queue-spec-sc.tex 9.5 KB
Newer Older
1
\subsection{Specification under sequential consistency}
2
3
\label{sec:queue:spec:sc}

Glen Mével's avatar
Glen Mével committed
4
We now consider a situation where several threads can access the queue concurrently.
Glen Mével's avatar
Glen Mével committed
5
Let us assume for now that the memory model is sequentially consistent~\cite{lamport-79}.
6
%
Glen Mével's avatar
Glen Mével committed
7
8
9
10
11
12
13
In a seminal work, \citet{brookes-04} and \citet{ohearn-07} devised \CSL, an extension of \SL which enables to reason
about programs where several threads can access a same piece of memory.
Though the original logic achieves sharing through hard-wired ``conditional critical regions'',
it has spawned a variety of descendants lifting this limitation and pushing
further the applicability of such separation logics.
% applicability / expressiveness / generality
In this work, we use Iris~\cite{iris}, a modular framework for building separation logics.
Glen Mével's avatar
Glen Mével committed
14
15

In a derivative of \CSL, we may retain the exact same specification as is presented
16
in~\fref{fig:queue:spec:seq}, recalling that $\isQueueSEQ\elemList$ is an
Glen Mével's avatar
Glen Mével committed
17
exclusive assertion:
18
a thread that has this assertion can safely assume to be the only one allowed
19
20
to operate on the queue.
%
21
22
A client application can transfer this assertion between threads via some means of
synchronization: for instance, it may use a lock to guard all operations on the
Glen Mével's avatar
Glen Mével committed
23
24
25
26
27
shared queue, following the approach of \CSL.
%
However this coarse grain concurrency has a run-time penalty,
and it also creates some contention on the use of the queue.
%
28
29
These costs are often unnecessary, as many data~structures are designed
specifically to support concurrent accesses. In this paper, as stated, we wish
30
to prove the correctness of a MPMC~queue implementation, which should thus
31
32
ensure, by itself, thread safety.
%
Glen Mével's avatar
Glen Mével committed
33
Hence we can achieve finer-grain concurrency, where operating on a queue does
34
35
36
37
38
39
40
41
not require its exclusive ownership.

In this context, another option is for the client to share this ownership among
several threads, logically. In an Iris-like logic, one would typically place the
exclusive ownership in an \emph{invariant}.
%---alongside the properties about the public state which are needed by the particular application.
An invariant is an assertion which is agreed upon by all threads, and is owned
by anyone; it remains true forever.
42
%
43
44
45
46
As the public state of the queue---the list $\elemList$ of currently stored
items---would only be known from that invariant, the client would also express
in there the properties about this state that their particular application
needs.
47
%
48
49
50
Then, when one of the threads needs to access the shared resource, it can
\emph{open} the invariant, get the assertions it contains, perform the desired
operation on the shared state, reestablish the invariant, and finally close it.
51
%
52
However, to ensure soundness in the face of concurrency, the use of invariants
53
in Iris obeys a strict constraint: they can remain open during at most one
54
step of execution. Unfortunately, $\enqueue$ and $\dequeue$ are complex
55
operations which, \emph{a~priori}, take several steps. Hence a client
56
57
58
would be unable to open their invariant around the triples shown
in~\fref{fig:queue:spec:seq}.
Yet these operations are ``atomic'' in some empirical sense.
59

Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
60
The concept of logical atomicity~\cite[\S7]{jacobs2011expressive,jung-slides-2019,iris-15} aims at addressing that difficulty.
Glen Mével's avatar
Glen Mével committed
61
To use it, we substitute ordinary Hoare triples with \emph{logically atomic triples}.
62
63
64
65
Two important reasoning rules for logically atomic triples are given in \fref{fig:latriples}.%
  \footnote{%
    Following Iris notations, $\knowInv{}{I}$ is an invariant whose content is the assertion~$I$, and $\later$ is a step-indexing modality, a technicality of Iris that we can ignore in this paper.
  }
66
67
A logically atomic triple is denoted with angle brackets~$\anglebracket{\ldots}$.
Just like an ordinary triple, it specifies a program fragment with a precondition and a postcondition.
68
69
In fact, as witnessed by rule \RULE{LAHoare}, one can deduce an ordinary Hoare triple from a logically atomic triple.
The core difference is that, thanks to rule \RULE{LAInv}, invariants can be opened around a logically atomic triple, regardless of the number of execution steps of the program fragment: in a sense, when a function is specified using a logically atomic triple, one states that said function behaves as if it were atomic.
Glen Mével's avatar
Glen Mével committed
70
%
71
The definition of logically atomic triples is further discussed in~\sref{sec:queue:proof:la}
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
72
and given with detail in previous work~\cite[\S7]{jung-slides-2019,iris-15}.
73
74
75
We now try to give an intuition of that concept:
a logically atomic triple $\lahoare{P}{e}{Q}$ states, roughly, that the expression $e$ contains an atomic instruction, called the \emph{commit point}, which has $P$ as a precondition and $Q$ as a postcondition.
Because it is atomic, invariants can be opened around that commit point.
76
%
77
\begin{figure}
78
79
\begin{mathpar}
%
80
  \infer[LAHoare]{% using the rule names from \cite{iris-15}
81
82
83
84
    \lahoare <x> {P} {e} {Q}
  }{%
    \Forall x. \hoare {P} {e} {Q}
  }
Glen Mével's avatar
Glen Mével committed
85
\and
86
  \infer[LAInv]{% using the rule names from \cite{iris-15}
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
87
    \lahoare <x> {\later I \isep P} {e} {\later I \isep Q}
88
  }{%
89
    \knowInv{}{I} \vdash \lahoare <x> {P} {e} {Q}
90
91
92
  }
%
\end{mathpar}
93
94
95
96
\Description{Selected rules for logically atomic triples.}
\caption{Selected rules for logically atomic triples}
\label{fig:latriples}
\end{figure}
97
98

Using logically atomic triples, the specification can be written as shown
99
100
in~\fref{fig:queue:spec:sc}.
It closely resembles that of the sequential setting (\fref{fig:queue:spec:seq}).
Glen Mével's avatar
Glen Mével committed
101
102
103
104
105
106
107
108
The first noticeable difference is the use of angle brackets~$\anglebracket{\ldots}$
denoting logically atomic triples instead of curly brackets~$\curlybracket{\ldots}$
for ordinary Hoare triples.

Another difference is the presence, in the syntax of logically atomic triples,
of an explicit binder for some variables ($\nbelems, \elemList*[]$).
This binder addresses a subtlety of logical atomicity:
a client calling \enqueue or \dequeue does not know in advance
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
109
the state of the queue at the commit point,
Glen Mével's avatar
Glen Mével committed
110
111
112
which is when the precondition and postcondition are to be interpreted.
Hence, both formulas have to be parameterized by said shared state.
Said otherwise, a logically atomic triple provides a \emph{family} of pre/postcondition pairs
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
113
covering every possible shared state at the commit point.
Glen Mével's avatar
Glen Mével committed
114
115
116

The last departure from the sequential specification
is that the representation predicate is split into two parts:
117
118
119
120
121
122
123
124
125
126
127
a persistent%
  \footnote{%
    In Iris terms, \emph{persistent} qualifies an assertion that is duplicable.
    Once established, such an assertion holds forever.
  }
assertion~$\queueInv$ and an exclusive assertion $\isQueueSC\elemList$,
connected by a ghost name%
  \footnote{%
    Ghost names in Iris are identifiers for pieces of ghost state. We say more on this in~\sref{sec:queue:proof}.
  }%
~$\gqueue$.
Glen Mével's avatar
Glen Mével committed
128
129
130
131
132
133
That splitting is an artifact of our correctness proof technique,
which we detail in~\sref{sec:queue:proof}.
%
Note that this does not complicate the use of the queue by the client:
both assertions are produced when creating the queue,
and while the exclusive component can be put in an invariant as before,
134
135
136
137
138
the persistent component can be directly duplicated and distributed to all threads.%
  \footnote{%
    An Iris expert may want to conceal the queue invariant, $\queueInv$, inside $\isQueueSC\elemList$. However, we need to access this invariant at various places other than the commit point. This is feasible with a more elaborate definition of logically atomic triples than the one given in this paper, so that they support \emph{aborting}~\cite{jung-slides-2019}.
    Another drawback is that we would lose the timelessness of the representation predicate.
  }
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
139

140
141
142
143
144
145
The use of such a specification in a concrete example will be detailed in~\sref{sec:pipeline:proof}.
For now, we illustrate how a weaker specification can be easily deduced from this one.

% ------------------------------------------------------------------------------

\subsubsection{A Persistent Specification}
Jacques-Henri Jourdan's avatar
Jacques-Henri Jourdan committed
146
\label{sec:queue:spec:sc:persistent}
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

If it were not for logical atomicity, and we still wanted to share the ownership
of the queue, we would have little choice left than renouncing to an exclusive
representation predicate. Only a persistent assertion would be provided, because
the description of the public state has to be stable in the face of interference
by other threads. The resulting specification would be much weaker.
%
For example, we may merely specify that all of the elements stored in the queue
satisfy some predicate~$\Phi$. In doing so, we lose most structural properties
of a queue: the same specification could also describe a stack or a bag.
%
\begin{mathpar}
%
  \infer{~}{%
    \persistent{\isQueuePers\Phi}
  }
\quad
  \infer{%
    \isQueuePers\Phi
  }{%
    \hoare
      {\Phi\,\elem}
      {\enqueue~\queue~\elem}
      {\Lam \Unit. \TRUE}
  }
\quad
  \infer{%
    \isQueuePers\Phi
  }{%
    \hoare
      {\TRUE}
      {\dequeue~\queue}
      {\Lam \elem. \Phi\,\elem}
  }
%
\end{mathpar}

To derive these Hoare triples from the ones of~\fref{fig:queue:spec:sc},
one simply defines the persistent assertion as follows,
where the boxed assertion is an Iris invariant:
%
188
\[
189
190
  \isQueuePers\Phi
  \;\eqdef\;
Glen Mével's avatar
Glen Mével committed
191
  \Exists\gqueue. \isepV{%
192
      \queueInv
Glen Mével's avatar
Glen Mével committed
193
  \\  \knowInv{}{\Exists \nbelems, \elemList*[]. \isQueueSC\elemList \ISEP \Phi\,\nthElem{0} \ISEP \cdots \ISEP \Phi\,\nthElem{\nbelems-1}}
194
  }
195
196
\]

197
198
199
This assertion is trivial to produce at the creation of the queue,
when \make hands us the assertions $\queueInv$ and $\isQueueSC{[]}$.
Then, for proving the weaker specification of $\enqueue$ and $\dequeue$,
Glen Mével's avatar
Glen Mével committed
200
one opens the invariant around the associated logically atomic triples.