Non-preemptive Semantics for Data-race-free Programs

Slides:



Advertisements
Similar presentations
While loops.
Advertisements

Models of Concurrency Manna, Pnueli.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Operating System Concepts and Techniques Lecture 12 Interprocess communication-1 M. Naghibzadeh Reference M. Naghibzadeh, Operating System Concepts and.
Nested Parallelism in Transactional Memory Kunal Agrawal, Jeremy T. Fineman and Jim Sukha MIT.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
Concurrency.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
C. Varela; Adapted w/permission from S. Haridi and P. Van Roy1 Declarative Computation Model Kernel language semantics Carlos Varela RPI Adapted with permission.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.
Defining Liveness by Bowen Alpern and Fred B. Schneider Presented by Joe Melnyk.
Hwajung Lee. Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA,
Hwajung Lee. Why do we need these? Don’t we already know a lot about programming? Well, you need to capture the notions of atomicity, non-determinism,
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
Chapter 1 Section 1 - Slide 1 Copyright © 2009 Pearson Education, Inc. AND.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
Week 9, Class 3: Java’s Happens-Before Memory Model (Slides used and skipped in class) SE-2811 Slide design: Dr. Mark L. Hornick Content: Dr. Hornick Errors:
Today Quiz not yet graded Final report requirements posted More on Multithreading Happens-Before in Java SE-2811 Slide design: Dr. Mark L. Hornick Content:
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Synchronization Questions answered in this lecture: Why is synchronization necessary? What are race conditions, critical sections, and atomic operations?
Internet Security CSCE 813 Communicating Sequential Processes.
Program Analysis and Verification Noam Rinetzky Lecture 2: Operational Semantics 1 Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik.
1 Interactive Computer Theorem Proving CS294-9 October 19, 2006 Adam Chlipala UC Berkeley Lecture 9: Beyond Primitive Recursion.
Kernel Synchronization David Ferry, Chris Gill CSE 522S - Advanced Operating Systems Washington University in St. Louis St. Louis, MO
Verifiable Programming Reason about imperative sequential programs such as Java Imperative program –defines state space defined by collection of typed.
Chapter 1 Logic and Proof.
Formal methods: Lecture
Model and complexity Many measures Space complexity Time complexity
Architecture Concept Documents
Points of condensation
Concurrency.
Atomic Operations in Hardware
Modeling Arithmetic, Computation, and Languages
3.5 Notes: Proving Lines Parallel
2008/10/22: Lecture 12 CMSC 104, Section 0101 John Y. Park
Hongjin Liang, Xinyu Feng & Ming Fu
Threads and Memory Models Hal Perkins Autumn 2011
Adapted from slides by Marty Stepp and Stuart Reges
Synchronization Memory Consistency
Spring 2017 Program Analysis and Verification Operational Semantics
CSCE 411 Design and Analysis of Algorithms
Progress of Concurrent Objects with Partial Methods
2008/10/22: Lecture 12 CMSC 104, Section 0101 John Y. Park
Programming Languages and Compilers (CS 421)
Information Security CS 526
Threads and Memory Models Hal Perkins Autumn 2009
Dr. Mustafa Cem Kasapbaşı
Shared Memory Consistency Models: A Tutorial
UMBC CMSC 104 – Section 01, Fall 2016
Instructor: Aaron Roth
Axiomatic Semantics Will consider axiomatic semantics (A.S.) of IMP:
Chapter8: Statement-Level Control Structures April 9, 2019
Lecture 2 The Art of Concurrency
More Loops Topics Counter-Controlled (Definite) Repetition
Functional Verification III
CSE 153 Design of Operating Systems Winter 19
More Loops Topics Counter-Controlled (Definite) Repetition
Program correctness Axiomatic semantics
More Loops Topics Counter-Controlled (Definite) Repetition
More Loops Topics Counter-Controlled (Definite) Repetition
Information Security CS 526
Programming Languages and Compilers (CS 421)
Problems with Locks Andrew Whitaker CSE451.
More Loops Topics Counter-Controlled (Definite) Repetition
More Loops Topics Counter-Controlled (Definite) Repetition
Don Porter Portions courtesy Emmett Witchel
Presentation transcript:

Non-preemptive Semantics for Data-race-free Programs Siyang Xiao(USTC),Hanru Jiang(USTC), Hongjin Liang(NJU),Xinyu Feng(NJU) ICTAC 2018, Stellenbosch, South Africa, Oct 19

Concurrent Program Thread 1 Thread 2 Thread 3 Shared States Parallel Threads Shared States Interleaving Semantics Called preemptive semantics in this talk

Concurrent Program Simple Example: 6 possible execution sequences 1 possible result (x,r1:42 y,r2:24) No shared variable No need to consider all interleaving

Concurrent Program 70 possible execution sequences z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2; 70 possible execution sequences 2 possible results ( final value of y is 24 or 66)

Concurrent Program Properly Synchronized x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2; Properly Synchronized Access to shared variable are inside critical regions

Data Race Free All access to shared variable are inside critical regions The program has no data race z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2;

Folklore Data-race-free (DRF) programs only need to consider interleaving at synchronization points

Intuition Code inside critical sections cannot be interrupted by other threads z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2;

Intuition Code outside critical sections has no influence on other threads z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2;

Intuition Only the boundaries of critical regions matter z = 0 Update the shared variables Interleaving allows other threads to access shared resources z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2;

Folklore Data-race-free (DRF) programs only need to consider interleaving at synchronization points Code inside critical sections cannot be interrupted by other threads Code outside critical sections has no influence on other threads Only the boundaries of critical sections matters

Non-Preemptive Semantics Only allow interleaving at certain points: Example: beginning & end of critical regions z = 0 x := 42; r1 := x; <z:=x ; r1:= z+1>; x:=x+r1; y := 24; r2 := y; <y:=z ; z:=z+1>; y:=y+r2;

Non-Preemptive Execution r1:=x; y:=24; r2:=y; x:42 y:24 z:0 r1:42 r2:24 x:42 y:24 z:42 r1:43 r2:24 x:42 y:0 z:1 r1:42 r2:24 x:42 y:0 z:0 r1:42 r2:0 x:42 y:24 z:1 r1:42 r2:24 x:85 y:24 z:42 r1:43 r2:24 x:0 y:0 z:0 r1:0 r2:0 <z:=x; r1:=z+1>; <y:=z; z:=z+1>; x:=x+r1; y:=y+r2;

Non-Preemptive Execution r1:=x; y:=24; r2:=y; x:42 y:0 z:42 r1:43 r2:0 x:42 y:66 z:42 r1:43 r2:24 x:42 y:24 z:42 r1:43 r2:24 x:42 y:0 z:0 r1:42 r2:0 x:42 y:42 z:43 r1:43 r2:24 x:85 y:66 z:42 r1:43 r2:24 x:0 y:0 z:0 r1:0 r2:0 <z:=x; r1:=z+1>; <y:=z; z:=z+1>; x:=x+r1; y:=y+r2;

Questions Can we further reduce the number of interleaving points? Is it necessary to consider interleaving at both boundaries of critical sections? I/O commands introduce observable effects. Will they affect the choice of interleaving points? How will non-termination, as a special effect, affect the choice of interleaving points?

Contributions Give answer to these questions, and present our non-preemptive semantics. Try to reduce the interleaving points as many as possible Prove it’s equivalent to preemptive semantics for DRF programs Propose a new notion of DRF (called NPDRF) based on non-preemptive semantics Prove it’s equal to DRF in preemptive semantics. We can reason about the behavior of data-race-free programs solely under our non-preemptive semantics

Question Can we further reduce the number of interleaving points? We may only consider interleaving at the end of critical regions.

Question Can we further reduce the number of interleaving points? We may only consider interleaving at the end of critical regions. But we cannot only consider interleaving at the beginning of critical sections.

Counterexample x = 0 <x:=1> ; while(true) skip; <r:=x> ; print(r); If we only allow interleaving at the beginning of critical sections, this program can only print 0. But in preemptive semantics, it can print 1

Non-preemptive Execution <r:=x> infinite loop print(r) Output: 0 No output

Preemptive Execution <x:=1> <r:=x> infinite loop print(r) Output 1

Question Can we further reduce the number of interleaving points? In our paper, we prove it is correct to only consider the end of critical regions as interleaving points.

Question I/O commands introduce new observable effects. Will they affect the choice of interleaving points? Yes. We need to take print command as a point for interleaving.

Example Possible result in preemptive execution: 1-2-0 1-0-2 0-1-2 If interleaving not allowed at print command Possible result: 1-2-0 0-1-2 print(1); print(2); print(0);

Further discussion What if we observe the output of each thread instead of the whole sequence? print(1); print(2); print(0); 1-2

Further discussion What if we observe the output of each thread instead of the whole sequence? Still need to allow interleaving at print command print(1); while(true) skip; print(0); while(true) skip; 1

Principle There must be at least one interleaving point between any two consecutive externally observable effects generated at runtime in the same thread Externally observable effects includes: Output Access of shared variables(inside critical region) Non-termination

Non-termination Non-termination plays an important role when choosing interleaving points print(1); while(true) skip; print(0); while(true) skip; x = 0 <x:=1> ; while(true) skip; <r:=x> ; print(r);

Non-termination Example: Print command after non-termination can never be executed, thus it cannot generate observable behavior No need for interleaving points print(1); while(true) skip; print(2); print(0); while(true) skip;

Our Non-preemptive Semantics Limits interleaving at such points: End of critical regions End of print step End of current thread

Justifying Our non-preemptive Semantics is equivalent to standard preemptive semantics. DRF programs behave the same under non-preemptive and preemptive semantics.

Equivalence of Semantics Theorem: DRF Programs should behave the same under preemptive semantics and non-preemptive semantics. We need to formally define program behaviors and DRF.

Program Behavior--Trace Program behavior is defined by the trace of output and other observable events Traces are co-inductively defined. They can be infinite. Traces can be empty.

Program Behavior--Trace print(1) print(0) print(2) 1 2 Done

Data Race Freedom If a program have no data race, then it is data-race-free. What is a data race?

Data Race Definition: Two threads making conflicting actions at the same time. We need to record the memory access(called footprints).

Footprint Footprint: Record of memory location Two parts: read & write Ex: [12]:=0 Write: [12]

Footprint Footprint: Record of memory location Two parts: read & write Ex: x:=[1] Read: [1] Write: x

Footprint Footprint: Record of memory location Two parts: read & write Only need to record shared resources Data race only concerns shared resources

Conflicting Footprints Two footprints have a same location in their write sets, or one’s read set and the other’s write sets. x:=[1] Read: [1] Write: x [1]:=12 Read: 𝜙 Write: [1]

Data Race Definition: How to predict a footprint? At interleaving points, the predicted footprints of any two threads are conflicting. How to predict a footprint?

Prediction P 𝛿 1 =({[1]},𝜙) x:=[1] [2]:=5; x:=x+1; [1]:=0 y:=y+1;

Prediction P x:=[1] [2]:=5; [1]:=0 x:=x+1; 𝛿 1 =({[1]},𝜙) 𝛿 2 =(𝜙,{[2]}) x:=[1] [2]:=5; 𝛿 3 =(𝜙,{[1]}) x:=x+1; [1]:=0 y:=y+1;

Prediction P x:=[1] [2]:=5; [1]:=0 x:=x+1; 𝛿 1 =({[1]},𝜙) 𝛿′=(𝜙,{ 1 ,[2]}) x:=x+1; [1]:=0 y:=y+1;

Prediction P RACE x:=[1] [2]:=5; [1]:=0 x:=x+1; 𝛿 1 =({[1]},𝜙) 𝛿′=(𝜙,{ 1 ,[2]}) x:=x+1; [1]:=0 y:=y+1;

Prediction Prediction must be made at interleaving points. To make the prediction executable

Counterexample Assume the initial value of [0] is 0. (A) (B) (C) Assume the initial value of [0] is 0. This program has no data race, because x can never be 42 and thread B can never write [1]. <[0]:=42; [0]:=0>; <x:=[0]; if(x=42) [1]:=42 else skip>; [1]:=0;

Counterexample (A) (B) (C) If we predict from here, where [0] is 42, we may predict a false race. <[0]:=42; [0]:=0>; <x:=[0]; if(x=42) [1]:=42 else skip>; [1]:=0;

Prediction Prediction must be made at interleaving points. To make the prediction executable Two predictions inside critical regions are never conflicting

Data Race 𝑡 1 and 𝑡 2 are two different threads 𝛿 1 and 𝛿 2 are the conflicting footprints (at least one not inside critical regions) 𝑊 𝑎 not inside critical regions 𝑊 1 𝑡 1 𝛿 1 𝑊 0 𝑊 𝑎 … 𝑡 2 𝛿 2 𝑊 2

Data Race Free If at any interleaving point, the program have no data race, then the program is data race free (DRF)

Equivalence of Semantics Theorem: DRF Programs should have the same trace under preemptive semantics and non-preemptive semantics. Any trace in preemptive execution can be found in non-preemptive execution

Data Race Freedom DRF is a property in preemptive semantics We need to consider all the interleaving If we consider DRF in non-preemptive, we may reduce the interleaving and consider solely under non-preemptive.

Non-Preemptive Prediction Prediction of execution must be made at such points The beginning of the program Interleaving points The end of critical regions The end of print command The end of current thread

Non-Preemptive Prediction Prediction must includes steps before critical regions Prediction from the last interleaving point to the racy statements Skip; <[0]:=42>; [0]:=1;

Non-Preemptive Data Race Predict at the beginning : 𝑡 1 and 𝑡 2 are two different threads 𝛿 1 and 𝛿 2 are the predicted conflicting footprints 𝑊 1 𝑡 1 𝑊 0 𝛿 1 𝑡 2 𝛿 2 𝑊 2

Non-Preemptive Data Race Predict at the interleaving points: 𝑊 𝑎 switches to 𝑊 𝑏 Then start the prediction at 𝑊 𝑏 𝑊 1 𝑡 1 𝑠𝑤 𝑊 0 𝑊 𝑎 𝑊 𝑏 𝛿 1 … 𝑡 2 𝛿 2 𝑊 2

Equivalence of Data Race Lemma: If a program has a data race in preemptive semantics, it also has a data race in non-preemptive semantics.

Equivalence of DRF Theorem: If a program has no data race in non- preemptive semantics, it also has no data race in preemptive semantics.

Conclusion Present our non-preemptive semantics. Prove DRF programs behave the same under preemptive and non-preemptive semantics. Propose a new notion of DRF (called NPDRF) based on non-preemptive semantics Prove it’s equal to DRF in preemptive semantics. We can reason about the behavior of data-race-free programs solely under our non-preemptive semantics

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.