![Page 1: K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 0 1 September 2009 FOSAD 2009, Bertinoro, Italy](https://reader030.vdocuments.us/reader030/viewer/2022032705/56649db15503460f94a9fae5/html5/thumbnails/1.jpg)
A Foundation for Verifying Concurrent Programs
K. Rustan M. Leino
RiSE, Microsoft Research, Redmond
joint work with Peter Müller and Jan Smans
Lecture 0
1 September 2009
FOSAD 2009, Bertinoro, Italy

Program verification
Prove program correctness for all possible inputs and behaviors

Modular verification
Prove parts of a program separately
Correctness of every part implies correctness of the whole program

Specifications
Record programmer design decisions
Describe usage of program constructs
Provide redundancy
Enable modular verification

Specification style
Specification and verification methodology
Describes properties of the heap
Active area of research
Ownership: Spec#, Java+JML, vcc, type systems, …
Dynamic frames: VeriCool, Dafny
Permissions (capabilities): Effect systems, separation logic, VeriCool 3, Chalice, …

Concurrent programs
Interleaving of thread executions
Unbounded number of: threads, locks, …
We need some basis for doing the reasoning
A way of thinking!

These lectures
Concurrent programs
Features like: threads, monitors, abstraction
as well as: objects, methods, loops, …
Avoid errors like: race conditions, deadlocks
Specifications with permissions
Building a program verifier

Demo: Square (pre- and postconditions)

Demo: Cube (loop invariants)

Demo: ISqrt (Chalice)

Specifications at run time
Helps testing find bugs more quickly
Optional, they can be treated as ghosts
If they are to be ghosted, specifications must have no side effects (on non-ghost state)

Dealing with memory (the heap)
Access to a memory location requires permission
Permissions are held by activation records
Syntax for talking about permission to y: acc(y)

Demo: Inc (permissions)

Transfer of permissions

    method Main()
    {
      var c := new Counter;
      call c.Inc();
    }

    method Inc()
      requires acc(y)
      ensures acc(y)
    {
      y := y + 1;
    }

The permission acc(c.y) is transferred from Main to Inc by the call (through the precondition) and back to Main on return (through the postcondition).

Well-formed specifications
A specification expression can mention a memory location only if it also entails the permission to that location

Examples:
    acc(y) && y < 100                (well-formed)
    y < 100                          (mentions y without any permission to y)
    acc(x) && y < 100                (permission to x says nothing about y)
    acc(o.y) && p.y < 100            (permission to o.y covers p.y only if o == p)
    o == p && acc(o.y) && p.y < 100  (well-formed)
    x / y < 20                       (the division is not known to be defined)
    y ≠ 0 && x / y < 20              (division by zero excluded)

Loop invariants and permissions
A loop iteration is like its own activation record

    Before;
    while (B)
      invariant J
    {
      S;
    }
    After;

is like

    Before;
    call MyLoop(…);
    After;

    method MyLoop(…)
      requires J
      ensures J
    {
      if (B) {
        S;
        call MyLoop(…);
      }
    }

Loop invariant: example

    method M()
      requires acc(x) && acc(y) && x <= 100 && y <= 100
    {
      while (y < 100)
        invariant acc(y) && y <= 100
      {
        y := y + 1;
        x := x + 1;  // error: no permission to access x
      }
      assert x <= y;
    }

Loop invariant: example

    method M()
      requires acc(x) && acc(y) && x <= 100 && y <= 100
    {
      while (y < 100)
        invariant acc(y) && y <= 100
      {
        y := y + 1;
      }
      assert x <= y;
    }

The assertion holds: the invariant together with the negated loop guard gives y == 100 after the loop, and x is unchanged because the loop never held permission to x, so x <= 100 == y.

Demo: ISqrt with fields (loop invariants with permissions)

Threads
Threads run concurrently
A new thread of control is started with the fork statement
A thread can wait for another to complete with the join statement
Permissions are transferred to and from a thread via the starting method’s pre- and postconditions

Demo: ForkInc (fork and join)

The two halves of a call
call == fork + join

    call x,y := o.M(E, F);

is semantically like

    fork tk := o.M(E, F);
    join x,y := tk;

… but is implemented more efficiently

Demo: TwoSqrts (parallel computation)

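The ISqrt, ISqrt-with-fields and TwoSqrts demos are not reproduced on the slides. The following is an added Chalice example written for this page, not code from the lecture's demo files; the class and field names (Calc, n, r, TwoSqrts), the local n0 and the concrete inputs 144 and 200 are the example's own choices. It puts together the pieces the slides describe: a method with pre- and postconditions, a loop invariant that, because a loop iteration is like its own activation record, must itself carry acc(n) and acc(r), and two instances computed in parallel, where the permissions travel to each thread through ISqrt's precondition at the fork and come back through its postcondition at the join.

```chalice
// Added example, not from the lecture's demo files.
class Calc {
  var n: int;   // input
  var r: int;   // result: the integer square root of n

  method ISqrt()
    requires acc(n) && acc(r) && 0 <= n
    ensures acc(n) && acc(r) && n == old(n)
    ensures r*r <= n && n < (r+1)*(r+1)
  {
    var n0 := n;   // snapshot, so the invariant can state that n is unchanged
    r := 0;
    while ((r+1)*(r+1) <= n)
      // The loop body sees only what the invariant hands it, so the
      // permissions to n and r must be listed here, not just in the precondition.
      invariant acc(n) && acc(r) && n == n0
      invariant 0 <= r && r*r <= n
    {
      r := r + 1;
    }
    // Negated guard plus invariant: r*r <= n < (r+1)*(r+1).
  }
}

class TwoSqrts {
  method Main()
  {
    var a := new Calc;   // new gives Main acc(a.n) and acc(a.r)
    var b := new Calc;
    a.n := 144;
    b.n := 200;
    // fork transfers acc(a.n) and acc(a.r) to the new thread via ISqrt's precondition;
    // Main can neither read nor write a.r until it joins.
    fork ta := a.ISqrt();
    fork tb := b.ISqrt();
    // join brings the permissions (and the postcondition) back to Main.
    join ta;
    join tb;
    assert a.r * a.r <= a.n && a.n < (a.r+1)*(a.r+1);
    assert b.r * b.r <= b.n && b.n < (b.r+1)*(b.r+1);
  }
}
```

Replacing the two forks and joins by two sequential `call a.ISqrt(); call b.ISqrt();` verifies with exactly the same specifications, which is the point of the "call == fork + join" slide.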
Well-formed revisited
Recall: A specification expression can mention a memory location only if it also entails some permission to that location
Example: acc(y) && y < 100
Without any permission to y, other threads may change y, and then y would not be stable

Read permissions
acc(y): write permission to y
rd(y): read permission to y
At any one time, at most one thread can have write permission to a location

Demo: VideoRental (parallel reads)

Fractional permissions
acc(y): 100% permission to y
acc(y, p): p% permission to y
rd(y): read permission to y
Write access requires 100%
Read access requires >0%

    acc(y) = acc(y,69) + acc(y,31)
    rd(y)  = acc(y, ε)

Implicit dynamic frames

    method M()
      requires acc(y)
      ensures acc(y)

can change y

    method P()
      requires rd(y)
      ensures rd(y)

Can P change y? That is, can we prove:

    method Q()
      requires rd(y) && y == 5
    {
      call P();
      assert y == 5;
    }

Demo: NoPerm

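The VideoRental demo is not on the slides either. What follows is an added Chalice example for the parallel-reads and fractional-permissions slides, written for this page rather than taken from the lecture; the class Cell, the methods Read and ParallelReads, and the 40/40/20 split of the permission to y are the example's own choices. It splits acc(y) so that two forked readers run at the same time, keeps a nonzero fraction in the forking thread so that thread can still rely on y being unchanged, and shows the join restoring the 100% that a write needs.

```chalice
// Added example, not from the lecture's demo files.
class Cell {
  var y: int;

  // A reader needs only a fraction of the permission to y (read access: >0%).
  // 40% is an arbitrary fraction chosen for this example.
  method Read() returns (v: int)
    requires acc(y, 40)
    ensures acc(y, 40) && v == y
  {
    v := y;
  }

  method ParallelReads() returns (va: int, vb: int)
    requires acc(y)
    ensures acc(y) && va == old(y) && vb == old(y) && y == old(y) + 1
  {
    // acc(y) = acc(y,40) + acc(y,40) + acc(y,20):
    // each fork takes 40% through Read's precondition, this thread keeps 20%.
    fork ta := this.Read();
    fork tb := this.Read();
    // With 20% this thread may still read y, and because it never dropped
    // to 0% the verifier knows no other thread can have obtained write access.
    var snapshot := y;
    // A write here would not verify: write access requires 100%.
    // y := y + 1;
    join va := ta;   // returns 40% and establishes va == y
    join vb := tb;   // returns the other 40%: back to 100%
    assert va == vb && va == snapshot;
    y := y + 1;      // 100% held again, so writing is permitted
  }
}
```

Had the two forks taken 50% each, the assertion `va == snapshot` would not be provable: with 0% the forking thread has no stable knowledge of y until a join returns some permission, which is exactly the stability point made on the "Well-formed revisited" slide.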
Shared state
What if two threads want write access to the same location?

    class Fib {
      var y: int;

      method A() …
      {
        y := y + 21;
      }

      method B() …
      {
        y := y + 34;
      }

      method Main()
      {
        var c := new Fib;
        fork c.A();
        fork c.B();
      }
    }

Main holds acc(c.y) after new, but both forks would need it: which thread should get acc(c.y)?

Monitors

    class Fib {
      var y: int;
      invariant acc(y);

      method A() …
      {
        acquire this;
        y := y + 21;
        release this;
      }

      method B() …
      {
        acquire this;
        y := y + 34;
        release this;
      }

      method Main()
      {
        var c := new Fib;
        share c;
        fork c.A();
        fork c.B();
      }
    }

share c transfers acc(c.y) from Main into the monitor; acquire this obtains acc(y) from the monitor invariant, and release this gives it back.

Monitor invariants
Like other specifications, can hold both permissions and conditions
Example: invariant acc(y) && 0 <= y

Object life cycle
States: thread local; shared, available; shared, locked
Transitions:
    new: creates the object in the thread local state
    share: thread local → shared, available
    acquire: shared, available → shared, locked
    release: shared, locked → shared, available

Demo: SharedCounter (monitors)

Locks and permissions
The concepts
    holding a lock, and
    having permissions
are orthogonal to one another
In particular: holding a lock does not imply any right to read or modify shared variables
Their connection is:
    Acquiring a lock obtains some permissions
    Releasing a lock gives up some permissions

Thread-safe libraries
Server-side locking: “safer” (requires less thinking)

    invariant acc(y);

    method M()
      requires true
    {
      acquire this; y := …; release this;
    }

Client-side locking: more efficient

    method M()
      requires acc(y)
    {
      y := …;
    }

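The SharedCounter demo is not on the slides. The Chalice program below is an added example written for this page, not the lecture's demo file: the class name SharedCounter, the method names IncLocked and Add, the increments 21 and 34 (borrowed from the Fib slide) and the precondition rd(this.mu) && waitlevel << this.mu, which the example assumes is the deadlock-avoidance obligation Chalice places on a method that acquires its receiver, are all the example's own. IncLocked is the server-side locking style of the last slide, Add is the client-side style, and Main walks one object through the life cycle: new (thread local), share (shared, available), acquire and release (shared, locked and back).

```chalice
// Added example, not from the lecture's demo files.
class SharedCounter {
  var y: int;

  // The monitor invariant holds a permission and a condition.  share moves
  // acc(y) from the creating thread into the monitor; acquire hands it to the
  // acquiring thread; release takes it back and requires 0 <= y again.
  invariant acc(y) && 0 <= y;

  // Server-side locking: the caller needs no permission to y.  The precondition
  // (assumed here) lets the method read the lock level of this and requires that
  // the caller holds no lock at or above it, so acquire cannot deadlock.
  method IncLocked(k: int)
    requires rd(this.mu) && waitlevel << this.mu && 0 <= k
  {
    acquire this;     // obtains acc(y) && 0 <= y from the invariant
    y := y + k;
    release this;     // must re-establish acc(y) && 0 <= y: this is why 0 <= k
  }

  // Client-side locking: the caller must already hold acc(y), usually because
  // it acquired the monitor itself.  Holding the lock is what yields the permission.
  method Add(k: int)
    requires acc(y) && 0 <= y && 0 <= k
    ensures acc(y) && y == old(y) + k
  {
    y := y + k;
  }

  method Main()
  {
    var c := new SharedCounter;   // thread local: Main holds acc(c.y)
    c.y := 0;                     // establish the invariant before sharing
    share c;                      // shared, available: acc(c.y) now lives in the monitor
    // Neither fork receives acc(c.y): each thread gets it from acquire, one at a time.
    fork ta := c.IncLocked(21);
    fork tb := c.IncLocked(34);
    join ta;
    join tb;
    acquire c;                    // shared, locked: Main obtains acc(c.y) && 0 <= c.y
    call c.Add(1);                // client-side style, permission came from the lock
    release c;                    // gives acc(c.y) back; the invariant must hold here
  }
}
```

Without the `share c`, the two forks would be the Fib race from the "Shared state" slide: only one acc(c.y) exists, and a version of IncLocked that simply required acc(y) could be forked at most once.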