Upload File

separating functional and parallel correctness...

  • Home
  • Documents
  • Separating Functional and Parallel Correctness (poster)parlab.eecs.berkeley.edu/sites/all/parlab/files/2010-summer-burnim-necula-sen-poster.pdfNot a complete spec of parallel correctness.#
1
SPECIFYING DETERMINISM Previous work: Deterministic specifications. [Burnim and Sen, FSE 2009] Idea: Parallel correctness means every thread schedule gives semantically equivalent results. Internal nondeterminism, but deterministic output. Assert that parallel code yields semantically equivalent outputs for equivalent inputs. Lightweight spec of parallel correctness. Independent of complex functional correctness. Great for testing (with, e.g., active testing). Can automatically infer likely specifications [Burnim and Sen, ICSE 2010]. Not a complete spec of parallel correctness. Specification ignores tree t in Figure 1. For complex programs, determinism proof attempts get entangled in details of sequential correctness. Separating Parallel and Functional Correctness Jacob Burnim, George Necula, Koushik Sen OVERVIEW Verifying parallel programs is very challenging. Painful to reason simultaneously about correctness of parallelism and about functional correctness. Functional correctness often largely sequential. Goal: Decompose effort of verifying parallelism and verifying functional correctness. Prove parallel correctness simply – not entangled in complex sequential functional correctness. Verify functional correctness in a sequential way. Question: What is parallel correctness? OUR APPROACH For a parallel program, use a sequential but nondeterministic version as a specification. User annotates intended algorithmic nondeterminism We interpret parallel constructs as nondeterministic and sequential. Parallelism is correct if it adds no unintended nondeterminism. I.e., if parallel and nondeterministic sequential versions of the program are equivalent. FUTURE WORK Formal proof rules for parallel and nondeterministic sequential equivalence. Automated proofs of parallel correctness. Combine with verification tools for sequential programs with nondeterminism. Model checking with predicate abstraction (CEGAR). Can verify functional correctness on sequential code! Apply above to real parallel benchmarks. Applications to debugging? Allow programmer to sequentially debug a parallel execution by mapping a parallel trace to a nondeterministic sequential one. PROVING PARALLEL CORRECTNESS Goal: Prove each execution of a parallel program is equivalent to a nondeterministic sequential (ndseq) execution. Added nondeterminism allows prune?(a) to be moved past update(b) without changing the programʼs behavior. parallel-for (w in queue): if (lower_bnd(w) >= best): continue if (size(w) < T): (soln, cost) = find_min(w) atomic: if cost < best: best = cost best_soln = soln else: queue.addAll(split(w)) Figure 2. Generic parallel branch-and-bound search. nondet-for (w in queue): if (lower_bnd(w) >= best && *): continue if (size(w) < T): (soln, cost) = find_min(w) atomic: if cost < best: best = cost best_soln = soln else: queue.addAll(split(w)) Figure 3. Nondeterministic but sequential branch-and-bound. deterministic assume (data == data’) { // Parallel branch-and-bound Tree t = min_phylo_tree(N, data); } assert (t.cost == t’.cost()); Figure 1. Deterministic spec for parallel breanch-and- bound search to find minimum-cost phyogenetic trees. Different runs may return different optimal trees. PROOF BY REDUCTION Reduction: Method for proving atomicity. [Lipton, CACM 1974] Program operations classified as right-movers and left-movers if they commute to the right/left with all operations that can run in parallel with them. Code block is atomic if a sequence of right-movers, one non-mover, and a sequence of left-movers. Implies all parallel runs equivalent to ones where atomic code block is run serially. Idea: Statically prove that operations are right- and left-movers using SMT solving. Encode: Are all behaviors of op 1 ; op 2 also behaviors of op 2 ; op 1 ? Like [Elmas, Qadeer, and Tasiran, POPL 2009]. dequeue(a) dequeue(b) prune?(a) prune?(b) update(a) update(b) dequeue(a) prune?(a) update(a) update(b) prune?(b) dequeue(b) Parallel execution trace: Ndseq execution trace: parallel-for (…): op 1 op k-1 op k op k+1 op n right movers le. movers nondet-for (…): op 1 op n equivalent

Upload: others

Post on 05-Mar-2020

19 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Separating Functional and Parallel Correctness (poster)parlab.eecs.berkeley.edu/sites/all/parlab/files/2010-summer-burnim-necula-sen-poster.pdfNot a complete spec of parallel correctness.#

SPECIFYING DETERMINISM!  Previous work: Deterministic specifications.

[Burnim and Sen, FSE 2009]#  Idea: Parallel correctness means every thread

schedule gives semantically equivalent results.#  Internal nondeterminism, but deterministic output.#  Assert that parallel code yields semantically

equivalent outputs for equivalent inputs.#

  Lightweight spec of parallel correctness.#  Independent of complex functional correctness.#  Great for testing (with, e.g., active testing).#  Can automatically infer likely specifications

[Burnim and Sen, ICSE 2010].#

  Not a complete spec of parallel correctness.#  Specification ignores tree t in Figure 1.#  For complex programs, determinism proof attempts

get entangled in details of sequential correctness.#

Separating Parallel and Functional Correctness Jacob Burnim, George Necula, Koushik Sen

OVERVIEW!  Verifying parallel programs is very challenging.#

  Painful to reason simultaneously about correctness of parallelism and about functional correctness.#

  Functional correctness often largely sequential.#

  Goal: Decompose effort of verifying parallelism and verifying functional correctness.!  Prove parallel correctness simply – not entangled

in complex sequential functional correctness.#  Verify functional correctness in a sequential way.#

  Question: What is parallel correctness?!

OUR APPROACH!  For a parallel program, use a sequential but

nondeterministic version as a specification.#  User annotates intended algorithmic nondeterminism#  We interpret parallel constructs as nondeterministic

and sequential.#

  Parallelism is correct if it adds no unintended nondeterminism.#  I.e., if parallel and nondeterministic sequential

versions of the program are equivalent.#

FUTURE WORK!  Formal proof rules for parallel and

nondeterministic sequential equivalence.#

  Automated proofs of parallel correctness.#

  Combine with verification tools for sequential programs with nondeterminism.#  Model checking with predicate abstraction (CEGAR).#  Can verify functional correctness on sequential code!#

  Apply above to real parallel benchmarks.#

  Applications to debugging?#  Allow programmer to sequentially debug a parallel

execution by mapping a parallel trace to a nondeterministic sequential one.#

PROVINGPARALLEL CORRECTNESS!

  Goal: Prove each execution of a parallel program is equivalent to a nondeterministic sequential (ndseq) execution.#

  Added nondeterminism allows prune?(a) to be moved past update(b) without changing the programʼs behavior.!

parallel-for (w in queue): if (lower_bnd(w) >= best): continue if (size(w) < T): (soln, cost) = find_min(w) atomic: if cost < best: best = cost best_soln = soln else: queue.addAll(split(w))

Figure 2. Generic parallel branch-and-bound search.!

nondet-for (w in queue): if (lower_bnd(w) >= best && *): continue if (size(w) < T): (soln, cost) = find_min(w) atomic: if cost < best: best = cost best_soln = soln else: queue.addAll(split(w))

Figure 3. Nondeterministic but# sequential branch-and-bound.

deterministic assume (data == data’) {! // Parallel branch-and-bound! Tree t = min_phylo_tree(N, data);!} assert (t.cost == t’.cost());!

Figure 1. Deterministic spec for parallel breanch-and-bound search to find minimum-cost phyogenetic trees. Different runs may return different optimal trees.!

PROOF BY REDUCTION!  Reduction: Method for proving atomicity.

[Lipton, CACM 1974]!  Program operations classified as right-movers and

left-movers if they commute to the right/left with all operations that can run in parallel with them.#

  Code block is atomic if a sequence of right-movers, one non-mover, and a sequence of left-movers.#

  Implies all parallel runs equivalent to ones where atomic code block is run serially.#

  Idea: Statically prove that operations are right- and left-movers using SMT solving.#  Encode: Are all behaviors of op1 ; op2 also

behaviors of op2 ; op1 ?#  Like [Elmas, Qadeer, and Tasiran, POPL 2009].#

dequeue(a)# dequeue(b)# prune?(a)# prune?(b)# update(a)#update(b)#

dequeue(a)# prune?(a)# update(a)#update(b)#prune?(b)#dequeue(b)#

Parallel execution trace:#

Ndseq execution trace:#

parallel-for (…): op1 … opk-1 opk opk+1 … opn

right-­‐  movers  

le.-­‐  movers  

nondet-for (…): op1 … opn

equivalent!

Program Correctness & Efficiency

What About Correctness?

Lightweight Specifications for Parallel Correctness€¦ · and the correctness of parallel interleavings poses a great challenge both for programmers writing, understanding, and

Supercompiler HOSC: proof of correctness · Ilya G. Klyuchnikov. Supercompiler HOSC: proof of correctness The paper presents the proof of correctness of an experimental supercompiler

Proof of Quicksort Correctness

Correctness and Appropriateness In

(Optimal) Program Analysis of Sequential and Parallel Programs · Markus Müller-Olm, WWU Münster VTSA 2010, Luxembourg, September 6-10, 2010 17 Data-Flow Frameworks Correctness

Parallel Hardware Applications Parallel Users · Breaking through disciplinary boundaries 3. Developing Parallel Software with Productivity, Efficiency, and Correctness 2 Layers +

Is Political Correctness Correct?

CERTIFICATE OF CORRECTNESS

Parallel Programming Concepts - Lehighalp514/hpc2017/parprog.pdfWriting a parallel program step by step 1.Start from serial programs as a baseline –Something to check correctness

The Notion of Correctness

Proof of Correctness

Correctness Proofs

Chapter 2 correctness

Correctness of Speculative Optimizations with Dynamic ...aviral.io/publications/correctness-of-speculative-optimizations-with... · 49 Correctness of Speculative Optimizations with

Parallel Hardware Applications Parallel Users · 2019-02-25 · Breaking through disciplinary boundaries 3. Developing Parallel Software with Productivity, Efficiency, and Correctness

Interfaces for Runtime Correctness Checking of Parallel Programs · 2020. 8. 11. · Generic Tool Interface for Runtime Correctness Checking Joachim Protze 3 Synchronization in OpenMP

Proving Total Correctness of Parallel Programs - computer.org · IEEETRANSACTIONSONSOFTWAREENGINEERING,VOL.SE-5, NO.6, NOVEMBER 1979 REFERENCES [1] G.V.Bochmann,"Multiple exits fromaloopwithouttheGOTO,"

Correctness through simplicity

Striving for correctness*

Media and political correctness

Correctness of parallel programs

Teaching Software Correctness

Simplicity, elegance, correctness

1 Model Definition Data Items Elementary Operations Transaction Concept Schedule Concept Correctness Concept Correctness Algorithms

Improving Correctness with Types

The Limits of Correctness

Ensuring Correctness

Software Correctness Proofs

Parallelism and Concurrency...functional languages (Haskell, F#, ...) do. Fortunately, when thinking about program correctness, it doesn’t matter that OCaml is not parallel -- I

Order (Correctness) Quality Initiative

Criteria of Correctness

Recursive Algorithms & Program Correctness 1.Algorithm. 2.Recursive Algorithms 3.Algorithm Correctness-Program

Recursion: Introduction and Correctness