A Calculus of Atomic Actions - PowerPoint PPT Presentation

1 / 56

About This Presentation

Title:

A Calculus of Atomic Actions

Description:

havoc t; assume x == t; x := t 1; SIMULATE. SIMULATE. 22. Abstraction for reduction ... havoc t; x := x 1; B. 26. Abstraction. abstracted by. Abstraction ... – PowerPoint PPT presentation

Number of Views:36

Avg rating:3.0/5.0

Slides: 57

Provided by: theore

Category:

more less

Transcript and Presenter's Notes

Title: A Calculus of Atomic Actions

1
A Calculus of Atomic Actions
Tayfun Elmas Koç University Istanbul,
Turkey Shaz Qadeer Serdar Tasiran Microsoft
Research Koç University Redmond,
WA Istanbul, Turkey
Microsoft Research
2
Challenge
2

Problem Prove properties of concurrent programs
statically
Challenge in proofs Interaction between threads
on shared memory
Existing methods Deal with non-interference at
fine granularity
Small atomic actions, many interleavings
Forced to think about concurrency and data at the
same time

3
The QED method

QED Static verification method, and supporting
tool
Central idea Atomicity as proof tool
Goals
Check assertions
Local conditions, data integrity, no null
pointer dereferences, ...
Reason about clean states
When no thread is running list is sorted, ...

4
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

5
Example increment
global int x x 0 assert (x 2)
local int t acquire (lock) t x t t
1x t release (lock)
local int t acquire (lock) t x t t
1x t release (lock)
6
Proof by Owicki-Gries

A
ltB_at_L0gtx0, B_at_L5gtx1gt
L0 acquire(l)
ltB_at_L0gtx0, B_at_L5gtx1, held(l,A)gt
L1 t x
ltB_at_L0gtx0, B_at_L5gtx1, held(l,A), txgt
L2 t t 1
ltB_at_L0gtx0, B_at_L5gtx1, held(l,A), tx1gt
L3 x t
ltB_at_L0gtx1, B_at_L5gtx2, held(l,A)gt

B ltA_at_L0gtx0, A_at_L5gtx1gt L0
acquire(l) ltA_at_L0gtx0, A_at_L5gtx1,
held(l,B)gt L1 t x ltA_at_L0gtx0, A_at_L5gtx1,
held(l,B), txgt L2 t t 1 ltA_at_L0gtx0,
A_at_L5gtx1, held(l,B), tx1gt L3 x
t ltA_at_L0gtx1, A_at_L5gtx2, held(l,B)gt L4
release(l) ltA_at_L0gtx1, A_at_L5gtx2gt

7
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

8
The QED approach
8

Difficult to prove
Fine-grain concurrency
Annotations at every
interleaving point

Easy to prove
Larger atomic blocks
Local, sequential analysis
within atomic blocks

Proof strategy
Transform program by enlarging atomic blocks
Certify P1 correct by analyzing Pn

9
The QED approach
9

Each proof step
Preserves assertion violations
Governed by a QED proof rule
Updates invariant, or
Transforms program
Reduction
Abstraction
Abstraction Reduction Keep enlarging atomic
actions

10
Soundness theorem
10
Abstraction
s1
Forall
s1
s1
1. If
error
error
then exists
s1
s2
s1
s2
2. If
then exists
s1
or
error
Theorem Preservation
For each proof step

Theorem Soundness
For each proof

11
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

12
Example increment
inc () local int t acquire (lock)
t x t t 1 x t
release(lock)
Main x 0 inc()
inc() assert (x 2)
13
Proof by reduction
inc () int t acquire (lock)
t x t t 1 x
t release(lock)
inc () int t acquire (lock)
t x t t 1 x
t release(lock)
R
B
REDUCE-SEQUENTIAL
B
B
L
inc () x x 1
14
Proof by reduction
Main x 0 inc()
inc() assert (x 2)
Main x 0 x x 1 x x
1 assert (x 2)
Main x 0 x x 1 x x
1 assert (x 2)
B
B
REDUCE-PARALLEL
INLINE-CALL
15
Reduction
15
? right-mover
?
? ?
? ?
For each execution Exist equivalent executions
... ? ? ? ?1 ? ?2 ? ... ? ?n ? ? ? ...
... ? ?1 ? ? ? ?2 ? ... ? ?n ? ? ? ...
...........
... ? ?1 ? ?2 ? ... ? ? ? ?n ? ? ? ...
... ? ?1 ? ?2 ? ... ? ?n ? ? ? ? ? ...
16
Static mover check - 1
16

Right mover Commutes to the right of any other
action run by a different thread
Static right-mover check for ?

?
Insert(x)
......
......
For every action ? in program (run by different
thread)
......
.......
?
Delete(x)
......
......
abstracted by
......
......
? ?
? ?
.......
Find(x)
......
......
......
.......
17
Static mover check - 2
17

Static right-mover check between ? and ?
Simple cases
Mover check passes ? and ? access different
variables
Fails ? and ? 1) simultaneously enabled and
2) perform conflicting accesses to a
variable

abstracted by
? ?
? ?
18
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

19
Non-blocking increment
19
inc () int t while(true)
t x if(CAS(x, t,
t1)) break
Main x 0 inc()
inc() assert (x 2)
CAS(x, t, t 1)
if (x t) x t 1 return true else
return false
20
Non-blocking increment
20
inc () int t while()
t x assume x ! t t
x assume x t x t 1
inc () int t while(true)
t x if(CAS(x, t,
t1)) break
21
Abstraction for reduction
21
inc () int t while()
havoc t assume x ! t
havoc t assume x t x t 1
inc () int t while() t
x assume x ! t t
x assume x t x t 1
SIMULATE
SIMULATE
22
Abstraction for reduction
22
inc () int t while()
havoc t assume x ! t
havoc t assume x t x t
1
inc () int t while()
havoc t skip havoc
t assume x t x t 1
SIMULATE
23
Abstraction for reduction
23
inc () int t while()
havoc t skip
havoc t assume x t x t 1
inc () int t while()
havoc t skip
havoc t assume x t x t 1
B
REDUCE
B
REDUCE
B
24
Proof by reduction
24
inc () int t while()
havoc t skip
havoc t assume x t x t 1
inc () int t havoc t
havoc t x x 1
REDUCE-LOOP
B
25
Proof by reduction
25
inc () int t havoc t
havoc t x x 1
inc () int t havoc t
x x 1
B
26
Abstraction
26

Abstraction rule
Replace ? with ? if

abstracted by
?
?
s1
Forall
?
?
s1
s1
error
1. If
error
then exists
?
?
s1
s2
s1
s2
2. If
then exists
?
s1
or
error

Going wrong more often is sound for assertion
checking

27
Abstraction
abstracted by
?
?
Adding non-determinism
Adding behaviors that go wrong
if (x 1) y y 1
if () y y 1
if (x 0) fail x x 1
x x 1
t x
havoc t
assert (x ! 0) y y / x
y y / x
assume x ! t
skip
28
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

29
Example Sorted linked list with hand-over-hand
locking
29

Procedures Find, Insert, Delete
Prove
Local assertions
List is sorted when no procedure is running
Straightforward if procedures are atomic
Difficulty
Fine-grained locking Lock only nodes that are
currently used

30
Insert(5)
30
Find(5) returns p (locked)
p
n
head
5
t
p
n
head
31
Insert(x)
31
p, t, n local references to nodes
p Find(x) // locks p
n p.next
t new Node ()
t.val x
t.next n
p.next t
p.val lt t.val lt n.val p.next t t.next
n
assert (p, t, n sorted)
UNLOCK(p)
32
Insert(x)
32
Invariant List is sorted
p Find(x) // locks p
n p.next
t new Node ()
t.val x
t.next n
p.next t
assert (p, t, n sorted)
UNLOCK(p)
33
Insert(x)
33
Invariant List is sorted
p Find(x) // locks p
1
p.val and p.next not touched by other threads
n p.next
t new Node ()
2
t.val x
t.val, t.next thread local
t.next n
p.next t
3
t.val, t.next not touched by other threads
assert (p, t, n sorted)
UNLOCK(p)
34
QED approach Proof using atomicity
34
Insertn(x) In list is sorted
? ... ?
Insert1(x)
Find appropriate p from list LOCK(p) n
p.next t new Node () t.val x t.next
n p.next t assert (p, t, n
sorted) UNLOCK(p)
Concurrency facts to enlarge atomic actions
Data facts to prove assertion
35
QED approach Proof using atomicity
35
Insertn(x) In list is sorted
? ... ?
Insert1(x)
Find appropriate p from list LOCK(p) n
p.next t new Node () t.val x t.next
n p.next t assert (p, t, n
sorted) UNLOCK(p)

Proof script
Make Find atomic, inline
Reduce
Add aux. variable inList
Abstract using inList
Reduce
Add invariant

36
Applying reduction
36
Insert(x)
Insert(x)
Find appropriate p from list LOCK(p)
Find appropriate p from list LOCK(p)
n p.next
n p.next
R
t new Node () t.val x
t new Node ()
t.val x
t.next n
t.next n
p.next t
p.next t
assert (p, t, n sorted) UNLOCK(p)
assert (p, t, n sorted)
L
UNLOCK(p)
37
What if reduction gets stuck?
37
Insertn(x) In list is sorted
Inserti(x)
?
Insert1(x)
Reduction
?
?
Find appropriate p from list LOCK(p) n
p.next t new Node () t.val x t.next
n p.next t assert (p, t, n
sorted) UNLOCK(p)
38
Reduction stuck Need abstraction
38
Mover check between?? and ?
Thread A
?
Thread B
p.next t
?
n p.next
?
n p.next
?
p.next t

Case 1 ps in Thread A,B refer to different
nodes
? No interference, mover check passes
Case 2 ps in Thread A,B refer to same node
? Apparent interference, mover check fails
BUT, both ps are locked ? ? and ? not
simultaneously enabled
Solution Put global facts about locking inside
actions

39
Ruling out apparent interference - 1
39

Assertions Nodes locked by different threads
? No interference, mover check passes

40
Ruling out apparent interference - 2
40

Assertions t not in the list, p is in the list
? No interference, mover check passes

Thread A
Thread B
?
assert !inListt t.next n
?
assert inListp n p.next
?
assert inListp n p.next
?
assert !inListt t.next n
41
Reduction after abstraction
41
Insert(x)
Insert(x)
Find appropriate p from list LOCK(p) assert
inListp ownerp tid n p.next t
new Node() t.val x assert !inListt
t.next n assert inListp ownerp
tid p.next t assert (p, t, n
sorted) assert ownerp tid UNLOCK(p)
?
42
Borrowing and paying back assertions
42
Insert(x)
Insert(x)
Find appropriate p from list LOCK(p) assert
inListp ownerp tid n p.next t
new Node () t.val x assert !inListt
t.next n assert inListp ownerp
tid p.next t assert (p, t, n
sorted) assert ownerp tid UNLOCK(p)
?
43
Completing the proof
43
Proof result Soundness theorem

Insertn satisfies assertion and In states list is
sorted.
Insert1 satisfies assertion from In, a sorted
list.
When no thread is executing, list is sorted.

Insertn(x) In list is sorted
Abstraction Reduction
Inserti(x)
Insert1(x)
Reduction
?
?
Find appropriate p from list LOCK(p) n
p.next t new Node () t.val x t.next
n p.next t assert (p, t, n
sorted) UNLOCK(p)
44
Outline

Problem
QED proof strategy
Reduction, example
Abstraction, example
Borrowing assertions, example
Proofs with tactics
Experience
Conclusion

45
Proofs with tactics

Tactic Applies multiple proof rules
More intuitive and specific purpose
Represent complicated, coarse proof steps
concisely
Example reduce stmt
Apply multiple reduction rules
Proofs in implementation Guided by proof scripts
Sequence of tactics

46
Tactics for abstraction

All apply SIMULATE
abstract read x, ? Makes read of x
nondeterministic
abstract write x, ? Makes write of x
nondeterministic
assert p, ? Add assertion p to ?

47
Tactics for synchronization

mutex P, x1, x2,..., xn Specify use of
mutual-exclusion idiom
Use of AUX-ANNOTATE, INVARIANT, SIMULATE
A conceptual lock indicated by P
Add new auxiliary variable a (AUX-ANNOTATE)
Annotate acquire and release actions so that
(AUX-ANNOTATE)
When lock is held ? atid
When lock is free ? a 0
Add invariant (a ! 0) ? P (INVARIANT)
Add assertion (atid) wherever x1, x2,..., xn
are accessed (SIMULATE)

48
Abstraction with assertions
mutex (lock true), x
inc () int t acquire (lock)
t x t t 1 x t
release(lock)
acquire(lock) release(lock)
assume lock false lock true
lock false
49
Abstraction with assertions
mutex (lock true), x
New invariant (lock true)?? (a ! 0)
inc () int t acquire (lock) a
tid t x t t 1
x t release(lock) a 0
inc () int t acquire (lock)
t x t t 1 x t
release(lock)
AUX-ANNOTATE
50
Abstraction with assertions
mutex (lock true), x
Invariant (lock true)?? (a ! 0)
inc () int t acquire (lock) a
tid assert a tid t x
t t 1 assert
a tid x t assert a tid
release(lock) a 0
inc () int t acquire (lock) a
tid t x t t 1
x t release(lock) a 0
SIMULATE
51
Abstraction with assertions
mutex (lock true), x
Invariant (lock true)?? (a ! 0)
Discharges the assertions
inc () int t acquire (lock) a
tid assert a tid t x
t t 1 assert a
tid x t assert a tid
release(lock) a 0
inc () int t acquire (lock) a
tid assert a tid t x
t t 1 assert a
tid x t assert a tid
release(lock) a 0
R
B
B
B
L
REDUCE RELAX
52
Outline