A perspective on specifying and verifying concurrent modules by Dinsdale-Young, TW et al.
Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25Contents lists available at ScienceDirect
Journal of Logical and Algebraic Methods in 
Programming
www.elsevier.com/locate/jlamp
A perspective on specifying and verifying concurrent modules
Thomas Dinsdale-Young a,∗,1, Pedro da Rocha Pinto b,2, Philippa Gardner b,2
a Department of Computer Science, Aarhus University, Aarhus, Denmark
b Department of Computing, Imperial College London,London, United Kingdom
a r t i c l e i n f o a b s t r a c t
Article history:
Received 22 May 2017
Received in revised form 17 February 2018
Accepted 19 March 2018
Available online xxxx
Keywords:
Concurrency
Speciﬁcation
Program veriﬁcation
The speciﬁcation of a concurrent program module, and the veriﬁcation of implementations 
and clients with respect to such a speciﬁcation, are diﬃcult problems. A speciﬁcation 
should be general enough that any reasonable implementation satisﬁes it, yet precise 
enough that it can be used by any reasonable client. We survey a range of techniques 
for specifying concurrent modules, using the example of a counter module to illustrate the 
beneﬁts and limitations of each. In particular, we highlight four key concepts underpinning 
these techniques: auxiliary state, interference abstraction, resource ownership and atomici-
ty. We demonstrate how these concepts can be combined to achieve two powerful 
approaches for specifying concurrent modules and verifying implementations and clients, 
which remove the limitations highlighted by the counter example.
© 2018 The Authors. Published by Elsevier Inc. This is an open access article under the CC 
BY license (http://creativecommons.org/licenses/by/4.0/).
1. Introduction
The speciﬁcation of a concurrent program module and the veriﬁcation of implementations and clients with respect to 
such a speciﬁcation are diﬃcult problems. When concurrent threads work with shared data, the resulting behaviour can be 
complex. Reasoning about such modules in a tractable fashion requires effective abstractions that hide this complexity. To 
be effective, an abstract speciﬁcation of a module must balance two key requirements: it must be general enough that any 
reasonable implementation satisﬁes it; and it must be precise enough that any intended client can use it. A speciﬁcation 
that is too precise will disallow some reasonable implementations, while one that is too general will disallow reasonable 
clients. The speciﬁcation should support modular veriﬁcation, in that the veriﬁcation of the module implementation and 
clients should only reference the speciﬁcation, and not each other’s code. This requires the speciﬁcation to be modular, in 
that it should capture the entire contract between a module and its clients. Since the 1970s, substantial progress has been 
made on reasoning techniques for concurrency, and recent developments have brought us closer than ever to a general 
approach to effective modular speciﬁcation and veriﬁcation.
In this survey paper, we describe some of the key techniques for reasoning about concurrency that have been developed 
in recent decades. We restrict our exposition to four concepts which are pervasive and underpin modern program logics 
for concurrency: auxiliary state, interference abstraction, resource ownership and atomicity. To illustrate these concepts, 
we consider a concurrent counter module, with an implementation using a spin loop (Section 2.1) and a ticket-lock client 
* Corresponding author.
E-mail addresses: tyoung @cs .au .dk (T. Dinsdale-Young), pmd09 @doc .ic .ac .uk (P. da Rocha Pinto), pg @doc .ic .ac .uk (P. Gardner).
1 This research was supported in part by the “Automated Veriﬁcation for Concurrent Programs” postdoc grant from The Danish Council for Independent 
Research for Technology and Production Sciences.
2 This research was supported in part by the EPSRC Programme Grants EP/H008373/1 and EP/K008528/1.https://doi.org/10.1016/j.jlamp.2018.03.003
2352-2208/© 2018 The Authors. Published by Elsevier Inc. This is an open access article under the CC BY license 
(http://creativecommons.org/licenses/by/4.0/).
2 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25function makeCounter() {
x := alloc(1); // Allocate a single cell
[x] := 0; // Initialise the value at address xwith 0
return x;
}
function read(x) {
v := [x]; // Get value at address x
return v;
}
function incr(x) {
do {
v := [x]; // Get value at address x
b := CAS(x,v,v+ 1); // Compare value at address xwith v and
// set it to v + 1 if they are the same
} while (b= 0); // Retry if the CAS failed
return v;
}
function wkIncr(x) {
v := [x]; // Get value at address x
[x] := v+ 1; // Set value at address x to v + 1
return v;
}
Fig. 1. A counter module given using a spin-counter implementation.
(Section 2.2). In Section 3, we look at a range of historical reasoning techniques for concurrency, and how they embody the 
key concepts:
• Owicki–Gries reasoning [1] introduces auxiliary state (Section 3.2) to abstract the internal state of threads;
• rely/guarantee reasoning [2] introduces interference abstraction (Section 3.3) to abstract the interactions between differ-
ent threads;
• concurrent separation logic [3] introduces resource ownership (Section 3.4) to encode interference abstraction as auxiliary 
state;
• linearisability [4] introduces atomicity (Section 3.5) to abstract the effects of an operation so that it appears to take 
place instantaneously.
Modern program logics, such as TaDA [5,6], Iris [7] and FCSL [8,9], combine these techniques, allowing us to prove effective 
modular speciﬁcations for concurrent modules such as the counter. We compare two approaches: a ﬁrst-order approach 
used in TaDA (Section 3.6.2), and a higher-order approach introduced by Jacobs and Piessens [10] and used in Iris (Section 
3.6.1). In Section 4, we compare these approaches by showing how the spin-counter implementation can be veriﬁed against 
such a counter speciﬁcation and how the ticket-lock client can be veriﬁed using the speciﬁcation.
2. Concurrent modules
We use a concurrent counter module as the case study for this paper. This section describes a spin-counter implemen-
tation and a ticket-lock client.
2.1. A spin-counter implementation
Consider the spin-counter implementation of a concurrent counter shown in Fig. 1. We make use of three primitive 
atomic operations (i.e. operations that take effect at a single, discrete instant in time) for manipulating the heap. The load 
operation x := [E]; reads the value of the heap at the address given by E and assigns it to the variable x. The store 
operation [E1] := E2; stores the value E2 in the heap at the address given by E1. Finally, the compare-and-set (CAS) 
operation x := CAS(E1, E2, E3); checks if the value in the heap at the address given by E1 is equal to E2: if so, it replaces 
it with the value E3 and assigns 1 to x; otherwise, x is assigned 0.
The counter module has three operations. The read operation returns the value of the counter. The incr operation 
increments the value of the counter and returns the old value, using the compare-and-set operation to do this atomically. 
The compare-and-set can fail if the value of the counter is changed concurrently, so the operation loops (or spins) until it 
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 3function makeLock() {
next := makeCounter(); // Allocate ticket counter
owner := makeCounter(); // Allocate serving counter
x := alloc(2); // Allocate two cells
[x.next] := next; // Initialise ﬁrst cell with ticket counter address
[x.owner] := owner; // Initialise second cell with serving counter address
return x;
}
function acquire(x) {
next := [x.next]; // Get address of the ticket counter
owner := [x.owner]; // Get address of the serving counter
t := incr(next); // Take a ticket
do {
v := read(owner); // Get serving counter value
} while (v = t); // Wait for serving value to match the ticket
}
function release(x) {
owner := [x.owner]; // Get address of the serving counter
wkIncr(owner); // Increment the serving counter
}
where E.next def= E and E.owner def= E + 1.
Fig. 2. A ticket lock implemented using the counter module from Fig. 1.
succeeds. The wkIncr operation also increments the value of the counter and returns the old value. However, this operation 
uses a store instead of a CAS, which can lead to different behaviour in a concurrent setting.
A speciﬁcation of the counter module should describe how each operation affects the value of the counter. It should 
express that the counter must be allocated as a precondition of the operations that access it. It should also describe the 
permitted interference from the context of concurrent operations. Intuitively, the read and incr operations are robust 
with respect to concurrent operations that change the value of the counter. By contrast, the potentially faster wkIncr
requires that no concurrent operation changes the value of the counter between the load and store operations, in order for 
it to behave as intended. This informal speciﬁcation is subtle, and so it is an interesting case study to capture formally.
2.2. A ticket-lock client
Consider a ticket-lock client [11] that uses the counter module to provide synchronisation. The code for the ticket lock 
is given in Fig. 2. The lock uses two counters, the ticket counter next and the serving counter owner, which both initially 
have the value 0. A thread acquires the lock by calling the acquire operation. This operation increments the next counter 
to obtain a notional ticket. When the value of the owner counter agrees with this ticket, the thread has acquired the lock. 
It can then use whatever resources are protected by the lock, without interference from other threads. Control of these 
resources is relinquished by calling the release operation. This increments the owner counter, passing the lock on to 
the next waiting thread. Intuitively, the use of incr for the acquire operation is necessary, since it needs to be robust 
with respect to concurrent threads taking tickets. The use of wkIncr for the release operation is possible, since only the 
thread holding the lock should release it.
The spin-counter and its ticket-lock client provide a case study that illustrates some of the key diﬃculties in specifying 
concurrent modules, and verifying their implementations and intended clients. The challenge is to develop a concurrent 
speciﬁcation of the counter module that is strong enough to allow us to reason about the ticket lock. This mandates a precise 
description of how each operation affects the value of the counter, and a detailed account of concurrent interference, which 
distinguishes between incr and wkIncr. We require a reasoning technique that can formally express such speciﬁcations, 
and verify implementations and clients using these formal speciﬁcations. In Section 3, we concentrate on how to specify the 
counter module, while in Section 4, we demonstrate how to verify the spin-counter implementation and ticket-lock client 
using our eventual speciﬁcation.
3. Speciﬁcation
Our objective is to give a speciﬁcation for the counter module that, in particular, is satisﬁed by our spin-counter imple-
mentation and can be used to verify the ticket lock as a client. We start by considering a sequential speciﬁcation, before 
exploring how different techniques can be used to give concurrent speciﬁcations for the counter module. In particular, we 
show how these techniques use the concepts of auxiliary state, interference abstraction, resource ownership, and atomicity. 
4 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25We then show how recent logics combine these ideas in a way that can be used to give an effective speciﬁcation for the 
counter.
3.1. Sequential speciﬁcation
It is straightforward to give a sequential speciﬁcation for the counter module using standard Hoare triples [12]. A Hoare 
triple, written  {P} C {Q }, states that if program C is executed from a state satisfying assertion P , then it either does 
not terminate or terminates with the resulting state satisfying assertion Q . The assertions P and Q are given in ﬁrst-order 
logic, with predicates of the form E1 → E2 describing those heaps containing a heap cell at address E1 with value E2. The 
sequential speciﬁcation of the counter module is given by:
 {True} makeCounter() {ret → 0}
 {x → n} read(x) {x → n∧ ret = n}
 {x → n} incr(x) {x → n+ 1∧ ret = n}
 {x → n} wkIncr(x) {x → n+ 1∧ ret = n}
With Hoare logic, it is possible to verify that the spin-counter implementation satisﬁes the sequential speciﬁcation, and to 
verify the correctness of sequential clients that use the counter module. However, this speciﬁcation gives no information 
about the behaviour of the operations in a concurrent setting.
3.2. Auxiliary state
Owicki and Gries [1] developed the ﬁrst tractable proof technique for concurrent programs, identifying the importance 
of reasoning about interference between threads and of using auxiliary state. With the Owicki–Gries method, each thread 
is given a sequential proof. When the threads are composed, we must check that they do not interfere with each other’s 
proofs. This is achieved by extending standard Hoare logic with the Owicki–Gries rule for parallel composition:
OG-Parallel
OG
{
P1
}
C1
{
Q 1
} OG {P2} C2 {Q 2} non-interference
OG
{
P1 ∧ P2
}
C1 ‖C2
{
Q 1 ∧ Q 2
}
The non-interference side-condition constrains the proof derivations for C1 and C2. It requires that every intermediate 
assertion between atomic actions in the proof of C1 must be preserved by every atomic action in the proof of C2, and 
vice-versa. This side-condition leads to non-compositional reasoning, in the sense that it refers to details of the proof 
derivations that are not represented in the speciﬁcations.
An abstract speciﬁcation for the counter needs to be robust with respect to the non-interference condition. However, in 
general, the condition will vary depending on the concurrent context. Let us assume that the client may invoke any of the 
counter operations concurrently, but will not directly interact with the state of the counter. That is, we will only consider 
interference caused by the counter operations themselves. To this end, we can use an invariant: that is, an assertion that 
is preserved by each atomic action in the module. For the counter speciﬁcation, the invariant ∃n. x → n asserts that the 
counter at x is allocated and has some value. Using this invariant, we can give the following speciﬁcation for the counter 
module:
OG
{
True
}
makeCounter()
{∃n. ret → n}
OG
{∃n.x → n} read(x) {∃n,m.x → n∧ ret =m}
OG
{∃n.x → n} incr(x) {∃n,m.x → n∧ ret =m}
OG
{∃n.x → n} wkIncr(x) {∃n,m.x → n∧ ret =m}
However, these speciﬁcations are too weak to verify clients such as the ticket lock. They lose all information about the value 
of the counter, and give no information about how the operations change this value. In fact, the read operation could 
change the value of the counter and still satisfy the speciﬁcation! Unfortunately, assertions that describe the precise value 
of the counter are not invariant.
The Owicki–Gries method is able to provide stronger speciﬁcations by using auxiliary state, which records extra informa-
tion about the execution history via auxiliary variables. The auxiliary state is updated by auxiliary code, which instruments 
the program code. Since the auxiliary code only updates auxiliary variables, it has no effect on the program behaviour and 
so can be erased. The auxiliary code is not required when the program is run; it is only used for the static logical reasoning.
By way of example, consider two threads that both increment a counter, as in Fig. 3. The auxiliary variables y and z, 
with initial values 0, are used to record the contribution (that is, the number of increments) of each thread. For each thread, 
the code of the incr operation is instrumented with code that updates the appropriate auxiliary variable when the CAS
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 5{
True
}
x := makeCounter();{
x → 0
}
y := 0;
z := 0;{
x → 0∧ y= 0∧ z= 0
}
{
x → y+ z∧ y= 0
}
do {
v1 := [x];〈
b1 := CAS(x,v1,v1 + 1);
if (b1 = 0) {y := y+ 1; }
〉
} while (b1 = 0);{
x → y+ z∧ y= 1
}
{
x → y+ z∧ z= 0
}
do {
v2 := [x];〈
b2 := CAS(x,v2,v2 + 1);
if (b2 = 0) {z := z+ 1; }
〉
} while (b2 = 0);{
x → y+ z∧ z= 1
}
{
x → 2∧ y= 1∧ z= 1
}
{
x → 2
}
Fig. 3. Reasoning about concurrent increments using auxiliary state.
operation succeeds. This auxiliary variable must be updated at the same instant as the counter, so that the counter always 
holds the sum of the two contributions — our invariant. This is expressed by the angle brackets, 〈_〉, which indicate that 
the CAS and auxiliary code should be executed in a single atomic step. Note that the auxiliary state can be seen as an 
abstraction of the internal state of the threads. That is, we can recover all of the relevant information about the auxiliary 
variables by knowing each thread’s program counter and local variables. The auxiliary state captures just the information 
about the internal state that we need for our reasoning.
The resulting speciﬁcation of the two-increment program is strong, with precise information about the initial and ﬁnal 
value of the counter. However, it comes at the price of modularity. Firstly, the incr operations require different speciﬁca-
tions depending on the client’s use: in our example, the assertion x → y+ z uses auxiliary variables y and z; with three 
threads, the speciﬁcation requires three auxiliary variables. A modular speciﬁcation would be one that captures all use cases. 
Secondly, each use of the incr operation requires the underlying implementation to be extended with auxiliary code to 
increment the appropriate auxiliary variable. Modular veriﬁcation would not modify the module code for each use by the 
client. Thirdly, and more subtly, the Owicki–Gries method requires the global non-interference condition. To meet this, we 
made the implicit assumption that the client only interacts with the state of the counter through the counter operations. 
Modular speciﬁcation would be explicit about such assumptions regarding the behaviour of the client.
Thesis The concept of auxiliary state, introduced in the Owicki–Gries method, is important for the speciﬁcation of concurrent 
modules. Auxiliary state abstracts the internal state of threads, and is a powerful mechanism for giving precise speciﬁcations. 
However, auxiliary variables can violate modularity; module code may be instrumented with different auxiliary code and its 
speciﬁcation may give a different description of the auxiliary state, depending on how the client uses the code. As we shall 
see, various subsequent approaches have taken a more modular approach to auxiliary state than that provided by auxiliary 
variables in the Owicki–Gries method.
3.3. Interference abstraction
Jones [2] introduced interference abstraction, providing the rely/guarantee method as a way to improve the composition-
ality of the Owicki–Gries approach. To avoid the global non-interference condition, speciﬁcations both explicitly constrain the 
interference from the concurrent context and describe the interference that a thread may cause. To this end, each speciﬁ-
cation incorporates two relations, the rely and guarantee relations, that abstract the interference between threads. The rely 
relation abstracts the actions of other threads; each assertion in the derivation must be stable under all of these actions. 
The guarantee relation abstracts the actions in the current derivation; each atomic update by the thread must be described 
by the guarantee. (See Fig. 4.)
Rely/guarantee speciﬁcations have the form R,G RG
{
P
}
C 
{
Q
}
, where the additional relations, R and G , are the rely 
and guarantee relations respectively. We denote the elements of the rely and guarantee relations as actions p  q. The 
actions of the rely relation describe the changes that may be made by the concurrent environment, while the actions of the 
guarantee relation describe the changes that may be made by the thread (or threads) under consideration. When composing 
concurrent threads, each thread belongs to the environment of the other and, hence, the guarantee of each thread must be 
included in the rely of the other. The parallel composition rule is therefore adapted to:
6 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25{
True
}
x := makeCounter();{
x → 0
}
// Weaken assertion{
∃n.x → n∧ n ≥ 0
}
{
∃n.x → n∧ n ≥ 0
}
incr(x);{
∃n.x → n∧ n ≥ 1
}
{
∃n.x → n∧ n ≥ 0
}
incr(x);{
∃n.x → n∧ n ≥ 1
}
{
∃n.x → n∧ n ≥ 1
}
Fig. 4. Reasoning about concurrent increments using interference abstraction.
RG-Parallel
R ∪ G2,G1 RG
{
P1
}
C1
{
Q 1
}
R ∪ G1,G2 RG
{
P2
}
C2
{
Q 2
}
R,G1 ∪ G2 RG
{
P1 ∧ P2
}
C1 ‖C2
{
Q 1 ∧ Q 2
}
The rely for C1 consists of the actions that may be performed by the wider environment, namely R , together with the 
actions that may be performed by C2, namely G2. The guarantee for C1 ‖ C2 consists of both the actions of C1 and the 
actions of C2, namely G1 ∪ G2.
The rely/guarantee speciﬁcations for the read and incr operations are:
A,∅ RG
{∃n.x → n} read(x) {∃n.x → n∧ ret ≤ n}
A, A RG
{∃n.x → n} incr(x) {∃n.x → n+ 1∧ ret ≤ n}
where A = {x → n x → n+ 1 | n ∈N}. The read speciﬁcation has an empty guarantee relation indicating that nothing is 
changed by the read. It has the rely relation A, stating that other threads can only increment the counter, and that they can 
do so as many times as they like. The incr speciﬁcation has the same rely relation. Its guarantee relation is also A, stating 
that the increment can increase the value of the counter. The guarantee must be deﬁned for all n, as the environment can 
change the counter value. This means that we cannot express that the incr operation only does a single increment.
The rely/guarantee speciﬁcation for the wkIncr operation is subtle. Recall that, intuitively, the wkIncr operation is 
intended to be used when no other threads are concurrently updating the counter. As a ﬁrst try, we can give a simple 
speciﬁcation with a rely condition that enforces this constraint:
∅,G RG
{
x → n} wkIncr(x) {x → n+ 1∧ ret = n}
where G  {x → n x → n+ 1}. The rely relation is empty, so this speciﬁcation cannot be used in a context where concur-
rent updates may occur. This means that the guarantee relation can be very precise, consisting of a single action.With this 
speciﬁcation, the wkIncr operation will effectively appear as a single atomic operation.
Although this speciﬁcation captures some of the intended behaviour of wkIncr, it is insuﬃcient to reason about the 
ticket lock. With the ticket lock, it is possible for two invocations of the wkIncr operation to be executing concurrently. 
Consider a situation in which one thread currently holds the lock, while another thread is attempting to acquire the lock 
(that is, it is in the loop of the acquire operation). Suppose that the ﬁrst thread executes the release operation, in 
which it calls wkIncr. After the body of wkIncr has executed, but before the call has returned, the second thread can 
perform its read and observe that it holds the lock. Moreover, it can then call the release operation, executing wkIncr
before the ﬁrst thread’s call to wkIncr has returned. Thus we have two concurrent invocations of wkIncr.
The above speciﬁcation does not allow this concurrent behaviour, since the empty rely relation rules out all concurrent 
updates to the counter. It is possible to allow such concurrent updates by changing the rely, but at the expense of weakening 
the postcondition:
R,G RG
{
x → n} wkIncr(x) {∃n′ ≥ n+ 1.x → n′ ∧ ret = n}
where R = {x →m x →m+ 1 | m ∈N,m > n} and G is as before. Notice that the rely states that concurrent increments 
can only happen when the value of the counter is above n. Also notice that, in generalising the rely, we must weaken the 
postcondition to make it stable.
In summary, this speciﬁcation is too weak to reason about the ticket lock. It is possible to instrument the code with 
auxiliary variables, as with the Owicki–Gries method, again leading to a loss of modularity.
Thesis The concept of interference abstraction, introduced in the rely/guarantee method, is important for the speciﬁcation of 
concurrent modules. By abstracting the interactions between different threads, speciﬁcations are able to express constraints 
on their concurrent contexts. This abstraction leads to more compositional reasoning: since the interference is part of the 
speciﬁcation, we do not need to examine proofs in order to justify parallel composition. While it may be speciﬁed differently, 
some form of interference abstraction is generally present in subsequent approaches to verifying concurrent programs.
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 73.4. Resource ownership
O’Hearn and Brookes developed a new style of Hoare-logic reasoning for concurrency based on resource ownership, ex-
tending the ideas of separation logic [13,14] to concurrency. They introduced concurrent separation logic [3,15], which 
provides a highly compositional approach to reasoning about concurrency. Resource ownership can be seen as a specialised 
form of auxiliary state and interference abstraction. Resource ownership provides auxiliary information that a thread has 
the right to access some resource; the program does not explicitly record which threads own which resources. Ownership 
also provides the simple interference abstraction that only a thread that owns a resource can update that resource.
Concurrent separation logic uses an assertion language based on the Bunched Logic of O’Hearn and Pym [16]. Assertions 
in separation logic treat data, such as heap cells or counter objects, as resources. Each operation acts on some speciﬁc re-
source, with the precondition requiring ownership of the resource it represents. When threads operate on disjoint resources, 
they do not interfere with each other and so their effects can be combined simply. This principle is embodied in the disjoint 
parallel composition rule:
Parallel
CSL
{
P1
}
C1
{
Q 1
} CSL {P2} C2 {Q 2}
CSL
{
P1 ∗ P2
}
C1 ‖C2
{
Q 1 ∗ Q 2
}
where the assertion P1 ∗ P2 in the conclusion describes the disjoint combination of the resources described by the assertions 
P1 and P2.
Remark 1. (Disjoint Resources) The fundamental idea behind separation logic [13,14] is to treat the heap as a resource, 
which can be subdivided into separate disjoint sub-heaps also treated as resources. Heap operations only require parts of 
the heap for their execution. For example, the update of a heap cell only requires the resource of the heap cell. The rest of 
the heap is not needed for the update. Such operations are local to the speciﬁc resource on which they operate, as they do 
no affect other parts of the heap.
Locality is expressed by the frame rule3:
Frame
CSL
{
P
}
C
{
Q
}
CSL
{
P ∗ R} C {Q ∗ R}
The frame rule allows us to reason about programs in a local way. We can focus our reasoning on the resource that the 
program uses; any additional resource, which would not be affected by the program, can be added using the frame rule. In 
particular, the premiss states that, if a program is run in a state described by precondition P then it will not fault and, if it 
terminates, the resulting state will be described by postcondition Q . The conclusion states that the program has the same 
behaviour if the disjoint resource R is added to the precondition and postcondition. This is possible because the separating 
conjunction ∗ enforces disjointness. 
In the original concurrent separation logic, resources can be shared between threads by using invariants. The resource 
associated with an invariant can only be accessed by a thread during a conditional critical region [3,15], which enforces 
coarse-grained synchronisation between accesses to the shared resource. We have seen that invariants with auxiliary state 
allow for precise reasoning, but they are less compositional than the interference abstraction provided by rely/guarantee 
reasoning. Subsequent developments in concurrent separation logic [17–19] incorporate various forms of rely/guarantee 
reasoning over shared resources in order to support reasoning about ﬁne-grained concurrency, where threads typically make 
multiple accesses to shared resources through atomic operations. The concurrent abstract predicate (CAP) [20] approach 
builds on this with abstractions that hide the shared resources, effectively allowing disjoint concurrent reasoning at the 
abstract level.
Let us illustrate this CAP reasoning on the counter module. Consider the concurrent abstract predicate Counter(x, n)
which denotes the existence of a counter at address x with value n. With our spin counter implementation, this abstract 
predicate simply describes the concrete sub-heap that is the heap cell x → n. Treating Counter(x, n) as a resource, we could 
use the original sequential speciﬁcation as a concurrent one. However, for multiple threads to use the counter, they would 
have to transfer the resource between each other using some form of synchronisation. Such a speciﬁcation effectively en-
forces sequential access to the counter. This is because the client has no mechanism for dividing the resource: in particular,
Counter(x,n) =⇒ Counter(x,n) ∗ Counter(x,n)
just does not hold since it is not possible to split the concrete heap into two parts which both contain the cell x → n.
3 In many presentations, the frame rule has a side-condition stating that program variables modiﬁed by C do not occur free in R . An alternative is to 
treat variables as resource, in which case the frame rule does not need a side-condition.
8 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25{
Counter(x,0,1)
}
{
Counter(x,0,0.5) ∗ Counter(x,0,0.5)
}
{
Counter(x,0,0.5)
}
incr(x){
Counter(x,1,0.5)
}
{
Counter(x,0,0.5)
}
incr(x){
Counter(x,1,0.5)
}
{
Counter(x,1,0.5) ∗ Counter(x,1,0.5)
}
{
Counter(x,2,1)
}
Fig. 5. Reasoning about concurrent increments using resource ownership.
Following Boyland [21], Bornat et al. [22] introduced permission accounting to separation logic. This allows shared re-
sources to be divided by associating with them a fraction in the interval (0, 1]. Shared resources may be subdivided 
by splitting this fraction. For instance, we may associate fractions with our counter resource and declare the logical ax-
iom:
Counter(x,n,π1 +π2) ⇐⇒ Counter(x,n,π1) ∗ Counter(x,n,π2)
for π1 +π2 ≤ 1. We can now modify our counter speciﬁcation to give concurrent read access:
CAP
{
Counter(x,n,π)
}
read(x)
{
Counter(x,n,π) ∗ ret = n}
CAP
{
Counter(x,n,1)
}
incr(x)
{
Counter(x,n+ 1,1) ∗ ret = n}
CAP
{
Counter(x,n,1)
}
wkIncr(x)
{
Counter(x,n+ 1,1) ∗ ret = n}
Notice that we require full permission (the 1) in order to perform either increment operation. This means that only con-
current reads are permitted; concurrent updates must be synchronised with all other concurrent accesses (both increments 
and reads). If only partial permission were necessary, then the speciﬁcation for read would be incorrect, since it could no 
longer guarantee that the value being read matched the resource it had.
It is possible to specify concurrent increments by changing how we interpret the counter predicate Counter(x, n, π). 
Now, the resource Counter(x, n, π) no longer asserts that the value of the counter is n, except if π = 1. Instead, it asserts 
that the thread is contributing n to the value of the counter; other threads may also have contributions. We can split this 
counter resource by declaring the logical axiom:
Counter(x,n1 + n2,π1 +π2) ⇐⇒ Counter(x,n1,π1) ∗ Counter(x,n2,π2)
for n1, n2 ∈N and π1, π2 ∈ (0, 1]. We then specify our counter operations as:
CAP
{
Counter(x,n,π)
}
read(x)
{
Counter(x,n,π) ∗ ret ≥ n}
CAP
{
Counter(x,n,1)
}
read(x)
{
Counter(x,n,1) ∗ ret = n}
CAP
{
Counter(x,n,π)
}
incr(x)
{
Counter(x,n+ 1,π) ∗ ret ≥ n}
CAP
{
Counter(x,n,1)
}
incr(x)
{
Counter(x,n+ 1,1) ∗ ret = n}
CAP
{
Counter(x,n,1)
}
wkIncr(x)
{
Counter(x,n+ 1,1) ∗ ret = n}
At last, we have a speciﬁcation that allows concurrent reads and increments.
Fig. 5 shows how this speciﬁcation can be used to verify the example of two concurrent increments. Whereas in Fig. 3
each thread was instrumented with different auxiliary code, here the code has not been changed. Rather than each thread 
having an auxiliary variable to record its contribution to the counter, the contribution is recorded in auxiliary resource that 
is owned by the thread and encapsulated in the Counter(x, n, π) predicate. This idea of subjective auxiliary state is at the 
core of Subjective Concurrent Separation Logic (SCSL) [23] (and the subsequent Fine-grained Concurrent Separation Logic 
(FCSL) [8,9]).
This speciﬁcation still has weaknesses. It requires the wkIncr operation to be synchronised with the other operations. 
It also does not guarantee that sequenced reads will never see decreasing values of the counter (since the contribution is 
not changed and only provides the lower bound). It is possible to describe a more elaborate permission system that allows
wkIncr in the presence of reads, and to extend the predicate to record the last known value as a lower bound for reads. 
This would give us a more useful, if somewhat cumbersome, speciﬁcation. However, it would still not handle the ticket 
lock. While a ticket lock has been veriﬁed using CAP reasoning [20], the proof depends on the atomicity of the underlying 
counter operations in order to synchronise access to shared resources. The proof does not work with any of our abstract 
speciﬁcations, since they simply do not embody the necessary atomicity.
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 9Thesis The concept of resource ownership, developed in the work on concurrent separation logic and its successors, is im-
portant for the speciﬁcation of concurrent modules. The idiom of ownership can be seen as a form of auxiliary state, which 
critically embodies a notion of disjointness and interference abstraction. Various approaches have explored the power of 
ownership for reasoning about concurrency [20,23,24,8,25,26,9,7]. While it is an effective concept, and can be used to give 
elegant speciﬁcations, something more is required to provide the strong speciﬁcations required for our ticket-lock exam-
ple.
3.5. Atomicity
Atomicity is the abstraction that an operation takes effect at a single, discrete instant in time. The concurrent behaviour 
of such operations is equivalent to a sequential interleaving of the operations. A client can use such operations as if they 
were simple atomic operations.
Herlihy and Wing introduced linearisability [4], a well-known correctness condition for atomicity, which identiﬁes when 
the operations of a concurrent module appear to behave atomically. Using the linearisability approach, each operation is 
given a sequential speciﬁcation. The operations are then proved to behave atomically with respect to each other. One way 
of seeing this is that there is an instant during the invocation of each operation at which that operation appears to take 
effect. This instant is referred to as the linearisation point. With linearisability, the interference of every operation is toler-
ated at all times by any of the other operations. Consequently, the interference abstraction is deemed to be the module 
boundary.
Given our sequential speciﬁcation for the counter in Section 3.1, is our implementation linearisable? If we only consider 
the read and incr operations, then yes, it is. However, the addition of the wkIncr operation breaks linearisability. The 
problem with wkIncr is that, for instance, two concurrent calls can result in the counter only being incremented once. 
This is not consistent with atomic behaviour.
The essence of the problem is that we only envisage calling wkIncr in a concurrent context where there are no other 
increments. In such a case, it would appear to behave atomically. However, the sequential speciﬁcation cannot express this 
constraint. We need an interference abstraction that constrains the concurrent context.
Linearisability is related to the notion of contextual reﬁnement. With contextual reﬁnement, the behaviour of program 
code is described by (more abstract) speciﬁcation code. (In general, this speciﬁcation code need not be directly executable.) 
Contextual reﬁnement asserts that the speciﬁcation code can be replaced by the program code in any context, without 
introducing new observable behaviours; we say that the program code contextually reﬁnes the speciﬁcation code. Filipovic´ 
et al. [27] have shown that, under certain assumptions about a programming language, linearisability implies contextual 
reﬁnement for that language. For a linearisable module, each operation contextually reﬁnes the operation itself executed 
atomically. For instance, the code for incr(x) contextually reﬁnes the atomic command 〈incr(x)〉. Conversely, contextual 
reﬁnement implies linearisability.
CaReSL [24] is a logic for proving contextual reﬁnement of concurrent programs. CaReSL makes use of auxiliary state, 
interference abstraction and ownership in the technical proofs. However, these concepts are not exposed in speciﬁcations. 
This means that it is not obvious what a suitable speciﬁcation of wkIncr in CaReSL should be.
Thesis The concept of atomicity, put forward by linearisability, is important for the speciﬁcation of concurrent modules. 
Atomicity can be seen as a form of interference abstraction: it effectively guarantees that the only observable interference 
from an operation will occur at a single instant in its execution. This is a powerful abstraction, since a client need not 
consider intermediate states of an atomic operation (which, for non-atomic operations, might violate invariants) but only 
the overall transformation it performs.
3.6. Synthesis
We now examine two approaches, a higher-order approach and a ﬁrst-order approach, that bring together the ideas we 
have so far discussed to provide expressive modular speciﬁcations for concurrent modules.
3.6.1. A higher-order approach
One way of overcoming the non-modularity of the Owicki–Gries method was introduced by Jacobs and Piessens [10]. 
Their key idea is to give higher-order speciﬁcations for operations, which are parametrised by auxiliary code that is 
performed when the abstract atomic operation appears to take effect (the linearisation point). Where previously we instru-
mented the code of the incr operation differently for different call sites, here it is instrumented uniformly; the auxiliary 
code is a parameter that is determined at the call site.
10 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25{
x → 0
}
y := 0;
z := 0;{
x → y+ z∧ y= 0∧ z= 0
}
In
va
ri
an
t:
x
→
y
+
z
{
y= 0∧ z= 0
}
{
y= 0
}
incr(x, λn.y := y+ 1;);{
y= 1
}
{
z= 0
}
incr(x, λn.z := z+ 1;);{
z= 1
}
{
y= 1∧ z= 1
}
{
x → y+ z∧ y= 1∧ z= 1
}
{
x → 2
}
Fig. 6. Reasoning about concurrent increments using parametrised auxiliary code.
Applying this idea to the incr operation we have the following code:
function incr(x,ρ) {
do {
v := [x];
〈b := CAS(x,v,v+ 1);
if (b = 0) { ρ(v); }〉
} while (b= 0);
return v;
}
Note that the function ρ is an auxiliary code parameter of the operation. When the atomic update to the counter occurs, 
ρ is invoked, which can update the client’s auxiliary state. The function ρ is parametrised by the value of the counter 
immediately before the update occurs, which allows the update to the auxiliary state to depend on this value.
The speciﬁcation of incr is parametrised by the speciﬁcation of the auxiliary code. Written as a proof rule, the speciﬁ-
cation is as follows:
I ∗ P ⇔ ∃n ∈N.x → n ∗ R(n) ∀n ∈N.  {x → n+ 1 ∗ R(n)} ρ(n) {I ∗ T (n)}
I  {P} incr(x,ρ) {T (ret)}
In the conclusion of this rule, the assertion I is an invariant; it is disjoint from the pre- and postcondition, and must be 
preserved by atomic updates of all threads. At the point where the counter is atomically incremented, the following steps 
conceptually take place:
1. the ﬁrst equivalence from the premiss is used to convert the disjoint combination of the invariant I and the precondition 
P into the disjoint combination of the counter heap assertion x → n and R(n) for some value of n;
2. the module performs the increment, updating x → n to x → n + 1; and
3. the auxiliary code ρ(n) is run, updating the combination of x → n + 1 and R(n) to the combination of I and T (n).
This speciﬁcation enables us to exploit the expressivity of auxiliary variables in a modular way. In particular, Fig. 6
shows how this technique can be used to prove two concurrent increments. The proof is very similar to the one shown 
in Fig. 3. The new speciﬁcation allows us to abstract the atomic update performed by the incr and use the same module 
implementation for both threads. The invariant I is instantiated as x → y+z. The predicate R(n) is instantiated as n = y+z. 
The predicates P and T are instantiated with the pre- and postconditions of incr at each call site. Since the lifetime of the 
threads is syntactically scoped, we can create an invariant that holds for this scope: we require it to hold before we enter 
the scope and assume that it holds after the scope; outside the scope, it is no longer invariant. (When threads are created 
by a fork operation, their lifetimes are not syntactically scoped, and so a different approach to invariants is required.)
The read operation can be speciﬁed as:
I ∗ P ⇔ ∃n ∈N.x → n ∗ R(n) ∀n ∈N.  {x → n ∗ R(n)} ρ(n) {I ∗ T (n)}
I  {P} read(x,ρ) {T (ret)}
Finally, recall that the wkIncr operation is intended to be used when there are no updates from the environment. This can 
be speciﬁed as:
I ∗ P ⇔ x → n ∗ R  {x → n+ 1 ∗ R} ρ(n) {I ∗ T (n)}
I  {P} wkIncr(x,ρ) {T (ret)}
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 11A key difference with the wkIncr speciﬁcation is that n is not quantiﬁed in the premisses. This is because the value of the 
counter must be preserved by other threads before the update.
Note that, although these speciﬁcations are written in the form of a proof rules, they are actually implications: the im-
plementation must show that the conclusion follows from the premisses, and a client can use the conclusion if it establishes 
the premisses. The predicates I , P , T and R , as well as the ghost code ρ , are universally quantiﬁed: the client can instantiate 
them as necessary.
This higher-order speciﬁcation approach has been adopted in other higher-order logics such as HOCAP [25], iCAP [26]
and Iris [7]. In these logics, auxiliary state is not manipulated by auxiliary code, but by view shifts [28]. These view shifts 
serve essentially the same purpose: they are able to update auxiliary state, but have no effect on the concrete state.
3.6.2. A ﬁrst-order approach
An alternative way of providing speciﬁcations for concurrent modules was introduced in the program logic TaDA [5,
6] using atomic triples. Rather than treating atomic speciﬁcations as a higher-order construct, atomic triples build such 
speciﬁcations into TaDA as a ﬁrst-order construct. An atomic triple has the form:
 Ax ∈ X .〈P (x)〉 C 〈Q (x)〉
Abstractly, this can be read as: C atomically updates P (x) to Q (x), under the assumption that the environment ensures that, 
before the atomic update, P (x) holds continuously for some x ∈ X which may change over time. The “pseudo-quantiﬁer” A
is part of the syntax of the TaDA speciﬁcation, and not a quantiﬁer in the underlying assertion language. If x were bound by 
the standard universal quantiﬁer ∀ instead, C would still update P (x) to Q (x) for arbitrary x, but the environment would 
not be permitted to change the value of x. The 
A
x binding combines the arbitrary nature of x (hence the resemblance to ∀) 
and the changeable nature of x.4
This abstract description hides the subtle behaviour permitted by an implementation. The implementation may assume 
that the assertion P (x0) holds initially for some x0 ∈ X . The implementation must tolerate continual interference from the 
environment updating P (x) to P (x′) for any x, x′ ∈ X . The implementation may make updates, but it must preserve P (x)
at each step; it cannot change the value of x itself. At some point, the implementation must update P (x) to Q (x) for the 
current choice of x, if the implementation terminates. After this update, Q (x) is no longer available to the implementation 
and another thread may be using it.
In TaDA, resources may belong to a particular thread or be shared between all threads. Shared resources are encapsulated 
by shared regions, a kind of invariant which establish protocols for threads to use the encapsulated resources. To ensure that 
the protocol is followed, a thread can only access the contents of a shared region for the duration of an atomic operation, 
and the atomic update must conform to the region’s protocol. To use C with the above atomic speciﬁcation to update 
a shared region, the region’s protocol must ensure that P (x) currently holds, and will continue to do so for arbitrary, 
changeable x ∈ X . Moreover, the thread must have the right to perform the update from P (x) to Q (x) according to the 
protocol.
With the counter example in TaDA, the counter operations are speciﬁed in terms of an abstract predicate [30] that 
represents the state of a counter: the abstract predicate Counter(s, x, n) asserts the existence of a counter at address x with 
value n. The ﬁrst parameter s ranges over an abstract type T1, which captures implementation-speciﬁc information about 
the counter. To the client, the type is opaque; the implementation realises the type appropriately. The predicate confers 
ownership of the counter: it is not possible to have more than one Counter(s, x, n) for the same value of x.
The speciﬁcation for the makeCounter operation is a simple Hoare triple:
 {True} makeCounter() {∃s ∈ T1.Counter(s, ret,0)}
The operation creates a new counter, which is initially set to value 0, and returns its address. The speciﬁcation says nothing 
about the granularity of the operation. In fact, the granularity is hardly relevant, since no concurrent environment can 
meaningfully observe the effects of makeCounter until its return value is known: that is, once the operation has been 
completed.
Remark 2 (On the abstractly-typed parameters). Typically, a proof of a speciﬁcation concludes with a step that existentially 
quantiﬁes over some ﬁxed parameters in the representation of the data structure. With the atomic speciﬁcations of TaDA, 
this approach is not possible as the following rule is unsound:
 〈P (s)〉 C 〈Q (s)〉
 〈∃s. P (s)〉 C 〈∃s. Q (s)〉
This rule is unsound in because, in the conclusion, the environment is able to change the value of s, while in the premiss the 
value cannot be changed by the environment. (A limited form of atomic existential rule is sound [29], where the parameter 
4 In Ntzik’s thesis [29], which combines TaDA with reﬁnement, 
A
x is interpreted as a combination of universal quantiﬁcation with stuttering and mum-
bling reﬁnement rules that account for x changing over time.
12 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25in the premiss is bound by 
A
.) Since we cannot abstract in this fashion, we instead expose the parameter s. The client 
does not need to know any particular information about s, only that it should not be changed; hence, the type of s can be 
abstracted.
In contrast, a higher-order logic can avoid this additional parameter. This is done by specifying in the postcondition of 
the constructor (makeCounter) that there exists some predicate Counter for which the counter operations satisfy their 
speciﬁcations:
{True}
x := makeCounter(){∃Counter.Counter(0) ∗ (  An ∈N.〈Counter(n)〉 read(x) 〈Counter(n) ∗ ret = n〉) ∗ . . .}
Since the parameter is speciﬁc to the particular instance of the counter, it is abstracted in the existentially-quantiﬁed Counter
predicate. (Indeed, the address of the counter can also be abstracted in the predicate.) The parameter s can be viewed as an 
artefact of defunctionalising the higher-order speciﬁcation. 
The speciﬁcation for the read(x) operation is the atomic triple:
 An ∈N.〈Counter(s,x,n)〉 read(x) 〈Counter(s,x,n) ∗ ret = n〉
Intuitively, this speciﬁcation states that the read operation will read the state of the counter atomically, even in the pres-
ence of concurrent updates by the environment that may change the value of the counter, which are possible as n is bound 
by 
A
. However, the environment must preserve the counter and cannot, for instance, deallocate it.
This atomicity means that the resources in the speciﬁcation may be shared: that is, concurrently accessible by multiple 
threads. Sharing in this way is not possible with ordinary Hoare triples, since they make no guarantee that intermediate 
steps preserve invariants on the resources. The atomic triple, by contrast, makes a strong guarantee: as long as the concur-
rent environment guarantees that the (possibly) shared resource Counter(s, x, n) is available for some n, the read operation 
will preserve Counter(s, x, n) until it reads it; after reading, the operation no longer requires Counter(s, x, n), and is conse-
quently oblivious to subsequent transformations by the environment such as another thread incrementing the counter.
It is signiﬁcant that the notion of atomicity is tied to the abstraction in the speciﬁcation. The predicate Counter(s, x, n)
can abstract multiple underlying states in the implementation. If we were to observe the underlying state, the operation 
might no longer appear to be atomic.
The speciﬁcation of the incr is similar:
 An ∈N.〈Counter(s,x,n)〉 incr(x) 〈Counter(s,x,n+ 1) ∗ ret = n〉
The speciﬁcation states that incr operation will increment the state of the counter atomically and return its previous 
value, even in the presence of concurrent updates by the environment that may change the value of the counter, which are 
possible as n is bound by 
A
.
The speciﬁcation of the wkIncr operation is slightly different:
∀n ∈N.  〈Counter(s,x,n)〉 wkIncr(x) 〈Counter(s,x,n+ 1) ∗ ret = n〉
The speciﬁcation states that the wkIncr will increment the state of the counter atomically and return the previous value, 
as long as the environment guarantees that the shared counter will not change the value before the atomic update. This 
speciﬁcation holds for arbitrary n, but this n cannot be changed by the environment as it is universally quantiﬁed in the 
standard sense. This means that, if the counter is shared, other threads can concurrently only perform read operations 
until the counter has been incremented. It is, however, possible for other incr or wkIncr operations to occur between 
the update and the return of the operation.
Atomic triples specify operations with respect to an abstract assertion, such as the Counter(s, x, n). This means that each 
operation can be veriﬁed independently of the modules of the library. This makes it possible to extend modules with new 
operations without having to verify the existing operations again. Linearisability, by contrast, is a whole module property: 
the addition of new operations such as wkIncr can break the linearisability of the module.
TaDA [5] introduced a generalised version of the atomic triple that combines atomic updates to shared resources with 
non-atomic updates to resources owned by the thread. For example, we can use this to specify an operation that reads the 
value of the counter into a buffer: the read happens atomically, but the write to the buffer does not, and so ownership 
of the buffer must be transferred between the client and implementation. Such speciﬁcations are not possible with tradi-
tional linearisability, although Gotsman and Yang [31] have proposed an extension of linearisability that supports ownership 
transfer.
Remark 3 (On relating ﬁrst-order and higher-order approaches). We can relate the ﬁrst-order approach to the higher-order 
approach by encoding atomic triples in the higher-order setting. This approach was taken with Iris [7]. In the Jacobs–Piessens 
logic, the atomic triple
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 13 Ax ∈ X .〈P (x)〉 C 〈Q (x, ret)〉
can be encoded as the “rule”
I ∗ S ⇔ ∃x ∈ X . P (x) ∗ R(x) ∀x ∈ X .  {Q (x, ret) ∗ R(x)} ρ(x) {I ∗ T (ret)}
I  {S} C {T (ret)}
This encodes how an atomic triple may be used which, in TaDA, is expressed through the proof rules for the atomic triples. 
The ﬁrst premiss is used to guarantee that the environment maintains P (x) initially. The second premiss establishes that it 
is legal to update P (x) to Q (x).
In Section 4, we show proofs using both approaches. While the details differ, the essence of the proofs are the same in 
each approach. 
Evaluation A combination of auxiliary state, interference abstraction, resource ownership and atomicity makes it possible to 
specify modules in a way that is both precise and modular. The speciﬁcations described in this section are precise enough 
to derive the earlier speciﬁcations we have considered. As we shall see in Section 4, they are also precise enough to verify a 
client such as the ticket lock, which uses counters to provide synchronisation. Furthermore, the speciﬁcations do not expose 
implementation details. This makes it possible to vary the implementation without changing the speciﬁcation, which would 
require updating proofs of client modules. The result is an expressive, modular approach to speciﬁcation and veriﬁcation of 
concurrent modules.
4. Veriﬁcation
We have discussed both higher-order and ﬁrst-order approaches to giving expressive, modular speciﬁcations for concur-
rent programs. We now show how these approaches can be used to verify the spin-counter implementation given in Section 
2.1, and the ticket-lock client of the counter given in Section 2.2. We begin with the ﬁrst-order approach of TaDA, before 
comparing it with a higher-order approach in the style of Jacobs and Piessens.
Remark 4 (Constructors). We omit the proofs for the constructors makeCounter and makeLock, focusing instead on the 
operations that speciﬁcally involve abstract atomicity.
4.1. First-order approach
In Section 3.6.2, we used TaDA’s ﬁrst-order approach to specify the spin counter using atomic triples. TaDA has proof rules 
for establishing atomic triples. These rules involve shared regions, which are TaDA’s mechanism for providing interference 
abstraction over shared state.
4.1.1. Spin counter
Recall the spin counter implementation from Section 2.1 and the counter speciﬁcation from Section 3.6.2. To verify the 
implementation against the speciﬁcation, we must give an interpretation of the abstract predicate Counter(s, x, n) including 
an interpretation of the abstract type T1 of its ﬁrst parameter, and prove the implementation against the speciﬁcation under 
this interpretation. Since the speciﬁcations are atomic, we cannot simply interpret Counter(s, x, n) as x → n. Instead, TaDA 
requires that x → n be encapsulated by a shared region, which determines the interference abstraction associated with the 
counter.
A shared region encapsulates resource that is available to multiple threads when they perform atomic operations. The 
region enforces a protocol that determines how threads can mutate the encapsulated resource. Rather than expressing the 
protocol for a region directly in terms of the resource it encapsulates, the region is associated with a set of abstract states, 
and the protocol is speciﬁed in terms of these. An interpretation function determines the concrete resource that is associated 
with each abstract state.
The region is associated with abstract resources called guards — a form of auxiliary state — that determine the role that 
a thread can play in the protocol. The protocol is deﬁned as a labelled transition system on the abstract states of the region, 
where the labels are guards. To change the state of the shared region, a thread needs to own the guard associated with 
the transition it will perform. The guard that a thread owns determines the possible guards that the environment can own, 
thus limiting the transitions that are available to the environment. Consequently, the guards determine what knowledge a 
thread can have about the region that is stable: that is, continues to hold under the actions of other threads. In TaDA, the 
guards for a region are speciﬁed as a partial commutative monoid (PCM). This gives us the ﬂexibility to specify complex 
usage patterns for regions.
Remark 5 (Partial commutative monoids as auxiliary state). Since concurrent separation logic, there has been extensive 
work [32,33,28,7] on using partial commutative monoids to model auxiliary state. Partial commutative monoids allow us 
14 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25to express complex patterns for subdividing resources. A partial commutative monoid (G, •, 0) consists of a carrier set G
equipped with a partial binary operator • : G × G ⇀ G and a neutral (or identity) element5 0 ∈ G satisfying:
• Commutativity: x • y = y • x when either is deﬁned.
• Associativity: x • (y • z) = (x • y) • z when either is deﬁned.
• Identity: x • 0 = 0 • x = x. 
The guard PCM, protocol and interpretation function associated with a region are determined by a region type. We deﬁne 
a region type Counter for counter regions. Multiple regions can have the same region type; for example, the ticket lock uses 
two counters, and hence two instances of the Counter region type. We distinguish instances by giving each region a distinct 
region identiﬁer. A region type can be parametrised: Counter is parametrised by the address of the heap cell representing 
the counter. Region type parameters do not change during the lifetime of the region, unlike the region’s abstract state. For 
a Counter region, the abstract state is a natural number representing the current value of the counter. To specify a Counter
region with region identiﬁer a, parameter x and current state n, we write Countera(x, n).
The guard PCM associated with Counter regions simply comprises an indivisible guard Inc, which is used to increment 
the counter, and the empty guard 0. The composition Inc • Inc is undeﬁned, and all other compositions are determined by 
0 being the neutral element.
The set of abstract states for Counter regions is the set of natural numbers N, representing the possible values of the 
counter. The labelled transition system for the region enables the counter to be incremented using the guard Inc. This is 
speciﬁed by:
Inc : ∀n.n n+ 1
The region interpretation function I for Counter regions is:
I(Countera(x,n)) x → n.
With this interpretation, the heap cell that contains the value of the counter is always in the region, and its value corre-
sponds to the abstract state of the region.
Remark 6 (Protocols). Protocols enforce a set of rules governing how threads can mutate and exchange resources. Protocols 
exist in many forms, the simplest form being unary invariants such as the ones used in concurrent separation logic. With a 
unary invariant, all updates must preserve the invariant assertion. Another form of a protocol is the relational invariants used 
in rely/guarantee reasoning. With a relational invariant, updates can only change the state in accordance with the invariant 
relation: for the environment, this is the rely relation; for the thread, this is the guarantee relation. Various approaches, 
such as RGSep [17], LRG [18], CAP [20], VCC [34], Verifast [10] and HOCAP [25], have localised the notion of protocols 
to speciﬁc shared resources, often as regions or other similar constructs. CaReSL [24], SCSL [23] and iCAP [26] extended 
the concept of regions with a notion of abstract state and a transition system over those abstract states: in CaReSL these 
protocols are called islands; in SCSL they are called concurroids; and in iCAP and, following iCAP, TaDA[5], Total-TaDA [35]
and Caper [36], they are called shared regions. Iris [7] encodes regions with state transition systems using unary invariants 
and partial commutative monoids. Finally, some logics support additional abstraction over the protocol actions, such as 
LRG [18], SCSL [23] and CoLoSL [37]. 
Having deﬁned the Counter region type, we can now give a concrete interpretation to the abstract predicate 
Counter(s, x, n) and the abstract type T1:
T1  RId
Counter(a, x,n)  Countera(x,n) ∗ [Inc]a
Here, RId is the set of region identiﬁers. The region assertion Countera(x, n) asserts that there exists a Counter region with 
identiﬁer a and parameter x in state n. The guard assertion [Inc]a asserts ownership of guard Inc for region a. Notice that 
the Counter(a, x, n) predicate encapsulates ownership of both a Counter shared region and the guard Inc required to update 
the region.
We are now in a position to prove that the counter implementation satisﬁes the speciﬁcation using the above deﬁnitions. 
The proof outlines for the read, incr and wkIncr operations are given in Figs. 7, 8 and 9, respectively. These proofs use 
TaDA’s core proof rules for deriving atomic speciﬁcations: MakeAtomic and UpdateRegion. The MakeAtomic rule allows us 
to derive an atomic speciﬁcation that updates a shared region, provided evidence that the code performs a single atomic 
update on the region, under suitable constraints on how the environment can update the region. The UpdateRegion rule is 
used to perform the update at the linearisation point, and produces the evidence of this update.
5 An alternative deﬁnition of PCMs uses a set of neutral elements. The deﬁnition given here is typically simpler to use.
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 15A
n ∈N.〈
Counter(s,x,n)
〉
A
bs
tr
ac
t;
le
t
s
=
a
〈
Countera(x,n) ∗ [Inc]a
〉
M
ak
eA
to
m
ic
a : n ∈N n {∃n ∈N.Countera(x,n) ∗ a ⇒}
U
pd
at
eR
eg
io
n
A
n ∈N.〈
x → n〉
v := [x];〈
x → n ∗ v= n〉{∃n ∈N.v= n ∗ a ⇒ (n,n)}
return v;{∃n ∈N.a ⇒ (n,n) ∗ ret = n}〈
Countera(x,n) ∗ [Inc]a ∗ ret = n
〉〈
Counter(s,x,n) ∗ ret = n〉
Fig. 7. Proof outline for the read operation.
A
n ∈N.〈
Counter(s,x,n)
〉
A
bs
tr
ac
t;
le
t
s
=
a
〈
Countera(x,n) ∗ [Inc]a
〉
M
ak
eA
to
m
ic
a : n ∈N n+ 1 {∃n ∈N.Countera(x,n) ∗ a ⇒}
do {{∃n ∈N.Countera(x,n) ∗ a ⇒}
O
pe
n
Re
gi
on
A
n ∈N.〈
x → n〉
v := [x];〈
x → n ∗ v= n〉{∃n ∈N.Countera(x,n) ∗ a ⇒ ∗ n ≥ v}
U
pd
at
eR
eg
io
n An ∈N.〈
x → n ∗ n ≥ v〉
b := CAS(x,v,v+ 1);〈
if b= 0 then x → n
else x → n+ 1 ∗ v= n
〉
{∃n ∈N. if b= 0 then Countera(x,n) ∗ a ⇒ else a ⇒ (n,n+ 1) ∗ v= n}
} while (b= 0);{∃n ∈N.a ⇒ (n,n + 1) ∗ v= n}
return v;{∃n ∈N.a ⇒ (n,n + 1) ∗ ret = n}〈
Countera(x,n+ 1) ∗ [Inc]a ∗ ret = n
〉〈
Counter(s,x,n+ 1) ∗ ret = n〉
Fig. 8. Proof outline for the incr operation.
We consider a simpliﬁed version of TaDA’s MakeAtomic rule:
{(x, y) | x ∈ X, y ∈ Q (x)} ⊆ Tt(G)∗ R is pure
a : x ∈ X Q (x)  {∃x ∈ X . ta(z, x) ∗ a ⇒ } C {∃x ∈ X, y ∈ Q (x).a ⇒ (x, y) ∗ R(x, y)}
 Ax ∈ X .〈ta(z, x) ∗ [G]a〉 C 〈∃y ∈ Q (x). ta(z, y) ∗ [G]a ∗ R(x, y)〉
The region assertion ta(z, x) asserts that the region with identiﬁer a is of type t (for example Counter), with parameters z, 
and is in state x. The conclusion of the rule establishes that C effectively atomically updates this region from some state 
x ∈ X to some state y ∈ Q (x) using the guard G for the region.
The ﬁrst premiss requires that this update is permitted by the transition system given the guard G. Here, Tt(G) is the 
set of transitions for region type t that are labelled by G. We assume that this is closed upwards under adding resource: 
if (a, b) ∈ Tt(G) then (a, b) ∈ Tt(G • H) for all H with G • H deﬁned. Then Tt(G)∗ is the reﬂexive-transitive closure of this 
relation. The second premiss requires the assertion R to be pure: that is, independent of resources and regions. The ﬁnal 
premiss captures the notion of atomicity of C, with respect to the abstraction in the conclusion, as a proof obligation. 
Speciﬁcally, the region must be in the state x for some x ∈ X , which may be changed by the environment, until at some 
point the thread updates it to some y ∈ Q (x). This obligation is expressed using two new technical concepts that are used 
in the premiss. The ﬁrst, a : x ∈ X  Q (x), is called the atomicity context. The atomicity context records the actual abstract 
atomic action that is to be performed: from some state x ∈ X to a state in Q (x). The second, a ⇒ −, is the atomic tracking 
resource. The atomic tracking resource indicates whether the atomic update has occurred (the a ⇒  indicates it has not) 
16 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25〈
Counter(s,x,n)
〉
A
bs
tr
ac
t;
le
t
s
=
a
〈
Countera(x,n) ∗ [Inc]a
〉
M
ak
eA
to
m
ic
a : n n+ 1 {
Countera(x,n) ∗ a ⇒
}
O
pe
n
Re
gi
on 〈
x → n〉
v := [x];〈
x → n ∗ v= n〉
{
Countera(x,n) ∗ a ⇒ ∗ v= n
}
U
pd
at
eR
eg
io
n 〈
x → n ∗ v= n〉
[x] := v+ 1;〈
x → n+ 1 ∗ v= n〉
{
a ⇒ (n,n+ 1) ∗ v= n}
return v;{
a ⇒ (n,n+ 1) ∗ ret = n}〈
Countera(x,n+ 1) ∗ [Inc]a ∗ ret = n
〉〈
Counter(s,x,n+ 1) ∗ ret = n〉
Fig. 9. Proof outline for the wkIncr operation.
and, if it has, the state of the shared region immediately before and after (the a ⇒ (x, y) indicates an update from x to 
y). The resource a ⇒  also plays two special roles that are normally ﬁlled by guards. Firstly, it limits the interference 
on region a: the environment may only update the state so long as it remains in the set X , as speciﬁed by the atomicity 
context. Secondly, it confers permission for the thread to update the region from state x ∈ X to any state y ∈ Q (x); in doing 
so, the thread also updates a ⇒  to a ⇒ (x, y). This permission is expressed by the UpdateRegion rule (described below), 
and ensures that the atomic update only happens once.
In the proof of the read operation given in Fig. 7, the MakeAtomic rule is instantiated as follows:
{(n,n) | n ∈N} ⊆ TCounter(Inc)∗ = {(n,n+ 1) | n ∈N}∗ = {(n,m) | n,m ∈N∧ n ≤m}
a : n ∈N n  {∃n ∈N.Countera(x,n) ∗ a ⇒ } v := [x];return v; {∃n ∈N.a ⇒ (n,n) ∗ ret = n}
 An ∈N.〈Countera(x,n) ∗ [Inc]a〉 v := [x];return v; 〈Countera(x,n) ∗ [Inc]a ∗ ret = n〉
Here, we choose the pure assertion R(x, y)  (ret = x). Since Q (x)  {x}, we simplify the postconditions by eliminating the 
existentially quantiﬁed variable y.
The second key TaDA proof rule is the UpdateRegion rule, which uses the atomicity tracking resource to update a region. 
A simpliﬁed version of this rule is as follows (where ∗ binds tighter than ∨):
 Ax ∈ X .〈I(ta(z, x)) ∗ P (x)〉 C 〈(∃y ∈ Q (x). I(ta(z, y)) ∗ Q 1(x, y))∨ I(ta(z, x)) ∗ Q 2(x)〉
a : x ∈ X Q (x)  {∃x ∈ X . ta(z, x) ∗ P (x) ∗ a ⇒ } C
{∃x ∈ X . (∃y ∈ Q (x). Q 1(x, y) ∗ a ⇒ (x, y))
∨ ta(z, x) ∗ Q 2(x) ∗ a ⇒ 
}
In the premiss of this rule, either the atomic operation updates the state of the region to some y ∈ Q (x), or the state is 
unchanged. In the conclusion, this is represented by either updating the atomic tracking resource to a ⇒ (x, y), or leaving it 
as a ⇒ . Note that, if y = x in the postcondition, the abstract state of the region is not changed and we can either perform 
the atomic update or not.
In the proof of the read operation in Fig. 7, the UpdateRegion rule is instantiated as follows:
 An ∈N.〈x → n〉 v := [x]; 〈x → n ∗ v= n〉
a : n ∈N n  {∃n ∈N.Countera(x,n) ∗ a ⇒ } v := [x]; {∃n ∈N.v= n ∗ a ⇒ (x, y)}
Here, we choose P (x)  True, Q 1(x, y)  (v= x) and Q 2(x)  False, and simplify the assertions.
The proof of the read implementation (Fig. 7) ﬁrst rewrites the speciﬁcation using the deﬁnition of the Counter predi-
cate. It is then possible to apply the MakeAtomic rule. The atomicity context allows the region a to be in any abstract state 
n ∈ N. The UpdateRegion rule performs the atomic action, which leaves the region in the same state and records the state 
in the atomic tracking resource.
The proof of the incr implementation (Fig. 8) follows a similar style. The main difference is that, when entering the 
loop, it ﬁrst performs a read operation and stores the current value of the counter in v. The OpenRegion rule allows a region 
to be opened for an atomic operation, provided that the abstract state is unchanged. Here, it is used to read the value of 
the counter. The UpdateRegion rule is then used to perform the atomic action conditionally. If the atomic compare-and-set 
operation succeeds, the region transitions from state n to n + 1 and the atomic tracking component is updated. If it fails, 
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 17the region remains in the same state and the atomic tracking component is not updated. The loop will repeat until the 
compare-and-set succeeds, with the loop invariant ensuring that the region has not yet been updated. After the loop, the 
region is guaranteed to have been updated.
The proof of the wkIncr implementation (Fig. 9) is somewhat similar to incr, except that the atomicity context does 
not allow the environment to change the abstract state of the region before the atomic update occurs. Consequently, the 
update to the region is always successful.
4.1.2. Ticket lock
We give a speciﬁcation for a lock based on ownership transfer. We show how to prove that the ticket lock implementa-
tion from Section 2.2 satisﬁes this speciﬁcation using the atomic speciﬁcation of the counter.
Lock speciﬁcation We start by specifying the lock module using a speciﬁcation based on ownership transfer, ﬁrst given in 
the work on CAP reasoning [20]. The speciﬁcation provides two abstract predicates: IsLock(x), which is a non-exclusive 
resource that allows a thread to compete for the lock; and Locked(x), which is an exclusive resource that represents that 
the thread has acquired the lock, and allows it to release the lock. The lock is speciﬁed as follows:
 {True} makeLock() {IsLock(ret)}
 {Locked(x)} release(x) {True}
 {IsLock(x)} acquire(x) {IsLock(x) ∗ Locked(x)}
IsLock(x) ⇐⇒ IsLock(x) ∗ IsLock(x)
Locked(x) ∗ Locked(x) =⇒ False
When a thread acquires the lock, it gets the Locked(x) predicate that can subsequently be used to release the lock. 
The last two axioms respectively allow us to duplicate the non-exclusive resource describing the existence of a lock, and 
guarantee that two threads cannot hold the Locked(x) resource at the same time.
Implementation To verify this implementation against the atomic speciﬁcation, we ﬁrst deﬁne a shared region for the ticket 
lock. Recall that the ticket lock comprises two counters: the ﬁrst counter records the next available ticket, while the second 
counter records the ticket which currently holds the lock. The lock is considered unlocked when the two counters are equal. 
In order for a thread to acquire the lock, it must obtain a ticket by incrementing the ﬁrst counter and then must wait until 
the second counter reaches the value of the obtained ticket. To release the lock, a thread simply increments the second 
counter.
To verify the implementation, we introduce a new shared region type, TLock. The abstract state of the region will 
be a natural number n, representing the ticket that currently holds the lock. The guard PCM is generated by the guards 
Pending(n, m), for n ≤m ∈N, and Key(n), for n ∈N, subject to the following rules:
Pending(n1,m1) • Pending(n2,m2) undeﬁned
Key(n) • Key(n) undeﬁned
Pending(n,m) • Key(v) deﬁned =⇒ n ≤ v <m
Pending(n,m) = Pending(n,m+ 1) • Key(m)
Pending(n,m) • Key(n) = Pending(n+ 1,m)
Conceptually, Key(n) will represent ownership of ticket n for the lock. The guard Pending(n, m) tracks the yet-to-be-used 
tickets that are currently held by threads, namely those between n and m −1 inclusive. The last two rules allow us to extract 
and merge tickets with the Pending guard. This PCM can be seen as an instance of the authoritative monoid of Iris [7]. 
(Speciﬁcally, it is the authoritative monoid on the monoid of ﬁnite subsets of N under disjoint union. Here, Pending(n, m) =
• {i | n ≤ i <m} and Key(n) = ◦ {n}.) An alternative approach would be to have only Key guards, one for each natural number, 
and deﬁne Pending as an inﬁnite combination of Key guards, as in [38,20].
The labelled transition system is given by:
Key(n) : n n+ 1
It ensures that a thread must hold the ticket Key(n) in order to pass ownership of the lock to the next ticket.
We deﬁne the region interpretation for TLock regions by:
I(TLocka(x, s, t,owner,next,n)) ∃m. x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n)
∗ Counter(t,next,m) ∗ [Pending(n,m)]a ∗ n ≤m
18 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25{
Locked(x)
}
A
bs
tr
ac
t;
Ex
is
ts
:a
,s
,t
,o
w
ne
r,
ne
xt {∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(n)]a}
owner := [x.owner];{∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(n)]a ∗ owner= owner}
Ex
is
ts
:n
{
TLocka(x, s, t,owner,next,n) ∗ [Key(n)]a ∗ owner= owner
}
U
se
A
to
m
ic
〈∃m.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n) ∗ Counter(t,next,m)
∗ [Pending(n,m)]a ∗ n ≤m ∗ [Key(n)]a ∗ owner= owner
〉
wkIncr(owner);〈∃m.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n+ 1)
∗ Counter(t,next,m) ∗ [Pending(n+ 1,m)]a ∗ n+ 1≤m ∗ owner= owner
〉
{∃n.TLocka(x, s, t,owner,next,n)}{∃n.TLocka(x, s, t,owner,next,n)}{
True
}
Fig. 10. Proof outline for the release operation.
In the region, x is the address of the lock and enables us to retrieve both counter addresses, located at owner and next
respectively, and n is the value of the owner counter. In addition, the logical variables s and t denote parameters associated 
with the two counter abstract predicates.
We now deﬁne the interpretation of the predicates as follows:
IsLock(x)  ∃a, s, t,owner,next,n.TLocka(x, s, t,owner,next,n)
Locked(x)  ∃a, s, t,owner,next,n.TLocka(x, s, t,owner,next,n) ∗ [Key(n)]a
The abstract predicate IsLock(x) asserts there is a ticket lock region with address x in some state n. Locked(x) additionally 
asserts ownership of the guard [Key(n)]a which can be used to update the region. Note that by holding the Locked(x)
exclusively, we guarantee that the region abstract state cannot be changed by the environment, as no other thread holds 
the guard (Key(n)) necessary to perform the update action.
It remains to prove the speciﬁcations for the operations and the axioms. The last key TaDA rule that we mention is the
UseAtomic rule. A simpliﬁed version of the rule is as follows:
∀x ∈ X . (x, f (x)) ∈ Tt(G)∗  Ax ∈ X .
〈
I(ta(z, x)) ∗ P (x) ∗ [G]a
〉
C
〈
I(ta(z, f (x))) ∗ Q (x)
〉
 {∃x ∈ X . ta(z, x) ∗ P (x) ∗ [G]a} C {∃x ∈ X . ta(z, f (x)) ∗ Q (x)}
This rule allows a region a, with region type t, to be opened so that it may be updated by C, from some state x ∈ X to state 
f (x). In order to do so, the precondition must include a guard G that is suﬃcient to perform the update to the region, in 
accordance with the labelled transition system as is established by the ﬁrst premiss.
The proofs of the release and acquire operations are given in Fig. 10 and Fig. 11. The interesting part of release is 
the call to wkIncr. Here, the thread has the Key(n) guard for the current state of the lock n. The UseAtomic rule is applied 
choosing X = {n} and f (x) = n + 1. When the region is opened, the guards Pending(n, m) and Key(n) combine to give 
Pending(n + 1, m). Together with the update to the owner counter, the region is closed in state n + 1. In the postcondition 
of the UseAtomic rule, we must stabilise the assertion to account for the environment’s possible changes to the region. 
Ultimately, we weaken the postcondition to True, as required by the speciﬁcation.
The acquire proof uses the 
A
quantiﬁer in the premiss of the UseAtomic rule to account for the fact that the state of 
the lock is not stable. The ﬁrst use of the UseAtomic rule increments the counter and retrieves a Key(t) for the value read. 
After the read, because we own Key(t), we can guarantee that the state of the region cannot be larger than t, i.e. that the 
environment does not have the necessary guards to perform such a transition. The loop then simply waits until the state of 
the region matches the ticket. When that happens, we know it cannot change as long as we own the guard Key(t) and as 
such we can satisfy the Locked(x) predicate.
The axiom IsLock(x) ⇐⇒ IsLock(x) ∗ IsLock(x) follows from the duplicability of region assertions: that is, TLocka(x, s, t,
owner, next, n) ⇐⇒ TLocka(x, s, t, owner, next, n) ∗TLocka(x, s, t, owner, next, n). Finally, the axiom Locked(x) ∗Locked(x) =⇒
False follows from the fact that Key(n) • Key(n) is undeﬁned.
4.2. Higher-order approach
We now consider how the spin-counter implementation and the ticket-lock client can be veriﬁed in a higher-order 
approach based on that of Jacobs and Piessens [10]. Similar proofs are possible in other higher-order separation logics, such 
as HOCAP [25], iCAP [26] and Iris [7], although the details vary.
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 19{
IsLock(x)
}
A
bs
tr
ac
t;
Ex
is
ts
:a
,s
,t
,o
w
ne
r,
ne
xt
{∃n.TLocka(x, s, t,owner,next,n)}
next := [x.next];
owner := [x.owner];{∃n.TLocka(x, s, t,owner,next,n) ∗ next= next ∗ owner= owner}
U
se
A
to
m
ic
A
n.〈∃m.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n) ∗ Counter(t,next,m)
∗ [Pending(n,m)]a ∗ n ≤m ∗ next= next ∗ owner= owner
〉
t := incr(next);〈∃m′.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n) ∗ Counter(t,next,m′)
∗ [Pending(n,m′)]a ∗ n ≤m′ ∗ [Key(t)]a ∗ t=m′ − 1≥ n ∗ next= next ∗ owner= owner
〉
{∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(t)]a ∗ n ≤ t ∗ next= next ∗ owner= owner}
do {{∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(t)]a ∗ n ≤ t ∗ next= next ∗ owner= owner}
U
se
A
to
m
ic
A
n.〈∃m.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n) ∗ Counter(t,next,m)
∗ [Pending(n,m)]a ∗ n ≤m ∗ [Key(t)]a ∗ n ≤ t ∗ next= next ∗ owner= owner
〉
v := read(owner);〈∃m.x.owner → owner ∗ x.next → next ∗ Counter(s,owner,n) ∗ Counter(t,next,m)
∗ [Pending(n,m)]a ∗ n ≤m ∗ [Key(t)]a ∗ n ≤ t ∗ n = v ∗ next= next ∗ owner= owner
〉
{∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(t)]a ∗ n ≤ t ∗ n ≥ v
∗ next= next ∗ owner= owner
}
} while (v = t);{∃n.TLocka(x, s, t,owner,next,n) ∗ [Key(t)]a ∗ n = t}{
Locked(x)
}
Fig. 11. Proof outline for the acquire operation.
I {
P
}
A
to
m
ic
〈{
I ∗ P}
// I ∗ P ⇔ ∃n.x → n ∗ R(n){∃n.x → n ∗ R(n)}
Ex
is
ts
:n
{
x → n ∗ R(n)}
v := [x];{
x → v ∗ R(v)}
ρ(v);{
I ∗ T (v)}{∃n. I ∗ T (v)}{
I ∗ T (v)}〉{
T (v)
}
return v;{
T (ret)
}
Fig. 12. Proof outline for the read operation.
4.2.1. Spin counter
Recall the higher-order speciﬁcation of read, given in Section 3.6.1 in the form of a rule:
I ∗ P ⇔ ∃n ∈N.x → n ∗ R(n) ∀n ∈N.  {x → n ∗ R(n)} ρ(n) {I ∗ T (n)}
I  {P} read(x,ρ) {T (ret)}
This should be read as a logical implication between the premisses and conclusion, with the predicates I, P , R, T , and 
parameters x, ρ universally quantiﬁed. A proof outline for this speciﬁcation is given in Fig. 12.
In the read operation, the concrete memory read is sequenced with the auxiliary code ρ in a single atomic operation 
(delimited by 〈_〉). Since it is atomic, we can transfer the invariant I into the local state for the duration, reestablishing it 
at the end. The assumed bi-implication I ∗ P ⇔ ∃n. x → n ∗ R(n) is used to obtain the x → n resource, which is then read 
into v. The auxiliary code ρ then updates x → n ∗ R(n) to I ∗ T (n). Once the invariant is closed, we are thus left with the 
required postcondition.
Compare this proof with the corresponding TaDA proof (Fig. 7). We may look at the MakeAtomic rule as establishing 
a ⇒  and a ⇒ (n,n) as proxy resources for P and T (n) respectively. The Counter region plays a similar role to the 
invariant, in that both are opened for the duration of atomic operations. The interpretation of the region plays the role of 
the bi-implication I ∗ P ⇔ ∃n. x → n ∗ R(n). The UpdateRegion both opens the region for the duration of the atomic update 
and plays the role of ρ in updating the auxiliary state.
20 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25I {
P
}
A
to
m
ic
〈{
I ∗ P}
// I ∗ P ⇔ x → n ∗ R{
x → n ∗ R}
v := [x];{
x → n ∗ R ∗ v= n}
// I ∗ P ⇔ x → n ∗ R{
I ∗ P ∗ v= n}〉{
P ∗ v= n}
A
to
m
ic
〈{
I ∗ P ∗ v= n}
// I ∗ P ⇔ x → n ∗ R{
x → n ∗ R ∗ v= n}
[x] := v+ 1;{
x → n+ 1 ∗ R ∗ v= n}
Fr
am
e
{
x → n+ 1 ∗ R}
ρ(v);{
I ∗ T (n)}{
I ∗ T (n) ∗ v= n}〉{
T (v)
}
return v;{
T (ret)
}
Fig. 13. Proof outline for the wkIncr operation.
The speciﬁcation for incr is as follows:
I ∗ P ⇔ ∃n ∈N.x → n ∗ R(n) ∀n ∈N.  {x → n+ 1 ∗ R(n)} ρ(n) {I ∗ T (n)}
I  {P} incr(x,ρ) {T (ret)}
The proof outline for this operation is given in Fig. 14. By comparison with read, the operation involves multiple atomic 
steps and so exploits the bi-implication in both directions: at all atomic steps where the update does not occur, the bi-
implication is used to restore the invariant and precondition. The linearisation point occurs when the CAS succeeds, so the 
auxiliary code ρ is executed conditionally at this point.
Note that after the ﬁrst atomic read, no relationship between the value that was read and the current value is retained. 
This is necessary, since it may in fact change arbitrarily before the CAS operation. This contrasts with the wkIncr operation, 
where the value cannot change.
Recall the wkIncr speciﬁcation:
I ∗ P ⇔ x → n ∗ R  {x → n+ 1 ∗ R} ρ(n) {I ∗ T (n)}
I  {P} wkIncr(x,ρ) {T (ret)}
The proof outline for this operation is given in Fig. 13. Here, the value of the cell must be ﬁxed at some n, and so when the 
update is performed v+ 1 will be n + 1.
As for read, the higher-order proofs of incr and wkIncr somewhat resemble their TaDA counterparts, but with 
abstract predicates taking on the roles of the region and atomic tracking resources. The higher-order approach does lead 
to speciﬁcations that obscure the atomic update. However, we can see them as encoding a notion of atomic triple, as per 
Remark 3.
4.2.2. Ticket lock
We now show how to verify the ticket lock in the higher-order setting, using the above speciﬁcations for the counter. 
We give the ticket lock a speciﬁcation where the lock itself (represented by the IsLock predicate) belongs to the invariant:
 {True} makeLock() {IsLock(ret)}
IsLock(x)  {Locked(x)} release(x) {True}
IsLock(x)  {True} acquire(x) {Locked(x)}
Locked(x) ∗ Locked(x) =⇒ False
Other than treating IsLock as an invariant rather than a duplicable assertion, this speciﬁcation is essentially the same as the 
TaDA speciﬁcation given in Section 4.1.2.
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 21I {
P
}
do {{
P
}
A
to
m
ic
〈{
I ∗ P}
// I ∗ P ⇔ ∃n.x → n ∗ R(n){∃n.x → n ∗ R(n)}
v := [x];{∃n.x → n ∗ R(n) ∗ v= n}
// I ∗ P ⇔ ∃n.x → n ∗ R(n){
I ∗ P}〉{
P
}
A
to
m
ic
〈{
I ∗ P}
// I ∗ P ⇔ ∃n.x → n ∗ R(n){∃n.x → n ∗ R(n)}
Ex
is
ts
:n
{
x → n ∗ R(n)}
b := CAS(x,v,v+ 1);{
if b= 0 then x → n ∗ R(n) ∗ v = n
else x → n+ 1 ∗ R(n) ∗ v= n
}
if (b = 0) {{
x → v+ 1 ∗ R(v)}
ρ(v);{
I ∗ T (v)}
}{
if b= 0 then x → n ∗ R(n) ∗ v = n
else I ∗ T (v)
}
{
if b= 0 then ∃n.x → n ∗ R(n) ∗ v = n
else I ∗ T (v)
}
// I ∗ P ⇔ ∃n.x → n ∗ R(n){
if b= 0 then I ∗ P else I ∗ T (v)}〉{
if b= 0 then P else T (v)}
} while (b= 0);{
T (v)
}
return v;{
T (ret)
}
Fig. 14. Proof outline for the incr operation.
We deﬁne the IsLock and Locked predicates, along with auxiliary predicate LockDescr, as follows:
LockDescr(x,o,n) ∃π1,π2. x.owner π1−→ o ∗ x.next π2−→ n
IsLock(x) ∃owner,next,n,m.LockDescr(x,owner,next) ∗
n ≤m ∗ owner → n ∗ next →m ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
Locked(x) ∃n. x.ghost 2/3−→ n
Remark 7 (Fractional Permissions). Fractional permissions are associated with heap locations [21,22] to indicate partial own-
ership of the heap location. The assertion x 
π−→ y denotes partial ownership of heap cell x with fractional permission 
π ∈ (0, 1]; a heap cell can be read with any fractional permission. The assertion x 1−→ y (or simply x → y) denotes full 
ownership of the heap cell x; a heap cell can only be written with full permission. 
The invariant for the lock, IsLock(x), establishes that the x.owner and x.next cells point to owner and next, respectively. 
It only holds fractional permission for x.owner and x.next, allowing all threads to be able to obtain knowledge of owner
and next and to be sure that they will not change; when a thread reads either of the cells, it will take a fractional permission 
from the invariant. The invariant holds full ownership of the owner and next cells, which represent the owner and next 
counters, and asserts that the value of the owner counter is at most the value of the next counter. The invariant also uses 
auxiliary (or ghost) resources, which can only be accessed by auxiliary code. The auxiliary heap cell, x.ghost, tracks the 
owner counter. A 1/3 permission to this cell always belongs to the invariant. When a thread holds the lock, the remaining 
2/3 permission belongs to the thread holding the lock, which is encapsulated by the Locked(x) predicate. Since permissions 
cannot exceed 1, the axiom Locked(x) ∗ Locked(x) =⇒ False holds. Holding the Locked(x) predicate ensures that no other 
22 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25IsLock(x) {
Locked(x)
}
A
bs
tr
ac
t
{
∃n.x.ghost 2/3−→ n
}
owner := [x.owner];{
∃n,π.x.owner π−→ owner ∗ x.ghost 2/3−→ n
}
Ex
is
ts
:n
{
∃π.x.owner π−→ owner ∗ x.ghost 2/3−→ n
}
wkIncr(owner, λn. [x.ghost] := [x.ghost] + 1;);
where
I ≡
⎛
⎜⎜⎜⎝
∃owner,next,n,m.LockDescr(x,owner,next) ∗
n ≤m ∗ owner → n ∗ next →m ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎟⎠
P ≡ ∃π.x.owner π−→ owner ∗ x.ghost 2/3−→ n
T (n) ≡ True
R ≡
(∃next,m.LockDescr(x,owner,next) ∗ n <m ∗ next →m ∗
gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ x.ghost → n
)
{
True
}{
True
}{
True
}
Fig. 15. Proof outline for the release operation.
thread can change the value of the ghost cell, and hence the value of the owner counter, which it tracks. When no thread 
owns the lock, the remaining 2/3 permission belongs to the invariant. (It might seem that we could use fractional permissions 
on the owner counter instead of this auxiliary heap cell. However, the speciﬁcation of the counter read operation requires 
full permission, so full permission for the owner counter must belong to the invariant.)
The other auxiliary resource in the invariant is a ghost bag [10], represented by the gbag predicate. The ghost bag is an 
abstract data type that represents a bag (or multiset). Ghost bags have two associated abstract predicates: gbag(b, B), which 
represents a ghost bag with identiﬁer b and contents B; and gbagh(b, v), which represents the knowledge that the ghost 
bag with identiﬁer b contains element v and the permission to remove this element. The two operations for updating the 
ghost bags are speciﬁed as follows:
{
gbag(b, B)
}
gbag_add(b, v)
{
gbag(b, B unionmulti {v}) ∗ gbagh(b, v)}{
gbag(b, B) ∗ gbagh(b, v)} gbag_remove(b, v) {v ∈ B ∧ gbag(b, B \ {v})}
Here, unionmulti, ∈ and \ are bag join, membership and difference operations, respectively. We treat a set as a bag where the 
elements have multiplicity 1.
The invariant uses a ghost bag with identiﬁer x.ts to track the pending tickets. When the acquire operation takes 
a ticket, it adds the ticket to the bag using gbag_add. In doing so, it obtains a gbagh(x.ts, v) resource, representing 
ownership of ticket v . When it successfully obtains the lock, it removes the ticket from the bag using gbag_remove, losing 
the resource in the process.
The invariant allows for two cases, depending on whether or not the lock is currently held. If the lock has been success-
fully acquired by some thread, the disjunct
gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m
holds. In this case, the thread holding the lock owns the fractional permission x.ghost
2/3−→ n, and the pending tickets run 
from n + 1 to m − 1. (If n + 1 =m then there are no pending tickets.)
Alternatively, if the lock has not been acquired, the disjunct
gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n
holds. If n = m then there are no pending tickets. Otherwise, the thread with ticket n (in the form of the gbagh(x.ts, n)
resource) can acquire the lock by removing n from the ghost bag and obtaining the x.ghost
2/3−→ n permission.
Fig. 15 gives the proof outline for the release operation. When the invariant is opened, the ﬁrst disjunct must 
hold, since otherwise there would be too much ownership of the x.ghost heap cell. We can thus establish that 
I ∗ P ⇔ owner → n ∗ R . When the auxiliary code is executed, it updates x.ghost to match owner at n + 1. We establish 
 {owner → n+ 1 ∗ R} [x.ghost] := [x.ghost] + 1; {I ∗ T (n)} as follows:
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 23IsLock(x) {
True
}
A
bs
tr
ac
t
{
True
}
next := [x.next];
owner := [x.owner];{
∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next
}
t := incr(next, λm.gbag_add(x.ts,m););
where
I ≡
⎛
⎜⎜⎜⎝
∃owner,next,n,m.LockDescr(x,owner,next) ∗
n ≤m ∗ owner → n ∗ next →m ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎟⎠
P ≡ ∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next
T (m) ≡ gbagh(x.ts,m)
R(m) ≡
⎛
⎜⎜⎜⎝
∃n.LockDescr(x,owner,next) ∗ n ≤m ∗
owner → n ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎟⎠
{
∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next ∗ gbagh(x.ts,t)
}
do {{
∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next ∗ gbagh(x.ts,t)
}
v := read(owner, λn.if (n= t) {gbag_remove(x.ts,t); });
where
I ≡
⎛
⎜⎜⎜⎝
∃owner,next,n,m.LockDescr(x,owner,next) ∗
n ≤m ∗ owner → n ∗ next →m ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎟⎠
P ≡ ∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next ∗ gbagh(x.ts,t)
T (n) ≡
(
if n = t then x.ghost 2/3−→ n
else ∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next ∗ gbagh(x.ts,t)
)
R(n) ≡
⎛
⎜⎜⎜⎝
∃m.LockDescr(x,owner,next) ∗ n ≤m ∗
next →m ∗ x.ghost 1/3−→ n ∗ gbagh(x.ts,t) ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎟⎠
{
if v= t then ∃n.x.ghost 2/3−→ n
else ∃π1,π2.x.owner π1−−→ owner ∗ x.next π2−−→ next ∗ gbagh(x.ts,t)
}
} while (v = t);{
∃n.x.ghost 2/3−→ n
}
{
Locked(x)
}
Fig. 16. Proof outline for the acquire operation.
{
owner → n+ 1 ∗ ∃next,m.LockDescr(x,owner,next) ∗ n <m ∗ next →m ∗
gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ x.ghost → n
}
[x.ghost] := [x.ghost] + 1;{
owner → n+ 1 ∗ ∃next,m.LockDescr(x,owner,next) ∗ n+ 1≤m ∗ next →m ∗
gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ x.ghost → n+ 1
}
// n′ := n+ 1⎧⎪⎨
⎪⎩
∃owner,next,n′,m.LockDescr(x,owner,next) ∗ n′ ≤m ∗ owner → n′ ∗ next →m ∗ x.ghost 1/3−→ n′ ∗(
(gbag(x.ts,
{
n′ + 1, . . . ,m− 1}) ∗ n′ <m) ∨ (gbag(x.ts,{n′, . . . ,m− 1}) ∗ x.ghost 2/3−→ n′))
⎫⎪⎬
⎪⎭
Fig. 16 gives the proof outline for the acquire operation. When incr is used to acquire a ticket, the auxiliary code 
adds the new ticket m to the ghost bag, reestablishing the invariant, while obtaining the ticket resource gbagh(x.ts, m) for 
the thread. The proof outline for this auxiliary code is as follows:
24 T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25⎧⎪⎪⎪⎨
⎪⎪⎪⎩
∃n.LockDescr(x,owner,next) ∗ n ≤m ∗
owner → n ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
∗ next →m+ 1
⎫⎪⎪⎪⎬
⎪⎪⎪⎭
gbag_add(x.ts,m);⎧⎪⎪⎪⎨
⎪⎪⎪⎩
∃n.LockDescr(x,owner,next) ∗ n ≤m ∗
owner → n ∗ x.ghost 1/3−→ n ∗ next →m+ 1 ∗(
(gbag(x.ts, {n+ 1, . . . ,m}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m}) ∗ x.ghost 2/3−→ n)
)
∗ gbagh(x.ts,m)
⎫⎪⎪⎪⎬
⎪⎪⎪⎭
//m′ :=m+ 1⎧⎪⎪⎪⎨
⎪⎪⎪⎩
∃owner,next,n,m′.LockDescr(x,owner,next) ∗
n ≤m′ ∗ owner → n ∗ next →m′ ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts,
{
n+ 1, . . . ,m′ − 1}) ∗ n <m′) ∨
(gbag(x.ts,
{
n, . . . ,m′ − 1}) ∗ x.ghost 2/3−→ n)
)
∗ gbagh(x.ts,m)
⎫⎪⎪⎪⎬
⎪⎪⎪⎭
In the read operation, the ghost code conditionally removes the ticket t from the bag, when n = t: i.e. it is now the 
thread’s turn to hold the lock. It can do so because it holds the gbagh(x.ts, t) resource. When it does so, the second 
disjunct must apply (since n /∈ {n+ 1, . . . ,m− 1}), and so the resource x.ghost 2/3−→ n is available to be transferred to the 
thread. When n = t, the invariant and thread resources are unchanged. The proof outline for this auxiliary code is as follows:⎧⎪⎪⎪⎨
⎪⎪⎪⎩
∃m.LockDescr(x,owner,next) ∗ n ≤m ∗
next →m ∗ x.ghost 1/3−→ n ∗ gbagh(x.ts,t) ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨
(gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
∗ owner → n+ 1
⎫⎪⎪⎪⎬
⎪⎪⎪⎭
if (n = t) {⎧⎪⎪⎪⎨
⎪⎪⎪⎩
∃m.LockDescr(x,owner,next) ∗ t≤m ∗
next →m ∗ x.ghost 1/3−→ t ∗ gbagh(x.ts,t) ∗(
(gbag(x.ts, {t+ 1, . . . ,m− 1}) ∗ t<m) ∨
(gbag(x.ts, {t, . . . ,m− 1}) ∗ x.ghost 2/3−→ t)
)
∗ owner → t+ 1
⎫⎪⎪⎪⎬
⎪⎪⎪⎭
Ca
se
s
{
gbag(x.ts, {t+ 1, . . . ,m− 1}) ∗
t<m ∗ gbagh(x.ts,t)
}
gbag_remove(x.ts,t);{
False
}
{
gbag(x.ts, {t, . . . ,m− 1}) ∗ x.ghost 2/3−→ t ∗
gbagh(x.ts,t)
}
gbag_remove(x.ts,t);{
gbag(x.ts, {t+ 1, . . . ,m− 1}) ∗ x.ghost 2/3−→ t ∗ t<m
}
{∃m.LockDescr(x,owner,next) ∗ t+ 1≤m ∗ next →m ∗ gbag(x.ts, {t+ 1, . . . ,m− 1}) ∗
x.ghost
1/3−→ t ∗ x.ghost 2/3−→ t ∗ owner → t+ 1
}
}⎧⎪⎪⎪⎪⎪⎪⎪⎪⎨
⎪⎪⎪⎪⎪⎪⎪⎪⎩
⎛
⎜⎜⎝
∃owner,next,n,m.LockDescr(x,owner,next) ∗
n ≤m ∗ owner → n ∗ next →m ∗ x.ghost 1/3−→ n ∗(
(gbag(x.ts, {n+ 1, . . . ,m− 1}) ∗ n <m) ∨ (gbag(x.ts, {n, . . . ,m− 1}) ∗ x.ghost 2/3−→ n)
)
⎞
⎟⎟⎠ ∗
if n = t then x.ghost 2/3−→ n
else ∃π1,π2.x.owner π1−→ owner ∗ x.next π2−→ next ∗ gbagh(x.ts,t)
⎫⎪⎪⎪⎪⎪⎪⎪⎪⎬
⎪⎪⎪⎪⎪⎪⎪⎪⎭
Compared with the TaDA approach, the invariant IsLock(x) plays a similar role to the TLock shared region. Here, 
we use fractional permissions to establish the fact that x.owner and x.next hold unchangeable values, while in TaDA 
this was a consequence of these values being parameters of the region. In TaDA, the counters were abstracted by the 
Counter(s, owner, n) and Counter(s, next, m) predicates, whereas here they are represented directly as owner → n and 
next → m respectively. We could have used abstract predicates in the higher-order counter speciﬁcation, but chose to ex-
pose the heap cell directly, which is not possible in the TaDA approach. The auxiliary resource gbag(x.ts, {n, . . . ,m− 1})
is a close analogue of [Pending(n, m)]a . Similarly gbagh(x.ts, t) is analogous to [Key(t)]a . One difference, however, is that 
whereas the assertion [Key(t)]a ∗ [Key(t)]a is inconsistent, the assertion gbagh(x.ts, t) ∗ gbagh(x.ts, t) is not. This is since 
a bag may, in principle, contain more than one copy of a given element. We thus cannot use gbagh(x.ts, t) to represent 
T. Dinsdale-Young et al. / Journal of Logical and Algebraic Methods in Programming 98 (2018) 1–25 25ownership of the lock in the case that t matches the owner counter. Instead, the gbagh(x.ts, t) resource is exchanged for 
x.ghost
2/3−→ t when a thread acquires the lock.
5. Conclusions
We have examined four major techniques for specifying and verifying concurrent modules: Owicki–Gries, rely/guarantee, 
concurrent separation logic, and linearisability. For each technique, we identiﬁed a particularly valuable contribution. We 
demonstrated how a synthesis of these contributions can be used to produce effective modular speciﬁcations for concurrent 
modules, using a counter module as a case study. We gave speciﬁcations for the counter module in both the ﬁrst-order 
approach of TaDA and the higher-order approach of Jacobs and Piessens. With each approach, we demonstrated the ex-
pressivity and modularity of the counter speciﬁcation by proving that it is satisﬁed by a spin-counter implementation and 
suﬃcient to verify a ticket-lock client.
References
[1] S. Owicki, D. Gries, Verifying properties of parallel programs: an axiomatic approach, Commun. ACM 19 (5) (1976) 279–285, https://doi .org /10 .1145 /
360051.360224.
[2] C.B. Jones, Speciﬁcation and design of (parallel) programs, in: IFIP Congress, vol. 83, 1983, pp. 321–332.
[3] P.W. O’Hearn, Resources, concurrency, and local reasoning, Theor. Comput. Sci. 375 (1–3) (2007) 271–307, https://doi .org /10 .1016 /j .tcs .2006 .12 .035.
[4] M.P. Herlihy, J.M. Wing, Linearizability: a correctness condition for concurrent objects, ACM Trans. Program. Lang. Syst. 12 (3) (1990) 463–492, https://
doi .org /10 .1145 /78969 .78972.
[5] P. da Rocha Pinto, T. Dinsdale-Young, P. Gardner, TaDA: a logic for time and data abstraction, in: ECOOP, 2014, pp. 207–231.
[6] P. da Rocha Pinto, Reasoning with Time and Data Abstractions, Ph.D. thesis, Imperial College London, Department of Computing, 2016.
[7] R. Jung, D. Swasey, F. Sieczkowski, K. Svendsen, A. Turon, L. Birkedal, D. Dreyer, Iris: monoids and invariants as an orthogonal basis for concurrent 
reasoning, in: POPL, 2015, pp. 637–650.
[8] A. Nanevski, R. Ley-Wild, I. Sergey, G.A. Delbianco, Communicating state transition systems for ﬁne-grained concurrent resources, in: ESOP, 2014, 
pp. 290–310.
[9] I. Sergey, A. Nanevski, A. Banerjee, Specifying and verifying concurrent algorithms with histories and subjectivity, in: ESOP, 2015, pp. 333–358.
[10] B. Jacobs, F. Piessens, Expressive modular ﬁne-grained concurrency speciﬁcation, in: POPL, 2011, pp. 271–282.
[11] J.M. Mellor-Crummey, M.L. Scott, Algorithms for scalable synchronization on shared-memory multiprocessors, ACM Trans. Comput. Syst. 9 (1) (1991) 
21–65, https://doi .org /10 .1145 /103727.103729.
[12] C.A.R. Hoare, An axiomatic basis for computer programming, Commun. ACM 12 (10) (1969) 576–580, https://doi .org /10 .1145 /363235 .363259.
[13] S.S. Ishtiaq, P.W. O’Hearn, BI as an assertion language for mutable data structures, in: POPL, 2001, pp. 14–26.
[14] J.C. Reynolds, Separation logic: a logic for shared mutable data structures, in: LICS, 2002, pp. 55–74.
[15] S. Brookes, A semantics for concurrent separation logic, Theor. Comput. Sci. 375 (1) (2007) 227–270, https://doi .org /10 .1016 /j .tcs .2006 .12 .034, http://
www.sciencedirect .com /science /article /pii /S0304397506009248.
[16] P.W. O’Hearn, D.J. Pym, The logic of bunched implications, Bull. Symb. Log. 5 (2) (1999) 215–244, https://doi .org /10 .2307 /421090, http://www.jstor.org /
stable /421090.
[17] V. Vafeiadis, Modular Fine-Grained Concurrency Veriﬁcation, Ph.D. thesis, University of Cambridge, Computer Laboratory, 2008.
[18] X. Feng, Local rely-guarantee reasoning, in: POPL, 2009, pp. 315–327.
[19] M. Dodds, X. Feng, M. Parkinson, V. Vafeiadis, Deny-guarantee reasoning, in: ESOP, 2009, pp. 363–377.
[20] T. Dinsdale-Young, M. Dodds, P. Gardner, M.J. Parkinson, V. Vafeiadis, Concurrent abstract predicates, in: ECOOP, 2010, pp. 504–528.
[21] J. Boyland, Checking interference with fractional permissions, in: SAS, 2003, pp. 55–72.
[22] R. Bornat, C. Calcagno, P. O’Hearn, M. Parkinson, Permission accounting in separation logic, in: POPL, 2005, pp. 259–270.
[23] R. Ley-Wild, A. Nanevski, Subjective auxiliary state for coarse-grained concurrency, in: POPL, 2013, pp. 561–574.
[24] A. Turon, D. Dreyer, L. Birkedal, Unifying reﬁnement and hoare-style reasoning in a logic for higher-order concurrency, in: ICFP, 2013, pp. 377–390.
[25] K. Svendsen, L. Birkedal, M. Parkinson, Modular reasoning about separation of concurrent data structures, in: ESOP, 2013, pp. 169–188.
[26] K. Svendsen, L. Birkedal, Impredicative concurrent abstract predicates, in: ESOP, 2014, pp. 149–168.
[27] I. Filipovic´, P. O’Hearn, N. Rinetzky, H. Yang, Abstraction for concurrent objects, in: ESOP, 2009, pp. 252–266.
[28] T. Dinsdale-Young, L. Birkedal, P. Gardner, M. Parkinson, H. Yang, Views: compositional reasoning for concurrent programs, in: POPL, 2013, pp. 287–300.
[29] G. Ntzik, Reasoning About POSIX File Systems, Ph.D. thesis, Imperial College London, Department of Computing, 2016.
[30] M.J. Parkinson, G.M. Bierman, Separation logic and abstraction, in: POPL, 2005, pp. 247–258.
[31] A. Gotsman, H. Yang, Linearizability with ownership transfer, in: CONCUR, 2012, pp. 256–271.
[32] C. Calcagno, P.W. O’Hearn, H. Yang, Local action and abstract separation logic, in: LICS, 2007, pp. 366–378.
[33] R. Dockins, A. Hobor, A.W. Appel, A fresh look at separation algebras and share accounting, in: APLAS, 2009, pp. 161–177.
[34] M. Dahlweid, M. Moskal, T. Santen, S. Tobies, W. Schulte, VCC: contract-based modular veriﬁcation of concurrent C, in: ICSE, 2009, pp. 429–430.
[35] P. da Rocha Pinto, T. Dinsdale-Young, P. Gardner, J. Sutherland, Modular termination veriﬁcation for non-blocking concurrency, in: ESOP, 2016, 
pp. 176–201.
[36] T. Dinsdale-Young, P. da Rocha Pinto, K.J. Andersen, L. Birkedal, Caper: automatic veriﬁcation for ﬁne-grained concurrency, in: ESOP, 2017, pp. 420–447.
[37] A. Raad, J. Villard, P. Gardner, CoLoSL: concurrent local subjective logic, in: ESOP, 2015, pp. 710–735.
[38] P. da Rocha Pinto, T. Dinsdale-Young, M. Dodds, P. Gardner, M. Wheelhouse, A simple abstraction for complex concurrent indexes, in: OOPSLA, 2011, 
pp. 845–864.
