Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng.

Slides:



Advertisements
Similar presentations
Operating Systems Semaphores II
Advertisements

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
Practice Session 7 Synchronization Liveness Deadlock Starvation Livelock Guarded Methods Model Thread Timing Busy Wait Sleep and Check Wait and Notify.
Overview Assignment 8: hints Assignment 7: solution Deadlocks
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
Section 3. True/False Changing the order of semaphores’ operations in a program does not matter. False.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
A Simple Critical Section Protocol There are N concurrent processes P 1,…,P N that share some data. A process accessing the shared data is said to execute.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Previously… Processes –Process States –Context Switching –Process Queues Threads –Thread Mappings Scheduling –FCFS –SJF –Priority scheduling –Round Robin.
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 4: Mutual Exclusion.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Deadlock Emery Berger and Mark Corner University of Massachusetts.
Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.
SPL/2010 Liveness And Performance 1. SPL/2010 Performance ● Throughput - How much work can your program complete in a given time unit? ● Example: HTTP.
Multi-Object Synchronization. Main Points Problems with synchronizing multiple objects Definition of deadlock – Circular waiting for resources Conditions.
1 CS 333 Introduction to Operating Systems Class 7 - Deadlock Jonathan Walpole Computer Science Portland State University.
Race Conditions Critical Sections Deker’s Algorithm.
Deadlock CSCI 444/544 Operating Systems Fall 2008.
Chapter 3 Deadlocks 3.1. Resource 3.2. Introduction to deadlocks
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Chapter 6: Synchronization. 6.2 Silberschatz, Galvin and Gagne ©2005 Operating System Principles Module 6: Synchronization 6.1 Background 6.2 The Critical-Section.
Dependent Types for Reasoning About Distributed Systems Paul Sivilotti - Ohio State Hongwei Xi - Cincinnati.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts, Amherst Operating Systems CMPSCI 377 Lecture.
Synchronization CSCI 444/544 Operating Systems Fall 2008.
Synchronization Andy Wang Operating Systems COP 4610 / CGS 5765.
Compositional Verification of Termination-Preserving Refinement of Concurrent Programs Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.
Parallel Programming Philippas Tsigas Chalmers University of Technology Computer Science and Engineering Department © Philippas Tsigas.
The Critical Section Problem
1 CMSC421: Principles of Operating Systems Nilanjan Banerjee Principles of Operating Systems Acknowledgments: Some of the slides are adapted from Prof.
CS 153 Design of Operating Systems Spring 2015 Lecture 11: Scheduling & Deadlock.
Characterizing Progress Properties of Concurrent Objects via Contextual Refinements Hongjin Liang Univ. of Science and Technology of China (USTC) Joint.
Deadlock Questions answered in this lecture: What are the four necessary conditions for deadlock? How can deadlock be prevented? How can deadlock be avoided?
Chapter 28 Locks Chien-Chung Shen CIS, UD
COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.
Presenter: Long Ma Advisor: Dr. Zhang 4.5 DISTRIBUTED MUTUAL EXCLUSION.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.
This Time - Deadlock Definition Conditions for deadlocks
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
D u k e S y s t e m s Asynchronous Replicated State Machines (Causal Multicast and All That) Jeff Chase Duke University.
Monitors and Blocking Synchronization Dalia Cohn Alperovich Based on “The Art of Multiprocessor Programming” by Herlihy & Shavit, chapter 8.
A Program Logic for Concurrent Objects under Fair Scheduling Hongjin Liang and Xinyu Feng University of Science and Technology of China (USTC) To appear.
Program Logic for Concurrency Refinement Verification Xinyu Feng University of Science and Technology of China Joint work with Hongjin Liang (USTC) and.
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are:  Resource sharing  Avoiding concurrent update on shared data  Controlling the.
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are: 1. Resource sharing 2. Avoiding concurrent update on shared data 3. Controlling the.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science Computer Systems Principles Synchronization Emery Berger and Mark Corner University.
Operating Systems Lecture 4 Deadlock Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.
CS333 Intro to Operating Systems Jonathan Walpole.
Deadlocks Mark Stanovich Operating Systems COP 4610.
1 Critical Section Problem CIS 450 Winter 2003 Professor Jinhua Guo.
Proving Correctness and Measuring Performance CET306 Harry R. Erwin University of Sunderland.
Hwajung Lee. Mutual Exclusion CS p0 p1 p2 p3 Some applications are:  Resource sharing  Avoiding concurrent update on shared data  Controlling the.
Homework-6 Questions : 2,10,15,22.
Introduction to operating systems What is an operating system? An operating system is a program that, from a programmer’s perspective, adds a variety of.
Synchronization Questions answered in this lecture: Why is synchronization necessary? What are race conditions, critical sections, and atomic operations?
A Program Logic for Concurrent Objects under Fair Scheduling Hongjin Liang and Xinyu Feng University of Science and Technology of China (USTC)
Bakery Algorithm - Proof
Background on the need for Synchronization
Joint work with Yong Li, Xinyu Feng, Zhong Shao and Yu Zhang
Hongjin Liang, Xinyu Feng & Ming Fu
Progress of Concurrent Objects with Partial Methods
Mutual Exclusion CS p0 CS p1 p2 CS CS p3.
Concurrency: Mutual Exclusion and Process Synchronization
Andy Wang Operating Systems COP 4610 / CGS 5765
CSE 542: Operating Systems
Presentation transcript:

Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng

… push(7); x = pop(); … push(6); … Client code C How to prove O’s correctness (safety + liveness) Concurrent object O java.util.concurrent void push(int v) { … } … int pop() { … } under fair scheduling ?

Fair scheduling Every active thread gets eventually executed Why? Real-world setting is often fair, e.g. round-robin sched. Lock-based objects are correct only under fair sched.

Need to assume fair scheduling for correctness of lock-based objects Safety: linearizability Liveness: starvation-freedom / deadlock-freedom e.g. every (or some) thread trying to acquire the lock will eventually succeed inc() { local r; … // code to acquire lock L r := cnt; cnt := r + 1; // critical section … // code to release lock L } under fair scheduling T holds lock L none of other threads may get lock L unfair

Challenge in verifying lock-based objects Object impl takes advantage of fairness assumption complicated interdependencies among threads T’ releases the lock T’ is holding the lock fair sched T gets the lock ? Progress of T can rely on other threads’ helps which fairness ensures to happen.

Challenge: with fairness, progress of T can rely on other threads’ helps look out for circular reasoning (usually unsound in liveness proofs) x := 1; while (y = 1) {}; x := 0; y := 1; while (x = 1) {}; y := 0; T1T2 deadlock cycle

Our work Program logic for starvation-free objects ensure linearizability & starvation-freedom (SF) together e.g. counter with ticket lock, lock-coupling list, … [Ongoing] verifying deadlock-free objects unified with our logic for starvation-free objects fairness plays a more complicated role e.g. objects with TAS lock, lazy list (even with ticket lock), …

SF example: counter with ticket lock inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; // acquire lock r := cnt; cnt := r + 1; // critical section owner := i + 1; // release lock } the next available ticket currently being served

SF example: counter with ticket lock inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; // acquire lock r := cnt; cnt := r + 1; // critical section owner := i + 1; // release lock } 0123 T1: request lock T2: request lock T1: release lock T3: request lock owner next It’s SF, because: critical section is straight-line code threads waiting for the lock line up (num of threads ahead of T not increase)

No circular reasoning because threads’ dependences form an acyclic chain T will get lockT2 releases lock T2 gets lock fair sched T1 releases lock T1 gets lock fair sched Not depend on others! next owner 0123 TT2 T1

Our idea: definite action D T will get lockT2 releases lock T2 gets lock fair sched T1 releases lock T1 gets lock fair sched D D “definite” because: action D must eventually be finished (without relying on other threads) once D becomes “enabled”. Enable

DProgress for the D-chain T gets lockT2 releases lock T2 gets lockT1 releases lock T1 gets lock D D DProgress ( n, D, S, Q) iff starting from state S, after n number of Ds from env, current thread can eventually reach a “good” state satisfying Q state S Q (inductively defined over n ) current thread succeeds in acquiring lock

Key proof for ticket-lock example inc() { local i, r; i := getAndInc( next ); while( i != owner ) {} ; r := cnt; cnt := r + 1; owner := i + 1; } T: increment owner T: its i equals owner D (1)Establish D : prove termination of critical section no matter what env does (2)Prove DProgress ( n, D, S, Q) by induction over n = (i - owner) Details of logic and example proofs are in draft paper.

Ongoing work: unify with verifying deadlock-free objects Example: counter with TAS lock inc() { local b, r; b := false; while( !b ) { b := cas(&L, 0, T); } r := cnt; cnt := r + 1; // critical section L := 0; } current thread ID DF: Some thread will succeed in acquiring the lock. It’s not SF: critical section is still straight-line code BUT, threads waiting for the lock do not line up (num of threads ahead of T could increase)

Ongoing work: unify with verifying deadlock-free objects T will get lockT1 releases lock T1 is holding lock D DProgress ( n, D, S, Q) breaks Q state S T2 will get lock T3 will get lock ? ? ? because progress of T can be delayed by other threads Solution: combined with token transfer? [Hoffmann et al. LICS’13]

More problems on modularity inc() { local r; lock(); r := cnt; cnt := r + 1; unlock(); } lock() { local i; i := getAndInc( next ); while( i != owner ) {} ; } unlock() { ; } Can we view “locks” as objects? Define “starvation-free” / “deadlock-free” locks?

Summary Verify lock-based objects under fair scheduling linearizability + starvation-freedom / deadlock-freedom problem: fairness assumption allows a thread to rely on other threads’ helps idea: definite action D & DProgress for the D-chain

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.