Download presentation
Presentation is loading. Please wait.
1
Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware Michael Carbin, Sasa Misailovic, and Martin Rinard MIT CSAIL
2
Image Scaling
3
Image Scaling Kernel: Bilinear Interpolation =
4
Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; } int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }
![Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; } int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }](http://images.slideplayer.com./32/10021929/slides/slide_4.jpg "Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; } int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }")
5
Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }
![Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }](http://images.slideplayer.com./32/10021929/slides/slide_5.jpg "Bilinear Interpolation int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }")
6
Unreliable Hardware Unreliable Units (ALUs and Memories) May produce incorrect results Faster, smaller, and lower power Registers Memory CU CPU ALU
7
Image Scaling with Approximate Bilinear Interpolation 20%40% 60%80% 99% 99.9% 90% Reliability
8
Unreliable Hardware Necessitates Hardware Specification: probability operations execute correctly Software Specification: required reliability of computations Analysis: verify software satisfies its specification on hardware Registers Memory CU CPU ALU
9
Rely: a Language for Quantitative Reliability 20%40% 60%80% 99% 99.9% 90% Reliability Hardware Specification (Architect) Hardware Specification (Architect) Software Specification (Developer) Software Specification (Developer) Static Analysis (Language) Static Analysis (Language)
10
Hardware Specification hardware { operator (+) = 1 - 10^-7; operator (-) = 1 - 10^-7; operator (*) = 1 - 10^-7; operator (<) = 1 - 10^-7; memory urel {rd = 1 - 10^-7, wr = 1}; } hardware { operator (+) = 1 - 10^-7; operator (-) = 1 - 10^-7; operator (*) = 1 - 10^-7; operator (<) = 1 - 10^-7; memory urel {rd = 1 - 10^-7, wr = 1}; }
11
Approximate Bilinear Interpolation in Rely int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Unreliable Operations: executed on unreliable ALUs
![Approximate Bilinear Interpolation in Rely int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] +.](http://images.slideplayer.com./32/10021929/slides/slide_11.jpg "src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int src[][], int dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Unreliable Operations: executed on unreliable ALUs.")
12
Approximate Bilinear Interpolation in Rely int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Unreliable Memories: stored in unreliable SRAM/DRAM
![Approximate Bilinear Interpolation in Rely int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +.](http://images.slideplayer.com./32/10021929/slides/slide_12.jpg "src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Unreliable Memories: stored in unreliable SRAM/DRAM.")
13
What is reliability?
14
Semantics of Reliability
16
Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
![Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);](http://images.slideplayer.com./32/10021929/slides/slide_16.jpg "Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);")
17
Reliability of output is a function of reliability of inputs Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
![Reliability of output is a function of reliability of inputs Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);](http://images.slideplayer.com./32/10021929/slides/slide_17.jpg "Reliability of output is a function of reliability of inputs Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);")
18
Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
![Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);](http://images.slideplayer.com./32/10021929/slides/slide_18.jpg "Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);")
19
Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Coefficient.99 bounds reliability degradation Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
![Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Coefficient.99 bounds reliability degradation Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);](http://images.slideplayer.com./32/10021929/slides/slide_19.jpg "Reliability of output is a function of reliability of inputs The term R(i, j, src, dest) abstracts the joint reliability of the function’s inputs on entry Coefficient.99 bounds reliability degradation Approximate Bilinear Interpolation Reliability Specification int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]); int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);")
20
How does Rely verify reliability?
21
Rely’s Analysis Framework Precondition generator for statements { Precondition } s { Postcondition } { Precondition } s { Postcondition } SpecificationComputation
22
Assignment Rule
23
Unmodified
24
Assignment Rule Standard Substitution
25
Assignment Rule
26
int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Verifying the Reliability of Bilinear Interpolation
![int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +.](http://images.slideplayer.com./32/10021929/slides/slide_26.jpg "src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) { int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Verifying the Reliability of Bilinear Interpolation.")
27
1.Generate postcondition from return statement 2.Work backwards to produce verification condition 3.Use hardware specification to replace reliabilities return 0.25 *. val; Reliability of return Reliability of sum of neighbors
28
Verifying the Reliability of Bilinear Interpolation 1.Generate postcondition from return statement 2.Work backwards to produce verification condition 3.Use hardware specification to replace reliabilities 4.Discharge Verification Condition return 0.25 *. val;
29
Verification Condition Checking Insight
30
Conjunct Checking A conjunct is implied by a pair of constraints Decidable, efficiently checkable, and input distribution agnostic
31
Verification Condition Checking for Approximate Bilinear Interpolation Hardware Specification Data Dependences
32
What about…programs? (conditionals, loops, and functions)
33
Conditionals if (y >. 0) x = x +. 1 x = 2 *. x +. 1
34
x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Conditionals
35
x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1
36
Conditionals x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
37
Conditionals x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
38
Conditionals x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
39
Conditionals x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
40
Simplification x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
41
Simplification x 1 = x 0 +. 1 x 2 = 2 *. x 0 +. 1 Spec ≤ R(x)
42
Reliability of loop-carried, unreliably updated variables decreases monotonically Finitely Bounded Loops: bounded decrease Unbounded loops: conservative result is 0 int sum = 0; for (int i = 0; i < n; i = i + 1) { sum = sum +. a[i]; } int sum = 0; for (int i = 0; i < n; i = i + 1) { sum = sum +. a[i]; } Loops R( sum) depends on n unreliable adds
43
Functions Verification is modular (assume/guarantee) Recursion similar to loops: unreliably updated variables naturally have 0 reliability
44
Rely: a Language for Quantitative Reliability 20%40% 60%80% 99% 99.9% 90% Reliability Hardware Specification (Architect) Hardware Specification (Architect) Software Specification (Developer) Software Specification (Developer) Static Analysis (Language) Static Analysis (Language)
45
Evaluation Experiment #1: verify specifications How does the analysis behave?
46
Benchmarks newton: zero-finding using Newton’s method secant: zero-finding using Secant Method coord: Cartesian to polar coordinate converter search_ref: motion estimation mat_vec: matrix-vector multiply hadamard: frequency-domain pixel-block difference metric
47
Experiment #1: Results Observation: small number of conjuncts with simplification
48
Evaluation Experiment #2: application scenarios How to use reliabilities?
49
Checkable Computations
50
Approximate Computations High Quality Bilinear Interpolation Reliability (as Negative Log Failure Probability) Quality Target Reliability
51
Other Concerns for Unreliable Hardware Safety: does the program always produce a result? –no failures or ill-defined behaviors [Misailovic et al. ICSE ’10; Carbin et al. ISSTA ’10; Sidiroglou et al. FSE’11; Carbin et al., PLDI ’12; Carbin et al., PEPM ’13] Accuracy: is result accurate enough? –small expected error [Rinard ICS’06; Misailovic et al.,ICSE ’10; Hofffmann at al. ASPLOS ’11; Misailovic et al. SAS ’11; Sidiroglou et al. FSE’11; Zhu et al. POPL ’12; Misailovic et al. RACES ‘12]
52
Takeaway Separating approximate computation isn’t enough Acceptability of results depends on reliability Rely Architect provides hardware specification Develo per provides software specification Rely provides verified reliability guarantee
53
Backup Slides
54
Execution of e is a stochastic process Independent probability of failure for each operation Reliability is probability of fully reliable path Semantic Model
55
Semantic Formalization See paper for inference rules!
56
Identifying Reliably Update Variabes Reliably updated vs. unreliably updated variables Dependence graph gives classification Reliably updated variables have same reliability int sum = 0; for (int i = 0; i < n; i = i + 1) { sum = sum +. a[i]; } int sum = 0; for (int i = 0; i < n; i = i + 1) { sum = sum +. a[i]; } i suma n
Similar presentations
