TaDA Live: Compositional Reasoning for Termination of Fine-grained Concurrent Programs

Emanuele D’Osualdo,Julian Sutherland,Azadeh Farzan,Philippa Gardner

doi:10.1145/3477082

Abstract

We present TaDA Live, a concurrent separation logic for reasoning compositionally about the termination of blocking fine-grained concurrent programs. The crucial challenge is how to deal with abstract atomic blocking : that is, abstract atomic operations that have blocking behaviour arising from busy-waiting patterns as found in, for example, fine-grained spin locks. Our fundamental innovation is with the design of abstract specifications that capture this blocking behaviour as liveness assumptions on the environment. We design a logic that can reason about the termination of clients that use such operations without breaking their abstraction boundaries, and the correctness of the implementations of the operations with respect to their abstract specifications. We introduce a novel semantic model using layered subjective obligations to express liveness invariants and a proof system that is sound with respect to the model. The subtlety of our specifications and reasoning is illustrated using several case studies.

Highlights

We present TaDA Live, a concurrent separation logic for reasoning compositionally about the termination of blocking fine-grained concurrent programs
There has been a flowering of work on modern concurrent separation logics for reasoning compositionally about safety properties of finegrained concurrent programs: e.g., CAP [10], TaDA [7], Iris [24], and FCSL [34]
We have introduced TaDA Live, a concurrent separation logic for reasoning compositionally about the termination of fine-grained blocking concurrent programs and proved a substantial soundness result

Summary

Introduction

We present TaDA Live, a concurrent separation logic for reasoning compositionally about the termination of blocking fine-grained concurrent programs. There has been a flowering of work on modern concurrent separation logics for reasoning compositionally about safety properties of finegrained concurrent programs: e.g., CAP [10], TaDA [7], Iris [24], and FCSL [34] With these modern logics, it is possible to provide abstract specifications that match the intuitive software interface understood by the developer and to verify both implementations and client programs. The goal of this article is to design a program logic to reason compositionally about the safety and termination of fine-grained concurrent programs: i.e., to be able to prove that if the input satisfies the precondition, the program terminates without faulting and the result satisfies the postcondition. Proof reuse is achieved when the right abstract interface for a module is identified, so the proof of correctness of the implementation of the module and the proof of its clients is decoupled: A proof of a client can be reused when swapping the implementation of the module for one satisfying the same specification; a proof of an implementation can be reused when the specification is general enough to support arbitrary correct clients

Objectives

Results

Conclusion