AZALEA RAAD, Imperial College London and Meta, UK JOSH BERDINE, Meta, UK DEREK DREYER, MPI-SWS, Germany PETER W. O'HEARN, Meta and University College London, UK

Incorrectness separation logic (ISL) was recently introduced as a theory of under-approximate reasoning, with the goal of proving that compositional bug catchers find actual bugs. However, ISL only considers sequential programs. Here, we develop *concurrent incorrectness separation logic* (CISL), which extends ISL to account for bug catching in concurrent programs. Inspired by the work on Views, we design CISL as a parametric framework, which can be instantiated for a number of bug catching scenarios, including race detection, deadlock detection, and memory safety error detection. For each instance, the CISL meta-theory ensures the *soundness* of incorrectness reasoning for free, thereby guaranteeing that the bugs detected are true positives.

# $\label{eq:CCS Concepts: CCS Concepts: • Theory of computation \rightarrow Concurrency; Semantics and reasoning; • Software and its engineering \rightarrow General programming languages.$

Additional Key Words and Phrases: Concurrency, program logics, separation logic, bug catching

#### **ACM Reference Format:**

Azalea Raad, Josh Berdine, Derek Dreyer, and Peter W. O'Hearn. 2022. Concurrent Incorrectness Separation Logic. Proc. ACM Program. Lang. 6, POPL, Article 34 (January 2022), 29 pages. https://doi.org/10.1145/3498695

#### **1 INTRODUCTION**

Recently there has been a successful trend in automated static analysis tools that use *under-approximate* techniques to detect bugs in *concurrent* programs. The idea behind under-approximation is to focus on a *subset* of program behaviours, to ensure one detects only *true positives* (real bugs) rather than *false positives* (spurious bug reports). For instance, RacerD [Blackshear et al. 2018] uses under-approximation to detect data races in Java programs, while Brotherston et al. [2021] utilise under-approximation for deadlock detection. RacerD is the state-of-the-art tool in race detection, significantly outperforming other race detectors in terms of bugs found and fixed: over 3k races found by RacerD have been fixed before reaching production (see [Blackshear et al. 2018]). More significantly, it supported the conversion of Facebook's Android app to a multi-threaded UI model, performing counter-factual reasoning to detect races that could exist *if* a class were placed in a multi-threaded context, *before* it was placed there; thousands of classes were converted this way, leading to performance gains in Facebook's Android app. The deadlock detector of Brotherston et al. [2021] has also been useful in practice, with over two-hundred deadlocks fixed by Facebook engineers. Fixing deadlocks is especially impactful as they can lead to "app not responding" behaviour, which can be more difficult for engineers to detect than plain crashes.

Authors' addresses: Azalea Raad, Imperial College London and Meta, UK, azalea.raad@imperial.ac.uk; Josh Berdine, Meta, UK, josh@berdine.net; Derek Dreyer, MPI-SWS, Saarland Informatics Campus, Germany, dreyer@mpi-sws.org; Peter W. O'Hearn, Meta and University College London, UK, p.ohearn@ucl.ac.uk.



This work is licensed under a Creative Commons Attribution 4.0 International License. © 2022 Copyright held by the owner/author(s). 2475-1421/2022/1-ART34 https://doi.org/10.1145/3498695 These static tools are compositional and run quickly on code changes, often in time proportional to the size of a code change rather than that of the global codebase. This distinguishes them from whole-program dynamic testing tools, making them especially well-suited to deployment at code review time within continuous integration systems (a deployment model emphasised by Google and Facebook in articles on static analysis at scale [Sadowski et al. 2018; Distefano et al. 2019]).

Unfortunately, useful though they may be, there is currently no well-understood or unifying theory underpinning such under-approximate analyses. As a result, each time such a tool is developed, the authors spend a significant amount of technical effort proving a *no-false-positives* (NFP) theorem, stating that the bugs found by the tool are indeed real bugs. For instance, in the case of RacerD this took a separate technical effort by Gorogiannis et al. [2019] to establish its NFP theorem. In the case of [Brotherston et al. 2021], the authors have developed a large corpus of lemmas building towards their NFP theorem, requiring significant technical investment and expertise. Furthermore, each such technical effort proves an NFP theorem for a bespoke tool or technique, and one cannot easily port those results to other under-approximate tools or techniques.

Ideally, one would have a unifying theory that underpins *concurrent under-approximate reasoning* (for proving *incorrectness*, i.e. the presence of bugs), in the same way that program logics such as [O'Hearn 2004; Owicki and Gries 1976] provide a foundation for concurrent over-approximate reasoning (for proving *correctness*, i.e. the absence of bugs). The key advantage of such a theory is that tools and techniques underpinned by it are accompanied by an NFP theorem *for free*.

Fortunately, the recent work of O'Hearn [2019] on *incorrectness logic* (IL) and its later extension to *incorrectness separation logic* (ISL) [Raad et al. 2020] have paved the way toward such a theory. IL lays the groundwork for a general theory of compositional under-approximate reasoning, and ISL has extended that to account for pointers and memory errors. However, these logics only apply to *sequential* programs and do not support reasoning about *concurrent* bug catching analyses.

In this paper, we close the gap by extending ISL to support concurrency. This task is far from straightforward, as witnessed in the correctness setting when extending separation logic (SL) [O'Hearn et al. 2001] with concurrency. Specifically, the advent of SL at the turn of the century led to a large body of work extending SL with concurrency, e.g. [O'Hearn 2004; Vafeiadis and Parkinson 2007; Dinsdale-Young et al. 2010; Nanevski et al. 2014; Jung et al. 2015; Raad et al. 2015], using different techniques to address different verification needs. This led to Parkinson's observation, in "The next 700 separation logics" [Parkinson 2010], that there has been "a disturbing trend for each new library or concurrency primitive to require a new separation logic". He rightfully argued "we shouldn't be inventing new separation logics, but should find the right logic to reason about interference". This insight eventually led to the concurrent Views framework [Dinsdale-Young et al. 2013], a parametric meta-theory of concurrent reasoning that distils the essence of separation logic, and can be instantiated to reason about different concurrent scenarios.

In the same spirit, in order to avoid inventing the "next 700 *incorrectness* separation logics", we develop *concurrent incorrectness separation logic* (CISL, pronounced "sizzle"), a unifying framework for concurrent under-approximate reasoning that can be instantiated to prove true-positives theorems for a range of concurrent bug catching scenarios. To our knowledge, CISL is the very *first* formal theory for concurrent under-approximate reasoning and bug catching. As with ISL, a key advantage of CISL is that it supports *compositional* reasoning, as needed to account for compositional analyses like those mentioned above. Moreover, CISL adds compositionality in a new dimension, namely *thread-locality*: we can reason about each concurrent thread in isolation.

Thanks to the soundness of CISL, each CISL instance is automatically accompanied by an NFP theorem. In §4–7, we instantiate CISL to detect concurrency bugs such as data races, deadlocks, and memory safety errors, along with a proof that the bugs found are real. Our CISL instantiations for races and deadlocks are inspired by the under-approximate analyses of RacerD and [Brotherston

| free(x);<br>L: $[x] := 1$ C<br>(a) A local memory<br>safety bug at L | ory (b) Data-agno | ostic (global)                       | $free(x); \  a := [z];$ $[z] := 1; \  if(a=1) L:$ (c) A data-dependent<br>memory safety bug a        | (global)                                   | (d) A data-ag                                                                                                                                                         |                                                                       |
|----------------------------------------------------------------------|-------------------|--------------------------------------|------------------------------------------------------------------------------------------------------|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
|                                                                      | a := [y];         | 3. [y] := 1;<br>4. unlock <i>l</i> ; | $\begin{cases} 6. & a := [y]; \\ 7. & unlock l; \\ 8. & if (*) [x] := 2; \\ ostic (global) race be-$ | 2. [z]<br>3. unlo<br>4. [x] ::<br>(g) A da | $\begin{vmatrix} s & l \\ s & ck & l \\ s & s & l \\ s & s & s & l \\ s & s & s & l \\ s & s & s & s \\ s & s & s & s \\ s & s &$ | = [z];<br>ock <i>l</i> ;<br><i>a</i> =1) [x] := 2;<br>t (global) race |

Fig. 1. Several examples of memory safety bugs and races where all memory locations x, y, z initially hold 0

et al. 2021], respectively. Additionally, we strengthen our instantiations to catch races that RacerD could not, and to produce more informative assertions (i.e. with a witness trace) than those of [Brotherston et al. 2021].

**Contributions and Outline.** Our contributions (detailed in §2) are as follows. In §3 we present the general meta-theory of CISL. In §4 we instantiate CISL for race detection and compare it to RacerD. In §5 we instantiate CISL for deadlock detection and compare it to [Brotherston et al. 2021]. In §6 we further generalise CISL to account for thread interference. Using this generalisation, in §7 we instantiate CISL for subvariant reasoning (an under-approximate analogue of invariant reasoning), and use it to detect memory safety bugs. We discuss related work and conclude in §8.

#### 2 OVERVIEW OF CISL

**CISL at a Glance.** As with its sequential counterpart ISL, CISL allows us to prove triples of the form  $[p] \ C \ [\epsilon : q]$ , stating that *every* state in *q* is reachable by executing C starting in *some* state in *p*. The  $\epsilon$  denotes an *exit condition* that may be either *ok* to denote normal (non-erroneous) execution, or  $\epsilon \in \text{EREXIT}$  to denote a buggy (erroneous) execution (EREXIT is supplied to CISL as a parameter to distinguish different classes of bugs such as memory safety errors, races and so forth). A key part of CISL is its parallel composition rule, PAR in Fig. 5 (p. 9), stating that if we prove  $[p_i] \ C_i \ [ok: q_i]$  for each  $i \in \{1, 2\}$  in isolation, then we can also prove  $[p_1 * p_2] \ C_1 \ [l] \ C_2 \ [ok: q_1 * q_2]$ . Note that PAR is identical to its over-approximate analogue in [O'Hearn 2004] and is similarly *compositional*: we can identify a normal execution of  $C_1 \ [l] \ C_2$  by considering each thread in isolation. Observe that PAR only allows us to prove normal (*ok*) triples; as we describe below, CISL provides different techniques for proving buggy triples, depending on the *bug category*.

The Three Faces of Concurrent Bugs (Errors). When using CISL to detect different classes of bugs (e.g. memory safety errors and races), we have identified three bug categories: 1) *local* (interleaving-agnostic) bugs; 2) *global* (interleaving-dependent), *data-agnostic* bugs; and 3) *global*, *data-dependent* bugs. We describe these three categories through several examples in Fig. 1, where we write  $\tau_1$  and  $\tau_2$  for the left and right threads in each example, respectively.

Local bugs are due to one thread, say  $\tau$ , in that they arise even when  $\tau$  executes in isolation (i.e. sequentially) and are thus *interleaving-agnostic*. An example of this is shown in Fig. 1a: regardless of the behaviour of C in  $\tau_2$  (the right thread), executing  $\tau_1$  (the left thread) leads to a use-after-free (memory safety) bug at L as x is accessed after it is deallocated. As we describe later in §3, local bugs can be detected using the PARER rule of CISL in Fig. 5 (on p. 9): due to the short-circuit semantics of

errors (whereby execution is terminated upon encountering an error), a bug is reached by executing a concurrent program,  $[p] C_1 || C_2 [\epsilon; q]$ , if it is reached by executing one thread,  $[p] C_1 [\epsilon; q]$ .

In contrast to local bugs, global bugs are due to how concurrent threads interact with one another and arise only under certain interleavings, i.e. they are *interleaving-dependent*. For instance, Figures 1b and 1c both depict examples of global bugs. In particular, in an interleaving of Fig. 1b where  $\tau_1$  is executed after (resp. before)  $\tau_2$ , we reach a use-after-free bug at L (resp. L'). Analogously, in an interleaving of Fig. 1c where  $\tau_2$  is executed after  $\tau_1$ , the condition of the if statement is satisfied and thus we reach a use-after-free bug at L. Note that there is a *data dependency* between  $\tau_1$  and  $\tau_2$  in Fig. 1c in that  $\tau_1$  may affect the *control flow* of  $\tau_2$ : the value read in a := [z], and subsequently the condition of if and whether L: [x] := 1 is executed, depends on whether  $\tau_2$  executes a := [z] before or after  $\tau_1$  executes [z] := 1. As such, the bug at L is *data-dependent*. By contrast, the threads in Fig. 1b cannot affect the control flow of one another and thus the bugs at L and L' are *data-agnostic*. Intuitively, data dependence arises through *deterministic* (non-random) conditions in if/loop statements, prescribing a certain execution path. Specifically, were we to replace the (deterministic) condition a=1 in Fig. 1c with the *non-deterministic* expression \* (which evaluates to an arbitrary value), then the memory-safety error at L would be rendered data-agnostic.

**Detecting Global Bugs.** Due to their global nature, global bugs (be they data-agnostic/dependent) cannot be detected using PARER. Instead, as they manifest only under certain interleavings, they can be detected using the PARSEQ, PARL and PARR rules of CISL (in Fig. 5), which enable us to consider certain interleavings. For instance, let  $C_1 = C_3$ ;  $C_4$  and  $C = C_1 || C_2$ , and let  $\epsilon$  denote an error that manifests only in an interleaving of C in which  $C_2$  is executed between  $C_3$  and  $C_4$  as  $[p] C_1 || C_2$  [ $\epsilon : q$ ]. We can then detect  $\epsilon$  as follows. First, we use PARL to execute  $C_3$  normally, (the  $[p] C_3$  [ok: r] premise); and then show that the continuation  $C_4 || C_2$  yields error  $\epsilon$  (the  $[r] C_4 || C_2 [\epsilon : q]$ .

Unfortunately, however, PARSEQ, PARL and PARR are *not compositional* as they consider multiple threads at every proof step, rather than examining each thread in isolation, and require the user to determine an interleaving *a priori*. However, as we discuss below, in most cases we *can* detect global bugs compositionally in CISL by encoding buggy executions as normal ones and then using the compositional PAR rule. We elaborate on this below through several examples of data races.

**Data Races.** Unlike memory safety bugs that may be local or global, *data races* (hereafter simply races) belong solely to the global category. Specifically, two accesses (reads and writes) of a given program C race with one another if 1) they are *conflicting*, i.e. they are by distinct threads, on the same location, and at least one of them is a write; and 2) they appear next to each other in a given interleaving (a.k.a. history) of C. As such, races are attributed to two threads (and are thus global) and may manifest only under certain interleavings. To see this, consider the example in Fig. 1d, and let us write  $H = [1, \dots, n]$  for an interleaving where the instructions numbered  $1 \dots n$  are executed in order. Note that the program in Fig. 1d induces several (partial) interleavings, including H = [1, 2, 4, 3, 5] and H' = [4, 5, 6, 1, 2, 3]. The two conflicting accesses on *x* (lines 3 and 5) *race* in *H* as they are adjacent in *H*. By contrast, they *do not race* in H': thanks to the mutual exclusion induced by the lock on *l*, they cannot appear as adjacent accesses when  $\tau_2$  acquires *l* first.

**Data-Dependent Bugs in Practice.** As shown by Blackshear et al. [2018] and Brotherston et al. [2021], data-dependent bugs (due to deterministic conditions in if/while statements) make the task of detecting true bugs (true positives) much more difficult. To see this, consider the example in Fig. 1e and note that it does not allow any data races: both threads access *y* while holding the lock *l*, and  $\tau_2$  accesses *x* only if a = 1, i.e.  $\tau_2$  accesses *x* only when its critical section is executed after that in  $\tau_1$ , forcing a *happens-before* order from [x] := 1 to [x] := 2. On the other hand, it is always

34:5

possible to find a race in Fig. 1f, when the value non-deterministically picked by  $\star$  is non-zero, as witnessed by the history [5, 6, 7, 1, 2, 8]. Note that the program in Fig. 1f only differs from the one in Fig. 1e in that the deterministic condition (*a*=1) is replaced with the non-deterministic  $\star$ .

Although we can generalise the CISL *theory* to detect data-dependent bugs, ruling out datadependent bugs is non-trivial in *practice* (e.g. due to the happens-before order induced under certain interleavings). This difficulty led Blackshear et al. [2018] and Brotherston et al. [2021] to focus only on data-agnostic bugs by assuming that all program conditionals are *non-deterministic* (\*) as in Fig. 1f. As such, in the remainder of the paper, we follow the same practical approach and focus on providing a theoretical foundation for *data-agnostic* bug catching.

**CISL for Detecting Data-Agnostic Bugs.** Returning to Fig. 1d, note that the race between lines 3 and 5 in H = [1, 2, 4, 3, 5] is data-agnostic. As mentioned above, we can detect data-agnostic bugs *compositionally* by treating buggy (here racy) executions as normal (non-erroneous) executions and using the PAR rule to analyse each thread in isolation and combine their results. More concretely, to enable compositional reasoning, we do not treat races as errors. Rather, we compute a local (sequential) history of each thread in isolation, combine them together using PAR, and ultimately examine them to detect data races and construct a global (concurrent) history *witnessing* the race.

To see this, consider the CISL proof sketch of the race in Fig. 1d in Fig. 2, where the sequential histories of  $\tau_1$ and  $\tau_2$  are initially both [], as denoted by  $\tau_1 \mapsto [] * \tau_2 \mapsto []$ . Using PAR, for  $i \in \{1, 2\}$  we reason about  $\tau_i$  in isolation starting from  $\tau_i \mapsto []$ . Subsequently, we obtain  $\tau_1 \mapsto [1, 2, 3]$ and  $\tau_2 \mapsto [4, 5, 6]$  separately, and combine them using PAR into  $\tau_1 \mapsto [1, 2, 3] * \tau_2 \mapsto [4, 5, 6]$ . Finally, we use the CISL rule of consequence, Cons, to additionally obtain race(3, 5, [1, 2, 4, 3, 5]), describing a race between lines 3 and 5, witnessed by global history [1, 2, 4, 3, 5]. A global history of  $\tau_1 \mapsto H_1$  and  $\tau_2 \mapsto H_2$  is obtained by computing all permutations of  $H_1 # H_2$  (where # denotes concatenation) and then filtering out those that are not *well-formed*.

$$\begin{bmatrix} \tau_1 \mapsto [] & \tau_2 \mapsto [] \\ [\tau_1 \mapsto [] \\ 1. \log k l; \\ [ok: \tau_1 \mapsto [1]] \\ 2. \operatorname{unlock} l; \\ [ok: \tau_1 \mapsto [1, 2]] \\ 3. [x] := 1; \\ [ok: \tau_1 \mapsto [1, 2, 3]] \\ [ok: \tau_1 \mapsto [1, 2, 3] \\ [ok: \tau_1 \mapsto [1, 2, 3] \\ [ok: \tau_2 \mapsto [4, 5, 6]] \\ [ok: \tau_1 \mapsto [1, 2, 3] \\ [ok: \tau_2 \mapsto [4, 5, 6]] \\ [ok: \tau_1 \mapsto [1, 2, 3] \\ v_2 \mapsto [4, 5, 6] \\ A \operatorname{race}(3, 5, [1, 2, 4, 3, 5]) \end{bmatrix} // \operatorname{Cons}$$

Intuitively, well-formed histories respect the mutual exclusion semantics of locks. For instance, [1, 4, 2, 3, 5, 6] in Fig. 1d is not well-formed: it allows  $\tau_2$  to acquire *l* (4) while it is held by  $\tau_1$  (at 1). We formalise well-formed histories in §4.

Lastly, our presentation of histories thus far was abbreviated by merely recording line numbers. However, to identify races, rather than recording line numbers (which requires examining the code), we record execution *events*. For instance, the sequential history of  $\tau_1$  in Fig. 1f is  $\tau_1 \mapsto H_1$  with  $H_1 = [L(\tau_1, l), W(\tau_1, 2, x), W(\tau_1, 3, y), U(\tau_1, l)]$  (abbreviated as [1, 2, 3, 4]), where  $L(\tau_1, l)$  and  $U(\tau_1, l)$  respectively denote (the events for) locking and unlocking *l* on lines 1 and 4, and  $W(\tau_1, 2, x)$  and  $W(\tau_1, 3, y)$  respectively denote writing to *x* and *y* on lines 2 and 3. Similarly, a sequential history of  $\tau_2$  is  $\tau_2 \mapsto H_2$  with  $H_2 = [L(\tau_2, l), R(\tau_2, 6, y), U(\tau_2, l), W(\tau_2, 8, x)]$ . We combine  $H_1$  and  $H_2$  into  $H = [L(\tau_2, l), R(\tau_2, 6, y), U(\tau_2, l), L(\tau_1, l), W(\tau_1, 2, x), W(\tau_2, 8, x)]$ , witnessing the race via the adjacent conflicting accesses  $W(\tau_1, 2, x)$  and  $W(\tau_2, 8, x)$ . Note that we do not record the labels (line numbers) of lock/unlock events: labels are used to locate races which can only occur between memory accesses. Moreover, as we focus on data-agnostic races, we need not record the values read/written. That is, the values read/written do not affect the control flow and have no bearing on races. In the remainder of the paper, we use both abbreviated histories (for exposition brevity) and full histories.

**Summary: Compositional Reasoning with CISL.** CISL proof rules (Fig. 5) support *compositional* reasoning via: (1) PAR for normal executions; and (2) PARER for detecting local bugs. Moreover,

(3) one can detect data-agnostic bugs by encoding buggy executions as normal ones and using PAR to detect them. In the case of (2), PARER reduces *concurrent* bug detection to *sequential*, which can be automated as in [Raad et al. 2020]. In the case of (3), we instantiate CISL to detect races (CISL<sub>RD</sub>), deadlocks (CISL<sub>DD</sub>), and memory safety errors (CISL<sub>SV</sub>); CISL<sub>RD</sub> and CISL<sub>DD</sub> are inspired by the under-approximate analyses of the [Blackshear et al. 2018] and [Brotherston et al. 2021] tools.

#### **3 THE CISL FRAMEWORK**



We present the CISL meta-theory. The CISL framework is parametric and may be instantiated for concurrent, underapproximate reasoning for a multitude of applications, including e.g.  $\text{CISL}_{\text{DC}}$  (CISL with disjoint concurrency) for detecting memory safety bugs,  $\text{CISL}_{\text{RD}}$  (CISL with race detection) for detecting races on shared memory, and  $\text{CISL}_{\text{DD}}$ (CISL with deadlock detection) for detecting deadlock scenarios. To instantiate CISL, one must supply CISL with the specified parameters; the soundness of the instantiated CISL reasoning then follows immediately from the

Fig. 3. An overview of the CISL framework

soundness of the framework (see Thm. 3.8). For clarity, we delineate the CISL parameters enclosed in solid boxes. To provide a clearer account of CISL, we often follow CISL parameters with their CISL<sub>DC</sub> instantiation for detecting memory safety bugs.

**Programming Language.** We build CISL on a simple programming language comprising standard composite commands, and parametrised by a set of *atomic* commands. This allows us to instantiate CISL for a number of use-cases without changing the underlying meta-theory. Our programming language is given by the C grammar in Def. 3.1, and includes atomic commands (a) supplied as a parameter (Par. 1), as well as the standard constructs of skip, sequential composition ( $C_1$ ;  $C_2$ ), non-deterministic choice ( $C_1 + C_2$ ), loops ( $C^*$ ) and parallel composition ( $C_1 || C_2$ ).

Parameter 1 (Atomic commands). Assume a set of atomic commands, ATOM, ranged over by a.

Definition 3.1 (CISL language). The CISL programming language is defined as follows:

*Example 3.2 (CISL<sub>DC</sub> atomics).* The CISL<sub>DC</sub> atomic commands, ATOM<sub>DC</sub>, are defined as follows:

 $ATOM_{DC} \ni a ::= L: error \mid x := v \mid assume(B) \mid x := alloc() \mid L: free(x) \mid L: x := [y] \mid L: [x] := y$ 

The CISL<sub>DC</sub> atomic commands include explicit error statements (error), assume statements (assume(*B*)) to model deterministic conditionals/loops, assignment (x := v) and heap-manipulating commands for allocation (x := alloc()), disposal (free(x)), lookup (reading from the heap, x := [y]) and mutation (writing to the heap [x] := y). We assume a set BAST of *Boolean assertions*; we use *B* as a metavariable for a Boolean assertion,  $v, v' \cdots$  for values, and x, y, z for variables.

To better track memory safety errors and connect them to culprit instructions, we annotate instructions that may cause such errors with a label  $L \in LABEL$ . As we demonstrate shortly, when an error is encountered we report the label of the offending instruction (e.g. L). As such, we only consider *well-formed* programs: those with unique labels across their constituent instructions. For brevity, we drop the instruction labels when they are immaterial to the discussion.

#### 3.1 CISL Logic and Proof Rules

**State PCM.** Program logics, and reasoning frameworks in general, do not typically reason directly about the low-level machine states. Rather, they provide a high-level (abstract) representation of the state, often equipped with additional instrumentation that supports certain reasoning principles. For instance, in order to reason about concurrent accesses to the memory, one can model the state as a shared heap of memory locations, with each location instrumented with a *fractional permission*  $\pi \in (0, 1]$ , where  $\pi = 1$  on location *x* denotes *full ownership* on *x* granting permission for writing to *x*, while  $0 < \pi < 1$  denotes *partial ownership* on *x* sufficient for reading from *x*.

In separation logic and its family of descendants, the high-level states are typically modelled by a *partial commutative monoid* (PCM) of the form (STATE,  $\circ$ , STATE<sup>0</sup>), where STATE denotes the set of states;  $\circ$  : STATE  $\times$  STATE  $\rightarrow$  STATE denotes the partial state composition operator that is commutative and associative; and STATE<sup>0</sup>  $\subseteq$  STATE denotes the set of unit states. The reasoning is then carried out via  $p, q \in$  VIEW  $\triangleq \mathcal{P}($ STATE), describing *views* (sets of states).

Parameter 2 (State PCM). Assume a partial commutative monoid (PCM) for states, (STATE,  $\circ$ , STATE<sup>0</sup>), where STATE<sup>0</sup>  $\subseteq$  STATE and:

- the composition function, : STATE × STATE → STATE, is commutative and associative;
- for all  $s \in STATE$ , there exists  $s_0 \in STATE^0$  such that  $s \circ s_0 = s$ ; and
- for all  $s, s' \in \text{STATE}$  and  $s_0 \in \text{STATE}^0$ , if  $s \circ s_0 = s'$  then s = s'.

*Example 3.3 (CISL*<sub>DC</sub> *States).* We model a CISL<sub>DC</sub> state  $s \in \text{STATE}_{DC}$  as a partial map associating each program variable or location with a value and a *fractional permission*  $\pi \in (0, 1]$ : STATE<sub>DC</sub>  $\triangleq$  (VAR  $\stackrel{\text{fin}}{\rightarrow}$  VAL  $\times (0, 1]$ )  $\cup$  (Loc  $\stackrel{\text{fin}}{\rightarrow}$  (VAL  $\uplus \{\bot\}$ )  $\times (0, 1]$ ). The designated value  $\bot \notin$  VAL is used to track those locations that have been *deallocated*. That is, given  $l \in \text{Loc}$ , if s(l)=(v, -) and  $v \in \text{VAL}$  then l is allocated in s and holds value v; and if  $v=\bot$  then l has been deallocated.

CISL<sub>DC</sub> composition is standard:  $(s_1 \circ_{DC} s_2)(x)$  is 1)  $s_i(x)$  if  $x \in dom(s_i) \setminus dom(s_{3-i})$  for  $i \in \{1, 2\}$ ; 2)  $(v, \pi_1 + \pi_2)$  if  $s_1(x) = (v, \pi_1)$ ,  $s_2(x) = (v, \pi_2)$  and  $\pi_1 + \pi_2 \leq 1$ . If there exists  $x \in dom(s_1) \cap dom(s_2)$  s.t. the conditions of 2) are not satisfied, the entire composition  $s_1 \circ_{DC} s_2$  is undefined. CISL<sub>DC</sub> unit set is STATE<sup>0</sup><sub>DC</sub>  $\triangleq \{\emptyset\}$ , where  $\emptyset$  is an empty function. CISL<sub>DC</sub> state PCM is (STATE<sub>DC</sub>,  $\circ_{DC}$ , STATE<sup>0</sup><sub>DC</sub>).

Definition 3.4 (Views). The set of views is VIEW  $\triangleq \mathcal{P}(\text{STATE})$ .

**Notation.** We use p, q, r as meta-variables for views (i.e.  $p, q, r \in V$ IEW). We write p \* q for  $\{s \circ s' \mid s \in p \land s' \in q\}$ ;  $p \land q$  for  $p \cap q$ ;  $p \lor q$  for  $p \cup q$ ; false for  $\emptyset$ ; and true for VIEW. In the context of CISL<sub>DC</sub>, we write emp for  $\{\emptyset\}$  and  $l \stackrel{\pi}{\mapsto} v$  (resp.  $x \stackrel{\pi}{\mapsto} v$ ) for  $\{[l \mapsto (v, \pi)]\}$  (resp.  $\{[x \mapsto (v, \pi)]\}$ ). We write  $l \mapsto v$  (resp.  $x \mapsto v$ ) for  $l \stackrel{1}{\mapsto} v$  (resp.  $x \stackrel{1}{\mapsto} v$ ),  $l \stackrel{\pi}{\not\mapsto}$  for  $l \stackrel{\pi}{\mapsto} \bot$ , and  $l \not\mapsto$  for  $l \stackrel{1}{\not\mapsto}$ .

**Exit Conditions.** The CISL theory uses *under-approximate triples* [O'Hearn 2019] of the form  $[p] C [\epsilon : q]$ , interpreted as: *q* describes a *subset* of the states that can be reached from *p* by executing C, where  $\epsilon$  denotes an *exit condition* indicating either normal or erroneous termination.

We define the set of exit conditions as EXIT  $\triangleq \{ok\} \uplus EREXIT$ , where ok denotes normal termination, and  $\epsilon \in EREXIT$  denotes an erroneous termination. Erroneous conditions are reasoning-specific and thus supplied as a CISL parameter. For instance, an error condition in  $CISL_{DC}$  denotes either a memory safety bug or an explicit error (after executing error). Concretely, we define  $CISL_{DC}$  error conditions as  $EREXIT_{DC} \triangleq \{mse(L), er(L) \mid L \in LABEL\}$ , where mse(L) denotes a memory safety bug encountered at the L-labelled instruction and er(L) denotes an explicit error at L.

*Parameter 3 (Error conditions).* Assume a set of *error conditions*, EREXIT, where  $ok \notin$  EREXIT.

DC-ERROR  $\begin{bmatrix} emp] \text{ L: error } [er(L): emp] \qquad DC-Assume$  $\begin{bmatrix} * & x_i \stackrel{\pi_i}{\mapsto} v_i \end{bmatrix} \text{ assume}(B) \begin{bmatrix} ok: * & x_i \stackrel{\pi_i}{\mapsto} v_i \land B[\overline{v_i/x_i}] \end{bmatrix} \\
DC-Assign & DC-Load \\
\begin{bmatrix} x\mapsto v' \end{bmatrix} x \coloneqq v [ok: x\mapsto v] & \begin{bmatrix} DC-Load \\ x\mapsto v' * y \stackrel{\pi_y}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \text{ L: } x \coloneqq [y] [ok: x\mapsto v * y \stackrel{\pi_y}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-ALLOC & DC-LoadER \\
\begin{bmatrix} x\mapsto v' \end{bmatrix} x \coloneqq alloc() [ok: \exists l. x\mapsto l * l\mapsto v] & \begin{bmatrix} y \stackrel{\pi_y}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \text{ L: } x \coloneqq [y] [mse(L): y \stackrel{\pi_y}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREE & DC-STORE \\
\begin{bmatrix} x \stackrel{\pi_v}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v * l \mapsto v'] \text{ L: } [x] \coloneqq y [ok: x \stackrel{\pi_v}{\mapsto} l * l \mapsto v] \text{ L: } free(x) [ok: x \stackrel{\pi_v}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v * l \mapsto v'] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v * l \mapsto v'] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v + l \mapsto v'] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} v] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_v}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} v] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_v}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} v] \\
DC-FREER & DC-STOREER \\
\begin{bmatrix} x \stackrel{\pi_x}{\mapsto} l * l \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} v] \text{ L: } [x] \coloneqq y [mse(L): x \stackrel{\pi_v}{\mapsto} l \times l \stackrel{\pi_v}{\mapsto} v]$ 

**Atomic Axioms.** We shortly define the under-approximate proof system of CISL. As atomic commands are supplied as a parameter, the CISL proof system is accordingly parametrised by their set of under-approximate *axioms* (Par. 4). An atomic axiom is a tuple of the form  $(p, a, \epsilon, q)$ , with  $p, q \in VIEW$ ,  $a \in ATOM$  and  $\epsilon \in EXIT$ , and is lifted to the CISL proof rule [p] a  $[\epsilon : q]$  (see ATOM).

*Parameter 4 (Axioms).* Assume a set of *axioms*  $AXIOM \subseteq VIEW \times ATOM \times EXIT \times VIEW$ .

*Example 3.5 (CISL*<sub>DC</sub> axioms). The CISL<sub>DC</sub> axioms, AXIOM<sub>DC</sub>, are given in Fig. 4 and are analogous to those of Raad et al. [2020]. For better readability, we present the axioms as inference rules with CISL triples of the form [p] a  $[\epsilon : q]$  in their conclusion, rather than tuples of the form  $(p, a, \epsilon, q)$ .

**CISL Proof Rules.** We present the under-approximate CISL proof system in Fig. 5. As in [Raad et al. 2020; O'Hearn 2019], our triples are of the form:  $\vdash [p] C [\epsilon : q]$ , denoting that every state in the postcondition q is reachable from some state in the precondition p under  $\epsilon$ . That is, for each  $s_q$  in q, there exists  $s_p$  in p such that executing C on  $s_p$  terminates with  $\epsilon$  and yields  $s_q$ .

The SKIP, SEQER, SEQ, LOOP1, LOOP2, CHOICE, CONS and DISJ rules are as in [O'Hearn 2019; Raad et al. 2020]). Similarly, the FRAME rule is analogous to that of [Raad et al. 2020], except that the \* operator here denotes the general notion of composition defined by lifting the composition operator of the underlying PCM to views (sets of states), rather than that of heap composition in [Raad et al. 2020].

The ATOM rule simply lifts atomic axioms as CISL proof rules. The PAR rule is an under-approximate analogue of the disjoint concurrency rule in concurrent separation logic (CSL) [O'Hearn 2004], stating that if the states in  $q_1$  (resp.  $q_2$ ) are reachable from those in  $p_1$  (resp.  $p_2$ ) when executing  $C_1$  (resp.  $C_2$ ), then the combined states in  $q_1 * q_2$  are reachable from  $p_1 * p_2$  when executing  $C_1 || C_2$ . Note that, unlike in CSL where the composition operator imposes *disjointness*, the composition operator in CISL does not and merely mandates composability as defined by the PCM (Par. 2).

The PARER rule is the concurrent analogue of SEqER, describing the *short-circuiting* semantics of concurrent executions: given  $i \in \{1, 2\}$ , if running the smaller program  $C_i$  results in an error, then running the larger  $C_1 || C_2$  also results in an error. Intuitively, this is because the behaviours of  $C_1$ ;  $C_2$  and  $C_2$ ;  $C_1$  are both included in those of  $C_1 || C_2$ , in that they describe two possible *interleavings* when executing  $C_1 || C_2$ . As such, as in SEqER, if running  $C_1$  (resp.  $C_2$ ) yield an error, then the overall execution of the  $C_1$ ;  $C_2$  (resp.  $C_2$ ;  $C_1$ ) interleaving of  $C_1 || C_2$  also yields an error.



Fig. 5. The CISL proof rules

Finally, PARL, PARR and PARSEQ are concurrent analogues of SEQ, stating that the states in q are reachable from those in p by executing  $C_1 || C_2$ , if they are reachable under a particular *interleaving* of  $C_1 || C_2$ . For instance, when  $C_1 = C_3$ ;  $C_4$ , PARL captures the  $C_3$ ;  $(C_4 || C_2)$  interleaving of  $C_1 || C_2$ : if executing  $C_3$  from p terminates normally and yields  $r (\vdash [p] C_3 [ok: r])$  and executing the continuation  $C_4 || C_2$  from r yields q under  $\epsilon$ , then executing  $C_1 || C_2$  from p results in q under  $\epsilon$ . Observe that PAR can be *derived* from PARSEQ, SEQ and FRAME as follows:

$$\frac{\left[\begin{array}{c} \vdash [p_{1}] C_{1} [ok:q_{1}] \\ \vdash [p_{1}*p_{2}] C_{1} [ok:q_{1}*p_{2}] \end{array}\right]}{\left[\begin{array}{c} \vdash [p_{1}*p_{2}] C_{1} [ok:q_{1}*p_{2}] \\ \vdash [q_{1}*p_{2}] C_{1} [ok:q_{1}*q_{2}] \end{array}\right]} F_{RAME} \qquad \frac{\left[\begin{array}{c} \vdash [p_{2}] C_{2} [ok:q_{2}] \\ \vdash [q_{1}*p_{2}] C_{2} [ok:q_{1}*q_{2}] \end{array}\right]}{\left[\begin{array}{c} \vdash [p_{1}*p_{2}] C_{1} [c_{2} [ok:q_{1}*q_{2}] \\ \vdash [p_{1}*p_{2}] C_{1} || C_{2} [ok:q_{1}*q_{2}] \end{array}\right]} F_{RAME} \qquad F_{RAME}$$

Note that the PAR rule enables *compositional* reasoning in that it is *interleaving-agnostic*, allowing us to reason about the behaviour of each thread in isolation, i.e. locally, combining the results at the end. Intuitively, this is because of the resources accessed by distinct threads are compatible with one another, then their combined result is reachable regardless of their interleaving. That is, the combined result is reachable under *all* possible interleavings of concurrent threads. Similarly, PARER enables compositional bug-catching by allowing us to reason about the erroneous behaviour of one thread in isolation. This is thanks to the short-circuiting semantics of CISL for concurrent executions: if one thread terminates erroneously, then the overall program also terminates erroneously. By contrast, PARL, PARR and PARSEQ are not compositional and correspond to a particular interleaving.

As discussed in §2, PARER is used to detect *local* bugs, i.e. those bugs that are *interleaving-agnostic* and can manifest by executing a single thread, regardless of the behaviour of concurrent threads. For instance, when concurrent threads access disjoint heap resources, then memory safety bugs such as use-after-free are instances of local bugs: if a thread  $\tau$  accesses a memory location owned by  $\tau$  after it has already been freed (deallocated) by  $\tau$ , then a use-after-free error can always be encountered regardless of the behaviour of other threads running concurrently with  $\tau$ .

However, as discussed in §2, certain bugs are *global* (i.e. they depend on the behaviour of two or more threads) and are *interleaving-dependent* in that they only manifest under certain interleavings. For instance, data races and deadlocks are examples of bugs that may only occur under certain interleavings of two or more threads. As such, PARER cannot be used to detect such global bugs. Although PARL and PARR can indeed be used to detect global bugs such as data races, they are not ideal due to their non-compositionality. However, as discussed in §2, we can detect (global) data-agnostic errors *compositionally* by encoding *bugs as non-errors*, whereby we treat buggy executions as normal (non-erroneous) ones and use PAR to analyse them compositionally. As such, we show that PAR and PARER are indeed sufficient to detect a significant number of bugs compositionally.

#### 3.2 CISL Model and Semantics

We next present the CISL operational semantics, parametrised by *machine states* (Par. 5 below). Note that while the states in Par. 2 provide a high-level (often instrumented) state representation, the machine states denote a low-level representation of the machine (without instrumentation). For instance,  $\text{CISL}_{DC}$  machine states forgo the fractional instrumentation of their high-level counterpart.

Parameter 5 (Machine states). Assume a set of machine states, MSTATE, ranged over by m.

*Example 3.6 (CISL<sub>DC</sub> machine states).* A CISL<sub>DC</sub> machine state  $m \in MSTATE_{DC}$  is a partial function from variables and locations to VAL  $\uplus \{\bot\}$ : MSTATE<sub>DC</sub> : (VAR  $\stackrel{\text{fin}}{\rightarrow}$  VAL)  $\cup$  (Loc  $\stackrel{\text{fin}}{\rightarrow}$  VAL  $\uplus \{\bot\}$ ).

**Atomic Semantics.** As the set of atomic commands is supplied as a parameter to the CISL programming language (Par. 1), the CISL operational semantics is further parametrised by the *semantics of atomic commands* (Par. 6 below), defined as (machine) state transformers. For instance, the CISL<sub>DC</sub> atomic semantics is analogous to its counterpart in [Raad et al. 2020].

Parameter 6 (Atomic semantics). Assume an atomic semantics function  $[\![.]\!]_A : ATOM \to EXIT \to \mathcal{P}(MSTATE \times MSTATE).$ 

**CISL operational semantics.** We define the CISL operational semantics by separating its *control flow transitions* from its state-transforming transitions. The former describe the sequential execution steps in each thread, e.g. how a loop is unrolled; while the latter describe how the underlying machine states determine the overall execution of a (concurrent) program.

The CISL control flow transitions at the top of Fig. 6 are standard and are of the form  $C \xrightarrow{l} C'$ , where  $l \in LAB \triangleq ATOM \uplus \{id\}$  denotes the *transition label*. A transition label l may be either id for silent transitions (no-ops), or  $a \in ATOM$  for executing the atomic command a.

We define the *state-transforming function*  $[\![.]\!]$  : LAB  $\rightarrow \text{EXIT} \rightarrow \mathcal{P}(\text{MSTATE} \times \text{MSTATE})$  as an extension of  $[\![.]\!]_A$  as follows. Given a transition label l, we write  $[\![l]\!]\epsilon$  for 1)  $[\![l]\!]_A\epsilon$  when  $l \in \text{ATOM}$ ; 2) { $(m, m) \mid m \in \text{MSTATE}$ } when l = id and  $\epsilon = ok$ ; and 3) Ø when l = id and  $\epsilon \in \text{EREXIT}$ . That is, atomic transitions transform the state according to their semantics as prescribed by  $[\![.]\!]_A$  (Par. 6), while no-op transitions (denoted by id) always execute normally and leave the state unchanged.

The CISL state-transforming transitions are given at the bottom of Fig. 6 and are of the form  $C, m \xrightarrow{n} \epsilon, m'$  with  $C \in COMM, m, m' \in MSTATE, \epsilon \in EXIT$  and  $n \in \mathbb{N}$ , stating that starting from state m, program C terminates after n steps in state m' under exit condition  $\epsilon$ . The first transition states that skip trivially terminates (after zero steps) successfully (with exit condition ok) and leaves the underlying state unchanged. The second transition states that starting from m a program C terminates erroneously (with  $\epsilon \in EREXIT$ ) after one step in m' if it takes an erroneous step. Finally, the last (inductive) transition states that if C takes one normal (non-erroneous) step transforming

$$\frac{1}{a \xrightarrow{a} \text{skip}} \frac{C_1 \xrightarrow{l} C'_1}{C_1; C_2 \xrightarrow{l} C'_1; C_2} = \frac{1}{\text{skip}; C \xrightarrow{id} C} \frac{i \in \{1, 2\}}{C_1 + C_2 \xrightarrow{id} C_i} = \frac{i \in \{1, 2\}}{C_1 + C_2 \xrightarrow{id} C_i} = \frac{1}{C^* \xrightarrow{id} skip} = \frac{1}{C^* \xrightarrow{id} C; C^*}$$

$$\frac{1}{C_1 \xrightarrow{l} C'_1} \frac{C_1 \xrightarrow{l} C'_1}{C_1 \parallel C_2} = \frac{C_2 \xrightarrow{l} C'_2}{C_1 \parallel C_2 \xrightarrow{l} C_1 \parallel C'_2} = \frac{1}{\text{skip} \parallel C} = \frac{1}{C^* \xrightarrow{id} C} = \frac{1}{C \mid skip \xrightarrow{id} C}$$

$$\frac{e \in \text{EREXIT}}{C_1 \xrightarrow{l} C, m \xrightarrow{l} c, m'} = \frac{1}{C \xrightarrow{l} C'} (m, m') \in [[l]]e}{C_1 \xrightarrow{l} C, m \xrightarrow{l} c, m'} = C, m' \xrightarrow{l} c, m'}$$

Fig. 6. The CISL control flow transitions (above); the CISL operational semantics (below)

*m* to *m*<sup> $\prime\prime$ </sup>, and the resulting program C<sup> $\prime\prime$ </sup> subsequently terminates after *n* steps with  $\epsilon$  transforming *m*<sup> $\prime\prime$ </sup> to *m*<sup> $\prime$ </sup>, then the overall program terminates after *n*+1 steps with  $\epsilon$  transforming *m* to *m*<sup> $\prime$ </sup>.

#### 3.3 CISL Soundness

**Erasure**. In order to relate the CISL proof system to its operational semantics, it is necessary to define a relationship between the abstract states and the concrete machine states. To this end, as the abstract and machine states are both supplied as parameters to CISL, we further parametrise CISL by an *erasure* function, relating each abstract state to a set of machine states. For instance, in the case of CISL<sub>DC</sub>, the erasure function simply removes the instrumentation given by permissions.

*Parameter 7 (Erasure).* Assume an *erasure function*  $\lfloor . \rfloor$  : STATE  $\rightarrow \mathcal{P}(MSTATE)$ .

We lift the erasure function to views (sets of states) and define  $\lfloor p \rfloor \triangleq \bigcup_{s \in p} \lfloor s \rfloor$  for  $p \in VIEW$ .

*Example 3.7 (CISL*<sub>DC</sub> *erasure).* The  $CISL_{DC}$  *erasure function*,  $\lfloor . \rfloor_{DC}$ , is defined as follows: where:

$$\lfloor s \rfloor_{\mathrm{DC}} = \{ m \} \iff dom(m) = dom(s) \land \forall x, v. \ m(x) = v \implies s(x) = (v, -)$$

**Semantic Incorrectness Triples.** We next present the formal interpretation of CISL triples. Recall that intuitively a CISL triple  $[p] C [\epsilon : q]$  states that every state in q is reachable from some state in p under  $\epsilon$ . Put formally:  $\models [p] C [\epsilon : q] \stackrel{\text{def}}{\longleftrightarrow} \exists n \in \mathbb{N}$ . reach<sub>n</sub>( $p, C, \epsilon, q$ ), denoting that each state in q is reachable from some state in p in at most n steps, with:

$$\operatorname{reach}_n(p,\mathsf{C},\epsilon,q) \ \stackrel{\mathrm{def}}{\longleftrightarrow} \ \forall m_q \in \lfloor q \rfloor. \ \exists m_p \in \lfloor p \rfloor, k \leq n. \ \mathsf{C}, m_p \xrightarrow{k} \epsilon, m_q$$

Atomic Soundness. In order to show that the CISL proof system is sound, we must show that its (syntactic) triples in Fig. 5 induce valid semantics triples: if a triple  $\vdash [p] C [\epsilon : q]$  is derivable using the rules in Fig. 5, then  $\models [p] C [\epsilon : q]$  holds. Note that we must also show this for the atomic axioms in Par. 4 as they are lifted to proof rules via ATOM. Since atomic axioms are a CISL parameter, we thus require (Par. 8 below) that they 1) induce valid semantic triples; and 2) preserve all \*-compatible views. The former ensures that if  $(p, a, \epsilon, q) \in AXIOM$ , then  $\models [p] a [\epsilon : q]$  holds; i.e. for all  $m_q \in \lfloor q \rfloor$ , there exists  $m_p \in \lfloor p \rfloor$  such that  $(m_p, m_q) \in \llbracket a \rrbracket A\epsilon$ . The latter ensures that atomic commands of one thread preserve the states of concurrent threads in the environment and is necessary for establishing the soundness of FRAME. Putting the two conditions together, we require: Parameter 8 (Atomic soundness). Assume that for all  $(p, a, \epsilon, q) \in AXIOM$  the following holds:  $\forall s \in STATE, m_q \in \lfloor q * \{s\} \rfloor$ .  $\exists m_p \in \lfloor p * \{s\} \rfloor$ .  $(m_p, m_q) \in \llbracket a \rrbracket_A \epsilon$ 

We show the soundness of the CISL<sub>DC</sub> atomic axioms in the technical appendix [Raad et al. 2022]. Finally, in the following theorem we show that the CISL proof system is *sound*, with its full proof given in the technical appendix [Raad et al. 2022].

THEOREM 3.8 (SOUNDNESS). For all  $p, C, \epsilon, q, if \vdash [p] C [\epsilon : q]$  is derivable using the rules in Fig. 5, then  $\models [p] C [\epsilon : q]$  holds.

#### 3.4 Generalising the Rule of Consequence (View Shifts)

**View Shifts.** As shown in the literature [Dinsdale-Young et al. 2013; Jung et al. 2015], it is common to instrument abstract states with additional *ghost* states (e.g. auxiliary variables [Owicki and Gries 1976]) that do not have a counterpart in the underlying machine states. As such, when updating the ghost state, one can alter the abstract state without changing the underlying machine state. To capture such updates, following the literature we define a *view shift* relation. A view shift from abstract states *p* to those in *q*, written  $p \leq q$ , describes updating each abstract state  $s_p \in p$  to some abstract state  $s_q \in q$  without altering the underlying machine state and while preserving all \*-compatible states (i.e. frames). This is captured in Def. 3.9 below. We can then *generalise* the rule of consequence Cons in Fig. 5 to use view shifts in its premise rather than implications, as shown in GCons below. In the technical appendix [Raad et al. 2022] we show that GCons is sound.

$$\frac{p' \leq p \quad \vdash [p'] C [\epsilon : q'] \quad q \leq q'}{\vdash [p] C [\epsilon : q]}$$

Definition 3.9 (View shift). The view shift relation,  $\leq \subseteq$  VIEW × VIEW, is defined as follows:

$$p \leq q \iff \forall s \in \text{STATE.} \lfloor p * \{s\} \rfloor \subseteq \lfloor q * \{s\} \rfloor$$

#### 4 CISL<sub>RD</sub>: CISL FOR RACE DETECTION

We present  $\text{CISL}_{\text{RD}}$  for detecting data-agnostic races such as that in Fig. 1f. We follow the approach of the RacerD tool [Blackshear et al. 2018] and assume all program conditions are non-deterministic. We compare  $\text{CISL}_{\text{RD}}$  with RacerD and show how it detects races that RacerD cannot.

**Lazy versus Eager Race Reporting.** Recall from §2 that we use  $\text{CISL}_{\text{RD}}$  to detect races by encoding erroneous (here racy) executions as normal ones. This has an additional advantage in that it allows us to uncover *all* potential races at once. More concretely, when combining the sequential histories of threads, we can either adopt a *lazy* approach where we only report the first global history that witnesses a race, or adopt an *eager* approach where we consider and find a witness for each possible race. For instance, let C denote extending the program in Fig. 1d with a third thread  $\tau_3$  executing 7. [x] := 3, thus yielding the sequential history [7]. The lazy approach then produces a trace witnessing a single race, e.g. [1, 2, 3, 7], whereas the eager approach produces a witness trace for each of the three data races, namely between lines 3 and 5 (witness [1, 2, 4, 3, 5]), lines 3 and 7 (witness [1, 2, 3, 7]).

**Simplifying Assumption: Races.** As CISL (and by extension  $\text{CISL}_{RD}$ ) is an under-approximate analysis, it is sound to aim for a subset of races. As such, for simplicity, rather than aiming to detect all races, we initially focus on a specific class of races. Specifically, we target races between conflicting accesses *e* and *e'* where the set of locks held by at least one access is empty. This way, given two sequential histories of the form  $H = H_0 + e + -$  and  $H' = H'_0 + e' + -$ , when the set of locks

$$\begin{split} H &\in \mathrm{Hist} \triangleq \left\{ E \in \mathrm{Seq}\langle \mathrm{Event} \rangle \mid \mathsf{wf}(E) \right\} \qquad e \in \mathrm{Event} \triangleq \begin{cases} \mathsf{R}(\mathsf{L},\tau,x), \mathsf{W}(\mathsf{L},\tau,x), \mid \mathsf{L} \in \mathrm{LABEL} \land \tau \in \mathrm{TID} \\ \mathsf{L}(\tau,x), \mathsf{U}(\tau,x) \mid \land x \in \mathrm{Loc} \end{cases} \\ s \in \mathrm{STATE}_{\mathrm{RD}} \triangleq \left\{ f \in \mathrm{TID} \stackrel{\mathrm{fin}}{\longrightarrow} \mathrm{Hist} \mid \forall \tau, H, e. \ f(\tau) = H \land e \in H \Rightarrow \mathrm{tid}(e) = \tau \right\} \qquad m \in \mathrm{MSTATE}_{\mathrm{RD}} \triangleq \mathrm{Hist} \\ \mathsf{wf}(H) \stackrel{\mathrm{def}}{\longleftrightarrow} \forall x, \tau, H'. \ H = H' + \mathsf{U}(\tau, x) + - \Longrightarrow x \in \mathrm{alocks}(H', \tau) \\ \land \forall x, \tau, H'. \ H = H' + \mathsf{L}(\tau, x) + - \Longrightarrow \forall \tau'. \ x \notin \mathrm{alocks}(H', \tau') \\ \mathrm{alocks}([], \tau) \triangleq \emptyset \qquad \mathrm{alocks}(e + H, \tau) \triangleq \begin{cases} \{x\} \cup \mathrm{alocks}(H, \tau) & \mathrm{if} \ e = \mathsf{L}(\tau, x) \land \mathsf{U}(\tau, x) \notin H \\ \mathrm{alocks}(H, \tau) & \mathrm{otherwise} \end{cases} \end{split}$$

Fig. 7. The  $CISL_{RD}$  model domain

held at *e* is empty, then we can always construct the well-formed *witness* history  $H_0 + H'_0 + e + e'$ . For instance, when *e* and *e'* respectively denote the accesses on lines 3 and 5 of Fig. 1d, then the set of locks held by  $\tau_1$  at *e* is empty. As such, given the sequential histories H = [1, 2, 3] and H' = [4, 5, 6], we can construct the history [1, 2, 4, 3, 5] witnessing the race, i.e.  $H_0 = [1, 2]$  and  $H'_0 = [4]$ . As we describe shortly in §4.1, this is because when the set of locks held at *e* is empty (i.e.  $H_0$  contains no active locks), then the history  $H_0 + H'_0 + e + e'$  is always well-formed.

**Caveat and Relation to RacerD.** The subset of racy executions described above coincide precisely with those detected by RacerD [Blackshear et al. 2018]. Nevertheless, both our simple approach described above and RacerD fail to detect races where e.g. two threads with conflicting accesses hold a disjoint set of

1. 
$$lock_{\tau} l;$$
  
2.  $L: [x] :=_{\tau} 1;$   
3.  $unlock_{\tau} l;$   
(RACE1)  
4.  $lock_{\tau'} l';$   
5.  $L': [x] :=_{\tau'} 2;$   
6.  $unlock_{\tau'} l';$ 

locks, as shown in RACE1. Specifically, as the two threads acquire two distinct locks (l and l'), RACE1 induces the racy interleaving H = [1, 4, 2, 5] in which the conflicting accesses on x (on lines 2 and 5) are adjacent. However, neither RacerD nor our simple CISL<sub>RD</sub> instantiation detect this race. Nevertheless, in §4.2 we show how we can generalise and strengthen CISL<sub>RD</sub> to detect such races.

#### 4.1 CISL<sub>RD</sub> Formalism

**CISL**<sub>RD</sub> **Atomic Commands (Par. 1).** We assume a set of shared memory locations ranged over by *x*, *y*, *l*, and a set of local variables (registers) ranged over by *a*, *b*, *c*. We instantiate  $\text{CISL}_{\text{RD}}$  with a simple set of atomic commands comprising reads and writes (accesses) on shared memory locations, and locking constructs used as a synchronisation mechanism to avoid races:

ATOM<sub>RD</sub> 
$$\ni$$
 a ::= L:  $a :=_{\tau} [x] \mid L: [x] :=_{\tau} a \mid lock_{\tau} l \mid unlock_{\tau} l$ 

To identify races, we annotate instructions with a thread id  $\tau$ . Moreover, to locate races we further annotate memory accesses with a label L. As such, we assume that a CISL<sub>RD</sub> program C is *well-formed* in that (1) the labels across C are unique; (2) instructions of the same thread are associated with the same thread id; and (3) concurrent instructions in C have distinct thread ids.

Note that ATOM<sub>RD</sub> does not include the assume(.) construct, and thus since the CISL programming language (Def. 3.1) only supports non-deterministic choice ( $C_1 + C_2$ ) and loops ( $C^*$ ), we rule out deterministic conditionals and loops from CISL<sub>RD</sub>.<sup>1</sup>

**CISL**<sub>RD</sub> **State PCM (Par. 2).** The CISL<sub>RD</sub> states, STATE<sub>RD</sub>, are as defined in Fig. 7, where a state *s* is a map from thread identifiers to *well-formed histories*. A history records a sequence of *events* executed by the thread thus far, where an event may be either 1) R(L,  $\tau$ , x) denoting a read access on x by  $\tau$  at L; 2) W(L,  $\tau$ , x) denoting a write access on x by  $\tau$  at L; 3) L( $\tau$ , l) denoting a lock acquisition

<sup>&</sup>lt;sup>1</sup>Recall that if (b) then  $C_1$  else  $C_2$  can be encoded as (assume(b);  $C_1$ ) + (assume(¬b);  $C_2$ ), and while (b) C can be encoded as (assume(b); C)\*; assume(¬b).

on *l* by  $\tau$ ; or 4) U( $\tau$ , *l*) denoting a lock release on *l* by  $\tau$ . The functions tid and lab respectively return the thread and label of an event, where applicable; e.g. tid(e) =  $\tau$  and lab(e) = L when  $e = R(L, \tau, x)$ .

A history is well-formed, written wf(H), iff it respects the lock semantics. Specifically, if H contains a lock release on x by  $\tau$ , then it must contain an earlier lock acquisition on x by  $\tau$  (first conjunct); i.e. a lock can only be released by the thread that acquired it last. Moreover, if H contains a lock acquisition on x by  $\tau$ , then no thread must have previously acquired x without releasing it (second conjunct). Note that given a history H and a thread  $\tau$ , the alocks(H,  $\tau$ ) denotes the *active locks* of  $\tau$  in H, namely those locks that have been acquired by  $\tau$  in H but not released.

The CISL<sub>RD</sub> PCM is (STATE<sub>RD</sub>,  $\forall$ ,  $\emptyset$ ), where  $\forall$  denotes disjoint function union and  $\emptyset$  denotes a map with an empty domain. We write  $\tau \mapsto H$  for the set  $p=\{[\tau \mapsto H]\}$ . We define the *conflict* relation,  $\bowtie$ , as follows, where  $R^{s}$  denotes the symmetric closure of R:

$$\mathbf{\bowtie} \triangleq \left( (\text{Event} \times \text{Event}) \cap \left\{ (\mathsf{R}(\mathsf{l}, \tau, x), \mathsf{W}(\mathsf{l}', \tau', x)), (\mathsf{W}(\mathsf{l}, \tau, x), \mathsf{W}(\mathsf{l}', \tau', x)) \mid \tau \neq \tau' \right\} \right)^{s}$$

CISL<sub>RD</sub> Error Conditions (Par. 3). As discussed above, we do not treat data races as errors and thus define the set of erroneous exit conditions for  $\text{CISL}_{\text{RD}}$  as the empty set:  $\text{EREXIT}_{\text{RD}} \triangleq \emptyset$ 

**The Race Assertion.** Recall from §4 that we aim to detect races between conflicting accesses  $e_1$  and  $e_2$  where the set of locks held by at least one access is empty. This is captured by race( $L_1, L_2, H$ ) below, denoting a data race between  $L_1$  and  $L_2$  with the *witness history* (trace) *H*:

$$\operatorname{race}(L_1, L_2, H) \iff \exists \tau_1, \tau_2, e_1, e_2, H_1, H_2. \ \tau_1 \mapsto H_1 \ \# \ e_1 \ \# \ - \ast \ \tau_2 \mapsto H_2 \ \# \ e_2 \ \# \ - \ast \ e_1 \bowtie \ e_2 \\ \ast \ \operatorname{lab}(e_1) = L_1 \ \ast \ \operatorname{lab}(e_2) = L_2 \ \ast \ \operatorname{alocks}(H_1, \tau_1) = \emptyset \ \ast \ H = H_1 \ \# \ H_2 \ \# \ [e_1, e_2]$$

Specifically, if the history of  $\tau_1$  is of the form  $H_1 + e_1 + -$  with  $e_1$  at  $L_1$ , the history of  $\tau_2$  is  $H_2 + e_2 + -$  with  $e_2$  at  $L_2$ , the accesses  $e_1$  and  $e_2$  are conflicting, and (without loss of generality) the set of locks held by  $\tau_1$  prior to  $e_1$  is empty, then there is a race between  $e_1$  and  $e_2$  which can be witnessed by  $H_1 + H_2 + [e_1, e_2]$ . For instance, let  $e_i$  denote the event associated with the instruction on line *i* in Fig. 1d; i.e.  $e_3$  and  $e_5$  denote the conflicting accesses on lines 3 and 5, respectively. Then race(3, 5,  $[e_1, e_2, e_4, e_3, e_5]$ ) holds, capturing the race between  $e_3$  and  $e_5$ .

Note that requiring that  $\tau_1$  hold an empty lock set upon the  $e_1$  access simplifies the task of constructing a witness history. Specifically, as the set of locks held by  $\tau_1$  at the end of  $H_1$  is empty, the combined history  $H_1 + H_2 + [e_1, e_2]$  is always well-formed (see Fig. 7). We shortly demonstrate how race can be used for identifying races in an execution.

**CISL**<sub>RD</sub> **Axioms (Par. 4).** The CISL<sub>RD</sub> axioms, AXIOM<sub>RD</sub>, are defined below, where assignments require no resource (they do not extend the history as their behaviour is local), while each non-local instruction of  $\tau$  simply extends its history thus far with an associated event. For instance, when the current state is  $\tau \mapsto H$ , i.e. the current history of  $\tau$  is given by H, then executing lock<sub> $\tau$ </sub> l updates the state to  $\tau \mapsto H + L(\tau, l)$ . Note that when  $\tau$  already holds the lock on l (i.e.  $l \in alocks(H, \tau)$ ), then the resulting history  $H + L(\tau, l)$  is not well-formed, and thus  $\tau \mapsto H + L(\tau, l)$  describes an empty set, rendering the triple vacuously true. For better readability, we present the axioms as inference rules with CISL triples of the form [p] a  $[\epsilon : q]$ , rather than tuples of the form  $(p, a, \epsilon, q)$ .

 $\begin{array}{l} \text{RD-READ} & \text{RD-WRITE} \\ [\tau \mapsto H] \text{ L: } a \coloneqq_{\tau} [x] [ok: \tau \mapsto H + \text{R}(\textbf{L}, \tau, x)] & [\tau \mapsto H] \text{ L: } [x] \coloneqq_{\tau} a [ok: \tau \mapsto H + \text{W}(\textbf{L}, \tau, x)] \\ \end{array}$   $\begin{array}{l} \text{RD-ASSIGN} & \text{RD-Lock} & \text{RD-UNLOck} \\ [\text{emp}] x \coloneqq \text{e} [ok: \text{emp}] & [\tau \mapsto H] \text{ lock}_{\tau} l [ok: \tau \mapsto H + \text{L}(\tau, l)] & [\tau \mapsto H] \text{ unlock}_{\tau} l [ok: \tau \mapsto H + \text{U}(\tau, l)] \end{array}$ 

$$\begin{bmatrix} \tau_1 \mapsto [ \end{bmatrix} \\ \begin{bmatrix} \tau_1 \mapsto [ \end{bmatrix} \\ \\ lock_{\tau_1} l; // RD-Lock \\ [ok: \tau_1 \mapsto [L(\tau_1, l)]] \\ \\ L_x: [x] :=_{\tau_1} 1; // RD-WRITE \\ [ok: \tau_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x)]] \\ \\ unlock_{\tau_1} l; // RD-WRITE \\ [ok: \tau_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y)]] \\ unlock_{\tau_1} l; // RD-UNLOCK \\ [ok: \tau_2 \mapsto [L(\tau_2, l), R(L'_y, \tau_2, y), U(\tau_2, l)]] \\ (L'_x: [x] :=_{\tau_2} 2 + skip) // CHOICE, RD-WRITE \\ [ok: \tau_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y), U(\tau_1, l)]] // PAR \\ [ok: \tau_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y), U(\tau_1, l)] + \tau_2 \mapsto [L(\tau_2, l), R(L'_y, \tau_2, y), U(\tau_2, l), W(L'_x, \tau_2, x)]] // CONS \\ \begin{bmatrix} \tau_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y), U(\tau_1, l)] + \tau_2 \mapsto [L(\tau_2, l), R(L'_y, \tau_2, y), U(\tau_2, l), W(L'_x, \tau_2, x)]] \\ // CONS \\ \begin{bmatrix} v_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y), U(\tau_1, l)] + \tau_2 \mapsto [L(\tau_2, l), R(L'_y, \tau_2, y), U(\tau_2, l), W(L'_x, \tau_2, x)]] \\ // CONS \\ \begin{bmatrix} v_1 \mapsto [L(\tau_1, l), W(L_x, \tau_1, x), W(L_y, \tau_1, y), U(\tau_1, l)] + \tau_2 \mapsto [L(\tau_2, l), R(L'_y, \tau_2, y), U(\tau_2, l), W(L'_x, \tau_2, x)]] \\ // CONS \\ \end{bmatrix}$$

Fig. 8. A proof sketch of the race in Fig. 1f (see Example 4.2)

*Example 4.1.* Let  $e \triangleq W(L, \tau, x)$  and  $e' \triangleq W(L', \tau', x)$ . We then have:

| $[\tau \mapsto []] L: [x] :=_{\tau} 1 [ok: \tau \mapsto [e]] RD-WRITE$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | $[\tau' \mapsto []] \operatorname{L}': [x] :=_{\tau'} 2 [ok: \tau' \mapsto [e']]$     | RD-WRITE |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|----------|
| $[\tau \mapsto [] * \tau' \mapsto []] \mathrel{\mathrm{L}}: [x] :=_{\tau} 1    \mathrel{\mathrm{L}}': [x] :=_{\tau} 1  $ | $\tau'^2 [ok: \tau \mapsto [e] * \tau' \mapsto [e']]$                                 | 0        |
| $\boxed{[\tau \mapsto [] * \tau' \mapsto []] \operatorname{L}: [x] :=_{\tau} 1    \operatorname{L}': [x] :=_{\tau'} 2 [ok: (\tau + \tau')]    \mathbf{L}': [x] :$                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | $\rightarrow [e] * \tau' \mapsto [e']) \land race(\mathtt{L}, \mathtt{L}', [e, e'])]$ | - Cons   |

At the last step of the derivation above, we apply the Construle of CISL to obtain race(L, L', [e, e']). Specifically, note that  $(\tau \mapsto [e] * \tau' \mapsto [e']) \land \text{race}(L, L', [e, e']) \Leftrightarrow \tau \mapsto [e] * \tau' \mapsto [e']$ , and we are only required to show that  $(\tau \mapsto [e] * \tau' \mapsto [e']) \land \text{race}(L, L', [e, e']) \Rightarrow \tau \mapsto [e] * \tau' \mapsto [e']$ .

**Duplicate Races.** Observe that using the same reasoning steps above, we can also derive race(L', L, [e', e]), identifying the same race between L and L' with a different witness history. However, duplicate race reporting can be avoided by simply inspecting the labels of racing instructions. For instance, once we report the race between L and L' via race(L, L', [e, e']), we can suppress all other witnesses of the form race(L, L', -) or race(L', L, -).

*Example 4.2 (Fig. 1f).* We present a proof outline of the race in Fig. 1f in Fig. 8, where we have annotated instructions with their thread identifiers and labels (where applicable). Note that we have encoded if (\*)  $L'_x$ :  $[x] :=_{\tau_2} 1$  in the right thread using the non-deterministic choice (+) of CISL as  $L'_x$ :  $[x] :=_{\tau_2} 2 + \text{skip}$ . For brevity, rather than giving the full derivation, we follow the classical Hoare logic proof outline, annotating each line of the code with its pre- and post-condition. We further commentate each proof step and write e.g. // RD-LOCK to denote an application of RD-LOCK.

**CISL**<sub>RD</sub> **Machine States (Par. 5) and Erasure (Par. 7).** While a CISL<sub>RD</sub> state  $s \in \text{STATE}_{RD}$  records the local (sequential) history associated with each thread, a  $CISL_{RD}$  machine state,  $m \in \text{MSTATE}_{RD}$  in Fig. 7, records the global execution history. A global history is obtained (through the  $\text{CISL}_{RD}$  erasure function) by combining all local thread histories into a well-formed history. That is, the  $CISL_{RD}$  erasure function is as defined below, where  $H|_{\tau}$  denotes restricting H to the events of  $\tau$ :  $\lfloor s \rfloor_{RD} \triangleq \{H \mid \forall \tau. s(\tau) = H' \Rightarrow H|_{\tau} = H'\}.$ 

**CISL**<sub>RD</sub> **Atomic Semantics (Par. 6).** The CISL<sub>RD</sub> atomic semantics is defined below, where each instruction of  $\tau$  extends the current history (machine state)  $H_q$  by inserting an associated event

*e* in  $H_g$  such that *e* is the last event of  $\tau$  in the extended history, and the extended history is wellformed (i.e. is in HIST). That is, whenever  $H_g$  can be split as  $H_{\tau} + H$  such that *H* does not contain any events associated with  $\tau$ , then executing an instruction associated with *e* may update  $H_g$  to  $H_{\tau} + e + H$ . Note that such splitting of  $H_g$  may not be unique; e.g. when  $H_g = [e_1 \cdots e_n]$  and none of  $e_1 \cdots e_n$  are associated with  $\tau$ , then  $R(I, \tau, x)$  may be inserted anywhere within  $H_g$ . Intuitively, this captures the different ways executing the instructions of one thread may be interleaved with those of others.

$$\begin{bmatrix} \text{IL:} a :=_{\tau} [x] \end{bmatrix}_{A} ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \text{HIST}^{2} \middle| e = \mathbb{R}(\text{L}, \tau, x) \land \forall e' \in H. e'. \text{tid} \neq \tau \right\}$$

$$\begin{bmatrix} \text{IL:} [x] :=_{\tau} a \end{bmatrix}_{A} ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \text{HIST}^{2} \middle| e = \mathbb{W}(\text{L}, \tau, x) \land \forall e' \in H. e'. \text{tid} \neq \tau \right\}$$

$$\begin{bmatrix} \text{Iock}_{\tau} l \end{bmatrix}_{A} ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \text{HIST}^{2} \middle| e = \mathbb{U}(\tau, l) \land \forall e' \in H. e'. \text{tid} \neq \tau \right\}$$

$$\begin{bmatrix} \text{unlock}_{\tau} l \end{bmatrix}_{A} ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \text{HIST}^{2} \middle| e = \mathbb{U}(\tau, l) \land \forall e' \in H. e'. \text{tid} \neq \tau \right\}$$

Note that the atomic semantics of  $lock_{\tau} l$  returns an empty set when the lock l is already held by  $\tau$ , thanks to the well-formedness condition on histories (see Fig. 7). Specifically, when the current machine state is  $H_1 = H_{\tau} + H$  (where H contains no actions by  $\tau$ ) and  $\tau$  then attempts to acquire the lock on l, then the resulting history  $H_2 = H_{\tau} + L(\tau, l) + H$  is well-formed and thus defined only if no other thread already holds the lock on l in  $H_{\tau}$ . That is,  $H_2$  is not well-formed (wf( $H_2$ ) does not hold) according to the definition in Fig. 7 when  $l \in alocks(H_{\tau}, \tau')$  for some  $\tau'$ . Consequently, when some thread  $\tau'$  already holds the lock on  $l, H_2$  is not defined, rendering the  $\{(H_1, H_2)\}$  set empty. Similarly, thanks to the well-formedness condition on histories, the atomic semantics of unlock  $\tau l$  returns an empty set when the lock l is not already held by  $\tau$ .

 $CISL_{RD}$  Atomic Soundness (Par. 8). Finally, in the technical appendix [Raad et al. 2022] we demonstrate that the  $CISL_{RD}$  atomic instructions are sound.

#### 4.2 Generalising CISL<sub>RD</sub>

Recall that the CISL<sub>RD</sub> formalism in §4.1 (as with RacerD) cannot detect races such as that in RACE1. This is because the definition of the race predicate simply requires that the set of locks held at the time of one of the conflicting accesses be empty, and thus fails to detect the race in RACE1 where the conflicting access occur while their threads hold disjoint (but non-empty) sets of locks.

We next generalise the race predicate to account for races such as RACE1. Note that we cannot naively update the race predicate to require that the set of locks held at the time of conflicting accesses be *disjoint* as this leads to *false positives*. To see this, consider the examples below:

| 1. lock <sub>τ</sub> <i>l</i> ;               |                                                                                    | 1. lock <sub><math>\tau</math></sub> $l'$ ;     | 6. lock <sub><math>\tau'</math></sub> $l$ ;                  |
|-----------------------------------------------|------------------------------------------------------------------------------------|-------------------------------------------------|--------------------------------------------------------------|
| 2. lock <sub><math>\tau</math></sub> $l'$ ;   | 7. lock $_{\tau'}$ l;                                                              | 2. lock <sub><math>\tau</math></sub> <i>l</i> ; | 7. lock <sub><math>\tau'</math></sub> $l'$ ;                 |
| 3. unlock <sub><math>\tau</math></sub> $l'$ ; | 8. unlock <sub><math>\tau'</math></sub> <i>l</i> ; (NoRACE1)                       | 3. unlock <sub><math>\tau</math></sub> $l'$ ;   | 8. unlock <sub><math>\tau'</math></sub> <i>l</i> ; (NoRace2) |
| 4. L: $[x] :=_{\tau} 1;$                      | 9. $L': [x] :=_{\tau'} 2;$<br>10. unlock <sub><math>\tau'</math></sub> <i>l'</i> ; |                                                 | 9. L': $[x] :=_{\tau'} 2;$                                   |
| 5. unlock <sub><math>\tau</math></sub> $l$ ;  | 10. unlock $_{\tau'}$ $l';$                                                        | 5. unlock <sub><math>\tau</math></sub> $l$ ;    | 10. unlock $_{\tau'}$ $l';$                                  |

In the case of NoRACE1, although at the time of the conflicting accesses on x (at L and L') the corresponding threads (resp.  $\tau$  and  $\tau'$ ) hold disjoint sets of locks (resp. {l} and {l'}), the two accesses do not race thanks to the synchronisation induced by the additional locks acquired in each thread (e.g. l' in the left thread). That is, even though these additional locks are released before the conflicting accesses and thus the locks held at the time of the conflicting accesses are disjoint, their mere acquisition induces additional synchronisation ('happens-before' ordering) that renders the program non-racy.<sup>2</sup> As such, reporting a race between L and L' would constitute a false positive.

<sup>&</sup>lt;sup>2</sup>We encourage the reader to attempt to construct a history to witness a race in NORACE1 and note that this cannot be done.

Similarly, the synchronisation induced by the additional locks in NoRACE2 (e.g. l' in the left thread) renders the programs non-racy. Note that NoRACE2 is obtained from NoRACE1 by swapping the order in which the two locks are acquired in each thread. That is, while the lock acquisitions in NoRACE1 are *balanced* (well-nested), those in NoRACE2 are not. Lock acquisition is balanced when acquired locks are released in the reverse acquisition order. Balanced locks are tantamount to synchronized blocks in Java, in that lock l; C; unlock l is commensurate with synchronized(l){C}. For simplicity, here we assume that the lock acquisitions are balanced as in RacerD (which allows lock acquisition only through (balanced) synchronized blocks). Nonetheless, it is straightforward to lift this assumption and generalise our formalism of CISL<sub>PD</sub> yet again.

**Generalising the** race **Assertion**. We present our general race assertion in Fig. 9 and describe it shortly. Given history H and thread  $\tau$ , a lock acquired by  $\tau$  in H is *active* if it is *not released* subsequently by  $\tau$  in H, i.e. is in alocks $(H, \tau)$ . Conversely, a lock acquired by  $\tau$  in H is *passive* if it is *released* subsequently by  $\tau$  in H, i.e. is in syncs $(H, \tau)$  defined Fig. 9.

We compute the set of passive locks to account for the additional synchronisation induced by them as in NORACE1. More concretely, to avoid false positives such as that in NORACE1 while identifying races such as that in RACE1, given  $\tau$  and  $\tau'$  and their respective histories H+e and H'+e' such that eand e' are conflicting, we identify a race between e and e' if the (active) locks held by  $\tau$  prior to e are disjoint from *all* (both active and passive) locks of  $\tau'$  or vice versa:  $\operatorname{alocks}(H, \tau) \cap \operatorname{locks}(H', \tau')=\emptyset$ or  $\operatorname{alocks}(H', \tau') \cap \operatorname{locks}(H, \tau)=\emptyset$ , where  $\operatorname{locks}(H, \tau) \triangleq \operatorname{alocks}(H, \tau) \cup \operatorname{syncs}(H, \tau)$ . For instance, let H=[1,2,3] and H'=[6,7,8] respectively denote (partial) histories of  $\tau$  and  $\tau'$  in NORACE1, with n denoting the event associated with the instruction at line n. We then have  $\operatorname{alocks}(H, \tau)=\{l\}$ ,  $\operatorname{alocks}(H', \tau')=\{l'\}$ ,  $\operatorname{syncs}(H, \tau)=\{l\} = \emptyset$  and  $\operatorname{alocks}(H, \tau)=[l]\neq\emptyset$ .

Finally, note that when computing the passive locks prior to an access *e*, we must only consider those passive locks that have been acquired *after* an active lock. To see this, consider a variant of NoRACE1 in RACE3 where the inner passive locks are promoted to the beginning of each thread. Observe that the accesses at L and L' race as witnessed by H = [1, 2, 6, 7, 3, 8, 4, 9]. That is, unlike in NoRACE1, the additional locks acquired by each thread at the beginning do not induce synchronisation when accessing *x*.

1. 
$$\operatorname{lock}_{\tau} l'$$
;   
2.  $\operatorname{unlock}_{\tau} l'$ ;   
3.  $\operatorname{lock}_{\tau} l$ ;   
4.  $\operatorname{L}: [x] :=_{\tau} 1$ ;   
5.  $\operatorname{unlock}_{\tau} l$ ;   
(RACE3)

Intuitively, this is because unlike in NORACE1, the passive locks are no longer preceded by an active lock, and thus when constructing a witness history as in *H*, they can always be acquired and released before the active locks.

To this end, given threads  $\tau_1$  and  $\tau_2$  and their respective histories  $H_1 + e_1$  and  $H_2 + e_2$  such that  $e_1$  and  $e_2$  are conflicting, we identify a race between  $e_1$  and  $e_2$  if 1) the active locks held by  $\tau_1$  prior to  $e_1$  are disjoint from all locks of  $\tau_2$  or vice versa (as explained above); and 2) thread histories can be partitioned as  $H_1=H_p + H_l$  and  $H_2=H'_p + H'_l$ , where  $H_p$  (resp.  $H'_p$ ) is the maximal prefix of  $H_1$  (resp.  $H_2$ ) such that  $\operatorname{alocks}(H_p, \tau_1)=\emptyset$  (resp.  $\operatorname{alocks}(H'_p, \tau_2)=\emptyset$ ). We then construct a global history witnessing the race as  $H_p + H'_p + H_l + H'_l + [e_1, e_2]$ , as shown in Fig. 9.

Note that the witness history  $H_p + H'_p + H'_l + H'_l + [e_1, e_2]$  is always well-formed: 1) alocks $(H_p, \tau_1)$  = alocks $(H'_p, \tau_2) = \emptyset$  (see partition) ensures that  $H_p + H'_p$  is well-formed and that there are no locks held at the end of  $H_p + H'_p$ ; and 2) alocks $(H_l, \tau_1) \cap \text{locks}(H'_l, \tau_2) = \emptyset$ , and thus the (active or passive) locks acquired by  $\tau_2$  in  $H'_l$  are disjoint from those that are held by  $\tau_1$  at the end of  $H_l$ .

*Example 4.3 (RACE3).* Let C and C' denote the sequential programs of  $\tau$  and  $\tau'$  in RACE3 above, respectively. Let  $H_p \triangleq [L(\tau, l'), U(\tau, l')], H'_p \triangleq [L(\tau', l), U(\tau', l)], H_l \triangleq [L(\tau, l)], H'_l \triangleq [L(\tau', l')], w \triangleq W(\iota, \tau, x), w' \triangleq W(\tau', \iota', x), H \triangleq H_p + H_l + [w] and H' \triangleq H'_p + H'_l + [e']. We then have:$ 

Azalea Raad, Josh Berdine, Derek Dreyer, and Peter W. O'Hearn

$$\begin{aligned} \operatorname{race}(\mathtt{l}_{1},\mathtt{l}_{2},H) & \longleftrightarrow^{\operatorname{det}} \exists \tau_{1},\tau_{2},H_{1},H_{2},e_{1},e_{2},H_{p},H_{p}',H_{l},H_{l}':\tau_{1}\mapsto H_{1}+e_{1}+-\ast\tau_{2}\mapsto H_{2}+e_{2}+-\ast e_{1}\mapsto e_{2}\ast \operatorname{lab}(e_{1})=\mathtt{l}_{1}\ast \operatorname{lab}(e_{2})=\mathtt{l}_{2}\ast \operatorname{partition}(H_{1},\tau_{1},H_{p},H_{l})\ast \operatorname{partition}(H_{2},\tau_{2},H_{p}',H_{l}') \\ & \ast H=H_{p}+H_{p}'+H_{l}+H_{l}'+H_{l}'+[e_{1},e_{2}]\ast \operatorname{alocks}(H_{l},\tau_{1})\cap \operatorname{locks}(H_{l}',\tau_{2})=\emptyset \end{aligned}$$

$$\begin{aligned} \operatorname{partition}(H,\tau,H_{1},H_{2}) & \overset{\operatorname{def}}{\longleftrightarrow} H=H_{1}+H_{2}\wedge \operatorname{alocks}(H_{1},\tau)=\emptyset \wedge \forall H_{1}'. H=H_{1}'+-\wedge \operatorname{alocks}(H_{1}',\tau)=\emptyset \Rightarrow H_{1}'\subseteq H_{1} \\ \operatorname{locks}(H,\tau) & \triangleq \operatorname{alocks}(H,\tau) \cup \operatorname{syncs}(H,\tau) \\ \operatorname{syncs}([],\tau) \triangleq \emptyset \qquad \qquad \operatorname{syncs}(e+H,\tau) \triangleq \begin{cases} x \cup \operatorname{syncs}(H,\tau) & \operatorname{if} e = \mathtt{l}(\tau,x) \wedge \mathtt{U}(\tau,x) \in H \\ \operatorname{syncs}(H,\tau) & \operatorname{otherwise} \end{cases} \end{aligned}$$

Fig. 9. The general race assertion; the highlighted text denotes the extensions generalising race on p. 14

(derived via Seq, Атом and CISL<sub>RD</sub> axioms on p. 14) (derived via Seq, Атом and CISL<sub>RD</sub> axioms on p. 14)

$$\frac{\begin{bmatrix} \tau \mapsto [ ] \end{bmatrix} C_1 [ok: \tau \mapsto H] & [\tau' \mapsto [ ] \end{bmatrix} C_2 [ok: \tau' \mapsto H']}{[\tau \mapsto [ ] * \tau' \mapsto [ ] ] C || C' [ok: \tau \mapsto H * \tau' \mapsto H']} P_{AR}}{[\tau \mapsto [ ] * \tau' \mapsto [ ] ] C || C' [ok: (\tau \mapsto H * \tau' \mapsto H') \land \operatorname{race}(L, L', H_p # H'_p # H_l # H'_l # [w, w'])]} C_{ONS}$$

#### 5 CISL<sub>DD</sub>: CISL FOR DEADLOCK DETECTION

As with races, deadlocks are *global* errors (due to two or more threads). We present  $\text{CISL}_{\text{DD}}$  for detecting data-agnostic deadlocks. To this end, we follow the approach of Brotherston et al. [2021] and assume that all program conditions are *non-deterministic*. We compare  $\text{CISL}_{\text{DD}}$  to the work of [Brotherston et al. 2021] and show how the  $\text{CISL}_{\text{DD}}$  deadlock assertion is more expressive in that it can produce a history *witnessing* the deadlock. As in  $\text{CISL}_{\text{RD}}$ , we do not treat deadlocks as errors; instead, we compute a sequential history of each thread in isolation, combine them using PAR, and examine them to detect deadlocks and construct a concurrent history witnessing the deadlock.

**Deadlocks and Critical Pairs.** As with races, deadlocks may only manifest under certain interleavings. To see this, consider the example shown in DL, where  $C_{ht}$ ,  $C'_{ht}$  denote arbitrary code without lock/unlock instructions. The program in DL induces several (abbreviated) histories, including H=[1, 5] and H'=[1, 2, 3, 4, 5, 6, 7, 8]. However, the deadlock between lines 1, 2 and lines 5, 6 only manifest in H and not H'. That is, after  $\tau$  and  $\tau'$  respectively execute lines 1 and 5, then neither thread can proceed further as they each need to acquire a lock already held by the other.

Specifically, note that as part of the history we do not record the instructions associated with  $C_{lul}/C'_{lut}$ : as we discuss below, the only instructions relevant to deadlocks are locks and unlocks, and thus the instructions in  $C_{lut}$ ,  $C'_{lut}$  are immaterial. In particular, since all conditions are non-deterministic, threads cannot affect the control flow of each other; as such, we do ignore memory accesses (read/write instructions) altogether (unlike in races).

1. 
$$L_1: lock_{\tau} l;$$
  
2.  $L_2: lock_{\tau} l';$   
3.  $unlock_{\tau} l';$   
4.  $unlock_{\tau} l;$   
(DL)  
5.  $L_5: lock_{\tau'} l;$   
6.  $L_6: lock_{\tau'} l;$   
7.  $unlock_{\tau'} l;$   
8.  $unlock_{\tau'} l;$ 

The notion of deadlocks is captured by Brotherston et al. [2021] in terms of *critical pairs*. Specifically, a critical pair of a thread  $\tau$  is a pair (A, l) such that in some execution  $\tau$  attempts to acquire a lock l while already holding the set of locks (i.e. active locks) A. For instance, after executing lines 1 and 5 in DL, the critical pairs of  $\tau$  and  $\tau'$  are given by  $(l', \{l\})$  and  $(l, \{l'\})$ , respectively. Two threads  $\tau_1$  and  $\tau_2$  deadlock iff they respectively yield critical pairs  $c_1 = (l_1, A_1)$  and  $c_2 = (l_2, A_2)$  such that  $l_1 \in A_2$ ,  $l_2 \in A_1$  and  $A_1 \cap A_2 = \emptyset$ , as is the case for  $(l', \{l\})$  and  $(l, \{l'\})$  of  $\tau$  and  $\tau'$  in DL. This intuition can be generalised to n threads: threads  $\tau_1, \dots, \tau_n$  with critical pairs  $(l_1, A_1), \dots, (l_n, A_n)$  deadlock iff for all  $i \in \{1 \dots n\}$ ,  $l_i \in \bigcup_{j \neq i} A_j$  and  $A_i \cap \bigcup_{j \neq i} A_j = \emptyset$ .

dof

 $\begin{array}{l} H \in \operatorname{Hist} \triangleq \left\{ E \in \operatorname{Seq}(\operatorname{Event}) \mid \operatorname{wf}(E) \right\} & e \in \operatorname{Event} \triangleq \left\{ \mathsf{L}(\mathsf{l},\tau,x), \mathsf{U}(\tau,x) \mid \mathsf{l} \in \operatorname{Label} \land \tau \in \operatorname{TID} \land x \in \operatorname{Loc} \right\} \\ s \in \operatorname{State_{DD}} \triangleq \left\{ f \in \operatorname{TID} \stackrel{\text{fin}}{\longrightarrow} \operatorname{Hist} \mid \forall \tau, H, e. \ f(\tau) = H \land e \in H \Rightarrow \operatorname{tid}(e) = \tau \right\} \\ & m \in \operatorname{MState_{DD}} \triangleq \operatorname{Hist} \end{aligned}$ 

Fig. 10. The CISL<sub>DD</sub> Model Domain, where the wf(.) definition is analogous to that in Fig. 7

We can capture the notion of critical pairs using our *histories* as defined in §4. For instance, the sequential history of  $\tau$  in DL is  $\tau \mapsto H$  with  $H = [L(L_1, \tau, l), L(L_2, \tau, l'), U(\tau, l'), U(\tau, l)]$ , which yields the critical pair  $c_1$ : H can be decomposed as  $H_1 + [L(L_2, \tau, l')] + -$ , with  $H_1 = [L(L_1, \tau, l)]$  and the  $\tau$  active locks in  $H_1$  is given by  $A_1$  (alocks $(H_1, \tau) = A_1$ ); i.e.  $\tau$  attempts to acquire l' (via  $L(L_2, \tau, l')$ ) while holding the locks in  $A_1$ . Analogously, the sequential history of  $\tau'$  yields the critical pair  $c_2$ .

We next present our  $\text{CISL}_{\text{DD}}$  formalism and show how we use it to detect deadlocks using a deadlock assertion. Our formalism is inspired by that of Brotherston et al. [2021] and uses their notion of critical pairs. We then demonstrate how we can strengthen our deadlock assertion to go beyond the critical pairs of Brotherston et al. [2021] and produce a history *witnessing* the deadlock.

**CISL**<sub>DD</sub> **Atomic Commands (Par. 1).** As before, we assume a set of (shared) memory locations ranged over by *x*, *y*, *z*. We instantiate  $\text{CISL}_{\text{DD}}$  with a simple set of atomic commands comprising constructs for acquiring and releasing locks, assignment and accessing the memory:

ATOM<sub>DD</sub>  $\ni$  a ::= L: lock<sub> $\tau$ </sub> x | unlock<sub> $\tau$ </sub> y | a := e | a := [x] | [x] := a

To identify and locate deadlocks, we annotate each lock instruction with a label, L, and each lock/unlock with a thread id,  $\tau$ . Since conditions are non-deterministic, threads cannot affect the control flow of one another via (reading) in-memory values. As such, assignments and memory accesses have no bearing on deadlocks and thus need not be annotated. Similarly, when reporting a deadlock, we identify the culprit lock instructions, and thus do not label unlock instructions. As in CISL<sub>DD</sub> we assume that a CISL<sub>DD</sub> program is *well-formed*: it meets conditions (1)–(3) on p. 13.

CISL<sub>DD</sub> State PCM (Par. 2) and Error Conditions (Par. 3). The CISL<sub>DD</sub> PCM is (STATE<sub>DD</sub>,  $\uplus$ ,  $\emptyset$ ), where STATE<sub>DD</sub> is defined in Fig. 10,  $\uplus$  denotes disjoint function union and  $\emptyset$  denotes a map with an empty domain. As before, we write  $\tau \mapsto H$  for  $p = \{\tau \mapsto H\}$ ; the CISL<sub>DD</sub> functions alocks, syncs and locks are defined analogously to those of CISL<sub>RD</sub> in Figures 7 and 9. As discussed, we do not treat deadlocks as errors and thus define the CISL<sub>DD</sub> erroneous exit conditions as: EREXIT<sub>DD</sub>  $\triangleq \emptyset$ .

**CISL**<sub>DD</sub> **Axioms (Par. 4).** The set of  $\text{CISL}_{\text{DD}}$  axioms,  $\text{AxioM}_{\text{DD}}$ , is defined below, where assignment and memory accesses require no resource: they have no bearing on deadlocks (recall that we prohibit deterministic conditions) and thus are not included in the history. By contrast, lock and unlock instructions extend their thread history with an associated event. As before, when  $\tau$  already holds the lock on l (i.e.  $l \in \text{alocks}(H, \tau)$ ), then the resulting history  $H + L(\tau, l)$  is not well-formed, and thus  $\tau \mapsto H + L(\tau, l)$  in the postcondition of lock would render the triple vacuously valid.

| DD-LOCK<br>$[\tau \mapsto H]$ L: lock <sub><math>\tau</math></sub> l [ok: $\tau \mapsto I$ |                                            | DD-UNLOCK<br>$\tau \mapsto H$ ] unlock $_{\tau} l [ok: \tau \mapsto H + U(\tau, l)]$ |
|--------------------------------------------------------------------------------------------|--------------------------------------------|--------------------------------------------------------------------------------------|
| DD-Assign $[emp] a := e [ok: emp]$                                                         | DD-READ<br>[emp] $a := [x] [ok: \epsilon]$ | DD-WRITE $[emp] [x] := a [ok: emp]$                                                  |

A Simple Deadlock Assertion. Recall that we can formulate a deadlock between two threads in terms of their critical pairs which in turn can be derived from the sequential thread histories. This is formulated in the  $DL(l_1, A_1, l_2, A_2)$  assertion below:

$$DL(l_1, A_1, l_2, A_2) \stackrel{\text{def}}{\longleftrightarrow} \exists \tau_1, \tau_2, H_1, H_2, \tau_1 \mapsto H_1 + L(-, \tau_1, l_1) + -* \operatorname{alocks}(H_1, \tau_1) = A_1 * l_2 \in A_1 \\ * \tau_2 \mapsto H_2 + L(-, \tau_2, l_2) + -* \operatorname{alocks}(H_2, \tau_2) = A_2 * l_1 \in A_2 * A_1 \cap A_2 = \emptyset$$



Fig. 11. A proof sketch of the deadlock in DL

That is, a deadlock exists between  $\tau_1$ ,  $\tau_2$  when they respectively yield critical pairs  $(l_1, A_1)$  and  $(l_1, A_1)$ , and their respective critical pairs clash as described above. Specifically, a thread  $\tau_1$  attempts to lock  $l_1$  after having locked  $l_2$ , while another thread  $\tau_2$  attempts to lock  $l_2$  after having locked  $l_1$ , thus leading to a deadlock. The DL assertion corresponds to the deadlock reporting mechanism of Brotherston et al. [2021] using critical pairs; as discussed, this can be generalised to *n* threads.

A More Expressive Deadlock Assertion. Note that the DL assertion above (and that of Brotherston et al. [2021]) merely reports the *presence* of a deadlock, rather than *how* a deadlock may be encountered. Specifically, DL does not reflect how one may construct a history witnessing the deadlock. However, thanks to the sequential histories recorded for each thread in  $CISL_{DD}$ , we can indeed strengthen the DL assertion as follows to record a history (trace) *H* witnessing the deadlock, where the highlighted sections denote the extensions strengthening DL:

$$SDL(l_1, l_2, H) \stackrel{\text{der}}{\longleftrightarrow} \exists \tau_1, \tau_2, H'_1, H'_2, H_1, H_2, e_1, e_2, A_1, A_2, P_2.$$
  

$$\tau_1 \mapsto H'_1 + H_1 + e_1 + - * e_1 = L(-, \tau_1, l_1) * \operatorname{alocks}(H_1, \tau_1) = A_1 * l_2 \in A_1$$
  

$$*\tau_2 \mapsto H'_2 + H_2 + e_2 + - * e_2 = L(-, \tau_2, l_2) * \operatorname{alocks}(H_2, \tau_2) = A_2 * l_1 \in A_2 * \operatorname{locks}(H_2, \tau_2) = P_2$$
  

$$*\operatorname{alocks}(H'_1, \tau_1) = \operatorname{alocks}(H'_2, \tau_2) = \emptyset * A_1 \cap P_2 = \emptyset * H = H'_1 + H'_2 + H_1 + H_2 + e_1 + e_2$$

The  $H'_1$  and  $H'_2$  prefixes allow the two deadlocking threads to acquire the same lock so long as they release it before the deadlocking accesses (alocks $(H'_1, \tau_1) = \text{alocks}(H'_2, \tau_2) = \emptyset$ ).

1.  $\tau_1: \operatorname{lock}_{\tau} x; \| 4. \tau_2: \operatorname{lock}_{\tau} y;$  The  $A_1 \cap P_2 = \emptyset$  ensures that the histories of  $\tau_1, \tau_2$  can be combined 2.  $\tau_1: \operatorname{lock}_{\tau} z; \| 5. \tau_2: \operatorname{lock}_{\tau} z;$  into a well-formed global history. That is, (without loss of generality) 3.  $\tau_1: \operatorname{lock}_{\tau} y; \| 6. \operatorname{unlock}_{\tau_2} z;$  we require that the locks (active or passive) acquired by  $\tau_2$  (in  $H_2$ ) on 7.  $\tau_2: \operatorname{lock}_{\tau} x;$  the way to acquiring  $l_2$  (via  $e_2$ ) do not intersect with the active locks held by  $\tau_1$  thus far; were this not the case and  $\tau_2$  attempted to acquire a lock already held by  $\tau_1$ , then appending  $H_2$  after  $H_1$  would not yield a

well-formed history. To see this, consider DL1 and let  $H'_1=H'_2=[]$ ,  $H_1=[1, 2]$ ,  $H_2=[4, 5, 6]$ , and let  $e_1$  and  $e_2$  be the events of locks on lines 3 and 7, respectively. We then have  $A_1=\operatorname{alocks}(H_1,\tau_1)=\{x,z\}$  and  $P_2 = \operatorname{locks}(H_2,\tau_2)=\{y,z\}$ , rendering the combined history  $H=H'_1+H'_2+H_1+H_2+e_1+e_2$  not well-formed, as  $\tau_2$  attempts to acquire z (line 5 in  $H_2$ ) which is already held by  $\tau_1$  (line 2 in  $H_1$ ).

*Example 5.1.* We present a proof sketch of the deadlock in DL in Fig. 11. Note that since  $C_{lut}$  (resp.  $C'_{lut}$ ) contain no luck/unlock instructions, and the remaining  $CISL_{DD}$  instructions (assignment, read and write) do not alter the history, it is straightforward to show that after executing  $C_{lut}$  (resp.  $C'_{lut}$ ) the sequential thread histories remain unchanged.

**The** SDL **versus** DL **Assertion.** Note that the SDL assertion is stronger (stricter) than DL, in that SDL may fail to catch deadlocks that DL can catch. To see this, consider the program in DL2, where the deadlock between lines 4, 5, 9 and 10 can be captured by DL as  $DL(y, \{z, x\}, x, \{w, y\})$ , but not by SDL. However, our aim with SDL is not to detect more deadlocks, but rather to provide a more expressive assertion that provides

| 6. $\tau_2$ : lock <sub><math>\tau</math></sub> w;  |
|-----------------------------------------------------|
| 7. $\tau_2$ : lock $_{\tau} x$ ;                    |
| 8. unlock <sub><math>\tau_2</math></sub> x;         |
| 9. $\tau_2$ : lock $_{\tau}$ y;                     |
| 10. $\tau_2$ : lock <sub><math>\tau</math></sub> x; |
| DL2)                                                |
|                                                     |

the user with a trace witnessing the deadlock. This is indeed a tradeoff: while DL can identify all potential deadlocks, it does not describe how the deadlock may arise (e.g. via a witness trace), and it is not always immediately obvious how the deadlock may be encountered, which can be crucial when fixing the deadlock. By contrast, SDL provides a witness trace that may aid the deadlock fixing process, albeit at the cost of missing some deadlocks. Note that given the under-approximate nature of CISL, it is sound to miss some deadlocks in the case of SDL.

**Machine States (Par. 5) and Erasure (Par. 7).** As in  $\text{CISL}_{\text{RD}}$ , a  $\text{CISL}_{DD}$  machine state,  $m \in \text{MSTATE}_{\text{DD}}$  in Fig. 10, records the global execution history, obtained by combining the thread histories (in  $\text{STATE}_{\text{DD}}$ ) into a well-formed history via the  $\text{CISL}_{DD}$  erasure function below, where  $H|_{\tau}$  is as defined in §4:

$$\lfloor s \rfloor_{\text{DD}} \triangleq \{ H \mid \forall \tau. \ s(\tau) = H' \Longrightarrow H \mid_{\tau} = H' \}$$

**CISL**<sub>DD</sub> **Atomic Semantics (Par. 6).** The CISL<sub>DD</sub> atomic semantics is defined below, where (as in CISL<sub>RD</sub>) each instruction of  $\tau$  extends the current history (machine state)  $H_g$  by inserting an associated event e in  $H_g$  such that e is the last event of  $\tau$  in the extended history, and the extended history is well-formed (i.e. is in HIST). As before, the atomic semantics of L: lock<sub> $\tau$ </sub> l (resp. unlock<sub> $\tau$ </sub> l) returns an empty set when the lock l is already held (resp. not held) by  $\tau$ , thanks to the well-formedness condition on histories (see Fig. 10).

$$\begin{aligned} & [L: \operatorname{lock}_{\tau} l]_{A}ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \operatorname{HIST}^{2} \middle| e = \mathsf{L}(\mathsf{L}, \tau, l) \land \forall e' \in H. \ e'. \mathsf{tid} \neq \tau \right\} \\ & [[\operatorname{unlock}_{\tau} l]_{A}ok \triangleq \left\{ (H_{\tau} + H, H_{\tau} + e + H) \in \operatorname{HIST}^{2} \middle| e = \mathsf{U}(\tau, l) \land \forall e' \in H. \ e'. \mathsf{tid} \neq \tau \right\} \\ & [[a := e]_{A}ok = [[a := [x]]_{A} = [[x] := a]_{A} \triangleq \left\{ (H, H) \middle| H \in \operatorname{HIST} \right\} \end{aligned}$$

**CISL**<sub>DD</sub> **Atomic Soundness (Par. 8).** In the technical appendix [Raad et al. 2022] we demonstrate that the CISL<sub>DD</sub> atomic instructions are sound.

### 6 GENERALISING CISL TO PCMS WITH INTERFERENCE

**Interference.** Our notion of views thus far (Def. 3.4) describes abstract states *constructed* in such a way that are *stable*, i.e. immune to *interference* (modification) from concurrent threads. For instance, let  $\tau$  and  $\tau'$  denote two concurrent threads in CISL<sub>DC</sub>, with their current states respectively given by *s* and *s'*, such that their composition ( $s \circ_{DC} s'$ ) is defined (otherwise they cannot run concurrently). From CISL<sub>DC</sub> axioms we then know  $\tau$  (resp.  $\tau'$ ) can only modify an entry in *s* (resp. *s'*) for which it has full permission ( $\pi$ =1), which (by definition of  $\circ_{DC}$ ) cannot be in the domain of *s'* (resp. *s*). As such,  $\tau$  and  $\tau'$  cannot modify the states (and by lifting the views) of one another.

In our CISL instantiations so far, views are stable *by construction*. Although stable-by-construction views are simpler, and are indeed sufficient for our CISL instantiations so far, they are not strictly necessary. In particular, in reasoning frameworks with finer-grained permissions such as those of

 $\frac{F_{\text{RAMEINTER}}}{F_{\text{I}} [p] C [\epsilon:q]} \text{ stable}(r) \qquad \qquad \frac{P_{\text{ARINTER}}}{F_{\text{I}} [p*r] C [\epsilon:q*r]} \qquad \qquad \frac{P_{\text{ARINTER}}}{F_{\text{I}} [p_1,q_2) \lor \text{stable}(p_2,q_1)} \qquad \qquad F_{\text{I}} [p_i] C_i [ok:q_i] \quad \text{for all } i \in \{1,2\}}{F_{\text{I}} [p_1*p_2] C_1 || C_2 [ok:q_1*q_2]}$ 

Fig. 12. Generalised rules of frame and parallel composition in the presence of interference

[Jung et al. 2015; Dinsdale-Young et al. 2010], views need not be stable by construction, so long as they are stable with respect to *interference* from other threads. Accordingly, the rules of frame and parallel composition are adapted to admit views that are stable with respect to interference. We can analogously generalise CISL to allow for interference. An interference relation describes how the states of one thread can be modified by other threads in the environment. As states are supplied as a CISL parameter, CISL is also parametric in their associated interference. In all our examples thus far, interference can be denoted by the *identity relation* as threads do not interfere by construction. Later in §7 we present a CISL instance with a non-identity interference relation.

*Parameter 9 (Interference).* Assume an interference relation  $I \subseteq STATE \times STATE$  such that:

- *I* is reflexive and transitive;
- for all  $s, s_1, s_2, s'$ , if  $s=s_1 \circ s_2$  and  $(s, s') \in I$ , then there exist  $s'_1, s'_2$  such that  $s'=s'_1 \circ s'_2$  and  $(s_1, s'_1), (s_2, s'_2) \in I$ ; and
- for all  $s_0 \in \text{STATE}^0$  and  $s \in \text{STATE}$ , if  $(s, s_0) \in I$ , then  $s \in \text{STATE}^0$ .

*Example 6.1.* We illustrate how interference can be used to construct views by revisiting the states in  $\text{CISL}_{\text{DC}}$  (Example 3.3). Specifically, rather than modelling states as maps with non-zero permissions, we can additionally allow zero permissions:  $\text{STATE}_{\text{DC}}^z \triangleq \text{VAR} \xrightarrow{\text{fin}} (\text{VAL} \times [0, 1]) \cup (\text{Loc} \xrightarrow{\text{fin}} \text{VAL} \uplus \{\bot\} \times [0, 1])$ , with composition  $\circ_{\text{DC}}$  and units  $\text{STATE}_{\text{DC}}^0$  defined as before. The zero permission on *k* denotes the absence of ownership on *k* and confers no resources; as such, the  $\text{CISL}_{\text{DC}}$  axioms remain unchanged. However, the interference is no longer the identity relation as we should account for other threads modifying those entries for which the current thread has zero permission:  $I \triangleq \{(s, s') \mid \forall k. \ s(k) = (-, \pi) \land \pi > 0 \Rightarrow s(k) = s'(k)\}$ . That is, concurrent threads may modify those entries that are not (partially) owned by the current thread.

We next define the notion of *stable* views as those views that are invariant under interference.

Definition 6.2 (Stability). Given the interference relation I (Par. 9), a view p is stable, written stable(p), iff  $I^{-1}(p) \subseteq p$ , where  $I^{-1}(p) \triangleq \bigcup_{s \in p} I^{-1}(s)$  and  $I^{-1}(s) \triangleq \{s' \mid \exists s \in p. (s', s) \in I\}$ .

Note that unlike in correctness settings where stability is defined in the forward direction on I, namely stable $(p) \iff I(p) \subseteq p$  with  $I(s) \triangleq \{s' \mid (s,s') \in I\}$ , in the incorrectness setting of CISL stability is defined in the backward direction via  $I^{-1}$ . To see why, let  $p \triangleq x \stackrel{1}{\mapsto} 2$ ,  $q \triangleq x \stackrel{1}{\mapsto} 3$ ,  $r \triangleq x \stackrel{0}{\mapsto} 3$  and  $C \triangleq x := 3$ . Using the DC-Assign axiom we obtain [p] C [ok: q]. Subsequently, we can apply FRAME to get [p \* r] C [ok: q \* r], i.e. [false] C [ok: q \* r]. The resulting triple is *invalid*: it states that each state in q \* r is reachable from some state in the empty state set false! Similarly, using SKIP we have [r]skip[ok: r] and we can apply PAR to get [false] C [] skip[ok: q \* r]!

In other words, when interference is a non-identity relation, we jeopardise the soundness of FRAME and PAR. In the example above, as the frame *r* holds zero permission on *x*, it should anticipate the environment to modify it. That is, *r* should be (but it is not) *stable* under *I* as defined in Example 6.1. As such, even though *r* is compatible with *q* (*q* \* *r* is defined), when *x* is modified by the environment, this change is not anticipated by *r* and thus  $p * r \equiv$  false. By contrast,  $r' \triangleq \exists v. x \stackrel{0}{\mapsto} v$  is stable, resulting in valid triples [p \* r'] C [ok: q \* r'] and [p \* r'] C || skip [ok: q \* r'].

As such, we adapt the FRAME and PAR rules as shown in Fig. 12, where we write stable( $p_1, p_2$ ) as a shorthand for stable( $p_1$ )  $\land$  stable( $p_2$ ). Note that in PARINTER it is sufficient for either  $p_1, q_2$  or  $p_2, q_1$  to be stable. Intuitively, this is because it suffices to show  $[p_1 * p_2] C_1 || C_2 [ok: q_1 * q_2]$  holds for *one interleaving* of  $C_1 || C_2$ . In particular,  $C_1$ ;  $C_2$  is a valid interleaving of  $C_1 || C_2$ , and so long as we have stable( $p_2, q_1$ ) and  $[p_i] C_i [ok: q_i]$  for  $i \in \{1, 2\}$ , we can derive:

$$\frac{[p_1] C_1 [ok:q_1] \text{ stable}(p_2)}{[p_1 * p_2] C_1 [ok:q_1 * p_2]} \operatorname{FrameINTER} \frac{[p_2] C_2 [ok:q_2] \text{ stable}(q_1)}{[q_1 * p_2] C_1 [ok:q_1 * q_2]} \operatorname{FrameINTER} \frac{[p_1 * p_2] C_1; C_2 [ok:q_1 * q_2]}{[p_1 * p_2] C_1; C_2 [ok:q_1 * q_2]} \operatorname{ParSeq} \operatorname{FrameINTER}$$

Analogously, stable( $p_1, q_2$ ) allows us to derive [ $p_1 * p_2$ ] C<sub>2</sub>; C<sub>1</sub> [ $ok: q_1 * q_2$ ] as another interleaving of C<sub>1</sub> || C<sub>2</sub>. Lastly, we generalise axiom soundness accordingly to allow for interference: atomic commands may modify compatible frames (of concurrent threads) up to their interference.

Parameter 10 (General axiom soundness). Assume for all  $(p, l, \epsilon, q) \in A$ XIOM the following holds:  $\forall s \in STATE, m_q \in \lfloor q * \{s\} \rfloor$ .  $\exists m_p \in \lfloor p * I^{-1}(s) \rfloor$ .  $(m_p, m_q) \in \llbracket l \rrbracket \epsilon$ 

#### 7 CISL<sub>SV</sub>: CISL FOR SHARED CONCURRENCY WITH RESOURCE SUBVARIANTS

We next develop  $\text{CISL}_{SV}$  as an instance of CISL with non-identity interference.  $\text{CISL}_{SV}$  is the underapproximate analogue of concurrent separation logic (CSL) [O'Hearn 2004], used for reasoning about shared concurrency with resource invariants. In the correctness setting of CSL one must show that a shared resource **r** always satisfies an *invariant* that *over-approximates* the possible states of **r**, after it has been accessed (within a critical section) an arbitrary number for times. However, in the incorrectness setting of CISL such over-approximation is of little use. Instead, we appeal to a resource *subvariant* that *under-approximates* the possible states of **r**. Specifically, a subvariant *S* associated with resource **r** is a map from natural numbers to states, with S(n) under-approximating the possible states of **r** after it has been accessed *n* times; i.e. the initial state of **r** is given by S(0).

CISL<sub>SV</sub> Atomic Commands (Par. 1). CISL<sub>SV</sub> atomics include the heap-manipulating constructs of CISL<sub>DC</sub>, as well as commands for accessing shared resources: 1)  $acq_{\tau} \mathbf{r}$  for acquiring the shared resource  $\mathbf{r} \in RID$  within a critical section of thread  $\tau$ ; and 2)  $rel_{\tau} \mathbf{r}$  for releasing the shared resource  $\mathbf{r}$  held by  $\tau$ . As in CSL, we assume shared resources are declared sequentially before forking parallel threads: we focus on programs of the form resource  $\mathbf{r}_1 \cdots \mathbf{r}_k$ ;  $C_1 || \cdots || C_n$ . As noted in [O'Hearn 2004], it is possible to consider nested resource declarations and parallel compositions; however, for brevity we focus on this restricted form. We write with\_{\tau} \mathbf{r} do C as a shorthand for  $acq_{\tau} \mathbf{r}$ ; C;  $rel_{\tau} \mathbf{r}$ .

ATOM<sub>SV</sub>  $\ni$  a ::=  $x := v \mid x :=$ alloc() | L: free(x) | L:  $x := [y] \mid$  L:  $[x] := y \mid$  acq<sub> $\tau$ </sub> r | rel<sub> $\tau$ </sub> r

In what follows we first present the  $\text{CISL}_{SV}$  axioms using an intuitive description of  $\text{CISL}_{SV}$  states, and then present the formal definition of  $\text{CISL}_{SV}$  states and their interference.

**CISL**<sub>SV</sub> Atomic Axioms. We present the CISL<sub>SV</sub> axioms in Fig. 13. The res<sup>r</sup><sub>S</sub>( $\tau$ : n) (defined shortly below) in the precondition of SV-AcQ describes the resources necessary for  $\tau$  to acquire **r** with subvariant S, where n denotes the *contribution* of  $\tau$  on **r**: the number of times  $\tau$  has accessed **r**. That is, res<sup>r</sup><sub>S</sub>( $\tau$ : n) reflects the contribution of  $\tau$  only, and not that of other threads; as such, the total contribution on **r** is unknown and may be any value  $m \ge n$ , as captured by the disjunction in the SV-AcQ postcondition. Given the total contribution  $m \ge n$ , once  $\tau$  acquires **r**, it claims the resources of **r** (S(m)) and changes res<sup>r</sup><sub>S</sub>( $\tau$ : n) for cs<sup>r</sup><sub>S</sub>( $\tau$ : n, m). That is, once  $\tau$  acquires **r**, others can no longer access **r** and thus its total contribution m remains unchanged and can be reflected in cs<sup>r</sup><sub>S</sub>( $\tau$ : n, m).

Azalea Raad, Josh Berdine, Derek Dreyer, and Peter W. O'Hearn

$$\begin{aligned} & \text{SV-Acq} \\ & [\text{res}_{\mathcal{S}}^{r}(\tau;n)] \operatorname{acq}_{\tau} \mathbf{r} \left[ ok; \bigvee_{m \ge n}^{} (\mathcal{S}(m) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau;n,m)) \right] & \begin{bmatrix} \bigvee_{m \ge n}^{} (\mathcal{S}(m+1) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau;n,m)) \\ & \bigvee_{m \ge n}^{} (\mathcal{S}(m+1) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau;n,m)) \end{bmatrix} \mathbf{rel}_{\tau} \mathbf{r} \left[ ok; \operatorname{res}_{\mathcal{S}}^{r}(\tau;n+1) \right] \\ & \text{SV-Acq-G} \\ & [\operatorname{res}_{\mathcal{S}}^{r}(m)] \operatorname{acq}_{\tau} \mathbf{r} \left[ ok; \mathcal{S}(m) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau,m) \right] & [\mathcal{S}^{} (\mathcal{S}(m+1) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau,m)] \operatorname{rel}_{\tau} \mathbf{r} \left[ ok; \operatorname{res}_{\mathcal{S}}^{r}(m+1) \right] \\ & [\mathcal{S}^{} (\mathcal{S}(m+1) * \operatorname{cs}_{\mathcal{S}}^{r}(\tau,m)] \operatorname{rel}_{\tau} \mathbf{r} \left[ ok; \operatorname{res}_{\mathcal{S}}^{r}(m+1) \right] \\ & [\mathcal{S}^{} (\mathcal{S}(m) = n, [p * \mathcal{S}(m)] \operatorname{C} \left[ ok; q * \mathcal{S}(m+1) \right] & \operatorname{stable}(p,q) \\ & [p * \operatorname{res}_{\mathcal{S}}^{r}(\tau;n)] \text{ with}_{\tau} \mathbf{r} \text{ do } \operatorname{C} \left[ ok; q * \operatorname{res}_{\mathcal{S}}^{r}(n+1) \right] \\ & [p * \operatorname{res}_{\mathcal{S}}^{r}(n)] \text{ with}_{\tau} \mathbf{r} \text{ do } \operatorname{C} \left[ ok; q * \operatorname{res}_{\mathcal{S}}^{r}(n+1) \right] \end{aligned}$$

Fig. 13. CISL<sub>SV</sub> axioms (excerpt); SV-CS and SV-CS-G are derived from SV-Acq, SV-ReL and CISL proof rules

Upon successful acquisition of  $\mathbf{r}$ ,  $\tau$  enters a critical section and may freely modify  $\mathcal{S}(m)$ . However, prior to exiting the critical section, it must re-establish the subvariant for its incremented contribution, namely  $\mathcal{S}(m+1)$ , as shown in the precondition of SV-Rel. Once  $\tau$  releases  $\mathbf{r}$ , it relinquishes  $\mathcal{S}(m+1)$  and increments its contribution to n+1 by changing  $cs^r_{\mathcal{S}}(\tau; n, m)$  for  $res^r_{\mathcal{S}}(\tau; n+1)$ .

While  $\operatorname{res}_{S}^{r}(\tau; n)$  describes the resources needed for  $\tau$  to acquire **r** and thus denotes a  $\tau$ -local view, the  $\operatorname{res}_{S}^{r}(n)$  describes those needed for all threads, denoting a global view. That is,  $\operatorname{res}_{S}^{r}(n)$  grants full permission on **r**, the environment cannot interfere with **r** and thus we can stably reflect the total contribution of all threads (*m*). Similarly,  $\operatorname{cs}_{S}^{r}(\tau, m)$  denotes a global analogue of  $\operatorname{cs}_{S}^{r}(\tau; n, m)$ . Note that a global view may always be split to its constituent local views via the following equivalence:

$$\operatorname{res}_{\mathcal{S}}^{\mathbf{r}}(k) \Leftrightarrow \exists k_{1} \cdots k_{n}. \ k = \sum k_{i} * \underset{\tau_{i} \in \operatorname{TID}}{*} \operatorname{res}_{\mathcal{S}}^{\mathbf{r}}(\tau_{i}:k_{i})$$
(SUBV-SPLIT)

We use the global views in SV-Acq-G and SV-ReL-G which denote global analogues of the local SV-Acq and SV-ReL rules. In contrast to the local, in the global rules we know the precise total contribution *m* and thus no longer need the outer disjunct  $(\lor_{m \ge n})$ .

The SV-CS for executing C within a critical section of **r** can be derived using SV-Acq, SV-ReL and other CISL rules, where p, q denote additional resources needed for executing C, provided that they are stable (as they will be framed off when applying SV-Acq and SV-ReL, respectively). The remaining axioms of CISL<sub>SV</sub> (e.g. for free(x)) are the same as their CISL<sub>DC</sub> counterparts in Fig. 4.

*Example 7.1.* Assume that location x is shared within resource  $\mathbf{r}$  (i.e. can only be accessed within a critical section), and let disp<sub> $\tau$ </sub> x be defined as follows to dispose (free) x atomically:

 $\operatorname{disp}_{\tau} x \triangleq \operatorname{with}_{\tau} \mathbf{r} \text{ do } C_1 + C_2 \quad C_1 \triangleq \operatorname{assume}(\neg \operatorname{flag}); \operatorname{free}(x); \operatorname{flag}:= 1 \quad C_2 \triangleq \operatorname{assume}(\operatorname{flag}); \operatorname{skip}(x) = C_1 = C_2 = C_2 = C_2$ 

That is, if flag is set, then x is already deallocated and  $\operatorname{disp}_{\tau} x$  does nothing; otherwise x is deallocated and flag is set. Let  $S(0) \triangleq \operatorname{flag} \mapsto 0 * x \mapsto -$  and  $S(n) \triangleq \operatorname{flag} \mapsto 1 * x \not\mapsto$  for  $n \ge 1$ . We present a proof derivation of  $\operatorname{disp}_{\tau_1} x || \operatorname{disp}_{\tau_1} x$  in Fig. 14 (top), where we assume TID = { $\tau_1, \tau_2$ }. Note that we use the SUBV-SPLIT equivalence together with the CISL CONS rule to split the global view into thread-local ones and subsequently pass them on to respective threads via PAR.

*Example 7.2.* Let  $\operatorname{disp}_{\tau} x$  and S be as in Example 7.1, and  $C \triangleq \operatorname{disp}_{\tau_1} x$ ;  $C_3 || C'$  for an arbitrary C' and with  $C_3 \triangleq \operatorname{with}_{\tau_1} r$  do L: free(x). There is a local memory safety error at L: after executing  $\operatorname{disp}_{\tau_1} x$ , the location at x is guaranteed to be deallocated and thus the call to free(x) at L causes a memory safety error. We present a CISL proof of this error using PARER in Fig. 14 (middle).

**CISL**<sub>SV</sub> **States.** A CISL<sub>SV</sub> state is a triple  $s = (l, p, \rho)$ , where  $l \in LSTATE$  is a local state,  $p \in PERM$  is a permission and  $\rho \in RMAP$  is a shared resource map, provided that s is well-formed (defined below).

34:24



Fig. 14. Proof derivations of Example 7.1 (top) and Example 7.2 (middle), with  $P(\tau)$  as defined at the bottom

Intuitively, a local state denotes the resources owned locally by a thread and is given by a PCM. The PCM choice, (LSTATE,  $\circ_I$ , LSTATE<sup>0</sup>), can be supplied as a parameter to  $\text{CISL}_{SV}$ . For clarity, here we instantiate it with the  $\text{CISL}_{DC}$  PCM in §3: LSTATE  $\triangleq$  STATE<sub>DC</sub>,  $\circ_I \triangleq \circ_{DC}$  and LSTATE<sup>0</sup>  $\triangleq$  LSTATE<sup>0</sup>.

Permissions are used for accessing shared resources and are defined as  $PERM \triangleq (RID \times TID) \rightarrow \mathbb{N}$ . Intuitively, given a permission **p**, a shared resource **r** and a thread  $\tau$ , the **p**(**r**,  $\tau$ ) is held locally by  $\tau$  and grants it the permission to access **r** within a critical section. Moreover, when **p**(**r**,  $\tau$ ) = *n*, then *n* denotes the contribution of  $\tau$  on **r**: the number of times  $\tau$  has accessed **r**.

The set of resource maps is:  $\rho \in \text{RMAP} \triangleq \text{RID} \xrightarrow{\text{fin}} (\text{TID} \uplus \{\bot\}) \times \text{SUBV} \times \text{TMAP}$  and describes shared resources. Specifically, a resource map  $\rho$  associates a resource **r** with a triple of the form (o, S, t), where  $o \in \text{TID} \uplus \{\bot\}$  denotes the *owner*;  $S \in \text{SUBV} \triangleq \mathbb{N} \to \mathcal{P}(\text{LSTATE})$  denotes the subvariant; and  $t \in \text{TMAP}$  denotes a *thread map*. Intuitively,  $o = \tau \in \text{TID}$  denotes that **r** is currently being accessed within a critical section by  $\tau$  (and thus  $\tau$  owns the resources of **r**). Conversely,  $o = \bot$  denotes that **r** is not currently being accessed. The S denotes the resource subvariant as described above, with S(k)denoting the possible resources associated with **r** after it has been accessed k times. Lastly, the set of thread maps is  $t \in \text{TMAP} \triangleq \text{TID} \to \mathbb{N}$ . Intuitively, when t is associated with **r**,  $t(\tau)$  denotes the contribution of  $\tau$  to **r** (i.e. the number of times  $\tau$  has accessed **r**). As such, as we formalise below,  $t(\tau)$  and the permission  $\mathbf{p}(\mathbf{r}, \tau)$  held locally by  $\tau$  on **r** must agree. When accessing **r** within a critical section,  $\tau$  can then use  $\mathbf{p}(\mathbf{r}, \tau)$  to increment  $\mathbf{p}(\mathbf{r}, \tau)$  and  $t(\tau)$  in tandem, reflecting its added contribution. Given a thread map t, we write *count* (t) for  $\sum_{\tau \in dom(t)} t(\tau)$ . Given a resource **r** and resource map  $\rho$  with  $\rho(\mathbf{r}) = (-, -, t)$ , we define *count* ( $\rho$ , **r**)  $\triangleq count$  (t) and *count* ( $\rho$ , **r**,  $\tau$ )  $\triangleq t(\tau)$ .

Note that *count* ( $\rho$ , **r**) denotes the *total* number of times **r** has been accessed (by all threads). As such, when *count* ( $\rho$ , **r**) = n: 1) if  $\rho$ (**r**) = ( $\perp$ , S, -) (i.e. **r** is not being accessed), then the resources of

**r** are unclaimed and are given by S(n); and 2) if  $\rho(\mathbf{r}) = (\tau, S, -)$ , then  $\tau$  has acquired the resources of **r** (S(n)) and transferred them to its local state; upon exiting the critical section,  $\tau$  increments its contribution and releases the **r** resources, now given by S(n+1), returning them to the shared state.

A triple  $(\mathbf{l}, \mathbf{p}, \rho)$  is *well-formed* if 1) the composition of the local state  $\mathbf{l}$  and the resource of each  $\mathbf{r}$  in  $\rho$  is defined; and 2) the contribution of  $\mathbf{p}$  for each  $(\mathbf{r}, \tau)$  agrees with its counterpart in  $\rho$ . We thus define the set of CISL<sub>SV</sub> states as follows, where  $\mathcal{L} \triangleq \{S(n) \mid \exists \mathbf{r}. \rho(\mathbf{r}) = (\bot, S, t) \land count(\rho, \mathbf{r}) = n\}$ :

$$STATE_{SV} \triangleq \left\{ (\mathbf{l}, \mathbf{p}, \rho) \in LSTATE \times PERM \times RMAP \mid \{\mathbf{l}\} * \underset{L_i \in \mathcal{L}}{\bigstar} L_i \neq \emptyset \land \forall \mathbf{r}, \tau, n. \ \mathbf{p}(\mathbf{r}, \tau) = n \Rightarrow count (\rho, \mathbf{r}, \tau) = n \right\}$$

The  $CISL_{SV}$  state composition is defined component-wise as  $\circ_{SV} \triangleq (\circ_1, \uplus, \circ_=)$ , where  $\rho_1 \circ_= \rho_2 = \rho_1$  if  $\rho_1 = \rho_2$  and is otherwise undefined. The  $CISL_{SV}$  unit set is  $\{(\mathbf{l}_0, \emptyset, \rho) \mid \mathbf{l}_0 \in LSTATE^0 \land \rho \in RMAP\}$ .

**CISL**<sub>SV</sub> **Interference.** The CISL<sub>SV</sub> interference is  $I \triangleq (\text{STATE}_{\text{SV}} \times \text{STATE}_{\text{SV}}) \cap (I_a \cup I_r)^*$ , where  $(I_a \cup I_r)^*$  denotes the transitive closure of  $(I_a \cup I_r)$ , and:

$$\begin{split} I_a &\triangleq \left\{ \left( (\mathbf{l}, \mathbf{p}, \rho), (\mathbf{l}, \mathbf{p}, \rho') \right) \middle| \exists \mathbf{r}, \mathcal{S}, t, \tau, \rho(\mathbf{r}) = (\bot, \mathcal{S}, t) \land (\mathbf{r}, \tau) \notin dom(\mathbf{p}) \land \rho' = \rho[\mathbf{r} \mapsto (\tau, \mathcal{S}, t)] \right\} \\ I_r &\triangleq \left\{ \left( (\mathbf{l}, \mathbf{p}, \rho), (\mathbf{l}, \mathbf{p}, \rho') \right) \middle| \exists \mathbf{r}, \mathcal{S}, t, \tau, \rho(\mathbf{r}) = (\tau, \mathcal{S}, t) \land (\mathbf{r}, \tau) \notin dom(\mathbf{p}) \land \rho' = \rho[\mathbf{r} \mapsto (\bot, \mathcal{S}, t[\tau \mapsto t(\tau) + 1])] \right\} \end{split}$$

The  $\mathcal{I}_a$  describes how a concurrent thread  $\tau$  may modify a state  $(\mathbf{l}, \mathbf{p}, \rho)$  of the current thread to  $(\mathbf{l}, \mathbf{p}, \rho')$  when *acquiring*  $\mathbf{r}$  (entering a critical section on  $\mathbf{r}$ ). Note that  $(\mathbf{r}, \tau) \notin dom(\mathbf{p})$  ensures the current thread holds no permission on  $(\mathbf{r}, \tau)$ , i.e.  $\tau$  is a thread in the environment. Moreover,  $\tau$  does not alter the local state (l) and permission (**p**) of the current thread, and its modification is limited to the shared state  $\rho$ . Specifically,  $\tau$  acquires  $\mathbf{r}$  by first checking it is not currently being accessed (the first component of  $\rho(\mathbf{r})$  is  $\perp$ ) and subsequently changing it to reflect it is being accessed by  $\tau$ .

Dually,  $I_r$  describes how  $\tau$  may modify a CISL<sub>SV</sub> state when *releasing* **r** (exiting a critical section on **r**). As before, the changes are limited to the shared state, whereby the first component of  $\rho(\mathbf{r})$  is updated from  $\tau$  (the releasing thread) to  $\perp$ , denoting that **r** is no longer being accessed. Moreover, the thread map of **r** (*t*) is updated to increment the number of accesses on **r** by  $\tau$ .

CISL<sub>SV</sub> Stable Views. Recall that the CISL<sub>SV</sub> axioms in Fig. 13 use the stable views below:

| $\operatorname{res}_{\mathcal{S}}^{\mathbf{r}}(\tau;n) \triangleq \left\{ (\mathbf{l}_{0},\mathbf{p},\rho) \mid \mathbf{l}_{0} \in \operatorname{LSTATE}^{0} \land \exists o, t. \rho(\mathbf{r}) = (o, \mathcal{S}, t) \land o \neq \tau \land n = t(\tau) \land \mathbf{p} = [(\mathbf{r},\tau) \mapsto n] \right\}$                              |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\operatorname{res}_{\mathcal{S}}^{\mathbf{r}}(m) \triangleq \left\{ (\mathbf{l}_{0}, \mathbf{p}, \rho) \mid \mathbf{l}_{0} \in \operatorname{LSTATE}^{0} \land \exists t. \ \rho(\mathbf{r}) = (\bot, \mathcal{S}, t) \land m = count(t) \land \mathbf{p} = \biguplus_{\tau \in \operatorname{TID}} [(\mathbf{r}, \tau) \mapsto t(\tau)] \right\}$ |
| $\operatorname{cs}_{\mathcal{S}}^{\mathbf{r}}(\tau; n, m) \triangleq \left\{ (\mathbf{l}_0, \mathbf{p}, \rho) \mid \mathbf{l}_0 \in \operatorname{LSTATE}^0 \land \exists t. \ \rho(\mathbf{r}) = (\tau, \mathcal{S}, t) \land n = t(\tau) \land \mathbf{p} = [(\mathbf{r}, \tau) \mapsto n] \land m = count(t) \right\}$                           |
| $\widetilde{\mathrm{cs}}_{\mathcal{S}}^{\mathbf{r}}(\tau,m) \triangleq \left\{ (\mathbf{l}_{0},\mathbf{p},\rho) \mid \mathbf{l}_{0} \in \mathrm{LSTATE}^{0} \land \exists t. \ \rho(\mathbf{r}) = (\tau,\mathcal{S},t) \land m = count \ (t) \land \mathbf{p} = \biguplus_{\tau \in \mathrm{TID}} [(\mathbf{r},\tau) \mapsto t(\tau)] \right\}$     |

The res<sup>r</sup><sub>S</sub>( $\tau$ : *n*) describes the resources necessary for  $\tau$  to acquire **r** (as in the precondition of SV-Acq): no local resources are needed (**l**<sub>0</sub>),  $\tau$  has not already acquired **r** ( $o \neq \tau$ ) and the current state holds the permission for  $\tau$  to access **r** with matching contributions ( $n = t(\tau) \land \mathbf{p} = [(\mathbf{r}, \tau) \mapsto n]$ ). Note that res<sup>r</sup><sub>S</sub>( $\tau$ : *n*) does not require  $o = \bot$  and thus allows for the possibility that another thread  $\tau' \neq \tau$  may be currently accessing **r** (i.e. allows for  $o = \tau'$ ). Were we to stipulate  $o = \bot$ , then res<sup>r</sup><sub>S</sub>( $\tau$ : *n*) would no longer be stable, as another thread  $\tau'$  could release **r** and change *o* from  $\tau'$  to  $\bot$  as per  $I_r$ .

Analogously,  $\operatorname{res}_{S}^{\mathbf{r}}(\tau; n)$  only reflects the contribution of  $\tau$ , and not that of other threads (as this could change as per  $I_r$ ). Once  $\tau$  acquires  $\mathbf{r}$ , it changes  $\operatorname{res}_{S}^{\mathbf{r}}(\tau; n)$  for  $\operatorname{cs}_{S}^{\mathbf{r}}(\tau; n, m)$  by updating o to  $\tau$ , where  $m \geq n$  is the total contribution on  $\mathbf{r}$ . As such, once  $\tau$  acquires  $\mathbf{r}$ , threads can no longer access  $\mathbf{r}$  and thus its total contribution remains unchanged and can be *stably* reflected in  $\operatorname{cs}_{S}^{\mathbf{r}}(\tau; n, m)$ .

Recall that  $\operatorname{res}_{S}^{r}(\tau; n)$  denotes a  $\tau$ -local view, while  $\operatorname{res}_{S}^{r}(n)$  denotes a global view. As such, the current state in  $\operatorname{res}_{S}^{r}(n)$  must hold the permissions of all threads  $(\mathbf{p} = \bigcup_{\tau \in \text{TID}} [(\mathbf{r}, \tau) \mapsto t(\tau)])$ . Moreover, since the current state holds all thread permissions, the environment cannot interfere and thus we can stably 1) stipulate that  $\mathbf{r}$  not be currently accessed  $(o = \bot)$ ; and 2) reflect the total contribution of all threads (m = count(t)). The  $\operatorname{cs}_{S}^{r}(\tau, m)$  is defined analogously to  $\operatorname{cs}_{S}^{r}(\tau; n, m)$ .

The remaining  $\text{CISL}_{SV}$  axioms (e.g. for free(x)) are as in Fig. 4, provided that we lift  $\text{CISL}_{DC}$  views to  $\text{CISL}_{SV}$ . Specifically, in  $\text{CISL}_{SV}$  we write emp and  $x \stackrel{\pi}{\mapsto} v$  for the stable views  $\{(\emptyset, \emptyset, -)\}$  and  $\{([x \mapsto (v, \pi)], \emptyset, -)\}$ , respectively. We then write  $x \mapsto v$  for  $x \stackrel{1}{\mapsto} v$ , and so forth.

 $CISL_{SV}$  Soundness. We define the remaining  $CISL_{SV}$  parameters (Parameters 5 to 7) in the technical appendix [Raad et al. 2022], proving that  $CISL_{SV}$  atomic instructions are sound (Par. 8).

## 8 CONCLUSIONS AND RELATED WORK

This work builds on CSL (concurrent separation logic) [O'Hearn 2004], IL (incorrectness logic) [O'Hearn 2019], and ISL (incorrectness separation logic) [Raad et al. 2020].

CSL spawned a wealth of prior research; see the survey article of Brookes and O'Hearn [2016] for an account of work in the area up to 2016. All of this prior work has focussed on over-approximation, used for proving the absence of violations of safety properties. The impact of this work has remained, however, largely academic. In contrast, the two under-approximate static analyses [Blackshear et al. 2018; Brotherston et al. 2021]—both intuitively (but not formally) related to separation logic—have already had a great deal of real-world impact beyond the academic subject area. These analyses share some of the pre-formal intuitions with CSL: both systems are based on compositional and thread-modular reasoning—the under-approximate analyses just use such modular reasoning to *find* bugs rather than exclude them. This commonality is unsurprising, given that—as O'Hearn [2018] explains—CSL-based ideas were in fact the genesis of RacerD, even if formally the connection was tenuous. In this paper, we bring these threads back together, by showing that the two analyses can in fact be understood in terms of a concurrent separation logic, but an under-approximate one, CISL, rather than the original CSL or one of its other successors.

IL and ISL are very young. The ISL paper [Raad et al. 2020] makes a partial but not full connection to an in-production static analyser, Pulse. The present paper makes a fuller connection to different analyses which have already proven effective in practice, and which also rely crucially on the compositional nature of reasoning as formalised in IL and CISL. This new account of recent, novel analysers adds significantly to the known ability of IL to describe legacy testing and symbolic execution reasoning techniques.

There is a body of work on static concurrency analysis which often is thread-modular (but not always compositional), exemplified by such papers as [Gotsman et al. 2007; Berdine et al. 2008; Li et al. 2019]. Noteworthy advances have been made on automated reasoning about concurrent programs in these works and, even if the technical expression of the ideas has tended to use over-approximation, it makes sense to consider in these and many other cases whether under-approximate variants would be possible or useful.

There is a fairly well-developed tradition of dynamic analysis techniques for concurrency, some of which has crossed over to have industrial impact. Prominent examples include probabilistic concurrency testing [Burckhardt et al. 2010], context-bounded model checking [Qadeer and Rehof 2005], and dynamic race detection as exemplified by Google's Thread Sanitizer [Serebryany and Iskhodzhanov 2009]. It is not yet clear whether CISL has anything to offer these techniques directly, but their insights might be transferred to static under-approximate concurrency analysis, and merging with CISL could conceivably open doors to more compositional and scalable techniques which are fast enough for deployment in code review on pull requests.

Finally, in addition to CSL, the Owicki-Gries [Owicki and Gries 1976] and Rely-Guarantee [Jones 1983] proof methods produced fundamental insights into reasoning about safety properties for concurrency, which were particularly well-suited to programs with more interference and less resource separation. We wonder whether under-approximate variants of these theories exist with

similarly compelling intuitive bases, and whether such under-approximation might open yet further avenues for automated analyses of concurrent programs.

# ACKNOWLEDGMENTS

We thank the POPL 2022 reviewers and Viktor Vafeiadis for their valuable feedback. This research was supported in part by a UKRI Future Leaders Fellowship [grant number MR/V024299/1] and a European Research Council (ERC) Consolidator Grant for the project "RustBelt", funded under the European Union's Horizon 2020 Framework Programme (grant agreement no. 683289).

# REFERENCES

- Josh Berdine, Tal Lev-Ami, Roman Manevich, G. Ramalingam, and Shmuel Sagiv. 2008. Thread Quantification for Concurrent Shape Analysis. In Computer Aided Verification, 20th International Conference, CAV 2008, Princeton, NJ, USA, July 7-14, 2008, Proceedings (Lecture Notes in Computer Science, Vol. 5123), Aarti Gupta and Sharad Malik (Eds.). Springer, 399–413. https://doi.org/10.1007/978-3-540-70545-1\_37
- Sam Blackshear, Nikos Gorogiannis, Peter W. O'Hearn, and Ilya Sergey. 2018. RacerD: Compositional Static Race Detection. *Proc. ACM Program. Lang.* 2, OOPSLA, Article 144 (Oct. 2018), 28 pages. https://doi.org/10.1145/3276514
- Stephen Brookes and Peter W. O'Hearn. 2016. Concurrent separation logic. SIGLOG News 3, 3 (2016), 47–65. https://dl.acm.org/citation.cfm?id=2984457
- James Brotherston, Paul Brunet, Nikos Gorogiannis, and Max Kanovich. 2021. A Compositional Deadlock Detector for Android Java. In *Proceedings of ASE-36*. ACM. http://www0.cs.ucl.ac.uk/staff/J.Brotherston/ASE21/deadlocks.pdf
- Sebastian Burckhardt, Pravesh Kothari, Madanlal Musuvathi, and Santosh Nagarakatte. 2010. A randomized scheduler with probabilistic guarantees of finding bugs. In Proceedings of the 15th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2010, Pittsburgh, Pennsylvania, USA, March 13-17, 2010, James C. Hoe and Vikram S. Adve (Eds.). ACM, 167–178. https://doi.org/10.1145/1736020.1736040
- Thomas Dinsdale-Young, Lars Birkedal, Philippa Gardner, Matthew Parkinson, and Hongseok Yang. 2013. Views: Compositional Reasoning for Concurrent Programs. In *Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages* (Rome, Italy) (*POPL '13*). ACM, New York, NY, USA, 287–300. https: //doi.org/10.1145/2429069.2429104
- Thomas Dinsdale-Young, Mike Dodds, Philippa Gardner, Matthew J. Parkinson, and Viktor Vafeiadis. 2010. Concurrent Abstract Predicates. In *ECOOP 2010 – Object-Oriented Programming*, Theo D'Hondt (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 504–528.
- Dino Distefano, Manuel Fähndrich, Francesco Logozzo, and Peter W. O'Hearn. 2019. Scaling static analyses at Facebook. *Commun. ACM* 62, 8 (2019), 62–70. https://doi.org/10.1145/3338112
- Nikos Gorogiannis, Peter W. O'Hearn, and Ilya Sergey. 2019. A True Positives Theorem for a Static Race Detector. *Proc. ACM Program. Lang.* 3, POPL, Article 57 (Jan. 2019), 29 pages. https://doi.org/10.1145/3290370
- Alexey Gotsman, Josh Berdine, Byron Cook, and Mooly Sagiv. 2007. Thread-Modular Shape Analysis. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (San Diego, California, USA) (PLDI '07). Association for Computing Machinery, New York, NY, USA, 266–277. https://doi.org/10.1145/1250734.1250765
- C. B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Trans. Program. Lang. Syst. 5, 4 (Oct. 1983), 596–619. https://doi.org/10.1145/69575.69577
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Mumbai, India) (POPL '15). Association for Computing Machinery, New York, NY, USA, 637–650. https://doi.org/10.1145/2676726.2676980
- Yanze Li, Bozhen Liu, and Jeff Huang. 2019. SWORD: a scalable whole program race detector for Java. In Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings, ICSE 2019, Montreal, QC, Canada, May 25-31, 2019, Joanne M. Atlee, Tevfik Bultan, and Jon Whittle (Eds.). IEEE / ACM, 75–78. https://doi.org/10.1109/ICSE-Companion.2019.00042
- Aleksandar Nanevski, Ruy Ley-Wild, Ilya Sergey, and Germán Andrés Delbianco. 2014. Communicating State Transition Systems for Fine-Grained Concurrent Resources. In *Programming Languages and Systems*, Zhong Shao (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 290–310.
- Peter W. O'Hearn. 2004. Resources, Concurrency and Local Reasoning. In *CONCUR 2004 Concurrency Theory*, Philippa Gardner and Nobuko Yoshida (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 49–67.
- Peter W. O'Hearn. 2018. Experience Developing and Deploying Concurrency Analysis at Facebook. In *Static Analysis*, Andreas Podelski (Ed.). Springer International Publishing, Cham, 56–70.

Proc. ACM Program. Lang., Vol. 6, No. POPL, Article 34. Publication date: January 2022.

- Peter W. O'Hearn. 2019. Incorrectness Logic. Proc. ACM Program. Lang. 4, POPL, Article 10 (Dec. 2019), 32 pages. http://doi.acm.org/10.1145/3371078
- Peter W. O'Hearn, John C. Reynolds, and Hongseok Yang. 2001. Local Reasoning about Programs that Alter Data Structures. In Computer Science Logic, 15th International Workshop, CSL 2001. 10th Annual Conference of the EACSL, Paris, France, September 10-13, 2001, Proceedings. 1–19. https://doi.org/10.1007/3-540-44802-0\_1
- Susan Owicki and David Gries. 1976. An axiomatic proof technique for parallel programs I. *Acta Informatica* 6, 4 (01 Dec 1976), 319–340. https://doi.org/10.1007/BF00268134
- Matthew Parkinson. 2010. The Next 700 Separation Logics. In Verified Software: Theories, Tools, Experiments, Gary T. Leavens, Peter O'Hearn, and Sriram K. Rajamani (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 169–182.
- Shaz Qadeer and Jakob Rehof. 2005. Context-Bounded Model Checking of Concurrent Software. In Tools and Algorithms for the Construction and Analysis of Systems, 11th International Conference, TACAS 2005, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2005, Edinburgh, UK, April 4-8, 2005, Proceedings (Lecture Notes in Computer Science, Vol. 3440), Nicolas Halbwachs and Lenore D. Zuck (Eds.). Springer, 93–107. https://doi.org/10.1007/978-3-540-31980-1\_7
- Azalea Raad, Josh Berdine, Hoang-Hai Dang, Derek Dreyer, Peter O'Hearn, and Jules Villard. 2020. Local Reasoning About the Presence of Bugs: Incorrectness Separation Logic. In *Computer Aided Verification*, Shuvendu K. Lahiri and Chao Wang (Eds.). Springer International Publishing, Cham, 225–252.
- Azalea Raad, Josh Berdine, Derek Dreyer, and Peter O'Hearn. 2022. Technical Appendix. https://www.soundandcomplete. org/papers/POPL2022/CISL/appendix.pdf
- Azalea Raad, Jules Villard, and Philippa Gardner. 2015. CoLoSL: Concurrent Local Subjective Logic. In Programming Languages and Systems, Jan Vitek (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 710–735.
- Caitlin Sadowski, Edward Aftandilian, Alex Eagle, Liam Miller-Cushon, and Ciera Jaspan. 2018. Lessons from Building Static Analysis Tools at Google. *Commun. ACM* 61, 4 (March 2018), 58–66. https://doi.org/10.1145/3188720
- Konstantin Serebryany and Timur Iskhodzhanov. 2009. ThreadSanitizer: data race detection in practice. In Proceedings of the Workshop on Binary Instrumentation and Applications. 62–71.
- Viktor Vafeiadis and Matthew Parkinson. 2007. A Marriage of Rely/Guarantee and Separation Logic. In CONCUR 2007 Concurrency Theory, Luís Caires and Vasco T. Vasconcelos (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 256–271.