VPERM: Variable Permissions for Concurrency Verification Duy-Khanh Le, Wei-Ngan Chin, Yong-Meng Teo ICFEM, Kyoto, Japan, Nov 2012

Outline  Motivation & Example  Formalism  Programming & Specification Language  Verification by Entailment Checking  Inferring Variable Permissions  Eliminating Variable Aliasing  Applicability  Experiment  Conclusion 2 VPERM: Variable Permissions for Concurrency Verification

Motivation  Access permissions attracted much attention for reasoning about shared heap data structures  State-of-the-art verification tools  ignore program variables  or apply the same permission system, designed for heap memory, to variables  However, variables are simpler than heap data structures: each variable is distinct  Need a simpler reasoning scheme for variables 3 VPERM: Variable Permissions for Concurrency Verification

Related Work VPERM: Variable Permissions for Concurrency Verification 4 Expressiveness Variables as Resource [Bornat et al. 2006] Logic + complex permissions Syntactic Control of Inference [Reddy et al. 2012] Syntactic + complex permissions Smallfoot [Berdine et al. 2006] Syntactic + simple Our Variable Permissions (VPERM) Logic + simple Complexity

Related Work  Permission systems for variables  Variables as resources [1] & syntactic control of inference [2] User fractional/counting permissions to allow sharing Though flexible, this places higher burden on programmers to figure out the fraction used  Verification systems for concurrency  Smallfoot [3] uses side conditions to outlaw conflicting accesses  Chalice [4] does not support permission of variables in method’s bodies  Verifast [5] treats variables as heap locations 5 VPERM: Variable Permissions for Concurrency Verification

Objective  Propose a simple permission system to ensure data-race freedom when accessing variables 6 VPERM: Variable Permissions for Concurrency Verification

A Motivating Example void main() { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) { i=i+j; } int creator(ref int x,ref int y) { int tid; tid=fork(inc,x,1); inc(y,2); return tid; } 1.Any accesses to x after fork and before join are unsafe (racy) 2.How to propagate the above fact across procedure boundaries pass-by-refpass-by-value 7 VPERM: Variable Permissions for Concurrency Verification

A Motivating Example with Specifications void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid & thread=main and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 8 VPERM: Variable Permissions for Concurrency Verification implicit

A Motivating Example with Specifications void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 9 VPERM: Variable Permissions for Concurrency Verification

A Motivating Example with VPERM void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) ensures i'=i+j { i=i+j; } int creator(ref int x, ref int y) & y’=y+2 & res=tid & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 10 VPERM: Variable Permissions for Concurrency Verification

A Motivating Example with VPERM int creator(ref int x, ref int y) & y’=y+2 & res=tid & x'=x+1 & thread=tid; { int & x’=x & y’=y & id’=0 & y’=y & id’=tid // & x'=x+1 & thread=tid; inc(y,2); & y’=y+2 & id’=tid // & x'=x+1 & thread=tid; return id; & y’=y+2 & id’=tid & res=tid // & x'=x+1 & thread=tid; } void inc(ref int i, int j) ensures i'=i+j { i=i+j; } main thread and child thread int creator(ref int x, ref int y) { int id; id=fork(inc,x,1); inc(y,2); return id; } 11 VPERM: Variable Permissions for Concurrency Verification

A Motivating Example with VPERM void main() requires true ensures true; { int int id = join(id); assert } void inc(ref int i, int j) ensures i'=i+j { i=i+j; } int creator(ref int x, ref int y) & y’=y+2 & res=tid & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } 12 VPERM: Variable Permissions for Concurrency Verification

Programming Language 13 VPERM: Variable Permissions for Concurrency Verification

Specification Language 14 VPERM: Variable Permissions for Concurrency Verification

Variable Permissions  Two key annotations for variable permissions  In a pre-condition w* is a list of pass-by-ref variables variable permissions are passed from caller to callee  In a post-condition variable permissions are returned from callee to caller  In a pre-condition w* is a list of pass-by-value variables  Not exist in post-conditions 15 VPERM: Variable Permissions for Concurrency Verification

Verification by Entailment Checking 16 VPERM: Variable Permissions for Concurrency Verification

Entailment Rules for VPERM 17 VPERM: Variable Permissions for Concurrency Verification

Soundness Proofs are in the paper 18 VPERM: Variable Permissions for Concurrency Verification

Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } V post = V post = {x} 19 VPERM: Variable Permissions for Concurrency Verification

Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; V post = V post = {x} 20 VPERM: Variable Permissions for Concurrency Verification

Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; V pre 21 VPERM: Variable Permissions for Concurrency Verification

Inferring Variable Permissions (*) Algorithm and Soundness in the paper int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return @full[y] 22 VPERM: Variable Permissions for Concurrency Verification

Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);...//accesses to *p are racy join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } 23 VPERM: Variable Permissions for Concurrency Verification

Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id = fork(inc, x, join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);... join(id); } still have permission to access p and indirectly x Solution: a translation to eliminate * and & 24 VPERM: Variable Permissions for Concurrency Verification

Translation Scheme void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);... join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } void main() { int_ptr x = new int_ptr(0); int_ptr p = x; int id; id = fork(inc, x, 1);... join(id); delete(x); } void inc(int_ptr i, int j) requires i::int_ptr ensures i::int_ptr & new_i=old_i+j; { i.val = i.val + j; } promote (*) details are in the paper 25 VPERM: Variable Permissions for Concurrency Verification

Applicability  Pthread  pthread_create requires a single pointer to heap memory  Cilk  More flexible, either pass-by-ref or pass-by- value  Vperm  Passing the pointer by value when fork  Pass-by-ref and pass- by-value 26 VPERM: Variable Permissions for Concurrency Verification

Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } 27 VPERM: Variable Permissions for Concurrency Verification

Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } void fib(int n, ref int result) [result] & n>=0 [result] & fiba(n, result ); { if (n<=1){ result = n; } else{ int x, y; int id1 = fork(fib,n−1, x); int id2 = fork(fib,n−2, y); … // cannot access x and y join(id1); join(id2); result=x+y; } } 28 VPERM: Variable Permissions for Concurrency Verification

Experiments 29 VPERM: Variable Permissions for Concurrency Verification Download or try VPERM online at Trade-off: higher verification time (machine effort) BUT less manual annotation (human effort).

Conclusion  A simple permission system for variables  Simple to understand  Simple to reason about  Simple to infer  Expressive enough to capture real-world programming languages such as Pthreads, Cilk  Feasible to incorporate into a tool VPERM  Experiments show less annotation overheads compared to state-of-the-art 30 VPERM: Variable Permissions for Concurrency Verification

THANK YOU END Q&A 31 VPERM: Variable Permissions for Concurrency Verification Download or try VPERM online at

Limitations  Phased Accesses to Shared Variables  Read outside a critical region but write inside a critical region  This requires partial permissions  BUT we could use pseudo-heap locations for this type of complex reasoning VPERM: Variable Permissions for Concurrency Verification 32

Phased Accesses inv & x=a+b; int x=0; int a = 0; int b = 0; lock l; init(l); & half[a,b] // l is passed by value to child thread //full[l] & half[a] acquire(l); //full[l,x,a] & half[b] x = x +1; a = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap

Phased Accesses inv & x=a.val+b.val; int x=0; int_ptr a = new int_ptr(0); int_ptr b = new int_ptr(0); lock l; init(l); & half[a,b] // l,a,b is passed by value to child thread //a::int_ptr(1/2)<> & full[l,a] acquire(l); //full[l,x,a] & half[b] x = x +1; a.val = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b.val = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap

Verification by Entailment Checking (Full) 35 VPERM: Variable Permissions for Concurrency Verification

Background  Heap vs stack  A stack variable x pointing to  A heap location containing an integer  E.g. int_ptr x = new int_ptr(1);  Separation logic  Fractional permissions  How about program (stack) variables? VPERM: Variable Permissions for Concurrency Verification 36 {x  2 * y  2} [x]=3 {x  3 * y  2} x1x1 {x  2 * x  2}  {x  2}

Background  Heap vs stack  A stack variable x pointing to  A heap location containing an integer 1  E.g. int_ptr x = new int_ptr(1);  Hoare’s logic  Separation logic  Fractional permissions VPERM: Variable Permissions for Concurrency Verification 37 {x  2 /\ y  2} x=3 {x  3 /\ y  2} {x  2 * y  2} x=3 {x  3 * y  2} what if x and y aliased ??? no alias  ok x1x1 {x  1 /\ y  2} x=3 {x  3 /\ y  2} {x  2 * x  2}  {x  2}