Logics and analyses for concurrent heap-manipulating programs

Reasoning about concurrent programs is difficult because of the need to consider all possible interactions between concurrently executing threads. The problem is especially acute for programs that manipulate shared heap-allocated data structures, since heapmanipulation provides more ways for threads to interact. Modular reasoning techniques sidestep this difficulty by considering every thread in isolation under some assumptions on its environment. In this dissertation we develop modular program logics and program analyses for the verification of concurrent heap-manipulating programs. Our approach is to exploit reasoning principles provided by program logics to construct modular program analyses and to use this process to obtain further insights into the logics. In particular, we build on concurrent separation logic—a Hoare-style logic that allows modular manual reasoning about concurrent programs written in a simple heap-manipulating programming language. Our first contribution is to show the soundness of concurrent separation logic without the conjunction rule and the restriction that resource invariants be precise, and to construct an analysis for concurrent heap-manipulating programs that exploits this modified reasoning principle to achieve modularity. The analysis can be used to automatically verify a number of safety properties, including memory safety, data-structure integrity, data-race freedom, the absence of memory leaks, and the absence of assertion violations. We show that we can view the analysis as generating proofs in our variant of the logic, which enables the use of its results in proof-carrying code or theorem proving systems. Reasoning principles expressed by program logics are most often formulated for only idealised programming constructs. Our second contribution is to develop logics and analyses for modular reasoning about features present in modern languages and libraries for concurrent programming: storable locks (i.e., locks dynamically created and destroyed in the heap), first-order procedures, and dynamically-created threads.

[1]  Noam Rinetzky,et al.  Interprocedural Shape Analysis for Recursive Programs , 2001, CC.

[2]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[3]  K. Rustan M. Leino,et al.  A Basis for Verifying Multi-threaded Programs , 2009, ESOP.

[4]  Peter W. O'Hearn,et al.  Shape Analysis for Composite Data Structures , 2007, CAV.

[5]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[6]  G. Winskel The formal semantics of programming languages , 1993 .

[7]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[8]  George C. Necula,et al.  Proof-Carrying Code , 2011, Encyclopedia of Cryptography and Security.

[9]  Hongseok Yang,et al.  Automatic Verification of Pointer Programs Using Grammar-Based Shape Analysis , 2005, ESOP.

[10]  Paul Rovner Extending Modula-2 to Build Large, Integrated Systems , 1986, IEEE Software.

[11]  Xinyu Feng,et al.  Deny-Guarantee Reasoning , 2009, ESOP.

[12]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[13]  Shmuel Sagiv Thread-Modular Shape Analysis , 2009, VMCAI.

[14]  Peter W. O'Hearn,et al.  On Scalable Shape Analysis , 2007 .

[15]  Peter W. O'Hearn,et al.  A Semantic Basis for Local Reasoning , 2002, FoSSaCS.

[16]  Stephen D. Brookes,et al.  Variables as Resource for Shared-Memory Programs: Semantics and Soundness , 2006, MFPS.

[17]  Andrew D. Birrell,et al.  An Introduction to Programming with Threads , 1996 .

[18]  Andrew W. Appel,et al.  Oracle Semantics for Concurrent Separation Logic , 2008, ESOP.

[19]  Jeremy Manson,et al.  The Java memory model , 2005, POPL '05.

[20]  Peter Sewell,et al.  A Better x86 Memory Model: x86-TSO , 2009, TPHOLs.

[21]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[22]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[23]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[24]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[25]  Roman Manevich,et al.  Thread Quantification for Concurrent Shape Analysis , 2008, CAV.

[26]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[27]  Viktor Vafeiadis,et al.  RGSep Action Inference , 2010, VMCAI.

[28]  Viktor Vafeiadis,et al.  Modular fine-grained concurrency verification , 2008 .

[29]  Martin C. Rinard,et al.  ACM Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA), November 2002 Ownership Types for Safe Programming: Preventing Data Races and Deadlocks , 2022 .

[30]  Peter W. O'Hearn,et al.  Automatic Termination Proofs for Programs with Shape-Shifting Heaps , 2006, CAV.

[31]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[32]  Arie de Bruin,et al.  Goto statements: semantics and deduction systems , 1981, Acta Informatica.

[33]  Hongseok Yang,et al.  Automatic Construction of Hoare Proofs from Abstract Interpretation Results , 2003, APLAS.

[34]  Viktor Vafeiadis,et al.  Modular Safety Checking for Fine-Grained Concurrency , 2007, SAS.

[35]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[36]  David I. August,et al.  Shape analysis with inductive recursion synthesis , 2007, PLDI '07.

[37]  永田 守男,et al.  Verifying Properties of Parallel Programs : An Axiomatic Approach , 1976 .

[38]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[39]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[40]  Michael Burrows,et al.  Eraser: a dynamic data race detector for multithreaded programs , 1997, TOCS.

[41]  Moshe Y. Vardi Verification of Concurrent Programs: The Automata-Theoretic Framework , 1991, Ann. Pure Appl. Log..

[42]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[43]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[44]  Glynn Winskel,et al.  Independence and Concurrent Separation Logic , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).

[45]  Roman Manevich,et al.  Heap Decomposition for Concurrent Shape Analysis , 2008, SAS.

[46]  C. A. R. Hoare,et al.  Procedures and parameters: An axiomatic approach , 1971, Symposium on Semantics of Algorithmic Languages.

[47]  Eran Yahav,et al.  Interprocedural Functional Shape Analysis using Local Heaps , 2004 .

[48]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[49]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[50]  Andreas Podelski,et al.  Proving that programs eventually do something good , 2007, POPL '07.

[51]  Marieke Huisman,et al.  Reasoning about Java's Reentrant Locks , 2008, APLAS.

[52]  Stephen N. Freund,et al.  Type-based race detection for Java , 2000, PLDI '00.

[53]  Maurice Herlihy,et al.  The art of multiprocessor programming , 2020, PODC '06.

[54]  Xinyu Feng,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005, ICFP '05.

[55]  Alexey Gotsman,et al.  Local Reasoning for Storable Locks and Threads , 2007, APLAS.

[56]  Patrick Cousot,et al.  Abstract Interpretation Frameworks , 1992, J. Log. Comput..

[57]  Jong-Deok Choi,et al.  Efficient and precise datarace detection for multithreaded object-oriented programs , 2002, PLDI '02.

[58]  John Boyland,et al.  Interprocedural Analysis for JVML Verification , 2002 .

[59]  Patrick Cousot,et al.  Static determination of dynamic properties of programs , 1976 .

[60]  Richard Bornat,et al.  Variables as Resource in Hoare Logics , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).

[61]  Ahmed Bouajjani,et al.  Programs with lists are counter automata , 2011, Formal Methods Syst. Des..

[62]  Dan Grossman,et al.  Type-safe multithreading in cyclone , 2003, TLDI '03.

[63]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[64]  Alexey Gotsman,et al.  Interprocedural Shape Analysis with Separated Heap Abstractions , 2006, SAS.

[65]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[66]  Eran Yahav,et al.  Verifying safety properties of concurrent Java programs using 3-valued logic , 2001, POPL '01.

[67]  Viktor Vafeiadis,et al.  Proving that non-blocking algorithms don't block , 2009, POPL '09.

[68]  Roman Manevich,et al.  Shape Analysis by Graph Decomposition , 2007, TACAS.

[69]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[70]  Eran Yahav,et al.  Interprocedural Shape Analysis for Cutpoint-Free Programs , 2005, SAS.

[71]  Jeffrey S. Foster,et al.  LOCKSMITH: context-sensitive correlation analysis for race detection , 2006, PLDI '06.

[72]  Peter W. O'Hearn,et al.  Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[73]  Viktor Vafeiadis,et al.  Compositional Resource Invariant Synthesis , 2009 .

[74]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[75]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[76]  Alexander Aiken,et al.  Effective static race detection for Java , 2006, PLDI '06.

[77]  Cormac Flanagan,et al.  Thread-Modular Model Checking , 2003, SPIN.

[78]  Neil Immerman,et al.  Abstraction for Shape Analysis with Fast and Precise Transformers , 2006, CAV.

[79]  Alexander Aiken,et al.  Conditional must not aliasing for static race detection , 2007, POPL '07.