On the Strength of Owicki-Gries for Resources

In multithreaded programs, data are often separated into lock-protected resources. Properties of those resources are typically verified by modular, Owicki-Gries-like methods. The modularity of the Owicki-Gries method has its price: proving some properties may require the manual introduction of auxiliary variables. Which properties can be proven without the burden of introducing auxiliary variables? We answer this question in the abstract interpretation framework. On the one hand, we reveal a lattice structure of the method and supply a syntax-based abstract transformer that describes the method exactly. On the other hand, we bound the loss of precision from above and below by transition-relation-independent weakly relational closures. On infinitely many programs the two closures coincide and describe the precision loss exactly; in general, the bounds are strict. We prove that there is no general exact closure-based fixpoint characterization of the accuracy of the Owicki-Gries method, neither in the collecting semantics nor in certain trace semantics.
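The following is an added illustration, not code or an example from the paper. It makes the two claims of the abstract concrete on a constructed toy program: two threads each run one critical region `x := (x + 1) mod 4` under a single lock (the modulus is only there to keep the state space finite). It computes the exact set of reachable states over all interleavings and, beside it, a set-based thread-modular reading of the Owicki-Gries method for resources: each thread keeps assertions only about its own control point and its own auxiliary variable, and one resource invariant covers the lock-protected data. That reading is a standard one and is an assumption here; it is not the paper's syntax-based transformer. Without auxiliary variables the method cannot exclude any final value of `x`, even though exactly `x = 2` is reachable; adding the auxiliary variables `a_i := 1` inside each region (the classic Owicki-Gries remedy) restores exactness.

```python
"""Owicki-Gries resource invariants versus the exact reachable states.

Constructed toy program (assumption, not from the paper): two threads, a
shared counter x protected by one lock, and each thread executes one region

    with lock do  x := (x + 1) mod 4;  [a_i := 1]

The optional assignment a_i := 1 is the auxiliary variable of thread i.
Regions are atomic, so every state is a lock-free state and the resource
invariant must hold in all of them.
"""

MOD = 4
THREADS = (0, 1)
INIT_AUX = (0, 0)


def run_region(x, aux, i, use_aux):
    """Effect of thread i's critical region on the resource state (x, aux)."""
    aux = list(aux)
    if use_aux:
        aux[i] = 1
    return (x + 1) % MOD, tuple(aux)


def concrete_reachable(use_aux=False):
    """Exact collecting semantics over all interleavings.

    A state is (pcs, x, aux) with pc_i = 0 before and 1 after thread i's region.
    """
    init = ((0, 0), 0, INIT_AUX)
    seen, work = {init}, [init]
    while work:
        pcs, x, aux = work.pop()
        for i in THREADS:
            if pcs[i] != 0:
                continue
            nx, naux = run_region(x, aux, i, use_aux)
            npcs = tuple(1 if j == i else pcs[j] for j in THREADS)
            state = (npcs, nx, naux)
            if state not in seen:
                seen.add(state)
                work.append(state)
    return seen


def concrete_final_x(use_aux=False):
    """Values of x in concrete states where both threads have finished."""
    return {x for pcs, x, _ in concrete_reachable(use_aux) if pcs == (1, 1)}


def owicki_gries_fixpoint(use_aux=False):
    """Set-based reading of the Owicki-Gries method for resources (assumed).

    local[i] : set of (pc_i, a_i), what thread i's assertions may say: its own
               control point and the auxiliary variable only it writes.
    inv      : set of resource states (x, aux), the resource invariant.
    A region of thread i is run from every local state of i against every
    invariant state that agrees with it on a_i (the conjunction "local
    assertion and I" at region entry).  Correlations with the OTHER thread's
    progress are not representable, which is where precision is lost.
    """
    local = {i: {(0, INIT_AUX[i])} for i in THREADS}
    inv = {(0, INIT_AUX)}
    changed = True
    while changed:
        changed = False
        for i in THREADS:
            for pc, a_i in list(local[i]):
                if pc != 0:
                    continue
                for x, aux in list(inv):
                    if aux[i] != a_i:
                        continue
                    nx, naux = run_region(x, aux, i, use_aux)
                    for target, item in ((local[i], (1, naux[i])), (inv, (nx, naux))):
                        if item not in target:
                            target.add(item)
                            changed = True
    return local, inv


def owicki_gries_final_x(use_aux=False):
    """Values of x the method cannot exclude once both threads have finished:
    the conjunction of both threads' postconditions with the invariant."""
    local, inv = owicki_gries_fixpoint(use_aux)
    done = {i: {a for pc, a in local[i] if pc == 1} for i in THREADS}
    return {x for x, aux in inv if aux[0] in done[0] and aux[1] in done[1]}


if __name__ == "__main__":
    for use_aux in (False, True):
        print(f"auxiliary variables: {use_aux}")
        print("  exact final x       :", sorted(concrete_final_x(use_aux)))
        print("  Owicki-Gries final x:", sorted(owicki_gries_final_x(use_aux)))
        _, inv = owicki_gries_fixpoint(use_aux)
        print("  resource invariant  :", sorted(inv))
```

Without auxiliary variables the computed invariant is all of `x in {0, 1, 2, 3}`, so the postcondition `x = 2` is not provable: the invariant must be preserved by `x := (x + 1) mod 4` on its own, and the only information about how many increments have happened lives in the correlation between the two threads' control points, which the method cannot express. With `a_0`, `a_1` the invariant is exactly `x = (a_0 + a_1) mod 4`, and each thread's postcondition `a_i = 1` pins `x` down to 2. The gap between the two runs is a concrete instance of the precision loss the abstract bounds.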
