1 / 28

Concurrent Separation Logic

Concurrent Separation Logic. How to prove the correctness of concurrent programs. One philosophy (due to Tony Hoare): Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines.

kaden-beach
Download Presentation

Concurrent Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Concurrent Separation Logic

  2. How to prove the correctness of concurrent programs One philosophy (due to Tony Hoare): Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines. Most of the time each process uses its own private data. In the rare cases that they need to communicate, access the shared data exclusively in critical regions. await (B) do C with r when B do C Mutex or locks (which we will use here)

  3. The language x := e | [e] := e' | x := [e] | cons(e) | dispose(e) | C; C | C || C | … A new construct: l.acq() | l.rel()

  4. Operational Semantics Program state: (s, h, L) where L  locks  {0, 1} L(l) = 1 (l.acq(), (s, h, L))  (skip, (s, h, L{l  0}) ) (l.rel(), (s, h, L))  (skip, (s, h, L{l  1}) )

  5. How to control interference? • Basic idea: • Each thread has private memory (resource) • The private resource can be arbitrarily used • Private resources of different threads are disjoint • Shared resources are protected by locks • Shared resources are disjoint with local resources • Can only be used when the lock is acquired (i.e. in critical regions) • Different locks protect different resources

  6. Basic Memory Model Shared (accessible only in critical regions) Private Private

  7. Basic Memory Model

  8. Basic Memory Model

  9. Basic Memory Model

  10. Basic Memory Model When the resource is acquired/released, it must be well-formed. The well-formedness is resource invariant.

  11. Invariants about memory protected by locks: l1 ln  = {l1 r1, …, ln  rn} r1  rn Concurrent Separation Logic (CSL) Lock-based critical regions (CR): l.acq(); … … … … l.rel()

  12. p q pq ┝ {p1 p2} C1 || C2 {q1 q2} CSL – Formalization Key ideas: Threads can only access disjoint resources at the same time. ┝ {p1} C1 {q1} ┝ {p2} C2 {q2}

  13. p q pq l1 ln r1  rn CSL – Parallel Composition  ┝ {p1} C1 {q1}  ┝ {p2} C2 {q2}  ┝ {p1 p2} C1 || C2 {q1 q2} I() p1 p2 I() q1 q2 We’ll define I() later.

  14. CSL - Locks Lock acquire:  ┝ {p} l.acq() {p  (l)} Note: do not support reentrant locks Lock release:  ┝ {p  (l)} l.rel() {p} Compare the rules with cons and dispose

  15. Examples Put (x): l.acq(); while( full ){ l.rel(); l.acq(); } c := x; full := true; l.rel(); Get (y): l.acq(); while( !full ){ l.rel(); l.acq(); } y := c; full := false; l.rel(); (l) = full  c _, _   full  emp

  16. Examples Put (x): l.acq(); while( full ){ l.rel(); l.acq(); } (l) = full  c _, _   full  emp {x _, _} {x _, _ (l)   full } {x _, _ } c := x; full := true; l.rel(); {x _, _ (l) } {c _, _ } {x _, _} {full c _, _ } {x _, _ (l) } {(l) } {emp } {x _, _ (l)   full }

  17. Examples get (y): l.acq(); while( !full ){ l.rel(); l.acq(); } (l) = full  c _, _   full  emp {emp} { (l)  full } {c _, _ } y := c; full := false; l.rel(); { (l) } {y _, _ } { emp} {y _, _  (full  emp) } {(l) } {y _, _  (l)} {y _, _ } {(l)  full }

  18. Examples {x _, _} put (x) {emp } {emp} get (y) {y _, _ } {emp} {emp  emp} {emp} {emp} get(y); use(y); dispose(y); x := cons(a, b); put(x); {y _, _ } {x _, _} {y _, _ } {emp} {emp} {emp  emp}

  19. Examples (2) alloc (x, a, b): l.acq(); if( f == null ){ l.rel(); x := cons (a, b);} else { x := f; f := [x+1]; l.rel(); [x] := a; [x+1] := b; } free (y): l.acq(); [y+1] := f; f := y; l.rel(); (l) = list(f)

  20. Examples (2)

  21. Implementation of P/V (locks)

  22. l1 ln r1  rn Requirement on Resource Invariant  ┝ {p1} C1 {q1}  ┝ {p2} C2 {q2}  ┝ {p1 p2} C1 || C2 {q1 q2} Resource invariants need to be precise, i.e.  l  dom(). precise( (l) )

  23. ┝ {(emp  one)  true} skip {emp  true}  ┝ {(emp  one)} l.acq; skip; l.rel(); {emp}  ┝ {(emp  one)} C {emp}  ┝ {(emp  one)} C {emp}  ┝ {emp} C {emp}  ┝ {one} C {emp}  ┝ {emp  one} C {emp  one}  ┝ {one} C {one} Requirement on Resource Invariant one  10  _ (l) = true  ┝ {true} skip {true} C l.acq; skip; l.rel();

  24. Requirement on Resource Invariant (l) = true  ┝ {one} C {one}  ┝ {one} C {emp}  ┝ {one} C {one  emp}  ┝ {one} C {false} The problem: (l) is not precise. Recall that p  r  q  r  (p  q )  r does not hold unless r is precise.

  25. l1 ln r1  rn Soundness I(, L, l) = L(l) = 0  emp  L(l) = 0  (l) I(, L) = ldom() . I(, L, l) We define Safek(, (s, h, L), C, q) inductively.

  26. Soundness Safe0(, (s, h, L), C, q) always holds Safek+1(, (s, h, L), C, q) holds if there exist hs and hp such that (1) h = hs |+| hp; (2) (s, hs) |= I(, L) (3) for all s’, hs’, L’, and h’, if (s’, hs’) |= I(, L’), andh = hs’ |+| hp, then Safek(, (s’, h’, L’), C, q) (4) if C = skip, then (s, hp) |= q  true (5) for all s’, h’, L’, if (C, (s, h, L))  (C’, (s’, h’, L’)), then Safek(, (s’, h’, L’), C’, q)

  27. l1 ln r1  rn Soundness I(, L, l) = L(l) = 0  emp  L(l) = 0  (l) I(, L) = ldom() . I(, L, l) We define Safek(, (s, h, L), C, q) inductively. Safe(, (s, h, L), C, q) iff k. Safek(, (s, h, L), C, q) [ ┝ { p } C { q }] s, h, L. if (s, h) |=I(, L)  p  true, then Safe(, (s, h, L), C, q)

  28. Reading Peter W. O'Hearn: Resources, Concurrency and Local Reasoning. CONCUR 2004: 49-67 Peter W. O'Hearn: Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375(1-3): 271-307 (2007) Viktor Vafeiadis. Concurrent separation logic and operational semantics. In MFPS 2011. ENTCS 276, pp. 335-351. Elsevier (Sep. 2011)

More Related