Starling: simpler concurrency proofs - Matt Windsor (1), Mike Dodds - PowerPoint PPT Presentation



SLIDE 1

Starling: simpler concurrency proofs

Matt Windsor (1), Mike Dodds (1), Matthew Parkinson (2)

(1) University of York    (2) Microsoft Research

SLIDE 2

Sturnus vulgaris (common starling)

SLIDE 3

SLIDE 4

Ticketed Lock

  global int ticket;  // The next ticket to hand out.
  global int serving; // The current ticket holding the lock.

  method lock() {
    <t = ticket++>;
    do {
      <s = serving>;
    } while (s != t);
  }

  method unlock() {
    <serving++>;
  }

SLIDE 5

Ticketed Lock

  method lock() {
    {| emp |}
    <t = ticket++>;
    do {
      <s = serving>;
    } while (s != t);
    {| holdLock() |}
  }

  method unlock() {
    {| holdLock() |}
    <serving++>;
    {| emp |}
  }

  constraint holdLock() * holdLock() => false;

SLIDE 6

  method lock() {
    {| emp |}
    <t = ticket++>;
    {| holdTick(t) |}
    do {
      {| holdTick(t) |}
      <s = serving>;
      {| if s==t then holdLock() else holdTick(t) |}
    } while (s != t);
    {| holdLock() |}
  }

  method unlock() {
    {| holdLock() |}
    <serving++>;
    {| emp |}
  }

  constraint holdLock()   * holdLock()   => false;

  constraint emp                         => ticket >= serving;
  constraint holdTick(t)                 => ticket > t;
  constraint holdLock()                  => ticket != serving;
  constraint holdLock()   * holdTick(t)  => serving != t;
  constraint holdTick(ta) * holdTick(tb) => ta != tb;

SLIDE 7

Demo

SLIDE 8

Views

  [Diagram: Hoare triples; context assertions; reification ("establish post; preserve context"); program semantics]

SLIDE 9

  method lock() {
    {| emp |}
    <t = ticket++>;
    {| holdTick(t) |}
    do {
      {| holdTick(t) |}
      <s = serving>;
      {| if s==t then holdLock() else holdTick(t) |}
    } while (s != t);
    {| holdLock() |}
  }

  method unlock() {
    {| holdLock() |}
    <serving++>;
    {| emp |}
  }

SLIDE 10

(Proof outline of lock() / unlock() as on slide 9.)

Views = { holdTick(1), holdTick(2), holdTick(1) * holdTick(2), ... }
      U { holdLock(), holdLock() * holdLock(), ... }
      U { holdLock() * holdTick(1), holdLock() * holdTick(2), ... }
      U { emp }

SLIDE 11

(Proof outline of lock() / unlock() as on slide 9.)

Axioms = { {| emp |} <t = ticket++> {| holdTick(t) |},
           {| holdLock() |} <serving++> {| emp |},
           {| holdTick(t) |} <s = serving> {| if s==t then holdLock() else holdTick(t) |},
           ... }

SLIDE 12

(Proof outline of lock() / unlock() as on slide 9.)

Reification =
  constraint holdLock()   * holdLock()   => false;

  constraint emp                         => ticket >= serving;
  constraint holdTick(t)                 => ticket > t;
  constraint holdLock()                  => ticket != serving;
  constraint holdLock()   * holdTick(t)  => serving != t;
  constraint holdTick(ta) * holdTick(tb) => ta != tb;

SLIDE 13

Checking proof outline

Infinite!!!

E.g. holdLock() * holdTick(1) * holdTick(2) * holdTick(3) * holdTick(4)
   * holdTick(5) * holdTick(6) * holdTick(7) * holdTick(8)
   * holdTick(9) * holdTick(10) * holdTick(11) * holdTick(12) * ...

SLIDE 14

Defining views

  constraint holdLock() * holdLock() => false;

Multiset subset

SLIDE 15

Defining views

View adjoint (multiset minus)  =>  finite

SLIDE 16

Example

Axiom:          {| emp |} <t = ticket++> {| holdTick(t) |}
Defining view:  holdLock()
Proof obligation:

  $\llbracket t = ticket{+}{+} \rrbracket \lfloor emp * (holdLock() \setminus_m holdTick(t)) \rfloor \subseteq D(holdLock())$

  $\llbracket t = ticket{+}{+} \rrbracket \lfloor emp * holdLock() \rfloor \subseteq D(holdLock())$

  $\llbracket t = ticket{+}{+} \rrbracket (ticket > serving) \subseteq (ticket \neq serving)$
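The obligation above, and the ticketed lock it is about (slide 4), can be checked by brute force over small integer states instead of by a solver. The following is an added example, not code from the slides or from the Starling tool: it encodes views as multisets of atoms, the six constraints of slide 6 as a reification function, the three axioms of slide 11 as state transformers, and then enumerates `[[c]] |_ p * (d \m q) _| subseteq |_ d _|` for every axiom and every defining view with parameters drawn from 0..3. The state model (`ticket`, `serving`, locals `t` and `s`), the domain bound, and the `drop` argument that switches a constraint off are assumptions made here so that one can see a constraint is not redundant: without `holdLock() * holdTick(t) => serving != t` a thread reading `serving == t` could take the lock while another already holds it.

```python
"""Brute-force check of the Starling proof obligations for the ticketed lock.

Added example, not from the slides or the Starling tool. For every axiom
{| p |} c {| q |} and every defining view d (left-hand side of a constraint),
check   [[c]] |_ p * (d \\m q) _|  subseteq  |_ d _|   over states in 0..3.
\\m is multiset minus (the view adjoint); |_ v _| is the reification of v:
the conjunction of every constraint whose left-hand side is a sub-multiset
of v. Starling hands these obligations to a solver; here they are enumerated.
"""
from collections import Counter
from itertools import product

LOCK = ("lock",)            # the atom holdLock()


def tick(n):
    """The atom holdTick(n)."""
    return ("tick", n)


def view(*atoms):
    """A view is a multiset of atoms; view() is emp."""
    return Counter(atoms)


def reify(v, st, drop=frozenset()):
    """|_ v _| evaluated in state st, using slide 6's constraints.

    `drop` names constraints to leave out (assumed here, to show they matter)."""
    ticket, serving = st["ticket"], st["serving"]
    locks = v[LOCK]
    ticks = [a[1] for a in v.elements() if a[0] == "tick"]
    ok = ticket >= serving                       # emp => ticket >= serving
    if locks >= 2 and "lock_lock" not in drop:
        ok = False                               # holdLock() * holdLock() => false
    ok = ok and all(ticket > t for t in ticks)   # holdTick(t) => ticket > t
    if locks >= 1:
        ok = ok and ticket != serving            # holdLock() => ticket != serving
        if "lock_tick" not in drop:              # holdLock() * holdTick(t) => serving != t
            ok = ok and all(serving != t for t in ticks)
    ok = ok and len(ticks) == len(set(ticks))    # holdTick(ta) * holdTick(tb) => ta != tb
    return ok


def take_ticket(st):        # <t = ticket++>
    return {**st, "t": st["ticket"], "ticket": st["ticket"] + 1}


def release(st):            # <serving++>
    return {**st, "serving": st["serving"] + 1}


def read_serving(st):       # <s = serving>
    return {**st, "s": st["serving"]}


# Axioms of slide 11: (name, precondition view, command, postcondition view).
# pre is evaluated in the pre-state, post in the post-state (it may use t and s).
AXIOMS = [
    ("{| emp |} <t = ticket++> {| holdTick(t) |}",
     lambda st: view(), take_ticket, lambda st: view(tick(st["t"]))),
    ("{| holdLock() |} <serving++> {| emp |}",
     lambda st: view(LOCK), release, lambda st: view()),
    ("{| holdTick(t) |} <s = serving> {| if s==t then holdLock() else holdTick(t) |}",
     lambda st: view(tick(st["t"])), read_serving,
     lambda st: view(LOCK) if st["s"] == st["t"] else view(tick(st["t"]))),
]


def defining_views(domain):
    """Left-hand sides of the constraints, parameters instantiated over domain."""
    yield view()
    yield view(LOCK)
    yield view(LOCK, LOCK)
    for a in domain:
        yield view(tick(a))
        yield view(LOCK, tick(a))
        for b in domain:
            yield view(tick(a), tick(b))


def check_axioms(domain=range(4), drop=frozenset()):
    """Return failing obligations as (axiom, defining view, (ticket, serving, t))."""
    failures = []
    for name, pre, cmd, post in AXIOMS:
        for d in defining_views(domain):
            for ticket, serving, t, s in product(domain, repeat=4):
                st = {"ticket": ticket, "serving": serving, "t": t, "s": s}
                st2 = cmd(st)
                frame = d - post(st2)        # d \m q: Counter '-' is multiset minus
                if reify(pre(st) + frame, st, drop) and not reify(d, st2, drop):
                    failures.append((name, tuple(sorted(d.elements())), (ticket, serving, t)))
    return failures


if __name__ == "__main__":
    print("all constraints:", len(check_axioms()), "failing obligations")
    bad = check_axioms(drop={"lock_tick"})
    print("without holdLock() * holdTick(t) => serving != t:", len(bad), "failing, e.g.", bad[0])
```

With all six constraints `check_axioms()` returns no failures; dropping `lock_tick` yields counterexamples such as axiom 3 against the defining view `holdLock() * holdLock()` at `ticket=1, serving=0, t=0`, i.e. the lock-holding view would no longer be preserved and mutual exclusion is not established.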

SLIDE 17

Making proofs simpler!

Horn clause!

SLIDE 18

Demo #2

SLIDE 19

Synergies

  • More powerful back-end solvers needed to verify heap programs.

  • Counter-example finding needed if Starling is to be used for a find/fix loop.

  • Starling approach useful as a back-end for other verification tools?

SLIDE 20

Open Development

Follow Starling on GitHub: http://github.com/septract/starling-tool/

SLIDE 21

Proof of approximation