The existence of refinement mappings
Theoretical Computer Science
Verifying properties of parallel programs: an axiomatic approach
Communications of the ACM
Reduction: a method of proving properties of parallel programs
Communications of the ACM
Using Ghost Variables to Prove Refinement
AMAST '96 Proceedings of the 5th International Conference on Algebraic Methodology and Software Technology
CONCUR '02 Proceedings of the 13th International Conference on Concurrency Theory
A type and effect system for atomicity
PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Static analysis of atomicity for programs with non-blocking synchronization
Proceedings of the tenth ACM SIGPLAN symposium on Principles and practice of parallel programming
Exploiting Purity for Atomicity
IEEE Transactions on Software Engineering
Resources, concurrency, and local reasoning
Theoretical Computer Science
Simulation Refinement for Concurrency Verification
Electronic Notes in Theoretical Computer Science (ENTCS)
Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Proving assertions about parallel programs
Journal of Computer and System Sciences
Formal verification of a lazy concurrent list-based set algorithm
CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Run-time verification of optimistic concurrency
RV'10 Proceedings of the First international conference on Runtime verification
A structural approach to prophecy variables
TAMC'12 Proceedings of the 9th Annual international conference on Theory and Applications of Models of Computation
Hi-index | 0.00 |
Unlike sequential programs, concurrent programs have to account for interference on shared variables. Static verification of a desired property for such programs crucially depends on precisely asserting the conditions for interference. In a static proof system, in addition to program variables, auxiliary (history) variables summarizing the past of the program execution are used in these assertions. Capable of expressing reachability only, assertions (and history variables) are not as useful in the proofs of programs using optimistic concurrency. Pessimistic implementations which allow access to shared data only after synchronization (e.g. locks) guarantee exclusivity; optimistic concurrency implementations which check for interference after shared data is accessed abandon exclusivity in favor of performance. In this paper, we propose a new construct, tressa, to express properties, including interference, about the future of an execution. A tressa claim states a condition for reverse reachability from an end state of the program, much like an assert claim states a condition for forward reachability from the initial state of the program. As assertions employ history variables, tressa claims employ prophecy variables, originally introduced for refinement proofs. Being the temporal dual of history variables, prophecy variables summarize the future of the program execution. We present the proof rules and the notion of correctness of a program for two-way reasoning in a static setting: forward in time for assert claims, backward in time for tressa claims. We have incorporated our proof rules into the QED verifier and have used our implementation to verify a small but sophisticated algorithm. Our experience shows that the proof steps and annotations follow closely the intuition of the programmer, making the proof itself a natural extension of implementation.