# Ori Lahav, Tel Aviv University (TAU)

Ori Lahav

PhD

## About

- Publications: 69
- Reads: 2,453


- Citations: 1,372 (since 2017)

## Publications

Publications (69)

A four-valued semantics for the modal logic K is introduced. Possible worlds are replaced by a hierarchy of four-valued valuations, where the valuations of the first level correspond to valuations that are legal w.r.t. a basic non-deterministic matrix, and each level further restricts its set of valuations. The semantics is proven to be effective,...

While causal consistency is one of the most fundamental consistency models weaker than sequential consistency, the decidability of safety verification for (finite-state) concurrent programs running under causally consistent shared memories is still unclear. In this article, we establish the decidability of this problem for two standard and well-stu...

We study abstraction for crash-resilient concurrent objects using non-volatile memory (NVM). We develop a library-correctness criterion that is sound for ensuring contextual refinement in this setting, thus allowing clients to reason about library behaviors in terms of their abstract specifications, and library developers to verify their implementa...

The rise of persistent memory is disrupting computing to its core. Our work aims to help programmers navigate this brave new world by providing a program logic for reasoning about x86 code that uses low-level operations such as memory accesses and fences, as well as persistency primitives such as flushes. Our logic, Pierogi, benefits from a simple...


Liveness properties, such as termination, of even the simplest shared-memory concurrent programs under sequential consistency typically require some fairness assumptions about the scheduler. Under weak memory models, we observe that the standard notions of thread fairness are insufficient, and an additional fairness property, which we call memory f...

We study the problem of verifying the robustness of concurrent programs against a C11-style memory model that includes relaxed accesses and release/acquire accesses and fences, and show that this verification problem can be reduced to a standard reachability problem under sequential consistency. We further observe that existing robustness notions d...

We study the formal semantics of non-volatile memory in the x86-TSO architecture. We show that while the explicit persist operations in the recent model of Raad et al. from POPL'20 only enforce order between writes to the non-volatile memory, it is equivalent, in terms of reachable states, to a model whose explicit persist operations mandate that p...

We observe that the standard notion of thread fairness is insufficient for guaranteeing termination of even the simplest shared-memory programs under weak memory models. Guaranteeing termination requires additional model-specific fairness constraints, which we call memory fairness. In the case of acyclic declarative memory models, such as TSO and R...

The advent of non-volatile memory (NVM) technologies is expected to transform how software systems are structured fundamentally, making the task of correct programming significantly harder. This is because ensuring that memory stores persist in the correct order is challenging, and requires low-level programming to flush the cache at appropriate po...


Weakestmo is a recently proposed memory consistency model that uses event structures to resolve the infamous "out-of-thin-air" problem. Although it has been shown to have important benefits over other memory models, its established compilation schemes are suboptimal in that they add more fences than necessary. In this paper, we prove the correctnes...

We present an algorithm for automatically checking robustness of concurrent programs against C/C++11 release/acquire semantics, namely verifying that all program behaviors under release/acquire are allowed by sequential consistency. Our approach reduces robustness verification to a reachability problem under (instrumented) sequential consistency. W...

Analyticity, also known as the subformula property, typically guarantees decidability of derivability in propositional sequent calculi. To utilize this fact, two substantial gaps have to be addressed: (i) What makes a sequent calculus analytic? and (ii) How do we obtain an efficient decision procedure for derivability in an analytic calculus? In th...

We consider concurrent programs interacting with causally consistent shared memory. After describing the semantics of such programs, we outline several verification problems and survey some existing solutions.

In the original publication, the corresponding author was indicated incorrectly. The correct corresponding author of the article should be Ori Lahav. The original article has been updated accordingly. © 2017 Springer International Publishing AG, part of Springer Nature

Snapshot isolation (SI) is a standard transactional consistency model used in databases, distributed systems and software transactional memory (STM). Its semantics is formally defined both declaratively as an acyclicity axiom, and operationally as a concurrent algorithm with memory bearing timestamps.

Concurrent libraries are the building blocks for concurrency. They encompass a range of abstractions (locks, exchangers, stacks, queues, sets) built in a layered fashion: more advanced libraries are built out of simpler ones. While there has been a lot of work on verifying such libraries in a sequentially consistent (SC) environment, little is know...

We develop a new intermediate weak memory model, IMM, as a way of modularizing the proofs of correctness of compilation from concurrent programming languages with weak memory consistency semantics to mainstream multi-core architectures, such as POWER and ARM. We use IMM to prove the correctness of compilation from the promising semantics of Kang et...

While the subformula property is usually a trivial consequence of cut-admissibility in sequent calculi, it is unclear in which cases the subformula property implies cut-admissibility. In this paper, we identify two wide families of propositional sequent calculi for which this is the case: the (generalized) subformula property is equivalent to cut-a...


Snapshot isolation (SI) is a standard transactional consistency model used in databases, distributed systems and software transactional memory (STM). It is formally defined both declaratively as an acyclicity axiom, and operationally as a concurrent algorithm with memory bearing timestamps. In this paper, we develop two simpler equivalent operation...

We present SLR, the first expressive program logic for reasoning about concurrent programs under a weak memory model addressing the out-of-thin-air problem. Our logic includes the standard features from existing logics, such as RSL and GPS, that were previously known to be sound only under stronger memory models: (1) separation, (2) per-location in...

Parallel snapshot isolation (PSI) is a standard transactional consistency model used in databases and distributed systems. We argue that PSI is also a useful formal model for software transactional memory (STM) as it has certain advantages over other consistency models. However, the formal PSI definition is given declaratively by acyclicity axioms,...


We present a stateless model checking algorithm for verifying concurrent programs running under RC11, a repaired version of the C/C++11 memory model without dependency cycles. Unlike most previous approaches, which enumerate thread interleavings up to some partial order reduction improvements, our approach works directly on execution graphs and (in...

Non-classical negations may fail to be contradictory-forming operators in more than one way, and they often fail also to respect fundamental meta-logical properties such as the replacement property. Such drawbacks are witnessed by intricate semantics and proof systems, whose philosophical interpretations and computational properties are found wanti...

We identify two wide families of propositional sequent calculi for which cut-admissibility is a corollary of the subformula property. While the subformula property is often a simple consequence of cut-admissibility, our results shed light on the converse direction, and may be used to simplify cut-admissibility proofs in various propositional sequen...

The C/C++11 memory model defines the semantics of concurrent memory accesses in C/C++, and in particular supports racy "atomic" accesses at a range of different consistency levels, from very weak consistency ("relaxed") to strong, sequential consistency ("SC"). Unfortunately, as we observe in this paper, the semantics of SC atomic accesses in C/C++...


Despite many years of research, it has proven very difficult to develop a memory model for concurrent programming languages that adequately balances the conflicting desiderata of programmers, compilers, and hardware. In this paper, we propose the first relaxed memory model that (1) accounts for a broad spectrum of features from the C++11 concurrenc...


Concurrent programs have behaviors which cannot be explained by interleaving execution of their threads on a single processing unit, due to optimizations performed by modern compilers and CPUs. How to correctly and completely define a semantics of a programming language which accounts for these behaviors is an open research problem. Ther...

Weak memory models determine the behavior of concurrent programs. While they are often understood in terms of reorderings that the hardware or the compiler may perform, their formal definitions are typically given in a very different style—either axiomatic or operational. In this paper, we investigate to what extent weak behaviors of existing memor...

Recent work has made great progress in verifying the forwarding correctness of networks. However, these approaches cannot be used to verify networks containing middleboxes, such as caches and firewalls, whose forwarding behavior depends on previously observed traffic. We explore how to verify reachability properties for networks that include such...

We look at non-classical negations and their corresponding adjustment connectives from a modal viewpoint, over complete distributive lattices, and apply a very general mechanism in order to offer adequate analytic proof systems to logics that are based on them. Defining non-classical negations within usual modal semantics automatically allows one t...

We introduce a strengthening of the release-acquire fragment of the C11 memory model that (i) forbids dubious behaviors that are not observed in any implementation; (ii) supports fence instructions that restore sequential consistency; and (iii) admits an equivalent intuitive operational semantics based on point-to-point communication. This strength...

We show that even in the absence of auxiliary variables, the well-known Owicki-Gries method for verifying concurrent programs is unsound for weak memory models. By strengthening its non-interference check, however, we obtain OGRA, a program logic that is sound for reasoning about programs in the release-acquire fragment of the C11 memory model. We...

We prove that the extension of the known hypersequent calculus for standard first-order Gödel logic with usual rules for second-order quantifiers is sound and (cut-free) complete for Henkin-style semantics for second-order Gödel logic. The proof is semantic, and it is similar in nature to Schütte and Tait's proof of Takeuti's conjecture.

Software-defined networking (SDN) is a new paradigm for operating and managing computer networks. SDN enables logically-centralized control over network devices through a "controller" --- software that operates independently of the network hardware. Network operators can run both in-house and third-party SDN programs on top of the controller, e.g.,...

We develop a fully algorithmic approach to "taming" logics expressed Hilbert style, that is, reformulating them in terms of analytic sequent calculi and useful semantics. Our approach applies to Hilbert calculi extending the positive fragment of propositional classical logic with axioms of a certain general form that contain new unary connectives....

Great progress has been made recently in verifying the correctness of router forwarding tables. However, these approaches do not work for networks containing middleboxes such as caches and firewalls whose forwarding behavior depends on previously observed traffic. We explore how to verify isolation properties in networks that include such "dynamic...

Primal infon logic was proposed by Gurevich and Neeman as an efficient yet expressive logic for policy and trust management. It is a propositional multimodal subintuitionistic logic decidable in linear time. However in that logic the principle of the replacement of equivalents fails. For example, x∧y→z does not entail y∧x→z, and similarly w→x∧y∧z d...

We study the question of when a given set of derivable rules in some basic analytic propositional sequent calculus forms itself an analytic calculus. First, a general syntactic criterion for analyticity in the family of pure sequent calculi is presented. Next, given a basic calculus admitting this criterion, we provide a method to construct weaker...

We identify a wide family of analytic sequent calculi for propositional non-classical logics whose derivability problem can be uniformly reduced to SAT. The proposed reduction is based on interpreting these calculi using non-deterministic semantics. Its time complexity is polynomial, and, in fact, linear for a useful subfamily. We further study an...

First-order logic with transitive closure and separation logic enable elegant interactive verification of heap-manipulating programs. However, undecidability results and the high asymptotic complexity of checking validity preclude complete automatic verification of such programs, even when loop invariants and procedure contracts are specified as formul...

We define a general family of canonical labelled calculi, of which many previously studied sequent and labelled calculi are particular instances. We then provide a uniform and modular method to obtain finite-valued semantics for every canonical labelled calculus by introducing the notion of partial non-deterministic matrices. The semantics is appli...

We identify a large family of fully structural propositional sequent systems, which we call basic systems. We present a general uniform method for providing (potentially, nondeterministic) strongly sound and complete Kripke-style semantics, which is applicable for every system of this family. In addition, this method can also be applied when: (i) s...

We define a general family of hypersequent systems with well-behaved logical rules, of which the known hypersequent calculus for (propositional) Gödel logic is a particular instance. We present a method to obtain (possibly, non-deterministic) many-valued semantics for every system of this family. The detailed semantic analysis provides simple char...

We provide a general method for generating cut-free and/or analytic hypersequent Gentzen-type calculi for a variety of normal modal logics. The method applies to all modal logics characterized by Kripke frames, transitive Kripke frames, or symmetric Kripke frames satisfying some properties, given by first-order formulas of a certain simple form. Thi...

We provide a constructive direct semantic proof of the completeness of the cut-free part of the hypersequent calculus HIF for the standard first-order Gödel logic (thereby proving both completeness of the calculus for its standard semantics, and the admissibility of the cut rule in the full calculus). The results also apply to derivations from assu...

We automate the construction of analytic sequent calculi and effective semantics for a large class of logics formulated as Hilbert calculi. Our method applies to infinitely many logics, which include the family of paraconsistent C-systems, as well as to other logics for which neither analytic calculi nor suitable semantics have so far been availabl...

We consider a family of sequent systems with "well-behaved" logical rules in which the cut rule and/or the identity-axiom are not present. We provide a semantic characterization of the logics induced by these systems in the form of non-deterministic three-valued or four-valued matrices. The semantics is used to study some important proof-theoretic...

We provide a systematic and modular method to define non-deterministic finite-valued semantics for a natural and very general family of canonical labelled calculi, of which many previously studied sequent and labelled calculi are particular instances. This semantics is effective, in the sense that it naturally leads to a decision procedure for thes...

We use non-deterministic finite-valued matrices to provide uniform effective semantics for a large family of logics, emerging from "well-behaved" sequent systems in which the cut rule and/or the identity-axiom are not present. We exploit this semantics to obtain important proof-theoretic properties of systems of this kind, such as cut-admissibility...

We define the notion of a canonical Gödel system in the framework of single-conclusion hypersequent calculi. A corresponding general (nondeterministic) Gödel valuation semantics is developed, as well as a (nondeterministic) linear intuitionistic Kripke-frames semantics. We show that every canonical Gödel system induces a class of Gödel valuations (...

We present a general method for providing Kripke semantics for the family of fully-structural multiple-conclusion propositional sequent systems. In particular, many well-known Kripke semantics for a variety of logics are easily obtained as special cases. This semantics is then used to obtain semantic characterizations of analytic sequent systems of...

(Non-)deterministic Kripke-style semantics is used to characterize two syntactic properties of single-conclusion canonical sequent calculi: invertibility of rules and axiom-expansion. An alternative matrix-based formulation of such semantics is introduced, which provides an algorithm for checking these properties, and also new insights into basic c...

We present a multiple-conclusion hypersequent system for the standard first-order Gödel logic. We provide a constructive, direct, and simple proof of the completeness of the cut-free part of this system, thereby proving both completeness for its standard semantics, and the admissibility of the cut rule in the full system. The results also apply to...

Canonical inference rules and canonical systems are defined in the framework of non-strict single-conclusion sequent systems, in which the succedents of sequents can be empty. Important properties of this framework are investigated, and a general non-deterministic Kripke-style semantics is provided. This general semantics is then used to provide a...

We define the notions of a canonical inference rule and a canonical constructive system in the framework of strict single-conclusion Gentzen-type systems (or, equivalently, natural deduction systems), and develop a corresponding general non-deterministic Kripke-style semantics. We show that every strict constructive canonical system induces a class...

We define the notions of a canonical inference rule and a canonical constructive system in the framework of strict single-conclusion Gentzen-type systems (or, equivalently, natural deduction systems), and develop a corresponding general non-deterministic Kripke-style semantics. We show that every constructive canonical system induces a class of non...