Transactions in the Jungle by Guerraoui, Rachid et al.
Transactions in the Jungle
Rachid Guerraoui Thomas A. Henzinger Michal Kapalka Vasu Singh
E´cole Polytechnique Fe´de´rale de Lausanne (EPFL), Switzerland
{rachid.guerraoui,tah,michal.kapalka,vasu.singh}@epfl.ch
Abstract
Transactional memory (TM) has shown potential to simplify the
task of writing concurrent programs. However, the semantics of
interactions between transactions managed by a TM and non-
transactional operations, while widely studied, lacks a clear for-
mal specification. Those interactions can vary, sometimes in subtle
ways, between TM implementations and underlying memory mod-
els.
We propose a new correctness condition for TMs, parametrized
opacity, which captures the two following intuitive requirements:
first, every transaction appears as if it is executed instantaneously
with respect to other transactions and non-transactional operations,
and second, non-transactional operations conform to a given mem-
ory model. Parametrized opacity corresponds to the well-studied
strong atomicity property, which lacks a formal definition and is, in
fact, ambiguous.
We use our formalization to theoretically investigate the inher-
ent cost of implementing parametrized opacity. We first prove that
parametrized opacity requires either instrumenting non-transactional
operations (for most memory models) or writing to memory by
transactions using potentially expensive read-modify-write instruc-
tions (such as compare-and-swap). Then, we show that for a class
of relaxed memory models, parametrized opacity can indeed be im-
plemented with constant-time instrumentation of non-transactional
writes and no instrumentation of non-transactional reads. We show
that, in practice, parametrizing the notion of correctness allows to
develop more efficient TM implementations.
1. Introduction
Transactional memory (TM) [14, 26] offers a promising paradigm
for concurrent programming in the multi-core era. A TM allows
a programmer to think in terms of coarse-grained code blocks—
transactions—that appear to be executed atomically, and at the
same time, a TM yields a high level of parallelism. Ideally, a pro-
gram could execute all operations on shared data within transac-
tions, and have non-transactional operations on thread-local data. In
practice, however, not all operations on shared data can be wrapped
in transactions. For example, a programmer may wish to make
shared data local to a thread, operate non-transactionally upon it for
a while, and make it shared again [20, 30]. It is thus not surprising
to see a large body of research dedicated to exploring the various
models of interactions between transactions and non-transactional
code [1, 6, 8, 30, 19, 21], and building TM implementations that
implement those models [27, 20].
The mutual interaction between transactions is formalized by
the notion of serializability [22] or opacity [12]. Serializability, a
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. To copy otherwise, to republish, to post on servers or to redistribute
to lists, requires prior specific permission and/or a fee.
POPL’10
Copyright c© 2010 ACM . . . $5.00
Thread 1 Thread 2
atomic {
x := 1
y := 1 r1 := x
} r2 := y
Figure 1. Can r1 = 1 and r2 = 0? It depends on the memory
model (initially x = y = 0).
common correctness notion in database transactions, requires that
committed transactions look as if they executed sequentially. But, it
was observed [7, 13] that serializability is not sufficient for memory
transactions, where it is important that even aborted transactions do
not observe an inconsistent state of the memory. This gave rise to
a new correctness criterion called opacity. The idea of opacity is
to give programmers an illusion that there is no concurrency be-
tween transactions, whether committed or aborted. That is, opacity
requires that all transactions “look like” they executed in some se-
quential order, consistent with their real-time order. Most of the TM
implementations [7, 13, 23] satisfy opacity. The formal definition
of opacity has allowed for a clear understanding of transactions [12]
and also development of model checking techniques for TM algo-
rithms [9, 10].
The interaction between transactions and non-transactional op-
erations has been defined using a notion of strong atomicity [19, 17]
in the literature. The intuition behind strong atomicity is that trans-
actions execute atomically with respect to other transactions and
non-transactional operations. Unfortunately, strong atomicity has
not been formally defined, which has thus led to multiple inter-
pretations [29]. Consider, for example, the execution depicted in
Figure 1 (adapted from [8]). The transaction executed by thread 1
updates variables x and y. Thread 2 reads the variables x and y
non-transactionally. Is it possible that thread 2 reads x as 0 and y
as 1? According to the definition by Martin et al. [19], strong atom-
icity allows this result. But, according to the definition of strong
atomicity by Larus et al. [17], this result is not allowed. The ambi-
guity in this definition can be attributed to an implicit assumption
on the interaction between non-transactional operations, which in
turn, depends upon the underlying memory model [2]. A memory
model specifies the set of allowed behaviors of memory accesses in
a shared memory program. A relaxed memory model allows the un-
derlying system to reorder memory instructions, while a stringent
memory model like sequential consistency enforces instructions to
execute in program order. While Martin et al. [19] assume a re-
laxed memory model which allows to reorder independent reads
(for example, RMO [31]), Larus et al. [17] assume a sequentially
consistent memory model.
We provide a general formal framework for describing the in-
teractions between transactions and non-transactional operations.
We consider opacity as a correctness condition for transactions,
and parametrize it by a memory model. We claim that while a
TM can be implemented in a way to ensure opacity for transac-
tions, there is little one can do (on a given platform or run-time
environment) to change the underlying memory model. Hence, it
is desirable to define opacity parametrized by a memory model.
Thread 1 Thread 2
atomic {
x := 1
x := 2 atomic {
} z := x− y
atomic { }
y := 2
}
(a) Can z < 0?
Thread 1 Thread 2
x := 1 r1 := y
y := 1 r2 := x
(b) Can r1 = 1 and r2 = 0?
Thread 1 Thread 2
atomic { z := x
x := 1
x := 2
}
atomic {
r1 := z
r2 := z
}
(c) Can z = 1 or r1 6= r2?
Figure 2. Motivating examples for the definition of parametrized opacity (initially x = y = z = 0 in every case)
Moreover, we want the definition of parametrized opacity to be
implementation-agnostic (like opacity), so that it allows for trans-
actional objects with semantics richer than that of simple read-write
variables (which could help describing, for example, TMs that im-
plement transactional boosting [15] or similar techniques).
We present a definition of a memory model which is general
enough to capture a variety of memory models. Intuitively, we for-
malize a memory model as a function which, depending upon the
sequence of operations, gives the set of possible order of opera-
tions. Our formalism can capture common memory models like
TSO, PSO, RMO, and Alpha. Moreover, we allow different pro-
cesses to observe different order of operations, which allows us to
capture memory models with non-atomic stores, like IA-32. We
classify memory models on the basis of the possible reorderings of
operations they allow.
Our formalization of parametrized opacity is guided by the
following intuition:
1. Opacity for transactions. Whatever the memory model is, exe-
cutions that are purely transactional must ensure opacity. In-
deed, the semantics of transactions should be intuitive and
strong—in the end, we want TMs to be as easy to use as coarse-
grained locking. For example, consider Figure 2(a). Thread 2
should observe x as 0 or 2, because the intermediate state of a
transaction (x = 1) is not visible to other transactions. Also,
y can be observed as 0 or 2. Moreover, y can be observed as 2
only if x is observed as 2, because the effect of transactions is
visible in real-time order. Thus, the possible values of z are 0
and 2. Note that even if thread 2 aborts, opacity requires that z
is 0 or 2.
2. Efficiency of non-transactional operations. Executions that are
purely non-transactional have to adhere to the given mem-
ory model. In particular, parametrized opacity should not
strengthen the semantics of non-transactional operations. The
motivation here is to avoid a framework that would inherently
require non-transactional operations to be instrumented with
additional memory fences or software barriers, even for very
weak memory models. For example, in Figure 2(b), a memory
model may relax the order of write operations in Thread 1 or
the read operations in Thread 2, resulting in r1 = 1 and r2 = 0.
3. Isolation of transactions from non-transactional operations.
Transactions should appear, both to other transactions and non-
transactional operations, as if they were executed instanta-
neously. In particular, isolation of transactions should be re-
spected, regardless of the memory model. That is, first, the in-
termediate computations of transactions, or updates by aborted
transactions, should never be visible to non-transactional opera-
tions, and, second, the non-transactional operations concurrent
to a transaction should appear as if they happened before or
after this transaction. For example, in Figure 2(c), Thread 2
cannot observe an intermediate state of a transaction, and thus
z 6= 1. Moreover, the effect of a non-transactional operation
cannot show up in the middle of a transaction. Thus, r1 = r2.
Note that opacity parametrized by sequential consistency gives
the notion of strong atomicity as proposed by Larus et al. [17]. On
the other hand, parametrized opacity for a relaxed memory model
like RMO matches the notion of strong atomicity given by Martin
et al. [19].
In practice, TM implementations that guarantee strong atomic-
ity require that non-transactional operations, instead of accessing
memory directly, adhere to an access protocol as defined by the
TM implementation. This modification of the semantics of non-
transactional operations is known as instrumentation. For exam-
ple, Tabatabai et al. [27] propose a TM implementation, where
the non-transactional read and write operations follow the lock-
ing discipline as done by the transactions. The formal definition
of opacity parametrized by a memory model allows us to theoret-
ically analyze the cost of creating TM implementations that guar-
antee parametrized opacity. While parametrized opacity is the in-
tuitive correctness property for transactional programs with non-
transactional operations, we show that, without instrumentation, it
is impossible to achieve on most memory models. Even for the
small class of idealized memory models, where parametrized opac-
ity can be achieved without instrumentation, we show that a TM
implementation must use expensive read-modify-write operations
for each object modified by a transaction.
Next, we focus on TM implementations that instrument non-
transactional write operations, without any instrumentation for
non-transactional read operations. We start with a basic result
which shows that for a class of memory models which allows to
reorder independent reads, it is possible to achieve parametrized
opacity without instrumenting the read operations, and treating
every non-transactional write as a transaction in itself. Note that
this might not provide a practical solution, as we do not want a
non-transactional operation to carry the overhead associated with
a transaction. Moreover, we want non-transactional operations to
finish in bounded time, while a transaction, in general, may take
arbitrarily long to finish. The next question we ask is whether we
can obtain parametrized opacity for a class of memory models with
constant-time instrumentation on the writes? We show that for a
class of memory models which allows to reorder a read of a vari-
able following a read or write of another variable (like Alpha [28]),
it is indeed possible to achieve parametrized opacity with constant-
time instrumentation for non-transactional write operations. We
also discuss how to adapt the constant-time write instrumentation
solution for memory models which do not allow to reorder data-
dependent reads (like RMO [31] and Java [18]).
Using our theoretical framework, we examine existing TM im-
plementations that guarantee parametrized opacity. TM implemen-
tations in the literature that satisfy strong atomicity [27], in fact,
satisfy parametrized opacity with respect to sequential consistency.
We observe that the TM implementation can be designed to be more
efficient, if it is to satisfy opacity parametrized by a weaker memory
model. We discuss examples of modifications that can be applied
to the TM implementation by Tabatabai et al. [27] which remove
overhead, while keeping it parametrized opaque with respect to a
wide class of relaxed memory models. We also show that our the-
oretical framework can be used to specify weaker notions of cor-
rectness. As an example, we formalize single global lock atomicity
(SGLA) [8, 17, 20]. Moreover, we show that the impossibility re-
sults we obtain for parametrized opacity do not hold for SGLA.
2. Preliminaries
We first describe a framework of a shared memory system consist-
ing of shared objects and operations on those objects.
Operations. Let Obj denote a set of shared objects. We consider
a shared-memory system consisting of a set P of processes, which
communicate by executing commands on (shared) objects. Let C
be a set of commands on shared objects, where arguments and re-
turn values are treated as part of a command. For example, in a
system that supports only reading and writing of shared (natural
number) variables, we have C = {rd, wr} × N. We define oper-
ations O ⊆ C × Obj as the set of all allowed command-object
pairs.
Besides operations that issue commands on shared objects, ev-
ery process p ∈ P can execute the following special operations:
start to start a new transaction, operation commit to commit a
transaction, and abort to abort a transaction. Let Oˆ = O ∪ {start,
commit, abort}.
Histories. We define an operation instance as (o, p, k), where
o ∈ Oˆ is an operation, p ∈ P is a process which issues the
operation, and k ∈ N is a natural number representing the identifier
of the operation instance.
A history h ∈ (Oˆ × P × N)∗ is a sequence of operation in-
stances, such that for every pair (o, p, i), (o′, p′, j) of operation
instances in h, we have i 6= j. Intuitively, we want each operation
instance in a history to have a unique identifier. For a natural num-
ber k, when we say “operation k”, we mean “operation instance
with identifier k”, i.e., the element of h of the form (o, p, k), where
o ∈ Oˆ and p ∈ P .
A transaction of a process p is a subsequence (o1, p, i1) . . .
(on, p, in) of a history h such that (i) o1 is a start operation, (ii)
either operation in is the last operation instance of p in h, or we
have on ∈ {commit, abort}, and (iii) all operations o2, . . . , on−1
belong to set O .
A transaction T is committed (resp. aborted) in a history h if
the last operation instance of T has a commit operation (resp. an
abort operation). A transaction T is completed if T is committed
or aborted.
Given a history h and a natural number k, we say that oper-
ation k is transactional in h if operation k is part of a transac-
tion in h. Otherwise, operation k is said to be non-transactional.
We assume that every history h is well-formed: that is, every non-
transactional operation in h belongs to set O . Intuitively, well-
formedness of a history requires that every commit and abort of
a transaction matches with a corresponding start, and there are no
nested transactions. We denote by H the set of all histories.
Given a history h, we define the real-time partial order relation
≺h⊂ N × N of the operation identifiers in h, such that for two
natural numbers i and j, we have i ≺h j if:
1. operations i and j belong to transactions T and T ′, respectively,
where T is completed in h and the last operation instance of T
precedes the first operation instance of T ′ in h, or
2. operation i precedes operation j in h, both operations are exe-
cuted by the same process, and at least one of those operation
instances is transactional.
For example, consider the history h illustrated in Figure 3(a).
The transaction of process p1 finishes before the transaction of
process p3 starts. The precedence relation ≺h consists of elements
(1, 2), (5, 7), and (1, 9). On the other hand, (1, 6) and (6, 9) are
not in ≺h.
Object semantics. We use the concept of a sequential specifica-
tion [16, 32] to describe the semantics of objects. Given an object
x ∈ Obj , we define the semantics [[x]] ⊆ C∗ as the set of all
sequences of commands on x that could be generated by a single
process accessing x.
For example, let x be a shared variable that supports only the
commands to read and write its value (with initial value 0). Then,
[[x]] is a subset of ({rd, wr} × N)∗, such that, for every sequence
c1 . . . cn in [[x]], and for all i, v ∈ N, if ci = (rd, v) then either
(a) the latest write operation preceding ci in c1 . . . cn is (wr, v), or
(b) v = 0 and no write operation precedes ci in c1 . . . cn.
Sequential histories. We say that a history h is sequential if, for
every transaction T in h, every operation instance between the start
operation instance of T and the last operation instance of T in h
is a part of T . That is, intuitively, no transaction T overlaps with
another transaction or with any non-transactional operation in h.
We say that a sequential history s respects a partial or a total
order ≺⊆ N × N if, for every pair (i, j), if i ≺ j then operation i
precedes operation j in s.
Let s be a sequential history. We denote by s|x the longest
subsequence of all commands invoked on object x in s. We say
that s is legal if for every object x, we have s|x ∈ [[x]].
We denote by visible(s) the longest subsequence of s that does
not contain any operation instance of a non-committed transac-
tion T , except if the T is not followed in s by any other transaction
or non-transactional operation instance. We say that an operation k
in s is legal in s if history visible(s′) is legal, where s′ is the prefix
of s that ends with operation k.
Two examples of sequential histories are given in Figure 3(b)
and Figure 3(c). Note that s1 and s2 respect ≺h (where h is the
history shown in Figure 3(a)). History s1 is legal if v = v′ = 1.
Similarly, s2 is legal if v = 0 and v′ = 1.
3. Parametrized Opacity
We first formalize a memory model in our framework. Then, we
define opacity parametrized by a memory model.
3.1 Memory models
A memory model describes the semantics of memory accesses in a
shared memory system. We formalize a memory model as a trans-
formation followed by per-process reordering of the history. The
reordering function is defined in such a way that it allows different
processes to have different views of the history, similar to the for-
malism by Sarkar et al. [25]. The transformation function allows to
have complex operations at the level of the history, which may need
a sequence of operations at the level of the implementation. More-
over, the transformation function allows to capture memory models
which do not provide out-of-thin-air guarantees (e.g., in languages
like C/C++ for unsynchronized code).
We define a process view v : P → 2N×N as a function such
that v(p) is a partial order on the set of natural numbers for every
process p ∈ P . Let V be the set of all process views. A memory
model is a pair M = (τ, R), where
• τ : O → O∗ is a transformation function that maps an
operation to a sequence of operations, and
p1 p2 p3
((wr, x, 1), 1)
((start), 2)
((rd, y, 1), 3)
((wr, y, 1), 4)
((commit), 5)
((rd, x, v), 6)
((start), 7)
((commit), 8)
((rd, x, v′), 9)
(a) History h
p1 p2 p3
((wr, x, 1), 1)
((start), 2)
((wr, y, 1), 4)
((commit), 5)
((rd, y, 1), 3)
((rd, x, v), 6)
((start), 7)
((commit), 8)
((rd, x, v′), 9)
(b) Sequential history s1
p1 p2 p3
((rd, x, v), 6)
((wr, x, 1), 1)
((start), 2)
((wr, y, 1), 4)
((commit), 5)
((rd, y, 1), 3)
((start), 7)
((commit), 8)
((rd, x, v′), 9)
(c) Sequential history s2
Figure 3. Examples of histories and sequential histories. Every history is read top to bottom. Notation: (wr, x, 1), 1) under a column marked
with process p stands for the operation instance (((wr, 1), x), p, 1).
• R : H → 2V is a reordering function that maps a history to a
set of process views.
Intuitively, τ maps every operation to its internal representation
(e.g., in hardware or a run-time environment). For instance, a write
to a 64-bit memory word might be, on some systems, executed
as two writes to its 32-bit parts. Moreover, if a memory model
does not give out-of-thin-air guarantees, τ can map every write
to a special havoc operation followed by the write. A read which
follows the havoc operation and precedes the write operation can
return any value. A process view allows different processes to
observe different orders of operations in a given history. This can
capture memory models, like IA-32 [5] which allow non-atomic
stores.
If h is a well-formed history, then τ(h) denotes a well-formed
history obtained from h by replacing every operation instance
(o, pj , k) of h with a sequence (o1, pj , k1), . . ., (om, pj , km),
where τ(o) = o1, . . ., om and k1, . . . , km ∈ N. (Note that identi-
fiers of operation instances of τ(h) can be arbitrary, as long as they
are unique.)
Well-formed memory models. A transformation function τ is
well-formed if for every well-formed, sequential and legal his-
tory s, sequence τ(s) is also a well-formed, sequential, and legal
history. Intuitively, a transformation is well-formed if it does not
change the semantics of transactional operations.
A reordering function R is well-formed if for every history
h ∈ H , for every view v ∈ R(h), for every process p ∈ P : (i)
if (i, j) ∈ v(p), then operations i and j are non-transactional in h,
(ii) if (i, j) ∈ v(p), then i precedes j in h, and (iii) if (i, j) ∈ v(p),
then (j, i) /∈ v(p′) for all processes p′ ∈ P . Intuitively, condition
(i) requires that a reordering function can impose an order only
on non-transactional operations, condition (ii) requires that a view
does not force a process to observe operations of some process in
out of program order, and condition (iii) requires that a view should
not force two processes to observe operations to occur in different
orders. A memory model M = (τ,R) is well-formed if τ and R
are well-formed. All memory models we know of are indeed well-
formed.
Capturing dependence of operations. Often, a memory model [18,
31] allows to reorder operations unless the latter operation is
control-dependent or data-dependent on the former operation. We
need to distinguish dependent reads from independent reads in
our framework to capture these memory models. We can capture
these dependencies in our framework using additional commands:
{cdrd, ddrd, cdwr, ddwr} × N × 2N. For example, an operation
instance (o, p, k) in h with o = (cdrd, v, {k1, . . . , kn}), x) de-
notes a read operation which is control-dependent on operations
k1 . . . kn in h. Well-formedness of a history with control and data
dependent operations requires that if an operation k is dependent
on k1 . . . kn in h, then all operations k1 . . . kn precede k in h.
3.2 Examples of memory models
We now give examples of memory models for histories on read
and write operations on shared variables. We first define an identity
transformation function τI such that τI(o) = o for every opera-
tion o ∈ O . We say that a view v is identical across processes, if
v(p) = v(p′) for all processes p, p′ ∈ P .
• Sequential consistency requires that the order of operations of a
process in a history is preserved in every view, and all processes
view an identical order of operations of different processes.
Formally, MSC = (τI , RSC ) such that for all histories h, we
have v ∈ RSC (h) if (a) v is identical across processes, and (b)
for every process p ∈ P , for every pair (o1, p, i), (o2, p, j) of
operations such that operation i precedes operation j in h, we
have (i, j) ∈ v(p).
• Total store order allows a write operation to forward the value
of a variable to a following read operation, and allows to re-
order a write operation followed a read operation to a different
variable. Formally, the memory model Mtso = (τI , Rtso) such
that for all histories h, we have v ∈ Rtso(h) if (a) v is identi-
cal across processes, and (b) for every process p, for every pair
(o1, p, i), (o2, p, j) of operations such that operation i precedes
operation j in h, we have (i, j) ∈ v(p) if one of following
conditions holds:
o2 is a write operation1,
o1 and o2 are to the same object x, or
o1 is a read operation of the form (rd, x, v) such that
(wr, x, v) is the last preceding write operation to x by pro-
cess p in h.
The intuition for the last case is to allow two read operations to
different variables to reorder if the first read obtains the value
from a store buffer.
• Relaxed memory order allows to reorder read and write op-
erations to different variables, unless the first operation is a
read, and the second operation is either a write control/data-
dependent on the first operation, or a read data-dependent on
the first operation. RMO is specified by the memory model
Mrmo = (τI , Rrmo) such that for all histories h, we have
v ∈ Rrmo(h) if (a) v is identical across processes, and (b) for
every process p, for every pair (o1, p, i), (o2, p′, j) of opera-
tions such that operation i precedes operation j in h, we have
(i, j) ∈ v(p) if one of the following conditions holds:
1 We use the term “write operation” as a general term for a simple write, or
a control/data dependent write. Similarly, for read operation.
o1 and o2 are to the same object x,
o1 is a read of a variable x and o2 = ((cdwr, v,K), y) or
o2 = ((ddwr, v,K), x) for some v ∈ V and K ⊆ N such
that i ∈ K, or
o1 is a read of a variable x and o2 = ((ddrd, v,K), y) for
some v ∈ V and K ⊆ N such that i ∈ K.
• Junk-SC is a memory model we describe here to show how
memory models that allow junk (out-of-thin-air) values can
be expressed in our formalism. Junk-SC requires sequential
consistency, but if there exist a read and a write to a vari-
able, such that they are not real-time ordered with respect to
each other, then the read can observe any junk value. We de-
note Junk-SC as Mjunk = (τ, RSC ), where τ is given as:
τ(wr, x, v) = havoc(x) · (wr, x, v) and τ(o) = o otherwise.
Classes of memory models. We now present a classification of
memory models on the basis of reorderings they allow. We build
the following four classes depending upon the restrictions posed
by the memory model.
1. We first describe the class Mrr which represents the read-read
restrictive memory models. We let Mrr = M irr ∪Mcrr ∪Mdrr ,
where:
M irr is the set of memory modelsM = (τI , R) such that for all
histories h, for all i, j ∈ N, if operation i is a read operation to
x and operation j is a read operation to y such that x 6= y, and
both operations i, j are by process p, then for all view orders
v ∈ R(h), for all p′ ∈ P , we have (i, j) ∈ v(p′).
Mcrr be the set of memory modelsM = (τI , R) such that for all
histories h, for all i, j ∈ N, if operation i is a read operation to x
and operation j is of the form (((cdrd, v,K), y), p, j) for some
v and K ⊆ N such that x 6= y and i ∈ K, and both operations
i, j are by process p, then for all view orders v ∈ R(h), for all
p′ ∈ P , we have (i, j) ∈ v(p′).
Similarly, we defineMdrr as the set of memory models which do
not allow to reorder two read operations to different variables,
if the second operation is data-dependent on the first operation.
Generally, if a memory model M is in M irr , then M ∈ Mcrr
and M ∈Mdrr .
2. We define the class of read-write restrictive memory models as
Mrw =M
i
rw ∪Mcrw ∪Mdrw , where:
M irw is the set of memory modelsM = (τI , R) such that for all
histories h, for all i, j ∈ N, if operation i is a read operation to
x and operation j is a write operation to y such that x 6= y, and
both operations i, j are by process p, then for all view orders
v ∈ R(h), for all p′ ∈ P , we have (i, j) ∈ v(p′).
Mcrw is the set of memory modelsM = (τI , R) such that for all
histories h, for all i, j ∈ N, if operation i is a read operation to x
and operation j is of the form (((cdwr, v,K), y), p, j) for some
v and K ⊆ N such that x 6= y and i ∈ K, and both operations
i, j are by process p, then for all view orders v ∈ R(h), for all
p′ ∈ P , we have (i, j) ∈ v(p′).
Similarly, we define Mdrw as the set of memory models which
do not allow to reorder a read followed by a write operation to a
different variable, if the second operation is data-dependent on
the first operation.
3. We define the class of write-read restrictive memory models as
Mwr , where M = (τI , R) belongs to Mwr if for all histories
h, for all i, j ∈ N, if operation i is a write operation to x
and operation j is a read operation to y such that x 6= y, and
both operations i, j are by process p, then for all view orders
v ∈ R(h), for all p′ ∈ P , we have (i, j) ∈ v(p′).
4. We define the class of write-write restrictive memory models as
Mww , where M = (τI , R) belongs to Mww if for all histories
h, for all i, j ∈ N, if operations i and j are write operations to
x and y such that x 6= y, and both operations i, j are by process
p, then for all view orders v ∈ R(h), for all p′ ∈ P , we have
(i, j) ∈ v(p′).
We classify some well-known memory models in these classes.
• SC memory model MSC is in M irr ∩M irw ∩Mwr ∩Mww .
• TSO memory modelMtso is inM irr ∩M irw ∩Mww andMtso /∈
Mwr .
• Partial store order (PSO) memory modelMpso is inM irr ∩M irw
and Mpso /∈Mww ∪Mwr .
• Relaxed memory order (RMO) Mrmo is in Mdrr ∩ Mrw and
Mrmo /∈ Mww ∪Mwr . Moreover, note that Mrmo /∈ M irr and
Mrmo /∈M irw .
• Alpha memory model Malpha is in Mrw and Malpha /∈ Mrr ∪
Mwr ∪Mww .
Note that these classes do not impose any restrictions on views
of different processes, and thus memory models which allow non-
atomic stores (like IA-32 [5]) can also be classified under these
classes. For example, the IA-32 memory model has a similar clas-
sification as TSO.
3.3 Parametrized opacity
We now define the notion of parametrized opacity, i.e., opacity
parametrized by a given memory modelM . Recall that, intuitively,
parametrized opacity requires that (1) every transaction appears as
if it took place instantaneously between its first and last operation,
and (2) non-transactional operations ensure the requirements spec-
ified by the given memory model.
We say that a history h ensures opacity parametrized by a mem-
ory model M = (τ,R), if there exists a total order  on the set
of transactional operations in h and a process view v ∈ R(τ(h)),
such that, for every process p ∈ P , there exists a sequential his-
tory s that satisfies the following conditions:
1. s is a permutation of τ(h),
2. s respects relation ∪ ≺h ∪ v(p), and
3. every operation is legal in s.
For example, the history h shown in Figure 3(a) is parametrized
opaque with respect to memory model MSC if v = 1. This is
because: (a) operation 3 reads the value of y as 1 which is written
by the transaction of process p1, (b) operation 1 writes x as 1
before the transaction, and (c) SC requires that p2 reads x after
y. Moreover, h is parametrized opaque with respect to memory
model Mrmo if v = 0 or v = 1. This is because RMO allows
to reorder reads of different variables. h is parametrized opaque
with respect to Mjunk if v = 1 for the same reasons as for MSC .
But note that if operation 3 read y as 0, then opacity parametrized
by Mjunk allows operation 6 to read any value v ∈ N.
4. TM Implementations
In this section, we define a TM implementation I, and when a given
TM implementation ensures opacity parametrized by a given mem-
ory model M . Intuitively, I ensures opacity parametrized by M if
every history generated by I ensures opacity parametrized by M .
We thus need to define what a TM implementation is, and precisely
which histories are generated by a given TM implementation.
Instructions. We start by defining hardware primitives that a TM
implementation is allowed to use. Let Addr be a set of memory
p1 p2
((., start), 1)
(〈cas g, 0, 1〉, 1)
((., (rd, x, 1)), 2)
((/, start), 1)
((〈load x, 1〉), 2)
((., (wr, x, 1)), 3)
((/, (rd, x, 1)), 2)
((〈store ax, 1〉, 3)
((/, (wr, x, 1)), 3)
((., commit), 4)
(〈store g, 0〉, 4)
((/, commit), 4)
(a) Trace r
p1 p2
(start, 1)
((rd, x, 1), 2)
((wr, x, 1), 3)
(commit, 4)
(b) History h1
p1 p2
((rd, x, 1), 2)
(start, 1)
((wr, x, 1), 3)
(commit, 4)
(c) History h2
Figure 4. A trace and corresponding histories. Notation: (in, k)
under column p represents the instruction instance (in, p, k)
addresses. We define the set In of instructions as follows, where
a ∈ Addr and v, v′ ∈ N:
In ::= 〈load a, v〉 | 〈store a, v〉 | 〈cas a, v, v′〉
We call the store and CAS instructions as update instructions.
An operation of a history corresponds to a sequence of instructions.
To know the begin and end points of an operation at the level of
hardware, we use two special instructions ., / for each operation.
For every operation o ∈ Oˆ , we denote the invocation (instruction)
of o as (., o), and the response (instruction) of o as (/, o). Let
Iˆn = In ∪ ({., /} × Oˆ).
Traces. We define an instruction instance as (in, p, k), where
in ∈ Iˆn is an instruction, p ∈ P is the process that issues the
instance, and k ∈ N is an operation identifier. Every instruction
instance (in, p, k) is said to correspond to operation k.
A trace r ∈ (Iˆn × P × N)∗ is a sequence of instruction in-
stances. Let k ∈ N be an operation identifier. A complete opera-
tion trace of operation k is a sequence of the form ((., o), p, k)
(in1, p, k) . . . (inm, p, k) ((/, o), p, k), where p ∈ P is a process,
o ∈ Oˆ is an operation, and in1 . . . inm ∈ In are instructions. An
incomplete operation trace of operation k is a sequence of the form
((., o), p, k) (in1, p, k) . . . (inm, p, k), where p ∈ P , o ∈ Oˆ , and
in1 . . . inm ∈ In .
Let r be a trace. Given a process p ∈ P , we denote by r|p
the longest subsequence of instruction instances in r issued by
process p. We assume that every trace r satisfies the following
property: for every process p ∈ P , the sequence r|p is a sequence
of complete operation traces, possibly ending with an incomplete
operation trace. We say that a history h corresponds to a trace r if:
1. Given any natural number k, an operation k is in h if and only if
there is an instruction instance that corresponds to operation k
in r, and
2. Operation k occurs before operation j if some instruction in-
stance that corresponds to operation k occurs in r before some
instruction instance that corresponds to operation j.
Intuitively, a history h that corresponds to a trace r represents the
logical order of operations in r. If we assigned a point in time to
every instruction in r, and every operation in h, then every oper-
ation (o, k) in h must be somewhere in between the correspond-
ing invocation instruction ((., o), p, k)) and response instruction
((/, o), p, k) in r.
For example, consider the trace r shown in Figure 4(a). In r, the
start operation issues a CAS instruction to address g to change the
value from 0 to 1, and the commit instruction stores value 0 to g.
Histories h1 and h2 are two examples of histories that correspond
to r.
A trace r is well-formed if every history h corresponding to r is
well-formed. We assume that every trace is well-formed.
Let r be a trace, and p be a process. A transaction T of p in r
is a sequence in r|p of the form ((., start), p, k) (in1, p, k1) . . .
(inm, p, km), where the following conditions are satisfied:
• inm ∈ {(/, commit), (/, abort)}, or (inm, p, km) is the last
instruction instance of rp, and
• for all j s.t. 1 ≤ j < m, we have inj /∈ {(., start),(/, commit),
(/, abort)}
Moreover, T is committed (resp. aborted) if the last instruction
instance in T is a response of a commit (resp. abort) operation.
An instance ((., o), p, k) of an invocation is said to be transac-
tional in a trace r if it belongs to some transaction in r. Otherwise,
the instance is said to be non-transactional. For example, consider
the trace r shown in Figure 4(a). The (single) invocation instance
of process p2 is non-transactional, while all invocation instances of
process p1 are transactional in r.
TM implementations. A TM implementation I = 〈IT , IN 〉 is a
pair, where IT : Oˆ → 2In∗ is the implementation for transactional
operations, and IN : O → 2In∗ is the implementation for non-
transactional operations.
Let I = 〈IT , IN 〉 be a TM implementation. We say that a
complete operation trace ((., o), p, k) (in1, p, k) . . . (inm, p, k)
((/, o), p, k) is transactionally (resp. non-transactionally) gener-
ated by I, if sequence in1 . . . inm is in IT (o) (resp. in IN (o)).
We say that an incomplete operation trace ((., o), p, k) (in1, p, k)
. . . (inm, p, k) is transactionally (resp. non-transactionally) gen-
erated by I, if sequence in1 . . . inm is a prefix of some element
in IT (o) (resp. in IN (o)).
Given a trace r and a TM implementation I, we say that r is
generated by I if for every transactional (resp. non-transactional)
operation k in r, the complete or incomplete operation trace of op-
eration k in r is transactionally (resp. non-transactionally) gener-
ated by I.
Instrumentation. We say that a TM implementation I = 〈IT , IN 〉
is uninstrumented if for every variable x, we have IN (rd, x, v) =
{〈load ax, v〉} and IN (wr, x, v) = {〈store ax, v〉}, where ax is
the address of variable x. Otherwise, the TM implementation is in-
strumented. Note that these terms refer only to the implementation
of non-transactional operations.
Languages. We define the language L(I) of a TM implemen-
tation as the set of all traces generated by a TM implementa-
tion. We define that a TM implementation I guarantees opacity
parametrized by a memory model M if, for every trace r ∈ L(I),
there is a history h that corresponds to r such that h ensures opacity
parametrized by M .
Note that our definition of a trace does not require that after
an instruction of the form 〈store ax, v〉, the subsequent load of ax
is of the form 〈load ax, v〉. Indeed, the underlying hardware may
execute a relaxed memory model (which, in principle, may be dif-
ferent from the programmer’s memory model at the level of opera-
tions). For example, a programmer may wish to guarantee opacity
parametrized by sequential consistency on a hardware with mem-
ory model RMO. But for the sake of simplicity, in this follow-
ing sections, we assume that the underlying hardware guarantees
a strong memory model equivalent to linearizability, that is, every
instruction is executed to completion when it is issued. Note that
our impossibility results hold even when the underlying hardware
executes a weaker memory model.
5. Achieving Parametrized Opacity
We use our framework to investigate the inherent cost of achieving
opacity parametrized by a memory model.
5.1 Uninstrumented TM implementations
We first study uninstrumented TM implementations. We show that
for most of the practical memory models, uninstrumented TM
implementations cannot achieve parametrized opacity. Moreover,
we show that even to achieve opacity parametrized by very relaxed
memory models, it is required that transactional write operations
are implemented as expensive compare-and-swap instructions.
We start with a lemma which states that if a committed transac-
tion consists of a write operation, then the transaction must consist
of a store or a compare-and-swap instruction.
Lemma 1. For every memory model M , an uninstrumented TM
implementation I guarantees parametrized opacity only if for all
traces r ∈ L(I), for every committing transaction T in r, if there
is an operation (wr, x, v) in T , then the transaction T in r consists
of an update instruction to ax with value v.
Proof. Let the value of ax be initially 0. Consider a trace r with
a single process p (shown in Figure 5(a)). Let T be a committed
transaction of process p in r, such that T consists of an opera-
tion o1 = (wr, x, v). Let r consist of a non-transactional opera-
tion o2 = (rd, x, v′), such that the invocation of o2 occurs after
the last instruction of T , that is, the response of the commit op-
eration. As the TM implementation I is uninstrumented, we have
IN (rd, x, v′) = {〈load ax, v′〉}. Note that as r has a single pro-
cess, there is only one history h corresponding to r. By definition
of ≺h, we know that o1 ≺h o2. Thus, to guarantee parametrized
opacity, we must have v = v′. Thus, T must issue an update in-
struction to ax with value v.

Using the above lemma, we now prove that for memory models
which restrict the order of some pair of read or write operations to
different variables, parametrized opacity cannot be achieved.
Theorem 1. Given a memory model M such that M ∈ (Mrr ∪
Mrw ∪Mwr ∪Mww ), there does not exist an uninstrumented TM
implementation that guarantees opacity parametrized with respect
to M .
Proof. We prove the theorem in four parts, where each part corre-
sponds to one of the cases of ordering restrictions between read and
write operations. In every case, we construct a trace r with two pro-
cesses p1 and p2, where p1 executes a transaction T , and p2 issues
non-transactional (and possibly transactional) operations in such a
way that for every history corresponding to r, there is no sequen-
tial history s which respects the restriction posed by the memory
model, and at the same time, every operation in s is legal. In every
case, ax and ay are initialized to 0.
Case 1. Let M ∈ Mrr . That is, M does not allow to reorder two
read operations to different variables. The trace r is shown in Fig-
ure 5(b). Let T consist of operations (wr, x, v1) and (wr, y, v2).
From Lemma 1, we know that T updates addresses ax and ay with
values v1 and v2 respectively. Without loss of generality, we as-
sume that ax is updated before ay .2 Let the trace r consist of two
non-transactional operations (rd, x, v3) and (rd, y, v4) issued by
process p2 (with identifiers j and k respectively). As I is unin-
strumented, the non-transactional read operations are implemented
as load instructions. Let the two load instructions 〈load a, v3〉 and
〈load a, v4〉 of process p2 execute between the updates of ax and
2 Figure 5(b) shows the updates as part of the commit operation. In general,
the updates can happen anywhere during the transaction, but always as two
separate instructions.
p
(., start)
. . .
(/, start)
(., (wr, x, v))
. . .
(/, (wr, x, v))
(., commit)
. . .
(/, commit)
(., (rd, x, v′))
〈load ax, v′〉
(/, (rd, x, v′))
(a) Lemma 1
p1 p2
(., start)
. . .
(/, start)
(., (wr, x, v1))
. . .
(/, (wr, x, v1))
(., (wr, y, v2))
. . .
(/, (wr, y, v2))
(., commit)
. . .
〈update ax, v1〉
. . .
(., (rd, x, v3))
〈load ax, v3〉
(/, (rd, x, v3))
(., (rd, y, v4))
〈load ay , v4〉
(/, (rd, y, v4))
〈update ay , v2〉
. . .
(/, commit)
(b) Theorem 1, Case 1
p1 p2
(., start)
. . .
(/, start)
(., (rd, x, v1))
. . .
(/, (rd, x, v1))
(., (wr, y, v2))
. . .
(/, (wr, y, v2))
(., commit)
. . .
(., (wr, x, v3))
〈store ax, v3〉
(/, (wr, x, v3))
(., (rd, y, 0))
〈load ay , 0〉
(/, (rd, y, 0))
〈update ay , v2〉
. . .
(/, commit)
(c) Theorem 1, Case 2
p1 p2
(., start)
. . .
(/, start)
(., (wr, x, v1))
. . .
(/, (wr, x, v1))
(., (wr, y, v2))
. . .
(/, (wr, y, v2))
(., commit)
. . .
〈update ax, v〉
(., (rd, x, v3)
〈load ax, v3〉
(/, (rd, x, v3)
(., (wr, y, v4))
〈store ay , v4〉
(/, (wr, y, v4))
((., (wr, y, 0))
〈store ay , 0〉
((/, (wr, y, 0))
〈update ay , v〉
. . .
(/, commit)
(., start)
. . .
(/, commit)
(., (rd, x, v5))
〈load ax, v5〉
(/, (rd, x, v5))
(., (rd, y, v6))
〈load ay , v6〉
(/, (rd, y, v6))
(d) Theorem 1, Case 3
p1 p2
(., start)
. . .
(/, start)
(., (rd, x, v))
. . .
(/, (rd, x, v))
(., (wr, x, v′))
. . .
(/, (wr, x, v′))
(., commit)
. . .
(., (wr, x, v1)
〈store ax, v1〉
(/, (wr, x, v1)
〈store ax, v′〉
(., (rd, x, v2)
〈load ax, v2〉
(/, (rd, x, v2)
. . .
(/, commit)
(., start)
. . .
(/, commit)
(., (rd, x, v3))
〈load ax, v3〉
(/, (rd, x, v3))
(e) Theorem 2
Figure 5. Different traces r constructed in Lemma 1, Theorem 1,
and Theorem 2. An 〈update a, v〉 instruction denotes a store or a
successful cas instruction to address a with value v. We omit the
instruction idenfiers. We use . . . as a shorthand for a sequence of
instructions.
ay . Thus, we have v3 = v1 and v4 = 0. Note that if T is an
aborted transaction in r, then there is no history h corresponding to
r such that h satisfies opacity parametrized by M . This is because
operation j observes the update to ax. Thus, let T be a committed
transaction in r. Consider an arbitrary history h corresponding to r.
By definition of Mrr , every view function v ∈ R(h) requires that
(j, k) ∈ v(p) for all p ∈ P . On the other hand, legality requires
operation j to appear after T , and operation k to appear before T .
Thus, there does not exist a sequential history which satisfies con-
ditions 2 and 3 at the same time.
Case 2. Let M ∈ Mwr . That is, M does not allow to re-
order a write followed by a read operation to a different variable.
The trace r is shown in Figure 5(c). Let T consist of operations
o1 = (rd, x, v1) and o2 = (wr, y, v2). From Lemma 1, we know
that T updates address ay with value v2. Let r consist of two non-
transactional operations of p2 in the order (wr, x, v3) (with identi-
fier j) followed by (rd, y, 0) (with identifier k), such that v3 6= v1.
As I is uninstrumented, p2 executes 〈store ax, v3〉 followed by
〈load ay, 0〉. Let these two instructions execute after the response
of o1 and immediately before the update of ay by process p1.3 Note
that as p2 does not change the value of ay , the use of CAS instruc-
tion by p1 to update ay will be successful. Moreover, the key point
to note here is that once p1 updates ay with value v2, the transaction
T cannot abort. This is because r can be extended to trace r′, where
a non-transactional read by process p2 executes 〈load ay, v2〉. If T
is an aborted transaction, then no history corresponding to r′ is
parametrized opaque with respect to M . Thus, T is a committed
transaction. Consider an arbitrary history h corresponding to r. Le-
gality requires that operation k occurs before T and operation j
occurs after T . By definition of Mwr , every view v ∈ R(h) re-
quires that (j, k) ∈ v(p) for all p ∈ P . Thus, h does not ensure
opacity parametrized by M .
Case 3. Let M ∈ Mrw . That is, M does not allow to re-
order a read followed by a write operation to a different variable.
The trace r is shown in Figure 5(d). Let T consist of operations
o1 = (wr, x, v1) and o2 = (wr, y, v2). From Lemma 1, we know
that T updates addresses ax and ay with values v3 and v4. Without
loss of generality, we assume that ax is updated before ay . Process
p2 issues the following operations non-transactionally in the order:
(rd, x, v3), (wr, y, v4), (wr, y, 0). As I is uninstrumented, these
three operations are executed as: 〈load ax, v3〉, 〈store ay, v4〉, and
〈store ay, 0〉. Let r be such that these three instructions occur im-
mediately before the update of ay with value v2. As p2 changes
and restores the value of ay to 0, process p1 does not observe the
change, and thus, the update of ay with value v2 is successful. As
in case 2, T cannot be an aborting transaction, once T updates ay .
We now extend r as follows: after the response of the commit op-
eration of T , let p2 execute a transaction T ′ followed by two non-
transactional operations: (rd, x, v5), (rd, y, v6). Note that v5 = v1
and v6 = v2. Consider an arbitrary history h corresponding to r.
Legality requires that the first non-transactional read by process p2
occurs after T , and the two non-transactional writes of p2 occur
before T . This contradicts the expected view order for a memory
model M ∈ Mrw . Thus, the history h does not ensure opacity
parametrized by M . We also show that T cannot update ay with
value 0 due to the following argument: consider a trace r′ which
is identical to r, except that in r′, process p2 does not issue the
two non-transactional writes. At the point where p1 updates ay , it
cannot observe a difference from trace r (as process p2 uses two
store instructions for the non-transactional write operations). Con-
sider an arbitrary history h corresponding to r′. Legality requires
3 For simplicity, we assume that the transaction loads the value of ax before
the response of o1. The argument holds in general, as the value of ax is
loaded before the update of ay .
that the last two non-transactional operations by p2 see value v1
and v2. Thus, p1 cannot update ay to 0 in transaction T .
Case 4. Let M ∈ Mww . That is, M does not allow to reorder
two write operations to different variables. The trace r is similar
to the one for case 3, shown in Figure 5(d), except that p1 has
two read operations, and the first operation of p2 is a write instead
of a read operation. Let T consist of four operations: (rd, x, v1),
(rd, y, v2), (wr, x, v3) and (wr, y, v4). As in case 3, we know
that T updates addresses ax and ay with values v3 and v4, and
we assume that ax is updated before ay . Let the trace r consist
of three non-transactional operations of process p2 in the order
(wr, x, v5), (wr, y, v6), (wr, y, 0). As I is uninstrumented, the non-
transactional write operations are implemented as store instruc-
tions. Let the three store instructions: 〈store ax, v5〉, 〈store ay, v6〉,
and 〈store ay, 0〉 by process p2 occur immediately before the up-
date of ay with value v4 by process p1 in trace r. As in case 2,
T cannot be an aborting transaction, after it updates ay . We can
extend the trace r exactly as in case 3 now, and show a contradic-
tion between the legality and the view order required by a memory
model M ∈ Mww . Thus, for every history h corresponding to r,
we know that h does not ensure opacity parametrized by M .

We saw in classification of memory models (Section 3.2) that
most of the practical memory models do restrict some order of
operations. Thus, Theorem 1 gives an intuition that without in-
strumentation, it is not possible to achieve opacity parametrized
by practical memory models. We now show that for an idealized
memory model, which allows reordering all operations to different
variables, achieving parametrized opacity is still expensive: a TM
implementation must use cas instruction within a transaction to up-
date every variable which is read and written by the transaction.
Theorem 2. For a memory model M , an uninstrumented TM
implementation I guarantees parametrized opacity with respect to
M only if for all traces r ∈ L(I), for all variables x, if a committed
transaction T consists of operations (rd, x, v) and (wr, x, v′), then
T consists of a 〈cas x, v, v′〉 instruction.
Proof. Consider a trace r with two processes p1 and p2 as shown
in Figure 5(e). Let T be a transaction of process p1 in r, such that
T consists of operations (rd, x, v) and (wr, x, v′). By Lemma 1,
we know that T updates ax with value v′ using either a store or
a compare-and-swap instruction. Suppose T changes the value of
ax using a store instruction. Let r consist of two non-transactional
operations (wr, x, v1) followed by (rd, x, v2) of process p2. As I
is uninstrumented, we know that a read operation is implemented
as a load, and a write as a store. Consider the trace r where
〈store ax, v1〉 instruction of process p2 occurs immediately be-
fore 〈store ax, v′〉 instruction of process p1 and the instruction
〈load x, v2〉 occurs immediately after 〈store x, v′〉, such that we
get v2 = v′. For a corresponding history of r to be parametrized
opaque with respect to M , the transaction T has to be a commit-
ted transaction. After the response of the commit of T , let there
be an empty transaction T ′ of process p2 in r followed by a non-
transactional read of x, with a load instruction 〈load x, v3〉. Note
that we have v3 = v′. We argue that irrespective of the memory
model M , there does not exist a history h corresponding to r such
that h ensures opacity parametrized by M . This is because the op-
eration (wr, x, v1) of process p1 can appear neither before T (as the
read of v in T returns 0), nor after T (as the read after T ′ returns
v′). Thus, an uninstrumented TM implementation has to use a cas
instruction to update a variable in a transaction T , if T consists of
both read and write operations to T .

Now, we establish a complementary result to Theorem 1. We
show that with an idealized memory model which relaxes the order
On transaction start:
lg := g
while (lg 6= p) do
〈cas g, lg, p〉
endwhile
return
On transaction write of x with value v′:
issue a transactional read of x
if x ∈ writeset(p) then
update (x, v) to (x, v′) in writeset(p)
return
endif
add (x, v) to writeset(p)
On transaction read of x:
if x /∈ readset(p) then
〈load ax, v〉
add (x, v) to readset(p)
return v
endif
return v s.t. (x, v) ∈ readset(p)
On transaction abort:
empty readset(p)
empty writeset(p)
On transaction commit:
while writeset(p) is not empty
pick and remove (x, v′) from writeset(p)
pick and remove (x, v) from readset(p)
〈cas x, v, v′〉
endwhile
〈store g, 0〉
return
Figure 6. A global lock based TM implementation
of all operations to different variables, it is possible to obtain
parametrized opacity with an uninstrumented TM implementation.
Theorem 3. Given a memory model M /∈ (Mrr ∪Mrw ∪Mwr ∪
Mww ), there exists an uninstrumented TM implementation which
guarantees parametrized opacity with respect to M .
Proof. Consider an uninstrumented global lock based TM imple-
mentation I described in pseudo code in Figure 6. I acquires a
global lock g during the start of each transaction, and releases the
lock (using 〈store g, 0〉) immediately before the response of the
commit or abort of the transaction. Moreover, for every variable x,
every transaction T loads the value of ax only at the first read or
write operation to x within T (if such an operation exists in T ), and
if T writes to x, then I uses a CAS instruction to update ax in T .
Consider an arbitrary trace r ∈ L(I). Consider a history h corre-
sponding to the trace r obtained by choosing the following logical
points of execution of an operation within an operation trace: start
operation at the successful cas instruction, commit and abort oper-
ations at 〈store g, 0〉 instruction, every non-transactional read at the
load instruction, every non-transactional write at the store instruc-
tion, and every transactional read or write at the invocation. First,
we note that the history h obtained is such that for every pair T, T ′
of transactions in h, either T ≺h T ′ or T ′ ≺h T . Now, consider
a variable x and a transaction T in h. Let k1 . . . kn be a sequence
of non-transactional operation instances to x in h, which occur be-
tween the first and last operations of the transaction T . We create
a sequential history s from h by repeating the following two steps
for all variables:
Step 1. Consider an non-transactional write operation ki for some
1 ≤ i ≤ n. If there is no load or cas of x in T after the
store instruction with identifier ki in r, we place all operations
ki . . . kn after the transaction T in s. For all other non-transactional
write operations ki, we we place all operations k1 . . . ki before
the transaction T in s. We now have no non-transactional write
operation to x between the first and last operations of T .
Step 2. For all remaining non-transactional read operations o, we
place o before T in s if the load instruction corresponding to o
precedes the update to x by T in r, and after T otherwise.
Note that as the memory model freely allows to reorder instruc-
tions to independent variables, we can move operations of different
variables freely with respect to each other. Moreover, the two steps
do not change the order of non-transactional operations of a process
to a variable.

5.2 Instrumented TM implementations
In practice, TM implementations use instrumentation of non-
transactional operations to achieve parametrized opacity. We now
investigate instrumented TM implementations. Generally, a his-
tory contains more read operations than write operations. So, it is
worthwhile to study whether we can achieve parametrized opacity
by just instrumenting the non-transactional write operations and
leaving the non-transactional read operations uninstrumented.
We first show that it is indeed possible to achieve parametrized
opacity with uninstrumented reads for a class of memory models
that allow to reorder read operations. The construction implements
non-transactional write operations as single operation transactions.
Theorem 4. There exists a TM implementation with uninstru-
mented reads that guarantees parametrized opacity for memory
models M /∈Mrr .
Proof. Consider a global lock based TM implementation I that
treats transactional operations as in the proof of Theorem 3, and
shown in Figure 6. Moreover, I implements a non-transactional
write operation (wr, x, v) as: acquire the global lock g using cas (as
in transaction start), followed by the instruction 〈store x, v〉, fol-
lowed by 〈store g, 0〉. Intuitively, I treats every non-transactional
write operation as a transaction in itself. I implements non-
transactional read operations as load instructions (no instrumen-
tation).
Consider an arbitrary trace r ∈ L(I). Note that there exists a
history h corresponding to r (obtained using the logical points as
in Theorem 3) such that no non-transactional write occurs between
the start and commit/abort of a transaction, and for every pair T, T ′
of transactions, either T ≺h T ′ or T ′ ≺h T . Consider a variable x.
Given a transaction T in h, let k1 . . . kn be the identifiers of non-
transactional operation instances in h, which occur between the
first and last operation of the transaction T . We create a sequential
history s from h as in Theorem 3: for all non-transactional read
operations o to x, we place o before T in s if the load instruction
corresponding to o precedes the cas instruction to x by T in r, and
after T otherwise. Note that as the memory model freely allows to
reorder read operations to different variables, we can move reads of
different variables freely with respect to each other.

Note that this construction implements non-transactional write
operations using a cas instruction to acquire locks. Thus, a non-
transactional write operation is implemented in an expensive man-
ner. Moreover, a non-transactional write may may take an arbitrar-
ily long time to complete in this construction. Formally speaking,
we have (〈load g, 0〉)∗ ∈ I(o) if o is a write operation. We would
like to create a TM implementation with inexpensive instrumenta-
tion.
Given a TM implementation I, we say that a non-transactional
write operation has constant-time instrumentation in I if there
exists a constant c such that for every operation o ∈ (wr×Obj×N),
every instruction sequence in IN (o) has length at most c. We now
prove an interesting result, where we present a TM implementation,
with no instrumentation on reads and constant-time instrumentation
on writes, which guarantees opacity parametrized by a memory
models that allow reordering read/write followed by a read of a
different variable.
Theorem 5. There exists a TM implementation I with constant-
time instrumentation of writes and no instrumentation of reads such
that I guarantees opacity parametrized by a memory model M ,
where M /∈Mrr ∪Mwr .
Proof. We build a TM implementation I which uses a global lock
to execute transactions (as in Theorem 3 and 4). Moreover, I uses
a version number per process. When a process p issues a non-
transactional write operation , p increments its version number,
and writes the value, the process id, and the version number us-
ing a store instruction. I does not use instrumentation for non-
transactional read operations. Now, we prove that I guarantees
opacity parametrized by M , where M /∈Mrr ∪Mwr . Consider an
arbitrary trace r ∈ L(I). Consider a history h corresponding to the
trace r obtained by choosing the logical points as in Theorem 3. We
know thhat for every two transactions T, T ′ in h, we have T ≺h T ′
or T ′ ≺h T . Consider an arbitrary transaction T in h and a variable
x. Let k1 . . . km be the identifiers of the non-transactional opera-
tions to x that occur between the first and last operation of T in h.
Note that as I uses cas instruction for variables which are written in
a transaction, no non-transactional write to x stores to ax between
a load and an update of ax in T . We thus can obtain a sequential
history from h by repeating the following for all variables x and for
all transactions in h: for a non-transactional operation ki to x such
that operation ki occurs between the start and end of transaction T ,
if the corresponding store (or load) to ax occurs after the update
of ax in T , we place operation ki after T in s, otherwise we place
ki before T in s. We place remaining non-transactional read oper-
ations before T . Note that it cannot happen that the corresponding
store of a non-transactional write operation ki to ax occurs after a
load and before an update to ax.
If a process issues non-transactional reads of x and y, such
that their corresponding loads occur between the updates by a
transaction, we need to reorder the non-transactional reads for
legality. Thus, we want M /∈Mrr . Similarly, note that if a process
issues a non-transactional write of x followed by a read of y, such
that the corresponding store to ax and load of ay occur between
the updates to ax and ay , we need to reorder the non-transactional
access for legality. Thus, we wantM /∈Mwr . But interestingly, we
built I in such a way that it first adds all variables to be updated
in the writeset. Only then, I starts updating the variables using
cas instruction. Hence, if a process issues a non-transactional read
which loads a value updated by T , we know that every following
non-transactional write can also occur after T . Thus, we do not
require that M /∈ Mrw . Similarly, if a process issues two non-
transactional writes, then we know that either both the writes occur
before T or after T . This implies that I guarantees parametrized
opacity even for memory models which restrict the order of a
read/write followed by a write to a different variable, but allow
reordering read/write followed by a read to a different variable.

Relaxed memory models like Alpha [28] are neither in Mrr ,
nor in Mwr . So, this construction provides an inexpensive way
to guarantee opacity parametrized by memory models like Alpha.
Moreover, memory models like RMO and Java are in Mdrr , that
is, they do not allow data dependent reads to reorder. But, these
memory models do allow independent reads or control-dependent
reads to reorder. This implies that if we use special synchronization
for data-dependent reads, we can use the result of Theorem 5 for a
vast class of memory models.4
6. Discussion
We first discuss the practical implications of our work. Then, we
discuss how our framework can be extended to formalize weaker
notions of correctness, like single global lock atomicity.
6.1 Impact on practical TM implementations
The core contribution of our theoretical framework is to provide
TM designers with a correctness property that exploits the inherent
relaxations of the underlying memory model. For example, most
memory models, like TSO, PSO, RMO, Alpha, and Java allow to
reorder a write operation followed by a read/write operation. On the
other hand, the only TM implementation [27] we know of which
guarantees strong atomicity, indeed guarantees parametrized opac-
ity with respect to sequential consistency. Given that a programmer
expects behavior of non-transactional operations within the scope
of behaviors under the given memory model, one can build a more
efficient implementation which guarantees opacity with respect to
the programmer’s memory model.
A TM implementation for strong atomicity. We give a brief de-
scription of the TM implementation by Shpeisman [27]. Intuitively,
the TM implementation maintains a transactional record for ev-
ery variable. The record implements the locking discipline. Each
record can be in four possible states: shared, exclusive, exclusive
anonymous, and private. The shared state allows concurrent ac-
cess to a number of reading transactions. The exclusive state allows
read-write access to a single transaction. The exclusive anonymous
state allows a process to have read-write access non-transactionally.
Variables in private state are visible to only one process. In this TM
implementation, a non-transactional read needs to check whether
the variable is being written concurrently by a transaction. More-
over, non-transactional writes have to gain ownership (go to exclu-
sive anonymous state) of a variable before performing the write.
We argue that depending upon the memory model M , this
design can be optimized to guarantee opacity parametrized by M .
Carrying our results from the previous section, if M allows to
reorder a read/write with a following read of a different variables,
then the non-transactional read operations can be uninstrumented.
6.2 Weaker notions of correctness
Apart from the intuitive strong correctness property, parametrized
opacity, which requires that transactions be isolated from other
transactions and non-transactional operations, weaker notions of
correctness have also been considered in the literature. Some claim
that transactions should behave as global locks, thus isolating trans-
actions from other transactions, but not from non-transactional op-
erations. This yields the correctness property called single global
lock atomicity (SGLA). We now formalize SGLA and show that
SGLA is strictly weaker than parametrized opacity for every mem-
ory model M . We also show that the impossibility result given in
Theorem 1 for parametrized opacity does not hold for SGLA.
SGLA. We slightly modify the framework we developed in Sec-
tion 2 and 3. SGLA requires a weaker notion of sequential history,
where transactions execute sequentially, but non-transactional op-
erations may be concurrent with transactions. A history h is trans-
4 In practice, memory models like Java enforce strict ordering of operations
marked with the volatile keyword. Indeed, these volatile accesses have to be
treated differently than simple non-transactional accesses. For example, a
volatile access may be considered as a single operation transaction. Volatile
accesses are few and inherently expensive, even in non-transactional pro-
grams.
actionally sequential if for every transaction T in h, every opera-
tion instance between the start operation instance of T and the last
operation instance of T in h is either an operation instance of T , or
a non-transactional operation instance.
The behavior of locks in terms of reorderings with other oper-
ations of the process depends upon the memory model. Thus, we
cannot enforce a strict ordering between non-transactional opera-
tions and following or preceding transactions. Instead of defining
a precedence relation between operations in a history using ≺h,
we now define the partial order using the memory model. Recall
that when we talk of a memory model for parametrized opacity, a
view does not enforce an order on start, commit, and abort oper-
ations. Whereas, when we formalize SGLA, a start operation has
the memory model semantics of a lock operation, whereas commit
and abort operations have the memory model semantics of an un-
lock operation. Thus, a memory model for SGLA can be seen as an
extension of a memory model for parametrized opacity.
We say that a history h ensures SGLA parametrized by a mem-
ory model M = (τ, R), if there exists an ordering function v ∈
R(τ(h)), such that, for every process p ∈ P , there exists a trans-
actionally sequential history s such that
1. s is a permutation of τ(h)
2. s respects the total order v(p), and
3. every operation in legal in s.
Note that the general definition of a memory model for SGLA
may allow counterintuitive results, when a non-transactional access
following a transaction is allowed to precede the transaction in
a view, or two processes may view two transactions to execute
in different orders. Based on this intuition, in the framework for
SGLA, we define that M ′ = (τ,R′) is a well-formed extension of
M = (τ, R) if: (i) for every history h, for every view v ∈ R′(h),
for every pair (o, p1, i), (o′, p2, j) of operation instances such that
o and o′ belong to {start,commit,abort}, for all processes p, p′ ∈
P , if (i, j) ∈ v(p), then (i, j) ∈ v(p′), (ii) for every history h and
for every process p ∈ P , if a non-transactional operation j of p
precedes a transaction T of p in h, then there exists a v ∈ R(h),
such that for every process p′ ∈ P , we have (k, j) ∈ v, where
operation k is the start operation of transaction T . (iii) for every
history h and for every process p ∈ P , if a non-transactional
operation j of p precedes a transaction T of p in h, then there does
not exist v ∈ R(h), such that for some process p′ ∈ P , we have
(k, j) ∈ v, where operation k is the commit or abort operation of
transaction T .
Theorem 6. Given a history h and a memory model M , if h
ensures parametrized opacity with respect to M , then h ensures
SGLA with respect to M ′, where M ′ is a well-formed extension of
M .
Proof idea. Consider a history h. As h ensures parametrized opacity
with respect to M , we know that there exists a view function
v ∈ R(h) such that for every process p ∈ P , there exists a
sequential history s such that s satisfies the three requirements for
parametrized opacity. Now, we note that a sequential history is, by
definition, transactionally sequential. Moreover, as s respects the
partial order ∪ ≺h, we know that s respects the view function
v′ ∈ R′(h), where the order of a transactional operation with
respect to all other operations of a process is maintained in v′. We
know that such a v′ exists, as M ′ is a well-formed extension of M .
This implies that h ensures SGLA with respect to M ′.

Theorem 7. Given a memory model M , there exists an uninstru-
mented TM implementation that guarantees SGLA parametrized
by M .
Proof idea. Consider an uninstrumented TM implementation I
which executes every transaction using a global lock as shown in
Figure 6 and explained in Theorem 3. Consider an arbitrary trace
r ∈ L(I). Note that there exists a history h corresponding to
r (as explained in Theorem 3) such that for every pair T, T ′ of
transactions, either T ≺h T ′ or T ′ ≺h T . This means that h is
transactionally sequential. Moreover, every operation in h is legal.
Thus, h ensures SGLA parametrized by M .

7. Related Work
Various formalisms for memory models have been proposed in the
literature [3, 4, 11, 24, 25]. Most of these formalisms are tailored to
capture the intricacies of specific memory models. Our reason for
building a formalism for memory models was to obtain a general
framework, with the focus on classification of memory models on
the basis of reordering of instructions they allow.
The interaction of transactions with non-transactional opera-
tions has been widely studied. The study was pioneered by Gross-
man et al. [8], where the authors raised several issues that need to
be tackled in order to create TM implementations that handle non-
transactional operations properly. The authors express the correct-
ness property using sample executions, and thus it lacks a formal
specification. Work by Scott et al. [29] focuses on providing a set of
rules that should hold irrespective of the memory model. This work
is restricted to memory models that do not allow out-of-thin-air val-
ues. Menon et al. [20] define correctness by mapping transactions
to critical sections, thus providing an intuitive definition of single
global lock atomicity. Type systems and operational semantics for
transactional programs with non-transactional accesses have been
proposed by Abadi et al. [1] and Grossman et al. [21]. We believe
that while each of the above approaches sheds light on the intrica-
cies involved in transactional programs with non-transactional op-
erations, none provides a formal specification of the correctness
property in the presence of relaxed memory models.
8. Conclusion
We formalized the correctness property of opacity parametrized by
a memory model. Intuitively, parametrized opacity requires two
things. Firstly, transactions are isolated from other transactions
and non-transactional operations. Secondly, the behavior of non-
transactional operations is governed by the underlying memory
model. We used our formalism to prove several results on achiev-
ing parametrized opacity with instrumented or uninstrumented TM
implementations under different memory models. In particular, we
show that for most memory models, parametrized opacity cannot be
achieved without instrumenting non-transactional operations. On
the positive side, we show that with constant-time instrumentation
for writes, and no instrumentation for reads, it is indeed possible
to achieve opacity parametrized by a significant class of memory
models. The practical relevance of our definition lies in the fact
that while creating TM implementations, one may use the relax-
ations provided by the memory model to create more efficient TM
implementations. In future, we plan to use our formal framework
to verify different TM implementations in the literature.
References
[1] Martı´n Abadi, Andrew Birrell, Tim Harris, and Michael Isard.
Semantics of transactional memory and automatic mutual exclusion.
In POPL, pages 63–74, 2008.
[2] Sarita V. Adve and Kourosh Gharachorloo. Shared memory
consistency models: A tutorial. IEEE Computer, 29(12):66–76,
1996.
[3] Ge´rard Boudol and Gustavo Petri. Relaxed memory models: An
operational approach. In POPL, pages 392–403, 2009.
[4] Sebastian Burckhardt, Madanlal Musuvathi, and Vasu Singh. Veri-
fying compiler transformations for concurrent programs. Technical
Report MSR-TR-2008-171, Microsoft Research, 2008.
[5] Intel Corporation. Intel 64 and IA-32 Architectures Software
Developer’s Manual, Volume 3A. 2006.
[6] Luke Dalessandro and Michael Scott. Strong isolation is a weak idea.
In TRANSACT, 2009.
[7] D. Dice, O. Shalev, and N. Shavit. Transactional locking II. In DISC,
pages 194–208. Springer, 2006.
[8] Dan Grossman, Jeremy Manson, and William Pugh. What do high-
level memory models mean for transactions? In Memory System
Performance and Correctness, 2006.
[9] Rachid Guerraoui, Thomas A. Henzinger, Barbara Jobstmann, and
Vasu Singh. Model checking transactional memories. In PLDI, pages
372–382. ACM, 2008.
[10] Rachid Guerraoui, Thomas A. Henzinger, and Vasu Singh. Nondeter-
minism and completeness in transactional memories. In CONCUR.
Springer, 2008.
[11] Rachid Guerraoui, Thomas A. Henzinger, and Vasu Singh. Software
transactional memory on relaxed memory models. In CAV, pages
321–336, 2009.
[12] Rachid Guerraoui and Michał Kapałka. On the correctness of
transactional memory. In PPoPP, 2008.
[13] M. Herlihy, V. Luchangco, M. Moir, and W. N. Scherer. Software
transactional memory for dynamic-sized data structures. In PODC,
pages 92–101, 2003.
[14] M. Herlihy and J. E. B. Moss. Transactional memory: Architectural
support for lock-free data structures. In ISCA, pages 289–300. ACM
Press, 1993.
[15] Maurice Herlihy and Eric Koskinen. Transactional boosting: A
methodology for highly-concurrent transactional objects. In PPoPP,
2008.
[16] Maurice Herlihy and Jeannette M. Wing. Linearizability: A
correctness condition for concurrent objects. ACM Transactions
on Programming Languages and Systems, 12(3), 1990.
[17] J. R. Larus and R. Rajwar. Transactional Memory. Synthesis Lectures
on Computer Architecture. Morgan & Claypool, 2007.
[18] Jeremy Manson, William Pugh, and Sarita V. Adve. The Java memory
model. In POPL, pages 378–391. ACM, 2005.
[19] Milo M. K. Martin, Colin Blundell, and E. Lewis. Subtleties of
transactional memory atomicity semantics. Computer Architecture
Letters, 5(2), 2006.
[20] Vijay Menon, Steven Balensiefer, Tatiana Shpeisman, Ali-Reza Adl-
Tabatabai, Richard L. Hudson, Bratin Saha, and Adam Welc. Practical
weak-atomicity semantics for Java STM. In SPAA, 2008.
[21] Katherine F. Moore and Dan Grossman. High-level small-step
operational semantics for transactions. In POPL, pages 51–62. ACM,
2008.
[22] C. H. Papadimitriou. The serializability of concurrent database
updates. Journal of the ACM, pages 631–653, 1979.
[23] Bratin Saha, Ali-Reza Adl-Tabatabai, Richard L. Hudson, Chi Cao
Minh, and Ben Hertzberg. McRT-STM: A high performance software
transactional memory system for a multi-core runtime. In PPoPP,
pages 187–197. ACM, 2006.
[24] Vijay A. Saraswat, Radha Jagadeesan, Maged Michael, and Christoph
von Praun. A theory of memory models. In PPoPP, pages 161–172,
New York, NY, USA, 2007. ACM.
[25] Susmit Sarkar, Peter Sewell, Francesco Zappa Nardelli, Scott Owens,
Tom Ridge, Thomas Braibant, Magnus O. Myreen, and Jade Alglave.
The semantics of x86-CC multiprocessor machine code. In POPL,
pages 379–391, 2009.
[26] N. Shavit and D. Touitou. Software transactional memory. In PODC,
pages 204–213, 1995.
[27] Tatiana Shpeisman, Vijay Menon, Ali-Reza Adl-Tabatabai, Steven
Balensiefer, Dan Grossman, Richard L. Hudson, Katherine F. Moore,
and Bratin Saha. Enforcing isolation and ordering in STM. In PLDI,
pages 78–88. ACM, 2007.
[28] Richard L. Sites, editor. Alpha Architecture Reference Manual.
Digital Press, 2002.
[29] Michael F. Spear, Luke Dalessandro, Virendra J. Marathe, and
Michael L. Scott. Ordering-based semantics for software transactional
memory. In OPODIS, 2008.
[30] Michael F. Spear, Virendra J. Marathe, Luke Dalessandro, and
Michael L. Scott. Privatization techniques for software transactional
memory. In PODC, pages 338–339, 2007.
[31] D. Weaver and T. Germond, editors. The SPARC Architecture Manual
(version 9). Prentice-Hall, Inc., 1994.
[32] William E. Weihl. Local atomicity properties: Modular concurrency
control for abstract data types. ACM Transactions on Programming
Languages and Systems, 11(2), 1989.
