Intermittent hangs and crashes during parallel BDD operations

[Augists]

Intermittent hangs and crashes during parallel BDD operations — possible GC synchronization issues

Summary

I'm experiencing intermittent hangs and crashes (SIGSEGV/SIGBUS) when running parallel BDD operations under high contention on Sylvan v1.9.4 + Lace v1.5.4. The crashes appear non-deterministic and are more frequent when the node table approaches capacity, suggesting a relationship with GC triggering.

I've done a detailed code audit of the GC synchronization path and wanted to share several findings — some may explain the instability, others are precautionary observations.

Environment

• Sylvan v1.9.4, Lace v1.5.4
• Multi-core Linux (x86_64)
• Observed with both GCC and Clang

Analysis (by Claude Code ^_^)

1. cache_clear() uses munmap + mmap (not MAP_FIXED)

In sylvan_cache.c, cache_clear() calls cache_free() (which munmaps the old cache_table and cache_status) and then cache_create() (which mmaps new memory at a potentially different address):

void cache_clear() {
    cache_free();                         // munmap — old pointers become dangling immediately
    cache_create(cache_size, cache_max);  // mmap — new allocation, updates global pointers
}

This is more dangerous than the MAP_FIXED approach used in clear_aligned() (which at least preserves virtual addresses). After munmap, any stale reference to the old cache_table would cause SIGSEGV.

Furthermore, cache_table and cache_status are non-atomic static globals:

static cache_entry_t  cache_table;
static uint32_t*      cache_status;

After GC completes and workers resume BDD operations, the visibility of the new pointer values to other workers relies on implicit acquire semantics from the barrier spin-loop exit (while (wait == lace_bar.wait) {} reading an atomic_int). This works in practice but is fragile — there is no explicit atomic_store/atomic_load or fence guarding the cache_table pointer update.

2. lace_barrier() uses memory_order_relaxed throughout

All atomic operations inside lace_barrier() use memory_order_relaxed:

void lace_barrier() {
    int wait = lace_bar.wait;
    if ((int)n_workers == 1 + atomic_fetch_add_explicit(&lace_bar.count, 1, memory_order_relaxed)) {
        atomic_store_explicit(&lace_bar.count, 0, memory_order_relaxed);
        atomic_store_explicit(&lace_bar.leaving, n_workers, memory_order_relaxed);
        atomic_store_explicit(&lace_bar.wait, 1-wait, memory_order_relaxed);
    } else {
        while (wait == lace_bar.wait) {}
    }
    lace_bar.leaving -= 1;
}

The correctness of GC synchronization depends on the atomic_thread_fence(memory_order_seq_cst) inside lace_exec_in_new_frame(), which sits between Barrier 1 (in lace_yield) and Barrier 2 (in lace_exec_in_new_frame). This fence provides the actual memory ordering guarantee that all workers' prior stores (table/cache accesses) are visible before the GC task runs.

This design is correct but tightly coupled — the barrier itself provides no ordering, and the correctness relies entirely on the fence placement in lace_exec_in_new_frame. If any code path calls lace_barrier() without the subsequent seq_cst fence (e.g., in a future refactor), the GC safety guarantee silently breaks.

3. Potential hang: cooperative NEWFRAME relies on all workers reaching sylvan_gc_test()

The NEWFRAME mechanism is fully cooperative. Workers can only yield at sylvan_gc_test() / YIELD_NEWFRAME() checkpoints. If any worker is stuck in a long-running non-TASK C function (e.g., a pathological hash probe sequence in llmsset_lookup2 under extreme table load), the GC barrier cannot complete and all other workers spin indefinitely.

In sylvan_table.c, llmsset_lookup2() contains a linear probe loop:

while (1) {
    // ... probe dbs->table[idx] ...
    if (idx >= dbs->table_size) idx -= dbs->table_size;
    // No YIELD_NEWFRAME checkpoint in this loop
}

When the table is near capacity (which is exactly when GC is triggered), probe sequences can become very long. Meanwhile, other workers that have already triggered GC are spinning at lace_barrier(), waiting for this worker. This creates a livelock-like situation: the table-full condition triggers GC, but GC can't start because a worker is still probing the nearly-full table.

This could explain the hangs I'm observing.

4. lace_bar.leaving reuse between consecutive barriers

Inside lace_exec_in_new_frame, three barriers are called in sequence:

lace_barrier();              // Barrier 2
root->f(...);                // GC task (MAP_FIXED, munmap, etc.)
lace_barrier();              // Barrier 3

After Barrier 2 releases, all workers execute lace_bar.leaving -= 1 asynchronously. When Barrier 3's last-arriving worker stores leaving = n_workers, there is no explicit fence ensuring that all workers have completed their leaving -= 1 from Barrier 2. The correctness relies on the assumption that the GC task (root->f(...)) takes long enough for all workers to complete the decrement — a timing assumption, not a formal guarantee.

Questions

1. Has there been any testing under extreme table-fill conditions (>95% occupancy) with many workers? The hang scenario in point 3 seems most likely to reproduce under these conditions.

2. Would it be feasible to add a YIELD_NEWFRAME checkpoint inside the probe loop of llmsset_lookup2, or would this break the lookup invariants?

3. Should cache_table / cache_status be declared _Atomic to make the post-GC visibility guarantee explicit rather than relying on implicit barrier semantics?

Reproduction

The issue is non-deterministic. It reproduces more frequently with:

• High worker count (matching or exceeding physical cores)(but also in one worker situation)
• Small initial table sizes (forcing frequent GC)
• Workloads that create many unique nodes rapidly

[trolando]

Hi @Augists

Ideally if you could share the program that crashes, that would be helpful. I can try to reproduce it on my own x86_64 machine.

Alternatively, if you could run your program with RelWithDebInfo or Debug, or with the -g parameter, and share the state of all threads at the moment it crashes, that would be very helpful in narrowing it down.

One important aspect of Sylvan is to ensure that all Sylvan operations (including making a node) must be performed inside a Lace task and/or on a Lace worker. If you invoke sylvan_makenode for example from a non-Lace worker, it might be running garbage collection and lose references to BDD nodes. These lost BDD nodse are then freed in the table and reused, resulting in corrupt BDDs and potential bad memory accesses, causing the crash. I intend to redesign Sylvan in the 2.0 version to be more robust against these kind of mistakes, since it is easy to make the mistake. I would suggest you see if you can wrap your entire program in a Lace task, and if that is not feasible, then at least any time you're doing a BDD operation that is not already running as a Lace task (in particular sylvan_makenode), then wrap it in a helper task.

cache_clear

So cache_clear would normally only be called during garbage collection, which is a stop-the-world operation. There should be no ongoing cache operation and the pointers into the cache should not leak outside of the cache_get and cache_put functions anyway.

lace_barrier

I was going to link to the documentation, but I just realized that the lace_barrier in Lace 2.0 is not the same as the one in Lace 1.9.4. I will address this later today/tomorrow).

This hypotheses can be tested. For example, if you "fix" the lace_barrier by adding something like

atomic_thread_fence(memory_order_seq_cst);

at the end, does that solve the problem?

checking to yield inside llmsset_lookup2

Do you have any evidence that threads are failing in the lookup? It's a hot code path that in principle should not be burdened with additional checks. Furthermore, even if the table is nearly full, the call will finish. So it would not be a hang. If the hang is related to this, please provide evidence in the form of gdb or lldb output, for example, by listing all threads when it is hanging and where they are in the program.

Questions

On Q1, well, yes, Sylvan is used for high-performance scientific computing, very often with full tables where GC is repeatedly called. I am not aware of this issue with other users at this time.

On Q2, it does not make sense to add this checkpoint without a very clear reason, because the llmsset_lookup2 should be able to finish. There are no livelocks in the lookup, because GC is activated outside of the llmsset_lookup2 call, not inside.

On Q3, what exactly would that change is unclear.

Reproduction

Please provide code that reliably reproduces this problem. I am considering writing a test program that simply creates many many random BDDs of random sets, flooding the nodes table, then checking if BDDs are not corrupted.

However it would be most useful if you could share more details as outlined above. If necessary, reach out to me via my UTwente email address with a reproduction package.

[trolando]

Try Sylvan 1.10.0 with Lace 1.6.0.

[Augists]

all Sylvan operations (including making a node) must be performed inside a Lace task and/or on a Lace worker

I did try to embed sylvan in NDD as BDD backend and other benchmarks or tests. (also in my private repositories) And I did not wrap all function in Lace worker MACRO. This may the cause of my crash.

Also I wanna show you my test of differernt version of Sylvan and Lace, which you can access by JSylvan-NDD. In my repository, all these versions were tested by NQueens and also I tried the bundled Lace (version <= 1.4.1, which performs the best, even better than the latest version). I know it has to compatible with all platforms so you have to trade off between performance and compatibility ^_^

So in my latest implementation of NDD (a private repository), I take a bundled version of Lace with Sylvan v1.9.1. When the network topology dataset grows larger, my Network Verification Tool sometimes crashes.

Also for the NQueens benchmark, the default example outputs too much logs so I wrote a nqueens_fast.c in my nqueensBenchmarkDDs. But these days when I tried to re-run sylvan, I got a situation where the CPU is at about 100% utilization but is stuck in futex (as indicated by strace). I had to increase parameters such as the BDD node table size (which is much larger than other BDD libraries).

[trolando]

Oh, that calls for an investigation. So a newer version of Lace causes a major performance regression?

What about Lace 1.6.0 with Sylvan 1.10.0? I might have fixed some issues with the atomics between 1.5.x and 1.6.0.

It may also be that my implementation of nqueens is different from other BDD libraries. For comparison with other libraries, SSoelvsten's BDD benchmarks might be useful to see.

[trolando]

Alright, looking at https://github.com/Augists/JSylvan-NDD/blob/main/NDD_VARIANT_RESULTS.md, it seems that at least some of the performance regression is solved with the new version, but there is still a marked difference between using Lace 1.4.1 and Lace 1.6.0. I am curious if that is only when used with the Java bridge, or also without the Java bridge.

[Augists]

Yep. In my previous test, the overhead of JNI is essentially negligible. The most notable difference is the change made in Lace v1.4.2 when Lace was removed from the Sylvan library. Subsequent versions have continued to optimize performance based on this, but they still cannot match the performance of the original version.

Maybe I should directly test some of these benchmarks in Sylvan. But when mmap=on, Sylvan sometimes crashes so I did not get valid results in the last month. Some of my tests paused cause of this. (In Java JNI warpper of NDD, it shows me native crash)

[trolando]

So the 4x difference is (almost) purely based on the Lace version right? No change in Sylvan or JSylvan except to follow a changed API?

[trolando]

So according to Claude (your programming buddy), you could use async-profiler and compare the flame graphs:

# CPU profiling — shows where time is spent across Java + native
./asprof -d 30 -f flamegraph.html <pid>

# Or launch directly
./asprof -d 30 -f flamegraph.html \
    java -cp target/ndd-1.0.1-jar-with-dependencies.jar \
    application.nqueen.NQueensTest 12

Run this once with Lace 1.4.1 and once with Lace 1.6, then compare the flame graphs side by side.

You can also check hardware counters with perf stat:

perf stat -e cycles,instructions,cache-references,cache-misses,\
branch-instructions,branch-misses,L1-dcache-load-misses,\
LLC-load-misses \
    java -cp target/ndd-1.0.1-jar-with-dependencies.jar \
    application.nqueen.NQueensTest 12

Is it more instructions, or is the cache behavior worse (memory layout issues)?

Or for more detail on the native side:

# Need frame pointers in your C build — add -fno-omit-frame-pointer
perf record -g -F 999 -- java -XX:+PreserveFramePointer \
    -cp target/ndd-1.0.1-jar-with-dependencies.jar \
    application.nqueen.NQueensTest 12

perf report

I don't have a lot of experience with the Java bridge and debugging performance issues there, but I might have a look later.

[trolando]

Do you run with or without HWLOC?

[trolando]

There are just very few changes between 1.4.1 and 1.5.0 that could influence performance:

• Larger minimum program stack size for new threads
• LACE_USE_MMAP and LACE_USE_HWLOC are actually set in lace_config.h (this was an omission, so the flags were no-ops before)

From 1.5.0 to 1.5.1 not much should be changed, nothing that I can see would influence performance.
From 1.5.1 to 1.5.2 to 1.5.3 to 1.5.4 also nothing that would influence performance.
From 1.5.4 to 1.6.0 major fixes that should improve performance with more careful placement of memory barriers.

So from that one might presume that it's the LACE_USE_MMAP feature that causes the issue. What happens if you run it with version 1.5.4 but LACE_USE_MMAP=OFF?

[trolando]

Alright, I have limited time at the moment, I've done a bit of looking around in JSylvan-NDD.

I changed build-sylvan.sh to use CMAKE_BUILD_TYPE=RelWithDebInfo to keep the symbols. With perf record -g and perf report I could with a bit of magic (perf buildid-cache --add /path/to/build/libsylvan-java.so) see that somehow it was spending all its time trying to steal. Huh?

I changed build-sylvan.sh to add -DLACE_PIE_TIMES=ON -DLACE_COUNT_TASKS=ON -DLACE_COUNT_STEALS=ON -DSYLVAN_STATS=ON to the CMake command for Sylvan. I changed NQueensTest.java to call JSylvan.quit() and changed the implementation for quit to add lace_stop(); and sylvan_stats_report(stdout);. This prints out Sylvan and Lace statistics, which are helpful for figuring out what is happening. I also added lace_set_verbosity(1) to the init function of JSylvan.

Here's what I'm getting. First, I see that Lace startup goes well with 20 workers and a 16MB program stack for each Lace worker.

Then indeed running NQueens 12 takes very long, much longer than with Lace 1.4.1.

N=12, solutions=14200.0, time=77.836s
NDD nodes: 1851150

Sylvan statistics

Tables
MTBDD nodes created  640,166         
MTBDD nodes reused   885,703         
Lookup iterations    31,215          
Unique nodes table   640,312 of 8,388,608 buckets filled.
Operation cache      1,572,808 of 4,194,304 buckets filled.
Memory (nodes)       192.00 MB (max real) of 3.000 GB (allocated virtual memory).
Memory (cache)       144.00 MB (max real) of 2.250 GB (allocated virtual memory).

Operation            Count            Cache get        Cache put
BDD and              14,880,995       1,566,664        13,306,705      
BDD satcount         449,803          435,919          13,859          

...

Tasks (sum): 713900
Steals (sum): 97147 good/23757 busy of 21063598167 tries; leaps: 1208 good/104 busy of 2264908 tries
Tasks per steal (sum): 7

...

Startup time (sum):        626.41 ms
Steal work (sum):         1619.18 ms
Leap work (sum):             2.93 ms
Steal overhead (sum):    39973.55 ms
Leap overhead (sum):         0.08 ms
Steal search (sum):    1526489.95 ms
Leap search (sum):          25.12 ms
Backoff time (sum):      68281.32 ms
Exit time (sum):             1.19 ms

Those numbers are just weird. It spends 1.6 seconds of actual work in total, and 1526 seconds on just trying to steal? That's like 76 seconds of just attempted steals per worker. Considering the entire wallclock time was 77.8 seconds, almost all that time is spent doing nothing!

If I run nqueens on Sylvan directly using Sylvan's implementation, Sylvan's implementation of nqueens seems quite inefficient compared to yours, but here's what I get:

[  132.56] Result: NQueens(12) has 14200 solutions.
[  132.57] Result BDD has 435170 nodes.
[  132.57] Computation time: 132.528717 sec.

Sylvan statistics

Tables
MTBDD nodes created  1,177,579,473   
MTBDD nodes reused   8,358,009,178   
Lookup iterations    23,436,181,071  
Unique nodes table   199,480,396 of 268,435,456 buckets filled.
Operation cache      67,096,503 of 67,108,864 buckets filled.
Memory (nodes)       6.000 GB (max real) of 6.000 GB (allocated virtual memory).
Memory (cache)       2.250 GB (max real) of 2.250 GB (allocated virtual memory).

Operation            Count            Cache get        Cache put
BDD and              10,824,761,426   2,726,591,088    1,283,816,616   
BDD satcount         462,418          144,306          13,855          

Garbage collection
GC executions        14              
Total time spent     8.864103 sec.

...

Tasks (sum): 2376405562
Steals (sum): 185351 good/6133 busy of 99668876 tries; leaps: 310501 good/29673 busy of 399080756 tries
Tasks per steal (sum): 4792

...

Startup time (sum):        708.44 ms
Steal work (sum):      2129450.47 ms
Leap work (sum):        450075.64 ms
Steal overhead (sum):     1157.60 ms
Leap overhead (sum):        75.80 ms
Steal search (sum):      39626.75 ms
Leap search (sum):        7194.36 ms
Backoff time (sum):      37106.79 ms
Exit time (sum):            21.06 ms

That's a much different picture. Work time is much bigger now, in total 2580 seconds, or 129 seconds per worker. That makes sense considering the entire computation took 132.5 seconds. Steal+leap search is actually mostly backoff time of about 1.9 seconds per worker. So that's pretty good.

This makes me wonder why JSylvan is unable to feed Sylvan enough work that it's practically doing nothing.

I might want to add some more statistics to Lace, such as number of stolen external tasks, to get a clearer picture. The BACKOFF and HWLOC options are also causing massive slowdowns.

[trolando]

Oh by the way the core of the problem appears to be that JSylvan is getting too few too small jobs so Lace has nothing to do. However, idle workers seems to cause massive problems with scalability. Normally this does not show up in Lace benchmarks. The backoff strategy was supposed to help keep CPU down with idle workers, but in this case it seems to make this particular problem much worse. The HWLOC is supposed to prevent pathological thread migration patterns (threads moving CPUs all day long) but it's somehow also actively making things worse.

Bottom line is twofold:

• Sylvan is not getting enough work from the Java application
• Lace is currently not managing idle threads well

[Augists]

That's right. NDD from our paper decouples fields, which idea generated from Network Verification. (We need to encode srcIP, dstIP, srcPort, dstPort, protocol, and else. So we found it is helpful to seperate these fields.)

As for NQueens, I decouple by lines on the board (by N, the size of question). So the BDD task in NQueens(NDD) is small. The max variable of BDD backend is N.

[trolando]

I'm a bit busy at the moment, but my action plan is roughly to replace the backoff logic with a 1ms futex, and add wakeups in lace_run_task and lace_steal (if more work is available). That should make Lace much more responsive and remove the pathological backoff behavior.

[Augists]

I did my work on a parallel NDD implementation - MTPNDD, with Sylvan v1.9.1 and bundled Lace v1.4.1 (for its performing the best in JSylvan-NDD, the test in Java version). All of these are written in C for the reason that I need Sylvan to support calling BDD operations in parallel (NDD operations will compute m x n edges at most but they are mutually independent computations) and called from Network Verification Tools in Java (by JNI bindings). Actually, in MTPNDD it does not care about the parallelism in BDD operations. Maybe MTPNDD would perform better if BDD backend operates in only one worker? (BDD task is in large numbers and small in NDD)