The meaning of concurrent programs by Yodaiken, Victor
arXiv:0810.1316v1 [cs.DM] 7 Oct 2008
The meaning of onurrent programs (DRAFT)
Vitor Yodaiken
Copyright 2008.

yodaikenfinitestateresearh.om
Otober 28, 2018
1 Basis
Consider a combined software and hardware "system" consisting of a set of threads
T, a memory, a set of devices D, some number of processor cores, and i/o and
other components that we don't need to specify yet. Questions like "can there be a
state where multiple threads are executing inside a critical region" can be answered
only by understanding how state variables change as the system changes. Since the
hardware and software are designed to be both discrete state and deterministic, we
can consider system variables to be functions of the sequence of events that have
driven the system to its current state. For example, the contents stored in a memory
location vary with the event sequence. Or consider the following:

    thread t starts a test-and-set operation with arguments "ptr" set to the location and
    "index" = j in the state determined by event sequence w

[Margin note: "Formal methods" researchers argue concurrency is non-deterministic
because they have confused "unspecified" with "non-deterministic".]

The event sequence is generally immense and the events are complicated. A single
event may correspond to the signal changes on the input pins of every circuit on the
system during a single processor cycle. But we can abstract out properties of the
sequences and focus on the properties of interest.
The "specifications" given here are in ordinary working mathematical notation
plus some relatively informal language. I have made a deliberate effort to try to
avoid unnecessary formalization. A statement of the form "at this state "x" holds
contents = j" is clear enough and can be translated into more formal mathematical
notation whenever needed. See section 3 for details. On the other hand, I have
made efforts to avoid oversimplifying the semantics of actual computations. For
example, the execution of an atomic "compare and swap" operation is both impressively
complex and precise. When a thread reaches the start of this operation, there
may be interrupts which cause unspecified delays as the operating system switches
out the thread, and any number of other tasks may start the same operation "at
the same time", but the hardware assures that only one thread will complete the
operation and get a success result.
1.1 Sequenes and state
Given a sequene w and a variable depending on w , x the meaning of x at w is
simply the value of x in the state reahed by following w from the initial state. For

Permission granted to make and distribute omplete opies for non-ommerial use but not for
use in a publiation. All other rights reserved but fair use enouraged as long as properly ited.
1
example onsider:
The ontents of memory loation is n at w:
Many properties are described in terms of what can happen between two states.
Write wz for the sequence obtained by appending sequence z to sequence w. If
some memory location remains unchanged from the w state to the wz state we
could say:

    The contents of the location does not change between w and wz (inclusive
    of the end points).

I'll label memory locations with either addresses or symbolic names that may depend
on the thread. The address corresponding to variable x for task t at w may not be
the same as the address of x for thread $t'$, or even for thread t in another state.
Write $Addr(w, t, x)$ for the address of x in the state determined by w in the context
of t. Let $Word(w, )$ be the contents of memory at the given address in the w state.
Let's insist that memory contents only change if a device or thread "writes" to
that location:

Description 1.1 If $Word(w, ) \neq Word(wz, )$ then there must be some
thread t so that t writes $Word(wz, )$ to the location between w and wz, or some device d
so that d writes $Word(wz, )$ to the location between w and wz.
When we disuss the way a state variable hanges as the system hanges state,
we will often need to be able to identify the states that are visited in between the
two terminal states. For any u, the sequene w is a prex of the sequene wu. If
u is not the empty sequene, then w is a proper prex of wu. Write w  wz to
indiate w is a prex, and w < wu to indiate that w must be a proper prex. Then
w < q < wz onstrains q to be between w and wz and but not equal to either,
while w  q  wz allows q to reah the end points. So our onstraint above ould
be rewritten more preisely as
Desription 1.2 If Word(w;) 6= Word(wz;) = k there there must be some
w < q  wz so that for some thread t, t writes k to  at q or or for some devie
d , d writes k to  at q.
The problem with shared memory systems is that the operation of reading,
modifying and writing a new value back is generally not atomic. This can be shown
as follows for a simple increment x = x+1, the semantics of which is as follows.

Description 1.3 If task t starts x = x + 1 at w and completes it at wz and
$Addr(w, t, x)$ is the location, then there is some $w \leq q \leq wz$ so that
$Word(wz, ) = Word(q, ) + 1$ (where "+1" depends on the type of the variable x in the context
of t).

Suppose t executes x = x+1 in the interval w to wz and $t'$ executes the same line
of code in the interval $w'$ to $wz'$ where $w \leq w' < wz \leq wz'$, and for t we have
$Word(wz, ) = Word(q, ) + 1$ and for $t'$ we have $Word(wz', ) = Word(q', ) + 1$.
There is no assurance that $Word(q', ) = Word(wz, )$, and that's the heart of
the synchronization problem for data in shared memory architectures.
An atomic compare and swap (ACS) operation swaps the contents of
memory for a "new" value if it finds the contents to be identical to a "test" value,
and if there is no competing write that beats us to the punch. If the result is 1 then
(1) no other task can get a result of 1 for that address during the interval, and (2)
at the start, the location contains the old value and it only changes in some in-between state
to contain the new value. If the result is 0 then (1) the thread does not complete
any write operation during the interval, and (2) there is, by way of explanation,
some in-between state where the location does not contain the expected old value or some
intervening "write" operation.

Description 1.4 If thread t starts an atomic compare-and-swap (ACS) operation at
w with target the location, new = n and old = k, and completes it at wz, then let $R_{t,wz,}$ be
the result at wz for t.

    $R_{t,wz,} \in \{0, 1\}$                                                        (1)

    $R_{t,wz,} = 1 \rightarrow$ for all $w \leq q \leq wz$ there is no $t' \neq t$ with $R_{t',q,} = 1$,
        and there is some $w < q \leq wz$ so that
        for all $w \leq q' < q$ the contents of the target at $q'$ is $k$
        and for all $q \leq q' \leq wz$ the contents of the target at $q'$ is $n$          (2)

    $R_{t,wz,} = 0 \rightarrow$ for all $w \leq q \leq wz$, $t$ does not write to memory at $q$,
        and there is some $w \leq q \leq wz$ so that either                              (3)
        the contents of the target at $q$ is not $k$
        or there is some write at $q$ by any device or a thread $t' \neq t$             (4)

Note that we do not require the hardware to be smart enough to be sure that we
succeed if some in-between write writes the old value k. This allows for implementation
by hardware that does a "clear written bit on this address", then a "load
contents", then a "write if written bit is still zero". And there is no requirement
that the ACS complete in any fixed time; that's something we'd need in a more
detailed treatment.
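Description 1.4 written out as a check over a recorded trace of one memory location, an added example rather than the paper's own material. The trace format (contents, writer and ACS winner per state) and the sentinel ids are constructed assumptions; the checker answers whether a claimed result is consistent with clauses (1) to (4), including the case the note above allows, where an intervening write of the old value k justifies a result of 0.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * A trace is a constructed array of states q = w, ..., wz for one location.
 * Each entry records the contents at q, who (if anyone) completed a write to
 * the location at q, and which thread (if any) completed an ACS on it with
 * result 1 at q.  Thread ids are >= 0; the two sentinels are constructed.
 */
#define NO_ONE (-1)
#define DEVICE (-2)   /* a write by some device d rather than a thread */

typedef struct {
    uint32_t contents;   /* contents of the location at this state       */
    int writer;          /* thread id, DEVICE, or NO_ONE                  */
    int acs_winner;      /* thread whose ACS got result 1 here, or NO_ONE */
} state_t;

/* Clause (2): result 1 is consistent iff no other thread's ACS succeeded in
 * w..wz and the contents switch exactly once from k to n at some w < q <= wz. */
static int result_one_consistent(const state_t *tr, int len, int t,
                                 uint32_t k, uint32_t n)
{
    for (int q = 0; q < len; q++)
        if (tr[q].acs_winner != NO_ONE && tr[q].acs_winner != t)
            return 0;
    for (int q = 1; q < len; q++) {
        int ok = 1;
        for (int i = 0; i < q && ok; i++)   ok = (tr[i].contents == k);
        for (int i = q; i < len && ok; i++) ok = (tr[i].contents == n);
        if (ok) return 1;
    }
    return 0;
}

/* Clauses (3)-(4): result 0 is consistent iff t wrote nothing in w..wz and
 * some state either lacks the old value k or carries a write by someone else. */
static int result_zero_consistent(const state_t *tr, int len, int t, uint32_t k)
{
    for (int q = 0; q < len; q++)
        if (tr[q].writer == t)
            return 0;
    for (int q = 0; q < len; q++)
        if (tr[q].contents != k || (tr[q].writer != NO_ONE && tr[q].writer != t))
            return 1;
    return 0;
}

/* 1 if the claimed result of t's ACS (old = k, new = n) over tr[0..len-1]
 * satisfies Description 1.4, else 0.  len >= 2 since w and wz differ.   */
int acs_result_consistent(const state_t *tr, int len, int t,
                          uint32_t k, uint32_t n, int result)
{
    if (len < 2 || (result != 0 && result != 1))   /* clause (1) */
        return 0;
    return result ? result_one_consistent(tr, len, t, k, n)
                  : result_zero_consistent(tr, len, t, k);
}

/* Constructed traces for thread 7 doing ACS(old = 0, new = 1). */
static const state_t win[] = {
    { 0, NO_ONE, NO_ONE }, { 0, NO_ONE, NO_ONE }, { 1, 7, 7 }, { 1, NO_ONE, NO_ONE }
};
/* Thread 3 stores 0 over the 0 already there: the contents never leave k,
 * yet that intervening write is the "explanation" clause (4) asks for.     */
static const state_t spoiled[] = {
    { 0, NO_ONE, NO_ONE }, { 0, 3, NO_ONE }, { 0, NO_ONE, NO_ONE }
};

int demo_win_claimed_one(void)      { return acs_result_consistent(win, 4, 7, 0, 1, 1); }
int demo_win_claimed_zero(void)     { return acs_result_consistent(win, 4, 7, 0, 1, 0); }
int demo_spoiled_claimed_zero(void) { return acs_result_consistent(spoiled, 3, 7, 0, 1, 0); }
int demo_spoiled_claimed_one(void)  { return acs_result_consistent(spoiled, 3, 7, 0, 1, 1); }

int main(void)
{
    printf("successful ACS, claimed 1: %d\n", demo_win_claimed_one());
    printf("successful ACS, claimed 0: %d\n", demo_win_claimed_zero());
    printf("spoiled ACS,    claimed 0: %d\n", demo_spoiled_claimed_zero());
    printf("spoiled ACS,    claimed 1: %d\n", demo_spoiled_claimed_one());
    return 0;
}
```

The two traces give opposite verdicts for the two possible results, which is what a specification should do: a claimed 0 for the successful trace fails clause (3) because t itself wrote, and a claimed 1 for the spoiled trace fails clause (2) because the contents never become n.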
1.2 Pointers, functions, and longer chunks of code
$Word(w, Word(w, ))$ is the contents of the memory at the address that is the
contents of the memory at the given location in the w state. Consider this simple function.

    /* Adds m*m to the word ptr points at and returns the previous contents. */
    int calculate(int m, int *ptr) {
        int old = *ptr;
        *ptr = m * m + *ptr;
        return old;
    }

The intended behavior can be defined as follows:

Description 1.5 If t starts to call calculate with "m" = j and "ptr" the address of the location at w,
and t returns from the call started at w in wz,
then $Word(wz, ) = Word(w, ) + j \cdot j$ and at wz the return value of t = $Word(w, )$. (Assuming non-interference.)

What's non-interference? In this case it is just that:

    There is no $w \leq q \leq wz$, $h \in T \setminus \{t\} \cup D$, so that h writes to any of the local variables of t at q.
1.2.1 Note on machine model
The model used here assumes that "writes" commit at the last event, so that a
store to a memory location may take multiple events, but $Word(w, )$ only changes
as the write completes. I can't see how this assumption conflicts with computer
architecture practice in any way that would lead us astray, but the assumption is not
at all necessary for using the methods described here.
More seriously, I'm glossing over non-coherent memory here just to simplify
exposition. In fact, $Word(w, t, )$ may not equal $Word(w, )$ if some $t'$ has written
to the location but the new value is in a write buffer, or even if the write has been executed
out of order. I'll return to this below to show how to make the model more realistic,
but assuming that memory is coherent is reasonable in many situations and leaves
us with a useful model.
I'm treating memory contents as "numbers", assuming that expressions like
$Word(w, ) + 1$ are known to be shorthand for e.g. $(Word(w, ) + 1) \bmod 2^{32}$
or whatever the programming language type restrictions call for. Finally, I'm only
working with whole words of memory value here and am not worrying about bytes;
see section 3 for some discussion.
2 Critial regions
One protool for synhronization is to use a memory loation as a "gateway" set
to ontain 0 when open and some non-zero value, say 1, when losed. One the
gateway is initialized, we an require that threads sueed in an atomi ompare
and swap with the gateway address as target, 0 as the old value, and 1 as the new
value to beome "owner" and that the gateway is released by setting it to zero.
It's not neessary to have the owner always be the releaser - but the releaser needs
to be sure not to release an already released gateway. To understand this problem,
suppose t
1
is trying to enter the gateway and t
2
is trying to release it  but it is
already released. Then t
1
may fail on the ACS operation beause a write happens
during the ACS operation  even though the write does not hange the ontents.
I'm going to dene G(w;) 2 f0; 1g to tell us if the gateway has been initialized
and used properly and then Owns(w;; t)f0; 1g to tell us if thread t owns the
losed gateway. Let's leave "ativated" and "deativated" undened for now and
just trak status. The empty sequene of events "" is the sequene that leads to
the initial state. So if we dene a funtion at  and at wa in terms of its value at
w , we have dened it for every state.
G(;) = 0 (5)
G(wa;) =


1 if the gateway is set to 0 and was ativated
and no thread is exeuting an ACS operations with target=
0 if the gateway was deativated
or if some devie d writes to at wa
or if some thread t writes a nonzero value to  at wa
unlesst is exeuting an ACS operation
or if some thread t writes a zero value to  at wa
unless  ontains 1 at w
G(w) mboxotherwise
(6)
Owns(;; t) = 0 (7)
Owns(wa;; t) =


0 if G(wa;) = 0
or if  ontains 0 at wa
1 if G(wa;) = 1
and t ompletes an ACS operation
with target=; old=0 new=1 and result=1 at wa
(8)
We an now show that:

t
Owns(w;; t)  1 (9)
4
This is obviously orret if G(w;) = 0, so in what follows assume G(w;) = 1.

t
Owns(w; t; )  1 and 
t
Owner(w; t; ) > 0$Word(w;) = 1 (10)
[Proof is done, but ugly. Basi idea is indution on string length. TBFixed℄.
Let C be a set of line numbers within a "ritial region". We may want to use
ACS operations to guard a ritial operation. So we may want to show that for
some 
if t is exeuting a line n 2 C in the w state then Owner(w; t; ): (11)
3 Details
Assume we have Word and also Reg so that $Reg(w, t, r)$ is the contents of either
the physical register r in the w state if t is executing on some core in that state,
or the stored register saved by the OS if t is blocked in that state. We also need
$InstructionBoundary(w, ) \in \{0, 1\}$ to be true (1) if and only if the given core completes
execution of its current instruction in the w state. Finally, we need some understanding
of how the OS tracks threads: let $Active(w, , t) \in \{0, 1\}$ be true (1)
if and only if thread t is executing on the given core in the w state. In most operating
systems, there will be a data structure indexed by core processor identifier, so that
we will have something like

    $Active(w, , t) = \begin{cases}
      1 & \text{if } Word(w, ) = t, \text{ where the address is } Word(w, Word(w, \text{"current"}) + \text{the core identifier}) \\
      0 & \text{otherwise}
    \end{cases}$
    $Active(w, t) = \sum_{\text{cores}} Active(w, , t)$                               (12)

Assume that $Active(w, t) \leq 1$.
For each thread t, t is executing at w if and only if $Active(w, t)$.
Thread t writes value j to the memory location at w depends on $Reg(w, t, \text{programcounter})$
and $InstructionBoundary(w, )$ for the core on which $Active(w, , t)$.
If $Active(w, t) = 0$ then the thread cannot be completing a write at w.
Thread t starts execution of line of code y = x+1 at w and completes execution
of the line of code at wz also depends on Reg and InstructionBoundary.
Thread t calls function f(int x, float y) with arguments "x" = i, "y" = j at w and
completes the call with return value = k at wz requires
some depth tracking if we permit recursive functions, which we
should. Let $Fdepth(\text{empty}, t, f) = 0$ and

    $Fdepth(wa, t, f) = \begin{cases}
      1 + Fdepth(w, t, f) & \text{if } t \text{ calls } f \text{ at } wa \\
      Fdepth(w, t, f) - 1 & \text{if } t \text{ ends a call to } f \text{ at } wa \\
      Fdepth(w, t, f) & \text{otherwise}
    \end{cases}$

Then t calls f at w and returns from that call at wz requires that
$Fdepth(w, t, f) = Fdepth(wz, t, f) + 1$ and there is no $w < q < wz$
so that $Fdepth(w, t, f) = Fdepth(q, t, f) + 1$.
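The Fdepth definition and the call/return condition above, as an added example (not the paper's own code). The single-character event trace for one thread and one function is a constructed encoding: 'c' is "t calls f at wa", 'r' is "t ends a call to f at wa", and any other character is an event that leaves Fdepth unchanged.

```c
#include <stdio.h>

/* Fdepth after consuming the first n events of the trace; Fdepth(empty) = 0. */
int fdepth(const char *trace, int n)
{
    int d = 0;
    for (int i = 0; i < n; i++) {
        if (trace[i] == 'c')      d = 1 + d;   /* t calls f at wa          */
        else if (trace[i] == 'r') d = d - 1;   /* t ends a call to f at wa */
        /* otherwise Fdepth(wa) = Fdepth(w) */
    }
    return d;
}

/* "t calls f at w and returns from that call at wz", with w the state after
 * trace[w_idx] and wz the state after trace[wz_idx]: the call event must be
 * at w and a return at wz, Fdepth(w) = Fdepth(wz) + 1, and no intermediate
 * q may satisfy Fdepth(w) = Fdepth(q) + 1 (the call would already have
 * returned there).                                                         */
int call_returns_at(const char *trace, int w_idx, int wz_idx)
{
    if (w_idx >= wz_idx || trace[w_idx] != 'c' || trace[wz_idx] != 'r')
        return 0;
    int dw = fdepth(trace, w_idx + 1), dwz = fdepth(trace, wz_idx + 1);
    if (dw != dwz + 1)
        return 0;
    for (int q = w_idx + 1; q < wz_idx; q++)
        if (dw == fdepth(trace, q + 1) + 1)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed trace: an outer call, an unrelated event, a recursive
     * inner call that returns, another event, then the outer return.      */
    const char *trace = "c.cr.r";
    printf("outer call (0) returns at 5: %d\n", call_returns_at(trace, 0, 5));
    printf("inner call (2) returns at 3: %d\n", call_returns_at(trace, 2, 3));
    printf("outer call (0) returns at 3: %d\n", call_returns_at(trace, 0, 3));
    return 0;
}
```

The depth comparison pairs each return with its own call even under recursion, which is why the third query, matching the outer call with the inner return, is rejected.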
4 Related Work and Empiricism versus Axiomatics
This is a less formal and less OS-centric companion to [Yod08], which is a successor
to a long series of papers attempting to make this line of research into something
practical.
This work is in some ways a reaction against the entire field of "formal methods",
which starts with the idea that a program is a mathematical object that can
and should be "formalized". I'm more comfortable with considering a program
to be a manufactured object with some properties we may find useful to define
mathematically but with a nature that is empirical. So my goal is to provide methods
that can be used in conjunction with informal rules, and experimentation, and testing,
much as engineers approach other manufactured goods such as locomotives and rubber
ducks.
The empirical bias led me to discard the emphasis on non-determinism in the
formal methods literature. In software and hardware design, non-determinism is an
error condition or is a result of interaction with some partially specified device or
software component. At the most basic, if we see systems as non-deterministic, they
must be modelled as relations: a sequence of events w maps to a set of possible
terminal states. But relations are really awkward objects and it is conceptually at
least as reasonable to consider each sequence to determine a single terminal state,
but one which we may not be able to fully specify. Even the most non-deterministic
of phenomena, such as a gate that can go into a meta-stable state, can be considered a
deterministic device. Is the state machine that models the gate non-deterministically
choosing an output or reading from a very large or even infinite table of random
digits? I can't see why we would ever care at the system level.
The techniques of formal logic/meta-mathematics and the viewpoint rooted
in the semantics of programming languages have drawbacks for a more empirical
approach to semantics. Applied mathematicians do not use formal logic; formal
logic is a tool for reasoning about mathematics, while I'm more interested in reasoning
about test-and-set bit instructions. And programming languages, especially those
which have built-in "concurrency", have weak semantics that require building up
complex rule sets. For example, the treatment of concurrent threads here is far
simpler than that of Milner [Mil79] and Hoare [Hoa85], where a thread has to be
treated as a fundamental object that is inherently "non-deterministic" instead of as a
product of an underlying deterministic scheduling system.
It may be obvious, however, that the ideas of reasoning about intervals were
influenced by and derive a great deal from works on temporal logic [MP79, MM83] and
more generally modal logics [Kri63]. The idea of dealing with sequences of events
instead of states comes from frustrating attempts to describe specific paths using
the state quantifiers in temporal logic. Temporal logic allows the user to say "P is
true in all possible next states" or "P is true in some possible next states", but
to say "if X happens and drives us to the next state, then P" requires additional
data structures, and after some time one begins to doubt the utility of the formal
logic framework.
Referenes
[Hoa85℄ C. A. R. Hoare. Communiating Sequential Proesses. Prentie-Hall, 1985.
[Kri63℄ S. Kripke. Semantial onsiderations on modal logi. Ata Philosophia
Fennia, 16:8394, 1963.
[Mil79℄ R. Milner. A Calulus of Communiating Systems, volume 92 of Leture
Notes in Computer Siene. Springer Verlag, 1979.
[MM83℄ B. Moszkowski and Z. Manna. Reasoning in interval temporal logi. Teh-
nial Report STAN-CS-83-969, Stanford University, July 1983.
6
[MP79℄ Z. Manna and A. Pnueli. The modal logi of programs. In Proeedings of
the 6th International Colloquium on Automata, Languages, and Program-
ming, volume 71 of Leture Notes in Computer Siene, New York, 1979.
Springer-Verlag.
[Yod08℄ Vitor Yodaiken. State and history in operating systems.
Tehnial report, Finite State Researh LLC, May 2008.
http://www.yodaiken.om/papers/h2.pdf".
7
