Embed Size (px)
DESCRIPTION
Concurrent Separation Logic. How to prove the correctness of concurrent programs. One philosophy (due to Tony Hoare): Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines. - PowerPoint PPT Presentation
Citation preview
Concurrent Separation Logic
How to prove the correctness of concurrent programs
One philosophy (due to Tony Hoare):
Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines.
Most of the time each process uses its own private data. In the rare cases that they need to communicate, access the shared data exclusively in critical regions.
await (B) do C with r when B do C
Mutex or locks (which we will use here)
The language
x := e | [e] := e' | x := [e] | cons(e)
| dispose(e) | C; C | C || C | …
A new construct:
l.acq() | l.rel()
Operational Semantics
(l.acq(), (s, h, L)) (skip, (s, h, L{l 0}) )
Program state: (s, h, L)
where L locks {0, 1}
L(l) = 1
(l.rel(), (s, h, L)) (skip, (s, h, L{l 1}) )
How to control interference?
• Basic idea:– Each thread has private memory (resource)
• The private resource can be arbitrarily used• Private resources of different threads are disjoint
– Shared resources are protected by locks• Shared resources are disjoint with local resources• Can only be used when the lock is acquired (i.e. in
critical regions)• Different locks protect different resources
Basic Memory Model
Private PrivateShared (accessible only in critical regions)
Basic Memory Model
Basic Memory Model
Basic Memory Model
Basic Memory Model
When the resource is acquired/released, it must be well-formed. The well-formedness is resource invariant.
Concurrent Separation Logic (CSL)
Lock-based critical regions (CR): l.acq();…………
l.rel()
Invariants about memory protected by locks:
= {l1 r1, …, ln rn}
r1 rn
. . .
l1 ln
CSL – Formalization
Key ideas:
Threads can only access disjoint resources at the same time.
p q p q
┝ {p2} C2 {q2} ┝ {p1} C1 {q1}
┝ {p1 p2} C1 || C2 {q1 q2}
CSL – Parallel Composition
p q p q
┝ {p2} C2 {q2} ┝ {p1} C1 {q1}
┝ {p1 p2} C1 || C2 {q1 q2}
I() p1 p2 I() q1 q2
r1 rn
. . .
l1 ln
We’ll define I() later.
CSL - Locks
┝ {p} l.acq() {p (l)}
Lock acquire:
Note: do not support reentrant locks
┝ {p (l)} l.rel() {p}
Lock release:
Compare the rules with cons and dispose
ExamplesPut (x):
l.acq();
while( full ){
l.rel();
l.acq();
}
c := x;
full := true;
l.rel();
Get (y):
l.acq();
while( !full ){
l.rel();
l.acq();
}
y := c;
full := false;
l.rel();
(l) = full c _, _ full emp
ExamplesPut (x):
l.acq();
while( full ){
l.rel();
l.acq();
}
(l) = full c _, _ full emp
c := x;
full := true;
l.rel();
{x _, _ }
{x _, _ (l) }
{x _, _ (l) }
{x _, _ }
{x _, _ (l) full }
{x _, _ (l) full }
{x _, _ }
{c _, _ }
{full c _, _ }
{(l) }
{emp }
Examplesget (y):
l.acq();
while( !full ){
l.rel();
l.acq();
}
(l) = full c _, _ full emp
y := c;
full := false;
l.rel();
{emp}
{ (l) }
{(l) }
{ emp }
{(l) full }
{ (l) full }
{c _, _ }
{y _, _ }
{y _, _ (full emp) }
{y _, _ (l)}
{y _, _ }
Examples
x := cons(a, b);
put(x);
get(y);
use(y);
dispose(y);
{x _, _ } put (x) {emp } {emp} get (y) {y _, _ }
{emp emp}
{emp}
{emp} {emp}
{x _, _ }
{emp }
{y _, _ }
{y _, _ }
{emp}{emp emp}
Examples (2)alloc (x, a, b):
l.acq();
if( f == null ){
l.rel();
x := cons (a, b);} else {
x := f;
f := [x+1];
l.rel();
[x] := a;
[x+1] := b;
}
free (y):
l.acq();
[y+1] := f;
f := y;
l.rel();
(l) = list(f)
Examples (2)
Implementation of P/V (locks)
Requirement on Resource Invariant
┝ {p2} C2 {q2} ┝ {p1} C1 {q1}
┝ {p1 p2} C1 || C2 {q1 q2}
r1 rn
. . .
l1 ln
Resource invariants need to be precise, i.e.
l dom(). precise( (l) )
Requirement on Resource Invariant
┝ {true} skip {true}
one 10 _ (l) = true
┝ {(emp one) true} skip {emp true}
┝ {(emp one)} l.acq; skip; l.rel(); {emp}C l.acq; skip; l.rel();
┝ {(emp one)} C {emp}
┝ {emp} C {emp}
┝ {emp one} C {emp one}
┝ {one} C {one}
┝ {(emp one)} C {emp}
┝ {one} C {emp}
Requirement on Resource Invariant
┝ {one} C {one} ┝ {one} C {emp}
┝ {one} C {one emp}
┝ {one} C {false}
(l) = true
The problem: (l) is not precise.Recall that p r q r (p q ) r does not hold unless r is precise.
Soundness
r1 rn
. . .
l1 lnI(, L, l) = L(l) = 0 emp L(l) = 0 (l)
I(, L) = ldom() . I(, L, l)
We define Safek(, (s, h, L), C, q) inductively.
Soundness
Safe0(, (s, h, L), C, q) always holds
Safek+1(, (s, h, L), C, q) holds if there exist hs and hp such that
(1) h = hs |+| hp; (2) (s, hs) |= I(, L)
(3) for all s’, hs’, L’, and h’, if (s’, hs’) |= I(, L’), and h = hs’ |+| hp, then Safek(, (s’, h’, L’), C, q)
(4) if C = skip, then (s, hp) |= q true
(5) for all s’, h’, L’, if (C, (s, h, L)) (C’, (s’, h’, L’)), then
Safek(, (s’, h’, L’), C’, q)
Soundness
r1 rn
. . .
l1 lnI(, L, l) = L(l) = 0 emp L(l) = 0 (l)
I(, L) = ldom() . I(, L, l)
We define Safek(, (s, h, L), C, q) inductively.
Safe(, (s, h, L), C, q) iff k. Safek(, (s, h, L), C, q)
[ { p } C { q }┝ ]
s, h, L. if (s, h) |= I(, L) p true, then Safe(, (s, h, L), C, q)
Reading
Peter W. O'Hearn: Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375(1-3): 271-307 (2007)
Peter W. O'Hearn: Resources, Concurrency and Local Reasoning. CONCUR 2004: 49-67
Viktor Vafeiadis. Concurrent separation logic and operational semantics. In MFPS 2011. ENTCS 276, pp. 335-351. Elsevier (Sep. 2011)
![On the Complexity of Pointer Arithmetic in Separation Logic · Keywords: Separation logic, pointer arithmetic, complexity. 1 Introduction Separation logic (SL) [23] is a well-known](https://img.dokumen.tips/doc/110x75/6067262c7a0a4d42040aae9b/on-the-complexity-of-pointer-arithmetic-in-separation-keywords-separation-logic.jpg)
