rely guarantee reasoning for asynchronous programs
play

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , - PowerPoint PPT Presentation

Jul 14, 2023 •145 likes •672 views

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore,

  1. Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore, India

  2. Asynchronous programming is widespread • Web apps : AJAX, jQuery, XMLHttpRequest • Smartphone apps : AsyncTask, dispatch_async • Server-side : node.js, java.nio • Systems : kqueue, epoll, Libevent • Other : async/await in Scala

  3. Common feature: Posting tasks for later execution A pending tasks

  4. Common feature: Posting tasks for later execution A pending tasks B C

  5. Common feature: Posting tasks for later execution A B C pending tasks

  6. Common feature: Posting tasks for later execution A B C Tasks may be executed when pending tasks • triggered by external events (mouse click, response ready, socket ready, …) • dispatched by a scheduler

  7. Drawback: Obscured control-flow A B C

  8. Drawback: Obscured control-flow A C B Multiple pending tasks may be executed in any order .

  9. Drawback: Obscured control-flow A C B precondition P B

  10. Drawback: Obscured control-flow A C B precondition P B postcondition Q A Q A ⇒ P B

  11. Drawback: Obscured control-flow A C B precondition P B postcondition Q A Q A ⇒ P B C might invalidate P B

  12. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B

  13. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B rely R B : “preserve P B ”

  14. Adapting rely/guarantee reasoning [Jones83] A C B precondition P B postcondition Q A Q A ⇒ P B rely R B : “preserve P B ” guarantee G C G C ⇒ R B

  15. Soundness of rely/guarantee reasoning Given a program with specification in terms of predicates P, Q, R, G, if the predicates satisfy “natural rely/guarantee • conditions” each task meets its rely/guarantee specification • then the program is correct.

  16. Rely/guarantee reasoning is modular Sufficient to verify each task in isolation , using a verifier for sequential software.

  17. Contributions We have: • Identified the “natural rely/guarantee conditions” • Proved soundness of rely/guarantee reasoning • Demonstrated the approach on two C programs that use Libevent (done using Frama-C)

  18. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  19. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  20. Modeling asynchronous tasks Extend an imperative language with asynchronous procedures , together with constructs: post f(v 1 , …, v k ) delete f(v 1 , …, v k ) Maintain a set of pending procedure instances . Execute instances atomically in a non-deterministic order .

  21. Example: ROT13 server async main() { int socket = prepare_socket(); post accept(socket); } async accept( int socket) { struct client *c = malloc(…); client_setup(c); c->fd = accept_connection(socket); post read(c); post accept(socket); } async read( struct client *c) { … } async write( struct client *c) { … }

  22. Example: ROT13 server async read( struct client *c) { async write( struct client *c) { if (…) { // c->fd is ready if (…) { // c->fd is ready receive_chunk(c); send_chunk(c); post write(c); if (more_to_send(c)) post read(c); post write(c); } } else { // connection is closed else { // connection is closed delete write(c); delete read(c); free(c); free(c); } } } }

  23. Example: ROT13 server //@ requires valid(c); //@ requires valid(c); async read( struct client *c) { async write( struct client *c) { if (…) { // c->fd is ready if (…) { // c->fd is ready receive_chunk(c); send_chunk(c); post write(c); if (more_to_send(c)) post read(c); post write(c); } } else { // connection is closed else { // connection is closed delete write(c); delete read(c); free(c); free(c); } } } }

  24. Introducing predicate posted f For each asynchronous procedure f(x 1 ,…,x k ) , we introduce a predicate posted f (x 1 , …, x k ) True iff f has been posted with arguments x 1 , …, x k during the execution of the current asynchronous procedure .

  25. Example: ROT13 server /*@ requires valid(c); /*@ requires valid(c); @ ensures ∀ c 1 ; @ ensures ∀ c 1 ; @ posted_read(c 1 ) ⇒ valid(c 1 ); @ posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures ∀ c 1 ; @*/ @ posted_write(c 1 ) ⇒ valid(c 1 ); async write( struct client *c) { if (…) { // c->fd is ready @*/ send_chunk(c); async read( struct client *c) { if (more_to_send(c)) if (…) { // c->fd is ready post write(c); receive_chunk(c); } post write(c); else { // connection is closed post read(c); delete read(c); } free(c); else { // connection is closed } delete write(c); } free(c); } }

  26. Preserving the precondition read(c) write(c) P write ( c ) ≡ valid( c ) P write ( c ) ≡ valid( c ) parent child

  27. Preserving the precondition read(c 1 ) write(c 1 ) read(c) accept(socket) write(c) P write ( c ) ≡ valid( c ) P write ( c ) ≡ valid( c ) parent concurrent siblings child

  28. Preserving the precondition read(c 1 ) write(c 1 ) read(c) accept(socket) write(c) G read ⇒ R write guarantee P write rely on P write G write ⇒ R write is preserved being preserved G accept ⇒ R write parent concurrent siblings child

  29. Introducing predicate pending f For each asynchronous procedure f(x 1 ,…,x k ) , we introduce a predicate pending f (x 1 , …, x k ) True iff f with arguments x 1 , …, x k is pending , i.e. is in the set of pending procedure instances.

  30. write ’s rely predicate R write R write ≡ ∀ c. (pending’ write (c) ∧ pending write (c) ∧ valid’(c)) ⇒ valid(c) (prime means at the beginning of execution)

  31. write ’s global invariant With write ’s parents ensuring: ∀ c. posted write (c) ⇒ valid(c) and write ’s concurrent siblings ensuring: ∀ c. (pending’ write (c) ∧ pending write (c) ∧ valid’(c)) ⇒ valid(c) rely/guarantee ensures a global invariant : ∀ c. pending write (c) ⇒ valid(c)

  32. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … }

  33. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) } R read @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) } R write @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … }

  34. Final specification of write /*@ requires Precondition: @ valid(c); @ ensures Parent_child_condition: @ ∀ c 1 ; posted_write(c 1 ) ⇒ valid(c 1 ); @ ensures Guarantee: @ ( ∀ c 1 ; (pending_read’(c 1 ) ∧ pending_read(c 1 ) } R read @ ∧ valid’(c 1 )) ⇒ valid(c 1 )) @ ∧ ( ∀ c 1 ; (pending_write’(c 1 ) ∧ pending_write(c 1 ) } R write @ ∧ valid’(c 1 )) ⇒ valid(c 1 )); @*/ async write( struct client *c) { … } write can now be verified in isolation using a standard verification tool (in our case Frama-C)

  35. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  36. Rely/guarantee decomposition For each asynchronous procedure f we require: • P f — precondition predicate • R f — rely predicate • G f — guarantee predicate • Q f — postcondition predicate First-order formulas; may include predicates posted g and pending g (in negative positions)

  37. Rely/guarantee conditions Given a rely/guarantee decomposition, for each asynchronous procedure f : (1) Q f ⇒ G f (2) Q g ⇒ (posted f ⇒ P f ), for each g ∈ parents( f ) (3) R f ⇒ ((pending’ f ∧ pending f ∧ P’ f ) ⇒ P f ) (4) G g ⇒ R f , for each g ∈ siblings( f )

  38. Soundness of rely/guarantee reasoning Theorem. Given an asynchronous program with a rely/guarantee decomposition, if • the decomposition satisfies the rely/guarantee conditions • each procedure meets its specification (P and Q) then the program is correct.

  39. Key lemma Lemma. For each asynchronous procedure f , at every schedule point we have pending f ⇒ P f

  40. The rest of the talk: Rely/guarantee… … by example … in theory … in practice

  41. Generic rely/guarantee predicates Given preconditions P f , the weakest predicates that satisfy the rely/guarantee conditions: • R f ≡ (pending’ f ∧ pending f ∧ P’ f ) ⇒ P f • G f ≡ ⋀ R g g ∈ siblings( f ) • Q f ≡ G f ∧ ⋀ posted g ⇒ P g g ∈ children( f )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction Basics of Rely-Guarantee Overview of the paper Two techniques for constructing Rely-Guarantee models Soundness results The traditional

272 views • 23 slides
Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL Leonor Prensa Nieto TU M unchen Marseille, 7 January 2002 Isabelle HOL = Overview Motivation. Hoare logic for

263 views • 23 slides
Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . ) Cliff B Jones Computing Science Newcastle University FMCO 2008-10-22 Cliff B Jones (Newcastle) Developing programs by Splitting atoms

603 views • 36 slides
Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon,

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon,

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 2 3 x:ref y:ref x := !x+1; m(y);

739 views • 26 slides
Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

ECOOP 2014 Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon University, Pittsburgh, USA 2 Universidade Nova de Lisboa, Lisboa, Portugal Motivation Mutable state can be useful in certain cases.

1.45k views • 109 slides
Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC Blake Reed, Counselor Thea Labrenz, Counselor Types of Guarantee Programs In the UC system they are refers to them as Transfer Admission

285 views • 14 slides
A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre

A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre

Introduction A Model for Contracts Use Case Conclusion Further work A Boolean algebra of contracts for assume-guarantee reasoning Yann Glouche with Jean-Pierre Talpin Paul Le Guernic Thierry Gautier 1 INRIA, Resarch Unit of

963 views • 69 slides
Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and debugging Largely based on material from University of Washington CSE 331 Good programs, broken programs? Goal: program works (does not fail) Need:

540 views • 32 slides
A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee & separation logic Viktor V afeiadis MPI - SWS Coarse - grain locking 2 3 5 7 11 13 Coarse - grain locking 2 3 5 7 11 13 Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13 Fine -

743 views • 57 slides
Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham

Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham

Diagrammatic Reasoning for Asynchronous Circuits Dan R. Ghica University of Birmingham Samson@60 Oxford, May 2013 How I met your Samson How I met your Samson why async? very high speed (+) very low power (+) high footprint (-)

617 views • 33 slides
Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11

Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11

INF4140 Asynchronous Communication II: Semantics, specification and reasoning INF 4140 Lecture 11 09.11.11, page 1. INF4140 Overview: Last time semantics: histories and trace sets specification: invariants over histories global

859 views • 37 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But

Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But

Good programs, broken programs? Goal: program works (does not fail) Reasoning about Programs Need: definition of works/correct : a specification (and bugs) But programs fail all the time. Why? A brief interlude on 1. Misuse of your code:

86 views • 8 slides
Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic

Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic

Reasoning about reasoning by nested conditioning: Modeling theory of mind with probabilistic programs November 8, 2019 Zikun Chen, Alex Chang Main Idea model the flexibility and inherent uncertainty of reasoning about agents with

417 views • 29 slides
Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones

Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones

Asynchronous Algorithms for Conic Programs, including Optimal, Infeasible, and Unbounded Ones Wotao Yin joint: Fei Feng, Robert Hannah, Yanli Liu, Ernest Ryu (UCLA, Math) DIMACS: Distributed Optimization, Information Processing, and Learning

844 views • 67 slides
Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content

Reasoning and Derivation of Monadic Programs Shin-Cheng Mu Tom Schrijvers Koen Pauwels Content Equational reasoning Reasoning with monads Goal of the paper Our contribution (a + b) * (a - b) [distr: forall x y z. x * (y + z) =

493 views • 25 slides
Laurent Gregoire http://www.vim.org/about.php It is a poor craftsman who blames his tools. CS

Laurent Gregoire http://www.vim.org/about.php It is a poor craftsman who blames his tools. CS

Laurent Gregoire http://www.vim.org/about.php It is a poor craftsman who blames his tools. CS 152: Programming Language Paradigms Editor Plugins Prof. Tom Austin San Jos State University Plugin architectures for different text editors /

374 views • 21 slides
Handout 1 Summary of this handout: Overview of historical cryptographic techniques Definition

Handout 1 Summary of this handout: Overview of historical cryptographic techniques Definition

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 24 September, 2012 Handout 1 Summary of this handout: Overview of historical cryptographic techniques Definition of some im-

318 views • 13 slides
Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special

Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special

10.4 Cryptography P. Danziger Cryptography Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded mes- sage be difficult to retrieve without some special piece of information, usually

499 views • 27 slides
Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya /

Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya /

Implementation and Evaluation of Moderate Parallelism in the BIND9 DNS Server JINMEI, Tatuya / Toshiba Paul Vixie / Internet Systems Consortium [Supported by SCOPE of the Ministry of Internal Affairs and Communications, Japan.] June 2006 |

600 views • 8 slides
LECTURE 7 FOR AND WHILE LOOPS MCS 260 Fall 2020 David Dumas / REMINDERS Quiz 3 available

LECTURE 7 FOR AND WHILE LOOPS MCS 260 Fall 2020 David Dumas / REMINDERS Quiz 3 available

LECTURE 7 FOR AND WHILE LOOPS MCS 260 Fall 2020 David Dumas / REMINDERS Quiz 3 available Projects 0 and 1 are out Project 1 autograder to be opened soon / COMPARING SEQUENCES We talked about comparison operators , , , . > >=

684 views • 22 slides
The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015

The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015

The M/o/Vfuscator Turning 'mov' into a soul-crushing RE nightmare { domas / REcon 2015 REMath (github.com/REMath) Stephen Dolan http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf It is well-known that the x86 instruction set is baroque,

1.93k views • 158 slides
Cryptography I David Basin Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg

Cryptography I David Basin Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg

Cryptography I David Basin Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg IT-Security: Theory and Practice (WS02) David Basin 1 Motivation then and now Three can keep a secret, if two of them are dead. Benjamin

566 views • 42 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Achieving security

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Radboud University Nijmegen e-Passport example

1.11k views • 12 slides

More recommend