Program Analysis and Verification Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Good manners Mobiles

Home Work Assignment #1 & #2 #1 due today – Modulo justified extensions #2 Wednesday – Due lesson 10

Axiomatic Semantics (Hoare Logic) Programming Language – Syntax ( skip | S 1 ; S 2 | … ) – Semantics (e.g., states ∑ + Stmts  C, s   s) Assertions – Syntax ( x = 3 | x < y + a | …) – Semantics (P ⊆ ∑ alt. s  p P) Judgments – {P} C {Q}, [P] C [Q] –  p {P} C {Q} :  s, s’  . (s  p P   C, s   s’)  s’  p Q) Inference rules Proofs

Axiomatic semantics for While { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

Factorial proof W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

Soundness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q }

Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is relatively complete: –  p { P } C { Q } implies  p { P } C { Q } ∀ A,B. A ⇒ B Assertion language is expressive enough

While + Concurrency Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | cobegin S 1 ‖ … ‖ S n coend

Proofs {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } { P 1 } S 1 { Q 2 } { P 2 } S 2 { Q 2 } … … … Challenge: Interference

Disjoint Parallelism {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } { P 1 } S 1 { Q 2 } { P 2 } S 2 { Q 2 } FV(P 1,S 1,Q 1 ) ∩ FV(P 2,S 2,Q 2 ) = ∅

Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 }

Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } I ⊢ { P } S 1 ; S 2 { R } I ⊢ { P } S 1 { Q } I ⊢ { Q } S 2 { R }

Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } I ⊢ { P } S 1 ; S 2 { Q } I ⊢ { P } S 1 { R } I ⊢ { R } S 2 { Q } I ⊢ { P } S { Q } { P Λ I } S { Q Λ I }

Owicky-Gries A command C with a precondition pre(C) does not interfere with the proof of {P} S {Q} if: – {Q  pre(C) } C {Q} – For any S’ “ ∈ ” S: {pre(S’)  pre(C) } C {pre(S’)} {P 1 } C 1 {Q 1 }... {P k } C k {Q k } are interference free if ∀ i  j and ∀ x:=a “ ∈ ” C i, x:=a does not interfere with {P j } C j {Q j }

Parallel Composition Rule I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } {P 1 } C 1 {Q 1 }... {P k } C k {Q k } are interference free

Owicky-Gries: Limiations Checking interference can be hard – Non-compositionality Until you finished the local proofs cannot check interference Proofs need to be “saved” – Hard to handle libraries and missing code A non-standard meaning of Hoare triples – Depends on the interference of other threads with the proof – Soundness is non-trivial Completeness depends on auxiliary variables

Rely / Guarantee Aka assume Guarantee Cliff Jones Main idea: Modular capture of interference – Compositional proofs

Commands as relations It is convenient to view the meaning of commands as relations between pre-states and post-states In {P} C {Q} – P is a one state predicate – Q is a two-state predicate Recall auxiliary variables Example – {true} x := x + 1 {x= x + 1}

Intuition C G Hoare: { P } S { Q } ~ {P} ⇒⇒⇒⇒ {Q} C R/G: R,G ⊢ { P } S { Q } ~ {P} ⇒⇒⇒⇒⇒⇒⇒ {Q} G R R R G G

From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if – p  R  p – ,  : p(  )  R( ,  )  p(  )

Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * =ID  R  (R;R)  (R;R;R)  … 

Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

A Formal Semantics Let  C  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 – as usual  4 =  when c does not terminate  C  R = { :   :  R  (  *  2   2 =  3 =  4    ’, C’:  *  ( (  2 =  1   2 =  )  (  3 =    3 =  ’)   4 =  )    C’  R ) c  (p, R, G, Q) – For every   C  R such that  1  p  G If  4   :  Q

Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness – If c  (p, R, G, Q) then c  (p, R, G, Q)

Atomic Command {p} c {Q} atomic {c}  (p, preserve(p), Q  ID, Q) (Atomic)

Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

Conditionals c 1  (p  b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (p  b 2, R, G, Q) p   b  R*  b 2

Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

Issues in R/G Total correctness is trickier Restrict the structure of the proofs – Sometimes global proofs are preferable Many design choices – Transitivity and Reflexivity of Rely/Guarantee – No standard set of rules Suitable for designs