![Page 1: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/1.jpg)
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning
Xinyu Feng
Yale University
Joint work with Rodrigo Ferreira and Zhong Shao
![Page 2: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/2.jpg)
Motivation
Concurrency verification is challenging!
T1
T1 T1
T2
T2 T2
Exponential state space caused by interleaving of execution.
Memory aliasing makes it harder to ensure non-interference.
Modularity is the key!
![Page 3: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/3.jpg)
Two kinds of modularity
• Control modularity– a.k.a. thread-modularity– each thread is verified independently of others
• Data modularity– a.k.a. information hiding– each thread only cares about data it uses
![Page 4: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/4.jpg)
Existing work
• Assume-Guarantee (A-G) reasoning [Misra&Chandy’81, Jones’83]
thread modularity general: no restriction over synchronization pattern spec of A&G requires global data invariants
• Concurrent Separation Logic (CSL) [O’Hearn, Brookes 2004]
thread modularity data modularity: local reasoning restrictive synchronization pattern
shared resources can be accessed only inside critical regions
![Page 5: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/5.jpg)
Our Contributions
• SAGL: combining CSL and A-G reasoning– extend A-G logic with local reasoning better data modularity (than A-G reasoning) thread modularity no restriction over synchronization pattern
• A formal study of the relationship between CSL and A-G reasoning
![Page 6: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/6.jpg)
Outline of this talk
• Background– Concurrent Separation Logic– Assume-Guarantee reasoning
• SAGL: combination of CSL & A-G reasoning
• Interpretation of CSL in SAGL
![Page 7: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/7.jpg)
Concurrent Separation Logic
• Assertions capture ownerships of resources
• Cannot access resource without ownership
• Shared resources are protected by critical regions (CRs)
• Transfer of ownership at boundary of CR
l n
![Page 8: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/8.jpg)
CSL assertions
l n nl
p q p q
emp empty heap
p qp q
![Page 9: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/9.jpg)
Locks and Critical Regions
Lock-based critical regions (CR): l.acq();…………
l.rel()
Invariants about memory protected by locks:
= {l1 r1, …, ln rn}
r1 rn
. . .
l1 ln
![Page 10: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/10.jpg)
p1
(l2)
p2
(l1)
p1
(l2)
(l1) p2
Concurrent Separation Logic
p1
(l2)
p2
(l1)
l1.acq()
l1.rel()
…
p1
(l2)
(l1) p2
![Page 11: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/11.jpg)
Example: List
x… = { l List(x) }
getNode():
l.acq();
…
l.rel();
-{emp}
-{emp * List(x)};
-{Node(y) * List(x)}
-{Node(y)}
x … y
![Page 12: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/12.jpg)
Concurrent Separation Logic
• Thread modularity
• Data modularity by local reasoning– do not need knowledge of other threads’ data
Ownership transfer is bound with CRs– requires built-in critical regions– hard to support ad-hoc synchronizations
┝ {p} C {q}
![Page 13: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/13.jpg)
Outline of this talk
• Background– Concurrent Separation Logic– Assume-Guarantee reasoning
• SAGL: combination of CSL & A-G reasoning
• Interpretation of CSL in SAGL
![Page 14: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/14.jpg)
Assume-Guarantee Reasoning
• Thread T and its environment– Environment: the collection of all other threads except T
• A: assumption about environment’s transition
• G: guarantee to the environment
• a: precondition
![Page 15: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/15.jpg)
Assume-Guarantee Reasoning
To certify each thread:
S, S'. a S A S S' a S'
Non-Interference of threads:
G1 … Gi-1 Gi+1 … Gn Ai
Gi A1 … Ai-1 Ai+1 … An
preservation of precondition:
G S Nextc(S)
transitions satisfy the guarantee:
![Page 16: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/16.jpg)
A-G reasoning
a1a2
a1a2 a1a2
G2
A1A2
G1
a2
a2
a1
a1
![Page 17: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/17.jpg)
A-G reasoning
• Thread modular– separate verification of threads
• Not require CRs– but need to know smallest granularity of transitions
A, G: global invariants about all resources– hard to define– lack data modularity
Need to check A and G at every step
(A,G) {a} C {a’}┝
![Page 18: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/18.jpg)
Example: data modularity broken
…
[100] := m;
…
…
[101] := n;
…
100 101
G1: [101] = [101]'
A1: [100] = [100]'
G2: [100] = [100]'
A2: [101] = [101]'
![Page 19: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/19.jpg)
Outline of this talk
• Background– Concurrent Separation Logic– Assume-Guarantee reasoning
• SAGL: combination of CSL & A-G reasoning
• Interpretation of CSL in SAGL
![Page 20: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/20.jpg)
SAGL: Separated A-G Logic
• Partition of each thread’s resource– shared and private– shared can be accessed at any time
• governed by A and G
– exclusive access to private resources• follows local reasoning in CSL• not specified in A and G• better memory modularity
• Dynamic change of partition– may occur at any point, not tied with CR boundaries
![Page 21: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/21.jpg)
SAGL: Specification of Threads
• A, G: assumption and guarantee
• a: precondition about shared resources
• p: precondition about private resources
• Spec for Ti: ((ai, pi), Ai, Gi)
![Page 22: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/22.jpg)
p1
a1a2
p2'
p1
a1a2
p2
SAGL – Access Private Resource
![Page 23: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/23.jpg)
Example: regained data modularity
…
[100] := m;
…
…
[101] := n;
…
100 101
-{(emp , 100 _) } -{(emp , 101 _)}
G1: emp
A1: emp
G2: emp
A2: emp
![Page 24: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/24.jpg)
p1
a1a2'
p2
p1
a1a2
p2
SAGL – Access Shared Resource
A1
G2
a1 a1
A-G reasoning: a special case where
p1 and p2 are emp.
![Page 25: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/25.jpg)
p1
a1a2
p2
p1
a1a2
p2
p1
a1a2'
p2
SAGL - Redistribution
A1
G2 A1
G2
![Page 26: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/26.jpg)
SAGL
• Thread modular– separate verification of threads
• Not require CRs– but need to know smallest granularity of transitions
• A, G: only specifies shared resources– better modularity
• Need to check A and G at every step– but the check is trivial if only private resource is used
(A,G) {(a,p)} C {(a’,p’)}┝
![Page 27: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/27.jpg)
Outline of this talk
• Background– Concurrent Separation Logic– Assume-Guarantee reasoning
• SAGL: combination of CSL & A-G reasoning
• Interpretation of CSL in SAGL
![Page 28: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/28.jpg)
p1
(l2)
p2
(l1)
p1
(l2)
(l1) p2
Concurrent Separation Logic
p1
(l2)
p2
(l1)
l1.acq()
l1.rel()
…
p1
(l2)
(l1) p2
![Page 29: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/29.jpg)
Implicit Invariants in CSL
Shared resources are well-formed outside of critical regions.
Invariants of shared resources:
a Inv(l1) … Inv(ln)
At each program point:
(p1 … pn) a S
Inv(li) (free(li) (li)) ( free(li) emp)
![Page 30: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/30.jpg)
p1
a1a2
p2
Specialization of SAGL
At each program point in SAGL: (p1 … pn) (a1 … an)
Specialize ai into a
(p1 … pn) (a … a)
Specialize A and G to enforce a at every step
A S S' a S a S'
G S S' a S a S'
(p1 … pn) a
![Page 31: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/31.jpg)
Interpretation of CSL in SAGL
If ┝CSL {p} C {q},
then
(A,G)┝SAGL {(a,p)} C {(a,q)}
Also a new way to prove the soundness of CSL! The soundness of SAGL is proved following the syntactic approach (by proving progress & preservation).
Proofs have been formalized in Coq.
![Page 32: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/32.jpg)
getNode():
l.acq();
…
l.rel();
-{(a, emp)}
Example: List = { l List(x) }
-{(emp, emp * List(x))};
-{(emp, Node(y) * List(x))}
-{(List(x), Node(y))}
a = free(l) List(x)
free(l) emp
x…
x … y a
a
a
![Page 33: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/33.jpg)
Conclusion
• SAGL– combination of local reasoning with A-G reasoning– improved modularity than A-G reasoning– more flexible than CSL
• Embedding of CSL in SAGL– formalization of invariants:
shared resources are well-formed outside of CRs– a new way to prove the soundness of CSL
![Page 34: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/34.jpg)
Thank you!
![Page 35: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/35.jpg)
Example: GCD
while(x <> y){
if (x > y)
x = x – y;
}
while(x <> y){
if (y > x)
y = y – x;
}
initially: x = ; y = ;
result: x = GCD(, ); y = GCD(, );
G1: (y = y') (x y x = x') (GCD(x, y) = GCD(x', y'))
A1: (x = x') (y x y = y') (GCD(x, y) = GCD(x', y'))
G2 = A1; A2 = G1
![Page 36: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/36.jpg)
Example: GCD
while(x <> y){
if (x > y)
x = x – y;
}
while(x <> y){
if (y > x)
y = y – x;
}
initially: x = ; y = ;
result: x = GCD(, ); y = GCD(, );
Hard to certify using CSL without rewriting the program and adding auxiliary variables.
![Page 37: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/37.jpg)
Problem with CSL
• Needs to rewrite code using CRs– then needs to prove semantic preservation
• CSL is a program logic– what if the language does not support CRs?
• only use “cas” to do synchronization
![Page 38: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/38.jpg)
Example: malloc
x = alloc(1);
[x] = 2;
if ( odd([x]) ){
//should never reach here
}
y = alloc(1);
[y] = 3;
if ( even([y]) ){
//should never reach here
}
G1: ???
A1: ???
G2: ???
A1: ???
{ emp } { emp }
{ x _ } { y _ }
![Page 39: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/39.jpg)
Example: malloc
x = alloc(1);
[x] = 2;
if ( odd([x]) ){
//should never reach here
}
y = alloc(1);
[y] = 3;
if ( even([y]) ){
//should never reach here
}
G1: emp
A1: emp
G2: emp
A1: emp
-{ (emp, emp) } -{ (emp, emp }
-{ (emp, x _) } -{ (emp, y _) }
![Page 40: On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and](https://reader030.vdocument.in/reader030/viewer/2022032801/56649d535503460f94a2f610/html5/thumbnails/40.jpg)
Soundness of SAGL
• Safety: progress & preservation
• Partial correctness:– assertions assigned to program points hold
when we reach these points