Linearizability with Ownership Transfer
Linearizability is a commonly accepted notion of correctness for libraries of
concurrent algorithms. Unfortunately, it assumes a complete isolation between a
library and its client, with interactions limited to passing values of a given
data type. This is inappropriate for common programming languages, where
libraries and their clients can communicate via the heap, transferring the
ownership of data structures, and can even run in a shared address space
without any memory protection. In this paper, we present the first definition
of linearizability that lifts this limitation and establish an Abstraction
Theorem: while proving a property of a client of a concurrent library, we can
soundly replace the library by its abstract implementation related to the
original one by our generalisation of linearizability. This allows abstracting
from the details of the library implementation while reasoning about the
client. We also prove that linearizability with ownership transfer can be
derived from the classical one if the library does not access some of the data
structures transferred to it by the client.
Concurrent Data Structures Linked in Time
Arguments about correctness of a concurrent data structure are typically
carried out by using the notion of linearizability and specifying the
linearization points of the data structure's procedures. Such arguments are
often cumbersome, as the linearization points' position in time can be dynamic
(depending on the interference, on run-time values, and on events from the past or
even the future), non-local (appearing in procedures other than the one
considered), or determined only after the considered procedure has already
terminated.
In this paper we propose a new method, based on a separation-style logic, for
reasoning about concurrent objects with such linearization points. We embrace
the dynamic nature of linearization points, and encode it as part of the data
structure's auxiliary state, so that it can be dynamically modified in place by
auxiliary code, as needed when some appropriate run-time event occurs. We name
the idea linking-in-time, because it reduces temporal reasoning to spatial
reasoning. For example, modifying a temporal position of a linearization point
can be modeled similarly to a pointer update in separation logic. Furthermore,
the auxiliary state provides a convenient way to concisely express the
properties essential for reasoning about clients of such concurrent objects. We
illustrate the method by verifying (mechanically in Coq) an intricate optimal
snapshot algorithm due to Jayanti, as well as some clients.
Putting Strong Linearizability in Context: Preserving Hyperproperties in Programs That Use Concurrent Objects
It has been observed that linearizability, the prevalent consistency condition for implementing concurrent objects, does not preserve some probability distributions. A stronger condition, called strong linearizability has been proposed, but its study has been somewhat ad-hoc. This paper investigates strong linearizability by casting it in the context of observational refinement of objects. We present a strengthening of observational refinement, which generalizes strong linearizability, obtaining several important implications.
When a concrete concurrent object refines another, more abstract object - often sequential - the correctness of a program employing the concrete object can be verified by considering its behaviors when using the more abstract object. This means that trace properties of a program using the concrete object can be proved by considering the program with the abstract object. This, however, does not hold for hyperproperties, including many security properties and probability distributions of events.
We define strong observational refinement, a strengthening of refinement that preserves hyperproperties, and prove that it is equivalent to the existence of forward simulations. We show that strong observational refinement generalizes strong linearizability. This implies that strong linearizability is also equivalent to forward simulation, and shows that strongly linearizable implementations can be composed both horizontally (i.e., locality) and vertically (i.e., with instantiation).
For situations where strongly linearizable implementations do not exist (or are less efficient), we argue that reasoning about hyperproperties of programs can be simplified by strong observational refinement of non-atomic abstract objects.
Defining and Verifying Durable Opacity: Correctness for Persistent Software Transactional Memory
Non-volatile memory (NVM), aka persistent memory, is a new paradigm for
memory that preserves its contents even after power loss. The expected ubiquity
of NVM has stimulated interest in the design of novel concepts ensuring
correctness of concurrent programming abstractions in the face of persistency.
So far, this has led to the design of a number of persistent concurrent data
structures, built to satisfy an associated notion of correctness: durable
linearizability.
In this paper, we transfer the principle of durable concurrent correctness to
the area of software transactional memory (STM). Software transactional memory
algorithms allow for concurrent access to shared state. Like linearizability
for concurrent data structures, opacity is the established notion of
correctness for STMs. First, we provide a novel definition of durable opacity
extending opacity to handle crashes and recovery in the context of NVM. Second,
we develop a durably opaque version of an existing STM algorithm, namely the
Transactional Mutex Lock (TML). Third, we design a proof technique for durable
opacity based on refinement between TML and an operational characterisation of
durable opacity by adapting the TMS2 specification. Finally, we apply this
proof technique to show that the durable version of TML is indeed durably
opaque. The correctness proof is mechanized within Isabelle.
Comment: This is the full version of the paper that is to appear in FORTE 2020
(https://www.discotec.org/2020/forte
Replication-Aware Linearizability
Geo-distributed systems often replicate data at multiple locations to achieve
availability and performance despite network partitions. These systems must
accept updates at any replica and propagate these updates asynchronously to
every other replica. Conflict-Free Replicated Data Types (CRDTs) provide a
principled approach to the problem of ensuring that replicas are eventually
consistent despite the asynchronous delivery of updates.
We address the problem of specifying and verifying CRDTs, introducing a new
correctness criterion called Replication-Aware Linearizability. This criterion
is inspired by linearizability, the de-facto correctness criterion for
(shared-memory) concurrent data structures. We argue that this criterion is
both simple to understand and fits most known implementations of CRDTs. We
provide a proof methodology to show that a CRDT satisfies replication-aware
linearizability, which we apply to a wide range of implementations. Finally, we
show that our criterion can be leveraged to reason modularly about the
composition of CRDTs.
Library abstraction for C/C++ concurrency
When constructing complex concurrent systems, abstraction is vital: programmers should be able to reason about concurrent libraries in terms of abstract specifications that hide the implementation details. Relaxed memory models present substantial challenges in this respect, as libraries need not provide sequentially consistent abstractions: to avoid unnecessary synchronisation, they may allow clients to observe relaxed memory effects, and library specifications must capture these. In this paper, we propose a criterion for sound library abstraction in the new C11 and C++11 concurrency model, generalising the standard sequentially consistent notion of linearizability. We prove that our criterion soundly captures all client-library interactions, both through call and return values, and through the subtle synchronisation effects arising from the memory model. To illustrate our approach, we verify implementations against specifications for the lock-free Treiber stack and a producer-consumer queue. Ours is the first approach to compositional reasoning for concurrent C11/C++11 programs.