Results 1  10
of
15
Automatically proving linearizability
 In CAV
, 2010
"... Abstract. This paper presents a practical automatic verification procedure for proving linearizability (i.e., atomicity and functional correctness) of concurrent data structure implementations. The procedure employs a novel instrumentation to verify logically pure executions, and is evaluated on a n ..."
Abstract

Cited by 21 (2 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a practical automatic verification procedure for proving linearizability (i.e., atomicity and functional correctness) of concurrent data structure implementations. The procedure employs a novel instrumentation to verify logically pure executions, and is evaluated on a number of standard concurrent stack, queue and set algorithms. 1
Model checking of linearizability of concurrent list implementations
 In CAV
, 2010
"... Concurrent data structures with finegrained synchronization are notoriously difficult to implement correctly. The difficulty of reasoning about these implementations does not stem from the number of variables or the program size, but rather from the large number of possible interleavings. These imp ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
(Show Context)
Concurrent data structures with finegrained synchronization are notoriously difficult to implement correctly. The difficulty of reasoning about these implementations does not stem from the number of variables or the program size, but rather from the large number of possible interleavings. These implementations are therefore prime candidates for model checking. We introduce an algorithm for verifying linearizability of singlylinked heapbased concurrent data structures. We consider a model consisting of an unbounded heap where each vertex stores an element from an unbounded data domain, with a restricted set of operations for testing and updating pointers and data elements. Our main result is that linearizability is decidable for programs that invoke a fixed number of methods, possibly in parallel. This decidable fragment covers many of the common implementation techniques — finegrained locking, lazy synchronization, and lockfree synchronization. We also show how the technique can be used to verify optimistic implementations with the help of programmer annotations. We developed a verification tool CoLT and evaluated it on a representative sample of Java implementations of the concurrent set data structure. The tool verified linearizability of a number of
Verifying Linearizability with Hindsight
, 2010
"... We present a proof of safety and linearizability of a highlyconcurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
We present a proof of safety and linearizability of a highlyconcurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about the shared state. The Hindsight Lemma allows us to avoid one of the most complex and nonintuitive steps in reasoning about highly concurrent algorithms: considering the linearization point of an operation to be in a different thread than the one executing it. The Hindsight Lemma assumes that the algorithm maintains certain simple invariants which are resilient to interference, and which can themselves be verified using purely threadlocal proofs. As a consequence, the lemma allows us to unlock a perhapssurprising intuition: a high degree of interference makes nontrivial highlyconcurrent algorithms in some cases much easier to verify than less concurrent ones.
H.: Verifying Linearisability with Potential Linearisation Points
 FM 2011. LNCS
, 2011
"... Abstract. Linearisability is the key correctness criterion for concurrent implementations of data structures shared by multiple processes. In this paper we present a proof of linearisability of the lazy implementation of a set due to Heller et al. The lazy set presents one of the most challenging is ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Linearisability is the key correctness criterion for concurrent implementations of data structures shared by multiple processes. In this paper we present a proof of linearisability of the lazy implementation of a set due to Heller et al. The lazy set presents one of the most challenging issues in verifying linearisability: a linearisation point of an operation set by a process other than the one executing it. For this we develop a proof strategy based on refinement which uses thread local simulation conditions and the technique of potential linearisation points. The former allows us to prove linearisability for arbitrary numbers of processes by looking at only two processes at a time, the latter permits disposing with reasoning about the past. All proofs have been mechanically carried out using the interactive prover KIV. 1
AspectOriented Linearizability Proofs
"... Abstract. Linearizability of concurrent data structures is usually proved by monolithic simulation arguments relying on identifying the socalled linearization points. Regrettably, such proofs, whether manual or automatic, are often complicated and scale poorly to advanced nonblocking concurrency p ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. Linearizability of concurrent data structures is usually proved by monolithic simulation arguments relying on identifying the socalled linearization points. Regrettably, such proofs, whether manual or automatic, are often complicated and scale poorly to advanced nonblocking concurrency patterns, such as helping and optimistic updates. In response, we propose a more modular way of checking linearizability of concurrent queue algorithms that does not involve identifying linearization points. We reduce the task of proving linearizability with respect to the queue specification to establishing four basic properties, each of which can be proved independently by much simpler arguments. As a demonstration of our approach, we verify the Herlihy and Wing queue, an algorithm that is challenging to verify by a simulation proof. 1
Verifying Linearizability via Optimized Refinement Checking
"... Abstract—Linearizability is an important correctness criterion for implementations of concurrent objects. Automatic checking of linearizability is challenging because it requires checking that: 1) All executions of concurrent operations are serializable, and 2) the serialized executions are correct ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract—Linearizability is an important correctness criterion for implementations of concurrent objects. Automatic checking of linearizability is challenging because it requires checking that: 1) All executions of concurrent operations are serializable, and 2) the serialized executions are correct with respect to the sequential semantics. In this work, we describe a method to automatically check linearizability based on refinement relations from abstract specifications to concrete implementations. The method does not require that linearization points in the implementations be given, which is often difficult or impossible. However, the method takes advantage of linearization points if they are given. The method is based on refinement checking of finitestate systems specified as concurrent processes with shared variables. To tackle state space explosion, we develop and apply symmetry reduction, dynamic partial order reduction, and a combination of both for refinement checking. We have built the method into the PAT model checker, and used PAT to automatically check a variety of implementations of concurrent objects, including the first algorithm for scalable nonzero indicators. Our system is able to find all known and injected bugs in these implementations. Index Terms—Linearizability, refinement, model checking, PAT Ç
Verifying Concurrent Programs Against Sequential Specifications
"... Abstract. We investigate the algorithmic feasibility of checking whether concurrent implementations of sharedmemory objects adhere to their given sequential specifications; sequential consistency, linearizability, and conflict serializability are the canonical variations of this problem. While veri ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We investigate the algorithmic feasibility of checking whether concurrent implementations of sharedmemory objects adhere to their given sequential specifications; sequential consistency, linearizability, and conflict serializability are the canonical variations of this problem. While verifying sequential consistency of systems with unbounded concurrency is known to be undecidable, we demonstrate that conflict serializability, and linearizability with fixed linearization points are EXPSPACEcomplete, while the general linearizability problem is undecidable. Our (un)decidability proofs, besides bestowing novel theoretical results, also reveal novel program explorations strategies. For instance, we show that every violation to conflict serializability is captured by a conflict cycle whose length is bounded independently from the number of concurrent operations. This suggests an incomplete detection algorithm which only remembers a small subset of conflict edges, which can be made complete by increasing the number of remembered edges to the cyclelength bound. Similarly, our undecidability proof for linearizability suggests an incomplete detection algorithm which limits the number of “barriers ” bisecting nonoverlapping operations. Our decidability proof of boundedbarrier linearizability is interesting on its own, as it reduces the consideration of all possible operation serializations to numerical constraint solving. The literature seems to confirm that most violations are detectable by considering very few conflict edges or barriers. 1
Formal Verification of Scalable NonZero Indicators
"... Concurrent algorithms are notoriously difficult to design correctly, and high performance algorithms that make little or no use of locks even more so. In this paper, we describe a formal verification of a recent concurrent data structure Scalable NonZero Indicators. The algorithm supports incrementi ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Concurrent algorithms are notoriously difficult to design correctly, and high performance algorithms that make little or no use of locks even more so. In this paper, we describe a formal verification of a recent concurrent data structure Scalable NonZero Indicators. The algorithm supports incrementing, decrementing, and querying the shared counter in an efficient and linearizable way without blocking. The algorithm is highly nontrivial and it is challenging to prove the correctness. We have proved that the algorithm satisfies linearizability, by showing a trace refinement relation from the concrete implementation to its abstract specification. These models are specified in CSP and verified automatically using the model checking toolkit PAT. 1
Verifying a Quantitative Relaxation of Linearizability via Refinement
"... Abstract. Concurrent data structures have found increasingly widespread use in both multicore and distributed computing environments, thereby escalating the priority for verifying their correctness. Quasi linearizability is a relaxation of linearizability to allow more implementation freedom for per ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Concurrent data structures have found increasingly widespread use in both multicore and distributed computing environments, thereby escalating the priority for verifying their correctness. Quasi linearizability is a relaxation of linearizability to allow more implementation freedom for performance optimization. However, ensuring the quantitative aspects of this correctness condition is an arduous task. We propose a new method for formally verifying quasi linearizability of the implementation model of a concurrent data structure. The method is based on checking the refinement relation between the implementation and a specification model via explicit state model checking. It can directly handle concurrent programs where each thread can make infinitely many method calls, and it does not require the user to write annotations for the linearization points. We have implemented and evaluated our method in the PAT model checking toolkit. Our experiments show that the method is effective in verifying quasi linearizability or detecting its violations. 1
Resilience of Mutual Exclusion Algorithms to Transient Memory Faults
"... We study the behavior of mutual exclusion algorithms in the presence of unreliable shared memory subject to transient memory faults. It is wellknown that classical 2process mutual exclusion algorithms, such as Dekker and Peterson’s algorithms, are not faulttolerant; in this paper we ask what degre ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
We study the behavior of mutual exclusion algorithms in the presence of unreliable shared memory subject to transient memory faults. It is wellknown that classical 2process mutual exclusion algorithms, such as Dekker and Peterson’s algorithms, are not faulttolerant; in this paper we ask what degree of fault tolerance can be achieved using the same restricted resources as Dekker and Peterson’s algorithms, namely, three binary read/write registers. We show that if one memory fault can occur, it is not possible to guarantee both mutual exclusion and deadlockfreedom using three binary registers; this holds in general when fewer than2f+1 binary registers are used and f may be faulty. Hence we focus on algorithms that guarantee (a) mutual exclusion and starvationfreedom in faultfree executions, and (b) only mutual exclusion in faulty executions. We show that using only three binary registers it is possible to design an 2process mutual exclusion algorithm which tolerates a single memory fault in this manner. Further, by replacing one read/write register with a test&set register, we can guarantee mutual exclusion in executions where one variable experiences unboundedly many faults. In the more general setting where up tof registers may be faulty, we show that it is not possible to guarantee mutual exclusion using 2f +1 binary read/write registers if each faulty register can exhibit unboundedly many faults. On the positive side, we show that an nvariable singlefault tolerant algorithm satisfying certain conditions can be transformed into an ((n − 1)f + 1)variable ffault tolerant algorithm with the same progress guarantee as the original. In combination with our threevariable algorithm, this implies that there is a(2f+1)variable mutual exclusion algorithm tolerating a single fault in up tof variables without violating mutual exclusion.