Verifying Properties of Parallel Programs: An Axiomatic Approach

Download Presentation

Verifying Properties of Parallel Programs: An Axiomatic Approach

Loading in 2 Seconds...

- 114 Views
- Uploaded on
- Presentation posted in: General

Verifying Properties of Parallel Programs: An Axiomatic Approach

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Verifying Properties of Parallel Programs: An Axiomatic Approach

Susan Owicki and David Gries

Communications of the ACM, 1976

Presented by Almog Benin

1/6/2014

- Introduction
- The language
- The axioms
- Theorems
- mutual exclusion, termination & deadlock

- Related work
- Conclusions

- Concurrent programs becomes more popular
- It’s harder to prove their correction
- Scheduling can be changed
- Regular testing is not enough

- The suggested solution:
- Axiomatic proof system

- Derived from Algol 60
- Contains the usual statements:
- Assignment
- Conditional
- Loops: while \ for
- Compound \ null

- Denote by:
- – a set of variables
- – a statement
- – a boolean condition

- Parallel execution statement:
resource,…,:

cobegin//…//coend

- Critical section statement:
with r whendo

- Each statement has:
- Pre-condition
- Post-condition

- Wrote as
- We assume that sequential execution is simple to be proved.
- – the invariant for the resource r
- Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

- Each statement has:
- Pre-condition
- Post-condition

- Wrote as
- We assume that sequential execution is simple to be proved.
- – the invariant for the resource r
- Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

- The critical section axiom:
- If:
- is the invariant from the cobegin statement
- No variable free in P or Q is changed in another thread

- Then:
- withwhen do

- If:
- For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

- The parallel execution axiom:
- If:
- …
- No variable free in or is changed in )
- All variables in belong to resource

- Then:
- resource : cobegincoend

- If:
- For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

- Using the invariant, we have the result:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

- Unable to proof using the existing axioms.
- This program does the same as the former.

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

- The solution: make use of auxiliary variables
- Auxiliary variable is a variable which is assigned, but never used
- Removing this variable doesn’t change the program.

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

- If:
- AV is an auxiliary variable set for a statement .
- obtained by deleting all assignments to variables in AV.
- is true
- and don’t refer to variable any variables from AV.

- Then:
- is also true.

- 5 bowls of spaghetti
- 5 forks
- 5 philosophers
- Each philosopher repeatedly eats and then thinks
- Needs 2 forks for eating

begin

forstep 1 until 4

begin;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable

begin

forstep 1 until 4

begin ;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable

- We will prove that there are no 2 neighbors eating together.
- Assume by contradiction that there is for which .
- We will derive a contradiction:
- For that, we need to proof a new theorem.
- Because another philosopher may be in a critical section ( will not hold).

- For that, we need to proof a new theorem.

Suppose:

- and are statements in different parallel threads of a program
- Neither nor belongs to a critical section for resource .
- Let and be assertions that holds during the execution of and , respectively.
Then:

and are mutually exclusive

if and are true when the execution of begins.

Example:

By theorem #1:

In contradiction.

- A thread is blocked if it is stopped at the statement withwhendo because is false or because another thread is using resource .
- A parallel program is blockedif at least one thread is blocked, and all other threads are either finished or blocked as well.
- A parallel program is deadlock-free if there is no computation lead it to be blocked.

- Suppose program contains the statement:
- = resource; cobegincoend

- Let the with-when statements of thread be
- = withwhendo

- Let pre and be assertions derived from a proof of .

- means: “for each thread, it is either finished or blocked at the beginning of one of its with-when statement”:
- means: “There is at least one thread that is blocked by one of the with-when statement”:
Then if , is deadlock-free if is true when execution begins.

Let . Thus:

And thus the dining philosophers program is deadlock free.

- Definition: A statement terminates conditionally if it can be proved to terminate under the assumption that it doesn’t become blocked.
- Theorem: if is a cobeginstatement in a program which is deadlock-free, terminates if each of its parallel threads terminates conditionally.
- Easy to be proved for the dining philosophers

- This work uses a language presented by Hoare (1972).
- However, Hoare’s solution provides partial correctness (a program that produces the correct result or doesn’t terminate).
- It also fails to prove partial correctness for some simple programs.

- We presented an axiomatic proof system for parallel programs.
- We defined some theorems based on these axioms.
- We applied these theorems on the dinning philosophers problem.

?

- Is that proof system cost-effective?
- Better than normal testing?

- What is the best way to use this proof system?
- Manual?
- Automatic?
- Interactive?