An Axiomatic Proof Technique for
Parallel Programs
Susan Owicki & David Gries
Presented by Omer Katz
Seminar in Distributed Algorithms Spring 2013
29/04/13
What’s next?
• What are we trying to do?
• The sequential solution
• The parallel solution
– Interference freedom
– Auxiliary variables
– Examples
• Cooperation with other synchronization tools
• If given enough time
– Deadlocks
– Termination
The problem
• We want to prove correctness of parallel
programs
• Most existing methods rely on informal
arguments
– Not accurate enough
• We would like to formally prove correctness
and other properties
– Preferably statically
Hoare (1969)
• Hoare presented a simple deductive system
• Used to describe variable and program states
during execution.
• Used for proving properties of sequential
programs.
– Originally meant to be verified by compilers
Partial correctness VS.
total correctness
• We only deal with partial correctness
– The program is correct only if it terminates
• Total correctness will be dealt with later
– Termination
– Deadlocks & Blocking
Notation and Declarations
• 𝑃 𝑆 𝑄
• P, Q = assertions
• S = statement
– If P was true prior to execution of S, then Q is true
after execution.
𝑎
•
𝑏
– If a is true than b is also true.
Notation and Declarations
• Null statements: 𝑃 𝑠𝑘𝑖𝑝{𝑃}
𝑥 > 42 𝑠𝑘𝑖𝑝 𝑥 > 42
Notation and Declarations
• Assignments: 𝑃𝑒𝑥 𝑥 ≔ 𝑒 𝑃
• 𝑃𝑒𝑥 is formed by replacing every appearance of 𝑥 in 𝑃
with 𝑒.
𝑥
if 𝑃 = {𝑥 > 42} then 𝑃𝑥+1
= 𝑥 + 1 > 42 = 𝑥 > 41
and we get 𝑥 > 41 𝑥 ≔ 𝑥 + 1{𝑥 > 42}
Notation and Declarations
• Alternation:
𝑃∧𝐵 𝑆1 𝑄 , 𝑃∧¬𝐵 𝑆2 𝑄
𝑃 𝑖𝑓 𝐵 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑄
𝑥>0∧𝑥 𝑖𝑠 𝑒𝑣𝑒𝑛 𝑦≔0 𝑦=0∨𝑦=1 , 𝑥>0∧𝑥 𝑖𝑠 𝑜𝑑𝑑 𝑦≔1 𝑦=0∨𝑦=1
𝑥>0 𝑖𝑓 𝑥 𝑖𝑠 𝑒𝑣𝑒𝑛 𝑡ℎ𝑒𝑛 𝑦≔0 𝑒𝑙𝑠𝑒 𝑦≔1 𝑦=0∨y=1
Notation and Declarations
• Iteration:
𝑃∧𝐵 𝑆 𝑃
𝑃 𝑤ℎ𝑖𝑙𝑒 𝐵 𝑑𝑜 𝑆 𝑃∧¬𝐵
𝑥>0∧𝑥>10 𝑥:𝑥−1 𝑥>0
𝑥>0 𝑤ℎ𝑖𝑙𝑒 𝑥>10 𝑑𝑜 𝑥:𝑥−1 𝑥>0∧¬ 𝑥>10
Notation and Declarations
• Composition:
𝑃1 𝑆1 𝑃2 , 𝑃2 𝑆2 𝑃3 ,… 𝑃𝑛 𝑆𝑛 𝑃𝑛+1
𝑃1 𝑏𝑒𝑔𝑖𝑛 𝑆1 ;𝑆2 ;…;𝑆𝑛 𝑒𝑛𝑑 𝑃𝑛+1
𝑥=0 𝑥:𝑥+1 𝑥=1 , 𝑥=1 𝑥≔𝑥+2 𝑥=3
𝑥=0 𝑏𝑒𝑔𝑖𝑛 𝑥≔𝑥+1;𝑥≔𝑥+2 𝑥=3
Notation and Declarations
• Consequence:
𝑃1 𝑆 𝑄1 ,𝑃⊢𝑃1 ,𝑄1 ⊢𝑄
𝑃 𝑆 𝑄
𝑥>0 𝑥≔𝑥+10 𝑥>10 ,x>10⊢𝑥>0,𝑥>10⊢𝑥>0
𝑥>10 x≔x+10 x>0
Sequential Example
• 𝑆 ≡ 𝑏𝑒𝑔𝑖𝑛 𝑥 ≔ 𝑎; 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑒𝑛𝑑
• We want to prove 𝑃 𝑆 𝑄
• Assume we already know:
– 𝑃1 ∧ 𝑒 𝑆1 𝑄1
– 𝑃1 ∧ ¬𝑒 𝑆2 𝑄1
– 𝑃 ⊢ 𝑃1 𝑎𝑥
– 𝑄1 ⊢ 𝑄
Sequential Example
• 𝑆 ≡ 𝑏𝑒𝑔𝑖𝑛 𝑥 ≔ 𝑎; 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑒𝑛𝑑
1.
𝑃1 𝑎𝑥 𝑥 ≔ 𝑎 𝑃1
2.
𝑥
𝑃1 𝑥
𝑎 𝑥≔𝑎 𝑃1 ,𝑃⊢𝑃1 𝑎
𝑃 𝑥≔𝑎 𝑃1
3.
𝑃1 ∧𝑒 𝑆1 𝑄1 , 𝑃1 ∧¬𝑒 𝑆2 𝑄1
𝑃1 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 {𝑄1 }
4.
𝑃1 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑄1 ,Q1 ⊢𝑄
𝑃1 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑄
5.
𝑃 𝑥≔𝑎 𝑃1 , 𝑃1 𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑄
{𝑃}𝑏𝑒𝑔𝑖𝑛 𝑥≔𝑎;𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑆1 𝑒𝑙𝑠𝑒 𝑆2 𝑒𝑛𝑑 {𝑄}
Proof Outline
• The previous proof
can be written as:
𝑃
𝑏𝑒𝑔𝑖𝑛 𝑃
{𝑃1 𝑎𝑥 }
𝑥≔𝑎
𝑃1
𝑖𝑓 𝑒 𝑡ℎ𝑒𝑛 𝑃1 ∧ 𝑒
𝑆1
𝑄1
𝑒𝑙𝑠𝑒 𝑃1 ∧ ¬𝑒
𝑆2
𝑄1
𝑄1
𝑄
𝑒𝑛𝑑
Q
Extension for parallel programs
• We need to introduce new statements:
– 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 𝑆1 //𝑆2 // ⋯//𝑆𝑛 𝑐𝑜𝑒𝑛𝑑
• Statements 𝑆1 , 𝑆2 , … , 𝑆𝑛 will be executed in parallel.
• 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 statement finishes only after all 𝑆𝑖 statements
have finished.
– 𝑎𝑤𝑎𝑖𝑡 𝐵 𝑡ℎ𝑒𝑛 𝑆
• Process will be delayed until 𝐵 is true and then S will be
executed as an indivisible action.
• 𝑆 may not contain any 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 or 𝑎𝑤𝑎𝑖𝑡 statements.
– 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 can be used to make any action indivisible
Extension for parallel programs
• We need to introduce new statements:
– 𝑐𝑜𝑏𝑒𝑔𝑖𝑛:
– 𝑎𝑤𝑎𝑖𝑡:
𝑃1 𝑆1 Q1 ,…, Pn Sn Qn
P1 ∧⋯∧𝑃𝑛 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 𝑆1 //⋯//𝑆𝑛 𝑐𝑜𝑒𝑛𝑑 𝑄1 ∧⋯∧𝑄𝑛
𝑃∧𝐵 𝑆 𝑄
𝑃 𝑎𝑤𝑎𝑖𝑡 𝐵 𝑡ℎ𝑒𝑛 𝑆 𝑄
• Used by Gries to prove correctness of
Dijkstra’s on-the-fly garbage collector
Assumptions
• We do not assume anything regarding processing
speed
• We require that all assignments be executed and
all expression be evaluated as an indivisible
action
– Not necessary if every expression in the program may
refer to at most one shared variable and at most once
• Only required indivisible action is memory access
• All following examples will adhere to this convention
• (similarly for assignments)
Interference
• Let’s examine two programs:
𝑥=0
𝑥 ≔𝑥+2
{𝑥 = 2}
𝑥=0
𝑥 ≔𝑥+1
{𝑥 = 1}
• If we try to run them in parallel:
𝑥=0 𝑥≔𝑥+2 𝑥=2 , 𝑥=0 𝑥≔𝑥+1 𝑥=1
𝑥=0∧𝑥=0 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 𝑥≔𝑥+2//𝑥≔𝑥+1 𝑐𝑜𝑒𝑛𝑑 𝑥=2∧𝑥=1
• We cannot guarantee the post-condition.
Interference
• Given a proof 𝑃 𝑆 𝑄 for a program 𝑆 and a
statement 𝑇 with precondition 𝑝𝑟𝑒(𝑇), 𝑇 does
not interfere with 𝑆 if:
– 𝑄 ∧ 𝑝𝑟𝑒 𝑇 𝑇 𝑄
• Execution of 𝑇 won’t change the outcome
– ∀𝑆 ′ ∈ 𝑆 such that 𝑆′ is not within an 𝑎𝑤𝑎𝑖𝑡
statement, 𝑝𝑟𝑒 𝑆 ′ ∧ 𝑝𝑟𝑒 𝑇 𝑇 𝑝𝑟𝑒 𝑆 ′
• Execution of 𝑇 will not prevent execution of the rest of 𝑆
Interference
•
𝑃1 𝑆1 𝑄1 , … , 𝑃𝑛 𝑆𝑛 𝑄𝑛 are interference free if:
– ∀𝑇 ∈ 𝑆𝑖 is an 𝑎𝑤𝑎𝑖𝑡 statement or an 𝑎𝑠𝑠𝑖𝑔𝑛𝑚𝑒𝑛𝑡 statement
(not in an 𝑎𝑤𝑎𝑖𝑡)
– ∀𝑗, 𝑗 ≠ 𝑖, 𝑇 does not interfere with 𝑃𝑗 𝑆𝑗 𝑄𝑗
• Redefine 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 as:
𝑃1 𝑆1 Q1 , … , Pn Sn Q n 𝑎𝑟𝑒 𝑖𝑛𝑡𝑒𝑟𝑓𝑒𝑟𝑒𝑛𝑐𝑒 𝑓𝑟𝑒𝑒
𝑐𝑜𝑏𝑒𝑔𝑖𝑛:
P1 ∧ ⋯ ∧ 𝑃𝑛 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 𝑆1 // ⋯//𝑆𝑛 𝑐𝑜𝑒𝑛𝑑 𝑄1 ∧ ⋯ ∧ 𝑄𝑛
Proving a parallel program
• When proving correctness of a program we
will start by proving each thread sequentially.
• We will then show that each thread does not
interfere with another thread’s prove
– Interfere = invalidate the prove
Proving a parallel program
• We will prove the following program:
𝑐𝑜𝑏𝑒𝑔𝑖𝑛
𝑆1 : 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 = 𝑥 + 2
//
𝑆2 : 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 = 𝑥 + 1
𝑐𝑜𝑒𝑛𝑑
• We will do so by loosening the assertions
Proving a parallel program
𝑥=0
𝑐𝑜𝑏𝑒𝑔𝑖𝑛
𝑥=0
𝑥 =0∨𝑥 = 1
𝑆1 : 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 = 𝑥 + 2
𝑥 =2∨𝑥 = 3
//
𝑥=0
𝑥 =0∨𝑥 = 2
𝑆2 : 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 = 𝑥 + 1
𝑥 =1∨𝑥 = 3
𝑐𝑜𝑒𝑛𝑑
𝑥 = 1 ∨ 𝑥 = 3 ∧ (𝑥 = 2 ∨ 𝑥 = 3)
𝑥=3
Proving a parallel program
• All that is left is to show interference freedom
• We need to verify:
1.
2.
3.
4.
𝑝𝑟𝑒
𝑝𝑟𝑒
𝑝𝑟𝑒
𝑝𝑟𝑒
𝑆1
𝑆2
𝑆1
𝑆2
∧ 𝑝𝑟𝑒 𝑆2 𝑆1 𝑝𝑟𝑒 𝑆2
∧ 𝑝𝑟𝑒 𝑆1 𝑆2 𝑝𝑟𝑒 𝑆1
∧ 𝑄2 𝑆1 𝑄2
∧ 𝑄1 𝑆2 𝑄1
Proving a parallel program
1. 𝑝𝑟𝑒 𝑆1 ∧ 𝑝𝑟𝑒 𝑆2 𝑆1 𝑝𝑟𝑒 𝑆2
𝑥 =0∨𝑥 =1 ∧ 𝑥 =0∨𝑥 =2
𝑥=0
𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛
𝑥=0
𝑥 ≔𝑥+2
𝑥=2
𝑥=2
𝑥 =0∨𝑥 =2
Proving a parallel program
3. 𝑝𝑟𝑒 𝑆1 ∧ 𝑄2 𝑆1 𝑄2
𝑥 =0∨𝑥 =1 ∧ 𝑥 =1∨𝑥 =3
𝑥=1
𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛
𝑥=1
𝑥 ≔𝑥+2
𝑥=3
𝑥=3
𝑥 =1∨𝑥 =3
Auxiliary Variables
• Consider the following program:
𝑆 ≡ 𝑐𝑜𝑏𝑒𝑔𝑖𝑛
𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 ≔ 𝑥 + 1
//
𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 ≔ 𝑥 + 1
𝑐𝑜𝑒𝑛𝑑
• Can we prove 𝑥 = 0 𝑆{𝑥 = 2}?
Auxiliary Variables
cobegin {x=0}
{𝑥 = 0 ∨ 𝑥 = 1}
await true then x ≔ x + 1
𝑥 =1∨𝑥 =2
//
{𝑥 = 0 ∨ 𝑥 = 1}
await true then x ≔ x + 1
𝑥 =1∨𝑥 =2
𝑥 =1∨𝑥 =2
Not the required result
coend
The processes are not
interference free
Auxiliary Variables
• Now consider the following proof outline?
𝑇≡
𝑡𝑟𝑢𝑒 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑐𝑜𝑏𝑒𝑔𝑖𝑛 𝑥 ≔ 𝑥 + 2//𝑥 ≔ 0 𝑐𝑜𝑒𝑛𝑑 {𝑥 = 0 ∨ 𝑥 = 2}
• Can we prove that this is correct?
• If this proof outline is correct we can prove
invalid statements
– in this case we will get ∀𝑥 𝑥 ≥ 0 ∧ 𝑥 𝑖𝑠 𝑒𝑣𝑒𝑛 → 𝑥 = 0 ∨ 𝑥 = 2
Auxiliary Variables
• A variable 𝑥 that is only in assignments 𝑥 ≔ 𝑒
is an Auxiliary Variable
• Let AV be the set of Auxiliary Variables in the
program 𝑆
• If 𝑆′ is obtained from 𝑆 by deleting all the
assignment to variables in AV then
𝑃 𝑆 𝑄
𝑃 𝑆′ 𝑄
Auxiliary Variables
• Consider the following program:
𝑇 ′ ≡ 𝑏𝑒𝑔𝑖𝑛 𝑑𝑜𝑛𝑒 ≔ 𝑓𝑎𝑙𝑠𝑒
𝑐𝑜𝑏𝑒𝑔𝑖𝑛
𝑏𝑒𝑔𝑖𝑛 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 ≔ 𝑥 + 2; 𝑑𝑜𝑛𝑒 ≔ 𝑡𝑟𝑢𝑒 𝑒𝑛𝑑
//
𝑏𝑒𝑔𝑖𝑛 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 ≔ 0 𝑒𝑛𝑑
𝑐𝑜𝑒𝑛𝑑
𝑒𝑛𝑑
• This program has the same behavior as 𝑇 with the
auxiliary variables 𝑑𝑜𝑛𝑒
Auxiliary Variables
{𝑡𝑟𝑢𝑒}
𝑏𝑒𝑔𝑖𝑛 𝑑𝑜𝑛𝑒 ≔ 𝑓𝑎𝑙𝑠𝑒
¬𝑑𝑜𝑛𝑒
𝑐𝑜𝑏𝑒𝑔𝑖𝑛
¬𝑑𝑜𝑛𝑒
𝑏𝑒𝑔𝑖𝑛 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑥 ≔ 𝑥 + 2; 𝑑𝑜𝑛𝑒 ≔ 𝑡𝑟𝑢𝑒 𝑒𝑛𝑑
𝑡𝑟𝑢𝑒
//
𝑡𝑟𝑢𝑒
𝑏𝑒𝑔𝑖𝑛 𝑥 ≔ 0 𝑒𝑛𝑑
𝑥 = 0 ∨ x = 2 ∧ (¬𝑑𝑜𝑛𝑒 → 𝑥 = 0)
𝑐𝑜𝑒𝑛𝑑
𝑥 = 0 ∨ x = 2 ∧ (¬𝑑𝑜𝑛𝑒 → 𝑥 = 0)
𝑥 =0∨𝑥 =2
𝑒𝑛𝑑
𝑥 =0∨𝑥 =2
Another Example - Descriptrion
• A parallel program for finding the 1st item in an array 𝑥
which is greater than 0.
𝐹𝑖𝑛𝑑𝑝𝑜𝑠: 𝑏𝑒𝑔𝑖𝑛
𝑖 ≔ 2; 𝑗 ≔ 1; 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ≔ 𝑀 + 1; 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑀 + 1;
𝑠𝑒𝑎𝑟𝑐ℎ: cobegin
𝑒𝑣𝑒𝑛𝑠𝑒𝑎𝑟𝑐ℎ: 𝑤ℎ𝑖𝑙𝑒 𝑖 < min 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 𝑑𝑜
𝑖𝑓 𝑥 𝑖 > 0 𝑡ℎ𝑒𝑛 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ≔ 𝑖
𝑒𝑙𝑠𝑒 𝑖 ≔ 𝑖 + 2
𝑜𝑑𝑑𝑡𝑜𝑝: 𝑤ℎ𝑖𝑙𝑒 𝑗 < min 𝑜𝑜𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 𝑑𝑜
𝑖𝑓 𝑥 𝑗 > 0 𝑡ℎ𝑒𝑛 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
𝑒𝑙𝑠𝑒 𝑗 ≔ 𝑗 + 2
𝑐𝑜𝑒𝑛𝑑
𝑘 ≔ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝
𝑒𝑛𝑑
Another Example – Proof Outline 1
𝐸𝑆 ∧ 𝑂𝑆
𝑠𝑒𝑎𝑟𝑐ℎ: cobegin
{𝐸𝑆}
𝑒𝑣𝑒𝑛𝑠𝑒𝑎𝑟𝑐ℎ: 𝑤ℎ𝑖𝑙𝑒 𝑖 < min 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 𝑑𝑜
{𝐸𝑆 ∧ 𝑖 < 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ∧ 𝑖 < 𝑀 + 1}
𝑖𝑓 𝑥 𝑖 > 0 𝑡ℎ𝑒𝑛
𝐸𝑆 ∧ 𝑖 < 𝑀 + 1 ∧ 𝑥 𝑖 > 0 ∧ 𝑖 < 𝑒𝑣𝑒𝑛𝑡𝑜𝑝
𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ≔ 𝑖
𝐸𝑆
𝑒𝑙𝑠𝑒
{𝐸𝑆 ∧ i < 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ∧ 𝑥 𝑖 ≤ 0}
𝑖 ≔𝑖+2
𝐸𝑆
{ES}
𝐸𝑆 ∧ i ≥ min 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝
// ⋯
𝑂𝑆 = 𝑜𝑑𝑑𝑡𝑜𝑝 ≤ 𝑀 + 1 ∧ ∀𝑙 𝑙 𝑜𝑑𝑑 ∧ 0 < 𝑙 < 𝑗 → 𝑥 𝑙 ≤ 0 ∧ 𝑗 𝑜𝑑𝑑 ∧ 𝑜𝑑𝑑𝑡𝑜𝑝 ≤ 𝑀 → 𝑥 𝑜𝑑𝑑𝑡𝑜𝑝 > 0
𝐸𝑆 = 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ≤ 𝑀 + 1 ∧ ∀𝑙 𝑙 𝑒𝑣𝑒𝑛 ∧ 0 < 𝑙 < 𝑖 → 𝑥 𝑙 ≤ 0 ∧ 𝑖 𝑒𝑣𝑒𝑛 ∧ 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ≤ 𝑀 → 𝑥 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 > 0
Another Example – Proof Outline 2
… {𝑂𝑆}
𝑜𝑑𝑑𝑡𝑜𝑝: 𝑤ℎ𝑖𝑙𝑒 𝑗 < min 𝑜𝑜𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 𝑑𝑜
𝑂𝑆 ∧ 𝑗 < 𝑜𝑑𝑑𝑡𝑜𝑝 ∧ j < 𝑀 + 1
𝑖𝑓 𝑥 𝑗 > 0 𝑡ℎ𝑒𝑛
{𝑂𝑆 ∧ 𝑗 < 𝑀 + 1 ∧ x 𝑗 > 0 ∧ j < 𝑜𝑑𝑑𝑡𝑜𝑝}
𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
𝑂𝑆
𝑒𝑙𝑠𝑒
𝑂𝑆 ∧ 𝑗 < 𝑜𝑑𝑑𝑡𝑜𝑝 ∧ 𝑥 𝑗 ≤ 0
𝑗≔𝑗+2
𝑂𝑆
𝑂𝑆
𝑂𝑆 ∧ 𝑗 ≥ 𝑚𝑖𝑛 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝
𝑐𝑜𝑒𝑛𝑑
𝑂𝑆 ∧ 𝐸𝑆 ∧ 𝑖 ≥ min 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝 ∧ 𝑗 ≥ min 𝑜𝑑𝑑𝑡𝑜𝑝, 𝑒𝑣𝑒𝑛𝑡𝑜𝑝
𝑘 ≔ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝
𝑘 ≤ 𝑀 + 1 ∧ ∀𝑙 0 < 𝑙 < 𝑘 → 𝑥 𝑙 ≤ 0 ∧ 𝑘 ≤ 𝑀 → 𝑥 𝑘 > 0
Another Example - Proof
• To prove the correctness of the program we
need to:
– Separately check each thread (evensearch &
oddsearch) sequentially
– Verify interference freedom between the threads
• We will show that oddsearch does not
interfere with evensearch
– (the complementary argument is similar)
Another Example - Proof
• No need to check all possible statements in oddsearch
• Enough the check only assignments of oddsearch that
change a shared variable
– The only suitable statement is 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
• No need to check all possible statements in evensearch
• Enough the check only assertions of evensearch
affected by the change of a shared variable
– The only suitable assertion is 𝑖 ≥ min(𝑒𝑣𝑒𝑛𝑡𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝)
Another Example - Proof
• Need to show that:
𝑖 ≥ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝 ∧ 𝑝𝑟𝑒 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
𝑖 ≥ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝
– 𝑝𝑟𝑒 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗 = {𝑂𝑆 ∧ 𝑗 < 𝑀 + 1 ∧ 𝑥 𝑗 > 0 ∧ 𝑗 < 𝑜𝑑𝑑𝑡𝑜𝑝}
• 𝑗 < 𝑜𝑑𝑑𝑡𝑜𝑝 is part of 𝑝𝑟𝑒 𝑜𝑑𝑑𝑡𝑜𝑝 ≔ 𝑗
– Therefore 𝑖 ≥ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑜𝑑𝑑𝑡𝑜𝑝 ≥ min 𝑒𝑣𝑒𝑛𝑡𝑜𝑝, 𝑗
• We conclude that the assertion holds!
Synchronization Mechanism
• The deductive system presented is flexible
enough to handle other existing parallel
programming tools
– Semaphores
– Mutual exclusion
• The tools can be converted to assertions and
verified
Synchronization Mechanism
• Semaphores
– Obtain a semaphore:
• 𝑃 𝑠𝑒𝑚 : 𝑎𝑤𝑎𝑖𝑡 𝑠𝑒𝑚 > 0 𝑡ℎ𝑒𝑛 𝑠𝑒𝑚 ≔ 𝑠𝑒𝑚 − 1
– Release a semaphore:
• 𝑉 𝑠𝑒𝑚 : 𝑎𝑤𝑎𝑖𝑡 𝑡𝑟𝑢𝑒 𝑡ℎ𝑒𝑛 𝑠𝑒𝑚 ≔ 𝑠𝑒𝑚 + 1
Synchronization Mechanism
• Mutual Exclusion
– We introduce another statement to the system:
𝑤𝑖𝑡ℎ 𝑟 𝑤ℎ𝑒𝑛 𝐵 𝑑𝑜 𝑆
– 𝑟 is the resource on which we want mutual
exclusion (𝐵 and 𝑆 same as in the 𝑎𝑤𝑎𝑖𝑡
staement)
– The assertion 𝐼(𝑟) (invariant of 𝑟, if exists) is
appended to the assertions of 𝑆
Conclusion
• a strong versatile deductive system for parallel
program verification
– Few assumptions on the system and/or program
• The main ideas:
– Start by verifying the sequential case and than check
that parallel execution doesn’t invalidate the proof
– Sometimes we might need to loosen our assertions to
be able to prove them
– In some cases we might need to add auxiliary
variables to a program in order to verify it
References
• An Axiomatic Proof Technique for Parallel Programs
– Susan Owicky & David Gries, 1976
• Verifying Properties of Parallel Programs: An axiomatic
Approach
– Susan Owicky & David Gries, 1976
• An Axiomatic Basis for Computer Programming
– C. A. R. Hoare, 1969
• An Exercise in Proving Parallel Programs Correct
– David Gries, 1977
• Verification of Sequential and Concurrent Programs
– Krzysztof R. Apt, Frank S. de Boer, Ernst-Rudiger Oldberog
3rd edition, 2010
Questions?