## Shape-value abstraction for verifying linearizability (2008)

### Cached

### Download Links

- [www.research.microsoft.com]
- [research.microsoft.com]
- [www.cl.cam.ac.uk]
- [www.cl.cam.ac.uk]
- [www.mpi-sws.org]
- DBLP

### Other Repositories/Bibliography

Citations: | 24 - 3 self |

### BibTeX

@TECHREPORT{Vafeiadis08shape-valueabstraction,

author = {Viktor Vafeiadis},

title = {Shape-value abstraction for verifying linearizability},

institution = {},

year = {2008}

}

### OpenURL

### Abstract

Abstract. This paper presents a novel abstraction for heap-allocated data structures that keeps track of both their shape and their contents. By combining this abstraction with thread-local analysis and relyguarantee reasoning, we can verify a collection of fine-grained blocking and non-blocking concurrent algorithms for an arbitrary (unbounded) number of threads. We prove that these algorithms are linearizable, namely equivalent (modulo termination) to their sequential counterparts. 1

### Citations

927 | Linearizability: A correctness condition for concurrent objects
- Herlihy, Wing
- 1990
(Show Context)
Citation Context ...or an arbitrary (unbounded) number of threads. We prove that these algorithms are linearizable, namely equivalent (modulo termination) to their sequential counterparts. 1 Introduction Linearizability =-=[1]-=- is the standard correctness criterion for high-performance libraries of concurrent data structures, such as java.util.concurrent and Intel’s TBB (thread building blocks). Linearizability is a safety ... |

713 | Separation logic: A logic for shared mutable data structures
- Reynolds
- 2002
(Show Context)
Citation Context ...ization points that occur in a different thread than the one being verified. Our prototype implementation is based on RGSep [9], a program logic that combines rely-guarantee [10] and separation logic =-=[11]-=-. As a result, it deals with an unbounded number of threads, can reason about memory deallocation, which affects linearizability in subtle ways (see Sect. 2), and can prove the absence of memory leaks... |

163 |
Specification and design of (parallel) programs
- Jones
- 1983
(Show Context)
Citation Context ...nd we allow complex linearization points that occur in a different thread than the one being verified. Our prototype implementation is based on RGSep [9], a program logic that combines rely-guarantee =-=[10]-=- and separation logic [11]. As a result, it deals with an unbounded number of threads, can reason about memory deallocation, which affects linearizability in subtle ways (see Sect. 2), and can prove t... |

128 | A local shape analysis based on separation logic
- Distefano, O’Hearn, et al.
- 2006
(Show Context)
Citation Context ...Top; }; struct stack *S; void init() { S = alloc(); S->Top = NULL; /* ABS->val = ɛ; */ } [10] void push(value t v) { struct node *t, *x; [11] x = alloc(); [12] x->data = v; [13] do { [14] t = S->Top; =-=[15]-=- x->next = t; [16] } while (¬CAS(&S->Top,t,x)); // @1 [17] } [20] value t pop() { struct node *t, *x; [21] do { [22] t = S->Top; // @2 [23] if (t == NULL) [24] return EMPTY; [25] x = t->next; [26] } w... |

97 |
Systems Programming: Coping with Parallelism
- Treiber
- 1986
(Show Context)
Citation Context ...tions of the linearization points. (4) The programmer must describe the interference imposed by the module. 2 A Simple Example: Treiber’s Stack Figure 1 contains C-like pseudocode for Treiber’s stack =-=[12]-=-, one of the simplest non-blocking concurrent algorithms. The stack is represented as a singly linked list rooted at S->Top, which is updated using CAS (compare and swap). CAS is a primitive operation... |

74 | A marriage of rely/guarantee and separation logic
- Vafeiadis, Parkinson
(Show Context)
Citation Context ...at the specified linearization points are sound, and we allow complex linearization points that occur in a different thread than the one being verified. Our prototype implementation is based on RGSep =-=[9]-=-, a program logic that combines rely-guarantee [10] and separation logic [11]. As a result, it deals with an unbounded number of threads, can reason about memory deallocation, which affects linearizab... |

68 |
practical non-blocking and blocking concurrent queue algorithms
- MICHAEL, SCOTT, et al.
(Show Context)
Citation Context ...ck *S; void init() { S = alloc(); S->Top = NULL; /* ABS->val = ɛ; */ } [10] void push(value t v) { struct node *t, *x; [11] x = alloc(); [12] x->data = v; [13] do { [14] t = S->Top; [15] x->next = t; =-=[16]-=- } while (¬CAS(&S->Top,t,x)); // @1 [17] } [20] value t pop() { struct node *t, *x; [21] do { [22] t = S->Top; // @2 [23] if (t == NULL) [24] return EMPTY; [25] x = t->next; [26] } while (¬CAS(&S->Top... |

66 | A Practical Multi-Word Compare-and-Swap Operation
- Harris, Fraser, et al.
(Show Context)
Citation Context ... = NULL; /* ABS->val = ɛ; */ } [10] void push(value t v) { struct node *t, *x; [11] x = alloc(); [12] x->data = v; [13] do { [14] t = S->Top; [15] x->next = t; [16] } while (¬CAS(&S->Top,t,x)); // @1 =-=[17]-=- } [20] value t pop() { struct node *t, *x; [21] do { [22] t = S->Top; // @2 [23] if (t == NULL) [24] return EMPTY; [25] x = t->next; [26] } while (¬CAS(&S->Top,t,x)); // @3 [27] return t->data; [28] ... |

37 | Proving correctness of highly-concurrent linearisable objects
- Vafeiadis, Herlihy, et al.
- 2006
(Show Context)
Citation Context ...le reader and a single writer.Data structure Shape analysis Linearizability Berdine et al. [8] DCAS stack 0.2s 0.2s – Two-slot buffer 0.4s 1.2s – Two-lock queue [16] 0.5s 0.6s 17s Lock-coupling list =-=[5]-=- 0.3s 0.5s – Treiber stack [12] 0.2s 0.3s 7s Non-blocking queue [16] 2.6s 5.1s – Non-blocking queue [2] 2.6s 4.8s 252s RDCSS [17] 1.6s 87.7s – Table 1. Verification times for a collection of concurren... |

33 | Modular fine-grained concurrency verification
- Vafeiadis
- 2008
(Show Context)
Citation Context ...truct stack { struct node *Top; }; struct stack *S; void init() { S = alloc(); S->Top = NULL; /* ABS->val = ɛ; */ } [10] void push(value t v) { struct node *t, *x; [11] x = alloc(); [12] x->data = v; =-=[13]-=- do { [14] t = S->Top; [15] x->next = t; [16] } while (¬CAS(&S->Top,t,x)); // @1 [17] } [20] value t pop() { struct node *t, *x; [21] do { [22] t = S->Top; // @2 [23] if (t == NULL) [24] return EMPTY;... |

30 | Formal verification of a practical lock-free queue algorithm
- Doherty, Groves, et al.
- 2004
(Show Context)
Citation Context ...of, and is used as the precondition of push and pop. 3 Verifying Linearizability Proving linearizability can be reduced to proving that one transition system simulates another transition system (e.g. =-=[2, 4]-=-). The reduction is straightforward, but expensive: it converts a difficult problem into an even harder problem. Proofs done this way have involved significant human labour, especially in constructing... |

26 | Formal verification of a lazy concurrent list-based set algorithm
- Colvin, Groves, et al.
(Show Context)
Citation Context ...of, and is used as the precondition of push and pop. 3 Verifying Linearizability Proving linearizability can be reduced to proving that one transition system simulates another transition system (e.g. =-=[2, 4]-=-). The reduction is straightforward, but expensive: it converts a difficult problem into an even harder problem. Proofs done this way have involved significant human labour, especially in constructing... |

26 |
Static analysis of atomicity for programs with non-blocking synchronization
- Wang, Stoller
- 2005
(Show Context)
Citation Context ...osition.We have also performed tests where we inserted errors in the algorithms. In all these cases, our tool failed to prove linearizability. 7 Related Work Automatic Verification. Wang and Stoller =-=[18]-=- present a static analysis that verifies linearizability for an unbounded number of threads. Their analysis essentially detects certain coding patterns, which are known to be atomic irrespective of th... |

25 | Comparison under abstraction for verifying linearizability
- Amit, Rinetzky, et al.
- 2007
(Show Context)
Citation Context ...rify the correctness of their algorithms. The literature contains several hand-crafted linearizability proofs [2–5], but until recently nobody had automated the derivation of such proofs. Amit et al. =-=[6]-=- used shape analysis to verify linearizability for a fixed (small) number of threads. More recently, Manevich et al. [7] and Berdine et al. [8] extended this analysis, so that it works for a larger (f... |

22 | Thread quantification for concurrent shape analysis
- Berdine, Lev-Ami, et al.
- 2008
(Show Context)
Citation Context ...had automated the derivation of such proofs. Amit et al. [6] used shape analysis to verify linearizability for a fixed (small) number of threads. More recently, Manevich et al. [7] and Berdine et al. =-=[8]-=- extended this analysis, so that it works for a larger (fixed) number of threads and for an unbounded number of threads respectively. These works require a specialized abstract domain, do not handle m... |

20 | Modular safety checking for finegrained concurrency
- Calcagno, Parkinson, et al.
- 2007
(Show Context)
Citation Context ...k { struct node *Top; }; struct stack *S; void init() { S = alloc(); S->Top = NULL; /* ABS->val = ɛ; */ } [10] void push(value t v) { struct node *t, *x; [11] x = alloc(); [12] x->data = v; [13] do { =-=[14]-=- t = S->Top; [15] x->next = t; [16] } while (¬CAS(&S->Top,t,x)); // @1 [17] } [20] value t pop() { struct node *t, *x; [21] do { [22] t = S->Top; // @2 [23] if (t == NULL) [24] return EMPTY; [25] x = ... |

14 | Automatically verifying concurrent queue algorithms
- Yahav, Sagiv
(Show Context)
Citation Context ...y. More recently, Manevich et al. [7] and Berdine et al. [8] have presented some improvements to this analysis, which are orthogonal to the task of verifying linearizability. Finally, Yahav and Sagiv =-=[19]-=- and Calcagno et al. [14] use shape analysis to check simple safety properties of list-based concurrent algorithms, but cannot verify linearizability. Semi-automatic Verification. In [2–4], the PVS th... |

11 |
Lock-free dynamic hash tables with open addressing
- Gao, Groote, et al.
(Show Context)
Citation Context ...ifferent thread.Our use of the reserved value UNDEF encodes whether the linearization point has occurred or not. Alternatively, the same information can be recorded by a boolean variable. Gao et al. =-=[3]-=- instead keep a counter initially set to 0, incremented at each linearization point, and prove that it contains 1 at the end of the method. Besides using more state than necessary, their approach does... |