Dekker’s Algorithm for Mutual Exclusion
Download
Report
Transcript Dekker’s Algorithm for Mutual Exclusion
1
PARTIAL-COHERENCE ABSTRACTIONS
FOR RELAXED MEMORY MODELS
Presented by Michael Kuperstein, Technion
Joint work with Martin Vechev, IBM Research and Eran Yahav, Technion
Sequential Consistency
We expect our programs to have
“Interleaving
semantics”
Consistent with program order
“The result of any execution is the same as if the
operations of all the processors were executed
in some sequential order, and the operations of
each individual processor appear in this
sequence in the order specified by its program.”
– Leslie Lamport, 1973
2
Dekker’s Algorithm for Mutual Exclusion
Process 0:
flag[0] := true
while flag[1] = true {
if turn ≠ 0 {
flag[0] := false
while turn ≠ 0 { }
flag[0] := true
}
}
// critical section
turn := 1
flag[0] := false
Process 1:
flag[1] := true
while flag[0] = true {
if turn ≠ 1 {
flag[1] := false
while turn ≠ 1 { }
flag[1] := true
}
}
// critical section
turn := 0
flag[1] := false
Specification: mutual exclusion over critical section
3
Store Buffer Based Models
TSO & PSO
x86
~ TSO
Memory Fences
Restore
order
store before
the fence becomes
globally visible
before anything
after the fence
executes
store
P0
Every
P1
3 X
2
1
Y
Z
X
Y
Z
fence
flush
…
…
…
…
…
…
Main
Memory
load
4
Memory Fences
Fences are expensive
Practical Significance
10s-100s of cycles
Data structures
Linux Kernel spinlocks
Placing fences manually
Overfencing: hurts
performance
Underfencing: subtle
bugs
Process 0:
flag[0] := true
fence
while flag[1] = true {
if turn ≠ 0 {
flag[0] := false
fence
while turn ≠ 0 { }
flag[0] := true
fence
}
}
// critical section
turn := 1
fence
flag[0] := false
fence
5
Memory Fences
Fences are expensive
Practical Significance
10s-100s of cycles
Data structures
Linux Kernel spinlocks
Placing fences manually
Overfencing: hurts
performance
Underfencing: subtle
bugs
Process 0:
flag[0] := true
fence
while flag[1] = true {
if turn ≠ 0 {
flag[0] := false
while turn ≠ 0 { }
flag[0] := true
}
}
// critical section
turn := 1
flag[0] := false
6
Automatic Solutions
Equivalence to Sequential Consistency
Reduce program behaviors to sequentially consistent (SC) runs
High-level specifications are ignored
Goes back to Shasha & Snir [TOPLAS ’88]
Place fences to satisfy provided specification
Using specification may forbid less executions
May require fewer fences
PSO
SC
Safe
7
Goal
Finite-State
Program
P
Safety
Specification
S
Program P’
with
Fences
Memory
Model
M
P’ satisfies the specification S under M
8
General Recipe
1.
2.
3.
Compute reachable
states
Compute weakest
constraints that
guarantee all “bad
states” are avoided
Implement the
constraints with fences
9
Constraints
Constraint language
Not
every transition can be prevented using a fence
10
A BC
P1: X 1 2 3
P2: X
Unavoidable
P2 : (D) LOAD R1 = X
A BC
P1: X 1 2 3
P2: X
A BC
P1: X 1 2 3
P2: X
A BC
P1: X 1 2 3
P1 : (D) LOAD R1 = X
[A < D] [B < D] [C < D]
P2: X
10
Concrete Transition System
Building transition system under TSO/PSO is hard
No a-priori bound on buffer length
Unbounded
state-space
Even for programs that were finite-state under SC
Reachability
has non-primitive recursive complexity
[Atig et al., POPL ’10]
11
Abstract Memory Models (AMM)
Bounded approximation of unbounded buffers
Strictly
weaker than concrete TSO/PSO
Finite-state programs remain finite-state
Reachability becomes effectively computable
Construct
finite (abstract) transition system
Apply
fence inference
Can also be used for verification
PSO
AMM
SC
Safe
12
Partial Coherence Abstractions
Record what values
appeared (without
order or number)
Allows precise fence semantics
Allows precise loads from buffer
Recent
value
P0
P1
X
X
YY
ZZ
X
X
Y
XZ
Unordered
elements
Keeps the analysis precise
for “well behaved” programs
Bounded
length k
…
…
…
…
…
…
Main
Memory
13
Partial Coherence Abstractions
Concrete
Abstract
1
2
3
4
5
6
7
{2,3,4,5}
14
Abstract Fence Inference
1.
2.
3.
Compute reachable
abstract states
Compute constraints.
Precision depends on
abstraction.
Implement the
constraints with fences
15
Fence Inference Results
Program FD k=0
FD k=1
FD k=2
PD k=0
PD k=1
PD k=2
Sense0
Pet0
Dek0
Lam0
Fast0
Fast1a
Fast1b
Fast1c
Benchmarks are mutual exclusion primitives
k - the bound on the FIFO part of the abstract buffer
PD more “aggressive” than FD
16
Summary
Partial-coherence abstractions
Verification
without arbitrary bounds
Abstraction precision affects quality of results
Synthesis of fences
Can
infer optimal fences for mutual exclusion primitives
P
S
P’
M
17
Questions
18
Related Work
Under-approximation
CheckFence [Burckhardt et al., PLDI ’07]
Fender [KVY, FMCAD ’10]
And more…
Over-approximation
Equivalence to SC
Very imprecise
Goes back to Shasha & Snir [TOPLAS ‘88]
Abstract Interpretation
Varying precision
Regular Abstraction [Linden et al., SPIN ’10]
Partial-Coherence [KVY, PLDI ’11]
19