Download presentation
Presentation is loading. Please wait.
1
VPERM: Variable Permissions for Concurrency Verification Duy-Khanh Le, Wei-Ngan Chin, Yong-Meng Teo ICFEM, Kyoto, Japan, Nov 2012
2
Outline Motivation & Example Formalism Programming & Specification Language Verification by Entailment Checking Inferring Variable Permissions Eliminating Variable Aliasing Applicability Experiment Conclusion 2 VPERM: Variable Permissions for Concurrency Verification
3
Motivation Access permissions attracted much attention for reasoning about shared heap data structures State-of-the-art verification tools ignore program variables or apply the same permission system, designed for heap memory, to variables However, variables are simpler than heap data structures: each variable is distinct Need a simpler reasoning scheme for variables 3 VPERM: Variable Permissions for Concurrency Verification
4
Related Work VPERM: Variable Permissions for Concurrency Verification 4 Expressiveness Variables as Resource [Bornat et al. 2006] Logic + complex permissions Syntactic Control of Inference [Reddy et al. 2012] Syntactic + complex permissions Smallfoot [Berdine et al. 2006] Syntactic + simple Our Variable Permissions (VPERM) Logic + simple Complexity
5
Related Work Permission systems for variables Variables as resources [1] & syntactic control of inference [2] User fractional/counting permissions to allow sharing Though flexible, this places higher burden on programmers to figure out the fraction used Verification systems for concurrency Smallfoot [3] uses side conditions to outlaw conflicting accesses Chalice [4] does not support permission of variables in method’s bodies Verifast [5] treats variables as heap locations 5 VPERM: Variable Permissions for Concurrency Verification
![Related Work Permission systems for variables Variables as resources [1] & syntactic control of inference [2] User fractional/counting permissions to allow sharing Though flexible, this places higher burden on programmers to figure out the fraction used Verification systems for concurrency Smallfoot [3] uses side conditions to outlaw conflicting accesses Chalice [4] does not support permission of variables in method’s bodies Verifast [5] treats variables as heap locations 5 VPERM: Variable Permissions for Concurrency Verification](http://images.slideplayer.com./32/9932868/slides/slide_5.jpg "Related Work Permission systems for variables Variables as resources [1] & syntactic control of inference [2] User fractional/counting permissions to allow sharing Though flexible, this places higher burden on programmers to figure out the fraction used Verification systems for concurrency Smallfoot [3] uses side conditions to outlaw conflicting accesses Chalice [4] does not support permission of variables in method’s bodies Verifast [5] treats variables as heap locations 5 VPERM: Variable Permissions for Concurrency Verification")
6
Objective Propose a simple permission system to ensure data-race freedom when accessing variables 6 VPERM: Variable Permissions for Concurrency Verification
7
A Motivating Example void main() { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) { i=i+j; } int creator(ref int x,ref int y) { int tid; tid=fork(inc,x,1); inc(y,2); return tid; } 1.Any accesses to x after fork and before join are unsafe (racy) 2.How to propagate the above fact across procedure boundaries pass-by-refpass-by-value 7 VPERM: Variable Permissions for Concurrency Verification
8
A Motivating Example with Specifications void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid & thread=main and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 8 VPERM: Variable Permissions for Concurrency Verification implicit
9
A Motivating Example with Specifications void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 9 VPERM: Variable Permissions for Concurrency Verification
10
A Motivating Example with VPERM void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } int creator(ref int x, ref int y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and @full[x] & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread child thread 10 VPERM: Variable Permissions for Concurrency Verification
11
A Motivating Example with VPERM int creator(ref int x, ref int y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and @full[x] & x'=x+1 & thread=tid; { int id;// @full[x,y] & x’=x & y’=y & id’=0 id=fork(inc,x,1);// @full[y] & y’=y & id’=tid // and @full[x] & x'=x+1 & thread=tid; inc(y,2); // @full[y] & y’=y+2 & id’=tid // and @full[x] & x'=x+1 & thread=tid; return id; // @full[y] & y’=y+2 & id’=tid & res=tid // and @full[x] & x'=x+1 & thread=tid; } void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } main thread and child thread int creator(ref int x, ref int y) { int id; id=fork(inc,x,1); inc(y,2); return id; } 11 VPERM: Variable Permissions for Concurrency Verification
12
A Motivating Example with VPERM void main() requires true ensures true; { int id;// @full[id] int x,y;// @full[id,x,y] x=0;y=0;// @full[id,x,y] id = creator(x,y);// @full[id,y] and @full[x] …// @full[id,y] and @full[x] join(id); // @full[id,x,y] assert (x+y=3);// @full[id,x,y] } void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } int creator(ref int x, ref int y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and @full[x] & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void main() requires true ensures true; { int id; int x,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } 12 VPERM: Variable Permissions for Concurrency Verification
13
Programming Language 13 VPERM: Variable Permissions for Concurrency Verification
14
Specification Language 14 VPERM: Variable Permissions for Concurrency Verification
15
Variable Permissions Two key annotations for variable permissions @full[w*] In a pre-condition w* is a list of pass-by-ref variables variable permissions are passed from caller to callee In a post-condition variable permissions are returned from callee to caller @value[w*] In a pre-condition w* is a list of pass-by-value variables Not exist in post-conditions 15 VPERM: Variable Permissions for Concurrency Verification
16
Verification by Entailment Checking 16 VPERM: Variable Permissions for Concurrency Verification
17
Entailment Rules for VPERM 17 VPERM: Variable Permissions for Concurrency Verification
18
Soundness Proofs are in the paper 18 VPERM: Variable Permissions for Concurrency Verification
19
Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } V post = {x,y} @full[y], V post = {x} 19 VPERM: Variable Permissions for Concurrency Verification
20
Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } @full[x], V post = {} @full[y], V post = {x} 20 VPERM: Variable Permissions for Concurrency Verification
21
Inferring Variable Permissions int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } @full[x,y] V pre = {x,y} @full[x] @full[y] 21 VPERM: Variable Permissions for Concurrency Verification
22
Inferring Variable Permissions (*) Algorithm and Soundness in the paper int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } @full[x,y] @full[x] @full[y] 22 VPERM: Variable Permissions for Concurrency Verification
![Inferring Variable Permissions (*) Algorithm and Soundness in the paper int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x =x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return @full[y] 22 VPERM: Variable Permissions for Concurrency Verification](http://images.slideplayer.com./32/9932868/slides/slide_22.jpg "Inferring Variable Permissions (*) Algorithm and Soundness in the paper int creator(ref int x, ref int y) requires true ensures y’=y+2 & res=tid and x =x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return @full[y] 22 VPERM: Variable Permissions for Concurrency Verification")
23
Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);...//accesses to *p are racy join(id); } void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } 23 VPERM: Variable Permissions for Concurrency Verification
![Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);...//accesses to *p are racy join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } 23 VPERM: Variable Permissions for Concurrency Verification](http://images.slideplayer.com./32/9932868/slides/slide_23.jpg "Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);...//accesses to *p are racy join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } 23 VPERM: Variable Permissions for Concurrency Verification")
24
Eliminating Variable Aliasing void main() { int x = 0; // @full[x] int ∗ p = &x; // @full[x,p] int id;// @full[x,p,id] id = fork(inc, x, 1); // @full[p,id]...// @full[p,id] join(id); // @full[x,p,id] } void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);... join(id); } still have permission to access p and indirectly x Solution: a translation to eliminate * and & 24 VPERM: Variable Permissions for Concurrency Verification
![Eliminating Variable Aliasing void main() { int x = 0; int ∗ p = &x; int id = fork(inc, x, join(id); } void inc(ref int i, int j) [i] [i] ∧ i’=i+j; { i = i + j; } void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);...](http://images.slideplayer.com./32/9932868/slides/slide_24.jpg "join(id); } still have permission to access p and indirectly x Solution: a translation to eliminate * and & 24 VPERM: Variable Permissions for Concurrency Verification.")
25
Translation Scheme void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1);... join(id); } void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } void main() { int_ptr x = new int_ptr(0); int_ptr p = x; int id; id = fork(inc, x, 1);... join(id); delete(x); } void inc(int_ptr i, int j) requires i::int_ptr & @value[i,j] ensures i::int_ptr & new_i=old_i+j; { i.val = i.val + j; } promote (*) details are in the paper 25 VPERM: Variable Permissions for Concurrency Verification
26
Applicability Pthread pthread_create requires a single pointer to heap memory Cilk More flexible, either pass-by-ref or pass-by- value Vperm Passing the pointer by value when fork Pass-by-ref and pass- by-value 26 VPERM: Variable Permissions for Concurrency Verification
27
Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } 27 VPERM: Variable Permissions for Concurrency Verification
28
Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } void fib(int n, ref int result) requires @value[n] & @full [result] & n>=0 ensures @full [result] & fiba(n, result ); { if (n<=1){ result = n; } else{ int x, y; int id1 = fork(fib,n−1, x); int id2 = fork(fib,n−2, y); … // cannot access x and y join(id1); join(id2); result=x+y; } } 28 VPERM: Variable Permissions for Concurrency Verification
![Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } void fib(int n, ref int result) [result] & n>=0 [result] & fiba(n, result ); { if (n<=1){ result = n; } else{ int x, y; int id1 = fork(fib,n−1, x); int id2 = fork(fib,n−2, y); … // cannot access x and y join(id1); join(id2); result=x+y; } } 28 VPERM: Variable Permissions for Concurrency Verification](http://images.slideplayer.com./32/9932868/slides/slide_28.jpg "Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } void fib(int n, ref int result) [result] & n>=0 [result] & fiba(n, result ); { if (n<=1){ result = n; } else{ int x, y; int id1 = fork(fib,n−1, x); int id2 = fork(fib,n−2, y); … // cannot access x and y join(id1); join(id2); result=x+y; } } 28 VPERM: Variable Permissions for Concurrency Verification")
29
Experiments 29 VPERM: Variable Permissions for Concurrency Verification Download or try VPERM online at http://loris-7.ddns.comp.nus.edu.sg/~project/vperm/ Trade-off: higher verification time (machine effort) BUT less manual annotation (human effort).
30
Conclusion A simple permission system for variables Simple to understand Simple to reason about Simple to infer Expressive enough to capture real-world programming languages such as Pthreads, Cilk Feasible to incorporate into a tool VPERM Experiments show less annotation overheads compared to state-of-the-art 30 VPERM: Variable Permissions for Concurrency Verification
31
THANK YOU END Q&A 31 VPERM: Variable Permissions for Concurrency Verification leduykha@comp.nus.edu.sg Download or try VPERM online at http://loris-7.ddns.comp.nus.edu.sg/~project/vperm/
32
Limitations Phased Accesses to Shared Variables Read outside a critical region but write inside a critical region This requires partial permissions BUT we could use pseudo-heap locations for this type of complex reasoning VPERM: Variable Permissions for Concurrency Verification 32
33
Phased Accesses inv := @full[x] & @half[a,b] & x=a+b; int x=0; int a = 0; int b = 0; lock l; //@full[x,a,b,l] init(l); //@full[l] & half[a,b] // l is passed by value to child thread //full[l] & half[a] acquire(l); //full[l,x,a] & half[b] x = x +1; a = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] //@full[l] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap
![Phased Accesses inv & x=a+b; int x=0; int a = 0; int b = 0; lock l; init(l); & half[a,b] // l is passed by value to child thread //full[l] & half[a] acquire(l); //full[l,x,a] & half[b] x = x +1; a = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap](http://images.slideplayer.com./32/9932868/slides/slide_33.jpg "Phased Accesses inv & x=a+b; int x=0; int a = 0; int b = 0; lock l; init(l); & half[a,b] // l is passed by value to child thread //full[l] & half[a] acquire(l); //full[l,x,a] & half[b] x = x +1; a = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap")
34
Phased Accesses inv := @full[x] & x=a.val+b.val; int x=0; int_ptr a = new int_ptr(0); int_ptr b = new int_ptr(0); lock l; //@full[x,a,b,l] init(l); //@full[l] & half[a,b] // l,a,b is passed by value to child thread //a::int_ptr(1/2)<> & full[l,a] acquire(l); //full[l,x,a] & half[b] x = x +1; a.val = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b.val = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] //@full[l] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap
![Phased Accesses inv & x=a.val+b.val; int x=0; int_ptr a = new int_ptr(0); int_ptr b = new int_ptr(0); lock l; init(l); & half[a,b] // l,a,b is passed by value to child thread //a::int_ptr(1/2)<> & full[l,a] acquire(l); //full[l,x,a] & half[b] x = x +1; a.val = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b.val = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap](http://images.slideplayer.com./32/9932868/slides/slide_34.jpg "Phased Accesses inv & x=a.val+b.val; int x=0; int_ptr a = new int_ptr(0); int_ptr b = new int_ptr(0); lock l; init(l); & half[a,b] // l,a,b is passed by value to child thread //a::int_ptr(1/2)<> & full[l,a] acquire(l); //full[l,x,a] & half[b] x = x +1; a.val = 1; //full[l,x,a] & half[b] release(l); //full[l] & half[a] //full[l] & half[b] acquire(l); //full[l,x,b] & half[a] x = x +1; b.val = 1; //full[l,x,b] & half[a] release(l); //full[l] & half[b] & half[a,b] assert(x’=2); For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap")
35
Verification by Entailment Checking (Full) 35 VPERM: Variable Permissions for Concurrency Verification
36
Background Heap vs stack A stack variable x pointing to A heap location containing an integer E.g. int_ptr x = new int_ptr(1); Separation logic Fractional permissions How about program (stack) variables? VPERM: Variable Permissions for Concurrency Verification 36 {x 2 * y 2} [x]=3 {x 3 * y 2} x1x1 {x 2 * x 2} {x 2} 0.5 1.0
37
Background Heap vs stack A stack variable x pointing to A heap location containing an integer 1 E.g. int_ptr x = new int_ptr(1); Hoare’s logic Separation logic Fractional permissions VPERM: Variable Permissions for Concurrency Verification 37 {x 2 /\ y 2} x=3 {x 3 /\ y 2} {x 2 * y 2} x=3 {x 3 * y 2} what if x and y aliased ??? no alias ok x1x1 {x 1 /\ y 2} x=3 {x 3 /\ y 2} {x 2 * x 2} {x 2}
Similar presentations
