A Mechanically Checked Proof of aMultiprocessor Result via

We describe a mechanically checked correctness proof for a system of n processes, each running a simple, non-blocking counter algorithm. We prove that if the system runs longer than 5n steps, the counter is increased. The theorem is formalized in applicative Common Lisp and proved with the ACL2 theorem prover. The value of this paper lies not so much in the trivial algorithm addressed as in the method used to prove it correct. The method allows one to reason accurately about the behavior of a concurrent , multiprocess system by reasoning about the sequential computation carried out by a selected process, against a memory that is changed externally. Indeed, we prove general lemmas that allow shifting between the multiprocess and uniprocess views. We prove a safety property using a multiprocess view, project the property to a uniprocess view, and then prove a global progress property via a local, sequential computation argument. 1 Informal Discussion of the Problem Consider a system of n processes each executing the ve step program in Figure 1 in a shared memory. The execution model we use is that each of the ve instructions is atomic and they are executed in an interleaved way by the various processes. Naively, each process is simply incrementing a shared global counter, CTR, non-atomically. The variables old and new are local to each process. Instruction 2 is just a \compare and swap" (CAS). The instruction either writes new to CTR or reads CTR into old. In either case, it sets new to a Boolean indicating which branch was taken. The type of new is thus integer or Boolean. The program could be simpliied by deleting instruction 3 and using instruction 4 to loop back to the top in both cases. As written, instruction 4 serves as a