Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Mover Logic: A Concurrent Program Logic for Reduction and Rely-Guarantee Reasoning (Extended Version)

Cormac Flanagan, Stephen N. Freund

TL;DR

Mover logic extends rely-guarantee reasoning by introducing atomic function specifications and reduction-based verification. It uses yield annotations to demarcate interference points and Lipton-style reduction to treat reducible blocks as atomic, enabling reusable, non-entangled postconditions for libraries and clients. The framework provides formal rules for atomic/non-atomic functions, defines mover specifications, and proves soundness via instrumented semantics and a reduction theorem. This approach aims to simplify and generalize verification of sophisticated concurrent code and to serve as a foundation for future reduction-based verifiers. It demonstrates modularity through concrete examples like spin locks and lock-free data structures and positions mover logic as a unifying theory for reduction-based concurrent verification tools.

Abstract

Rely-guarantee (RG) logic uses thread interference specifications (relies and guarantees) to reason about the correctness of multithreaded software. Unfortunately, RG logic requires each function postcondition to be "stabilized" or specialized to the behavior of other threads, making it difficult to write function specifications that are reusable at multiple call sites. This paper presents mover logic, which extends RG logic to address this problem via the notion of atomic functions. Atomic functions behave as if they execute serially without interference from concurrent threads, and so they can be assigned more general and reusable specifications that avoid the stabilization requirement of RG logic. Several practical verifiers (Calvin-R, QED, CIVL, Armada, Anchor, etc.) have demonstrated the modularity benefits of atomic function specifications. However, the complexity of these systems and their correctness proofs makes it challenging to understand and extend these systems. Mover logic formalizes the central ideas of reduction in a declarative program logic that provides a foundation for future work in this area.

Mover Logic: A Concurrent Program Logic for Reduction and Rely-Guarantee Reasoning (Extended Version)

TL;DR

Mover logic extends rely-guarantee reasoning by introducing atomic function specifications and reduction-based verification. It uses yield annotations to demarcate interference points and Lipton-style reduction to treat reducible blocks as atomic, enabling reusable, non-entangled postconditions for libraries and clients. The framework provides formal rules for atomic/non-atomic functions, defines mover specifications, and proves soundness via instrumented semantics and a reduction theorem. This approach aims to simplify and generalize verification of sophisticated concurrent code and to serve as a foundation for future reduction-based verifiers. It demonstrates modularity through concrete examples like spin locks and lock-free data structures and positions mover logic as a unifying theory for reduction-based concurrent verification tools.

Abstract

Rely-guarantee (RG) logic uses thread interference specifications (relies and guarantees) to reason about the correctness of multithreaded software. Unfortunately, RG logic requires each function postcondition to be "stabilized" or specialized to the behavior of other threads, making it difficult to write function specifications that are reusable at multiple call sites. This paper presents mover logic, which extends RG logic to address this problem via the notion of atomic functions. Atomic functions behave as if they execute serially without interference from concurrent threads, and so they can be assigned more general and reusable specifications that avoid the stabilization requirement of RG logic. Several practical verifiers (Calvin-R, QED, CIVL, Armada, Anchor, etc.) have demonstrated the modularity benefits of atomic function specifications. However, the complexity of these systems and their correctness proofs makes it challenging to understand and extend these systems. Mover logic formalizes the central ideas of reduction in a declarative program logic that provides a foundation for future work in this area.
Paper Structure (36 sections, 16 theorems, 38 equations, 10 figures)

This paper contains 36 sections, 16 theorems, 38 equations, 10 figures.

Table of Contents

  1. Introduction
  2. Limitations of Rely-Guarantee Logic
  3. Disentangling RG Specifications: First Attempt
  4. Disentangling RG Specifications: Second Attempt
  5. Broken Invariants and Bidirectional Entanglement
  6. Review of Lipton's Theory of Reduction
  7. Overview of Mover Logic
  8. Additional Examples
  9. Spin Lock
  10. Lock-Free Queue
  11. Lock-Free Stack
  12. Mover Logic Language
  13. Mover Logic Effects and Specifications
  14. Effects
  15. Mover Specifications
  16. ...and 21 more sections

Key Result

Theorem 2

If $\vdash \Sigma$ then $\Sigma$ does not go wrong.

Figures (10)

  • Figure 1: Our idealized running example is an add(n) library function that atomically increases shared variable x by n. (Left) A rely-guarantee specification. The client's data invariant even(x) becomes entangled in the library specification. (Right) A second client that cannot be verified because the specification is insufficiently general.
  • Figure 2: (Left) An attempt to disentangle the library specification from the client that does not meet RG stability requirements. (Right) Another attempt that meets stability requirements but fails to verify the client.
  • Figure 3: A second version of the counter library with a temporarily broken $\texttt{even(x)}$ invariant. (Left) Under RG logic, the library specification is entangled with the client's even(x) invariant and the client specification is entangled with the library's synchronization discipline. (Right) Under mover logic, the specifications are cleanly disentangled.
  • Figure 4: Reduction applied to an execution trace of add() from Figure \ref{['fig:set']}.
  • Figure 5: (Left) A new implementation of the counter library using a user-defined spin lock. (Top Right) A single-element lock-free queue. (Bottom Right) A lock-free stack.
  • ...and 5 more figures

Theorems & Definitions (17)

  • Definition 1: Validity
  • Theorem 2: Soundness
  • Theorem 3: Simulation
  • Theorem 4: Reduction
  • Theorem 5: Preservation
  • Theorem 6: Verified States Are Not Wrong
  • Lemma 7: Right Commutativity
  • Lemma 8: Left Commutativity
  • Lemma 9: Post-Commit Termination
  • Lemma 10: Diamond
  • ...and 7 more