modular termination verification for non blocking
play

Modular Termination Verification for Non-blocking Concurrency Julian - PowerPoint PPT Presentation

Mar 11, 2024 •145 likes •444 views

Modular Termination Verification for Non-blocking Concurrency Julian Sutherland Joint work with: Pedro da Rocha Pinto, Thomas Dinsdale-Young, Philippa Gardner July, 2015 1 / 15 Module Abstractions Given the following modules. Queue Counter

  1. Modular Termination Verification for Non-blocking Concurrency Julian Sutherland Joint work with: Pedro da Rocha Pinto, Thomas Dinsdale-Young, Philippa Gardner July, 2015 1 / 15

  2. Module Abstractions Given the following modules. Queue Counter Stack ◮ What is the right specification? ◮ Sufficiently strong for clients to be able to use it constructively. ◮ Sufficiently weak for any “reasonable” implementations of the module to satisfy it. ◮ How much can we abstract? ◮ Can we prove termination? 2 / 15

  3. Example of a Client of a Counter Module x := makeCounter (); n := random (); m := random (); i := 0; j := 0; while ( i < n ) { while ( j < m ) { incr ( x ); incr ( x ); i := i + 1; j := j + 1; } } 3 / 15

  4. Counter Module Operations: Partial Correctness � � � � ⊢ emp makeCounter () C ( ret , 0) � � � � ⊢ n ∈ N . C ( x , n ) read ( x ) C ( x , n ) ∧ ret = n A � � � � ⊢ n ∈ N . C ( x , n ) incr ( x ) C ( x , n + 1) A 4 / 15

  5. Spin Counter: Increment � � � � ⊢ A n ∈ N . C ( x , n ) incr ( x ) C ( x , n + 1) function incr ( x ) { b := 0; while ( b = 0) { v := [ x ]; b := CAS ( x , v , v + 1); } } 5 / 15

  6. Counter Module Operations : Total Correctness � � � � ∀ α. ⊢ τ emp makeCounter () C ( ret , 0 , α ) � � � � ⊢ τ A n ∈ N , α. C ( x , n, α ) read ( x ) C ( x , n, α ) ∧ ret = n � � � � ∀ β. ⊢ τ A n ∈ N , α. C ( x , n, α ) ∧ α > β ( α ) incr ( x ) C ( x , n + 1 , β ( α )) 6 / 15

  7. Counter Module Operations : Total Correctness � � � � ∀ α. ⊢ τ emp makeCounter () C ( ret , 0 , α ) � � � � ⊢ τ A n ∈ N , α. C ( x , n, α ) read ( x ) C ( x , n, α ) ∧ ret = n � � � � ∀ β. ⊢ τ A n ∈ N , α. C ( x , n, α ) ∧ α > β ( α ) incr ( x ) C ( x , n + 1 , β ( α )) ∀ α > β. C ( x, n, α ) = ⇒ C ( x, n, β ) 6 / 15

  8. Counter Module Operations : Total Correctness � � � � ∀ α. ⊢ τ emp makeCounter () C ( ret , 0 , α ) � � � � ⊢ τ A n ∈ N , α. C ( x , n, α ) read ( x ) C ( x , n, α ) ∧ ret = n � � � � ∀ β. ⊢ τ A n ∈ N , α. C ( x , n, α ) ∧ α > β ( α ) incr ( x ) C ( x , n + 1 , β ( α )) ∀ α > β. C ( x, n, α ) = ⇒ C ( x, n, β ) Non-impedance relationship in the counter module: incr read

  9. Counter Module Operations : Total Correctness � � � � ∀ α. ⊢ τ emp makeCounter () C ( ret , 0 , α ) � � � � ⊢ τ A n ∈ N , α. C ( x , n, α ) read ( x ) C ( x , n, α ) ∧ ret = n � � � � ∀ β. ⊢ τ A n ∈ N , α. C ( x , n, α ) ∧ α > β ( α ) incr ( x ) C ( x , n + 1 , β ( α )) ∀ α > β. C ( x, n, α ) = ⇒ C ( x, n, β ) Non-impedance relationship in the counter module: incr read 6 / 15

  10. Total Correctness for Loops � � � � ∀ γ ≤ α. ⊢ τ p ( γ ) ∧ B ∃ β. p ( β ) ∧ β < γ C � � � � ⊢ τ p ( α ) while ( B ) C ∃ β. p ( β ) ∧ ¬ B ∧ β ≤ α 7 / 15

  11. Example of a Client of a Counter Module x := makeCounter (); n := random (); m := random (); i := 0; j := 0; while ( i < n ) { while ( j < m ) { incr ( x ); incr ( x ); i := i + 1; j := j + 1; } } 8 / 15

  12. Example of a Client of a Counter Module � � emp x := makeCounter (); n := random (); m := random (); i := 0; j := 0; while ( i < n ) { while ( j < m ) { incr ( x ); incr ( x ); i := i + 1; j := j + 1; } } � � C ( x , n + m , 0) 8 / 15

  13. Building abstraction I ( CClient r ( x, n )) � ∃ α. C ( x, n, α ) ∗ [ Total ( n, α )] r I ( CClient r ( x, ◦ )) � True 9 / 15

  14. Building abstraction I ( CClient r ( x, n )) � ∃ α. C ( x, n, α ) ∗ [ Total ( n, α )] r I ( CClient r ( x, ◦ )) � True Inc ( x, n + m, α ⊕ β, π 1 + π 2 ) = Inc ( x, n, α, π 1 ) • Inc ( x, m, β, π 2 ) Total ( n, α ) • Inc ( m, β, 1) defined = ⇒ n = m ∧ α = β 9 / 15

  15. Building abstraction I ( CClient r ( x, n )) � ∃ α. C ( x, n, α ) ∗ [ Total ( n, α )] r I ( CClient r ( x, ◦ )) � True Inc ( x, n + m, α ⊕ β, π 1 + π 2 ) = Inc ( x, n, α, π 1 ) • Inc ( x, m, β, π 2 ) Total ( n, α ) • Inc ( m, β, 1) defined = ⇒ n = m ∧ α = β Inc ( m, γ, π ) : n � n + 1 Inc ( m, γ, 1) : n � ◦ 9 / 15

  16. Building abstraction I ( CClient r ( x, n )) � ∃ α. C ( x, n, α ) ∗ [ Total ( n, α )] r I ( CClient r ( x, ◦ )) � True Inc ( x, n + m, α ⊕ β, π 1 + π 2 ) = Inc ( x, n, α, π 1 ) • Inc ( x, m, β, π 2 ) Total ( n, α ) • Inc ( m, β, 1) defined = ⇒ n = m ∧ α = β Inc ( m, γ, π ) : n � n + 1 Inc ( m, γ, 1) : n � ◦ 9 / 15

  17. Proving the Client � � emp x := makeCounter (); � � C ( x , 0 , ω ⊕ ω ) . . . 10 / 15

  18. Proving the Client � � emp x := makeCounter (); � � C ( x , 0 , ω ⊕ ω ) � � CClient ( x , 0) ∗ [ Inc (0 , ω ⊕ ω, 1)] � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v . . . . . . 10 / 15

  19. Proving the client � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v n := random (); i := 0; while ( i < n ) { . . . incr ( x ); i := i + 1; } 11 / 15

  20. Proving the client � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v n := random (); i := 0; while ( i < n ) { . . . incr ( x ); i := i + 1; } � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] 11 / 15

  21. Proving the client � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v n := random (); i := 0; ∃ v. CClient ( x , v ) ∗ [ Inc ( i , n , 1 � � 2 )] ∧ 0 ≤ v ∧ i = 0 while ( i < n ) { . . . incr ( x ); i := i + 1; } � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] 11 / 15

  22. Proving the client � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v n := random (); i := 0; ∃ v. CClient ( x , v ) ∗ [ Inc ( i , n , 1 � � 2 )] ∧ 0 ≤ v ∧ i = 0 while ( i < n ) { ∀ β. � ∃ v. CClient ( x , v ) ∗ [ Inc ( i , β, 1 � 2 )] ∧ i ≤ v ∧ i ≤ n . . . ∧ β = n − i incr ( x ); i := i + 1; } � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] 11 / 15

  23. Proving the client � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v n := random (); i := 0; ∃ v. CClient ( x , v ) ∗ [ Inc ( i , n , 1 � � 2 )] ∧ 0 ≤ v ∧ i = 0 while ( i < n ) { ∀ β. � ∃ v. CClient ( x , v ) ∗ [ Inc ( i , β, 1 � 2 )] ∧ i ≤ v ∧ i ≤ n . . . ∧ β = n − i incr ( x ); i := i + 1; � ∃ δ, v. CClient ( x , v ) ∗ [ Inc ( i , δ, 1 � 2 )] ∧ i ≤ v ∧ i ≤ n ∧ δ = n − i ∧ δ < β } � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] 11 / 15

  24. Proving the client � � emp x := makeCounter (); � � C ( x , 0 , ω ⊕ ω ) � � CClient ( x , 0) ∗ [ Inc (0 , ω ⊕ ω, 1)] � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v . . . . . . � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] 12 / 15

  25. Proving the client � � emp x := makeCounter (); � � C ( x , 0 , ω ⊕ ω ) � � CClient ( x , 0) ∗ [ Inc (0 , ω ⊕ ω, 1)] � ∃ v. CClient ( x , v ) ∗ [ Inc (0 , ω, 1 � 2 )] ∧ 0 ≤ v . . . . . . � ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 � 2 )] ∃ v. CClient ( x , v ) ∗ [ Inc ( n , 0 , 1 2 )] ∗ [ Inc ( m , 0 , 1 � � 2 )] � � ∃ v. CClient ( x , v ) ∗ [ Inc ( n + m , 0 , 1)] � � C ( x , n + m , 0) 12 / 15

  26. What to take home ◮ Ordinals can be used to bound interference in a module. ◮ Generally, termination is not guaranteed unless we restrict the environment. ◮ Atomic triples allow us to restrict the environment. ◮ The client can choose how to decrease the ordinals. ◮ Non-impedance seems to be a useful way of specifying blocking within a module. 13 / 15

  27. Conclusions ◮ Introduced atomic triples with total correctness interpretation. ◮ Introduced Total-TaDA, that extends TaDA for total correctness. ◮ Modular approach: clients and implementations are verified independently. ◮ Examples: Counters, Stacks, Queues, Sets, Graphs 14 / 15

  28. Current/Future work ◮ Extend logic (and specifications?) to blocking algorithms ◮ Non-terminating behaviour 15 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modular Termination Verification Bart Jacobs 1 Dragan Bosnacki 2 Ruurd Kuiper 2 1 DistriNet, KU

Modular Termination Verification Bart Jacobs 1 Dragan Bosnacki 2 Ruurd Kuiper 2 1 DistriNet, KU

Modular Termination Verification Bart Jacobs 1 Dragan Bosnacki 2 Ruurd Kuiper 2 1 DistriNet, KU Leuven 2 Eindhoven University of Technology ECOOP 2015 Bart Jacobs , Dragan Bosnacki , Ruurd Kuiper Modular Termination Verification Disclaimer This

1.45k views • 89 slides
Analysis using Configurable Software Verification Sebastian Ott Termination No infinite

Analysis using Configurable Software Verification Sebastian Ott Termination No infinite

Implementing Termination Analysis using Configurable Software Verification Sebastian Ott Termination No infinite execution Liveness property Important property of programs: partial correctness termination total

375 views • 15 slides
Termination Impossibility of any infinite sequence G 0 R G 1 R G 2 R . . . given a

Termination Impossibility of any infinite sequence G 0 R G 1 R G 2 R . . . given a

Modular Termination of Graph Transformation 1 Detlef Plump University of York, UK 1 In Graph Transformation, Specifications, and Nets: In Memory of Hartmut Ehrig . LNCS 10800, Springer, 2018 Termination Impossibility of any infinite sequence

215 views • 17 slides
An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of

An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of

An Assume-Guarantee Method for Modular An Assume-Guarantee Method for Modular Verification of Evolving Component-Based Software Verification of Evolving Component-Based Software Pham Ngoc Hung, Nguyen Truong Thang, and Takuya Katayama Japan

544 views • 21 slides
Le Lever eragin aging g Rust Types es for Modular lar Speci cification and Verification

Le Lever eragin aging g Rust Types es for Modular lar Speci cification and Verification

Le Lever eragin aging g Rust Types es for Modular lar Speci cification and Verification Vytautas Astrauskas Peter Mller Federico Poli Alexander J. Summers Department of Computer Science Analogy with C verification void client(list *

451 views • 18 slides
Types of Termination Mutual With Consent Termination Automatic Termination

Types of Termination Mutual With Consent Termination Automatic Termination

Types of Termination Mutual With Consent Termination Automatic Termination Termination Termination for Convenience Without Consent Frustration /Force Majeure Contractual Breach Breach Common Law Breach

444 views • 29 slides
Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem Penninckx, Bart Jacobs, Frank Piessens Department of Computer Science, KU Leuven, Belgium DRADS 2014 Table of Contents Introduction Requirements

660 views • 45 slides
. Needs effective (finitary) representation .. Failed Termination Proof vs. Non- TNT:

. Needs effective (finitary) representation .. Failed Termination Proof vs. Non- TNT:

Runtime Errors Proving Non-Termination Ashutosh K. Gupta Thomas A. Henzinger Rupak Majumdar MPI-SWS EPFL UCLA Andrey Rybalchenko Ru-Gang Xu MPI-SWS UCLA 2 Non-Termination Errors Proving Non-Termination Search for infinite

402 views • 6 slides
Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control

Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning about Data and Control January 18,

751 views • 54 slides
Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies

Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies

Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies require price regulation Termination rates at cost of efficient operator Provide incentive to invest in new technologies to reduce costs Promote

605 views • 32 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Why blocking? What is blocking? Blocking in

626 views • 14 slides
Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs

ST 516 Experimental Statistics for Engineers II Blocking in the 2 k Design Blocking may be required because: we cannot perform all required runs under homogeneous conditions; e.g. raw material comes in limited batches; we want to carry out runs

487 views • 23 slides
Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of

Data Blocking Jon K. Nilsen Department of Physics and Scientific Computing Group University of Oslo, N-0316 Oslo, Norway Spring 2008 Computational Physics II FYS4410 Outline Data Blocking Implementing blocking Using vmc blocking

210 views • 8 slides
Part 6: Termination Revisited So far: Termination as a subordinate task for entailment checking.

Part 6: Termination Revisited So far: Termination as a subordinate task for entailment checking.

Part 6: Termination Revisited So far: Termination as a subordinate task for entailment checking. TRS is generated by some saturation process; ordering must be chosen before the saturation starts. Now: Termination as a main task (e. g., for

384 views • 20 slides
Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1

Blocking and Non-blocking Checkpointing and Rollback Recovery for Networks-on-Chip Claudia Rusu 1 , Cristian Grecu 2 , Lorena Anghel 1 1 TIMA Laboratory, CNRS-UJF-INP, Grenoble, France 2 SoC Laboratory, University of British Columbia, Vancouver,

700 views • 23 slides
Conflict Termination and Prevention September 3 - Class 9 Conflict Termination Over half of

Conflict Termination and Prevention September 3 - Class 9 Conflict Termination Over half of

Conflict Termination and Prevention September 3 - Class 9 Conflict Termination Over half of all conflicts end in military victory for one side. Those that are not require other means of settlement. Negotiated Settlements Both

612 views • 24 slides
Program Verification using Constraint Handling Rules and Array Constraint Generalizations

Program Verification using Constraint Handling Rules and Array Constraint Generalizations

Program Verification using Constraint Handling Rules and Array Constraint Generalizations Emanuele De Angelis 1 , 3 , Fabio Fioravanti 1 , Alberto Pettorossi 2 , and Maurizio Proietti 3 1 University of Chieti-Pescara G. dAnnunzio, Italy 2

508 views • 36 slides
Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a 1 a 2 Sebastian Buruian S , tefan Ciob ac 1 Alexandru Ioan Cuza University Bitedefender 2 Alexandru Ioan Cuza University WPTE 2018

435 views • 21 slides
08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

Review Hoare Triples; Partial and Total Correctness Practical Aspects of Correctness Proofs Correctness of the Factorial Function Proof Calculus for Total Correctness 08Program Verification II CS 5209: Foundation in Logic and AI Martin

778 views • 39 slides
Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese

Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese

Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese Fotis Kopsaftopoulos Carlos Varela Rensselaer Polytechnic Institute Dynamic Data Driven Application Systems (DDDAS) Session International Workshop

418 views • 21 slides
Computing GCDs for b 0 The Euclidean Proof: a = qb + r Algorithm any divisor of 2 of

Computing GCDs for b 0 The Euclidean Proof: a = qb + r Algorithm any divisor of 2 of

GCD Remainder Lemma Mathematics for Computer Science Lemma: MIT 6.042J/18.062J gcd(a,b) = gcd(b, rem(a,b)) Computing GCDs for b 0 The Euclidean Proof: a = qb + r Algorithm any divisor of 2 of these terms must divide all 3. Albert R

419 views • 4 slides
Lecture 10 (14.12.2015) Foundations of Software Verification Christoph Lth Jan Peleska Dieter

Lecture 10 (14.12.2015) Foundations of Software Verification Christoph Lth Jan Peleska Dieter

Systeme Hoher Sicherheit und Qualitt Universitt Bremen WS 2015/2016 Lecture 10 (14.12.2015) Foundations of Software Verification Christoph Lth Jan Peleska Dieter Hutter Where are we? 01: Concepts of Quality 02: Legal

453 views • 23 slides
A proof-theoretical journey through programming, model checking and theorem proving David Baelde

A proof-theoretical journey through programming, model checking and theorem proving David Baelde

A proof-theoretical journey through programming, model checking and theorem proving David Baelde IT University of Copenhagen ASL Meeting, Structural Proof Theory Session Madison, Wisconsin, April 2012 1 / 26 Logic programming A specification

270 views • 26 slides
W4231: Analysis of Algorithms Topological Sort 10/26/1999 Given a directed graph G = ( V, E ) , a

W4231: Analysis of Algorithms Topological Sort 10/26/1999 Given a directed graph G = ( V, E ) , a

W4231: Analysis of Algorithms Topological Sort 10/26/1999 Given a directed graph G = ( V, E ) , a topological sort of the vertices is an ordering v 1 , . . . , v n of the vertices such that for Topological Sort every edge ( v i , v j ) we have

396 views • 7 slides

More recommend