Proving Lock-Freedom Easily and Automatically Xiao Jia 1 Wei Li 1 - - PowerPoint PPT Presentation

Proving Lock-Freedom Easily and Automatically Xiao Jia1 Wei Li1 Viktor Vafeiadis2

1 Shanghai Jiao Tong University 2 Max Planck Institute for Software Systems (MPI-SWS)

CPP’15, 14 January 2015

Blocking synchronisation H: 9 2 3 × n := malloc(...); n→val := 7; lock(); t := ∗H; n→next := t; ∗H := n; unlock();

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 2/17

Non-blocking synchronisation H: 9 2 3 × n := malloc(...); n→val := 7; while(true) { t := ∗H; n→next := t; if(CAS(H, t, n)) break; }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 3/17

What is lock-freedom? Liveness property for concurrent libraries:

◮ If library operations are scheduled infinitely

• ften, then some operation will terminate.

Observations:

◮ LF is a global property. ◮ LF allows starvation. ◮ wait-free ⊆ lock-free ⊆ obstruction-free ◮ LF is a practical compromise.

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 4/17

Proving lock-freedom Proving lock-freedom is low-hanging fruit:

◮ Typically lock-freedom

is really easy to show.

◮ But formal LF proofs

are often too complex.

◮ Automation is not

readily available.

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 5/17

Reduction to termination

◮ Concurrent library, L = Cinit, C1, . . . , Cn. ◮ Bounded most general client, BMGCk,m(L),

runs Cinit and then creates k threads executing up to m times a method from C1, . . . , Cn. Theorem (Hoffmann, Marmar, Shao, LICS’13) L is lock-free ⇐ ⇒ ∀k, m. BMGCk,m(L) terminates.

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 6/17

Read-compute-update pattern A common pattern in LF algorithms: while(true) { t := X; . . . ; n := . . . ; if (CAS(&X, t, n)) break; }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 7/17

Read-compute-update pattern A common pattern in LF algorithms: while(true) { t := X; . . . ; n := . . . ; if (X == t) {X := n; break; } }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 7/17

Verifying the read-compute-update pattern Using a global progress counter: while(true) { r := P; t := X; . . . ; n := . . . ; if (X == t) {X := n; ++P; break; } assert(P > r); }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while(true) { Btid := false; t := X; . . . ; n := . . . ; if (X == t) {X := n; ∀i. Bi := true; break; } assert(Btid); }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while(true) { Btid := ∗; t := X; . . . ; n := . . . ; if (X == t) {X := n; ∀i. Bi := true; break; } assert(Btid); }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 8/17

Verifying the read-compute-update pattern Using a progress flag per thread: while(true) { Btid := ∗; t := X; . . . ; n := . . . ; if (X == t) {X := n; assume(∀i. Bi); break; } assert(Btid); }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 8/17

What else is there? Two important extensions:

◮ Nested loops ◮ Loops that terminate for sequential reasons

What else:

◮ Implementation/evaluation ◮ Formalisation in Ott & Coq

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 9/17

Handling nested loops while(true) { t1 := X1; . . . ; if(X1 == t1) { X1 := . . . ; break; } . . . ; while(true) { t2 := X2; . . . ; if(X2 == t2) { X2 := . . . ; break; } . . . ; } . . . ; }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 10/17

Handling nested loops while(true) {r1 := P1; t1 := X1; ++P2; . . . ; if(X1 == t1) { X1 := . . . ; ++P1; ++P2; break; } ++P2; . . . ; while(true) {r2 := P2; t2 := X2; . . . ; if(X2 == t2) { X2 := . . . ; ++P2; break; } . . . ; assert(P2 > r2); } ++P2; . . . ; assert(P1 > r1); }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 10/17

Termination for sequential reasons How about the following program? i := 0; while(i < 2) {i++; }

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while(i < 2) {i++; } Naive instrumented version: i := 0; ++P1; L0(skip, p := P1; if(i < 2) i++; else break; assert(P1 > p); ) Oops!

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while(i < 2) {i++; } Why does it terminate?

◮ Ranking function, f (i) = 2 − i. ◮ Decreases round each loop iteration. ◮ Loop exits if f (i) < 0.

Idea: use the ranking function in the instrumentation!

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 11/17

Termination for sequential reasons How about the following program? i := 0; while(i < 2) {i++; } Better instrumented version: i := 0; ++P1; L0(skip, p := P1; isaved := i; if(i < 2) i++; else break; assert(P1 > p ∨ 2 − i < 2 − isaved); ) Now provable.

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 11/17

Experimental results Algorithm LOC Time CAS counter 41 0.02s Double counter 64 0.11s Treiber stack 52 0.11s DCAS stack 52 0.11s Elimination stack 76 1.22s MS queue 83 3.01s DGLM queue 83 3.92s MSV queue 74 2.85s

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 12/17

Formal set up Minimal programming language: C ::= skip | break | BC | C1; C2 | C1 C2 | C1 ⊕ C2 | Ln(C1, C2) Standard operational semantics: C, σ → C ′, σ′ Instrumented semantics: d ⊢ C, σ, P → C ′, σ′, P′ d ⊢ C, σ, P → abort

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 13/17

Operational semantics: standard rules (σ, σ′) ∈ [ [BC] ] d ⊢ BC, σ, P → skip, σ′, Cinc(P, d) d ⊢ C1, σ, P → C ′

1, σ′, P′

d ⊢ C1; C2, σ, P → C ′

1; C2, σ′, P′

etc. where Cinc(P, d)

def

= λx.

    

P(x) if x ≤ d P(x) + 1 if x > d

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 14/17

Operational semantics: loops d ⊢ Ln(skip, C), σ, P → LP(d)(C, C), σ, P P(d) ≤ n d ⊢ Ln(skip, C), σ, P → abort d + ldinc(C1) ⊢ C1, σ, P → C ′

1, σ′, P′

d ⊢ Ln(C1, C2), σ, P → Ln(C ′

1, C2), σ′, P′

where ldinc(C)

def

=

    

if lpExit(C) 1 if ¬lpExit(C)

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 15/17

Results

◮ Define configuration size,

|C, P| d : N → N.

◮ ≺k : lexicographic order on first k elems.

Lemma (Progress) If d ⊢ C, σ, P → C ′, σ′, P′ and d ⊢ C, σ, P → abort, then

• |C ′, P′|

d ≺d+

|C| depth

|C, P| d. Theorem (Termination) If 0 ⊢ C, σ, λx. 1 →∗ abort, then C, σ always terminates.

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 16/17

Termination metric: the size of a configuration

• |skip, P|

d(m) def = 0

• |break, P|

d(m) def = 1

• |BC, P|

d(m) def = 1

• |C1; C2, P|

d(m) def =

    

• |C1, P|

d(m) + 1 if lpExit(C1)

• |C1, P|

d(m) + |C2, P| d(m) + 1 if ¬lpExit(C1)

• |Ln(C1, C2), P|

d(m) def =

                  

• |C1, P|

d(m) if lpExit(C1)

• |C2, P|

d+1(m) else if m < d

• |C1, P|

d+1(m) + |C2, P| d+1(m) + |C2, P| d+1(m) + 1 else if n < P(d)

• |C1, P|

d+1(m) + |C2, P| d+1(m)

• therwise
• |C1 C2, P|

d(m) def = |C1, P| d(m) + |C2, P| d(m) + 1

• |C1 ⊕ C2, P|

d(m) def = |C1, P| d(m) + |C2, P| d(m) + 1

Questions?

• X. Jia, W. Li, V. Vafeiadis

Proving Lock-Freedom Easily and Automatically 17/17