Modular Full Functional Specification and Verification of Lock-Free Data Structures

We propose an approach for specifying and verifying full functional (partial) correctness of modules of multithreaded imperative programs that implement or use lock-free data structures for interthread communication. The approach extends separation logic with simple atomic spaces, which are regions of memory that may be accessed concurrently using atomic operations. A fixed invariant is associated with each atomic space. The specification of an atomic operation consists of the usual precondition and postcondition, as well as a number of proof obligations. The precondition requires permission to access an atomic space. The proof obligations state that, in the specific context of the call, the atomic space’s invariant can be rewritten to separate out the lock-free data structure, and that updating the data structure preserves the invariant. To allow threads to retain information about the state of the data structure, a combination of fractional permissions and ghost cells is used in a way similar to the use of auxiliary variables in Owicki-Gries reasoning. The approach has been implemented in the VeriFast program verifier, and used to verify an implementation and a client program of a multiple-enqueueer, single-dequeueer lock-free queue. Modular Full Functional Specification and Verification of Lock-Free Data Structures Bart Jacobs ∗ Frank Piessens Department of Computer Science, Katholieke Universiteit Leuven, Belgium {bart.jacobs,frank.piessens}@cs.kuleuven.be createCell(c) x := get(c) set(c, x) x := compareAndSet(c, x0, x1) disposeCell(c) Figure 1. Syntactic interface of the cell module. The createCell(c) operation turns the memory location at address c into a cell. disposeCell(c) turns it back into an ordinary memory location.