Mechanized Verification of Fine-grained Concurrent Programs User manual and code commentary

specification of a lock. What is a suitable abstract specification for a locking structure? To answer this question, we adopt the idea of specifying concurrent data structures via abstract predicates [1] and provide a lock interface in the form of two abstract procedures: lock and unlock. Every data structure, implementing the lock protocol, will require to provide the implementation of these procedures. The lock interface is parametrized by two abstract predicates, constraining some part of the state: is_lock and locked. The former denotes the fact that the part of state implements belongs to the locking protocol, while the latter one identifies that the lock is currently being locked by the current thread. Both predicates should satisfy a number of axioms, which are packaged into a dependent record in the section LockStruct (where the predicates are referred to as locked_op and is_lock_op). For instance, the following axiom expresses the lock’s mutual exclusion property: forall s gl ge, locked_op gl ge s -> locked_op ge gl (transp s)-> False Specifically, it states that the situation when lock is held by the current thread (locked_op gl ge s) and it is simultaneously held by some other thread, which is expressed via a transposition of a concurroid’s state s (locked_op ge gl (transp s)), implies the falsehood. The other property implies that if the state represents a locked lock, it also corresponds to a resource, which belongs to the lock protocol: forall s gl ge, locked_op gl ge s -> is_lock_op gl ge s These two predicates serve as parameters to specifications lock_spec and unlock_spec, which are supposed to be fulfilled by the locking and unlocking procedures, correspondingly. Let us consider the specification for locking, defined as follows: Definition lock_spec is_lock locked : spec unit := (* precondition predicate *) (fun i => exists (hl he : heap) (gl ge: U) i’, i = hp ->> [hl, tt, he] \+ i’ /\ is_lock gl ge i’, (* postcondition predicate *) fun i y m => forall hl he (gl ge: U) i’, i = hp ->> [hl, tt, he] \+ i’ -> is_lock gl ge i’ -> exists h ge’ he’ m’, [/\ m = hp ->> [hl \+ h, tt, he’] \+ m’, locked gl ge’ m’, valid (gl \+ ge’) & I (gl \+ ge’) h]).