Task-Aware Optimization of Dynamic Fractional Permissions

Boyland’s original work on fractional permissions introduced a mechanism to statically reason about the correct use of shared memory in concurrent programs. Permissions are linear capabilities that can be passed from one task to another. By splitting a permission into fractions, a task can grant multiple other tasks concurrent read access. Because writing data requires the full permission– and by definition at most one task can have the full permission–, fractional permissions prevent read/write conflicts. This paper presents an optimizing compiler for a dynamic variant of fractional permissions where memory accesses are checked at runtime. In this system, every object is associated with a list of tasks that have read and/or write permission for the object. Tasks can grant read permission to subtasks by splitting their own permission into fractions and later collect those fractions back to re-gain the original permission. To reduce the time and space overhead associated with permission checks, the compiler uses task-ordering information to minimize the places where permission checks must be inserted. For three of the five benchmarks we have investigated, the fully optimized version is within 10% of the original version without fractional permissions. The average performance overhead over all benchmarks is 48% which can be attributed to the poor performance of one particular benchmark. (For the other benchmarks, the average overhead is 15%.) With the rise of multithreaded programming, the number of programming errors related to concurrency is constantly growing [1]. One prevalent type of bugs found in concurrent systems are data races. A data race occurs when two concurrent accesses to the same memory location are not ordered by happens-before relations and at least one of the accesses is a write. In practice, there are three general approaches to design data-race free programs: Language-enforced data-race freedom: Some languages guarantee data-race freedom through their type systems [2, 3]. From a high-level, the programmer provides program and type annotations that describe how data is shared and accessed by concurrent tasks. The languages’ type systems use the annotations to prove that accesses to shared memory are ordered or the type checks fail otherwise. In recent years, much research also went into transactional memory [4–6]. Transactional memory allows programmers to specify code regions that should be atomic; an accompanying runtime system implemented in hardand/or software protects the accessed memory from concurrent accesses thus preventing data races. Static verification and model checking: Static verification and model checking of concurrent programs are approaches that—conceptually—exhaustively explore the whole state space of the program to rule out potential data races [7, 8]. The major challenge of model checking techniques is the state space explosion: the number of states increases exponentially with the number of possible task interleavings. Numerous approaches exist for reducing the state space that must be effectively explored for guaranteeing data-race freedom. Dynamic detection and testing: Systems for dynamic data-race detection aim at finding data-races when they happen during program execution or testing. This can be done online, that is, during program execution, or offline, by analyzing a pre-recorded program trace. Dynamic detection cannot generally guarantee the absence of data-races for all possible executions; rather, it focusses on data-races in the observed execution traces. Dynamic data-race detection systems further fall into two general categories: Precise and imprecise systems [9]. While precise race detectors never report false positives, they can impose a significant runtime overhead due to the additional bookkeeping they require. Imprecise race detectors increase the performance by giving up precision but—as a result—may report false alarms on data-race free programs. This paper introduces a dynamic variant of fractional permissions [3] in which the programmer explicitly manages task-access permissions for objects. In this system, each object is associated with an access control list (ACL) that contains all the tasks that are allowed to access the object. A task is allowed to write an object if it is the only task in the object’s ACL and therefore has full permission. In order for a task to read the object, however, it is enough if the task is one of several tasks in the object’s ACL. Each task in an object’s ACL conceptually owns a fraction of the full access permission corresponding to the total number of tasks in the ACL. The system can detect data-races by checking the current task’s access permissions on every read and write operation. By imposing restrictions on when and how tasks are allowed to modify an object’s ACL, the system further forces the programmer to follow a structured accessright management regime and prevents privilege escalation where a task A with low privileges tries to grant higher access privileges to another task B . There are two factors that result in a relatively large overhead for a direct implementation of the dynamic fractional permissions system. First, the memory for storing the ACLs for each object have a negative impact on the memory footprint, memory allocation, cache behavior, and garbage collection. And second, checking whether a task has the correct access rights slows down every single field-read and -write operation. Because of the imposed runtime overhead, without optimizations dynamic fractional permissions are impractical for real-world applications. We present an optimizing compiler that significantly reduces the runtime overhead by only allocating ACLs for objects that may be shared between concurrent tasks as well as removing access checks on read and write operations that are not conflicting with concurrent accesses. The compiler uses a schedule analysis[10, 11] to gather information about possible execution orderings of the program tasks. Section 1 describes the dynamic fractional permission system and its implementation. The example presented in Section 2 illustrates how dynamic fractional permissions can be used to dynamically enforce a data access policy in a MapReduce(). The compiler optimizations are presented in Section 3 and evaluated in Section 4 before concluding in Section 6. 1 Dynamic Fractional Permissions This section describes the three components of the dynamic fractional permission system: access control lists (ACLs), permissions, and permission management operations. 1.1 Access Control Lists and Permissions At runtime, each object o is associated with an access control list (ACL). We define a function ACL(o) to return the ACL of object o. The ACL is the set of all task objects that share the full access permission for the object. The fraction Frac(o,A) of the full permission that a task A owns for an object o directly correlates to the number of tasks that are in o’s ACL. Frac(o,A) is defined as: Frac(o,A) :=  1 ‖ACL(o)‖ if A ∈ ACL(o)