Concurrent Separation Logic
How to prove the correctness of concurrent programs? Difficult because of the interleaving and state sharing. Sometimes the programs could be too smart such that they are very difficult to understand.
How to prove the correctness of concurrent programs One philosophy (due to Tony Hoare): Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines. Most of the time each process uses its own private data. In the rare cases that they need to communicate, access the shared data exclusively in critical regions. await (B) do C with r when B do C Mutex or locks (which we will use here)
The language x := e | [e] := e' | x := [e] | cons(e) | dispose(e) | C; C | C || C | … A new construct: l.acq() | l.rel()
Operational Semantics Program state: (s, h, L) where L locks {0, 1} L(l) = 1 (l.acq(), (s, h, L)) (skip, (s, h, L{l 0}) ) (l.rel(), (s, h, L)) (skip, (s, h, L{l 1}) )
How to control interference? Basic idea: Each thread has private memory (resource) The private resource can be arbitrarily used Private resources of different threads are disjoint Shared resources are protected by locks Shared resources are disjoint with local resources Can only be used when the lock is acquired (i.e. in critical regions) Different locks protect different resources
Basic Memory Model Shared (accessible only in critical regions) Private Private
Basic Memory Model
Basic Memory Model
Basic Memory Model
Basic Memory Model When the resource is acquired/released, it must be well-formed. The well-formedness is resource invariant.
Concurrent Separation Logic (CSL) Lock-based critical regions (CR): l.acq(); … l.rel() Invariants about memory protected by locks: = {l1 r1, …, ln rn} r1, …, rn disjoint l1 ln r1 rn
CSL – Formalization Key ideas: Threads can only access disjoint resources at the same time. p q p q Transfer is logical: no memory copying ┝ {p1} C1 {q1} ┝ {p2} C2 {q2} ┝ {p1 p2} C1 || C2 {q1 q2}
CSL – Parallel Composition ln p q p q r1 rn ┝ {p1} C1 {q1} ┝ {p2} C2 {q2} ┝ {p1 p2} C1 || C2 {q1 q2} Transfer is logical: no memory copying I() p1 p2 I() q1 q2 We’ll define I() later.
CSL - Locks Lock acquire: Lock release: ┝ {p} l.acq() {p (l)} Note: do not support reentrant locks Lock release: ┝ {p (l)} l.rel() {p} Compare the rules with cons and dispose
Examples (l) = full c _, _ full emp Put (x): l.acq(); while( full ){ l.rel(); } c := x; full := true; Get (y): l.acq(); while( !full ){ l.rel(); } y := c; full := false; (l) = full c _, _ full emp
Examples (l) = full c _, _ full emp Put (x): l.acq(); while( full ){ l.rel(); } (l) = full c _, _ full emp {x _, _ } {x _, _ (l) full } {x _, _ } c := x; full := true; l.rel(); {x _, _ (l) } {c _, _ } {x _, _ } {full c _, _ } {x _, _ (l) } {(l) } {emp } {x _, _ (l) full }
Examples (l) = full c _, _ full emp get (y): l.acq(); while( !full ){ l.rel(); } (l) = full c _, _ full emp {emp} { (l) full } {c _, _ } y := c; full := false; l.rel(); { (l) } {y _, _ } { emp } {y _, _ (full emp) } {(l) } {y _, _ (l)} {y _, _ } {(l) full }
Examples {x _, _ } put (x) {emp } {emp} get (y) {y _, _ } {emp} x := cons(a, b); put(x); get(y); use(y); dispose(y); {x _, _ } {y _, _ } {y _, _ } {emp } {emp} {emp emp}
Examples (2) (l) = list(f) alloc (x, a, b): l.acq(); if( f == null ){ l.rel(); x := cons (a, b); } else { x := f; f := [x+1]; [x] := a; [x+1] := b; } free (y): l.acq(); [y+1] := f; f := y; l.rel(); (l) = list(f)
Examples (2)
Requirement on Resource Invariant ┝ {p1} C1 {q1} ┝ {p2} C2 {q2} ┝ {p1 p2} C1 || C2 {q1 q2} l1 ln r1 rn Transfer is logical: no memory copying Resource invariants need to be precise, i.e. l dom(). precise( (l) )
Requirement on Resource Invariant one 10 _ (l) = true ┝ {true} skip {true} ┝ {(emp one) true} skip {emp true} ┝ {(emp one)} l.acq; skip; l.rel(); {emp} C l.acq; skip; l.rel(); ┝ {(emp one)} C {emp} ┝ {(emp one)} C {emp} ┝ {emp} C {emp} ┝ {one} C {emp} ┝ {emp one} C {emp one} ┝ {one} C {one}
Requirement on Resource Invariant (l) = true ┝ {one} C {one} ┝ {one} C {emp} ┝ {one} C {one emp} ┝ {one} C {false} The problem: (l) is not precise. Recall that p r q r (p q ) r does not hold unless r is precise.
Soundness l1 ln I(, L, l) = L(l) = 0 emp L(l) = 0 (l) r1 rn I(, L) = ldom() . I(, L, l) We define Safek(, (s, h, L), C, q) inductively.
Soundness Safe0(, (s, h, L), C, q) always holds Safek+1(, (s, h, L), C, q) holds if there exist hs and hp such that (1) h = hs |+| hp; (2) (s, hs) |= I(, L) (3) for all s’, hs’, L’, and h’, if (s’, hs’) |= I(, L’), and h = hs’ |+| hp, then Safek(, (s’, h’, L’), C, q) (4) if C = skip, then (s, hp) |= q true (5) for all s’, h’, L’, if (C, (s, h, L)) (C’, (s’, h’, L’)), then Safek(, (s’, h’, L’), C’, q)
Soundness l1 ln I(, L, l) = L(l) = 0 emp L(l) = 0 (l) r1 rn I(, L) = ldom() . I(, L, l) We define Safek(, (s, h, L), C, q) inductively. Safe(, (s, h, L), C, q) iff k. Safek(, (s, h, L), C, q) [ ┝ { p } C { q } ] s, h, L. if (s, h) |= I(, L) p true, then Safe(, (s, h, L), C, q)
Reading Peter W. O'Hearn: Resources, Concurrency and Local Reasoning. CONCUR 2004: 49-67 Peter W. O'Hearn: Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375(1-3): 271-307 (2007) Viktor Vafeiadis. Concurrent separation logic and operational semantics. In MFPS 2011. ENTCS 276, pp. 335-351. Elsevier (Sep. 2011)