Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick, Alastair Armstrong Paderborn University Germany
Access to shared state I Software transactional memory (STM) Synchronization of parallel processes accessing shared state T1: TMBegin; TMRd(x,0); TMWr(z,4); TMWr(y,3); TMEnd; T2: TMBegin; TMRd(z,4); TMWr(x,42); TMEnd Lots of algorithms Correctness condition: opacity [Guerraoui&Kapalka, 2008] Transactions: “all-or-nothing”, “atomic” Heike Wehrheim - University of Paderborn 2
Example: Transactional mutex lock Lock: Even – open Init: glb = 0; Odd - closed TMBegin: TMEnd: B1 do loc:= glb; E1 if (loc odd) B2 while (loc odd); E2 glb++; B3 return ok; E3 return commit; TMRead(addr): TMWrite(addr,val): R1 tmp:= &addr; W1 if (loc even) R2 if (glb = loc) W2 if (! CAS (glb,loc,loc+1)) R3 return tmp; W3 return abort; R4 else return abort; W4 else loc++; W5 addr:= val; [Dallessandro et al.,2010] W6 return ok; Heike Wehrheim - University of Paderborn 3
Access to shared state II Concurrent data structures Synchronization of parallel processes accessing shared data structures (queues, sets, stacks, …) T1: inv(enq,4); ret(enq); inv(enq,42); ret(enq); T2: inv(deq); ret(deq,4); Lots of algorithms Correctness condition: linearizability [Herlihy&Wing, 1990] Operations: “instantaneously”, “atomic” Heike Wehrheim - University of Paderborn 4
Opacity & linearizability I Defs based on histories: Sequence of invocations and returns Concurrent history: inv t1 (enq,3) inv t2 (deq) ret t2 (deq,3) ret t1 (enq) Sequential history: inv t1 (enq,3) ret t1 (enq) inv t2 (deq) ret t2 (deq,3) Real-time order t 1 < h t 2 : ret of t 1 in history h before inv of t 2 Heike Wehrheim - University of Paderborn 5
Opacity & linearizability II Def.: Concurrent history hc atomic if there exists sequential legal history hs s.t. 1. 8 t: hc| t = hs| t (preservation of thread events and order) 2. < hc µ < hs (preservation of real-time order) legal = adheres to semantics of object ( Enq(4) Deq( ? ) – not legal, Enq(4) Deq(4) – legal) Heike Wehrheim - University of Paderborn 6
Proving opacity of STMs Showing refinement Spec (TMS2) v Impl (algorithm) TMS2 & algorithm given as IO-automata v is data refinement (trace inclusion) TMS2 proven to only produce opaque behaviour proof via forward simulation: abstraction relation, invariants, simulation steps Heike Wehrheim - University of Paderborn 7
Our work so far Proving correctness of concurrent data structures and STMs (via forward and backward simulation) Supported by interactive provers (KIV, Isabelle) What about weak memory models? Maybe not the right correctness condition? Heike Wehrheim - University of Paderborn 8
Example History: inv(TMWr(x,0)) ret(TMWr) inv(TMWr(x,42)) ret(TMWr) inv(TMRd(x)) ret(TMRd(x,0)) Not atomic Partial Order: TMWr(x,42) TMWr(x,0) TMRd(x,0) Weak memory models: „happens-before“ (hb) e.g. C11: program order + synchronizes-with order Heike Wehrheim - University of Paderborn 9
PO-atomicity Def.: Partial order hc po-atomic if there exists sequential legal history hs s.t. 1. 8 t: hc | t = hs | t (preservation of thread events and order) 2. < po µ < hs (preservation of partial order) po- atomic TMWr(x,42) TMWr(x,0) TMRd(x,0) Heike Wehrheim - University of Paderborn 10
Compositionality Clients using more than one such concurrent object Objective: Individual accesses po-atomic iff combined accesses po-atomic Fails to hold: Conflict # Deq( ? ) Thread1: TMRd(x,42) # # Thread2: Enq(11) TMWr(x,42) Heike Wehrheim - University of Paderborn 11
Conflicts Conflicts between actions # = {(a,a´) j 9 w 1 ,w 2 : w 1 aa´w 2 is legal, w 1 a´aw 2 is not legal } Orderings between conflicting actions cannot be arbitrarily chosen Heike Wehrheim - University of Paderborn 12
Execution structures Def.: [Lamport, 1986] Execution structure (E, ! , Ã ) with E: finite set of events ! µ E £ E „precedes“ Ã µ E £ E „communicates with“, „affects“ A1. ! irreflexive partial order A2. e 1 ! e 2 implies e 1 Ã e 2 and e 2 Ã e 1 A3. e 1 ! e 2 Ã e 3 or e 1 Ã e 2 ! e 3 implies e 1 Ã e 3 A4. e 1 ! e 2 Ã e 3 ! e 4 implies e 1 ! e 4 Heike Wehrheim - University of Paderborn 13
Non-atomicity and ! e ! e´ iff 8 f 2 ¹ (e), 8 f´ 2 ¹ (e´): f < hb f´ ¹ ¹ Impl. execution „happens-before“ Heike Wehrheim - University of Paderborn 14
Non-atomicity and à e ! e´ iff 9 f 2 ¹ (e), 9 f´ 2 ¹ (e´): f < hb f´ à ¹ ¹ Impl. execution „happens-before“ Heike Wehrheim - University of Paderborn 15
Causal atomicity Def. Execution structure (E, ! , Ã ) is causally atomic if there exists sequential legal history hs s.t. 1. events( hs ) = E 2. ! µ < hs (preservation of partial order) 3. e 1 < hs e 2 and e 1 # e 2 implies e 1 Ã e 2 Heike Wehrheim - University of Paderborn 16
Result Causal atomicity is compositional: Theorem. E execution structure over concurrent objects O i , 1 · i · n 8 i: E i causally atomic iff E causally atomic Heike Wehrheim - University of Paderborn 17
Causal atomicity vs linearizability Concurrent history hc to execution structure exec(hc) e ! e´ if ret(e) < hc inv(e´) e e´ e à e´ if inv(e) < hc ret(e´) e e e´ e´ Theorem. hc linearizable iff exec(hc) causally atomic Heike Wehrheim - University of Paderborn 18
Summary New correctness condition for concurrent objects Compositional Captures effects of weak memory Open problems: Abstraction theorem for causal atomicity Proof technique for causal atomicity Heike Wehrheim - University of Paderborn 19
Recommend
More recommend
