A Program Logic for Reasoning About C11 Programs With Release-Sequences by He, Mengda et al.
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier XXX
A Program Logic for Reasoning about
C11 Programs with Release-Sequences
MENGDA HE1, SHENGCHAO QIN1(Senior Member, IEEE & ACM), ZHIWU XU2
1School of Computing, Engineering and Digital Technologies, Teesside University
2College of Computer Science and Software Engineering, Shenzhen University
Corresponding author: Shengchao Qin (e-mail: s.qin@tees.ac.uk).
ABSTRACT
With the popularity of weak/relaxed memory models widely used in modern hardware architectures, the
C11 standard introduced a language level weak memory model, A.K.A the C11 memory model, that allows
C/C++ programs to exploit the optimisation provided by the hardware platform in memory ordering and
gain benefits in efficiency. On the other hand, with the weakened memory ordering allowed, more program
behaviours are introduced, among which some are counterintuitive and make it even more challenging for
programmers to understand or to formally reason about C11 multithread programs. To support the formal
verification of the C11 weak memory programs, several program logics, e.g. RSL, GPS, FSL, and GPS+,
have been developed during the last few years. However, due to the complexity of the weakened memory
model, some intricate C11 features still cannot be handled in these logics. A notable example is the lack of
supporting to the reasoning about a highly flexible C11 synchronisation mechanism, the release-sequence.
Recently, the FSL++ logic proposed by Doko and Vafeiadis moves one step forward to address this problem,
but FSL++ only considers the scenarios with atomic update operations in a release-sequence. In this article,
we propose a new program logic, GPS++, that supports the reasoning about C11 programs with fully
featured release-sequences. We also introduce fractional read permissions to GPS++, which are essential
to the reasoning about a large number of real-world concurrent programs. GPS++ is a successor of our
previous program logic GPS+, but it comes with much finer control over the resource transmission with the
newly introduced restricted-shareable assertions and an enhanced protocol system. A more sophisticated
resource model is devised to support the soundness proof of our new program logic. We also demonstrate
GPS++ in action by verifying C11 programs with release-sequences that could not be handled by existing
program logics.
INDEX TERMS program logic, formal semantics, program verification, C11 weak memory model, release-
sequence
I. INTRODUCTION
To discuss the behaviours of shared-memory concurrent pro-
grams, a memory model must be assumed, as it fundamen-
tally defines how the threads communicate with each other.
The traditional strong memory model, i.e., the sequential-
consistency (SC) [1] model, assumes a single global memory
that is accessed by all threads in an interleaving manner while
the instructions in each thread are executed strictly following
their program orders. However, this model is abandoned by
most of the modern hardware architectures, as it leaves very
little room for optimisation. Modern hardware architectures
embrace more relaxed memory models, which allow memory
accessing operations to be reordered and threads to have their
own observations about the memory states. For instance, the
memory model used for the x86 architecture is the total-store-
order (TSO) model instead of the SC model, as with write
buffers facilitated, the x86 architecture allows some store
operations to be reordered after the following load operations
as long as a total order for all store operations is preserved.
Other platforms like ARM and PowerPC adopt even weaker
memory models.
With the various levels of memory weakening allowed by
different hardware platforms, a unified interface is essential
to help programmers to compose programs that have best
performance regardless the underlying platforms. Therefore,
in the C11 standard [2], [3], a language-level weak memory
VOLUME x, 202x 1
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
model, i.e., the C11 memory model, is introduced and has
later been formalised by Batty et al. [4]. However, it remains
challenging to understand or to reason about the counter-
intuitive behaviours introduced by this weakened memory
model. Several program logics (RSL [5], GPS [6], [7] FSL
[8], GPS+ [9], [10], and FSL++ [11]) focusing on C11
programs have been proposed during the last few years, but
the reasoning about some highly intricate features of the C11
memory model is still not supported. A notable example
is that the support to a highly flexible C11 synchronisation
mechanism, i.e., the release-sequences, is usually left out. As
shown in Table 1, there are four commonly used paradigms
to establish C11 synchronisations. From the most straightfor-
ward way that only uses release write and acquire read pairs
to the ones with fully featured release-sequences involved,
the complexity increases along with its flexibility, as more
program commands’ interactions need to be taken under
consideration. The formal reasoning about the most flexible
paradigm facilitating with fully featured release-sequences is
not supported until this work.
Beside the memory optimisations, another approach to
maximising the benefits of multiprocessing is to reduce the
fractions of tasks that could not be parallelised. For instance,
instead of enforcing all the accesses to a shared resource to
be mutually exclusive, a readers-writer-lock allows multiple
readers (or a single writer) to exist at a time. The readers-
writer-lock is widely adopted by real-world programs (e.g.
the Linux kernel, pthread library, etc.). However, to formally
verify a sophisticated algorithm like the readers-writer-lock,
fractional permissions [12], [13] will be a necessary ingredi-
ent, which is not yet supported in the GPS family.
In this article, we propose GPS++, a program logic that
supports the reasoning about C11 programs with fully fea-
tured release-sequences. To achieve this, our logic is fa-
cilitated with an enhanced per-location protocol system, a
new type of assertions, i.e., the restricted shareable asser-
tion, and a set of new reasoning rules to deal with C11
release-sequences related operations. We also introduce the
support to fractional permissions, which enables us to use the
proposed logic against sophisticated real-world concurrent
algorithms such as the readers-writer-lock.
This article extends the earlier conference version [14] sig-
nificantly with the following additional contributions: 1. The
support for fractional read permissions in the new logic, that
allows it to reason about real-world concurrent algorithms
that otherwise would not be possible; 2. The proof in the new
logic of the correctness of a non-trivial concurrent program,
i.e. readers-write-lock (which cannot be handled by previous
logics in the GPS family) that illustrates the applicability of
GPS++; 3. A more sophisticated resource-map-based instru-
mented semantic model that help characterise the subtle new
features in GPS++; 4. The formulation of the soundness of
the GPS++ logic, together with proof sketches for lemmas
and theorems.
In the rest of the article, we first introduce our core lan-
guage that captures most essential C11 features and the C11
memory model in §II. Then we discuss this work’s founda-
tion, the GPS+ logic, in §III, before presenting our new logic
in §IV. We demonstrate the power of our new program logic
by using it to verify example programs including a variant
of the readers-writer-lock in §V. After that, we present the
formal foundation of GPS++ in Section VI and illustrate its
soundness in §VII. Finally, related work is discussed in §VIII
and the article is concluded in §IX.
II. THE LANGUAGE AND THE MEMORY MODEL
A. THE LANGUAGE
Val v ::= x | V whereV ∈ N
Exp e ::= v | v+ v | v − v | v== v | v mod v
letx = e in e | repeat e end |
if v then e else e | fork e | alloc(V )
[v]O | [v]O := v | CASO,O(v, v, v) | fenceO
MO O ::= rel | acq | rlx | na
EvalCtx K ::= [ ] | letx = K in e
FIGURE 1: A language for C11 concurrency
We use the expression-oriented language presented in
Fig. 1 as our core language. It is used to capture the es-
sential features of the C11 memory model. With the support
to atomic read/write (load/store), fences, and compare-and-
swap (CAS) our language can express C11 programs using
various kinds of inter-thread synchronisation mechanisms,
including the powerful release-sequence.
Our language has variable names (represented by
metavariable x) and integer values (represented by metavari-
able V ) as values (Val ). The pointer arithmetic, let-
binding, loop command repeat e, conditional statement
if . . . then . . . else, thread forking fork e, memory alloca-
tion alloc(V ), memory load (read) [v]O and store (write)
[v]O := v, atomic update operation CASO,O(v, v, v), and
fence operations fenceO are supported as our expressions
(e). Specifically, in the loop command repeat e the loop
body e will be repeatedly executed until a non-zero value is
returned.
Note that a memory orderO needs to be specified for some
expressions indicating which degree of memory relaxation
can be applied to the annotated operation. Following the C11
language, we require a memory location is either atomic or
non-atomic and this cannot be changed once defined. For an
atomic location v1, the memory orderO used in a load opera-
tion [v1]O can be acquire (acq) or relaxed (rlx); the memory
order O in a store operation [v1]O := v can be either release
(rel) or relaxed (rlx). Meanwhile, memory accesses to non-
atomic locations can only be annotated as non-atomic (na).
The compare-and-swap expression CASO1,O2(v1, v2, v3) re-
quires v1 to be the address of an atomic location and performs
the following steps in a single atomic move: firstly, the value
of v1 is loaded with the memory order O1 (which can be
either acq or rlx), then the value is used to “compare” with
the expected value v2; if they are the same, the value v3
is stored to location v1 with the memory order O2 (which
can be rel or rlx) (the “swapping”) and a numerical value
2 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
TABLE 1: Program Logics’ Support to C11 Synchronisations
Synchronisation Paradigms RSL GPS FSL GPS+ FSL++ GPS++
With Release Store & Acquire Load Pairs X X X X X X
With Fences X X X X
With Release-sequences with only Atomic Updates X X
With Fully Featured Release-sequences X
1 is returned indicating its success; otherwise 0 is returned
indicating the failure of the compare-and-swap process.
B. THE GRAPH SEMANTICS
The C11 memory model resides at language-level aiming
at abstracting away the differences of underlying hardware
memory models. Therefore, it is not straightforward to ex-
press it in an operational manner. The axiomatic approach
is often used instead to formalise the C11 memory model,
where execution graphs are used to represent candidate ex-
ecutions (with the program actions/events as vertices and
their relations represented by the edges) and a set of axioms
decide if an execution is legal or not. This is the approach
adopted by Batty et al. [4] to give the first formalisation of
the C11 memory model. The memory models used in the
C11 program logics [5], [6], [8]–[11] are defined in a similar
manner but with certain simplifications, e.g., only accepting
synchronisations created using a simple way without release-
sequences involved. This work follows the graph based ax-
iomatic semantics, with extra information added for threads
(highlighted in Fig. 2), and supports synchronisations with
fully featured release-sequences.
As shown in Fig. 2, the event graph G (A, T, sb,mo, rf)
concerns a set of events, and records their action type in-
formation in A (the action types will be further discussed
shortly), their thread identities in T (i.e. to which threads
they belong), as well as their relations in sb,mo, and rf. The
sequenced-before relation (sb) represents the non-transitive
program order. All store operations accessing a same location
form a strict-total order, which we record in the modification-
order (mo). When a load operation reads from a store oper-
ation, this relation is tracked in the reads-from map (rf). We
formalise the thread pool as T which tracks each numeri-
cally indexed thread’s last event and the expressions to be
executed.
Action α ::= S | A(`..`′) |W(`, V,O) | R(`, V,O) |
U(`, V, V,O,O) | F(O)
EventName a (from an infinite set)
ActMap A ∈ EventName fin⇀ Action
ThreadID T ∈ EventName fin⇀ N
Graph G ::= (A, T , sb,mo, rf) where
sb,mo ⊆ dom(A)× dom(A), rf ∈ dom(A) ⇀ dom(A)
ThreadMap T ∈ N fin⇀ (EventName × Exp)
FIGURE 2: Syntax of event graph
As shown in Fig. 3 and Fig. 4, we adopt a two-layer seman-
tics, namely, event-step and machine-step, following GPS
and GPS+. An event-step (e α→ e′) is the execution of e, re-
sulting in a return value or a remainder expression (e′) and an
action (α) to be added to the execution graph in the machine-
steps. The executions of arithmetic, let-banding, repeat, and
conditional expressions returns different values or remainder
expressions but they only generates skip actions (S) as they
do not involve memory accesses. The allocation expression
alloc(n) generates an allocation action A(`..`+ n− 1),
which indicates n fresh memory location ranging from ` to
`+ n− 1 are allocated and ` is returned. Store and fence
expresses generate corresponding write (W) and fence (F)
actions with specified memory orders; and we let them
always return 0 as they should not be used to change the
program control flow. Note that the event-step rule for read
action R only specifies that it should return some numerical
value V . The actual value can be read is constrained by the
memory model axioms (consistentC11) in the machine-
steps (which will be discussed shortly in this section) with
the global execution taken under consideration. There are
two rules for CAS expressions to correspondingly capture the
successful and failure cases. In the case of success, an update
action U(`, Vo, Vn, Or, Ow) is generated, where the current
value Vo stored at location ` is required to be the same as
specified in the expression; otherwise, the CAS should be
considered as failed and is treated as an atomic read action
which reads some value other than Vo.
We use the machine configuration 〈T ;G〉 to represent
the execution states, where the thread pool T contains the
expressions to be executed in each thread and the execution
graph G is a record of the execution history. Machine-step
rules are used to update the machine configurations. The
first rule states that an arbitrary thread from T can take a
move (e α→ e′) and generate a new machine configuration
(〈T ′;G′〉) based on the current one (〈T ;G〉) with the new
event (a′) and the corresponding relations added to the
event graph given that the C11 memory model axioms are
preserved in the extended graph (consistentC11(G′)). More
specifically, assume the thread i in the thread pool T is
chosen to execute, its last event is a and the expression to
be executed is e. Then e is reduced to e′ following the corre-
sponding event-step semantics rule, yielding a new action α
with a new event name a′. We update i in the thread pool with
this information (a′, e′), then add the newly generated event
to the event graph as the following, yielding a new graph
G′. Firstly, the mapping a′ 7→ α and a′ 7→ i are added to the
action map (G′.A) and the thread map (G′.T ), respectively.
This information will be crucial for reasoning about pro-
grams with C11 release-sequences, as we will need to know
if different writes are from a same thread or not. Secondly, we
know that a′ comes after a, so we record it in the sequenced-
VOLUME x, 202x 3
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
n+m
S→ k k = n+m
n−m S→ k k = n−m if n ≥ m
n−m S→ 0 if n < m
n==m
S→ 1 n = m
n==m
S→ 0 n 6= m
letx = V in e
S→ e[V/x]
repeat e end
S→ letx = e in ifx thenx else repeat e end
ifV then e1 else e2
S→ e1 V 6= 0
ifV then e1 else e2
S→ e2 V = 0
alloc(n)
A(`..`+n−1)−−−−−−−−→ `
[`]O
R(`,V,O)−−−−−→ V
[`]O :=V
W(`,V,O)−−−−−−→ 0
CASOr,Ow (`, Vo, Vn)
U(`,Vo,Vn,Or,Ow)−−−−−−−−−−−−→ 1
CASOr,Ow (`, Vo, Vn)
R(`,V ′,Or)−−−−−−−→ 0 V ′ 6= Vo
fenceO
F(O)−−−→ 0
K[e]
α−→ K[e′] e α−→ e′
FIGURE 3: Event-steps semantic rules: e α−→ e′
e
α→ e′ consistentC11(G′) G′.A = G.A unionmulti [a′ 7→ α] G′.T = G.T unionmulti [a′ 7→ i]
G′.sb = G.sb unionmulti (a, a′) G′.mo ⊇ G.mo G′.rf ∈ {G.rf,G.rf unionmulti [a′ 7→ b]}
〈T unionmulti [i 7→ (a, e)];G〉 −→ 〈T unionmulti [i 7→ (a′, e′)];G′〉
〈T unionmulti [i 7→ (a,K[fork (e)])];G〉 −→ 〈T unionmulti [i 7→ (a,K[0]) unionmulti [j 7→ (a, e)];G〉
FIGURE 4: Machine-step semantics: 〈T ;G〉 −→ 〈T ′;G′〉
before relation (G′.sb). Finally, the modification-order only
gets updated if a′ is a write (W) or a success update action
(U), so we have G′.mo ⊇ G.mo. Similarly, the read-from
relation only gets updated if a′ is a read (R) or an update
action (U) which reads from a write/update action b. The
exact way these two relations to be updated is restricted by
the C11 memory model axioms consistentC11 that to be
presented in the next subsection.
The second machine-step rule indicates that the fork e
command creates a new thread (i.e. j) that will be added to
the thread pool. The expression e is waiting to be executed in
the new thread while the parent thread (i) has whatever left
in the evaluation context K[0].
A thread terminates if its expression is reduced to be a
pure value and the program terminates when all its threads
terminate.
C. THE MEMORY MODEL
A memory model defines how different CPU cores can
access a shared memory, and thus controls how multithread
programs should behave. As a language-level memory model
that must be sufficiently generalised, the C11 memory model
regulates the program behaviours by using a group of axioms
based on the event graph. We have discussed the event graph;
now we first introduce several derived relations before we can
formally introduce the C11 memory model axioms.
1) Happens-before Relation
The happens-before relation is the cornerstone of the causal-
ity in C11 programs. That is, for two events a and b, unless
we can establish that a happens before b (a hb→ b), there
is no guarantee that a’s effect will be observed by b. The
happens-before relation is derived from the sequenced-before
and the synchronised-with relations (to be discussed shortly
in §II-C2), i.e., hb , (sb ∪ sw)+. Intuitively, the happens-
before relation preserves the program order for events within
the same thread; however, for the events from different
threads can by ordered in hb only if their threads are syn-
chronised at appropriate locations.
This idea is demonstrated in Fig. 5 with an unsuccessful
message passing program. In this example, we assume both
x and y are initialised as 0. In the first thread, the flag y is
changed to 1 (event b) after the message x is set to be 42
(event a); the second thread first reads y to be 1 (event c)
then reads x (event d). Though a chain of relations can be
established as a sb→ b rf→ c sb→ d, the stale value 0 can still be
read by d as the read-from relation between b and c is not
strong enough to form a synchronisation, thus the happens-
before relation a hb→ d could not be derived and a’s effect is
not guaranteed to be seen by d.
4 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
Thread 1 :
a : W(x, 42, rlx)
b : W(y, 1, rlx)
Thread 2 :
c : R(y, 1, rlx)
d : R(x, 0 or 42, rlx)
sb sbrf
FIGURE 5: A failed message passing example
2) Release-sequence and Synchronisation
As a weak memory model, the C11 memory model allows
threads to have different observations about the memory1.
But when necessary, one thread’s observation can be passed
to another if they are synchronised. To form a synchroni-
sation and share its observation, the sharer’s thread must
first perform a release action. Intuitively, the release action
would label its up-to-date memory observation as ready to be
shared. Then a sequence of store operations, i.e. a release-
sequence, work like messengers notifying their readers that
some information can be acquired. However, the acquisition
is only successful after an acquire action is performed in the
reader’s thread. In this way, the acquire action is synchro-
nised with the release action and is obliged to acknowledge
the memory modifications happened before the release ac-
tion.
The release-sequence plays the crucial role in this process.
It is led by an action with the release memory order, i.e.,
the release head, which can either be a release fence or a
release store, and is followed by the longest sub-sequence
of store operations from the modification order (mo) where
these store operations are either in the same thread as the
release head or atomic update operations (i.e., U).
As the example shown in Fig. 6a the release write event a is
the release head; and the release-sequence also contains b and
c as they follow a in the mo order and is either in a’s thread
(b) or is an atomic update (c). Another thread can acquire a’s
observation by reading from any event from this sequence.
Fig. 6b shows that a release-sequence can be interrupted if a
non-update store operation (c in this case) from a different
thread is positioned in the chain of mo order. In the case
shown in Fig. 6b, the release-sequence only contains the
head a. As shown in Fig. 6c, a relaxed write can lead a
hypothetical release-sequence and in this case itself is called
a hypothetical release head. If an operation acquires from this
sequence, it is synchronised with a release fence prior to the
hypothetical release head if there is any.
To formally define the synchronised-with relation, we first
define a predicate (along with some shorthand definitions)
that indicates if an action b is qualified to be a member of the
release-sequence led by action a:
1For instance, in the example shown in Fig. 5, thread 2 can observe a state
where x = 0 ∧ y = 1, which is infeasible from the perspective of thread 1.
rs_element(a, b) , sameThreadG(a, b) ∨ isCASG(b)
sameThreadG(a, b) , G.T (a) = G.T (b)
isCASG(b) , G.A(b) = U(−,−,−,−,−)
WO(a) , G.A(a) = W(−,−, O) ∨ U(−,−,−,−, O)
RO(a) , G.A(a) = R(−,−, O) ∨ U(−,−,−, O,−)
For a store action a, we say that event b is in a’s release-
sequence, a rs→ b or rs(a, b), if and only if:
WO(a) ∧
(
a = b ∨ rs_element(a, b) ∧ a mo→ b ∧
∀c. a mo→ c mo→ b⇒ rs_element(a, c)
)
Then we can formally define the synchronised-with rela-
tion as that shown in Fig. 7:
D. DEMONSTRATING C11 SYNCHRONISATIONS
We have introduced the highly flexible release-sequence
based C11 synchronisation mechanism. In Fig. 8, we demon-
strate how C11 synchronisations can be formed in different
manners by restoring the message passing protocol discussed
in Fig. 5 in various ways. Recall that, as summarised in Ta-
ble 1, existing C11 program logics usually support simplified
versions of the C11 synchronisation mechanism, due to its
complicity, with limited scenarios allowed to from synchro-
nisations. These demonstrations are also used to illustrate
which types of C11 synchronisations can be supported by
existing C11 program logics.
The first C11 program logics, RSL and GPS, can only be
used to reason about C11 programs with synchronisations
formed between release write and acquire read pairs as that
is shown in Fig. 8a. With C11 fences supported, FSL and
GPS+ can also reason about programs like that is shown
in Fig. 8b. Still, they do not accept release-sequences with
more than one element. FSL++ overcomes this limitation,
but expect the release head, it only accepts atomic update
operations to be in a release-sequence (Fig. 8c). To the best of
our knowledge, only this work supports the reasoning about
C11 programs with synchronisations based on fully-featured
release-sequences, including the scenario shown in Fig. 8d.
E. THE AXIOMATIC MODEL
With the preparations that have been made about synchroni-
sations, happens-before relations and etc., in this subsection,
we present the axiomatic definitions for the C11 memory
model in Fig. 9 following a similar approach used by [4].
Intuitively, the axioms are regulations that rule out illegal
executions, e.g., “no one can read from an event that happens
after itself” or “an update action cannot be interrupted”, and
etc. These axiomatic rules also leave us enough room to
ensure the aforementioned principle: no guarantee of obser-
vation without happens-before relations.
Specifically, ConsistentMO1 states that mo is a binary re-
lation over writing actions. ConsistentMO2 requires all writ-
ing actions in mo to follow a strict total order. ConsistentRF1
VOLUME x, 202x 5
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
Thread 1 :
a : W(`,−, rel)
b : W(`,−, rlx)
Thread 2 :
c : U(`, . . . )
sb
+
rf,mo
m
o
(a) Sequence led by release store
Thread 1 :
a : W(`,−, rel)
b : W(`,−, rlx)
Thread 2 :
c : W(`,−,−)
sb
+
mo
m
o
(b) Interrupted sequence
Thread 1 :
a : F(rel)
b : W(`,−, rlx)
Thread 2 :
c : U(`, . . . )
sb
+
rf,mo
(c) Sequence led by relaxed store
FIGURE 6: Examples of release-sequence (highlighted in red)
sw ,
(a, b) |
Wrel(a) ∧ Racq(b) ∧ ∃c. rs(a, c) ∧ rf(b) = c ∨
Wrel(a) ∧ G.A(b) = F(acq) ∧ ∃c, d. Rrlx(d) ∧ rs(a, c) ∧ rf(d) = c ∧ (d, b) ∈ sb+ ∨
G.A(a) = F(rel) ∧ Racq(b) ∧ ∃c, d. Wrlx(c) ∧ (a, c) ∈ sb+ ∧ rs(c, d) ∧ rf(b) = d ∨
G.A(a) = F(rel) ∧ G.A(b) = F(acq) ∧
∃c, d, e. Wrlx(c) ∧ Rrlx(e) ∧ (a, c) ∈ sb+ ∧ (e, d) ∈ sb+ ∧ rs(c, d) ∧ rf(e) = d

FIGURE 7: Synchronised-with relation
Thread 1 :
a : W(x, 42, rlx)
b : W(y, 1, rel)
Thread 2 :
c : R(y, 1, acq)
d : R(x, 42, rlx)
sb sbr
f
sw
hb
(a) Sync between release write and acquire read
(supported by: RSL, GPS, FSL, GPS+, FSL++, and this work)
Thread 1 :
a : W(x, 42, rlx)
e : F(rel)
b : W(y, 1, rlx)
Thread 2 :
c : R(y, 1, rlx)
f : F(acq)
d : R(x, 42, rlx)
sb
sb
sb
sb
rf
sw
hb
(b) Sync with relaxed atomics and fences
(supported by: FSL, GPS+, FSL++, and this work)
Thread 1 :
a : W(x, 42, rlx)
b : W(y, 1, rel)
Thread 2 :
c : U(y, 1, 2, acq, rel)
Thread 3 :
d : R(y, 1, acq)
e : R(x, 42, rlx)
sb sb
rf,mo
rf
swhb
(c) CAS in release-sequence
(supported by: FSL++ and this work)
Thread 1 :
a : W(x, 42, rlx)
b : W(y, 1, rel)
c : W(y, 2, rlx)
Thread 2 :
d : R(y, 2, acq)
e : R(x, 42, rlx)
sb
sb
sb
rf
sw
hb
(d) Relaxed write in release-sequence
(supported by: this work)
FIGURE 8: Examples of C11 synchronisations
indicates there always is at least one writing action before
a reading on the same location, that is, all locations are
initialised before reading. ConsistentRF2 says that a reading
action cannot read from a writing that happens after itself.
For a non-atomic reading action, ConsistentRFNA requires
it must read from a writing action that happens before it.
Coherence puts restrictions on happens-before relations and
the modification orders, e.g. a reading actions should not read
older value than its happens-before ancestors. AtomicCAS
enforces no interruption could happen to an atomic update
action. ConsistentAlloc states the sets of locations allocated
by two allocation actions will not intersect, that is, no loca-
tion will be allocated more than once. Acyclic is introduced
to rule out the thin-air-read problem following [6], [9].
Note that while atomic locations are meant to be accessed
concurrently, concurrent accesses (accesses that are not or-
dered in hb) to non-atomic locations with at least one write
action lead to a hazardous situation called data-race, in which
the program behaviour is undefined. The memory error is
another hazardous situation, which involves accessing a loca-
tion before it is allocated. Definitions for these two hazardous
situations are needed to complete our semantical model as we
need them to rule out executions with undefined results.
dataRace(G) , ∃`.∃a, b ∈ dom(G.A). G.A(a) = W(`,−, na) ∧ G.A(b) = W(`,−, na)∨G.A(a) = W(`,−, na) ∧ G.A(b) = R(`,−, na)∨
G.A(a) = R(`,−, na) ∧ G.A(b) = W(`,−, na)

∧¬((a, b) ∈ hb ∨ (b, a) ∈ hb)
memErr(G) , ∃l.∃b ∈ dom(G.A). (G.A(b) = W(`,−,−)
∨ G.A(b) = R(`,−,−) ∨ G.A(b) = U(`,−,−,−,−))
∧ @a ∈ dom(G.A).A(a) = A(~`) ∧ ` ∈ ~`∧ (a, b) ∈ hb
III. RECAP OF GPS+
Verifying concurrent programs is difficult. To reason about
C11 concurrent programs with weak memory behaviours is
even harder. To do this, GPS-like logics amalgamate three
techniques from state-of-the-art concurrent program logics
6 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
consistentC11((A, T, sb,mo, rf)) ,
∀a, b. mo(a, b)⇒ ∃`. writes(a, `,−),writes(b, `,−) (ConsistentMO1)
∧ ∀`. strictTotalOrder({a | writes(a, `,−)},mo) (ConsistentMO2)
∧ ∀b. rf(b) 6= ⊥ ⇔ ∃`, a. writes(a, `,−) ∧ reads(b, `,−) ∧ hb(a, b) (ConsistentRF1)
∧ ∀a, b. rf(b) = a⇒ ∃`, V. writes(a, `, V ) ∧ reads(b, `, V ) ∧ ¬hb(b, a) (ConsistentRF2)
∧ ∀a, b. rf(b) = a ∧ (isNonatomic(a) ∨ isNonatomic(b))⇒ hb(a, b) (ConsistentRFNA)
∧ ∀a, b. hb(a, b)⇒ a 6= b ∧ ¬mo(rf(b), rf(a)) ∧ ¬mo(rf(b), a) ∧ ¬mo(b, rf(a)) ∧ ¬mo(b, a) (Coherence)
∧ ∀a, c. isUpd(c) ∧ rf(c) = a⇒ mo(a, c) ∧ 6 ∃b. mo(a, b) ∧mo(b, c) (AtomicCAS)
∧ ∀a 6= b, ~`, ~`′. A(a) = A(~`) ∧A(b) = A(~`′)⇒ ~`∩ ~`′ = ∅ (ConsistentAlloc)
∧ acyclic(hb ∪ rf) (Acyclic)
where strictTotalOrder(S,R) , (6 ∃a. R(a, a)) ∧ (∀a, b, c. R(a, b) ∧R(b, c)⇒ R(a, c))
∧ (∀a, b ∈ S. a 6= b⇒ R(a, b) ∨R(b, a))
acyclic(R) ,6 ∃x. R+(x, x)
reads(a, `, V ) , A(a) ∈ R(`, V,−),U(`, V,−)
writes(a, `, V ) , A(a) ∈W(`, V,−),U(`,−, V )
FIGURE 9: The C11 axioms
(e.g. [15]–[28]), namely ghost states, protocols and separa-
tion logic. Our proposed program logic, GPS++, follows the
line of GPS works. In this section, we lay the foundation for
the discussion of our program logic by briefly introducing its
closest predecessor GPS+.
A. PROTOCOLS FOR ATOMIC LOCATIONS
As illustrated in previous sections, in C11 concurrent pro-
grams threads communicate with each other by writing and
reading atomic locations. As updates may happen in other
threads, it is difficult to determine the precise value of an
atomic location. Therefore, GPS/GPS+ employs the concept
of per-location protocols and each atomic location has its
own protocol depicting how its states can evolve along with
the program execution. The possible states for an atomic
location are partially ordered, and the state assertion is used
to describe the lower-bound state an atomic location can be
in. That is, assuming an atomic location `’s protocol is τ , the
state assertion ` : s τ says that ` is at least at state s.
Atomic locations can be concurrently accessed by different
threads, therefore their state assertions should be able to
be duplicated and shared between different threads. These
assertions that do not require exclusive ownership are called
knowledge in GPS logics. A knowledge assertion is deco-
rated with the notation  and the following rules applied:
` : s τ ⇒  ` : s τ P ⇔ P ∗P P ⇒ P
The first rule states that a state assertion is knowledge. The
second rule says that copies can be made out of a knowledge
assertion. When necessary a knowledge assertion can also be
transformed back to its normal form using the third rule.
To complete the protocol definition τ for its atomic loca-
tion `, a partial order vτ must be provided to depict all `’s
possible state transitions. That is, assuming ` is currently in
state s and a write command moves it to state s′, this is valid
if and only if s vτ s′ is defined in the protocol. In addition,
state interpretations need to be specified for all states. A state
interpretation τ(s, z) describes the conditions that must be
satisfied for a write command to be permitted to write value
z to ` and transfer ` to state s. On the other hand, when a
reader reads ` at state s, it knows some conditions have been
established in the writer’s thread. Therefore, they can reach
agreement about these facts, i.e., they are synchronised. The
following rules formally capture this process.
[GPS+-RELEASE-STORE]
P V τ(s′′, v) ∗Q ∀s′ wτ s. τ(s′,−) ∗ P ⇒ s′′ wτ s′{
` : s τ ∗ P} [`]rel := v { ` : s′′ τ ∗Q}
The [GPS+-RELEASE-STORE] rule states that to move ` to
the target state s′′, the state interpretation τ(s′′, v) must be
derivable from the resource P currently possessed in its
precondition (the first premise). Note that the ghost moveV
used to imply the state interpretation refers to a transition
that only affects auxiliary states leaving physical states un-
changed. Note also that due to the possible moves from the
environment, the actual state of ` before the writing may be
different from the lower-bond state s in the triple’s precon-
dition. Therefore, the second premise is introduced requiring
that the target state s′′ is reachable from any possible state s′
that ` might be currently in.
[GPS+-ACQUIRE-LOAD]
∀s′ wτ s. ∀z. τ(s′, z) ∗ P ⇒ Q{
` : s τ ∗ P} [`]acq {z. ∃s′. ` : s′ τ ∗ P ∗Q}
The [GPS+-ACQUIRE-LOAD] states that some knowledge
Q can be added to an acquire read’s postcondition if
VOLUME x, 202x 7
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
the knowledge can be derived from the candidate states’
interpretations. Note that only knowledge assertions can be
retrieved, as the read operations from different threads may
observe a same state and try to retrieve the same information.
If the information to be retrieved is not duplicable, conflicts
will raise. The assertion P included in this rule enables rely-
guarantee style of reasoning and reduces the possible states
that can be read [6].
B. ESCROWS FOR NON-ATOMIC LOCATIONS
The [GPS+-ACQUIRE-LOAD] rule only retrieve knowledge as-
sertions from state interpretations. However, the ownership
of some exclusive resource is also often needed to be trans-
mitted across threads. This can be done by using escrows
in GPS/GPS+. Intuitively, an escrow σ : P  Q is a safe
protecting Q with a non-duplicable resource P as the key.
Following ghost move rules are used to put some resource
(Q) under escrow and retrieve it:
σ : P  Q
QV [σ]
σ : P  Q
P ∧ [σ]V Q
An escrow [σ] is no longer ownership-dependent. It can be
transformed into knowledge following the rule: [σ]⇔ [σ].
As shown in the second rule, the “key” P will be consumed
once it is used to open the safe and retrieve the resource Q.
Therefore P is preferred to be a ghost assertion instead some
assertions relating to physical resources. A ghost assertion
in the form γ : t µ indicates that γ is a ghost variable,
and its value is a ghost permission t drawn from some
partial commutative monoid (PCM) type µ. With a fresh
identity, a new ghost value t can be introduced out of thin
air: trueV ∃γ. γ : t µ .
C. WORKING WITH FENCES
As shown in Fig. 8b, synchronisations can also be established
by using relaxed write and read operations but only with the
help from C11 fences. In GPS+, this process is interpreted
as that a relaxed write can only share the resource made
shareable (denoted as 〈P 〉) by a prior release fence. On the
other hand, when some resource is retrieved by a relaxed
read, it cannot be used instantly. Instead, it is marked as
waiting-to-be-acquired P and an acquire fence is needed
to transform it back to its normal form.
The fence related rules are adopted by our new program
logic. Detailed discussions will be provided in the next
section to illustrate how we make them compatible with other
more complicated features.
IV. REASONING ABOUT C11 RELEASE-SEQUENCES
AND FRACTIONAL PERMISSIONS
The use of release-sequences provides C11 programs great
flexibility to choose the best way to synchronise their threads.
However, as discussed in previous sections no existing pro-
gram logic supports the formal verification about the use
of fully featured release-sequences due to its complexity.
Also, there is no work in GPS family that supports fractional
permissions. In this section, we introduce our new reasoning
framework, GPS++, that support the aforementioned features
with the aid from several novel techniques.
A. A NEW TYPE OF ASSERTION AND THE ENHANCED
PROTOCOL SYSTEM
The key to reason about the C11 synchronisation process is
to deal with the relaxed write operations involved. As that is
discussed in §II-C2, unlike a release write, a relaxed write
cannot form a synchronisation by itself. That is, no resource
can be shared by a relaxed write to its readers unless (1) there
is a release fence prior to it; or (2) it belongs to a release
write’s release-sequence. To reason about the behaviours of
a relaxed write in the C11 synchronisation, its context must
be taken under consideration. The first scenario is relatively
easier, as we can adopt the shareable assertion introduced by
GPS+ to indicate if there is a prior release fence that makes
some resource available for the relaxed write operation to
share. The second scenario is more complicated, as we need
to know if there is a prior release write to the same memory
location and if so, whether or not the release-sequence led by
that release write is still valid at the point where the relaxed
write takes place.
To tackle this problem, a naive solution is to introduce
location-based restricted shareable assertions. That is, a re-
lease write operation on location ` may create an assertion
〈P 〉`, which indicates P is shareable by following relaxed
writes operation on ` who are assumed to be the members
of its release-sequence. However, as discussed in §II-C2 a
release-sequence could be interrupted by non-update writes
from other threads and this definition is not sufficient to be
used to detect these potential interruptions. Therefore, we
introduce state-based restricted shareable assertions (which
we call restricted-shareable assertions for short) instead.
Specifically, a release write that changes location ` to state s
may make some resource P shareable, 〈P 〉s, for the members
of its release-sequence. To check if a following relaxed write
belongs to the release-sequence and can use the restricted-
shareable resource 〈P 〉s, we first check (1) whether they
are operations on the same location; (2) whether they are in
the same thread; and (3) whether the sequence is free from
interruptions. The check for condition (1) can be done by
simply examining whether the two writes follow the same
protocol. To enable the checks for condition (2) and (3),
we extend the state interpretation τ(s, z) used in GPS+ to
the form like τ(s, z, tid, upd), where tid indicates in which
threads the target location can be transformed to the state s,
and upd is 1 if the state s can only be reached by atomic
update operations or 0 otherwise. With these preparations,
we derive the following predicates:
sameThread(s, s′) , ∀t, t′, v, v′, c, c′. (τ(s, v, t, c) 6⇒ false ∧
τ(s′, v′, t′, c′) 6⇒ false)⇒ t = t′
isCAS(s) , ∀v, t, u. (τ(s, v, t, u) 6⇒ false)⇒ u = 1
8 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
With these definitions, the thread and interruption checks
can be formalised as:
∀s′′. s′ wτ s′′ wτ s⇒ sameThread(s′′, s) ∨ isCAS(s′′).
where s is the state established by the release head and s′
is the target state of the relaxed write being checked. The
following properties can be derived for our new restricted-
shareable assertions based on our semantical model:
[SEPARATION-R]
〈P1 ∗ P2〉s ⇔ 〈P1〉s ∗ 〈P2〉s
[UNSHARE-R]
〈P 〉s V P
The [SEPARATION-R] rule indicates that a restricted-shareable
assertion can be split as while as several restricted-shareable
assertions can be merged if they are restricted to the same
state. The [UNSHARE-R] rule states that a restricted-shareable
assertion can be transformed back into its normal form via a
ghost move.
The new restricted-shareable assertion, the enhanced pro-
tocol system, and their properties are semantically supported
by our upgraded resource model, which will be presented in
later sections.
B. REASONING ABOUT C11 RELEASE-SEQUENCES
With our new restricted-shareable assertions and the en-
hanced protocol system introduced, new reasoning rule can
be devised to handle the C11 programs with fully featured
release-sequences. In this section, we first introduce the es-
sential rules most related to C11 synchronisations in Fig. 10.
Rules to deal with fractional permissions are presented in
§IV-C, while other rules are discussed in §IV-D.
Unlike a release write in GPS+ which only needs to
concern about what resource it can share to its readers, a
release write in this work can also initiate a release-sequence,
that is, it can make some resource shareable by the quali-
fied relaxed writes followed. This idea is formalised in our
[RELEASE-STORE] rule as that part of the resource P currently
held in the release write’s precondition can be transformed
into a restricted shareable assertion 〈Q1〉s′′ .
We require the P used in the rule must be normal, i.e., it
can not contain any special forms of assertions (e.g., share-
able assertions or waiting-to-be-acquired assertions). This
ensures that Q1 is also free from special assertions and we
do not create the problematic nesting of special assertions by
putting Q1 into 〈. . . 〉s′′ . The formal definition for the nor-
mality check is normal(P ) , P ⇒ false ∨ 〈P 〉 6⇒ false.
This is not the only occasion where the normality check is
used. Allowing special assertions to be transmitted across
threads also raises problems, therefore we require state asser-
tions to be normal as well to prevent special assertions from
being included.
The [RELAXED-STORE-2] rule illustrate how a release
write works in a release write’s release-sequence. With the
restricted-shareable assertion 〈P2〉so created by a release
write and passed down to the relaxed write, the relaxed write
knows it may be in a release-sequence created at state so. The
validity of the release-sequence needs to be checked using the
second premise (recall §IV-A) then P2 can be used to imply
the target state interpretation (the first premise).
Our reasoning framework is compatible with the rules
developed in GPS+ for reasoning about the synchronisa-
tion initiated by a relaxed write with the help from a
prior release fence. Therefore we inherit these rules as our
[RELAXED-STORE-1] and [RELEASE-FENCE] rules. They state
that a release fence can turn some resource into a (unre-
stricted) shareable resource and then being used by any re-
laxed write that follows. Intuitively, these tow rules are sound
for C11 release-based synchronisation mechanism because
every relaxed write after a release fence is a (hypothetical)
release head and is allowed to share the observations es-
tablished at point where the release fence took place (recall
§II-C2).
On the other side, if the reader is an acquire read, the
[ACQUIRE-LOAD] rule applies. It states that when observing
the location ` at a certain state s′, some knowledgeQ can be
learnt from the state interpretation. Similarly, as shown in the
[RELAXED-LOAD] rule, a relaxed read can also retrieve some
knowledge from the state interpretation, but this knowledge
Q is not instantly useable and is waiting-to-be-acquired by
a following acquire fence that may transfer it to a normal
knowledge according to the [ACQUIRE-FENCE] rule. These
three rules are adopted from GPS+ with minor changes, as
our extension with release-sequence is still compatible with
the principles working on the reader’s side.
Compare-and-swap (CAS) plays an important role in C11
concurrent programming. It is the foundation to the imple-
mentation of many locks and non-blocking algorithms. It can
join in a release-sequence without being in the same thread
as the release head. Therefore, sophisticated concurrent al-
gorithms like the atomic reference counter [11] can use CAS
operations to create synchronisations between many different
threads. GPS+ provides some basic support to CASes without
user specified memory orders. In this work, we devise a set of
rules to cover CAS operations with all possible memory order
specifications. We first take a close look at the [ACQ-REL-CAS]
rule. The first premise corresponds to the case of success
where `’s value is same vo as expected. In this case, the
acquire-release CAS performs as a release store However,
unlike normal release write which can only use the resource
P in its precondition to imply its target state’s interpretation,
a successful CAS can also use the resource from the state in-
terpretation of `’s current state (τ(s′, vo,−,−)). In this way,
the CAS can retransmit the information passed down in its
release-sequence. Moreover, a successful CAS can retrieve
non-knowledge resources from the state interpretation of `’s
current state. The second premise corresponds to the case of
failure where ` is found to have some value other than vo.
In this case, the acquire-release CAS performs as an acquire
read and some knowledge R can be retrieved from the
VOLUME x, 202x 9
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
[RELEASE-STORE]
P V τ(s′′, v,−, 0) ∗Q1 ∗Q2 normal(P )
∀s′ wτ s. τ(s′,−,−,−) ∗ P ⇒ s′′ wτ s′{
` : s τ ∗ P} [`]rel := v { ` : s′′ τ ∗ 〈Q1〉s′′ ∗Q2}
[RELAXED-STORE-1]
P2 V τ(s′′, v,−, 0) ∗Q
∀s′ wτ s. τ(s′,−,−,−) ∗ P1 ∗ P2 ⇒ s′′ wτ s′{
` : s τ ∗ P1 ∗ 〈P2〉
}
[`]rlx := v
{
` : s′′ τ ∗ P1 ∗Q
}
[RELAXED-STORE-2]
P2 V τ(s′′, v,−, 0) ∗Q
∀s′. s′′ wτ s′ wτ so ⇒ sameThread(s′, so) ∨ isCAS(s′)
∀s′ wτ s. τ(s′,−,−,−) ∗ P1 ∗ P2 ⇒ s′′ wτ s′{
` : s τ ∗ P1 ∗ 〈P2〉so
}
[`]rlx := v
{
` : s′′ τ ∗ P1 ∗Q
}
[RELEASE-FENCE]
normal(P )
{P} fencerel {〈P 〉}
[ACQUIRE-FENCE]
{P} fenceacq {P}
[ACQUIRE-LOAD]
∀s′ wτ s. ∀z. τ(s′, z,−,−) ∗ P ⇒ Q{
` : s τ ∗ P} [`]acq {z. ∃s′. ` : s′ τ ∗ P ∗Q}
[RELAXED-LOAD]
∀s′ wτ s. ∀z. τ(s′, z,−,−) ∗ P ⇒ Q{
` : s τ ∗ P} [`]rlx {z. ∃s′. ` : s′ τ ∗ P ∗Q}
[ACQ-REL-CAS]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P V ∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P ⇒ R{
` : s τ ∗ P} CASacq,rel(`, vo, vn) { z. ∃s′′. ` : s′′ τ ∗ ((z = 1 ∗Q) ∨ (z = 0 ∗ P ∗R)) }
[RLX-REL-CAS]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P V ∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P ⇒ R{
` : s τ ∗ P} CASrlx,rel(`, vo, vn)
 z. ∃s
′′. ` : s′′ τ
∗ ((z = 1 ∗Q) ∨
(z = 0 ∗ P ∗R))

[ACQ-RLX-CAS-1]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P2 V
∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀si. s′ wτ si wτ so ⇒ sameThread(si, so) ∨ isCAS(si)
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P1 ∗ P2 ⇒ R{
` : s τ ∗
P1 ∗ 〈P2〉so
}
CASacq,rlx(`, vo, vn)
z. ∃s
′′. ` : s′′ τ
∗ ((z = 1 ∗Q) ∨
(z = 0 ∗ P ∗R))

[ACQ-RLX-CAS-2]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P2 V
∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P1 ∗ P2 ⇒ R{
` : s τ ∗
P1 ∗ 〈P2〉
}
CASacq,rlx(`, vo, vn)
z. ∃s
′′. ` : s′′ τ
∗ ((z = 1 ∗Q) ∨
(z = 0 ∗ P ∗R))

[RLX-RLX-CAS-1]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P2 V
∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀si. s′ wτ si wτ so ⇒ sameThread(si, so) ∨ isCAS(si)
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P1 ∗ P2 ⇒ R{
` : s τ ∗
P1 ∗ 〈P2〉so
}
CASrlx,rlx(`, vo, vn)
z. ∃s
′′. ` : s′′ τ
∗ ((z = 1 ∗Q) ∨
(z = 0 ∗ P ∗R))

[RLX-RLX-CAS-2]
∀s′ wτ s. τ(s′, vo,−,−) ∗ P2 V
∃s′′ wτ s′. τ(s′′, vn,−, 1) ∗Q
∀s′′ wτ s. ∀y 6= vo. τ(s′′, y,−,−) ∗ P1 ∗ P2 ⇒ R{
` : s τ ∗
P1 ∗ 〈P2〉
}
CASrlx,rlx(`, vo, vn)
z. ∃s
′′. ` : s′′ τ
∗ ((z = 1 ∗Q) ∨
(z = 0 ∗ P ∗R))

FIGURE 10: Synchronisation Related Verification Rules
actual state observed.
The ideas for the other CAS rules are similar. How-
ever, when a CAS has relaxed memory order for its
reading component ([RLX-REL-CAS], [RLX-RLX-CAS-1], and
[RLX-RLX-CAS-2]), it still can retrieve some information (Q)
from the state it reads but this information needs to be marked
as “waiting-to-be-acquired” in its post condition (Q). When
a CAS has relaxed memory order for its writing component
([ACQ-RLX-CAS], [RLX-RLX-CAS-1], and [RLX-RLX-CAS-2]), it
can only use the resources that are already sharable to derive
its target state interpretation.
C. DEALING WITH FRACTIONAL PERMISSIONS
As discussed in §II-E, while atomic locations are designed
for concurrent accesses, concurrent accesses (i.e., the ac-
cesses not ordered in hb) to a non-atomic location with at
10 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
least one of them being a store operation lead to data-races.
To ensure the verified programs are data-race-free, previous
work in GPS family models each non-atomic location as a
resource that could only be exclusively held by one thread at a
time, which means these logics can not support the reasoning
about programs with concurrent non-atomic reads (though
they would not result in any race-condition). To verify real-
world concurrent programs with concurrent non-atomic reads
(e.g. the readers-writer-lock algorithm), we introduce frac-
tional permissions for non-atomic locations.
Fractional permissions technique is an example of partial
permissions [12], [13]. In our setting, a fraction in the interval
[0, 1] is used to represent the portion of the ownership to a
non-atomic location. The full permission ` 17→ − is needed
for a thread to write to `; while for a non-atomic read, only a
fraction of the permission will be sufficient:
[NON-ATOMIC-STORE]
{uninit(`) ∨ ` 17→ −} [`]na := v {` 17→ v}
[NON-ATOMIC-LOAD]
p ∈ (0, 1]
{` p7→ v} [`]na {x. x = v ∗ ` p7→ v}
The empty permission ` 07→ − is semantically equivalent
to emp. Permissions can also be combined or separated as
defined below:
[SEPARATION-F]
`
p7→ v ∗ ` q7→ v ⇐⇒
{
`
p⊕q7→ v if p⊕ q is defined
false otherwise
where p⊕ q =
{
p+ q if p, q, p+ q ∈ [0, 1]
undefined otherwise
According to the composition rules, a full permission
(writing permission) is not compatible with another full
permission or any other non-zero permissions. As a result,
a program verified by our logic would not have any race
condition where a write goes in parallel with other accesses
to the same non-atomic location.
D. OTHER RULES
Besides the rules highlighted in previous subsections, we
also have the following rules that make our reasoning system
complete. We gather them into groups for the convenience of
discussion.
The following inference rules depict properties of knowl-
edge assertions. That is, knowledge can be transformed back
to its normal form; knowledge symbol can be safely nested;
a piece of knowledge acts like pure information and thus the
separation assertion is equivalent to the logical conjunction; a
picked escrow, an assertion about atomic location and a pure
term are all knowledge; and a duplicable ghost term is also a
form of knowledge.
[KNOWLEDGE-MANIPULATION-1. . . 7]
P ⇒ P P ⇒ P P ∗Q⇔ P ∧Q
[σ]⇒ [σ] t : t′ τ ⇒  t : t′ τ t = t′ ⇒ t = t′
t ·µ t = t
γ : t µ ⇒  γ : t µ
The first inference rule below states that ghost terms can be
composed or separated according to their PCM definitions.
The second inference rule states that two atomic assertions
about the same location only coherence if the protocols are
same and the states are reachable from one to another or the
other way around.
[SEPARATION-1. . . 2]
γ : t µ ∗ γ : t′ µ ⇔ γ : t ·µ t′ µ
` : s τ ∗ ` : s′ τ ′ ⇒ τ = τ ′ ∧ (s vτ s′ ∨ s′ vτ s)
Following rules are about possible ghost moves. Partic-
ularly, similar to the [UNSHARE-R] rule we have discussed
before, the fifth rule allows us to change an unrestricted
shareable assertion to its normal form. The seventh rule states
that a new ghost term can popup from thin air with a fresh
identifier. The eighth rule states that a ghost variable can be
updated to a new value as long as the new value is compatible
with the environment. The last two rules are inherited from
GPS/GPS+ to cope escrows.
[GHOST-MOVE-1. . . 8]
P ⇒ Q
P V Q
P V Q
P ∗RV Q ∗R
P V Q QV R
P V R 〈P 〉V P
trueV ∃γ. γ : t µ ∀tF : JµK. t1#µtF ⇒ t2#µtF
γ : t1 µ V γ : t2 µ
σ : P  Q
QV [σ]
σ : P  Q
P ∧ [σ]V Q
Note that, following the GPS/GPS+ logic for PCM terms
with type µ we use the shorthand notation t1#µt2 to indicate
that t1 ⊕ t2 is defined. The type declaration can be omitted
when it is obvious.
The following rule is for the memory allocation. Starting
with any valid precondition, alloc(n) allocates n fresh and
continuous locations, which are marked as uninitialised, and
uses the leading location as its return value.
[ALLOCATION]
{true} alloc(n) {x. x 6= 0 ∗ uninit(x) ∗ · · · ∗ uninit(x+ n− 1)}
The following tow rules are for atomic initialisation. In the
precondition P must hold as changing an atomic location to a
particular state requires the state interpretation to be satisfied.
VOLUME x, 202x 11
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
[INITIALISATION-1. . . 2]
P ⇒ τ(s, v)
{uninit(`) ∗ P} [`]rel := v
{
` : s τ
}
P ⇒ τ(s, v)
{uninit(`) ∗ 〈P 〉} [`]rlx := v
{
` : s τ
}
[CONSEQUENCE-RULE]
P ′ V P {P} e {x. Q} ∀x. QV Q′
{P ′} e {x. Q′}
[FRAME-RULE]
{P} e {x. Q}
{P ∗R} e {x. Q ∗R}
Essentially, the following rules states that the special as-
sertions are not to be nested. Nesting special assertions is
problematic as it may introduce things violate the exquisite
design of the whole system. For instance, assuming we allow
an assertion in the form of 〈P 〉, it immediately becomes
shareable, 〈P 〉, after an acquire fence which does not have
the releasing semantics. Therefore, we prevent such nesting
from the resource model level and these inference rules are
corollaries of our resource model design. Note that the anno-
tation (e.g. a) used in these rules can be any valid label (for
restricted shareable assertions) or nothing (for unrestricted
shareable assertions).
[ASSERTION-PROPERTY-1. . . 7]
〈P 〉a ⇒ false if EMP6∈JP Kρ 〈P 〉a ⇒ false if EMP6∈JP Kρ
 P ⇒ false if EMP6∈JP Kρ 〈P 〉a ⇒ false if EMP6∈JP Kρ
 P ⇒ false if EMP6∈JP Kρ 〈P 〉a ∗ 〈Q〉a ⇔ 〈P ∗Q〉a
〈〈P 〉a1〉a2 ⇒ false if EMP6∈JP Kρ
[PURE-REDUCTION-AXIOM-1. . . 2]
{true} v {x. x = v} {true} v == v′ {x. x = 1⇔ v = v′}
We also have the following rules for conditional state-
ments, let-binding, fork expression, and the repeat loop. The
fork rule states that given e can be safely executed from
the precondition Q, we can fork a new thread with the
precondition {P ∗Q} to execute e and leaving only P to the
parent thread.
[CONDITIONAL]
{P ∗ v 6= 0} e1 {x.Q} {P ∗ v = 0} e2 {x.Q}
{P} if v then e1 else e2 {x.Q}
[LET-BINDING]
{P} e {x. Q} ∀x. {Q} e′ {y. R}
{P} letx = e in e′ {y. R}
[FORK]
{Q} e {true}
{P ∗Q} fork e {P}
[REPEAT]
{P} e {x. (x = 0 ∧ P ) ∨ (x 6= 0 ∧Q)}
{P} repeat e end {x. Q}
V. CASE STUDIES
In this section, we first demonstrate our logic with an illus-
trative example using a release-sequence to pass messages
between three threads. Then, we further illustrate the power
of our logic by using it to verify a readers-writer-lock imple-
mentation where both the release-sequence and concurrent
reads are involved.
A. AN ILLUSTRATIVE EXAMPLE
In Fig. 11 we show a message passing program. In this
example, the initial values for x and y are both 0. In the first
thread, the message x is set to be 42 then y is set to be 1. As
the write operation to y is a release write, it initiates a release-
sequence that contains the following relaxed write and may
contain the CAS in the second thread. In the third thread,
y is repeatedly checked until a non-zero value is observed.
Then the message x is examined. Note that, for readability we
use x = e1; e2 as an equivalent expression for the command
letx = e1 in e2 (or simply e1; e2 if the evaluation result of
e1 is not used in e2). For the same reason, we use || to separate
the threads forked.
[x]rlx := 42; CASacq,rel(y, 1, 2) repeat [y]acqend;
[y]rel := 1; r := [x]rlx
[y]rlx := 3; {r = 42}
FIGURE 11: Message passing using release-sequence
We assert that at the end of the execution, the reading of x
must return the new value 42. Intuitively, this is because for
the third thread to exit the loop, a non-zero value y must be
observed, which can only be the result from one of the writes
in the release-sequence led by the release write to y in the
first thread. Therefore a synchronisation is formed between
the release write to y and the acquire read of y, ensuring
the information about x = 42 is available when the their
thread reads the value of x. To formally reason about this
procedure, the protocols for x and y must be defined first. We
call x’s states xo (the initial state) and xn (the new state). Its
protocol Px allows one possible state transition: xo vPx xn.
The state interpretations can be defined as:
Px(s, v, t, c) , s = xn ∧ v = 42 ∧ t = 1 ∧ c = 0,
which states that thread 1 is allowed to change x to state xn
by writing 42 to it and it is not necessary to be a CAS.
There are four states for y: y0,y1,y2 and y3 and the
following transitions are permitted:
y0 vPy y1,y1 vPy y2,y1 vPy y3, and y2 vPy y3.
The state interpretations are defined as:
Py(s, v, t, c) ,
s = y1 ∧ v = 1 ∧ t = 1 ∧ c = 0 ∧ x : xn Px
∨ s = y2 ∧ v = 2 ∧ t = 2 ∧ c = 1 ∧ x : xn Px
∨ s = y3 ∧ v = 3 ∧ t = 1 ∧ c = 0 ∧ x : xn Px ,
12 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
which indicates what values, threads, and the CAS indicators
are needed to move y to a corresponding state. Most impor-
tantly, the interpretations also specify that the stores must
have the knowledge x : xn Px at hand before the actions
can be taken. Therefore, when the acquire load in the third
thread reads from any one of them, the knowledge about x
can be retrieved.
The proof of the program is illustrated in Fig. 12. As the
threads start with observing x and y in their initial states.
In the first thread, the relaxed store to x moves x to its
new state thus we have x : xn Px in (1.2). This resource
is essential for the next command to be performed as it is
required to know x : xn Px in the state interpretation of
y1. With x : xn Px at hand, the release write to y can be
performed and moves y to the state y1. Moreover, according
to the [RELEASE-STORE] rule and rules about knowledge it can
make a restricted-shareable cope of x : xn Px , which can
be used by the relaxed store that follows. When processing
the relaxed store to y, the [RELAXED-STORE-2] rule is applied.
The release-sequence validity check will success as the only
state that can be in the middle of the release head y1 and the
target state y3 is y2, a state can only be reached with a CAS
operation, and CAS does not interrupt a release-sequence.
In different scheduling, the CAS from the second thread
may find y to be in state y0, y1, or y3 before its execution.
The CAS only success if it observes y1. But even when it
fails, the protocol still holds. According to the [ACQ-REL-CAS]
rule, the CAS operation’s postcondition can be derived as
shown in (2.2).
In the third thread, first y is repeatedly read. According
to the [REPEAT] rule and the definitions of Py , exiting the
loop needs y is at least at state y1 as that is denoted in
(3.2). According to the [ACQUIRE-LOAD] rule, some common
knowledge can be retrieved from the state interpretation,
which is x : xn Px in this case. Therefore, when x is read
in the last step, it is guaranteed to return the latest value 42.
Our verification system can also detect possible interrup-
tions in a release-sequences and will not allow the veri-
fication to go through. This is illustrated in the following
example shown in Fig. 13, where the CAS operation in the
second thread is changed to a relaxed store.
For the new program, state transitions and interpretations
for y have to be changed to:
y0 vPy y1 ∧ y0 vPy y2 ∧ y1 vPy y2 ∧
y1 vPy y3 ∧ y2 vPy y1 ∧ y2 vPy y3 ∧ y3 vPy y2
Py(s, v, t, c) ,
s = y1 ∧ v = 1 ∧ t = 1 ∧ c = 0 ∧ x : xn Px
∨ s = y2 ∧ v = 2 ∧ t = 2 ∧ c = 0
∨ s = y3 ∧ v = 3 ∧ t = 1 ∧ c = 0 ∧ x : xn Px
If we attempt to apply [RELAXED-STORE-2] to the command
[y]rlx := 3 and change y to state y3 using the restricted-
shareable resource obtained from release head y1, the valid-
ity check for the release-sequence (the second premise) will
fail as according y’s protocol definition, a non-CAS state y2
from a different thread may be interrupting. The verification
will fail as we would have expected.
B. VERIFYING THE READERS-WRITER-LOCK
In this section, we use our reasoning system to verify the
readers-writer-lock implementation shown in Fig. 14. Note
that, this lock has a bounded capacity N, i.e. it allows at
most N readers (or one writer) to access the protected non-
atomic data field at a time. Note also that, for readability we
use the following field offsets: x.data , x+ 0, which is the
location of the data field; and x.count , x+ 1, which refers
to a counter that keeps track of the number of active players
(a reader is counted as 1, while a writer is solely counted
as N). Once the lock is created and initialised by the new()
function, a reader can atomically increase the counter by 1
(when there are vacancies available, i.e. r1 6= N in Fig. 142)
to inform other players that there is an active reader, which
will prevent a writer from obtaining the lock. After using
the shared resource, the reader relinquishes the reader’s lock
by atomically decrease the counter by 1. A writer waits
until the counter is 0 (which indicates that there is no other
reader nor writer); then it atomically set the counter to N
indicating that the shared resource is fully occupied; then it
can safely modify the non-atomic data. When finishing, the
writer releases the lock by setting the counter back to 0.
Our readers-writer-lock allows concurrent reads. To verify
such an algorithm, we use fractional permissions. The idea is
to divide the permission to access x.data into N pieces (1/N
each). Correspondingly, the value of the counter represents
how many pieces of the fractional permissions have been
distributed. Atomically increasing the counter by 1, a reader
gains one piece of 1/N permission, which is sufficient for it
to perform the read action. However, a writer will have to
update the counter from 0 to N to retrieve the full permission
that consists of all of the N pieces. When releasing the lock,
the permissions go back to the invariant (or protocol, in our
terminology). This design is demonstrated in the execution
graph shown in Fig. 15, which is annotated with the per-
missions transferred along the execution. In this particular
execution, Writer 1 first sets x.data to 42 after obtaining
the full permission. Then this information is released together
with the full ownership of the protected data by the release
write c. In fact, c initiates a release-sequence, from which the
two readers both retrieve one piece of the 1/N permission
to access x.data and read the value 42. The rest of the
permission goes to Writer 2 when j reads from the release-
sequence (which is underlined): c mo→ d mo→ g mo→ f mo→ i rf→ j.
The two 1/N permissions assigned to the readers are also
transferred to Writer 2 via release-sequences: f mo→ i rf→ j
and i rf→ j. Thereupon, Writer 2 can write to x.data freely.
Now we embed this idea into the definitions of the
counter’s protocol Pc and prove that our algorithm works as
intended while the protocol is preserved. Firstly, we choose
2v1 6= v2 , (v1 == v2) == 0
VOLUME x, 202x 13
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
(1.1)
{
x : xo Px ∗ y : y0 Py
}
[x]rlx := 42;
(1.2)
{
x : xn Px ∗ y : y0 Py
}
[y]rel := 1;
(1.3)
{
x : xn Px ∗ y : y1 Py
∗ 〈 x : xn Px 〉y1
}
[y]rlx := 3;
(1.4)
{
x : xn Px ∗ y : y3 Py
}
(2.1)
{
x : xo Px ∗ y : y0 Py
}
CASacq,rel(y, 1, 2);
(2.2)
z.
z = 0 ∧ x : xo Px ∗ y : y0 Py ∨
z = 1 ∧ x : xn Px ∗ y : y2 Py ∨
z = 0 ∧ x : xn Px ∗ y : y3 Py

(3.1)
{
x : xo Px ∗ y : y0 Py
}
repeat [y]acq end;
(3.2)
{
x : xn Px ∗ y : y1 Py
}
r := [x]rlx;
(3.3)
{
x : xn Px ∗ y : y1 Py
∧ r = 42
}
FIGURE 12: Verification of the message passing program
[x]rlx := 42; [y]rlx := 2 repeat [y]acqend;
[y]rel := 1; r := [x]rlx
[y]rlx := 3; {r = 42?}
FIGURE 13: A broken release-sequence
new() ,
x = alloc(2);
[x .data]na := 0;
[x .count]rel := 0;
x
read(x ) ,
repeat
repeat r1 = [x .count]rlx; r1 6= N end;
CASrlx,rlx(x .count, r1, r1 + 1)
end;
fenceacq;
v = [x .data]na;
repeat
r2 = [x .count]rlx;
CASrlx,rel(x .count, r2, r2 − 1)
end;
v
write(x , v) ,
repeat
repeat r = [x .count]rlx; r == 0 end;
CASrlx,rlx(x .count, 0,N)
end;
fenceacq;
[x .data]na := v ;
[x .count]rel := 0
FIGURE 14: A Readers-Writer-Lock
ci,j as the counter’s states, where i tracks how many pieces
of the fractional permissions have been issued so far and j
represents the number of the fractional permissions that have
been returned. As the capacity of our lock is N, we require
that for any valid state i ∈ [j, j + N] holds. For valid states,
the state transitions are defined as ci,j vPc ci+1,j (when
the counter is increased and new permission is issued) and
ci,j vPc ci,j+1 (when the counter is decreased and some
permission is returned). The state interpretation is defined as
below:
Pc(s, v, t, u) , s = ci,j ∧ v = i− j ∧ (i = j ∨ i > j ∧ u = 1)
∗ ∃v′. x.data (N−v)/N7−−−−−→ v′.
This definition specifies that at state ci,j , we have
x.count = i− j. Both CASes and atomic writes can change
x.count to 0 (i = j); however, we must use a CAS (u = 1)
to change x.count to other states (where i < j). Most
importantly, at state ci,j we must ensure that there is
(N− (i− j))/N permission under the guard of the protocol.
This enables a player to retrieve some permission when it
increases the counter (move i forward) and enforces a player
to return permission when it decrease the counter (move j
forward). With these preparations, we can verify our readers-
writer-lock algorithm. Firstly, we demonstrate in Fig. 16 that
the new() function prepares the lock invariant.
Then, as shown in Fig. 17, a reader begins with some
(maybe dated) knowledge of the counter. It repeatedly reads
from the counter until it reads some value that is not equal
to N, which indicates that the lock is not fully occupied.
According to the protocol, we can deduce that at state (2) r2
is actually smaller than N. This is critical for our reasoning, as
when the reader increases the counter in the next step, we will
have to know it would not bring the counter over the bound
and break the protocol. Therefore, after a successful CAS that
increases the counter by 1, the reader exits the loop knowing
that the protocol is preserved and a fraction of the ownership
of x.data is retrieved as shown in state (4). At this stage,
the resource retrieved is waiting-to-be-acquired, as the CAS
itself has only relaxed memory order for loading. An acquire
fence turns the resource to its normal form at (5). Then
x.date can be read according to the [NON-ATOMIC-LOAD]
rule. When unlocking, the reader first gets the latest value of
the counter (in state (7)). As it have a fractional ownership
of x.data at hand, we can deduce that the environment
cannot change the counter to 0, which requires that all the
fractions of x.data’s ownership to be returned. This idea
is also formalised in the [RELAXED-LOAD] rule, according
to which we can only read states whose interpretation is
compatible with the resource we currently hold. Thus, we
know that the counter’s latest value must be greater than 0
and can be safely decreased by 1 using a release CAS when
14 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
Writer 1 :
a : U
(
x.count, 0,
N, rlx, rlx
)
b : W(x.data, 42, na)
c :W(x.count, 0, rel)
Reader 1 :
d :U
(
x.count, 0,
1, rlx, rlx
)
e : R(x, 42, na)
f :U
(
x.count, 2,
1, rlx, rel
)
Reader 2 :
g :U
(
x.count, 1,
2, rlx, rlx
)
h : R(x, 42, na)
i :U
(
x.count, 1,
0, rlx, rel
)
Writer 2 :
j :U
(
x.count, 0,
N, rlx, rlx
)
. . . . . .
sb
+1
sb1
rf
,m
o
1
sb
+
1
/
N
sb
+
1
/
N
rf,mo
(N− 1)/N
rf,mo
(N− 1)/N
rf
,m
o
(N
−
2
)/
N
sb
+
1
/
N
sb
+
1
/
N
rf,mo
1
FIGURE 15: An Execution of Readers-Writer-Lock
new() ,
(1){emp}
x = alloc(2);
(2){x.data = uninit ∗ x.count = uninit}
[x .data]na := 0;
(3)
{
x.data
17→ 0 ∗ x.count = uninit
}
[x .count]rel := 0;
(4)
{
x.count : c0,0 Pc
}
x
(5)
{
z. z = x ∧ x.count : c0,0 Pc
}
FIGURE 16: Verifying the initialisation of a Readers-Writer-
Lock
we return the fractional permission (state (9)). At last, we
return the value read from x.data.
The verification of the writer’s program is shown in
Fig. 18. A writer’s lock can only be acquired when the value
of the counter is 0. When it reads 0 from the counter, it
starts attempting to update the counter to N using CAS.
When the CAS successes, the full ownership of x.data can
be retrieved according the protocol and the [RELAXED-LOAD]
rule (in state (3)). Then, an acquire fence makes the waiting-
to-be-acquired resource locally available before it can be
changed to the new value v that is given in the parameters.
Releasing the writer’s lock is easier than releasing a reader’s
lock. As the writer owns the full permissions to the protected
data (state (6)), it knows that the environment cannot change
the counter to another state (which requires to add or remove
fractional permissions from the protocol) during the time it
holes the lock. Therefore, the writer can simply use a release
write to change the counter back to 0 and release the full
ownership of the data.
VI. THE RESOURCE BASED SEMANTIC MODEL
With memory weakening behaviours, it is difficult to model
the semantics of C11 programs based on a single piece of
sequentially consistent heap shared by all threads. Instead,
GPS and GPS+ use resources and resource triples respec-
tively to depict the computational states of the threads and,
based on the concept of resource, GPS and GPS+ develop
an instrumented semantics to bridge the program logics and
the event/machine level semantics similar to the one we have
defined in §II. In this section we first give a brief introduction
read(x ) ,
(1)
{
x.count : ci0,j0 Pc
}
repeat
repeat r1 = [x .count]rlx; r1 6= N end;
(2)
{∃ci1,j1 . x.count : ci1,j1 Pc ∧ r1 = i1 − j1 < N}
CASrlx,rlx(x .count, r1, r1 + 1)
(3)
z1.
∃ci2,j2 . x.count : ci2,j2 Pc ∧
(z1 = 0 ∧ (i2 − j2 6= i1 − j1)) ∨
(z1 = 1 ∧ i2 = i1 + 1 ∧ j2 = j1 ∗
∃v′. x.data 1/N7→ v′)

end;
(4){ x.count : ci2,j2 Pc ∗x.data 1/N7→ v′)}
fenceacq;
(5){ x.count : ci2,j2 Pc ∗ x.data 1/N7→ v′)}
v = [x .data]na;
(6){v = v′ ∧ x.count : ci2,j2 Pc ∗ x.data 1/N7→ v′)}
repeat
r2 = [x .count]rlx;
(7)
{
v = v′ ∧ ∃ci3,j3 . x.count : ci3,j3 Pc ∧
r2 = i3 − j3 > 0 ∗ x.data 1/N7→ v′)
}
CASrlx,rel(x .count, r2, r2 − 1)
(8)
z2.
v = v′ ∧ ∃ci4,j4 . x.count : ci4,j4 Pc ∧
(z2 = 1 ∧ i4 = i3 ∧ j4 = j3 + 1) ∨
(z2 = 0 ∧ (i4 − j4 6= i3 − j3 ∗ x.data 1/N7→ v′)

end;
(9)
{
v = v′ ∧ x.count : ci4,j4 Pc
}
v
(10)
{
z3. z3 = v = v
′ ∧ x.count : ci4,j4 Pc
}
FIGURE 17: Verifying the Reader’s Lock
to our predecessors’ semantic models, on top of which we can
introduce our new resource-map model that is much more
expressive and enables us to depict the behaviours of C11
release-sequences.
A. RESOURCES AND RESOURCE TRIPLES
In the GPS logic, resources are used to logically describe
computational states. A resource r ∈ Resource is a triple
combined with a physical location map, a ghost identity
map, and a set of known escrows: (Π, g,Σ). For a non-
atomic location, the physical location map Π maps it to some
value na(V ); for an atomic location, Π maps it to a trace
of states governed by the corresponding protocol at(τ, S);
VOLUME x, 202x 15
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
write(x , v) ,
(1)
{
x.count : ci0,j0 Pc
}
repeat
repeat r = [x .count]rlx; r == 0 end;
(2)
{∃ci1,j1 . x.count : ci1,j1 Pc ∧ r = i1 − j1 = 0}
CASrlx,rlx(x .count, 0,N)
(3)
z1.
∃ci2,j2 . x.count : ci2,j2 Pc ∧
(z1 = 0 ∧ (i2 − j2 6= 0) ∨
(z1 = 1 ∧ i2 = i1 + N ∧ j2 = j1 ∗
∃v′. x.data 17→ v′)

end;
(4){ x.count : ci2,j2 Pc ∗x.data 17→ v′}
fenceacq;
(5){ x.count : ci2,j2 Pc ∗ x.data 17→ v′}
[x .data]na := v ;
(6){ x.count : ci2,j2 Pc ∗ x.data 17→ v}
[x .count]rel := 0
(7){∃ci3,j3 . x.count : ci3,j3 Pc ∧ i3 = i2 = j3 = j2 + N}
FIGURE 18: Verifying the Writer’s Lock
and there are also infinite uninitialised locations are mapped
to ⊥. Similarly, the ghost identity map tracks the ghost
values for our auxiliary variables. All established escrows are
recorded in the known escrow set. Resources form a PCM
with composition ⊕. Some useful definitions are:
emp , ((λn. ⊥), (λµ. λn. µ),∅)
r ≤ r′ , ∃r′′. r ⊕ r′′ = r′
brc , {r ⊕ r′ | r′ ∈ Resource}
With resources defined, the semantics for a GPS
proposition can be defined as a set of resources, i.e.,JP Kρ ⊆ Resource, where ρ is a term interpretation assumed
for protocol states and other PCM terms. Note that, GPS
propositions depict the lower bound of the states, that is:
∀r ∈ JP Kρ. ∀r′#r. r ⊕ r′ ∈ JP Kρ.
To support the reasoning about C11 fences, in GPS+ we in-
troduced two new types of assertions, i.e. shareable assertions
and waiting-to-be-acquired assertions. Correspondingly, its
semantic representation is lifted from the resource based
model to a model based on resource triples. A resource triple
(rL, rS, rA) combines three resources to represent the locally
available resource, shareable resource, and the resource re-
trieved from other threads that is waiting for an acquire action
to merge it into the local resource.
B. NEW RESOURCE MAP BASED MODEL
In this work, to deal with the even subtler restricted sharable
assertions, we extend the underlying resource model in GP-
S/GPS+ logic to a more expressive label indexed resource
map:
R ∈ ResMap , Label → Resource
where Label , {L,S,A} ∪ S and S is the domain of the
atomic locations’ states. There are three special labels,
R(L),R(S), and R(A), which respectively represent the lo-
cal, (unrestricted) shareable and the waiting-to-be-acquired
resources. For a resource indexed by a state, R(s) (s ∈ S),
it represents the resource that is made shareable at state s.
The idea behind resource maps is to partition the resource
available to a thread into fragments and label them for easier
manipulation. When putting the resources under all the dif-
ferent labels together, we should get a meaningful resource
back. Therefore, we define that a resource map R is well-
formed if the sum of all its components, i.e.⊕l∈LabelR(l)
(or⊕R for short), is defined.
Similar to the resources introduced in the GPS logic,
the ResMap is also a PCM. Its composition operation ⊕ is
point-wisely lifted from the resource composition operations.
We say two ResMaps are compatible R#R′ if we have
R⊕R′ defined. There is an identity element EMP, which
represents empty for all labels: ∀l. EMP(l) = emp. Like that
in the GPS logic, propositions in GPS++ are lower bounds of
the described states:
∀R ∈ JP Kρ. ∀R′#R.R⊕R′ ∈ JP Kρ
The interpretations for GPS++ propositions are also lifted
to the ResMap-based model. To check if a resource map
R satisfies a “basic” proposition P (an assertion that does
not contain knowledge, shareable, or waiting-to-be-acquired
parts) only its local component is concerned. For instance,
R ∈ J ` : s τ Kρ ⇔ ∃S.R(L).Π(`) = at(τ, S) ∧ s ∈ S. For
knowledge, (restricted/unrestricted) shareable, and waiting-
to-be-acquired assertions, the resources under particular la-
bels are picked out and checked:
R ∈ JP Kρ ⇔ |EMP[L 7→ R(L)]| ∈ JP Kρ
R ∈ J〈P 〉Kρ ⇔ EMP[L 7→ R(S)] ∈ JP Kρ
R ∈ J〈P 〉sKρ ⇔ EMP[L 7→ R(s)] ∈ JP Kρ
R ∈ JP Kρ ⇔ EMP[L 7→ R(A)] ∈ JP Kρ
Note that the stripping operation on a resource map |R| is a
point-wise lifted GPS stripping, that is:
|R| , R′ ∧ ∀l.R′(l) = |R(l)|.3
Note also that, R[l 7→ r] represents a new resource map that
is generated from R by updating R(l) to r. The third defini-
tion gives the semantics for our newly introduced restricted-
shareable-assertions. Intuitively, it states thatR satisfies 〈P 〉s
if the resource indexed by its s label contains the information
3In the GPS logic, a stripped resource |r| is a resource with only
r’s duplicable part: r = r ⊕ |r|. For instance, duplicable elements in r,
e.g., the information about atomic locations and the known escrow set,
is preserved. That is, |r|.Σ = r.Σ, and for any atomic location `at in r
|r|.Π(`at) = r.Π(`at). On the other hand, the information about ownership
dependent elements, e.g., non-atomic values, is removed by stripping. For
instance, for any non-atomic location `na in r |r|.Π(`na) = ⊥.
16 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
needed by P . The semantics for other special assertions is
defined in a similar way. By defining the semantics like
this, we can securely rule out the undesirable nesting of
special assertions. For instance, one can not construct a R
that satisfies 〈P 〉 where P is not emp.
Composed propositions like the separating conjunction are
straightly lifted to the resource map based model:
R ∈ JP1 ∗ P2Kρ ⇔ ∃R1,R2.R = R1 ⊕R2 ∧
R1 ∈ JP1Kρ ∧R2 ∈ JP2Kρ
The semantics for other types of assertions is left in ap-
pendix.
1) Modelling Physical Locations
In GPS/GPS+ na(V ) is used to represent a non-atomic re-
source with value V assigned to a non-atomic location in the
physical location map Π. A na(V ) resource is not duplicable
as it is only compatible with the empty resource ⊥. As we
now support fractional permissions to non-atomic locations,
we use na(V, f) to represent a non-atomic resource where
f ∈ [0, 1]. We have the composition of non-atomic resource
defined as:
na(V, f)⊕⊥ , na(V, f)
na(V, f1)⊕ na(V, f1) , na(V, f1 + f2) if f1 + f2 ∈ (0, 1]
Following GPS/GPS+, an atomic location’s value is mod-
elled as at(τ, S) instead of some concrete values. The τ is
the protocol the location follows, and S is a trace (totally
ordered set) of states it has gone through. One atomic value is
compatible with another if they follow the same protocol and
the union of their traces remains to be a well-formed trace.
For atomic values, we have following shorthand definitions:
at(τ, S) vτ at(τ, S′) , ∀s ∈ S. ∃s′ ∈ S′. s vτ s′
pi ≡τ pi′ , pi vτ pi′ ∧ pi′ vτ pi
Intuitively, the first definition depicts the fact that the
atomic value at(τ, S′) is newer than at(τ, S). In practice, if
a thread holding at(τ, S) for an atomic location ` discovers
that the environment has changed their copy of ` to at(τ, S′);
then it may update ` to the new value as well. The second
definition depicts the situation that two states under the same
protocol are mutually transferable. This usually happens
when two unsynchronised threads are going to change a
same atomic location to different states. Therefore, the two
states must be defined as mutually transferable to cope the
unpredictable scheduling.
A physical location can also be uninitialised uninit or
unallocated ⊥.
2) Ghost Moves
Similar to that in GPS/GPS+, the semantics for our ghost
moves are given by resource-level ghost moves:
ρ |= P V Q , ∀R ∈ JP Kρ.RV JQKρ.
The difference is that resource maps are now used at the
resource-level for greater expressiveness. For example, our
new ghost move [UNSHARE-R] 〈P 〉s V P is validated by the
following resource-level rule:
R′[L] = R[L]⊕ r l ∈ {S} ∪ S R′[l]⊕ r = R[l]
∀l′ 6= L ∨ l.R′[l′] = R[l′]
RV bR′c
Intuitively, it states that a resource map R can move some
resource r from one of its shareable components (unrestricted
shareable component L or restricted shareable component
indexed by one of the labels in S) back to its local component.
The resource-level ghost move rules are designed to avoid
modifying physical states; therefore, the ghost moves are
guaranteed to only change auxiliary/logical computation
states. The rest of the resource-level ghost move rules are left
in appendix.
3) Rely/Guarantee Definitions
Following GPS/GPS+, we provide an instrumented seman-
tics for all actions allowed in our model in a rely/guarantee
style. But unlike GPS/GPS+ instrumented semantics which
are built on resources or resource triples, our actions ma-
nipulate more expressive resource maps, which gives us the
flexibility to depict the subtle differences between all kinds
of actions including their interactions in release-sequences.
A full definition of the rely and guarantee conditions are
presented in Fig. 19 and Fig. 20.
First we introduce the definition of environment moves
envMv(R, `, V ), which depicts a set of resources that could
be acquired4 by reading the location ` with value V .
rrf ∈ envMv(R, `, V ) , ∃τ, s. EMP[L 7→ rrf ] ∈ interp(τ)(s, V ) ∧
∀l.R(l)#rrf ∧R(L)[`] vτ rrf [`] ≡τ at(τ, {s})
The resource that could be acquired is depicted by
interp(τ)(s, V ), which is described by the state interpretation
of the state read s, i.e. Jτ(s, V )Kρ. The R in the definition is
the resource map the current thread holds. It is used to limit
the values can be read as in a well-behaving environment
it is impossible to perform a write operation that requires
resources incompatible withR.
For an action α and its precondition represented byR, the
rely condition rely(R, α) describes which kind of resource
maps Rrely (with potential environment changes taken under
4Recall that resources can be transmitted when a thread reads an atomic
location written by another thread.
VOLUME x, 202x 17
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
α Rrely Rrely ∈ rely(R, α) if
R(`, V, na) R R(L)[`] = na(V ′, f)⇒ V = V ′ ∧ f ∈ (0, 1]
R(`, V, rlx) R′ ∃rrf .R(L)[`] = at(−)⇒ rrf ∈ envMv(R, `, V ) ∧R′(A) = R(A)⊕ |rrf |
∧ R′(L) = R(L)[ ` := rrf [`]] ∧ ∀l 6= L ∨ A.R′(l) = R(l)
R(`, V, acq) R′ ∃rrf .R(L)[`] = at(−)⇒ rrf ∈ envMv(R, `, V ) ∧ ∀l 6= L.R′(l) = R(l) ∧R′(L) = R[L]⊕ |rrf |
W(`, V, at) R R(L)[`] = at(−)⇒ ∃V ′. envMv(R, `, V ′) 6= ∅
U(`, V, V ′, acq, at) R′ ∃rrf .R(L)[`] = at(−)⇒ rrf ∈ envMv(R, `, V ) ∧ ∀l 6= L.R′(l) = R(l) ∧R′(L) = R(L)⊕ rrf
U(`, V, V ′, rlx, at) R′ ∃rrf .R(L)[`] = at(−)⇒ rrf ∈ envMv(R, `, V ) ∧R′(A) = R(A)⊕ rrf
∧ R′(L) = R(L)[ ` := rrf [`]]∀l 6= L ∨ A.R′(l) = R(l)
otherwise R always
FIGURE 19: Rely Conditions for Actions
consideration) can be accepted for α to be safely executed.
To help the readers understand the rely conditions defined
in Fig. 19, we interpret them in an intuitive way below.
First, a non-atomic read relies on its current resource map’s
local component to have the expect value to read and the
permission for the designated memory location is greater
than zero. A relaxed read relies on the condition that there
is some environment move to be read from and then the
resource retrieved can be put into the local resource map’s
waiting-to-be-acquired component. Meanwhile, an acquire
read can put the retrieved resource directly into the resource
map’s local component. Note that only knowledge can be re-
trieved for read operations. The rely conditions for the atomic
update operations are similar to the read operations with
corresponding memory order, except that they can retrieve
non-knowledge resource.
A guarantee condition guar(Rpre,R, α) signifies that the
action α guarantees to generate some resources (Rsb, rrf), in
which the resource map Rsb is left for its sb successors and
the resource rrf could be passed to its potential readers. Note
that the action’s precondition is represented byRpre; however
the action is actually executed with R due to the possible
environment moves. We use at to represent atomic memory
orders (rel or rlx for writing orders; acq or rlx for reading
orders), when it is unnecessary to specify which particular
order is concerned. Intuitively, a skip action guarantees that
it gives nothing if some action tries to read from it; and leaves
everything to its sb successor. An allocation action leaves its
sb successor a resource map with newly allocated locations.
The read actions guarantee that the resource map left for their
sb successor contains some non-trivial information about the
location read. A non-atomic write requires full permission
for the target location (or the location is uninitialised) in R
and leaves the location with updated value in the resource
map for its sb successor. The guarantee conditions for relaxed
and release write will be compared below. Atomic update
operations have the same guarantee conditions with the write
operations having the same memory order. For release fence,
it can move resource between the resource map’s local and
shareable components; and the acquire fence may move
resource between the resource map’s local and waiting-to-
be-acquired components.
With the support from resource map based model, our new
rely/guarantee definitions can depict the subtleness of the
C11 release-sequence behaviours. For instance, both relaxed
and release write can send some information to their potential
readers; but their guarantee definitions are very different. A
relaxed write who changes the target location to state s can
only send out the information made shareable by previous
release fences or valid release heads, which is represented
using s′ in the following definition:
validS(s) ,
 s
′ | ∃τ. s′ vτ s ∧ sameThread(s, s′) ∧
∀s′′. s′ vτ s′′ vτ s⇒ sameThread(s, s′′)
∨ isCAS(s′′)

Therefore, from R′ (the resource map after the writing
takes effect), a relaxed write can take a rrf that satisfies
its state interpretation from the labels valid for it to share
(rrf ≤⊕l∈validS(s)R′(l)), and leave everything else (Rsb)
to its sb successor. Note that we ensure that the internal
participation of Rsb is consistent with R′ (no fragment of
resources is misplaced under a different label) by requiring:
∀l.Rsb(l) ≤ R′(l). On the other hand, a release write can di-
rectly use the resource under its local label5, i.e. rrf ≤ R′(L).
In addition, a release write can make some resource (r2)
restricted shareable to the following writes in its release-
sequence. The relaxed and release atomic updates are similar
to the corresponding writing actions only that they can use
the resource from their reading sources (rin) to fulfil their tar-
get states’ interpretations, as they can be always considered
as a part of release-sequences.
VII. SOUNDNESS
In this section, we formulate the soundness of our proposed
program logic. As in GPS/GPS+, our reasoning framework
is compositional. That is, triples can be proved individually
and then a bigger proof can be generated by connecting
the proved triples with the let and fork rules provided.
To bridge the gap between the localised reasoning and the
5If a resource under a shareable label is demanded, it can be moved to
local via ghost move first.
18 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
α (Rsb, rrf) ∈ guar(Rpre,R, α) if
S rrf = emp ∧Rsb = R
A(`..`′) rrf = emp ∧ ∀l 6= L.Rsb(l) = R(l) ∧R(L) = R(L)[`..`′ := uninit]
R(`, V, na) rrf = emp ∧Rsb = R∧R(L) = na(−)
R(`, V, at) rrf = emp ∧Rsb = R∧R(L) = at(−)
W(`, V, na) Rrf = emp ∧R(L)[`] ∈ {uninit, na(−, 1)} ∧
∀l 6= L.Rsb(l) = R(l) ∧Rsb(L) = R(L)[ ` := na(V, 1) ]
W(`, V, rlx) ∃τ, s, S,R′.
R′(L) = R(L)[` := at(τ, S ∪ {s})] ∧ ∀l 6= L.R′(l) = R(l)
∧ rrf ≤⊕l∈validS(s)R′(l) ∧⊕Rsb ⊕ rrf =⊕R′ ∧ EMP[L 7→ rrf ] ∈ interp(τ)(s, V )
∧ ∀l.Rsb(l) ≤ R′(l) ∧ ∀rE ∈ envMv(Rpre, `,−). rE [`] vat rrf [`]
∧ Rpre(L)[`] 6= ⊥ ∧ (R(L)[`] = uninit ∧ S=∅ ∨R(L)[`] = at(τ, S) ∧ ∀s0 ∈ S. s0 vτ s)
W(`, V, rel) ∃τ, s, S,R′.
∃r1, r2.R(L) = r1 ⊕ r2 ∧R′(L) = r1[` := at(τ, S ∪ {s})]
∧ R′(s) = R(s)⊕ r2[` := at(τ, S ∪ {s})] ∧ ∀l 6∈ {L, s}.R′(l) = R(l)
∧ rrf ≤ R′(L) ∧⊕Rsb ⊕ rrf =⊕R′ ∧ EMP[L 7→ rrf ] ∈ interp(τ)(s, V )
∧ ∀l.Rsb(l) ≤ R′(l) ∧ ∀rE ∈ envMv(Rpre, `,−). rE [`] vat rrf [`]
∧ Rpre(L)[`] 6= ⊥ ∧ (R(L)[`] = uninit ∧ S=∅ ∨R(L)[`] = at(τ, S) ∧ ∀s0 ∈ S. s0 vτ s)
U(`, V, V ′, at, rlx) ∃τ, s, S, rin,R′.
R′(L) = R(L)[` := at(τ, S ∪ {s})] ∧ ∀l 6= L.R′(l) = R(l)
∧ ∀l.Rsb(l) ≤ R′(l) ∧⊕Rpre ⊕ rin ≤⊕R′ ∧R(L)[`] = at(−)
∧ rrf ≤⊕l∈validS(s)R′(l)⊕ rin ∧⊕Rsb ⊕ rrf =⊕R′ ∧ EMP[L 7→ rrf ] ∈ interp(τ)(s, V )
∧ Rpre(L)[`] 6= ⊥ ∧ (R(L)[`] = uninit ∧ S=∅ ∨R(L)[`] = at(τ, S) ∧ ∀s0 ∈ S. s0 vτ s)
U(`, V, V ′, at, rel) ∃τ, s, S, rin,R′.
∃r1, r2. ∧R(L) = r1 ⊕ r2 ∧R′(L) = r1[` := at(τ, S ∪ {s})]
∧ R′(s) = R(s)⊕ r2[` := at(τ, S ∪ {s})] ∧ ∀l 6∈ {L, s}.R′(l) = R(l)
∧ ∀l.Rsb(l) ≤ R′(l) ∧⊕Rpre ⊕ rin ≤⊕R′ ∧R(L)[`] = at(−)
∧ rrf ≤ R′(L)⊕ rin ∧⊕Rsb ⊕ rrf =⊕R′ ∧ EMP[L 7→ rrf ] ∈ interp(τ)(s, V )
∧ Rpre(L)[`] 6= ⊥ ∧ (R(L)[`] = uninit ∧ S=∅ ∨R(L)[`] = at(τ, S) ∧ ∀s0 ∈ S. s0 vτ s)
F(rel) rrf = emp ∧ ∀l 6= L ∨ S.Rsb(l) = R(l) ∧Rsb(L)⊕Rsb(S) = R(L)⊕R(S)
F(acq) rrf = emp ∧ ∀l 6= L ∨ A.Rsb(l) = R(l) ∧Rsb(L)⊕Rsb(A) = R(L)⊕R(A)
FIGURE 20: Guarantee Conditions for Actions
threads’ global interactions and non-sequential-consistent
behaviours, we formulate the notions of local safety and
global safety and provide the soundness proof in both layers.
A. LOCAL SAFETY
The rely-guarantee reasoning [15], [29] is deeply rooted
in the soundness of GPS++. As GPS/GPS+, we formulate
local safety to indicate that given a thread’s rely-condition
respected by other threads’ guarantee-conditions, it confirms
to its own guarantee. However, resource maps are used as
the base model in our proofs to capture the subtle C11
synchronisation features such as release-sequences.
Based on the rely and guarantee definitions we have in-
troduced in the previous section, we define LSafen(e,Φ)
as the set of resource maps on which the command e can
safely execute for n steps and end up with Φ, which is the
interpretation of triple’s postcondition with the return value
filled in place holders, being satisfied:
R ∈ LSafe0(e,Φ) , always
R ∈ LSafen+1(e,Φ) , If e ∈ Val thenRV JΦ(e)Kρ
If e = K[fork e′] then
R ∈ LSafen(K[0],Φ) ∗ LSafen(e′, true)
If e α−→ e′ then ∀RF#R. ∀Rpre V rely(R⊕RF , α).∃P ′.
Rpre ∈ JP ′Kρ ∧ ∀R′ ∈ JP ′Kρ. (Rpre,R′) ∈ wpe(α)
=⇒ ∃Rpost. (Rpost ⊕RF ,−) ∈ guar(Rpre,R′, α)
∧ Rpost ∈ LSafen(e′,Φ)
It is worth noting that with the possible environment moves
taken under consideration, the expression e actually works on
some R′ that follows the action’s rely condition. Note also
that the wpe provides a sanity check to rule out the obvious
problematic environment changes.
α (Rpre,R′) ∈ wpe(α) if
A(`1..`n) ∀i. 1 ≤ i ≤ n⇒R′(`i) = ⊥
W(`,−, at) Rpre(L)[`] = at(−) ∧R′(L)[`] = at(−) ⇒
∃RE ∈ envMv(Rpre, `,−).
RE(L)[`] = R′(L)[`]
U(`,−,−,−) Rpre(L)[`] = at(−)⇒R′(L)[`] ≡ Rpre(L)[`]
Intuitively, the definitions above state that a memory allo-
cation action will only allocation fresh locations; an atomic
VOLUME x, 202x 19
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
write may observe its target location at a state other than
the state in its precondition, while this is not allowed for an
atomic update action.
As that in GPS and GPS+, we formulate the local sound-
ness definition as:
ρ  {P} e {x.Q} , ∀n,R ∈ JP Kρ.RV LSafen(e, λx. JQKρ).
The local soundness provides semantics for our Hoare triples.
It states that starting from any computation state R in the
triple’s precondition P , it is safe for the expression e to
execute as many steps as necessary; and when e terminates,
we can expect that all its possible result states satisfies the
triple’s postcondition λx. JQKρ, where x is e’s return value.
Ghost moves and corollary inference rules also play an
important role in our reasoning system. To validate the (local)
soundness of our reasoning system, we first demonstrate the
correctness of our ghost move and corollary inference rules
introduced in §IV.
Our reasoning system is featured with new corol-
lary inference rules (in the form of P ⇒ Q), namely
[SEPARATION-R], [SEPARATION-F], [SEPARATION-1. . . 2], and
[KNOWLEDGE-MANIPULATION-1. . . 7], to deal with the newly
introduced types of assertions. These rules’ correctness is
ensured by the enhanced resource model and is formalised
in Corollary 1 (whose proof is left in the appendix).
Corollary 1 (Soundness of Corollary Inference Rules).
Our corollary inference rules are semantically sound. That
is, given an inference rule allowing P ⇒ Q, we have
∃R. bRc ∩ JP Kρ ⊆ JQKρ
In our reasoning system we support ghost moves depicted
by rules [UNSHARE-R] and [GHOST-MOVE-1. . . 8]. A ghost move
is a transition that only modifies auxiliary/logical computa-
tion states. This is ensured by the resource-level ghost moves
and formalised in Corollary 2 (whose proof is left in the
appendix).
Corollary 2 (Soundness of Ghost Moves). Our ghost move
rules are semantically sound. That is, given a ghost move rule
allowing P V Q, we have ∀R ∈ JP Kρ.RV JQKρ.
Then we formalise the two of our structural rules below.
Theorem 1 (Consequence Rule). Given ρ  P ′ V P ,
ρ  {P} e {x. Q}, and ∀x. ρ  QV Q′, we can prove that
ρ  {P ′} e {x. Q′}.
Proof. From the first premise of the theorem, we have the
following property ∀R ∈ JP ′Kρ.RV JP Kρ.
From the second premise of the theorem, we have the fol-
lowing property ∀n,R ∈ JP Kρ.RV LSafen(e, λx. JQKρ).
According to [GHOST-MOVE-3] rule (ghost transitive rule),
we have the proof obligation transformed to the form (1)
∀n,R ∈ JP ′Kρ.RV LSafen(e, λx. JQKρ). So far, the pre-
condition strenthning is proven.
In (1), we choose an arbitrarily large n, and unfold LSafe
by its definition. For an e that is terminating, the proof obliga-
tion can be reduced to ∀n,R ∈ JP ′Kρ.RV λx. JQKρ. From
the third premise, we have ∀x. ∀R ∈ JQKρ.RV JQ′Kρ. By
putting them together the consequence rule is proven.
Theorem 2 (Frame Rule). Given ρ  {P} e {x. Q}, we
have ρ  {P ∗R} e {x. Q ∗R}.
Proof. From the premise of the theorem, we have the follow-
ing property: ∀n,R ∈ JP Kρ.RV LSafen(e, λx. JQKρ).
With this, we are going to prove the term that
∀n,R ∈ JP ∗RKρ.RV LSafen(e, λx. JQKρ) ∗ JRKρ.
According to the definition of separation assertions, the
proof obligation can be transformed into:
∀n,R1,R2.R1#R2 ∧R1 ∈ JP Kρ ∧R2 ∈ JRKρ ⇒R1 V
LSafen(e, λx. JQKρ) ∧R2 ∈ JRKρ
By simplification, we can translate the formula above
into the form ∀n,R1 ∈ JP Kρ.R1 V LSafen(e, λx. JQKρ),
which matches the premise.
The frame rules is proven.
Finally, we formalise the local soundness of our reasoning
system as shown below.
Theorem 3 (Local Soundness). Our verification logic is
locally sound. That is, if {P} e {x. Q} is provable, then for
all closing ρ we have ρ  {P} e {x. Q}.
Proof. The expression e may be a single expression or a
series of expressions connected by let-binding. We first prove
that given a single expression e, our reasoning rules are
locally sound. Then we prove by structural induction that our
reasoning system is locally sound for e with arbitrary layers
of let-binding.
For the rule [PURE-REDUCTION-1], where e is a value v
(or an arithmetic term that results in v), we are going to
prove that ∀n,R ∈ JtrueKρ.RV LSafen(v, λx. Jx = vKρ).
The case n = 0 holds trivially. In the case that n > 0, as
e ∈ Val we have:
RV LSafen(v, λx. Jx = vKρ) , RV λx. Jx = vKρ v,
which can be derived from R ∈ JtrueKρ that is given by the
precondition. The proof for [PURE-REDUCTION-1] is finished.
For the rule [PURE-REDUCTION-2], where e is a relational
statement v == v′, we are going to prove that for all n and
R ∈ JtrueKρ:
RV LSafen((v == v′), λx. Jx = 1⇔ v = v′Kρ). Accord-
ing to the event-step rules in our semantics, the expres-
sion v == v′ will be evaluated as 1 if v = v′ and 0 other-
wise. Therefore, in the case v = v′ we have that the term
RV LSafen((v == v′), λx. Jx = 1⇔ v = v′Kρ) is seman-
tically equivalent to R ∈ J1 = 1⇔ v = v′Kρ), which can be
further reduced to R ∈ JtrueKρ that is given by the precon-
dition. Similarly, in the case v 6= v′, we have that the term
RV LSafen((v == v′), λx. Jx = 1⇔ v = v′Kρ) is seman-
tically equivalent to R ∈ J0 = 1⇔ falseKρ) which can be
20 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
derived from R ∈ JtrueKρ that is given by the precondition.
The proof for [PURE-REDUCTION-2] is finished.
For the [FORK] rule, where e = fork e′, we are going to
prove that ∀n,R ∈ JP ∗QKρ.RV LSafen((fork e′), JP Kρ),
with the premise ∀n,R ∈ JQKρ.RV LSafen(e′, JtrueKρ).
The case n = 0 is trivial. In the case n > 0, according to
the definition of local safety, the proof obligation
R ∈ LSafen((fork e′), JP Kρ)
is equivalent to the
R ∈ LSafen−1(0, JP Kρ) ∗ LSafen−1(e′, JtrueKρ),
and this formula can be further reduced to the follow-
ing form according to the definitions of the local safety:
R ∈ JP Kρ ∗ LSafen−1(e′, JtrueKρ). According to the defini-
tion of separation assertions we have:
∀R ∈ JP ∗QKρ. ∃R′,R′′.R = R′ ⊕R′′
∧ R′ ∈ JP Kρ ∧R′′ ∈ JQKρ.
By putting together with the premise, we have
∀R ∈ JP ∗QKρ. ∃R′,R′′.R = R′ ⊕R′′
∧ R′ ∈ JP Kρ ∧R′′ ∈ LSafen−1(e′, JtrueKρ),
which implies the proof obligation. The proof for [FORK] is
finished.
For the rules: [ALLOCATION], [INITIALISATION-1. . . 2],
[ACQUIRE-LOAD], [RELAXED-LOAD], [NON-ATOMIC-LOAD],
[RELEASE-STORE], [RELAXED-STORE], [NON-ATOMIC-STORE],
[ACQ-REL-CAS], [RLX-REL-CAS], [ACQ-RLX-CAS-1],
[ACQ-RLX-CAS-2], [RLX-RLX-CAS-1], [RLX-RLX-CAS-2],
[RELEASE-FENCE], and [ACQUIRE-FENCE], where e is allo-
cation, initialisation, read, write, CASes, or fence. The
event-step used would be e α−→ v, where α could be
A,R,W,U, or F. We prove the soundness of the triple by
unfolding the rely (Fig. 19), guarantee (Fig. 20), and wpe
definitions corresponding to action α; then it is trivial to
check that
∀n > 0,R ∈ JP Kρ.RV LSafen(e, Jx.QKρ)
whereRV LSafen(e, Jx.QKρ) ,
∀RF#R. ∀Rpre V rely(R⊕RF , α).
∃P ′.Rpre ∈ JP ′Kρ ∧ ∀R′ ∈ JP ′Kρ.
(Rpre,R′) ∈ wpe(α)⇒
∃Rpost. (Rpost ⊕RF ,−) ∈ guar(Rpre,R′, α)
∧Rpost ∈ JΦ(v)Kρ
We have also discussed that when n = 0, the local safety
holds by definition. Therefore the aforementioned rules are
locally sound.
For the case e = if v then e1 else e2 in the rule of
[CONDITIONAL], we prove that:
∀n,R ∈ JP Kρ.RV LSafen((if v then e1 else e2), λx. JQKρ).
In the case v 6= 0, we can add the pure assertion to triple’s
precondition according to the semantics for assertions, i.e.
∀R.R ∈ JP Kρ ⇒ R ∈ JP ∧ t 6= 0Kρ = JP ∗ v 6= 0Kρ; then
the triple is validated by the first premise. Similarly, in the
case of v = 0, the triple is validated by the second premise.
The proof for [REPEAT] is finished.
For the [REPEAT] rule, where e = repeat e′end, we prove
that ∀n,R ∈ JP Kρ.RV LSafen((repeat e′end), λx. JQKρ).
In the case that e′ is evaluated as some non-zero value v, The
proof obligation is reduced to ∀n,R ∈ JP Kρ.RV λx. JQKρ,
which is validated by the premise. Otherwise accord-
ing to the event-step semantics for repeat and condi-
tional expressions, the definition of local safety, the re-
ly/guarantee conditions for S action, this proof obliga-
tion can be reduced to that for all n > 0 and R ∈ JP Kρ
RV LSafen−1((repeat e′end), λx. JQKρ) This transfor-
mation can be recursively performed until e′ is evaluated
as non-zero or it reaches LSafe0, which holds trivially. The
proof for [REPEAT] is finished.
For the [LET-BINDING] rule, where e = (letx = e′ in e′′),
we prove that:
∀n,R ∈ JP Kρ.RV LSafen((letx = e′ in e′′), λy. JRKρ)
by using structural induction. We first prove triples with sin-
gle layer let-binding, that is e′ is one of the aforementioned
expresses and does not contain let-binding6, as the base case.
For e = (letx = fork e′ in e′′), we have following
premises:
ρ  {P ∗Q} fork e′ {x. P} and ρ  ∀x. {P} e′′ {y. P ′} .
We are going to prove that ρ  {P ∗Q} e′′[0/x] {y. P ′} .
From the first premise, we have:
∀n,R ∈ JP ∗QKρ.R ∈ LSafen(fork e′, Jx. P Kρ),
which can be unfolded to the following from according to the
definitions of local safety:
∀n,R ∈ JP ∗QKρ.R ∈ LSafen(JP [0/x]Kρ) ∗ LSafen(e′, true).
6Technically speaking, composed expressions like conditional expression,
fork expression and the repeat expression may contain let-binding. However,
as long as they terminate with numerical values we can treat them as “single
expressions”.
VOLUME x, 202x 21
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
From the second premise, we have ρ  ∀x. {P} e′′ {y. P ′}
and thus:
∀n,R′ ∈ JP [0/x]Kρ.R′ ∈ LSafen(letx = 0 in e′′, Jy. P ′Kρ)
= LSafen(K[0], Jy. P ′Kρ).
Therefore, we can derive that:
∀n,R ∈ JP ∗QKρ.
R ∈ LSafen(K[0], Jy. P ′Kρ) ∗ LSafen(e′, true).
For other single expressions let us assume that e′ can be
reduced to numerical value v. According to the event-step
definition for let-binding and the corresponding rely/guar-
antee definitions, the proof obligation can be transformed
into ∀n,R ∈ JP Kρ.RV LSafen(e′′[v/x], λy. JRKρ). At
the same time the first premise can be simplified as
∀R ∈ JP Kρ.R ∈ JQKρ; together with the second premise,
the proof obligation is met.
Then we move on to the inductive case. Let us as-
sume ρ  {P} e′ {x. Q}, where e′ = (letx = e1 in e2),
and prove ρ  {P} letx = e′ in e′′ {x. Q}. According to
the event-step definition for evaluation context, we need
to evaluate e′ first. According to the assumption, e′
can be savely executed as many steps as possible un-
til it is reduced to a numerical value v. Then we have
∀R ∈ JP Kρ.R ∈ JQKρ; together with the second premise
∀n, v,R ∈ JQKρ.R ∈ LSafen(e′, λy. JRKρ), the soundness
of the triples:
∀n,R ∈ JP Kρ.R ∈ LSafen(e′[v/x], λy. JRKρ)
is proven.
B. GLOBAL SAFETY AND THE FINAL SOUNDNESS
THEOREM
As our target programs assume a concurrent environment,
in addition to their local safety, it is also necessary to
demonstrate that given the triple {P}e{x.Q} provable the
executions of e are free from data races, memory errors,
nor dangling reads under all possible threads interleaving.
Therefore, we formulate the global soundness of the pro-
posed program logic similar to its predecessors GPS/GPS+.
However the new logic provides full support to C11 release-
sequences, which makes it much trickier to prove some
critical properties such as data-race-freedom.
Before we can formally define global soundness, we first
provide definition for program execution (with an arbitrary
number of steps) execs(e) and the semantics for C11 pro-
grams JeK in Fig. 21 on top of the machine-step semantics
discussed earlier in §II.
The definitions indicate that the result of a program e is
either some value that can be validated by a legal execution
or an error state if e allows race conditions or memory errors
in its execution.
With these preparations, we define the global soundness
as:
if ` {true} e {x.P} then JeK ⊆ {V | JP [V/x]K 6= ∅}.
Intuitively, this definition requires that a provable Hoare
triple about a close program e must precisely predict the
result of e regarding to its executions under the C11 memory
model. To demonstrate the global soundness of our proposed
Hoare triples, a property called global safety is defined as
below:
GSafen(T ,G,L) ,
valid(G,L, N) = N ∧ compat(G,L) ∧ conform(G,L, N) ∧
∀a ∈ N. L(sb, a,⊥) =⊕{R | ∃i. Tins(i) = (a,−,R,−)} ∧
∀i. Tins(i) = (a, e,R,Φ) =⇒R ∈ LSafen(e,Φ)
where
N , dom(G.A) ∧ Tins ∈ IThreadMap , {N→ (a, e,R,Φ)}
We annotate/label the edges in our execution graphs
with the computation resources they carry from one node
to another and a labelling maps L is used to record that
information. The Tins is an instrumented thread pool, in
which all threads are depicted in tuples like (a, e,R,Φ).
We have a as a thread’s last generated event in the
graph, e as the thread’s continuation, R as the resource
map the thread currently holds (representing the thread’s
computation state), and the postcondition expected after
the execution of the thread is depicted by Φ. The in-
strumented thread pool Tins can be down casted to a
machine thread pool T (recall §II-B) using erase(Tins),
where ∀i. Tins(i) = (a, e,R,Φ)⇒ erase(T )(i) = (a, e).
The predicate valid signifies that a set of nodes and with
their edges properly labelled. By requestingN , dom(G.A),
the global safety definition requires all nodes in the graph
are properly labelled. The compat(G) indicates that for any
group of hb-independent edges in the event graph G, the sum
of resources they carried is defined. We call a group of edges
are hb-independent if for any pair of the edges (a, a′) and
(b, b′) we have ¬hb=(a′, b). Note that, we only consider the
compatibility of the resource maps’ local components, which
should be sufficient as the local components are the actual
resources involved in computation. We also show in our
proofs that when the resources under other labels merged to
local, the compatibility keeps preserved. The conform states
that the mo order for all atomic writes is consistent with the
predefined state transitions.
Intuitively, the global safety definition GSafen(T ,G,L)
indicates that based on an event graph G and with the resource
maps recorded in L, it is safe for any thread from the
thread pool T to execute n steps. We aim to demonstrate
that this global safe property is to be preserved during the
entire executions of legal programs allowed in our logic. To
achieve this, we introduce the method we used to update
22 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
execs(e) , {(e′,G) | 〈[i 7→ (start, e)]; ([start 7→ S],∅,∅,∅,∅)〉 −→∗ 〈[i 7→ (−, e′) unionmulti T ];G〉}JeK , { error ∃(−,G) ∈ execs(e). dataRace(G) ∨memErr(G){V | (V,−) ∈ execs(e)} otherwise
FIGURE 21: Semantics for Program Execution
the labelling L for the event graph when a new node (i.e., a
new event) is added. The labelling process is then formalised
into five lemmas which will demonstrate the restoration of
the global safety for the event graph with the new node
added. In this section, we focus to convey the high-level ideas
about this process leaving the lemmas’ proof and the detailed
definitions to the appendix.
When adding a node the the event graph, its sb incoming
edge is to be labelled first. Suppose that the node to be
added is b and a is its sb predecessor in the event graph.
Initially, node a’s sb outgoing edge points to a sink node, i.e.,
sb(a,⊥), and is labelled with the resource map Rsb which
will be passed to a’s sb successor. If a is followed by a fork
command and b is the first event in the forked thread, part
of the Rsb, namely R, is taken and used to label the sb(a, b)
edge, while the remaining resourceRrem is left in a’s sb sink
edge for a’s local thread. If there is no new thread involved
and b is from the same thread as a, the entire Rsb should
be used to label sb(a, b). Note that we assume there is a
S node with all its outgoing edges labelled as empty in the
initial event graph; therefore if b is the first event generated
in the program, for generality it will take that skip node as
its sb predecessor. We illustrate this process in Fig. 22 and
formalise it as the following lemma.
Lemma 1 (Step Preparation).
if consistentC11(G)
∧ consistentC11(G′)
∧ dom(G′.A) = dom(G.A) unionmulti b
∧ L(sb, a,⊥) = R⊕Rrem
∧ dom(G.A) ⊆ valid(G,L, dom(G.A))
∧ compat(G,L) ∧ conform(G,L, N)
∧ ∀c ∈ dom(G.A). G.A(c) = G′.A(c)
∧ G′.sb = G.sb unionmulti [a, b)
∧ ∀c ∈ dom(G.A). G.rf(c) = G′.rf(c)
∧ G′.mo ⊇ G.mo
then ∃L′. dom(G.A) = valid(G′,L′, dom(G.A))
∧ compat(G′,L′)
∧ conform(G′,L′, dom(G′.A))
∧ L′(sb, a,⊥) = Rrem
∧ in(L′, b, sb) = R
∧ in(L′, b, rf) = EMP
∧ in(L′, b, esc) = EMP
∧ ∀a′ 6= a. L′(sb, a′, b) = EMP
∧ out(L′, b, all) = EMP
∧ ∀a′ 6= a. L′(sb, a′,⊥) = L(sb, a′,⊥)
Note that the shorthand notations in(L, a, t) and
out(L, a, t) correspondingly stand for the sum of resource
maps labelled with a’s incoming or outgoing edges of type t.
Next, the new node’s rf incoming edge will be labelled.
Note that this labelling process is for atomic reading actions
and CASes. A non-atomic load simply returns the value
recorded in its thread-local resource map. Meanwhile, an
atomic load (or a CAS) is able to read from any writer with
respect to the C11 memory model consistentC11. Initially, a
writing event’s rf outgoing resource, which can be referred
to as rrf , is associated to its rf sink edge. When the new
node reads from that write, their rf edge is labelled following
four different approaches according to the read event’s type
(atomic read or CAS) and the memory order used (relaxed or
acquire). If the new event is a relaxed read, its rf incoming
edge is labelled with a resource map EMP[A 7→ |rrf |], indicat-
ing that it can retrieve some knowledge from the write but the
knowledge is “waiting-to-be-acquired”. If the new event is
an acquire read, the retrieved knowledge is directly put under
the local label: EMP[L 7→ |rrf |]. The labelling for the CASes is
similar, but for CASes the information can be retrieved is not
limited to knowledge. Note that, we always left |rrf | in the
writer’s rf sink edge for other readers to read. This process
is illustrated in Fig. 23. By labelling the new rf edge in this
way, the following lemma can be proved.
Lemma 2 (Rely Step).
if G.A(a) = α
∧ dom(G.A) = N unionmulti a
∧N ∈ prefix(G) ∧N ⊆ valid(G,L, N)
∧ in(L, a, all) = out(L, a, all) = EMP
∧ compat(G,L) ∧ conform(G,L, N)
∧ consistentC11(G)
∧ in(L, a, rf) = EMP ∧ in(L, a, esc) = EMP
∧ out(L, a, all) = EMP
then ∃L′. N ⊆ valid(G,L′, N)
∧ compat(G,L)
∧ conform(G,L, N)
∧ in(L′, a, sb)⊕ in(L′, a, rf) ∈ rely(in(L′, a, sb), α)
∧ in(L′, a, esc) = out(L′, a, all) = EMP
∧ ∀b, c. L′(sb, b, c) = L(sb, b, c)
∧ ∀b. L′(sb, b,⊥) = L(sb, b,⊥)
When a piece of resource R is packed into an escrow
by event a, R is removed from a’s working resource map
and put into a’s esc sink edge for safe keeping. Another
event b owning the resource R′ that is required to open the
VOLUME x, 202x 23
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
a
⊥
sbRsb
(a) Before b is added
(Rsb = Rrem ⊕R)
a
b⊥
sbsbRrem R
(b) If b is in a forked thread
a
⊥b
sb
sbRsb EMP
(c) If b is not in a forked thread
FIGURE 22: Labelling event b’s sb incoming edge
w
a⊥
rfrrf
(a) Event a and its rf source w
w
a⊥
rf rfrrf EMP[A 7→ |rrf |]
(b) If a is a relaxe read
w
a⊥
rf rfrrf EMP[L 7→ |rrf |]
(c) If a is an acquire read
w
a⊥
rf rf|rrf | EMP[L 7→ rrf ]
(d) If a is an acquire CAS read
w
a⊥
rf rf|rrf | EMP[A 7→ rrf ]
(e) If a is a relaxed CAS read
FIGURE 23: Labelling event a’s rf incoming edge
escrow may retrieve R through a new escrow edge created
associating a and itself. ThenR′ is dumped to b’s escrow sink
edge. This process (and other local ghost moves) is depicted
in Fig. 24 and is formalised in the following lemma.
Lemma 3 (Ghost Step).
if dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧Rbefore , in(L, a, sb)⊕ in(L, a, rf)⊕ in(L, a, esc)
∧Rafter , R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧Rbefore VI Rafter ∧ |Rbefore| ≤ R ∧RV P
∧ ∀c. L(esc,−, a, e) = EMP
∧ ∀(σ,RE) ∈ I. interp(σ) = (Q,Q′)⇒RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I,RE ∈ Q
′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

then ∃L′, I′,R′,R′before,R′after ∈ P.N ⊆ valid(G,L′, dom(G.A))
∧ compat(G,L′[(esc,−, a,⊥) := L′(esc,−, a,⊥)⊕R′])
∧ conform(G,L′, N)
∧R′before , in(L′, a, sb)⊕ in(L′, a, rf)⊕ in(L′, a, esc)
∧R′after , R′ ⊕ out(L′, a, esc)⊕ out(L, a, cond)
∧R′before VI′ I′R′after
∧ ∀b. L′(sb, b,⊥) = L(sb, b,⊥)
∧ ∀b. L′(rf, b,⊥) = L(rf, b,⊥)
∧ ∀b, c. L′(sb, b, c) = L(sb, b, c)
∧ ∀b, c. L′(rf, b, c) = L(rf, b, c)
∧ ∀c. L′(esc,−, a, e) = EMP
∧ ∀(σ,RE) ∈ I′. interp(σ) = (Q,Q′)⇒ RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I
′,RE ∈ Q′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

The following lemma demonstrates that by labelling the
graph in the way we have described, the new node’s all
incoming resource map will satisfy its wpe requirements.
Lemma 4 (Protocol Equivalence for Writes).
if dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧ in(L, a, all)VI R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧ |in(L, a, sb)⊕ in(L, a, rf)| ≤ R
then (in(L, a, sb)⊕ in(L, a, rf), in(L, a, all)) ∈ wpe(G.A(a))
Finally, the new node’s outgoing edges (sb and rf) will
be labelled in guarantee step, using the corresponding re-
source map and resource (Rsb, rrf ) derived from the action’s
guarantee definition. These resources are initially assigned
to the corresponding sink edges of the new node, until the
node’s future sb and rf successors are added to the graph
and take the resources for the labelling of the corresponding
edges. Note that, as annotation for read-from sink edge, rrf ,
is a resource instead of resource map, we require it to be
24 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
a b
⊥
escR
(a) a creates escrow
a b
⊥ ⊥
esc
Resc escEMP R′
(b) b retrievesR by consumingR′
FIGURE 24: labelling event b’s escrow incoming edge
compatible with other resource maps’ local component at the
compat checking.
Lemma 5 (Guarantee Step).
if G.A(a) = α ∧ dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧Rpre = in(L, a, sb)⊕ in(L, a, rf)
∧ in(L, a, all)VI R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧Rpre ∈ rely(−, α) ∧ |in(L, a, all)| ≤ R
∧ ∀(σ,RE) ∈ I. interp(σ) = (Q,Q′)⇒ RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I,RE ∈ Q
′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

∧ out(L, a, sb) = out(L, a, rf) = EMP
∧ (Rsb, rrf) ∈ guar(Rpre,R, α) ∧ wpe(α,Rpre, in(L, a, all))
then ∃L′. dom(G.A) = valid(G,L′, dom(G.A))
∧ compat(G,L′) ∧ conform(G,L′, dom(G.A))
∧ ∀b 6= a. L′(sb, b,⊥) = L(sb, b,⊥) ∧ L′(sb, a,⊥) = Rsb
In what follows we formulate the Theorem Instrumented
Execution. Intuitively, this theorem states that is a program is
globally safe to be executed for n+ 1 steps from the current
machine configuration, an arbitrarily scheduled move will
lead to a new machine configuration, based on which the rest
of the program will be global-safely for another n steps.
Theorem 4 (Instrumented Execution). If we have
GSafen+1(Tins,G,L) ∧ 〈erase(Tins);G〉 −→ 〈T ′;G′〉
then ∃T ′ins,L′. erase(T ′ins) = T ′ ∧ GSafen(T ′ins,G′,L′).
Proof. Starting from GSafen+1(Tins,G,L), a machine step
transforms the graph into G′ with a new event b and the thread
pool into T ′, leaving n more locally safe steps for the active
thread.
By applying Lemma 1, we have that there exists a
labelling L1 derived from the original labelling L with
in(L1, b, sb) = R∧ L1(sb, a,⊥) = Rrem, which ensures:
dom(G.A) = valid(G′,L1, dom(G.A))
∧ compat(G′,L1 ∧ conform(G′,L1, dom(G′.A)).
By applying Lemma 2, we have that there exists L2
updated from L1 with the new node’s rfincoming label and
maintains the valid set.
By applying Lemma 3, we have that there exists L3
updated from L2 with escrow incoming and outgoing edges
taken under consideration. With the new labelling, the
compat and conform properties are recovered.
By applying Lemma 4, we have that with L3, the sum
of new event’s incoming resource maps satisfies its wpe
definitions.
By applying Lemma 5, we have that there is a labelling
L′ with the new event’s outgoing edges updated. The valid,
compat, and conform along with other properties are pre-
served for the new graph and labelling. Therefore, the new
graph is GSafen(T ′ins,G′,L′).
Now we present one more lemma, whose proof is left in
the appendix, to demonstrate that all possible executions are
free from data-race, memory errors, and uninitialised reads.
Lemma 6 (Error Free). If we have GSafen(Tins,G,L) then
¬dataRace(G),¬memErr(G), and there is no dangling reads.
Ultimately we give the global soundness Theorem Ade-
quacy.
Theorem 5 (Adequacy). If we have ` {true} e {x.P} thenJeK ⊆ {V | JP [V/x]K 6= ∅}.
Proof. From ` {true} e {x.P}, we can derive that from true
the program e is locally safe for an arbitrarily large number of
steps. We assume e terminates in n steps. That is, according
to the step-level semantics e will be reduced to some pure
value, which can be referred to as V , after n steps. We assert
LSafen+1(e, Jx.P K), based on which we construct:
GSafen+1
 [0 7→ (start, e, emp, Jx.P K)],([start 7→ S],∅,∅,∅),
[(sb, start,⊥) 7→ EMP] unionmulti [(rf, start,⊥) 7→ EMP]
 .
By repeatedly applying the Theorem Instrumented Execu-
tion for n times, we can derive:
∃T ′ins,R. GSafe1(T ′ins unionmulti [0 7→ (−, V,R, Jx.P K)],−,−). From
this condition we can imply thatRV JP [V/x]K and thus we
can conclude that JP [V/x]K 6= ∅.
VIII. RELATED WORK
Our work is closely related to the GPS logic [6] and the RSL
logic [5]. RSL can be used to reason about release-acquire
VOLUME x, 202x 25
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
synchronisations in the style of Concurrent Separation Logic
(CSL) [16]. Following up work, FSL and FSL++ [8], [11],
provide support to C11 fences and part of the release-
sequence feature. GPS framework integrates ghost states,
protocols and separation logic, which are the most handy
tools for reasoning about concurrent program advocated by
the state-of-the-art literature [15], [17]–[26]. Tassarotti et
al. [7] demonstrated the power of GPS by apply it to real
world Linux synchronisations algorithms. Following up work
GPS+ [9], [10] provides support to C11 fences and based
on which our work provides the full support to C11 release-
sequences and fractional permissions.
There are some recent works aiming at providing automa-
tions in the verification of C11 weak memory programs.
With the Iris [26] semantics supported, [30] provides the first
mechanical verification tool for a subset of C11 programs
with the GPS and RSL style reasoning. [31] encodes the line
of RSL works [5], [8], [11] into the Viper verification infras-
tructure [32]. Similar automatic implementations would be
one of our future interests.
Semantics-wise, we follow the axioms-based approach
like that introduced by [4]. Similar axioms-based approach
is also used for the Java memory model [33]. For various
hardware memory models, operational semantics are also
used [34]–[36]. Some recent works about the “promising”
semantics [36], [37] propose a relatively more economical
way to eliminate the “thin-air-read” problem without sacrific-
ing too many possible optimisations. Its usefulness has been
demonstrated in the formalisation of the ARMv8 memory
model [38]. It is yet to be proved how handy it could be in
supporting weak memory program logics.
IX. CONCLUSION
To the best of our knowledge, our proposed program logic
GPS++ is the first one that provides the support to the
reasoning about fully featured C11 release-sequences. Built
on top of the GPS+ logic, our work is extended with the
powerful restricted shareable assertions 〈P 〉s, an enhanced
per-location protocol model, and a set of new verification
rules. In addition, GPS++ also has the support to fractional
permission, which makes it more practical than its predeces-
sors, as now the reasoning about concurrent non-atomic reads
is allowed.
In our future work, we aim to bring more memory orders,
e.g., the consume read, into our reasoning framework. We
also aim to apply GPS++ to more real-world C11 programs
and develop reasoning aids with certain degrees of atomisa-
tion.
REFERENCES
[1] L. Lamport, “How to Make a Multiprocessor Computer That Correctly
Executes Multiprocess Programs,” IEEE Trans. on Comp., vol. 28, no. 9,
1979.
[2] ISO/IEC, “ISO/IEC 9899:2011 : Information technology – Programming
Language – C,” 2011.
[3] ——, “ISO/IEC 14882:2011 : Information technology – Programming
Language – C++ ,” 2011.
[4] M. Batty, S. Owens, S. Sarkar, P. Sewell, and T. Weber, “Mathematizing
C++ Concurrency,” SIGPLAN Not., vol. 46, no. 1, Jan. 2011.
[5] V. Vafeiadis and C. Narayan, “Relaxed Separation Logic: A Program Logic
for C11 Concurrency,” ser. OOPSLA ’13. ACM, 2013.
[6] A. Turon, V. Vafeiadis, and D. Dreyer, “GPS: Navigating Weak Memory
with Ghosts, Protocols, and Separation,” ser. OOPSLA ’14. ACM, 2014.
[7] J. Tassarotti, D. Dreyer, and V. Vafeiadis, “Verifying Read-copy-update in
a Logic for Weak Memory,” ser. PLDI ’15. ACM, 2015.
[8] M. Doko and V. Vafeiadis, “A Program Logic for C11 Memory Fences,”
ser. VMCAI ’16. Springer-Verlag New York, Inc., 2016.
[9] M. He, V. Vafeiadis, S. Qin, and J. F. Ferreira, “Reasoning about Fences
and Relaxed Atomics,” ser. PDP ’16. IEEE, 2016.
[10] ——, “GPS+: Reasoning About Fences and Relaxed Atomics,” Interna-
tional Journal of Parallel Programming, vol. 46, no. 6, pp. 1157–1183,
Dec 2018.
[11] M. Doko and V. Vafeiadis, “Tackling Real-Life Relaxed Concurrency with
FSL++,” ser. ESOP ’17, H. Yang, Ed. Springer Berlin Heidelberg, 2017.
[12] J. Boyland, “Checking Interference with Fractional Permissions,” in Pro-
ceedings of the 10th International Conference on Static Analysis, ser.
SAS’03. Berlin, Heidelberg: Springer-Verlag, 2003, pp. 55–72.
[13] R. Bornat, C. Calcagno, P. O’Hearn, and M. Parkinson, “Permission ac-
counting in separation logic,” in Proceedings of the 32Nd ACM SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, ser. POPL
’05. New York, NY, USA: ACM, 2005, pp. 259–270.
[14] M. He, S. Qin, and J. Ferreira, “Towards a program logic for c11 release-
sequences,” in 2018 International Symposium on Theoretical Aspects of
Software Engineering (TASE), 2018, pp. 28–35.
[15] V. Vafeiadis and M. Parkinson, “A Marriage of Rely/Guarantee and
Separation Logic,” ser. CONCUR’07. Springer-Verlag, 2007.
[16] P. W. O’Hearn, “Resources, Concurrency and Local Reasoning,” Theoret-
ical Computer Science, vol. 375, no. 1-3, Apr. 2007, elsevier.
[17] X. Feng, “Local Rely-guarantee Reasoning,” ser. POPL ’09. ACM, 2009.
[18] M. Dodds, X. Feng, M. Parkinson, and V. Vafeiadis, “Deny-Guarantee
Reasoning,” ser. ESOP ’09. Springer-Verlag, 2009.
[19] E. Cohen, M. Dahlweid, M. Hillebrand, D. Leinenbach, M. Moskal,
T. Santen, W. Schulte, and S. Tobies, “VCC: A Practical System for
Verifying Concurrent C,” ser. TPHOLs ’09. Springer-Verlag, 2009.
[20] K. R. Leino, P. Müller, and J. Smans, “Foundations of Security Analysis
and Design V,” A. Aldini, G. Barthe, and R. Gorrieri, Eds. Berlin, Hei-
delberg: Springer-Verlag, 2009, ch. Verification of Concurrent Programs
with Chalice.
[21] T. Dinsdale-Young, M. Dodds, P. Gardner, M. J. Parkinson, and
V. Vafeiadis, “Concurrent Abstract Predicates,” ser. ECOOP, 2010.
[22] A. Turon, D. Dreyer, and L. Birkedal, “Unifying Refinement and Hoare-
style Reasoning in a Logic for Higher-order Concurrency,” ser. ICFP, 2013.
[23] A. Nanevski, R. Ley-Wild, I. Sergey, and G. A. Delbianco, “Communicat-
ing State Transition Systems for Fine-Grained Concurrent Resources,” ser.
ESOP ’14. Springer-Verlag New York, Inc., 2014.
[24] K. Svendsen and L. Birkedal, “Impredicative Concurrent Abstract Predi-
cates,” ser. ESOP ’14. Springer-Verlag New York, Inc., 2014.
[25] P. Rocha Pinto, T. Dinsdale-Young, and P. Gardner, “TaDA: A Logic for
Time and Data Abstraction,” ser. ECOOP, 2014.
[26] R. Jung, D. Swasey, F. Sieczkowski, K. Svendsen, A. Turon, L. Birkedal,
and D. Dreyer, “Iris: Monoids and Invariants As an Orthogonal Basis for
Concurrent Reasoning,” ser. POPL ’15. ACM, 2015.
[27] T. Dinsdale-Young, L. Birkedal, P. Gardner, M. Parkinson, and H. Yang,
“Views: Compositional Reasoning for Concurrent Programs,” ser. POPL,
2013.
[28] R. Ley-Wild and A. Nanevski, “Subjective Auxiliary State for Coarse-
grained Concurrency,” SIGPLAN Not., vol. 48, no. 1, Jan. 2013.
[29] C. B. Jones, “Specification and Design of (Parallel) Programs,” in IFIP
congress, vol. 83. IFIP, 1983, pp. 321–332.
[30] J.-O. Kaiser, H.-H. Dang, D. Dreyer, O. Lahav, and V. Vafeiadis, “Strong
Logic for Weak Memory: Reasoning About Release-Acquire Consistency
in Iris,” in 31st European Conference on Object-Oriented Programming
(ECOOP 2017), ser. Leibniz International Proceedings in Informatics
(LIPIcs), P. Müller, Ed., vol. 74. Dagstuhl, Germany: Schloss Dagstuhl–
Leibniz-Zentrum fuer Informatik, 2017, pp. 17:1–17:29.
[31] A. J. Summers and P. Müller, “Automating deductive verification for weak-
memory programs (extended version),” International Journal on Software
Tools for Technology Transfer, pp. 1–20, 2020.
[32] P. Müller, M. Schwerhoff, and A. J. Summers, “Viper: A verification in-
frastructure for permission-based reasoning,” in International Conference
26 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
on Verification, Model Checking, and Abstract Interpretation. Springer,
2016, pp. 41–62.
[33] J. Manson, W. Pugh, and S. V. Adve, “The java memory model,” in Pro-
ceedings of the 32Nd ACM SIGPLAN-SIGACT Symposium on Principles
of Programming Languages, ser. POPL ’05. New York, NY, USA: ACM,
2005, pp. 378–391.
[34] S. Sarkar, P. Sewell, F. Z. Nardelli, S. Owens, T. Ridge, T. Braibant,
M. O. Myreen, and J. Alglave, “The Semantics of x86-CC Multiprocessor
Machine Code,” in Proceedings of the 36th Annual ACM SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, ser. POPL
’09. New York, NY, USA: ACM, 2009, pp. 379–391.
[35] S. Sarkar, P. Sewell, J. Alglave, L. Maranget, and D. Williams, “Under-
standing POWER Multiprocessors,” in Proceedings of the 32Nd ACM
SIGPLAN Conference on Programming Language Design and Implemen-
tation, ser. PLDI ’11. New York, NY, USA: ACM, 2011, pp. 175–186.
[36] S. Flur, K. E. Gray, C. Pulte, S. Sarkar, A. Sezgin, L. Maranget, W. Deacon,
and P. Sewell, “Modelling the ARMv8 Architecture, Operationally: Con-
currency and ISA,” in Proceedings of the 43rd Annual ACM SIGPLAN-
SIGACT Symposium on Principles of Programming Languages, ser. POPL
’16. New York, NY, USA: ACM, 2016, pp. 608–621.
[37] S.-H. Lee, M. Cho, A. Podkopaev, S. Chakraborty, C.-K. Hur, O. Lahav,
and V. Vafeiadis, “Promising 2.0: global optimizations in relaxed memory
concurrency.” in PLDI, 2020, pp. 362–376.
[38] C. Pulte, J. Pichon-Pharabod, J. Kang, S.-H. Lee, and C.-K. Hur,
“Promising-arm/risc-v: a simpler and faster operational concurrency
model,” in Proceedings of the 40th ACM SIGPLAN Conference on Pro-
gramming Language Design and Implementation, 2019, pp. 1–15.
APPENDIX: MORE DEFINITIONS AND PROOF OF
LEMMAS
In this section we present the less interesting yet indispens-
able definitions used in our reasoning system and semantic
framework, and the proof the lemmas and corollaries we have
discussed in the main text.
Our reasoning system is featured with new types of asser-
tions and the corresponding inference rules to reason about
them. We first present the semantics for our assertions; and
then prove the soundness of our inference rules with the form
P ⇒ Q.
R R ∈ JRKρ iff
(1) t = t′ JtKρ = Jt′Kρ
(2) t vτ t′ JtKρ vτ Jt′Kρ
(3) uninit(t) R(L).Π(JtKρ) = uninit
(4) t
f7→ t′ R(L).Π(JtKρ) = na(Jt′Kρ, f) ∧ f ∈ (0, 1]
(5) t : t′ τ ∃S.R(L).Π(JtKρ) = at(τ, S) ∧ Jt′Kρ ∈ S
(6) t : t′ µ R(L).g(µ)(JtKρ) ≥ Jt′Kρ
(7) [σ] σ ∈ R(L).Σ
(8) P ∧Q R ∈ JP Kρ ∩ JQKρ
(9) P ∨Q R ∈ JP Kρ ∪ JQKρ
(10) P ⇒ Q bRc ∩ JP Kρ ⊆ JQKρ
(11) ∀X. P R ∈ ⋂d∈sort(X)JP Kρ[X 7→d]
(12) ∃X. P R ∈ ⋃d∈sort(X)JP Kρ[X 7→d]
(13) P1 ∗ P2 R ∈ JP1Kρ ∗ JP2Kρ
(14) P |EMP[L 7→ R(L)]| ∈ JP Kρ
(15) 〈P 〉 EMP[L 7→ R(A)] ∈ JP Kρ
(16) 〈P 〉s EMP[L 7→ R(s)] ∈ JP Kρ
(17) P EMP[L 7→ R(A)] ∈ JP Kρ
Corollary 1 (Soundness of Corollary Inference Rules).
Our corollary inference rules are semantically sound. That
is, given an inference rule allowing P ⇒ Q, we have
∃R. bRc ∩ JP Kρ ⊆ JQKρ
Proof. For the [SEPARATION-R] rule: 〈P ∗Q〉s ⇔ 〈P 〉s ∗ 〈Q〉s,
from left to right by the definition (16), we have
R ∈ J〈P ∗Q〉sKρ , EMP[L 7→ R(s)] ∈ JP ∗QKρ. Accord-
ing to the definition (13), the term can be transformed into:
∃r1, r2.R(s) = r1 ⊕ r2 ∧
EMP[L 7→ r1] ∈ JP Kρ ∧ EMP[L 7→ r2] ∈ JQKρ,
which implies the right hand side term. Similarly, we can do
it from right to left. The proof of this rule is finished.
For the [KNOWLEDGE-MANIPULATION-1] rule: P ⇒ P ,
according to definition (14) the semantic for its left
hand side is R ∈ P , |EMP[L 7→ R(L)]| ∈ JP Kρ. As
|EMP[L 7→ R(L)]| ≤ R, R is also in JP Kρ. The proof of this
rule is finished.
Next we prove the rule [KNOWLEDGE-MANIPULATION-2]:
P ⇒ P . Start from the rule’s left hand side, we have
|EMP[L 7→ R(L)]| ∈ JP Kρ. Therefore, ||EMP[L 7→ R(L)]|| ∈ JP Kρ.
The proof of this rule is finished.
For [KNOWLEDGE-MANIPULATION-3]:P ∗Q⇔ P ∧Q,
as P is knowledge, the semantic definition (8)JP Kρ ∩ JQKρ is equivalent to (13) JP Kρ ∗ JQKρ in terms
of evaluation results. Therefore, the rule is proven.
For [KNOWLEDGE-MANIPULATION-4. . . 7], they are seman-
tically sound as according to the definition of stripping
operation and their corresponding semantic definitions ((7),
(5), (1), and (6)) the resource representing these assertions
does not change after stripping. Therefore they are able to be
transformed into knowledge form.
For [SEPARATION-1]: γ : t µ ∗ γ : t′ µ ⇔ γ : t ·µ t′ µ ,
starting from the rule’s left hand side, we have:
R ∈ J γ : t µ ∗ γ : t′ µ Kρ ,
∃R1 ∈ J γ : t µ Kρ,R2 ∈ J γ : t′ µ Kρ.R = R1 ⊕R2,
which is equivalent to the semantics of the rule’s right hand
side. The rule is proven.
For the [SEPARATION-2] rule:
` : s τ ∗ ` : s′ τ ′ ⇒ τ = τ ′ ∧ (s vτ s′ ∨ s′ vτ s), start-
ing from the rule’s left hand side, we have:
R ∈ J ` : s τ ∗ ` : s′ τ ′ Kρ ,
∃R1 ∈ J ` : s τ Kρ,R2 ∈ J ` : s′ τ ′ Kρ.R = R1 ⊕R2.
Given R1#R2, according to the definition of protocol com-
positions, the right hand side is implied. The rule is proven.
For [ASSERTION-PROPERTY-1. . . 7], we prove that special as-
sertions can not be nested. According to the definition (14-
17), the nesting shown on the left hand side results in an
empty resource map that is used to be checked with the
VOLUME x, 202x 27
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
original assertion P , which implies false unless P is emp.
The proof is finished.
A ghost move is a transition that only changes auxiliary/-
logical computation states. This is ensured by our resource-
level ghost moves. We first present our resource-level ghost
moves below:
(1)
R ∈ JP Kρ
RV JP Kρ (2) R0 ∈ JP Kρ ∀R ∈ JP Kρ.RV JP ′KρR0 V JP ′Kρ
(3)
m ∈ JµK
RV bRc ∗ {EMP[L 7→ (⊥, [µ 7→ [i 7→ m]],∅)]}
(4)
∀gF#g. gF#g′
EMP[L 7→ (Π, g,Σ)]V bEMP[L 7→ (Π, g′,Σ)]c
(5)
interp(σ) = (JP Kρ, JP ′Kρ) R′ ∈ JP ′Kρ R[L] = (Π, g,Σ)
R⊕R′ V bR[L 7→ (Π, g,Σ ∪ {σ})]c
(6)
interp(σ) = (JP Kρ, JP ′Kρ) σ ∈ R[L].Σ R ∈ JP Kρ
R0 ⊕RV bR0c ∗ JP ′Kρ
(7)
R′[L] = R[L]⊕ r l ∈ {S} ∪ S R′[l]⊕ r = R[l]
∀l′ 6= L ∨ l.R′[l′] = R[l′]
RV bR′c
Corollary 2 (Soundness of Ghost Moves). Our ghost move
rules are semantically sound. That is, given a ghost move rule
allowing P V Q, we have ∀R ∈ JP Kρ.RV JQKρ.
Proof. We prove the ghost move rules one by one.
For the [GHOST-MOVE-1] rule, we are going to prove
that∀R ∈ JP Kρ.RV JQKρ,with the premise that is given as
∀R. bRc ∩ JP Kρ ⊆ JQKρ. The premise can be simplified asJP Kρ ⊆ JQKρ. Therefore, we have ∀R ∈ JP Kρ.R ∈ JQKρ.
By using the resource level ghost move (1), we have
∀R ∈ JP Kρ.RV JQKρ. [GHOST-MOVE-1] is proven.
For the [GHOST-MOVE-2] rule, we are going to prove that
∀R ∈ JP ∗RKρ.RV JQ ∗RKρ.According to the definition
of separation assertions, it can be transformed to:
∀R ∈ JP Kρ,R′ ∈ JRKρ.
R⊕R′ V {R1 ⊕R2 | R1 ∈ JQKρ ∧R2 ∈ JRKρ}.
According to the premise, we have ∀R ∈ JP Kρ.RV JQKρ.
We can check that the proof obligation is valid for all possible
ghost moves allowed by the resource-level ghost move rules.
[GHOST-MOVE-2] is proven.
For the [GHOST-MOVE-3] rule, initially we have the follow-
ing property: ∀R ∈ JP Kρ.RV JQKρ ∧ ∀R ∈ JQKρ.RV JRKρ,
and we are going to prove that ∀R ∈ JP Kρ.RV JRKρ. From
the first premise ∀R ∈ JP Kρ can be transformed into some
resource in JQKρ for all possible ghost moves. Together with
the second premise, the rule is proven.
The [GHOST-MOVE-3] and [UNSHARE-R] can be proved by
moving the resource under the shareable labels to the re-
source maps’ local component, which is allowed by the
resource level ghost move (7).
For the [GHOST-MOVE-4] rule, we are going to prove that
∀R ∈ JtrueKρ.RV J∃γ. γ : t1 µ Kρ, which can be done by
applying the resource level ghost move (3).
The [GHOST-MOVE-5] is a corollary of the resource level
ghost move (4), while the [GHOST-MOVE-6] is a corollary of
the resource level ghost move (5), and [GHOST-MOVE-7] is a
corollary of the resource level ghost move (6).
Now we present the proofs of the labelling lemmas we
have discussed for our reasoning system’s global safety with
the following definitions (which has been informally dis-
cussed in the main text):
RVI R′ , ∃g.R′ = (R.Π ∪ {σ|(σ,−) ∈ I})
N , dom(G.A)
a ∈ valid(G,L, N) , ∃,R, I.
L ∈ labelling(G)
in(sb)⊕ in(rf)⊕ in(esc)VI R⊕ out(esc)⊕ out(cond)
(out(sb), out(rf)) ∈ guar(in(sb)⊕ in(rf),R, G.A(a))
(∀b ∈ N. isUpd(b) ∧ rf(b) = a) =⇒ (L(rf, a, b) = out(rf))
( 6 ∃b ∈ N. isUpd(b) ∧ rfb = a) =⇒ (L(rf, a,⊥) = out(rf))
|L(rf, a,⊥)| = |out(rf)|
∀(σ,RE) ∈ I. interp(σ) = (P,P ′) =⇒RE ∈ P ′
L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I,RE ∈ P
′,
interp(σ) = (P,P ′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ P)

where, in(x) ,⊕{L(x, b, a) | (x, b, a) ∈ dom(L)}
out(x) ,⊕{L(x, a, c) | (x, a, c) ∈ dom(L)}
compat(G,L) , ∀ ⊆ dom(L).
6 ∃e1, e2 ∈ . G.hb∗(target(e1), source(e2))
=⇒⊕η∈L(η)defined
conform(G,L, N) , ∀`. ∀a, b ∈ N.
G.mol,at(a, b) =⇒ out(L, a, rf)[`] vat out(L, b, rf)[`]
Lemma 1 (Step Preparation).
if consistentC11(G)
∧ consistentC11(G′)
∧ dom(G′.A) = dom(G.A) unionmulti b
∧ L(sb, a,⊥) = R⊕Rrem
∧ dom(G.A) ⊆ valid(G,L, dom(G.A))
∧ compat(G,L) ∧ conform(G,L, N)
∧ ∀c ∈ dom(G.A). G.A(c) = G′.A(c)
∧ G′.sb = G.sb unionmulti [a, b)
∧ ∀c ∈ dom(G.A). G.rf(c) = G′.rf(c)
∧ G′.mo ⊇ G.mo
then ∃L′. dom(G.A) = valid(G′,L′, dom(G.A))
∧ compat(G′,L′)
28 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
∧ conform(G′,L′, dom(G′.A))
∧ L′(sb, a,⊥) = Rrem
∧ in(L′, b, sb) = R
∧ in(L′, b, rf) = EMP
∧ in(L′, b, esc) = EMP
∧ ∀a′ 6= a. L′(sb, a′, b) = EMP
∧ out(L′, b, all) = EMP
∧ ∀a′ 6= a. L′(sb, a′,⊥) = L(sb, a′,⊥)
Proof. Firstly, we prove the compat property. Notice that
for all edges in that are hb-independent with the edge
sb(a, b), they are hb-independent with the sb(a,⊥) edge
as well. Suppose the sum of the resources carried un-
der their local label r is incompatible with L(sb, a, b)(L),
i.e., ¬r#L(sb, a, b)(L). According our labeling rule
L(sb, a, b)(L) ≤ L(sb, a,⊥)(L). That is there exists some r′
that makes L(sb, a,⊥)(L) = L(sb, a, b)(L)⊕ r′. Therefore
we can deduce the following property ¬r#L(sb, a,⊥)(L)
as r ⊕ L(sb, a,⊥)(L) = r ⊕ L(sb, a, b)(L)⊕ r′ which has
undefined result. However ¬r#L(sb, a,⊥)(L) contradicts
with the premise where the compat(G,L) property holds.
Therefore, the sum of the resources carried by all the edges
hb-independent with sb(a, b) is compitable with its resource,
and we can derive that compat(G′,L′)
To prove the conform property, notice that the atomic lo-
cations are unchanged in this step’s labelling process. There-
fore conform(G′,L′, dom(G′.A)) is essentially equivalent to
conform(G′,L′, dom(G′.A)). To prove the valid property and
the validity of the updated labelling, we unfold the corre-
sponding definitions and check the requirements with our
labelling results.
Lemma 2 (Rely Step).
if G.A(a) = α
∧ dom(G.A) = N unionmulti a
∧N ∈ prefix(G) ∧N ⊆ valid(G,L, N)
∧ in(L, a, all) = out(L, a, all) = EMP
∧ compat(G,L) ∧ conform(G,L, N)
∧ consistentC11(G)
∧ in(L, a, rf) = EMP ∧ in(L, a, esc) = EMP
∧ out(L, a, all) = EMP
then ∃L′. N ⊆ valid(G,L′, N)
∧ compat(G,L)
∧ conform(G,L, N)
∧ in(L′, a, sb)⊕ in(L′, a, rf) ∈ rely(in(L′, a, sb), α)
∧ in(L′, a, esc) = out(L′, a, all) = EMP
∧ ∀b, c. L′(sb, b, c) = L(sb, b, c)
∧ ∀b. L′(sb, b,⊥) = L(sb, b,⊥)
Proof. We first focus on the compat property. For non-
update reading actions, we argue that only knowledge is
taken into the new node and knowledge is always compatible
with the environment. For an relaxed atomic update, the
resource taken in from its rf edge is left to be acquired,
therefore the local resources are still compatible. For an ac-
quire atomic update, which can take non-duplicable resource
to its local resource, we notice that there must be a nearest
release action b that made the resource shareable. Therefore
we have b happens before a, which does not break the compat
property.
We assert that conform(G′,L′, dom(G′.A)) is essentially
equivalent to conform(G′,L′, dom(G′.A)) as there is no
changes to atomic locations in this labelling step. To prove
the valid property and the validity of the updated labelling,
we unfold the corresponding definitions and check the re-
quirements with our labelling results.
Lemma 3 (Ghost Step).
if dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧Rbefore , in(L, a, sb)⊕ in(L, a, rf)⊕ in(L, a, esc)
∧Rafter , R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧Rbefore VI Rafter ∧ |Rbefore| ≤ R ∧RV P
∧ ∀c. L(esc,−, a, e) = EMP
∧ ∀(σ,RE) ∈ I. interp(σ) = (Q,Q′)⇒RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I,RE ∈ Q
′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

then ∃L′, I′,R′,R′before,R′after ∈ P.N ⊆ valid(G,L′, dom(G.A))
∧ compat(G,L′[(esc,−, a,⊥) := L′(esc,−, a,⊥)⊕R′])
∧ conform(G,L′, N)
∧R′before , in(L′, a, sb)⊕ in(L′, a, rf)⊕ in(L′, a, esc)
∧R′after , R′ ⊕ out(L′, a, esc)⊕ out(L, a, cond)
∧R′before VI′ I′R′after
∧ ∀b. L′(sb, b,⊥) = L(sb, b,⊥)
∧ ∀b. L′(rf, b,⊥) = L(rf, b,⊥)
∧ ∀b, c. L′(sb, b, c) = L(sb, b, c)
∧ ∀b, c. L′(rf, b, c) = L(rf, b, c)
∧ ∀c. L′(esc,−, a, e) = EMP
∧ ∀(σ,RE) ∈ I′. interp(σ) = (Q,Q′)⇒RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I
′,RE ∈ Q′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

Proof. To prove the compat property, firstly we assert that
the escrowed resource a retrieved must have been put under
escrow by an event that happens before a. This is because
our labelling process ensures that the escrowed resource is
initially attached to the creator’s escrow sink edge, and can
only appear in a node’s local component if that node is
in a chain of (sb ∪ sw)+ following the creator. Then we
VOLUME x, 202x 29
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
assert that the compat property holds for the updated graph
following the same argument as that used in the compat proof
for the Lemma Rely Step. We also assert that the conform,
valid properties and the new labelling are valid for the same
reasons discussed in the proof for the previous lemma.
Lemma 4 (Protocol Equivalence for Writes).
if dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧ in(L, a, all)VI R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧ |in(L, a, sb)⊕ in(L, a, rf)| ≤ R
then (in(L, a, sb)⊕ in(L, a, rf), in(L, a, all)) ∈ wpe(G.A(a))
Proof. We prove this lemma by firstly unfold the definitions
of valid, compat, andconform. Then we do case analysis
based on the type of a and check the corresponding wpe
definitions.
Lemma 5 (Guarantee Step).
if G.A(a) = α ∧ dom(G.A) = N unionmulti a ∧N ∈ prefix(G)
∧N ⊆ valid(G,L, dom(G.A))
∧ compat(G,L[(esc,−, a,⊥) := L(esc,−, a,⊥)⊕R])
∧ conform(G,L, N) ∧ consistentC11(G)
∧Rpre = in(L, a, sb)⊕ in(L, a, rf)
∧ in(L, a, all)VI R⊕ out(L, a, esc)⊕ out(L, a, cond)
∧Rpre ∈ rely(−, α) ∧ |in(L, a, all)| ≤ R
∧ ∀(σ,RE) ∈ I. interp(σ) = (Q,Q′)⇒RE ∈ Q′
∧ L(esc, a,⊥) =
⊕
RE | (σ,RE) ∈ I,RE ∈ Q
′,
interp(σ) = (Q,Q′),
( 6 ∃b. hb=(a, b) ∧ L(cond, b,⊥) ∈ Q)

∧ out(L, a, sb) = out(L, a, rf) = EMP
∧ (Rsb, rrf) ∈ guar(Rpre,R, α) ∧ wpe(α,Rpre, in(L, a, all))
then ∃L′. dom(G.A) = valid(G,L′, dom(G.A))
∧ compat(G,L′) ∧ conform(G,L′, dom(G.A))
∧ ∀b 6= a. L′(sb, b,⊥) = L(sb, b,⊥) ∧ L′(sb, a,⊥) = Rsb
Proof. For the new node a’s sb outgoing edge, we first
proved the proof for its compat property. Suppose there is
an edge ξ that is hb-independent with the new node a’s
sboutgoing edge sb(a,⊥) and the resource map it carries is
incompatible with L(sb, a,⊥). Supposing a is not an acquire
action, i.e. the incompatibility is not caused by moving
resources from the current resource map’s A component to
its local component, we use case analysis to demonstrate that
the action’s guarantee condition would not introduce new
incompatibility; however if the incompatibility is not newly
introduced, it would appear in one of the incoming edges,
which violates the compat property in the premise. If a is an
acquire action, which could move resources from the A com-
ponent to L, we argue incompatibility can not be introduced
in this process by contradiction. Assuming the incompatible
resource originally in A is r, there must be another node, say b
that moves r from L to a shareable component and thereafter
r could be loaded to A in a’s thread, according to our labeling
method. According to the C11 memory model, we derive
that b happens before a. If there exists an edge ξ that is hb-
independent with L′(sb, a,⊥) and carries the incompatible
resource r, it also hb-independent with one of a’s incoming
edges that carries r (the case that r is created by a is trivial),
which violates the compat(G,L). With the same argument
used for the release fence case, we argue that the compat
property holds for a’s rf outgoing edge.
For the new graph’s conform property, we prove by ex-
haustion on all possible type of actions, and check unfolded
conform definitions against the guarantee conditions for the
corresponding type of actions. Same to that for previous
lemmas the proof for the valid property and the validity of
the updated labelling, can be demonstrated by unfolding the
corresponding definitions and check the requirements with
our labelling results.
Lemma 6 (Error Free). If GSafen(Tins,G,L) then we have
¬dataRace(G),¬memErr(G), and all reads are initialised.
Proof. We first prove that an event graph supporting safe
executions is free from race conditions using proof by con-
tradiction. Suppose event a and b in G cause a data race,
by the definition of race condition we can deduce that
¬hb(a, b) ∧ ¬hb(b, a). Also, we can derive that there is a
location ` that appears in both a and b’s incoming edges that
holds some non-trivial (not ⊥) non-atomic values. However,
given that a’s incoming edges are hb-independent with that of
b’s the appearance of the non-atomic resource about location
` in both groups violates the compatproperty in the global
safety definitions. Therefore, there are no two events in G
that could raise a data race.
To prove the graph is free from memory errors, i.e., there
is no memory access to unallocated memory locations, first
notice that ensured by our instrumented semantics to manip-
ulate a location `, an event b must have the information about
` in one of its incoming edge’s local component. Then we
define a recursive search procedure to find the action that
allocates ` and demonstrate that the memory accesses to `
are error free.
Firstly, we search backwards following the sb+ edges in
the graph starting from b, until we reach an event a where the
information about ` is not in one of its incoming edge’s local
component. In the case that a is an allocation action and it
allocates `, the search ends. In the case that a is an acquire
fence and it moves ` from the waiting-to-be-acquired com-
ponent in one of its incoming edge to the local component in
its outgoing resource maps, we assert that there exists an read
or update event a0 with relaxed memory order prior to a in
the sb+ relation according to our labelling process, and the
information about ` appears in a0’s read-from incoming edge
under the waiting-to-be-acquired label. Then we recursively
perform this search procedure starting with the write event
30 VOLUME x, 202x
M. He et al.: A Program Logic for Reasoning about C11 Programs with Release-Sequences
that a0 reads from until we find the right allocation action. If
it is not the cases aforementioned, we check if a’s immediate
sbsuccessor a′ is a read or update event with acquire memory
order. If so, we recursively perform this search procedure
starting with the write event that a′ reads from. We assert
these are all the cases needed to be considered as any other
case violates the global safety definitions according to our
labelling process. Therefore, a globally safe event graph is
error free.
VOLUME x, 202x 31
