# A proof framework for concurrent programs

## Summary (3 min read)

### 1 Introduction

- Parallelism has been employed for many years, mainly in high-performance computing.
- Parallel computer programs are more difficult to write than sequential ones, because concurrency introduces several new classes of potential software bugs.
- In an earlier paper [14] a case study is presented that combines two formal verification methods, namely model checking and theorem proving.
- The improved algorithm was subsequently shown to be correct in PVS.
- In Section 3 these framework basics are applied to a classic example, the bakery algorithm.

### 2 Framework basics

- In their case, the authors use PVS as theorem prover and Promela as the modeling language.
- The embedding presented in this paper is a mixed shallow/deep one: the framework is based on a shallow embedding while the translation of the model into PVS exploits the native features of PVS as much as possible, and hence can be seen as a deep embedding.

### Transition system

- The authors framework reflects this directly by representing concurrently executing threads by means of a state transition system.
- Denotes the set of natural numbers between 0 and NT, exclusive of NT.
- The entire system state consists of all the threads combined with the global variable store global (again a theory type parameter), and a variable current signifying which thread is currently executing.
- This Model theory, resulting from the translation of the Promela program (say P ), has the following skeleton.
- The effect of step is local, i.e. it only affects the local state of the currently executing thread, and possibly the global state of the system.

### Theorems and proofs

- Proving the different properties requires (1) the instantiation of the (noDeadlockMeasure and noStarvationMeasure) measures needed for the theorems defined in Section 2, and (2) the definition of an invariant strong enough to prove that these measures indeed strictly decrease.
- This is formulated using the program counter.
- This value of peers is set to the value of the global variable enter at the moment the thread has drawn its number (the location with program counter 5), and the thread is removed from peer groups of other threads after leaving the critical section (indicated by the program counter value 10).
- The invariants guarantee that when a process proceeds to the critical section (location 10), all the other processes have larger numbers.
- The proofs of the theorems proceed by a case distinction on the value of the program counter, creating a symbolic execution of the algorithm.

### 3 An example: bakery algorithm

- The algorithm itself is analogue to the way bakeries give their customers turns by drawing a number from a machine, where the baker serves the lowest number when he is available.
- The complete model will execute the above code infinitely many times.
- Next the authors translate this IL program into the PVS framework.
- The first three assignments of their example are combined into a single transition.
- This theory also contains the proper instances of the parameters of Threads from Section 2.

### 4 Framework with thread synchronisation

- Many concurrent algorithms are based on locking primitives that modern operating systems usually support.
- These primitives are not available in standard Promela but are added to the framework.
- In principle the authors could have modeled these locking primitives in Promela (like the bakery algorithm) and translated this model to PVS using the procedure as described in the previous sections.
- It appears to be more convenient to extend Promela with special synchronization constructs8, and use a shallow embedding by also incorporating basic locks into their PVS framework.

### Incorporating locking primitives

- The idea of the basic locks is similar to, for example, the synchronization mechanism of Java.
- Besides, processes should be able to relinquish their turn temporarily by means of a wait command and also be able to wake other processes up using notify.
- This state indicates whether the lock is occupied (in which case lockedBy refers to the corresponding thread) and maintains two queues for holding the blocked and waiting processes.
- A thread executing a synchronization operation may indirectly affect other system components.
- Instead of passing the complete system state to the step relation, the authors have implemented these ‘system calls’ by extending the result of step with a function of type [System → System ] .

### Example: reentrant read-write

- A more complex synchronization mechanism involves processes that acquire access to resources for both reading and writing: the classic readers-writers problem.
- Most solutions give priority to write locks over read locks because write locks are assumed to be more important, smaller, exclusive, and occurring less frequently.
- This is not included in the translation function, but can be added straightforwardly (e.g. by parameterizing the translation with an additional environment that performs this mapping).
- The part of the step relation that corresponds to this program fragment is shown below.
- The invariant needed to prove the theorems is large, but revolves around the relationships of the possible values of the variables used in the program at certain points in their execution past, similar to what was done in Section 3.

Did you find this useful? Give us your feedback

##### Citations

41 citations

##### References

17 citations

11 citations

### "A proof framework for concurrent pr..." refers background in this paper

...[11] combine model checking and theorem proving to analyze the classic readers-writers problem....

[...]

6 citations

### "A proof framework for concurrent pr..." refers methods in this paper

...We demonstrate the power of the framework by applying it to a larger example, showing correctness of a solution to the reentrant readers-writers problem [15] that improves upon the widely used Qt C++ library by Trolltech....

[...]

...In that paper [15] it was described how a model was constructed and checked using the SPIN model checker....

[...]

...Comparing the ad hoc proof given in our earlier paper [15] with the proof that is possible using the framework, we find only small differences....

[...]

6 citations

6 citations

##### Related Papers (5)

##### Frequently Asked Questions (2)

###### Q2. What are the future works in "A proof framework for concurrent programs" ?

Their future plans are to extend the framework in such a way that it covers the complete Promela language, e. g. by adding constructs for modeling message passing. Furthermore, the proof process can be partially automated by defining appropriate PVS-tactics to avoid repeating certain sequences of proof steps. Also, many auxiliary mappings of program counters to natural numbers that were needed to define proper measures, can be generated automatically.