Formal Aspects of Computing

, Volume 23, Issue 1, pp 91–112 | Cite as

Proving linearizability with temporal logic

  • Simon Bäumler
  • Gerhard Schellhorn
  • Bogdan Tofan
  • Wolfgang Reif
Original Article


Linearizability is a global correctness criterion for concurrent systems. One technique to prove linearizability is applying a composition theorem which reduces the proof of a property of the overall system to sufficient rely-guarantee conditions for single processes. In this paper, we describe how the temporal logic framework implemented in the KIV interactive theorem prover can be used to model concurrent systems and to prove such a composition theorem. Finally, we show how this generic theorem can be instantiated to prove linearizability of two classic lock-free implementations: a Treiber-like stack and a slightly improved version of Michael and Scott’s queue.


Lock-free Linearizability Verification Temporal logic Compositional reasoning Rely-guarantee 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. AC05.
    Abrial J-R, Cansell D (2005) Formal construction of a non-blocking concurrent queue algorithm (a case study in atomicity). J Univers Comput Sci 11(5): 744–770Google Scholar
  2. AL95.
    Abadi M, Lamport L (1995) Conjoining specifications. ACM Trans Program Lang Syst 17: 507–534CrossRefGoogle Scholar
  3. ARR+07.
    Amit D, Rinetzky N, Reps TW, Sagiv M, Yahav E (2007) Comparison under abstraction for verifying linearizability. In: CAV, pp 477–490Google Scholar
  4. AS87.
    Alpern B, Schneider FB (1987) Recognizing safety and liveness. Distrib Comput 2(3): 117–126zbMATHCrossRefGoogle Scholar
  5. Bal05.
    Balser M (2005) Verifying concurrent system with symbolic execution—temporal reasoning is symbolic execution with a little induction. PhD thesis, University of Augsburg, Augsburg, GermanyGoogle Scholar
  6. BBO+99.
    Bjørner NS, Browne A, Michael A Col On, Finkbeiner B, Sipma HB, Uribe T (1999) Verifying temporal properties of reactive systems: a STeP tutorial. In: Formal methods in system design, vol 16, 2000 pGoogle Scholar
  7. BBRS08.
    Balser M, Bäumler S, Reif W, Schellhorn G (2008) Interactive verification of concurrent systems using symbolic execution. In: Proceedings of 7th international workshop of implementation of logics (IWIL 08)Google Scholar
  8. BLAM+08.
    Berdine J, Lev-Ami T, Manevich R, Ramalingam G, Sagiv M (2008) Thread quantification for concurrent shape analysis. In: CAV’08. Springer, New YorkGoogle Scholar
  9. BNBR08.
    Bäumler S, Nafz F, Balser M, Reif W (2008) Compositional proofs with symbolic execution. In: Beckert B, Klein G (eds) Proceedings of the 5th international verification workshop, vol 372 of Ceur workshop proceedingsGoogle Scholar
  10. BS03.
    Börger E, Stärk RF (2003) Abstract state machines—a method for high-level system design and analysis. Springer-Verlag, New YorkzbMATHGoogle Scholar
  11. Bur74.
    Burstall RM (1974) Program proving as hand simulation with a little induction. Inf Process 74: 309–312Google Scholar
  12. CC96.
    Cau A, Collette P (1996) Parallel composition of assumption-commitment specifications: a unifying approach for shared variable and distributed message passing concurrency. Acta Inform 33(2): 153–176CrossRefMathSciNetGoogle Scholar
  13. CDG05.
    Colvin R, Doherty S, Groves L (2005) Verifying concurrent data structures by simulation. ENTCS 137: 93–110Google Scholar
  14. CGP00.
    Clarke E, Grumberg O, Peled D (2000) Model checking. MIT Press, CambridgeGoogle Scholar
  15. CMZ02.
    Cau A, Moszkowski B, Zedan H (2002) ITL—interval temporal logic. Software Technology Research Laboratory, SERCentre, De Montfort University, The Gateway, Leicester LE1 9BH, UK.
  16. CPV07.
    Calcagno C, Parkinson MJ, Vafeiadis V (2007) Modular safety checking for fine-grained concurrency. In: SAS, pp 233–248Google Scholar
  17. DGLM04.
    Doherty S, Groves L, Luchangco V, Moir M (2004) Formal verification of a practical lock-free queue algorithm. In: FORTE 2004, vol 3235 of LNCS, pp 97–114Google Scholar
  18. Dij65.
    Dijkstra EW (1965) Solution of a problem in concurrent programming control. Commun ACM 8(9): 569CrossRefGoogle Scholar
  19. DOY06.
    Distefano D, O’Hearn PW, Yang H (2006) A local shape analysis based on separation logic. In: TACAS, vol 3920. Springer, New York, pp 287–302Google Scholar
  20. dRdBH+01.
    de Roever W-P, de Boer F, Hannemann U, Hooman J, Lakhnech Y, Poel M, Zwiers J (2001) Concurrency verification: introduction to compositional and noncompositional methods. Number 54 in Cambridge Tracts in Theoretical Computer Science. Cambridge University PressGoogle Scholar
  21. DSW07.
    Derrick J, Schellhorn G, Wehrheim H (2007) Proving linearizability via non-atomic refinement. In: IFM, pp 195–214Google Scholar
  22. DSW08.
    Derrick J, Schellhorn G, Wehrheim H (2008) Mechanising a correctness proof for a lock-free concurrent stack. In: Prooceedings of FMOODS 2008, Oslo, vol 5051 of LNCS, pp 78–95Google Scholar
  23. GC07.
    Groves L, Colvin R (2007) Derivation of a scalable lock-free stack algorithm. Electron Notes Theor Comput Sci 187: 55–74CrossRefGoogle Scholar
  24. GC09.
    Groves L, Colvin R (2009) Trace-based derivation of a scalable lock-free stack algorithm. Form Asp Comp 21(1–2): 187–223zbMATHCrossRefGoogle Scholar
  25. GGH07.
    Gao H, Groote JF, Hesselink WH (2007) Lock-free parallel and concurrent garbage collection by mark&sweep. Sci Comput Program 64(3): 341–374zbMATHCrossRefMathSciNetGoogle Scholar
  26. Gur95.
    Gurevich Y (1995) Evolving algebras 1993: Lipari guide. In: Börger E (eds) Specification and validation methods. Oxford University Press, Oxford, pp 9–36Google Scholar
  27. Har84.
    Harel D (1984) Dynamic logic. In: Gabbay D, Guenther F (eds) Handbook of philosophical logic, vol 2. Reidel, Dordrecht, pp 496–604Google Scholar
  28. Hes06.
    Hesselink WH (2006) Refinement verification of the lazy caching algorithm. Acta Inform 43(3): 195–222zbMATHCrossRefMathSciNetGoogle Scholar
  29. HSY04.
    Hendler D, Shavit N, Yerushalmi L (2004) A scalable lock-free stack algorithm. In: SPAA ’04: ACM symposium on parallelism in algorithms and architectures, New York, NY, USA. ACM Press, pp 206–215Google Scholar
  30. HW90.
    Herlihy M, Wing J (1990) Linearizability: a correctness condition for concurrent objects. ACM Trans Program Lang Syst 12(3): 463–492CrossRefGoogle Scholar
  31. Jon83.
    Jones CB (1983) Tentative steps toward a development method for interfering programs. ACM Trans Program Lang Syst 5(4): 596–619zbMATHCrossRefGoogle Scholar
  32. JT96.
    Jonsson B, Tsay Y-K (1996) Assumption/guarantee specifications in linear-time temporal logic. Theor Comput Sci 167(1–2): 47–72zbMATHCrossRefMathSciNetGoogle Scholar
  33. Kal95.
    Kalvala S (1995) A formulation of TLA in Isabelle. Accessed June 1995
  34. KIV.
    Web presentation of the composition theorem and the lock-free stack and queue case study in KIV. URL:
  35. Lam94.
    Lamport L (1994) The temporal logic of actions. ACM Trans Program Lang Syst 16(3): 872–923CrossRefGoogle Scholar
  36. Lam06.
    Lamport L (2006) The +CAL algorithm language. Technical report, MicrosoftGoogle Scholar
  37. MC81.
    Misra J, Chandi KM (1981) Proofs of networks of processes. IEEE Trans Softw EngGoogle Scholar
  38. Mer95.
    Merz S (1995) Mechanizing TLA in Isabelle. In: Rodošek R (ed) Workshop on verification in new orientations. Univeristy of Maribor, Maribor, pp 54–74Google Scholar
  39. Mos86.
    Moszkowski B (1986) Executing temporal logic programs. Cambridge University Press, CambridgeGoogle Scholar
  40. MS96.
    Michael MM, Scott ML (1996) Simple, fast, and practical non-blocking and blocking concurrent queue algorithms. In: Proceedings of 15th ACM symposium on principles of distributed computing, pp 267–275Google Scholar
  41. OG76.
    Owicki SS, Gries D (1976) An axiomatic proof technique for parallel programs I. Acta Inform 6: 319–340zbMATHCrossRefMathSciNetGoogle Scholar
  42. PA03.
    Pnueli A, Arons T (2003) TLPVS: a PVS-based LTL verification system. In: Verification-theory and practice. Proceedings of an international symposium in honor of Zohar Manna’s 64th birthday. Lecture Notes in Computer Science. Springer-Verlag, New York, pp 84–98Google Scholar
  43. Pre03.
    Prensa Nieto L (2003) The rely-guarantee method in Isabelle/HOL. In: Degano P (eds) European symposium on programming (ESOP’03), vol 2618 of LNCS. Springer, New York, pp 348–362Google Scholar
  44. Rey02.
    Reynolds JC (2002) Separation logic: a logic for shared mutable data structures. In: LICS ’02: Proceedings of the 17th annual IEEE symposium on logic in computer science, Washington, DC, USA. IEEE Computer Society, pp 55–74Google Scholar
  45. RSSB98.
    Reif W, Schellhorn G, Stenzel K, Balser M (1998) Structured specifications and interactive proofs with KIV. In: Bibel W, Schmitt P (eds) Automated deduction—a basis for applications, vol II: systems and implementation techniques, chapter 1: interactive theorem proving. Kluwer Academic Publishers, Dordrecht, pp 13–39Google Scholar
  46. Tre86.
    Treiber RK (1986) System programming: coping with parallelism. Technical report RJ 5118. IBM Almaden Research CenterGoogle Scholar
  47. Vaf07.
    Vafeiadis V (2007) Modular fine-grained concurrency verification. PhD thesis, University of CambridgeGoogle Scholar
  48. Vaf09.
    Vafeiadis V (2009) Shape-value abstraction for verifying linearizability. In: Proceedings VMCAI 2009, vol 5403 of LNCS. Springer, New YorkGoogle Scholar
  49. VHHS06.
    Vafeiadis V, Herlihy M, Hoare T, Shapiro M (2006) Proving correctness of highly-concurrent linearisable objects. In: PPoPP ’06: Proceedings of the eleventh ACM SIGPLAN symposium on principles and practice of parallel programming, New York, NY, USA. ACM, pp 129–136Google Scholar
  50. VP07.
    Vafeiadis V, Parkinson MJ (2007) A marriage of rely/guarantee and separation logic. In: CONCUR, pp 256–271Google Scholar

Copyright information

© British Computer Society 2009

Authors and Affiliations

  • Simon Bäumler
    • 1
  • Gerhard Schellhorn
    • 1
  • Bogdan Tofan
    • 1
  • Wolfgang Reif
    • 1
  1. 1.Lehrstuhl für Softwaretechnik und ProgrammiersprachenUniversität AugsburgAugsburgGermany

Personalised recommendations