Reasoning About C11 Programs with Fences and Relaxed Atomics

Student thesis: Doctoral Thesis


For efficiency reasons, weak (or relaxed) memory is now the norm on modern
architectures, in which the memory accesses might be reordered. To cater for
this trend, modern programming languages are adapting their memory models.
The C/C++ (C11) memory model (ISO/IEC, 2011a,b) allows several levels of
memory weakening, including non-atomics, relaxed atomics, release-acquire
atomics, and sequentially consistent atomics. Due to the out-of-order executions
allowed in the weakened C11 memory model, multithreaded programs
exhibit more behaviour, some of which would have been inconsistent under the
traditional strong (i.e. sequentially consistent, or SC for short) memory model.
The existence of conter-intuitive behaviour makes understanding and correctly
implementing C11 concurrent programs highly difficult, and highlights the
importance of the involvement of formal methods. In the first formalisation
of C11 memory model, Batty et al. (2011) pointed out that there are several
problems in the prose language presented standards. This is an evidence of
the inadequate of informal approaches in the complex weak memory world.
Therefore there is a demand in search for programming logics that can reason
about concurrent programs assuming a weak, esp. the C11, memory model.
Three notable examples are the recent frameworks Relaxed Separation Logic
(RSL) (Vafeiadis and Narayan, 2013), GPS (Turon et al., 2014) and Fenced
Separation Logic (FSL) (Doko and Vafeiadis, 2016, 2017). However, both
GPS and RSL are limited in terms of the number of C11 synchronisation
mechanisms they support, in part due to the fact that neither of them supports C11 fences. While FSL can deal with C11 fences, it is incapable of reasoning
about some complex behaviours of C11 programs, due to some fundamental
restrictions it imposes, e.g. the stateless atomic locations.
In this thesis, by introducing the support to relaxed atomics and fences
we develop a new program logic, GPS+, that can be used to verify a bigger
class of C11 programs, that is, programs with all four commonly used types
of synchronisations. The key innovations and contributions of our proposed
logic include (1) two new types of assertions, (2) a more expressive resource
model and (3) a set of newly-designed verification rules; (4) we have also
provided a soundness proof for GPS+ and (5) put it in use for non-trivial
concurrent algorithms. Specifically, with the two new types of assertions we
can naturally distinguish in a concurrent context, the computation resources
that are locally available (captured by normal assertions), the resources ready
to be shared (captured by the newly introduced shareable assertions), and the
shared resources received from another thread but not yet locally usable until a
synchronisation is established (captured by the newly introduced waiting-tobe-
acquired assertions). These features are supported by a more expressive
resource model, in which we use a triple of resources, which are modeled as
partical commutative monoids (PCMs), to represent a single computation state.
We have also worked out the semantics for a enlarged language set based on
this resource model, which provides a firm soundness foundation for our new
logic framework, GPS+, On top of these foundations, our GPS+ logic is built
powerful enough to reason about programs with all four common forms of
synchronisations with the enhanced or newly-added reasoning rules. Together
with other advanced techniques like per-location-protocols, GPS+ can handle
sophisticated programs that cannot be verified by the state-of-the-art works
like GPS, RSL, or FSL.
Date of Award16 Feb 2018
Original languageEnglish
Awarding Institution
  • Teesside University
SupervisorShengchao Qin (Supervisor) & Joao Ferreira (Supervisor)

Cite this