Title: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning
1On the Relationship Between Concurrent Separation
Logic and Assume-Guarantee Reasoning
- Xinyu Feng
- Yale University
Joint work with Rodrigo Ferreira and Zhong Shao
2Motivation
- Concurrency verification is challenging!
Memory aliasing makes it harder to ensure
non-interference.
Modularity is the key!
3Two kinds of modularity
- Control modularity
- a.k.a. thread-modularity
- each thread is verified independently of others
- Data modularity
- a.k.a. information hiding
- each thread only cares about data it uses
4Existing work
- Assume-Guarantee (A-G) reasoning
MisraChandy81, Jones83 - thread modularity
- general no restriction over synchronization
pattern - spec of AG requires global data invariants
- Concurrent Separation Logic (CSL) OHearn,
Brookes 2004 - thread modularity
- data modularity local reasoning
- restrictive synchronization pattern
- shared resources can be accessed only inside
critical regions
5Our Contributions
- SAGL combining CSL and A-G reasoning
- extend A-G logic with local reasoning
- better data modularity (than A-G reasoning)
- thread modularity
- no restriction over synchronization pattern
- A formal study of the relationship between CSL
and A-G reasoning
6Outline of this talk
- Background
- Concurrent Separation Logic
- Assume-Guarantee reasoning
- SAGL combination of CSL A-G reasoning
- Interpretation of CSL in SAGL
7Concurrent Separation Logic
- Assertions capture ownerships of resources
- Cannot access resource without ownership
- Shared resources are protected by critical
regions (CRs) - Transfer of ownership at boundary of CR
l ? n
8CSL assertions
9Locks and Critical Regions
- Lock-based critical regions (CR)
l.acq() l.rel()
10Concurrent Separation Logic
l1.rel()
l1.acq()
11Example List
x
? l ? List(x)
getNode() l.acq()
l.rel()
-emp
-emp List(x)
-Node(y) List(x)
-Node(y)
12Concurrent Separation Logic
- Thread modularity
- Data modularity by local reasoning
- do not need knowledge of other threads data
- Ownership transfer is bound with CRs
- requires built-in critical regions
- hard to support ad-hoc synchronizations
? ? p C q
13Outline of this talk
- Background
- Concurrent Separation Logic
- Assume-Guarantee reasoning
- SAGL combination of CSL A-G reasoning
- Interpretation of CSL in SAGL
14Assume-Guarantee Reasoning
- Thread T and its environment
- Environment the collection of all other threads
except T - A assumption about environments transition
- G guarantee to the environment
- a precondition
15Assume-Guarantee Reasoning
Non-Interference of threads
G1 ? ? Gi-1 ? Gi1 ? ? Gn ? Ai
Gi ? A1 ? ? Ai-1 ? Ai1 ? ? An
preservation of precondition
? S, S'. a S ? A S S' ? a S'
transitions satisfy the guarantee
G S Nextc(S)
16A-G reasoning
G1
G2
a1
a2
A1
A2
a2
a1
17A-G reasoning
- Thread modular
- separate verification of threads
- Not require CRs
- but need to know smallest granularity of
transitions - A, G global invariants about all resources
- hard to define
- lack data modularity
- Need to check A and G at every step
(A,G)? a C a
18Example data modularity broken
100
101
100 m
101 n
G1 101 101' A1 100 100'
G2 100 100' A2 101 101'
19Outline of this talk
- Background
- Concurrent Separation Logic
- Assume-Guarantee reasoning
- SAGL combination of CSL A-G reasoning
- Interpretation of CSL in SAGL
20SAGL Separated A-G Logic
- Partition of each threads resource
- shared and private
- shared can be accessed at any time
- governed by A and G
- exclusive access to private resources
- follows local reasoning in CSL
- not specified in A and G
- better memory modularity
- Dynamic change of partition
- may occur at any point, not tied with CR
boundaries
21SAGL Specification of Threads
- A, G assumption and guarantee
- a precondition about shared resources
- p precondition about private resources
- Spec for Ti ((ai, pi), Ai, Gi)
22SAGL Access Private Resource
23Example regained data modularity
100
101
-(emp , 101 ? _)
-(emp , 100 ? _)
100 m
101 n
24SAGL Access Shared Resource
G2
a1
A1
a1
A-G reasoning a special case where
p1 and p2 are emp.
25SAGL - Redistribution
G2
A1
G2
A1
26SAGL
- Thread modular
- separate verification of threads
- Not require CRs
- but need to know smallest granularity of
transitions - A, G only specifies shared resources
- better modularity
- Need to check A and G at every step
- but the check is trivial if only private resource
is used
(A,G)? (a,p) C (a,p)
27Outline of this talk
- Background
- Concurrent Separation Logic
- Assume-Guarantee reasoning
- SAGL combination of CSL A-G reasoning
- Interpretation of CSL in SAGL
28Concurrent Separation Logic
l1.rel()
l1.acq()
29Implicit Invariants in CSL
- Shared resources are well-formed outside of
critical regions.
Invariants of shared resources a? ?
Inv(l1) ? ? Inv(ln)
Inv(li) ? (free(li) ? ?(li)) ? (? free(li) ?
emp)
At each program point (p1 ? ?
pn) ? a? S
30Specialization of SAGL
- At each program point in SAGL
- (p1 ? ? pn) ? (a1 ? ? an)
Specialize ai into a? (p1 ? ? pn) ?
(a? ? ? a?)
? (p1 ? ? pn) ? a?
Specialize A and G to enforce a? at every step
A? S S' ? a? S ? a? S' G? S S' ?
a? S ? a? S'
31Interpretation of CSL in SAGL
- If ??CSL p C q,
- then
- (A?,G?)?SAGL (a?,p) C (a?,q)
Also a new way to prove the soundness of CSL!
The soundness of SAGL is proved following
the syntactic approach (by proving progress
preservation). Proofs have been formalized in Coq.
32Example List
? l ? List(x)
a? free(l) ? List(x) ? ?free(l) ? emp
getNode() l.acq()
l.rel()
-(a?, emp)
? a?
-(emp, emp List(x))
? a?
-(emp, Node(y) List(x))
? a?
-(List(x), Node(y))
33Conclusion
- SAGL
- combination of local reasoning with A-G reasoning
- improved modularity than A-G reasoning
- more flexible than CSL
- Embedding of CSL in SAGL
- formalization of invariants shared resources
are well-formed outside of CRs - a new way to prove the soundness of CSL
34Thank you!
35Example GCD
initially x ? y ?
while(x ltgt y) if (x gt y) x x y
while(x ltgt y) if (y gt x) y y x
result x GCD(?, ?) y GCD(?, ?)
G1 (y y') ? (x ? y ? x x') ? (GCD(x, y)
GCD(x', y')) A1 (x x') ? (y ? x ? y y') ?
(GCD(x, y) GCD(x', y')) G2 A1
A2 G1
36Example GCD
initially x ? y ?
while(x ltgt y) if (x gt y) x x y
while(x ltgt y) if (y gt x) y y x
result x GCD(?, ?) y GCD(?, ?)
Hard to certify using CSL without rewriting the
program and adding auxiliary variables.
37Problem with CSL
- Needs to rewrite code using CRs
- then needs to prove semantic preservation
- CSL is a program logic
- what if the language does not support CRs?
- only use cas to do synchronization
38Example malloc
x alloc(1) x 2 if ( odd(x) )
//should never reach here
y alloc(1) y 3 if ( even(y) )
//should never reach here
G1 ??? A1 ???
G2 ??? A1 ???
39Example malloc
- (emp, emp
- (emp, emp)
x alloc(1) x 2 if ( odd(x) )
//should never reach here
y alloc(1) y 3 if ( even(y) )
//should never reach here
- (emp, y ? _)
- (emp, x ? _)
40Soundness of SAGL
- Safety progress preservation
- Partial correctness
- assertions assigned to program points hold when
we reach these points