Separation Logic for Weak Consistency
PLMW15
Viktor Vafeiadis
Max Planck Institute for Software Systems (MPI-SWS)
14 January 2015
Sequential consistency

Sequential consistency (SC):
◮ The standard model for concurrency.
◮ Interleave each thread's atomic accesses.
◮ Almost all verification work assumes it.

Initially, X = Y = 0.
    X := 1;   ∥   Y := 1;
    a := Y    ∥   b := X
In SC, this program cannot return a = b = 0.
Viktor Vafeiadis Separation Logic for Weak Consistency 2/14
Store buffering in x86-TSO

[Diagram: cpu 1 ... cpu n, each with its own store buffer in front of Memory; arrows labelled write, write-back and read]

Initially, X = Y = 0.
    X := 1;   ∥   Y := 1;
    a := Y    ∥   b := X
Allowed outcome: a = b = 0.
Owicki-Gries (1976)

Hoare logic, {P} C {Q}, plus a rule for parallel composition:

    {P1} C1 {Q1}    {P2} C2 {Q2}    the two proofs are "interference-free"
    -------------------------------------------------------------------
                    {P1 ∧ P2} C1 ∥ C2 {Q1 ∧ Q2}
Owicki-Gries is unsound under weak memory

{a ≠ 0}
    {a ≠ 0}            {true}
    X := 1             Y := 1
    {X ≠ 0}            {Y ≠ 0}
    a := Y             b := X
    {X ≠ 0}            {Y ≠ 0 ∧ (a ≠ 0 ∨ b = X)}
{a ≠ 0 ∨ b ≠ 0}

Interference-freedom checks:
    {Y ≠ 0 ∧ (a ≠ 0 ∨ b = X) ∧ a ≠ 0} X := 1 {Y ≠ 0 ∧ (a ≠ 0 ∨ b = X)}
    {Y ≠ 0 ∧ (a ≠ 0 ∨ b = X) ∧ X ≠ 0} a := Y {Y ≠ 0 ∧ (a ≠ 0 ∨ b = X)}
IRIW: Not just store buffering

Initially, X = Y = 0.
    X := 1   ∥   a := X;   ∥   c := Y;   ∥   Y := 1
                 b := Y        d := X
Allowed outcome: a = c = 1 and b = d = 0.
Some guarantees (1)

Coherence: "SC for a single variable"

Initially, X = 0.
    X := 1   ∥   X := 2   ∥   a := X;   ∥   c := X;
                              b := X        d := X
Forbidden outcome: a = 1, b = 2, c = 2, d = 1.
Some guarantees (2)

Message passing (for release-acquire atomics): "Transitive visibility"

Initially, X = Y = 0.
    X := 1;       ∥   a := Y_acq;
    Y_rel := 1    ∥   b := X
Forbidden outcome: a = 1, b = 0.
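The litmus tests from the store-buffering, IRIW and message-passing slides, run through a small explicit-state explorer of the x86-TSO store-buffer model. This is an added example, not code from the deck: it models plain stores under TSO rather than C11 release-acquire, and the instruction encoding and the names upd, outcomes and allows are this example's own.

```python
def upd(pairs, key, val):
    # Functional update of a sorted (key, value) tuple used as an immutable map.
    return tuple(sorted({**dict(pairs), key: val}.items()))

def outcomes(threads, tso):
    """Set of final register valuations (sorted tuples) reachable for `threads`.
    tso=False: every store hits memory at once (SC).  tso=True: each thread has
    a FIFO store buffer that drains to memory at any later step, and its loads
    read their own buffered stores first (x86-TSO store buffering)."""
    locs = {i[1] if i[0] == "store" else i[2] for p in threads for i in p}
    init = (tuple(0 for _ in threads), tuple(sorted((l, 0) for l in locs)),
            tuple(() for _ in threads), ())  # pcs, memory, store buffers, regs
    seen, stack, finals = {init}, [init], set()
    while stack:
        pcs, mem, bufs, regs = stack.pop()
        if all(pc == len(p) for pc, p in zip(pcs, threads)) and not any(bufs):
            finals.add(regs)
        succ = []
        for t, prog in enumerate(threads):
            if bufs[t]:  # drain thread t's oldest pending store to memory
                loc, val = bufs[t][0]
                succ.append((pcs, upd(mem, loc, val),
                             bufs[:t] + (bufs[t][1:],) + bufs[t + 1:], regs))
            if pcs[t] == len(prog):
                continue
            ins, npcs = prog[pcs[t]], pcs[:t] + (pcs[t] + 1,) + pcs[t + 1:]
            if ins[0] == "store" and tso:  # buffered: invisible to other threads
                nb = bufs[:t] + (bufs[t] + ((ins[1], ins[2]),),) + bufs[t + 1:]
                succ.append((npcs, mem, nb, regs))
            elif ins[0] == "store":
                succ.append((npcs, upd(mem, ins[1], ins[2]), bufs, regs))
            else:  # load: newest own buffered store to that location wins
                own = [v for l, v in reversed(bufs[t]) if l == ins[2]]
                val = own[0] if own else dict(mem)[ins[2]]
                succ.append((npcs, mem, bufs, upd(regs, ins[1], val)))
        for s in succ:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return finals

# The slides' litmus tests, encoded here as constructed data (not the deck's code).
SB = ([("store", "X", 1), ("load", "a", "Y")], [("store", "Y", 1), ("load", "b", "X")])
MP = ([("store", "X", 1), ("store", "Y", 1)], [("load", "a", "Y"), ("load", "b", "X")])
IRIW = ([("store", "X", 1)], [("load", "a", "X"), ("load", "b", "Y")],
        [("load", "c", "Y"), ("load", "d", "X")], [("store", "Y", 1)])

def allows(threads, tso, **regs):
    """True if the final register valuation `regs` is reachable under the model."""
    return tuple(sorted(regs.items())) in outcomes(threads, tso)
```

Under TSO the explorer finds a = b = 0 for store buffering, while the message-passing outcome a = 1, b = 0 stays unreachable because the FIFO buffer drains stores in program order; the IRIW outcome the slide allows needs a weaker model than TSO, so it is not found either.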
A simple solution: data race freedom

Theorem (DRF)
If Prg_SC contains no data races, then Prg_Relaxed = Prg_SC.

◮ We need techniques to rule out data races.
◮ What about racy programs?
Separation logic (Reynolds, O'Hearn, Ishtiaq, Yang, 2001)

A logic for describing data structures in the heap: h ⊨ P

Some SL assertions:
    h ⊨ ℓ ↦ v    ⟺  h(ℓ) = v
    h ⊨ P ∧ Q    ⟺  (h ⊨ P) ∧ (h ⊨ Q)
    h ⊨ P ∗ Q    ⟺  ∃h1, h2. h = h1 ⊎ h2 ∧ (h1 ⊨ P) ∧ (h2 ⊨ Q)
Separation logic

Key concept of ownership:
◮ Resourceful reading of Hoare triples, {P} C {Q}.
◮ To access a location, you must own it:
    {X ↦ v} a := X {X ↦ v ∧ a = v}
    {X ↦ v} X := b {X ↦ b}
◮ Disjoint parallelism:
    {P1} C1 {Q1}    {P2} C2 {Q2}
    ----------------------------
      {P1 ∗ P2} C1 ∥ C2 {Q1 ∗ Q2}
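The satisfaction relation from the separation-logic slide and the disjointness behind the ownership reading above, as an added example that is not part of the deck: heaps are Python dicts, assertions are nested tuples, and splits, sat and ownership_demo are names chosen here. It follows the slide's clause h ⊨ ℓ ↦ v ⟺ h(ℓ) = v literally, so a larger heap also satisfies ℓ ↦ v.

```python
from itertools import combinations

# Assertions as nested tuples (a constructed encoding, not the deck's notation):
#   ("pt", loc, v) is loc ↦ v,  ("and", P, Q) is P ∧ Q,  ("star", P, Q) is P ∗ Q

def splits(h):
    """Every way to write heap h (a dict) as h1 ⊎ h2, a disjoint union."""
    locs = sorted(h)
    for k in range(len(locs) + 1):
        for left in combinations(locs, k):
            yield ({l: h[l] for l in left}, {l: h[l] for l in locs if l not in left})

def sat(h, P):
    """h ⊨ P, following the three clauses on the slide."""
    if P[0] == "pt":                        # h ⊨ ℓ ↦ v  iff  h(ℓ) = v
        return P[1] in h and h[P[1]] == P[2]
    if P[0] == "and":                       # both conjuncts hold of the same heap
        return sat(h, P[1]) and sat(h, P[2])
    if P[0] == "star":                      # some disjoint split satisfies each part
        return any(sat(h1, P[1]) and sat(h2, P[2]) for h1, h2 in splits(h))
    raise ValueError(f"unknown assertion form {P[0]!r}")

def pt(loc, v): return ("pt", loc, v)
def star(P, Q): return ("star", P, Q)
def conj(P, Q): return ("and", P, Q)

def ownership_demo():
    """Why ∗ models ownership: one cell cannot be owned by two disjoint parts."""
    h = {"X": 1, "Y": 2}  # constructed sample heap
    return {
        "star_disjoint_cells": sat(h, star(pt("X", 1), pt("Y", 2))),  # True
        "and_same_cell": sat(h, conj(pt("X", 1), pt("X", 1))),        # True: ∧ shares h
        "star_same_cell": sat(h, star(pt("X", 1), pt("X", 1))),       # False: no split
    }
```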
Relaxed separation logic (OOPSLA'13, simplified)

Ownership transfer by rel-acq synchronizations.
◮ Atomic allocation ❀ pick a location invariant Q.
    {Q(v)} atomic_int X := v {W_Q(X) ∗ R_Q(X)}
◮ Release write ❀ give away permissions.
    {Q(b) ∗ W_Q(X)} X_rel := b {true}
◮ Acquire read ❀ gain permissions.
    {R_Q(X)} a := X_acq {Q(a)}
Message passing in RSL

Let Q(v) ≝ (v = 0 ∨ X ↦ 1).

{true}
int X := 0; atomic_int Y := 0;
{X ↦ 0 ∗ W_Q(Y) ∗ R_Q(Y)}
    {X ↦ 0 ∗ W_Q(Y)}        {R_Q(Y)}
    X := 1                  a := Y_acq
    {X ↦ 1 ∗ W_Q(Y)}        {a = 0 ∨ X ↦ 1}
    Y_rel := 1              if (a ≠ 0)
    {true}                      {X ↦ 1}
                                b := X
                                {X ↦ 1 ∧ b = 1}
{a = 0 ∨ b = 1}
Conclusion

Weak consistency is a fascinating topic:
◮ Challenges basic reasoning principles.

Significant progress has been made:
◮ Program logics: RSL, GPS, iCAP-TSO
◮ Robustness theorems
◮ Verification of compiler optimisations (see talk @ POPL'15)

But many open problems remain.