programming language semantics rely/guarantee reasoning parallel programs tal lev-ami viktor...
Post on 19-Dec-2015
222 Views
Preview:
TRANSCRIPT
Programming Language Semantics
Rely/Guarantee Reasoning Parallel Programs
Tal Lev-Ami
Viktor Vafeiadis
Mooly Sagiv
An Axiomatic Proof Technique for Parallel Programs
Owicky & Gries
Verification of Sequential and Concurrent Programs
Apt & Oldrog
Chapters 4-6
Interference
• A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if:– {q pre(T) } T {q}– For any command c’ inside c with a precondition
pre(c’)• {pre(c’) pre(T) } T {pre(c’)}
• {p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free if for every i j and for every assignment in T in ci does not interfere with {pj} cj {qj}
Parallel Composition Rule
{p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk}
{p1 p2 … pk} cobegin c1 || c2 || …|| ck coend {q1 q2 … qk}
{p1}q1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free
Limitations of the Owicky & Griesproof rules
• Checking interference can be hard– Non-compositionality
• Until you finished the local proofs cannot check interference
• A non-standard meaning of Hoare triples– Depends on the interference of other threads with the
proof– Proofs need to be saved– Hard to handle libraries and missing code– Soundness is non-trivial
• Completeness depends on auxiliary variables
Commands as relations
• It is convenient to view the meaning of commands as relations between pre-states and post-states
• In {p} C {Q}– p is a one state predicate– Q is a two-state predicate
• Example– {true} x := x + 1 {x= x + 1}
Global Reasoning
{x 0}
x := x + 1;
y := 1
{x >0}
{x 0}
x := x + 2;
y := 2
{x >0}
{x 0}
x := x + 200;
y := 200
{x >0}
…
x0 0
x1 x0
x2 = x1+7 y2 = y1
x3 x2
x4 = x3 y4=7
x5 x4
Rely/Guarantee Reasoning
{x x} x := x + 7;
y:=7
x5 >0
{x0}
{x>0}
The rest of the lecture
• Operations on relations
• (Informal) Semantics of Rely/Guarantee
• A sound Rely/Guarantee inference rules
From one- to two-state relations
• p(, ) =p()
• p(, ) =p()
• A single state predicate p is preserved by a two-state relation R if– p R p , : p() R(, ) p()
Informal Semantics
• c (p, R, G, Q)– For every state such that p:
• Every execution of c on state with (potential) interventions which satisfy R results in a state such that (, ) Q
• The execution of every atomic sub-command of c on any possible intermediate state satisfies G
• c [p, R, G, Q]– For every state such that p:
• Every execution of c on state with (potential) interventions which satisfy R must terminate in a state such that (, ) Q
• The execution of every atomic sub-command of c on any possible intermediate state satisfies G
A Formal Semantics
• Let cR denotes the set of quadruples <1, 2, 3, 4 > s.t. that when c executes on 1 with potential interferences by R it yields an intermediate state 2 followed by an intermediate state 3 and a final state 4
– as usual 4= when c does not terminate cR = {<1, 2, 3, 4> : : <1, > R
( <com, >* 2 2 = 3= 4 ’, c’: <c, >* <c’, ’ > ( ((2= 1 2 = ) (3 = 3=’) 4= ) <’, 2, 3, 4 > c’R)
• c (p, R, G, Q) – For every <1, 2, 3 , 4 > cR such that 1 p
• < 2, 3> G• If 4 : <1, 4 > Q
Simple Examples
• X := X + 1 (true, X=X, X =X+1X=X, X =X+1)
• X := X + 1 (X 0, X X, X>0 X=X, X>0)
• X := X + 1 ; Y := Y + 1 (X 0Y 0, X X Y Y, G, X>0 Y>0)
A Realistic ExampleFindpos: begin
initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1;
search: cobegin
Evensearch: while i < min(oddtop, eventop) do
if (x(i) > 0) then eventop := i
else i := i + 2;
|| Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2;
coendk := min(eventop, oddtop)end {k M+1 (l: 1 l <k x(l) 0) (k M x(k)>0)}
ES=eventopM+1
even(i)
l: (even(l) 0<l<i) x(l)0
eventopM x(eventop)>0
OS=oddtopM+1
odd(j)
l: (odd(l) 0<l<j) x(l)0
oddtopM x(oddtop)>0
Inference Rules
• Define c (p, R, G, Q) by structural induction on c
• Soundness– If c (p, R, G, Q) then c (p, R, G, Q)
Sequential Compositionc1 (p1, R, G, Q1)
c1 ; c2 (p1, R, G, (Q1; R*; Q2))
(SEQ)
c2 (p2, R, G, Q2)
Q1 p2
Conditionals
c1 (p b1, R, G, Q) p b R* b1
if atomic {b} then c1 else c2 (p, R, G, Q)
(IF)
c2 (p b2, R, G, Q) p b R* b2
Parallel Compositionc1 (p1, R1, G1, Q1)
c1 || c2 (p1 p1, (R1 R2), (G1 G2), Q)
where Q= (Q1 ; (R1R2)*; Q2) (Q2 ; (R1R2)*; Q1)
(PAR)
c2 (p2, R2, G2, Q2)
G1 R2
G2 R1
A Realistic ExampleFindpos: begin
initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1;
search: cobegin
Evensearch: while i < min(oddtop, eventop) do
if (x(i) > 0) then eventop := i
else i := i + 2;
|| Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2;
coendk := min(eventop, oddtop)end {k M+1 (l: 1 l <k x(l) 0) (k M x(k)>0)}
ES=eventopM+1
even(i)
l: (even(l) 0<l<i) x(l)0
eventopM x(eventop)>0
OS=oddtopM+1
odd(j)
l: (odd(l) 0<l<j) x(l)0
oddtopM x(oddtop)>0
OddSearch (OS, RO , GO, OSjmin(et, ot))
RE=i =i ototet =et GE=j =j etet ot =ot
RE Preserve(ES)
et :=i (ESi <et) x(i) >0 , RE , GE,
ES)
i :=i+2 (ESi< et) x(i) 0 , RE , GE, ES)
ES i<et)) x(i) >0 RE* x(i) >0 ES i < et x(i) 0 RE* x(i) 0
if (x(i) >0) … (ESi<et) , RE , GE, ES) (IF)
EvenSearch (ES, RE , GE, ES imin(et, ot))
(WHILE)
Go=RERO=GE
EvenSearch||OddSearch (ES OS, RE RO, GEGO, ES OS imin(et, ot) jmin(et, ot))
(PAR)
ES i<min(et, ot) RE* i<et
Issues in R/G
• Total correctness is trickier
• Restrict the structure of the proofs– Sometimes global proofs are preferable
• Many design choices– Transitivity and Reflexivity of Rely/Guarantee– No standard set of rules
• Suitable for designs
Summary
• Reasoning about concurrent programs is difficult• Oweeki-Gries suggest to carefully design the sequential
proofs to simplify the proof procedure– The use of auxiliary variables can make proofs difficult– Can have difficulties with fine-grained concurrency
• Benign dataraces
• Rely/Guarantee style allows more elegant/general reasoning– Compositional– Local– Adapts to the complexity of the proof– Soundness is simple– Naturally handles libraries and missing code
top related