Refinement Proofs and Techniques
Suha Orhun Mutluergil, Koc University, Istanbul, Turkey
Refinement
- In general: a concrete and complex system $L_1$ refines the abstract system $L_2$ iff $L_2$ completely captures the behaviors of $L_1$.
- For automata / state machines / transition systems, refinement is based on an alphabet $\Sigma$ of observable actions.
- Formally: a Labeled Transition System (LTS) $L_1$ $\Sigma$-refines the LTS $L_2$ iff for every trace $\tau$ of $L_1$ there exists a trace $\tau'$ of $L_2$ such that $\tau|_\Sigma = \tau'|_\Sigma$ (the projections of the two traces onto $\Sigma$ coincide).
- Example: $L_1 = \langle S_1 = \{t_0, t_1, \ldots\},\ \Sigma_1 = \{\beta, \gamma, \delta\},\ \Delta_1 \rangle$ s.t. $\Delta_1 \subseteq S_1 \times \Sigma_1 \times S_1$; $L_2 = \langle S_2 = \{q_0, q_1, \ldots\},\ \Sigma_2 = \{\beta, \gamma, x\},\ \Delta_2 \rangle$ s.t. $\Delta_2 \subseteq S_2 \times \Sigma_2 \times S_2$ ($x$: placeholder for the third action of $L_2$, unreadable here); observable alphabet $\Sigma = \{\beta, \gamma\}$.
[Figure: the two LTSs; $L_1$ has states $t_0, \ldots, t_4$ with transitions labelled $\beta, \delta, \gamma, \gamma$, and $L_2$ has states $q_0, \ldots, q_4$ with transitions labelled $\beta, \gamma, \gamma$ and one labelled with the third action of $\Sigma_2$]
How to Prove Refinement
- In general, proofs depend on finding a particular kind of relation/function that relates states of $L_1$ to states of $L_2$: refinement mappings, forward simulation relations, backward simulation relations.
- Completeness issues: none of these relations/functions is complete on its own.
  - Refinement mappings: complete if $L_1$ is a forest and $L_2$ is deterministic [2]. Otherwise, history and/or prophecy variables may need to be added [1].
  - Forward simulations: complete if $L_2$ is deterministic [2]. Otherwise, prophecy variables may need to be added [2].
  - Backward simulations: complete if $L_1$ is a forest [2]. Otherwise, history variables may need to be added [2].
1. Abadi, M., & Lamport, L. (1991). The existence of refinement mappings. Theoretical Computer Science, 82(2), 253-284.
2. Lynch, N. A., & Vaandrager, F. W. (1995). Forward and backward simulations. Part I: Untimed systems. Information and Computation, 121(2), 214-233.
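As an added illustration (not code from the talk or the paper) of the $\Sigma$-refinement definition and of the forward-simulation proof technique: a small Python checker that decides whether a candidate relation is a forward simulation between two finite LTSs, treating actions outside $\Sigma$ as silent steps, run on a constructed pair of LTSs shaped like the $t_i$/$q_i$ example. The encoding of an LTS as (initial state, transition set), the concrete transitions and all names are my assumptions.

```python
def eps_closure(states, delta, sigma):
    """States reachable from `states` using only actions outside the observable alphabet sigma."""
    seen, work = set(states), list(states)
    while work:
        s = work.pop()
        for src, a, dst in delta:
            if src == s and a not in sigma and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen

def weak_successors(u, a, delta, sigma):
    """States u' with u ==a==> u': one a-step surrounded by unobservable steps when a is
    observable, or unobservable steps only when a itself is not in sigma."""
    pre = eps_closure({u}, delta, sigma)
    if a not in sigma:
        return pre
    post = {t for p, b, t in delta if p in pre and b == a}
    return eps_closure(post, delta, sigma)

def is_forward_simulation(l1, l2, sigma, rel):
    """rel is a forward simulation from l1 to l2 w.r.t. sigma iff the initial states are
    related and every step s -a-> s' of l1 from a related pair (s, u) is matched by some
    u ==a==> u' of l2 with (s', u') related.  Each LTS is (initial_state, transitions)."""
    i1, d1 = l1
    i2, d2 = l2
    if (i1, i2) not in rel:
        return False
    for s, u in rel:
        for src, a, dst in d1:
            if src == s and not any((dst, v) in rel for v in weak_successors(u, a, d2, sigma)):
                return False
    return True

# Constructed example (assumed): L1 over t0..t4 with labels beta, gamma, delta; L2 over q0..q4
# with labels beta, gamma and an internal action x; observable alphabet SIGMA = {beta, gamma}.
L1 = ("t0", {("t0", "beta", "t1"), ("t1", "delta", "t2"), ("t2", "gamma", "t3"), ("t1", "gamma", "t4")})
L2 = ("q0", {("q0", "beta", "q1"), ("q1", "x", "q3"), ("q3", "gamma", "q4"), ("q1", "gamma", "q2")})
SIGMA = {"beta", "gamma"}
REL = {("t0", "q0"), ("t1", "q1"), ("t2", "q3"), ("t3", "q4"), ("t4", "q2")}  # candidate simulation

def demo():
    """A forward simulation exists, so L1 SIGMA-refines L2; dropping one pair breaks the check."""
    good = is_forward_simulation(L1, L2, SIGMA, REL)
    broken = is_forward_simulation(L1, L2, SIGMA, REL - {("t4", "q2")})
    return good, broken
```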
Proving Linearizability using Forward Simulations*
Joint work with Ahmed Bouajjani [1], Constantin Enea [1] and Michael Emmi [2]
[1] IRIF, University of Paris Diderot; [2] Nokia Bell Labs
* To appear in CAV'17
A Brief Overview
- Scope: proving correctness of concurrent stack and queue implementations (which eventually boils down to a refinement proof).
- Contributions:
  - New stack and queue LTS specifications that are more useful for the proofs than the standard specifications.
  - Shown to be equivalent to the standard specifications.
  - Existence of forward simulations is guaranteed if some properties of the dequeue/pop methods of the implementations are known.
- Experiments / applications:
  - Shown the correctness of the Herlihy-Wing queue [1] by finding a forward simulation relation to the new queue specification.
  - Shown the correctness of the Time-Stamped Stack [2] by finding a forward simulation relation to the new stack specification.
1. Herlihy, Maurice P., and Jeannette M. Wing. "Linearizability: A correctness condition for concurrent objects." ACM Transactions on Programming Languages and Systems (TOPLAS) 12.3 (1990): 463-492.
2. Dodds, Mike, Andreas Haas, and Christoph M. Kirsch. "A scalable, correct time-stamped stack." ACM SIGPLAN Notices. Vol. 50. No. 1. ACM, 2015.
Linearizability
- The standard correctness condition for concurrent data structures/libraries.
- Call and return actions mark the beginning and end of methods.
- History: projection of a trace onto the call and return actions ($C \cup R$).
- $L_1$ is linearizable with respect to the specification $L_2$ iff every operation in the history $h_1$ has a linearization point between its call and return points such that the same operation of $L_2$ takes place atomically at that point.
[Figure: timeline of the history inv(enq,3) ret(enq) inv(enq,5) ret(enq) inv(deq) ret(deq,3), with the atomic operations enq(3) deq(3) enq(5) placed at the chosen linearization points]
How to Prove Linearizability of Queues
- Standard abstract specification $AbsQ_0$:
  - State: $q \in \mathbb{N}^*$, a sequence of values.
  - Actions: $inv(enq, d)$, $lin(enq, d)$, $ret(enq)$, $inv(deq)$, $lin(deq, d)$, $ret(deq, d)$.
  - $lin(enq, d)$: $q' = q \cdot \langle d \rangle$
  - $lin(deq, EMPTY)$: enabled only if $q = \epsilon$
  - $lin(deq, d)$ with $d \neq EMPTY$: enabled only if $q = d \cdot t$, and then $q' = t$
  - all other actions (calls and returns): $q' = q$
- Showing that the implementation $L_1$ $(C \cup R)$-refines $AbsQ_0$ is sufficient.
- If we know the linearization points of the enqueue or dequeue methods, finding $(C \cup R \cup lin)$-refinements is easier.
Observations about Implementations
- Linearization points of enqueues are usually not fixed (they depend on the execution).
- Linearization points of dequeues are usually fixed and easy to determine.
- $AbsQ_0$ is not deterministic in terms of $C \cup R$ or $C \cup R \cup lin(deq)$.
[Figure: two executions of the same history, in which enq(3) and enq(5) overlap; in the first, lin(enq,3) precedes lin(enq,5) and yields $q = \langle 3, 5 \rangle$, in the second, lin(enq,5) precedes lin(enq,3) and yields $q = \langle 5, 3 \rangle$]
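As an added example (not code from the talk or the paper) for the $AbsQ_0$ specification above and for the non-determinism observation: a small Python model of $AbsQ_0$ whose actions are tuples such as ("lin", "enq", 3), run on two constructed executions that have the same projection onto $C \cup R \cup lin(deq)$ yet reach different queue states, from which different dequeue values are enabled. The tuple encoding of actions and all function names are my assumptions.

```python
EMPTY = "EMPTY"

def absq0_step(q, action):
    """One transition of AbsQ0.  State q is a tuple of values; only lin actions change it,
    inv/ret actions leave it unchanged.  Returns the new state, or None if not enabled."""
    kind, op, *arg = action
    if kind == "lin" and op == "enq":
        return q + (arg[0],)                       # lin(enq, d): q' = q . <d>
    if kind == "lin" and op == "deq":
        d = arg[0]
        if d == EMPTY:
            return q if q == () else None          # lin(deq, EMPTY): enabled only when q is empty
        return q[1:] if q and q[0] == d else None  # lin(deq, d): q = d . t  =>  q' = t
    return q                                       # inv(...) / ret(...)

def run(actions, q=()):
    """Run an execution from state q; raises if some action is not enabled."""
    for a in actions:
        q = absq0_step(q, a)
        if q is None:
            raise ValueError(f"action {a} is not enabled")
    return q

def in_c_r_lin_deq(action):
    """Membership in C U R U lin(deq): call/return actions plus dequeue linearizations."""
    kind, op = action[0], action[1]
    return kind in ("inv", "ret") or (kind == "lin" and op == "deq")

# Constructed executions (assumed): two enqueues that overlap, so their call/return
# order is identical, but their linearization points are ordered differently.
EXEC_A = [("inv", "enq", 3), ("lin", "enq", 3), ("inv", "enq", 5),
          ("lin", "enq", 5), ("ret", "enq"), ("ret", "enq")]
EXEC_B = [("inv", "enq", 3), ("inv", "enq", 5), ("lin", "enq", 5),
          ("lin", "enq", 3), ("ret", "enq"), ("ret", "enq")]

def nondeterminism_witness(e1, e2, keep=in_c_r_lin_deq):
    """Return (state1, state2) if e1 and e2 agree after projection onto `keep` yet lead
    AbsQ0 to different states, i.e. a witness that AbsQ0 is not deterministic w.r.t. it."""
    if [a for a in e1 if keep(a)] != [a for a in e2 if keep(a)]:
        return None
    s1, s2 = run(e1), run(e2)
    return (s1, s2) if s1 != s2 else None

def enabled_deq_values(q):
    """Values d for which lin(deq, d) is enabled in q: the two witness states diverge here."""
    return [d for d in set(q) | {EMPTY} if absq0_step(q, ("lin", "deq", d)) is not None]
```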
New Abstract Queue $AbsQ$
- States: a strict partial order of enqueue operations, based on the happens-before relation. Operations can be pending or completed.
- Actions: $C \cup R \cup lin(deq)$.
- $AbsQ$ is deterministic in terms of $C \cup R \cup lin(deq)$.
- $AbsQ$ produces the same histories as $AbsQ_0$.
- Example application: showing linearizability of the Herlihy & Wing queue [1] by finding a forward simulation to $AbsQ$.
[Figure: an $AbsQ$ state drawn as a partial order over enqueue nodes $e_1, \ldots, e_6$, each marked COMPLETED or PENDING; the minimal nodes are the dequeuable ones]
1. Herlihy, Maurice P., and Jeannette M. Wing. "Linearizability: A correctness condition for concurrent objects." ACM Transactions on Programming Languages and Systems (TOPLAS) 12.3 (1990): 463-492.
The Stack Case
- A natural conversion of $AbsQ$ to $AbsS$ exists: pops remove maximal elements instead of minimal elements.
- Similar observations on implementations: linearization points of pushes are not fixed. For complicated examples, linearization points of pops are not fixed either, but we can determine the commit points of pops (the points that fix the return value).
- $AbsS_0$ is not deterministic in terms of $C \cup R$ or $C \cup R \cup com(pop)$.
- We introduce a new $AbsS$ that differs from the dual of $AbsQ$, has executions equivalent to those of $AbsS_0$, and is deterministic in terms of $C \cup R \cup com(pop)$.
- We have shown its applicability by finding a forward simulation from the complicated Time-Stamped Stack [1] implementation to $AbsS$.
1. Dodds, Mike, Andreas Haas, and Christoph M. Kirsch. "A scalable, correct time-stamped stack." ACM SIGPLAN Notices. Vol. 50. No. 1. ACM, 2015.
Conclusions & Other Interests
- Future work: extending the idea to other data structures, such as sets.
- Future work: mechanizing the proofs in the Boogie/CIVL proof system developed by Microsoft Research and Koc University.
- Other interests:
  - Refinement proofs for weak memory models.
  - In particular, extending the CIVL proof system to the TSO memory model.
  - New proof rules for TSO.
  - Extending the concept of linearizability to weak memory models (WMM).
Thank You
- Any questions?
How to Prove Linearizability
[Figure: the history inv(enq,3) ret(enq) inv(enq,5) ret(enq) inv(deq) ret(deq,3) drawn as a timeline, then the same history annotated with a lin action between the inv and ret of each operation: lin(enq,3), lin(enq,5) and lin(deq,3)]