From Traces To Proofs: Proving Concurrent Programs Safe S. - PowerPoint PPT Presentation

From Traces To Proofs: Proving Concurrent Programs Safe S. Arun-Kumar (Joint work with Chinmay Narayan, Subodh Sharma, and Shibashis Guha) Indian Institute of Technology Delhi TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Overview Motivation 1 2 Preliminaries 3 Example 4 Overall Picture 5 Optimizations Performance Evaluation 6 7 Contribution Remarks 8 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Motivation TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Example: Peterson’s Algorithm Example trace flag 1 = true , flag 2 = true , turn = 0 while (true) do while (true) do a . flag 1 := true p . flag 2 := true b . turn := 2 q . turn := 1 assume ( ¬ flag 2 � turn = 1); assume ( ¬ flag 1 � turn = 2); A . P . cs := 1; cs := 2; CS1 . CS2 . ℓ 1 := cs ; ℓ 2 := cs ; d . s . flag 1 := false flag 2 := false e . t . od od Informal reasoning about the correctness of the mutual exclusion property TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Example: Peterson’s Algorithm Example trace flag 1 = true , flag 2 = true , turn = 0 while (true) do while (true) do a . flag 1 := true p . flag 2 := true b . turn := 2 q . turn := 1 assume ( ¬ flag 2 � turn = 1); assume ( ¬ flag 1 � turn = 2); A . P . cs := 1; cs := 2; CS1 . CS2 . ℓ 1 := cs ; ℓ 2 := cs ; d . s . flag 1 := false flag 2 := false e . t . od od Informal reasoning about the correctness of the mutual exclusion property When turn := 2 is the last write to variable turn TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Example: Peterson’s Algorithm Example trace flag 1 = true , flag 2 = true , turn = 0 while (true) do while (true) do a . flag 1 := true p . flag 2 := true b . turn := 2 q . turn := 1 assume ( ¬ flag 2 � turn = 1); assume ( ¬ flag 1 � turn = 2); A . P . cs := 1; cs := 2; CS1 . CS2 . ℓ 1 := cs ; ℓ 2 := cs ; d . s . flag 1 := false flag 2 := false e . t . od od Informal reasoning about the correctness of the mutual exclusion property When turn := 2 is the last write to variable turn When turn := 1 is the last write to variable turn TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Overall Partitioning Algorithm Program is Safe Yes Set of traces (S) Pick a Trace from S SC Trace S Empty? AFA Generation Generation P 1 Is Safe? S=S-AFA No Subtr Yes P n TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Some Preliminaries: Weakest Preconditions wp ( S , φ ) is the largest set of states from where the execution of the statement S halts in a state satisfying φ . S Weakest Preconditin ψ Postcondition φ TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Some Preliminaries: Weakest Preconditions wp ( S , φ ) is the largest set of states from where the execution of the statement S halts in a state satisfying φ . S Weakest Preconditin ψ Postcondition φ wp ( x := a + 1 , x > 5 ) = a + 1 > 5 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Some Preliminaries: Weakest Preconditions wp ( S , φ ) is the largest set of states from where the execution of the statement S halts in a state satisfying φ . S Weakest Preconditin ψ Postcondition φ wp ( x := a + 1 , x > 5 ) = a + 1 > 5 wp ( assert ( ψ ) , φ ) = ψ ∧ φ TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Some Preliminaries: Weakest Preconditions wp ( S , φ ) is the largest set of states from where the execution of the statement S halts in a state satisfying φ . S Weakest Preconditin ψ Postcondition φ wp ( x := a + 1 , x > 5 ) = a + 1 > 5 wp ( assert ( ψ ) , φ ) = ψ ∧ φ wp ( assume ( ψ ) , φ ) = ψ ∧ φ TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Preliminaries TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Some Preliminaries: Alternating Finite Automata b s 4 ∃ c s 2 ∃ a lang( s 2 )= cb ∗ ∃ b lang( s 3 )= cb ∗ + b s 5 ∀ lang( s 1 )= acb ∗ s 1 a c s 3 ∃ b s 6 ∃ TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Example TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Example trace and its AFA construction Peterson Example trace σ a . flag 1 := true b . turn := 2 A . assume ( ¬ flag 2 � turn = 1 ); p . flag 2 := true turn := 1 q . assume ( ¬ flag 1 � turn = 2 ); P . cs := 2 CS2 . cs := 1 CS1 . ℓ 2 := cs s . assert ( ℓ 2 = 2) Let I be an initial condition. Then show that wp ( σ, ¬ ( ℓ 2 = 2 )) ∧ I is unsatisfiable TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 1 a . flag 1 := true b . turn := 2 A . assume ( ¬ flag 2 � turn = 1 ); flag 2 := true p . ∃ ¬ ( ℓ 2 = 2) q . turn := 1 assume ( ¬ flag 1 � turn = 2 ); P . CS2 . cs := 2 CS1 . cs := 1 s 1 s . ℓ 2 := cs assert ( ℓ 2 = 2) TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 2 flag 1 := true a . b . turn := 2 ∃ s 2 ¬ ( cs = 2) A . assume ( ¬ flag 2 � turn = 1 ); p . flag 2 := true q . turn := 1 s assume ( ¬ flag 1 � turn = 2 ); P . CS2 . cs := 2 ∃ cs := 1 CS1 . ¬ ( ℓ 2 = 2) s . ℓ 2 := cs assert ( ℓ 2 = 2) s 1 Note that wp ( s , ¬ ( ℓ 2 = 2 )) = ¬ ( cs = 2) TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 3 s 3 true ∃ flag 1 := true a . CS 1 b . turn := 2 assume ( ¬ flag 2 � turn = 1 ); A . p . flag 2 := true ∃ s 2 ¬ ( cs = 2) q . turn := 1 P . assume ( ¬ flag 1 � turn = 2 ); CS2 . cs := 2 s cs := 1 CS1 . s . ℓ 2 := cs assert ( ℓ 2 = 2) ∃ ¬ ( ℓ 2 = 2) s 1 Note that wp ( c , ¬ ( cs = 2 )) = true TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 4 CS 2 s 3 true ∃ flag 1 := true a . CS 1 b . turn := 2 assume ( ¬ flag 2 � turn = 1 ); A . p . flag 2 := true ∃ s 2 ¬ ( cs = 2) q . turn := 1 P . assume ( ¬ flag 1 � turn = 2 ); CS2 . cs := 2 s cs := 1 CS1 . s . ℓ 2 := cs assert ( ℓ 2 = 2) ∃ ¬ ( ℓ 2 = 2) s 1 Note that wp ( CS2 , true) = true TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 5 ∃ s 5 turn = 2 s 4 ∃ ¬ flag 1 P P a . flag 1 := true ¬ flag 1 CS 2 ∀ s 3 b . turn := 2 � turn = 2 A . assume ( ¬ flag 2 � turn = 1 ); p . flag 2 := true turn := 1 CS 1 q . P . assume ( ¬ flag 1 � turn = 2 ); cs := 2 CS2 . ∃ s 2 ¬ ( cs = 2) CS1 . cs := 1 s . ℓ 2 := cs assert ( ℓ 2 = 2) s ∃ ¬ ( ℓ 2 = 2) s 1 Note that wp ( P , true) = ( flag 1 = 0 � turn = 2) TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 6 p , q s 5 ∃ turn = 2 s 4 ¬ flag 1 ∃ P P a . flag 1 := true ¬ flag 1 CS 2 ∀ turn := 2 s 3 b . � turn = 2 A . assume ( ¬ flag 2 � turn = 1 ); p . flag 2 := true q . turn := 1 CS 1 P . assume ( ¬ flag 1 � turn = 2 ); CS2 . cs := 2 s 2 ∃ ¬ ( cs = 2) CS1 . cs := 1 ℓ 2 := cs s . assert ( ℓ 2 = 2) s ∃ ¬ ( ℓ 2 = 2) s 1 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 7 p , a , b , A s 6 false ∃ q p , q s 5 turn = 2 s 4 ¬ flag 1 ∃ flag 1 := true a . P P b . turn := 2 A . assume ( ¬ flag 2 � turn = 1 ); ¬ flag 1 CS 2 ∀ s 3 p . flag 2 := true � turn = 2 q . turn := 1 assume ( ¬ flag 1 � turn = 2 ); P . CS 1 CS2 . cs := 2 cs := 1 CS1 . s . ℓ 2 := cs ∃ s 2 ¬ ( cs = 2) assert ( ℓ 2 = 2) s ∃ ¬ ( ℓ 2 = 2) s 1 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 8 a , b s 10 ∃ s 9 ∃ turn = 1 ¬ flag 2 ǫ ǫ ¬ flag 2 ∀ s 8 � turn = 1 s 7 ∃ ¬ flag 1 p , a , b , A s 6 false ∃ A A a . flag 1 := true q b . turn := 2 ¬ flag 1 ∧ p , q ∀ s 4 ( ¬ flag 2 A . assume ( ¬ flag 2 � turn = 1 ); ∃ s 5 turn = 2 � turn = 1) p . flag 2 := true P P turn := 1 q . P . assume ( ¬ flag 1 � turn = 2 ); ¬ flag 1 CS 2 ∀ s 3 � turn = 2 cs := 2 CS2 . CS1 . cs := 1 CS 1 s . ℓ 2 := cs assert ( ℓ 2 = 2) ∃ s 2 ¬ ( cs = 2) s ∃ ¬ ( ℓ 2 = 2) s 1 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe

Step 9 a s 11 ∃ false b a , b s 10 ∃ turn = 1 s 9 ¬ flag 2 ∃ ǫ ǫ ¬ flag 2 ∀ s 8 � turn = 1 a . flag 1 := true s 7 ¬ flag 1 ∃ p , a , b , A s 6 ∃ false turn := 2 A b . A A . assume ( ¬ flag 2 � turn = 1 ); q ¬ flag 1 ∧ p , q p . flag 2 := true ∀ s 4 ( ¬ flag 2 ∃ � turn = 1) s 5 turn = 2 q . turn := 1 P . assume ( ¬ flag 1 � turn = 2 ); P P CS2 . cs := 2 ¬ flag 1 CS 2 ∀ s 3 CS1 . cs := 1 � turn = 2 ℓ 2 := cs s . assert ( ℓ 2 = 2) CS 1 s 2 ¬ ( cs = 2) ∃ s ∃ ¬ ( ℓ 2 = 2) s 1 TASE-2016 S. Arun-Kumar From Traces To Proofs: Proving Concurrent Programs Safe