verifythis_2015_parallel_gcd: documentation and updated session

parent 9369e246
......@@ -107,7 +107,10 @@ module ParallelGCD
end
(** Threads interleaving.
Code and invariants by Rustan Leino. *)
Code and invariants by Rustan Leino.
Termination argument by Martin Clochard and Léon Gondelman.
Proof by Martin Clochard and Léon Gondelman.
*)
module Interleaving
use import int.Int
......@@ -118,7 +121,7 @@ module Interleaving
(* Representation of a thread: two local variables
(register copies of the globals) and a program counter:
ReadA:
local_a <- a
ReadB:
......@@ -128,7 +131,7 @@ module Interleaving
if local_a > local_b a := local_a - local_b;
goto ReadA;
Halt:
For the sake of simplicity, every section is considered atomic.
(strictly speaking, section Compare is not, but it interacts
atomically with memory so it would be equivalent)
......@@ -154,12 +157,12 @@ module Interleaving
| Halt -> th.local_a = a = b (* Final state is stable. *)
end
(* Does running this thread make any progress toward the result ? *)
predicate progress_thread (th:thread) (a b:int) =
(* Does running this thread make any progress toward the result? *)
predicate progress_thread (th: thread) (a b: int) =
a > b \/ (a = b /\ th.state <> Halt)
(* Decreasing ordering on program counter *)
function state_index (s:state) : int = match s with
function state_index (s: state) : int = match s with
| ReadA -> 7
| ReadB -> 5
| Compare -> 3
......@@ -167,31 +170,32 @@ module Interleaving
end
(* Synchronisation status. *)
predicate sync (th:thread) (b:int) =
predicate sync (th: thread) (b: int) =
match th.state with Compare -> th.local_b = b | _ -> true end
(* Convert status into an index. *)
function sync_index (th:thread) (b:int) : int =
function sync_index (th: thread) (b: int) : int =
if sync th b then 0 else 42
(* Thread progression index: if running this thread should make any
progression toward the result, then it will have the following shape:
- A first (optional) loop run for synchronization.
- A second synchronized run until effective progress *)
function prog_index (th:thread) (b:int) : int =
function prog_index (th: thread) (b: int) : int =
sync_index th b + state_index th.state
val create_thread () : thread
ensures { result.state = ReadA }
(* Fair scheduler modelisation: Each time it switch to a thread,
it also writes down the time remaining before it switch to the other.
If it does not switch, this timeout decrease. *)
(* Fair scheduler modelisation: Each time it switches between threads,
it also writes down the maximal time remaining before it
will switch to the other.
If it does not switch, this timeout decreases. *)
val ghost scheduled : ref bool
val ghost timer : ref int
val schedule () : bool
writes { scheduled , timer }
writes { scheduled, timer }
ensures { !scheduled = old !scheduled -> 0 <= !timer < old !timer }
ensures { result = !scheduled }
......@@ -201,8 +205,8 @@ module Interleaving
writes { th, a }
ensures { inv th d !a !b }
ensures { 0 < !a <= old !a }
ensures { old !a > !a -> old !a >= !a + !b }
ensures { progress_thread th !a !b ->
ensures { old !a > !a -> old !a >= !a + !b }
ensures { progress_thread th !a !b ->
prog_index (old th) !b > prog_index th !b \/ !a < old !a }
=
match th.state with
......@@ -234,17 +238,26 @@ module Interleaving
let th2 = create_thread () in
while th1.state <> Halt || th2.state <> Halt do
invariant { inv th1 d !a !b /\ inv th2 d !b !a }
variant { !a + !b ,
variant { (* global progress in the algorithm *)
!a + !b
,
(* progress in one of the two threads *)
if !a = !b
then prog_index th2 !a + prog_index th1 !b
else if !a < !b
then prog_index th2 !a
else prog_index th1 !b ,
else prog_index th1 !b
,
(* no progress in both threads, but the scheduler
switches to the non-progressing thread *)
if progress_thread th1 !a !b
then if !scheduled then 1 else 0
else if progress_thread th2 !b !a
then if !scheduled then 0 else 1
else 0 , !timer }
else 0
,
(* the scheduler is still running the non-progressing thread *)
!timer }
if schedule () then step th1 d a b else step th2 d b a
done;
!a
......
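Review bot: The reworded scheduler comment in the `@@ -167,31 +170,32 @@` hunk still leaves out the fairness guarantee that the loop variant depends on: the postcondition `!scheduled = old !scheduled -> 0 <= !timer < old !timer` only constrains the timer while the same thread stays scheduled and says nothing about its value after a switch. Because a call made with `!timer = 0` cannot satisfy that postcondition without switching, the next call is forced to switch, and that is what makes `!timer` a sound last component of the variant in the `@@ -234,17 +238,26 @@` hunk; a reader seeing only the comment would not know this. I would extend the comment with: `When the timeout reaches 0 the first postcondition can no longer hold without a switch, so the next call must switch; after a switch the new timeout is unconstrained. This is what justifies using !timer as the last component of the loop variant in parallel_gcd.` As wording points in the same two hunks, `modelisation` reads more naturally as `model`, and the third variant comment `no progress in both threads` means `no progress in either thread`. Module Interleaving continues past the end of this section.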
......@@ -10,178 +10,178 @@
<prover id="6" name="CVC3" version="2.4.1" timelimit="5" memlimit="1000"/>
<prover id="7" name="Eprover" version="1.8-001" timelimit="5" memlimit="1000"/>
<file name="../verifythis_2015_parallel_gcd.mlw" expanded="true">
<theory name="ParallelGCD" sum="8319d7f76f67ab787192d931e1a55949">
<goal name="gcd_sub">
<theory name="ParallelGCD" sum="8319d7f76f67ab787192d931e1a55949" expanded="true">
<goal name="gcd_sub" expanded="true">
<proof prover="2"><result status="valid" time="0.05"/></proof>
<proof prover="4" obsolete="true"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd" expl="VC for parallel_gcd">
<transf name="split_goal_wp">
<goal name="WP_parameter parallel_gcd.1" expl="1. loop invariant init">
<goal name="WP_parameter parallel_gcd" expl="VC for parallel_gcd" expanded="true">
<transf name="split_goal_wp" expanded="true">
<goal name="WP_parameter parallel_gcd.1" expl="1. loop invariant init" expanded="true">
<proof prover="5" timelimit="6"><result status="valid" time="0.01" steps="2"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.2" expl="2. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.2" expl="2. loop invariant preservation" expanded="true">
<proof prover="5" timelimit="6"><result status="valid" time="0.01" steps="11"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.3" expl="3. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.3" expl="3. loop invariant preservation" expanded="true">
<proof prover="0"><result status="valid" time="0.02"/></proof>
<proof prover="2"><result status="valid" time="0.02"/></proof>
<proof prover="4" obsolete="true"><result status="valid" time="0.12"/></proof>
<proof prover="4"><result status="valid" time="0.12"/></proof>
<proof prover="5" timelimit="6"><result status="valid" time="0.03" steps="37"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.4" expl="4. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.4" expl="4. loop invariant preservation" expanded="true">
<proof prover="5" timelimit="6"><result status="valid" time="0.02" steps="10"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.5" expl="5. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.5" expl="5. loop invariant preservation" expanded="true">
<proof prover="5" timelimit="6"><result status="valid" time="0.02" steps="10"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.6" expl="6. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.6" expl="6. loop invariant preservation" expanded="true">
<proof prover="5" timelimit="6"><result status="valid" time="0.01" steps="11"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.7" expl="7. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.7" expl="7. loop invariant preservation" expanded="true">
<proof prover="0"><result status="valid" time="0.02"/></proof>
<proof prover="2" timelimit="30"><result status="valid" time="0.09"/></proof>
<proof prover="4" timelimit="30" obsolete="true"><result status="valid" time="0.09"/></proof>
<proof prover="4" timelimit="30"><result status="valid" time="0.09"/></proof>
<proof prover="5" timelimit="6"><result status="valid" time="0.02" steps="13"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.8" expl="8. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.8" expl="8. loop invariant preservation" expanded="true">
<proof prover="0"><result status="valid" time="0.01"/></proof>
<proof prover="1"><result status="valid" time="0.01"/></proof>
<proof prover="5" timelimit="6"><result status="valid" time="0.01" steps="10"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.9" expl="9. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.9" expl="9. loop invariant preservation" expanded="true">
<proof prover="0"><result status="valid" time="0.01"/></proof>
<proof prover="1"><result status="valid" time="0.00"/></proof>
<proof prover="5" timelimit="6"><result status="valid" time="0.00" steps="10"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.10" expl="10. postcondition">
<goal name="WP_parameter parallel_gcd.10" expl="10. postcondition" expanded="true">
<proof prover="0"><result status="valid" time="0.03"/></proof>
</goal>
</transf>
</goal>
</theory>
<theory name="Interleaving" sum="8a7f2e36501d957e8de13171fbd9f63c" expanded="true">
<goal name="gcd_sub">
<goal name="gcd_sub" expanded="true">
<proof prover="7"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="WP_parameter step" expl="VC for step">
<transf name="split_goal_wp">
<goal name="WP_parameter step.1" expl="1. postcondition">
<goal name="WP_parameter step" expl="VC for step" expanded="true">
<transf name="split_goal_wp" expanded="true">
<goal name="WP_parameter step.1" expl="1. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="8"/></proof>
</goal>
<goal name="WP_parameter step.2" expl="2. postcondition">
<goal name="WP_parameter step.2" expl="2. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="5"/></proof>
</goal>
<goal name="WP_parameter step.3" expl="3. postcondition">
<goal name="WP_parameter step.3" expl="3. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="4"/></proof>
</goal>
<goal name="WP_parameter step.4" expl="4. postcondition">
<proof prover="5"><result status="valid" time="0.89" steps="180"/></proof>
<goal name="WP_parameter step.4" expl="4. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="1.25" steps="180"/></proof>
</goal>
<goal name="WP_parameter step.5" expl="5. postcondition">
<goal name="WP_parameter step.5" expl="5. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="11"/></proof>
</goal>
<goal name="WP_parameter step.6" expl="6. postcondition">
<goal name="WP_parameter step.6" expl="6. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="5"/></proof>
</goal>
<goal name="WP_parameter step.7" expl="7. postcondition">
<goal name="WP_parameter step.7" expl="7. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="4"/></proof>
</goal>
<goal name="WP_parameter step.8" expl="8. postcondition">
<proof prover="5"><result status="valid" time="1.86" steps="269"/></proof>
<goal name="WP_parameter step.8" expl="8. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="2.53" steps="281"/></proof>
</goal>
<goal name="WP_parameter step.9" expl="9. postcondition">
<goal name="WP_parameter step.9" expl="9. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="14"/></proof>
</goal>
<goal name="WP_parameter step.10" expl="10. postcondition">
<goal name="WP_parameter step.10" expl="10. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="5"/></proof>
</goal>
<goal name="WP_parameter step.11" expl="11. postcondition">
<goal name="WP_parameter step.11" expl="11. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="4"/></proof>
</goal>
<goal name="WP_parameter step.12" expl="12. postcondition">
<goal name="WP_parameter step.12" expl="12. postcondition" expanded="true">
<proof prover="6"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="WP_parameter step.13" expl="13. postcondition">
<proof prover="5"><result status="valid" time="0.94" steps="41"/></proof>
<goal name="WP_parameter step.13" expl="13. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="1.30" steps="41"/></proof>
</goal>
<goal name="WP_parameter step.14" expl="14. postcondition">
<goal name="WP_parameter step.14" expl="14. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="11"/></proof>
</goal>
<goal name="WP_parameter step.15" expl="15. postcondition">
<goal name="WP_parameter step.15" expl="15. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="12"/></proof>
</goal>
<goal name="WP_parameter step.16" expl="16. postcondition">
<goal name="WP_parameter step.16" expl="16. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="13"/></proof>
</goal>
<goal name="WP_parameter step.17" expl="17. postcondition">
<goal name="WP_parameter step.17" expl="17. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="11"/></proof>
</goal>
<goal name="WP_parameter step.18" expl="18. postcondition">
<goal name="WP_parameter step.18" expl="18. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.02" steps="6"/></proof>
</goal>
<goal name="WP_parameter step.19" expl="19. postcondition">
<goal name="WP_parameter step.19" expl="19. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="5"/></proof>
</goal>
<goal name="WP_parameter step.20" expl="20. postcondition">
<goal name="WP_parameter step.20" expl="20. postcondition" expanded="true">
<proof prover="6"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="WP_parameter step.21" expl="21. postcondition">
<goal name="WP_parameter step.21" expl="21. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="2"/></proof>
</goal>
<goal name="WP_parameter step.22" expl="22. postcondition">
<goal name="WP_parameter step.22" expl="22. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="3"/></proof>
</goal>
<goal name="WP_parameter step.23" expl="23. postcondition">
<goal name="WP_parameter step.23" expl="23. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="2"/></proof>
</goal>
<goal name="WP_parameter step.24" expl="24. postcondition">
<goal name="WP_parameter step.24" expl="24. postcondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="10"/></proof>
</goal>
</transf>
</goal>
<goal name="WP_parameter parallel_gcd" expl="VC for parallel_gcd">
<transf name="split_goal_wp">
<goal name="WP_parameter parallel_gcd.1" expl="1. loop invariant init">
<goal name="WP_parameter parallel_gcd" expl="VC for parallel_gcd" expanded="true">
<transf name="split_goal_wp" expanded="true">
<goal name="WP_parameter parallel_gcd.1" expl="1. loop invariant init" expanded="true">
<proof prover="5"><result status="valid" time="0.04" steps="16"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.2" expl="2. precondition">
<goal name="WP_parameter parallel_gcd.2" expl="2. precondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="7"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.3" expl="3. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.3" expl="3. loop invariant preservation" expanded="true">
<proof prover="5"><result status="valid" time="0.19" steps="98"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.4" expl="4. loop variant decrease">
<transf name="inline_goal">
<goal name="WP_parameter parallel_gcd.4.1" expl="1. loop variant decrease">
<transf name="inline_goal">
<goal name="WP_parameter parallel_gcd.4.1.1" expl="1. loop variant decrease">
<goal name="WP_parameter parallel_gcd.4" expl="4. loop variant decrease" expanded="true">
<transf name="inline_goal" expanded="true">
<goal name="WP_parameter parallel_gcd.4.1" expl="1. loop variant decrease" expanded="true">
<transf name="inline_goal" expanded="true">
<goal name="WP_parameter parallel_gcd.4.1.1" expl="1. loop variant decrease" expanded="true">
<proof prover="0" timelimit="5"><result status="valid" time="0.13"/></proof>
</goal>
</transf>
</goal>
</transf>
</goal>
<goal name="WP_parameter parallel_gcd.5" expl="5. precondition">
<goal name="WP_parameter parallel_gcd.5" expl="5. precondition" expanded="true">
<proof prover="5"><result status="valid" time="0.01" steps="7"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.6" expl="6. loop invariant preservation">
<goal name="WP_parameter parallel_gcd.6" expl="6. loop invariant preservation" expanded="true">
<proof prover="5"><result status="valid" time="0.05" steps="59"/></proof>
</goal>
<goal name="WP_parameter parallel_gcd.7" expl="7. loop variant decrease">
<transf name="inline_goal">
<goal name="WP_parameter parallel_gcd.7.1" expl="1. loop variant decrease">
<transf name="inline_goal">
<goal name="WP_parameter parallel_gcd.7.1.1" expl="1. loop variant decrease">
<goal name="WP_parameter parallel_gcd.7" expl="7. loop variant decrease" expanded="true">
<transf name="inline_goal" expanded="true">
<goal name="WP_parameter parallel_gcd.7.1" expl="1. loop variant decrease" expanded="true">
<transf name="inline_goal" expanded="true">
<goal name="WP_parameter parallel_gcd.7.1.1" expl="1. loop variant decrease" expanded="true">
<proof prover="0" timelimit="5"><result status="valid" time="0.17"/></proof>
</goal>
</transf>
</goal>
</transf>
</goal>
<goal name="WP_parameter parallel_gcd.8" expl="8. postcondition">
<goal name="WP_parameter parallel_gcd.8" expl="8. postcondition" expanded="true">
<proof prover="1" timelimit="5"><result status="valid" time="0.03"/></proof>
<proof prover="2" timelimit="5"><result status="valid" time="1.10"/></proof>
<proof prover="2" timelimit="5"><result status="valid" time="2.12"/></proof>
<proof prover="6"><result status="valid" time="0.06"/></proof>
<proof prover="7"><result status="valid" time="0.07"/></proof>
</goal>
......