Abstract
Verifying invariants of fine-grained concurrent data structures is challenging, because interference from other threads may occur at any time. We propose a new way of proving invariants of fine-grained concurrent data structures: applying rely-guarantee reasoning to references in the concurrent setting. Rely-guarantee applied to references can verify bounds on thread interference without requiring a whole program to be verified.
This article provides three new results. First, it provides a new approach to preserving invariants and restricting usage of concurrent data structures. Our approach targets a space between simple type systems and modern concurrent program logics, offering an intermediate point between unverified code and full verification. Furthermore, it avoids sealing concurrent data structure implementations and can interact safely with unverified imperative code. Second, we demonstrate the approach’s broad applicability through a series of case studies, using two implementations: an axiomatic Coq domain-specific language and a library for Liquid Haskell. Third, these two implementations allow us to compare and contrast verifications by interactive proof (Coq) and a weaker form that can be expressed using automatically discharged dependent refinement types (Liquid Haskell).
Verifying Invariants of Lock-Free Data Structures with Rely-Guarantee and Refinement Types