Skip to main content
SpringerLink
Log in

A Mechanized Refinement Proof of the Chase-Lev Deque Using a Proof System

  • Conference paper
  • First Online:
Book cover Networked Systems (NETYS 2016)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 9944))

Included in the following conference series:

  • 551 Accesses

Abstract

We present a linearizability proof for the Chase-Lev work-stealing queue (WSQ) on sequentially consistent (SC) memory. We used the CIVL proof system for verifying refinement of concurrent programs. The lowest-level description of the WSQ is the data structure code described in terms of fine-grained actions whose atomicity is guaranteed by hardware. Higher level descriptions consist of increasingly coarser action blocks obtained using a combination of Owicki-Gries (OG) annotations and reduction and abstraction. We believe that the OG annotations (location invariants) we provided to carry out the refinement proofs at each level provide insight into the correctness of the algorithm. The top-level description for the WSQ consists of a single atomic action for each data structure operation, where the specification of the action is tight enough to show that the WSQ data structure is linearizable.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    CIVL proof files can be obtained from: http://msrc.ku.edu.tr/projects/chase-lev-wsq/.

References

  1. Arora, N.S., Blumofe, R.D., Plaxton, C.G.: Thread scheduling for multiprogrammed multiprocessors. Theor. Comput. Syst. 34(2), 115–144 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  2. Chase, D., Lev, Y.: Dynamic circular work-stealing deque. In: Proceedings of the Seventeenth Annual ACM Symposium on Parallelism in Algorithms and Architectures, pp. 21–28. ACM (2005)

    Google Scholar 

  3. Elmas, T., Qadeer, S., Tasiran, S.: A calculus of atomic actions. In: ACM Symposium on Principles of Programming Languages, p. 14. Association for Computing Machinery Inc., January 2009

    Google Scholar 

  4. Frigo, M., Leiserson, C.E., Randall, K.H.: The implementation of the Cilk-5 multithreaded language. ACM SIGPLAN Not. 33, 212–223 (1998). ACM

    Article  Google Scholar 

  5. Hawblitzel, C., Petrank, E., Qadeer, S., Tasiran, S.: Automated and modular refinement reasoning for concurrent programs. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 449–465. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  6. Aghai, M.K.: Verification of work-stealing deque implementation (2012)

    Google Scholar 

  7. Lê, N.M., Pop, A., Cohen, A., Zappa Nardelli, F.: Correct and efficient work-stealing for weak memory models. ACM SIGPLAN Not. 48, 69–80 (2013). ACM

    Article  Google Scholar 

  8. Lipton, R.J.: Reduction: a method of proving properties of parallel programs. Commun. ACM 18(12), 717–721 (1975)

    Article  MathSciNet  MATH  Google Scholar 

  9. Liu, F., Nedev, N., Prisadnikov, N., Vechev, M., Yahav, E.: Dynamic synthesis for relaxed memory models. ACM SIGPLAN Not. 47, 429–440 (2012). ACM

    Article  Google Scholar 

  10. Morrison, A., Afek, Y.: Fence-free work stealing on bounded tso processors. ACM SIGPLAN Not. 49(4), 413–426 (2014)

    Google Scholar 

  11. Owicki, S., Gries, D.: An axiomatic proof technique for parallel programs I. Acta Inf. 6(4), 319–340 (1976)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Koc University, Istanbul, Turkey

    Suha Orhun Mutluergil & Serdar Tasiran

Authors
  1. Suha Orhun Mutluergil
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Serdar Tasiran
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Suha Orhun Mutluergil .

Editor information

Editors and Affiliations

  1. Uppsala University , Uppsala, Sweden

    Parosh Aziz Abdulla

  2. Université Paris Diderot , Paris, France

    Carole Delporte-Gallet

Appendices

A Observations on the SC Executions of the Program

In this section, we first present some observations on (full or partial) executions of the WSQ algorithm with the finest-grained actions (the algorithm in Fig. 1). They will be helpful for obtaining location annotations and enlarging atomic blocks in upper layers.

Our initial observations are simple and they hold for full executions.

Observation 1: H is non-decreasing throughout an execution.

Observation 2: Let us call a steal operation successful if it returns a value other than EMPTY. Then, last iterations of two successful steals cannot be concurrent.

Next, we want to understand the relation between global variables H and T. For a sequential execution, one expects that \(H \le T\) invariant holds throughout the execution. This is not true for the fine-grained SC execution. We observe that H could exceed T in some special cases. However, this violations occur temporarily if take method follows some paths and they begin to hold again after take method finishes.

We examine execution portions (sub-sequences of executions) in a systematic way to obtain observations showing relation between H and T variables.

Observation 3: If an execution portion consists of only concurrent steal operations, we observe that \(H\le T\) is preserved throughout the execution portion.

Observation 4: If an execution portion consists of a single put method concurrent with steal methods, then \(H\le T\) holds throughout this execution portion.

Next, we consider execution portions that has take method concurrent with steal operations. The take method could follow three different paths by either entering the if block in Line 4 (path 1), by entering the if block in Line 9 (path 2) or by not entering those if blocks and returning by Line 15 (path 3).

Observation 5: If an execution portion consists of path 1 of take method concurrent with steals, then \(H\le T\) holds throughout this execution portion.

Observation 6: If an execution portion consists of path 2 of take method concurrent with steals, then \(H\le T\) holds before Line 2 and after Line 14 of the take method and \(H=T \vee H=T+1\) holds between Lines 2 and 14 of take method.

Observation 7: If an execution portion consists of path 3 of take method concurrent with steals, then \(H\le T\) holds before Line 2 and after Line 5 of the take method and \(H=T+1\) holds between Lines 2 and 5 of take method.

B Path Splitting and Loop Peeling

In this section we present our initial abstractions on steal and take methods. These abstractions are not performed by CIVL. Rather, they are obtained by applying some proof rules that are not currently supported by CIVL. We explain the rules and their applications in this section. Methods we obtained after initial abstractions constitute the bottom layer of our mechanized proof.

Fig. 4.
figure 4

Initial abstractions on steal method

Full size image

Our first abstraction is performed on steal method. If we consider the iterations of the loop at Line 1 of steal before the last iteration, they do not modify any global variable and value assigned to return variable is reset by the last iteration. Moreover, value assigned to local variables by reading global variables are also reread by the last iteration before using them. Hence, those iterations has no important effect on OG annotations of other methods and they will not be useful for the refinement proof of steal. Our aim is to abstract steal method so that we do not need to deal with unsuccessful previous iterations of steal.

On the left-side of Fig. 4, we have steal method obtained by peeling out the last iteration of the while loop. All the unsuccessful iterations are captured by the loop at Line 1. They are guaranteed to be unsuccessful by assume statements at lines 4 and 6. The last successful iteration is modeled from Line 7 on.

Lines 2, 3, 5 and 6 could be abstracted by \(havoc\ h,t, task, chk\) and line 4 can be abstracted by skip. With these abstractions, we obtain the method body in the middle column of Fig. 4. Since h, t, chk and task variables have non-deterministic values at the beginning of steal, the whole loop at Line 1 could be removed and we obtain the method at the right-side of Fig. 4 as our basis of steal for the mechanized proof.

For the take method, we want to separate take in such a way that we can reason about each possible path separately. We use the following rule for this purpose:

Fig. 5.
figure 5

Initial abstractions on take method

Full size image

Rule 1: Let procedure foo has the following body:

figure a

where s0 and s2 are sequence of statements and s1 is an atomic block. Then, replacing this body with the following one is a valid abstraction of foo:

figure b

where p is a boolean expression on local variables. The \(*\) denotes a non-deterministic value of true or false To obtain the desired method body in Fig. 5, we apply the following steps:

  1. 1.

    Apply Rule 1 to take in Fig. 1 with taking s0, s1, s2 as lines 1, 2; 3 and 4–15 respectively. We also pick p as \(h>t\).

  2. 2.

    Collect statements inside the if block in the method take1 and statements in the else part in the method take23.

  3. 3.

    Apply Rule 1 to take23 with the same line choices in step 1 but taking p as \(h=t\).

  4. 4.

    Collect the statements inside the if block of take23 in take2 method and statements in the else part in take3 method.

  5. 5.

    Inline call of take23 inside the else block of take with its body.

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Mutluergil, S.O., Tasiran, S. (2016). A Mechanized Refinement Proof of the Chase-Lev Deque Using a Proof System. In: Abdulla, P., Delporte-Gallet, C. (eds) Networked Systems. NETYS 2016. Lecture Notes in Computer Science(), vol 9944. Springer, Cham. https://doi.org/10.1007/978-3-319-46140-3_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-46140-3_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46139-7

  • Online ISBN: 978-3-319-46140-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation