![Page 1: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/1.jpg)
Concurrency Verification
![Page 2: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/2.jpg)
Why concurrency verification
• Concurrent programs show in many systems– Multi-task support in OS kernels– Handling interrupts from external devices– …
• Will be more common– Multi-core processors
• Intellectually interesting– Correctness/incorrectness are not obvious
![Page 3: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/3.jpg)
Shared-State Concurrency Model
Memory
A B
![Page 4: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/4.jpg)
100100 101
Execution Model: Simple Examples
T1: T2:
[ 100 ] := 3 [ 101 ] := 5
3 5
T1: T2:
[ 100 ] := 3 [ 100 ] := 5
3/5
Don’t know which one is written first, but order doesn’t matter.
Order may affect the result if threads share resources.
![Page 5: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/5.jpg)
Execution Model: Simple Examples
T1: T2:
[ x ] := 3 [ y ] := 5
x
y
x
y
3 53/5
It is difficult to discuss resource sharing with memory pointer aliasing.
![Page 6: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/6.jpg)
Execution Model: Simple Examples
T1: T2:
C11;
C12;
C1n
C21;
C22;
C2n
T1
T1 T1
T2
T2 T2
Non-deterministic interleaving may produce exponential num. of execution traces;
Different traces may lead to different results (depends on the resource sharing).
![Page 7: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/7.jpg)
Challenges to reason about concurrent programs
• Sharing of resources makes the result dependent on the ordering of execution
• Non-deterministic interleaving produces exponential num. of possible ordering
• Memory pointer aliasing makes it difficult to tell how resources are shared
![Page 8: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/8.jpg)
Outline of this Lecture
• Separation Logic Review
• Concurrent Separation Logic (CSL)
• Rely-Guarantee Reasoning (R-G)
• Modular verification of fine-grained concurrency – recent progress
![Page 9: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/9.jpg)
Separation Logic
A Hoare-style program logic:
{ p } C { q }
What’s new here is the assertion language.
[Ishtiaq&O’Hearn’01,Reynolds’02]
![Page 10: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/10.jpg)
Separation Logic Assertions
l n nl
p q p q
emp empty heap
p qp q
![Page 11: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/11.jpg)
Separation Logic Assertions
l n nl
p q p q
emp empty heap
l_ defined as n. l n
ln defined as (ln) truel
n
![Page 12: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/12.jpg)
Properties
pemp p
pq qp
pp p ptrue p
pp p (l_)(l_) false
p ptrue
ptrue p
![Page 13: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/13.jpg)
Assertions Model Ownership
{(l _)}
[l] := m;
{(l m)}
{emp}
[l] := m;
{???} Ownership cannot be duplicated: (l_) (l_)(l_)
![Page 14: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/14.jpg)
Strength of Separation
{(xn) (yn)}
[x] := m;
{(xm) (yn)}
{(xn) (yn)}
[x] := m;
{(xm) (yn)}
what if x=y ?
![Page 15: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/15.jpg)
A Frame Rule for Modularity
{ p } C { q }
{ p r } C { q r }
Another example showing the strength of separation!
C
p
q
r
r
![Page 16: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/16.jpg)
Specification of a List
top…
List (top) (top = null) emp
next. top (_, next) List ( next ).
![Page 17: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/17.jpg)
Example: getNode
getNode()
if (top <> null){
r1 = top;
r2 = top.next;
top = r2;
} else {r1 = null }
{ List (top) }
{ List (top) top null }
{ next. top (_, next) List ( next ) }
{ r1 = top next. top (_, next) List ( next ) r2 = next }
{ r1 (_, _) List ( r2 ) }
{ r1 (_, _) List ( top ) }
{ List ( top ) * (top = r1 = null emp r1 (_, _) ) }
![Page 18: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/18.jpg)
Reading Materials
http://www.cs.cmu.edu/~jcr/
See the miniCourse webpage of John Reynolds:
![Page 19: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/19.jpg)
Outline of This Lecture
• Separation Logic Review
• Concurrent Separation Logic (CSL)
• Rely-Guarantee Reasoning (R-G)
• Modular verification of fine-grained concurrency – recent progress
![Page 20: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/20.jpg)
Separation Logic for Concurrency
100100 101
T1: T2:
[ 100 ] := 3 [ 101 ] := 5
3 5
T1: T2:
[ 100 ] := 3 [ 100 ] := 5
3/5
Separation is an effective way to control interference.
![Page 21: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/21.jpg)
The language
x := e | [e] := e' | x := [e] | cons(e)
| dispose(e) | C; C | C || C | …
A new construct:
l.acq() | l.rel()
![Page 22: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/22.jpg)
Operational Semantics
(l.acq(), (s, h, L)) (skip, (s, h, L{l 0}) )
Program state: (s, h, L)
where L locks {0, 1}
L(l) = 1
(l.rel(), (s, h, L)) (skip, (s, h, L{l 1}) )
![Page 23: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/23.jpg)
How to control interference?
• Basic idea:– Each thread has private memory (resource)
• The private resource can be arbitrarily used• Private resources of different threads are disjoint
– Shared resources are protected by locks• Shared resources are disjoint with local resources• Can only be used when the lock is acquired (i.e. in
critical regions)• Different locks protect different resources
![Page 24: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/24.jpg)
Basic Memory Model
Private PrivateShared (accessible only in critical regions)
![Page 25: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/25.jpg)
Basic Memory Model
![Page 26: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/26.jpg)
Basic Memory Model
![Page 27: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/27.jpg)
Basic Memory Model
![Page 28: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/28.jpg)
Basic Memory Model
When the resource is acquired/released, it must be well-formed. The well-formedness is resource invariant.
![Page 29: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/29.jpg)
Concurrent Separation Logic (CSL)
Lock-based critical regions (CR): l.acq();…………
l.rel()
Invariants about memory protected by locks:
= {l1 r1, …, ln rn}
r1 rn
. . .
l1 ln
![Page 30: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/30.jpg)
CSL – Formalization
Key ideas:
Threads can only access disjoint resources at the same time.
p q p q
┝ {p2} C2 {q2} ┝ {p1} C1 {q1}
┝ {p1 p2} C1 || C2 {q1 q2}
![Page 31: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/31.jpg)
CSL – Parallel Composition
p q p q
┝ {p2} C2 {q2} ┝ {p1} C1 {q1}
┝ {p1 p2} C1 || C2 {q1 q2}
I() p1 p2 I() q1 q2
r1 rn
. . .
l1 ln
We’ll define I() later.
![Page 32: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/32.jpg)
CSL - Locks
┝ {p} l.acq() {p (l)}
Lock acquire:
Note: do not support reentrant locks
┝ {p (l)} l.rel() {p}
Lock release:
Compare the rules with cons and dispose
![Page 33: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/33.jpg)
ExamplesPut (x):
l.acq();
while( full ){
l.rel();
l.acq();
}
c := x;
full := true;
l.rel();
Get (y):
l.acq();
while( !full ){
l.rel();
l.acq();
}
y := c;
full := false;
l.rel();
(l) = full c _, _ full emp
![Page 34: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/34.jpg)
ExamplesPut (x):
l.acq();
while( full ){
l.rel();
l.acq();
}
(l) = full c _, _ full emp
c := x;
full := true;
l.rel();
{x _, _ }
{x _, _ (l) }
{x _, _ (l) }
{x _, _ }
{x _, _ (l) full }
{x _, _ (l) full }
{x _, _ }
{c _, _ }
{full c _, _ }
{(l) }
{emp }
![Page 35: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/35.jpg)
Examplesget (y):
l.acq();
while( !full ){
l.rel();
l.acq();
}
(l) = full c _, _ full emp
y := c;
full := false;
l.rel();
{emp}
{ (l) }
{(l) }
{ emp }
{(l) full }
{ (l) full }
{c _, _ }
{y _, _ }
{y _, _ (full emp) }
{y _, _ (l)}
{y _, _ }
![Page 36: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/36.jpg)
Examples
x := cons(a, b);
put(x);
get(y);
use(y);
dispose(y);
{x _, _ } put (x) {emp } {emp} get (y) {y _, _ }
{emp emp}
{emp}
{emp} {emp}
{x _, _ }
{emp }
{y _, _ }
{y _, _ }
{emp}{emp emp}
![Page 37: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/37.jpg)
Outline of This Lecture
• Separation Logic Review
• Concurrent Separation Logic (CSL)
• Rely-Guarantee Reasoning (R-G)
• Modular verification of fine-grained concurrency – recent progress
![Page 38: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/38.jpg)
Owicki-Gries MethodSusan Owicki and David Gries, 1975
![Page 39: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/39.jpg)
Non-InterferenceKey idea: execution of a statement does not invalidate proofs of other code fragments that may run in parallel with the statement in question.
Given a proof {p} c {q}, and a command T whose precondition is pre(T), we say T does not interfere with {p} c {q} if
- {q pre(T)} T {q}; and
- for all c’ in c (but not in await), {pre(c’) pre(T)} T {pre(c’)}
![Page 40: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/40.jpg)
Non-Interference
{p1} c1 {q1}, … {pn} cn {qn} are interference-free if, for any await or primitive statement T (not inside await) in ci, and for all j i, T does not interfere with {pj} cj {qj}.
This method is not compositional!
![Page 41: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/41.jpg)
![Page 42: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/42.jpg)
![Page 43: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/43.jpg)
![Page 44: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/44.jpg)
![Page 45: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/45.jpg)
![Page 46: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/46.jpg)
Rely-Guarantee Reasoning
• Use rely (R) and guarantee (G) conditions to summarize the behaviors of environments and the thread itself.
R R R
G G G
p q
![Page 47: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/47.jpg)
Rely-Guarantee Reasoning
• R and G: specification of state transitionsexample: x’ x
R R R
G G G
p q
![Page 48: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/48.jpg)
Inference Rules
![Page 49: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/49.jpg)
Inference Rules (2)
![Page 50: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/50.jpg)
Example
< x := x+1 > < x := x+1 >||
{x = 0}
{x = 2}
![Page 51: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/51.jpg)
y := 0; z := 0;
< x := x+1; y := 1; >
< x := x+1; z := 1; >||
{x = 0}
{x = 2}
G1 y = 0 y’ = 1 x’ = x+1 z’ = z
G2 z = 0 z’ = 1 x’ = x+1 y’ = y
R1 G2 R2 G1
{x = y+z y = 0} {x = y+z z = 0}
{x = y+z y = 1} {x = y+z z = 1}
{x = y+z y = 0 z = 0}
{x = y+z y = 1 z = 1}
![Page 52: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/52.jpg)
Soundness
• Partial correctness
• Safety
• Preservation of R/G
![Page 53: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/53.jpg)
Outline of This Lecture
• Separation Logic Review
• Concurrent Separation Logic (CSL)
• Rely-Guarantee Reasoning (R-G)
• Modular verification of fine-grained concurrency – recent progress
![Page 54: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/54.jpg)
An Optimistic Non-blocking Stack
ABA problem leads to corrupted stacks
…n Next n Next
Top
pop( ){ local done, next, t; done = false; while (!done) { t = Top; if (t==null) return null; next = t.Next; done = CAS(&Top, t, next); } return t;
![Page 55: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/55.jpg)
ABA Problem
Threads T1 and T2 are interleaved as follows:
A
B
C
Top
t
next
Timeline
T1:pop(){ t = Top next = t.Next interrupted
resumesCAS(&Top,t,next) succeedsstack corrupted
T2: a = pop(); b = pop(); push(a);
Top
Top
![Page 56: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/56.jpg)
Fix Bugs with Hazard Pointers [Michael04]
pop( ){1 local done, next, t, t1; 2 done = false;3 while (!done) {4 t = Top;5 if (t==null) return null;6 HP[tid] = t;7 t1 := Top;8 if (t == t1){ 9 next = t.Next;10 done = CAS(&Top, t,
next);11 }12 }13 retireNode(t);14 HP[tid] = null;15 return t;
push(x)16 local done, t;
17 done = false;18 while(!done) {19 t = Top;20 x.Next := t;21 done = CAS(&Top,
t, x);22 }23 return true;How to verify its correctness?
![Page 57: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/57.jpg)
The key of concurrency verification is to control sharing of resources.
Two classic methods:
Concurrent Separation Logic (CSL) [O’Hearn 2004]
Rely-Guarantee Reasoning [Jones'83]
![Page 58: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/58.jpg)
Concurrent Separation Logic
Very good modularity– Reduce concurrency verification to seq. verification– Frame rules (will explain later)
Invariant not very expressive for fine-grained alg.How to say “x cannot decrease in C”?
(necessary for fine-grained algorithms)
need extensive use of auxiliary variablessee [Parkinson et al.’07]
atomic{ -{ I } C -{ I } }
![Page 59: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/59.jpg)
The key of Concurrency Verification is to control sharing of resources.
Two classic methods:
Concurrent Separation Logic (CSL) [O’Hearn 2004]
Rely-Guarantee Reasoning [Jones'83]
![Page 60: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/60.jpg)
Rely-Guarantee Reasoning
All resources are shared,but access must follow contracts (R-G)!
(R1, G1) (R2, G2)
![Page 61: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/61.jpg)
Rely-Guarantee Reasoning
• Thread T and its environment– Environment: the collection of all other threads except T
• R: rely condition about environment’s transition
• G: guarantee to the environment
• p, q: pre-/post-conditions
(R,G) {p} C {q}┝
![Page 62: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/62.jpg)
Rely-Guarantee Reasoning
(R1, G1) (R2, G2)
Non-Interference (NI): G2 R1 and G1 R2
![Page 63: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/63.jpg)
Example
…
[100] := m;
…
…
[101] := n;
…
100 101
G1: [101] = [101]'
R1: [100] = [100]'
G2: [100] = [100]'
R2: [101] = [101]'
Modularity broken!
![Page 64: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/64.jpg)
Rely-Guarantee Reasoning
Expressive for fine-grained concurrency “x cannot decrease”: x' x
Treat everything as shared; no private data Limited support of modularity
![Page 65: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/65.jpg)
Expressiveness and Modularity
Expressiveness of interference
Mo
du
larity (lo
ca
l rea
son
ing
)
CSL
R-G
How to reach here?
![Page 66: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/66.jpg)
Modular verification of fine-grained concurrency
SAGL [Feng et al’07]
RGSep[Vafeiadis & Parkinson’07]
LRG [Feng’09]
HLRG [Fu et al'10]
Deny-Guarantee[Dodds et al'09]
![Page 67: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/67.jpg)
SAGL: Separated A-G Logic[Feng et al'07]
Key idea: Separate resources into local and shared!
Private PrivateShared
(R1, G1) (R2, G2)(R2, G2)
![Page 68: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/68.jpg)
SAGL [Feng et al’07]
• Separate resources into shared and private
• Shared can be accessed at any time– governed by R and G– more expressive than I in CSL
• Exclusive access to private resources– follows local reasoning in CSL– not specified in R and G– better memory modularity
(R,G) {(a, p)} C {(r, q)}┝
![Page 69: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/69.jpg)
Example: regained data modularity
…
[100] := m;
…
…
[101] := n;
…
100 101
-{(emp , 100 _) } -{(emp , 101 _)}
G1: emp
R1: emp
G2: emp
R2: emp
![Page 70: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/70.jpg)
Expressiveness and Modularity
Expressiveness of interference
Mo
du
larity (lo
ca
l rea
son
ing
)
CSL
R-G
SAGL(RGSep)
But still not as modular as CSL!
More expressive for interference:R/G vs. invariants I
More modular:do not specify local data in R/G
![Page 71: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/71.jpg)
R-G with Local Reasoning
Frame rules in CSL:
I {p} ┝ C {q}
I I' {p} ┝ C {q}
No corresponding rules in R-G, SAGL and RGSep.
(R,G) {(a, p)} C {(r, q)}┝
All shared resources must be globally known and specified in R/G.
Allow local reasoning and information hiding.
![Page 72: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/72.jpg)
LRG: Local Rely-Guarantee Reasoning[Feng'09]
a a' S1 S2 S1' S2'
a
a'
Separating conjunction over R/G:
(R0R1,G0G1) {p┝ r} C {p'r}
side conditions omitted(frame)
(R0,G0) {p} ┝ C {p'}
![Page 73: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/73.jpg)
LRG
Another interesting rule for modularity:
(R0R1,G0G1) {p} ┝ C {q} side conditions omitted
(R1,G1) {p} ┝ C {q}
(hide)
Need invariants as fences
R, G, I {p} C {q}┝
![Page 74: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/74.jpg)
Expressiveness and Modularity
Expressiveness of interference
Mo
du
larity (lo
ca
l rea
son
ing
)
CSL
R-G
SAGLRGSep
LRG
R * R'G * G'
![Page 75: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/75.jpg)
HLRG – Adding Histories to R/G[Fu et al.’10]
LRG still not good enough to verify the stack algorithm
Existing approach: heavy use of history variables.
Needs to say “if something happened before in history, then I guarantee that …”
Our solution:
Adding past-tense temporal operators to assertions and R/G
![Page 76: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/76.jpg)
HLRG - Assertion Language
State Assertions:
Trace Assertions:
p, q, R, G::= P | Id | p q | …
P , Q ::= B | E E | P * Q | …
![Page 77: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/77.jpg)
p qTime
p
q
p holds over the historical trace
q holds ever since
q
![Page 78: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/78.jpg)
Time
p = (p true) p
p was once true in the history, including the current trace.
p
![Page 79: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/79.jpg)
p holds at every step in the history
p = ( p)Time
p
…p
pp
![Page 80: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/80.jpg)
p q
Time
p
q
s6s5s4s3s2s1s0
![Page 81: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/81.jpg)
HLRG
R, G, I {p} C {q}┝
Now R, G, I, p and q are all trace assertions
The stack algorithm verified without using history variables!
![Page 82: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/82.jpg)
Expressiveness and Modularity
Expressiveness of interference
Mo
du
larity (lo
ca
l rea
son
ing
)
CSL
R-G
SAGLRGSep
LRG HLRG
use trace assertions
![Page 83: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/83.jpg)
Expressiveness and Modularity
Expressiveness of interference
Mo
du
larity (lo
ca
l rea
son
ing
)
CSL
R-G
SAGLRGSep
LRG HLRG
Deny-Guarantee
A separation algebra for interference (D-G)
![Page 84: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/84.jpg)
What do we learn?
We need expressive assertions to specify fine-grained interference!
Invariant I Actions (R,G) Trace assertionsp, p,
Separation gives us local reasoning (modularity)!
All resources as shared
Separate local & shared in R/G
R R' and G G'
(p) (q) …
![Page 85: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/85.jpg)
Take-home messages:
We need expressive assertions to specify fine-grained interference!
Separation gives us local reasoning (modularity)!
![Page 86: Concurrency Verification. Why concurrency verification Concurrent programs show in many systems –Multi-task support in OS kernels –Handling interrupts](https://reader030.vdocument.in/reader030/viewer/2022032414/56649ee65503460f94bf6ab1/html5/thumbnails/86.jpg)
Reading Recommendation
• Modular fine-grained concurrency verification Viktor’s Thesis
• Local Rely Guarantee, Xinyu Feng
• HLRG
• Deny-Guarantee Reasoning