Refinement Proofs and Techniques - Suha Orhun Mutluergil, Koc University - PowerPoint PPT Presentation



SLIDE 1

Refinement Proofs and Techniques

Suha Orhun Mutluergil, Koc University, Istanbul, Turkey

SLIDE 2

Refinement

• In general: a concrete and complex system S1 refines the abstract system S2 iff S2 completely captures the behaviors of S1.
• For automata / state machines / transition systems:
  • Refinement is based on an alphabet Σ of observable actions.
  • Formally: a Labeled Transition System (LTS) L1 Σ-refines the LTS L2 iff for every trace τ of L1 there exists a trace τ' of L2 such that τ|Σ = τ'|Σ (the projections of the two traces onto Σ coincide).
• Example:
  L1 = ⟨S1 = {s0, s1, ...}, Σ1 = {α, β, γ}, δ1⟩ s.t. δ1 ⊆ S1 × Σ1 × S1
  L2 = ⟨S2 = {q0, q1, ...}, Σ2 = {α, β, θ}, δ2⟩ s.t. δ2 ⊆ S2 × Σ2 × S2
  Σ = {α, β}

  L1: s0 -α-> s1 -γ-> s2 -β-> s3 -β-> s4
  L2: q0 -α-> q1 -β-> q2 -θ-> q3 -β-> q4
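The Σ-refinement condition above can be decided mechanically for finite LTSs. The following Python is an added example, not code from the talk: it encodes the slide's L1 and L2 (state names are the slide's; the Greek action symbols are assumed from the slide's alphabets) and checks inclusion of the Σ-projected trace sets with a subset construction over the abstract system, so it also handles cyclic LTSs, which goes beyond the slide's acyclic example.

```python
from collections import deque

# An LTS is (initial states, transitions); a transition is (src, action, dst).
# Constructed from the slide: L1 over {α, β, γ}, L2 over {α, β, θ}, Σ = {α, β}.
L1 = ({"s0"}, [("s0", "α", "s1"), ("s1", "γ", "s2"), ("s2", "β", "s3"), ("s3", "β", "s4")])
L2 = ({"q0"}, [("q0", "α", "q1"), ("q1", "β", "q2"), ("q2", "θ", "q3"), ("q3", "β", "q4")])
SIGMA = {"α", "β"}
# Two constructed variants: L1 with one more observable β, and L2 with a β-loop at the end.
L1_EXTRA = (L1[0], L1[1] + [("s4", "β", "s5")])
L2_LOOP = (L2[0], L2[1] + [("q4", "β", "q4")])


def hidden_closure(lts, states, sigma):
    """States reachable from `states` by any number of actions outside Σ."""
    _, trans = lts
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for src, a, dst in trans:
            if src == s and a not in sigma and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return frozenset(seen)


def sigma_refines(l1, l2, sigma):
    """Decide whether l1 Σ-refines l2: {τ|Σ : τ trace of l1} ⊆ {τ'|Σ : τ' trace of l2}.

    Explores pairs (s, S): s is an l1 state reached by some trace τ, and S is the set of
    l2 states reachable by traces with the same Σ-projection as τ (subset construction on
    the projected abstract system).  Returns (True, None), or (False, w) where w is a
    projected trace of l1 that l2 cannot produce.
    """
    init1, trans1 = l1
    init2, trans2 = l2
    start = hidden_closure(l2, init2, sigma)
    if not start:
        return False, ()                     # l2 has no initial state: even the empty trace fails
    todo = deque((s, start, ()) for s in init1)
    seen = {(s, start) for s in init1}
    while todo:
        s, S, word = todo.popleft()
        for src, a, dst in trans1:
            if src != s:
                continue
            if a in sigma:                   # observable: l2 must answer with the same action
                after = {d for u in S for (x, b, d) in trans2 if x == u and b == a}
                S2, word2 = hidden_closure(l2, after, sigma), word + (a,)
                if not S2:
                    return False, word2
            else:                            # hidden in l1: projection drops it, l2 stays put
                S2, word2 = S, word
            if (dst, S2) not in seen:
                seen.add((dst, S2))
                todo.append((dst, S2, word2))
    return True, None


if __name__ == "__main__":
    print(sigma_refines(L1, L2, SIGMA))          # (True, None): L1 Σ-refines L2 as on the slide
    print(sigma_refines(L1_EXTRA, L2, SIGMA))    # (False, ('α', 'β', 'β', 'β'))
    print(sigma_refines(L2_LOOP, L1, SIGMA))     # (False, ('α', 'β', 'β', 'β'))
```

Because both systems above are acyclic the check reduces to comparing the two projected words α β β; the counterexample returned for L1_EXTRA is the first projected trace at which the abstract state set becomes empty, which is exactly the trace a reviewer would ask to see when a refinement claim fails.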

SLIDE 3

Refinement (continued)

The same example as on the previous slide, with the observable actions α and β highlighted in both traces:

  L1: s0 -α-> s1 -γ-> s2 -β-> s3 -β-> s4    projection onto Σ: α β β
  L2: q0 -α-> q1 -β-> q2 -θ-> q3 -β-> q4    projection onto Σ: α β β

SLIDE 4

How to Prove Refinement

• In general, proofs depend on finding a particular kind of relation/function that relates states of L1 to states of L2.
• Refinement mappings, forward simulation relations, backward simulation relations.
• Completeness issues: none of these relations/functions is complete.
  • Refinement mappings
    • Complete if L1 is a forest and L2 is deterministic.[2]
    • Otherwise, history and/or prophecy variables may need to be added.[1]
  • Forward simulations
    • Complete if L2 is deterministic.[2]
    • Otherwise, prophecy variables may need to be added.[2]
  • Backward simulations
    • Complete if L1 is a forest.[2]
    • Otherwise, history variables may need to be added.[2]

1. Abadi, M., & Lamport, L. (1991). The existence of refinement mappings. Theoretical Computer Science, 82(2), 253-284.
2. Lynch, N. A., & Vaandrager, F. W. (1995). Forward and backward simulations. Part I: Untimed systems. Information and Computation, 121(2), 214-233.

SLIDE 5

Proving Linearizability using Forward Simulations‡

Joint work with Ahmed Bouajjani[1], Constantin Enea[1] and Michael Emmi[2]

1: IRIF, University of Paris Diderot
2: Nokia Bell Labs

‡: To appear in CAV'17

SLIDE 6

A Brief Overview

• Scope: proving correctness of concurrent stack and queue implementations (which eventually boils down to a refinement proof).
• Contributions: new stack and queue LTS specifications that are more useful for the proofs than the standard specifications.
  • Shown equivalent to the standard specifications.
  • The existence of a forward simulation is guaranteed if certain properties of the dequeue/pop methods of the implementation are known.
• Experiments / applications:
  • Shown the correctness of the Herlihy-Wing queue[1] by finding a forward simulation relation to the new queue specification.
  • Shown the correctness of the Time-Stamped Stack[2] by finding a forward simulation relation to the new stack specification.

1. Herlihy, Maurice P., and Jeannette M. Wing. "Linearizability: A correctness condition for concurrent objects." ACM Transactions on Programming Languages and Systems (TOPLAS) 12.3 (1990): 463-492.
2. Dodds, Mike, Andreas Haas, and Christoph M. Kirsch. "A scalable, correct time-stamped stack." ACM SIGPLAN Notices. Vol. 50. No. 1. ACM, 2015.

SLIDE 7

Linearizability

• The standard correctness condition for concurrent data structures/libraries.
• Call and return actions mark the beginning and end of methods.
• History: the projection of a trace over the call and return actions (C ∪ R).
• L1 is linearizable with respect to the specification L2 iff, for every history h1 of L1, each operation has a linearization point between its call and return points such that the same operation of L2 takes place atomically at that point.

[Timeline figure: three overlapping operations, inv(deq) … ret(deq,3), inv(enq,5) … ret(enq) and inv(enq,3) … ret(enq), with the atomic operations enq(5), deq(3), enq(3) marked at their linearization points]
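To make the definition operational, here is an added Python example (not the talk's code) that searches for a linearization of a complete history against the sequential queue specification of slide 8 (AbsQ0). An operation may be linearized next only if no other remaining operation returned before it was invoked (real-time order is preserved) and only if the atomic queue step yields the value the operation really returned. The histories are constructed and do not reproduce the slide's timeline exactly; pending (never-returning) operations are assumed absent.

```python
# Sequential queue spec used as the reference (AbsQ0 on slide 8): enq(d) appends,
# deq returns the head or EMPTY.

def queue_step(q, method, arg):
    """Apply one atomic AbsQ0 operation to queue q (a tuple); return (result, new queue)."""
    if method == "enq":
        return None, q + (arg,)              # lin(enq, d): q' = q ∘ ⟨d⟩
    if method == "deq":
        if not q:
            return "EMPTY", q                # lin(deq, EMPTY): q = ⟨⟩ ⇒ q' = q
        return q[0], q[1:]                   # lin(deq, d): q = d ∘ s ⇒ q' = s
    raise ValueError(method)


def parse_history(events):
    """events: ("inv", op_id, method, arg) and ("ret", op_id, method, result) in real-time order.
    Returns op_id -> record with the positions of the operation's call and return actions."""
    ops = {}
    for pos, (kind, op, method, payload) in enumerate(events):
        rec = ops.setdefault(op, {"method": method, "arg": None, "result": None, "inv": None, "ret": None})
        if kind == "inv":
            rec["arg"], rec["inv"] = payload, pos
        else:
            rec["result"], rec["ret"] = payload, pos
    # assumption of this example: the history is complete (every operation returned)
    assert all(r["inv"] is not None and r["ret"] is not None for r in ops.values())
    return ops


def linearize(events):
    """Return op ids in a valid linearization order, or None if the history is not linearizable.

    Depth-first search over the remaining operations.  An operation o can be next only if
    no other remaining operation p has ret(p) < inv(o), i.e. o does not have to come after p,
    and only if AbsQ0 returns o's actual result at that point.
    """
    ops = parse_history(events)

    def search(remaining, q, order):
        if not remaining:
            return order
        for o in sorted(remaining):
            if any(ops[p]["ret"] < ops[o]["inv"] for p in remaining if p != o):
                continue                          # some other remaining op precedes o in real time
            result, q2 = queue_step(q, ops[o]["method"], ops[o]["arg"])
            if result != ops[o]["result"]:
                continue                          # wrong return value at this linearization point
            found = search(remaining - {o}, q2, order + [o])
            if found is not None:
                return found
        return None

    return search(frozenset(ops), (), [])


# Constructed history: three operations whose intervals all overlap, like the slide's timeline.
OVERLAPPING = [
    ("inv", 1, "enq", 3), ("inv", 2, "deq", None), ("inv", 3, "enq", 5),
    ("ret", 3, "enq", None), ("ret", 1, "enq", None), ("ret", 2, "deq", 3),
]
# Constructed history no FIFO order explains: enq(3) completed before enq(5) was invoked,
# yet the later dequeue returned 5.
NOT_FIFO = [
    ("inv", 1, "enq", 3), ("ret", 1, "enq", None),
    ("inv", 2, "enq", 5), ("ret", 2, "enq", None),
    ("inv", 3, "deq", None), ("ret", 3, "deq", 5),
]

if __name__ == "__main__":
    print(linearize(OVERLAPPING))   # [1, 2, 3]: enq(3), then deq -> 3, then enq(5)
    print(linearize(NOT_FIFO))      # None
```

The search is exponential in the number of overlapping operations, which is exactly why the talk looks for simulation relations instead of enumerating linearizations; the checker is useful as a test oracle on small histories and as a precise statement of what the proof must establish.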

SLIDE 8

How to Prove Linearizability of Queues

• Standard abstract specification AbsQ0:
  • State: q : ℕ* (a sequence of values)
  • Actions: inv(enq, d), lin(enq, d), ret(enq), inv(deq), lin(deq, d), ret(deq, d)
  • lin(enq, d)     := q' = q ∘ ⟨d⟩
  • lin(deq, EMPTY) := q = ⟨⟩ ⇒ q' = q
  • lin(deq, d)     := q = d ∘ s ∧ d ≠ EMPTY ⇒ q' = s
• Showing that the implementation L1 (C ∪ R)-refines AbsQ0 is sufficient.
• If we know the linearization points of the enqueue or dequeue methods, finding (C ∪ R ∪ lin)-refinements is easier.

SLIDE 9

Observations about Implementations

• Linearization points of enqueues are usually not fixed (they depend on the execution).
• Linearization points of dequeues are usually fixed and easy to determine.
• AbsQ0 is not deterministic in terms of C ∪ R, nor in terms of C ∪ R ∪ lin(deq).

[Timeline figure: two overlapping enqueues, inv(enq,3) … lin(enq,3) … ret(enq) and inv(enq,5) … lin(enq,5) … ret(enq); with lin(enq,3) taken first the resulting state is q = ⟨3, 5⟩]

SLIDE 10

Observations about Implementations (continued)

[The same two overlapping enqueues, now with lin(enq,5) taken first: the resulting state is q = ⟨5, 3⟩. Both states are reachable from the same call/return history.]

SLIDE 11

New Abstract Queue AbsQ

• States: a strict partial order of enqueue operations, based on the happens-before relation. Operations can be pending or completed.
• Actions: C ∪ R ∪ lin(deq)
• AbsQ is deterministic in terms of C ∪ R ∪ lin(deq).
• AbsQ produces the same histories as AbsQ0.
• Example application: showing linearizability of the Herlihy & Wing queue[1] by finding a forward simulation to AbsQ.

[Figure: a partial order of enqueue nodes e1 … e6, each marked COMPLETED or PENDING; the minimal nodes are the dequeuable ones]

1. Herlihy, Maurice P., and Jeannette M. Wing. "Linearizability: A correctness condition for concurrent objects." ACM Transactions on Programming Languages and Systems (TOPLAS) 12.3 (1990): 463-492.
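An added Python example (not the talk's code) that runs slide 8's AbsQ0 and this slide's AbsQ on the overlapping enqueues of slides 9 and 10. AbsQ0 is explored as a set of states, because its lin(enq) step is internal and can be placed anywhere between the call and the return; AbsQ is executed as a function of the observable trace alone. The happens-before rule (a newly invoked enqueue is ordered after every enqueue that has already completed), the condition for lin(deq, EMPTY), and the action encoding are my reading of the slides and are marked as assumptions in the comments.

```python
# Observable actions: ("inv_enq", op, d), ("ret_enq", op), ("lin_deq", d).
# lin(enq) is internal and never appears in a trace.

def absq0_closure(states):
    """Close a set of AbsQ0 states under the internal lin(enq) step.
    A state is (queue, enqueues invoked but not yet linearized, linearized but not yet returned)."""
    seen, todo = set(states), list(states)
    while todo:
        q, unlin, lin = todo.pop()
        for e in unlin:                                   # e = (op, value)
            nxt = (q + (e[1],), unlin - {e}, lin | {e})   # lin(enq, d): q' = q ∘ ⟨d⟩
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def absq0_run(trace):
    """All AbsQ0 states reachable after a C ∪ R ∪ lin(deq) trace.
    More than one state means AbsQ0 is not deterministic for that trace."""
    states = absq0_closure({((), frozenset(), frozenset())})
    for act in trace:
        nxt = set()
        for q, unlin, lin in states:
            if act[0] == "inv_enq":
                nxt.add((q, unlin | {(act[1], act[2])}, lin))
            elif act[0] == "ret_enq":                     # may return only once linearized
                nxt |= {(q, unlin, lin - {e}) for e in lin if e[0] == act[1]}
            elif act[0] == "lin_deq" and q and q[0] == act[1]:
                nxt.add((q[1:], unlin, lin))              # lin(deq, d): q = d ∘ s ⇒ q' = s
        states = absq0_closure(nxt)
    return states


class AbsQ:
    """Slide 11's AbsQ: enqueue nodes, each PENDING or COMPLETED, in a strict partial order."""

    def __init__(self):
        self.value, self.status, self.before = {}, {}, set()   # (x, y) in before means x ≺ y

    def minimal(self, e):
        return not any(y == e for (_, y) in self.before)

    def step(self, act):
        """Apply one observable action; return False if AbsQ cannot take it."""
        if act[0] == "inv_enq":
            op, d = act[1], act[2]
            # assumption (happens-before): the new node comes after every completed node
            self.before |= {(e, op) for e, st in self.status.items() if st == "COMPLETED"}
            self.value[op], self.status[op] = d, "PENDING"
        elif act[0] == "ret_enq":
            self.status[act[1]] = "COMPLETED"
        elif act[0] == "lin_deq":
            if act[1] == "EMPTY":          # assumption: EMPTY only while no enqueue has completed
                return all(st == "PENDING" for st in self.status.values())
            # a dequeue removes a minimal node carrying the value (a "dequeuable minimal node")
            cands = sorted(e for e in self.value if self.value[e] == act[1] and self.minimal(e))
            if not cands:
                return False
            e = cands[0]                   # values are distinct in the traces below
            del self.value[e]
            del self.status[e]
            self.before = {(x, y) for (x, y) in self.before if e not in (x, y)}
        return True

    def snapshot(self):
        return (tuple(sorted((e, self.value[e], self.status[e]) for e in self.value)),
                tuple(sorted(self.before)))


def absq_run(trace):
    """Run AbsQ on a trace; return its single resulting state, or None if an action is disabled."""
    st = AbsQ()
    for act in trace:
        if not st.step(act):
            return None
    return st.snapshot()


# Constructed traces: the two overlapping enqueues of slides 9-10, and the same two in sequence.
OVERLAP = [("inv_enq", "e1", 3), ("inv_enq", "e2", 5), ("ret_enq", "e1"), ("ret_enq", "e2")]
SEQUENTIAL = [("inv_enq", "e1", 3), ("ret_enq", "e1"), ("inv_enq", "e2", 5), ("ret_enq", "e2")]

if __name__ == "__main__":
    print({q for q, _, _ in absq0_run(OVERLAP)})    # {(3, 5), (5, 3)}: two AbsQ0 states
    print(absq_run(OVERLAP))                        # one AbsQ state: e1, e2 completed, unordered
    print(absq_run(OVERLAP + [("lin_deq", 5)]))     # e2 is minimal, so dequeuing 5 is enabled
    print(absq_run(SEQUENTIAL + [("lin_deq", 5)]))  # None: e1 ≺ e2, so 5 cannot be dequeued first
```

The two runs agree on which dequeues are enabled (dequeuing 5 first is allowed after the overlapping pair and refused after the sequential pair), which is the "same histories" claim; the difference is that AbsQ reaches one state from the observable trace while AbsQ0 reaches a set, which is what makes a forward simulation into AbsQ possible without prophecy.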

SLIDE 12

The Stack Case

• A natural conversion of AbsQ to AbsS exists: pops remove maximal elements instead of minimal elements.
• Similar observations on implementations: linearization points of pushes are not fixed. For complicated examples, linearization points of pops are not fixed either, but we can determine commit points (which fix the return value) of pops.
• AbsS0 is not deterministic in terms of C ∪ R or C ∪ R ∪ com(pop).
• We introduce a new AbsS that differs from the dual of AbsQ, produces executions equivalent to those of AbsS0, and is deterministic in terms of C ∪ R ∪ com(pop).
• We have shown its applicability by finding a forward simulation from the complicated Time-Stamped Stack[1] implementation to AbsS.

1. Dodds, Mike, Andreas Haas, and Christoph M. Kirsch. "A scalable, correct time-stamped stack." ACM SIGPLAN Notices. Vol. 50. No. 1. ACM, 2015.

SLIDE 13

Conclusions & Other Interests

• Future work: extending the idea to other data structures like sets.
• Future work: mechanizing the proofs in the Boogie/CIVL proof system developed by Microsoft Research and Koc University.
• Other interests:
  • Refinement proofs for weak memory models.
  • Particularly, extending the CIVL proof system to the TSO memory model.
  • New proof rules for TSO.
  • Extending the concept of linearizability to weak memory models (WMM).

SLIDE 14

Thank You

• Any questions?

SLIDE 15

How to Prove Linearizability

[Timeline figure, a build of slide 7: the operations inv(enq,3) … ret(enq), inv(enq,5) … ret(enq) and inv(deq) … ret(deq,3), with linearization points such as lin(enq,3) added step by step between each call and its return]

SLIDE 16

How to Prove Refinement - 1

• Refinement mappings: f : Q_C → Q_A
  • Initial: s ∈ Init(L_C) ⇒ f(s) ∈ Init(L_A)
  • Step: see the diagram
  • Complete if L_C is a forest and L_A is deterministic.[2]
  • History and/or prophecy variables may need to be added to find a refinement mapping.[1]

[Diagram, Concrete vs. Abstract: a concrete step s1 -a-> s2 is mapped by f to an abstract step t1 -a+-> t2 with t1 = f(s1) and t2 = f(s2)]

Let Σ ⊆ Σ_C, Σ_A be the refinement alphabet. If a ∈ Σ, then a+ ∈ (Σ_A ∖ Σ)* a (Σ_A ∖ Σ)*. If a ∉ Σ, then a+ ∈ (Σ_A ∖ Σ)*.

1. Abadi, M., & Lamport, L. (1991). The existence of refinement mappings. Theoretical Computer Science, 82(2), 253-284.
2. Lynch, N. A., & Vaandrager, F. W. (1995). Forward and backward simulations. Part I: Untimed systems. Information and Computation, 121(2), 214-233.

SLIDE 17

How to Prove Refinement - 2

• Forward simulation relations: fs ⊆ Q_C × Q_A
  • Initial: s ∈ Init(L_C) ⇒ fs(s) ∩ Init(L_A) ≠ ∅
  • Step: see the diagram
  • Complete if L_A is deterministic.[1]
  • Prophecy variables may need to be added to find a forward simulation relation.[1]

[Diagram, Concrete vs. Abstract: for a concrete step s1 -a-> s2 and every t1 with (s1, t1) ∈ fs there is an abstract step t1 -a+-> t2 with (s2, t2) ∈ fs; two such matching pairs, (t1^1, t2^1) and (t1^2, t2^2), are drawn]

1. Lynch, N. A., & Vaandrager, F. W. (1995). Forward and backward simulations. Part I: Untimed systems. Information and Computation, 121(2), 214-233.

SLIDE 18

How to Prove Refinement - 3

• Backward simulation relations: bs ⊆ Q_C × Q_A
  • Initial: s ∈ Init(L_C) ⇒ bs(s) ⊆ Init(L_A)
  • Step: see the diagram
  • Complete if L_C is a forest.[1]
  • History variables may need to be added to find a backward simulation relation.[1]

[Diagram, Concrete vs. Abstract: for a concrete step s1 -a-> s2 and every t2 with (s2, t2) ∈ bs there is an abstract step t1 -a+-> t2 with (s1, t1) ∈ bs; two such matching pairs, (t1^1, t2^1) and (t1^2, t2^2), are drawn]

1. Lynch, N. A., & Vaandrager, F. W. (1995). Forward and backward simulations. Part I: Untimed systems. Information and Computation, 121(2), 214-233.
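An added Python example (not the talk's code) that checks the initial and step obligations of a candidate forward simulation (slide 17) and backward simulation (slide 18) on finite LTSs, expanding a+ as defined on slide 16. The LTSs and relations are constructed; the totality requirement for backward simulations (every reachable concrete state must be related to some abstract state) is taken from the cited Lynch and Vaandrager definition and is not stated on the slides. The example also illustrates the completeness claims: the abstract LTS resolves a choice early, so no forward simulation from the concrete system exists while a backward one does, whereas in the opposite direction the deterministic target admits a forward simulation.

```python
class LTS:
    def __init__(self, init, trans):
        self.init = set(init)
        self.trans = list(trans)                 # (src, action, dst)

    def reach_hidden(self, states, sigma):
        """States reachable by actions outside Σ only, i.e. by some word in (Σ_A ∖ Σ)*."""
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for src, a, dst in self.trans:
                if src == s and a not in sigma and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return seen

    def match(self, u, a, sigma):
        """Targets u' of u ==a+==> u': (Σ_A ∖ Σ)* a (Σ_A ∖ Σ)* if a ∈ Σ, else (Σ_A ∖ Σ)*."""
        pre = self.reach_hidden({u}, sigma)
        if a not in sigma:
            return pre
        mid = {dst for src, b, dst in self.trans if src in pre and b == a}
        return self.reach_hidden(mid, sigma)


def related(rel, s):
    """rel(s): the abstract states a relation pairs with concrete state s."""
    return {u for (x, u) in rel if x == s}


def check_forward(lc, la, fs, sigma):
    """None if fs is a forward simulation from lc to la, else the first violated obligation."""
    for s in sorted(lc.init):
        if not related(fs, s) & la.init:          # Init(L_C) ⇒ fs(s) ∩ Init(L_A) ≠ ∅
            return ("init", s)
    for s, u in sorted(fs):
        for src, a, dst in lc.trans:
            if src == s and not any((dst, u2) in fs for u2 in la.match(u, a, sigma)):
                return ("step", s, a, dst, u)     # no abstract a+ step lands back in fs
    return None


def check_backward(lc, la, bs, sigma):
    """None if bs is a backward simulation from lc to la, else the first violated obligation.
    Checks the two slide conditions plus totality on reachable concrete states."""
    for s in sorted(lc.init):
        if not related(bs, s) <= la.init:         # Init(L_C) ⇒ bs(s) ⊆ Init(L_A)
            return ("init", s)
    for s in sorted(lc.reach_hidden(lc.init, set())):   # Σ = ∅ turns this into plain reachability
        if not related(bs, s):
            return ("total", s)
    for s2, u2 in sorted(bs):
        for src, a, dst in lc.trans:
            if dst == s2 and not any(u2 in la.match(u, a, sigma) for u in related(bs, src)):
                return ("step", src, a, s2, u2)   # no abstract a+ step into u2 from bs(src)
    return None


SIGMA = {"a", "b", "c"}
# Concrete LTS (constructed): deterministic; it chooses between b and c only after the a-step.
CONC = LTS({"c0"}, [("c0", "a", "c1"), ("c1", "b", "c2"), ("c1", "c", "c3")])
# Abstract LTS (constructed): makes the choice already at the a-step, and takes an internal
# step "tau" (not in Σ) before b.  Projected onto Σ both systems have the traces ab and ac.
ABS = LTS({"a0"}, [("a0", "a", "a1"), ("a0", "a", "a2"), ("a1", "tau", "a1t"),
                   ("a1t", "b", "a3"), ("a2", "c", "a4")])
# A forward simulation from CONC to ABS must commit c1 to a1 or a2; either choice fails.
FS_FAILS = {("c0", "a0"), ("c1", "a1"), ("c2", "a3"), ("c3", "a4")}
# A backward simulation may relate c1 to both a1 and a2 and resolve the choice later.
BS_WORKS = {("c0", "a0"), ("c1", "a1"), ("c1", "a2"), ("c2", "a3"), ("c3", "a4")}
# From ABS to the deterministic CONC a forward simulation exists (slide 17's completeness case).
FS_ABS_TO_CONC = {("a0", "c0"), ("a1", "c1"), ("a1t", "c1"), ("a2", "c1"), ("a3", "c2"), ("a4", "c3")}

if __name__ == "__main__":
    print(check_forward(CONC, ABS, FS_FAILS, SIGMA))        # ('step', 'c1', 'c', 'c3', 'a1')
    print(check_backward(CONC, ABS, BS_WORKS, SIGMA))       # None
    print(check_forward(ABS, CONC, FS_ABS_TO_CONC, SIGMA))  # None
```

The failing obligation names the concrete step (c1 -c-> c3) and the abstract state (a1) for which no a+ step exists, which is the information one needs to decide whether the relation is wrong or whether, as on slide 17, a prophecy variable is required to fix the choice earlier.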

SLIDE 19

New Abstract Queue AbsQ

[Figure-only slide]

SLIDE 20

Results on AbsQ

• AbsQ is a (C ∪ R ∪ lin(deq))-refinement of AbsQ0.
• AbsQ0 is a (C ∪ R ∪ lin(deq))-refinement of AbsQ.
• AbsQ is deterministic in terms of C ∪ R ∪ lin(deq).
• If L_C is a queue implementation for which the linearization or commit points of dequeue are known and fixed, we can find a forward simulation relation from L_C to AbsQ.
• Example: Herlihy-Wing queue[1]

1. Herlihy, Maurice P., and Jeannette M. Wing. "Linearizability: A correctness condition for concurrent objects." ACM Transactions on Programming Languages and Systems (TOPLAS) 12.3 (1990): 463-492.

SLIDE 21

What about Stacks?

SLIDE 22

AbsS Extensions

• Keep track of the pushes that can be removed by a pop:
  • Nodes that are pending or maximally closed when the pop started (initialize the be and ov sets)
  • Pushes that overlap with the pop (extend the ov set)
  • Nodes that become maximal while the pop was executing (update the be set)
• NOTE: the new AbsS keeps working for implementations with fixed pop linearization points.
• How it actually works: [figure]

SLIDE 23

Results on AbsS

• AbsS is a (C ∪ R)-refinement of AbsS0.
• AbsS0 is a (C ∪ R)-refinement of AbsS.
• AbsS is deterministic in terms of C ∪ R ∪ com(pop).
• If L_C is a stack implementation for which the linearization or commit points of pop are known and fixed, we can find a forward simulation relation from L_C to AbsS.
• Example: Time-Stamped Stack[1]

1. Dodds, Mike, Andreas Haas, and Christoph M. Kirsch. "A scalable, correct time-stamped stack." ACM SIGPLAN Notices. Vol. 50. No. 1. ACM, 2015.