Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verifying a Wait Free Register Algorithm Using Assertional Reasoning Xu Qiwen Faculty of Science and Technology University of Macau.

Published byReynold Phillips Modified over 9 years ago

Similar presentations

Presentation on theme: "Verifying a Wait Free Register Algorithm Using Assertional Reasoning Xu Qiwen Faculty of Science and Technology University of Macau."— Presentation transcript:

1 Verifying a Wait Free Register Algorithm Using Assertional Reasoning Xu Qiwen Faculty of Science and Technology University of Macau

2 Read and Write Conflict (Race) If read and write operations are performed on the same memory cell at the same time, read operation may obtain an erroneous value.

3 Avoiding Race One cell, waiting needed More cells, wait free possible write read write read 2 cells, read and write different cells, but read and write have no relations (read should read values written by write) 4 cells, read can read a cell that has been written recently but Currently not written

4 Simpson 4 Slot Algorithm Write Read loop loop a-2: Wp = ! r b-3: Rp = l a-1: Wi = ! Li [ Wp ] b-2: r = Rp a: Cells [ Wp ] [ Wi ] = value b-1: Ri = Li [ Rp ] a+1: Li [ Wp ] = Wi b: y=Cells [ Rp ] [Ri ] a+2: l = Wp

5 Recent Work on Verifying Register Algorithms Separation Logic. Quite complicated.

6 Model and Reason about Race Suppose R 1 (X), W 1 (X), R 2 (X), W 2 (X), are read and write operations from 2 processors Consider all execution sequences by interleaving ………….(a:R 1 (X))…(b:R 2 (X))………. no conflict …………. (a:R 1 (X))...(b:W 2 (X))………. conflict …………. (a:W 1 (X))...(b:R 2 (X))………. conflict …………. (a:W 1 (X))…(b:W 2 (X))……… conflict A program is race free if any interleaving of the operations contains no state in which location variables of two processors are at a conflicting pair of operations.

7 Model and Reason about Race Suppose O 1 (X), O 2 (Y), are two operations from 2 processors at locations a and b, the location variables of the two processors areαandβ For any interleaving of operations …………. (a:O 1 (X))… (b:O 2 (Y))……. If O 1 (X) and O 2 (Y) are read/write, write/write pairs, then X and Y must be distinct (α=a  β=b)  X  Y should be an invariant

8 Assertional Methods Floyd 1967 Assigning meanings to programs Hoare Logic 1969 An axiomatic basis for computer programming { P[e/x] } x:=e { P } { true } x:=1 { x=1 } { x=0 } x:=x+1 { x=1 } { x>0 } x:=x+1 { x>1 }

9 Race Freedom for Simpson Algorithm a: Cells [ Wp ] [ Wi ] = value b: y=Cells [ Rp ] [Ri ] Invariant (α=a  β=b)  ( Wp  Rp  Wi  Ri )

10 Verification of Invariant (Global Method) init  inv { inv } Op { inv } for any operation Op inv is an invariant This rule cannot be used to prove all invariants. { inv } Op { inv } ( we say inductive ) may not hold for any operation Op, ie, inv may not be inductive.

11 Verification of Simpson 4 Slot Algorithm (Global method) a-2: Wp = ! r b-3: Rp = l a-1: Wi = ! Li [ Wp ] b-2: r = Rp a: Cells [ Wp ] [ Wi ] = value b-1: Ri = Li [ Rp ] a+1: Li [ Wp ] = Wi b: y=Cells [ Rp ] [Ri ] a+2: l = Wp α=a  ( Wi  Li [ Wp ] ) is invariant, can be proved by the rule β=b  ( Ri = Li [ Rp ] ) is not invariant (α=a  β=b)  ( Wp  Rp  Wi  Ri ) are invariants, β=b  ( r = Rp ) but cannot be proved by the rule

12 Additional Rules inv’  inv inv’ is an invariant inv is an invariant ( Consequence ) inv, inv’ are invariants inv  inv’ is an invariant

13 Verification of Simpson 4 Slot Algorithm (Global method) To prove (α=a  β=b)  ( Wp  Rp  Wi  Ri) invariant, by using the fact α=a  ( Wi  Li [ Wp ] ), β=b  ( r = Rp ) are invariants, it is enough to prove (α=a  β=b)  ( Wp  r  Ri = Li [ Rp ] ) invariant. Close enough, but still not inductive. Finally ((α=a-1  α=a)  β=b)  ( Wp  r  Ri = Li [ Rp ] ) is inductive.

14 Verification of Simpson 4 Slot Algorithm (Assertional Network Method) a-2: Wp = ! r b-3: Rp = l a-1: Wi = ! Li [ Wp ] b-2: r = Rp { Wi  Li [ Wp ] { r = Rp }  β=b  ( Wp  r  Ri = Li [ Rp ] ) } a: Cells [ Wp ] [ Wi ] = value b-1: Ri = Li [ Rp ] a+1: Li [ Wp ] = Wi b: y=Cells [ Rp ] [Ri ] a+2: l = Wp

15 Owicki & Gries Method Any triple { p } S { q } in each processor should be correct just like usual sequential Hoare logic. For each assertion p in one processor, the execution of any operation of the other processor will maintain the assertion. This is called interference freedom. Suppose the other operation is Op, executed under precondition q, p is maintained if { p  q } Op { p } interference freedom test

16 Conclusion and Future Work Traditional assertional methods seem to be able to verify register algorithm quite well. Future Work 1) Study more complicated algorithms 2) Verify more properties Data Freshness

17 Expressing Data Freshness Write Read counter=0 loop loop counter=counter +1 FinishedW=LastW a-2: Wp = ! r b-3: Rp = l a-1: Wi = ! Li [ Wp ] b-2: r = Rp a: Cells [ Wp ] [ Wi ] = value b-1: Ri = Li [ Rp ] C [ Wp ] [ Wi ] = counter b: y=Cells [ Rp ] [Ri ] RC=C [ Rp ] [ Ri ] a+1: Li [ Wp ] = Wi { RC>=max(LastR,FinishedW) } a+2: l = Wp LastR=RC LastW=counter

18 References R.W. Floyd. Assigning meanings to programs Proceedings of the Symposium on Applied Math, 1967 C.A.R. Hoare An axiomatic basis for computer Programming. Communications of the ACM, 12(1969) 576-580. L. Lamport. On Interprocess Communication Part I: Formalism; Part II: Algorithms. Distributed Computing 1 2(1986), 77-101.

19 References H. Simpson. Four-slot fully asychronous communication mechanism. IEE Proceedings 137 Part E(1) (January 1990), 17-30. S. Owicki and D. Gries. An Axiomatic Proof Technique for Parallel Programs I. Acta Inf. 6: 319-340 (1976)

Download ppt "Verifying a Wait Free Register Algorithm Using Assertional Reasoning Xu Qiwen Faculty of Science and Technology University of Macau."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.

A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.
CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.

CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.

Similar presentations

Ads by Google