Download presentation

Presentation is loading. Please wait.

Published byCori Rich Modified about 1 year ago

1
PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran Yahav, Technion 1

2
Sequential Consistency We expect our programs to have “Interleaving semantics” Consistent with program order “The result of any execution is the same as if the operations of all the processors were executed in some sequential order, and the operations of each individual processor appear in this sequence in the order specified by its program.” – Leslie Lamport,

3
Process 0: flag[0] := true while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false Process 1: flag[1] := true while flag[0] = true { if turn ≠ 1 { flag[1] := false while turn ≠ 1 { } flag[1] := true } // critical section turn := 0 flag[1] := false 3 Dekker’s Algorithm for Mutual Exclusion Specification: mutual exclusion over critical section

4
… P0 Main Memory … P1 … … … … X Y Z X Y Z 123 Store Buffer Based Models 4 TSO & PSO x86 ~ TSO Memory Fences Restore order Every store before the fence becomes globally visible before anything after the fence executes storeflush load fence

5
Process 0: flag[0] := true fence while flag[1] = true { if turn ≠ 0 { flag[0] := false fence while turn ≠ 0 { } flag[0] := true fence } // critical section turn := 1 fence flag[0] := false fence 5 Memory Fences Fences are expensive 10s-100s of cycles Practical Significance Data structures Linux Kernel spinlocks Placing fences manually Overfencing: hurts performance Underfencing: subtle bugs

6
Process 0: flag[0] := true fence while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false 6 Memory Fences Fences are expensive 10s-100s of cycles Practical Significance Data structures Linux Kernel spinlocks Placing fences manually Overfencing: hurts performance Underfencing: subtle bugs

7
Automatic Solutions Equivalence to Sequential Consistency Reduce program behaviors to sequentially consistent (SC) runs High-level specifications are ignored Goes back to Shasha & Snir [TOPLAS ’88] Place fences to satisfy provided specification Using specification may forbid less executions May require fewer fences 7 Safe SC PSO

8
Goal P’ satisfies the specification S under M Finite-State Program P Finite-State Program P Safety Specification S Safety Specification S Memory Model M Memory Model M Program P’ with Fences 8

9
General Recipe 1. Compute reachable states 2. Compute weakest constraints that guarantee all “bad states” are avoided 3. Implement the constraints with fences 9

10
Constraints 10 Constraint language Not every transition can be prevented using a fence 10 P 2 : (D) LOAD R1 = X P 1 : (D) LOAD R1 = X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X Unavoidable [A < D] [B < D] [C < D]

11
Concrete Transition System 11 Building transition system under TSO/PSO is hard No a-priori bound on buffer length Unbounded state-space Even for programs that were finite-state under SC Reachability has non-primitive recursive complexity [Atig et al., POPL ’10]

12
Abstract Memory Models (AMM) 12 Bounded approximation of unbounded buffers Strictly weaker than concrete TSO/PSO Finite-state programs remain finite-state Reachability becomes effectively computable Construct finite (abstract) transition system Apply fence inference Can also be used for verification Safe SC PSO AMM

13
Partial Coherence Abstractions 13 … P0 Main Memory … P1 … … … … X Y Z X Y X P0 Main Memory P1 X Z X Y Z Recent value Bounded length k Unordered elements Y Allows precise fence semantics Allows precise loads from buffer Keeps the analysis precise for “well behaved” programs Record what values appeared (without order or number)

14
Partial Coherence Abstractions {2,3,4,5} Concrete Abstract

15
Abstract Fence Inference 1. Compute reachable abstract states 2. Compute constraints. Precision depends on abstraction. 3. Implement the constraints with fences 15

16
Fence Inference Results 16 Benchmarks are mutual exclusion primitives k - the bound on the FIFO part of the abstract buffer PD more “aggressive” than FD ProgramFD k=0FD k=1FD k=2PD k=0PD k=1PD k=2 Sense0 Pet0 Dek0 Lam0 Fast0 Fast1a Fast1b Fast1c

17
Summary Partial-coherence abstractions Verification without arbitrary bounds Abstraction precision affects quality of results Synthesis of fences Can infer optimal fences for mutual exclusion primitives 17 P P S S M M P’

18
Questions 18

19
Related Work Under-approximation CheckFence [Burckhardt et al., PLDI ’07] Fender [KVY, FMCAD ’10] And more… Over-approximation Equivalence to SC Very imprecise Goes back to Shasha & Snir [TOPLAS ‘88] Abstract Interpretation Varying precision Regular Abstraction [Linden et al., SPIN ’10] Partial-Coherence [KVY, PLDI ’11] 19

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google