Verifying Concurrent Memory Reclamation Algorithms with Grace

Memory management is one of the most complex aspects of modern concurrent algorithms, and various techniques proposed for it--such as hazard pointers, read-copy-update and epoch-based reclamation--have proved very challenging for formal reasoning. In this paper, we show that different memory reclamation techniques actually rely on the same implicit synchronisation pattern, not clearly reflected in the code, but only in the form of assertions used to argue its correctness. The pattern is based on the key concept of a grace period, during which a thread can access certain shared memory cells without fear that they get deallocated. We propose a modular reasoning method, motivated by the pattern, that handles all three of the above memory reclamation techniques in a uniform way. By explicating their fundamental core, our method achieves clean and simple proofs, scaling even to realistic implementations of the algorithms without a significant increase in proof complexity. We formalise the method using a combination of separation logic and temporal logic and use it to verify example instantiations of the three approaches to memory reclamation.

[1]  Xinyu Feng,et al.  On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning , 2007, ESOP.

[2]  Maged M. Michael Hazard pointers: safe memory reclamation for lock-free objects , 2004, IEEE Transactions on Parallel and Distributed Systems.

[3]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[4]  Peter W. O'Hearn,et al.  Modular verification of a non-blocking stack , 2007, POPL '07.

[5]  Yu Zhang,et al.  Reasoning about Optimistic Concurrency Using a Program Logic for History , 2010, CONCUR.

[6]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[7]  Viktor Vafeiadis Concurrent Separation Logic and Operational Semantics , 2011, MFPS.

[8]  Antonio Cerone,et al.  Theoretical Aspects of Computing (ICTAC 2011) , 2014, Theor. Comput. Sci..

[9]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[10]  Keir Fraser,et al.  Practical lock-freedom , 2003 .

[11]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[12]  Viktor Vafeiadis,et al.  Modular fine-grained concurrency verification , 2008 .

[13]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[14]  Maurice Herlihy,et al.  The Repeat Offender Problem: A Mechanism for Supporting Dynamic-Sized, Lock-Free Data Structures , 2002, DISC.

[15]  Peter W. O'Hearn,et al.  Resources, Concurrency and Local Reasoning , 2004, CONCUR.

[16]  Amir Pnueli,et al.  In Transition From Global to Modular Temporal Reasoning about Programs , 1989, Logics and Models of Concurrent Systems.

[17]  Serdar Tasiran,et al.  A calculus of atomic actions , 2009, POPL '09.

[18]  Paul Gastin,et al.  CONCUR 2010 - Concurrency Theory, 21th International Conference, CONCUR 2010, Paris, France, August 31-September 3, 2010. Proceedings , 2010, CONCUR.

[19]  Jonathan Walpole,et al.  Exploiting deferred destruction: an analysis of read-copy-update techniques in operating system kernels , 2004 .

[20]  Wolfgang Reif,et al.  Formal Verification of a Lock-Free Stack with Hazard Pointers , 2011, ICTAC.