Presentation is loading. Please wait.

Presentation is loading. Please wait.

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv."— Presentation transcript:

1 Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv

2 An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

3 Interference A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if: –{q  pre(T) } T {q} –For any command c’ inside c with a precondition pre(c’) {pre(c’)  pre(T) } T {pre(c’)} {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free if for every i  j and for every assignment in T in c i does not interfere with {p j } c j {q j }

4 Parallel Composition Rule {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } {p 1  p 2  … p k } cobegin c 1 || c 2 || …|| c k coend {q 1  q 2  …  q k } {p 1 }q 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free

5 Limitations of the Owicky & Gries proof rules Checking interference can be hard –Non-compositionality Until you finished the local proofs cannot check interference A non-standard meaning of Hoare triples –Depends on the interference of other threads with the proof –Proofs need to be saved –Hard to handle libraries and missing code –Soundness is non-trivial Completeness depends on auxiliary variables

6 Commands as relations It is convenient to view the meaning of commands as relations between pre-states and post-states In {p} C {Q} –p is a one state predicate –Q is a two-state predicate Example –{true} x := x + 1 {x= x + 1}

7 Global Reasoning {x  0} x := x + 1; y := 1 {x >0} {x  0} x := x + 2; y := 2 {x >0} {x  0} x := x + 200; y := 200 {x >0} …  

8 x 0  0  x 1  x 0  x 2 = x 1 +7  y 2 = y 1  x 3  x 2  x 4 = x 3  y 4 =7  x 5  x 4 Rely/Guarantee Reasoning {x  x} x := x + 7; y:=7   x 5 >0 {x  0} {x>0}

9 Rely/Guarantee Reasoning(2) {x  x} {x  0} x := x + 7; y:=7 {x>0} x =x+7  y=y  x  x  x =x  y=7  x  x

10 Hoare vs. Rely/Guarantee Reasoning {P} c {Q} {P} c {Q} {P} c {Q} R*R* G R*R* G R*R* G

11 The rest of the lecture Operations on relations (Informal) Semantics of Rely/Guarantee A sound Rely/Guarantee inference rules

12 From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if –p  R  p – ,  : p(  )  R( ,  )  p(  )

13 Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * =ID  R  (R;R)  (R;R;R)  … 

14 Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

15 Informal Semantics c  (p, R, G, Q) –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

16 A Formal Semantics Let  c  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –as usual  4 =  when c does not terminate  c  R = { :   :  R  (  *  2   2 =  3 =  4    ’, c’:  *  ( ((  2 =  1   2 =  )  (  3 =   3 =  ’)   4 =  )    c’  R ) c  (p, R, G, Q) –For every   c  R such that  1  p  G If  4   :  Q

17 Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

18 A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

19 Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness –If c  (p, R, G, Q) then c  (p, R, G, Q)

20 Atomic Command {p} c {Q} atomic {c}  (p, preserve(p), Q  ID, Q) (Atomic)

21 Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

22 Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

23 Conditionals c 1  (p  b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (p  b 2, R, G, Q) p   b  R*  b 2

24 Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

25 Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

26 Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

27 A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

28 OddSearch  (OS, R O, G O, OS  j  min(et, ot)) R E =i =i  ot  ot  et =etG E =j =j  et  et  ot =ot R E  Preserve(ES) et :=i  (ES  i 0, R E, G E, ES) i :=i+2  (ES  i< et)  x(i)  0, R E, G E, ES) ES  i 0  R E *  x(i) >0ES  i < et  x(i)  0  R E *  x(i)  0 if (x(i) >0) …  (ES  i<et), R E, G E, ES) (IF) EvenSearch  (ES, R E, G E, ES  i  min(et, ot)) (WHILE) G o =R E R O =G E EvenSearch||OddSearch  (ES  OS, R E  R O, G E  G O, ES  OS  i  min(et, ot)  j  min(et, ot)) (PAR) ES  i<min(et, ot)  R E *  i<et

29 Auxiliary in Owicky-Gries {X = Y} X := X + 1 || Y := Y+1 {X=Y}

30 Issues in R/G Total correctness is trickier Restrict the structure of the proofs –Sometimes global proofs are preferable Many design choices –Transitivity and Reflexivity of Rely/Guarantee –No standard set of rules Suitable for designs

31 Summary Reasoning about concurrent programs is difficult Oweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure –The use of auxiliary variables can make proofs difficult –Can have difficulties with fine-grained concurrency Benign dataraces Rely/Guarantee style allows more elegant/general reasoning –Compositional –Local –Adapts to the complexity of the proof –Soundness is simple –Naturally handles libraries and missing code

Download ppt "Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Axiomatic Semantics Dr. M Al-Mulhem ICS535-091.

Axiomatic Semantics Dr. M Al-Mulhem ICS
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

Similar presentations

Ads by Google