520 likes | 624 Views
Oracle Semantics for Concurrent Separation Logic. Aquinas Hobor Joint work with Andrew Appel & Francesco Zappa Nardelli. Goal. We want to add concurrency to large , realistic systems in a provably correct, modular way Those systems may already exist in a sequential
E N D
Oracle Semantics for Concurrent Separation Logic Aquinas Hobor Joint work with Andrew Appel & Francesco Zappa Nardelli
Goal We want to add concurrency to large, realistic systems in a provably correct, modular way Those systems may already exist in a sequential form; we would like to re-use existing code and machine-checked proofs wherever possible The key is to isolate the sequential and concurrent reasoning from each other.
Leroy, 2006 CompCert Project Sequential Source Program (C minor) Sequential C minor Operational Semantics Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy
Leroy, 2006 CompCert Project Sequential Source Program (C minor) Sequential C minor Operational Semantics What is relationship here? Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy
Appel & Blazy, 2007 • Separation Logic for C minor Sequential Source Program (C minor) Axiomatic Semantics (Separation Logic) Sequential C minor Operational Semantics Program Verification Soundness Proof Compiler Correctness Proof CompCert Compiler Sequential PowerPC Operational Semantics Sequential Target Program (Power PC) Sequential Translation Correctness Guarantee User Leroy Appel & Blazy
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Additions to C minor language We add five new statements: lock elock a lock unlock eunlock a lock makelocke Rturn an address into a lock freelockerestore an address fork e el start a new thread
Additions to C minor language We add five new statements: lock elock a lock unlock eunlock a lock makelocke R turn an address into a lock freelockerestore an address fork e el start a new thread Resource Invariant – Describes what resources a thread acquires on lock and relinquishes on unlock
Shallow Embedding Our invariants are semantic and shallowly embedded in both the syntax of programs and Coq: we avoid the POPLmark Quagmire The shallow embedding means that our invariants are easy to use and reason about in Coq, and can be freely shared between code (in makelock) and proof To enable this behavior, a more complex semantic model for invariants was required
Modularity Principle Sequential Features Concurrent Features s1 ; s2 if e then s1 else s2 while e do s break n (x1, …, xn) := e (e1, …, em) return (e1, …, en) x := e [e1] := e2 Skip … lock e unlock e fork e (e1, …, en) makelock e R freelock e …
Modularity Principle Sequential Features Concurrent Features s1 ; s2 if e then s1 else s2 while e do s break n (x1, …, xn) := e (e1, …, em) return (e1, …, en) x := e [e1] := e2 Skip … lock e unlock e fork e (e1, …, en) makelock e R freelock e … Connection Easy – Just Syntax
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Modularity Principle Sequential Reasoning Concurrent Reasoning Sequential Separation Logic Soundness Sequential Compiler Correctness Type Systems … Concurrent Separation Logic Soundness Concurrent Compiler Correctness Synchronization …
Modularity Principle Sequential Reasoning Concurrent Reasoning Sequential Separation Logic Soundness Sequential Compiler Correctness Type Systems … Concurrent Separation Logic Soundness Concurrent Compiler Correctness Synchronization … Insert Magic Here
How is it done? Key: only consider well-synchronized programs • Mutual exclusion via Dijkstra Semaphores • Data-race free Our operational semantics gets stuck on ill-synchronized programs
Changes to Pure Sequential Semantics C minor small-step sequential semantics step relation: (1, 1) ↦ (2, 2) = (ρ, m) is a control stack World-aware C minor sequential semantics step relation: (1, 1) ↦ (2, 2) = (ρ, w, m) w is a map from addresses to ownerships
Ownerships Basic ownerships: | NONE | VAL (data) | LOCK of invariant (invariant comes from makelock) Get stuck if you use memory without ownership Thread worlds are disjoint – at any time, only one thread can access each address Sequential instructions and proofs ignore LOCK
Concurrent Operational Semantics Concurrent C minor step relation (1, K1, m1, G1) ⇒ (2, K2, m2, G2) is scheduler K is thread list (ρ1, w1, 1) :: (ρ2, w2, 2) :: … m is memory G is global world – owner of unlocked locks To execute a sequential instruction, use the world-aware sequential step relation
Concurrent Instructions • The concurrent step executes concurrent instructions directly • Updates memory at the lock instruction • Maintains thread list • Transfers world between threads and global pool • unlock: world transferred to global pool • lock: world transferred from global pool
Space Thread A Thread B Global World w1 w wR w2 w3 Time Memory unlock 𝓁 w2 w1 w wR w3 Memory lock 𝓁 w1 w wR w2 w3 Memory wR is the unique world that satisfies l’’s lock invariant
Coroutine Interleaving Executes sequentially without interleaving Interleave when we get to concurrent operation Key: we have well-synchronized programs
Not Computable (ρ, wlock, m) ⊩l⇝ P (ρ, wlock, m) ⊩ ⊳P m(l) = 0 m’ = [l↦ 1] m w’ wlock = w G wlock = G’ Ki = (ρ, w, (unlock l) • ) K’ = [i -> (ρ, w’, )] K (i :: , K, m, G) ⇒ (, K’, m’, G’) Key: Does not prevent compilation! Unlock
Reasoning About Concurrency Most of the time, concurrent programs are executing sequential code Proofs about sequential features are hard enough We don’t want to add the extra complexity of concurrency when reasoning about sequential code Idea: why can’t we just pretend it is sequential?
Sequential Reasoning x := x + 1 [y] := 2 lock l a := [x]
Sequential Reasoning (1, 1) • (2, 2) • (3, 3) STUCK x := x + 1 [y] := 2 lock l a := [x] ↦ ↦
Oracular Reasoning (1, 1) • (2, 2) • (3, 3) STUCK (o1, 1, 1) • (o1, 2, 2) • (o1, 3, 3) • (o2, 4, 4) • (o2, 5, 5) x := x + 1 [y] := 2 lock l a := [x] ↦ ↦ ↦ ↦ ↦ ↦
Oracular Composition An oracle o is (, K, G) is the scheduler K is the other threads G is the global world The oracle simulates running all of the other threads until the scheduler returns control to this thread
Soundness of Oracular Reasoning Theorem (connection of oracle and concurrent semantics) If a thread executes in a certain way on the oracular machine, then it executes in the same way when executing in the concurrent machine
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
CSL 1.0 by O’Hearn, 2006 Concurrent Separation Logic 2.0 Extension of separation logic to handle concurrency Includes all of typical the rules of separation logic Associate with each lock an invariant R l⇝ R ≡ l is a lock with invariant R Rules for concurrent operations {l⇝ R} lock l {(l⇝ R) * R} {(l⇝ R) * R} unlock l {l⇝ R} Programs proved in CSL are well-synchronized! Separation Logic Concurrent Separation Logic
Space Thread A Thread B Thread C FB FA 𝓁⇝ R R Time w1 w wR w2 w3 Memory lock 𝓁 unlock 𝓁 FA 𝓁⇝ R R FB w1 w wR w2 w3 Memory {𝓁 ⇝ R} lock 𝓁 {(𝓁 ⇝ R) ∗ R} {FA∗ (𝓁 ⇝ R)} lock 𝓁 {FA∗ (𝓁 ⇝ R) ∗ R} (lock rule) (frame rule)
Difficulties in modeling lock even lock even 100 l23 124 101 Invariants need to be able to refer to other invariants • Example: 50 ⇝∃l2. ((51 ↦ l2) ∗ (l2⇝ (∃x.l2+1 ↦ 2*x)
Difficulties in modeling lock pointer lock even lock even 100 l23 50 124 51 101 Invariants need to be able to refer to other invariants • Example: 50 ⇝∃l2. ((51 ↦ l2) ∗ (l2⇝ (∃x.l2+1 ↦ 2*x))) Nested Invariants are Difficult to Model
A modal substructural logic When a logical proposition describes when and where another logical proposition holds, we have a modal logic To build a semantic model of the modal logic, we will use the “very modal model” of Appel, Melliès, Richards, & Vouillon Unlike in that work, where it was sufficient to have only modal relationships, we also need to describe spatial properties, leading to a modal substructural logic
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Changes Required for Concurrency Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Exploit Oracle Step Axioms of sequential separation logic areprovedbymachine checked proofs of Appel & Blazywith only minor modification The additional axioms added by ConcurrentSeparation Logic are able to ignore the difficulties of sequential control flow and focus on the truly concurrent behavior Separation Logic Appel & Blazy Concurrent Separation Logic Hobor, Appel, Zappa Nardelli
Status of Machine Checked Proofs “As expected, it took longer than expected” - Hobor, Appel, Zappa Nardelli About 58k lines of proof script at the moment “Building such scripts is surprisingly addictive, in a videogame kind of way…” - Xavier Leroy
Status of Machine Checked Proofs Definition of the Concurrent Machine Definition of the Oracular Machine Definition of Hoare Tuple Sequential Separation Logic Rules Concurrent S.L. Rules Oracular Soundness Done Done Done Done 90% Done (Unlock) 90% Done (Fork)
Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Future Work Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Concurrent C minor Project Concurrent Source Program (C minor) Axiomatic Semantics (Concurrent Separation Logic) Concurrent C minor Operational Semantics Program Verification Soundness Proof Concurrency-Aware Compiler Correctness Proof Concurrency-Aware CompCert Compiler Concurrent PowerPC Operational Semantics Concurrent Target Program (Power PC) Concurrent Translation Correctness Guarantee User Future Work This paper (Hobor, Appel, & Zappa Nardelli)
Modularity Troubles Sequential Step Concurrent Step Convenient for sequential reasoning But… Gets stuck on concurrent instructions: impossible for concurrent reasoning! Convenient for concurrent reasoning But… Inconvenient for sequential reasoning: too messy! Dependency: Concurrent Step Built from Sequential Step
What we want Oracular Step Concurrent Step Convenient for sequential reasoning And Easy to access Concurrent Step for concurrent reasoning! Convenient for concurrent reasoning And We do not have to use it for sequential reasoning Dependency: Oracular Step Built from Concurrent Step