the civl verifier
TRANSCRIPT
The Civl VerifierBernhard Kragl
Amazon Web Services and IST AustriaShaz Qadeer
Work done while at IST Austria
httpscivl-verifiergithubio
Invent inductive invariant 119868119899119907bull 119868119899119894119905 rArr 119868119899119907bull 119868119899119907 and 119873119890119909119905 rArr 119868119899119907bull 119868119899119907 rArr 119878119886119891119890
The transition system approach
lost program structure
complicatedinvariants
Realistic implementationsof large concurrent systems
Civl layered refinement overstructured concurrent programs
Layered Concurrent Program
119979(concrete low-level implementation)
119979
119979$(abstract high-level specification)
119979$
⋮≼
≼≼≼
small program transformation
structuredprogram
Tactic 1 Creating atomic blocks
Liptonrsquos reductionSequences of RL are atomic
R R L L
R L LR
Right mover
Left moverLeftRight mover
User declares mover types
Civl applies reductionbull Pairwise commutativity checksbull Mover sequence check
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Invent inductive invariant 119868119899119907bull 119868119899119894119905 rArr 119868119899119907bull 119868119899119907 and 119873119890119909119905 rArr 119868119899119907bull 119868119899119907 rArr 119878119886119891119890
The transition system approach
lost program structure
complicatedinvariants
Realistic implementationsof large concurrent systems
Civl layered refinement overstructured concurrent programs
Layered Concurrent Program
119979(concrete low-level implementation)
119979
119979$(abstract high-level specification)
119979$
⋮≼
≼≼≼
small program transformation
structuredprogram
Tactic 1 Creating atomic blocks
Liptonrsquos reductionSequences of RL are atomic
R R L L
R L LR
Right mover
Left moverLeftRight mover
User declares mover types
Civl applies reductionbull Pairwise commutativity checksbull Mover sequence check
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Realistic implementationsof large concurrent systems
Civl layered refinement overstructured concurrent programs
Layered Concurrent Program
119979(concrete low-level implementation)
119979
119979$(abstract high-level specification)
119979$
⋮≼
≼≼≼
small program transformation
structuredprogram
Tactic 1 Creating atomic blocks
Liptonrsquos reductionSequences of RL are atomic
R R L L
R L LR
Right mover
Left moverLeftRight mover
User declares mover types
Civl applies reductionbull Pairwise commutativity checksbull Mover sequence check
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Civl layered refinement overstructured concurrent programs
Layered Concurrent Program
119979(concrete low-level implementation)
119979
119979$(abstract high-level specification)
119979$
⋮≼
≼≼≼
small program transformation
structuredprogram
Tactic 1 Creating atomic blocks
Liptonrsquos reductionSequences of RL are atomic
R R L L
R L LR
Right mover
Left moverLeftRight mover
User declares mover types
Civl applies reductionbull Pairwise commutativity checksbull Mover sequence check
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Tactic 1 Creating atomic blocks
Liptonrsquos reductionSequences of RL are atomic
R R L L
R L LR
Right mover
Left moverLeftRight mover
User declares mover types
Civl applies reductionbull Pairwise commutativity checksbull Mover sequence check
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Tactic 2 Creating atomic actionsvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
action ACQUIRE()assume b == falseb = true
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIRE
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Tactic 3 Changing state representationvar b bool
proc Acquire() yieldwhile true
yieldexec s = CAS(b false true)if (s)
break yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Tactic 3 Changing state representationvar b bool
proc Acquire(tid) yieldwhile true
yieldexec s = CAS(b false true)if (s)
intro [l = Some(tid)]break
yield
var l OptionltThreadIdgt
action ACQUIRE(tid)assume l == Nonel = Some(tid)
Every execution of Acquire behaves like ldquoSKIP ACQUIRE SKIPrdquo
CAS CAS CAS
SKIP SKIP ACQUIREb hArr l ne None
ℐ ℐ ℐ ℐ
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Asynchronous executions1 ADD(1) ADD(2) ADD(3) ADD(4) ADD(5) ADD(6) ⋯2 ADD(2) ADD(5) ADD(1) ADD(4) ADD(6) ADD(3) ⋯3 ADD(6) ADD(4) ADD(5) ADD(1) ADD(3) ADD(2) ⋯4 ADD(4) ADD(1) ADD(6) ADD(3) ADD(2) ADD(5) ⋯
⋮
Tactic 4 Synchronizing asynchronyvar x nat
action ADD(i nat)x = x + i
action ASYNC_SUM(n nat)for i in 1n
async ADD(i)
action SUM(n nat)x = x + (n (n+1)) div 2
inv SUM_INV(n nat)var j natassume 0 lt= j ampamp j lt= nx = x + (j (j+1)) div 2for i in j+1n
async ADD(i)Inductive Sequentialization of Asynchronous Programs [PLDI 2020]
Works for practical protocolsPaxos Two-phase commit Chang-Roberts hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j)barrierSet = barrierSet - i
MutatorInv(j)
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Foundation Invariants amp Permissions
Refinement for Structured Concurrent Programs [CAV 2020]
invariant yield_x(i int)x ge i
named parameterizedprocedure double_inc()requires yield_x(x)
[x = x + 1]call yield_x(x)[x = x + 1]
ensures yield_x(old(x) + 2)
procedure Mutator(linear i Tid)hellipcall MutatorInv(i)[ barrierSet = barrierSet - i ]hellip
invariant MutatorInv(linear i Tid)i isin barrierSet
Yield invariants
Linear permissionsdisjointness invariants ldquofor freerdquo
MutatorInv(i) and MutatorInv(j) and i ne jbarrierSet = barrierSet - i
MutatorInv(j)
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Layered Concurrent Programs
bull Write 119979 ≼ ⋯ ≼ 119979 as a single ℒ119979
bull ldquodata layeringrdquowhich variables live on which layer
bull ldquocontrol layeringrdquowhich operations live on which layer
bull Express only the changesfrom one layer to the next
Civl Syntax
Conservative extension of Boogie
Boogie providesbull Imperative languagebull Specification features
Civl addsbull async par yield statementsbull other syntactic extensions
attributes attr e1 e2 hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var l Option TidGlobal variable
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
Mover type
Mover type
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var l Option Tid
procedure rightAcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure leftReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var b bool
procedure yieldsrefines AcquireSpec
Acquire(tid Tid)
var s bool
while (true)
call s = CAS_b(false true)if (s)
break
Yielding procedure
Atomicity spec
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
break
Layer range Layer range
Layer range
Layer range
Disappearing layer
Introduction layer
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpec
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
Introduction action
Introduction action
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1 tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Yield invariant
Yield invariant
Yield invariant
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
Linear variable
Linear variable
Linear variable
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
var layer 1 2 l Option Tid
procedure right layer 2 2AcquireSpec(linear tid tid Tid)modifies l
assume l == None()l = Some(tid)
procedure left layer 2 2ReleaseSpec(linear tid tid Tid)modifies l
assert l == Some(tid)l = None()
var layer 0 1 b bool
procedure yields layer 1refines AcquireSpecyield_preserves LockInv
Acquire(layer 1linear tid tid Tid)
var s bool
while (true)invariant layer 1yields
yield_loop LockInv true
call s = CAS_b(false true)if (s)
call set_l(Some(tid))break
procedure intro layer 1set_l(v Option Tid)modifies l l = v
procedure yield_invariant layer 1 LockInv()requires b lt==gt (l = None())
procedure yields layer 2refines ClientSpecyield_preserves LockInv
Client(layer 12 hidelinear tid tid Tid)
call Acquire(tid)call Release(tid)
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Concurrent garbage collector
Two major case studies
Atomic CPU operations
Locks and readwrite access
Actions used in barrier synchronization
Collector-mutator coordination for phase changes
ldquoGray objectsrdquo stack rArr set
Atomic root scan
0
1
2
4
5
3
Actions to allocate readwrite fields check equality6
Paxos
Low-level implementationnetwork memory hellip
Atomic event handlersabstract protocol state
High-level specificationConsensus in a single atomic step
2031 LOC 1116 LOC
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Experience
Oursbull Concurrent garbage collector [Hawblitzel et al CAVrsquo15]bull Paxos [Kragl et al PLDIrsquo20]bull Two-phase commit [Kragl et al CONCURrsquo18]bull Lock-protected memory atop TSO thread-local heap atop shared heap
work-stealing queue Treiber stack ticket lock hellip
Othersbull VerifiedFT (FastTrack data-race detector) [Flanagan et al PPoPPrsquo18]bull Chase-Lev deque [Mutluergil amp Tasiran Computing lsquo19]bull Java weakly-consistent data structures [Krishna et al ESOPrsquo20]bull Weak memory (TSO) programs [Bouajjani et al CAVrsquo18]
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Boogie
BoogieVC gen
Boogieparser
Boogietype checker
Boogiesolver callProgrambpl SMT-LIB
Implementation
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
BoogieCivl
BoogieVC gen
Boogieparser
Boogietype
checker
Boogiesolver
call
Civltype checker
Layer analysis
Yield sufficiency
Linearity
Civlprocessor
Linearity
Mover types
Invariants
Refinement
Inductive seq
Programbpl SMT-LIB
-civlDesugaredFile
Implementationstatic analysis
controldata flowlogical reasoning
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip
Give Civl a tryhttpscivl-verifiergithubio
Source codeDocumentation
ExamplesPapersTalks
hellip