Abstract
Concurrent objects are inherently complex to verify. In the late 80s and early 90s, Herlihy and Wing proposed linearizability as a correctness condition for concurrent objects, which, once proven, allows us to reason about concurrent objects using pre- and postconditions only. A concurrent object is linearizable if all of its operations appear to take effect instantaneously some time between their invocation and return.
In this article we define simulation-based proof conditions for linearizability and apply them to two concurrent implementations, a lock-free stack and a set with lock-coupling. Similar to other approaches, we employ a theorem prover (here, KIV) to mechanize our proofs. Contrary to other approaches, we also use the prover to mechanically check that our proof obligations actually guarantee linearizability. This check employs the original ideas of Herlihy and Wing of verifying linearizability via possibilities.
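The definition in the abstract (every operation appears to take effect atomically at some point between its invocation and its return) can be checked directly on a finite concurrent history by searching for a linearization, which is the "possibilities" idea of Herlihy and Wing in its simplest form. The following Python checker is an added illustration and is not the paper's KIV development: it assumes a stack with `push` and `pop`, where a `pop` on an empty stack returns the constructed marker `"empty"`, and it assumes integer invocation/return timestamps for each completed operation. It searches depth first for an order that both respects real-time precedence and is a legal execution of the sequential stack specification.

```python
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple


@dataclass(frozen=True)
class Op:
    """One completed operation in a concurrent history.
    invoke/ret are invocation and return timestamps (constructed integers here)."""
    thread: str
    name: str            # "push" or "pop"
    arg: Any = None      # value pushed (push only)
    result: Any = None   # value popped, or "empty" (pop only)
    invoke: int = 0
    ret: int = 0


Stack = Tuple[Any, ...]


def step(stack: Stack, op: Op) -> Tuple[Stack, bool]:
    """Apply op to the sequential (atomic) stack specification.
    Returns the new stack and whether op's observed result agrees with the spec."""
    if op.name == "push":
        return stack + (op.arg,), True
    if op.name == "pop":
        if not stack:
            return stack, op.result == "empty"
        return stack[:-1], op.result == stack[-1]
    raise ValueError(f"unknown operation {op.name}")


def is_linearizable(history: List[Op]) -> Optional[List[Op]]:
    """Search for a linearization of history: a total order of the operations that
    (1) respects real time (if a returned before b was invoked, a precedes b), and
    (2) is a legal sequential stack execution producing the same results.
    Returns a witness order, or None if no linearization exists."""

    def dfs(prefix: List[Op], pending: List[Op], stack: Stack) -> Optional[List[Op]]:
        if not pending:
            return list(prefix)
        for op in pending:
            # op may take effect next only if no still-pending operation already
            # returned before op was invoked; such an operation must come first.
            if any(o.ret < op.invoke for o in pending if o is not op):
                continue
            new_stack, ok = step(stack, op)
            if not ok:
                continue   # this order would contradict the result op actually returned
            witness = dfs(prefix + [op], [o for o in pending if o is not op], new_stack)
            if witness is not None:
                return witness
        return None

    return dfs([], list(history), ())


# Constructed sample histories (timestamps are illustrative, not taken from the paper).
OK_HISTORY = [
    Op("T1", "push", arg=1, invoke=0, ret=2),
    Op("T2", "pop", result=1, invoke=1, ret=3),
    Op("T1", "pop", result="empty", invoke=4, ret=5),
]
# push and pop overlap: pop may take effect before push, so "empty" is consistent.
OVERLAP_HISTORY = [
    Op("T1", "push", arg=1, invoke=0, ret=3),
    Op("T2", "pop", result="empty", invoke=1, ret=2),
]
# push returned before pop was invoked, yet pop saw an empty stack: no linearization.
BAD_HISTORY = [
    Op("T1", "push", arg=1, invoke=0, ret=1),
    Op("T2", "pop", result="empty", invoke=2, ret=3),
]

if __name__ == "__main__":
    for label, hist in [("ok", OK_HISTORY), ("overlap", OVERLAP_HISTORY), ("bad", BAD_HISTORY)]:
        witness = is_linearizable(hist)
        print(label, "linearizable" if witness is not None else "NOT linearizable",
              [(o.thread, o.name, o.arg if o.name == "push" else o.result)
               for o in (witness or [])])
```

The search is exponential in the number of overlapping operations, which is exactly why the paper replaces such enumeration by simulation-based proof obligations that are discharged once for all histories; the checker is useful only as a test oracle for small recorded histories.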
- Abrial, J.-R. and Cansell, D. 2005. Formal construction of a non-blocking concurrent queue algorithm (a case study in atomicity). J. Univ. Comput. Sci. 11, 5, 744--770.
- Amit, D., Rinetzky, N., Reps, T. W., Sagiv, M., and Yahav, E. 2007. Comparison under abstraction for verifying linearizability. In Proceedings of the International Conference on Computer Aided Verification. W. Damm and H. Hermanns, Eds. Lecture Notes in Computer Science, vol. 4590, Springer, 477--490.
- Barden, R., Stepney, S., and Cooper, D. 1994. Z in Practice. BCS Practitioner Series. Prentice-Hall.
- Barnett, M., Leino, K. R. M., and Schulte, W. 2004. The Spec# programming system: An overview. In Proceedings of the International Conference on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices. Lecture Notes in Computer Science, vol. 3362, Springer, 49--69.
- Bäumler, S., Schellhorn, G., Tofan, B., and Reif, W. 2009. Proving linearizability with temporal logic. Form. Asp. Comput.
- Bayer, R. and Schkolnick, M. 1977. Concurrency of operations on B-trees. Acta Inform. 9, 1--21.
- Calcagno, C., Parkinson, M., and Vafeiadis, V. 2007. Modular safety checking for fine-grained concurrency. In Proceedings of the International Static Analysis Symposium. Lecture Notes in Computer Science, vol. 4634, Springer, 233--238.
- CoFI. 2004. CASL Reference Manual. Lecture Notes in Computer Science, vol. 2960 (IFIP Series). Springer.
- Cohen, E. and Lamport, L. 1998. Reduction in TLA. In Proceedings of the 9th International Conference on Concurrency Theory (CONCUR'98). Springer-Verlag, 317--331.
- Colvin, R., Doherty, S., and Groves, L. 2005. Verifying concurrent data structures by simulation. Electron. Notes Theor. Comput. Sci. 137, 93--110.
- de Roever, W. and Engelhardt, K. 1998. Data Refinement: Model-Oriented Proof Methods and Their Comparison. Cambridge Tracts in Theoretical Computer Science, vol. 47, Cambridge University Press.
- Derrick, J. and Boiten, E. 2001. Refinement in Z and Object-Z: Foundations and Advanced Applications. Springer.
- Derrick, J., Schellhorn, G., and Wehrheim, H. 2007. Proving linearizability via non-atomic refinement. In Proceedings of the 6th International Conference on Integrated Formal Methods. J. Davies and J. Gibbons, Eds. Lecture Notes in Computer Science, vol. 4591, Springer, 195--214.
- Derrick, J., Schellhorn, G., and Wehrheim, H. 2008. Mechanizing a correctness proof for a lock-free concurrent stack. In Proceedings of the International Conference on Formal Methods for Open, Object-Based Distributed Systems. G. Barthe and F. de Boer, Eds. Lecture Notes in Computer Science, vol. 5051, Springer, 78--95.
- Derrick, J. and Wehrheim, H. 2003. Using coupled simulations in non-atomic refinement. In Proceedings of the 3rd International Conference of B and Z Users: Formal Specification and Development in Z and B. Lecture Notes in Computer Science, vol. 2651, Springer, 127--147.
- Derrick, J. and Wehrheim, H. 2005. Non-atomic refinement in Z and CSP. In Proceedings of the 4th International Conference of B and Z Users. Lecture Notes in Computer Science, vol. 3455, Springer.
- Distefano, D., O'Hearn, P., and Yang, H. 2006. A local shape analysis based on separation logic. In Proceedings of the 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'06). Lecture Notes in Computer Science, vol. 3920, Springer, 287--302.
- Doherty, S., Groves, L., Luchangco, V., and Moir, M. 2004. Formal verification of a practical lock-free queue algorithm. In Proceedings of the 12th International Conference on Formal Techniques for Networked and Distributed Systems. Lecture Notes in Computer Science, vol. 3235, Springer, 97--114.
- Farmer, W. M. 1994. Theory interpretation in simple type theory. In Proceedings of the 1st International Workshop on Higher-Order Algebra, Logic, and Term Rewriting. J. Heering et al., Eds. Lecture Notes in Computer Science, vol. 816, Springer.
- Feng, X., Ferreira, R., and Shao, Z. 2007. On the relationship between concurrent separation logic and assume-guarantee reasoning. In Proceedings of the 16th European Symposium on Programming. Springer, 173--188.
- Flanagan, C. and Qadeer, S. 2003. Thread-modular model checking. In Proceedings of the SPIN Workshop. Lecture Notes in Computer Science, vol. 2648, Springer, 213--224.
- Gao, H. and Hesselink, W. H. 2007. A general lock-free algorithm using compare-and-swap. Inform. Comput. 205, 2, 225--241.
- Groves, L. and Colvin, R. 2007. Derivation of a scalable lock-free stack algorithm. Electron. Notes Theor. Comput. Sci. 187, 55--74.
- Hendler, D., Shavit, N., and Yerushalmi, L. 2004. A scalable lock-free stack algorithm. In Proceedings of the Annual ACM Symposium on Parallelism in Algorithms and Architectures (SPAA'04). ACM Press, New York, NY, 206--215.
- Herlihy, M. and Wing, J. 1987. Axioms for concurrent objects. In Proceedings of the ACM Symposium on Principles of Programming Languages. ACM Press, 13--26.
- Herlihy, M. and Wing, J. M. 1990. Linearizability: A correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst. 12, 3, 463--492.
- Hesselink, W. H. 2004. Using eternity variables to specify and prove a serializable database interface. Sci. Comput. Program. 51, 1--2, 47--85.
- Hesselink, W. H. 2005. Eternity variables to prove simulation of specifications. ACM Trans. Comput. Logic 6, 1, 175--201.
- Hesselink, W. H. 2006. Refinement verification of the lazy caching algorithm. Acta Inform. 43, 3, 195--222.
- Hesselink, W. H. 2007. A criterion for atomicity revisited. Acta Inform. 44, 2, 123--151.
- Jacobs, B., Smans, J., Piessens, F., and Schulte, W. 2006. A statically verifiable programming model for concurrent object-oriented programs. In Proceedings of the 8th International Conference on Formal Engineering Methods (ICFEM'06). Z. Liu and J. He, Eds. Lecture Notes in Computer Science, vol. 4260, Springer, 420--439.
- Jones, C. B. 1983. Specification and design of (parallel) programs. In Proceedings of the International Federation for Information Processing (IFIP'83). North-Holland, 321--332.
- KIV. 2009. Web presentation of the linearization case study in KIV. http://www.informatik.uni-augsburg.de/swt/projects/linearizability2.html.
- Lamport, L. 1994. The temporal logic of actions. ACM Trans. Program. Lang. Syst. 16, 3, 872--923.
- Lamport, L. and Schneider, F. B. 1989. Pretending atomicity. Tech. rep. TR89-1005, SRC Digital.
- Lipton, R. J. 1975. Reduction: A method of proving properties of parallel programs. Comm. ACM 18, 12, 717--721.
- Liu, Y., Chen, W., Liu, Y. A., and Sun, J. 2009. Model checking linearizability via refinement. In Proceedings of the 2nd World Congress on Formal Methods. A. Cavalcanti and D. Dams, Eds. Lecture Notes in Computer Science, vol. 5850, Springer, 321--337.
- Michael, M. M. and Scott, M. L. 1998. Nonblocking algorithms and preemption-safe locking on multiprogrammed shared-memory multiprocessors. J. Parall. Distrib. Comput. 51, 1, 1--26.
- Misra, J. 2003. A reduction theorem for concurrent object-oriented programs. In Programming Methodology. A. McIver and C. Morgan, Eds. Springer-Verlag, 69--92.
- Owicki, S. S. and Gries, D. 1976. An axiomatic proof technique for parallel programs I. Acta Inform. 6, 319--340.
- Parkinson, M., Bornat, R., and O'Hearn, P. 2007. Modular verification of a non-blocking stack. In Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'07). ACM, New York, NY, 297--302.
- Reif, W., Schellhorn, G., Stenzel, K., and Balser, M. 1998. Structured specifications and interactive proofs with KIV. In Automated Deduction—A Basis for Applications, Vol. II: Systems and Implementation Techniques. W. Bibel and P. Schmitt, Eds. Kluwer Academic Publishers, Dordrecht, Chapter 1, 13--39.
- Reynolds, J. C. 2002. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science. 55--74.
- Spivey, J. 1992. The Z Notation: A Reference Manual. Prentice Hall.
- Vafeiadis, V. 2008. Modular fine-grained concurrency verification. Tech. rep. UCAM-CL-TR-726, Computer Laboratory, University of Cambridge.
- Vafeiadis, V., Herlihy, M., Hoare, T., and Shapiro, M. 2006. Proving correctness of highly concurrent linearisable objects. In Proceedings of the 11th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP'06). ACM, New York, NY, 129--136.
- Vafeiadis, V. and Parkinson, M. J. 2007. A marriage of rely/guarantee and separation logic. In Proceedings of the 18th International Conference on Concurrency Theory (CONCUR'07). L. Caires and V. T. Vasconcelos, Eds. Lecture Notes in Computer Science, vol. 4703, Springer, 256--271.
- Vechev, M. and Yahav, E. 2008. Deriving linearizable fine-grained concurrent objects. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'08). ACM, New York, NY, 125--135.
- Wang, L. and Stoller, S. D. 2004. Automated verification of programs with non-blocking synchronization. Tech. rep. DAR-04-17, Computer Science Department, SUNY at Stony Brook. http://www.cs.sunysb.edu/~liqiang/lockfree.html.
- Wang, L. and Stoller, S. D. 2005. Static analysis for programs with non-blocking synchronization. In Proceedings of the ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP'05). ACM Press, New York, NY.
- Woodcock, J. C. P. and Davies, J. 1996. Using Z: Specification, Refinement, and Proof. Prentice Hall.
Index Terms
- Mechanically verified proof obligations for linearizability