Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

Similar presentations


Presentation on theme: "A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology."— Presentation transcript:

1 A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology of China

2 Compilers for concurrent programs Concurrent program transformations: Target code Source code T Multithreaded Java programs Java bytecode

3 Compilers for concurrent programs Fine-grained impl. of algorithms & objects local d,t; d = 0; while(d==0){ t = x; d = cas(&x, t, t+1); } Impl. of x++; x++; T Concurrent program transformations:

4 Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) – Atomic block (transaction)  fine-grained impl. Concurrent program transformations:

5 Compilers for concurrent programs Fine-grained impl. of algorithms & objects Impl. of software transactional memory (STM) Impl. of concurrent garbage collectors (GC) How to verify such a transformation T ? Concurrent program transformations:

6 How to define correctness of T ? O C T Print a rectangle. Print a square. Print a triangle.  T: Source  Target O  C: O has no more observable behaviors (e.g. I/O events by print(…) ) than C. OC refinement

7 Correct(T):  C, O. O = T(C)  O  C How to define correctness of T ? T: Source  Target O  C: O has no more observable behaviors (e.g. I/O events by print(…) ) than C.

8 (Compositionality) O1 || O2  Correct(T):  C, O. O = T(C)  O  C C1 || C2 O1C1  O2C2   T(C)  C for trans. unit C  To verify a concurrent program transformation T :

9  is NOT compositional w.r.t. parallel composition: O1  C1O2  C2 O1 || O2  C1 || C2  O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C, since output (O)  output (C) ; but we do NOT have O || O  C || C.

10 RGSim = Rely/Guarantee + Simulation Compositional w.r.t. parallel composition A proof theory for verifying T – Stronger than O  C – Applications: optimizations, fine-grained obj., concurrent GC, … Our contribution:

11 Background: simulation in CompCert (O,  ) (C,  )(C’,  ’) (O’,  ’) * (C’’,  ’’) (O’’,  ’’) e e * … …   [Leroy et al.] Source state Target state observable event (e.g. I/O)

12 O: local t; t = x; x = t + 1; print( x ); C: x++; print( x ); We have O  C, but not O || O  C || C Simulation in CompCert [Leroy et al.] Can verify T for sequential programs  NOT compositional w.r.t. parallel composition

13 Simulation in CompCert [Leroy et al.] Can verify T for sequential programs  NOT compositional w.r.t. parallel composition  Consider NO environments Simulation in process calculus (e.g. CCS [Milner et al.]) Assume arbitrary environments Compositional  Too strong: limited applications

14 … (O’,  ’’)(O’’,  ’’’) (C’,  ’’) * (C’’,  ’’’) … ’’ ’’ e e Assuming arbitrary environments env  Too strong to be satisfied, since env. can be arbitrarily bad. (O,  )(O’,  ’) (C,  ) (C’,  ’) * ’’ ’’ In practice, T has assumptions about C & env.

15 T has assumptions about source code Compilers for concurrent programs – Prog. with data races has no semantics (e.g. concurrent C++) – Not guarantee correctness for racy programs Fine-grained objects – Accesses use same primitives (e.g. stack: push & pop) – Not guarantee correctness when env. can destroy obj. More examples are in the paper … Env. of a thread cannot be arbitrarily bad ! [Boehm et al. PLDI’08]

16 Problems of existing simulations : Our RGSim : Considers no env. in CompCert [Leroy et al.]  NOT compositional w.r.t. parallel composition Assumes arbitrary env. in process calculus (e.g. [Milner et al.])  Too strong: limited applications Parameterized with the interference with env. Compositional More applications Use rely/guarantee to specify the interference

17 What is rely/guarantee? [Jones'83] r: acceptable environment transitions g: state transitions made by the thread Thread1Thread2 Nobody else would update x I guarantee I would not touch y Nobody else would update y I guarantee I would not touch x Compatibility (Interference Constraints): g2  r1 and g1  r2 r1:  x = x’ ’’ r2:  y = y’ ’’ g1:  y = y’ ’’ g2:  x = x’ ’’

18 (O,  ) (C,  )(C’,  ’) (O’,  ’) * (C’’,  ’’’) (O’’,  ’’’) e e * … … * R r G g G g RGSim = Rely/Guarantee + Simulation ≲ ≲ ≲ (C’,  ’’) (O’,  ’’) ≲ (O, r, g) ≲ (C, R, G)

19 Soundness theorem (O, r, g) ≲ (C, R, G) If we can find r, g, R and G such that then we have: O  C

20 Parallel compositionality ( O 1 || O 2, r 1  r 2, g 1  g 2 ) ≲ ( C 1 || C 2, R 1  R 2, G 1  G 2 ) ( O 2, r 2, g 2 ) ≲ ( C 2, R 2, G 2 ) ( O 1, r 1, g 1 ) ≲ ( C 1, R 1, G 1 ) g 1  r 2 g 2  r 1 G 1  R 2 G 2  R 1 (PAR)

21 More on compositionality (O 1, r, g) ≲ (C 1, R, G)(O 2, r, g) ≲ (C 2, R, G) (O 1 ; O 2, r, g) ≲ (C 1 ; C 2, R, G) (O, r, g) ≲ (C, R, G) b  B (while b do O, r, g) ≲ (while B do C, R, G) An axiomatic proof system for verifying T …

22 We have applied RGSim to verify … Optimizations in parallel contexts – Loop invariant hoisting, strength reduction and induction variable elimination, dead code elimination, … Fine-grained impl. & concurrent objects – Lock-coupling list, impl. of x++, Treiber’s non-blocking stack, concurrent GCD algorithm, … Concurrent garbage collectors – A general GC verification framework – Hans Boehm’s concurrent GC [Boehm et al. 91]

23 Application: concurrent GC verification read x…write x, v…alloc… Programmer’s view of execution: Real execution: rB(x)…wB(x, v)…aB()… || GC code || AbsGC Turns garbage into reusable memory T Concurrent GC impl. = Barriers + GC code How to define Correct(GC) ?  C. T(C) || GC code  C || AbsGC Reduce to Correct(T) !

24 A concurrent GC verification framework T(C) || GC code  C || AbsGC   &  [Jones’83]  We have verified Hans Boehm’s concurrent GC algo [Boehm et al. 91] (T(C) || GC code, r’’, g’’) ≲ (C || AbsGC, R’’, G’’) (T(C), r’, g’) ≲ (C, R’, G’)(GC code, r, g) ≲ (AbsGC, R, G) (rB(x), r’, g’) ≲ (read x, R’, G’) (wB(x, v), r’, g’) ≲ ((write x, v), R’, G’) (aB(), r’, g’) ≲ (alloc, R’, G’) r, g ⊦ {p} GC code{q} Compositionality  C. g ≲ G

25 Conclusion RGSim = Rely/Guarantee + Simulation – Idea: parameterized with interference with env. – Compositional! A proof theory for verifying T – Optimizations, fine-grained obj., concurrent GC, …


Download ppt "A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology."

Similar presentations


Ads by Google