Abstract
We present a linearizability proof for the Chase-Lev work-stealing queue (WSQ) on sequentially consistent (SC) memory. We used the CIVL proof system for verifying refinement of concurrent programs. The lowest-level description of the WSQ is the data structure code described in terms of fine-grained actions whose atomicity is guaranteed by hardware. Higher level descriptions consist of increasingly coarser action blocks obtained using a combination of Owicki-Gries (OG) annotations and reduction and abstraction. We believe that the OG annotations (location invariants) we provided to carry out the refinement proofs at each level provide insight into the correctness of the algorithm. The top-level description for the WSQ consists of a single atomic action for each data structure operation, where the specification of the action is tight enough to show that the WSQ data structure is linearizable.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
CIVL proof files can be obtained from: http://msrc.ku.edu.tr/projects/chase-lev-wsq/.
References
Arora, N.S., Blumofe, R.D., Plaxton, C.G.: Thread scheduling for multiprogrammed multiprocessors. Theor. Comput. Syst. 34(2), 115–144 (2001)
Chase, D., Lev, Y.: Dynamic circular work-stealing deque. In: Proceedings of the Seventeenth Annual ACM Symposium on Parallelism in Algorithms and Architectures, pp. 21–28. ACM (2005)
Elmas, T., Qadeer, S., Tasiran, S.: A calculus of atomic actions. In: ACM Symposium on Principles of Programming Languages, p. 14. Association for Computing Machinery Inc., January 2009
Frigo, M., Leiserson, C.E., Randall, K.H.: The implementation of the Cilk-5 multithreaded language. ACM SIGPLAN Not. 33, 212–223 (1998). ACM
Hawblitzel, C., Petrank, E., Qadeer, S., Tasiran, S.: Automated and modular refinement reasoning for concurrent programs. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 449–465. Springer, Heidelberg (2015)
Aghai, M.K.: Verification of work-stealing deque implementation (2012)
Lê, N.M., Pop, A., Cohen, A., Zappa Nardelli, F.: Correct and efficient work-stealing for weak memory models. ACM SIGPLAN Not. 48, 69–80 (2013). ACM
Lipton, R.J.: Reduction: a method of proving properties of parallel programs. Commun. ACM 18(12), 717–721 (1975)
Liu, F., Nedev, N., Prisadnikov, N., Vechev, M., Yahav, E.: Dynamic synthesis for relaxed memory models. ACM SIGPLAN Not. 47, 429–440 (2012). ACM
Morrison, A., Afek, Y.: Fence-free work stealing on bounded tso processors. ACM SIGPLAN Not. 49(4), 413–426 (2014)
Owicki, S., Gries, D.: An axiomatic proof technique for parallel programs I. Acta Inf. 6(4), 319–340 (1976)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Observations on the SC Executions of the Program
In this section, we first present some observations on (full or partial) executions of the WSQ algorithm with the finest-grained actions (the algorithm in Fig. 1). They will be helpful for obtaining location annotations and enlarging atomic blocks in upper layers.
Our initial observations are simple and they hold for full executions.
Observation 1: H is non-decreasing throughout an execution.
Observation 2: Let us call a steal operation successful if it returns a value other than EMPTY. Then, last iterations of two successful steals cannot be concurrent.
Next, we want to understand the relation between global variables H and T. For a sequential execution, one expects that \(H \le T\) invariant holds throughout the execution. This is not true for the fine-grained SC execution. We observe that H could exceed T in some special cases. However, this violations occur temporarily if take method follows some paths and they begin to hold again after take method finishes.
We examine execution portions (sub-sequences of executions) in a systematic way to obtain observations showing relation between H and T variables.
Observation 3: If an execution portion consists of only concurrent steal operations, we observe that \(H\le T\) is preserved throughout the execution portion.
Observation 4: If an execution portion consists of a single put method concurrent with steal methods, then \(H\le T\) holds throughout this execution portion.
Next, we consider execution portions that has take method concurrent with steal operations. The take method could follow three different paths by either entering the if block in Line 4 (path 1), by entering the if block in Line 9 (path 2) or by not entering those if blocks and returning by Line 15 (path 3).
Observation 5: If an execution portion consists of path 1 of take method concurrent with steals, then \(H\le T\) holds throughout this execution portion.
Observation 6: If an execution portion consists of path 2 of take method concurrent with steals, then \(H\le T\) holds before Line 2 and after Line 14 of the take method and \(H=T \vee H=T+1\) holds between Lines 2 and 14 of take method.
Observation 7: If an execution portion consists of path 3 of take method concurrent with steals, then \(H\le T\) holds before Line 2 and after Line 5 of the take method and \(H=T+1\) holds between Lines 2 and 5 of take method.
B Path Splitting and Loop Peeling
In this section we present our initial abstractions on steal and take methods. These abstractions are not performed by CIVL. Rather, they are obtained by applying some proof rules that are not currently supported by CIVL. We explain the rules and their applications in this section. Methods we obtained after initial abstractions constitute the bottom layer of our mechanized proof.
Our first abstraction is performed on steal method. If we consider the iterations of the loop at Line 1 of steal before the last iteration, they do not modify any global variable and value assigned to return variable is reset by the last iteration. Moreover, value assigned to local variables by reading global variables are also reread by the last iteration before using them. Hence, those iterations has no important effect on OG annotations of other methods and they will not be useful for the refinement proof of steal. Our aim is to abstract steal method so that we do not need to deal with unsuccessful previous iterations of steal.
On the left-side of Fig. 4, we have steal method obtained by peeling out the last iteration of the while loop. All the unsuccessful iterations are captured by the loop at Line 1. They are guaranteed to be unsuccessful by assume statements at lines 4 and 6. The last successful iteration is modeled from Line 7 on.
Lines 2, 3, 5 and 6 could be abstracted by \(havoc\ h,t, task, chk\) and line 4 can be abstracted by skip. With these abstractions, we obtain the method body in the middle column of Fig. 4. Since h, t, chk and task variables have non-deterministic values at the beginning of steal, the whole loop at Line 1 could be removed and we obtain the method at the right-side of Fig. 4 as our basis of steal for the mechanized proof.
For the take method, we want to separate take in such a way that we can reason about each possible path separately. We use the following rule for this purpose:
Rule 1: Let procedure foo has the following body:
where s0 and s2 are sequence of statements and s1 is an atomic block. Then, replacing this body with the following one is a valid abstraction of foo:
where p is a boolean expression on local variables. The \(*\) denotes a non-deterministic value of true or false To obtain the desired method body in Fig. 5, we apply the following steps:
-
1.
Apply Rule 1 to take in Fig. 1 with taking s0, s1, s2 as lines 1, 2; 3 and 4–15 respectively. We also pick p as \(h>t\).
-
2.
Collect statements inside the if block in the method take1 and statements in the else part in the method take23.
-
3.
Apply Rule 1 to take23 with the same line choices in step 1 but taking p as \(h=t\).
-
4.
Collect the statements inside the if block of take23 in take2 method and statements in the else part in take3 method.
-
5.
Inline call of take23 inside the else block of take with its body.
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Mutluergil, S.O., Tasiran, S. (2016). A Mechanized Refinement Proof of the Chase-Lev Deque Using a Proof System. In: Abdulla, P., Delporte-Gallet, C. (eds) Networked Systems. NETYS 2016. Lecture Notes in Computer Science(), vol 9944. Springer, Cham. https://doi.org/10.1007/978-3-319-46140-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-319-46140-3_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46139-7
Online ISBN: 978-3-319-46140-3
eBook Packages: Computer ScienceComputer Science (R0)