Presentation is loading. Please wait.

Presentation is loading. Please wait.

Progress of Concurrent Objects with Partial Methods

Published byΦιλοκράτης Γιάνναρης Modified over 5 years ago

Similar presentations

Presentation on theme: "Progress of Concurrent Objects with Partial Methods"— Presentation transcript:

1 Progress of Concurrent Objects with Partial Methods
Hongjin Liang and Xinyu Feng Nanjing University & USTC

2  What are good locks? as objects with partial methods?
lock_acquire() { } lock_release() { as objects with partial methods? Safety & Functionality: linearizability Progress: Wait-freedom (WF) Lock-freedom (LF) Starvation-freedom (SF) Deadlock-freedom (DF) ... None applies!

3 Not all locks are equally good!

4 Example: Test-and-Set (TAS) locks
Tickets acq() { local succ; succ := false; while( ! succ ) { succ := cas(L, 0, 1); } rel() { L := 0; Unfair!

5 Example: Ticket locks Fair! Ticket locks Queue management in banks
acq() { local i; i := getAndInc( next ); while( i != serving ) {} ; } rel() { serving := serving + 1; } Fair! i Ticket locks Queue management in banks next serving

6 Not all locks are equally good!
How to distinguish them? What are the progress-aware abstractions?

7 Abstractions & Contextual Refinements
O ctxt A iff C. ObsBeh(C[O])  ObsBeh(C[A]) Contextual Refinement (CR): Is O as good as A, from C’s point of view?

8 Abstractions & Contextual Refinements
Abstraction for linearizable objects: atomic specs [Filipović et al. 2009] O lin. w.r.t. atomic A  O ctxt A Similar equiv. results hold for WF/LF/SF/DF objects: [Gotsman & Yang 2011; Liang et al. 2013, 2016] O lin. + progress P  O ctxt AP progress-aware abstractions for progress P P  {WF, LF, SF, DF}

9 Abstractions & Contextual Refinements
Abstraction for linearizable objects: atomic specs [Filipović et al. 2009] O lin. w.r.t. atomic A  O ctxt A Similar equiv. results hold for WF/LF/SF/DF objects: [Gotsman & Yang 2011; Liang et al. 2013, 2016] O lin. + progress P  O ctxt AP No known results for locks! or, in general, objects with partial methods O lin. + progress P  O ctxt AP ? ??

10 SF or DF? Depends on lock impl.!
Why is this bad? int cnt; inc() { acq(); cnt := cnt + 1; rel(); } Lock-based counter SF or DF? Depends on lock impl.! Compositional progress verification of lock-based objects? Redo the verification of acq() and rel() in different obj. [Liang & Feng 2016] No known results for locks! or, in general, objects with partial methods O lin. + progress P  O ctxt AP ? ??

11 Our contributions O lin. + progress P  O ctxt AP ? ??
P  {PSF/PDF} New prog. properties for obj. with partial methods Partial starvation-freedom (PSF) Partial deadlock-freedom (PDF) SF and DF are specializations of PSF and PDF

12 Our contributions O lin. + progress P  O ctxt AP ??
P  {PSF/PDF} New prog. properties for obj. with partial methods Abstractions to establish contextual refinements (CR)

13 Our contributions O lin. + progress P  O ctxt AP
P  {PSF/PDF} New prog. properties for obj. with partial methods Abstractions to establish contextual refinements (CR) Equivalence result (Abstraction Theorem)

14 Our contributions O lin. + progress P  O ctxt AP
P  {PSF/PDF} New prog. properties for obj. with partial methods Abstractions to establish contextual refinements (CR) Equivalence result (Abstraction Theorem) Program logic for Progress Reasoning Linearizability + PSF/PDF

15 New progress properties
Different impl exhibit different progress properties How to distinguish them?

16 New progress properties
TAS lock client: acq() { local succ; succ := false; while( ! succ ) { succ := cas(L, 0, 1); } rel() { L := 0; acq(); rel(); print(1); while(true){ } It may not print 1 (even with fair scheduling). Deadlock-freedom But there always exists a method call that returns, unless the lock is never released.

17 New progress properties
TAS lock client: acq() { local succ; succ := false; while( ! succ ) { succ := cas(L, 0, 1); } rel() { L := 0; acq(); rel(); print(1); while(true){ } It may not print 1 (even with fair scheduling). But there always exists a method call that returns, unless the lock is never released. Rule out non-termination caused by “bad” clients

18 New progress properties
May never terminate TAS lock client: acq() { local succ; succ := false; while( ! succ ) { succ := cas(L, 0, 1); } rel() { L := 0; acq(); rel(); while(true) skip; Should blame client instead of obj. But there always exists a method call that returns, unless the lock is never released. Rule out non-termination caused by “bad” clients

19 New progress properties
May never terminate TAS lock client: acq() { local succ; succ := false; while( ! succ ) { succ := cas(L, 0, 1); } rel() { L := 0; acq(); rel(); while(true) skip; Need to generalize this for all objects with partial methods Should blame client instead of obj. But there always exists a method call that returns, unless the lock is never released. Partial Deadlock-Freedom (PDF)

20 New progress properties
acq() { local i; i := getAndInc( next ); while( i != serving ) {} ; } rel() { serving := serving + 1; } client: acq(); rel(); print(1); while(true){ } Ticket lock It must print 1 under fair scheduling Starvation-freedom Every method must return (under fair scheduling), unless the lock is never released.

21 New progress properties
May never terminate acq() { local i; i := getAndInc( next ); while( i != serving ) {} ; } rel() { serving := serving + 1; } client: acq(); rel(); while(true) skip; Ticket lock Should blame client instead of obj. Rule out non-termination caused by “bad” clients Every method must return (under fair scheduling), unless the lock is never released.

22 New progress properties
May never terminate acq() { local i; i := getAndInc( next ); while( i != serving ) {} ; } rel() { serving := serving + 1; } client: acq(); rel(); while(true) skip; Ticket lock Should blame client instead of obj. Every method must return (under fair scheduling), unless the lock is never released. Partial Starvation-Freedom (PSF)

23 New progress properties
Different impl exhibit different progress properties PDF PSF

24 New progress properties
Different impl exhibit different progress properties What are the abstractions for locks?

25 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } If B is false, waits until B becomes true; otherwise executes C atomically It is called “disabled” / “enabled” if B is false/true. Atomic block <C> can be viewed as await(true) { C }

26 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } Spec for locks? ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; }

27 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } More generally: O lin. + progress P  O ctxt await(B) { C } ?? P  {PSF/PDF}

28 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } More generally: O lin. + progress P  O ctxt await(B) { C } P  {PSF/PDF} Atomic: to capture linearizability

29 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } More generally: O lin. + progress P  O ctxt await(B) { C } P  {PSF/PDF} Atomic: to capture linearizability Partial: to capture progress

30 Progress-aware abstractions for locks?
Atomic Partial Spec (APS): await(B) { C } Insufficient to serve as abstractions More generally: O lin. + progress P  O ctxt await(B) { C } P  {PSF/PDF} Atomic: to capture linearizability Partial: to capture progress

31 Atomic partial specs insufficient as abstractions
Problem #1: it is sensitive to fairness of scheduling e.g., strong fairness vs. weak fairness

32 Atomic partial specs insufficient as abstractions
Problem #1: it is sensitive to fairness of scheduling client: Atomic partial spec: acq(); rel(); print(1); while(true){ } ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; } Weak fairness It may not print 1 if left thread is always scheduled when await is disabled (lock unavailable)

33 Atomic partial specs insufficient as abstractions
Problem #1: it is sensitive to fairness of scheduling client: Atomic partial spec: acq(); rel(); print(1); while(true){ } ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; } Strong fairness: if the await block is enabled infinitely many times, the thread will be scheduled when await is enabled. It must print 1 with strong fairness

34 Atomic partial specs insufficient as abstractions
Compare it with other lock implementations: acq(); rel(); print(1); while(true){ } client: ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; } Atomic partial spec: TAS locks Ticket locks

35 Atomic partial specs insufficient as abstractions
Compare it with other lock implementations: acq(); rel(); print(1); while(true){ } client: Atomic partial spec: ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; } TAS locks Behaviors are the same under strong & weak fairness It may not print 1.

36 Consider the client behaviors with the three locks:
acq(); rel(); print(1); while(true){ } client: Atomic partial spec: ACQ(){ await(L=0){ L := 1 }; } REL() { L := 0; } TAS locks Ticket locks It must print 1 under strong/weak fairness

37 APS insufficient as abstractions
acq(); rel(); print(1); while(true){ } APS insufficient as abstractions Atomic partial spec Ticket lock TAS lock Strong fairness Must print 1 May not print 1 Weak fairness Problem #1: await blocks cannot be abstraction for the same impl. under different fairness

38 APS insufficient as abstractions
acq(); rel(); print(1); while(true){ } APS insufficient as abstractions PSF PDF Atomic partial spec Ticket lock TAS lock Strong fairness Must print 1 May not print 1 Weak fairness Problem #1: await blocks cannot be abstraction for the same impl. under different fairness Problem #2: await blocks cannot serve as abstraction for different implementations, which exhibit different progress

39 APS insufficient as abstractions
acq(); rel(); print(1); while(true){ } APS insufficient as abstractions PSF PDF Atomic partial spec Ticket lock TAS lock Strong fairness Must print 1 May not print 1 Weak fairness We need more than one abstraction! 2 progress (PSF vs. PDF) x 2 fairness (Strong vs. Weak) Can we systematically generate all of them?

40 Our solution Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs (APS) A ::= await(B){C} (Spec) S ::= … | A | S;S | S+S | … Extend spec lang. with atomic partial specs (APS): P--Wrapper : APS  Spec P  {PSF, PDF}  {Strong / Weak Fairness}

41 Our solution Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs O ctxt ?? Captures linearizability Simple & Intuitive But insufficient for CR P--Wrapper P  {PSF, PDF}  {Strong, Weak} await(B){C} Obj. Impl. O

42 Our solution Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs O ctxt P--Wrapper( await(B){ C } ) P--Wrapper P  {PSF, PDF}  {Strong, Weak} await(B){C} Obj. Impl. O

43 Code wrappers Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs P--Wrapper(await(B){C}) P  {PSF, PDF}  {Strong / Weak Fairness} PSF PDF Strong fairness ? Weak fairness

44 Code Wrappers PSF-sfair-wrapper(await(B){C}) = ? await(B){C} ? PSF PDF
Strong fairness ? Weak fairness

45 Code Wrappers PSF-wfair-wrapper(await(B){C}) = ?
needs more progress than await(B){C} under weak fairness PSF-wfair-wrapper(await(B){C}) = ? listid := listid ++ [(cid, ‘B’)]; await(B  cid = enhd(listid)){ C; listid := listid\cid; } a waiting queue PSF PDF Strong fairness ? Weak fairness

46 Code Wrappers PDF-wfair-wrapper(await(B){C}) = ?
await(B){C} provides more progress than needed (for PDF) PDF-wfair-wrapper(await(B){C}) = ? done: auxiliary Boolean var, initialized to false await(B  done){ C; done := true; }; done := false; await(done){ }; PSF PDF Strong fairness ? Weak fairness

47 Code wrappers in summary
PSF PDF Strong fairness Weak fairness

48 Our solution Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs O lin. + progress P  O ctxt P--Wrapper( await(B){ C } ) P--Wrapper P  {PSF, PDF}  {Strong, Weak} await(B){C} Obj. Impl. O

49 Our solution Code wrappers: syntactic transformations that turn await(B){C} to proper (possibly non-atomic) specs O lin. + progress P  O ctxt P--Wrapper( await(B){ C } ) P  {PSF, PDF}  {Strong, Weak} Abstraction Theorem to establish equiv. Justifies wrappers: abstractions NOT too weak Justifies P (PSF/PDF): implies CR

50 Extension of LiLi [Liang & Feng 2016] for SF & DF
Program logic Extension of LiLi [Liang & Feng 2016] for SF & DF {p} O : A D, R, G Program logic: (P, ) A ::= await(B){C} Soundness O lin. + progress P  O ctxt P--Wrapper( await(B){ C } ) P  {PSF, PDF}  {Strong, Weak} Allows us to verify linearizability and PSF/PDF

51 Conclusion Study progress of objects with partial methods
2 new progress properties: PSF & PDF 4 wrappers to generate abstractions for PSF/PDF objects under strongly/weakly fair scheduling Abstraction Theorem A new program logic for Linearizability + PSF / PDF O lin. + progress P  O ctxt P--Wrapper( await(B){C} ) P  {PSF, PDF}  {Strong, Weak}

52 Thank you!

Download ppt "Progress of Concurrent Objects with Partial Methods"

Similar presentations

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.

Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Models of Concurrency Manna, Pnueli.

Models of Concurrency Manna, Pnueli.
1 Chapter 4 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2014 Synchronization Algorithms and Concurrent Programming Synchronization.

1 Chapter 4 Synchronization Algorithms and Concurrent Programming Gadi Taubenfeld © 2014 Synchronization Algorithms and Concurrent Programming Synchronization.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.

Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.

Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 6: Process Synchronization.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.

Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.
Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.
Assignment – no class Wednesday All: watch the Google Techtalk “Getting C++ Threads Right” by Hans Boehm at the following link in place of Wednesday’s.

Assignment – no class Wednesday All: watch the Google Techtalk “Getting C++ Threads Right” by Hans Boehm at the following link in place of Wednesday’s.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

Similar presentations

Ads by Google