## Section: New Results

### Shared-memory parallelism

#### The Linux Kernel Memory Model

Participants : Luc Maranget, Jade Alglave [University College London–Microsoft Research, UK] , Paul Mckenney [IBM Corporation] , Andrea Parri [Sant'Anna School of Advanced Studies, PISA, Italy] , Alan Stern [Harvard University] .

Modern multi-core and multi-processor computers do not follow the intuitive “Sequential Consistency” model that would define a concurrent execution as the interleaving of the executions of its constituent threads and that would command instantaneous writes to the shared memory. This situation is due both to in-core optimizations such as speculative and out-of-order execution of instructions, and to the presence of sophisticated (and cooperating) caching devices between processors and memory. Luc Maranget is taking part in an international research effort to define the semantics of the computers of the multi-core era, and more generally of shared-memory parallel devices or languages, with a clear initial focus on devices.

This year saw progress as regards languages. To wit, a two-year effort to
define a weak memory model for the Linux Kernel has yielded an article in the
*Linux Weekly News* online technical
magazine [31], and a scholarly paper accepted for
publication at the *Architectural Support for Programming Languages and
Operating Systems* (ASPLOS) conference in March 2018.
While targeting different audiences, both articles describe a formal model
that defines how Linux programs are supposed to behave. The model is of course
a cat model, hence is understood by the **herd** simulator
(Section 7.3.3) that allows programmers to experiment and develop an
intuition. The model has been tested against hardware and refined in
consultation with maintainers. Finally, the ASPLOS article formalizes the
*fundamental law of the Read-Copy-Update synchronization mechanism*, and
proves that one of its implementations satisfies this law.

For the record, Luc Maranget also co-authored a paper that has been presented at POPL 2017 [22]. This work, which we described last year, is joint work with many researchers, including S. Flur and other members of P. Sewell's team (University of Cambridge) as well as M. Batty (University of Kent). Moreover, Luc Maranget still interacts with the Cambridge team, mostly by providing tests and performing comparisons between his axiomatic models and the operational models developed by this team.

#### ARMv8 and RISC-V memory models

Participants : Will Deacon [ARM Ltd] , Luc Maranget, Jade Alglave [University College London–Microsoft Research, UK] .

Jade Alglave and Luc Maranget helped Will Deacon, an engineer at ARM Ltd., who
developed a model for the ARMv8 64-bit processor. Will wrote a cat
model, which ARM uses internally as a specification. (cat is the
domain-specific language for describing memory models and is understood by the
**herd** simulator; see Section 7.3.3.) ARM's official documentation
presents a natural language transliteration of the cat model.

Luc Maranget also joined the RISC-V consortium (https://riscv.org/) as an individual and as a member of the memory model group. He takes part in the development of the memory model of this open architecture, mostly by writing cat models and reviewing tests that will be part of the documentation. A cat model will be part of the next version (V2.3) of the User-Level ISA Specification.

#### Improvements to the **diy** tool suite

Participants :
Luc Maranget [
**contact**
] , Jade Alglave [University College London–Microsoft Research, UK] .

The **diy** suite (for “Do It Yourself”) provides a set of tools for
testing shared memory models: the litmus tool for running tests on hardware,
various generators for producing tests from concise specifications, and
**herd**, a memory model simulator. Tests are small programs written in
x86, Power, ARM, generic (LISA) assembler, or a subset of the C language that
can thus be generated from concise specifications, run on hardware, or
simulated on top of memory models. Test results can be handled and compared
using additional tools.

This year's new features are a model for the Linux Kernel developed as a
collaborative effort (see Section 7.3.1) and an ongoing RISC-V model
transliterated by Luc Maranget from the model elaborated by the RISC-V
committee which Luc Maranget joined this year (see Section 7.3.2).
Those new models were made possible due to significant extensions of
**diy**, such as a new tool chain for RISC-V and the extension of the
macro system so as to handle most of the memory-model-related macros used by
Linux kernel developers.

#### Towards formal software verification with respect to weak memory models

Participants : Jean-Marie Madiot, Jade Alglave [University College London & Microsoft Research Cambridge] , Simon Castellan [Imperial College London] .

Past research efforts on weak memory models have provided both academia and
industry with very efficient tools to precisely describe memory models and to
carefully test them on a wide variety of architectures. While these models
give us a good understanding of complex *hardware* behaviors, exploiting
them to formally guarantee the good behavior of *software* remains
practically out of reach.

A difficulty is that weak memory models are described in terms of properties of graphs of execution candidates. Because graphs are far from the usual way of defining programming language semantics, because execution candidates are not defined formally, and because existing proofs of “data-race freedom” (DRF) theorems are hard to fathom and formally imprecise, there is a strong demand in the programming language community for a formal account of weak memory models.

In 2017, Jean-Marie Madiot started a collaboration with weak memory model expert Jade Alglave and concurrent game semantics researcher Simon Castellan to tackle these problems. The idea is to have a formal description, using partial-order techniques similar to the ones used in game semantics, of execution candidates. On the other side, a given model of shared memory is then described in terms of partial orders, and the composition of those partial orders provides the final possible executions of a given program in a given architecture. This should yield a formal semantics for programs in a weak memory setting, and should allow proving a DRF theorem so as to connect this semantics to more standard sequentially consistent semantics. A success in this direction would finally allow tractable verification of concurrent programs, particularly in combination with Madiot's ongoing work on a generalization to concurrency of the CompCert certified compiler (see Section 7.1.5).

#### Granularity control for parallel programs

Participants : Umut Acar, Vitaly Aksenov, Arthur Charguéraud, Adrien Guatto, Mike Rainey, Filip Sieczkowski.

The DeepSea team focused this year on the development of techniques for controlling granularity in parallel programs. Granularity control is an essential problem because creating too many tasks may induce overwhelming overheads, while creating too few tasks may harm the ability to process tasks in parallel. Granularity control turns out to be especially challenging for nested parallel programs, i.e., programs in which parallel constructs such as fork-join or parallel-loops can be arbitrarily nested. Two different approaches were investigated.

The first approach is based on the use of asymptotic complexity functions provided by the programmer, combined with runtime measurements to estimate the constant factors that apply. Combining these two sources of information allows to predict with reasonable accuracy the execution time of tasks. Such predictions may be used to guide the generation of tasks, by sequentializing computations of sufficiently-small size. An analysis is developed, establishing that task creation overheads are indeed bounded to a small fraction of the total runtime. These results builds upon prior work by the same authors [39], extending it with a carefully-designed algorithm for ensuring convergence of the estimation of the constant factors deduced from the measures, even in the face of noise and cache effects, which are taken into account in the analysis. The approach is demonstrated on a range of benchmarks taken from the state-of-the-art PBBS benchmark suite. A paper describing the results is under preparation.

The second approach is based on an instrumentation of the
runtime system. The idea is to process parallel function calls
just like normal function calls, by pushing a frame on the
stack, and only subsequently promoting these frames as threads
that might get scheduled on other cores. The promotion of
frames takes place at regular time intervals,
which is why we named this approach
*heartbeat scheduling*.
Unlike prior approaches such as *lazy scheduling*,
in which promotion is guided by the workload of the system,
heartbeat scheduling can be proved to induce only small
scheduling overheads, and to not asymptotically reduce the amount
of parallelism inherent in the program.
The theory behind the approach is formalized in Coq. It is also
implemented through instrumented C++ programs, and evaluated on
PBBS benchmarks.
A paper describing this approach was submitted
to an international conference.

#### Non-zero indicators: a provably-efficient, concurrent data structure

Participants : Umut Acar, Mike Rainey.

This work, conducted in collaboration with Naama Ben David
from Carnegie Mellon University,
investigates the design and analysis of an implementation
of a concurrent data structure called *non-zero indicator*.
This data structure plays a crucial role in the scheduling
of nested parallel programs: it is used to handle dependency
resolution among parallel tasks.
Concretely, a non-zero indicator is initialized with value 1,
and it supports the following two concurrent operations, which
may be invoked by threads that have knowledge that the counter
is non-zero: (1) atomically increase the counter by one unit,
and (2) atomically decrease the counter by one unit, and detect whether
the counter reaches zero.
While a trivial implementation can be set up using an atomic operation
on a shared memory cell (e.g., fetch-and-add), the key challenge is to
design a non-zero indicator that scales well to hundreds if not
thousands of threads, without suffering from contention.

Prior work leverages dynamic tree data structures to tame contention [42]. Yet, such prior work, as well as most concurrent data structures in general, are analyzed empirically, omitting asymptotic bounds on their efficiency. In this work, we propose a new variant of a tree-based non-zero indicator implementation, for which we are able to present a formal analysis establishing bounds on the worst-case contention of concurrent updates. Our analysis is the first to achieve relevant bounds of this kind. Furthermore, we demonstrate in practice that our proposal improves scalability, compared with a naive fetch-and-add atomic counter, and also compared with the original tree-based data structure. Our work was presented at PPoPP [16].

#### Efficient sequence data structures for ML

Participants : Arthur Charguéraud, Mike Rainey.

The use of sequence containers, including stacks, queues, and double-ended
queues, is ubiquitous in programming. When the maximal number of elements to
be stored is not known in advance, containers need to grow dynamically. For
this purpose, most ML programs rely on either lists or vectors. These data
structures are inefficient, both in terms of time and space usage. In this
work, we investigate the use of data structures based on *chunks*,
adapting ideas from some of our prior work implemented in C++
[38]. Each chunk stores items in a fixed-capacity array. All
chunks are linked together to represent the full sequence. These chunk-based
structures save a lot of memory and generally deliver better performance than
classic container data structures for long sequences. We measured a 2x speedup
compared with vectors, and up to a 3x speedup compared with long lists. This
work was presented at the ML Family Workshop [36].
Generalization of this work to double-ended sequences and to persistent
sequences is under progress.

#### A parallel algorithm for the dynamic trees problem

Participants : Umut Acar, Vitaly Aksenov.

Dynamic algorithms are used to compute a property of some data while the data undergoes changes over time. Many dynamic algorithms have been proposed, but nearly all of them are sequential.

In collaboration with Sam Westrick (Carnegie Mellon University), Umut Acar and Vitaly Aksenov investigated the design of an efficient parallel dynamic tree data structure. This data structure supports four operations, namely insertion and deletion of vertices and edges; these operations can be executed in parallel. The proposed data structure is work-efficient and highly parallel. A preliminary version of this work was presented in a brief announcement at SPAA 2017 [15].

#### A concurrency-optimal binary search tree

Participant : Vitaly Aksenov.

In joint work with Vincent Gramoli (IT School of Information Technologies, Sydney), Petr Kuznetsov (Telecom ParisTech), Anna Malova (Washington University in St Louis), and Srivatsan Ravi (Purdue University), Vitaly Aksenov proposed a concurrency-optimal implementation of binary search trees. Concurrency-optimality means that the data structure allows all interleavings of the underlying sequential implementation, except those that would violate linearizability. Aksenov and co-authors show that none of the state-of-the-art concurrent binary search trees are concurrency-optimal, and they experimentally verify that the new concurrency-optimal binary search tree is competitive with known implementations. This work was presented at Euro-Par 2017 [17].