





#### The problem

- $N \ge 2$  threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

## **Algorithm** Mutex

repeat

non-critical section

critical section



#### The problem

- $N \ge 2$  threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

#### **Properties**

- Mutual exclusion
- Deadlock freedom
- Starvation freedom

## **Algorithm** Mutex

## repeat

non-critical section
entry protocol
critical section
exit protocol



#### The problem

- N > 2 threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

#### **Properties**

- Mutual exclusion
   No two threads in critical section simultaneously
- Deadlock freedom
- Starvation freedom

# repeat non-critical section entry protocol ri → critical section exit protocol



#### The problem

- N > 2 threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

#### **Properties**

- Mutual exclusion
   No two threads in critical section simultaneously
- Starvation freedom

## **Algorithm** Mutex

repeat

non-critical section

 $T_i \rightarrow entry\ protocol$  critical section exit protocol



#### The problem

- N > 2 threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

#### **Properties**

- Mutual exclusion
   No two threads in critical section simultaneously
- Starvation freedom  $T_i$  leaves non-critical section  $\to$  eventually  $T_i$  enters critical section

## **Algorithm** Mutex

## repeat

 $T_i$  non-critical section entry protocol critical section exit protocol



#### The problem

- N > 2 threads, code divided in *critical* and *non-critical* sections
- Leaving non-critical section is optional

#### **Properties**

- Mutual exclusion
  - No two threads in critical section simultaneously
- Deadlock freedom
  - $T_i$  in entry protocol  $\rightarrow$  eventually  $T_j$  enters critical section
- Starvation freedom
  - $T_i$  leaves non-critical section ightarrow eventually  $T_i$  enters critical section

# Algorithm Mutex

## repeat

non-critical section
entry protocol
critical section
exit protocol



Goal: verify many mutual exclusion algorithms



Goal: verify many mutual exclusion algorithms

Method: model checking with mCRL2

- Model algorithms and environment in process-algebra
- ullet Capture properties in modal  $\mu$ -calculus



Goal: verify many mutual exclusion algorithms

Method: model checking with mCRL2

- Model algorithms and environment in process-algebra
- Capture properties in modal  $\mu$ -calculus

Abstraction leads to unrealistic executions  $\rightarrow$  must disregard



Goal: verify many mutual exclusion algorithms

Method: model checking with mCRL2

- Model algorithms and environment in process-algebra
- Capture properties in modal  $\mu$ -calculus

Abstraction leads to unrealistic executions  $\rightarrow$  must disregard Which?



Goal: verify many mutual exclusion algorithms

Method: model checking with mCRL2

- Model algorithms and environment in process-algebra
- Capture properties in modal  $\mu$ -calculus

Abstraction leads to unrealistic executions  $\rightarrow$  must disregard Which?

Example: starvation freedom violation of Dekker's algorithm



10:  $flag[0] \leftarrow 0$ 

## **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** flag[1] = 1 **do** if turn = 1 then $flag[0] \leftarrow 0$ 5: await turn = 0 $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$

```
flag[0] = 0

flag[1] = 0

turn = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
 4: if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
             flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



# **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** f[ag[1] = 1 do]if turn = 1 then $flag[0] \leftarrow 0$ 5: await turn = 0 $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$ 10: $flag[0] \leftarrow 0$

```
flag[0] = 0

flag[1] = 0

turn = 1
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
 4: if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
             flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



# **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** flag[1] = 1 **do** if turn = 1 then $flag[0] \leftarrow 0$ 5: await turn = 0 $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$ 10: $flag[0] \leftarrow 0$

```
flag[0] = 0
flag[1] = 0
turn = 1
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
 4: if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
             flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

Is this execution realistic?



Is this execution realistic?
It depends on our *memory model* 



Is this execution realistic?
It depends on our *memory model* 

Goal: verify many mutual exclusion algorithms under 6 different memory models





Memory: only read/write registers



Memory: only read/write registers Memory model

- Operations *blocking* each other
- Register behaviour when operations overlap



Memory: only read/write registers Memory model

- Operations *blocking* each other
- Register behaviour when operations overlap
- weak memory models, caching, operation reordering, etc.



Memory: only read/write registers Memory model

- Operations *blocking* each other
- Register behaviour when operations overlap
- weak memory models, caching, operation reordering, etc.







Original problem assumes *atomicity*: operations cannot overlap





Original problem assumes *atomicity*: operations cannot overlap Operations have *duration* 





Original problem assumes *atomicity*: operations cannot overlap Operations have *duration*Duration + no overlap = operations *block* each other





4 reasonable views on blocking

1.

2.

3.

4



- 4 reasonable views on blocking
  - 1.
  - 2.
  - 3
  - 4. Atomicity assumption: no overlap at all





- 4 reasonable views on blocking
  - 1.
  - 2.
  - 3
  - 4. Blocking reads and writes





- 4 reasonable views on blocking
  - 1. Drop the atomicity assumption: all overlap allowed
  - 2.
  - 3.
  - 4. Blocking reads and writes





- 4 reasonable views on blocking
  - 1. Non-blocking reads and writes
  - 2.
  - 3.
  - 4. Blocking reads and writes





- 4 reasonable views on blocking
  - 1. Non-blocking reads and writes
  - 2. Writes cannot overlap anything + prioritize writes
  - 3. Writes cannot overlap anything
  - 4. Blocking reads and writes





- 4 reasonable views on blocking
  - 1. Non-blocking reads and writes
  - 2. Blocking writes and non-blocking reads
  - 3. Blocking model with concurrent reads
  - 4. Blocking reads and writes





- 4 reasonable views on blocking
  - 1. Non-blocking reads and writes
  - 2. Blocking writes and non-blocking reads
  - 3. Blocking model with concurrent reads
  - 4. Blocking reads and writes



# Memory models - blocking

#### 4 reasonable views on blocking

- 1. Non-blocking reads and writes
- 2. Blocking writes and non-blocking reads
- 3. Blocking model with concurrent reads
- 4. Blocking reads and writes

|   | r block $r'$ ? | r block $w$ ? | w block $r$ ? | $w$ block $w^\prime$ ? |
|---|----------------|---------------|---------------|------------------------|
| 1 | X              | X             | X             | X                      |
| 2 | X              | X             | ✓             | ✓                      |
| 3 | X              | ✓             | ✓             | ✓                      |
| 4 | ✓              | ✓             | ✓             | $\checkmark$           |





Behaviour in case of overlap

Based on Lamport's work

safe registers regular registers atomic registers



Behaviour in case of overlap

- Based on Lamport's work
- Only overlapping writes matter

non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes





Behaviour in case of overlap

- Based on Lamport's work
- Only overlapping writes matter

non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes





non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes



safe registers regular registers atomic registers



non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes



Capture in two dimensions:



non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes



#### Capture in two dimensions:

Register types via models

# Process-Algebraic Models of Multi-Writer Multi-Reader Non-Atomic Registers

Myrthe S. C. Spronck 

□

□

Eindhoven University of Technology, The Netherlands

Bas Luttik ⊠ ©

Eindhoven University of Technology, The Netherlands

#### — Abstract

We present process-algebraic models of multi-writer multi-reader safe, regular and atomic registers. We establish the relationship between our models and alternative versions presented in the literature. We use our models to formally analyse by model checking to what extent several well-known mutual exclusion algorithms are robust for relaxed atomicity requirements. Our analyses refute correctness



non-blocking reads and writes blocking writes and non-blocking reads blocking model with concurrent reads blocking reads and writes



safe registers regular registers atomic registers

### Capture in two dimensions:

- Register types via models
- Blocking behaviour via formulas



Leverage the *justness* assumption Completeness criteria: disregard "incomplete" executions



Leverage the justness assumption

Completeness criteria: disregard "incomplete" executions

Justness: an enabled event must eventually occur or be "interfered with"



Leverage the justness assumption

Completeness criteria: disregard "incomplete" executions

Justness: an enabled event must eventually occur or be "interfered with"





Leverage the justness assumption

Completeness criteria: disregard "incomplete" executions

Justness: an enabled event must eventually occur or be "interfered with"



Depends on a *concurrency relation* •

- Encodes knowledge of real system
- Interference given by  $\checkmark$



Leverage the *justness* assumption

Completeness criteria: disregard "incomplete" executions

Justness: an enabled event must eventually occur or be "interfered with"



Depends on a concurrency relation -

- Encodes knowledge of real system
- Interference ≈ blocking





|   | $r$ block $r^\prime$ ? | r block $w$ ? | $w \operatorname{block} r$ ? | $w$ block $w^\prime$ ? |
|---|------------------------|---------------|------------------------------|------------------------|
| 1 | Х                      | Х             | Х                            | Х                      |
| 2 | X                      | X             | ✓                            | ✓                      |
| 3 | X                      | ✓             | ✓                            | ✓                      |
| 4 | ✓                      | ✓             | ✓                            | ✓                      |



|   | $r' \not \sim r$ ? | $w \not - r$ ? | $r \not - w$ ? | $w' \not - w$ ? |
|---|--------------------|----------------|----------------|-----------------|
| 1 | X                  | X              | Х              | Х               |
| 2 | X                  | X              | ✓              | ✓               |
| 3 | X                  | ✓              | ✓              | ✓               |
| 4 | 1                  | ✓              | ✓              | ✓               |



|   | $r' \not \sim r$ ? | $w \not - r$ ? | $r \not - w$ ? | $w' \not - w$ ? |
|---|--------------------|----------------|----------------|-----------------|
| 1 | X                  | Х              | Х              | X               |
| 2 | X                  | X              | ✓              | ✓               |
| 3 | X                  | ✓              | ✓              | ✓               |
| 4 | 1                  | ✓              | ✓              | ✓               |

Incorporate justness + concurrency relations into formulas



|   | $r' \not \sim r$ ? | $w \not - r$ ? | $r \not - w$ ? | $w' \not \rightharpoonup w$ ? |
|---|--------------------|----------------|----------------|-------------------------------|
| 1 | X                  | Х              | X              | Х                             |
| 2 | X                  | X              | ✓              | ✓                             |
| 3 | X                  | ✓              | ✓              | ✓                             |
| 4 | 1                  | ✓              | ✓              | ✓                             |

### Incorporate justness + concurrency relations into formulas

# Progress, Justness and Fairness in Modal $\mu$ -Calculus Formulae

Myrthe S. C. Spronck 

□

Eindhoven University of Technology. The Netherlands

Bas Luttik ⊠ ©

Eindhoven University of Technology, The Netherlands

Tim A. C. Willemse ⊠ ©

Eindhoven University of Technology, The Netherlands





| Algorithm  | # threads | Safe Regular |              | Atomic     |           |           |           |  |
|------------|-----------|--------------|--------------|------------|-----------|-----------|-----------|--|
| Algorithin |           | $igcup_1$    | $\smile_1$   | $\smile_1$ | $ullet_2$ | $ullet_3$ | $ullet_4$ |  |
| :          | :         | ;            | :            | :          | :         | :         |           |  |
| Dekker     | 2         | M            | $\mathbf{M}$ | S          | D/S       | M         | M         |  |
| <u>:</u>   | :         | :            | :            | ÷          | :         | ÷         | :         |  |



| Algorithm | # threads | Safe Regular |              | Atomic    |           |           |           |  |
|-----------|-----------|--------------|--------------|-----------|-----------|-----------|-----------|--|
| Algorithm |           | $igcup_1$    | $ullet_1$    | $ullet_1$ | $ullet_2$ | $ullet_3$ | $ullet_4$ |  |
| :         | :         | :            | :            | :         | :         | :         | :         |  |
| Dekker    | 2         | M            | $\mathbf{M}$ | S         | D/S       | M         | M         |  |
| :         | :         | :            | :            | :         | ÷         | ÷         | :         |  |

### Starvation freedom counterexample

• Recall: repeated writes prevent read



| Algorithm   | # threads | Safe Regular |              | Atomic    |                       |              |              |  |
|-------------|-----------|--------------|--------------|-----------|-----------------------|--------------|--------------|--|
| Algoritiiii |           | $igcup_1$    | $ullet_1$    | $ullet_1$ | $oldsymbol{\smile}_2$ | $ullet_3$    | $ullet_4$    |  |
|             | :         | ;            | :            | :         | :_                    | :            | :            |  |
| Dekker      | 2         | M            | $\mathbf{M}$ | S         | D/S                   | $\mathbf{M}$ | $\mathbf{M}$ |  |
| <u> </u>    | :         | :            | :            | ÷         | :                     | ÷            | <u>:</u>     |  |

### Starvation freedom counterexample

- Recall: repeated writes prevent read
- Easily fixed



### **Results - full**

| A long with to me         | // +/     | Safe                  | Regular               |                      | Ato                  | mic                  |                      |
|---------------------------|-----------|-----------------------|-----------------------|----------------------|----------------------|----------------------|----------------------|
| Algorithm                 | # threads | $oldsymbol{\smile}_1$ | $oldsymbol{\smile}_1$ | $oldsymbol{\circ}_1$ | $oldsymbol{\circ}_2$ | $oldsymbol{\circ}_3$ | $oldsymbol{\circ}_4$ |
| Anderson                  | 2         | S                     | S                     | S                    | S                    | M                    | M                    |
| Aravind BLRU              | 3         | S                     | S                     | S                    | M/S                  | $\mathbf{M}$         | M                    |
| Attiya-Welch (orig.)      | 2         | D/S                   | S                     | S                    | D                    | $\mathbf{M}$         | $\mathbf{M}$         |
| Attiya-Welch (var.)       | 2         | M/S                   | M/S                   | S                    | D                    | $\mathbf{M}$         | M                    |
| Burns-Lynch               | 3         | D                     | D                     | D                    | D                    | M                    | M                    |
| Dekker                    | 2         | M                     | M                     | S                    | D/S                  | M                    | M                    |
| Dekker RW-safe            | 2         | S                     | S                     | S                    | D                    | $\mathbf{M}$         | $\mathbf{M}$         |
| Dekker RW-safe (DFtoSF)   | 2         | S                     | S                     | S                    | S                    | $\mathbf{M}$         | M                    |
| Dijkstra                  | 3         | M                     | D                     | D                    | $\mathbf{M}$         | $\mathbf{M}$         | M                    |
| Kessels                   | 2         | X                     | X                     | S                    | S                    | M                    | M                    |
| Knuth                     | 3         | M                     | S                     | S                    | $\mathbf{M}$         | $\mathbf{M}$         | M                    |
| Lamport 1-bit             | 3         | D                     | D                     | D                    | D                    | $\mathbf{M}$         | M                    |
| Lamport 1-bit (DFtoSF)    | 3         | S                     | S                     | S                    | S                    | M                    | M                    |
| Lamport 3-bit             | 3         | S                     | S                     | S                    | S                    | M                    | M                    |
| Peterson                  | 2         | X                     | X                     | S                    | S                    | $\mathbf{M}$         | M                    |
| Szymanski flag (int.)     | 3         | X                     | X                     | S                    | S                    | $\mathbf{M}$         | M                    |
| Szymanski flag (bit)      | 3         | X                     | X                     | X                    | X                    | X                    | X                    |
| Szymanski 3-bit lin. wait | 3/2       | X/S                   | X/S                   | X/S                  | X/S                  | X/M                  | X/M                  |



# **Conclusion**



### **Conclusion**

#### Contributions

- 4 blocking behaviours captured
- Many mutual exclusion algorithms verified
  - 3 properties
  - 6 memory models



### **Conclusion**

#### Contributions

- 4 blocking behaviours captured
- Many mutual exclusion algorithms verified
  - 3 properties
  - 6 memory models

#### Future work

- Other properties, e.g. bounded bypass
- Impact of busy waiting
- Arbitrary numbers of threads?







- Reads interfere with writes
- Observation made previously
- In short: repeated reads prevent communicating interest



- Reads interfere with writes
- Observation made previously
- In short: repeated reads prevent communicating interest





- Reads interfere with writes
- Observation made previously
- In short: repeated reads prevent communicating interest





- Reads interfere with writes
- Observation made previously
- In short: repeated reads prevent communicating interest





- Reads interfere with writes
- Observation made previously
- In short: repeated reads prevent communicating interest





Deadlock freedom always observed to be violated with I and A

- Might not be impossible
- Busy waiting often to blame



Deadlock freedom always observed to be violated with I and A

- Might not be impossible
- Busy waiting often to blame
- Both stuck in entry or one stuck in exit

### Algorithm Peterson's algorithm

- 1:  $flag[i] \leftarrow true$
- 2:  $turn \leftarrow i$
- 3: **await**  $flag[j] = false \lor turn = j$
- 4: critical section
- 5:  $flag[i] \leftarrow false$



Deadlock freedom always observed to be violated with I and A

- Might not be impossible
- Busy waiting often to blame
- Both stuck in entry or one stuck in exit

### Algorithm Peterson's algorithm

- 1:  $flag[i] \leftarrow true$
- 2:  $\underline{turn \leftarrow i}$
- 3: **await**  $flag[j] = false \lor turn = j$
- 4: critical section
- 5:  $flag[i] \leftarrow false$



# (Im)possibility of liveness

Deadlock freedom always observed to be violated with I and A

- Might not be impossible
- Busy waiting often to blame
- Both stuck in entry or one stuck in exit

#### Algorithm Peterson's algorithm

- 1:  $flag[i] \leftarrow true$
- 2:  $turn \leftarrow i$
- 3: **await**  $flag[j] = false \lor turn = j$
- 4: critical section
- 5:  $flag[i] \leftarrow false$





Dekker with safe-T: M

#### **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** flag[1] = 1 **do** if turn = 1 then 4: $flag[0] \leftarrow 0$ 5: await turn = 06: $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$ 10: $flag[0] \leftarrow 0$

```
flag[0] = 0

flag[1] = 0

turn = 0
```

```
Algorithm Dekker's for T_1
```

```
1: non-critical section

2: flag[1] \leftarrow 1

3: while flag[0] = 1 do

4: if turn = 0 then

5: flag[1] \leftarrow 0

6: await turn = 1

7: flag[1] \leftarrow 1

8: critical section
```

9:  $turn \leftarrow 0$ 

10:  $flag[1] \leftarrow 0$ 

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = 1flag[1] = 0turn = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
 4: if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
             flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while f[ag[1] = 1 \text{ do}]
         if turn = 1 then
              flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
              flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = 1

flag[1] = 0

turn = 0
```

```
Algorithm Dekker's for T_1

1: non-critical section
2: flag[1] \leftarrow 1
```

```
3: while flag[0] = 1 do

4: if turn = 0 then

5: flag[1] \leftarrow 0

6: await turn = 1

7: flag[1] \leftarrow 1

8: critical section
```

- 9:  $turn \leftarrow 0$
- 10:  $flag[1] \leftarrow 0$



Dekker with safe-T: M

#### **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** flag[1] = 1 **do** if turn = 1 then 4: $flag[0] \leftarrow 0$ 5: await turn = 06: $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$ 10: $flag[0] \leftarrow 0$

```
flag[0] = 1
flag[1] = 0
  turn = 0
```

```
Algorithm Dekker's for T_1
```

```
1: non-critical section
2: flag[1] \leftarrow 1
3: while flag[0] = 1 do
4: if turn = 0 then
           flag[1] \leftarrow 0
            await turn = 1
            flag[1] \leftarrow 1
8: critical section
```

9: 
$$turn \leftarrow 0$$
  
10:  $flag[1] \leftarrow 0$ 



Dekker with safe-T: M

#### **Algorithm** Dekker's for $T_0$ 1: non-critical section 2: $flag[0] \leftarrow 1$ 3: **while** flag[1] = 1 **do** if turn = 1 then 4: $flag[0] \leftarrow 0$ 5: await turn = 06: $flag[0] \leftarrow 1$ 8: critical section 9: $turn \leftarrow 1$ 10: $flag[0] \leftarrow 0$

```
flag[0] = 1

flag[1] = 0

turn = 1
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
 4: if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
             flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
\begin{aligned} &\textit{flag}[0] = ?\\ &\textit{flag}[1] = 0\\ &\textit{turn} = 1 \\ &\text{new-old}\\ &\text{inversion}\\ &\text{old} = 1\\ &\text{new} = 0 \end{aligned}
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 1

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 1
new-old
inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 1

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 0
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 0
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 1
turn = 0

new-old inversion old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
              flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 0
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
        if turn = 0 then
              flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```

```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = ?
flag[1] = 0
turn = 0

new-old inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = 0
flag[1] = 0
turn = 0
new-old
inversion
old = 1
new = 0
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



```
Algorithm Dekker's for T_0
 1: non-critical section
 2: flag[0] \leftarrow 1
 3: while flag[1] = 1 do
         if turn = 1 then
 4:
             flag[0] \leftarrow 0
 5:
              await turn = 0
 6:
             flag[0] \leftarrow 1
 8: critical section
 9: turn \leftarrow 1
10: flag[0] \leftarrow 0
```

```
flag[0] = 0
flag[1] = 0
  turn = 0
 new-old
 inversion
  old = 1
 new = 0
  infinite
non-critical
```

```
Algorithm Dekker's for T_1
 1: non-critical section
 2: flag[1] \leftarrow 1
 3: while flag[0] = 1 do
       if turn = 0 then
             flag[1] \leftarrow 0
              await turn = 1
              flag[1] \leftarrow 1
 8: critical section
 9: turn \leftarrow 0
10: flag[1] \leftarrow 0
```



• Dekker with safe-T: M

RW-safe variant: S

Peter A. Buhr<sup>1,\*,†</sup>, David Dice<sup>2</sup> and Wim H. Hesselink<sup>3</sup>

<sup>1</sup>Cheriton School of Computer Science, University of Waterloo, Waterloo, ON, Canada
<sup>2</sup>Oracle Labs, Burlington, MA, USA
<sup>3</sup>Department of Computing Science, University of Groningen, 9700 AK Groningen, The Netherlands

#### SUMMARY

Dekker's algorithm was thought to be safe in an environment without atomic reads or writes where bits flicker or scramble during simultaneous operations. A counter-example is presented showing Dekker's algorithm is unsafe without atomic read. A modification to the original algorithm is presented making it RW-safe, allowing threaded systems to be built on low cost/power hardware without atomic read/write. Correctness is verified by means of invariants and UNITY logic. A performance comparison is made for several two-thread software mutual-exclusion algorithms to see if the RW-safe Dekker is competitive. A subset of the two-thread solutions are then compared in two N-thread tournament algorithms. The performance results show that the additional checks in the RW-safe Dekker do not disadvantage the algorithm in comparison with other two-thread algorithms. The RW-safe N-thread tournament algorithms are competitive with the hardware-assisted Mellor-Crummey and Scott algorithm. Convright © 2015 John Wiley & Sons, Ltd.





