Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software Verification I Research is calling

Folie 3 H. Schlingloff, Software Verification I Parallelism increasing importance (multicore processors) in C, parallelism by multithreading  POSIX: pthread_create (name, function, args)  pthread_join, pthread_exit,... key issue: synchronization hard to understand, error-prone

Folie 4 H. Schlingloff, Software Verification I Concept Language we add the following new constructs to the language of while-programs  {  1 ||  2 } or, more generally, {  1 ||... ||  n }  await (b)  ; semantics  parallel (interleaved) execution of the  i  blocking wait until condition is satisfied; program fragment within await is noninterruptable for simplicity, assignments are atomic actions

Folie 5 H. Schlingloff, Software Verification I Examples int n=0; { for (int i = 0; i<100; i++) n++; || for (int i = 0; i<100; i++) n--; } int n=0; int l, r; {for (int i = 0; i<100; i++) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) {r=n; r--; n=r;}} int n=0; {for (int i = 0; i<100; i++) await (1) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) await (1) {r=n; r--; n=r;}}

Folie 6 H. Schlingloff, Software Verification I More Examples a=0; {a*=a; a-=5; || a=2*a+3; a=1-a;} a=0; {a++; || a--;} {a=0; a++; || a=0; a--} a=0; {await (a>=0); a++; || await (a<=0); a--} a=0; {await (a>=0) a++; || await (a<=0) a--}

Folie 7 H. Schlingloff, Software Verification I A realistic example a=n; b=0; c=1; { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } program calculates binomial coefficient

Folie 8 H. Schlingloff, Software Verification I Interleaving Semantics A state of the program consists of  an assignment of values to variables  a set of program counters (depending on the number of parallel components), and SOS-rules for parallel programs  if (U,I,V) ⊨ b and ( , V)  * (skip,V’), then (await (b) , V)  (skip,V’)  if (  1, V)  (  1 ’,V’), then ({  1 ||  2 }, V)  ({  1 ’ ||  2 },V’) if (  2, V)  (  2 ’,V’), then ({  1 ||  2 }, V)  ({  1 ||  2 ’},V’) ({skip || skip}, V)  (skip,V) In general, several possible executions! (tree of possibilities)

Folie 9 H. Schlingloff, Software Verification I A realistic example a=n; b=0; c=1;  :{  1: while (a!=n-k) {  2: c=c*a;  3: a--; }  4: ||  1: while (b!=k) {  2: b++;  3: await (a+b<=n);  4: c=c/b; }  5: }

Folie 10 H. Schlingloff, Software Verification I Deadlocks a=0; b=0; {await (a!=0) || await (b!=0)} a=0; b=0; {await (a==1) b=1 || await (b==1) a=1} prt=T; dsk=T; {await (prt) prt=F; await(dsk) dsk=F; foo; prt=T; dsk=T; || await (dsk) dsk=F; await(prt) prt=F; bar; prt=T; dsk=T;}

Folie 11 H. Schlingloff, Software Verification I Invariants for Parallel Programs Assume  is a formula such that {  }  {  } for every subprogram  of {  1 ||  2 }. Then {  } {  1 ||  2 } {  } Example: a=0;  : {a++;  : || a--;  :}  : Invariant a==0+  -  (or, more explicit: ( ¬  ¬  a==0   a==0   ¬  a==1  ¬  a==-1) ) int n=0; { for (int i = 0; i<100; i++) n++; || for (int j = 0; j<100; j++) n--;} Invariant n=i-j