A Separation Logic to Verify Termination of Busy-Waiting for Abrupt - - PowerPoint PPT Presentation



SLIDE 1

A Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit

Tobias Reinhard 1, Amin Timany 2, Bart Jacobs 1

1 KU Leuven, imec-DistriNet Research Group
2 Aarhus University, Logic and Semantics Group

23rd July 2020

SLIDE 2

◮ Motivation
◮ Language
◮ Verification
◮ Work in Progress & Outlook


SLIDE 4

Motivation

◮ Busy-waiting for other threads common in programs for multiprocessor machines
  ⇒ Goal: Prove termination of busy-waiting
◮ In this work: Consider specific event "abrupt termination"
  ⇒ On-going work: Generalization to arbitrary events

Figure: thread 1 busy-waits for event E, which thread 2 performs; in this work event E is approximated by "abrupt termination", i.e., thread 2 abruptly terminates the entire program while thread 1 busy-waits for that abrupt termination.


SLIDE 7

Language

◮ Abrupt termination of all threads: exit
◮ Infinite busy-waiting loop: loop skip
◮ Forking new thread: fork c
◮ Approach applicable to realistic languages

  c ∈ Cmds ::= exit | loop skip | fork c | c ; c

◮ Busy-waiting for abrupt termination: fork exit; loop skip
◮ Thread scheduling non-deterministic ⇒ Need to assume fair scheduling
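An added example (mine, not from the slides or the paper): a small interpreter for this command language with a round-robin scheduler, showing that fork exit; loop skip terminates abruptly under fair scheduling but never does when the scheduler keeps picking the busy-waiting thread. The tuple encoding of commands and the step bound are assumptions of the example.

```python
# Commands of the slides' language, encoded as tuples (encoding is mine):
# ("exit",), ("loop_skip",), ("fork", c), ("seq", c1, c2).
EXIT, LOOP_SKIP = ("exit",), ("loop_skip",)
def fork(c): return ("fork", c)
def seq(c1, c2): return ("seq", c1, c2)

def step(threads, i):
    """Execute one step of thread i (a stack of pending commands).
    Returns True if that step was exit, i.e., the whole program terminated."""
    stack = threads[i]
    cmd = stack.pop()
    if cmd[0] == "exit":
        return True
    if cmd[0] == "loop_skip":
        stack.append(cmd)                 # one skip iteration, then loop again
    elif cmd[0] == "fork":
        threads.append([cmd[1]])          # new thread starts with command c
    elif cmd[0] == "seq":
        stack.extend([cmd[2], cmd[1]])    # c1 runs first, c2 afterwards
    if not stack:
        del threads[i]                    # thread has no commands left
    return False

def run(program, fair, max_steps=1000):
    """Run under a round-robin scheduler (fair) or one that always picks the
    lowest-numbered thread (unfair). Every command ends in exit or loop skip, so a
    run either exits abruptly or diverges: ("exit", steps) or ("timeout", max_steps)."""
    threads, turn = [[program]], 0
    for n in range(1, max_steps + 1):
        i = turn % len(threads) if fair else 0
        if step(threads, i):
            return ("exit", n)
        turn += 1
    return ("timeout", max_steps)

BUSY_WAIT = seq(fork(EXIT), LOOP_SKIP)    # the slides' "fork exit; loop skip"
```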


SLIDE 10

Termination of Busy-Waiting

◮ Problem: Termination of loop skip depends on other threads
  ⇒ Need knowledge that other threads exit
◮ Solution: Track which threads eventually exit

Ghost resources:
◮ Obligation: Thread must eventually exit
◮ Credit: Local proof that other thread will exit ⇒ Permission to busy-wait
◮ Track which resources each thread holds
◮ Can be spawned & cancelled during ghost steps ⇒ Ensure #obligations = #credits
◮ Can be transferred during forking

Figure: a thread running fork exit; loop skip spawns an obligation and a credit in a ghost step, passes the obligation to the forked exit thread, and keeps the credit while busy-waiting in loop skip.

SLIDE 11

Assertions

Separation Logic with
◮ a ∗ b ⇒ Standard separating conjunction
◮ Predicate obs(n) ⇒ Expresses possession of n obligations
◮ Predicate credit ⇒ Possession of single credit

  a ∈ A ::= True | False | a ∗ a | obs(n) | credit

◮ Can be combined with existing logics, e.g., Iris ⇒ Adds possibility to verify termination of busy-waiting

SLIDE 12

Program Specifications

◮ Hoare triple {A} c {B} ⇒ Given precondition A, ...
  ◮ c terminates & postcondition B holds
  or
  ◮ c diverges or abruptly terminates the program
◮ Postcondition False expresses either
  ◮ divergence
  or
  ◮ abrupt termination, i.e., exit
  (can conclude anything from False, e.g., obs(0))
◮ Soundness of verification approach: Discharging all obligations & starting without credits, i.e., {obs(n)} c {obs(0)} ⇒ Termination under fair scheduling

SLIDE 13

Proof Rules: Abrupt Termination & Busy-Waiting

◮ exit only way to discharge obligation
◮ Busy-waiting only allowed if thread possesses:
  ◮ Credit ⇒ Other thread holds obligation, i.e., will exit ⇒ Waiting terminates
  ◮ No obligations ⇒ Not waiting for itself to exit

PR-Exit
  ⊢ {A} exit {False}

PR-Loop
  ⊢ {obs(0) ∗ credit} loop skip {False}

◮ #obligations chunks = #threads ⇒ obs(n) ∗ obs(n′) never holds ⇒ PR-Loop ensures that thread holds no obligations
◮ Need way to:
  ◮ Spawn obligations & credits
  ◮ Prove that exit discharges obligation, i.e., ⊢ {obs(1)} exit {obs(0)}

SLIDE 14

Proof Rules: View Shift

◮ View shift A ⇛ B:
  ◮ Reasoning step independent of program, e.g., drawing conclusion: False ⇛ obs(0)
  ◮ Ghost step, e.g., Spawning obligation & credit: obs(0) ⇛ obs(1) ∗ credit
    ⇒ obs(0) ∗ credit means other thread holds obligation

VS-ObCred
  obs(o) ⇚⇛ obs(o + 1) ∗ credit

VS-SemImp
  ∀R. R ⊨ A → R ⊨ B
  ------------------
  A ⇛ B

VS-Trans
  A ⇛ C    C ⇛ B
  ---------------
  A ⇛ B

◮ Allows to strengthen precondition and weaken postcondition ⇒ Generalization of Rule of Consequence in Hoare logic

PR-ViewShift
  A ⇛ A′    ⊢ {A′} c {B′}    B′ ⇛ B
  ----------------------------------
  ⊢ {A} c {B}

SLIDE 15

Proof Rules: exit Example

◮ Can prove that exit discharges obligation, i.e., ⊢ {obs(1)} exit {obs(0)}

  {obs(1)}
  exit            PR-Exit
  {False}
  {obs(0)}        PR-ViewShift + VS-SemImp

SLIDE 16

Proof Rules: Transferring Ghost Resources

◮ Can transfer obligations & credits to forked threads
◮ Forking only way to split obligations chunk obs(n)

PR-Fork
  ⊢ {obs(o_f) ∗ A} c {obs(0)}
  ---------------------------------------
  ⊢ {obs(o_m + o_f) ∗ A} fork c {obs(o_m)}

◮ Only allowed if forked thread discharges all obligations

Figure (proof outline of fork exit): the main thread starts with {obs(1) ∗ credit}, forks exit, passing the obligation to the forked thread, and continues with {obs(0) ∗ credit}; the forked thread runs {obs(1)} exit {False}, and a view shift gives {obs(0)}, i.e., the obligation is discharged and the thread terminates.

◮ Also support frame rule and sequencing

PR-Frame
  ⊢ {A} c {B}
  -------------------
  ⊢ {A ∗ F} c {B ∗ F}

PR-Seq
  ⊢ {A} c1 {B}    ⊢ {B} c2 {C}
  ----------------------------
  ⊢ {A} c1; c2 {C}

SLIDE 17

Verification Example

◮ Remember Soundness: ⊢ {obs(n)} c {obs(0)} ⇒ Termination under fair scheduling
◮ Verify termination of fork exit; loop skip by proving ⊢ {obs(0)} fork exit; loop skip {obs(0)}

  {obs(0)}
  {obs(1) ∗ credit}          PR-ViewShift + VS-ObCred
  fork                       PR-Fork
      {obs(1)}
      exit;                  PR-Exit
      {False}
      {obs(0)}               PR-ViewShift + VS-SemImp
  {obs(0) ∗ credit}
  loop skip                  PR-Loop
  {False}
  {obs(0)}                   PR-ViewShift + VS-SemImp

SLIDE 18

Additional Content of the Paper

◮ Operational semantics
◮ Semantics of assertions
◮ Semantics of Hoare triples
◮ Annotated operational semantics (bridging gap between verification & execution)
◮ Soundness theorem & proof


SLIDE 21

Work in Progress & Outlook

◮ Formalize verification approach in Coq
◮ Generalize approach to Ghost Signals
  ◮ Obligation to set signal & Permission to wait for it to be set
  ◮ Allows to verify termination of busy-waiting for arbitrary events
◮ Combine with work on I/O liveness verification
  ◮ Encode I/O liveness as termination property (cf. server below)
  ◮ Verify liveness of server below

Figure: server S with receiver threads that receive requests 1, ..., N, ... from clients and insert them into a queue, and responder threads that extract requests and respond to them; the server exits after responding to request N, while the clients send requests, receive responses, and "wait for exit".

SLIDE 22

Thank you for your attention!


SLIDE 23

Additional Material: Semantics of Assertions

◮ Ghost resources R := Bags(N) × N.
  ◮ (O, χ) ∈ R ⇒ (i) Obligations chunks O and (ii) χ credits
  ◮ Threads hold single obligations chunk, i.e., ({[o]}, χ).
  ◮ (O1, χ1) ⊎_R (O2, χ2) := (O1 ⊎ O2, χ1 + χ2)
◮ Semantics of Assertions
  ◮ obs(n) must encompass full obligations chunk, i.e., assertion obs(n) ∗ obs(n′) must not hold for any ({[o]}, χ)

  R ⊨ True
  R ⊨ a1 ∗ a2        iff  ∃R1, R2 ∈ R. R = R1 ⊎_R R2 ∧ R1 ⊨ a1 ∧ R2 ⊨ a2
  (O, χ) ⊨ obs(o)    iff  o ∈ O
  (O, χ) ⊨ credit    iff  χ ≥ 1

Figure (resource states along fork exit; loop skip): before the fork the main thread holds ({1}, 1) ⊨ obs(1) ∗ credit; passing the obligation to the forked thread gives it ({1}, 0) ⊨ obs(1) before exit, while the main thread continues into loop skip with ({0}, 1) ⊨ obs(0) ∗ credit.
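An added example (mine, not from the slides or the paper's Coq development): a Python model of the ghost resources and the satisfaction relation defined on this slide and the Assertions slide, together with the VS-ObCred ghost step and the PR-Fork split used in the verification example. The tuple encoding of assertions, the function names and the use of a Counter as a bag are assumptions of the example.

```python
from collections import Counter
from itertools import product
# Ghost resource R = (O, chi): a bag O of obligation chunks (one chunk per thread,
# the chunk being that thread's obligation count) and chi credits. Assertions are
# tuples: ("True",), ("False",), ("sep", a, b), ("obs", n) and ("credit",).
def obs(n): return ("obs", n)
def sep(a, b): return ("sep", a, b)
CREDIT = ("credit",)
def res(o, chi): return (Counter([o]), chi)   # single-chunk resource of one thread
def bag_splits(bag):
    """Every pair O1, O2 with O1 ⊎ O2 = bag (bags are Counters of chunk sizes)."""
    items = list(bag.elements())
    for mask in product((0, 1), repeat=len(items)):
        yield (Counter(x for x, m in zip(items, mask) if m == 0),
               Counter(x for x, m in zip(items, mask) if m == 1))

def sat(r, a):
    """(O, chi) ⊨ a, following the semantics of assertions on the final slide."""
    O, chi = r
    if a[0] in ("True", "False"):
        return a[0] == "True"
    if a[0] == "obs":
        return a[1] in O            # the chunk o must be an element of the bag O
    if a[0] == "credit":
        return chi >= 1
    if a[0] == "sep":               # exists R1 ⊎ R2 = R with R1 ⊨ a1 and R2 ⊨ a2
        return any(sat((o1, c1), a[1]) and sat((o2, chi - c1), a[2])
                   for o1, o2 in bag_splits(O) for c1 in range(chi + 1))
    raise ValueError(a[0])

def spawn_ob_cred(r):
    """Ghost step VS-ObCred on one thread's resource: obs(o) ⇛ obs(o + 1) ∗ credit."""
    (o,), chi = tuple(r[0].elements()), r[1]
    return res(o + 1, chi + 1)

def fork_split(r, of):
    """PR-Fork: the forked thread takes obs(of) and no credits, main keeps obs(om)."""
    (o,), chi = tuple(r[0].elements()), r[1]
    return res(o - of, chi), res(of, 0)

def balanced(threads):
    """Bookkeeping the slides require: #obligations == #credits over all threads."""
    return sum(o for O, _ in threads for o in O.elements()) == sum(c for _, c in threads)
def example_trace():
    """Resource states of  fork exit; loop skip  as in the slides' final figure."""
    start = res(0, 0)                        # precondition obs(0), no credits
    after_vs = spawn_ob_cred(start)          # ({1}, 1) ⊨ obs(1) ∗ credit
    main, forked = fork_split(after_vs, 1)   # main ({0}, 1), forked exit thread ({1}, 0)
    return start, after_vs, main, forked
```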