Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
CMSC 630 February 11, 2015 1'
&
$
%
Owicki-Gries Logic
Sources
• K. Apt and E.-R. Olderog. Verification of Sequential and Concurrent Programs (Second
Edition). Springer-Verlag, Berlin, 1997.
• A. Bernstein and P. Lewis. Concurency in Programming and Database Systems. Jones and
Bartlett, Boston, 1993.
• S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. Acta Informatica
6(4): 319–340, December 1976.
• F. Schneider. On Concurrent Programming. Springer-Verlag, New York, 1997.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 2'
&
$
%
Concurrency
The Hoare Logic we have studied so far only considers sequential programs. How does
concurrency affect the framework?
To study this question we will:
• add a construct to the programming language for spawning threads, and
• study the impact this has on the proof rules for Hoare triples.
The new logic is often called Owicki-Gries Logic, after the researchers who developed the idea.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 3'
&
$
%
The cobegin Statement
... introduces concurrency into GC. It has following form.
cobegin S1 ‖ S2 ‖ . . . ‖ Sn coend
• Each Si can have a label, Li (prepended to the statement using double colons ::).
• Control is concurrently enabled at each of the Si’s; after all have terminated, the construct is
exited and a single thread of control re-established.
• Shared memory!
• We will call the extended language PGC (Parallel GC).
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 4'
&
$
%
Owicki-Gries Logic Verification Framework: Sys
Adding cobegin... coend to the programming notation alters Sys, so we must reopen the
issue of program semantics.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 5'
&
$
%
Subtleties in the Semantics of cobegin
In sequential programming the following are equivalent.
y:= x;
x:= y+1
x,y:= x+1, x
S1 S2
(Here “equivalent” means [[S1]] = [[S2]].) But what happens if they are substituted for S in
cobegin S ‖ y := y+1 coend ?
Moral In concurrent programming, issues of atomicity and nondeterminism must be factored into
semantics.
⇒ Existing semantics of programming language must be changed!
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 6'
&
$
%
An SOS Semantics for PGC
Fix S to be the set of PGC statements (possibly containing occurrences of cobegin).
The new semantics will be given in an SOS transition (“ small-step”) style, as a relation
−→⊆ (S× Σ)× (Σ ∪ (S× Σ)).
Intuition −→ captures a notion of “atomic execution step”:
• 〈S, σ〉 −→ 〈S′, σ′〉 if in state σ, S can engage in one execution step and then behave like
S′, with the state changing from σ to σ′.
• 〈S, σ〉 −→ σ′ if S can terminate in one step, with the state changing to σ′.
How do we define −→? Using inference rules, just as we did for the evaluation semantics of PC.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 7'
&
$
%
Rules for −→
〈skip, σ〉 −→ σ
k1 = [[e1]]AE(σ) . . . kn = [[en]]AE(σ)
〈v1, . . . , vn := e1, . . . en, σ〉 −→ σ[v1 7→ k1, . . . , vn 7→ kn]
〈S1, σ〉 −→ σ′
〈S1;S2, σ〉 −→ 〈S2, σ′〉
〈S1, σ〉 −→ 〈S′1, σ
′〉
〈S1;S2, σ〉 −→ 〈S′1;S2, σ
′〉
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 8'
&
$
%
Rules for −→ (cont.)
σ |=BE Gi
〈if G1 → S1 · · · Gn → Sn fi, σ〉 −→ 〈Si, σ〉
σ 6|=BE G1 . . . σ 6|=BE Gn
〈do G1 → S1 · · · Gn → Sn od, σ〉 −→ σ
σ |=BE Gi
〈do G1 → S1 · · · Gn → Sn od, σ〉 −→ 〈Si; do G1 → S1 · · · Gn → Sn od, σ〉
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 9'
&
$
%
Rules for −→ (cont.)
〈S, σ〉 −→ σ′
〈cobegin S coend, σ〉 −→ σ′
n ≥ 2 〈Si, σ〉 −→ σ′
〈cobegin S1 ‖ · · · ‖ Si−1 ‖ Si ‖ Si+1 ‖ · · · ‖ Sn coend, σ〉 −→
〈cobegin S1 ‖ · · · ‖ Si−1 ‖ Si+1 ‖ · · · ‖ Sn coend, σ′〉
〈Si, σ〉 −→ 〈S′i, σ
′〉
〈cobegin S1 ‖ · · · ‖ Si−1 ‖ Si ‖ Si+1 ‖ · · · ‖ Sn coend, σ〉 −→
〈cobegin S1 ‖ · · · ‖ Si−1 ‖ S′i ‖ Si+1 ‖ · · · ‖ Sn coend, σ′〉
Note This semantics models concurrency as interleaving of atomic execution steps in the
individual threads.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 10'
&
$
%
Owicki-Gries Logic: Spec and sat
The set Spec of specifications will remain unchanged: precondition/postcondition pairs. What
about sat ⊆ Sys × Spec?
Definition Program S satisfies specification 〈P,Q〉 if for every σ, σ′ ∈ Σ such that σ |= P
and 〈S, σ〉 −→∗ σ′, σ′ |= Q.
Aside (Transitive and Reflexive Closure) What is −→∗?
• Let R ⊆ T × U be a binary relation, with T ⊆ U .• Then R∗ ⊆ T × U , the reflexive and transitive closure of R, defined as follows.
– t R∗ t for all t ∈ T .
– If t R t′ and t′ R∗ u, then t R∗ u.
Idea: t R∗ u holds if t can reach u via a “sequence” of R steps: t ≡ t1 R · · · R tn ≡ u.
Aside (Full Abstraction) What is the relationship between =⇒ and −→? Suppose S is a GC
program (i.e. no cobegin). Then for any σ, σ′ ∈ Σ:
〈S, σ〉 =⇒ σ′ iff 〈S, σ〉 −→∗ σ′
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 11'
&
$
%
Proving Hoare Triples for Concurrent Programs
Because of full abstraction, all the old Hoare Logic inference rules remain valid!
We need to add a rule for cobegin . . .coend. The following is due to Owicki and Gries.
{P1} S1 {Q1} · · · {Pn} Sn {Qn} interference freedom
{P1 ∧ · · · ∧ Pn} cobegin S1 ‖ · · · ‖ Sn coend {Q1 ∧ · · · ∧Qn}(cobegin)
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 12'
&
$
%
Interference Freedom
... a property of the proofs of the {Pi} Si {Qi}
• Suppose we have a proof for {Pi} Si {Qi}.
• Interference-freedom requires proving that the execution of statement in another Sj does not
invalidate the reasoning used in the proof of {Pi} Si {Qi}.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 13'
&
$
%
Interference Example
{tt}
x:=0;
{x = 0}
cobegin
{x = 0} {x+ 1 = 1}
x:=x+1
{x = 1}
‖ {x = 0} {x+ 1 = 1}
x:=x+1
{x = 1}
coend
{x = 1}
• The conclusion x = 1 is bogus!
• But the individual reasoning of each parallel statement is fine!
Executing one assignment to x invalidates all the state predicates (x = 0, x+ 1 = 1) preceding
the other! This phenomenon is called interference; correct proofs must avoid it.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 14'
&
$
%
Formalizing Interference-Freedom
... turns out to be somewhat tricky.
• Interference-freedom is a property of proofs, not Hoare triples.
• Identifying which parts of a proof need to be considered requires some effort.
To cope with these issues, we will do the following.
• Define the notion of normalized proof outline, which is like a proof outline but with only one
predicate before every statement and one predicate at end.
• Define interference-freedom using normalized proof outlines.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 15'
&
$
%
Normalized Proof Outlines
... like proof outlines, but with exactly one state predicate before each statement and at end.
Example
{tt}
x:=0;
{x = 0}
cobegin
{x = 0} {x+ 1 = 1}
x:=x+1
{x = 1}
‖ {x = 0} {x+ 1 = 1}
x:=x+1
{x = 1}
coend
{x = 1}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 16'
&
$
%
Facts about Normalized Proof Outlines
Definition Let NS be a normalized proof outline for statement S.
1. If S′ is a statement in S, then let pre(NS , S′) and post(NS , S
′) be the state predicates
immediately preceding and following S′, respectively. Write pre(NS) for pre(NS , S) and
post(NS) for post(NS , S).
2. NS is valid if for every statement S′ in S, the Hoare triple {pre(NS , S′)} S′ {post(NS , S
′)}
is valid.
Fact
1. Let S be a cobegin-free program. Then {P} S {Q} is valid if and only if there is a valid
normalized proof outline NS for S with pre(NS) = P and post(NS) = Q.
2. Every valid normalized proof outline may be converted into a (full) proof outline.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 17'
&
$
%
Interference-Freedom and Normalized Proof Outlines
Recall the (cobegin) rule:
{P1} S1 {Q1} · · · {Pn} Sn {Qn} interference freedom
{P1 ∧ · · · ∧ Pn} cobegin S1 ‖ · · · ‖ Sn coend {Q1 ∧ · · · ∧Qn}(cobegin)
• Suppose each Si has a normalized proof outline NSi.
• NSiis interference-free with respect to proof outline NSj
(i 6= j) if for each statement S′
i in Si and S′
j
in Sj :
{pre(NSi, S′
i) ∧ pre(NSj, S′
j)} S′
j {pre(NSi, S′
i)}
{post(NSi, S′
i) ∧ pre(NSj, S′
j)} S′
j {post(NSi, S′
i)}
The NS1, . . . , NSn are interference free if they are pairwise interference free with respect to one other.
• So applying the (cobegin) rule requires the development of interference-free normalized proof
outlines for the Si!
• In proving interference-freedom of NSiwith respect to NSj
, can limit our attention to:
– Preconditions of each statement in Si, and postcodition of NSi
– Assignment statements in Sj
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 18'
&
$
%
Example Revisited
{tt}
x:=0;
{x = 0}
cobegin
{x = 0}
x:=x+1
{x = 1}
‖ {x = 0}
x:=x+1
{x = 1}
coend
{x = 1}
Interference-freedom is violated because the following Hoare triple is not valid:
{x = 0 ∧ x = 0} x := x+ 1 {x = 0}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 19'
&
$
%
Another Example
We want to prove:
{bal = B ∧ amt > 0}
S
{bal = B + amt ∧ amt > 0 ∧ (credit = 1 ⇒ bal > 1000)}
where S is given below.
cobegin
Samt :: bal := bal + amt
‖ Scred :: if
bal > 1000 → credit := 1
bal ≤ 1000 → credit := 0
fi
coend
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 20'
&
$
%
Proof of Example
We do the proof as follows.
1. Give valid normalized proof outline for
{bal = B ∧ amt > 0} Samt {bal = B + amt ∧ amt > 0}
2. Give valid normalized proof outline for
{tt} Scred {credit = 1 ⇒ bal > 1000}
3. Use cobegin rule to infer desired result.
�
�
�
�Outline for Samt
{bal = B ∧ amt > 0}
bal := bal + amt
{bal = B + amt ∧ amt > 0}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 21'
&
$
%
Outline for Scred
{tt}
if
bal > 1000 →
{bal > 1000}
credit := 1
{credit = 1 ⇒ bal > 1000}
bal ≤ 1000 →
{tt}
credit := 0
{credit = 1 ⇒ bal > 1000}
fi
{credit = 1 ⇒ bal > 1000}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 22'
&
$
%
Applying cobegin
To apply (cobegin) we need to prove non-interference. For convenience, define the following.
D1 = (bal = B) ∧ (amt > 0)
D2 = (bal = B + amt) ∧ (amt > 0)
C1 = tt
C2 = bal > 1000
C3 = credit = 1 ⇒ bal > 1000
D1, D2 are state predicates in outline for Samt; C1, C2, C3 are those for Scred.
To prove non-interference we must establish, for all 1 ≤ i ≤ 2 and 1 ≤ j ≤ 3:
1. {Cj ∧D1} bal := bal+ amt {Cj}
2. {Di ∧ C2} credit := 1 {Di}
3. {Di ∧ C1} credit := 0 {Di}
7 proof obligations!
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 23'
&
$
%
Applying cobegin (cont.)
Most are vacuously true, however.
• Triples of types (2) and (3) hold because no Di mentions variable credit.
• Assertion C1 is true in all states and hence cannot be invalidated.
Consequently, to complete the proof of non-interference we must prove:
• {C2 ∧D1} bal := bal+ amt {C2}
• {C3 ∧D1} bal := bal+ amt {C3}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 24'
&
$
%
Proving Interference-Freedom: {C2 ∧D1} bal := bal+ amt {C2}
{(bal > 1000) ∧ (bal = B) ∧ (amt > 0)}
{bal > 1000 ∧ amt > 0}
{bal+ amt > 1000}
bal := bal + amt
{bal > 1000}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 25'
&
$
%
Proving Interference-Freedom: {C3 ∧D1} bal := bal+ amt {C3}
{(credit = 1 ⇒ bal > 1000) ∧ (bal = B) ∧ (amt > 0)}
{credit = 1 ⇒ bal+ amt > 1000}
bal := bal + amt
{credit = 1 ⇒ bal > 1000}
QED!
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 26'
&
$
%
Notes on Proof
• If Samt had been a withdrawal transaction, the assignment statement would have been
bal := bal - amt
and the last step of the non-interference proof would not have gone through.
• Postcondition does not say that credit denial implies a balance of 1000 or less, so a program
that never grants credit would satisfy the given specification! I.e. we could change Scred to
credit := 0
and still conduct a proof of the same Hoare triple.
• We would like for a postcondition of the form
(credit = 1 ⇒ bal > 1000) ∧ (credit = 0 ⇒ bal ≤ 1000)
But this would lead to a violation of interference freedom. Why?
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 27'
&
$
%
Soundness and Completeness
Theorem (Soundness) If {P} S {Q} is provable using the proof rules seen so far then S
satisfies specification 〈P,Q〉.
What about completeness?
• Completeness does not hold.
• Neither does relative completeness!
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 28'
&
$
%
Incompleteness
Theorem The following valid Hoare triple cannot be proved using the rules given so far.
{tt}
cobegin x := x+2 ‖ x := 0 coend
{x = 0 ∨ x = 2}
Proof By contradiction. Suppose there were such a proof. Then there would be Q, R such that
{tt} x := x+ 2 {Q}
{tt} x := 0 {R}
Q ∧R ⇒ x = 0 ∨ x = 2
By (:=), tt ⇒ Qx
x+2holds, and hence Q does also. Similarly, Rx
0 holds. By (cobegin),
{R ∧ tt} x := x+ 2 {R} holds, meaning R ⇒ Rx
x+2is valid. But then by induction,
∀x. (x ≥ 0 ∧ even(x)) ⇒ R is true. Since Q ∧R ⇒ x = 0 ∨ x = 2, it now follow that
∀x. (x ≥ 0 ∧ even(x)) ⇒ (x = 0 ∨ x = 2), which is a contradiction: there are positive even
integers other than 0 or 2.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 29'
&
$
%
???
We have just showed that for every interference-free proof outline of form:
{tt}
cobegin
{tt} x:=x+2 {Q}
‖ {tt} x:=0 {R}
coend
{Q ∧R}
R must hold for all even, positive x.
• R must hold after execution of x:=0.
• R must also hold both before and after execution of x:=x+2.
What is needed is the capability in R to say that until x:=x+2 fires, x = 0 holds. This can be
done using auxiliary variables.
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 30'
&
$
%
Auxiliary Variables
... variables that are put into a program just to reason about progess in other processes.
done := 0;
cobegin
x, done := x+2, 1
‖ x := 0
coend
• done is auxiliary : it is only assigned to, and not read
• It is 0 when increment to x is pending and 1 when it is completed.
• Proof is now possible!
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 31'
&
$
%
Normalized Proof Outline Using Auxiliary Variables
{tt}
done := 0;
{done = 0}
cobegin
{done = 0}
x, done := x+2, 1
{tt}
‖
{tt}
x := 0
{(x = 0 ∨ x = 2) ∧ (done = 0 ⇒ x = 0)}
coend
{x = 0 ∨ x = 2}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 32'
&
$
%
Non-interference Proofs
• {done = 0 ∧ tt} x := 0 {done = 0}
• {tt ∧ tt} x := 0 {tt}
• {tt ∧ done = 0} x, done := x+ 2, 1 {tt}
• {(x = 0 ∨ x = 2) ∧ (done = 0 ⇒ x = 0) ∧ done = 0}
{x = 0}
{x+ 2 = 2 ∧ 1 = 1}
x, done := x+2, 1
{x = 2 ∧ done = 1}
{(x = 0 ∨ x = 2) ∧ (done = 0 ⇒ x = 0)}
c©2015 Rance Cleaveland. All rights reserved.
CMSC 630 February 11, 2015 33'
&
$
%
Ugh
... adding auxiliary variables enables proofs to be conducted
... but we don’t want these variables to be in our code!
Fortunately, auxiliary variables can be removed.
{P} S {Q} x not free in Q x auxiliary in S
{P} S′ {Q}(aux)
where S′ is S with all references to x deleted.
Using (aux), references to done can be removed!
Theorem (Relative Completeness) Adding rules (cobegin) and (aux) to the other Hoare
rules yields a relatively complete proof system for the cobegin language.
c©2015 Rance Cleaveland. All rights reserved.