Tackling Real-Life Relaxed Concurrency with FSL++ Marko Doko Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) ESOP 2017-04-26
Weak memory memory models weaker than sequential consistency (SC) gives us better performance Logics for weak memory iCAP-TSO, OGRA, GPS, RSL, FSL Current state of verification simplified algorithms & toy examples In this talk first verification of a non-simplified real-world algorithm 1
Atomic Reference Counter (ARC) part of the Rust standard library allows concurrent reads of a shared resource uses advanced weak memory primitives 2
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
How is ARC used? ♥❡✇✭ v ✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮ 3
♥❡✇✭✈✮④ ❝❧♦♥❡✭❛✮④ ❛ ❂ ❛❧❧♦❝✭✮❀ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✰✶✮❀ ❛✳❞❛t❛ ❂ ✈❀ ⑥ ❛✳❝♦✉♥t ❂ ✶❀ ❞r♦♣✭❛✮④ r❡t✉r♥ ❛❀ t ❂ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✲✶✮❀ ⑥ ✐❢✭t ❂❂ ✶✮④ r❡❛❞✭❛✮④ ❢r❡❡✭❛✮❀ r❡t✉r♥ ❛✳❞❛t❛❀ ⑥ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞ � � � � ARC ( a, v ) emp a ❂ ♥❡✇✭ v ✮ � � � � ARC ( a, v ) y ❂ r❡❛❞✭ a ✮ y = v ∧ ARC ( a, v ) � � � � ARC ( a, v ) ARC ( a, v ) ∗ ARC ( a, v ) ❝❧♦♥❡✭ a ✮ � � � � ARC ( a, v ) ❞r♦♣✭ a ✮ emp 4
� � � � ARC ( a, v ) emp a ❂ ♥❡✇✭ v ✮ � � � � ARC ( a, v ) y ❂ r❡❛❞✭ a ✮ y = v ∧ ARC ( a, v ) � � � � ARC ( a, v ) ARC ( a, v ) ∗ ARC ( a, v ) ❝❧♦♥❡✭ a ✮ � � � � ARC ( a, v ) ❞r♦♣✭ a ✮ emp ♥❡✇✭✈✮④ ❝❧♦♥❡✭❛✮④ ❛ ❂ ❛❧❧♦❝✭✮❀ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✰✶✮❀ ❛✳❞❛t❛ ❂ ✈❀ ⑥ ❛✳❝♦✉♥t ❂ ✶❀ ❞r♦♣✭❛✮④ r❡t✉r♥ ❛❀ t ❂ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✲✶✮❀ ⑥ ✐❢✭t ❂❂ ✶✮④ r❡❛❞✭❛✮④ ❢r❡❡✭❛✮❀ r❡t✉r♥ ❛✳❞❛t❛❀ ⑥ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞ 4
� � � � ARC ( a, v ) emp a ❂ ♥❡✇✭ v ✮ � � � � ARC ( a, v ) y ❂ r❡❛❞✭ a ✮ y = v ∧ ARC ( a, v ) � � � � ARC ( a, v ) ARC ( a, v ) ∗ ARC ( a, v ) ❝❧♦♥❡✭ a ✮ � � � � ARC ( a, v ) ❞r♦♣✭ a ✮ emp ♥❡✇✭✈✮④ ❝❧♦♥❡✭❛✮④ ❛ ❂ ❛❧❧♦❝✭✮❀ ❋❆❉❉ rlx ✭❛✳❝♦✉♥t✱ ✰✶✮❀ ❛✳❞❛t❛ ❂ ✈❀ ⑥ ❛✳❝♦✉♥t rlx ❂ ✶❀ ❞r♦♣✭❛✮④ r❡t✉r♥ ❛❀ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ⑥ ✐❢✭t ❂❂ ✶✮④ r❡❛❞✭❛✮④ ❢❡♥❝❡ acq ❀ r❡t✉r♥ ❛✳❞❛t❛❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞ 4
FSL (Fenced Separation Logic) [VMCAI ’16] ✓ supports rel , acq , and rlx accesses ✓ supports memory fences Too weak to verify ARC ✗ concurrent plain (non-atomic) reads SOLUTION : partial permissions ✗ ❢❡t❝❤❴❛♥❞❴❛❞❞ instructions SOLUTION : new rules ✗ not expressive enough SOLUTION : ghost state 5
❋❆❉❉ ❋❆❉❉ � � � � ❋❆❉❉ acq _ rel ( x, t ) 6
❋❆❉❉ ❋❆❉❉ � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) 6
❋❆❉❉ ❋❆❉❉ � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) Q : Val → Assn is invariant for x : x has value c ⇒ the invariant owns Q ( c ) 6
❋❆❉❉ ❋❆❉❉ ∀ c. Q ( c ) ⇒ R ∀ c. P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R Q : Val → Assn is invariant for x : x has value c ⇒ the invariant owns Q ( c ) Updating the value of x from c to c + t : (1) get Q ( c ) out of the invariant (2) put Q ( c + t ) back into the invariant 6
❋❆❉❉ ❋❆❉❉ ∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R Q : Val → Assn is invariant for x : x has value c ⇒ the invariant owns Q ( c ) Updating the value of x from c to c + t : (1) get Q ( c ) out of the invariant (2) put Q ( c + t ) back into the invariant 6
❋❆❉❉ ∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R � � � � ❋❆❉❉ rel ( x, t ) ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
❋❆❉❉ ∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ P ❋❆❉❉ rel ( x, t ) ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
❋❆❉❉ ∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ P ❋❆❉❉ rel ( x, t ) � ▽ P � � � ❢❡♥❝❡ acq P ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ P ❋❆❉❉ rel ( x, t ) � � � � ❋❆❉❉ rlx ( x, t ) ❞r♦♣✭❛✮④ ❝❧♦♥❡✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ❋❆❉❉ rlx ✭❛✳❝♦✉♥t✱ ✰✶✮❀ ✐❢✭t ❂❂ ✶✮④ ⑥ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ P ❋❆❉❉ rel ( x, t ) U ( x, Q ) ∗ ▽ R � � � � ❋❆❉❉ rlx ( x, t ) � ▽ P � � � ❢❡♥❝❡ acq P ❞r♦♣✭❛✮④ ❝❧♦♥❡✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ❋❆❉❉ rlx ✭❛✳❝♦✉♥t✱ ✰✶✮❀ ✐❢✭t ❂❂ ✶✮④ ⑥ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � � � � U ( x, Q ) ∗ P ❋❆❉❉ acq _ rel ( x, t ) U ( x, Q ) ∗ R U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ P ❋❆❉❉ rel ( x, t ) U ( x, Q ) ∗ ▽ R � � � � U ( x, Q ) ∗ △ P ❋❆❉❉ rlx ( x, t ) � ▽ P � � � � � � � P ❢❡♥❝❡ rel △ P ❢❡♥❝❡ acq P ❞r♦♣✭❛✮④ ❝❧♦♥❡✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ❋❆❉❉ rlx ✭❛✳❝♦✉♥t✱ ✰✶✮❀ ✐❢✭t ❂❂ ✶✮④ ⑥ ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ 6
∀ c. Q ( c ) ⇒ R ∗ T ∀ c. T ∗ P ⇒ Q ( c + t ) � U ( x, Q ) ∗ P � � U ( x, Q ) ∗ ▽ R � ❋❆❉❉ rel ( x, t ) U ( x, Q ) ∗ ▽ R � U ( x, Q ) ∗ △ P � � � ❋❆❉❉ rlx ( x, t ) What is ARC ( a, v ) ? Which invariant to choose for the counter a. ❝♦✉♥t ? { ARC ( a, v ) } { ARC ( a, v ) } ❞r♦♣✭❛✮④ ❝❧♦♥❡✭❛✮④ t ❂ ❋❆❉❉ rel ✭❛✳❝♦✉♥t✱ ✲✶✮❀ ❋❆❉❉ rlx ✭❛✳❝♦✉♥t✱ ✰✶✮❀ ✐❢✭t ❂❂ ✶✮④ ⑥ { ARC ( a, v ) ∗ ARC ( a, v ) } ❢❡♥❝❡ acq ❀ ❢r❡❡✭❛✮❀ ⑥⑥ { emp } 7
Recommend
More recommend
