Skip to main content
SpringerLink
Log in

Automating deductive verification for weak-memory programs (extended version)

  • General
  • Special Issue TACAS 2018
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

Writing correct programs for weak-memory models such as the C11 memory model is challenging because of the weak consistency guarantees these models provide. The first program logics for the verification of such programs have recently been proposed, but their usage has been limited thus far to manual proofs. Automating proofs in these logics via first-order solvers is non-trivial, due to features such as higher-order assertions, modalities and rich permission resources. In this paper, we provide the first encoding of a weak-memory program logic using existing deductive verification tools. Our work enables, for the first time, the (unbounded) verification of C11 programs at the level of abstraction provided by the program logics; the only necessary user interaction is in the form of specifications written in the program logic and, in rare cases, ghost operations. We tackle three recent program logics: Relaxed Separation Logic and two forms of Fenced Separation Logic, and show how these can be encoded using the Viper verification infrastructure. In doing so, we illustrate several novel encoding techniques which could be employed for other logics. Our work is implemented, and has been evaluated on examples from existing papers as well as the Facebook open-source Folly library.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17

Similar content being viewed by others

Notes

  1. For a general introduction to these reasoning challenges and issues in defining the model itself, we refer the reader to [43].

  2. i.e. verifying all program behaviours, without bounding the number of threads, loop iterations, heap size and so on.

  3. By convention, we use math-font variables for meta/logical variables and those from source programs (e.g. in \(\textsf {Uninit}(l)\); we use corresponding code-font variables for the Viper variables corresponding to these source-level variables (e.g. in .

  4. Viper macros can be defined for assertions or statements, and are syntactically expanded (and their arguments substituted) on use.

  5. A expression yields the permission fraction held for a field or predicate instance.

  6. For historical reasons, in our artefact examples, the macro is actually called ; we renamed this subsequently due to potential confusion with the notion of the “real heap” employed in Sect. 4.2.

  7. In the RSL logics, extended CAS proof rules are also supported (e.g. in the “Appendix” of FSL\({+}{+}\) [14]) allowing the specification of a different access mode for when a CAS operation fails; we omit this for simplicity, and use the same access mode for both cases. An extension would be straightforward, but this flexibility has not yet appeared necessary for any examples.

  8. Instead of distinguishing the two cases via the value of the field, it would also be possible to introduce another field to represent \(\textsf {RMWAcq}\) assertions.

References

  1. Abdulla, P.A., Atig, M.F., Jonsson, B., Leonardsson, C.: Stateless model checking for POWER. In: CAV 2016 Proceedings Part II, pp. 134–156 (2016). https://doi.org/10.1007/978-3-319-41540-6_8

  2. Abdulla, P.A., Atig, M.F., Bouajjani, A., Ngo, T.P.: The benefits of duality in verifying concurrent programs under TSO. CoRR (2017). arXiv:1701.08682

  3. Alglave, J., Cousot, P.: Ogre and Pythia: an invariance proof method for weak consistency models. In: POPL 2017, pp. 3–18. ACM, New York, NY, USA, POPL (2017). https://doi.org/10.1145/3009837.3009883

  4. Barnett, M., Chang, B.Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: Proceedings of the 4th International Conference on Formal Methods for Components and Objects, pp. 364–387. Springer, Berlin, FMCO’05 (2006). https://doi.org/10.1007/11804192_17

  5. Bobot, F., Filliâtre, J.C., Marché, C., Paskevich, A.: Why3: shepherd your herd of provers. In: Boogie 2011: First International Workshop on Intermediate Verification Languages, Wrocław, Poland, pp. 53–64 (2011). http://proval.lri.fr/publications/boogie11final.pdf

  6. Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accounting in separation logic. In: Proceedings of POPL’05, pp. 259–270. ACM, New York, NY, USA (2005). https://doi.org/10.1145/1040305.1040327

  7. Bouajjani, A., Derevenetc, E., Meyer, R.: Checking and enforcing robustness against TSO. In: ESOP 2013, pp. 533–553. Springer, Berlin, ESOP’13 (2013). https://doi.org/10.1007/978-3-642-37036-6_29

  8. Boyland, J.: Checking Interference with Fractional Permissions, vol. 2694, pp. 55–72. Springer, Berlin (2003)

  9. Chlipala, A.: Mostly-automated verification of low-level programs in computational separation logic. In: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 234–245. ACM, New York, NY, USA, PLDI’11 (2011). https://doi.org/10.1145/1993498.1993526

  10. Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A Practical System for Verifying Concurrent C, pp. 23–42. Springer, Berlin (2009). https://doi.org/10.1007/978-3-642-03359-9_2

  11. Cuoq, P., Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C. In: SEFM, pp. 233–247. Springer, Berlin (2012). https://doi.org/10.1007/978-3-642-33826-7_16

  12. Dan, A., Meshman, Y., Vechev, M., Yahav, E.: Effective abstractions for verification under relaxed memory models. In: VMCAI 2015, pp. 449–466. Springer, Berlin (2015). https://doi.org/10.1007/978-3-662-46081-8_25

  13. Doko, M., Vafeiadis, V.: A program logic for C11 memory fences. VMCAI, Springer, Lecture Notes in Computer Science 9583, 413–430 (2016)

    Article  Google Scholar 

  14. Doko, M., Vafeiadis, V.: Tackling real-life relaxed concurrency with FSL++. In: ESOP 2017, pp. 448–475. Springer, Berlin (2017)

  15. Facebook Folly: Reader–writer spinlock implementation (2018). https://github.com/facebook/folly/blob/master/folly/RWSpinLock.h

  16. Heule, S., Leino, K.R.M., Müller, P., Summers, A.J.: Abstract read permissions: fractional permissions without the fractions. VMCAI, Springer, Lecture Notes in Computer Science 7737, 315–334 (2013)

    Article  MathSciNet  Google Scholar 

  17. Jacobs, B.: Verifying TSO programs. CW Reports CW660, Department of Computer Science, KU Leuven, (2014). https://lirias.kuleuven.be/handle/123456789/452373

  18. Jacobs, B., Smans, J., Piessens, F.: A quick tour of the VeriFast program verifier. APLAS, Springer, LNCS 6461, 304–311 (2010)

    Google Scholar 

  19. Kaiser, J.O., Dang, H.H., Dreyer, D., Lahav, O., Vafeiadis, V.: Strong logic for weak memory: reasoning about release-acquire consistency in Iris. In: ECOOP 2017, Schloss Dagstuhl–Leibniz, LIPIcs, vol. 74, pp. 17:1–17:29, (2017). https://doi.org/10.4230/LIPIcs.ECOOP.2017.17, http://drops.dagstuhl.de/opus/volltexte/2017/7275

  20. Kokologiannakis, M., Lahav, O., Sagonas, K., Vafeiadis, V.: Effective stateless model checking for C/C++ concurrency. In: PACMPL, vol. 2(POPL), pp. 17:1–17:32 (2018). https://doi.org/10.1145/3158105, https://doi.org/10.1145/3158105

  21. Krebbers, R., Jung, R., Bizjak, A., Jourdan, J.H., Dreyer, D., Birkedal, L.: The essence of higher-order concurrent separation logic. In: ESOP, pp. 696–723, Springer, New York, Inc., New York, NY, USA (2017). https://doi.org/10.1007/978-3-662-54434-1_26, https://doi.org/10.1007/978-3-662-54434-1_26

  22. Lahav, O.: Verification under causally consistent shared memory. SIGLOG News 6(2), 43–56 (2019). https://doi.org/10.1145/3326938.3326942

    Article  MathSciNet  Google Scholar 

  23. Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Proceedings of LPAR’10, pp. 348–370, Springer, Berlin (2010). http://dl.acm.org/citation.cfm?id=1939141.1939161

  24. Leino, K.R.M., Müller, P.: A basis for verifying multi-threaded programs. In: Castagna, G. (ed.) ESOP, Springer-Verlag, LNCS, vol. 5502, pp. 378–393 (2009)

  25. Müller, P., Schwerhoff, M., Summers, A.J.: Automatic verification of iterated separating conjunctions using symbolic execution. CAV, Springer-Verlag, LNCS 9779, 405–425 (2016)

    MathSciNet  Google Scholar 

  26. Müller, P., Schwerhoff, M., Summers, A.J.: Viper: a verification infrastructure for permission-based reasoning. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI, Springer-Verlag, LNCS, vol. 9583, pp. 41–62 (2016)

  27. O’Hearn, P.W., Reynolds, J.C., Yang, H.: Local reasoning about programs that alter data structures. In: Proceedings of CSL’01, pp. 1–19. Springer, London, UK (2001). http://dl.acm.org/citation.cfm?id=647851.737404

  28. Online Appendix: Viper-encoded examples (2019). http://viper.ethz.ch/onlineappendix-rsl-encoding/

  29. Parkinson, M.J., Summers, A.J.: The relationship between separation logic and implicit dynamic frames. Log. Methods Comput. Sci. 8(3:01), 1–54 (2012)

  30. Reynolds, J.C.: Definitional interpreters for higher-order programming languages. In: ACM Annual Conference—Volume 2, pp. 717–740. ACM, ACM’72 (1972)

  31. Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: LICS, IEEE Computer Society Press (2002)

  32. RSL Front-End: RSL to Viper Front-End; TACAS 2018 Artifact Version (2018). https://figshare.com/articles/RSL_to_Viper_Front_end/5900233

  33. RSL Front-End Zip Files: RSL to Viper Front-End Zip Files (updated since TACAS 2018; Windows, Linux, Mac versions available) (2019). https://www.pm.inf.ethz.ch/research/viper/prototype-rsl-encoding.html

  34. Rust Library: ARC (Atomic Reference Counting) (2019). https://doc.rust-lang.org/std/sync/struct.Arc.html

  35. Sergey, I., Nanevski, A., Banerjee, A.: Mechanized verification of fine-grained concurrent programs. In: Proceedings of PLDI’15, pp. 77–87. ACM, New York, NY, USA (2015). https://doi.org/10.1145/2737924.2737964

  36. Smans, J., Jacobs, B., Piessens, F.: Implicit dynamic frames. ACM Trans Program Lang Syst 34(1), 2:1–2:58 (2012)

  37. Summers, A.J., Drossopoulou, S.: A formal semantics for isorecursive and equirecursive state abstractions. ECOOP, Springer, LNCS 7920, 129–153 (2013)

    Google Scholar 

  38. Summers, A.J., Müller, P.: Automating deductive verification for weak-memory programs. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS, pp. 190–209. Springer, Berlin (2018)

  39. Summers, A.J., Müller, P.: Automating deductive verification for weak-memory programs (extended version) (2018)

  40. Travkin, O., Wehrheim, H.: Verification of concurrent programs on weak memory models. In: Sampaio, A., Wang, F. (eds.) Theoretical Aspects of Computing (ICTAC). Lecture Notes in Computer Science, vol. 9965, pp. 3–24. Springer, Berlin (2016)

    MATH  Google Scholar 

  41. Turon, A., Vafeiadis, V., Dreyer, D.: GPS: navigating weak memory with ghosts, protocols, and separation. In: OOPSLA, pp. 691–707. ACM (2014)

  42. Vafeiadis, V.: Personal communication (2016)

  43. Vafeiadis, V., Narayan, C.: Relaxed separation logic: a program logic for C11 concurrency. In: OOPSLA, pp. 867–884. ACM (2013)

  44. Xu, F., Fu, M., Feng, X., Zhang, X., Zhang, H., Li, Z.: A practical verification framework for preemptive OS kernels. In: CAV Proceedings Part II, Springer International Publishing, Cham, pp. 59–79 (2016). https://doi.org/10.1007/978-3-319-41540-6_4

Download references

Acknowledgements

We are grateful to Viktor Vafeiadis and Marko Doko for many explanations of the RSL logics and helpful discussions about our encoding. We thank Christiane Goltz for her work on the prototype tool, and Malte Schwerhoff for implementing additional features. We thank Marco Eilers for his assistance with the online appendix, and Arshavir Ter-Gabrielyan for automating our artefact assembly for various operating systems. We also thank Andrei Dan, Lucas Brutschy, Malte Schwerhoff and the anonymous TACAS 2018 and STTT Special Issue reviewers for feedback on earlier versions of this work.

Author information

Authors and Affiliations

  1. Department of Computer Science, ETH Zurich, Universitätstrasse 6, 8092, Zurich, Switzerland

    Alexander J. Summers & Peter Müller

Authors
  1. Alexander J. Summers
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Peter Müller
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Peter Müller.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Summers, A.J., Müller, P. Automating deductive verification for weak-memory programs (extended version). Int J Softw Tools Technol Transfer 22, 709–728 (2020). https://doi.org/10.1007/s10009-020-00559-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-020-00559-y

Keywords

Search

Navigation