Aleksandar Nanevski - Academia.edu (original) (raw)
Papers by Aleksandar Nanevski
This artefact is a companion to the paper: František Farka, Aleksandar Nanevski, Anindya Banerjee... more This artefact is a companion to the paper: František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas. 2021. <strong>On Algebraic Abstractions for Concurrent Separation Logics</strong>. <em>Proc. ACM Program. Lang. 5</em>, POPL, Article 5 (January 2021), 32 pages. https://doi.org/10.1145/3434286 The artefact contains Coq sources of the developments presented in the submission. The artefact supports the developments paper in both a theoretical and practical way. First, it provides a complete bottom-up mechanization of partial commutative monoids (PCM), separating relations, PCM morphisms, and the related constructions. The artefact formalizes all the concepts defined in the paper, Secondly, the artifact demonstrate practical utilisation of the theory of PCMs. Using FCSL (Nanevski et al, 2019) as the opaque type theory, the artefact provides mechanical verification of Ticket lock, the running example developed in the p...
Proceedings of the ACM on Programming Languages, 2022
Visibility relations have been proposed by Henzinger et al. as an abstraction for proving lineari... more Visibility relations have been proposed by Henzinger et al. as an abstraction for proving linearizability of concurrent algorithms that obtains modular and reusable proofs. This is in contrast to the customary approach based on exhibiting the algorithm's linearization points. In this paper we apply visibility relations to develop modular proofs for three elegant concurrent snapshot algorithms of Jayanti. The proofs are divided by signatures into components of increasing level of abstraction; the components at higher abstraction levels are shared, i.e., they apply to all three algorithms simultaneously. Importantly, the interface properties mathematically capture Jayanti's original intuitions that have previously been given only informally.
Arguments about correctness of a concurrent data structure are typically carried out by using the... more Arguments about correctness of a concurrent data structure are typically carried out by using the notion of linearizability and specifying the linearization points of the data structure's procedures. Such arguments are often cumbersome as the linearization points' position in time can be dynamic (depend on the interference, run-time values and events from the past, or even future), non-local (appear in procedures other than the one considered), and whose position in the execution trace may only be determined after the considered procedure has already terminated. In this paper we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We name the idea linking-in-tim...
Recent approaches to verifying programs in separation logics for concurrency have used state tran... more Recent approaches to verifying programs in separation logics for concurrency have used state transition systems (STSs) to specify the atomic operations of programs. A key challenge in the setting has been to compose such STSs into larger ones, while enabling programs specified under one STS to be linked to a larger one, without reverification. This paper develops a notion of morphism between two STSs which permits such lifting. The morphisms are a constructive form of simulation between the STSs, and lead to a general and concise proof system. We illustrate the concept and its generality on several disparate examples, including staged construction of a readers/writers lock and its proof, and of proofs about quiescence when concurrent programs are executed without external interference.
Dagstuhl Artifacts Ser., 2017
This artifact provides the full mechanization in FCSL of the developments in the companion paper,... more This artifact provides the full mechanization in FCSL of the developments in the companion paper, "Concurrent Data Structures Linked in Time". In the latter, we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We illustrate the method by verifying (mechanically in FCSL) an intricate optimal snapshot algorithm due to Jayanti, as well as some clients. FCSL is the first completely formalized framework for mechanized verification of full functional correctness of fine-grained concurrent programs. It is implemented as an embedded domain-specific language (DSL) in the dependently-typed language of the Coq proof assistant, and is powerful enough to reason about p...
In this work, we present a family of operational semantics that gradually approximates the realis... more In this work, we present a family of operational semantics that gradually approximates the realistic program behaviors in the C/C++11 memory model. Each semantics in our framework is built by elaborating and combining two simple ingredients: viewfronts and operation buffers. Viewfronts allow us to express the spatial aspect of thread interaction, i.e., which values a thread can read, while operation buffers enable manipulation with the temporal execution aspect, i.e., determining the order in which the results of certain operations can be observed by concurrently running threads. Starting from a simple abstract state machine, through a series of gradual refinements of the abstract state, we capture such language aspects and synchronization primitives as release/acquire atomics, sequentially-consistent and non-atomic memory accesses, also providing a semantics for relaxed atomics, while avoiding the Out-of-Thin-Air problem. To the best of our knowledge, this is the first formal and e...
To illustrate separate verification of a library and its client, we adapt another classic example... more To illustrate separate verification of a library and its client, we adapt another classic example due to Owicki and Gries. The library is a one-place buffer with blocking put and get operations. The client is a pair of producer and consumer each with a private array of data that they concurrently communicate through the buffer. The producer iterates over its array, putting the elements into the buffer, one by one. The consumer populates its private array in order by getting from the buffer. The goal is to verify that at the end, the producer and consumer arrays have identical contents.
Proceedings of the ACM on Programming Languages, 2020
Modern highly-concurrent search data structures, such as search trees, obtain multi-core scalabil... more Modern highly-concurrent search data structures, such as search trees, obtain multi-core scalability and performance by having operations traverse the data structure without any synchronization. As a result, however, these algorithms are notoriously difficult to prove linearizable, which requires identifying a point in time in which the traversal's result is correct. The problem is that traversing the data structure as it undergoes modifications leads to complex behaviors, necessitating intricate reasoning about all interleavings of reads by traversals and writes mutating the data structure. In this paper, we present a general proof technique for proving unsynchronized traversals correct in a significantly simpler manner, compared to typical concurrent reasoning and prior proof techniques. Our framework relies only on sequential properties of traversals and on a conceptually simple and widely-applicable condition about the ways an algorithm's writes mutate the data structure...
From Owicki-Gries’ resource invariants and Jones’ rely/guarantee to modern variants based on sepa... more From Owicki-Gries’ resource invariants and Jones’ rely/guarantee to modern variants based on separation logic, axiomatic program logics for concurrency have a limited form of compositionality. Proving non-trivial properties usually requires the use of auxiliary state, which is “objective” in the sense that each thread’s auxiliary state is given a globally-unique name. Since auxiliary state exposes the program’s global structure to each local thread, axiomatic approaches fail to be compositional in the presence of auxiliary state. We propose “subjective” auxiliary state as a solution to this historical limitation of axiomatic program logics. Each thread can be verified with a subjective view on auxiliary state: auxiliary state can be partitioned to either belong to the self (i.e., the thread itself) or to the other (i.e., its environment). We formulate Subjective Concurrent Separation Logic as a combination of the resource invariant method, separation logic, and subjective auxiliary ...
Concurrent separation logic is distinguished by transfer of state ownership upon parallel composi... more Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective while comparatively less attention is drawn to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but haven't seen ubiquitous use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing a...
Proceedings of the ACM on Programming Languages
Programming languages with algebraic effects often track the computations’ effects using type-and... more Programming languages with algebraic effects often track the computations’ effects using type-and-effect systems. In this paper, we propose to view an algebraic effect theory of a computation as a variable context; consequently, we propose to track algebraic effects of a computation with contextual modal types . We develop ECMTT, a novel calculus which tracks algebraic effects by a contextualized variant of the modal □ (necessity) operator, that it inherits from Contextual Modal Type Theory (CMTT). Whereas type-and-effect systems add effect annotations on top of a prior programming language, the effect annotations in ECMTT are inherent to the language, as they are managed by programming constructs corresponding to the logical introduction and elimination forms for the □ modality. Thus, the type-and-effect system of ECMTT is actually just a type system. Our design obtains the properties of local soundness and completeness, and determines the operational semantics solely by β-reductio...
Proceedings of the ACM on Programming Languages
In addition to pre- and postconditions, program specifications in recent separation logics for co... more In addition to pre- and postconditions, program specifications in recent separation logics for concurrency have employed an algebraic structure of resources —a form of state transition systems—to describe the state-based program invariants that must be preserved, and to record the permissible atomic changes to program state. In this paper we introduce a novel notion of resource morphism , i.e. structure-preserving function on resources, and show how to effectively integrate it into separation logic, using an associated notion of morphism-specific simulation . We apply morphisms and simulations to programs verified under one resource, to compositionally adapt them to operate under another resource, thus facilitating proof reuse.
Acm Transactions on Programming Languages and Systems, Jul 1, 2013
Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory... more Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.
Proceedings of the 37th Annual Acm Sigplan Sigact Symposium, Jan 17, 2010
Proceedings of the 13th Acm Sigplan International Conference, Sep 1, 2008
We present a dependent Hoare Type Theory (HTT) which provides support for reasoning about program... more We present a dependent Hoare Type Theory (HTT) which provides support for reasoning about programs with higher- order functions and effects, including non-termination, state with aliasing and pointer arithmetic. The type struc- ture encapsulates effectful commands using a monad in- dexed by pre- and post-conditions in the style of Hoare logic. The theory carefully distinguishes between an ap- propriate notion of definitional equality and propositional equality, in order to maintain the relative decidability of type-checking.
Algorithms in Computational Geometry and Computer Aided Design are often developed for the Real R... more Algorithms in Computational Geometry and Computer Aided Design are often developed for the Real RAM model of computation, which assumes exactness of all the input arguments and operations. In practice, however, the exactness imposes tremendous limitations on the algorithms---even the basic operations become uncomputable, or prohibitively slow. In some important cases, however, the computations of interest are limited to determining the sign of polynomial expressions. In such circumstances, a faster approach is available: one can evaluate the polynomial in floating-point first, together with some estimate of the rounding error, and fall back to exact arithmetic only if this error is too big to determine the sign reliably. A particularly efficient variation on this approach has been used by Shewchuk in his robust implementations of Orient and InSphere geometric predicates. We extend Shewchuk's method to arbitrary polynomial expressions. The expressions are given as programs in a s...
This artefact is a companion to the paper: František Farka, Aleksandar Nanevski, Anindya Banerjee... more This artefact is a companion to the paper: František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas. 2021. <strong>On Algebraic Abstractions for Concurrent Separation Logics</strong>. <em>Proc. ACM Program. Lang. 5</em>, POPL, Article 5 (January 2021), 32 pages. https://doi.org/10.1145/3434286 The artefact contains Coq sources of the developments presented in the submission. The artefact supports the developments paper in both a theoretical and practical way. First, it provides a complete bottom-up mechanization of partial commutative monoids (PCM), separating relations, PCM morphisms, and the related constructions. The artefact formalizes all the concepts defined in the paper, Secondly, the artifact demonstrate practical utilisation of the theory of PCMs. Using FCSL (Nanevski et al, 2019) as the opaque type theory, the artefact provides mechanical verification of Ticket lock, the running example developed in the p...
Proceedings of the ACM on Programming Languages, 2022
Visibility relations have been proposed by Henzinger et al. as an abstraction for proving lineari... more Visibility relations have been proposed by Henzinger et al. as an abstraction for proving linearizability of concurrent algorithms that obtains modular and reusable proofs. This is in contrast to the customary approach based on exhibiting the algorithm's linearization points. In this paper we apply visibility relations to develop modular proofs for three elegant concurrent snapshot algorithms of Jayanti. The proofs are divided by signatures into components of increasing level of abstraction; the components at higher abstraction levels are shared, i.e., they apply to all three algorithms simultaneously. Importantly, the interface properties mathematically capture Jayanti's original intuitions that have previously been given only informally.
Arguments about correctness of a concurrent data structure are typically carried out by using the... more Arguments about correctness of a concurrent data structure are typically carried out by using the notion of linearizability and specifying the linearization points of the data structure's procedures. Such arguments are often cumbersome as the linearization points' position in time can be dynamic (depend on the interference, run-time values and events from the past, or even future), non-local (appear in procedures other than the one considered), and whose position in the execution trace may only be determined after the considered procedure has already terminated. In this paper we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We name the idea linking-in-tim...
Recent approaches to verifying programs in separation logics for concurrency have used state tran... more Recent approaches to verifying programs in separation logics for concurrency have used state transition systems (STSs) to specify the atomic operations of programs. A key challenge in the setting has been to compose such STSs into larger ones, while enabling programs specified under one STS to be linked to a larger one, without reverification. This paper develops a notion of morphism between two STSs which permits such lifting. The morphisms are a constructive form of simulation between the STSs, and lead to a general and concise proof system. We illustrate the concept and its generality on several disparate examples, including staged construction of a readers/writers lock and its proof, and of proofs about quiescence when concurrent programs are executed without external interference.
Dagstuhl Artifacts Ser., 2017
This artifact provides the full mechanization in FCSL of the developments in the companion paper,... more This artifact provides the full mechanization in FCSL of the developments in the companion paper, "Concurrent Data Structures Linked in Time". In the latter, we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We illustrate the method by verifying (mechanically in FCSL) an intricate optimal snapshot algorithm due to Jayanti, as well as some clients. FCSL is the first completely formalized framework for mechanized verification of full functional correctness of fine-grained concurrent programs. It is implemented as an embedded domain-specific language (DSL) in the dependently-typed language of the Coq proof assistant, and is powerful enough to reason about p...
In this work, we present a family of operational semantics that gradually approximates the realis... more In this work, we present a family of operational semantics that gradually approximates the realistic program behaviors in the C/C++11 memory model. Each semantics in our framework is built by elaborating and combining two simple ingredients: viewfronts and operation buffers. Viewfronts allow us to express the spatial aspect of thread interaction, i.e., which values a thread can read, while operation buffers enable manipulation with the temporal execution aspect, i.e., determining the order in which the results of certain operations can be observed by concurrently running threads. Starting from a simple abstract state machine, through a series of gradual refinements of the abstract state, we capture such language aspects and synchronization primitives as release/acquire atomics, sequentially-consistent and non-atomic memory accesses, also providing a semantics for relaxed atomics, while avoiding the Out-of-Thin-Air problem. To the best of our knowledge, this is the first formal and e...
To illustrate separate verification of a library and its client, we adapt another classic example... more To illustrate separate verification of a library and its client, we adapt another classic example due to Owicki and Gries. The library is a one-place buffer with blocking put and get operations. The client is a pair of producer and consumer each with a private array of data that they concurrently communicate through the buffer. The producer iterates over its array, putting the elements into the buffer, one by one. The consumer populates its private array in order by getting from the buffer. The goal is to verify that at the end, the producer and consumer arrays have identical contents.
Proceedings of the ACM on Programming Languages, 2020
Modern highly-concurrent search data structures, such as search trees, obtain multi-core scalabil... more Modern highly-concurrent search data structures, such as search trees, obtain multi-core scalability and performance by having operations traverse the data structure without any synchronization. As a result, however, these algorithms are notoriously difficult to prove linearizable, which requires identifying a point in time in which the traversal's result is correct. The problem is that traversing the data structure as it undergoes modifications leads to complex behaviors, necessitating intricate reasoning about all interleavings of reads by traversals and writes mutating the data structure. In this paper, we present a general proof technique for proving unsynchronized traversals correct in a significantly simpler manner, compared to typical concurrent reasoning and prior proof techniques. Our framework relies only on sequential properties of traversals and on a conceptually simple and widely-applicable condition about the ways an algorithm's writes mutate the data structure...
From Owicki-Gries’ resource invariants and Jones’ rely/guarantee to modern variants based on sepa... more From Owicki-Gries’ resource invariants and Jones’ rely/guarantee to modern variants based on separation logic, axiomatic program logics for concurrency have a limited form of compositionality. Proving non-trivial properties usually requires the use of auxiliary state, which is “objective” in the sense that each thread’s auxiliary state is given a globally-unique name. Since auxiliary state exposes the program’s global structure to each local thread, axiomatic approaches fail to be compositional in the presence of auxiliary state. We propose “subjective” auxiliary state as a solution to this historical limitation of axiomatic program logics. Each thread can be verified with a subjective view on auxiliary state: auxiliary state can be partitioned to either belong to the self (i.e., the thread itself) or to the other (i.e., its environment). We formulate Subjective Concurrent Separation Logic as a combination of the resource invariant method, separation logic, and subjective auxiliary ...
Concurrent separation logic is distinguished by transfer of state ownership upon parallel composi... more Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective while comparatively less attention is drawn to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but haven't seen ubiquitous use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing a...
Proceedings of the ACM on Programming Languages
Programming languages with algebraic effects often track the computations’ effects using type-and... more Programming languages with algebraic effects often track the computations’ effects using type-and-effect systems. In this paper, we propose to view an algebraic effect theory of a computation as a variable context; consequently, we propose to track algebraic effects of a computation with contextual modal types . We develop ECMTT, a novel calculus which tracks algebraic effects by a contextualized variant of the modal □ (necessity) operator, that it inherits from Contextual Modal Type Theory (CMTT). Whereas type-and-effect systems add effect annotations on top of a prior programming language, the effect annotations in ECMTT are inherent to the language, as they are managed by programming constructs corresponding to the logical introduction and elimination forms for the □ modality. Thus, the type-and-effect system of ECMTT is actually just a type system. Our design obtains the properties of local soundness and completeness, and determines the operational semantics solely by β-reductio...
Proceedings of the ACM on Programming Languages
In addition to pre- and postconditions, program specifications in recent separation logics for co... more In addition to pre- and postconditions, program specifications in recent separation logics for concurrency have employed an algebraic structure of resources —a form of state transition systems—to describe the state-based program invariants that must be preserved, and to record the permissible atomic changes to program state. In this paper we introduce a novel notion of resource morphism , i.e. structure-preserving function on resources, and show how to effectively integrate it into separation logic, using an associated notion of morphism-specific simulation . We apply morphisms and simulations to programs verified under one resource, to compositionally adapt them to operate under another resource, thus facilitating proof reuse.
Acm Transactions on Programming Languages and Systems, Jul 1, 2013
Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory... more Dedicated to the memory of John C. Reynolds (1935--2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.
Proceedings of the 37th Annual Acm Sigplan Sigact Symposium, Jan 17, 2010
Proceedings of the 13th Acm Sigplan International Conference, Sep 1, 2008
We present a dependent Hoare Type Theory (HTT) which provides support for reasoning about program... more We present a dependent Hoare Type Theory (HTT) which provides support for reasoning about programs with higher- order functions and effects, including non-termination, state with aliasing and pointer arithmetic. The type struc- ture encapsulates effectful commands using a monad in- dexed by pre- and post-conditions in the style of Hoare logic. The theory carefully distinguishes between an ap- propriate notion of definitional equality and propositional equality, in order to maintain the relative decidability of type-checking.
Algorithms in Computational Geometry and Computer Aided Design are often developed for the Real R... more Algorithms in Computational Geometry and Computer Aided Design are often developed for the Real RAM model of computation, which assumes exactness of all the input arguments and operations. In practice, however, the exactness imposes tremendous limitations on the algorithms---even the basic operations become uncomputable, or prohibitively slow. In some important cases, however, the computations of interest are limited to determining the sign of polynomial expressions. In such circumstances, a faster approach is available: one can evaluate the polynomial in floating-point first, together with some estimate of the rounding error, and fall back to exact arithmetic only if this error is too big to determine the sign reliably. A particularly efficient variation on this approach has been used by Shewchuk in his robust implementations of Orient and InSphere geometric predicates. We extend Shewchuk's method to arbitrary polynomial expressions. The expressions are given as programs in a s...