Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova.

Slides:



Advertisements
Similar presentations
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Advertisements

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Rules of Matrix Arithmetic
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
The Spin Model Checker Promela Introduction Nguyen Tuan Duc Shogo Sawai.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Linear Systems and Matrices
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
Today Objectives Chapter 6 of Quinn Creating 2-D arrays Thinking about “grain size” Introducing point-to-point communications Reading and printing 2-D.
1.2 Gaussian Elimination.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Chapter 1 Systems of Linear Equations and Matrices
CS32310 MATRICES 1. Vector vs Matrix transformation formulae Geometric reasoning allowed us to derive vector expressions for the various transformation.
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson.
Temporal Logic Model-checking with SPIN
May University of Glasgow Generalising Feature Interactions in Muffy Calder, Alice Miller Dept. of Computing Science University of Glasgow.
Message-Passing Computing Chapter 2. Programming Multicomputer Design special parallel programming language –Occam Extend existing language to handle.
An Introduction to MPI (message passing interface)
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Message Passing Programming Based on MPI Collective Communication I Bora AKAYDIN
4 - Conditional Control Structures CHAPTER 4. Introduction A Program is usually not limited to a linear sequence of instructions. In real life, a programme.
Solving Systems of Equations Using Matrices
MAT 322: LINEAR ALGEBRA.
Auburn University
Hans Bodlaender, Marek Cygan and Stefan Kratsch
Scalability for Search
Formal verification in SPIN
CSE 503 – Software Engineering
Threads Cannot Be Implemented As a Library
Auburn University COMP7330/7336 Advanced Parallel and Distributed Computing Mapping Techniques Dr. Xiao Qin Auburn University.
MPI Message Passing Interface
Automatic Verification
Parallel Programming with MPI and OpenMP
Chapter 1 Systems of Linear Equations and Matrices
Collective Communication Operations
Propositional Calculus: Boolean Algebra and Simplification
Matrices and Systems of Equations
Lecture 14: Inter-process Communication
Lectures on Graph Algorithms: searching, testing and sorting
Iteration Implemented through loop constructs (e.g., in C++)
CSCE569 Parallel Computing
COMP60621 Fundamentals of Parallel and Distributed Systems
Loop Statements & Vectorizing Code
UNIVERSITY OF MASSACHUSETTS Dept
An explicit state model checker
Approximating the Buffer Allocation Problem Using Epochs
A Refinement Calculus for Promela
Abstraction.
Chapter 3: Selection Structures: Making Decisions
Chapter8: Statement-Level Control Structures April 9, 2019
UNIVERSITY OF MASSACHUSETTS Dept
Chapter 3: Selection Structures: Making Decisions
Loop Statements & Vectorizing Code
COMP60621 Designing for Parallelism
Chapter 13 Recursion Copyright © 2010 Pearson Addison-Wesley. All rights reserved.
Synchronizing Computations
COMP60611 Fundamentals of Parallel and Distributed Systems
Chapter 13: I/O Systems.
CSE 503 – Software Engineering
Presentation transcript:

Verification of Data-Dependent Properties of MPI-Based Parallel Scientific Software Anastasia Mironova

Problem It is hard to create “correct” parallel programs Concurrency adds complexity and introduces problems such as deadlock and race conditions Nondeterminacy makes testing even less effective Model checking techniques have been applied to concurrent systems, however Focus on patterns of communication and not correctness of the computation Limited experience with MPI-based programs

Objective Verification of MPI-based programs using model checking and symbolic execution Properties considered Freedom from Deadlock Correctness of Computation

Approach Use a model checker to explore all possible executions Deadlock detection Modeling MPI functions Abstracting away unnecessary data Computational correctness Extend the model checker to create symbolic representations of the executions Compare the sequential program’s symbolic representation of the result to the parallel program’s representation

Outline Model checking Modeling the program MPI functions Freedom from deadlock Correctness of Computation Carrying out the verification Experimental results

Typical Model Checking Architecture Program (C, MPI) Property Usually represented in temporal logic or sometimes as an automaton abstraction Program Model (PROMELA) Builds a graph representing all possible states of the system State explosion problem: number of states is exponential in the number of concurrent processes Hence necessary to create an abstracted version of the program to eliminate unnecessary details wrt the property being proved Model Checker (SPIN) counter example (execution trace) produced property verified

Case Studies Matrix Multiplication - Gauss-Jordan Elimination – written by my classmates and myself as one of the assignments for the Programming Languages Course in Computer Science (CS331) at the University of Alaska, Anchorage Gauss-Jordan Elimination – written at the University of Massachusetts, Amherst under the guidance of Dr. Stephen Siegel Testing was performed on both of these implementations and based on the results the code was assumed to be correct.

Modeling The Program Key Abstractions: Processes and communication channels Collective MPI functions Messages

Processes and Channels in PROMELA Coordinator Definition of Processes: active proc Root{…} active proc [numprocs - 1] NonRoot{…} active proc Coordinator{…} Definition of Channels: /*Data channels from root to non-root nodes*/ chan chan_from_root[nprocs] /*Data Channels from non-root nodes to root */ chan chan_to_root[nprocs] /*Collective communication channels from nodes to Coordinator */ chan chan_c[nprocs] NonRoot[0] Root … NonRoot[nprocs -1]

Modeling MPI Functions: Coordinator Process The Coordinator process is used to model the collective MPI functions MPI_Bcast and MPI_Reduce: MPI_Bcast MPI_Reduce BCAST REDUCE Proc 0 Proc 0 Proc 1 Proc 1 Coordinator Coordinator … … … … Proc n Proc n …wait for all processes to receive data from root… …wait for the root process to collect data from all procs… DONE DONE Proc 0 Proc 0 Coordinator Proc 1 Proc 1 Coordinator … … … Proc n Proc n

Communication Messages Messages between the coordinator and processes participating in the computation are abstracted in the following manner: mtype = {BCAST, REDUCE, DONE}, where BCAST is a message sent to the Coordinator process by every process participating in the computation at the beginning of all the MPI_Bcast collective routines REDUCE is sent to the Coordinator process by every process participating in the computation at the beginning of all the MPI_Reduce collective routines DONE is sent to the Coordinator process by processes participating in the computation upon completion of every collective operation as expected by the Coordinator process

Modeling to Check Freedom From Deadlock Further abstraction of data mtype = {BCAST, REDUCE, DONE, DATA} Example: Process with rank root broadcasting data to all process participating in the computation: Original: MPI_Bcast(void *buffer, int count, MPI_Datatype datatype, int root, MPI_Comm comm) Simplified: MPI_Bcast(int root, DATA); - data unit is abstract. Accounting for synchronization issues of a blocking send operation channel!message if :: 1 -> empty(channel) :: 1 -> skip fi

Verifying Freedom from Deadlock Applying the SPIN Model Checker No need for special property definition Scalability – raw – utilizing optimizations of SPIN results in extended capabilities

Modeling Computation MPI Communication Symbolic expressions – the same as in the deadlock model Symbolic expressions Representation in PROMELA: typedef Expn{ byte length; byte array[maxExpnSize] } Enumeration: a2 a3 a4 b11 b12 b13 Note: 0 and 1 are reserved for representing integer constants. A = a5 a6 a7 B = b14 b15 b16 a8 a9 a10 b17 b18 b19 Reverse Polish notation: C1,1 = b17a4* b14 a3 *+ b11a2 *+ Representation in PROMELA using arrays of bytes: * 17 4 * 14 3 * + 11 2 * + Note: *, + are actually represented with byte values 255 and 254, respectively.

Validating the Results Key Idea: Implement both the sequential and parallel versions of the algorithm Apply SPIN and compare the symbolic expressions produced Conclude that the result of the parallel computations is correct if it matches the output of the sequential code. Example: Multiplication of matrices Symbolic computation is performed in parallel, generating a matrix of expressions on the root process The root process does the symbolic computations sequentially The root process loops through the two resultant structures checking that the two are the same via a set of assertions sequential parallel results compare

More Interesting Example: Gauss-Jordan Elimination Definition: Reduced Row-Echelon form Properties of a matrix in the reduced row-echelon form: Each row contains only zeros until the first non-zero element, which must be a 1 As the rows are followed from top to bottom, the first nonzero number occurs further to the right than in the previous row The entries above and below the first 1 in each row must be all 0 Example: Original matrix Reduced Row-Echelon form -2 7 12 1 2 3 7 Gauss-Jordan Elimination 2 4 -10 6 12 28 1 1 2 4 -5 6 -5 -1 1 2

Matrix Multiplication vs. Gauss-Jordan Elimination Why is it harder to verify the correctness of the Gauss-Jordan Elimination? Need to introduce branching when conditions are functions of data The property is harder to express since there is no closed formula of the answer, again, consequence of data dependencies

Example of Symbolic Gauss-Jordan Elimination on a 2X2 matrix Case 1: a11 = 0 Consider A = a11 a12 a21 = 0 a12 = 0 a21 a22 a22 = 0 Case 2: a11 = 0 Case 3: a11 = 0 a21 = 0 a21 = 0 1 a12 = 0 a12 != 0 1 a22 != 0 a22 free a11 = 0 a21 != 0 Case 4: Case 5: a11 != 0 a12 free 1 a22 free 1 a12/a11 a22- a21*a12/a11 != 0 a11 != 0 1 a22- a21*a12/a11 != 0

Dealing with Data Dependencies Explore Both Branches Keep a table of path conditions a11 ? 0 a11 = 0 a11 != 0 Modeling a non-deterministic choice in PROMELA: if :: 1 -> /* Assume (a11 == 0) */ /* Add expression (a11 == 0) to the path conditions table */ … :: 1 -> /* Assume (a11 != 0) */ /* Add expression (a11 != 0) to the path conditions table */ fi

Experimental Evaluation Problems Unreasonable execution time (exponential); Insufficient memory (“large” cases never run to completion); Distinguishing feature: The common problem of state explosion is overshadowed by issues associated with the size of the State Vector; Experimental Results Multiplication of Matrices Matrix dimensions: nxn, where n = 2, 3, …, 7 Number of processes: numprocs = 1, …, 10 Gauss-Jordan Elimination Sequential Matrix sizes: mxn, where m, n = 2, 3, 4 Parallel

Conclusions Deadlock detection Computational correctness demonstrated applicability of abstractions scaled somewhat reasonably – ability to do non-trivial sizes of matrices Computational correctness sequential model capable of handling non-trivial sizes of matrices using SPIN to create symbolic expressions and comparing these expressions for the parallel and sequential versions of the algorithm Although more work needs to be done, this project served as a proof of concept. Conference paper in progress.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.