Verifying linearizability with hindsight

We present a proof of safety and linearizability of a highly-concurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about the shared state. The Hindsight Lemma allows us to avoid one of the most complex and non-intuitive steps in reasoning about highly concurrent algorithms: considering the linearization point of an operation to be in a different thread than the one executing it. The Hindsight Lemma assumes that the algorithm maintains certain simple invariants which are resilient to interference, and which can themselves be verified using purely thread-local proofs. As a consequence, the lemma allows us to unlock a perhaps-surprising intuition: a high degree of interference makes non-trivial highly-concurrent algorithms in some cases much easier to verify than less concurrent ones.
