1. Concurrent Separation Logic

2. How to prove the correctness of concurrent programs?
Difficult because of the interleaving and state sharing.
Sometimes the programs could be too smart such that they are very difficult to understand.

3. How to prove the correctness of concurrent programs
One philosophy (due to Tony Hoare):
Disallow the smart (but error-prone) programs; Concurrent programming should follow some idioms or disciplines.
Most of the time each process uses its own private data. In the rare cases that they need to communicate, access the shared data exclusively in critical regions.
await (B) do C
with r when B do C
Mutex or locks (which we will use here)

4. The language x := e | [e] := e' | x := [e] | cons(e)
| dispose(e) | C; C | C || C | …
A new construct:
l.acq() | l.rel()

5. Operational Semantics
Program state: (s, h, L)
where L  locks  {0, 1}
L(l) = 1
(l.acq(), (s, h, L))  (skip, (s, h, L{l  0}) )
(l.rel(), (s, h, L))  (skip, (s, h, L{l  1}) )

6. How to control interference?
Basic idea:
Each thread has private memory (resource)
The private resource can be arbitrarily used
Private resources of different threads are disjoint
Shared resources are protected by locks
Shared resources are disjoint with local resources
Can only be used when the lock is acquired (i.e. in critical regions)
Different locks protect different resources

7. Basic Memory Model Shared (accessible only in critical regions)
Private
Private

8. Basic Memory Model

9. Basic Memory Model

10. Basic Memory Model

11. Basic Memory Model
When the resource is acquired/released, it must be well-formed. The well-formedness is resource invariant.

12. Concurrent Separation Logic (CSL)
Lock-based critical regions (CR):
l.acq(); …
l.rel()
Invariants about memory protected by locks:
 = {l1  r1, …, ln  rn}
r1, …, rn disjoint l1 ln
r1 
 rn

13. CSL – Formalization Key ideas:
Threads can only access disjoint resources at the same time.
p  q p q
Transfer is logical: no memory copying
┝ {p1} C1 {q1}
┝ {p2} C2 {q2}
┝ {p1  p2} C1 || C2 {q1  q2}

14. CSL – Parallel Compositionln
p  q p q
r1 
 rn 
┝ {p1} C1 {q1} 
┝ {p2} C2 {q2} 
┝ {p1  p2} C1 || C2 {q1  q2}
Transfer is logical: no memory copying
I()  p1  p2
I()  q1  q2
We’ll define I() later.

15. CSL - Locks Lock acquire: Lock release:  ┝ {p} l.acq() {p  (l)}
Note: do not support reentrant locks
Lock release: 
┝ {p  (l)} l.rel() {p}
Compare the rules with cons and dispose

16. Examples (l) = full  c _, _   full  emp Put (x): l.acq();
while( full ){
l.rel(); }
c := x;
full := true;
Get (y):
l.acq();
while( !full ){
l.rel(); }
y := c;
full := false;
(l) = full  c _, _   full  emp

17. Examples (l) = full  c _, _   full  emp Put (x): l.acq();
while( full ){
l.rel(); }
(l) = full  c _, _   full  emp
{x _, _ }
{x _, _  (l)   full }
{x _, _ }
c := x;
full := true;
l.rel();
{x _, _  (l) }
{c _, _ }
{x _, _ }
{full  c _, _ }
{x _, _  (l) }
{(l) }
{emp }
{x _, _  (l)   full }

18. Examples (l) = full  c _, _   full  emp get (y): l.acq();
while( !full ){
l.rel(); }
(l) = full  c _, _   full  emp
{emp}
{ (l)  full }
{c _, _ }
y := c;
full := false;
l.rel();
{ (l) }
{y _, _ }
{ emp }
{y _, _  (full  emp) }
{(l) }
{y _, _  (l)}
{y _, _ }
{(l)  full }

19. Examples {x _, _ } put (x) {emp } {emp} get (y) {y _, _ } {emp}
x := cons(a, b);
put(x);
get(y);
use(y);
dispose(y);
{x _, _ }
{y _, _ }
{y _, _ }
{emp }
{emp}
{emp  emp}

20. Examples (2) (l) = list(f) alloc (x, a, b): l.acq(); if( f == null ){
l.rel();
x := cons (a, b); } else {
x := f;
f := [x+1];
[x] := a;
[x+1] := b; }
free (y):
l.acq();
[y+1] := f;
f := y;
l.rel();
(l) = list(f)

21. Examples (2)

22. Requirement on Resource Invariant
┝ {p1} C1 {q1} 
┝ {p2} C2 {q2} 
┝ {p1  p2} C1 || C2 {q1  q2} l1 ln
r1 
 rn
Transfer is logical: no memory copying
Resource invariants need to be precise, i.e.
 l  dom(). precise( (l) )

23. Requirement on Resource Invariant
one  10  _
(l) = true 
┝ {true} skip {true}
┝ {(emp  one)  true} skip {emp  true} 
┝ {(emp  one)} l.acq; skip; l.rel(); {emp} 
C  l.acq; skip; l.rel();
┝ {(emp  one)} C {emp} 
┝ {(emp  one)} C {emp} 
┝ {emp} C {emp} 
┝ {one} C {emp} 
┝ {emp  one} C {emp  one} 
┝ {one} C {one} 

24. Requirement on Resource Invariant
(l) = true 
┝ {one} C {one} 
┝ {one} C {emp} 
┝ {one} C {one  emp} 
┝ {one} C {false}
The problem: (l) is not precise.
Recall that p  r  q  r  (p  q )  r does not hold unless r is precise.

25. Soundness l1 ln I(, L, l) = L(l) = 0  emp  L(l) = 0  (l) r1 
 rn
I(, L) = ldom() . I(, L, l)
We define Safek(, (s, h, L), C, q) inductively.

26. Soundness Safe0(, (s, h, L), C, q) always holds
Safek+1(, (s, h, L), C, q) holds if there exist hs and hp such that
(1) h = hs |+| hp; (2) (s, hs) |= I(, L)
(3) for all s’, hs’, L’, and h’, if (s’, hs’) |= I(, L’), and h = hs’ |+| hp, then Safek(, (s’, h’, L’), C, q)
(4) if C = skip, then (s, hp) |= q  true
(5) for all s’, h’, L’, if (C, (s, h, L))  (C’, (s’, h’, L’)), then
Safek(, (s’, h’, L’), C’, q)

27. Soundness l1 ln I(, L, l) = L(l) = 0  emp  L(l) = 0  (l) r1 
 rn
I(, L) = ldom() . I(, L, l)
We define Safek(, (s, h, L), C, q) inductively.
Safe(, (s, h, L), C, q) iff k. Safek(, (s, h, L), C, q)
[ ┝ { p } C { q } ]
s, h, L. if (s, h) |= I(, L)  p  true, then Safe(, (s, h, L), C, q)

28. Reading
Peter W. O'Hearn: Resources, Concurrency and Local Reasoning. CONCUR 2004: 49-67
Peter W. O'Hearn: Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375(1-3): (2007)
Viktor Vafeiadis. Concurrent separation logic and operational semantics. In MFPS ENTCS 276, pp Elsevier (Sep. 2011)