Lec 13
Lec 13
Lec 13
Class 13
Today’s plan
• Asynchronous shared-memory systems
• The mutual exclusion problem
• Dijkstra’s algorithm
• Peterson’s algorithms
• Lamport’s Bakery algorithm
• Reading: Chapter 9, 10.1-10.5, 10.7
• Next: Sections 10.6-10.8
Asynchronous Shared-Memory
Systems
Asynchronous Shared-Memory
systems
• We’ve covered basics of non-fault-tolerant asynchronous
network algorithms:
– How to model them.
– Basic asynchronous network protocols---broadcast, spanning trees,
leader election,…
– Synchronizers (running synchronous algorithms in asynch networks)
– Logical time
– Global snapshots
• Now consider asynchronous shared-memory systems:
• Processes, interacting via shared objects,
possibly subject to some access constraints. p1
x1
• Shared objects are typed, e.g.: p2
– Read/write (weak)
– Read-modify-write, compare-and-swap (strong) x2
– Queues, stacks, others (in between) pn
Asynch Shared-Memory systems
• Theory of ASM systems has much in common with theory
of asynchronous networks:
– Similar algorithms and impossibility results.
– Even with failures.
– Transformations from ASM model to asynch network model allow
ASM algorithms to run in asynchronous networks.
• “Distributed Shared Memory”.
• Historically, theory for ASM started first.
• Arose in study of early operating systems, in which several
processes can run on a single processor, sharing memory,
with possibly-arbitrary interleavings of steps.
• Currently, ASM models apply to multiprocessor shared-
memory systems, in which processes can run on separate
processors and share memory.
Topics
• Define the basic system model, without failures.
• Use it to study basic problems:
– Mutual exclusion.
– Other resource-allocation problems.
• Introduce process failures into the model.
• Use model with failures to study basic problems:
– Distributed consensus
– Implementing atomic objects:
• Atomic snapshot objects
• Atomic read/write registers
• Wait-free and fault-tolerant computability theory
• Modern shared-memory multiprocessors:
– Practical issues
– Algorithms
– Transactional memory
Basic ASM Model, Version 1
• Processes + objects, modeled as automata.
p1
• Arrows: x1
– Represent invocations and responses for p2
operations on the objects.
x2
– Modeled as input and output actions.
pn
• Fine-granularity model, can describe:
– Delay between invocation and response. invoke(read)
– Concurrent (overlapping) operations: p1
• Object could reorder. x1
• Could allow them to run concurrently, interfering with respond(v)
each other.
invoke(write,v)
• We’ll begin with a simpler, coarser model: p1
– Object runs ops in invocation order, one at a time. x1
– In fact, collapse each operation into a single step. respond()
• Return to the finer model later.
Basic ASM Model, Version 2
• One big shared memory system automaton A.
• External actions at process “ports”. A
• Each process i has: p1
– A set statesi of states. x1
– A subset starti,of start states. p2
• Each variable x has:
x2
– A set valuesx of values it can take on.
pn
– A subset initialx of initial values.
• Automaton A:
– States: State for each process, a value for each variable.
– Start: Start states, initial values.
– Actions: Each action associated with one process, and some also with a
single shared variable.
– Input/output actions: At the external boundary.
– Transitions: Correspond to local process steps and variable accesses.
• Action enabling, which variable is accessed, depend only on process state.
• Changes to variable and process state depend also on variable value.
• Must respect the type of the variable.
– Tasks: One or more per process (threads).
Basic ASM Model
• Execution of A: A
– By IOA fairness definition, each task gets p1
infinitely many chances to take steps. x1
p2
– Model environment as a separate automaton,
to express restrictions on environment
x2
behavior.
pn
x2
• Architecture:
Un pn
– Uis and A are IOAs, compose.
The Mutual Exclusion Problem
• Actions at user interface:
– tryi, criti, exiti, remi tryi
– Ui interacts with pi criti
• Correctness conditions: Ui pi
exiti
– Well-formedness (Safety property): remi
• System obeys cyclic discipline.
• E.g., doesn’t grant resource when it wasn’t
requested.
– Mutual exclusion (Safety):
• System never grants to > 1 user
simultaneously.
A
• Trace safety property. U1 p1
• Or, there’s no reachable system state in
which >1 user is in C at once. x1
U2 p2
– Progress (Liveness):
• From any point in a fair execution: x2
– If some user is in T and no user is in C then at
some later point, some user enters C. Un pn
– If some user is in E then at some later point,
some user enters R.
The Mutual Exclusion Problem
• Well-formedness (Safety):
A
– System obeys cyclic discipline. U1 p1
• Mutual exclusion (Safety): x1
– System never grants to > 1 user. U2 p2
• Progress (Liveness): x2
– From any point in a fair execution: Un pn
• If some user is in T and no user is in C then
at some later point, some user enters C.
• If some user is in E then at some later point,
some user enters R.
• Fairness assumption:
– Progress condition requires fairness assumption (all process
tasks continue to get turns to take steps).
– Needed to guarantee that some process enters C or R.
– In general, in the asynchronous model, liveness properties
require fairness assumptions.
– Contrast: Well-formedness and mutual exclusion are safety
properties, don’t depend on fairness.
One more assumption…
• No permanently active processes.
– Locally-controlled actions can be enabled only
when user is in T or E.
– No always-awake, dedicated processes.
– Motivation:
• Multiprocessor settings, where users can run
processes at any time, but are otherwise not involved
in the protocol.
• Avoid “wasting processors”.
Mutual Exclusion algorithm
[Dijkstra 65]
• Based on Dekker’s 2-process solution.
• Pseudocode, p. 265-266
– Written in traditional sequential style, must somehow translate into
more detailed state/transition description.
• Shared variables: Read/write registers.
– turn, in {1,2,…,n}, multi-writer multi-reader (mWmR), init anything.
– for each process i:
• flag(i), in {0,1,2}, single-writer multi-reader (1WmR), init 0
• Written by i, read by everyone.
• Process i’s Stage 1:
– Set flag := 1, test to see if turn = i.
– If not, and turn’s current owner is seen to be inactive, then set turn := i.
– Otherwise go back to to testing…
– When you see turn = i, move to Stage 2.
Dijkstra’s algorithm
• Stage 2:
– Set flag(i) := 2.
– Check (one at a time, any order) that no other process has flag = 2.
– If check completes successfully, go to C.
– If not, go back to beginning of Stage 1.
• Exit protocol:
– Set flag(i) := 0.
• Problem with the sequential code style:
– Unclear what constitutes an atomic step.
• E.g., need three separate steps to test turn, test flag(turn), and set turn.
– Must rewrite to make this clear:
• E.g., precondition/effect code (p. 268-269)
• E.g., sequential-style code with explicit reads and writes, one per line.
Dijkstra’s algorithm, pre/eff code
• One transition definition for each kind of atomic step.
• Explicit program counter, pc.
• E.g.: When pc is:
– set-flag-1i: Sets flag to 1 and prepares to test turn.
– test-turni: Tests turn, and either moves to Stage 2 or prepares to
test the current owner’s flag.
– test-flag(j)i: Tests j’s flag, and either goes on to set turn or goes back
to test turn again.
– …
– set-flag-2i: Sets flag to 2 and initializes set S, preparing to check all
other processes’ flags.
– check(j)i: If flag(j) = 2, go back to beginning.
– …
• S keeps track of which processes have been successfully
checked in Stage 2.
Precondition/effect code
Shared variables:
turn ∈ {1,…,n}, initially arbitrary
for every i:
flag(i) ∈ {0,1,2}, initially 0
Actions of process i:
Input: tryi, exiti
Output: criti, remi
Internal: set-flag-1i, test-turni, test-flag(j)i, set-turni, set-flag-2i,
check(j)i, reseti
Precondition/effect code,
Dijkstra process i
tryi: test-flag(j)i
Eff: pc := set-flag-1 Pre: pc = test-flag(j)
Eff: if flag(j) = 0 then pc := set-turn
else pc := test-turn
set-flag-1i :
Pre: pc = set-flag-1 set-turni :
Eff: flag(i) := 1 Pre: pc = set-turn
Eff: turn := i
pc := test-turn
pc := set-flag-2
test-turni :
Pre: pc = test-turn set-flag-2i :
Pre: pc = set-flag-2
Eff: if turn = i then pc := set-flag-2
Eff: flag(i) := 2
else pc := test-flag(turn) S := {i}
pc := check
More precondition/effect code,
Dijkstra process i
check(j)i : exiti
Pre: pc = check Eff: pc := reset
j∉S
Eff: if flag(j) = 2 then reseti :
S := ∅ Pre: pc = reset
pc := set-flag-1 Eff: flag(i) := 0
S := ∅
else
pc := leave-exit
S := S ∪ {j}
if |S| = n then pc := leave-try
remi :
Pre: pc = leave-exit
criti : Eff: pc := rem
Pre: pc = leave-try
Eff: pc := crit
Note on code style
• Explicit pc makes atomicity clear, but looks
somewhat verbose/awkward.
• pc is often needed in invariants.
• Alternatively: Use sequential style, with explicit
reads or writes (or other operations), one per line.
• Need line numbers:
– Play same role as pc.
– Used in invariants: “If process i is at line 7 then…”
Correctness
Initial
state
• Well-formedness: Obvious.
• Mutual exclusion:
– Based on event order in executions, rather
than invariants.
– By contradiction: Assume Ui, Uj are ever in U i , Uj
C at the same time. in C
α1
No region changes, everyone in T or R, all in T have flag ≥ 1.
Progress, cont’d
α “Contenders”
α1
No region changes, everyone in T or R, all in T have flag ≥ 1.
α1
No region changes, everyone in T or R, all in T have flag ≥ 1.
α2
turn remains = i
Other process not active. Other process has the turn variable.
– Toggles between the two tests.
• Exit protocol:
– Sets flag(i) := 0
Precondition/effect code
Shared variables:
turn ∈ {0,1}, initially arbitrary
for every i ∈ {0,1}:
flag(i) ∈ {0,1}, initially 0
Actions of process i:
Input: tryi, exiti
Output: criti, remi
Internal: set-flagi, set-turni, check-flagi, check-turni, reseti
Precondition/effect code,
Peterson 2P, process i
tryi: check-flagi
Eff: pc := set-flag Pre: pc = check-flag
Eff: if flag(1-i) = 0 then pc := leave-try
else pc := check-turn
set-flagi :
Pre: pc = set-flag check-turni :
Eff: flag(i) := 1 Pre: pc = check-turn
pc := set-turn Eff: if turn ≠ i then pc := leave-try
else pc := check-flag
set-turni :
Pre: pc = set-turn
Eff: turn := i
pc := check-flag
More precondition/effect code,
Peterson 2P, process i
criti : reseti :
Pre: pc = leave-try Pre: pc = reset
Eff: flag(i) := 0
Eff: pc := crit pc := leave-exit
exiti remi :
Eff: pc := reset
Pre: pc = leave-exit
Eff: pc := rem
Correctness: Mutual exclusion
• Key invariant:
– If pci ∈ {leave-try, crit, reset} (essentially in C), and
– pc1-i ∈ {check-flag, check-turn, leave-try, crit, reset} (engaged in the
competition or in C),
– then turn ≠ i.
• That is:
– If i has won and 1-i is currently competing then turn is set favorably
for i---which means it is set to 1-i.
• Shared vars:
– For each competition k in {1,2,…,n-1}:
• turn(k) in {1,2,…n}, mWmR register, written and read by all, initially arbitrary.
– For i in {1,2,…n}:
• flag(i) in {0,1,2,…,n-1}, 1WmR register, written by i and read by all, initially 0.
• Exit protocol:
– Set flag(i) := 0
Correctness: Mutual exclusion
• Definition: Process i is a winner at level k if either:
– leveli > k, or
– leveli = k and pci ∈ {leave-try, crit, reset}.
• Definition: Process i is a competitor at level k if either:
– Process i is a winner at level k, or
– leveli = k and pci ∈ {check-flag, check-turn}.
0 1 2 3 4 5 6 7
Peterson Tournament Algorithm
• Shared variables:
– For each process i, flag(i) in {0,…,h}, indicating level, initially 0
– For each competition x, turn(x), a Boolean, initially arbitrary.
0 1 2 3 4 5 6 7
Correctness
• Mutual exclusion:
– Similar to before.
– Key invariant: At most one process from any particular subtree
rooted at level k is currently a winner at level k.
• Shared variables:
– For each process i:
• choosing(i), a Boolean, written by i, read by all, initially 0
• number(i), a natural number, written by i, read by all, initially 0
Bakery Algorithm
• First part, up to choosing(i) := 0 (the “Doorway”, D):
– Process i chooses a number number greater than all the numbers it
reads for the other processes; writes this in number(i).
– While doing this, keeps choosing(i) = 1.
– Two processes could choose the same number (unlike real bakery).
– Break ties with process ids.
• Second part:
– Wait to see that no others are choosing, and no one else has a
smaller number.
– That is, wait to see that your ticket is the smallest.
– Never go back to the beginning of this part---just proceed step by
step, waiting when necessary.
Code
Shared variables:
for every i ∈ {1,…,n}:
choosing(i) ∈ {0,1}, initially 0, writable by i, readable by all j ≠ i
number(i), a natural number, initially 0, writable by i, readable by j ≠ i.
tryi
choosing(i) := 1
number(i) := 1 + maxj ≠ i number(j)
choosing(i) := 0
for j ≠ i do
waitfor choosing(j) = 0
waitfor number(j) = 0 or (number(i), i) < (number(j), j)
criti
exiti
number(i) := 0
remi
Correctness: Mutual exclusion
• Key invariant: If process i is in C, and process j ≠ i
is in (T − D) ∪ C,
Trying region after doorway, or critical region
• Proof:
– Could prove by induction.
– Instead, give argument based on events in executions.
– This argument extends to weaker registers, with
concurrent accesses.
Correctness: Mutual exclusion
• Invariant: If i is in C, and j ≠ i is in (T − D) ∪ C, then
(number(i),i) < (number(j),j).
• Proof:
– Consider a point where i is in C and j ≠ i is in (T − D) ∪ C.
– Then before i entered C, it must have read choosing(j) = 0, event π.
π: i reads choosing(j) = 0 i in C, j in (T − D) ∪ C
• Lockout-freedom:
– Consider any i that enters T
– Eventually it finishes the doorway.
– Thereafter, any newly-entering process picks a bigger number.
– Progress implies that processes continue to enter C, as long as i is
still in T.
– In fact, this must happen infinitely many times!
– But those with bigger numbers can’t get past i, contradiction.
FIFO Condition
• Not really FIFO (→T vs. →C), but almost:
– FIFO after the doorway: if j leaves D before i →T, then j →C before
i →C.
• But the “doorway” is an artifact of this algorithm, so this
isn’t a meaningful way to evaluate the algorithm!
• Maybe say “there exists a doorway such that”…
• But then we could take D to be the entire trying region,
making the property trivial.
• To make the property nontrivial:
– Require D to be “wait-free”: a process is guaranteed to complete D
it if it keeps taking steps, regardless of what any other processes
do.
– D in the Bakery Algorithm is wait-free.
• The algorithm is FIFO after a wait-free doorway.
Impact of Bakery Algorithm
• Originated important ideas:
– Wait-freedom
• Fundamental notion for theory of fault-tolerant
asynchronous distributed algorithms.
– Weakly coherent memories
• Beginning of formal study: definitions, and some
algorithmic strategies for coping with them.
Next time…
• More mutual exclusion algorithms:
– Lamport’s Bakery Algorithm, cont’d
– Burns’ algorithm
• Number of registers needed for mutual exclusion.
• Reading: Sections 10.6-10.8
MIT OpenCourseWare
http://ocw.mit.edu
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.