A Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit
AA Separation Logic to Verify Termination ofBusy-Waiting for Abrupt Program Exit
Tobias Reinhard
KU Leuvenimec-DistriNet Research Group [email protected]
Amin Timany
Aarhus UniversityLogic and Semantics Group [email protected]
Bart Jacobs
KU Leuvenimec-DistriNet Research Group [email protected]
Abstract
Programs for multiprocessor machines commonly performbusy-waiting for synchronisation. In this paper, we make afirst step towards proving termination of such programs. Weapproximate (i) arbitrary waitable events by abrupt programtermination and (ii) busy-waiting for events by busy-waitingto be abruptly terminated.We propose a separation logic for modularly verifyingtermination (under fair scheduling) of programs where somethreads eventually abruptly terminate the program, andother threads busy-wait for this to happen.
Programs for multiprocessor machines commonly performbusy-waiting for synchronisation [15, 16, 18]. In this paper,we make a first step towards proving termination of such pro-grams. Specifically, we propose a separation logic [17, 20] formodularly verifying termination (under fair scheduling) ofprograms where some threads eventually abruptly terminatethe program, and others busy-wait for this to happen.Here, by modular we mean that we reason about eachthread and each function in isolation. That is, we do notreason about thread scheduling or interleavings. We onlyconsider these issues when proving the soundness of ourlogic.In this work, we approximate (i) arbitrary events that aprogram might wait for by abrupt termination and (ii) busy-waiting for events by busy-waiting to be abruptly terminated.In Section 6, we sketch preliminary ideas for generalizingthis to verifying termination of busy-waiting for arbitraryevents, and how this work may also be directly relevant toverifying liveness properties of a programβs I/O behaviour.Throughout this paper we use a very simple programminglanguage to illustrate our verification approach. Its simpli-city would allow us to verify termination of busy-waiting forabrupt termination via a static analysis significantly simplerthan the proposed separation logic. However, in contrastto such an analysis, our approach is also applicable to real-istic languages. We are confident that the logic we proposecan be combined straightforwardly with existing concurrentseparation logics like Iris [9] to verify termination of real-istic programs where threads busy-wait for abrupt programtermination. π β πΆπππ :: = exit | loop skip | fork π | π ; ππ β πΎ :: = done | π ; π Figure 1.
SyntaxWe start by introducing the programming language inSection 2 and continue in Section 3 with presenting theseparation logic and so-called obligations and credits [3, 4,11, 12], which we use to reason about termination of busy-waiting. In Section 4 we present our verification approach inthe form of a set of proof rules and illustrate their application.Afterwards, we sketch the soundness proof of our proofsystem in Section 5. We conclude by outlining our plans forfuture work, comparing our approach to related work andreflecting on our approach in Sections 6, 7 and 8.
We consider a simple programming language with an exit command that abruptly terminates all running threads, a fork command, a looping construct loop skip to expressinfinite busy-waiting loops and sequencing π ; π . Definition 2.1 (Commands and Continuations) . We denotethe sets of commands π and continuations π as defined by thegrammar presented in Figure 1 by πΆπππ and πΎ . We considersequencing Β· ; Β· as defined in the grammars of commands andcontinuations to be right-associative. We use commands and continuations to represent pro-grams and single threads, respectively, as well as naturalnumbers for thread IDs. Continuation done marks the endof a threadβs execution. We consider thread pools to be func-tions mapping a finite set of thread IDs to continuations.
Definition 2.2 (Thread Pools) . We define the set of threadpools TP as follows TP : = { π : Ξ β πΎ | Ξ β fin N } . We denote thread pools by π , thread IDs by π and the emptythread pool by β tp : β β πΎ . Definition 2.3 (Thread Pool Extension) . Let π : Ξ β πΎ βTP be a thread pool. We define: β’ π + tp β : = π , β’ π + tp { π } : Ξ βͺ { max ( Ξ ) + } β πΎ with ( π + tp { π })( π ) = π ( π ) for all π β Ξ and ( π + tp { π })( max ( Ξ ) + ) = π , a r X i v : . [ c s . L O ] O c t obias Reinhard, Amin Timany, and Bart Jacobs RedST-Loop loop skip ; π β st loop skip ; π , β RedST-Fork fork π ; π β st π , { π ; done } RedST-Seq ( π ; π ) ; π β st π ; ( π ; π ) , β Figure 2.
Reduction rules for single threads.
RedTP-Lift π β dom ( π ) π ( π ) = π π β st π β² ,ππ π β tp π [ π : = π β² ] + tp π RedTP-Exit π β dom ( π ) π ( π ) = exit ; π π π β tp β tp RedTP-ThreadTerm π β dom ( π ) π ( π ) = done π π β tp π β tp π Figure 3.
Reduction rules for thread pools. β’ π β tp π β² : Ξ \ { π β² } β πΎ with ( π β tp π β² )( π ) = π ( π ) We consider a standard small-step operational semanticsfor our language defined in terms of two reduction relations:(i) β st for single thread reduction steps and (ii) β tp forthread pool reduction steps. Definition 2.4 (Single-Thread Reduction Relation) . We definea single-thread reduction relation β st according to the rulespresented in Figure 2. A reduction step has the form π β st π β² ,π for a set of forked threads π β πΎ with | π | β€ . Definition 2.5 (Thread Pool Reduction Relation) . We definea thread pool reduction relation β tp according to the rulespresented in Figure 3. A reduction step has the form π π β tp π β² for a thread ID π β dom ( π ) . Figure 4 illustrates the type of programs we aim to verify.The code snippet spawns a new thread which will abruptlyterminate the entire program and then busy-waits for theprogram to be terminated. The operational semantics definedabove is non-deterministic in regard to when and if threadsare scheduled. Meanwhile, the presented program only ter-minates if the exiting thread is eventually scheduled. Hence,we need to assume fair scheduling.
Definition 2.6 (Reduction Sequence) . Let ( π π ) π β N be a se-quence of thread pools such that π π π π β tp π π + holds for all fork exit ; loop skip Figure 4.
Example program with two threads: An exitingthread and one waiting for the program to be abruptly ter-minated. π β N and some sequence ( π π ) π β N of thread IDs. Then we call ( π π ) π β N a reduction sequence . Note that according to this definition, reduction sequencesare implicitly infinite.
Definition 2.7 (Fairness) . We call a reduction sequence ( π π ) π β N fair iff for all π β N and π β dom ( π π ) there exists π β₯ π such that π π π β tp π π + . In this paper, we develop a separation logic to reason abouttermination of busy-waiting programs. Separation logic isdesigned for reasoning about program resources as well asghost resources [17, 20]. The latter is information attached toprogram executions for the purpose of program verification,e.g., a resource tracking how many threads have access to ashared memory location [8]. Here, we use ghost resourcesto track which thread will eventually exit , i.e., abruptly ter-minate the entire program.
Obligations & Credits.
Remember that exit terminatesall running threads. Therefore, in order to modularly reasonabout program termination we need information about otherthreads performing exit .For this purpose, we introduce two kinds of ghost re-sources: obligations and credits . Threads holding an oblig-ation are required to perform exit while threads holding acredit are allowed to busy-wait for another thread to exit . Asseen in the next section we ensure that no thread (directlyor indirectly) waits for itself.We aggregate obligations into obligations chunks, whereeach obligations chunk collects the held obligations of asingle thread.
Assertions.
The language of assertions defined in the fol-lowing allows us to express knowledge and assumptionsabout held obligations and credits. The language containsthe standard separating conjunction Β· β Β· as well as two non-standard predicates obs and credit to express the possessionof ghost resources. (i) obs ( π ) expresses the possession ofone obligations chunk containing π exit obligations; i.e., itexpresses that the current thread holds π exit obligations .(ii) credit expresses the possession of an exit credit that canbe used to busy-wait for another thread to exit . As outlined in Section 6, we plan to extend this logic to one where threadsare obliged to set ghost signals. This makes it necessary to track how manysignals remain to be set. Hence, we track the number of obligations.2
Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit π β A :: = True | False | π β π | obs ( π ) | credit π β N Figure 5.
Syntax of assertions. π β¨ A True π β¨ A π β π iff β π , π β R . π = π β R π β§ π β¨ A π β§ π β¨ A π ( π, π ) β¨ A obs ( π ) iff π β π ( π, π ) β¨ A credit iff π β₯ Figure 6.
Modeling relation for assertions.
Definition 3.1 (Assertions) . Figure 5 defines the set of asser-tions A . As we see in Section 4 it is crucial to our verificationapproach that the obs -predicate captures a full obligationschunk and that this chunk can only be split when obliga-tions are passed to a newly forked thread. We represent theinformation about the held obligations chunks and creditsby resource bundles ( π, π ) . Definition 3.2 (Resource Bundles) . We define the set of re-source bundles R as R : = Bags ( N ) Γ N . For ( π , π ) , ( π , π ) β R we define ( π , π ) β R ( π , π ) : = ( π β π , π + π ) , Threads hold exactly one obligations chunk, i.e., resources ( π, π ) with | π | =
1. We call such resource bundles complete . Definition 3.3 (Complete Resource Bundles) . We call a re-source bundle ( π, π ) β R complete if | π | = holds and write complete (( π, π )) . Note that the following definition indeed ensures that the obs -predicate captures a full obligations-chunk. Hence, nobundle with one obligations chunk can satisfy an assertionof the form obs ( π ) β obs ( π β² ) . Definition 3.4 (Assertion Model Relation) . Figure 6 definesthe assertion model relation β¨ A β R Γ A . We write π β¨ A π to express that resource bundle π β R models assertion π β A . In this section we present the proof system we propose forverifying termination of programs with busy-waiting forabrupt program exit and illustrate its application. Further,we present a soundness theorem stating that every program,which provably discharges all its exit obligations and startswithout credits, terminates.
VS-ObCred obs ( π ) ββ obs ( π + ) β credit VS-SemImp β π . π β¨ A π΄ β π β¨ A π΅π΄ β π΅ VS-Trans π΄ β πΆ πΆ β π΅π΄ β π΅ Figure 7.
View shift rules.
Hoare Triples.
We use Hoare triples { π΄ } π { π΅ } [5] to spe-cify the behaviour of programs. Such a triple expresses thatgiven precondition π΄ , command π can be reduced withoutgetting stuck and if this reduction terminates, then postcon-dition π΅ holds afterwards. In particular, a triple { π΄ } π { False } expresses that π does not terminate normally , i.e., it eitherdiverges or exits abruptly. Ghost Steps.
When verifying the termination of a pro-gram π , we consider it to start without any obligations orcredits, i.e., { obs ( )} π { π΅ } . Obligation-credit pairs can, how-ever, be generated during so-called ghost steps . These aresteps that exclusively exist on the verification level and onlyaffect ghost resources, but not the programβs behaviour [2, 9].A credit can also be cancelled against an obligation. View Shift.
In our proofs, we need to capture ghost stepsas well as drawing conclusions from assertions, e.g., rewrit-ing π΄ β π΅ into π΅ β π΄ and concluding obs ( ) from the assump-tion False . We ensure this by introducing a view shift relation β [9]. A view shift π΄ β π΅ expresses that whenever π΄ holds,then either (i) π΅ also holds or (ii) π΅ can be established byperforming ghost steps. π΄ ββ π΅ stands for π΄ β π΅ β§ π΅ β π΄ . Definition 4.1 (View Shift) . We define the view shift relation β β A Γ A according to the rules presented in Figure 7. Note that view shifts only allow to spawn or remove oblig-ations and credits simultaneously. This way, we ensure thatthe number of obligations and credits in the system remainsequal at any time (provided this also holds for the programβsinitial state).
Proof Rules.
We verify program specifications { π΄ } π { π΅ } via a proof relation β’ defined by a set of proof rules. Theserules are designed to prove that every command π , whichprovably discharges its obligations, i.e., β’ { obs ( π )} π { obs ( )} ,terminates under fair scheduling. Definition 4.2 (Proof Relation) . We define a proof relation β’ for Hoare triples { π΄ } π { π΅ } according to the rules presentedin Figure 8. Obligation-credit pairs can be generated and removed viaa ghost step by applying PR-ViewShift plus VS-ObCred.The only way to discharge an obligation, i.e., removing it obias Reinhard, Amin Timany, and Bart Jacobs PR-Frame β’ { π΄ } π { π΅ }β’ { π΄ β πΉ } π { π΅ β πΉ } PR-Exit β’ { π΄ } exit { False } PR-Loop β’ { obs ( ) β credit } loop skip { False } PR-Fork β’ (cid:8) obs ( π π ) β π΄ (cid:9) π { obs ( )}β’ (cid:8) obs ( π π + π π ) β π΄ (cid:9) fork π { obs ( π π )} PR-Seq β’ { π΄ } π { π΅ } β’ { π΅ } π { πΆ }β’ { π΄ } π ; π { πΆ } PR-ViewShift π΄ β π΄ β² β’ { π΄ β² } π { π΅ β² } π΅ β² β π΅ β’ { π΄ } π { π΅ } Figure 8.
Proof rules.without simultaneously removing a credit, is via rule PR-Exit. That is, a discharging program β’ { obs ( )} π { obs ( )} ,must involve an abrupt exit at some point.We can pass obligations and credits to newly forked threadsby applying PR-Fork. However, note that in order to proveanything about a command fork π , we need to prove thatthe forked thread discharges or cancels all of its obligations.The only way to justify busy-waiting is via PR-Loop,which requires the possession of a credit. Note that therule forbids the looping thread to hold any obligations. Thisensures that threads do not busy-wait for themselves to exit . In other words, we can only prove a triple of the form { π΄ } loop skip { π΅ } if precondition π΄ expresses the knowledgethat another thread is obliged to exit . Example.
Consider the program π ππ₯ = fork exit ; loop skip presented in Figure 4. It forks a new thread instructed to exit and busy-waits for it to do so. We can verify its terminationunder fair scheduling by proving β’ { obs ( )} π ππ₯ { obs ( )} .Figure 9 sketches this proof. Note that the assumption of fairscheduling is essential, since otherwise we would have noguarantees that the exiting thread is ever executed.The following soundness theorem states that we canprove termination of a program π under fair schedulingby proving that it discharging all its exit obligations, i.e., β’ { obs ( π )} π { obs ( )} . By such a proof we verify that no fairinfinite reduction sequence of π exists. That is, the reductioneventually terminates, either abruptly via exit or normally. Theorem 4.3 (Soundness) . Let β’ { obs ( π )} π { obs ( )} . Thereexists no fair reduction sequence ( π π ) π β N starting with π = {( π , π ; done )} for any π β N . { obs ( )}{ obs ( ) β credit } PR-ViewShift + VS-ObCred fork
PR-Fork { obs ( )} exit ; PR-Exit { False }{ obs ( )} PR-ViewShift + VS-SemImp { obs ( ) β credit } loop skip PR-Loop { False }{ obs ( )} PR-ViewShift + VS-SemImp
Figure 9.
Verification sketch for a program with two threads:An exiting thread and one busy-waiting for abrupt termina-tion. Applied proof rules are highlighted in violet.
In this section, we sketch the proof of Soundness Theorem 4.3as well as all necessary concepts and lemmas. Formal defini-tions and proofs can be found in the technical report [19].
Bridging the Gap.
According to our proof rules, ghostresources are not static but affected by the commands occur-ring in a program. For instance, forking allows us to passresources to the newly forked thread and exiting dischargesobligations. Hence, we annotate threads by resource bundlesto obtain annotated thread pools and define annotated ver-sions β ast and β atp of the relations β st and β tp . We define β atp as the union of two reduction relations: (i) β real for ac-tual program execution steps and (ii) β ghost for ghost steps.These relations reflect the interaction between commandsand ghost resources as reflected in the proof rules as well asghost steps realized by view shifts.Figure 10 shows three of the rules we use to define β ast , β ghost , β real . A ghost step performed by GS-ObCredIntrospawns an obligation-credit pair, comparable to a verificationghost step realized by a view shift. Reduction rule A-RedST-Loop requires the looping thread to hold a credit but forbidsit to hold any obligation. This ensures that busy-waitingthreads do not wait for themselves and corresponds to the re-striction that proof rule PR-Loop imposes on looping threads.Furthermore, we only allow annotated threads to terminate,i.e., be removed from the thread pool, if they do not holdany obligations, as shown by rule A-RedTP-ThreadTerm.Note that in contrast to the plain semantics, reductions inthe annotated semantics can get stuck.The annotated semantics act as an intermediary betweenhigh-level reasoning steps, e.g., using obligations to trackwhich thread is going to exit , and the actual program execu-tions. Interpreting Hoare Triples.
We interpret Hoare triplesin terms of a model relation β¨ H and an auxiliary safety rela-tion safe ( π , π ) . Intuitively, a continuation π is safe under a Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit
A-RedST-Loop π β₯ ({[ ]} , π ) , loop skip ; π β ast ({[ ]} , π ) , loop skip ; π , β GS-ObCredIntro π β dom ( π π ) π π ( π ) = (({[ π ]} , π ) , π ) π π π β ghost π π [ π : = (({[ π + ]} , π + ) , π )] A-RedTP-ThreadTerm π β dom ( π π ) π π ( π ) = (({[ ]} , π ) , done ) π π π β real π π β atp π Figure 10.
Example reduction rules for β real and β ghost .complete resource bundle π if π provides all necessary ghostresources such that the reduction of ( π , π ) does not get stuck.We write anno ( π π , π ) to express that π π is an annotated ver-sion of π , containing the same threads but each equippedwith a resource bundle. Definition 5.1 (Safety) . We define the safety predicate safe βR Γ πΎ coinductively as the greatest solution (with respect to β ) of the following equation: safe ( π , π ) = complete ( π ) ββ π, π β² . β π β dom ( π ) . β π π .π ( π ) = π β§ π π β tp π β² β§ anno ( π π , π ) β§ π π ( π ) = ( π , π ) ββ π π G . β π π β² . π π π β β ghost π π G β§ π π G π β real π π β² β§ anno ( π π β² , π β² )β§ β( π β , π β ) β range ( π π β² ) \ range ( π π ) . safe ( π β , π β ) Definition 5.2 (Hoare Triple Model Relation) . We define theHoare triple model relation β¨ H such that β¨ H { π΄ } π { π΅ }βββ π πΉ . β π . (β π π΅ . π π΅ β¨ A π΅ β safe ( π π΅ β R π πΉ , π ))β (β π π΄ . π π΄ β¨ A π΄ β safe ( π π΄ β R π πΉ , π ; π )) Every specification { π΄ } π { π΅ } we can derive with our proofrules also holds in our model. Lemma 5.3 (Soundness of Hoare Triples) . Let β’ { π΄ } π { π΅ } .Then β¨ H { π΄ } π { π΅ } holds.Proof. By induction on the derivation of β’ { π΄ } π { π΅ } . β‘ Constructing Annotated Executions.
Given a fair re-duction sequence ( π π ) π β N starting with π = {( π, π ; done )} ,we can construct a fair annotated reduction sequence ( π ππ ) π β N .Our definition of fairness for annotated reduction sequencesforbids ( π ππ ) π β N to perform ghost steps forever. Definition 5.4 (Fair Annotated Reduction Sequences) . Wecall an annotated reduction sequence ( π ππ ) π β N fair iff for all π β N and π β dom ( π ππ ) there exists π β₯ π such that π ππ π β real π ππ + . Lemma 5.5.
Let β¨ H { π΄ } π { π΅ } , π π΄ β¨ A π΄ and complete ( π π΄ ) .Furthermore, let ( π π ) π β N be fair with π = {( π, π ; done )} . Thereexists a fair annotated reduction sequence ( π ππ ) π β N with π π = {( π, ( π π΄ , π ; done ))} . As next step, we show that a fair and infinite annotatedreduction sequence such as ( π ππ ) π β N constructed above, muststart with an initial credit. We do this by analysing the se-quenceβs program order graph G(( π ππ ) π β N ) sketched below. Program Order Graph.
In the program order graph
G(( π ππ ) π β N ) of ( π ππ ) π β N , every node π represents the π th re-duction step of the sequence, i.e., π ππ π π β atp π ππ + . An edge hasthe form ( π, π, π, π ) and expresses that one of the followinghold: β’ π ππ π π β atp π ππ + is the first step of a thread forked instep π or β’ π is the next index representing a reduction of thread π π (in which case π π = π π holds).In both cases, π represents the name of the reduction ruleapplied in step π ππ π π β atp π ππ + . We set 0 as the graphβs root. Lemma 5.6.
Let G π be a finite sibling-closed prefix of someprogram order graph G(( π ππ ) π β N ) with π π = {( π , ( π , π ))} for some complete π . For all π β leaves (G π ) choose π π , π π , π π , π π such that π ππ π π β atp π ππ + and π ππ ( π π ) = (({[ π π ]} , π π ) , π π ) .The sum of the obligations held by the threads reduced in theleaves of G π equal the sum of the credits held by these threads: Ξ£ π β leaves (G π ) π π = Ξ£ π β leaves (G π ) π π Proof.
Proof by induction on the size of G π . β‘ Lemma 5.7.
There are no fair annotated reduction sequences ( π ππ ) π β N with π π = {( π , (({[ π ]} , ) , π ))} for any π , π , π .Proof Sketch. We prove our claim by contradiction. Supposethere exits such a reduction sequence ( π ππ ) π β N . Consider themaximal loop-edge-free sibling-closed prefix G lf of its pro-gram order graph. Since the G lf has no loop edges, it is finite.Since the reduction sequence ( π ππ ) π β N is infinite, at leastone of the leaves of the prefix G lf is the predecessor of aloop edge. This leaf (i.e., the thread reduced in the leaf) musttherefore hold a credit but no obligations. By Lemma 5.6,for any finite prefix of G , the sum of obligations held bythe leaves equals the sum of credits held by them. Hence,some other leaf π£ π must hold an obligation. Every leaf iseither (i) the final step of a thread or (ii) the predecessor of A subgraph is sibling-closed if, for each node π of the subgraph, π βs prede-cessorsβ successors are also in the subgraph. In other words, for each forkstep node, either both the next step of the forking thread and the first stepof the forked thread are in the subgraph, or neither are.5 obias Reinhard, Amin Timany, and Bart Jacobs . . . . . . . . . . Queue Responder Thread insertrequestsreceive req. 1, ..., N, ... respond to requests exit after respondingto request NResponder Thread . .
Clients Responder Thread extractrequestssending requests receiving response
Receiver ThreadReceiver Thread Server S Figure 11.
Server π receiving and replying to requests.Threads communicating via shared queue.a loop edge. Otherwise, by fairness, G lf would also includethe nodeβs successors. In both cases (i) and (ii), the leaf isforbidden to hold any obligations. However, leaf π£ π does holdan obligation. This contradicts π£ π being a leaf and, hence, theinfinite reduction sequence ( π ππ ) π β N cannot exist. β‘ Theorem 4.3 (Soundness) . Let β’ { obs ( π )} π { obs ( )} . Thereexists no fair reduction sequence ( π π ) π β N starting with π = {( π , π ; done )} for any π β N .Proof. By Lemmas 5.3, 5.5, 5.7. β‘ We are currently formalizing the presented approach and itssoundness proof in Coq.
Ghost Signals.
We plan to extend the verification ap-proach described in this paper to a verification technique wecall ghost signals , which allows us to verify termination ofbusy-waiting for arbitrary events. Ghost signals come withan obligation to set the signal and a credit that can be used tobusy-wait for the signal to be set. Consider a program withtwo threads: π‘ π eventually performs some event π (such assetting a flag in shared memory) and π‘ π€ busy-waits for π . Byletting π‘ π set the signal when it performs π , and thereby link-ing the ghost signal to the event, we can justify terminationof π‘ π€ βs busy-waiting. I/O Liveness as Abrupt Program Exit.
In concurrentwork we encode I/O liveness properties as abrupt programtermination following a conjecture of Jacobs et al. [7]. Con-sider a non-terminating server π which shall reply to allrequests. We can prove liveness of π using the followingmethodology: β’ For some arbitrary, but fixed π , assume that respond-ing to the π th request abruptly terminates the wholeprogram. β’ Prove that the program always terminates.One can combine this approach with the one of the presentpaper to verify liveness of a server where multiple threadsindependently receive and handle requests. Using a prophecyvariable [10], one can determine ahead of time which thread will receive the exiting request. The other threads can thenbe seen as busy-waiting for this thread to exit.
Combination.
We plan to combine the two approachessketched above and conjecture that the combination will beexpressive enough to verify liveness of programs such asthe server π presented in Figure 11. It runs a set of receivingand a set of responding threads communicating via a sharedqueue. The responding threads busy-wait for requests toarrive in the queue. In order to verify liveness of π , we needto show that some thread eventually abruptly terminatesthe program by acquiring and responding to the π th request.This requires us to prove that the responding threadsβ busy-waiting for requests to arrive in the shared queue terminates.In order to demonstrate the approachβs usability, we planto implement it in VeriFast [6] and prove liveness of π . Liang and Feng [13, 14] propose LiLi, a separation logic toverify liveness of blocking constructs implemented via busy-waiting. In contrast to our verification approach, theirs isbased on the idea of contextual refinement. LiLi does notsupport forking nor structured parallel composition.DβOsualdo et al. [1] propose TaDA Live, a separation lo-gic for verifying termination of busy-waiting. This logicallows to modularly reason about fine-grained concurrentprograms and blocking operations that are implemented interms of busy-waiting and non-blocking primitives. It usesthe concept of obligations to express thread-local livenessinvariants, e.g., that a thread eventually releases an acquiredlock. TaDA Live is expressive enough to verify CLH and spinlocks. The current version supports structured parallel com-position instead of unstructured forking. Comparing theirproof rules to ours, it is fair to say that our logic is simpler.Of course, theirs is much more powerful. We hope to be ableto extend ours as sketched above while remaining simpler.
In this paper we proposed a separation logic to verify the ter-mination of programs where some threads abruptly termin-ate the program and others busy-wait for abrupt termination.We proved our logic sound and illustrated its application.Abrupt termination can be understood as an approxim-ation of a general event. We outlined our vision on howto extend our approach to verify the termination of busy-waiting for arbitrary events. We have good hope that thefinal logic will be as expressive as TaDA Live proposed byDβOsualdo et al. [1] while remaining conceptually simpler.Further, we sketched our vision to combine this extendedwork with concurrent work on the encoding of I/O livenessproperties as abrupt termination. We illustrated that thiscombination will be expressive enough to verify livenessof concurrent programs where multiple threads share I/Oresponsibilities. Separation Logic to Verify Termination of Busy-Waiting for Abrupt Program Exit
References [1] Emanuele DβOsualdo, Azadeh Farzan, Philippa Gardner, and JulianSutherland. Tada live: Compositional reasoning for termination offine-grained concurrent programs.
CoRR , abs/1901.05750, 2019. URL http://arxiv.org/abs/1901.05750 .[2] Jean-Christophe FilliΓ’tre, LΓ©on Gondelman, and Andrei Paskevich.The spirit of ghost code.
Formal Methods in System Design , 48:152β174,2016. doi:10.1007/s10703-016-0243-x.[3] Jafar Hamin and Bart Jacobs. Deadlock-free monitors. In
ESOP , 2018.doi:10.1007/978-3-319-89884-1_15.[4] Jafar Hamin and Bart Jacobs. Transferring obligations through syn-chronizations. In
ECOOP , 2019.[5] C. A. R. Hoare. An axiomatic basis for computer programming.
Com-mun. ACM , 12:576β580, 1968. doi:10.1145/363235.363259.[6] Bart Jacobs, Jan Smans, Pieter Philippaerts, FrΓ©dΓ©ric Vogels, WillemPenninckx, and Frank Piessens. Verifast: A powerful, sound, pre-dictable, fast verifier for c and java. In M. Bobaru, K. Havelund, G.J.Holzmann, and R. Joshi, editors,
NASA Formal Methods (NFM 2011) ,volume 6617, pages 41β55. Springer, 2011. ISBN 978-3-642-20397-8.doi:10.1007/978-3-642-20398-5_4. URL https://lirias.kuleuven.be/95720 .[7] Bart Jacobs, Dragan Bosnacki, and Ruurd Kuiper. Modular terminationverification of single-threaded and multithreaded programs.
ACMTrans. Program. Lang. Syst. , 40:12:1β12:59, 2018. doi:10.1145/3210258.[8] Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer.Higher-order ghost state.
Proceedings of the 21st ACM SIG-PLAN International Conference on Functional Programming , 2016.doi:10.1145/2951913.2951943.[9] Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, LarsBirkedal, and Derek Dreyer. Iris from the ground up: A modularfoundation for higher-order concurrent separation logic.
J. Funct.Program. , 28:e20, 2018. doi:10.1017/S0956796818000151. [10] Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapo-port, Amin Timany, Derek Dreyer, and Bart Jacobs. The future isours: prophecy variables in separation logic.
Proceedings of the ACMon Programming Languages , 4(POPL), January 2020. ISSN 2475-1421.doi:10.1145/3371113.[11] Naoki Kobayashi. A new type system for deadlock-free processes. In
CONCUR , 2006. doi:10.1007/11817949_16.[12] K. Rustan M. Leino, Peter MΓΌller, and Jan Smans. Deadlock-freechannels and locks. In
ESOP , 2010. doi:10.1007/978-3-642-11957-6_22.[13] Hongjin Liang and Xinyu Feng. A program logic for con-current objects under fair scheduling. In
POPL 2016 , 2016.doi:10.1145/2837614.2837635.[14] Hongjin Liang and Xinyu Feng. Progress of concurrent objects withpartial methods.
Proc. ACM Program. Lang. , 2:20:1β20:31, 2017.[15] John M. Mellor-Crummey and Michael L. Scott. Algorithms for scalablesynchronization on shared-memory multiprocessors.
ACM Trans.Comput. Syst. , 9:21β65, 1991. doi:10.1145/103727.103729.[16] Kurt MΓΌhlemann. Method for reducing memory conflicts causedby busy waiting in multiple processor synchronisation. 1980.doi:10.1049/ip-e.1980.0017.[17] Peter W. OβHearn, John C. Reynolds, and Hongseok Yang. Localreasoning about programs that alter data structures. In
CSL , 2001.doi:10.1007/3-540-44802-0_1.[18] Md. Mahbubur Rahman. Process synchronization in multipro-cessor and multi-core processor. , pages 554β559, 2012.doi:10.1109/ICIEV.2012.6317471.[19] Tobias Reinhard, Amin Timany, and Bart Jacobs. A separation logic toverify termination of busy-waiting for abrupt program exit: Technicalreport. 2020. URL https://arxiv.org/abs/2007.10215 .[20] John C. Reynolds. Separation logic: a logic for shared mutable datastructures.