Proving Linearizability Using Partial Orders (Extended Version)

Linearizability is the commonly accepted notion of correctness for concurrent data structures. It requires that any execution of the data structure is justified by a linearization — a linear order on operations satisfying the data structure’s sequential specification. Proving linearizability is often challenging because an operation’s position in the linearization order may depend on future operations. This makes it very difficult to incrementally construct the linearization in a proof. We propose a new proof method that can handle data structures with such future-dependent linearizations. Our key idea is to incrementally construct not a single linear order of operations, but a partial order that describes multiple linearizations satisfying the sequential specification. This allows decisions about the ordering of operations to be delayed, mirroring the behaviour of data structure implementations. We formalise our method as a program logic based on rely-guarantee reasoning, and demonstrate its effectiveness by verifying several challenging data structures: the Herlihy-Wing queue, the TS queue and the Optimistic set.

💡 Research Summary

Linearizability is the de‑facto correctness criterion for concurrent data structures because it guarantees contextual refinement: any program that uses a linearizable implementation behaves as if the operations were executed atomically according to a sequential specification. The traditional proof technique for linearizability relies on identifying a linearization point for each operation—an instant between its invocation and response where the operation appears to take effect. While this method works for many classic algorithms, it breaks down for data structures whose ordering decisions depend on future operations. A prominent example is the time‑stamped (TS) queue, where enqueues first obtain a placeholder timestamp and later receive a concrete timestamp that may be incomparable with timestamps of concurrently enqueued items. Consequently, the relative order of those enqueues cannot be fixed until a dequeue later selects the “oldest” timestamp. Similar future‑dependent behavior appears in the Herlihy‑Wing queue, basket queues, and optimistic set implementations.

The paper introduces a novel proof methodology that replaces the single linear order with a partial order—an abstract history—that captures all admissible linearizations simultaneously. An abstract history consists of a finite set of events E (each representing an operation invocation together with its argument and a placeholder return value) and a strict partial order R that records the real‑time precedence that is already known. Crucially, the abstract history must satisfy the property that every total extension (i.e., every linearization that respects R) belongs to the set of sequential histories defined by the specification. In other words, the partial order is guaranteed to be “safe”: no matter how the remaining unordered pairs are later resolved, the resulting total order will still obey the sequential semantics.

To construct such histories during execution, the authors define three kinds of commitment points (the analogue of linearization points, but more flexible):

1. Operation start – when a thread begins an operation, a fresh event is added to E and placed after all already completed events in R.
2. Order commitment – at any moment the proof may add new edges to R, thereby fixing the relative order of two previously unordered events.
3. Operation completion – when an operation determines its return value, the event’s placeholder is replaced with the concrete result, turning the event into a completed one.

These commitment points are instrumented into the algorithm’s code as auxiliary statements that update a global abstract history variable. Because the order commitments can be delayed arbitrarily, the method naturally accommodates future‑dependent linearizations: the proof can postpone ordering enqueues until a dequeue actually observes a timestamp, exactly mirroring the algorithm’s behavior.

The logical foundation of the method is a Rely‑Guarantee program logic. Each thread is assigned a rely relation (what it may assume about the environment) and a guarantee relation (what it promises to the environment). The logic includes rules for the three commitment point forms, ensuring that each update to the abstract history preserves the “abstract‑history‑is‑a‑refinement‑of‑specification” invariant. The central theorem shows that if a program can be proved in this logic, then the set of concrete histories it generates is linearizable with respect to the sequential specification.

The authors demonstrate the practicality of the approach by formally verifying three challenging data structures:

• Time‑Stamped Queue (TS queue) – The proof records, at each enqueue, the insertion of a placeholder event and later adds ordering edges based on timestamp comparisons only when a dequeue inspects the timestamps. The partial order thus remains open for concurrent enqueues with incomparable timestamps, and the dequeue’s choice later resolves the necessary ordering to satisfy the queue specification.

• Herlihy‑Wing Queue – This classic lock‑free queue also exhibits future‑dependent ordering because the “head” pointer may be advanced by later dequeues. The abstract history captures the enqueue events without fixing their order until a dequeue successfully removes an element, at which point the necessary ordering edges are added.

• Optimistic Set – The set’s add and remove operations proceed optimistically and may abort; the abstract history records tentative events and later commits them when the operation validates its view, again using order‑commitment points to resolve any remaining ambiguities.

In each case, the proof proceeds in an inductive style reminiscent of traditional linearization‑point arguments, but the abstraction of ordering into a partial order eliminates the need to guess future‑dependent linearization points. The authors also argue that the technique can be used informally by algorithm designers: by drawing abstract histories and marking commitment points, one can reason about correctness without constructing a full formal proof.

Overall, the paper makes four key contributions:

1. A new proof principle based on partial orders that captures all admissible linearizations simultaneously.
2. A formal Rely‑Guarantee logic that integrates abstract‑history updates and guarantees that any implementation proved in the logic is linearizable.
3. Concrete, concise proofs for several high‑performance concurrent data structures that were previously difficult to verify with standard techniques.
4. Practical guidance (commitment points, abstract histories) that can aid informal reasoning and potentially be incorporated into automated verification tools.

By allowing the ordering of operations to be deferred until sufficient information is available, the method bridges the gap between the intuitive, algorithm‑centric view of concurrent data structures and the rigorous, simulation‑based requirements of linearizability. This opens the door to verifying a broader class of lock‑free and wait‑free algorithms that rely on future‑dependent decisions, thereby advancing both the theory and practice of concurrent data‑structure verification.