Upload
angel-barton
View
219
Download
0
Embed Size (px)
DESCRIPTION
Research Overview Transformations Automatic Parallelization Object-Oriented Programs with Linked Data Structures [PLDI96] Divide and Conquer Programs [PPoPP99, PLDI00] Synchronization Optimizations Lock Coarsening [POPL97,PLDI98] Synchronization Elimination [OOPSLA99] Optimistic Synchronization Primitives [PPoPP97] Memory Management Optimizations Stack Allocation [OOPSLA99,PLDI01] Per-Thread Heap Allocation
Citation preview
Program Analysis and Design Conformance
Martin RinardLaboratory for Computer Science
Massachusetts Institute of Technology
Research OverviewProgram Analysis
• Commutativity Analysis for C++ Programs [PLDI96]
• Memory Disambiguation for Multithreaded C Programs• Pointer Analysis [PLDI99]• Region Analysis [PPoPP99, PLDI00]
• Pointer and Escape Analysis for Multithreaded Java Programs [OOPSLA99, PLDI01, PPoPP01]
Research OverviewTransformations
• Automatic Parallelization• Object-Oriented Programs with Linked Data
Structures [PLDI96]• Divide and Conquer Programs [PPoPP99, PLDI00]
• Synchronization Optimizations• Lock Coarsening [POPL97,PLDI98]• Synchronization Elimination [OOPSLA99] • Optimistic Synchronization Primitives [PPoPP97]
• Memory Management Optimizations• Stack Allocation [OOPSLA99,PLDI01]• Per-Thread Heap Allocation
Research OverviewVerifications of Safety Properties
• Data Race Freedom [PLDI00]• Array Bounds Checks [PLDI00]• Correctness of Region-Based Allocation
[PPoPP01]• Credible Compilation [RTRV99]
• Correctness of Dataflow Analysis Results• Correctness of Standard Compiler
Optimizations
Talk Overview• Memory Disambiguation
• Goal: Verify Data Race Freedom for Multithreaded Divide and Conquer Programs
• Analyses: • Pointer Analysis• Accessed Region Analysis
• Experience integrating information from the developer into the memory disambiguation analysis
• Role Verification• Design Conformance
Basic Memory Disambiguation Problem
*p = v
Without Any Analysis:
*p=v may access any location
*p = v;(write v into the memory location that p points
to)What memory locations may *p=v access?
*p = v;(write v into the memory location that p points
to)What memory location may *p=v access?
*p = v
With Analysis:
*p=v does not access these memory locations !
*p=v may access this location
*p=v may access this location
Basic Memory Disambiguation Problem
Static Memory Disambiguation
Analyze the program to characterize the memory locations that statements
in the program read and write
Fundamental problem in program analysis with many applications
Application: Verify Data Race Freedom
*p = v1;
*q = v2; *q = v2
*p = v1||
*q = v2
*p = v1
Program Does This
NOT This
Example - Divide and Conquer Sort
47 6 1 53 8 2
8 2536 147
Example - Divide and Conquer Sort
47 6 1 53 8 2
Divide
2 8531 674
8 2536 147
47 6 1 53 8 2
Example - Divide and Conquer Sort
Conquer
Divide
Example - Divide and Conquer Sort
2 8531 674 Conquer
8 2536 147 Divide
47 6 1 53 8 2
41 6 7 32 5 8Combine
Example - Divide and Conquer Sort
2 8531 674 Conquer
8 2536 147 Divide
47 6 1 53 8 2
41 6 7 32 5 8Combine
21 3 4 65 7 8
Divide and Conquer Algorithms• Lots of Generated Concurrency
• Solve Subproblems in Parallel
Divide and Conquer Algorithms• Lots of Recursively Generated Concurrency
• Recursively Solve Subproblems in Parallel
Divide and Conquer Algorithms• Lots of Recursively Generated Concurrency
• Recursively Solve Subproblems in Parallel• Combine Results in Parallel
“Sort n Items in d, Using t as Temporary Storage”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n);
“Sort n Items in d, Using t as Temporary Storage”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n);
Divide array into subarrays and recursively sort subarrays in
parallel
“Sort n Items in d, Using t as Temporary Storage”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n);
Subproblems Identified
Using Pointers Into Middle of Array
47 6 1 53 8 2d
d+n/4d+n/2
d+3*(n/4)
“Sort n Items in d, Using t as Temporary Storage”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n); 74 1 6 53 2 8
dd+n/4d+n/2
d+3*(n/4)
Sorted Results Written Back Into
Input Array
“Merge Sorted Quarters of d Into Halves of t”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n); 74 1 6 53 2 8
41 6 7 32 5 8d
tt+n/2
“Merge Sorted Halves of t Back Into d”void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n); 21 3 4 65 7 8
41 6 7 32 5 8d
tt+n/2
“Use a Simple Sort for Small Problem Sizes”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n); 47 6 1 53 8 2
dd+n
“Use a Simple Sort for Small Problem Sizes”
void sort(int *d, int *t, int n) if (n > CUTOFF) {
spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn
sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn
merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);
} else insertionSort(d,d+n); 47 1 6 53 8 2
dd+n
What Do You Need To Know To Verify Data Race Freedom?
Points-to Information(data blocks that pointers point into)
Region Information(accessed regions within data blocks)
d and t point to different memory blocksCalls to sort access disjoint parts of d and t
Together, calls access [d,d+n-1] and [t,t+n-1]
sort(d,t,n/4);
sort(d+n/4,t+n/4,n/4);
sort(d+n/2,t+n/2,n/4);
sort(d+3*(n/4),t+3*(n/4), n-3*(n/4));
Information Needed To Verify Race Freedom
dt
dt
dt
dt
d+n-1t+n-1
d+n-1t+n-1
d+n-1t+n-1
d+n-1t+n-1
d and t point to different memory blocksFirst two calls to merge access disjoint parts of
d,tTogether, calls access [d,d+n-1] and [t,t+n-1]
merge(d,d+n/4,d+n/2,t);
merge(d+n/2,d+3*(n/4), d+n,t+n/2);
merge(t,t+n/2,t+n,d);
dt
dt
d+n-1t+n-1
d+n-1t+n-1
dt
d+n-1t+n-1
Information Needed To Verify Race Freedom
d d+n-1
Information Needed To Verify Race Freedom
Calls to insertionSort access [d,d+n-1]
insertionSort(d,d+n);
What Do You Need To Know To Verify Data Race Freedom?
Points-to Information(d and t point to different data
blocks)
Symbolic Region Information(accessed regions within d and t
blocks)
How Hard Is It To Figure These Things Out?
Challenging
How Hard Is It For the Program Analysis To Figure These Things
Out?
How Hard Is It For the Program Analysis To Figure These Things
Out?void insertionSort(int *l, int *h) {
int *p, *q, k;for (p = l+1; p < h; p++) {
for (k = *p, q = p-1; l <= q && k < *q; q--)*(q+1) = *q;
*(q+1) = k;}
}Not immediately obvious that
insertionSort(l,h) accesses [l,h-1]
void merge(int *l1, int*m, int *h2, int *d) {int *h1 = m; int *l2 = m;while ((l1 < h1) && (l2 < h2))
if (*l1 < *l2) *d++ = *l1++;else *d++ = *l2++;
while (l1 < h1) *d++ = *l1++;while (l2 < h2) *d++ = *l2++;
}
Not immediately obvious that merge(l,m,h,d)
accesses [l,h-1] and [d,d+(h-l)-1]
How Hard Is It For the Program Analysis To Figure These Things
Out?
Issues• Heavy Use of Pointers
• Pointers into Middle of Arrays• Pointer Arithmetic• Pointer Comparison
• Multiple Procedures• sort(int *d, int *t, n)• insertionSort(int *l, int *h)• merge(int *l, int *m, int *h, int *t)
• Recursion• Multithreading
Pointer Analysis• For each program point, computes
where each pointer may point
e.g. “ p x before statement *p = 1”• Complications
1. Statically unbounded number of locations • recursive data structures (lists, trees)• dynamically allocated arrays
2. Multiple possible executions of the program• may create different dynamic data
structures
Memory Abstraction
Physical Memory
Abstract Memory
Stack Heapp
i
head
r
p head
r
q v
q v
j
i
j
Allocation block for each variable declarationAllocation block for each memory allocation site
Memory Abstraction
Physical Memory
Abstract Memory
Stack Heapp
i
head
r
p head
r
q v
q v
j
i
j
Allocation block for each variable declarationAllocation block for each memory allocation site
Pointer Analysis Summary• Key Challenge for Multithreaded
Programs: Analyzing interactions between threads
• Solution: Interference Edges• Record edges generated by each
thread• Captures effect of parallel threads on
points-to information of other threads
What Pointer Analysis Gives Us
• Disambiguation of Memory Accesses Via Pointers• Pointer-based loads and stores: use pointer analysis
results to derive the allocation block that each pointer-based load or store statement accesses
• MOD-REF or READ-WRITE SETS Analysis:• All loads and stores• Procedures: use the memory access information for
loads and stores to compute the allocation blocks that each procedure accesses
Is This Information Enough?
Is This Information Enough?
NONecessary but not Sufficient
Parallel Tasks Access (Disjoint) Regions of Same Allocated Block of
Memory
Structure of Analysis
Bounds Analysis
Region Analysis
Data Race Freedom
Symbolic Upper and LowerBounds for Each Memory Access in Each Procedure
Symbolic Regions AccessedBy Execution of Each Procedure
Check that Parallel Threads Are Independent
Pointer Analysis Disambiguate Memory at the Granularity of Allocation Blocks
Running Example – Array Increment
void f(char *p, int n) if (n > CUTOFF) {spawn f(p, n/2); /* increment first half */spawn f(p+n/2, n/2); /* increment second half */sync;} else {/* base case: increment small array */int i = 0;while (i < n) { *(p+i) += 1; i++; }}
Bounds Analysis
Region Analysis
Data Race Detection
Symbolic Upper and LowerBounds for Each Memory Access in Each Procedure
Pointer Analysis
Intra-procedural Bounds Analysis
Intraprocedural Bounds Analysis
GOAL: For each pointer and array index variable at each program point, derive lower and upper bounds
E.g. “ 0 i n-1 at statement *(p+i) += 1 ”
• Bounds are symbolic expressions• variables represent initial values of parameters
of enclosing procedure• bounds are combinations of variables• example expression for f(p,n): p+(n/2)-1
What are upper and lower bounds for i at each program point in base case?
int i = 0;while (i < n) { *(p+i) += 1; i++; }
Intraprocedural Bounds Analysis
Bounds Analysis, Step 1Build control flow graph
i = 0
i < n
*(p+i) += 1
i = i+1
Set up bounds at beginning of basic blocks
Bounds Analysis, Step 2
l1 i u1i = 0
i < n
*(p+i) += 1
i = i+1
l2 i u2
l3 i u3
Compute transfer functionsBounds Analysis, Step 3
l1 i u1i = 0
i < n
*(p+i) += 1
i = i+1
l2 i u2
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
l2 i n-1 n i u2
l2 i u2
Compute transfer functionsBounds Analysis, Step 3
l1 i u1i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
l1 i u1
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
l1 i u1
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
l1 i u1
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
- i +
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
- i +
Key Step: set up constraints for boundsBounds Analysis, Step 4
l2 i n-1 n i u2
l2 i u2
i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Build Region Constraints
[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,
u2 ] [ l2 , n-1 ] [ l3 , u3 ]
- i +
l2 0l2 l3+1l3 l2
0 u2
u3+1 u2
n-1 u3
Inequality Constraints
Generate symbolic expressions for bounds
Goal: express bounds in terms of parameters
Bounds Analysis, Step 5
l2 = c1p + c2n + c3
l3 = c4p + c5n + c6
u2 = c7p + c8n + c9
u3 = c10p + c11n + c12
Generate symbolic expressions for bounds
Goal: express bounds in terms of parameters
l2 = c1p + c2n + c3
l3 = c4p + c5n + c6
Bounds Analysis, Step 5
u2 = c7p + c8n + c9
u3 = c10p + c11n + c12
l2 0l2 l3+1l3 l20 u2
u3+1 u2
n-1 u3
c1p + c2n + c3 0c1p + c2n + c3 c4p + c5n + c6 +1c4p + c5n + c6 c1p + c2n + c3
Substitute expressions into constraintsBounds Analysis, Step 6
0 c7p + c8n + c9
c10p + c11n + c12 +1 c7p + c8n + c9
c7p + c8n + c9 c10p + c11n + c12
Reduce symbolic inequalities to linear inequalities
c1p + c2n + c3 c4p + c5n + c6
if
c1 c4, c2 c5, and c3 c6
Bounds Analysis, Step 7
Apply reduction and generate a linear programc1 0 c2 0 c3 0c1 c4 c2 c5 c3 c6+1c4 c1 c5 c2 c6 c3
Bounds Analysis, Step 8
0 c7 0 c8 0 c9
c10 c7 c11 c8 c12+1
c9
c7 c10 c8 c11 c9 c12
Apply reduction and generate a linear programc1 0 c2 0 c3 0c1 c4 c2 c5 c3 c6+1c4 c1 c5 c2 c6 c3
lower bounds upper bounds
Bounds Analysis, Step 8
Objective Function:max: (c1 + ••• + c6) - (c7 + ••• + c12)
0 c7 0 c8 0 c9
c10 c7 c11 c8 c12+1
c9
c7 c10 c8 c11 c9 c12
Solve linear program to extract boundsBounds Analysis, Step 10
c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1
l2 i n-1 n i u2
l2 i u2
- i +i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
Solution
Solve linear program to extract boundsBounds Analysis, Step 9
u2 = nu3 = n-1
l2 i n-1 n i u2
l2 i u2
- i +i = 0
i < n
*(p+i) += 1
i = i+1
l3 i u3
0 i 0
l3 i u3
l3+1 i u3+1
l2 = 0l3 = 0
c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1
Solution
Symbolic Bounds
Substitute bounds at each program pointBounds Analysis, Step 10
0 i n-1 n i n
0 i n
- i +i = 0
i < n
*(p+i) += 1
i = i+1
0 i n-1
0 i 0
0 i n-1
1 i n
u2 = nu3 = n-1
l2 = 0l3 = 0
c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1
Solution
Symbolic Bounds
0 i n-1 n i n
0 i n
- i +i = 0
i < n
*(p+i) += 1
i = i+1
0 i n-1
0 i 0
0 i n-1
1 i n
Compute access regions at each load or store
Access Regions
[p,p+n-1] u2 = nu3 = n-1
l2 = 0l3 = 0
c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1
Solution
Symbolic Bounds
Bounds Analysis
Region Analysis
Data Race Detection
Symbolic Regions AccessedBy Execution of Each Procedure
Pointer Analysis
Interprocedural Region Analysis
• Same Approach• Set up target bounds of accessed regions• Build a constraint system to compute these
bounds• Constraint System
Accessed regions for a procedure must include: 1. Regions accessed by statements in the
procedure 2. Regions accessed by invoked procedures
Interprocedural Region AnalysisGOAL: Compute accessed regions of
memory for each procedure E.g. “ f(p,n) accesses [p, p+n-1] ”
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}[ p, p+n-1 ]
Region Analysis in Example
f(p,n) accesses[ l(p,n), u(p,n) ]
Region Analysis in Example
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}[ p, p+n-1 ]
[ l(p,n/2), u(p,n/2) ][ l(p+n/2,n/2), u(p+n/2,n/2) ]
Region Analysis in Example
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}[ p, p+n-1 ]
f(p,n) accesses[ l(p,n), u(p,n) ]
Derive Constraint System• Region constraints
[ l(p,n/2), u(p,n/2) ] [ l(p,n), u(p,n) ]www [ l(p+n/2,n/2), u(p+n/2,n/2) ] [ l(p,n), u(p,n) ]www
[ p, p+n-1 ] [ l(p,n), u(p,n) ]www
• Reduce to inequalities between lower/upper bounds
• Further reduce to a linear program and solve:l(p,n) = pu(p,n) = p+n-1
• Access region for f(p,n): [p, p+n-1]
Bounds Analysis
Region Analysis
Data Race Freedom Check that Parallel Threads Are Independent
Pointer Analysis
Data Race Freedom
• Dependence testing of two statements• Do accessed regions intersect?• Based on comparing upper and lower
bounds of accessed regions
• Absence of data races• Check that all the statements that execute
in parallel are independent
Data Race Freedom
Data Race Freedom
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}
f(p,n) accesses[ p, p+n-1 ]
[ p, p+n/2-1 ][ p+n/2, p+n-1 ]
Data Race Freedom
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}
f(p,n) accesses[ p, p+n-1 ]
No data races !
Data Race Freedom
void f(char *p, int n) if (n > CUTOFF) {
spawn f(p, n/2);spawn f(p+n/2, n/2);sync;
} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }
}
Fundamental Property of the Analysis:
No Fixed Point Computations• The analysis does not use fixed-point
computations:• The problem is reduced to a linear program• The solution to the linear program directly gives
the symbolic lower and upper bounds
• Fixed-point approaches:• Termination is not guaranteed: analysis domain of
symbolic expressions has infinite ascending chains
• Use imprecise techniques to ensure termination:• Artificially truncate number of iterations• Use imprecise widening operators
Experience• Set of benchmark programs
• Two versions of each benchmark • Sequential version written in C• Multithreaded version written in Cilk
• Experiments:1. Data Race Freedom for the multithreaded versions2. Array Bounds Violation Detection for both
sequential and multithreaded versions3. Automatic Parallelization for the sequential
version
Data Races and Array Bounds Violations
Application Data races(multithreade
d)
Array Bounds Violations
(multithreaded)
Array Bounds Violations
(sequential)
QuickSort NO NO NO
MergeSort NO NO NO
BlockMul NO NO NO
NoTempMul
NO NO NO
LU NO NO NO
Knapsack YES NO NO
Heat NO NO NO
0
2
4
6
8
0 2 4 6 80
2
4
6
8
0 2 4 6 80
2
4
6
8
0 2 4 6 8
Parallel Performance
Quicksort Mergesort Heat0
2
4
6
8
0 2 4 6 80
2
4
6
8
0 2 4 6 80
2
4
6
8
0 2 4 6 8
BlockMul NoTempMul LU
Summary• Sophisticated Memory Disambiguation
Analysis• Points-to Information• Accessed Region Information
• Automatic • Interprocedural• Handles Multithreaded Programs• Other Uses Besides Data Race Freedom
• Bitwidth Analysis• Array-Bounds Check Elimination• Buffer Overrun Detection
Bigger Picture• Analysis has a very specific goal• Developer understands and cares about
results• Points-to and region information is (implicitly)
part of the interface of each procedure• Developer understands interfaces• Developer has expectations about analysis
results• Analysis can identify serious programming
errors• Developer expectations are implicit
IdeaEnhance procedure interface to make points-to and region information explicit
• Points-to language• Points-to graphs at entry and exit• Effect on points-to relationships
• Region language• Symbolic specification of accessed
regions• Developer provides information• Analysis verifies that it is correct, and
that correctness implies data race freedom
Points-to Languagef(p, q, n) {
context {entry: p->_a, q->_b;exit: p->_a, _a->_c, q->_b, _b->_d;}context {entry: p->_a, q->_a;exit: p->_a, _a->_c, q->_a;}
}
Points-to Languagef(p, q, n) {
context {entry: p->_a, q->_b;exit: p->_a, _a->_c, q->_b, _b->_d;
}context {
entry: p->_a, q->_a;exit: p->_a, _a->_c,
q->_a;}
}
pq
pq
pq
pq
Contexts for f(p,q,n)
entry
exit
Verifying Points-to InformationOne (flow sensitive) analysis per context
f(p,q,n) {...
}
pq
pq
pq
pq
Contexts for f(p,q,n)
entry
exit
Verifying Points-to InformationStart with entry points-to graph
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exit
pq
Contexts for f(p,q,n)
Verifying Points-to InformationAnalyze procedure
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exit
pq
Contexts for f(p,q,n)
Verifying Points-to InformationAnalyze procedure
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exitpq
Contexts for f(p,q,n)
Verifying Points-to InformationCheck result against exit points-to graph
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exitpq
Contexts for f(p,q,n)
Verifying Points-to InformationSimilarly for other context
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exit
Contexts for f(p,q,n)
Verifying Points-to InformationStart with entry points-to graph
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exit
pq
Contexts for f(p,q,n)
Verifying Points-to InformationAnalyze procedure
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exit
pq
Contexts for f(p,q,n)
Verifying Points-to InformationCheck result against exit points-to graph
f(p,q,n) {...
}
pq
pq
pq
pq
entry
exitpq
Contexts for f(p,q,n)
Analysis of Call Statements
g(r,n) {..f(r,s,n);..
}
Analysis of Call StatementsAnalysis produces points-graph before call
g(r,n) {..f(r,s,n);..
}
rs
pq
pq
pq
pq
entry
exit
Contexts for f(p,q,n)
Analysis of Call StatementsRetrieve declared contexts from callee
g(r,n) {..f(r,s,n);..
}
rs
pq
pq
pq
pq
entry
exit
Contexts for f(p,q,n)
Analysis of Call StatementsFind context with matching entry graph
g(r,n) {..f(r,s,n);..
}
rs
pq
pq
pq
pq
entry
exit
Contexts for f(p,q,n)
Analysis of Call StatementsFind context with matching entry graph
g(r,n) {..f(r,s,n);..
}
rs
pq
pq
pq
pq
entry
exit
Contexts for f(p,q,n)
Analysis of Call StatementsApply corresponding exit points-to graph
g(r,n) {..f(r,s,n);..
}
rs
rs
Analysis of Call StatementsContinue analysis after call
g(r,n) {..f(r,s,n);..
}
rs
Analysis of Call Statements
g(r,n) {..f(r,s,n);..
}
rs
Result• Points-to declarations
separate analysis of multiple procedures
• Transformed • global, whole-program
analysis into • local analysis that
operates on each procedure independently
Experience• Implemented points-to and region languages• Integrated with points-to and region
analyses• Divide and Conquer Benchmarks
• Quicksort (QS)• Mergesort (MS)• Matrix multiply (MM)• LU decomposition (LU)• Heat (H)
• We added points-to and region information
Sorting Programs
Dense MatrixComputationsScientific Computation
Programming OverheadProportion of C Code, Region
Declarations, and Points-to Declarations
0.00
0.25
0.50
0.75
1.00
QS MS MM LU H
C Code
RegionDeclarationsPoints-toDeclarations
EvaluationHow difficult is it to provide declarations?
Not that difficult.• Have to write comparatively little code• Must know information anyway
How much benefit does analysis obtain?Substantial benefit.
• Simpler analysis software (no complex interprocedural analysis)
• More scalable, precise analysis
EvaluationSoftware Engineering Benefits of Points-to
and Region Declarations
• Improved communication between developer and analysis
• Analysis reflects developer’s expectations
• Enhanced code reliability • Enhanced interface information• Analyze incomplete programs
•Programs that use libraries•Programs under development
EvaluationDrawbacks of Points-to and Region
Declarations• Have to learn new language• Have to integrate into development
process• Legacy software issues
(programmer may not know points-to and region information)
Steps to Design ConformanceVerify that Program Correctly Implements Key Design
Properties as Expressed by Developer or Designer• Role Verification• Design Conformance for Object Models
(joint with Daniel Jackson, MIT LCS)• Context: Air Traffic Control Software
• MIT LCS (Daniel Jackson, Martin Rinard) MIT Aero-Astro Department (R. John Hansman) NASA Ames Research Center (Michelle Eshow) Kansas State University CS Dept. (David Schmidt)
• CTAS (Center/TRACON Automation System)
Role Verification• Objects play different roles during their
lifetime in computation• Parked Aircraft, Taxiing Aircraft, Cleared for
Takeoff Aircraft, In Flight Aircraft• Roles reflect constraints on activities of object• System actions must respect role constraints
• Parked Aircraft can’t take off• Action violations indicate system confusion
• Goals• Obtain role information from developer• Check that program uses roles correctly
Role Classification
• Two General Kinds of Classification• Content-based (predicate on
object fields determines role) • Relative (points-to relationships
determine role)• Role Classification is Application
Dependent
Aircraft
Flying Aircraft
Parked Aircraft
Taxiing Aircraft
Cleared Aircraft
Class
Roles
Standard View of Object
Fields
OutgoingReferences List of Meter
FixesSequence Of PointsString
RunwayObjectGate
Object
••
•
IncomingReferences
Flight PlanTrajectory
Flight NameRunway
Gate
Relative Role ClassificationPoints-to relationships define roles
• Specify sources of incoming edges• Field of an object playing a given role• Global or local variable
• Specify target of outgoing edges• Specify available fields in each role
Example Roles
Gate Object
Aircraft•••
Parked Aircraft
Flight PlanTrajectory
Flight NameRunway
Gate
Trajectory
Gate
Example Roles
Runway ObjectAircraft
•••
Cleared for Takeoff Aircraft
Flight Plan
RunwayFlight Name
List of MeterFixes
String
Role Verification• Analysis Obtains
• Role Definitions• Method Information
• Roles of parameters and globals on entry• Role changes that method performs• Role of return value
• Intraprocedural Analysis• Simulates potential executions of method• Precise abstraction of heap• Use role information for invoked methods• Verify correctness of role information
Benefits of Roles• Software Engineering Benefits
• Safety checks that take application semantics into account
• Enhanced implementation transparency
• Transformations Enabled By Precise Referencing Behavior• Safe real-time memory management• Parallelization and race detection for
Programs with linked data structures• Optimized Atomic Transactions
Key Issue: Obtaining Role Information
• Range of Developer and Designer Involvement• Some Involvement Reasonable and
Necessary: Roles Reflect Application-Specific Properties
• Primary Focus: Role Definitions• Determine analysis distinctions• Relevance of extracted information
• Secondary Focus: Method Specifications• Developer specifies roles of parameters• Analysis extracts role changes
Design Conformance• Software Development Activities
• Requirements• Design• Implementation
• Design is Partial• Focus on Important Aspects• Omit Many Low-Level Details
• Design and Implementation are Disconnected• No guarantee that code conforms to design
Goal of Design Conformance• Establish and mechanically check
conformance• Use specific design formalism (object
models)• Boxes (objects) and Arrows (relations
between objects)Aircraft
Flying Aircraft
Parked Aircraft
Taxiing Aircraft
Cleared Aircraft
MeterFix
Flight Plan Flight Plan+ +
Key Issue• Establishing correspondence between object
model and implementation• Object models usually at a higher level of
abstraction• Many relations in object model realized as
group of objects and references• Object model may entirely omit some objects
or references• Enables designer to focus on important aspects• But complicates path to conformance analysis
Aircraft
Flying Aircraft
Parked Aircraft
Taxiing Aircraft
Cleared Aircraft
MeterFixFlight Plan Flight Plan
+ +
Gate Object
Aircraft•••
Flight PlanTrajectory
Flight NameRunway
Gate
Trajectory
GateRunway Object
Aircraft•••
Flight Plan
RunwayFlight Name
List of MeterFixes
String
Aircraft
MeterFix
Flight Plan+
AbstractObject Model
ConcreteObject Model
IntermediateObject Model
Roles
Concretization Specifications• Maps Between Object Models• Enables Designer/Developer to Establish
Correspondence Between Object Models• Specify how Object Model is Realized in
Code• Foundation for design conformance
analysis• Guides implementation of object model• Implementation patterns for object
models
Design Conformance Benefits• Higher Confidence in Software
• Promote clean implementation of design
• Guarantee important design properties
• Design becomes useful throughout entire development cycle• Updated as implementation changes• Reliable source of information
• Enables more precise, relevant analysis
Related Work• Pointer Analysis
• Landi, Ryder, Zhang – PLDI93• Emami, Ghiya, Hendren – PLDI94• Wilson, Lam – PLDI96• Rugina, Rinard – PLDI99• Rountev, Ryder – CC01• Salcianu, Rinard – PPoPP01
• Region Analysis• Triolet, Irigoin, Feautrier- PLDI86• Havlak, Kennedy – IEEE TPDS91• Rugina, Rinard – PLDI00
• Pointer Specifications• Hendren, Hummel, Nicolau – PLDI92• Guyer, Lin – LCPC00
Related Work• Shape Analysis
[CWZ90,GH96,FL97,SRW99,MS01]• Extended Type Systems
• FX/87 [GJLS87]• Dependent Types [XF99]
• Program Verification• ESC [DLNS98]• PVS [ORRSS96]
• Implementations of Object Models [HBR00]
Conclusion• Developer and Designer Interact with Analysis• Benefits
• More precise, relevant analysis• Verify key safety and design properties• Enhance utility of design• Enable powerful transformations
• Key Issue:• Determining appropriate abstractions to leverage• Access regions, roles, object models
• Abstractions Share Several Features• Identify important properties of data• Relate properties of data to behavior of
computation