Persistence Semantics for Weak Memory Integrating Epoch Persistency - - PowerPoint PPT Presentation

Persistence Semantics for Weak Memory

Integrating Epoch Persistency with the TSO Memory Model

Azalea Raad Viktor Vafeiadis

Max Planck Institute for Software Systems (MPI-SWS)

Thursday 8 November OOPSLA 2018 Boston, USA

azalea@mpi-sws.org @azalearaad SoundAndComplete.org

History

time Difficulty Sequential

😋

History

time Difficulty Sequential

😋

SC

😑

History

time Difficulty Sequential

😋

SC

😑

WMC

☹

History

time Difficulty Sequential

😋

SC

😑

WMC

☹ 😤

Persistent WMC

Volatile memory

x := 1 // x = 1 // x = 0

What is Persistent Memory?

3

// x = v : reading x yields v

Volatile memory

x := 1 // x = 1 // x = 0

What is Persistent Memory?

3

// x = 0 // no recovery // x = v : reading x yields v

Volatile memory

x := 1 // x = 1 // x = 0

What is Persistent Memory?

3

// x = 0 // no recovery // x = v : reading x yields v

Persistent memory

x := 1 // x = 1 // x = 0 // x = 0 OR x = 1 // recovery routine

Volatile memory

x := 1 // x = 1 // x = 0

What is Persistent Memory?

3

// x = 0 // no recovery // x = v : reading x yields v

Persistent memory

x := 1 // x = 1 // x = 0 // x = 0 OR x = 1 // recovery routine

persists are asynchronous (buffered): may not persist immediately

(Sequential) Hardware

CPU (Volatile) Memory

(Sequential) Hardware

CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory

CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory

CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost

Persistence Buffer CPU (Persistent) Memory CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost

Persistence Buffer CPU (Persistent) Memory CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost x:=1 : adds x:=1 to p-buffer

Persistence Buffer CPU (Persistent) Memory CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory

Persistence Buffer CPU (Persistent) Memory CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory p-buffer lost; memory retained

Persistence Buffer CPU (Persistent) Memory CPU (Volatile) Memory

(Sequential) Hardware

x:=1 : adds x:=1 to memory a:=x : reads x from memory memory lost x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory p-buffer lost; memory retained unbuffer* : p-buffer to memory * at non-deterministic times

• Memory consistency model describes: 


the order writes are made visible to other threads


e.g. SC, TSO, …

What is Memory Persistency Model?

• Memory consistency model describes: 


the order writes are made visible to other threads


e.g. SC, TSO, …

• Memory persistency model describes: 


the order writes are persisted to memory


e.g. Epoch Persistency

What is Memory Persistency Model?

• Memory consistency model describes: 


the order writes are made visible to other threads


e.g. SC, TSO, …

• Memory persistency model describes: 


the order writes are persisted to memory


e.g. Epoch Persistency

What is Memory Persistency Model?

Problem Formal Epoch Persistency Model for Mainstream Hardware (Weak Memory Models)

x := 1; // recovery routine // x=0;y=0 y := 1; // x=0;y=0 OR x=1;y=1 OR x=1;y=0 OR x=0;y=1

What Can Go Wrong?

6

x := 1; // recovery routine // x=0;y=0 y := 1; // x=0;y=0 OR x=1;y=1 OR x=1;y=0 OR x=0;y=1

What Can Go Wrong?

6

!! Writes may persist out of order

x := 1; // recovery routine // x=0;y=0 y := 1; // x=0;y=0 OR x=1;y=1 OR x=1;y=0 OR x=0;y=1

What Can Go Wrong?

6

!! Writes may persist out of order ☛ persistent fence pfence

7

x := 1; // recovery routine // x=0;y=0 y := 1; // x=0;y=0 OR x=1;y=1 OR x=1;y=0 OR x=0;y=1 pfence;

☛

Persistent Fence

Persistent Fence

8

x := 1; z := 4; pfence; y := 2; x := 3;

a b c d

Persistent Fence

8

• writes on same locations persist in execution order

x := 1; z := 4; pfence; y := 2; x := 3;

a b c d a c

persists before

Persistent Fence

8

• writes on same locations persist in execution order
• writes on different locations are unordered

x := 1; z := 4; pfence; y := 2; x := 3;

a b c d a b

may persist in any order

a c

persists before

Persistent Fence

8

• writes on same locations persist in execution order
• writes on different locations are unordered
• pfence adds a new epoch

x := 1; z := 4; pfence; y := 2; x := 3;

a b c d a b

may persist in any order

a c

persists before

epoch 1 epoch 2

Persistent Fence

8

• writes on same locations persist in execution order
• writes on different locations are unordered
• pfence adds a new epoch
• writes persist in epoch order

x := 1; z := 4; pfence; y := 2; x := 3;

a b c d

persist before

a b c d a b

may persist in any order

a c

persists before

epoch 1 epoch 2

// x=0;y=0 OR x=1;y=1 OR x=1;y=0 x := 1; // recovery routine // x=0;y=0 y := 1; pfence;

9

What Can Go Wrong (Continued)?

!! Execution continues ahead of persistence

asynchronous (buffered)

// x=0;y=0 OR x=1;y=1 OR x=1;y=0 x := 1; // recovery routine // x=0;y=0 y := 1; pfence;

9

What Can Go Wrong (Continued)?

!! Execution continues ahead of persistence ☛ persistent sync psync

asynchronous (buffered)

// x=0;y=0 OR x=1;y=1 OR x=1;y=0 x := 1; // recovery routine // x=0;y=0 y := 1; pfence;

9

What Can Go Wrong (Continued)?

!! Execution continues ahead of persistence ☛ persistent sync psync

C1; psync; C2

• same persist-ordering as pfence
• C2 executed only when all C1 writes have persisted

asynchronous (buffered)

x := 1; // recovery routine // x=0;y=0 y := 1; // x=0;y=0 OR x=1;y=1 OR x=1;y=0 psync;

10

Persistent Sync

!! Execution continues ahead of persistence ☛ persistent sync psync

C1; psync; C2

• same persist-ordering as pfence
• C2 executed only when all C1 writes have persisted

☛

(Sequential) Hardware

x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory p-buffer lost; memory retained

11

CPU (Persistent) Memory

epoch n epoch 2 pfence pfence . . . pfence epoch 1

(Sequential) Hardware

x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory unbuffer* : p-buffer to memory (in epoch order) p-buffer lost; memory retained * at non-deterministic times

11

CPU (Persistent) Memory

epoch n epoch 2 pfence pfence . . . pfence epoch 1

(Sequential) Hardware

x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory unbuffer* : p-buffer to memory (in epoch order) p-buffer lost; memory retained * at non-deterministic times pfence : introduces a new epoch in p-buffer

11

CPU (Persistent) Memory

epoch n epoch 2 pfence pfence . . . pfence epoch 1

(Sequential) Hardware

x:=1 : adds x:=1 to p-buffer a:=x : if p-buffer contains x, reads latest entry else reads from memory unbuffer* : p-buffer to memory (in epoch order) p-buffer lost; memory retained * at non-deterministic times pfence : introduces a new epoch in p-buffer psync : flushes the entire p-buffer to memory

11

CPU (Persistent) Memory

epoch n epoch 2 pfence pfence . . . pfence epoch 1

What about Concurrency?

TSO POWER ARMv8

…

12

What about Concurrency?

TSO POWER ARMv8

…

12

Contributions

13

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models

Contributions

13

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models

Contributions

13

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models
• Verifying programs under PTSO
• PTSO programming pattern
• Correctness condition: persistent linearisability
• Verified several examples under PTSO

Contributions

13

Total Store Ordering (TSO)

14

Total Store Ordering (TSO)

14

Thread2 Buffer (Volatile) Memory Thread1 Buffer

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

☛ ☛

Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1

☛ ☛

Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

// 0 Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

// 0 Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

// 0 Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x = 0; y = 0;

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

// 0 // 0 Store Buffering (SB)

Total Store Ordering (TSO)

14

Thread2 Thread1

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1 y = 1

☛ ☛

// 0 // 0 Store Buffering (SB)

; y = 0;

Total Store Ordering (TSO)

14

Thread2 Thread1

x := 1; a := y;

Thread1

y := 1; c := x;

Thread2

x = 1

☛ ☛

// 0 // 0 Store Buffering (SB)

; y = 1;

Persistent TSO (PTSO)

15

(Volatile) Memory Thread1 Buffer Thread2 Buffer (Volatile) Memory CPU

Persistent TSO (PTSO)

15

(Persistent) Memory CPU Persistence Buffer (Volatile) Memory Thread1 Buffer Thread2 Buffer (Volatile) Memory CPU

Persistent TSO (PTSO)

15

(Persistent) Memory Thread1 Buffer Persistence Buffer Thread2 Buffer (Persistent) Memory CPU Persistence Buffer (Volatile) Memory Thread1 Buffer Thread2 Buffer (Volatile) Memory CPU

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models

Contributions

16

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models

Contributions

16

• Verifying programs under PTSO
• PTSO programming pattern
• Correctness condition: persistent linearisability
• Verified several examples under PTSO

• PTSO: First formal epoch persistency semantics under 


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models

Contributions

16

• Verifying programs under PTSO
• PTSO programming pattern
• Correctness condition: persistent linearisability
• Verified several examples under PTSO

Verifying programs under PTSO

The persistent variant of the Michael-Scott queue and its recovery mechanism

Verifying programs under PTSO

The persistent variant of the Michael-Scott queue and its recovery mechanism

What constitutes a correct persistent implementation?

Linearisability

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• Linearisable ⟺ ∃ H. H totally orders events

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• - e.g. FIFO sequences for queue
• Linearisable ⟺ ∃ H. H totally orders events

a c b

✔

c a b

✘

a b c

✔

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

18

thread 1 thread 2 enq(1)

a

deq(1)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• - e.g. FIFO sequences for queue
• Linearisable ⟺ ∃ H. H totally orders events

a c b

✔

c a b

✘

a b c

✔

linearisable

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

19

thread 1 thread 2 enq(1)

a

deq(2)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• - e.g. FIFO sequences for queue
• Linearisable ⟺ ∃ H. H totally orders events

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

19

thread 1 thread 2 enq(1)

a

deq(2)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• - e.g. FIFO sequences for queue
• Linearisable ⟺ ∃ H. H totally orders events

a c b c a b a b c

Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

19

thread 1 thread 2 enq(1)

a

deq(2)

c

enq(2)

b

time

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence (library-specific)
• - e.g. FIFO sequences for queue
• Linearisable ⟺ ∃ H. H totally orders events

a c b

✘

c a b

✘

a b c

✘

non-linearisable (not legal)

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

20

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

thread 1 thread 2 enq(1)

a

deq(1)

c

time enq(2)

b

Persistent Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

20

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence
• Persistently linearisable ⟺ ∃ H. H totally orders a subset S of events

thread 1 thread 2 enq(1)

a

deq(1)

c

time enq(2)

b

Persistent Linearisability

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

20

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence
• Persistently linearisable ⟺ ∃ H. H totally orders a subset S of events

thread 1 thread 2 enq(1)

a

deq(1)

c

time enq(2)

b

• - persists are asynchronous: only a prefix may persist after a crash

Persistent Linearisability

• S is hb-prefix-closed : (a, b) ∈ hb and b ∈ S ⇒ a ∈ S

• Define happens-before relation hb
• (e1, e2) ∈ hb ⟺ e1.end <time e2.begin

20

• - e.g. ( , ) ∈ hb ( , ) ∉ hb

a b a c

• H respects hb
• H is a legal sequence
• Persistently linearisable ⟺ ∃ H. H totally orders a subset S of events

a c

✔

Persistently linearisable thread 1 thread 2 enq(1)

a

deq(1)

c

time enq(2)

b

• - persists are asynchronous: only a prefix may persist after a crash

Persistent Linearisability

• S is hb-prefix-closed : (a, b) ∈ hb and b ∈ S ⇒ a ∈ S

21

What about Multiple Crashes?

execution

time

recovery recovery execution execution

21

What about Multiple Crashes?

execution

time

recovery recovery execution execution

no crashes

21

What about Multiple Crashes?

G1 Gn G2

execution

time

recovery recovery execution execution

no crashes

21

• H i persistently linearises G i — as before
• H1 ++ … ++ Hn is a legal sequence
• A chain G1 … Gn is persistently linearisable ⟺ ∃ H1 … Hn .

What about Multiple Crashes?

G1 Gn G2

execution

time

recovery recovery execution execution

no crashes

Conclusions

• PTSO: First formal epoch persistency semantics under


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models
• Verifying programs under PTSO
• PTSO programming pattern
• Correctness condition: persistent linearisability
• Verified several examples under PTSO

Conclusions

• PTSO: First formal epoch persistency semantics under


mainstream hardware

• Operational model
• Declarative model
• Equivalence of the two models
• Verifying programs under PTSO
• PTSO programming pattern
• Correctness condition: persistent linearisability
• Verified several examples under PTSO

Thank you for listening!

azalea@mpi-sws.org @azalearaad SoundAndComplete.org

Programming Pattern

• 1. // log progress
• 2. pfence
• 3. // do the work
• 4. pfence

Programming Pattern

• 1. // log progress
• 2. pfence
• 3. // do the work
• 4. pfence

Log at most one step ahead of work

Programming Pattern

• 1. // log progress
• 2. pfence
• 3. // do the work
• 4. pfence

1. 2. 3. 4.

Log at most one step ahead of work