4.5 Equivalence of the Speculative and Nonspeculative Versions of the Distributed Objects

4.5.3 Equivalence Theorems

Since this rule involves speculations, the lowering process has to take into account the outcome of the speculation, as illustrated in Definition 4.5.6.

• if O(s) =c then the oracle predicts that the speculation commits, in which case the process will not rollback its state.

⇓(∆i−1) =oj : [V ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v][v] ] ; Π^NS

⇓(∆i) =oj : [V⁰ ] ; Θ^NS ‡ [ Γ, v:V `e[v] ] ; Π^NS

In this case, the Read-Spec-Proc reduction rule is equivalent to the NS-Read reduction rule from the nonspeculative operational semantics.

• ifO(s) =athen the oracle predicts that the speculation aborts, so the operations performed inside this speculation will be rolled back.

⇓(∆i−1) =oj: [ V ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) =oj: [ V ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

In this case theRead-Spec-Procreduction rule is equivalent to a no-op, as far as the nonspec- ulative model is concerned, because the speculative program will rollback its state and this operation is treated as if it never happened.

Rule Read-Spec-Obj.

• ifO(s) =cthen

⇓(∆i−1) = oj: [V ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS

⇓(∆i) = oj: [V ] ; Θ^NS ‡ [ Γ, v:V `e[v] ] ; Π^NS

• ifO(s) =athen

⇓(∆i−1) = oj : [V⁰ ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS

⇓(∆i) = oj : [V⁰ ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS

TheRead-Spec-Objreduction rule is equivalent to either theNS-Readnonspeculative rule or with a no-op, depending on the outcome of speculations.

Rule Read-Spec-Same.

• ifO(s) =cthen

⇓(∆i−1) = oj: [V ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS

⇓(∆i) = oj: [V ] ; Θ^NS ‡ [ Γ, v:V `e[v] ] ; Π^NS

• ifO(s) =athen

⇓(∆i−1) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

TheRead-Spec-Samereduction rule is equivalent to either the NS-Readnonspeculative rule or with a no-op, depending on the outcome of speculations.

Rule Read-Spec-Merge.

The two speculations,sP andsO, merge and a new speculation,s, is substituted for them. Since the oracle,O(), is valid it must predict the same outcome for all three speculations.

• ifO(s) =O(sP) =O(sO) =c then

⇓(∆i−1) = oj: [V ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS

⇓(∆i) = oj: [V ] ; Θ^NS ‡ [ Γ, v:V `e[v] ] ; Π^NS

TheRead-Spec-Mergereduction rule is equivalent to the NS-Readnonspeculative rule.

• ifO(s) =O(sP) =O(sO) =athen

⇓(∆i−1) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

In this case, theRead-Spec-Mergereduction rule is equivalent to a no-op, since the speculations will be aborted and all the actions performed since entering them will be equivalent to null.

Rule Write-NoSpec.

⇓(∆i−1) =oj: [ V ] ; Θ^NS ‡ [ Γ`write(V⁰, oj);e] ; Π^NS

⇓(∆i) =oj: [ V⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS

As expected, when no speculation is involved, this reduction rule is equivalent to NS-Write.

Rule Write-Spec-Proc. Since this rule involves speculations, we have to analyze two cases, which depend on the oracle we choose.

• ifO(s) =cthen

⇓(∆i−1) =oj: [ V ] ; Θ^NS ‡ [ Γ`write(V⁰, oj);e] ; Π^NS

⇓(∆i) =oj: [ V⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS

In this case, the Write-Spec-Procreduction rule is equivalent to the NS-Writenonspec- ulative rule.

• ifO(s) =athen

⇓(∆i−1) =oj: [ V ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) =oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰ `e⁰ ] ; Π In this case, the Write-Spec-Procreduction rule is equivalent to a no-op.

Rule Write-Spec-Obj.

• ifO(s) =cthen

⇓(∆i−1) = oj : [V ] ; Θ^NS ‡ [ Γ`write(V⁰⁰, oj);e] ; Π^NS

⇓(∆i) = oj : [V⁰⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS

• ifO(s) =athen

⇓(∆i−1) = oj : [V⁰ ] ; Θ^NS ‡ [ Γ`write(V⁰⁰, oj);e] ; Π^NS

⇓(∆_i) = o_j : [V⁰ ] ; Θ^NS ‡ [ Γ`write(V⁰⁰, o_j);e] ; Π^NS

TheWrite-Spec-Objreduction rule is equivalent to either theNS-Writenonspeculative rule or with a no-op, depending on the outcome of speculations.

Rule Write-Spec-Same.

• ifO(s) =cthen

⇓(∆i−1) = oj : [V ] ; Θ^NS ‡ [ Γ`write(V⁰⁰, oj);e] ; Π^NS

⇓(∆i) = oj : [V⁰⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS

• ifO(s) =athen

⇓(∆i−1) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

TheWrite-Spec-Same reduction rule is equivalent to either the NS-Writenonspeculative rule or with a no-op, depending on the outcome of speculations.

Rule Write-Spec-Merge. According to the definition of valid oracles, the oracle that we choose will provide the same outcome for the three speculations present in this rule,s,sP, andsO.

• ifO(s) =O(sP) =O(sO) =c then

⇓(∆_i−1) = o_j : [V ] ; Θ^NS ‡ [ Γ`write(V⁰⁰, o_j);e] ; Π^NS

⇓(∆i) = oj : [V⁰⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS

• ifO(s) =O(sP) =O(sO) =athen

⇓(∆i−1) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) = oj: [ V⁰ ] ; Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

TheWrite-Spec-Mergereduction rule is equivalent to either theNS-Writenonspeculative rule or with a no-op, depending on the outcome of speculations.

Rules Ab-Owner,Ab-Proc, andAb-Fail.

All three reduction rules,Ab-Owner, Ab-Proc, and Ab-Fail, are equivalent to no-ops when the⇓() is applied to the left and right hand side of the rules, since the oracle can only predict that the speculation has aborted, in which case we obtain the following.

⇓(∆i−1) = Θ^NS ‡ [ Γ⁰ `e⁰ ] ; Π^NS

⇓(∆i) = Θ^NS ‡ [ Γ⁰ `e⁰ ] ; Π^NS

This is expected, since the action of aborting a speculation cannot be translated to the nonspec- ulative operational semantics.

Rule Ab-Object.

Because the speculation that the object belongs to has been aborted the reduction rule is equiv- alent to a no-op.

⇓(∆i−1) = oj : [V⁰ ] ; Θ^NS ‡ Π^NS

⇓(∆_i) = o_j : [V⁰ ] ; Θ^NS ‡ Π^NS Rule Comm-Peer.

This rule is equivalent to a no-op since the program executed by the process illustrated in the rule doesn’t really advance to the next statement. The rule only changes the flag associated with the speculation. By applying thelowersto both sides of the rule the following nonspeculative rules are obtained, depending on the final outcome of the speculation.

• ifO(s) =cthen

⇓(∆i−1) = Θ^NS ‡ [ Γ`commit();e] ; Π^NS

⇓(∆i) = Θ^NS ‡ [ Γ`commit();e] ; Π^NS

• ifO(s) =athen

⇓(∆i−1) = Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

⇓(∆i) = Θ^NS ‡ [ Γ⁰`e⁰ ] ; Π^NS

Rules Comm-Owner and Comm-Proc.

For both rulesComm-OwnerandComm-Proctheir equivalents is ruleNS-Commit, since the oracle can only predict that the speculation has committed, in which case we obtain the following.

⇓(∆i−1) = Θ^NS ‡ [ Γ`commit();e] ; Π^NS

⇓(∆i) = Θ^NS ‡ [ Γ`e] ; Π^NS Rule Comm-Client.

The nonspeculative equivalent of this rule is a no-op. The lowering function simply discards the checkpoint belonging to a committed speculation.

⇓(∆i−1) = Θ^NS ‡ [ Γ`e] ; Π^NS

⇓(∆i) = Θ^NS ‡ [ Γ`e] ; Π^NS Rule Comm-Obj.

Because the speculation the object is part of has been committed this reduction rule is equivalent to a no-op.

⇓(∆i−1) = oj : [V ] ; Θ^NS ‡ Π^NS

⇓(∆i) = oj : [V ] ; Θ^NS ‡ Π^NS

u t The next theorem relies on the definition of lifting a nonspeculative state a speculative state (Definition 4.5.9).

Theorem 4.5.12. For any nonspeculative reduction rule such that

∆^NS_i−1⇒^NS ∆^NS_i ,

there is a sequence of speculative reduction rules such that

⇑(∆^NS_i−1)⇒^∗⇑(∆^NS_i )

Proof. The proof is done in a similar manner with the proof for Theorem 4.5.11, by considering each of the reduction rules in the nonspeculative operational semantics and showing that there exists

an appropriate sequence of transformations in the speculative operational semantics that satisfy the condition stated in the theorem.

Rule NS-Spec-C-br.

⇑(∆^NS_i−1) = ⇑(Θ^NS ‡ [ Γ`speculate(e₁⊕e₂);e₃ ] ; Π^NS) =

= ‡Θ ‡ pi: [ h i |Γ`speculate(e1⊕e2);e3] ; Π

⇑(∆^NS_i ) = ⇑(Θ^NS ‡ [ Γ,S:Spec,A:{e2;e3} `e1;e3 ] ; Π^NS) =

= ‡ S ‡ Θpi: [ h(S,own), Γ, e2;e3i |Γ`e1;e3 ] ; Π

This rule is equivalent to the Specreduction rule from the operational semantics of the speculative model.

Rule NS-Spec-A-br.

⇑(∆^NS_i−1) = ⇑(Θ^NS ‡ [ Γ`speculate(e1⊕e2);e3 ] ; Π^NS) =

= ‡Θ ‡ pi: [ h i |Γ`speculate(e1⊕e2);e3] ; Π

⇑(∆^NS_i ) = ⇑(Θ^NS ‡ [ Γ`e2;e3 ] ; Π^NS) =

= ‡Θ[aborted] ‡ pi: [h i |Γ`e2;e3 ] ; Π[aborted]

Lifting the right and the left hand side of this rule presents us with an interesting case. There is no rule that perfectly matches⇑(∆^NS_i−1)⇒⇑(∆^NS_i ).

However, if we carefully look at the operational semantics for the speculative model we observe that⇑(∆^NS_i−1) matches the left side of theSpecreduction rule.

After applying theSpecrule, we get the following state of the system:

‡Θ ‡ pi: [ h(s,own), Γ , e2;e3i |Γ`e1;e3] ; Π

To obtain ⇑ (∆^NS_i ) from the above state, the speculation has to be aborted, so applying the Ab-Ownerreduction rule would take us to the desired state.

In conclusion, this nonspeculative reduction rule is equivalent to a reduction trace composed of two rules.

⇑(∆^NS_i−1)Spec=⇒ ∆Ab-Owner=⇒ ⇑(∆^NS_i ).

Rule NS-Commit.

⇑(∆^NS_i−1) = ⇑(Θ^NS ‡ [ Γ,S :Spec,A:{e⁰} `commit();e] ; Π^NS) =

= S :{pi} ‡ Θ ‡ pi: [ h(S,own), Γ, e⁰i |Γ`commit();e] ; Π

⇑(∆^NS_i ) = ⇑(Θ^NS ‡ [ Γ`e] ; Π^NS) =

= ‡Θ ‡ pi : [h i |Γ`e] ; Π

This rule is equivalent to the Comm-Owner reduction rule from the operational semantics of the speculative model.

Rule NS-Read.

⇑(∆^NS_i−1) = ⇑(oj: [V ] ; Θ^NS ‡ [ Γ`let v=read(oj)in e[v] ] ; Π^NS) =

= ‡oj[h i |V ] ; Θ ‡ pi: [h i |Γ`let v=read(oj)in e[v] ] ; Π

⇑(∆^NS_i ) = ⇑(oj: [V ] ; Θ^NS ‡ [ Γ, v:V `e] ; Π^NS) =

= ‡oj[h i |V ] ; Θ ‡ pi: [h i |Γ, v:V `e] ; Π

This rule is equivalent to the Read-NoSpecreduction rule from the operational semantics of the speculative model.

Rule NS-Write.

⇑(∆^NS_i−1) = ⇑(oj : [V ] ; Θ^NS ‡ [ Γ`write(V⁰, oj);e] ; Π^NS) =

= ‡oj[h i |V ] ; Θ ‡ pi: [ h i |Γ`write(V⁰, oj);e] ; Π

⇑(∆^NS_i ) = ⇑(oj : [V⁰ ] ; Θ^NS ‡ [ Γ`e] ; Π^NS) =

= ‡oj[h i |V⁰ ] ; Θ ‡ pi: [ h i |Γ`e] ; Π

This rule is equivalent to the Write-NoSpecreduction rule from the operational semantics of the speculative model.

u t To conclude the equivalence proof, we need to show next that for any distributed system, com- posed of processes and shared objects, as defined in Section 4.2.1, the speculative and the nonspec- ulative operational semantics defined in Section 4.2 and Section 4.4 are equivalent.

To show the equivalence of the two operational semantics we need to show first that for any reduction trace that takes a distributed system from an initial speculative state ∆0 to a state ∆n, by only applying reduction rules in the speculative operational semantics, there is an equivalent nonspeculative reduction trace that takes the nonspeculative state ∆^NS₀ to state ∆^NS_m, using only

reduction rules from the nonspeculative operational semantics. Furthermore, the initial and final states have to be equivalent under the lowering and lifting operations.

The reciprocal of the above statement concludes the proof, and it states that for any nonspecu- lativereduction trace there is an equivalent speculativereduction trace such that the initial and the final states are equivalent under the lifting and lowering operations.

Formally, this is summarized by the following theorem.

Theorem 4.5.13. The speculative and the nonspeculative operational semantics are equivalent under the lowering and lifting operations, as follows:

∀→−

∆ ::= ∆0 ⇒ . . . ⇒ ∆n, ∀O ∈Ω(−→

∆),

∃→−

∆N S ::= ∆^NS₀ ⇒^NS . . . ⇒^NS ∆^NS_m, such that

⇓(∆0) = ∆^NS₀ ∧ ⇓(∆n) = ∆^NS_m, and

∀−→

∆N S ::= ∆^NS₀ ⇒^NS . . . ⇒^NS ∆^NS_m,

∃−→

∆ ::= ∆0 ⇒ . . . ⇒ ∆n, such that

⇑(∆^NS₀ ) = ∆0 ∧ ⇑(∆^NS_m) = ∆n

Proof. The proof of this theorem relies on the statement made in Lemma 4.5.4 and it follows from applying Theorem 4.5.12 and Theorem 4.5.11 to each reduction rule in the speculative and nonspeculativereduction traces, respectively.

u t

Chapter 5

Implementation

This chapter describes our implementation of the primitives for distributed speculative execution and our efforts to provide a transparent local and distributed rollback as part of the implementation.

We begin by discussing our initial work in implementing speculative execution as part of a compiler and we continue by presenting a kernel level implementation that is more general and efficient than our initial approach.

5.1 Background

The formal description of the speculative primitives makes them suitable to be implemented as extensions to existing programming languages. This approach calls for integrating them with existing compilers to provide the appropriate conversion to machine code.

There are two issues to consider when discussing this approach.

• What is the right programming language to extend with speculative primitives?

• Is there a compiler for that language that can naturally support the primitives used for spec- ulative execution?

In our initial approach we answered these questions as follows:

• Use several languages, both imperative (C and Java) and functional (ML).

• Use an open source compiler collection that we developed as part of a previous project, called the Mojave Compiler Collection (MCC) [53].