Causal Atomicity Heike Wehrheim Joint work with Simon Doherty, - - PowerPoint PPT Presentation

Causal Atomicity

Heike Wehrheim

Joint work with Simon Doherty, Brijesh Dongol, John Derrick, Alastair Armstrong Paderborn University Germany

Access to shared state I

Software transactional memory (STM)

• Synchronization of parallel processes accessing

shared state

T1: TMBegin; TMRd(x,0); TMWr(z,4); TMWr(y,3); TMEnd; T2: TMBegin; TMRd(z,4); TMWr(x,42); TMEnd

• Lots of algorithms
• Correctness condition: opacity

[Guerraoui&Kapalka, 2008] Transactions: “all-or-nothing”, “atomic”

Heike Wehrheim - University of Paderborn 2

Example: Transactional mutex lock

Init: glb = 0; TMBegin: TMEnd: B1 do loc:= glb; E1 if (loc odd) B2 while (loc odd); E2 glb++; B3 return ok; E3 return commit; TMRead(addr): TMWrite(addr,val): R1 tmp:= &addr; W1 if (loc even) R2 if (glb = loc) W2 if (! CAS (glb,loc,loc+1)) R3 return tmp; W3 return abort; R4 else return abort; W4 else loc++; W5 addr:= val;

[Dallessandro et al.,2010] W6 return ok;

Heike Wehrheim - University of Paderborn 3

Lock: Even – open Odd - closed

Access to shared state II

Concurrent data structures

• Synchronization of parallel processes accessing

shared data structures (queues, sets, stacks, …)

T1: inv(enq,4); ret(enq); inv(enq,42); ret(enq); T2: inv(deq); ret(deq,4);

• Lots of algorithms
• Correctness condition: linearizability

[Herlihy&Wing, 1990] Operations: “instantaneously”, “atomic”

Heike Wehrheim - University of Paderborn 4

Opacity & linearizability I

Defs based on histories:

• Sequence of invocations and returns

Concurrent history: invt1(enq,3) invt2(deq) rett2(deq,3) rett1(enq) Sequential history: invt1(enq,3) rett1(enq) invt2(deq) rett2(deq,3) Real-time order t1 <h t2: ret of t1 in history h before inv of t2

Heike Wehrheim - University of Paderborn 5

Opacity & linearizability II

Def.: Concurrent history hc atomic if there exists sequential legal history hs s.t. 1. 8 t: hc|t = hs|t (preservation of thread events and order)

• 2. <hc µ <hs

(preservation of real-time order) legal = adheres to semantics of object ( Enq(4) Deq(?) – not legal, Enq(4) Deq(4) – legal)

Heike Wehrheim - University of Paderborn 6

Proving opacity of STMs

Showing refinement Spec (TMS2) Impl (algorithm) TMS2 & algorithm given as IO-automata v is data refinement (trace inclusion) TMS2 proven to only produce opaque behaviour proof via forward simulation:

• abstraction relation, invariants, simulation steps

Heike Wehrheim - University of Paderborn 7

v

Our work so far

• Proving correctness of concurrent data structures

and STMs (via forward and backward simulation)

• Supported by interactive provers (KIV, Isabelle)

What about weak memory models? Maybe not the right correctness condition?

Heike Wehrheim - University of Paderborn 8

History:

inv(TMWr(x,0)) ret(TMWr) inv(TMWr(x,42)) ret(TMWr) inv(TMRd(x)) ret(TMRd(x,0))

Partial Order:

Weak memory models: „happens-before“ (hb) e.g. C11: program order + synchronizes-with order

Example

Heike Wehrheim - University of Paderborn 9

TMWr(x,0) TMWr(x,42) TMRd(x,0) Not atomic

PO-atomicity

Def.: Partial order hc po-atomic if there exists sequential legal history hs s.t. 1. 8 t: hc|t = hs|t (preservation of thread events and order)

• 2. <po µ <hs

(preservation of partial order)

Heike Wehrheim - University of Paderborn 10

TMWr(x,0) TMWr(x,42) TMRd(x,0) po- atomic

Compositionality

Clients using more than one such concurrent object Objective: Individual accesses po-atomic iff combined accesses po-atomic Fails to hold:

Heike Wehrheim - University of Paderborn 11

TMRd(x,42) Deq(?) Enq(11) TMWr(x,42) Thread1: Thread2: # # Conflict #

Conflicts

Conflicts between actions # = {(a,a´) j 9 w1,w2: w1aa´w2 is legal, w1a´aw2 is not legal } Orderings between conflicting actions cannot be arbitrarily chosen

Heike Wehrheim - University of Paderborn 12

Execution structures

Def.: [Lamport, 1986] Execution structure (E,!,Ã) with

• E: finite set of events
• ! µ E £ E „precedes“
• Ã µ E £ E „communicates with“, „affects“
• A1. ! irreflexive partial order
• A2. e1 ! e2 implies e1 Ã e2 and e2 Ã e1
• A3. e1 ! e2 Ã e3 or e1 Ã e2 ! e3 implies e1 Ã e3
• A4. e1 ! e2 Ã e3 ! e4 implies e1 ! e4

Heike Wehrheim - University of Paderborn 13

Non-atomicity and !

e ! e´ iff 8 f 2 ¹(e), 8 f´2 ¹(e´): f <hb f´ „happens-before“

Heike Wehrheim - University of Paderborn 14

¹ ¹ Impl. execution

Non-atomicity and Ã

e ! e´ iff 9 f 2 ¹(e),9 f´2 ¹(e´): f <hb f´ „happens-before“

Heike Wehrheim - University of Paderborn 15

¹ ¹ Impl. execution

Ã

Causal atomicity

Def. Execution structure (E,!,Ã) is causally atomic if there exists sequential legal history hs s.t. 1. events(hs) = E 2. ! µ <hs (preservation of partial order)

• 3. e1 <hs e2 and e1 # e2 implies e1 Ã e2

Heike Wehrheim - University of Paderborn 16

Result

Causal atomicity is compositional: Theorem. E execution structure over concurrent objects Oi, 1 · i · n 8 i: Ei causally atomic iff E causally atomic

Heike Wehrheim - University of Paderborn 17

Causal atomicity vs linearizability

Concurrent history hc to execution structure exec(hc)

• e ! e´ if ret(e) <hc inv(e´)
• e à e´ if inv(e) <hc ret(e´)

Theorem. hc linearizable iff exec(hc) causally atomic

Heike Wehrheim - University of Paderborn 18

e e´ e e´ e e´

Summary

New correctness condition for concurrent objects

• Compositional
• Captures effects of weak memory

Open problems:

• Abstraction theorem for causal atomicity
• Proof technique for causal atomicity

Heike Wehrheim - University of Paderborn 19