A marriage of rely/guarantee & separation logic Viktor V - PowerPoint PPT Presentation

A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS

Coarse - grain locking 2 3 5 7 11 13

Coarse - grain locking 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13

Fine - grain locking Optimistic traversal 2 3 5 7 11 13

Fine - grain locking Optimistic traversal 2 3 5 7 11 13

Fine - grain locking Optimistic traversal 2 3 5 7 11 13 Re - traverse the list OR deletions in two steps Leaks memory: cannot dispose deleted nodes.

Operations ( actions ) Pessimistic algorithm Lock Unlock Add node Delete node

Operations ( actions ) Optimistic algorithm Lock Unlock Add node Delete node

Fine - grained concurrency • Complex concurrency patterns • Dynamically allocated data structures • Explicit memory deallocation • Concurrent libraries: java.util.concurrent Aim: T ractable reasoning, manual & automatic

Separation logic [ Reynolds, O ’ Hearn, et al. 2001+ ]

Separation logic ( 1/3 ) ... a logic for describing the heap P, Q ::= e = e ′ | P ∧ Q | P ∨ Q | ¬ P | ∃ x. P | ∀ x. P | emp | e �→ e 1 , . . . , e n | P ∗ Q | P − ∗ Q Q empty heap single cell P e 1 e 2 e : separation def lseg ( x, y ) = ( x = y ∧ emp ) ∨ ( ∃ z v. x �→ v, z ∗ lseg ( z, y ))

Separation logic ( 2/3 ) ... a program logic • Hoare triples { precondition } program { postcondition } • Rules for commands accessing the heap • Frame rule { P } C { Q } { P ∗ R } C { Q ∗ R } C C Q Q If then P P R R

Separation logic ( 3/3 ) ... disjoint parallelism { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } { P 1 ∗ P 2 } C 1 � C 2 { Q 1 ∗ Q 2 } C 1 C 2 Q 1 If and P 1 Q 2 P 2 C 1 � C 2 Q 1 P 1 then Q 2 P 2 [ + resource invariants ]

Introduction to RGSep Basic concepts

Local and shared state 2 3 5 7 11 13 Shared Local 6

Actions Describe how the shared state changes: ( i ) by the program & ( ii ) by its environment Lock Unlock Semantics: An action changes the part of the shared state that matches the LHS to something that matches the RHS. The rest of the shared state is not touched.

The two roles of actions • Guarantee: As annotations to atomic blocks, they specify what an atomic block does to the shared state They also adjust the boundary between local and shared state • Rely: Abstract what all the other threads do to the shared state

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

E ff ect of an action 2 3 5 7 11 13 Shared Local 6 Lock 2 3 5 7 11 13 Shared Local 6

Ownership transfer Add node Where did this node come from? Delete node Where did this node go?

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 Local 6 Add node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 6 Local Add node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 6 Local Lock node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 6 Local Lock node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 6 Local Delete node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 Local 6 Delete node

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 Local 6 Now, the node is local; we can safely dispose it.

Local and shared state Pessimistic algorithm Shared 2 3 5 7 11 13 Local Now, the node is local; we can safely dispose it.

Local and shared state Optimistic algorithm Shared 2 3 5 7 11 13 6 Local Delete node

Local and shared state Optimistic algorithm Shared 2 3 5 7 11 13 6 Local Delete node

Interference: other threads 2 3 5 7 11 13 A A

Interference: other threads 2 5 7 11 13 A A

Interference: other threads 2 5 7 11 13 A A 12

Interference: other threads 2 5 7 11 13 A A 12 5 7 A A

Stability 5 7 A A Lock B Unlock B

Stability 5 7 A A Add node B B Delete node B B B

RGSep More formally...

Assertion syntax Separation Logic P, Q ::= false | emp | e = e ′ | e �→ e ′ | ∃ x. P | P ⇒ Q | P ∗ Q | P − ⊛ Q ⇒ h � SL ¬ ( P − ∗ ¬ Q ) h � SL P − ⊛ Q ⇐ ⇒ ∃ h ′ . ( h ′ � SL P ) ∧ ( h ⊎ h ′ � SL Q ) ⇐ Extended logic p, q ::= P | P | p ∗ q | p ∧ q | p ∨ q | ∃ x. p | ∀ x. p local shared

Assertion semantics ⇐ ⇒ l, s � P l � SL P ⇐ ⇒ l = ∅ ∧ ( s � SL P ) l, s � P l, s � p 1 ∗ p 2 ⇐ ⇒ ∃ l 1 , l 2 . ( l = l 1 ⊎ l 2 ) ∧ ( l 1 , s � p 1 ) ∧ ( l 2 , s � p 2 ) Split local state; share global state.

Actions x �→ 0 , v, t x �→ tid, v, t � x �→ tid, v, t x �→ 0 , v, t � x �→ tid, v, y x �→ tid, v, t � ∗ y �→ 0 , v ′ , t x �→ tid, v, y x �→ tid, v, t ∗ y �→ tid, v ′ , t � x �→ tid, v, y x �→ tid, v, t ∗ y �→ tid, v ′ , t � ∗ y �→ tid, v ′ , t

Judgements ⊢ C sat ( p, R, G, q ) ( precondition, rely, guarantee, postcondition )

Parallel rule ⊢ C 1 sat ( p 1 , R ∪ G 2 , G 1 , q 1 ) ⊢ C 2 sat ( p 2 , R ∪ G 1 , G 2 , q 2 ) ⊢ ( C 1 � C 2 ) sat ( p 1 ∗ p 2 , R, G 1 ∪ G 2 , q 1 ∗ q 2 ) Splits local state; Shares global state.

Atomic commands p, q stable under R ⊢ ( atomic C ) sat ( p, ∅ , G, q ) ⊢ ( atomic C ) sat ( p, R, G, q ) P 2 , Q 2 precise ( P 2 � Q 2 ) ∈ G ⊢ C sat ( P 1 ∗ P 2 , ∅ , ∅ , Q 1 ∗ Q 2 ) � � ⊢ ( atomic C ) sat P 1 ∗ P 2 ∗ F , ∅ , G, Q 1 ∗ Q 2 ∗ F Shared Local state state

Stability S stable under P � Q i ff (( P − ⊛ S ) ∗ Q ) ⇒ S