Automated Verification Of Concurrent Search Structures Siddharth Krishna

Automated Verification Of Concurrent Search
Structures Siddharth Krishna download
https://ebookbell.com/product/automated-verification-of-
concurrent-search-structures-siddharth-krishna-32860930
Explore and download more ebooks at ebookbell.com

Here are some recommended products that we believe you will be
interested in. You can click the link to download.
Critical Systems Formal Methods And Automated Verification Joint 21st
International Workshop On Formal Methods For Industrial Critical
Systems And 16th International Workshop On Automated Verification Of
Critical Systems Fmicsavocs 2016 Pisa Italy 1st Edition Maurice H Ter
Beek
https://ebookbell.com/product/critical-systems-formal-methods-and-
automated-verification-joint-21st-international-workshop-on-formal-
methods-for-industrial-critical-systems-and-16th-international-
workshop-on-automated-verification-of-critical-systems-
fmicsavocs-2016-pisa-italy-1st-edition-maurice-h-ter-beek-5607836
Critical Systems Formal Methods And Automated Verification Joint 22nd
International Workshop On Formal Methods For Industrial Critical
Systems And 17th International Workshop On Automated Verification Of
Critical Systems Fmicsavocs 2017 Turin Italy Laure Petrucci
https://ebookbell.com/product/critical-systems-formal-methods-and-
automated-verification-joint-22nd-international-workshop-on-formal-
methods-for-industrial-critical-systems-and-17th-international-
workshop-on-automated-verification-of-critical-systems-
fmicsavocs-2017-turin-italy-laure-petrucci-6753812
Automated Validation Verification Of Umlocl Models Using
Satisfiability Solvers 1st Edition Nils Przigoda
https://ebookbell.com/product/automated-validation-verification-of-
umlocl-models-using-satisfiability-solvers-1st-edition-nils-
przigoda-6842936
Validation And Verification Of Automated Systems Results Of The
Enables3 Project 1st Ed 2020 Andrea Leitner
https://ebookbell.com/product/validation-and-verification-of-
automated-systems-results-of-the-enables3-project-1st-ed-2020-andrea-
leitner-10796504

Fundamentals Of Logic And Computation With Practical Automated
Reasoning And Verification Zhe Hou
https://ebookbell.com/product/fundamentals-of-logic-and-computation-
with-practical-automated-reasoning-and-verification-zhe-hou-36515622
Fundamentals Of Logic And Computation With Practical Automated
Reasoning And Verification 1st Edition Zhe Hou
https://ebookbell.com/product/fundamentals-of-logic-and-computation-
with-practical-automated-reasoning-and-verification-1st-edition-zhe-
hou-35162232
Computeraided Verification Of Coordinating Processes The
Automatatheoretic Approach Course Book Robert P Kurshan
https://ebookbell.com/product/computeraided-verification-of-
coordinating-processes-the-automatatheoretic-approach-course-book-
robert-p-kurshan-51950022
Advances In Verification Of Time Petri Nets And Timed Automata A
Temporal Logic Approach 1st Edition Docdrhab Wojciech Penczek
https://ebookbell.com/product/advances-in-verification-of-time-petri-
nets-and-timed-automata-a-temporal-logic-approach-1st-edition-
docdrhab-wojciech-penczek-4191266
Automated Technology For Verification And Analysis 6th International
Symposium Atva 2008 Seoul Korea October 2023 2008 Proceedings 1st
Edition Sriram K Rajamani Auth
https://ebookbell.com/product/automated-technology-for-verification-
and-analysis-6th-international-symposium-atva-2008-seoul-korea-
october-2023-2008-proceedings-1st-edition-sriram-k-rajamani-
auth-2039314

Automated Verification of Concurrent Search Structures
Siddharth Krishna, Microsoft Research, Cambridge
Nisarg Patel, New York University
Dennis Shasha, New York University
Thomas Wies, New York University
Search structures support the fundamental data storage primitives on key-value pairs: insert
a pair, delete by key, search by key, and update the value associated with a key. Concurrent
search structures are parallel algorithms to speed access to search structures on multicore and
distributed servers. These sophisticated algorithms perform fine-grained synchronization
between threads, making them notoriously difficult to design correctly. Indeed, bugs have been
found both in actual implementations and in the designs proposed by experts in peer-reviewed
publications. The rapid development and deployment of these concurrent algorithms has
resulted in a rift between the algorithms that can be verified by the state-of-the-art techniques
and those being developed and used today.The goal of this book is to show how to bridge this
gap in order to bring the certified safety of formal verification to high-performance concurrent
search structures. Similar techniques and frameworks can be applied to concurrent graph and
network algorithms beyond search structures.
store.morganclaypool.com
About SYNTHESIS
This volume is a printed version of a work that appears in the Synthesis
Digital Library of Engineering and Computer Science. Synthesis
books provide concise, original presentations of important research and
development topics, published quickly, in digital and print formats.
KRISHNA
•
ET
AL
AUTOMATED
VERIFICATION
OF
CONCURRENT
SEARCH
STRUCTURES
MORGAN
&
CLAYPOOL
Series ISSN: 1932-1228

Automated Veriﬁcation of
Concurrent Search Structures

Synthesis Lectures on
Computer Science
Automated Veriﬁcation of Concurrent Search Structures
Siddharth Krishna, Nisarg Patel, Dennis Shasha, and Thomas Wies
2021
Blockchain Platforms: A Look at the Underbelly of Distributed Platforms
Shaoshan Liu, Liyun Li, Jie Tang, Shuang Wu, and Jean-Luc Gaudiot
2020
Blockchain Platforms: A Look at the Underbelly of Distributed Platforms
Stijn Van Hijfte
2020
Analytical Performance Modeling for Computer Systems, Third Edition
Y.C. Tay
2018
Creating Autonomous Vehicle Systems
Shaoshan Liu, Liyun Li, Jie Tang, Shuang Wu, and Jean-Luc Gaudiot
2017
Introduction to Logic, Third Edition
Michael Genesereth and Eric Kao
2016
Analytical Performance Modeling for Computer Systems, Second Edition
Y.C. Tay
2013
Introduction to Logic, Second Edition
2013
Introduction to Logic
2013

iii
Science Fiction Prototyping: Designing the Future with Science Fiction
Brian David Johnson
2011
Storing Clocked Programs Inside DNA: A Simplifying Framework for Nanocomputing
Jessica P. Chang and Dennis E. Shasha
2011
Analytical Performance Modeling for Computer Systems
Y.C. Tay
2010
The Theory of Timed I/O Automata
Dilsun K. Kaynar, Nancy Lynch, Roberto Segala, and Frits Vaandrager
2006

Copyright © 2021 by Morgan & Claypool
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means—electronic, mechanical, photocopy, recording, or any other except for brief quotations
in printed reviews, without the prior permission of the publisher.
Automated Veriﬁcation of Concurrent Search Structures
www.morganclaypool.com
ISBN: 9781636391281 paperback
ISBN: 9781636391298 ebook
ISBN: 9781636391304 hardcover
DOI 10.2200/S01089ED1V01Y202104CSL013
A Publication in the Morgan & Claypool Publishers series
SYNTHESIS LECTURES ON COMPUTER SCIENCE
Lecture #13
Series ISSN
Synthesis Lectures on Computer Science
Print 1932-1228 Electronic 1932-1686

Automated Veriﬁcation of
Concurrent Search Structures
Siddharth Krishna
Microsoft Research, Cambridge
Nisarg Patel
New York University
Dennis Shasha
New York University
Thomas Wies
New York University
SYNTHESIS LECTURES ON COMPUTER SCIENCE #13
C
M
& cLaypool
Morgan publishers
&

ABSTRACT
Search structures support the fundamental data storage primitives on key-value pairs: insert a
pair, delete by key, search by key, and update the value associated with a key. Concurrent search
structures are parallel algorithms to speed access to search structures on multicore and distributed
servers. These sophisticated algorithms perform fine-grained synchronization between threads,
making them notoriously difficult to design correctly. Indeed, bugs have been found both in
actual implementations and in the designs proposed by experts in peer-reviewed publications.
The rapid development and deployment of these concurrent algorithms has resulted in a rift
between the algorithms that can be verified by the state-of-the-art techniques and those being
developed and used today. The goal of this book is to show how to bridge this gap in order to
bring the certified safety of formal verification to high-performance concurrent search structures.
Similar techniques and frameworks can be applied to concurrent graph and network algorithms
beyond search structures.
KEYWORDS
verification, separation logic, concurrency, data structures, search structures, B trees,
hash structures, log-structured merge trees

vii
Contents
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Algorithmic Modularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Concurrent Search Structure Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4 Summary and Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1 Basics and Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Programming Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Template Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Separation Logic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.1 Separation Logic by Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2 Separating Conjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.3 Propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.4 Abstract Predicates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.5 Invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.6 Atomic Triples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.7 Proving Atomic Triples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4 Ghost State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 Ghost States and Resource Algebras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
4.3 Proof of the Single-Node Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.4 Aside: Abstract Lock Speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5 The Keyset Resource Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.1 A Two-Node Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.2 Disjoint Keysets and the Keyset RA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.3 Proof of the Two-Node Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

viii
6 The Edgeset Framework for Single-Copy Structures . . . . . . . . . . . . . . . . . . . . . 59
6.1 An Intuitive Introduction to Edgesets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.2 B-link Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.3 Abstracting Search Structures Using Edgesets . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.4 The Link Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.5 From Edgesets to Keysets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
7 The Flow Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
7.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
7.2 Local Reasoning about Global Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
7.3 The Flow Interface Resource Algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
7.4 Encoding Keysets Using Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
8 Verifying Single-Copy Concurrent Search Structures . . . . . . . . . . . . . . . . . . . . 77
8.1 The Give-Up Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
8.1.1 Proof of the Give-Up Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
8.1.2 Maintenance Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
8.2 The Link Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
8.2.1 Inreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
8.2.2 Proof of the Link Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
8.2.3 Maintenance Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
8.3 The Lock-Coupling Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
8.4 Verifying Implementations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
9 Verifying Multicopy Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
9.1 A Library Analogy to Multicopy Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
9.2 Differential File Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
9.3 Log-Structured Merge Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
10 The Edgeset Framework for Multicopy Structures . . . . . . . . . . . . . . . . . . . . . . 103
10.1 Multicopy Structures Formally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
10.2 Client-Level Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
10.3 Template-Level Specification: Search Recency . . . . . . . . . . . . . . . . . . . . . . . . 105

ix
11 Reasoning about Non-Static and Non-Local Linearization Points. . . . . . . . . 107
11.1 Challenges and Proof Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
11.2 Adding Prophecies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
11.3 Decoupling the Helping and Template Proofs . . . . . . . . . . . . . . . . . . . . . . . . 109
11.4 The Helping Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
12 Verifying the LSM DAG Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
12.1 The LSM DAG Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
12.2 Verifying the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
12.2.1 High-Level Proof Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
12.2.2 Iris Invariant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
12.2.3 Detailed Proof Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
12.3 Multicopy Maintenance Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
12.3.1 Maintenance Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
12.3.2 Proof of Maintenance Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
12.4 Verifying Implementations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
13 Proof Mechanization and Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
14 Related Work, Future Work, and Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 149
14.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
14.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
14.2.1 Proving Liveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
14.2.2 Generalizations and Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
14.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Authors’ Biographies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

xi
Acknowledgments
We would like to acknowledge the very careful external reviews by Maurice Herlihy, Eddie
Kohler, Robbert Krebbers, K. Rustan M. Leino, and Peter Müller. In addition, we warmly
acknowledge Elizabeth Dietrich and Rafael Sofaer for their careful reading during the prepa-
ration of this manuscript. We are also thankful to Alexander Summers for his contributions to
the development of the flow framework, which is one of the pillars of our verification technique.
Because our work was built largely on Iris, we would like to acknowledge the support received
from the Iris Helpdesk, especially from Ralf Jung and Robbert Krebbers. Much of this work has
been funded by the National Science Foundation under grants CCF-1618059, CCF-1815633,
MCB-0929339, and NYU Wireless. The first author is grateful for the support of Microsoft
Research Cambridge and his research team. Our publisher, Diane Cerra of Morgan & Clay-
pool, has been very understanding with our obsessive natures. In addition to Diane, we would
like to thank Christine Kiilerich, C.L. Tondo, and Brent and Sue Beckley.
April 2021

1
C H A P T E R 1
Introduction
For the last 60 years or so, the processing power of computers has been doubling approximately
every two years. For most of that time, this growth has been backed by the increase in the
number of transistors present on integrated circuit chips, a phenomenon commonly known as
Moore’s Law. Until about 2000, this was accompanied by a corresponding increase in clock
speed, the speed at which computers perform each step of computation. However, in the early
2000s, computer hardware started reaching the physical limits of clock speed, mostly due to
heating and quantum effects. To counter this, manufacturers have turned to parallel architectures
where increased transistor densities are being used to provide multiple cores on a single chip,
enabling multiple computations to be performed in parallel.
Having n processing cores on a chip, however, does not immediately imply a factor of n
increase in speed. To make the most of these multicore machines, software needs to be carefully
designed to efficiently divide work into threads, sequences of instructions that can be executed
in parallel.
Well-designed parallel algorithms distribute the workload among threads in a way that
minimizes the amount of time each thread spends waiting for other threads. A standard way
to achieve this is to store any shared data in so-called concurrent data structures, supported
by multi-threaded algorithms that store and organize data. These data structures are now core
components of critical applications such as drive-by-wire controllers in cars, database algorithms
managing financial, healthcare, and government data, and the software-defined-networks of
internet service providers. The research and practitioner communities have developed concurrent
data structure algorithms that are fast, scalable, and adaptable to changing workloads.
Unfortunately, these algorithms are also among the most difficult software artifacts to
develop correctly. Despite being designed and implemented by experts, the sheer complexity
and subtlety of the ways in which different threads can interact with one another means that
even these experts sometimes fail to anticipate subtle bugs. These bugs can cause the data to be
corrupted or the program to misbehave in unexpected ways. For instance, consider the standard
textbook on concurrent algorithms, The Art of Multiprocessor Programming [Herlihy and Shavit,
2008]. Although written by renowned experts who have developed many of the most widely
used concurrent data structures, the errata of the book list several subtle but severe errors in
the algorithms included in the book’s first edition. There have also been many such examples of
concurrent algorithms in peer-reviewed articles with (pencil-and-paper) mathematical proofs
that have later turned out to contain mistakes [Burckhardt et al., 2007, Michael and Scott,

2 1. INTRODUCTION
1995]. Therefore, it is clear that we need systematic and dependable techniques to reason about
and ensure correctness of these complex algorithms.
Formal verification aims to use mathematical techniques to prove, in a rigorous and
machine-checkable manner, the absence of bugs and the conformity of a system to its intended
specification. Several projects have demonstrated the successful use of formal verification to im-
prove the reliability of real-world software designs. These success stories roughly fall into two
groups. At one end are projects that use interactive or semi-automated theorem provers to ver-
ify that a software system meets its functional correctness specification. Prominent examples
are the verified optimizing C compiler CompCert [Leroy, 2006], the verified OS microkernel
seL4 [Klein et al., 2010], and the verified HTTPS replacement developed in Project Ever-
est [Bhargavan et al., 2017]. The degree of reliability achieved by these systems is impressive.
For instance, Yang et al. [2011] reported that out of 11 commercial and open-source C com-
pilers, CompCert was the only one that did not exhibit wrong code generation errors when
exposed to extensive random testing. However, the human effort needed to establish functional
correctness proofs that provide such high reliability remains tremendous. For each of the above
projects, it involved several years of work done by verification experts.
At the other end are automatic static analysis and model checking tools. Notable exam-
ples are the ASTRÉE analyzer [Blanchet et al., 2003] for verifying the absence of run-time
errors of embedded systems code, which has been applied to large code bases in the avionics
industry, and Microsoft’s Static Driver Verifier [Ball et al., 2011] for verifying domain-specific
properties of Windows device drivers. More recently, Amazon and Facebook have started to
incorporate such tools into their continuous integration tool chains, automatically analyzing
millions of lines of code written by ordinary software engineers [Chong et al., 2020, Distefano
et al., 2019]. However, to achieve such a high degree of automation and scalability, static anal-
ysis tools target generic correctness properties (e.g., absence of run-time errors) rather than full
functional correctness, or focus on detecting errors rather than proving their absence. Therefore,
these tools can still miss intricate errors in the analyzed software.
Against this backdrop, this monograph aims to bring the certified safety of formal veri-
fication to concurrent search structures. A search structure is a key-based store that implements a
mutable set of keys or, more generally, a mutable map of keys to values. It provides five basic
operations: (i) create an empty structure, (ii) insert a key-value pair, (iii) search for a key and
return its value, (iv) delete the entry associated with a key, and (v) update the value associated
with a particular key.
We demonstrate a strategy that reduces the manual effort involved in establishing func-
tional correctness proofs of the concurrent search structures that are in use every day. We achieve
this reduction by increasing the modularity of the proof argument and by making the proofs
reusable across diverse data structure implementations. While we do not aim for fully auto-
mated verification here, we hope that the presented techniques will also inform the design of

1.1. ALGORITHMIC MODULARITY 3
future automated static analysis tools by providing a uniform framework for reasoning about the
correctness of concurrent search structures.
1.1 ALGORITHMIC MODULARITY
Concurrent algorithms are complex because they have to perform two very difficult tasks si-
multaneously: manage interference among threads in such a way as to ensure correctness, and
organize the data in memory so as to maximize performance. The resulting combination of del-
icate thread protocols and advanced data layouts used by concurrent search structures makes
formally verifying them challenging.
Modularity is as important in simplifying formal proofs as it has been for the design and
maintenance of large systems. There are four main types of modular proof techniques: (i) Hoare
logic [Hoare, 1969] enables proofs to be compositional in terms of program structure; (ii) local
reasoning techniques [Banerjee et al., 2013, Kassios, 2006, Müller, 2001, O’Hearn et al., 2001,
Reynolds, 2002] allow proofs of programs to be decomposed in terms of the state they modify;
(iii) thread modular techniques [Herlihy and Wing, 1990, Jones, 1983, Owicki and Gries, 1976]
allow one to reason about each thread in isolation; and (iv) refinement techniques [Back, 1981,
Dijkstra, 1968, Hoare, 1972] enable reasoning about properties of a system at different levels of
abstraction.
Concurrent separation logics [Brookes, 2007, Brookes and O’Hearn, 2016, da Rocha
Pinto et al., 2014, Dinsdale-Young et al., 2013, 2010, Dodds et al., 2016, Feng et al., 2007,
Fu et al., 2010, Jung et al., 2015, Leino et al., 2009, Nanevski et al., 2014, O’Hearn, 2007,
Svendsen and Birkedal, 2014, Vafeiadis and Parkinson, 2007] incorporating all of the above
techniques have led to great progress in the verification of practical concurrent search structures,
including recent milestones such as a formal paper-based proof of the B-link tree [da Rocha
Pinto et al., 2011].
An important reason why many proofs, such as that of the B-link tree, are still complicated
is that they argue simultaneously about thread safety (i.e., how threads synchronize) and memory
safety (i.e., how data is laid out in the heap). We contend that safety proofs should instead
be decomposed so as to reason about these two aspects independently. When verifying thread
safety, we should abstract from the concrete heap structure used to represent the data and when
verifying memory safety, we should abstract from the concrete thread synchronization algorithm.
Such an approach promises reusable proofs and simpler correctness arguments, which in turn
aids proof automation.
As an example, consider the B-link tree, which uses a forward pointer-based technique for
thread redirection. The following analogy [Shasha and Goodman, 1988] captures the essence of
the link-based technique on a macroscopic data structure.
Bob wants to borrow book k from the library. He looks at the library’s catalog to locate
k and makes his way to the appropriate shelf n. Before arriving at n, Bob gets caught up in a
conversation with a friend. Meanwhile, Alice, who works at the library, reorganizes shelf n and

4 1. INTRODUCTION
moves k as well as some other books to n0
. She updates the library catalog and also leaves a sticky
note at n indicating the new location of the moved books. Finally, Bob continues his way to n,
reads the note, proceeds to n0
, and takes out k. The synchronization protocol of leaving a note
(the link) when books are moved ensures that Bob can find k.
The library patron corresponds to a thread searching for and performing an operation
on the key k stored at some node n in the tree having links and the librarian corresponds to
a thread performing a split operation involving nodes n and n0
. As in our library analogy, the
synchronization technique of creating a forward pointer (the link) when nodes are split can work
for various data organizations within and between nodes (e.g., if the nodes are organized as a
B-tree or hash table). Hence, it applies to vastly different concrete data structures.
Our goal is to verify the correctness of template algorithms once and for all so that their
proofs can be reused across different data structure implementations. The template algorithms
act on an abstract model of data structures as acyclic graphs in which each edge is associated with
a set of possible keys, e.g., in a binary search tree, the right-pointing child edge of a node with
key 15 is associated with all key values greater than 15. To verify that a data structure implements
a template algorithm, one then needs only to define how the concrete memory representation
of the data structure is mapped to the abstract graph and check that this mapping meets all
assumptions made by the template algorithm about how its primitive operations manipulate
this graph. Crucially, this second verification step involves only sequential reasoning.
This idea of algorithmic proof modularity follows the classical approach of refinement-based
reasoning. The technical challenge is to reconcile this idea with orthogonal techniques for achiev-
ing proof modularity, in particular, that of reasoning locally about modifications to the data
structure graph, as it is supported, e.g., in separation logic (SL) [Ishtiaq and O’Hearn, 2001,
O’Hearn et al., 2001, Reynolds, 2002]. Only by combining these orthogonal techniques can we
obtain simple proofs that are easy to mechanize. As compared to the state of the art in verifica-
tion technology, the proof of a template algorithm depends on certain invariants about the paths
that a search for a key k follows in the data structure graph. In contrast, with the standard heap
abstractions used in SL (e.g., inductive predicates), it is hard to express these synchronization
invariants independently of the invariants that capture how the data structure is represented in
memory. That is why existing proofs such as the one of the B-link tree in da Rocha Pinto et al.
[2011] intertwine the synchronization invariants and the memory invariants, making the proof
complex and difficult to reuse on different structures.
1.2 CONCURRENT SEARCH STRUCTURE TEMPLATES
This monograph shows how to adapt and combine recent advances in compositional abstrac-
tions and separation logic in order to achieve the envisioned algorithmic proof modularity for
concurrent search structures.
We refer to the act of a thread searching for, inserting, or deleting a key k in a search
structure as an operation on k, and to k as the operation key. We call the set of all keys the

1.3. CASE STUDIES 5
key space (e.g., the set of all natural numbers), written K. For simplicity, the presentation in
this monograph treats search structures as containing only keys, but all our proofs can be easily
extended to consider search structures that store key-value pairs.
Our proof methodology for search structures is based on the template algorithms for con-
current search structures by Shasha and Goodman [1988], who identified the invariants needed
for decoupling reasoning about synchronization and memory representation for such data struc-
tures. We apply those templates here for single-copy structures (structures containing at most
one copy of a key at any point in time, for example B-trees), and extend them significantly
to cover multicopy algorithms (structures that may contain multiple copies of a single key, for
example log-structured merge trees [O’Neil et al., 1996]).
The second ingredient is the concurrent separation logic Iris [Jung et al., 2016, 2018,
2015, Krebbers et al., 2018, 2017a,b]. We show how to capture the high-level idea of our proof
methodology in terms of new Iris resource algebras, yielding a general methodology for modular
verification of concurrent search structures.
This methodology independently verifies (1) that each template algorithm satisfies the
(atomic) abstract specification of search structures assuming that node-level operations maintain
certain data structure-agnostic invariants and (2) that the implementations of these operations
for each concrete data structure maintains these invariants.
The correctness criterion we target throughout this monograph is that of linearizabil-
ity [Herlihy and Wing, 1990]. A concurrent data structure is linearizable if for every concurrent
execution history of its operations, each operation appears to take effect at a single atomic step
between its invocation and return point. We note that we focus on establishing partial correct-
ness, which means that we do not prove progress guarantees, such as that a thread executing a
search structure operation will always terminate. We discuss other correctness criteria as well as
future extensions to proving progress properties in Chapter 14.
Our new resource algebras, in combination with Iris’ notion of atomic triples [da Rocha
Pinto et al., 2014, Jung et al., 2020, 2015], allows us to establish linearizability without having
to explicitly reason about execution histories. Moreover, it yields a local proof technique that
eliminates the need to reason explicitly about the global abstract state of the data structure. The
latter crucially relies on the recently proposed flow framework [Krishna et al., 2018, 2020c], the
final ingredient of our methodology.
The flow framework, as explained in Chapter 7, provides an SL-based abstraction mech-
anism that allows one to reason about global inductive invariants of general graphs in a local
manner. Using this framework, we can do SL-style reasoning about the correctness of a concur-
rent search structure template while abstracting from the specific low-level heap representation
of the underlying data structure.

Discovering Diverse Content Through
Random Scribd Documents

[218]
then came again later. It was on this visit last week that
I got some inkling of what was in his mind. He started
hinting around about the secrets which passed through
my hands for filing and for safe-guarding. After an hour
or so he came out in the open and made me a
proposition. He knew where he could sell the secret of
this new radio-propelled and guided plane if I could get
my hands on the War Department papers.”
The filing chief stopped to pour out another glass of
water.
“Go on,” urged Bob, who was desperately anxious to
learn the full story and then resume the hunt for his
uncle.
“Fritz offered me $5,000 for my share if I would only tell
him when the papers reached the office. He said that
was all they needed to know. I could have used the
$5,000, but I told him I wouldn’t do such a thing. Then
a couple of days later I got a letter from him. It was
mailed somewhere over in Maryland and he repeated
his offer and threatened me with exposing an old family
scandal.”
“That was the letter Condon Adams found,” exclaimed
Bob, and the filing chief nodded.
“I was careless about that. I tossed it in the fireplace,
but didn’t make sure that it had been consumed.”
“But did you supply your brother with the necessary
information?” asked Bob, pressing hard for more
concrete information.
Arthur Jacobs lowered his head.

[219]
“Fritz came back the other night. He was in a terrible
rage. He had promised to get this information from me,
and had failed. You’ll never know the fear I’ve always
had of Fritz. He was bigger, older and he always bullied
me. He threatened to beat me to death and I finally told
him what he wanted to know.”
Bob saw tears welling into the chief clerk’s eyes and he
turned his own face away, for it had not been easy to
hear this confession. When the young federal agent
finally looked back, Arthur Jacobs was composed and
calm once more.
“When did you give him this information?”
“It was the night before you caught Fritz in the office,”
replied Jacobs.
“Have you seen him since then?”
“Yes, he came to my apartment after his escape and I
sheltered him for a few hours. I didn’t want to, but he
was armed and forced me to do it. That’s all I know
about it.”
“Don’t you know who’s behind Fritz? Who is supplying
him with the money?”
Arthur Jacobs shook his head.
“I didn’t even see any money,” he said bitterly. “Fritz
said that would come later after this thing had been
forgotten.”
Bob felt sorry for the little man, for he knew now that
Jacobs had been the unwilling dupe of an older and
bullying brother.

[220]
There was one bit of information Bob must have, one
thing that was vital.
“Did you save the envelope in which the letter Fritz sent
you from Maryland was mailed?” he asked.
Jacobs ran his fingers through his thinning hair.
“I can’t remember.”
“Did you toss it in the fireplace?”
“No, I don’t think so. I probably dropped it in the
wastebasket. The maid cleans my apartment each day.”
“Then where would this type of rubbish go?”
“Down to the janitor, who would burn it in the
incinerator.”
Bob reached for the telephone on the other table.
“Give me the number of your apartment house,” he
urged, and Jacobs supplied the needed information.
The building superintendent answered and Bob’s words
fairly tumbled over the wire.
“This is Bob Houston, a federal agent speaking,” he
said. “Get hold of your janitor at once. Don’t allow him
to burn any more waste paper or refuse of any type
from the floor on which Arthur Jacobs lives. I’ll be there
within half an hour to check up on you.”
The building superintendent was inclined to argue, but
Bob cut him short.

[221]
“This is no time for words,” he said. “Do as you’re told
or I’ll file a charge against you for interfering with the
work of a federal officer.”
Actually Bob didn’t know whether he had that power or
not, but the words sounded well and the threat did
what was intended—the superintendent changed his
tone and agreed to halt the burning of any more
wastepaper or refuse.
Bob turned back from the telephone and Jacobs looked
at him with a brighter face.
“I don’t know what’s going to happen to me,” he said,
“but I feel better for having told you.”
“I’ll help you all I can,” promised Bob heartily, turning to
call for Lieutenant Gibbons.
The intelligence officer opened the door almost instantly
and Condon Adams and Tully Ross crowded in close
behind him.
“Well, can you solve the mystery for us now?” asked
Adams, his voice heavy with sarcasm.
“I think so,” replied Bob.
“Let’s have it, then.”
“Hardly. Solve it in your own way. Remember that I’m
working with my uncle on this case. You have the
invaluable help of Tully.”
“That’s enough of smart cracks like that,” replied
Adams, his face flushing a little. “I want to know what
Jacobs said.”

[222]
[223]
“I’m making my report direct to Mr. Edgar. You’ll have to
get it from him.”
With that Bob left the room and went directly to the
office of the federal chief, Lieutenant Gibbons trailing at
his heels.
Waldo Edgar listened intently while Bob recounted what
Jacobs had told him.
“I rather sensed what his story would be,” mused the
chief investigator.
“Don’t you believe it?” asked Bob.
“Yes, every word of it. Just another case of an older and
bullying brother taking advantage of a weaker one. It
looks like Jacobs has supplied us with the key
information we have been groping for. Good work, Bob.”
“I’m afraid I don’t deserve any congratulations. Adams
turned up Jacobs as a suspect.”
“True enough, but Jacobs would never have talked for
Adams or any of the rest of us. The important thing is
that he did talk to you. Now what are you planning?”
Bob told of the letter from Maryland and of his orders to
the building superintendent.
“The postmark on that letter should give us a clue to
where the gang took my uncle,” he said. “There isn’t
much chance of finding it, but it’s worth the time and
effort.”
Waldo Edgar’s eyes brightened.

[224]
“You’re going to do, my boy. It’s things like that that
count. You never can tell when even the tiniest slip of
paper is going to give you the key to the case you’re
working on.”
The chief agent turned to Lieutenant Gibbons.
“You’re staying on the case with Bob?” he asked.
“I’m going to try and keep up with him,” smiled the
intelligence officer.
“Splendid. Then we’ll expect your uncle and the missing
radio paper within the next twenty-four hours, Bob.”

[225]
Chapter XXVIII
WASTE PAPER
★
There was a real feeling of hope in Bob’s heart as he
stepped out of the Department of Justice building with
Lieutenant Gibbons at his side.
“Things are going to move fast from now on,” predicted
the lieutenant. “By the way, Bob, aren’t you a little
young to be a federal agent?”
“I’m not a full-fledged agent,” explained Bob. “When my
uncle was assigned to this case and it looked like some
valuable information might be gained by an inside man
in our office, I was delegated to help him and given
papers as a provisional agent. If I make good on this
case I may get into the service permanently, even
though I’m a little young.”
“I think you’re going in with a rush and I know you’re
going to make good even though Edgar gave you a
pretty short time when he said you’d have the case
solved within twenty-four hours.”
“That’s what scares me,” confessed Bob, “but I’ve got to
find my uncle. Once he’s safe I’ll start worrying about

[226]
the radio secret.”
“When you find him you’ll recover the radio secret,”
predicted the intelligence officer.
Fifteen minutes of fast driving in a taxi took them to the
apartment where Arthur Jacobs resided.
The building superintendent, curious and somewhat
worried over Bob’s telephoned orders, was waiting at
the door to meet them.
Bob identified himself and the superintendent admitted
them to the building, taking them into the basement
where an incinerator bulked in the background. Beside it
were a number of bales of paper.
“We’ve been baling and selling the waste paper,” he
explained, “but I can’t tell you in what bale the paper
from the fourth floor, where Jacobs lives, can be found.
It’s a good thing you phoned. We were going to have
this trucked out sometime during the day.”
Bob looked at the bales and a feeling of dismay crept
into his heart. All he wanted was one envelope—a small
slip of paper—yet there were literally hundreds of pieces
of paper in each one of the bales. He turned to
Lieutenant Gibbons. The intelligence officer grinned.
“Looks like we’re in for it. Better get off your coat, Bob,
and we’ll start on the first bale.”
“You mean you want to open up all those bales?”
demanded the building superintendent.
“That’s right,” nodded the intelligence officer. “We not
only want to, but we’re going to do it. Get some

[227]
snippers and cut through the wires on this bale.” He
indicated the huge stack of paper nearest him.
The superintendent snapped on additional lights and
grudgingly cut the wires on the first bale while Bob took
off his coat.
“Save every envelope with a Maryland postmark on it,”
he said.
It looked like an endless task, but Bob and the
lieutenant, squatting on their heels, started through the
pile of paper.
The building superintendent, after watching them for
several minutes, joined in the hunt.
At the end of half an hour they had found four letters
with Maryland postmarks on them, but none of them
addressed to Arthur Jacobs.
“We’ve got to have more help,” decided the intelligence
officer when an hour had slipped away and they had
gone through only one bale. He went to a telephone
and called the Department of Justice, with the result
that within half an hour six other agents were on the
job, delving through the growing pile of papers.
By noon they had examined every scrap of paper from
five bales and their arms and backs were aching
sharply.
“I’m dizzy,” confessed the intelligence officer when they
finally stopped for lunch. Leaving one of the agents to
guard the bales in the basement, the others went to a
nearby restaurant. Lunch was eaten quickly and with a
minimum of talk, for every one of them knew that

[228]
perhaps a man’s life hinged on the quickness with which
they could find the tell-tale envelope.
They carried a tray of lunch back to the agent who had
been left on guard and plunged once more into the
mountainous task which still faced them.
The early hours of the afternoon slipped away. Bale
after bale of paper was scanned with care and Bob felt
his hopes sinking.
Another bale was finished and one more pulled down
and clipped open. He knelt down again and picked up a
handful of waste paper. An envelope drew his attention,
but it was for another resident on the floor on which the
filing chief lived.
Lieutenant Gibbons, whose lanky form was almost
doubled in a knot from the hours of bending down and
looking at slips of paper, suddenly straightened up with
a triumphant cry.
“Here’s the letter!” he cried, waving a badly torn
envelope.
The federal men, dropping the paper they had been
sorting, rushed to his side.
Bob was the first to see the postmark on the envelope.
It was marked from Rubio, Maryland, and was
addressed to Arthur Jacobs.
The handwriting on the envelope was large and heavy
and the pen which had been used was none too good
for it had dropped ink in two places on the envelope.

[229]
[230]
Bob felt his heart leap. This was the clue they had
sought for so many weary, back-breaking hours in the
litter of paper in the basement.
“How far is it to Rubio?” Bob asked the intelligence
officer.
“I’m not sure that I even know what part of Maryland
it’s in, but I believe if we go by plane, we should be
there in an hour.”
“Then we’ll go by plane,” decided Bob.
Just how he could obtain a plane was a question he
couldn’t have answered at the moment, but he was
determined to make the trip with the least possible loss
of time for he felt that either in Rubio or near it he
would find the solution to the mystery.

[231]
Chapter XXIX
INTO THE AIR
★
Bob and Lieutenant Gibbons left the other federal
agents at the apartment building to help the
superintendent clean up the litter of paper they had
strewn about the basement while they hastened back to
the Department of Justice building.
Waldo Edgar himself was waiting for their report and he
smiled contentedly when he heard it.
“You’re on the right track, Bob. Follow it hard and don’t
let a single trick get away from you. How are you going
to Rubio?”
Bob turned to a wall map which showed the entire state
of Maryland. As Lieutenant Gibbons had surmised,
Rubio was on the east shore, a tiny dot of a town, well
isolated from any of the other shore villages.
“That’s a desolate stretch,” said the chief. “You may
need help in rounding up this gang.”
“We’ll try it alone,” said Bob. “If we find them, we can
send in a call for assistance. Can you arrange for us to

[232]
fly there?”
The chief of the division of investigation looked at his
watch. It was just three o’clock.
“A plane will be ready in half an hour at Antacostia,” he
said. “Make sure that you are well armed and don’t take
unnecessary risks. Understand?”
“Yes, sir,” replied Bob.
“Then start for Antacostia at once. You’re going, too,
lieutenant?”
“I wouldn’t miss this,” replied the intelligence officer.
“Besides, we have a considerable stake in this game.”
“Splendid. But don’t let Bob take any needless risks. I’m
counting on his developing into one of my aces one of
these days.”
Bob’s temperature rose about three degrees and he
looked at the federal chief to see if he was joking, but
Waldo Edgar was serious.
“Looks to me like you’re making headway rapidly,” said
Lieutenant Gibbons as they left the Department of
Justice building. “You carrying a gun?” he asked.
Bob patted his coat pocket.
“I’ve got a special .45 with an extra clip of cartridges.
That ought to be enough for a trip like this.”
“Let’s hope so,” said the intelligence officer.
When they reached Antacostia, a cabin plane, a navy
ship, was out on the ramp waiting for them. It was an

[233]
amphibian and while they were paying the driver of
their cab, the pilot started the motor with a roar that
shook the ground.
An officer ran toward them.
“Which one of you is Bob Houston?” he asked.
Bob stepped forward.
“You’re wanted on the phone at once,” he said.
“Step on it, Bob. We’re ready to go,” warned Lieutenant
Gibbons.
Bob ran toward the administration building and a clerk
there handed him a telephone.
Bob recognized instantly the voice of the chief of the
bureau of investigation. Waldo Edgar, usually so calm,
was deeply moved.
“Bob, get to Rubio with all possible speed. We’ve just
had reports that an unknown yet tremendously powerful
radio station has just come on the air. The Department
of Commerce has had radio direction finders on it for
the last ten minutes and they report that the station
must be on the east shore of Maryland, probably near
Rubio. They’re throwing on extra power on their
experimental station here to gum up the sending from
this unknown outfit. I’m afraid they’re trying to get the
secret of the radio-controlled plane out of the country in
this way.”
“We’re all ready to go. The plane’s on the ramp now
with the motor on.”

[234]
“Then hurry. Let me know the minute you land at Rubio
and I can send more information. I’m starting agents
out of Baltimore by motor and I’ll send another plane
with men within the hour. Good luck.”
Bob turned and raced toward the waiting plane.
“What news?” asked Lieutenant Gibbons.
“Tell you when we’re in the air,” replied Bob.
They climbed into the cabin and were no sooner seated
than the ship started rolling across the field.
Almost before they knew it the ground was dropping
away and they were headed for the east shore of
Maryland.

[235]
Chapter XXX
ON THE EAST SHORE
★
The air that fall afternoon was clear and the entire
panorama of the city of Washington spread out below
them. But Bob’s thoughts were not on the beauties of
the afternoon or of the flight. His mind was centered far
ahead on the east shore village of Rubio and what he
might learn there.
The cabin was well insulated, so Bob and Lieutenant
Gibbons could converse in comparative ease.
“What did Edgar have to say?” asked the intelligence
officer.
“He’s afraid the gang is trying to get the secret radio
information out of the country by using an unlicensed
station which has just started broadcasting from
somewhere along the east shore of Maryland.”
Lieutenant Gibbons whistled.
“What’s he doing about it?”

[236]
“Federal agents are being sent from Baltimore by motor
and another plane is to follow us within a few minutes.
The Department of Commerce believes the station is
near Rubio and they’re trying to gum up the broadcast
as much as possible. Oh, it all clicks beautifully. My
uncle was taken down the river in a fast boat and
landed somewhere near Rubio. He had the paper they
desired and now they are trying to send the information
someplace in Europe by using this powerful but
unlicensed radio.”
“Sounds logical,” agreed the lieutenant. “Looks like
we’re going to have some busy hours ahead of us. Made
any plans yet?”
Bob shook his head.
“I haven’t thought any beyond getting to Rubio as fast
as we can and trying to learn there whether a boat like
the one which slipped out of the tidal basin last night
has been sighted there.”
“Think we can swing it alone or are you going to wait
for the other agents to catch up with us?”
There was no hesitation in Bob’s reply.
“We’re going on as rapidly as we can. Every minute
counts now. We may run straight into a whole kettle of
trouble, but we’ll have to handle it in some fashion.”
They lapsed into silence as the sturdy amphibian sped
out over Chesapeake Bay. Fishing boats could be seen
below and several freighters, bound for Baltimore,
churned up a white wake in the blue of the bay. It was
indeed a calm and peaceful afternoon but Bob’s mind
was anything but peaceful or calm.

[237]
Then they were over Maryland and a few minutes later
the uneven line of the east shore was visible.
The pilot, in his cockpit up ahead, was scanning the
ground intently. The ship veered a little to the right and
they circled over a sprawling village before which a
broad, sandy beach broke the gentle swell of the
Atlantic. Half a mile from the village proper was a
sheltered cove with a score of small fishing wharfs. It
was toward this that the pilot of the amphibian nosed
his craft.
As they swung over the cove Bob could see the
upturned faces of fishermen as they stared at the
unexpected visitor. Bob looked at the boats in the cove
with extreme care, but none of them were unusual and
none appeared capable of great speed.
The amphibian smacked the water and spray flew out
on both sides as they slowed down and taxied in toward
the shore. The pilot cut the engine when they were near
a low wharf and dropped a light anchor.
A friendly fisherman put out in a dory and pulled
alongside the plane.
“Any trouble?” he asked.
“Not yet,” replied Lieutenant Gibbons, “but we’re looking
for a black speed boat. It’s been described as about 30
feet long and capable of 40 miles an hour. It’s a cabin
boat with an antennae above the cabin. Ever seen
anything like it around here?”
Bob, watching the fisherman closely, thought he
detected a slight narrowing of the other’s eyes, but he

[238]
knew that the men of the east shore were by nature
extremely cautious.
“Don’t know as I’ve seen just that boat,” replied the
fisherman, “but there’s a good many crafts slip around
the coves here.”
“This boat would have come in this morning.”
“Better climb in. We’ll ask some of the other boys.”
Bob and the intelligence officer seated themselves in the
dory and were quickly put ashore, where a little group
gathered about them.
The man who had brought them ashore acted as
spokesman.
“These fellows are looking for a speedboat that might
have come around here this morning. Anybody seen
anything of such a craft?”
There was no immediate reply and Bob could see doubt
as to the wisdom of answering the question in the eyes
of a number of the men. It was then that he decided to
tell them the importance of their visit.
He drew out his billfold and handed the nearest man his
identification card.
“We’re federal officers,” he explained, “and we’re
looking for a man who was kidnaped last night in
Washington in a speedboat and brought somewhere
near Rubio. If you can give us any information it may
save a man’s life.”

[239]
The entire attitude of the group changed and a young
man who had been in the background stepped forward.
“I saw such a boat just about mid-forenoon,” he said.
“It was coming up from the south, and coming fast,
maybe forty an hour, but I didn’t see it put in any
place.”
A radio in one of the fishing shacks screeched as though
in agony and the owner of the set hurried away to tune
it down.
“Somebody ought to break that thing up; it’s been doing
that all afternoon,” grunted another fisherman.
“Did it work all right before?” asked Bob.
“Sure. But this afternoon something went wrong and we
can’t get anything.”
Bob knew then that the end of the trail was nearing.
“Tell me this: Are there any old estates near here which
have been recently occupied?”
The owner of the radio, who had shut it off, rejoined the
group in time to hear Bob’s question, and it was he who
replied.
“There’s the old Haskins place about five miles up the
shore,” he said. “Someone’s been around there for the
last month or so. I went up one day to try and sell some
provisions, but they ordered me off.”

[240]
[241]
“Could this speedboat have been bound for the Haskins
place?” asked Bob, aiming his question at the young
fisherman who had told him about the boat.
“Sure, it was going up the shore. But I’ve never seen
that boat around here before.”
Bob turned to Lieutenant Gibbons.
“Looks to me like the Haskins place is our goal. Let’s
reconnoiter it in the plane.”
“The sooner the better,” agreed the intelligence officer.
Bob swung back to the fishermen.
“Federal agents are coming in here from Baltimore by
car and from Washington by plane. If they arrive before
we return, direct them to the Haskins place.”

[242]
Chapter XXXI
THE CHASE ENDS
★
With its motor on full, the amphibian flashed across the
cove and wheeled into the air. Bob felt that they were
on the last leg of their hunt and he sensed a tenseness
of his whole body that was unsettling. Lieutenant
Gibbons realized how Bob felt and he leaned over and
spoke to the young federal agent.
“Let your nerves loosen up a little and keep your head
when we get on the ground. If we get in a jam, use
your gun only as a last resort. Remember that help will
be along soon.”
The intelligence officer took out his own automatic and
examined it, making sure that the firing mechanism was
working perfectly. Bob did likewise and shifted the gun
into his right-hand coat pocket. He knew that with the
gun there he could shoot through his pocket if
necessary.
The village of Rubio dropped behind them and a
desolate stretch of shore unfolded before their eyes.

[243]
Lieutenant Gibbons was the first to sight the Haskins
place, a rambling old structure well out on a neck of
land that projected into the Atlantic. He signalled to the
pilot that this was their destination and the naval airman
banked the amphibian gracefully.
The plane dropped low, flying not more than a hundred
feet above the shore. The expansive old house, which
had several long wings, was badly in need of paint, as
were the outbuildings clustered to the rear. A long, low
boathouse was built as a part of the run-down pier and
one door was closed, but as the plane flashed by Bob
caught a glimpse of a black motorboat and his heart
leaped. He seized Lieutenant Gibbons’ arm.
“I saw a boat in the shed!” cried Bob. “Let’s get down as
soon as possible.”
But already the flyer was dropping the amphibian low.
They spattered down on the water and their speed
dropped off as they neared the old wharf.
Bob watched the house closely for some sign of life. The
windows, many of them broken, betrayed no
movements. From all outward appearances the house
had not been occupied in years.
The amphibian, now less than 50 yards from the beach,
lost headway and drifted.
“Looks like some bad rocks ahead,” said the pilot. “I
don’t dare get any closer. You’ll have to swim if you
want to land here unless I taxi out and down a ways. It
looked better further down.”
But Bob had no intention of wasting any more time.

[244]
“I’m going ashore,” he told Lieutenant Gibbons. “You
can stay here and see if anything happens.”
Before the intelligence officer could protest, Bob eased
himself out of the cabin and started swimming for
shore. In a few yards he was able to touch bottom, but
just as he straightened up there was a sharp puff from
one of the lower windows of the old house and a bullet
ricocheted along the water.
Bob, acting by instinct, ducked and started swimming
under water. He should have been greatly alarmed, but
instead he felt a strange exultation for the firing of that
shot had told him what he wanted to know—he was at
the end of the trail.
The young federal agent came up for air and as soon as
his head appeared, three shots sounded in rapid
succession, each fired from different windows in the
house.
Two of the bullets went wide of their mark, but the third
splashed water in Bob’s eyes. Before he ducked again
he heard Lieutenant Gibbons firing back and then
another gun joined in the battle and Bob knew that the
naval flyer had taken a hand in the party.
Swimming with a powerful stroke, Bob shot along under
water. When he came up this time he was in the shelter
of the boathouse. He was able to stand erect and he
waved back to Lieutenant Gibbons. The firing from the
house had suddenly ceased and Bob made his way
alongside the squat, powerful speedboat.
He climbed into the craft and with several well aimed
blows with the butt of his gun disabled the ignition

[245]
[246]
apparatus. At least the kidnapers would not escape in
the boat.
From some place behind the house the sound of an
automobile exhaust roared out and Bob leaped to the
door of the boathouse. A car wheeled around the far
corner of the house and he saw three men inside, two
in front and one in the rear. It was the first time Bob
had ever fired a gun with a human being as a target,
but he fired rapidly from the automatic and it seemed to
him that a whole volley of bullets issued from the
weapon in his hands. Then the gun was silent and
before he could get the other clip from his pocket the
car had disappeared.
Bob started running for the house, pausing only once
when a cry from Lieutenant Gibbons caused him to turn
his head. The intelligence officer was wading ashore
and motioning for Bob to wait for him. But Bob had
more pressing duties.
The front door of the house was half open and Bob
charged through. The interior was dusty and unkempt,
although there were some signs that an effort had been
made to live in two of the front rooms.
Lieutenant Gibbons pounded up the front steps and
burst into the hallway. He joined Bob and together they
resumed the frantic search of the house. The first floor
was combed, room for room and closet by closet, and it
was not until they reached a shed at the back of the
house that they found what they were seeking. There,
laying on a roll of dirty bedding, was Merritt Hughes,
bound, gagged and with a red welt along one side of his
head.

[247]
Bob, a cry of joy at finding his uncle on his lips, bent
down to untie the gag while Lieutenant Gibbons slashed
at the rope which fastened the federal agent’s wrists
and ankles.
Together they helped Merritt Hughes to his feet. His
tongue was badly swollen from the gag, but he
managed to say a few words.
“Did they get away?” he asked slowly.
“Yes, but I don’t think they’ll get far. Agents are on their
way from Baltimore and Washington,” said Bob.
“How about their radio?”
“The Department of Commerce heard them come on
the air and gummed up their broadcasts,” replied Bob.
Lieutenant Gibbons, who had gone in search of water,
returned with a tin cup and Merritt Hughes drank it with
relish, taking slow, deep draughts of the refreshing
liquid.
Then he bathed his face and hands and felt much
refreshed. He looked quizzically at Bob and the
lieutenant.
“You fellows may catch pneumonia running around here
in wet clothes,” he warned.
“What happened to your head?” demanded the
lieutenant.
“They creased me with a bullet during the scrap back in
Washington last night,” replied the federal agent grimly.
“I want you to see their radio.”

[248]
[249]
He led them to the top floor of the old house where one
room had been fitted up for broadcasting purposes. Bob
knew little about radio, but he could tell that a great
deal of money had been expended here.
“Where’s the aerial?” he asked.
“They used an underground antennae,” replied his
uncle.
Lieutenant Gibbons picked up a heavy chair which was
in the room and deliberately smashed the delicate
equipment.
“I guess that’s the end of this station.”
“But we haven’t recovered the radio document,”
groaned Bob.
“I rather think we have,” replied the lieutenant, pointing
from a window to a cavalcade of cars which was
approaching through a clearing.

[250]
Chapter XXXII
“FEDERAL AGENT”
★
The scene that night in the office of the chief of the
bureau of investigation was one that would remain
stamped forever in Bob’s memory.
Waldo Edgar was there. So was Bob’s uncle and on the
other side of the room were Tully Ross and Condon
Adams and in the background Lieutenant Gibbons
chuckled occasionally.
It was a brief session with Waldo Edgar doing most of
the talking in that close, clipped manner of speech of
his which inspired his own agents and instilled fear in
the hearts of the men he was pursuing.
“The reports you have turned over to me tonight are
highly gratifying,” he said, “and I think we can call this
case completed. While most of the honor of the final
catch goes to Bob Houston, Condon Adams and Tully
Ross deserve credit for uncovering that vital clue in the
fireplace of Arthur Jacobs’ apartment.”
The federal chief shuffled through some papers on his
desk.

[251]
“All of the men involved in the case have been
apprehended, including Fritz Jacobs, who appeared to
be the ringleader. Their radio station has been
destroyed and they were unable to make use of the
information which they had for nearly 24 hours. You
may be sure that their punishment will be swift and
sure. As for Arthur Jacobs, I am inclined to feel sorry for
him for his record in the government service up to this
time had been excellent and I will do all that I can to
help him.”
Then Waldo Edgar turned to Tully Ross.
“As a result of your work on this case, I am pleased to
be able to tell you that you are now a full fledged
federal agent.”
The chief of the bureau of investigation then faced Bob
and he smiled warmly as he spoke.
“To you, Bob, I extend my most sincere congratulations.
You were under a great strain, yet you used your head
every minute of the time and when the showdown
came, you were in there fighting. I don’t know when
anything has pleased me more than to hand you your
commission as a federal agent. You’re young, but I
predict that as Agent Nine you are going a long ways in
the federal service.”
In spite of himself, tears welled into Bob’s eyes for his
heart was overflowing with happiness.
“I’ll do my best to make good,” he promised. “When do
I go on another case?”
Waldo Edgar chuckled. “You’d better rest a day or two
from this one. There will be plenty for you later.”

He was, indeed, a wise prophet, for in less than 24
hours Bob was to get the call that was to send him out
on the famous Jewel Mystery, about which you will learn
in “Agent Nine and the Jewel Mystery.”
THE END

Transcriber’s Notes
★
Copyright notice provided as in the original—this e-text
is public domain in the country of publication.
Silently corrected palpable typos; left non-standard
spellings and dialect unchanged.

*** END OF THE PROJECT GUTENBERG EBOOK AGENT NINE
SOLVES HIS FIRST CASE: A STORY OF THE DARING EXPLOITS OF
THE "G" MEN ***
Updated editions will replace the previous one—the old editions will
be renamed.
Creating the works from print editions not protected by U.S.
copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying
copyright royalties. Special rules, set forth in the General Terms of
Use part of this license, apply to copying and distributing Project
Gutenberg™ electronic works to protect the PROJECT GUTENBERG™
concept and trademark. Project Gutenberg is a registered trademark,
and may not be used if you charge for an eBook, except by following
the terms of the trademark license, including paying royalties for use
of the Project Gutenberg trademark. If you do not charge anything
for copies of this eBook, complying with the trademark license is
very easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.
START: FULL LICENSE

THE FULL PROJECT GUTENBERG
LICENSE

Welcome to our website – the perfect destination for book lovers and
knowledge seekers. We believe that every book holds a new world,
offering opportunities for learning, discovery, and personal growth.
That’s why we are dedicated to bringing you a diverse collection of
books, ranging from classic literature and specialized publications to
self-development guides and children's books.
More than just a book-buying platform, we strive to be a bridge
connecting you with timeless cultural and intellectual values. With an
elegant, user-friendly interface and a smart search system, you can
quickly find the books that best suit your interests. Additionally,
our special promotions and home delivery services help you save time
and fully enjoy the joy of reading.
Join us on a journey of knowledge exploration, passion nurturing, and
personal growth every day!
ebookbell.com

Automated Verification Of Concurrent Search Structures Siddharth Krishna

More Related Content

Similar to Automated Verification Of Concurrent Search Structures Siddharth Krishna (20)

Recently uploaded (20)

Automated Verification Of Concurrent Search Structures Siddharth Krishna