Tackling Real-Life Relaxed Concurrency with FSL++ Marko Doko - - PowerPoint PPT Presentation

Tackling Real-Life Relaxed Concurrency with FSL++

Marko Doko Viktor Vafeiadis

Max Planck Institute for Software Systems (MPI-SWS)

ESOP 2017-04-26

Weak memory

memory models weaker than sequential consistency (SC) gives us better performance

Logics for weak memory

iCAP-TSO, OGRA, GPS, RSL, FSL

Current state of verification

simplified algorithms & toy examples

In this talk

first verification of a non-simplified real-world algorithm

1

Atomic Reference Counter (ARC)

part of the Rust standard library allows concurrent reads of a shared resource uses advanced weak memory primitives

2

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

How is ARC used?

♥❡✇✭v✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❝❧♦♥❡✭✮ ❞r♦♣✭✮ ❞r♦♣✭✮

3

• emp
• a ❂ ♥❡✇✭v✮
• ARC(a, v)
• ARC(a, v)
• y ❂ r❡❛❞✭a✮
• y = v ∧ ARC(a, v)
• ARC(a, v)
• ❝❧♦♥❡✭a✮
• ARC(a, v) ∗ ARC(a, v)
• ARC(a, v)
• ❞r♦♣✭a✮
• emp
• ♥❡✇✭✈✮④

❛ ❂ ❛❧❧♦❝✭✮❀ ❛✳❞❛t❛ ❂ ✈❀ ❛✳❝♦✉♥t ❂ ✶❀ r❡t✉r♥ ❛❀ ⑥ r❡❛❞✭❛✮④ r❡t✉r♥ ❛✳❞❛t❛❀ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞

4

• emp
• a ❂ ♥❡✇✭v✮
• ARC(a, v)
• ARC(a, v)
• y ❂ r❡❛❞✭a✮
• y = v ∧ ARC(a, v)
• ARC(a, v)
• ❝❧♦♥❡✭a✮
• ARC(a, v) ∗ ARC(a, v)
• ARC(a, v)
• ❞r♦♣✭a✮
• emp
• ♥❡✇✭✈✮④

❛ ❂ ❛❧❧♦❝✭✮❀ ❛✳❞❛t❛ ❂ ✈❀ ❛✳❝♦✉♥t ❂ ✶❀ r❡t✉r♥ ❛❀ ⑥ r❡❛❞✭❛✮④ r❡t✉r♥ ❛✳❞❛t❛❀ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞

4

• emp
• a ❂ ♥❡✇✭v✮
• ARC(a, v)
• ARC(a, v)
• y ❂ r❡❛❞✭a✮
• y = v ∧ ARC(a, v)
• ARC(a, v)
• ❝❧♦♥❡✭a✮
• ARC(a, v) ∗ ARC(a, v)
• ARC(a, v)
• ❞r♦♣✭a✮
• emp
• ♥❡✇✭✈✮④

❛ ❂ ❛❧❧♦❝✭✮❀ ❛✳❞❛t❛ ❂ ✈❀ ❛✳❝♦✉♥trlx ❂ ✶❀ r❡t✉r♥ ❛❀ ⑥ r❡❛❞✭❛✮④ r❡t✉r♥ ❛✳❞❛t❛❀ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❋❆❉❉ ❂ ❢❡t❝❤❴❛♥❞❴❛❞❞

4

FSL (Fenced Separation Logic) [VMCAI ’16]

✓ supports rel, acq, and rlx accesses ✓ supports memory fences

Too weak to verify ARC

✗ concurrent plain (non-atomic) reads

SOLUTION: partial permissions

✗ ❢❡t❝❤❴❛♥❞❴❛❞❞ instructions

SOLUTION: new rules

✗ not expressive enough

SOLUTION: ghost state

5

• ❋❆❉❉acq_rel(x, t)
• ❋❆❉❉

❋❆❉❉

6

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• ❋❆❉❉

❋❆❉❉

6

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• ❋❆❉❉

❋❆❉❉ Q: Val → Assn is invariant for x: x has value c ⇒ the invariant owns Q(c)

6

∀c. Q(c) ⇒ R ∀c. P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• ❋❆❉❉

❋❆❉❉ Q: Val → Assn is invariant for x: x has value c ⇒ the invariant owns Q(c)

Updating the value of x from c to c + t: (1) get Q(c) out of the invariant (2) put Q(c + t) back into the invariant

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• ❋❆❉❉

❋❆❉❉ Q: Val → Assn is invariant for x: x has value c ⇒ the invariant owns Q(c)

Updating the value of x from c to c + t: (1) get Q(c) out of the invariant (2) put Q(c + t) back into the invariant

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• ❋❆❉❉rel(x, t)
• ❋❆❉❉

❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• U(x, Q) ∗ P
• ❋❆❉❉rel(x, t)
• U(x, Q) ∗ ▽R
• ❋❆❉❉

❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• U(x, Q) ∗ P
• ❋❆❉❉rel(x, t)
• U(x, Q) ∗ ▽R
• ❋❆❉❉

▽P

• ❢❡♥❝❡acq
• P
• ❞r♦♣✭❛✮④

t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• U(x, Q) ∗ P
• ❋❆❉❉rel(x, t)
• U(x, Q) ∗ ▽R
• ❋❆❉❉rlx(x, t)
• ❞r♦♣✭❛✮④

t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• U(x, Q) ∗ P
• ❋❆❉❉rel(x, t)
• U(x, Q) ∗ ▽R
• ❋❆❉❉rlx(x, t)
• U(x, Q) ∗ ▽R
• ▽P
• ❢❡♥❝❡acq
• P
• ❞r♦♣✭❛✮④

t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t)

• U(x, Q) ∗ P
• ❋❆❉❉acq_rel(x, t)
• U(x, Q) ∗ R
• U(x, Q) ∗ P
• ❋❆❉❉rel(x, t)
• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P
• ❋❆❉❉rlx(x, t)
• U(x, Q) ∗ ▽R
• ▽P
• ❢❡♥❝❡acq
• P
• P
• ❢❡♥❝❡rel
• △P
• ❞r♦♣✭❛✮④

t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥ ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

6

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t? {ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t? {ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

ARC(a, v) = U(a.❝♦✉♥t, Q) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t? {ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

ARC(a, v) = U(a.❝♦✉♥t, Q) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v ∗ ???

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t? {ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)} Modalities (△ and ▽) prevent data races. Ghost state is not accessed ⇒ no races on ghosts!

⇔△ ⇔▽

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t? {ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

⇔△ ⇔▽ ARC(a, v) = U(a.❝♦✉♥t, Q) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v ∗ ???

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t?

Q(c) ⇐ ⇒ Q(c + 1) ∗

{ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

⇔△ ⇔▽ ARC(a, v) = U(a.❝♦✉♥t, Q) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v ∗ ???

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

Which invariant to choose for the counter a.❝♦✉♥t?

Q(c) ⇐ ⇒ Q(c + 1) ∗

{ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

⇔△ ⇔▽ ARC(a, v) = U(a.❝♦✉♥t, Q) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v ∗ (1 − q)

7

∀c. Q(c) ⇒ R ∗ T ∀c. T ∗ P ⇒ Q(c + t) U(x, Q) ∗ P ❋❆❉❉rel(x, t)

• U(x, Q) ∗ ▽R
• U(x, Q) ∗ △P

❋❆❉❉rlx(x, t)

• U(x, Q) ∗ ▽R
• What is ARC(a, v)?

ARC(a, v) ∗ ⇒ ARC(a, v) ∗ ARC(a, v)

Which invariant to choose for the counter a.❝♦✉♥t?

Q(c) ⇐ ⇒ Q(c + 1) ∗

{ARC(a, v)} ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥⑥ {emp} {ARC(a, v)} ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥ {ARC(a, v) ∗ ARC(a, v)}

⇔△ ⇔▽

7

Summary:

ARC: simple (but interesting) algorithm with advanced weak memory constructs FSL++ = FSL + partial permissions + rules for atomic updates (CAS, fetch & add) + ghost state ARC verification using FSL++ formalized in Coq

❤tt♣✿✴✴♣❧✈✳♠♣✐✲s✇s✳♦r❣✴❢s❧✴

Future work:

verify more examples adapt FSL++ for new memory models (e.g. promising semantics [Kang et al. POPL ’17])

8

❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ∗ Q(c + 1) ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ∗ Q(c + 1)

▽

ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ∗ Q(c + 1)

▽

ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ∗ Q(c + 1)

▽

∗ ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

ARC(a, v) Q(c) ∗ Q(c + 1)

▽

∗ ARC(a, v) ARC(a, v) ❝❧♦♥❡✭❛✮④ ❋❆❉❉rlx✭❛✳❝♦✉♥t✱ ✰✶✮❀ ⑥

Dtg

❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Dtg

ARC(a, v) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c > 1:Dtg

ARC(a, v) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c > 1:Dtg

ARC(a, v) Q(c) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c > 1:Dtg

ARC(a, v) Q(c) ∗ Q(c − 1) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ▽Q(1) ❞❛t❛ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ▽Q(1) Q(1) ❞❛t❛ ❢❡♥❝❡acq ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ▽Q(1) Q(1) ∗ ❞❛t❛ ❢❡♥❝❡acq ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ▽Q(1) Q(1) ∗ a.❞❛t❛ 1 → v ∗ · · · ❢❡♥❝❡acq ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Decrementing the counter from c = 1:Dtg

ARC(a, v) Q(1) ▽Q(1) Q(1) ∗ a.❞❛t❛ 1 → v ∗ · · · emp ❢❡♥❝❡acq ❢r❡❡✭❛✮ ❞r♦♣✭❛✮④ t ❂ ❋❆❉❉rel✭❛✳❝♦✉♥t✱ ✲✶✮❀ ✐❢✭t ❂❂ ✶✮④ ❢❡♥❝❡acq❀ ❢r❡❡✭❛✮❀ ⑥ ⑥

Q def = λc. if c = 0 then :0 ∗ :0 else ∃f ∈ [0, 1]. a.❞❛t❛

f

→ v ∗ :(c − 1 + f) ∗ :(1 − f) ARC(a, v) def = U(a✳❝♦✉♥t, Q(a.❞❛t❛)) ∗ ∃q ∈ 0, 1]. a.❞❛t❛

q

→ v ∗ (1 − q)· ∗ q· p· ∗ q·

+ ⇐

⇒ (p + q)· :p ∗ :q ⇐ ⇒ false p· ∗ :q ⇐ ⇒ :q ∗ p· ⇐ ⇒

• :(q − p)

if q − p 0

false

• therwise