- Email: [email protected]
A liveness property of a parallel algorithm
Information Processing Letters 24 (1987) 275-277 North-Holland
2 March 1987
A LIVENESS PROPERTY OF A PARALLEL A L G O R I T H M Jonathan RUBY AEP Software, 9 Greenway Court, Brookline, ?via 02146, U.S.A. Communicated by David Gries Received 6 December 1985 Revised 18 February 1986
Keywords: (Systems) parallel processing, programming language, resource allocation (Theory) data structure, theory of computation
The DMLSS algorithm [2] is a well-known algorithm for concurrent garbage collection in a LisP-like environment. A number of proofs of its safety and liveness properties [3,4] have appeared since the algorithm was published in 1975. The following presents a new proof of a liveness property of the algorithm. The algorithm works on data structures built of nodes. Each node includes two pointers (called right and left pointers) to successor nodes. An integer n where 0 ~ n < N (N being the number of nodes) uniquely names each node and allows the node to be accessed independently. A null pointer value is represented as a pointer to node 0. A node may belong to a tree whose root is the special node ROOT or to a list called the free list which begins with the special node FREE but not to both at once. A node belonging to the tree starting at ROOT or to the free list is called reachable. An unreachable node is called garbage. In the DMLSS algorithm, the mutator operates on reachable nodes and may turn them into garbage. The collector runs in parallel with the mutator, collecting unreachable nodes and appending them to the free list. Nodes possess a color (white, gray, or black), which is used to coordinate mutator and collector behavior. It is an important liveness property of the algorithm that no node can be forever unreacha-
ble. This property will be proved below. The proof has the following advantages over the other proofs I have found in the literature: (a) It is shorter and simpler. (b) It uses the same concepts and notations used to prove the algorithm's safety properties. There is no need to introduce new concepts (for example, an until operator) in order to prove liveness.
(c) The proof is formal. It only relies on the text of the algorithm and makes no reference to the algorithm's executional history. In the algorithm presented below, the integer arrays E[N] and r[N] hold the left and right pointers of the nodes. ENDFREE is an integer variable marking the end of the free list. The texts of the mutator and collector are as follows (k and j are indices of reachable nodes): Mutator:
do true -+ E [k] -- 0 true ~ r[k] = 0 true --} addleft(k, j) [7 true ~ addright(k, j) ~] true ~ f := •[FREE]; addleft(k, f);
0020-0190/87/$3.50 © 1987, Elsevier Science Publishers B.V. (North-Holland)
do f = ENDFREE ~ skip od;
addleft(FREE, f[f]); := 0 275
Volume 24, Number 4
I N F O R M A T I O N PROCESSING LETTERS
[-] true ~ f := d[FREE]; addright(k, f); do f = ENDFREE -+ skip od; addleft(FREE, f[f]);
t[f]..= 0 od Collector:
do true ~ atleastgray(ROoT); atleastgray(FREE); atleastgray(0); i:=0; do i ~: N and color[i] ~: gray -o i "= i + 1 i :~ N and color[i] = gray atleastgray(r[i]); atleastgray(d[i]); color[i] "= black; i:=0 od i -'= 0; doi#N -o if color[i] = white d[i], r[i], d[ENDFREE], ENDFREE := 0, 0, i, i ~] CO1Or[il = black -o color[i]-'= white ~3 color[i] = gray -o skip Ii; i:=i+l od od T h e algorithm uses an atomic action, called "atleastgray" which has the effect of the following code: atleastgray(i): if color[i] = white ---, color[i] := gray ~] color[i] ~ white ~ skip
2 March 1987
T h e collector has the form " d o t r u e - o C o d " where " C " is the n a m e of the b o d y of the collector's outer loop. In the following, " S " will n a m e the s t a t e m e n t "if true--o C fi". The predicate " r e a c h ( M ) " will m e a n that the n o d e M (0 ~< M < N) is reachable. H a v i n g given the text of the algorithm we can n o w prove that it will not leave any garbage uncollected. The proof will use the formalism of weakest preconditions as described in [1]. T h e first question to be answered is h o w to give a definition or at least a necessary consequence of liveness in this formalism. Since only the collector changes a garbage n o d e into a reachable node, the definition of liveness will involve the collector only. Liveness for a garbage collection algorithm is usually taken to m e a n that there is no possible executional history in which - reach(M) always holds between every two statements of the collector for some n o d e M. If such a n o d e and such an executional history exist, - reach(M) will always hold at the b o t t o m of the collector's outer loop in that executional history. Therefore, a p r o o f that reach(M) (0 ~< M < N) will eventually hold at the b o t t o m of the collector's loop whatever the executional history of the collector and m u t a t o r also proves liveness. This p r o o f will be given below. Let U be the set of states for which - reach(M) holds. We wish to prove that some finite n u m b e r of catenations of S will m a p every m e m b e r of U to a state not belonging to this set. That is, if V __cU a n d S m a p s every state in V to a state in V, then V = ~. In other words, we can state the following theorem. T h e o r e m . 1.[ P is an invariant of the collector loop a n d P impfies - reach(M) for some node M (0 <~ M < N), then P = F.
addleft(k, j ) : d [ k ] : = j ; atleastgray(j),
Proof. Because the m u t a t o r changes reachable n o d e s only, we can consider the status of n o d e M w i t h o u t reference to m u t a t o r behavior. S u p p o s e that there is a predicate P that is an invariant of the collector. Then, by the definition of an invariant [1],
a d d r i g h t ( k , j ) : r[k] : = j ; atleastgray(.j).
P A true = P =~ wp(S, P).
fi In a d d i t i o n there are two procedures:
276
(1)
Volume 24, Number 4
INFORMATION PROCESSING LETTERS
Suppose further that P = , - reach(M) for some node M. Then, by Property 2 of weakest preconditions [1], wp(S, P) =~ wp(S, - reach(M)).
(2)
Statements (1) and (2) imply P =~ wp(S, - r e a c h ( M ) ) . By the same argument beginning from (3), P ~ wp(S, wp(S, - reach(M))) so
P ~ wp(S, - reach(M)) A wp(S, wp(S, - reach(M))) = - reach(M) A color[M] 4: white A wp(S, wp(S, - reach(M)))
(3)
2 March 1987
= - reach(M) A color[M] :~ white A color[M] 4: black A color[M] ~: gray =F (since every node is either white, black, or gray). Therefore, P = F and the theorem is proved. []
References [1] E.W. Dijkstra, A Discipline of Programming (Prentice-Hall, Englewood Cfiffs, NJ, 1976). [2] E.W. Dijkstra, L. Lamport, A.J. Martin, C.S. Scholten and E.F.M. Steffens, On-the-fly garbage collection: An exercise in cooperation, Comm. ACM 21 (11) (1978) 966-975. [3] D. Giles, An exercise in proving parallel programs correct, Comm. ACM 20 (12) (1977) 921-930. [4] S. Ramesh and S.L. Melmdiratta, The liveness property of on-the-fly garbage collection--A proof, Inform. Process, Lett. 17 (1983) 189-195.
277
2 March 1987
A LIVENESS PROPERTY OF A PARALLEL A L G O R I T H M Jonathan RUBY AEP Software, 9 Greenway Court, Brookline, ?via 02146, U.S.A. Communicated by David Gries Received 6 December 1985 Revised 18 February 1986
Keywords: (Systems) parallel processing, programming language, resource allocation (Theory) data structure, theory of computation
The DMLSS algorithm [2] is a well-known algorithm for concurrent garbage collection in a LisP-like environment. A number of proofs of its safety and liveness properties [3,4] have appeared since the algorithm was published in 1975. The following presents a new proof of a liveness property of the algorithm. The algorithm works on data structures built of nodes. Each node includes two pointers (called right and left pointers) to successor nodes. An integer n where 0 ~ n < N (N being the number of nodes) uniquely names each node and allows the node to be accessed independently. A null pointer value is represented as a pointer to node 0. A node may belong to a tree whose root is the special node ROOT or to a list called the free list which begins with the special node FREE but not to both at once. A node belonging to the tree starting at ROOT or to the free list is called reachable. An unreachable node is called garbage. In the DMLSS algorithm, the mutator operates on reachable nodes and may turn them into garbage. The collector runs in parallel with the mutator, collecting unreachable nodes and appending them to the free list. Nodes possess a color (white, gray, or black), which is used to coordinate mutator and collector behavior. It is an important liveness property of the algorithm that no node can be forever unreacha-
ble. This property will be proved below. The proof has the following advantages over the other proofs I have found in the literature: (a) It is shorter and simpler. (b) It uses the same concepts and notations used to prove the algorithm's safety properties. There is no need to introduce new concepts (for example, an until operator) in order to prove liveness.
(c) The proof is formal. It only relies on the text of the algorithm and makes no reference to the algorithm's executional history. In the algorithm presented below, the integer arrays E[N] and r[N] hold the left and right pointers of the nodes. ENDFREE is an integer variable marking the end of the free list. The texts of the mutator and collector are as follows (k and j are indices of reachable nodes): Mutator:
do true -+ E [k] -- 0 true ~ r[k] = 0 true --} addleft(k, j) [7 true ~ addright(k, j) ~] true ~ f := •[FREE]; addleft(k, f);
0020-0190/87/$3.50 © 1987, Elsevier Science Publishers B.V. (North-Holland)
do f = ENDFREE ~ skip od;
addleft(FREE, f[f]); := 0 275
Volume 24, Number 4
I N F O R M A T I O N PROCESSING LETTERS
[-] true ~ f := d[FREE]; addright(k, f); do f = ENDFREE -+ skip od; addleft(FREE, f[f]);
t[f]..= 0 od Collector:
do true ~ atleastgray(ROoT); atleastgray(FREE); atleastgray(0); i:=0; do i ~: N and color[i] ~: gray -o i "= i + 1 i :~ N and color[i] = gray atleastgray(r[i]); atleastgray(d[i]); color[i] "= black; i:=0 od i -'= 0; doi#N -o if color[i] = white d[i], r[i], d[ENDFREE], ENDFREE := 0, 0, i, i ~] CO1Or[il = black -o color[i]-'= white ~3 color[i] = gray -o skip Ii; i:=i+l od od T h e algorithm uses an atomic action, called "atleastgray" which has the effect of the following code: atleastgray(i): if color[i] = white ---, color[i] := gray ~] color[i] ~ white ~ skip
2 March 1987
T h e collector has the form " d o t r u e - o C o d " where " C " is the n a m e of the b o d y of the collector's outer loop. In the following, " S " will n a m e the s t a t e m e n t "if true--o C fi". The predicate " r e a c h ( M ) " will m e a n that the n o d e M (0 ~< M < N) is reachable. H a v i n g given the text of the algorithm we can n o w prove that it will not leave any garbage uncollected. The proof will use the formalism of weakest preconditions as described in [1]. T h e first question to be answered is h o w to give a definition or at least a necessary consequence of liveness in this formalism. Since only the collector changes a garbage n o d e into a reachable node, the definition of liveness will involve the collector only. Liveness for a garbage collection algorithm is usually taken to m e a n that there is no possible executional history in which - reach(M) always holds between every two statements of the collector for some n o d e M. If such a n o d e and such an executional history exist, - reach(M) will always hold at the b o t t o m of the collector's outer loop in that executional history. Therefore, a p r o o f that reach(M) (0 ~< M < N) will eventually hold at the b o t t o m of the collector's loop whatever the executional history of the collector and m u t a t o r also proves liveness. This p r o o f will be given below. Let U be the set of states for which - reach(M) holds. We wish to prove that some finite n u m b e r of catenations of S will m a p every m e m b e r of U to a state not belonging to this set. That is, if V __cU a n d S m a p s every state in V to a state in V, then V = ~. In other words, we can state the following theorem. T h e o r e m . 1.[ P is an invariant of the collector loop a n d P impfies - reach(M) for some node M (0 <~ M < N), then P = F.
addleft(k, j ) : d [ k ] : = j ; atleastgray(j),
Proof. Because the m u t a t o r changes reachable n o d e s only, we can consider the status of n o d e M w i t h o u t reference to m u t a t o r behavior. S u p p o s e that there is a predicate P that is an invariant of the collector. Then, by the definition of an invariant [1],
a d d r i g h t ( k , j ) : r[k] : = j ; atleastgray(.j).
P A true = P =~ wp(S, P).
fi In a d d i t i o n there are two procedures:
276
(1)
Volume 24, Number 4
INFORMATION PROCESSING LETTERS
Suppose further that P = , - reach(M) for some node M. Then, by Property 2 of weakest preconditions [1], wp(S, P) =~ wp(S, - reach(M)).
(2)
Statements (1) and (2) imply P =~ wp(S, - r e a c h ( M ) ) . By the same argument beginning from (3), P ~ wp(S, wp(S, - reach(M))) so
P ~ wp(S, - reach(M)) A wp(S, wp(S, - reach(M))) = - reach(M) A color[M] 4: white A wp(S, wp(S, - reach(M)))
(3)
2 March 1987
= - reach(M) A color[M] :~ white A color[M] 4: black A color[M] ~: gray =F (since every node is either white, black, or gray). Therefore, P = F and the theorem is proved. []
References [1] E.W. Dijkstra, A Discipline of Programming (Prentice-Hall, Englewood Cfiffs, NJ, 1976). [2] E.W. Dijkstra, L. Lamport, A.J. Martin, C.S. Scholten and E.F.M. Steffens, On-the-fly garbage collection: An exercise in cooperation, Comm. ACM 21 (11) (1978) 966-975. [3] D. Giles, An exercise in proving parallel programs correct, Comm. ACM 20 (12) (1977) 921-930. [4] S. Ramesh and S.L. Melmdiratta, The liveness property of on-the-fly garbage collection--A proof, Inform. Process, Lett. 17 (1983) 189-195.
277