Verifying properties of parallel programs an axiomatic approach
This presentation is the property of its rightful owner.
Sponsored Links
1 / 27

Verifying Properties of Parallel Programs: An Axiomatic Approach PowerPoint PPT Presentation


  • 96 Views
  • Uploaded on
  • Presentation posted in: General

Verifying Properties of Parallel Programs: An Axiomatic Approach. Susan Owicki and David Gries Communications of the ACM, 1976 Presented by Almog Benin 1 /6/2014. Outline of talk. Introduction The language The axioms Theorems mutual exclusion, termination & deadlock Related work

Download Presentation

Verifying Properties of Parallel Programs: An Axiomatic Approach

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Verifying properties of parallel programs an axiomatic approach

Verifying Properties of Parallel Programs: An Axiomatic Approach

Susan Owicki and David Gries

Communications of the ACM, 1976

Presented by Almog Benin

1/6/2014


Outline of talk

Outline of talk

  • Introduction

  • The language

  • The axioms

  • Theorems

    • mutual exclusion, termination & deadlock

  • Related work

  • Conclusions


Introduction

Introduction

  • Concurrent programs becomes more popular

  • It’s harder to prove their correction

    • Scheduling can be changed

    • Regular testing is not enough

  • The suggested solution:

    • Axiomatic proof system


The language

The language

  • Derived from Algol 60

  • Contains the usual statements:

    • Assignment

    • Conditional

    • Loops: while \ for

    • Compound \ null


The language cont

The language – cont’

  • Denote by:

    • – a set of variables

    • – a statement

    • – a boolean condition

  • Parallel execution statement:

    resource,…,:

    cobegin//…//coend

  • Critical section statement:

    with r whendo


Example

Example

  • Each statement has:

    • Pre-condition

    • Post-condition

  • Wrote as

  • We assume that sequential execution is simple to be proved.

  • – the invariant for the resource r

    • Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end


Example cont

Example – cont’

  • Each statement has:

    • Pre-condition

    • Post-condition

  • Wrote as

  • We assume that sequential execution is simple to be proved.

  • – the invariant for the resource r

    • Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end


Axiom 1

Axiom #1

  • The critical section axiom:

    • If:

      • is the invariant from the cobegin statement

      • No variable free in P or Q is changed in another thread

    • Then:

      • withwhen do

  • For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end


Axiom 2

Axiom #2

  • The parallel execution axiom:

    • If:

      • No variable free in or is changed in )

      • All variables in belong to resource

    • Then:

      • resource : cobegincoend

  • For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end


The consequence

The consequence

  • Using the invariant, we have the result:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end


Axiom 3 auxiliary variable axiom

Axiom #3 - Auxiliary Variable Axiom:

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

  • Unable to proof using the existing axioms.

  • This program does the same as the former.


Axiom 3 auxiliary variable axiom1

Axiom #3 - Auxiliary Variable Axiom:

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

  • The solution: make use of auxiliary variables

    • Auxiliary variable is a variable which is assigned, but never used

    • Removing this variable doesn’t change the program.


Axiom 3 auxiliary variable axiom2

Axiom #3 - Auxiliary Variable Axiom:

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

  • If:

    • AV is an auxiliary variable set for a statement .

    • obtained by deleting all assignments to variables in AV.

    • is true

    • and don’t refer to variable any variables from AV.

  • Then:

    • is also true.


The dining philosophers problem

The Dining Philosophers Problem

  • 5 bowls of spaghetti

  • 5 forks

  • 5 philosophers

  • Each philosopher repeatedly eats and then thinks

  • Needs 2 forks for eating


Verifying properties of parallel programs an axiomatic approach

begin

forstep 1 until 4

begin;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable


Verifying properties of parallel programs an axiomatic approach

begin

forstep 1 until 4

begin ;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable


Mutual exclusion

Mutual Exclusion

  • We will prove that there are no 2 neighbors eating together.

  • Assume by contradiction that there is for which .

  • We will derive a contradiction:

    • For that, we need to proof a new theorem.

      • Because another philosopher may be in a critical section ( will not hold).


Theorem 1 the mutual exclusion theorem

Theorem #1:The Mutual Exclusion Theorem

Suppose:

  • and are statements in different parallel threads of a program

  • Neither nor belongs to a critical section for resource .

  • Let and be assertions that holds during the execution of and , respectively.

    Then:

    and are mutually exclusive

    if and are true when the execution of begins.

Example:

By theorem #1:

In contradiction.


Deadlock

Deadlock

  • A thread is blocked if it is stopped at the statement withwhendo because is false or because another thread is using resource .

  • A parallel program is blockedif at least one thread is blocked, and all other threads are either finished or blocked as well.

  • A parallel program is deadlock-free if there is no computation lead it to be blocked.


Theorem 2 the blocking theorem

Theorem #2: The Blocking Theorem

  • Suppose program contains the statement:

    • = resource; cobegincoend

  • Let the with-when statements of thread be

    • = withwhendo

  • Let pre and be assertions derived from a proof of .


Theorem 2 the blocking theorem cont

Theorem #2: The Blocking Theorem – cont’

  • means: “for each thread, it is either finished or blocked at the beginning of one of its with-when statement”:

  • means: “There is at least one thread that is blocked by one of the with-when statement”:

    Then if , is deadlock-free if is true when execution begins.


The blocking theorem in the dining philosophers

The Blocking Theorem in The Dining Philosophers

Let . Thus:

And thus the dining philosophers program is deadlock free.


Theorem 3 termination

Theorem #3: Termination

  • Definition: A statement terminates conditionally if it can be proved to terminate under the assumption that it doesn’t become blocked.

  • Theorem: if is a cobeginstatement in a program which is deadlock-free, terminates if each of its parallel threads terminates conditionally.

  • Easy to be proved for the dining philosophers


Related work

Related work

  • This work uses a language presented by Hoare (1972).

    • However, Hoare’s solution provides partial correctness (a program that produces the correct result or doesn’t terminate).

    • It also fails to prove partial correctness for some simple programs.


Conclusion

Conclusion

  • We presented an axiomatic proof system for parallel programs.

  • We defined some theorems based on these axioms.

  • We applied these theorems on the dinning philosophers problem.


Questions

Questions?

?


My thoughts

My thoughts

  • Is that proof system cost-effective?

    • Better than normal testing?

  • What is the best way to use this proof system?

    • Manual?

    • Automatic?

    • Interactive?


  • Login