CSLPerm: Logic for Fractional Memory Permissions

• CSLPerm is a formal framework that extends concurrent separation logic by introducing fractional permissions for precise shared-memory concurrency reasoning.
• It enables multiple concurrent readers and exclusive writers through fractional access, ensuring modular proofs of data-race freedom and safe updates.
• Advanced tool support and automated inference techniques allow scalable verification of complex multithreaded programs with rigorous resource invariants.

Concurrent Separation Logic with Fractional Permissions (CSLPerm) extends the foundational approach of concurrent separation logic by introducing quantitative ownership of memory locations, allowing precise specification and verification of shared-memory concurrency with fine-grained access permissions. Fractional permissions enable multiple concurrent readers (each owning a fraction <1 of the resource) while still enforcing exclusive write access (full permission =1). This framework supports modular proofs of data-race freedom, safe parallel updates, and resource invariants, providing both a theoretical basis and algorithms for real-world static analysis and verification of complex multithreaded programs.

1. Fractional Permissions: Concepts and Principles

Fractional permissions reify ownership as elements in a partial commutative monoid (PCM) of fractions, typically the rational interval (0,1], modeling degrees of access:

• A cell with permission value 1 is exclusively writable (full ownership).
• Fractions <1 permit shared (concurrent, read-only) access; multiple threads may collectively hold read access as long as the sum of their fractions does not exceed 1.
• Permissions can be split and recombined, formally captured by the "split/merge" axiom:

$$\text{PointsTo}(x,\ 1,\ v)\ \vdash\ \text{PointsTo}(x,\ \frac{1}{2},\ v)\ *\ \text{PointsTo}(x,\ \frac{1}{2},\ v)$$

(where $*$ is the separating conjunction).

• Fractional permission accounting is deeply integrated into the spatial logic: assertions of the form $\ell \mapsto^{q} v$ for $q \in (0,1]$.

This model enables concise and compositionally sound specifications of shared, parallel, and re-entrant access patterns, especially suited to modeling resource splitting for fork/join, monitor reentrancy, and parallel loop verification (Haack et al., 2014).

2. Semantic Foundations and Soundness

The foundational semantics of CSLPerm have been provided both by Petri net models and structural operational semantics (SOS). In Petri-net semantics, resources and control are encoded in markings, with ownership tokens generalized from a three-valued set to a fractional domain (0802.0820).

A process-environment duality is enforced, with the combined "ownership net" ensuring:

• Validity conditions: No "fault" event (access to unowned resource) can be reached, and every complete run ends in a marking in which the owned heap portion satisfies the desired post-condition.
• All runs are free of unsound races, as independence information is maintained at the level of tagged control conditions, ensuring that parallel execution is only permitted when disjoint permissions are held.

The soundness of CSLPerm follows from structural induction over program composition, as each concurrent thread can be statically assigned a non-overlapping (or summable) fraction of each memory region, and all rules (parallel composition, resource acquisition, release, sequential composition) preserve the permission invariants (0802.0820, Soares et al., 2017).

3. Tool Support, Automation, and Frame Inference

The absence of practical automation in earlier systems is directly addressed by recent work introducing compositional verification techniques and automated entailment procedures. Notably, (Le, 25 Aug 2025) describes a system with:

• Explicit representation of both strong ($*$) and weak sharing conjunctions for heap regions, preserving arithmetic constraints that explicitly encode disjointness, e.g., $$(A * B) \iff (A\, \mathbin{\amalg}\, B) \land (\alpha \perp \beta)$$, where $\mathbin{\amalg}$ denotes the weak sharing (possibly overlapping).
• An entailment procedure ("FrInfer") that, given a goal $G$ and heap $A$, computes the residual frame $F$ and associated constraints such that $A \models G * F$. Arithmetic constraints govern the legal splits and joins of fractional permission tokens, enforcing $\sum_i q_i \leq 1$ for the permissions assigned to any region.
• Frame inference algorithms that allow modular verification: threads and functions are specified and checked locally, with explicit tracking of which regions are preserved, modified, or shared, supporting scalable verification of programs with dozens of threads and complex data structures.

Empirical evaluation on 10 challenging concurrent programs demonstrates scalability (all programs verified within one minute on a 4-core/8GB system), confirming the practical viability of these compositional, fractionally-sensitive reasoning systems (Le, 25 Aug 2025).

4. Specification Techniques and Reasoning Patterns

CSLPerm supports advanced specification constructs for modern concurrent languages:

• Parameterized Points-to and Invariants: Assertions such as $\text{PointsTo}(x,\,f,\,v)$ support expressing state access at permission $f$; data abstraction and behavioral subtyping are realized via abstract predicates and value-parameterized types (Haack et al., 2014).
• Iterated Separating Conjunctions: Verification of random-access and graph data structures leverages iterated separating conjunctions (ISCs), specifying access to unbounded sets of heap locations in a structure-agnostic way and enabling symbolic execution engines to account for permission sums and splits over quantified ranges (Müller et al., 2016).
• Handling Fork, Join, and Monitors: Permission transfer is tightly integrated with thread lifecycle events (fork/join), and reentrant locks distinguish initial from recursive acquisitions using fractional permission annotations and auxiliary variables for locksets (Haack et al., 2014).
• Modular Termination via Call Permissions: Liveness proofs are modularized by encoding call permissions (which can be themselves fractionally shared and "burned" upon use), allowing total correctness arguments for non-blocking concurrent programs (Fasse et al., 2022).

5. Advanced Models: Resource Algebra, Category Theory, and Abstract Protocols

Recent work generalizes the resource models underlying CSLPerm using algebraic and categorical abstractions:

• Resource Algebras and Morphisms: Specifications are interpreted in resources modeled as partial commutative monoids (PCMs); morphisms provide structure-preserving mappings between resource interpretations, enabling compositional proof reuse and adaptation of code across concurrency control regimes (e.g., spin locks, exclusive locks, reader-writer locks) (Nanevski et al., 2019).
• Categorical Models: The semantics of CSLPerm have been recast in terms of internal opcategories, double categories of cobordisms, and template game semantics (Melliès et al., 2020). Sequential composition is formalized as gluing by pushouts; parallel product as synchronizing by pullbacks. Fractional permissions are naturally invariant under these constructions, preserving correct resource combination and ownership transfer.
• Abstracted Sharing Protocols: Frameworks such as Leaf (Hance et al., 2023) introduce guarding operators, allowing user-defined abstractions of sharing protocols (fractions, counting) and modular temporal sharing: a resource can be "guarded" by a protocol-specific ghost state, enabling temporary sharing and later reclamation (writeback) of exclusive access within a unifying proof system.

6. Integration with Static Analysis and Symbolic Execution

CSLPerm's permission-based reasoning has been integrated into static analysis and verification tools to automate specification inference and checking for concurrent programs:

• Permission Inference for Arrays: (Dohrau et al., 2018) presents a backward static analysis that computes per-element permission maps for array programs, encoding loop requirements as pointwise maxima over iterations. Fractional permissions directly support safe concurrent access (read/write distinction) and communicate required preconditions to verification tools.
• Symbolic Execution for ISCs and Fractional Permissions: (Müller et al., 2016) describes an extension of the Viper tool, where symbolic heaps are enriched to represent ISCs as quantified permission "chunks," with arithmetic over permission sums/ranges and capability to soundly handle both recursive predicates and fraction-sharing specifications.
• Automation and Modularity: By leveraging explicit arithmetic constraints and frame inference, tools can scale modular verification to fine-grained concurrent systems, supporting both declarative and operational styles (Le, 25 Aug 2025).

7. Quantitative and Liveness Extensions

Recent CSLPerm work has broadened the logic's expressiveness to probabilistic properties and total correctness:

• Quantitative CSL: By combining Quantitative Separation Logic (QSL) and CSL, logic can reason about the lower bounds of the probability with which a concurrent program realizes a postcondition. Assertions become [0,1]-valued expectations, multiplied via quantitative separating conjunction, and are tracked against resource invariants (Fesefeldt et al., 2022).
• Termination and Liveness: Modular liveness reasoning is enabled by annotating programs with call permissions that are fractionally split, transferred, and burned at function application sites, transforming termination into a safety property supported by the fractional machinery of CSLPerm (Fasse et al., 2022).

8. Practical Impact and Limitations

CSLPerm-based logics, semantic models, and algorithms provide:

• Precise, scalable reasoning about data-race-freedom, memory safety, and safe resource sharing in real-world multithreaded systems (e.g., parallel mergesort, lock-coupling, reader-writer locks).
• Broad integration with formal verification platforms (e.g., Viper, Iris, F*), supporting both partial correctness and, with additional ghost-state and call-permission machinery, total correctness.
• Empirically validated efficiency in verification benchmarks, including challenging programs beyond earlier state-of-the-art.

However, CSLPerm requires detailed management of permission invariants and arithmetic constraints, and annotation burden may still be significant for highly dynamic or blocking concurrency patterns. Advanced abstractions (e.g., user-defined storage protocols, modular guarding, category-theoretic models) seek to alleviate these limitations by supporting abstraction, protocol parameterization, and compositional verification.

---

In summary, CSLPerm synthesizes the foundational insights of concurrent separation logic with a rigorous, quantitative account of resource ownership, advanced module and concurrency models, and state-of-the-art verification techniques. By extending traditional binary ownership to arbitrary fractions, it enables robust reasoning about safe sharing, compositionality, and advanced liveness properties across a broad class of concurrent systems (0802.0820, Haack et al., 2014, Soares et al., 2017, Le, 25 Aug 2025).