Local rely-guarantee reasoning

FengXinyu,

doi:10.1145/1594834.1480922

Cited by 51 publications

(75 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[24], [8], [7], [3], [13], [6], [21], [17], [19], [4], [11]), namely ghost states, protocols and separation logic, and adapts them in a novel way to support modular weak memory reasoning. We shall first give a brief introduction about GPS, focusing on atomic writes/reads and escrows, which are essential for synchronisations.…”

Section: The Gps Frameworkmentioning

confidence: 99%

Reasoning about Fences and Relaxed Atomics

Vafeiadis

Qin³

et al. 2016

2016 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP)

View full text Add to dashboard Cite

Abstract-For efficiency reasons, weak (or relaxed) memory is now the norm on modern architectures. To cater for this trend, modern programming languages are adapting their memory models. The new C11 memory model [1] allows several levels of memory weakening, including non-atomics, relaxed atomics, releaseacquire atomics, and sequentially consistent atomics. Under such weak memory models, multithreaded programs exhibit more behaviours, some of which would have been inconsistent under the traditional strong (i.e. sequentially consistent) memory model. This makes the task of reasoning about concurrent programs even more challenging. The GPS framework, recently developed by Turon et al. [22], has made a step forward towards tackling this challenge. By integrating ghost states, per-location protocols and separation logic, GPS can successfully verify programs with release-acquire atomics. In this paper, we present a program logic, an enhancement of the GPS framework, that can support the verification of a bigger class of C11 programs, that is, programs with release-acquire atomics, relaxed atomics and release-acquire fences. Key elements of our proposed logic include two new types of assertions, a more expressive resource model and a set of newlydesigned verification rules.

show abstract

Section: The Gps Frameworkmentioning

confidence: 99%

Reasoning about Fences and Relaxed Atomics

Vafeiadis

Qin³

et al. 2016

2016 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP)

View full text Add to dashboard Cite

show abstract

“…Separation logic cannot concisely specify the counter's intended semantics, only code's behavior. Rely-guarantee and related systems can express the semantics among threads [18,27,45], but only coarsely [46] among different program sections. Most program logics can constrain the actions of a function on an argument, but the specification must deal with aliasing, either by giving linear semantics to knowledge of the counter (as in separation logic), or by explicitly treating aliasing (as in more traditional Hoare logics [24]).…”

Section: Rely-guarantee Referencesmentioning

confidence: 99%

Rely-guarantee references for refinement types over aliased mutable data

2013

View full text Add to dashboard Cite

Reasoning about side effects and aliasing is the heart of verifying imperative programs. Unrestricted side effects through one reference can invalidate assumptions about an alias. We present a new type system approach to reasoning about safe assumptions in the presence of aliasing and side effects, unifying ideas from reference immutability type systems and rely-guarantee program logics. Our approach, rely-guarantee references, treats multiple references to shared objects similarly to multiple threads in rely-guarantee program logics. We propose statically associating rely and guarantee conditions with individual references to shared objects. Multiple aliases to a given object may coexist only if the guarantee condition of each alias implies the rely condition for all other aliases. We demonstrate that existing reference immutability type systems are special cases of rely-guarantee references.In addition to allowing precise control over state modification, rely-guarantee references allow types to depend on mutable data while still permitting flexible aliasing. Dependent types whose denotation is stable over the actions of the rely and guarantee conditions for a reference and its data will not be invalidated by any action through any alias. We demonstrate this with refinement (subset) types that may depend on mutable data. As a special case, we derive the first reference immutability type system with dependent types over immutable data.We show soundness for our approach and describe experience using rely-guarantee references in a dependently-typed monadic DSL in COQ.

show abstract

“…This gives us a deductive verification tool for concurrent programs using the sequential verifier Boogie. We used this method to prove correct the following set of concurrent programs-X + + (Fig 2), Lock [2], Peterson's algorithm, the Bakery protocol, ArrayIndexSearch, GCD [1] and a simplified version of a Windows NT Bluetooth driver. Lock is a simple example program consisting of two threads that modify a shared variable after acquiring a lock; the safety condition in the example confirms that these modifications cannot occur concurrently.…”

Section: Experiencementioning

confidence: 99%

Compositionality Entails Sequentializability

Garg

Madhusudan

2011

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Abstract. We show that any concurrent program that is amenable to compositional reasoning can be effectively translated to a sequential program. More precisely, we give a reduction from the verification problem for concurrent programs against safety specifications to the verification of sequential programs with safety specifications, where the reduction is parameterized by a set of auxiliary variables A, such that the concurrent program compositionally satisfies its specification using auxiliary variables A iff the sequentialization satisfies its specification. The result generalizes known results in the literature on sequentializing concurrent programs under a bounded number of context-switches, and has the salient feature that it can prove concurrent programs entirely correct, as opposed to only showing safety of under-approximations. The sequentialization allows us to use sequential verification tools (including deductive verification tools and predicate abstraction tools) to analyze and prove concurrent programs correct. We also show how proof annotations of a rely-guarantee proof of the concurrent program (i.e. rely/guarantee relations, pre-and post-conditions, and loop invariants) over the auxiliary variables A can be transformed into Hoare-style proof annotations of the sequential program (rely/guarantee relations get transformed to pre-and post-conditions in the sequential program). We utilize the sequentializability and the proof annotation translation to prove several concurrent programs compositionally correct by proving their sequential counterparts using the program verifier Boogie.

show abstract

Local rely-guarantee reasoning

Cited by 51 publications

References 28 publications

Reasoning about Fences and Relaxed Atomics

Reasoning about Fences and Relaxed Atomics

Rely-guarantee references for refinement types over aliased mutable data

Compositionality Entails Sequentializability

Contact Info

Product

Resources

About