An Axiomatic Proof Technique for Parallel Programs
![Page 1: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/1.jpg)
An Axiomatic Proof Technique for Parallel Programs
Susan Owicki & David Gries
Presented by Omer Katz
Seminar in Distributed Algorithms, Spring 2013
29/04/13
![Page 2: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/2.jpg)
What’s next?
• What are we trying to do?
• The sequential solution
• The parallel solution
– Interference freedom
– Auxiliary variables
– Examples
• Cooperation with other synchronization tools
• If given enough time
– Deadlocks
– Termination
![Page 3: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/3.jpg)
The problem
• We want to prove correctness of parallel programs
• Most existing methods rely on informal arguments
– Not accurate enough
• We would like to formally prove correctness and other properties
– Preferably statically
![Page 4: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/4.jpg)
Hoare (1969)
• Hoare presented a simple deductive system
• Used to describe variable and program states during execution.
• Used for proving properties of sequential programs.
– Originally meant to be verified by compilers
![Page 5: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/5.jpg)
Partial correctness vs. total correctness
• We only deal with partial correctness
– The program is only required to be correct if it terminates
• Total correctness will be dealt with later
– Termination
– Deadlocks & Blocking
![Page 6: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/6.jpg)
Notation and Declarations
• P, Q = assertions
• S = statement
– If P was true prior to execution of S, then Q is true after execution.
• – If a is true then b is also true.
![Page 7: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/7.jpg)
Notation and Declarations
• Null statements:
![Page 8: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/8.jpg)
Notation and Declarations
• Assignments:
• is formed by replacing every appearance of in with .
if then and we get
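The assignment rule on this slide is purely syntactic: the precondition is the postcondition with the assigned expression substituted for the assigned variable. The following Python, added here as an illustration and not taken from the slides or from the Owicki-Gries paper, performs that substitution on the assertion's syntax tree and then cross-checks the resulting triple on a small constructed set of states. The assertion strings, variable names and state domain are all made up for the example.

```python
import ast

# Added example: Hoare's assignment axiom {P[e/x]} x := e {P}, with P[e/x]
# computed syntactically on the assertion's AST and then cross-checked
# semantically on a finite, constructed set of states.

def substitute(assertion_src, var, expr_src):
    """Return P[e/x]: the assertion with every occurrence of x replaced by e.
    Working on the AST rather than on text keeps e a single unit, so
    'x * 2 > y' with x := x + 1 becomes '(x + 1) * 2 > y', not 'x + 1 * 2 > y'."""
    replacement = ast.parse(expr_src, mode='eval').body

    class Subst(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    tree = Subst().visit(ast.parse(assertion_src, mode='eval'))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)

def holds(assertion_src, state):
    """Evaluate an assertion (a Python boolean expression) in a state."""
    return bool(eval(assertion_src, {}, dict(state)))

def assignment_triple_ok(post_src, var, expr_src, states):
    """Semantic check of {P[e/x]} x := e {P} on every state of a finite domain."""
    pre_src = substitute(post_src, var, expr_src)
    for s in states:
        if holds(pre_src, s):
            after = {**s, var: eval(expr_src, {}, dict(s))}   # execute x := e
            if not holds(post_src, after):
                return False
    return True

# Constructed domain for the semantic cross-check: x, y in 0..4.
SAMPLE_STATES = [{'x': x, 'y': y} for x in range(5) for y in range(5)]

if __name__ == '__main__':
    for post, e in (('x == y + 1', 'x + 1'), ('x * 2 > y', 'x + 1')):
        print('{%s} x := %s {%s}' % (substitute(post, 'x', e), e, post),
              assignment_triple_ok(post, 'x', e, SAMPLE_STATES))
```

The AST route matters for the rule as stated on the slide: "replacing every appearance" is a substitution of a whole expression, and doing it on text would silently change operator precedence.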
![Page 9: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/9.jpg)
Notation and Declarations
• Alternation:
![Page 10: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/10.jpg)
Notation and Declarations
• Iteration:
![Page 11: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/11.jpg)
Notation and Declarations
• Composition:
![Page 12: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/12.jpg)
Notation and Declarations
• Consequence:
![Page 13: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/13.jpg)
Sequential Example
• We want to prove
• Assume we already know:
![Page 14: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/14.jpg)
Sequential Example
![Page 15: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/15.jpg)
if e then
else
begin
Proof Outline
• The previous proof can be written as:
![Page 16: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/16.jpg)
Extension for parallel programs
• We need to introduce new statements:
• Statements will be executed in parallel.
• statement finishes only after all statements have finished.
• may not contain any or statements.
– can be used to make any action indivisible
![Page 17: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/17.jpg)
Extension for parallel programs
• We need to introduce new statements:
• Used by Gries to prove correctness of Dijkstra’s on-the-fly garbage collector
![Page 18: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/18.jpg)
Assumptions
• We do not assume anything regarding processing speed
• We require that all assignments be executed and all expressions be evaluated as an indivisible action
– Not necessary if every expression in the program may refer to at most one shared variable and at most once
• The only required indivisible action is memory access
• All following examples will adhere to this convention
• (similarly for assignments)
![Page 19: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/19.jpg)
Interference
• Let’s examine two programs:
• If we try to run them in parallel:
• We cannot guarantee the post-condition.
![Page 20: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/20.jpg)
Interference
• Given a proof for a program and a statement with precondition , does not interfere with if:
• Execution of won’t change the outcome
– such that is not within an statement,
• Execution of will not prevent execution of the rest of
![Page 21: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/21.jpg)
Interference
• are interference free if:
– is an statement or an statement (not in an )
– does not interfere with
• Redefine as:
![Page 22: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/22.jpg)
Proving a parallel program
• When proving correctness of a program we will start by proving each thread sequentially.
• We will then show that each thread does not interfere with another thread’s proof
– Interfere = invalidate the proof
![Page 23: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/23.jpg)
Proving a parallel program
• We will prove the following program:
• We will do so by loosening the assertions
![Page 24: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/24.jpg)
Proving a parallel program
![Page 25: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/25.jpg)
Proving a parallel program
• All that is left is to show interference freedom
• We need to verify:
![Page 26: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/26.jpg)
Proving a parallel program
![Page 27: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/27.jpg)
Proving a parallel program
![Page 28: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/28.jpg)
Auxiliary Variables
• Consider the following program:
• Can we prove ?
![Page 29: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/29.jpg)
Auxiliary Variables {x=0}
Not the required result
The processes are not interference free
![Page 30: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/30.jpg)
Auxiliary Variables
• Now consider the following proof outline:
• Can we prove that this is correct?
• If this proof outline is correct we can prove invalid statements
– in this case we will get
![Page 31: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/31.jpg)
Auxiliary Variables
• A variable that appears only in assignments is an Auxiliary Variable
• Let AV be the set of Auxiliary Variables in the program
• If is obtained from by deleting all the assignments to variables in AV then
![Page 32: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/32.jpg)
Auxiliary Variables
• Consider the following program:
• This program has the same behavior as with the auxiliary variables
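The two-step method of slide 22 (prove each thread sequentially, then show interference freedom) and the auxiliary-variable rule of slides 29 to 32 can both be exercised mechanically on a small state space. The Python below is an added example, not code from the slides or from the Owicki-Gries paper. It assumes the program under discussion is the paper's two parallel increments of a shared x starting from {x = 0} (the slide's own program text did not survive extraction), and it models each statement as one indivisible step, as slide 18 requires. The state domain, the flag names y and z and the helper names are constructed for the example.

```python
# Added example: brute-force Owicki-Gries checker over a finite state space.
# States are dicts; assertions are predicates on states; statements are pure
# functions state -> state, each treated as one indivisible action (slide 18).
# A thread's proof outline is ([(precondition, statement), ...], final_assertion).

def triple_holds(pre, stmt, post, states):
    """Check {pre} stmt {post} on every state of the finite domain."""
    return all(post(stmt(s)) for s in states if pre(s))

def sequential_ok(outline, states):
    """Step 1 (slide 22): each thread's outline must be a valid sequential proof."""
    steps, final = outline
    for k, (pre, stmt) in enumerate(steps):
        post = steps[k + 1][0] if k + 1 < len(steps) else final
        if not triple_holds(pre, stmt, post, states):
            return False
    return True

def assertions_of(outline):
    steps, final = outline
    return [pre for pre, _ in steps] + [final]

def interference_free(outline_a, outline_b, states):
    """Step 2 (slides 20-21): every assertion A of one thread must survive every
    statement S of the other, given S's own precondition: {A and pre(S)} S {A}."""
    for this, other in ((outline_a, outline_b), (outline_b, outline_a)):
        for A in assertions_of(this):
            for pre, stmt in other[0]:
                if not triple_holds(lambda s: A(s) and pre(s), stmt, A, states):
                    return False
    return True

def check_parallel(outline_a, outline_b, pre, post, states):
    """{pre} cobegin a // b coend {post}: sequential proofs, interference freedom,
    then the consequence steps pre => pre_a and pre_b, post_a and post_b => post."""
    if not (sequential_ok(outline_a, states) and sequential_ok(outline_b, states)):
        return 'sequential proof fails'
    if not interference_free(outline_a, outline_b, states):
        return 'not interference free'
    pre_a, pre_b = outline_a[0][0][0], outline_b[0][0][0]
    pre_ok = all(pre_a(s) and pre_b(s) for s in states if pre(s))
    post_ok = all(post(s) for s in states if outline_a[1](s) and outline_b[1](s))
    return 'proved' if pre_ok and post_ok else 'consequence step fails'

# Constructed finite domain: x in 0..3 and the auxiliary flags y, z in {0, 1}.
STATES = [{'x': x, 'y': y, 'z': z} for x in range(4) for y in (0, 1) for z in (0, 1)]

def inc_x(s):                 # x := x + 1
    return {**s, 'x': s['x'] + 1}

def inc_x_mark_y(s):          # <x := x + 1; y := 1>, one indivisible step
    return {**s, 'x': s['x'] + 1, 'y': 1}

def inc_x_mark_z(s):          # <x := x + 1; z := 1>, one indivisible step
    return {**s, 'x': s['x'] + 1, 'z': 1}

# Naive outline (slide 29): {x = 0} x := x + 1 {x = 1} in each thread.
NAIVE = ([(lambda s: s['x'] == 0, inc_x)], lambda s: s['x'] == 1)

# Outline with auxiliary variables: y and z record which thread has already
# incremented, so x = y + z is an invariant neither thread can break.
def inv(s):
    return s['x'] == s['y'] + s['z']

AUX_T1 = ([(lambda s: inv(s) and s['y'] == 0, inc_x_mark_y)], lambda s: inv(s) and s['y'] == 1)
AUX_T2 = ([(lambda s: inv(s) and s['z'] == 0, inc_x_mark_z)], lambda s: inv(s) and s['z'] == 1)

def demo():
    naive = check_parallel(NAIVE, NAIVE, lambda s: s['x'] == 0, lambda s: s['x'] == 2, STATES)
    with_aux = check_parallel(AUX_T1, AUX_T2,
                              lambda s: s['x'] == 0 and s['y'] == 0 and s['z'] == 0,
                              lambda s: s['x'] == 2, STATES)
    return naive, with_aux

if __name__ == '__main__':
    print(demo())   # ('not interference free', 'proved')
```

The naive outline passes both sequential proofs and fails only at the interference check, which is exactly the situation on slide 29. With y and z added, the final postcondition x = 2 mentions no auxiliary variable and y, z occur only in assignments, so the rule on slide 31 lets the assignments to them be deleted and the result carries over to the original program.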
![Page 33: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/33.jpg)
Auxiliary Variables
![Page 34: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/34.jpg)
Another Example - Description
• A parallel program for finding the first item in an array which is greater than 0.
![Page 35: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/35.jpg)
Another Example – Proof Outline 1
![Page 36: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/36.jpg)
Another Example – Proof Outline 2
![Page 37: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/37.jpg)
Another Example - Proof
• To prove the correctness of the program we need to:
– Separately check each thread (evensearch & oddsearch) sequentially
– Verify interference freedom between the threads
• We will show that oddsearch does not interfere with evensearch
– (the complementary argument is similar)
![Page 38: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/38.jpg)
Another Example - Proof
• No need to check all possible statements in oddsearch
• It is enough to check only the assignments of oddsearch that change a shared variable
– The only suitable statement is
• No need to check all possible statements in evensearch
• It is enough to check only the assertions of evensearch affected by the change of a shared variable
– The only suitable assertion is
![Page 39: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/39.jpg)
Another Example - Proof
• Need to show that:
• is part of – Therefore
• We conclude that the assertion holds!
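Slides 38 and 39 prune the interference check down to one statement of oddsearch and one assertion of evensearch, and then discharge that single pair using the statement's own precondition. The Python below is an added example, not code from the slides or from the Owicki-Gries paper. It restates the findpos program and its assertions from the paper as an assumption (the slides' formulas are missing here): even indices are scanned with i and the result kept in eventop, odd indices with j and oddtop, where M + 1 means nothing found yet. The array length, the value domain and all helper names are constructed for the example.

```python
from itertools import product

# Added example: the pruned interference check for findpos on a tiny
# constructed input. Program and assertions are restated from the
# Owicki-Gries paper as an assumption of this example.
M = 4   # array length; eventop/oddtop = M + 1 means "nothing found yet"

def all_states():
    """Every combination of array contents and scan/result variables over a
    small domain; x is stored 1-indexed (index 0 unused)."""
    for xs in product((-1, 1), repeat=M):
        x = (None,) + xs
        for i in (2, 4, M + 2):
            for j in (1, 3, M + 1):
                for eventop in (2, 4, M + 1):
                    for oddtop in (1, 3, M + 1):
                        yield {'x': x, 'i': i, 'j': j,
                               'eventop': eventop, 'oddtop': oddtop}

# evensearch's loop invariant I_E: i is even, every even index below i held a
# non-positive value, and eventop is "none" or an even index holding a positive value.
def inv_even(s):
    x, i, top = s['x'], s['i'], s['eventop']
    return (i % 2 == 0 and 2 <= i <= M + 2
            and all(x[l] <= 0 for l in range(2, min(i, M + 1), 2))
            and (top == M + 1 or (top % 2 == 0 and x[top] > 0)))

def inv_odd(s):   # oddsearch's I_O, the mirror image on odd indices
    x, j, top = s['x'], s['j'], s['oddtop']
    return (j % 2 == 1 and 1 <= j <= M + 1
            and all(x[l] <= 0 for l in range(1, min(j, M + 1), 2))
            and (top == M + 1 or (top % 2 == 1 and x[top] > 0)))

def even_exit(s):   # evensearch's loop-exit assertion; the only one reading oddtop
    return inv_even(s) and s['i'] >= min(s['oddtop'], s['eventop'])

def set_oddtop(s):  # the statement oddtop := j
    return {**s, 'oddtop': s['j']}

def pre_set_oddtop(s):   # its precondition in oddsearch's proof outline
    return inv_odd(s) and s['j'] < s['oddtop'] and s['x'][s['j']] > 0

# Outline bookkeeping: (name, precondition, effect, variables written) and
# (name, predicate, variables read). i and j are private; the rest is shared.
SHARED = {'x', 'eventop', 'oddtop'}
ODDSEARCH_STMTS = [
    ('oddtop := j', pre_set_oddtop, set_oddtop, {'oddtop'}),
    ('j := j + 2', lambda s: inv_odd(s) and s['j'] < s['oddtop'] and s['x'][s['j']] <= 0,
     lambda s: {**s, 'j': s['j'] + 2}, {'j'}),
]
EVENSEARCH_ASSERTIONS = [
    ('I_E', inv_even, {'x', 'i', 'eventop'}),
    ('I_E and i >= min(oddtop, eventop)', even_exit, {'x', 'i', 'eventop', 'oddtop'}),
]

def pairs_to_check(stmts, assertions):
    """Slide 38: only statements writing a shared variable, paired with the
    assertions that read a variable they write, need the interference test."""
    return [(sn, an) for sn, _, _, writes in stmts if writes & SHARED
            for an, _, reads in assertions if writes & reads]

def interference_test(assertion, pre, stmt, states):
    """Slide 39: {A and pre(S)} S {A}; returns a counterexample state or None."""
    for s in states:
        if assertion(s) and pre(s) and not assertion(stmt(s)):
            return s
    return None

def demo():
    states = list(all_states())
    pairs = pairs_to_check(ODDSEARCH_STMTS, EVENSEARCH_ASSERTIONS)
    # With oddsearch's precondition (which contains j < oddtop) the assertion survives.
    cex_with_pre = interference_test(even_exit, pre_set_oddtop, set_oddtop, states)
    # Without that precondition the same step can raise min(oddtop, eventop) above i.
    cex_without_pre = interference_test(even_exit, lambda s: True, set_oddtop, states)
    return pairs, cex_with_pre, cex_without_pre

if __name__ == '__main__':
    pairs, ok, bad = demo()
    print('pairs to check:', pairs)
    print('with precondition:', ok, '| without precondition:', bad)
```

The pruning returns the single pair the slides name, and the check goes through only because j < oddtop is part of the precondition: every counterexample the unconditioned test finds has j above the old oddtop, which oddsearch's own proof rules out.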
![Page 40: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/40.jpg)
Synchronization Mechanism
• The deductive system presented is flexible enough to handle other existing parallel programming tools– Semaphores– Mutual exclusion
• The tools can be converted to assertions and verified
![Page 41: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/41.jpg)
Synchronization Mechanism
• Semaphores– Obtain a semaphore:
– Release a semaphore:
![Page 42: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/42.jpg)
Synchronization Mechanism
• Mutual Exclusion– We introduce another statement to the system:
– is the resource on which we want mutual exclusion ( and same as in the statement)
– The assertion (invariant of , if it exists) is appended to the assertions of
![Page 43: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/43.jpg)
Conclusion
• A strong, versatile deductive system for parallel program verification
– Few assumptions on the system and/or program
• The main ideas:
– Start by verifying the sequential case and then check that parallel execution doesn’t invalidate the proof
– Sometimes we might need to loosen our assertions to be able to prove them
– In some cases we might need to add auxiliary variables to a program in order to verify it
![Page 44: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/44.jpg)
References
• An Axiomatic Proof Technique for Parallel Programs
– Susan Owicki & David Gries, 1976
• Verifying Properties of Parallel Programs: An Axiomatic Approach
– Susan Owicki & David Gries, 1976
• An Axiomatic Basis for Computer Programming
– C. A. R. Hoare, 1969
• An Exercise in Proving Parallel Programs Correct
– David Gries, 1977
• Verification of Sequential and Concurrent Programs
– Krzysztof R. Apt, Frank S. de Boer, Ernst-Rüdiger Olderog, 3rd edition, 2010
![Page 45: An Axiomatic Proof Technique for Parallel Programs](https://reader036.fdocuments.us/reader036/viewer/2022062501/56816419550346895dd5d012/html5/thumbnails/45.jpg)
Questions?