Separation Logic for Weak Consistency PLMW’15 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 14 January 2015
Sequential consistency Sequential consistency (SC): ◮ The standard model for concurrency. ◮ Interleave each thread’s atomic accesses. ◮ Almost all verification work assumes it. Initially, X = Y = 0. X := 1; Y := 1; a := Y b := X In SC, this program cannot return a = b = 0. Viktor Vafeiadis Separation Logic for Weak Consistency 2/14
Store buffering in x86-TSO . . . cpu 1 cpu n write . . . read write-back Memory Initially, X = Y = 0. X := 1; Y := 1; a := Y b := X Allowed outcome: a = b = 0. Viktor Vafeiadis Separation Logic for Weak Consistency 3/14
Owicki-Gries (1976) Hoare logic, { P } C { Q } , + Rule for parallel composition: { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } the two proofs are “interference-free” { P 1 ∧ P 2 } C 1 � C 2 { Q 1 ∧ Q 2 } Viktor Vafeiadis Separation Logic for Weak Consistency 4/14
Owicki-Gries is unsound under weak memory { a � = 0 } X := 1 Y := 1 a := Y b := X Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 a := Y b := X Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } a := Y b := X { X � = 0 } Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } { Y � = 0 } a := Y b := X { X � = 0 } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } { Y � = 0 } a := Y b := X { X � = 0 } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } { a � = 0 ∨ b � = 0 } Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } { Y � = 0 } a := Y b := X { X � = 0 } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } { a � = 0 ∨ b � = 0 } Interference-freedom checks: Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } { Y � = 0 } a := Y b := X { X � = 0 } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } { a � = 0 ∨ b � = 0 } Interference-freedom checks: { Y � = 0 ∧ ( a � = 0 ∨ b = X ) ∧ a � = 0 } X := 1 { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
Owicki-Gries is unsound under weak memory { a � = 0 } { a � = 0 } { true } X := 1 Y := 1 { X � = 0 } { Y � = 0 } a := Y b := X { X � = 0 } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } { a � = 0 ∨ b � = 0 } Interference-freedom checks: { Y � = 0 ∧ ( a � = 0 ∨ b = X ) ∧ a � = 0 } X := 1 { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } { Y � = 0 ∧ ( a � = 0 ∨ b = X ) ∧ X � = 0 } a := Y { Y � = 0 ∧ ( a � = 0 ∨ b = X ) } Viktor Vafeiadis Separation Logic for Weak Consistency 5/14
IRIW: Not just store buffering Initially, X = Y = 0. a := X ; c := Y ; X := 1 Y := 1 b := Y d := X Allowed outcome: a = c = 1 and b = d = 0. X := 1 Y := 1 a := X c := Y b := Y d := X Viktor Vafeiadis Separation Logic for Weak Consistency 6/14
Some guarantees (1) Coherence: “SC for a single variable” Initially, X = 0. a := X ; c := X ; X := 1 X := 2 b := X d := X Forbidden outcome: a = 1 , b = 2 , c = 2 , d = 1. Viktor Vafeiadis Separation Logic for Weak Consistency 7/14
Some guarantees (2) Message passing (for release-acquire atomics): “Transitive visibility” Initially, X = Y = 0. X := 1; a := Y acq ; Y rel := 1 b := X Forbidden outcome: a = 1 , b = 0. Viktor Vafeiadis Separation Logic for Weak Consistency 8/14
A simple solution: data race freedom Theorem (DRF) If � Prg � SC contains no data races, then � Prg � Relaxed = � Prg � SC . ◮ We need techniques to rule out data races. ◮ What about racy programs? Viktor Vafeiadis Separation Logic for Weak Consistency 9/14
Separation logic (Reynolds, O’Hearn, Ishtiaq, Yang, 2001) A logic for describing data structures in the heap: h | = P Some SL assertions: h | = ℓ �→ v ⇐ ⇒ h ( ℓ ) = v h | = P ∧ Q ⇐ ⇒ ( h | = P ) ∧ ( h | = Q ) h | = P ∗ Q ⇐ ⇒ ∃ h 1 , h 2 . h = h 1 ⊎ h 2 ∧ ( h 1 | = P ) ∧ ( h 2 | = Q ) Viktor Vafeiadis Separation Logic for Weak Consistency 10/14
Separation logic Key concept of ownership : ◮ Resourceful reading of Hoare triples. { P } C { Q } ◮ To access a location, you must own it: { X �→ v } a := X { X �→ v ∧ a = v } { X �→ v } X := b { X �→ b } ◮ Disjoint parallelism: { P 1 } C 1 { Q 1 } { P 2 } C 2 { Q 2 } { P 1 ∗ P 2 } C 1 � C 2 { Q 1 ∗ Q 2 } Viktor Vafeiadis Separation Logic for Weak Consistency 11/14
Relaxed separation logic (OOPSLA’13, simplified) Ownership transfer by rel-acq synchronizations. ◮ Atomic allocation ❀ pick loc. invariant Q . {Q ( v ) } atomic _ int X := v { W Q ( X ) ∗ R Q ( X ) } ◮ Release write ❀ give away permissions. {Q ( b ) ∗ W Q ( X ) } X rel := b { true } ◮ Acquire read ❀ gain permissions. { R Q ( X ) } a := X acq {Q ( a ) } Viktor Vafeiadis Separation Logic for Weak Consistency 12/14
Message passing in RSL Let Q ( v ) def = v = 0 ∨ X �→ 1. { true } int X := 0; atomic_int Y := 0; { X �→ 0 ∗ W Q ( Y ) ∗ R Q ( Y ) } a := Y acq { X �→ 0 ∗ W Q ( Y ) } { a = 0 ∨ X �→ 1 } X := 1 if ( a � = 0) { X �→ 1 ∗ W Q ( Y ) } { X �→ 1 } Y rel := 1 b := X { true } { X �→ 1 ∧ b = 1 } { a = 0 ∨ b = 1 } Viktor Vafeiadis Separation Logic for Weak Consistency 13/14
Conclusion Weak consistency is a fascinating topic: ◮ Challenges basic reasoning principles. Significant progress has been made: ◮ Program logics: RSL, GPS, iCAP-TSO ◮ Robustness theorems ◮ Verification of compiler optimisations (See talk @ POPL’15) But many open problems remain. Viktor Vafeiadis Separation Logic for Weak Consistency 14/14
Recommend
More recommend
