5 research outputs found
Proving opacity of a pessimistic STM
Transactional Memory (TM) is a high-level programming abstraction for concurrency control that provides
programmers with the illusion of atomically executing blocks of code, called transactions. TMs come in
two categories, optimistic and pessimistic, where in the latter transactions never abort. While this simplifies
the programming model, high-performing pessimistic TMs can be complex.
In this paper, we present the first formal verification of a pessimistic software TM algorithm, namely,
an algorithm proposed by Matveev and Shavit. The correctness criterion used is opacity, formalising the
transactional atomicity guarantees. We prove that this pessimistic TM is a refinement of an intermediate
opaque I/O-automaton, known as TMS2. To this end, we develop a rely-guarantee approach for reducing
the complexity of the proof. Proofs are mechanised in the interactive prover Isabelle.
Defining and Verifying Durable Opacity: Correctness for Persistent Software Transactional Memory
Non-volatile memory (NVM), aka persistent memory, is a new paradigm for
memory that preserves its contents even after power loss. The expected ubiquity
of NVM has stimulated interest in the design of novel concepts ensuring
correctness of concurrent programming abstractions in the face of persistency.
So far, this has led to the design of a number of persistent concurrent data
structures, built to satisfy an associated notion of correctness: durable
linearizability.
In this paper, we transfer the principle of durable concurrent correctness to
the area of software transactional memory (STM). Software transactional memory
algorithms allow for concurrent access to shared state. Like linearizability
for concurrent data structures, opacity is the established notion of
correctness for STMs. First, we provide a novel definition of durable opacity
extending opacity to handle crashes and recovery in the context of NVM. Second,
we develop a durably opaque version of an existing STM algorithm, namely the
Transactional Mutex Lock (TML). Third, we design a proof technique for durable
opacity based on refinement between TML and an operational characterisation of
durable opacity by adapting the TMS2 specification. Finally, we apply this
proof technique to show that the durable version of TML is indeed durably
opaque. The correctness proof is mechanized within Isabelle.
Comment: This is the full version of the paper that is to appear in FORTE 2020
(https://www.discotec.org/2020/forte
Formalizing Determinacy of Concurrent Revisions
Concurrent revisions is a concurrency control model designed to guarantee
determinacy, meaning that the outcomes of programs are uniquely determined.
This paper describes an Isabelle/HOL formalization of the model's operational
semantics and proof of determinacy. We discuss and resolve subtle ambiguities
in the operational semantics and simplify the proof of determinacy. Although
our findings do not appear to correspond to bugs in implementations, the
formalization highlights some of the challenges involved in the design and
verification of concurrency control models.
Comment: To appear in: Proceedings of the 9th ACM SIGPLAN International
Conference on Certified Programs and Proofs (CPP '20), January 20--21, 2020,
New Orleans, LA, USA. ACM, New York, NY, US
Verifying correctness of persistent concurrent data structures: a sound and complete method
Non-volatile memory (NVM), aka persistent memory, is a new memory paradigm that preserves its contents even after power loss. The expected ubiquity of NVM has stimulated interest in the design of persistent concurrent data structures, together with associated notions of correctness. In this paper, we present a formal proof technique for durable linearizability, which is a correctness criterion that extends linearizability to handle crashes and recovery in the context of NVM. Our proofs are based on refinement of Input/Output automata (IOA) representations of concurrent data structures. To this end, we develop a generic procedure for transforming any standard sequential data structure into a durable specification and prove that this transformation is both sound and complete. Since the durable specification only exhibits durably linearizable behaviours, it serves as the abstract specification in our refinement proof. We exemplify our technique on a recently proposed persistent-memory queue that builds on Michael and Scott’s lock-free queue. To support the proofs, we describe an automated translation procedure from code to IOA and a thread-local proof technique for verifying correctness of invariants.