local reasoning for rcuropas.snu.ac.kr/seminar/20091222.pdf · 2010. 1. 6. · rcu_read_lock {b’...

$: Local Reasoning for RCUropas.snu.ac.kr/seminar/20091222.pdf · 2010. 1. 6. · rcu_read_lock {b’ = b; x = *b’; y = *(b’+1);}.. USE x,y .. .. PRODUCE u,v .. nb = malloc(2); rcu_write_lock$
Local Reasoning for RCU

Hongseok Yang (Queen Mary Univ. of London)

Joint work with Peter O’Hearn, Matthew Parkinson, Noam Rinetzky, Mooly Sagiv

and Viktor Vafeiadis

• Active research by verification communities.

• Various workshops/conferences.

• Many papers on concurrency appear in major conferences.

• Concurrency is a hot topic inside separation logic.

• What about Linux hackers?

Preparing Multicore Era

• Active research by verification communities.

• Various workshops/conferences.

• Many papers on concurrency appear in major conferences.

• Concurrency is a hot topic inside separation logic.

• What about Linux hackers?

Preparing Multicore Era

Finally, Yahav and Sagiv [18] and Calcagno et al. [13] use shape analysis tocheck simple safety properties of list-based concurrent algorithms, but cannotverify linearisability.

Semi-automatic Verification. In [2–5], the PVS theorem prover was used tocheck hand-crafted linearizability proofs. These papers prove linearizability usingdifferent techniques than the one used here. See §3 for details.

8 Conclusion

We have demonstrated that RGSep and shape-value abstraction enable effectiveautomatic linearizability proofs. The examples verified are typical of the researchliterature 5–10 years ago. The techniques can also cope with more complex al-gorithms, but the shape analyses must be powerful enough to describe the datastructures used in the algorithms. As shape analyses based on separaration logicare relatively new, they are still restricted to linked-list data structures.

In the future, we plan to improve the underlying shape analyses to han-dle other kinds of data structures such as arrays, and to attempt to infer thenecessary action annotations automatically.

References

1. Herlihy, M.P., Wing, J.M.: Linearizability: a correctness condition for concurrentobjects. ACM Trans. on Program. Languages and Systems 12(3) (1990) 463–492

2. Doherty, S., Groves, L., Luchangco, V., Moir, M.: Formal verification of a practicallock-free queue algorithm. In: Int. Conf. on Formal Techniques for Networked andDist. Sys. (FORTE 2004). Volume 3235 of LNCS., Madrid, Spain, IFIP WG 6.1,Springer (September 2004) 97–114

3. Colvin, R., Doherty, S., Groves, L.: Verifying concurrent data structures by simu-lation. Electronic Notes in Theoretical Computer Science 137(2) (2005) 93–110

4. Gao, H., Groote, J.F., Hesselink, W.H.: Lock-free dynamic hash tables with openaddressing. Distributed Computing 18(1) (July 2005) 21–42

5. Colvin, R., Groves, L., Luchangco, V., Moir, M.: Formal verification of a lazyconcurrent list-based set. In: 18th CAV. Volume 4144 of LNCS., Springer (2006)475–488

6. Vafeiadis, V., Herlihy, M., Hoare, T., Shapiro, M.: Proving correctness of highly-concurrent linearisable objects. In: 11th PPoPP, ACM (2006) 129–136

7. Amit, D., Rinetzky, N., Reps, T., Sagiv, M., Yahav, E.: Comparison under ab-straction for verifying linearisability. In: 19th CAV. (2007)

8. Manevich, R., Lev-Ami, T., Ramalingam, G., Sagiv, M., Berdine, J.: Heap decom-position for concurrent shape analysis. Technical Report TR-2007-11-85453, TelAviv University (November 2007)

9. Vafeiadis, V., Parkinson, M.: A marriage of rely/guarantee and separation logic.In: 18th International Conference on Concurrency Theory (CONCUR). Volume4703 of LNCS., Springer (September 2007)

10. Jones, C.B.: Specification and design of (parallel) programs. In: IFIP Congress.(1983) 321–332

From “Shape-value abstraction for verifying linearizability” by Viktor Vafeiadis

RCU Usage in Linux

Data fromPaul McKenney’sRCU Web Page

Objectives

• Explain RCU and research problems related to RCU.

• Present a preliminary result on program logic for RCU.

RCU (Read-Copy-Update)

• Back to the future: old style locking for new style architecture.

• Very approximately, reader/writer locks.

• Allows the concurrent access by multiple readers and a single writer.

• Very little concurrency overhead for readers.

• Intended to work well with weak memory.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {

free(ob); free(ob+1); }

3 4

b

RCUReader/Writer

reader0 writer0

writer1reader1

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


3 4

b

RCUReader/Writer

reader0 writer0

writer1reader1

b’x:3 , y:4

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


3 4

b

RCUReader/Writer

reader0 writer0

writer1reader1

b’x:3 , y:4

nbobu:11, v:12

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


3 4

b

RCUReader/Writer

reader0 writer0

writer1reader1

b’x:3 , y:4

nbobu:11, v:12

11 12

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader1

b’x:3 , y:4

nbobu:11, v:12

11 12

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b

Pb1: Racy writers.Sol: Use a standard lock.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b

rcu_write_lock {

}

Pb1: Racy writers.Sol: Use a standard lock.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b

Pb2: Dangling pointer dereference by readers.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b nbobu:11, v:12

11 12


rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b nbobu:11, v:12

11 12

b’x:3 , y:4


rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader1

b nbobu:11, v:12

11 12

b’x:3 , y:4


rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader1

b nbobu:11, v:12

11 12

b’x:3 , y:4


Dangling Pointer Dereference

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b


rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b


} sync {

Wait until no readers are accessing the old buffer.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b


} sync {


rcu_read_lock {

}

Disable context switch

Enable context switch

Wait until all CPUs context-switch.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b


} sync {


rcu_read_lock {

}

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0 writer0

writer1reader13 4

b nbobu:11, v:12

11 12

b’x:3 , y:4


} sync {

rcu_read_lock {

}


reader1

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0

writer0

writer13 4

b nbobu:11, v:12

11 12b’x:3 , y:4


} sync {

rcu_read_lock {

}


reader1

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


b

RCUReader/Writer

reader0

writer0

writer1

b nbobu:11, v:12

11 12b’x:3 , y:4


} sync {

rcu_read_lock {

}


rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


RCUReader/Writer

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


RCUReader/Writer

barrier();

1) Handles weak memory.2) Ensures that a reader never reads values from a non-initialized buffer.

rcu_read_lock {

b’ = b;

x = *b’;

y = *(b’+1);

}

.. USE x,y ..

.. PRODUCE u,v ..

nb = malloc(2);

rcu_write_lock {

*nb = u; *(nb+1) = v;

barrier();

ob = b; b = nb;

} sync {


RCUReader/Writer

• RCU constructs:

rcu_read_lock { .. },

rcu_write_lock { ... } sync { ... }, barrier

• Linux API also includes asynchronous sync and others.

Research Issues• Full specification of RCU programs.

• Program logic for RCU.

• Automatic program analysis.

• Shape analysis, termination analysis.

• Verify the implementations of RCU.

• Implementations of RCU, SRCU.

• Prove correctness considering weak memory.

• New algorithms based on RCU.

Overview of Logic

• Resource-invariant-based, thread-local reasoning.

• sync, barrier as ownership transfer operations.

• Reasoning about readers should use only those facts preserved by writers’ operations.

Proof Sketch of RCU Readers/Writers

Formulas

Hongseok Yang

Queen Mary, University of London

1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .

(R, I(i)) � {P}C{Q}(R, I(i)) �r {K}C{L} (R, I(i)) �w {K}C{L}

{emp}rcu read lock {

{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}

{nb �→ , }rcu write lock {

{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {

{ob �→ , ∗ b �→ , }free(ob); free(ob+1);

{emp ∗ b �→ , }}

{emp}


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Invariant-based, thread-local reasoning.


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

ResInv holds initially for the shared heap.


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

ResInv holds right before releasing

the lock.


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

barrier as ownership transfer from private to shared

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

sync as ownership transfer from shared to private

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

AlwaysResInv : b �→ , ∗ true


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,



Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Start with AlwaysResInv.

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,



Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Can end with any assertion.

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,



Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,



Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Not modify the shared heap.

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,



Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

Should be preserved by writers.

Not modify the shared heap.


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,

Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Formulas

Hongseok Yang


1 Formulas

P ::= E �→E | emp | P ∗ P | ¬P | P ∧ P | ∃x.P | . . .

K ::= P | P | K ∗K | ¬K | K ∧K | ∃x.K | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

1) Invariant-based, thread-local reasoning.2) barrier, sync as ownership transfer operations.3) Use only preserved facts, when verifying readers.

Judgments

Formulas

Hongseok Yang


1 Formulas

P ::= true | E �→F | emp | P ∗Q | ∃x.P | P ∧Q | . . .

K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

(R, I(a)) �rd/wr/no {K}C{L}

Judgments

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


Precise res. invariant. (E.g. b↦_,_)

Judgments

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�



Facts preserved by writers.

(E.g. a↦_,_ * true)

Judgments

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�

(R, I(a)) �rd/wr/no {K}C{L}Facts

preserved by writers. (E.g. a↦_,_ * true)

Indicates “lock” held.


Proof Rule for Lock/Sync

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


(R, I(a)) �wr {P ∗ R }C{Q� ∗ R� ∗R }

(R, I(a)) �wr {Q� ∗R� ∗ R }D{Q ∗ R }(R, I(a)) �no {P}rcu write lock C sync D{Q}

Proof Rule for Lock/SyncAllowed to

access the shared heap described by R.

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


(R, I(a)) �wr {P ∗ R }C{Q� ∗ R� ∗R }


Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


(R, I(a)) �wr {P ∗ R }C{Q� ∗ R� ∗R }


Proof Rule for Lock/Sync

sync transfers R’ from shared to private.

Proof Rule for Lock/SyncEvery op in C and D should preserve

R*true and I(a).

Formulas

Hongseok Yang


1 Formulas


K ::= P | P | K ∗ L | ∃x.K | K ∧ L | . . .



{emp ∗ b �→ , ∗ true }b� = b;

{emp ∗ b� �→ , ∗ true }x = ∗b�;

{emp ∗ b� �→ , ∗ true }y = ∗(b� + 1);

{emp ∗ b� �→ , ∗ true }}

{emp}


{nb �→ , ∗ b �→ , }∗nb = u; ∗(nb + 1) = v;

{nb �→ , ∗ b �→ , }barriernb �→ , ;

{emp ∗ nb �→ , ∗ b �→ , }ob = b; b = nb;

{emp ∗ b �→ , ∗ ob �→ , }} sync {


{emp ∗ b �→ , }}

{emp}

ResInv : b �→ ,


Pres : ∀a.�

a�→ , ∗ true � a�→ , ∗ true�


(R, I(a)) �wr {P ∗ R }C{Q� ∗ R� ∗R }


Proof Rule for Readers

(R, I(a)) �rd {P ∗ R ∗ true }C{Q ∗ R� }(R, I(a)) �no {P}rcu read lock C{Q}

2



2

Start with ResInv * true Anything



2

Every op in C can only read

the shared.

Proof Rule for barrier(R, I(a)) �rd {P ∗ R ∗ true }C{Q ∗ R� }(R, I(a)) �no {P}rcu read lock C{Q}

(R, I(a)) �wr {P ∗ Q ∗ R }barrierQ{P ∗ Q ∗ R }

2

Proof Rule for barrier(R, I(a)) �rd {P ∗ R ∗ true }C{Q ∗ R� }(R, I(a)) �no {P}rcu read lock C{Q}

(R, I(a)) �wr {P ∗ Q ∗ R }barrierQ{P ∗ Q ∗ R }

2

Transfer Q from private to shared.

Q has to be precise.

Soundness

• No weak memory yet.

• Proved by the compilation into RGSep by Vafeiadis and Parkinson.

Messages

• Sync transfers a heaplet from shared to private.

• Barrier transfers a heaplet from private to shared.

RCU Reader/Writer

while (TRUE) {

rcu_read_lock {

b’ = b;

x0 = *b’;

x1 = *(b’+1);

}

.. USE x0,x1 ..

}

while (TRUE) {

.. PRODUCE y0,y1 ..

nb = malloc(2);

rcu_write_lock {

*nb = y0; *(nb+1) = y1;

barrier();

ob = b; b = nb;

} sync {

free(ob); free(ob+1);

}}

RCU Reader/Writer

while (TRUE) {

rcu_read_lock {

b’ = b;

x0 = *b’;

x1 = *(b’+1);

}

.. USE x0,x1 ..

}

while (TRUE) {

.. PRODUCE y0,y1 ..

nb = malloc(2);

rcu_write_lock {

*nb = y0; *(nb+1) = y1;

barrier();

ob = b; b = nb;

} sync {

free(ob); free(ob+1);

}}

nb = malloc(2);

nb = ob;

Optimized

local reasoning for rcuropas.snu.ac.kr/seminar/20091222.pdf · 2010. 1. 6. · rcu_read_lock {b’...

Documents