Verifying concurrent software using movers in CSPEC

Writing concurrent systems software is error-prone, because multiple processes or threads can interleave in many ways, and it is easy to forget about a subtle corner case. This paper introduces CSPEC, a framework for formal verification of concurrent software, which ensures that no corner cases are missed. The key challenge is to reduce the number of interleavings that developers must consider. CSPEC uses mover types to re-order commutative operations so that usually it’s enough to reason about only sequential executions rather than all possible interleavings. CSPEC also makes proofs easier by making them modular using layers, and by providing a library of reusable proof patterns. To evaluate CSPEC, we implemented and proved the correctness of CMAIL, a simple concurrent Maildir-like mail server that speaks SMTP and POP3. The results demonstrate that CSPEC’s movers and patterns allow reasoning about sophisticated concurrency styles in CMAIL.
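To make the mover idea concrete, here is an added Python model (not code from the paper, CSPEC or CMAIL, which do this by proof in Coq rather than by enumeration): a Maildir-style delivery is split into a private write, a link into the shared mailbox and a cleanup, and the code checks exhaustively which steps commute with every other thread's step and whether each interleaving of two deliveries and one pickup is equivalent to some run in which whole procedures execute one after another. The thread names, paths and step set are constructed assumptions.

```python
import itertools
# Added example, not CSPEC or CMAIL code: a toy Maildir-style delivery split
# into three steps plus a one-step reader. A step is (state, tid) -> output,
# state is a dict path -> contents, and a step that cannot run raises KeyError.
def write_tmp(state, tid):   # writes a file private to this delivery
    state[f"tmp/{tid}"] = f"msg-{tid}"
def link(state, tid):        # publishes that file into the shared mailbox
    state[f"mail/{tid}"] = state[f"tmp/{tid}"]
def unlink_tmp(state, tid):  # removes the private file again
    del state[f"tmp/{tid}"]
def pickup(state, tid):      # reader: observes the mailbox contents
    return tuple(sorted(p for p in state if p.startswith("mail/")))

THREADS = {"d1": [write_tmp, link, unlink_tmp],
           "d2": [write_tmp, link, unlink_tmp], "p": [pickup]}

def execute(state, ops):
    """Apply (tid, step) pairs in order to a copy of state; None if one is disabled."""
    s, outs = dict(state), {}
    try:
        for tid, step in ops: outs[tid] = step(s, tid)
    except KeyError:
        return None
    return s, outs

def ops_of(schedule):
    """Map a sequence of thread ids to (tid, that thread's next step) pairs."""
    pc, ops = {t: 0 for t in THREADS}, []
    for tid in schedule:
        ops.append((tid, THREADS[tid][pc[tid]])); pc[tid] += 1
    return ops
def interleavings():
    return set(itertools.permutations([t for t in THREADS for _ in THREADS[t]]))
def reduces_to_sequential():
    """Lipton-style reduction: every interleaving matches some sequential run."""
    obs = lambda s, outs: (frozenset(p for p in s if p.startswith("mail/")), outs.get("p"))
    seq = {obs(*execute({}, ops_of([t for t in o for _ in THREADS[t]])))
           for o in itertools.permutations(THREADS)}
    return all(obs(*execute({}, ops_of(s))) in seq for s in interleavings())

def is_both_mover(step):
    """Does d1's step commute with each other thread's step in every reachable state?"""
    reach = [execute({}, ops_of(s[:n]))[0] for s in interleavings() for n in range(len(s) + 1)]
    others = [(t, f) for t in THREADS if t != "d1" for f in THREADS[t]]
    for st in reach:
        for tid, other in others:
            ab = execute(st, [("d1", step), (tid, other)])
            ba = execute(st, [(tid, other), ("d1", step)])
            if (ab is None) != (ba is None) or (ab is not None and ab != ba):
                return False
    return True
```

Running it shows that `write_tmp` and `unlink_tmp` are both-movers while `link` is not, and that all 140 interleavings reduce to one of the sequential runs, which is why a proof only needs to consider the non-mover as the atomic step.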