1 / 27

Verifying Properties of Parallel Programs: An Axiomatic Approach

Verifying Properties of Parallel Programs: An Axiomatic Approach. Susan Owicki and David Gries Communications of the ACM, 1976 Presented by Almog Benin 1 /6/2014. Outline of talk. Introduction The language The axioms Theorems mutual exclusion, termination & deadlock Related work

ailsa
Télécharger la présentation

Verifying Properties of Parallel Programs: An Axiomatic Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verifying Properties of Parallel Programs: An Axiomatic Approach Susan Owicki and David Gries Communications of the ACM, 1976 Presented by Almog Benin 1/6/2014

  2. Outline of talk • Introduction • The language • The axioms • Theorems • mutual exclusion, termination & deadlock • Related work • Conclusions

  3. Introduction • Concurrent programs becomes more popular • It’s harder to prove their correction • Scheduling can be changed • Regular testing is not enough • The suggested solution: • Axiomatic proof system

  4. The language • Derived from Algol 60 • Contains the usual statements: • Assignment • Conditional • Loops: while \ for • Compound \ null

  5. The language – cont’ • Denote by: • – a set of variables • – a statement • – a boolean condition • Parallel execution statement: resource,…,: cobegin//…//coend • Critical section statement: with r whendo

  6. Example • Each statement has: • Pre-condition • Post-condition • Wrote as • We assume that sequential execution is simple to be proved. • – the invariant for the resource r • Remains true at all times outside critical sections for r begin, ; resource: cobegin with when do begin ; end // with when do begin ; z end coend end

  7. Example – cont’ • Each statement has: • Pre-condition • Post-condition • Wrote as • We assume that sequential execution is simple to be proved. • – the invariant for the resource r • Remains true at all times outside critical sections for r begin, ; resource: cobegin with when do begin ; end // with when do begin ; z end coend end

  8. Axiom #1 • The critical section axiom: • If: • is the invariant from the cobegin statement • No variable free in P or Q is changed in another thread • Then: • withwhen do • For example, set: begin, ; resource: cobegin with when do begin ; end // with when do begin ; z end coend end

  9. Axiom #2 • The parallel execution axiom: • If: • … • No variable free in or is changed in ) • All variables in belong to resource • Then: • resource : cobegincoend • For example, set: begin, ; resource: cobegin with when do begin ; end // with when do begin ; z end coend end

  10. The consequence • Using the invariant, we have the result: begin, ; resource: cobegin with when do begin ; end // with when do begin ; z end coend end

  11. Axiom #3 - Auxiliary Variable Axiom: resource r(x): cobegin withwhen true do // with r when true do coend • Unable to proof using the existing axioms. • This program does the same as the former.

  12. Axiom #3 - Auxiliary Variable Axiom: resource r(x): cobegin withwhen true do // with r when true do coend • The solution: make use of auxiliary variables • Auxiliary variable is a variable which is assigned, but never used • Removing this variable doesn’t change the program.

  13. Axiom #3 - Auxiliary Variable Axiom: resource r(x): cobegin withwhen true do // with r when true do coend • If: • AV is an auxiliary variable set for a statement . • obtained by deleting all assignments to variables in AV. • is true • and don’t refer to variable any variables from AV. • Then: • is also true.

  14. The Dining Philosophers Problem • 5 bowls of spaghetti • 5 forks • 5 philosophers • Each philosopher repeatedly eats and then thinks • Needs 2 forks for eating

  15. begin forstep 1 until 4 begin;end resource : cobegin coend end : forstep 1 until begin withwhendo begin ;; end <eat > withwhen true do begin;end <think > end – an auxiliary variable

  16. begin forstep 1 until 4 begin ;end resource : cobegin coend end : forstep 1 until begin withwhendo begin ;; end <eat > withwhen true do begin;end <think > end – an auxiliary variable

  17. Mutual Exclusion • We will prove that there are no 2 neighbors eating together. • Assume by contradiction that there is for which . • We will derive a contradiction: • For that, we need to proof a new theorem. • Because another philosopher may be in a critical section ( will not hold).

  18. Theorem #1:The Mutual Exclusion Theorem Suppose: • and are statements in different parallel threads of a program • Neither nor belongs to a critical section for resource . • Let and be assertions that holds during the execution of and , respectively. Then: and are mutually exclusive if and are true when the execution of begins. Example: By theorem #1: In contradiction.

  19. Deadlock • A thread is blocked if it is stopped at the statement withwhendo because is false or because another thread is using resource . • A parallel program is blockedif at least one thread is blocked, and all other threads are either finished or blocked as well. • A parallel program is deadlock-free if there is no computation lead it to be blocked.

  20. Theorem #2: The Blocking Theorem • Suppose program contains the statement: • = resource; cobegincoend • Let the with-when statements of thread be • = withwhendo • Let pre and be assertions derived from a proof of .

  21. Theorem #2: The Blocking Theorem – cont’ • means: “for each thread, it is either finished or blocked at the beginning of one of its with-when statement”: • means: “There is at least one thread that is blocked by one of the with-when statement”: Then if , is deadlock-free if is true when execution begins.

  22. The Blocking Theorem in The Dining Philosophers Let . Thus: And thus the dining philosophers program is deadlock free.

  23. Theorem #3: Termination • Definition: A statement terminates conditionally if it can be proved to terminate under the assumption that it doesn’t become blocked. • Theorem: if is a cobeginstatement in a program which is deadlock-free, terminates if each of its parallel threads terminates conditionally. • Easy to be proved for the dining philosophers

  24. Related work • This work uses a language presented by Hoare (1972). • However, Hoare’s solution provides partial correctness (a program that produces the correct result or doesn’t terminate). • It also fails to prove partial correctness for some simple programs.

  25. Conclusion • We presented an axiomatic proof system for parallel programs. • We defined some theorems based on these axioms. • We applied these theorems on the dinning philosophers problem.

  26. Questions? ?

  27. My thoughts • Is that proof system cost-effective? • Better than normal testing? • What is the best way to use this proof system? • Manual? • Automatic? • Interactive?

More Related