2,030 research outputs found
Proving opacity of a pessimistic STM
Transactional Memory (TM) is a high-level programming abstraction for concurrency control that provides
programmers with the illusion of atomically executing blocks of code, called transactions. TMs come in
two categories, optimistic and pessimistic, where in the latter transactions never abort. While this simplifies
the programming model, high-performing pessimistic TMs can complex.
In this paper, we present the first formal verification of a pessimistic software TM algorithm, namely,
an algorithm proposed by Matveev and Shavit. The correctness criterion used is opacity, formalising the
transactional atomicity guarantees. We prove that this pessimistic TM is a refinement of an intermediate
opaque I/O-automaton, known as TMS2. To this end, we develop a rely-guarantee approach for reducing
the complexity of the proof. Proofs are mechanised in the interactive prover Isabelle
Correctness and Progress Verification of Non-Blocking Programs
The progression of multi-core processors has inspired the development of concurrency libraries that guarantee safety and liveness properties of multiprocessor applications. The difficulty of reasoning about safety and liveness properties in a concurrent environment has led to the development of tools to verify that a concurrent data structure meets a correctness condition or progress guarantee. However, these tools possess shortcomings regarding the ability to verify a composition of data structure operations. Additionally, verification techniques for transactional memory evaluate correctness based on low-level read/write histories, which is not applicable to transactional data structures that use a high-level semantic conflict detection. In my dissertation, I present tools for checking the correctness of multiprocessor programs that overcome the limitations of previous correctness verification techniques. Correctness Condition Specification (CCSpec) is the first tool that automatically checks the correctness of a composition of concurrent multi-container operations performed in a non-atomic manner. Transactional Correctness tool for Abstract Data Types (TxC-ADT) is the first tool that can check the correctness of transactional data structures. TxC-ADT elevates the standard definitions of transactional correctness to be in terms of an abstract data type, an essential aspect for checking correctness of transactions that synchronize only for high-level semantic conflicts. Many practical concurrent data structures, transactional data structures, and algorithms to facilitate non-blocking programming all incorporate helping schemes to ensure that an operation comprising multiple atomic steps is completed according to the progress guarantee. The helping scheme introduces additional interference by the active threads in the system to achieve the designed progress guarantee. Previous progress verification techniques do not accommodate loops whose termination is dependent on complex behaviors of the interfering threads, making these approaches unsuitable. My dissertation presents the first progress verification technique for non-blocking algorithms that are dependent on descriptor-based helping mechanisms
Model checking transactional memories
Model checking transactional memories (TMs) is difficult because of the unbounded number, length, and delay of concurrent transactions, as well as the unbounded size of the memory. We show that, under certain conditions satisfied by most TMs we know of, the model checking problem can be reduced to a finite-state problem, and we illustrate the use of the method by proving the correctness of several TMs, including two-phase locking, DSTM, and TL2. The safety properties we consider include strict serializability and opacity; the liveness properties include obstruction freedom, livelock freedom, and wait freedom. Our main contribution lies in the structure of the proofs, which are largely automated and not restricted to the TMs mentioned above. In a first step we show that every TM that enjoys certain structural properties either violates a requirement on some program with two threads and two shared variables, or satisfies the requirement on all programs. In the second step, we use a model checker to prove the requirement for the TM applied to a most general program with two threads and two variables. In the safety case, the model checker checks language inclusion between two finite-state transition systems, a nondeterministic transition system representing the given TM applied to a most general program, and a deterministic transition system representing a most liberal safe TM applied to the same program. The given TM transition system is nondeterministic because a TM can be used with different contention managers, which resolve conflicts differently. In the liveness case, the model checker analyzes fairness conditions on the given TM transition syste
C4: Verified Transactional Objects
A framework for Verified Transactional Objects in Coq.
- Formalization of concurrent objects, linearizability, strict
serializability, and associated proof techniques.
- Verified linearizable concurrent hash map
- Verified strictly serializable TML
- Verified strictly serializable transaction-predicated ma
Safety of Deferred Update in Transactional Memory
Transactional memory allows the user to declare sequences of instructions as
speculative \emph{transactions} that can either \emph{commit} or \emph{abort}.
If a transaction commits, it appears to be executed sequentially, so that the
committed transactions constitute a correct sequential execution. If a
transaction aborts, none of its instructions can affect other transactions.
The popular criterion of \emph{opacity} requires that the views of aborted
transactions must also be consistent with the global sequential order
constituted by committed ones. This is believed to be important, since
inconsistencies observed by an aborted transaction may cause a fatal
irrecoverable error or waste of the system in an infinite loop. Intuitively, an
opaque implementation must ensure that no intermediate view a transaction
obtains before it commits or aborts can be affected by a transaction that has
not started committing yet, so called \emph{deferred-update} semantics.
In this paper, we intend to grasp this intuition formally. We propose a
variant of opacity that explicitly requires the sequential order to respect the
deferred-update semantics. We show that our criterion is a safety property,
i.e., it is prefix- and limit-closed. Unlike opacity, our property also ensures
that a serialization of a history implies serializations of its prefixes.
Finally, we show that our property is equivalent to opacity if we assume that
no two transactions commit identical values on the same variable, and present a
counter-example for scenarios when the "unique-write" assumption does not hold
A Concurrent Perspective on Smart Contracts
In this paper, we explore remarkable similarities between multi-transactional
behaviors of smart contracts in cryptocurrencies such as Ethereum and classical
problems of shared-memory concurrency. We examine two real-world examples from
the Ethereum blockchain and analyzing how they are vulnerable to bugs that are
closely reminiscent to those that often occur in traditional concurrent
programs. We then elaborate on the relation between observable contract
behaviors and well-studied concurrency topics, such as atomicity, interference,
synchronization, and resource ownership. The described
contracts-as-concurrent-objects analogy provides deeper understanding of
potential threats for smart contracts, indicate better engineering practices,
and enable applications of existing state-of-the-art formal verification
techniques.Comment: 15 page
- …