Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng.

Published byBuddy Atkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng."— Presentation transcript:

1 Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng

2 … push(7); x = pop(); … push(6); … Client code C How to prove O’s correctness (safety + liveness) Concurrent object O java.util.concurrent void push(int v) { … } … int pop() { … } under fair scheduling ?

3 Fair scheduling Every active thread gets eventually executed Why? Real-world setting is often fair, e.g. round-robin sched. Lock-based objects are correct only under fair sched.

4 Need to assume fair scheduling for correctness of lock-based objects Safety: linearizability Liveness: starvation-freedom / deadlock-freedom e.g. every (or some) thread trying to acquire the lock will eventually succeed inc() { local r; … // code to acquire lock L r := cnt; cnt := r + 1; // critical section … // code to release lock L } under fair scheduling T holds lock L none of other threads may get lock L unfair

5 Challenge in verifying lock-based objects Object impl takes advantage of fairness assumption complicated interdependencies among threads T’ releases the lock T’ is holding the lock fair sched T gets the lock ? Progress of T can rely on other threads’ helps which fairness ensures to happen.

6 Challenge: with fairness, progress of T can rely on other threads’ helps look out for circular reasoning (usually unsound in liveness proofs) x := 1; while (y = 1) {}; x := 0; y := 1; while (x = 1) {}; y := 0; T1T2 deadlock cycle

7 Our work Program logic for starvation-free objects ensure linearizability & starvation-freedom (SF) together e.g. counter with ticket lock, lock-coupling list, … [Ongoing] verifying deadlock-free objects unified with our logic for starvation-free objects fairness plays a more complicated role e.g. objects with TAS lock, lazy list (even with ticket lock), …

8 SF example: counter with ticket lock inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; // acquire lock r := cnt; cnt := r + 1; // critical section owner := i + 1; // release lock } the next available ticket currently being served

9 SF example: counter with ticket lock inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; // acquire lock r := cnt; cnt := r + 1; // critical section owner := i + 1; // release lock } 0123 T1: request lock T2: request lock T1: release lock T3: request lock owner next It’s SF, because: critical section is straight-line code threads waiting for the lock line up (num of threads ahead of T not increase)

10 No circular reasoning because threads’ dependences form an acyclic chain T will get lockT2 releases lock T2 gets lock fair sched T1 releases lock T1 gets lock fair sched Not depend on others! next owner 0123 TT2 T1

11 Our idea: definite action D T will get lockT2 releases lock T2 gets lock fair sched T1 releases lock T1 gets lock fair sched D D “definite” because: action D must eventually be finished (without relying on other threads) once D becomes “enabled”. Enable

12 DProgress for the D-chain T gets lockT2 releases lock T2 gets lockT1 releases lock T1 gets lock D D DProgress ( n, D, S, Q) iff starting from state S, after n number of Ds from env, current thread can eventually reach a “good” state satisfying Q state S Q (inductively defined over n ) current thread succeeds in acquiring lock

13 Key proof for ticket-lock example inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; r := cnt; cnt := r + 1; owner := i + 1; } T: increment owner T: its i equals owner D (1)Establish D : prove termination of critical section no matter what env does (2)Prove DProgress ( n, D, S, Q) by induction over n = (i - owner) Details of logic and example proofs are in draft paper.

14 Ongoing work: unify with verifying deadlock-free objects Example: counter with TAS lock inc() { local b, r; b := false; while( !b ) { b := cas(&L, 0, T); } r := cnt; cnt := r + 1; // critical section L := 0; } current thread ID DF: Some thread will succeed in acquiring the lock. It’s not SF: critical section is still straight-line code BUT, threads waiting for the lock do not line up (num of threads ahead of T could increase)

15 Ongoing work: unify with verifying deadlock-free objects T will get lockT1 releases lock T1 is holding lock D DProgress ( n, D, S, Q) breaks Q state S T2 will get lock T3 will get lock ? ? ? because progress of T can be delayed by other threads Solution: combined with token transfer? [Hoffmann et al. LICS’13]

16 More problems on modularity inc() { local r; lock(); r := cnt; cnt := r + 1; unlock(); } lock() { local i; i := getAndInc( next ); while( i != owner ) {} ; } unlock() { ; } Can we view “locks” as objects? Define “starvation-free” / “deadlock-free” locks?

17 Summary Verify lock-based objects under fair scheduling linearizability + starvation-freedom / deadlock-freedom problem: fairness assumption allows a thread to rely on other threads’ helps idea: definite action D & DProgress for the D-chain

Download ppt "Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng."

Similar presentations

Operating Systems Semaphores II

Operating Systems Semaphores II
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
Practice Session 7 Synchronization Liveness Deadlock Starvation Livelock Guarded Methods Model Thread Timing Busy Wait Sleep and Check Wait and Notify.

Practice Session 7 Synchronization Liveness Deadlock Starvation Livelock Guarded Methods Model Thread Timing Busy Wait Sleep and Check Wait and Notify.
Overview Assignment 8: hints Assignment 7: solution Deadlocks

Overview Assignment 8: hints Assignment 7: solution Deadlocks
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
Section 3. True/False Changing the order of semaphores’ operations in a program does not matter. False.

Section 3. True/False Changing the order of semaphores’ operations in a program does not matter. False.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
A Simple Critical Section Protocol There are N concurrent processes P 1,…,P N that share some data. A process accessing the shared data is said to execute.

A Simple Critical Section Protocol There are N concurrent processes P 1,…,P N that share some data. A process accessing the shared data is said to execute.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.

Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Previously… Processes –Process States –Context Switching –Process Queues Threads –Thread Mappings Scheduling –FCFS –SJF –Priority scheduling –Round Robin.

Previously… Processes –Process States –Context Switching –Process Queues Threads –Thread Mappings Scheduling –FCFS –SJF –Priority scheduling –Round Robin.
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 4: Mutual Exclusion.

Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 4: Mutual Exclusion.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.
Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.

Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.
SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.

SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.
Multi-Object Synchronization. Main Points Problems with synchronizing multiple objects Definition of deadlock – Circular waiting for resources Conditions.

Multi-Object Synchronization. Main Points Problems with synchronizing multiple objects Definition of deadlock – Circular waiting for resources Conditions.
1 CS 333 Introduction to Operating Systems Class 7 - Deadlock Jonathan Walpole Computer Science Portland State University.

1 CS 333 Introduction to Operating Systems Class 7 - Deadlock Jonathan Walpole Computer Science Portland State University.

Similar presentations

Ads by Google