A Compositional Proof Method for Linearizability Applied to a Wait-Free Multiset

Linearizability is the commonly accepted notion of correctness for concurrent data structures. It requires that any execution of the data structure is justified by a linearization—a linear order on operations satisfying the data structure’s sequential specification. Proving linearizability is often challenging because an operation’s position in the linearization order may depend on future operations. This makes it very difficult to incrementally construct the linearization in a proof. We propose a new proof method that can handle data structures with such future-dependent linearizations. Our key idea is to incrementally construct not a single linear order of operations, but a partial order that describes multiple linearizations satisfying the sequential specification. This allows decisions about the ordering of operations to be delayed, mirroring the behaviour of data structure implementations. We formalise our method as a program logic based on rely-guarantee reasoning, and demonstrate its effectiveness by verifying several challenging data structures: the Herlihy-Wing queue, the TS queue and the Optimistic set.

Two approaches for proving linearizability of multiset

We present a thread-modular proof method for complexity and resource bound analysis of concurrent, shared-memory programs, lifting Jones’ rely-guarantee reasoning to assumptions and commitments capable of expressing bounds. We automate reasoning in this logic by reducing bound analysis of concurrent programs to the sequential case. Our work is motivated by its application to lock-free data structures, fine-grained concurrent algorithms whose time complexity has to our knowledge not been inferred automatically before.

In this paper we define two logics, KLn and BLn, and present resolution-based proof methods for both. KLn is a temporal logic of knowledge. Thus, in addition to the usual connectives of linear discrete temporal logic, it contains a set of unary modal connectives for representing the knowledge possessed by agents. The logic BLn is somewhat similar: it is a temporal logic that contains connectives for representing the beliefs of agents. The proof methods we present for these logics involve two key steps. First, a formula to be tested for unsatisfiability is translated into a normal form. Secondly, a family of resolution rules are used, to deal with the interactions between the various operators of the logics. In addition to a description of the normal form and the proof methods, we present some short worked examples and proposals for future work.

An open problem posed by Milner asks for a proof that a certain axiomatisation, which Milner showed is sound with respect to bisimilarity for regular expressions, is also complete. One of the main difficulties of the problem is the lack of a full Kleene theorem, since there are automata that can not be specified, up to bisimilarity, by an expression. Grabmayer and Fokkink (2020) characterise those automata that can be expressed by regular expressions without the constant 1, and use this characterisation to give a positive answer to Milner's question for this subset of expressions. In this paper, we analyse Grabmayer and Fokkink's proof of completeness from the perspective of universal coalgebra, and thereby give an abstract account of their proof method. We then compare this proof method to another approach to completeness proofs from coalgebraic language theory. This culminates in two abstract proof methods for completeness, what we call the local and global approaches, and a description of when one method can be used in place of the other.

We develop a compositional, algebraic theory of skipping refinement, as well as local proof methods to effectively analyze the correctness of optimized reactive systems. A verification methodology based on refinement involves showing that any infinite behavior of an optimized low-level implementation is a behavior of the high-level abstract specification. Skipping refinement is a recently introduced notion to reason about the correctness of optimized implementations that run faster than their specifications, i.e., a step in the implementation can skip multiple steps of the specification. For the class of systems that exhibit bounded skipping, existing proof methods have been shown to be amenable to mechanized verification using theorem provers and model-checkers. However, reasoning about the correctness of reactive systems that exhibit unbounded skipping using these proof methods requires reachability analysis, significantly increasing the verification effort. In this paper, we develop two new sound and complete proof methods for skipping refinement. Even in presence of unbounded skipping, these proof methods require only local reasoning and, therefore, are amenable to mechanized verification. We also show that skipping refinement is compositional, so it can be used in a stepwise refinement methodology. Finally, we illustrate the utility of the theory of skipping refinement by proving the correctness of an optimized event processing system.

This paper presents an interactive proof method for the verification of temporal properties of concurrent systems based on symbolic execution. Symbolic execution is a well known and very intuitive strategy for the verification of sequential programs. We have carried over this approach to the interactive verification of arbitrary linear temporal logic properties of (infinite state) parallel programs. The resulting proof method is very intuitive to apply and can be automated to a large extent. It smoothly combines first-order reasoning with reasoning in temporal logic. The proof method has been implemented in the interactive verification environment KIV and has been used in several case studies.

Programming in metric temporal logic

The current trend towards multi-core processors has renewed the interest in the development and correctness of concurrent algorithms. Most of these algorithms rely on locks to protect critical sections from unwanted interference. Recently a new class of nonblocking algorithms has been developed which do not rely on critical sections, but on atomic compare-and-set instructions. Such lock-free algorithms are less vulnerable to the typical problems of concurrent algorithms: deadlocks, livelocks and priority inversion. On the other hand, the lack of a uniform principle to rule out interference results in increased complexity. This makes it harder to understand these algorithms and to verify their correctness. The paper gives a simple example to demonstrate the central correctness criteria of linearizability (a safety property) and lock-freeness (a liveness property) for lock-free algorithms. It then sketches our approach to the modular verification of lock-free algorithms which uses rely-guarantee reasoning and a powerful temporal logic to derive refinement proof obligations that can be verified with the interactive theorem prover KIV. Finally an overview over related work and techniques that are relevant to automate proofs is given.

First-order temporal logics are notorious for their bad computational behavior. It is known that even the two-variable monadic fragment is highly undecidable over various linear timelines, and over branching time even one-variable fragments might be undecidable. However, there have been several attempts at finding well-behaved fragments of first-order temporal logics and related temporal description logics, mostly either by restricting the available quantifier patterns or by considering sub-Boolean languages. Here we analyze seemingly “mild” extensions of decidable one-variable fragments with counting capabilities, interpreted in models with constant, decreasing, and expanding first-order domains. We show that over most classes of linear orders, these logics are (sometimes highly) undecidable, even without constant and function symbols, and with the sole temporal operator “eventually.” We establish connections with bimodal logics over 2D product structures having linear and “difference” (inequality) component relations and prove our results in this bimodal setting. We show a general result saying that satisfiability over many classes of bimodal models with commuting “unbounded” linear and difference relations is undecidable. As a byproduct, we also obtain new examples of finitely axiomatizable but Kripke incomplete bimodal logics. Our results generalize similar lower bounds on bimodal logics over products of two linear relations, and our proof methods are quite different from the known proofs of these results. Unlike previous proofs that first “diagonally encode” an infinite grid and then use reductions of tiling or Turing machine problems, here we make direct use of the grid-like structure of product frames and obtain lower-complexity bounds by reductions of counter (Minsky) machine problems. Representing counter machine runs apparently requires less control over neighboring grid points than tilings or Turing machine runs, and so this technique is possibly more versatile, even if one component of the underlying product structures is “close to” being the universal relation.

Clausal resolution in a logic of rational agency

Adding propositional quantification to the modal logics K, T or S4 is known to lead to undecidability but CTL with propositional quantification under the tree semantics (tQCTL) admits a non-elementary Tower-complete satisfiability problem. We investigate the complexity of strict fragments of tQCTL as well as of the modal logic K with propositional quantification under the tree semantics. More specifically, we show that tQCTL restricted to the temporal operator EX is already Tower-hard, which is unexpected as EX can only enforce local properties. When tQCTL restricted to EX is interpreted on N-bounded trees for some N >= 2, we prove that the satisfiability problem is AExpPol-complete; AExpPol-hardness is established by reduction from a recently introduced tiling problem, instrumental for studying the model-checking problem for interval temporal logics. As consequences of our proof method, we prove Tower-hardness of tQCTL restricted to EF or to EXEF and of the well-known modal logics such as K, KD, GL, K4 and S4 with propositional quantification under a semantics based on classes of trees.

Article Free Access Share on Automated logical verification based on trace abstractions Authors: Nils Klarlund AT&T Bell Laboratories, Room 2C-410, 600 Mountain Ave., Murray Hill, NJ and Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus C AT&T Bell Laboratories, Room 2C-410, 600 Mountain Ave., Murray Hill, NJ and Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus CView Profile , Mogens Nielsen Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus C Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus CView Profile , Kim Sunesen Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus C Basic Research in Computer Science, Centre of the Danish National Research Foundation, Department of Computer Science, University of Aarhus, Ny Munkegade, DK-8000 Aarhus CView Profile Authors Info & Claims PODC '96: Proceedings of the fifteenth annual ACM symposium on Principles of distributed computingMay 1996 Pages 101–110https://doi.org/10.1145/248052.248069Online:01 May 1996Publication History 8citation79DownloadsMetricsTotal Citations8Total Downloads79Last 12 Months2Last 6 weeks0 Get Citation AlertsNew Citation Alert added!This alert has been successfully added and will be sent to:You will be notified whenever a record that you have chosen has been cited.To manage your alert preferences, click on the button below.Manage my AlertsNew Citation Alert!Please log in to your account Save to BinderSave to BinderCreate a New BinderNameCancelCreateExport CitationPublisher SiteeReaderPDF

Action systems provide a method to program distributed systems that emphasizes the overall behavior of the system. System behavior is described in terms of the possible interactions (actions) that the processes can engage in, rather than in terms of the sequential code that the processes execute. The actions provide a symmetric communication mechanism that permits an arbitrary number of processes to be synchronized by a common handshake. This is a generalization of the usual approach, employed in languages like CSP and Ada, in which communication is asymmetric and restricted to involve only two processes. Two different execution models are given for action systems: a sequential one and a concurrent one. The sequential model is easier to use for reasoning, and is essentially equivalent to the guarded iteration statement by Dijkstra. It is well suited for reasoning about system properties in temporal logic, but requires a stronger fairness notion than it is reasonable to assume a distributed implementation will support. The concurrent execution model reflects the true concurrency that is present in a distributed execution, and corresponds to the way in which the system is actually implemented. An efficient distributed implementation of action systems on a local area network is described. The fairness assumptions of the concurrent model can be guaranteed in this implementation. The relationship between the two execution models is studied in detail in the paper. For systems that will be called fairly serializable, the two models are shown to be equivalent. Proof methods are given for verifying this property of action systems. It is shown that for fairly serializable systems, properties that hold for any concurrent execution of the system can be established by temporal proofs that are conducted entirely within the simpler sequential execution model.

We propose a new and practical framework for integrating the behavioral<br />reasoning about distributed systems with model-checking methods.<br />Our proof methods are based on trace abstractions, which relate the<br />behaviors of the program and the specification. We show that for finite-state<br />systems such symbolic abstractions can be specified conveniently in<br />Monadic Second-Order Logic (M2L). Model-checking is then made possible<br />by the reduction of non-determinism implied by the trace abstraction.<br />Our method has been applied to a recent verification problem by Broy<br />and Lamport. We have transcribed their behavioral description of a distributed<br />program into temporal logic and verified it against another distributed<br />system without constructing the global program state space. The<br />reasoning is expressed entirely within M2L and is carried out by a decision<br />procedure. Thus M2L is a practical vehicle for handling complex temporal<br />logic specifications, where formulas decided by a push of a button are as<br />long as 10-15 pages.