Download presentation

Presentation is loading. Please wait.

Published byAudrey Parker Modified about 1 year ago

1
The Semantics of Concurrent Programming, 3 K. V. S. Prasad Dept of Computer Science Chalmers University February – March 2013

2
Recap What do *you* think we have established?

3
Processes revisited We didn’t really say what ”waiting” was – Define it as ”blocked for resource” If run will only busy-wait – If not blocked, it is ”ready” Whether actually running depends on scheduler – Running -> blocked transition done by process – Blocked -> ready transition due to external event Now see B-A slide 6.1 Define ”await” as a non-blocking check of boolean condition

4
Deadlock? With higher level of process – Processes can have a blocked state – If all processes are blocked, deadlock – So require: no path leads to such a state With independent machines (always running) – Can have livelock Everyone runs but no one can enter critical section – So require: no path leads to such a situation

5
Semaphore definition Is a pair Initialised to – k depends on application For a binary semaphore, k=1 or 0, and k=1 at first Two operations. When proc p calls sem S – Wait (S) = if k>0 then k:=k-1 else block p and add it to set – signal (S) If empty set then k:=k+1 else take a q from set and unblock it Signal undefined on a binary sem when k=1

6
Critical Section with semaphore See alg 6.1 and 6.2 (slides 6.2 through 6.4) Semaphore is like alg 3.6 – The second attempt at CS without special ops – There, the problem was P checks wantq – Finds it false, enters CS, – but q enters before p can set wantp We can prevent that by compare-and-swap Semaphores are high level versions of this

7
Correct? Look at state diagram (p 112, s 6.4) – Mutex, because we don’t have a state (p2, q2,..) – No deadlock Of a set of waiting (or blocked) procs, one gets in Simpler definition of deadlock now – Both blocked, no hope of release – No starvation, with fair scheduler A wait will be executed A blocked process will be released

8
Invariants Do you know what they are? – Help to prove loops correct – Game example Semaphore invariants – k >= 0 – k = k.init + #signals - #waits – Proof by induction Initially true The only changes are by signals and waits

9
CS correctness via sem invariant Let #CS be the number of procs in their CS’s. – Then #CS + k = 1 True at start Wait decrements k and increments #CS; only one wait possible before a signal intervenes Signal – Either decrements #CS and increments k – Or leaves both unchanged – Since k>=0, #CS <= 1. So mutex. – If a proc is waiting, k=0. Then #CS=1, so no deadlock. – No starvation – see book, page 113

10
Why two proofs? The state diagram proof – Looks at each state – Will not extend to large systems Except with machine aid (model checker) The invariant proof – In effect deals with sets of states E.g., all states with one proc is CS satisfy #CS=1 – Better for human proofs of larger systems – Foretaste of the logical proofs we will see (Ch. 4)

11
Towards Dekker: the problem, again Specification – Both p and q cannot be in their CS at once (mutex) – If p and q both wish to enter their CS, one must succeed eventually (no deadlock) – If p tries to enter its CS, it will succeed eventually (no starvation) GIVEN THAT – A process in its CS will leave eventually (progress) – Progress in non-CS optional

12
Different kinds of requirement Safety: – Nothing bad ever happens on any path – Example: mutex In no state are p and q in CS at the same time If state diagram is being generated incrementally, we see more clearly that this says ”in every path, mutex” Liveness – A good thing happens eventually on every path – Example: no starvation If p tries to enter its CS, it will succeed eventually – Often bound up with fairness We can see a path that starves, but see it is unfair

13
Language, logic and machines Evolution – Language fits life – why? – What is language? What is logic? – Special language What are machines? – Why does logic work with them? What kind of logic?

14
Logic Review How to check that our programs are correct? – Testing Can show the presence of errors, but never absence – Unless we test every path, usually impractical – How do you show math theorems? For *every* triangle, … (wow!) For *every* run – Nothing bad ever happens (safety) – Something good eventually happens (liveness)

15
Propositional logic Assignment – atomic props mapped to T or F – Extended to interpretation of formulae (B.1) Satisfiable – f is true in some interpretation Valid - f is true in all interpretations Logically equal – same value for all interpretations – P -> q is equivalent to (not p) or q Material implcation – p -> q is true if p is false

16
Proof methods State diagram – Large scale: ”model checking” – A logical formula is true of a set of states Deductive proofs – Including inductive proofs – Mixture of English and formulae Like most mathematics

17
Atomic Propositions (true in a state) wantp is true in a state – iff (boolean) var wantp has value true p4 is true iff the program counter is at p4 p4 is the command about to be executed Then pj is false for all j =/= 4 turn=2 is true iff integer var turn has value 2 not (p4 and q4) in alg 4.1, slide 4.1 Should be true in all states to ensure mutex

18
Mutex for Alg 4.1 Invariant Inv1: (p3 or p4 or p5) -> wantp – Base: p1, so antecedent is false, so Inv1 holds. – Step: Process q changes neither wantp nor Inv1. Neither p1 nor p3 nor p4 change Inv1. p2 makes both p3 and wantp true. p5 makes antecedent false, so keeps Inv1. So by induction, Inv1 is always true.

19
Mutex for Alg 4.1 (contd.) Invariant Inv2: wantp -> (p3 or p4 or p5) – Base: wantp is initialised to false, so Inv2 holds. – Step: Process q changes neither wantp nor Inv1. Neither p1 nor p3 nor p4 change Inv1. p2 makes both p3 and wantp true. p5 makes antecedent false, so keeps Inv1. So by induction, Inv2 is always true. Inv2 is the converse of Inv1. Combining the two, we have Inv3: wantp (p3 or p4 or p5) and wantq (q3 or q4 or q5)

20
Mutex for Alg 4.1 (concluded) Invariant Inv4: not (p4 and q4) – Base: p4 and q4 is false at the start. – Step: Only p3 or q3 can change Inv4. p3 is ”await (not wantq)”. But at q4, wantq is true by Inv3, so p3 cannot execute at q4. Similarly for q3. So we have mutex for Alg 4.1

21
Proof of Dekker’s Algorithm (outline) Invariant Inv2: (turn = 1) or (turn = 2) Invariant Inv3: wantp p3..5 or p8..10 Invariant Inv4: wantq q3..5 or q8..10 Mutex follows as for Algorithm 4.1 Will show neither p nor q starves – Effectively shows absence of livelock

22
Liveness via Progress Invariants can prove safety properties – Something good is always true – Something bad is always false But invariants cannot state liveness – Something good happens eventually Progress A to B – if we are in state A, we will progress to state B. Weak fairness assumed – to rule out trivial starvation because process never scheduled. – A scenario is weakly fair if B is continually enabled at state Ain scenario -> B will eventually appear in the scenario

23
Box and Diamond A request is eventually granted – For all t. req(t) -> exists t’. (t’ >= t) and grant(t’) – New operators indicate time relationship implicitly box (req -> diam grant) If ”successor state” is reflexive, – box A -> A (if it holds indefinitely, it holds now) – A -> diam A (if it holds now, it holds eventually) If ”successor state” is transitive, – box A -> box box A if not transitive, A might hold in the next state, but not beyond – diam diam A -> diam A

24
Progress in (non-)critical section Progress in critical section – box (p8 -> diam p9) – It is always true that if we are at p8, we will eventually progress to p9 Non-progress in non-critical section – diam (box p1) – It is possible that we will stay at p1 indefinitely

25
Progress through control statements For ”p1: if A then s” to progress to s, need – p1 and box A – p1 and A is not enough does not guarantee A holds by the time p1 is scheduled So in Dekker’s algorithm – p4 and box (turn = 2) -> diam p5 – But turn = 2 is not true forever! It doesn’t have to be. Only as long as p4.

26
Lemma 4.11 box wantp and box (turn = 1) -> diam box (not wantq) – If it is p’s turn, and it wants to enter its CS, q will eventually defer Note that at q1, wantq is always false – Both at init and on looping q will progress through q2..q5 and wait at q6 – Inv4: wantq q3..5 or q8..10 Implies box (not wantq) at q Lemma follows

27
Progress to CS in Dekker’s algorithm Suppose p2 and box (turn=2) – If p3 and not wantq then diam p8 – p2 and box (turn=2 and wantq) -> diam box p6 diam box (not wantp) – p6 and box (turn=2 and not wantp) -> diam q9 – p2 and box (turn=2) -> diam box (p6 and turn=1) – Lemma 4.11 now yields diam p8

28
waitC(cond) Append p to cond p.State <- blocked Monitor release

29
signalC(cond) If cond not empty q <- head of queue ready q

30
Correctness of semaphore See p 151 Exactly the same as fig 6.1 (s 6.4) Note that state diagrams simplify – Whole operations are atomic

31
Producer-consumer Alg 7.3 All interesting code gathered in monitor Very simple user code

32
Immediate resumption So signalling proc cannot again falsify cond – If signal is the last op, allow proc to leave? How? See protected objects Many other choices possible – Check what your language implements

33
Readers and writers Alg 7.4 Not hard to follow, but lots of detail – Readers check for no writers But also for no blocked writers – Gives blocked writers prioroty Cascaded release of blocked readers – But only until next writer shows up – No starvation for either reader or writer Shows up in long proof (sec 7.7, p 157) – Read at home!

34
Readers-writers invariants Readers exclude writers but not other readers Writers write alone Invariants R >= 0 and W >= 0 Theorem – (W R=0) and (R>0 -> W=0) – Monitor operations are atomic! Check each one. – Don’t forget to check the Signal operations

35
Readers progress i.e., Won’t block forever on OKtoRead Invariants (lemma) – Not empty(OKtoRead) -> (W ne 0) or not empty(OKtoWrite) – not empty(OKtoWrite) -> (R ne 0) or (W ne 0) not empty(OKtoRead)-> <> signalC(OKtoRead) – Case W ne 0 Writer progresses, executes the signalC(OKtoRead) – Case R ne 0 Last reader releases a writer, reduces to previous case

36
Exchange ex(a,b) = atomic{local t; t:=a; a:=b; b:=t} See slide 3.23, alg 3.12 Prove correct

37
Ex 2. 5 There is i such that f(i)=0. An algorithm is correct if for all scenarios, both processes terminate after one has found the zero. For each of algorithms A – E, starting with slide 2.40, either show the program correct or find a counterexample scenario.

38
Ex 7.2 See alg 7.4 (slides 7.9, 7.10, readers-writers with monitors). Replace int writers by a boolean writers>0 Thm 7.1 and 7.2 say R>=0, W>=0, R>0 -> W=0, and W=1 -> R=0 So W=0 or W=1 is invariant: can be replaced by boolean. Why does the book proof use integers?

39
Why arbitrary interleaving? Multitasking (2.8 is a picture of a context switch) – Context switches are quite expensive – Take place on time slice or I/O interrupt – Thousands of process instructions between switches – But where the cut falls depends on the run Runs of concurrent programs – Depend on exact timing of external events – Non-deterministic! Can’t debug the usual way! – Does different things each time!

40
Arbitrary interleaving (contd.) Multiprocessors (see 2.9) – If no contention between CPU’s True parallelism (looks like arbitrary interleaving) – Contention resolved arbitrarily Again, arbitrary interleaving is the safest assumption

41
But what is being interleaved? Unit of interleaving can be – Whole function calls? – High level statements? – Machine instructions? Larger units lead to easier proofs but make other processes wait unnecessarily We might want to change the units as we maintain the program Hence best to leave things unspecified

42
Why not rely on speed throughout? Don’t get into the train crash scenario – use speed and time throughout to design – everyday planning is often like this Particularly in older, simpler machines without sensors For people, we also add explicit synchronisation For our programs, the input can come from the keyboard or broadband – And the broadband gets faster every few months So allow arbitrary speeds

43
Atomic statements The thing that happens without interruption – Can be implemented as high priority Compare algorithms 2.3 and 2.4 Slides 2.12 to 2.17 – 2.3 can guarantee n=2 at the end – 2.4 cannot hardware folk say there is a ”race condition” We must say what the atomic statements are – In the book, assignments and boolean conditions – How to implement these as atomic?

44
Atomic statements The thing that happens without interruption – Can be implemented as high priority Compare algorithms 2.3 and 2.4 Slides 2.12 to 2.17 – 2.3 can guarantee n=2 at the end – 2.4 cannot hardware folk say there is a ”race condition” We must say what the atomic statements are – In the book, assignments and boolean conditions – How to implement these as atomic?

45
What are hardware atomic actions? Setting a register Testing a register Is that enough? Think about it (or cheat, and read Chap. 3)

46
The standard Concurrency model 1.What world are we living in, or choose to? a.Synchronous or asynchronous? b.Real-time? c.Distributed? 2.We choose an abstraction that a.Mimics enough of the real world to be useful b.Has nice properties (can build useful and good programs) c.Can be implemented correctly, preferably easily

47
Obey the rules you make! 1For almost all of this course, we assume single processor without real-time (so parallelism is only potential). 2Real life example where it is dangerous to make time assumptions when the system is designed on explicit synchronisation – the train 3And at least know the rules! (Therac).

48
Primitives and Machines We see this repeatedly in Computer Science – Whether for primitives or whole machines Recognise pattern in nature or in use Specify primitive or machine Figure out range of use and problems Figure out (efficient) implementation

49
CS problem for n processes See alg 6.3 (p 113, s 6.5) – The same algorithm works for n procs – The proofs for mutex and deadlock freedom work We never used special properties of binary sems – But starvation is now possible p and q can release each other and leave r blocked Exercise: If k is set to m initially, at most m processes can be in their CS’s.

50
Mergesort using semaphores See p 115, alg 6.5 (s 6.8) – The two halves can be sorted independently No need to synch – Merge, the third process, has to wait for both halves – Note semaphores initialised to 0 Signal precedes wait Done by process that did not do a wait – Not a CS problem, but a synchronisation one

51
Producer - consumer Yet another meaning of ”synchronous” – Buffer of 0 size Buffers can only even out transient delays – Average speed must be same for both Infinite buffer first. Means – Producer never waits – Only one semaphore needed – Need partial state diagram – Like mergesort, but signal in a loop See algs 6.6 and 6.7

52
Infinite buffer is correct Invariant – #sem = #buffer 0 initially Incremented by append-signal – Need more detail if this is not atomic Decremented by wait-take So cons cannot take from empty buffer Only cons waits – so no deadlock or starvation, since prod will always signal

53
Bounded buffer See alg 6.8 (p 119, s 6.12) – Two semaphores Cons waits if buffer empty Prod waits if buffer full – Each proc needs the other to release ”its” sem Different from CS problem – ”Split semaphores” – Invariant notEmpty + notFull = initially empty places

54
Different kinds of semaphores ”Strong semaphores” – use queue insteadof set of blocked procs No starvation Busy wait semaphores – No blocked processes, simply keep checking See book re problems about starvation – Simpler. Useful in multiprocessors where each proc has own CPU – The CPU can’t be used for anything else anyway Or if there is very little contention

56
Recap – state diagrams (Discrete) computation = states + transitions – Both sequential and concurrent Can two frogs move at the same time? – We use labelled or unlabelled transitions According to what we are modelling Chess games are recorded by transitions alone (moves) – States used occasionally for illustration or as checks Concurrent or sequential – Concurrent just has more states due to interleaving – But sort program sorts no matter which interleaving,

57
What is interleaved? Atomic statements The thing that happens without interruption – Can be implemented as high priority We must say what the atomic statements are – In the book, assignments and boolean conditions – How to implement these as atomic?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google