an axiomatic proof technique for parallel programs
DESCRIPTION
An Axiomatic Proof Technique for Parallel Programs. Susan Owicki & David Gries Presented by Omer Katz Seminar in Distributed Algorithms Spring 2013 29/04/13. What’s next?. What are we trying to do? The sequential solution The parallel solution Interference freedom Auxiliary variables - PowerPoint PPT PresentationTRANSCRIPT
An Axiomatic Proof Technique for Parallel Programs
Susan Owicki & David Gries
Presented by Omer KatzSeminar in Distributed Algorithms Spring 2013
29/04/13
What’s next?• What are we trying to do?• The sequential solution• The parallel solution– Interference freedom– Auxiliary variables– Examples
• Cooperation with other synchronization tools• If given enough time– Deadlocks– Termination
The problem
• We want to prove correctness of parallel programs
• Most existing methods rely on informal arguments– Not accurate enough
• We would like to formally prove correctness and other properties– Preferably statically
Hoare (1969)
• Hoare presented a simple deductive system• Used to describe variable and program states
during execution.• Used for proving properties of sequential
programs.
– Originally meant to be verified by compilers
Partial correctness VS.total correctness
• We only deal with partial correctness– The program is correct only if it terminates
• Total correctness will be dealt with later– Termination– Deadlocks & Blocking
Notation and Declarations
• P, Q = assertions• S = statement
– If P was true prior to execution of S, then Q is true after execution.
• – If a is true than b is also true.
Notation and Declarations
• Null statements:
Notation and Declarations
• Assignments: • is formed by replacing every appearance of in with .
if then and we get
Notation and Declarations
• Alternation:
Notation and Declarations
• Iteration:
Notation and Declarations
• Composition:
Notation and Declarations
• Consequence:
Sequential Example
• We want to prove • Assume we already know:
Sequential Example
𝑖𝑓 𝑒𝑡 h𝑒𝑛
𝑒𝑙𝑠𝑒
𝑏𝑒𝑔𝑖𝑛
Proof Outline
• The previous proofcan be written as:
Extension for parallel programs
• We need to introduce new statements:
• Statements will be executed in parallel.• statement finishes only after all statements have
finished.
• may not contain any or statements.– can be used to make any action indivisible
Extension for parallel programs
• We need to introduce new statements:
• Used by Gries to prove correctness of Dijkstra’s on-the-fly garbage collector
Assumptions
• We do not assume anything regarding processing speed
• We require that all assignments be executed and all expression be evaluated as an indivisible action– Not necessary if every expression in the program may
refer to at most one shared variable and at most once• Only required indivisible action is memory access• All following examples will adhere to this convention• (similarly for assignments)
Interference
• Let’s examine two programs:
• If we try to run them in parallel:
• We cannot guarantee the post-condition.
Interference
• Given a proof for a program and a statement with precondition , does not interfere with if:
• Execution of won’t change the outcome– such that is not within an statement, • Execution of will not prevent execution of the rest of
Interference
• are interference free if:– is an statement or an statement (not in an )– does not interfere with
• Redefine as:
Proving a parallel program
• When proving correctness of a program we will start by proving each thread sequentially.
• We will then show that each thread does not interfere with another thread’s prove– Interfere = invalidate the prove
Proving a parallel program
• We will prove the following program:
• We will do so by loosening the assertions
Proving a parallel program
Proving a parallel program
• All that is left is to show interference freedom• We need to verify:
Proving a parallel program
Proving a parallel program
Auxiliary Variables
• Consider the following program:
• Can we prove ?
Auxiliary Variables {x=0}
Not the required result
The processes are not interference free
Auxiliary Variables
• Now consider the following proof outline?
• Can we prove that this is correct?
• If this proof outline is correct we can prove invalid statements
– in this case we will get
Auxiliary Variables
• A variable that is only in assignments is an Auxiliary Variable
• Let AV be the set of Auxiliary Variables in the program
• If is obtained from by deleting all the assignment to variables in AV then
Auxiliary Variables• Consider the following program:
• This program has the same behavior as with the auxiliary variables
Auxiliary Variables
Another Example - Descriptrion
• A parallel program for finding the 1st item in an array which is greater than 0.
Another Example – Proof Outline 1
Another Example – Proof Outline 2
Another Example - Proof
• To prove the correctness of the program we need to:– Separately check each thread (evensearch &
oddsearch) sequentially– Verify interference freedom between the threads
• We will show that oddsearch does not interfere with evensearch– (the complementary argument is similar)
Another Example - Proof
• No need to check all possible statements in oddsearch • Enough the check only assignments of oddsearch that
change a shared variable– The only suitable statement is
• No need to check all possible statements in evensearch• Enough the check only assertions of evensearch
affected by the change of a shared variable– The only suitable assertion is
Another Example - Proof
• Need to show that:
• is part of – Therefore
• We conclude that the assertion holds!
Synchronization Mechanism
• The deductive system presented is flexible enough to handle other existing parallel programming tools– Semaphores– Mutual exclusion
• The tools can be converted to assertions and verified
Synchronization Mechanism
• Semaphores– Obtain a semaphore:
– Release a semaphore:
Synchronization Mechanism
• Mutual Exclusion– We introduce another statement to the system:
– is the resource on which we want mutual exclusion ( and same as in the staement)
– The assertion (invariant of , if exists) is appended to the assertions of
Conclusion
• a strong versatile deductive system for parallel program verification– Few assumptions on the system and/or program
• The main ideas:– Start by verifying the sequential case and than check that
parallel execution doesn’t invalidate the proof– Sometimes we might need to loosen our assertions to be able
to prove them– In some cases we might need to add auxiliary variables to a
program in order to verify it
References• An Axiomatic Proof Technique for Parallel Programs
– Susan Owicky & David Gries, 1976• Verifying Properties of Parallel Programs: An axiomatic Approach
– Susan Owicky & David Gries, 1976• An Axiomatic Basis for Computer Programming
– C. A. R. Hoare, 1969• An Exercise in Proving Parallel Programs Correct
– David Gries, 1977• Verification of Sequential and Concurrent Programs
– Krzysztof R. Apt, Frank S. de Boer, Ernst-Rudiger Oldberog3rd edition, 2010
Questions?