A marriage of rely/guarantee & separation logic Viktor V - - PowerPoint PPT Presentation

A marriage of rely/guarantee & separation logic

Viktor V afeiadis MPI-SWS

Coarse-grain locking

2 3 5 7 11 13

Coarse-grain locking

2 3 5 7 11 13

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Pessimistic: lock-coupling

2 3 5 7 11 13

Fine-grain locking

Optimistic traversal

2 3 5 7 11 13

Fine-grain locking

Optimistic traversal

2 3 5 7 11 13

Fine-grain locking

Optimistic traversal Re-traverse the list OR deletions in two steps Leaks memory: cannot dispose deleted nodes.

Operations (actions)

Lock Unlock Pessimistic algorithm Add node Delete node

Optimistic algorithm Lock Unlock Add node Delete node

Operations (actions)

Fine-grained concurrency

• Complex concurrency patterns
• Dynamically allocated data structures
• Explicit memory deallocation
• Concurrent libraries: java.util.concurrent

Aim: T ractable reasoning, manual & automatic

Separation logic

[Reynolds, O’Hearn, et al. 2001+]

Separation logic (1/3)

e1 e2

empty heap ... a logic for describing the heap

P Q

single cell separation

lseg(x, y)

def

= (x = y ∧ emp) ∨ (∃z v. x → v, z ∗ lseg(z, y)) P, Q ::= e = e′ | P ∧ Q | P ∨ Q | ¬P | ∃x. P | ∀x. P | emp | e → e1, . . . , en | P ∗ Q | P − ∗ Q e :

Separation logic (2/3)

• Hoare triples

{precondition} program {postcondition}

• Rules for commands accessing the heap
• Frame rule

... a program logic

P Q C R R P Q C

If then {P} C {Q} {P ∗ R} C {Q ∗ R}

Separation logic (3/3)

... disjoint parallelism If then

P1 Q1 C1 P2 Q2 C2 P1 Q1 P2 Q2 C1C2

and [+ resource invariants] {P1} C1 {Q1} {P2} C2 {Q2} {P1 ∗ P2} C1C2 {Q1 ∗ Q2}

Introduction to RGSep

Basic concepts

2 3 5 7 11 13

Local and shared state

Shared Local

6

Actions

Describe how the shared state changes: (i) by the program & (ii) by its environment Semantics: An action changes the part of the shared state that matches the LHS to something that matches the RHS. The rest of the shared state is not touched. Lock Unlock

The two roles of actions

• Guarantee: As annotations to atomic blocks,

they specify what an atomic block does to the shared state They also adjust the boundary between local and shared state

• Rely: Abstract what all the other threads do to

the shared state

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Effect of an action

2 3 5 7 11 13

Shared Local

6 Lock 2 3 5 7 11 13

Shared Local

6

Ownership transfer

Where did this node come from? Where did this node go? Add node Delete node

Local and shared state

2 3 5 7 11 13

Shared Local

6

Add node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared

6

Local

Add node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared

6

Local

Lock node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared

6

Local

Lock node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared

6

Local

Delete node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared Local

6

Delete node

Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared Local

6

Now, the node is local; we can safely dispose it. Pessimistic algorithm

Local and shared state

2 3 5 7 11 13

Shared Local Now, the node is local; we can safely dispose it. Pessimistic algorithm

Local and shared state

Shared Local

13 2 3 5 7 11 6

Optimistic algorithm

Delete node

Local and shared state

Shared Local

13 2 3 5 7 11 6

Optimistic algorithm

Delete node

2 7 11 13 5

Interference:

• ther threads

A A

3

2 7 11 13 5

Interference:

• ther threads

A A

2 7 11 13 5

Interference:

• ther threads

12

A A

2 7 11 13 5

Interference:

• ther threads

12

A A

7 5

A A

Stability

7 5

A A

Lock

B

Unlock

B

Stability

7 5

A A

Delete node

B B B

Add node

B B

RGSep

More formally...

Assertion syntax

Separation Logic Extended logic P, Q ::= false | emp | e = e′ | e → e′ | ∃x. P | P ⇒ Q | P ∗ Q | P − ⊛ Q h SL P − ⊛ Q ⇐ ⇒ h SL ¬(P − ∗ ¬Q) ⇐ ⇒ ∃h′. (h′ SL P) ∧ (h ⊎ h′ SL Q) p, q ::= P | P | p ∗ q | p ∧ q | p ∨ q | ∃x. p | ∀x. p local shared

Assertion semantics

Split local state; share global state. l, s P ⇐ ⇒ l SL P l, s P ⇐ ⇒ l = ∅ ∧ (s SL P) l, s p1 ∗ p2 ⇐ ⇒ ∃l1, l2. (l = l1 ⊎ l2) ∧ (l1, s p1) ∧ (l2, s p2)

Actions

x → tid, v, t

• x → 0, v, t

x → 0, v, t

• x → tid, v, t

x → tid, v, t

• x → tid, v, y

∗ y → 0, v′, t x → tid, v, y ∗ y → tid, v′, t x → tid, v, t x → tid, v, y ∗ y → tid, v′, t x → tid, v, t ∗ y → tid, v′, t

Judgements

(precondition, rely, guarantee, postcondition)

⊢ C sat (p, R, G, q)

Parallel rule

Splits local state; Shares global state. ⊢ C1 sat (p1, R ∪ G2, G1, q1) ⊢ C2 sat (p2, R ∪ G1, G2, q2) ⊢ (C1C2) sat (p1 ∗ p2, R, G1 ∪ G2, q1 ∗ q2)

Atomic commands

Shared state Local state P2, Q2 precise (P2 Q2) ∈ G ⊢ C sat (P1 ∗ P2, ∅, ∅, Q1 ∗ Q2) ⊢ (atomic C) sat

• P1 ∗ P2 ∗ F , ∅, G, Q1 ∗ Q2 ∗ F
• p, q stable under R

⊢ (atomic C) sat (p, ∅, G, q) ⊢ (atomic C) sat (p, R, G, q)

Stability

iff S stable under P Q ((P − ⊛ S) ∗ Q) ⇒ S