Possible values: exploring a concept for concurrency

Cliff B. Jones^a,*, Ian J. Hayes^b

^a School of Computing Science, Newcastle University, UK
^b School of Information Technology and Electrical Engineering, The University of Queensland, Australia

arXiv:1601.02312v1 [cs.LO] 9 Jan 2016

Abstract

An important issue in concurrency is interference. This issue manifests itself in both shared-variable and communication-based concurrency — this paper focusses on the former case where interference is caused by the environment of a process changing the values of shared variables. Rely/guarantee approaches have been shown to be useful in specifying and reasoning compositionally about concurrent programs. This paper explores the use of a "possible values" notation for reasoning about variables whose values can be changed multiple times by interference. Apart from the value of this concept in providing clear specifications, it offers a principled way of avoiding the need for some auxiliary (or ghost) variables whose unwise use can destroy compositionality.

Keywords: Concurrent programming, rely/guarantee conditions, possible values

1. Introduction

High on the list of issues that make the design of concurrent programs difficult to get right is 'interference'. Reproducing a situation that exhibited a 'bug' can be frustrating; attempting to reason informally about all possible interleavings of interference can be exasperating; and designing formal approaches to the verification of concurrent programs is challenging.

Recording post conditions for sequential programs applies the only real tool that we have: abstraction is achieved by winnowing out what is inessential in the relationship between the initial and final states of a computation. Post conditions record the required relationship without fixing an algorithm to bring about the transformation; furthermore, they record required properties only of those variables which the environment will use.
The rely/guarantee approach (see Section 1.1) uses abstraction in the same way to provide specifications of concurrent software components that are more abstract than their implementations: for any component, rely conditions are relations that record interference that the component must tolerate and guarantee conditions document the interference that the environment of the component must accept.

* Corresponding author
Preprint submitted to Logical and Algebraic Methods in Programming, January 12, 2016

This paper explores a concept that fits well with rely/guarantee reasoning but probably has wider applicability. In relational post conditions, it is necessary to be able to refer to the initial value $\overleftarrow{x}$ and final value $x'$ of a variable $x$ (e.g. $\overleftarrow{x} \le x' \le \overleftarrow{x} + 9$). If however it is necessary to record something as simple as the fact that a local variable $x$ captures one of the values of a shared variable $y$, it is inadequate to write $x' = \overleftarrow{y} \lor x' = y'$ in the case where $y$ might be changed many times by the environment. Enter 'possible values': the suggested notation is that $\widehat{y}$ denotes the set of values which variable $y$ contains during the execution of the operation in whose specification $\widehat{y}$ is written. So (assuming the access to read the value of $y$ is atomic):

post-Op: $x' \in \widehat{y}$

is satisfied by a simple assignment of $y$ to $x$.

1.1. Rely/Guarantee thinking

Before going into more detail on the possible values notation (see Section 2), a brief overview of background work is offered. The specifications given in Section 3 are written in the notation of VDM [Jon80, Jon90]. It is unlikely that they will present difficulties even to readers unfamiliar with that specific notation because similar ideas for sequential programs are present in Z [Hay93], B [Abr96], Event-B [Abr10], and TLA [Lam03]. The basic idea is of state-based specifications with operations (or events) transforming the state and being specified by something like pre and post conditions. Pre conditions are predicates over states that indicate what can be assumed about states in which an operation can be initiated.
Post conditions are relations over initial and final states that specify the required relations between the initial and final values of state components. Good sequential specifications eschew any details of implementation algorithms: they do not specify anything about intermediate states; in fact an implementation might use a state with more components. At first sight, it might appear surprising that there is not a precise functional requirement on the final state but using non-determinism in specifications turns out to be an extremely useful way of postponing design decisions.

The use of abstract objects in specifications is a crucial tool for larger applications. Moreover, data type invariants can make specifications clearer: restricting types by predicates simplifies pre/post conditions and also offers a way for the specifier to record the intention of a specification. Another useful aspect of VDM is the ability to define more tightly the 'frame' of an operation by recording whether access to state components is for (only) reading or for both reading and writing.¹

The basic rely/guarantee [Jon81, Jon83] idea² is simple: interference is documented and proof rules are given which support reasoning about interference in concurrent threads. Just as in sequential specifications, the role of a state is central to recording rely/guarantee specifications. For concurrency, it is accepted that the environment of a process can change values in the state during execution of an operation.³ Such changes are however assumed to be constrained by a rely condition. In order to reason about the combined effect of operations, the interference that a process can inflict on its environment is also recorded; this is done in a guarantee condition. Both rely and guarantee conditions are, for obvious reasons, relations over states. In the original form – and after many experiments – both conditions are reflexive and transitive, covering the possibility of zero or many steps. Such relations often indicate monotonic evolution of variables.

¹ Most of the literature on rely/guarantee conditions is limited to normal (or 'scoped') variables; [JY15] shows how 'heap' variables can be viewed as representations of more abstract states.
² The literature on rely/guarantee approaches continues to expand; see [JHC15, HJC14] for further references. For a reader who is completely unfamiliar with rely/guarantee concepts, a useful brief presentation can be found in [Jon96].

It is useful to compare the roles of rely and guarantee conditions with the better known pre/post conditions. Pre conditions are essentially an invitation to the designer of a specified component to ignore some starting states; in the same way, the developer can ignore the possibility that interference will make state changes that do not satisfy the rely condition. In neither case should a developer include code to test these assumptions; there is an implicit requirement to prove that the component is only used in an appropriate context. In contrast, post conditions and guarantee conditions are obligations on the running code that the developer has to create; these conditions record properties on which the deployer can depend.

The simplest form of relation that could be used in rely or guarantee conditions is to state that the value of a variable remains unchanged (e.g. $b' = b$). Such unconditional constraints are normally better handled by marking an operation (or part thereof) as having only read access.

Figure 1: A one-place buffer

    f ← wr;
    while true do                     ||  while true do
      ··· produce v ···               ||    while f = wr do skip od;
      while f = rd do skip od;        ||    r ← b;
      b ← v;                          ||    f ← wr;
      f ← rd                          ||    ··· consume r ···
    od                                ||  od

    guar (f = rd ⇒ b' = b) ∧          ||  rely (f = rd ⇒ b' = b) ∧
         (f = rd ⇒ f' = rd)           ||       (f = rd ⇒ f' = rd)
    rely f = wr ⇒ f' = wr             ||  guar f = wr ⇒ f' = wr
There is however an important way to combine 'monotonic' changes to flags with assertions about variables remaining unchanged. Consider a simple one-place buffer in which a producer process places a value in a buffer variable $b$ from which a consumer process extracts values. Testing and setting flag $f$ in Figure 1 ensures that the producer and consumer alternate their access to $b$. During its read phase, the consumer needs to rely on the fact that the value of $b$ cannot change but this is too strong as a rely condition for the whole of the consumer process — the producer process could never insert anything into the buffer if it were required to achieve a guarantee condition of $b' = b$. But the consumer process can instead rely on $f = rd \Rightarrow b' = b$, which in turn is easy for the producer to guarantee. The 'monotonic' behaviour of the flags means that the producer has also to guarantee that $f = rd \Rightarrow f' = rd$ and the consumer must guarantee $f = wr \Rightarrow f' = wr$. This example shows one way in which rely/guarantee conditions can be used to reason about race-free programs. It also illustrates a technique that is used in Section 3 to locate what is going on in the environment without adding auxiliary variables. The example tackled in Section 3 is however much more challenging than this simple one-place buffer.

³ Notice that there is an essential difference here from 'actions' [Bac89] or 'events' [Abr10] which view execution of a guarded action as atomic.

1.2. Law for mutual strengthening of guarantee and rely

As part of the example in Section 3, a new facet of rely/guarantee refinement is needed: it allows mutual strengthening of both rely and guarantee conditions for a portion of one process. The approach is a contribution to rely/guarantee refinement and it makes it possible to avoid introducing additional auxiliary variables (see Section 4.3) in order to handle the example in Section 3.

In the standard approach to rely/guarantee refinement, when two parallel processes are introduced each has an associated rely/guarantee pair and there is an obligation to show that the guarantee of each implies the rely of the other.
Normally the one rely/guarantee pair suffices to handle the refinement of a process but for the example in Section 3 that is not sufficient.

In the standard theory, rely/guarantee pairs are often mutually dependent: for the two-process case, a process $P$ maintaining its guarantee may be dependent on its environment (process $Q$) maintaining the rely of $P$ (by $Q$ maintaining its guarantee) and vice versa. For example, $P$ may guarantee to maintain $x \ge 0$ provided it can rely on its environment maintaining $x \ge 0$. The guarantee, $g$, of a process has to hold for every atomic program step it makes and hence $g$ has to be weak enough to be maintained by every step. However, for a subpart $S$ of $P$, all the atomic steps of $S$ may imply a stronger guarantee $g_s$. As $P$ forms the environment of process $Q$, while $P$ is executing subpart $S$, $Q$ may assume a stronger rely condition of $g_s$ and as a consequence of this its own guarantee may be strengthened from $r$ to $r_s$, which in turn allows process $P$ to assume a stronger rely condition $r_s$, but only while it is executing subpart $S$. Note that while only a subpart $S$ of $P$ is of concern, the whole of $Q$ has to be considered for the strengthening of its rely and guarantee.

In order to establish the strengthened rely/guarantee pair for the duration of $S$, the state when $P$ enters $S$ may need to satisfy an initial condition $j$. For the example in Section 3 a special case of the above reasoning applies in which the guarantee of $P$ is strengthened to state that $P$ does not modify any shared variables. In this case one needs to show that process $Q$ maintains the stronger rely $r_s$ from any initial state satisfying $j$ provided $Q$ suffers no interference from $P$.

1.3. Connection to data abstraction/reification

It is important to appreciate how rely relations abstract from the detail of the actual environmental interference of an operation. Obviously, the most detailed information about an environment is the actual state changes it makes. But designing to such concrete detail would create a component that is not robust to change. Just as post conditions deliberately omit implementation details of a specified operation, it is useful to strive for an abstract documentation of interference.
It is clear that relations cannot record certain sorts of information but, if they are adequate for a given task, their use will yield a more compositional development than the detail of the environment.

The extended example in Section 3 shows the importance of linking rely/guarantee ideas with data abstraction and reification. Specification using abstract mathematical objects and the process of stepwise introduction of more concrete (i.e. closer to hardware) objects is well established for sequential programs and for significant applications is often more telling than the abstraction that comes from post conditions — see, for example, [Jon90]. In addition to layering design decisions, careful use of abstract objects in the development of concurrent programs offers other advantages. In particular, developments can appear to allow data races at an abstract level that are removed by careful choice of a concrete representation — this is discussed in [Jon07]. One reason that this is interesting is Peter O'Hearn's suggested dichotomy in [O'H07] that separation logic is appropriate for reasoning about race avoidance whilst rely/guarantee methods fit 'racy' programs. The distinction between abstract and concrete data races is perfectly illustrated in Section 3 but the example is not easy to summarise. A simpler example is searching an array to find the lowest index of an element that satisfies a predicate $P$ by means of two parallel processes that search the elements with, respectively, even and odd indices (for a full development of this example, see [HJC14]). If a single variable $t$ were used to record the least index of an element that satisfies $P$, it would be necessary to have locks in the two processes to avoid a data race on $t$. A neat way to avoid the 'write/write' race is to represent $t$ by the minimum of two variables, $et$ and $ot$, that record the least value of, respectively, even and odd indices where the array element satisfies $P$. The 'write/write' race, which is useful in an abstract description of the design, is reduced to a 'read/write' race because the actual code for each process updates only one of the variables although it reads the other variable in its loop test (and on the completion of both processes $t$ can be retrieved as $\min(et, ot)$).
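Both the one-place buffer of Figure 1 (Section 1.1) and the even/odd search just described are small enough for their guarantee conditions to be checked over every interleaving of atomic steps. The following is an added example written for this page; it is not code from the paper or from [HJC14]. The names explore, Buf, producer, consumer, hasty_producer, check_buffer, Search, searcher, keeps and check_search are chosen here; the producer is assumed to stop after N values, the searcher's loop test is modelled as one atomic read of both bounds, and the array A and predicate P are constructed inputs. The guarantee conditions checked are those of Figure 1 and, for the search, that each process never writes the other's bound.

```python
# Added example (not the paper's code): an exhaustive interleaving checker for the
# one-place buffer of Figure 1 and for the even/odd array search of Section 1.3.
# A process is a function (state, pc) -> (state', pc') giving one atomic step, or
# None once it has terminated; states are namedtuples so they can be hashed.
from collections import namedtuple


def explore(init, procs, guar):
    """Final states reachable by any interleaving; AssertionError if a step of process i breaks guar[i]."""
    finals, seen = set(), set()
    stack = [(init, (0,) * len(procs))]
    while stack:
        state, pcs = stack.pop()
        if (state, pcs) in seen:
            continue
        seen.add((state, pcs))
        moved = False
        for i, proc in enumerate(procs):
            step = proc(state, pcs[i])
            if step is None:
                continue
            moved = True
            new_state, new_pc = step
            assert guar[i](state, new_state), f"process {i} broke its guarantee at {state}"
            stack.append((new_state, pcs[:i] + (new_pc,) + pcs[i + 1:]))
        if not moved:
            finals.add(state)
    return finals

# Figure 1: f and b are shared; k (next value to produce) and log (values consumed)
# are local to the producer and consumer respectively. N bounds the run.
Buf = namedtuple("Buf", "f b k r log")
N = 3

def producer(s, pc):
    if pc == 0:                                        # ··· produce v ··· (v = k); stop after N values
        return None if s.k > N else (s, 1)
    if pc == 1:                                        # while f = rd do skip od
        return (s, 1) if s.f == "rd" else (s, 2)
    if pc == 2:                                        # b ← v
        return (s._replace(b=s.k, k=s.k + 1), 3)
    return (s._replace(f="rd"), 0)                     # f ← rd

def consumer(s, pc):
    if pc == 0:                                        # stop after N values consumed
        return None if len(s.log) == N else (s, 1)
    if pc == 1:                                        # while f = wr do skip od
        return (s, 1) if s.f == "wr" else (s, 2)
    if pc == 2:                                        # r ← b
        return (s._replace(r=s.b), 3)
    return (s._replace(f="wr", log=s.log + (s.r,)), 0) # f ← wr; ··· consume r ···

def producer_guar(s, t):                               # (f = rd ⇒ b' = b) ∧ (f = rd ⇒ f' = rd)
    return s.f != "rd" or (t.b == s.b and t.f == "rd")

def consumer_guar(s, t):                               # f = wr ⇒ f' = wr
    return s.f != "wr" or t.f == "wr"

def hasty_producer(s, pc):
    """Variant that skips the wait on f and so can overwrite b during a read."""
    return producer(s, 2 if pc == 1 else pc)

def check_buffer(prod=producer):
    """Consumed sequences over all interleavings, or the guarantee violation found."""
    try:
        finals = explore(Buf("wr", 0, 1, None, ()), (prod, consumer), (producer_guar, consumer_guar))
    except AssertionError as err:
        return str(err)
    return {s.log for s in finals}

# Section 1.3: least index of A satisfying P. Each searcher writes only its own
# bound (et or ot) but reads both in its loop test, which is modelled as one
# atomic read of both bounds. A and P are constructed for the example.
A = (3, 9, 4, 8, 12, 1)
P = lambda v: v >= 8                                   # holds at indices 1, 3 and 4
Search = namedtuple("Search", "et ot ec oc")           # et/ot shared bounds; ec/oc local counters

def searcher(mine, counter):
    def proc(s, pc):
        c = getattr(s, counter)
        if pc == 0:                                    # while c < min(et, ot) do
            return (s, 1) if c < min(s.et, s.ot) else None
        if pc == 1:                                    # if P(A[c]) then mine ← c fi
            return (s._replace(**{mine: c}) if P(A[c]) else s, 2)
        return (s._replace(**{counter: c + 2}), 0)     # c ← c + 2
    return proc

def keeps(other):
    """Guarantee of a searcher: it never writes the other process's bound."""
    return lambda s, t: getattr(s, other) == getattr(t, other)

def check_search():
    """(set of min(et, ot) over all final states, number of distinct final states)."""
    finals = explore(Search(len(A), len(A), 0, 1),
                     (searcher("et", "ec"), searcher("ot", "oc")),
                     (keeps("ot"), keeps("et")))
    return {min(s.et, s.ot) for s in finals}, len(finals)
```

With the producer of Figure 1, every interleaving delivers exactly (1, 2, 3) and no step breaks a guarantee; with hasty_producer, which writes b without waiting for f = wr, the explorer stops at the first step that falsifies f = rd ⇒ b' = b. For the search, the final values of et and ot differ between interleavings (three distinct final states for the constructed A) but min(et, ot) is always the sequential answer, index 1, and neither process ever writes the other's bound.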
The citations above relate to the original form of rely/guarantee reasoning in which the (potentially) four conditions are combined. More recent work has shown how separate rely and/or guarantee constraints can be wrapped around any command including conventional refinement calculus style specifications. The presentation in [JHC15, HJC14] of rely/guarantee thinking makes algebraic properties clearer.

1.4. Plan of this paper

This paper provides evidence of the usefulness of the possible values concept. Section 2 presents a notation for the concept while Section 3 is an extended example using the concept and notation. Section 2.2 outlines how a semantic model can be provided and looks at the form of laws that would fit the newer presentation of rely/guarantee reasoning [HJC14, JHC15]. The current authors recognise that this paper represents the start of an exploration — some avenues to be investigated are mentioned in Section 4.

2. Possible values

It is argued above that the confessed expressive weakness of rely/guarantee specifications serves the purpose of preserving some form of compositionality in the design of concurrent programs. However, if notations can be found that increase expressive power, they should be evaluated both for expressiveness and tractability. The simple case mentioned above of using one or more possible values terms in a post condition is considered first and issues about extension are deferred to Section 4.

2.1. Possible values of variables

If an operation only has read access to a shared variable $y$ and $x$ is a local variable of the process, then:

post-Op: $x' \in \widehat{y}$   (1)

requires that the final value of the variable $x$ should contain one of the values that the environment places in the variable $y$ — this includes the (initial) value of $y$ at the time Op began execution. So $\widehat{y}$ denotes a set of values whose elements have the type of $y$.
Notice that the post condition above is 'stable' in the sense that the environment might change the value of $y$ after Op accesses the variable and the post condition is still true. In contrast, it would be unwise to write a post condition that contained $x' \notin \widehat{y}$ because this would not be stable and it would appear to require that every possible change that the environment makes to the value of $y$ is observed. (In some cases, it would be possible to establish such a result under a suitable rely condition; but some form of (local) data type invariant should also be considered in such cases.)

So, for the straightforward case, the post condition (1) can be established by the atomic assignment $x \leftarrow y$. As is reported in Section 3.2, an instance of this simple case was the inspiration for the possible values notation. There are however several vectors of extension. If the process in which the $\widehat{y}$ term is written also has write access to the variable $y$, it is necessary to take a position on whether both environment assignments to $y$ and those of the component itself are reflected in $\widehat{y}$; the view of the current authors is that $\widehat{y}$ contains all values of $y$ that could be observed by the process.

2.2. Semantics and laws

It is not difficult to see how a formal meaning can be given to the simple form of the possible values notation in a semantics such as that in [HJC14]: basically, that portion of the sequence of states that corresponds to the execution of an operation is distinguished so as to identify the first and last states in order to give a semantics to post conditions. It is only necessary to consider all of the states in that portion and to extract the set of values of the relevant variable.

Another interesting semantic issue concerns locking. In fact, the possible values notation forces consideration of a number of facets of 'atomicity'. Locking may be used to ensure mutually exclusive access to a set of variables. A process may lock a resource protecting a set of variables.
While it owns the lock, it may make multiple changes to the variables protected by the lock; however, any other processes accessing the protected variables cannot observe any of the intermediate states of the protected variables. Hence a process in the scope of a resource with a set of protected variables can only observe the initial and final states of a protected block within another process. Throughout the body of a protected block a process can rely on the protected variables being stable. Furthermore, any guarantee involving just the protected variables has to hold only between the initial and final states of the protected block.

Just as the semantics for the straightforward use of possible values terms in a post condition poses no difficulties in terms of the underlying traces, a rather simple law suffices to reason about the notation. Here, it is convenient to switch to the refinement calculus style of [JHC15, HJC14] in which the specification statement $x\colon [q]$ establishes the post condition $q$ and modifies only $x$, and the command $c$ in a rely context of $r$ is written $\mathbf{rely}\ r \cdot c$. Assuming a read of $y$ is atomic, the following law holds.

$\mathbf{rely}\ (x' = x) \cdot x\colon [x' \in \widehat{y}] \sqsubseteq x \leftarrow y$   (2)

The rely condition $x' = x$ is required to ensure that the environment doesn't change $x$ after the assignment is made. For example, $x$ may be a local variable or, as below in Section 3.3, annotated owns wr $x$.

2.3. Possible values of expressions

For the set of possible values of an expression, $e$, one needs to consider the corresponding set of states of the execution and form the set $\widehat{e}$ of values of $e$, each evaluated in one of those states. Importantly, all values of program variables used in $e$ are sampled in a single state for each evaluation. For example, for the specification

$x\colon [x' \in \widehat{y + y}]$   (3)

both occurrences of $y$ are sampled in the same state and hence the resultant value is always even (assuming the variables are integer valued). Note that there is a subtle difference between (3), which samples $y$ once, and

$x\colon [\exists v, w \cdot v \in \widehat{y} \wedge w \in \widehat{y} \wedge x' = v + w]$

which samples $y$ twice so that the values of $v$ and $w$ may differ.
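The trace semantics sketched in Section 2.2 (collect the values a variable takes over the states spanned by the operation) can be run on a concrete trace, and doing so makes the stability remark of Section 2.1 and the single-sampling point of (3) visible. The following is an added example, not the paper's code: possible_values, post_possible_values, post_before_or_after, post_not_in, is_stable, sampled_once and sampled_twice are names chosen here, and TRACE and LATER are constructed state sequences in which the environment writes to y twice during an operation x ← y whose atomic read happens between the two writes.

```python
# Added example (not the paper's code): the possible values of a variable or
# expression computed from the trace of states spanned by an operation, in the
# sense of Section 2.2, and the post conditions (1) and (3) evaluated against it.
# A trace is the list of states (dicts of variable values) from the first to the
# last state of Op; the traces below are constructed for the example.

def possible_values(trace, expr):
    """The set of values of expr, each evaluated in one state of the trace, so
    every variable expr reads is sampled in the same state (Section 2.3)."""
    return {expr(s) for s in trace}

Y = lambda s: s["y"]                    # the variable y viewed as an expression

# Op is x ← y. The environment writes 4 to y before the atomic read and 9 after
# it, so y takes three values during Op and the read sees the middle one.
TRACE = [{"x": 0, "y": 1}, {"x": 0, "y": 4}, {"x": 4, "y": 4}, {"x": 4, "y": 9}]

def post_possible_values(trace):
    """post-Op (1): x' ∈ ŷ."""
    return trace[-1]["x"] in possible_values(trace, Y)

def post_before_or_after(trace):
    """The inadequate x' = ↼y ∨ x' = y' (initial or final value of y only)."""
    return trace[-1]["x"] in (trace[0]["y"], trace[-1]["y"])

def is_stable(post, trace, later_env_states):
    """A post condition is stable if environment steps after Op cannot falsify
    it: it must hold on every extension of the trace by those steps."""
    return all(post(trace + later_env_states[:k]) for k in range(len(later_env_states) + 1))

def post_not_in(trace):
    """x' ∉ ŷ for a hypothetical Op that set x to 7, a value y never held during Op."""
    return 7 not in possible_values(trace, Y)

LATER = [{"x": 4, "y": 7}]              # one more environment write after Op has finished

def sampled_once(trace):
    """(3): the possible values of y + y with both occurrences read in one state."""
    return possible_values(trace, lambda s: s["y"] + s["y"])

def sampled_twice(trace):
    """∃v, w · v ∈ ŷ ∧ w ∈ ŷ ∧ x' = v + w: the two samples may come from different states."""
    ys = possible_values(trace, Y)
    return {v + w for v in ys for w in ys}
```

On TRACE the possible values of y are {1, 4, 9}; the read delivered 4, so (1) holds while the before-or-after form fails. Extending the trace with the later environment write of 7 leaves (1) true but falsifies x' ∉ ŷ, which is why the paper calls the latter unstable. Sampling y once gives {2, 8, 18}, all even, whereas sampling it twice also yields the odd sums 5 and 13.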
Replacing $y$ in the law (2) with an expression $e$ introduces the complication that each variable reference in the evaluation of $e$ in the assignment could be accessed in a different state. Note that if $e$ has multiple references to a single variable $y$, each reference could be accessed in a different state. However, if $e$ has only a single reference to a variable $y$ and all other variables in $e$ are stable, any evaluation of $e$ is equivalent to evaluating it in the state in which $y$ is accessed and the law is valid. Let $S$ be a set of variables such that the free variables of $e$ are contained in $S \cup \{y\}$ and $e$ has only a single reference to $y$ and accesses to $y$ are atomic, then

$\mathbf{rely}\ (x' = x \wedge (\bigwedge z \in S \cdot z' = z)) \cdot x\colon [x' \in \widehat{e}] \sqsubseteq x \leftarrow e$.   (4)

If $e$ is of the form $d(f)$ for a mapping $d$ and expression $f$, stability is required on the program variables in $f$ but stability is not required for the whole of $d$, just $d(f)$, because the other elements of $d$ have no effect on the expression's value.

If the expression $e$ contains multiple references to a variable $x$, saving $x$ in a local variable $t$ and then evaluating $e$ in terms of $t$ ensures that the value used for $x$ is from a single state. The following refinement law ensures $x$ is sampled once. It is assumed that $r$ and $t$ are local variables (and hence the environment cannot change them) and that $r$ and $t$ do not occur free in $e$.

$t, r\colon [r' \in \widehat{e[x/v]}] \sqsubseteq \langle t \leftarrow x \rangle;\ r\colon [r' \in \widehat{e[t/v]}]$   (5)

For this to be valid one needs to rely on the environment maintaining $\widehat{e[t/v]} \subseteq \widehat{e[x/v]}$ for the duration of the command. This holds provided the rely condition

$x' \neq t \wedge t' = t \Rightarrow e[t/v]' = e[t/v]$

is maintained by the environment, where $e[t/v]'$ stands for $e[t/v]$ evaluated in the after state, i.e. $e'$ is $e$ with every program variable $y$ in $e$ replaced by $y'$.

Law (5) can be justified as follows. The atomic statement $\langle t \leftarrow x \rangle$ establishes $e[t/v] = e[x/v]$. An environment step that has a final state in which $x' = t$ establishes $e[t/v]' = e[x/v]'$; otherwise the environment establishes $e[t/v]' = e[t/v] = e[x/v]$.

As an example consider the case in which the expression $e$ is $d(v)$. Applying (5) gives

$t, r\colon [r' \in \widehat{d(x)}] \sqsubseteq \langle t \leftarrow x \rangle;\ r\colon [r' \in \widehat{d(t)}]$   (6)

provided its environment ensures the condition: $x' \neq t \Rightarrow d'(t) = d(t)$.
Immediately after the atomic assignment to $t$,

$d(t) = d(x) \in \widehat{d(x)}$.   (7)

If the environment makes a step that does not change $x$, (7) is maintained because $d'(t') = d'(x')$ but if the environment changes $x$ so that it no longer equals $t$ one can no longer rely on $d'(t')$ being the same as $d'(x')$. However, if one can rely on $d(t)$ being stable and because $d(t) = d(x)$ and $d'(t') = d(t)$, one can still deduce $d'(t') = d(x)$.

3. Asynchronous Communication Mechanisms

An Asynchronous Communication Mechanism (ACM) logically provides a one-place buffer between a single writer and a single reader (see Figure 2). This sounds trivial but the snag is in the adjective: ACMs are asynchronous in the sense that neither the reader nor the writer should ever be held up by locks.⁴ Unless the value being communicated via the buffer is small enough to be read and written atomically, it should be obvious that one slot is not enough to realise the buffer; a little thought shows that a buffer representation with two slots is also inadequate; the topic of how many slots are required is returned to in Section 3.4. In [Sim90], Hugo Simpson proposed a 'four-slot' algorithm to implement an ACM for which, while the code is short, extremely subtle reasoning is required for its justification.

⁴ This contrasts with the simple one-place buffer in Section 1 where the code would 'busy wait' on the value of a flag to control alternation between the producer and consumer.

Figure 2: Code to clarify reader/writer structure

    while true do              ||  while true do
      ··· produce v ···        ||    r ← Read()
      Write(v)                 ||    ··· consume r ···
    od                         ||  od

3.1. ACM requirements

The requirement is to communicate the "most recent" value from a single producer to a single consumer via a shared buffer. More precisely, it must satisfy the following.
• It is assumed that there is only a single reader and a single writer but the reader and writer processes operate completely asynchronously
• A write puts a new value in the buffer
• A read gets a completely written value from the buffer
• The value read is at least as fresh as the last completely written value when the read started – this implies that, for two consecutive reads, the value read by the second read will be at least as fresh as that read by the first
• Reads and writes must not block (no locks)
• Reads and writes of values can't be assumed to be atomic (i.e. a single value may be larger than the atomic changes made by the hardware)
• The only thing Simpson assumes to be atomic is the setting of single bits (and they are actually realised by wires)
• The buffer is initialised with a data value (so there is always something to read)
• The buffer is shared by the reading and writing processes alone (i.e. no third process can modify the buffer)

In the terminology of Lamport [Lam86] this can be summarised as implementing a single-reader wait-free atomic register in terms of atomic Boolean control registers.

3.2. Approaches to specifying ACM

There is an interesting range of approaches as to how the requirements that are listed above can be expressed in a formal specification. Without surveying all of them, it fits the theme of this paper to review two strands of publications:⁵ one motivated by (Concurrent) Separation Logic [Rey02, O'H07] and the other by rely/guarantee methods. Surveying the latter also pinpoints the origin of the possible value notation.

⁵ Other approaches include [Hen04, Abr10].

Richard Bornat is an expert on separation logic so it is interesting to look at how he has formalised the specification and development of Simpson's 'four slot' algorithm. In [BA10], separation logic is certainly used but it is interesting to see that the paper also uses rely/guarantee concepts. In contrast, [BA13] makes no real use of separation logic and the specification uses the concept of linearisability [HW90]. The reason that this history is enlightening is that the essence of Simpson's algorithm is the exchange of 'ownership' of the four slots between the reader and writer processes.
This is done precisely to ensure (data) race freedom so one would anticipate that separation logic would be in its element. There is, in fact, one paper that uses separation logic for precisely this form of argument; unfortunately [WW12] does not include an argument that the reader always gets the 'freshest' value and a recent private correspondence with one of the authors indicates that they have not extended their work to cover this essential property.

It is only fair to make an equally critical assessment of two papers [JP08, JP11] that use rely/guarantee ideas. In the development recorded in [JP08],⁶ it is necessary to assert that the value of one variable ($lw$) is assigned to another variable ($cr$); this assertion was recorded as:

$cr' = \overleftarrow{lw} \lor cr' = lw'$.

This plausible attempt says that the final value of $cr$ is either the initial or final value of $lw$. Unfortunately, during the operation being specified, the value of $lw$ could potentially be changed more than once. This observation was precisely the stimulus that led to the invention of the notation for possible values. In addition to various improvements and clarifications in the development, the journal version [JP11] resolves the problem by using

$cr' \in \widehat{lw}$.

Rushby [Rus02] noted a similar issue in model checking Simpson's algorithm: a version checking for just the before or after values fails in the case of multiple writes overlapping a single read. To handle this in the model checking context, Rushby restricts the sequence of data values written so that they are strictly increasing in value, and then checks that the sequence of values read is nondecreasing, which he concludes is necessary but may not be sufficient. He concedes that this is a limitation of the expressiveness of the model checking specification language (which does not have the (unbounded) expressive power of the possible values notation).

There is however a deeper objection to both of the Jones/Pierce specifications of ACMs. In both cases, the most abstract specification uses a variable ($data\text{-}w$) that contains the entire history of values written by the write process.
This is in spite of the fact that a read operation cannot access values in the sequence earlier than the last value added before the read began. This sort of redundancy is deprecated in [Jon90, Sect. 9.3] as using a 'biased' representation: the state contains values that have no influence on subsequent operations. Where there is no bias in the representation underlying a specification, a homomorphism (retrieve function) relates a representation

⁶ The variable names in the Jones/Pierce papers are hold-r/fresh-w; for the reader's convenience, these have been changed in the extracts in the current paper to match the names used here (cr/lw).
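The freshness requirement of Section 3.1 and the contrast drawn in Section 3.2 between the before-or-after assertion of [JP08] and the possible values form $cr' \in \widehat{lw}$ of [JP11] can be checked mechanically over a trace of reader and writer events. The following is an added example, not code from the paper or from any of the cited works: check_reads and reads_nondecreasing are names chosen here, the event vocabulary ("ws", "we", "rs", "re") is an assumption of this example, and TRACE is a constructed event sequence in which two writes complete while one read is in progress, plus one deliberately stale read. Written values are taken to be distinct so that each value identifies one write.

```python
# Added example (not the paper's code): a checker for the requirements of
# Section 3.1 over a constructed trace of reader/writer events, stated in the
# possible values form cr' ∈ lw-hat of Section 3.2 (lw: the last completely
# written value, cr: the value a read delivers). Written values are distinct
# so that each value names exactly one write.

def check_reads(events, initial):
    """events: ("ws", v) a write of v starts; ("we",) that write completes;
    ("rs",) a read starts; ("re", v) the read ends, delivering v.
    Returns one verdict dict per read."""
    written = [initial]        # completely written values in completion order (index = seq)
    lw = 0                     # seq of the last completely written value
    pending = None             # value of the write in progress, if any
    lw_hat = None              # possible values of lw during the current read
    verdicts = []
    for ev in events:
        if ev[0] == "ws":
            pending = ev[1]
        elif ev[0] == "we":
            written.append(pending)
            lw = len(written) - 1
            if lw_hat is not None:
                lw_hat.append(lw)  # a write completed while a read was in progress
        elif ev[0] == "rs":
            lw_hat = [lw]          # initial lw: the last complete value when the read started
        elif ev[0] == "re":
            seq = written.index(ev[1]) if ev[1] in written else None
            verdicts.append({
                "value": ev[1],
                "seq": seq,
                "completely_written": seq is not None,
                "fresh": seq is not None and seq >= lw_hat[0],
                # cr' ∈ lw-hat: holds exactly when the value is completely written and fresh
                "possible_values_post": seq in lw_hat,
                # cr' = initial lw ∨ cr' = final lw: the before-or-after form of [JP08]
                "before_or_after_post": seq in (lw_hat[0], lw_hat[-1]),
            })
            lw_hat = None
    return verdicts

def reads_nondecreasing(verdicts):
    """Consecutive reads must deliver values at least as fresh as the previous read's."""
    seqs = [v["seq"] for v in verdicts]
    return all(a <= b for a, b in zip(seqs, seqs[1:]))

# Constructed trace: the buffer starts holding the initial value "a".
TRACE = [
    ("ws", "b"), ("we",),                                               # b complete before any read
    ("rs",), ("ws", "c"), ("we",), ("ws", "d"), ("we",), ("re", "c"),   # two writes complete during one read
    ("rs",), ("re", "d"),                                               # a read delivering the latest value
    ("rs",), ("re", "b"),                                               # stale: d was complete when this read began
]
```

For the first read, lw takes the values b, c, d while the read is in progress; delivering c satisfies $cr' \in \widehat{lw}$ but fails the before-or-after assertion, which is precisely the multiple-writes-overlapping-a-read case noted by Rushby. The second read satisfies both forms. The third read delivers a completely written but stale value, so it fails the freshness requirement and, with it, the possible values post condition, and the sequence of the three reads is no longer nondecreasing in freshness.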
