Skip to content

Add concurrency checking based on GenMC #523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
KurtWu10 wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

Add concurrency checking based on GenMC #523

KurtWu10 wants to merge 10 commits into from

Conversation

@KurtWu10
Copy link
Contributor

@KurtWu10 KurtWu10 commented Oct 9, 2025
edited
Loading

This PR introduces concurrency testing of the single-producer single-consumer queue in the network subsystem using the GenMC model checker. This enables lightweight and reliable CI testing of the queue's concurrency. To pass GenMC's verification, this PR also refactors the queue implementation.

  1. Testing is performed using a standard multi-threaded C program (ci/genmc/network/test1.c) that uses the queue and embeds functional correctness requirements. This allows the same program to be simulated by the GenMC tool or compiled and run on real hardware without significant modification.

    In the current test program, the queue is tested using busy loops, because the test only consider partial correctness of the queue. The test also does not consider deadlock-freedom of the queue. The test only covers the free queue currently, but not the active queue. Interactions with the signaling protocol are not considered in the PR.

    Tests for queues in other subsystems will be added in future PRs.

  2. The following changes were made to the queue implementation to pass GenMC's checks:

    • Certain accesses are explicitly labelled as atomic accesses, following a similar implementation in LionsOS. These atomic accesses use the release-acquire subset of the C memory model. Each access is annotated to indicate which other atomic access it synchronises with.

    • The distinction of whether the queue will be run on SMP Microkit is removed, following sddf queue functional correctness #511 (comment).

      In a later revision of this PR, the distinction is retained due to the overhead from stlr (~8% on cpu utilisation on Maaxboard under full load). Compiler fences, whose semantic are similar to the pancake implementation, have been introduced explicitly.

    • The net_queue_length function is removed because It is not used.

    Functional correctness of the modified queue does not include synchronisations induced by the queue.

These changes may have both functional correctness and performance implications that should be addressed before merging:

  • On the correctness side, on AArch64, the compiled program now will usually use the ldar instruction instead of the dmb ish instruction on existing platforms. Since the former is usually weaker than the latter in the Arm memory model, it might reveal under-synchronisation issues in the system, because the GenMC testing only cover correctness of the queue itself.
  • On the performance side, especially under the non-SMP setting, the atomic instruction may introduce overhead there should be no performance overhead from the current implementation under the non-SMP setting. Under the SMP setting, it is claimed that the dmb st barrier is faster than stlr for store-store ordering, which should be validated on our platforms.

Finally, under the non-SMP pancake configuration, the proposed solution introduces discrepancy in the queue implementation the latest proposed solution remains implementable and existing code does not need to be modified. The proposed solution does not change the number of FFIs required under the SMP pancake configuration.

Ivan-Velickovic and others added 3 commits October 9, 2025 16:19
@Ivan-Velickovic
genmc
ba29d7b 
Signed-off-by: Ivan Velickovic <i.velickovic@unsw.edu.au>
@KurtWu10
genmc: add README.md
4091a91 
Signed-off-by: Kurt Wu <rihui.wu@unsw.edu.au>
@KurtWu10
genmc: format code
91b8a27 
Signed-off-by: Kurt Wu <rihui.wu@unsw.edu.au>
@Ivan-Velickovic
minor fixes/moving things around
9f4d095 
Signed-off-by: Ivan Velickovic <i.velickovic@unsw.edu.au>
@Ivan-Velickovic
fix
9ba89e5 
Signed-off-by: Ivan Velickovic <i.velickovic@unsw.edu.au>
@Ivan-Velickovic
another fix
335359f 
Signed-off-by: Ivan Velickovic <i.velickovic@unsw.edu.au>
@Ivan-Velickovic
genmc.yaml: remove genmc branch builds
d16d473 
Signed-off-by: Ivan Velickovic <i.velickovic@unsw.edu.au>
@Ivan-Velickovic
Copy link
Collaborator

Ivan-Velickovic commented Oct 9, 2025
edited
Loading

Made some minor fixes to make CI pass.

terryzbai and others added 3 commits October 10, 2025 00:55
@terryzbai @KurtWu10
benchmark: fix config checks in idle
ace0a8b 
move benchmark config macro to the header file referenced
by both benchmark.c and idle.c

Signed-off-by: Terry Bai <terry.z.bai@gmail.com>
@KurtWu10
queue: use compiler fence under non-SMP
752de9b 
Signed-off-by: Kurt Wu <rihui.wu@unsw.edu.au>
@KurtWu10
ci: test SMP implementation
b3b954d 
Signed-off-by: Kurt Wu <rihui.wu@unsw.edu.au>
@Ivan-Velickovic Ivan-Velickovic mentioned this pull request Oct 17, 2025
Closed
@KurtWu10 KurtWu10 mentioned this pull request Nov 17, 2025
Merged
@Courtney3141 Courtney3141 mentioned this pull request Dec 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@KurtWu10 @Ivan-Velickovic @terryzbai