An Axiomatic Proof Technique for Parallel Programs

transcript

Susan Owicki & David Gries

Presented by Omer KatzSeminar in Distributed Algorithms Spring 2013

29/04/13

What’s next?• What are we trying to do?• The sequential solution• The parallel solution– Interference freedom– Auxiliary variables– Examples

• Cooperation with other synchronization tools• If given enough time– Deadlocks– Termination

The problem

• We want to prove correctness of parallel programs

• Most existing methods rely on informal arguments– Not accurate enough

• We would like to formally prove correctness and other properties– Preferably statically

Hoare (1969)

• Hoare presented a simple deductive system• Used to describe variable and program states

during execution.• Used for proving properties of sequential

programs.

– Originally meant to be verified by compilers

Partial correctness VS.total correctness

• We only deal with partial correctness– The program is correct only if it terminates

• Total correctness will be dealt with later– Termination– Deadlocks & Blocking

Notation and Declarations

• P, Q = assertions• S = statement

– If P was true prior to execution of S, then Q is true after execution.

• – If a is true than b is also true.

• Null statements:

• Assignments: • is formed by replacing every appearance of in with .

if then and we get

• Alternation:

• Iteration:

• Composition:

• Consequence:

Sequential Example

• We want to prove • Assume we already know:

Sequential Example

𝑖𝑓 𝑒𝑡 h𝑒𝑛

𝑒𝑙𝑠𝑒

𝑏𝑒𝑔𝑖𝑛

Proof Outline

• The previous proofcan be written as:

Extension for parallel programs

• We need to introduce new statements:

• Statements will be executed in parallel.• statement finishes only after all statements have

finished.

• may not contain any or statements.– can be used to make any action indivisible

Extension for parallel programs

• We need to introduce new statements:

• Used by Gries to prove correctness of Dijkstra’s on-the-fly garbage collector

Assumptions

• We do not assume anything regarding processing speed

• We require that all assignments be executed and all expression be evaluated as an indivisible action– Not necessary if every expression in the program may

refer to at most one shared variable and at most once• Only required indivisible action is memory access• All following examples will adhere to this convention• (similarly for assignments)

Interference

• Let’s examine two programs:

• If we try to run them in parallel:

• We cannot guarantee the post-condition.

Interference

• Given a proof for a program and a statement with precondition , does not interfere with if:

• Execution of won’t change the outcome– such that is not within an statement, • Execution of will not prevent execution of the rest of

Interference

• are interference free if:– is an statement or an statement (not in an )– does not interfere with

• Redefine as:

Proving a parallel program

• When proving correctness of a program we will start by proving each thread sequentially.

• We will then show that each thread does not interfere with another thread’s prove– Interfere = invalidate the prove

• We will prove the following program:

• We will do so by loosening the assertions

• All that is left is to show interference freedom• We need to verify:

Auxiliary Variables

• Consider the following program:

• Can we prove ?

Auxiliary Variables {x=0}

Not the required result

The processes are not interference free

Auxiliary Variables

• Now consider the following proof outline?

• Can we prove that this is correct?

• If this proof outline is correct we can prove invalid statements

– in this case we will get

Auxiliary Variables

• A variable that is only in assignments is an Auxiliary Variable

• Let AV be the set of Auxiliary Variables in the program

• If is obtained from by deleting all the assignment to variables in AV then

Auxiliary Variables• Consider the following program:

• This program has the same behavior as with the auxiliary variables

Auxiliary Variables

Another Example - Descriptrion

• A parallel program for finding the 1st item in an array which is greater than 0.

Another Example – Proof Outline 1

Another Example – Proof Outline 2

Another Example - Proof

• To prove the correctness of the program we need to:– Separately check each thread (evensearch &

oddsearch) sequentially– Verify interference freedom between the threads

• We will show that oddsearch does not interfere with evensearch– (the complementary argument is similar)

• No need to check all possible statements in oddsearch • Enough the check only assignments of oddsearch that

change a shared variable– The only suitable statement is

• No need to check all possible statements in evensearch• Enough the check only assertions of evensearch

affected by the change of a shared variable– The only suitable assertion is

• Need to show that:

• is part of – Therefore

• We conclude that the assertion holds!

Synchronization Mechanism

• The deductive system presented is flexible enough to handle other existing parallel programming tools– Semaphores– Mutual exclusion

• The tools can be converted to assertions and verified

• Semaphores– Obtain a semaphore:

– Release a semaphore:

• Mutual Exclusion– We introduce another statement to the system:

– is the resource on which we want mutual exclusion ( and same as in the staement)

– The assertion (invariant of , if exists) is appended to the assertions of

Conclusion

• a strong versatile deductive system for parallel program verification– Few assumptions on the system and/or program

• The main ideas:– Start by verifying the sequential case and than check that

parallel execution doesn’t invalidate the proof– Sometimes we might need to loosen our assertions to be able

to prove them– In some cases we might need to add auxiliary variables to a

program in order to verify it

References• An Axiomatic Proof Technique for Parallel Programs

– Susan Owicky & David Gries, 1976• Verifying Properties of Parallel Programs: An axiomatic Approach

– Susan Owicky & David Gries, 1976• An Axiomatic Basis for Computer Programming

– C. A. R. Hoare, 1969• An Exercise in Proving Parallel Programs Correct

– David Gries, 1977• Verification of Sequential and Concurrent Programs

– Krzysztof R. Apt, Frank S. de Boer, Ernst-Rudiger Oldberog3rd edition, 2010

Questions?

An Axiomatic Proof Technique for Parallel Programs

Documents