Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
Program Analysis and Verification
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Axiomatic Semantics Dr. M Al-Mulhem ICS
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Programming Language Semantics Axiomatic Semantics of Parallel Programs.
Describing Syntax and Semantics
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Verifying a Wait Free Register Algorithm Using Assertional Reasoning Xu Qiwen Faculty of Science and Technology University of Macau.
Reading and Writing Mathematical Proofs
1 Formal Semantics of Programming Languages “Program testing can be used to show the presence of bugs, but never to show their absence!” --Dijkstra.
Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Reasoning about programs March CSE 403, Winter 2011, Brun.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.
Chapter 3 Part II Describing Syntax and Semantics.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
Program Logic for Concurrency Refinement Verification Xinyu Feng University of Science and Technology of China Joint work with Hongjin Liang (USTC) and.
This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
Cs7100(Prasad)L18-9WP1 Axiomatic Semantics Predicate Transformers.
Program Analysis and Verification
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Axiomatic Verification II Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 18.
Spring 2017 Program Analysis and Verification
Formal methods: Lecture
Spring 2017 Program Analysis and Verification
Formal Methods in Software Engineering 1
Verification of Concurrent Programs
Hongjin Liang, Xinyu Feng & Ming Fu
Mathematical Structures for Computer Science Chapter 1
Lecture 5 Floyd-Hoare Style Verification
Lecture 2: Axiomatic semantics
Programming Languages and Compilers (CS 421)
Programming Languages 2nd edition Tucker and Noonan
Axiomatic Verification II
Axiomatic Verification I
Formal Methods in software development
Predicate Transformers
Formal Methods in software development
Axiomatic Verification I
Program correctness Axiomatic semantics
Program Verification with Hoare Logic
Programming Languages and Compilers (CS 421)
Programming Languages 2nd edition Tucker and Noonan
Program Analysis and Verification
Presentation transcript:

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv

An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

Interference A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if: –{q  pre(T) } T {q} –For any command c’ inside c with a precondition pre(c’) {pre(c’)  pre(T) } T {pre(c’)} {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free if for every i  j and for every assignment in T in c i does not interfere with {p j } c j {q j }

Parallel Composition Rule {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } {p 1  p 2  … p k } cobegin c 1 || c 2 || …|| c k coend {q 1  q 2  …  q k } {p 1 }q 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free

Limitations of the Owicky & Gries proof rules Checking interference can be hard –Non-compositionality Until you finished the local proofs cannot check interference A non-standard meaning of Hoare triples –Depends on the interference of other threads with the proof –Proofs need to be saved –Hard to handle libraries and missing code –Soundness is non-trivial Completeness depends on auxiliary variables

Commands as relations It is convenient to view the meaning of commands as relations between pre-states and post-states In {p} C {Q} –p is a one state predicate –Q is a two-state predicate Example –{true} x := x + 1 {x= x + 1}

Global Reasoning {x  0} x := x + 1; y := 1 {x >0} {x  0} x := x + 2; y := 2 {x >0} {x  0} x := x + 200; y := 200 {x >0} …  

x 0  0  x 1  x 0  x 2 = x 1 +7  y 2 = y 1  x 3  x 2  x 4 = x 3  y 4 =7  x 5  x 4 Rely/Guarantee Reasoning {x  x} x := x + 7; y:=7   x 5 >0 {x  0} {x>0}

Rely/Guarantee Reasoning(2) {x  x} {x  0} x := x + 7; y:=7 {x>0} x =x+7  y=y  x  x  x =x  y=7  x  x

Hoare vs. Rely/Guarantee Reasoning {P} c {Q} {P} c {Q} {P} c {Q} R*R* G R*R* G R*R* G

The rest of the lecture Operations on relations (Informal) Semantics of Rely/Guarantee A sound Rely/Guarantee inference rules

From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if –p  R  p – ,  : p(  )  R( ,  )  p(  )

Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * =ID  R  (R;R)  (R;R;R)  … 

Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

Informal Semantics c  (p, R, G, Q) –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

A Formal Semantics Let  c  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –as usual  4 =  when c does not terminate  c  R = { :   :  R  (  *  2   2 =  3 =  4    ’, c’:  *  ( ((  2 =  1   2 =  )  (  3 =   3 =  ’)   4 =  )    c’  R ) c  (p, R, G, Q) –For every   c  R such that  1  p  G If  4   :  Q

Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness –If c  (p, R, G, Q) then c  (p, R, G, Q)

Atomic Command {p} c {Q} atomic {c}  (p, preserve(p), Q  ID, Q) (Atomic)

Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

Conditionals c 1  (p  b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (p  b 2, R, G, Q) p   b  R*  b 2

Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

OddSearch  (OS, R O, G O, OS  j  min(et, ot)) R E =i =i  ot  ot  et =etG E =j =j  et  et  ot =ot R E  Preserve(ES) et :=i  (ES  i 0, R E, G E, ES) i :=i+2  (ES  i< et)  x(i)  0, R E, G E, ES) ES  i 0  R E *  x(i) >0ES  i < et  x(i)  0  R E *  x(i)  0 if (x(i) >0) …  (ES  i<et), R E, G E, ES) (IF) EvenSearch  (ES, R E, G E, ES  i  min(et, ot)) (WHILE) G o =R E R O =G E EvenSearch||OddSearch  (ES  OS, R E  R O, G E  G O, ES  OS  i  min(et, ot)  j  min(et, ot)) (PAR) ES  i<min(et, ot)  R E *  i<et

Auxiliary in Owicky-Gries {X = Y} X := X + 1 || Y := Y+1 {X=Y}

Issues in R/G Total correctness is trickier Restrict the structure of the proofs –Sometimes global proofs are preferable Many design choices –Transitivity and Reflexivity of Rely/Guarantee –No standard set of rules Suitable for designs

Summary Reasoning about concurrent programs is difficult Oweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure –The use of auxiliary variables can make proofs difficult –Can have difficulties with fine-grained concurrency Benign dataraces Rely/Guarantee style allows more elegant/general reasoning –Compositional –Local –Adapts to the complexity of the proof –Soundness is simple –Naturally handles libraries and missing code