Modular fine-grained concurrency verification

Traditionally, concurrent data structures are protected by a single mutual exclusion lock so that only one thread may access the data structure at any time. This coarse-grained approach makes it relatively easy to reason about correctness, but it severely limits parallelism. More advanced algorithms instead perform synchronisation at a finer grain. They employ sophisticated synchronisation schemes (both blocking and non-blocking) and are usually written in low-level languages such as C. This dissertation addresses the formal verification of such algorithms. It proposes techniques that are modular (and hence scalable), easy for programmers to use, and yet powerful enough to verify complex algorithms. In doing so, it makes two theoretical and two practical contributions to reasoning about fine-grained concurrency. First, building on rely/guarantee reasoning and separation logic, it develops a new logic, RGSep, that subsumes these two logics and enables simple, modular proofs of finegrained concurrent algorithms that use complex dynamically allocated data structures and may explicitly deallocate memory. RGSep allows for ownership-based reasoning and ownership transfer between threads, while maintaining the expressiveness of binary relations to describe inter-thread interference. Second, it describes techniques for proving linearisability, the standard correctness condition for fine-grained concurrent algorithms. The main proof technique is to introduce auxiliary single-assignment variables to capture the linearisation point and to inline the abstract effect of the program at that point as auxiliary code. Third, it demonstrates this approach by proving linearisability of a collection of concurrent list and stack algorithms, as well as providing the first correctness proofs of the RDCSS and MCAS implementations of Harris et al. Finally, it describes a prototype safety checker, SmallfootRG, for fine-grained concurrent programs that is based on RGSep. SmallfootRG proves simple safety properties for a number of list and stack algorithms and verifies the absence of memory leaks.

[1]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[2]  Martín Abadi,et al.  The existence of refinement mappings , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[3]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[4]  Alexey Gotsman,et al.  Local Reasoning for Storable Locks and Threads , 2007, APLAS.

[5]  Leslie Lamport,et al.  The temporal logic of actions , 1994, TOPL.

[6]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[7]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[8]  Wolfram Schulte,et al.  Verification of Multithreaded Object-Oriented Programs with Invariants , 2004 .

[9]  C Sterling,et al.  A compositional reformulation of Owicki-Grier's partial correctness logic for a concurrent while language , 1986 .

[10]  Mark Plesko,et al.  Optimizing memory transactions , 2006, PLDI '06.

[11]  Richard J. Lipton Reduction: a new method of proving properties of systems of processes , 1975, POPL '75.

[12]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[13]  Robert Colvin,et al.  Verifying Concurrent Data Structures by Simulation , 2005, Electron. Notes Theor. Comput. Sci..

[14]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[15]  Nir Shavit,et al.  Software transactional memory , 1995, PODC '95.

[16]  H. R. Simpson Four-slot fully asynchronous communication mechanism , 1990 .

[17]  Alan Bundy,et al.  Constructing Induction Rules for Deductive Synthesis Proofs , 2006, CLASE.

[18]  Gary L. Peterson,et al.  Myths About the Mutual Exclusion Problem , 1981, Inf. Process. Lett..

[19]  Thomas A. Henzinger,et al.  You Assume, We Guarantee: Methodology and Case Studies , 1998, CAV.

[20]  Richard Bornat,et al.  Variables as Resource in Hoare Logics , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).

[21]  Maurice Herlihy,et al.  Transactional Memory: Architectural Support For Lock-free Data Structures , 1993, Proceedings of the 20th Annual International Symposium on Computer Architecture.

[22]  Simon L. Peyton Jones,et al.  Composable memory transactions , 2005, CACM.

[23]  Glynn Winskel,et al.  Independence and Concurrent Separation Logic , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).

[24]  Thomas A. Henzinger,et al.  Decomposing refinement proofs using assume-guarantee reasoning , 2000, IEEE/ACM International Conference on Computer Aided Design. ICCAD - 2000. IEEE/ACM Digest of Technical Papers (Cat. No.00CH37140).

[25]  Maurice Herlihy,et al.  A Lazy Concurrent List-Based Set Algorithm , 2007, Parallel Process. Lett..

[26]  Keir Fraser,et al.  A Practical Multi-word Compare-and-Swap Operation , 2002, DISC.

[27]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[28]  Edward A. Ashcroft,et al.  Proving Assertions about Parallel Programs , 1975, J. Comput. Syst. Sci..

[29]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[30]  Jürgen Dingel,et al.  Computer-assisted assume/guarantee reasoning with VeriSoft , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[31]  Leonor Prensa Nieto The Rely-Guarantee Method in Isabelle/HOL , 2003, ESOP.

[32]  Mark Moir,et al.  Formal Verification of a Lazy Concurrent List-Based Set Algorithm , 2006, CAV.

[33]  Cormac Flanagan,et al.  A type and effect system for atomicity , 2003, PLDI.

[34]  A. Pnueli The Temporal Semantics of Concurrent Programs , 1979, Theor. Comput. Sci..

[35]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[36]  Maurice Herlihy,et al.  Proving correctness of highly-concurrent linearisable objects , 2006, PPoPP '06.

[37]  K. Mani Chandy,et al.  Proofs of Networks of Processes , 1981, IEEE Transactions on Software Engineering.

[38]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[39]  Maurice Herlihy,et al.  Obstruction-free synchronization: double-ended queues as an example , 2003, 23rd International Conference on Distributed Computing Systems, 2003. Proceedings..

[40]  Maurice Herlihy,et al.  Wait-free synchronization , 1991, TOPL.

[41]  Frank Piessens,et al.  A Statically Verifiable Programming Model for Concurrent Object-Oriented Programs , 2006, ICFEM.

[42]  Peter W. O'Hearn,et al.  The Logic of Bunched Implications , 1999, Bulletin of Symbolic Logic.

[43]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[44]  Frank Piessens,et al.  Safe concurrency for aggregate objects with invariants , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[45]  Cormac Flanagan,et al.  Types for atomicity , 2003, TLDI '03.

[46]  David R. Cheriton,et al.  Non-blocking synchronization and system design , 1999 .

[47]  Cliff B. Jones,et al.  A Structural Proof of the Soundness of Rely/guarantee Rules , 2007, J. Log. Comput..

[48]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[49]  Eran Yahav,et al.  Comparison Under Abstraction for Verifying Linearizability , 2007, CAV.

[50]  Hongseok Yang,et al.  Variables as Resource in Separation Logic , 2005, MFPS.

[51]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[52]  Mark Moir,et al.  Formal Verification of a Practical Lock-Free Queue Algorithm , 2004, FORTE.

[53]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[54]  Keir Fraser,et al.  Language support for lightweight transactions , 2003, SIGP.

[55]  Nir Shavit,et al.  A scalable lock-free stack algorithm , 2010, J. Parallel Distributed Comput..

[56]  K. Mani Chandy,et al.  Parallel program design - a foundation , 1988 .

[57]  Leslie Lamport,et al.  Reduction in TLA , 1998, CONCUR.

[58]  Carroll Morgan,et al.  The specification statement , 1988, TOPL.

[59]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[60]  Dan Grossman,et al.  Type-safe multithreading in cyclone , 2003, TLDI '03.

[61]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[62]  Peter W. O'Hearn,et al.  Modular verification of a non-blocking stack , 2007, POPL '07.

[63]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[64]  Robert DeLine,et al.  Adoption and focus: practical linear types for imperative programming , 2002, PLDI '02.

[65]  Martín Abadi,et al.  Conjoining specifications , 1995, TOPL.

[66]  Willem P. de Roever,et al.  The rely-guarantee method for verifying shared variable concurrent programs , 1997, Formal Aspects of Computing.

[67]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[68]  Colin Stirling A Compositional Reformulation of Owicki-Gries's Partial Correctness Logic for a Concurrent While Language , 1986, ICALP.

[69]  Stephen D. Brookes,et al.  Variables as Resource for Shared-Memory Programs: Semantics and Soundness , 2006, MFPS.

[70]  M. F.,et al.  Bibliography , 1985, Experimental Gerontology.

[71]  David Walker,et al.  Typed memory management in a calculus of capabilities , 1999, POPL '99.

[72]  Philippa Gardner,et al.  Local Reasoning About Tree Update , 2006, MFPS.

[73]  Matthew J. Parkinson,et al.  Local reasoning for Java , 2005 .

[74]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[75]  Leslie Lamport,et al.  A new solution of Dijkstra's concurrent programming problem , 1974, Commun. ACM.

[76]  Viktor Vafeiadis,et al.  Modular Safety Checking for Fine-Grained Concurrency , 2007, SAS.

[77]  Scott D. Stoller,et al.  Static analysis of atomicity for programs with non-blocking synchronization , 2005, PPoPP.

[78]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.