Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv

An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

Interference A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if: –{q  pre(T) } T {q} –For any command c’ inside c with a precondition pre(c’) {pre(c’)  pre(T) } T {pre(c’)} {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free if for every i  j and for every assignment in T in c i does not interfere with {p j } c j {q j }

Parallel Composition Rule {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } {p 1  p 2  … p k } cobegin c 1 || c 2 || …|| c k coend {q 1  q 2  …  q k } {p 1 }q 1 {q 1 } {p 2 } c 2 {q 2 }.. {p k } c k {q k } are interference free

Limitations of the Owicky & Gries proof rules Checking interference can be hard –Non-compositionality Until you finished the local proofs cannot check interference A non-standard meaning of Hoare triples –Depends on the interference of other threads with the proof –Proofs need to be saved –Hard to handle libraries and missing code –Soundness is non-trivial Completeness depends on auxiliary variables

Commands as relations It is convenient to view the meaning of commands as relations between pre-states and post-states In {p} C {Q} –p is a one state predicate –Q is a two-state predicate Example –{true} x := x + 1 {x= x + 1}

Global Reasoning {x  0} x := x + 1; y := 1 {x >0} {x  0} x := x + 2; y := 2 {x >0} {x  0} x := x + 200; y := 200 {x >0} …  

x 0  0  x 1  x 0  x 2 = x 1 +7  y 2 = y 1  x 3  x 2  x 4 = x 3  y 4 =7  x 5  x 4 Rely/Guarantee Reasoning {x  x} x := x + 7; y:=7   x 5 >0 {x  0} {x>0}

Rely/Guarantee Reasoning(2) {x  x} {x  0} x := x + 7; y:=7 {x>0} x =x+7  y=y  x  x  x =x  y=7  x  x

Hoare vs. Rely/Guarantee Reasoning {P} c {Q} {P} c {Q} {P} c {Q} R*R* G R*R* G R*R* G

The rest of the lecture Operations on relations (Informal) Semantics of Rely/Guarantee A sound Rely/Guarantee inference rules

From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if –p  R  p – ,  : p(  )  R( ,  )  p(  )

Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * =ID  R  (R;R)  (R;R;R)  … 

Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

Informal Semantics c  (p, R, G, Q) –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] –For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

A Formal Semantics Let  c  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –as usual  4 =  when c does not terminate  c  R = { :   :  R  (  *  2   2 =  3 =  4    ’, c’:  *  ( ((  2 =  1   2 =  )  (  3 =   3 =  ’)   4 =  )    c’  R ) c  (p, R, G, Q) –For every   c  R such that  1  p  G If  4   :  Q

Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness –If c  (p, R, G, Q) then c  (p, R, G, Q)

Atomic Command {p} c {Q} atomic {c}  (p, preserve(p), Q  ID, Q) (Atomic)

Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

Conditionals c 1  (p  b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (p  b 2, R, G, Q) p   b  R*  b 2

Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

OddSearch  (OS, R O, G O, OS  j  min(et, ot)) R E =i =i  ot  ot  et =etG E =j =j  et  et  ot =ot R E  Preserve(ES) et :=i  (ES  i 0, R E, G E, ES) i :=i+2  (ES  i< et)  x(i)  0, R E, G E, ES) ES  i 0  R E *  x(i) >0ES  i < et  x(i)  0  R E *  x(i)  0 if (x(i) >0) …  (ES  i<et), R E, G E, ES) (IF) EvenSearch  (ES, R E, G E, ES  i  min(et, ot)) (WHILE) G o =R E R O =G E EvenSearch||OddSearch  (ES  OS, R E  R O, G E  G O, ES  OS  i  min(et, ot)  j  min(et, ot)) (PAR) ES  i<min(et, ot)  R E *  i<et

Auxiliary in Owicky-Gries {X = Y} X := X + 1 || Y := Y+1 {X=Y}

Issues in R/G Total correctness is trickier Restrict the structure of the proofs –Sometimes global proofs are preferable Many design choices –Transitivity and Reflexivity of Rely/Guarantee –No standard set of rules Suitable for designs

Summary Reasoning about concurrent programs is difficult Oweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure –The use of auxiliary variables can make proofs difficult –Can have difficulties with fine-grained concurrency Benign dataraces Rely/Guarantee style allows more elegant/general reasoning –Compositional –Local –Adapts to the complexity of the proof –Soundness is simple –Naturally handles libraries and missing code