Iron: Managing Obligations in Higher-Order Concurrent Separation Logic

ALEŠ BIZJAK, Aarhus University, Denmark
DANIEL GRATZER, Aarhus University, Denmark
ROBBERT KREBBERS, Delft University of Technology, The Netherlands
LARS BIRKEDAL, Aarhus University, Denmark

Precise management of resources and the obligations they impose, such as the need to dispose of memory, close locks, and release file handles, is hard—especially in the presence of concurrency, when some resources are shared, and different threads operate on them concurrently. We present Iron, a novel higher-order concurrent separation logic that allows for precise reasoning about resources that are transferable among dynamically allocated threads. In particular, Iron can be used to show the correctness of challenging examples, where the reclamation of memory is delegated to a forked-off thread. We show soundness of Iron by means of a model of Iron, defined on top of the Iris base logic, and we use this model to prove that memory resources are accounted for precisely and not leaked. We have formalized all of the developments in the Coq proof assistant.

CCS Concepts: • Theory of computation → Separation logic; Program verification; Programming logic; Operational semantics;

Additional Key Words and Phrases: Separation logic, concurrency, resource management

ACM Reference Format:

1 INTRODUCTION

To enable reasoning about resources in the presence of concurrency, a plethora of variants of concurrent separation logic (CSL) have been proposed, e.g., [da Rocha Pinto et al. 2014; Dinsdale-Young et al. 2010; Feng 2009; Feng et al. 2007; Fu et al. 2010; Hobor et al. 2008; Jung et al. 2016, 2018, 2015; Krebbers et al. 2017a; Mansky et al. 2017; Nanevski et al. 2014; O’Hearn 2007; Svendsen and Birkedal 2014; Turon et al. 2013; Vafeiadis and Parkinson 2007]. Despite their increased expressiveness and increased sophistication to provide modular specifications of program modules, none of these variants of separation logic can both:

(1) reason locally about unstructured fork-style concurrency, and,
(2) prove that resources are necessarily used, e.g., that a program module is obligated to free all the memory it has allocated, or that it is obligated to released all the locks it has acquired.

Authors’ addresses: Aleš Bizjak, Aarhus University, abizjak@cs.au.dk; Daniel Gratzer, Aarhus University, gratzer@cs.au.dk; Robbert Krebbers, Delft University of Technology, mail@robbertkrebbers.nl; Lars Birkedal, Aarhus University, birkedal@cs.au.dk.

This work is licensed under a Creative Commons Attribution 4.0 International License.
© 2019 Copyright held by the owner/author(s).
2475-1421/2019/1-ART65
https://doi.org/10.1145/3290378
The combination of these features is important in practice, where an often used programming pattern is to transfer resources between dynamically allocated threads. For instance, one could have a background thread that acts as a garbage collector to clear up unused resources, as used in Singularity OS [Fähndrich et al. 2006]. For concreteness, let us consider a very simple example illustrating the transfer of resources from one thread to another (which could be thought of as the garbage collector) that then deallocates the transferred resources:

```ocaml
let ℓ = ref (None) in
let rec cleanup() = match !ℓ with
  None ⇒ cleanup() |
  Some ℓ' ⇒ free(ℓ'); free(ℓ)
end in fork {cleanup()};
let ℓ' = ref (0) in ℓ ← Some ℓ'
```

The idea of this example is that the location $\ell$ acts as a channel. The main thread forks off a new thread, `cleanup`, which waits until it receives a message with a location $\ell'$, which it then deallocates, and then it also deallocates the channel $\ell$. After forking off the cleanup thread, the main thread allocates a resource, the location $\ell'$, which is sent to the forked-off thread (so that the forked-off thread may deallocate it).

While existing variants of concurrent separation logic can be used to prove functional correctness of programs that transfer ownership of resources between dynamically allocated threads, none of these logics can be used to establish that such programs correctly dispose of all resources (in the example, to establish that memory resources are not leaked).

**Technical problem.** For reasoning about (non-disjoint) shared-memory concurrency, most variants of concurrent separation logic employ some form of an invariant mechanism to share ownership of resources among threads. When the programming language only includes structured concurrency, it suffices to use CSL-style scoped invariants [Nanevski et al. 2014; O’Hearn 2007], where the program syntax is used to delineate how invariants are shared between threads.

In contrast, variants of concurrent separation logic that can reason about fork-style concurrency, such as iCap [Svendsen and Birkedal 2014], TaDa [da Rocha Pinto et al. 2014], and Iris [Jung et al. 2016, 2018, 2015; Krebbers et al. 2017a], use shareable invariants that are not tracked in the logic. Technically, shareable means that such invariants are persistent, hence duplicable, and hence they need not be explicitly tracked in pre- and postconditions of Hoare triples. One can thus silently throw away resources, such as the “points-to” connective $\ell \mapsto \nu$ that expresses ownership of a location $\ell$, by putting these resources in a shareable invariant, and throwing away that invariant.

**Solution and key ideas.** In this paper we present a new higher-order concurrent separation logic called Iron, which supports precise reasoning about resources in the presence of fork-style concurrency. In order to provide a combination of expressiveness and high-level abstraction, the Iron logic is defined in terms of two layers:

- The core Iron logic, which provides a new notion of a trackable resources. Concretely, for the case of memory resources, Iron provides the trackable points-to connective $\ell \mapsto_{\pi} \nu$, which not only denotes ownership of a location $\ell$, but also includes a fraction $\pi$ to control sharing. Intuitively, this fraction $\pi$ expresses the degree of knowledge of the heap; if $\pi = 1$, then we know the heap exactly, and if $\pi < 1$, then we only have a partial local view of the heap (other threads may have complementary views of the heap).

  Importantly, trackable resources allow precise tracking of resources even when they are transferred through shareable invariants. In fact, trackable resources allow precise tracking of
resources even when the separation logic is affine, i.e., it satisfies the weakening rule $P \ast Q \vdash P$, which allows to forget arbitrary resources. Iron is thus an affine separation logic.

- The high-level Iron++ logic, which provides a layer on top of the core Iron logic to hide the use of fractions. We prove that this more abstract logic satisfies the standard rules of classical separation logic. In fact, we show that Iron++ is not affine, but rather linear—in other words, we have defined a linear separation logic (Iron++) on top of an affine one (Iron).

At the cost of hiding the fractions, Iron++ does not provide shareable invariants. Instead, it provides a new form of invariants that we call trackable invariants. These invariants are tracked in the logic (appear in pre- and postconditions), but are not scoped. Importantly, contrary to shareable invariants, our trackable invariants are not freely duplicable, but instead do support a controlled form of sharing via a so-called splitting rule.

Working in the combination of these logics is crucial. The Iron++ logic provides more abstract reasoning principles, which are sufficient for most practical cases, including the challenging channel module inspired by Singularity OS (Section 4.3). However, there are some constructs that cannot be verified in the abstract Iron++ logic. Notably, to establish a modular specification of a parallel composition operator defined using a reference cell and fork, one needs “drop down” to the core Iron logic (with explicit fractions) and prove that construct there. Partly for this reason, and partly to explain how the reasoning works, we have decided to start with an explicit treatment of Iron using fractions (Section 3-4), and then only later describe the more abstract Iron++ (Section 5) rather than the other way round.

In order to establish that Iron indeed enables precise reasoning of resources, we prove an adequacy theorem (Section 3.4), which guarantees that given an appropriate Hoare triple, when all threads terminate, all memory resources have indeed been disposed of.

We have modeled Iron on top of the Iris base logic [Jung et al. 2018; Krebbers et al. 2017a]. This simplifies the adequacy proof and model construction of Iron significantly (e.g., we do not have to solve recursive domain equations, that is done in the model of Iris). Furthermore, it allows us to reuse Iris’s features for shareable invariants and (higher-order) ghost state, and Iris’s infrastructure for mechanized proofs in the Coq proof assistant [Krebbers et al. 2018, 2017b].

Contributions. In summary, we make the following contributions:

- We present trackable resources, a new construction for precise accounting of resources in separation logics with rules for weakening, either through shareable invariants, or through the weakening rule $P \ast Q \vdash P$ of affine separation logic (Section 2).
- We show that this construction scales to a rich separation logic for fork-based concurrency by defining Iron, a higher-order concurrent separation that allows for precise reasoning about memory resources that are transferable among dynamically allocated threads (Section 3).
- We demonstrate how Iron can be used for verifying challenging examples (Section 4).
- We define a more abstract logic Iron++, which makes it possible to reason at a higher level of abstraction, similar to Iris, but with fine-grained control over resource usage (Section 5).
- We prove soundness of Iron by means of a model of Iron, defined on top of the Iris base logic. We use this model to prove important adequacy theorems for Iron, which make precise that memory resources are accounted for and not leaked (Section 6).
- We show that the Iron approach can also be used to reason precisely about other user-defined resources, such as locks (Section 8).
- We have formalized all of the theory and examples in the Coq proof assistant. We have used the recent MoSeL framework [Krebbers et al. 2018], which allows us to smoothly mechanize proofs in the combination of both layers of Iron (Section 8). The Coq formalization can be found online at https://iris-project.org/iron/.
2 THE KEY TECHNICAL CONSTRUCTION—TRACKABLE RESOURCES

Before we describe the rich Iron logic in Section 3, we explain its key notion of trackable resources, which allow for precise accounting of resources even if we are allowed to forget resources, either explicitly through weakening, or in the presence of shareable invariant mechanisms as needed for logics for fork-style concurrency. To keep this section self-contained, we will restrict ourselves to memory resources of a simple first-order functional language without concurrency:

\[ v \in \text{Val} ::= () | z | \text{true} | \text{false} | \ell \quad (z \in \mathbb{Z}, \ell \in \text{Loc}) \]
\[ e \in \text{Exp} ::= v | x | \text{skip} | \text{let } x = e_1 \text{ in } e_2 | e_1; e_2 | \text{ref}(e) | \text{free}(e) | ! e | e_1 \leftarrow e_2 | \ldots \]

We start with a brief recapitulation of traditional intuitionistic (or affine) separation logic [Ishtiaq and O’Hearn 2001; Reynolds 2000] (Section 2.1) and its model (Section 2.2). After that, we explain our new separation logic with trackable resources (Section 2.3) and its model (Section 2.4). Finally, we show an adequacy theorem for our separation logic with trackable resources that formally guarantees no memory is leaked (Section 2.5).

2.1 Resources in Traditional Separation Logic

Program specifications in separation logic are Hoare triples \( \{ P \} e \{ w. Q \} \), where \( e \) is a program, and \( P \) and \( Q \) are the pre- and postcondition, respectively. The variable \( w \) in the postcondition \( Q \) binds the return value of the program. The propositions (typically named \( P, Q, R \)) of separation logic [Ishtiaq and O’Hearn 2001; Reynolds 2000, 2002] are formulas of first-order logic extended with separating conjunction * and the Emp connective satisfying the usual commutativity, associativity rules, and the rule stating that Emp is the unit of the separating conjunction. Next to that, separation logic has one more proposition—the points-to connective \( \ell \mapsto v \), which expresses that the location \( \ell \) in the heap contains the value \( v \). A selection of rules is displayed in Figure 1.

Already in the original separation logic papers, two different models of separation logic were considered: intuitionistic separation logic [Reynolds 2000] and classical separation logic [Ishtiaq and O’Hearn 2001; Reynolds 2002]. The difference between these two models is that the intuitionistic model enjoys the following “weakening” rule:

\[ P * Q \vdash P \quad \text{(affine)} \]

Following the nomenclature by Krebbers et al. [2018, 2017b], we call separation logics with the weakening rule affine. Affine separation logics are often used to reason about garbage collected languages as the weakening rule allows one to forget about locations that the program no longer cares about. For example, one could prove the following Hoare triple in such logics:

\[ \{ \ell \mapsto v \} \text{skip} \{ \text{Emp} \} \quad \{ \text{Emp} \} \text{ref}(3); \text{skip} \{ \text{Emp} \} \]
In the presence of explicit memory deallocation (via the *free* operation) the weakening rule is usually not desired. We see that *skip* has the same specification as *free*, and thus the logic cannot possibly guarantee that resources are freed.

It is important to note that even if a logic does not have the weakening rule, there might be some other mechanism that could be used to leak resources. In the introduction we mentioned one such mechanism, shareable invariants, which appear in slightly different shapes in different logics, but what is common to all of them is that in existing separation logics for fork-style concurrency they all allow us to prove triples as shown above without explicitly using the weakening rule.

### 2.2 A Model of Traditional Separation Logic

In order to describe the standard model of affine separation logic and to see why it cannot precisely account for resources, we need to fix some notations. We let $\mathcal{H}$ be the set of heap fragments, *i.e.*, partial functions with a finite domain of locations to values. Two such heap fragments can be composed via the partial operation $(\cdot) : \mathcal{H} \times \mathcal{H} \rightarrow \mathcal{H}$. The composition of $\sigma_1$ and $\sigma_2$, denoted $\sigma_1 \cdot \sigma_2$, is only defined when the domains of $\sigma_1$ and $\sigma_2$ are disjoint, in which case it is defined to be the union of the two heap fragments. This operation has the empty heap fragment $\emptyset$ as the unit. The operation $\cdot$ together with $\emptyset$ makes $\mathcal{H}$ into a partial commutative monoid.

We describe how to model propositions $P$ and program specifications $\{P\} e \{w, Q\}$ in two stages. Propositions $P$ are modeled as upwards closed sets of heap fragments, where upwards closure means that if $\sigma \in [P]$, then $\sigma \cdot \sigma_f \in [P]$ for any disjoint heap fragment $\sigma_f$. The points-to and $\text{Emp}$ connectives, and the separating conjunction, are modeled as follows:

\[
\begin{align*}
\llbracket \ell \mapsto v \rrbracket & \triangleq \{ \sigma \in \mathcal{H} \mid \text{dom}(\sigma) \supseteq \{ \ell \} \land \sigma(\ell) = v \} \\
\llbracket \text{Emp} \rrbracket & \triangleq \{ \sigma \in \mathcal{H} \mid \text{dom}(\sigma) \supseteq \emptyset \} = \mathcal{H} \\
\llbracket P \cdot Q \rrbracket & \triangleq \{ \sigma \in \mathcal{H} \mid \exists \sigma_1 \in [P], \sigma_2 \in [Q], \sigma = \sigma_1 \cdot \sigma_2 \}
\end{align*}
\]

It is important to notice that $\llbracket \ell \mapsto v \rrbracket$ contains *all* heap fragments $h$ that contain the location $\ell$ with value $v \leftarrow h$ might contain other locations. Similarly, $\llbracket \text{Emp} \rrbracket$ contains the empty heap fragment, but due to propositions being upwards closed, $\llbracket \text{Emp} \rrbracket$ consequently needs to contain all other heap fragments. This argument also shows that there is no proposition in this logic that can express that the heap is empty.

From these definitions we can also see how the upwards closure justifies the weakening rule $P \cdot Q \vdash P$. If $\sigma \in [P \cdot Q]$, then $\sigma = \sigma_1 \cdot \sigma_2$ for some $\sigma_1 \in [P]$ (and $\sigma_2 \in [Q]$). Thus by definition of the upwards closure, $\sigma \in [P]$.

In contrast to propositions, Hoare triples are not heap dependent. There are some subtleties in defining their meaning precisely, and the precise definition depends on the precise formulation of the operational semantics. In this section we omit these subtleties since they do not affect the main point (in the model of Iron, as described in Section 6, we fix a concrete operational semantics and define the meaning of Hoare triples precisely). With these caveats, we define the Hoare triple $\{P\} e \{w, Q\}$ to be valid when:

- for any heap fragment $\sigma \in [P]$ and any disjoint heap fragment $\sigma_f$,
- running the program $e$ in the heap $\sigma \cdot \sigma_f$ is safe, and,
- if running $e$ in the heap $\sigma \cdot \sigma_f$ terminates with value $w$ and heap $\sigma_{wv}$, then there exists a heap fragment $\sigma' \in [Q]$ disjoint from $\sigma_f$ such that $\sigma_{wv} = \sigma' \cdot \sigma_f$.

We conclude this subsection by showing that the described model of affine separation logic cannot be used to reason precisely about resources. For this, suppose we have proved the triple $\{\text{Emp}\} e \{\text{Emp}\}$. If we let $\sigma_f = \emptyset$, then the interpretation of Hoare triples implies that if we start in
In the previous subsection we saw why traditional affine separation logic cannot guarantee the absence of memory leaks. Hence in this model it is impossible to guarantee the absence of memory leaks.

### 2.3 Separation Logic with Trackable Resources

In the previous subsection we saw why traditional affine separation logic cannot guarantee the absence of resource leaks—there is no proposition in the logic that can describe upper bounds on the number of memory locations. We now introduce a new separation logic with trackable resources to remedy this shortcoming. This new separation logic still has the weakening rule of affine separation logic, however, contrary to traditional separation logic, the use of weakening will be clearly visible in program specifications.

The precise degree of knowledge of the heap is given by a resource fraction, a term of the form $\epsilon_{\pi}$, with $\pi \in (0,1]$. This fraction represents some degree of knowledge of the heap, it is always possible to separate both connectives $\epsilon_{\pi_1} \land \epsilon_{\pi_2} \equiv \epsilon_{\pi_1 + \pi_2}$ and $\epsilon_{\pi_1} \lor \epsilon_{\pi_2} \equiv \epsilon_{\pi_1 + \pi_2}$, so the sum of fractions in the precondition $\preceq$ or postcondition $\succeq$ of each Hoare triple is the same.

Note that it is impossible to replace $\epsilon_{\pi_1}$ by some other postcondition to address this problem. No proposition in this model can give upper bounds on the number of locations, as explained above. Hence in this model it is impossible to guarantee the absence of memory leaks.

The logic with trackable resources needs an additional connective $\epsilon_{\pi}$ (with $\pi \in (0,1]$), which can be thought of as “permission to allocate”. Its meaning is that the $\pi$ fraction of the heap is empty. This is best visible in the following specifications for the basic memory operations as displayed in Figure 2. Allocating a reference requires some degree of knowledge about the heap (thoare-alloc), and in turn we trade that knowledge for the points-to connective, with the same fraction $\pi$. Freeing a location is exactly dual (thoare-free): we regain the knowledge (with the same fraction $\pi$) that the heap is empty. Reading to and writing from a location is exactly as in traditional separation logic, except that there is a fraction $\pi$ on the points-to connectives (thoare-load and thoare-store).

There are a number of rules for manipulating $\epsilon_{\pi}$ and $\ell \mapsto_{\pi} v$. First, since both $\epsilon_{\pi_1}$ and $\ell \mapsto_{\pi} v$ represent some degree of knowledge of the heap, it is always possible to separate both connectives into an empty permission $\epsilon_{\pi_1'}$, along with the original connective at $\pi_2$ for any $\pi_1$ and $\pi_2$ with

\[
\begin{align*}
\text{EMP-SPLIT} & \quad \ell \mapsto_{\pi_1} v \cdot \epsilon_{\pi_2} \vdash \ell \mapsto_{\pi_1 + \pi_2} v \\
\text{PT-SPLIT} & \quad \ell \mapsto_{\pi_1} v \cdot \epsilon_{\pi_2} \vdash \ell \mapsto_{\pi_1 + \pi_2} v \\
\text{PT-DISJ} & \quad \ell_1 \mapsto_{\pi_1} - * \ell_2 \mapsto_{\pi_2} - * \ell_1 \neq \ell_2 \\
\text{THOARE-ALLOC} & \quad \{ v \} \text{ref}(v) \{ \ell, \ell \mapsto_{\pi} v \} \\
\text{THOARE-FREE} & \quad \{ \ell \mapsto_{\pi} - \} \text{free}(\ell) \{ \epsilon_{\pi} \} \\
\text{THOARE-LOAD} & \quad \{ \ell \mapsto_{\pi} v \} \cdot \ell \mapsto w \{ \ell \mapsto_{\pi} w \} \\
\text{THOARE-STOR} & \quad \{ \ell \mapsto_{\pi} - \} \ell \mapsto w \{ \ell \mapsto_{\pi} w \}
\end{align*}
\]

Fig. 2. Selected rules of separation logic with trackable resources for a sequential language.
$\pi_1 + \pi_2 = \pi$ (rules $\text{PT-SPLIT}$ and $\text{EMP-SPLIT}$). These rules are crucial for allocating new locations: the rule for allocation ($\text{THOARE-ALLOC}$) has $\varepsilon_\pi$ as its precondition, which serves as permission to use part of the heap for allocating a new location. So, before allocating a new location, we typically use $\text{PT-SPLIT}$ or $\text{EMP-SPLIT}$ in right-to-left direction to split off a $\varepsilon_\pi$ permission. Dually, the permission $\varepsilon_\pi$ that is given back after deallocation ($\text{THOARE-FREE}$) can subsequently be merged back into another $\varepsilon_{\pi'}$, or $\ell \mapsto \pi'$, $\upsilon$ using $\text{PT-SPLIT}$ or $\text{EMP-SPLIT}$ in left-to-right direction.

Let us see trackable resources in action on the following program:

$$e \triangleq \text{let } \ell_1 = \text{ref}(0) \text{ in let } \ell_2 = \text{ref}(0) \text{ in free}(\ell_1); \text{free}(\ell_2).$$

To show that this program has no memory leaks, we shall prove $\{\varepsilon_\pi\} e \{\varepsilon_\pi\}$ for any $\pi$. First, we use $\text{EMP-SPLIT}$ in right-to-left direction to turn the precondition $\varepsilon_\pi$ into $\varepsilon_{\pi/\ell} \cdot \varepsilon_{\ell/\pi}$. Then, we use $\text{THOARE-ALLOC}$ twice, after which we need to prove $\{\ell_1 \mapsto \varepsilon_{\ell_1}; 0 \mapsto \ell_2 \mapsto \varepsilon_{\ell_2}\} \text{free}(\ell_1); \text{free}(\ell_2) \{\varepsilon_\pi\}$. This follows from two applications of $\text{THOARE-FREE}$, followed by $\text{EMP-SPLIT}$ in left-to-right direction.

The general pattern that we see here is that if we want to prove that a program does not leak memory, we need to prove a Hoare triple of the form $\{P\} e \{w, Q\}$ where the sum of fractions $\pi$ in the precondition $P$ and postcondition $Q$ is the same. Note that for composition it is crucial to write specifications that are parametric in the fraction $\pi$—after all, it is almost impossible to reuse a specification that demands a concrete fraction.

It is important to note that the accounting for resources by means of fractions is precise even if the separation logic enjoys the weakening rule $\pi \cdot \ell \mapsto_\pi \upsilon$. Intuitively, if we would use the weakening rule to forget about a location $\ell \mapsto \pi \cdot \upsilon$, we will not be able to reproduce a postcondition with the right sum of fractions.

Finally, to prevent confusion between the well-known fractional permissions [Boyland 2003] and trackable resources, let us point out the key difference between the two. The rule for the store operation ($\text{THOARE-STORE}$) does not require the full fraction. Instead, owning $\ell \mapsto \pi \cdot \upsilon$ gives exclusive access to $\ell$ regardless of the fraction $\pi$, so owning both $\ell \mapsto \pi - \pi_\ell$ and $\ell' \mapsto \pi' - \pi_{\ell'}$ implies $\ell \neq \ell'$ (rule $\text{PT-DISJ}$), which is not the case for fractional permissions.

### 2.4 A Model of Separation Logic with Trackable Resources

We will now construct a model for the separation logic with trackable resources as described in the previous subsection. The construction is very similar to the model of affine separation logic as described in Section 2.2, but we will use a different partial commutative monoid. For this, let $M$ be the partial commutative monoid with carrier the set $\{0, 1\} \times H$ together with an additional element $\varepsilon$, which is defined to be the unit. Furthermore, we define:

$$(\pi_1, \sigma_1) \cdot (\pi_2, \sigma_2) \triangleq (\pi_1 + \pi_2, \sigma_1 \cdot \sigma_2)$$

whenever $\pi_1 + \pi_2 \leq 1$ and $\sigma_1 \cdot \sigma_2$ is defined; otherwise the operation is undefined. We need to add a separate unit $\varepsilon$ for modeling $\text{Emp}$. Moreover, note that it is crucial that the fractions $\pi$ are nonzero (we use the half-closed interval $\langle 0, 1 \rangle$ instead of $\langle 0, 1 \rangle$), see descriptions of $\varepsilon_\pi$ and $\ell \mapsto \pi \cdot \upsilon$ below for a detailed explanation.

Propositions are modeled as upwards closed sets of elements of $M$. Upwards closure means the same as before: if $m \in \llbracket P \rrbracket$ then $m \cdot m_f \in \llbracket P \rrbracket$, for any $m_f$ for which $m \cdot m_f$ is defined.

The $\text{Emp}$ connective and separating conjunction are modeled as in the model in Section 2.2, replacing the partial commutative monoid of heap fragments with the partial commutative monoid $M$. The interesting part is how the points-to and the $\varepsilon_\pi$ connectives are modeled:

$$\llbracket \ell \mapsto \pi \cdot \upsilon \rrbracket \triangleq \{ (\pi, \sigma) \mid \text{dom}(\sigma) = \{\ell\} \land \sigma(\ell) = \upsilon \}$$

$$\llbracket \varepsilon_\pi \rrbracket \triangleq \{ (\pi, \sigma) \mid \text{dom}(\sigma) = \emptyset \}$$
We now show that the model of separation logic with trackable resources as constructed in the section on trackable resources is adequate when we are allowed to throw away resources. The key idea is to require positive evidence, instead of relying on the absence of resources as evidence in itself. This is important because even if we did not allow explicit weakening in the logic, there might be some other way in which the resources might be leaked, such as invariants. With the approach outlined here, the user of the logic is able to and required to show that they have not forgotten to account for some resources.

To summarize, we have shown how to enable precise reasoning using trackable resources even when we are allowed to throw away resources. The key idea is to require positive evidence, instead of relying on the absence of resources as evidence in itself. This is important because even if we did not allow explicit weakening in the logic, there might be some other way in which the resources might be leaked, such as invariants. With the approach outlined here, the user of the logic is able to and required to show that they have not forgotten to account for some resources.

As we already saw in the simple example in Section 2.3, keeping precise track of resources using fractions results in additional bookkeeping. However, as we will illustrate through numerous examples in the full Iron logic (Section 4), this bookkeeping is principled, and can in fact be hidden in most cases using the more abstract Iron++ logic (Section 5). In the rest of this paper we will show...
Iron: Managing Obligations in Higher-Order Concurrent Separation Logic

3 THE IRON LOGIC

In this section we describe the rich core Iron logic. Contrary to the simple logic with trackable resources that we introduced in Section 2, Iron features support for fork-based concurrency and higher-order functions. To make reasoning about said features possible, Iron not only provides the trackable points-to connectives, but also the full feature set of Iris [Jung et al. 2016, 2018, 2015; Krebbers et al. 2017a], along with a new notion of trackable invariants.

Similar to Iris, Iron is parameterized by the programming language that one wishes to reason about. For the purpose of this paper we instantiate Iron with \( \lambda_{\text{ref,conc}} \)—an ML-like language with higher-order store, explicit deallocation, the fork primitive, and compare-and-set (cas), as given below (the language includes the usual operations on pairs and sums, but we have elided them):

\[
\begin{align*}
\text{val} &::= () \mid z \mid \text{true} \mid \text{false} \mid \ell \mid \lambda x. e \mid \ldots \quad (z \in \mathbb{Z}, \ell \in \text{Loc}) \\
\text{exp} &::= v \mid x \mid e_1(e_2) \mid \text{fork} \{e\} \mid \text{ref}(e) \mid \text{free}(e) \mid !e \mid e_1 \leftarrow e_2 \mid \text{cas}(e_1, e_2) \mid \ldots 
\end{align*}
\]

The language is fairly standard, but has fork \{\} in contrast to simply having a parallel composition operation. The presence of fork makes reasoning considerably more challenging, since the newly created threads are not scoped, \textit{i.e.}, they can run after the parent thread has terminated.

Figure 3 displays the grammar of Iron propositions, and Figure 4 displays a selection of the rules. (We use \( P \vdash Q \) as notation for bidirectional entailment.) For reasons of space, we do not include a detailed description of the connectives and rules Iron inherits from Iris; we refer to Jung et al. [2018] for an extensive formal description, and Birkedal and Bizjak [2017] for a tutorial-style introduction. There are a couple of things that we need to point out though.

Like Iris, but unlike the simple logic from Section 2, Hoare triples \( \{P\} e \{Q\} \) are annotated with a mask \( \mathcal{E} \) to keep track of which invariants can be used. We will discuss masks in more detail in Section 3.2, but ignore them for the first part of this section. Moreover, like Iris, many of the Iron rules involve the “later” modality (▷). This modality is necessary to prevent logical inconsistencies in the presence of impredicative invariants, but it is orthogonal to the novel features of Iron. Thus, it is safe to ignore the modality on the first reading; more details can be found in the previous Iris literature [Jung et al. 2018].

Throughout this section we will explain Iron’s rules for fork-based concurrency (Section 3.1) and trackable invariants (Section 3.2), as well as how Iris’s machinery for ghost state is embedded into Iron (Section 3.3). We finally describe Iron’s adequacy theorem (Section 3.4) that formally ensures no resources are leaked.
**Ordinary separation logic:**

\[
\begin{align*}
\text{HOARE-VAL} & : (P) e \{v / x\} \{w. Q\} E \\
\text{HOARE-\lambda} & : (P) e [v / x] \{w. Q\} E \\
\text{HOARE-BIND} & : (P) e \{v. Q\} E \\
\text{HOARE-LOAD} & : (P) K[e] \{w. R\} E \\
\forall v. \{Q\} K[v] \{w. R\} E \\
\text{HOARE-FREE} & : (P) e \{v. Q\} E \\
\text{PT-SPLIT} & : \ell \mapsto \pi_1 \lor \pi_2 \land \ell \mapsto \pi_1 + \pi_2 \\
\text{PT-DISJ} & : \ell_1 \mapsto \pi_1 \lor \ell_2 \mapsto \pi_2 \lor \ell_1 \neq \ell_2 \\
\text{HOARE-ALLOC} & : (P) \ref(v) [\ell. \ell \mapsto \pi\ v] E \\
\text{HOARE-FORK-TRUE} & : (P) e \{\text{True}\} E \\
\text{HOARE-FORK-EMP} & : (P) e \{\pi\} E \\
\text{INV-DUP} & : N^* \ast N^* \ast \ast N^* \\
\text{INV-ALLOC} & : [P] e \{w. Q\} E \\
\text{INV-OPEN} & : [P \ast \triangleright I] e \{w. Q\} E \\
\text{TINV-SPLIT} & : O_{\text{Perm}} (p_1 + p_2) \ast O_{\text{Perm}} (p_1) \ast O_{\text{Perm}} (p_2) \\
\text{TINV-ALLOC} & : \exists y. P \ast \\llbracket I(y) \rrbracket^N,y \ast O_{\text{Perm}} (1) \ast O_{\text{Perm}} (\pi_1) e \{w. Q\} E \\
\text{TINV-OPEN} & : N \subseteq E \quad \text{atomic}(e) \quad \{P \ast \triangleright I(\pi_1) \ast O_{\text{Perm}} (p)\} e \{w. \exists \pi_2. Q \ast \triangleright I(\pi_2)\} E \setminus N \\
\text{TINV-CASE} & : N \subseteq E \quad \text{atomic}(e) \quad \{P \ast \triangleright I(\pi_1) \ast O_{\text{Perm}} (p)\} e \{w. \exists \pi_2. Q \ast \triangleright I(\pi_2)\} E \setminus N \\
\text{TINV-DEALLOC} & : N \subseteq E \quad \text{atomic}(e) \quad \{P \ast \triangleright I(\pi_1) \ast O_{\text{Perm}} (p)\} e \{w. Q \ast \triangleright O_{\text{Perm}} (\pi_1)\} E \setminus N \\
\end{align*}
\]

**Heap manipulation:**

**Fork-based concurrency:**

**Shareable (Iris) invariants:**

**Trackable (Iron) invariants:**

Fig. 4. Selected rules of the Iron logic.
3.1 Fork-based Concurrency

In order to support concurrency, \( \lambda_{\text{ref,conc}} \) has the expression fork \( \{ e \} \), which spawns a thread \( e \) that is executed in the background. Iron includes two rules for proving Hoare triples involving fork (HOARE-FORK-TRUE and HOARE-FORK-EMP), displayed in Figure 4.

The two rules deal with two different uses for fork \( \{ e \} \). The rule HOARE-FORK-TRUE, which is like the fork rule of Iris, is sufficient if \( e \) either does not make use of memory at all, or if all memory it uses is joined at the end of its execution by means of explicit synchronization (see Section 4.5, where we use this rule to prove the correctness of the parallel composition operator, implemented using a synchronization mechanism). The rule HOARE-FORK-TRUE is insufficient for proving more interesting programs, however. For example, it cannot be used to verify the example from the introduction (Section 1), where there is a cleanup thread, which acts as a “garbage collector” that continually monitors a data structure to see if it is still in use, and otherwise deallocates it. In order to verify such programs, Iron has the additional rule HOARE-FORK-EMP, which allows the forked-off thread to return a permission \( e_{\pi} \) in its postcondition, while the main thread continues to have the permission \( e_{\pi} \) too. Before taking a look at the actual example in Section 4.3, let us show how this rule can be used to prove that the program below is free of memory leaks:

\[
e \triangleq \text{let } \ell_1 = \text{ref} \,(0) \text{ in let } \ell_2 = \text{ref} \,(0) \text{ in fork } \{ \text{free}(\ell_1) \} ; \text{free}(\ell_2).
\]

This program is much like the example from Section 2.3, but the location \( \ell_1 \) is now deallocated by a forked-off thread instead of by the main thread. In order to establish \( \{ e_{\pi} \} \, e \{ e_{\pi} \} \) (for any \( \pi \)), we first use EMP-SPLIT in right-to-left direction to turn our precondition into \( e_{\pi} / 2 \star e_{\pi} / 2 \), and use HOARE-ALLOC twice, after which it remains to prove \( \{ \ell_1 \mapsto_{\pi/2} 0 \star \ell_2 \mapsto_{\pi/2} 0 \} \text{fork} \, \{ \text{free}(\ell_1) \} ; \text{free}(\ell_2) \{ e_{\pi} \} \). To do so, we use HOARE-FORK-EMP, after which it suffices to prove the following Hoare triples:

\[
\{ \ell_1 \mapsto_{\pi/2} 0 \} \text{free}(\ell_1) \{ e_{\pi/2} \} \quad \{ \ell_2 \mapsto_{\pi/2} 0 \star e_{\pi/2} \} \text{free}(\ell_2) \{ e_{\pi} \}
\]

The first of these triples follows from HOARE-FREE and the second follows from a combination of HOARE-FREE and EMP-SPLIT.

Suppose we had instead used HOARE-FORK-TRUE, then we would have had to show:

\[
\{ \ell_1 \mapsto_{\pi/2} 0 \} \text{free}(\ell_1) \{ \text{True} \} \quad \{ \ell_2 \mapsto_{\pi/2} 0 \} \text{free}(\ell_2) \{ e_{\pi} \}
\]

The second goal is the issue: without the \( e_{\pi/2} \) from the forked-off thread we cannot reconstruct the full \( e_{\pi} \), needed to satisfy the postcondition.

3.2 Shared and Trackable Invariants

Similar to Iris, Iron supports shared invariants \( \prod^N \), which can be used to share resources between any number of (forked-off) threads. Shared invariants are impredicative, because the resources that are guarded by the invariant are described by an arbitrary Iron proposition \( I \), which may contain Hoare triples, or even nested invariants themselves. In this section, we will briefly recap how shared invariants are used in Iris, followed by a discussion showing that shared invariants do not provide the appropriate level of abstraction to reason about correct disposal of resources. We then introduce Iron’s novel solution to this: trackable invariants.
Shared (Iris) invariants work as follows: Using the rule INV-ALLOC, one may transfer any proposition $I$ into an invariant $I^N$. This assertion is *duplicable* \(^2\) (INV-DUP), and can thus be freely shared among any number of threads. Converting resources $I$ into an invariant that may be shared among threads comes at a price—using the rule INV-OPEN, one can only get *temporary* access to $I$ for the duration of an instruction $e$ that is *physically atomic* (denoted atomic($e$)). The restriction to physically atomic instruction $e$ is essential for soundness: within the verification of $e$, the invariant $I$ might be temporarily broken, but since the execution of physically atomic instructions is limited to a single step, it is ensured that no other thread can observe that $I$ was broken. In $\mathcal{L}_{\text{ref,conc}}$, reading and writing from memory ($!$ and $\leftarrow$), allocation and deallocation (ref and free), and compare-and-set (cas) are all physically atomic operations, and can thus be used by the rule INV-OPEN.

Though powerful, shared (Iris) invariants have two limitations:

1. once a proposition $I$ is put into an invariant $I^N$, it can never be taken out, and,
2. once a proposition $I$ is put into an invariant $I^N$, it can never be changed.

The first limitation means that if we simply put $\ell \mapsto \pi \gamma$ into an invariant, we can never get it back to free the location (using the free instruction). The second limitation means that once we put $\ell \mapsto \pi \gamma$ into an invariant, we can never change the fraction $\pi$. Both of these limitations could be worked around by more explicit accounting of fractions, and by making use of ghost state. However, doing so would lead to excessive bookkeeping of fractions and overly rigid specifications, which is problematic when building hierarchies of specifications, e.g., when specifying a module in terms of other modules. Related to that, as we will show in Section 5.2, shared invariants cannot be integrated into the more abstract logic Iron\(^++\), which hides the fractions.

Trackable (Iron) invariants capture a common pattern of use when reasoning about resources, and thereby solve both of these limitations. They also form the key ingredient to enable exact resource accounting in the more abstract logic Iron\(^++\) in Section 5. Although trackable invariants are in fact encoded in terms of ordinary shared (Iris) invariants, we will not discuss this encoding here, but focus on the connectives and reasoning principles they provide.

The proof pattern supported by trackable invariants is as follows. When we use the rule TINV-ALLOC to allocate the invariant, we obtain the following three resources:

- The *trackable invariant assertion* $[\pi, I]^N \gamma$, which expresses the knowledge that the invariant exists.\(^3\) Like shared invariants, the trackable invariant assertion is duplicable (TINV-DUP), but unlike shared invariants, it does not provide immediate access to $I$.
- The *opening token* $\text{OpPerm}_\gamma(p)$ where $p \in (0, 1]$, which provides the permission to *open* the invariant using the rule TINV-OPEN, i.e., it provides the permission to temporarily access the resources $I$. The fraction $p$ should not be confused with the fractions $\pi$ that are used to express the degree of knowledge of the heap. The fraction $p$ is a fractional permission [Boyland 2003].

---

\(^1\) Every invariant has a namespace $N$ [Jung et al. 2018], which appears in the invariant assertion $I^N$. Namespaces are needed to avoid reentrancy, which in the case of invariants means avoiding “opening” the same invariant twice in a nested fashion. Reentrancy is avoided by annotating Hoare triples $\{p\} e \{v. Q\}_{E}$ with a mask $E$, representing the names of invariants which can be used. When the mask $E$ is omitted it is assumed to be the set of all masks. In practice the use of masks results in some additional bookkeeping orthogonal to our focus, and thus we mostly ignore namespaces in this paper.

\(^2\) Technically, the invariant proposition $I^N$ is *persistent*, which is stronger property than being duplicable, e.g., it allows one to move the proposition in and out of the precondition of a Hoare triple. For this paper, the exact difference between duplicable and persistent does not matter, and we refer to Jung et al. [2018] for further details.

\(^3\) Due to technical reasons related to the encoding in Iris, trackable invariants $[\pi, I]^N \gamma$ have both a namespace $N$, which is chosen by the user that allocates the invariant, and an *invariant name* $\gamma$, which is dynamically chosen upon allocation of the invariant. The namespace $N$ is used to prevent reentrancy, exactly the same as for shared invariants. The invariant name $\gamma$ is used to connect the knowledge of the invariant assertion with the opening and deallocation tokens.
for the specific invariant: \( p = 1 \) provides unique ownership of the invariant, while \( p < 1 \) provides shared ownership of the invariant. The fraction can be split using the rule \text{TINV-SPLIT}.  
- The deallocation token \( \text{DPerm}_y(\pi) \), which together with the full opening token \( \text{OPerm}_y(1) \) provides the permission to deallocate the invariant using the rule \text{TINV-DEALLOC}, i.e., it allows to permanently take out the resources \( I \) of the invariant.

Trackable invariants solve limitation (1); due to the fact that we have the opening and deallocation tokens, we can keep track of the number of threads that may access the invariant. Whenever there is just one thread left (i.e., we own \( \text{OPerm}_y(1) \) and \( \text{DPerm}_y(\pi) \)), it can be deallocated using the rule \text{TINV-DEALLOC}. Before describing the details of these tokens (in particular, why there is a separate open and deallocation token), let us see how trackable invariants address limitation (2).

To address limitation (2), the proposition \( I \) in \( [\pi, I]^N_y \) is parameterized by a fraction \( \pi \in (0, 1] \). (In the notation, \( \pi \) is used as a binder to provide syntactical convenience.) Parameterizing \( I \) by a fraction makes the invariant easier to use since we do not have to reestablish it at the same fraction we opened it. To see how this works, let us take a look at the rule \text{TINV-OPEN} for opening trackable invariants. This rule requires \( e_{\pi_1} \) in order to open the invariant, and in turn, provides the resources \( I \) at the fraction \( \pi_1 \) for the duration of the physically atomic instruction. After the verification of the atomic instruction has been concluded, \( I \) needs to be reestablished, but this may be done at a different fraction \( \pi_2 \). After closing the invariant, we thus get back \( e_{\pi_2} \) in return.

For the rule \text{TINV-OPEN} to be sound, the proposition \( I \) must be uniform w.r.t. fractions:

\[
\text{uniform}(I) \triangleq \forall \pi_1, \pi_2. \ I(\pi_1 + \pi_2) \vdash I(\pi_1) \ast e_{\pi_2}.
\]

Conceptually, this condition means that the fraction \( \pi \) in \( I \) is only used by connectives \( e_{\pi} \) and \( \ell \mapsto_{\pi} \upsilon \) appearing in \( I \). A way to think about the use of the permission \( e_{\pi} \) in the rule \text{TINV-OPEN} is that we temporarily trade the resources \( e_{\pi} \) for the resources \( I(\pi) \); uniformity allows exactly this.

When allocating or deallocating a trackable invariant \( [\pi, I]^N_y \) (using the rules \text{TINV-ALLOC} and \text{TINV-DEALLOC}, respectively) we also need to take the fraction \( \pi \) into account. To make this possible, the deallocation token \( \text{DPerm}_y(\pi) \) records the fraction \( \pi \) at which the invariant \( I \) was initially established. As such, when allocating a trackable invariant, one needs to establish the invariant \( I \) at the same fraction \( \pi \) as the one recorded in the deallocation token \( \text{DPerm}_y(\pi) \). Dually, upon deallocation, the invariant \( I \) is returned at the fraction \( \pi \) recorded in the deallocation token \( \text{DPerm}_y(\pi) \), making sure no resources have gotten lost in action.

As will be shown in Section 4.2, it is often useful to put some fraction \( p \) of the opening token in the invariant resource \( I \). To facilitate this, the rules for trackable invariants feature some interesting bells and whistles. Firstly, since the invariant name \( y \) is dynamically chosen upon allocation (as witnessed by the existential quantifier \( \exists y \) in the rule \text{TINV-ALLOC}), the invariant \( I \) needs to be initially established for any \( y \) (i.e., one needs to prove \( \forall y. \triangleright I(\pi_1) \) in the rule \text{TINV-ALLOC}). Secondly, in case a fraction of the token \( \text{OPerm}_y(p) \) resides in the invariant \( I \), it may be the case that the full permission \( \text{OPerm}_y(1) \) is not present up front when deallocating an invariant. As such, the deallocation rule \text{TINV-DEALLOC} allows one to first obtain the contents \( I \) of the invariant, and then also use \( I \) to account for the full permission \( \text{OPerm}_y(1) \) to justify the deallocation of the invariant.

The fact that we may store the opening token \( \text{OPerm}_y(p) \) in the invariant itself, is also the reason Iron has a separate deallocation token \( \text{DPerm}_y(\pi) \). The token \( \text{DPerm}_y(\pi) \) is not uniform with respect to the fraction \( \pi \), and thus cannot be put into the invariant.

### 3.3 Ghost State

Iron inherits Iris’s sophisticated mechanism for *ghost state*, which can be used to keep track of additional verification information that is not present in the source code of the program itself. For
We will see an example of ghost state in Section 4.1.

To formally establish that Iron ensures that resources are correctly disposed of, we show an adequacy theorem that its result is a particular number, or that it does not leak memory when executed. That is what Iron’s adequacy theorems allow us to conclude.

### Thread-local head reduction:

\[
(\lambda x. e) \nu, \sigma \to_h (e[v/x], \sigma) \quad \text{(ref(\nu), \sigma)} \to_h (\ell, \sigma[\ell \mapsto \nu]) \quad \text{if } \ell \notin \text{dom}(\sigma)
\]

\[
\text{fork } \{ e \}, \sigma \to_h ((), \sigma, e) \quad (\ell \leftarrow \nu, \sigma[\ell \mapsto w]) \to_h (((), \sigma[\ell \mapsto v]) \quad \text{if } \ell \notin \text{dom}(\sigma)
\]

### Threadpool reduction:

\[
\begin{align*}
(e_1, \sigma_1) & \to_t (e_2, \sigma_2, \vec{e}_f) \\
& \equiv (T; e_1; T', \sigma) \to_{tp} (T; e_2; T'; \vec{e}_f, \sigma_2)
\end{align*}
\]

Fig. 5. Selected rules of the operational semantics of \( \lambda_{ref,conc} \).

the purpose of this paper, it suffices to know that ghost state can be used to encode transition systems, which can be used to control the transitions made by different threads. Some of these transitions are expressed in terms of a view shift \( P \Rightarrow e P' \), which says that, potentially through a ghost state transition, the resource \( P \) can be turned into \( P' \). The generalized rule of consequence below says that we can apply view shifts in the pre- and postconditions of triples:

\[
\frac{\text{HOARE-CONS}}{P \Rightarrow e P' \quad \{P'\} E e \{w. Q'\} E \quad \forall w. (Q' \Rightarrow e Q) \quad \{P\} E e \{w. Q\} E}
\]

We will see an example of ghost state in Section 4.1.

### 3.4 Adequacy

To formally establish that Iron ensures that resources are correctly disposed of, we show an adequacy statement with respect to a standard call-by-value operational semantics of \( \lambda_{ref,conc} \).

**Operational semantics.** The operational semantics of \( \lambda_{ref,conc} \) is given by means of small-step operational semantics; we show selected rules in Figure 5. It is defined in terms of configurations \((T, \sigma)\), which consist of a threadpool \( T \) (a list of expressions) and a heap \( \sigma \) (a finite partial function from locations to values). The main part of the semantics is the threadpool reduction \( (T, \sigma) \to_{tp} (T', \sigma') \), and its reflexive-transitive closure \((T, \sigma) \to_{tp} (T', \sigma') \).

Configurations \((T, \sigma)\) are reduced by non-deterministically choosing a thread \( e_1 \in T \) from the threadpool \( T \), and letting this thread make a thread-local reduction \( (e_1, \sigma_1) \to_t (e_2, \sigma_2, \vec{e}_f) \). Following the conventions in Iris [Jung et al. 2018], the thread-local reduction relation includes a list of newly forked-off threads \( \vec{e}_f \). As usual, thread-local reduction is defined in terms of a thread-local head reduction relation \( (e_1, \sigma_1) \to_h (e_2, \sigma_2, \vec{e}_f) \), which is lifted by means of standard call-by-value evaluation contexts \( K \) to thread-local reductions \( (K[e_1], \sigma_1) \to_t (K[e_2], \sigma_2, \vec{e}_f) \).

**Adequacy.** The adequacy theorem is crucial for inferring properties of the operational behavior of programs from their logical specifications because these are often very abstract and involve higher-order quantification, ghost state, invariants, etc. While these features are necessary for specifying open programs and modules, in the end, we typically compose individual modules into a closed program and wish to conclude, e.g., that its result is a particular number, or that it does not leak memory when executed. That is what Iron’s adequacy theorems allow us to conclude.

**Theorem 3.1 (Basic adequacy).** Let \( \phi \) be a first-order predicate over values and suppose the Hoare triple \( \{e_1\} e \{w. \phi(w)\} \) is derivable in Iron. If we have:

\[
(e, \emptyset) \to_{tp} ((e_1, e_2, \ldots, e_n), \sigma)
\]

then the following properties hold:
(1) **Postcondition validity:** If $e_1$ is a value, then $\phi(e_1)$ holds at the meta-level.

(2) **Safety:** Each $e_i$ that is not a value can make a thread-local reduction step.

This theorem provides the normal adequacy guarantees of Iris-like logics: safety, which ensures that threads cannot get stuck, and it ensures that the postcondition holds for the resulting value.

The novel part of Iron is the next adequacy theorem, which guarantees that once all threads have terminated, all resources have been disposed of properly.

**Theorem 3.2 (Adequacy for correct usage of resources).** Suppose the Hoare triple $\{e_1\} e \{e_1\}$ is derivable in Iron and we have: $(e, \emptyset) \rightarrow^*_{tp} ((e_1, e_2, \ldots, e_n), \sigma)$. If all expressions $e_i$ are values, then $\sigma = \emptyset$.

Note that the adequacy theorem for correct usage of resources requires all threads to have terminated, whereas the basic adequacy theorem for postconditions only requires the main thread to have terminated. This is due to our strong fork rule $\text{HOARE-FORK-EMP}$, which allows one to transfer resources $e_{\pi}$ to the forked-off thread. These resources are only ensured to be correctly disposed of once the forked-off thread terminates (e.g., the forked-off thread could just loop, and never dispose of the resources that were transferred to it).

The adequacy theorems presented in this section are special cases of more generic adequacy statements, which allow one to start and end in an arbitrary heap, instead of the empty heap $\emptyset$. The proofs of the adequacy theorems are discussed in Section 6.

### 4 Examples

In this section, we will specify and verify a channel module inspired by the one in Singularity OS (Section 4.3), as well as a client of that channel module (Section 4.4). Before doing that, we verify a simpler example—first in the setting of scoped concurrency, using the parallel composition operator (Section 4.1), and then in the setting of unscoped concurrency, using fork (Section 4.2).

**Parallel composition.** The parallel composition operator is not primitive in our language, but it is definable via fork in the usual way (Section 4.5). Parallel composition can be given the following specification (where $P_i$ and $Q_i$ are arbitrary Iron propositions):

$$\forall i \in \{1, 2\}. \{P_i\} e_i \{w_i. Q_i\}$$

$$\{P_1 \ast P_2 \ast e_{\pi}\} e_1 || e_2 \{w_1, w_2. Q_1 \ast Q_2 \ast e_{\pi}\}$$

This rule is almost the same as the usual rule for parallel composition of CSL, but for the $e_{\pi}$ in the pre- and postconditions. The reason $e_{\pi}$ is needed is that the implementation of parallel composition uses a location to signal between the forked-off thread, which runs $e_2$, and the main thread, which runs $e_1$. (In Section 5.3 we show how to hide this fraction.) We will prove this rule in Section 4.5, since its proof illustrates an important feature of Iron. For now, we will assume this rule to hold.

#### 4.1 Resource Transfer Using Parallel Composition

Consider the following example program:

```plaintext
e_{\text{par}} \triangleq \text{let } \ell = \text{ref } (\text{None}) \text{ in}
\quad \text{let } \ell' = \text{ref } (\text{0}) \text{ in}
\quad \ell \leftarrow \text{Some } \ell'
\quad \text{(rec cleanup() = match } ! \ell \text{ with}
\quad \quad \text{None } \Rightarrow \text{ cleanup()}
\quad \quad \text{| Some } \ell' \Rightarrow \text{ free}(\ell')
\quad \text{end)()}
\quad \text{free}(\ell)
```

The idea is that the location $\ell$ acts as a channel. The left thread sends a message (the location $\ell'$), while the right thread waits until it receives the message (using a busy loop), and then deallocates the location $\ell'$. After both threads finish, we dispose of the location $\ell$.

To show that this program does not leak memory, we will prove $\{v_e\} \mathit{e}_{\text{par}} \{v_e\}$. Since the location $\ell$ is shared among two threads, the proof will become slightly more complicated than the examples we have seen so far—we will need a trackable invariant to account for the sharing that occurs. This invariant contains a disjunction of the possible states in which the program may be in:

$$I(\pi) \triangleq (s_1(\gamma_{\mathit{sts}}) * \ell \mapsto \mathit{None}) \lor (s_2(\gamma_{\mathit{sts}}) * \exists \ell' : \pi_1 \pi_2 : (\pi = \pi_1 + \pi_2) * \ell \mapsto \pi_1 \mathit{Some} \ell' * \ell' \mapsto \pi_2 -) \lor (s_3(\gamma_{\mathit{sts}}) * \ell \mapsto \mathit{None})$$

(initial state)

In order to keep track of the state of the invariant, we use a transition system consisting of tokens $s_j(\gamma_{\mathit{sts}})$ and $t_j(\gamma_{\mathit{sts}})$ for $j \in \{1, 2, 3\}$. The tokens $s_j(\gamma_{\mathit{sts}})$ appear in the different states of the invariant $I$, while the tokens $t_j(\gamma_{\mathit{sts}})$ are carried around through the pre- and postconditions of the Hoare triples so as to ensure that the invariant is in the expected state. The transition system is modeled using ghost state, following the usual approach in Iris, and gives rise to the rules in Figure 6.

Let us sketch the proof of $\{v_e\} \mathit{e}_{\text{par}} \{v_e\}$. Starting with the precondition $v_e$, we first split it into 4 parts $v_{e_1}$. We use one part $v_{e_1}$ to allocate the location $\ell \mapsto \mathit{None}$ (using $\mathit{HOARE-ALLOC}$), one part for the precondition of $\mathit{HOARE-PAR}$, and the other parts for both threads. We allocate the tokens $t_1(\gamma_{\mathit{sts}})$, $s_1(\gamma_{\mathit{sts}})$ and $t_2(\gamma_{\mathit{sts}})$ using the first rule in Figure 6, which sets us up with all the resources needed to establish the initial state of the invariant $I$. So, using $\mathit{TINV-ALLOC}$, we obtain $\mathcal{E}[I(\pi)]_{\pi_{\mathit{Perm}}}^N \gamma$, thereby giving up $s_1(\gamma_{\mathit{sts}})$ and $\ell \mapsto \mathit{None}$ (i.e., the left disjunct of $I(\mathit{\pi})$), while getting $\mathit{OPerm_\gamma}(\mathit{1})$ and $\mathit{DPerm_\gamma}(\mathit{\pi_1})$ in return. To proceed, we rearrange the resources as follows:

<table>
<thead>
<tr>
<th>Deallocation token</th>
<th>For par</th>
<th>Precondition of the left thread</th>
<th>Precondition of the right thread</th>
</tr>
</thead>
<tbody>
<tr>
<td>$\mathit{OPerm_\gamma}(\mathit{\pi_1})$ *</td>
<td>$v_{e_1}$ *</td>
<td>$t_1(\gamma_{\mathit{sts}})$ * $v_{e_1}$ *</td>
<td>$t_2(\gamma_{\mathit{sts}})$ * $v_{e_1}$ *</td>
</tr>
</tbody>
</table>

This rearrangement allows us to use the rule $\mathit{HOARE-PAR}$, which in turn, requires us to prove the following Hoare triples for the left and right thread, respectively:

{}.$t_1(\gamma_{\mathit{sts}})$ * $v_{e_1}$ * $\mathit{OPerm_\gamma}(\mathit{\pi_1})$ \{left\} $v_{e_1}$ * $\mathit{OPerm_\gamma}(\mathit{\pi_1})$

{}.$t_2(\gamma_{\mathit{sts}})$ * $v_{e_1}$ * $\mathit{OPerm_\gamma}(\mathit{\pi_1})$ \{right\} $t_3(\gamma_{\mathit{sts}})$ * $v_{e_1}$ * $\mathit{OPerm_\gamma}(\mathit{\pi_1})$

To verify the left thread, we split $v_{e_1}$ up into $v_{e_1}$ and $v_{e_1}$. We use the first $v_{e_1}$ to allocate $\ell' \mapsto \mathit{None}$ (using $\mathit{HOARE-ALLOC}$). We then open the invariant (using $\mathit{TINV-OPEN}$) using the other permission $v_{e_1}$. Since we own the token $t_1(\gamma_{\mathit{sts}})$, we know the invariant is in the initial state. We thus obtain $\ell \mapsto \mathit{None}$. None, and by using the assignment rule $\mathit{HOARE-STORE}$, we then obtain $\ell \mapsto \mathit{None}$ Some $\ell'$. Combining this with $\ell' \mapsto \mathit{None}$ 0, we close the invariant in the second state (after updating the tokens of the transition system using the rule $t_1(\gamma_{\mathit{sts}})$ * $s_1(\gamma_{\mathit{sts}})$ * $s_2(\gamma_{\mathit{sts}})$, as shown Figure 6). Subsequently, we close the invariant with fraction $\pi_{\mathit{e_1}}$ (this fraction corresponds to the sum of the fractions of the two points-to propositions). This concludes the proof of the left thread.
For the right thread we wait until the invariant is in the second state (technically this is achieved by using Löb induction and opening and closing the invariant using $e_{\pi/4}$ for each iteration of the busy loop). Once it is in the second state (recall that we have the token $t_2(y)$, which guarantees it can never be in the third state), we obtain fractions $\pi_{41}$ and $\pi_{42}$ with $\ell \mapsto \pi_{4i}$. Some $\ell'$, and $\ell' \mapsto \pi_{4i} -$, and $\pi/4 = \pi_{41} + \pi_{42}$. We then update the transition system to $t_3(y_{\text{sts}})$, and close the invariant using $\ell \mapsto \pi_{4i} -$, obtaining $e_{\pi_{41}}$. After freeing the location $\ell'$, we conclude the proof of the right thread.

After having verified both threads, we have the following resources left:

$$\begin{align*}
D\text{Perm}_Y (\pi/4) & \ast e_{\pi/4} \ast e_{\pi/4} \ast D\text{Perm}_Y (\ell/2) \ast t_3(y_{\text{sts}}) \ast e_{\pi/4} \ast D\text{Perm}_Y (\ell/2) \\
\text{deallocation token} & \text{for par} & \text{postcondition of the left thread} & \text{postcondition of the right thread}
\end{align*}$$

We now consider a slight modification of the previous example. This example illustrates the utility of transferring the token $D\text{Perm}_Y (p)$ to open the invariant through the invariant itself:

$$\begin{align*}
e_{\text{fork}} \triangleq & \text{let } \ell = \text{ref (None)} \text{ in} \\
& \text{let rec cleanup()} = \text{match } \ell \text{ with} \\
& \text{None } \Rightarrow \text{cleanup()} \\
& \text{| Some } \ell' \Rightarrow \text{free}(\ell'); \text{free}(\ell) \\
& \text{end in} \\
& \text{fork } \{\text{cleanup()}\}; \\
& \text{let } \ell' = \text{ref (0)} \text{ in } \ell \leftarrow \text{Some } \ell'
\end{align*}$$

The modification is in the fact that now the main thread is sending the location $\ell'$ to an independent thread. Thus instead of parallel composition we use fork. This also means that the receiving thread must deallocate the channel once it is done with receiving the message—after all, the main thread does not wait for the receiving thread to terminate.

Note that even though this example is contrived, it reflects a common pattern. Instead of the cleanup function in the forked-off thread, we could imagine a runtime system that would reclaim the memory, and then the specification of a method would indicate that either the method itself dispose of resources, or it has passed them to the runtime system.

In Iron, we again prove $\{e_{\pi}\} e_{\text{fork}} (e_{\pi})$ to show that the program does not leak memory resources. The verification of the program is much the same as it was before—we use a trackable invariant, and put the location $\ell$ into it so it can be shared between both threads. The invariant we use is almost the same as before, but since there is no “join” after the forked-off cleanup thread is finished, the forked-off thread will be in charge of deallocating the invariant. To achieve that, we will transfer the token $D\text{Perm}_Y (\ell/2)$ from the main thread to the forked-off thread. This is done by slightly
augmenting the invariant that we use (the change from the previous one is highlighted in blue):

\[
I(\pi) \triangleq (s_1(y_{sts}) \ast \ell \mapsto_{\pi} \text{None}) \lor \\
(s_2(y_{sts}) \ast \exists \ell' \pi_1 \pi_2. (\pi = \pi_1 + \pi_2) \ast \ell \mapsto_{\pi_1} \text{Some} \ell' \leftrightarrow_{\pi_2} - \ast \text{OPerm}_{\gamma}(1/2) \lor \\
(s_3(y_{sts}) \ast \ell \mapsto_{\pi} -)
\]

The proof then proceeds almost the same as before, except that the main thread transfers its \text{OPerm}_{\gamma}(1/2) token into the invariant together with the location \ell'. Subsequently, the forked-off thread takes out the token \text{OPerm}_{\gamma}(1/2) when the invariant is in the second state, combines it with its own token \text{OPerm}_{\gamma}(1/2), so it can deallocate the invariant.

4.3 The Channel Module

We now present our main example of memory management, a core implementation of a channel module for communication between two threads. This example is inspired by the implementation of inter-process communication in Singularity OS [Fähndrich et al. 2006].

A channel consists of two endpoints which both support three operations: send (send a message), receive (receive a message), and close (close the endpoint). The idea is that each thread gets an endpoint, and a message is sent from one thread to another if the sending thread calls send on its endpoint, and the receiving thread calls receive on its endpoint.

There are several intricacies in the verification of this module:

- A channel is alive as long as either of its endpoints is alive (i.e., not closed). In particular, one can send messages over the channel even if the receiving endpoint is closed. This is to reduce the need for inter-thread signaling.
- To reduce overhead, only primitive types (e.g., integers and pointers) can be send over the channel. However, one can send pointers to compound data structures (e.g., linked lists) over the channel, and thus transfer the ownership of compound data structures too.
- Each channel endpoint has a queue of messages it has received. Adding and removing to this queue uses no locking, or other fine-grained synchronization mechanisms, since it is a single consumer/single producer queue.

There are thus several challenging aspects from the memory management perspective. For example, we can allocate a linked list in one thread and send a pointer to it through the channel. But it may turn out that the other endpoint (owned by some other thread) has already closed at this point, so who should be in charge of disposing of the linked list?

In Singularity OS, the runtime system keeps track of channels, and when both endpoints of a channel are closed, the runtime system disposes of the memory still owned by the message queues, as well as the auxiliary data structures of the channel. Here we model the runtime system by a background thread which is responsible for said disposal. This background thread waits until both endpoints of the channel are closed, at which point it disposes of the memory still in the message queues, the queues themselves, as well as the auxiliary locations used to keep track of the liveness of channels. This is best shown by means of the constructor of the channel module:

\[
\text{newchannel}(d) \triangleq \\
\text{let } q_x = \text{qNew}() \text{ in let } q_y = \text{qNew}() \text{ in} \\
\text{let } x_a = \text{ref (true)} \text{ in let } y_a = \text{ref (true)} \text{ in} \\
\text{let rec cleanup()} = \text{if } ! x_q \text{ then cleanup()} \\
\text{else if } ! y_a \text{ then cleanup()} \\
\text{else qDealloc}(d, q_x); qDealloc(d, q_y); free(x_a); free(y_a) \\
\text{fork } \{(\text{cleanup}()); ((q_x, q_y, x_a), (q_y, q_x, y_a)) \}
\]
Two messages queues (which have operations qNew for creating a queue, qInsert and qRemove for inserting and removing an element, and qDealloc for deallocation) \(q_x\) and \(q_y\) are created, as well as two references to Boolean flags \(x_a\) and \(y_a\) to keep track of whether the channel is still alive (true) or not (false). In addition, newchannel forks off a background thread cleanup, which is responsible for cleaning up any remaining memory left over when both of the endpoints are closed. The method is parameterized by a destructor \(d\), which depends on what data structures are sent through the channel. The destructor \(d\) is passed to qDealloc to deallocate all elements in the queue.

The code of the send, receive, and close methods is as follows:

\[
\begin{align*}
\text{send}(\text{ep}, w) &\triangleq \text{let } (q_{\text{recv}}, q_{\text{send}}, x) = \text{ep } \text{qInsert}(q_{\text{send}}, w) \\
\text{receive}(\text{ep}) &\triangleq \text{let } (q_{\text{recv}}, q_{\text{send}}, x) = \text{ep } \text{in} \\
&\quad \text{let rec } \text{recv}() = \text{match } \text{qRemove}(q_{\text{recv}}) \text{with} \\
&\qquad \text{None } \Rightarrow \text{recv}() \\
&\qquad | \text{Some } w \Rightarrow w \\
&\quad \text{end in } \text{recv}() \\
\text{close}(\text{ep}) &\triangleq \text{let } (q_{\text{recv}}, q_{\text{send}}, x) = \text{ep } \text{in} \ x \leftarrow \text{false}
\end{align*}
\]

The send method has two arguments. The first is the endpoint, the second is the value to be sent. Sending a message means inserting it into the message queue of the receiving endpoint. The receive method waits until there is a message on the endpoint, i.e., it is blocking. The fact that it is blocking is inessential, however it simplifies its use. The close method simply sets the flag of the endpoint to false (meaning the endpoint is no longer alive).

**Specification of the channel module.** The specifications of the channel module is parameterized by an Iron predicate \(\Phi(w, \pi)\) on values and fractions that describes the invariant that each message that is sent over the channel should satisfy. For instance, \(\Phi(w, \pi)\) could be \(\exists n. w \mapsto n * \text{even}(n)\), specifying that only even numbers are sent over the channel, but it could also be something more sophisticated like the “list predicate”. To specify the methods of the channel module, we use two abstract predicates Endpoint\(_i\)(ep, \(\gamma\), \(\pi\)) and Endpoint\(_j\)(ep, \(\gamma\), \(\pi\)), corresponding to the two endpoints. The specifications we prove are as follows (where \(i \in \{1, 2\}\), and \(d\) is a destructor function satisfying \(\{\Phi(w, \pi)\} d(w) \{\varepsilon_{\pi}\}\) for each value \(w\) and fraction \(\pi\):

\[
\begin{align*}
\{\varepsilon_x\} \text{newchannel}(d) &\{ (\pi = \pi_1 + \pi_2) * \\
\{ \text{Endpoint}_1(ep, \gamma, \pi_1) * \Phi(w, \pi_2) \} \} \\
\{ \text{Endpoint}_j(ep, \gamma, \pi_1) * \Phi(w, \pi_2) \} \} &\text{send}(ep, w) \{ \text{Endpoint}_j(ep, \gamma, \pi_1 + \pi_2) \} \\
\{ \text{Endpoint}_i(ep, \gamma, \pi) \} \} &\text{receive}(ep) \{ w. \exists \pi_1, \pi_2. (\pi = \pi_1 + \pi_2) * \\
\{ \text{Endpoint}_j(ep, \gamma, \pi_1) * \Phi(w, \pi_2) \} \} \\
\{ \text{Endpoint}_i(ep, \gamma, \pi) \} \} &\text{close}(ep) \{ \varepsilon_{\pi} \}
\end{align*}
\]

Both of the channel endpoints have the same specifications: in case we send a message, it needs to satisfy \(\Phi\), and when we receive a message, we know it satisfies \(\Phi\). We could give a stronger specification to the channel module, e.g., using TaDa style logical atomic triples [da Rocha Pinto et al. 2014] or HOCA-P-style specification [Svensden et al. 2013] that provides tighter guarantees about the messages being sent. However, that is an orthogonal consideration from memory management, so here our protocol is simply that all messages satisfy \(\Phi\).

**Implementation of the channel module.** The channel uses two queues to transfer messages between the endpoints; one queue for each endpoint. Since there is exactly one producer and one consumer,
the queue need not use any locking or any other synchronization mechanism, such as compare-and-set (cas), to work correctly. To verify the channel module, it suffices to know that the queue behaves as a bag storing elements satisfying an Iron predicate \( \Phi(w, \pi) \). Its specification is as follows (where \( d \) is a destructor function satisfying \( \{ \Phi(w, \pi) \} d(w) \{ \epsilon_\pi \} \) for each value \( w \) and fraction \( \pi \):\(^4\)

\[
\{ \epsilon_\pi \} \text{qNew}(w) \{ q \cdot \exists y, \pi_1, \pi_2, \pi_3, \pi = (\pi_1 + \pi_2 + \pi_3) * iHandle(q, y, \pi_1) * \}
\{ \Phi(w, \pi_1) * iHandle(q, y, \pi_2) \} \text{qInsert}(q, w) \{ iHandle(q, y, \pi_1 + \pi_2) \}
\{ rHandle(q, y, \pi) \} \text{qRemove}(q) \left\{ \begin{array}{l}
(w = \text{None} * rHandle(q, y, \pi)) \lor \\
\exists w', \pi_1, \pi_2, (\pi = \pi_1 + \pi_2) * w = \text{Some} w' *
\end{array} \right\}
\{ \Phi(w', \pi_2) \} \}
\{ iHandle(q, y, \pi_1) * \\
rHandle(q, y, \pi_2) *
\} \text{qDealloc}(d, q) \{ \epsilon_{\pi_1+\pi_2+\pi_3} \}
\]

There are three abstract predicates: \( iHandle \) (the handle to insert elements), \( rHandle \) (the handle to remove elements), and \( dHandle \) (the handle to deallocate the queue). None of these predicates are duplicable, hence the queue can be used by at most two threads. However, the insert and remove handles \( iHandle(q, y, \pi) \) and \( rHandle(q, y, \pi) \) are uniform with respect to the fraction \( \pi \). This means in particular that the handles can be transferred through Iron’s trackable invariants—something which is essential to verify the channel module.

**Verification of the channel module.** Using this queue specification, we can quite easily verify the channel module. The predicate \( \text{Endpoint}_i((q_1, q_2, x), y, \pi) \) is defined roughly as follows:

\[
\text{Endpoint}_i((q_1, q_2, x), y, \pi) \triangleq \exists \pi_1, \pi_2, (\pi = \pi_1 + \pi_2) *
\text{rHandle}(q_1, y, \pi_1) * \text{iHandle}(q_2, y, \pi_2) * \text{Alive}_i * \mathcal{C}_3
\]

Each endpoint has two handles, one for sending, and one for receiving messages. An endpoint also contains \( \text{Alive}_i \), a piece of ghost state which ensures that the endpoint is open when \( \text{Endpoint}_i \) is owned. We use a piece of ghost state rather than explicitly holding \( x \mapsto \pi' \). true because the background thread must also be able to read this reference to see when it is safe to dispose of the endpoint. Finally, the proposition \( \mathcal{C}_3 \) is the invariant used to communicate between the endpoints and the cleanup thread. It is again a trackable invariant, which encodes a 4-state transition system, whose states correspond to:

1. both channel endpoints are alive,
2. the first endpoint is closed, but the second still alive,
3. the second endpoint is closed, but the first still alive, and,
4. both of the channel endpoints are closed.

The close methods transition from the first to the second or third state, or from the second or third to the fourth state, depending on which of the two endpoints is closed first. In this case, it transfers the proposition \( rHandle, iHandle \) and \( \text{Alive}_i \) into the invariant \( \mathcal{C}_3 \). Note, to transfer \( rHandle \) and \( iHandle \) into the trackable invariant it is crucial that they are uniform w.r.t. fractions. Finally, the background thread gets to run when the invariant is in the fourth state, at which point it retrieves all the handles from the invariant, and disposes of all the memory.

\(^4\)In the accompanying Coq formalization we have implemented and verified such a queue, with a very precise HOCAP-style specification. From that, we have derived the bag-like specification that is given here. The verification of the queue is intricate. However, none of the intricacies are to do with the fraction accounting, but rather with the fact that the implementation is delicate (since it does not use any synchronization primitives). We thus do not include the verification in this paper.
4.4 Client of the Channel Module

To illustrate that the specification of the channel is indeed useful for ensuring safe disposal of memory, we will prove a specification for the following simple module:

\[
\epsilon_{\text{msg}} \triangleq \text{let } (\epsilon_1, \epsilon_2) = \text{newchannel} (\text{disposeList}) \text{ in } \\
\text{let } \ell_1 = \text{mkList}(5) \text{ in } \text{let } \ell_3 = \text{mkList}(5) \text{ in } \text{send}(\epsilon_1, \ell_1); \\
\text{let } \ell_2 = \text{mkList}(10) \text{ in } \text{send}(\epsilon_2, \ell_2); \\
\text{close}(\epsilon_1) \quad \text{let } \ell_4 = \text{receive}(\epsilon_2) \text{ in } \text{disposeList}(\ell_4); \\
\text{close}(\epsilon_2)
\]

The method \(\text{mkList}(n)\) creates a linked list of integers \(n, n-1, \ldots, 1\), and \(\text{disposeList}\) is the destructor for lists. The left thread creates two linked lists, and sends (references to) them over the channel, and finally closes its endpoint \(\epsilon_1\). It does not clean up any memory on its own. The right thread creates another list \(\ell_3\), and sends it on the other endpoint \(\epsilon_2\). However, since no thread ever receives on \(\epsilon_1\), the \(\ell_3\) list will never be removed from the channel’s message queue. The right thread receives only one (reference to a) list—note that \(\ell_4\) will be equal to \(\ell_1\)—which it then disposes of. Finally, after both endpoints are closed, the channel’s cleanup thread deallocates the lists \(\ell_2\) and \(\ell_3\), which at that point, are still in the message queues of the endpoints \(\epsilon_2\) and \(\epsilon_1\), respectively.

Using the channel module specification, it is straightforward to show that the example program satisfies the specification \(\{ \epsilon_\pi \} \epsilon_{\text{msg}} \{ \epsilon_\pi \}\). By adequacy of Iron (Theorem 3.2), we can thus conclude that all the allocated memory has been disposed of when the program terminates.

4.5 The Parallel Composition Operator

We conclude this section by showing how to prove the Hoare triple of the parallel composition operator Hoare-par using Iron. This verification cannot be carried out in the same way as the examples we have seen before—namely, using trackable invariants. The reason is essentially that trackable invariants require the proposition stored in the invariant to be uniform w.r.t. fractions. As a consequence, if we were to use them to prove the Hoare triple of the parallel composition operator, we would need to impose that the postconditions of one of the two threads is uniform, while that is not the case for any postcondition. We thus would like our rule for parallel composition to be more flexible and allow arbitrary postconditions for both operands.

**Implementation of parallel composition.** As usual, parallel composition is implemented via two auxiliary methods \(\text{spawn}\) and \(\text{join}\). The method \(\text{spawn}\) takes a method and runs it in another thread, but it also allocates a reference cell, which is used to signal that the thread is finished:

\[
\text{spawn}(f) \triangleq \text{let } c = \text{ref}(\text{None}) \text{ in } \\
\text{fork } \{ c \leftarrow \text{Some}(f()); \} \\
\text{join(c)} \triangleq \text{match } ! c \text{ with } \\
\text{Some } x \Rightarrow \text{free}(c); x \\
\text{| None } \Rightarrow \text{join(c)}
\]

Using \(\text{spawn}\) and \(\text{join}\), we let the parallel composition operator be syntactic sugar:

\[
e_1 || e_2 \triangleq \text{let } h = \text{spawn}(\lambda _ . e_1) \text{ in } \\
\text{let } v_2 = e_2 \text{ in } \\
\text{let } v_1 = \text{join}(h) \text{ in } (v_1, v_2)
\]

**Verification of parallel composition.** The crucial part of verifying the Hoare triple Hoare-par is proving the Hoare triples for \(\text{spawn}\) and \(\text{join}\)—from these, the correctness of Hoare-par follows.
immediately. We can give the methods spawn and join the following specifications (where $P$ is an arbitary Iron proposition, and $\Phi : Val \rightarrow \text{Prop}$ an arbitrary Iron predicate):

\[
\{ e_\pi \nvdash P \ast \{ P \} \} \text{ spawn}(f) \{ c. \ \text{joinHandle}(c, \Phi, \pi) \}
\]

\[
\{ \text{joinHandle}(c, \Phi, \pi) \} \text{ join}(c) \{ w. \ e_\pi \nvdash \Phi(w) \}
\]

The predicate $\text{joinHandle}(c, \Phi, \pi)$ is defined to be:

\[
\exists \text{ysts}. \ t_2(\text{ysts}) \ast \{(s_1(\text{ysts}) \ast c \mapsto \pi \ \text{None}) \lor (s_2(\text{ysts}) \ast (\exists w. \ c \mapsto \pi \ \text{Some} \ w \ast \Phi(w)))\} \lor s_3(\text{ysts})^N
\]

Note that we are using an ordinary shared invariant, and are thereby fixing a specific fraction $\pi$ inside the invariant. As the result of using a shared invariant, $P$ and $\Phi$ can be arbitrary propositions. The invariant again makes use of the three state transition system from Figure 6. The forked-off thread (in spawn) transitions from the first to the second state, and the join method transitions from the second to the third state (once the invariant is in the second state). Note that in the third state the invariant no longer owns any memory resources, i.e., it is essentially deallocated.

5 A MORE ABSTRACT VIEW—HOW TO HIDE THE FRACTIONS

Thus far we have reasoned explicitly about the fractions in each proof. However, we took care that the fraction accounting was principled and modular—every example, apart from the derivation of the parallel composition operator specification, treated all fractions parametrically. In this section we show how we can exploit that fact using Iron++: a more abstract logic build on top of the Iron logic that hides the fractions. As it turns out, all examples but the parallel composition operator specification, treated all fractions parametrically. In this section the key observation that motivates the setup of Iron++ is that most propositions (that appeared as pre- and postconditions and invariants) throughout this paper are of the shape:

\[
(\pi = \pi_1 + \pi_2 + \ldots + \pi_n) \ast P_1(\pi_1) \ast P_2(\pi_2) \ast \ldots \ast P_n(\pi_n)
\]

That is, the fraction is split among the separating conjuncts and the precise partition chosen is unimportant. In order to hide this splitting of fractions, we will consider predicates over fractions and “lift” the separating conjunction to such predicates $P$ and $Q$ as follows:

\[
(P \ast Q)(\pi) \triangleq \exists \pi_1, \pi_2. \ (\pi = \pi_1 + \pi_2) \ast P(\pi_1) \ast Q(\pi_2)
\]

With the lifted separation conjunction in hand, we are now able to write propositions like 1 simply as $P_1 \ast P_2 \ast \ldots \ast P_n$. This idea turns out to generalize to all connectives of separation logic, leading to the logic Iron++, whose type of propositions Prop++ and its entailment relation ($\vdash$) are defined as (recall that Prop is the type of Iris propositions):

\[
\text{Prop}^{++} \triangleq [0,1] \rightarrow \text{Prop}
\]

\[
P \vdash Q \triangleq \forall \pi. \ P(\pi) \vdash Q(\pi)
\]

By means of lifting, we can define all the connectives of higher-order logic with equality (True, False, $\Rightarrow$, $\land$, $\lor$, $\exists$, $\forall$, $=$), together with the usual BI connectives ($\ast$, $\dashv$, $\mathsf{Emp}$), and the lifted points-to connective ($\mathbin{\hat{\rightarrow}}$). Below we give the definitions of some of these connectives:

\[
(P \land Q)(\pi) \triangleq P(\pi) \land Q(\pi) \quad \quad \text{Emp}(\pi) \triangleq \pi = 0
\]

\[
(P \Rightarrow Q)(\pi) \triangleq P(\pi) \Rightarrow Q(\pi) \quad \quad (P \vdash Q)(\pi) \triangleq \forall \pi'. \ P(\pi') \vdash Q(\pi + \pi')
\]

\[
(t = s)(\pi) \triangleq (t = s) \quad \quad (\ell \mathbin{\hat{\rightarrow}} v)(\pi) \triangleq \pi > 0 \land \ell \mapsto \pi v
\]

An important feature of Iron++ is that, unlike Iris and Iron, it does not satisfy the weakening rule $P \ast Q \vdash P$. In particular, $\ell \mathbin{\hat{\rightarrow}} v \ast \ell' \mathbin{\hat{\rightarrow}} v' \vdash \ell \mathbin{\hat{\rightarrow}} v$ is not valid in Iron++, which means that we cannot leak memory resources. We have thus built a linear separation logic over an affine one.
Ordinary separation logic:

**LHOARE-FRAME**
\[
\{ P \} e \{ \text{w. } Q \}_E
\]
\[
\{ P \to R \} e \{ \text{w. } Q \to R \}_E
\]

**LHOARE-VAL**
\[
\{ P \} \nu \{ \text{w. } w = v \land \text{Emp} \}_E
\]
\[
\{ \nu \lambda x. e \} v \{ \text{w. } Q \}_E
\]

**LHOARE-BIND**
\[
\{ P \} e \{ \nu v. Q \}_E
\]
\[
\quad \forall v. \{ Q \} K[ v ] \{ \text{w. } R \}_E
\]
\[
\{ P \} K[ e ] \{ \text{w. } R \}_E
\]
\[
\text{K a call-by-value evaluation context}
\]

**Heap manipulation:**

**LPT-DISJ**
\[
\ell_1 \supseteq - \ell_2 \supseteq - \ell_1 \neq \ell_2
\]

**LHOARE-ALLOC**
\[
\{ \text{Emp} \} \text{ref}(v) \{ \ell. \ell \supseteq v \}_E
\]
\[
\{ \nu \lambda \ell \supseteq - \} \text{free}(\ell) \{ \text{Emp} \}_E
\]

**LHOARE-LOAD**
\[
\{ \nu \lambda \ell \supseteq - \} \ell \leftarrow \text{w} \{ \ell \supseteq \text{w} \}_E
\]

**LHOARE-STORE**
\[
\{ \nu \lambda \ell \supseteq - \} \ell \leftarrow \text{w} \{ \ell \supseteq \text{w} \}_E
\]

**Fork-based concurrency:**

**LHOARE-FORK**
\[
\{ P \} e \{ \text{Emp} \}
\]
\[
\{ \nu \lambda e \} \{ \text{w. } w = () \land \text{Emp} \}_E
\]

**Trackable (Iron) invariants:**

**LTINV-SPLIT**
\[
\text{OPerm}_y(p_1 + p_2) \equiv \text{OPerm}_y(p_1) \ast \text{OPerm}_y(p_2)
\]
\[
\{ \exists y. P \ast [\gamma]^{N,y} \ast \text{OPerm}_y(1) \ast \text{DPerm}_y \} e \{ \text{w. } Q \}_E
\]
\[
\{ P \ast (\forall y. \ast I) \} e \{ \text{w. } Q \}_E
\]

**LTINV-ALLOC**
\[
\{ \exists y. P \ast [\gamma]^{N,y} \ast \text{OPerm}_y(1) \ast \text{DPerm}_y \} e \{ \text{w. } Q \}_E
\]
\[
\{ P \ast (\forall y. \ast I) \} e \{ \text{w. } Q \}_E
\]

**LTINV-OPEN**
\[
N \subseteq E \quad \text{atomic}(e) \quad \text{uniform}(I)
\]
\[
\{ P \ast \nu I \ast \text{OPerm}_y(p) \} e \{ \text{w. } Q \}_E \backslash N
\]
\[
[\gamma]^{N,y} \leftarrow \{ P \ast \text{OPerm}_y(p) \} e \{ \text{w. } Q \}_E \backslash N
\]

**LTINV-DEALLOC**
\[
N \subseteq E \quad \text{atomic}(e) \quad \{ P \ast \nu I \ast \text{OPerm}_y(p) \} e \{ \text{w. } Q \}_E \backslash N
\]
\[
[\gamma]^{N,y} \leftarrow \{ P \ast \text{OPerm}_y(p) \ast \text{DPerm}_y \} e \{ \text{w. } Q \}_E
\]

Fig. 7. Selected rules of the Iron++ logic.

The weakening rule \( P \ast Q \vdash P \) does, however, hold for the class of propositions \( Q \) that are affine [Krebs et al. 2018]. Intuitively, affine propositions \( Q \) are those that do not hold resources that should be accounted for precisely—which formally means \( Q \vdash \text{Emp} \). Clearly \( \ell \supseteq v \) is not affine, but throughout this section we will see examples of other connectives that are affine.

In the remainder of this section we will see how Hoare triples are incorporated into Iron++ and how that leads to the corresponding adequacy theorems for Iron++ (Section 5.1). We then show how trackable invariants are integrated into Iron++ (Section 5.2), and finally conclude with some examples (Section 5.3). A selection of Iron++ rules is shown in Figure 7.
5.1 Hoare Triples and Adequacy

Some of the Iron rules for Hoare triples contained permissions $e_\pi$ in the pre- or postcondition (\texttt{HOARE-ALLOC} and \texttt{HOARE-FREE}). In Iron++ we can hide these permissions by essentially threading through a permission $e_\pi$ in the pre- and postcondition:

$$
(P) e \{v, Q\}_E(\pi) \triangleq (\pi = 0) \land \forall \pi_1 > 0, \pi_2 \geq 0.

\{e_\pi \cdot P(\pi_2)\} e \{v, \exists \pi_1, \pi_2. (\pi_1 + \pi_2 = \pi_1' + \pi_2') \ast e_\pi' \ast Q(\pi_2')\}_E
$$

To ensure no resources are lost, the fractions in the postcondition should sum up to the same value as those in the precondition. Using this definition, we can prove the usual rules for heap manipulation of classical separation logic: \texttt{HOARE-ALLOC}, \texttt{HOARE-FREE}, \texttt{LHOARE-LOAD}, and \texttt{LHOARE-STORE}—instead of pre- and postconditions containing $e_\pi$, these now contain \texttt{Emp} (without a fraction). Hoare triples themselves are affine and duplicable, which is crucial for verifying higher-order functions.

An important feature of Iron++ is that we inherit Iron’s machinery for handling concurrency. In particular, the rule \texttt{LHOARE-FORK} simply follows from \texttt{HOARE-FORK-EMP}. It is also worth noting that this rule mirrors the rule for fork in existing separation logics such as Iris, except that we require the forked-off thread to not leak any resources—\textit{i.e.}, the postcondition is \texttt{Emp} as opposed to True.

\textbf{Adequacy.} We will state versions of Iron’s adequacy statements (Theorem 3.1 and 3.2) for Iron++.

We take the liberty of stating these theorems in a more generic way, so that the initial and final heap can be arbitrary (instead of the empty heap $\emptyset$).

\textbf{Theorem 5.1 (Lifted Basic Adequacy).} Given a first-order predicate over values $\phi$, and suppose the Hoare triple $\{*, (f, v) \in \sigma \downarrow \downarrow v\} e \{w, \phi(w)\}$ is derivable in Iron++. Now, if we have:

$$(e, \sigma) \rightsquigarrow_{\text{tp}} ((e_1, e_2, \ldots, e_n), \sigma')$$

then the following properties hold:

1. \textbf{Postcondition validity:} If $e_i$ is a value, then $\phi(e_i)$ holds at the meta-level.
2. \textbf{Safety:} Each $e_i$ that is not a value can make a thread-local reduction step.

\textbf{Theorem 5.2 (Lifted Adequacy for Correct Usage of Resources).} Suppose the Hoare triple $\{*, (f, v) \in \sigma \downarrow \downarrow v\} e \{w, *_{(f, v) \in \sigma'} \downarrow \downarrow v\}$ is derivable. Now, if we have:

$$(e, \sigma) \rightsquigarrow_{\text{tp}} ((e_1, e_2, \ldots, e_n), \sigma'')$$

and all expressions $e_i$ are values, then $\sigma'' = \sigma'$.

5.2 Trackable Invariants

The most difficult concept to incorporate into Iron++ is invariants. One may attempt to lift shared (Iris) invariants like we have lifted the other connectives—\textit{i.e.}, to define the invariant assertion $[\pi]^N$ as $[I(\pi)]^N$. However, this does not work: this invariant assertion is generally not duplicable—it is only duplicable if $I$ is independent of the fraction (\textit{i.e.}, if $I$ is constant). As such, one cannot put points-to connectives in the invariant, rendering them essentially useless.  

\footnote{We distinguish the Hoare triples of Iron and Iron++ by coloring the pre- and postconditions in red and blue, respectively.}

\footnote{We could also define lifted invariants which could only hold affine assertions, with no other restrictions, however, again, this would not be useful since the points-to connective is not affine.}

Trackable invariants on the other hand, can be lifted into Iron++, and when lifted, they enjoy good abstract rules. We lift trackable invariants as follows (where \( p \in (0, 1) \)):

\[
\begin{align*}
&
\bar{\text{OPerm}}_Y(p)(\pi) \triangleq \pi = 0 \land \text{OPerm}_Y(p) \\
&
\bar{\text{DPerm}}_Y(\pi) \triangleq \pi > 0 \land \text{DPerm}_Y(\pi)
\end{align*}
\]

The invariant assertion \( \bar{I}^{N,Y} \) is affine (due to \( \pi = 0 \)) and duplicable. The opening token \( \bar{\text{OPerm}}_Y(p) \) is also affine, and can be split through the fraction \( p \). In contrast, the deallocation token \( \bar{\text{DPerm}}_Y \) is not affine, which is crucial—it ensures that we cannot forget to deallocate an invariant.

Similar to the opening rule of Iron (\( \text{ltinv-open} \)), the opening rule of Iron++ (\( \text{ltinv-open} \)), requires \( I \) to be uniform. For Iron++ uniformity is defined in a similar way:

\[
\text{uniform}(I : \text{Prop}^{++}) \triangleq \forall \pi_1, \pi_2 > 0. I(\pi_1 + \pi_2) \models I(\pi_1) \ast e_{\pi_2}.
\]

The class of uniform propositions enjoys good closure properties: it is closed under disjunction, existentials, separating conjunction, and all affine propositions are uniform. Recall that the invariant deallocation token is not affine, nor is it uniform, and thus cannot be put into the invariant.

5.3 Examples

We can verify all of the examples we have presented in this paper in Iron++ (including the channel module from Section 4.3), with the exception of the parallel composition operator (Section 4.5). The proofs follow exactly the same structure as in the plain Iron logic, except that there is no manual fraction accounting—all that is handled abstractly by Iron++.

For example, we can derive the following specifications for the channel module (provided we have \( \{\Phi(w)\} d(w) \{\text{Emp}\} \) for any value \( w \)):

\[
\begin{align*}
\{\text{Emp}\} & \text{ newchannel}(d) \{\text{ep}_1, \text{ep}_2\}. \端点_{i_1}(\text{ep}_1, \gamma) \ast \端点_{i_2}(\text{ep}_2, \gamma) \\
\{\text{Endpoint}_{i_1}(\text{ep}, \gamma) \ast \Phi(u)\} & \text{ send}(\text{ep}, u) \{\text{Endpoint}_{i_1}(\text{ep}, \gamma)\} \\
\{\text{Endpoint}_{i_1}(\text{ep}, \gamma)\} & \text{ receive}(\text{ep}) \{w. \ ENDPO T_{i_1}(\text{ep}, \gamma) \ast \Phi(w)\} \\
\{\text{Endpoint}_{i_1}(\text{ep}, \gamma)\} & \text{ close}(\text{ep}) \{\text{Emp}\}
\end{align*}
\]

Note that we have not just hidden the fractions at the end (by lifting the specification from Iron to Iron++). Instead, the entire proof of this specification can be carried out in Iron++. In fact, we have done so in Coq all the way—from the (precise HOCA-P-style [Svendsen et al. 2013]) specifications and proofs of the messages queues, to the final channel specifications, to the client of the channel module.

This is in contrast to the parallel composition operator, whose Iron++ specification is as follows:

\[
\begin{align*}
\text{LHOA-\text{par}} \\
i \in \{1, 2\} & \quad \{P_i\} \ e_i \ \{w_i, Q_i\} \\
\{P_1 \ast P_2\} & \ e_1 \ \| \ e_2 \ \{(w_1, w_2), Q_1 \ast Q_2\}
\end{align*}
\]

While we can recover this specification from the one in plain Iron, we cannot prove this specification entirely in Iron++. If we attempt that, the best we can prove entirely in Iron++ is a version where \( Q_2 \) should be uniform as we are limited to trackable invariants. This restriction is undesirable in general, and prevents e.g., allocating an invariant in \( e_2 \) (since \( \bar{\text{DPerm}}_Y \) is not uniform).

\footnote{Note that even though I ranges over non-negative fractions, we require uniformity only for strictly positive fractions. If we would require the property to hold for all fractions, the condition would force \( I \) to be essentially \( \varepsilon \).}
6 SEMANTICS OF IRON

The semantics of Iron builds upon the semantics of Iris [Jung et al. 2016, 2018; Krebbers et al. 2017a], which is staged in two parts:

- The Iris base logic, which comprises only the assertion layer of vanilla separation logic, plus a handful of simple modalities for dealing with (higher-order) ghost state and step-indexing. The semantics of the Iris base logic is given by solving a recursive domain equation.
- The Iris program logic, which provides machinery for invariants and program specifications on top of the Iris base logic. The semantics of the Iris program logic is given by defining its connectives in terms of the Iris base logic.

For the semantics of Iron, we use the Iris base logic in its original form, and only modify the program logic in the following ways:

1. We change the state interpretation of Hoare triples (which are defined in terms of weakest preconditions) to incorporate trackable points-to connectives $\ell \mapsto_{\pi} v$.
2. We change the definition of Hoare triples to account for the resources of forked-off threads.
3. We define trackable invariants as a layer on top of ordinary Iris invariants.

In this section we will focus on the first two points. For reasons of space, we cannot recall the Iris semantics here, so we presume that the reader is familiar with the semantics of Iris.

Definition of weakest precondition. In Iron we use the following definition of weakest preconditions, with changes from the Iris definition highlighted in blue. We explain the changes below.

$$\begin{align*}
wp_{E} e \{ \Phi \} & \triangleq (e \in Val \land \models_{E} \Phi(e)) \\
& \land \bigvee \left( e \notin Val \land \forall \sigma_{1}, \pi_{1}. S(\sigma_{1}, \pi_{1}) \rightarrow e_{1} \models_{E} (\text{red}(e, \sigma_{1}) \\
& \land \exists v_{\ell}. (S(\sigma_{2}, \pi_{1} + \sum v_{\ell} f) \ast wp_{E} e_{2} \{ \Phi \ast \ast_{e_{1}, \pi_{1}} wp_{E} e' \{ _{\ell} \cdot e_{\pi} \}) \big) )
\end{align*}$$

Here, $\gamma_{h}$ is a fixed ghost name, $\sigma$’s range over the physical state, and $S$ is the state interpretation. The state interpretation $S(\sigma, \pi)$ in Iron has an additional argument $\pi$ which is the amount of knowledge the forked-off threads have about the heap. Concretely, we use the resource algebra $\text{AUTH}((0, \infty) \times (\text{Loc} \times \text{Ex} (\text{Val})) \times \{ e \})$ for the state interpretation, and define:

$$S(\sigma, \pi) \triangleq \frac{1}{\sum_{i=1}^{\pi} \pi_{i}} \cdot \left( \frac{\sigma_{i}}{\sum_{i=1}^{\pi} \pi_{i}} \right)^{\gamma_{h}}$$

This resource algebra is very close to the partial commutative monoid we used in Section 2.4, except that we allow arbitrary positive fractions $\pi$ (instead of $\pi \leq 1$). The reason for this is that we need to accommodate the postconditions of the forked-off threads. The invariant maintained by the definition of weakest precondition is that the total fraction is always $1 + \sum_{i} \pi_{i}$ where $i$ ranges over the forked-off threads, and $e_{\pi_{i}}$ is the postcondition of the $i$-th thread. Using this invariant we can conclude, once all the threads have terminated, and we have $e_{1}$ in the postcondition of the main thread, that the heap is empty. This is because $S(\sigma, 1 + \pi) \ast e_{1+\pi}$ implies $\sigma = \emptyset$. A precise adequacy statement is the following theorem.

8Here we allow $\pi = 0$ and define $e_{0}$ to be True in order to be able to have True as a postcondition of the new thread.
9In the Coq formalization, the treatment of postconditions of forked-off threads is more general. Instead of parameterizing the state interpretation $S$ by a fraction, we parameterize it by the number of forked-off threads, and have a fixed postcondition for all forked-off threads. The version in the paper can be derived via a step of induction using Iris’s ghost state mechanism. We ignore this extra generality in the paper as it is unnecessary for our purposes.
Theorem 6.1. Let $\phi$ be a first-order predicate over the initial state, final state, and value, and suppose the following Hoare triple is derivable:

$$\{e; \pi \} e \{ v. Q \} \quad \forall v, \sigma', \bar{\pi}_f. Q \ast S(\sigma', \sum \bar{\pi}_f) \ast (\star_{e' \in \bar{\pi}_f} e') \vdash \phi(\sigma, \sigma', v)$$

Now, if we have $(e, \sigma) \rightarrow_{tp} ((e_1, e_2, \ldots, e_n), \sigma')$, and all expressions $e_i$ are values, then $\phi(\sigma, \sigma', e_1)$ holds at the meta-level.

Note that like Iron’s adequacy statement (Theorem 3.2) we require all the threads to terminate before we can apply this theorem. This condition is crucial—intuitively, the main thread may have disposed of all of its memory, so that $e_1$ holds, but the postconditions of the forked-off threads are needed to ensure that no memory has leaked anywhere else, and indeed the forked-off thread might not yet have disposed of the memory when the main thread terminates.

In order to show that the actual adequacy result (Theorem 3.2) follows from Theorem 6.1, we let $\pi \triangleq 1$ and $Q \triangleq e_1$ and $\phi(v, \sigma, \sigma') \triangleq (\sigma = \sigma')$.

7 RELATED WORK

We already discussed some related work in the introduction (Section 1); in this section we consider some further related work.

Already in early work on separation logic for sequential languages [Ishtiaq and O’Hearn 2001; Reynolds 2000, 2002], different models were considered; see [Cao et al. 2017; Krebbers et al. 2018] for a recent account. In particular, models aimed at reasoning about explicit memory deallocation, often referred to as “classical” separation logic, and models aimed at reasoning about garbage collected languages without explicit memory deallocation, often referred to as “intuitionistic” separation logic. The classical models were defined using the full powerset of the set of heaps, whereas the intuitionistic models used upwards closed subsets of heaps (with respect to the extension order of heaps). In our terminology, the “intuitionistic” logic is affine and the “classical” is linear.

Ishtiaq and O’Hearn [2001] pointed out that one could recover the “intuitionistic” (affine) logic from the “classical” (linear). Here instead, as mentioned in Section 5, we recover a linear logic from an affine one; for a much richer higher-order logic, for a concurrent language, with invariants etc.

There has previously been a variant of Iris with a notion of linearity [Tassarotti et al. 2017]. It was used to reason about concurrent termination-preserving refinement. However, the treatment of linearity by Tassarotti et al. [2017] is limited: in contrast to Iron only affine propositions can be framed and it is not possible to share linear propositions through invariants, which means that the logic, in the words of the authors, is “unsuitable for tracking resources like the heap”. As part of future work, we would like to investigate whether the approach we have used in Iron can also be used for proving termination-preserving refinements.

Krebbers et al. [2018] described a variant of the Iris model that can handle a mixture of linear and affine resources, by equipping Iris’s algebraic structure (a resource algebra) for modeling resources with a pre-order. While this model encompasses the model of Tassarotti et al. [2017], it is not clear how its generality can be exploited to prove program specifications. The authors only defined the basic BI connectives, but did not fully generalize the other Iris connectives (like the update modalities, invariant machinery, and weakest preconditions).

Gotsman et al. [2007] described a variant of concurrent separation logic where resources can be transferred between dynamically allocated threads. To prevent leaking of resources their resource invariants need to satisfy a global admissibility condition. This condition needs to be checked for a set of resource invariants simultaneously. In contrast our reasoning is local, and the fraction accounting in Iron ensures that any resource leaks are visible in the specifications.
8 DISCUSSION AND FUTURE WORK

Trackable invariants. Recall that Iron’s trackable invariants require that the proposition that is put into the invariant is uniform with respect to fractions. As we have demonstrated by the examples in the paper, the uniformity requirement does not seem like a very restrictive condition, as we have been able to reason about many challenging examples involving transfer of resources between dynamically allocated threads.

The uniformity requirement does, however, mean that there are some examples which are out of reach of Iron++. We already mentioned that the parallel composition operator cannot be verified completely in Iron++, but requires one to “drop down” to the lower-level Iron logic. For this particular example, we believe that one could define a bespoke sharing mechanism in Iron and then use that carry out the main proof in Iron++. Other examples which are out of reach of the Iron++ are those where it is not statically known who disposes of the shared resources. An example of such a program is the channel module implementation we have considered, but instead of having a background thread in charge of cleaning up the resources, the resources would have to be disposed by the last user to close the endpoint. We have a generalization of trackable invariants which would be sufficient to verify such an implementation of the channel module also in Iron++, however this generalization is tailored rather specifically to the kind of invariant we need in this example. Designing a more principled sharing mechanism more general than the trackable invariants we have considered in this paper is left as future work. For now such examples can still be done by dropping down to Iron, which also shows the power of having this logic available, even if most examples can already be done entirely in Iron++.

Managing other resources. We believe that the methodology of trackable resources is also applicable to precise reasoning about other kinds of resources. The key idea is simple enough—to combine the real resource we care about, e.g., the heap, together with a fraction and make it so that splitting of the resource is tied to the splitting of the fraction, such as in the rule PT-SPLIT. The fraction can be used to avoid silently leaking resources in the proof through, for instance, the weakening rule. If we do, we lose a degree of knowledge about the resource, and with this property we gain the ability to say exactly what the resources are, which is a property typically only expressible in a linear separation logic. In retrospect, this is not surprising since the use of fractions in Iron is intimately related to linearity, as seen in the definition of the logic Iron++.

For example, if we extended the language with file handles, or input/output channels we could follow an approach analogous to how we manage the heap. Each different kind of resource would be paired with a fraction, as is the points-to connective.

Interestingly, we can also use the same approach for keeping track of resources which are not primitive to the language. As an example let us look at how we can ensure that locks (which are not primitive in λref,conc) are used correctly. That is, if a program acquires a lock it should release it before it terminates. The simplest lock implementation is the spin lock, which consists of the following four methods:

\[
\begin{align*}
\text{newLock}() & \triangleq \text{ref}(\text{false}) \\
\text{dispose}(\ell) & \triangleq \text{free}(\ell) \\
\text{acquire}(\ell) & \triangleq \begin{cases} 
\text{if cas}(\ell, \text{false}, \text{true}) \text{ then () else acquire}(\ell) 
\end{cases} \\
\text{release}(\ell) & \triangleq \ell \leftarrow \text{false}
\end{align*}
\]

The lock itself is a Boolean flag, which is false when the lock is released, and true when it is acquired. Since multiple threads can race to acquire the lock, the acquire method is implemented via a cas loop so that checking the flag and (potentially) setting it to true is done in a single atomic step.
The release method is only called by the method which has acquired the lock, and thus can simply set the flag without any additional synchronization mechanisms. The dispose method should only be called when there is a single thread using the lock and the lock is released, and thus it simply disposes of the flag, reclaiming the memory.

In Iron++, we can define two abstract predicates, isLock(w, γ, p) and locked(w, γ, p), parameterized over a proposition I, and give the following specifications to the methods of the lock:

\[
\{I\} \text{newLock() } \{w. \exists \gamma. \text{isLock}(w, \gamma, 1)\}
\]

\[
\{\text{isLock}(w, \gamma, p)\} \text{acquire}(w) \{I * \text{locked}(w, \gamma, p)\}
\]

\[
\{I * \text{locked}(w, \gamma, p)\} \text{release}(w) \{\text{isLock}(w, \gamma, p)\}
\]

\[
\{\text{isLock}(w, \gamma, 1)\} \text{dispose}(w) \{I\}
\]

Here, \(p \in (0, 1]\) is a fraction. The analogy we wish to make is that isLock(w, γ, p) is akin to the \(e\pi\) proposition of Iron. We can split it, i.e., isLock(w, γ, \(p_1 + p_2\)) \(\vdash\) isLock(v, γ, \(p_1\)) \(\&\) isLock(v, γ, \(p_2\)), and the operations acquire and release behave analogously to ref and free.

The fact that we can define the above specification for locks is not specific to Iron; it can also be done in vanilla Iris. What is novel however, is that with these abstract predicates we can prove the following (simplified here, for clarity) analogue of adequacy for usage of locks. If the following specification of an arbitrary expression \(e\) is provable:

\[
\{\text{isLock}(w, \gamma, 1)\} e \{\text{isLock}(w, \gamma, 1)\},
\]

then if the program \(e\) terminates, every acquire has an accompanying release. A formal statement and proof of this requires a slight extension of the adequacy theorem to take into account the fact that invariants hold at the end of the execution of the program. Further details are beyond the scope of this paper but are worked out in the accompanying Coq formalization.

The key idea in related examples is to tie a concrete operation on a shared data structure (necessarily guarded by an invariant) with transferring the permission to use the invariant into the invariant itself, connected to some particular physical state. This way the specification of a method using the data structure will expose whether certain methods are called or not.

\textbf{Coq formalization.} We have formalized Iron and Iron++ using the recent MoSeL framework [Krebbers et al. 2018]—which provides an extensive set of tactics for making separation logics proofs look like Coq proofs. To do so, we have instantiated MoSeL’s modal BI (MoBI) interface with both the propositions of Iron (which comes in the form of a fork of Iris, with the changes described in Section 6) and those of Iron++ (whose formalization in Coq is based on fractional predicates over arbitrary BI logics). Having instantiated the MoSeL interfaces, and having taught MoSeL about some of the Iron specific features by instantiating corresponding type classes, we were then able to reason both in Iron++, and to “drop down” to Iron when needed. In fact, all proofs in Coq were directly carried out in Iron++, with the exception the parallel composition operator, for whose proof we dropped down to Iron.

\textbf{ACKNOWLEDGMENTS}

We thank Thomas Dinsdale-Young and Morten Krogh-Jespersen for invaluable discussions, and the reviewers for suggestions on how to make the paper more accessible.

This research was supported by the ModuRes Sapere Aude Advanced Grant from The Danish Council for Independent Research for the Natural Sciences (FNU).
REFERENCES


John Boyland. 2003. Checking interference with fractional permissions. In SAS.

Qinxiang Cao, Santiago Cuellar, and Andrew W. Appel. 2017. Bringing order to the separation logic jungle. In APLAS.

Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. 2014. TaDA: A logic for time and data abstraction. In ECOOP.

Thomas Dinsdale-Young, Mike Dodds, Philippa Gardner, Matthew J. Parkinson, and Viktor Vafeiadis. 2010. Concurrent abstract predicates. In ECOOP.


Xinyu Feng. 2009. Local rely-guarantee reasoning. In POPL.

Xinyu Feng, Rodrigo Ferreira, and Zhong Shao. 2007. On the relationship between concurrent separation logic and assume-guarantee reasoning. In ESOP.

Ming Fu, Yong Li, Xinyu Feng, Zhong Shao, and Yu Zhang. 2010. Reasoning about optimistic concurrency using a program logic for history. In CONCUR.

Alexey Gotsman, Josh Berdine, Byron Cook, Noam Rinetzky, and Mooly Sagiv. 2007. Local reasoning about storable locks and threads. In APLAS.


Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In ICFP.


Ralf Jung, David Swasey, Filip Siewczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning. In POPL.


Robbert Krebbers, Ralf Jung, Aleš Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017a. The essence of higher-order concurrent separation logic. In ESOP.

Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017b. Interactive proofs in higher-order concurrent separation logic. In POPL.


Aleksandar Nanevski, Ruy Ley-Wild, Ilya Sergey, and Germán Andrés Delbianco. 2014. Communicating state transition systems for fine-grained concurrent resources. In ESOP.


Kasper Svendsen and Lars Birkedal. 2014. Impredicative concurrent abstract predicates. In ESOP.


Aaron Turon, Derek Dreyer, and Lars Birkedal. 2013. Unifying refinement and Hoare-style reasoning in a logic for higher-order concurrency. In ICFP.

Viktor Vafeiadis and Matthew Parkinson. 2007. A marriage of rely/guarantee and separation logic. In CONCUR.