Owicki-Gries Reasoning for C11 Programs with Relaxed Dependencies

Wright, Daniel; Batty, Mark; Dongol, Brijesh

doi:10.1007/978-3-030-90870-6_13

Cited by 10 publications

(7 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For language models, including C11, weak memory semantics that appropriately handles load-bufering yet rules out thin-air reads has been an ongoing research topic [32,34,42,49]. In recent work, Wright et al [60] have shown that the łsequence-beforež total order (which enforces program order in RC11) can be relaxed to the łsemantic dependencyž partial order of Paviotti et al [49] in a manner that allows an Owicki-Gries logic based on thread views (c.f., [19,20]) to be obtained. Since this change only afects enabledness of actions in the transition relation, we conjecture that abstractions of this work provide a pathway towards addressing memory models that are more relaxed than RC11.…”

Section: Related Workmentioning

confidence: 99%

Unifying Operational Weak Memory Verification: An Axiomatic Approach

Doherty

Dalvandi

Dongol

et al. 2022

ACM Trans. Comput. Logic

Self Cite

View full text Add to dashboard Cite

In this paper, we propose an approach to program verification using an abstract characterisation of weak memory models. Our approach is based on a hierarchical axiom scheme that captures the observational properties of a memory model. In particular, we show that it is possible to prove correctness of a program with respect to a particular axiom scheme, and show this proof to suffice for any memory model that satisfies the axioms. Our axiom scheme is developed using a characterisation of weakest liberal preconditions for weak memory. This characterisation naturally extends to Hoare logic and Owicki-Gries reasoning by lifting weakest liberal preconditions (defined over read/write events) to the level of programs. We study three memory models (SC, TSO and RC11-RAR) as example instantiations of the axioms, then demonstrate the applicability of our reasoning technique on a number of litmus tests. The majority of the proofs in this paper are supported by mechanisation within Isabelle/HOL.

show abstract

Section: Related Workmentioning

confidence: 99%

Unifying Operational Weak Memory Verification: An Axiomatic Approach

Doherty

Dalvandi

Dongol

et al. 2022

ACM Trans. Comput. Logic

Self Cite

View full text Add to dashboard Cite

show abstract

“…It seems unfortunate to complicate the entirety of the C memory model to accommodate one architecture, when its effects can be captured in a separate memory subsystem specification (which can be ignored by developers targetting different architectures). Hence we recommend keeping the extra behaviours induced by this separate mechanism, peculiar to a single currently-in-production architecture, separately specified within the model; we point to [14,65,68] as examples of how this can be done, which fulfil similar roles to time-stamped event structures in [42] and the shared action graph of [80].…”

Section: Further Extensionsmentioning

confidence: 99%

“…A recent advance in reasoning for the C memory model is that of Wright et. al [80], but that framework appeals to a shared event graph structure, and does not consider memory fences or constraints. Very few of the formalisms surveyed have a simple way of address consume ( ) constraints (Sect.…”

Section: Related Workmentioning

confidence: 99%

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Colvin¹

2022

Preprint

View full text Add to dashboard Cite

The C/C++ memory model provides an interface and execution model for programmers of concurrent (sharedvariable) code. It provides a range of mechanisms that abstract from underlying hardware memory modelsthat govern how multicore architectures handle concurrent accesses to main memory -as well as abstracting from compiler transformations. The C standard describes the memory model in terms of cross-thread relationships between events, and has been influenced by several research works that are similarly based. In this paper we provide a thread-local definition of the fundamental principles of the C memory model, which, for concise concurrent code, serves as a basis for relatively straightforward reasoning about the effects of the C ordering mechanisms. We argue that this definition is more practical from a programming perspective and is amenable to analysis by already established techniques for concurrent code. The key aspect is that the memory model definition is separate to other considerations of a rich programming language such as C, in particular, expression evaluation and optimisations, though we show how to reason about those considerations in the presence of C concurrency. A major simplification of our framework compared to the description in the C standard and related work in the literature is separating out considerations around the "lack of multicopy atomicity", a concept that is in any case irrelevant to developers of code for x86, Arm, RISC-V or SPARC architectures. We show how the framework is convenient for reasoning about well-structured code, and for formally addressing unintuitive behaviours such as "out-of-thin-air" writes.

show abstract

“…Our interest here is the development and use of Hoare-style [17] structural proof calculi (and their extensions to concurrency by Owicki and Gries [27]) for weak memory models. Owicki-Gries-like proof calculi have been proposed by a number of researchers [10,11,22,40], and have also recently been given for nonvolatile memory [3,31]. Svendsen et al [35] have developed a separation logic for promises for the C11 memory model.…”

Section: Introductionmentioning

confidence: 99%

Formal Methods

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Modern processors such as ARMv8 and RISC-V allow executions in which independent instructions within a process may be reordered. To cope with such phenomena, so called promising semantics have been developed, which permit threads to read values that have not yet been written. Each promise is a speculative update that is later validated (fulfilled) by an actual write. Promising semantics are operational, providing a pathway for developing proof calculi. In this paper, we develop an incorrectness-style logic, resulting in a framework for reasoning about state reachability. Like incorrectness logic, our assertions are underapproximating, since the set of all valid promises are not known at the start of execution. Our logic uses event structures as assertions to compactly represent the ordering among events such as promised and fulfilled writes. We prove soundness and completeness of our proof calculus and demonstrate its applicability by proving reachability properties of standard weak memory litmus tests.

show abstract

Owicki-Gries Reasoning for C11 Programs with Relaxed Dependencies

Abstract: The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.

Cited by 10 publications

References 29 publications

Unifying Operational Weak Memory Verification: An Axiomatic Approach

Unifying Operational Weak Memory Verification: An Axiomatic Approach

Separation of concerning things: a simpler basis for defining and programming with the C/C++ memory model (extended version)

Formal Methods

Contact Info

Product

Resources

About