Programming Language Semantics

Rely/Guarantee Reasoning Parallel Programs

Tal Lev-Ami

Viktor Vafeiadis

Mooly Sagiv

An Axiomatic Proof Technique for Parallel Programs

Owicky & Gries

Verification of Sequential and Concurrent Programs

Apt & Oldrog

Chapters 4-6

Interference

• A command T with a precondition pre(T) does not interfere with the proof of {p} c {q} if:– {q pre(T) } T {q}– For any command c’ inside c with a precondition

pre(c’)• {pre(c’) pre(T) } T {pre(c’)}

• {p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free if for every i j and for every assignment in T in ci does not interfere with {pj} cj {qj}

Parallel Composition Rule

{p1} c1 {q1} {p2} c2 {q2}.. {pk} ck {qk}

{p1 p2 … pk} cobegin c1 || c2 || …|| ck coend {q1 q2 … qk}

{p1}q1 {q1} {p2} c2 {q2}.. {pk} ck {qk} are interference free

Limitations of the Owicky & Griesproof rules

• Checking interference can be hard– Non-compositionality

• Until you finished the local proofs cannot check interference

• A non-standard meaning of Hoare triples– Depends on the interference of other threads with the

proof– Proofs need to be saved– Hard to handle libraries and missing code– Soundness is non-trivial

• Completeness depends on auxiliary variables

Commands as relations

• It is convenient to view the meaning of commands as relations between pre-states and post-states

• In {p} C {Q}– p is a one state predicate– Q is a two-state predicate

• Example– {true} x := x + 1 {x= x + 1}

Global Reasoning

{x 0}

x := x + 1;

y := 1

{x >0}

{x 0}

x := x + 2;

y := 2

{x >0}

{x 0}

x := x + 200;

y := 200

{x >0}

…

x0 0

x1 x0

x2 = x1+7 y2 = y1

x3 x2

x4 = x3 y4=7

x5 x4

Rely/Guarantee Reasoning

{x x} x := x + 7;

y:=7

x5 >0

{x0}

{x>0}

Rely/Guarantee Reasoning(2)

{x x}{x0}

x := x + 7;

y:=7

{x>0}

x =x+7 y=y x x

x =x y=7 x x

Hoare vs. Rely/Guarantee Reasoning

{P} c {Q}

{P} c

{Q}

{P} c

{Q}

R*

G

R*

G

R*

G

The rest of the lecture

• Operations on relations

• (Informal) Semantics of Rely/Guarantee

• A sound Rely/Guarantee inference rules

From one- to two-state relations

• p(, ) =p()

• p(, ) =p()

• A single state predicate p is preserved by a two-state relation R if– p R p , : p() R(, ) p()

Operations on Relations

• (P;Q)(, )=:P(, ) Q(, )

• ID(, )= (=)

• R*=IDR (R;R) (R;R;R) …

Formulas

• ID(x) = (x = x)

• ID(p) =(p p)

• Preserve (p)= p p

Informal Semantics

• c (p, R, G, Q)– For every state such that p:

• Every execution of c on state with (potential) interventions which satisfy R results in a state such that (, ) Q

• The execution of every atomic sub-command of c on any possible intermediate state satisfies G

• c [p, R, G, Q]– For every state such that p:

• Every execution of c on state with (potential) interventions which satisfy R must terminate in a state such that (, ) Q

• The execution of every atomic sub-command of c on any possible intermediate state satisfies G

A Formal Semantics

• Let cR denotes the set of quadruples <1, 2, 3, 4 > s.t. that when c executes on 1 with potential interferences by R it yields an intermediate state 2 followed by an intermediate state 3 and a final state 4

– as usual 4= when c does not terminate cR = {<1, 2, 3, 4> : : <1, > R

( <com, >* 2 2 = 3= 4 ’, c’: <c, >* <c’, ’ > ( ((2= 1 2 = ) (3 = 3=’) 4= ) <’, 2, 3, 4 > c’R)

• c (p, R, G, Q) – For every <1, 2, 3 , 4 > cR such that 1 p

• < 2, 3> G• If 4 : <1, 4 > Q

Simple Examples

• X := X + 1 (true, X=X, X =X+1X=X, X =X+1)

• X := X + 1 (X 0, X X, X>0 X=X, X>0)

• X := X + 1 ; Y := Y + 1 (X 0Y 0, X X Y Y, G, X>0 Y>0)

A Realistic ExampleFindpos: begin

initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1;

search: cobegin

Evensearch: while i < min(oddtop, eventop) do

if (x(i) > 0) then eventop := i

else i := i + 2;

|| Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2;

coendk := min(eventop, oddtop)end {k M+1 (l: 1 l <k x(l) 0) (k M x(k)>0)}

ES=eventopM+1

even(i)

l: (even(l) 0<l<i) x(l)0

eventopM x(eventop)>0

OS=oddtopM+1

odd(j)

l: (odd(l) 0<l<j) x(l)0

oddtopM x(oddtop)>0

Inference Rules

• Define c (p, R, G, Q) by structural induction on c

• Soundness– If c (p, R, G, Q) then c (p, R, G, Q)

Atomic Command

{p} c {Q}

atomic {c} (p, preserve(p), QID, Q)

(Atomic)

Conditional Critical Section

{pb} c {Q}

await b then c (p, preserve(p), QID, Q)

(Critical)

Sequential Compositionc1 (p1, R, G, Q1)

c1 ; c2 (p1, R, G, (Q1; R*; Q2))

(SEQ)

c2 (p2, R, G, Q2)

Q1 p2

Conditionals

c1 (p b1, R, G, Q) p b R* b1

if atomic {b} then c1 else c2 (p, R, G, Q)

(IF)

c2 (p b2, R, G, Q) p b R* b2

Loops

c (j b1, R, G, j) j b R* b1

while atomic {b} do c (j, R, G, b j)

(WHILE)

R Preserve(j)

Refinementc (p, R, G, Q)

c (p’, R’, G’, Q’)

(REFINE)

p’ p Q Q’

R’ R G G’

Parallel Compositionc1 (p1, R1, G1, Q1)

c1 || c2 (p1 p1, (R1 R2), (G1 G2), Q)

where Q= (Q1 ; (R1R2)*; Q2) (Q2 ; (R1R2)*; Q1)

(PAR)

c2 (p2, R2, G2, Q2)

G1 R2

G2 R1

A Realistic ExampleFindpos: begin

initialize: i :=2 ; j :=1; eventop = M+1 ; oddtop := M+1;

search: cobegin

Evensearch: while i < min(oddtop, eventop) do

if (x(i) > 0) then eventop := i

else i := i + 2;

|| Oddsearch: while j < min(oddtop, eventop) do if (x(j) > 0) then oddtop := j else j := j + 2;

coendk := min(eventop, oddtop)end {k M+1 (l: 1 l <k x(l) 0) (k M x(k)>0)}

ES=eventopM+1

even(i)

l: (even(l) 0<l<i) x(l)0

eventopM x(eventop)>0

OS=oddtopM+1

odd(j)

l: (odd(l) 0<l<j) x(l)0

oddtopM x(oddtop)>0

OddSearch (OS, RO , GO, OSjmin(et, ot))

RE=i =i ototet =et GE=j =j etet ot =ot

RE Preserve(ES)

et :=i (ESi <et) x(i) >0 , RE , GE,

ES)

i :=i+2 (ESi< et) x(i) 0 , RE , GE, ES)

ES i<et)) x(i) >0 RE* x(i) >0 ES i < et x(i) 0 RE* x(i) 0

if (x(i) >0) … (ESi<et) , RE , GE, ES) (IF)

EvenSearch (ES, RE , GE, ES imin(et, ot))

(WHILE)

Go=RERO=GE

EvenSearch||OddSearch (ES OS, RE RO, GEGO, ES OS imin(et, ot) jmin(et, ot))

(PAR)

ES i<min(et, ot) RE* i<et

Auxiliary in Owicky-Gries

{X = Y} X := X + 1 || Y := Y+1

{X=Y}

Issues in R/G

• Total correctness is trickier

• Restrict the structure of the proofs– Sometimes global proofs are preferable

• Many design choices– Transitivity and Reflexivity of Rely/Guarantee– No standard set of rules

• Suitable for designs

Summary

• Reasoning about concurrent programs is difficult• Oweeki-Gries suggest to carefully design the sequential

proofs to simplify the proof procedure– The use of auxiliary variables can make proofs difficult– Can have difficulties with fine-grained concurrency

• Benign dataraces

• Rely/Guarantee style allows more elegant/general reasoning– Compositional– Local– Adapts to the complexity of the proof– Soundness is simple– Naturally handles libraries and missing code