Mover Logic: A Concurrent Program Logic for Reduction and Rely-Guarantee Reasoning (Extended Version)

TL;DR

Mover logic enhances rely-guarantee reasoning for multithreaded programs by introducing atomic functions, enabling more reusable specifications and providing a formal foundation for modular verification of concurrent software.

Contribution

It extends rely-guarantee logic with atomic functions, allowing for more general specifications and formalizing reduction principles in a declarative logic framework.

Findings

Atomic functions enable reusable specifications in concurrent verification.

Mover logic formalizes reduction techniques for concurrent program reasoning.

Practical verifiers benefit from the modularity introduced by atomic functions.

Abstract

Rely-guarantee (RG) logic uses thread interference specifications (relies and guarantees) to reason about the correctness of multithreaded software. Unfortunately, RG logic requires each function postcondition to be "stabilized" or specialized to the behavior of other threads, making it difficult to write function specifications that are reusable at multiple call sites. This paper presents mover logic, which extends RG logic to address this problem via the notion of atomic functions. Atomic functions behave as if they execute serially without interference from concurrent threads, and so they can be assigned more general and reusable specifications that avoid the stabilization requirement of RG logic. Several practical verifiers (Calvin-R, QED, CIVL, Armada, Anchor, etc.) have demonstrated the modularity benefits of atomic function specifications. However, the complexity of these systems and their correctness proofs makes it challenging to understand and extend these systems. Mover logic formalizes the central ideas of reduction in a declarative program logic that provides a foundation for future work in this area.