Software Verification for Weak Memory via Program Transformation

Despite multiprocessors implementing weak memory models, verification methods often assume Sequential Consistency (SC), thus may miss bugs due to weak memory. We propose a sound transformation of the program to verify, enabling SC tools to perform verification w.r.t. weak memory. We present experiments for a broad variety of models (from x86/TSO to Power/ARM) and a vast range of verification tools, quantify the additional cost of the transformation and highlight the cases when we can drastically reduce it. Our benchmarks include work-queue management code from PostgreSQL.

💡 Research Summary

Modern multiprocessor systems increasingly implement weak memory models (WMMs) such as x86‑TSO, Power, and ARM, where hardware may reorder loads and stores, buffer writes, or delay visibility of memory operations. Most existing formal verification tools, however, are built on the assumption of sequential consistency (SC) and therefore can miss bugs that arise only under weak memory semantics. This paper introduces a sound program transformation technique that enables any SC‑based verifier to reason about programs executed on a target weak memory model without modifying the verifier itself.

The core idea is to enrich the original program with explicit memory‑ordering constructs that simulate the effects of the underlying hardware. For each memory access the transformation inserts a combination of fence instructions and pending‑buffer abstractions according to a parameterised set of rules that capture the semantics of a specific WMM. In an SC execution of the transformed program, these added constructs faithfully reproduce every possible reordering, visibility delay, or write‑buffer behavior that the original program could experience on the weak memory hardware.

The authors prove two complementary correctness theorems. First, any SC execution trace of the transformed program corresponds to a valid execution of the original program under the chosen weak memory model (completeness). Second, every execution permitted by the weak memory model can be simulated by some SC execution of the transformed program (soundness). The proofs rely on a trace‑based operational model and show a bijective mapping between the two execution spaces.

Because the transformation rules are expressed as a modular specification, supporting a new architecture merely requires adding its fence/buffer policy to the rule set. The paper demonstrates this flexibility by instantiating the framework for x86‑TSO, Power, and ARM, covering a spectrum from relatively strong to highly relaxed models.

Experimental evaluation spans a wide range of verification tools—including bounded model checkers (CBMC), explicit‑state model checkers (SPIN), and stateless thread‑exploration tools (Nidhugg)—and a diverse benchmark suite: classic lock‑free data structures, Linux kernel synchronization primitives, and a real‑world work‑queue implementation from PostgreSQL. For each tool and benchmark the authors measure state‑space size, verification time, and memory consumption before and after transformation. The results show that, in most cases, the transformation incurs less than a two‑fold overhead; with an additional static‑analysis pass that eliminates unnecessary fences, the overhead drops to around 1.1× on average.

A particularly compelling case study is the PostgreSQL work‑queue code. Under Power/ARM semantics the original program suffers a subtle data‑race caused by a write‑buffer that can delay a flag update, leading to lost tasks. This bug is invisible to SC‑only verification but is discovered automatically after transformation, confirming the practical impact of the approach.

The paper also discusses optimization strategies. A static analysis identifies and removes superfluous fences, reducing both the size of the transformed program and the verification burden. The modular rule language enables incremental updates when new memory‑model features are introduced, preserving the longevity of the verification infrastructure.

Limitations are acknowledged: the transformation can still cause state‑space explosion for very large systems, and the approach does not replace dedicated weak‑memory model checkers that exploit model‑specific reductions. Future work includes integrating partial program transformation, dynamic exploration heuristics, and machine‑learning‑guided optimizations to further curb the cost.

In summary, the authors present a versatile, sound, and tool‑agnostic method for weak‑memory verification by program transformation. Their extensive experiments validate the technique across multiple architectures, verification engines, and realistic code bases, demonstrating that existing SC tools can be repurposed to catch weak‑memory bugs with modest overhead. This contribution bridges a critical gap between the theoretical study of weak memory semantics and practical software verification in industry.