Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Folie 2 H. Schlingloff, Software Verification I Research is calling
Folie 3 H. Schlingloff, Software Verification I Parallelism increasing importance (multicore processors) in C, parallelism by multithreading POSIX: pthread_create (name, function, args) pthread_join, pthread_exit,... key issue: synchronization hard to understand, error-prone
Folie 4 H. Schlingloff, Software Verification I Concept Language we add the following new constructs to the language of while-programs { 1 || 2 } or, more generally, { 1 ||... || n } await (b) ; semantics parallel (interleaved) execution of the i blocking wait until condition is satisfied; program fragment within await is noninterruptable for simplicity, assignments are atomic actions
Folie 5 H. Schlingloff, Software Verification I Examples int n=0; { for (int i = 0; i<100; i++) n++; || for (int i = 0; i<100; i++) n--; } int n=0; int l, r; {for (int i = 0; i<100; i++) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) {r=n; r--; n=r;}} int n=0; {for (int i = 0; i<100; i++) await (1) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) await (1) {r=n; r--; n=r;}}
Folie 6 H. Schlingloff, Software Verification I More Examples a=0; {a*=a; a-=5; || a=2*a+3; a=1-a;} a=0; {a++; || a--;} {a=0; a++; || a=0; a--} a=0; {await (a>=0); a++; || await (a<=0); a--} a=0; {await (a>=0) a++; || await (a<=0) a--}
Folie 7 H. Schlingloff, Software Verification I A realistic example a=n; b=0; c=1; { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } program calculates binomial coefficient
Folie 8 H. Schlingloff, Software Verification I Interleaving Semantics A state of the program consists of an assignment of values to variables a set of program counters (depending on the number of parallel components), and SOS-rules for parallel programs if (U,I,V) ⊨ b and ( , V) * (skip,V’), then (await (b) , V) (skip,V’) if ( 1, V) ( 1 ’,V’), then ({ 1 || 2 }, V) ({ 1 ’ || 2 },V’) if ( 2, V) ( 2 ’,V’), then ({ 1 || 2 }, V) ({ 1 || 2 ’},V’) ({skip || skip}, V) (skip,V) In general, several possible executions! (tree of possibilities)
Folie 9 H. Schlingloff, Software Verification I A realistic example a=n; b=0; c=1; :{ 1: while (a!=n-k) { 2: c=c*a; 3: a--; } 4: || 1: while (b!=k) { 2: b++; 3: await (a+b<=n); 4: c=c/b; } 5: }
Folie 10 H. Schlingloff, Software Verification I Deadlocks a=0; b=0; {await (a!=0) || await (b!=0)} a=0; b=0; {await (a==1) b=1 || await (b==1) a=1} prt=T; dsk=T; {await (prt) prt=F; await(dsk) dsk=F; foo; prt=T; dsk=T; || await (dsk) dsk=F; await(prt) prt=F; bar; prt=T; dsk=T;}
Folie 11 H. Schlingloff, Software Verification I Invariants for Parallel Programs Assume is a formula such that { } { } for every subprogram of { 1 || 2 }. Then { } { 1 || 2 } { } Example: a=0; : {a++; : || a--; :} : Invariant a==0+ - (or, more explicit: ( ¬ ¬ a==0 a==0 ¬ a==1 ¬ a==-1) ) int n=0; { for (int i = 0; i<100; i++) n++; || for (int j = 0; j<100; j++) n--;} Invariant n=i-j