Abstract
Shared-memory concurrent algorithms are well-known for being difficult to write, ill-adapted to test, and complex to prove. Wait-free concurrent objects are a subclass where a process is never prevented from progressing, whatever the other processes are doing (or not doing). Algorithms in this subclass are often non intuitive and among the most complex to prove. This paper presents the analysis and the proof of a wait-free concurrent algorithm that is used to rename processes. By its adaptive and non-blocking nature, the renaming algorithm resists to test, because of the cost of covering all its states and transitions even with a small input set. Thus, a proof has been conducted in 
and verified with TLAPS, the 
Proof System. This algorithm is itself based on the assembly of wait-free concurrent objects, the splitters, that separate processes. With just two shared variables and three assignments, a splitter seems a simple object but it is not linearizable. To avoid explicitly in-lining it and dealing with its internal state, the proof of the renaming algorithm relies on replacing the splitter with a sequential specification that is proved correct with TLAPS and verified complete by model-checking on finite instances.
Supported by project PARDI ANR-16-CE25-0006.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The percentage decrease is explained by the progressive dominance of multiple stop in the invalid assignments.
- 2.
The construct \([ x \textsc { except }![e_1] = e_2]\) is a shortcut for
. For multi-dimensional arrays, provers work better with the latest. - 3.
Another approach would have been to show a bisimulation between their transition systems. Note that it requires to exhibit a parameterized bisimulation, as we have to consider any number of concurrent invocations. We had already proved the properties on the concurrent splitter during our initial attempt at proving the renaming algorithm (Sect. 4.2) and it seemed simpler to continue onward.
. For multi-dimensional arrays, provers work better with the latest.References
Afek, Y., Merritt, M.: Fast, wait-free (2k)-renaming. In: 18th Annual ACM Symposium on Principles of Distributed Computing, pp. 105–112 (1999)
Chaudhuri, K., Doligez, D., Lamport, L., Merz, S.: Verifying safety properties with the \({\rm TLA}^+\) proof system. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS (LNAI), vol. 6173, pp. 142–148. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14203-1_12
Chuong, P., Ellen, F., Ramachandran, V.: A universal construction for wait-free transaction friendly data structures. In: 22nd ACM Symposium on Parallelism in Algorithms and Architectures, pp. 335–344 (2010)
Castaneda, A., Hurault, A., Queinnec, P., Roy, M.: Modular machine-checked proofs of concurrent algorithms built from tasks. In: Submitted to DISC 2019 (2019)
Castañeda, A., Rajsbaum, S., Raynal, M.: The renaming problem in shared memory systems: an introduction. Comput. Sci. Rev. 5(3), 229–251 (2011)
Drăgoi, C., Gupta, A., Henzinger, T.A.: Automatic linearizability proofs of concurrent objects with cooperating updates. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 174–190. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_11
Gao, H., Groote, J.F., Hesselink, W.H.: Lock-free dynamic hash tables with open addressing. Distrib. Comput. 18(1), 21–42 (2005)
Gao, H., Hesselink, W.H.: A formal reduction for lock-free parallel algorithms. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 44–56. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27813-9_4
Gu, R., et al.: Deep specifications and certified abstraction layers. In: 42nd ACM Symposium on Principles of Programming Languages, pp. 595–608 (2015)
Gafni, E., Rajsbaum, S.: Recursion in distributed computing. In: Dolev, S., Cobb, J., Fischer, M., Yung, M. (eds.) SSS 2010. LNCS, vol. 6366, pp. 362–376. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16023-3_30
Herlihy, M.: Wait-free synchronization. ACM Trans. Program. Lang. Syst. 13(1), 124–149 (1991)
Herlihy, M.: A methodology for implementing highly concurrent objects. ACM Trans. Program. Lang. Syst. 15(5), 745–770 (1993)
Hurault, A., Quéinnec, P.: \({\rm TLA}^+\) proof of Moir-Anderson renaming algorithm (2019). http://hurault.perso.enseeiht.fr/RenamingProof
Herlihy, M., Wing, J.M.: Linearizability: a correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst. 12(3), 463–492 (1990)
Bug JDK-6785442: ConcurrentLinkedQueue.remove() and poll() can both remove the same element (2008)
Kshemkalyani, A.D., Singhal, M.: Distributed Computing: Principles, Algorithms, and Systems. Cambridge University Press, Cambridge (2011)
Lamport, L.: On interprocess communication. Distrib. Comput. 1(2), 77–101 (1986)
Lamport, L.: The temporal logic of actions. ACM Trans. Program. Lang. Syst. 16(3), 872–923 (1994)
Lamport, L.: Specifying Systems. Addison Wesley, Boston (2002)
Lamport, L.: The PlusCal algorithm language. In: Leucker, M., Morgan, C. (eds.) ICTAC 2009. LNCS, vol. 5684, pp. 36–60. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03466-4_2
Lamport, L.: How to write a 21st century proof. J. Fixed Point Theory Appl. 11(1), 43–63 (2012)
Moir, M., Anderson, J.H.: Wait-free algorithms for fast, long-lived renaming. Sci. Comput. Program. 25(1), 1–39 (1995)
Moir, M., Nussbaum, D., Shalev, O., Shavit, N.: Using elimination to implement scalable and lock-free FIFO queues. In: 17th ACM Symposium on Parallelism in Algorithms and Architectures, pp. 253–262 (2005)
Michael, M.M., Scott, M.L.: Nonblocking algorithms and preemption-safe locking on multiprogrammed shared memory multiprocessors. J. Parallel Distrib. Comput. 51(1), 1–26 (1998)
O’Hearn, P.W., Rinetzky, N., Vechev, M.T., Yahav, E., Yorsh, G.: Verifying linearizability with hindsight. In: 29th ACM Symposium on Principles of Distributed Computing, pp. 85–94 (2010)
Rajsbaum, S., Raynal, M.: A theory-oriented introduction to wait-free synchronization based on the adaptive renaming problem. In: 25th IEEE International Conference on Advanced Information Networking and Applications, pp. 356–363 (2011)
Shavit, N., Touitou, D.: Elimination trees and the construction of pools and stacks. Theory Comput. Syst. 30(6), 645–670 (1997)
Timnat, S., Petrank, E.: A practical wait-free simulation for lock-free data structures. In: ACM Symposium on Principles and Practice of Parallel Programming, PPoPP 2014, pp. 357–368 (2014)
Tofan, B., Schellhorn, G., Reif, W.: A compositional proof method for linearizability applied to a wait-free multiset. In: Albert, E., Sekerinski, E. (eds.) IFM 2014. LNCS, vol. 8739, pp. 357–372. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10181-1_22
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Description of the Artifact
A Description of the Artifact
This artifact [HQ19] allows to replicate all the results that we claim in the paper:
-
the proof of correctness of the splitter with registers,
-
the proof of correctness of the splitter with set/get,
-
the way to check the completeness of the splitter with set/get,
-
the way to check the completeness of the splitter with registers,
-
the proof of correctness of the renaming algorithm using the set/get splitter.
Combining these results implies that the renaming algorithm is correct when used with the original splitter with registers.
1.1 A.1 Requirements
Running the artifact relies on the TLA+ Toolbox and the TLA+ Proof System. Both are included in the distributed files, and a script is supplied to install them. The verification of the correctness proofs is achievable on a standard laptop, checking the completeness requires much more resources (at least a quad core with 8 GB of memory, and a 32 core computer with 16 GB was used for the largest numbers of processes).
1.2 A.2 Proofs of Correctness
The proof of correctness of Moir-Anderson renaming algorithm is built upon the four following files:
-
Splitter.tla: the set/get splitter with some lemma needed for the correctness proof of the renaming;
-
Splitter_correct_proof.tla: the proof of correctness of the set/get splitter;
-
Renaming.tla: the Renaming algorithm and its proof of correctness;
-
Splitter_register.tla: the splitter based on register and its proof of correctness.
One just has to load them in the toolbox and launch the verification, as explained in the artifact distribution.
1.3 A.3 Proofs of Completeness
The goal is to verify the completeness of an implementation w.r.t a property P, i.e. that all the valid (w.r.t to P) assignments of the variables are reachable in the implementation.
Our approach consists in two steps: first generate all the valid assignments; then, for each of these assignments, verify that it is reachable. As we rely on TLC, the 
model checker, this approach works for a given number of processes.
-
1.
Choose a number of processes;
-
2.
generate-states nbproc Splitter_config.tla
The module Splitter_config.tla is used to generate all the return values that satisfy the correctness property of the splitter, for nbproc processes.
-
3.
check-reachability vars XXX.tla
For each valuation (read from stdin), a module is built with an invariant
and it is model-checked with the specification in XXX. It should end with a violation, which proves that this state is reachable.
-
4.
Once all states have been checked, this proves the completeness of XXX for this number of processes.
A script runall enumerates the verification of both splitter specifications for 1, 2, 3 etc. processes. One can also check a specific size.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hurault, A., Quéinnec, P. (2019). Proving a Non-blocking Algorithm for Process Renaming with TLA\(^+\). In: Beyer, D., Keller, C. (eds) Tests and Proofs. TAP 2019. Lecture Notes in Computer Science(), vol 11823. Springer, Cham. https://doi.org/10.1007/978-3-030-31157-5_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-31157-5_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31156-8
Online ISBN: 978-3-030-31157-5
eBook Packages: Computer ScienceComputer Science (R0)