
Formal Reasoning about Concurrent Assembly Code with Reentrant Locks



  1. Formal Reasoning about Concurrent Assembly Code with Reentrant Locks Ming Fu & Yu Zhang & Yong Li USTC 2009-7-31

  2. Outline • Motivation • Background on Concurrent Separation Logic (CSL) • The Framework for Reasoning About Reentrant Locks • Abstract Machine • Program Logic • Conclusion

  3. Motivation • Concurrency verification is challenging • Exponential state space caused by the interleaving of thread executions • Memory aliasing makes it harder to ensure non-interference • Reentrant locks • Allow a thread to re-acquire a lock that it already holds • Ease concurrent programming, but CSL cannot be applied to them directly


  5. Concurrent Separation Logic(CSL) • Assertions capture ownerships of resources • Cannot access resource without ownership • Shared resources are protected by critical regions (CRs) • Transfer of ownership at boundary of CR

  6. CSL assertions
  • emp: the empty heap
  • l ↦ n: a heap consisting of exactly one cell at address l whose contents are n
  • p ∗ q: the heap splits into two disjoint parts, one satisfying p and the other satisfying q

  7. Locks and Critical Regions
  • Lock-based critical regions (CR): the code between lock l … unlock l
  • Invariants about memory protected by locks: a map {l1 ↦ m1, …, ln ↦ mn} assigning each lock li a resource invariant mi

  8. Concurrent Separation Logic(CSL) To deal with non-reentrant locks, concurrent separation logic attaches resource invariants to locks: • Locks also own resources. • When a lock is acquired, it lends its resource invariant to the acquiring thread.

  9. CSL does not Support Reentrant Locks
  This rule does not support reentrant locks:
  {emp} lock l {I} lock l {I ∗ I} … Wrong!!
  The second lock l re-acquires a lock the thread already holds, yet the CSL rule hands out the invariant I a second time. I ∗ I asserts two disjoint copies of the same protected memory, which is unsatisfiable: the resource has been double-counted.


  11. Abstract Machine
  • (World) W ::= (H, [T1, …, Tn], L)
  • (Data Heap) H: memory cells 0, 1, 2, …
  • (Code Heap) C ::= {f ↦ i}*, mapping code labels f to instructions
  • (InstrSeq) I: instruction sequences built from lock l, lw, sw, unlock l, j f, …
  • (Threads) Ti = (Ri, pci, ti): a (Register File) R = r1 r2 r3 … rn, a program counter and a thread id
  • (LockMap) L: l1 … ln ↦ (u, n), with (Owner) u := t, a thread id, and (ReentrantLevel) n := nat

  12. Operational Semantics for Reentrant Locks
  • Acquiring lock l by thread tid:
  • l is not in the domain of L: initial acquisition; L is extended with l ↦ (tid, 1)
  • l is in the domain of L and held by the current thread tid: tid re-acquires a lock it holds; the reentrancy level is incremented
  • l is held by another thread: tid blocks
  • Releasing Lock:
  • ….

  13. The Rule for Acquiring Reentrant Lock • Two cases in the unified rule LOCK: • First acquisition: the resource invariant m is obtained • Reentrant acquisition: the resource invariant m is not obtained again

  14. The Rule for Releasing Reentrant Lock • Two cases in the unified rule UNLOCK: • Releasing lock l when l’s reentrancy level = 1: l’s resource invariant is abandoned • Releasing lock l when l’s reentrancy level > 1: the level is decremented and the invariant is not abandoned
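The following is an added example, not code from the paper or its Coq development. It is an executable model of the lock map L (lock ↦ (owner, reentrancy level)) with the acquire/release transitions of slide 12 and the resource accounting of the unified LOCK/UNLOCK rules of slides 13 and 14, placed next to the naive CSL rule of slide 9 so the double-counting of I ∗ I is visible. Lock names "l1" and invariant names "m1" are constructed inputs; the class and function names are the example's own.

```python
# Added example (not from the paper or its Coq development): an executable model
# of the slides' lock map L and the resource accounting of the LOCK/UNLOCK rules.
# Lock/invariant names used in the demo below are constructed inputs.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class Blocked(Exception):
    """Acquire of a lock held by another thread: the thread cannot step now."""


class Stuck(Exception):
    """No transition applies, e.g. releasing a lock the thread does not hold."""


@dataclass
class World:
    # LockMap L: lock name -> (owner thread id u, reentrancy level n >= 1).
    # A lock absent from the map is free.
    lockmap: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    # Lock -> resource invariant m protecting the memory behind that lock.
    gamma: Dict[str, str] = field(default_factory=dict)
    # Per-thread assertion: the invariants the thread currently owns, kept as a
    # list so that a duplicated invariant (I * I) stays visible.
    owned: Dict[int, List[str]] = field(default_factory=dict)


def acquire(w: World, tid: int, l: str) -> bool:
    """Unified LOCK rule. Returns True when the invariant is obtained (first
    acquisition), False when the thread merely re-enters a lock it holds."""
    if l not in w.lockmap:                      # case 1: l free, initial acquisition
        w.lockmap[l] = (tid, 1)
        w.owned.setdefault(tid, []).append(w.gamma[l])
        return True
    owner, n = w.lockmap[l]
    if owner == tid:                            # case 2: re-acquire a held lock
        w.lockmap[l] = (tid, n + 1)             # level++, no second copy of m
        return False
    raise Blocked(f"thread {tid} blocks on {l}, held by thread {owner}")  # case 3


def release(w: World, tid: int, l: str) -> bool:
    """Unified UNLOCK rule. Returns True when the invariant is handed back to the
    lock (level was 1), False when only the level is decremented."""
    if l not in w.lockmap or w.lockmap[l][0] != tid:
        raise Stuck(f"thread {tid} releases {l}, which it does not hold")
    _, n = w.lockmap[l]
    if n == 1:
        del w.lockmap[l]
        w.owned[tid].remove(w.gamma[l])         # invariant abandoned
        return True
    w.lockmap[l] = (tid, n - 1)                 # invariant kept
    return False


def naive_csl_acquire(w: World, tid: int, l: str) -> None:
    """The non-reentrant CSL rule of slide 9 applied to a reentrant lock: every
    `lock l` lends the invariant, so acquiring twice yields I * I."""
    owner, n = w.lockmap.get(l, (tid, 0))
    if owner != tid:
        raise Blocked(f"thread {tid} blocks on {l}, held by thread {owner}")
    w.lockmap[l] = (tid, n + 1)
    w.owned.setdefault(tid, []).append(w.gamma[l])


def assertion_consistent(w: World, tid: int) -> bool:
    """p * q requires disjoint heaps, so a thread owning two copies of the same
    invariant holds an unsatisfiable assertion."""
    res = w.owned.get(tid, [])
    return len(res) == len(set(res))


if __name__ == "__main__":
    good = World(gamma={"l1": "m1"})
    acquire(good, 1, "l1"); acquire(good, 1, "l1")
    print("unified LOCK twice :", good.lockmap, good.owned, assertion_consistent(good, 1))
    bad = World(gamma={"l1": "m1"})
    naive_csl_acquire(bad, 1, "l1"); naive_csl_acquire(bad, 1, "l1")
    print("naive CSL twice    :", bad.lockmap, bad.owned, assertion_consistent(bad, 1))
```

Running the demo shows the two acquisitions leaving the unified model with level 2 and a single copy of m1, whereas the naive rule leaves the thread asserting m1 ∗ m1, which `assertion_consistent` rejects; releasing then walks the level back down and returns the invariant to the lock only at the last unlock.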

  15. Soundness • The logic guarantees non-stuckness and partial correctness of verified programs with respect to their specifications

  16. Conclusion • Extending CAP to build an abstract machine that models the behavior of reentrant locks • Adapting CSL to obtain a program logic for reasoning about reentrant locks • The system is fully mechanized and its soundness has been verified in Coq

  17. Thanks & Questions

  18. Ongoing and Future Work • Reasoning about reentrant read-write locks • Merging the lock map space with the data heap and reasoning about storable locks • Verifying the correctness of implementations of lock-based software transactional memory
