1 / 36

Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency

Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. Good manners. Mobiles. Home Work Assignment #1 & #2.

ama
Télécharger la présentation

Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Analysis and Verification 0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency Slides credit: Roman Manevich, MoolySagiv, EranYahav

  2. Good manners • Mobiles

  3. Home Work Assignment #1 & #2 • #1 due today • Modulo justified extensions • #2 Wednesday • Due lesson 10

  4. Axiomatic Semantics (Hoare Logic) • Programming Language • Syntax (skip | S1;S2 | … ) • Semantics (e.g., states ∑ + StmtsC, ss) • Assertions • Syntax ( x = 3 | x < y + a | …) • Semantics (⟦P⟧ ⊆ ∑ alt. s p P) • Judgments • {P} C {Q}, [P] C [Q] • p {P} C {Q} : s, s’ . (s p P  C, ss’)  s’pQ) • Inference rules • Proofs

  5. Axiomatic semantics for While Axiom for every primitive statement { P[a/x] } x:= a { P } [assp] [skipp] { P } skip { P } { P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R } [compp] { b P} S1 { Q}, { b P} S2 { Q} { P} if bthenS1elseS2 { Q} { b P } S { P } { P } while bdoS {b P } { P’ } S { Q’ } { P } S { Q } Inference rule for every composed statement [ifp] [whilep] [consp] if PP’ and Q’Q

  6. Factorial proof Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n!  n>0} W = while (x1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x] } x:=x-1{INV} { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } [comp] { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1{INV} [cons] {x1  INV } y:=y*x; x:=x–1{ INV} [while] { INV } W {x=1  INV} { INV[1/y] } y:=1 { INV } [cons] [cons] { x=n } y:=1 { INV } { INV } W { y=n!  n>0} [comp] { x=n } while (x1) do (y:=y*x; x:=x–1) { y=n!  n>0}

  7. Soundness • The inference system is sound: • p{ P } C { Q } implies p{ P } C { Q }

  8. Soundness and completeness • The inference system is sound: • p{ P } C { Q } implies p{ P } C { Q } • The inference system is relatively complete: • p{ P } C { Q } implies p{ P } C { Q } • ∀A,B. A⇒B • Assertion language is expressive enough

  9. While + Concurrency Abstract syntax: a ::= n | x | a1+a2 | a1a2 | a1–a2 b ::=true|false|a1=a2|a1a2|b|b1b2 S::=x:=a | skip | S1;S2| ifbthenS1elseS2 | whilebdoS | cobeginS1‖ …‖Sncoend

  10. Proofs … … { P2} S2{ Q2} { P1} S1{ Q2} … {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 } Challenge: Interference

  11. Disjoint Parallelism { P2} S2{ Q2} { P1} S1{ Q2} {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 } ∅ FV(P1,S1,Q1) ∩ FV(P2,S2,Q2) =

  12. Global Invariant I ⊢ { P2} S2{ Q2} I ⊢ { P1} S1{ Q2} I ⊢ {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 }

  13. Global Invariant I ⊢ { P } S1 { Q } I ⊢ { Q } S2 { R } I ⊢ { P } S1; S2 { R } I ⊢ { P2} S2{ Q2} I ⊢ { P1} S1{ Q2} I ⊢ {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 }

  14. Global Invariant I ⊢ { P } S1 { R } { P Λ I } S{ Q ΛI } I ⊢ { R } S2 { Q} I ⊢ { P } S1; S2 { Q } I ⊢ { P } S{ Q } I ⊢ { P2} S2{ Q2} I ⊢ { P1} S1{ Q2} I ⊢ {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 }

  15. Owicky-Gries • A command Cwith a precondition pre(C)does not interfere with the proof of {P} S {Q} if: • {Q  pre(C) } C {Q} • For any S’ “∈” S: {pre(S’)  pre(C) } C {pre(S’)} • {P1} C1 {Q1} ... {Pk} Ck {Qk} are interference freeif ∀ i j and ∀x:=a“∈”Ci , x:=a does not interfere with {Pj} Cj {Qj}

  16. Parallel Composition Rule I ⊢ { P2} S2{ Q2} I ⊢ { P1} S1{ Q2} I ⊢ {P1 ΛP1} S1‖ S2{ Q2 ΛQ2 } {P1} C1 {Q1} ... {Pk} Ck {Qk} are interference free

  17. Owicky-Gries: Limiations • Checking interference can be hard • Non-compositionality • Until you finished the local proofs cannot check interference • Proofs need to be “saved” • Hard to handle libraries and missing code • A non-standard meaning of Hoare triples • Depends on the interference of other threads with the proof • Soundness is non-trivial • Completeness depends on auxiliary variables

  18. Rely / Guarantee • Aka assume Guarantee • Cliff Jones • Main idea: Modular capture of interference • Compositional proofs

  19. Commands as relations • It is convenient to view the meaning of commands as relations between pre-states and post-states • In {P} C {Q} • P is a one state predicate • Q is a two-state predicate • Recall auxiliary variables • Example • {true} x := x + 1 {x= x + 1}

  20. C C Intuition Hoare: { P} S { Q } ~ {P} ⇒⇒⇒⇒{Q} R/G: R,G⊢{ P} S { Q } ~ {P} ⇒⇒⇒⇒⇒⇒⇒{Q} R G R G G R G

  21. p(, ) =p() p(, ) =p() A single state predicate p is preserved by a two-state relation R if p R p , : p() R(, ) p() From one- to two-state relations

  22. Operations on Relations • (P;Q)(, )=:P(, ) Q(, ) • ID(, )= (=) • R*=IDR (R;R) (R;R;R) … 

  23. Formulas • ID(x) = (x = x) • ID(p) =(pp) • Preserve (p)= pp

  24. Informal Semantics • c (p, R, G, Q) • For every state  such that p: • Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that (, )  Q • The execution of every atomic sub-command of c on any possible intermediate state satisfies G

  25. Informal Semantics • c (p, R, G, Q) • For every state  such that p: • Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that (, )  Q • The execution of every atomic sub-command of c on any possible intermediate state satisfies G • c [p, R, G, Q] • For every state  such that p: • Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that (, )  Q • The execution of every atomic sub-command of c on any possible intermediate state satisfies G

  26. A Formal Semantics • Let CR denotes the set of quadruples <1, 2, 3, 4 > s.t. that when c executes on 1 with potential interferences by R it yields an intermediate state 2 followed by an intermediate state 3 and a final state 4 • as usual 4= when c does not terminate • CR = {<1, 2, 3, 4> :  : <1, >  R  ( <C, > * 2  2 =3= 4   ’, C’: <C, >* <C’, ’ >  ( (2= 1 2 = )  (3 =   3=’)  4= )  <’, 2, 3, 4 >  C’R ) • c (p, R, G, Q) • For every <1, 2, 3 , 4 >  CR such that 1p • < 2, 3>  G • If 4 : <1, 4 >  Q

  27. Simple Examples • X := X + 1  (true, X=X, X =X+1X=X, X =X+1) • X := X + 1  (X 0, X X, X>0 X=X, X>0) • X := X + 1 ; Y := Y + 1  (X 0Y 0, X X  YY, G, X>0 Y>0)

  28. Inference Rules • Define c  (p, R, G, Q) by structural induction on c • Soundness • If c  (p, R, G, Q) then c  (p, R, G, Q)

  29. (Atomic) atomic {c}  (p, preserve(p), QID, Q) Atomic Command {p} c {Q}

  30. (Critical) await b then c  (p, preserve(p), QID, Q) Conditional Critical Section {pb} c {Q}

  31. (SEQ) c1 ; c2 (p1, R, G, (Q1; R*; Q2)) Sequential Composition c1(p1, R, G, Q1) c2(p2, R, G, Q2) Q1 p2

  32. (IF) if atomic {b} then c1 else c2 (p, R, G, Q) Conditionals c1(p b1, R, G, Q) p b  R* b1 c2(p b2, R, G, Q) p b  R* b2

  33. (WHILE) while atomic {b} do c  (j, R, G, b j) Loops c (j b1, R, G, j) j b  R* b1 R  Preserve(j)

  34. (REFINE) c  (p’, R’, G’, Q’) Refinement c (p, R, G, Q) p’ p Q Q’ R’  R G  G’

  35. (PAR) c1 || c2 (p1 p1, (R1R2), (G1G2), Q) where Q= (Q1 ; (R1R2)*; Q2) (Q2 ; (R1R2)*; Q1) Parallel Composition c1(p1, R1, G1, Q1) c2(p2, R2, G2, Q2) G1 R2 G2 R1

  36. Issues in R/G • Total correctness is trickier • Restrict the structure of the proofs • Sometimes global proofs are preferable • Many design choices • Transitivity and Reflexivity of Rely/Guarantee • No standard set of rules • Suitable for designs

More Related