Verifying Invariants of Lock-Free Data Structures with Rely-Guarantee and Refinement Types

Verifying invariants of fine-grained concurrent data structures is challenging, because interference from other threads may occur at any time. We propose a new way of proving invariants of fine-grained concurrent data structures: applying rely-guarantee reasoning to references in the concurrent setting. Rely-guarantee applied to references can verify bounds on thread interference without requiring a whole program to be verified. This article provides three new results. First, it provides a new approach to preserving invariants and restricting usage of concurrent data structures. Our approach targets a space between simple type systems and modern concurrent program logics, offering an intermediate point between unverified code and full verification. Furthermore, it avoids sealing concurrent data structure implementations and can interact safely with unverified imperative code. Second, we demonstrate the approach’s broad applicability through a series of case studies, using two implementations: an axiomatic Coq domain-specific language and a library for Liquid Haskell. Third, these two implementations allow us to compare and contrast verifications by interactive proof (Coq) and a weaker form that can be expressed using automatically-discharged dependent refinement types (Liquid Haskell).

[1]  Michael D. Ernst,et al.  Javari: adding reference immutability to Java , 2005, OOPSLA '05.

[2]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[3]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[4]  Ranjit Jhala,et al.  Refinement types for Haskell , 2014, ICFP.

[5]  Viktor Vafeiadis,et al.  Structuring the verification of heap-manipulating programs , 2010, POPL '10.

[6]  Michael D. Ernst,et al.  Ownership and immutability in generic Java , 2010, OOPSLA.

[7]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[8]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[9]  Colin S. Gordon Verifying Concurrent Programs by Controlling Alias Interference , 2014 .

[10]  Peter Dybjer,et al.  A general formulation of simultaneous inductive-recursive definitions in type theory , 2000, Journal of Symbolic Logic.

[11]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[12]  Maged M. Michael,et al.  Simple, fast, and practical non-blocking and blocking concurrent queue algorithms , 1996, PODC '96.

[13]  Xin-She Yang,et al.  Introduction to Algorithms , 2021, Nature-Inspired Optimization Algorithms.

[14]  Timothy L. Harris,et al.  A Pragmatic Implementation of Non-blocking Linked-Lists , 2001, DISC.

[15]  Ilya Sergey,et al.  Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity , 2014, ESOP.

[16]  Lars Birkedal,et al.  Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning , 2015, POPL.

[17]  Ranjit Jhala,et al.  Type-based data structure verification , 2009, PLDI '09.

[18]  Rupak Majumdar,et al.  Asynchronous Liquid Separation Types , 2015, ECOOP.

[19]  Lars Birkedal,et al.  Unifying refinement and hoare-style reasoning in a logic for higher-order concurrency , 2013, ICFP.

[20]  Lars Birkedal,et al.  Fictional Separation Logic , 2012, ESOP.

[21]  François Pottier Hiding Local State in Direct Style: A Higher-Order Anti-Frame Rule , 2008, 2008 23rd Annual IEEE Symposium on Logic in Computer Science.

[22]  Rupak Majumdar,et al.  HMC: Verifying Functional Programs Using Abstract Interpreters , 2011, CAV.

[23]  Michael D. Ernst,et al.  Reim & ReImInfer: checking and inference of reference immutability and method purity , 2012, OOPSLA '12.

[24]  Frank Piessens,et al.  Expressive modular fine-grained concurrency specification , 2011, POPL '11.

[25]  Frank Piessens,et al.  Sound Modular Verification of C Code Executing in an Unverified Context , 2014, POPL.

[26]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[27]  Ilya Sergey,et al.  Mechanized verification of fine-grained concurrent programs , 2015, PLDI.

[28]  Eran Yahav,et al.  Verifying linearizability with hindsight , 2010, PODC.

[29]  Ranjit Jhala,et al.  Deterministic parallelism via liquid effects , 2012, PLDI '12.

[30]  J. Gregory Morrisett,et al.  Towards type-theoretic semantics for transactional concurrency , 2009, TLDI '09.

[31]  Adam Chlipala,et al.  Effective interactive proofs for higher-order imperative programs , 2009, ICFP.

[32]  Ranjit Jhala,et al.  Dsolve: Safety Verification via Liquid Types , 2010, CAV.

[33]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[34]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[35]  John C. Reynolds,et al.  Preliminary design of the programming language Forsythe , 1988 .

[36]  Jon Crowcroft,et al.  Unikernels: library operating systems for the cloud , 2013, ASPLOS '13.

[37]  Michael D. Ernst,et al.  Rely-guarantee references for refinement types over aliased mutable data , 2013, PLDI.

[38]  Xinyu Feng,et al.  Deny-Guarantee Reasoning , 2009, ESOP.

[39]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[40]  Juan Chen,et al.  Verifying higher-order programs with the dijkstra monad , 2013, PLDI.

[41]  Yuval Rabani,et al.  Linear Programming , 2007, Handbook of Approximation Algorithms and Metaheuristics.

[42]  Venanzio Capretta,et al.  A polymorphic representation of induction-recursion , 2004 .

[43]  Lars Birkedal,et al.  Impredicative Concurrent Abstract Predicates , 2014, ESOP.

[44]  Martín Abadi,et al.  Types for Safe Locking , 1999, ESOP.

[45]  Lars Birkedal,et al.  Modular Reasoning about Separation of Concurrent Data Structures , 2013, ESOP.

[46]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[47]  Maurice Herlihy,et al.  A Lazy Concurrent List-Based Set Algorithm , 2007, Parallel Process. Lett..

[48]  Philippa Gardner,et al.  CoLoSL: Concurrent Local Subjective Logic , 2015, ESOP.

[49]  Maurice Herlihy,et al.  Wait-free synchronization , 1991, TOPL.

[50]  Stephen N. Freund,et al.  Type-based race detection for Java , 2000, PLDI '00.

[51]  Ilya Sergey,et al.  Communicating State Transition Systems for Fine-Grained Concurrent Resources , 2014, ESOP.

[52]  Anton Setzer,et al.  Inductive-Inductive Definitions , 2010, CSL.

[53]  Patrick Maxim Rondon,et al.  Liquid types , 2008, PLDI '08.

[54]  Jonathan Aldrich,et al.  Rely-Guarantee Protocols , 2014, ECOOP.

[55]  Lars Birkedal,et al.  Ynot: dependent types for imperative programs , 2008, ICFP.

[56]  Ranjit Jhala,et al.  LiquidHaskell: experience with refinement types in the real world , 2014, Haskell.

[57]  Dominique Devriese,et al.  Shared boxes: rely-guarantee reasoning in VeriFast , 2014 .

[58]  Viktor Vafeiadis,et al.  Concurrent Abstract Predicates , 2010, ECOOP.

[59]  D. M. Hutton,et al.  The Art of Multiprocessor Programming , 2008 .

[60]  Maged M. Michael Hazard pointers: safe memory reclamation for lock-free objects , 2004, IEEE Transactions on Parallel and Distributed Systems.

[61]  Michael D. Ernst,et al.  Object and reference immutability using Java generics , 2007, ESEC-FSE '07.

[62]  Aleksandar Nanevski,et al.  Subjective auxiliary state for coarse-grained concurrency , 2013, POPL.

[63]  Edsger W. Dijkstra,et al.  Guarded commands, nondeterminacy and formal derivation of programs , 1975, Commun. ACM.

[64]  François Pottier,et al.  The essence of monotonic state , 2011, TLDI '11.

[65]  Ranjit Jhala,et al.  Low-level liquid types , 2010, POPL '10.

[66]  Ranjit Jhala,et al.  CSolve: Verifying C with Liquid Types , 2012, CAV.

[67]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[68]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[69]  Maurice Herlihy,et al.  Proving correctness of highly-concurrent linearisable objects , 2006, PPoPP '06.

[70]  Matthew J. Parkinson,et al.  Explicit Stabilisation for Modular Rely-Guarantee Reasoning , 2010, ESOP.

[71]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[72]  Philippa Gardner,et al.  TaDA: A Logic for Time and Data Abstraction , 2014, ECOOP.

[73]  Jonathan Aldrich,et al.  Composing Interfering Abstract Protocols , 2016, ECOOP.

[74]  Frank Pfenning,et al.  Refinement types for ML , 1991, PLDI '91.

[75]  Omer Subasi,et al.  Simplifying Linearizability Proofs with Reduction and Abstraction , 2010, TACAS.

[76]  Ronald L. Rivest,et al.  Introduction to Algorithms, third edition , 2009 .

[77]  Serdar Tasiran,et al.  A calculus of atomic actions , 2009, POPL '09.

[78]  Nir Shavit,et al.  A scalable lock-free stack algorithm , 2004, SPAA '04.

[79]  Richard J. Anderson,et al.  Wait-free parallel algorithms for the union-find problem , 1991, STOC '91.

[80]  Ranjit Jhala,et al.  Abstract Refinement Types , 2013, ESOP.

[81]  Xinyu Feng,et al.  Modular verification of linearizability with non-fixed linearization points , 2013, PLDI 2013.

[82]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[83]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[84]  Matthew J. Parkinson,et al.  Uniqueness and reference immutability for safe parallelism , 2012, OOPSLA '12.

[85]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.

[86]  Ranjit Jhala,et al.  Bounded refinement types , 2015, ICFP.

[87]  Hongseok Yang,et al.  Views: compositional reasoning for concurrent programs , 2013, POPL.