## Proving correctness of highlyconcurrent linearisable objects (2006)

### Cached

### Download Links

Venue: | In PPoPP |

Citations: | 40 - 7 self |

### BibTeX

@INPROCEEDINGS{Vafeiadis06provingcorrectness,

author = {Viktor Vafeiadis},

title = {Proving correctness of highlyconcurrent linearisable objects},

booktitle = {In PPoPP},

year = {2006},

pages = {129--136},

publisher = {ACM Press}

}

### Years of Citing Articles

### OpenURL

### Abstract

We study a family of implementations for linked lists using finegrain synchronisation. This approach enables greater concurrency, but correctness is a greater challenge than for classical, coarse-grain synchronisation. Our examples are demonstrative of common design patterns such as lock coupling, optimistic, and lazy synchronisation. Although they are are highly concurrent, we prove that they are linearisable, safe, and they correctly implement a highlevel abstraction. Our proofs illustrate the power and applicability of rely-guarantee reasoning, as well of some of its limitations. The examples of the paper establish a benchmark challenge for other reasoning techniques.

### Citations

957 | Linearizability: A correctness condition for concurrent objects
- Herlihy, Wing
- 1990
(Show Context)
Citation Context ...e provide the first formal proof [22] of these algorithms, whereby we show that, despite high concurrency: (i) each operation appears to take effect instantaneously (a property called linearisability =-=[11]-=-); (ii) the lowlevel list code implements a high-level specification, that of a set; and (iii) the code is safe, i.e., each operation satisfies a specified post-condition and maintains the structural ... |

846 | The temporal logic of actions
- Lamport
- 1994
(Show Context)
Citation Context ...portant for some examples, e.g., Section 7.5. We rely on annotating the original Java program with a specification. We expect that the our methodology can also be applied within languages such as TLA =-=[14]-=- or IO Automata [17]. These have been designed for reasoning about concurrent algorithms and have been used successfully in proving properties such as safety, liveness, or compliance of implementation... |

553 | Conjoining specifications
- ABADI, LAMPORT
- 1995
(Show Context)
Citation Context ...e [21]. Their proof method was extended by Cliff Jones, who invented the Rely-Guarantee Methodology [13]. As the parallel composition rule appears to be based on circular reasoning, Abadi and Lamport =-=[1]-=- studied whether it is sound. They conclude that it is sound for safety conditions, and provide a condition ensuring soundness in the case of liveness as well. Our work has only considered safety. Els... |

389 | Hierarchical correctness proofs for distributed algorithms
- Lynch, Tuttle
- 1987
(Show Context)
Citation Context ...mples, e.g., Section 7.5. We rely on annotating the original Java program with a specification. We expect that the our methodology can also be applied within languages such as TLA [14] or IO Automata =-=[17]-=-. These have been designed for reasoning about concurrent algorithms and have been used successfully in proving properties such as safety, liveness, or compliance of implementation to specification. T... |

171 |
Specification and design of (parallel) programs
- Jones
- 1983
(Show Context)
Citation Context ...multiple threads to access inside a same object simultaneously. Reasoning about such algorithms is a greater challenge. Our contribution is to show, by extended example, that rely-guarantee reasoning =-=[13]-=- can be applied successfully to several rather challenging concurrent object implementation. We provide the first formal proof [22] of these algorithms, whereby we show that, despite high concurrency:... |

164 | Resources, concurrency and local reasoning
- O’Hearn
(Show Context)
Citation Context ... ∗ describes any finite number of iterations of the program described by R. It is defined ∗ def R = ID ∨ R ∨ (R; R) ∨ (R; R; R) ∨ · · · 2.2 Ownership-based methodologies Ownership-based methodologies =-=[12, 20]-=- generalise sequential reasoning to concurrent objects that synchronise via coarse-grained synchronisation. At most one thread at a time can own an object. While the object is unowned, it must satisfy... |

146 |
Verifying Properties of Parallel Programs: An Axiomatic Approach
- Owicki, Gries
- 1976
(Show Context)
Citation Context ...rther, note that N is not transitive and hence R �= R ∗ . The proof that all atomic actions satisfy N is simple. 8. Previous work Owicki and Gries originally identified the concept of noninterference =-=[21]-=-. Their proof method was extended by Cliff Jones, who invented the Rely-Guarantee Methodology [13]. As the parallel composition rule appears to be based on circular reasoning, Abadi and Lamport [1] st... |

104 |
Concurrency of operations on B-trees
- Bayer, Schkolnick
- 1977
(Show Context)
Citation Context ... Another contribution is our development of a version of relyguarantee reasoning suitable for linearisable specifications. There is a large body of research investigating fine-grained synchronisation =-=[2, 8, 18, 19]-=-. A number of standard design patterns have emerged. For example, in lock coupling [2], locks are acquired and released in a “hand-over-hand” order, acquiring the next lock in a sequence before releas... |

103 | You assume, we guarantee: Methodology and case studies
- Henzinger, Quadeer, et al.
- 1998
(Show Context)
Citation Context ...have been used mainly for whole-system proofs of distributed algorithms. The R-G approach is widely used in hardware verification (where it is called assume-guarantee). For instance, Henzinger et al. =-=[10]-=- verify that a complex pipe-line implements a high-level processor specification. Both are expressed in a reactive language; writes are synchronous and parallelism occurs as non-deterministic choice. ... |

79 | Non-blocking algorithms and preemption-safe locking on multiprogrammed shared memory multiprocessors
- Michael, Scott
- 1998
(Show Context)
Citation Context ... Another contribution is our development of a version of relyguarantee reasoning suitable for linearisable specifications. There is a large body of research investigating fine-grained synchronisation =-=[2, 8, 18, 19]-=-. A number of standard design patterns have emerged. For example, in lock coupling [2], locks are acquired and released in a “hand-over-hand” order, acquiring the next lock in a sequence before releas... |

78 |
High performance dynamic lock-free hash tables and list-based sets
- Michael
(Show Context)
Citation Context ... Another contribution is our development of a version of relyguarantee reasoning suitable for linearisable specifications. There is a large body of research investigating fine-grained synchronisation =-=[2, 8, 18, 19]-=-. A number of standard design patterns have emerged. For example, in lock coupling [2], locks are acquired and released in a “hand-over-hand” order, acquiring the next lock in a sequence before releas... |

64 | A pragmatic implementation of non-blocking linked-lists
- Harris
(Show Context)
Citation Context |

62 |
Abstract data types and software validation
- GUTTAG, HORNUNG
- 1979
(Show Context)
Citation Context ...h between the abstract type being implemented (for example, a set of integers), and the underlying concrete type (for example, a linked list). In the standard proof methodology for sequential objects =-=[7]-=-, a linking invariant (sometimes called an abstraction or refinement map) describes how concrete values represent abstract values. Not every concrete value necessarily represents an abstract value: on... |

39 | A lazy concurrent list-based set algorithm
- Heller, Herlihy, et al.
(Show Context)
Citation Context ...ctures. We consider examples of list implementations that employ many of these fine-grained synchronisation techniques. We study in some detail a highly-concurrent linked-list implementation of a set =-=[9]-=- that uses a combination of optimistic and lazy synchronisation. The rest of the paper proceeds as follows. We first introduce rely-guarantee reasoning and some notation, in §2. Then, Section 3 provid... |

31 | Formal verification of a practical lockfree queue algorithm
- Doherty, Groves, et al.
- 2004
(Show Context)
Citation Context ... examples of bugs detected by their tool in sizable programs. Our highly-concurrent linked list algorithms are similar to ones previously published [8, 9, 18, 19]. Doherty, Groves, Luchangco and Moir =-=[4]-=- offer a formal proof of the lock-free queue algorithm of Michael and Scott [19]. Their proof is machine-verified; ours remains manual, hence more prone to error (automated verification is future work... |

30 | Composition: A Way to Make Proofs Harder
- Lamport
(Show Context)
Citation Context ...d whether it is sound. They conclude that it is sound for safety conditions, and provide a condition ensuring soundness in the case of liveness as well. Our work has only considered safety. Elsewhere =-=[15]-=- Lamport argues that R-G only makes proofs harder, by imposing a predefined modular structure to a proof that is necessarily global. We argue that the compositional nature of RG constitutes a powerful... |

18 |
Modular verification of multithreaded programs
- Flanagan, Freund, et al.
- 2005
(Show Context)
Citation Context ... are expressed in a reactive language; writes are synchronous and parallelism occurs as non-deterministic choice. Proofs are assisted by a formal verification tool. The recent work of Flanagan et al. =-=[5]-=- is the most similar to ours. They use a prover to statically verify properties of legacy multithreaded Java programs (annotated with pre-conditions, postconditions, invariants, and R-G conditions), u... |

13 |
Computer-assisted assume/guarantee reasoning with VeriSoft
- Dingel
- 2003
(Show Context)
Citation Context ...ondition. In the rely condition, we often want to specify that there are certain variables the environment does not update, or that if some condition is satisfied, the environment actions preserve it =-=[3]-=-. We introduce the following notation for these specifications. ID(x) def = ( ↼− x = x) ID(P ) def = ( ↼− P = P ) Preserve(P ) def = ( ↼− P ⇒ P ) For convenience in the post-condition and guarantee co... |

13 |
Lock-free dynamic hash tables with open addressing
- Gao, Groote, et al.
(Show Context)
Citation Context ... source text, and we prove that the implementation conforms to the specification by embedding the latter in the text. Recently, Gao, Groote and Hesselink studied a lock-free algorithm for hash tables =-=[6]-=-. They prove both safety and liveness using the PVS verifier, by equipping the program text, line by line, with a large number of assertions and invariants.s9. Conclusion Modern research on concurrent... |

13 | Verification of multithreaded object-oriented programs with invariants
- Jacobs, Leino, et al.
- 2004
(Show Context)
Citation Context ... ∗ describes any finite number of iterations of the program described by R. It is defined ∗ def R = ID ∨ R ∨ (R; R) ∨ (R; R; R) ∨ · · · 2.2 Ownership-based methodologies Ownership-based methodologies =-=[12, 20]-=- generalise sequential reasoning to concurrent objects that synchronise via coarse-grained synchronisation. At most one thread at a time can own an object. While the object is unowned, it must satisfy... |

3 |
Concurrent hash map in JSR 166 concurrency utilities. http://gee.cs.oswego.edu/dl/ concurrency-interest/index.html
- Lea
- 2007
(Show Context)
Citation Context ...or delays by other threads. These techniques are important in practice: for example, the widely-used Java util.concurrent library includes fine-grain, lock-free implementations of lists and hash maps =-=[16]-=-. We suggest that the examples considered here be used as a kind of benchmark challenge for techniques for reasoning about highlyconcurrent data structures. We consider examples of list implementation... |

1 |
A safety proof of a lazy concurrent list-based set implementation
- Vafeiadis, Herlihy, et al.
- 2006
(Show Context)
Citation Context ...ution is to show, by extended example, that rely-guarantee reasoning [13] can be applied successfully to several rather challenging concurrent object implementation. We provide the first formal proof =-=[22]-=- of these algorithms, whereby we show that, despite high concurrency: (i) each operation appears to take effect instantaneously (a property called linearisability [11]); (ii) the lowlevel list code im... |