# Strong Logic for Weak Memory: Reasoning About Release-Acquire Consistency in Iris<sup>\*</sup>

Technical report MPI-SWS-2017-###

Jan-Oliver Kaiser janno@mpi-sws.org Hoang-Hai Dang<sup>†</sup> haidang@mpi-sws.org

Derek Dreyer dreyer@mpi-sws.org Ori Lahav orilahav@mpi-sws.org

Viktor Vafeiadis viktor@mpi-sws.org November 20, 2017

## DRAFT IN PROGRESS

This technical report fleshes out the encoding of two weak memory program logics —GPS and RSL—in Iris. We discuss many technical problems that closely follow the Coq development but were not mentioned in the original paper [1]. Specifically, we present the full RA+NA operational semantics, the model and soundness proof of the base logic, and models and proofs of both iRSL and iGPS. We also present how extensions to GPS and RSL are built upon those models. Finally, we show how these extensions can simplify proofs of many examples. This report also aims to provide a helpful reference for ones who wish to use Iris to construct their logics.

<sup>\*</sup>This report accompanies our original paper published in ECOOP'17, available at [1].

 $<sup>^{\</sup>dagger}$  Hai is responsible for the wording of this report, as a writing exercise. Please direct any complaint or suggestion to him.

# Contents

| 1 | Introduction                                                                                             | 4   |  |  |  |  |  |  |  |  |  |  |
|---|----------------------------------------------------------------------------------------------------------|-----|--|--|--|--|--|--|--|--|--|--|
| 2 | RA+NA operational semantics                                                                              | 5   |  |  |  |  |  |  |  |  |  |  |
|   | 2.1 RA+NA machine                                                                                        | 5   |  |  |  |  |  |  |  |  |  |  |
|   | 2.1.1 Machine state wellformedness                                                                       | 6   |  |  |  |  |  |  |  |  |  |  |
|   | 2.1.2 Per-thread reduction                                                                               | 6   |  |  |  |  |  |  |  |  |  |  |
|   | 2.2 The $\lambda_{\rm RN}$ language                                                                      | 8   |  |  |  |  |  |  |  |  |  |  |
| 3 | Instantiating Iris: the base logic                                                                       | 11  |  |  |  |  |  |  |  |  |  |  |
|   | 3.1 The logic of views                                                                                   | 11  |  |  |  |  |  |  |  |  |  |  |
|   | 3.2 Model                                                                                                | 11  |  |  |  |  |  |  |  |  |  |  |
| 4 | View-monotone predicates                                                                                 | 13  |  |  |  |  |  |  |  |  |  |  |
| 5 | Devictor and Exactor                                                                                     |     |  |  |  |  |  |  |  |  |  |  |
| 3 | 5.1 Persistor                                                                                            | 14  |  |  |  |  |  |  |  |  |  |  |
|   | 5.2 Fractor                                                                                              | 14  |  |  |  |  |  |  |  |  |  |  |
|   | 0.2 1140001                                                                                              |     |  |  |  |  |  |  |  |  |  |  |
| 6 | Non-Atomics                                                                                              | 14  |  |  |  |  |  |  |  |  |  |  |
|   | 6.1 Proof rules                                                                                          | 14  |  |  |  |  |  |  |  |  |  |  |
|   | 6.2 Model                                                                                                | 14  |  |  |  |  |  |  |  |  |  |  |
| 7 | iRSL                                                                                                     | 15  |  |  |  |  |  |  |  |  |  |  |
|   | 7.1 Proof rules                                                                                          | 15  |  |  |  |  |  |  |  |  |  |  |
|   | 7.2 Model for atomic reads and writes                                                                    | 15  |  |  |  |  |  |  |  |  |  |  |
|   | 7.3 Adding CAS $\ldots$ | 15  |  |  |  |  |  |  |  |  |  |  |
| 8 | iGPS                                                                                                     | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1 Proof rules                                                                                          | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1.1 Plain protocols                                                                                    | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1.2 Single-Writer protocols                                                                            | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1.3 Fractional protocols                                                                               | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1.4 Fractional Single-Writer protocols with life cycles                                                | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.1.5 Exchanges and Escrows                                                                              | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.2 Proof setup                                                                                          | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.3 Raw protocols                                                                                        | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.4 Plain protocols                                                                                      | 16  |  |  |  |  |  |  |  |  |  |  |
|   | 8.5 Single-Writer protocols                                                                              | 10  |  |  |  |  |  |  |  |  |  |  |
|   | 8.0 Fractional protocols                                                                                 | 10  |  |  |  |  |  |  |  |  |  |  |
|   | 8.8 Exchanges and Escrows                                                                                | 16  |  |  |  |  |  |  |  |  |  |  |
|   |                                                                                                          | 10  |  |  |  |  |  |  |  |  |  |  |
| 9 | Examples                                                                                                 | 17  |  |  |  |  |  |  |  |  |  |  |
|   | 9.1 Message passing in the base logic                                                                    | 17  |  |  |  |  |  |  |  |  |  |  |
|   | 9.2 Miessage passing in IGP5                                                                             | 17  |  |  |  |  |  |  |  |  |  |  |
|   | 9.9 Spin lock                                                                                            | 17  |  |  |  |  |  |  |  |  |  |  |
|   | 9.4 IICHUCI Statk                                                                                        | 17  |  |  |  |  |  |  |  |  |  |  |
|   |                                                                                                          | т ( |  |  |  |  |  |  |  |  |  |  |

| 9.6 | Michael-Scott queue                 |  |  |   |  |   |  |     |  |  |   |  |   |  |   |  |  | 17 |
|-----|-------------------------------------|--|--|---|--|---|--|-----|--|--|---|--|---|--|---|--|--|----|
| 9.7 | Bounded ticket lock                 |  |  |   |  |   |  |     |  |  |   |  |   |  |   |  |  | 17 |
| 9.8 | $\operatorname{Read-Copy-Update}$ . |  |  | • |  | • |  | • • |  |  | • |  | • |  | • |  |  | 17 |

## 1 Introduction

Mechanizing formalization is hard, and trying to understand other people's mechanized formalizations is even harder, as it is almost impossible to quickly get a high-level intuition by diving into thousands of lines of code written in a possibly different style from your own. It is a myth that one can successfully go through those developments without the original authors' help. This report aims to fill this gap for our paper [1] on the encodings of weak memory program logics RSL and GPS in Iris. Due to lack of space, many interesting details only live in the Coq development and were not mentioned in the paper. These include:

- the full Release-Acquire operational semantics with allocation and deallocation
- the full model and soundness proof of the base logic
- the models and soundness proofs of both iRSL and iGPS
- extensions of iRSL and iGPS and their proofs
- proofs of examples, which demonstrate the power of the extensions, in comparison with the origin proofs.

This report provides an intuitive documentation for all of these points, as well as for all the techniques employed to formalize them in Iris in Coq. It may therefore be beneficial to those who wish to use Iris to construct their logics. We explain the full operational semantics in §2, and how to instantiate Iris with it to get the base logic in §3. In §4, we present *view-monotone predicates*, which are the basic building blocks for all iRSL and iGPS assertions. In §5, we diverge a bit to present *persistor* and *fractor*—two useful constructs that we employ to derive different instances for some assertions. Next, in §6, we show how the points-to assertions and rules for non-atomic accesses can be built in a direct way from the base logic. We also demonstrate the application of the fractor construct to create fractional points-to assertions. In §7 and §8, we define the iRSL and iGPS assertions, respectively, and prove soundness of all the rules. These includes all extensions to RSL and GPS, which depend on the persistor and fractor constructs. The most important extension is the single-writer protocols. Finally in §9, we show the proofs of all the examples we have formalized.

## 2 RA+NA operational semantics

## 2.1 RA+NA machine

The intuition of the operational semantics comes from the observation that different threads have different view of the memory. We thus have to keep track of pass write events so that some threads can still access them. Moreover, write events to the same location must follow a total order enforced by C11 call *modification order (mo* for short). Finally, we need to keep track of each thread's progress on each location's *mo*, which decides which writes to the location the thread can read, and where its new writes may end up.

For the *mo* order, the RA+NA machine manages for each location a totally ordered set of timestamps  $t \in \text{Time} \triangleq \mathbb{N}$ . Each write of some value  $\nu$  to a location  $\ell$  gets assigned a new timestamp (unique for  $\ell$ ), resulting in a write event  $\omega \in \text{Event} \triangleq \text{Loc} \times \text{ADVal} \times \text{Time}$ , where  $\nu \in \text{ADVal} \triangleq \mathbb{Z} \cup \{A, D\}$ . The values A and D are used to mark allocation and deallocation events respectively. A keen reader may have noticed that our machine only accept simple integers, not tuples or functions, as values. Using timestamps, the thread's "progress" is represented by a *view*,  $V \in \text{View} \triangleq \text{Loc} \stackrel{\text{fin}}{\longrightarrow} \text{Time}$ , which records the timestamp of the most recent write event observed by the thread for every location. To enable communication between threads, every write event is augmented with the writing thread's view (including the timestamp of the write), yielding a message  $m \in \text{Msg} \triangleq \text{Event} \times \text{View}$ .

The machine state  $\sigma$  comprises a message pool M (called *memory*) and a thread-view map T that tracks the view of each thread. To detect data races during the execution of a program, we add an additional component to the physical state: the *non-atomic view* N, which tracks the timestamp of the most recent non-atomic write to every location.

For the reduction steps of the semantics, we need to track the operation's memory event  $\varepsilon \in \mathcal{E}$ , which can be read, write, update or fork. Updates are always release write and acquire read, while a normal read or write can have access mode  $\alpha \in \text{Access}$ , which can be non-atomic or atomic. An atomic read is always an acquire event, while an atomic write a release one.

The types of all components are summarized in Figure 1.

| Variable name                                  | Type       | Definition                                                                                                                                                                                                                                       |
|------------------------------------------------|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\ell \in$                                     | Loc        | riangle N                                                                                                                                                                                                                                        |
| $t \in$                                        | Time       | $\triangleq \mathbb{N}$                                                                                                                                                                                                                          |
| $\nu \in$                                      | ADVal      | $\triangleq A \mid D \mid z \in \mathbb{Z}$                                                                                                                                                                                                      |
| $V \in$                                        | View       | $\triangleq \operatorname{Loc} \stackrel{\operatorname{fin}}{\rightharpoonup} \operatorname{Time}$                                                                                                                                               |
| $m \in$                                        | Msg        | $\triangleq Loc \times ADVal \times Time \times View$                                                                                                                                                                                            |
| $\pi,\rho\in$                                  | ThreadId   | $	riangle \mathbb{N}$                                                                                                                                                                                                                            |
| $\sigma,(\mathit{M},\mathit{T},\mathit{N})\in$ | $\Sigma$   | $\triangleq \mathcal{P}(Msg) \times (ThreadId \stackrel{fin}{\rightharpoonup} View) \times View$                                                                                                                                                 |
| $\alpha \in$                                   | Access     | $\triangleq$ na   at                                                                                                                                                                                                                             |
| $\varepsilon\in$                               | ${\cal E}$ | $\triangleq \langle \operatorname{Read}_{\alpha}, \ell, \nu \rangle \mid \langle \operatorname{Write}_{\alpha}, \ell, \nu \rangle \mid \langle \operatorname{Update}, \ell, \nu_o, \nu_n \rangle \mid \langle \operatorname{Fork}, \rho \rangle$ |

Figure 1: Types of RA+NA machine's components (lang/types.v).

#### 2.1.1 Machine state wellformedness

We only consider wellformed states. The reduction steps (see below) always preserve wellformedness. Wellformedness enforces the following restrictions on the components (M, T, N) of the machine state:

- nats\_ok: all timestamps of the non-atomic view N must be justified by a message in M.
- threads\_ok: similarly, all timestamps of a thread-view in T must be justified by a message in M.
- msgs\_ok: any message in *M* must include its write timestamp in its view, whose all timestamps also must be justified by *M*.
- alloc\_inv and dealloc\_inv: any message must be compatible with the location's history of allocations and deallocations before it. This means that (1) an allocation must be the first event, or must immediately follow a deallocation; (2) a normal-value event (*i.e.*, a write with  $v \in \mathbb{Z}$ ) is only possible if the previously closest non-normal-value event is an allocation; and (3) a deallocation is only possible if the previously closest non-normal-value event is an allocation. Note that although this condition allows the reuse of deallocated locations by re-allocating them, we do not exploit this ability. For the sake of simplicity, we maintain that an allocation will always pick a fresh location. These two invariants are just relics from the initial development, the kind of which the reader needs not pay to much attention.
- pairwise\_disj: the memory only contains *pairwise disjoint* messages, which requires that two messages that have the same location and timestamp must be exactly the same.

 $phys_inv(\sigma)$ 

#### Machine state wellformedness (lang/machine.v)

$$\begin{split} \texttt{view\_ok}(M,V) &\triangleq \forall \ell, t. \ V(\ell) = t \Rightarrow \exists m. \ m \in M \land m. \texttt{loc} = \ell \land m. \texttt{time} = t \land m. \texttt{view} \sqsubseteq V \\ \texttt{nats\_ok}(M,N) &\triangleq \forall \ell, t. \ N(\ell) = t \Rightarrow \exists m. \ m \in M \land m. \texttt{loc} = \ell \land m. \texttt{time} = t \\ \texttt{threads\_ok}(\sigma) &\triangleq \forall \pi, V. \ \sigma. \ T(\pi) = V \Rightarrow \texttt{view\_ok}(\sigma.M,V) \\ \texttt{msg\_ok}(m) &\triangleq m. \texttt{view}(m. \texttt{loc}) = m. \texttt{time} \\ \texttt{msgs\_ok}(M) &\triangleq \forall m \in M. \ \texttt{msg\_ok}(m) \land \texttt{view\_ok}(M, m. \texttt{view}) \\ \texttt{phys\_inv}(\sigma) &\triangleq \texttt{nats\_ok}(\sigma.M, \sigma.N) \land \texttt{threads\_ok}(\sigma) \land \texttt{msgs\_ok}(\sigma.M) \\ \land \texttt{alloc\_inv}(\sigma.M) \land \texttt{dealloc\_inv}(\sigma.M) \land \texttt{pairwise\_disj}(\sigma.M) \end{split}$$

#### 2.1.2 Per-thread reduction

The  $\lambda_{\rm RN}$  language's reduction relation is factored into the *expression reduction*, concerned with the evaluation of the language's expressions, and the *machine reduction*, concerted with how the execution of an expression affects the machine state. We will define the complete reduction relation later, after defining the expression reduction. In this sub-section we define the *per-thread* machine reduction relation (Figure 2).

The key difference between the definition of the operational semantics actually used to instantiate Iris and the definition given in the paper [1] is the *bad states*:  $\perp_{\text{race}}$  and  $\perp_{\text{uninit}}$ . In the current Coq development, we do not have bad states in the operational semantics: we simply model that, if the operational semantics is going to step to a bad state, it just gets stuck *i.e.*,

## Basic thread reduction (thread\_red)

 $(M,V) \xrightarrow{\varepsilon} (M',V')$ 

$$\begin{array}{l} \begin{array}{l} \begin{array}{l} \text{THREAD-READ} \\ \hline (\ell,\nu,t,V_o) \in M & V(\ell) \leq t \\ \hline (M,V) \xrightarrow{\langle \text{Read}_{\alpha},\ell,\nu \rangle} & (M,V \sqcup V_o) \end{array} \end{array} & \begin{array}{l} \begin{array}{l} \begin{array}{l} \text{THREAD-WRITE} \\ \neg \exists \nu_x, V_x. \ (\ell,\nu_x,t,V_x) \in M & V(\ell) < t & V' = V[\ell \mapsto t] \\ \hline (M,V) \xrightarrow{\langle \text{Write}_{\alpha},\ell,\nu \rangle} & (M \cup \{(\ell,\nu,t,V')\},V') \end{array} \end{array} \\ \\ \begin{array}{l} \begin{array}{l} \begin{array}{l} \text{THREAD-UPDATE} \\ \hline (\ell,\nu_o,t,V_o) \in M & V(\ell) \leq t & \neg \exists \nu_x, V_x. \ (\ell,\nu_x,t+1,V_x) \in M & V' = V[\ell \mapsto t+1] \sqcup V_o \\ \hline (M,V) \xrightarrow{\langle \text{Update},\ell,\nu_o,\nu_n \rangle} & (M \cup \{(\ell,\nu_n,t+1,V')\},V') \end{array} \end{array} \end{array} \end{array}$$

Data-race-freedom reduction (drf\_red)

 $(\mathit{M},\mathit{N}) \xrightarrow{\varepsilon}^{V} (\mathit{M}',\mathit{N}')$ 

 $\texttt{alloc\_red}(M,V,\varepsilon)$ 

$$\frac{\frac{\text{DRF-WRITE-NA}}{N(\ell) \leq V(\ell)} \quad \forall \nu', t', V'. \ (\ell, \nu', t', V') \in M' \Rightarrow t' \leq t}{(M, N) \xrightarrow{\langle \text{Write}_{na}, \ell, \nu \rangle} V} (M', N[\ell \mapsto t])$$

#### Allocation reduction

Alloc-Read initialized $(M, \ell, V(\ell))$   $v \in \mathbb{Z}$  $\texttt{alloc\_red}(M, V, \langle \operatorname{Read}_{\alpha}, \ell, v \rangle)$ 

Alloc-Write allocated $(M, \ell, V(\ell))$   $v \in \mathbb{Z}$  $\overline{\texttt{alloc\_red}(M, V, \langle \text{Write}_{\alpha}, \ell, v \rangle)}$ 

$$\begin{array}{l} \text{ALLOC-UPDATE} \\ \text{initialized}(M, \ell, V(\ell)) & v_o, v_n \in \mathbb{Z} \\ \hline \\ \hline \\ \textbf{alloc_red}(M, V, \langle \text{Update}, \ell, v_o, v_n \rangle) \end{array}$$

 $\frac{\substack{\ell \text{ is fresh in } M}{\texttt{alloc_red}(M, V, \langle \text{Write}_{na}, \ell, A \rangle)} } \qquad \qquad \begin{array}{c} \text{Alloc-Dealloc} \\ \begin{array}{c} \text{allocated}(M, \ell, V(\ell)) \\ \texttt{alloc_red}(M, V, \langle \text{Write}_{na}, \ell, D \rangle) \end{array}$ 

### Per-thread machine reduction (machine\_red)

Machine-Fork  $\frac{\rho \notin \operatorname{dom}(T)}{(M, T, N) \xrightarrow{\langle \operatorname{Fork}, \rho \rangle}{\pi} (M, T[\rho \mapsto T(\pi)], N)}$ 

 $(M, T, N) \xrightarrow{\varepsilon}^{\pi} (M', T', N')$ Machine-Thread  $\varepsilon \neq \langle \text{Fork} \rangle$  $(M \ T(\pi)) \xrightarrow{\varepsilon} (M' \ V')$ 

$$\frac{(M, N) \stackrel{\varepsilon}{\to} T(\pi) (M', N')}{(M, T, N) \stackrel{\varepsilon}{\to} \pi (M', T(\pi)) \stackrel{\varphi}{\to} (M, V)} \frac{(M, V)}{(M, T, N) \stackrel{\varepsilon}{\to} \pi (M', T[\pi \mapsto V'], N')}$$

Figure 2: Per-thread reductions for the RA+NA machine (lang/machine.v).

it cannot make a step. The bad states are only used in the correspondence proof between the axiomatic and operational semantics.

Another difference is that, in the Coq development, the per-thread reduction is factored into 3 smaller component reductions: the *basic thread* reduction, the *data-race-freedom* reduction, and the *allocation* reduction.

Basic thread reduction The basic thread reduction maintains the following:

- THREAD-READ: a read of a location  $\ell$  always reads from a message in the memory M that is *mo*-later than the thread's view V for the location, and update the thread's view with the view of the message.
- THREAD-WRITE: a write of  $\ell$  always picks an unused timestamp t that is greater from the thread's view V, and updates the thread's view with t.
- THREAD-UPDATE: an update combines a read and a write, with the write being adjacent to the read by picking the new timestamp to be t + 1.

**Data-race-freedom reduction** The data-race-freedom reduction (DRF-Non-NA and DRF-WRITE-NA) maintains that, to perform any access to a location  $\ell$ , the thread's view V have observed the most recent non-atomic write to  $\ell$ , *i.e.*,  $N(\ell) \leq V(\ell)$ . Moreover, if it is a non-atomic read, then the thread's view must have observed the latest write. If it is a non-atomic write, then the write must pick a timestamp greater than all existing timestamps of messages of the same location, and update the non-atomic view. Intuitively, these restrictions enforce that each non-atomic write to  $\ell$  starts a new "era" in  $\ell$ 's timestamps, after which any attempt to access writes from a previous era (or to write with a timestamp from a previous era) constitutes a race.

**Allocation reduction** The allocation reduction maintains the following:

- an allocation is a non-atomic write to a fresh location (ALLOC-ALLOC), while a deallocation is a non-atomic write that is only applicable for allocated locations (ALLOC-DEALLOC).
- a normal-value write only requires that the thread's view V has observed the location to be allocated (Alloc-WRITE), while a normal-value read or update also requires the thread's view to have observed that the location is initialized (Alloc-READ and Alloc-UPDATE). Note that alloc\_red restricts that reads, updates and atomic writes can only work with normal values ( $v \in \mathbb{Z}$ ).

**Per-thread machine reduction** The per-thread machine reduction combines all the 3 reductions for the non-fork case (MACHINE-THREAD), and simply adds a new thread with the same view as the parent thread in the fork case (MACHINE-FORK).

## **2.2 The** $\lambda_{\rm RN}$ language

We now define the expressions and expression reduction for  $\lambda_{\rm RN}$ . Then we will define the combined reduction reduction for the language.

 $\lambda_{\rm RN}$  is a standard lambda calculus with recursive functions, forks, and first-order references with atomic and non-atomic accesses:

$$v \in \operatorname{Val} \triangleq | () | z \in \mathbb{Z} | \ell \in \operatorname{Loc} | \operatorname{fix} (f, x). e$$

$$e \in \operatorname{Expr} \triangleq | v | e e | \operatorname{if} e \operatorname{then} e \operatorname{else} e | \operatorname{fork} e$$

$$| e_{[\alpha]} | e_{[\alpha]} := e | \operatorname{cas}(e, e, e) | \operatorname{fai}(e, n)$$

$$| \operatorname{alloc} | \operatorname{free} e$$

$$| (\operatorname{int}) e | (\operatorname{loc}) e | - e | \neg e$$

$$| e + e | e - e | e \operatorname{mod} e$$

$$| e \leq e | e \leq e | e = e$$

In addition to standard expressions, we also have casting operations (**loc**) and (**int**), to cast positive integers to locations and vice versa, since only integers can be stored in the machine state. The fetch-and-increment primitive  $fai(\ell, n)$ , which is needed to model fixed width integer types<sup>1</sup>, updates the value z of  $\ell$  to  $z + 1 \mod n$ , where n is the maximum unsigned value of such a type. Boolean values are mapped by the common way to integer values *i.e.*, non-zeros for True and zero for False. We also support additions between locations and integers—see bin\_op\_eval in lang/lang.v for more details.

The expression reduction relation is given in Figure 3. The reduction is split into a non-stateful reduction  $(e \rightarrow e')$ , which does not change the physical machine state, and a stateful reduction  $(e \xrightarrow{\varepsilon} e', \overline{(e_f, \pi_f)})$ , which does change the state, and thus is labeled with an event  $\varepsilon$  that represents the change. The stateful reduction also has an extra component  $\overline{(e_f, \pi_f)}$ , which is a list of newly forked threads. This list is only populated by a **fork** expression.

The expression reduction and the machine reduction are then combined into the *head reduction*, given by the COMBINED-\* rules in Figure 3. The head reduction couples the machine state  $\sigma$  with the executing thread id  $\pi$  and its expression e. Non-stateful reduction (COMBINED-PURE) simply defers to the expression reduction and maintains the state. Stateful reduction (COMBINED-MEM) binds together the expression and machine reduction using the memory event  $\varepsilon$ .

The head reduction is then lifted to evaluation contexts in a standard way<sup>2</sup>, reflected in EvalCTX-THREAD in Figure 4. Finally, Iris<sup>3</sup> helps us lift all of these reductions to the full thread-pool reduction (THREADPOOL-RED-NO-FORK and THREADPOOL-RED-FORK), where threadpools are finite partial functions from thread ids to expressions:  $\mathcal{TS} \in \text{ThreadId} \stackrel{\text{fin}}{\rightarrow} \text{Expr.}$  This concludes the presentation of the  $\lambda_{\text{RN}}$  language.

<sup>&</sup>lt;sup>1</sup>see the bounded ticket lock example.

 $<sup>^2 {\</sup>rm Iris}$  supports this style, see <code>iris.program\_logic.ectx\_language.prim\_step</code>. We skip the standard definition of evaluation contexts here.

 $<sup>^3\</sup>mathrm{Also}$  see <code>iris.program\_logic.language.step</code>.

Non-stateful expression reduction (base.head\_step)

| $(\mathbf{fix}\ (f, x).\ e)\ v$ | $\rightarrow$ | $e[(fix\ (f, x).\ e)/f][v/x]$ |                                                |
|---------------------------------|---------------|-------------------------------|------------------------------------------------|
| if $z$ then $e_1$ else $e_2$    | $\rightarrow$ | $e_1$                         | if $z \neq 0$                                  |
| if $z$ then $e_1$ else $e_2$    | $\rightarrow$ | $e_2$                         | if $z = 0$                                     |
| $(int)\ \ell$                   | $\rightarrow$ | z                             | where z is $\ell$ as $\mathbb{Z}$              |
| $(\mathbf{loc}) \ z$            | $\rightarrow$ | $\ell$                        | if $z \in \text{Loc}$ and $\ell$ is $z$ as Loc |
|                                 |               |                               |                                                |

Stateful expression reduction (ra\_lang.step)

| $\ell_{[\alpha]}$              | $\xrightarrow{\langle \operatorname{Read}_{\alpha}, \ell, z \rangle}$             | z,nil             |                                                                        |
|--------------------------------|-----------------------------------------------------------------------------------|-------------------|------------------------------------------------------------------------|
| $\ell_{[lpha]} := z$           | $\xrightarrow{\langle \operatorname{Write}_{\alpha}, \ell, z \rangle}$            | (), nil           |                                                                        |
| $cas(\ell, z_o, z_n)$          | $\xrightarrow{ \langle \text{Update}, \ell, z_o, z_n \rangle}$                    | 1, nil            |                                                                        |
| $cas(\ell, z_o, z_n)$          | $\xrightarrow{\langle \operatorname{Read}_{\operatorname{at}}, \ell, z \rangle}$  | 0, nil            | if update fails                                                        |
| ${\operatorname{fai}}(\ell,n)$ | $\xrightarrow{\langle \mathrm{Update}, \ell, z, z+1 \bmod n \rangle}$             | z, nil            |                                                                        |
| fork $e$                       | $\xrightarrow{\langle \mathrm{Fork}, \rho \rangle}$                               | $(), [(e, \rho)]$ |                                                                        |
| alloc                          | $\xrightarrow{\langle \operatorname{Write}_{\operatorname{na}}, \ell, A \rangle}$ | $\ell,nil$        |                                                                        |
| free $\ell$                    | $\xrightarrow{\langle \mathrm{Write}_{\mathrm{na}}, \ell, D \rangle}$             | (), nil           |                                                                        |
| ead reduction (ra              | a_lang.head_step)                                                                 |                   | $\sigma; (e, \pi) \to_{h} \sigma'; (e', \pi), \overline{(e_f, \pi_f)}$ |
|                                |                                                                                   |                   |                                                                        |

Combined head reduction (ra\_lang.head\_step)

| Combined-Pure $e \rightarrow e'$                      | $\underbrace{\begin{array}{l}\text{COMBINED-MEM}\\ e \xrightarrow{\varepsilon} e', \overline{(e_f, \pi_f)} \\ \end{array} \sigma \xrightarrow{\varepsilon} \pi \sigma'$ |
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\overline{\sigma;(e,\pi)\to_{h}\sigma;(e',\pi),nil}$ | $\overline{\sigma;(e,\pi)\to_{h}\sigma';(e',\pi),\overline{(e_f,\pi_f)}}$                                                                                               |

Figure 3:  $\lambda_{\rm RN}$  reduc

Thread-local reduction with evaluation contexts

 $\boxed{\sigma;(e,\pi)\rightarrow_{\mathsf{t}}\sigma';(e',\pi),\overline{(e_f,\pi_f)}}$ 

$$\frac{\sigma; (e, \pi) \to_{\mathsf{h}} \sigma'; (e', \pi), \overline{(e_f, \pi_f)}}{\sigma; (K[e], \pi) \to_{\mathsf{t}} \sigma'; (K[e'], \pi), \overline{(e_f, \pi_f)}}$$

### **Threadpool reduction**

 $\frac{\sigma_{;}(\mathcal{TS}(\pi),\pi) \rightarrow_{\mathbf{t}} \sigma';(e',\pi),\mathsf{nil}}{\sigma_{;}\mathcal{TS} \rightarrow_{\mathbf{tp}} \sigma';\mathcal{TS}[\pi \mapsto e']} \qquad \qquad \frac{\sigma_{;}(\mathcal{TS}(\pi),\pi) \rightarrow_{\mathbf{t}} \sigma';(e',\pi),[(e_{f},\pi_{f})]}{\sigma_{;}\mathcal{TS} \rightarrow_{\mathbf{tp}} \sigma';\mathcal{TS}[\pi \mapsto e'] \uplus [\pi_{f} \mapsto e_{f}]}$ 



 $\sigma; \mathcal{TS} \to_{\mathsf{tp}} \sigma'; \mathcal{TS}'$ 



 $e \xrightarrow{\varepsilon} e', \overline{(e_f, \pi_f)}$ 

$$(e,\pi) \rightarrow_{\mathsf{h}} \sigma'; (e',\pi), \overline{(e_f,\pi_f)}$$

## 3 Instantiating Iris: the base logic

The key pattern one repeatedly runs into in Iris is called *fictional separation*. Its idea was explained in the paper [1], but the term "fictional separation" was not mentioned, and its ubiquitous application also was not appreciated properly there. In the paper, we presented the case where one should get a physical state assertion  $Phys(\sigma)$  after instantiating Iris with some language, and one would want to split this ownership into local assertions. To do this, one simply creates a ghost copy of that ownership, and splits the ghost copy. That is, one does not achieve separation directly on some resource r, but *fictionally* and indirectly through a splittable ghost copy of r.

We only showed how the pattern worked for a sequentially consistent language  $\lambda_{SC}$  and the  $\lambda_{RN}$  language in the paper. But the pattern is more applicative than that: we also use fictional separation of the history assertion  $\text{Hist}(\ell, h)$  to create fractional non-atomics, fractional iRSL assertions or fractional iGPS protocols. Therefore it might be helpful to summarize the pattern here in Figure 5. The pattern's specific instance for fractional assertions was implemented in the *fractor* (see §5.2). We would need to ask the reader to refer to the paper [1] for a short, intuitive explanation of the authoritative PCM AUTH, or the original Iris paper [2] for more technical details.

We can now explain the application of this pattern for the base logic of  $\lambda_{\rm RN}$ . However, let us first look at the interface of the base logic, which mainly concerns with views.

## 3.1 The logic of views

## 3.2 Model

## To fictionally separate a monolithic, non-splittable resource r:

- 1. Make a splittable ghost copy of r, by designing a PCM  $\mathcal{M}$  with the right separation structure *i.e.*, an appropriate monoid composition.
- 2. Keep the copy in sync with the original resource r, by using the AUTH construction on  $\mathcal{M}$  and then an invariant I to tie the authoritative part  $\bullet r$  with r.
- 3. Derive rules to update the splittable non-authoritative parts  $\circ$  in conjunction with  $\bullet r$ .
- 4. Use the non-authoritative parts  $\circ$  in conjunction with the invariant I to build local assertions.

Figure 5: The pattern of fictional separation in Iris.

BASE-NA Base-NA-Mono BASE-NA-PERSISTENT  $\max(h).\text{view} \sqsubseteq V \dashv \vdash \operatorname{na}(h, V) \qquad V \sqsubseteq V' \vdash \operatorname{na}(h, V) \Rightarrow \operatorname{na}(h, V')$  $\operatorname{na}(h, V) \vdash \Box \operatorname{na}(h, V)$ BASE-INIT Base-Init-Mono  $\exists (v, V_0) \in h. \ v \in \mathbb{Z} \land V_0 \sqsubseteq V \dashv \operatorname{init}(h, V)$  $V \sqsubseteq V' \vdash \operatorname{init}(h, V) \Rightarrow \operatorname{init}(h, V')$ BASE-INIT-PERSISTENT BASE-ALLOC  $\exists (v, V_0) \in h. \ v \neq D \land V \sqsubseteq V \dashv \vdash \operatorname{alloc}(h, V)$  $\operatorname{init}(h, V) \vdash \Box \operatorname{init}(h, V)$ Base-Alloc-Mono BASE-ALLOC-PERSISTENT BASE-INIT-ALLOC  $V \sqsubseteq V' \vdash \operatorname{alloc}(h, V) \Rightarrow \operatorname{alloc}(h, V')$  $\operatorname{alloc}(h, V) \vdash \Box \operatorname{alloc}(h, V)$  $\operatorname{init}(h, V) \vdash \operatorname{alloc}(h, V)$ BASE-SEEN-EXCL BASE-HIST-EXCL  $\operatorname{Seen}(\pi, V) * \operatorname{Seen}(\pi, V') \vdash \mathsf{False}$  $\operatorname{Hist}(\ell, h) * \operatorname{Hist}(\ell, h') \vdash \mathsf{False}$ Base-Info-Excl  $\operatorname{Info}^{1}(\ell, n) * \operatorname{Info}^{1}(\ell, n') \vdash \mathsf{False}$ BASE-HIST-TIMESTAMP-DISJOINT  $\texttt{PSCtx} \vdash \texttt{Hist}(\ell,h) \Rrightarrow_{\mathcal{N}_{\mathsf{phys}}} \Box \forall (v_1,V_1) \in h, (v_2,V_2) \in h. \ V_1(\ell) = V_2(\ell) \Rightarrow (v_1,V_1) = (v_2,V_2)$ 

 $\begin{array}{l} \text{Base-Info-Frac} \\ \hline q_1, q_2, q_1 + q_2 \in (0, 1] \\ \hline \text{Info}^{q_1}(\ell, n) * \text{Info}^{q_2}(\ell, n) \Leftrightarrow \text{Info}^{q_1 + q_2}(\ell, n) \end{array} \qquad \begin{array}{l} \text{Base-Info-Agree} \\ \text{Info}^{q_1}(\ell, n) * \text{Info}^{q_2}(\ell, n') \Rightarrow n = n' \end{array}$ 

Figure 6: Properties of the base logic assertions.

# 4 View-monotone predicates

# 5 Persistor and Fractor

- 5.1 Persistor
- 5.2 Fractor

# 6 Non-Atomics

- 6.1 Proof rules
- 6.2 Model

# 7 iRSL

- 7.1 Proof rules
- 7.2 Model for atomic reads and writes
- 7.3 Adding CAS

# 8 iGPS

## 8.1 Proof rules

- 8.1.1 Plain protocols
- 8.1.2 Single-Writer protocols
- 8.1.3 Fractional protocols
- 8.1.4 Fractional Single-Writer protocols with life cycles
- 8.1.5 Exchanges and Escrows
- 8.2 Proof setup
- 8.3 Raw protocols
- 8.4 Plain protocols
- 8.5 Single-Writer protocols
- 8.6 Fractional protocols
- 8.7 Fractional Single-Writer protocols with life cycles
- 8.8 Exchanges and Escrows

# 9 Examples

- 9.1 Message passing in the base logic
- 9.2 Message passing in iGPS
- 9.3 Spin lock
- 9.4 Treiber stack
- 9.5 Circular buffer
- 9.6 Michael-Scott queue
- 9.7 Bounded ticket lock
- 9.8 Read-Copy-Update

## References

- [1] The original paper and the Coq development are available at the following URL: http: //plv.mpi-sws.org/igps/.
- [2] R. Jung, D. Swasey, F. Sieczkowski, K. Svendsen, A. Turon, L. Birkedal, and D. Dreyer. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. In *POPL*, pages 637–650, 2015.