Deadlock-Free Monitors Bart Jacobs (joint work with Jafar Hamin) - - PowerPoint PPT Presentation

deadlock free monitors
SMART_READER_LITE
LIVE PREVIEW

Deadlock-Free Monitors Bart Jacobs (joint work with Jafar Hamin) - - PowerPoint PPT Presentation

Dec 27, 2022 289 likes •484 views

Deadlock-Free Monitors Bart Jacobs (joint work with Jafar Hamin) DistriNet, KU Leuven IFIP WG 1.9/2.15 meeting @ Leuven, 11-12 May 2017 Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors Contents Bart Jacobs (joint work with

slide-1
SLIDE 1

Deadlock-Free Monitors

Bart Jacobs (joint work with Jafar Hamin)

DistriNet, KU Leuven

IFIP WG 1.9/2.15 meeting @ Leuven, 11-12 May 2017

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-2
SLIDE 2

Contents

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-3
SLIDE 3

Contents

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-4
SLIDE 4

Programming Language

e ::= v | x c ::= e | let x := c in c | new{f := e} | e.f | e.f := e | new lock | new channel | fork c | e.acquire() | e.release() | e.send(e) | e.receive()

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-5
SLIDE 5

Example Program: Producer-Consumer

let c := new channel() in fork ( c.receive(); c.receive() ); c.send(24); c.send(42)

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-6
SLIDE 6

Example Proof: Producer-Consumer

{obs(0)} let c := new channel() in {obs(0)} CreateObligation(c) {obs({ [c] }) ∗ c.credit()} CreateObligation(c) {obs({ [2 · c] }) ∗ 2 · c.credit()} fork ( {obs(0) ∗ 2 · c.credit()} c.receive(); {obs(0) ∗ c.credit()} c.receive() {obs(0)} ); {obs({ [2 · c] })} c.send(24); {obs({ [c] })} c.send(42) {obs(0)}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-7
SLIDE 7

Proof Rules

{obs(O)} CreateObligation(c) {obs(O ⊎ { [c] }) ∗ c.credit()} {obs(O′) ∗ P} c {obs(0)} {obs(O ⊎ O′) ∗ P} fork c {obs(O)} {obs(O) ∗ c.credit() ∧ w(c) ≺ O} c.receive() {obs(O)} {obs(O ⊎ { [c] }} c.send(v) {obs(O)}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-8
SLIDE 8

Example Program: Shared Counter

let c := new{x := 0} in let lock := new lock in let inc() = ( lock.acquire(); let v := c.x in c.x := v; lock.release() ) in fork inc(); inc()

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-9
SLIDE 9

Example Proof: Shared Counter

{obs(0)} let c := new{x := 0} in {obs(0) ∗ c.x → 0} let lock := new lock in {obs(0) ∗ lock.lock(c.x → )} let inc() = ( {obs(0) ∗ lock.lock(c.x → )} lock.acquire(); {obs({ [lock] }) ∗ lock.locked(c.x → ) ∗ c.x → } let v := c.x in c.x := v; {obs({ [lock] }) ∗ lock.locked(c.x → ) ∗ c.x → } lock.release() {obs(0) ∗ lock.lock(c.x → )} ) in fork inc(); inc()

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-10
SLIDE 10

Proof Rules for Locks

{I} new lock {res.lock(I)} ℓ.lock(I) ⇔ ℓ.lock(I) ∗ ℓ.lock(I) {obs(O) ∗ ℓ.lock(I) ∧ w(ℓ) ≺ O} ℓ.acquire() {obs(O ⊎ { [ℓ] }) ∗ ℓ.locked(I) ∗ I} {obs(O ⊎ { [ℓ] }) ∗ ℓ.locked(I) ∗ I} ℓ.release() {obs(O) ∗ ℓ.lock(I)}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-11
SLIDE 11

Soundness statement

⊢ {obs(0)} c {obs(0)} ⇒ (0, { [(0, c)] }) ∗ γ ⇒ ¬(γ deadlocked)

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-12
SLIDE 12

Programming Language

c ::= · · · | new monitor | new condvar | e.enter() | e.exit() | e.wait() | e.signal() | e.signalAll()

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-13
SLIDE 13

Example Program: Channels using monitors

let createChannel() := let q := createQueue() in let m := new monitor() in let cv := new condvar() in new{q := q, m := m, cv := cv} let send(c, v) := c.m.enter(); enqueue(c.q, v); c.cv.signal(); c.m.exit() let receive(c) := c.m.enter(); while queueSize(c.q) = 0 do c.cv.wait(); let v := dequeue(c.q) in c.m.exit(); v

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-14
SLIDE 14

Monitors: Proof Rules

{emp} new monitor {res.monitor raw(∅)} {m.monitor raw(V )} new condvar {res / ∈ V ∧ m.monitor raw(V ∪ {res})} ∀(P, Q) ∈ S, (P′, Q′) ∈ S′. P ∗ P′ ∗ stop perm() ⇒ Q ∗ Q′ {m.monitor raw(V ) ∗ I(λcv ∈ V . 0)} InitMonitor {m.monitor(V , I, S, S′)} m.monitor(V , I, S, S′) ⇒ m.monitor(V , I, S, S′) ∗ m.monitor(V , I, S, S′) {m.obs(O) ∗ m.monitor(V , I, S, S′) ∧ w(m) ≺ O} m.enter() {m.obs(O ⊎ { [m] }) ∗ m.monitor entered(V , I, S, S′, W ) ∗ I(W )} {m.obs(O ⊎ { [m] }) ∗ m.monitor entered(V , I, S, S′, W ) ∗ I(W )} m.exit() {m.obs(O) ∗ m.monitor(V , I)}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-15
SLIDE 15

Condition Variables: Proof Rules

  • bs(O) ⇔ obs(O ⊎ {

[o] }) ∗ ob(1, o)

  • b(π1 + π2, o) ⇔ ob(π1, o) ∗ ob(π2, o)
  • bs(O) ∗ ob(π, o) ∧ o ≺ O ⇔ obs calling(O, π, o) ∗ stop perm()

(P, Q) ∈ S {m.monitor entered(V , I, S, S′, W ) ∗ I(W [cv := W (cv) + 1]) ∗ stop perm() ∗ P} cv.wait() {∃W ′. m.monitor entered(V , I, S, S′, W ′) ∗ I(W ′) ∗ Q} (P′, Q′) ∈ S′ {m.monitor entered(V , I, S, S′, W ) ∗ P′ ∧ W (cv) > 0} cv.signal() {m.monitor entered(V , I, S, S′, W [cv := W (cv) − 1]) ∗ Q′}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-16
SLIDE 16

Channels using monitors: Invariant

I(c)(W ) = ∃#elems, #weakCredits, #strongCredits, #obs. queue(c.q, #elems) ∗ c.wc ֒ →• #weakCredits ∗ c.sc ֒ →• #strongCredits ∗ c.o ֒ →• #obs ∗ (#obs − W (c.cv)) · ob(1, c) ∧ W (c.cv) + #weakCredits + #strongCredits = #elems + #obs ∧ (W (c.cv) = 0 ∨ W (c.cv) ≤ #obs − #strongCredits) c.credit() = c.sc ֒ →◦ 1 S = {O. (obs calling(O, 1, c), obs(O) ∗ c.wc ֒ →◦ 1)} S′ = {(c.wc ֒ →◦ 1, ob(1, c))}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-17
SLIDE 17

Channels using monitors: Proof of receive

let receive(c) := {obs(O) ∗ channel(c) ∗ c.credit() ∧ w(c) ≺ O} {obs(O) ∗ c.m.monitor(V , I, S, S′) ∗ c.credit() ∧ w(c) ≺ O} c.m.enter(); {obs(O) ∗ c.m.mon entered(V , I, S, S′, W ) ∗ I(W ) ∗ c.credit() ∧ w(c) ≺ O} {obs(O) ∗ c.m.mon entered(V , I, S, S′, W ) ∗ I(W ) ∗ c.wc ֒ →◦ 1 ∧ w(c) ≺ O} while queueSize(c.q) = 0 do {obs(O) ∗ c.m.mon entered(V , I, S, S′, W ) ∗ I(W + 1) ∗ ob(1, c) ∧ w(c) ≺ O} {obs calling(O, 1, c) ∗ c.m.mon entered(V , I, S, S′, W ) ∗ I(W + 1) ∗ stop perm()} c.cv.wait(); {obs(O) ∗ c.m.mon entered(V , I, S, S′, W ′) ∗ I(W ′) ∗ c.wc ֒ →◦ 1} let v := dequeue(c.q) in c.m.exit(); v {obs(O)}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-18
SLIDE 18

Channels using monitors: Proof of send

let send(c, v) := {channel(c)} {c.m.monitor(V , I, S, S′)} c.m.enter(); {c.m.mon entered(V , I, S, S′, W ) ∗ I(W )} enqueue(c.q, v); Case W > 0 {c.m.mon entered(V , I, S, S′, W ) ∗ (ob(1, c → ∗ I(W − 1)) ∗ c.sc ֒ →◦ 1 ∗ c.wc ֒ →◦ 1} c.cv.signal(); {c.m.mon entered(V , I, S, S′, W − 1) ∗ I(W − 1) ∗ c.sc ֒ →◦ 1} c.m.exit() {channel(c) ∗ c.credit()}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors

slide-19
SLIDE 19

Channels using monitors: Proof of obligation creation and destruction

let CreateObligation(c) := {obs(O) ∗ c.channel()} {obs(O ⊎ { [c] }) ∗ c.ob() ∗ c.credit()} let DestroyObligation(c) := {obs(O ⊎ { [c] }) ∗ c.ob() ∗ c.credit()} {obs(O) ∗ c.channel()}

Bart Jacobs (joint work with Jafar Hamin) Deadlock-Free Monitors