# INF4140 - Models of concurrency

# Fall 2016

# September 23, 2016

### Abstract

This is the "handout" version of the slides for the lecture (i.e., it's a rendering of the content of the slides in a way that does not waste so much paper when printing out). The material is found in [Andrews, 2000]. Being a handout-version of the slides, some figures and graph overlays may not be rendered in full detail, I remove most of the overlays, especially the long ones, because they don't make sense much on a handout/paper. Scroll through the real slides instead, if one needs the overlays.

This handout version also contains more remarks and footnotes, which would clutter the slides, and which typically contains remarks and elaborations, which may be given orally in the lecture.

03. 10. 2016

# 1 Program Analysis

# Program Logic (PL)

- PL lets us *express* and *prove* properties about programs
- *Formulas* are on the form

"triple" (or "Hoare triple")

 $\{P\}S\{Q\}$ 

- -S: program statement(s)
- P and Q: assertions over program states
- P: Pre-condition
- -Q: Post-condition

If we can use PL to prove some property of a program, then this property will hold for all executions of the program

### PL rules from last week

# How to actually use the while rule?

- Cannot control the execution in the same manner as for if statements
  - Cannot tell *from the code* how many times the loop body will be executed (not a "syntax-directed" rule)

$$\{ \ y \geq 0 \ \}$$
 while  $(y > 0) \ y := y - 1$ 

- Cannot speak about the state after the first, second, third ... iteration
- Solution: Find an assertion I that is maintained by the loop body
  - Loop invariant: express a property preserved by the loop
- Often hard to find suitable loop invariants
  - The course is not an exercise in finding complicated invariants
  - "suitable:
    - 1. must be preserved by the body, i.e., it must be actually an invariant
    - 2. must be strong enough to imply the desired post-condition
    - 3. Note: both "true" and "false" are loop invariants for partial correctness! Both typically fail to be suitable (i.e. they are basically useless invariants).

# While rule

$$\label{eq:constraint} \left\{ \begin{array}{c} I \land B \end{array} \right\} S \left\{ \begin{array}{c} I \end{array} \right\}$$
 While  $B$  do  $S \left\{ \begin{array}{c} I \land \neg B \end{array} \right\}$  While

Can use this rule to reason about the general situation:

$$\{ \ P \ \}$$
 while  $B$  do  $S \ \{ \ Q \ \}$ 

where

- P need not be the loop invariant
- Q need not match  $(I \land \neg B)$  syntactically

Combine WHILE-rule with CONSEQUENCE-rule to prove:

- Entry:  $P \Rightarrow I$
- Loop:  $\{ I \land B \} S \{ I \}$
- Exit:  $I \land \neg B \Rightarrow Q$

### While rule: example

 $\{ 0 \le n \} k := 0; \{ k \le n \}$  while  $(k < n) k := k + 1; \{ k = n \}$ 

Composition rule splits a proof in two: assignment and loop. Let  $k \leq n$  be the loop invariant

- Entry:  $k \leq n$  follows from itself
- Loop:

$$\frac{k < n \Rightarrow k + 1 \le n}{\{ k \le n \land k < n \} k := k + 1 \{ k \le n \} }$$

• Exit:  $(k \le n \land \neg (k < n)) \Rightarrow k = n$ 

# Rule for await

 $\frac{\{P \land B\} S \{Q\}}{\{P\} \langle \texttt{await}(B) S \rangle \{Q\}} \text{Await}$ 

Remember: we are reasoning about safety properties/partial correctness

- termination is assumed/ignored
- the rule does not speak about waiting or progress

#### **Concurrent** execution

Assume two statements  $S_1$  and  $S_2$  such that:

 $\{P_1\}\langle S_1\rangle\{Q_1\}$  and  $\{P_2\}\langle S_2\rangle\{Q_2\}$ 

Note: to avoid further complications right now:  $S_i$ 's are enclosed into " $\langle \text{atomic brackets} \rangle$ ". First attempt for a co...oc rule in PL:

$$\frac{\{P_1\}\langle S_1\rangle\{Q_1\}}{\{P_1\wedge P_2\}\operatorname{co}\langle S_1\rangle \| \langle S_2\rangle \operatorname{co}\{Q_1\wedge Q_2\}} \operatorname{Pap}$$

Example 1 (Problem with this rule).

$$\frac{\{x=0\} \langle x := x+1 \rangle \{x=1\}}{\{x=0\} \langle x := x+2 \rangle \{x=2\}}$$

but this conclusion is not true: the postcondition should be x = 3!

1>This first attempt may seem plausible. One has two programs, both with its "own" precondition. Therefore, if they run in parallel, they start in a common state, obviously. That may be characterized by the conjunction. Alternatively, one may use the *same* precondition. There is not much difference between those two ways of thinking (due to strengthening of preconditions). Indeed, the precodition in this line of reasoning is not problematic. Note however, that conceptually we are thinking in a *forward* way, we are not currently reason like "assume you are in a given post-state, ...". But the forward reasoning fits better to the following illustrating example. 2>Different ways to analyze what's exactly wrong. But the important observation is: that it's plain wrong. Remember Soundness. The break of soundness is illustrated by the following example. Linear logic, resources: "I win 100 dollar  $\land$  I win 100 dollar". The rule, if it were true, wo be nice: compositionality. For independent variables (i.e., local ones) it would be true. So, the reason, why concurrency is hard/compositional reasoning does not work, are shared variables. The absence of such problem will later be called interference free. It will not be defined for processes alone, but for specifications insofar: an annotated program is interference free if the *conditions* of parallel processes are not disturbed. It's like an invariant.

### Interference problem

- $\begin{array}{ll} S_1 & \{ \; x=0 \; \} \; \langle x:=x+1 \rangle \; \{ \; x=1 \; \} \\ S_2 & \{ \; x=0 \; \} \; \langle x:=x+2 \rangle \; \{ \; x=2 \; \} \end{array}$
- execution of  $S_2$  interferes with pre- and postconditions of  $S_1$

– The assertion x = 0 need not hold when  $S_1$  starts execution

- execution of  $S_1$  interferes with pre- and postconditions of  $S_2$ 
  - The assertion x = 0 need not hold when  $S_2$  starts execution

Solution: weaken the assertions to account for the other process:

$$S_1 \quad \{ x = 0 \lor x = 2 \} \langle x := x + 1 \rangle \{ x = 1 \lor x = 3 \}$$
  
$$S_2 \quad \{ x = 0 \lor x = 1 \} \langle x := x + 2 \rangle \{ x = 2 \lor x = 3 \}$$

### Interference problem

Apply the previous "parallel-composition-is-conjunction" rule again:

$$\begin{array}{l} \left\{ \begin{array}{l} x=0 \lor x=2 \end{array} \right\} \langle x:=x+1 \rangle \; \left\{ \begin{array}{l} x=1 \lor x=3 \end{array} \right\} \\ \left\{ \begin{array}{l} x=0 \lor x=1 \end{array} \right\} \; \langle x:=x+2 \rangle \; \left\{ \begin{array}{l} x=2 \lor x=3 \end{array} \right\} \\ \hline \left\{ \begin{array}{l} PRE \end{array} \right\} \; \cos \langle x:=x+1 \rangle \parallel \langle x:=x+2 \rangle \; \mathrm{oc} \; \left\{ \begin{array}{l} POST \end{array} \right\} \end{array}$$

where:

$$PRE : (x = 0 \lor x = 2) \land (x = 0 \lor x = 1) POST : (x = 1 \lor x = 3) \land (x = 2 \lor x = 3)$$

which gives:

$$\{x = 0\}$$
 co  $||x = x + 1|| \langle x := x + 2 \rangle$  oc  $\{x = 3\}$ 

### Concurrent execution

Assume  $\{P_i\} S_i \{Q_i\}$  for all  $S_1, \ldots, S_n$ 

| $\{P_i\}S_i\{Q_i\}$ are interference free                                                                                                | Cooc |
|------------------------------------------------------------------------------------------------------------------------------------------|------|
| $\overline{\{P_1 \wedge \ldots \wedge P_n\}} \operatorname{co} S_1 \parallel \ldots \parallel S_n \operatorname{oc} \{Q_1 \wedge \ldots$ |      |

# Interference freedom

A process interferes with (the specification of) another process, if its execution changes the assertions<sup>1</sup> of the other process.

- assertions inside awaits: not endangered
- critical assertions or critical conditions: assertions outside await statement bodies.<sup>2</sup>

# Interference freedom

#### Interference freedom

- S: statement in some process, with pre-condition pre(S)
- C: critical assertion in another process
- S does not interfere with C, if

$$\vdash \{ C \land pre(S) \} S \{ C \}$$

is derivable in PL (= theorem).

"C is *invariant* under the execution of the other process"

 $\frac{\{P_1\}S_1\{Q_1\}}{\{P_1 \land P_2\} \cos S_1 \parallel S_2 \cos \{Q_1 \land Q_2\}}$ 

Four interference freedom requirements:

$$\begin{array}{l} \{P_2 \land P_1\} \ S_1 \ \{P_2\} & \{P_1 \land P_2\} \ S_2 \ \{P_1\} \\ \{Q_2 \land P_1\} \ S_1 \ \{Q_2\} & \{Q_1 \land P_2\} \ S_2 \ \{Q_1\} \end{array}$$

<sup>&</sup>lt;sup>1</sup>Only "critical assertions" considered

<sup>&</sup>lt;sup>2</sup>More generally one could say: outside mutex-protected sections.

# "Avoiding" interference: Weakening assertions

Here we have interference, for instance the precondition of  $S_1$  is not maintained by execution of  $S_2$ :

$$\{ (x=0) \land (x=0) \} x := x+2 \{ x=0 \}$$

is not true

However, after weakening:

$$S_1: \{x = 0 \lor x = 2\} \langle x := x + 1 \rangle \{x = 1 \lor x = 3\}$$
  
$$S_2: \{x = 0 \lor x = 1\} \langle x := x + 2 \rangle \{x = 2 \lor x = 3\}$$

$$\{ (x = 0 \lor x = 2) \land (x = 0 \lor x = 1) \} x := x + 2 \{ x = 0 \lor x = 2 \}$$

(Correspondingly for the other three critical conditions)

### Avoiding interference: Disjoint variables

- V set: global variables referred to (i.e. read or written) by a process
- W set: global variables written to by a process
- Reference set: global variables in critical assertions/conditions of one process

 $S_1$  and  $S_2$ : in 2 different processes. No interference, if:

- W set of  $S_1$  is disjoint from reference set of  $S_2$
- W set of  $S_2$  is disjoint from reference set of  $S_1$

Alas: variables in a critical condition of one process will often be among the written variables of another

# Avoiding interference: Global invariants

# Global inductive invariants

- Some condition that only refers to global (shared) variables
- Holds initially.
- Preserved by all assignments/transitions ("inductive")

"Separation of concerns: We avoid interference if critical conditions are on the form {  $I \wedge L$  } where:

- *I* is a global invariant
- L only refers to local variables of the considered process

### Avoiding interference: Synchronization

- Hide critical conditions
- MUTEX to critical sections

 $\texttt{co} \dots; S; \dots \parallel \dots; S_1; \Set{C}{S_2; \dots \texttt{oc}}$ 

 ${\cal S}$  might interfere with  ${\cal C}$  Hide the critical condition by a critical region:

 $\operatorname{co}\ldots;S;\ldots\parallel\ldots;\langle S_1;\{C\}S_2\rangle;\ldots\operatorname{oc}$ 

### Example: Producer/ consumer synchronization

Let process Producer deliver data to a Consumer process

 $PC: c \le p \le c + 1 \land (p = c + 1) \Rightarrow (buf = a[p - 1])$ 

*PC* a global inductive invariant of the producer/consumer?

### **Example:** Producer

Loop invariant of Producer:  $I_P : PC \land p \leq n$ 

**Proof obligation:** {  $I_P \land p < n \land p = c$  }  $\Rightarrow$  {  $I_P$  }[p + 1/p][a[p]/buf]

### Example: Consumer

Loop invariant of Consumer:  $I_C : PC \land c \le n \land b[0:c-1] = a[0:c-1]$ 

**Proof Obligation:**  $\{I_C \land c < n \land p > c\} \Rightarrow \{I_C\}[c+1/c][buf/b[c]]$ 

# Example: Producer/Consumer

The final state of the program satisfies:

$$PC \wedge p = n \wedge c = n \wedge b[0:c-1] = a[0:c-1]$$

which ensures that all elements in a are received and occur in the same order in b

Interference freedom is ensured by the global invariant and await-statements. Combining the two assertions after the await statements, we get:

 $I_P \wedge p < n \wedge p = c \wedge I_C \wedge c < n \wedge p > c$ 

which gives *false*! At any time, only one process can be after the await statement!

# Monitor invariant

- A monitor invariant (I): describe the monitor's inner state
- Express relationship between monitor variables
- Maintained by execution of procedures:
  - Must hold after initialization
  - Must hold when a procedure terminates
  - Must hold when we suspend execution due to a call to wait
  - Can assume that the invariant holds after wait and when a procedure starts
- Should be as *strong* as possible!

# Axioms for signal and continue (1)

Assume that the monitor invariant I and predicate P does not mention cv. Then we can set up the following axioms:

 $\left\{ \begin{array}{l} I \end{array} \right\} wait(cv) \left\{ \begin{array}{l} I \end{array} \right\} \\ \left\{ \begin{array}{l} P \end{array} \right\} signal(cv) \left\{ \begin{array}{l} P \end{array} \right\} \\ \left\{ \begin{array}{l} P \end{array} \right\} signal\_all(cv) \left\{ \begin{array}{l} P \end{array} \right\} \\ for arbitrary P \end{array}$ 

### Monitor solution to reader/writer problem

Verification of the invariant over request\_read

$$I: (nr = 0 \lor nw = 0) \land nw \le 1$$

```
procedure request_read() {

{ I }

while (nw > 0) { I \land nw > 0 }

{ I \land nw = 0 }

{ I \land nw = 0 }

{ I[nr + 1/nr] }

nr = nr + 1;

{ I }

}
```

 $(I \wedge nw > 0) \Rightarrow I (I \wedge nw = 0) \Rightarrow I[nr + 1/nr]$  1>The invariant we had earlier already, it's the obvious one.

### Axioms for Signal and Continue (2)

Assume that the invariant can mention the number of processes in the queue to a condition variable.

- Let #cv be the number of proc's waiting in the queue to cv.
- The test empty(cv) thus corresponds to #cv = 0

wait(cv) is modelled as an extension of the queue followed by processor release:

$$wait(cv): \{?\} \ \#cv:= \ \#cv+1; \{I\} \ "sleep"\{I\}$$

by assignment axiom:

$$wait(cv): \{I[\#cv + 1/\#cv]; \#cv := \#cv + 1; \{I\} "sleep" \{I\}\}$$

### Axioms for Signal and Continue (3)

signal(cv) can be modelled as a reduction of the queue, if the queue is not empty:

$$signal(cv): \{?\} if (\#cv \neq 0) \#cv := \#cv - 1 \{P\}$$

$$\begin{aligned} \text{signal}(cv): & \{((\#cv=0) \Rightarrow P) \land ((\#cv\neq 0) \Rightarrow P[\#cv-1/\#cv]\} \\ & if \ (\#cv\neq 0) \ \#cv := \#cv-1 \\ & \{P\} \end{aligned}$$

•  $signal\_all(cv): \{ P[0/\#cv] \} \#cv := 0 \{ P \}$ 

Axioms for Signal and Continue (4)

Together this gives:

Axioms for monitor communication

{ I[#cv + 1/#cv] } wait(cv) { I } WAIT {  $((\#cv = 0) \Rightarrow P) \land ((\#cv \neq 0) \Rightarrow P[\#cv - 1/\#cv])$  } signal(cv) { P } SIGNAL { P[0/#cv] } signal\_all(cv) { P } SIGNALALL

If we know that  $\#cv \neq 0$  whenever we signal, then the axiom for signal(cv) be simplified to:

 $\{ P[\#cv - 1/\#cv] \}$  signal $(cv) \{ P \}$ 

Note! #cv is not allowed in statements!, Only used for reasoning

#### Example: FIFO semaphore verification (1)

```
 \{ \begin{array}{l} \# \ monitor \ invariant: \ s \geq \\ \# \ value \ of \ the \ semaphore \\ \# \ wait \ condition \end{array} 
monitor Semaphore
                                                                                                           0
    int s := 0;
   cond pos;
    procedure Psem() {
        i f
               (s=0)
                wait (pos);
        else
                s := s - 1
   }
    procedure Vsem() {
        i f
                  empty(pos)
                  \mathbf{s} \hspace{0.1 cm} := \hspace{0.1 cm} \mathbf{s} \hspace{0.1 cm} + \hspace{0.1 cm} \mathbf{1}
        else
                   signal(pos);
    }
```

Consider the following monitor invariant:

 $s \ge 0 \land (s > 0 \Rightarrow \#pos = 0)$ 

No process is waiting if the semaphore value is positive!

1>The example is from the monitor chapter. This is a monitor solution for FIFO-semaphores, even under the weak s&c signalling discipline. It's "forwarding the condition"

### Example: FIFO semaphore verification: Psem

 $I: s \ge 0 \land (s > 0 \Rightarrow \#pos = 0)$ 

```
procedure Psem() {

{I}

if (s=0) {I \land s = 0}

{I[\#pos + 1/\#pos]} wait(pos); {I}

else {I \land s \neq 0}

{I[s - 1/s]} s := s-1; {I}

{I}

}
```

# Example: FIFO semaphore verification (3)

$$I: s \ge 0 \land (s > 0 \Rightarrow \#pos = 0)$$

This gives two proof obligations: If-branch:

$$\begin{array}{ll} (I \wedge s = 0) & \Rightarrow & I[\#pos + 1/\#pos] \\ s = 0 & \Rightarrow & s \geq 0 \wedge (s > 0 \Rightarrow \#pos + 1 = 0) \\ s = 0 & \Rightarrow & s \geq 0 \end{array}$$

Else branch:

$$\begin{array}{ll} (I \wedge s \neq 0) & \Rightarrow & I[s - 1/s] \\ (s > 0 \wedge \#pos = 0) & \Rightarrow & s - 1 \geq 0 \wedge (s - 1 \geq 0 \Rightarrow \#pos = 0) \\ (s > 0 \wedge \#pos = 0) & \Rightarrow & s > 0 \wedge \#pos = 0 \end{array}$$

### Example: FIFO semaphore verification: Vsem

 $I: s \ge 0 \land (s > 0 \Rightarrow \#pos = 0)$ 

```
procedure Vsem() {

{I}

if empty(pos) \{I \land \#pos = 0\}

\{I[s+1/s]\}s:=s+1; \{I\}

else \{I \land \#pos \neq 0\}

\{I[\#pos - 1/\#pos]\} signal(pos); \{I\}

{I}

}
```

Example: FIFO semaphore verification (5)

$$I: s \ge 0 \land (s > 0 \Rightarrow \#pos = 0)$$

As above, this gives two proof obligations: If-branch:

 $\begin{array}{ll} (I \wedge \#pos = 0) & \Rightarrow & I[s+1/s] \\ (s \geq 0 \wedge \#pos = 0) & \Rightarrow & s+1 \geq 0 \wedge (s+1 > 0 \Rightarrow \#pos = 0) \\ (s \geq 0 \wedge \#pos = 0) & \Rightarrow & s+1 \geq 0 \wedge \#pos = 0 \end{array}$ 

Else branch:

$$\begin{array}{ll} (I \wedge \#pos \neq 0) & \Rightarrow & I[\#pos - 1/\#pos] \\ (s = 0 \wedge \#pos \neq 0) & \Rightarrow & s \geq 0 \wedge (s > 0 \Rightarrow \#pos - 1 = 0) \\ s = 0 & \Rightarrow & s \geq 0 \end{array}$$

# References

[Andrews, 2000] Andrews, G. R. (2000). Foundations of Multithreaded, Parallel, and Distributed Programming. Addison-Wesley.