Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 - PowerPoint PPT Presentation

Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 Viktor Vafeiadis 2 1 Shanghai Jiao Tong University 2 Max Planck Institute for Software Systems (MPI-SWS) CPP’15, 14 January 2015

Blocking synchronisation 3 × H : 9 2 n := malloc( ... ); n → val := 7; lock(); t := ∗ H ; n → next := t ; ∗ H := n ; unlock(); X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 2/17

Non-blocking synchronisation 3 × H : 9 2 n := malloc( ... ); n → val := 7; while (true) { t := ∗ H ; n → next := t ; if ( CAS ( H , t , n )) break ; } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 3/17

What is lock-freedom? Liveness property for concurrent libraries: ◮ If library operations are scheduled infinitely often, then some operation will terminate. Observations: ◮ LF is a global property. ◮ LF allows starvation. ◮ wait-free ⊆ lock-free ⊆ obstruction-free ◮ LF is a practical compromise. X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 4/17

Proving lock-freedom Proving lock-freedom is low-hanging fruit: ◮ Typically lock-freedom is really easy to show. ◮ But formal LF proofs are often too complex. ◮ Automation is not readily available. X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 5/17

Reduction to termination ◮ Concurrent library, L = � C init , C 1 , . . . , C n � . ◮ Bounded most general client, BMGC k , m ( L ), runs C init and then creates k threads executing up to m times a method from C 1 , . . . , C n . Theorem (Hoffmann, Marmar, Shao, LICS’13) ⇒ ∀ k , m . BMGC k , m ( L ) terminates. L is lock-free ⇐ X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 6/17

Read-compute-update pattern A common pattern in LF algorithms: while (true) { t := X ; . . . ; n := . . . ; if (CAS(& X , t , n )) break ; } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 7/17

Read-compute-update pattern A common pattern in LF algorithms: while (true) { t := X ; . . . ; n := . . . ; if ( X == t ) { X := n ; break ; } } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 7/17

Verifying the read-compute-update pattern Using a global progress counter: while (true) { r := P ; t := X ; . . . ; n := . . . ; if ( X == t ) {� X := n ; ++ P � ; break ; } assert ( P > r ); } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while (true) { B tid := false; t := X ; . . . ; n := . . . ; if ( X == t ) {� X := n ; ∀ i . B i := true � ; break ; } assert ( B tid ); } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while (true) { B tid := ∗ ; t := X ; . . . ; n := . . . ; if ( X == t ) {� X := n ; ∀ i . B i := true � ; break ; } assert ( B tid ); } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while (true) { B tid := ∗ ; t := X ; . . . ; n := . . . ; if ( X == t ) {� X := n ; assume ( ∀ i . B i ) � ; break ; } assert ( B tid ); } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 8/17

What else is there? Two important extensions: ◮ Nested loops ◮ Loops that terminate for sequential reasons What else: ◮ Implementation/evaluation ◮ Formalisation in Ott & Coq X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 9/17

Handling nested loops while (true) { t 1 := X 1 ; . . . ; if ( X 1 == t 1 ) { X 1 := . . . ; break ; } . . . ; while (true) { t 2 := X 2 ; . . . ; if ( X 2 == t 2 ) { X 2 := . . . ; break ; } . . . ; } . . . ; } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 10/17

Handling nested loops while (true) { r 1 := P 1 ; � t 1 := X 1 ; ++ P 2 � ; . . . ; if ( X 1 == t 1 ) { � X 1 := . . . ; ++ P 1 ; ++ P 2 � ; break ; } ++ P 2 ; . . . ; while (true) { r 2 := P 2 ; t 2 := X 2 ; . . . ; if ( X 2 == t 2 ) { � X 2 := . . . ; ++ P 2 � ; break ; } . . . ; assert ( P 2 > r 2 ); } ++ P 2 ; . . . ; assert ( P 1 > r 1 ); } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 10/17

Termination for sequential reasons How about the following program? i := 0; while( i < 2) { i ++; } X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while( i < 2) { i ++; } Naive instrumented version: � i := 0; ++ P 1 � ; L 0 (skip , p := P 1 ; if( i < 2) i ++; else break; assert( P 1 > p ); ) Oops! X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while( i < 2) { i ++; } Why does it terminate? ◮ Ranking function, f ( i ) = 2 − i . ◮ Decreases round each loop iteration. ◮ Loop exits if f ( i ) < 0. Idea: use the ranking function in the instrumentation! X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while( i < 2) { i ++; } Better instrumented version: � i := 0; ++ P 1 � ; L 0 (skip , p := P 1 ; i saved := i ; if( i < 2) i ++; else break; assert( P 1 > p ∨ 2 − i < 2 − i saved ); ) Now provable. X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 11/17

Experimental results Algorithm LOC Time CAS counter 41 0.02s Double counter 64 0.11s Treiber stack 52 0.11s DCAS stack 52 0.11s Elimination stack 76 1.22s MS queue 83 3.01s DGLM queue 83 3.92s MSV queue 74 2.85s X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 12/17

Formal set up Minimal programming language: C ::= skip | break | BC | C 1 ; C 2 | C 1 � C 2 | C 1 ⊕ C 2 | L n ( C 1 , C 2 ) Standard operational semantics: � C , σ � → � C ′ , σ ′ � Instrumented semantics: d ⊢ � C , σ, P � → � C ′ , σ ′ , P ′ � d ⊢ � C , σ, P � → abort X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 13/17

Operational semantics: standard rules ( σ, σ ′ ) ∈ [ [ BC ] ] d ⊢ � BC , σ, P � → � skip , σ ′ , Cinc( P , d ) � d ⊢ � C 1 , σ, P � → � C ′ 1 , σ ′ , P ′ � etc. d ⊢ � C 1 ; C 2 , σ, P � → � C ′ 1 ; C 2 , σ ′ , P ′ � where  P ( x ) if x ≤ d  def  Cinc( P , d ) = λ x . P ( x ) + 1 if x > d   X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 14/17

Operational semantics: loops d ⊢ � L n (skip , C ) , σ, P � → � L P ( d ) ( C , C ) , σ, P � P ( d ) ≤ n d ⊢ � L n (skip , C ) , σ, P � → abort d + ldinc( C 1 ) ⊢ � C 1 , σ, P � → � C ′ 1 , σ ′ , P ′ � d ⊢ � L n ( C 1 , C 2 ) , σ, P � → � L n ( C ′ 1 , C 2 ) , σ ′ , P ′ � where  0 if lpExit( C )  def  ldinc( C ) = 1 if ¬ lpExit( C )   X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 15/17

Results � d : N → N . ◮ Define configuration size, � | C , P | ◮ ≺ k : lexicographic order on first k elems. Lemma (Progress) If d ⊢ � C , σ, P � → � C ′ , σ ′ , P ′ � and d ⊢ � C , σ, P � �→ abort , then � d ≺ d + � | C ′ , P ′ | � d . � � depth � | C , P | | C | Theorem (Termination) If 0 ⊢ � C , σ, λ x . 1 � �→ ∗ abort , then � C , σ � always terminates. X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 16/17

Termination metric: the size of a configuration � d ( m ) def � | skip , P | = 0 � d ( m ) def � | break , P | = 1 � d ( m ) def � | BC , P | = 1  � d ( m ) + 1 � | C 1 , P | if lpExit( C 1 ) � d ( m ) def   � | C 1 ; C 2 , P | = � d ( m ) + � � d ( m ) + 1 � | C 1 , P | | C 2 , P | if ¬ lpExit( C 1 )    � | C 1 , P | � d ( m ) if lpExit( C 1 )      � d +1 ( m )  � | C 2 , P | else if m < d   � d ( m ) def  � | L n ( C 1 , C 2 ) , P | = � d +1 ( m ) + � � d +1 ( m ) + � � d +1 ( m ) + 1 � | C 1 , P | | C 2 , P | | C 2 , P | else if n < P ( d )       � d +1 ( m ) + � � d +1 ( m )  � | C 1 , P | | C 2 , P | otherwise   � d ( m ) def � d ( m ) + � � d ( m ) + 1 � | C 1 � C 2 , P | = � | C 1 , P | | C 2 , P | � d ( m ) def � d ( m ) + � � d ( m ) + 1 � | C 1 ⊕ C 2 , P | = � | C 1 , P | | C 2 , P | Questions? X. Jia, W. Li, V. Vafeiadis Proving Lock-Freedom Easily and Automatically 17/17