Oleg Travkin

SPIN as a Linearizability Checker under Weak Memory Models

Linearizability is the key correctness criterion for concurrent data structures like stacks, queues or sets. Consequently, much effort has been spent on developing techniques for showing linearizability. However, most of these approaches assume a sequentially consistent memory model whereas today’s multicore processors provide relaxed out-of-order execution semantics.

Quiescent Consistency: Defining and Verifying Relaxed Linearizability

Concurrent data structures like stacks, sets or queues need to be highly optimized to provide large degrees of parallelism with reduced contention. Linearizability, a key consistency condition for concurrent objects, sometimes limits the potential for optimization. Hence algorithm designers have started to build concurrent data structures that are not linearizable but only satisfy relaxed consistency requirements. In this paper, we study quiescent consistency as proposed by Shavit and Herlihy, which is one such relaxed condition. More precisely, we give the first formal definition of quiescent consistency, investigate its relationship with linearizability, and provide a proof technique for it based on coupled simulations. We demonstrate our proof technique by verifying quiescent consistency of a non-linearizable FIFO queue built using a diffraction tree.

A High-Level Semantics for Program Execution under Total Store Order Memory

Processor cores within modern multicore systems often communicate via shared memory and use (local) store buffers to improve performance. A penalty for this improvement is the loss of Sequential Consistency to weaker memory guarantees that increase the number of possible program behaviours, and hence, require a greater amount of programming effort. This paper formalises the effect of Total Store Order (TSO) memory — a weak memory model that allows a write followed by a read in the program order to be reordered during execution. Although the precise effects of TSO are well-known, a high-level formalisation of programs that execute under TSO has not been developed. We present an interval-based semantics for programs that execute under TSO memory and include methods for fine-grained expression evaluation, capturing the non-determinism of both concurrency and TSO-related reorderings.

Verifying Opacity of a Transactional Mutex Lock

Software transactional memory (STM) provides programmers with a high-level programming abstraction for synchronization of parallel processes, allowing blocks of codes that execute in an interleaved manner to be treated as an atomic block. This atomicity property is captured by a correctness criterion called opacity. Opacity relates histories of a sequential atomic specification with that of STM implementations.

Handling TSO in Mechanized Linearizability Proofs

Linearizability is the key correctness criterion for concurrent data structures. In recent years, numerous verification techniques for linearizability have been developed, ranging from model checking to mechanized proving. Today, these verification techniques are challenged by the fact that concurrent software is most likely to be run on multi-core processors equipped with a weak memory semantics (like total store order, TSO), making standard techniques unsound. While for model checking and static analysis techniques, approaches for handling weak memory in verification have already emerged, this is lacking for theorem-prover supported, mechanized correctness proofs.

Verification of Concurrent Programs on Weak Memory Models

Modern multi-core processors equipped with weak memory models seemingly reorder instructions (with respect to program order) due to built-in optimizations. For concurrent programs, weak memory models thereby produce interleaved executions which are impossible on sequentially consistent (SC) memory. Verification of concurrent programs consequently needs to take the memory model of the executing processor into account. This, however, makes most standard software verification tools inapplicable.

TSO to SC via Symbolic Execution

Modern multi-core processors equipped with weak memory models like TSO exhibit executions which – due to store buffers – seemingly reorder program operations. Thus, they deviate from the commonly assumed sequential consistency (SC) semantics. Analysis techniques for concurrent programs consequently need to take reorderings into account. For TSO, this is often accomplished by explicitly modelling store buffers.

Towards a Thread-Local Proof Technique for Starvation Freedom

Today, numerous elaborate algorithms for the effective synchronization of concurrent processes operating on shared memory exist. Of particular importance for the verification of such concurrent algorithms are thread-local proof techniques, which allow to reason about the sequential program of one process individually. While thread-local verification of safety properties has received a lot of attention in recent years, this is less so for liveness properties, in particular for liveness under the assumption of fairness. In this paper, we propose a new thread-local proof technique for starvation freedom. Starvation freedom states that under a weakly fair schedule every process will eventually make progress. We contrast our new proof technique with existing global proof techniques based on ranking functions, and employ it exemplarily for the proof of starvation freedom of ticket locks, the standard locking algorithm of the Linux kernel.

Two approaches for proving linearizability of multiset

Linearizability is a key correctness criterion for concurrent software. In our previous work, we have introduced local proof obligations, which, by showing a refinement between an abstract specification and its implementation, imply linearizability of the implementation. The refinement is shown via a process local simulation. We have incorporated the approach of verifying linearizability based on refinement in two rather different proof systems: a predicate logic based approach performing a simulation for two processes and second, an approach based on temporal logic that shows a refinement for an individual process using rely-guarantee reasoning and symbolic execution. To compare both proof techniques, we use an implementation of a multiset as running example. Moreover, we show how ownership annotations have helped us to reduce the proof effort. All proofs are mechanized in the theorem prover KIV. Two approaches for verifying linearizability.Mechanized verification of local proof obligations.Challenging case study of a multiset implementation with fine-grained locking.Rely-Guarantee reasoning for a Temporal Logic with Programs.

FastLane Is Opaque – a Case Study in Mechanized Proofs of Opacity

Software Transactional Memory (STM) algorithms provide programmers with a high-level synchronization technique for concurrent programming. STMs guarantee “seemingly atomic” access to shared state via transactions. This seeming atomicity is the standard requirement on STM implementations and formalized in the concept of opacity. The standard proof technique for opacity is via refinement: the STM implementation is shown to refine an IO automaton called TMS2 which itself is known to be opaque.