Aquinas Hobor and Cristian Gherghina(National University of Singapore) 

BarriersBarriers:

Mechanism for synchronizing multiple parties at specific synchronization points

2

A B C

time

BarriersWhy barriers?

We looked at PARSEC Leading benchmark for shared memory systems Provides representative sample of parallel

programs workloads

Out of 13 PARSEC applications 5 (38%) use barriers

Fields like: financial analysis, computer vision, engineering, animation, data mining

3

BarriersWhy barriers?

not easy to reduce to other synchronization mechanisms like locks or channels

have an interesting property : They are a multiparty stateful synchronization mechanism

4

Barriers in Concurrent Separation Logic(CSL)Aims:

Extend CSL with rules for modularly reasoning about barriers

Define the necessary side conditions

Proof the soundness of the barrier rules (mechanically verify the proof in Coq)

5

OverviewExample of barrier use: Video compression

algorithm

Notation description

Key observations, translation to side conditions

Hoare Rules and side conditions

Comments about the soundness proof6

Example of Barrier UsageParallel video encoding:

Divide the frame into n parts, one per threadEach frame depends on the previousMore so, each part of a frame does depend on

the entire previous frame (e.g.. Moving objects)

Sounds like a good place for a barrier!

7

Ridiculously simplified…• We have two threads, and four shared data

memory cells, divided into pairs (x1, x2) and (y1, y2)

• Each thread computes one cell of the “current” pair using both cells from the “previous” pair

• They synchronize with barrier b

• Memory cell i, the frame count is also shared

8

9

Synchronize

Write new frame Y

Read old frame X

Synchronize

Synchronize

Read frame Y

Write new XCounter ++

Code example

10

Code exampleState 0

State 2

State 3

State 1

State 0

State 1

State 2

State 3

11

Barrier state machineState 0 0

State 11

State 2

2

State 33

Call @ 1

Call @ 16

Call @ 7

Call @ 13

ObservationsBarrier use is inherently statefull

For each thread, each state is characterized by reads from specific cells and writes to specific cells

From state to state and from thread to thread these permission requirements change

The transitions do not always mirror the control flow graph

State changes and permission reshuffling are tightly linked to the barrier calls

12

Prerequisites ( extensions to Separation Logic)

“maps-to” assertions : e1 e2

mean the current thread owns the memory location pointed to by e1 with ¼ permission and that location currently contains e2.

π can be either: Full, ¥ (reading and writing allowed) Empty, ¤ (nothing allowed) Or partial, i.e., ¤ < ¼ < ¥ (read only)

the symbols and indicate two distinct partial shares

With: © = ¥13

¼

x1 i

Explaining a notation

14

PRECONDITIONS

POSTCONDITIONS

barrier (b, ¼, n)

The “is-a-barrier” assertion:

Means the current thread owns the (nonempty) share ¼ of the barrier b, currently in state n

15

Prerequisites ( extensions to Separation Logic)

x1 i b-state

Explaining a notation

16

Barriers in CSLProblem:

Encoding the reshuffling of permissions and the staging associated with barrier calls

Solution:State diagram with labeled transitions

Labels consist of pairs of pre/post conditions

17

18

Key Restrictions on Barrier Definitions

1. A barrier reshuffles It does not create resources Translated: For a given transition, the total

preconditions and postconditions must be equal modulo the barrier state change

19

x1 i b-state

Key Restrictions on Barrier Definitions

1. Threads always agree on the barrier stateDirections must be mutually exclusive:

one thread cannot go left while the other goes right

20

Hoare RulesThere are other technical restrictions on

barrier definitions but they are less interesting

Instead, we will present our Hoare rules

Actually, almost all of our rules are standardSkip, If, Sequence, While , Assign,

Consequence, Frame, Store, Load, New, Free

21

Barrier Rule

Lookup_move finds a pre/postcondition in the barrier state diagram

Actually, this rule is so simple that it seems false:

cs, ns, and ln seem free in the premises!

22

ns ln

Barrier Rule

This is not true: cs and ns are uniquely determined (the barrier is in some state, and recall mutual exclusion)

ln is not determined, but if more than one is possible, then the barrier will never end!

23

ns ln

24

25

The barrier call from line 13

26

bn {Q}

Γ(bn) = b

27

The barrier call from line 13

28

29

The barrier call from line 13

30

31

P

Q

The barrier call from line 13

32

SoundnessGiven:

a concurrent machineAn operational semantics defined for that

machineA Hoare rule is sound if:

Whenever a Hoare triple {P}c{Q} holds and Q is enough to ensure safety after c then all states satisfying P are safe

A state is safe if in none of the successor states, the machine blocks

33

Coq development

34

3,352

16,598

Take awayCommon barrier usage makes them an

implicitly statefull multiparty synchronization mechanism

We have introduced an amazingly simple Hoare rule for dealing with barrier calls

We have proven sound the Hoare rules

35