Linearizability Analysis of the Contention-Friendly Binary Search Tree

We present a formal framework for proving the correctness of set implementations backed by binary-search-tree (BST) and linked lists, which are often difficult to prove correct using automation. This is because many concurrent set implementations admit non-local linearization points for their `contains' procedure. We demonstrate this framework by applying it to the Contention-Friendly Binary-Search Tree algorithm of Crain et al. We took care to structure our framework in a way that can be easily translated into input for model-checking tools such as TLA+, with the aim of using a computer to verify bounded versions of claims that we later proved manually. Although this approach does not provide complete proof (i.e., does not constitute full verification), it allows checking the reasonableness of the claims before spending effort constructing a complete proof. This is similar to the test-driven development methodology, that has proven very beneficial in the software engineering community. We used this approach and validated many of the invariants and properties of the Contention-Friendly algorithm using TLA+. It proved beneficial, as it helped us avoid spending time trying to prove incorrect claims. In one example, TLA+ flagged a fundamental error in one of our core definitions. We corrected the definition (and the dependant proofs), based on the problematic scenario TLA+ provided as a counter-example. Finally, we provide a complete, manual, proof of the correctness of the Contention-Friendly algorithm, based on the definitions and proofs of our two-tiered framework.