Slide1
Rely: Verifying Quantitative Reliability for Programs that Execute on Unreliable Hardware
Michael Carbin, Sasa Misailovic, and Martin Rinard
MIT CSAIL
Slide2
Image Scaling
Slide3
Image Scaling Kernel: Bilinear Interpolation
(Figure: the interpolation formula, lost in extraction)
Slide4
Bilinear Interpolation
  int bilinear_interpolation(int i, int j, int src[][], int dest[][]) {
    int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest);
    int up = i_src - 1, down = i_src + 1, left = j_src - 1, right = j_src + 1;
    int val = src[up][left] + src[up][right] + src[down][right] + src[down][left];
    return 0.25 * val;
  }
Slide5
Bilinear Interpolation (same kernel as on Slide4)
Slide6
Unreliable Hardware
Unreliable Units (ALUs and Memories)
May produce incorrect results
Faster, smaller, and lower power
(Figure: CPU with Registers, Memory, CU, and ALU)
Slide7
Image Scaling with Approximate Bilinear Interpolation
(Figure: scaled images at reliability 20%, 40%, 60%, 80%, 90%, 99%, and 99.9%)
Slide8
Unreliable Hardware Necessitates
Hardware Specification: probability operations execute correctly
Software Specification: required reliability of computations
Analysis: verify software satisfies its specification on hardware
(Figure: CPU with Registers, Memory, CU, and ALU)
Slide9
Rely: a Language for Quantitative Reliability
(Figure: image quality at reliability 20%, 40%, 60%, 80%, 90%, 99%, and 99.9%)
Hardware Specification (Architect)
Software Specification (Developer)
Static Analysis (Language)
Slide10
Hardware Specification
  hardware {
    operator (+) = 1 - 10^-7;
    operator (-) = 1 - 10^-7;
    operator (*) = 1 - 10^-7;
    operator (<) = 1 - 10^-7;
    memory urel {rd = 1 - 10^-7, wr = 1};
  }
Slide11
Approximate Bilinear Interpolation in Rely
  int bilinear_interpolation(int i, int j, int src[][], int dest[][]) {
    int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest);
    int up = i_src - 1, down = i_src + 1, left = j_src - 1, right = j_src + 1;
    int val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left];
    return 0.25 *. val;
  }
Unreliable Operations (+. and *.): executed on unreliable ALUs
Slide12
Approximate Bilinear Interpolation in Rely
  int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) {
    int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest);
    int up = i_src - 1, down = i_src + 1, left = j_src - 1, right = j_src + 1;
    int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left];
    return 0.25 *. val;
  }
Unreliable Memories (in urel): stored in unreliable SRAM/DRAM
Slide13
What is reliability?
Slide14
Semantics of Reliability
Reliable Hardware: one execution
Unreliable Hardware: multiple executions
Reliability: probability an unreliable execution reaches the same state
Or, equivalently: the probability over the distribution of states that x and y (only) have correct values.
Slide15
Semantics of Reliability (same content as Slide14)
Slide16
Approximate Bilinear Interpolation: Reliability Specification
  int bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
Slide17
Approximate Bilinear Interpolation: Reliability Specification
Reliability of output is a function of reliability of inputs
  int<.99> bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
Slide18
Approximate Bilinear Interpolation: Reliability Specification
Reliability of output is a function of reliability of inputs
The term R(i, j, src, dest) abstracts the joint reliability of the function's inputs on entry
  int<.99 * R(i, j, src, dest)> bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
Slide19
Approximate Bilinear Interpolation: Reliability Specification
Reliability of output is a function of reliability of inputs
The term R(i, j, src, dest) abstracts the joint reliability of the function's inputs on entry
Coefficient .99 bounds reliability degradation
  int<.99 * R(i, j, src, dest)> bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]);
Slide20
How does Rely verify reliability?
Slide21
Rely's Analysis Framework
Precondition generator for statements
  {Precondition} s {Postcondition}
(Figure labels: Specification, Computation)
Slide22
Assignment Rule
  x' = e
(Figure: the rule, lost in extraction)
Slide23
Assignment Rule
  x' = e
Unmodified
Slide24
Assignment Rule
  x' = e
Standard Substitution
Slide25
Assignment Rule
  x' = e
(The coefficient in the rule, lost in extraction) is the probability the expression and write execute correctly
Slide26
Verifying the Reliability of Bilinear Interpolation
  int<.99 * R(i, j, src, dest)> bilinear_interpolation(int i, int j, int in urel src[][], int in urel dest[][]) {
    int i_src = map_y(i, src, dest), j_src = map_x(j, src, dest);
    int up = i_src - 1, down = i_src + 1, left = j_src - 1, right = j_src + 1;
    int in urel val = src[up][left] +. src[up][right] +. src[down][right] +. src[down][left];
    return 0.25 *. val;
  }
Slide27
Verifying the Reliability of Bilinear Interpolation
Generate postcondition from return statement
Work backwards to produce verification condition
Use hardware specification to replace reliabilities
  return 0.25 *. val;
(Figure labels: Reliability of return; Reliability of sum of neighbors)
Slide28
Verifying the Reliability of Bilinear Interpolation
Generate postcondition from return statement
Work backwards to produce verification condition
Use hardware specification to replace reliabilities
Discharge verification condition
  return 0.25 *. val;
Slide29
Verification Condition Checking Insight
Computing full joint distributions is intractable and input distribution dependent
Slide30
Conjunct Checking
A conjunct is implied by a pair of constraints
Decidable, efficiently checkable, and input distribution agnostic
Slide31
Verification Condition Checking for Approximate Bilinear Interpolation
(Figure labels: .99; Hardware Specification; Data Dependences)
Slide32
What about programs? (conditionals, loops, and functions)
Slide33
Conditionals
  if (y >. 0)
    x = x +. 1
  else
    x = 2 *. x +. 1
Slide34
Conditionals
(The program in SSA form; the name of the condition's temporary is lost in extraction and is written [cond] below.)
  [cond] = y >. 0
  if ([cond])
    x1 = x0 +. 1
  else
    x2 = 2 *. x0 +. 1
Slide35
Conditionals
  [cond] = y >. 0
  if ([cond])
    x1 = x0 +. 1
  else
    x2 = 2 *. x0 +. 1
  x = φ([cond], x1, x2)
Slide36
Conditionals (same program)
  Spec ≤ R(x)
  Spec ≤ R([cond], x1)
  Spec ≤ R([cond], x2)
Slide37
Conditionals (same program)
  Spec ≤ R(x)
  Spec ≤ R([cond], x1)
  Spec ≤ op(+.) R([cond], x0)
  Spec ≤ R([cond], x2)
  Spec ≤ op(+.) op(*.) R([cond], x0)
Slide38
Conditionals (same program; the conjuncts of Slide37, regrouped)
  Spec ≤ R(x)
  Spec ≤ R([cond], x1)
  Spec ≤ R([cond], x2)
  Spec ≤ op(+.) R([cond], x0)
  Spec ≤ op(+.) op(*.) R([cond], x0)
Slide39
Conditionals (same program)
  Spec ≤ R(x)
  Spec ≤ R([cond], x1)
  Spec ≤ R([cond], x2)
  Spec ≤ op(+.) R([cond], x0)
  Spec ≤ op(+.) op(*.) R([cond], x0)
  Spec ≤ op(+.) op(>.) R(x0, y)
  Spec ≤ op(+.) op(*.) op(>.) R(x0, y)
Slide40
Simplification (same program and conjuncts as Slide39)
  Spec ≤ op(+.) op(>.) R(x0, y)
  Spec ≤ op(+.) op(*.) op(>.) R(x0, y)
Slide41
Simplification (same program and conjuncts as Slide39)
  Spec ≤ op(+.) op(>.) R(x0, y)
  Spec ≤ op(+.) op(*.) op(>.) R(x0, y)
Slide42
Loops
Reliability of loop-carried, unreliably updated variables decreases monotonically
Finitely bounded loops: bounded decrease
Unbounded loops: conservative result is 0
  int sum = 0;
  for (int i = 0; i < n; i = i + 1) {
    sum = sum +. a[i];
  }
R(sum) depends on n unreliable adds
Slide43
Functions
Verification is modular (assume/guarantee)
Recursion similar to loops: unreliably updated variables naturally have 0 reliability
  int<[spec]> f(x);
  y = f(x);
Slide44
Rely: a Language for Quantitative Reliability (same overview as Slide9)
Slide45
Evaluation
Experiment #1: verify specifications
How does the analysis behave?
Slide46
Benchmarks
newton: zero-finding using Newton's method
secant: zero-finding using the Secant Method
coord: Cartesian to polar coordinate converter
search_ref: motion estimation
mat_vec: matrix-vector multiply
hadamard: frequency-domain pixel-block difference metric
Slide47
Experiment #1: Results
Observation: small number of conjuncts with simplification
  Benchmark   LOC  Time (ms)  Conjuncts w/o simplification  Conjuncts with simplification
  newton       21        8        82                              1
  secant       307163562 (LOC, time and w/o-simplification digits run together in extraction)   2
  coord        361920 (LOC, time and w/o-simplification digits run together in extraction)      1
  search_ref   37      348     36205                              3
  matvec       32      110      1061                              4
  hadamard     87       18         3                              3
Slide48
Evaluation
Experiment #2: application scenarios
How to use reliabilities?
Slide49
Checkable Computations
A simple checker can validate whether the program produced a correct result
Execution time optimization: [formula] vs. [formula] (the two expressions are lost in extraction)
Slide50
Approximate Computations
(Figure: Quality vs. Bilinear Interpolation Reliability (as Negative Log Failure Probability); labels: High Quality, Target Reliability)
Slide51
Other Concerns for Unreliable Hardware
Safety: does the program always produce a result? No failures or ill-defined behaviors [Misailovic et al. ICSE '10; Carbin et al. ISSTA '10; Sidiroglou et al. FSE '11; Carbin et al. PLDI '12; Carbin et al. PEPM '13]
Accuracy: is the result accurate enough? Small expected error [Rinard ICS '06; Misailovic et al. ICSE '10; Hoffmann et al. ASPLOS '11; Misailovic et al. SAS '11; Sidiroglou et al. FSE '11; Zhu et al. POPL '12; Misailovic et al. RACES '12]
Slide52
Takeaway
Separating approximate computation isn't enough
Acceptability of results depends on reliability
Rely
Architect provides hardware specification
Developer provides software specification
Rely provides verified reliability guarantee
Slide53
Backup Slides
Slide54
Semantic Model
Execution of e is a stochastic process
Independent probability of failure for each operation
Reliability is probability of fully reliable path
Slide55
Semantic Formalization
Probabilistic transition system
Set of possible executions on unreliable hardware gives distributions of states
Predicates defined over distributions
See paper for inference rules!
Slide56
Identifying Reliably Updated Variables
Reliably updated vs. unreliably updated variables
Dependence graph gives classification
Reliably updated variables have same reliability
  int sum = 0;
  for (int i = 0; i < n; i = i + 1) {
    sum = sum +. a[i];
  }
(Figure: dependence graph over i, sum, a, and n)