Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Analysis of Computer Algorithms
Symmetric Multiprocessors: Synchronization and Sequential Consistency.
1 Episode III in our multiprocessing miniseries. Relaxed memory models. What I really wanted here was an elephant with sunglasses relaxing On a beach,
0 - 0.
Formal Models of Computation Part II The Logic Model
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Lilian Blot Announcements Teaching Evaluation Form week 9 practical session Formative Assessment week 10 during usual practical sessions group 1 Friday.
1111 Abstract Data Types Cpt S 223. School of EECS, WSU.
1 Parallel Algorithms (chap. 30, 1 st edition) Parallel: perform more than one operation at a time. PRAM model: Parallel Random Access Model. p0p0 p1p1.
Eiffel: Analysis, Design and Programming Bertrand Meyer (Nadia Polikarpova) Chair of Software Engineering.
IBM T. J. Watson Research Center Conditions for Strong Synchronization Maged Michael IBM T J Watson Research Center Joint work with: Martin Vechev, Hagit.
1 Lecture 20: Synchronization & Consistency Topics: synchronization, consistency models (Sections )
Introduction to Compilation of Functional Languages Wanhe Zhang Computing and Software Department McMaster University 16 th, March, 2004.
Processes Management.
Effective Program Verification for Relaxed Memory Models Sebastian BurckhardtMadanlal Musuvathi Microsoft Research CAV, July 10, 2008.
CS 240 Computer Programming 1
1 Programming Languages (CS 550) Mini Language Interpreter Jeremy R. Johnson.
Hongjin Liang and Xinyu Feng
Memory Consistency Models Kevin Boos. Two Papers Shared Memory Consistency Models: A Tutorial – Sarita V. Adve & Kourosh Gharachorloo – September 1995.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
(C) 2001 Daniel Sorin Correctly Implementing Value Prediction in Microprocessors that Support Multithreading or Multiprocessing Milo M.K. Martin, Daniel.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
Requirements on the Execution of Kahn Process Networks Marc Geilen and Twan Basten 11 April 2003 /e.
Concurrent Executions on Relaxed Memory Models Challenges & Opportunities for Software Model Checking Rajeev Alur University of Pennsylvania Joint work.
1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.
CS 151 Digital Systems Design Lecture 37 Register Transfer Level
Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.
1 Lecture 21: Transactional Memory Topics: consistency model recap, introduction to transactional memory.
1 Memory Model Sensitive Analysis of Concurrent Data Types Sebastian Burckhardt Dissertation Defense University of Pennsylvania July 30, 2007.
Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.
1 Lecture 23: Transactional Memory Topics: consistency model recap, introduction to transactional memory.
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Computer Architecture II 1 Computer architecture II Lecture 9.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Joint work with Sebastian Burckhardt and Milo Martin UCLA, November.
Memory Model Safety of Programs Sebastian Burckhardt Madanlal Musuvathi Microsoft Research EC^2, July 7, 2008.
Data Flow Analysis Compiler Design Nov. 8, 2005.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Memory Consistency Models Some material borrowed from Sarita Adve’s (UIUC) tutorial on memory consistency models.
Maria-Cristina Marinescu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology A Synthesis Algorithm for Modular Design of.
Evaluation of Memory Consistency Models in Titanium.
Shared Memory Consistency Models: A Tutorial Sarita V. Adve Kouroush Ghrachorloo Western Research Laboratory September 1995.
Maged M.Michael Michael L.Scott Department of Computer Science Univeristy of Rochester Presented by: Jun Miao.
Memory Consistency Models. Outline Review of multi-threaded program execution on uniprocessor Need for memory consistency models Sequential consistency.
Threads cannot be implemented as a library Hans-J. Boehm (presented by Max W Schwarz)
Concurrency Properties. Correctness In sequential programs, rerunning a program with the same input will always give the same result, so it makes sense.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
Agenda  Quick Review  Finish Introduction  Java Threads.
A Single Intermediate Language That Supports Multiple Implemtntation of Exceptions Delvin Defoe Washington University in Saint Louis Department of Computer.
Symmetric Multiprocessors: Synchronization and Sequential Consistency
Lecture 20: Consistency Models, TM
Memory Consistency Models
Threads Cannot Be Implemented As a Library
Department of Computer Science, University of Rochester
Memory Consistency Models
Specifying Multithreaded Java semantics for Program Verification
A Lock-Free Algorithm for Concurrent Bags
Course supervisor: Lubna Siddiqui
Symmetric Multiprocessors: Synchronization and Sequential Consistency
Symmetric Multiprocessors: Synchronization and Sequential Consistency
Over-Approximating Boolean Programs with Unbounded Thread Creation
Lecture 22: Consistency Models, TM
Memory Consistency Models
Programming with Shared Memory Specifying parallelism
Lecture: Consistency Models, TM
Presentation transcript:

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer and Information Science University of Pennsylvania CAV 2006, Seattle

Sebastian Burckhardt -2- softwaremultiprocessor concurrent executions bugs The General Problem concurrency libraries can help e.g. Java JSR-166 but how to debug the libraries?

Sebastian Burckhardt -3- optimized implementations of concurrent datatypes shared-memory multiprocessor with relaxed memory model bugs The Specific Problem case study: use SAT solver to find bugs concurrent executions

Sebastian Burckhardt -4- Case Study: Two-Lock Queue Algorithm published by M. Michael and M. Scott [PODC 1996] 123 head lock tail lock Singly linked list with head and tail pointers Dummy node at front Independent head and tail locks allows for concurrent enqueue() and dequeue() Race condition if queue is empty head lock tail lock

Sebastian Burckhardt -5- client program observes ordering of operation calls within each thread argument and return values of the operation code is correct if and only if all executions are observationally equivalent to some serial execution (def. serial: interleaved at operation boundaries only) We assume serial executions are correct (can be verified by convential sequential methods) thread 1 enqueue(1) enqueue(2) thread 2 enqueue(3) dequeue() 1 thread 3 dequeue() 3 dequeue() 2 Case Study: Our Correctness Criterion

Sebastian Burckhardt -6- Finer Interleavings = More Executions serial executions threads interleave the operations (operations are atomic) (operations are in-order) sequentially consistent executions threads interleave the instructions (instructions are atomic) (instructions are in-order) relaxed executions hardware makes performance- motivated compromises (stores may be non-atomic) (loads/stores may be out-of-order) Serial SC Relaxed Reordered Instructions = More Executions

Sebastian Burckhardt -7- Case Study: Relaxed Memory Models Example: output not consistent with any interleaved execution! can be the result of out-of-order stores can be the result of out-of-order loads improves performance (more choices for processor) Q: Why doesnt everything break? A: Relaxations are transparent to normal programs uniprocessor semantics are preserved library code for lock/unlock contains memory ordering fences x = 1 y = 2 print y print x thread 1thread 2 2 0

Sebastian Burckhardt -8- Which Memory Model? Memory models are platform dependent We use a conservative approximation Relaxed to capture common effects Once code is correct for Relaxed, it is correct for all models See paper for formal spec of Relaxed TSO PSO PPCAlpha Relaxed RMO 390 SC

Sebastian Burckhardt -9- Halftime Overview General motivation Case study parameters Two-lock queue implementation Correctness criterion Relaxed memory models Our verification method Symbolic tests SAT encoding Results Bugs found Evaluation & Conclusion done coming up

Sebastian Burckhardt -10- Our Verification Method Encoder SAT solver implementation code with commit points symbolic test passcounterexample

Sebastian Burckhardt -11- thread 1 enqueue(X) thread 2 dequeue() Y How To Bound Executions Verify individual symbolic tests finite number of operations nondeterministic instruction order nondeterministic input values Example (this is the smallest one in our test suite) User creates suite of tests of increasing size 1

Sebastian Burckhardt -12- Why symbolic test programs? 1) Avoid undecidability by making everything finite: State is unbounded (dynamic memory allocation)... is bounded for individual test Sequential consistency is undecidable... is decidable for individual test 2) Gives us finite instruction sequence to work with State space too large for interleaved system model.... can directly encode value flow between instructions Memory model specified by axioms.... can directly encode ordering axioms on instructions

Sebastian Burckhardt -13- Implementation code we hand-translated Michael & Scotts code (above) into a low-level representation that uses explicit loads, stores we added code for dynamic memory allocation and locks 2

Sebastian Burckhardt -14- Commit points designate where the operation commits logically given order of commit points, we can construct serial witness execution eliminates the in executions equivalent serial execution 3

Sebastian Burckhardt -15- Counterexample Trace thread 1 enqueue (1) thread 2 dequeue() commit point order (3 < 6) indicates that enqueue precedes dequeue, so we would expect dequeue() 1 incorrect value (0) of queue element gets read (7) before correct value (1) is being written (11). 4

Sebastian Burckhardt -16- Encoding Given symbolic test T(A, B) memory model Y implementation code & commit point specifications Encoding First step: encode concurrent executions of T on Y as solutions to CNF formula Y (A, B, X) (aux vars X) Second step: encode counterexamples as solutions to Y (A, B, X) Atomic (A, B, X) (A = A ) (commit point orders match) ((B B ) (some operations commit out of order)) thread 1 enqueue(A) thread 2 dequeue() B 5

Sebastian Burckhardt -17- Encoding Detail: Obtain Symbolic Instruction Stream Finite instruction sequence for each thread Only loads, stores, moves, and fences Each register is assigned exactly once Control flow represented by predicates

Sebastian Burckhardt -18- Encoding Detail: Memory Order Example: two threads: Encoding variables Use bool vars for relative order (x<y) of memory accesses Use bitvector variables A x and D x for address and data values associated with memory access x Encode constraints encode transitivity of memory order encode ordering axioms of the memory model Example (for SC): (s1<s2) (l1<l2) encode value flow Loaded value must match last value stored to same address Example: value must flow from s1 to l1 under following conditions: ( (s1<l1) ( A s1 = A l1 ) ( (s2<s1) (l1<s2) ( A s2 A l1 ) ) ) ( D s1 = D l1 ) s1 store s2 store l1 load l2 load thread 1thread 2 O(n 2 ) O(n 3 )

Sebastian Burckhardt -19- Encoding Detail: The combined formula communication formula memory order variables input values output values intermediate values thread-local formulas

Sebastian Burckhardt -20- So what did we learn in the case study? General motivation Case study parameters Two-lock queue implementation Correctness criterion Relaxed memory models Our verification method Symbolic tests SAT encoding Results Bugs found Evaluation & Conclusion done coming up

Sebastian Burckhardt -21- Results: 5 code problems found 3 were mistakes we made first commit point guess was wrong incorrect/insufficient fences in lock/unlock and alloc/free 2 were caused by missing fences in queue implementation (not fault of authors... were assuming SC multiprocessor) ---store-store-fence ---load-load-fence

Sebastian Burckhardt -22- Results: Scalability Graph shows tests in our suite (unsatisfiable instances only) y-axis : runtime in seconds x-axis : # accesses (loads/stores) in test Fast on small tests, slow on long tests Not sensitive to # threads All 5 problems were found on smallest 2 tests... all under 1 sec

Sebastian Burckhardt -23- Conclusion quickly finds subtle bugs supports relaxed memory models counterexample traces catches broad range of bugs (not limited to deadlocks or data races) is more automatic than deductive methods not truly scalable (though scalable enough to be useful) not fully automatic does not solve full problem (bounded instances, commit points) We would recommend this method to designers and implementors of concurrent data types. PROsCONs FUTURE WORK & CHALLENGES

Sebastian Burckhardt -24-

Sebastian Burckhardt -25- Ordering/Atomicity Relaxations store A, 1 load B, 0 store B, 1 load A, 0 processor 1processor 2 initially A=B=0 pink numbers = memory order store A, 1 load A, reg store reg, B load B, 1 load A, 0 processor 1processor 2 initially A=B=0 split store into local / remote components 1/ EXAMPLE 1 store, load may execute out of order EXAMPLE 2 stores are buffered locally before effect is global The following 2 examples illustrate the main effects (1. ordering relaxation / 2. atomicity relaxation) Where necessary, a programmer can prevent these effects by inserting fence instructions

Sebastian Burckhardt -26- What code? Data type implementations optimized for concurrent execution (Concurrency libraries) What machines? Common shared-memory multiprocessors (e.g. PPC, Sparc, Alpha) What bugs? Bugs caused by concurrency (We assume code runs fine if single-threaded)

Sebastian Burckhardt -27- Encoding Concurrent Executions x 1 load a[0], R1 x 2 store R1, y x 3 load y, R2 move R2+1, R3 x 4 store 1, a[R3] Variables O(n 2 ) bitvectors R1, R2, R3 for intermediate values boolean variables M ij to represent memory order x i < x j (for i < j) Constraints O(n 3 ) memory order is transitive: Λ i<j<k (M ij M jk ) M ik loads get latest value stored to same address memory order must respect memory model axioms and fences (e.g. sequential consistency requires M 12 M 34 ) thread-local computations connect values (e.g. R3 = R2 + 1) label

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.