Programming Language Semantics Axiomatic Semantics of Parallel Programs - PowerPoint PPT Presentation
Title:
Programming Language Semantics Axiomatic Semantics of Parallel Programs
Description:
Programming Language Semantics. Axiomatic Semantics of. Parallel Programs ... Unsoundness from sharing {true} X := 1 { X 0 } {true} X:=2 ; X := X 2 {X 3} ... – PowerPoint PPT presentation
Number of Views:210
Avg rating:3.0/5.0
Title: Programming Language Semantics Axiomatic Semantics of Parallel Programs
1
Programming Language SemanticsAxiomatic
Semantics of Parallel Programs
2
Tentative Schedule
- 15/6 Parallel Programs
- 22/6 Rely/Guarantee Reasoning
- Assignment 2
- 29/6 Separation Logic
- 6, 3/7 Type Inference
- Assignment 3
3
Plan
- More on Hoare Proof Rules
- Proof Rules for Concurrent Programs
4
Hoare Proof Rules for Partial Correctness
A skip A
Ba/X Xa B (Assignment Rule)
P c0 C C c1 Q P c0c1Q
(Composition Rule)
P?b c0 Q P ??b c1 Q P if b then c0 else
c1Q
(Conditional Rule)
(Loop Rule)
I?b c I I while b do cI??b
?P ? P P c Q ? Q ? Q P c Q
(Consequence Rule)
5
Potential Language Extensions
- Blocks
- Procedures
- Procedures as parameters
- Abstract data types
- Non-determinism
- Parallelism
- Arrays, Pointers, and Dynamic allocations
6
More Rules
7
Underlying Principles of Hoare Rules
- Commands are predicate transformers
- Different behaviors for different preconditions
- Commands can be partial
- Resource restriction
- Implementation restriction
- In P comm Q
- P and Q are contracts with the clients of comm
8
An Axiomatic Proof Technique for Parallel Programs
- Owicky Gries
Verification of Sequential and Concurrent
Programs Apt Oldrog Chapters 4-6
9
IMP Parallel Constructs
- Abstract syntaxcom X a skip com1
com2 if b then com1 else com2
while b do com cobegin com1
com2 comk coend - All the interleavings of are executed
- Example
- cobegin X 1 (X 2 X X2) coend
10
A First Attempt
P1 c1 Q1 P2 c2 Q2.. Pk ck Qk P1 ?P2
? Pk cobegin c1 c2 cn coend Q1 ?Q2
? ? Qk
(Parallel Rule)
11
Simple Examples
true X 1 X gt0 true Y 1
Ygt0 true cobegin X 1 Y 1 coendXgt0 ?Y
gt0
true X 1 X gt0 true X2 X X2
Xgt0 true cobegin X 1 X2 X X2
coendXgt0
12
Unsoundness
Y1 X 0 Y1 true Y0 true Y1
cobegin X 0 Y0 coend Y1
13
Modified Parallel Rule
P1 c1 Q1 P2 c2 Q2.. Pk ck Qk P1 ?P2
? Pk cobegin c1 c2 ck coend Q1 ?Q2
? ? Qk
Mod(cj)?Var(Pi) ? Mod(cj)?Var(Qi) ? i?j
14
Unsoundness from sharing
true X 1 X gt0 true X2 X X2
Xgt3 true cobegin X 1 X2 X X2
coend Xgt3
15
Handling Shared Variables
- Carefully design the proofs of every thread to
make them local - Show that the code of other threads do not
interfere with the proofs of other threads
16
Interference
- A command T with a precondition pre(T) does not
interfere with the proof of P C Q if - Q ? pre(T) T Q
- For any command C inside C with a precondition
pre(C) - pre(C) ? pre(T) T pre(C)
- P1 c1 Q1 P2 c2 Q2.. Pk ck Qk are
interference free if for every i ?j and for every
assignment in T in ci does not interfere with
Pj cj Qj
17
Modified Parallel Rule
P1 c1 Q1 P2 c2 Q2.. Pk ck Qk P1 ?P2
? Pk cobegin c1 c2 ck coend Q1 ?Q2
? ? Qk
P1 c1 Q1 P2 c2 Q2.. Pk ck Qk are
interference free
18
No unsoundness from sharing
true X 1 X gt0 true X2 X X2
Xgt3 true cobegin X 1 X2 X X2
coend Xgt3
19
A Realistic Example
ESeventop??M1 ? even(i) ? ?l (even(l) ?
0ltllti) ?x(l)?0 ? eventop??M ?x(eventop)gt0
Findpos begin initialize i 2 j 1
eventop M1 oddtop M1 search
cobegin Evensearch while i lt
min(oddtop, eventop) do
if (x(i) gt 0) then eventop i
else i i 2
Oddsearch while j lt min(oddtop, eventop) do
if (x(j) gt 0)
then oddtop j
else j j 2
coend k min(eventop, oddtop) end k
?M1 ?(?l 1 ?l ltk ? x(l) ?0) ? (k ?M ?x(k)gt0)
OSoddtop??M1 ? odd(j) ? ?l (odd(l) ? 0ltlltj)
?x(l)?0 ? oddtop??M ?x(oddtop)gt0
20
Incompleteness
- There exist correct programs which cannot be
verified by the parallelization rule - X Y cobegin X X 1 Y Y1 coend
XY
21
An Informal Proof of X Y cobegin X X 1
Y Y1 coend XY
X Z X X 1 X Z 1
Y Z Y Y 1 Y Z 1
X Z ? Y Z cobegin X X 1 Y Y1
coend XZ1 ? Y Z1
X Z ? Y Z cobegin X X 1 Y Y1
coend XY
X Y Z X X Y ? Y Z
X Y Z X cobegin X X 1 Y
Y1 coend XY
X Y cobegin X X 1 Y Y1 coend
XY
22
Auxiliary Variables
- Record history information
- A set of variables AV is auxiliary for a command
S if each variable from AV only occurs in
assignments of the form X t where X ? AV - Auxiliary variable elimination rule
P S Q P S Q Where A is auxiliary for
SFV(Q) ?A ? FV(P) ?A ? S results from S by
deleting all assignments in to variables in S
23
A Formal Proof of X Y cobegin X X 1
Y Y1 coend XY
X Z X X 1 X Z 1
(Assign-Rule)
(Assign-Rule)
Y Z Y Y 1 Y Z 1
X Z ? Y Z cobegin X X 1 Y Y1
coend XZ1 ? Y Z1
(Par-Rule)
X Z ? Y Z cobegin X X 1 Y Y1
coend XY
(Cons.-Rule)
(Assign-Rule)
X Y Z X X Y ? Y Z
X Y Z X cobegin X X 1 Y
Y1 coend XY
(Comp.-Rule)
X Y cobegin X X 1 Y Y1 coend
XY
(Aux.-Rule)
24
Synchronization Primitives
- Support for atomic sections and communication
- A High Level Constructawait B then S
- No parallelization in S
- Blocked until B holds
- If B is true then S is executed atomically
- Examples
- await true then S
- Await some condition then skip
- Semaphore
- P(sem) await sem gt0 then sem sem 1
- V(sem) await true then sem sem 1
25
Interference (modified)
- A command T with a precondition pre(T) does not
interfere with the proof of P C Q if - Q ? pre(T) T Q
- For any command C inside C but not within await
with a precondition pre(C) - pre(C) ? pre(T) T pre(C)
- P1 c1 Q1 P2 c2 Q2.. Pk ck Qk are
interference free if for every i ?j and for every
assignment not inside await or an await T in ci
does not interfere with Pj cj Qj
26
An Inference Rule for Await
P ?b c Q P await B then c Q
27
Producer-Consumer
- Two processes communicating via a shared bounded
buffer - Consumer waits for the buffer to be filled
- Producer waits for the buffer to be non-full and
fills the buffer - buffer0..N-1
- in the number of elements added
- out the number of elements deleted
- bufferout mod N, buffer(out in out -1)
mod N elements
28
Producer/Consumer Code
in 0 out 0 cobegin producer
await in-out lt N then skip
add buffer(in mod N) next
value markin in in 1
consumer
await in-out gt0 then skip
remove this value buffer(out mod N)
markout out out 1
coend
29
in 0 out 0 i 1 j 1 M ?0
cobegin producer while i ?M do begin
x Ai await in-out ltN then skip
add bufferin mod N x
markin in in 1 i i 1
end consumer while j ?M do begin
await in-out gt0 then skip remove y
bufferout mod N markout out
out 1 Bj y j j
1 end coend ?k 1 ?k ?M ? Bk Ak
I ?k out lt k ?M ? buffer(k-1 mod N Ak
? 0 ?in-out ?N ? 0 ?i ?M1 ? 0 ?j ?M1
30
I ?i in11? jout11 cobegin I ? i
in11 producer while i ?M do begin
x Ai await in-out ltN then skip
add bufferin mod N x
markin in in 1 i i 1
end I ? i in1M1 I ? j out11
consumer while j ?M do begin await
in-out gt0 then skip remove y
bufferout mod N markout out
out 1 Bj y j j
1 end I ? ?k 1 ?k ?M ? Bk
Ak coend ?k 1 ?k ?M ? Bk Ak
I ?k out lt k ?M ? buffer(k-1 mod N Ak
? 0 ?in-out ?N ? 0 ?i ?M1 ? 0 ?j ?M1
31
Summary
- Reasoning about concurrent programs is difficult
- Aweeki-Gries suggest to carefully design the
sequential proofs to simplify the proof procedure - The use of auxiliary variables can make proofs
difficult - Can have difficulties with fine-grained
concurrency - Benign dataraces
- Rely/Guarantee style can allow more
elegant/general reasoning (next lesson)
Recommended
CrystalGraphics Presentations
