Proof of Meta Theory C - Verifying Non-blocking Data Structures with Manual Memory Management

We give the proofs for the meta theory from Appendix B.

C.1 Compositionality

Proof C.1(Lemma B.28).By definition of≤_•andO_EBR. Proof C.2(Lemma B.29).By definition of≤_•andO_HP^𝑘 . Proof C.3(Lemma B.30).By definition of≤_•andO_HP⁰^,¹. Proof C.4(Proposition 5.3).Consider someℎ∈S((𝑙₁, 𝜑)). We show thatℎ∈S((𝑙₂, 𝜑))holds.

To that end, we proceed by induction over the length ofℎ. In the base case, we haveℎ=𝜖. Then, location𝑙₁is not accepting by definition. By the simulation relation,𝑙₂is not accepting as well.

Hence,ℎ∈S((𝑙₂, 𝜑))follows as required. For the induction step, consider𝑓(𝑣).ℎ∈S((𝑙₁, 𝜑)).

By Assumption 5.2, there are steps(𝑙₁, 𝜑)−−−→

𝑓(𝑣)

(𝑙₁^′, 𝜑)and(𝑙₂, 𝜑)−−−→

𝑓(𝑣)

(𝑙₂^′, 𝜑). The former step is due to a transition𝑙₁−−−−→

𝑓(𝑟), 𝑔

𝑙₁^′ such that𝜑(𝑔[𝑟 ↦𝑣])evaluates to^true. Similarly, the latter step is due to a transition𝑙₂−−−−→

𝑓(𝑟), 𝑔

𝑙₂^′ such that𝜑(𝑔^′[𝑟↦𝑣])evaluates to^true. This means𝜑is a model for𝑔and𝑔^′. That is,𝑔∧𝑔^′is satisfiable. Then,𝑙₁ ≤_O 𝑙₂yields𝑙₁^′ ≤_O 𝑙^′₂. Note that we haveℎ∈S((𝑙₁^′, 𝜑))by definition. By induction, we getℎ∈S((𝑙₂^′, 𝜑)). Because SMR automata are deterministic by Assumption 5.2, we conclude𝑓(𝑣).ℎ∈S((𝑙₂, 𝜑))as required.

Proof C.5(Theorem A.2).We proceed by induction over the structure of𝜏. In the base case, we have the empty computation𝜏 =𝜖. Then, the claim follows by definition for𝜎 =𝜖. For the induction step, consider𝜏 ∈⟦P(R)⟧^Adr_Adrand the following step in the standard semantics:

(pc₁◦pc₃, 𝜏)⇢⇢_Q,𝑡 (pc^′₁◦pc^′₃, 𝜏 .act) with pc₁◦pc₃∈ctrl(𝜏). (1) By definition,𝜏 .act∈⟦P(R)⟧^Adr_Adr. Assume we already constructed for𝜏 some𝜎 ∈⟦𝑀𝐺𝐶(R)⟧^Adr_Adr with the desired properties. That is, there ispc₂withpc₂◦pc₃∈ctrl(𝜎). Furthermore, we have the following:𝑚^R_𝜏 = 𝑚^R_𝜎,𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVar,H(𝜏)= H(𝜎),fresh𝜏 ⊆ fresh𝜎,freed𝜏 ⊆ freed𝜎,

Section C.1 Compositionality 171

andused(𝜏)⊆used(𝜎). We construct a computation𝜎^′∈⟦𝑀𝐺𝐶(R)⟧^Adr_Adr that mimics𝜏 .act. To that end, we show that there is a program step of the form:

(pc₂◦pc₃, 𝜎)⇢⇢^∗(pc^′₂◦pc^′₃, 𝜎^′) (2) with the following:𝑚_{𝜏 .}^R_act =𝑚^R

𝜎′,𝑚_{𝜏 .}_act↓_IVar =𝑚_𝜎′↓_IVar,fresh𝜏 .act ⊆fresh𝜎^′,freed𝜏 .act ⊆freed𝜎^′, andused(𝜏 .act)⊆used(𝜎^′), as well asH(𝜏 .act)=H(𝜎^′). Letact=⟨𝑡 ,com,up⟩.

⋄ Case 1: Q=R

Step (1) is due to Rule (sos-std-par) followed by Rule (sos-std-smr). By definition, we havepc^′₁ =pc₁. Letstmt₃ =pc₃(𝑡). Then,pc^′₃ =pc₃[𝑡 ↦stmt^′₃]withstmt₃ −−^com⇀stmt^′₃. By definition of Rule (sos-std-par), we the step(stmt₂◦stmt₃, 𝜎)⇢⇢_R,𝑡 (stmt₂◦stmt^′₃, 𝜎 .act) satisfies (2), provided we haveact∈Act(𝜎 , 𝑡 ,com). We show thatact∈Act(𝜎 , 𝑡 ,com)holds and that𝜎^′=𝜎 .actsatisfies the required properties. To do this, we rely on the following:

∀exp. comcontainsexp ⟹ exp∈IVar∪Var^R∪Sel^R (3)

∀exp. comassigns toexp ⟹ exp∈Var^R∪Sel^R (4)

∀exp. exp∈IVar∪Var^R∪Sel^R ⟹ 𝑚_𝜏(exp)=𝑚_𝜎(exp) (5) Implications (3) and (4) follow from𝜏 .actbeing free from separation violations. The remaining implication (5) is due toexp∈dom(𝑚_𝜏↓_IVar)∪dom(𝑚_𝜏^R)by definition together with both 𝑚_𝜏^R=𝑚^R_𝜎and𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVarby induction. Now, we do a case distinction overcom.

⋄ Case 1.1: com∈{ⁱⁿ∶func(𝑟), _re∶func, _env(𝑎) }

By definition of Rule (sos-std-smr), the case does apply.

⋄ Case 1.2: com∈{beginAtomic, _endAtomic,com≡skip}

By definition,act∈Act(𝜎 , 𝑡 ,com)as required. We conclude by induction:

𝑚^R_{𝜏 .}_act=𝑚_𝜏^R=𝑚^R_𝜎=𝑚^R_{𝜎 .}_act

𝑚_{𝜏 .}_act↓_IVar =𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVar =𝑚_{𝜎 .}_act↓_IVar fresh𝜏 .act=fresh𝜏 ⊆fresh𝜎 =fresh𝜎 .act

freed𝜏 .act=freed𝜏 ⊆freed𝜎=freed𝜎 .act

used(𝜏 .act)=used(𝜏)⊆used(𝜎)=used(𝜎 .act) H(𝜏 .act)=H(𝜏)=H(𝜎)=H(𝜎 .act)

⋄ Case 1.3: com≡exp∶=exp^′

First, we showact∈Act(𝜎 , 𝑡 ,com). To that end, we show that the updateupis an appro-priate update forcomafter𝜎. Ifexp∈Var, then the update isup=[exp↦𝑚_𝜏(exp^′)].

From (5), we obtain𝑚_𝜏(exp^′)=𝑚_𝜎(exp^′). That is,upis appropriate. Otherwise, we have

172 ^{Appendix C} Proof of Meta Theory

exp ∉Var. This meansexp∈ Sel^R by (3). Soexpmust be of the formexp≡𝑝 ._sel. Let 𝑎=𝑚_𝜏(𝑝). The update isup= [𝑎 ._sel↦𝑚_𝜏(exp^′)]. From (5), we get𝑚_𝜎(𝑝)=𝑎and 𝑚_𝜏(exp^′)=𝑚_𝜎(exp^′). Again,upis appropriate. Altogether,act∈Act(𝜎 , 𝑡 ,com).

Observe that (4) yieldsexp∈Var^R∪Sel^R. We have𝑚_𝜏(exp^′)=𝑚_𝜎(exp^′)=𝑏for some address𝑏, as argued above. So we get:

𝑚_{𝜏 .}_act↓_IVar =𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVar =𝑚_{𝜎 .}_act↓_IVar 𝑚_{𝜏 .}^R_act =𝑚^R_𝜏[up]=𝑚^R_𝜎[up]=𝑚^R_{𝜎 .}_act

The remaining properties follow by definition and induction as before.

⋄ Case 1.4: com≡assumecond

Letexpbe an expression incond. Similarly to the previous cases,𝑚_𝜏(exp)=𝑚_𝜎(exp) follows (3) and (5). Soact∈Act(𝜎 , 𝑡 ,com)follows becausecondhas the same truth value after𝜏 and𝜎. The remaining properties follow immediately sinceactdoes not modify the memory nor affects the fresh/free addresses.

⋄ Case 1.5: com≡𝑝∶=malloc

Let𝑎=𝑚_{𝜏 .}_act(𝑝)be the allocated address. We have𝑎 ∈fresh𝜏 ∪freed𝜏. By induction, we get𝑎∈fresh𝜎∪freed𝜎. This yieldsact∈Act(𝜎 , 𝑡 ,com). Moreover, we get:

fresh𝜏 .act =fresh𝜏 \ {𝑎}⊆fresh𝜎\ {𝑎}=fresh𝜎 .act

freed𝜏 .act=freed𝜏 \ {𝑎}⊆freed𝜎\ {𝑎}=freed𝜎 .act

H(𝜏 .act)=H(𝜏)=H(𝜎)=H(𝜎 .act)

We turn to the remaining properties. We haveup=[𝑝↦𝑎, 𝑎 ._next↦seg, 𝑎 ._data↦𝑑] for some𝑑. Observe that𝑝∈Var^Rholds by (4). SinceVar^R∩IVar =∅, we get:

𝑚_{𝜏 .}_act↓_IVar =𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVar =𝑚_{𝜎 .}_act↓_IVar used(𝜏 .act)=used(𝜏)⊆used(𝜎)=used(𝜎 .act)

For𝑝we have𝑚_{𝜏 .}^R_act(𝑝)=𝑎=𝑚^R_{𝜎 .}_act(𝑝). For𝑎 ._nextwe have:

𝑚^R_{𝜏 .}_act(𝑎 ._next)=seg=𝑚^R_{𝜎 .}_act(𝑎 ._next) if^next∈Sel^R 𝑚_{𝜏 .}^R_act(𝑎 ._next)=⊥=𝑚^R_{𝜎 .}_act𝑎 ._next otherwise.

Similarly, we obtain𝑚^R_{𝜏 .}_act(𝑎 ._data) =𝑚^R_{𝜎 .}_act(𝑎 ._data). Altogether, this establishes the desired𝑚^R_{𝜏 .}_act=𝑚^R_{𝜎 .}_actasupdoes not modify expressions besides𝑝,𝑎 ._next, and𝑎 ._data.

Section C.1 Compositionality 173

⋄ Case 1.6: com≡free(𝑝)

We haveact∈Act(𝜎 , 𝑡 ,com)by definition. Let𝑚_𝜏(𝑝)=𝑎. As before,𝑚_𝜏(𝑝)=𝑚_𝜎(𝑝) follows from (3) and (5). Hence, we conclude as follows:

fresh𝜏 .act=fresh𝜏\ {𝑎}⊆fresh𝜎\ {𝑎}=fresh𝜎 .act

freed𝜏 .act=freed𝜏 ∪{𝑎}⊆freed𝜎∪{𝑎}=freed𝜎 .act

H(𝜏 .act)=H(𝜏)._free(𝑎)=H(𝜎)._free(𝑎)=H(𝜎 .act) used(𝜏 .act)=used(𝜏)⊆used(𝜎)=used(𝜎 .act)

𝑚_{𝜏 .}_act↓_IVar =𝑚_𝜏↓_IVar =𝑚_𝜎↓_IVar =𝑚_{𝜎 .}_act↓_IVar 𝑚^R_{𝜏 .}_act=𝑚_𝜏^R=𝑚^R_𝜎=𝑚^R_{𝜎 .}_act

where the last two equalities are due toup=∅.

⋄ Case 2: Q=Pandcom≡/ env(𝑎)

Step (1) is due to Rule (sos-std-par). Letstmt1=pc₁(𝑡)andstmt3=pc₃(𝑡). By definition, pc^′₁ =pc₁[𝑡 ↦stmt^′₁]andpc^′₃=pc₃[𝑡 ↦stmt^′₃]withstmt₁◦stmt₃−−^com⇀stmt^′₁◦stmt^′₃.

⋄ Case 2.1: com≡in∶func(𝑟)

Step (1) involves Rule (sos-std-call):stmt3≡skipandstmt^′₃≡R.func;^awaitfunc.

Assume for a moment we havestmt₂ −−^com⇀ stmt^′₂ andact ∈ Act(𝜎 , 𝑡 ,com). Then, we satisfies (2) by step(pc₂◦pc₃, 𝜎)⇢⇢_R,𝑡 (pc^′₂◦pc^′₃, 𝜎 .act)due to Rule (sos-std-call) combined with Rule (sos-std-par). Now, we show thatactis enabled after𝜎. By assumption,𝑟_𝑖 ∈IVar. By induction,^seg≠𝑚_𝜏(𝑟_𝑖)=𝑚_𝜎(𝑟_𝑖). So,𝜎 .act∈O⟦P⟧^Adr_Adrby the assumptions on the𝑀𝐺𝐶. This means we satisfy (2) because the stepstmt₂−−^com⇀stmt^′₂ exists andact∈Act(𝜎 , 𝑡 ,com)holds. We turn to the remaining properties and establish that𝜎^′=𝜎 .actis an adequate choice. Letevtbe an event such thatH(𝜏 .act)=H(𝜏).evt.

Since we have established𝑚_𝜏(𝑟_𝑖)=𝑚_𝜎(𝑟_𝑖)already, we getH(𝜎 .act)= H(𝜎).evt. By induction,H(𝜏 .act)=H(𝜎 .act). The remaining properties follow by definition together with induction as before sinceactdoes not affect the memory nor the fresh/freed/used addresses.

⋄ Case 2.2: com≡re∶func

The step is due to Rule (sos-std-return): stmt₃ ≡ awaitfunc andstmt₃ ≡ skip. We show that𝜎^′ = 𝜎 .act is an appropriate choice. We get𝜎 .act ∈ O⟦P⟧^Adr_Adr by the assumptions on the𝑀𝐺𝐶. We find a step(pc₂◦pc₃, 𝜎) ⇢⇢_R,𝑡 (pc^′₂◦pc^′₃, 𝜎 .act)that satisfies (2), as in the previous case. Further, we get:

H(𝜏 .act)=H(𝜏)._re∶func(𝑡)=H(𝜎)._re∶func(𝑡)=H(𝜎 .act)

and conclude the remaining properties by definition together with induction as before.

174 ^{Appendix C} Proof of Meta Theory

⋄ Case 2.3: otherwise

The step is due to Rule (sos-std-ds). By definition,stmt3 ≡stmt3. Observe that we satisfy (2) with𝜎^′=𝜎and𝜎^′=𝜎 .act^′for anyact^′∈Act(𝜎 , 𝑡 ,com). Depending oncom, we decide whether or not to append an action and show the remaining properties.

⋄ Case 2.3.1: com≡𝑝∶=mallocand𝑝 ∉IVar

Next, observe that𝑝∈Var^Psince𝜏 .actis free from separation violations. Hence, we obtain: for all selectors^sel∈Sel^Rsince𝑝∉IVar (the selectors of all other addresses remain unchanged). This follows from the fact thatupandup^′agree on the updates they perform on selectors. Formally, we have𝑚_{𝜏 .}^R_act(𝑎 ._sel)=𝑣 =𝑚^R

𝜎 .act^′(𝑎 ._sel)where we use𝑣 =𝑎if^sel=nextand𝑣 =𝑑if^sel=data.

⋄ Case 2.3.2: com≡𝑝∶=mallocand𝑝 ∈IVar

Follows analogously to the previous case. Here, we can simply choose𝜎^′=𝜎 .actand observe that𝑚_{𝜏 .}^R_act(𝑝)=𝑚^R

and conclude the remaining properties by definition and induction as before.

⋄ Case 2.3.4: com≡exp∶=exp^′withexp∉IVar

We show that𝜎^′=𝜎satisfies the desired properties. We get (2) forpc^′₂=pc₂. Next, we show𝑚^R_{𝜏 .}_act =𝑚^R_𝜎. To do so, it is sufficient to show𝑚^R_{𝜏 .}_act =𝑚^R_𝜏 since𝑚^R_𝜏 =𝑚^R_𝜎 holds by induction. To the contrary, assume𝑚^R_{𝜏 .}_act ≠𝑚^R_𝜏. Note that, by definition, we havedom(𝑚_𝜏^R)=dom(𝑚^R_{𝜏 .}_act). Consider𝑝 ∈dom(𝑚_𝜏^R). Because𝜏 .actis free from separation violations, we haveexp ≡/ 𝑝. Hence,𝑚^R_{𝜏 .}_act(𝑝) =𝑚_𝜏^R(𝑝)holds. That is, there must be𝑎 ._sel∈ dom(𝑚^R_𝜏)such that𝑚^R_{𝜏 .}_act(𝑎 ._sel) ≠𝑚^R_𝜏(𝑎 ._sel). Hence, we haveexp≡𝑞 ._selwith𝑚_𝜏(𝑞)=𝑎. Observe that𝑎 ._sel∈dom(𝑚_𝜏^R)means^sel∈Sel^R. So,actis a separation violation. This contradicts the assumptions and thus concludes the desired𝑚_{𝜏 .}^R_act =𝑚^R_𝜏. The remaining properties follow by definition together with induction.

⋄ Case 2.3.5: com∈{^assumecond, beginAtomic, _endAtomic,_skip}

We can choose𝜎^′=𝜎 and immediately obtain the desired properties by induction.

⋄ Case 3: Q=Pandcom≡env(𝑎)

Step (1) is due to Rule (sos-std-env). We havepc^′₁ ≡pc₁andpc^′₃ ≡ pc₃and𝑡 =⊥. By definition,𝑎∈fresh𝜏 ∪freed𝜏. By induction,𝑎∈fresh𝜎∪freed𝜎. So,act∈Act(𝜎 ,⊥,com).

That is, we obtain the step(pc₂◦pc₃, 𝜎)⇢⇢_P,⊥(pc₂◦pc₃, 𝜎 .act)which satisfies (2). Next, we establish𝑚^R_{𝜏 .}_act=𝑚^R_{𝜎 .}_act. To that end, considerexp∈PExp∪DExp. Ifexp∩Adr≠{𝑎}, then we get𝑚_{𝜏 .}^R_actexp =𝑚^R_𝜏exp =𝑚^R_𝜎exp =𝑚^R_{𝜎 .}_actexpwhere the second equality holds by induction and the first/third equality holds byup. It remains to show, for all^sel ∈ Sel^R, that𝑚^R_{𝜏 .}_act(𝑎 ._sel)=𝑚^R

𝜎 .act^′(𝑎 ._sel)holds. This follows from the fact thatupandup^′agree on the updates they perform on selectors. The remaining properties follow by induction since actdoes not affect the control locations nor the valuation of variables nor the history nor the fresh/freed/used addresses.

The above case distinction is complete and thus concludes the claim.

Proof C.6(Corollary A.3).Consequence of Theorem A.2.

Proof C.7(Theorem A.4).We proceed by induction over the structure of𝜏. In the base case, we have the empty computation𝜏 = 𝜖. Then, the claim follows by definition for𝜎 = 𝜖. For the induction step, consider𝜏 ∈ ⟦P(R)⟧^Adr_Adr and the following program step in the standard semantics:

(pc₁◦pc₂, 𝜏)⇢⇢_Q,𝑡 (pc^′₁◦pc^′₂, 𝜏 .act) with pc₁◦pc₂ ∈ctrl(𝜏). (6) By definition,𝜏 .act ∈ ⟦P(R)⟧^Adr_Adr. Assume we already constructed for𝜏 some𝜎 ∈ ⟦P(R)⟧^Adr_Adr with the following: stmt₁ ∈ctrl(𝜎),𝑚_𝜏^P =𝑚^P_𝜎,H(𝜏)=H(𝜎),fresh𝜏 ⊆fresh𝜎,freed𝜏 ⊆freed𝜎,

176 ^{Appendix C} Proof of Meta Theory

andretired^𝜏 ⊆ retired^𝜎. We now construct a computation𝜎^′ ∈ ⟦P(R)⟧^Adr_Adr that mimics𝜏 .act.

More precisely, we show that there is a program step in the SMR semantics of the form (pc₁, 𝜎)⇢^∗(pc^′₁, 𝜎^′) (7) satisfying the following:𝑚^P_{𝜏 .}_act=𝑚^P

𝜎′,H(𝜏 .act)=H(𝜎^′),fresh𝜏 .act⊆fresh𝜎^′,freed𝜏 .act⊆freed𝜎^′, andretired^{𝜏 .}_act ⊆retired^𝜎^′. Letact=⟨𝑡 ,com,up⟩.

⋄ Case 1: Q =R

Step (6) is due to Rule (sos-std-par) followed by Rule (sos-std-smr). By definition, we havepc^′₁=pc₁. Letstmt₂ =pc₂(𝑡). Then,pc^′₂=pc₂[𝑡 ↦stmt^′₂]withstmt₂−−^com⇀stmt^′₂.

⋄ Case 1.1: com∈{ⁱⁿ∶func(𝑟), _re∶func}

According to Rule (sos-std-smr), the case does not apply.

⋄ Case 1.2: com∈{^skip, beginAtomic, _endAtomic,_assumecond}

We show that𝜎^′=𝜎is an appropriate choice. We immediately satisfy (7) bypc^′₁ =pc₁. For the remaining properties, we conclude by induction as follows:

𝑚^P_{𝜏 .}_act=𝑚_𝜏^P=𝑚^P_𝜎=𝑚^P_{𝜎 .}_act H(𝜏 .act)=H(𝜏)=H(𝜎)=H(𝜎 .act)

fresh𝜏 .act=fresh𝜏 ⊆fresh𝜎 =fresh𝜎 .act

freed𝜏 .act=freed𝜏 ⊆freed𝜎=freed𝜎 .act

retired^{𝜏 .}_act =retired^𝜏 ⊆retired^𝜎 =retired^{𝜎 .}_act

⋄ Case 1.3: com≡exp∶=exp^′

We choose𝜎^′=𝜎. We immediately satisfy (7) bypc^′₁ =pc₁. Next, we show𝑚^P_{𝜏 .}_act=𝑚^P_𝜎. To that end, it suffices to establish𝑚^P_{𝜏 .}_act=𝑚_𝜏^P. First, consider the case whereexp∈Var holds. Then,exp∈Var^R because𝜏 .actis free from separation violations. By definition, we obtain𝑚_{𝜏 .}_act=𝑚_𝜏[exp↦𝑚_𝜏(exp^′)]. That is,𝑚^P_{𝜏 .}_act=𝑚_𝜏^PbecauseVar^R∩Var^P =∅.

Second, consider the remaining case whereexp∉Varholds. So,exp≡𝑝 ._selfor some pointer𝑝 and selector^sel. Let𝑎 =𝑚_𝜏(𝑝). We have𝑚_{𝜏 .}_act = 𝑚_𝜏[𝑎 ._sel ↦𝑚_𝜏(exp^′)].

Since𝜏 .actis free from separation violations,^sel∈Sel^R. So, we get𝑚_{𝜏 .}^P_act=𝑚^P_𝜏 because ofSel^R∩Sel^P =∅. The remaining properties follow by definition together with induction as before.

⋄ Case 1.4: com≡𝑝∶=malloc

Let𝑎=𝑚_{𝜏 .}_act(𝑝). The update isup =[𝑝 ↦𝑎, 𝑎 ._next ↦seg, 𝑎 ._data ↦𝑑]for some𝑑. We choose𝜎^′=𝜎 .act^′withact^′=⟨𝑡 ,_env(𝑎),up^′⟩andup=[𝑎 ._next↦seg, 𝑎 ._data↦𝑑].

By definition, we have𝑎∈fresh𝜏∪freed𝜏. Hence,𝑎∈fresh𝜎∪freed𝜎 by induction. So we getact^′∈Act(𝜎 , 𝑡 ,_env(𝑎)). Rule (sos-env) yields the step(pc₁, 𝜎)⇢(pc₁, 𝜎 .act^′)

Section C.1 Compositionality 177

which satisfies (7). Next, we show𝑚^P_{𝜏 .}_act = 𝑚^P

𝜎 .act^′. The remaining properties follow by definition and induction as before.

⋄ Case 1.5: com≡free(𝑝)

Let𝑚_𝜏(𝑝)=𝑎. We choose𝜎^′ =𝜎 .act^′withact^′ =⟨𝑡 ,_free(𝑎),∅⟩. By the standard se-mantics, we haveact∈Act(𝜏 , 𝑡 ,com). Hence,act^′∈Act(𝜎 ,⊥,_free(𝑎))holds according to the SMR semantics. Then, Rule (sos-free) yields(pc₁, 𝜎) ⇢ (pc₁, 𝜎 .act^′)which satisfies (7). For the remaining properties, we conclude by definition and induction as before.

By definition,act∈Act(𝜎 , 𝑡 ,com). We conclude by definition and induction:

𝑚^P_{𝜏 .}_act =𝑚^P_𝜏 =𝑚^P_𝜎 =𝑚^P_{𝜎 .}_act

Step (6) involves Rule (sos-std-call). By assumption, we have𝑟_𝑖 ∈IVar. By induction, we get𝑚_𝜏(𝑟_𝑖)=𝑚_𝜎(𝑟_𝑖). Hence,𝑚_𝜎(𝑟_𝑖)≠ segbecause𝑚_𝜏(𝑟_𝑖)≠ segaccording to the semantics. This givesact∈Act(𝜎 , 𝑡 ,com)by definition. Now, letevtbe the event emitted

178 ^{Appendix C} Proof of Meta Theory

byactafter𝜏, that is,H(𝜏 .act)=H(𝜏).evt. Because we have already established𝑚_𝜏(𝑟_𝑖)= 𝑚_𝜎(𝑟_𝑖),actmust emit the same event after𝜎, i.e.,H(𝜎 .act)=H(𝜎).evt. So,H(𝜏 .act)= H(𝜎 .act)follows by induction. For the remaining property, let𝑀 ⊆ Adr such that 𝑀={𝑎}ifevt≡in∶^retire(𝑡 , 𝑎)and𝑀=∅otherwise. Then, we get:

retired^{𝜏 .}_act =retired^𝜏 ∪𝑀⊆retired^𝜎∪𝑀=retired^{𝜎 .}_act.

The remaining properties follow by definition and induction as before.

⋄ Case 2.3: com≡re∶func

Step (6) involves Rule (sos-std-return). By definition,act∈Act(𝜎 , 𝑡 ,_re∶func). We get:

H(𝜏 .act)=H(𝜏)._re∶func(𝑡)=H(𝜎)._re∶func(𝑡)=H(𝜎 .act)

and conclude the remaining properties by definition and induction as before.

⋄ Case 2.4: com≡𝑝∶=malloc

Let𝑎=𝑚_{𝜏 .}_act(𝑝). Then, the update isup=[𝑝↦𝑎, 𝑎 ._next↦seg, 𝑎 ._data ↦𝑑]for some data value𝑑. By definition,𝑎 ∈ fresh𝜏 ∪freed𝜏. So,𝑎 ∈ fresh𝜎∪freed𝜎 by induction.

This meansact∈Act(𝜎 , 𝑡 ,com). Moreover, we get:

fresh𝜏 .act =fresh𝜏 \ {𝑎}⊆fresh𝜎\ {𝑎}=fresh𝜎 .act

freed𝜏 .act=freed𝜏 \ {𝑎}⊆freed𝜎\ {𝑎}=freed𝜎 .act

retired^{𝜏 .}_act =retired^𝜏 ⊆retired^𝜎 =retired^{𝜎 .}_act H(𝜏 .act)=H(𝜏)=H(𝜎)=H(𝜎 .act)

It remains to establish𝑚^P_{𝜏 .}_act =𝑚^P_{𝜎 .}_act. By induction and the form ofup, we have:

𝑚^P_{𝜏 .}_act(exp)=𝑚^P_𝜏(exp)=𝑚^P_𝜎(exp)=𝑚^P

𝜎 .act^′(exp) if exp∉{𝑝, 𝑎 ._next, 𝑎 ._data}. Hence, it suffices to show𝑚^P_{𝜏 .}_act(exp^′)=𝑚^P_{𝜎 .}_act(exp^′)forexp^′∈{𝑝, 𝑎 ._next, 𝑎 ._data}. By the definition of the memory separation, it suffices to show𝑚_{𝜏 .}_act(exp^′)=𝑚_{𝜎 .}_act(exp^′).

This follows immediately from the performed updateup.

⋄ Case 2.5: com≡𝑝 ._sel∶=exp

By definition of the syntax, we haveexp ∈ Var. Let𝑎 =𝑚_𝜏(𝑝)and let𝑣 =𝑚_𝜏(exp).

Then, the update isup=[𝑎 ._sel↦𝑣]. Since𝜏 .actis free from separation violations, we get𝑝,exp∈Var^Pand^sel∈Sel^P. Hence,{𝑝,exp, 𝑎 ._sel}⊆dom(𝑚^P_𝜏). By induction, we have𝑚_𝜎(𝑝)=𝑎and𝑚_𝜎(exp)=𝑣. This meansupis a valid foractafter𝜎. That is, we obtainact∈Act(𝜎 , 𝑡 ,com). From^sel∈Sel^Pwe get:

𝑚_{𝜏 .}^P_act =𝑚^P_𝜏[𝑎 ._sel↦𝑣]=𝑚^P_𝜎[𝑎 ._sel↦𝑣]=𝑚^P_{𝜎 .}_act.

Section C.1 Compositionality 179

The remaining properties follow by definition and induction as before.

⋄ Case 2.6: com≡𝑝∶=exp^′ Analogous to the previous case.

⋄ Case 2.7: com≡assumecond

Letexpbe an expression incond. Similarly to the previous cases,𝑚_𝜏(exp)=𝑚_𝜎(exp) by induction together with the fact that𝜏 .actis free from separation violations and thus only variables fromVar^P and selectors fromSel^P can occur inexp. Then, we arrive atact∈Act(𝜎 , 𝑡 ,com)sincecondhas the same truth value after𝜏and𝜎. The remaining properties follow by induction.

⋄ Case 3: Q=Pandcom≡env(𝑎)

Step (6) is due to Rule (sos-std-env). By definition of the rule, we havepc₁ =pc^′₁as well asup= [𝑎 ._next ↦seg, 𝑎 ._data ↦𝑑]for some value𝑑. By definition,𝑎∈ fresh𝜏 ∪freed𝜏. By induction,𝑎 ∈ fresh𝜎 ∪freed𝜎. Hence, we obtainact ∈ Act(𝜎 , 𝑡 ,com)such that the step(pc₁, 𝜎)⇢(pc^′₁, 𝜎 .act)by Rule (sos-env) satisfies (7). Next, we show𝑚^P_{𝜏 .}_act=𝑚^P_{𝜎 .}_act. By induction together with the form ofup, we have:

𝑚_{𝜏 .}^P_act(exp)=𝑚_𝜏^P(exp)=𝑚_𝜎^P(exp)=𝑚^P

𝜎 .act^′(exp) if exp∉{𝑎 ._next, 𝑎 ._data}. Hence, it suffices to show𝑚^P_{𝜏 .}_act(exp^′)=𝑚^P_{𝜎 .}_act(exp^′)forexp^′∈{𝑝, 𝑎 ._next, 𝑎 ._data}. By the definition of the memory separation, it suffices to show𝑚_{𝜏 .}_act(exp^′) =𝑚_{𝜎 .}_act(exp^′). This follows from the performed updateup. The remaining properties follow by definition and induction as before.

The above case distinction is complete and thus concludes the induction.

Proof C.8(Theorem 5.10).Note that Theorem A.4 implicitly assumes that⟦P(R)⟧^Adr_Adr is free from separation violations—these requirements were stated informally in Section 5.3. This means that Theorem A.4 is applicable. Consider now some computation𝜏 ∈⟦P(R)⟧^Adr_Adr. From Theorem A.4 we get𝜎 ∈ O⟦P⟧^Adr_Adr withctrl^P(𝜏)= ctrl(𝜎). By assumption, we havegood(𝜎).

That is,ctrl^P(𝜎)∩Fault = ∅. From this we getctrl^P(𝜏)∩Fault = ∅. This givesgood(𝜏)as

required.

Proof C.9(Theorem 5.11).As noted in Proof C.8 already, Theorem 5.11 comes with the implicit assumption that⟦P(R)⟧^Adr_Adr is free from separation violations. Towards a contradiction, assume that⟦P(R)⟧^Adr_Adris not free from double retires. That is, there is a computation𝜏 .act∈⟦P(R)⟧^Adr_Adr withact = ⟨𝑡 ,_in∶^retire(𝑝),up⟩and𝑚_{𝜏 .}_act(𝑝)∈ retired^𝜏. Theorem A.4 yields𝜎 ∈ O⟦P⟧^Adr_Adr with𝑚^P_𝜏 =𝑚^P_𝜎 andretired^𝜏 ⊆ retired^𝜎. We obtain𝜎 .act ∈O⟦P⟧^Adr_Adr. To see thatactis enabled, note that𝑝 ∈ IVar ⊆ Var^P by assumption and thus𝑚_𝜎(𝑝) = 𝑚_𝜏(𝑝) ≠ seg. Moreover, this

180 ^{Appendix C} Proof of Meta Theory

means𝑚_𝜎(𝑝)∈retired^𝜎. That is,𝜎 .actis a double retire. This contradicts the assumption of the

semanticsO⟦P⟧^Adr_Adr being free from double retires.

C.2 Ownership

Proof C.10(Theorem 6.7).We show the contrapositive:

∀𝜏 , 𝑝, 𝑡 . 𝑝∉local^𝑡 ∧𝑝∈valid^𝜏 ⟹ 𝑚_𝜏(𝑝)∉owned^𝜏(𝑡).

To that end, we proceed by induction over the structure of𝜏 ∈O⟦P⟧^Adr_Adr. In the base case,𝜏 =𝜖. Then, the claim follows byowned^𝜏(𝑡)= ∅. For the induction step, consider𝜏 .act∈ O⟦P⟧^Adr_Adr and assume that the claim holds for𝜏. Consider some thread𝑡and some𝑥 ∈PVar\local^𝑡 such that𝑝∈valid^𝜏. We show that𝑚_𝜏(𝑝)∉owned^𝜏(𝑡)holds. Letact=⟨𝑡^′,com,up⟩.

⋄ Case 1: 𝑡≠𝑡^′

By definition, we haveowned^{𝜏 .}_act(𝑡)⊆owned^𝜏(𝑡).

⋄ Case 1.1: 𝑥 ∉shared

If𝑥 ∉ shared, then𝑥 cannot occur in comby to the semantics. Hence,𝑥 ∈ valid^{𝜏 .}act

implies𝑥 ∈ valid^𝜏. Moreover,𝑚_{𝜏 .}_act(𝑥) =𝑚_𝜏(𝑥). By induction,𝑚_𝜏(𝑥) ∉ owned^𝜏(𝑡).

Hence, we obtain𝑚_{𝜏 .}_act(𝑥)∉owned^{𝜏 .}_act(𝑡)as required.

⋄ Case 1.2: 𝑥 ∈sharedand[𝑥 ↦•] /⊆up

That𝑥 does not receive an update means that it is not the target of an assignment nor an allocation. We get𝑚_𝜏(𝑥)=𝑚_{𝜏 .}_act(𝑥)by definition. Moreover, we obtain𝑥 ∈valid^𝜏 by𝑥 ∈valid^{𝜏 .}_act. By induction,𝑚_𝜏(𝑥)∉owned^𝜏(𝑡). Hence,𝑚_{𝜏 .}_act(𝑥)∉owned^{𝜏 .}_act(𝑡)as required.

⋄ Case 1.3: 𝑥 ∈sharedand[𝑥 ↦𝑎]⊆up

Byowned^{𝜏 .}_act(𝑡)⊆ owned^𝜏(𝑡), we know thatcomcannot be an allocation targeting𝑥. So,com≡𝑥 ∶=pexp. First, considerpexp ∈PVar. To arrive at𝑥 ∈ valid^{𝜏 .}act, we must havepexp∈valid^𝜏. As this gives a contradicting𝑚_{𝜏 .}_act(𝑥)=𝑎∉owned^{𝜏 .}_act(𝑡), the case cannot apply. That is,pexp ≡ 𝑝 ._next. Let𝑏 =𝑚_𝜏(𝑝). To arrive at𝑥 ∈ valid^{𝜏 .}_act, we must have𝑝, 𝑏 ._next∈valid^𝜏. By definition, this results in𝑚_{𝜏 .}_act(𝑥)=𝑎∉owned^{𝜏 .}_act(𝑡).

Hence, the case cannot apply.

⋄ Case 2: 𝑡=𝑡^′

We distinguish three cases.

⋄ Case 2.1: 𝑥 ∉shared

By the semantics,𝑥 cannot occur incom. We get𝑥 ∈ valid^𝜏 and𝑚_𝜏(𝑥) = 𝑚_{𝜏 .}_act(𝑥).

Section C.2 Ownership 181

Hence,𝑚_{𝜏 .}_act(𝑥)∉ owned^𝜏(𝑡). Ifowned^{𝜏 .}_act(𝑡) ⊆owned^𝜏(𝑡), then nothing remains to be shown. Consider nowowned^{𝜏 .}act(𝑡) /⊆owned^𝜏(𝑡). By definition, this means we must havecom≡𝑝∶=mallocand thusowned^{𝜏 .}_act(𝑡)=owned^𝜏(𝑡)∪{𝑎}where𝑎=𝑚_{𝜏 .}_act(𝑝).

If𝑚_𝜏(𝑥)= 𝑎, then𝑥 ∉ valid^𝜏 by the definition of validity. Since this contradicts the previous𝑥 ∈valid^𝜏, we must have𝑚_𝜏(𝑥)≠𝑎. Hence,𝑚_{𝜏 .}_act(𝑥)∉owned^{𝜏 .}_act(𝑡)follows as required.

⋄ Case 2.2: 𝑥 ∈sharedand[𝑥 ↦•] /⊆up

That𝑥 does not receive an update means it is not the target of an assignment nor an allocation. We get𝑥 ∈ valid^𝜏 and𝑚_𝜏(𝑥) =𝑚_{𝜏 .}_act(𝑥). We conclude as in the previous case.

⋄ Case 2.3: 𝑥 ∈sharedand[𝑥 ↦𝑎]⊆up

To the contrary, assumecom≡𝑥 ∶=malloc. This means𝑚_{𝜏 .}_act(𝑥)∈fresh𝜏 ∪freed𝜏. By definition,𝑚_{𝜏 .}_act(𝑥)∉ owned^𝜏(𝑡). Because of𝑥 ∈ shared, the allocated address is not owned, that is,𝑚_{𝜏 .}_act(𝑥)∉owned^{𝜏 .}_act(𝑡)by definition. Since this contradicts the choice of𝑥, we must havecom≡/𝑥 ∶=malloc. Hence, we get𝑚_{𝜏 .}_act(𝑥)∈owned^{𝜏 .}act(𝑡)⊆𝜏 𝑡. Becausecomis no allocation but updates𝑥, it must be an assignment,com≡𝑥 ∶=pexp.

By𝑥 ∈shared, we must havepexp∈PVarin order to get𝑚_{𝜏 .}_act(𝑥)=𝑎∈owned^{𝜏 .}act(𝑡).

To get𝑥 ∈valid^{𝜏 .}_act, we must havepexp∈valid^𝜏. We get𝑚_{𝜏 .}_act(𝑥)=𝑎∉owned^{𝜏 .}_act(𝑡).

Since this contradicts the choice of𝑥, the case cannot apply.

The above case distinction is complete and thus concludes the induction.

C.3 Reductions

Proof C.11(Lemma B.31).By definition.

Proof C.12(Lemma B.32).By definition.

Proof C.13(Lemma B.33).By definition.

Proof C.14(Lemma B.34).By definition.

Proof C.15(Lemma B.35).By definition we have:

182 ^{Appendix C} Proof of Meta Theory

Im Dokument Verifying Non-blocking Data Structures with Manual Memory Management (Seite 189-200)