1 / 45

An Axiomatic Proof Technique for Parallel Programs

An Axiomatic Proof Technique for Parallel Programs. Susan Owicki & David Gries Presented by Omer Katz Seminar in Distributed Algorithms Spring 2013 29/04/13. What’s next?. What are we trying to do? The sequential solution The parallel solution Interference freedom Auxiliary variables

zofia
Download Presentation

An Axiomatic Proof Technique for Parallel Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Axiomatic Proof Technique for Parallel Programs Susan Owicki & David Gries Presented by Omer Katz Seminar in Distributed Algorithms Spring 2013 29/04/13

  2. What’s next? • What are we trying to do? • The sequential solution • The parallel solution • Interference freedom • Auxiliary variables • Examples • Cooperation with other synchronization tools • If given enough time • Deadlocks • Termination

  3. The problem • We want to prove correctness of parallel programs • Most existing methods rely on informal arguments • Not accurate enough • We would like to formally prove correctness and other properties • Preferably statically

  4. Hoare (1969) • Hoare presented a simple deductive system • Used to describe variable and program states during execution. • Used for proving properties of sequential programs. • Originally meant to be verified by compilers

  5. Partial correctness VS.total correctness • We only deal with partial correctness • The program is correct only if it terminates • Total correctness will be dealt with later • Termination • Deadlocks& Blocking

  6. Notation and Declarations • P, Q = assertions • S = statement • If P was true prior to execution of S, then Q is true after execution. • If a is true than b is also true.

  7. Notation and Declarations • Null statements:

  8. Notation and Declarations • Assignments: • is formed by replacing every appearance of in with . if then and we get

  9. Notation and Declarations • Alternation:

  10. Notation and Declarations • Iteration:

  11. Notation and Declarations • Composition:

  12. Notation and Declarations • Consequence:

  13. Sequential Example • We want to prove • Assume we already know:

  14. Sequential Example

  15. Proof Outline • The previous proofcan be written as:

  16. Extension for parallel programs • We need to introduce new statements: • Statements will be executed in parallel. • statement finishes only after all statements have finished. • may not contain any or statements. • can be used to make any action indivisible

  17. Extension for parallel programs • We need to introduce new statements: • Used by Gries to prove correctness of Dijkstra’s on-the-fly garbage collector

  18. Assumptions • We do not assume anything regarding processing speed • We require that all assignments be executed and all expression be evaluated as an indivisible action • Not necessary if every expression in the program may refer to at most one shared variable and at most once • Only required indivisible action is memory access • All following examples will adhere to this convention • (similarly for assignments)

  19. Interference • Let’s examine two programs: • If we try to run them in parallel: • We cannot guarantee the post-condition.

  20. Interference • Given a proof for a program and a statement with precondition , does not interfere with if: • Execution of won’t change the outcome • such that is not within an statement, • Execution of will not prevent execution of the rest of

  21. Interference • are interference free if: • is an statement or an statement (not in an ) • does not interfere with • Redefine as:

  22. Proving a parallel program • When proving correctness of a program we will start by proving each thread sequentially. • We will then show that each thread does not interfere with another thread’s prove • Interfere = invalidate the prove

  23. Proving a parallel program • We will prove the following program: • We will do so by loosening the assertions

  24. Proving a parallel program

  25. Proving a parallel program • All that is left is to show interference freedom • We need to verify:

  26. Proving a parallel program

  27. Proving a parallel program

  28. Auxiliary Variables • Consider the following program: • Can we prove ?

  29. Auxiliary Variables • {x=0} The processes are not interference free Not the required result

  30. Auxiliary Variables • Now consider the following proof outline? • Can we prove that this is correct? • If this proof outline is correct we can prove invalid statements • in this case we will get

  31. Auxiliary Variables • A variable that is only in assignments is an Auxiliary Variable • Let AV be the set of Auxiliary Variables in the program • If is obtained from by deleting all the assignment to variables in AV then

  32. Auxiliary Variables • Consider the following program: • This program has the same behavior as with the auxiliary variables

  33. Auxiliary Variables

  34. Another Example - Descriptrion • A parallel program for finding the 1st item in an array which is greater than 0.

  35. Another Example – Proof Outline 1

  36. Another Example – Proof Outline 2

  37. Another Example - Proof • To prove the correctness of the program we need to: • Separately check each thread (evensearch & oddsearch) sequentially • Verify interference freedom between the threads • We will show that oddsearch does not interfere with evensearch • (the complementary  argument is similar)

  38. Another Example - Proof • No need to check all possible statements in oddsearch • Enough the check only assignments of oddsearch that change a shared variable • The only suitable statement is • No need to check all possible statements in evensearch • Enough the check only assertions of evensearch affected by the change of a shared variable • The only suitable assertion is

  39. Another Example - Proof • Need to show that: • is part of • Therefore • We conclude that the assertion holds!

  40. Synchronization Mechanism • The deductive system presented is flexible enough to handle other existing parallel programming tools • Semaphores • Mutual exclusion • The tools can be converted to assertions and verified

  41. Synchronization Mechanism • Semaphores • Obtain a semaphore: • Release a semaphore:

  42. Synchronization Mechanism • Mutual Exclusion • We introduce another statement to the system: • is the resource on which we want mutual exclusion ( and same as in the staement) • The assertion (invariant of , if exists) is appended to the assertions of

  43. Conclusion • a strong versatile deductive system for parallel program verification • Few assumptions on the system and/or program • The main ideas: • Start by verifying the sequential case and than check that parallel execution doesn’t invalidate the proof • Sometimes we might need to loosen our assertions to be able to prove them • In some cases we might need to add auxiliary variables to a program in order to verify it

  44. References • An Axiomatic Proof Technique for Parallel Programs • Susan Owicky & David Gries, 1976 • Verifying Properties of Parallel Programs: An axiomatic Approach • Susan Owicky & David Gries, 1976 • An Axiomatic Basis for Computer Programming • C. A. R. Hoare, 1969 • An Exercise in Proving Parallel Programs Correct • David Gries, 1977 • Verification of Sequential and Concurrent Programs • Krzysztof R. Apt, Frank S. de Boer, Ernst-RudigerOldberog3rd edition, 2010

  45. Questions?

More Related