Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi
Concurrent program logics Goal: Understand concurrent programs. Tool: Concurrent program logics: C oncurrent S eparation L ogic OG, RG, RGSep, LRG, DG, CAP, CaReSL. . . ∗ ∗ ∗ What about weak memory models ? ∗ ∗ ∗ Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 2/16
Relaxed memory models & data race freedom All sane memory models satisfy the DRF property: Theorem (DRF-property) If � Prg � SC contains no data races, then � Prg � Relaxed = � Prg � SC . Program logics that disallow data races are trivially sound. What about racy programs? Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 3/16
C11 operations Two types of locations: ordinary and atomic Races on ordinary accesses ❀ undefined Several kinds of atomic accesses: Sequentially consistent (reads & writes) Release (writes) Acquire (reads) Relaxed (reads & writes) A few more advanced constructs: Fences, consume reads, . . . (ignored here) Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 4/16
C11 executions Execution = set of events & a few relations: sb: sequenced before rf: reads-from map mo: memory order per location sc: seq.consistency order sw: synchronizes with (derived) rf sw W-release → R-acq = ⇒ W-release → R-acq def hb: happens before (derived, hb = ( sb ∪ sw ) + ) Axioms constraining the consistent executions. Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 5/16
� � � � � � � � Message passing example [ a ] na := 0 ; [ x ] rlx := 0 ; � � [ a ] na := 10 ; if ([ x ] acq = 1 ) [ x ] rel := 1 ; print [ a ] na ; W na ( a , 0 ) sb � W rlx ( x , 0 ) sb sb W na ( a , 10 ) R acq ( x , 1 ) rf , sw sb sb W rel ( x , 1 ) rf R na ( a , 10 ) sb sb Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 6/16
Separation logic recap def � ℓ �→ v � = { h | h ( ℓ ) = v } def � P 1 ∗ P 2 � = { h 1 ⊎ h 2 | h 1 ∈ � P 1 � ∧ h 2 ∈ � P 2 � } Proof rules: { ℓ �→ −} [ ℓ ] := v { ℓ �→ v } (WRI) { P } C { Q } (FRM) { P ∗ R } C { Q ∗ R } { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } (PAR) { P 1 ∗ P 2 } C 1 � C 2 { Q 1 ∗ Q 2 } Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 7/16
Read-acquire & write-release permissions (1/2) Introduce two assertion forms: rel acq P := . . . | ℓ ֒ → Q | ℓ ֒ → Q where Q ∈ Val → Assn. Initially (simplified rule): Q ( v ) = emp acq rel { emp } x := alloc atom ( v ) { x ֒ → Q ∗ x ֒ → Q} Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 8/16
Read-acquire & write-release permissions (2/2) Release writes: rel rel {Q ( v ) ∗ ℓ ֒ → Q} [ ℓ ] rel := v { ℓ ֒ → Q} Acquire reads: acq acq { ℓ ֒ → Q} x := [ ℓ ] acq {Q ( x ) ∗ ℓ ֒ → Q [ x := emp ] } def where Q [ x := P ] = λ y . if x = y then P else Q ( y ) . Splitting permissions: rel rel rel ℓ ֒ → Q ∗ ℓ ֒ → Q ⇐ ⇒ ℓ ֒ → Q acq acq acq ℓ ֒ → Q 1 ∗ ℓ ֒ → Q 2 ⇐ ⇒ ℓ ֒ → ( Q 1 ∗ Q 2 ) Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 9/16
Simple ownership transfer example Let Q := { ( 0 , emp ) , ( 1 , a ֒ → 2 ) } . � emp � a := alloc na ( 0 ); x := alloc atom ( 0 ); � � rel acq a ֒ → 0 ∗ x ֒ → Q ∗ x ֒ → Q � � acq ֒ → Q x repeat � � rel a ֒ → 0 ∗ x ֒ → Q r := [ x ] acq [ a ] na := 2 ; acq � � r = 0 ∗ x ֒ → Q ∨ � � rel r = 1 ∗ a ֒ → 2 a ֒ → 2 ∗ x ֒ → Q until ( r � = 0 ); [ x ] rel := 1 ; � r = 1 ∗ a ֒ � true � → 2 � r := [ a ] na � r = 2 ∗ a ֒ → 2 � � r = 2 ∗ a ֒ → 2 � Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 10/16
Relaxed atomics Basically, disallow ownership transfer. Relaxed reads: acq acq { ℓ ֒ → Q} x := [ ℓ ] rlx { ℓ ֒ → Q ∧ ( Q ( x ) � = false ) } Relaxed writes: Q ( v ) = emp rel rel { ℓ ֒ → Q} [ ℓ ] rlx := v { ℓ ֒ → Q} Unsound in C11 because of dependency cycles. Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 11/16
� � � � Dependency cycles let a = alloc atom ( 0 ) in let b = alloc atom ( 0 ) in � if 1 = [ a ] rlx then � � if 1 = [ b ] rlx then � [ b ] rlx := 1 [ a ] rlx := 1 A problematic consistent execution: [ Initialization actions not shown ] R rlx ( a , 1 ) R rlx ( b , 1 ) rf sb sb rf W rlx ( b , 1 ) W rlx ( a , 1 ) [Crude fix: Require hb ∪ rf to be acyclic. ] Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 12/16
Compare and swap (CAS) macq New assertion form, P := . . . | ℓ ֒ → Q . macq macq macq Duplicable, ℓ ֒ → Q ⇐ ⇒ ℓ ֒ → Q ∗ ℓ ֒ → Q . Proof rule for CAS: macq P ⇒ ℓ ֒ → Q ∗ true rel → Q ′ ∗ Q ′ ( v ′ ) ∗ R [ v / z ] P ∗ Q ( v ) ⇒ ℓ ֒ X ∈ { rel , rlx } ⇒ Q ( v ) = emp X ∈ { acq , rlx } ⇒ Q ′ ( v ′ ) = emp { P } z := [ ℓ ] Y { z � = v ⇒ R } { P } z := CAS X , Y ( ℓ, v , v ′ ) { R } Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 13/16
Mutual exclusion locks def Let Q J ( v ) = ( v = 0 ∧ emp ) ∨ ( v = 1 ∧ J ) macq rel def Lock ( x , J ) = x ֒ → Q J ∗ x ֒ → Q J def def lock ( x ) = new-lock () = � Lock ( x , J ) � � J � repeat res := alloc atom ( 1 ) � Lock ( x , J ) � � Lock ( res , J ) � y := CAS acq , rlx ( x , 1 , 0 ) def unlock ( x ) = � � � � y = 0 ∧ emp � J ∗ Lock ( x , J ) � Lock ( x , J ) ∗ ∨ y = 1 ∧ J [ x ] rel := 1 until y � = 0 � Lock ( x , J ) � � J ∗ Lock ( x , J ) � Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 14/16
Technical challenges Assertions in heaps = ⇒ Store syntactic assertions (modulo ∗ -ACI) No (global) notions of state and time = ⇒ Define a logical local notion of state = ⇒ Annotate hb edges with logical state No operational semantics = ⇒ Use the axiomatic semantics = ⇒ Induct over max hb-path distance from top Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 15/16
Possible extensions / future work Take more advanced program logics (rely-guarantee, RGSep, deny-guarantee, . . . ) and adapt them to C11 concurrency Handle the more advanced C11 constructs: consume atomics & fences Build a tool & verify real programs Viktor Vafeiadis, Chinmay Narayan Relaxed separation logic 16/16
Recommend
More recommend
