Formal Verification of Lock-Free Algorithms

More documents

Recommendations

Info

of the slightly optimized version [28] of Michael and Scott’s queue [1] implementation. This work also proves lockfreedom of the queue. 5. Related Work Our approach is based on an expressive temporal logic, which is built into the theorem prover. In this sense it is similar to the formalization of TLA [24] in Isabelle [29] and to the STEP prover [30] or to + CAL [31]. All these approaches require to encode programs to a normal form of transition systems for deduction. Although this is not a drawback for automated proofs using model checking, we found it very unintuitive to reason about program counters in interactive verification. Therefore we avoid such an encoding. An alternative to using temporal logic and rely-guarantee reasoning directly, is to use an encoding into higher-order logic (e.g. [32], [33] or [34]). This has the advantage that soundness of the logic can be reduced to the soundness of higher-order logic, but it requires to encode a lot of the semantics (we are not aware of encodings that support a full abstract programming language with local variables, recursion, blocking, and interleaving as KIV does). Verification of lock-free algorithms is currently an active research topic. Various algorithms have been proved to be linearizable, e.g. algorithms working on a global queue [28], [35], a lazy caching algorithm [36] or a concurrent garbage collection [37]. The algorithm considered here was taken from Colvin and Groves [28], [38], who have given a correctness proof using IO automata and the theorem prover PVS. We have only studied the core algorithm, their work discusses extending the algorithm with elimination arrays, and adds modification counts to avoid the ABA problem. In contrast to this formal proof our proof is not monolithic, and does not require to encode programs as automata using program counters. Recent work by the same authors [39], [40] discusses incremental development of the algorithm using refinement calculus and programs very similar to ours. The resulting steps are rather intuitive for explaining the ideas and possible variations, but have not been mechanized. Again this work also discusses various extensions and variations of the algorithm. Colvin and Dongol [41] have also developed an mechanized approach to verify lock-freeness. In [42], Vafeiadis et. al. describe a rely-guarantee approach for linearizability, that is applied informally on an implementation of sets using fine-grained locking. [43], [44], [45] mechanizes verification of the resulting proof obligations (correctness of the proof obligations is argued on the semantic level). [46] considers lock-freedom. In contrast to our approach, the approach mixes the abstract and concrete layer, by calling the abstract operation at the linearization point within the concrete code. We have not used this idea, since it is incompatible with the idea of developing concrete programs incrementally from abstract specifications. Nevertheless the technique allows to use a standard rely-guarantee theorem for a single program. The approach is fully automatic on a number of examples. It uses an impressive range of specialized automation techniques: separation logic [47] is used to reason over pointer structures, the distinction between local (i.e. modifiable only by one process) and global references is encoded as boxed and unboxed formulas. A variant of the abstraction and invariant generation technique proposed by [48] is used to deal with loops. Fully automatic approaches based on static analysis are given by Amit et. al. in [49] and by Berdine et. al. in [50]. They also specialize on reasoning over pointer structures. 6. Conclusion Our work aims to define a generic, modular approach that allows mechanized, interactive verification of lockfree and other concurrent algorithms. The approach uses an expressive temporal logic to formalize compositionality theorems for rely-guarantee reasoning and refinement. The approach has been applied to simple examples like the one shown in this paper. Current work is to use the approach on more complex examples and to integrate specialized deduction techniques that help to automate proofs into our generic framework. References [1] M. M. Michael and M. L. Scott, “Nonblocking algorithms and preemption-safe locking on multiprogrammed shared — memory multiprocessors,” Journal of Parallel and Distributed Computing, vol. 51, no. 1, pp. 1–26, 1998. [2] M. M. Michael, “High performance dynamic lock-free hash tables and list-based sets,” in SPAA 2002. ACM, 2002, pp. 73–82. [3] M. M. Michael, “Practical lock-free and wait-free ll/sc/vl implementations using 64-bit cas,” in DISC 04, vol. 3274. Springer LNCS, 2004. [4] T. Leonard, “Dragged kicking and screaming: Source multicore,” Talk at the Game Developers Conference, San Francisco, March 2007. [Online]. Available: www.valvesoftware.com/publications/2007/ GDC2007 SourceMulticore.pdf [5] M. Herlihy and J. M. Wing, “Linearizability: A correctness condition for concurrent objects,” ACM Transactions on Programming Languages and Systems, vol. 12, no. 3, pp. 463– 492, 1990. [6] M. Balser, “Verifying concurrent system with symbolic execution – temporal reasoning is symbolic execution with a little induction,” Ph.D. dissertation, University of Augsburg, Augsburg, Germany, 2005. 16 Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on January 18, 2010 at 11:43 from IEEE Xplore. Restrictions apply.
[7] M. Balser, S. Bäumler, W. Reif, and G. Schellhorn, “Interactive verification of concurrent systems using symbolic execution,” in Proceedings of 7th International Workshop of Implementation of Logics (IWIL 08), 2008. [8] W.Reif,G.Schellhorn,K.Stenzel,andM.Balser,“Structured specifications and interactive proofs with KIV,” in Automated Deduction—A Basis for Applications, W. Bibel and P. Schmitt, Eds. Dordrecht: Kluwer Academic Publishers, 1998, vol. II: Systems and Implementation Techniques, ch. 1: Interactive Theorem Proving, pp. 13 – 39. [9] S. Bäumler, G. Schellhorn, M. Balser, and W. Reif, “Proving linearizability with temporal logic,” Formal Aspects of Computing (FAC), 2009, submitted. [10] R. K. Treiber, “System programming: Coping with parallelism,” IBM Almaden Research Center, Tech. Rep. RJ 5118, 1986. [11] J. Derrick, G. Schellhorn, and H. Wehrheim, “Mechanising a correctness proof for a lock-free concurrent stack,” in Prooceedings of FMOODS 2008, Oslo, ser. LNCS, vol. 5051, 2008, pp. 78–95. [12] J. Derrick, G. Schellhorn, and H. Wehrheim, “Proving linearizabilty via non-atomic refinement,” in Proceedings of the International Conference on integrated formal methods (iFM) 2007, ser. LNCS, J. G. J. Davies, Ed., vol. 4591. Springer, 2007, pp. 195–214. [13] J. Derrick, G. Schellhorn, and H. Wehrheim, “Mechanically verified proof obligations for linearizability,” ACM transactions on Programming Languages and Systems, 2009, (submitted). [14] S. S. Owicki and D. Gries, “An Axiomatic Proof Technique for Parallel Programs I,” Acta Inf., vol. 6, pp. 319–340, 1976. [15] E.W.Dijkstra,“Solutionofaprobleminconcurrentprogramming control,” Commun. ACM, vol. 8, no. 9, p. 569, 1965. [16] C. B. Jones, “Tentative steps toward a development method for interfering programs,” ACM Trans. Program. Lang. Syst., vol. 5, no. 4, pp. 596–619, 1983. [17] J. Misra and K. Chandi, “Proofs of networks of processes,” IEEE Transactions of Software Engineering, 1981. [18] W.-P. de Roever et al., Concurrency Verification: Introduction to Compositional and Noncompositional Methods. Cambridge University Press, 2001. [19] M. Abadi and L. Lamport, “Conjoining specifications,” ACM Transactions on Programming Languages and Systems, 1995. [20] A. Cau and P. Collette, “Parallel composition of assumptioncommitment specifications: A unifying approach for shared variable and distributed message passing concurrency,” Acta Informatica, vol. 33, no. 2, pp. 153–176, 1996. [21] B. Moszkowski, Executing Temporal Logic Programs. Cambridge: Cambridge University Press, 1986. [Online]. Available: citeseer.ist.psu.edu/moszkowski86executing.html [22] S. Bäumler, M. Balser, A. Knapp, W. Reif, and A. Thums, “Interactive verification of uml state machines,” in Formal Methods and Software Engineering, ser. LNCS, no. 3308. Springer, 2004. [23] A. Thums, F. Ortmeier, W.Reif, and G. Schellhorn, “Interactive verification of statecharts,” in Integration of Software Specification Techniques for Applications in Engineering, H. Ehrig, Ed. Springer LNCS 3147, 2004, pp. 355 – 373. [24] L. Lamport, “The temporal logic of actions,” ACM Transactions on Programming Languages and Systems, vol. 16, no. 3, pp. 872–923, May 1994. [25] R. M. Burstall, “Program proving as hand simulation with a little induction,” Information processing 74, pp. 309–312, 1974. [26] S. Bäumler, G. Schellhorn, M. Balser, and W. Reif, “Proving linearizability with temporal logic,” Universität Augsburg, Technical Report 2008-19, 2008, uRL: http://www.informatik.uniaugsburg.de/lehrstuehle/swt/se/publications/. [27] B. Tofan, “Correctness Analysis Of Lock-Free Algorithms For Multi-Core Architectures,” Diplomarbeit, Universität Augsburg, 2009. [28] S. Doherty, L. Groves, V. Luchangco, and M. Moir, “Formal verification of a practical lock-free queue algorithm,” in FORTE 2004, ser. LNCS, vol. 3235, 2004, pp. 97–114. [29] S. Merz, “Mechanizing TLA in Isabelle,” in Workshop on Verification in New Orientations, R. Rodošek, Ed. Maribor: Univ. of Maribor, Jul. 1995, pp. 54–74. [30] N. S. Bjørner, A. Browne, M. A. C. On, B. Finkbeiner, H. B. Sipma, and T. Uribe, “Verifying temporal properties of reactive systems: A step tutorial,” in Formal Methods in System Design, 1999, p. 2000. [31] L. Lamport, “The +cal algorithm language,” Microsoft, Tech. Rep., 2006. [Online]. Available: http://research.microsoft.com/users/lamport/pubs/pubs.html [32] S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. Srivas, “PVS: Combining specification, proof checking, and model checking,” in Computer Aided Verification (CAV), R. Alur and T. A. Henzinger, Eds. Springer LNCS 1102, 1996. [33] S. Kalvala, “A formulation of TLA in isabelle,” http://www.research.digital.com/SRC/personal/lamport/ tla/tla.html, June 1995. [34] L. Nieto, “The rely-guarantee method in isabelle /hol,” in European Symposium on Programming (ESOP’03), ser. LNCS, P. Degano, Ed., vol. 2618. Springer, 2003, pp. 348–362. [35] J.-R. Abrial and D. Cansell, “Formal Construction of a Nonblocking Concurrent Queue Algorithm (a Case Study in Atomicity),” Journal of Universal Computer Science, vol. 11, no. 5, pp. 744–770, 2005. [36] W. H. Hesselink, “Refinement verification of the lazy caching algorithm,” Acta Inf., vol. 43, no. 3, pp. 195–222, 2006. 17 Authorized licensed use limited to: Technische Universitat Kaiserslautern. Downloaded on January 18, 2010 at 11:43 from IEEE Xplore. Restrictions apply.
Page 1 and 2: 2009 Ninth International Conference
Page 3: order in the sequential history. Fo

Formal Verification of Lock-Free Algorithms

Create successful ePaper yourself

Delete template?

Save as template?