1 / 52

Oracle Semantics for Concurrent Separation Logic

Oracle Semantics for Concurrent Separation Logic. Aquinas Hobor Joint work with Andrew Appel & Francesco Zappa Nardelli. Goal. We want to add concurrency to large , realistic systems in a provably correct, modular way Those systems may already exist in a sequential

traci
Download Presentation

Oracle Semantics for Concurrent Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Oracle Semantics for Concurrent Separation Logic Aquinas Hobor Joint work with Andrew Appel & Francesco Zappa Nardelli

  2. Goal We want to add concurrency to large, realistic systems in a provably correct, modular way Those systems may already exist in a sequential form; we would like to re-use existing code and machine-checked proofs wherever possible The key is to isolate the sequential and concurrent reasoning from each other.

  3. Leroy, 2006 CompCert Project Sequential Source Program (C minor) Sequential C minor Operational Semantics Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy

  4. Leroy, 2006 CompCert Project Sequential Source Program (C minor) Sequential C minor Operational Semantics What is relationship here? Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy

  5. Appel & Blazy, 2007 • Separation Logic for C minor Sequential Source Program (C minor) Axiomatic Semantics (Separation Logic) Sequential C minor Operational Semantics Program Verification Soundness Proof Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy Appel & Blazy

  6. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  7. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  8. Additions to C minor language We add five new statements: lock elock a lock unlock eunlock a lock makelocke Rturn an address into a lock freelockerestore an address fork e el start a new thread

  9. Additions to C minor language We add five new statements: lock elock a lock unlock eunlock a lock makelocke R turn an address into a lock freelockerestore an address fork e el start a new thread Resource Invariant – Describes what resources a thread acquires on lock and relinquishes on unlock

  10. Shallow Embedding Our invariants are semantic and shallowly embedded in both the syntax of programs and Coq: we avoid the POPLmark Quagmire The shallow embedding means that our invariants are easy to use and reason about in Coq, and can be freely shared between code (in makelock) and proof To enable this behavior, a more complex semantic model for invariants was required

  11. Modularity Principle Sequential Features Concurrent Features s1 ; s2 if e then s1 else s2 while e do s break n (x1, …, xn) := e (e1, …, em) return (e1, …, en) x := e [e1] := e2 Skip … lock e unlock e fork e (e1, …, en) makelock e R freelock e …

  12. Modularity Principle Sequential Features Concurrent Features s1 ; s2 if e then s1 else s2 while e do s break n (x1, …, xn) := e (e1, …, em) return (e1, …, en) x := e [e1] := e2 Skip … lock e unlock e fork e (e1, …, en) makelock e R freelock e … Connection Easy – Just Syntax

  13. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  14. Modularity Principle Sequential Reasoning Concurrent Reasoning Sequential Separation Logic Soundness Sequential Compiler Correctness Type Systems … Concurrent Separation Logic Soundness Concurrent Compiler Correctness Synchronization …

  15. Modularity Principle Sequential Reasoning Concurrent Reasoning Sequential Separation Logic Soundness Sequential Compiler Correctness Type Systems … Concurrent Separation Logic Soundness Concurrent Compiler Correctness Synchronization … Insert Magic Here

  16. How is it done? Key: only consider well-synchronized programs • Mutual exclusion via Dijkstra Semaphores • Data-race free Our operational semantics gets stuck on ill-synchronized programs

  17. Changes to Pure Sequential Semantics C minor small-step sequential semantics step relation: (1, 1) ↦ (2, 2)  = (ρ, m)  is a control stack World-aware C minor sequential semantics step relation: (1, 1) ↦ (2, 2)  = (ρ, w, m) w is a map from addresses to ownerships

  18. Ownerships Basic ownerships: | NONE | VAL (data) | LOCK of invariant (invariant comes from makelock) Get stuck if you use memory without ownership Thread worlds are disjoint – at any time, only one thread can access each address Sequential instructions and proofs ignore LOCK

  19. Concurrent Operational Semantics Concurrent C minor step relation (1, K1, m1, G1) ⇒ (2, K2, m2, G2)  is scheduler K is thread list (ρ1, w1, 1) :: (ρ2, w2, 2) :: … m is memory G is global world – owner of unlocked locks To execute a sequential instruction, use the world-aware sequential step relation

  20. Concurrent Instructions • The concurrent step executes concurrent instructions directly • Updates memory at the lock instruction • Maintains thread list • Transfers world between threads and global pool • unlock: world transferred to global pool • lock: world transferred from global pool

  21. Space Thread A Thread B Global World w1 w wR w2 w3 Time Memory unlock 𝓁 w2 w1 w wR w3 Memory lock 𝓁 w1 w wR w2 w3 Memory wR is the unique world that satisfies l’’s lock invariant

  22. Coroutine Interleaving Executes sequentially without interleaving Interleave when we get to concurrent operation Key: we have well-synchronized programs

  23. Not Computable (ρ, wlock, m) ⊩l⇝ P (ρ, wlock, m) ⊩ ⊳P m(l) = 0 m’ = [l↦ 1] m w’ wlock = w G wlock = G’ Ki = (ρ, w, (unlock l) • ) K’ = [i -> (ρ, w’, )] K (i :: , K, m, G) ⇒ (, K’, m’, G’) Key: Does not prevent compilation! Unlock

  24. Reasoning About Concurrency Most of the time, concurrent programs are executing sequential code Proofs about sequential features are hard enough We don’t want to add the extra complexity of concurrency when reasoning about sequential code Idea: why can’t we just pretend it is sequential?

  25. Sequential Reasoning x := x + 1 [y] := 2 lock l a := [x]

  26. Sequential Reasoning (1, 1) • (2, 2) • (3, 3) STUCK x := x + 1 [y] := 2 lock l a := [x] ↦ ↦

  27. Oracular Reasoning (1, 1) • (2, 2) • (3, 3) STUCK (o1, 1, 1) • (o1, 2, 2) • (o1, 3, 3) • (o2, 4, 4) • (o2, 5, 5) x := x + 1 [y] := 2 lock l a := [x] ↦ ↦ ↦ ↦ ↦ ↦

  28. Oracular Composition An oracle o is (, K, G)  is the scheduler K is the other threads G is the global world The oracle simulates running all of the other threads until the scheduler returns control to this thread

  29. Soundness of Oracular Reasoning Theorem (connection of oracle and concurrent semantics) If a thread executes in a certain way on the oracular machine, then it executes in the same way when executing in the concurrent machine

  30. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  31. CSL 1.0 by O’Hearn, 2006 Concurrent Separation Logic 2.0 Extension of separation logic to handle concurrency Includes all of typical the rules of separation logic Associate with each lock an invariant R l⇝ R ≡ l is a lock with invariant R Rules for concurrent operations {l⇝ R} lock l {(l⇝ R) * R} {(l⇝ R) * R} unlock l {l⇝ R} Programs proved in CSL are well-synchronized! Separation Logic Concurrent Separation Logic

  32. Space Thread A Thread B Thread C FB FA 𝓁⇝ R R Time w1 w wR w2 w3 Memory lock 𝓁 unlock 𝓁 FA 𝓁⇝ R R FB w1 w wR w2 w3 Memory {𝓁 ⇝ R} lock 𝓁 {(𝓁 ⇝ R) ∗ R} {FA∗ (𝓁 ⇝ R)} lock 𝓁 {FA∗ (𝓁 ⇝ R) ∗ R} (lock rule) (frame rule)

  33. Difficulties in modeling lock even lock even 100 l23 124 101 Invariants need to be able to refer to other invariants • Example: 50 ⇝∃l2. ((51 ↦ l2) ∗ (l2⇝ (∃x.l2+1 ↦ 2*x)

  34. Difficulties in modeling lock pointer lock even lock even 100 l23 50 124 51 101 Invariants need to be able to refer to other invariants • Example: 50 ⇝∃l2. ((51 ↦ l2) ∗ (l2⇝ (∃x.l2+1 ↦ 2*x))) Nested Invariants are Difficult to Model

  35. A modal substructural logic When a logical proposition describes when and where another logical proposition holds, we have a modal logic To build a semantic model of the modal logic, we will use the “very modal model” of Appel, Melliès, Richards, & Vouillon Unlike in that work, where it was sufficient to have only modal relationships, we also need to describe spatial properties, leading to a modal substructural logic

  36. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  37. Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  38. Exploit Oracle Step Axioms of sequential separation logic areprovedbymachine checked proofs of Appel & Blazywith only minor modification The additional axioms added by ConcurrentSeparation Logic are able to ignore the difficulties of sequential control flow and focus on the truly concurrent behavior Separation Logic Appel & Blazy Concurrent Separation Logic Hobor, Appel, Zappa Nardelli

  39. Status of Machine Checked Proofs “As expected, it took longer than expected” - Hobor, Appel, Zappa Nardelli About 58k lines of proof script at the moment “Building such scripts is surprisingly addictive, in a videogame kind of way…” - Xavier Leroy

  40. Status of Machine Checked Proofs Definition of the Concurrent Machine Definition of the Oracular Machine Definition of Hoare Tuple Sequential Separation Logic Rules Concurrent S.L. Rules Oracular Soundness Done Done Done Done 90% Done (Unlock) 90% Done (Fork)

  41. Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  42. Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  43. Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  44. Concurrent C minor Project Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)

  45. Questions?

  46. Modularity Troubles Sequential Step Concurrent Step Convenient for sequential reasoning But… Gets stuck on concurrent instructions: impossible for concurrent reasoning! Convenient for concurrent reasoning But… Inconvenient for sequential reasoning: too messy! Dependency: Concurrent Step Built from Sequential Step

  47. What we want Oracular Step Concurrent Step Convenient for sequential reasoning And Easy to access Concurrent Step for concurrent reasoning! Convenient for concurrent reasoning And We do not have to use it for sequential reasoning Dependency: Oracular Step Built from Concurrent Step

More Related