Exascale Resilience Turns a Corner
While advancing the field of HPC into the exascale era is beset by many obstacles, resiliency might be the most thorny of all. As the number of cores proliferate so too do the number of incorrect behaviors, threatening not just the operation of the machine, but the validity of the results as well. When you consider that exascale machines will employ billion-way parallelism, the necessity to address this problem is clear.
“Over the past few years resilience has became a major issue for HPC systems, in particular in the perspective of large Petascale systems and future Exascale ones.” These words are the opening text of a 2009 technical report by the Illinois-INRIA Joint Laboratory on PetaScale Computing.
The study did a very good job outlining the resilience challenge, which while no means the only problem for exascale computing, is certainly one of the most vexing. To whit, the troubling assertion (written in 2009) that “the time to checkpoint and restart may exceed the mean time to interrupt of top supercomputers before 2015.”
Recently, the authors – HPC’ers Franck Cappello, Al Geist, William Gropp, Sanjay Kale, Bill Kramer, and Marc Snir – revisited that earlier work to elucidate some of the changes that have taken place over the last five years. While there is still a lot of work to be done, the picture that emerges is decidedly more optimistic than it was in 2009.
“The past five years have seen extraordinary technical progress in many domains related to exascale resilience,” the authors report. “Several technical options, initially considered inapplicable or unrealistic in the HPC context, have demonstrated surprising successes. Despite this progress, the exascale resilience problem is not solved, and the community is still facing the difficult challenge of ensuring that exascale applications complete and generate correct results while running on unstable systems.”
The paper defines resilience in the context of computer platforms as “the techniques for keeping applications running to a correct solution in a timely and efficient manner despite underlying system faults.” Faults, which are the result of errors, are dealt with by predicting, preventing, removing or tolerating them. Faults can occur at all levels of the stack, and thus fault tolerance extends to the hardware, system and application software.
The first section of the paper is devoted to describing the exascale resilience problem. In the words of the authors: “Future exascale systems are expected to exhibit much higher fault rates than current systems do, for various reasons relating to both hardware and software.”
All else being equal, a system that was one-thousand times more powerful, would have one-thousand times more failures. While that simple statistic would be distressing enough, the problem is worse than that. Smaller feature sizes make CPUs more error prone, and shrunken transistors and wires age faster causing even more permanent failures down the road. The same techniques that reduce current leakage also contribute to increased faults. There are steps that vendors can take to reduce error frequency, such as adding circuits, but doing so adds material and energy cost.
Hardware is by no means the only challenge. More complex hardware is matched by more complex system software, which is also more error-prone. Application codes are also increasingly sophisticated and again more error-prone. Research suggests that large parallel jobs may fail as often as once every 30 minutes on exascale platforms.
On the positive side, there have been some important lessons learned now that the community has a few years of experience working with petascale machines. Current petascale platforms experience multiple component failures every day, according to the authors. One study on Blue Waters showed an event that required remedial repair action occurred on average every 4.2 hours and that system-wide events occurred approximately every 160 hours.
The authors report that in its first year of full production, Blue Waters failure rates fell by 50 percent. They note that other supercomputing centers have experienced similar improvements.
The bulk of this 28-page paper is dedicated to laying out a survey of what the community has learned since 2009 (section four) and a summary of the research problems still considered critical by the community (section five).
The authors note that a lot of progress has occurred in handling fail-stop errors by checkpointing.
From the paper: “The norm in 2009 was to store the application state on remote storage, generally a parallel ﬁle system, through I/O nodes. Checkpoint time was significant (often 15–30 minutes), because of the limited bandwidth of the parallel ﬁle system. When checkpoint time is close to the MTBF, the system spends all its time checkpointing and restarting, with little forward progress. Since the MTJI may be an hour or less on exascale platforms, new techniques are needed in order to reduce checkpoint time.”
This can be accomplished by reducing the checkpoint size. For this, programmers are in the best position to know what is the critical data, but this requires a manual approach. “Annotations about ways to protect or check key data, computations, or communications are still a relevant direction,” the authors state.
Another avenue is to reduce the usage of disks for checkpoint storage for example by using in-memory checkpointing or multi-level checkpointing technologies, which involves combining several storage technologies to optimize overhead and reliability. Partial restart techniques also enable accelerated recovery.
Forward recovery is another way to handle errors. In this scenario, “the application needs to be notified of the error and runs forward recovery steps that may involve access to past or remote data to correct (sometimes partially) or compensate the error and its effect, depending on the latency of the error detection.”
The MPI standard does not provide any specification on the behavior of an MPI application after a fault so several resilient MPI designs and implementations have been developed to fill this void. The first effort was the FT-MPI (fault-tolerant MPI) library. Another called ULFM enables the application to be notified of errors and to reorganize the execution for forward recovery. The MPI Forum has not yet reached a consensus on the characteristics of a resilient MPI.
Replication is another approach for resilience in HPC but it is beset by several constraints including high overhead.
An area that has made “exceptional progress” is recent years is failure prediction, specifically an approach that combines data mining with signal analysis and methods to spot outliers. The authors claim results from the Universty of Illinois at Urbana-Champaign and the Illinois Institute of Technology clearly demonstrate the feasibility of error prediction for the Blue Waters Cray system and the IBM Blue Gene. In fact, Blue Waters staff has been able to predict failures with more than 60 percent accuracy, however the authors also say that higher accuracy still is needed to switch from pure reactive fault tolerance to truly proactive fault tolerance.
This leads to the question of how to run a failure predictor on large infrastructures. Local and global methods each have their merits and drawbacks.
There’s also a side effect of all this error and fault handling: it places an additional energy demand on the computing system. The authors refer to another paper that shows that for clusters, there was not much difference in the energy footprint of different checkpointing protocols. The same study suggests that energy demand correlates more with execution time than it does with the power consumption of the operation performed by the various protocols. Models developed to further study the issue point to parallel recovery as being superior to coordinating checkpointing protocols from an energy perspective since parallel recovery takes less time.
Another difficult challenge facing extreme-scale HPC is the rise of silent data corruptions (SDCs). Interestingly, studies show that while SDCs lead to hangs and crashes, only a small fraction of them corrupt results. But getting the wrong result has researchers concerned enough to explore mitigation strategies. The classic solution is to detect at least some of these silent errors, replicate executions and compare results. Here again, there is a high overhead cost.
A second thornier problem is the presupposition that execution generates identical results. The authors write: “the trend toward more asynchrony and more load balancing plays against deterministic executions.” A workaround was developed, called approximate replication, which runs the normal computation along with an approximate computation. The comparison uses upper and lower bounds and only results outside the bounds are suspect.
There has also been a movement towards integrative approaches that take into consideration all the layers from the hardware to the application. Currently there are at least five projects coming at this problem from different ways.
Other areas that have made huge strides since 2009 include algorithmic approaches to detecting and recovering from faults and so-called fault-oblivious iterative methods. One important change has been the separation of faults into two categories. Fail-stop refers to a process that fails and stops, causing a loss of all state in the process, while fail-continue means a process fails but continues, often due to a transient error. It is expected that transient faults (also called soft faults) are likely
to be the most troubling type of faults in exascale systems, thus it is promising that considerable progress has been made in this area.
In the final section of the paper, the authors lay out several research areas that are closely aligned with supporting resiliency at exascale. These are:
– Characterization of hardware faults
– Development of a standardized fault-handling model
– Improved fault prediction, containment, detection, notiﬁcation, and recovery
– Programming abstractions for resilience
– Standardized evaluation of fault-tolerance approaches
There is a lot of emphasis placed on informing the research process as much as possible to support better choices. The characterization of hardware faults would help researchers know which problems had the highest probability of occurring and which wreaked the most havoc, so they can maximize their efforts. The first step here would be to systematically gather information about current systems.
Regarding the second bullet point, the authors write: “A useful fault model would have a standard set of recovery services that all computer suppliers would provide to the software developers to develop resilient exascale applications.”
Of course error detection is not very useful if faults are not detected. To this point, the authors are emphatic that further research is needed to pinpoint silent errors. Getting to exascale requires better error detection, and there is currently no technology that can handle frequent SDC other than brute force and replication.
Another void exists when it comes to programming abstractions for resilience. Current research shows that several programming applications will need to be developed and supported in order to develop resilient exascale applications.
The final focus area would provide a practical way of testing new approaches against known approaches, and just as importantly it would provide a means of measuring the effectiveness of a given approach on different architectures and at different scales. To achieve the goal of a standardized evaluation system, the authors envision the “the development of a portable, scalable test suite that simulates all the errors from the fault model and measures the recovery time, services required, and the resources used for a given resilient exascale application.”