Abstract

Early in the development of Hoare logic, Owicki and Gries introduced auxiliary variables as a way of encoding information about the history of a program’s execution that is useful for verifying its correctness. Over a decade later, Abadi and Lamport observed that it is sometimes also necessary to know in advance what a program will do in the future. To address this need, they proposed prophecy variables, originally as a proof technique for refinement mappings between state machines. However, despite the fact that prophecy variables are a clearly useful reasoning mechanism, there is (surprisingly) almost no work that attempts to integrate them into Hoare logic. In this paper, we present the first account of prophecy variables in a Hoare-style program logic that is flexible enough to verify logical atomicity (a relative of linearizability) for classic examples from the concurrency literature like RDCSS and the Herlihy-Wing queue. Our account is formalized in the Iris framework for separation logic in Coq. It makes essential use of ownership to encode the exclusive right to resolve a prophecy, which in turn enables us to enforce soundness of prophecies with a very simple set of proof rules.

Highlights

  • When proving correctness of a program P, it is often easier and more natural to reason forward, that is, to start at the beginning of P’s execution and reason about how it behaves as it executes

  • We develop our formal account of prophecy variables in the higher-order concurrent separation logic framework Iris [Jung et al 2018]

  • In §4, using the RDCSS data structure as a motivating example, we review the idea of logical atomicity and how it is proven in Iris


Summary

INTRODUCTION

When proving correctness of a program P, it is often easier and more natural to reason forward, that is, to start at the beginning of P’s execution and reason about how it behaves as it executes. Sometimes, however, it is also necessary to know in advance what the program will do in the future. To address this need, Abadi and Lamport [1988, 1991] introduced the idea of prophecy variables. The focus of Abadi and Lamport’s original paper was on using both history and prophecy variables to prove that one program (or program specification) is a correct implementation of another, by showing that the first refines, i.e., has a subset of the observable behaviors of, the second. Their main result was a theorem establishing that, under some restrictions, the combination of history and prophecy variables offers a sound and complete technique for proving valid refinement mappings. Although prophecy variables have been integrated into verification tools based on reduction [Sezgin et al 2010] and temporal logic [Cook and Koskinen 2011; Lamport and Merz 2017], there has been almost no work at all on incorporating prophecy variables into a Hoare-style program logic.
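To make the intuition concrete, here is an added toy model in Python, written for this summary and not part of the paper's Coq/Iris development. It assumes the following reading of the eager/lazy coin example that the paper's key-ideas section uses: an eager coin chooses its value when it is allocated, a lazy coin chooses it on the first read, and both expose only alloc and read events. A step-by-step forward simulation from the lazy coin to the eager one fails, because at allocation the eager coin has already committed to a value and the lazy coin has not; adding a prophecy of the future flip to the lazy coin's state makes the refinement mapping go through, and erasing the prophecy afterwards leaves the observable traces unchanged. The state encodings and function names are the example's own assumptions.

```python
"""Why a refinement proof can need a prophecy variable, and why the prophecy
can be erased afterwards. Added illustration, not the paper's Coq/Iris code.
Coin semantics are ASSUMED: an eager coin fixes its value at alloc, a lazy
coin fixes it on the first read; both emit only alloc/read events."""

INIT = ("none",)  # both systems start unallocated


def spec_step(s):
    """Eager coin (the specification): value chosen nondeterministically at alloc."""
    if s == INIT:
        return {(("alloc",), ("val", v)) for v in (True, False)}
    return {(("read", s[1]), s)}


def lazy_step(s):
    """Lazy coin (the implementation): value chosen at the first read."""
    if s == INIT:
        return {(("alloc",), ("unflipped",))}
    if s == ("unflipped",):
        return {(("read", v), ("flipped", v)) for v in (True, False)}
    return {(("read", s[1]), s)}


def proph_step(s):
    """Lazy coin whose state also carries a prophecy p of its future flip."""
    if s == INIT:
        # Creating the prophecy is nondeterministic: one run per prediction.
        return {(("alloc",), ("unflipped", p)) for p in (True, False)}
    if s[0] == "unflipped":
        p = s[1]
        # Resolving: a flip that contradicts the prediction is an infeasible run
        # and is dropped; the run with the other prediction covers that outcome.
        return {(("read", v), ("flipped", v, p)) for v in (True, False) if v == p}
    return {(("read", s[1]), s)}


def reachable(step):
    seen, todo = {INIT}, [INIT]
    while todo:
        s = todo.pop()
        for _, t in step(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def simulates(impl_step, spec, f):
    """Forward simulation under refinement mapping f: every implementation step
    s -l-> t must be matched by a spec step f(s) -l-> f(t).
    Returns (True, None) or (False, first unmatched (s, label, t))."""
    for s in reachable(impl_step):
        for label, t in impl_step(s):
            if (label, f(t)) not in spec(f(s)):
                return False, (s, label, t)
    return True, None


def lazy_mapping(guess):
    """Without a prophecy the unflipped coin must map to SOME eager value;
    `guess` is that choice (the mapping has nothing else to go on)."""
    def f(s):
        if s == INIT:
            return s
        if s == ("unflipped",):
            return ("val", guess)
        return ("val", s[1])
    return f


def proph_mapping(s):
    """With a prophecy, the mapping reads the future value off the state:
    s[1] is the prediction p when unflipped and the flip v (== p) afterwards."""
    return s if s == INIT else ("val", s[1])


def lazy_refines_without_prophecy():
    """Does any choice of eager value make the forward simulation go through?"""
    return any(simulates(lazy_step, spec_step, lazy_mapping(g))[0] for g in (True, False))


def traces(step, n):
    """All observable label sequences of length <= n."""
    out, frontier = set(), {(INIT, ())}
    for _ in range(n):
        nxt = set()
        for s, tr in frontier:
            for label, t in step(s):
                out.add(tr + (label,))
                nxt.add((t, tr + (label,)))
        frontier = nxt
    return out


def erasure_holds(n=4):
    """The prophecy is unobservable: same traces as the plain lazy coin."""
    return traces(proph_step, n) == traces(lazy_step, n)


if __name__ == "__main__":
    print("no prophecy, simulation found:", lazy_refines_without_prophecy())
    print("with prophecy, simulation holds:", simulates(proph_step, spec_step, proph_mapping)[0])
    print("erasure holds:", erasure_holds())
```

The failing step reported by `simulates` for the plain lazy coin is always the first read that disagrees with the guessed eager value: the mapping had to commit before the implementation did, which is exactly the knowledge of the future that a prophecy variable supplies. Trace inclusion (`traces(lazy_step, n) <= traces(spec_step, n)`) holds regardless, which is why refinement is true even though the step-by-step proof needs the extra auxiliary state.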

Prior Work on Using Prophecy Variables in Hoare Logic
Our Contribution
KEY IDEAS
Motivating Example: A Specification for Eager and Lazy Coins
One-Shot Prophecies
Sequence Prophecies
SOUNDNESS OF PROPHECY VARIABLES
Operational Semantics
Authoritative Resource Algebra
Model of Weakest Preconditions
Adequacy
Erasure
LOGICAL ATOMICITY
RDCSS Semantics
Logical Atomicity
Proving Logically Atomic Triples
Summary of Logical Atomicity
UNDERSTANDING THE RDCSS IMPLEMENTATION
FORMALLY VERIFYING RDCSS USING PROPHECIES
Using Prophecies for Proving RDCSS
RDCSS Specification
Proving the RDCSS Specification
RELATED AND FUTURE WORK