Transcript ppt

Dynamic Verification of
Sequential Consistency
Albert Meixner and Daniel J. Sorin
Presented by Peter Gilbert
ECE259 Spring 2008
Introduction
• Problem: How to detect errors in
multithreaded memory systems?
– Transient physical faults increasingly
problematic as memory systems become
more complex
– Errors possible in many components: caches,
memories, cache/memory controllers,
interconnect
Potential approach
• Tailored detection mechanisms for each
component and each type of error
– Example: for “single-bit-stuck-at-x” model for system
bus, add a parity bit
– Problems:
•
•
•
•
Lots of components…
Requires understanding error models and how they interact
Cannot detect design bugs
Some errors difficult to detect with localized mechanisms
Dynamic verification
• Monitor system execution
• Verify high-level invariants rather than
considering individual components
• Can detect transient faults, design bugs,
fabrication defects
– Any error that affects the high-level invariants
• End-to-end correctness
DVSC
• Verifying memory consistency == verifying
memory system correctness
• Goal of DVSC: verify that SC is enforced
in a shared memory multiprocessor
– SC defines end-to-end correctness
DVSC error model
• Caches and memories
– Bit corruption
• Cache/memory controllers
– Corruption of state or outputs
• Interconnect
– Messages corrupted, dropped, replicated,
misrouted, reordered
First idea: DVSC-Direct
• Dynamically construct total order of loads
and stores
• Verify that total order satisfies SC
• Trigger system recovery when error is
detected
DVSC-Direct Design
• For every load and store:
– Processor informs block’s home memory node
• Inform message:
– <address, load/store, data value, logical time>
• Logical time: if A causes B, A has smaller logical time
• Replay accesses in logical time order at home
node
– Uses priority queue for Informs and shadow copies of
memory blocks
– Verify that load gets value from most recent store
Cost of DVSC-Direct
• Inform bandwidth proportional to the
number of loads and stores
– 8-53 times more bandwidth than unprotected
system
– Uses bandwidth like a system without caches!
Alternative: DVSC-Indirect
• Verify sub-invariants proven to be
equivalent to SC
– Proof due to Plakal et al.
• Terminology
– coherence epoch - interval of logical time
during which a processor has Shared or
Exclusive access to a block
– A memory access is bound to a coherence
transaction T if permission is obtained via T
Constructing SC from sub-invariants
•
Fact 1: load of block B bound to T receives
either:
–
–
•
Most recent store of B bound to T
Value of B received in response to T
Lemmas
1. Exclusive epochs for block B do not overlap with
other Exclusive or Shared epochs for B
2. Every load or store occurs in some epoch and is
bound to the transaction that epoch
3. Each word w of B received at the start of an epoch
equals the most recent store to w
DVSC-Indirect approach
• DIVA to verify that memory operations
occur in program order (Fact 1)
– Recall from Architecture I: DIVA dynamically
verifies a speculative core
– DIVA presents in-order abstraction to memory
system
• ECC added to each cache and memory
line to detect silent corruptions
• Hardware for verifying epoch invariants
Cache controller
• Cache controller maintains Cache Epoch Table
– CET entry (per-block):
S/E DRB
1 bit 1 bit
Logical time at start
16 bits
Hash of data block at
start of epoch
16 bits
S/E - type of epoch: shared or exclusive
DRB - data ready bit
– Check that every load and store is performed in
appropriate epoch (Lemma 2)
– When epoch ends, send info to home memory
controller in Inform-Epoch message (CET + end time
and end data hash)
Memory controller
• Memory controller maintains directory-like
Memory Epoch Table
– MET entry (per-block):
Latest end time
of any S epoch
Latest end time
of any E epoch
Hash of data block
from latest E epoch
16 bits
16 bits
16 bits
– When Inform-Epoch is received from cache
controller:
• Sort in priority queue (VWB)
• Process in logical time order, checking:
– This epoch does not overlap with other epochs
– Correct block data is transferred from epoch to epoch
DVSC-Indirect implementation
CPU
DIVA
CPU
DIVA
CPU
DIVA
Cache
CET
Cache
CET
Cache
CET
Interconnect
VWB
Memory
Verifier
MET
VWB
Memory
Verifier
MET
VWB
Memory
Verifier
MET
DVSC-Indirect snooping example
DVSC-Indirect summary
• Verifies SC through sub-invariants
• Costs:
– DIVA
– Storage structures
• CET at each cache controller, MET and VWB at each
memory controller, ECC on cache and memory lines
• Not large or complicated
• Bandwidth usage
– Proportional to coherence traffic (as opposed to
number of loads and stores for DVSC-Direct)
Evaluation
• Can DVSC detect the errors from the error
model?
– Corrupted, dropped, misrouted, reordered,
duplicated messages
– Corrupted cache and memory blocks
– Don’t consider errors in processor core
• DIVA handles this
• How much does DVSC increase
bandwidth usage?
• How does it affect error-free performance?
Methodology
• Full-system simulation with Simics
– 8-node multiprocessor
• Each processor implements SC, speculates for higher performance
• Two levels of cache
• Support for backward error recovery with SafetyNet at each node
– DVSC-Indirect costs
• Each CET 68 KB
• Each MET 102 KB
• VWB: 1024 entries
– SPARC V9 running Solaris 8
– Interconnect: 2.5 GB/s links
• Benchmarks
– Four commercial workloads + barnes-hut from SPLASH-2
Error coverage
• DVSC-Direct and DVSC-Indirect detected
all injected errors in simulation
• Small probability of false negatives in
DVSC-Indirect
– ECC fails to detect a bit error
– hash collisions
• False positives also possible in DVSCIndirect
– When VWB not large enough to prevent outof-order processing of Inform-Epochs
Bottleneck link bandwidth
Bandwidth on most-utilized link - directory
• DVSC-Direct: uses 8-53 times more bandwidth
• DVSC-Indirect directory: 8-25% increase
• DVSC-Indirect snooping: 0-15% increase
DVSC-Indirect error-free performance
Runtime with DVSC-Indirect compared to unprotected system - directory
•
•
Performance impact minimal: usually equivalent to that of SafetyNet by itself
Similar results for snooping
Conclusions
• DVSC-Indirect is effective at detecting all
memory system errors injected in the
simulations
– False negatives and false positives will occur with
small probability
• DVSC-Indirect imposes small error-free
performance overhead
• Bottleneck bandwidth usage with DVSC-Indirect
is only 8-25% greater than unprotected case
• Is the hardware cost justified?
– Probably depends on the application reliability
requirements