Modular Termination Verification for Non-blocking Concurrency (PowerPoint PPT presentation, slide transcript)


SLIDE 1

Modular Termination Verification for Non-blocking Concurrency

Julian Sutherland

Joint work with: Pedro da Rocha Pinto, Thomas Dinsdale-Young, Philippa Gardner

July, 2015

1 / 15

SLIDE 2

Module Abstractions

Given the following modules: Counter, Stack, Queue.

◮ What is the right specification?
  ◮ Sufficiently strong for clients to be able to use it constructively.
  ◮ Sufficiently weak for any “reasonable” implementations of the module to satisfy it.
◮ How much can we abstract?
◮ Can we prove termination?

2 / 15

SLIDE 3

Example of a Client of a Counter Module

    x := makeCounter();
    n := random();
    i := 0;
    while (i < n) {
      incr(x);
      i := i + 1;
    }
    m := random();
    j := 0;
    while (j < m) {
      incr(x);
      j := j + 1;
    }

3 / 15

SLIDE 4

Counter Module Operations: Partial Correctness

$\{\mathsf{emp}\}\ \mathsf{makeCounter}()\ \{C(\mathsf{ret}, 0)\}$

$\mathbb{A} n \in \mathbb{N}.\ \langle C(x, n) \rangle\ \mathsf{read}(x)\ \langle C(x, n) \wedge \mathsf{ret} = n \rangle$

$\mathbb{A} n \in \mathbb{N}.\ \langle C(x, n) \rangle\ \mathsf{incr}(x)\ \langle C(x, n + 1) \rangle$

4 / 15

SLIDE 5

Spin Counter: Increment

$\vdash \mathbb{A} n \in \mathbb{N}.\ \langle C(x, n) \rangle\ \mathsf{incr}(x)\ \langle C(x, n + 1) \rangle$

    function incr(x) {
      b := 0;
      while (b = 0) {
        v := [x];
        b := CAS(x, v, v + 1);
      }
    }

5 / 15
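The incr above loops until its CAS succeeds, so whether it terminates depends on how often other threads change x between the read and the CAS. The Python model below is an added example, not code from the talk or from Total-TaDA: it runs the slide's incr against a worst-case environment whose interference is capped by a finite budget (a stand-in for the ordinal α that the total-correctness specification on the following slides attaches to the counter) and shows that the loop then needs exactly budget + 1 iterations, while an unrestricted environment can keep it from ever finishing. Cell, Environment, Livelock, run and terminates are this example's own names.

```python
"""Model of the slide's spin counter under a bounded or unbounded interfering environment."""

from dataclasses import dataclass


@dataclass
class Cell:
    """A heap cell x: [x] reads it, CAS(x, old, new) updates it atomically."""
    value: int = 0

    def read(self) -> int:
        return self.value

    def cas(self, old: int, new: int) -> int:
        # Returns 1 on success and 0 on failure, matching the slide's test `b = 0`.
        if self.value == old:
            self.value = new
            return 1
        return 0


class Environment:
    """Other threads calling incr on the same counter (constructed adversary).

    `budget` models the ordinal bound alpha of the total-correctness spec as a
    plain natural number: every environment increment that lands between our
    read and our CAS consumes one unit. `None` models an unrestricted environment.
    """

    def __init__(self, budget):
        self.budget = budget
        self.interferences = 0

    def interfere(self, x: Cell) -> None:
        if self.budget is None or self.budget > 0:
            x.value += 1  # an environment incr that completed atomically
            self.interferences += 1
            if self.budget is not None:
                self.budget -= 1


class Livelock(Exception):
    """Raised when the modelled loop exceeds its iteration cap without progress."""


def incr(x: Cell, env: Environment, max_iter: int = 10_000) -> int:
    """incr(x) from the slide; returns the number of loop iterations it took.

    The environment is scheduled at the worst point, after the read and before
    the CAS, every time it still has budget left.
    """
    b, iterations = 0, 0
    while b == 0:
        iterations += 1
        if iterations > max_iter:
            raise Livelock(f"no progress after {max_iter} iterations")
        v = x.read()            # v := [x]
        env.interfere(x)        # worst-case interleaving point
        b = x.cas(v, v + 1)     # b := CAS(x, v, v + 1)
    return iterations


def run(budget, max_iter: int = 10_000):
    """Runs one incr on a fresh counter.

    Returns (final counter value, environment increments, loop iterations).
    With budget k the loop fails k times and succeeds on iteration k + 1.
    """
    x = Cell()
    env = Environment(budget)
    iterations = incr(x, env, max_iter)
    return x.value, env.interferences, iterations


def terminates(budget, max_iter: int = 10_000) -> bool:
    """True if incr finishes within max_iter iterations against this environment."""
    try:
        run(budget, max_iter)
        return True
    except Livelock:
        return False


if __name__ == "__main__":
    print("budget 3:", run(3))                       # (4, 3, 4)
    print("unbounded:", terminates(None, max_iter=50))  # False
```

The finite budget is exactly the role the ordinal plays in the specification on the next slides: the implementation is only proved to terminate under a client or environment that can perform finitely many more increments, and the unrestricted case is where the loop never makes progress.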

SLIDE 6

Counter Module Operations: Total Correctness

$\forall\alpha.\ \vdash_\tau \{\mathsf{emp}\}\ \mathsf{makeCounter}()\ \{C(\mathsf{ret}, 0, \alpha)\}$

$\vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \rangle\ \mathsf{read}(x)\ \langle C(x, n, \alpha) \wedge \mathsf{ret} = n \rangle$

$\forall\beta.\ \vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \wedge \alpha > \beta(\alpha) \rangle\ \mathsf{incr}(x)\ \langle C(x, n + 1, \beta(\alpha)) \rangle$

6 / 15

SLIDE 7

Counter Module Operations: Total Correctness

$\forall\alpha.\ \vdash_\tau \{\mathsf{emp}\}\ \mathsf{makeCounter}()\ \{C(\mathsf{ret}, 0, \alpha)\}$

$\vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \rangle\ \mathsf{read}(x)\ \langle C(x, n, \alpha) \wedge \mathsf{ret} = n \rangle$

$\forall\beta.\ \vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \wedge \alpha > \beta(\alpha) \rangle\ \mathsf{incr}(x)\ \langle C(x, n + 1, \beta(\alpha)) \rangle$

$\forall\alpha > \beta.\ C(x, n, \alpha) \Rightarrow C(x, n, \beta)$

6 / 15

SLIDE 9

Counter Module Operations: Total Correctness

$\forall\alpha.\ \vdash_\tau \{\mathsf{emp}\}\ \mathsf{makeCounter}()\ \{C(\mathsf{ret}, 0, \alpha)\}$

$\vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \rangle\ \mathsf{read}(x)\ \langle C(x, n, \alpha) \wedge \mathsf{ret} = n \rangle$

$\forall\beta.\ \vdash_\tau \mathbb{A} n \in \mathbb{N}, \alpha.\ \langle C(x, n, \alpha) \wedge \alpha > \beta(\alpha) \rangle\ \mathsf{incr}(x)\ \langle C(x, n + 1, \beta(\alpha)) \rangle$

$\forall\alpha > \beta.\ C(x, n, \alpha) \Rightarrow C(x, n, \beta)$

Non-impedance relationship in the counter module (diagram on the slide): incr, read

6 / 15

SLIDE 10

Total Correctness for Loops

$$
\dfrac{\forall\gamma \le \alpha.\ \vdash_\tau \{p(\gamma) \wedge B\}\ C\ \{\exists\beta.\ p(\beta) \wedge \beta < \gamma\}}
      {\vdash_\tau \{p(\alpha)\}\ \mathsf{while}\ (B)\ C\ \{\exists\beta.\ p(\beta) \wedge \neg B \wedge \beta \le \alpha\}}
$$

7 / 15

SLIDE 11

Example of a Client of a Counter Module

    x := makeCounter();
    n := random();
    i := 0;
    while (i < n) {
      incr(x);
      i := i + 1;
    }
    m := random();
    j := 0;
    while (j < m) {
      incr(x);
      j := j + 1;
    }

8 / 15

SLIDE 12

Example of a Client of a Counter Module

$\{\mathsf{emp}\}$
    x := makeCounter();
    n := random();
    i := 0;
    while (i < n) {
      incr(x);
      i := i + 1;
    }
    m := random();
    j := 0;
    while (j < m) {
      incr(x);
      j := j + 1;
    }
$\{C(x, n + m, 0)\}$

8 / 15

SLIDE 13

Building abstraction

$I(\mathsf{CClient}_r(x, n)) \triangleq \exists\alpha.\ C(x, n, \alpha) * [\mathsf{Total}(n, \alpha)]_r$

$I(\mathsf{CClient}_r(x, \circ)) \triangleq \mathsf{True}$

9 / 15

SLIDE 14

Building abstraction

$I(\mathsf{CClient}_r(x, n)) \triangleq \exists\alpha.\ C(x, n, \alpha) * [\mathsf{Total}(n, \alpha)]_r$

$I(\mathsf{CClient}_r(x, \circ)) \triangleq \mathsf{True}$

$\mathsf{Inc}(x, n + m, \alpha \oplus \beta, \pi_1 + \pi_2) = \mathsf{Inc}(x, n, \alpha, \pi_1) \bullet \mathsf{Inc}(x, m, \beta, \pi_2)$

$\mathsf{Total}(n, \alpha) \bullet \mathsf{Inc}(m, \beta, 1)\ \text{defined} \Rightarrow n = m \wedge \alpha = \beta$

9 / 15

SLIDE 15

Building abstraction

$I(\mathsf{CClient}_r(x, n)) \triangleq \exists\alpha.\ C(x, n, \alpha) * [\mathsf{Total}(n, \alpha)]_r$

$I(\mathsf{CClient}_r(x, \circ)) \triangleq \mathsf{True}$

$\mathsf{Inc}(x, n + m, \alpha \oplus \beta, \pi_1 + \pi_2) = \mathsf{Inc}(x, n, \alpha, \pi_1) \bullet \mathsf{Inc}(x, m, \beta, \pi_2)$

$\mathsf{Total}(n, \alpha) \bullet \mathsf{Inc}(m, \beta, 1)\ \text{defined} \Rightarrow n = m \wedge \alpha = \beta$

$\mathsf{Inc}(m, \gamma, \pi) : n \rightsquigarrow n + 1$

$\mathsf{Inc}(m, \gamma, 1) : n \rightsquigarrow \circ$

9 / 15


SLIDE 17

Proving the Client

$\{\mathsf{emp}\}$
    x := makeCounter();
$\{C(x, 0, \omega \oplus \omega)\}$
    ...

10 / 15

SLIDE 18

Proving the Client

$\{\mathsf{emp}\}$
    x := makeCounter();
$\{C(x, 0, \omega \oplus \omega)\}$
$\{\mathsf{CClient}(x, 0) * [\mathsf{Inc}(0, \omega \oplus \omega, 1)]\}$
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    ...

10 / 15

SLIDE 19

Proving the client

$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    n := random();
    i := 0;
    while (i < n) {
      incr(x);
      i := i + 1;
    }
    ...

11 / 15

SLIDE 20

Proving the client

$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    n := random();
    i := 0;
    while (i < n) {
      incr(x);
      i := i + 1;
    }
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...

11 / 15

SLIDE 21

Proving the client

$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    n := random();
    i := 0;
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, n, \tfrac{1}{2})] \wedge 0 \le v \wedge i = 0\}$
    while (i < n) {
      incr(x);
      i := i + 1;
    }
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...

11 / 15

SLIDE 22

Proving the client

$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    n := random();
    i := 0;
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, n, \tfrac{1}{2})] \wedge 0 \le v \wedge i = 0\}$
    while (i < n) {
$\forall\beta.\ \{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, \beta, \tfrac{1}{2})] \wedge i \le v \wedge i \le n \wedge \beta = n - i\}$
      incr(x);
      i := i + 1;
    }
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...

11 / 15

SLIDE 23

Proving the client

$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    n := random();
    i := 0;
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, n, \tfrac{1}{2})] \wedge 0 \le v \wedge i = 0\}$
    while (i < n) {
$\forall\beta.\ \{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, \beta, \tfrac{1}{2})] \wedge i \le v \wedge i \le n \wedge \beta = n - i\}$
      incr(x);
      i := i + 1;
$\{\exists\delta, v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(i, \delta, \tfrac{1}{2})] \wedge i \le v \wedge i \le n \wedge \delta = n - i \wedge \delta < \beta\}$
    }
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...

11 / 15

SLIDE 24

Proving the client

$\{\mathsf{emp}\}$
    x := makeCounter();
$\{C(x, 0, \omega \oplus \omega)\}$
$\{\mathsf{CClient}(x, 0) * [\mathsf{Inc}(0, \omega \oplus \omega, 1)]\}$
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    ...
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...

12 / 15

SLIDE 25

Proving the client

$\{\mathsf{emp}\}$
    x := makeCounter();
$\{C(x, 0, \omega \oplus \omega)\}$
$\{\mathsf{CClient}(x, 0) * [\mathsf{Inc}(0, \omega \oplus \omega, 1)]\}$
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(0, \omega, \tfrac{1}{2})] \wedge 0 \le v\}$
    ...
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})]\}$
    ...
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n, 0, \tfrac{1}{2})] * [\mathsf{Inc}(m, 0, \tfrac{1}{2})]\}$
$\{\exists v.\ \mathsf{CClient}(x, v) * [\mathsf{Inc}(n + m, 0, 1)]\}$
$\{C(x, n + m, 0)\}$

12 / 15

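To make the loop rule of slide 10 and the ordinal bookkeeping of the proof outline above concrete, the Python model below is an added example, not code from the talk or from Total-TaDA. It represents ordinals below ω·ω with their natural sum ⊕, enforces the ordinal side conditions of makeCounter, incr and the weakening rule in a TotalCounter class, and runs the two-loop client with the proof's choices: start from ω ⊕ ω, split it into two halves, refine a half to the finite bound once n (respectively m) is known, and decrease it by one per incr. The recorded ordinals strictly decrease, which is the well-foundedness argument behind termination, and a counter whose ordinal has reached 0 rejects any further incr. Ordinal, TotalCounter, SpecViolation, client and the helper names are this example's own.

```python
"""Ordinal bookkeeping for the two-loop client: the decreasing measure the loop rule demands."""

from dataclasses import dataclass
from functools import total_ordering


@total_ordering
@dataclass(frozen=True)
class Ordinal:
    """Ordinals below omega*omega, written omega*k + f (all the client needs).

    The natural (Hessenberg) sum (+) adds omega-coefficients and finite parts
    independently; the order is lexicographic on (k, f).
    """
    k: int  # coefficient of omega
    f: int  # finite part

    def __add__(self, other: "Ordinal") -> "Ordinal":
        return Ordinal(self.k + other.k, self.f + other.f)

    def __lt__(self, other: "Ordinal") -> bool:
        return (self.k, self.f) < (other.k, other.f)


ZERO = Ordinal(0, 0)
OMEGA = Ordinal(1, 0)


def fin(n: int) -> Ordinal:
    """The finite ordinal n."""
    return Ordinal(0, n)


class SpecViolation(Exception):
    """An operation was attempted whose ordinal precondition does not hold."""


class TotalCounter:
    """C(x, n, alpha): the value n plus the ordinal alpha bounding future increments.

    Only the ordinal side conditions of the specification are modelled here.
    """

    def __init__(self, alpha: Ordinal):
        self.n, self.alpha = 0, alpha  # {emp} makeCounter() {C(ret, 0, alpha)}

    def read(self) -> int:
        return self.n  # C(x, n, alpha) is left unchanged

    def weaken(self, beta: Ordinal) -> None:
        # forall alpha > beta. C(x, n, alpha) => C(x, n, beta)
        if not beta < self.alpha:
            raise SpecViolation(f"cannot weaken {self.alpha} to {beta}")
        self.alpha = beta

    def incr(self, beta: Ordinal) -> None:
        # <C(x, n, alpha) and alpha > beta(alpha)> incr(x) <C(x, n + 1, beta(alpha))>
        if not beta < self.alpha:
            raise SpecViolation(f"incr needs an ordinal below {self.alpha}, got {beta}")
        self.n += 1
        self.alpha = beta


def client(n: int, m: int):
    """The client with the proof outline's ordinal choices made explicit.

    Returns (final value, final ordinal, ordinals the counter passed through).
    """
    x = TotalCounter(OMEGA + OMEGA)   # C(x, 0, omega (+) omega)
    halves = [OMEGA, OMEGA]           # [Inc(0, omega, 1/2)] * [Inc(0, omega, 1/2)]
    trace = [x.alpha]

    def total() -> Ordinal:           # Inc(.., a (+) b, 1) = Inc(.., a, 1/2) * Inc(.., b, 1/2)
        return halves[0] + halves[1]

    for loop, bound in enumerate((n, m)):  # the loop over n, then the loop over m
        halves[loop] = fin(bound)          # bound now known: Inc(i, bound - i, 1/2) with i = 0
        x.weaken(total())
        trace.append(x.alpha)
        i = 0
        while i < bound:                   # invariant: beta = bound - i
            halves[loop] = fin(bound - i - 1)  # delta = bound - (i + 1) < beta
            x.incr(total())
            i += 1
            trace.append(x.alpha)
    return x.read(), x.alpha, trace


def strictly_decreasing(trace) -> bool:
    """The well-foundedness check: every step moves to a smaller ordinal."""
    return all(later < earlier for earlier, later in zip(trace, trace[1:]))


def rejects_exhausted_incr() -> bool:
    """A counter whose ordinal is 0 admits no further increment."""
    x = TotalCounter(ZERO)
    try:
        x.incr(ZERO)
        return False
    except SpecViolation:
        return True


if __name__ == "__main__":
    value, alpha, trace = client(3, 2)
    print(value, alpha, strictly_decreasing(trace))  # 5 Ordinal(k=0, f=0) True
```

Choosing ω ⊕ ω at makeCounter is what lets the client postpone committing to a finite bound until random() has run: the weakening step turns the unknown ω of the current half into the now-known n, and the loop body's incr consumes one unit of it each time, so the final ordinal is 0 exactly when both loops have finished.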
SLIDE 26

What to take home

◮ Ordinals can be used to bound interference in a module.
◮ Generally, termination is not guaranteed unless we restrict the environment.
◮ Atomic triples allow us to restrict the environment.
◮ The client can choose how to decrease the ordinals.
◮ Non-impedance seems to be a useful way of specifying blocking within a module.

13 / 15

SLIDE 27

Conclusions

◮ Introduced atomic triples with a total correctness interpretation.
◮ Introduced Total-TaDA, which extends TaDA to total correctness.
◮ Modular approach: clients and implementations are verified independently.
◮ Examples: Counters, Stacks, Queues, Sets, Graphs

14 / 15

SLIDE 28

Current/Future work

◮ Extend logic (and specifications?) to blocking algorithms
◮ Non-terminating behaviour

15 / 15