Owicki–Gries Logic for Timestamp Semantics

Tatsuya Abe¹¹1STAIR Lab, Chiba Institute of Technology, 2-17-1 Tsudanuma, Narashino, Chiba, 275-0016, Japan. abet@stair.center

(May 25, 2025)

Abstract

Whereas an extension with non-interference of Hoare logic for sequential programs Owicki–Gries logic ensures the correctness of concurrent programs on strict consistency, it is unsound to weak memory models adopted by modern computer architectures and specifications of programming languages. This paper proposes a novel non-interference notion and provides concurrent program logic sound to timestamp semantics corresponding to a weak memory model that allows delays in the effects of store instructions. This paper reports three theoretically interesting techniques for modifying non-interference to support delays in the effects of store instructions. The techniques contribute to a better understanding of constructing concurrent program logic.

Keywords: program logic, weak memory model, non-interference, timestamp, vector clock, auxiliary variable

1 Introduction

Modern computer architectures have multiple cores. Because using multiple cores is significant in computational performance, we cannot ignore weak memory models. On a weak memory model, delays in the effects of store instructions are allowed. For example, let us consider the example program called Store Buffering:

⬇

x := 1

r0 := y // 0

⬇

y := 1

r1 := x // 0

where $x$ and $y$ are shared variables and $r_{0}$ and $r_{1}$ are thread-local variables.

On the strongest memory model called strict consistency, $r_{0}=0\wedge r_{1}=0$ does not hold finally. If $r_{0}=0$ holds, $r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}y$ is executed earlier than $y\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1$ . It implies that $x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1$ is executed earlier than $r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ and therefore $r_{1}=1$ holds, and vice versa. On a weak memory model that allows delays in the effects of store instructions, $r_{0}=0\wedge r_{1}=0$ is allowed.

Because the example program has just six execution traces on strict consistency, the so-called exhaustive search enables us to confirm that $r_{0}=0\wedge r_{1}=0$ does not finally hold. Even if we cannot assume strict consistency, model checking with weak memory models is still a promising verification method (e.g., [1, 10]). However, we would like to focus on program logic sound to weak memory models in this paper.

Owicki–Gries logic is well-known to be sound to the standard state semantics based on strict consistency [15]. The logic is an extension for concurrent programs of Hoare logic for sequential programs [7]. Owicki and Gries invented the notion of non-interference to repair the unsoundness of the parallel composition rule without any side condition. They also invented the notion of auxiliary variables to enhance the provability of their logic.

Because Owicki–Gries logic fits strict consistency, it is too strong to be sound to weak memory models. In this paper, we modify the non-interference and propose program logic sound to a weak memory model that allows delays in the effects of store instructions.

In this paper, we adopt timestamp semantics as a weak memory model. Timestamp semantics are obtained by extending messages on memory to messages with timestamps and letting threads have the so-called vector clock, which has one clock at each shared variable [12, 14]. It is known that it expresses delays in the effects of store instructions. For example, because the store instructions that occur in Store Buffering send the messages $x=1$ and $y=1$ with timestamp $1$ to the memory as follows:

⬇

x := 1 // <<x,1>,1>

r0 := y // <<y,0>,0>

⬇

y := 1 // <<y,1>,1>

r1 := x // <<x,0>,0>

the load instructions read the messages $x=0$ and $y=0$ with timestamp $0$ . Therefore, $r_{0}=0\wedge r_{1}=0$ is allowed to finally hold. On the other hand, in a similar example program called Coherence:

⬇

x := 1 // <<x,1>,1>

r0 := x // <<x,2>,2>

⬇

x := 2 // <<x,2>,2>

r1 := x // <<x,2>,2>

$r_{0}=2\wedge r_{1}=1$ is not allowed to finally hold because the memory requires a total order of messages with timestamps for the same shared variable.

In this paper, we modify the non-interference in Owicki–Gries logic and construct concurrent program logic sound to timestamp semantics. The key idea is to formalize different observations of shared variables by threads. Also, this study provides three theoretically interesting techniques clarified by the novel non-interference. The author believes that broadly sharing the techniques contributes to a better understanding of constructing logic. The techniques are explained in detail in Section 4 and clearly described in Section 6 that concludes the paper.

2 Owicki–Gries Logic

We introduce notation for describing the standard state semantics for concurrent programs and remember Owicki–Gries logic, which is sound to the semantics.

Expression $E$ and sequential program $s$ are defined as follows:

\displaystyle E

\displaystyle\Coloneqq n\mid v\mid E+E\mid E-E\mid\ldots

\displaystyle s

\displaystyle\Coloneqq\texttt{skip}\mid v\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E\mid s;s\enspace.

where $n$ and $v$ denote a numeral and a variable, respectively. Expressions denoting arithmetic operations are appropriately defined.

In this paper, we do not adopt the so-called fork-join paradigm for parallel executions but fix the number of threads to $N$ . A concurrent program is denoted by

s_{0}\parallel\cdots\parallel s_{i}\parallel\cdots\parallel s_{N-1}\enspace.

We also omit conditional and loop statements for the simplicity of the presentation.

State $M$ is a function from variables to numerals in a standard manner. Configurations consist of pairs $\mathord{\langle s,M\rangle}$ of programs and states. We define operational semantics as follows:

$\dfrac{}{\mathord{\langle v\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E,M\rangle}\to\mathord{\langle\texttt{skip},M[v\mapsto[\![E]\!]_{M}]\rangle}}$	$\dfrac{\mathord{\langle s_{0},M\rangle}\to\mathord{\langle\texttt{skip},M^{\prime}\rangle}}{\mathord{\langle s_{0};s_{1},M\rangle}\to\mathord{\langle s_{1},M^{\prime}\rangle}}$
$\dfrac{\mathord{\langle s_{0},M\rangle}\to\mathord{\langle s^{\prime}_{0},M^{\prime}\rangle}}{\mathord{\langle s_{0};s_{1},M\rangle}\to\mathord{\langle s^{\prime}_{0};s_{1},M^{\prime}\rangle}}$	$\dfrac{\mathord{\langle s_{i},M\rangle}\to\mathord{\langle s^{\prime}_{i},M^{\prime}\rangle}}{\genfrac{}{}{0.0pt}{0}{\mathord{\langle s_{0}\parallel\cdots\parallel s_{i}\parallel\cdots\parallel s_{N-1},M\rangle}\quad\;\;}{\to\mathord{\langle s_{0}\parallel\cdots\parallel s^{\prime}_{i}\parallel\cdots\parallel s_{N-1},M^{\prime}\rangle}}}$

where $[\![E]\!]_{M}$ means the interpretation $E$ by $M$ that is defined as follows:

\displaystyle[\![n]\!]_{M}

\displaystyle=n

\displaystyle[\![v]\!]_{M}

\displaystyle=M(v)

\displaystyle[\![E+E^{\prime}]\!]_{M}

\displaystyle=[\![E]\!]_{M}+[\![E^{\prime}]\!]_{M}\enspace\ldots

and the update function $M[v\mapsto n](v^{\prime})$ is defined as follows:

M[v\mapsto n](v^{\prime})=\begin{cases}n&\mbox{if }v^{\prime}=v\\ M(v^{\prime})&\mbox{otherwise.}\end{cases}

To describe properties that concurrent programs enjoy, we define an assertion language as follows:

\displaystyle\varphi

\displaystyle\Coloneqq E=E\mid E\leq E\mid\mathop{\neg}{\varphi}\mid\varphi\wedge\varphi\enspace.

We use abbreviations $\top$ , $\varphi\vee\psi$ , and $\varphi\supset\psi$ in the standard manner.

We interpret $\varphi$ by $M$ as follows:

	$\displaystyle M\vDash E=E^{\prime}$	$\displaystyle\Longleftrightarrow[\![E]\!]_{M}=[\![E^{\prime}]\!]_{M}$	$\displaystyle M\vDash E\leq E^{\prime}$	$\displaystyle\Longleftrightarrow[\![E]\!]_{M}\leq[\![E^{\prime}]\!]_{M}$
	$\displaystyle M\vDash\mathop{\neg}{\varphi}$	$\displaystyle\Longleftrightarrow M\not\vDash\varphi$	$\displaystyle M\vDash\varphi\wedge\psi$	$\displaystyle\Longleftrightarrow M\vDash\varphi\mbox{ and }M\vDash\psi\enspace.$

Owicki and Gries provided logic that is sound to the state semantics [15]. Owicki–Gries logic consists of the so-called Hoare triples. A triple $\varphi\>\{\mathord{s}\}\>\psi$ means that an execution of the program $s$ under the pre-condition $\varphi$ implies that the post-condition $\psi$ holds.

The following is a subset of their inference rules:

\dfrac{}{\varphi\>\{\mathord{\texttt{skip}}\}\>\varphi}

\dfrac{}{[E/v]\varphi\>\{\mathord{v\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E}\}\>\varphi}

\dfrac{\vDash\varphi^{\prime}\supset\varphi\qquad\varphi\>\{\mathord{s}\}\>\psi\qquad\vDash\psi\supset\psi^{\prime}}{\varphi^{\prime}\>\{\mathord{s}\}\>\psi^{\prime}}

\dfrac{\varphi\>\{\mathord{s}\}\>\psi\qquad\psi\>\{\mathord{s^{\prime}}\}\>\chi}{\varphi\>\{\mathord{s;s^{\prime}}\}\>\chi}

\dfrac{\genfrac{}{}{0.0pt}{0}{\varDelta_{i}}{\varphi_{i}\>\{\mathord{s_{i}}\}\>\psi_{i}}\qquad\genfrac{}{}{0.0pt}{0}{}{\mbox{$\varDelta_{i}$s are non-interference}}}{\varphi_{0}\wedge\cdots\wedge\varphi_{N-1}\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi_{0}\wedge\cdots\wedge\psi_{N-1}}\enspace.

Formula $[E/v]\varphi$ in the assignment axiom denotes the formula obtained by replacing $v$ that occurs in $\varphi$ by $E$ . Symbol $\vDash$ occurring in the third inference rule denotes the standard satisfaction relation as seen in the first-order predicate logic. If there exists a derivation tree of the root $\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ , we write $\vdash\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ .

Owicki and Gries defined that $\varDelta_{1}$ does not interfere with $\varDelta_{0}$ if $\vdash\varphi_{1}\wedge\varphi_{0}\>\{\mathord{v_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}}\}\>\varphi_{0}$ and $\vdash\varphi_{1}\wedge\psi_{0}\>\{\mathord{v_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}}\}\>\psi_{0}$ hold for any $\varphi_{0}\>\{\mathord{v_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{0}}\}\>\psi_{0}$ in $\varDelta_{0}$ and $\varphi_{1}\>\{\mathord{v_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}}\}\>\_$ in $\varDelta_{1}$ . In this paper, we write $\varphi_{1}\>\{v_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}\}\Vdash\varphi_{0}$ for $\vdash\varphi_{1}\wedge\varphi_{0}\>\{\mathord{v_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}}\}\>\varphi_{0}$ , for short, and call that $\varphi_{0}$ is stable under $\varphi_{1}\>\{v_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}E_{1}\}\Vdash\_$ . We call $\varDelta_{i}$ s $(0\leq i<N)$ non-interference if $\varDelta_{i_{0}}$ does not interfere with $\varDelta_{i_{1}}$ for any $i_{0}\neq i_{1}$ .

Figure 1: Parallel compositionality by non-interference.

In a standard manner, we define $\vDash\varphi\>\{\mathord{s}\}\>\psi$ if $M\vDash\varphi$ and $\mathord{\langle s,M\rangle}\to\mathord{\langle\texttt{skip},M^{\prime}\rangle}$ implies $M^{\prime}\vDash\psi$ for any $M$ and $M^{\prime}$ . Similarly, we define $\vDash\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ . The logic is sound to the state semantics, as shown in Figure 1.

Let us see an example derivation. In this paper, we assume that initial values of variables are $0$ . Figure 2 shows a derivation of Coherence for ensuring the property $\mathop{\neg}{(r_{0}=2\wedge r_{1}=1)}$ . In this paper, we write $x$ and $y$ for shared variables and write $r$ for a thread-local variable.

⬇

x := 1

r0 := x

⬇

x := 2

r1 := x

\begin{array}[]{c}\smash{\top}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{\top}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}}\rule{0.0pt}{8.6111pt}\\ \smash{r_{0}\leq x}\rule{0.0pt}{8.6111pt}\end{array}

\begin{array}[]{c}\smash{\top}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}}\rule{0.0pt}{8.6111pt}\\ \smash{1\leq x}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}}\rule{0.0pt}{8.6111pt}\\ \smash{1\leq r_{1}\wedge x\leq r_{1}}\rule{0.0pt}{8.6111pt}\end{array}

invariant: $(x=0\vee x=1\vee x=2)\wedge(r_{0}=0\vee r_{0}=1\vee r_{0}=2)\wedge(r_{1}=0\vee r_{1}=1\vee r_{1}=2)$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash\top$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash r_{0}\leq x$

$1\leq x\>\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash\top$

$1\leq x\>\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash r_{0}\leq x$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash\top$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash 1\leq x$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash 1\leq r_{1}\wedge x\leq r_{1}$

$\top\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash\top$

$\top\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash 1\leq x$

$\top\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash 1\leq r_{1}\wedge x\leq r_{1}$

Figure 2: Derivation of Coherence on non-interference.

Notably, the shared variable $x$ acts as an intermediary between $r_{0}$ and $r_{1}$ and ensures finally $r_{0}\leq r_{1}$ as shown in the derivation. Such variables often enable us to describe assertions.

We checked all the derivations described in this paper by the Boogie program verifier [4].

The provability of the logic still needs to be improved. Figure 3 shows the concurrent program $x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1\parallel x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+2$ and a derivation for ensuring that $x=3$ finally holds. A reason that we can construct the derivation is that the assertions have sufficient information about the execution traces of the program. Specifically, the value of $x$ tells us how far the program is executed.

⬇

x := x + 1

⬇

x := x + 2

\begin{array}[]{c}\smash{x=0\vee x=2}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1\}}\rule{0.0pt}{8.6111pt}\\ \smash{x=1\vee x=3}\rule{0.0pt}{8.6111pt}\end{array}

\begin{array}[]{c}\smash{x=0\vee x=1}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+2\}}\rule{0.0pt}{8.6111pt}\\ \smash{x=2\vee x=3}\rule{0.0pt}{8.6111pt}\end{array}

invariant: $x=0\vee x=1\vee x=2\vee x=3$

$x=0\vee x=1\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+2\}\Vdash x=0\vee x=2$

$x=0\vee x=1\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+2\}\Vdash x=1\vee x=3$

$x=0\vee x=2\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1\}\Vdash x=0\vee x=1$

$x=0\vee x=2\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1\}\Vdash x=2\vee x=3$

Figure 3: Derivation of One-Two on non-interference.

On the other hand, the value of $x$ in the parallel composition $x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1\parallel x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1$ does not tell us. Therefore, we cannot add appropriate assertions that do not interfere with each other to the as-is program.

⬇

atomic {

x := x + 1

a0 := 1

}

⬇

atomic {

x := x + 1

a1 := 1

}

\begin{array}[]{c}\smash{a_{i}=0\wedge(a_{1-i}=0\supset x=0)\wedge(a_{1-i}=1\supset x=1)}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1;a_{i}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{a_{i}=1\wedge(a_{1-i}=0\supset x=1)\wedge(a_{1-i}=1\supset x=2)}\rule{0.0pt}{8.6111pt}\end{array}

invariant: $(x=0\vee x=1\vee x=2)\wedge(a_{0}=0\vee a_{0}=1)\wedge(a_{1}=0\vee a_{1}=1)$

$a_{1-i}=0\wedge(a_{i}=0\supset x=0)\wedge(a_{i}=1\supset x=1)\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1;a_{1-i}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash a_{i}=0\wedge(a_{1-i}=0\supset x=0)\wedge(a_{1-i}=1\supset x=1)$

$a_{1-i}=0\wedge(a_{i}=0\supset x=0)\wedge(a_{i}=1\supset x=1)\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x+1;a_{1-i}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash a_{i}=1\wedge(a_{1-i}=0\supset x=1)\wedge(a_{1-i}=1\supset x=2)$

Figure 4: Derivation of One-One on non-interference.

Owicki and Gries invented auxiliary variables, which are write-only in programs, atomically updated with existing assignments, described in assertions, and removed from programs later. Figure 4 shows a derivation for ensuring that $x=2$ finally holds. The auxiliary variables $a_{0}$ and $a_{1}$ enable us to describe the assertions.

Theorem 1 ([15]).

$\vdash\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ implies $\vDash\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ .

Figure 5 shows a derivation of Store Buffering with auxiliary variables.

⬇

x := 1

atomic {

r0 := y

a0 := 1

}

⬇

y := 1

atomic {

r1 := x

a1 := 1

}

\begin{array}[]{c}\smash{\top}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{x=1}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}y,a_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{a_{0}=1}\rule{0.0pt}{8.6111pt}\end{array}

\begin{array}[]{c}\smash{(x=0\wedge a_{0}=0)\vee x=1}\rule{0.0pt}{8.6111pt}\\ \smash{\{y\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x,a_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{y=1\wedge(a_{0}\leq r_{0}\vee r_{1}=1)}\rule{0.0pt}{8.6111pt}\end{array}

invariant: $(x=0\vee x=1)\wedge(y=0\vee y=1)\wedge(r_{0}=0\vee r_{0}=1)\wedge(r_{1}=0\vee r_{1}=1)$

$(x=0\wedge a_{0}=0)\vee x=1\>\{y\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash\top$

$(x=0\wedge a_{0}=0)\vee x=1\>\{y\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash x=1$

$(x=0\wedge a_{0}=0)\vee x=1\>\{y\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash a_{0}=1$

$y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)\>\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x,a_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash\top$

$y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)\>\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x,a_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash x=1$

$y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)\>\{r_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x,a_{1}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash a_{0}=1$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash(x=0\wedge a_{0}=0)\vee x=1$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)$

$\top\>\{x\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash y=1\wedge(a_{0}\leq r_{0}\vee r_{1}=1)$

$x=1\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}y,a_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash(x=0\wedge a_{0}=0)\vee x=1$

$x=1\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}y,a_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash y=1\wedge((x=0\wedge a_{0}=0)\vee x=1)$

$x=1\>\{r_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}y,a_{0}\stackrel{{\scriptstyle\smash{}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash y=1\wedge(a_{0}\leq r_{0}\vee r_{1}=1)$

Figure 5: Derivation of Store Buffering on non-interference.

3 Timestamp Semantics

We formally define timestamp semantics.

In the following, we formally distinguish thread-local variables $r$ from shared variables $x$ . We also divide assignments into three kinds, thread-local, load, and store instructions as follows:

\displaystyle e

\displaystyle\Coloneqq n\mid r\mid e+e\mid\ldots

\displaystyle c

\displaystyle\Coloneqq r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e\mid r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\mid x\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e

\displaystyle s

\displaystyle\Coloneqq\texttt{skip}\mid c\mid s;s

and each assignment has a thread identifier denoting the thread that executes the assignment. A sequentially compound statement contains a unique thread identifier.

On timestamp semantics, thread-local states $S$ are separated from the shared memory $M$ . Thread-local state $S$ is a function from thread-local variables to numerals. We define the interpretations of expressions by $S$ as follows:

\displaystyle[\![n]\!]_{S}

\displaystyle=n

\displaystyle[\![r]\!]_{S}

\displaystyle=S(r)

\displaystyle[\![e+e^{\prime}]\!]_{S}

\displaystyle=[\![e]\!]_{S}+[\![e^{\prime}]\!]_{S}\enspace\ldots\enspace.

\dfrac{}{\mathord{\langle\mathord{\langle r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e,S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle\texttt{skip},S[r\mapsto[\![e]\!]_{S}],T\rangle},M\rangle}}

\dfrac{M(\mathord{\langle x,t\rangle})=n\qquad T(x)\leq t}{\mathord{\langle\mathord{\langle r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x,S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle\texttt{skip},S[r\mapsto n],T[x\mapsto t]\rangle},M\rangle}}

\dfrac{T(x)<t}{\mathord{\langle\mathord{\langle x\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e,S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle\texttt{skip},S,T[x\mapsto t]\rangle},M\sqcup\{\mathord{\langle\mathord{\langle x,t\rangle},[\![e]\!]_{S}\rangle}\}\rangle}}

\dfrac{\mathord{\langle\mathord{\langle s_{0},S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle\texttt{skip},S^{\prime},T^{\prime}\rangle},M^{\prime}\rangle}}{\mathord{\langle\mathord{\langle s_{0};s_{1},S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle s_{1},S^{\prime},T^{\prime}\rangle},M^{\prime}\rangle}}

\dfrac{\mathord{\langle\mathord{\langle s_{0},S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle s^{\prime}_{0},S^{\prime},T^{\prime}\rangle},M^{\prime}\rangle}}{\mathord{\langle\mathord{\langle s_{0};s_{1},S,T\rangle},M\rangle}\to\mathord{\langle\mathord{\langle s^{\prime}_{0};s_{1},S^{\prime},T^{\prime}\rangle},M^{\prime}\rangle}}

\dfrac{\mathord{\langle\mathfrak{C}(i),M\rangle}\to\mathord{\langle C^{\prime},M^{\prime}\rangle}}{\mathord{\langle\mathfrak{C},M\rangle}\to\mathord{\langle\mathfrak{C}[i\mapsto C^{\prime}],M^{\prime}\rangle}}

Figure 6: Timestamp semantics.

The shared memory possesses messages with timestamps $\mathord{\langle\mathord{\langle x,t\rangle},n\rangle}$ , differently from physical memories that we know. In this paper, timestamps are rationals, i.e., elements of $\mathbb{Q}$ . It is known that a set of timestamps should be dense (e.g. [9]). The shared memory $M$ is a function from pairs of shared variables and timestamps to numerals. Notably, $M$ is a function; a shared memory cannot possess multiple messages for the same shared variable and the same timestamp.

Each thread has a vector clock [12, 14]. A vector clock takes a shared variable and returns a timestamp. Differences between vector clocks that threads have express observations of shared variables by threads.

Thread-local configurations $C$ consist of triples $\mathord{\langle s,S,T\rangle}$ of programs, thread-local states, and vector clocks. Thread-local configurations with memory consist of pairs $\mathord{\langle C,M\rangle}$ of thread-local configurations $C$ and memories. Global Configurations consist of pairs $\mathord{\langle\mathfrak{C},M\rangle}$ of thread-local configurations $\mathfrak{C}$ and memories $M$ where $\mathfrak{C}$ takes a thread identifier $i$ and returns a configuration $C$ . Operational semantics are as shown in Figure 6.

No explanation for thread-local assignments is needed. An assignment of a load instruction takes any message in the memory whose timestamp is equal to or larger than the timestamp that the vector clock indicates. Furthermore, it updates the vector clock. An assignment of a store instruction sends a message whose timestamp is strictly larger than the timestamp that the vector clock indicates, and updates the vector clock. Timestamp semantics express a modern memory model on which effects of store instructions may be delayed (e.g. [9]).

4 Observation-Based Logic

In this section, we provide concurrent program logic for timestamp semantics.

4.1 Formal system

We introduce observation variable $x^{i}$ , which denotes $x$ observed by thread $i$ , for any shared variable $x$ . Whereas the notion of observation variables is previously provided by the author [2], we provide another logic in this paper.

The motivation for the introduction of observation variables is straightforward. In the standard state semantics, all variables are synchronous; if a thread updates the value of a variable, then other threads can immediately see the update. Variables that occur in assertions are also synchronous in stability checking. However, in timestamp semantics, that is not the case. Nevertheless, variables that occur in assertions in logic should be synchronous because stability checking is designed that way.

Observation variables fix the gap. Observation variables are synchronous in assertions in logic, that is, if a thread updates the value of an observation variable, then other threads can immediately see the update. Surely, a relation between observation variables $x^{i_{0}}$ and $x^{i_{1}}\;(i_{0}\neq i_{1})$ is not a relation between distinct shared variables $x$ and $y$ . We clarify and formalize the relation between observation variables in logic.

We define a satisfaction relation that configurations enjoy assertions. For convenience, we write $\mathfrak{S}$ for the thread-local states of $\mathfrak{C}$ , that is, $\mathfrak{S}(i)$ denotes the thread-local state of $\mathfrak{C}(i)$ . We also write $\mathfrak{T}$ for the vector clocks of $\mathfrak{C}$ , that is, $\mathfrak{T}(i)$ denotes the vector clock of $\mathfrak{C}(i)$ . We define $\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\varphi$ as follows:

\displaystyle E\Coloneqq e

\displaystyle\mid x^{i}\mid E+E\mid E-E\mid\ldots

	$\displaystyle[\![n]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$	$\displaystyle=n$
	$\displaystyle[\![r]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$	$\displaystyle=\mathfrak{S}(i)(r)\quad\mbox{if thread $i$ contains $r$}$
	$\displaystyle[\![x^{i}]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$	$\displaystyle=M(\mathord{\langle x,\mathfrak{T}(i)(x)\rangle})$
	$\displaystyle[\![E+E^{\prime}]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$	$\displaystyle=[\![E]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}+[\![E^{\prime}]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}\enspace\ldots$

	$\displaystyle\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}E=E^{\prime}$	$\displaystyle\Longleftrightarrow[\![E]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}=[\![E^{\prime}]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$
	$\displaystyle\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}E\leq E^{\prime}$	$\displaystyle\Longleftrightarrow[\![E]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}=[\![E^{\prime}]\!]_{\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}}$
	$\displaystyle\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\mathop{\neg}{\varphi}$	$\displaystyle\Longleftrightarrow\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\not{\vDash^{t}}\varphi$
	$\displaystyle\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\varphi\wedge\psi$	$\displaystyle\Longleftrightarrow\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\varphi\mbox{ and }\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\psi\enspace.$

We define $M\vDash^{t}\varphi\>\{\mathord{s}\}\>\psi$ if $\mathord{\langle M,\mathord{\langle\mathfrak{S},\mathfrak{T}\rangle}\rangle}\vDash^{t}\varphi$ and $\mathord{\langle\mathord{\langle s,\mathfrak{S}(i),\mathfrak{T}(i)\rangle},M\rangle}\to\mathord{\langle\mathord{\langle\texttt{skip},\mathfrak{S^{\prime}}(i),\mathfrak{T^{\prime}}(i)\rangle},M^{\prime}\rangle}$ implies $\mathord{\langle M^{\prime},\mathord{\langle\mathfrak{S^{\prime}},\mathfrak{T^{\prime}}\rangle}\rangle}\vDash^{t}\psi$ for any $\mathfrak{S}$ and $\mathfrak{T}$ . Similarly, we define $M\vDash^{t}\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ .

We also introduce timestamp variable $t\mathrm{@}x$ for any shared variable $x$ . We describe how to use timestamp variables with the explanation of non-observation-interference described later. Timestamp variables in assertions are interpreted as thread-local variables. The following are inference rules consisting of extended judgments:

$\dfrac{}{\varphi,\mathit{L}\>\{\mathord{\texttt{skip}}\}\>\varphi,\mathit{L}}$	$\dfrac{}{[e/r]\varphi,\mathit{L}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\varphi,\mathit{L}}$
$\dfrac{}{[x^{i}/r]\varphi,\mathit{L}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\varphi,\mathit{L}}$	$\dfrac{\mbox{ $t$ is fresh }}{[e/x^{i}]\varphi,\mathit{L}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\varphi,\mathit{L}[x\mapsto\mathit{L}(x)\!\mathbin{:}\!t\mathrm{@}x]}$
$\dfrac{\vDash\varphi^{\prime}\supset\varphi\qquad\varphi,\mathit{L}_{0}\>\{\mathord{s}\}\>\psi,\mathit{L}_{1}\qquad\vDash\psi\supset\psi^{\prime}}{\varphi^{\prime},\mathit{L}_{0}\>\{\mathord{s}\}\>\psi^{\prime},\mathit{L}_{1}}$
$\dfrac{\varphi,\mathit{L}_{0}\>\{\mathord{s_{0}}\}\>\psi,\mathit{L}\qquad\psi,\mathit{L}\>\{\mathord{s_{1}}\}\>\chi,\mathit{L}_{1}}{\varphi,\mathit{L}_{0}\>\{\mathord{s_{0};s_{1}}\}\>\chi,\mathit{L}_{1}}$
$\dfrac{\genfrac{}{}{0.0pt}{0}{\varDelta_{i}}{\varphi_{i},I\>\{\mathord{s_{i}}\}\>\psi_{i},\mathit{L}_{i}}\qquad\genfrac{}{}{0.0pt}{0}{}{\mbox{$\varDelta_{i}$s are non-observation-interference}}}{\varphi_{0}\wedge\cdots\wedge\varphi_{N-1}\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi_{0}\wedge\cdots\wedge\psi_{N-1}}\enspace.$

Because assignments are divided into three kinds, the assignment axiom is also divided into three. Assignments of load instructions by thread $i$ replace thread-local variables with $x^{i}$ . Careful readers may wonder if the assignment axiom for load instructions is unconditionally unsound. The unsoundness is remedied by the non-observation-interference, as explained in detail in the following subsection.

The assignment axiom for store instructions is sound because we introduced observation variables to make it so. For example,

{r+1=2\wedge x^{i_{1}}=0\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}r+1}\}\>x^{i_{0}}=2\wedge x^{i_{1}}=0}

is valid because $x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}r+1$ updates the vector clock of thread $i_{0}$ .

Sequence $L$ consists of reverse lists of timestamp variables at each shared variable. An initial timestamp sequence $I$ has exactly one timestamp variable for any shared variable. A timestamp variable is freshly generated at an assignment axiom of a store instruction to $x$ and is added to the end at $x$ of the timestamp sequence.

To ensure a total order of timestamps of each shared variable, we assume $\vDash t\mathrm{@}x<t^{\prime}\mathrm{@}x$ for any shared variable $x$ and $\ldots\!\mathbin{:}\!t\mathrm{@}x\!\mathbin{:}\!\ldots\!\mathbin{:}\!t^{\prime}\mathrm{@}x\!\mathbin{:}\!\ldots$ in $\mathit{L}$ . To ensure a total order of timestamps of each shared variable on memory, we assume $\vDash t\mathrm{@}x<t^{\prime}\mathrm{@}x\vee t^{\prime}\mathrm{@}x<t\mathrm{@}x$ for any shared variable $x$ and any distinct $t$ and $t^{\prime}$ .

If there exists a derivation tree of the root $\varphi,\mathit{L}\>\{\mathord{s}\}\>\psi,\mathit{L}^{\prime}$ in the system, we write $\vdash^{t}\varphi,\mathit{L}\>\{\mathord{s}\}\>\psi,\mathit{L}^{\prime}$ . Similarly, we define $\vdash^{t}\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ .

4.2 Non-observation-interference

Before providing the formal definition of non-observation-interference, we explain its intuition. For the simplicity, we often omit reverse lists of timestamp variables in judgments if they are clear from the context.

First, it appears that $x^{i_{0}}=1\>\{\mathord{r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>r=1\wedge x^{i_{0}}=1$ is unsound to timestamp semantics because the value of $x$ at a timestamp $t$ , which may not be pointed by the vector clock satisfying $x^{i_{0}}=1$ , is loaded. That makes us want to add, for example, a necessity modality operator $\Box$ meaning “always true” to $x^{i_{0}}=1$ in the pre-condition. Alternatively, one may want to extend the assertion language with control predicates and modify the interpretation of Hoare triples [13]. However, we do not adopt them in this paper.

If the number of threads is $1$ , the judgment is still sound because the memory has no message from another thread. Soundness of $\varphi_{0}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\psi_{0}$ is stained by a store instruction $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ by another thread $i_{1}$ . It is reminiscent of the non-interference.

Let $\varphi_{1}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\psi_{1}$ in $\varDelta_{i_{1}}$ . The store instruction $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ may not be simultaneously executed with $r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ . Therefore, for any pre-condition $\varphi^{\prime}_{0}$ that is sequentially composed on or before the $r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ , we have to check that the effect of $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n$ to the memory does not interfere $\varphi_{0}$ for any $n\in\langle\!|e|\!\rangle_{\varphi^{\prime}_{0}\wedge\varphi_{1}}$ , which denotes arbitrary values of $e$ that are constrained by $\varphi^{\prime}_{0}\wedge\varphi_{1}$ . For example, for $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}r_{1}$ under $0\leq r_{1}<3$ , we have to consider the judgments about $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}0$ , $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1$ , and $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2$ .

How do we check whether the effect of $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n$ to the memory interferes $\varphi_{0}$ or not? A load instruction $r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ updates the vector clock of $i_{0}$ , therefore, $x^{i}$ , and $r$ . We divide it into two phases. If the updates of the vector clock and $x^{i}$ are finished, the update of $r$ is sound. The unsoundness of the assignment axiom for load instructions is derived from updates of vector clocks.

Here, we do a trick. By replacing thread identifier $i_{1}$ of the store instruction with thread identifier $i_{0}$ , we can update the vector clock of thread identifier $i_{0}$ . That is, for any $\varphi^{\prime}_{1}$ that is a pre/post-condition on or after the $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ , we check $M\vDash^{t}\varphi^{\prime}_{1}\wedge\varphi_{0}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n}\}\>\varphi_{0}$ instead of any judgment consisting of $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n$ . Notably, our assertion language cannot directly refer to vector clocks. We notice updates of vector clocks through updates of observation variables.

Because judgments of store instructions are as-is sound, it is sufficient to check $\vdash^{t}\varphi^{\prime}_{1}\wedge\varphi_{0}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n}\}\>\varphi_{0}$ . The following:

\dfrac{{x^{0}=0\>\{\mathord{r\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>r=0}\qquad{\top\>\{\mathord{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1}\}\>\top}\qquad{\top\wedge x^{0}=0\>\{\mathord{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1}\}\>x^{0}=0}}{x^{0}=0\>\{\mathord{r\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\parallel x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1}\}\>r=0}

is not derivable because ${\top\wedge x^{0}=0\>\{\mathord{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1}\}\>x^{0}=0}$ is not derivable. Thus, we reuse the notion of non-interference for soundness of judgments of load instructions.

Table 1: Remedying soundness.

Without non-(observation-)interference	assignment axiom		parallel composition rule
Without non-(observation-)interference	XloadX	store	parallel composition rule
Owicki–Gries logic	$\checkmark$
Our logic ( $1$ thread)	$\checkmark$	$\checkmark$	N/A
Our logic ( $\geq 2$ threads)		$\checkmark$
With non-(observation-)interference	assignment axiom		parallel composition rule
With non-(observation-)interference	XloadX	store	parallel composition rule
Owicki–Gries logic	$\checkmark$		$\checkmark$
Our logic ( $1$ thread)	$\checkmark$	$\checkmark$	N/A
Our logic ( $\geq 2$ threads)	$\checkmark$	$\checkmark$	$\checkmark$

The assignment axiom in Owicki–Gries logic is sound to the standard state semantics, but the parallel composition rule without any side condition is unsound. Therefore, Owicki and Gries introduced the notion of non-interference. The assignment axiom becomes unsound in our logic to timestamp semantics if another thread executes a store instruction. Non-observation-interference adopted by our logic plays a role in keeping the assignment axiom for load instructions sound to timestamp semantics. Table 1 summarizes it.

Next, we explain the extension of non-interference in our logic. If an interfering instruction is $r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ , we have to consider no issue in addition to non-interference. If an interfering instruction is $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ , we also have to consider no issue because $x^{i_{1}}$ in the assertion possessed by thread $i_{0}$ is synchronous and stability checking is the same as that in Owicki–Gries logic, as explained in the beginning of Section 4.

If an interfering instruction is $r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ , we have to take care of that $r_{1}\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ updates not only $r_{1}$ but also $x^{i_{1}}$ in $\varphi_{0}$ and $\psi_{0}$ . Let $\varphi_{0}\>\{\mathord{c_{0}}\}\>\psi_{0}$ be a possibly interfered judgment. We have to confirm $M\vDash^{t}\varphi_{1}\wedge\varphi_{0}\>\{\mathord{r_{1}\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\varphi_{0}$ and $M\vDash^{t}\varphi_{1}\wedge\psi_{0}\>\{\mathord{r_{1}\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\psi_{0}$ . Similar to the discussion about the soundness of judgments of load instructions, we have to take care of that $\vdash^{t}\varphi_{1}\wedge\varphi_{0}\>\{\mathord{r_{1}\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\varphi_{0}$ and $\vdash^{t}\varphi_{1}\wedge\psi_{0}\>\{\mathord{r_{1}\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\psi_{0}$ are not sufficient because they are not ensured not to be interfered with any store instruction by another thread.

Thus, we have constructed logic that is sound to timestamp semantics. However, the provability still needs to be improved. Non-interference utilizes the pre-condition of the interfering judgment, but it is impossible because the effect of the store instruction may be delayed on timestamp semantics. It weakens the expressive power of assertion language. Therefore, we cannot delicately deal with execution traces; specifically, we cannot show the correctness of Coherence under timestamp semantics because how to grasp the difference between Store Buffering and Coherence, a total order of timestamps at each variable on memory, has not been explained yet.

We have introduced timestamp variables. Freshness in assignment axioms of store instructions and non-logical axioms ensure total orders at shared variables on memory. The variables are not updated by assignments. We can describe assertions. For any store instruction, a fresh timestamp variable is defined and added to the end of the sequence at each variable. It enables us to describe how far the program runs. Timestamp variables are also used to restrict ranges that instructions interfere in the definition of non-observation-interference. Whereas auxiliary variables with non-interference in Owicki–Gries logic do not restrict ranges that instructions interfere with, pre-conditions that interfering instructions have actually restricted ranges of interfered conditions. In our logic, where we cannot assume pre-conditions for interfering instructions, timestamp variables directly restrict ranges of instructions that interfere with each other.

Finally, we formally define non-observation-interference. We call $\varDelta_{i}$ s ( $0\leq i<N$ ) non-observation-interference if for any $i_{0}$ , $i_{1}$ , and $i_{2}$ such that $i_{0}\neq i_{1}$ and $i_{1}\neq i_{2}$ hold,

•

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge\varphi^{\prime}_{1}\>\{x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n\}\Vdash^{t}\varphi_{0}$ holds for any $\varphi_{0}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\_,\_\!\mathbin{:}\!t_{0}\mathrm{@}x$ in $\varDelta_{i_{0}}$ , $\varphi_{1}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\_,\_\!\mathbin{:}\!t_{1}\mathrm{@}x$ in $\varDelta_{i_{1}}$ , a pre-condition $\varphi^{\prime}_{0}$ that is sequentially composed on or before the $r\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ in $\varDelta_{i_{0}}$ , $n\in\langle\!|e|\!\rangle_{\varphi^{\prime}_{0}\wedge\varphi_{1}}$ , and a pre/post-condition $\varphi^{\prime}_{1}$ that is sequentially composed on or after the $x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ in $\varDelta_{i_{1}}$ ,
•

$\varphi_{1}\>\{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e\}\Vdash^{t}\varphi_{0}$ and $\varphi_{1}\>\{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e\}\Vdash^{t}\psi_{0}$ hold for any $\varphi_{0}\>\{\mathord{c_{0}}\}\>\psi_{0}$ in $\varDelta_{i_{0}}$ and $\varphi_{1}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\_$ in $\varDelta_{i_{1}}$ ,
•

$\varphi_{1}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e\}\Vdash^{t}\varphi_{0}$ and $\varphi_{1}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e\}\Vdash^{t}\psi_{0}$ hold for any $\varphi_{0}\>\{\mathord{c_{0}}\}\>\psi_{0}$ in $\varDelta_{i_{0}}$ and $\varphi_{1}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\_$ in $\varDelta_{i_{1}}$ , and
•
$\varphi_{1}\>\{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}\varphi_{0}$ and $\varphi_{1}\>\{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}\psi_{0}$ hold for any $\varphi_{0}\>\{\mathord{c_{0}}\}\>\psi_{0}$ in $\varDelta_{i_{0}}$ and $\varphi_{1}\>\{\mathord{r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x}\}\>\psi_{1},\_\!\mathbin{:}\!t_{1}\mathrm{@}x$ in $\varDelta_{i_{1}}$ , moreover,
- –
  
  $t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge\varphi^{\prime\prime}_{0}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n\}\Vdash^{t}\varphi_{1}\wedge\varphi_{0}$ and $\varphi^{\prime\prime}_{0}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n\}\Vdash^{t}\varphi_{1}\wedge\psi_{0}$ hold for any $\varphi^{\prime}_{0}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\_,\_\!\mathbin{:}\!t_{0}\mathrm{@}x$ that is sequentially composed on or before the $c_{0}$ in $\varDelta_{i_{0}}$ , a pre-condition $\varphi^{\prime}_{1}$ that is sequentially composed on or before the $r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ in $\varDelta_{i_{1}}$ , a pre/post-condition $\varphi^{\prime\prime}_{0}$ that is sequentially composed on or after the $x\stackrel{{\scriptstyle\smash{i_{0}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ and on or before $c_{0}$ in $\varDelta_{i_{0}}$ , and $n\in\langle\!|e|\!\rangle_{\varphi^{\prime}_{1}\wedge\varphi^{\prime}_{0}}$
- –
  
  $t_{1}\mathrm{@}x<t_{2}\mathrm{@}x\wedge\varphi^{\prime}_{2}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n\}\Vdash^{t}\varphi_{1}\wedge\varphi_{0}$ and $\varphi^{\prime}_{2}\>\{x\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}n\}\Vdash^{t}\varphi_{1}\wedge\psi_{0}$ hold for any $\varphi_{2}\>\{\mathord{x\stackrel{{\scriptstyle\smash{i_{2}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e}\}\>\_,\_\!\mathbin{:}\!t_{2}\mathrm{@}x$ in $\varDelta_{i_{2}}$ , a pre-condition $\varphi^{\prime}_{1}$ that is sequentially composed on or before the $r\stackrel{{\scriptstyle\smash{i_{1}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x$ in $\varDelta_{i_{1}}$ , $n\in\langle\!|e|\!\rangle_{\varphi^{\prime}_{1}\wedge\varphi_{2}}$ , and a pre/post-condition $\varphi^{\prime}_{2}$ that is sequentially composed on or after the $x\stackrel{{\scriptstyle\smash{i_{2}}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}e$ in $\varDelta_{i_{2}}$

where we write $\varphi_{1}\>\{c\}\Vdash^{t}\varphi_{0}$ for $\vdash^{t}\varphi_{1}\wedge\varphi_{0}\>\{\mathord{c}\}\>\varphi_{0}$ , for short.

Theorem 2.

$\vdash^{t}\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ implies $\varnothing[\mathord{\langle\_,0\rangle}\mapsto 0]\vDash^{t}\varphi\>\{\mathord{s_{0}\parallel\cdots\parallel s_{N-1}}\}\>\psi$ .

⬇

x := 1

r0 := x

⬇

x := 2

r1 := x

\begin{array}[]{c}\smash{r_{0}=0\wedge r_{1}\leq x^{1}}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}}\rule{0.0pt}{8.6111pt}\\ \smash{0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{0}\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}}\rule{0.0pt}{8.6111pt}\\ \smash{0<r_{0}}\rule{0.0pt}{8.6111pt}\end{array}

\begin{array}[]{c}\smash{r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1}\rule{0.0pt}{8.6111pt}\\ \smash{\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}}\rule{0.0pt}{8.6111pt}\\ \smash{r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}}\rule{0.0pt}{8.6111pt}\\ \smash{\{r_{1}\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}}\rule{0.0pt}{8.6111pt}\\ \smash{r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}}\rule{0.0pt}{8.6111pt}\end{array}

invariant: $(x^{0}=0\vee x^{0}=1\vee x^{0}=2)\wedge(x^{1}=0\vee x^{1}=1\vee x^{1}=2)\wedge(r_{0}=0\vee r_{0}=1\vee r_{0}=2)\wedge(r_{1}=0\vee r_{1}=1\vee r_{1}=2)\wedge(t_{0}\mathrm{@}x=0\vee t_{0}\mathrm{@}x=1)\wedge(t_{1}\mathrm{@}x=0\vee t_{1}\mathrm{@}x=1)$ where $t_{0}\mathrm{@}x$ and $t_{1}\mathrm{@}x$ are freshly generated at $x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1$ and $x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2$ in the judgments, respectively.

Figure 7: Derivation of Coherence on non-observation-interference.

$r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}r_{0}=0\wedge r_{1}\leq x^{1}$

$r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}$

$r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<r_{0}$

$r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\>\{r_{1}\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}r_{0}=0\wedge r_{1}\leq x^{1}$

$r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\>\{r_{1}\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}0<r_{0}$

$t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\wedge r_{0}=0\wedge r_{1}\leq x^{1}$

$t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge 0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\wedge r_{0}=0\wedge r_{1}\leq x^{1}$

$t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge 0<r_{0}\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\wedge 0<r_{0}$ $t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge 0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$t_{1}\mathrm{@}x<t_{0}\mathrm{@}x\wedge 0<r_{0}\>\{x\stackrel{{\scriptstyle\smash{1}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}$

$r_{0}=0\wedge r_{1}\leq x^{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}1\}\Vdash^{t}r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}$

$0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{r_{0}\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{r_{0}\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}$

$0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\>\{r_{0}\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}x\}\Vdash^{t}r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<x^{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{1}=0\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1$

$t_{0}\mathrm{@}x<t_{1}\mathrm{@}x\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}\>\{x\stackrel{{\scriptstyle\smash{0}\rule{0.0pt}{3.0pt}}}{{\coloneqq}}2\}\Vdash^{t}0<x^{0}\wedge r_{0}=0\wedge r_{1}\leq x^{1}\wedge r_{0}\leq x^{0}\wedge x^{0}\leq t_{1}\mathrm{@}x+1\wedge t_{1}\mathrm{@}x<r_{1}$

Figure 8: Stability checking of Coherence on non-observation-interference.

Figures 7 and 8 show a derivation of Coherence on non-observation-interference. We can see that the timestamp variable $t_{1}\mathrm{@}x$ acts as an intermediary between $r_{0}$ and $r_{1}$ .

5 Related Work and Discussion

Some logics handling dataracy programs are sound to semantics on which the effects of store instructions may be delayed [16, 11, 2, 5].

Dalvandi et al. provided Owicki–Gries logic for a C11 fragment memory model [5]. They also adopted timestamp semantics. However, they introduced multiple relations based on observations by thread to their assertion language. Each assignment has multiple axioms since their assertion language has multiple relations based on observations by threads. In this paper, we aim to construct theoretically simple logic. We adopted variables based on observations by threads. Each assignment has exactly one axiom.

Lahav and Vafeiadis proposed Owicki–Gries style logic for semantics by execution graphs [11], more axiomatic semantics than operational timestamp semantics. Their logic has high provability. They succeeded in providing derivations to ensure the correctness of Store Buffering with memory fences and a variant of Coherence. They also modified stability checking to ensure the correctness of concurrent programs on a weak memory model, as we did in this paper. Their logic differs from ours because they are constructed without observation and timestamp variables.

An unsatisfactory point is that it is necessary to check judgments of the form $\varGamma\not\vdash\varphi$ in their logic. Specifically, the logic requires to find satisfiable values under the semantics when checking stability. This means that it is necessary to consider models when providing derivations. Whereas the author provided logic using observation variables [2], the logic also assumes the use of external knowledge called observation invariants.

Thus, semantics on which effects of store instructions often disturb us to construct a pure logic in which assertions are added to programs in the Floyd style [6] are syntactically operated. In our logic, it occurs as the arbitrariness of the values of store instructions in the definition of non-observation-interference as described in Section 4. This study is one of the challenges to finding a purely syntactical logic for weak memory models.

The author proposed observation variables in the previous work [2]. However, observation variables are almost regarded as shared variables in the logic. Relations between observation variables strongly depend on observation invariants, which are assumed to be externally given. In this paper, observation variables are explicitly handled in the definition of non-observation-interference. This work is positioned as a detailed investigation of shared variables observed by threads.

6 Conclusion and Future Work

In this paper, we provide Owicki–Gries style logic, which uses the notion of non-interference for timestamp semantics. It theoretically contributes to show techniques that 1)we used the notion of non-interference for ensuring soundness of assignment axiom, 2)we replaced thread identifiers for an update of a vector clock on timestamp semantics, and 3)we introduced timestamp variables in order to enhance the expressiveness of the assertion language.

This study has a lot left to do. In this paper, we do not refer to completeness to timestamp semantics. We do not confirm the minimality of assertions that occur in the derivations in this paper. Above all else, Owicki–Gries logic using non-interference is not compositional; the depths of derivations combinatorial increase the number of checking judgments. It means that Owicki–Gries logic and our logic could be more practical. Jones proposed a compositional logic using rely/guarantee reasoning [8]. Lahav and Vafeiadis tried to make their logic compositional using the rely/guarantee notion. However, because their “rely” and “guarantee” are not single assertions but finite sets of assertions [11], it is hard to say that combinatorial explosion is wholly avoided. Enriching the assertion language using the next variables (e.g. [17]) is promising. Our previous study also proposed a compositional logic using observation variables [2], so to speak, observation-based Jones logic. However, external knowledge is required, called observation invariants, as described in Section 5. Thus, it is challenging to construct compositional logic for weak memory models. We try to construct a compositional logic using observation variables by utilizing the knowledge obtained in this study.

This study considered store buffering only. It is not easy to consider load buffering. Whereas we previously proposed concurrent program logic sound and complete to semantics that support reordering of load instructions [3], the semantics support reordering of load instructions that are statically determined to be independent. For a weaker memory model, Kang et al. proposed a novel notion called promise for supporting load buffering on timestamp semantics [9]. For example, in the following program:

⬇

r0 := y // 0

x := 1

⬇

r1 := x

y := r1

assertion $r_{0}=0$ always holds on timestamp semantics. However, $r_{0}=1$ is allowed on timestamp semantics with promise. We try to combine the notion of promise with our logic and construct a novel logic to ensure the correctness of concurrent programs on semantics that allow load buffering.

Acknowledgments. This work was supported by JSPS KAKENHI Grant Number JP23K11051.

References

[1] P. A. Abdulla, M. F. Atig, B. Jonsson, and C. Leonardsson. Stateless model checking for POWER. In Proc. CAV, volume 9780 of LNCS, pages 134–156, 2016.
[2] T. Abe and T. Maeda. Observation-based concurrent program logic for relaxed memory consistency models. In Proc. APLAS, volume 10017 of LNCS, pages 63–84, 2016.
[3] T. Abe and T. Maeda. Concurrent program logic for relaxed memory consistency models with dependencies across loop iterations. Journal of Information Processing, 25:244–255, 2017.
[4] M. Barnett, B.-Y. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proc. FMCO, volume 4111 of LNCS, pages 364–387, 2005.
[5] S. Dalvandi, S. Doherty, B. Dongol, and H. Wehrheim. Owicki–Gries reasoning for C11 RAR. In Proc. ECOOP, 2020.
[6] R. W. Floyd. Assigning meanings to programs. In Proc. Symposia in Applied Mathematics, volume 19, pages 19–32, 1967.
[7] C. A. R. Hoare. An axiomatic basis for computer programming. CACM, 12(10):576–580, 583, 1969.
[8] C. B. Jones. Development Methods for Computer Programs Including a Notion of Interference. PhD thesis, Oxford University, 1981.
[9] J. Kang, C.-K. Hur, O. Lahav, V. Vafeiadis, and D. Dreyer. A promising semantics for relaxed-memory concurrency. In Proc. POPL, pages 175–189, 2017.
[10] M. Kokologiannakis and V. Vafeiadis. GenMC: A model checker for weak memory models. In Proc. CAV, volume 12759 of LNCS, pages 427–440, 2021.
[11] O. Lahav and V. Vafeiadis. Owicki–Gries reasoning for weak memory models. In Proc. ICALP, volume 9135 of LNCS, pages 311–323, 2015.
[12] L. Lamport. Time, clocks, and the ordering of events in a distributed system. CACM, 21(7):558–565, 1978.
[13] L. Lamport. Control predicates are better than dummy variables for reasoning about program control. TOPLAS, 10(2):267–281, 1988.
[14] F. Mattern. Virtual time and global states of distributed systems. In Parallel and Distributed Algorithms, pages 215–226. North-Holland, 1989.
[15] S. S. Owicki and D. Gries. An axiomatic proof technique for parallel programs I. Acta Informatica, 6:319–340, 1976.
[16] T. Ridge. A rely-guarantee proof system for x86-TSO. In Proc. VSTTE, volume 6217 of LNCS, pages 55–70, 2010.
[17] Q. Xu, W. P. de Roever, and J. He. The rely-guarantee method for verifying shared variable concurrent programs. Formal Aspects of Computing, 9(2):149–174, 1997.