Presentation is loading. Please wait.

Presentation is loading. Please wait.

Programming Language Semantics Axiomatic Semantics of Parallel Programs.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Programming Language Semantics Axiomatic Semantics of Parallel Programs."— Presentation transcript:

1 Programming Language Semantics Axiomatic Semantics of Parallel Programs

2 Tentative Schedule 15/6 Parallel Programs 22/6 Rely/Guarantee Reasoning –Assignment 2 29/6 Separation Logic 6, 3/7 Type Inference –Assignment 3

3 Plan More on Hoare Proof Rules Proof Rules for Concurrent Programs

4 Hoare Proof Rules for Partial Correctness {A} skip {A} {B[a/X]} X:=a {B} (Assignment Rule) {P} c 0 {C} {C} c 1 {Q} {P} c 0 ;c 1 {Q} {P  b} c 0 {Q} {P  b} c 1 {Q} {P} if b then c 0 else c 1 {Q} {I  b} c {I} {I} while b do c{I  b}  P  P’ {P’} c {Q’}  Q’  Q {P} c {Q} (Composition Rule) (Conditional Rule) (Loop Rule) (Consequence Rule)

5 Potential Language Extensions Blocks Procedures –Procedures as parameters Abstract data types Non-determinism Parallelism Arrays, Pointers, and Dynamic allocations

6 More Rules {P 1 } c {Q 1 } {P 2 } c {Q 2 } {P 1  P 2 } c {Q 1  Q 2 } (Conjunction Rule) {P} c {P} where Mod(c)  Var(P) =  (Invariance Rule)

7 Underlying Principles of Hoare Rules Commands are predicate transformers Different behaviors for different preconditions Commands can be partial –Resource restriction –Implementation restriction In {P} comm {Q} –P and Q are contracts with the clients of comm

8 An Axiomatic Proof Technique for Parallel Programs Owicky & Gries Verification of Sequential and Concurrent Programs Apt & Oldrog Chapters 4-6

9 IMP+ Parallel Constructs Abstract syntax com::= X := a | skip | com 1 ; com 2 | if b then com 1 else com 2 | while b do com| cobegin com 1 || com 2 … || com k coend All the interleavings of are executed Example –cobegin X := 1 || (X :=2 ; X := X+2) coend

10 A First Attempt {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c n coend {Q 1  Q 2  …  Q k } (Parallel Rule)

11 Simple Examples {true} X := 1 { X >0 } {true} Y:= 1 {Y>0} {true} cobegin X :=1 || Y := 1 coend{X>0  Y >0} {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>0} {true} cobegin X :=1 || X:=2 ; X := X+2 coend{X>0 }

12 Unsoundness {Y=1} X := 0 { Y=1 } {true} Y:=0 {true} {Y=1} cobegin X :=0 || Y:=0 coend {Y=1 }

13 Modified Parallel Rule {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c k coend {Q 1  Q 2  …  Q k } Mod(c j )  Var(P i ) =  Mod(c j )  Var(Q i ) =  i  j

14 Unsoundness from sharing {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>3} {true} cobegin X :=1 || X:=2 ; X := X+2 coend {X>3 }

15 Handling Shared Variables Carefully design the proofs of every thread to make them local Show that the code of other threads do not interfere with the proofs of other threads

16 Interference A command T with a precondition pre(T) does not interfere with the proof of {P} C {Q} if: –{Q  pre(T) } T {Q} –For any command C’ inside C with a precondition pre(C’) {pre(C’)  pre(T) } T {pre(C’)} {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free if for every i  j and for every assignment in T in c i does not interfere with {P j } c j {Q j }

17 Modified Parallel Rule {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } {P 1  P 2  … P k } cobegin c 1 || c 2 || …|| c k coend {Q 1  Q 2  …  Q k } {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free

18 No unsoundness from sharing {true} X := 1 { X >0 } {true} X:=2 ; X := X+2 {X>3} {true} cobegin X :=1 || X:=2 ; X := X+2 coend {X>3 }

19 A Realistic Example Findpos: begin initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1; search: cobegin Evensearch: while i < min(oddtop, eventop) do if (x(i) > 0) then eventop := i else i := i + 2; || Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2; coend k := min(eventop, oddtop) end {k  M+1  (  l: 1  l 0)} ES=eventop  M+1  even(i)   l: (even(l)  0<l<i)  x(l)  0  eventop  M  x(eventop)>0 OS=oddtop  M+1  odd(j)   l: (odd(l)  0<l<j)  x(l)  0  oddtop  M  x(oddtop)>0

20 Incompleteness There exist correct programs which cannot be verified by the parallelization rule –{X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y}

21 An Informal Proof of {X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Z} X : = X + 1 { X = Z +1} {Y = Z} Y : = Y + 1 { Y = Z +1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Z+1  Y= Z+1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Y} Z : = X { X = Y  Y = Z} {X =Y } Z : = X ; cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X =Y } cobegin X := X + 1 || Y := Y+1 coend {X=Y}

22 Auxiliary Variables Record history information A set of variables AV is auxiliary for a command S if each variable from AV only occurs in assignments of the form X := t where X  AV Auxiliary variable elimination rule {P} S {Q} {P} S’ {Q} Where A is auxiliary for S FV(Q)  A =  FV(P)  A =  S’ results from S by deleting all assignments in to variables in S

23 A Formal Proof of {X = Y} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Z} X : = X + 1 { X = Z +1} {Y = Z} Y : = Y + 1 { Y = Z +1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Z+1  Y= Z+1} {X = Z  Y = Z} cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X = Y} Z : = X { X = Y  Y = Z} {X =Y } Z : = X ; cobegin X := X + 1 || Y := Y+1 coend {X=Y} {X =Y } cobegin X := X + 1 || Y := Y+1 coend {X=Y} (Assign-Rule) (Par-Rule) (Cons.-Rule) (Assign-Rule) (Comp.-Rule) (Aux.-Rule)

24 Synchronization Primitives Support for atomic sections and communication A High Level Construct await B then S –No parallelization in S –Blocked until B holds –If B is true then S is executed atomically Examples –await true then S –Await “some condition” then skip –Semaphore P(sem): await sem >0 then sem := sem – 1 V(sem): await true then sem := sem + 1

25 Interference (modified) A command T with a precondition pre(T) does not interfere with the proof of {P} C {Q} if: –{Q  pre(T) } T {Q} –For any command C’ inside C but not within await with a precondition pre(C’) {pre(C’)  pre(T) } T {pre(C’)} {P 1 } c 1 {Q 1 } {P 2 } c 2 {Q 2 }.. {P k } c k {Q k } are interference free if for every i  j and for every assignment not inside await or an await T in c i does not interfere with {P j } c j {Q j }

26 An Inference Rule for Await {P  b} c {Q} {P } await B then c {Q}

27 Producer-Consumer Two processes communicating via a shared bounded buffer Consumer waits for the buffer to be filled Producer waits for the buffer to be non-full and fills the buffer buffer[0..N-1] in – the number of elements added out – the number of elements deleted buffer[out mod N], … buffer[(out + in – out -1) mod N] elements

28 in := 0; out := 0 ; cobegin producer: … await in-out < N then skip add: buffer(in mod N) := next value; markin: in := in +1; … || consumer: … await in-out >0 then skip remove: this value := buffer(out mod N); markout: out := out +1; … coend Producer/Consumer Code

29 in := 0; out := 0 ; i := 1; j :=1; {M  0} cobegin producer: while i  M do begin x:= A[i]; await in-out <N then skip; add: buffer[in mod N] := x ; markin: in := in + 1; i := i + 1 end || consumer: while j  M do begin await in-out >0 then skip; remove: y := buffer[out mod N] ; markout: out := out + 1; B[j] := y; j := j + 1 end coend {  k: 1  k  M  B[k] = A[k]} I=  k: out < k  M  buffer[(k-1} mod N] = A[k]  0  in-out  N  0  i  M+1  0  j  M+1

30 {I  i = in+1=1  j=out+1=1} cobegin {I  i = in+1=1} producer: while i  M do begin x:= A[i]; await in-out <N then skip; add: buffer[in mod N] := x ; markin: in := in + 1; i := i + 1 end {I  i = in+1=M+1} || {I  j = out+1=1} consumer: while j  M do begin await in-out >0 then skip; remove: y := buffer[out mod N] ; markout: out := out + 1; B[j] := y; j := j + 1 end {I   k: 1  k  M  B[k] = A[k]}} coend {  k: 1  k  M  B[k] = A[k]} I=  k: out < k  M  buffer[(k-1} mod N] = A[k]  0  in-out  N  0  i  M+1  0  j  M+1

31 Summary Reasoning about concurrent programs is difficult Aweeki-Gries suggest to carefully design the sequential proofs to simplify the proof procedure The use of auxiliary variables can make proofs difficult Can have difficulties with fine-grained concurrency –Benign dataraces Rely/Guarantee style can allow more elegant/general reasoning (next lesson)

Download ppt "Programming Language Semantics Axiomatic Semantics of Parallel Programs."

Similar presentations

Operating Systems Semaphores II

Operating Systems Semaphores II
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 12.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 12.
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
CIS 720 Lecture 2. Concurrency …shared variable declaration…. …shared variable initialization… co P 1 // P 2 // P 3 // P 4 oc Execution of P 1 … P 4 starts.

CIS 720 Lecture 2. Concurrency …shared variable declaration…. …shared variable initialization… co P 1 // P 2 // P 3 // P 4 oc Execution of P 1 … P 4 starts.
Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.

Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Similar presentations

Ads by Google