rely guarantee reasoning for asynchronous programs
play

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , - PowerPoint PPT Presentation

Jul 14, 2023 •145 likes •672 views

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore,

  1. Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore, India

  2. Asynchronous programming is widespread • Web apps : AJAX, jQuery, XMLHttpRequest • Smartphone apps : AsyncTask, dispatch_async • Server-side : node.js, java.nio • Systems : kqueue, epoll, Libevent • Other : async/await in Scala

  3. Common feature: Posting tasks for later execution A pending tasks

  4. Common feature: Posting tasks for later execution A pending tasks B C

  5. Common feature: Posting tasks for later execution A B C pending tasks

  6. Common feature: Posting tasks for later execution A B C Tasks may be executed when pending tasks • triggered by external events (mouse click, response ready, socket ready, …) • dispatched by a scheduler

  7. Drawback: Obscured control-flow A B C

  8. Drawback: Obscured control-flow A C B Multiple pending tasks may be executed in any order .

  9. Drawback: Obscured control-flow A C B precondition P B

  10. Drawback: Obscured control-flow A C B precondition P B postcondition Q A Q A ⇒ P B

  11. Drawback: Obscured control-flow A C B precondition P B postcondition Q A Q A ⇒ P B C might invalidate P B

  12. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B

  13. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B rely R B : “preserve P B ”

  14. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B rely R B : “preserve P B ” guarantee G C G C ⇒ R B

  15. Soundness of rely/guarantee reasoning Given a program with specification in terms of predicates P, Q, R, G, if the predicates satisfy “natural rely/guarantee • conditions” each task meets its rely/guarantee specification • then the program is correct.

  16. Rely/guarantee reasoning is modular Sufficient to verify each task in isolation , using a verifier for sequential software.

  17. Contributions We have: • Identified the “natural rely/guarantee conditions” • Proved soundness of rely/guarantee reasoning • Demonstrated the approach on two C programs that use Libevent (done using Frama-C)

  18. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  19. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  20. Modeling asynchronous tasks Extend an imperative language with asynchronous procedures , together with constructs: post f(v 1 , …, v k ) delete f(v 1 , …, v k ) Maintain a set of pending procedure instances . Execute instances atomically in a non-deterministic order .

  21. Example: ROT13 server async main() { int socket = prepare_socket(); post accept(socket); } async accept( int socket) { struct client *c = malloc(…); client_setup(c); c->fd = accept_connection(socket); post read(c); post accept(socket); } async read( struct client *c) { … } async write( struct client *c) { … }

  22. Example: ROT13 server async read( struct client *c) { async write( struct client *c) { if (…) { // c->fd is ready if (…) { // c->fd is ready receive_chunk(c); send_chunk(c); post write(c); if (more_to_send(c)) post read(c); post write(c); } } else { // connection is closed else { // connection is closed delete write(c); delete read(c); free(c); free(c); } } } }

  23. Example: ROT13 server //@ requires valid(c); //@ requires valid(c); async read( struct client *c) { async write( struct client *c) { if (…) { // c->fd is ready if (…) { // c->fd is ready receive_chunk(c); send_chunk(c); post write(c); if (more_to_send(c)) post read(c); post write(c); } } else { // connection is closed else { // connection is closed delete write(c); delete read(c); free(c); free(c); } } } }

  24. Introducing predicate posted f For each asynchronous procedure f(x 1 ,…,x k ) , we introduce a predicate posted f (x 1 , …, x k ) True iff f has been posted with arguments x 1 , …, x k during the execution of the current asynchronous procedure .

  25. Example: ROT13 server /*@ requires valid(c); /*@ requires valid(c); @ ensures ∀ c 1 ; @ ensures ∀ c 1 ; @ posted_read(c 1 ) ⇒ valid(c 1 ); @ posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures ∀ c 1 ; @*/ @ posted_write(c 1 ) ⇒ valid(c 1 ); async write( struct client *c) { if (…) { // c->fd is ready @*/ send_chunk(c); async read( struct client *c) { if (more_to_send(c)) if (…) { // c->fd is ready post write(c); receive_chunk(c); } post write(c); else { // connection is closed post read(c); delete read(c); } free(c); else { // connection is closed } delete write(c); } free(c); } }

  26. Preserving the precondition read(c) write(c) P write ( c ) ≡ valid( c ) P write ( c ) ≡ valid( c ) parent child

  27. Preserving the precondition read(c 1 ) write(c 1 ) read(c) accept(socket) write(c) P write ( c ) ≡ valid( c ) P write ( c ) ≡ valid( c ) parent concurrent siblings child

  28. Preserving the precondition read(c 1 ) write(c 1 ) read(c) accept(socket) write(c) G read ⇒ R write guarantee P write rely on P write G write ⇒ R write is preserved being preserved G accept ⇒ R write parent concurrent siblings child

  29. Introducing predicate pending f For each asynchronous procedure f(x 1 ,…,x k ) , we introduce a predicate pending f (x 1 , …, x k ) True iff f with arguments x 1 , …, x k is pending , i.e. is in the set of pending procedure instances.

  30. write ’s rely predicate R write R write ≡ ∀ c. (pending’ write (c) ∧ pending write (c) ∧ valid’(c)) ⇒ valid(c) (prime means at the beginning of execution)

  31. write ’s global invariant With write ’s parents ensuring: ∀ c. posted write (c) ⇒ valid(c) and write ’s concurrent siblings ensuring: ∀ c. (pending’ write (c) ∧ pending write (c) ∧ valid’(c)) ⇒ valid(c) rely/guarantee ensures a global invariant : ∀ c. pending write (c) ⇒ valid(c)

  32. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … }

  33. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) } R read @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) } R write @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … }

  34. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) } R read @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) } R write @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … } write can now be verified in isolation using a standard verification tool (in our case Frama-C)

  35. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  36. Rely/guarantee decomposition For each asynchronous procedure f we require: • P f — precondition predicate • R f — rely predicate • G f — guarantee predicate • Q f — postcondition predicate First-order formulas; may include predicates posted g and pending g (in negative positions)

  37. Rely/guarantee conditions Given a rely/guarantee decomposition, for each asynchronous procedure f : (1) Q f ⇒ G f (2) Q g ⇒ (posted f ⇒ P f ), for each g ∈ parents( f ) (3) R f ⇒ ((pending’ f ∧ pending f ∧ P’ f ) ⇒ P f ) (4) G g ⇒ R f , for each g ∈ siblings( f )

  38. Soundness of rely/guarantee reasoning Theorem. Given an asynchronous program with a rely/guarantee decomposition, if • the decomposition satisfies the rely/guarantee conditions • each procedure meets its specification (P and Q) then the program is correct.

  39. Key lemma Lemma. For each asynchronous procedure f , at every schedule point we have pending f ⇒ P f

  40. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  41. Generic rely/guarantee predicates Given preconditions P f , the weakest predicates that satisfy the rely/guarantee conditions: • R f ≡ (pending’ f ∧ pending f ∧ P’ f ) ⇒ P f • G f ≡ ⋀ R g g ∈ siblings( f ) • Q f ≡ G f ∧ ⋀ posted g ⇒ P g g ∈ children( f )

Recommend

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction Basics of Rely-Guarantee Overview of the paper Two techniques for constructing Rely-Guarantee models Soundness results The traditional

272 views • 23 slides
Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL Leonor Prensa Nieto TU M unchen Marseille, 7 January 2002 Isabelle HOL = Overview Motivation. Hoare logic for

263 views • 23 slides
Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . ) Cliff B Jones Computing Science Newcastle University FMCO 2008-10-22 Cliff B Jones (Newcastle) Developing programs by Splitting atoms

603 views • 36 slides
Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon,

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon,

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 2 3 x:ref y:ref x := !x+1; m(y);

739 views • 26 slides
Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

ECOOP 2014 Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon University, Pittsburgh, USA 2 Universidade Nova de Lisboa, Lisboa, Portugal Motivation Mutable state can be useful in certain cases.

1.45k views • 109 slides
Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC Blake Reed, Counselor Thea Labrenz, Counselor Types of Guarantee Programs In the UC system they are refers to them as Transfer Admission

285 views • 14 slides
A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre

A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre

Introduction A Model for Contracts Use Case Conclusion Further work A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre Talpin Paul Le Guernic Thierry Gautier 1 INRIA, Resarch Unit of

963 views • 69 slides
Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and debugging Largely based on material from University of Washington CSE 331 Good programs, broken programs? Goal: program works (does not fail) Need:

540 views • 32 slides
A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain locking 2 3 5 7 11 13 Coarse - grain locking 2 3 5 7 11 13 Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13 Fine -

743 views • 57 slides
Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham

Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham

Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham Samson@60 Oxford, May 2013 How I met your Samson How I met your Samson why async? very high speed (+) very low power (+) high footprint (-)

617 views • 33 slides
Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11

Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11

INF4140 Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11 09.11.11, page 1. INF4140 Overview: Last time semantics: histories and trace sets specification: invariants over histories global

859 views • 37 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But

Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But

Good programs, broken programs? Goal: program works (does not fail) Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But programs fail all the time. Why? A brief interlude on 1. Misuse of your code:

86 views • 8 slides
Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic

Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic

Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic programs November 8, 2019 Zikun Chen, Alex Chang Main Idea model the flexibility and inherent uncertainty of reasoning about agents with

417 views • 29 slides
Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones

Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones

Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones Wotao Yin joint: Fei Feng, Robert Hannah, Yanli Liu, Ernest Ryu (UCLA, Math) DIMACS: Distributed Optimization, Information Processing, and Learning

844 views • 67 slides
Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content Equational reasoning Reasoning with monads Goal of the paper Our contribution (a + b) * (a - b) [distr: forall x y z. x * (y + z) =

493 views • 25 slides
Stack and Queue ADT Stack Queue 2 ADT Example All main programs rely on concept of

Stack and Queue ADT Stack Queue 2 ADT Example All main programs rely on concept of

Advanced Programming Stack - Queue Summary Stack and Queue ADT Stack Queue 2 ADT Example All main programs rely on concept of Abstract It is possible to define an ADT corresponding Data Type (ADT). to a generic set of elements,

350 views • 7 slides
Verifying Asynchronous programs with nested locks K Narayan Kumar CMI, Chennai Joint work with

Verifying Asynchronous programs with nested locks K Narayan Kumar CMI, Chennai Joint work with

Verifying Asynchronous programs with nested locks K Narayan Kumar CMI, Chennai Joint work with M.F. Atig A. Bouajjani Prakash Saivasan Programs with Locks: A collection of processes executing concurrently. A finite set of Locks

1.82k views • 169 slides
Hitting Families of Schedules for Asynchronous Programs Dmitry Chistikov 1,2 , Rupak Majumdar 1 ,

Hitting Families of Schedules for Asynchronous Programs Dmitry Chistikov 1,2 , Rupak Majumdar 1 ,

Hitting Families of Schedules for Asynchronous Programs Dmitry Chistikov 1,2 , Rupak Majumdar 1 , Filip Niksic 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 University of Oxford, UK Ninjas at a conference banquet 1 2 n

654 views • 36 slides
how to Clean Code in asynchronous programs. Helge Betzinger CTO pcvisit Software AG Developer

how to Clean Code in asynchronous programs. Helge Betzinger CTO pcvisit Software AG Developer

Developer Days 2014 Write Event-based programs again sequentially or how to Clean Code in asynchronous programs. Helge Betzinger CTO pcvisit Software AG Developer Age genda da Days 2014 What is the problem and how to escape?

920 views • 59 slides
Rethinking Federal Credit: Managing Loan and Loan Guarantee Programs in a Changing Environment

Rethinking Federal Credit: Managing Loan and Loan Guarantee Programs in a Changing Environment

Rethinking Federal Credit: Managing Loan and Loan Guarantee Programs in a Changing Environment Thursday, May 17, 2018 Changing Economic and Policy Environments for the Worlds Largest Financial Institution Doug Criscitello , Executive Director,

538 views • 29 slides
An Abstract Machine for Asynchronous Programs with Closures and Priority Queues Giorgio Delzanno

An Abstract Machine for Asynchronous Programs with Closures and Priority Queues Giorgio Delzanno

An Abstract Machine for Asynchronous Programs with Closures and Priority Queues Giorgio Delzanno D. Ancona L. Franceschini M. Leotta E. Prampolini M. Ribaudo F. Ricca FUSTAQ Project 1 DIBRIS, University of Genoa 1 SEED 2016 project funded

1.25k views • 97 slides
A Graph-Based Semantics Workbench for Concurrent Asynchronous Programs Alexander Heuner Chris

A Graph-Based Semantics Workbench for Concurrent Asynchronous Programs Alexander Heuner Chris

A Graph-Based Semantics Workbench for Concurrent Asynchronous Programs Alexander Heuner Chris Poskitt Otto-Friedrich-Universitt ETH Zrich Bamberg Dagstuhl, November 2015 Analysis (Verification) of Evolving Graph Structures 2 CP AH

370 views • 15 slides
Inferring and Executing Programs for Visual Reasoning Justin Johnson , Bharath Hariharan, Laurens

Inferring and Executing Programs for Visual Reasoning Justin Johnson , Bharath Hariharan, Laurens

Inferring and Executing Programs for Visual Reasoning Justin Johnson , Bharath Hariharan, Laurens van der Maaten, Judy Hoffman, Li Fei-Fei, C.Lawrence Zitnick, Ross Girshick Presenter: Siliang Lu 9/26/2017 What is visual reasoning? In order

398 views • 18 slides

More recommend