Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Safety-First Approach to Memory Models Madan Musuvathi Microsoft Research ISMM ‘13 Keynote 1.

Published byAllen Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "A Safety-First Approach to Memory Models Madan Musuvathi Microsoft Research ISMM ‘13 Keynote 1."— Presentation transcript:

1 A Safety-First Approach to Memory Models Madan Musuvathi Microsoft Research ISMM ‘13 Keynote 1

2 x x y y z z 2 Example: Memory Safety Protects the abstraction of logical variables Example: Memory Safety Protects the abstraction of logical variables A safe programming language is one that protects its own abstractions.

3 3 Provide strong correctness guarantees Eliminate subtle security vulnerabilities Reduce program complexity Provide strong correctness guarantees Eliminate subtle security vulnerabilities Reduce program complexity Modern programming languages have embraced the benefits of safety.

4 4 Recent standardization of concurrent languages is reversing this trend Key programming abstractions are being compromised Key programming abstractions are being compromised

5 Can this Java Program Crash? Data d = null; boolean init = false; // Thread t // Thread u A: d = new Data(); C: if(init) B: init = true; D: d.doIt(); 5 A: d = new Data(); B: init = true; C: if(init) D: d.doIt(); How could these threads be interleaved? That was hard…but looks ok! Null Dereference!

6 Broken Program Abstractions ; 6

7 Program order A ; B Execute A and then B 7

8 Broken Program Abstractions Shared memory Memory is map from address to values With reads/writes taking effect immediately 8 AddressValues 0xDEADBEE00x0000002a 0xDEADBEE40x00000042 0xDEADBEE80xDEADBEEF 0xDEADBEEA0x00000000

9 // Thread t // Thread u A: d = new Data(); C: if(init) B: init = true; D: d.doIt(); A Crash is Counter-Intuitive Data d = null; boolean init = false; Program abstractions broken: 1.Program Order: 2.Shared Memory

10 // Thread t // Thread u A: d = new Data(); C: if(init) B: init = true; D: d.doIt(); C: if(init) D: d.doIt(); B: init = true; How can this Program Crash? Data d = null; boolean init = false; B doesn’t depend on A. It might be faster to reorder them! B doesn’t depend on A. It might be faster to reorder them! Optimizing Software / Hardware Stack Null Dereference! 10 Programming Language Compiler Safe for sequential programs. But can break concurrent ones… Safe for sequential programs. But can break concurrent ones… A: d = new Data();

11 Why are Accesses Reordered? 11 Programming Language Compiler sequentially valid hardware optimizations can reorder memory accesses out-of-order execution, store buffers sequentially valid optimizations can reorder memory accesses common subexpression elimination, register promotion, instruction scheduling

12 More Counter-Intuitive Behaviors The assert can fail (in C++)! [ Boehm HotPar’11 ] 12 // Thread t // Thread u A: init = true; B: init = true; bool init = false; assert( init );

13 More Counter-Intuitive Behaviors The assert can fail (in C++)!  Compiler can introduce accesses 13 // Thread t A: local = init; B: if (local) C: assert( local ); bool init = false;

14 Memory Consistency Models 14 A memory consistency model defines the order in which memory operations can execute and become visible to other threads. How could these threads be interleaved? Sequential Consistency (SC) [Lamport 1979] memory operations appear to occur in some global order consistent with the per-thread program order Sequential Consistency (SC) [Lamport 1979] memory operations appear to occur in some global order consistent with the per-thread program order

15 Memory Consistency Models 15 A memory consistency model defines the order in which memory operations can execute and become visible to other threads. How could these threads be interleaved? Sequential Consistency (SC) guarantees program order and shared memory abstractions Sequential Consistency (SC) guarantees program order and shared memory abstractions Java, C, C++ provide weaker guarantees, to retain sequential compiler and hardware optimizations Java, C, C++ provide weaker guarantees, to retain sequential compiler and hardware optimizations

16 Summary of the Talk 1.Concurrent languages require SC for programmer sanity and program safety 2.The SC abstraction needs to be protected 3.SC is efficiently realizable 16

17 access the same memory location at least one is a write access the same memory location at least one is a write A Short Detour: Data Races 17 A program has a data race if it has an execution in which two conflicting accesses to memory are simultaneously ready to execute. // Thread t // Thread u A: d = new Data(); C: if(init) B: init = true; D: d.doIt(); Data Race

18 Useful Data Races Data races are essential for implementing shared-memory synchronization 18 AcquireLock(){ while (lock == 1) {} t = CAS (lock, 0, 1); if (!t) retry; } AcquireLock(){ while (lock == 1) {} t = CAS (lock, 0, 1); if (!t) retry; } ReleaseLock() { lock = 0; } ReleaseLock() { lock = 0; }

19 Useful Data Races Data races are essential for implementing shared-memory synchronization 19 DoubleCheckedLock(){ if (p == null){ lock(l); if (p == null){ p = AllocAndInit(); } unlock(l); } return p; } DoubleCheckedLock(){ if (p == null){ lock(l); if (p == null){ p = AllocAndInit(); } unlock(l); } return p; }

20 Data Race Freedom and Memory Models 20 DRF0 [Adve & Hill 1990] SC behavior for data-race-free programs, weak or no semantics otherwise DRF0 [Adve & Hill 1990] SC behavior for data-race-free programs, weak or no semantics otherwise A program is data-race-free if all data races are appropriately annotated ( volatile/atomic ) Java Memory Model (JMM) [Manson et al. 2005] Java Memory Model (JMM) [Manson et al. 2005] C++0x Memory Model [Boehm & Adve 2008] C++0x Memory Model [Boehm & Adve 2008]

21 // Thread t // Thread u A: d = new Data(); C: if(init) B: init = true; D: d.doIt(); Preventing the Crash Data d = null; boolean init = false; 21 volatile Eliminates the data race Prevents A and B from being reordered Eliminates the data race Prevents A and B from being reordered

22 So What’s the Problem? easy to accidentally introduce a data race  forget to grab a lock  grab the wrong lock  forget a volatile annotation …… no good way to know if program is data-race-free  current static techniques are limited typically only handle locks, conservative due to aliasing etc.  dynamic analysis is insufficient many paths / interleavings missed, expensive (8x slowdown) 22

23 A Common Misperception 23 Data races are program errors and SC removes the incentive to eliminate them

24 Data Race ≠ Race Condition Race condition: any timing error Data race: concurrent conflicting accesses Confusing terminology: “Race” A data race is neither sufficient nor necessary for a race condition 24

25 Race Condition with no Data Races 25 class BankAccount { volatile int balance; void withdraw(int amt) { if (balance >= amt) balance -= amt; }

26 Race Condition with no Data Races 26 class BankAccount { int balance; void withdraw(int amt) { Lock.Acquire(); if (balance >= amt){ Lock.Release(); Lock.Acquire(); balance -= amt; } Lock.Release(); }

27 Data Races with no Race Condition (assuming SC) Low-fidelity counters 27 // Thread t // Thread u A: stats++; B: stats++;

28 Data Races with no Race Condition (assuming SC) Single writer multiple readers 28 // Thread t // Thread u A: time++; B: l = time;

29 Data Races with no Race Condition (assuming SC) Lazy initialization 29 // Thread t // Thread u if( p == 0 ) if( p == 0 ) p = init(); p = init();

30 “Benign” Data Races ~97% of data races are not errors under SC  Experience from one MS-internal data-race detection study [OSDI ‘08]  Benign data-races are a common phenomenon in data-race detection literature The main reason to annotate data races is to protect against compiler/hardware optimizations 30

31 Deficiencies of DRF0 31 weak or no semantics for data- racy programs unintentional data races easy to introduce problematic for DEBUGGABILITY programmer must assume non-SC behavior for all programs SAFETY optimization + data race = jump to arbitrary code! [Boehm et al., PLDI 2008] COMPILER CORRECTNESS Java must maintain safety at the cost of complexity [Ševčík&Aspinall, ECOOP 2008] Analogous to unsafe languages: relying on programmer infallibility Analogous to unsafe languages: relying on programmer infallibility

32 A Safety-First Approach 32 Program order and shared memory are important abstractions Modern languages should protect them All programs, buggy or otherwise, should have SC semantics All programs, buggy or otherwise, should have SC semantics

33 A Safety-First Approach 33 All memory locations are treated by the compiler and hardware as volatile unless proven safe local variables are always safe other fields can be proven safe through annotations (e.g., @LockedBy) local variables are always safe other fields can be proven safe through annotations (e.g., @LockedBy) the result: SC guaranteed for all programs

34 What is the Cost of SC? 34 SC prevents essentially all compiler and hardware optimizations. And thus SC is impractical. the rest of this talk challenges this perception…

35 How much does SC really cost? 35 Programming Language Compiler x86-TSO is only a small relaxation of SC several research proposals for efficient hardware SC [Ranganathan et al. 1997] [Gniady et al. 1999] [Ceze et al. 2007] [Blundell et al. 2009] compilers optimize effectively without violating SC 3.8% slowdown on average

36 An SC-Preserving C Compiler modified LLVM [Lattner & Adve 2004] to be SC-preserving  the compiled binary preserves SC when run on SC hardware  obvious idea: restrict optimizations so they never reorder shared accesses  simple, small modifications to the base compiler  slowdown on x86: average of 3.8% PARSEC, SPLASH-2, SPEC CINT2006 36

37 Some optimizations preserve SC for(i=0;i<3;i++) X++; loop unrolling X++;X++;X++ foo(); bar(); baz(); function inlining bar(){X++;} foo(); X++; baz(); t=X*4; arithmetic simplification t=X<<2; unreachable code elim. dead argument elim. scalar replication correlated val prop tail call elim loop rotation loop unswitching allocating locals to virtual registers virtual to physical register allocation stack slot coloring arithmetic reassociation all optimizations on locals and compiler temporaries Many

38 Optimizations that Break SC E.g. Common Subexpression Elimination (CSE) t,u,v are local variables X,Y are possibly shared L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = t; L1: t = X*5; L2: u = Y; L3: v = t;

39 CSE is not SC-Preserving L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = t; L1: t = X*5; L2: u = Y; L3: v = t; M1: X = 1; M2: Y = 1; M1: X = 1; M2: Y = 1; M1: X = 1; M2: Y = 1; M1: X = 1; M2: Y = 1; u == 1  v == 5 possibly u == 1 && v == 0 Init: X = Y = 0;

40 Implementing CSE in a SC-Preserving Compiler Enable this transformation when  X is a local variable, or  Y is a local variable L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = X*5; L1: t = X*5; L2: u = Y; L3: v = t; L1: t = X*5; L2: u = Y; L3: v = t;

41 Modifying LLVM classified optimization passes based on potential reorderings  7 of 31 front end passes, 4 of 26 back end passes modified passes to avoid reordering possibly shared accesses  definitely local vars already identified by LLVM  often reused existing code in an optimization that handles volatile vars 41

42 Experiments using LLVM baseline stock LLVM compiler with standard optimizations (-O3) no optimizations disable all LLVM optimization passes naïve SC-preserving disable LLVM passes that possibly reorder memory accesses SC-preserving use modified LLVM passes that avoid reordering shared memory accesses ran compiled programs on 8-core Intel Xeon 42

43 Results for Parallel Benchmarks Slowdown over LLVM –O3 43 Naïve SC-preserving No opts. 480373 154 132200116159173237 298

44 Results for SPEC Integer 2006 44 487 149 170 Slowdown over LLVM –O3

45 How Far Can A SC-Preserving Compiler Go? float s, *x, *y; int i; s=0; for( i=0; i<n; i++ ){ s += (x[i]-y[i]) * (x[i]-y[i]); } float s, *x, *y; int i; s=0; for( i=0; i<n; i++ ){ s += (x[i]-y[i]) * (x[i]-y[i]); } float s, *x, *y; float *px, *py, *e; s=0; py=y; e = &x[n] for( px=x; px<e; px++, py++){ s += (*px-*py) * (*px-*py); } float s, *x, *y; float *px, *py, *e; s=0; py=y; e = &x[n] for( px=x; px<e; px++, py++){ s += (*px-*py) * (*px-*py); } float s, *x, *y; int i; s=0; for( i=0; i<n; i++ ){ s += (*(x + i*sizeof(float)) – *(y + i*sizeof(float))) * (*(x + i*sizeof(float)) – *(y + i*sizeof(float))); } float s, *x, *y; int i; s=0; for( i=0; i<n; i++ ){ s += (*(x + i*sizeof(float)) – *(y + i*sizeof(float))) * (*(x + i*sizeof(float)) – *(y + i*sizeof(float))); } float s, *x, *y; float *px, *py, *e, t; s=0; py=y; e = &x[n] for( px=x; px<e; px++, py++){ t = (*px-*py); s += t*t; } float s, *x, *y; float *px, *py, *e, t; s=0; py=y; e = &x[n] for( px=x; px<e; px++, py++){ t = (*px-*py); s += t*t; } no opt. SC pres full opt

46 Hardware Cost of SC Speculation efficiently hides optimizations [Gharachorloo et.al. ‘91] 46 Load X Load Y Load X SC Preseving if Y is not modified in this region Hardware dynamically enforces this constraint, mostly reusing branch speculation hardware Hardware dynamically enforces this constraint, mostly reusing branch speculation hardware

47 Hardware SC is Realizable “Multiprocessors should support simple memory consistency models”  Mark Hill [IEEE Computer ‘98]  “Simple” == SC or TSO Various research proposals for hardware SC  [Ranganathan et al. 1997] [Gniady et al. 1999] [Ceze et al. 2007] [Blundell et al. 2009] 47

48 Current Hardware Inefficient mechanisms (fences) to recover SC Problem for both SC and DRF0 What is the cost of SC on existing hardware? 48

49 Ideal DRF0 Hardware DRF0 hardware 1.Regular loads/stores 2.Acquire loads 3.Store releases Optimizations: 49 Acquire/ Release Acquire/ Release Acquire/ Release Acquire/ Release Regular Acquire Release Regular

50 Compiling TO DRF0 Hardware Access TypeDRF0SC DRF ProvableRegular DRF UnprovableRegularAcq/Rel Data Race UnannotatedRegularAcq/Rel Data Race AnnotatedAcq/Rel 50 Performance Cost of SC Semantic Cost of DRF0

51 Two Trends That Reduce SC Performance Gap Acq/Rel implementations will get more efficient  Partly to support DRF0 languages Programming language improvements will reduce the number of DRF-unprovable accesses  Locked by annotations  Linear types  … 51

52 DRF0 is Leaving Some Optimizations on the Table [ISCA ‘12] Hardware supports an additional type 1.Thread-local loads/stores 2.Regular loads/stores 3.Acquire loads / Store releases Optimizations: 52 Acquire/ Release Acquire/ Release Acquire/ Release Acquire/ Release Local/ Regular Local/ Regular Local/ Regular Local/ Regular Acquire Release Local/ Regular Local/ Regular Local Regular Local Regular Local

53 Cost of End-to-End SC Average performance cost of end-to-end SC is 6.2% w.r.t stock compiler on TSO 53 SC-baseline HW + SC-compilerSC-hybrid HW + SC-compiler RMO HW + Stock-compilerx86 HW + SC-compiler

54 Conclusion Safe languages should protect their abstractions Program order and shared memory are important abstractions, guaranteed by sequential consistency Sequential consistency is realizable  With the right choices in the programming language, compiler, and the hardware 54

55 Acknowledgements This is joint work with some great collaborators: 55 Todd Millstein UCLA University of Michigan Abhay Singh Satish Narayanasamy Dan Marino UCLA/Symantec

56 Conclusion Safe languages should protect their abstractions Program order and shared memory are important abstractions, guaranteed by sequential consistency Sequential consistency is realizable  With the right choices in the programming language, compiler, and the hardware 56

Download ppt "A Safety-First Approach to Memory Models Madan Musuvathi Microsoft Research ISMM ‘13 Keynote 1."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Memory Consistency Models Kevin Boos. Two Papers Shared Memory Consistency Models: A Tutorial – Sarita V. Adve & Kourosh Gharachorloo – September 1995.

Memory Consistency Models Kevin Boos. Two Papers Shared Memory Consistency Models: A Tutorial – Sarita V. Adve & Kourosh Gharachorloo – September 1995.
The Case for a SC-preserving Compiler Madan Musuvathi Microsoft Research Dan Marino Todd Millstein UCLA University of Michigan Abhay Singh Satish Narayanasamy.

The Case for a SC-preserving Compiler Madan Musuvathi Microsoft Research Dan Marino Todd Millstein UCLA University of Michigan Abhay Singh Satish Narayanasamy.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Memory Models (1) Xinyu Feng University of Science and Technology of China.

Memory Models (1) Xinyu Feng University of Science and Technology of China.
CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,

CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
© Krste Asanovic, 2014CS252, Spring 2014, Lecture 12 CS252 Graduate Computer Architecture Spring 2014 Lecture 12: Synchronization and Memory Models Krste.

© Krste Asanovic, 2014CS252, Spring 2014, Lecture 12 CS252 Graduate Computer Architecture Spring 2014 Lecture 12: Synchronization and Memory Models Krste.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
DRF x A Simple and Efficient Memory Model for Concurrent Programming Languages Dan Marino Abhay Singh Todd Millstein Madan Musuvathi Satish Narayanasamy.

DRF x A Simple and Efficient Memory Model for Concurrent Programming Languages Dan Marino Abhay Singh Todd Millstein Madan Musuvathi Satish Narayanasamy.
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
By Sarita Adve & Kourosh Gharachorloo Review by Jim Larson Shared Memory Consistency Models: A Tutorial.

By Sarita Adve & Kourosh Gharachorloo Review by Jim Larson Shared Memory Consistency Models: A Tutorial.
Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.

Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.
1 Lecture 23: Transactional Memory Topics: consistency model recap, introduction to transactional memory.

1 Lecture 23: Transactional Memory Topics: consistency model recap, introduction to transactional memory.
1 Lecture 7: Consistency Models Topics: sequential consistency, requirements to implement sequential consistency, relaxed consistency models.

1 Lecture 7: Consistency Models Topics: sequential consistency, requirements to implement sequential consistency, relaxed consistency models.
Computer Architecture II 1 Computer architecture II Lecture 9.

Computer Architecture II 1 Computer architecture II Lecture 9.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
Memory Model Safety of Programs Sebastian Burckhardt Madanlal Musuvathi Microsoft Research EC^2, July 7, 2008.

Memory Model Safety of Programs Sebastian Burckhardt Madanlal Musuvathi Microsoft Research EC^2, July 7, 2008.

Similar presentations

Ads by Google