Atomic Semantics of Nonatomic Programs

James H. Anderson
Mohamed G. Gouda

Department of Computer Sciences
The University of Texas at Austin
Austin, Texas 78712

December 1987

Abstract

We argue that it is possible, and sometimes useful, to reason about nonatomic programs within the conventional atomic model of concurrency.

1 Introduction

Most of the proof methods that have been proposed for reasoning about concurrent programs are developed within the atomic model of concurrency [Ho 72, LS 84, MP 84, OG 76]. This model is based on the assumption that no two operations in a concurrent program are executed at the same time. Hence, the resulting proof theory may seem inadequate for reasoning about programs in which operations of different processes may overlap. In this paper, we show to the contrary that it is possible to reason about such programs within the atomic model of concurrency.

Work supported in part by Office of Naval Research Contract N00014-86-K-0763.
2 Nonatomic Programs

A concurrent program consists of two or more sequential processes that access a set of program variables. A program state is a mapping from the program variables and program counters to values. A process is a sequence of operations, each of which is either atomic or nonatomic. An atomic operation is a relation on the set of program states; that is, an atomic operation causes a single transition between a pair of states. A nonatomic operation is a sequence of atomic operations; that is, a nonatomic operation may cause several state transitions. Intuitively, the execution of an atomic operation is instantaneous and does not overlap the execution of another atomic operation, whereas the execution of a nonatomic operation lasts for an arbitrary, but finite, period of time and may overlap the execution of other operations. If each process in a concurrent program consists only of atomic operations, then the program is called atomic; otherwise, it is called nonatomic.

Each program variable is either global or local: a variable is global if it is accessed by more than one process, and local if it is accessed by only one process. Since each process is sequential, we may assume that an operation that accesses no global variable is atomic. By contrast, an operation that does access a global variable may be nonatomic.

In this note, we consider a class of nonatomic programs in which processes communicate only by reading and writing global variables. For now, we assume that the value of each global variable ranges over a finite domain $\{0, \ldots, M - 1\}$, for some $M$ called the range of the global variable. (Later, in Section 5, we relax this restriction.) We also assume that each variable is written by only one process. Furthermore, we assume that global variables are accessed according to the following rules.

1. (Atomicity) Each operation either reads or writes at most one global variable. An operation that reads a global variable is atomic, and an operation that writes a global variable is nonatomic.

2. (Reading While Writing) If a read of a global variable occurs while the variable is being written, then the read operation returns an arbitrary value from the value domain of the variable.

3. (Exclusive Reading) If a read of a global variable does not occur while the variable is being written, then the read operation returns the most recently written value.
For convenience, each nonatomic write operation is distinguished by the special syntax

    write v to x

where x is a global variable, and v is the value being written.

3 Semantics

In [La 77], Lamport defines the semantics of the nonatomic write operation "write v to x" by the atomic program fragment

    ⟨x := ?⟩ ⟨x := v⟩

where "⟨" and "⟩" enclose the atomic operations, and "?" is an indeterminate value. Furthermore, a read operation that reads x when x = ? returns an arbitrary value from the value domain of x. Therefore, the semantics of a read operation that reads x must be augmented to allow the possibility of x = ?. In particular, the value of x must now be viewed as a relation instead of a function.

We would like to suggest an alternative approach to defining the semantics of the nonatomic write operation "write v to x". In this approach, it is unnecessary to redefine the semantics of a read operation. Instead, the semantics of the write operation is defined by a nondeterministic program fragment along with a fairness condition. The program fragment is as follows:

    do ⟨true → x := x + 1 modulo M⟩
    [] ⟨true → x := v; exit⟩
    od

where M is the range of x, and the second branch of the do-loop is called the exit branch. The fairness condition can be stated as follows: if the exit branch is continuously enabled, then it is eventually executed. This condition guarantees that the program fragment terminates in a finite time, and, consequently, the duration of the corresponding nonatomic write operation is finite.
    local var k: 1..N
    while true do
        ⟨noncritical section⟩
     1: write true to a[i]
     2: ⟨k := 1⟩
     3: while ⟨k ≤ i − 1⟩ do
     4:     if ⟨a[k]⟩ then
     5:         write false to a[i]
     6:         while ⟨a[k]⟩ do
     7:             ⟨skip⟩
     8:         ⟨goto 1⟩
     9:     ⟨k := k + 1⟩
    10: ⟨k := i + 1⟩
    11: while ⟨k ≤ N⟩ do
    12:     while ⟨a[k]⟩ do
    13:         ⟨skip⟩
    14:     ⟨k := k + 1⟩
    15: ⟨critical section⟩
    16: write false to a[i]

Figure 1: Process P_i of a nonatomic program.

4 Verification

The above semantics suggests the following method for verifying that a nonatomic program P satisfies some assertion, under some fairness condition F. First, translate the pair (P, F) into a pair (P', F'), where P' is an atomic program. Second, show that P' satisfies the required assertion under the fairness condition F'. Since P' is atomic, this step can be accomplished using traditional proof methods, i.e., invariants and well-founded sets [MP 84].

As an example, consider the one-bit mutual exclusion program given in [La 86a]. The program, call it P, consists of N processes, P_1, ..., P_N, that communicate via a global boolean array a[1..N]; each element in the array is initially false. The code for process P_i is shown in Figure 1, and the fairness condition F associated with P is true.
As discussed earlier, the pair (P, F) can be translated into a pair (P', F'). The code for process P'_i in the resulting program P' is shown in Figure 2. The fairness condition F' is as follows: if any exit branch is continuously enabled, then it is eventually executed.

Now, to prove that program P satisfies the mutual exclusion property

$$S \equiv [\forall i, j : i \neq j : \neg(P_i \text{ at } \{15\} \wedge P_j \text{ at } \{15\})]$$

at each of its reachable states, it is sufficient to show that the atomic program P' satisfies S at each of its reachable states. (Fairness is not needed in proving mutual exclusion, since it is a safety property.) This can be done by finding a suitable invariant of P'. To this end, let $k_i$ denote the local variable k of process P'_i, and let $z_i$ be an auxiliary variable of process P'_i defined as follows:

$$z_i = \begin{cases} 1 & \text{if } P'_i \text{ at } \{9, 14\} \\ 0 & \text{otherwise} \end{cases}$$

Then, the required invariant is as follows. (Proving that it is indeed an invariant of P' is left to the reader.)

$$J \equiv S \wedge S_1 \wedge S_2 \wedge S_3 \wedge S_4$$

where

$$S_1 \equiv [\forall i :: P'_i \text{ at } \{2..4, 9..15\} \Rightarrow a[i]]$$

$$S_2 \equiv [\forall i :: P'_i \text{ at } \{15\} \Rightarrow k_i > N]$$

$$S_3 \equiv [\forall i :: P'_i \text{ at } \{10\} \Rightarrow k_i \geq i]$$

$$S_4 \equiv [\forall i :: P'_i \text{ at } \{3, 4, 9..15\} \Rightarrow (\forall j : j \neq i \wedge j < k_i + z_i : \neg a[j] \vee P'_j \text{ at } \{1, 2, 5, 16\} \vee (k_j \leq i + z_j))]$$

We used an interesting "heuristic" in order to deduce the invariant J. We first deduced an invariant I for the nonatomic program (Figure 1), under the assumption that each "write true to a[i]" and "write false to a[i]" is an atomic operation. We then "massaged" this invariant to get J. The required massaging was slight, since I was very close to J already; in fact, $I \equiv S \wedge S_1 \wedge S_2 \wedge S_3 \wedge R$, where

$$R \equiv [\forall i :: P_i \text{ at } \{3, 4, 9..15\} \Rightarrow (\forall j : j \neq i \wedge j < k_i + z_i : \neg a[j] \vee P_j \text{ at } \{2\} \vee (k_j \leq i + z_j))]$$
    local var k: 1..N
    while ⟨true⟩ do
        ⟨noncritical section⟩
     1: do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := true; exit⟩ od
     2: ⟨k := 1⟩
     3: while ⟨k ≤ i − 1⟩ do
     4:     if ⟨a[k]⟩ then
     5:         do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := false; exit⟩ od
     6:         while ⟨a[k]⟩ do
     7:             ⟨skip⟩
     8:         ⟨goto 1⟩
     9:     ⟨k := k + 1⟩
    10: ⟨k := i + 1⟩
    11: while ⟨k ≤ N⟩ do
    12:     while ⟨a[k]⟩ do
    13:         ⟨skip⟩
    14:     ⟨k := k + 1⟩
    15: ⟨critical section⟩
    16: do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := false; exit⟩ od

Figure 2: Process P'_i of an equivalent atomic program.
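To make the verification step concrete, here is an added example (our own illustration, not code from the paper): a Python explicit-state check of the atomic translation P' of Figure 2. Each nonatomic write is modelled as the do-loop with its flip branch and its exit branch, every reachable state of N processes is enumerated, and S together with S_1, S_2 and S_3 is tested in each; label 0 stands for the noncritical section, process and array indices are 1-based as in the figures, and the function names step, reachable and violations are ours.

```python
def step(state, i, N):
    # Atomic successors of `state` for P'_i (1-based), per Figure 2: a nonatomic
    # "write v to a[i]" is the do-loop: flip a[i] and stay, or store v and exit.
    pcs, ks, a = state
    pc, k = pcs[i-1], ks[i-1]
    at = lambda npc, nk=k, na=a: (pcs[:i-1] + (npc,) + pcs[i:],
                                  ks[:i-1] + (nk,) + ks[i:], na)
    set_a = lambda v: a[:i-1] + (v,) + a[i:]
    write = lambda v, npc: [at(pc, na=set_a(not a[i-1])), at(npc, na=set_a(v))]
    if pc == 0:  return [at(1)]                        # noncritical section
    if pc == 1:  return write(True, 2)
    if pc == 2:  return [at(3, 1)]
    if pc == 3:  return [at(4 if k <= i - 1 else 10)]
    if pc == 4:  return [at(5 if a[k-1] else 9)]       # atomic read of a[k]
    if pc == 5:  return write(False, 6)
    if pc == 6:  return [at(7 if a[k-1] else 8)]
    if pc == 7:  return [at(6)]                        # skip
    if pc == 8:  return [at(1)]                        # goto 1
    if pc == 9:  return [at(3, k + 1)]
    if pc == 10: return [at(11, i + 1)]
    if pc == 11: return [at(12 if k <= N else 15)]
    if pc == 12: return [at(13 if a[k-1] else 14)]
    if pc == 13: return [at(12)]                       # skip
    if pc == 14: return [at(11, k + 1)]
    if pc == 15: return [at(16)]                       # critical section
    return write(False, 0)                             # label 16

def reachable(N):
    # Every state of P' with N processes, by depth-first search from the
    # initial state (all processes noncritical, k = 1, a[i] = false).
    init = ((0,) * N, (1,) * N, (False,) * N)
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        new = {t for i in range(1, N + 1) for t in step(s, i, N)} - seen
        seen |= new
        todo.extend(new)
    return seen

def violations(N):
    # Reachable states violating S (two processes at label 15) or S1-S3.
    bad = []
    for pcs, ks, a in reachable(N):
        if sum(pc == 15 for pc in pcs) > 1:
            bad.append(("S", pcs, ks, a))
        for i, (pc, k) in enumerate(zip(pcs, ks), start=1):
            if (((2 <= pc <= 4 or 9 <= pc <= 15) and not a[i-1])  # S1
                    or (pc == 15 and k <= N)                       # S2
                    or (pc == 10 and k < i)):                      # S3
                bad.append(("S1-S3", pcs, ks, a))
    return bad
```

Because every read is a single atomic step while a[i] may take any value during the write loop, the enumeration exercises exactly the "reading while writing" case of Section 2; an empty result from violations(N) is the finite-state counterpart of showing that J holds at every reachable state.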
5 Concluding Remarks

Our approach can be extended to reason about nonatomic writes to unbounded global variables. For example, the semantics of a nonatomic write to an integer variable x can be defined by the program fragment

    do ⟨true → x := x + 1⟩
    [] ⟨true → x := x − 1⟩
    [] ⟨true → x := v; exit⟩
    od

along with the obvious fairness condition.

The semantics that we proposed in Section 3 is, in fact, the semantics of a write operation of a safe register. A safe register is the most primitive register in a hierarchy of registers defined by Lamport [La 86b]; it satisfies only one constraint: a read of a safe register must return the most recently written value if it does not "overlap" a write of the register. Another register in Lamport's hierarchy is the regular register. A regular register is a safe register that satisfies one additional constraint: a read of a regular register that overlaps a write of the register must return either the "old" or the "new" value. The operation "write v to x", where x is a regular register, can be defined by the program fragment

    u := x;
    do ⟨true → x := u⟩
    [] ⟨true → x := v⟩
    [] ⟨true → x := v; exit⟩
    od

along with the usual fairness condition. This example illustrates the fact that our approach is general enough to reason about a variety of shared objects.

The semantics that we suggest is useful for proving safety properties (which specify that something will not occur) and progress properties (which specify that something will occur). However, it is not particularly useful for proving possibility properties (which specify that something may occur). For example, consider a read of a shared variable that occurs while the variable's value is being changed from 0 to 200. To prove that the read may return the value 500, at least 500 atomic steps are required. An alternative semantics, which is more convenient for proving possibility properties, is obtained by using a nondeterministic selection function. In particular, "write v to x" can be defined by the following program fragment along with the usual fairness condition:

    do ⟨true → x := select(domain(x))⟩
    [] ⟨true → x := v; exit⟩
    od

where select(...) is the selection function, and domain(x) returns the value domain of the variable x.

Recently, Lamport has proposed a proof theory for reasoning about nonatomic programs in which the implementation of the nonatomic operations in terms of atomic operations is left unspecified [La 83, La 87]. Thus, this proof theory allows implementation decisions to be deferred, in contrast to our approach, in which implementation decisions are made a priori. On the other hand, our approach allows one to reason about program correctness within the conventional atomic framework, instead of appealing to a new theory.

Acknowledgements

We are thankful to L. Lamport, C. Lengauer, M. Merritt, F. Schneider, and the referees for their helpful comments on this note.

References

[Ho 72] Hoare, C.A.R., "Towards a Theory of Parallel Programming," Operating Systems Techniques, Hoare and Perrott (Eds.), Academic Press, New York, 1972.

[La 77] Lamport, L., "Proving the Correctness of Multiprocess Programs," IEEE Transactions on Software Engineering, Vol. SE-3, No. 2, pp. 125-143, March 1977.

[La 83] Lamport, L., "Reasoning About Nonatomic Operations," Proceedings of the 10th Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 28-37, 1983.

[La 86a] Lamport, L., "The Mutual Exclusion Problem, Parts I and II," Journal of the ACM, Vol. 23, No. 2, pp. 311-348, April 1986.
[La 86b] Lamport, L., "On Interprocess Communication, Parts I and II," Distributed Computing, Vol. 1, pp. 77-101, 1986.

[La 87] Lamport, L., "win and sin: Predicate Transformers for Concurrency," Technical Report, Systems Research Center, Digital Equipment Corporation, May 1987.

[LS 84] Lamport, L., and Schneider, F., "The Hoare Logic of CSP, and All That," ACM Transactions on Programming Languages and Systems, Vol. 6, No. 2, pp. 281-296, April 1984.

[MP 84] Manna, Z., and Pnueli, A., "Adequate Proof Principles for Invariance and Liveness Properties of Concurrent Programs," Science of Computer Programming, Vol. 4, pp. 257-289, 1984.

[OG 76] Owicki, S., and Gries, D., "An Axiomatic Proof Technique for Parallel Programs I," Acta Informatica, Vol. 6, pp. 319-340, 1976.