Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and."— Presentation transcript:

1 On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and Zhong Shao

2 Motivation Concurrency verification is challenging! T1 T2 Exponential state space caused by interleaving of execution. Memory aliasing makes it harder to ensure non-interference. Modularity is the key!

3 Two kinds of modularity Control modularity –a.k.a. thread-modularity –each thread is verified independently of others Data modularity –a.k.a. information hiding –each thread only cares about data it uses

4 Existing work Assume-Guarantee (A-G) reasoning [Misra&Chandy’81, Jones’83] thread modularity general: no restriction over synchronization pattern  spec of A&G requires global data invariants Concurrent Separation Logic (CSL) [O’Hearn, Brookes 2004] thread modularity data modularity: local reasoning  restrictive synchronization pattern  shared resources can be accessed only inside critical regions

5 Our Contributions SAGL: combining CSL and A-G reasoning –extend A-G logic with local reasoning better data modularity (than A-G reasoning) thread modularity no restriction over synchronization pattern A formal study of the relationship between CSL and A-G reasoning

6 Outline of this talk Background –Concurrent Separation Logic –Assume-Guarantee reasoning SAGL: combination of CSL & A-G reasoning Interpretation of CSL in SAGL

7 Concurrent Separation Logic Assertions capture ownerships of resources Cannot access resource without ownership Shared resources are protected by critical regions (CRs) Transfer of ownership at boundary of CR l  n

8 CSL assertions l  n n l p  qp  q pq emp empty heap p  qp  q p  q

9 Locks and Critical Regions Lock-based critical regions (CR): l.acq(); … l.rel() Invariants about memory protected by locks:  = {l 1  r 1, …, l n  r n } r 1  rn rn l1l1 lnln

10 p1p1 (l2)(l2) p2p2 (l1)(l1) p1p1 (l2)(l2) (l1)  p2(l1)  p2 Concurrent Separation Logic p1p1 (l2)(l2) p2p2 (l1)(l1) l 1.acq() l 1.rel() … p1p1 (l2)(l2) (l1)  p2(l1)  p2

11 Example: List x …  = { l  List(x) } getNode(): l.acq(); … l.rel(); -{emp} -{emp * List(x)}; -{Node(y) * List(x)} -{Node(y)} x … y

12 Concurrent Separation Logic Thread modularity Data modularity by local reasoning –do not need knowledge of other threads’ data  Ownership transfer is bound with CRs –requires built-in critical regions –hard to support ad-hoc synchronizations  ┝ {p} C {q}

13 Outline of this talk Background –Concurrent Separation Logic –Assume-Guarantee reasoning SAGL: combination of CSL & A-G reasoning Interpretation of CSL in SAGL

14 Assume-Guarantee Reasoning Thread T and its environment –Environment: the collection of all other threads except T A: assumption about environment’s transition G: guarantee to the environment a: precondition

15 Assume-Guarantee Reasoning To certify each thread:  S, S'. a S  A S S'  a S' Non-Interference of threads: G 1  …  G i-1  G i+1  …  G n  A i G i  A 1  …  A i-1  A i+1  …  A n preservation of precondition: G S Next c (S) transitions satisfy the guarantee:

16 A-G reasoning a1a2a1a2 a 1  a 2 a1a2a1a2 G2G2 A1A1 A2A2 G1G1 a2a2 a2a2 a1a1 a1a1

17 A-G reasoning Thread modular –separate verification of threads Not require CRs –but need to know smallest granularity of transitions  A, G: global invariants about all resources –hard to define –lack data modularity  Need to check A and G at every step (A,G) ┝ {a} C {a’}

18 Example: data modularity broken … [100] := m; … [101] := n; … 100101 G 1 : [101] = [101]' A 1 : [100] = [100]' G 2 : [100] = [100]' A 2 : [101] = [101]'

19 Outline of this talk Background –Concurrent Separation Logic –Assume-Guarantee reasoning SAGL: combination of CSL & A-G reasoning Interpretation of CSL in SAGL

20 SAGL: Separated A-G Logic Partition of each thread’s resource –shared and private –shared can be accessed at any time governed by A and G –exclusive access to private resources follows local reasoning in CSL not specified in A and G better memory modularity Dynamic change of partition –may occur at any point, not tied with CR boundaries

21 SAGL: Specification of Threads A, G: assumption and guarantee a: precondition about shared resources p: precondition about private resources Spec for T i : (( a i, p i ), A i, G i )

22 p1p1 a1a2a1a2 p2'p2' p1p1 a1a2a1a2 p2p2 SAGL – Access Private Resource

23 Example: regained data modularity … [100] := m; … [101] := n; … 100101 -{(emp, 100  _) } -{(emp, 101  _)} G 1 : emp A 1 : emp G 2 : emp A 2 : emp

24 p1p1 a1a2'a1a2' p2p2 p1p1 a1a2a1a2 p2p2 SAGL – Access Shared Resource A1A1 G2G2 a1a1 a1a1 A-G reasoning: a special case where p 1 and p 2 are emp.

25 p1p1 a 1  a 2  p 2  p1p1 a1a2a1a2 p2p2 p1p1 a1a2'a1a2' p2p2 SAGL - Redistribution A1A1 G2G2 A1A1 G2G2

26 SAGL Thread modular –separate verification of threads Not require CRs –but need to know smallest granularity of transitions A, G: only specifies shared resources –better modularity Need to check A and G at every step –but the check is trivial if only private resource is used (A,G) ┝ {(a,p)} C {(a’,p’)}

27 Outline of this talk Background –Concurrent Separation Logic –Assume-Guarantee reasoning SAGL: combination of CSL & A-G reasoning Interpretation of CSL in SAGL

28 p1p1 (l2)(l2) p2p2 (l1)(l1) p1p1 (l2)(l2) (l1)  p2(l1)  p2 Concurrent Separation Logic p1p1 (l2)(l2) p2p2 (l1)(l1) l 1.acq() l 1.rel() … p1p1 (l2)(l2) (l1)  p2(l1)  p2

29 Implicit Invariants in CSL Shared resources are well-formed outside of critical regions. Invariants of shared resources: a   Inv( l 1 )  …  Inv( l n ) At each program point: (p 1  …  p n )  a  S Inv( l i )  ( free (l i )   (l i ))  (  free (l i )  emp )

30 p1p1 a1a2a1a2 p2p2 Specialization of SAGL At each program point in SAGL: (p 1  …  p n )  (a 1  …  a n ) Specialize a i into a  (p 1  …  p n )  (a   …  a  ) Specialize A and G to enforce a  at every step A  S S'  a  S  a  S' G  S S'  a  S  a  S'  (p 1  …  p n )  a 

31 Interpretation of CSL in SAGL If  ┝ CSL {p} C {q}, then (A ,G  ) ┝ SAGL {(a ,p)} C {(a ,q)} Also a new way to prove the soundness of CSL! The soundness of SAGL is proved following the syntactic approach (by proving progress & preservation). Proofs have been formalized in Coq.

32 getNode(): l.acq(); … l.rel(); -{(a , emp)} Example: List  = { l  List(x) } -{(emp, emp * List(x))}; -{(emp, Node(y) * List(x))} -{(List(x), Node(y))} a  = free( l )  List(x)   free( l )  emp x … x … y  a a  a a  a a

33 Conclusion SAGL –combination of local reasoning with A-G reasoning –improved modularity than A-G reasoning –more flexible than CSL Embedding of CSL in SAGL –formalization of invariants: shared resources are well-formed outside of CRs –a new way to prove the soundness of CSL

34 Thank you!

35 Example: GCD while(x <> y){ if (x > y) x = x – y; } while(x <> y){ if (y > x) y = y – x; } initially: x =  ; y =  ; result: x = GCD( ,  ); y = GCD( ,  ); G 1 : (y = y')  (x  y  x = x')  (GCD(x, y) = GCD(x', y')) A 1 : (x = x')  (y  x  y = y')  (GCD(x, y) = GCD(x', y')) G 2 = A 1 ; A 2 = G 1

36 Example: GCD while(x <> y){ if (x > y) x = x – y; } while(x <> y){ if (y > x) y = y – x; } initially: x =  ; y =  ; result: x = GCD( ,  ); y = GCD( ,  ); Hard to certify using CSL without rewriting the program and adding auxiliary variables.

37 Problem with CSL Needs to rewrite code using CRs –then needs to prove semantic preservation CSL is a program logic –what if the language does not support CRs? only use “ cas ” to do synchronization

38 Example: malloc x = alloc(1); [x] = 2; if ( odd([x]) ){ //should never reach here } y = alloc(1); [y] = 3; if ( even([y]) ){ //should never reach here } G 1 : ??? A 1 : ??? G 2 : ??? A 1 : ??? { emp }  { x  _ } { y  _ } 

39 Example: malloc x = alloc(1); [x] = 2; if ( odd([x]) ){ //should never reach here } y = alloc(1); [y] = 3; if ( even([y]) ){ //should never reach here } G 1 : emp A 1 : emp G 2 : emp A 1 : emp -{ (emp, emp) } -{ (emp, emp } -{ (emp, x  _) } -{ (emp, y  _) }

40 Soundness of SAGL Safety: progress & preservation Partial correctness: –assertions assigned to program points hold when we reach these points

Download ppt "On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and."

Similar presentations

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.

Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.

A Rely-Guarantee-Based Simulation for Verifying Concurrent Program Transformations Hongjin Liang, Xinyu Feng & Ming Fu Univ. of Science and Technology.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
An Open Framework for Certified System Software Xinyu Feng Yale University.

An Open Framework for Certified System Software Xinyu Feng Yale University.
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)

10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)
An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.
Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,

Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,
Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Similar presentations

Ads by Google