implementing and evaluating a model checker for tm systems
play

Implementing and Evaluating a Model Checker for TM Systems Woongki - PowerPoint PPT Presentation

Nov 17, 2022 •120 likes •357 views

Implementing and Evaluating a Model Checker for TM Systems Woongki Baek, Nathan Bronson, Christos Kozyrakis, Kunle Olukotun wkbaek@stanford.edu Stanford University Introduction Transactional Memory (TM) simplifies parallel programming

  1. Implementing and Evaluating a Model Checker for TM Systems Woongki Baek, Nathan Bronson, Christos Kozyrakis, Kunle Olukotun wkbaek@stanford.edu Stanford University

  2. Introduction � � Transactional Memory (TM) simplifies parallel programming • � User-specified “transactions” run in an atomic and isolated way • � TM provides correctness and liveness guarantees � � Performance critical: subtle but fast TM implementations are favored • � Vulnerable to correctness bugs • � The resulting systems become difficult to prove correctness � � Many TMs are used without any formal correctness guarantees � � A few recent works attempted to model check TMs • � [PLDI’08] � � An important reduction theorem: 2 threads, 2 variables, … � � Model checked the abstract models of several STMs including TL2 • � [ICDCS’09] � � Model checked Intel’s McRT STM �

  3. Limitations of Previous Works � � Too “abstracted” models • � E.g., timestamp-based version control of TL2 is not modeled [PLDI’08] � � Committing transactions invalidate other conflicting transactions • � Need a proof that “abstract model” == “actual implementation” � � Otherwise, correctness of the evaluated TM still remains unchecked � � Lack of use-cases of model checking for a wider range of TM systems • � E.g., No previous study on hybrid TMs or nested TMs � � Lack of modeling both txn and non-txn memory operations • � To investigate subtle correctness issues with weak isolation � � Lack of an in-depth quantitative analysis to understand practical issues • � E.g., Sensitivity of the state space to various system parameters �

  4. Contributions of This Work � � Proposing ChkTM: • � Flexible model checker for TMs � � TL2: a timestamp-based, high-performance STM � � SigTM: a hybrid TM that accelerates an STM using hardware sigs � � NesTM: an STM that supports nested parallel transactions • � Model STMs close to the implementation level � � E.g., timestamp-based version control is accurately modeled � � Using ChkTM: • � Case study: found a subtle correctness bug in the current TL2 code • � Verify the correctness of TL2 and SigTM • � Provide an in-depth quantitative analysis on ChkTM �

  5. Outline � � Introduction � � Background � � Design and Implementation of ChkTM � � Case Study: Debugging Eager TL2 � � Evaluation � � Conclusions �

  6. Background � � Correctness criterion: conflict serializability • � Conflict equivalence: same order of every pair of conflicting op’s • � Conflict-serializable: conflict-equivalent to a serial schedule � � TL2 (STM) • � A global version clock is used to establish serializability • � Each memory loc. is associated with a version-owner lock (voLock) • � On commit, each transaction validates its read set � � Checking all the voLocks in the read set � � Success � updates are visible to others, Fail � updates are discarded • � Two data-versioning schemes � � Lazy: buffers updates in write buffers until the commit time � � Eager: performs in-place updates (undo-logs hold previous values) �

  7. ChkTM: Overall Architecture � � The three components of ChkTM • � Architectural state space explorer (ASE) • � TM model specifications • � Test program generator (see the paper) � � Implemented in Scala � Concise implementation �

  8. ASE: Architectural Simulator � � Models a simple shared-memory multiprocessor system � � Processors • � Model simple RISC processors with ALU, PC, registers, etc. � � Store buffers (SBs) • � Every update to shared memory is made via a bounded SB • � SB may retire stores in any order � similar to SPARC’s TSO • � If SBS=0, the simulator emulates sequential consistency � � Shared memory • � Consists of a fixed (configurable) number of shared memory words �

  9. ASE: State Space Explorer � � Architectural state • � Describe the current state of the system using state variables � � Processor-private: PC, SB, registers, … � � Global: shared memory, … � � State transition • � Dynamic executions of instructions generate new states � � Instructions: load, store, branch, halt, ... � � BFS is performed to explore every possible interleaving of a program • � Initial state: all the state variables (including PCs) are initialized • � Terminal state: all the proc’s are halted after executing a “halt” inst. �

  10. ASE: Verifying Serializability (1) � � First step: coarse-grain state space exploration (CSE) • � Generate all “serial” schedules at transaction granularity � � Only a single processor is active at any time � � The active processor cannot be changed while a transaction is active • � Goal: to produce all the valid terminal states � � VOR: values observed by transactional reads � � VOW: values overwritten by transactional writes � � Final shared-memory state • � Every transactional store in a test program writes a unique value � � To establish one-to-one mapping between conflicting op’s ��

  11. ASE: Verifying Serializability (2) Violation! T2 T1 T1 T2 T2 T1 � � Second step: fine-grain state space exploration (FSE) • � Explore every possible interleaving at instruction granularity • � Check every terminal state is identical to one of the valid terminals � � If this check fails, ChkTM reports a serializability violation • � Checking with VORs guarantee view-serializable schedules � � VOWs are used to check conflict-serializable schedules (see the paper) ��

  12. TM Model Specifications: TL2 � � Additional state variables to model TL2 • � E.g., R/W sets of transactions, global version clock, voLocks � � TM barriers are modeled close to the implementation level • � Left: C-styled pseudocode of the lazy TL2 read barrier • � Right: the ChkTM model of the lazy TL2 read barrier (in Scala) ��

  13. TM Model Specifications: Timestamp Canonicalization � � The problem: state space explosion • � An infinite # of states corresponding different timestamp values � � Our solution: timestamp canonicalization • � Key idea: the relative ordering among timestamp values is important � � But not the exact values • � Canonicalize all the timestamp values in each step � � 1: compute the set of all the timestamp values � � 2: sort them � � 3: replace each value with its ordinal position in the sorted set ��

  14. Outline � � Introduction � � Background � � Design and Implementation of ChkTM � � Case Study: Debugging Eager TL2 � � Evaluation � � Conclusions ��

  15. Case Study: Debugging Eager TL2 (1) � � We modeled the eager TL2 close to its current implementation � � With the test program above, ChkTM reported a serializability violation • � VOR(T1)=={(y,2)}: T2 � T1 (T2 precedes T1) • � VOR(T2)=={(x,1)}: T1 � T2 • � A cycle in the precedence graph � Not a serializable schedule � � Current TL2 code is buggy � How can we locate the bug using ChkTM? ��

  16. Case Study: Debugging Eager TL2 (2) � � ChkTM generates a counterexample shown above • � Steps are not necessarily consecutive (some are skipped for brevity) � � T1 executing TxLoad, T2 executing TxStore and TxAbort � � Step 0: T1 samples the value of the voLock of “y” (addr == &y) � � Step 1: T2 sets the lock bit of the voLock of “y” � � Step 2: T2 “speculatively” updates “y” to 2 ��

  17. Case Study: Debugging Eager TL2 (3) Abort! Incorrect! � � Step 3: T1 reads a “dirty” value (i.e., 2) of “y” � � Step 4: T2 restores the value of “y” to 0 (executing TxAbort) � � Step 5: T2 restores the voLock of “y” to the previous value � � Step 6: T1 observes that “cv” matches the current value of voLock � � Step 7+: T1 continues (and commits) even after it read a “dirty” value • � This is incorrect! ��

  18. Case Study: Debugging Eager TL2 (4) � � Invalid-read bug : Line 6 in TxAbort • � On abort, voLocks in the write set are merely restored � Wrong � � Timestamp values should have been incremented • � Reported this bug to the TL2 developers � � Note: difficult to find this kind of subtle bugs using random tests • � May increase the possibility by inserting random delays in the code • � Require non-trivial intuition (where potential bugs would be) ��

  19. Evaluation � � Three issues to investigate • � Correctness guarantees of TL2 and SigTM � � Serializability / Strong isolation (refer to the paper) • � Sensitivity of the state space to system parameters � � E.g., number of threads • � Tradeoff between state space and fidelity of approximate models � � Refer to the paper � � Methodology • � Processors: two quad-core 2.33GHz Intel Xeon CPUs • � Memory: 32GB • � OS: Linux x86_64 kernel 2.6.18 • � JVM: the 64-bit Server VM in Sun’s JAVA JRE (build: 1.6.0-14-b08) • � Scala: compiler version 2.7.5 ��

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision Group. UIB. SPAIN Julin Proenza. UIB. Oct 2008 The aim of this presentation Introduce the basic concepts of model checking from a practical

804 views • 68 slides
Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre

Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre

Can a Model Checker Generate Tests for Non-Deterministic Systems? Sergiy Boroday, Alexandre Petrenko CRIM, Montreal, Canada Roland Groz INPG, France MBT 2007 Outline Motivation Weak and Strong Tests Test Generation Model

802 views • 22 slides
Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2

Towards a model-checker for counter systems S. Demri 1 A. Finkel 1 V. Goranko 2 G. van Drimmelen 2 1 LSV, CNRS & ENS Cachan & INRIA Futurs 2 University of Witwatersrand, Johannesburg ATVA, October 2006, Beijing Motivations Presburger

679 views • 37 slides
Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 31 Model-checker Specify the model of the system Specify the requirements Model-checker will automatically check if system

1.72k views • 112 slides
Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based

Implementation of a Coalgebraic Model Checker Aaron Strahlberger 16.07.2019 Parity Game based Model Checker Game-Based Local Model Checking for the Coalgebraic -Calculus by Daniel Hausmann and Lutz Schrder [1] (CONCUR 2019)

474 views • 31 slides
Implementing an X-ray Implementing an X-ray reverberation model in XSPEC reverberation model in

Implementing an X-ray Implementing an X-ray reverberation model in XSPEC reverberation model in

Implementing an X-ray Implementing an X-ray reverberation model in XSPEC reverberation model in XSPEC M. D. Caballero-Garcia, M. Dovciak (ASU CAS Praha 4, Prague), A. Epitropakis (D. of Physics - U. of Crete, Heraklion) Contents 1. The

435 views • 19 slides
Vhdl Bounded Model Checker (VBMC): A Formal Verification Tool for VHDL Designs Ajith John, A. K.

Vhdl Bounded Model Checker (VBMC): A Formal Verification Tool for VHDL Designs Ajith John, A. K.

Vhdl Bounded Model Checker (VBMC): A Formal Verification Tool for VHDL Designs Ajith John, A. K. Bhattacharjee RCnD, BARC Supratik Chakraborty, CFDVS, IIT Bombay Introduction Design of modern computer based systems involves partitioning of

710 views • 58 slides
Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian

Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian

Verification of a Dynamic Channel Model using the SPIN Model Checker Rune M. Friborg and Brian Vinter eScience center, University of Copenhagen Dias 1 Introduction to PyCSP 2007 - PyCSP is presented. The synchronization model for channel

574 views • 20 slides
A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan

A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan

A Model Checker Collection for the Model Checking Contest @ Petri Nets Didier Buchs Stefan Klikovits Alban Linard Romain Mencattini Dimitri Racordon 28 June 2018 1/11 1/11 Examination Result GreatSPN ITSTools LoLA LTSMin Marcie

613 views • 20 slides
Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan

Schedulability Analysis of Timed CSP Models Using the PAT Model Checker O uzcan O UZ Jan F. BROENINK Angelika MADER Robotics and Mechatronics, University of Twente, The Netherlands Contents Problem Statement & Approach

516 views • 24 slides
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October

The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October

The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Florian Merz | October 7, 2010 Carsten Sinz Stephan Falke V ERIFICATION MEETS A LGORITHM E NGINEERING www.kit.edu KIT University of the State of Baden-Wuerttemberg

415 views • 19 slides
The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A.

The Software Model Checker BLAST: Applications to Software Engineering Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar Int. Journal on Software Tools for Technology Transfer, 2007 Stefan Buchholz March 17, 2009 1 Model

456 views • 12 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Evaluating & Implementing ITFM Solutions A lie can travel half-way around the world while

Evaluating & Implementing ITFM Solutions A lie can travel half-way around the world while

Evaluating & Implementing ITFM Solutions A lie can travel half-way around the world while the truth is still putting on its shoes. - Mark Twain Executive Summary & Key Questions What is an ITFM solution going to do for us?

398 views • 23 slides
A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and

A Tutorial on Model Checker SPIN Instructor: Hao Zheng Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: haozheng@usf.edu Phone: (813)974-4757 Fax: (813)974-5456 1 Overview of Concurrent

1.5k views • 68 slides
A Storm is Coming! A New Probabilistic Model Checker Joost-Pieter Katoen IFIP WG 1.8 Open

A Storm is Coming! A New Probabilistic Model Checker Joost-Pieter Katoen IFIP WG 1.8 Open

A Storm is Coming! A New Probabilistic Model Checker Joost-Pieter Katoen IFIP WG 1.8 Open Problems in Concurrency Theory, June 26, 2017 joint with: Christian Dehnert, Sebastian Junges and Matthias Volk Probabilistic Model Checking Theory in

468 views • 28 slides
TXDOT TRAFFIC MANAGEMENT CENTER (TMC) PERFORMANCE METRICS Evolution by Performance Metrics

TXDOT TRAFFIC MANAGEMENT CENTER (TMC) PERFORMANCE METRICS Evolution by Performance Metrics

TXDOT TRAFFIC MANAGEMENT CENTER (TMC) PERFORMANCE METRICS Evolution by Performance Metrics Monday, June 18, 2018 Pe Performan ance B Based C Contrac actin ing Pe Peer E Exchan ange Agenda Projec ject O Overvie iew Projec

230 views • 10 slides
New Directions For Neurorehabilitation Karunesh Ganguly, MD PhD Assistant Professor, Department

New Directions For Neurorehabilitation Karunesh Ganguly, MD PhD Assistant Professor, Department

9/6/2014 STROKE AND ANEURYSM UPDATE DISCLOSURE September 6, 2014 I have nothing to disclose. New Directions For Neurorehabilitation Karunesh Ganguly, MD PhD Assistant Professor, Department of Neurology University of California, San

663 views • 6 slides
Building Buggy Chips - That Work! Building Buggy Chips - That Work! Todd Austin Advanced

Building Buggy Chips - That Work! Building Buggy Chips - That Work! Todd Austin Advanced

Building Buggy Chips - That Work! Building Buggy Chips - That Work! Todd Austin Advanced Computer Architecture Laboratory University of Michigan Advanced Computer Architecture Lab Building Buggy Chips - That Work! University of Michigan Todd

358 views • 20 slides
Resource Efficient Europe Harry Lehmann SUSTAINABLE INNOVATION 2012 Resource Efficiency, Innovation

Resource Efficient Europe Harry Lehmann SUSTAINABLE INNOVATION 2012 Resource Efficiency, Innovation

Resource Efficient Europe Harry Lehmann SUSTAINABLE INNOVATION 2012 Resource Efficiency, Innovation and Lifestyles Part of the Towards Sustainable Product Design series of conferences 17th International Conference, 29th 30th October 2012,

493 views • 13 slides
Lecture 13 EQ TM is neither recognizable nor co-recognizable M 0 : on any input x, reject x. L(M

Lecture 13 EQ TM is neither recognizable nor co-recognizable M 0 : on any input x, reject x. L(M

Lecture 13 EQ TM is neither recognizable nor co-recognizable M 0 : on any input x, reject x. L(M 0 ) = M 1 : on any input x, accept x. L(M 1 ) = * For any <M,w>, let h(<M,w>) = M 2 be the TM that, on input x, 1. runs M on w

419 views • 13 slides
Implement an Industry Vision One global platform open to all stakeholders in the translation

Implement an Industry Vision One global platform open to all stakeholders in the translation

Implement an Industry Vision One global platform open to all stakeholders in the translation industry TDA Services TM Sharing Services for members only Upload and download translation memories Search free & open to the

432 views • 9 slides
Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya,

Safety of Transactions in Transactional Memory: TMS is Necessary and Sufficient Hagit Attiya, Technion Sandeep Hans, Technion Alexey Gotsman, IMDEA Noam Rinetzky, Tel-Aviv University TM Consistency Conditions VWC TMS1 Opacity [Guerraoui

183 views • 16 slides
Turing Machine properties There are many ways to skin a cat Turing Machines And many ways

Turing Machine properties There are many ways to skin a cat Turing Machines And many ways

Turing Machine properties There are many ways to skin a cat Turing Machines And many ways to define a TM The books Standard Turing Machines Tape unbounded on both sides Deterministic (at most 1 move / configuration) TM

173 views • 5 slides

More recommend