Abstract
Transactional objects combine the performance of classical concurrent objects with the high-level programmability of transactional memory. However, verifying the correctness of transactional objects is tricky, requiring reasoning simultaneously about classical concurrent objects, which guarantee the atomicity of individual methods—the property known as linearizability—and about software-transactional-memory libraries, which guarantee the atomicity of user-defined sequences of method calls—or serializability.
We present a formal-verification framework called C4, built up from the familiar notion of linearizability and its compositional properties, that allows proof of both kinds of libraries, along with composition of theorems from both styles to prove correctness of applications or further libraries. We apply the framework in a significant case study, verifying a transactional set object built out of both classical and transactional components following the technique of transactional predication; the proof is modular, reasoning separately about the transactional and nontransactional parts of the implementation. Central to our approach is the use of syntactic transformers on interaction trees—i.e., transactional libraries that transform client code to enforce particular synchronization disciplines. Our framework and case studies are mechanized in Coq.
- Martín Abadi and Leslie Lamport. 1991. The existence of refinement mappings. Theoretical Computer Science, 82, 2 (1991), 253–284.Google Scholar
Digital Library
- Sarita V Adve and Kourosh Gharachorloo. 1996. Shared memory consistency models: A tutorial. computer, 29, 12 (1996), 66–76.Google Scholar
- Timos Antonopoulos, Paul Gazzillo, Eric Koskinen, and Zhong Shao. 2016. Vertical Composition of Reversible Atomic Objects.Google Scholar
- Alasdair Armstrong, Brijesh Dongol, and Simon Doherty. 2017. Proving opacity via linearizability: a sound and complete method. In International Conference on Formal Techniques for Distributed Objects, Components, and Systems. 50–66.Google Scholar
Cross Ref
- Gal Assa, Hagar Meir, Guy Golan-Gueta, Idit Keidar, and Alexander Spiegelman. 2020. Nesting and composition in transactional data structure libraries. In Proceedings of the 25th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. 405–406.Google Scholar
Digital Library
- Hagit Attiya, Alexey Gotsman, Sandeep Hans, and Noam Rinetzky. 2017. Characterizing transactional memory consistency conditions using observational refinement. Journal of the ACM (JACM), 65, 1 (2017), 1–44.Google Scholar
Digital Library
- Mark Batty, Mike Dodds, and Alexey Gotsman. 2013. Library abstraction for C/C++ concurrency. ACM SIGPLAN Notices, 48, 1 (2013), 235–248.Google Scholar
Digital Library
- Ahmed Bouajjani, Michael Emmi, Constantin Enea, and Suha Orhun Mutluergil. 2017. Proving linearizability using forward simulations. In International Conference on Computer Aided Verification. 542–563.Google Scholar
Cross Ref
- Nathan G. Bronson, Jared Casper, Hassan Chafi, and Kunle Olukotun. 2010. Transactional predication: high-performance concurrent sets and maps for STM. In Proceedings of the 29th ACM SIGACT-SIGOPS symposium on Principles of distributed computing (PODC ’10). ACM, New York, NY, USA. 6–15. isbn:978-1-60558-888-9 https://doi.org/10.1145/1835698.1835703 Google Scholar
Digital Library
- Andrea Cerone, Alexey Gotsman, and Hongseok Yang. 2014. Parameterised linearisability. In International Colloquium on Automata, Languages, and Programming. 98–109.Google Scholar
- Adam Chlipala. 2021. Skipping the Binder Bureaucracy with Mixed Embeddings in a Semantics Course (Functional Pearl). Proc. ACM Program. Lang., 5, ICFP (2021), Article 94, aug, 28 pages. https://doi.org/10.1145/3473599 Google Scholar
Digital Library
- Pedro da Rocha Pinto, Thomas Dinsdale-Young, and Philippa Gardner. 2014. TaDA: A logic for time and data abstraction. In European Conference on Object-Oriented Programming. 207–231.Google Scholar
Digital Library
- Luke Dalessandro, Dave Dice, Michael Scott, Nir Shavit, and Michael Spear. 2010. Transactional mutex locks. In European Conference on Parallel Processing. 2–13.Google Scholar
Cross Ref
- Thomas Dickerson, Eric Koskinen, Paul Gazzillo, and Maurice Herlihy. 2019. Conflict Abstractions and Shadow Speculation for Optimistic Transactional Objects. In Asian Symposium on Programming Languages and Systems. 313–331.Google Scholar
- Simon Doherty, Lindsay Groves, Victor Luchangco, and Mark Moir. 2013. Towards formally specifying and verifying transactional memory. Formal Aspects of Computing, 25, 5 (2013), 769–799.Google Scholar
Digital Library
- Avner Elizarov, Guy Golan-Gueta, and Erez Petrank. 2019. LOFT: lock-free transactional data structures. In Proceedings of the 24th Symposium on Principles and Practice of Parallel Programming. 425–426.Google Scholar
Digital Library
- Michael Emmi and Constantin Enea. 2019. Violat: generating tests of observational refinement for concurrent objects. In International Conference on Computer Aided Verification. 534–546.Google Scholar
Cross Ref
- Xinyu Feng. 2009. Local rely-guarantee reasoning. In POPL ’09.Google Scholar
- Ivana Filipović, Peter O’Hearn, Noam Rinetzky, and Hongseok Yang. 2010. Abstraction for concurrent objects. Theoretical Computer Science, 411, 51-52 (2010), 4379–4398.Google Scholar
Digital Library
- Guy Golan-Gueta, G. Ramalingam, Mooly Sagiv, and Eran Yahav. 2013. Concurrent Libraries with Foresight. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’13). ACM, New York, NY, USA. 263–274. isbn:978-1-4503-2014-6 https://doi.org/10.1145/2491956.2462172 Google Scholar
Digital Library
- Alexey Gotsman and Hongseok Yang. 2012. Linearizability with ownership transfer. In International Conference on Concurrency Theory. 256–271.Google Scholar
Digital Library
- Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’15). Association for Computing Machinery, New York, NY, USA. 595–608. isbn:9781450333009 https://doi.org/10.1145/2676726.2676975 Google Scholar
Digital Library
- Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified Concurrent Abstraction Layers. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2018). Association for Computing Machinery, New York, NY, USA. 646–661. isbn:9781450356985 https://doi.org/10.1145/3192366.3192381 Google Scholar
Digital Library
- Rachid Guerraoui. 1995. Modular atomic objects. Theory and Practice of Object Systems, 1, 2 (1995), 89–99.Google Scholar
Digital Library
- Rachid Guerraoui and Michal Kapalka. 2008. On the correctness of transactional memory. In Proceedings of the 13th ACM SIGPLAN Symposium on Principles and practice of parallel programming. 175–184.Google Scholar
Digital Library
- Tim Harris, Simon Marlow, Simon Peyton-Jones, and Maurice Herlihy. 2005. Composable Memory Transactions. In Proceedings of the Tenth ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP ’05). Association for Computing Machinery, New York, NY, USA. 48–60. isbn:1595930809 https://doi.org/10.1145/1065944.1065952 Google Scholar
Digital Library
- Ahmed Hassan, Roberto Palmieri, and Binoy Ravindran. 2014. Optimistic transactional boosting. In Proceedings of the 19th ACM SIGPLAN symposium on Principles and practice of parallel programming. 387–388.Google Scholar
Digital Library
- Chris Hawblitzel, Erez Petrank, Shaz Qadeer, and Serdar Tasiran. 2015. Automated and modular refinement reasoning for concurrent programs. In International Conference on Computer Aided Verification. 449–465.Google Scholar
Cross Ref
- Maurice Herlihy and Eric Koskinen. 2008. Transactional boosting: a methodology for highly-concurrent transactional objects. In Proceedings of the 13th ACM SIGPLAN Symposium on Principles and practice of parallel programming (PPoPP ’08). ACM, New York, NY, USA. 207–216. isbn:978-1-59593-795-7 https://doi.org/10.1145/1345206.1345237 Google Scholar
Digital Library
- Maurice Herlihy and J. Eliot B. Moss. 1993. Transactional Memory: Architectural Support for Lock-Free Data Structures. In Proceedings of the 20th Annual International Symposium on Computer Architecture (ISCA ’93). Association for Computing Machinery, New York, NY, USA. 289–300. isbn:0818638109 https://doi.org/10.1145/165123.165164 Google Scholar
Digital Library
- Maurice P. Herlihy and Jeannette M. Wing. 1990. Linearizability: a correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst., 12, 3 (1990), July, 463–492. issn:0164-0925 https://doi.org/10.1145/78969.78972 Google Scholar
Digital Library
- Nathaniel Herman, Jeevana Priya Inala, Yihe Huang, Lillian Tsai, Eddie Kohler, Barbara Liskov, and Liuba Shrira. 2016. Type-aware transactions for faster concurrent code. In Proceedings of the Eleventh European Conference on Computer Systems. 1–16.Google Scholar
Digital Library
- Aquinas Hobor, Andrew W. Appel, and Francesco Zappa Nardelli. 2008. Oracle semantics for concurrent separation logic. In ESOP.Google Scholar
- Suresh Jagannathan, Vincent Laporte, Gustavo Petri, David Pichardie, and Jan Vitek. 2014. Atomicity refinement for verified compilation. ACM Transactions on Programming Languages and Systems (TOPLAS), 36, 2 (2014), 1–30.Google Scholar
Digital Library
- Suresh Jagannathan, Jan Vitek, Adam Welc, and Antony Hosking. 2005. A transactional object calculus. Science of Computer Programming, 57, 2 (2005), 164–186.Google Scholar
Digital Library
- Cliff B. Jones. 1983. Specification and Design of (Parallel) Programs. In Information Processing 83. 9, 321–332.Google Scholar
- Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order Ghost State. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming (ICFP 2016). ACM, New York, NY, USA. 256–269. isbn:978-1-4503-4219-3 https://doi.org/10.1145/2951913.2951943 Google Scholar
Digital Library
- Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants As an Orthogonal Basis for Concurrent Reasoning. In POPL ’15. 637–650. isbn:978-1-4503-3300-9Google Scholar
- Nicolas Koh, Yao Li, Yishuai Li, Li yao Xia, Lennart Beringer, Wolf Honore, William Mansky, Benjamin C. Pierce, and Steve Zdancewic. 2019. From C to Interaction Trees: Specifying, Verifying, and Testing a Networked Server. In 8th ACM SIGPLAN International Conference on Certified Programs and Proofs.Google Scholar
Digital Library
- Bernhard Kragl, Shaz Qadeer, and Thomas A Henzinger. 2020. Refinement for structured concurrent programs. In International Conference on Computer Aided Verification. 275–298.Google Scholar
Digital Library
- Pierre LaBorde, Lance Lebanoff, Christina Peterson, Deli Zhang, and Damian Dechev. 2019. Wait-Free Dynamic Transactions for Linked Data Structures. In Proceedings of the 10th International Workshop on Programming Models and Applications for Multicores and Manycores (PMAM’19). Association for Computing Machinery, New York, NY, USA. 41–50. isbn:9781450362900 https://doi.org/10.1145/3303084.3309491 Google Scholar
Digital Library
- Kenneth Lamar, Christina Peterson, and Damian Dechev. 2020. Lock-free transactional vector. In Proceedings of the Eleventh International Workshop on Programming Models and Applications for Multicores and Manycores. 1–10.Google Scholar
Digital Library
- Douglas Lea. 2000. Concurrent programming in Java: design principles and patterns. Addison-Wesley Professional.Google Scholar
Digital Library
- Mohsen Lesani, Victor Luchangco, and Mark Moir. 2012. A framework for formally verifying software transactional memory algorithms. In International Conference on Concurrency Theory. 516–530.Google Scholar
Digital Library
- Mohsen Lesani, Victor Luchangco, and Mark Moir. 2012. Putting opacity in its place. In Workshop on the theory of transactional memory. 137–151.Google Scholar
- Mohsen Lesani, Todd Millstein, and Jens Palsberg. 2014. Automatic Atomicity Verification for Clients of Concurrent Data Structures. In Proceedings of the 16th International Conference on Computer Aided Verification - Volume 8559. Springer-Verlag New York, Inc., New York, NY, USA. 550–567. isbn:978-3-319-08866-2 https://doi.org/10.1007/978-3-319-08867-9_37 Google Scholar
Digital Library
- Mohsen Lesani, Li yao Xia, Anders Kaseorg, Christian J. Bell, Adam Chlipala, Benjamin C. Pierce, and Steve Zdancewic. 2022. C4: Verified Transactional Objects. https://doi.org/10.5281/zenodo.6342476 Google Scholar
Digital Library
- Hongjin Liang and Xinyu Feng. 2013. Modular Verification of Linearizability with Non-fixed Linearization Points. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’13). ACM, New York, NY, USA. 459–470. isbn:978-1-4503-2014-6 https://doi.org/10.1145/2491956.2462189 Google Scholar
Digital Library
- Peng Liu, Julian Dolby, and Charles Zhang. 2013. Finding Incorrect Compositions of Atomicity. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2013). ACM, New York, NY, USA. 158–168. isbn:978-1-4503-2237-9 https://doi.org/10.1145/2491411.2491435 Google Scholar
Digital Library
- Peng Liu, Omer Tripp, and Xiangyu Zhang. 2014. Flint: Fixing Linearizability Violations. In Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications (OOPSLA ’14). ACM, New York, NY, USA. 543–560. isbn:978-1-4503-2585-1 https://doi.org/10.1145/2660193.2660217 Google Scholar
Digital Library
- N. Lynch and F. Vaandrager. 1995. Forward and Backward Simulations. Information and Computation, 121, 2 (1995), 214 – 233. issn:0890-5401 https://doi.org/10.1006/inco.1995.1134 Google Scholar
Digital Library
- Erik Meijer, Maarten Fokkinga, and Ross Paterson. 1991. Functional programming with bananas, lenses, envelopes and barbed wire. In Conference on functional programming languages and computer architecture. 124–144.Google Scholar
Cross Ref
- Vijay Menon, Steven Balensiefer, Tatiana Shpeisman, Ali-Reza Adl-Tabatabai, Richard L Hudson, Bratin Saha, and Adam Welc. 2008. Single global lock semantics in a weakly atomic STM. ACM Sigplan Notices, 43, 5 (2008), 15–26.Google Scholar
Digital Library
- Andrzej S. Murawski and Nikos Tzevelekos. 2019. Higher-order linearisability. Journal of Logical and Algebraic Methods in Programming, 104 (2019), 86–116. issn:2352-2208 https://doi.org/10.1016/j.jlamp.2019.01.002 Google Scholar
- Aleksandar Nanevski, Ruy Ley-Wild, Ilya Sergey, and Germán Andrés Delbianco. 2014. Communicating State Transition Systems for Fine-Grained Concurrent Resources. In Proceedings of the 23rd European Symposium on Programming Languages and Systems - Volume 8410. Springer-Verlag New York, Inc., New York, NY, USA. 290–310. isbn:978-3-642-54832-1 https://doi.org/10.1007/978-3-642-54833-8_16 Google Scholar
Digital Library
- Peter W. O’Hearn. 2007. Resources, concurrency, and local reasoning. Theor. Comput. Sci., 375, 1-3 (2007), 271–307.Google Scholar
Digital Library
- Christos H Papadimitriou. 1979. The serializability of concurrent database updates. Journal of the ACM (JACM), 26, 4 (1979), 631–653.Google Scholar
Digital Library
- Christina Peterson and Damian Dechev. 2017. A Transactional Correctness Tool for Abstract Data Types. ACM Trans. Archit. Code Optim., 14, 4 (2017), Article 37, Nov., 24 pages. issn:1544-3566 https://doi.org/10.1145/3148964 Google Scholar
Digital Library
- Azalea Raad, Marko Doko, Lovro Rožić, Ori Lahav, and Viktor Vafeiadis. 2019. On library correctness under weak memory consistency: Specifying and verifying concurrent libraries under declarative consistency models. Proceedings of the ACM on Programming Languages, 3, POPL (2019), 1–31.Google Scholar
Digital Library
- Gerhard Schellhorn, Heike Wehrheim, and John Derrick. 2012. How to Prove Algorithms Linearisable. In Proceedings of the 24th International Conference on Computer Aided Verification (CAV’12). Springer-Verlag, Berlin, Heidelberg. 243–259. isbn:978-3-642-31423-0 https://doi.org/10.1007/978-3-642-31424-7_21 Google Scholar
Digital Library
- Michael Scott. 2006. Sequential specification of transactional memory semantics.Google Scholar
- Peter Sewell, Susmit Sarkar, Scott Owens, Francesco Zappa Nardelli, and Magnus O Myreen. 2010. x86-TSO: a rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM, 53, 7 (2010), 89–97.Google Scholar
Digital Library
- Ohad Shacham, Nathan Bronson, Alex Aiken, Mooly Sagiv, Martin Vechev, and Eran Yahav. 2011. Testing atomicity of composed concurrent operations. In Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications (OOPSLA ’11). ACM, New York, NY, USA. 51–64. isbn:978-1-4503-0940-0 https://doi.org/10.1145/2048066.2048073 Google Scholar
Digital Library
- Nir Shavit and Dan Touitou. 1995. Software Transactional Memory. In Proceedings of the Fourteenth Annual ACM Symposium on Principles of Distributed Computing (PODC ’95). Association for Computing Machinery, New York, NY, USA. 204–213. isbn:0897917103 https://doi.org/10.1145/224964.224987 Google Scholar
Digital Library
- Alexander Spiegelman, Guy Golan-Gueta, and Idit Keidar. 2016. Transactional Data Structure Libraries. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’16). ACM, New York, NY, USA. 682–696. isbn:978-1-4503-4261-2 https://doi.org/10.1145/2908080.2908112 Google Scholar
Digital Library
- Aaron Turon, Viktor Vafeiadis, and Derek Dreyer. 2014. GPS: Navigating Weak Memory with Ghosts, Protocols, and Separation. In Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages & Applications (OOPSLA ’14). ACM, New York, NY, USA. 691–707. isbn:978-1-4503-2585-1 https://doi.org/10.1145/2660193.2660243 Google Scholar
Digital Library
- Aaron J Turon, Jacob Thamsborg, Amal Ahmed, Lars Birkedal, and Derek Dreyer. 2013. Logical relations for fine-grained concurrency. In Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 343–356.Google Scholar
Digital Library
- Viktor Vafeiadis and Matthew Parkinson. 2007. A Marriage of Rely/Guarantee and Separation Logic. In CONCUR.Google Scholar
- Matt Windsor, Mike Dodds, Ben Simner, and Matthew J. Parkinson. 2017. Starling: Lightweight Concurrency Verification with Views. In Computer Aided Verification, Rupak Majumdar and Viktor Kunčak (Eds.). Springer International Publishing, Cham. 544–569. isbn:978-3-319-63387-9Google Scholar
- Li-yao Xia, Yannick Zakowski, Paul He, Chung-Kil Hur, Gregory Malecha, Benjamin C. Pierce, and Steve Zdancewic. 2020. Interaction trees: representing recursive and impure programs in Coq. Proc. ACM Program. Lang., 4, POPL (2020), 51:1–51:32. https://doi.org/10.1145/3371119 Distinguished paper award Google Scholar
Digital Library
- Yannick Zakowski, Paul He, Chung-Kil Hur, and Steve Zdancewic. 2020. An Equational Theory for Weak Bisimulation via Generalized Parameterized Coinduction. In Proceedings of the 9th ACM SIGPLAN International Conference on Certified Programs and Proofs (CPP).Google Scholar
Digital Library
- Deli Zhang, Pierre Laborde, Lance Lebanoff, and Damian Dechev. 2018. Lock-free transactional transformation for linked data structures. ACM Transactions on Parallel Computing (TOPC), 5, 1 (2018), 1–37.Google Scholar
Digital Library
Index Terms
C4: verified transactional objects
Recommendations
Sequential verification of serializability
POPL '10Serializability is a commonly used correctness condition in concurrent programming. When a concurrent module is serializable, certain other properties of the module can be verified by considering only its sequential executions. In many cases, concurrent ...
Sequential verification of serializability
POPL '10: Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languagesSerializability is a commonly used correctness condition in concurrent programming. When a concurrent module is serializable, certain other properties of the module can be verified by considering only its sequential executions. In many cases, concurrent ...
Checking Linearizability of Encapsulated Extended Operations
Proceedings of the 23rd European Symposium on Programming Languages and Systems - Volume 8410Linearizable objects data-structures provide operations that appear to execute atomically. Modern mainstream languages provide many linearizable data-structures, simplifying concurrent programming. In practice, however, programmers often find a need to ...






Comments