Brief Announcement: Generalising Concurrent Correctness to Weak Memory

LIPICS - Leibniz International Proceedings in Informatics, Sep 2018

Correctness conditions like linearizability and opacity describe some form of atomicity imposed on concurrent objects. In this paper, we propose a correctness condition (called causal atomicity) for concurrent objects executing in a weak memory model, where the histories of the objects in question are partially ordered. We establish compositionality and abstraction results for causal atomicity and develop an associated refinement-based proof technique.

A PDF file should load here. If you do not see its contents the file may be temporarily unavailable at the journal website or you do not have a PDF plug-in installed and enabled in your browser.

Alternatively, you can download the file locally and open with any standalone PDF reader:

http://drops.dagstuhl.de/opus/volltexte/2018/9834/pdf/LIPIcs-DISC-2018-45.pdf

Brief Announcement: Generalising Concurrent Correctness to Weak Memory

LIPIcs.DISC. Brief Announcement: Generalising Concurrent Correctness to Weak Memory John Derrick 2 3 4 5 0 Department of Computer Science, University of Sheffield , UK 1 Department of Computer Science, University of Surrey , Guildford , UK 2 Department of Computer Science, University of Sheffield , UK 3 Simon Doherty 4 Heike Wehrheim Department of Computer Science, Paderborn University , Paderborn , Germany 5 Brijesh Dongol Correctness conditions like linearizability and opacity describe some form of atomicity imposed on concurrent objects. In this paper, we propose a correctness condition (called causal atomicity) for concurrent objects executing in a weak memory model, where the histories of the objects in question are partially ordered. We establish compositionality and abstraction results for causal atomicity and develop an associated refinement-based proof technique. 2012 ACM Subject Classification Theory of computation ? Concurrency, Theory of computation ? Shared memory algorithms Correctness conditions like linearizability for data structures and opacity for software transactional memory (STM) specify atomicity for concurrent objects. They are developed under the assumption that the underlying memory model is sequentially consistent. Our objective here is to generalise such notions to weak memory models. We develop a new notion of correctness: casual atomicity3, which we show is compositional and ensures client abstraction. Causal atomicity applies to both concurrent objects and transactional memory, thus it encompasses both linearizability and opacity. Causal linearizability is covered earlier [1]; here we specialise causal atomicity to causal opacity and develop a proof technique for it. Our framework is based on object executions given as execution structures [4]. They describe the usual precedence order between events as well as a communication relation. Informally, a communication relation between two events arises when some low-level operation of the first event synchronises with some operation belonging to the second event. Events describe e.g. transactions in an STM or operations on a data structure, and their 1 Simon Doherty and John Derrick are funded by EPSRC Grant EP/M017044/1. 2 Funded by EPSRC Grant EP/R019045/1. 3 This notion is related to, but different from causal atomicity defined by Farzan and Madhusudan [3]. For example, their notion is not compositional. and phrases Weak Memory; Concurrent Object; Execution Structure Foundations Generalising Concurrent Correctness to Weak Memory implementations give arise to the execution of low-level operations. In prior work [1], we have used this technique to define a causal version of linearizability. Here, we generalise the methods and define a notion of atomicity that is also applicable to transactional memory. I Definition 1. An execution structure is a tuple (E, , ) consisting of a finite set of events E, a strict order ? E ? E and a relation ? E ? E satisfying: 1. If t1 t2, then both t1 t2 and ?(t2 t1). 2. If t1 t2 t3 or t1 t2 t3, then t1 t3. 3. If t1 t2 t3 t4, then t1 t4. Like other concurrent correctness conditions, we employ some sequential object on a fixed alphabet to compare the executions of the concurrent object against. A sequential object S specifies a set of legal sequential executions denoted legalS. Syntactically, each element of legalS is a sequence of events that are labelled with operations that the object provides. 2 Contributions Causal atomicity. When comparing concurrent executions against sequential ones, some key orders of the concurrent execution need to be preserved. In our case, these are the relations and of the execution structure. We say < is a logical order of an execution structure E = (E, , ) iff < ? E ? E is a strict order such that ? < ? . For a partial order < ? E ? E, we let LE(<) = {w ? E? | < ? w} be the set of linear extensions of <, where w is the total order corresponding to the (total) order on the elements of w. I Definition 2. Let S be a sequential object. An execution structure E is causally atomic w.r.t. S iff there exists a logical order < of E such that LE(<) ? legalS. The logical order at least needs to contain the precedence order and at most the communication relation . Note that the logical order (induced by a specification) can introduce additional communication in an implementation (see example below). Compositionality. A key requirement on every correctness condition is compositionality: when a program employs operations from two different concurrent objects, these objects individually satisfy the correctness condition if, and only if, their combined usage also satisfies the correctness condition. Technically, we use a composition operator ? on sequential objects to compute the interleavings of sequential executions, and an operator | to restrict execution structures to events from a given alphabet. I Theorem 3. Let S1 and S2 be sequential objects with disjoint alphabets ?1 and ?2 and let E = (E, , ) be an execution structure. Then E|?1 and E|?2 are causally atomic w.r.t. S1 and S2, respectively, iff E is causally atomic w.r.t. S1 ? S2. For example, consider the execution structure below, which comprises a stack object S and an STM, where we assume memory values are initialised to 0. The event W (x, 1); W (y, 1) corresponds to a transaction consisting of a write to x followed by a write to y. Similarly, R(x, 1); R(y, 1) corresponds to a transaction comprising a read of x followed by a read of y. S.Push(1) W (x, 1); W (y, 1) R(x, 1); R(y, 1) (S.Pop, empty) The execution should not be allowed since there is no total ordering of events that respects the existing precedence order . Causal atomicity necessitates a communication relation W (x, 1); W (y, 1) R(x, 1); R(y, 1) which, together with axiom A3 induces order S.Push(1) (S.Pop, empty). Thus, when considering the full execution structure the composition execution restricted to the stack object is not causally atomic. A more detailed example composition of concurrent objects is given in [1]. Abstraction. Another property of causal atomicity is abstraction, which formalises a notion of substitutability: when a client uses the operations that an object provides in its interface, then it should not be able to distinguish the implementation from its sequential specification. To formalise this, we represent a client C as a set of client executions, each of which is simply a partial order over events labelled with operations from the alphabet of the object and other client-local events such as reads and writes to client variables. Suppose O is a set of execution structures over ?. The client-object composition of C and O is the set CJOK = {? ? C | ? ((dom(?) ? ran(?)) ? ?, , ) ? O. ?|? ? }. Given a sequential object S, we let CA[S] be the set of execution structures that are causally atomic w.r.t. S. Furthermore, we lift sequential objects to sets of execution structures by letting E [S] be the set of execution structures such that there is some w ? legalS where both the precedence order and communication relation is the total order w. Our goal is to compare, for any client C, the client-object composition CJCA[S]K with the corresponding composition with the sequential object, CJE [S]K. To do so, we define a notion of observational refinement, denoted v, such that CJCA[S]K v CJE [S]K holds if for every execution in CJCA[S]K, there is an observationally equivalent execution in CJE [S]K. Our notion of observational equivalence requires that any pair of equivalent executions must have compatible orders when restricted to client-local events. We then prove the following. I Theorem 4. If C is a client and S a sequential object, then CJCA[S]K v CJE [S]K. Transactional Memory. We use causal atomicity to obtain a correctness condition for transactional memory, which we call causal opacity. To do so, we first define a transactional sequential object, denoted T, whose alphabet is made up of entire blocks of reads and writes, and whose semantics requires that each block executes atomically. Causal opacity itself is a condition on transactional operations rather than atomic blocks, thus allowing concurrent transactions. It is defined in terms a transformation called ?-abstraction [4], that combines these operations into a block from the alphabet of T. An execution structure is said to be causally opaque whenever its ?-abstraction is causally atomic w.r.t. T. We show how to verify causal opacity using a sequential object, C, such that the ?abstraction of every execution structure in CA[C] is causally atomic w.r.t. T. The object C is adapted from TMS2 [2], and like its predecessor, is given in an operational fashion which enables simulation-based refinement proofs. S. Doherty , B. Dongol , H. Wehrheim , and J. Derrick . Making Linearizability Compositional for Partially Ordered Executions . In iFM, volume 11023 of LNCS , 2018 . S. Doherty , L. Groves , V. Luchangco , and M. Moir . Towards formally specifying and verifying transactional memory . Formal Asp. Comput. , 25 ( 5 ): 769 - 799 , 2013 . A. Farzan and P. Madhusudan . Causal atomicity . In CAV , volume 4144 of LNCS , pages 315 - 328 . Springer, 2006 . L. Lamport . On interprocess communication. part I: basic formalism . Distributed Computing , 1 ( 2 ): 77 - 85 , 1986 .


This is a preview of a remote PDF: http://drops.dagstuhl.de/opus/volltexte/2018/9834/pdf/LIPIcs-DISC-2018-45.pdf

Simon Doherty, Brijesh Dongol, Heike Wehrheim, John Derrick. Brief Announcement: Generalising Concurrent Correctness to Weak Memory, LIPICS - Leibniz International Proceedings in Informatics, 2018, 45:1-45:3, DOI: 10.4230/LIPIcs.DISC.2018.45