1 / 31

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs. Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv. An Axiomatic Proof Technique for Parallel Programs. Owicky & Gries. Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6. Interference.

tad-higgins
Download Presentation

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Programming Language SemanticsRely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv

  2. An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

  3. Interference • A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if: • {q  pre(T) } T {q} • For any command c’ inside c with a precondition pre(c’) • {pre(c’)  pre(T) } T {pre(c’)} • {p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free if for every i j and for every assignment in T in ci does not interfere with {pj} cj {qj}

  4. Parallel Composition Rule {p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk} {p1p2 …pk} cobegin c1 || c2 || …|| ck coend {q1q2…  qk} {p1}q1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free

  5. Limitations of the Owicky & Griesproof rules • Checking interference can be hard • Non-compositionality • Until you finished the local proofs cannot check interference • A non-standard meaning of Hoare triples • Depends on the interference of other threads with the proof • Proofs need to be saved • Hard to handle libraries and missing code • Soundness is non-trivial • Completeness depends on auxiliary variables

  6. Commands as relations • It is convenient to view the meaning of commands as relations between pre-states and post-states • In {p} C {Q} • p is a one state predicate • Q is a two-state predicate • Example • {true} x := x + 1 {x= x + 1}

  7. Global Reasoning {x 0} x := x + 1; y := 1 {x >0} {x 0} x := x + 2; y := 2 {x >0} {x 0} x := x + 200; y := 200 {x >0} …  

  8. Rely/Guarantee Reasoning {x0} • x0 0 •  • x1 x0 • x2 = x1+7  y2 = y1 • x3 x2 •  • x4 = x3  y4=7 •  • x5 x4  x := x + 7; y:=7 {x  x} {x>0} x5 >0 

  9. Rely/Guarantee Reasoning(2) {x0} x := x + 7; y:=7 {x>0} {x  x}  x =x+7 y=y  x  x x =x y=7  x  x

  10. {Q} {Q} Hoare vs. Rely/Guarantee Reasoning {P} c {Q} {P} c {P} G G G c R* R* R*

  11. The rest of the lecture • Operations on relations • (Informal) Semantics of Rely/Guarantee • A sound Rely/Guarantee inference rules

  12. p(, ) =p() p(, ) =p() A single state predicate p is preserved by a two-state relation R if p R p , : p() R(, ) p() From one- to two-state relations

  13. Operations on Relations • (P;Q)(, )=:P(, ) Q(, ) • ID(, )= (=) • R*=IDR (R;R) (R;R;R) … 

  14. Formulas • ID(x) = (x = x) • ID(p) =(pp) • Preserve (p)= pp

  15. Informal Semantics • c(p, R, G, Q) • For every state  such that p: • Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that (, )  Q • The execution of every atomic sub-command of c on any possible intermediate state satisfies G • c[p, R, G, Q] • For every state  such that p: • Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that (, )  Q • The execution of every atomic sub-command of c on any possible intermediate state satisfies G

  16. A Formal Semantics • Let cR denotes the set of quadruples <1, 2, 3, 4 > s.t. that when c executes on 1 with potential interferences by R it yields an intermediate state 2 followed by an intermediate state 3 and a final state 4 • as usual 4= when c does not terminate • cR = {<1, 2, 3, 4> :  : <1, >  R  ( <com, >* 2  2 =3=4   ’, c’: <c, >* <c’, ’>  ( ((2= 12 = )  (3 =  3=’)  4= ) <’, 2, 3, 4 >  c’R) • c(p, R, G, Q) • For every <1, 2, 3 , 4 >  cR such that 1p • < 2, 3>  G • If 4 : <1, 4 >  Q

  17. Simple Examples • X := X + 1  (true, X=X, X =X+1X=X, X =X+1) • X := X + 1  (X 0, X X, X>0 X=X, X>0) • X := X + 1 ; Y := Y + 1  (X 0Y 0, X X  YY, G, X>0 Y>0)

  18. A Realistic Example ES=eventopM+1  even(i)  l: (even(l)  0<l<i) x(l)0  eventopM x(eventop)>0 Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end{k M+1 (l: 1 l <k  x(l) 0)  (k Mx(k)>0)} OS=oddtopM+1  odd(j)  l: (odd(l)  0<l<j) x(l)0  oddtopM x(oddtop)>0

  19. Inference Rules • Define c  (p, R, G, Q) by structural induction on c • Soundness • If c  (p, R, G, Q) then c  (p, R, G, Q)

  20. (Atomic) atomic {c}  (p, preserve(p), QID, Q) Atomic Command {p} c {Q}

  21. (Critical) await b then c  (p, preserve(p), QID, Q) Conditional Critical Section {pb} c {Q}

  22. (SEQ) c1 ; c2 (p1, R, G, (Q1; R*; Q2)) Sequential Composition c1(p1, R, G, Q1) c2(p2, R, G, Q2) Q1 p2

  23. (IF) if atomic {b} then c1 else c2 (p, R, G, Q) Conditionals c1(p b1, R, G, Q) p b  R* b1 c2(p b2, R, G, Q) p b  R* b2

  24. (WHILE) while atomic {b} do c  (j, R, G, b j) Loops c (j b1, R, G, j) j b  R* b1 R  Preserve(j)

  25. (REFINE) c  (p’, R’, G’, Q’) Refinement c (p, R, G, Q) p’  p Q Q’ R’  R G  G’

  26. (PAR) c1 || c2 (p1 p1, (R1R2), (G1G2), Q) where Q= (Q1 ; (R1R2)*; Q2) (Q2 ; (R1R2)*; Q1) Parallel Composition c1(p1, R1, G1, Q1) c2(p2, R2, G2, Q2) G1 R2 G2 R1

  27. A Realistic Example ES=eventopM+1  even(i)  l: (even(l)  0<l<i) x(l)0  eventopM x(eventop)>0 Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end{k M+1 (l: 1 l <k  x(l) 0)  (k Mx(k)>0)} OS=oddtopM+1  odd(j)  l: (odd(l)  0<l<j) x(l)0  oddtopM x(oddtop)>0

  28. EvenSearch||OddSearch (ES OS, RE RO, GEGO, ES OS imin(et, ot) jmin(et, ot)) (PAR) EvenSearch (ES, RE , GE, ES imin(et, ot)) (WHILE) (IF) if (x(i) >0) … (ESi<et), RE , GE, ES) OddSearch (OS, RO , GO, OSjmin(et, ot)) ES i<min(et, ot)RE* i<et REPreserve(ES) ES i<et)) x(i) >0 RE* x(i) >0 ES i < et  x(i) 0 RE* x(i) 0 et :=i (ESi <et) x(i) >0, RE , GE, ES) i :=i+2 (ESi< et) x(i) 0, RE , GE, ES) RE=i =iototet =et GE=j =jetet  ot =ot RO=GE Go=RE

  29. Auxiliary in Owicky-Gries • {X = Y} X := X + 1 || Y := Y+1 • {X=Y}

  30. Issues in R/G • Total correctness is trickier • Restrict the structure of the proofs • Sometimes global proofs are preferable • Many design choices • Transitivity and Reflexivity of Rely/Guarantee • No standard set of rules • Suitable for designs

  31. Summary • Reasoning about concurrent programs is difficult • Oweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure • The use of auxiliary variables can make proofs difficult • Can have difficulties with fine-grained concurrency • Benign dataraces • Rely/Guarantee style allows more elegant/general reasoning • Compositional • Local • Adapts to the complexity of the proof • Soundness is simple • Naturally handles libraries and missing code

More Related