Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Slides:

Advertisements

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Advertisements

Implementation and Verification of a Cache Coherence protocol using Spin Steven Farago.

Priority INHERITANCE PROTOCOLS

Wait-Free Linked-Lists Shahar Timnat, Anastasia Braginsky, Alex Kogan, Erez Petrank Technion, Israel Presented by Shahar Timnat 469-+

Progress with Progress Guarantees Erez Petrank - Technion Based on joint work with Anastasia Braginsky, Alex Kogan, Madanlal Musuvathi, Filip Pizlo, and.

N-Consensus is the Second Strongest Object for N+1 Processes Eli Gafni UCLA Petr Kuznetsov Max Planck Institute for Software Systems.

© 2005 P. Kouznetsov Computing with Reads and Writes in the Absence of Step Contention Hagit Attiya Rachid Guerraoui Petr Kouznetsov School of Computer.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Maged M. Michael, “Hazard Pointers: Safe Memory Reclamation for Lock- Free Objects” Presentation Robert T. Bauer.

Wait-Free Reference Counting and Memory Management Håkan Sundell, Ph.D.

Parallel Programming Motivation and terminology – from ACM/IEEE 2013 curricula.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Concurrency 101 Shared state. Part 1: General Concepts 2.

An On-the-Fly Mark and Sweep Garbage Collector Based on Sliding Views Hezi Azatchi - IBM Yossi Levanoni - Microsoft Harel Paz – Technion Erez Petrank –

Locality-Conscious Lock-Free Linked Lists Anastasia Braginsky & Erez Petrank 1.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Race Conditions. Isolated & Non-Isolated Processes Isolated: Do not share state with other processes –The output of process is unaffected by run of other.

1 The Compressor: Concurrent, Incremental and Parallel Compaction. Haim Kermany and Erez Petrank Technion – Israel Institute of Technology.

On the limits of partial compaction Anna Bendersky & Erez Petrank Technion.

Lock-free Cuckoo Hashing Nhan Nguyen & Philippas Tsigas ICDCS 2014 Distributed Computing and Systems Chalmers University of Technology Gothenburg, Sweden.

Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.

CS510 Concurrent Systems Class 13 Software Transactional Memory Should Not be Obstruction-Free.

CS Distributed Computing Systems Chin-Chih Chang, An Introduction to Threads.

Multithreading in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

A. Frank - P. Weisberg Operating Systems Introduction to Tasks/Threads.

SUPPORTING LOCK-FREE COMPOSITION OF CONCURRENT DATA OBJECTS Daniel Cederman and Philippas Tsigas.

Java How to Program, 9/e CET 3640 Professor: Dr. Reyes Álamo © Copyright by Pearson Education, Inc. All Rights Reserved.

Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.

Threads in Java. History  Process is a program in execution  Has stack/heap memory  Has a program counter  Multiuser operating systems since the sixties.

Joseph Cordina 1/11 The Use of Model-Checking for the Verification of Concurrent Algorithms Joseph Cordina Department of C.S.&A.I.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Introduction to Concurrency.

Characterizing Progress Properties of Concurrent Objects via Contextual Refinements Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.

Maged M.Michael Michael L.Scott Department of Computer Science Univeristy of Rochester Presented by: Jun Miao.

On the Performance of Window-Based Contention Managers for Transactional Memory Gokarna Sharma and Costas Busch Louisiana State University.

A Methodology for Creating Fast Wait-Free Data Structures Alex Koganand Erez Petrank Computer Science Technion, Israel.

Wait-Free Multi-Word Compare- And-Swap using Greedy Helping and Grabbing Håkan Sundell PDPTA 2009.

Practical concurrent algorithms Mihai Letia Concurrent Algorithms 2012 Distributed Programming Laboratory Slides by Aleksandar Dragojevic.

Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects Maged M. Michael Presented by Abdulai Sei.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Concurrency & Dynamic Programming.

Software Transactional Memory Should Not Be Obstruction-Free Robert Ennals Presented by Abdulai Sei.

Gal Milman Based on Chapter 10 (Concurrent Queues and the ABA Problem) in The Art of Multiprocessor Programming by Herlihy and Shavit Seminar 2 (236802)

A Program Logic for Concurrent Objects under Fair Scheduling Hongjin Liang and Xinyu Feng University of Science and Technology of China (USTC) To appear.

Program Logic for Concurrency Refinement Verification Xinyu Feng University of Science and Technology of China Joint work with Hongjin Liang (USTC) and.

ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.

13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.

Techniques and Structures in Concurrent Programming Wilfredo Velazquez.

Tornado: Maximizing Locality and Concurrency in a Shared Memory Multiprocessor Operating System Ben Gamsa, Orran Krieger, Jonathan Appavoo, Michael Stumm.

On the limits of partial compaction Nachshon Cohen and Erez Petrank Technion.

MULTIVIE W Slide 1 (of 21) Software Transactional Memory Should Not Be Obstruction Free Paper: Robert Ennals Presenter: Emerson Murphy-Hill.

From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.

Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)

Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects MAGED M. MICHAEL PRESENTED BY NURIT MOSCOVICI ADVANCED TOPICS IN CONCURRENT PROGRAMMING,

Agenda  Quick Review  Finish Introduction  Java Threads.

Concurrent Programming in Java Based on Notes by J. Johns (based on Java in a Nutshell, Learning Java) Also Java Tutorial, Concurrent Programming in Java.

ECE 1747: Parallel Programming Short Introduction to Transactions and Transactional Memory (a.k.a. Speculative Synchronization)

Silberschatz, Galvin and Gagne ©2009Operating System Concepts – 8 th Edition Chapter 4: Threads.

Healing Data Races On-The-Fly

Background on the need for Synchronization

Challenges in Concurrent Computing

Applied Operating System Concepts

Deadlock Detection for Distributed Process Networks

Programming with Shared Memory Specifying parallelism

Presentation transcript:

Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft

Advances in Parallel Programming Attempts to simplify – Automatic parallelization, easy models (transactional memories), new languages, platforms, tools for debugging, … Develop our understanding – Define good and bad properties of parallel systems and parallel runs (deadlocks, data races, lock-freedom), logics for arguing about parallel runs, verification methods, compositionality, …

A Progress Guarantee Intuitively: “ No matter which interleaving is scheduled, my program will make progress. ” “Progress” is something the developer defines. – Specific lines of code

Progress Guarantees Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Great guarantee, but difficult to achieve. Somewhat weak. Wait-Freedom If you schedule enough steps of any thread, it will make progress. Wait-Freedom If you schedule enough steps of any thread, it will make progress. Obstruction-Freedom If you let any thread run alone for enough steps, it will make progress. Obstruction-Freedom If you let any thread run alone for enough steps, it will make progress.

Concentrate on Lock-Freedom Realistic (though difficult): Various algorithms appear in the literature: data structures (stack, queue, hashing, skiplist, etc.), Michael’s allocator, garbage collectors, etc. Advantages: Worst-case responsiveness, scalability, no deadlocks, no livelocks, added robustness to threads fail-stop. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress.

Observations Can progress be guaranteed when using locks ? – No ! – Thread T 1 can hold a lock and not be scheduled while T 2 waits for the lock.

Observations Can progress be guaranteed when using locks ? – No ! Is progress guaranteed when we do not employ locks? – No ! – Computation can be blocked by fine-grained synchronization. While ( ! CAS(addr,0,1) ) ; Work on shared space; *addr = 0; While ( ! CAS(addr,0,1) ) ; Work on shared space; *addr = 0;

Observations Can progress be guaranteed when using locks ? – No ! Is progress guaranteed when we do not employ locks? – No ! Can we determine if a given program has a progress guarantee? – No ! – We cannot generally decide which paths of the computation are reachable.

Observations Can progress be guaranteed when using locks ? – No ! Is progress guaranteed when we do not employ locks? – No ! Can we determine if a given program has a progress guarantee? – No ! Thus, even if we do not employ locks, it is necessary to argue that the program makes progress.

Agenda Progress guarantees & lock-freedom intro  Motivate and define bounded lock-freedom ( Formalize using LTL & Model Checking ) Motivate and define system support for lock-freedom (composability) Conclusion Lock-freedom supporting garbage collection

Definition:  execution π,  a bound k, such that  point in the execution, if the threads run k steps, one of them will make progress. – Rigorous, – but provides a intangible guarantee: when will progress be made? In 10 steps? Or 100,000,000? Defining Lock-Freedom Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress.

Defining Lock-Freedom Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. My program is certified to make progress. Do you really need to know when?

Defining Lock-Freedom A more tangible guarantee:  a bound k, such that  execution π, and  point in the execution, if the threads run k steps, one of them will make progress. – Bounded lock-freedom: allows quantifying the guarantee. – Important whenever the bound needs be specified. – Not so easy… Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress.

Defining Lock-Freedom A more tangible guarantee:  a bound k, such that  execution π, and  point in the execution, if the threads run k steps, one of them will make progress. – Bounded lock-freedom: allows quantifying the guarantee. – Important whenever the bound needs be specified. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Lock-Freedom If you schedule enough steps across all threads, one of them will make progress. Problem: nothing “reasonable” would satisfy this def.

Problem with First Attempt A running thread Progress points in the execution Current execution position k threads

Problem with First Attempt k threads Naïve solution: let k depend on the num of threads.

Bounded Lock-Freedom Pitfalls Consider:  τ,  k, such that  execution π that does not run more than τ threads, and  point in the execution, if the threads run k steps, one of them will make progress. Problem: everything lock-free is bounded lock-free. – Let your algorithm run. If it fails to make progress on time, invoke a few more threads to increase τ, and buy more time until progress is required. Solution: let k depend on the input.

Bounded Lock-Freedom Definition A program is bounded lock-free if  n  k such that,  input x of length n,  execution of the program on the input x, and  possible point in the execution, if the threads run k steps, one of them will make progress.

Bounded Lock-Freedom Definition On inputs of length n, my program makes progress within 2n steps! No other program can do that! What if the system does not have a natural input ? Create a “complexity” input 1 n (a standard trick from complexity and cryptography) What if the system does not have a natural input ? Create a “complexity” input 1 n (a standard trick from complexity and cryptography)

Formalization and Model Checking Formalization using Linear Temporal Logic. Model checking for an implementation of a lock-free stack implementation. See Paper…

Services Supporting Lock- Freedom

Consider system services: event counters, memory management, micro-code interpreters, caching, paging, etc. Normally, designs of lock-free algorithms assume that the underlying system operations do not foil lock-freedom.

Can We Trust Services to Support Lock-Freedom ? Valois’ lock-free linked-list algorithm has a well known C++ implementation, which uses the C++ new operation. A hardware problem: lock Free algorithms typically use CAS or LL/S, but LL/SC implementations are typically weak: spurious failures are permitted.

Can We Trust Services to Support Lock-Freedom ? Background threads may also cause difficulties ! – Consider an event counter with create(); inc(); dec(); zero(); – If one thread fails to update the counter, another must succeed  lock-freedom. – But, if a background thread presents statistics graphically, and may reset its value, then the program may not make progress. Conclusion: system support matters.

A Service background program Service operation

A Service We’d like to separate the discussion: – Show that a program is lock-free – Show that a system supports lock-freedom And then compose – Composition theorem: any execution of a lock-free program on a lock-free supporting service is lock-free. background program

Projecting Service Operations background program background Service operations program

Lock-Free Program A program is lock free if: – It is lock-free when service operations are executed in a single step. – Service calls are valid (for the service). –  n  τ(n), such that on inputs of length n, the program: does not simultaneously run more than τ (n) threads. Calls the service operations with inputs of length ≤ n. The natural requirement The service’s guarantees depend on its use: bounded concurrency and bounded inputs.

A Service Supports Lock-freedom Let e s be a valid execution of service operation sequence. e s is k-bounded lock-free if at any point in the execution, after the projected service operations run k steps jointly, one of the threads will finish an operation. A service supports lock-freedom if  n  τ  k, such that if inputs to operations never exceed n, and number of simultaneous concurrent threads never exceeds τ, then the projected service execution is k-bounded lock-free.

The Composition Theorem Let P be a program and let S be a service. If: 1.Program P is lock-free. 2.The service S supports lock-freedom. 3.The program P does not communicate with the service except via the service operations, Then the joint execution of the program P using the service S is lock-free.

Related Work [Herlihy91] presented wait- and lock-freedom Vast literature on designing lock-free algorithms (see [ The Art of Multiprocessor Programming, Herlihy & Shavit 2008 ]. Formal definitions (unbounded LF) [ Dongol, ICFEM’06 ]. First (and only) automatic verification of lock-free data structures [Gotsman et al. POPL’09] Various lock-free garbage collectors – First one by Herlihy & Moss – Moving lock-free collectors by Pizlo-Petrank-Steensgaard PLDI’08

Conclusion We’ve introduced, motivated, and formally defined bounded lock-freedom. The formal definition was used with Chess to model- check a lock-free stack implementation. Real-world examples motivate system support for lock-freedom. Defining system support for lock-freedom: a framework and a composability theorem.

Open Problems Classify the guarantees provided by known lock-free algorithms. Lower bounds for interesting tasks. Dealing with weak memory models. More model checking and verification of (bounded) lock-free algorithms.