Proving Highly-Concurrent Traversals Correct

Yotam M. Y. Feldman, Artem Khyzha, Constantin Enea, Adam Morrison, Aleksandar Nanevski, Noam Rinetzky, Sharon Shoham

TL;DR

This paper addresses the difficulty of proving linearizability for highly-concurrent traversals by introducing a general proof technique that relies on sequential properties of traversals and a forepassed condition on interfering writes. The core ideas are single-step compatibility between the traversal and reachability predicates, and a forepassed interference constraint that eliminates the need to reason about complex read-write interleavings. A main theorem shows that if these conditions hold, traversal correctness—and thus linearizability—follows, with extensions to contentions on additional fields. The framework is validated on challenging BSTs such as the Logical Ordering tree, the Citrus tree, and the full Contention-Friendly tree, including cases where prior approaches fail. The work simplifies and unifies traversal proofs, with potential for mechanization and broader impact on designing and verifying optimistic traversals in concurrent data structures.

Abstract

Modern highly-concurrent search data structures, such as search trees, obtain multi-core scalability and performance by having operations traverse the data structure without any synchronization. As a result, however, these algorithms are notoriously difficult to prove linearizable, which requires identifying a point in time in which the traversal's result is correct. The problem is that traversing the data structure as it undergoes modifications leads to complex behaviors, necessitating intricate reasoning about all interleavings of reads by traversals and writes mutating the data structure. In this paper, we present a general proof technique for proving unsynchronized traversals correct in a significantly simpler manner, compared to typical concurrent reasoning and prior proof techniques. Our framework relies only on sequential properties of traversals and on a conceptually simple and widely-applicable condition about the ways an algorithm's writes mutate the data structure. Establishing that a target data structure satisfies our condition requires only simple concurrent reasoning, without considering interactions of writes and reads. This reasoning can be further simplified by using our framework. To demonstrate our technique, we apply it to prove several interesting and challenging concurrent binary search trees: the logical-ordering AVL tree, the Citrus tree, and the full contention-friendly tree. Both the logical-ordering tree and the full contention-friendly tree are beyond the reach of previous approaches targeted at simplifying linearizability proofs.

Paper Structure

This paper contains 37 sections, 6 theorems, 12 equations, 13 figures.

Key Result

Lemma 1

Consider an execution in timespan $[t_{\star},t^{\star}]$. If $\textit{reach}(\cdot)$ is single-step compatible with $\text{extend}_{k}$ (sec:local-path-extension) and all writes satisfy the forepassed condition (def:black-condition), then if a location is reachable, it will always afterwards

Figures (13)

  • Figure 1: Logical ordering tree. Following a right rotation of $y$, a traversal about to navigate from $y$ towards $A$ (before) would normally reach $C$ instead (after). However, it can follow $\mathit{pred}$ pointers (dashed) to reach $A$ from $C$.
  • Figure 2: Logical-ordering tree [Drachsler:2014]. For brevity, unlock operations are omitted; a procedure releases all the locks it acquired when it terminates or restarts. $*$ denotes an arbitrary key.
  • Figure 3: Traversals in the LO tree. A traversal looking for key $2$ has reached node $y$ due to a concurrent rotation in the tree (see \ref{LO:Rotation}). In (1), it continues to perform a binary search in the tree and does not find $2$ (lines \ref{Ln:lo-tree-search-start}--\ref{Ln:lo-tree-search-end} in \ref{Fi:LO-code}). Nevertheless, in (2), the traversal continues by reading $\mathit{pred}$ pointers and finds the key, allowing it to return $\mathtt{contains}(2)=\textit{true}$ (\ref{Ln:lo-pred-search}). Another traversal, this time looking for key $2.5$, encountering the same scenario in (1)--(2), performs an extra step of reading $\mathit{succ}$ pointers until it reaches a node with a larger key, allowing it to return $\mathtt{contains}(2.5)=\textit{false}$ (\ref{Ln:lo-succ-search}).
  • Figure 4: Removing a node $\mathtt{n}$ with two children from the tree structure of the LO tree ($\mathtt{removeFromTree}$ in \ref{Fi:LO-code}). $\mathtt{s}$ is the successor of $\mathtt{n}$, found using the list layout. (a) $\mathtt{s}$ is temporarily removed from the tree structure (\ref{Ln:lo-remove2-unlink}). (b) The children of $\mathtt{n}$ are copied to $\mathtt{s}$ (lines \ref{Ln:lo-remove2-dup-start}--\ref{Ln:lo-remove2-dup-end}). (c) $\mathtt{n}$'s parent is modified to point to $\mathtt{s}$ instead; thus $\mathtt{s}$ takes the location of $\mathtt{n}$ in the tree (\ref{Ln:lo-remove2-done}). Note that $\mathit{pred},\mathit{succ}$ are not modified yet, and are thus inconsistent with the tree layout (the list layout is updated afterwards). The updates to the $\mathit{parent}$ field are not presented.
  • Figure 5: Single-step compatibility of the tree traversal w.r.t. $\{-\infty\}\leadsto\cdot$.
  • ...and 8 more figures

Theorems & Definitions (19)

  • Remark 3.1
  • Remark 4.1
  • Definition 1
  • Definition 2
  • Definition 3: Forepassed
  • Definition 4: Strong Forepassed
  • Lemma 1
  • Proof
  • Theorem 1
  • Proof
  • ...and 9 more