Presentation is loading. Please wait.

Presentation is loading. Please wait.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

Published byNathan Weakly Modified over 9 years ago

Similar presentations

Presentation on theme: "“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1."— Presentation transcript:

1 “FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1

2 p0: flag[0] := true while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false p1: flag[1] := true while flag[0] = true { if turn ≠ 1 { flag[1] := false while turn ≠ 1 { } flag[1] := true } // critical section turn := 0 flag[1] := false Specification: mutual exclusion over critical section Dekker’s Algorithm 2

3 p0: flag[0] := true while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false p1: flag[1] := true while flag[0] = true { if turn ≠ 1 { flag[1] := false while turn ≠ 1 { } flag[1] := true } // critical section turn := 0 flag[1] := false Beyond Textbooks: Weak Memory Models  Re-ordering of operations  Non-atomic stores 3

4 Memory Fences  Enforce order, at a cost!  Fences are expensive  10s-100s of cycles  Example: removing a single fence yields 3x speedup in a work-stealing queue [Michael, et al. PPoPP ’09]  Where should we put fences?  Required fences depend on memory model  Different kinds of fences 4

5 Goal  “Correct and efficient fencing for the masses”  A tool to help the programmer place fences  For non-trivial finite-state programs  Under a realistic memory model  Safe  Efficient 5

6 Easy! p0: flag[0] := true fence while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false p1: flag[1] := true fence while flag[0] = true { if turn ≠ 1 { flag[1] := false while turn ≠ 1 { } flag[1] := true } // critical section turn := 0 flag[1] := false 6

7 Chase-Lev Work-Stealing Queue 1 int take() { 2 long b = bottom – 1; 3 item_t * q = wsq; 4 bottom = b 5 long t = top 6 if (b < t) { 7 bottom = t; 8 return EMPTY; 9 } 10 task = q->ap[b % q->size]; 11 if (b > t) 12 return task 13 if (!CAS(&top, t, t+1)) 14 return EMPTY; 15 bottom = t + 1; 16 return task; 17 } 1 void push(int task) { 2 long b = bottom; 3 long t = top; 4 item_t * q = wsq; 5 if (b – t >= q->size – 1) { 6 wsq = expand(); 7 q = wsq; 8 } 9 q->ap[b % q->size] = task; 10 bottom = b + 1; 11} 1 int steal() { 2 long t = top; 3 long b = bottom; 4 item_t * q = wsq; 5 if (t >= b) 6 return EMPTY; 7 task = q->ap[t % q->size]; 8 if (!CAS(&top, t, t+1)) 9 return ABORT; 10 return task; 11} 7

8 In Practice - Hard  This is a real problem  Finding the best placement for fences is hard  Classical trade-off: correctness vs. efficiency  Existing tools are insufficient  CheckFence [Alur et al. PLDI ’07] 8

9 Our Approach: Overview  P’ satisfies the specification S under M (Finite-State) Program P (Finite-State) Program P (Safety) Specification S Memory Model M Memory Model M Program P’ with Fences 9

10 Our Approach: Recipe  Compute reachable states for the program  Bad news: Reachability problem undecidable even for finite-state programs running under sufficiently weak MM [Atig et al. POPL ’10] So sometimes use an additional bound  Compute constraints that guarantee that all “bad states” are avoided  The constraints restrict non-determinism allowed by the memory model  Implement the constraints with fences 10

11 Our Approach: Ingredients  Operational semantics for weak memory models  An algorithm for finding order constraints  An algorithm for implementing constraints as fences in the program 11

12 Classification due to Adve et al. IEEE Computer ‘95 12 Operational Semantics for WMM

13  Model store buffers  Model instruction reordering (execution buffers)  Variety of re-ordering rules 13

14 States and Transitions Processor B: B 1 : R2 = Y B 2 : R1 = X Processor A: A 1 : X = 1 A 2 : Y = 1 Initially X = Y = R1 = R2 = 0 A 2 :Y = 1 A 1 :X = 1 B 2 :R1 = X B 1 :R2 = Y X = 0 Y = 0 R1 = 0 R2 = 0 A 1 :X = 1B 2 :R1 = X B 1 :R2 = Y X = 0 Y = 1 R1 = 0 R2 = 0 A2A2 14

15 Compute Reachable States (0,0,0,0) (1,0,0,0)(0,1,0,0)(0,0,0,0) (0,1,0,0)(0,1,0,1)(0,1,0,0) (1,1,0,1)(0,1,0,1) (1,1,1,1)(1,1,0,1) A1A1 A2A2 B2B2 B1B1 A1A1 A1A1 A1A1 B1B1 B2B2 B2B2 B2B2 A2A2 A2A2 Error state (x,y,r1,r2) EB1 EB2 legend Specification at final state ¬ (R1 = 0  R2 = 1) initial 15 A1 A2 B1 B2 A2 B1 B2A1 B1 B2 A1 A2B2 A1 A2B1 A1B2A1B2 B1 B2 A1B2 B 1 : R2 = Y B 2 : R1 = X A 1 : X = 1 A 2 : Y = 1

16 Avoiding states  To avoid a state  Avoid all incoming transitions  To avoid an incoming transition  Either avoid the transition itself  Or avoid the source state 16

17 Avoidable Transitions  Execution buffer is ordered  A transition not executing first instruction in the execution buffer can be avoided  By forcing a different transition to execute A 4 :W = 1 A 3 :Z = 1 A 2 :Y = 1 A 1 :X = 1 Processor A A 1 : X = 1 A 2 : Y = 1 A 3 : Z = 1 A 4 : W = 1 A1A1 A2A2 A3A3 A4A4 17

18 Avoidable Transitions  To avoid A 3 in this state  Force A 1 to execute before A 3  Or force A 2 to execute before A 3  Language of ordering constraints  [A 1 < A 3 ]  [A 2 < A 3 ] A 4 :W = 1 A 3 :Z = 1 A 2 :Y = 1 A 1 :X = 1 Processor A A 1 : X = 1 A 2 : Y = 1 A 3 : Z = 1 A 4 : W = 1 A1A1 A2A2 18 A3A3 A4A4

19 Computing Avoid Formulae  Ordering constraint  [l 1 < l 2 ]  l 2 may not be reordered with l 1  Associate a propositional variable with each constraint  “Avoid formulas” are (positive) propositional formulas over ordering constraints  Fixed-point computation computes an avoid formula for every state  Final constraint formula is the conjunction of avoiding all “bad states” 19

20 Back to our example (0,0,0,0) false A1A1 (0,1,0,0) A1 < A2 (0,0,0,0) B1 < B2 (1,0,0,0) B1 < B2 (0,1,0,0) A1 < A2 || B1 < B2 (0,1,0,1) A1 < A2 (1,1,0,0) A1 < A2 (1,1,0,0) B1 < B2 (1,1,0,1) [] A1 < A2 && B1 < B2 A1A1 A1A1 A2A2 A2A2 A2A2 B1B1 B1B1 B1B1 B2B2 B2B2 B2B2 20 A1 A2 B1 B2 A1 B1 B2 A1 A2B1 A1B2A1B1A2B1 A1 B1 B 1 : R2 = Y B 2 : R1 = X A 1 : X = 1 A 2 : Y = 1

21 Fence Placement Processor B B 1 : R2 = Y fence(“load-load”) B 2 : R1 = X Processor A A 1 : X = 1 fence(“store-store”) A 2 : Y = 1 [A 1 < A 2 ]  [B 1 < B 2 ] 21

22 Fence Placement  Trivial in the previous example  Satisfying assignment to the avoid formula  Every satisfied constraint realized as a fence  Only had to choose fence type  More complicated in practice  Which satisfying assignment to chose? 22

23 Data Structures  Treiber’s Stack  Michael & Scott’s Non-Blocking Queue  Idempotent Work-Stealing Queue  Chase & Lev’s Work-Stealing Queue  Found a missing fence in an implementation used for an earlier paper.  … 23

24 Sample Results: Michael-Scott Queue  Used the results from [Alur et al. PLDI ’07] as a reference  Reference contains 7 fences  RMO*: 3 found  2 unneeded due to environment issues (memory management)  2 unneeded due to lack of speculation  PSO: 1 found, TSO: No fences required 24

25 Results 25

26 Summary  Fence inference  Finite-state programs  Safe and optimal  Work in progress  Scalability  Abstraction Over-approximation instead of bounding 26

Download ppt "“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Symmetric Multiprocessors: Synchronization and Sequential Consistency.

Symmetric Multiprocessors: Synchronization and Sequential Consistency.
IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.

IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.
Operating Systems Part III: Process Management (Process Synchronization)

Operating Systems Part III: Process Management (Process Synchronization)
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } P1() Challenge: Correct and Efficient Synchronization { ……………………………
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Memory Consistency Models Kevin Boos. Two Papers Shared Memory Consistency Models: A Tutorial – Sarita V. Adve & Kourosh Gharachorloo – September 1995.

Memory Consistency Models Kevin Boos. Two Papers Shared Memory Consistency Models: A Tutorial – Sarita V. Adve & Kourosh Gharachorloo – September 1995.
Concurrency: Mutual Exclusion and Synchronization Chapter 5.

Concurrency: Mutual Exclusion and Synchronization Chapter 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Ch 7 B.

Ch 7 B.
CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,

CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
Timed Automata.

Timed Automata.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Similar presentations

Ads by Google