On Rely-Guarantee Reasoning
Stephan van Staden
June 29, 2015
Overview

Introduction
  Basics of Rely-Guarantee
  Overview of the paper
Two techniques for constructing Rely-Guarantee models
  The “traditional” technique
    Example of a model
    Some valid rules
    Relationship with Hoare logic
  The “recent” technique
    Example of a model
    Some valid rules
    Special properties and comparison with “traditional” technique
Soundness results
  Soundness of both techniques
Conclusion
Rely-Guarantee 101

Extension of Hoare logic (HL) for reasoning about concurrency. Makes interference explicit in specifications: rely & guarantee. They are binary relations on states that summarise the state transformations of execution steps.

Judgements have the form: $\mathit{Pre}\ \mathit{Rely}\ \{|\mathit{Prog}|\}\ \mathit{Guar}\ \mathit{Post}$.

The rely relation says what interference $\mathit{Prog}$ can tolerate while still satisfying the $\mathit{Pre}$–$\mathit{Post}$ spec. The guarantee relation says what interference $\mathit{Prog}$ can inflict on its concurrent environment.

Example: $S\ (S \times S)\ \{|\mathit{skip}|\}\ \mathit{Id}\ S$.
Rely-Guarantee 101 (continued)

RG offers a compositional rule for concurrency:
$$S_1\ R_1\ \{|P|\}\ G_1\ S'_1 \;\wedge\; S_2\ R_2\ \{|Q|\}\ G_2\ S'_2 \;\wedge\; G_1 \subseteq R_2 \;\wedge\; G_2 \subseteq R_1 \;\Rightarrow\; (S_1 \cap S_2)\ (R_1 \cap R_2)\ \{|P \parallel Q|\}\ (G_1 \cup G_2)\ (S'_1 \cap S'_2).$$

Every valid RG quintuple yields a valid HL triple:
$$S\ R\ \{|P|\}\ G\ S' \;\Rightarrow\; S\ \{|P|\}\ S'.$$

Enriched specs conquer concurrency! In fact, HL is embedded in RG:
$$S\ \{|P|\}\ S' \;\Leftrightarrow\; S\ \bot\ \{|P|\}\ \top\ S'.$$
The paper in a nutshell

Generalising HL to RG involves a creative leap. At least two distinct techniques for this exist that differ in their treatment of guarantee conditions:

◮ The “traditional” technique (Jones, Stirling, Dingel, Coleman, . . . ) uses a weaker RG judgement and supports more general rules for atomic commands and disjunction.
◮ The “recent” technique (Hayes, CKA work, . . . ) has a stronger RG judgement that can be decomposed into smaller constructs. It facilitates nice algebraic/refinement-style proofs.

Despite their differences, both techniques satisfy the properties of the previous slides. The paper also gives a new proof of the soundness of both techniques w.r.t. operational calculi.
“Traditional” technique: example model

Informal meaning of $S\ R\ \{|P|\}\ G\ S'$: if
◮ program $P$ is executed in a state which satisfies $S$, and
◮ every environment step satisfies $R$,
then
◮ every step of $P$ satisfies $G$, and
◮ if the execution terminates, then the final state satisfies $S'$.

Formally, require each trace of $P$ to behave properly (a trace is a list of state pairs that describe $P$’s ability to transform states):
$$S\ R\ \{|P|\}\ G\ S' \;\stackrel{\text{def}}{=}\; \forall t \in P:\ \text{rg-trace}\ S\ R\ t\ G\ S'$$
$$\text{rg-trace}\ S\ R\ [\,]\ G\ S' \;\stackrel{\text{def}}{=}\; R^*(S) \subseteq S'$$
$$\text{rg-trace}\ S\ R\ ((\sigma, \sigma') : t)\ G\ S' \;\stackrel{\text{def}}{=}\; \sigma \in R^*(S) \Rightarrow (\sigma, \sigma') \in G \wedge \text{rg-trace}\ \{\sigma'\}\ R\ t\ G\ S'.$$
“Traditional” technique: examples of valid rules

Concurrency:
$$S_1\ R_1\ \{|P|\}\ G_1\ S'_1 \;\wedge\; S_2\ R_2\ \{|Q|\}\ G_2\ S'_2 \;\wedge\; G_1 \subseteq R_2 \;\wedge\; G_2 \subseteq R_1 \;\Rightarrow\; (S_1 \cap S_2)\ (R_1 \cap R_2)\ \{|P \parallel Q|\}\ (G_1 \cup G_2)\ (S'_1 \cap S'_2).$$

Weakening:
$$S_1\ R_1\ \{|P|\}\ G_1\ S'_1 \;\wedge\; S_2 \subseteq S_1 \;\wedge\; R_2 \subseteq R_1 \;\wedge\; G_1 \subseteq G_2 \;\wedge\; S'_1 \subseteq S'_2 \;\Rightarrow\; S_2\ R_2\ \{|P|\}\ G_2\ S'_2.$$

Atomic commands:
$$\mathit{rel}(a) \cap (R^*(S) \times \Sigma) \subseteq G \;\wedge\; (R^*;\, \mathit{rel}(a);\, R^*)(S) \subseteq S' \;\Rightarrow\; S\ R\ \{|a|\}\ G\ S'.$$

Disjunction:
$$(\forall S \in Y:\ S\ R\ \{|P|\}\ G\ S') \;\Rightarrow\; (\textstyle\bigcup Y)\ R\ \{|P|\}\ G\ S'.$$
“Traditional” technique: relationship with HL

$S\ R\ \{|P|\}\ G\ S' \Rightarrow S\ \bot\ \{|P|\}\ \top\ S'$ holds by Weakening.

$S\ \bot\ \{|P|\}\ \top\ S' \Leftrightarrow S\ \{|P|\}\ S'$ is true, and in fact we can prove a more general theorem for arbitrary rely conditions:
$$S\ R\ \{|P|\}\ \top\ S' \;\Leftrightarrow\; S\ \{|P \parallel \mathit{traces}(R)|\}\ S'.$$

No straightforward way to generalise this to arbitrary guarantee conditions. Why? Because the satisfaction of the guarantee depends on the program, the precondition, and the rely condition. E.g. Coleman & Jones use the judgement $\{S, R\} \models P\ \mathbf{within}\ G$.
“Recent” technique: example model

$$S\ R\ \{|P|\}\ G\ S' \;\stackrel{\text{def}}{=}\; S\ \{|P \parallel \mathit{traces}(R)|\}\ S' \;\wedge\; P \subseteq \mathit{traces}(G).$$

The satisfaction of the guarantee depends on the program only, irrespective of the precondition and the rely.

Informal meaning of $S\ R\ \{|P|\}\ G\ S'$: every step of program $P$ satisfies $G$, and if
◮ $P$ is executed in a state which satisfies $S$, and
◮ every environment step satisfies $R$,
then
◮ if the execution terminates, then the final state satisfies $S'$.

Stronger judgement than in the “traditional” technique.
“Recent” technique: examples of valid rules

Concurrency and Weakening as before.

Atomic commands:
$$\mathit{rel}(a) \subseteq G \;\wedge\; (R^*;\, \mathit{rel}(a);\, R^*)(S) \subseteq S' \;\Rightarrow\; S\ R\ \{|a|\}\ G\ S'.$$

Disjunction:
$$Y \neq \emptyset \;\wedge\; (\forall S \in Y:\ S\ R\ \{|P|\}\ G\ S') \;\Rightarrow\; (\textstyle\bigcup Y)\ R\ \{|P|\}\ G\ S'.$$

In contrast to the “traditional” technique, $\emptyset\ R\ \{|P|\}\ G\ S'$ is not valid for arbitrary $R$, $P$, $G$, $S'$! However, $\emptyset\ R\ \{|P|\}\ \top\ S'$ is valid and the expected relationships with HL hold.

Proofs of rules (and judgements) can be formulated in terms of HL and refinement.
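The two example models above, the rg-trace definition of the “traditional” technique and the stronger “recent” judgement, can be checked mechanically on a finite state space. The following is an added example, not code from the slides or the paper. It takes states to be small integers, relations to be sets of state pairs, programs to be sets of traces and traces to be tuples of (pre, post) pairs. It assumes that $R^*$ is the reflexive-transitive closure of $R$, that $\bot$ is the empty rely (so $\bot^*$ is the identity), that $\top$ is the universal relation, and that concurrent composition of trace sets is interleaving; the “recent” judgement’s Hoare part is computed through the slides’ equivalence $S\ R\ \{|P|\}\ \top\ S' \Leftrightarrow S\ \{|P \parallel \mathit{traces}(R)|\}\ S'$. The constructed programs are $\mathit{skip}$ and an atomic counter increment; the checks reproduce the slides’ claims, including the Concurrency rule and the differing treatment of the empty precondition.

```python
# Added example (not from the slides or the paper): finite-state model of the
# "traditional" and "recent" Rely-Guarantee judgements. Assumptions: R* is the
# reflexive-transitive closure, ⊥ the empty rely, ⊤ the universal relation,
# and concurrent composition of trace sets is interleaving.
from itertools import product

STATES = frozenset(range(4))               # constructed state space: counter 0..3
IDENTITY = frozenset((s, s) for s in STATES)
BOTTOM = frozenset()                       # least rely: no environment steps
TOP = frozenset(product(STATES, STATES))   # greatest guarantee: any step


def rtc_image(R, S):
    """R*(S): states reachable from S by zero or more R steps."""
    reach, frontier = set(S), set(S)
    while frontier:
        frontier = {t for (s, t) in R if s in frontier} - reach
        reach |= frontier
    return frozenset(reach)


def rg_trace(S, R, trace, G, S_post):
    """rg-trace S R t G S' of the "traditional" model, unfolded recursively."""
    if not trace:
        return rtc_image(R, S) <= S_post
    (pre, post), rest = trace[0], trace[1:]
    if pre not in rtc_image(R, S):         # step unreachable under R: vacuous
        return True
    return (pre, post) in G and rg_trace(frozenset({post}), R, rest, G, S_post)


def traditional(S, R, P, G, S_post):
    """S R {|P|} G S' in the "traditional" technique: every trace behaves."""
    return all(rg_trace(S, R, t, G, S_post) for t in P)


def recent(S, R, P, G, S_post):
    """S R {|P|} G S' in the "recent" technique: the Hoare part (via the
    slides' equivalence with the ⊤-guarantee quintuple) plus P ⊆ traces(G)."""
    every_step_in_G = all(step in G for t in P for step in t)
    return traditional(S, R, P, TOP, S_post) and every_step_in_G


def hoare(S, P, S_post):
    """S {|P|} S' via the embedding S ⊥ {|P|} ⊤ S' stated on the slides."""
    return traditional(S, BOTTOM, P, TOP, S_post)


def interleave(t, u):
    """All interleavings of two traces."""
    if not t or not u:
        return {t + u}
    return ({(t[0],) + r for r in interleave(t[1:], u)}
            | {(u[0],) + r for r in interleave(t, u[1:])})


def parallel(P, Q):
    """P ∥ Q on trace sets, assumed here to be interleaving of traces."""
    return frozenset(r for t in P for u in Q for r in interleave(t, u))


# Constructed programs: skip has only the empty trace; inc is the atomic
# command whose relation adds one to the counter (bounded by STATES).
SKIP = frozenset({()})
INC_REL = frozenset((s, s + 1) for s in STATES if s + 1 in STATES)
INC = frozenset({((s, t),) for (s, t) in INC_REL})


def examples():
    """Evaluate the slides' claims on the constructed programs."""
    S, S2 = frozenset({0}), frozenset({0, 1})
    at_least_one = frozenset({1, 2, 3})
    return {
        # S (S×S) {|skip|} Id S, the slides' example of a valid quintuple
        "skip": traditional(S2, frozenset(product(S2, S2)), SKIP, IDENTITY, S2),
        "skip_recent": recent(S2, frozenset(product(S2, S2)), SKIP, IDENTITY, S2),
        # no interference: inc takes the counter from 0 to exactly 1
        "inc_no_interference": traditional(S, BOTTOM, INC, INC_REL, frozenset({1})),
        # the environment may also increment: "exactly 1" is no longer guaranteed ...
        "inc_interference_exact": traditional(S, INC_REL, INC, INC_REL, frozenset({1})),
        # ... but "at least 1" still is
        "inc_interference_weak": traditional(S, INC_REL, INC, INC_REL, at_least_one),
        # Concurrency rule: both components have G = R = INC_REL, so the side
        # conditions G1 ⊆ R2 and G2 ⊆ R1 hold and inc ∥ inc meets the conclusion
        "concurrency": traditional(S, INC_REL, parallel(INC, INC), INC_REL, at_least_one),
        # every valid RG quintuple yields a valid HL triple
        "hoare_from_rg": hoare(S, INC, at_least_one),
        # empty precondition: "traditional" holds for any R, P, G, S' ...
        "empty_pre_traditional": traditional(frozenset(), INC_REL, INC, frozenset(), frozenset()),
        # ... while "recent" still demands P ⊆ traces(G)
        "empty_pre_recent": recent(frozenset(), INC_REL, INC, frozenset(), frozenset()),
    }
```

Running `examples()` returns a mapping from each claim to its truth value; the only entries that come out false are `inc_interference_exact` (the rely admits environment increments, so the exact postcondition is unreachable) and `empty_pre_recent` (the guarantee is empty, so $P \subseteq \mathit{traces}(G)$ fails even though the Hoare part holds vacuously). Both agree with the slides.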
“Recent” technique: decomposing the quintuple

Let $P \mathbin{-\!\parallel} P'$ be the largest (i.e. most nondeterministic) program whose concurrent composition with $P$ is included in $P'$, i.e.
$$P'' \parallel P \subseteq P' \;\Leftrightarrow\; P'' \subseteq P \mathbin{-\!\parallel} P'.$$

$$\mathit{rely}\ R\ P \;\stackrel{\text{def}}{=}\; \mathit{traces}(R) \mathbin{-\!\parallel} P.$$
$$\mathit{guar}\ G\ P \;\stackrel{\text{def}}{=}\; \mathit{traces}(G) \cap P.$$

The $\mathit{rely}$ and $\mathit{guar}$ operators have nice algebraic properties. They can decompose the RG quintuple of the “recent” technique:
$$S\ R\ \{|P|\}\ G\ S' \;\Leftrightarrow\; P \subseteq \mathit{guar}\ G\ (\mathit{rely}\ R\ [S, S']).$$

So RG rules and judgements follow from the properties of simple operators. Delightful refinement-style derivations (see work by Ian Hayes et al.).
Soundness

Define a big-step operational judgement:
$$\langle P, \sigma \rangle \to \sigma' \;\stackrel{\text{def}}{=}\; \exists t \in \text{IF-traces-ending-in}(\sigma):\ \exists t' \in \text{IF-traces-ending-in}(\sigma'):\ \{t\};\, P \supseteq \{t'\}.$$

All the familiar big-step operational rules are theorems, e.g.
$$\langle P, \sigma \rangle \to \sigma' \;\wedge\; \langle P', \sigma' \rangle \to \sigma'' \;\Rightarrow\; \langle P;\, P', \sigma \rangle \to \sigma''.$$

Relationship with Hoare triple:
$$S\ \{|P|\}\ S' \;\Leftrightarrow\; (\forall \sigma \in S:\ \forall \sigma':\ \langle P, \sigma \rangle \to \sigma' \Rightarrow \sigma' \in S').$$

So the RG judgements of both techniques are sound w.r.t. big-step execution:
$$S\ R\ \{|P|\}\ G\ S' \;\Rightarrow\; (\forall \sigma \in S:\ \forall \sigma':\ \langle P, \sigma \rangle \to \sigma' \Rightarrow \sigma' \in S').$$
Soundness (continued)

The big-step judgement has no compositional rule for concurrency. Define a small-step operational judgement:
$$\langle P, \sigma \rangle \to \langle P', \sigma' \rangle \;\stackrel{\text{def}}{=}\; \exists Q \in \mathit{Actions}:\ P \supseteq Q;\, P' \;\wedge\; \langle Q, \sigma \rangle \to \sigma'.$$

All the familiar small-step rules are theorems, including:
$$\langle P, \sigma \rangle \to \langle P', \sigma' \rangle \;\Rightarrow\; \langle P \parallel P'', \sigma \rangle \to \langle P' \parallel P'', \sigma' \rangle.$$
$$\langle P, \sigma \rangle \to \langle \mathit{skip}, \sigma' \rangle \;\Rightarrow\; \langle P \parallel P'', \sigma \rangle \to \langle P'', \sigma' \rangle.$$

Relationship with the big-step judgement:
$$\langle P, \sigma \rangle \to^* \langle \mathit{skip}, \sigma' \rangle \;\Rightarrow\; \langle P, \sigma \rangle \to \sigma'.$$
(Compare RG & HL.)