Introduction to Permission-Based Program Logics Part II Concurrent Programs

Size: px

Start display at page:

Download "Introduction to Permission-Based Program Logics Part II Concurrent Programs"

Sabrina Jennings
6 years ago
Views:

1 Introduction to Permission-Based Program Logics Part II Concurrent Programs Thomas Wies New York University

2 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

Example: Lock-Coupling List 2 3 5 7 8 9 There is one lock per node; threads acquire locks in a hand over hand fashion.

3 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

4 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

5 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

6 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

7 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

8 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.

9 Extensions of Separation Logic for Concurrent Programs

10 Extensions of Separation Logic for Concurrent Programs

11 Extensions of Separation Logic for Concurrent Programs

12 RGSep Primer [courtesy of Viktor Vafeiadis]

13 Program and Environment Program: the current thread being verified. Environment: all other threads of the system that execute in parallel with the thread being verified. Interference: The program interferes with the environment by modifying the shared state. Conversely, the environment interferes with the program by modifying the shared state.

14 Local & Shared State The total state is logically divided into two components: Shared: accessible by all threads via synchronization Local: accessible only by one thread, its owner shared local State of the lock-coupling list just before inserting a new node. The node to be added is local because other threads cannot yet access it.

15 Program Specifications The specification of a program consists of two assertions (precondition & postcondition), and two sets of actions: Rely: Describes the interference that the program can tolerate from the environment; i.e. specifies how the environment can change the shared state. Guarantee: Describes the interference that the program imposes on its environment; i.e. specifies how the program can change the shared state.

16 Rely/Guarantee Actions Actions describe minimal atomic changes to the shared state. Lock node Unlock node An action allows any part of the shared state that satisfies the LHS to be changed to a part satisfying the RHS, but the rest of the shared state must not be changed.

17 Rely/Guarantee Actions Actions can adjust the boundary between local state and stared state. This is also known as transfer of ownership. Add node Delete node

18 Rely/Guarantee Actions Actions can adjust the boundary between local state and stared state. This is also known as transfer of ownership. Add node this node becomes shared Delete node this node becomes local

19 Rely/Guarantee Actions: Lock Coupling List shared local Add node

20 Rely/Guarantee Actions: Lock Coupling List shared local Add node

21 Rely/Guarantee Actions: Lock Coupling List shared local Add node

22 Rely/Guarantee Actions: Lock Coupling List shared local Add node

23 Rely/Guarantee Actions: Lock Coupling List shared local Lock node

24 Rely/Guarantee Actions: Lock Coupling List shared local Lock node

25 Rely/Guarantee Actions: Lock Coupling List shared local Lock node

26 Rely/Guarantee Actions: Lock Coupling List shared local Lock node

27 Rely/Guarantee Actions: Lock Coupling List shared local Delete node

28 Rely/Guarantee Actions: Lock Coupling List shared local Delete node

29 Rely/Guarantee Actions: Lock Coupling List shared local Delete node

30 Rely/Guarantee Actions: Lock Coupling List shared local Delete node

31 Assertion Syntax Separation Logic P, Q ::= e = e e e e (f: e) P * Q Extended Logic p, q ::= P P p * q local shared

32 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q

33 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q split local state

34 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q share global state

35 Assertions: Lock Coupling List Unlocked node x holding value v and pointing to y v y x x (0, v, y) Node x holding value v and pointing to y, locked by thread T T v x y x (T, v, y) List segment from x to y of possibly locked nodes x y lseg(x, y)

36 Rely/Guarantee Actions: Lock Coupling List x (0, v, y) x (T, v, y) x (T, v, y) x (0, v, y) x (T, v, z) x (T, v, y) * z (0, w, y) x (T, v, z) * x (T, v, y) z (T, w, y)

37 Programs: Syntax Basic commands c: noop: skip guard: assume(b) heap write: [x] := y heap read: x := [y] allocation: x := new() deallocation: free(x) Commands C 2 Com: basic commands: c seq. composition: C ; C 2 nondet. choice: C + C 2 looping: C* atomic com.: atomic C par. composition: C C 2

38 Rely/Guarantee Judgements ` C sat (p, R, G, q) (precondition, rely, guarantee, postcondition)

39 Parallel Composition Rule ` C sat (p, R [ G 2, G, q ) ` C 2 sat (p 2, R [ G, G 2, q 2 ) ` (C C 2 ) sat (p * p 2, R, G [ G 2, q * q 2 )

40 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A Lock B

41 Stability An assertion is stable iff it is preserved under interference by other threads. Example: B A A Lock B

42 Stability An assertion is stable iff it is preserved under interference by other threads. Example: B A A Lock B not stable!

43 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Lock B Unlock B

44 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Add B B

45 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Delete B B B

46 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Delete B B B stable!

47 Stability (Formally) S stable under P Q iff (P -* S) * Q ² S where P -* S := : (: P -* : S)

48 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q)

49 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) only local state p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q) reduction to sequential SL

50 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q)

51 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local Add node

52 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local Add node

53 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local P 2 6 P 2 Q 2

54 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local F 6 F P 2 Q 2

55 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local 6 P P 2 Q 2

56 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared Q 2 6 local P 2 Q 2

57 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared F 6 F local P 2 Q 2

58 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared Q = emp local P 2 Q 2

59 Challenge: Harris' Non-blocking List head

60 Challenge: Harris' Non-blocking List head

61 Challenge: Harris' Non-blocking List head

62 Challenge: Harris' Non-blocking List head

63 Challenge: Harris' Non-blocking List head

64 Challenge: Harris' Non-blocking List head Z Z 8

65 Challenge: Harris' Non-blocking List head free 7 2 8

66 Challenge: Harris' Non-blocking List head free 7 2 8

67 Challenge: Harris' Non-blocking List head free 7 2 Z Z 8

68 Challenge: Harris' Non-blocking List head free 7 2 8

69 Challenge: Harris' Non-blocking List head free 7 2 8

70 Challenge: Harris' Non-blocking List head free 7 2 8

71 Challenge: Harris' Non-blocking List head free 7 2 8

72 Flow Interfaces joint work with Siddharth Krishna and Dennis Shasha

73 Goal Data structure abstractions that can handle unbounded sharing and overlays treat structural and data constraints uniformly do not encode specific traversal strategies provide data-structure-agnostic composition and decomposition rules remain within general theory of separation logic ) Flow Interfaces

74 High-Level Idea Express all data structure invariants in terms of a local condition, satisfied by each node. Local condition may depend on a quantity of the graph that is calculated inductively over the entire graph (the flow). Introduce a notion of graph composition that preserves local invariants of global flows. Introduce a generic good graph predicate that abstracts a heap region satisfying the local flow condition (the flow interface).

75 Local Data Structure Invariants with Flows root r l r l l r r l l r Can we express the property that root points to a tree as a local condition of each node in the graph?

76 Local Data Structure Invariants with Flows root r l l r l Path counting! r r l l r Can we express the property that root points to a tree as a local condition of each node in the graph?

77 Local Data Structure Invariants with Flows root r 0 l r l 8 n 2 N. pc(root, n) "G contains a tree rooted at root" r 0 l r l r l 0 Can we express the property that root points to a tree as a local condition of each node in the graph?

78 Flows Step : Defining the Flow Graph root Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )

79 Flows Step : Defining the Flow Graph root Requirements of flow domain: (D, +,, 0, ) is a semiring (D, v) is!-cpo with smallest element 0 + and are continuous Path counting flow domain: (N [ {},, +,, 0, ) Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )

80 Flows Step : Defining the Flow Graph root Flow graph G = (N, e) N finite set of nodes e: N N D Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )

81 Flows Step : Defining the Flow Graph 0 root Flow graph G = (N, e) N finite set of nodes e: N N D Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )

82 Flows Step 2: Define the Inflow root in root (n) =, n = root 0, n root Label each node using an inflow in: N D

83 Flows Step 3: Calculate the flow 0 0 root Flow graph G = (N, e) flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N

84 Flows Step 3: Calculate the flow root 0 0 Flow graph G = (N, e) flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N

85 Flows Step 3: Calculate the flow root 0 0 Flow graph G = (N, e) n 2 N. flow(in root, G)(n) "G contains a tree rooted at root" 0 0 flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N

86 Data Constraints predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v r l tree(x,cx) tree(y,cy)

87 Data Invariants predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v implies Cx Å Cy = ; r l tree(x,cx) tree(y, Cy)

88 Data Invariants predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v implies Cx Å Cy = ; r l Data invariant piggybacks on inductive definition of the tree. ) hard to entangle tree(x,cx) data invariants from tree(y, data Cy) structure specifics.

89 Inset Flows root 6 r l 3 8 KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) r l l 4 9 Label each edge with the set of keys that follow that edge in a search (edgeset).

90 Inset Flows root 6 {k k < 6} {k k > 6} 3 8 KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) {k k < 3} {k k > 3} {k k > 8} 4 9 Label each edge with the set of keys that follow that edge in a search (edgeset).

91 Inset Flows {k k < 6} root KS {k k > 6} ; ; KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) {k k < 3} {k k > 3} {k k > 8} ; ; ; Set inflow in of root to KS and to ; for all other nodes.

92 Inset Flows {k k < 6} ; root KS {k k > 6} ; I = {k 3 < k} I 2 = {k 3 < k < 6} {k k < 3} {k k > 3} {k k > 8} I 3 = {k 8 < k} ; I I 2 ; I 3 ; flow(in, G)(n) is the inset of node n, i.e., the set of keys k such that a search for k will traverse node n.

93 From Insets to Keysets outset(g) n = n N e(n, n ) {k. k < 5 k } 5 {5} 7 {k. k > 5} keyset(in, G) n = inset(in, G) n outset(g)(n) 3 {k. k < 5 k > } keyset(in, G)(n) is the set of keys that could be in n

94 Verifying Concurrent Search Data Structures Local data structure invariants edgesets are disjoint for each n: {e(n,n')} n' 2 N are disjoint keyset of each n covers n's contents: C(G)(n) µ keyset(in, G)(n) Observation: disjoint inflows imply disjoint keysets If {in(n)} n 2 N are disjoint (e.g. G has a single root) then {keyset(in,g)(n)} n 2 N are disjoint ) Can be used to prove linearizability of concurrent search data structures in a data-structure-agnostic fashion [Shasha and Goodman, 988]

95 Compositional Reasoning Can we reason compositionally about flows and flow graphs à la SL?

96 Flow Graph Composition Standard SL Composition (disjoint union) is too weak: root root x * x = x y y y a tree a tree not a tree

97 Flow Interface Graph (in, G) is a flow interface graph iff G = (N, N o,, e) is a partial graph with N the set of internal nodes of the graph N o the set of external nodes of the graph : N A a node labeling function e: N x (N [ N o ) D is an edge function in: N D is an inflow Inflow in specifies rely of G on its context.

98 Flow Interface Graph Composition (in, G) root

99 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) in =?, in 2 =? root G G

100 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G

101 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G 2 2 2

102 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G

103 Flow Interface Graph Composition H ² H 2 is commutative: H ² H 2 = H 2 ² H associative : (H ² H 2 ) ² H 3 = H ² (H 2 ² H 3 ) cancelative: H ² H = H ² H 2 ) H = H 2 ) Flow interface graphs form a separation algebra. ) We can use them to give semantics to SL assertions. How do we abstract flow interface graphs?

104 Flow Map of a Flow Interface Graph n n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}

105 Flow Map of a Flow Interface Graph in n n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}

106 Flow Map of a Flow Interface Graph in n p n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}

107 Flow Map of a Flow Interface Graph in n p n o fm(g) (n, n o ) G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}

108 Flow Map: Example

109 Flow Map: Example Flow map abstracts from internal structure of the graph

110 Flow Map: Example Flow map abstracts from internal structure of the graph

111 Flow Map: Example 0 0 Flow map abstracts from internal structure of the graph

112 Flow Interfaces I = (in, f) is a flow interface if in: N D is an inflow f: N N o D is a flow map (in, f) good denotes all flow interface graphs (in, G) s.t. fm(g) = f for all n 2 N good(in(n), G n ) holds where good is some good node condition e.g. good(i, _) = i

113 Flow Interfaces with Node Abstraction I = (in,, f) is a flow interface if in: N D is an inflow f: N N o D is a flow map 2 A is a node label (in,, f) good denotes all flow interface graphs (in, G) s.t. fm(g) = f = t { G(n) n 2 N } for all n 2 N good(in(n), G n ) holds where good is some good node condition e.g. good(i, _) = i

114 Flow Interface Composition Composition of flow interface graphs can be lifted to flow interfaces: I 2 I I 2 iff 9 H, H, H 2 such that H 2 I, H 2 I, and H 2 2 I 2 H = H ² H 2 Some nice properties of is associative and commutative I ² I 2 µ I I 2 if I 2 I I 2, then for all H 2 I, H 2 2 I 2, H ² H 2 defined

115 Separation Logic with Flow Interfaces Good graph predicate Gr (I) : SL predicate that defines good node condition and abstraction of heap onto nodes of flow graph I: flow interface term Good node predicate N (x, I) like Gr but denotes a single node definable in terms of Gr Dirty region predicate [P],I P: SL predicate denotes heap region that is expected to satisfy interface I but may currently not

116 Graph Predicate: Linked List root x y next next next {k', k' > 3} {k', k' > 6} {k', k' > 8} Abstraction of linked list node (x, in, C, f) = 9k, y. x (data: k, next: y) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' > k} }) Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ²

117 Graph Predicate: Binary Search Tree Abstraction of BST node (x, in, C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' < k} }. ITE(z = null, ², { (x,z) {k'. k' > k} } Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ² root 5 { k'. k' < 5 } { k'. k' > 5 } left right 7 right { k'. k' > } 3

118 Graph Predicate: Binary Search Tree Need tree invariant? Abstraction of BST node (x, in, C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' < k} }. ITE(z = null, ², { (x,z) {k'. k' > k} } Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ² root 5 { k'. k' < 5 } { k'. k' > 5 } left right 7 right { k'. k' > } 3

119 Graph Predicate: Binary Search Tree Need tree invariant? No problem! Abstraction of BST node (x, (in, pc), C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ pc = Æ f = ITE(y = null, ², { (x,y) ({k'. k' < k}, ) }. ITE(z = null, ², { (x,z) ({k'. k' > k}, ) } Invariant root 5 ({ k'. k' < 5}, ) ({ k'. k' > 5 }, ) left right 7 right ({ k'. k' > }, ) 3 9I :: Gr (I) Æ I in = {root (KS, )}.0 Æ I f = ²

120 Data-Structure-Agnostic Proof Rules Decomposition Gr(I) Æ x 2 I in. N(x, I ) * Gr(I 2 ) Æ I 2 I I 2 Abstraction Gr(I ) * Gr(I 2 ) Æ I 2 I I 2 Gr(I) Æ I 2 I. I 2 Replacement I 2 I I 2 Æ I J. J 2 J I 2 Æ I J.

121 Generic R/G Actions Lock node N(x, (in, 0, f)) N(x, (in, T, f)) Unlock node N(x, (in, T, f)) N(x, (in, 0, f)) Dirty [true] I Æ I = t [true] I Sync [true] I Æ I = t Gr(I') Æ I I'

122 Conclusion Radically new approach for building compositional abstractions of data structures. Fits in existing (concurrent) separation logics. Enables simple correctness proofs of concurrent data structure algorithms Proofs abstract from the details of the specific data structure implementation.

Flow Interfaces Compositional Abstractions of Concurrent Data Structures. Siddharth Krishna, Dennis Shasha, and Thomas Wies

Flow Interfaces Compositional Abstractions of Concurrent Data Structures Siddharth Krishna, Dennis Shasha, and Thomas Wies Background Verifying programs, separation logic, inductive predicates Slides courtesy