171 research outputs found
Hoare-style Specifications as Correctness Conditions for Non-linearizable Concurrent Objects
Designing scalable concurrent objects, which can be efficiently used on
multicore processors, often requires one to abandon standard specification
techniques, such as linearizability, in favor of more relaxed consistency
requirements. However, the variety of alternative correctness conditions makes
it difficult to choose which one to employ in a particular case, and to compose
them when using objects whose behaviors are specified via different criteria.
The lack of syntactic verification methods for most of these criteria poses
challenges in their systematic adoption and application.
In this paper, we argue for using Hoare-style program logics as an
alternative and uniform approach for specification and compositional formal
verification of safety properties for concurrent objects and their client
programs. Through a series of case studies, we demonstrate how an existing
program logic for concurrency can be employed off-the-shelf to capture
important state and history invariants, allowing one to explicitly quantify
over interference of environment threads and provide intuitive and expressive
Hoare-style specifications for several non-linearizable concurrent objects that
were previously specified only via dedicated correctness criteria. We
illustrate the adequacy of our specifications by verifying a number of
concurrent client scenarios, that make use of the previously specified
concurrent objects, capturing the essence of such correctness conditions as
concurrency-aware linearizability, quiescent, and quantitative quiescent
consistency. All examples described in this paper are verified mechanically in
Coq.Comment: 18 page
Visibility and Separability for a Declarative Linearizability Proof of the Timestamped Stack
Linearizability is a standard correctness criterion for concurrent algorithms, typically proved by establishing the algorithms\u27 linearization points (LP). However, LPs often hinder abstraction, and for some algorithms such as the timestamped stack, it is unclear how to even identify their LPs. In this paper, we show how to develop declarative proofs of linearizability by foregoing LPs and instead employing axiomatization of so-called visibility relations. While visibility relations have been considered before for the timestamped stack, our study is the first to show how to derive the axiomatization systematically and intuitively from the sequential specification of the stack. In addition to the visibility relation, a novel separability relation emerges to generalize real-time precedence of procedure invocation. The visibility and separability relations have natural definitions for the timestamped stack, and enable a novel proof that reduces the algorithm to a simplified form where the timestamps are generated atomically
Visibility and Separability for a Declarative Linearizability Proof of the Timestamped Stack: Extended Version
Linearizability is a standard correctness criterion for concurrent
algorithms, typically proved by establishing the algorithms' linearization
points (LP). However, LPs often hinder abstraction, and for some algorithms
such as the timestamped stack, it is unclear how to even identify their LPs. In
this paper, we show how to develop declarative proofs of linearizability by
foregoing LPs and instead employing axiomatization of so-called visibility
relations. While visibility relations have been considered before for the
timestamped stack, our study is the first to show how to derive the
axiomatization systematically and intuitively from the sequential specification
of the stack. In addition to the visibility relation, a novel separability
relation emerges to generalize real-time precedence of procedure invocation.
The visibility and separability relations have natural definitions for the
timestamped stack, and enable a novel proof that reduces the algorithm to a
simplified form where the timestamps are generated atomically.Comment: Changed notation in all the proofs in the appendices so that the
notation matches the one used in the main bod
Concurrent Data Structures Linked in Time
Arguments about correctness of a concurrent data structure are typically
carried out by using the notion of linearizability and specifying the
linearization points of the data structure's procedures. Such arguments are
often cumbersome as the linearization points' position in time can be dynamic
(depend on the interference, run-time values and events from the past, or even
future), non-local (appear in procedures other than the one considered), and
whose position in the execution trace may only be determined after the
considered procedure has already terminated.
In this paper we propose a new method, based on a separation-style logic, for
reasoning about concurrent objects with such linearization points. We embrace
the dynamic nature of linearization points, and encode it as part of the data
structure's auxiliary state, so that it can be dynamically modified in place by
auxiliary code, as needed when some appropriate run-time event occurs. We name
the idea linking-in-time, because it reduces temporal reasoning to spatial
reasoning. For example, modifying a temporal position of a linearization point
can be modeled similarly to a pointer update in separation logic. Furthermore,
the auxiliary state provides a convenient way to concisely express the
properties essential for reasoning about clients of such concurrent objects. We
illustrate the method by verifying (mechanically in Coq) an intricate optimal
snapshot algorithm due to Jayanti, as well as some clients
Concurrent Data Structures Linked in Time (Artifact)
This artifact provides the full mechanization in FCSL of the
developments in the companion paper, "Concurrent Data Structures
Linked in Time". In the latter, we propose a new method, based on a
separation-style logic, for reasoning about concurrent objects with
such linearization points. We embrace the dynamic nature of
linearization points, and encode it as part of the data structure\u27s
auxiliary state, so that it can be dynamically modified in
place by auxiliary code, as needed when some appropriate run-time
event occurs. We illustrate the method by verifying (mechanically in
FCSL) an intricate optimal snapshot algorithm due to Jayanti, as well
as some clients.
FCSL is the first completely formalized framework for mechanized
verification of full functional correctness of fine-grained concurrent
programs. It is implemented as an embedded domain-specific language
(DSL) in the dependently-typed language of the Coq proof assistant,
and is powerful enough to reason about programming features such as
higher-order functions and local thread spawning. By incorporating a
uniform concurrency model, based on state-transition systems and
partial commutative monoids, FCSL makes it possible to build proofs
about concurrent libraries in a thread-local, compositional way, thus
facilitating scalability and reuse: libraries are verified just once,
and their specifications are used ubiquitously in client-side
reasoning
From dynamic binding to state via modal possibility
In this paper we propose a typed, purely functional calculus for state (with second-class locations) in which types reflect the dichotomy between reading from and writing into the global store. This is in contrast to the usual formulation of state via monads, where the primitives for reading and writing introduce the same monadic type constructor. We hope to argue that making this distinction is useful, simple, and has strong logical foundations. Our type system is based on the proof-term calculus for constructive modal logic S4, which has two modal type operators: for neces-sity and 3 for possibility. We extend this calculus with the notion of names (which stand for locations) and generalize to indexed fami-lies of modal operators (indexed by sets of names). Then, the modal type CA classifies computations of type A which read from store locations listed in the set C. The dual type 3CA classifies compu-tations which first write into the locations from C and than use the changed store to obtain a value of type A. There are several benefits to this development. First, the necessita-tion fragment of the language is interesting in its own: it formulates a calculus of dynamic binding. Second, the possibility operator 3 is a monad, thus forcing the single-threading of memory writes, but not of memory reads (as these are associated with ). Finally, the different status of reads and writes gives rise to a natural way of expressing the allocation of uninitialized memory while also pro-viding guarantees that only initialized locations are dereferenced
Concurrent Data Structures Linked in Time (Artifact)
This artifact provides the full mechanization in FCSL of the developments in the companion paper, "Concurrent Data Structures Linked in Time". In the latter, we propose a new method, based on a separation-style logic, for reasoning about concurrent objects with such linearization points. We embrace the dynamic nature of linearization points, and encode it as part of the data structure's auxiliary state, so that it can be dynamically modified in place by auxiliary code, as needed when some appropriate run-time event occurs. We illustrate the method by verifying (mechanically in FCSL) an intricate optimal snapshot algorithm due to Jayanti, as well as some clients. FCSL is the first completely formalized framework for mechanized verification of full functional correctness of fine-grained concurrent programs. It is implemented as an embedded domain-specific language (DSL) in the dependently-typed language of the Coq proof assistant, and is powerful enough to reason about programming features such as higher-order functions and local thread spawning. By incorporating a uniform concurrency model, based on state-transition systems and partial commutative monoids, FCSL makes it possible to build proofs about concurrent libraries in a thread-local, compositional way, thus facilitating scalability and reuse: libraries are verified just once, and their specifications are used ubiquitously in client-side reasoning
- …