Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hongjin Liang, Xinyu Feng & Ming Fu

Published byἈελλώ Ασπάσιος Modified over 6 years ago

Similar presentations

Presentation on theme: "Hongjin Liang, Xinyu Feng & Ming Fu"— Presentation transcript:

1 A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations
Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology of China

2 Concurrent program transformations:
Compilers for concurrent programs Source code Multithreaded Java programs T Target code Java bytecode

3 Concurrent program transformations:
Compilers for concurrent programs Fine-grained impl. of algorithms & objects local d,t; d = 0; while(d==0){ t = x; d = cas(&x, t, t+1); } Impl. of x++; T x++;

4 Concurrent program transformations:
Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) Atomic block (transaction)  fine-grained impl.

5 Concurrent program transformations:
Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) Impl. of concurrent garbage collectors (GC) How to verify such a transformation T ?

6   How to define correctness of T ? T C O
T: Source  Target C Print a rectangle. C O T O Print a square. Print a triangle. refinement O  C: O has no more observable behaviors (e.g. I/O events by print(…)) than C.

7 How to define correctness of T ?
T: Source  Target Correct(T): C, O. O = T(C)  O  C O  C: O has no more observable behaviors (e.g. I/O events by print(…)) than C.

8 To verify a concurrent program transformation T :
O2 C2 (Compositionality) O1 || O2 C1 || C2 Correct(T): C, O. O = T(C)  O  C T(C)  C for trans. unit C

9   is NOT compositional w.r.t. parallel composition: O1  C1 O2  C2
O1 || O2  C1 || C2 O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C, since output(O)  output(C) ; but we do NOT have O||O  C||C .

10 RGSim = Rely/Guarantee + Simulation
Our contribution: RGSim = Rely/Guarantee + Simulation Compositional w.r.t. parallel composition A proof theory for verifying T Stronger than O  C Applications: optimizations, fine-grained obj., concurrent GC, …

11 Background: simulation in CompCert
[Leroy et al.] Source state e * * (C, ) (C’, ’) (C’’, ’’) observable event (e.g. I/O) Target state (O’’, ’’) e (O, ) (O’, ’)

12 Simulation in CompCert [Leroy et al.]
 Can verify T for sequential programs  NOT compositional w.r.t. parallel composition O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C , but not O||O  C||C

13 Simulation in CompCert [Leroy et al.]
 Can verify T for sequential programs  NOT compositional w.r.t. parallel composition Consider NO environments Simulation in process calculus (e.g. CCS [Milner et al.]) Assume arbitrary environments  Compositional  Too strong: limited applications

14 Assuming arbitrary environments
(O’, ’’) (O’’, ’’’) (C’, ’’) * (C’’, ’’’) ’ e env (O, ) (O’, ’) (C, ) (C’, ’) * ’ env Too strong to be satisfied, since env. can be arbitrarily bad. In practice, T has assumptions about C & env.

15 T has assumptions about source code
Compilers for concurrent programs Prog. with data races has no semantics (e.g. concurrent C++) Not guarantee correctness for racy programs Fine-grained objects Accesses use same primitives (e.g. stack: push & pop) Not guarantee correctness when env. can destroy obj. More examples are in the paper … [Boehm et al. PLDI’08] Env. of a thread cannot be arbitrarily bad !

16 Problems of existing simulations :
Considers no env. in CompCert [Leroy et al.]  NOT compositional w.r.t. parallel composition Assumes arbitrary env. in process calculus (e.g. [Milner et al.])  Too strong: limited applications Our RGSim : Parameterized with the interference with env.  Compositional More applications Use rely/guarantee to specify the interference

17 What is rely/guarantee?
[Jones'83] r: acceptable environment transitions g: state transitions made by the thread Thread1 Thread2 r1: x = x’ ’ r2: y = y’ ’ Nobody else would update y Nobody else would update x g1: y = y’ ’ g2: x = x’ ’ I guarantee I would not touch x I guarantee I would not touch y Compatibility (Interference Constraints): g2  r and g1  r2 17

18 RGSim = Rely/Guarantee + Simulation
* * * R (C, ) (C’, ’) (C’, ’’) (O’, ’’)  (C’’, ’’’) G G    (O’’, ’’’) e (O, ) (O’, ’) r g g (O, r, g)  (C, R, G)

19 Soundness theorem If we can find r, g, R and G such that
(O, r, g)  (C, R, G) then we have: O  C

20 Parallel compositionality
(O1||O2, r1r2, g1g2)  (C1||C2, R1R2, G1G2) (O2, r2, g2)  (C2, R2, G2) (O1, r1, g1)  (C1, R1, G1) g1  r2 g2  r1 G1  R2 G2  R1 (PAR)

21 More on compositionality
(O1, r, g)  (C1, R, G) (O2, r, g)  (C2, R, G) (O1; O2, r, g)  (C1; C2, R, G) (O, r, g)  (C, R, G) b  B (while b do O, r, g)  (while B do C, R, G) An axiomatic proof system for verifying T

22 We have applied RGSim to verify …
Optimizations in parallel contexts Loop invariant hoisting, strength reduction and induction variable elimination, dead code elimination, … Fine-grained impl. & concurrent objects Lock-coupling list, impl. of x++, Treiber’s non-blocking stack, concurrent GCD algorithm, … Concurrent garbage collectors A general GC verification framework Hans Boehm’s concurrent GC [Boehm et al. 91]

23 Application: concurrent GC verification
read x write x, v alloc Programmer’s view of execution: || AbsGC T Turns garbage into reusable memory Real execution: || GC code rB(x) wB(x, v) aB() Concurrent GC impl. = Barriers + GC code How to define Correct(GC) ? Reduce to Correct(T) ! C. T(C) || GC code  C || AbsGC

24 A concurrent GC verification framework
T(C) || GC code  C || AbsGC (T(C) || GC code, r’’, g’’)  (C || AbsGC, R’’, G’’) Compositionality (T(C), r’, g’)  (C, R’, G’) & (GC code, r, g)  (AbsGC, R, G) Compositionality (rB(x), r’, g’)  (read x, R’, G’) (wB(x, v), r’, g’)  ((write x, v), R’, G’) (aB(), r’, g’)  (alloc, R’, G’) r, g |- {p} GC code{q} [Jones’83] g G We have verified Hans Boehm’s concurrent GC algo [Boehm et al. 91]

25 Conclusion RGSim = Rely/Guarantee + Simulation
Idea: parameterized with interference with env. Compositional! A proof theory for verifying T Optimizations, fine-grained obj., concurrent GC, …

Download ppt "Hongjin Liang, Xinyu Feng & Ming Fu"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.

8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Memory Models (1) Xinyu Feng University of Science and Technology of China.

Memory Models (1) Xinyu Feng University of Science and Technology of China.
Optimizing single thread performance Dependence Loop transformations.

Optimizing single thread performance Dependence Loop transformations.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Program Analysis and Verification 0368-4479

Program Analysis and Verification
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.

Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

Similar presentations

Ads by Google