Refinement Verification of Concurrent Programs and Its Applications

Many verification problems can be reduced to refinement verification, i.e., proving that a concrete program has no more behaviors than a more abstract program. This dissertation explores the applications of refinement verification of concurrent programs, and proposes compositional verification techniques that support these applications. It makes several contributions to understanding and verifying concurrent program refinement. First, it shows a Rely-Guarantee-based Simulation (RGSim) as a general proof technique for concurrent program refinement. The novel simulation relation is parameterized with the interference between threads and their parallel environments. It is compositional and supports modular verification. RGSim can incorporate the assumptions about environments made by specific refinement applications, thus is flexible and practical. We apply RGSim to reason about optimizations in parallel contexts. We also reduce the verification of concurrent garbage collectors (GCs) to refinement verification, and propose a general GC verification framework based on RGSim. Using the framework, we verify the Boehm et al. concurrent mark-sweep GC algorithm. Second, it shows a Hoare-style program logic for modular and effective verification of linearizability of concurrent objects, which is an important application of concurrent program refinement verification. Our logic with a lightweight instrumentation mechanism supports objects with non-fixed linearization points (LPs), including the most challenging ones that use the helping mechanism to achieve lock-freedom (as in HSY elimination-based stack), or have LPs depending on unpredictable future executions (as in the lazy set algorithm), or involve both features (as in the RDCSS algorithm). We generalize RGSim with the support for non-fixed LPs as the meta-theory of our logic, and show it implies a contextual refinement which is equivalent to linearizability. Using our logic we successfully verify 12 wellknown algorithms, two of which are used in the java.util.concurrent package. Finally, it shows a unified framework that characterizes the full correctness (i.e., linearizability and progress properties) of concurrent objects via contextual

[1]  Aaron Turon,et al.  A separation logic for refining concurrent objects , 2011, POPL '11.

[2]  Michael Norrish,et al.  seL4: formal verification of an operating-system kernel , 2010, Commun. ACM.

[3]  Nobuko Yoshida,et al.  Intensional and Extensional Characterisation of Global Progress in the π-Calculus , 2012, CONCUR.

[4]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[5]  Timothy L. Harris,et al.  A Pragmatic Implementation of Non-blocking Linked-Lists , 2001, DISC.

[6]  Mark Moir,et al.  Formal Verification of a Lazy Concurrent List-Based Set Algorithm , 2006, CAV.

[7]  Scott Shenker,et al.  Mostly parallel garbage collection , 1991, PLDI '91.

[8]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[9]  Maurice Herlihy,et al.  The art of multiprocessor programming , 2020, PODC '06.

[10]  Peter W. O'Hearn,et al.  Resources, Concurrency, and Local Reasoning (Abstract) , 2004, ESOP.

[11]  Nir Shavit,et al.  Transactional Locking II , 2006, DISC.

[12]  Hugo Herbelin,et al.  The Coq proof assistant : reference manual, version 6.1 , 1997 .

[13]  Maurice Herlihy,et al.  A Lazy Concurrent List-Based Set Algorithm , 2005, OPODIS.

[14]  Mitchell Wand,et al.  Compiler Correctness for Concurrent Languages , 1996, COORDINATION.

[15]  Leslie Lamport,et al.  A new solution of Dijkstra's concurrent programming problem , 1974, Commun. ACM.

[16]  Uday S. Reddy,et al.  Fine-grained Concurrency with Separation Logic , 2011, J. Philos. Log..

[17]  Viktor Vafeiadis Automatically Proving Linearizability , 2010, CAV.

[18]  Martín Abadi,et al.  A model of cooperative threads , 2009, POPL '09.

[19]  Hans-Juergen Boehm,et al.  HP Laboratories , 2006 .

[20]  Erez Petrank,et al.  Progress guarantee for parallel programs via bounded lock-freedom , 2009, PLDI '09.

[21]  Viktor Vafeiadis,et al.  Modular fine-grained concurrency verification , 2008 .

[22]  Serdar Tasiran,et al.  Back and Forth: Prophecy Variables for Static Verification of Concurrent Programs , 2009 .

[23]  Nancy A. Lynch,et al.  Forward and Backward Simulations, II: Timing-Based Systems , 1996, Inf. Comput..

[24]  Xinyu Feng,et al.  Characterizing Progress Properties of Concurrent Objects via Contextual Refinements , 2013, CONCUR.

[25]  Keir Fraser,et al.  A Practical Multi-word Compare-and-Swap Operation , 2002, DISC.

[26]  Eran Yahav,et al.  Verifying linearizability with hindsight , 2010, PODC.

[27]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[28]  Sebastian Burckhardt,et al.  Verifying Local Transformations on Relaxed Memory Models , 2010, CC.

[29]  Mark Moir,et al.  Formal Verification of a Practical Lock-Free Queue Algorithm , 2004, FORTE.

[30]  Andreas Lochbihler,et al.  Verifying a Compiler for Java Threads , 2010, ESOP.

[31]  Hongseok Yang,et al.  Relational separation logic , 2007, Theor. Comput. Sci..

[32]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[33]  Nancy A. Lynch,et al.  Forward and Backward Simulations: I. Untimed Systems , 1995, Inf. Comput..

[34]  Maurice Herlihy,et al.  Wait-free data structures in the asynchronous PRAM model , 1990, SPAA '90.

[35]  Maurice Herlihy,et al.  On the Nature of Progress , 2011, OPODIS.

[36]  Maged M. Michael,et al.  High performance dynamic lock-free hash tables and list-based sets , 2002, SPAA '02.

[37]  John Derrick,et al.  Mechanically verified proof obligations for linearizability , 2011, TOPL.

[38]  Maurice Herlihy,et al.  Obstruction-free synchronization: double-ended queues as an example , 2003, 23rd International Conference on Distributed Computing Systems, 2003. Proceedings..

[39]  Maurice Herlihy,et al.  Wait-free synchronization , 1991, TOPL.

[40]  Nir Shavit,et al.  A scalable lock-free stack algorithm , 2010, J. Parallel Distributed Comput..

[41]  Long Li,et al.  A general framework for certifying garbage collectors and their mutators , 2007, PLDI '07.

[42]  Xinyu Feng,et al.  Modular verification of linearizability with non-fixed linearization points , 2013, PLDI 2013.

[43]  John Derrick,et al.  Verifying Linearisability with Potential Linearisation Points , 2011, FM.

[44]  Yanhong A. Liu,et al.  Model Checking Linearizability via Refinement , 2009, FM.

[45]  Mitchell Wand,et al.  Compiler correctness for parallel languages , 1995, FPCA '95.

[46]  Eran Yahav,et al.  Correctness-preserving derivation of concurrent garbage collection algorithms , 2006, PLDI '06.

[47]  Peter W. O'Hearn,et al.  Abstraction for concurrent objects , 2009, Theor. Comput. Sci..

[48]  Xinyu Feng Local rely-guarantee reasoning , 2009, POPL '09.

[49]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[50]  Stephen D. Brookes Full Abstraction for a Shared-Variable Parallel Language , 1996, Inf. Comput..

[51]  Omer Subasi,et al.  Simplifying Linearizability Proofs with Reduction and Abstraction , 2010, TACAS.

[52]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[53]  Eran Yahav,et al.  Comparison Under Abstraction for Verifying Linearizability , 2007, CAV.

[54]  Lars Birkedal,et al.  Unifying refinement and hoare-style reasoning in a logic for higher-order concurrency , 2013, ICFP.

[55]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.

[56]  Chung-Kil Hur,et al.  A kripke logical relation between ML and assembly , 2011, POPL '11.

[57]  Lars Birkedal,et al.  Logical relations for fine-grained concurrency , 2013, POPL.

[58]  Hongseok Yang,et al.  Liveness-Preserving Atomicity Abstraction , 2011, ICALP.

[59]  C. A. R. Hoare,et al.  Data Refinement Refined , 1986, ESOP.

[60]  Martín Abadi,et al.  The Existence of Refinement Mappings , 1988, LICS.

[61]  Eran Yahav,et al.  Experience with Model Checking Linearizability , 2009, SPIN.

[62]  Erez Petrank,et al.  A parallel, incremental, mostly concurrent garbage collector for servers , 2005, TOPL.

[63]  Brijesh Dongol Formalising Progress Properties of Non-blocking Programs , 2006, ICFEM.

[64]  Xinyu Feng,et al.  Rely-Guarantee-Based Simulation for Compositional Verification of Concurrent Program Transformations , 2014, ACM Trans. Program. Lang. Syst..

[65]  Hans-Juergen Boehm,et al.  Foundations of the C++ concurrency memory model , 2008, PLDI '08.

[66]  Hongseok Yang,et al.  Linearizability with Ownership Transfer , 2012, CONCUR.

[67]  Suresh Jagannathan,et al.  Relaxed-memory concurrency and verified compilation , 2011, POPL '11.

[68]  Viktor Vafeiadis Concurrent Separation Logic and Operational Semantics , 2011, MFPS.

[69]  Xinyu Feng,et al.  A rely-guarantee-based simulation for verifying concurrent program transformations , 2012, POPL '12.

[70]  John Derrick,et al.  How to Prove Algorithms Linearisable , 2012, CAV.

[71]  Dusko Pavlovic,et al.  Formal Derivation of Concurrent Garbage Collectors , 2010, MPC.

[72]  Maged M. Michael,et al.  Simple, fast, and practical non-blocking and blocking concurrent queue algorithms , 1996, PODC '96.

[73]  Richard Bornat,et al.  Variables as Resource in Hoare Logics , 2006, 21st Annual IEEE Symposium on Logic in Computer Science (LICS'06).