Scenario-Based Proofs for Concurrent Objects [Extended Version]

TL;DR

This paper introduces a novel proof technique for concurrent objects using scenario-based reasoning formalized as commutativity quotients, simplifying linearizability proofs and capturing diverse algorithm features.

Contribution

It presents a new method to formalize correctness proofs of concurrent objects through scenario-based quotients, enabling reasoning about unbounded interleavings.

Findings

Quotients effectively capture features of various concurrent algorithms.

The method aligns with original correctness arguments and aids in proofs without straightforward linearization points.

Discovery of quotients reduces to two-thread reasoning, facilitating automated analysis.

Abstract

Concurrent objects form the foundation of many applications that exploit multicore architectures and their importance has lead to informal correctness arguments, as well as formal proof systems. Correctness arguments (as found in the distributed computing literature) give intuitive descriptions of a few canonical executions or "scenarios" often each with only a few threads, yet it remains unknown as to whether these intuitive arguments have a formal grounding and extend to arbitrary interleavings over unboundedly many threads. We present a novel proof technique for concurrent objects, based around identifying a small set of scenarios (representative, canonical interleavings), formalized as the commutativity quotient of a concurrent object. We next give an expression language for defining abstractions of the quotient in the form of regular or context-free languages that enable simple proofs of linearizability. These quotient expressions organize unbounded interleavings into a form more amenable to reasoning and make explicit the relationship between implementation-level contention/interference and ADT-level transitions. We evaluate our work on numerous non-trivial concurrent objects from the literature (including the Michael-Scott queue, Elimination stack, SLS reservation queue, RDCSS and Herlihy-Wing queue). We show that quotients capture the diverse features/complexities of these algorithms, can be used even when linearization points are not straight-forward, correspond to original authors' correctness arguments, and provide some new scenario-based arguments. Finally, we show that discovery of some object's quotients reduces to two-thread reasoning and give an implementation that can derive candidate quotients expressions from source code.