## Cosmo: a concurrent separation logic for the weak memory model of Multicore OCaml

**Glen Mével** PhD defense December 14, 2022

LMF & Inria Paris

# An introduction to weak-memory concurrency

Movix

#### Family Cosmo shares a Movix account





#### Movix



Movix' policy: simultaneous accesses  $\implies$  account canceled



#### Family Cosmo shares a Movix account





Movix' policy: simultaneous accesses  $\implies$  account canceled

**Solution:** Family Cosmo has established a protocol:

- a totem in the living room, that anyone can borrow
- to watch Movix, one must have borrowed the totem



#### Movix: mutual exclusion







### Family Cosmo's members can change the password One day...



Family Cosmo's members can change the password One day...



Family Cosmo's members can change the password One day...



Alice had changed the password the day before, Bob didn't know

Family Cosmo's members can change the password One day...



Alice had changed the password the day before, Bob didn't know Movix' security policy: wrong password  $\implies$  IP blocked

Mutual exclusion is not enough

Alice and Bob have diverging views of their common password

Alice must transmit her (more up-to-date) knowledge to Bob

Mutual exclusion is not enough

Alice and Bob have diverging views of their common password

Alice must transmit her (more up-to-date) knowledge to Bob

Solution: write the password on the totem



#### Weak memory models:

multicore architecture, shared memory each thread has its own **view** of the state of the shared memory

- example: C11
- example: Java
- example: Multicore OCaml ("OCaml 5")

[Dolan et al, PLDI 2018, Bounding data races in space and time]

#### Weak memory models:

multicore architecture, shared memory each thread has its own **view** of the state of the shared memory

- example: C11
- example: Java
- example: Multicore OCaml ("OCaml 5")

[Dolan et al, PLDI 2018, Bounding data races in space and time]

Some bugs might have catastrophic consequences

- losing a paid Movix account
- killing patients: Therac-25 radiotherapy machine
- ...

Some bugs might have catastrophic consequences

- losing a paid Movix account
- killing patients: Therac-25 radiotherapy machine
- ...

How to improve confidence in software?

Some bugs might have catastrophic consequences

- losing a paid Movix account
- killing patients: Therac-25 radiotherapy machine
- ...

#### How to improve confidence in software?

Specify it:

state the expected behavior of a program in mathematical terms

Some bugs might have catastrophic consequences

- losing a paid Movix account
- killing patients: Therac-25 radiotherapy machine
- ...

#### How to improve confidence in software?

Specify it:

state the expected behavior of a program in mathematical terms

Verify it:

prove that the actual behavior matches the expected one

#### My aim:

- verifying
- fine-grained concurrent programs
- in the setting of Multicore OCaml

#### My contributions:

- Cosmo, a concurrent separation logic with views [ICFP 2020]
- case studies: locks [ICFP 2020], concurrent queue [ICFP 2021]

## Verifying SC concurrent programs with Concurrent Separation Logic

#### Hoare triple: {*Pre*} *e* {*Post*}

- e: program code
- Pre: precondition (logical assertion about the computer state)
- Post: postcondition (ditto)

"If we run *e* from a state that satisfies *Pre*, and if it terminates, then it ends in a state that satisfies *Post*."

#### Hoare triple: {*Pre*} *e* {*Post*}

- e: program code
- Pre: precondition (logical assertion about the computer state)
- Post: postcondition (ditto)

"If we run *e* from a state that satisfies *Pre*, and if it terminates, then it ends in a state that satisfies *Post*."

Pre and Post are stated in Separation Logic:

- an assertion represents the ownership of a resource
- the separating conjunction *P* \* *Q* asserts ownership of two distinct resources *P* and *Q*
- in general,  $P \Rightarrow P * P$

#### Resources and locks

Portions of memory are ownable resources

• example:  $a \rightsquigarrow$  "azerty"

"Movix account a, whose current password is "azerty""

We can guard such resources by using a lock (like the totem)

Two operations for a lock lk guarding a resource R:

• acquire *lk* 

grants R: we become its unique owner

• release *lk* 

reclaims R: we give it back and stop owning it

#### Resources and locks

Portions of memory are ownable resources

• example:  $a \rightsquigarrow$  "azerty"

"Movix account a, whose current password is "azerty""

We can guard such resources by using a lock (like the totem)

Two operations for a lock lk guarding a resource R:

• acquire *lk* 

grants R: we become its unique owner

• release *lk* 

reclaims R: we give it back and stop owning it

Formal specification?

if *lk* is a lock that guards *R*, then acquiring *lk* assumes nothing and grants *R* releasing *lk* reclaims *R* and grants nothing  $\label{eq:score} \fbox{isLock $lk$ $R$} \vdash $ if $lk$ is a lock that guards $R$, then $ \left\{ \{ \mathsf{True} \} \texttt{acquire } lk $\{R\}$ acquiring $lk$ assumes nothing and grants $R$ $\{R\}$ release $lk$ $\{\mathsf{True}\}$ releasing $lk$ reclaims $R$ and grants nothing $R$ $\end{tabular} }$ 

# $$\label{eq:slock_lk_R} \begin{split} & \vdash & \text{if $lk$ is a lock that guards $R$, then} \\ & \left\{ \{\text{True}\} \text{ acquire } \Bbbk\{R\} \ \text{ acquiring $lk$ assumes nothing and grants $R$} \\ & \left\{R\} \text{ release } \Bbbk\{\text{True}\} \ \text{ releasing $lk$ reclaims $R$ and grants nothing} \\ \end{split} \right.$$

isLock *lk* R is an assertion describing the internal layout of *lk*  $\implies$  asserts unique ownership of *lk* 

isLock lk R is an Iris invariant containing isLock lk R $\implies$  shares lk among all threads

#### The spin lock

A spin lock implements a lock using a Boolean reference:

| <pre>let release lk =</pre> | <pre>let try_acquire lk =</pre> |
|-----------------------------|---------------------------------|
| lk := false                 | CAS lk false true               |

A spin lock implements a lock using a Boolean reference:

| <pre>let release lk =</pre> | <pre>let try_acquire lk =</pre> |
|-----------------------------|---------------------------------|
| lk := false                 | CAS lk false true               |

Described by this assertion:

isLock  $lk R \triangleq \exists b. \ lk \rightsquigarrow b * (b = false \Rightarrow R)$ 

A spin lock implements a lock using a Boolean reference:

let release lk = let try\_acquire lk =
lk := false CAS lk false true

Described by this assertion:

 $\mathsf{isLock}\ \mathsf{lk}\ \mathsf{R} \triangleq \exists b.\ \mathsf{lk} \rightsquigarrow b * (b = \mathsf{false} \Rightarrow \mathsf{R})$ 

Specification of operations used by the spin lock:

|                                          | ${X \rightsquigarrow V}$                                 |
|------------------------------------------|----------------------------------------------------------|
| $\left\{ x \rightsquigarrow v \right\}$  | CAS $x v_1 v_2$                                          |
| $x \coloneqq v'$                         | (if <i>ret</i>                                           |
| $\left\{ x \rightsquigarrow v' \right\}$ | $ \{ \text{ then } x \rightsquigarrow v_2 * v = v_1 \} $ |
| . ,                                      | else $x \rightsquigarrow v$                              |

#### Verifying the spin lock in Concurrent Separation Logic [Iris, 2015]

isLock  $lk R \triangleq \exists b. \ lk \rightsquigarrow b * (b = false \Rightarrow R)$ 

isLock *lk R* ⊢

// release:
{R}

lk := false

isLock lk R ⊢
// try\_acquire:
{True}

CAS *lk* false true

 $\{\mathsf{True}\}$ 

$$\{(\mathit{ret} = \mathtt{true} \Rightarrow R)\}$$

#### Verifying the spin lock in Concurrent Separation Logic [Iris, 2015]

isLock 
$$lk R \triangleq \exists b. \ lk \rightsquigarrow b * (b = false \Rightarrow R)$$

// release: {isLock lk R \* R}

lk := false

// try\_acquire:
{isLock lk R}

CAS *lk* false true

{isLock *lk R*}

{isLock *lk R* \* (*ret* = true  $\Rightarrow$  *R*)} 12

#### Verifying the spin lock in Concurrent Separation Logic [Iris, 2015]

isLock 
$$lk R \triangleq \exists b. \ lk \rightsquigarrow b * (b = false \Rightarrow R)$$

// release: {isLock  $lk \ R \ * \ R$ } { $lk \rightarrow \ R$ } lk := false{ $lk \rightarrow false \ * \ R$ } {isLock  $lk \ R$ } // try\_acquire: {isLock *lk R*}  $\{lk \rightsquigarrow b * (b = \texttt{false} \Rightarrow R)\}$ CAS *lk* false true  $\begin{cases} \text{if } ret \\ \text{then } lk \rightsquigarrow \text{true } * R \\ \text{else } lk \rightsquigarrow b * (b = \text{false} \Rightarrow R) \end{cases}$  $\begin{cases} \text{if } ret \\ \text{then isLock } lk R * R \\ \text{else isLock } lk R \end{cases}$ if ret {isLock *lk*  $R * (ret = true \Rightarrow R)$ }

## Verifying Multicore OCaml programs with Cosmo

#### Using a lock

Example of using a lock *lk* to guard accesses to *pw*:

```
initially, pw = 0
initially, lk = false
acquire lk
pw := 1
release lk
B := !pw
release lk
```

#### Using a lock

Example of using a lock *lk* to guard accesses to *pw*:

```
initially, pw = 0
initially, lk = false
acquire lk
pw := 1
release lk
B := !pw
release lk
```

Passing a write to *pw* from the left thread to the right thread:

```
initially, pw = 0
initially, lk = true
pw := 1
release lk
B := !pw
```

Passing a write to *pw* from the left thread to the right thread:

```
initially, pw = 0
initially, lk = true
pw := 1
lk := false
A := !lk
B := !pw
```

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:



Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:



Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:



Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:



Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1)

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1)

### Passing a message in Multicore OCaml

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1), (false, 0)

Traditional model of concurrency violated

## Passing a message in Multicore OCaml

Passing a write to *pw* from the left thread to the right thread:

Possible (A, B): (true, 1), (true, 0), (false, 1), (false, 0)

Traditional model of concurrency violated

- hardware optimizations (e.g. buffering writes)
- compiler optimizations (e.g. reordering independent writes)

## The essence of weak memory: subjectivity

Weak memory: each thread has its own view of memory [Dolan et al]

In Cosmo: [ICFP 2020]

Some assertions are subjective: they depend on the thread's view

• example: *pw* ~> "azerty"

## The essence of weak memory: subjectivity

Weak memory: each thread has its own view of memory [Dolan et al]

In Cosmo: [ICFP 2020]

Some assertions are subjective: they depend on the thread's view

example: *pw* → "azerty"

Invariants are **objective**:

because they are available to all threads they cannot share subjective assertions

## The essence of weak memory: subjectivity

Weak memory: each thread has its own view of memory [Dolan et al]

In Cosmo: [ICFP 2020]

Some assertions are subjective: they depend on the thread's view

• example:  $pw \rightsquigarrow$  "azerty"

Invariants are **objective**:

because they are available to all threads they cannot share subjective assertions

The lock's resource R might be subjective, so cannot be put in an invariant as we did

The left thread must transmit its view to the right thread  $\implies$  need for a synchronization mechanism

The left thread must transmit its view to the right thread  $\implies$  need for a synchronization mechanism

In Multicore OCaml: atomic references [Dolan et al]

The left thread must transmit its view to the right thread  $\implies$  need for a synchronization mechanism

In Multicore OCaml: atomic references [Dolan et al]

Specification of atomic references?

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020]

•  $x \rightsquigarrow_{\text{at}} (v, \mathcal{U})$ 

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x :=_{\mathrm{at}} v' \end{cases} \begin{cases} x \rightsquigarrow_{\mathrm{at}} (v_1, \mathcal{U}) \\ \mathrm{CAS} \times v_1 v_2 \\ \\ x \rightsquigarrow_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \end{cases} \begin{cases} ret = \mathrm{true} * x \rightsquigarrow_{\mathrm{at}} (v_2, \mathcal{U}) * \uparrow \mathcal{U} \end{cases}$$

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020] views are mathematical objects;

•  $x \rightsquigarrow_{\text{at}} (v, U)$  they enjoy a lattice structure

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x :=_{\mathrm{at}} v' \\ \\ x \rightsquigarrow_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \begin{cases} x \rightsquigarrow_{\mathrm{at}} (v_1, \mathcal{U}) \\ \\ \mathrm{CAS} \times v_1 v_2 \\ \\ \text{ret} = \mathtt{true} * x \rightsquigarrow_{\mathrm{at}} (v_2, \mathcal{U}) * \uparrow \mathcal{U} \end{cases}$$

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020]

•  $x \rightsquigarrow_{\text{at}} (v, \mathcal{U})$ 

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x :=_{\mathrm{at}} v' \end{cases} \begin{cases} x \rightsquigarrow_{\mathrm{at}} (v_1, \mathcal{U}) \\ \mathrm{CAS} \times v_1 v_2 \\ \\ x \rightsquigarrow_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \end{cases} \begin{cases} ret = \mathrm{true} * x \rightsquigarrow_{\mathrm{at}} (v_2, \mathcal{U}) * \uparrow \mathcal{U} \end{cases}$$

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020]

•  $x \rightsquigarrow_{\text{at}} (v, \mathcal{U})$ 

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x :=_{\mathrm{at}} v' \\ \hline x \sim_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \quad \begin{cases} x \sim_{\mathrm{at}} (v_1, \mathcal{U}) \\ \mathrm{CAS} x v_1 v_2 \\ \hline ret = \mathtt{true} * x \sim_{\mathrm{at}} (v_2, \mathcal{U}) * \uparrow \mathcal{U} \end{cases}$$

current view

 $\uparrow \mathcal{U}$  : "the current view contains  $\mathcal{U}$ "

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020]

•  $x \rightsquigarrow_{\text{at}} (v, U)$ 

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

current view

 $\uparrow \mathcal{U}$  : "the current view contains  $\mathcal{U}"$ 

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x :=_{\mathrm{at}} v' \\ x \rightsquigarrow_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \begin{cases} x \rightsquigarrow_{\mathrm{at}} (v_1, \mathcal{U}) \\ \mathsf{release}^{\mathrm{CAS} \times v_1 v_2} \\ \mathsf{ret} = \mathsf{true} * x \rightsquigarrow_{\mathrm{at}} (v_2, \mathcal{U}) * \uparrow \mathcal{U} \end{cases}$$

Semantics of an atomic reference: [Dolan et al]

- 1. stores a value on which all threads agree at any point in time
- 2. achieves release/acquire synchronization

In Cosmo: [ICFP 2020]

•  $x \rightsquigarrow_{\text{at}} (v, U)$ 

"x stores the value v and a view (at least)  $\mathcal{U}$ "

- this assertion is objective
- reasoning rules (sample):

$$\begin{cases} x \rightsquigarrow_{\mathrm{at}} (v, \mathcal{U}) * \uparrow \mathcal{U}' \\ x \coloneqq_{\mathrm{at}} v' \\ \\ x \rightsquigarrow_{\mathrm{at}} (v', \mathcal{U}') \end{cases} \quad \begin{cases} x \rightsquigarrow_{\mathrm{at}} (v_1, \mathcal{U}) \\ CAS \times v_1 v_2 \\ \\ ret = \texttt{true} * x \rightsquigarrow_{\mathrm{at}} (v_2, \mathcal{U}) \\ \end{cases}$$

current view

 $\uparrow \mathcal{U}$  : "the current view contains  $\mathcal{U}$ "

A spin lock implements a lock using an **atomic** Boolean reference:

let release lk = let try\_acquire lk =
lk :={at} false CAS lk false true

Described by this assertion:

isLock  $lk R \triangleq \exists b . lk \rightsquigarrow_{at} b * (b = false \Rightarrow R)$ 

A spin lock implements a lock using an **atomic** Boolean reference:

let release lk = let try\_acquire lk =
lk :={at} false CAS lk false true

Described by this assertion:

isLock  $lk R \triangleq \exists b . lk \rightsquigarrow_{at} b * (b = false \Rightarrow R)$ 

R may be subjective!

A spin lock implements a lock using an **atomic** Boolean reference:

let release lk = let try\_acquire lk = lk :={at} false CAS lk false true

Described by this assertion:

isLock *lk*  $R \triangleq \exists b, \mathcal{U}. \ lk \rightsquigarrow_{\mathrm{at}}(b, \mathcal{U}) * (b = \mathtt{false} \Rightarrow R@\mathcal{U})$ 

*R* may be subjective!

 $R @ \mathcal{U} : "R where the current view is fixed to \mathcal{U}"$ 

## Verifying the spin lock in Multicore OCaml

$$\text{isLock} \ \textit{lk} \ \textit{R} \ \ \triangleq \ \ \exists b, \mathcal{U}. \ \textit{lk} \leadsto_{\mathrm{at}}(b, \mathcal{U}) \ \ast \ (b = \texttt{false} \Rightarrow \textit{R} @ \mathcal{U})$$

#### // release:

$$\{ \begin{array}{c} \text{isLock } lk \ R * R \} \\ \{ \begin{array}{c} lk \rightsquigarrow_{\text{at}} \_ & * R \} \\ \\ \exists \mathcal{U}. \ lk \rightsquigarrow_{\text{at}} \_ & * \overleftarrow{\uparrow \mathcal{U} * R @ \mathcal{U}} \\ \\ lk \coloneqq_{\text{at}} \texttt{false} \\ \\ \{ \begin{array}{c} lk \rightsquigarrow_{\text{at}} (\texttt{false}, \mathcal{U}) * R @ \mathcal{U} \\ \\ \\ \text{isLock } lk \ R \\ \\ \end{array} \}$$



// try\_acquire:  $\{isLock \ lk \ R\}$  $\{lk \rightsquigarrow_{at} (b, \mathcal{U}) * (b = \texttt{false} \Rightarrow R @ \mathcal{U})\}$ CAS *lk* false true if ret  $\begin{cases} \text{if } ret \\ \text{then } lk \rightsquigarrow_{\text{at}} (\text{true}, \mathcal{U}) * \uparrow \mathcal{U} * R @ \mathcal{U} \\ \text{else } \dots \\ \end{cases} \\ \begin{cases} \text{if } ret \\ \text{then isLock } lk \ R \ * \ R \\ \text{else } \dots \end{cases} \end{cases}$ {isLock  $lk R * (ret = true \Rightarrow R)$ }

A method for proving correctness under weak memory:

- 1. Start with the invariant under sequential consistency;
- 2. Identify how information flows between threads;
  - i.e. where are the synchronization points;
- 3. Refine the invariant with corresponding views.

# Case study: a multiple-producer multiple-consumer queue

case study: [ICFP 2021]

specifying and verifying a fine-grained concurrent queue in the weak memory model of Multicore OCaml

challenges:

1. shared ownership

tool: logical atomicity (not in this talk) [Iris, 2015; ICFP 2021]

case study: [ICFP 2021]

specifying and verifying a fine-grained concurrent queue in the weak memory model of Multicore OCaml

challenges:

- shared ownership tool: logical atomicity (not in this talk) [Iris, 2015; ICFP 2021]
- 2. need to specify thread synchronization tool: views [ICFP 2020]

case study: [ICFP 2021]

specifying and verifying a fine-grained concurrent queue in the weak memory model of Multicore OCaml

challenges:

- shared ownership tool: logical atomicity (not in this talk) [Iris, 2015; ICFP 2021]
- 2. need to specify thread synchronization tool: views [ICFP 2020]
  - fine-grained specification, more permissive than lock-based

non-trivial implementation taking profit from the relaxed spec

## A specification for concurrent queues in SC

$$\langle n, v_0, ..., v_{n-1}.$$
 IsQueue  $q$   $[v_0, ..., v_{n-1}] 
angle$ 

enqueue q v

 $\lambda$ (). IsQueue q [ $v_0, ..., v_{n-1}, v$ ]

$$[n, v_0, ..., v_{n-1}]$$
. IsQueue  $q [v_0, ..., v_{n-1}]$ 

dequeue q

$$\left< \lambda v. ext{ IsQueue } q \; [v_1,...,v_{n-1}] \; * \; 1 \leq n \; * \; v = v_0 
ight>$$

$$(n, v_0, ..., v_{n-1})$$
 IsQueue  $q [v_0, ..., v_{n-1}]$ 

enqueue q v

 $\lambda$ (). IsQueue q [ $v_0,...,v_{n-1},v$ ]

$$n, v_0, ..., v_{n-1}$$
. IsQueue  $q [v_0, ..., v_{n-1}]$ 

dequeue q

$$\left\langle \lambda v. \text{ IsQueue } q \; [v_1,...,v_{n-1}] \; * \; 1 \leq n \; * \; v = v_0 
ight
angle$$

IsQueue q [v<sub>0</sub>, ..., v<sub>n−1</sub>] is exclusive
 ⇒ must be shared through an invariant

$$(n, v_0, ..., v_{n-1})$$
. IsQueue  $q [v_0, ..., v_{n-1}]$ 

enqueue q v

 $\lambda$ (). IsQueue q [ $v_0,...,v_{n-1},v$ ]

$$n, v_0, ..., v_{n-1}$$
. IsQueue  $q [v_0, ..., v_{n-1}]$ 

dequeue q

$$\lambda v.$$
 IsQueue  $q \; [v_1,...,v_{n-1}] \; * \; 1 \leq n \; * \; v = v_0$ 

IsQueue q [v<sub>0</sub>,..., v<sub>n−1</sub>] is exclusive
 ⇒ must be shared through an invariant

$$(n, v_0, ..., v_{n-1})$$
 IsQueue  $q [v_0, ..., v_{n-1}]$ 

enqueue q v

 $\lambda$ (). IsQueue q [ $v_0, ..., v_{n-1}, v$ ]

$$n, v_0, ..., v_{n-1}$$
. IsQueue  $q [v_0, ..., v_{n-1}]$ 

dequeue q

$$\left\langle \lambda v. \text{ IsQueue } q \; [v_1,...,v_{n-1}] \; * \; 1 \leq n \; * \; v = v_0 
ight
angle$$

IsQueue q [v<sub>0</sub>, ..., v<sub>n−1</sub>] is exclusive
 ⇒ must be shared through an invariant

IsQueue q [v<sub>0</sub>, ..., v<sub>n−1</sub>] is exclusive
 ⇒ must be shared through an invariant

- IsQueue  $q [v_0, ..., v_{n-1}]$  is exclusive
  - $\Longrightarrow$  must be shared through an invariant
  - $\Longrightarrow$  must be objective

- IsQueue  $q [v_0, ..., v_{n-1}]$  is exclusive
  - $\implies$  must be shared through an invariant
  - $\Longrightarrow$  must be objective
- The queue transfers resources  $\Longrightarrow$  must transfer views

$$\begin{pmatrix}
n, (v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\
\text{IsQueue } q \ [(v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1})] & * \uparrow \mathcal{V} \\
\text{enqueue } q \ v \\
\langle \lambda(). \text{ IsQueue } q \ [(v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}), (v, \mathcal{V})] \\
\rangle, (v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\
\text{IsQueue } q \ [(v_0, \mathcal{V}_0), (v_1, \mathcal{V}_1), ..., (v_{n-1}, \mathcal{V}_{n-1})] \\
\text{dequeue } q$$

 $\Big\langle \lambda v. \text{ IsQueue } q \; [(v_1,\mathcal{V}_1),...,(v_{n-1},\mathcal{V}_{n-1})] \; \ast \; \stackrel{\wedge}{\to} \mathcal{V}_0 \; \ast \; 1 \leq n \; \ast \; v = v_0 \Big\rangle$ 

- IsQueue  $q [v_0, ..., v_{n-1}]$  is exclusive
  - $\Longrightarrow$  must be shared through an invariant
  - $\Longrightarrow$  must be objective

n

• The queue transfers resources  $\Longrightarrow$  must transfer views

$$\begin{pmatrix} n, (v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\ \text{IsQueue } q \ [(v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1})] & & \uparrow \mathcal{V} \\ \\ \text{enqueue } q \ v \\ \hline \lambda(). \text{ IsQueue } q \ [(v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}), (v, \mathcal{V})] & & \\ \end{pmatrix} \\ p, (v_0, \mathcal{V}_0), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\ \text{IsQueue } q \ [(v_0, \mathcal{V}_0), (v_1, \mathcal{V}_1), ..., (v_{n-1}, \mathcal{V}_{n-1})] \\ \hline \text{dequeue } q \\ \end{cases}$$

 $\left\langle \lambda v. ext{ IsQueue } q \; [(v_1,\mathcal{V}_1),...,(v_{n-1},\mathcal{V}_{n-1})] \; * \; iggtarrow \mathcal{V}_0 \; * \; 1 \leq n \; * \; v = v_0 
ight
angle$ 

- IsQueue  $q [v_0, ..., v_{n-1}]$  is exclusive
  - $\Longrightarrow$  must be shared through an invariant
  - $\Longrightarrow$  must be objective
- The queue transfers resources  $\Longrightarrow$  must transfer views

$$\begin{array}{c} \begin{pmatrix} n, (v_{0}, \mathcal{V}_{0}), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\ \text{IsQueue } q \ [(v_{0}, \mathcal{V}_{0}), ..., (v_{n-1}, \mathcal{V}_{n-1})] & * \uparrow \mathcal{V} \\ \end{array} \\ \begin{array}{c} \text{enqueue } q \ v \\ \hline \langle \lambda(). \ \text{IsQueue } q \ [(v_{0}, \mathcal{V}_{0}), ..., (v_{n-1}, \mathcal{V}_{n-1}), (v, \mathcal{V})] \\ \hline \end{pmatrix} \\ \begin{array}{c} n, (v_{0}, \mathcal{V}_{0}), ..., (v_{n-1}, \mathcal{V}_{n-1}). \\ \text{IsQueue } q \ [(v_{0}, \mathcal{V}_{0}), (v_{1}, \mathcal{V}_{1}), ..., (v_{n-1}, \mathcal{V}_{n-1})] \\ \hline \\ \hline \\ dequeue \ q \\ \hline \lambda v. \ \text{IsQueue } q \ [(v_{1}, \mathcal{V}_{1}), ..., (v_{n-1}, \mathcal{V}_{n-1})] \ * \ \uparrow \mathcal{V}_{0} \ * \ 1 \leq n \ * \ v = v_{0} \\ \end{array} \right)$$

- IsQueue  $q [v_0, ..., v_{n-1}]$  is exclusive
  - $\Longrightarrow$  must be shared through an invariant
  - $\Longrightarrow$  must be objective
- The queue transfers resources  $\Longrightarrow$  must transfer views

**Refinement** is another approach to specifying the queue: "this queue can replace a sequential queue guarded by a lock"

Shortcoming of the refinement spec:

the lock induces synchronization between all operations

**Refinement** is another approach to specifying the queue: "this queue can replace a sequential queue guarded by a lock"

Shortcoming of the refinement spec: the lock induces synchronization between **all** operations

Our spec is more permissive:

no guaranteed synchronization from dequeuer to enqueuer

Allows for more relaxed implementations... like the one we verified

# Conclusion

# Contributions

- BaseCosmo: A low-level program logic for the weak memory model of Multicore OCaml [ICFP 2020]
  - closely reflects the operational semantics
- Cosmo: A higher-level logic, based on a notion of views [ICFP 2020]
  - easier to use, cannot reason about racy programs
- Verification of locks and mutual exclusion algorithms [ICFP 2020]
- Specification and verification of a non-trivial lock-free queue [ICFP 2021]
  - demonstrates the expressivity of Cosmo
  - methodology: add views wherever synchronization is relevant
- Mechanized in Coq (Iris) 🦆

The logic of views enables concise and natural reasoning about how threads synchronize

Enables fine-grained specifications

Don't hide views: make them apparent in specifications!

Prove specifications with the splitting rule

Fits naturally into a Hoare/Concurrent Separation Logic framework

# Model of the logic in Iris

### Assertions are predicates on views:

$$v \operatorname{Prop} \triangleq \operatorname{view} \longrightarrow \operatorname{iProp}$$
$$\uparrow \mathcal{U}_0 \triangleq \lambda \mathcal{U}. \ \mathcal{U}_0 \sqsubseteq \mathcal{U}$$
$$P * Q \triangleq \lambda \mathcal{U}. \ P \ \mathcal{U} * Q \ \mathcal{U}$$
$$P \twoheadrightarrow Q \triangleq \lambda \mathcal{U}. \ P \ \mathcal{U} * Q \ \mathcal{U}$$

We equip a language-with-view with an operational semantics:  $exprWithView \triangleq expr \times view$ 

Iris builds a WP calculus for exprWithView in iProp.

We derive a WP calculus for expr in vProp and prove adequacy:

 $\begin{array}{l} \mathsf{WP} \ e \ \varphi \triangleq \lambda \mathcal{U} \ . \\ & \mathsf{valid} \ \mathcal{U} \twoheadrightarrow \mathsf{WP} \ \langle e, \mathcal{U} \rangle \ \left( \lambda \left\langle v, \mathcal{U}' \right\rangle . \ \mathsf{valid} \ \mathcal{U}' \ast \varphi \ v \ \mathcal{U}' \right) \\ & \mathsf{where} \ \varphi : \mathsf{val} \rightarrow \mathsf{vProp} \end{array}$ 

# Model of the logic in Iris

#### Assertions are monotonic predicates on views:

$$v \operatorname{Prop} \triangleq \operatorname{view} \xrightarrow{\operatorname{mon}} \operatorname{iProp}$$
$$\uparrow \mathcal{U}_0 \triangleq \lambda \mathcal{U}. \ \mathcal{U}_0 \sqsubseteq \mathcal{U}$$
$$P * Q \triangleq \lambda \mathcal{U}. \ P \ \mathcal{U} * Q \ \mathcal{U}$$
$$P \twoheadrightarrow Q \triangleq \lambda \mathcal{U}_1. \ \forall \mathcal{U} \sqsupseteq \mathcal{U}_1. \ P \ \mathcal{U} \twoheadrightarrow Q \ \mathcal{U}$$

We equip a language-with-view with an operational semantics:  $exprWithView \triangleq expr \times view$ 

Iris builds a WP calculus for exprWithView in iProp.

We derive a WP calculus for expr in vProp and prove adequacy:

WP  $e \varphi \triangleq \lambda \mathcal{U}_1$ .  $\forall \mathcal{U} \sqsupseteq \mathcal{U}_1$ .

 $\mathsf{valid}\,\mathcal{U} \twoheadrightarrow \mathsf{WP} \ \langle e, \mathcal{U} \rangle \ \left( \lambda \left\langle v, \mathcal{U}' \right\rangle . \ \mathsf{valid}\,\mathcal{U}' \ast \varphi \ v \ \mathcal{U}' \right)$ 

where  $\varphi : \mathsf{val} \to \mathsf{vProp}$ 

# Model of the logic in Iris

#### Assertions are monotonic predicates on views:

$$v \operatorname{Prop} \triangleq \operatorname{view} \xrightarrow{\operatorname{mon}} \operatorname{iProp}$$
$$\uparrow \mathcal{U}_0 \triangleq \lambda \mathcal{U}. \ \mathcal{U}_0 \sqsubseteq \mathcal{U}$$
$$P * Q \triangleq \lambda \mathcal{U}. \ P \ \mathcal{U} * Q \ \mathcal{U}$$
$$P \twoheadrightarrow Q \triangleq \lambda \mathcal{U}_1. \ \forall \mathcal{U} \sqsupseteq \mathcal{U}_1. \ P \ \mathcal{U} \twoheadrightarrow Q \ \mathcal{U}$$

We equip a language-with-view with an operational semantics:  $exprWithView \triangleq expr \times view$ 

Iris builds a WP calculus for exprWithView in iProp.

We derive a WP calculus for expr in vProp and prove adequacy:

WP  $e \varphi \triangleq \lambda \mathcal{U}_1$ .  $\forall \mathcal{U} \sqsupseteq \mathcal{U}_1$ .

 $\mathsf{valid}\,\mathcal{U} \twoheadrightarrow \mathsf{WP} \langle e, \mathcal{U} \rangle \ \left( \lambda \left\langle v, \mathcal{U}' \right\rangle. \ \mathsf{valid}\,\mathcal{U}' \ast \varphi \ v \ \mathcal{U}' \right)$ 

where  $\varphi$  : val  $\rightarrow$  vProp

Subjective assertions are monotonic w.r.t. the thread's view.

One reason is the frame rule:

$$\begin{cases} x \rightsquigarrow_{na} v * P \\ x \coloneqq_{na} v' \\ \\ \hline \lambda(). x \rightsquigarrow_{na} v' * P \end{cases}$$

Subjective assertions are monotonic w.r.t. the thread's view.

One reason is the frame rule:

$$\begin{cases} x \rightsquigarrow_{na} v * P - \text{holds at the thread's current view} \\ x \coloneqq_{na} v' \\ \end{cases}$$

$$\{\lambda(). x \rightsquigarrow_{na} v' * P - \text{holds at the thread's now extended view} \}$$

Decompose subjective assertions:

 $P \iff \exists \mathcal{U}. \underbrace{P @ \mathcal{U}}_{\text{objective}} * \underbrace{\uparrow \mathcal{U}}_{\text{subjective}}$  $P @ \mathcal{U} \implies \qquad \uparrow \mathcal{U} \twoheadrightarrow P$ 

Share parts via distinct mechanisms:

- *P* @ *U* : via an objective **invariant**
- $\uparrow \mathcal{U}$  : via synchronization offered by the memory model

Decompose subjective assertions:

 $P \iff \exists \mathcal{U}. \underbrace{\mathcal{P} @ \mathcal{U}}_{\text{objective}} * \underbrace{\uparrow \mathcal{U}}_{\text{subjective}}$  $P @ \mathcal{U} \iff \text{Objectively}(\uparrow \mathcal{U} \twoheadrightarrow P)$  $\text{Objectively} Q \iff (\forall \mathcal{U}. Q @ \mathcal{U}) \iff Q @ \varnothing$ 

Share parts via distinct mechanisms:

- P @ U : via an objective invariant
- $\uparrow \mathcal{U}$  : via synchronization offered by the memory model