Dagstuhl Seminar 15191
Compositional Verification Methods for Next-Generation Concurrency
( May 03 – May 08, 2015 )
- Lars Birkedal (Aarhus University, DK)
- Derek Dreyer (MPI-SWS - Saarbrücken, DE)
- Philippa Gardner (Imperial College London, GB)
- Zhong Shao (Yale University, US)
One of the major open problems confronting software developers today is how to cope with the complexity of building and maintaining large-scale concurrent programs. Such programs are increasingly important as a means of taking advantage of parallelism in modern architectures. However, their correctness frequently depends on subtle invariants governing the use of shared mutable data structures, which must take into account the potential interference between different threads accessing the state simultaneously. Just figuring out how to express such invariants at all has proven to be a very challenging problem; even more challenging is how to reason about such invariants locally, i.e. only within the components of the program that absolutely need to know about them.
Fortunately, we are now at a point where verification research has produced the critical foundations needed to tackle this problem: namely, compositional methods, which exploit the inherently modular structure of realistic concurrent programs in order to decompose verification effort along module boundaries. In the last several years, a variety of different but related compositional methods have been developed for verifying complex concurrent programs, including Hoare type theories, Kripke logical-relations models, and modal separation logics. But much work remains to be done. For example, the vast majority of existing methods for concurrency verification assume a sequentially consistent memory model. However, modern hardware implements---and real programs and compilers exploit---much weaker memory models, which enable more efficient reorderings of basic operations. Existing methods apply primarily to the verification of simple safety and partial correctness properties for imperative programs, whereas most large programs involve higher-order features and must also satisfy liveness properties. Grappling with these kinds of limitations is essential if our verification technology is to be relevant to real-world programs running on modern architectures, and as such it poses exciting new research questions that we as a community are just beginning to explore.
In this seminar, we aim to bring together a wide variety of researchers on concurrency verification, as well as leading experts on concurrent software development in both high- and low-level languages. The goal is to facilitate a stimulating interchange between the theory and practice of concurrent programming, and thereby foster the development of compositional verification methods that can scale to handle the realities of next-generation concurrency.
Among the concrete research challenges we hope to investigate in depth during the seminar are the following:
- What are good ways of reasoning (compositionally) about programs that exploit weak memory semantics?
- How can we adapt existing (or develop new) compositional techniques for reasoning about liveness properties of concurrent programs?
- What are the right concurrency abstractions for higher-order concurrent programming idioms? And what is the best way to verify programs that use those abstractions?
- Can the models and logics developed for reasoning about shared-memory concurrency be adapted to account for message-passing concurrency idioms?
- Several logics have been developed recently for modeling complex shared-state invariants using more sophisticated forms of auxiliary state based on protocols (or transition systems). What is the relationship between these different approaches?
- Toward the goal of compositional verification, what is the most useful way to characterize atomicity of concurrent objects?
- Given the recent progress in compositional methods for verifying complex concurrent programs, can we abstract away common proof patterns that would be suitable for automation?
In this seminar, we brought together a wide variety of researchers on concurrency verification, as well as leading experts on concurrent software development in both high- and low-level languages. The goal was to facilitate a stimulating interchange between the theory and practice of concurrent programming, and thereby foster the development of compositional verification methods that can scale to handle the realities of next-generation concurrency.
Among the concrete research challenges investigated in depth during the seminar are the following:
- What are good ways of reasoning about weak memory models? It should be possible to reason about low-level programs that exploit weak memory models (e.g., locks used inside operating systems) but also to reason at higher levels of abstractions for programs that use sufficient locking.
- What is the best way to define a language-level memory model that is nevertheless efficiently implementable on modern hardware. C11 is the state of the art, but it is flawed in various ways, and we heard about a number of different ways of possibly fixing it.
- What is the best way to mechanize full formal verification of concurrent programs, using interactive proof assistants, such as Coq.
- How can we adapt existing and develop new compositional techniques for reasoning about liveness properties of concurrent programs? Can we apply quantitative techniques to reduce the proof of a liveness property to the proof of a stronger safety property? Also, recent work on rely-guarantee-based simulation can prove linearizability of a sophisticated concurrent object by showing the concurrent implementation is a contextual refinement of its sequential specification. We would hope that similar techniques can be used to prove progress properties as well.
- Only recently have researchers begun to propose logics and models for higher-order concurrency [23, 21]. What are the right concurrency abstractions for higher-order concurrent programming idioms as diverse as transactional memory [11], Concurrent ML [18], joins [25], and reagents [24], among others? What is the best way to even specify, let alone verify, programs written in these idioms, and are there unifying principles that would apply to multiple different idioms?
- Most verification work so far has focused on shared-memory concurrency, with little attention paid to message-passing concurrency (except for some recent work on verifying the C# joins library). Can the models and logics developed for the former be carried over usefully to the latter, and what is the connection (if any) with recent work on proof-theoretic accounts of session types [5]? Can session types help to simplify reasoning about some classes of concurrent programs, e.g., those that only involve some forms of message passing and not full shared memory?
- A number of recent Kripke models and separation logics have employed protocols of various forms to describe the invariants about how the semantic state of a concurrent ADT can evolve over time. But different approaches model protocols differently, e.g., using enriched forms of state transition systems vs. partial commutative monoids. Is there a canonical way of representing these protocols formally and thus better understanding the relationship between different proof methods?
- There seem to be tradeoffs between approaches to concurrency verification based on Hoare logic vs. refinement (unary vs. relational reasoning), with the former admitting a wider variety of formal specifications but the latter offering better support for reasoning about atomicity. Consequently, a number of researchers are actively working on trying to combine both styles of reasoning in a unified framework. What is the best way to do this?
- To what extent do we need linearizability to facilitate client-side reasoning? Is it possible in many cases for clients to rely on a much weaker specification ? And which ways are there to formalize looser notions, e.g. where there are multiple linearization points?
- Now that we are finally developing logics and models capable of verifying realistic concurrent algorithms, can we abstract away useful proof patterns and automate them? What is needed in order to integrate support for concurrent invariants into automated verification tools like SLAyer and Abductor?
These different challenges were discussed through talks and discussions by participants, see the list of talk abstracts below.
