An Introduction to Rely/Guarantee Reasoning About Concurrency

Ian J. Hayes (and Cliff B. Jones)
The University of Queensland, Australia (and Newcastle University, UK)
SETSS Spring School, Chongqing, China, 2017-04-17–19

Rely/guarantee
- Pre: I assume that this lecture starts at 8:30am
- Guarantee: you will understand rely/guarantee reasoning
- Rely: that you ask questions when you don't understand
- Post: finish this lecture at 9:30am

Overview
- Deriving sequential programs
  - Example: Sieve of Eratosthenes
- Deriving concurrent programs
  - Example: Sieve of Eratosthenes
  - Example: Communicating through a circular buffer
- Semantics of concurrent programs
- Rely/guarantee concurrency

Your background
Logic and set theory
- Propositional logic: ∧, ∨ and ¬
- Predicate logic: ∀ and ∃
- Set theory: ∈, ⊆, ∪, ∩ and { ... }
- Specification languages: VDM, Z, B and TLA
Reasoning about programs
- Hoare logic: {p} c {q}
- Refinement calculus or B or Event-B: x : [ p , q ] ⊑ ...
- Separation logic
- Concurrent separation logic

Reasoning about (concurrent) software
Our main tool is abstraction:
- sequential: specify components using pre/post conditions, e.g. sorting
  - precondition noduplicates(s)
  - postcondition ordered(s') ∧ items(s') = items(s)
- data: use abstractions such as sets and maps
  - decouple the specification of what the user sees from the implementation
  - avoid the details of the implementations, such as linked lists and trees
- process: due to interference between processes one needs more than pre and post conditions

Compositional reasoning
Reasoning about the whole is decomposed into reasoning about the components. Why?
- Make reasoning tractable
- Partition the work (e.g. for multiple people to work on different components)
- Avoid reasoning about paths: the loop
    j := 0;
    while j ≠ N do
      if p then s else t;
      j := j + 1
  has 2^N possible paths

Hoare logic is compositional
Structured reasoning about programs.
- Sequential composition:
    {p} s {q}    {q} t {r}
    ----------------------
        {p} s ; t {r}
- While loop using a loop invariant p:
    {p ∧ b} s {p}
    ---------------------------
    {p} while b do s {p ∧ ¬b}
  For termination one needs to add a loop variant or a well-founded relation.

Parallel composition
Interference is possible before or after every atomic step s_i and t_i of
    s_1 ; s_2 ; ... ; s_n  ∥  t_1 ; t_2 ; ... ; t_n
- The number of paths in terms of n explodes.
- If there is no interference between s and t:
    {p_1} s {q_1}    {p_2} t {q_2}
    ------------------------------
    {p_1 ∧ p_2} s ∥ t {q_1 ∧ q_2}
- But this is the easy case.

Example: Sieve of Eratosthenes (sequential)
- Determine primes up to some given n
- Illustrates:
  - starting with an abstract type (a set)
  - using guarantees (even for a sequential program)
  - introducing loops
  - data refinement to an array of small sets that can each fit in a word
[Figure: the numbers 1 2 3 4 5 6 7 8 9 10 11 12 ... with the steps REM(2) and REM(3) crossing out the multiples of 2 and of 3]

Specification in refinement calculus style
- Precondition: s ⊆ 2..n holds initially
- Assume that C is the set of all composite numbers (non-primes)
- Postcondition: s' = s − C (primed variables denote final values)
VDM:
    SIEVE
    ext wr s : F N1
    pre  s ⊆ 2..n
    post s' = s − C
Refinement calculus:
    s : [ s ⊆ 2..n , s' = s − C ]

Sieve of Eratosthenes - sequential
Concrete syntax:
    SIEVE ≙ s : [ s ⊆ 2..n , s' = s − C ]
    =    (equivalent post condition, by set theory)
    s : [ s ⊆ 2..n , s' ⊆ s ∧ s − s' ⊆ C ∧ s' ∩ C = ∅ ]
    ⊑    (guarantee on every step)
    (guar s' ⊆ s ∧ s − s' ⊆ C) ⋒ s : [ s ⊆ 2..n , s' ∩ C = ∅ ]
The guarantee condition is
- reflexive, i.e. s = s' ⇒ s' ⊆ s ∧ s − s' ⊆ C
- transitive, i.e. s' ⊆ s ∧ s − s' ⊆ C ∧ s'' ⊆ s' ∧ s' − s'' ⊆ C ⇒ s'' ⊆ s ∧ s − s'' ⊆ C

First some set theory
Assume c_i is the set of all multiples of i, excluding i. Then
    s' ∩ C = ∅
    ≡ s' ∩ ⋃{ j ∈ N | 2 ≤ j · c_j } = ∅
    ≡ ⋃{ j ∈ N | 2 ≤ j · (s' ∩ c_j) } = ∅
    ≡ ∀ j ∈ N · 2 ≤ j ⇒ s' ∩ c_j = ∅
Therefore
    (guar s' ⊆ s ∧ s − s' ⊆ C) ⋒ s : [ s ⊆ 2..n , s' ∩ C = ∅ ]
    ⊑    (by the above set theory)
    (guar s' ⊆ s ∧ s − s' ⊆ C) ⋒ s : [ s ⊆ 2..n , ∀ j · 2 ≤ j ⇒ s' ∩ c_j = ∅ ]
The refinement now focuses on just the specification (the second line).

Then some number theory
If 2 ≤ i ∧ 2 ≤ j and i ∗ j ≤ n then either
- i ≤ j ∧ i² ≤ n, or
- j ≤ i ∧ j² ≤ n.
Hence one only has to remove the multiples of i for i up to the (integer part of) the square root of n:
    s ⊆ 0..n ∧ ⌊√n⌋ ≤ i ∧ (∀ j ∈ 2..i · s ∩ c_j = ∅) ⇒ (∀ j ∈ N · 2 ≤ j ⇒ s ∩ c_j = ∅)
The predicate (∀ j ∈ 2..i · s ∩ c_j = ∅) holds trivially if i is 1.

Introducing a loop
    s : [ s ⊆ 2..n , ∀ j · 2 ≤ j ⇒ s' ∩ c_j = ∅ ]
    ⊑    (introduce variable i to be used as loop index)
    var i := 1;
    i, s : [ s ⊆ 2..n ∧ (∀ j ∈ 2..i · s ∩ c_j = ∅) , n < (i'+1)² ∧ (∀ j ∈ 2..i' · s' ∩ c_j = ∅) ]
    ⊑    (introduce while loop)
    while (i+1)² ≤ n do
      i, s : [ s ⊆ 2..n ∧ (i+1)² ≤ n ∧ (∀ j ∈ 2..i · s ∩ c_j = ∅) , i < i' ∧ (∀ j ∈ 2..i' · s' ∩ c_j = ∅) ]
The conjunct i < i' in the post condition is the variant that ensures termination.

Refining the loop body
    i, s : [ s ⊆ 2..n ∧ (i+1)² ≤ n ∧ (∀ j ∈ 2..i · s ∩ c_j = ∅) , i < i' ∧ (∀ j ∈ 2..i' · s' ∩ c_j = ∅) ]
    ⊑    (introduce sequential composition)
    i := i + 1;
    s : [ s ⊆ 2..n ∧ i² ≤ n ∧ (∀ j ∈ 2..i−1 · s ∩ c_j = ∅) , ∀ j ∈ 2..i · s' ∩ c_j = ∅ ]
    ⊑    (to achieve the post condition the elements in c_i need to be removed; the guarantee s' ⊆ s keeps the multiples of 2..i−1 out of s')
    s : [ s ⊆ 2..n ∧ i² ≤ n , s' ∩ c_i = ∅ ]
    ⊑    (recall that c_i contains all the multiples of i, excluding i)
    s : [ s ⊆ 2..n ∧ i² ≤ n , ∀ j · 2∗i ≤ j∗i ≤ n ⇒ j∗i ∉ s' ]
Reminder: this is all in the context of (guar s' ⊆ s ∧ s − s' ⊆ C).

Introduce inner loop
    s : [ s ⊆ 2..n ∧ i² ≤ n , ∀ j · 2∗i ≤ j∗i ≤ n ⇒ j∗i ∉ s' ]
    ⊑    (introduce variable k to be used as a loop index)
    var k := 2;
    k, s : [ s ⊆ 2..n ∧ i² ≤ n ∧ (∀ j · 2∗i ≤ j∗i < k∗i ⇒ j∗i ∉ s) , n < k'∗i ∧ (∀ j · 2∗i ≤ j∗i < k'∗i ⇒ j∗i ∉ s') ]
    ⊑    (introduce inner loop)
    while k∗i ≤ n do
      k, s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n ∧ (∀ j · 2∗i ≤ j∗i < k∗i ⇒ j∗i ∉ s) , k < k' ∧ (∀ j · 2∗i ≤ j∗i < k'∗i ⇒ j∗i ∉ s') ]

Refine the inner loop body
    k, s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n ∧ (∀ j · 2∗i ≤ j∗i < k∗i ⇒ j∗i ∉ s) , k < k' ∧ (∀ j · 2∗i ≤ j∗i < k'∗i ⇒ j∗i ∉ s') ]
    ⊑    (introduce sequential composition)
    s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n ∧ (∀ j · 2∗i ≤ j∗i < k∗i ⇒ j∗i ∉ s) , ∀ j · 2∗i ≤ j∗i < (k+1)∗i ⇒ j∗i ∉ s' ];
    k := k + 1
Now refine the specification:
    s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n ∧ (∀ j · 2∗i ≤ j∗i < k∗i ⇒ j∗i ∉ s) , ∀ j · 2∗i ≤ j∗i < (k+1)∗i ⇒ j∗i ∉ s' ]
    ⊑    (to achieve the post condition the element k∗i must be removed)
    s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n , k∗i ∉ s' ]

Bring back the guarantee
Now recall that this was all in the context of a guarantee.
    (guar s' ⊆ s ∧ s − s' ⊆ C) ⋒ s : [ s ⊆ 2..n ∧ 2∗i ≤ k∗i ≤ n , k∗i ∉ s' ]
    ⊑    (strengthen the guarantee and weaken the precondition; {k∗i} ⊆ C because k∗i is composite)
    (guar s' ⊆ s ∧ s − s' ⊆ {k∗i}) ⋒ s : [ s ⊆ 0..n ∧ k∗i ∈ 0..n , k∗i ∉ s' ]

Remove an element from the set
Define
    Rem(m) ≙ (guar s' ⊆ s ∧ s − s' ⊆ {m}) ⋒ s : [ s ⊆ 0..n ∧ m ∈ 0..n , m ∉ s' ]
The code so far is
    var i := 1;
    while (i+1)² ≤ n do
      i := i + 1;
      var k := 2;
      while k∗i ≤ n do
        Rem(k∗i);
        k := k + 1

Data refinement: representing the set as an array of words
- A finite set contained in 0..n can be represented by a bit map of n+1 bits
- Assume a word has ws bits
- A word can represent a set with ws elements
- A word can represent a set contained in the set 0..ws−1
- For a large set one needs a vector v of ⌈(n+1)/ws⌉ words
- The function retr(v) retrieves the set represented by v:
    retr(v) ≙ { j ∈ 0..n | (j mod ws) ∈ v(j div ws) }

Remove an element from the set (on the representation)
Recall
    Rem(m) ≙ (guar s' ⊆ s ∧ s − s' ⊆ {m}) ⋒ s : [ s ⊆ 0..n ∧ m ∈ 0..n , m ∉ s' ]
Using the representation as an array v : array 0..⌈(n+1)/ws⌉−1 of F(0..ws−1):
    (guar retr(v') ⊆ retr(v) ∧ retr(v) − retr(v') ⊆ {m}) ⋒ v : [ retr(v) ⊆ 0..n ∧ m ∈ 0..n , m ∉ retr(v') ]
From the definition of retr
    m ∉ retr(v') ⇔ (m mod ws) ∉ v'(m div ws)
Hence the specification can be written as
    v : [ retr(v) ⊆ 0..n ∧ m ∈ 0..n , (m mod ws) ∉ v'(m div ws) ]
    ⊑
    v(m div ws) : [ m ∈ 0..n , (m mod ws) ∉ v'(m div ws) ]

Removing an element from a set represented as a single word
    RemW(var w : F(0..ws−1); i : 0..ws−1) ≙
      (guar w' ⊆ w ∧ w − w' ⊆ {i}) ⋒ w : [ w ⊆ 0..ws−1 ∧ i ∈ 0..ws−1 , i ∉ w' ]
Therefore
    Rem(m) ⊑ RemW(v(m div ws), m mod ws)
RemW can be implemented using bit-wise operations on a word (exercise).

Conclusions
- Importance of data abstraction
- Guarantee allows one to focus on the interesting part

Example: Parallel SIEVE of Eratosthenes
- Determine primes up to some given n
- Illustrates:
  - starting with an abstract type
  - need to document interference (R)
[Figure: the numbers 1 2 3 4 5 6 7 8 9 10 11 12 ... with a REM(2) step running in parallel]
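As an added example (this is not code from the slides or from Hayes and Jones), the derived sequential sieve run on the bit-map representation of the data-refinement slides, with RemW done by bit-wise word operations as the slides' exercise suggests, and each Rem(m) step checked against its guarantee. The names retr, rem_w, rem, rem_keeps_guarantee, sieve_refined and sieve_spec are chosen here; WS stands for the slides' word size ws and is kept small so that several words are needed.

```python
# Added example, not from the slides: the derived sieve on the word-array
# representation. WS is the assumed word size ws (small on purpose).
WS = 8

def retr(v, n):
    """retr(v) = { j in 0..n | (j mod ws) in v(j div ws) }; bit b of a word set <=> b in the word."""
    return {j for j in range(n + 1) if (v[j // WS] >> (j % WS)) & 1}

def rem_w(w, i):
    """RemW(w, i): clear bit i. Post: i not in w'; guarantee: w' <= w and w - w' <= {i}."""
    return w & ~(1 << i)

def rem(v, m):
    """Rem(m) refined to RemW(v(m div ws), m mod ws): only element m can leave retr(v)."""
    v[m // WS] = rem_w(v[m // WS], m % WS)

def rem_keeps_guarantee(v, m, n):
    """Run one Rem(m) step and check its guarantee s' <= s and s - s' <= {m} via retr."""
    before = retr(v, n)
    rem(v, m)
    after = retr(v, n)
    return after <= before and before - after <= {m}

def sieve_refined(n):
    """The code of the 'Remove an element from the set' slide, on the word array v."""
    words = -(-(n + 1) // WS)            # ceil((n+1)/ws) words hold a subset of 0..n
    v = [0] * words
    for j in range(2, n + 1):            # initial state s = 2..n
        v[j // WS] |= 1 << (j % WS)
    i = 1                                # (forall j in 2..i . s & c_j = {}) holds vacuously
    while (i + 1) ** 2 <= n:
        i += 1
        k = 2
        while k * i <= n:                # inner loop: remove the multiples k*i of i
            rem(v, k * i)
            k += 1
    return retr(v, n)

def sieve_spec(n):
    """The abstract specification s' = s - C, with s = 2..n and C the composites."""
    composites = {a * b for a in range(2, n + 1) for b in range(2, n // a + 1)}
    return set(range(2, n + 1)) - composites
```

Comparing sieve_refined with sieve_spec over a range of n checks the whole refinement end to end, while rem_keeps_guarantee checks the per-step guarantee the derivation relied on.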
