Causal Atomicity: Correctness conditions for weak memory (PowerPoint PPT presentation)


SLIDE 1

Causal Atomicity: Correctness conditions for weak memory

Heike Wehrheim

Joint work with Simon Doherty, Brijesh Dongol, John Derrick Paderborn University Germany

SLIDE 2

Our interest

Proving correctness of algorithms allowing seemingly atomic access to shared state

  • concurrent data structures
  • software transactional memory

Correctness conditions:

  • linearizability
  • opacity

Heike Wehrheim - University of Paderborn 2

SLIDE 3

Proof technique

Proof of refinement: simulation, shown with an interactive verifier (KIV, Isabelle).

Refinement chain (diagram on the slide):

  STM implementation ⊑ Intermediate specification (TMS2) ⊑ Opacity

(each ⊑ shown via simulation)

SLIDE 4

Opacity & linearizability I

Defs based on histories:

  • Sequence of invocations and returns

Concurrent history h1: inv_t1(enq,3) inv_t2(deq) ret_t2(deq,3) ret_t1(enq)

Sequential history h2: inv_t1(enq,3) ret_t1(enq) inv_t2(deq) ret_t2(deq,3)

Real-time order: t1 <h2 t2 (return of t1 in history h before invocation of t2)

SLIDE 5

Opacity & linearizability II

Def.: Concurrent history hc is atomic if there exists a sequential legal history hs s.t.

  • 1. ∀ t: hc|t = hs|t (preservation of thread events and thread order)
  • 2. <hc ⊆ <hs (preservation of real-time order)

legal = adheres to the semantics of the object (Enq(4) Deq(?) – not legal, Enq(4) Deq(4) – legal)

i.e. linearizable, resp. opaque

SLIDE 6

Question

What correctness condition should be used when executions are not histories but partial orders, e.g. under a weak memory model (happens-before relation)?

SLIDE 7

Example

History:

inv(TMWr(x,0)) ret(TMWr) inv(TMWr(x,42)) ret(TMWr) inv(TMRd(x)) ret(TMRd(x,0))

Not atomic: every sequential history preserving this real-time order lets the read of x return 0 although the last preceding write stored 42, which is not legal. (TMWr – transactional memory write, TMRd – transactional memory read)

But as a partial order (slide diagram: TMWr(x,0), TMWr(x,42) and TMRd(x,0) only partially ordered): OK!

SLIDE 8

PO-atomicity

Def.: Partial order hc is po-atomic if there exists a sequential legal history hs s.t.

  • 1. ∀ t: hc|t = hs|t (preservation of thread events and thread order)
  • 2. <po ⊆ <hs (preservation of partial order)

(Slide diagram: the partial order over TMWr(x,0), TMWr(x,42), TMRd(x,0) from the previous slide is po-atomic; the witnessing sequential history hs is drawn next to it.)

SLIDE 9

Compositionality

Clients using more than one such concurrent object.

Objective: individual accesses po-atomic iff combined accesses po-atomic.

Fails to hold:

(Slide diagram: Thread1 performs TMRd(x,42) and Deq(?), Thread2 performs Enq(11) and TMWr(x,42); the conflicting pairs TMRd/TMWr and Deq/Enq are marked #.)

SLIDE 10

Conflicts

Conflicts between actions: # = {(a,a′) | ∃ w1,w2: w1 a a′ w2 is legal, w1 a′ a w2 is not legal}

Orderings between conflicting actions cannot be arbitrarily chosen.

SLIDE 11

Execution structures

Def.: [Lamport, 1986] Execution structure (E, →, ⇢) with

  • E: finite set of events
  • → ⊆ E × E „precedes“
  • ⇢ ⊆ E × E „communicates with“, „affects“
  • A1. → is an irreflexive partial order
  • A2. e1 → e2 implies e1 ⇢ e2 and not (e2 ⇢ e1)
  • A3. e1 → e2 ⇢ e3 or e1 ⇢ e2 → e3 implies e1 ⇢ e3
  • A4. e1 → e2 ⇢ e3 → e4 implies e1 → e4

SLIDE 12

Non-atomicity and !

e → e′ iff ∀ f ∈ π(e), ∀ f′ ∈ π(e′): f <hb f′ („happens-before“)

(Slide diagram: π maps each abstract event e to its set of events in the implementation execution; e → e′ requires every event of e to happen before every event of e′.)

SLIDE 13

Non-atomicity and Ã

e ⇢ e′ iff ∃ f ∈ π(e), ∃ f′ ∈ π(e′): f <hb f′ („happens-before“)

(Slide diagram: as on the previous slide, π maps abstract events to implementation events; a single happens-before edge from some event of e to some event of e′ already yields e ⇢ e′.)

SLIDE 14

Causal atomicity

Def.: Execution structure (E, →, ⇢) is causally atomic if there exists a sequential legal history hs s.t.

  • 1. events(hs) = E
  • 2. → ⊆ <hs (preservation of partial order)
  • 3. e1 <hs e2 and e1 # e2 implies e1 ⇢ e2

SLIDE 15

Back to example

Individual accesses are not causally atomic:

Queue part: Deq(?) <hs Enq(11) and Enq(11) # Deq(?) ⇒ Deq(?) ⇢ Enq(11) (by condition 3)

Similarly, we need: TMWr(x,42) ⇢ TMRd(x,42)

With these ⇢ edges added to the → edges of the diagram, Lamport's axioms can no longer all hold: there is no proper execution structure anymore.

(Slide diagram: the same picture as on slide 9, with the conflicting pairs TMRd/TMWr and Deq/Enq marked #.)

SLIDE 16

Result

Causal atomicity is compositional:

Theorem. Let E be an execution structure over concurrent objects Oi, 1 ≤ i ≤ n, and let Ei be its restriction to the events of Oi. Then ∀ i: Ei causally atomic iff E causally atomic.

SLIDE 17

Causal atomicity vs linearizability

Concurrent history hc to execution structure exec(hc)

  • e → e′ if ret(e) <hc inv(e′)
  • e ⇢ e′ if inv(e) <hc ret(e′)

Theorem. hc linearizable iff exec(hc) causally atomic

(Slide diagram: interval pictures of e and e′ illustrating the two definitions.)
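The definitions on slides 5, 10, 11, 14 and 17 are all finite and can be checked by brute force on small examples. The following is an added example, not code from the talk or its authors: a Python checker for legality, the conflict relation #, Lamport's axioms A1–A4, causal atomicity, exec(hc) and linearizability, run on h1 of slide 4, on a constructed non-linearizable history, and on the queue/TM example of slides 9 and 15. The event ids, the tuple encoding of operations, the modelling of Deq(?) as a dequeue returning None, and the choice of program order as the → edges of the slide-15 example are assumptions of this example.

```python
"""Brute-force checkers for the correctness conditions of slides 5, 14, 15 and 17.
Added example, not code from the talk.  Objects as on the slides: a FIFO queue
(obj "q", ops enq/deq; deq of None stands for Deq(?) on the empty queue) and a
transactional-memory variable (obj "tm", ops wr/rd).  Event ids, encodings and
the sample histories below are constructed for illustration."""
from itertools import permutations


def legal(seq):
    """A sequential history (list of (obj, op, val)) is legal iff it follows the
    object semantics: FIFO order for the queue, reads return the last write for tm."""
    queue, reg = [], {}
    for obj, op, val in seq:
        if obj == "q" and op == "enq":
            queue.append(val)
        elif obj == "q" and op == "deq":
            got = queue.pop(0) if queue else None
            if got != val:
                return False
        elif obj == "tm" and op == "wr":
            reg[val[0]] = val[1]
        elif obj == "tm" and op == "rd":
            if reg.get(val[0]) != val[1]:
                return False
    return True


def conflict(a, b, pool):
    """a # b (slide 10): some context w1 a b w2 is legal while w1 b a w2 is not.
    Contexts are searched over the empty word and single operations from pool."""
    contexts = [()] + [(c,) for c in pool]
    return any(legal([*w1, a, b, *w2]) and not legal([*w1, b, a, *w2])
               for w1 in contexts for w2 in contexts)


def is_exec_structure(E, prec, comm):
    """Lamport's axioms A1-A4 (slide 11); prec is ->, comm is ~>, sets of id pairs."""
    a1 = (all((e, e) not in prec for e in E)
          and all((a, c) in prec for (a, b) in prec for (b2, c) in prec if b == b2))
    a2 = all((a, b) in comm and (b, a) not in comm for (a, b) in prec)
    a3 = (all((a, c) in comm for (a, b) in prec for (b2, c) in comm if b == b2)
          and all((a, c) in comm for (a, b) in comm for (b2, c) in prec if b == b2))
    a4 = all((a, d) in prec
             for (a, b) in prec for (b2, c) in comm if b == b2
             for (c2, d) in prec if c == c2)
    return a1 and a2 and a3 and a4


def causally_atomic(E, prec, comm):
    """Slide 14: a sequential legal history hs over E (dict id -> op) that contains
    -> and in which <hs-ordered conflicting events communicate, or None."""
    ids, pool = list(E), list(E.values())
    for hs in permutations(ids):                    # 1. events(hs) = E
        pos = {e: i for i, e in enumerate(hs)}
        if not legal([E[e] for e in hs]):
            continue                                # hs must be legal
        if any(pos[a] > pos[b] for (a, b) in prec):
            continue                                # 2. -> included in <hs
        if all((a, b) in comm for a in ids for b in ids
               if pos[a] < pos[b] and conflict(E[a], E[b], pool)):
            return hs                               # 3. e1 <hs e2 and e1 # e2 implies e1 ~> e2
    return None


def exec_structure(hc, E):
    """Slide 17: exec(hc) for a concurrent history given as a list of ("inv"|"ret", id)."""
    t = {ev: i for i, ev in enumerate(hc)}
    prec = {(a, b) for a in E for b in E if t[("ret", a)] < t[("inv", b)]}
    comm = {(a, b) for a in E for b in E if t[("inv", a)] < t[("ret", b)]}
    return prec, comm


def linearizable(hc, E):
    """Slide 5: legal hs preserving thread order and real-time order.  With one
    inv/ret pair per event, a thread's own order is part of the real-time order,
    so preserving the latter (condition 2) already gives condition 1."""
    prec, _ = exec_structure(hc, E)
    for hs in permutations(list(E)):
        pos = {e: i for i, e in enumerate(hs)}
        if legal([E[e] for e in hs]) and all(pos[a] < pos[b] for (a, b) in prec):
            return hs
    return None


# Slide 4's h1: t1 enqueues 3 while t2 dequeues and obtains 3 (ids e, d constructed).
E1 = {"e": ("q", "enq", 3), "d": ("q", "deq", 3)}
H1 = [("inv", "e"), ("inv", "d"), ("ret", "d"), ("ret", "e")]
# Constructed non-linearizable variant: the enqueue completes, then a dequeue finds the queue empty.
E3 = {"e": ("q", "enq", 3), "d": ("q", "deq", None)}
H3 = [("inv", "e"), ("ret", "e"), ("inv", "d"), ("ret", "d")]

# Slides 9/15: Thread1 TMRd(x,42) then Deq(?), Thread2 Enq(11) then TMWr(x,42).
# -> is taken to be program order (assumption); ~> is the minimum axiom A2 demands.
E15 = {"r": ("tm", "rd", ("x", 42)), "d": ("q", "deq", None),
       "e": ("q", "enq", 11), "w": ("tm", "wr", ("x", 42))}
PREC15 = {("r", "d"), ("e", "w")}
COMM15 = set(PREC15)

if __name__ == "__main__":
    for hc, E in ((H1, E1), (H3, E3)):
        assert (linearizable(hc, E) is None) == (causally_atomic(E, *exec_structure(hc, E)) is None)
    print("slide 17 theorem agrees on both histories")
    print("combined accesses causally atomic:", causally_atomic(E15, PREC15, COMM15))
    print("queue part alone:", causally_atomic({k: E15[k] for k in ("d", "e")}, set(), set()))
    print("still an execution structure after adding the two ~> edges:",
          is_exec_structure(E15, PREC15, COMM15 | {("d", "e"), ("w", "r")}))
```

Running the script reproduces the argument of slides 15 and 17: h1 is linearizable and exec(h1) is causally atomic, the constructed history is neither; for the slide-15 example neither the combined accesses nor the queue part alone are causally atomic, and adding the two ⇢ edges that condition 3 would demand makes axiom A3 fail, so no execution structure remains.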

SLIDE 18

Proof technique (in progress)

Proof of execution structure refinement (diagram on the slide):

  STM implementation ⊑ Intermediate specification (CTMS) ⊑ Causal Atomicity

(the implementation and the intermediate specification are each given as a library; each ⊑ shown via simulation)

SLIDE 19

Summary

New correctness condition for concurrent objects

  • Compositional
  • Adequate for weak memory models
