Formal Verification of Lock-Free Algorithms

2009 Ninth International Conference on Application of Concurrency to System Design 

FormalVerificationof Lock-FreeAlgorithms 

(Invited Paper) 

Gerhard Schellhorn, Simon Bäumler 

Institute for Software and Systems Engineering 

University of Augsburg 

Germany 

{schellhorn, baeumler}@informatik.uni-augsburg.de 

Abstract 

The current trend towards multi-core processors has renewed 

the interest in the development and correctness of 

concurrent algorithms. 

Most of these algorithms rely on locks to protect critical 

sections from unwanted interference. Recently a new class 

of nonblocking algorithms has been developed which do 

not rely on critical sections, but on atomic compare-and-set 

instructions. Such lock-free algorithms are less vulnerable 

to the typical problems of concurrent algorithms: deadlocks, 

livelocks and priority inversion. On the other hand, the lack 

of a uniform principle to rule out interference results in 

increased complexity. This makes it harder to understand 

these algorithms and to verify their correctness. 

The paper gives a simple example to demonstrate the 

central correctness criteria of linearizability (a safety property) 

and lock-freeness (a liveness property) for lock-free 

algorithms. It then sketches our approach to the modular 

verification of lock-free algorithms which uses relyguaranteereasoningandapowerfultemporallogictoderive 

refinement proof obligations that can be verified with the 

interactive theorem prover KIV. Finally an overview over 

related work and techniques that are relevant to automate 

proofs is given. 

1. Introduction 

As multi-core processor architectures have become standard, 

the study of concurrent algorithms is a current and 

important research topic. Among these, lock-free algorithms 

are a recently developed class of algorithms for concurrent 

access to data structures. They typically do not use locks and 

mutualexclusiveaccess,butinsteadrelyonatomiccompareand-swap-operations. 

Such operations are now implemented 

byallcommonprocessortypes,languagesupportisprovided 

e.g.byJavaandC#.AsimpleexampleisshowninSection2. 

Lock-free algorithms use an optimistic approach to cope 

with interference: all processes may attempt to read or 

modify a data structure at the same time. In case of conflicts, 

only one process will succeed while the others have to 

retry. If conflicts are rare, this avoids the bottleneck of 

locks, which a priori restricts access to only one process. 

Lock-free algorithms also have the advantage of being less 

vulnerabletocommonproblemssuchasdeadlocks,livelocks 

and priority inversion. They have been used in operating 

system kernels [1], [2], [3], and also in computer games 

which need to exploit the performance gain of several 

processors [4]. 

On the other hand these algorithms are more complex, 

since they do not use the universal principle of mutual 

exclusion. This makes it harder to assure their correctness 

by intuitive arguments. Therefore, a number of researchers 

have started to develop formal verification techniques that 

guarantee their correctness. 

Correctness of lock-free algorithms is typically based on 

verifying linearizability (for safety) as defined by Herlihy 

and Wing [5] and lock-freedom (for liveness), which are 

described in Section 3. 

Usually, reasoning over a concurrent system is hard and 

tedious work as all possible interleavings have to be considered. 

To have compositional proofs the rely-guarantee 

paradigm is used, which reduces proof of properties for 

a full system to properties of the components. Section 4 

gives an introduction, and describes our current approach. 

which used a compositionality theorem for refinement, to 

break down the linearizability condition to rely-guarantee 

proof obligations for single processes. The approach is fully 

mechanized,usingtheexpressivetemporallogic[6],[7]built 

into the interactive theorem prover KIV [8]. KIV has been 

used to verify the compositionality theorem, as well as to 

verify the proof obligations that result from the lock-free 

stack algorithm of Section 2, see [9]. 

Finally, Section 5 gives an overview over related work. 

2. An example algorithm 

This section describes the lock-free stack implementation 

of Treiber [10], which is a standard example for lockfree 

algorithms. The example is used to illustrate the CAS 

instruction and the basic ideas of lock-free algorithms. 

For representation of the stack in the store, a linked list 

in the heap is used. Figure 1 shows an example of such 

a representation. Each node of the stack contains a .val 

1550-4808/09 $25.00 © 2009 IEEE 

DOI 10.1109/ACSD.2009.10 

13 

Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on January 18, 2010 at 11:43 from IEEE Xplore. Restrictions apply.

Top 

a b c 

null 

Figure 1. Example of a Stack representation 

CAS(Old,New,G : Pointer){ 

if G = Old 

then {G := New; return TRUE; } 

else return FALSE; 

} 

Figure 2. The atomic CAS operation 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

CPOP(Top : Pointer ) { 

repeat 

OTop := Top ; 

if OTop = null then 

return empty; 

ONxt := OTop .nxt ; 

Res := OTop .val ; 

until CAS(OTop , ONxt , Top ); 

return Res 

} 

Figure 4. The pop operation 

field for the data value and a .nxt pointer to refer to the 

succeeding node. The end of the stack is marked with the 

null pointer. The entry point of the stack, i.e. the top cell, 

is referenced by the global variable Top. 

The push and pop operations consist of two phases. First, 

the needed data is prepared without changing the main 

data structure, e.g. storage is allocated or data are read. In 

a second phase, it is attempted to change the stack data 

structure in a single atomic step. If this atomic step fails 

(e.g. because the data structure has changed), the main data 

structure is not changed and the algorithm repeats phase 

one. To change the stack atomically, a compare-and-swap 

(CAS) command is used. Pseudocode for this operation is 

given in Figure 2. The CAS command compares a local 

pointer Old with a global pointer G, where Old is typically 

a value of G, that was read earlier by the process. If both 

pointers are identical, G is set to a new value New and 

the CAS command succeeds. If the values are different, G 

is left unchanged and the CAS command fails. All usual 

multi-core processors support atomic CAS instructions (e.g. 

CMPXCHG on x86 processors) or equivalent instructions. 

The push algorithm is depicted in Figure 3. Parameters of 

CPUSH are the value input value V, which should be placed 

on top of the stack, and a reference to the Top pointer. 

Since each invocation of CPUSH runs in parallel with calls 

to CPUSH or CPOP from other processes, Top may change 

at any time while the algorithm is executed. 

Variables UNew and UTop are local pointer variables. 

1 

2 

3 

4 

5 

6 

7 

8 

CPUSH(V : Data, Top : Pointer){ 

UNew := new(Node); 

UNew .val := V; 

repeat { 

UTop := Top ; 

UNew .nxt := UTop ; 

} until CAS(UTop , UNew , Top ) 

} 

Figure 3. The push operation 

The algorithm starts by allocating a new cell on the heap 

and writing the input value V into the newly allocated node 

(line 2 and 3). After that the algorithm loops, as long as the 

insertion of the new cell in the stack fails (line 4 to 7). Inside 

the loop the pointer of the current top cell is copied to the 

local variable UTop and the .nxt-pointer of the previously 

allocated cell is set to the current top cell (line 5 and 6). 

Finally, the algorithms attempts to add the new data value 

to the top of the stack data structure by a CAS operation 

(line 7). If the current Top is still the same as it was in line 

5, the previously allocated cell UNew contains the correct 

.nxt -pointer and Top can be set to UNew . If the top of 

stack was changed by another push or pop process in the 

meantime, the CAS operation fails and the loop is reiterated. 

The pop algorithm, shown in Figure 4, is very similar. 

The only difference is that it has to be checked, whether the 

stack is empty or not (line 4). In case of an empty stack, a 

special value empty is returned. 

3. Linearizability and Lock-Freedom 

The usual correctness criteria for lock-free algorithms are 

linearizability for safety and lock-freedom for liveness. 

Linearizability was defined by Herlihy & Wing [5]. It 

is based on the visible inputs and outputs of processes. 

Formally a history is defined as a list of invoke and return 

events. An invoke event inv(p,op,in) is added to the history, 

when process p invokes operation op with input in. Similarly 

a return event ret(p,op,out) is added when process p returns 

with output out from operation op. In our example a possible 

history created by two processes p and q is 

H = [inv(p,push,3), inv(q,push,4), ret(p,push,−), 

ret(q,push,−), inv(q,pop,−), ret(q,pop,4)] 

where the − indicates no input/output. A history is linearizable 

if it can be reordered to a sequential history, where each 

invoke is directly followed by the corresponding return. The 

reordering must respect the order that was present in the 

original history: an operation whose invoke happened after 

the return of another operation, must end up in the same 

14 


order in the sequential history. For the history H above two 

linearizations are possible. 

[inv(q,push,4), ret(q,push,−), inv(p,push,3), 

ret(p,push,−), inv(q,pop,−), ret(q,pop,4)]. 

and 

[inv(p,push,3), ret(p,push,−), inv(q,push,4), 

ret(q,push,−), inv(q,pop,−), ret(q,pop,4)] 

The first history is not compatible with the semantics of 

a stack (if 3 was pushed last, then the pop should return 

3, not 4), but the second is. Therefore H is linearizable. A 

concurrent implementation of a data type is linearizable, if 

every history it creates is linearizable. 

The definition given is difficult to use for verification. 

Therefore all work we are aware of has used the following 

simpler requirement: in between the invoke and return of 

every operation a linearization point must exist, such that 

the operation can be thought of as executing atomically at 

that point. In simple examples, the linearization point can be 

identified as a specific line of the source code: for the push 

operation the CAS instruction is the linearization point. 

That the original definition is difficult to use has already 

been noted in the original work [5], and an alternative 

definition based on so-called possibilities is given that is 

closer to the simple requirement. In [11] we have formalized 

the original definition as well as possibilities, and have 

formally proved that they are equivalent. 

Linearizability can be viewed as a correctness criterion 

for refinement. In the example of the previous section, 

stack operations are refined by programs working on pointer 

structures. In [12] and [11] we have shown, that it is possible 

to view linearizability as an instance of non-atomic data 

refinement. [12] is based on encoding the control structure 

of the operations in CSP. Single steps of the algorithm are 

defined as Z operations. [11] replaces the CSP control structure 

with program counters, which allowed to mechanize the 

proofswithKIV.Interleavingisrealizedbyusingpromotion. 

To verify linearizability [11] and [13] give modular proof 

obligations, that reduce the problem to two processes by 

exploiting their symmetry. The stack algorithm is used as a 

running example. The resulting proof obligations can be verified 

using predicate logic alone. They resemble the Owicki- 

Gries technique [14] for proving program correctness. 

Linearizability guarantees that operations will return correct 

results, but not their termination. Indeed, termination 

of a single push algorithm (and therefore liveness of the 

process) cannot be guaranteed, since it is possible that each 

loopiterationisinterceptedbyanotherpushorpopoperation 

that modifies the stack and causes the CAS operation to fail. 

The algorithm does not satisfy the Wait-Freedom criterion, 

that requires that each operation must finish within a finite 

number of (his own) steps. This is a disadvantage compared 

to algorithms using locks which usually satisfy waitfreedom. 

Instead lock-free algorithms satisfy the weaker 

criterion of Lock-Freedom which only requires, that when 

several operations are currently running, at least one of 

them will terminate. This implies that as soon as no new 

operations are started any more, all running operations will 

eventually terminate. For the stack example the criterion is 

satisfied: if a push or pop operation must retry due to a failed 

CAS, this was caused by another push or pop operation, that 

successfully modified the stack and therefore terminated. 

4. Current Work 

Acommon technique toavoid proofs thathave toconsider 

theconcurrentsystemasawholeiscompositionalreasoning, 

which was first formulated in [15] by Dijkstra. The idea of 

this technique is to split the system into several subcomponents. 

Then, the overall property is proved by combining 

properties of the subcomponents. 

A common compositional proof technique is the relyguarantee 

paradigm, which was introduced by Jones [16] 

and by Misra and Chandy [17] (under the name assumptioncommitment). 

The basic idea of this paradigm is, that 

each component can make specific assumptions about its 

environment in order to guarantee a specific behavior. 

Usually a rely-guarantee technique provides a theorem, 

that specifies in a number of proof obligations how the 

various assumptions and guarantees have to be connected 

in order to show the property for the overall system. Ideally, 

these proof obligations consider only single subcomponents 

and are of feasible size. Most rely-guarantee techniques use 

either a semantic framework or temporal logics. Examples 

can be found e.g. in [18], [19], [20]. 

Our own approach uses an expressive temporal logic [7], 

[6] that is a variant of interval temporal logic (ITL, [21]). 

ITL extends linear temporal logic (LTL) by considering 

infinite as well as finite runs (called intervals). Therefore 

termination is expressible. The semantics of a formula is a 

set of intervals, which makes the formula valid. Sequential 

as well as parallel programs are just specific formulas, since 

their semantics is also a set of intervals (the set of possible 

runs). This makes it possible to mix programs and formulas 

freely: components can be abstracted to their properties. 

KIV supports deduction for interleaved programs (used to 

model the stack example), as well as asynchronous parallel 

programs and statecharts [22], [23]. 

Since programs are explicit formulas, there is no need to 

encode algorithms such as the push and pop algorithm into 

transition systems, as most other approaches (e.g. TLA [24]) 

do. Instead our deduction approach extends the well-known 

principle of symbolic execution and induction [25] to parallel 

programs. 

Using this approach we have mechanized a compositionality 

theorem for linearizability as a special case of trace 

refinement. We also verified the resulting proof obligations 

for the stack example [26],[9] from Section 2. In a master’s 

thesisoneofourstudents[27]hasmechanizedlinearizability 

15 


of the slightly optimized version [28] of Michael and Scott’s 

queue [1] implementation. This work also proves lockfreedom 

of the queue. 

5. Related Work 

Our approach is based on an expressive temporal logic, 

which is built into the theorem prover. In this sense it is similar 

to the formalization of TLA [24] in Isabelle [29] and to 

the STEP prover [30] or to + CAL [31]. All these approaches 

require to encode programs to a normal form of transition 

systems for deduction. Although this is not a drawback for 

automated proofs using model checking, we found it very 

unintuitive to reason about program counters in interactive 

verification. Therefore we avoid such an encoding. 

An alternative to using temporal logic and rely-guarantee 

reasoning directly, is to use an encoding into higher-order 

logic (e.g. [32], [33] or [34]). This has the advantage that 

soundness of the logic can be reduced to the soundness 

of higher-order logic, but it requires to encode a lot of 

the semantics (we are not aware of encodings that support 

a full abstract programming language with local variables, 

recursion, blocking, and interleaving as KIV does). 

Verification of lock-free algorithms is currently an active 

research topic. Various algorithms have been proved to be 

linearizable, e.g. algorithms working on a global queue [28], 

[35], a lazy caching algorithm [36] or a concurrent garbage 

collection [37]. 

The algorithm considered here was taken from Colvin and 

Groves [28], [38], who have given a correctness proof using 

IO automata and the theorem prover PVS. We have only 

studied the core algorithm, their work discusses extending 

the algorithm with elimination arrays, and adds modification 

counts to avoid the ABA problem. In contrast to this formal 

proof our proof is not monolithic, and does not require to 

encode programs as automata using program counters. 

Recent work by the same authors [39], [40] discusses 

incremental development of the algorithm using refinement 

calculus and programs very similar to ours. The resulting 

steps are rather intuitive for explaining the ideas and possible 

variations, but have not been mechanized. Again this 

work also discusses various extensions and variations of the 

algorithm. Colvin and Dongol [41] have also developed an 

mechanized approach to verify lock-freeness. 

In [42], Vafeiadis et. al. describe a rely-guarantee approach 

for linearizability, that is applied informally on an 

implementation of sets using fine-grained locking. [43], 

[44], [45] mechanizes verification of the resulting proof 

obligations (correctness of the proof obligations is argued 

on the semantic level). [46] considers lock-freedom. In 

contrast to our approach, the approach mixes the abstract 

and concrete layer, by calling the abstract operation at the 

linearization point within the concrete code. We have not 

used this idea, since it is incompatible with the idea of 

developing concrete programs incrementally from abstract 

specifications. Nevertheless the technique allows to use a 

standard rely-guarantee theorem for a single program. The 

approach is fully automatic on a number of examples. It uses 

an impressive range of specialized automation techniques: 

separation logic [47] is used to reason over pointer structures, 

the distinction between local (i.e. modifiable only by 

one process) and global references is encoded as boxed and 

unboxed formulas. A variant of the abstraction and invariant 

generation technique proposed by [48] is used to deal with 

loops. 

Fully automatic approaches based on static analysis are 

given by Amit et. al. in [49] and by Berdine et. al. in [50]. 

They also specialize on reasoning over pointer structures. 

6. Conclusion 

Our work aims to define a generic, modular approach 

that allows mechanized, interactive verification of lockfree 

and other concurrent algorithms. The approach uses 

an expressive temporal logic to formalize compositionality 

theorems for rely-guarantee reasoning and refinement. The 

approach has been applied to simple examples like the one 

shown in this paper. 

Current work is to use the approach on more complex 

examples and to integrate specialized deduction techniques 

that help to automate proofs into our generic framework. 

References 

[1] M. M. Michael and M. L. Scott, “Nonblocking algorithms 

and preemption-safe locking on multiprogrammed shared — 

memory multiprocessors,” Journal of Parallel and Distributed 

Computing, vol. 51, no. 1, pp. 1–26, 1998. 

[2] M. M. Michael, “High performance dynamic lock-free hash 

tables and list-based sets,” in SPAA 2002. ACM, 2002, pp. 

73–82. 

[3] M. M. Michael, “Practical lock-free and wait-free ll/sc/vl 

implementations using 64-bit cas,” in DISC 04, vol. 3274. 

Springer LNCS, 2004. 

[4] T. Leonard, “Dragged kicking and screaming: 

Source multicore,” Talk at the Game Developers 

Conference, San Francisco, March 2007. [Online]. 

Available: www.valvesoftware.com/publications/2007/ 

GDC2007 SourceMulticore.pdf 

[5] M. Herlihy and J. M. Wing, “Linearizability: A correctness 

condition for concurrent objects,” ACM Transactions on Programming 

Languages and Systems, vol. 12, no. 3, pp. 463– 

492, 1990. 

[6] M. Balser, “Verifying concurrent system with symbolic execution 

– temporal reasoning is symbolic execution with a 

little induction,” Ph.D. dissertation, University of Augsburg, 

Augsburg, Germany, 2005. 

16 


[7] M. Balser, S. Bäumler, W. Reif, and G. Schellhorn, “Interactive 

verification of concurrent systems using symbolic 

execution,” in Proceedings of 7th International Workshop of 

Implementation of Logics (IWIL 08), 2008. 

[8] W.Reif,G.Schellhorn,K.Stenzel,andM.Balser,“Structured 

specifications and interactive proofs with KIV,” in Automated 

Deduction—A Basis for Applications, W. Bibel and 

P. Schmitt, Eds. Dordrecht: Kluwer Academic Publishers, 

1998, vol. II: Systems and Implementation Techniques, ch. 1: 

Interactive Theorem Proving, pp. 13 – 39. 

[9] S. Bäumler, G. Schellhorn, M. Balser, and W. Reif, “Proving 

linearizability with temporal logic,” Formal Aspects of Computing 

(FAC), 2009, submitted. 

[10] R. K. Treiber, “System programming: Coping with parallelism,” 

IBM Almaden Research Center, Tech. Rep. RJ 5118, 

1986. 

[11] J. Derrick, G. Schellhorn, and H. Wehrheim, “Mechanising 

a correctness proof for a lock-free concurrent stack,” in 

Prooceedings of FMOODS 2008, Oslo, ser. LNCS, vol. 5051, 

2008, pp. 78–95. 

[12] J. Derrick, G. Schellhorn, and H. Wehrheim, “Proving linearizabilty 

via non-atomic refinement,” in Proceedings of the 

International Conference on integrated formal methods (iFM) 

2007, ser. LNCS, J. G. J. Davies, Ed., vol. 4591. Springer, 

2007, pp. 195–214. 

[13] J. Derrick, G. Schellhorn, and H. Wehrheim, “Mechanically 

verified proof obligations for linearizability,” ACM transactions 

on Programming Languages and Systems, 2009, (submitted). 

[14] S. S. Owicki and D. Gries, “An Axiomatic Proof Technique 

for Parallel Programs I,” Acta Inf., vol. 6, pp. 319–340, 1976. 

[15] E.W.Dijkstra,“Solutionofaprobleminconcurrentprogramming 

control,” Commun. ACM, vol. 8, no. 9, p. 569, 1965. 

[16] C. B. Jones, “Tentative steps toward a development method 

for interfering programs,” ACM Trans. Program. Lang. Syst., 

vol. 5, no. 4, pp. 596–619, 1983. 

[17] J. Misra and K. Chandi, “Proofs of networks of processes,” 

IEEE Transactions of Software Engineering, 1981. 

[18] W.-P. de Roever et al., Concurrency Verification: Introduction 

to Compositional and Noncompositional Methods. Cambridge 

University Press, 2001. 

[19] M. Abadi and L. Lamport, “Conjoining specifications,” ACM 

Transactions on Programming Languages and Systems, 1995. 

[20] A. Cau and P. Collette, “Parallel composition of assumptioncommitment 

specifications: A unifying approach for shared 

variable and distributed message passing concurrency,” Acta 

Informatica, vol. 33, no. 2, pp. 153–176, 1996. 

[21] B. Moszkowski, Executing Temporal Logic Programs. 

Cambridge: Cambridge University Press, 1986. [Online]. 

Available: citeseer.ist.psu.edu/moszkowski86executing.html 

[22] S. Bäumler, M. Balser, A. Knapp, W. Reif, and A. Thums, 

“Interactive verification of uml state machines,” in Formal 

Methods and Software Engineering, ser. LNCS, no. 3308. 

Springer, 2004. 

[23] A. Thums, F. Ortmeier, W.Reif, and G. Schellhorn, “Interactive 

verification of statecharts,” in Integration of Software 

Specification Techniques for Applications in Engineering, 

H. Ehrig, Ed. Springer LNCS 3147, 2004, pp. 355 – 373. 

[24] L. Lamport, “The temporal logic of actions,” ACM Transactions 

on Programming Languages and Systems, vol. 16, no. 3, 

pp. 872–923, May 1994. 

[25] R. M. Burstall, “Program proving as hand simulation with 

a little induction,” Information processing 74, pp. 309–312, 

1974. 

[26] S. Bäumler, G. Schellhorn, M. Balser, and 

W. Reif, “Proving linearizability with temporal 

logic,” Universität Augsburg, Technical Report 

2008-19, 2008, uRL: http://www.informatik.uniaugsburg.de/lehrstuehle/swt/se/publications/. 

[27] B. Tofan, “Correctness Analysis Of Lock-Free Algorithms 

For Multi-Core Architectures,” Diplomarbeit, Universität 

Augsburg, 2009. 

[28] S. Doherty, L. Groves, V. Luchangco, and M. Moir, “Formal 

verification of a practical lock-free queue algorithm,” in 

FORTE 2004, ser. LNCS, vol. 3235, 2004, pp. 97–114. 

[29] S. Merz, “Mechanizing TLA in Isabelle,” in Workshop on 

Verification in New Orientations, R. Rodošek, Ed. Maribor: 

Univ. of Maribor, Jul. 1995, pp. 54–74. 

[30] N. S. Bjørner, A. Browne, M. A. C. On, B. Finkbeiner, 

H. B. Sipma, and T. Uribe, “Verifying temporal properties 

of reactive systems: A step tutorial,” in Formal Methods in 

System Design, 1999, p. 2000. 

[31] L. Lamport, “The +cal algorithm language,” Microsoft, 

Tech. Rep., 2006. [Online]. Available: 

http://research.microsoft.com/users/lamport/pubs/pubs.html 

[32] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas, 

“PVS: Combining specification, proof checking, and model 

checking,” in Computer Aided Verification (CAV), R. Alur and 

T. A. Henzinger, Eds. Springer LNCS 1102, 1996. 

[33] S. Kalvala, “A formulation of TLA in isabelle,” 

http://www.research.digital.com/SRC/personal/lamport/ 

tla/tla.html, June 1995. 

[34] L. Nieto, “The rely-guarantee method in isabelle /hol,” in European 

Symposium on Programming (ESOP’03), ser. LNCS, 

P. Degano, Ed., vol. 2618. Springer, 2003, pp. 348–362. 

[35] J.-R. Abrial and D. Cansell, “Formal Construction of a Nonblocking 

Concurrent Queue Algorithm (a Case Study in 

Atomicity),” Journal of Universal Computer Science, vol. 11, 

no. 5, pp. 744–770, 2005. 

[36] W. H. Hesselink, “Refinement verification of the lazy caching 

algorithm,” Acta Inf., vol. 43, no. 3, pp. 195–222, 2006. 

17 


[37] H. Gao, J.F. Groote, and W. H. Hesselink,“Lock-free parallel 

and concurrent garbage collection by mark&sweep,” Sci. 

Comput. Program., vol. 64, no. 3, pp. 341–374, 2007. 

[38] R. Colvin, S. Doherty, and L. Groves, “Verifying concurrent 

data structures by simulation,” ENTCS, vol. 137, pp. 93–110, 

2005. 

[39] L. Groves and R. Colvin, “Derivation of a scalable lock-free 

stack algorithm,” Electron. Notes Theor. Comput. Sci., vol. 

187, pp. 55–74, 2007. 

[40] L. Groves and R. Colvin, “Trace-based derivation of a scalable 

lock-free stack algorithm,” Formal Aspects of Computing 

(FAC), vol. 21, no. 1–2, pp. 187–223, 2009. 

[41] R. Colvin and B. Dongol, “A general technique for proving 

lock-freedom,” Sci. Comput. Program., vol. 74, no. 3, pp. 

143–165, 2009. 

[42] V. Vafeiadis, M. Herlihy, T. Hoare, and M. Shapiro, “Proving 

correctness of highly-concurrent linearisable objects,” in 

PPoPP ’06: Proceedings of the eleventh ACM SIGPLAN symposium 

on Principles and practice of parallel programming. 

New York, NY, USA: ACM, 2006, pp. 129–136. 

[43] C. Calcagno, M. J. Parkinson, and V. Vafeiadis, “Modular 

safety checking for fine-grained concurrency,” in SAS, ser. 

Lecture Notes in Computer Science, H. R. Nielson and 

G. Filé, Eds., vol. 4634. Springer, 2007, pp. 233–248. 

[44] V. Vafeiadis and M. J. Parkinson, “A marriage of 

rely/guarantee and separation logic,” in CONCUR, ser. Lecture 

Notes in Computer Science, L. Caires and V. T. Vasconcelos, 

Eds., vol. 4703. Springer, 2007, pp. 256–271. 

[45] V. Vafeiadis, “Shape-value abstraction for verifying linearizability,” 

in Proceedings VMCAI 2009, ser. LNCS, vol. 5403. 

Springer, 2009. 

[46] A. Gotsman, B. Cook, M. Parkinson, and V. Vafeiadis, “Proving 

that nonblocking algorithms don’t block,” in Principles of 

Programming Languages. ACM, 2009, pp. 16–28. 

[47] J. C. Reynolds, “Separation logic: A logic for shared mutable 

data structures,” in LICS ’02: Proceedings of the 17th Annual 

IEEE Symposium on Logic in Computer Science. Washington, 

DC, USA: IEEE Computer Society, 2002, pp. 55–74. 

[48] D. Distefano, P. O’Hearn, and H. Yang, “A local shape 

analysis based on separation logic,” in TACAS, vol. 3920. 

Springer, 2006, pp. 287–302. 

[49] D. Amit, N. Rinetzky, T. W. Reps, M. Sagiv, and E. Yahav, 

“Comparison under abstraction for verifying linearizability,” 

in CAV, ser. Lecture Notes in Computer Science, W. Damm 

and H. Hermanns, Eds., vol. 4590. Springer, 2007, pp. 477– 

490. 

[50] J. Berdine, T. Lev-Ami, R. Manevich, G. Ramalingam, and 

M. Sagiv, “Thread quantification for concurrent shape analysis,” 

in CAV’08: 20th International Conference on Computer 

Aided Verification. Springer, 2008. 

18

Formal Verification of Lock-Free Algorithms

Create successful ePaper yourself

Delete template?

Save as template?