
Verifying a Wait Free Register Algorithm Using Assertional Reasoning


Presentation Transcript


  1. Verifying a Wait Free Register Algorithm Using Assertional Reasoning
  Xu Qiwen
  Faculty of Science and Technology, University of Macau

  2. Read and Write Conflict (Race)
  If read and write operations are performed on the same memory cell at the same time, the read operation may obtain an erroneous value.

  3. Avoiding Race
  • One cell: waiting needed
  • More cells: wait free possible
  [Figure: write and read arrows over the 2-cell and 4-cell layouts]
  2 cells: read and write use different cells, but then read and write have no relation (read should read values written by write).
  4 cells: read can read a cell that has been written recently but is currently not being written.

  4. Simpson 4 Slot Algorithm
  Write                               Read
  loop                                loop
    a-2: Wp = !r                        b-3: Rp = l
    a-1: Wi = !Li[Wp]                   b-2: r = Rp
    a:   Cells[Wp][Wi] = value          b-1: Ri = Li[Rp]
    a+1: Li[Wp] = Wi                    b:   y = Cells[Rp][Ri]
    a+2: l = Wp

  5. Recent Work on Verifying Register Algorithms
  Separation Logic. Quite complicated.

  6. Model and Reason about Race
  Suppose R1(X), W1(X), R2(X), W2(X) are read and write operations from 2 processors. Consider all execution sequences obtained by interleaving:
    ... (a:R1(X)) ... (b:R2(X)) ...   no conflict
    ... (a:R1(X)) ... (b:W2(X)) ...   conflict
    ... (a:W1(X)) ... (b:R2(X)) ...   conflict
    ... (a:W1(X)) ... (b:W2(X)) ...   conflict
  A program is race free if no interleaving of the operations contains a state in which the location variables of the two processors are at a conflicting pair of operations.

  7. Model and Reason about Race
  Suppose O1(X), O2(Y) are two operations from 2 processors at locations a and b, and the location variables of the two processors are α and β. For any interleaving of operations
    ... (a:O1(X)) ... (b:O2(Y)) ...
  if O1(X) and O2(Y) are a read/write or write/write pair, then X and Y must be distinct, so
    (α=a ∧ β=b) ⇒ X≠Y
  should be an invariant.

  8. Assertional Methods
  Floyd 1967: Assigning meanings to programs
  Hoare Logic 1969: An axiomatic basis for computer programming
    { P[e/x] } x:=e { P }
    { true } x:=1 { x=1 }
    { x=0 } x:=x+1 { x=1 }
    { x>0 } x:=x+1 { x>1 }

  9. Race Freedom for Simpson Algorithm
    a: Cells[Wp][Wi] = value          b: y = Cells[Rp][Ri]
  Invariant: (α=a ∧ β=b) ⇒ (Wp≠Rp ∨ Wi≠Ri)

  10. Verification of Invariant (Global Method)
    init ⇒ inv
    { inv } Op { inv } for any operation Op
    ---------------------------------------
    inv is an invariant
  This rule cannot be used to prove all invariants: { inv } Op { inv } (we then say inv is inductive) may not hold for every operation Op, i.e., inv may not be inductive.

  11. Verification of Simpson 4 Slot Algorithm (Global method)
  Write                               Read
    a-2: Wp = !r                        b-3: Rp = l
    a-1: Wi = !Li[Wp]                   b-2: r = Rp
    a:   Cells[Wp][Wi] = value          b-1: Ri = Li[Rp]
    a+1: Li[Wp] = Wi                    b:   y = Cells[Rp][Ri]
    a+2: l = Wp
  α=a ⇒ (Wi ≠ Li[Wp]) is invariant and can be proved by the rule.
  β=b ⇒ (Ri = Li[Rp]) is not invariant.
  β=b ⇒ (r = Rp) is invariant.
  (α=a ∧ β=b) ⇒ (Wp≠Rp ∨ Wi≠Ri) is invariant, but cannot be proved by the rule.

  12. Additional Rules
    inv' ⇒ inv,  inv' is an invariant
    ---------------------------------  (Consequence)
    inv is an invariant

    inv, inv' are invariants
    ---------------------------
    inv ∧ inv' is an invariant

  13. Verification of Simpson 4 Slot Algorithm (Global method)
  To prove (α=a ∧ β=b) ⇒ (Wp≠Rp ∨ Wi≠Ri) invariant, using the fact that α=a ⇒ (Wi ≠ Li[Wp]) and β=b ⇒ (r = Rp) are invariants, it is enough to prove (α=a ∧ β=b) ⇒ (Wp≠r ∨ Ri = Li[Rp]) invariant. Close enough, but still not inductive. Finally ((α=a-1 ∨ α=a) ∧ β=b) ⇒ (Wp≠r ∨ Ri = Li[Rp]) is inductive.
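The reasoning of slides 6 and 9 to 13 carried out by brute force, as an added example that is not part of the presentation: a Python model of the slide-4 program (Cells and y are dropped, since no invariant mentions them) enumerates every interleaving to confirm race freedom on the reachable states, and applies the slide-10 rule ({ inv } Op { inv } from every state) to show which of the candidate invariants is actually inductive. The names INIT, is_inductive, holds_on_reachable and consequence_ok are my own, and the all-zero initial state is constructed.

```python
from collections import namedtuple
from itertools import product

S = namedtuple("S", "Wp Wi Li l r Rp Ri alpha beta")  # slide-4 shared variables + location variables
W_LOCS, R_LOCS = ("a-2", "a-1", "a", "a+1", "a+2"), ("b-3", "b-2", "b-1", "b")
INIT = S(0, 0, (0, 0), 0, 0, 0, 0, "a-2", "b-3")  # constructed initial state: every variable 0

def writer_step(s):
    # a: Cells[Wp][Wi] = value touches no variable the invariants mention, so it only moves alpha.
    Li, upd = list(s.Li), {}
    if s.alpha == "a-2": upd["Wp"] = 1 - s.r                       # Wp = !r
    elif s.alpha == "a-1": upd["Wi"] = 1 - Li[s.Wp]                # Wi = !Li[Wp]
    elif s.alpha == "a+1": Li[s.Wp] = s.Wi; upd["Li"] = tuple(Li)  # Li[Wp] = Wi
    elif s.alpha == "a+2": upd["l"] = s.Wp                         # l = Wp
    return s._replace(alpha=W_LOCS[(W_LOCS.index(s.alpha) + 1) % 5], **upd)

def reader_step(s):
    upd = {}  # b: y = Cells[Rp][Ri] likewise only moves beta
    if s.beta == "b-3": upd["Rp"] = s.l
    elif s.beta == "b-2": upd["r"] = s.Rp
    elif s.beta == "b-1": upd["Ri"] = s.Li[s.Rp]
    return s._replace(beta=R_LOCS[(R_LOCS.index(s.beta) + 1) % 4], **upd)

# Candidate invariants of slides 9, 11 and 13, each written as "not premise or conclusion".
race_free = lambda s: not (s.alpha == "a" and s.beta == "b") or s.Wp != s.Rp or s.Wi != s.Ri
close_enough = lambda s: not (s.alpha == "a" and s.beta == "b") or s.Wp != s.r or s.Ri == s.Li[s.Rp]
strengthened = lambda s: not (s.alpha in ("a-1", "a") and s.beta == "b") or s.Wp != s.r or s.Ri == s.Li[s.Rp]
aux = lambda s: (s.alpha != "a" or s.Wi != s.Li[s.Wp]) and (s.beta != "b" or s.r == s.Rp)

def all_states():
    for bits in product((0, 1), repeat=8):
        for alpha, beta in product(W_LOCS, R_LOCS):
            yield S(bits[0], bits[1], bits[2:4], *bits[4:], alpha, beta)

def is_inductive(pred):
    # The slide-10 rule: {pred} Op {pred} for every operation of both processors, from every state.
    return all(pred(t) for s in all_states() if pred(s) for t in (writer_step(s), reader_step(s)))

def holds_on_reachable(pred):
    seen, todo = {INIT}, [INIT]  # explore every interleaving reachable from INIT (the slide-6 model)
    while todo:
        s = todo.pop()
        if not pred(s): return False
        new = [t for t in (writer_step(s), reader_step(s)) if t not in seen]
        seen.update(new); todo.extend(new)
    return True

def consequence_ok():
    # The slide-12 Consequence rule: strengthened together with aux implies race_free in every state.
    return all(race_free(s) for s in all_states() if strengthened(s) and aux(s))
```

Only the strengthened predicate of slide 13 passes is_inductive; race_free and close_enough are true invariants (they hold on every reachable state) yet fail the slide-10 rule, which is exactly the gap the Consequence rule closes.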

  14. Verification of Simpson 4 Slot Algorithm (Assertional Network Method)
  Write                                        Read
    a-2: Wp = !r                                 b-3: Rp = l
    a-1: Wi = !Li[Wp]                            b-2: r = Rp
    { Wi ≠ Li[Wp] ∧                              { r = Rp }
      (β=b ⇒ (Wp≠r ∨ Ri = Li[Rp])) }             b-1: Ri = Li[Rp]
    a:   Cells[Wp][Wi] = value                   b:   y = Cells[Rp][Ri]
    a+1: Li[Wp] = Wi
    a+2: l = Wp

  15. Owicki & Gries Method
  Any triple { p } S { q } in each processor should be correct, just as in usual sequential Hoare logic.
  For each assertion p in one processor, the execution of any operation of the other processor must maintain the assertion. This is called interference freedom. Suppose the other operation is Op, executed under precondition q; then p is maintained if
    { p ∧ q } Op { p }   (interference freedom test)

  16. Conclusion and Future Work
  Traditional assertional methods seem to be able to verify register algorithms quite well.
  Future Work
  • Study more complicated algorithms
  • Verify more properties: data freshness

  17. Expressing Data Freshness
  Write                               Read
  counter = 0
  loop                                loop
    counter = counter + 1               FinishedW = LastW
    a-2: Wp = !r                        b-3: Rp = l
    a-1: Wi = !Li[Wp]                   b-2: r = Rp
    a:   Cells[Wp][Wi] = value          b-1: Ri = Li[Rp]
         C[Wp][Wi] = counter            b:   y = Cells[Rp][Ri]
    a+1: Li[Wp] = Wi                         RC = C[Rp][Ri]
    a+2: l = Wp                         { RC >= max(LastR, FinishedW) }
    LastW = counter                     LastR = RC

  18. References
  R.W. Floyd. Assigning meanings to programs. Proceedings of the Symposium on Applied Math, 1967.
  C.A.R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12 (1969), 576-580.
  L. Lamport. On Interprocess Communication. Part I: Formalism; Part II: Algorithms. Distributed Computing 1(2) (1986), 77-101.

  19. References
  H. Simpson. Four-slot fully asynchronous communication mechanism. IEE Proceedings 137, Part E(1) (January 1990), 17-30.
  S. Owicki and D. Gries. An Axiomatic Proof Technique for Parallel Programs I. Acta Informatica 6 (1976), 319-340.
