modern concurrent separation logics
play

Modern Concurrent Separation Logics Philippa Gardner Thomas Pedro - PowerPoint PPT Presentation

Jan 20, 2023 •141 likes •530 views

Modern Concurrent Separation Logics Philippa Gardner Thomas Pedro da Rocha Pinto Dinsdale-Young Resource Reasoning 2016 1 / 37 Counter Module function read ( x ) { function incr ( x ) { function wkincr ( x ) { do { r := [ x ]; r := [ x ];

  1. Modern Concurrent Separation Logics Philippa Gardner Thomas Pedro da Rocha Pinto Dinsdale-Young Resource Reasoning 2016 1 / 37

  2. Counter Module function read ( x ) { function incr ( x ) { function wkincr ( x ) { do { r := [ x ]; r := [ x ]; return r ; r := [ x ]; [ x ] := r + 1; } b := CAS ( x , r , r + 1); } } while ( b = 0); return r ; } 2 / 37

  3. Ticket Lock Client function lock ( x ) { function unlock ( x ) { t := incr ( x . next ); wkincr ( x . owner ); do { } v := read ( x . owner ) } while ( v � = t ); } 3 / 37

  4. Sequential Specification Abstract predicate C ( x , n ) describes a counter with value n ∈ N at address x . { C ( x , n ) } read ( x ) { C ( x , n ) ∧ ret = n } { C ( x , n ) } incr ( x ) { C ( x , n + 1) ∧ ret = n } { C ( x , n ) } wkincr ( x ) { C ( x , n + 1) } Pros: The specification captures sequential behaviour. Cons: The specification does not support concurrency. 4 / 37

  5. Specification of Concurrent Modules Modular specifications of concurrent modules require: ◮ auxiliary state: Owicki, Gries ◮ interference abstraction: Jones ◮ resource ownership: O’Hearn ◮ atomicity: Herlithy Peter Maurice Herlihy O’Hearn Cliff Jones Susan Owicki David Gries 5 / 37

  6. Specification of Concurrent Modules Modular specifications of concurrent modules require: ◮ auxiliary state ◮ interference abstraction ◮ resource ownership ◮ atomicity 6 / 37

  7. Auxiliary State: Owicki-Gries Parallel Rule { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } non-interference { P 1 ∧ P 2 } C 1 � C 2 { Q 1 ∧ Q 2 } 7 / 37

  8. Auxiliary State: Owicki-Gries Concurrent Specification using Invariants {∃ n. C ( x , n ) } read ( x ) {∃ n, m. C ( x , n ) ∧ ret = m } {∃ n. C ( x , n ) } incr ( x ) {∃ n, m. C ( x , n ) ∧ ret = m } {∃ n. C ( x , n ) } wkincr ( x ) {∃ n. C ( x , n ) } Pros: The specification captures concurrent behaviour. Cons: Using invariants leads to very weak specifications. No information about the actual value of the counter. 8 / 37

  9. Auxiliary State: Owicki-Gries Stronger specifications require auxiliary state: � � C ( x , 0) y := 0; z := 0; � � C ( x , 0) ∧ y = 0 ∧ z = 0 � � � � C ( x , y + z ) ∧ y = 0 C ( x , y + z ) ∧ z = 0 do { do { r ′ := [ x ]; r := [ x ]; � b ′ := CAS ( x , r ′ , r ′ + 1); � b := CAS ( x , r , r + 1); if ( b ) y++ ; � if ( b ′ ) z++ ; � } while ( b ′ = 0); } while ( b = 0); � � � � C ( x , y + z ) ∧ y = 1 C ( x , y + z ) ∧ z = 1 � � C ( x , 2) ∧ y = 1 ∧ z = 1 � � C ( x , 2) 9 / 37

  10. Auxiliary State: Owicki-Gries Pros: The specification is strong. Cons: The proof method, introducing auxiliary code, is not modular. 10 / 37

  11. Auxiliary State: Owicki-Gries Auxiliary state, introduced in the Owicki-Gries method, is important for specifying concurrent modules. 11 / 37

  12. Specification of Concurrent Modules Modular specifications of concurrent modules require: ◮ auxiliary state ◮ interference abstraction ◮ resource ownership ◮ atomicity 12 / 37

  13. Interference Abstraction: Rely/guarantee Parallel Rule The R s and G s are called rely and guarantee relations respectively. � � � � � � � � R ∪ G 2 , G 1 ⊢ R ∪ G 1 , G 2 ⊢ P 1 C 1 Q 1 P 2 C 2 Q 2 � � � � R, G 1 ∪ G 2 ⊢ P 1 ∧ P 2 C 1 � C 2 Q 1 ∧ Q 2 13 / 37

  14. Interference Abstraction: Rely/guarantee Specification: read ( x ) and incr ( x ) A, ∅ ⊢ {∃ n. C ( x , n ) } read ( x ) {∃ n. C ( x , n ) ∧ ret ≤ n } A, A ⊢ {∃ n. C ( x , n ) } incr ( x ) {∃ n. C ( x , n ) ∧ ret ≤ n } where A = { C ( x , n ) � C ( x , n + 1) | n ∈ N } . Pros: The behaviour that the environment might do is specified. Cons: This specification does not restrict the increment operation to perform a single increment. 14 / 37

  15. Ticket Lock Client function lock ( x ) { function unlock ( x ) { t := incr ( x . next ); wkincr ( x . owner ); do { } v := read ( x . owner ) } while ( v � = t ); } 15 / 37

  16. Interference Abstraction: Rely/guarantee Specification: wkincr ( x ) ∃ n ′ ≥ n + 1 . C ( x , n ′ ) R, G ⊢ � � � � C ( x , n ) wkincr ( x ) where R = { C ( x , m ) � C ( x , m + 1) | m > n } and G is as before. Pros: This specification allows weak increments to occur concurrently. Cons: This specification is too weak to reason about the ticket lock. 16 / 37

  17. Interference Abstraction: Rely/guarantee Interference abstraction, introduced in the rely/guarantee method, is important for specifying concurrent modules. 17 / 37

  18. Specification of Concurrent Modules Modular specifications of concurrent modules require: ◮ auxiliary state ◮ interference abstraction ◮ resource ownership ◮ atomicity 18 / 37

  19. Resource Ownership: Concurrent Separation Logics Parallel Rule The disjoint concurrency rule from concurrent separation logic: { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } { P 1 ∗ P 2 } C 1 � C 2 { Q 1 ∗ Q 2 } Ownership embodies specialised notions of auxiliary state and interference abstraction. If a thread owns a resource, then the environment cannot manipulate it. 19 / 37

  20. Resource Ownership: Concurrent Separation Logics Fractional Permissions C ( x , n 1 + n 2 , π 1 + π 2 ) ⇐ ⇒ C ( x , n 1 , π 1 ) ∗ C ( x , n 2 , π 2 ) for n 1 , n 2 ∈ N and π 1 , π 2 ∈ (0 , 1] and π 1 + π 2 ≤ 1 . The abstract predicate C ( x , n, π 1 ) now means that this resource contributes value n to the counter at x with permission π 1 . 20 / 37

  21. Resource Ownership: Concurrent Separation Logics Specification using Fractional Permissions { C ( x , n, π ) } read ( x ) { C ( x , n, π ) ∧ ret ≥ n } { C ( x , n, 1) } read ( x ) { C ( x , n, 1) ∧ ret = n } { C ( x , n, π ) } incr ( x ) { C ( x , n + 1 , π ) ∧ ret ≥ n } { C ( x , n, 1) } wkincr ( x ) { C ( x , n + 1 , 1) } Pros: This specification allows concurrent reads and increments. Cons: The specification enforces sequential weak increments. The return values are no longer guaranteed to be the actual value of the counter. 21 / 37

  22. Resource Ownership: Concurrent Separation Logics � � C ( x , 0 , 1) � � C ( x , 0 , 0 . 5) ∗ C ( x , 0 , 0 . 5) � � � � C ( x , 0 , 0 . 5) C ( x , 0 , 0 . 5) incr ( x ) incr ( x ) � � � � C ( x , 1 , 0 . 5) C ( x , 1 , 0 . 5) � � C ( x , 1 , 0 . 5) ∗ C ( x , 1 , 0 . 5) � � C ( x , 2 , 1) 22 / 37

  23. Resource Ownership: Concurrent Separation Logics Resource ownership, developed by concurrent separation logic and its successors, is important for specifying concurrent modules. 23 / 37

  24. Specification of Concurrent Modules Modular specifications of concurrent modules require: ◮ auxiliary state ◮ interference abstraction ◮ resource ownership ◮ atomicity 24 / 37

  25. Atomicity Atomicity provides a way to abstract interference. It gives the abstraction that an operation takes effect at a single, discrete instant in time. 25 / 37

  26. Atomicity: Linearisability Sequential Specification for read ( x ) and incr ( x ) { C ( x , n ) } read ( x ) { C ( x , n ) ∧ ret = n } { C ( x , n ) } incr ( x ) { C ( x , n + 1) ∧ ret = n } Pros: Strong concurrent reasoning about read ( x ) and incr ( x ) . Cons: Linearisability does not allow us to control the interference like rely-guarantee. 26 / 37

  27. Atomicity: Linearisability Sequential Specification with wkincr ( x ) not possible { C ( x , n ) } read ( x ) { C ( x , n ) ∧ ret = n } { C ( x , n ) } incr ( x ) { C ( x , n + 1) ∧ ret = n } { C ( x , n ) } wkincr ( x ) { C ( x , n + 1) } Cons: The wkincr is not atomic when other increments occur. 27 / 37

  28. Atomicity: Linearisability Atomicity, put forward by linearisability, is important for specifying concurrent modules. 28 / 37

  29. Synthesis Now we combine auxiliary state, interference abstraction, resource reasoning and atomicity to provide expressive specifications for concurrent modules. 29 / 37

  30. Synthesis ◮ higher-order: Birkedal, Dreyer, Jacobs, Turon ◮ history-based: Nanevski, Sergey ◮ first-order: da Rocha Pinto, Dinsdale-Young, Gardner Ilya Sergey Aaron Turon Bart Jacobs Aleks Nanevski Derek Dreyer Lars Birkedal 30 / 37

  31. Synthesis: First-order Approach A simple atomic triple has the form A x ∈ X. � P ( x ) � C � Q ( x ) � 31 / 37

  32. Synthesis: First-order Approach Specification using Atomic Triples n. � C ( s, x , n ) � read ( x ) � C ( s, x , n ) ∧ ret = n � A n. � C ( s, x , n ) � incr ( x ) � C ( s, x , n + 1) ∧ ret = n � A � C ( s, x , n ) � wkincr ( x ) � C ( s, x , n + 1) � Pros: Atomic triples specify operations with respect to an abstraction; each operation can be verified independently. The specification is strong. It allows concurrent reads and concurrent increments, and concurrent reads and one weak increment. 32 / 37

  33. Verfication of Implementations and Clients Verification of the counter implementation. Specification and verification of the ticket-lock client. Pros: A specification of ticket lock whose implementation is based on the atomic counter commands. Cons: The specification of ticket lock is not atomic. It requires helping (on-going). 33 / 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program logics Goal: Understand concurrent programs. Tool: Concurrent program logics: C oncurrent S eparation L ogic OG, RG, RGSep, LRG, DG, CAP, CaReSL.

345 views • 16 slides
On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18 Warsaw, October 2018 The blossom of separation logics Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data

642 views • 48 slides
On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) & R. Fervari (FAMAF,

On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) & R. Fervari (FAMAF,

On the Complexity of Modal Separation Logics S. Demri (CNRS, LSV) & R. Fervari (FAMAF, CONICET) AiML, August 2018, Bern Overview Separation logics in a nutshell Introduction to modal separation logics Optimal decision procedures

1.18k views • 27 slides
Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33 Introduction Goal Program logics for

1.02k views • 63 slides
Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa, Aquinas Hobor and John Wickerson IRIS Day OScience, Coronavirus Lockdown Edition Tuesday 7th April, 2020 1/ 13 Concurrent separation logic (

164 views • 13 slides
Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the paper about? Soundness proof for CSL Simple Extensible Permissions RGSep Storable locks [Buisse, Birkedal, Stvring, MFPS 2011] Concurrent

270 views • 14 slides
Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Action-based temporal logics Introduction Modal logics Branching-time logics Regular logics Fixed point logics VTSA'08

1.7k views • 148 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
A case for relaxed program logics Separation logic as a tool for

A case for relaxed program logics Separation logic as a tool for

A case for relaxed program logics Separation logic as a tool for understanding and debugging the C/C++ concurrency model Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

304 views • 13 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI & Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Separation Logics for Pointer Programs James Brotherston Lorentz Center Workshop on Effective

Separation Logics for Pointer Programs James Brotherston Lorentz Center Workshop on Effective

Separation Logics for Pointer Programs James Brotherston Lorentz Center Workshop on Effective Verification of Pointer Programs Monday 13th May, 2019 1/ 28 Part I Introduction to separation logic 2/ 28 Introduction Verification of imperative

758 views • 28 slides
Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of Technology, The Netherlands January 20, 2020 @ ADSL, New Orleans, USA 1 This is joint work with Dan Frumin (Radboud University) and Lars Birkedal (Aarhus

1.78k views • 126 slides
Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft University of Technology, The Netherlands January 15, 2017 @ TTT, Paris, France 1 Iris is joint work with: Ralf Jung, Jacques-Hendri Jourdan, Ale s

1.49k views • 124 slides
Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2 Lars Birkedal 3 1 Delft University of Technology, The Netherlands 2 imec-Distrinet, KU Leuven, Belgium 3 Aarhus University, Denmark January 18, 2017 @

953 views • 71 slides
Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands June 12, 2017 @ MFPS, Ljubljana, Slovenia 1 Iris is joint work with: Ralf Jung, Jacques-Henri

1.16k views • 87 slides
Formal Specification and Verification of Voting Software Bernhard Beckert | ComSoC, 14.04.13 K

Formal Specification and Verification of Voting Software Bernhard Beckert | ComSoC, 14.04.13 K

Formal Specification and Verification of Voting Software Bernhard Beckert | ComSoC, 14.04.13 K ARLSRUHE I NSTITUTE OF T ECHNOLOGY | D EPARTMENT OF C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National

791 views • 67 slides
Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1

Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1

Computer certified efficient exact reals in Coq Robbert Krebbers Joint work with Bas Spitters 1 Radboud University Nijmegen August 26, 2011 @ The Coq Workshop Berg en Dal, The Netherlands 1 The research leading to these results has received

681 views • 23 slides
CS 2334: Lab 6 Abstract Classes & Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class

CS 2334: Lab 6 Abstract Classes & Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class

CS 2334: Lab 6 Abstract Classes & Interfaces Andrew H. Fagg: CS2334: Lab 6 1 Abstract Class Few important points to remember about abstract classes: An abstract class is a class that is declared abstract It can, but does not

382 views • 11 slides
Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic

Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic

Towards the Formal Specification and Verification of Maple Programs Muhammad Taimoor Khan and Wolfgang Schreiner Doktoratskolleg and Research Institute for Symbolic Computation Austria July 13, 2012 Towards the Formal Specification and

204 views • 16 slides
The Test Case Reasoning Assistant Dana P. Leonard, Jason O. Hallstrom, Murali Sitaraman School of

The Test Case Reasoning Assistant Dana P. Leonard, Jason O. Hallstrom, Murali Sitaraman School of

The Test Case Reasoning Assistant Dana P. Leonard, Jason O. Hallstrom, Murali Sitaraman School of Computing Clemson University This work is supported in part through grants from the National Science Foundation (DUE-0633506, CNS-0745846,

326 views • 14 slides
Connectors in Complex Systems Sun Meng LMAM & Department of Information Science, School of

Connectors in Complex Systems Sun Meng LMAM & Department of Information Science, School of

Modeling and Verification of Connectors in Complex Systems Sun Meng LMAM & Department of Information Science, School of Mathematical Sciences Peking University http://www.math.pku.edu.cn/teachers/sunm Thanks to: B. K. Aichernig (TUG), F.

905 views • 52 slides
Testing QEMU emulated devices using qtest Marc Mar Barcel <marc.mari.barcelo@gmail.com>

Testing QEMU emulated devices using qtest Marc Mar Barcel <marc.mari.barcelo@gmail.com>

Testing QEMU emulated devices using qtest Marc Mar Barcel <marc.mari.barcelo@gmail.com> KVM Forum 2014 Marc Mar Testing QEMU emulated devices using qtest 2 Who am I? Computer Science student Worked on QEMU in GSoC project

597 views • 44 slides
Application to Post-Placement Multi-Bit Flip-Flop Merging Chang Xu 1 , Peixin Li 1 , Guojie Luo 1

Application to Post-Placement Multi-Bit Flip-Flop Merging Chang Xu 1 , Peixin Li 1 , Guojie Luo 1

Analytical Clustering Score with Application to Post-Placement Multi-Bit Flip-Flop Merging Chang Xu 1 , Peixin Li 1 , Guojie Luo 1 , Yiyu Shi 2 , and Iris Hui-Ru Jiang 3 {changxu, gluo} @ pku.edu.cn 1 Outline Background Multi-bit

428 views • 30 slides

More recommend