Rely-Guarantee Termination and Cost Analyses of Loops with Concurrent Interleavings

Abstract

By following a rely-guarantee style of reasoning, we present novel termination and cost analyses for concurrent programs that, in order to prove termination or infer the cost of a considered loop: (1) infer the termination/cost of each loop as if it were a sequential one, imposing assertions on how shared-data is modified concurrently; and then (2) prove that these assertions cannot be violated infinitely many times and, for cost analysis, infer how many times they are violated. At the core of the analysis, we use a may-happen-in-parallel analysis to restrict the set of program points whose execution can interleave. Interestingly, the same kind of reasoning can be applied to prove termination and infer upper bounds on the number of iterations of loops with concurrent interleavings. To the best of our knowledge, this is the first method to automatically bound the cost of such kind of loops. We have implemented our analysis for an actor-based language, and showed its accuracy and efficiency by applying it on several typical applications for concurrent programs and on an industrial case study.

Appendix: Proofs of Theorems

We base our proofs on traces generated by the semantics rules and the behavior of the loop counters described in the definition of local termination and local loop bound. First, we will define some auxiliary notions.

Given a trace, we denote \(S_{x: t }\) a scope \(S_x\) executing in a task \( t \) whose auxiliary counter is \(i_{x, t }\). Also we can map each execution step \({St}_i \rightarrow ^{b_i} {St}_{i+1}\) to the task \( t \) in which \(b_i\) is executed with \( TaskOf (b_i)= t \). As stated in Sect. 2.4, an instruction \(b_i\) can only belong to one scope but it can appear inside several scopes. A typical example is an instruction inside a nested loop. \(b_i\in S\) denotes that \(b_i\) belongs to S and \(b_i\sqsubset S\) denotes that \(b_i\) appears inside S.

A \( t \)-interleaving trace represents a trace fragment where all the execution steps are performed in tasks different from \( t \)

Definition 3

( \( t \) -interleaving trace) A trace \({tr^{lv}}\equiv {St}_1 \rightarrow ^{b_1} \ldots \rightarrow ^{b_{n-1}} {St}_n \rightarrow ^{b_n}\ldots \) is interleaving with task \( t \) if for all \(b_i\) such that \(1\le i \le n\), \( TaskOf (b_i)\ne t \).

Definition 4

( C valid in trace \({tr}\) ) A shared-memory-assertion C is valid in a trace \({tr}\equiv {St}_1 \rightarrow ^{b_1} \ldots \rightarrow ^{b_{n-1}} {St}_n \) with respect to an object \( o \), if for all constraints \(f'\bowtie f\in C\), \(ob( o ,a,lk)\in {St}_1\), \(ob( o ,a',lk')\in {St}_n\) and \(a'(f)\bowtie a(f)\).

Next we define traces that represent a single iteration of a loop scope in a task \(S_{x: t }\):

Definition 5

( \(S_{x: t }\) iteration trace) A trace \({tr^{it}}\equiv {St}_1 \rightarrow ^{b_1} \ldots \rightarrow ^{b_{n-1}} {St}_n \rightarrow ^{b_n}\ldots \) is a iteration trace of \(S_{x: t }\) if:

• for all the steps \({St}_i \rightarrow ^{b} {St}_{i+1}\) either \( TaskOf (b_i)\ne t \) or \(b_i\sqsubset S_x\). This implies that the loop exit is not taken and \(i_{x, t }\) is not reset but there can be \( t \)-interleaving traces within \({tr^{it}}\)

• \(i_{x, t }\) is only incremented in \(b_1\) and thus it can represent at most one iteration of \(S_{x: t }\).

An iteration trace \({tr^{it}}\) of \(S_{x: t }\) can be infinite. This is because it might contain infinite \( t \)-interleaving traces or because \(S_x\) contains other loop scopes that can iterate indefinitely.

We say that a finite \({tr^{it}}\) is well-behaving with respect to C if C is valid in all its maximal \( t \)-interleaving subtraces. Finally, we define traces that represent a complete execution of a loop scope \(S_{x: t }\) without resetting the counter \(i_{x, t }\):

Definition 6

( \(S_{x: t }\) execution trace) A trace \({tr^{ex}}\equiv {St}_1 \rightarrow ^{b_1} \ldots \rightarrow ^{b_{n-1}} {St}_n \rightarrow ^{b_n}\ldots \) is an execution trace of \(S_{x: t }\) if it can be expressed as a (possibly infinite) sequence of iteration traces \({tr^{it}}\) and \(i_{x, t }\) is 0 in \({St}_1\).

In addition, our proof relies on the soundness of the \(\mathtt {seq\_termin} \) algorithm [4] and the may-happen-in-parallel (MHP) analysis [10] that we state below.

Soundness of \(\mathtt {seq\_termin} \) guarantees universal termination of a scope provided the interleaving scopes do not violate the constraint set C. We can define the soundness of \(\mathtt {seq\_termin} \) using these notions:

Definition 7

(Soundness of \(\mathtt {seq\_termin} \) ) If \(\mathtt {seq\_termin} (S_x,C) = true \), then for any task \(tsk( t ,m, o ,l,s)\in {St}_a\) and trace \({tr^{w}}\equiv {St}_a \rightarrow ^{b_a} \ldots \rightarrow ^{b_{n-1}} {St}_n \rightarrow ^{b_n} \ldots \) that can be expressed as a sequence of well-behaved iteration traces of \(S_{x: t }\), the number of execution steps that increments \(i_{x, t }\) (and the number of iteration subtraces) is finite (\(sup({tr},i_{x, t })\) is defined).

The soundness of the \(\mathtt {MHP\_pairs} \) analysis states that it overapproximates the set of program points that can happen in parallel, i.e., if two program can be executed in some state \({St}\) of the trace, then both points will be related in the results of \(\mathtt {MHP\_pairs} \).

Definition 8

(Soundness of MHP) Consider a set of program points \( RP \) and \(\mathtt {MHP\_pairs} ( RP ) = MP \). If \(s_1 \in RP \) and for some reachable state \({St}\) we have that \( tsk(t_1,m_1,o_1,l_1,s_1;s'_1) \) and \( tsk(t_2,m_2,o_2,l_2,s_2;s'_2) \) are two tasks available in \({St}\), then \(s_2 \in MP \).

1.1 Proof of Theorem 1

We re-state Theorem 1 using the definition of locally terminating scope:

Theorem 3

(Soundness of TERMINATES(S, L)) If , for any task \( t \) and any trace \({tr}\) there exists \(n_{ t ,{tr}}\in \mathbb {N}\) such that \(sup({tr},i_{x,{tr}})\le n_{ t ,{tr}}\)

Proof

For any trace \({tr}\) we consider any execution trace \({tr^{ex}}\) of \(S_{x: t }\) (for any \( t \)) that appear in \({tr}\). Then, \(S_x\) is locally terminating if \(i_{x, t }\) is incremented a finite number of times in all possible \({tr^{ex}}\). This is equivalent to proving that \({tr^{ex}}\) contains a finite number of iteration subtraces (each iteration subtrace increments \(i_{x, t }\) once).

We can partition \({tr^{ex}}\) into an alternative sequence of subtraces \({tr^{w}}_j\) and \({tr^{b}}_i\), where \({tr^{w}}_j\) are maximal subtraces that satisfy the restrictions in Definition 7 (a sequence of well-behaving iteration traces) and \({tr^{b}}_i\) is a sequence of iteration traces that are not well-behaved. An iteration trace is not well-behaved because it is either infinite or it contains \( t \)-interleaving traces that violate C.

\(\mathtt {seq\_termin} (S_x,C)=true\) guarantees that every \({tr^{w}}_j\) increments \(i_{x, t }\) a finite number of times. In order to prove that the total number of increments are finite, we need to prove that the number of \({tr^{w}}_j\) is finite and the number of iterations in all \({tr^{b}}_i\) (the iterations that are not well-behaving) is also finite. Because we consider maximal subtraces, we have that between two consecutive \({tr^{w}}_j\) there must be at least one \({tr^{b}}_i\) that contains at least one iteration that is not well-behaving. Therefore, it is enough to prove that the number of iteration traces that are not well-behaving is finite.

Recall that if an iteration trace is not well-behaving, it must be either infinite or contain at least one \( t \)-interleaving trace where C is not valid. If we have that \({tr^{it}}_j\) is infinite, there cannot be other iteration traces after \({tr^{it}}_j\) and we can trivially conclude that the number of total iterations is finite (it is j). If \({tr^{it}}_j\) contains at least one \( t \)-interleaving trace \({tr^{lv}}\) where C is not valid, there must be at least one execution step \({St}_i \rightarrow ^{p} {St}_{i+1}\) that makes a constraint in C invalid, and p must be a field assignment. Because \({tr^{it}}_j\) is an iteration trace of \(S_{x: t }\), we have that \(tsk(t,m, o ,l_1,s_1:s)\in {St}_i\) and \(s_1\) must be a release point with \(s_1\sqsubset S_x\). This is because if p can perform a field assignment in object \( o \), it has to be executed in a task \( t '\) that belongs to the same object \( o \) and have the object’s lock. In order to take the lock, it must have been released by the last instruction before the interleaving trace. We have that \(p\in I=MP(RP)\) where RP are the release points that appear in \(S_x\). Lines 6–8 approximate this set of points. The soundness of I is given by the soundness of the MHP analysis.

If the number of times each p is executed is finite, then the number of subtraces \({tr^{it}}_j\) that are not well-behaving is also finite and \(S_x\) is locally terminating. This is guaranteed by proving that every scope that can reach p is locally terminating through the recursive calls to TERMINATES. \(\square \)

1.2 Proof of Theorem 2

We have to prove \(\textsc {lbound} \) computes a valid local bound for any scope S. The bounds of method scopes are trivial so in what follows we only consider bounds of loop scopes. Our proof relies on the soundness of the sequential loop bound \(\textsc {niters} _S\) computed by \(\mathtt {seq\_termin} \) and the soundness of the \(\mathtt {max\_init}\) procedure that we state below:

Definition 9

(Soundness of \(\mathtt {seq\_termin} \) sequential loop bound) If \(\mathtt {seq\_termin} (S_x,C)\) returns a function \(\textsc {niters} _S\), then for any task \(tsk( t ,m, o ,l,s)\in {St}_e\) and partial trace \({tr^{w}}\equiv {St}_{e} \rightarrow ^{b_{e}} \ldots \rightarrow ^{b_{n-1}} {St}_n \rightarrow ^{b_n} \ldots \) that can be expressed as a sequence of well-behaved iteration traces of \(S_{x: t }\), the number of execution steps that increments \(i_{x, t }\) (and the number of iteration subtraces) is finite and smaller or equal that \(\textsc {niters} _S\) evaluated in \({St}_{e}\).

Definition 10

(Soundness of \(\mathtt {max\_init}\) ) For any partial trace \({tr}\equiv {St}_{0} \rightarrow ^{0} \ldots \rightarrow ^{b_{e-1}} {St}_{e}\) where \(tsk( t ,m, o ,l,s),ob( o ,a, t )\in {St}_{e}\), s is the loop scope \(S_x\), \(tsk(0,main,0,l_0,s)\in {St}_{0}\) and \(\bar{f}^+\) and \(\bar{f}^-\) are the upper and lower bounds of the fields of object \( o \). We have:

\(\textsc {niters} _S(l,a) \le \mathtt {max\_init}(\textsc {niters} _S)(l_0,\bar{f}^+,\bar{f}^-)\).

The implementation of \(\textsc {lbound} \) corresponds directly with the Observation 2. Therefore, it is enough to proof that the Observation 2 is sound. Below, we re-state the Observation 2 using the definition of loop bound and prove its soundness.

Observation 4

(Loop bound (expanded)) For any task \( t \) and any trace \({tr}\), \(sup(i_{x, t })\le \textsc {lbound} _S\) where \(\textsc {lbound} _S\) is defined as \(\textsc {lbound} _S=\mathtt {max\_init}(\textsc {niters} _S )* (rst+1)\) where \( rst = \sum _{\{ p| p \in I_{S}\}} \textsc {nvisits} (p)\).

Proof

Similarly to the proof of termination, we consider arbitrary execution subtraces \({tr^{ex}}\) of S partitioned into an alternative sequence of subtraces \({tr^{w}}_j\) and \({tr^{b}}_i\), where \({tr^{w}}_j\) are maximal subtraces that satisfy the restrictions defined in Definition 7 (a sequence of well-behaving iteration traces) and \({tr^{b}}_i\) is a sequence of iteration traces that are not well-behaved.

Combining the soundness of the bound returned by \(\mathtt {seq\_termin} \) and of \(\mathtt {max\_init}\), we know that each \({tr^{w}}_j\) increments \(i_{x, t }\) at most \(\mathtt {max\_init}(\textsc {niters} _S)\). However, if \({tr^{w}}_j\) is not at the end of \({tr^{ex}}\) it must be possible to execute at least one iteration after \({tr^{w}}_j\). In that case \({tr^{w}}_j\) has at most \(\mathtt {max\_init}(\textsc {niters} _S)-1\) iterations.

Here again, we have that between two consecutive \({tr^{w}}_j\) there must be at least one finite \({tr^{b}}_i\) that contains at least one iteration that is not well-behaving. In addition, we can have at most one infinite not well-behaving iteration trace at the end. Let rst be the number of finite iterations that are not well-behaving, the number of \({tr^{w}}_j\) subtraces is at most \(rst+1\) where only one of them can be at the end of \({tr^{ex}}\). The maximal number of iterations in \({tr^{ex}}\) is:

• \((\mathtt {max\_init}(\textsc {niters} _S )-1)*(rst)+\mathtt {max\_init}(\textsc {niters} _S)+rst\) if \({tr^{ex}}\) ends with a \({tr^{w}}_j\) and

• \((\mathtt {max\_init}(\textsc {niters} _S )-1)*(rst+1)+rst+1\) if \({tr^{ex}}\) ends with an infinite not well-behaving iteration trace.

In these expressions (1) \((\mathtt {max\_init}(\textsc {niters} _S )-1)*(rst)\) and \((\mathtt {max\_init}(\textsc {niters} _S )-1)*(rst)\) account for the iterations in all \({tr^{w}}_j\) that are not at the end of \({tr^{ex}}\); (2) rst for the finite iterations that are not well-behaved; and (3) \(+1\) corresponds to an infinite not well-behaving iteration trace in the second expression. These two expressions are equivalent to the one in the Observation 4

We can use the same reasoning used in the proof of Theorem 1 to conclude that each finite \({tr^{it}}\) that is not well-behaving must contain at least one step \({St}_i \rightarrow ^{p} {St}_{i+1}\) such that \(p\in I\) that makes C invalid. Recall that I is set of field assignments that might happpen in parallel with the release points of \(S_x\). Therefore \(rst\le \sum _{\{ p| p \in I_{S}\}} \textsc {nvisits} (p)\).

Finally, \(\textsc {nvisits} (p)\) corresponds to obtaining the cost of the program \(\mathtt {UB}(S_{main})\) given a cost model that assigns \(\mathcal{M}(p)=1\) and 0 to any other instruction. It is inmediate to see that the implementation of \(\textsc {nvisits} (p)\) corresponds to the definition of \(\mathtt {UB}(S_{main})\) with the given cost model in Sec.2.4. \(\square \)

1.3 Soundness of Observation 3

Proof

Consider an execution trace \({tr^{ex}}\) of a loop scope S partitioned into \({tr^{w}}\) and \({tr^{b}}\) subtraces, but this time we distinguish between the \({tr^{b}}\) that contain only interleavings with points in \( inc (I_S)\), denoted \({tr^{ inc }}\), and the ones that might interleave with other points in \(I_S\setminus inc (I_S) \) as well, denoted \({tr^{ rst }}\). We denote \( rst \) the number of finite iterations that are not well-behaved in \({tr^{ rst }}\), which is at most \(\sum _{\{ p| p \in I_S\setminus inc (I_S)\}} \textsc {nvisits} (p)\). We have at most \( rst \) \({tr^{ rst }}\) subtraces (if each \({tr^{ rst }}\) contains a single iteration) that split the execution trace in at most \(( rst +1)\) \({tr^{ no-rst }}\) subtraces. Each \({tr^{ no-rst }}\) is a sequence of \({tr^{w}}\) separated by a \({tr^{ inc }}\).

We know that each \({tr^{w}}\) has at most \(\textsc {niters} _{S}\) iterations expressed in terms of the initial variables of \({tr^{w}}\) (soundness of \(\mathtt {seq\_termin}\)) but also we have that \(\textsc {niters} _{S}(\overline{x_i})-\textsc {niters} _{S}(\overline{x_f})\) is an upper bound on the number of iterations of \({tr^{w}}\) where \(\overline{x_i}\) and \(\overline{x_f}\) are the variables at the first and last state of \({tr^{w}}\). This is because each well-behaved iteration is guaranteed to decrease \(\textsc {niters} _{S}(\overline{x_i})\) at least 1 (and decrease at least n in n iterations). Given one of these subtraces \({tr^{ no-rst }}\) ⁵ \(\equiv {tr^{w}}_1{tr^{ inc }}_{1}{tr^{w}}_{2}\ldots {tr^{ inc }}_{n-1} {tr^{w}}_n\), we have that the cost of each \({tr^{w}}_j\) is \(\textsc {niters} _{S}(\overline{x_{i:j}})-\textsc {niters} _{S}(\overline{x_{f:j}})\) (where \(\overline{x_{i:j}}\) and \(\overline{x_{f:j}}\) are the variables of the first and last state of \({tr^{w}}_j\)). We have checked that the effect of one iteration of \({tr^{ inc }}\) on \(\textsc {niters} _{S}\) is \((\sum z_q)-1\). Let \(it_j\) be the number of iterations in \({tr^{ inc }}_{j}\), the effect of \({tr^{ inc }}_{j}\) is \(\textsc {niters} _{S}(\overline{x_{i:j+1}}) \le \textsc {niters} _{S}(\overline{x_{f:j}}) +\sum _{k=1}^{it_j} ( (\sum z_{q:k})-1)\). We have that the cost of all the \({tr^{w}}_1\) in the sequence \({tr^{ no-rst }}\) is at most \(\sum _{j=1}^n \textsc {niters} _{S}(\overline{x_{i:j}})-\textsc {niters} _{S}(\overline{x_{f:j}})\) Then, we express each \(\textsc {niters} _{S}(\overline{x_{i:j}})\) (for \(j>1\)) in terms of \(\textsc {niters} _{S}(\overline{x_{f:j-1}})\) and we cancel the positive and negative summands obtaining \(\textsc {niters} _{S}(\overline{x_{i:1}})-\textsc {niters} _{S}(\overline{x_{f:n}})+ extra \) where \( extra = \sum _{j=1}^{n-1} \sum _{k=1}^{it_j} ( \sum z_{q:k})-1\). To complete the cost of the sequence \({tr^{ no-rst }}\), we add 1 for each iteration in \({tr^{ inc }}\) subtraces: \( \sum _{j=1}^{n-1} \sum _{k=1}^{it_j} 1\) which we can cancel with the \(-1\) appearing in \( extra \). As a result we have \(Cost({tr^{ no-rst }})= \textsc {niters} _{S}(\overline{x_{i:1}})-\textsc {niters} _{S}(\overline{x_{f:n}})+ extra '\) where \( extra '= \sum _{j=1}^{n-1} \sum _{k=1}^{it_j} \sum z_{q:k}\).

We can maximize \(\textsc {niters} _{S}(\overline{x_{i:1}})\) and substitute \(\textsc {niters} _{S}(\overline{x_{f:n}})\) by 0 if \({tr^{ no-rst }}\) is at the end of the execution or by 1 if there are further iterations. Then we denote \( inc \) the sum of all \( extra '\) for every \({tr^{ no-rst }}\) subtrace. The cost of the complete \({tr^{ex}}\) is : \((\mathtt {max\_init}(\textsc {niters} _S)-1)*rst+ rst+\mathtt {max\_init}(\textsc {niters} _S)+ inc \) which corresponds to the expression given in Observation 3.

Finally, it is left to justify that \( inc \) is bounded by \(\sum _{p \in inc (I_{S})} diff _p*\textsc {nvisits} (p)\). \( inc \) represents the sum of all field modifications \(z_q\) that occur in interleavings of \({tr^{ex}}\) where C is not valid and the points in \(I_{S}\setminus inc (I_{S})\) are not visited. Consequently, the points in \( inc (I_{S})\) are the only ones that can contribute to \( inc \) and they can contribute at most \( diff _p\) per program point visit. Therefore \(\sum _{p \in inc (I_{S})} diff _p*\textsc {nvisits} (p)\) is a sound approximation of \( inc \). \(\square \)

1.4 Soundness of n_atomic_nvisits

In the previous section, we argued that rst is the number of finite iterations \({tr^{it}}\) that are not well-behaving and belong to a \({tr^{ rst }}\). Each not well-behaving \({tr^{it}}\) in a \({tr^{ rst }}\) must contain at least one \( t \)-interleaving trace \({tr^{lv}}\) with at least one step \({St}_i \rightarrow ^{p} {St}_{i+1}\) such that \(p\in I\setminus inc(I)\) that makes C invalid.

Instruction p is executed in a task \( t '\ne t \) such that \( t '\) and \( t \) belong to the same object (otherwise p could not make C invalid). In order to execute p, the task \( t '\) must have obtained the object’s lock in a previous step \({St}_j \rightarrow ^{p'} {St}_{j+1}\) (\(j<i\), \(ob(o,a,\bot )\in {St}_j\) and \(ob(o,a, t ')\in {St}_{j+1}\)) of \({tr^{lv}}\). We denote \(trace_{p\rightarrow p'}\) the subtrace of \({tr^{lv}}\) from \({St}_j\) to \({St}_i\). According to the semantics of the language (see Fig. 1) a lock can only be obtained at the beginning of execution of the task \( t '\) or at a release point ().

Let S be a loop scope where p appears \(p\sqsubset S\). If there is no release point \(p'\sqsubset S\), there must be a step \({St}_j \rightarrow ^{p''} {St}_{j+1}\) that goes inside the loop scope S. We know that \(p''\) must be executed in \({tr^{lv}}\) and \(\textsc {nvisits} (p'')\) is smaller than \(\textsc {nvisits} (p)\) because it does not have to count the iterations of S or other loop scopes inside S.

\(\textsc {n\_atomic\_nvisits} (p)\) computes the number of visits to \(p''\) where \(p''\) is the entry point of the biggest loop scope S such that \(p\sqsubset S\) and or simply the number of visits to p if there is not such a loop. Therefore, we have that \(\sum _{\{ p| p \in I_{S}\}} \textsc {n\_atomic\_nvisits} (p)\) is a valid and more precise upper bound on the number of iteration traces that are not well-behaved \( rst \le \sum _{\{ p| p \in I_{S}\}} \textsc {n\_atomic\_nvisits} (p)\) and can be applied to the definition of \(\textsc {lbound} \).

Finally, it is worth mentioning that \(\textsc {n\_atomic\_nvisits} (p)\) cannot be used to compute inc because for inc we have to count the total amount a field can be modified regardless of whether it happens in one or several \( t \)-interleaving traces.