Book Chapter 3

1
Concurrency
Concurrent Execution
Claus Brabrand brabrand_at_daimi.au.dk University of
Aarhus
2
Repetition (Concepts, Models, and Practice)

• Concepts
• We adopt a model-based approach for the design
  and construction of concurrent programs
• Safe model gt safe program
• Models
• We use finite state models to represent
  concurrent behaviour(Finite State Processes and
  Labelled Transition Systems)
• Practice
• We use Java for constructing concurrent programs

3
Repetition (Models LTS/FSM, FSP)

• Model simplified representation of the real
  world
• Based on Labelled Transition Systems (LTS )
• Described textually as Finite State Processes
  (FSP )

Focuses on concurrency aspects (of the program)-
everything else abstracted away
Aka. Finite State Machine (FSM )
EngineOff (engineOn-gt EngineOn), EngineOn
(engineOff-gt EngineOff
speed-gtEngineOn).
4
Repetition (Finite State Processes FSP)

• Finite State Processes (FSP)

P STOP // termination (x -gt P) //
action prefix (when () x -gt P) // guard P
P // choice P // alphabet
extension X // process variable

• action indexing xi1..N-gtP or xi-gtP
• process parameters Pi1..N
• constant definitions const N 3
• range definitions range R 0..N

Which constructions do not add expressive
power? (and are thus only "syntactic sugar").
5
Repetition (Java Threads)

• Subclassing java.lang.Thread
• Implementing java.lang.Runnable

class MyThread extends Thread public void
run() // ...
Thread t new MyThread() t.start() // ...
class MyRun implements Runnable public void
run() // ...
Thread t new Thread(new MyRun()) t.start() //
...
6
Chapter 3
Concurrent Execution
7
Concurrent execution
Concepts processes - concurrent execution
and interleaving. process
interaction. Models parallel composition of
asynchronous processes -
interleaving interaction - shared
actions process labelling, and action
relabelling and hiding structure
diagrams Practice Multithreaded Java programs
8
Definition Parallelism

• Parallelism (aka. Real/True Concurrent Execution)
• Physically simultaneous processing
• Involves multiple processing elements (PEs)
  and/or independent device operations

9
Definition Concurrency

• Concurrency (aka. Pseudo-Concurrent Execution)
• Logically simultaneous processing
• Does not imply multiple processing elements (PEs)
• Requires interleaved execution on a single PE

10
Parallelism vs. Concurrency

• Parallelism

• Concurrency

Both concurrency and parallelism require
controlled access to shared resources. We use
the terms parallel and concurrent interchangeably
(and generally do not distinguish between real
and pseudo-concurrent execution). Also, creating
software independent of the physical setup, makes
us capable of deploying it on any platform!
11
3.1 Modelling Concurrency

• How do we model concurrency?
• Arbitrary relative order of actions from
  different processes (interleaving but
  preservation of each process order)

Possible execution sequences?
? x y
Asynchronous model of execution
? y x
? x y
12
3.1 Modelling Concurrency

• How should we model process execution speed?
• We choose to abstract away time
• Arbitrary speed!

- we can say nothing of real-time properties
independent of architecture, processor speed,
scheduling policies,
13
parallel composition - action interleaving
ITCH (scratch-gtSTOP). CONVERSE
(think-gttalk-gtSTOP). CONVERSE_ITCH (ITCH
CONVERSE).

• scratch?think?talk
• think?scratch?talk
• think?talk?scratch

Possible traces as a result of action
interleaving?
14
parallel composition - action interleaving
2 states
3 states
Cartesian product?
2 x 3 states
15
parallel composition - algebraic laws
Commutative (PQ) (QP) Associative
(P(QR)) ((PQ)R) (PQR).
Clock radio example
CLOCK (tick-gtCLOCK). RADIO (on-gtoff-gtRADIO).
CLOCK_RADIO (CLOCK RADIO).
LTS? Traces? Number of states?
16
modeling interaction - shared actions
MAKE1 (make-gtready-gtSTOP). USE1
(ready-gtuse-gtSTOP). MAKE1_USE1 (MAKE1
USE1).
MAKE1 synchronizes with USE1 when ready.
LTS? Traces? Number of states?

• Shared Actions

If processes in a composition have actions in
common, these actions are said to be shared.
Shared actions are the way that process
interaction is modelled. While unshared actions
may be arbitrarily interleaved, a shared action
must be executed at the same time by all
processes that participate in the shared action.
17
modeling interaction - example
MAKE1 (make-gtready-gtSTOP). USE1
(ready-gtuse-gtSTOP). MAKE1_USE1 (MAKE1
USE1).
3 states
3 states
make
ready
ready
ready
ready
ready
make
3 x 3 states?
use
use
use
No!
make
ready
18
modeling interaction - example
MAKE1 (make-gtready-gtSTOP). USE1
(ready-gtuse-gtSTOP). MAKE1_USE1 (MAKE1
USE1).
3 states
3 states
make
ready
ready
ready
ready
ready
4 states!
ready
make
Interaction may constrain the overall behaviour !
use
use
use
make
ready
19
Example
P (x -gt y -gt P). Q (y -gt x -gt Q). R
(P Q).
2 states
2 states
LTS? Traces? Number of states?
20
modeling interaction - example
MAKER (make-gtready-gtMAKER). USER
(ready-gtuse-gtUSER). MAKER_USER (MAKER
USER).
LTS? Traces?
Can we make sure the MAKER does not get ahead
of the USER (i.e. never make before use) and if
so, how?
21
modeling interaction - handshake
A handshake is an action acknowledged by another
MAKERv2 (make-gtready-gtused-gtMAKERv2). USERv2
(ready-gtuse-gtused-gtUSERv2). MAKER_USERv2
(MAKERv2 USERv2).
22
modeling interaction - multiple processes
Multi-party synchronization
MAKE_A (makeA-gtready-gtused-gtMAKE_A). MAKE_B
(makeB-gtready-gtused-gtMAKE_B). ASSEMBLE
(ready-gtassemble-gtused-gtASSEMBLE). FACTORY
(MAKE_A MAKE_B ASSEMBLE).
23
composite processes
A composite process is a parallel composition of
primitive processes. These composite processes
can be used in the definition of further
compositions.
MAKERS (MAKE_A MAKE_B). FACTORY
(MAKERS ASSEMBLE).
substitution of defn of MAKERS
FACTORY ((MAKE_A MAKE_B) ASSEMBLE).
associativity!
Further simplification?
FACTORY (MAKE_A MAKE_B ASSEMBLE).
24
process labelling
aP prefixes each action label in the alphabet of
P with a.
Two instances of a switch process
LTS? (aSWITCH)
SWITCH (on-gtoff-gtSWITCH). TWO_SWITCH
(aSWITCH bSWITCH).
25
process labelling
aP prefixes each action label in the alphabet of
P with a.
Two instances of a switch process
SWITCH (on-gtoff-gtSWITCH). TWO_SWITCH
(aSWITCH bSWITCH).
An array of instances of the switch process
SWITCHES(N3) (foralli1..N
siSWITCH). SWITCHES(N3)
(si1..NSWITCH).
26
process labelling by a set of prefix labels
a1,..,anP replaces every action label x in
the alphabet of P with the labels a1.x,,an.x.
Further, every transition (x-gtX) in the
definition of P is replaced with the transitions
(a1.x,,an.x -gtX).
Process prefixing is useful for modeling shared
resources
USER (acquire-gtuse-gtrelease-gtUSER).
RESOURCE (acquire-gtrelease-gtRESOURCE).
RESOURCE_SHARE (aUSER bUSER
a,bRESOURCE).
27
process prefix labels for shared resources
RESOURCE (acquire-gtrelease-gtRESOURCE).
USER (acquire-gtuse-gtrelease-gtUSER).
RESOURCE_SHARE (aUSER bUSER
a,bRESOURCE).
How does the model ensure that the user that
acquires the resource is the one to release it?
28
Example
X (x -gt STOP).
SYS_1 a,bX.
LTS? Traces? Number of states?
SYS_2 a,bX.
LTS? Traces? Number of states?
29
action relabelling
Relabelling functions are applied to processes to
change the names of action labels. The general
form of the relabelling function is
/newlabel1/oldlabel1, newlabeln/oldlabeln.
Relabeling to ensure that composed processes
synchronize on particular actions
CLIENT (call-gtwait-gtcontinue-gtCLIENT).
SERVER (request-gtservice-gtreply-gtSERVER).
30
action relabelling
CLIENT (call-gtwait-gtcontinue-gtCLIENT).
SERVER (request-gtservice-gtreply-gtSERVER).
C (CLIENT /reply/wait).
S (SERVER /call/request).
C_S (C S).
C
S
C_S
31
action relabelling - prefix labels
An alternative formulation of the client server
system is described below using qualified or
prefixed labels
SERVERv2 (accept.request
-gtservice-gtaccept.reply-gtSERVERv2). CLIENTv2
(call.request -gtcall.reply-gtcontinue-gt
CLIENTv2). CLIENT_SERVERv2 (CLIENTv2
SERVERv2) /call/accept.
32
action hiding - abstraction to reduce complexity
When applied to a process P, the hiding operator
\a1..ax removes the action names a1..ax from
the alphabet of P and makes these concealed
actions "silent". These silent actions are
labelled tau. Silent actions in different
processes are not shared.
USER (acquire-gtuse-gtrelease-gtUSER)
\use.
33
action hiding - abstraction to reduce complexity
Sometimes it is more convenient to specify the
set of labels to be exposed....
When applied to a process P, the interface
operator _at_a1..ax hides all actions in the
alphabet of P not labelled in the set a1..ax.
USER (acquire-gtuse-gtrelease-gtUSER)
_at_acquire,release.
34
action hiding
The following definitions are equivalent
USER (acquire-gtuse-gtrelease-gtUSER)
\use. USER (acquire-gtuse-gtrelease-gtUSER)
_at_acquire,release.
Minimization removes hidden tau actions to
produce an LTS with equivalent observable
behavior.
35
structure diagrams
36
structure diagrams
37
structure diagrams
38
structure diagrams
39
structure diagrams
40
structure diagrams
41
structure diagrams
range T 0..3 BUFF (iniT-gtouti-gtBUFF).
We use structure diagrams to capture the
structure of a model expressed by the static
combinators parallel composition, relabeling
and hiding.
TWOBUF
(aBUFF bBUFF) /in/a.in, a.out/b.in,
out/b.out _at_in,out.
42
structure diagrams
CLIENT (call-gtwait-gtcontinue-gtCLIENT). SERVER
(request-gtservice-gtreply-gtSERVER).CLIENT_SERVE
R (CLIENTSERVER)
/reply/wait,
call/request.
Structure diagram for CLIENT_SERVER ?
43
structure diagrams
SERVERv2 (accept.request
-gtservice-gtaccept.reply-gtSERVERv2). CLIENTv2
(call.request -gtcall.reply-gtcontinue-gt
CLIENTv2). CLIENT_SERVERv2 (CLIENTv2
SERVERv2) /call/accept.
Structure diagram for CLIENT_SERVERv2 ?
44
structure diagrams - resource sharing
RESOURCE (acquire-gtrelease-gtRESOURCE). USER
(printer.acquire-gtuse-gtprinter.release-gtUSER).
PRINTER_SHARE (aUSER bUSER
a,bprinterRESOURCE).
45
ThreadDemo model
THREAD OFF, OFF (toggle-gtON
abort-gtSTOP), ON (toggle-gtOFF
output-gtON abort-gtSTOP). THREAD_DEMO
(aTHREAD bTHREAD)
/stop/a,b.abort.
Interpret toggle, abort as inputs output
as output
46
ThreadDemo code MyThread
class MyThread extends Thread private
boolean on MyThread() super() this.on
false public void toggle() on !on
public void abort() this.interrupt()
private void output() System.out.println(
output) public void run()
try while (true)
if (on) output() sleep(1000)
catch(IntExc _)
System.out.println(Done!)
47
ThreadDemo code ThreadDemo
class ThreadDemo public static void
main(String args) MyThread a new
MyThread() MyThread b new MyThread()
a.start() b.start() while (true)
switch (readChar())
case a a.toogle()
break case b b.toogle()
break
case i stop(a,b)
return private
stop(MyThread a, MyThread b)
a.abort() b.abort()
48
Summary

• Concepts
• concurrent processes and process interaction
• Models
• Asynchronous (arbitrary speed) interleaving
  (arbitrary order).
• Parallel composition as a finite state process
  with action interleaving.
• Process interaction by shared actions.
• Process labeling and action relabeling and
  hiding.
• Structure diagrams
• Practice
• Multiple threads in Java.

49
Concurrency
Shared Objects and Mutual Exclusion
Claus Brabrand brabrand_at_daimi.au.dk University of
Aarhus
50
Repetition (FSP)

• FSP
• P Q // parallel composition
• aP // parameterized parallel composition
• P // set prefixing (usually for sharing)
• P / x/y // action relabling
• P \ // hiding
• P _at_ // keeping (hide complement)
• Structure Diagrams

51
Chapter 4
Shared Objects Mutual Exclusion
52
Shared Objects Mutual Exclusion

• Concepts
• Process interference
• Mutual exclusion
• Models
• Model-checking for interference
• Modelling mutual exclusion
• Practice
• Thread interference in shared objects in Java
• Mutual exclusion in Java
• synchronized objects, methods, and statements

53
4.1 Interference
The Ornamental Garden Problem
People enter an ornamental garden through either
of two turnstiles. Management wishes to know how
many are in the garden at any time. (Nobody can
exit).
0
1
2
Counter
54
and now for something completely different!

• Der var engang en hytte lang ude i skoven...

3
4
Hvis der går1 person ind i hytten,så er den tom!
...og...
Reproduktion!
Måleusikkerhed!

• En fysiker

• En biolog

• En matematiker

55
4.1 Ornamental Garden Problem (contd)
Counter
Java implementation The concurrent program
consists of ? two concurrent threads (west
east) and ? a shared counter object
2
56
Class Diagram
40
20
20
counter
57
Ornamental Garden Program
The go() method of the Garden applet
class Garden extends Applet NumberCanvas
counterD, westD, eastD Turnstile east,
west ... private void go()
counter new Counter(counterD) west
new Turnstile(westD,counter) east new
Turnstile(eastD,counter) west.start()
east.start()
creates the shared Counter object the
Turnstile threads.
58
The Turnstile Class
class Turnstile extends Thread NumberCanvas
display Counter counter public void
run() try
display.setvalue(0) for (int i1
iltGarden.MAX i)
Thread.sleep(1000)
display.setvalue(i)
counter.increment()
catch (InterruptedException _)
The Turnstile thread simulates periodic arrival
of visitors by invoking the counter objects
increment() method every second
59
The Shared Counter Class
The increment() method of the Counter class
increments its internal value and updates the
display.
class Counter int value NumberCanvas
display void increment() value
value 1 display.setvalue(value)

60
Running the Applet
39
20
20
After the East and West turnstile threads each
have incremented the counter 20 times, the garden
people counter is not the sum of the counts
displayed.
Why?
61
The Shared Counter Class (contd)
class Counter int value NumberCanvas
display void increment() value
value 1 display.setvalue(value)

aload_0 // push this onto stack dup
// duplicate top stack element getfield 2
// get value of this.value iconst_1 //
push 1 onto stack iadd // add two top
stack elements putfield 2 // put result into
this.value
Thread switch?
62
Concurrent Method Activation
Java method activation is not atomic!
Thus, threads east and west may be executing the
code for the increment method at the same time.
west
Shared code
east
Counter.class
program counter
aload_0 // this dup getfield 2 //
x iconst_1 iadd putfield 2 // x return
program counter
63
Pedagogification the Counter Class (contd)
class Counter void increment()
value value 1 display.setvalue(value
)
64
Pedagogification the Counter Class (contd)
class Counter void increment()
int temp value // read
Simulate.HWinterrupt() value temp 1
// write display.setvalue(value)
The counter simulates a hardware interrupt during
an increment(), between reading and writing to
the shared counter value.
class Simulate // randomly force thread
switch! public static void HWinterrupt()
if (random()lt0.5) Thread.yield()
65
Running the Applet
Now the erroneous behaviour occurs all the time!
66
Garden Model (Structure Diagram)
GARDEN
VARmodels read and write access to the shared
counter value. TURNSTILEIncrement is modelled
inside TURNSTILE, since Java method activation is
not atomic (i.e., thread objects east and west
may interleave their read and write actions).
67
Ornamental Garden Model (FSP)
const N 4 range T 0..N VAR
VAR0, VARuT (readu -gt VARu
writevT -gt VARv). TURNSTILE (go -gt
RUN), RUN (arrive -gt INCREMENT end -gt
TURNSTILE), INCREMENT (value.readxT -gt
value.writex1 -gt RUN)
value.write0. GARDEN
(eastTURNSTILE westTURNSTILE
east,west,displayvalueVAR)
/ go / east,west.go , end / east,west.end.
?(VAR) ?
?(valueVAR) ?
?(east,west,displayvalueVAR) ?
?(eastTURNSTILE) ?
?(TURNSTILE) ?
68
Checking for Errors - Animation
Scenario checking - use animation to produce a
trace.
Is the modelcorrect?
Never send a human to do a machines job
- Agent Smith (1999)
69
Checking for Errors - Compose with Error Detector
Exhaustive checking - compose the model with a
TEST process which sums the arrivals and checks
against the display value
TEST TEST0, TESTvT (when (vltN)
west.arrive-gtTESTv1 when (vltN)
east.arrive-gtTESTv1 end -gt
CHECKv), CHECKvT (display.value.readuT
-gt (when (uv) right -gt
TESTv when (u!v) wrong -gt
ERROR))
display.value.writeT.
70
Checking for Errors - Exhaustive Analysis
TESTGARDEN (GARDEN TEST).
Use LTSA to perform an exhaustive search for
ERROR
Trace to property violation in TEST go east.arr
ive east.value.read.0 west.arrive west.value.re
ad.0 east.value.write.1 west.value.write.1 end
display.value.read.1 wrong
LTSA produces the shortest path to reach the
ERROR state.
71
Interference and Mutual Exclusion
Destructive update, caused by the arbitrary
interleaving of read and write actions, is termed
interference.
Interference bugs are extremely difficult to
locate. The general solution is ? Give methods
mutually exclusive access to shared objects.
Mutual exclusion can be modelled as atomic
actions.
72
4.2 Mutual Exclusion in Java
Concurrent activations of a method in Java can be
made mutually exclusive by prefixing the method
with the keyword synchronized.
We correct the Counter class by deriving a class
from it and making its increment method
synchronized
class SynchronizedCounter extends Counter
SynchronizedCounter(NumberCanvas n)
super(n) synchronized void increment()
super.increment()
73
The Garden Class (revisited)
If the fixit checkbox is ticked, the go() method
creates a SynchronizedCounter
class Garden extends Applet private void
go() if (!fixit.getState())
counter new Counter(counterD) else
counter new SynchCounter(counterD)
west new Turnstile(westD,counter)
east new Turnstile(eastD,counter)
west.start() east.start()
74
Mutual Exclusion - The Ornamental Garden
Java associates a lock with every object. The
Java compiler inserts code to ? acquire the
lock before executing a synchronized method
? release the lock after the synchronized method
returns. Concurrent threads are blocked until
the lock is released.
75
Java synchronized Statement
Synchronized methods
synchronized void increment()
super.increment()
Variant - the synchronized statement
object reference
void increment() synchronized(counter)
value value 1
display.setvalue(value)
Use synch methods whenever possible.
76
Java -gt Java Bytecode
Method void m() gtgt max_stack3, max_locals3 ltlt
0 aload_0 1 dup 2 astore_1 3
monitorenter 4 aload_0 5 dup 6
getfield 2 ltField X.xintgt 9 iconst_1 10
iadd 11 putfield 2 ltField X.xintgt 14
aload_1 15 monitorexit 16 goto 24 19
astore_2 20 aload_1 21 monitorexit 22
aload_2 23 athrow 24 return Exception
table from to target type 4 16
19 any 19 22 19 any
1 class X 2 int x 3 void m() 4
synchronized(this) 5 x 6 7
8
compile
77
4.3 Modeling Mutual Exclusion
GARDEN (eastTURNSTILE westTURNSTILE
east,west,displayvalueLOCKVAR)
Define a mutual exclusion LOCK process
LOCK (acq -gt rel -gt LOCK).
and compose it with the shared VAR in the Garden
LOCKVAR (LOCK VAR).
Modify TURNSTILE to acquire and release the lock
TURNSTILE (go -gt RUN), RUN (arrive -gt
INCREMENT end -gt TURNSTILE), INCREMENT
(value.acq -gt value.readxT
-gt value.writex1 -gt
value.rel-gtRUN ) value.write0
78
Revised Ornamental Garden Model - Checking for
Errors
A sample trace
go east.arrive east.value.acq
east.value.read.0 east.value.write.1
east.value.rel west.arrive west.value.acq
west.value.read.1 west.value.write.2
west.value.rel end display.value.read.2
right
Use LTSA to perform an exhaustive check is
TEST satisfied?
79
Summary

• Concepts
• process interference
• mutual exclusion
• Models
• model checking for interference
• modelling mutual exclusion
• Practice
• thread interference in shared Java objects
• mutual exclusion in Java (synchronized
  objects/methods).