Abstract
Verifying the correctness of concurrent software with subtle synchronization is notoriously challenging. We present the Anchor verifier, which is based on a new formalism for specifying synchronization disciplines that describes both (1) what memory accesses are permitted, and (2) how each permitted access commutes with concurrent operations of other threads (to facilitate reduction proofs). Anchor supports the verification of both lock-based blocking and cas-based non-blocking algorithms. Experiments on a variety of concurrent data structures and algorithms show that Anchor significantly reduces the burden of concurrent verification.
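The two ingredients the abstract names, a discipline stating which accesses are permitted and a commutativity (mover) classification used for reduction, can be illustrated with a small Lipton-style checker. The following is an added example and is not code from the paper or from the Anchor tool; the discipline map, the `Step` encoding and the sample blocks are constructed for illustration. It classifies each step of one thread as a right-mover (lock acquire), left-mover (lock release), both-mover (access to a field whose protecting lock is held) or non-mover (access to an unprotected field, including a `cas`), rejects accesses the discipline does not permit, and accepts a block as reducible to an atomic step only when its movers match the pattern R* N? L*.

```python
# Added example (not from the paper or the Anchor tool): a small Lipton-style
# reduction checker.  A synchronization discipline says which lock protects
# which field; each step is classified as a mover, and a block is reducible
# to an atomic step if its movers match  R* N? L*  (both-movers fit anywhere).
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed discipline: field name -> lock that must be held to access it.
# Fields absent from the map are shared but unprotected (touched via cas).
DISCIPLINE: Dict[str, str] = {"count": "L", "head": "L"}


@dataclass(frozen=True)
class Step:
    kind: str    # "acq" | "rel" | "read" | "write" | "cas"
    target: str  # lock name for acq/rel, field name otherwise


def classify(step: Step, held: Set[str]) -> str:
    """Mover kind of one step: 'R' right, 'L' left, 'B' both, 'N' non-mover.

    Raises PermissionError when the discipline does not permit the access."""
    if step.kind == "acq":
        return "R"                       # acquire commutes right past other threads' steps
    if step.kind == "rel":
        if step.target not in held:
            raise PermissionError(f"release of {step.target} which is not held")
        return "L"                       # release commutes left
    lock = DISCIPLINE.get(step.target)
    if lock is None:
        # Unprotected field: another thread may race with this step, so it is
        # conservatively a non-mover (this is also the safe default for a cas).
        return "N"
    if lock not in held:
        raise PermissionError(f"{step.kind} of {step.target} without holding {lock}")
    return "B"                           # lock-protected access: no interference possible


def check_atomic(steps: List[Step]) -> Tuple[bool, str]:
    """Return (reducible_to_atomic, mover_string) for one thread's block of steps."""
    held: Set[str] = set()
    movers: List[str] = []
    phase = "right"                      # still inside the R* prefix
    ok = True
    for s in steps:
        m = classify(s, held)
        movers.append(m)
        if s.kind == "acq":
            held.add(s.target)
        elif s.kind == "rel":
            held.discard(s.target)
        if m == "B":
            continue
        if m == "R" and phase == "left":
            ok = False                   # right-mover after the commit point breaks R* N? L*
        elif m == "N":
            if phase == "left":
                ok = False               # second non-mover, or non-mover after a left-mover
            phase = "left"
        elif m == "L":
            phase = "left"
    return ok, "".join(movers)


def permitted(steps: List[Step]) -> bool:
    """True if every access in the block is allowed by the discipline."""
    try:
        check_atomic(steps)
        return True
    except PermissionError:
        return False


# Constructed sample blocks (not from the paper).
LOCKED_INC = [Step("acq", "L"), Step("read", "count"), Step("write", "count"), Step("rel", "L")]
SPLIT_INC = [Step("acq", "L"), Step("read", "count"), Step("rel", "L"),
             Step("acq", "L"), Step("write", "count"), Step("rel", "L")]
CAS_PUSH = [Step("read", "top"), Step("cas", "top")]   # lock-free push attempt on an unprotected field
UNLOCKED_READ = [Step("read", "count")]                # violates the discipline

if __name__ == "__main__":
    for name, block in [("locked_inc", LOCKED_INC), ("split_inc", SPLIT_INC), ("cas_push", CAS_PUSH)]:
        print(name, check_atomic(block))
    print("unlocked_read permitted:", permitted(UNLOCKED_READ))
```

The locked increment yields movers `RBBL` and is accepted; the split increment (release between the read and the write) yields `RBLRBL` and is rejected because a right-mover follows a left-mover, which is exactly the check-then-act interleaving a reduction proof must not hide. The non-blocking push attempt yields `NN` under this conservative classification, which treats every access to an unprotected field as a non-mover; a per-access commutativity specification of the kind the abstract describes is what allows a verifier to refine such a classification instead of rejecting the block outright.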
Supplemental Material
This supplement to "The Anchor Verifier for Blocking and Non-blocking Concurrent Software" contains detailed proofs for theorems appearing in the body of the paper.