1 / 37

Variable Permissions for Concurrency Verification: A Simplified Approach

This paper presents VPERM, a new permission system designed to ensure data-race freedom in concurrent programming. Traditional verification tools often focus on heap data structures, neglecting simpler variables. VPERM addresses this gap by offering a straightforward reasoning scheme tailored for individual variables, enhancing access permissions and enabling safe multi-threaded operations. The work includes motivation, formalism, and practical examples highlighting the effectiveness of variable permissions. Verification through entailment checking and experiments demonstrate VPERM's applicability in verifying concurrent programs.

helena
Télécharger la présentation

Variable Permissions for Concurrency Verification: A Simplified Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. VPERM: Variable Permissions forConcurrency Verification Duy-Khanh Le, Wei-Ngan Chin, Yong-MengTeo ICFEM, Kyoto, Japan, Nov 2012

  2. ICFEM2012 Outline • Motivation & Example • Formalism • Programming & Specification Language • Verification by Entailment Checking • Inferring Variable Permissions • Eliminating Variable Aliasing • Applicability • Experiment • Conclusion VPERM: Variable Permissions for Concurrency Verification

  3. ICFEM2012 Motivation • Access permissions attracted much attention for reasoning about shared heap data structures • State-of-the-art verification tools • ignore program variables • orapply the same permission system, designed for heap memory, to variables • However, variables are simpler than heap data structures: each variable is distinct • Need a simpler reasoning scheme for variables VPERM: Variable Permissions for Concurrency Verification

  4. ICFEM2012 Related Work Expressiveness Complexity VPERM: Variable Permissions for Concurrency Verification

  5. ICFEM2012 Related Work • Permission systems for variables • Variables as resources [1] & syntactic control of inference [2] • User fractional/counting permissions to allow sharing • Though flexible, this places higher burden on programmers to figure out the fraction used • Verification systems for concurrency • Smallfoot [3] uses side conditions to outlaw conflicting accesses • Chalice [4] does not support permission of variables in method’s bodies • Verifast [5] treats variables as heap locations VPERM: Variable Permissions for Concurrency Verification

  6. ICFEM2012 Objective • Propose a simple permission system to ensure data-race freedom when accessing variables VPERM: Variable Permissions for Concurrency Verification

  7. ICFEM2012 A Motivating Example int creator(refintx,refint y) { inttid; tid=fork(inc,x,1); inc(y,2); returntid; } void inc(ref int i, int j) { i=i+j; } pass-by-ref pass-by-value void main() { int id; intx,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } • Any accesses to x after fork and before join are unsafe (racy) • How to propagate the above fact across procedure boundaries VPERM: Variable Permissions for Concurrency Verification

  8. ICFEM2012 A Motivating Example with Specifications int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid & thread=main and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } implicit main thread child thread void main() requires true ensures true; { int id; intx,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } VPERM: Variable Permissions for Concurrency Verification

  9. ICFEM2012 A Motivating Example with Specifications int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void inc(ref int i, int j) requires true ensures i'=i+j; { i=i+j; } main thread child thread void main() requires true ensures true; { int id; intx,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } VPERM: Variable Permissions for Concurrency Verification

  10. ICFEM2012 A Motivating Example with VPERM int creator(refint x, refint y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and@full[x] & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } main thread child thread void main() requires true ensures true; { int id; intx,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } VPERM: Variable Permissions for Concurrency Verification

  11. ICFEM2012 A Motivating Example with VPERM void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } int creator(refint x, refint y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and@full[x] & x'=x+1 & thread=tid; { int id; // @full[x,y] & x’=x & y’=y & id’=0 id=fork(inc,x,1); // @full[y] & y’=y & id’=tid // and@full[x] & x'=x+1 & thread=tid; inc(y,2); // @full[y] & y’=y+2 & id’=tid // and@full[x] & x'=x+1 & thread=tid; return id; // @full[y] & y’=y+2 & id’=tid & res=tid // and@full[x] & x'=x+1 & thread=tid; } int creator(refint x, refint y) { int id; id=fork(inc,x,1); inc(y,2); return id; } main thread main thread and child thread VPERM: Variable Permissions for Concurrency Verification

  12. ICFEM2012 A Motivating Example with VPERM int creator(refint x, refint y) requires @full[x,y] ensures @full[y] & y’=y+2 & res=tid and@full[x] & x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } void inc(ref int i, int j) requires @full[i] & @value[j] ensures i'=i+j & @full[i]; { i=i+j; } void main() requires true ensures true; { int id; // @full[id] intx,y; // @full[id,x,y] x=0;y=0; // @full[id,x,y] id = creator(x,y); // @full[id,y] and @full[x] … // @full[id,y] and @full[x] join(id); // @full[id,x,y] assert (x+y=3); // @full[id,x,y] } void main() requires true ensures true; { int id; intx,y; x=0;y=0; id = creator(x,y); … join(id); assert (x+y=3); } VPERM: Variable Permissions for Concurrency Verification

  13. ICFEM2012 Programming Language VPERM: Variable Permissions for Concurrency Verification

  14. ICFEM2012 Specification Language VPERM: Variable Permissions for Concurrency Verification

  15. ICFEM2012 Variable Permissions • Two key annotations for variable permissions • @full[w*] • In a pre-condition • w* is a list of pass-by-ref variables • variable permissions are passed from caller to callee • In a post-condition • variable permissions are returned from callee to caller • @value[w*] • In a pre-condition • w* is a list of pass-by-value variables • Not exist in post-conditions VPERM: Variable Permissions for Concurrency Verification

  16. ICFEM2012 Verification by Entailment Checking VPERM: Variable Permissions for Concurrency Verification

  17. ICFEM2012 Entailment Rules for VPERM VPERM: Variable Permissions for Concurrency Verification

  18. ICFEM2012 Soundness Proofs are in the paper VPERM: Variable Permissions for Concurrency Verification

  19. ICFEM2012 Inferring Variable Permissions int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } Vpost = {x,y} @full[y] , Vpost = {x} VPERM: Variable Permissions for Concurrency Verification

  20. ICFEM2012 Inferring Variable Permissions int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } @full[y] , Vpost = {x} @full[x] , Vpost = {} VPERM: Variable Permissions for Concurrency Verification

  21. ICFEM2012 Inferring Variable Permissions int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } Vpre = {x,y} @full[x,y] @full[y] @full[x] VPERM: Variable Permissions for Concurrency Verification

  22. ICFEM2012 Inferring Variable Permissions (*) Algorithm and Soundness in the paper int creator(refint x, refint y) requires true ensures y’=y+2 & res=tid and x'=x+1 & thread=tid; { int id; id=fork(inc,x,1); inc(y,2); return id; } @full[x,y] @full[y] @full[x] VPERM: Variable Permissions for Concurrency Verification

  23. ICFEM2012 Eliminating Variable Aliasing void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1); ... //accesses to *p are racy join(id); } VPERM: Variable Permissions for Concurrency Verification

  24. ICFEM2012 Eliminating Variable Aliasing void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } Solution: a translation to eliminate * and & void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1); ... join(id); } void main() { int x = 0; // @full[x] int ∗ p = &x; // @full[x,p] int id; // @full[x,p,id] id = fork(inc, x, 1); // @full[p,id] ... // @full[p,id] join(id); // @full[x,p,id] } unsafe still have permission to access p and indirectly x VPERM: Variable Permissions for Concurrency Verification

  25. ICFEM2012 Translation Scheme void inc(ref int i, int j) requires @full [i] ∧ @value[j] ensures @full [i] ∧ i’=i+j; { i = i + j; } void inc(int_ptr i, int j) requires i::int_ptr<old_i>& @value[i,j] ensures i::int_ptr<new_i> & new_i=old_i+j; { i.val = i.val + j; } void main() { int x = 0; int ∗ p = &x; int id; id = fork(inc, x, 1); ... join(id); } void main() { int_ptr x = new int_ptr(0); int_ptrp = x; int id; id = fork(inc, x, 1); ... join(id); delete(x); } promote (*) details are in the paper VPERM: Variable Permissions for Concurrency Verification

  26. ICFEM2012 Applicability • Pthread • pthread_create requires a single pointer to heap memory • Cilk • More flexible, either pass-by-ref or pass-by-value • Vperm • Passing the pointer by value when fork • Pass-by-ref and pass-by-value VPERM: Variable Permissions for Concurrency Verification

  27. ICFEM2012 Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } } VPERM: Variable Permissions for Concurrency Verification

  28. ICFEM2012 Applicability: Cilk cilk int fib (int n) { if (n<=1) return n; else{ int x, y; x = spawn fib (n-1); y = spawn fib (n-2); … // not safe to access x and y sync; return (x+y); } } void fib(int n, ref int result) requires @value[n] & @full [result] & n>=0 ensures @full [result] & fiba(n, result ); { if (n<=1){ result = n; } else{ int x, y; int id1 = fork(fib,n−1, x); int id2 = fork(fib,n−2, y); … // cannot access x and y join(id1); join(id2); result=x+y; } } VPERM: Variable Permissions for Concurrency Verification

  29. ICFEM2012 Experiments Trade-off: higher verification time (machine effort) BUT less manual annotation (human effort). Demo Download or try VPERM online at http://loris-7.ddns.comp.nus.edu.sg/~project/vperm/ VPERM: Variable Permissions for Concurrency Verification

  30. ICFEM2012 Conclusion • A simple permission system for variables • Simple to understand • Simple to reason about • Simple to infer • Expressive enough to capture real-world programming languages such as Pthreads, Cilk • Feasible to incorporate into a tool VPERM • Experiments show less annotation overheads compared to state-of-the-art VPERM: Variable Permissions for Concurrency Verification

  31. ICFEM2012 Q&A END leduykha@comp.nus.edu.sg Download or try VPERM online at http://loris-7.ddns.comp.nus.edu.sg/~project/vperm/ Thank you VPERM: Variable Permissions for Concurrency Verification

  32. Limitations • Phased Accesses to Shared Variables • Read outside a critical region but write inside a critical region • This requires partial permissions • BUT we could use pseudo-heap locations for this type of complex reasoning VPERM: Variable Permissions for Concurrency Verification

  33. Phased Accesses For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap

  34. Phased Accesses For this complex reasoning, convert two integer auxiliary variables a,b to int_ptr and use the complex reasoning over heap

  35. ICFEM2012 Verification by Entailment Checking (Full) VPERM: Variable Permissions for Concurrency Verification

  36. ICFEM2012 Background • Heap vs stack • A stack variable x pointing to • A heap location containing an integer • E.g. int_ptr x = new int_ptr(1); • Separation logic • Fractional permissions • How about program (stack) variables? • x1 • {x2 * y2} [x]=3 {x3 * y2} 0.5 1.0 0.5 • {x2 * x2}  {x2} VPERM: Variable Permissions for Concurrency Verification

  37. Background • Heap vs stack • A stack variable x pointing to • A heap location containing an integer 1 • E.g. int_ptr x = new int_ptr(1); • Hoare’s logic • Separation logic • Fractional permissions • x1  • {x1 /\ y2} x=3 {x3 /\ y2} ok  • {x2 /\ y2} x=3 {x3 /\ y2} what if x and y aliased ???  no alias • {x2 * y2} x=3 {x3 * y2} • {x2 * x2}  {x2} VPERM: Variable Permissions for Concurrency Verification

More Related