# Mensat

#### checking axiomatic specifications of memory models

**Emina Torlak · Mandana Vaziri · Julian Dolby** 

MIT SAT/SMT Summer School · June 16, 2011

## Introduction

#### memory model

- contract between programmer and programming environment
- specifies which writes can be seen by a read

| x = 0, y = 0 |        |  |
|--------------|--------|--|
| rI = x       | r2 = y |  |
| y = 1        | x = 1  |  |
| rl==r2==l?   |        |  |

# Introduction

#### memory model

- contract between programmer and programming environment
- specifies which writes can be seen by a read
- described (in)formally by a set of axioms and litmus tests



# Introduction

#### memory model

- contract between programmer and programming environment
- specifies which writes can be seen by a read
- described (in)formally by a set of axioms and litmus tests
- hard to design and reason about















# Specifying a litmus test

$$x = 0, y = 0$$

$$rI = x$$

$$y = I$$

$$r2 = y$$

$$x = I$$

- method calls
- field and array accesses
- assertions



#### @thread

}

```
public static void thread1() {
    final int r1 = x;
    y = 1;
    assert r1==1;
}
```

```
@thread
public static void thread2() {
    final int r2 = y;
    x = 1;
    assert r2==1;
}
```





first order logic ( $\forall$ ,  $\exists$ ,  $\land$ ,  $\lor$ ,  $\neg$ ) relational algebra (.,  $\cup$ ,  $\cap$ , /,  $\times$ ,  $\subseteq$ ) bitvector arithmetic (+, -, \*, /,)

▶ co, control flow

**•** to, thread order



first order logic ( $\forall$ ,  $\exists$ ,  $\land$ ,  $\lor$ ,  $\neg$ ) relational algebra (.,  $\cup$ ,  $\cap$ , /, ×,  $\subseteq$ ) bitvector arithmetic (+, -, \*, /,)

























- interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1. Execution order is total,
- 2. antisymmetric, and
- 3. transitive.
- 4. It respects the control flow and
- 5. thread order.
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

- interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2. antisymmetric, and
- 3. transitive.
- 4. It respects the control flow and
- 5. thread order.
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

Execution order is total,

- interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3. transitive.
- 4. It respects the control flow and
- 5. thread order.
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

Execution order is total, antisymmetric, and

- interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3.  $\forall$  i, j, k: A | (ord[i, j]  $\land$  ord[j, k])  $\Rightarrow$  ord[i, k]
- 4. It respects the control flow and
- 5. thread order.
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

Execution order is total, antisymmetric, and transitive.

- interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3.  $\forall$  i, j, k: A | (ord[i, j]  $\land$  ord[j, k])  $\Rightarrow$  ord[i, k]
- 4.  $\forall$  i, j: A | (t[i] = t[j]  $\land$  co<sup>+</sup>[i, j])  $\Rightarrow$  ord[i, j]
- 5. thread order.
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

Execution order is total, antisymmetric, and transitive. It respects the control flow and

#### - interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3.  $\forall$  i, j, k: A | (ord[i, j]  $\land$  ord[j, k])  $\Rightarrow$  ord[i, k]
- 4.  $\forall$  i, j: A | (t[i] = t[j]  $\land$  co<sup>+</sup>[i, j])  $\Rightarrow$  ord[i, j]
- 5.  $\forall$  i, j: A | (t[i]  $\neq$  t[j]  $\land$  to<sup>+</sup>[t[i], t[j]])  $\Rightarrow$  ord[i, j]
- 6. Reads cannot see out of order writes.
- 7. No write interferes between a read and the write seen by that read.

Execution order is total, antisymmetric, and transitive. It respects the control flow and thread order.

#### - interleaved semantics -

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3.  $\forall$  i, j, k: A | (ord[i, j]  $\land$  ord[j, k])  $\Rightarrow$  ord[i, k]
- 4.  $\forall$  i, j: A | (t[i] = t[j]  $\land$  co<sup>+</sup>[i, j])  $\Rightarrow$  ord[i, j]
- 5.  $\forall$  i, j: A | (t[i]  $\neq$  t[j]  $\land$  to<sup>+</sup>[t[i], t[j]])  $\Rightarrow$  ord[i, j]
- 6.  $\forall$  k: A  $\cap$  Read  $|\neg$  ord[k, W[k]]
- 7. No write interferes between a read and the write seen by that read.

- Execution order is total, antisymmetric, and
- transitive.
- It respects the control flow and
- thread order.
- Reads cannot see out of order writes.

#### - interleaved semantics

all statements appear to execute in a total order that agrees with the program text

- 1.  $\forall$  i, j: A | i  $\neq$  j  $\Rightarrow$  ord[i, j]  $\lor$  ord[j, i]
- 2.  $\forall$  i, j: A | ord[i, j]  $\Rightarrow \neg$ ord[j, i]
- 3.  $\forall$  i, j, k: A | (ord[i, j]  $\land$  ord[j, k])  $\Rightarrow$  ord[i, k]
- 4.  $\forall$  i, j: A | (t[i] = t[j]  $\land$  co<sup>+</sup>[i, j])  $\Rightarrow$  ord[i, j]
- 5.  $\forall$  i, j: A | (t[i]  $\neq$  t[j]  $\land$  to<sup>+</sup>[t[i], t[j]])  $\Rightarrow$  ord[i, j]
- 6.  $\forall$  k: A  $\cap$  Read  $|\neg$  ord[k, W[k]]
- 7. ∀ k: A ∩ Read, j: A ∩ Write | ¬ ( I[k] = I[i] ∧ ord[W[k], i] ∧ ord[i, k] )

- Execution order is total,
- antisymmetric, and
- transitive.
- It respects the control flow and
- thread order.
- Reads cannot see out of order writes.
- No write interferes between a read and the write seen by that read.

#### **Example: Java memory model**

- committing semantics

an execution is legal if it can be derived by committing and executing actions in a sequence of speculative executions

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  i: [1..k] |  $C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7. ∀ i: [1..k], y: C<sub>i</sub>, x: A<sub>i</sub> | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆ C<sub>i-1</sub>



| E <sub>1</sub> -∿                 | $\rightarrow$ E <sub>2</sub> $^{\sim}$ | ∽ E <sub>k</sub> -∿                                | → E      |
|-----------------------------------|----------------------------------------|----------------------------------------------------|----------|
| $A_1, W_1, V_1,$                  | $A_2,W_2,V_2,$                         | A <sub>k</sub> , W <sub>k</sub> , V <sub>k</sub> , | A, W, V, |
| l <sub>1</sub> , m <sub>1</sub> , | l <sub>2</sub> , m <sub>2</sub> ,      | l <sub>k</sub> , m <sub>k</sub> ,                  | l, m,    |
| <b>po</b> 1, <b>so</b> 1,         | <b>po</b> 2, <b>so</b> 2,              | po <sub>k</sub> , so <sub>k</sub> ,                | po, so,  |
| sw <sub>1</sub> , hb <sub>1</sub> | sw <sub>2</sub> , hb <sub>2</sub>      | sw <sub>k</sub> , hb <sub>k</sub>                  | sw, hb   |
#### – committing semantics

an execution is legal if it can be derived by committing and executing actions in a sequence of speculative executions

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7. ∀ i: [1..k], y:  $C_i$ , x:  $A_i$  | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆  $C_{i-1}$

#### initial execution: reads can only see writes that happen-before them



| E <sub>1</sub> -∿                 | $\rightarrow$ <b>E</b> <sub>2</sub> $\neg$ | ∿≻ E <sub>k</sub> -∿                               | <pre></pre> |
|-----------------------------------|--------------------------------------------|----------------------------------------------------|-------------|
| $A_1, W_1, V_1,$                  | $A_2,W_2,V_2,$                             | A <sub>k</sub> , W <sub>k</sub> , V <sub>k</sub> , | A, W, V,    |
| l <sub>1</sub> , m <sub>1</sub> , | l <sub>2</sub> , m <sub>2</sub> ,          | l <sub>k</sub> , m <sub>k</sub> ,                  | l, m,       |
| <b>po</b> 1, <b>so</b> 1,         | <b>po</b> 2, <b>so</b> 2,                  | po <sub>k</sub> , so <sub>k</sub> ,                | po, so,     |
| <b>sw</b> 1, <b>hb</b> 1          | sw <sub>2</sub> , hb <sub>2</sub>          | sw <sub>k</sub> , hb <sub>k</sub>                  | sw, hb      |

#### – committing semantics

an execution is legal if it can be derived by committing and executing actions in a sequence of speculative executions

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7. ∀ i: [1..k], y: C<sub>i</sub>, x: A<sub>i</sub> | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆ C<sub>i-1</sub>

#### initial execution: reads can only see writes that happen-before them



| <b>E</b> <sub>1</sub> -∿          | $\leftrightarrow$ E <sub>2</sub> $\neg$ | ↔ E <sub>k</sub> -∾                 | → E      |
|-----------------------------------|-----------------------------------------|-------------------------------------|----------|
| $A_1, W_1, V_1,$                  | $A_2,W_2,V_2,$                          | $A_k, W_k, V_k,$                    | A, W, V, |
| l <sub>1</sub> , m <sub>1</sub> , | l <sub>2</sub> , m <sub>2</sub> ,       | l <sub>k</sub> , m <sub>k</sub> ,   | l, m,    |
| <b>po</b> 1, <b>so</b> 1,         | <b>po</b> 2, <b>so</b> 2,               | po <sub>k</sub> , so <sub>k</sub> , | po, so,  |
| <b>sw</b> 1, <b>hb</b> 1          | sw <sub>2</sub> , hb <sub>2</sub>       | sw <sub>k</sub> , hb <sub>k</sub>   | sw, hb   |

#### **committing semantics**

an execution is legal if it can be derived by committing and executing actions in a sequence of speculative executions

- 1. ∀ i: [1..k] | C<sub>i</sub> ⊆ A<sub>i</sub>
- 2.  $\forall$  i: [1..k], r:  $C_i \cap \text{Read} \mid (\text{hb}[W[r], r] \Leftrightarrow$  $hb_i[W[r], r]) \land \neg hb_i[r, W[r]]$
- 3.  $\forall$  i:  $[1..k] \mid C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7.  $\forall$  i: [1..k], y: C<sub>i</sub>, x: A<sub>i</sub> | (y  $\subseteq$  Special  $\land$  $hb[x, y] \Rightarrow x \subseteq C_{i-1}$



С

| <b>⊑</b> 1 -∿                                   | ∧→ ⊑2 … ~√                                      | ···· <b>⊏</b> k <sup>-</sup> ··                    |         |
|-------------------------------------------------|-------------------------------------------------|----------------------------------------------------|---------|
| $A_1, W_1, V_1,$                                | $A_2, W_2, V_2,$                                | A <sub>k</sub> , W <sub>k</sub> , V <sub>k</sub> , | A, W, V |
| <b>l</b> <sub>1</sub> , <b>m</b> <sub>1</sub> , | I <sub>2</sub> , m <sub>2</sub> ,               | l <sub>k</sub> , m <sub>k</sub> ,                  | l, m,   |
| <b>po</b> 1, <b>so</b> 1,                       | <b>po</b> 2, <b>so</b> 2,                       | po <sub>k</sub> , so <sub>k</sub> ,                | po, so  |
| <b>sw</b> <sub>1</sub> , <b>hb</b> <sub>1</sub> | <b>sw</b> <sub>2</sub> , <b>hb</b> <sub>2</sub> | sw <sub>k</sub> , hb <sub>k</sub>                  | sw, hb  |

С

#### - committing semantics

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7. ∀ i: [1..k], y: C<sub>i</sub>, x: A<sub>i</sub> | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆ C<sub>i-1</sub>



| <b>E</b> 1 - \                              | ∧→ <b>Ľ</b> 2…⊸ | ^→ <b>E</b> k                     | -~~>               | E .     |
|---------------------------------------------|-----------------|-----------------------------------|--------------------|---------|
| $\mathbf{A}_1, \mathbf{W}_1, \mathbf{V}_1,$ | $A_2,W_2,V_2,$  | A <sub>k</sub> , W <sub>k</sub> , | V <sub>k</sub> , A | , W, V, |

| <b>I</b> <sub>1</sub> , <b>m</b> <sub>1</sub> , | l <sub>2</sub> , m <sub>2</sub> ,               | l <sub>k</sub> , m <sub>k</sub> ,   | <b>I</b> , m, |
|-------------------------------------------------|-------------------------------------------------|-------------------------------------|---------------|
| <b>po</b> 1, <b>so</b> 1,                       | <b>po</b> 2, <b>so</b> 2,                       | po <sub>k</sub> , so <sub>k</sub> , | po, so,       |
| <b>sw</b> <sub>1</sub> . hb <sub>1</sub>        | <b>sw</b> <sub>2</sub> , <b>hb</b> <sub>2</sub> | sw <sub>k</sub> , hb <sub>k</sub>   | sw. hb        |

#### – committing semantics

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>) ∩ Read | W<sub>i</sub>[r] ⊆ C<sub>i-1</sub>
- 7. ∀ i: [1..k], y:  $C_i$ , x:  $A_i$  | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆  $C_{i-1}$



#### - committing semantics

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>) ∩ Read | W<sub>i</sub>[r] ⊆ C<sub>i-1</sub>
- 7. ∀ i: [1..k], y: C<sub>i</sub>, x: A<sub>i</sub> | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆ C<sub>i-1</sub>



- committing semantics

- 1.  $\forall$  i: [1..k] |  $C_i \subseteq A_i$
- 2. ∀ i: [1..k], r: C<sub>i</sub> ∩ Read | (hb[W[r], r] ⇔ hb<sub>i</sub>[W[r], r]) ∧ ¬ hb<sub>i</sub>[r, W[r]]
- 3.  $\forall$  i:  $[1..k] | C_i \triangleleft V_i = C_i \triangleleft V$
- **4.**  $\forall$  **i**:  $[1..k] | C_{i-1} \triangleleft W_i = C_{i-1} \triangleleft W$
- 5.  $\forall$  i: [1..k], r: (A<sub>i</sub> \ C<sub>i</sub>)  $\cap$  Read | hb<sub>i</sub>[W<sub>i</sub>[r], r]
- 6.  $\forall$  i: [1..k], r: (C<sub>i</sub> \ C<sub>i-1</sub>)  $\cap$  Read | W<sub>i</sub>[r]  $\subseteq$  C<sub>i-1</sub>
- 7. ∀ i: [1..k], y:  $C_i$ , x:  $A_i$  | (y ⊆ Special ∧ hb[x, y]) ⇒ x ⊆  $C_{i-1}$



| <b>E</b> 1 -√                     | $\rightarrow$ E <sub>2</sub> $\sim$ | ∿≻… E <sub>k</sub> -∿∿              | → E      |
|-----------------------------------|-------------------------------------|-------------------------------------|----------|
| $A_1, W_1, V_1,$                  | $A_2,W_2,V_2,$                      | $A_k, W_k, V_k,$                    | A, W, V, |
| l <sub>1</sub> , m <sub>1</sub> , | l <sub>2</sub> , m <sub>2</sub> ,   | l <sub>k</sub> , m <sub>k</sub> ,   | l, m,    |
| <b>po</b> 1, <b>so</b> 1,         | <b>po</b> 2, <b>so</b> 2,           | po <sub>k</sub> , so <sub>k</sub> , | po, so,  |
| <b>sw</b> 1, <b>hb</b> 1          | sw <sub>2</sub> , hb <sub>2</sub>   | sw <sub>k</sub> , hb <sub>k</sub>   | sw, hb   |

### Witness of legality (model)





witness: an execution of the program that satisfies both the assertions and the memory model constraints.



1.  $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$  **SC** 2.  $\forall i, j: A \mid ord[i, j] \Rightarrow \neg ord[j, i]$ 3.  $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$ 4.  $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$ 5.  $\forall i, j: A \mid (t[i] \neq t[j] \land to^+[t[i], t[j]]) \Rightarrow ord[i, j]$ 6.  $\forall k: A \cap Read \mid \neg ord[k, W[k]]$ 7.  $\forall k: A \cap Read, j: A \cap Write \mid \neg (I[k] = I[j] \land ord[W[k], j] \land ord[j, k])$   $V[a_{01}] = 0$   $V[a_{02}] = 0$   $V[W[a_{11}]] = 1$   $V[W[a_{21}]] = 1$   $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$   $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$   $\forall i, j: A \mid (t[i] = t[j] \land co^{+}[i, j]) \Rightarrow ord[i, j]$  $\forall k: A \cap Read \mid \neg ord[k, W[k]]$ 

| × = 0,          | y = 0  |
|-----------------|--------|
| rl = x          | r2 = y |
| y = 1           | x = 1  |
| rl==1 && r2==1? |        |

1.  $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$  **SC** 2.  $\forall i, j: A \mid ord[i, j] \Rightarrow \neg ord[j, i]$ 3.  $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$ 4.  $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$ 5.  $\forall i, j: A \mid (t[i] \neq t[j] \land to^+[t[i], t[j]]) \Rightarrow ord[i, j]$ 6.  $\forall k: A \cap Read \mid \neg ord[k, W[k]]$ 7.  $\forall k: A \cap Read, j: A \cap Write \mid \neg (I[k] = I[j] \land ord[W[k], j] \land ord[j, k])$   $V[a_{01}] = 0$  $V[a_{02}] = 0$  a<sub>ij</sub> represents the action (if any) performed by the j<sup>th</sup> statement of the i<sup>th</sup> thread

 $V[W[a_{11}]] = 1$  $V[W[a_{21}]] = 1$ 

 $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$   $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$   $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$  $\forall k: A ∩ Read \mid \neg ord[k, W[k]]$ 



1.  $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$  **SC** 2.  $\forall i, j: A \mid ord[i, j] \Rightarrow \neg ord[j, i]$ 3.  $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$ 4.  $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$ 5.  $\forall i, j: A \mid (t[i] \neq t[j] \land to^+[t[i], t[j]]) \Rightarrow ord[i, j]$ 6.  $\forall k: A \cap Read \mid \neg ord[k, W[k]]$ 7.  $\forall k: A \cap Read, j: A \cap Write \mid \neg (I[k] = I[j] \land ord[W[k], j] \land ord[j, k])$   $V[a_{01}] = 0$  $V[a_{02}] = 0$  $V[W[a_{11}]] = 1$  $V[W[a_{21}]] = 1$ 

 $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$   $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$   $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$   $\forall k: A \cap Read \mid \neg ord[k, W[k]]$ 



| 1. | $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i] \qquad \textbf{SC}$ |
|----|-----------------------------------------------------------------------------------------|
| 2. | ∀ i, j: A   ord[i, j] ⇒ ¬ord[j, i]                                                      |
| 3. | $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$             |
| 4. | $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$             |
| 5. | $\forall i, j: A \mid (t[i] \neq t[j] \land to^{+}[t[i], t[j]]) \Rightarrow ord[i, j]$  |
| 6. | ∀ k: A ∩ Read   ¬ ord[k, W[k]]                                                          |
| 7. | ∀ k: A ∩ Read, j: A ∩ Write                                                             |
|    | ¬ ( l[k] = l[j] ∧ ord[W[k], j] ∧ ord[j, k] )                                            |
|    |                                                                                         |

| $V[a_{01}] = 0$                                                              |
|------------------------------------------------------------------------------|
| $V[a_{02}] = 0$                                                              |
|                                                                              |
| $V[W[a_{11}]] = 1$                                                           |
| $V[W[a_{21}]] = 1$                                                           |
|                                                                              |
| $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$         |
| $\forall$ i, j, k: A I (ord[i, j] $\land$ ord[j, k]) $\Rightarrow$ ord[i, k] |
| $\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$  |
| $\forall$ k: A $\cap$ Read I $\neg$ ord[k, W[k]]                             |
|                                                                              |

| x = 1, y = 0 $r  = x$ $r2 = y$ $y = 1$ $r1 ==1$ & r2 = 1 $r1 ==1$ & r2 = 1?                                                                                                                                                                                                                              | $V[a_{01}] = 0$ $V[a_{02}] = 0$ $V[W[a_{11}]] = 1$ $V[W[a_{21}]] = 1$ $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$                               |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1. $\forall$ i, j: A   i $\neq$ j $\Rightarrow$ ord[i, j] $\lor$ ord[j, i] <b>SC</b>                                                                                                                                                                                                                     | $\forall$ i, j, k: A   (ord[i, j] $\land$ ord[j, k]) $\Rightarrow$ ord[i, k]<br>$\forall$ i, i: A   (t[i] = t[i] $\land$ co <sup>+</sup> [i, i]) $\Rightarrow$ ord[i, i] |
| 2. $\forall$ i, j: A   ord[i, j] $\Rightarrow \neg$ ord[j, l]<br>3. $\forall$ i, j, k: A   (ord[i, j] $\land$ ord[j, k]) $\Rightarrow$ ord[i, k]                                                                                                                                                         | ∀ k: A ∩ Read I ¬ ord[k, W[k]]                                                                                                                                           |
| <ul> <li>4. ∀ I, J: A   (t[I] = t[J] ∧ CO<sup>+</sup>[I, J]) ⇒ Ord[I, J]</li> <li>5. ∀ i, j: A   (t[i] ≠ t[j] ∧ to<sup>+</sup>[t[i], t[j]]) ⇒ Ord[i, j]</li> <li>6. ∀ k: A ∩ Read   ¬ ord[k, W[k]]</li> <li>7. ∀ k: A ∩ Read, j: A ∩ Write  <br/>¬ ( I[k] = I[j] ∧ Ord[W[k], j] ∧ Ord[j, k] )</li> </ul> | minimal core: an unsatisfiable<br>subset of the program and<br>memory model constraints that<br>becomes satisfiable if one of its                                        |

members is removed

| x = 0, y = 0a01: write(x, 0) $r  = x$ $r2 = y$ $y =  $ $x =  $ $r2==1?$ a11: read(x, 0)a12: write(y, 1)a21: read(y, 1)a22: write(x, 1)                                                                                                                                                                   | $V[a_{01}] = 0$<br>$V[a_{02}] = 0$<br>$V[W[a_{11}]] = 1$<br>$V[W[a_{21}]] = 1$<br>$\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$                                                        |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1. $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$ <b>SC</b><br>2. $\forall i, j: A \mid ord[i, j] \Rightarrow \neg ord[j, i]$<br>3. $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$                                                                    | $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$<br>$\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$<br>$\forall k: A \cap Read \mid \neg ord[k, W[k]]$ |
| <ul> <li>4. ∀ i, j: A   (l[i] = l[j] ∧ co<sup>+</sup>[i, j]) ⇒ ord[i, j]</li> <li>5. ∀ i, j: A   (t[i] ≠ t[j] ∧ to<sup>+</sup>[t[i], t[j]]) ⇒ ord[i, j]</li> <li>6. ∀ k: A ∩ Read   ¬ ord[k, W[k]]</li> <li>7. ∀ k: A ∩ Read, j: A ∩ Write  <br/>¬ ( l[k] = l[j] ∧ ord[W[k], j] ∧ ord[j, k] )</li> </ul> | minimal core: an unsatisfiable<br>subset of the program and<br>memory model constraints that<br>becomes satisfiable if one of its                                                                             |

members is removed

| x = 0, y = 0a01: write(x, 0) $r  = x$ $r2 = y$ $y = 1$ $x = 1$ $r  == 1$ && $r2 == 1$ ?                                                                                                                                               | $V[a_{01}] = 0$<br>$V[a_{02}] = 0$<br>$V[W[a_{11}]] = 1$<br>$V[W[a_{21}]] = 1$<br>$\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$                                                        |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1. $\forall i, j: A \mid i \neq j \Rightarrow ord[i, j] \lor ord[j, i]$ <b>SC</b><br>2. $\forall i, j: A \mid ord[i, j] \Rightarrow \neg ord[j, i]$<br>3. $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$ | $\forall i, j, k: A \mid (ord[i, j] \land ord[j, k]) \Rightarrow ord[i, k]$<br>$\forall i, j: A \mid (t[i] = t[j] \land co^+[i, j]) \Rightarrow ord[i, j]$<br>$\forall k: A \cap Read \mid \neg ord[k, W[k]]$ |
| <ul> <li>5. ∀ i, j: A   (t[i] ≠ t[j] ∧ to+[t[i], t[j]]) ⇒ ord[i, j]</li> <li>6. ∀ k: A ∩ Read   ¬ ord[k, W[k]]</li> <li>7. ∀ k: A ∩ Read, j: A ∩ Write  <br/>¬ ( I[k] = I[j] ∧ ord[W[k], j] ∧ ord[j, k] )</li> </ul>                  | minimal core: an unsatisfiable<br>subset of the program and<br>memory model constraints that<br>becomes satisfiable if one of its                                                                             |

members is removed

















```
public class Test1 {
    static int x = 0;
    static int y = 0;
```

```
@thread
public static void thread1() {
    final int r1 = x;
    if (r1 != 0)
        y = r1;
    else
        y = 1;
    assert r1==1;
}
```

```
@thread
public static void thread2() {
    final int r2 = y;
    x = 1;
    assert r2==1;
}
```

}

finitize P and convert it to an intermediate form

# I(P)

```
public class Test1 {
  static int x = 0;
  static int y = 0;
  @thread
  public static void thread1() {
     final int r1 = x;
      if (r1 != 0)
         y = r1;
      else
         y = 1;
      assert r1 == 1;
  @thread
  public static void thread2() {
     final int r^2 = y;
```

```
x = 1;
assert r2==1;
```



```
public class Test1 {
  static int x = 0;
  static int y = 0;
  @thread
  public static void thread1() {
     final int r1 = x;
      if (r1 != 0)
         y = r1;
      else
         y = 1;
      assert r1 == 1;
  @thread
  public static void thread2() {
     final int r^2 = y;
      x = 1;
```

assert r2==1;

}



```
public class Test1 {
  static int x = 0;
  static int y = 0;
  @thread
  public static void thread1() {
     final int r1 = x;
      if (r1 != 0)
         y = r1;
      else
         y = 1;
      assert r1 == 1;
  @thread
  public static void thread2() {
     final int r^2 = y;
      x = 1;
      assert r2==1;
```

}



```
public class Test1 {
  static int x = 0;
  static int y = 0;
  @thread
  public static void thread1() {
      final int r1 = x;
      if (r1 != 0)
         y = r1;
      else
         y = 1;
      assert r1 == 1;
  ]
  @thread
  public static void thread2() {
      final int r^2 = y;
      x = 1;
```

```
assert r2==1;
```

}







| S  | Loc | Val | Guard |
|----|-----|-----|-------|
| 00 |     |     |       |
| 01 |     |     |       |
| 02 |     |     |       |
| 03 |     |     |       |
| 10 |     |     |       |
| 11 |     |     |       |
| 12 |     |     |       |
| 13 |     |     |       |
| 14 |     |     |       |
| 15 |     |     |       |
| 16 |     |     |       |
| 20 |     |     |       |
| 21 |     |     |       |
| 22 |     |     |       |
| 23 |     |     |       |
| 24 |     |     |       |



maps reads, writes, locks, and unlocks to relations representing locations that are accessed

| S  | Loc | Val | Guard |
|----|-----|-----|-------|
| 00 |     |     |       |
| 01 | x   |     |       |
| 02 | y   |     |       |
| 03 |     |     |       |
| 10 |     |     |       |
| 11 | x   |     |       |
| 12 |     |     |       |
| 13 | y   |     |       |
| 14 | y   |     |       |
| 15 |     |     |       |
| 16 |     |     |       |
| 20 |     |     |       |
| 21 | y y |     |       |
| 22 | X   |     |       |
| 23 |     |     |       |
| 24 |     |     |       |

maps reads, writes, locks, and unlocks to relations representing locations that are accessed





maps writes and asserts to relational encodings of the values written or asserted

| S  | Loc | Val                | Guard |
|----|-----|--------------------|-------|
| 00 |     |                    |       |
| 01 | X   | Bits(0)            |       |
| 02 | У   | Bits(0)            |       |
| 03 |     |                    |       |
| 10 |     |                    |       |
| 11 | X   |                    |       |
| 12 |     |                    |       |
| 13 | У   | r1                 |       |
| 14 | У   | Bits(1)            |       |
| 15 |     | <b>r1</b> =Bits(1) |       |
| 16 |     |                    |       |
| 20 |     |                    |       |
| 21 | У   |                    |       |
| 22 | x   | Bits(1)            |       |
| 23 |     | <b>r2</b> =Bits(1) |       |
| 24 |     |                    |       |



maps writes and asserts to relational encodings of the values written or asserted



#### maps statements to formulas that encode their guards



| S  | Loc | Val                | Guard              |
|----|-----|--------------------|--------------------|
| 00 |     |                    | Т                  |
| 01 | x   | Bits(0)            | Т                  |
| 02 | y   | Bits(0)            | Т                  |
| 03 |     |                    | Т                  |
| 10 |     |                    | Т                  |
| 11 | x   |                    | Т                  |
| 12 |     |                    | Т                  |
| 13 | y   | r1                 | <i>r1</i> ≠Bits(0) |
| 14 | y   | Bits(1)            | <b>r1</b> =Bits(0) |
| 15 |     | <i>r1</i> =Bits(1) | Т                  |
| 16 |     |                    | Т                  |
| 20 |     |                    | Т                  |
| 21 | y   |                    | Т                  |
| 22 | x   | Bits(1)            | Т                  |
| 23 |     | <b>r2</b> =Bits(1) | Т                  |
| 24 |     |                    | Т                  |



#### **Constraint assembly**



#### **Constraint assembly**



 $\begin{array}{l} F(R(P), E) \land \\ F_{\alpha}(R(P), E) \land \\ \land \\ \land_{1 \leq i \leq k} F(R(P), E_i) \land \\ M(E, E_1, \dots, E_k) \end{array}$


The witness execution E respects the sequential semantics of P

 $\begin{array}{l} F(R(P), E) \land \\ F_{\alpha}(R(P), E) \land \\ \land_{1 \leq i \leq k} F(R(P), E_i) \land \\ M(E, E_1, \dots, E_k) \end{array}$ 









 $F(R(P), E) \land$   $F_{\alpha}(R(P), E) \land$   $\land_{1 \le i \le k} F(R(P), E_i) \land$   $M(E, E_1, \dots, E_k)$ 

| S  | Loc | Val                | Guard              |
|----|-----|--------------------|--------------------|
| 00 |     |                    | Т                  |
| 01 | X   | Bits(0)            | Т                  |
| 02 | У   | Bits(0)            | Т                  |
| 03 |     |                    | Т                  |
| 10 |     |                    | Т                  |
| 11 | x   |                    | Т                  |
| 12 |     |                    | Т                  |
| 13 | У   | r1                 | <i>r1</i> ≠Bits(0) |
| 14 | y   | Bits(1)            | <b>r1</b> =Bits(0) |
| 15 |     | <b>r1</b> =Bits(1) | Т                  |
| 16 |     |                    | Т                  |
| 20 |     |                    | Т                  |
| 21 | У   |                    | Т                  |
| 22 | x   | Bits(1)            | Т                  |
| 23 |     | <b>r2</b> =Bits(1) | Т                  |
| 24 |     |                    | Т                  |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors

F(R(P), E)  $F_{\alpha}(R(P), E) \land$   $\land_{1 \le i \le k} F(R(P), E_i) \land$   $M(E, E_1, \dots, E_k)$ 

|                 | S   | Loc | Val                | Guard              |             |
|-----------------|-----|-----|--------------------|--------------------|-------------|
| 00 start        |     |     |                    | Т                  | <b>a</b> 00 |
| 01 write(x, 0)  |     | X   | Bits(0)            | Т                  | <b>a</b> 01 |
| 02 write(y, 0)  |     | У   | Bits(0)            | Т                  | <b>a</b> 02 |
| 03 end          |     |     |                    | Т                  | <b>a</b> 03 |
| 10 start        |     |     |                    | Т                  | <b>a</b> 10 |
| 11 r1=read(x)   |     | X   |                    | Т                  | <b>a</b> 11 |
| 12 branch(r1!   | =0) |     |                    | Т                  |             |
| 13 write(y, r1) |     | У   | r1                 | <i>r1</i> ≠Bits(0) | <b>a</b> 13 |
| 14 write(y, 1)  |     | У   | Bits(1)            | <b>r1</b> =Bits(0) | <b>a</b> 14 |
| 15 assert(r1=   | =1) |     | <i>r1</i> =Bits(1) | Т                  |             |
| 16 end          |     |     |                    | Т                  | <b>a</b> 16 |
| 20 start        |     |     |                    | Т                  | <b>a</b> 20 |
| 21 r2=read(y)   |     | У   |                    | Т                  | <b>a</b> 21 |
| 22 write(x, 1)  |     | X   | Bits(1)            | Т                  | <b>a</b> 22 |
| 23 assert(r2=   | =1) |     | <b>r2</b> =Bits(1) | Т                  |             |
| 24 end          |     |     |                    | Т                  | <b>a</b> 24 |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors

 $F(R(P), E) \land$   $F_{\alpha}(R(P), E) \land$   $\land_{1 \leq i \leq k} F(R(P), E_i) \land$ 

 $M(E, E_1, ..., E_k)$ 

relational variable  $a_{ij}$ represents the action performed if E executes the statement ij

|                          | S     | Loc         | Val                  | Guard              |             |
|--------------------------|-------|-------------|----------------------|--------------------|-------------|
| 00 start                 |       |             |                      | Т                  | <b>a</b> 00 |
| 01 write(x,              | 0)    | X           | Bits(0)              | Т                  | <b>a</b> 01 |
| 02 write(y, 0            | D)    | У           | Bits(0)              | Т                  | <b>a</b> 02 |
| 03 end                   |       |             |                      | Т                  | <b>a</b> 03 |
| 10 start                 |       |             | V[[//[a11]]          | Т                  | <b>a</b> 10 |
| 11 r1=read               | (X)   | X           | • [•• [ɑ / /]]       | Т                  | <b>a</b> 11 |
| 12 branch(r              | 1!=0) |             |                      | Т                  |             |
| 13 write(y, I            | r1)   | У           | r1                   | <b>r1</b> ≠Bits(0) | <b>a</b> 13 |
| 14 write(y, <sup>-</sup> | 1)    | У           | Bits(1)              | <b>r1</b> =Bits(0) | <b>a</b> 14 |
| 15 assert(r1             | l==1) |             | <b>r1</b> =Bits(1)   | Т                  |             |
| 16 end                   |       |             |                      | Т                  | <b>a</b> 16 |
| 20 start                 |       |             |                      | Т                  | <b>a</b> 20 |
| 21 r2=read               | (y)   | У           |                      | Т                  | <b>a</b> 21 |
| 22 write(x,              | 1)    | X           | Bits(1)              | Т                  | <b>a</b> 22 |
| 23 assert(r2             | 2==1) |             | <b>r2</b> =Bits(1)   | Т                  |             |
| 24 end                   |       |             |                      | Т                  | <b>a</b> 24 |
|                          |       | <i>V</i> [И | /[a <sub>21</sub> ]] |                    |             |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors

F(R(P), E)  $F_{\alpha}(R(P), E) \land$   $\land_{1 \le i \le k} F(R(P), E_i) \land$   $M(E, E_1, \dots, E_k)$ 



 $F(R(P), E) \land$   $V[W[a_{11}]]=Bits(1) \land$   $V[W[a_{21}]]=Bits(1) \land$   $\land_{1 \le i \le k} F(R(P), E_i) \land$   $M(E, E_1, ..., E_k)$ 

|               | S     | Loc         | Val                  | Guard              |                        |
|---------------|-------|-------------|----------------------|--------------------|------------------------|
| 00 start      |       |             |                      | Т                  | <b>a</b> 00            |
| 01 write(x, 0 | )     | X           | Bits(0)              | Т                  | <b>a</b> 01            |
| 02 write(y, 0 | )     | У           | Bits(0)              | Т                  | <b>a</b> 02            |
| 03 end        |       |             |                      | Т                  | <b>a</b> 03            |
| 10 start      |       |             | V[W[a11]]            | Т                  | <b>a</b> 10            |
| 11 r1=read()  | x)    | X           | • [•• [ɑ / /]]       | Т                  | <b>a</b> 11            |
| 12 branch(r   | l!=0) |             |                      | Т                  |                        |
| 13 write(y, r | 1)    | У           | r1                   | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1 | )     | У           | Bits(1)              | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1  | ==1)  |             | <b>r1</b> =Bits(1)   | Т                  |                        |
| 16 end        |       |             |                      | Т                  | <b>a</b> 16            |
| 20 start      |       |             |                      | Т                  | <b>a</b> 20            |
| 21 r2=read(   | y)    | У           |                      | Т                  | <b>a</b> 21            |
| 22 write(x, 1 | )     | X           | Bits(1)              | Т                  | <b>a</b> 22            |
| 23 assert(r2  | ==1)  |             | <b>r2</b> =Bits(1)   | Т                  |                        |
| 24 end        |       |             |                      | Т                  | <b>a</b> <sub>24</sub> |
|               |       | <i>V</i> [И | /[a <sub>21</sub> ]] |                    |                        |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- m maps locks/unlocks to monitors

 $F(R(P), E) \land$   $V[W[a_{11}]] = Bits(1) \land$   $V[W[a_{21}]] = Bits(1) \land$   $\land_{1 \le i \le k} F(R(P), E_i) \land$   $M(E, E_1, \dots, E_k)$ 

|                          | S            | Loc         | Val                  | Guard              |                        |
|--------------------------|--------------|-------------|----------------------|--------------------|------------------------|
| 00 start                 |              |             |                      | Т                  | <b>a</b> 00            |
| 01 write(x,              | 0)           | X           | Bits(0)              | Т                  | <b>a</b> 01            |
| 02 write(y, 0            | D)           | У           | Bits(0)              | Т                  | <b>a</b> 02            |
| 03 end                   |              |             |                      | Т                  | <b>a</b> 03            |
| 10 start                 |              |             | V[W[a11]]            | Т                  | <b>a</b> 10            |
| 11 r1=read               | (X)          | X           | v [v v [a / /]]      | Т                  | <b>a</b> 11            |
| 12 branch(r              | 1!=0)        |             |                      | Т                  |                        |
| 13 write(y, I            | r <b>1</b> ) | У           | r1                   | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, <sup>-</sup> | 1)           | У           | Bits(1)              | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1             | l==1)        |             | <b>r1</b> =Bits(1)   | Т                  |                        |
| 16 end                   |              |             |                      | Т                  | <b>a</b> 16            |
| 20 start                 |              |             |                      | Т                  | <b>a</b> 20            |
| 21 r2=read               | (y)          | У           |                      | Т                  | <b>a</b> 21            |
| <b>22 write(x,</b>       | 1)           | X           | Bits(1)              | Т                  | <b>a</b> 22            |
| 23 assert(r2             | 2==1)        |             | <b>r2</b> =Bits(1)   | Т                  |                        |
| 24 end                   |              |             |                      | Т                  | <b>a</b> <sub>24</sub> |
|                          |              | <i>V</i> [И | /[a <sub>21</sub> ]] |                    |                        |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors

 $\bigwedge_{s \in P} F(s, R(P), E) \land$   $A = a_{00} \cup \ldots \cup a_{24} \land$   $\bigvee[W[a_{11}]] = Bits(1) \land$   $\bigvee[W[a_{21}]] = Bits(1) \land$   $\bigwedge_{1 \leq i \leq k} F(R(P), E_i) \land$   $M(E, E_1, \ldots, E_k)$ 

|                                 | S            | Loc         | Val                  | Guard              |             |
|---------------------------------|--------------|-------------|----------------------|--------------------|-------------|
| 00 start                        |              |             |                      | Т                  | $a_{00}$    |
| 01 write(x,                     | 0)           | X           | Bits(0)              | Т                  | <b>a</b> 01 |
| 02 write(y, (                   | <b>)</b> )   | У           | Bits(0)              | Т                  | <b>a</b> 02 |
| 03 end                          |              |             |                      | Т                  | <b>a</b> 03 |
| 10 start                        |              |             | V[[/[a11]]           | Т                  | <b>a</b> 10 |
| 11 r1=read                      | (X)          | X           | v [vv[a//]]          | Т                  | <b>a</b> 11 |
| 12 branch(r                     | 1!=0)        |             |                      | Т                  |             |
| 13 write(y, ı                   | 1)           | У           | r1                   | <b>r1</b> ≠Bits(0) | <b>a</b> 13 |
| 14 write(y, 1                   | I)           | У           | Bits(1)              | <b>r1</b> =Bits(0) | <b>a</b> 14 |
| 15 assert(r1                    | ==1)         |             | <i>r1</i> =Bits(1)   | Т                  |             |
| 16 end                          |              |             |                      | Т                  | <b>a</b> 16 |
| 20 start                        |              |             |                      | Т                  | <b>a</b> 20 |
| 21 r2=read                      | ( <b>y</b> ) | У           |                      | Т                  | <b>a</b> 21 |
| <b>22 write(x,</b> <sup>-</sup> | 1)           | X           | Bits(1)              | Т                  | <b>a</b> 22 |
| 23 assert(r2                    | 2==1)        |             | <b>r2</b> =Bits(1)   | Т                  |             |
| 24 end                          |              |             |                      | Т                  | <b>a</b> 24 |
|                                 |              | <i>V</i> [И | /[a <sub>21</sub> ]] |                    |             |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors
- → 0 or 1 action performed
- action performed iff the guard is true
- no other statement performs the same action
- action location is valid
- action value is valid

| S                     | Loc | Val                          | Guard              |                        |
|-----------------------|-----|------------------------------|--------------------|------------------------|
| 00 start              |     |                              | Т                  | <b>a</b> 00            |
| 01 write(x, 0)        | Х   | Bits(0)                      | $\top$             | <b>a</b> 01            |
| <b>02 write(y, 0)</b> | У   | Bits(0)                      | $\top$             | <b>a</b> 02            |
| 03 end                |     |                              | Т                  | <b>a</b> 03            |
| 10 start              |     | \/[\/[a <sub>11</sub> ]]     | T                  | <b>a</b> 10            |
| 11 r1=read(x)         | X   | v [v v [a / / ]]             | Т                  | <b>a</b> 11            |
| 12 branch(r1!=0)      |     |                              | Т                  |                        |
| 13 write(y, r1)       | У   | r1                           | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1)        | У   | Bits(1)                      | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1==1)      |     | <i>r1</i> =Bits(1)           | $\top$             |                        |
| 16 end                |     |                              | $\top$             | <b>a</b> 16            |
| 20 start              |     |                              | $\top$             | <b>a</b> 20            |
| 21 r2=read(y)         | У   |                              | $\top$             | <b>a</b> <sub>21</sub> |
| 22 write(x, 1)        | X   | Bits(1)                      | $\top$             | <b>a</b> 22            |
| 23 assert(r2==1)      |     | <b>r2</b> =Bits(1)           | $\top$             |                        |
| <b>24 end</b>         |     |                              | Т                  | <b>a</b> 24            |
|                       | V[N | /[ <b>a</b> <sub>21</sub> ]] |                    |                        |

- A set of all executed actions
- W maps reads to seen writes
- V maps writes to written values
- / maps writes to written values
- *m* maps locks/unlocks to monitors

→ 0 or 1 action performed

- action performed iff the guard is true
- no other statement performs the same action
- Action location is valid
- action value is valid

 $|\mathbf{a}_{13}| \leq \mathbf{1} \wedge$ 

guard is true

no other statement

Action location is valid

Action value is valid

action performed iff the

| S                     | Loc     | Val                | Guard              |                        |
|-----------------------|---------|--------------------|--------------------|------------------------|
| 00 start              |         |                    | Т                  | <b>a</b> 00            |
| 01 write(x, 0)        | Х       | Bits(0)            | $\top$             | <b>a</b> 01            |
| <b>02 write(y, 0)</b> | У       | Bits(0)            | $\top$             | <b>a</b> 02            |
| 03 end                |         |                    | Т                  | <b>a</b> 03            |
| 10 start              |         | V[[/[a11]]         | T                  | <b>a</b> 10            |
| 11 r1=read(x)         | X       |                    | Т                  | <b>a</b> 11            |
| 12 branch(r1!=0)      |         |                    | Т                  |                        |
| 13 write(y, r1)       | У       | r1                 | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1)        | У       | Bits(1)            | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1==1)      |         | <b>r1</b> =Bits(1) | $\top$             |                        |
| 16 end                |         |                    | $\top$             | <b>a</b> 16            |
| 20 start              |         |                    | $\top$             | <b>a</b> 20            |
| 21 r2=read(y)         | У       |                    | $\top$             | <b>a</b> <sub>21</sub> |
| 22 write(x, 1)        | X       | Bits(1)            | $\top$             | <b>a</b> 22            |
| 23 assert(r2==1)      |         | <b>r2</b> =Bits(1) | $\top$             |                        |
| <b>24 end</b>         |         |                    | Т                  | <b>a</b> 24            |
|                       | VГИ     | /[a21]]            |                    |                        |
|                       | - L · · |                    |                    |                        |

- set of all executed actions Α
- maps reads to seen writes W
- maps writes to written values V
- maps writes to written values
- maps locks/unlocks to monitors m

 $\wedge_{s\in P} F(s, R(P), E) \wedge$  $A = a_{00} \cup ... \cup a_{24} \land$  $V[W[a_{11}]] = Bits(1) \land$ performs the same action *V*[*W*[*a*<sub>21</sub>]]=Bits(1) ∧  $\wedge_{1 \leq i \leq k} F(R(P), E_i) \wedge$  $M(E, E_1, ..., E_k)$ 

 $|\mathbf{a}_{13}| \leq \mathbf{1} \wedge$ 

(|a<sub>13</sub>| = 1 ⇔

no other statement

action value is valid

| S                     | Loc | Val                | Guard              |                        |
|-----------------------|-----|--------------------|--------------------|------------------------|
| 00 start              |     |                    | $\top$             | <b>a</b> 00            |
| 01 write(x, 0)        | X   | Bits(0)            | Т                  | <b>a</b> 01            |
| <b>02 write(y, 0)</b> | У   | Bits(0)            | Т                  | <b>a</b> 02            |
| 03 end                |     |                    | Т                  | <b>a</b> 03            |
| 10 start              |     | V[[//[a11]]        | Т                  | <b>a</b> 10            |
| 11 r1=read(x)         | X   |                    | Т                  | <b>a</b> <sub>11</sub> |
| 12 branch(r1!=0)      |     |                    | Т                  |                        |
| 13 write(y, r1)       | У   | r1                 | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1)        | У   | Bits(1)            | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1==1)      |     | <b>r1</b> =Bits(1) | Т                  |                        |
| 16 end                |     |                    | Т                  | <b>a</b> 16            |
| 20 start              |     |                    | Т                  | <b>a</b> 20            |
| 21 r2=read(y)         | У   |                    | Т                  | <b>a</b> <sub>21</sub> |
| 22 write(x, 1)        | X   | Bits(1)            | Т                  | <b>a</b> 22            |
| 23 assert(r2==1)      |     | <b>r2</b> =Bits(1) | $\top$             |                        |
| <b>24 end</b>         |     |                    | Т                  | <b>a</b> 24            |
|                       | VГИ | /[a21]]            |                    |                        |
|                       |     |                    |                    |                        |

- set of all executed actions Α
- maps reads to seen writes W
- maps writes to written values V
- maps writes to written values
- maps locks/unlocks to monitors m

 $\wedge_{s\in P} F(s, R(P), E) \wedge$  $A = a_{00} \cup \ldots \cup a_{24} \land$ V[W[a<sub>11</sub>]] ≠ Bits(0)) ∧  $V[W[a_{11}]] = Bits(1) \land$ performs the same action *V*[*W*[*a*<sub>21</sub>]]=Bits(1) ∧ Action location is valid  $\wedge_{1 \leq i \leq k} F(R(P), E_i) \wedge$  $M(E, E_1, ..., E_k)$ 

 $|\mathbf{a}_{13}| \leq \mathbf{1} \wedge$ 

(|a<sub>13</sub>| = 1 ⇔

 $(\mathbf{a}_{13} \cap \mathbf{a}_{00}) = \emptyset \land \ldots \land$ 

 $(\mathbf{a}_{13} \cap \mathbf{a}_{24}) = \emptyset \land$ 

action value is valid

| S                     | Loc | Val                | Guard              |             |
|-----------------------|-----|--------------------|--------------------|-------------|
| 00 start              |     |                    | T                  | <b>a</b> 00 |
| 01 write(x, 0)        | Х   | Bits(0)            | $\top$             | <b>a</b> 01 |
| <b>02 write(y, 0)</b> | У   | Bits(0)            | $\top$             | <b>a</b> 02 |
| 03 end                |     |                    | Т                  | <b>a</b> 03 |
| 10 start              |     | V[W[a11]]          | Т                  | <b>a</b> 10 |
| 11 r1=read(x)         | X   |                    | Т                  | <b>a</b> 11 |
| 12 branch(r1!=0)      |     |                    | Т                  |             |
| 13 write(y, r1)       | У   | r1                 | <b>r1</b> ≠Bits(0) | <b>a</b> 13 |
| 14 write(y, 1)        | У   | Bits(1)            | <b>r1</b> =Bits(0) | <b>a</b> 14 |
| 15 assert(r1==1)      |     | <b>r1</b> =Bits(1) | $\top$             |             |
| 16 end                |     |                    | $\top$             | <b>a</b> 16 |
| 20 start              |     |                    | $\top$             | <b>a</b> 20 |
| 21 r2=read(y)         | У   |                    | $\top$             | <b>a</b> 21 |
| 22 write(x, 1)        | X   | Bits(1)            | $\top$             | <b>a</b> 22 |
| 23 assert(r2==1)      |     | <b>r2</b> =Bits(1) | $\top$             |             |
| <b>24 end</b>         |     |                    | Т                  | <b>a</b> 24 |
|                       | VГИ | /[a21]]            |                    |             |
|                       |     |                    |                    |             |

- set of all executed actions Α
- maps reads to seen writes W
- maps writes to written values V
- maps writes to written values
- maps locks/unlocks to monitors m

 $\wedge_{s\in P} F(s, R(P), E) \wedge$  $A = a_{00} \cup \ldots \cup a_{24} \land$ V[W[a<sub>11</sub>]] ≠ Bits(0)) ∧  $V[W[a_{11}]] = Bits(1) \land$ *V*[*W*[*a*<sub>21</sub>]]=Bits(1) ∧ Action location is valid  $\wedge_{1 \leq i \leq k} F(R(P), E_i) \wedge$  $M(E, E_1, ..., E_k)$ 

 $|\mathbf{a}_{13}| \leq \mathbf{1} \wedge$ 

(|a<sub>13</sub>| = 1 ⇔

 $I[a_{13}] = y \land$ 

 $(\mathbf{a}_{13} \cap \mathbf{a}_{24}) = \emptyset \land$ 

Action value is valid

| S                     | Loc   | Val                | Guard              |                        |
|-----------------------|-------|--------------------|--------------------|------------------------|
| 00 start              |       |                    | Т                  | <b>a</b> 00            |
| 01 write(x, 0)        | Х     | Bits(0)            | $\top$             | <b>a</b> 01            |
| <b>02 write(y, 0)</b> | У     | Bits(0)            | $\top$             | <b>a</b> 02            |
| 03 end                |       |                    | Т                  | <b>a</b> 03            |
| 10 start              |       | V[[/[a11]]         | Т                  | <b>a</b> 10            |
| 11 r1=read(x)         | X     | v [v v [a / /]]    | Т                  | <b>a</b> 11            |
| 12 branch(r1!=0)      |       |                    | Т                  |                        |
| 13 write(y, r1)       | У     | r1                 | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1)        | У     | Bits(1)            | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1==1)      |       | <b>r1</b> =Bits(1) | $\top$             |                        |
| 16 end                |       |                    | $\top$             | <b>a</b> 16            |
| 20 start              |       |                    | $\top$             | <b>a</b> 20            |
| 21 r2=read(y)         | У     |                    | $\top$             | <b>a</b> <sub>21</sub> |
| 22 write(x, 1)        | Х     | Bits(1)            | $\top$             | <b>a</b> 22            |
| 23 assert(r2==1)      |       | <b>r2</b> =Bits(1) | $\top$             |                        |
| <b>24 end</b>         |       |                    | Т                  | <b>a</b> <sub>24</sub> |
|                       | VГИ   | /[a21]]            |                    |                        |
|                       | - L · |                    |                    |                        |

- set of all executed actions Α
- maps reads to seen writes W
- maps writes to written values V
- maps writes to written values
- maps locks/unlocks to monitors m

 $\wedge_{s\in P} F(s, R(P), E) \wedge$  $A = a_{00} \cup \ldots \cup a_{24} \land$ V[W[a<sub>11</sub>]] ≠ Bits(0)) ∧  $(\mathbf{a}_{13} \cap \mathbf{a}_{00}) = \emptyset \land \ldots \land$  $V[W[a_{11}]] = Bits(1) \land$ *V*[*W*[*a*<sub>21</sub>]]=Bits(1) ∧  $\wedge_{1 \leq i \leq k} F(R(P), E_i) \wedge$  $M(E, E_1, ..., E_k)$ 

| S                     | Loc | Val                          | Guard              |                        |
|-----------------------|-----|------------------------------|--------------------|------------------------|
| 00 start              |     |                              | Т                  | <b>a</b> 00            |
| 01 write(x, 0)        | Х   | Bits(0)                      | $\top$             | <b>a</b> 01            |
| <b>02 write(y, 0)</b> | У   | Bits(0)                      | $\top$             | <b>a</b> 02            |
| 03 end                |     |                              | Т                  | <b>a</b> 03            |
| 10 start              |     | V[[/[a++]]]                  | Т                  | <b>a</b> 10            |
| 11 r1=read(x)         | X   | v [v v [a / /]]              | Т                  | <b>a</b> 11            |
| 12 branch(r1!=0)      |     |                              | Т                  |                        |
| 13 write(y, r1)       | У   | r1                           | <b>r1</b> ≠Bits(0) | <b>a</b> 13            |
| 14 write(y, 1)        | У   | Bits(1)                      | <b>r1</b> =Bits(0) | <b>a</b> 14            |
| 15 assert(r1==1)      |     | <b>r1</b> =Bits(1)           | $\top$             |                        |
| 16 end                |     |                              | $\top$             | <b>a</b> 16            |
| 20 start              |     |                              | $\top$             | <b>a</b> 20            |
| 21 r2=read(y)         | У   |                              | $\top$             | <b>a</b> 21            |
| 22 write(x, 1)        | Х   | Bits(1)                      | $\top$             | <b>a</b> 22            |
| 23 assert(r2==1)      |     | <b>r2</b> =Bits(1)           | $\top$             |                        |
| <b>24 end</b>         |     |                              | Т                  | <b>a</b> <sub>24</sub> |
|                       | V[N | /[ <b>a</b> <sub>21</sub> ]] |                    |                        |

| A<br>W<br>V<br>I<br>m                                                  | set of all executed actions<br>maps reads to seen writes<br>maps writes to written values<br>maps writes to written values<br>maps locks/unlocks to monitors |
|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <b>a</b> <sub>13</sub>   ≤ 1 ∧                                         | $\wedge_{s\in P} F(s, R(P), E) \land$                                                                                                                        |
| ( a <sub>13</sub>   = 1 ⇔<br>V[W[a <sub>11</sub> ]] ≠ Bits(0)) ∧       | $A = a_{00} \cup \cup a_{24}$                                                                                                                                |
| $(\mathbf{a}_{13} \cap \mathbf{a}_{00}) = \emptyset \land \dots \land$ | <i>V</i> [ <i>W</i> [ <i>a</i> <sub>11</sub> ]]=Bits(1)                                                                                                      |
| $(a_{13} \cap a_{24}) = \emptyset \land$                               | $\sqrt{1}\sqrt{1}$                                                                                                                                           |
| <b>I[a</b> <sub>13</sub> ] = y ∧                                       | $v[vv[a_{21}]]=DitS(1)$                                                                                                                                      |
| $V[a_{13}] = V[W[a_{11}]]$                                             | $\wedge_{1 \leq i \leq k} F(R(P), E_i) \wedge$                                                                                                               |

M(E, E<sub>1</sub>, ..., E<sub>k</sub>)

 $\wedge$ 

) <

) ^

## **Bounds assembly**



### **Bounds assembly**





## **Bounds assembly: universe**



finite universe of symbolic values from which the model, if any, is drawn -8, 1, 2, 4, x, y, a00, a01, a02, a03, a10, a11, a13, a16, a20, a21, a22, a24

 $\{\ldots\} \subseteq A \subseteq \{\ldots\}$  $\{\ldots\} \subseteq V \subseteq \{\ldots\}$  $\{\ldots\} \subseteq W \subseteq \{\ldots\}$  $\{\ldots\} \subseteq I \subseteq \{\ldots\}$ 

 $\{\ldots\} \subseteq m \subseteq \{\ldots\}$ 

## **Bounds assembly: universe**



## **Bounds assembly: universe**





-8, 1, 2, 4, x, y, a00, a01, a02, a03, a10, a11, a13, a16, a20, a21, a22, a24

 $\{\ldots\} \subseteq A \subseteq \{\ldots\}$   $\{\ldots\} \subseteq V \subseteq \{\ldots\}$ er
alue  $\{\ldots\} \subseteq W \subseteq \{\ldots\}$ n that
M)  $\{\ldots\} \subseteq I \subseteq \{\ldots\}$ 

 $\{\ldots\}\subseteq m\subseteq\{\ldots\}$ 



-8, 1, 2, 4, x, y, a00, a01, a02, a03, a10, a11, a13, a16, a20, a21, a22, a24

 $\{\ldots\}\subseteq A\subseteq \{\ldots\}$ 

 $\{\ldots\}\subseteq V\subseteq \{\ldots\}$ 

 $\{\ldots\}\subseteq W\subseteq \{\ldots\}$ 

 $\{\ldots\} \subseteq I \subseteq \{\ldots\}$ 

 $\{\ldots\}\subseteq m\subseteq \{\ldots\}$ 



-8, 1, 2, 4, x, y, a00, a01, a02, a03, a10, a11, a13, a16, a20, a21, a22, a24



 $\{\ldots\}\subseteq V\subseteq\{\ldots\}$ 

upper and lower bound on the value of each relation that appears in F(P, M) {...} ⊆ W ⊆ {...}

 $\{\ldots\} \subseteq m \subseteq \{\ldots\}$ 



-8, 1, 2, 4, x, y, a00, a01, a02, a03, a10, a11, a13, a16, a20, a21, a22, a24 <a00>, <a01>, <a02>, **(**<**a**00>, <**a**01>, <**a**02>,  $<a03>, <a10>, <a11>, <br/><math>\leq A \leq <cond <a10>, <a11>, <br/><math><a16>, <a20>, <cond <a11>, <cond <a11>, <a11>,$ <a21>, <a22>, <a24> <a21>, <a22>, <a24>  $\{\ldots\} \subseteq V \subseteq \{\ldots\}$ upper and lower  $\{\ldots\} \subseteq W \subseteq \{\ldots\}$ bound on the value of each relation that appears in F(P, M)  $\{\ldots\} \subseteq / \subseteq \{\ldots\}$  $\{\ldots\} \subseteq m \subseteq \{\ldots\}$ 





 $\{\ldots\} \subseteq m \subseteq \{\ldots\}$ 





 $\{\ldots\} \subseteq m \subseteq \{\ldots\}$ 

# **Results (highlights)**

#### **MemSAT performance on JMM causality tests**



# Conclusion

### Practical checker for axiomatic specifications of memory models

- first tool to directly handle the current JMM
- first tool to provide minimal cores

### **Prior work (highlights)**

- CheckFence hardcodes the memory model
- Nemos accepts simple axiomatic specs but no cores
- JMM checkers (e.g. OpMM) use operational approximations

### **Future work**

• extend MemSAT to handle hardware memory models