On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning

1
On the Relationship Between Concurrent Separation
Logic and Assume-Guarantee Reasoning

• Xinyu Feng
• Yale University

Joint work with Rodrigo Ferreira and Zhong Shao
2
Motivation

• Concurrency verification is challenging!

Memory aliasing makes it harder to ensure
non-interference.
Modularity is the key!
3
Two kinds of modularity

• Control modularity
• a.k.a. thread-modularity
• each thread is verified independently of others
• Data modularity
• a.k.a. information hiding
• each thread only cares about data it uses

4
Existing work

• Assume-Guarantee (A-G) reasoning
  
  MisraChandy81, Jones83
• thread modularity
• general no restriction over synchronization
  pattern
• spec of AG requires global data invariants
• Concurrent Separation Logic (CSL) OHearn,
  Brookes 2004
• thread modularity
• data modularity local reasoning
• restrictive synchronization pattern
• shared resources can be accessed only inside
  critical regions

5
Our Contributions

• SAGL combining CSL and A-G reasoning
• extend A-G logic with local reasoning
• better data modularity (than A-G reasoning)
• thread modularity
• no restriction over synchronization pattern
• A formal study of the relationship between CSL
  and A-G reasoning

6
Outline of this talk

• Background
• Concurrent Separation Logic
• Assume-Guarantee reasoning
• SAGL combination of CSL A-G reasoning
• Interpretation of CSL in SAGL

7
Concurrent Separation Logic

• Assertions capture ownerships of resources
• Cannot access resource without ownership
• Shared resources are protected by critical
  regions (CRs)
• Transfer of ownership at boundary of CR

l ? n
8
CSL assertions
9
Locks and Critical Regions

• Lock-based critical regions (CR)

l.acq() l.rel()
10
Concurrent Separation Logic
l1.rel()
l1.acq()

11
Example List
x
? l ? List(x)

getNode() l.acq()
l.rel()
-emp
-emp List(x)
-Node(y) List(x)
-Node(y)
12
Concurrent Separation Logic

• Thread modularity
• Data modularity by local reasoning
• do not need knowledge of other threads data
• Ownership transfer is bound with CRs
• requires built-in critical regions
• hard to support ad-hoc synchronizations

? ? p C q
13
Outline of this talk

• Background
• Concurrent Separation Logic
• Assume-Guarantee reasoning
• SAGL combination of CSL A-G reasoning
• Interpretation of CSL in SAGL

14
Assume-Guarantee Reasoning

• Thread T and its environment
• Environment the collection of all other threads
  except T
• A assumption about environments transition
• G guarantee to the environment
• a precondition

15
Assume-Guarantee Reasoning
Non-Interference of threads
G1 ? ? Gi-1 ? Gi1 ? ? Gn ? Ai
Gi ? A1 ? ? Ai-1 ? Ai1 ? ? An

• To certify each thread

preservation of precondition
? S, S'. a S ? A S S' ? a S'
transitions satisfy the guarantee
G S Nextc(S)
16
A-G reasoning
G1
G2
a1
a2
A1
A2
a2
a1
17
A-G reasoning

• Thread modular
• separate verification of threads
• Not require CRs
• but need to know smallest granularity of
  transitions
• A, G global invariants about all resources
• hard to define
• lack data modularity
• Need to check A and G at every step

(A,G)? a C a
18
Example data modularity broken
100
101
100 m
101 n
G1 101 101' A1 100 100'
G2 100 100' A2 101 101'
19
Outline of this talk

• Background
• Concurrent Separation Logic
• Assume-Guarantee reasoning
• SAGL combination of CSL A-G reasoning
• Interpretation of CSL in SAGL

20
SAGL Separated A-G Logic

• Partition of each threads resource
• shared and private
• shared can be accessed at any time
• governed by A and G
• exclusive access to private resources
• follows local reasoning in CSL
• not specified in A and G
• better memory modularity
• Dynamic change of partition
• may occur at any point, not tied with CR
  boundaries

21
SAGL Specification of Threads

• A, G assumption and guarantee
• a precondition about shared resources
• p precondition about private resources
• Spec for Ti ((ai, pi), Ai, Gi)

22
SAGL Access Private Resource
23
Example regained data modularity
100
101
-(emp , 101 ? _)
-(emp , 100 ? _)
100 m
101 n
24
SAGL Access Shared Resource
G2
a1
A1
a1
A-G reasoning a special case where
p1 and p2 are emp.
25
SAGL - Redistribution
G2
A1
G2
A1
26
SAGL

• Thread modular
• separate verification of threads
• Not require CRs
• but need to know smallest granularity of
  transitions
• A, G only specifies shared resources
• better modularity
• Need to check A and G at every step
• but the check is trivial if only private resource
  is used

(A,G)? (a,p) C (a,p)
27
Outline of this talk

• Background
• Concurrent Separation Logic
• Assume-Guarantee reasoning
• SAGL combination of CSL A-G reasoning
• Interpretation of CSL in SAGL

28
Concurrent Separation Logic
l1.rel()
l1.acq()

29
Implicit Invariants in CSL

• Shared resources are well-formed outside of
  critical regions.

Invariants of shared resources a? ?
Inv(l1) ? ? Inv(ln)
Inv(li) ? (free(li) ? ?(li)) ? (? free(li) ?
emp)
At each program point (p1 ? ?
pn) ? a? S
30
Specialization of SAGL

• At each program point in SAGL
• (p1 ? ? pn) ? (a1 ? ? an)

Specialize ai into a? (p1 ? ? pn) ?
(a? ? ? a?)
? (p1 ? ? pn) ? a?
Specialize A and G to enforce a? at every step
A? S S' ? a? S ? a? S' G? S S' ?
a? S ? a? S'
31
Interpretation of CSL in SAGL

• If ??CSL p C q,
• then
• (A?,G?)?SAGL (a?,p) C (a?,q)

Also a new way to prove the soundness of CSL!
The soundness of SAGL is proved following
the syntactic approach (by proving progress
preservation). Proofs have been formalized in Coq.
32
Example List
? l ? List(x)
a? free(l) ? List(x) ? ?free(l) ? emp
getNode() l.acq()
l.rel()
-(a?, emp)
? a?
-(emp, emp List(x))
? a?
-(emp, Node(y) List(x))
? a?
-(List(x), Node(y))
33
Conclusion

• SAGL
• combination of local reasoning with A-G reasoning
• improved modularity than A-G reasoning
• more flexible than CSL
• Embedding of CSL in SAGL
• formalization of invariants shared resources
  are well-formed outside of CRs
• a new way to prove the soundness of CSL

34
Thank you!
35
Example GCD
initially x ? y ?
while(x ltgt y) if (x gt y) x x y
while(x ltgt y) if (y gt x) y y x
result x GCD(?, ?) y GCD(?, ?)
G1 (y y') ? (x ? y ? x x') ? (GCD(x, y)
GCD(x', y')) A1 (x x') ? (y ? x ? y y') ?
(GCD(x, y) GCD(x', y')) G2 A1
A2 G1
36
Example GCD
initially x ? y ?
while(x ltgt y) if (x gt y) x x y
while(x ltgt y) if (y gt x) y y x
result x GCD(?, ?) y GCD(?, ?)
Hard to certify using CSL without rewriting the
program and adding auxiliary variables.
37
Problem with CSL

• Needs to rewrite code using CRs
• then needs to prove semantic preservation
• CSL is a program logic
• what if the language does not support CRs?
• only use cas to do synchronization

38
Example malloc
x alloc(1) x 2 if ( odd(x) )
//should never reach here
y alloc(1) y 3 if ( even(y) )
//should never reach here
G1 ??? A1 ???
G2 ??? A1 ???
39
Example malloc
- (emp, emp
- (emp, emp)
x alloc(1) x 2 if ( odd(x) )
//should never reach here
y alloc(1) y 3 if ( even(y) )
//should never reach here
- (emp, y ? _)
- (emp, x ? _)
40
Soundness of SAGL

• Safety progress preservation
• Partial correctness
• assertions assigned to program points hold when
  we reach these points