Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

Published byKeila Douthett Modified over 10 years ago

Similar presentations

Presentation on theme: "A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology."— Presentation transcript:

1 A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology of China

2 Compilers for concurrent programs Concurrent program transformations: Target code Source code T Multithreaded Java programs Java bytecode

3 Compilers for concurrent programs Fine-grained impl. of algorithms & objects local d,t; d = 0; while(d==0){ t = x; d = cas(&x, t, t+1); } Impl. of x++; x++; T Concurrent program transformations:

4 Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) – Atomic block (transaction)  fine-grained impl. Concurrent program transformations:

5 Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) Impl. of concurrent garbage collectors (GC) How to verify such a transformation T ? Concurrent program transformations:

6 How to define correctness of T ? O C T Print a rectangle. Print a square. Print a triangle.  T: Source  Target O  C: O has no more observable behaviors (e.g. I/O events by print(…) ) than C. OC refinement

7 Correct(T):  C, O. O = T(C)  O  C How to define correctness of T ? T: Source  Target O  C: O has no more observable behaviors (e.g. I/O events by print(…) ) than C.

8 (Compositionality) O1 || O2  Correct(T):  C, O. O = T(C)  O  C C1 || C2 O1C1  O2C2   T(C)  C for trans. unit C  To verify a concurrent program transformation T :

9  is NOT compositional w.r.t. parallel composition: O1  C1O2  C2 O1 || O2  C1 || C2  O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C, since output (O)  output (C) ; but we do NOT have O || O  C || C.

10 RGSim = Rely/Guarantee + Simulation Compositional w.r.t. parallel composition A proof theory for verifying T – Stronger than O  C – Applications: optimizations, fine-grained obj., concurrent GC, … Our contribution:

11 Background: simulation in CompCert (O,  ) (C,  )(C’,  ’) (O’,  ’) * (C’’,  ’’) (O’’,  ’’) e e * … …   [Leroy et al.] Source state Target state observable event (e.g. I/O)

12 O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C, but not O || O  C || C Simulation in CompCert [Leroy et al.] Can verify T for sequential programs  NOT compositional w.r.t. parallel composition

13 Simulation in CompCert [Leroy et al.] Can verify T for sequential programs  NOT compositional w.r.t. parallel composition  Consider NO environments Simulation in process calculus (e.g. CCS [Milner et al.]) Assume arbitrary environments Compositional  Too strong: limited applications

14 … (O’,  ’’)(O’’,  ’’’) (C’,  ’’) * (C’’,  ’’’) … ’’ ’’ e e Assuming arbitrary environments env  Too strong to be satisfied, since env. can be arbitrarily bad. (O,  )(O’,  ’) (C,  ) (C’,  ’) * ’’ ’’ In practice, T has assumptions about C & env.

15 T has assumptions about source code Compilers for concurrent programs – Prog. with data races has no semantics (e.g. concurrent C++) – Not guarantee correctness for racy programs Fine-grained objects – Accesses use same primitives (e.g. stack: push & pop) – Not guarantee correctness when env. can destroy obj. More examples are in the paper … Env. of a thread cannot be arbitrarily bad ! [Boehm et al. PLDI’08]

16 Problems of existing simulations : Our RGSim : Considers no env. in CompCert [Leroy et al.]  NOT compositional w.r.t. parallel composition Assumes arbitrary env. in process calculus (e.g. [Milner et al.])  Too strong: limited applications Parameterized with the interference with env. Compositional More applications Use rely/guarantee to specify the interference

17 What is rely/guarantee? [Jones'83] r: acceptable environment transitions g: state transitions made by the thread Thread1Thread2 Nobody else would update x I guarantee I would not touch y Nobody else would update y I guarantee I would not touch x Compatibility (Interference Constraints): g2  r1 and g1  r2 r1:  x = x’ ’’ r2:  y = y’ ’’ g1:  y = y’ ’’ g2:  x = x’ ’’

18 (O,  ) (C,  )(C’,  ’) (O’,  ’) * (C’’,  ’’’) (O’’,  ’’’) e e * … … * R r G g G g RGSim = Rely/Guarantee + Simulation ≲ ≲ ≲ (C’,  ’’) (O’,  ’’) ≲ (O, r, g) ≲ (C, R, G)

19 Soundness theorem (O, r, g) ≲ (C, R, G) If we can find r, g, R and G such that then we have: O  C

20 Parallel compositionality ( O 1 || O 2, r 1  r 2, g 1  g 2 ) ≲ ( C 1 || C 2, R 1  R 2, G 1  G 2 ) ( O 2, r 2, g 2 ) ≲ ( C 2, R 2, G 2 ) ( O 1, r 1, g 1 ) ≲ ( C 1, R 1, G 1 ) g 1  r 2 g 2  r 1 G 1  R 2 G 2  R 1 (PAR)

21 More on compositionality (O 1, r, g) ≲ (C 1, R, G)(O 2, r, g) ≲ (C 2, R, G) (O 1 ; O 2, r, g) ≲ (C 1 ; C 2, R, G) (O, r, g) ≲ (C, R, G) b  B (while b do O, r, g) ≲ (while B do C, R, G) An axiomatic proof system for verifying T …

22 We have applied RGSim to verify … Optimizations in parallel contexts – Loop invariant hoisting, strength reduction and induction variable elimination, dead code elimination, … Fine-grained impl. & concurrent objects – Lock-coupling list, impl. of x++, Treiber’s non-blocking stack, concurrent GCD algorithm, … Concurrent garbage collectors – A general GC verification framework – Hans Boehm’s concurrent GC [Boehm et al. 91]

23 Application: concurrent GC verification read x…write x, v…alloc… Programmer’s view of execution: Real execution: rB(x)…wB(x, v)…aB()… || GC code || AbsGC Turns garbage into reusable memory T Concurrent GC impl. = Barriers + GC code How to define Correct(GC) ?  C. T(C) || GC code  C || AbsGC Reduce to Correct(T) !

24 A concurrent GC verification framework T(C) || GC code  C || AbsGC   &  [Jones’83]  We have verified Hans Boehm’s concurrent GC algo [Boehm et al. 91] (T(C) || GC code, r’’, g’’) ≲ (C || AbsGC, R’’, G’’) (T(C), r’, g’) ≲ (C, R’, G’)(GC code, r, g) ≲ (AbsGC, R, G) (rB(x), r’, g’) ≲ (read x, R’, G’) (wB(x, v), r’, g’) ≲ ((write x, v), R’, G’) (aB(), r’, g’) ≲ (alloc, R’, G’) r, g ⊦ {p} GC code{q} Compositionality  C. g ≲ G

25 Conclusion RGSim = Rely/Guarantee + Simulation – Idea: parameterized with interference with env. – Compositional! A proof theory for verifying T – Optimizations, fine-grained obj., concurrent GC, … http://kyhcs.ustcsz.edu.cn/relconcur/rgsim

Download ppt "A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Hongjin Liang and Xinyu Feng

Hongjin Liang and Xinyu Feng
Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.

Refinement Verification of Concurrent Programs and Its Applications Hongjin Liang Univ. of Science and Technology of China Advisors: Xinyu Feng and Zhong.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.

8. Static Single Assignment Form Marcus Denker. © Marcus Denker SSA Roadmap  Static Single Assignment Form (SSA)  Converting to SSA Form  Examples.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Memory Models (1) Xinyu Feng University of Science and Technology of China.

Memory Models (1) Xinyu Feng University of Science and Technology of China.
Optimizing single thread performance Dependence Loop transformations.

Optimizing single thread performance Dependence Loop transformations.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Program Analysis and Verification 0368-4479

Program Analysis and Verification
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.

Progress Guarantee for Parallel Programs via Bounded Lock-Freedom Erez Petrank – Technion Madanlal Musuvathi- Microsoft Bjarne Steensgaard - Microsoft.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.

Formalisms and Verification for Transactional Memories Vasu Singh EPFL Switzerland.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

Similar presentations

Ads by Google