modeling and analysis of fischer's algorithm

Modeling and Analysis of Fischer’s Algorithm

Thomas Davies

Processes and Data,Department of Computer Science, Swansea University

Vino - July 2011

Thomas Davies Modeling and Analysis of Fischer’s Algorithm

Today’s Talk

1. Mutual Exclusion Algorithms (recap)

2. Fischer’s Algorithm

3. Modeling Fischer’s Algorithm

4. Analysis of Fischer’s Algorithm


Mutual Exclusion Algorithms


Mutual Exclusion

As previously observed, the idea of mutual exclusion is that twoprocesses which have critical sections cannot enter those sectionsat the same time.

CriticalSection

CriticalSection


Mutual Exclusion Algorithms

The abstract behaviour of mutual exclusion algorithms describedas:

while true dobegin

remainder regiontrying regioncritical sectionexit region

end

Algorithms like this satisfy two properties:

I Mutual Exclusion

I Deadlock Freedom


Asynchronous Mutual Exclusion

Known asynchronous mutual exclusion algorithms for n processesrequire O(n) read and write registers and O(n) operations in orderto access the critical section. (Lynch and Shavit 1992)

Question:Is it possible to achieve mutual exclusion in asynchronous systemsconsisting of n processes by using a smaller number of sharedregisters and/or fewer than O(n) operations to access the criticalsection?


Asynchronous Mutual Exclusion (cont.)

Short answer:

No.

Long answer:

TheoremThere is no asynchronous algorithm providing mutual exclusionwith deadlock freedom for n ≥ 2 processes that uses fewer than nshared read and write registers. (Burns and Lynch)


Asynchronous Mutual Exclusion (cont.)

Short answer:No.

Long answer:

TheoremThere is no asynchronous algorithm providing mutual exclusionwith deadlock freedom for n ≥ 2 processes that uses fewer than nshared read and write registers. (Burns and Lynch)


Fischer’s Algorithm


Beating the theorem

Can the lower bound in the Theorem for deadlock-free mutualexclusion be overcome by considering computational models otherthan the one underlying the above-mentioned result of Burns andLynch?


Michael Fischer

The first researcher to accomplish this was Michael Fischer, whoovercame the lower bound by assuming timing constraints.

His algorithm uses one shared mulitwriter register ’id’ with initialvalue 0. Each process Pi , i ∈ {1, . . . , n} executes the followingalgorithm, where ’delay’ is a positive integer constant.


Fischer’s Algorithm

while true dobegin

noncritical section;L: if id 6= 0 then goto L;1: id := i;2: pause(delay);3: if id 6= i then goto L;critical section;id := 0;

end

pause(delay) makes the process wait for the amount of timespecified by the constant ’delay’.


Choosing the value of ’delay’

Fischer’s algorithm is real-time. Therefore it is important tooptimise the value of ’delay’. So what should it’s value be?

We could assume a positive integer upper bound c for the timebetween successive steps of the execution of a process while itattempts to access its critical section.

In Fischer’s algorithm, we choose a value larger than c , the longesttime that a process may take to perform a step while trying toenter its critical section.But why?


Choosing the value of ’delay’ (cont.)

By the time that process i has reached line 3 in the pseudocodealgorithm (3: if id 6= i then goto L;), each process j that haspassed the test in line L (L: if id 6= 0 then goto L;) and mightwrite j in the variable id has already done so, since delay ¿ c and cis the longest time that such a step may take.

Therefore, whenever process i finds that id = i in line 3 then it cansafely enter its critical section because all the other processes areeither before line L or after line 1 with their index overwritten byprocess i , so they will fail the test at line 3.


A Brief Reflection

Fischer’s algorithm is deadlock free and mutually exclusive for aslong as its timing assumptions are met. The timing behaviour ofthe algorithm is nearly optimal (Lynch and Shavit 1992, Theorem4.6.)

However...If the timing constraints are not met, then the algorithm can nolonger guarantee mutual exclusion!


A Brief Reflection


However...

If the timing constraints are not met, then the algorithm can nolonger guarantee mutual exclusion!


A Brief Reflection


However...If the timing constraints are not met, then the algorithm can nolonger guarantee mutual exclusion!


Modeling Fischer’s Algorithm


Modeling Fischer’s Algorithm

Fischer’s algorithm for n processes can be modeled as a network oftimed automata. Each of the n timed automata in the network isakin to one process running the algorithm.


Fischer’s Automaton

/tiny/tinyL

/tiny1, x ≤ c

/tiny2

/tinyCS

id = 0,x := 0

id := i ,x := 0

id = i ,x > c

id := 0not(id = 0),x > c


Fischer’s Network

We model the algorithm for n processes as the network of timedautomata

A1|A2| . . . |An

States of this network consist of an n-tuple of locations (l1, . . . , ln),where ln is a location in the automaton Ai , i ∈ {1, . . . , n} and avaluation for the set of clocks {x1, . . . , xn}; xi standing for thelocal clock of automaton Ai .

But...


Handling the shared variable

Due to the value of the shared variable ’id’ actively determiningwhich edges are enabled, the states of the network also need torecord the current value of this variable.

We write a state of the network A1|A2| . . . |An as so:

(l1, . . . , ln, x1 = c1, . . . , xn = cn, id = i),

where c1, . . . , cn are non-negative reals and i ∈ {1, . . . , n}.

The initial state of the network is

(L, . . . , L, x1 = 0, . . . , xn = 0, id = 0),


Analysis of Fischer’s Algorithm


Analysis of Fischer’s Algorithm

Now we have a model of the algorithm as a network of timedautomata, we must analyse the behaviour of the model in order toverify that it affords the mutual exclusion property.

We state the following invariant property:

No matter how the network evolves, at no point of its computationwill two different component automata each be in its location CSat the same time.


Using Hennessy-Milner logic with time

We can express invariance properties in Hennessy-Milner logic withtime.

We wish to express the following requirement:

Two different component automata cannot each be in its locationCS at the same time.


Using Hennessy-Milner logic with time (cont.)

We have the option of modifying the model by adding self-loopedges to location CS, labeling them with some observablesynchronisation action ini ! which is used to signal that Ai is in itscritical section.

This allows us to express mutual exclusion using the property

Inv

∧1≤i<j≤n

([ini !]ff ∨ [inj !]ff )


UPPAAL Verification

We could potentially look to verify the correctness of the algorithmusing the verification tool UPPAAL, however the languagesupported by it does not allow us to write formulae such as we hadon the previous slide.

We can rewrite this formula as

MutexNow∧

1≤i<j≤n

(¬Ai .CS ∨ Aj .CS)

Which will allow us to express mutual exclusion using the property

Inv(MutexNow)


Summary - Part One

To summarise, we briefly recapped on mutual exclusion. We thenintroduced Fischer’s algorithm and modeled it using timedautomata.

We then went some way to verifying its correctness by giving theideas needed to formally verify the algorithm using UPPAAL.


Summary - Part Two

I Introduction to CCS

I Behavioural equivalences

I Fixed points and bisimulation equivalence

I Hennessy-Milner logic

I Hennessy-Milner logic with recursive definitions

I Mutual exclusion

I CCS with time delays

I Timed automata

I Timed behavioural equivalences

I Hennessy-Milner logic with time

I Modeling and analysis of Fischer’s Algorithm


Thank you!


modeling and analysis of fischer's algorithm

Documents