1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian...
-
date post
18-Dec-2015 -
Category
Documents
-
view
223 -
download
0
Transcript of 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian...
![Page 1: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/1.jpg)
1
CheckFence: Checking Consistency of Concurrent Data Types
on Relaxed Memory Models
Sebastian BurckhardtRajeev Alur
Milo M. K. Martin
Department of Computer and Information Science
University of Pennsylvania
June 6, 2007
![Page 2: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/2.jpg)
2
General Motivation
Multi-threaded Software Shared-memory Multiprocessor
Concurrent Executions
Bugs
![Page 3: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/3.jpg)
3
Specific Motivation
Multi-threaded Softwarelock-free synchronization(intentional races)
Shared-memory Multiprocessorwith relaxed memory model
Concurrent Executionsnot always sequentiallyconsistent
Bugs
![Page 4: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/4.jpg)
4
concurrency libaries with lock-free synchronization
... are simple, fast, and safe to use– concurrent versions of queues, sets, maps, etc.
– more concurrency, less waiting
– fewer deadlocks
... are notoriously hard to design and verify– tricky interleavings routinely escape reasoning and testing
– exposed to relaxed memory modelscode needs to contain memory fences for correct operation!
Specific Motivation
![Page 5: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/5.jpg)
5
... are simple, fast, and safe to use– concurrent versions of queues, sets, vectors, etc.
– more concurrency, less waiting
– fewer deadlocks
... are notoriously hard to design and verify– tricky interleavings
– exposed to relaxed memory modelscode needs memory fences for correct operations
Specific Motivation
DATA TYPE IMPLEMENTATIONS ARE TINYtens to hundreds lines of code
CLIENT PROGRAMS MAY BE LARGEthousands, millions lines of code
concurrency libaries with lock-free synchronization
![Page 6: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/6.jpg)
6
Bridging the Gap
Architecture:+ Multiprocessors
+ Relaxed memory models
Concurrent Algorithms:+ Lock-free queues, sets, deques
Computer-Aided Verification:+ Model check C code
+ Sound counterexamples
CheckFenceTool
methodologydescribed in our papers in[CAV 2006], [PLDI 2007]
![Page 7: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/7.jpg)
7
Example: Nonblocking Queue
The implementation
• optimized: no locks.
• not race-free
• exposed to memory model
The client program
• on multiple processors
• calls operations
....
... enqueue(1)
... enqueue(2)
....
.... ....
Processor 1
....
...
...a = dequeue()b = dequeue()
Processor 2
void enqueue(int val) { ...}
int dequeue() { ... }
![Page 8: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/8.jpg)
8
Michael & Scott’s Nonblocking Queue[Principles of Distributed Computing (PODC) 1996]
boolean_t dequeue(queue_t *queue, value_t *pvalue){ node_t *head; node_t *tail; node_t *next;
while (true) { head = queue->head; tail = queue->tail; next = head->next; if (head == queue->head) { if (head == tail) { if (next == 0) return false; cas(&queue->tail, (uint32) tail, (uint32) next); } else { *pvalue = next->value; if (cas(&queue->head, (uint32) head, (uint32) next)) break; } } } delete_node(head); return true;}
1 2 3
head tail
![Page 9: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/9.jpg)
9
Correctness Condition
Data type implementations must appear sequentially consistent to the client program:
the observed argument and return values must be consistent with some interleaved, atomic execution of the operations.
enqueue(1)dequeue() -> 2
enqueue(2)dequeue() -> 1
Observation Witness Interleaving
enqueue(1)enqueue(2)dequeue() -> 1
dequeue() -> 2
Observation Witness Interleaving
![Page 10: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/10.jpg)
10
Part II: Solution
![Page 11: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/11.jpg)
11
Bounded Model Checker
Pass: all executions of the test are observationally equivalent to a serial execution
Fail:CheckFence
Memory Model Axioms
Inconclusive: runs out of time or memory
![Page 12: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/12.jpg)
12
Demo: CheckFence Tool
![Page 13: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/13.jpg)
13
Example: Memory Model Bug
Processor 1 links new node into list
Processor 2 reads value at head of list
--> Processor 2 loads uninitialized value
...
3 node->value = 2; ...1 head = node; ...
...
2 value = head->value; ...
Processor 1 reorders the stores! memory accesses happen in order 1 2 3
adding a fence between lines on left side prevents reordering.
1 2 3
head
![Page 14: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/14.jpg)
14
Tool Architecture
C code
Symbolic Test
Trace
Symbolic test is nondeterministic, has exponentially many executions(due to symbolic inputs, dyn. memory allocation, interleaving/reordering of instructions).
CheckFence solves for “bad” executions.
![Page 15: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/15.jpg)
15
C code
Symbolic Test
Trace
Symbolic Test
automatic, lazyloop unrolling
automatic specification mining(enumerate correct observations)
construct CNF formula whose solutions correspond precisely to the concurrent executions
![Page 16: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/16.jpg)
16
Which Memory Model?• Memory models are
platform dependent & ridden with details
• We use a conservative abstract approximation “Relaxed” to capture common effects
• Once code is correct for Relaxed, it is correct for stronger models
• Finding simple, general abstraction is hard (work in progress)
TSO
PSO
IA-32
Alpha
Relaxed
RMO
z6SC
![Page 17: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/17.jpg)
17
Part VI: Results
![Page 18: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/18.jpg)
18
Type Description loc Source
Queue Two-lock queue 80 M. Michael and L. Scott
(PODC 1996)Queue Non-blocking queue 98
Set Lazy list-based set 141 Heller et al. (OPODIS 2005)
Set Nonblocking list 174 T. Harris (DISC 2001)
Deque “snark” algorithm 159 D. Detlefs et al. (DISC 2000)
LL/VL/SC CAS-based 74 M. Moir (PODC 1997)
LL/VL/SC Bounded Tags 198
Studied Algorithms
![Page 19: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/19.jpg)
19
2 known
1 unknown
regular
bugs
Bounded Tags
CAS-based
fixed “snark”
original “snark”
Nonblocking list
Lazy list-based set
Non-blocking queue
Two-lock queue
Description
Deque
LL/VL/SC
LL/VL/SC
Deque
Set
Set
Queue
Queue
Type
Results– snark algorithm has 2 known bugs, we found them– lazy list-based set had a unknown bug
(missing initialization; missed by formal correctness proof [CAV 2006] because of hand-translation of pseudocode)
![Page 20: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/20.jpg)
20
# Fences inserted
2 known
1 unknown
regular
bugs
4
1
1
2
1
StoreStore
2
4
Load Load
4
2
3
1
1
DependentLoads
4
3
6
3
2
AliasedLoads
Bounded Tags
CAS-based
fixed “snark”
original “snark”
Nonblocking list
Lazy list-based set
Non-blocking queue
Two-lock queue
Description
Deque
LL/VL/SC
LL/VL/SC
Deque
Set
Set
Queue
Queue
Type
Results– snark algorithm has 2 known bugs, we found them– lazy list-based set had a unknown bug
(missing initialization; missed by formal correctness proof [CAV 2006] because of hand-translation of pseudocode)
– Many failures on relaxed memory model• inserted fences by hand to fix them• small testcases sufficient for this purpose
![Page 21: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/21.jpg)
21
Typical Tool Performance
• Very efficient on small testcases (< 100 memory accesses)Example (nonblocking queue): T0 = i (e | d) T1 = i (e | e | d | d )- find counterexamples within a few seconds- verify within a few minutes- enough to cover all 9 fences in nonblocking queue
• Slows down with increasing number of memory accesses in testExample (snark deque):Dq = ( pop_l | pop_l | pop_r | pop_r | push_l | push_l | push_r | push_r )- has 134 memory accesses (77 loads, 57 stores)- Dq finds second snark bug within ~1 hour
• Does not scale past ~300 memory accesses
![Page 22: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/22.jpg)
22
Related Work
Bounded Software Model CheckingClarke, Kroening, Lerda (TACAS'04) Rabinovitz, Grumberg (CAV'05)
Correctness Conditions for Concurrent Data TypesHerlihy, Wing (TOPLAS'90) Alur, McMillan, Peled (LICS'96)
Operational Memory Models & Explicit Model CheckingPark, Dill (SPAA'95) Huynh, Roychoudhury (FM'06)
Axiomatic Memory Models & SAT solversYang, Gopalakrishnan, Lindstrom, Slind (IPDPS'04)
![Page 23: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/23.jpg)
23
ContributionFirst model checker for C code on relaxed memory models.
• Handles ``reasonable’’ subset of C(conditionals, loops, pointers, arrays, structures, function calls, dynamic memory allocation)
• No formal specifications or annotations required
• Requires manually written test suite
• Soundly verifies & falsifies individual tests, produces counterexamples
Relaxed MemoryModels
Lock-free implementations
Software Verification
![Page 24: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/24.jpg)
24
END
![Page 25: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/25.jpg)
25
Bounded Model Checker
Pass: all executions of the test are observationally equivalent to a serial execution
Fail:CheckFence
Memory Model Axioms
Inconclusive: runs out of time or memory
![Page 26: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/26.jpg)
26
Future Work
• Make CheckFence publicly available
• Experiment with more memory models – hardware (PPC, Itanium), language (Java, C++ volatiles)
• Improve solver component– enhance SAT solver support for total/partial orders
• Develop reasoning techniques for relaxed memory models
• Develop scalable methods for finding specific, common bugs
• Build concurrent library
![Page 27: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/27.jpg)
27
Axioms for Relaxed
A set of addresses V set of valuesX set of memory accesses S X subset of stores L X subset of
loadsa(x) memory address of x v(x) value loaded or stored by x
<p is a partial order over X (program order)
<m is a total order over X (memory order)
For a load l L, define the following set of stores that are “visible to l”:
S(l) = { s S | a(s) = a(l) and (s <m l or s <p l ) }
Executions for the model Relaxed are defined by the following axioms:
1. If x <p y and a(x) = a(y) and y S, then x <m y2. For l L and s S(l), always either v(l) = v(s) or there exists another store
s’ S(l) such that s <m s’
![Page 28: 1 CheckFence: Checking Consistency of Concurrent Data Types on Relaxed Memory Models Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of Computer.](https://reader036.fdocuments.net/reader036/viewer/2022062421/56649d245503460f949fa666/html5/thumbnails/28.jpg)
28
→ 2 → 0
Relaxed Memory Model Example• Example:
output not sequentially consistent (that is, not consistent with any interleaved execution) !
• processor 1 may perform stores out of order
• processor 2 may perform loads out of order
• relaxed ordering guarantees improve processor performance
• Q: Why doesn’t everything break?A: Relaxations are designed in a way to guarantee that
• uniprocessor programs are safe
• race-free programs are safe
x = 1 y = 2
print y print x
thread 1 thread 2