Formal Verification of Lock-Free Algorithms
Formal Verification of Lock-Free Algorithms
Formal Verification of Lock-Free Algorithms
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>of</strong> the slightly optimized version [28] <strong>of</strong> Michael and Scott’s<br />
queue [1] implementation. This work also proves lockfreedom<br />
<strong>of</strong> the queue.<br />
5. Related Work<br />
Our approach is based on an expressive temporal logic,<br />
which is built into the theorem prover. In this sense it is similar<br />
to the formalization <strong>of</strong> TLA [24] in Isabelle [29] and to<br />
the STEP prover [30] or to + CAL [31]. All these approaches<br />
require to encode programs to a normal form <strong>of</strong> transition<br />
systems for deduction. Although this is not a drawback for<br />
automated pro<strong>of</strong>s using model checking, we found it very<br />
unintuitive to reason about program counters in interactive<br />
verification. Therefore we avoid such an encoding.<br />
An alternative to using temporal logic and rely-guarantee<br />
reasoning directly, is to use an encoding into higher-order<br />
logic (e.g. [32], [33] or [34]). This has the advantage that<br />
soundness <strong>of</strong> the logic can be reduced to the soundness<br />
<strong>of</strong> higher-order logic, but it requires to encode a lot <strong>of</strong><br />
the semantics (we are not aware <strong>of</strong> encodings that support<br />
a full abstract programming language with local variables,<br />
recursion, blocking, and interleaving as KIV does).<br />
<strong>Verification</strong> <strong>of</strong> lock-free algorithms is currently an active<br />
research topic. Various algorithms have been proved to be<br />
linearizable, e.g. algorithms working on a global queue [28],<br />
[35], a lazy caching algorithm [36] or a concurrent garbage<br />
collection [37].<br />
The algorithm considered here was taken from Colvin and<br />
Groves [28], [38], who have given a correctness pro<strong>of</strong> using<br />
IO automata and the theorem prover PVS. We have only<br />
studied the core algorithm, their work discusses extending<br />
the algorithm with elimination arrays, and adds modification<br />
counts to avoid the ABA problem. In contrast to this formal<br />
pro<strong>of</strong> our pro<strong>of</strong> is not monolithic, and does not require to<br />
encode programs as automata using program counters.<br />
Recent work by the same authors [39], [40] discusses<br />
incremental development <strong>of</strong> the algorithm using refinement<br />
calculus and programs very similar to ours. The resulting<br />
steps are rather intuitive for explaining the ideas and possible<br />
variations, but have not been mechanized. Again this<br />
work also discusses various extensions and variations <strong>of</strong> the<br />
algorithm. Colvin and Dongol [41] have also developed an<br />
mechanized approach to verify lock-freeness.<br />
In [42], Vafeiadis et. al. describe a rely-guarantee approach<br />
for linearizability, that is applied informally on an<br />
implementation <strong>of</strong> sets using fine-grained locking. [43],<br />
[44], [45] mechanizes verification <strong>of</strong> the resulting pro<strong>of</strong><br />
obligations (correctness <strong>of</strong> the pro<strong>of</strong> obligations is argued<br />
on the semantic level). [46] considers lock-freedom. In<br />
contrast to our approach, the approach mixes the abstract<br />
and concrete layer, by calling the abstract operation at the<br />
linearization point within the concrete code. We have not<br />
used this idea, since it is incompatible with the idea <strong>of</strong><br />
developing concrete programs incrementally from abstract<br />
specifications. Nevertheless the technique allows to use a<br />
standard rely-guarantee theorem for a single program. The<br />
approach is fully automatic on a number <strong>of</strong> examples. It uses<br />
an impressive range <strong>of</strong> specialized automation techniques:<br />
separation logic [47] is used to reason over pointer structures,<br />
the distinction between local (i.e. modifiable only by<br />
one process) and global references is encoded as boxed and<br />
unboxed formulas. A variant <strong>of</strong> the abstraction and invariant<br />
generation technique proposed by [48] is used to deal with<br />
loops.<br />
Fully automatic approaches based on static analysis are<br />
given by Amit et. al. in [49] and by Berdine et. al. in [50].<br />
They also specialize on reasoning over pointer structures.<br />
6. Conclusion<br />
Our work aims to define a generic, modular approach<br />
that allows mechanized, interactive verification <strong>of</strong> lockfree<br />
and other concurrent algorithms. The approach uses<br />
an expressive temporal logic to formalize compositionality<br />
theorems for rely-guarantee reasoning and refinement. The<br />
approach has been applied to simple examples like the one<br />
shown in this paper.<br />
Current work is to use the approach on more complex<br />
examples and to integrate specialized deduction techniques<br />
that help to automate pro<strong>of</strong>s into our generic framework.<br />
References<br />
[1] M. M. Michael and M. L. Scott, “Nonblocking algorithms<br />
and preemption-safe locking on multiprogrammed shared —<br />
memory multiprocessors,” Journal <strong>of</strong> Parallel and Distributed<br />
Computing, vol. 51, no. 1, pp. 1–26, 1998.<br />
[2] M. M. Michael, “High performance dynamic lock-free hash<br />
tables and list-based sets,” in SPAA 2002. ACM, 2002, pp.<br />
73–82.<br />
[3] M. M. Michael, “Practical lock-free and wait-free ll/sc/vl<br />
implementations using 64-bit cas,” in DISC 04, vol. 3274.<br />
Springer LNCS, 2004.<br />
[4] T. Leonard, “Dragged kicking and screaming:<br />
Source multicore,” Talk at the Game Developers<br />
Conference, San Francisco, March 2007. [Online].<br />
Available: www.valves<strong>of</strong>tware.com/publications/2007/<br />
GDC2007 SourceMulticore.pdf<br />
[5] M. Herlihy and J. M. Wing, “Linearizability: A correctness<br />
condition for concurrent objects,” ACM Transactions on Programming<br />
Languages and Systems, vol. 12, no. 3, pp. 463–<br />
492, 1990.<br />
[6] M. Balser, “Verifying concurrent system with symbolic execution<br />
– temporal reasoning is symbolic execution with a<br />
little induction,” Ph.D. dissertation, University <strong>of</strong> Augsburg,<br />
Augsburg, Germany, 2005.<br />
16<br />
Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on January 18, 2010 at 11:43 from IEEE Xplore. Restrictions apply.