FSL: A Program Logic for C11 Memory Fences Marko Doko Viktor - - PowerPoint PPT Presentation

FSL: A Program Logic for C11 Memory Fences

Marko Doko Viktor Vafeiadis

Max Planck Institute for Software Systems (MPI-SWS)

VMCAI 2016

Why C11?

Oddities of weak memory

① ❂ ✵❀ ② ❂ ✵❀ ① ❂ ✶❀ ② ❂ ✶❀ ♣r✐♥t ②❀ ♣r✐♥t ①❀

W(①,0) W(②,0) W(①,1) R(②,0) W(②,1) R(①,0)

1

Why C11?

Oddities of weak memory

① ❂ ✵❀ ② ❂ ✵❀ ① ❂ ✶❀ ② ❂ ✶❀ ♣r✐♥t ②❀ ♣r✐♥t ①❀

Both threads can print 0! W(①,0) W(②,0) W(①,1) R(②,0) W(②,1) R(①,0)

2

Why C11?

Oddities of weak memory

① ❂ ✵❀ ② ❂ ✵❀ ① ❂ ✶❀ ② ❂ ✶❀ ♣r✐♥t ②❀ ♣r✐♥t ①❀

Both threads can print 0! W(①,0) W(②,0) W(①,1) R(②,0) W(②,1) R(①,0)

3

Why C11?

Oddities of weak memory

① ❂ ✵❀ ② ❂ ✵❀ ① ❂ ✶❀ ② ❂ ✶❀ ♣r✐♥t ②❀ ♣r✐♥t ①❀

Both threads can print 0! W(①,0) W(②,0) W(①,1) R(②,0) W(②,1) R(①,0) sb sb sb sb sb

sb – sequenced-before

4

Why C11?

Oddities of weak memory

① ❂ ✵❀ ② ❂ ✵❀ ① ❂ ✶❀ ② ❂ ✶❀ ♣r✐♥t ②❀ ♣r✐♥t ①❀

Both threads can print 0! W(①,0) W(②,0) W(①,1) R(②,0) W(②,1) R(①,0) sb sb sb sb sb rf rf

sb – sequenced-before rf – reads-from

5

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

6

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

7

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race 8

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

9

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race 10

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

11

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

rf 12

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ❢❡♥❝❡ ❀ ❢❡♥❝❡ ❀ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

rf sync 13

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

rf sync

4

14

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

rf sync

4

rf 15

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

1

race

2

race

3

rf sync

4

rf sync 16

C11 model through examples

✐♥t ❛ ❂ ✵❀ ✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭① ❂❂ ✶✮④ ① ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥ ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

Why use fences? Release and acquire constructs are expensive!

17

The synchronizes-with relation

Wrel Racq rf sync Wrel Facq R rf sb+ sync Frel Racq W rf sb+ sync Frel Facq W R rf sb+ sb+ sync

18

The synchronizes-with relation

Wrel Racq rf sync RSL, GPS, OGRA Wrel Facq R rf sb+ sync Frel Racq W rf sb+ sync Frel Facq W R rf sb+ sb+ sync

RSL Relaxed Separation Logic (V. Vafeiadis, C. Narayan; OOPSLA ’13) GPS Ghosts, Protocols, and Separation (A. Turon, V. Vafeiadis, D. Dreyer; OOPSLA ’14) OGRA Owicki-Gries for Release-Acquire (O. Lahav, V. Vafeiadis; ICALP ’15)

19

The synchronizes-with relation

Wrel Racq rf sync RSL , GPS, OGRA Wrel Facq R rf sb+ sync Frel Racq W rf sb+ sync Frel Facq W R rf sb+ sb+ sync

RSL Relaxed Separation Logic (V. Vafeiadis, C. Narayan; OOPSLA ’13) GPS Ghosts, Protocols, and Separation (A. Turon, V. Vafeiadis, D. Dreyer; OOPSLA ’14) OGRA Owicki-Gries for Release-Acquire (O. Lahav, V. Vafeiadis; ICALP ’15)

20

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

Wrel Racq rf sync

21

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

{true} ✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

22

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

{true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

23

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

• Q(v)
• ❛t♦♠✐❝❴✐♥t ① ❂ v
• Rel(x, Q) ∗ Acq(x, Q)
• 24

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

25

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

26

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} ⑥

• Rel(x, Q) ∗ Q(v)
• ①rel ❂ v
• Rel(x, Q)
• 27

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} ⑥

28

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} {&a → 42} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} ⑥

• Acq(x, Q)
• t ❂ ①acq
• Q(t)
• 29

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} {&a → 42} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥

30

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} {&a → 42} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥ {true}

31

Relaxed Separation Logic (RSL)

• V. Vafeiadis, C. Narayan (OOPSLA 2013)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①acq ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} {&a → 42} ①rel ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥ {true}

• no data races
• memory safety
• no reads of uninitialized locations

32

Fenced Separation Logic (FSL)

✐♥t ❛ ❂ ✵❀ ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ ⑥

Frel Facq W R rf sb+ sb+ sync

33

Fenced Separation Logic (FSL)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ {&a → 42} ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥ {true}

Frel Facq W R rf sb+ sb+ sync ??? ???

34

Fenced Separation Logic (FSL)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ {△(&a → 42) ∗ Rel(x, Q)} {&a → 42} ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥ {true}

• P
• ❢❡♥❝❡rel
• △P
• Rel(x, Q) ∗ △Q(v)
• ①rlx ❂ v
• Rel(x, Q)
• ???

35

Fenced Separation Logic (FSL)

Q

def

= λv. (v = 0 ∨ &a → 42) {true} ✐♥t ❛ ❂ ✵❀ {&a → 0} ❛t♦♠✐❝❴✐♥t ① ❂ ✵❀ {&a → 0 ∗ Rel(x, Q) ∗ Acq(x, Q)} {&a → 0 ∗ Rel(x, Q)} {Acq(x, Q)} ❛ ❂ ✹✷❀ ✐❢✭①rlx ❂❂ ✶✮④ {&a → 42 ∗ Rel(x, Q)} {▽(&a → 42)} ❢❡♥❝❡rel❀ ❢❡♥❝❡acq❀ {△(&a → 42) ∗ Rel(x, Q)} {&a → 42} ①rlx ❂ ✶❀ ♣r✐♥t✭❛✮❀ {Rel(x, Q)} {true} {true} ⑥ {true}

• Acq(x, Q)
• t ❂ ①rlx

▽Q(t)

• ▽P
• ❢❡♥❝❡acq
• P
• 36

Wrel Racq rf sync RSL, GPS, OGRA, FSL Wrel Facq R rf sb+ sync FSL Frel Racq W rf sb+ sync FSL Frel Facq W R rf sb+ sb+ sync FSL

37

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

38

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

39

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

40

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

sb sb

41

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

sb sb Annotate heaps on sb and rf edges in the execution graph.

42

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

sb sb

h | = P

Annotate heaps on sb and rf edges in the execution graph.

43

The semantics of triples

Without a notion of state, what is the meaning of

• P
• c
• Q
• ?

Execution

• f c

sb sb

h | = P h′ | = Q

Annotate heaps on sb and rf edges in the execution graph.

44

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

45

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

46

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

47

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

48

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

49

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

△(&a → 42) ∗ Rel(x, Q)

50

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

△(&a → 42) ∗ Rel(x, Q) Rel(x, Q)

51

Local validity

a very simplified example

{△(&a → 42) ∗ Rel(x, Q)} ①rlx ❂ ✶ {Rel(x, Q)}

Wrlx(①, 1)

△(&a → 42) ∗ Rel(x, Q) Rel(x, Q) ▽(&a → 42)

52

Independent heap compatibility

Definition (Independent edges) A set of edges T in an execution graph is pairwise independent if for all (a, a′), (b, b′) ∈ T , we have ¬(sb ∪ rf)∗(a′, b).

a a′ b b′ h1 h2 (sb ∪ rf)∗ = ⇒ h1 ⊕ h2 is defined

Lemma (Independent heap compatibility) For every validly annotated execution, and pairwise independent set of edges T , heaps annotated on edges in T are combinable.

53

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+

54

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) (sb ∪ sync)+

55

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) (sb ∪ sync)+

56

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) (sb ∪ rf)∗ (sb ∪ sync)+

57

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − (sb ∪ sync)+

58

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − ℓ → − (sb ∪ sync)+

59

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − ℓ → − (sb ∪ sync)+

60

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − ℓ → − (sb ∪ sync)+

61

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − (sb ∪ rf)∗ (sb ∪ sync)+

62

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − (sb ∪ rf)∗ (sb ∪ sync)+ sb sb (sb ∪ rf)∗

63

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − (sb ∪ rf)∗ (sb ∪ sync)+ sb

• sb
• (sb ∪ rf)∗

{◦, △, ▽}

64

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). ℓ → − access(ℓ) ℓ → − access(ℓ) ℓ → − (sb ∪ rf)∗ (sb ∪ sync)+ (sb ∪ sync)+ sb

• sb
• (sb ∪ rf)∗

{◦, △, ▽}

(sb ∪ sync)+

65

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• 66

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• 67

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• △

68

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel

69

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

70

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R

71

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R sb

▽

72

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R sb

▽

sb

• Facq

73

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R sb

▽

sb

• Facq

Frel Facq W R rf sb+ sb+ sync

74

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R sb

▽

sb

• Facq

sync Frel Facq W R rf sb+ sb+ sync

75

Data race freedom

Theorem In a validly annotated execution, any two non-atomic accesses to the same location are ordered by (sb ∪ sync)+ (i.e. they are not racing). (sb ∪ sync)+ sb

• sb
• sb
• sb

△

Frel sb

△

rf

▽

W R sb

▽

sb

• Facq

sync (sb ∪ sync)+ Frel Facq W R rf sb+ sb+ sync

76

Summary and future work

Summary: FSL is the first logic that supports C11-style memory fences. FSL ensures

data race freedom, memory safety, and all reads read from initialized locations.

Soundness proof is formalized in Coq:

❤tt♣✿✴✴♣❧✈✳♠♣✐✲s✇s✳♦r❣✴❢s❧✴

Future work: Support for CAS instructions and fractional permissions. Verify real-world algorithms (such as Rust’s Arc).

77

Why the two modalities?

Q def = λv. if v = 0 then emp else a → 42

• a → 0 ∗ Rel(x, Q)
• ❛ ❂ ✹✷❀
• a → 42 ∗ Rel(x, Q)
• ❢❡♥❝❡rel❀
• ♦a → 42 ∗ Rel(x, Q)
• ①rlx ❂ ✶❀
• true
• Acq(x, Q)
• ✇❤✐❧❡✭①rlx ❂❂ ✵✮❀
• ♦a → 42
• ②rlx ❂ ✶❀
• true
• Acq(y, Q)
• ✇❤✐❧❡✭②rlx ❂❂ ✵✮❀
• ♦a → 42
• ❢❡♥❝❡acq❀
• a → 42
• ♣r✐♥t✭❛✮❀
• a → 42
• Wna(a, 42)

Frel Wrlx(x, 1) Rrlx(x, 1) Wrlx(y, 1) Rrlx(y, 1) Facq Rna(a, ?)

race

Some important properties of FSL assertions

Release permissions are duplicable:

Rel(ℓ, Q) ⇐ ⇒ Rel(ℓ, Q) ∗ Rel(ℓ, Q)

Acquire permissions are splittable:

Acq(ℓ, Q1) ∗ Acq(ℓ, Q2) ⇐ ⇒ Acq(ℓ, λv. Q1(v) ∗ Q2(v))

Modalities (△ and ▽) distribute over disjunction, conjunction, and separating conjunction:

△(P ∧ Q) ⇐ ⇒ △P ∧ △Q ▽(P ∧ Q) ⇐ ⇒ ▽P ∧ ▽Q △(P ∨ Q) ⇐ ⇒ △P ∨ △Q ▽(P ∨ Q) ⇐ ⇒ ▽P ∨ ▽Q △(P ∗ Q) ⇐ ⇒ △P ∗ △Q ▽(P ∗ Q) ⇐ ⇒ ▽P ∗ ▽Q