1 / 27

# Verifying Properties of Parallel Programs: An Axiomatic Approach - PowerPoint PPT Presentation

Verifying Properties of Parallel Programs: An Axiomatic Approach. Susan Owicki and David Gries Communications of the ACM, 1976 Presented by Almog Benin 1 /6/2014. Outline of talk. Introduction The language The axioms Theorems mutual exclusion, termination & deadlock Related work

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Verifying Properties of Parallel Programs: An Axiomatic Approach' - ailsa

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Verifying Properties of Parallel Programs: An Axiomatic Approach

Susan Owicki and David Gries

Communications of the ACM, 1976

Presented by Almog Benin

1/6/2014

Outline of talk Approach

• Introduction

• The language

• The axioms

• Theorems

• mutual exclusion, termination & deadlock

• Related work

• Conclusions

Introduction Approach

• Concurrent programs becomes more popular

• It’s harder to prove their correction

• Scheduling can be changed

• Regular testing is not enough

• The suggested solution:

• Axiomatic proof system

The language Approach

• Derived from Algol 60

• Contains the usual statements:

• Assignment

• Conditional

• Loops: while \ for

• Compound \ null

The language – Approachcont’

• Denote by:

• – a set of variables

• – a statement

• – a boolean condition

• Parallel execution statement:

resource,…,:

cobegin//…//coend

• Critical section statement:

with r whendo

Example Approach

• Each statement has:

• Pre-condition

• Post-condition

• Wrote as

• We assume that sequential execution is simple to be proved.

• – the invariant for the resource r

• Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

Example – Approachcont’

• Each statement has:

• Pre-condition

• Post-condition

• Wrote as

• We assume that sequential execution is simple to be proved.

• – the invariant for the resource r

• Remains true at all times outside critical sections for r

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

Axiom #1 Approach

• The critical section axiom:

• If:

• is the invariant from the cobegin statement

• No variable free in P or Q is changed in another thread

• Then:

• withwhen do

• For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

Axiom Approach#2

• The parallel execution axiom:

• If:

• No variable free in or is changed in )

• All variables in belong to resource

• Then:

• resource : cobegincoend

• For example, set:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

The consequence Approach

• Using the invariant, we have the result:

begin, ;

resource: cobegin

with when do

begin ; end

//

with when do

begin ; z end

coend

end

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

• Unable to proof using the existing axioms.

• This program does the same as the former.

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

• The solution: make use of auxiliary variables

• Auxiliary variable is a variable which is assigned, but never used

• Removing this variable doesn’t change the program.

resource r(x): cobegin

withwhen true do

//

with r when true do

coend

• If:

• AV is an auxiliary variable set for a statement .

• obtained by deleting all assignments to variables in AV.

• is true

• and don’t refer to variable any variables from AV.

• Then:

• is also true.

The Dining Philosophers Problem Approach

• 5 bowls of spaghetti

• 5 forks

• 5 philosophers

• Each philosopher repeatedly eats and then thinks

• Needs 2 forks for eating

begin Approach

forstep 1 until 4

begin;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable

begin Approach

forstep 1 until 4

begin ;end

resource : cobegin

coend

end

:

forstep 1 until

begin

withwhendo

begin ;; end

<eat >

withwhen true do

begin;end

<think >

end

– an auxiliary variable

Mutual Exclusion Approach

• We will prove that there are no 2 neighbors eating together.

• Assume by contradiction that there is for which .

• We will derive a contradiction:

• For that, we need to proof a new theorem.

• Because another philosopher may be in a critical section ( will not hold).

Theorem #1: ApproachThe Mutual Exclusion Theorem

Suppose:

• and are statements in different parallel threads of a program

• Neither nor belongs to a critical section for resource .

• Let and be assertions that holds during the execution of and , respectively.

Then:

and are mutually exclusive

if and are true when the execution of begins.

Example:

By theorem #1:

• A thread is blocked if it is stopped at the statement withwhendo because is false or because another thread is using resource .

• A parallel program is blockedif at least one thread is blocked, and all other threads are either finished or blocked as well.

• A parallel program is deadlock-free if there is no computation lead it to be blocked.

Theorem #2: The Blocking Theorem Approach

• Suppose program contains the statement:

• = resource; cobegincoend

• Let the with-when statements of thread be

• = withwhendo

• Let pre and be assertions derived from a proof of .

Theorem #2: The Blocking ApproachTheorem – cont’

• means: “for each thread, it is either finished or blocked at the beginning of one of its with-when statement”:

• means: “There is at least one thread that is blocked by one of the with-when statement”:

Then if , is deadlock-free if is true when execution begins.

The Blocking ApproachTheorem in The Dining Philosophers

Let . Thus:

And thus the dining philosophers program is deadlock free.

Theorem #3: Termination Approach

• Definition: A statement terminates conditionally if it can be proved to terminate under the assumption that it doesn’t become blocked.

• Theorem: if is a cobeginstatement in a program which is deadlock-free, terminates if each of its parallel threads terminates conditionally.

• Easy to be proved for the dining philosophers

Related work Approach

• This work uses a language presented by Hoare (1972).

• However, Hoare’s solution provides partial correctness (a program that produces the correct result or doesn’t terminate).

• It also fails to prove partial correctness for some simple programs.

Conclusion Approach

• We presented an axiomatic proof system for parallel programs.

• We defined some theorems based on these axioms.

• We applied these theorems on the dinning philosophers problem.

Questions? Approach

?

My thoughts Approach

• Is that proof system cost-effective?

• Better than normal testing?

• What is the best way to use this proof system?

• Manual?

• Automatic?

• Interactive?