Programming Language Semantics: Rely/Guarantee Reasoning for Parallel Programs (PowerPoint presentation transcript)
1
Programming Language Semantics: Rely/Guarantee Reasoning for Parallel Programs
Tal Lev-Ami, Viktor Vafeiadis, Mooly Sagiv
2
An Axiomatic Proof Technique for Parallel Programs
  • Owicki-Gries
  • Verification of Sequential and Concurrent Programs, Apt & Olderog, Chapters 4-6
3
Interference
  • A command T with precondition pre(T) does not interfere with the proof of {p} c {q} if
    • {q ∧ pre(T)} T {q}, and
    • for every command c' inside c with precondition pre(c'): {pre(c') ∧ pre(T)} T {pre(c')}
  • {p1} c1 {q1}, {p2} c2 {q2}, ..., {pk} ck {qk} are interference free if for every i ≠ j, every assignment T in ci does not interfere with {pj} cj {qj}

4
Parallel Composition Rule
  {p1} c1 {q1}, {p2} c2 {q2}, ..., {pk} ck {qk}
  {p1} c1 {q1}, {p2} c2 {q2}, ..., {pk} ck {qk} are interference free
  ---------------------------------------------------------------------------------
  {p1 ∧ p2 ∧ ... ∧ pk} cobegin c1 || c2 || ... || ck coend {q1 ∧ q2 ∧ ... ∧ qk}
5
Limitations of the Owicki-Gries proof rules
  • Checking interference can be hard
  • Non-compositionality: interference cannot be checked until the local proofs are finished
  • A non-standard meaning of Hoare triples: a local proof is only valid relative to the interference of the other threads with it
  • Proofs need to be saved
  • Hard to handle libraries and missing code
  • Soundness is non-trivial
  • Completeness depends on auxiliary variables

6
Commands as relations
  • It is convenient to view the meaning of commands as relations between pre-states and post-states
  • In {p} C {Q}
    • p is a one-state predicate
    • Q is a two-state predicate (x denotes the value in the pre-state, x' the value in the post-state)
  • Example: {true} x := x + 1 {x' = x + 1}

7
Global Reasoning
  {x ≥ 0} x := x + 1 || y := 1 {x > 0}
  {x ≥ 0} x := x + 2 || y := 2 {x > 0}
  {x ≥ 0} x := x + 200 || y := 200 {x > 0}
  ...
8
Rely/Guarantee Reasoning
  {x ≥ 0} x := x + 7 || y := 7 {x > 0}, with rely x' ≥ x
  A trace alternating environment steps (each satisfying the rely) with the program's own steps:
  • x0 ≥ 0
  • x1 ≥ x0 (environment step)
  • x2 = x1 + 7 ∧ y2 = y1 (x := x + 7)
  • x3 ≥ x2 (environment step)
  • x4 = x3 ∧ y4 = 7 (y := 7)
  • x5 ≥ x4 (environment step)
  • hence x5 > 0
9
Rely/Guarantee Reasoning (2)
  {x ≥ 0} x := x + 7 || y := 7 {x > 0}, with rely x' ≥ x
  The guarantee of each component implies the rely the other component assumes:
  x' = x + 7 ∧ y' = y ⇒ x' ≥ x
  x' = x ∧ y' = 7 ⇒ x' ≥ x
10
Hoare vs. Rely/Guarantee Reasoning
  [Figure: the Hoare triple {P} c {Q} beside the rely/guarantee view of c, in which c starts in P, the environment's steps satisfy R, every step of c satisfies G, and c ends in Q]
11
The rest of the lecture
  • Operations on relations
  • (Informal) semantics of rely/guarantee
  • Sound rely/guarantee inference rules

12
From one- to two-state relations
  • p(σ, σ') ≡ p(σ)
  • p'(σ, σ') ≡ p(σ')
  • A single-state predicate p is preserved by a two-state relation R if
    • p ∧ R ⇒ p'
    • ∀σ, σ'. p(σ) ∧ R(σ, σ') ⇒ p(σ')

13
Operations on Relations
  • (P;Q)(σ, σ') ≡ ∃σ''. P(σ, σ'') ∧ Q(σ'', σ')
  • ID(σ, σ') ≡ (σ = σ')
  • R* ≡ ID ∨ R ∨ (R;R) ∨ (R;R;R) ∨ ...

14
Formulas
  • ID(x) ≡ (x' = x)
  • ID(p) ≡ (p ⇔ p')
  • Preserve(p) ≡ p ⇒ p'

15
Informal Semantics
  • c ⊨ (p, R, G, Q) (partial correctness)
    • For every state σ such that σ ⊨ p
    • every execution of c on state σ with (potential) interventions which satisfy R results in a state σ' such that (σ, σ') ∈ Q
    • the execution of every atomic sub-command of c on any possible intermediate state satisfies G
  • c ⊨ [p, R, G, Q] (total correctness)
    • For every state σ such that σ ⊨ p
    • every execution of c on state σ with (potential) interventions which satisfy R must terminate in a state σ' such that (σ, σ') ∈ Q
    • the execution of every atomic sub-command of c on any possible intermediate state satisfies G

16
A Formal Semantics
  • Let ⟦c⟧R denote the set of quadruples ⟨σ1, σ2, σ3, σ4⟩ such that when c executes on σ1 with potential interference by R it yields an intermediate state σ2 followed by an intermediate state σ3 and a final state σ4
  • As usual, σ4 = ⊥ when c does not terminate
  • ⟦c⟧R = { ⟨σ1, σ2, σ3, σ4⟩ | ∃σ. ⟨σ1, σ⟩ ∈ R ∧
        ( (⟨c, σ⟩ → σ2 ∧ σ2 = σ3 = σ4)
        ∨ ∃σ', c'. ⟨c, σ⟩ → ⟨c', σ'⟩ ∧
            ( ((σ2 = σ1 ∨ σ2 = σ) ∧ (σ3 = σ' ∨ σ3 = ⊥) ∧ σ4 = ⊥)
            ∨ ⟨σ', σ2, σ3, σ4⟩ ∈ ⟦c'⟧R ) ) }
  • c ⊨ (p, R, G, Q) iff for every ⟨σ1, σ2, σ3, σ4⟩ ∈ ⟦c⟧R such that σ1 ⊨ p:
    • ⟨σ2, σ3⟩ ∈ G
    • if σ4 ≠ ⊥ then ⟨σ1, σ4⟩ ∈ Q

17
Simple Examples
  • X := X + 1 ⊨ (true, X' = X, X' = X + 1 ∨ X' = X, X' = X + 1)
  • X := X + 1 ⊨ (X ≥ 0, X' ≥ X, X' > 0 ∨ X' = X, X' > 0)
  • X := X + 1 || Y := Y + 1 ⊨ (X ≥ 0 ∧ Y ≥ 0, X' ≥ X ∧ Y' ≥ Y, G, X' > 0 ∧ Y' > 0)
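A bounded, brute-force check of the judgement c ⊨ (p, R, G, Q) as described on the informal and formal semantics slides, run on the three simple examples above. This is an added example, not code from the lecture: commands are encoded as lists of atomic state-to-state steps, every variable ranges over a small finite domain (an assumption, so the check is exhaustive only on that domain), the environment may take any number of R-steps (R*) before each atomic step and after the last one, every atomic step is checked against G and every final state against Q. The third example also runs with the rely weakened to true to show what the counterexample looks like, and the parallel example fixes G to X' ≥ X ∧ Y' ≥ Y, which the slide leaves open.

```python
from itertools import product

VALUES = range(-2, 4)     # assumed finite domain of every variable (bounded check)


def all_states(names):
    """Every assignment of VALUES to the variable names."""
    return [dict(zip(names, vals)) for vals in product(VALUES, repeat=len(names))]


def key(s):
    return tuple(sorted(s.items()))


def make_env(rely, states):
    """Return env(s): the states reachable from s by zero or more environment steps
    satisfying rely, i.e. the image of s under R* (slide 13).  Memoised per state."""
    cache = {}

    def env(s):
        k = key(s)
        if k not in cache:
            seen, work, out = {k}, [s], [s]
            while work:
                cur = work.pop()
                for t in states:
                    if key(t) not in seen and rely(cur, t):
                        seen.add(key(t))
                        work.append(t)
                        out.append(t)
            cache[k] = out
        return cache[k]

    return env


def check(threads, names, p, rely, guar, post):
    """Bounded check of  c |= (p, R, G, Q)  for c = cobegin threads coend, where each
    thread is a list of atomic steps (functions from state to state).  Every
    interleaving is explored; the environment may interfere (R*) before every atomic
    step and after the last one.  Returns None when the judgement holds on the
    bounded domain, otherwise a counterexample: an atomic step that violates G or a
    final state that violates Q."""
    states = all_states(names)
    env = make_env(rely, states)
    done = tuple(len(th) for th in threads)
    for s0 in states:
        if not p(s0):
            continue
        stack, visited = [((0,) * len(threads), s0)], set()
        while stack:
            pcs, s = stack.pop()
            if (pcs, key(s)) in visited:
                continue
            visited.add((pcs, key(s)))
            for s1 in env(s):
                if pcs == done:                          # c has terminated: check Q
                    if not post(s0, s1):
                        return {"violates": "Q", "initial": s0, "final": s1}
                    continue
                for t, th in enumerate(threads):         # any runnable thread may step
                    if pcs[t] < len(th):
                        s2 = th[pcs[t]](s1)
                        if not guar(s1, s2):             # each atomic step must satisfy G
                            return {"violates": "G", "before": s1, "after": s2}
                        stack.append((pcs[:t] + (pcs[t] + 1,) + pcs[t + 1:], s2))
    return None


inc_x = lambda s: {**s, "X": s["X"] + 1}
inc_y = lambda s: {**s, "Y": s["Y"] + 1}


def example_no_interference():
    """X := X + 1 |= (true, X' = X, X' = X + 1 or X' = X, X' = X + 1)"""
    return check([[inc_x]], ["X"], p=lambda s: True,
                 rely=lambda s, t: t["X"] == s["X"],
                 guar=lambda s, t: t["X"] == s["X"] + 1 or t["X"] == s["X"],
                 post=lambda s, t: t["X"] == s["X"] + 1)


def example_monotone_rely():
    """X := X + 1 |= (X >= 0, X' >= X, X' > 0 or X' = X, X' > 0)"""
    return check([[inc_x]], ["X"], p=lambda s: s["X"] >= 0,
                 rely=lambda s, t: t["X"] >= s["X"],
                 guar=lambda s, t: t["X"] > 0 or t["X"] == s["X"],
                 post=lambda s, t: t["X"] > 0)


def example_rely_too_weak():
    """Same spec with rely = true: the environment may drive X negative first."""
    return check([[inc_x]], ["X"], p=lambda s: s["X"] >= 0,
                 rely=lambda s, t: True,
                 guar=lambda s, t: t["X"] > 0 or t["X"] == s["X"],
                 post=lambda s, t: t["X"] > 0)


def example_parallel():
    """X := X + 1 || Y := Y + 1 with G = X' >= X and Y' >= Y (assumed; the slide
    leaves G open).  Each thread's G implies the other's rely (parallel rule)."""
    return check([[inc_x], [inc_y]], ["X", "Y"],
                 p=lambda s: s["X"] >= 0 and s["Y"] >= 0,
                 rely=lambda s, t: t["X"] >= s["X"] and t["Y"] >= s["Y"],
                 guar=lambda s, t: t["X"] >= s["X"] and t["Y"] >= s["Y"],
                 post=lambda s, t: t["X"] > 0 and t["Y"] > 0)
```

The first counterexample found for the weakened rely is a G violation: the environment resets X to a negative value and the increment then produces a step that is neither X' > 0 nor X' = X. Because the check enumerates states only inside VALUES, a judgement that passes here is evidence on that domain, not a proof; the inference rules on the later slides are what give a proof.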

18
A Realistic Example
ES ≡ eventop ≤ M+1 ∧ even(i) ∧ ∀l. (even(l) ∧ 0 < l < i) ⇒ x(l) ≤ 0 ∧ (eventop ≤ M ⇒ x(eventop) > 0)

Findpos:
begin
  initialize: i := 2; j := 1; eventop := M+1; oddtop := M+1;
  search:
  cobegin
    Evensearch: while i < min(oddtop, eventop) do
                  if x(i) > 0 then eventop := i
                  else i := i + 2
  ||
    Oddsearch:  while j < min(oddtop, eventop) do
                  if x(j) > 0 then oddtop := j
                  else j := j + 2
  coend;
  k := min(eventop, oddtop)
end

Postcondition: k ≤ M+1 ∧ (∀l. 1 ≤ l < k ⇒ x(l) ≤ 0) ∧ (k ≤ M ⇒ x(k) > 0)

OS ≡ oddtop ≤ M+1 ∧ odd(j) ∧ ∀l. (odd(l) ∧ 0 < l < j) ⇒ x(l) ≤ 0 ∧ (oddtop ≤ M ⇒ x(oddtop) > 0)
19
Inference Rules
  • Define c ⊢ (p, R, G, Q) by structural induction on c
  • Soundness: if c ⊢ (p, R, G, Q) then c ⊨ (p, R, G, Q)

20
Atomic Command
  {p} c {Q}
21
Conditional Critical Section
  {p ∧ b} c {Q}
22
Sequential Composition
  c1 ⊢ (p1, R, G, Q1)
  c2 ⊢ (p2, R, G, Q2)
  Q1 ⇒ p2'
23
Conditionals
  c1 ⊢ (p ∧ b1, R, G, Q)    p ∧ b ∧ R ⇒ b1'
  c2 ⊢ (p ∧ b2, R, G, Q)    p ∧ ¬b ∧ R ⇒ b2'
24
Loops (j is the loop invariant)
  c ⊢ (j ∧ b1, R, G, j)    j ∧ b ∧ R ⇒ b1'
  R ⇒ Preserve(j)
25
Refinement
  c ⊢ (p, R, G, Q)
  p1 ⇒ p    Q ⇒ Q1
  R1 ⇒ R    G ⇒ G1
  (the refined specification (p1, R1, G1, Q1) has a stronger precondition and rely and a weaker postcondition and guarantee)
26
Parallel Composition
  c1 ⊢ (p1, R1, G1, Q1)
  c2 ⊢ (p2, R2, G2, Q2)
  G1 ⇒ R2
  G2 ⇒ R1
27
A Realistic Example (the Findpos program and the predicates ES and OS from slide 18, shown again)
28
(et and ot abbreviate eventop and oddtop)
OddSearch ⊢ (OS, RO, GO, OS' ∧ j' ≥ min(et', ot'))
ES ∧ i < min(et, ot) ∧ RE ⇒ (i < et)'
RE ⇒ Preserve(ES)
ES ∧ i < et ∧ x(i) > 0 ∧ RE ⇒ (x(i) > 0)'
ES ∧ i < et ∧ x(i) ≤ 0 ∧ RE ⇒ (x(i) ≤ 0)'
et := i ⊢ (ES ∧ i < et ∧ x(i) > 0, RE, GE, ES')
i := i + 2 ⊢ (ES ∧ i < et ∧ x(i) ≤ 0, RE, GE, ES')
RE ≡ i' = i ∧ ot' ≤ ot ∧ et' = et
GE ≡ j' = j ∧ et' ≤ et ∧ ot' = ot
GO ≡ RE
RO ≡ GE
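A bounded check of the Evensearch proof obligations listed above: RE preserves ES, the stability side conditions of the conditional rule, and the atomic-command obligations for et := i and i := i + 2 (each must satisfy GE and re-establish ES). This is an added example, not the lecture's code. It assumes a small array length M, enumerates every sign pattern of x(1..M) (ES only looks at signs), and leaves j out of the state because Evensearch never writes it, so the j' = j conjunct of GE holds trivially. A second rely that also lets the environment lower et is checked to show which obligations break when the rely is too weak.

```python
from itertools import product

M = 4   # assumed array length; x(1..M) ranges over the sign patterns {-1, +1}^M

# Bounded state space for Evensearch: i in 0..M+2 (i starts at 2 and only grows by 2),
# et and ot in 1..M+1.  j is omitted (modelling assumption, see the lead-in).
STATES = [{"i": i, "et": et, "ot": ot}
          for i, et, ot in product(range(0, M + 3), range(1, M + 2), range(1, M + 2))]


def arrays():
    """Every sign pattern of x(1..M), as a dict from index to value."""
    for signs in product((-1, 1), repeat=M):
        yield dict(zip(range(1, M + 1), signs))


def ES(s, x):
    """eventop <= M+1 and even(i) and (for all even l with 0 < l < i: x(l) <= 0)
    and (eventop <= M implies x(eventop) > 0).  Indices outside 1..M are not array
    cells and are skipped (assumption)."""
    return (s["et"] <= M + 1 and s["i"] % 2 == 0
            and all(x[l] <= 0 for l in range(2, s["i"], 2) if l in x)
            and (s["et"] > M or x[s["et"]] > 0))


def RE(s, t):
    """Evensearch's rely: i' = i and ot' <= ot and et' = et."""
    return t["i"] == s["i"] and t["ot"] <= s["ot"] and t["et"] == s["et"]


def GE(s, t):
    """Evensearch's guarantee without the trivial j' = j: et' <= et and ot' = ot."""
    return t["et"] <= s["et"] and t["ot"] == s["ot"]


def failed_obligations(rely):
    """Names of the slide-28 obligations for Evensearch that fail on the bounded
    domain under the given rely; an empty list means all of them hold."""
    failed = set()
    for x in arrays():
        for s in STATES:
            if not ES(s, x):
                continue
            i, et, ot = s["i"], s["et"], s["ot"]
            pos = i in x and i < et and x[i] > 0      # precondition of  et := i
            neg = i in x and i < et and x[i] <= 0     # precondition of  i := i + 2
            if pos:
                t = {**s, "et": i}
                if not (GE(s, t) and ES(t, x)):
                    failed.add("et := i |- (ES and i < et and x(i) > 0, RE, GE, ES')")
            if neg:
                t = {**s, "i": i + 2}
                if not (GE(s, t) and ES(t, x)):
                    failed.add("i := i + 2 |- (ES and i < et and x(i) <= 0, RE, GE, ES')")
            for t in STATES:                           # one environment step s -> t
                if not rely(s, t):
                    continue
                if not ES(t, x):
                    failed.add("RE => Preserve(ES)")
                if i < min(et, ot) and not t["i"] < t["et"]:
                    failed.add("ES and i < min(et, ot) and RE => (i < et)'")
                if pos and not (t["i"] in x and x[t["i"]] > 0):
                    failed.add("ES and i < et and x(i) > 0 and RE => (x(i) > 0)'")
                if neg and not (t["i"] in x and x[t["i"]] <= 0):
                    failed.add("ES and i < et and x(i) <= 0 and RE => (x(i) <= 0)'")
    return sorted(failed)


def RE_too_weak(s, t):
    """A rely that also lets the environment lower et, as if Oddsearch wrote it."""
    return t["i"] == s["i"] and t["ot"] <= s["ot"] and t["et"] <= s["et"]
```

Under RE every obligation holds. Under RE_too_weak both RE ⇒ Preserve(ES) and the stability of i < et fail: once the environment may lower et below i, the last conjunct of ES (x(eventop) > 0) is no longer stable and the loop test can be invalidated between its evaluation and the body. This is exactly why Evensearch's rely states et' = et while only allowing ot to decrease: the guarantee of Oddsearch (GO ≡ RE) never writes eventop.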
29
Auxiliary variables in Owicki-Gries
  {X = Y} X := X + 1 || Y := Y + 1 {X = Y}
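A bounded check of Owicki-Gries interference freedom (the Interference and Parallel Composition Rule slides) applied to the example above: the naive outlines {X = Y} X := X + 1 {X = Y + 1} and {X = Y} Y := Y + 1 {Y = X + 1} interfere, while outlines that record whether each thread has already incremented (auxiliary variables A and B in {0, 1}, set in the same atomic command as the increment) are interference free and their conjoined postcondition implies X = Y. This is an added example, not the lecture's code; the finite variable domain and the particular proof outlines are assumptions.

```python
from itertools import product

VALUES = range(-2, 4)    # assumed finite domain of every variable (bounded check)


def states_over(names):
    """Every assignment of VALUES to the variables in names."""
    return [dict(zip(names, vals)) for vals in product(VALUES, repeat=len(names))]


def triple(pre, cmd, post, states):
    """Bounded Hoare triple {pre} cmd {post} for an atomic cmd (state -> state)."""
    return all(post(cmd(s)) for s in states if pre(s))


def interference_free(outlines, names):
    """outlines: one proof outline per thread as a list [A0, T1, A1, ..., Tn, An]
    alternating assertions and atomic commands, so pre(Tk) = A(k-1).
    A command T does not interfere with an assertion q when {q and pre(T)} T {q}.
    Returns None when every assertion of every thread is preserved by every atomic
    command of every other thread, otherwise the first interference found."""
    states = states_over(names)
    for j, oj in enumerate(outlines):
        for i, oi in enumerate(outlines):
            if i == j:
                continue
            for k in range(1, len(oi), 2):
                pre_t, cmd = oi[k - 1], oi[k]
                for a, q in enumerate(oj[0::2]):
                    if not triple(lambda s: q(s) and pre_t(s), cmd, q, states):
                        return {"thread": j, "assertion": a, "interfered_by": (i, k // 2)}
    return None


# Naive outlines for {X = Y} X := X + 1 || Y := Y + 1 {X = Y}, no auxiliaries.
inc_x = lambda s: {**s, "X": s["X"] + 1}
inc_y = lambda s: {**s, "Y": s["Y"] + 1}
x_eq_y = lambda s: s["X"] == s["Y"]
NAIVE = [[x_eq_y, inc_x, lambda s: s["X"] == s["Y"] + 1],
         [x_eq_y, inc_y, lambda s: s["Y"] == s["X"] + 1]]

# Outlines with auxiliary variables A, B recording "already incremented"; the
# increment and the auxiliary update form a single atomic command.
inv = lambda s: s["X"] - s["A"] == s["Y"] - s["B"]
inc_x_a = lambda s: {**s, "X": s["X"] + 1, "A": 1}
inc_y_b = lambda s: {**s, "Y": s["Y"] + 1, "B": 1}
AUX = [[lambda s: inv(s) and s["A"] == 0, inc_x_a, lambda s: inv(s) and s["A"] == 1],
       [lambda s: inv(s) and s["B"] == 0, inc_y_b, lambda s: inv(s) and s["B"] == 1]]


def naive_interferes():
    """Expected: an interference (the assertion X = Y is broken by Y := Y + 1)."""
    return interference_free(NAIVE, ["X", "Y"])


def aux_interferes():
    """Expected: None, the auxiliary-variable outlines are interference free."""
    return interference_free(AUX, ["X", "Y", "A", "B"])


def aux_conclusion_ok():
    """Parallel composition rule: the conjoined local preconditions follow from
    X = Y with A = B = 0, and the conjoined local postconditions imply X = Y."""
    states = states_over(["X", "Y", "A", "B"])
    pre_ok = all(AUX[0][0](s) and AUX[1][0](s) for s in states
                 if s["X"] == s["Y"] and s["A"] == 0 and s["B"] == 0)
    post_ok = all(s["X"] == s["Y"] for s in states
                  if AUX[0][2](s) and AUX[1][2](s))
    return pre_ok and post_ok
```

The naive attempt fails at the very first assertion of thread 1: X = Y is not preserved by Y := Y + 1 even though that command's own precondition also says X = Y. The auxiliary variables turn the unstable local facts into the stable invariant X - A = Y - B, which is the pattern the lecture refers to when it says completeness of Owicki-Gries depends on auxiliary variables.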
30
Issues in R/G
  • Total correctness is trickier: the structure of the proofs must be restricted
  • Sometimes global proofs are preferable
  • Many design choices: transitivity and reflexivity of rely/guarantee, no standard set of rules
  • Suitable for designs

31
Summary
  • Reasoning about concurrent programs is difficult
  • Owicki-Gries suggest carefully designing the sequential proofs to simplify the proof procedure
    • The use of auxiliary variables can make proofs difficult
    • Can have difficulties with fine-grained concurrency
    • Benign data races
  • The rely/guarantee style allows more elegant and general reasoning
    • Compositional
    • Local
    • Adapts to the complexity of the proof
    • Soundness is simple
    • Naturally handles libraries and missing code