Owicki-Gries Reasoning for Weak Memory Models
Abstract
We show that even in the absence of auxiliary variables, the well-known Owicki-Gries method for verifying concurrent programs is unsound for weak memory models. By strengthening its non-interference check, however, we obtain OGRA, a program logic that is sound for reasoning about programs in the release-acquire fragment of the C11 memory model. We demonstrate the usefulness of this logic by applying it to several challenging examples, ranging from small litmus tests to an implementation of the RCU synchronization primitives.
Similar references
Program Verification Under Weak Memory Consistency Using Separation Logic
The semantics of concurrent programs is now defined by a weak memory model, determined either by the programming language (e.g., in the case of C/C++11 or Java) or by the hardware architecture (e.g., for assembly and legacy C code). Since most work in concurrent software verification has been developed prior to weak memory consistency, it is natural to ask how these models affect formal reasoni...
Controlled Owicki-Gries Concurrency: Reasoning about the Preemptible eChronos Embedded Operating System
We introduce a controlled concurrency framework, derived from the Owicki-Gries method, for describing a hardware interface in detail sufficient to support the modelling and verification of small, embedded operating systems (OS’s) whose run-time responsiveness is paramount. Such real-time systems run with interrupts mostly enabled, including during scheduling. That differs from many other succes...
Syntactic Control of Interference for Separation Logic (Preliminary Report)
In an important paper in 1978 [26], Reynolds formulated a system of rules for “syntactic control of interference” formalizing the extant conventions for good programming practice in controlling variable aliasing as well as the conventions used in the programming logics formulated by Hoare [11, 12]. The focus of the rules at that time was the use of procedures. However, concurrency poses very mu...
Coherent Causal Memory
Coherent causal memory (CCM) is causal memory in which prefixes of an execution can be mapped to global memory states in a consistent way. While CCM requires conflicting pairs of writes to be globally ordered, it allows writes to remain unordered with respect to both reads and nonconflicting writes. Nevertheless, it supports assertional, state-based program reasoning using generalized Owicki-Gr...
Concurrent Program Design in the Extended Theory of Owicki and Gries
Feijen and van Gasteren have shown how to use the theory of Owicki and Gries to design concurrent programs, however, the lack of a formal theory of progress has meant that these designs are driven entirely by safety requirements. Proof of progress requirements are made post-hoc to the derivation and are operational in nature. In this paper, we describe the use of an extended theory of Owicki an...