Mechanised Owicki-Gries Proofs for C11 Brijesh Dongol University of - PDF document

Mechanised Owicki-Gries Proofs for C11 Brijesh Dongol University of Surrey Joint work with Sadegh Dalvandi (University of Surrey) Simon Doherty (University of Sheffield) Heike Wehrheim (University of Paderborn) John Derrick (University of Sheffield)

A weak memory talk { talk = weak memory } reaction := listen ( talk ) { reaction = ∨ reaction = }

A weak memory talk { talk = weak memory } reaction := listen ( talk ) this ( talk ) { reaction = ∨ reaction = } { reaction = }

A weak memory talk { talk = weak memory } reaction := listen ( talk ) this ( talk ) { reaction = ∨ reaction = } { reaction = } Turning into — relate weak memory semantics to Hoare logic and Owicki-Gries style proof rules

Outline C11 Axiomatic Semantics C11 Operational Semantics C11 Owicki-Gries Proofs in Isabelle

C11 Axiomatic Semantics

Axiomatic C11 semantics Example (Message Passing). Init: f := 0 ; d := 0 ; thread 1 thread 2 d := 5 ; do r1 f f := 1 ; until r1 = 1 ; r2 d ;

Axiomatic C11 semantics Example (Message Passing). Init: f := 0 ; d := 0 ; thread 1 thread 2 d := 5 ; do r1 f f := 1 ; until r1 = 1 ; r2 d ; In C11, r2 can have a final value 0 — the execution below is allowed wr ( f, 0) , wr ( d, 0) sb sb wr 1 ( d, 5) rd 2 ( f, 1) sb sb wr 1 ( f, 1) rd 2 ( d, 0)

Axiomatic C11 semantics Example (Message Passing). Init: f := 0 ; d := 0 ; thread 1 thread 2 d := 5 ; do r1 f f := 1 ; until r1 = 1 ; r2 d ; In C11, r2 can have a final value 0 — the execution below is allowed wr ( f, 0) , wr ( d, 0) sb sb mo wr 1 ( d, 5) rd 2 ( f, 1) mo rf sb sb rf fr wr 1 ( f, 1) rd 2 ( d, 0)

Axiomatic C11 semantics Example (Message Passing). Corrected Message Passing. Init: f := 0 ; d := 0 ; Init: f := 0 ; d := 0 ; thread 1 thread 2 thread 1 thread 2 do r1 A f d := 5 ; do r1 f d := 5 ; f := R 1 ; f := 1 ; until r1 = 1 ; until r1 = 1 ; r2 d ; r2 d ; In C11, r2 can have a final value 0 — the execution below is allowed wr ( f, 0) , wr ( d, 0) sb sb mo wr 1 ( d, 5) rd 2 ( f, 1) mo rf sb sb rf fr wr 1 ( f, 1) rd 2 ( d, 0)

Axiomatic C11 semantics Example (Message Passing). Corrected Message Passing. Init: f := 0 ; d := 0 ; Init: f := 0 ; d := 0 ; thread 1 thread 2 thread 1 thread 2 do r1 A f d := 5 ; do r1 f d := 5 ; f := R 1 ; f := 1 ; until r1 = 1 ; until r1 = 1 ; r2 d ; r2 d ; In C11, r2 can have a final value 0 The following execution is now — the execution below is allowed disallowed wr ( f, 0) , wr ( d, 0) wr ( f, 0) , wr ( d, 0) sb sb sb sb mo rd A wr 1 ( d, 5) rd 2 ( f, 1) wr 1 ( d, 5) mo 2 ( f, 1) rf sb sb sb sb rf fr wr 1 ( f, 1) rd 2 ( d, 0) wr R rd 2 ( d, 0) 1 ( f, 1)

Axiomatic C11 semantics Example (Message Passing). Corrected Message Passing. Init: f := 0 ; d := 0 ; Init: f := 0 ; d := 0 ; thread 1 thread 2 thread 1 thread 2 do r1 A f d := 5 ; do r1 f d := 5 ; f := R 1 ; f := 1 ; until r1 = 1 ; until r1 = 1 ; r2 d ; r2 d ; In C11, r2 can have a final value 0 The following execution is now — the execution below is allowed disallowed wr ( f, 0) , wr ( d, 0) wr ( f, 0) , wr ( d, 0) sb sb sb sb mo mo rd A wr 1 ( d, 5) rd 2 ( f, 1) wr 1 ( d, 5) mo 2 ( f, 1) mo rf rf sb sb sb sb sw rf fr fr wr 1 ( f, 1) rd 2 ( d, 0) wr R rd 2 ( d, 0) 1 ( f, 1)

Axiomatic C11 semantics Example (Message Passing). Corrected Message Passing. Init: f := 0 ; d := 0 ; Init: f := 0 ; d := 0 ; thread 1 thread 2 thread 1 thread 2 do r1 A f d := 5 ; do r1 f d := 5 ; f := R 1 ; f := 1 ; until r1 = 1 ; until r1 = 1 ; r2 d ; r2 d ; In C11, r2 can have a final value 0 The following execution is now — the execution below is allowed disallowed wr ( f, 0) , wr ( d, 0) wr ( f, 0) , wr ( d, 0) sb sb sb sb mo mo rd A wr 1 ( d, 5) rd 2 ( f, 1) wr 1 ( d, 5) mo 2 ( f, 1) mo rf rf sb sb sb sb sw rf fr fr wr 1 ( f, 1) rd 2 ( d, 0) wr R rd 2 ( d, 0) 1 ( f, 1)

What about verification? I Axiomatic semantics useful for certain forms of verification, e.g., SMT, BMC, ... I But how can we link with existing works — Hoare Logic, Owicki/Gries, Rely/Guarantee ? We need an operational semantics for C11

C11 Operational Semantics

Point of departure I Start with operational semantics by Doherty et al (2019) — proved sound and complete with respect to RC11 I For the experts: restrict attention to a fragment of C11 I All operations are either relaxed , write-releasing , or read-acquiring I Do not model fences or release-sequences I Assume no-thin-air , i.e., sb [ rf acyclic I Strategy: construct valid C11 graphs by stepping through program in thread order (without consulting axioms) I Brings us back to well understood (programmer friendly) notion Concurrency = Interleaving of threads I What’s different? I More non-determinism in choosing the next C11 state I Both reads and writes may change state configuration

Observing a C11 state Key point. I Each thread has its own observable set of writes I Observable writes can be determined from the current C11 state

Observing a C11 state Key point. I Each thread has its own observable set of writes I Observable writes can be determined from the current C11 state Example. Restricting mo [ rf [ fr to a single variable, we have: r 1 r 2 r 3 r 4 r 0 1 r 0 r 0 rf fr rf fr rf fr rf fr 2 4 r 00 1 w 1 w 2 w 3 w 4 w 5 mo mo mo mo t 1 Hidden t 2 Hidden t 3 Hidden I Thread t 1 can observe w 3 , w 4 , w 5 I Thread t 2 can observe w 2 , w 3 , w 4 , w 5 I Thread t 3 can observe w 5

Observing a C11 state Key point. I Each thread has its own observable set of writes I Observable writes can be determined from the current C11 state Example. Restricting mo [ rf [ fr to a single variable, we have: r 1 r 2 r 3 r 4 r 0 1 r 0 r 0 rf fr rf fr rf fr rf fr 2 4 r 00 1 w 1 w 2 w 3 w 4 w 5 mo mo mo mo t 1 Hidden t 2 Hidden t 3 Hidden I Thread t 1 can observe w 3 , w 4 , w 5 I Thread t 2 can observe w 2 , w 3 , w 4 , w 5 I Thread t 3 can observe w 5 Observable set changes as threads interact with the C11 state

Message passing with “bad” transition f := 0 ; d := 0 Init: thread 1 thread 2 d := 5 ; do r1 f until r1 = 1 ; f := 1 ; r2 d ; Pre-state wr ( f, 0) , wr ( d, 0) sb sb mo wr 1 ( d, 5) rd 2 ( f, 1) mo sb rf wr 1 ( f, 1)

Message passing with “bad” transition f := 0 ; d := 0 Init: thread 1 thread 2 d := 5 ; do r1 f until r1 = 1 ; f := 1 ; r2 d ; Pre-state wr ( f, 0) , wr ( d, 0) sb sb mo wr 1 ( d, 5) rd 2 ( f, 1) mo sb rf wr 1 ( f, 1) Thread 2 can observe both writes to d

Message passing with “bad” transition f := 0 ; d := 0 Init: thread 1 thread 2 d := 5 ; do r1 f until r1 = 1 ; f := 1 ; r2 d ; Pre-state Possible post-state wr ( f, 0) , wr ( d, 0) wr ( f, 0) , wr ( d, 0) sb sb mo sb sb mo wr 1 ( d, 5) rd 2 ( f, 1) wr 1 ( d, 5) rd 2 ( f, 1) mo mo rf sb rf sb sb fr rf wr 1 ( f, 1) wr 1 ( f, 1) rd 2 ( d, 0) Thread 2 can observe “Bad” transition with read both writes to d from wr ( d, 0) is possible

Message passing with release/acquire annotations Init: f := 0 ; d := 0 thread 1 thread 2 do r1 A 1 until r1 = 1 ; d := 5 ; f := R 1 ; r2 := d ; Pre-state wr ( f, 0) , wr ( d, 0) sb sb mo rd A wr 1 ( d, 5) 2 ( f, 1) mo sw sb wr R 1 ( f, 1)

Message passing with release/acquire annotations Init: f := 0 ; d := 0 thread 1 thread 2 do r1 A 1 until r1 = 1 ; d := 5 ; f := R 1 ; r2 := d ; Pre-state wr ( f, 0) , wr ( d, 0) sb sb mo rd A wr 1 ( d, 5) 2 ( f, 1) mo sw sb wr R 1 ( f, 1) Thread 2 can only observe wr 1 ( d, 5)

Message passing with release/acquire annotations Init: f := 0 ; d := 0 thread 1 thread 2 do r1 A 1 until r1 = 1 ; d := 5 ; f := R 1 ; r2 := d ; Pre-state Only possible post-state wr ( f, 0) , wr ( d, 0) wr ( f, 0) , wr ( d, 0) sb sb mo sb sb mo rd A wr 1 ( d, 5) 2 ( f, 1) rd A wr 1 ( d, 5) mo 2 ( f, 1) mo sw sb rf sw sb sb wr R 1 ( f, 1) wr R rd 2 ( d, 5) 1 ( f, 1) Thread 2 can only Only the “good” transition observe wr 1 ( d, 5) is available

C11 Owicki-Gries Proofs in Isabelle

Proof outline for message passing Init: d := 0 ; f := 0 ; do r1 A f until r1 = 1 ; d := 5 ; f := R 1 ; r2 d ;

Proof outline for message passing Init: d := 0 ; f := 0 ; { d = 1 0 ^ d = 2 0 ^ f = 1 0 ^ f = 2 0 } {¬ ( f ⇡ 2 1) ^ d = 1 0 } { [ f = 1] 2 ( d = 5) } do r1 A f until r1 = 1 ; d := 5 ; {¬ ( f ⇡ 2 1) ^ d = 1 5 } { d = 2 5 } f := R 1 ; r2 d ; { true } { r 2 = 5 } { r 2 = 5 }

Proof outline for message passing Init: d := 0 ; f := 0 ; { d = 1 0 ^ d = 2 0 ^ f = 1 0 ^ f = 2 0 } {¬ ( f ⇡ 2 1) ^ d = 1 0 } { [ f = 1] 2 ( d = 5) } do r1 A f until r1 = 1 ; d := 5 ; {¬ ( f ⇡ 2 1) ^ d = 1 5 } { d = 2 5 } f := R 1 ; r2 d ; { true } { r 2 = 5 } { r 2 = 5 } Recall the Owicki-Gries technique: ` { P 1 } C 1 { Q 1 } k { P 2 } C 2 { Q 2 } P ) P 1 ^ P 2 Q 1 ^ Q 2 ) Q ` { P } ( { P 1 } C 1 { Q 1 } k { P 2 } C 2 { Q 2 } ) { Q } ` { P 1 } C 1 { Q 1 } { P 1 } C 1 { Q 1 } is interference free wrt C 2 ` { P 2 } C 2 { Q 2 } { P 2 } C 2 { Q 2 } is interference free wrt C 1 ` { P 1 } C 1 { Q 1 } k { P 2 } C 2 { Q 2 }

Proof outline for message passing Init: d := 0 ; f := 0 ; { d = 1 0 ^ d = 2 0 ^ f = 1 0 ^ f = 2 0 } {¬ ( f ⇡ 2 1) ^ d = 1 0 } { [ f = 1] 2 ( d = 5) } do r1 A f until r1 = 1 ; d := 5 ; {¬ ( f ⇡ 2 1) ^ d = 1 5 } { d = 2 5 } f := R 1 ; r2 d ; { true } { r 2 = 5 } { r 2 = 5 } I The C11 state is a special implicit variable in the program I Assertions are predicates over program states (including the C11 states)