CDSChecker with the `-u num` option.
277 The CDSChecker project page:
279 > <http://demsky.eecs.uci.edu/c11modelchecker.php>
281 The CDSChecker source and accompanying benchmarks on Gitweb:
283 > <http://demsky.eecs.uci.edu/git/?p=model-checker.git>
285 > <http://demsky.eecs.uci.edu/git/?p=model-checker-benchmarks.git>
291 Please feel free to contact us for more information. Bug reports are welcome,
292 and we are happy to hear from our users. We are also very interested to know if
293 CDSChecker catches bugs in your programs.
295 Contact Brian Norris at <banorris@uci.edu> or Brian Demsky at <bdemsky@uci.edu>.
301 [1] L. Lamport. Time, clocks, and the ordering of events in a distributed
302 system. CACM, 21(7):558-565, July 1978.