I613: Formal Methods. Mutual Exclusion Problem

Transcription

1 I613: Formal Methods Analysis of the Bakery Protocol (1) Modeling and Specification CafeOBJ Team of Jaist Mutual Exclusion Problem Computer systems have resources such that they are shared by multiple entities (processors, processes, threads, etc.) and should be used by at most one entity at any given moment. The mutual exclusion (mutex) problem is to control multiple entities such that at most one entity is allowed to use shared resources at any given moment. The problem was originally proposed and solved by E.W. Dijkstra*. *Dijkstra, E.W.: Solution of a problem in concurrent programming control, CACM 8(9): 569,

2 Mutual Exclusion Protocols Solutions of the problem are called mutual exclusion (mutex) protocols (algorithms). Many mutex protocols have been designed. Qlock is a mutex protocol. 3 Qlock The program executed by each process i: Loop rs: put(queue,i); ws: repeat until top(queue) = i; Critical Section cs: get(queue); Segments of programs in which shared resources are used are called critical sections. One property Qlock should satisfy is that at most one process is at label cs at any given moment. The property is called the mutual exclusion (mutex) property. 4

3 An Incorrect Variant of Qlock If the program is changed as follows Loop rs: tmp i := insert(queue,i); es: queue := tmp i ; ws: repeat until top(queue) = i; Critical Section cs: deq(queue); the property does not hold for this variant. This is because process IDs are not put into queue atomically (indivisibly). 5 Assumptions on Atomic Operations Mutex protocols can be considered atomic operations, which allow shared resources to be accessed by at most one entity at any given moment. But, many mutex protocols such as Qlock assume lower level atomic operations such as atomic operations (put, top and get) of queues. 6

4 The Bakery Protocol (1) A mutex protocol proposed by L. Lamport*. Does not assume any lower level atomic operations. Writes and reads to a shared variable X can overlap. A read to X while a write to X is being done returns an arbitrary value (an arbitrary sequence of bits). *Lamport, L.: A New Solution of Dijkstra s Concurrent Programming Problem, CACM 17(8): , The Bakery Protocol (2) The program executed by each process i for i = 1,,N: L1: choosing[i] := 1; number[i] := 1 + maximum(number[1],,number[n]); choosing[i] := 0; for j=1 step 1 until N do begin L2: if choosing[j] =/= 0 then goto L2; L3: if number[j] =/= 0 and (number[j],j) < (number[i],i) then goto L3; end; critical section; number[i] := 0; noncritical section; goto L1; 8

5 The Bakery Protocol (3) The type of each variable is integer. choosing[i], number[i], j choosing[i] and number[i] are written by only process i but read by the N processes. Initially, each process i is in the noncritical section and choosing[i] and number[i] are set to 0. The args of the maximum function can be read in any order. maximum(number[1],,number[n]) (a,b) < (c,d) if a < c or (a = c and b < d) (number[j],j) < (number[i],i) 9 The Bakery Protocol (4) If number[i] is not 0, it contains a number given to process i that wants to enter the critical section. The smaller number process i is given, the higher priority it has to enter the critical section. L1: choosing[i] := 1; number[i] := 1 + maximum(number[1],,number[n]); choosing[i] := 0; for j=1 step 1 until N do begin L2: if choosing[j] =/= 0 then goto L2; L3: if number[j] =/= 0 and (number[j],j) < (number[i],i) then goto L3; end; critical section; number[i] := 0; noncritical section; goto L1; 10

6 The Bakery Protocol (5) The same number may be given to multiple processes. If that is the case, process IDs are used to break the tie (the smaller ID, the higher priority). L1: choosing[i] := 1; number[i] := 1 + maximum(number[1],,number[n]); choosing[i] := 0; for j=1 step 1 until N do begin L2: if choosing[j] =/= 0 then goto L2; L3: if number[j] =/= 0 and (number[j],j) < (number[i],i) then goto L3; end; critical section; number[i] := 0; noncritical section; goto L1; 11 The Bakery Protocol (6) If choosing[i] is not 0, a number is being given to process i. If choosing[1],, choosing[n] are not used, the mutex property does not hold even if we assume that writes and reads to number[1],, number[n] are atomic. 12

7 Modeling the Protocol A model (in an engineering sense) of the protocol is made as an OTS. Before making such an OTS, data types used are provided. Natural numbers (are used instead of integers) Pairs of natural numbers Sets of natural numbers (for computing maximum(number[1],,number[n])) Labels See the file bakery.mod. 13 Boolean Terms Boolean terms basically reduce to an exclusive or normal form. Good: A perfect propositional tautology checker. Bad: It can take much time Try reducing p1 or or p10. Some situations where _or-else_ should be used instead of _or_. Attributes assoc & comm are not given to the former in module BOOL. In the file bakery.mod, the attributes are given for convenience. 14

8 Formalizing Overlaps of Writes&Reads An assignment to a shared variable (x := E;) is divided into three parts: Part 1 computes the expression E. Part 2 begins writing the result to the variable x. Part 3 ends the writing. Parts 2&3 are represented by two transition functions beginwtx and endwtx, whose equations are like x(beginwtx(s)) = rand(s) x(endwtx(s)) = theresult where rand(s) returns an arbitrary value. Between parts 2&3, reading x returns an arbitrary value. 15 Formalizing Comp of maximum (1) maximum(number[1],,number[n]) is computed as follows: 1. Set temporary variables tmp and m to {1,,N} and If tmp is empty, the computation is done (m contains the result); otherwise go to Choose and delete a number k arbitrarily from tmp, set m to max(m,k), and go to 1. The three steps are represented by three transition functions settmp, checklc and findmax. 16

9 Formalizing Comp of maximum (2) Part of the equations are like 1. pc(settmp(s)) = 2 tmp(settmp(s)) = {1,,N} m(settmp(s)) = 0 2. pc(checklc(s)) = if empty?(tmp(s)) then 4 else 3 fi tmp(checklc(s)) = tmp(s) m(checklc(s)) = m(s) 3. If K in tmp(s) then pc(findmax(s,k)) = 2 tmp(finfmax(s,k)) = del(tmp(s),k) m(findmax(s,k)) = max(m(s),k) Observation Functions (1) 7 observation functions are used. bop pc : Sys Nat -> Label bop choosing : Sys Nat -> Nat bop number : Sys Nat -> Nat bop j : Sys Nat -> Nat bop tmp : Sys Nat -> NatSet bop m : Sys Nat -> Nat bop rand : Sys -> Nat 18

10 Observation Functions (2) Given a state s and a process ID i, pc(s,i) returns the label at which i is in s. choosing(s,i) returns the value of choosing[i] in s. number(s,i) returns the value of number[i] in s. j(s,i) returns the value of j (owned by i) in s. tmp(s,i) returns a set of natural numbers. m(s,i) returns a natural number. rand(s) returns an arbitrary natural number. 19 Observation Functions (3) Initially each observation function returns the following values: pc(init,i) = ncs choosing(init,i) = 0 number(init,i) = 0 rand(init) = seed where init denotes an arbitrary initial state and seed denotes an arbitrary natural number. j, tmp and m return an arbitrary natural number, an arbitrary set of natural numbers and an arbitrary natural number, respectively. 20

11 Transition Functions (1) 18 transition (action) functions are used. bop beginwtch1 : Sys Nat -> Sys bop endwtch1 : Sys Nat -> Sys bop settmp : Sys Nat -> Sys bop checklc1 : Sys Nat -> Sys bop findmax : Sys Nat Nat -> Sys bop beginwtnum1 : Sys Nat -> Sys bop endwtnum1 : Sys Nat -> Sys bop beginwtch2 : Sys Nat -> Sys bop endwtch2 : Sys Nat -> Sys bop setj : Sys Nat -> Sys bop checklc2 : Sys Nat -> Sys bop checkch : Sys Nat -> Sys bop checknum : Sys Nat -> Sys bop execcs : Sys Nat -> Sys bop beginwtnum2 : Sys Nat -> Sys bop endwtnum2 : Sys Nat -> Sys bop execncs : Sys Nat -> Sys bop trycs : Sys Nat -> Sys 21 Transition Functions (2) l1: beginwtch1(_,i) l2: endwtch1(_,i) L1: choosing[i] := 1; See the file bakery.mod. 22

12 Transition Functions (3) l3: settmp(_,i) l4: checklc1(_,i) l5: findmax(_,i,k) l6: beginwtnum1(_,i) l7: endwtnum1(_,i) number[i] := 1 + maximum(number[1],,number[n]); See the file bakery.mod. 23 Transition Functions (4) l8: beginwtch2(_,i) l9: endwtch2(_,i) choosing[i] := 0; See the file bakery.mod. 24

13 Transition Functions (5) l10: setj(_,i) l11: checklc2(_,i) l12: checkch(_,i,k) l13: checknum(_,i) for j=1 step 1 until N do begin L2: if choosing[j] =/= 0 then goto L2; L3: if number[j] =/= 0 and (number[j],j) < (number[i],i) then goto L3; end; See the file bakery.mod. 25 Transition Functions (6) cs: execcs(_,i) critical section; l14: beginwtnum2(_,i) l15: end WtNum2(_,i) number[i] := 0; ncs: execncs(_,i) ncs: trycs(_,i) noncritical section; goto L1; See the file bakery.mod. 26

14 Any Problems? (1) Operator choose is used to choose a number arbitrarily from a set. mod! NSET { pr(pnat) [Nat < NSet] op empty : -> NSet op : NSet NSet -> NSet {assoc comm id: empty} op choose : NSet -> Nat var S : NSet var X : Nat eq choose(x S) = X. } 27 Any Problems? (2) choose(s(0) s(s(0))) = choose(s(0) s(s(0))) = = s(s(0))? = choose(s(s(0)) s(0)) s(0) = Equation choose(x S) = X introduces confusion. 28