Abstract
Multicore OCaml extends OCaml with support for shared-memory concurrency. It is equipped with a weak memory model, for which an operational semantics has been published. This begs the question: what reasoning rules can one rely upon while writing or verifying Multicore OCaml code? To answer it, we instantiate Iris, a modern descendant of Concurrent Separation Logic, for Multicore OCaml. This yields a low-level program logic whose reasoning rules expose the details of the memory model. On top of it, we build a higher-level logic, Cosmo, which trades off some expressive power in return for a simple set of reasoning rules that allow accessing nonatomic locations in a data-race-free manner, exploiting the sequentially-consistent behavior of atomic locations, and exploiting the release/acquire behavior of atomic locations. Cosmo allows both low-level reasoning, where the details of the Multicore OCaml memory model are apparent, and high-level reasoning, which is independent of this memory model. We illustrate this claim via a number of case studies: we verify several implementations of locks with respect to a classic, memory-model-independent specification. Thus, a coarse-grained application that uses locks as the sole means of synchronization can be verified in the Concurrent-Separation-Logic fragment of Cosmo, without any knowledge of the weak memory model.
Supplemental Material
- Mark Batty, Scott Owens, Susmit Sarkar, Peter Sewell, and Tjark Weber. 2011. Mathematizing C+ + concurrency. In Principles of Programming Languages (POPL). 55-66. https://www.cl.cam.ac.uk/~pes20/cpp/popl085ap-sewell.pdfGoogle Scholar
- John Bender and Jens Palsberg. 2019. A formalization of Java's concurrent access modes. Proceedings of the ACM on Programming Languages 3, OOPSLA ( 2019 ), 142 : 1-142 : 28. https://johnbender.us/assets/oopsla-2019.pdfGoogle Scholar
Digital Library
- Lars Birkedal and Aleš Bizjak. 2018. Lecture Notes on Iris: Higher-Order Concurrent Separation Logic. (Dec. 2018 ). https://iris-project. org/tutorial-pdfs/iris-lecture-notes.pdf Lectures notes.Google Scholar
- Richard Bornat, Cristiano Calcagno, Peter O'Hearn, and Matthew Parkinson. 2005. Permission accounting in separation logic. In Principles of Programming Languages (POPL). 259-270. http://www.cs.ucl.ac.uk/staf/p.ohearn/papers/permissions_paper.pdfGoogle Scholar
- John Boyland. 2003. Checking Interference with Fractional Permissions. In Static Analysis Symposium (SAS) (Lecture Notes in Computer Science, Vol. 2694 ). Springer, 55-72. http://www.cs.uwm.edu/~boyland/papers/permissions.pdfGoogle Scholar
- Alexandre Buisse, Lars Birkedal, and Kristian Støvring. 2011. A Step-Indexed Kripke Model of Separation Logic for Storable Locks. Electronic Notes in Theoretical Computer Science 276 ( Sept. 2011 ), 121-143. https://cs.au.dk/~birke/papers/locks.pdfGoogle Scholar
- Hoang-Hai Dang, Jacques-Henri Jourdan, Jan-Oliver Kaiser, and Derek Dreyer. 2020. RustBelt meets relaxed memory. Proceedings of the ACM on Programming Languages 4, POPL ( 2020 ), 34 : 1-34 : 29. https://hal.inria.fr/hal-02351793/Google Scholar
Digital Library
- Marko Doko and Viktor Vafeiadis. 2016. A Program Logic for C11 Memory Fences. In Verification, Model Checking and Abstract Interpretation (VMCAI) (Lecture Notes in Computer Science, Vol. 9583 ). Springer, 413-430. https://plv.mpisws.org/fsl/base/paper.pdfGoogle Scholar
- Marko Doko and Viktor Vafeiadis. 2017. Tackling Real-Life Relaxed Concurrency with FSL++. In European Symposium on Programming (ESOP) (Lecture Notes in Computer Science, Vol. 10201 ). Springer, 448-475. https://plv.mpi-sws.org/fsl/ARC/ paper.pdfGoogle Scholar
Cross Ref
- Stephan Dolan, Anil Madhavapeddy, and KC Sivaramakrishnan. 2018a. The Multicore OCaml development wiki. https: //github.com/ocaml-multicore/ocaml-multicore/wikiGoogle Scholar
- Stephen Dolan, K. C. Sivaramakrishnan, and Anil Madhavapeddy. 2018b. Bounding data races in space and time. In Programming Language Design and Implementation (PLDI). 242-255. http://kcsrk.info/papers/pldi18-memory.pdfGoogle Scholar
- Alexey Gotsman, Josh Berdine, Byron Cook, Noam Rinetzky, and Mooly Sagiv. 2007. Local Reasoning for Storable Locks and Threads. In Asian Symposium on Programming Languages and Systems (APLAS) (Lecture Notes in Computer Science, Vol. 4807 ). Springer, 19-37. http://dx.doi.org/10.1007/978-3-540-76637-7_3 Google Scholar
Cross Ref
- Aquinas Hobor, Andrew W. Appel, and Francesco Zappa Nardelli. 2008. Oracle Semantics for Concurrent Separation Logic. In European Symposium on Programming (ESOP) (Lecture Notes in Computer Science, Vol. 4960 ). Springer, 353-367. http://www.cs.princeton.edu/~appel/papers/concurrent.pdfGoogle Scholar
- Ralf Jung. 2019. Logical Atomicity in Iris: the Good, the Bad, and the Ugly. Iris Workshop. https://people.mpi-sws.org/ ~jung/iris/logatom-talk-2019.pdfGoogle Scholar
- Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, and Derek Dreyer. 2018a. RustBelt: securing the foundations of the Rust programming language. Proceedings of the ACM on Programming Languages 2, POPL ( 2018 ), 66 : 1-66 : 34. https://people.mpi-sws.org/~dreyer/papers/rustbelt/paper.pdfGoogle Scholar
Digital Library
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. 2018b. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming 28 ( 2018 ), e20. https://people.mpi-sws.org/~dreyer/papers/iris-ground-up/paper.pdfGoogle Scholar
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: monoids and invariants as an orthogonal basis for concurrent reasoning. In Principles of Programming Languages (POPL). 637-650. http://plv.mpi-sws.org/iris/paper.pdfGoogle Scholar
- Jan-Oliver Kaiser, Hoang-Hai Dang, Derek Dreyer, Ori Lahav, and Viktor Vafeiadis. 2017. Strong Logic for Weak Memory: Reasoning About Release-Acquire Consistency in Iris. In European Conference on Object-Oriented Programming (ECOOP). 17 : 1-17 : 29. https://people.mpi-sws.org/~dreyer/papers/iris-weak/paper.pdfGoogle Scholar
- Ori Lahav, Viktor Vafeiadis, Jeehoon Kang, Chung-Kil Hur, and Derek Dreyer. 2017. Repairing sequential consistency in C/C++11. In Programming Language Design and Implementation (PLDI ). 618-632. https://plv.mpi-sws.org/scfix/paper.pdfGoogle Scholar
- Leslie Lamport. 1979. How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs. IEEE Trans. Computers 28, 9 ( 1979 ), 690-691. https://www.microsoft.com/en-us/research/uploads/prod/2016/12/How-toMake-a-Multiprocessor-Computer-That-Correctly-Executes-Multiprocess-Programs.pdfGoogle Scholar
- Xavier Leroy, Damien Doligez, Alain Frisch, Jacques Garrigue, Didier Rémy, and Jérôme Vouillon. 2019. The OCaml system: documentation and user's manual. http://caml.inria.fr/pub/docs/manual-ocaml/Google Scholar
- Andreas Lochbihler. 2012. Java and the Java Memory Model-A Unified, Machine-Checked Formalisation. In European Symposium on Programming (ESOP) (Lecture Notes in Computer Science, Vol. 7211 ). Springer, 497-517. https://ethz.ch/content/ dam/ethz/special-interest/infk/inst-infsec/information-security-group-dam/people/andreloc/lochbihler12esop.pdfGoogle Scholar
- Jeremy Manson, William Pugh, and Sarita V. Adve. 2005. The Java memory model. In Principles of Programming Languages (POPL). 378-391. http://rsim.cs.uiuc.edu/Pubs/popl05.pdfGoogle Scholar
- Glen Mével, Jacques-Henri Jourdan, and François Pottier. 2020. Coq proofs for Cosmo. https://gitlab.inria.fr/gmevel/cosmo.Google Scholar
- Peter W. O'Hearn. 2007. Resources, Concurrency and Local Reasoning. Theoretical Computer Science 375, 1-3 (May 2007 ), 271-307. http://www.cs.ucl.ac.uk/staf/p.ohearn/papers/concurrency.pdfGoogle Scholar
Digital Library
- Peter W. O'Hearn. 2019. Separation logic. Commun. ACM 62, 2 ( 2019 ), 86-95. https://doi.org/10.1145/3211968 Google Scholar
Digital Library
- Matthew J. Parkinson, Richard Bornat, and Peter W. O'Hearn. 2007. Modular verification of a non-blocking stack. In Principles of Programming Languages (POPL). 297-302. https://doi.org/10.1145/1190216.1190261 Google Scholar
Digital Library
- Michel Raynal. 2013. Concurrent Programming: Algorithms, Principles, and Foundations. Springer. https://doi.org/10.1007/978-3-642-32027-9 Google Scholar
Cross Ref
- Filip Sieczkowski, Kasper Svendsen, Lars Birkedal, and Jean Pichon-Pharabod. 2015. A Separation Logic for Fictional Sequential Consistency. In European Symposium on Programming (ESOP) (Lecture Notes in Computer Science, Vol. 9032 ). Springer, 736-761. https://www.cl.cam.ac.uk/~jp622/ a_separation_logic_for_fictional_sequential_consistency.pdfGoogle Scholar
Cross Ref
- Aaron Turon. 2012. Reagents: expressing and composing fine-grained concurrency. In Programming Language Design and Implementation (PLDI). 157-168. https://aturon.github.io/academic/reagents.pdfGoogle Scholar
- Aaron Turon, Viktor Vafeiadis, and Derek Dreyer. 2014. GPS: navigating weak memory with ghosts, protocols, and separation. In Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA). 691-707. http://plv.mpisws.org/gps/paper.pdfGoogle Scholar
- Viktor Vafeiadis. 2017. Program Verification Under Weak Memory Consistency Using Separation Logic. In Computer Aided Verification (CAV) (Lecture Notes in Computer Science, Vol. 10426 ). Springer, 30-46. https://people.mpi-sws.org/~viktor/ papers/cav2017-invited.pdfGoogle Scholar
Cross Ref
- Viktor Vafeiadis and Chinmay Narayan. 2013. Relaxed separation logic: a program logic for C11 concurrency. In ObjectOriented Programming, Systems, Languages, and Applications (OOPSLA). 867-884. https://people.mpi-sws.org/~viktor/ papers/oopsla2013-rsl.pdfGoogle Scholar
- Andrew K. Wright and Matthias Felleisen. 1994. A Syntactic Approach to Type Soundness. Information and Computation 115, 1 (Nov. 1994 ), 38-94. http://www.cs.rice.edu/CS/PLT/Publications/Scheme/ic94-wf.ps.gzGoogle Scholar
Digital Library
Index Terms
Cosmo: a concurrent separation logic for multicore OCaml
Recommendations
Formal verification of a concurrent bounded queue in a weak memory model
We use Cosmo, a modern concurrent separation logic, to formally specify and verify an implementation of a multiple-producer multiple-consumer concurrent queue in the setting of the Multicore OCaml weak memory model. We view this result as a ...
Interactive proofs in higher-order concurrent separation logic
POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming LanguagesWhen using a proof assistant to reason in an embedded logic -- like separation logic -- one cannot benefit from the proof contexts and basic tactics of the proof assistant. This results in proofs that are at a too low level of abstraction because they ...
Iron: managing obligations in higher-order concurrent separation logic
Precise management of resources and the obligations they impose, such as the need to dispose of memory, close locks, and release file handles, is hard---especially in the presence of concurrency, when some resources are shared, and different threads ...






Comments