1 / 56

Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware

Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware. Michael Carbin , Sasa Misailovic , and Martin Rinard MIT CSAIL. Image Scaling. Image Scaling Kernel: Bilinear Interpolation. =. Bilinear Interpolation.

orrick
Download Presentation

Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware • Michael Carbin, SasaMisailovic, • and Martin Rinard • MIT CSAIL

  2. Image Scaling

  3. Image Scaling Kernel: Bilinear Interpolation =

  4. Bilinear Interpolation intbilinear_interpolation(inti, int j, intsrc[][], intdest[][]) { inti_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; intval = src[up][left] + src[up][right] + src[down][right] + src[down][left]; return 0.25 * val; }

  5. Bilinear Interpolation intbilinear_interpolation(inti, int j, intsrc[][], intdest[][]) { inti_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; intval = src[up][left] +src[up][right] + src[down][right] +src[down][left]; return 0.25 *val; }

  6. Unreliable Hardware • Unreliable Units (ALUs and Memories) • May produce incorrect results • Faster, smaller, and lower power Memory CPU Registers CU ALU

  7. Image Scaling with Approximate Bilinear Interpolation 20% 40% 99.9% 99% 60% 80% 90% Reliability

  8. Unreliable Hardware • Necessitates • Hardware Specification: probability operations execute correctly • Software Specification: required reliability of computations • Analysis: verify software satisfies its specification on hardware Memory CPU Registers CU ALU

  9. Rely: a Language for Quantitative Reliability Hardware Specification (Architect) Static Analysis (Language) Software Specification (Developer) 20% 40% 99.9% 99% 60% 80% 90% Reliability

  10. Hardware Specification • hardware { • operator (+) = 1 - 10^-7; • operator (-) = 1 - 10^-7; • operator (*) = 1 - 10^-7; • operator (<) = 1 - 10^-7; • memoryurel{rd= 1 - 10^-7, wr= 1}; • }

  11. Approximate Bilinear Interpolation in Rely intbilinear_interpolation(inti, int j, intsrc[][], intdest[][]) { inti_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; intval = src[up][left] +.src[up][right] +. src[down][right] +.src[down][left]; return 0.25 *.val; } Unreliable Operations: executed on unreliable ALUs

  12. Approximate Bilinear Interpolation in Rely intbilinear_interpolation(inti, int j, intin urelsrc[][], intin ureldest[][]) { inti_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; intin urelval= src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; } Unreliable Memories: stored in unreliable SRAM/DRAM

  13. What is reliability?

  14. Semantics of Reliability • Reliable Hardware • One Execution • Unreliable Hardware • Multiple Executions • Reliability • Probability unreliableexecution reachessame state • Or, = probability over distribution of states that x and y (only) have correct values.

  15. Semantics of Reliability • Reliable Hardware • One Execution • Unreliable Hardware • Multiple Executions • Reliability • Probability unreliableexecution reachessame state • Or, = probability over distribution of states that x and y (only) have correct values.

  16. Approximate Bilinear InterpolationReliability Specification int bilinear_interpolation(inti, int j, int in urelsrc[][], int in ureldest[][]);

  17. Approximate Bilinear InterpolationReliability Specification • Reliability of output is a function of reliability of inputs int<.99> bilinear_interpolation(inti, int j, int in urelsrc[][], int in ureldest[][]);

  18. Approximate Bilinear InterpolationReliability Specification • Reliability of output is a function of reliability of inputs • The term R(i, j, src, dest)abstracts the joint reliabilityof the function’s inputs on entry int<.99 * R(i, j, src, dest)> bilinear_interpolation(inti, int j, int in urelsrc[][], int in ureldest[][]);

  19. Approximate Bilinear InterpolationReliability Specification • Reliability of output is a function of reliability of inputs • The term R(i, j, src, dest)abstracts the joint reliabilityof the function’s inputs on entry • Coefficient .99 bounds reliability degradation int<.99 * R(i, j, src, dest)> bilinear_interpolation(inti, int j, int in urelsrc[][], int in ureldest[][]);

  20. How does Rely verify reliability?

  21. Rely’s Analysis Framework • Precondition generator for statements { Precondition } s { Postcondition } Specification Computation

  22. Assignment Rule x’ = e

  23. Assignment Rule x’ = e Unmodified

  24. Assignment Rule x’ = e Standard Substitution

  25. Assignment Rule • is the probability the expression and write execute correctly x’ = e

  26. Verifying the Reliability of Bilinear Interpolation int<.99 * R(i,j,src,dest)> bilinear_interpolation(inti, int j, intin urelsrc[][], int in ureldest[][]) { inti_src = map_y(i, src, dest), j_src = map_x(j, src, dest); int up = i_src - 1, down = i_src + 1, left = j_src – 1, right = j_src + 1; int in urelval = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left]; return 0.25 *. val; }

  27. Verifying the Reliability of Bilinear Interpolation • Generate postcondition from return statement • Work backwards to produce verification condition • Use hardware specification to replace reliabilities return 0.25 *. val; Reliability of return Reliability of sum of neighbors

  28. Verifying the Reliability of Bilinear Interpolation • Generate postcondition from return statement • Work backwards to produce verification condition • Use hardware specification to replace reliabilities • Discharge Verification Condition return 0.25 *. val;

  29. Verification Condition Checking Insight • Computing full joint distributions is intractable and input distribution dependent

  30. Conjunct Checking • A conjunct is implied by a pair of constraints • Decidable, efficiently checkable,and input distribution agnostic

  31. Verification Condition Checking for Approximate Bilinear Interpolation DataDependences Hardware Specification .99

  32. What about…programs? (conditionals, loops, and functions)

  33. Conditionals if (y >. 0) x = x+. 1 x = 2 *. x+. 1

  34. Conditionals = y >. 0 if () x1 = x0+. 1 x2= 2 *. x0+. 1

  35. Conditionals = y >. 0 if () x1 = x0+. 1 x2= 2 *. x0+. 1 x = φ(, x1, x2)

  36. Conditionals = y >. 0 if () x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  37. Conditionals = y >. 0 if () Spec ≤ op(+.) op(*.)  R(, x0) Spec ≤ op(+.) R(, x0) x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  38. Conditionals = y >. 0 if () Spec ≤ op(+.) op(*.)  R(, x0) Spec ≤ op(+.) R(, x0) x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  39. Conditionals Spec ≤ op(+.) op(>.) R(x0, y) Spec ≤ op(+.) op(*.) op(>.) R(x0, y) = y >. 0 if () Spec ≤ op(+.) op(*.)  R(, x0) Spec ≤ op(+.) R(, x0) x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  40. Simplification Spec ≤ op(+.) op(>.)  R(x0, y) Spec ≤ op(+.) op(*.) op(>.) R(x0, y) = y >. 0 if () Spec ≤ op(+.) op(*.)  R(, x0) Spec ≤ op(+.) R(, x0) x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  41. Simplification Spec ≤ op(+.) op(>.)  R(x0, y) Spec ≤ op(+.) op(*.) op(>.) R(x0, y) = y >. 0 if () Spec ≤ op(+.) op(*.)  R(, x0) Spec ≤ op(+.) R(, x0) x1 = x0+. 1 x2= 2 *. x0+. 1 Spec ≤ R(, x1) Spec ≤ R(, x2) x = φ(, x1, x2) Spec ≤ R(x)

  42. Loops • Reliability of loop-carried, unreliably updated variables decreases monotonically • Finitely Bounded Loops: bounded decrease • Unbounded loops: conservative result is 0 intsum= 0; for (inti = 0; i < n; i = i+1) { sum = sum+. a[i]; } R(sum) depends on n unreliableadds

  43. Functions • Verification is modular (assume/guarantee) • Recursion similar to loops: unreliably updated variables naturally have 0 reliability y = f(x); int<> f(x);

  44. Rely: a Language for Quantitative Reliability Hardware Specification (Architect) Static Analysis (Language) Software Specification (Developer) 20% 40% 99.9% 99% 60% 80% 90% Reliability

  45. Evaluation • Experiment #1: verify specifications • How does the analysis behave?

  46. Benchmarks • newton: zero-finding using Newton’s method • secant: zero-finding using Secant Method • coord: Cartesian to polar coordinate converter • search_ref: motion estimation • mat_vec: matrix-vector multiply • hadamard: frequency-domain pixel-block difference metric

  47. Experiment #1: Results Observation: small number of conjuncts with simplification

  48. Evaluation • Experiment #2: application scenarios • How to use reliabilities?

  49. Checkable Computations • A simple checker can validate whether the program produced a correct result • Execution time optimization: vs.

  50. Approximate Computations Target Reliability High Quality Quality Bilinear Interpolation Reliability (as Negative Log Failure Probability)

More Related