Abstract
Early in the development of Hoare logic, Owicki and Gries introduced auxiliary variables as a way of encoding information about the history of a program’s execution that is useful for verifying its correctness. Over a decade later, Abadi and Lamport observed that it is sometimes also necessary to know in advance what a program will do in the future. To address this need, they proposed prophecy variables, originally as a proof technique for refinement mappings between state machines. However, despite the fact that prophecy variables are a clearly useful reasoning mechanism, there is (surprisingly) almost no work that attempts to integrate them into Hoare logic. In this paper, we present the first account of prophecy variables in a Hoare-style program logic that is flexible enough to verify logical atomicity (a relative of linearizability) for classic examples from the concurrency literature like RDCSS and the Herlihy-Wing queue. Our account is formalized in the Iris framework for separation logic in Coq. It makes essential use of ownership to encode the exclusive right to resolve a prophecy, which in turn enables us to enforce soundness of prophecies with a very simple set of proof rules.
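The abstract states that ownership encodes the exclusive right to resolve a prophecy; as an illustration added here (a sketch in the abstract's own terms, not text quoted from the paper), the rules can be read as a resource Proph(p, vs) created with an arbitrary future vs, consumed one value at a time when the program resolves it, and owned by at most one party. The names NewProph, ResolveProph and Proph are assumed for the sketch.

```latex
\begin{array}{ll}
\text{NewProph:} &
  \{\mathit{True}\}\ \mathtt{NewProph}\ \{p.\ \exists \mathit{vs}.\ \mathrm{Proph}(p,\mathit{vs})\}\\[4pt]
\text{ResolveProph:} &
  \{\mathrm{Proph}(p,\mathit{vs})\}\ \mathtt{Resolve}\ p\ \mathtt{to}\ v\ 
  \{\exists \mathit{vs}'.\ \mathit{vs} = v :: \mathit{vs}' \ast \mathrm{Proph}(p,\mathit{vs}')\}\\[4pt]
\text{Exclusive:} &
  \mathrm{Proph}(p,\mathit{vs}) \ast \mathrm{Proph}(p,\mathit{vs}') \vdash \mathit{False}
\end{array}
```

The first rule quantifies over every possible future vs, the second lets the prover learn that the actual value v was the head of that future, and the third is what makes the reasoning sound: since the resource cannot be duplicated, only its owner can resolve p, so no second thread can feed it a value that contradicts the assumed vs.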
- Martín Abadi and Leslie Lamport. 1988. The existence of refinement mappings. In Proceedings of the Third Annual Symposium on Logic in Computer Science (LICS '88), Edinburgh, Scotland, UK, July 5-8, 1988. 165–175.
- Martín Abadi and Leslie Lamport. 1991. The existence of refinement mappings. Theor. Comput. Sci. 82, 2 (May 1991), 253–284.
- John Boyland. 2003. Checking interference with fractional permissions. In SAS (LNCS), Vol. 2694. 55–72.
- Byron Cook and Eric Koskinen. 2011. Making prophecies with decision predicates. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '11). ACM, New York, NY, USA, 399–410.
- Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. 2014. TaDA: A logic for time and data abstraction. In ECOOP (LNCS), Vol. 8586. 207–231.
- Paulo Emílio de Vilhena, François Pottier, and Jacques-Henri Jourdan. 2020. Spy game: Verifying a local generic solver in Iris. PACMPL 4, POPL, Article 33 (Jan. 2020). http://gallium.inria.fr/~fpottier/publis/de-vilhena-pottier-jourdan-spygame-2020.pdf
- Germán Andrés Delbianco, Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2017. Concurrent data structures linked in time. In 31st European Conference on Object-Oriented Programming (ECOOP 2017) (Leibniz International Proceedings in Informatics (LIPIcs)), Peter Müller (Ed.), Vol. 74. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 8:1–8:30.
- Thomas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Matthew J. Parkinson, and Hongseok Yang. 2013. Views: Compositional reasoning for concurrent programs. In POPL. 287–300.
- Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2018. ReLoC: A mechanised relational logic for fine-grained concurrency. In LICS. 442–451.
- Ming Fu, Yong Li, Xinyu Feng, Zhong Shao, and Yu Zhang. 2010. Reasoning about optimistic concurrency using a program logic for history. In CONCUR (LNCS), Vol. 6269. 388–402.
- Timothy L. Harris, Keir Fraser, and Ian A. Pratt. 2002. A practical multi-word compare-and-swap operation. In DISC.
- Maurice Herlihy and Jeannette M. Wing. 1990. Linearizability: A correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst. 12, 3 (1990), 463–492.
- Bart Jacobs and Frank Piessens. 2011. Expressive modular fine-grained concurrency specification. In POPL. 271–282.
- Bart Jacobs, Jan Smans, Pieter Philippaerts, Frédéric Vogels, Willem Penninckx, and Frank Piessens. 2011. VeriFast: A powerful, sound, predictable, fast verifier for C and Java. In NASA Formal Methods.
- Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Aleš Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. Journal of Functional Programming 28, e20 (Nov. 2018), 1–73.
- Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, and Bart Jacobs. 2019. The future is ours: Prophecy variables in separation logic – Artifact.
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. In POPL. 637–650.
- Robbert Krebbers, Jacques-Henri Jourdan, Ralf Jung, Joseph Tassarotti, Jan-Oliver Kaiser, Amin Timany, Arthur Charguéraud, and Derek Dreyer. 2018. MoSeL: A general, extensible modal framework for interactive proofs in separation logic. PACMPL 2, ICFP (2018), 77:1–16:30.
- Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017. Interactive proofs in higher-order concurrent separation logic. In POPL. 205–217.
- Leslie Lamport and Stephan Merz. 2017. Auxiliary variables in TLA+. CoRR abs/1703.05121 (2017). http://arxiv.org/abs/1703.05121
- Ruy Ley-Wild and Aleksandar Nanevski. 2013. Subjective auxiliary state for coarse-grained concurrency. In POPL. 561–574.
- Hongjin Liang and Xinyu Feng. 2013. Modular verification of linearizability with non-fixed linearization points. In PLDI.
- Richard J. Lipton. 1975. Reduction: A method of proving properties of parallel programs. Commun. ACM 18, 12 (Dec. 1975).
- Peter W. O'Hearn. 2007. Resources, concurrency, and local reasoning. Theor. Comput. Sci. 375, 1 (2007), 271–307.
- Susan Owicki and David Gries. 1976. An axiomatic proof technique for parallel programs I. Acta Informatica 6, 4 (1976), 319–340.
- Willem Penninckx, Amin Timany, and Bart Jacobs. 2019. Specifying I/O using abstract nested Hoare triples in separation logic. In Proceedings of the 21st Workshop on Formal Techniques for Java-like Programs (FTfJP '19). ACM, New York, NY, USA, Article 5, 7 pages.
- John C. Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In LICS. 55–74.
- Ilya Sergey, Aleksandar Nanevski, and Anindya Banerjee. 2015. Specifying and verifying concurrent algorithms with histories and subjectivity. In ESOP. 333–358.
- Ali Sezgin, Serdar Tasiran, and Shaz Qadeer. 2010. Tressa: Claiming the future. In VSTTE.
- Aaron Turon, Jacob Thamsborg, Amal Ahmed, Lars Birkedal, and Derek Dreyer. 2013. Logical relations for fine-grained concurrency. In POPL.
- Aaron Turon, Viktor Vafeiadis, and Derek Dreyer. 2014. GPS: Navigating weak memory with ghosts, protocols, and separation. In OOPSLA. 691–707.
- Viktor Vafeiadis. 2008. Modular fine-grained concurrency verification. Ph.D. Dissertation. University of Cambridge, Computer Laboratory. https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-726.pdf
- Viktor Vafeiadis and Matthew J. Parkinson. 2007. A marriage of rely/guarantee and separation logic. In CONCUR (LNCS), Vol. 4703. 256–271.
- Zipeng Zhang, Xinyu Feng, Ming Fu, Zhong Shao, and Yong Li. 2012. A structural approach to prophecy variables. In TAMC.
The future is ours: prophecy variables in separation logic