PARTIAL-COHERENCE ABSTRACTIONS FOR RELAXED MEMORY MODELS Presented by Michael Kuperstein, Technion Joint work with Martin Vechev, IBM Research and Eran Yahav, Technion 1

Sequential Consistency  We expect our programs to have  “Interleaving semantics”  Consistent with program order “The result of any execution is the same as if the operations of all the processors were executed in some sequential order, and the operations of each individual processor appear in this sequence in the order specified by its program.” – Leslie Lamport,

Process 0: flag[0] := true while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false Process 1: flag[1] := true while flag[0] = true { if turn ≠ 1 { flag[1] := false while turn ≠ 1 { } flag[1] := true } // critical section turn := 0 flag[1] := false 3 Dekker’s Algorithm for Mutual Exclusion Specification: mutual exclusion over critical section

… P0 Main Memory … P1 … … … … X Y Z X Y Z 123 Store Buffer Based Models 4  TSO & PSO  x86 ~ TSO  Memory Fences  Restore order  Every store before the fence becomes globally visible before anything after the fence executes storeflush load fence

Process 0: flag[0] := true fence while flag[1] = true { if turn ≠ 0 { flag[0] := false fence while turn ≠ 0 { } flag[0] := true fence } // critical section turn := 1 fence flag[0] := false fence 5 Memory Fences  Fences are expensive  10s-100s of cycles  Practical Significance  Data structures  Linux Kernel spinlocks  Placing fences manually  Overfencing: hurts performance  Underfencing: subtle bugs

Process 0: flag[0] := true fence while flag[1] = true { if turn ≠ 0 { flag[0] := false while turn ≠ 0 { } flag[0] := true } // critical section turn := 1 flag[0] := false 6 Memory Fences  Fences are expensive  10s-100s of cycles  Practical Significance  Data structures  Linux Kernel spinlocks  Placing fences manually  Overfencing: hurts performance  Underfencing: subtle bugs

Automatic Solutions  Equivalence to Sequential Consistency  Reduce program behaviors to sequentially consistent (SC) runs  High-level specifications are ignored  Goes back to Shasha & Snir [TOPLAS ’88]  Place fences to satisfy provided specification  Using specification may forbid less executions  May require fewer fences 7 Safe SC PSO

Goal  P’ satisfies the specification S under M Finite-State Program P Finite-State Program P Safety Specification S Safety Specification S Memory Model M Memory Model M Program P’ with Fences 8

General Recipe 1. Compute reachable states 2. Compute weakest constraints that guarantee all “bad states” are avoided 3. Implement the constraints with fences 9

Constraints 10  Constraint language  Not every transition can be prevented using a fence 10 P 2 : (D) LOAD R1 = X P 1 : (D) LOAD R1 = X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X P1:P1: P2:P2: 123 ABC X X Unavoidable [A < D]  [B < D]  [C < D]

Concrete Transition System 11  Building transition system under TSO/PSO is hard  No a-priori bound on buffer length  Unbounded state-space Even for programs that were finite-state under SC  Reachability has non-primitive recursive complexity [Atig et al., POPL ’10]

Abstract Memory Models (AMM) 12  Bounded approximation of unbounded buffers  Strictly weaker than concrete TSO/PSO  Finite-state programs remain finite-state  Reachability becomes effectively computable  Construct finite (abstract) transition system Apply fence inference Can also be used for verification Safe SC PSO AMM

Partial Coherence Abstractions 13 … P0 Main Memory … P1 … … … … X Y Z X Y X P0 Main Memory P1 X Z X Y Z Recent value Bounded length k Unordered elements Y Allows precise fence semantics Allows precise loads from buffer Keeps the analysis precise for “well behaved” programs Record what values appeared (without order or number)

Partial Coherence Abstractions {2,3,4,5} Concrete Abstract

Abstract Fence Inference 1. Compute reachable abstract states 2. Compute constraints. Precision depends on abstraction. 3. Implement the constraints with fences 15

Fence Inference Results 16  Benchmarks are mutual exclusion primitives  k - the bound on the FIFO part of the abstract buffer  PD more “aggressive” than FD ProgramFD k=0FD k=1FD k=2PD k=0PD k=1PD k=2 Sense0   Pet0  Dek0  Lam0    Fast0  Fast1a   Fast1b    Fast1c  

Summary  Partial-coherence abstractions  Verification without arbitrary bounds  Abstraction precision affects quality of results  Synthesis of fences  Can infer optimal fences for mutual exclusion primitives 17 P P S S M M P’

Questions 18

Related Work  Under-approximation  CheckFence [Burckhardt et al., PLDI ’07]  Fender [KVY, FMCAD ’10]  And more…  Over-approximation  Equivalence to SC Very imprecise Goes back to Shasha & Snir [TOPLAS ‘88]  Abstract Interpretation Varying precision Regular Abstraction [Linden et al., SPIN ’10] Partial-Coherence [KVY, PLDI ’11] 19