Advertisement

Practical Abstractions for Automated Verification of Shared-Memory Concurrency

  • Wytse OortwijnEmail author
  • Dilian GurovEmail author
  • Marieke HuismanEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11990)

Abstract

Modern concurrent and distributed software is highly complex. Techniques to reason about the correct behaviour of such software are essential to ensure its reliability. To be able to reason about realistic programs, these techniques must be modular and compositional as well as practical by being supported by automated tools. However, many existing approaches for concurrency verification are theoretical and focus on expressivity and generality. This paper contributes a technique for verifying behavioural properties of concurrent and distributed programs that makes a trade-off between expressivity and usability. The key idea of the approach is that program behaviour is abstractly modelled using process algebra, and analysed separately. The main difficulty is presented by the typical abstraction gap between program implementations and their models. Our approach bridges this gap by providing a deductive technique for formally linking programs with their process-algebraic models. Our verification technique is modular and compositional, is proven sound with Coq, and has been implemented in the automated concurrency verifier VerCors. Moreover, our technique is demonstrated on multiple case studies, including the verification of a leader election protocol.

Notes

Acknowledgements

This work is partially supported by the NWO VICI 639.023.710 Mercedes project and by the NWO TOP 612.001.403 VerDi project.

References

  1. 1.
    Aldini, A., Bernardo, M., Corradini, F.: A Process Algebraic Approach to Software Architecture Design. Springer, London (2010).  https://doi.org/10.1007/978-1-84800-223-4CrossRefzbMATHGoogle Scholar
  2. 2.
    Appel, A.W., Blazy, S.: Separation logic for small-step cminor. In: Schneider, K., Brandt, J. (eds.) TPHOLs 2007. LNCS, vol. 4732, pp. 5–21. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74591-4_3CrossRefGoogle Scholar
  3. 3.
    Appel, A., Melliès, P., Richards, C., Vouillon, J.: A very modal model of a modern, major, general type system. In: POPL, vol. 42, pp. 109–122. ACM (2007).  https://doi.org/10.1145/1190216.1190235
  4. 4.
    Baeten, J.: Process Algebra with Explicit Termination. Eindhoven University of Technology, Department of Mathematics and Computing Science (2000)Google Scholar
  5. 5.
    Blom, S., Darabi, S., Huisman, M.: Verification of loop parallelisations. In: Egyed, A., Schaefer, I. (eds.) FASE 2015. LNCS, vol. 9033, pp. 202–217. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46675-9_14CrossRefGoogle Scholar
  6. 6.
    Blom, S., Darabi, S., Huisman, M., Oortwijn, W.: The VerCors tool set: verification of parallel and concurrent software. In: Polikarpova, N., Schneider, S. (eds.) IFM 2017. LNCS, vol. 10510, pp. 102–110. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66845-1_7CrossRefGoogle Scholar
  7. 7.
    Blom, S., Huisman, M., Zaharieva-Stojanovski, M.: History-based verification of functional behaviour of concurrent programs. In: Calinescu, R., Rumpe, B. (eds.) SEFM 2015. LNCS, vol. 9276, pp. 84–98. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22969-0_6CrossRefGoogle Scholar
  8. 8.
    Boyland, J.: Checking interference with fractional permissions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 55–72. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-44898-5_4CrossRefGoogle Scholar
  9. 9.
    Brookes, S.: A semantics for concurrent separation logic. Theor. Comput. Sci. 375(1–3), 227–270 (2007).  https://doi.org/10.1016/j.tcs.2006.12.034MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Calcagno, C., Parkinson, M., Vafeiadis, V.: Modular safety checking for fine-grained concurrency. In: Nielson, H.R., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 233–248. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74061-2_15CrossRefGoogle Scholar
  11. 11.
    Dinsdale-Young, T., Dodds, M., Gardner, P., Parkinson, M.J., Vafeiadis, V.: Concurrent abstract predicates. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 504–528. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14107-2_24CrossRefGoogle Scholar
  12. 12.
    Feng, X.: Local rely-guarantee reasoning. In: POPL, vol. 44, pp. 315–327. ACM (2009).  https://doi.org/10.1145/1480881.1480922
  13. 13.
    Feng, X., Ferreira, R., Shao, Z.: On the relationship between concurrent separation logic and assume-guarantee reasoning. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 173–188. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-71316-6_13CrossRefzbMATHGoogle Scholar
  14. 14.
    Gupta, A., Popeea, C., Rybalchenko, A.: Threader: a constraint-based verifier for multi-threaded programs. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 412–417. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22110-1_32CrossRefGoogle Scholar
  15. 15.
    Herlihy, M., Wing, J.: Linearizability: a correctness condition for concurrent objects. TOPLAS 12(3), 463–492 (1990).  https://doi.org/10.1145/78969.78972CrossRefGoogle Scholar
  16. 16.
    Hobor, A.: Oracle semantics. Ph.D. thesis, Princeton University (2008)Google Scholar
  17. 17.
    Hobor, A., Appel, A.W., Nardelli, F.Z.: Oracle semantics for concurrent separation logic. In: Drossopoulou, S. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 353–367. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78739-6_27CrossRefGoogle Scholar
  18. 18.
    Honda, K., Vasconcelos, V.T., Kubo, M.: Language primitives and type discipline for structured communication-based programming. In: Hankin, C. (ed.) ESOP 1998. LNCS, vol. 1381, pp. 122–138. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0053567CrossRefGoogle Scholar
  19. 19.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20398-5_4CrossRefGoogle Scholar
  20. 20.
    Jones, C.: Tentative steps toward a development method for interfering programs. TOPLAS 5(4), 596–619 (1983).  https://doi.org/10.1145/69575.69577CrossRefzbMATHGoogle Scholar
  21. 21.
    Joosten, S., Oortwijn, W., Safari, M., Huisman, M.: An exercise in verifying sequential programs with VerCors. In: Summers, A. (ed.) FTfJP, pp. 40–45. ACM (2018).  https://doi.org/10.1145/3236454.3236479
  22. 22.
    Juhasz, U., Kassios, I., Müller, P., Novacek, M., Schwerhoff, M., Summers, A.: Viper: a verification infrastructure for permission-based reasoning. Technical report, ETH Zürich (2014)Google Scholar
  23. 23.
    Jung, R., Krebbers, R., Birkedal, L., Dreyer, D.: Higher-order ghost state. In: ICFP, vol. 51, pp. 256–269. ACM (2016).  https://doi.org/10.1145/2951913.2951943
  24. 24.
    Jung, R., et al.: Iris: monoids and invariants as an orthogonal basis for concurrent reasoning. In: POPL, vol. 50, pp. 637–650. ACM (2015).  https://doi.org/10.1145/2676726.2676980
  25. 25.
    Krebbers, R., Jung, R., Bizjak, A., Jourdan, J.-H., Dreyer, D., Birkedal, L.: The essence of higher-order concurrent separation logic. In: Yang, H. (ed.) ESOP 2017. LNCS, vol. 10201, pp. 696–723. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54434-1_26CrossRefGoogle Scholar
  26. 26.
    Krishna, S., Shasha, D., Wies, T.: Go with the flow: compositional abstractions for concurrent data structures. POPL 2, 1–31 (2017).  https://doi.org/10.1145/3158125CrossRefGoogle Scholar
  27. 27.
    Leino, K.R.M., Müller, P., Smans, J.: Verification of concurrent programs with Chalice. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 195–222. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03829-7_7CrossRefGoogle Scholar
  28. 28.
    Luo, Z., Zheng, M., Siegel, S.: Verification of MPI programs using CIVL. In: EuroMPI. ACM (2017).  https://doi.org/10.1145/3127024.3127032
  29. 29.
    Müller, P., Schwerhoff, M., Summers, A.J.: Viper: a verification infrastructure for permission-based reasoning. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 41–62. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49122-5_2CrossRefzbMATHGoogle Scholar
  30. 30.
    Nanevski, A., Ley-Wild, R., Sergey, I., Delbianco, G.A.: Communicating state transition systems for fine-grained concurrent resources. In: Shao, Z. (ed.) ESOP 2014. LNCS, vol. 8410, pp. 290–310. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54833-8_16CrossRefzbMATHGoogle Scholar
  31. 31.
    Neele, T., Willemse, T.A.C., Groote, J.F.: Solving parameterised Boolean equation systems with infinite data through quotienting. In: Bae, K., Ölveczky, P.C. (eds.) FACS 2018. LNCS, vol. 11222, pp. 216–236. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-02146-7_11CrossRefGoogle Scholar
  32. 32.
    O’Hearn, P.: Resources, concurrency and local reasoning. Theor. Comput. Sci. 375(1–3), 271–307 (2007).  https://doi.org/10.1016/j.tcs.2006.12.035MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    O’Hearn, P., Yang, H., Reynolds, J.: Separation and information hiding. In: POPL, vol. 39, pp. 268–280. ACM (2004).  https://doi.org/10.1145/964001.964024
  34. 34.
    Oortwijn, W., Blom, S., Gurov, D., Huisman, M., Zaharieva-Stojanovski, M.: An abstraction technique for describing concurrent program behaviour. In: Paskevich, A., Wies, T. (eds.) VSTTE 2017. LNCS, vol. 10712, pp. 191–209. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-72308-2_12CrossRefGoogle Scholar
  35. 35.
    Oortwijn, W., Blom, S., Huisman, M.: Future-based static analysis of message passing programs. In: Programming Language Approaches to Concurrency- & Communication-cEntric Software (PLACES), pp. 65–72. Open Publishing Association (2016).  https://doi.org/10.4204/EPTCS.211.7
  36. 36.
    Oortwijn, W., Huisman, M.: Formal verification of an industrial safety-critical traffic tunnel control system. In: Ahrendt, W., Tapia Tarifa, S.L. (eds.) IFM 2019. LNCS, vol. 11918, pp. 418–436. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-34968-4_23CrossRefGoogle Scholar
  37. 37.
    Oortwijn, W., Huisman, M.: Practical abstractions for automated verification of message passing concurrency. In: Ahrendt, W., Tapia Tarifa, S.L. (eds.) IFM 2019. LNCS, vol. 11918, pp. 399–417. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-34968-4_22CrossRefGoogle Scholar
  38. 38.
    Owicki, S., Gries, D.: An axiomatic proof technique for parallel programs. Acta Informatica 6, 319–340 (1975)MathSciNetCrossRefGoogle Scholar
  39. 39.
    Parkinson, M.J., Summers, A.J.: The relationship between separation logic and implicit dynamic frames. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 439–458. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19718-5_23CrossRefzbMATHGoogle Scholar
  40. 40.
    Penninckx, W., Jacobs, B., Piessens, F.: Sound, modular and compositional verification of the input/output behavior of programs. In: Vitek, J. (ed.) ESOP 2015. LNCS, vol. 9032, pp. 158–182. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46669-8_7CrossRefzbMATHGoogle Scholar
  41. 41.
    da Rocha Pinto, P., Dinsdale-Young, T., Gardner, P.: TaDA: a logic for time and data abstraction. In: Jones, R. (ed.) ECOOP 2014. LNCS, vol. 8586, pp. 207–231. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44202-9_9CrossRefGoogle Scholar
  42. 42.
    da Rocha Pinto, P., Dinsdale-Young, T., Gardner, P.: Steps in modular specifications for concurrent modules. In: MFPS, pp. 3–18 (2015).  https://doi.org/10.1016/j.entcs.2015.12.002
  43. 43.
    Sergey, I., Nanevski, A., Banerjee, A.: Specifying and verifying concurrent algorithms with histories and subjectivity. In: Vitek, J. (ed.) ESOP 2015. LNCS, vol. 9032, pp. 333–358. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46669-8_14CrossRefzbMATHGoogle Scholar
  44. 44.
    Sergey, I., Wilcox, J., Tatlock, Z.: Programming and proving with distributed protocols. POPL 2, 1–30 (2017).  https://doi.org/10.1145/3158116CrossRefGoogle Scholar
  45. 45.
    Siegel, S., et al.: CIVL: the concurrency intermediate verification language. In: International Conference for High Performance Computing, Networking, Storage and Analysis (SC), p. 61. ACM (2015).  https://doi.org/10.1145/2807591.2807635
  46. 46.
    Supplementary Material. The supplementary material for this paper, consisting of a technical report, the Coq formalisation and the case study, can be found online at https://github.com/wytseoortwijn/VMCAI20-SharedMemAbstr
  47. 47.
    Summers, A.J., Müller, P.: Actor services – modular verification of message passing programs. In: Thiemann, P. (ed.) ESOP 2016. LNCS, vol. 9632, pp. 699–726. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49498-1_27CrossRefGoogle Scholar
  48. 48.
    Svendsen, K., Birkedal, L.: Impredicative concurrent abstract predicates. In: Shao, Z. (ed.) ESOP 2014. LNCS, vol. 8410, pp. 149–168. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54833-8_9CrossRefGoogle Scholar
  49. 49.
    Svendsen, K., Birkedal, L., Parkinson, M.: Modular reasoning about separation of concurrent data structures. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 169–188. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-37036-6_11CrossRefGoogle Scholar
  50. 50.
    Turon, A., Dreyer, D., Birkedal, L.: Unifying refinement and Hoare-style reasoning in a logic for higher-order concurrency. In: ICFP, pp. 377–390. ACM (2013).  https://doi.org/10.1145/2500365.2500600
  51. 51.
    Usenko, Y.: Linearization in \(\mu CRL\). Technische Universiteit Eindhoven (2002)Google Scholar
  52. 52.
    Vafeiadis, V.: Automatically proving linearizability. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 450–464. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14295-6_40CrossRefGoogle Scholar
  53. 53.
    Vafeiadis, V.: Concurrent separation logic and operational semantics. In: MFPS, volume 276 of ENTCS, pp. 335–351 (2011).  https://doi.org/10.1016/j.entcs.2011.09.029
  54. 54.
    Vafeiadis, V., Parkinson, M.: A marriage of rely/guarantee and separation logic. In: Caires, L., Vasconcelos, V.T. (eds.) CONCUR 2007. LNCS, vol. 4703, pp. 256–271. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74407-8_18CrossRefGoogle Scholar
  55. 55.
    Villard, J., Lozes, É., Calcagno, C.: Proving copyless message passing. In: Hu, Z. (ed.) APLAS 2009. LNCS, vol. 5904, pp. 194–209. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-10672-9_15CrossRefGoogle Scholar
  56. 56.
    Zaharieva-Stojanovski, M.: Closer to reliable software: verifying functional behaviour of concurrent programs. Ph.D. thesis, University of Twente (2015).  https://doi.org/10.3990/1.9789036539241
  57. 57.
    Zheng, M., Rogers, M., Luo, Z., Dwyer, M., Siegel, S.: CIVL: formal verification of parallel programs. In: ASE, pp. 830–835. IEEE (2015).  https://doi.org/10.1109/ASE.2015.99

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Department of Computer ScienceETH ZürichZürichSwitzerland
  2. 2.KTH Royal Institute of TechnologyStockholmSweden
  3. 3.University of TwenteEnschedeThe Netherlands

Personalised recommendations