Memory Model Safety of Programs Sebastian Burckhardt Madanlal Musuvathi Microsoft Research EC^2, July 7, 2008.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Effective Program Verification for Relaxed Memory Models Sebastian BurckhardtMadanlal Musuvathi Microsoft Research CAV, July 10, 2008.
Threads Cannot be Implemented As a Library Andrew Hobbs.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
CS 162 Memory Consistency Models. Memory operations are reordered to improve performance Hardware (e.g., store buffer, reorder buffer) Compiler (e.g.,
(C) 2001 Daniel Sorin Correctly Implementing Value Prediction in Microprocessors that Support Multithreading or Multiprocessing Milo M.K. Martin, Daniel.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
Silberschatz, Galvin and Gagne ©2007 Operating System Concepts with Java – 7 th Edition, Nov 15, 2006 Chapter 6 (a): Synchronization.
Chapter 6: Process Synchronization
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
Process Synchronization. Module 6: Process Synchronization Background The Critical-Section Problem Peterson’s Solution Synchronization Hardware Semaphores.
CHESS: Systematic Concurrency Testing Tom Ball, Sebastian Burckhardt, Madan Musuvathi, Shaz Qadeer Microsoft Research
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
Computer Architecture II 1 Computer architecture II Lecture 9.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
Race Conditions CS550 Operating Systems. Review So far, we have discussed Processes and Threads and talked about multithreading and MPI processes by example.
Instructor: Umar KalimNUST Institute of Information Technology Operating Systems Process Synchronization.
Why Threads Are A Bad Idea (for most purposes) John Ousterhout Sun Microsystems Laboratories
1 Lecture 22: Synchronization & Consistency Topics: synchronization, consistency models (Sections )
© 2007 GrammaTech, Inc. All rights reserved GrammaTech, Inc. 317 N Aurora St. Ithaca, NY Tel: Verifying.
Memory Consistency Models Some material borrowed from Sarita Adve’s (UIUC) tutorial on memory consistency models.
1 Thread Synchronization: Too Much Milk. 2 Implementing Critical Sections in Software Hard The following example will demonstrate the difficulty of providing.
Aquinas Hobor and Cristian Gherghina (National University of Singapore) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.:
Shared Memory Consistency Models: A Tutorial Sarita V. Adve Kouroush Ghrachorloo Western Research Laboratory September 1995.
CDP 2012 Based on “C++ Concurrency In Action” by Anthony Williams and The C++11 Memory Model and GCC WikiThe C++11 Memory Model and GCC Created by Eran.
Lecture 2 Foundations and Definitions Processes/Threads.
CDP 2013 Based on “C++ Concurrency In Action” by Anthony Williams, The C++11 Memory Model and GCCThe C++11 Memory Model and GCC Wiki and Herb Sutter’s.
Foundations of the C++ Concurrency Memory Model Hans-J. Boehm Sarita V. Adve HP Laboratories UIUC.
Practical Reduction for Store Buffers Ernie Cohen, Microsoft Norbert Schirmer, DFKI.
Concurrency: Mutual Exclusion and Synchronization Chapter 5.
C o n f i d e n t i a l 1 Course: BCA Semester: III Subject Code : BC 0042 Subject Name: Operating Systems Unit number : 1 Unit Title: Overview of Operating.
Shared Memory Consistency Models. SMP systems support shared memory abstraction: all processors see the whole memory and can perform memory operations.
Memory Consistency Models. Outline Review of multi-threaded program execution on uniprocessor Need for memory consistency models Sequential consistency.
Multiprocessor Cache Consistency (or, what does volatile mean?) Andrew Whitaker CSE451.
December 1, 2006©2006 Craig Zilles1 Threads and Cache Coherence in Hardware  Previously, we introduced multi-cores. —Today we’ll look at issues related.
CS 295 – Memory Models Harry Xu Oct 1, Multi-core Architecture Core-local L1 cache L2 cache shared by cores in a processor All processors share.
Fundamentals of Parallel Computer Architecture - Chapter 71 Chapter 7 Introduction to Shared Memory Multiprocessors Yan Solihin Copyright.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
HARD: Hardware-Assisted lockset- based Race Detection P.Zhou, R.Teodorescu, Y.Zhou. HPCA’07 Shimin Chen LBA Reading Group Presentation.
The C++11 Memory Model CDP Based on “C++ Concurrency In Action” by Anthony Williams, The C++11 Memory Model and GCCThe C++11 Memory Model and GCC Wiki.
Agenda  Quick Review  Finish Introduction  Java Threads.
Synchronization Questions answered in this lecture: Why is synchronization necessary? What are race conditions, critical sections, and atomic operations?
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
An Operational Approach to Relaxed Memory Models
Lazy Sequentialization via Shared Memory Abstractions
Memory Consistency Models
Threads Cannot Be Implemented As a Library
Atomic Operations in Hardware
Atomic Operations in Hardware
Memory Consistency Models
Effective Data-Race Detection for the Kernel
Threads and Memory Models Hal Perkins Autumn 2011
Threads and Memory Models Hal Perkins Autumn 2009
Critical section problem
Mengjia Yan† , Jiho Choi† , Dimitrios Skarlatos,
Store Atomicity What does atomicity really require?
Memory Consistency Models
CSE 153 Design of Operating Systems Winter 19
Relaxed Consistency Part 2
Why we have Counterintuitive Memory Models
Relaxed Consistency Finale
Compilers, Languages, and Memory Models
Foundations and Definitions
CS 8803: Memory Models David Devecsery.
Problems with Locks Andrew Whitaker CSE451.
Presentation transcript:

Memory Model Safety of Programs Sebastian Burckhardt Madanlal Musuvathi Microsoft Research EC^2, July 7, 2008

Motivation: Memory Model Vulnerabilities Programmers do not always follow strict locking discipline in performance-critical code ◦ Ad-hoc synchronization with normal loads and stores or interlocked operations is faster Such code can break on relaxed memory models ◦ Most multicore machines are not sequentially consistent ◦ Both compilers and actual hardware can contribute to effect (we focus on hardware effects here) Vulnerabilities are hard to find, reproduce, and analyze ◦ May require specific hardware configuration and schedule 2

C# Example (found in production-level code) volatile bool isIdling; volatile bool hasWork; //Consumer thread void BlockOnIdle(){ lock (condVariable){ isIdling = true; if (!hasWork) Monitor.Wait(condVariable); isIdling = false; } //Producer thread void NotifyPotentialWork(){ hasWork = true; if (isIdling) lock (condVariable) { Monitor.Pulse(condVariable); } 3

Key pieces of code on previous slide: On x86, hardware may perform store late Bug: Producer thread does not notice waiting Consumer, does not send signal Store ii, 1 Example: Store Buffer Vulnerability Store ii, 1 volatile int ii = 0; volatile int hw = 0; Load hw, 0 Load ii, 1 Store hw, 1 ConsumerProducer 0 0 4

Abstract View of Memory Models 5 Given a program P, a memory model Y defines the subset T P,Y  T of traces corresponding to some (partial or complete) execution of P on Y. T P, SC T T P, Y SC (sequential consistency) Is strongest memory model More executions may be possible on a relaxed memory model Y 5

Memory Model Safety Observation: Programmer writes code for SC ◦ Resorts to {fences, volatiles, interlocked operations} to maintain SC behavior where needed ◦ If program P exhibits non-SC behavior, it is most likely a bug Definition: A program P is Y-safe if T P,SC = T P,Y 6

Goal & Position 7 Goal: Find efficient methods to verify / falsify memory model safety of programs. Position: Memory models should be formulated in a manner that facilitates this goal. It helps if a memory model Y … … guarantees that data-race-free programs are Y-safe (but what about racy ones?) … guarantees borderline executions (to be defined next).

Borderline Executions Def.: A borderline execution for P, Y is an execution in T P,SC with a successor in T P,Y - T P,SC TP,YTP,Y T P,SC 8 Successor traces are traces with one more instruction.

Example: TSO Borderline Execution Store hw, Store ii, Load hw, Store hw, Load ii, Store ii, Load hw, Store hw, Load ii, Store ii, Load hw, 0 T P, SC T P, TSO Successor traces are traces with one more instruction.

Borderline Executions Def.: A borderline execution for P, Y is an execution in T P,SC with a successor in T P,Y - T P,SC Def.: A memory model Y guarantees borderline executions if the following property is true: A program P is Y -safe if and only if it has no borderline executions. TP,YTP,Y T P,SC 10

Borderline Executions Def.: A borderline execution for P, Y is an execution in T P,SC with a successor in T P,Y - T P,SC Def.: A memory model Y guarantees borderline executions if the following property is true: A program P is Y -safe if and only if it has no borderline executions. TP,YTP,Y T P,SC 11 We can verify / falsify this as a safety property of sequentially consistent executions!

When does a Memory Model Guarantee Borderline Executions? Simplest case: If each trace T P,Y has a predecessor in T P,Y, we can use simple induction (because empty trace is in T P,SC ). This is true for TSO, and we show in [ CAV08 ] paper how to exploit this to build a borderline monitor. 12 TP,YTP,Y T P,SC

How May a Memory Model Fail to Guarantee Borderline Executions? Sometimes, traces have no predecessors (i.e. we can not take away any one instruction). Example program: some memory models may allow this “circular” trace: 13 // Thread 1// Thread 2 if (y = 1) if (x = 1) x = 1; y = 1; Load y, 1 Store x, 1 Store y, 1 Load x, 1

Conclusions / Future Work With increasing use of multicores and little programmer regard for race-freedom, we expect more programs to exhibit failures caused by the memory model. Borderline executions provide a practical way to verify / falsify memory model safety for a general class of memory models Future work: how to deal with ◦ Memory models without borderline executions ◦ Memory models defined by compiler optimizations 14

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.