Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity
ESOP 2015
Ilya Sergey, Aleks Nanevski, Anindya Banerjee
Madrid Institute for Advanced Studies (IMDEA)
Slides: software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf

A logic-based approach for Specifying and Verifying Concurrent Algorithms

An approach, which is
• Natural: captures the intuition behind realistic algorithms
• Powerful: enables compositional verification of concurrency
• Lightweight: does not require engineering a new logical framework

Key ideas
• Subjectivity
• Partial Commutative Monoids (PCMs)
• Histories
Nanevski et al. [ESOP’14]

Hoare-style program specifications
{ P } c { Q }
P is the precondition, Q the postcondition.
If the initial state satisfies P, then, after c terminates, the final state satisfies Q.

Abstract specifications for a stack
{ S = xs } push(x) { S′ = x :: xs }
{ S = xs } pop() { res = None ⋀ S = Nil ⋁ ∃x, xs′. res = Some x ⋀ xs = x :: xs′ ⋀ S′ = xs′ }
Suitable for the sequential case.
Not so good for concurrent use: useless in the presence of interference.

{ S = Nil }
y := pop();
{ y = ??? }

Now with other threads running in parallel:
{ S = Nil }
y := pop();   ||   push(1); push(2);
{ y = 1 ⋁ y = 2 ⋁ y = None }

{ S = Nil }
y := pop();   ||   push(1); push(2);   ||   push(3);
{ y = 1 ⋁ y = 2 ⋁ y = 3 ⋁ y = None }

Thread-modular spec for pop?
{ S = Nil }
y := pop();
{ y = ??? }

Idea
Capture the effect of self, abstract over the others.
(subjective specification)

Subjective stack specifications
• Hs — pushes/pops to the stack by this thread
• Ho — pushes/pops by all other threads
{ Hs = ∅ }
y := pop();
{ y = None ⋁ y = Some(v), where v ∈ Ho }
What I popped depends on what the others have pushed.
Valid only if the stack is changed only by push/pops.

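As an added example (not code from the slides or from FCSL), here is a small Python model of the stack specifications on these slides. It checks the sequential push/pop spec, enumerates the interleavings of `y := pop()` with the pushes of other threads to show why that spec says nothing useful under interference, and checks the subjective spec { Hs = ∅ } y := pop() { y = None ⋁ y = Some(v), v ∈ Ho }, including the caveat that it holds only while the stack is changed through push/pop alone. The event encoding, `interleavings` and `simulate` are this example's own assumptions.

```python
"""Added example, not code from the slides: an executable model of the
stack specifications above. It checks the sequential Hoare-style spec,
enumerates interleavings of `y := pop()` with other threads' pushes to show
why that spec is useless under interference, and checks the subjective spec
{ Hs = ∅ } y := pop() { y = None ⋁ y = Some(v), v ∈ Ho }. The event tuples,
`interleavings` and `simulate` are this example's own construction."""


def push(S, x):
    """{ S = xs } push(x) { S' = x :: xs }: lists model the abstract stack."""
    return [x] + S


def pop(S):
    """Returns (res, S'): (None, Nil) on the empty stack, else (Some x, xs')."""
    if not S:
        return None, S
    return S[0], S[1:]


def sequential_spec_holds(xs, x):
    """Check the sequential push/pop postconditions from the slides on input xs."""
    ok_push = push(list(xs), x) == [x] + list(xs)
    res, rest = pop(list(xs))
    if res is None:
        ok_pop = list(xs) == []                 # res = None ⋀ S = Nil
    else:
        ok_pop = list(xs) == [res] + rest       # xs = x :: xs' ⋀ S' = xs'
    return ok_push and ok_pop


def interleavings(threads):
    """Every interleaving of the per-thread event lists, keeping program order."""
    if all(len(t) == 0 for t in threads):
        yield []
        return
    for i, t in enumerate(threads):
        if t:
            rest = threads[:i] + [t[1:]] + threads[i + 1:]
            for tail in interleavings(rest):
                yield [t[0]] + tail


def simulate(other_threads):
    """Run `y := pop()` (this thread, Hs = ∅) against every interleaving of the
    other threads' events. Events (constructed for this example):
      ("push", v)   -- the other thread pushes v
      ("write", S)  -- the other thread overwrites the stack, bypassing push/pop
    Returns one (y, Ho) pair per interleaving, Ho being the set of values the
    other threads pushed."""
    outcomes = []
    for run in interleavings([[("pop",)]] + [list(t) for t in other_threads]):
        S, Ho, y = [], set(), None
        for ev in run:
            if ev[0] == "push":
                S = push(S, ev[1])
                Ho.add(ev[1])
            elif ev[0] == "write":
                S = list(ev[1])
            else:
                y, S = pop(S)
        outcomes.append((y, frozenset(Ho)))
    return outcomes


def possible_pop_results(other_threads):
    """All values y can take: the { y = ... ⋁ y = None } disjunction grows with
    every push another thread might perform, so no fixed sequential
    postcondition describes pop."""
    return {y for y, _ in simulate(other_threads)}


def subjective_spec_holds(other_threads):
    """The thread-modular postcondition: y = None ⋁ y = Some(v) with v ∈ Ho.
    It holds as long as the stack is changed only through push/pop."""
    return all(y is None or y in Ho for y, Ho in simulate(other_threads))


PUSHES_12 = [("push", 1), ("push", 2)]   # constructed: one other thread
PUSH_3 = [("push", 3)]                    # constructed: a second other thread

if __name__ == "__main__":
    print(sequential_spec_holds([2, 3], 1))                   # True
    print(possible_pop_results([PUSHES_12]))                  # {None, 1, 2}
    print(possible_pop_results([PUSHES_12, PUSH_3]))          # {None, 1, 2, 3}
    print(subjective_spec_holds([PUSHES_12, PUSH_3]))         # True
    print(subjective_spec_holds([[("write", [42])]]))         # False: raw write
```

The result set of `possible_pop_results` changes every time another pusher is added, which is exactly why no sequential postcondition for pop survives interference, whereas `subjective_spec_holds` stays true for any number of pushing threads and only fails once a thread bypasses push/pop with a raw write, the case the "valid only if" caveat above excludes.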
{ P } y := pop(); { Q }
C ⊢ { P } y := pop(); { Q }
C specifies the expected thread interference.

Concurrent Resources
Shared state
Auxiliary state
Owicki, Gries [CACM’77]

Subjective Concurrent Resources
Shared state
Auxiliary state, controlled by this thread
Auxiliary state, controlled by others
Ley-Wild, Nanevski [POPL’13]

Subjective Concurrent Resources
Changes (transitions) allowed to myself (Guarantee)
Transitions allowed to the others (Rely)
What I have = what I can do and what I have done.
Jones [TOPLAS’83]

Concurrent Resources = State Transition Systems with Subjective Auxiliary State (Concurroids)
Nanevski, Ley-Wild, Sergey, Delbianco [ESOP’14]

Specifications with concurroids
• Self — state controlled by me
• Other — state controlled by all other threads
• Joint — modified by everyone, as allowed by transitions
C = [ Self | Other | Joint ]
C ⊢ { P } c { Q }, also written { P } c { Q } @ C
C defines the resources touched by c, their transitions and invariants.
P and Q specify the self/other/joint parts.

FCSL: Fine-grained Concurrent Separation Logic
Nanevski, Ley-Wild, Sergey, Delbianco [ESOP’14]
• Logic for reasoning with concurroids
• Emphasis on subjective specifications

Key ideas
• Subjectivity — reasoning with self and other
• PCMs
• Histories

Partial Commutative Monoids (S, ⊕, 0)
• A set S of elements
• Join (⊕): commutative, associative, partial
• Unit element 0: ∀e ∈ S, e ⊕ 0 = 0 ⊕ e = e

Parallel composition
parent = child1 || child2
• commutative
• associative
• unit — idle thread
• partial

Logical state split
parent: { s1 ⊕ s2 }  (self = s1 ⊕ s2, other = s3)
child1: { s1 }  (state that belongs to child1; other = s2 ⊕ s3)
child2: { s2 }  (state that belongs to child2; other = s1 ⊕ s3)
child1 ends with { z1 } (other = z2 ⊕ z3); child2 ends with { z2 } (other = z1 ⊕ z3)
parent′: { z1 ⊕ z2 }  (new state that belongs to parent′; other = z3)

Key ideas
• Subjectivity — reasoning with self and other
• PCMs — uniform way to logically split state
• Histories

Familiar PCM: finite heaps
• Heaps are partial finite maps nat → Val
• Join operation ⊕ is disjoint union
• Unit element 0 is the empty heap ∅
![Page 85: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/85.jpg)
Concurroid for thread-local state
• hs — heap, logically owned by this thread
• ho — heap, owned by others
(pictured as hs | ho, with the empty heap ∅ as the joint part)
Concurrent Separation Logic, O’Hearn [CONCUR’04]
![Page 89: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/89.jpg)
*x := 5 || *y := 7
{ hs = x ↦ - ⊕ y ↦ - ⋀ ho = h }
{ hs = x ↦ - ⋀ ho = y ↦ ? ⊕ h }     ||     { hs = y ↦ - ⋀ ho = x ↦ ? ⊕ h }
{ hs = x ↦ 5 ⋀ ho = y ↦ ? ⊕ h }     ||     { hs = y ↦ 7 ⋀ ho = x ↦ ? ⊕ h }
{ hs = x ↦ 5 ⊕ y ↦ 7 ⋀ ho = h }
hs and ho are disjoint by resource definition, so neither child's write can touch the cell the other child owns.
![Page 96: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/96.jpg)
Key ideas
• Subjectivity — reasoning with self and other
• PCMs — uniform way to logically split state
• Histories
Sergey et al. [ESOP’15]
![Page 99: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/99.jpg)
Atomic stack specifications
{ S = xs } push(x) { S′ = x :: xs }
Each atomic change is recorded at a “timestamp”: tk ↦ (xs, x :: xs)
A run of the stack is a sequence of such timestamped changes:
tk → tk+1 → tk+2 → tk+3 → tk+4 → … → tk+n
Changes by this thread vs. changes by other threads
Hs, Ho — self/other contributions to the resource history
![Page 108: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/108.jpg)
Histories are like heaps!
• Histories are partial finite maps nat → AbsOp
• Join operation ⊕ is disjoint union
• Unit element 0 is the empty history ∅
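The heap PCM of the earlier slides and the history PCM here have the same shape: a finite partial map whose join is disjoint union and whose unit is the empty map. The Python below is an added example, not code from the slides or from the FCSL Coq development. It models that PCM once, instantiates it as a heap (nat → Val) and as a history (nat → AbsOp), and replays the `*x := 5 || *y := 7` derivation from the Concurrent Separation Logic slides as a split of the parent's self-heap between two subjective (self/other) views that are rejoined afterwards. The names `FiniteMapPCM`, `SubjectiveView`, `split`, and the constructed other-heap `h = {z: 0}` are assumptions of the example.

```python
from typing import Dict, Hashable, Iterable, Optional, Tuple


class FiniteMapPCM:
    """Finite partial maps with disjoint union as ⊕ and the empty map as unit.

    Heaps (nat -> Val) and histories (nat -> AbsOp) are both instances of this PCM;
    only the key and value types differ, so the same split/join rules apply to both.
    """

    def __init__(self, entries: Optional[Dict[Hashable, object]] = None) -> None:
        self.entries: Dict[Hashable, object] = dict(entries or {})

    @classmethod
    def unit(cls) -> "FiniteMapPCM":
        return cls()

    def join_defined(self, other: "FiniteMapPCM") -> bool:
        """⊕ is partial: it is defined only when the two domains are disjoint."""
        return not (self.entries.keys() & other.entries.keys())

    def join(self, other: "FiniteMapPCM") -> "FiniteMapPCM":
        if not self.join_defined(other):
            overlap = sorted(self.entries.keys() & other.entries.keys(), key=str)
            raise ValueError(f"join undefined: domains overlap on {overlap}")
        return FiniteMapPCM({**self.entries, **other.entries})

    def is_sub(self, other: "FiniteMapPCM") -> bool:
        """H ⊆ H': every entry of H occurs in H' with the same value."""
        return all(k in other.entries and other.entries[k] == v for k, v in self.entries.items())

    def __eq__(self, other: object) -> bool:
        return isinstance(other, FiniteMapPCM) and self.entries == other.entries


def split(s: FiniteMapPCM, keys: Iterable[Hashable]) -> Tuple[FiniteMapPCM, FiniteMapPCM]:
    """Logical state split s = s1 ⊕ s2, where s1 carries exactly the given keys."""
    keys = set(keys)
    s1 = FiniteMapPCM({k: v for k, v in s.entries.items() if k in keys})
    s2 = FiniteMapPCM({k: v for k, v in s.entries.items() if k not in keys})
    return s1, s2


class SubjectiveView:
    """One thread's view of a resource: its own part (self) and everyone else's (other).

    The two parts are kept disjoint, so self ⊕ other is always defined."""

    def __init__(self, self_part: FiniteMapPCM, other_part: FiniteMapPCM) -> None:
        self_part.join(other_part)                 # raises if self and other are not disjoint
        self.self_part, self.other_part = self_part, other_part

    def owns(self, key: Hashable) -> bool:
        return key in self.self_part.entries

    def write(self, key: Hashable, value: object) -> None:
        # A thread may only update cells in its self-heap; the other-heap is opaque to it.
        if not self.owns(key):
            raise PermissionError(f"{key!r} is in the other-heap, not this thread's self-heap")
        self.self_part = FiniteMapPCM({**self.self_part.entries, key: value})


def parallel_write_example() -> Dict[Hashable, object]:
    """The CSL derivation from the slides: { hs = x ↦ - ⊕ y ↦ - ∧ ho = h } *x := 5 || *y := 7."""
    h = FiniteMapPCM({"z": 0})                        # h: heap owned by other threads (constructed)
    hs = FiniteMapPCM({"x": None, "y": None})         # x ↦ -, y ↦ -   (uninitialised cells)
    s1, s2 = split(hs, {"x"})                         # the parent's self-heap, split for the children
    child1 = SubjectiveView(s1, s2.join(h))           # hs = x ↦ -, ho = y ↦ ? ⊕ h
    child2 = SubjectiveView(s2, s1.join(h))           # hs = y ↦ -, ho = x ↦ ? ⊕ h
    child1.write("x", 5)                              # hs = x ↦ 5
    child2.write("y", 7)                              # hs = y ↦ 7
    parent = child1.self_part.join(child2.self_part)  # z1 ⊕ z2 goes back to the parent
    return parent.entries                             # {'x': 5, 'y': 7}, and ho = h again
```

`join` deliberately raises instead of silently overwriting: an overlapping domain is exactly the situation the PCM rules out, and for histories it would mean two threads claiming the same timestamp. `is_sub` is the `H ⊆ Ho` side condition used by the stack specifications later in the deck.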
![Page 112: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/112.jpg)
Specifying stacks with histories
Cstack = Hs | joint | Ho (a concurroid with self and other history parts and an implementation-specific joint part)
• Hs, Ho = { tk ↦ (xs, x::xs), tn ↦ (x::xs, xs), … }
• Joint part is specific for each implementation
• Adjacent history entries agree on overlapping abstract states
![Page 116: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/116.jpg)
Stack specification
{ Hs = ∅ ⋀ H ⊆ Ho }
push(x)
{ ∃t, xs. Hs = t ↦ (xs, x::xs) ⋀ H ⊆ Ho ⋀ H < t }@Cstack
• self-contribution is a single entry
• t allocated during the call (H < t: every timestamp in H is earlier than t)

{ Hs = ∅ ⋀ H ⊆ Ho }
pop()
{ res. if (res = Some x) then ∃t, xs. H ⊆ Ho ⋀ H < t ⋀ Hs = t ↦ (x::xs, xs)
       else ∃t. H ⊆ Ho ⋀ H ≤ t ⋀ Hs = ∅ ⋀ t ↦ (_, Nil) ⊆ Ho }@Cstack
• pop has hit Nil during its execution at the moment t
no self-contributions initially?
![Page 122: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/122.jpg)
Framing in FCSL
{ … } my_program { … }
The frame is joined onto the thread's self-part, in the precondition and in the postcondition alike.
Works for any PCM, not just heaps!
![Page 128: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/128.jpg)
Framing histories
{ Hs = ∅ ⋀ H ⊆ Ho }
push(x)
{ ∃t, xs. H ⊆ Ho ⋀ H < t ⋀ Hs = t ↦ (xs, x::xs) }@Cstack
framed with a self-contribution H1 (so the history seen is H = H1 ⊕ H2):
{ Hs = H1 ⋀ H2 ⊆ Ho }
push(x)
{ ∃t, xs. H2 ⊆ Ho ⋀ H1 ⊕ H2 < t ⋀ Hs = H1 ⊕ t ↦ (xs, x::xs) }@Cstack
• initial self-contribution: H1
• final self-contribution: H1 ⊕ t ↦ (xs, x::xs)
![Page 132: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/132.jpg)
Key ideas
• Subjectivity — reasoning with self and other
• PCMs — uniform way to logically split state
• Histories — logical updates via auxiliary state
![Page 134: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/134.jpg)
How useful are histories for clients?
![Page 135: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/135.jpg)
A stack client program
• Two threads: producer and consumer
• Ap — an n-element producer array
• Ac — an n-element consumer array
• A shared concurrent stack S is used as a buffer
• The goal: prove the exchange correct
![Page 136: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/136.jpg)
Auxiliary predicates
• Pushed H E iff E is the multiset of elements pushed in H
• Popped H E iff E is the multiset of elements popped in H
![Page 137: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/137.jpg)
letrec produce(i : nat) =
  { if (i == n) then return;
    else { S.push(Ap[i]); produce(i+1); } }
{ Ap ↦ L ⋀ Pushed Hs L[< i] ⋀ Popped Hs ∅ }
produce(i)
{ Ap ↦ L ⋀ Pushed Hs L[< n] ⋀ Popped Hs ∅ }
![Page 140: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/140.jpg)
letrec consume(i : nat) =
  { if (i == n) then return;
    else { t ← S.pop();
           if t == Some v then { Ac[i] := v; consume(i+1); }
           else consume(i); } }
{ ∃L. Ac ↦ L ⋀ Pushed Hs ∅ ⋀ Popped Hs L[< i] }
consume(i)
{ ∃L. Ac ↦ L ⋀ Pushed Hs ∅ ⋀ Popped Hs L[< n] }
![Page 143: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/143.jpg)
produce(0) || consume(0), verified under hide:
hide Cstack(hS) in
  { Ap ↦ L ⊕ Ac ↦ L′ ⊕ hS }
  { Ap ↦ L ⋀ Pushed Hs ∅ ⋀ Popped Hs ∅ }      ||   { Ac ↦ L′ ⋀ Pushed Hs ∅ ⋀ Popped Hs ∅ }
  produce(0)                                     ||   consume(0)
  { Ap ↦ L ⋀ Pushed Hs L[< n] ⋀ Popped Hs ∅ }   ||   { Ac ↦ L′′ ⋀ Pushed Hs ∅ ⋀ Popped Hs L′′[< n] }
  { Ap ↦ L ⊕ Ac ↦ L′′ ⊕ hS′ ⋀ L =set L′′ }
No other threads can interfere on S: hide installs the stack concurroid Cstack over the heap hS only for the scope of this parallel block.
These are the only changes in the stack’s history: the producer's and the consumer's self-histories together make up the whole history, so joining the two postconditions (everything pushed is L[< n], everything popped is L′′[< n], and adjacent entries agree, so every pop returns an element that was pushed) yields L =set L′′.
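To make the stack specification and this client derivation concrete, here is an added Python example; it is not code from the slides or from the FCSL Coq development. It builds a stack instrumented to log every atomic change as a timestamped entry in the calling thread's own history, defines `Pushed`/`Popped` as multisets over a history, checks the push/pop postconditions from the stack specification after every call, and runs a seeded interleaving of `produce(0) || consume(0)` to confirm the `L =set L′′` conclusion. It also runs the same exchange with a third thread pushing onto S, which is exactly what `hide Cstack(hS)` rules out: the per-call specs still hold, but the stack's history then contains a change made by neither thread, so the step "these are the only changes in the stack's history" no longer goes through. The class and function names, the global clock that allocates timestamps, and the initial entry `0 ↦ (Nil, Nil)` are assumptions of the example, not part of the slides.

```python
import random
from collections import Counter
from typing import Dict, List, Tuple

AbsState = Tuple                    # abstract stack contents, head first; () is Nil
AbsOp = Tuple[AbsState, AbsState]   # (state before, state after) of one atomic change
History = Dict[int, AbsOp]          # timestamp -> AbsOp: a finite map, like a heap


class HistoryStack:
    """A stack that logs every atomic change, per thread, as t ↦ (xs, xs')."""

    def __init__(self) -> None:
        self.xs: AbsState = ()
        self.clock = 0
        # Assumption (not on the slides): the history starts with 0 ↦ (Nil, Nil), owned
        # by no thread, so a pop on a never-used stack has the witness the spec asks for.
        self.hs: Dict[str, History] = {"<init>": {0: ((), ())}}

    def history(self) -> History:
        """Join of all per-thread histories; disjoint because the clock is global."""
        return {t: op for h in self.hs.values() for t, op in h.items()}

    def _record(self, tid: str, before: AbsState) -> None:
        self.clock += 1
        self.hs.setdefault(tid, {})[self.clock] = (before, self.xs)

    def push(self, tid: str, x) -> None:
        before, self.xs = self.xs, (x,) + self.xs
        self._record(tid, before)

    def pop(self, tid: str):
        if not self.xs:
            return None                 # hit Nil: no self-contribution at all
        before, self.xs = self.xs, self.xs[1:]
        self._record(tid, before)
        return before[0]


def adjacent_entries_agree(h: History) -> bool:
    """Adjacent history entries agree on the overlapping abstract state."""
    ts = sorted(h)
    return all(h[a][1] == h[b][0] for a, b in zip(ts, ts[1:]))


def pushed(h: History) -> Counter:
    """Multiset of elements pushed in h: entries of shape (xs, x::xs)."""
    return Counter(a[0] for b, a in h.values() if len(a) == len(b) + 1)


def popped(h: History) -> Counter:
    """Multiset of elements popped in h: entries of shape (x::xs, xs)."""
    return Counter(b[0] for b, a in h.values() if len(b) == len(a) + 1)


def check_call(op: str, x, res, H: History, new_self: History) -> bool:
    """Postcondition of push/pop from the stack specification. H is the history the
    caller saw before the call, new_self the entries the call added to its own history."""
    if op == "push" or res is not None:        # Hs = t ↦ (xs, x::xs)  /  t ↦ (x::xs, xs)
        if len(new_self) != 1:
            return False
        [(t, (before, after))] = new_self.items()
        shape_ok = after == (x,) + before if op == "push" else before == (res,) + after
        return shape_ok and all(u < t for u in H)        # H < t: t was allocated by the call
    # empty pop: Hs unchanged, and some t ↦ (_, Nil) with H ≤ t in the history seen
    return not new_self and any(t >= max(H) and a == () for t, (_, a) in H.items())


def run_exchange(ap: List, seed: int, intruder: bool = False) -> dict:
    """produce(0) || consume(0) under a seeded scheduler, checking each call against the spec."""
    rng, stack, n, ac, i, ok = random.Random(seed), HistoryStack(), len(ap), [], 0, True
    if intruder:                                # a third thread that hide Cstack(hS) rules out
        stack.push("x", "junk")
    while i < n or len(ac) < n:
        tid = rng.choice((["p"] if i < n else []) + (["c"] if len(ac) < n else []))
        H, seen = stack.history(), set(stack.hs.get(tid, {}))
        if tid == "p":                          # produce: S.push(Ap[i]); i := i + 1
            op, x, res = "push", ap[i], None
            stack.push("p", x)
            i += 1
        else:                                   # consume: t <- S.pop(); Ac[i] := v on Some v
            op, x, res = "pop", None, stack.pop("c")
            if res is not None:
                ac.append(res)
        new_self = {t: e for t, e in stack.hs.get(tid, {}).items() if t not in seen}
        ok = ok and check_call(op, x, res, H, new_self) and adjacent_entries_agree(stack.history())
    own = {0} | set(stack.hs.get("p", {})) | set(stack.hs.get("c", {}))
    return {
        "specs_ok": ok,
        "only_these_threads": set(stack.history()) == own,   # "the only changes in the history"
        "consumed": ac,                                       # L''; compare with ap as multisets
        "producer_popped": sum(popped(stack.hs.get("p", {})).values()),
        "consumer_pushed": sum(pushed(stack.hs.get("c", {})).values()),
    }
```

`run_exchange(["a", "b", "c", "a"], seed=7)` reports `specs_ok` and `only_these_threads` as true and a consumed list that equals the input as a multiset; with `intruder=True` the per-call checks still pass, but `only_these_threads` is false, which is the premise the `hide` block supplies and the derivation of `L =set L′′` depends on.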
![Page 153: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/153.jpg)
More use for histories (see the paper)
• Verifying atomic snapshots
• Instantiating higher-order concurrent structures
• Deriving sequential specifications via hiding
![Page 163: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/163.jpg)
To take away
• Histories as auxiliary state: an expressive abstraction for concurrent specs
• Histories are a PCM: they are subject to the same rules as heaps
• Historical reasoning requires subjectivity: history-based specs often talk about the effect of other threads
Thanks!
software.imdea.org/fcsl
![Page 165: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/165.jpg)
Q&A slides
![Page 166: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/166.jpg)
(Diagram: lineage of concurrency logics, listed here chronologically) Owicki-Gries (1976), Rely-Guarantee (1983), CSL (2004), Bornat-al (2005), SAGL (2007), RGSep (2007), Gotsman-al (2007), Deny-Guarantee (2009), LRG (2009), CAP (2010), HLRG (2010), Jacobs-Piessens (2011), RGSim (2012), Liang-Feng (2013), SCSL (2013), HOCAP (2013), CaReSL (2013), iCAP (2014), FCSL (2014), TaDA (2014), Iris (2015), CoLoSL (2015)
![Page 167: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/167.jpg)
How is your stuff different from other existing concurrent logics?
• [Owicki-Gries:CACM76] - reasoning about parallel composition is not compositional; subjectivity fixes that;
• [OHearn:CONCUR04] - only one type of resource, critical sections; FCSL allows one to define arbitrary resources;
• [Feng-al:ESOP07, Vafeiadis-Parkinson:CONCUR07] - framing over Rely/Guarantee, but only one shared resource; FCSL allows multiple ones;
• [Feng:POPL09] - introduced local Rely/Guarantee; FCSL improves on it by introducing subjective state and explicitly identifying resources as STSs;
• [DinsdaleYoung-al:ECOOP10] - first introduced concurrent protocols; FCSL generalises permissions: the self-state defines what a thread is allowed to do with a resource;
• [DinsdaleYoung-al:POPL13] - general framework for concurrency logics; FCSL is a particular logic, and it is not clear whether it is an instance of Views;
• [Turon-al:ICFP13] - CaReSL and reasoning about contextual refinement; FCSL doesn't address CR, and in our experience it is never required for Hoare-style reasoning;
• [Svendsen-al:ESOP13,ESOP14] - use a much richer semantic domain; FCSL uses transitions and communication instead of view-shifts for changes in state and composition of resources;
• [Raad-al:ESOP15] - different notion of subjectivity, no self/other dichotomy, no observation made about PCMs.
FCSL’s assertions work explicitly with state variables.
![Page 168: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/168.jpg)
How is your stuff different from Iris? (Jung-al [POPL'15])
• Iris makes the same observations as FCSL did in 2014 (PCMs, invariants);
• Iris doesn't have hiding or the self/other dichotomy;
• It considers more primitive "building blocks" and encodes protocols as STSs + interpretation;
• This encoding is the default in FCSL, and so far it suffices;
• Currently, FCSL doesn't support abstract atomicity in the Iris/iCAP sense (however, it can recover most of it through the choice of PCMs).
![Page 169: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/169.jpg)
![Page 174: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/174.jpg)
Encoding verification in FCSL

Program Definition my_prog: STSep (p, q) :=
  Do c.

• Program c's weakest pre- and strongest postconditions (p*, q*) wrt. safety are inferred from the types of the basic commands (ret, par, bind);
• Do encodes the application of the rule of consequence (p*, q*) ⊑ (p, q);
• The client constructs the proof of (p*, q*) ⊑ (p, q) interactively;
• The obligations are reduced via structural lemmas (inference rules).

Do is notation for: do (_ : (p*, q*) ⊑ (p, q)) c
![Page 175: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/175.jpg)
| Program | Libs | Conc | Acts | Stab | Main | Total | Build |
|---|---|---|---|---|---|---|---|
| CAS-lock | 63 | 291 | 509 | 358 | 27 | 1248 | 1m 1s |
| Ticketed lock | 58 | 310 | 706 | 457 | 116 | 1647 | 2m 46s |
| Increment | 26 | - | - | - | 44 | 70 | 8s |
| Allocator | 82 | - | - | - | 192 | 274 | 14s |
| Pair snapshot | 167 | 233 | 107 | 80 | 51 | 638 | 4m 7s |
| Treiber stack | 56 | 323 | 313 | 133 | 155 | 980 | 2m 41s |
| Spanning tree | 348 | 215 | 162 | 217 | 305 | 1247 | 1m 11s |
| Flat combiner | 92 | 442 | 672 | 538 | 281 | 2025 | 10m 55s |
| Seq. stack | 65 | - | - | - | 125 | 190 | 1m 21s |
| FC-stack | 50 | - | - | - | 114 | 164 | 44s |
| Prod/Cons | 365 | - | - | - | 243 | 608 | 2m 43s |

Table 1: Statistics for implemented programs: lines of code for program-specific libraries (Libs), definitions of concurroids and decorations (Conc), actions (Acts), stability lemmas (Stab), spec and proof sizes of the main functions (Main), total LOC count (Total), and build times (Build).
Figure 5: Dependencies between concurrent libraries (diagram; nodes: CAS-lock, Ticketed lock, Abstract lock, CG incrementor, CG allocator, Flat combiner, FC stack, Treiber stack, Sequential stack, Producer/Consumer).
given specs via a PCM of time-stamped action histories in the spirit of linearizability [Herlihy and Wing 1990], as well as several client programs: a sequential stack (obtained from Treiber stack via hiding), FC-based stack, and a Treiber stack-based concurrent Producer/Consumer.
Table 1 presents some statistics wrt. implemented programs in terms of LOCs and build times. The program suite was compiled on a 2.7 GHz Intel Core i7 OS X machine with 8 GB RAM, using Coq 8.4pl4 and Ssreflect 1.4. We didn't rely on any advanced proof automation in the proof scripts, which would probably decrease line counts at the expense of increased compilation times. Notably, for those programs that required implementing new primitive concurroids (e.g., locks or Treiber stack), a large fraction of an implementation is due to proofs of properties of transitions and actions, as well as stability-related lemmas, while the sizes of proofs of the main programs' specs are always relatively small.
Our development is inherently compositional, as illustrated by the dependency diagram in Figure 5. For example, both lock implementations are instances of the abstract lock interface, which is used to implement and verify the allocator, which is then employed by a Treiber stack, used as a basis for sequential stack and producer/consumer implementations. In principle, we could implement an abstract interface for stacks, too, to unify the Treiber stack and the FC-stack, although we didn't carry out this exercise.
Table 2 (column headings were typeset vertically; recovered as): Program | Priv | CLock | TLock | ReadPair | Treiber | SpanTree | FlatCombine
Rows, with ✓ = concurroid used and ✓L = used through the abstract lock interface (the check-mark glyph came through the extraction as "3", and the column position of each mark was lost, so marks are listed in column order only):
CAS-lock: ✓ ✓
Ticketed lock: ✓ ✓
CG increment: ✓ ✓L ✓L
CG allocator: ✓ ✓L ✓L
Pair snapshot: ✓
Treiber stack: ✓ ✓L ✓L ✓
Spanning tree: ✓ ✓
Flat combiner: ✓ ✓L ✓L ✓
Seq. stack: ✓ ✓L ✓L ✓
FC-stack: ✓ ✓L ✓L ✓
Prod/Cons: ✓ ✓L ✓L ✓
Table 2: Primitive concurroids (in column headings) employed by different programs. Two lock concurroids, for CAS-based and ticketed locks, are interchangeable, as they implement the same abstract interface (indicated by ✓L).
As hinted by Table 1, not every concurrent program requires implementing a new primitive concurroid: typically this is done only for libraries, so library clients can reason from the specifications. Table 2 shows that the reuse of concurroids is quite high, and most of the programs make consistent use of the concurroid for thread-local state and locks (abstracted through the corresponding interface), as well as of those required by the used libraries (e.g., Treiber or FC).
7. Related and future work
Using the Coq proof assistant as a uniform platform for implementation of logic-based program verification tools is a well-established approach, which by now has been successfully employed in a number of projects on certified compilers [Leroy 2006; Appel et al. 2014] and verified low-level code [Shao 2010; Chlipala 2011; Jensen et al. 2013], although with no specific focus on abstractions for fine-grained concurrency, such as protocols and auxiliary state.
Related program logics. The FCSL logic has been designed as a generalization of the classical Concurrent Separation Logic by O'Hearn [2007], combining the ideas of local concurrent protocols with arbitrary interference [Jones 1983; Feng 2009] and compositional auxiliary state [Ley-Wild and Nanevski 2013] with the possibility to compose protocols. Other concurrency logics, close to FCSL in their expressive power, are iCAP [Svendsen and Birkedal 2014], CoLoSL [Raad et al. 2014], and CaReSL [Turon et al. 2013].
iCAP leverages the idea, originated by Jacobs and Piessens [2011], of parametrizing specs for fine-grained concurrent data types by client-provided auxiliary code, which can be seen as a "callback". A form of composition of concurrent resources can be encoded in iCAP using fractional permissions [Bornat et al. 2005] and view-shifts [Dinsdale-Young et al. 2013]. Since iCAP doesn't have an explicit subjective dichotomy of the auxiliary state, encoding thread-specific contributions in it is less direct compared to FCSL.
Implementation and evaluation
![Page 176: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/176.jpg)
Proof of push specification
![Page 177: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/177.jpg)
Proof of push specification

```coq
Next Obligation.
apply: gh=>i [h hS][B][v] X C.
case: C (C) X=>_ [_][xa][->{i}][_][xp][xt][->] Cp Ct Ca C [P S H].
rewrite (getC Cp C) !(getC Ct C) /= in P S H.
rewrite -!joinA joinCA in C *.
apply: step; apply: val_extend=>//; apply: (gh_ex h); apply: val_do=>//.
move=>p' {xt S H C Ct Ca} xt [t][K] S H _ Ct s C M.
case: {M} (menvs_coh M) (M) C=>_ [_][xp1][xa1][->{s}] Cp1 Ca M C.
case/(menvs_split (injLE _ (erefl _)) Cp Cp1): M=>/= M _.
have {M P} P : pv_self xp1 = p :-> v \+ hS by rewrite -(menvs_loc M).
rewrite -joinCA in C *.
apply: step; apply: val_extend=>//.
apply: (gh_ex hS); apply: val_do; first by exists B, v.
case=>{xp xp1 xa C Cp Cp1 Ca P} xp P Cp s /= C M.
case: {M} (menvs_coh M) (M) C=>_ [_][xt1][xa][->{s}] Ct1 Ca M C.
case/(menvs_split (injLA _ (erefl _)) Ct Ct1): M=>/= {xa1} M _.
have {S} S : tb_self xt1 = Unit by rewrite -(menvs_loc M).
have {xt Ct M H} H : [h <<= tb_other xt1] by apply: hist_trans H (hist_other M).
rewrite joinA in C *.
apply: step; apply: val_extend; first by apply/(star_coh_prec C).
apply: (gh_ex h); apply: (gh_ex hS); apply: val_do.
- by move=>C'; rewrite (getC Cp C') !(getC Ct1 C').
move=>b s X Y; case: Y (Y) X=>_ [xp1][xt][->{s}] {Cp} Cp1 Ct Y X.
move=>xa1 /= {C} C M; case: (menvs_coh M)=>_ {M xa Ca} Ca1.
rewrite (getC Cp1 Y) !(getC Ct Y) in X.
case: b X; last first.
- case=>{P S H} P S H.
  apply: (gh_ex h); apply: (gh_ex hS); apply: val_do=>//.
  move=>{C} C; exists (prod A ptr), (e, p').
  by rewrite (getC Cp1 C) !(getC Ct C).
case=>{xp xt1 Ct1 P K S H} t' [ls][P K S H].
apply: val_ret=>//= m M; rewrite -(menvs_loc M).
rewrite (getC Cp1 C) (getC Ct C).
exists t', ls; split=>//.
case: {M} (menvs_coh M) (M)=>_ /= X'.
case: X' (X')=>_ [s][xa][->{m}] Y'; case: Y' (Y')=>_ [xp][xt1][->].
move=>Cp Ct1 Y' {Ca1} Ca {C} C.
case/(menvs_split (injLE _ (erefl _)) Y Y').
case/(menvs_split (injLE _ (erefl _)) Cp1 Cp)=> _ M _.
by rewrite (getC Ct1 C); apply: hist_trans H (hist_other M).

apply: gh=>i [h hS] X C.
case: C (C) X =>_ [_][xa][->][_][xp][xt][->] Cp Ct Ca C /= [P Ps H].
rewrite !(getC Ct C) !(getC Cp C) /= in P Ps H.
rewrite joinAC /V /= starAC in C *.
apply: step; apply: val_extend; first by apply/(star_coh_prec C).
apply: (gh_ex (pv_self xp)); apply: val_do.
- by move=>Cpa; rewrite (getC Cp Cpa).
move=>x m [B][v] Y X {Cp Ca C}.
case: X (X) Y=>_ [xp1][xa1][->{m}] /= Cp Ca X S xt1 C M.
rewrite {X} (getC Cp X) in S.
case: (menvs_coh M)=>_ /= {Ct} Ct.
have {P} P : tb_self xt1 = Unit by rewrite -(menvs_loc M).
have {H M} H : [h <<= tb_other xt1] by apply: hist_trans H (hist_o M).
apply: (gh_ex h); apply: (gh_ex (pv_self xp)).
apply: val_do=>[_|]; first by exists B, v; rewrite !(getC Ct C).
case=>m [t][ls][P2 S2 H2 K2]; exists t, ls; rewrite P2; split=>//.
Qed.
```
(Slides 178 and 179 overlay the same script with labels marking the proof steps: seq, fun_call, return, and proving stability.)
![Page 180: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/180.jpg)
Why do you need the explicit other? Other logics don't have it!
• Other makes it possible to state open-world assumptions in a straightforward way (e.g., in push);
• It allows us to use hiding for uniformly cancelling the interference;
• Some algorithms are given more natural specs via other-contributions (e.g., stack’s pop and atomic snapshots).
![Page 181: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/181.jpg)
![Page 183: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/183.jpg)
Connect ownership-transferring transitions with right polarity
(Diagram: the acq and rel transitions of the composed resources are wired together as matching acq/rel channels.)
• Some channels might be left loose
• Some channels might be shut down
• Same channels might be connected several times
Composing concurrent resources
![Page 184: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/184.jpg)
![Page 186: Specifying and Verifying Concurrent Algorithms Histories ...software.imdea.org/fcsl/slides/2015-ESOP-Histories.pdf · { S = xs } pop() Not so good for concurrent use: useless in the](https://reader034.vdocuments.us/reader034/viewer/2022050407/5f844ff1504d9f4c6001a48a/html5/thumbnails/186.jpg)
Can you extract the verified program from your Coq implementation and run it?
Not yet.
• Imperative programs are composed and verified (i.e., type-checked) by means of Coq;
• They cannot be run by means of Gallina's operational semantics;
• The reason is the need to reason about concurrent computations and potentially diverging programs;
• Extraction will require operational proofs about arbitrary atomic actions.