Mechanized proofs of opacity: a comparison of two techniques

Software transactional memory (STM) provides programmers with a high-level programming abstraction for synchronization of parallel processes, allowing blocks of codes that execute in an interleaved manner to be treated as atomic blocks. This atomicity property is captured by a correctness criterion called opacity, which relates the behaviour of an STM implementation to those of a sequential atomic specification. In this paper, we prove opacity of a recently proposed STM implementation: the Transactional Mutex Lock (TML) by Dalessandro et al. For this, we employ two different methods: the first method directly shows all histories of TML to be opaque (proof by induction), using a linearizability proof of TML as an assistance; the second method shows TML to be a refinement of an existing intermediate specification called TMS2 which is known to be opaque (proof by simulation). Both proofs are carried out within interactive provers, the first with KIV and the second with both Isabelle and KIV. This allows to compare not only the proof techniques in principle, but also their complexity in mechanization. It turns out that the second method, already leveraging an existing proof of opacity of TMS2, allows the proof to be decomposed into two independent proofs in the way that the linearizability proof does not.

[1]  Olaf Müller,et al.  I/O Automata and Beyond: Temporal Logic and Abstraction in Isabelle , 1998, TPHOLs.

[2]  Michel Raynal,et al.  Virtual world consistency: A condition for STM systems (with a versatile protocol with invisible read operations) , 2012, Theor. Comput. Sci..

[3]  John Derrick,et al.  Verifying Opacity of a Transactional Mutex Lock , 2015, FM.

[4]  Markus Wenzel,et al.  Isabelle, Isar - a versatile environment for human readable formal proof documents , 2002 .

[5]  Maged M. Michael,et al.  RingSTM: scalable transactions with a single atomic instruction , 2008, SPAA '08.

[6]  Sathya Peri,et al.  Opacity proof for CaPR+ algorithm , 2015, ICDCN.

[7]  Mohsen Lesani,et al.  On the Correctness of Transactional Memory Algorithms , 2014 .

[8]  Amir Pnueli,et al.  Verifying Correctness of Transactional Memories , 2007 .

[9]  Tobias Nipkow,et al.  A Proof Assistant for Higher-Order Logic , 2002 .

[10]  Nancy A. Lynch,et al.  Hierarchical correctness proofs for distributed algorithms , 1987, PODC '87.

[11]  John Derrick,et al.  Verifying Linearisability with Potential Linearisation Points , 2011, FM.

[12]  Viktor Vafeiadis,et al.  Modular fine-grained concurrency verification , 2008 .

[13]  Rachid Guerraoui,et al.  Completeness and Nondeterminism in Model Checking Transactional Memories , 2008, CONCUR.

[14]  Maurice Herlihy,et al.  Software transactional memory for dynamic-sized data structures , 2003, PODC '03.

[15]  Rupak Majumdar,et al.  Parameterized verification of transactional memories , 2010, PLDI '10.

[16]  Gokcen Kestor,et al.  Verification Tools for Transactional Programs , 2015, Transactional Memory.

[17]  John Derrick,et al.  Verifying Linearisability , 2015, ACM Comput. Surv..

[18]  N. Lynch,et al.  Forward and backward simulations , 1993 .

[19]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[20]  Jens Palsberg,et al.  Decomposing Opacity , 2014, DISC.

[21]  Mark Moir,et al.  Towards formally specifying and verifying transactional memory , 2009, Formal Aspects of Computing.

[22]  Mark Moir,et al.  A Framework for Formally Verifying Software Transactional Memory Algorithms , 2012, CONCUR.

[23]  Nir Shavit,et al.  Transactional Locking II , 2006, DISC.

[24]  Michael F. Spear,et al.  NOrec: streamlining STM by abolishing ownership records , 2010, PPoPP '10.

[25]  M. Lesani Putting Opacity in its Place , 2012 .

[26]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[27]  Jens Palsberg,et al.  Proving Non-opacity , 2013, DISC.

[28]  Christos H. Papadimitriou,et al.  The serializability of concurrent database updates , 1979, JACM.

[29]  Rachid Guerraoui,et al.  Model checking transactional memories , 2008, PLDI '08.

[30]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[31]  Rachid Guerraoui,et al.  Principles of Transactional Memory , 2010, Synthesis Lectures on Distributed Computing Theory.

[32]  Mark Moir,et al.  Formal Verification of a Practical Lock-Free Queue Algorithm , 2004, FORTE.

[33]  Yong Li,et al.  Formal reasoning about lazy-STM programs , 2010 .

[34]  Leslie Lamport,et al.  How to Make a Multiprocessor Computer That Correctly Executes Multiprocess Programs , 2016, IEEE Transactions on Computers.

[35]  Gidon Ernst,et al.  KIV: overview and VerifyThis competition , 2014, International Journal on Software Tools for Technology Transfer.

[36]  Nir Shavit,et al.  Transactional Mutex Locks , 2010, Euro-Par.

[37]  Hagit Attiya,et al.  A programming language perspective on transactional memory consistency , 2013, PODC '13.

[38]  Hagit Attiya,et al.  Safety of Live Transactions in Transactional Memory: TMS is Necessary and Sufficient , 2014, DISC.

[39]  John Derrick,et al.  A Sound and Complete Proof Technique for Linearizability of Concurrent Data Structures , 2014, TOCL.

[40]  James R. Larus,et al.  Transactional Memory, 2nd edition , 2010, Transactional Memory.