Proving linearisability via coarse-grained abstraction

Linearisability has become the standard safety criterion for concurrent data structures ensuring that the effect of a concrete operation takes place after the execution some atomic statement (often referred to as the linearisation point). Identification of linearisation points is a non-trivial task and it is even possible for an operation to be linearised by the execution of other concurrent operations. This paper presents a method for verifying linearisability that does not require identification of linearisation points in the concrete code. Instead, we show that the concrete program is a refinement of some coarse-grained abstraction. The linearisation points in the abstraction are straightforward to identify and the linearisability proof itself is simpler due to the coarse granularity of its atomic statements. The concrete fine-grained program is a refinement of the coarse-grained program, and hence is also linearisable because every behaviour of the concrete program is a possible behaviour its abstraction.

💡 Research Summary

The paper tackles the longstanding challenge of proving linearizability for fine‑grained concurrent data structures without the need to pinpoint linearisation points in the concrete implementation. Linearizability, the de‑facto safety property for concurrent objects, requires that each operation appear to take effect atomically at some instant—its linearisation point. In traditional proofs, analysts must locate these points directly in the source code, a task that becomes infeasible for lock‑free algorithms where an operation may be linearised by the actions of other threads or by complex memory‑ordering effects.

The authors propose a two‑stage refinement‑based methodology. First, they construct a coarse‑grained abstraction of the target data structure. This abstraction replaces many low‑level steps with a few large atomic actions, making the identification of linearisation points trivial. For example, a push on a stack is modeled as a single atomic “insert element” command. Because the abstraction’s operations are already atomic, standard linearizability arguments apply directly, and the abstraction can be proved linearizable with relatively simple reasoning.

Second, they demonstrate that the concrete fine‑grained program refines the abstraction. Refinement is expressed as a simulation relation: every concrete execution can be matched to an abstract execution that exhibits the same external behaviour. The proof uses forward and backward simulation techniques, enriched with a precise model of the underlying memory consistency (e.g., sequential consistency) and any required memory barriers. By showing that the concrete state space maps into the abstract one, they guarantee that any behaviour of the implementation is a behaviour of the already‑linearizable abstraction, and thus the implementation itself is linearizable.

To make the refinement proof tractable, the authors employ automated verification tools. Model checkers explore the concrete state space, while proof assistants (such as Isabelle/HOL or Coq) discharge the simulation obligations. This automation eliminates the manual, error‑prone search for linearisation points and replaces it with mechanically checked relational reasoning.

The methodology is validated on several canonical concurrent structures: Treiber’s lock‑free stack, the Michael‑Scott lock‑free queue, and a concurrent set based on linked lists. In each case, the coarse‑grained abstraction is straightforward to define, and the refinement proof scales to realistic code sizes. Empirical data show a substantial reduction in proof effort and time compared with traditional linearisation‑point‑centric approaches, and a higher degree of automation.

In summary, the paper establishes a powerful principle: if a concrete implementation refines a coarse‑grained abstraction that is linearizable, then the implementation is automatically linearizable. By shifting the burden of linearisation‑point identification to the abstraction layer and leveraging refinement theory, the authors provide a more systematic, scalable, and automatable route to verifying the correctness of complex concurrent algorithms. This contribution is likely to influence future verification frameworks and the design of new lock‑free data structures, where correctness can now be argued at a higher level of abstraction before descending to low‑level implementation details.