# Thread Synchronization: Foundations ## Two Theads, One Shared Variable Might execute like this: T<sub>1</sub> r1 := load from amount r1 := r1 - 10,000 store r1 to amount T2 r2 := load from amount r2 := 0.5 \* r2 store r2 to amount amount = 40,000 Or viceversa: $T_1$ and then $T_2$ amount = 45,000 ## Two Theads, One Shared Variable Two threads updating shared variable amount - $\ \square \ T_1$ wants to decrement amount by \$10K - $\ \square \ T_2$ wants to decrement amount by 50% amount = 100,000 What happens when $\mathsf{T}_1$ and $\mathsf{T}_2$ execute concurrently? 2 ### Two Theads, One Shared Variable But might also execute like this: T2 r2 := load from amount r2 := 0.5 \* r2 store r2 to amount amount = 50,000 One update is lost! Wrong - and very hard to debug #### Race Conditions #### Timing dependent behavior involving shared state - Behavior of race condition depends on how threads are scheduled! - □ one program can generate exponentially many schedules or interleavings - □ bug if any of them generates an undesirable behavior All possible interleavings should be safe! 5 #### Therac-25 [1982] Computer-controlled radiation therapy machine - Safety critical system with software interlocks - □ they let state of element A determine allowed states for element B - Ex: elevator cannot move with doors open - Beam controlled entirely through a custom OS ## Race Conditions: Hard to Debug - Only some interleavings may produce a bug - But bad interleavings may happen very rarely - program may run 100s of times without generating an unsafe interleaving - Compiler and processor hardware can reorder instructions 6 #### Therac-25 - Old system used a hardware interlock - □ Lever either in the "electron-beam" or "x-ray" position - New system was computer controlled - Much went wrong: - A synchronization failure triggered when competent nurses used back arrow to change the data on the screen "too quickly" - $\ \square$ Engineers reused software from older models - ▶ it was buggy, but hardware interlocks masked the bugs - ☐ The system noted a problem and halted X-beam, displaying "MALFUNCTION" followed by obscure error code 54 - ▶ technician resumed treatment #### Therac-25 Outcome - Patients received over 100x the recommended dose of radiation - □ Three patients died of radiation overdose - ☐ Many cancer patients received inadequate treatment - People died because a programmer could not write correct code for a concurrent system - 38 Year Later.... Now what? ## Edsger's perspective Testing can only prove the presence of bugs... ... not their absence! ## Aye, there's the rub... - OS virtualizes resources - Virtualizing a resource requires managing concurrent accesses - □ data structures must transition between consistent states - □ Atomic actions transform state indivisibly - ▶ can be implemented by executing actions within a critical section 10 Take a walk on the wild side... Lou Reed, 1972 1 #### Properties Property: a predicate that is evaluated over a run of the program (a trace) "every message that is received was previously sent" Not everything you may want to say about a program is a property: "the program sends an average of 50 messages in a run" 13 #### Liveness properties - "Something good eventually happens" - A process that wishes to enter the critical section eventually does so - □ Some message is eventually delivered - Medications are eventually distributed to patients - □ Windows eventually boots - Every run can be extended to satisfy a liveness property - □ if it does not hold in a prefix of a run, it does not mean it may not hold eventually #### Safety properties - "Nothing bad happens" - $\ \square$ No more than k processes are simultaneously in the critical section - Messages that are delivered are delivered in FIFO order - D No patient is ever given the wrong medication - □ Windows never crashes - A safety property is "prefix closed": - □ if it holds in a run, it holds in its every prefix 14 #### A really cool theorem Every property is a combination of a safety property and a liveness property (Alpern & Schneider) Gian this spore a without to a problem which to the boundary of the withor, has been on, you, waster at least 1952, exemption of the without [1.]. This may be underso as fine a state of the without of the without of the without of the without of the without of the without the without the without flower flowers flowers and the legislation of the without the without the without the without without the without the without without the without the without without the #### Critical Section - A segment of code involved in reading and writing data shared by N threads - □ Used to protect data structures (e.g., queues, shared variables, lists, ...) - Must be executed atomically - Key requirements: - □ Solution must be symmetrical for the N threads - □ Nothing can be assumed about the speed of the N threads, but that their speed inside the CS is not zero - A thread that stops outside CS must not impede access to CS for other threads - $\ensuremath{\square}$ "Italians at a door syndrome" (mutual blocking) unacceptable #### Critical section | Thread To | Thread T <sub>1</sub> | |---------------------|-----------------------| | while(!terminate) { | while(!terminate) { | | $entry_0$ | $entry_1$ | | $CS_0$ | $CS_1$ | | lock.release() | lock.release() | | $NCS_0$ | $NCS_1$ | | } | } | | | 19 | # $\begin{array}{ccc} \textbf{Critical section} \\ \\ \textbf{Thread T}_0 & \textbf{Thread T}_1 \\ \\ \textbf{while(!terminate) } \{ & \textbf{while(!terminate) } \{ \\ \\ \textbf{lock.acquire()} & \textbf{lock.acquire()} \\ \\ \textbf{CS}_0 & \textbf{CS}_1 \\ \\ \end{array}$ lock.release() $NCS_1$ lock.release() $NCS_0$ #### Critical section | Thread To | Thread T <sub>1</sub> | |---------------------|-----------------------| | while(!terminate) { | while(!terminate) { | | $entry_0$ | $entry_1$ | | $CS_0$ | $CS_1$ | | $exit_0$ | $exit_1$ | | $NCS_0$ | $NCS_1$ | | } | } | | | 20 | #### Critical Section - $m{\varnothing}$ Mutual Exclusion: At most one thread in CS (Safety) $\exists in(CS_i) \land in(CS_j)$ must be false - No deadlock: If some thread attempts to acquire the lock, some thread will eventually succeed (Liveness) - No starvation: Every thread that attempts to acquire the lock eventually succeeds (Liveness) - $\Box$ If $at(entry_i)$ , then eventually $at(CS_i)$ - $\hfill \square$ When $in(NCS_i)$ , thread i cannot block other threads from entering CS - ullet Assumption: if $in(CS_i)$ , then eventually $after(CS_i)$ 21 ### Critical Section: Like-to Lock (unless you do too) ``` Thread T_0 Thread T_1 while(!terminate) { in_0 := true await \neg in_1 await \neg in_0 CS_0 CS_1 exit_0 exit_1 NCS_0 NCS_1 } ``` ## Critical Section: Like-to Lock (unless you do too) ``` \begin{array}{cccc} \textbf{Thread T}_0 & \textbf{Thread T}_1 \\ \textbf{while(!terminate)} & \textbf{while(!terminate)} & \\ entry_0 & entry_1 \\ CS_0 & CS_1 \\ exit_0 & exit_1 \\ NCS_0 & NCS_1 \\ \end{pmatrix} ``` #### Critical Section: Like-to Lock (unless you do too) ``` \begin{array}{lll} & & & & & & \\ & \text{Thread T}_1 & & & & \\ & \text{while(!terminate)} \ \{ & & & & \\ & in_0 := true & & & & \\ & in_1 := true & \\ & & \text{while } (in_1) \ \ \{ \} & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & & \\ & & & \\ & & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & & & \\ & ``` ## Critical Section: Like-to Lock (unless you do too) # Thread $T_0$ Thread $T_1$ while(!terminate) { $in_0 := true$ $in_1 := true$ $await <math>\neg in_1$ $await <math>\neg in_0$ $CS_0$ $CS_1$ $exit_0$ $exit_1$ $NCS_0$ $NCS_1$ } ## Critical Section: Like-to Lock (unless you do too) ## Critical Section: Like-to Lock (unless you do too) ``` \begin{array}{lll} \textbf{Thread} \ \textbf{T}_0 & \textbf{Thread} \ \textbf{T}_1 \\ \\ \textbf{while}(!\mathsf{terminate}) \ \{ & & & & \\ in_0 := true \ \{in_0\} & & & \\ in_1 := true \ \{in_1\} \\ \\ \textbf{await} \ \neg in_1 \ \ \{in_0 \wedge \neg in_1\} & & \\ \textbf{await} \ \neg in_0 \ \ \{in_1 \wedge \neg in_0\} \\ \\ \textbf{CS}_0 & & & \\ \textbf{CS}_1 \\ \\ in_0 := false \ \{\neg in_0\} & & & \\ \textbf{NCS}_0 & & \\ \textbf{NCS}_1 \\ \\ \} & & \\ \end{pmatrix} \\ \\ \textbf{NCS}_0 & & \\ \textbf{NCS}_1 \\ \\ \} & \\ \\ \end{array} ``` #### Critical Section: Like-to Lock (unless you do too) # Once More unto the Breach: Taking Turns ``` egin{array}{ll} {\sf Thread} \ {\sf T_0} & {\sf Thread} \ {\sf T_1} \ in_0 := true & in_1 := true \ {\sf await} \ \lnot in_0 & {\sf await} \ \lnot in_0 \ \end{array} ``` The above condition for entering $CS_i$ is too strong: we weaken it by adding turns Even if $in_1$ , if it is $T_0$ 's turn, then $T_0$ is allowed to enter $CS_0$ Invariant I: $turn = 0 \lor turn = 1$ The new entry code then is ``` Thread T_0 in_0 := true await \lnot in_1 \lor (turn = 0) ``` Thread T $_1$ $in_1 := true$ await $\lnot in_0 \lor (turn = 1)$ #### Critical Section: Taking Turns ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` ## Critical Section: Taking Turns ``` Thread To Thread Ti while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} await \neg in_1 \lor (turn = 0) await \neg in_0 \lor (turn = 1) \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` #### Critical Section: Taking Turns ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_1 := true \{in_1 \land I\} in_0 := true \{in_0 \wedge I\} while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \land (\neg in_1 \lor turn = 0) \land I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` #### Interference Freedom **8** By executing $in_1 := true$ , $T_1$ can interfere on the truth of $T_0$ 's assertion! (and symmetrically for $T_0$ ) $\{pre(S)\}$ $\{P\}$ ``` \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} ``` In general, interference freedom requires to establish ``` \{pre(S) \land P\} \ S \ \{P\} ``` for all S in one thread and P in the other # Establishing Interference Freedom ``` \begin{array}{lll} \textbf{Thread T}_0 & \textbf{Thread T}_1 \\ \textbf{while}(!\mathsf{terminate}) \left\{ & \text{while}(!\mathsf{terminate}) \left\{ \\ in_0 := true \; \{in_0 \land I\} \; \checkmark & in_1 := true \; \{in_1 \land I\} \\ \end{array} \right. \\ \textbf{while} \left( in_1 \land turn \neq 0 \right); & \textbf{while} \left( in_0 \land turn \neq 1 \right); \\ \left\{ in_0 \land \left( \neg in_1 \lor turn = 0 \right) \land I \right\} \; \textbf{X} & \{in_1 \land \left( \neg in_0 \lor turn = 1 \right) \land I \} \\ CS_0 & CS_1 \\ in_0 := false \; \{ \neg in_0 \land I \} \; \checkmark & in_1 := false \; \{ \neg in_1 \land I \} \\ NCS_0 & NCS_1 \\ \} & \\ \end{array} ``` # Establishing Interference Freedom ``` Thread To Thread Ti while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0): while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` ## Establishing Interference Freedom ``` \begin{array}{lll} \textbf{Thread T}_0 & \textbf{Thread T}_1 \\ \textbf{while}(!\mathsf{terminate}) \ \{ & in_0 := true \ \{in_0 \land I\} \ \checkmark \ \end{array} \\ & \text{while}(!\mathsf{terminate}) \ \{ & in_1 := true \ \{in_1 \land I\} \ \end{array} \\ & \text{while} \ (in_1 \land turn \neq 0); \\ \{in_0 \land (\neg in_1 \lor turn = 0) \land I\} \ \checkmark \ \end{aligned} \\ & \text{while} \ (in_0 \land turn \neq 1); \\ \{in_1 \land (\neg in_0 \lor turn = 1) \land I\} \\ & CS_0 \\ & in_0 := false \ \{ \neg in_0 \land I\} \ \checkmark \ \end{aligned} \\ & CS_1 \\ & in_1 := false \ \{ \neg in_1 \land I\} \\ & NCS_0 \\ \} \\ & NCS_1 \\ \end{cases} ``` # Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_1 := true \{in_1 \wedge I\} /in_0 := true \{in_0 \wedge I\} turn = 1 \{in_0 \wedge I\} turn = 0 \qquad \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0): while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` # Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} fin_1 := true \{in_1 \wedge I\} turn = 1 \{in_0 \wedge I\} turn = 0 \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_1 := false \{ \neg in_1 \wedge I \} in_0 := false \{ \neg in_0 \wedge I \} NCS_0 NCS_1 ``` #### Taking stock - We solved the critical section problem, as long as we know how to execute multiple operations atomically - □ in other words, we can solve the CS problem as long as we can solve the CS problem... sigh... - besides, no machine instruction allows for those operations to execute atomically... - But what if we don't execute the entry code atomically? Where is the problem? ## Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { \stackrel{\mathsf{PCT}_{\mathfrak{l}}}{\longrightarrow} in_1 := true \; \{in_1 \wedge I\} \; No problem! in_0 := true \{in_0 \wedge I\} turn = 1 \{in_0 \wedge I\} turn = 0 \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 \overline{in_1 := false} \{ \neg in_1 \land \underline{I} \} in_0 := false \{ \neg in_0 \wedge I \} NCS_0 NCS_1 ``` # Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} turn = 1 \{in_0 \wedge I\} turn = 0 \{in_1 \wedge I\} • while (in_0 \land turn \neq 1); No problem! while (in_1 \wedge turn \neq 0): \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` ## Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} turn = 1 \{in_0 \land I\} extstyle ext while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0 \vee at(turn = 0)) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` # Establishing Interference Freedom ``` Thread To Thread Ti while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} extstyle{\mathsf{PC}_{\mathsf{T}_{\mathsf{i}}}} lacksymbol{turn} = 0 \quad \{in_1 \wedge I\} Problem! turn = 1 \{in_0 \wedge I\} while (in_1 \wedge turn \neq 0): while (in_0 \wedge turn \neq 1); \{in_1 \wedge (\neg in_0 \vee turn = 1) \wedge I\} \{in_0 \wedge (\neg in_1 \vee turn = 0) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` ## Establishing Interference Freedom ``` Thread To Thread T<sub>1</sub> while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} extstyle ext turn = 1 \{in_0 \wedge I\} while (in_1 \wedge turn \neq 0); while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0 \vee at(turn = 0)) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1 \vee at(turn = 1)) \wedge I\} CS_0 CS_1 in_1 := false \{ \neg in_1 \wedge I \} in_0 := false \{ \neg in_0 \wedge I \} NCS_0 NCS_1 ``` #### Peterson's Algorithm ``` Thread To Thread Ti while(!terminate) { while(!terminate) { in_0 := true \{in_0 \wedge I\} in_1 := true \{in_1 \wedge I\} turn = 1 \{in_0 \wedge I\} turn = 0 \{in_1 \wedge I\} while (in_1 \wedge turn \neq 0): while (in_0 \wedge turn \neq 1); \{in_0 \wedge (\neg in_1 \vee turn = 0 \vee at(turn = 0)) \wedge I\} \{in_1 \wedge (\neg in_0 \vee turn = 1 \vee at(turn = 1)) \wedge I\} CS_0 CS_1 in_0 := false \{ \neg in_0 \wedge I \} in_1 := false \{ \neg in_1 \wedge I \} NCS_0 NCS_1 ``` #### Peterson: Non-blocking ``` while(!terminate) { while(!terminate) { \{R_1: \neg in_0 \land (turn = 1 \lor turn = 0)\} in_0 = true in_1 := true \{R_2: in_0 \wedge (turn = 1 \vee turn = 0)\} \{S_2: in_1 \wedge (turn = 1 \vee turn = 0)\} \alpha_0 turn = 1 \alpha_1 \ turn := 0 \{R_2\} \{S_2\} \underline{\mathsf{T}_1}'s PC while (in_0 \wedge turn \neq 1); while (in_1 \wedge turn \neq 0): \{R_3: in_0 \wedge (\neg in_1 \vee turn = 0 \vee at(\alpha_1))\} \{S_3: in_1 \wedge (\neg in_0 \vee turn = 1 \vee at(\alpha_0))\} CS_0 CS_1 \{R_3\} \{S_3\} in_0 = false in_1 = false \{R_1\} \{S_1\} To's PC NCS_0 NCS_1 Blocking Scenario: To before NCSo, To stuck at while loop R_1 \wedge S_2 \wedge in_0 \wedge (turn = 0) = \neg in_0 \wedge in_1 \wedge in_0 \wedge (turn = 0) = false ``` #### Peterson's Algorithm: Safety #### Peterson: Deadlock-free ``` while(!terminate) { while(!terminate) { \{R_1: \neg in_0 \land (turn = 1 \lor turn = 0)\} \{S_1: \neg in_1 \land (turn = 1 \lor turn = 0)\} \overline{in_0} = \overline{true} in_1 := true \{R_2: in_0 \wedge (turn = 1 \vee turn = 0)\} \{S_2: in_1 \wedge (turn = 1 \vee turn = 0)\} \alpha_0 turn = 1 \alpha_1 \ turn := 0 \{R_2\} \{S_2\} T_0's PC while (in_1 \wedge turn \neq 0); T<sub>1</sub>'s PC while (in_0 \wedge turn \neq 1); \{R_3: in_0 \wedge (\neg in_1 \vee turn = 0 \vee at(\alpha_1))\} \{S_3: in_1 \wedge (\neg in_0 \vee turn = 1 \vee at(\alpha_0))\} CS_0 \{R_3\} \{S_3\} in_0 = false in_1 = false \{R_1\} NCS_0 NCS_1 Blocking Scenario: To and To at the while loop, before entering critical section R_2 \wedge S_2 \wedge in_1 \wedge (turn = 1) \wedge in_0 \wedge (turn = 0) \Rightarrow (turn = 0) \wedge (turn = 1) = false ```