a foundation for verifying concurrent programs
DESCRIPTION
A Foundation for Verifying Concurrent Programs. K. Rustan M. Leino RiSE , Microsoft Research, Redmond joint work with Peter M ü ller and Jan Smans. Lecture 1 2 September 2009 FOSAD 2009, Bertinoro , Italy. Summary, so far. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/1.jpg)
A Foundation for Verifying Concurrent ProgramsK. Rustan M. LeinoRiSE, Microsoft Research, Redmond
joint work with Peter Müller and Jan Smans
Lecture 12 September 2009FOSAD 2009, Bertinoro, Italy
![Page 2: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/2.jpg)
Summary, so farPermissions guide what memory locations are allowed to be accessedActivation records and monitors can hold permissionsPermissions can be transferred between activation records and monitorsLocks grant mutually exclusive access to monitors
![Page 3: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/3.jpg)
Today’s lectureMore examplesPreventing deadlocksUsing abstractionBuilding a program verifier
![Page 4: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/4.jpg)
OwickiGriesCounter
Summary, and ghost variables
demo
![Page 5: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/5.jpg)
DeadlocksA deadlock is the situation where a nonempty set (cycle) of threads each waits for a resource (e.g., lock) that is held by another thread in the setExample:method M() …{acquire a;acquire b;…
}
method N() …{acquire b;acquire a;…
}
![Page 6: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/6.jpg)
Preventing deadlocks
Deadlocks are prevented by making sure no such cycle can ever occur
The program partially order locksThe program must acquire locks in strict ascending order
A deadlock is the situation where a nonempty set (cycle) of threads each waits for a resource (e.g., lock) that is held by another thread in the set
![Page 7: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/7.jpg)
Wait orderWait order is a dense partial order(Mu, <<) with a bottom element << is the strict version of <<The wait level of an object o is stored in a mutable ghost field o.muAccessing o.mu requires appropriate permissions, as for other fieldsThe syntaxmeans ( lHeld l.mu << X) whereHeld denotes the set of locks held by thecurrent thread
maxlock << X
![Page 8: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/8.jpg)
Example revisited
With these preconditions, both methods verifyThe conjunction of the preconditions is false, so the methods can never be invoked at the same time
method M()
requires a.mu << b.mu{acquire a;acquire b;…
}
method N()
requires b.mu << a.mu{acquire b;acquire a;…
}
requires rd(a.mu) requires rd(b.mu)
requires rd(a.mu) requires rd(b.mu)
![Page 9: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/9.jpg)
Setting the wait orderRecall, the wait level of an object o is stored in the ghost field o.muInitially, the .mu field is The .mu field is set by the share statement:
picks some wait level strictly betweenL and H, and sets o.mu to that levelProvided L << H and neither denotes an extreme element, such a wait level exists, since the order is dense means
share o between L and H;
share o;
share o between maxlock and ;
![Page 10: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/10.jpg)
OwickiGriesCounterD
Deadlock prevention
demo
![Page 11: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/11.jpg)
DiningPhilosophers
Specifying wait levels
demo
![Page 12: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/12.jpg)
Changing the wait orderWhen is:
allowed?When o.mu is writable!
… and the thread holds oRecall, means(lHeld l.mu << X), so uttering maxlock has the effect of reading many .mu fieldsWe either need rd(maxlock), or
reorder o between L and H;
maxlock << X
![Page 13: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/13.jpg)
Deadlocks when joining
Include threads in wait order
method M() …{fork tk := N();acquire a;join tk;…
}
method N() …{acquire a;…release a;
}
![Page 14: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/14.jpg)
Thread levelspicks a level θ between L and H, and then sets tk.mu to θThe precondition of o.M() is checked, substituting θ as the value of any occurrence of maxlock now means(lHeld l.mu << X) θ << Xwhere θ is the one for the current thread requires maxlock << tk.muwithout between clause, θ is picked as just barely above maxlock of the forking thread
fork tk := o.M() between L and H;
maxlock << X
join tk;
![Page 15: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/15.jpg)
HandOverHand
Fine-grained locking
demo:List
:Node:Node
:Node:Node
head tailcurrent
![Page 16: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/16.jpg)
Hand-over-hand locking: the idea:Node :Node :Node :Node
tail
pmethod Update(p: Node)
requires acc(p.data,40)…
{acquire p;while (p.next != null) …
{var nx := p.next;acquire nx;nx.data := nx.data +
1;release p;p := nx;
}release p;
}
invariantacc(data,60) && … &&(next != null ==>
acc(next.data,40) &&
data <= next.data);
40% 40%100%
![Page 17: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/17.jpg)
Hand-over-hand locking: the idea:Node :Node :Node :Node
tail
pmethod Update(p: Node)
requires acc(p.data,40)…
{acquire p;while (p.next != null) …
{var nx := p.next;acquire nx;nx.data := nx.data +
1;release p;p := nx;
}release p;
}
nx
invariantacc(data,60) && … &&(next != null ==>
acc(next.data,40) &&
data <= next.data);
40%100%
40%100%
![Page 18: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/18.jpg)
Hand-over-hand locking: the idea:Node :Node :Node :Node
tail
pmethod Update(p: Node)
requires acc(p.data,40)…
{acquire p;while (p.next != null) …
{var nx := p.next;acquire nx;nx.data := nx.data +
1;release p;p := nx;
}release p;
}
nx
invariantacc(data,60) && … &&(next != null ==>
acc(next.data,40) &&
data <= next.data);
60%40% 40%100%
100%
![Page 19: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/19.jpg)
Hand-over-hand locking: the idea:Node :Node :Node :Node
tail
pmethod Update(p: Node)
requires acc(p.data,40)…
{acquire p;while (p.next != null) …
{var nx := p.next;acquire nx;nx.data := nx.data +
1;release p;p := nx;
}release p;
}
nx
invariantacc(data,60) && … &&(next != null ==>
acc(next.data,40) &&
data <= next.data);
60%40% 40%
![Page 20: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/20.jpg)
Abstraction What permissions to include in method Play’s precondition?:RockBan
d
:Guitar
:GtString
:GtString
:Organ
:DrawBar
:Drums
:Kick
:Snare
method Play() …
method Bang() …
method Strum() …
method Grind() …
![Page 21: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/21.jpg)
PredicatesNamed container of permissions
acc(y)
class C{predicate P {…}…
}
fold P;
unfold P;
![Page 22: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/22.jpg)
RockBand
Predicates
demo
![Page 23: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/23.jpg)
BoogieIntermediate verification languageVerification engine
Spec# DafnyC with VCC specificatio
nsChalice
C with HAVOC
specifications
Z3Simplify
SMT Lib
Boogie
Isabelle/HOL
![Page 24: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/24.jpg)
Boogie languageFirst-order mathematical declarationstypeconstfunctionaxiom
Imperative declarationsvarprocedureimplementation
![Page 25: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/25.jpg)
Boogie statementsx := Ehavoc xassert Eassume E…
Useful idiom:havoc x; assume P(x);“set x to a value such that P(x) holds”
![Page 26: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/26.jpg)
Weakest preconditions
wp( x := E, Q ) =wp( havoc x, Q ) =wp( assert P, Q ) =wp( assume P, Q ) =wp( S ; T, Q ) =
Q[ E / x ](x Q )P QP Qwp( S, wp( T, Q ))
For any command S and post-state predicate Q, wp(S,Q) is the pre-state predicate that characterizes those initial states from which every terminating trace of S:• does not go wrong, and• terminates in a state satisfying Q
![Page 27: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/27.jpg)
Modeling Chalice’s memory and permissions in Boogievar Heap: Ref FieldName Value;var Mask: Ref FieldName Permission;x := o.f; ≡
assert o ≠ null;assert Mask[o, f] > 0;x := Heap[o, f];
o.f := x ≡assert o ≠ null;assert Mask[o, f] == 100;Heap[o, f] := x;
![Page 28: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/28.jpg)
Semantics (defined by translation into Boogie)o := new C ≡ … o.mu := …share o between L and H ≡
assert CanWrite(o,mu) o.mu = ;assert L << H;havoc μ; assume L << μ << H;o.mu := μ;Exhale MonitorInv(o);
acquire o ≡ assert CanRead(o,mu);assert maxlock << o.mu;Held := Held {o};Inhale MonitorInv(o);
release o ≡ assert o Held;Exhale MonitorInv(o);Held := Held – {o};
thread local
shared,availabl
e
shared,locked
new
share
acquire
release
![Page 29: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/29.jpg)
Exhale and InhaleDefined by structural inductionFor expression P without permission predicates
Exhale P ≡ assert PInhale P ≡ assume P
Exhale acc(o.f, p) ≡ assert Mask[o,f] ≥ p;Mask[o,f] := Mask[o,f] – p;
Inhale acc(o.f, p) ≡if (Mask[o,f] == 0) { havoc
Heap[o,f]; }Mask[o,f] := Mask[o,f] + p;
![Page 30: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/30.jpg)
Inc
Boogie encoding
demo
![Page 31: A Foundation for Verifying Concurrent Programs](https://reader035.vdocuments.net/reader035/viewer/2022062521/5681672e550346895ddbd197/html5/thumbnails/31.jpg)
Try it for yourselfChalice (and Boogie) available as open source:http://boogie.codeplex.com
Spec# also available as open source under academic license:http://specsharp.codeplex.com