Using abstract interpretation to correct synchronization faults - - PowerPoint PPT Presentation

Using abstract interpretation to correct synchronization faults

Eric Koskinen

Yale University

VMCAI · 17 January 2017 Pietro Ferrara

JuliaSoft

Omer Tripp

Google

Peng Liu

IBM Research

Concurrency is here to stay.

Queue HashMap List

Thread 1 Thread n Thread 2

…

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / δ t1: return δ t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

Not serializable! t1 goes first But returns δ ? t2 goes second Returns β ? Now: 11:00 —> α

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

Slot Res 10:00 — 11:00 α 12:00 γ 13:00 — Slot Res 10:00 — 11:00 δ 12:00 γ 13:00 —

Acceptable Final States: t1 first, returns β t2 second, returns α t2 first, returns β t1 second, returns δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2 Existing approaches to enforcing serializability . . .

t2: lock(13:00);

Pessimistic

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

t1 t1

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / β t1: return β t1: lock(10:00); lock(11:00)

t2

t2: lock(13:00); lock(11:00)

Pessimistic

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

t1 t1

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / β t1: return β t1: lock(10:00); lock(11:00)

t2

get$ if(…)$ new$ putIfAbsent$ return$ get$ if(…)$ new$ putIfAbsent$ return$

pessimis,c%

t1% t2%

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Pessimistic

remove if replace remove new replace

Optimistic

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / β t1: return β t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Optimistic

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / β t1: return β t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

conflict.

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

get$ if(…)$ new$ putIfAbsent$ return$ get$ if(…)$ new$ putIfAbsent$ return$

pessimis,c%

t1% t2%

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Optimistic

remove if replace remove new replace

get$ if(…)$ new$ putIfAbsent$ return$ get$ if(…)$ new$ putIfAbsent$

retry%

• p,mis,c%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace remove new replace

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Other options? Perform a correction!

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t1: replace(11:00) / δ t1: return δ t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

Not serializable!

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Slot Res 10:00 α 11:00 β 12:00 γ 13:00 —

t1 t2

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 β 12:00 γ 13:00 —

♥

β β α α δ

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 β 12:00 γ 13:00 —

♥

α

Serializable Target

Slot Res 10:00 — 11:00 α 12:00 γ 13:00 —

t2 first, returns β t1 second, returns δ

get$ if(…)$ new$ putIfAbsent$ return$ get$ if(…)$ new$ putIfAbsent$ return$

pessimis,c%

t1% t2%

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

Corrective

remove if replace remove new replace

get$ if(…)$ new$ putIfAbsent$ return$ get$ if(…)$ new$ putIfAbsent$

retry%

• p,mis,c%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace remove new replace

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Challenges & Contributions

• Is this serializable?


Yes, we have proved so.

• How to compute each thread’s alternative post-

states?
 Via a static abstract interpretation.

• Given an incorrect state, how to efficiently recover

to a correct post-state?
 Via a dynamic runtime system.

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Transition System

Formalization

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

Remember where we started

t

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

Act sort of optimistically: march ahead w local changes

,opt)

L t

'

Remember the operation that was performed

,Lt•opt)], σ, L)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

Replay the mutations on the shared state Parameterize by property of interest (Serializability) L t

,opt) ,Lt•opt)], σ, L)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

L t

,opt) ,Lt•opt)], σ, L)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

Now let’s add correction . . .

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Γ,(t,s) ⊢ s ⟶* (T,μ’,σ,L) Γ,(t,s) ⊢ (T,μ,σ,L) ⟶ (T,μ[t ↦ μ’(t)],σ,L) corr t

Recall reference state s for txn t Txn t could have gone to some other μ’ Pretend that it did exactly that.

Formalization

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Let’s see these rules applied to the example . . .

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 β 12:00 γ 13:00 —

♥

β

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

Rules

• 1. Both run, performing local

β

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 β 12:00 γ 13:00 —

♥

α

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

Rules

• 1. Both run, performing local
• 2. t1 wants to end:
• a. t1 performs corr

β β

• reference state (Γ): initial state
• target state: where t1 acted alone
• set 11:00 to α, return β

t1: replace(11:00) / β t1: return β

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 α 12:00 γ 13:00 —

♥

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

Rules

• 1. Both run, performing local
• 2. t1 wants to end:
• a. t1 performs corr
• b. t1 performs cmt
• Export the changes


to shared state

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / β t2: return β

Slot Res 10:00 — 11:00 α 12:00 γ 13:00 —

♥

β α α

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

Rules

• 1. Both run, performing local
• 2. t1 wants to end:
• a. t1 performs corr
• b. t1 performs cmt
• 3. t2 performs corr

β δ

• reference state (Γ): initial state
• use serializable target
• set 11:00 to δ, return α

t1: replace(11:00) / δ t1: return δ

updateReservation(Slot old_slot, Slot new_slot) : Reservation = { var r = map.remove(old_slot) // remove if exists if (r == null) { r = new Res() } val clobbered = map.replace(new_slot, r) return clobbered; }

t1: remove(10:00) / α t1: if (…) t2: remove(13:00) / null t2: new Res() / δ t2: replace(11:00) / α t2: return α

Slot Res 10:00 — 11:00 δ 12:00 γ 13:00 —

♥

β

Serializable Target

Slot Res 10:00 — 11:00

δ

12:00 γ 13:00 —

t1 first, returns β t2 second, returns α

Rules

• 1. Both run, performing local
• 2. t1 wants to end:
• a. t1 performs corr
• b. t1 performs cmt
• 3. t2 performs corr
• 4. t2 performs cmt

β

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Formalization

pessimism is like an almost trivial restriction in which conflicting executions never occur; no need to correct

• ptimism permits only corrections back to

the initial state (abort)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Computing Target States

• Abstract Interpretation
• Specialized abstract domain for Java maps

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Computing Target States

• Abstract Interpretation
• Specialized abstract domain for Java maps

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Computing Target States

• Abstract Interpretation
• Specialized abstract domain for Java maps
• Computes an under-approximation of the serializable

intermedia (or final) states 
 (fixpoint over an inter-procedural cross-product CFG)

• Target states are “progress-safe” (don’t get stuck after

correction)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Computing Target States

• Output: a relational corrective specification:
• Maps pre-states to sets of post-states
• e.g. [k → ⊥, x1 → v] {[k → v, x1 → v]}.



 If we started from a pre-state where k was not in the map and the argument was v,
 then in the post-state k is made to point to the value v pointed-to by the argument k in the pre-state.

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Using Target States

• Dynamic runtime system
• Consumes the relational corrective specification


(what operations to perform)

• At commit time, detect conflict and perform correction

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Preliminary Implementation

• Java static analysis (ainterp) for Map operations.
• Builds a serialized CFG.
• Computes a fixpoint over it.
• Static analysis running times are negligible (<1s).
• Limitation: prototype assumes all transactions start

simultaneously (e.g. loop parallelization)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Evaluation

• Apache Tomcat web-app container, ApplicationContext
• dyuproject - Framework for development of Java web
• applications. StandardConvertorCache (objects to/from

JSON)

• Flexive - Content repository for development of web

apps FxValueRendererFactory (render transparently certain objects in a language)

• Gridkit - In-memory data grids. ReflectionPofSerializer

(generic POF serialization via reflection)

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Evaluation

• Relative gain of (boosting) STM and corrective synchronization


w.r.t. lock-based synchronization.

• We aggregate performance results
• On average, corrective synchronization leads to a gain


that is twice the one obtained by STM.

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Perf vs Workload Perf vs # of threads

get$ if(…)$ new$ putIfAbsent$ return$

correct%

correc,ve%

get$ if(…)$ new$ putIfAbsent$ return$ t1% t2%

remove if replace remove new replace

Corrective

Open Questions

• What are good abstract domains to use?
• How does this work in more realistic systems?
• When is it preferred over other options (pessimistic,
• ptimistic, etc.)?
• Adaptive approaches?

Thank you! eric.koskinen@yale.edu