Semaphores - courses.cecs.anu.edu.aucourses.cecs.anu.edu.au/courses/COMP2310/lectures2013/Semapho… · Semaphores Admin stuff: some 2012 CDS SELS comments of impact for 2013 the

SemaphoresAdmin stuff:

● some 2012 CDS SELS comments of impact for 2013

● the importance of practical participation: the 2012 lesson (correl. coeff. R = 0.64)

● practicals in week 3: the CountDownTerm.java program

Overview:

● ideas, modelling

● SEMADEMO example: model

● implementation in Java; coding SEMADEMO● the bounded buffer model and program

● nested monitors■ naive implementation■ modelling to understand cause of deadlock■ revised program

● monitor invariants(these slides including graphics are a modified version of the slides from Ch5 of Magee & Kramer:

Concurrency)

COMP2310 Lecture 8: Semaphores 2013 ◭◭ ◭ • ◮ ◮◮ × 1

https://cs.anu.edu.au/streams/forum.php?MsgID=64689

http://cs.anu.edu.au/courses/comp2310/lectures/finalLabs2012-scattergraph.pdf

http://cs.anu.edu.au/courses/comp2310/practicals/TuteLab-2.html

http://cs.anu.edu.au/courses/comp2310/programs/CountDownTerm.java

Semaphores: Basic Ideas

● semaphores are widely used for dealing with inter-process synchronization inoperating systems

● a semaphore s is an integer variable that can take only non-negative values

● the only operations permitted on s are up(s) and down(s)

● down(s):if (s > 0)decrement selse

block execution of the calling process

● up(s):

if there are processes blocked on sawaken one of themelse

increment s

● blocked processes or threads are held in a FIFO queue


Semaphores: Modelling

● to ensure analyzability, we only model semaphores that take a finite range ofvalues. If this range is exceeded, we regard this as an ERROR onst Max = 3range Int = 0..MaxSEMAPHORE(N=0) = SEMA[N℄, // N is the initial valueSEMA[v:Int℄ = ( up −> SEMA[v+1℄

| when (v>0) down −> SEMA[v−1℄ ),SEMA[Max+1℄ = ERROR.● LTS:

● the action down is only accepted when v > 0; up is not guarded

● trace to a violation: up -> up -> up -> up


The SemaDemo Model

● recall our semaphore model: onst Max = 3range Int = 0..MaxSEMAPHORE(N=0) = SEMA[N℄, // N is the initial valueSEMA[v:Int℄ = ( up −> SEMA[v+1℄

| when (v>0) down −> SEMA[v−1℄ ),SEMA[Max+1℄ = ERROR.● three processes p[1..3℄ use a shared semaphore mutex to ensure mutually

exclusive access to some resource (the action riti al)LOOP = (mutex.down −> riti al −> mutex.up −> LOOP).

| | SEMADEMO = (forall p[1..3℄: LOOP | |{p[1..3℄}:: mutex:SEMAPHORE (1)).

● for mutual exclusion, the semaphore’s initial value is 1. Why?

● is the ERROR state reachable for SEMADEMO?

● is a binary semaphore sufficient (i.e. Max=1)?

● LTS?


SemaDemo Model LTS


Semaphores: Implementation

● semaphores are passive objects, therefore can be implemented as a monitorpubli lass Semaphore {private int value;publi Semaphore (int initial) {value = initial;

}syn hronized publi void up() {++value;notifyAll ();}syn hronized publi void down()throws InterruptedEx eption {while (value == 0) wait();

−−value;}

}

● is it safe to use notify() here rather than notifyAll()?

● traditionally, semaphores were implemented as a low-level mechanism which were

often used to implementing the higher-level monitor construct


SemaDemo Applet

current semaphore value

thread 1 is executing critical

actions

thread 2 is blocked waiting

thread 3 is executing

non-critical actions

● what if we adjust the time that each thread spends in its critical section?

■ large resource requirement – more conflict? (e.g. > 67% of a rotation)?

■ small resource requirement – no conflict? (e.g. < 33% of a rotation)?

● hence the time a thread spends in its critical section should be kept as short as

possible


SemaDemo Program – MutexLoop Class lass MutexLoop implements Runnable {Semaphore mutex;MutexLoop (Semaphore sema) {mutex = sema;}publi void run() {try { while (true) {while (! ThreadPanel .rotate());mutex.down(); // a quire mutual ex lusionwhile (ThreadPanel .rotate()); // riti al a tionsmutex.up(); // release mutual ex lusion

}} at h (InterruptedEx eption e){}

}}

● the threads and semaphore are created by the applet’s start() method

● ThreadPanel.rotate() returns false while executing non-critical actions (dark

color) and true otherwise


The Bounded Buffer

● a bounded buffer consists of a fixed number of slots

● items are put into the buffer by a producer process and removed by a consumer

process (c.f. the CarPark example)

● it can be used to smooth out transfer rates between the producer and consumer

● bounded buffers are widely used components in computer networks (from on-chip

networks to internet hubs)


Bounded Buffer: a Data-independent Model

● the behavior of BOUNDEDBUFFER is independent of the actual data values, and so

can be modelled in a data- independent manner

● LTS:BUFFER(N=5) = COUNT [0℄,COUNT[i:0..N℄= ( when (i<N) put −> COUNT[i+1℄| when (i>0) get −> COUNT[i−1℄ ).PRODUCER = (put−>PRODUCER ).CONSUMER = (get−>CONSUMER ).

| | BOUNDEDBUFFER = (PRODUCER | | BUFFER ( 5 ) | | CONSUMER ).COMP2310 Lecture 8: Semaphores 2013 ◭◭ ◭ • ◮ ◮◮ × 10

Bounded Buffer Program – Buffer Monitor

We separate the interface to permit an alternative implementation later.publi interfa e Buffer {...}publi lass BufferImpl implements Buffer {publi syn hronized void put( har inC)throws InterruptedEx eption {while ( ount ==size) wait();buf[in℄ = inC; ++ ount; in = (in+1) % size;notifyAll ();}publi syn hronized har get()throws InterruptedEx eption {while ( ount ==0) wait(); har outC = buf[out℄;buf[out℄ = null; −− ount; out = (out+1) % size;notifyAll ();return (outC);}

Is it safe to use notify() here rather than notifyAll()?

(for clarity, the templates in the text’s BufferImpl.java have been instantiated with har)


http://cs.anu.edu.au/courses/comp2310/links/book_applets/concurrency/buffer/BufferImpl.java

Bounded Buffer Program — Producer Thread lass Produ er implements Runnable {Buffer buf;String alphabet = ``ab defghijklmnopqrstuvwxyz ’ ’;Produ er(Buffer b) {buf = b;}publi void run() {try {int ai = 0;while (true) {ThreadPanel .rotate (12);buf.put(alphabet. harAt(ai));ai = (ai+1) % alphabet.length();ThreadPanel .rotate (348);

}} at h (InterruptedEx eption e){}

}}

Similarly Consumer calls buf.get().


Nested Monitors

Suppose that, in place of using the ount variable and condition synchronization directly,

we instead use two semaphores full and empty to reflect the state of the buffer. lass SemaBuffer implements Buffer {Semaphore full; // ounts number of itemsSemaphore empty; // ounts number of spa esSemaBuffer (int s) {size = s; buf = new har[size℄;full = new Semaphore (0);empty= new Semaphore(size);

}syn hronized publi void put( har inC) throws Int ... tion {empty.down(); // de rement empty , or blo k if 0buf[in℄ = inC; ++ ount; in = (in+1) % size;full.up();}syn hronized publi har get() throws InterruptedEx eption {full.down(); // de rement full , or blo k if 0 har outC = buf[out℄;buf[out℄ = null; −− ount; out = (out+1) % size;empty.up();return (outC);

}


Nested Monitors – Bounded Buffer Model onst Max = 5range Int = 0..MaxSEMAPHORE(I=0) = SEMA[I℄,SEMA[v:Int℄ = ( up −> SEMA[v+1℄

| when(v>0) down −> SEMA[v−1℄ ).BUFFER = ( put −> empty.down −> full.up −> BUFFER

| get −> full.down −> empty.up −> BUFFER).PRODUCER = (put −> PRODUCER ).CONSUMER = (get −> CONSUMER ).| | BOUNDEDBUFFER = ( PRODUCER | | BUFFER | | CONSUMER | |empty:SEMAPHORE (5) | |full:SEMAPHORE (0))�{put ,get }.Does this behave as desired?


Nested Monitors – Bounded Buffer Model

LTSA analysis predicts a possible deadlock:Composing

potential DEADLOCK ...Trace to DEADLOCK: get

The Consumer tries to get a character, but the buffer is empty. It blocks and releases the

lock on the semaphore full. The Produ er tries to put a character into the buffer, but

also blocks. Why?

This situation is known as the nested monitor problem.syn hronized publi har get() throws InterruptedEx eption {full.down(); // if no items , blo k !...... }


Nested Monitors – Revised Bounded Buffer Program

The only way to avoid it in Java is by careful design. In this example, the deadlock can

be removed by ensuring that the monitor lock for the buffer is not acquired until after the

semaphores are decremented.publi void put( har inC) throws InterruptedEx eption {empty.down();syn hronized(this) {buf[in℄ = inC; ++ ount; in = (in+1) % size;

}full.up();}

Leading to the revised bounded buffer model:BUFFER = ( put −> BUFFER | get −> BUFFER ).PRODUCER = ( empty.down −> put −> full.up −> PRODUCER ).CONSUMER = ( full.down −> get −> empty.up −> CONSUMER ).

The semaphore actions have been moved to the producer and consumer. This is exactly

as in the implementation where the semaphore actions are outside the monitor.

Does this behave as desired? Minimized LTS?


Monitor Invariants and Other Forms Of Defensive Programmin g

● a monitor invariant is an assertion concerning the state variables it encapsulates

■ it must hold whenever there is no thread executing inside the monitor■ i.e. on thread entry to and exit from the monitor

● e.g.CarParkControl: 0 <= spa es && spa es < apa itySemaphore: 0 <= valueBoundedBuffer: (0 <= in && in < size) && (0 <= out && out < size) &&(0 <= ount && ount < size) &&(in == (out + ount) % size)

● invariants can be helpful in reasoning about correctness of monitors using a logicalproof-based approach.

Generally we prefer to use a model-based approach amenable to mechanicalchecking.

● invariants can be invaluable to checking the correctness of monitor implementations

■ they are a form of defensive programming, which also includes pre- and postcondition checking

■ this is especially important for reliable concurrent programs!


Summary

● concepts

■ monitors: encapsulated data + access procedures

◆ mutual exclusion + condition synchronization

■ nested monitors & their pitfalls!

● concepts

■ model: guarded actions

● practice

■ private data and synchronized methods in Java

■ a single thread is active in the monitor at a time

■ wait() and notifyAll() for condition synchronization


Documents

Semaphores - courses.cecs.anu.edu.aucourses.cecs.anu.edu.au/courses/COMP2310/lectures2013/Semapho… · Semaphores Admin stuff: some 2012 CDS SELS comments of impact for 2013 the