Barriers in Concurrent Separation Logic. Aquinas Hobor and Cristian Gherghina (National University of Singapore)

Presentation transcript:


Barriers. A barrier is a mechanism for synchronizing multiple parties at specific synchronization points. (Figure: threads A, B and C meeting at a barrier, plotted against time.)

Barriers: why barriers? We looked at PARSEC, the leading benchmark for shared memory systems, which provides a representative sample of parallel program workloads. Out of 13 PARSEC applications, 5 (38%) use barriers, in fields such as financial analysis, computer vision, engineering, animation and data mining.

Barriers: why barriers? They are not easy to reduce to other synchronization mechanisms such as locks or channels, and they have an interesting property: they are a multiparty, stateful synchronization mechanism.

Barriers in Concurrent Separation Logic (CSL). Aims: extend CSL with rules for reasoning modularly about barriers; define the necessary side conditions; prove the soundness of the barrier rules (and mechanically verify the proof in Coq).

Overview: an example of barrier use (a video compression algorithm); description of the notation; key observations and their translation to side conditions; the Hoare rules and side conditions; comments about the soundness proof.

Example of barrier usage: parallel video encoding. Divide the frame into n parts, one per thread. Each frame depends on the previous one; more than that, each part of a frame depends on the entire previous frame (e.g., moving objects). Sounds like a good place for a barrier!

Ridiculously simplified… We have two threads and four shared data memory cells, divided into pairs (x1, x2) and (y1, y2). Each thread computes one cell of the "current" pair using both cells from the "previous" pair. The threads synchronize with barrier b. Memory cell i, the frame counter, is also shared.

Code example (figure). Each thread runs: synchronize; write new frame Y, read old frame X; synchronize; read frame Y, write new X; counter++.

Code example (figure): the same code annotated with barrier states 0, 1, 2 and 3 for each of the two threads.

Barrier state machine (figure): states 0, 1, 2, ... with one transition per barrier call.

Observations. Barrier use is inherently stateful. For each thread, each state is characterized by reads from specific cells and writes to specific cells. From state to state and from thread to thread these permission requirements change. The transitions do not always mirror the control flow graph. State changes and permission reshuffling are tightly linked to the barrier calls.

Prerequisites (extensions to Separation Logic). "Maps-to" assertions: e1 ↦π e2 means the current thread owns the memory location pointed to by e1 with share π, and that location currently contains e2. π can be either the full share (reading and writing allowed), the empty share (nothing allowed), or a partial share, i.e., strictly between empty and full (read only). Two further symbols (not recoverable from this transcript) denote two distinct partial shares that combine to the full share.

Explaining a notation (figure: preconditions and postconditions over cells x1 and i).

Prerequisites (extensions to Separation Logic). The "is-a-barrier" assertion barrier(b, π, n) means the current thread owns the (nonempty) share π of the barrier b, which is currently in state n.

Explaining a notation (figure: cells x1 and i together with the barrier state).

Barriers in CSL. Problem: encoding the reshuffling of permissions and the staging associated with barrier calls. Solution: a state diagram with labeled transitions, where the labels consist of pairs of pre/postconditions.


Key restrictions on barrier definitions. 1. A barrier reshuffles; it does not create resources. Translated: for a given transition, the total preconditions and postconditions must be equal modulo the barrier state change.

Key restrictions on barrier definitions. 2. Threads always agree on the barrier state. Directions must be mutually exclusive: one thread cannot go left while the other goes right.
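Both restrictions can be checked mechanically on a barrier diagram. The following Python checker is an added example, not code from the paper or its Coq development: it encodes the labels of the two-thread encoder at the barrier that moves it from "write Y, read X" to "read Y, write X" as constructed share maps (the cell names x1, x2, y1, y2, the dict layout and the from/to fields are assumptions), sums each cell's shares over all threads, and reports a transition that creates resources or on which the threads disagree about the direction.

```python
from fractions import Fraction as F

# Shares as fractions: 1 is full (read+write), 0 is empty, strictly between is partial (read only).
FULL, EMPTY, HALF = F(1), F(0), F(1, 2)

def total_shares(share_maps):
    """Sum the share of each cell over all threads' labels (one side of a transition)."""
    totals = {}
    for shares in share_maps:
        for cell, share in shares.items():
            totals[cell] = totals.get(cell, EMPTY) + share
    return {c: s for c, s in totals.items() if s != EMPTY}

def check_transition(labels):
    """labels: one {'from','to','pre','post'} dict per thread for a single barrier transition.
    Restriction 2: every thread must name the same source and target state.
    Restriction 1: summed over threads, pre and post shares must agree cell by cell
    (the barrier state itself is the only thing allowed to change).
    Returns a list of human-readable violations; [] means the transition is well-formed."""
    errors = []
    froms, tos = {lab["from"] for lab in labels}, {lab["to"] for lab in labels}
    if len(froms) != 1 or len(tos) != 1:
        errors.append(f"threads disagree on direction: {sorted(froms)} -> {sorted(tos)}")
    for side in ("pre", "post"):
        for i, lab in enumerate(labels):
            for cell, share in lab[side].items():
                if not EMPTY < share <= FULL:  # a label may not hold more than a full share
                    errors.append(f"thread {i} {side}: bad share {share} on {cell}")
    pre = total_shares([lab["pre"] for lab in labels])
    post = total_shares([lab["post"] for lab in labels])
    for cell in sorted(set(pre) | set(post)):
        if pre.get(cell, EMPTY) != post.get(cell, EMPTY):
            errors.append(f"{cell}: pre total {pre.get(cell, EMPTY)} != post total {post.get(cell, EMPTY)}")
    return errors

# Constructed labels: thread 0 owns y1 and thread 1 owns y2 for writing while both read x1, x2;
# after the barrier each owns its x cell for writing and both read y1, y2.
ENCODER_STEP = [
    {"from": 1, "to": 2, "pre": {"y1": FULL, "x1": HALF, "x2": HALF},
                         "post": {"x1": FULL, "y1": HALF, "y2": HALF}},
    {"from": 1, "to": 2, "pre": {"y2": FULL, "x1": HALF, "x2": HALF},
                         "post": {"x2": FULL, "y1": HALF, "y2": HALF}},
]

# Same diagram, except thread 1 keeps its full share of y2 after the barrier: y2 is now 3/2 owned.
LEAKY_STEP = [dict(ENCODER_STEP[0]),
              {**ENCODER_STEP[1], "post": {"x2": FULL, "y1": HALF, "y2": FULL}}]

if __name__ == "__main__":
    print("encoder step:", check_transition(ENCODER_STEP) or "ok")
    print("leaky step:", check_transition(LEAKY_STEP))
```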

Hoare rules. There are other technical restrictions on barrier definitions, but they are less interesting. Instead, we will present our Hoare rules. Actually, almost all of our rules are standard: Skip, If, Sequence, While, Assign, Consequence, Frame, Store, Load, New, Free.

Barrier rule. Lookup_move finds a pre/postcondition in the barrier state diagram. Actually, this rule is so simple that it seems false: cs, ns and ln seem free in the premises!

Barrier rule. This is not so: cs and ns are uniquely determined (the barrier is in some state, and recall mutual exclusion of directions). ln is not determined, but if more than one is possible, then the barrier will never end!


The barrier call from line bn (figure: rule instance with postcondition {Q} and Γ(bn) = b).


The barrier call from line 13 (figure: the rule instantiated step by step over the following slides).


Soundness. Given a concurrent machine and an operational semantics defined for that machine, a Hoare rule is sound if, whenever a Hoare triple {P}c{Q} holds and Q is enough to ensure safety after c, all states satisfying P are safe. A state is safe if the machine blocks in none of its successor states.

Coq development (figure: the figures 3,352 and 16,598; their labels did not survive the transcript).

Take away. Common barrier usage makes barriers an implicitly stateful multiparty synchronization mechanism. We have introduced an amazingly simple Hoare rule for dealing with barrier calls, and we have proven the Hoare rules sound.