Concurrent Featherweight VeriFast Formalization and Soundness Proof - - PowerPoint PPT Presentation



SLIDE 1

Concurrent Featherweight VeriFast Formalization and Soundness Proof

Bart Jacobs, May 4, 2015

Bart Jacobs Concurrent Featherweight VeriFast Formalization and Soundness

SLIDE 2

Contents

1 The Programming Language
2 Concrete Execution: Small Step Semantics; Mutator Semantics; Relationship
3 Semiconcrete Execution: Definition; Soundness


SLIDE 4

The Programming Language

z ∈ Z
x ∈ Vars
e ::= z | x | e + e | e − e
b ::= e = e | e < e | ¬b
c ::= x := e | (c; c) | if b then c else c | while b do c | r(e)
    | x := malloc(e) | x := [e] | [e] := e | free(e)
    | fork(c) | acquire(e) | release(e)
rdef ::= routine r(x) = c

SLIDE 5

Example Program

routine produce(b) =
  while 0 = 0 do (
    x := malloc(0);
    while ¬(x = 0) do (
      acquire(b);
      e := [b + 1];
      if e = 0 then ([b + 1] := x; x := 0) else x := x;
      release(b)
    )
  )

routine consume(b) =
  while 0 = 0 do (
    x := 0;
    while x = 0 do (
      acquire(b);
      x := [b + 1];
      [b + 1] := 0;
      release(b)
    );
    free(x)
  )

b := malloc(2); [b + 1] := 0; [b] := 0;
fork(produce(b));
consume(b)


SLIDE 8

Example Concrete Execution

// γ = (0, {[(0, pair := · · · ; fork(· · · ); [pair + 1] := 24; done)]})
pair := malloc(2);
// γ = ({[mb(33, 2), 33 → 1, 34 → −1]}, {[(0[pair := 33], fork(· · · ); [pair + 1] := 24; done)]})
fork([pair] := 42);
// γ = ({[mb(33, 2), 33 → 1, 34 → −1]}, {[(0[pair := 33], [pair + 1] := 24; done), (0[pair := 33], [pair] := 42; done)]})
[pair + 1] := 24
// γ = ({[mb(33, 2), 33 → 1, 34 → 24]}, {[(0[pair := 33], [pair] := 42; done)]})
[pair] := 42   // step of the forked thread
// γ = ({[mb(33, 2), 33 → 42, 34 → 24]}, 0)

SLIDE 9

Concrete Execution States (Small Step)

k ∈ CContinuations ::= done | c; k | ret(s, k)
p ∈ CPredicates = {→, mb}
CChunks = {p(ℓ, v) | p ∈ CPredicates, ℓ, v ∈ Z}
h ∈ CHeaps = CChunks → N
s ∈ CStores = Vars → Z
θ ∈ CThreads = CStores × CContinuations
T ∈ CThreadTables = CThreads → N
γ ∈ CConfigurations = CHeaps × CThreadTables

ℓ → v is alternative syntax for →(ℓ, v)

SLIDE 10

Step Rules (Small Step)

s, h | x := e; k  →t  s[x := s(e)], h | k

s, h | (c; c′); k  →t  s, h | c; (c′; k)

routine r(x) = c
──────────────────────────────────────────────
s, h | r(e); k  →t  0[x := s(e)], h | c; ret(s, k)

s, h | ret(s′, k)  →t  s′, h | k

SLIDE 11

Step Rules (Small Step)

s(b) = true
──────────────────────────────────────────
s, h | if b then c else c′; k  →t  s, h | c; k

s(b) = false
──────────────────────────────────────────
s, h | if b then c else c′; k  →t  s, h | c′; k

s(b) = true
──────────────────────────────────────────────────
s, h | while b do c; k  →t  s, h | c; (while b do c; k)

s(b) = false
──────────────────────────────────
s, h | while b do c; k  →t  s, h | k

SLIDE 12

Step Rules (Small Step)

s(e) = n   0 ≤ n   h′ = {[mb(ℓ, n), ℓ → v1, . . . , vn]}   dom(h) ∩ dom(h′) = ∅
────────────────────────────────────────────────────────────────────────
s, h | x := malloc(e); k  →t  s[x := ℓ], h ⊎ h′ | k

s(e) = ℓ   h′ = {[mb(ℓ, n), ℓ → v1, . . . , vn]}
──────────────────────────────────────────
s, h ⊎ h′ | free(e); k  →t  s, h | k

¬∃ℓ, n, v1, . . . , vn. s(e) = ℓ ∧ {[mb(ℓ, n), ℓ → v1, . . . , vn]} ≤ h
──────────────────────────────────────────────────────────────
s, h | free(e); k  →t  failure

SLIDE 13

Step Rules (Small Step)

s, h ⊎ {[s(e) → v]} | x := [e]; k  →t  s[x := v], h ⊎ {[s(e) → v]} | k

¬∃v. {[s(e) → v]} ≤ h
──────────────────────────────
s, h | x := [e]; k  →t  failure

s, h ⊎ {[s(e) → v]} | [e] := e′; k  →t  s, h ⊎ {[s(e) → s(e′)]} | k

¬∃v. {[s(e) → v]} ≤ h
──────────────────────────────
s, h | [e] := e′; k  →t  failure

SLIDE 14

Step Rules (Small Step)

s, h ⊎ {[s(e) → 0]} | acquire(e); k  →t  s, h ⊎ {[s(e) → 1]} | k

¬∃v. {[s(e) → v]} ≤ h
──────────────────────────────
s, h | acquire(e); k  →t  failure

s, h ⊎ {[s(e) → 1]} | release(e); k  →t  s, h ⊎ {[s(e) → 0]} | k

{[s(e) → 1]} ≰ h
──────────────────────────────
s, h | release(e); k  →t  failure

SLIDE 15

Step Rules (Small Step)

s, h | k  →t  s′, h′ | k′
──────────────────────────────────────────
(h, T ⊎ {[(s, k)]})  →  (h′, T ⊎ {[(s′, k′)]})

s, h | k  →t  failure
──────────────────────────
(h, T ⊎ {[(s, k)]})  →  failure

(h, T ⊎ {[(s, fork(c); k)]})  →  (h, T ⊎ {[(s, k), (s, c; done)]})

(h, T ⊎ {[(s, done)]})  →  (h, T)

SLIDE 16

Step Rules (Small Step): Data Races

s(e) = s′(e′)
────────────────────────────────────────────────────────────
(h, T ⊎ {[(s, x := [e]; k), (s′, [e′] := e′′; k′)]})  →  failure

s(e) = s′(e′)
────────────────────────────────────────────────────────────
(h, T ⊎ {[(s, [e] := e′′; k), (s′, [e′] := e′′′; k′)]})  →  failure
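The failure rules on slides 12 to 16 are the formal counterpart of the memory-safety and data-race bugs a verifier has to rule out. The Python model below is an added example, not code from the slides or from VeriFast: it runs those heap rules on a constructed heap; the address 33, the initial cell contents and the operation labels used by race() are assumptions of the example.

```python
# Added example, not from the slides: executable model of the heap rules on slides 12 to 16.
# A heap is a Counter (multiset) of chunks ('mb', l, n) = mb(l, n) and ('pt', l, v) = l -> v.
from collections import Counter

FAILURE = "failure"   # the failure configuration
EMPTY = Counter()     # the empty heap, written 0 on the slides

def cell(h, l):  # v with l -> v in h, or None when no such chunk exists
    return next((v for (p, a, v) in h if p == "pt" and a == l), None)

def malloc(h, n, l, vals):
    """x := malloc(e): add mb(l, n) plus n cells with arbitrary contents vals (l assumed fresh)."""
    return h + Counter({("mb", l, n): 1}) + Counter(("pt", l + i, vals[i]) for i in range(n))

def read(h, l):
    """x := [e]: the cell's value, or failure when no chunk l -> v is in h."""
    return FAILURE if cell(h, l) is None else cell(h, l)

def write(h, l, v):
    """[e] := e': swap l -> old for l -> v; failure when the cell is absent."""
    old = cell(h, l)
    return FAILURE if old is None else h - Counter({("pt", l, old): 1}) + Counter({("pt", l, v): 1})

def free(h, l):
    """free(e): consume mb(l, n) and all n cells; failure if any chunk is missing."""
    n = next((n for (p, a, n) in h if p == "mb" and a == l), None)
    if n is None:
        return FAILURE
    blk = Counter({("mb", l, n): 1}) + Counter(("pt", l + i, cell(h, l + i)) for i in range(n))
    return FAILURE if blk - h else h - blk

def acquire(h, l):
    """acquire(e): l -> 0 becomes l -> 1; l -> 1 blocks (None, no step); no chunk is failure."""
    v = cell(h, l)
    return FAILURE if v is None else (write(h, l, 1) if v == 0 else None)

def release(h, l):
    """release(e): l -> 1 becomes l -> 0; anything else is failure."""
    return write(h, l, 0) if cell(h, l) == 1 else FAILURE

def race(next_ops):
    """Slide 16: two ready threads hit the same address and at least one of them writes."""
    return any(l1 == l2 and "write" in (o1, o2)
               for i, (o1, l1) in enumerate(next_ops) for (o2, l2) in next_ops[i + 1:])

def slide8_run():
    """Replay slide 8 at constructed address 33: the main and forked writes are race free."""
    h = malloc(EMPTY, 2, 33, [1, -1])                 # pair := malloc(2)
    assert not race([("write", 34), ("write", 33)])  # [pair + 1] := 24 vs [pair] := 42
    return sorted(write(write(h, 34, 24), 33, 42))
```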

SLIDE 17

Small Step Semantics

γ →∗ γ

γ →∗ γ′   γ′ → γ′′
──────────────────
γ →∗ γ′′

Definition (Safe Program)
safe program_ss(c) ⇔ ¬((0, {[(0, c; done)]}) →∗ failure)


SLIDE 19

Behaviors

Single-threaded:
exec(c) ∈ CStates → Outcomes(CStates)

Multithreaded:
CFracHeaps = CChunks → Q+
{[p(v)]} = 0[p(v) := 1]
{[[π]p(v)]} = 0[p(v) := π] where π ∈ Q+
ℓ π→ v = [π]→(ℓ, v)
exec(c) ∈ CStores → Outcomes(Behaviors(CStores, CFracHeaps))
β ∈ Behaviors(L, S) ::= return(ℓ, f) | step(S)
  where ℓ ∈ L, f ∈ Outcomes(Behaviors(∅, S)), S ∈ S → Outcomes(S × Outcomes(Behaviors(L, S)))

SLIDE 20

Behaviors: Parallel Composition

OBs(L, S) = Outcomes(Behaviors(L, S))

· || · : OBs(L, S) → OBs(∅, S) → OBs(L, S)

o || o′ =
  o; λβ.
    return(ℓ, o′′ || o′)                           if β = return(ℓ, o′′)
    step(λh. S(h); λ(h′, o′′). (h′, o′′ || o′))    if β = step(S)
  ⊗
  o′; λstep(S). step(λh. S(h); λ(h′, o′′). (h′, o || o′′))

SLIDE 21

Behaviors: Sequential Composition

· · : OBs(L, S) → (L → OBs(L′, S)) → OBs(L′, S)

o B =
  o; λβ.
    B(ℓ) || o′                                   if β = return(ℓ, o′)
    step(λh. S(h); λ(h′, o′). (h′, o′ B))        if β = step(S)

SLIDE 22

Some Auxiliary Definitions

dom(h) = {p(ℓ) | ∃v. p(ℓ, v) ∈ h}
s, a = return((s, a), ⊤)
s = return(s, ⊤)
assume(b) = λs. bs = true. s
store = λs. s, s
store := s′ = λs. s′
with(s′, C) = s ← store store := s′ C, store := s
eval(e) = λs. s, es
x := v = λs. s[x := v]
C^0 = noop
C^(n+1) = C C^n
C^∗ = n ∈ N. C^n
cconsume(h′) = λs. step(λh. h′ ≤ h. h − h′, s)
cproduce(h′) = λs. step(λh. dom(h) ∩ dom(h′) = ∅. h ⊎ h′, s)

SLIDE 23

Concrete Execution of Commands

exec_0(c) = ⊤
exec_(n+1)(x := e) = v ← eval(e) x := v
exec_(n+1)(c; c′) = exec_n(c) exec_n(c′)
exec_(n+1)(if b then c else c′) = assume(b) exec_n(c) ⊗ assume(¬b) exec_n(c′)
exec_(n+1)(while b do c) = (assume(b) exec_n(c))∗ assume(¬b)
exec_(n+1)(r(e)) = v ← eval(e) with(0[x := v], exec_n(c)) where routine r(x) = c

SLIDE 24

Concrete Execution of Commands

exec_(n+1)(x := malloc(n)) = ℓ, v1, . . . , vn ∈ Z. cproduce(mb(ℓ, n), ℓ → v1, . . . , ℓ + n − 1 → vn) x := ℓ
exec_(n+1)(x := [e]) = ℓ ← eval(e) π, v. cconsume(ℓ π→ v) cproduce(ℓ π→ v) x := v
exec_(n+1)([e] := e′) = ℓ ← eval(e) v ← eval(e′) v0. cconsume(ℓ → v0) cproduce(ℓ → v)
exec_(n+1)(free(e)) = ℓ ← eval(e) N ∈ N, v1, . . . , vN ∈ Z. cconsume(mb(ℓ, N), ℓ → v1, . . . , ℓ + N − 1 → vN)

SLIDE 25

Concrete Execution

exec_(n+1)(fork(c)) = λs. return(s, exec_n(c)(s) ⊤)
exec_(n+1)(acquire(e)) = λs. step(λh. v, h′, h = h′ ⊎ {[s(e) → v]}. v = 0. h′ ⊎ {[s(e) → 1]}, s)
exec_(n+1)(release(e)) = λs. step(λh. h′, h = h′ ⊎ {[s(e) → 1]}. h′ ⊎ {[s(e) → 0]}, s)
exec(c) = n. exec_n(c)

SLIDE 26

Concrete Execution

run(o, h) =
  o; λβ.
    run(o′, h)                          if β = return(ℓ, o′)
    S(h); λ(h′, o′). run(o′, h′)        if β = step(S)

safe program_mut(c) ⇔ run(exec(c)(0), 0) {true}


SLIDE 28

Mutator Semantics Soundness

exec(done) = ⊤
exec(c; k) = exec(c) exec(k)
exec(ret(s, k)) = λ . exec(k)(s)
config ok((h, T)) ⇔ run(||_(s,k)∈T exec(k)(s), h) {true}

Theorem (Mutator Semantics Soundness)
safe program_mut(c) ⇒ config ok((0, {[(0, c; done)]}))
∀γ. config ok(γ) ⇒ ¬(γ → failure)
∀γ, γ′. config ok(γ) ∧ γ → γ′ ⇒ config ok(γ′)
safe program_mut(c) ⇒ safe program_ss(c)


SLIDE 30

Example Program

mutex invariant 1(b) = b + 1 → ?e ∗ if e = 0 then 0 = 0 else mb(e, 0)

routine produce(b) req [ ]mutex(b, 1) ens ¬(0 = 0)
routine consume(b) req [ ]mutex(b, 1) ens ¬(0 = 0)

b := malloc(2); [b + 1] := 0; [b] := 0;
create mutex(b, 1);
fork(produce(b));
consume(b)

SLIDE 31

Example Program

mutex invariant 1(b) = b + 1 → ?e ∗ if e = 0 then 0 = 0 else mb(e, 0)

routine produce(b) req [ ]mutex(b, 1) ens ¬(0 = 0)
routine consume(b) req [ ]mutex(b, 1) ens ¬(0 = 0)

b := malloc(2); [b + 1] := 0; [b] := 0;
// s = 0[b := 10], h = {[mb(10, 2), 10 → 0, 11 → 0]}
create mutex(b, 1);
// s = 0[b := 10], h = {[mb(10, 2), mutex(10, 1)]}
fork(produce(b));
// s = 0[b := 10], h = {[mb(10, 2), [1/2]mutex(10, 1)]}
consume(b)

SLIDE 32

Example Program

routine consume(b) req [ ]mutex(b, 1) ens ¬(0 = 0) =
  while 0 = 0 inv [ ]mutex(b, 1) do (
    x := 0;
    while x = 0 inv [ ]mutex(b, 1) ∗ if x = 0 then 0 = 0 else mb(x, 0) do (
      acquire(b);
      x := [b + 1];
      [b + 1] := 0;
      release(b)
    );
    free(x)
  )

SLIDE 33

Example Program

routine consume(b) req [ ]mutex(b, 1) ens ¬(0 = 0) =
  while 0 = 0 inv [ ]mutex(b, 1) do (
    x := 0;
    while x = 0 inv [ ]mutex(b, 1) ∗ if x = 0 then 0 = 0 else mb(x, 0) do (
      acquire(b);
      // s = 0[b := 10], h = {[mutex held(10, 1), 11 → 22, mb(22, 0)]}
      x := [b + 1];
      [b + 1] := 0;
      release(b)
    );
    free(x)
  )

SLIDE 34

Annotations

q ∈ UserDefinedPredicates
p ::= → | mb | q | mutex | mutex held
a ::= b | p(e, ?x) | [ ]p(e, ?x) | a ∗ a | if b then a else a
preddef ::= predicate q(x) = a
midef ::= mutex invariant z(x) = a
c ::= · · · | while b inv a do c | open q(e) | close q(e) | create mutex(e, z) | fork(r(e))
rspec ::= routine r(x) req a ens a

e → ?x is alternative syntax for →(e, ?x)

SLIDE 35

Semiconcrete execution

SCStores = Vars → Z
SCPredicates = {→, mb, mutex, mutex held} ∪ UserDefinedPredicates
SCChunks = {p(v) | p ∈ SCPredicates, v ∈ Z}
SCHeaps = SCChunks → Q+
SCStates = SCStores × SCHeaps
SCMutators = SCStates → Outcomes(SCStates)
scexec ∈ Commands → SCMutators
consume ∈ Assertions → SCMutators
produce ∈ Assertions → SCMutators

SLIDE 36

Producing and Consuming Assertions

produce(p(e, ?x)) = v ← eval(e); v′. produce(p(v, v′)); x := v′
produce([ ]p(e, ?x)) = v ← eval(e); π, v′. produce([π]p(v, v′)); x := v′
consume(p(e, ?x)) = v ← eval(e); v′. consume(p(v, v′)); x := v′
consume([ ]p(e, ?x)) = v ← eval(e); π, v′. consume([π]p(v, v′)); x := v′

SLIDE 37

Semiconcrete Execution of Commands

scexec(x := [e]) = ℓ ← eval(e); π, v. consume(ℓ π→ v); produce(ℓ π→ v); x := v
scexec(fork(r(e))) = v ← eval(e); with(0[x := v], c(a)) where routine r(x) req a ens a′
scexec(create mutex(e, z)) = ℓ ← eval(e); c(ℓ → 0); with(0[x := ℓ], c(a)); p(mutex(ℓ, z)) where mutex invariant z(x) = a
scexec(acquire(e)) = ℓ ← eval(e); π, z. c([π]mutex(ℓ, z)); p(mutex held(ℓ, z)); with(0[x := ℓ], p(a)) where mutex invariant z(x) = a
scexec(release(e)) = ℓ ← eval(e); z. c(mutex held(ℓ, z)); with(0[x := ℓ], c(a)); π. p([π]mutex(ℓ, z)) where mutex invariant z(x) = a

SLIDE 38

Semiconcrete Execution

sc-safe program(c) ⇔ ((0, 0) ⊲ scexec(c) {true} ∧ ∀r. valid(r))

SLIDE 39

Soundness

hc ∼ h ⇔ ∃L ∈ Z × Z × {0, 1} × [0, 1], hc0 ∈ CHeaps, hL ∈ Z → SCHeap, htot.
    (∀(ℓ, z, 0, 0) ∈ L. (0[x := ℓ], hL(ℓ)) ⊲ κ−1; c(a); leakcheck {true} where mutex invariant z(x) = a)
  ∧ (∀(ℓ, z, v, π) ∈ L. v = 0 ⇔ π = 0)
  ∧ htot = h ⊎ ⊎_(ℓ,z,0,0)∈L hL(ℓ)
  ∧ hc = hc0 ⊎ {[ℓ → v | (ℓ, z, v, π) ∈ L]}
  ∧ htot ≤ hc0 ⊎ {[[1 − π]mutex(ℓ, z) | (ℓ, z, v, π) ∈ L]} ⊎ {[mutex held(ℓ, z) | (ℓ, z, 1, π) ∈ L]}

SLIDE 40

Soundness

runsc(o, h) =
  o; λβ.
    if β = return(s, o′):  h1, h2, h = h1 ⊎ h2. (s, h1) ⊗ runsc(o′, h2)
    if β = step(S):        hc, henv, hc ∼⊳ h ⊎ henv. S(hc); λ(h′c, o′). h′, h′c ∼⊳ h′ ⊎ henv. runsc(o′, h′)

Theorem (Soundness)
If ∀r. valid(r) then scexec(c) ⇛ λ(s, h). runsc(exec(c)(s), h)
runsc(C, 0) {true} ⇒ run(C, 0) {true}
sc-safe program(c) ⇒ safe program_ss(c)