Concurrent

1
Concurrent DistributedProgramming

• Reasoning about correctness
• The mutual exclusion problem

Ed Brinksma
2
Objectives

• get a feeling for the complexity of concurrent
  programs
• learn to reason about concurrent programs
• first introduction to (linear) temporal logic
• understand the value of verification and model
  checking for concurrent programs

Exercise your brains!!!
3
Contents of this lecture

• Correctness of concurrent processes
• safety, liveness, fairness
• temporal logic
• proving correctness
• The mutual exclusion problem (again)
• proving mutual exclusion
• absence of deadlock
• non-starvation
• Dekkers algorithm

4
Contents of this lecture

• Correctness of concurrent processes
• safety, liveness, fairness
• temporal logic
• proving correctness
• The mutual exclusion problem (again)
• proving mutual exclusion
• absence of deadlock
• non-starvation
• Dekkers algorithm

5
Classical Correctness
? is a symbol for logical implication (if then
), also written as ? or ?

• Given a program Prog(a,b) with
• a a1,,an input variables
• b b1,,bn output variables
• P(a) an input or pre-condition
• Q(a,b) a termination or post-condition
• then we distinguish
• partial correctness
• (P(a) ? terminates (Prog(a,b))) ? Q(a,b)
• total correctness
• P(a) ? (terminates (Prog(a,b)) ? Q(a,b))

6
Example

• If SQRT is a program calculating the square root
  of a positive integer the two conditions become
• (a 0 ? terminates (SQRT(a,b))) ? b ?a
• a 0 ? (terminates (SQRT(a,b)) ? b ?a)
• What if termination is considered a system
  failure?

7
Correctness for concurrent programs

• Correctness is expressed as properties of
  (infinite) execution sequences of programs
• There are two classes of properties
• safety properties nothing bad happens,
• i.e. a (good) property holds everywhere in all
  execution sequences
• liveness properties something good happens
  eventually,
• i.e. a (good) property holds now or in a future
  state of all execution sequences.
  

8
Common safety properties

• Mutual exclusion
• different processes never access the same
  resource at the same time,
• example different print jobs will not use the
  same printing device at the same time
• Absence of deadlock
• a process never enters a state it cannot leave
• example circular dependency between processes,
  e.g. dining philosophers

9
Common liveness properties

• Safety properties can be fulfilled vacuously.
• e.g. a resource that is not accessed at all,
  will not violate the mutual exclusion property.
• In addition we need things like
• responsiveness eventually a resource is granted
• e.g. the printer will be assigned to a print job
• absence of starvation eventually each process is
  granted a resource
• e.g. to every print job a printer will be
  assigned

10
Fairness properties

• Fairness properties are needed to obtain
  liveness if there is contention for resources.
• Examples
• Weak fairness if a process continuously makes a
  request, it will be granted eventually
• Strong fairness if a process makes a request
  infinitely often, it will be granted eventually
• Implementation strategies
• Linear waiting if a process makes a request it
  will be granted before any other process is
  granted a request more that once
• FIFO (first-in first-out) if a process makes a
  request it will be granted before any later
  request by any process

11
Strong vs. weak fairness
P1 requests resource infinitely often
P1 requests resource continuously
When requests are checked at time t0,t1,t2,
resource is granted to P2 and not to P1, i.e.
incidental polling only supports weak fairness
12
Proving properties of execution sequences

• Execution sequences of concurrent processes are
  infinite sequences of execution states.
• Safety properties require that some (good)
  property holds at all states in all execution
  sequences.
• How can we prove properties of such infinite
  objects?

13
Inductive proofs

• We can adapt the standard technique of natural
  induction to execution sequences.
• Basis prove the desired property P for the
  initial state s0 of the program, i.e. P(s0).
• Inductive step assume that P holds in nth state
  sn of an execution sequences, i.e. P(sn)
  (inductive hypothesis), and prove that then it
  also must holds in all possible continuation
  states sn1, i.e. P(sn1).

14
Example
assume (X0 ? X1) holds before a1

• task body P1 is
• X Integer 0
• begin
• loop
• a1 X X1
• b1 X X-1
• end loop
• end P1

• task body P2 is
• Y Integer 0
• begin
• loop
• a2 Y Y1
• b2 Y Y-1
• end loop
• end P2

Problem !?
then (X1 ? X2) holds after a1
Can we prove that (X0 ? X1) is an invariant of
this program?
15
Solution
Prove something stronger, viz. the invariance of
Q (at(a1) ? X0) ? (at(b1) ? X1)

• Basis initially P1 is at(a1) and X0
• Induction suppose Q holds then by case analysis
  on the possible transitions
• a1?b1 we are at(a1) so by the induction
  hypothesis we know X0 it follows that after the
  assignment at(b1) and X1 is true, so Q holds.
• b1 ?a1 we are at(b1) so by the induction
  hypothesis we know X1 it follows that after the
  assignment at(a1) and X0 is true, so Q holds.
• a2?b2 and b2?a2 these transitions only affect
  the value of Y so if Q is true before the
  transition it will be true after.

16
Location predicates

• Many inductive formulas take the form
  at(location) ? variable value
• this formula holds whenever at(location) is not
  true. Why?
• so we only have to check that variablevalue when
  at(location) holds.

17
Complexity

• The induction step requires
• analysis of all cases of P1 all cases of P2
  i.e. 4 cases, not 8...

4 states
a1,a2
b1,a2
a1,b2
b1,b2
18
Liveness proofs

• For reasoning about liveness we extend our
  logical language with three operators from
  temporal logic
• ?P (always P)
• P holds now and in all future states of the
  computation
• ?P (eventually P)
• P holds now or in some future state of the
  computation

19
A bit more precisely

• Let s0,s1, , sn, be a computation sequence
• ?P holds in state si if and only if (iff)
  P holds in state sj for all j i.
• ?P holds in state si if and only if (iff)
  P holds in state sj for some j i.

20
In pictures
??P holds in all states !
21
Some new expressions

• ??P means eventually always P, i.e. after some
  finite time P will become and remain true.
• What does ??P mean?
• For every state there is a future state where P
  holds, i.e. infinitely often P .

P
P
P
P
22
Example

• at(a1) ? ?at(b1)
• If P1 is at(a1) then eventually P1 will arrive
  at(b1).
• Requires fairness to make sure that not only P2
  makes progress.
• Proof often requires inspection of the relevant
  process only.

23
Contents of this lecture

• Correctness of concurrent processes
• safety, liveness, fairness
• temporal logic
• proving correctness
• The mutual exclusion problem (again)
• proving mutual exclusion
• absence of deadlock
• non-starvation
• Dekkers algorithm

24
Contents of this lecture

• Correctness of concurrent processes
• safety, liveness, fairness
• temporal logic
• proving correctness
• The mutual exclusion problem (again)
• proving mutual exclusion
• absence of deadlock
• non-starvation
• Dekkers algorithm

25
The mutual exclusion problem

• N loop processes of the right-hand side format.
• Always at most one process in its critical
  section.
• Processes may halt only in their non-critical
  section.
• The solution must not cause deadlock.
• Processes must not starve.

• loop
• Non_Critical_Section
• Pre_Protocol
• Critical_Section
• Post_Protocol
• end loop

26
First attempt
Turn Integer range 1..2 1

• task body P1 is
• begin
• loop
• Non_Critical_Section_1
• loop exit when Turn 1
• end loop
• Critical_Section_1
• Turn 2
• end loop
• end P1

• task body P2 is
• begin
• loop
• Non_Critical_Section_2
• loop exit when Turn 2
• end loop
• Critical_Section_2
• Turn 1
• end loop
• end P2

27
Analysis

• This solution satisfies the mutual exclusion
  requirement.
• if P1 and P2 are in the CS then the Turn variable
  must have changed value without a process leaving
  its CS. Contradiction.
• The solution can cause deadlock.
• Suppose P2 halts in its non-critical section then
  P1 can only execute its CS once.

loop Non_Critical_Section_i loop exit when
Turn i end loop Critical_Section_i
Turn 3-i end loop
28
Second attempt
Ci0 iff Pi WILL enter its CS
C1,C2 Integer range 0..1 1
task body P1 is begin loop Non_Critical_Section
_1 loop exit when C2 1 end loop C1
0 Critical_Section_1 C1 1 end loop end
P1
task body P2 is begin loop Non_Critical_Section
_2 loop exit when C1 1 end loop C2
0 Critical_Section_2 C2 1 end loop end
P2
What was wrong with this solution?
29
Analysis

• P1 and P2 can be in their CS simultaneously
• P1 checks C2 and finds C21.
• P2 checks C1 and finds C11.
• P1 sets C1 to 0.
• P2 sets C2 to 0.
• P1 enters its CS.
• P2 enters its CS.

loop Non_Critical_Section_1 loop exit when
C2 1 end loop C1 0
Critical_Section_1 C1 1 end loop
30
Third attempt
IDEA move C10 and C20 to before the loop
tests
Ci0 iff Pi INTENDS to enter its CS
C1,C2 Integer range 0..1 1
task body P1 is begin loop Non_Critical_Section
_1 C1 0 loop exit when C2 1 end
loop Critical_Section_1 C1 1 end
loop end P1
task body P2 is begin loop Non_Critical_Section
_2 C2 0 loop exit when C1 1 end
loop Critical_Section_2 C2 1 end
loop end P2
31
Analysis

• The following formulas are invariants
• C10 iff at(c1)?at(d1)?at(e1)
• C20 iff at(c2)?at(d2)?at(e2)
• (at(d1) ? at(d2))
• 3. implies the mutual exclusion requirement

• loop
• ai Non_Critical_Section_i
• bi Ci 0
• ci loop exit when C3-i 1
• end loop
• di Critical_Section_i
• ei Ci 1
• end loop

32
Proofs
Q1 C10 iff at(c1)?at(d1)?at(e1)
C20 iff at(c2)?at(d2)?at(e2) follows by a
symmetrical argument!

• basis
• formula holds initially, C11 and at(a1)
• induction step
• b1?c1 C1 changes to 0, and at(c1) becomes
  true, so Q1 remains true
• e1?a1 C1 changes to 1, and at(a1) becomes
  true, so Q1 remains true
• other transitions do not leave location set
  c1,d1,e1 and do not change C1.

• loop
• a1 Non_Critical_Section_1
• b1 C1 0
• c1 loop exit when C3-i 1
• end loop
• d1 Critical_Section_1
• e1 C1 1
• end loop

33
Proofs
D (at(d1) ? at(d2))

• basis initially, at(a1) and at(a2), so D holds.
• induction step only
  relevant cases (why?)
• c2?d2 and at(d1) by Q1 we have at(d1) implies
  C10, but then the test for c2?d2 fails, and thus
  transition cannot occur.
• c1?d1 and at(d2) excluded by symmetrical
  argumentation.

• loop
• ai Non_Critical_Section_i
• bi Ci 0
• ci loop exit when C3-i 1
• end loop
• di Critical_Section_1
• ei Ci 1
• end loop

34
But, unfortunately

• loop
• ai Non_Critical_Section_i
• bi Ci 0
• ci loop exit when Ci 1
• end loop
• di Critical_Section_1
• ei Ci 1
• end loop

• The solution can cause deadlock
• P1 assigns 0 to C1
• P2 assigns 0 to C2
• P1 tests C2 and loops
• P2 test C1 and loops

35
Fourth attempt
C1,C2 Integer range 0..1 1
task body P1 is begin loop Non_Critical_Section
_1 C1 0 loop exit when C2 1 C1
1 C1 0 end loop Critical_Section_1
C1 1 end loop end P1
task body P2 is begin loop Non_Critical_Section
_2 C2 0 loop exit when C1 1 C2
1 C2 0 end loop Critical_Section_2
C2 1 end loop end P2
can cause starvation and deadlock see book
36
Dekkers algorithm
C1,C2 Integer range 0..1 1 Turn Integer
range 1..2 1
loop Non_Critical_Section_1 C1 0 i1
loop exit when C2 1 i2 if Turn 2 then
C1 1 i3 loop exit when Turn 1
end loop C1 0 end if
end loop Critical_Section_1 C1 1 Turn
2 end loop
37
Commitment 1
?C10 ? ?Turn1 ? ??C21

• loop
• Non_Critical_Section_2
• C2 0
• i1 loop exit when C1 1
• i2 if Turn 1 then
• C2 1
• i3 loop exit when Turn 2
• end loop
• C2 0
• end if
• end loop
• Critical_Section_2
• C2 1 Turn 1
• end loop

• Proof.
• Assume C10 and Turn1 always.
• Either P2 halts in its non-CS and C2 is always 1.
  
• Or P2 executes its pre-protocol and loops
  eternally at i3. From then on always C21.

38
Commitment 2
?C11 ? ?Turn2 ? ?Turn1
loop Non_Critical_Section_2 C2 0 i1
loop exit when C1 1 i2 if Turn 1 then
C2 1 i3 loop exit when Turn 2
end loop C2 0 end
if end loop Critical_Section_2 C2
1 Turn 1 end loop
Proof. Assume that P2 does not halt in its
non-CS (case left as exercise). Because C1 is
always 1 and Turn is always 2, P2 will enter and
leave its CS, and then set Turn to 1. So,
eventually Turn1.
39
Analysis

• Theorem. If P1 enters its pre-protocol, then
  eventually it will enter its critical section.

Proof. By contradiction assume that P1 does not
enter its CS.
40
Step 1
?Turn2 ???C11

• loop
• Non_Critical_Section_1
• C1 0
• i1 loop exit when C2 1
• i2 if Turn 2 then
• C1 1
• i3 loop exit when Turn 1
• end loop
• C1 0
• end if
• end loop
• Critical_Section_1
• C1 1 Turn 2
• end loop

• Proof. If P1 does not enter its CS it must stay
  indefinitely in its pre-protocol. Given that
  always Turn2 it will loop indefinitely at i3.
  But then C11 always after reaching i3.

41
Step 2
?Turn2 ??Turn1

• Proof. We have
• ?Turn2 ???C11 ? ?Turn2 (step 1)
• ?Turn2 ??(?C11 ? ?Turn2) (why?)
• ?Turn2 ???Turn1 (comm. 2)
• ?Turn2 ??Turn1 (why?)

42
Step 3
?Turn 2 ??Turn 1

• Proof. If not always Turn 2 then in some state
  Turn must assume another value, i.e. ?Turn ? 2.
  The only possibility is ?Turn 1.

43
Step 4
?Turn 1

• Proof. We have
• ?Turn2 ??Turn1 (step 2)
• ?Turn 2 ??Turn 1 (step 3)
• ?Turn 1 follows from 1. 2. by propositional
  logic.

44
Step 5
? ? Turn 1
loop Non_Critical_Section_1 C1 0 i1
loop exit when C2 1 i2 if Turn 2 then
C1 1 i3 loop exit when Turn 1
end loop C1 0 end
if end loop Critical_Section_1 C1
1 Turn 2 end loop

• Proof. Once we reach a state where Turn1, the
  only way Turn can change back to 2 is when P1
  enters and leaves its CS, which we assume is not
  the case. So Turn1 always from that state
  onwards, i.e. ? ? Turn 1.

45
Step 6
? ? (at(i1)?at(i2))
loop Non_Critical_Section_1 C1 0 i1
loop exit when C2 1 i2 if Turn 2 then
C1 1 i3 loop exit when Turn 1
end loop C1 0 end
if end loop Critical_Section_1 C1
1 Turn 2 end loop

• Proof. Once we reach a state where Turn1 always
  from that state onwards, and P1 does not enter
  its CS, this implies that it will loop
  indefinitely through locations i1 and i2.

46
Step 7
? ? C1 0
loop Non_Critical_Section_1 C1 0 i1
loop exit when C2 1 i2 if Turn 2 then
C1 1 i3 loop exit when Turn 1
end loop C1 0 end
if end loop Critical_Section_1 C1
1 Turn 2 end loop

• Proof. Once we reach a state that will loop
  indefinitely through locations i1 and i2, C1 can
  no longer change value. As C10 when reaching i1,
  it will remain 0 always.

47
Step 8
? ? C2 1

• Proof. We have
• ? ?Turn 1 (step 5)
• ? ?C1 0 (step 7)
• ?C10 ? ?Turn1 ? ??C21 (comm. 1)
• ? ? C2 1 follows from 1, 2 3 (how?)

48
Step 9
Contradiction
loop Non_Critical_Section_1 C1 0 i1
loop exit when C2 1 i2 if Turn 2 then
C1 1 i3 loop exit when Turn 1
end loop C1 0 end
if end loop Critical_Section_1 C1
1 Turn 2 end loop

• Proof. Once we reach a state where C21 always,
  we cannot loop indefinitely at i1 and i2 (step
  6), as we
• must leave the loop via the test C21.

49
Mutual exclusion for N processes

• Study the Bakery algorithm yourselves in the book
  (section 3.7).