Atomic Semantics of Nonatomic Programs

James H. Anderson and Mohamed G. Gouda
Department of Computer Sciences, The University of Texas at Austin, Austin, Texas 78712
December 1987

Abstract

We argue that it is possible, and sometimes useful, to reason about nonatomic programs within the conventional atomic model of concurrency.

1 Introduction

Most of the proof methods that have been proposed for reasoning about concurrent programs are developed within the atomic model of concurrency [Ho 72, LS 84, MP 84, OG 76]. This model is based on the assumption that no two operations in a concurrent program are executed at the same time. Hence, the resulting proof theory may seem inadequate for reasoning about programs in which operations of different processes may overlap. In this paper, we show to the contrary that it is possible to reason about such programs within the atomic model of concurrency.

Work supported in part by Office of Naval Research Contract N00014-86-K-0763.

2 Nonatomic Programs

A concurrent program consists of two or more sequential processes that access a set of program variables. A program state is a mapping from the program variables and program counters to values. A process is a sequence of operations, each of which is either atomic or nonatomic. An atomic operation is a relation on the set of program states; that is, an atomic operation causes a single transition between a pair of states. A nonatomic operation is a sequence of atomic operations; that is, a nonatomic operation may cause several state transitions. Intuitively, the execution of an atomic operation is instantaneous and does not overlap the execution of another atomic operation, whereas the execution of a nonatomic operation lasts for an arbitrary, but finite, period of time and may overlap the execution of other operations. If each process in a concurrent program consists only of atomic operations, then the program is called atomic; otherwise, it is called nonatomic.

Each program variable is either global or local: a variable is global if it is accessed by more than one process, and local if it is accessed by only one process. Since each process is sequential, we may assume that an operation that accesses no global variable is atomic. By contrast, an operation that does access a global variable may be nonatomic.

In this note, we consider a class of nonatomic programs in which processes communicate only by reading and writing global variables. For now, we assume that the value of each global variable ranges over a finite domain {0, ..., M − 1}, for some M called the range of the global variable. (Later, in Section 5, we relax this restriction.) We also assume that each variable is written by only one process. Furthermore, we assume that global variables are accessed according to the following rules.

1. (Atomicity) Each operation either reads or writes at most one global variable. An operation that reads a global variable is atomic, and an operation that writes a global variable is nonatomic.

2. (Reading While Writing) If a read of a global variable occurs while the variable is being written, then the read operation returns an arbitrary value from the value domain of the variable.

3. (Exclusive Reading) If a read of a global variable does not occur while the variable is being written, then the read operation returns the most recently written value.

For convenience, each nonatomic write operation is distinguished by the special syntax

    write v to x

where x is a global variable, and v is the value being written.

3 Semantics

In [La 77], Lamport defines the semantics of the nonatomic write operation "write v to x" by the atomic program fragment

    ⟨x := ?⟩ ⟨x := v⟩

where "⟨" and "⟩" enclose the atomic operations, and "?" is an indeterminate value. Furthermore, a read operation that reads x when x = ? returns an arbitrary value from the value domain of x. Therefore, the semantics of a read operation that reads x must be augmented to allow the possibility of x = ?. In particular, the value of x must now be viewed as a relation instead of a function.

We would like to suggest an alternative approach to defining the semantics of the nonatomic write operation "write v to x". In this approach, it is unnecessary to redefine the semantics of a read operation. Instead, the semantics of the write operation is defined by a nondeterministic program fragment along with a fairness condition. The program fragment is as follows:

    do ⟨true → x := x + 1 modulo M⟩
    [] ⟨true → x := v; exit⟩
    od

where M is the range of x, and the second branch of the do-loop is called the exit branch. The fairness condition can be stated as follows: if the exit branch is continuously enabled, then it is eventually executed. This condition guarantees that the program fragment terminates in a finite time, and, consequently, the duration of the corresponding nonatomic write operation is finite.
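The following Python model is an added example, not code from the paper. It represents a write fragment as a list of branches, each a function from the current value of x to its new value, with one branch flagged as the exit branch, and explores by breadth-first search the values x holds before the exit branch is taken (the values an overlapping read may return under rule 2 of Section 2) and the values x holds once the write has terminated. Besides the fragment above, it includes the fragments that the Concluding Remarks give for an unbounded integer variable, for a regular register and for the select-based variant, together with a function that computes how many atomic steps must precede a read that returns a given value, which makes concrete the remark there about proving possibility properties. The function names and the branch representation are this example's own.

```python
"""Models of the nondeterministic write fragments of Sections 3 and 5.

Added example, not code from the paper.  A fragment is a list of branches
(function from the current x to the new x, exit flag); the exit branch ends
the write.  Every guard is `true`, so every branch is enabled in every state.
"""
from collections import deque


def safe_write(M, v):
    """Section 3 (safe register, range M):
    do <true -> x := x+1 modulo M> [] <true -> x := v; exit> od."""
    return [(lambda x: (x + 1) % M, False), (lambda x: v, True)]


def integer_write(v):
    """Section 5, unbounded integer variable:
    do <true -> x := x+1> [] <true -> x := x-1> [] <true -> x := v; exit> od."""
    return [(lambda x: x + 1, False), (lambda x: x - 1, False), (lambda x: v, True)]


def regular_write(u, v):
    """Section 5, regular register.  `u` is the value read by the atomic u := x
    that precedes the loop, so pass the value x holds when the write starts:
    do <true -> x := u> [] <true -> x := v> [] <true -> x := v; exit> od."""
    return [(lambda x: u, False), (lambda x: v, False), (lambda x: v, True)]


def select_write(domain, v):
    """Section 5, possibility-friendly variant: x := select(domain(x)) or exit.
    The nondeterministic select is unfolded into one branch per domain element."""
    return [(lambda x, d=d: d, False) for d in domain] + [(lambda x: v, True)]


def observable(fragment, x0, max_steps=None):
    """Breadth-first exploration of a write that starts with x = x0.
    Returns (during, after): `during` is every value x holds at some point
    before the exit branch is taken, i.e. what a read overlapping the write may
    return; `after` is every value x holds once the exit branch has been taken.
    `max_steps` bounds the depth for fragments over unbounded domains."""
    during, after = {x0}, set()
    frontier, depth = {x0}, 0
    while frontier and (max_steps is None or depth < max_steps):
        nxt = set()
        for x in frontier:
            for step, is_exit in fragment:
                y = step(x)
                if is_exit:
                    after.add(y)
                elif y not in during:
                    during.add(y)
                    nxt.add(y)
        frontier, depth = nxt, depth + 1
    return during, after


def steps_to(fragment, x0, target, limit=10_000):
    """Least number of atomic steps of the write (none of them the exit) after
    which a read may return `target`; None if `target` is not observable within
    `limit` steps.  This is the cost of proving the possibility property
    'the read may return target' under the given semantics."""
    dist = {x0: 0}
    queue = deque([x0])
    while queue:
        x = queue.popleft()
        if x == target:
            return dist[x]
        if dist[x] >= limit:
            continue
        for step, is_exit in fragment:
            y = step(x)
            if not is_exit and y not in dist:
                dist[y] = dist[x] + 1
                queue.append(y)
    return None


if __name__ == "__main__":
    print("safe, M=8, writing 5 over 3:     ", observable(safe_write(8, 5), 3))
    print("regular, writing 5 over 3:       ", observable(regular_write(3, 5), 3))
    print("integer, writing 5 over 0, depth 3:", observable(integer_write(5), 0, max_steps=3))
    print("steps before 500 is observable while 200 is written over 0:")
    print("  increment semantics:", steps_to(safe_write(1000, 200), 0, 500))
    print("  select semantics:   ", steps_to(select_write(range(1000), 200), 0, 500))
```

Under the safe-register fragment every value of the domain is observable during the write and exactly v remains after it; under the regular-register fragment only the old value u and v are observable, which is precisely the extra constraint Lamport's regular register imposes. The last two lines reproduce the counting argument of the Concluding Remarks: with increments modulo M, observing 500 while 200 is being written over 0 takes 500 atomic steps, with select it takes one.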

    local var k: 1..N
    while true do
        ⟨Noncritical Section⟩
     1: write true to a[i]
     2: ⟨k := 1⟩
     3: while ⟨k ≤ i − 1⟩ do
     4:     if ⟨a[k]⟩ then
     5:         write false to a[i]
     6:         while ⟨a[k]⟩ do
     7:             ⟨skip⟩
                od
     8:         ⟨goto 1⟩
            fi
     9:     ⟨k := k + 1⟩
        od
    10: ⟨k := i + 1⟩
    11: while ⟨k ≤ N⟩ do
    12:     while ⟨a[k]⟩ do
    13:         ⟨skip⟩
            od
    14:     ⟨k := k + 1⟩
        od
    15: ⟨Critical Section⟩
    16: write false to a[i]
    od

Figure 1: Process P_i of a nonatomic program.

4 Verification

The above semantics suggests the following method for verifying that a nonatomic program P satisfies some assertion, under some fairness condition F. First, translate the pair (P, F) into a pair (P', F'), where P' is an atomic program. Second, show that P' satisfies the required assertion under the fairness condition F'. Since P' is atomic, this step can be accomplished using traditional proof methods, i.e., invariants and well-founded sets [MP 84].

As an example, consider the one-bit mutual exclusion program given in [La 86a]. The program, call it P, consists of N processes, P_1, ..., P_N, that communicate via a global boolean array a[1..N]; each element in the array is initially false. The code for process P_i is shown in Figure 1, and the fairness condition F associated with P is true.

As discussed earlier, the pair (P, F) can be translated into a pair (P', F'). The code for process P'_i in the resulting program P' is shown in Figure 2. The fairness condition F' is as follows: if any exit branch is continuously enabled, then it is eventually executed.

Now, to prove that program P satisfies the mutual exclusion property

    S ≡ [ ∀ i, j : i ≠ j : ¬(P_i at {15} ∧ P_j at {15}) ]

at each of its reachable states, it is sufficient to show that the atomic program P' satisfies S at each of its reachable states. (Fairness is not needed in proving mutual exclusion, since it is a safety property.) This can be done by finding a suitable invariant of P'. To this end, let k_i denote the local variable k of process P'_i, and let z_i be an auxiliary variable of process P'_i defined as follows:

    z_i = 1 if P'_i at {9, 14}
          0 otherwise

Then, the required invariant is as follows. (Proving that it is indeed an invariant of P' is left to the reader.)

    J ≡ S ∧ S1 ∧ S2 ∧ S3 ∧ S4

where

    S1 ≡ [ ∀ i :: P'_i at {2..4, 9..15} ⇒ a[i] ]
    S2 ≡ [ ∀ i :: P'_i at {15} ⇒ k_i > N ]
    S3 ≡ [ ∀ i :: P'_i at {10} ⇒ k_i ≥ i ]
    S4 ≡ [ ∀ i :: P'_i at {3, 4, 9..15} ⇒
             ( ∀ j : j ≠ i ∧ j < k_i + z_i : ¬a[j] ∨ P'_j at {1, 2, 5, 16} ∨ (k_j + z_j ≤ i) ) ]

We used an interesting "heuristic" in order to deduce the invariant J. We first deduced an invariant I for the nonatomic program (Figure 1), under the assumption that each "write true to a[i]" and "write false to a[i]" is an atomic operation. We then "massaged" this invariant to get J. The required massaging was slight, since I was very close to J already; in fact, I ≡ S ∧ S1 ∧ S2 ∧ S3 ∧ R, where

    R ≡ [ ∀ i :: P_i at {3, 4, 9..15} ⇒
            ( ∀ j : j ≠ i ∧ j < k_i + z_i : ¬a[j] ∨ P_j at {2} ∨ (k_j + z_j ≤ i) ) ]

    local var k: 1..N
    while ⟨true⟩ do
        ⟨Noncritical Section⟩
     1: do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := true; exit⟩ od
     2: ⟨k := 1⟩
     3: while ⟨k ≤ i − 1⟩ do
     4:     if ⟨a[k]⟩ then
     5:         do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := false; exit⟩ od
     6:         while ⟨a[k]⟩ do
     7:             ⟨skip⟩
                od
     8:         ⟨goto 1⟩
            fi
     9:     ⟨k := k + 1⟩
        od
    10: ⟨k := i + 1⟩
    11: while ⟨k ≤ N⟩ do
    12:     while ⟨a[k]⟩ do
    13:         ⟨skip⟩
            od
    14:     ⟨k := k + 1⟩
        od
    15: ⟨Critical Section⟩
    16: do ⟨true → a[i] := ¬a[i]⟩ [] ⟨true → a[i] := false; exit⟩ od
    od

Figure 2: Process P'_i of an equivalent atomic program.
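For a fixed small N the second step of the method, showing that the atomic program P' satisfies S at every reachable state, can be carried out mechanically. The following Python checker is an added example, not code from the paper: it encodes each process P'_i of Figure 2 as a transition relation, with the three nonatomic writes modelled by the flip-or-exit loop of Section 3, enumerates every reachable state of P' by breadth-first search, and evaluates S and the conjuncts S1..S4 of J on each of them. Its assumptions: the noncritical section is one atomic step from a label 0 to label 1, k_i starts at 1 (its initial value is irrelevant, since k is assigned at label 2 before it is read), and the inequality in the last disjunct of S4, which the extracted text leaves ambiguous, is read as k_j + z_j ≤ i. The flag skip_upper_scan is a hypothetical mutation of the program, not in the paper, that omits the wait on higher-numbered processes; it is included only to show the checker reporting a violation of S.

```python
"""Explicit-state check of P' (Figure 2), the atomic translation of the one-bit
mutual exclusion program of Figure 1, for a small N.  Added example; not code
from the paper.  Fairness is ignored: mutual exclusion is a safety property.
"""
from collections import deque

NCS, CS = 0, 15                                          # labels of the noncritical / critical section
WRITES = {1: (True, 2), 5: (False, 6), 16: (False, NCS)}  # write label -> (value written, next label)


def successors(state, n, skip_upper_scan=False):
    """Every state reachable from `state` = (pcs, ks, a) by one atomic step of some
    P'_i.  The nonatomic writes are the Section 3 loop: flip a[i], or store the
    written value and exit.  `skip_upper_scan` is a hypothetical mutation (not in
    the paper): label 10 sets k := N+1, so P'_i never waits for higher processes."""
    pcs, ks, a = state
    for i in range(1, n + 1):                            # processes are numbered 1..N as in the paper
        x = i - 1
        pc, k, ai = pcs[x], ks[x], a[x]
        moves = []                                       # (new pc, new k, new a[i])
        if pc == NCS:
            moves.append((1, k, ai))
        elif pc in WRITES:                               # do <a[i] := not a[i]> [] <a[i] := v; exit> od
            v, nxt = WRITES[pc]
            moves += [(pc, k, not ai), (nxt, k, v)]
        elif pc == 2:
            moves.append((3, 1, ai))
        elif pc == 3:                                    # while <k <= i-1> do ... od
            moves.append((4, k, ai) if k <= i - 1 else (10, k, ai))
        elif pc == 4:                                    # if <a[k]> then 5 else 9
            moves.append((5, k, ai) if a[k - 1] else (9, k, ai))
        elif pc == 6:                                    # while <a[k]> do skip od
            moves.append((7, k, ai) if a[k - 1] else (8, k, ai))
        elif pc == 7:
            moves.append((6, k, ai))
        elif pc == 8:                                    # goto 1
            moves.append((1, k, ai))
        elif pc == 9:
            moves.append((3, k + 1, ai))
        elif pc == 10:
            moves.append((11, n + 1 if skip_upper_scan else i + 1, ai))
        elif pc == 11:                                   # while <k <= N> do ... od
            moves.append((12, k, ai) if k <= n else (CS, k, ai))
        elif pc == 12:                                   # while <a[k]> do skip od
            moves.append((13, k, ai) if a[k - 1] else (14, k, ai))
        elif pc == 13:
            moves.append((12, k, ai))
        elif pc == 14:
            moves.append((11, k + 1, ai))
        elif pc == CS:
            moves.append((16, k, ai))
        for npc, nk, nai in moves:
            yield (pcs[:x] + (npc,) + pcs[x + 1:],
                   ks[:x] + (nk,) + ks[x + 1:],
                   a[:x] + (nai,) + a[x + 1:])


def z(pc):
    """Auxiliary variable z_i of Section 4: 1 while P'_i is at label 9 or 14, else 0."""
    return 1 if pc in (9, 14) else 0


def violated(state, n):
    """Names of the conjuncts of J = S ^ S1 ^ S2 ^ S3 ^ S4 that `state` violates.
    The inequality in the last disjunct of S4 is read as k_j + z_j <= i (assumption)."""
    pcs, ks, a = state
    bad = set()
    if sum(pc == CS for pc in pcs) > 1:                  # S: at most one process at label 15
        bad.add("S")
    for i in range(1, n + 1):
        pc, k = pcs[i - 1], ks[i - 1]
        if (pc in (2, 3, 4) or 9 <= pc <= 15) and not a[i - 1]:
            bad.add("S1")
        if pc == CS and not k > n:
            bad.add("S2")
        if pc == 10 and not k >= i:
            bad.add("S3")
        if pc in (3, 4) or 9 <= pc <= 15:
            for j in range(1, n + 1):
                if j == i or not j < k + z(pc):
                    continue
                pcj, kj = pcs[j - 1], ks[j - 1]
                if not (not a[j - 1] or pcj in (1, 2, 5, 16) or kj + z(pcj) <= i):
                    bad.add("S4")
    return bad


def check(n, skip_upper_scan=False):
    """Breadth-first search over the reachable states of P' with N = n.
    Returns (number of reachable states, {conjunct: first violating state})."""
    init = ((NCS,) * n, (1,) * n, (False,) * n)         # every a[i] initially false; k_i = 1 assumed
    seen, queue, violations = {init}, deque([init]), {}
    while queue:
        s = queue.popleft()
        for name in violated(s, n):
            violations.setdefault(name, s)
        for t in successors(s, n, skip_upper_scan):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), violations


if __name__ == "__main__":
    for n in (2, 3):
        count, bad = check(n)
        print(f"N={n}: {count} reachable states; violated: {sorted(bad) or 'none'}")
    print("mutated program violates:", sorted(check(3, skip_upper_scan=True)[1]))
```

Because the flip branch of each write loop is always enabled, the state space contains every interleaving in which a read at labels 4, 6 or 12 observes an arbitrary value during a write, which is exactly what rule 2 of Section 2 permits; a check that passed with the writes modelled as single atomic assignments would say nothing about the nonatomic program. The checker establishes J on the reachable states of P' for the chosen N only; the inductive proof the paper leaves to the reader is what establishes it for every N.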

5 Concluding Remarks

Our approach can be extended to reason about nonatomic writes to unbounded global variables. For example, the semantics of a nonatomic write to an integer variable x can be defined by the program fragment

    do ⟨true → x := x + 1⟩
    [] ⟨true → x := x − 1⟩
    [] ⟨true → x := v; exit⟩
    od

along with the obvious fairness condition.

The semantics that we proposed in Section 3 is, in fact, the semantics of a write operation of a safe register. A safe register is the most primitive register in a hierarchy of registers defined by Lamport [La 86b]; it satisfies only one constraint: a read of a safe register must return the most recently written value if it does not "overlap" a write of the register. Another register in Lamport's hierarchy is the regular register. A regular register is a safe register that satisfies one additional constraint: a read of a regular register that overlaps a write of the register must return either the "old" or the "new" value. The operation "write v to x", where x is a regular register, can be defined by the program fragment

    u := x;
    do ⟨true → x := u⟩
    [] ⟨true → x := v⟩
    [] ⟨true → x := v; exit⟩
    od

along with the usual fairness condition. This example illustrates the fact that our approach is general enough to reason about a variety of shared objects.

The semantics that we suggest is useful for proving safety properties (which specify that something will not occur) and progress properties (which specify that something will occur). However, it is not particularly useful for proving possibility properties (which specify that something may occur). For example, consider a read of a shared variable that occurs while the variable's value is being changed from 0 to 200. To prove that the read may return the value 500, at least 500 atomic steps are required. An alternative semantics, which is more convenient for proving possibility properties, is obtained

by using a nondeterministic selection function. In particular, "write v to x" can be defined by the following program fragment along with the usual fairness condition:

    do ⟨true → x := select(domain(x))⟩
    [] ⟨true → x := v; exit⟩
    od

where select(...) is the selection function, and domain(x) returns the value domain of the variable x.

Recently, Lamport has proposed a proof theory for reasoning about nonatomic programs in which the implementation of the nonatomic operations in terms of atomic operations is left unspecified [La 83, La 87]. Thus, this proof theory allows implementation decisions to be deferred, in contrast to our approach in which implementation decisions are made a priori. On the other hand, our approach allows one to reason about program correctness within the conventional atomic framework, instead of appealing to a new theory.

Acknowledgements

We are thankful to L. Lamport, C. Lengauer, M. Merritt, F. Schneider, and the referees for their helpful comments on this note.

References

[Ho 72] Hoare, C.A.R., "Towards a Theory of Parallel Programming," Operating Systems Techniques, Hoare and Perrott (Eds.), Academic Press, New York, 1972.

[La 77] Lamport, L., "Proving the Correctness of Multiprocess Programs," IEEE Transactions on Software Engineering, Vol. SE-3, No. 2, pp. 125-143, March 1977.

[La 83] Lamport, L., "Reasoning About Nonatomic Operations," Proceedings of the 10th Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 28-37, 1983.

[La 86a] Lamport, L., "The Mutual Exclusion Problem, Parts I and II," Journal of the ACM, Vol. 33, No. 2, pp. 311-348, April 1986.

[La 86b] Lamport, L., "On Interprocess Communication, Parts I and II," Distributed Computing, Vol. 1, pp. 77-101, 1986.

[La 87] Lamport, L., "win and sin: Predicate Transformers for Concurrency," Technical Report, Systems Research Center, Digital Equipment Corporation, May 1987.

[LS 84] Lamport, L., and Schneider, F., "The 'Hoare Logic' of CSP, and All That," ACM Transactions on Programming Languages and Systems, Vol. 6, No. 2, pp. 281-296, April 1984.

[MP 84] Manna, Z., and Pnueli, A., "Adequate Proof Principles for Invariance and Liveness Properties of Concurrent Programs," Science of Computer Programming, Vol. 4, pp. 257-289, 1984.

[OG 76] Owicki, S., and Gries, D., "An Axiomatic Proof Technique for Parallel Programs I," Acta Informatica, Vol. 6, pp. 319-340, 1976.