Programming Language Semantics Axiomatic Semantics of Parallel Programs

Tentative Schedule 15/6 Parallel Programs 22/6 Rely/Guarantee Reasoning –Assignment 2 29/6 Separation Logic 6, 3/7 Type Inference –Assignment 3

Plan More on Hoare Proof Rules Proof Rules for Concurrent Programs

Hoare Proof Rules for Partial Correctness {A} skip {A} {B[a/X]} X:=a {B} (Assignment Rule) {P} c 0 {C} {C} c 1 {Q} {P} c 0 ;c 1 {Q} {P  b} c 0 {Q} {P  b} c 1 {Q} {P} if b then c 0 else c 1 {Q} {I  b} c {I} {I} while b do c{I  b}  P  P’ {P’} c {Q’}  Q’  Q {P} c {Q} (Composition Rule) (Conditional Rule) (Loop Rule) (Consequence Rule)

Potential Language Extensions Blocks Procedures –Procedures as parameters Abstract data types Non-determinism Parallelism Arrays, Pointers, and Dynamic allocations

More Rules {P 1 } c {Q 1 } {P 2 } c {Q 2 } {P 1  P 2 } c {Q 1  Q 2 } (Conjunction Rule) {P} c {P} where Mod(c)  Var(P) =  (Invariance Rule)

Underlying Principles of Hoare Rules Commands are predicate transformers Different behaviors for different preconditions Commands can be partial –Resource restriction –Implementation restriction In {P} comm {Q} –P and Q are contracts with the clients of comm

An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

IMP+ Parallel Constructs Abstract syntax com::= X := a | skip | com 1 ; com 2 | if b then com 1 else com 2 | while b do com| cobegin com 1 || com 2 … || com k coend All the interleavings of are executed Example –cobegin X := 1 || (X :=2 ; X := X+2) coend

A First Attempt {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c n coend {Q 1  Q 2  …  Q k } (Parallel Rule)

Simple Examples {true} X := 1 { X >0 } {true} Y:= 1 {Y>0} {true} cobegin X :=1 || Y := 1 coend{X>0  Y >0} {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>0} {true} cobegin X :=1 || X:=2 ; X := X+2 coend{X>0 }

Unsoundness {Y=1} X := 0 { Y=1 } {true} Y:=0 {true} {Y=1} cobegin X :=0 || Y:=0 coend {Y=1 }

Modified Parallel Rule {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c k coend {Q 1  Q 2  …  Q k } Mod(c j )  Var(P i ) =  Mod(c j )  Var(Q i ) =  i  j

Unsoundness from sharing {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>3} {true} cobegin X :=1 || X:=2 ; X := X+2 coend {X>3 }

Handling Shared Variables Carefully design the proofs of every thread to make them local Show that the code of other threads do not interfere with the proofs of other threads

Interference A command T with a precondition pre(T) does not interfere with the proof of {P} C {Q} if: –{Q  pre(T) } T {Q} –For any command C’ inside C with a precondition pre(C’) {pre(C’)  pre(T) } T {pre(C’)} {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free if for every i  j and for every assignment in T in c i does not interfere with {P j } c j {Q j }

Modified Parallel Rule {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c k coend {Q 1  Q 2  …  Q k } {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free

No unsoundness from sharing {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>3} {true} cobegin X :=1 || X:=2 ; X := X+2 coend {X>3 }

A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

Incompleteness There exist correct programs which cannot be verified by the parallelization rule –{X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y}

An Informal Proof of {X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Z} X : = X + 1 { X = Z +1} {Y = Z} Y : = Y + 1 { Y = Z +1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Z+1  Y= Z+1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Y} Z : = X { X = Y  Y = Z} {X =Y } Z : = X ; cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X =Y } cobegin X := X + 1 || Y := Y+1 coend {X=Y}

Auxiliary Variables Record history information A set of variables AV is auxiliary for a command S if each variable from AV only occurs in assignments of the form X := t where X  AV Auxiliary variable elimination rule {P} S {Q} {P} S’ {Q} Where A is auxiliary for S FV(Q)  A =  FV(P)  A =  S’ results from S by deleting all assignments in to variables in S

A Formal Proof of {X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Z} X : = X + 1 { X = Z +1} {Y = Z} Y : = Y + 1 { Y = Z +1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Z+1  Y= Z+1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Y} Z : = X { X = Y  Y = Z} {X =Y } Z : = X ; cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X =Y } cobegin X := X + 1 || Y := Y+1 coend {X=Y} (Assign-Rule) (Par-Rule) (Cons.-Rule) (Assign-Rule) (Comp.-Rule) (Aux.-Rule)

Synchronization Primitives Support for atomic sections and communication A High Level Construct await B then S –No parallelization in S –Blocked until B holds –If B is true then S is executed atomically Examples –await true then S –Await “some condition” then skip –Semaphore P(sem): await sem >0 then sem := sem – 1 V(sem): await true then sem := sem + 1

Interference (modified) A command T with a precondition pre(T) does not interfere with the proof of {P} C {Q} if: –{Q  pre(T) } T {Q} –For any command C’ inside C but not within await with a precondition pre(C’) {pre(C’)  pre(T) } T {pre(C’)} {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free if for every i  j and for every assignment not inside await or an await T in c i does not interfere with {P j } c j {Q j }

An Inference Rule for Await {P  b} c {Q} {P } await B then c {Q}

Producer-Consumer Two processes communicating via a shared bounded buffer Consumer waits for the buffer to be filled Producer waits for the buffer to be non-full and fills the buffer buffer[0..N-1] in – the number of elements added out – the number of elements deleted buffer[out mod N], … buffer[(out + in – out -1) mod N] elements

in := 0; out := 0 ; cobegin producer: … await in-out < N then skip add: buffer(in mod N) := next value; markin: in := in +1; … || consumer: … await in-out >0 then skip remove: this value := buffer(out mod N); markout: out := out +1; … coend Producer/Consumer Code

in := 0; out := 0 ; i := 1; j :=1; {M  0} cobegin producer: while i  M do begin x:= A[i]; await in-out <N then skip; add: buffer[in mod N] := x ; markin: in := in + 1; i := i + 1 end || consumer: while j  M do begin await in-out >0 then skip; remove: y := buffer[out mod N] ; markout: out := out + 1; B[j] := y; j := j + 1 end coend {  k: 1  k  M  B[k] = A[k]} I=  k: out < k  M  buffer[(k-1} mod N] = A[k]  0  in-out  N  0  i  M+1  0  j  M+1

{I  i = in+1=1  j=out+1=1} cobegin {I  i = in+1=1} producer: while i  M do begin x:= A[i]; await in-out <N then skip; add: buffer[in mod N] := x ; markin: in := in + 1; i := i + 1 end {I  i = in+1=M+1} || {I  j = out+1=1} consumer: while j  M do begin await in-out >0 then skip; remove: y := buffer[out mod N] ; markout: out := out + 1; B[j] := y; j := j + 1 end {I   k: 1  k  M  B[k] = A[k]}} coend {  k: 1  k  M  B[k] = A[k]} I=  k: out < k  M  buffer[(k-1} mod N] = A[k]  0  in-out  N  0  i  M+1  0  j  M+1

Summary Reasoning about concurrent programs is difficult Aweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure The use of auxiliary variables can make proofs difficult Can have difficulties with fine-grained concurrency –Benign dataraces Rely/Guarantee style can allow more elegant/general reasoning (next lesson)