A generic operational memory model specification framework for multithreaded program verification by Yang, Yue
A Generic Operational M emory M odel 
Specification Framework for M ultithreaded  
Program Verification *
Yue Yang, Ganesh Gopalakrishnan, and Gary Lindstrom
School of Computing, University of Utah 
{yyang, ganesh, gary}@cs.utah.edu
Abstract. Given the complicated nature of modern architectural and 
language level memory model designs, it is vital to have a systematic ap­
proach for specifying memory consistency requirements that can support 
verification and promote understanding. In this paper, we develop a spec­
ification methodology that defines a memory model operationally using 
a generic transition system with integrated model checking capability to 
enable formal reasoning about program correctness in a multithreaded 
environment. Based on a simple abstract machine, our system can be 
configured to define a variety of consistency models in a uniform nota­
tion. W e  then apply this framework as a taxonomy to formalize several 
well known memory models. W e  also provide an alternative specification 
for the Java memory model based on a proposal from Manson and Pugh 
and demonstrate how to conduct computer aided analysis for Java thread 
semantics. Finally, we compare this operational approach with axiomatic 
approaches and discuss a method to convert a memory model definition 
from one style to the other.
1 IN T R O D U C T IO N
W i t h  the recent advances in multiprocessor shared m e m o r y  architectures and 
integrated threading support from programming languages such as Java, multi­
threaded programming is becoming an increasingly popular technique for devel­
oping better structured and high performance applications. Unlike a sequential 
program, where each read simply returns the value written by the most recent 
write according to program order, a multithreaded program relies on the m em ­
ory model (also k n o w n  as the thread semantics) to define h o w  threads interact 
in a shared m e m o r y  system.
T h e  m e m o r y  model plays a critical role in developing and debugging concur­
rent programs. Consider, for example, Peterson’s algorithm [1] shown in Figure 1 
designed to solve the two-thread mutual exclusion problem. Each thread first sets 
its o w n  flag indicating its intention to enter the critical section, and then asserts 
that it is the other thread’s turn if appropriate. T he eventual value of the variable
* This work was supported in part by Research Grant No. CCR-0081406 (ITR Pro­
gram) of N S F  and S R C  Task 1031.001.
(Initially, flagl = flag2 = false, turn = 0)
Thread 1 Thread 2
flagl = true; flag2 = true;
turn = 2; turn = 1;
while(turn == 2 && flag2) while(turn == 1 && flag1)
< critical section > < critical section >
flag1 = false; flag2 = false;
Fig. 1. Peterson’s algorithm for mutual exclusion.
Initially, flag1 =  flag2 =  fa lse , tu rn =  0
Thread 1 Thread 2
flag1 =  true; 
turn =  2; 
r1 =  turn; 
r2 =  flag2;
flag2 =  true; 
turn =  1; 
r3 =  turn; 
r4 =  flag1;
Finally, can it result in r1 =  2, r2 =  fa lse, r3 =  1, and r4 =  fa lse? 
Fig. 2. A n  execution that breaks Peterson’s algorithm.
tu r n  determines which thread enters the critical section first. T he correctness 
of this well k n o w n  programming pattern, however, heavily depends on certain 
assumptions about the allowed thread interleavings. Figure 2 abstracts the key 
m e m o r y  operations from Peterson’s algorithm and illustrates a specific thread 
behavior that breaks the algorithm. In Figure 2, if both threads can still ob­
serve the default flag values w h e n  the loop conditions are checked, they are able 
to enter the critical section at the same time. Suppose the underlying m e m o r y  
model permits such a program behavior (which happens to be the case for m a n y  
shared m e m o r y  systems), programs relying on Peterson’s algorithm would be 
erroneous.
Program fragments such as the one in Figure 2 are generally k n o w n  as litmus  
tests. Carefully studying these test programs can reveal critical m e m o r y  model 
properties, which is very helpful for programmers and compiler writers to m a k e  
right decisions in code selection and optimization. For simple cases, one can of­
ten follow a pencil-and-pen approach to reason about the legality of a litmus 
test. But as bigger programs are involved and more complex models are used, 
thread interleavings quickly become non-intuitive and hand-proving program 
compliance can be very difficult and error-prone. T he proliferation of various 
proposed m e m o r y  models also poses a major challenge for programmers to reli­
ably comprehend the differences as well as similarities a m o n g  them, which are 
often subtle yet critical. For example, even experts have experienced difficulties 
in understanding the exact power of certain m e m o r y  models [2].
Multithreaded programming is notoriously difficult. Developing efficient and 
reliable compilation techniques for multithreaded programs is also hard. Given 
that m e m o r y  model compliance is a prerequisite for developing robust concurrent 
systems, it is crucial to have a rigorous methodology for analyzing m e m o r y  model 
specifications. In this paper, we  present a generic specification framework that 
provides integrated model checking capability. W e  also demonstrate h o w  to apply 
this framework to perform multithreaded program verification.
1.1 M e m o r y  M o d e l  O v e r v i e w
M e m o r y  consistency requirements often place various restrictions on program or­
der and visibility order a m o n g  m e m o r y  operations. Program order is the original 
instruction order determined by software. Visibility order is the final observable 
order of m e m o r y  operations perceived by one or more threads (this is similar to 
the notion of visibility order used in [3] and the notion of before order used in
[4]).
M e m o r y  model designs typically involve a tradeoff between programmability 
and efficiency. For example, as one of the earliest m e m o r y  models, Sequential 
Consistency (SC) [5] is intuitive but restrictive. A  m e m o r y  system is sequen­
tially consistent if the result of an execution is the same as if the operations 
of all the threads were executed in some sequential order, and the operations 
of each individual thread appear in this sequence according to program order.1 
M a n y  weaker m e m o r y  models (see [6] for a survey) have since been proposed to 
enable higher performance implementations. S o m e  of these models still require 
Coherence [7] (also k n o w n  as Cache Coherence or Cache Consistency). Infor­
mally, Coherence requires all operations involving a given variable to exhibit a 
total order that also respects program order of each thread.
Early m e m o r y  models, such as Sequential Consistency, are designed for sin­
gle bus systems, where a c o m m o n  visibility order is enforced for all observing 
threads. S o m e  other models, such as Parallel Random  Access M em ory  (P R A M )
[8], allow each individual thread to observe its o w n  visibility order. Informally, 
P R A M  requires the execution sequences containing all operations from the read­
ing thread and all write operations from other threads to exhibit a total order 
that also respects program order of each thread. For example, the outcome of 
the program shown in Figure 3 is not allowed by Sequential Consistency and C o ­
herence since there does not exist a c o m m o n  visibility order that can be agreed 
upon by both threads. However, the behavior is permitted by P R A M  because 
each thread can perceive its o w n  visibility order. That is, thread 1 and thread 2 
m a y  observe interleaving (1)(3)(2) and (3)(1)(4), respectively. Using our frame­
work, we  can formally analyze the behaviors of such test programs guided by 
various m e m o r y  models.
1 Architectural level memory models are usually described in terms of processes and 
memory locations. Language level memory models, on the other hand, are often 
discussed using threads and shared variables. In this paper, we adopt the latter 
terminology for our discussion.
Initially, a = 0
Thread 1 Thread 2
(1) a =  1;
(2) r1 =  a;
(3) a =  2;
(4) r2 =  a;
Finally, can it result in r1 =  2 and r2 =  1?
Fig. 3. A n  execution prohibited by S C  and Coherence but allowed by P R A M .
M a n y  shared m e m o r y  systems allow programmers to use special synchro­
nization operations in addition to read and write operations. In Lazy Release  
Consistency [9], synchronization is performed by release and acquire operations. 
W h e n  release is performed, previous m e m o r y  activities from the issuing thread 
need to be written to the shared memory. A  thread reconciles with the shared 
m e m o r y  to obtain the updated data w h e n  acquire is issued. Lazy Release C o n ­
sistency requires Coherence. This requirement is further relaxed by Location  
Consistency [10]. Operations in Location Consistency are only partially ordered 
if they are from the same thread or if they are synchronized through locks.
1.2 T h e  Existing J ava M e m o r y  M o d e l
Java is the first widely deployed programming language that provides built-in 
threading support at the language level. Java developers routinely rely on threads 
for structuring their programs, sometimes even without explicit awareness. As 
future hardware architectures become more aggressively parallel, multithreaded 
Java also provides an appealing platform for high performance software. The 
Java m e m o r y  model ( J M M )  is a critical component of the Java threading sys­
tem since it imposes significant implications on a broad range of activities, such 
as programming pattern development, compiler optimization, and Java virtual 
machine ( J V M )  implementation. Unfortunately, developing a rigorous and intu­
itive Java m e m o r y  model has turned out to be very difficult.
The existing Java m e m o r y  model is given in Chapter 17 of the Java Language 
Specification [11]. It specifies that every variable has a working copy stored in 
the working memory. Threads communicate via the main  memory. Java thread 
semantics is defined by eight different actions that are constrained by a set of 
informal rules. D u e  to the lack of rigor in specification, however, non-obvious 
implications can be deduced by combining different rules [12]. As a result, the 
existing Java m e m o r y  model is flawed and hard to understand. S o m e  of its major 
issues are listed as follows.
—  T he model requires Coherence. Because of this restriction, important c o m ­
piler optimizations such as fetch elimination are prohibited (see [12] for a 
detailed example).
—  T he model requires a thread to flush all variables to main m e m o r y  before re­
leasing a lock, imposing a strong restriction on visibility order. Consequently, 
some seemingly redundant synchronization operations (such as thread local 
synchronization blocks) cannot be optimized away.
—  T he ordering guarantee for a constructor is not strong enough. O n  weak 
m e m o r y  architectures such as Alpha, uninitialized fields of an object can be 
observable under race conditions even after the object reference is initialized 
and m a d e  visible to other threads. This problem opens a security hole to 
malicious attacks via race conditions.
—  Semantics for final variable operations is omitted.
—  Volatile variable operations specified by the existing Java m e m o r y  model 
do not have synchronization effects on normal variable operations. C o n ­
sequently, volatile variables cannot be applied as synchronization flags to 
indicate the completion of non-volatile variable operations.
1.3 A  Jav a  M e m o r y  M o d e l  P r o p o s e d  b y  M a n s o n  a n d  P u g h
Several improved Java thread semantics have been proposed, including a pro­
posal from M a n s o n  and P u g h  [13, ?] (referred to as J M M M P  in this paper). Since 
the core semantics of J M M M P  is adapted as a concrete case study in this paper, 
we briefly describe J M M M P  here as an overview. Readers are referred to [13] for 
more details.
J M M M P  is based on an abstract global system that executes one operation 
from one thread at each step. A n  operation corresponds to a J V M  opcode, which 
occurs in a total order that respects the program order from each thread. The 
only ordering relaxation explicitly allowed is for prescien t writes under certain 
conditions. A  write is defined as a tuple of (variable, value, Q U I D ) , uniquely 
identified by its global ID GUID. J M M M P  uses set to store history information 
of m e m o r y  activities. In particular, allW rites is a global set that records all 
write events that have occurred. Every thread, monitor, or volatile variable k 
also maintains two local sets, o v e r w r i t t e n k and p r e v io u sk. T he former stores the 
obsolete writes that are k n o w n  to k . T he latter keeps all previous writes that are 
k n o w n  to k . W h e n  a n e w  write is issued, writes in the thread local previous set 
become obsolete to that thread and the n e w  write is added to the previous set as 
well as the allW rites set. W h e n  a read action occurs, the return value is chosen 
from the a l lW r i t e s set. But the writes stored in the o v e r w r i t te n  set of the 
reading thread are not eligible results. A  write w  m a y  be performed early under 
certain situations. To  capture the prescient write semantics, a write action is 
split into initWrite and performWrite. A  special assertion is used in performWrite 
to ensure that proper conditions are met. To solve the Java m e m o r y  model 
problems listed in Section 1.2, J M M M P  proposes the following thread properties 
and mechanisms for achieving them.
—  T he ordering constraint should be relaxed to enable c o m m o n  optimizations. 
J M M M P  essentially follows Location Consistency, which does not require 
Coherence.
—  T he synchronization mechanism should be relaxed to enable the removal of 
redundant synchronization blocks. In J M M M P , visibility states are only syn­
chronized through the same lock. T h e  thread local o v e r w r i t te n  and p re v io u s  
sets are synchronized between threads through release/acquire actions. A n
unlock acts as a release, which passes the local sets from a thread to a moni­
tor. A  lock acts as an acquire, which passes the sets associated with a monitor 
to a thread.
—  Java safety should be guaranteed even under race conditions. J M M m p  en­
forces that all final fields should be initialized properly from a constructor.
—  Reasonable semantics for final variables should be provided. In J M M m p , a 
final field v is frozen at the end of the constructor before the reference of 
the object is returned. If the final variable is “improperly” exposed to other 
threads before it is frozen, v is said to be a pseudo-final field. Another thread 
would always observe the initialized value of v unless it is pseudo-final, in 
which case it can also obtain the default value.
—  Volatile variables should be specified to be more useful for multithreaded pro­
gramming. J M M m p  proposes to add the release/acquire semantics to volatile 
variable operations to achieve synchronization effects for normal variables. 
A  write to a volatile field acts as a release and a read of a volatile field acts 
as an acquire. J M M m p  allows volatile write operations to be non-atomic. To 
capture this relaxation, a volatile write is split into two consecutive instruc­
tions, initVolatileWrite and performVolatileWrite. Special assertions are also 
used to impose proper conditions.
1.4 S u m m a r y  of Results
W e  present a Uniform M e m o r y  Model ( U M M )  specification framework, which 
uses an abstract machine associated with a transition table to execute thread 
instructions in an operational style. Coupled with a model checking utility, it 
can exhaustively exercise a test program to cover all thread interleavings. Fur­
thermore, the simple and flexible design of the system enables one to define 
different thread semantics by crafting a customized transition table. These ad­
vantages m a k e  U M M  suitable as a generic formalism for creating executable 
m e m o r y  model definitions. O ur main insight is that by using two separate kinds 
of buffers, namely local instruction buffers (LIB) and global instruction buffers 
(GIB), we can separately capture requirements on program order and visibility 
order, two pivo ta l properties for understanding shared m e m o r y  thread behaviors. 
Relaxations of the program order are configured through a bypassing table and 
rules in first-order logic are used to express these bypassing policies. Completed 
instructions in GIB are used to construct the legal visibility order subject to 
certain visibility ordering rules. W i t h  this approach, variations between m e m o r y  
models can be isolated into a few well-defined places such as the bypassing table 
and the visibility ordering rules, enabling easy comparison and configuration.
W e  offer the following contributions in this paper. First, we  develop a generic 
transition system that can be used to produce executable m e m o r y  model spec­
ifications. O n e  main result in this paper is to show that this particular design 
of an operational model can capture not only architectural level m e m o r y  m o d ­
els but also language level m e m o r y  models. N o  previous work has treated both 
these categories of m e m o r y  models in a uniform framework; yet, the importance 
of doing so is growing, especially with the advent of multiprocessor machines
on whose architectural m e m o r y  models one has to support the language level 
m e m o r y  model in the most efficient manner. Second, we  apply this framework 
as a taxonomy to formalize a variety of well k n o w n  m e m o r y  model properties 
and use those executable specifications to perform program verification. Third, 
we provide an alternative Java thread specification, based on the semantics pro­
posed by M a n s o n  and Pugh, and demonstrate h o w  to conduct automated ver­
ification for a complex language level m e m o r y  model. Inconsistencies from the 
proposed semantics are also uncovered. Finally, we  discuss the relationship of 
our operational specification approach with trace-based axiomatic specification 
approaches and propose a mechanism to transform a m e m o r y  model definition 
from one style to the other.
R o a d  M a p  In the next section, we  discuss the related work. T hen we  present an 
overview of our specification framework in Section 3. In Section 4, we  show h o w  
to apply our approach to formalize several well k n o w n  m e m o r y  model properties. 
O u r  alternative formal specification of the Java m e m o r y  model is described in 
Section 5. In Section 6, we  provide a thorough analysis of J M M m P . W e  conclude 
and explore future research opportunities in Section 7.
2 R E LA T E D  W O R K
Extensive research has been conducted in the area of model checking based verifi­
cation of multithreaded Java programs, for example [15, ?,?,?,?]. A  tool was also 
developed in [20] to analyze Java byte code. These efforts, however, do not specif­
ically address the Java m e m o r y  model issues. T he m e m o r y  operations analyzed 
in these tools are interpreted using sequentially consistent behaviors instead of 
a strict m e m o r y  model. Therefore, they cannot be used to analyze fine-grained 
thread interleavings under race conditions. W e  can imagine our proposed Uni­
form M e m o r y  Model being incorporated into these tools to m a k e  their analysis 
more realistic. In [21], a type-based framework for race analysis is proposed. 
These authors also seem to tacitly assume Sequential Consistency.
The Java m e m o r y  model problems were pointed out in [12]. Several efforts 
have been conducted to formalize the existing Java m e m o r y  model [22, ?,?]. 
Improved Java thread semantics have also been proposed to replace the cur­
rent Java m e m o r y  model. Besides J M M m P , there was another proposal from 
Maessen, Arvind, and Shen [24] (referred to as J M M c r f  in this paper) based 
on the Commit/Reconcile/Fence (CRF) framework. T he Java m e m o r y  model is 
currently under an official revision process [25]. There is an ongoing discussion 
through the Java m e m o r y  model mailing list [26]. Most recently, M a n s o n  and 
P u g h  announced a n e w  Java m e m o r y  model draft [26] for community review.
Although J M M m P and J M M c r f  have initiated promising improvements on 
Java thread semantics, they are not as easily comprehensible and compara­
ble as first thought. J M M c r f  inherits the design from its predecessor hard­
ware model [27]. Java operations have to be divided into fine grained C o m ­
mit/Reconcile/Fence instructions to capture the precise thread semantics. O n
the one hand, this translation process adds complexities for describing m e m o r y  
properties. O n  the other hand, the dependency on a cache based architecture 
also prohibits J M M c r f  from describing more relaxed models. J M M M P  uses sets 
of m e m o r y  operations to record the history of m e m o r y  activities. Instead of spec­
ifying the intrinsic m e m o r y  model properties such as the ordering rules, it resorts 
to nonintuitive mechanisms to enforce the desired behaviors. While this nota­
tion might be sufficient to express the proposed semantics, adjusting it to specify 
different properties is not trivial. Since designing a m e m o r y  model involves a re­
peated process of testing and fine-tuning, a generic specification framework is 
needed to provide such flexibility.
The area of m e m o r y  model specification has been pursued under different ap­
proaches. S o m e  researchers have used non-operational (also k n o w n  as axiomatic)  
specifications, in which the desired properties are directly defined. Other re­
searchers have employed operational style specifications, in which the update of 
the global state is defined step-by-step with the execution of each instruction.
As an example of non-operational approaches, Collier [28] described m e m ­
ory requirements based on a formal theory of m e m o r y  ordering rules. Using 
methods similar to Collier’s, Gharachorloo [7] developed a generic framework 
for specifying the implementation conditions for various m e m o r y  models. The 
shortcoming of their approaches is that it is nontrivial to infer program behaviors 
from a combination of several ordering constraints. In fact, the lack of a means 
for automatic execution is a noticeable limitation for most specifications with 
a declarative style. In a separate research effort [29], we  developed a method 
to capture m e m o r y  ordering rules as axioms and encode these non-operational 
models into a machine recognizable format. W e  then m a d e  the specifications 
executable by applying a constraint solver or a boolean S A T  solver to check the 
existence of a legal execution for a given test program.
To m a k e  an operational m e m o r y  model executable, Park and Dill [30, ?] pro­
posed a method to integrate a model checker with the Sparc Relaxed M em ory  
Order [32] specification for verifying small assembly synchronization routines. In 
our previous work on the analysis of J M M CRF [33], we extended this method­
ology to the domain of Java thread semantics and demonstrated its feasibility 
and effectiveness for analyzing language level m e m o r y  models. After adapting 
J M M crf to an equivalent executable specification implemented with the Mur- 
phi [34] model checking tool, we systematically exercised the underlying model 
with a suite of test programs to reveal pivotal properties and verify c o m m o n  
programming idioms, e.g. the Double-Checked Locking [35] algorithm. Roychoud- 
hury and Mitra [36] also applied techniques similar to [33] to study the existing 
Java m e m o r y  model. T h e y  formalized the current Java m e m o r y  model with an 
operational representation using a local cache and a set of read/write queues 
and implemented the specification with an invariant checker. Although [33] and 
[36] have improved their respective target models by making t hem executable 
and more rigorous, they are limited to the specific designs from the original 
proposals. As a result, they are not suited as a generic specification framework, 
and the intuitions for the m e m o r y  model requirements based on those notations
Thread i Thread j
GIB
Fig. 4. Basic conceptual architecture of the U M M  specification framework.
are not immediately apparent. Furthermore, the complexity of the specific data 
structures d emands more m e m o r y  consumption during model checking, which 
would worsen the state space explosion problem. In [37], a formal operational 
framework was developed to verify protocol implementation against weak m e m ­
ory models using model checking. In that framework, however, data structures 
of the transition system vary depending on whether a single visibility order or 
multiple visibility orders need to be defined. These variations m a k e  it difficult 
to create a parameterizable analysis tool. This paper improves the method by 
providing a generic abstraction mechanism for executable models based on a 
simple transition system.
Non-operational and operational specification styles are complementary tech­
niques. T h e  non-operational approach is often more intuitive due to its declara­
tive nature. But it does not directly help people (such as the compiler writers) to 
build a mental process of h o w  the desired properties can be achieved. While op­
erational descriptions often mirror a system’s behavior and can be exploited by 
a model checker, they tend to emphasize the how aspects through their usage of 
specific data structures, not the what aspects that formal specifications are sup­
posed to stress. Hence, it is essential for an operational specification framework 
to employ a generic abstract machine that can represent primitive consistency 
properties as opposed to specific architectural designs. In Section 4.7, we  also 
explore a method to transform a m e m o r y  model definition from one style to the 
other.
3 O V E R V IE W  O F T H E  F R A M E W O R K
The U M M  specification framework consists of an abstract transition system with 
an associated transition table. Figure 4 illustrates the basic conceptual architec­
ture of the U M M  transition system. Each thread k has a local instruction buffer 
LI B k that stores its pending instructions in program order. Thread interactions
are communicated through a global instruction buffer GIB, which stores all pre­
viously completed m e m o r y  instructions that are necessary for fulfilling a future 
read request.
The specification of a m e m o r y  system is precisely defined in a transition table 
based on guarded commands. M e m o r y  operations are categorized as events that 
m a y  be completed by carrying out some actions w h e n  certain conditions are 
satisfied. At a given step, any eligible event m a y  be nondeterministically chosen 
and atomically completed by the abstract machine. T he sequence of permissible 
actions from various threads constitutes an execution. A  legal execution is defined 
as a serialization of these m e m o r y  operations, i.e., a read operation returns the 
value from the most recent previous write operation on the same variable subject 
to the ordering constraints specified by the transition table. A  m e m o r y  model 
M  is defined by the results perceived by each read operation in legal executions. 
A n  actual implementation of M ,  I m ,  m a y  choose different architectures and 
optimization techniques as long as the legal executions allowed by I m  are also 
permitted by M .
O u r  notation based on guarded c o m m a n d s  has been widely used in architec­
tural models [38], making it familiar to hardware designers. In contrast to most 
processor level m e m o r y  models that apply a cache structure, only two layers are 
used in the U M M  system, one for thread local information and the other for 
global trace information. For clarity, our framework applies a bypassing table 
called B Y P A S S  to configure the ordering policy for issuing instructions. These 
bypassing rules used in the instruction selection process serve two purposes. O n e  
is to impose an interleaving close to the m e m o r y  model requirement. T he other 
is to presciently enable certain operations w h e n  needed. Completed instructions 
in GIB are used to form the legal visibility order. T he visibility ordering rules are 
imposed as a final filtering mechanism to guarantee proper serialization. Instead 
of a fixed size main memory, we apply a global instruction buffer whose size m a y  
be increased if necessary, which is needed to specify relaxed m e m o r y  models that 
require to keep a trace of multiple writes on a variable.
Integrating the M o d e l  C h e c k i n g  T e c h n i q u e  To  m a k e  the m e m o r y  models 
executable, we  encode them in Murphi [34], a description language with a syn­
tax similar to C  as well as a model checking system that supports exhaustive 
state space enumeration. Since Murphi naturally supports specifications based 
on guarded commands, this translation process is straightforward. T he Murphi 
program consists of two parts. T he first part implements the formal specification 
of a m e m o r y  model. T he transition table is specified as Murphi rules. Bypassing 
conditions and visibility conditions are implemented as Murphi procedures. The 
second part comprises a large collection of idiom-driven test programs. These 
test programs are designed to reveal specific m e m o r y  model properties or to 
simulate c o m m o n  programming idioms. Each test program is defined by specific 
Murphi initial state and invariants, which can be executed with the guidance 
of the transition system to reveal pivotal properties of the model. W h e n  a test 
program is executed under the guidance of the U M M  transition system, the Mur-
phi model checker exhaustively exercises all possible executions allowed by the 
m e m o r y  model. O u r  system can detect deadlocks and invariant violations. To 
examine test results, two techniques can be applied. T he first one uses Murphi 
invariants to specify that a particular scenario can never occur. If it does occur, 
a violation trace can be generated to help understand the cause. T he second 
technique uses a special “thread completion” rule, which is triggered only whe n  
all threads are completed, to output all possible final results.
The Murphi implementation is highly configurable. It allows one to easily set 
up different test programs, abstract machine parameters, and m e m o r y  model 
properties. T he executable m e m o r y  model can also be treated as a “black box” 
whereby the users are not necessarily required to understand all the details of the 
model to benefit from the specification. O u r  operational definition employs rules 
expressed in first-order logic to capture details. Thus, in a sense, it has a dual 
sta tus: the big picture is captured operationally, while the details are captured 
in a declarative manner. This style is also found in some related efforts, e.g. [38]. 
Here, our contributions are twofold: (i) we  employ this style for a wide spectrum 
of m e m o r y  models; (ii) we  retain the first-order logic style in our Murphi model 
which supports first-order logic quantifiers (they are unravelled through state 
enumeration). This also helps m a k e  the implementation of the m e m o r y  model 
reliable.
4 FO R M A L IZ IN G  C O M M O N  M E M O R Y  M O D EL  
P R O P E R T IE S
The U M M  framework can be configured to produce executable specifications for 
a variety of m e m o r y  consistency properties. T he general strategy is to customize 
the bypassing table to control the interleaving and impose proper visibility or­
dering constraints on the execution trace in GIB. This configuration process is 
typically very straightforward for m e m o r y  models involving a single visibility or­
der. For models requiring per-thread visibility orders, a write instruction needs 
to be decomposed into multiple sub-write instructions targeting each different 
thread (including the issuing thread) so that the single GIB can be used to re­
trieve a unique visibility order for every observing thread. This technique is 
inspired by similar methods applied in [3, ?].
W e  demonstrate our approach by formalizing several m e m o r y  model require­
ments representing different categories. In this section, Sequential Consistency 
and Coherence are presented to show the method of defining models involving a 
single visibility order and P R A M  is described to serve as an example of models 
requiring per-thread visibility orders. In Section 5, the core semantics of J M M M P  
is captured to illustrate h o w  synchronization instructions m a y  be handled.
4.1 Instructions
For the c o m m o n  m e m o r y  models discussed in this section, an instruction i is 
represented by a tuple (t, pc, op, var, data , ta rge t ,  t i m e ), where
t ( i ) =  t : issuing thread;
pc(i) =  p c : program counter;
op(i) =  op : operation type, can be Read or Write;
va r ( i) =  v a r : variable;
data(i) =  da ta : data value;
ta rg e t( i ) =  ta rg e t : target thread observing a write; 
t im e ( i ) =  time : global time stamp, incremented each time 
w h e n  an instruction is added to GIB.
4.2 Initial Conditions
Initially, LIB contains all instructions from each thread in their original program 
order. For Sequential Consistency and Coherence, writes do not need to be de­
composed. For P R A M ,  a write instruction i is converted to a set of sub-write 
instructions for each thread k ( ta rge t ( i ) =  k). Th e  sub-write instructions that 
originate from the same write instruction share the same program counter. GIB 
contains the default write instructions for every variable v , with the default value 
of v, a special thread ID t init, and a t im e field of 0. After the abstract machine 
is set up, it operates according to the transition table.
4.3 Transition Table
The generic transition table for Sequential Consistency, Coherence, and P R A M  
is given in Table 1. A  read instruction completes w h e n  the return value is bound. 
A  write instruction completes w h e n  it is added to GIB. A  multithreaded program 
terminates w h e n  all instructions from all threads complete.
Event Condition Action
read 3i G L IBt(i) :
ready(i)  A op(i) =  Read A 
(3w G GIB : lega lW rite(i ,w ))
i.data := data(w);
LIBt(i) : delete(LIBt(i) , i);
write 3i G LIBt(i) :
ready(i)  A op(i) =  Write
GIB := append(GIB,i); 
LIBt(i) : delete(LIBt(i) , i);
Table 1. Transition table for Sequential Consistency, Coherence, and P R A M .
4.4 B y p a s s i n g  Rules
Table 2 outlines the bypassing rules for Sequential Consistency, Coherence, and 
P R A M .  A n  entry BYPASS[op1][op2] in the bypassing table determines whether 
an instruction with type op2 can bypass a previous instruction with type op1. Val­
ues used in table B Y P A S S  include Yes, No, DiffVar, and DiffTgt. Informally, Yes
S C Coherence P R A M
2nd ^  
1st ^
Read Write Read Write Read Write
Read
Write
N o  No  
N o  No
DiffVar DiffVar 
DiffVar DiffVar
N o  DiffTgt 
DiffTgt DiffTgt
Table 2. Bypassing table for Sequential Consistency, Coherence, and P R A M .
permits the bypassing, No prohibits it, DiffVar conditionally enables the bypass­
ing only if the variables are different and not aliased, and DiffTgt conditionally 
enables the bypassing w h e n  a sub-write targeting a different thread is involved. 
According to Table 2, no bypassing is allowed for Sequential Consistency. For 
Coherence, instructions operated on different variables can be issued out of or­
der. For P R A M ,  to allow each thread to perceive an independent visibility order, 
two sub-writes targeting different threads can be reordered. In addition, a sub­
write can be reordered with a read if the sub-write targets another thread. To 
m a k e  these bypassing rules precise, they are formally defined in condition r e a d y.
re a d y ( i)  =
- 3 j e LIBt(i) : p c ( j )  <  pc(i)  A 
(BYPASS[op(j)][op(i)] =  N o  V 
BYPASS[op(j)][op(i)] =  DiffVar A  v a r ( j ) =  va r ( i)  V 
BYPASS[op(j)][op(i)] =  DiffTgt A  o p ( j) =  Write A  op(i) =  Read A 
t a r g e t ( j ) =  t(i) V  
BYPASS[op(j)][op(i)] =  DiffTgt A  o p ( j) =  Read A  op(i) =  Write A 
t ( j ) =  ta rg e t( i )  V 
BYPASS[op(j)][op(i)] =  DiffTgt A  op(j) =  Write A  op(i) =  Write A  
t a r g e t ( j ) =  ta rg e t ( i ) )
4.5 Visibility O r d ering R e q u i r e m e n t
Condition legalWrite is a guard that guarantees the serialization requirement. It 
specifies that a write instruction w is not eligible for a read instruction r if there 
exists an intermediate write instruction w' on the same variable between r and 
w  in the ordering path. T h e  l e g a lW r i te definition of P R A M  is slightly different 
from that of Sequential Consistency and Coherence because a reading thread t  
can only observe a sub-write targeting t or the default write.
For Sequential Consistency and Coherence:
l e g a lW r i t e ( r ,w )  =
op(w) =  Write A  v a r (w ) =  v a r (r )  A
(- 3w' e G I B  : op(w') =  Write A  va r (w ') =  v a r (r )  A
t im e ( r )  >  t im e (w ')  A t im e (w ')  >  t im e (w ) )
For PRAM :
l e g a lW r i t e ( r ,w )  =
op(w)  =  W rite  A v a r (w )  =  v a r (r )  A ( ta rge t(w )  =  t ( r )  V t (w )  =  t in it) A 
(- 3w 7 £  G IB  : op(w')  =  W rite  A va r (w ')  =  v a r (r )  A ta rg e t (w ')  =  t ( r )  A 
t im e ( r )  >  t im e (w ')  A t im e (w ')  >  t im e (w ) )
4 .6  V e r i f y in g  P r o g r a m m i n g  P a t t e r n s  w i t h  E x e c u ta b l e  S p e c i f ic a t io n s
T h e  execu tab le  specifications coded  in  M u rp h i can  help  one analyze com m on 
p rog ram m ing  p a t te rn s  ag a in s t d ifferent m em ory  m odels. F or exam ple, recall 
th e  litm u s te s t show n in  F ig u re  2, w hich reveals a  scenario  th a t  w ould m ake 
P e te rso n ’s a lg o rith m  erroneous. If  th is  p ro g ram  is execu ted  u n d e r P R A M  or 
C oherence, th e  to o l im m ed ia te ly  d e tec ts  ce rta in  th re a d  in te rleav ing  th a t  w ould 
allow th e  resu lts  to  occur, in d ica tin g  th a t  P e te rso n ’s a lg o rith m  is b roken  for 
these  m em ory  m odels. U n d er S equen tial C onsistency, however, th e  execu tion  in  
F igu re  2 w ould n o t b e  possible.
4 .7  R e la t i o n s h ip  t o  A x io m a t ic  S p e c i f i c a t io n  M e th o d s
D esp ite  its  o p e ra tio n a l style, th e  U M M  fram ew ork is closely re la ted  to  ax iom atic  
specification  m e th o d s  such  as [29]. A n ax iom atic  ap p ro ach  d iv ides th e  global or­
dering  re la tio n  in  te rm s of facets, each of w hich co n s tra in ts  a specific aspec t of 
th e  global o rdering . In  [29], th e  v isib ility  o rd er o f a  m em ory  m odel is defined 
as a com plete  se t of o rdering  rules, inc lud ing  a fully  explicit d escrip tio n  a b o u t 
general o rdering  p ro p ertie s , such as to ta lity , tran s itiv ity , an d  circuit-freeness. To 
tak e  a concrete  exam ple, th e  P R A M  m em ory  m odel can  b e  defined in  an  ax ­
iom atic  sty le  as a se t o f co n s tra in ts  im posed  to  an  execu tion  trac e  ops, show n 
in p red ic a te  le g a l.  P re d ica te  r e s t r i c t T h r e a d  selects a su b se t of m em ory  oper­
atio n s from  ops , w hich co n ta in s  all o p era tio n s  from  th e  observ ing  th re a d  t  an d  
all w rites from  o th e r  th read s .
le g a l  ops =  V t  £  T. (3 order.
r e q u i r e P r o g r a m O r d e r  ( r e s t r i c t T h r e a d  ops t)  order  A 
r e q u i r e W e a k T o ta lO r d e r  ( r e s t r i c t T h r e a d  ops t)  order  A 
r e q u i r e T r a n s i t i v e O r d e r  ( r e s t r i c t T h r e a d  ops t)  order  A 
r e q u i r e A s y m m e t r i c O r d e r  ( r e s t r i c t T h r e a d  ops t)  o rder A 
r e q u i r e R e a d V a lu e  ( r e s t r i c t T h r e a d  ops t ) o rd e r )
E ach  c o n s tra in t is th e n  precisely  defined. For exam ple, th e  p ro g ram  o rd er defi­
n itio n  can  be specified as follows:
r e q u i r e P r o g r a m O r d e r  ops order =
V i , j  £  ops. ( ( t  i =  t  j  A p c  i <  p c  j )  V ( t  i =  t init A t  j  =  t in it)) ^  
o r d e r  i j
T h e U M M  fram ew ork applies a tw o-layer a rc h itec tu re  to  m ake m em ory  m o d ­
els o p era tio n a l. V aria tions of m em ory  consistency  p ro p ertie s  are p a ram ete rized  
as d ifferent bypassing  ru les (defined in  cond ition  ready)  an d  v isib ility  o rdering  
ru les (defined in  cond ition  l e g a lW r i te ) .  As illu s tra te d  by  th e  com m on m em ory  
m odel p ro p e rtie s  defined in  th is  section, th e  to ta l i ty  req u irem en t can  be im plic­
itly  b u ilt u p  d u rin g  th e  execu tion  based  on  in terleav ings allow ed by  th e  bypassing  
rules. If  a m odel allows all in s tru c tio n s  to  b e  sen t to  GIB in  an y  a rb it ra ry  o rder 
an d  th e n  im pose ad d itio n a l o rdering  c o n s tra in ts  w hen  rea d  values are  ob ta in ed , 
a U M M  specification  degenera tes  to  an  ax iom atic  one.
E ach  of th e  tw o sty les has its  ow n advan tages. T h e  ax iom atic  ap p ro ach  is 
dec la ra tive  an d  m ore flexible. O ne can  d isa b le /en a b le  th e  c o n s tra in ts  an d  s tu d y  
th e  im p a c t on  th e  global o rderings. However, each co n s tra in t itse lf  m ay  involve 
aspec ts  th a t  p e r ta in  to  b o th  p ro g ram  orderings an d  global visibility, w hich can ­
n o t be easily  d istingu ished . T h e  o p e ra tio n a l style, on  th e  o th e r  h an d , can  sep­
a ra te  these  m a tte rs  c learly  an d  o ften  sim plify  th e  ru les using  its  in te rleav ing  
m echanism . U n d ers ta n d in g  th e  d ifferent specification  m echanism s can  help  one 
to  tran sfo rm  a m em ory  m odel defin ition  from  one sty le  to  th e  o th e r. To c a p tu re  
an  ax iom atic  defin ition  using  U M M , one needs to  consider all th e  o rdering  ru les 
an d  e x tra c t th o se  th a t  can  be im posed  using  th e  fron t-end  in s tru c tio n  se lection  
process o f th e  U M M  fram ew ork. To convert a U M M  specification  to  an  ax iom atic  
defin ition , one m u st encode all th e  o rdering  req u irem en ts  im plied  by  th e  U M M  
fron t-end  process an d  ad d  th e m  as axiom s to  th e  final execu tion  trace .
5 AN ALTERNATIVE SPECIFICATION OF THE 
JAVA MEMORY MODEL
W e prov ide an  a l te rn a tiv e  Ja v a  m em ory  m odel specification  to  show  how  m em ­
o ry  m odels involving synch ron iza tion  o p era tio n s  m ay  be defined using  ou r fram e­
work. In  ad d itio n , i t  illu s tra te s  how  to  resolve som e of th e  language level m em ory  
m odel issues, such as th e  tre a tm e n t o f local variables. Lastly , i t  d em o n stra te s  th e  
feasib ility  of ou r m ethodo logy  for ana lyz ing  n o n -triv ia l m em ory  m odel designs. 
T h e  core Ja v a  m em ory  m odel sem an tics form alized in  th is  section , includ ing  
defin itions of no rm al m em ory  o p era tio n s  an d  sy nch ron iza tion  o p era tio n s, is p ri­
m arily  based  on JM M m p  [13] as o f Ja n u a ry  11, 2002.
5 .1  V a r ia b le s  a n d  I n s t r u c t i o n s
In  th e  Ja v a  m em ory  m odel, a global variable  refers to  a s ta tic  field of a loaded  
class, an  in s tan ce  field of an  a llo ca ted  ob jec t, or an  elem ent o f an  a lloca ted  
array. I t  can  be fu rth e r  ca tegorized  as a  normal, volatile, o r final variab le. A local 
variable co rresponds to  a Ja v a  local variab le  or an  o p era n d  s tack  location . In  our 
exam ples, we follow a convention  th a t  uses a, b, c to  rep resen t global variables, 
r1 , r2 , r3  to  rep resen t local variables, an d  1, 2, 3 to  rep resen t p rim itive  values.
T h e  in s tru c tio n  tu p le  in  th e  Ja v a  m em ory  m odel is ex ten d ed  to  ca rry  lo­
cal variab le  an d  locking in fo rm ation . A n in s tru c tio n  i is d en o ted  by  a tu p le  








F ig . 5. Extended conceptual architecture for the Java memory model.
t( i )  =  t: issuing th rea d ;
p c(i)  =  pc: p ro g ram  counter;
op(i) =  op: o p e ra tio n  type;
v a r ( i )  =  var:  variable;
data( i)  =  data: d a ta  value;
local(i)  =  local: local variable;
u seLocal( i )  =  useLocal:  ta g  to  in d ica te  if th e  w rite  value is p rov ided  by  local(i);  
lock(i)  =  lock: lock;
t im e ( i )  =  t im e:  g lobal tim e s tam p , inc rem en ted  each tim e
w hen an  in s tru c tio n  is ad d ed  to  GIB.
Since th e  p roposed  sem antics does n o t enforce a  unique p e r - th re a d  v isib ility  
o rder for any observ ing  th re a d , w rite  in s tru c tio n s  do n o t need  to  be decom posed  
in to  sub-w rites.
5 .2  T h e  E x t e n d e d  C o n c e p t u a l  A r c h i t e c t u r e
To c a p tu re  th e  ad d itio n a l req u irem en ts  reg ard in g  local variab les an d  locks in  
th e  Jav a  m em ory  m odel, th e  co ncep tua l a rc h itec tu re  of th e  tra n s itio n  system  is 
sligh tly  ex tended . F ig u re  5 shows th e  a b s tra c t m ach ine for m odelling  th e  Java 
m em ory  m odel. In  a d d itio n  to  th e  local in s tru c tio n  buffer, each th re a d  k also 
m a in ta in s  a se t o f local variab les in  a local variable array  LVk. E ach  elem ent 
LVk[v] co n ta in s  th e  d a ta  value of th e  local variab le  v. To m a in ta in  th e  locking 
s ta tu s , a d ed ica ted  global lock array  LK is also added . E ach  elem ent LK[l] is a 
tu p le  (count, ow ner),  w here count  is th e  n u m b er of recursive lock acqu isitions 
an d  ow n er  is th e  ow ning th rea d .
N e e d  fo r  L o c a l  V a r ia b le  I n f o r m a t i o n  B ecause tra d itio n a l m em ory  m odels 
are designed  for p rocessor level a rch itec tu res , a id ing  softw are analysis is n o t a
com m on p rio rity  in  th o se  specifications. C onsequently , a read  in s tru c tio n  is usu ­
ally  re tire d  im m ed ia te ly  w hen  th e  re tu rn  value is o b ta in ed . Following th e  sam e 
style, n e ith e r JM M m p  n o r JM M c r f  keeps trac k  th e  re tu rn  values from  rea d  op­
era tio n s. However, m ost p ro g ram m in g  ac tiv itie s  in  Java, such as co m p u ta tio n , 
flow contro l, an d  m e th o d  invocation , are ca rried  o u t u sing  local variables. In  or­
d er to  analyze s tra ig h t-lin e  code, i t  is desired  to  ex ten d  th e  scope of th e  m em ory  
m odel fram ew ork by  record ing  th e  values co m m itted  to  local variab les as p a r t 
of th e  global s ta te . T h e  a d d itio n  of local variab le a rray s in  th e  tra n s itio n  system  
also provides a clear se p a ra tio n  of local d a ta  d ep endency  an d  m em ory  m odel 
o rdering  requ irem en ts, w hich will be fu rth e r  d iscussed  in  S ection  5.5.
5 .3  I n i t i a l  C o n d i t io n s
In itia lly , LIB co n ta in s  in s tru c tio n s  from  each th re a d  in  th e ir  orig inal p ro g ram  
order. GIB co n ta in s  th e  defau lt w rite  in s tru c tio n s  for every  variab le  v, w ith  th e  
d e fau lt value of v, a  specia l th re a d  ID  t init, an d  a t im e  field of 0. T h e  count 
fields in  LK are set to  0.
5 .4  T h e  T r a n s i t i o n  T a b le  fo r  t h e  J a v a  M e m o r y  M o d e l
Ja v a  m em ory  o p era tio n s  are  defined in  th e  tra n s itio n  ta b le  given in  T able 3. A 
read o p e ra tio n  on a global variab le  co rresponds to  th e  Jav a  p ro g ram  in s tru c tio n  
w ith  a  fo rm at of r1  =  a. I t  alw ays sto res  th e  d a ta  value in  th e  ta rg e t local 
variab le. A write  o p e ra tio n  on a global variab le  can  have tw o fo rm ats, a =  r 1 
or a = 1 ,  dep en d in g  on w h e th e r th e  useLocal  ta g  is se t. T h e  fo rm at a =  r1  
allows one to  exam ine th e  d a ta  flow im p lica tions caused  by  th e  no n d eterm in ism  
of m em ory  behaviors. If all w rite  in s tru c tio n s  have useLocal  =  f a l s e  an d  all 
rea d  in s tru c tio n s  use non-conflic ting  local variables, th e  sy stem  degenera tes  to  
tra d itio n a l m odels th a t  do  n o t keep local variab le  in fo rm ation . Lock an d  unlock 
in s tru c tio n s  are issued  as d e te rm in ed  by  th e  Jav a  keyw ord synchronized . T h ey  
are  used  to  m odel th e  m u tu a l exclusion effect as well as th e  v isib ility  effect. A 
specia l freeze  in s tru c tio n  for every  final field v  is ad d ed  a t th e  en d  of th e  con­
s tru c to r  th a t  in itia lizes v  to  in d ica te  v  h as  been  frozen. Since we are defin ing th e  
m em ory  m odel, on ly  m em ory  o p era tio n s  are iden tified  in  ou r tra n s itio n  system . 
In s tru c tio n s  such as r1  =  1 an d  r1  =  r2  +  r3  are  n o t inc luded . However, th e  
U M M  fram ew ork can  be easily  ex ten d ed  to  a  com prehensive p ro g ram  analysis 
sy stem  by  add ing  sem antics for co m p u ta tio n a l in s tru c tio n s.
5 .5  B y p a s s in g  P o l ic y  a n d  D a t a  D e p e n d e n c y
Table BYPASS show n in  T able 4 specifies th e  bypassing  ru les for th e  Ja v a  m em ­
o ry  m odel. Since JM M mp resp ec ts  p ro g ram  o rd er excep t for prescient writes, 
Table 4 on ly  allows no rm al w rite  in s tru c tio n s  to  bypass ce rta in  prev ious in­
s tru c tio n s . A lth o u g h  it  m igh t be desired  to  enab le  m ore reo rdering , e.g. betw een  
tw o n o rm al read  o p era tio n s, th e  specification  p resen ted  here follows th e  sam e 
guideline from  JM M mp to  c a p tu re  s im ilar sem antics.
E v e n t C o n d itio n A c tio n
readNormal 3i G LIBt(i) : ready(i)  A op(i) =  ReadNormal A 
(3w G GIB : lega lN orm alW rite (i ,w ))
LVt(i) [local(i)] :=  data(w); 
LIBt(i) :=  delete(LIBt(i), i);
writeNormal 3i G LIBt(i) : ready(i)  A op(i) =  W riteNormal if (useLocal(i))
i.data :=  LVt(i)[local(i)];
end;
GIB :=  append(G IB ,i); 
LIBt(i) : delete(LIBt(i) , i);
lock 3i G LIBt(i) : ready(i)  A op(i) =  Lock A 
(LK[lock(i)].count =  0 V 
LK[lock(i)].owner =  t(i))
LK[lock(i)].count : =
LK[lock(i)].count +  1; 
LK[lock(i)].owner  :=  t(i); 
GIB :=  append(G IB ,i); 
LIBt(i) : delete(LIBt(i) ,i);
unlock 3i G LIBt(i) : ready(i)  A op(i) =  Unlock A 
(LK[lock(i)].count >  0 A 
LK[lock(i)].owner =  t(i))
LK[lock(i)].count : =
LK[lock(i)].count — 1; 
GIB :=  append(G IB ,i); 
LIBt(i) : delete(LIBt(i) ,i);
readVolatile 3i G LIBt(i) : ready(i)  A op(i) =  ReadVolatile A 
(3w G GIB : legalVolatileW rite(i ,w ))
LVt(i) [local(i)] :=  data(w); 
GIB :=  append(G IB ,i); 
LIBt(i) : delete(LIBt(i) , i);
writeVolatile 3i G LIBt(i) : ready(i)  A op(i) =  W riteVolatile if (useLocal(i))
i.data :=  LVt(i)[local(i)];
end;
GIB :=  append(G IB ,i); 
LIBt(i) :=  delete(LIBt(i),i);
readFinal 3i G LIBt(i) : ready(i)  A op(i) =  ReadFinal A 
(3w G GIB : legalF inalW rite(i ,w ))
LVt(i) [local(i)] :=  data(w); 
LIBt(i) : delete(LIBt(i) ,i);
w riteFinal 3i G LIBt(i) : ready(i)  A op(i) =  W riteFinal if (useLocal(i))
i.data  :=  LVt(4)[local(i)];
end;
GIB :=  append(G IB ,i);
LIBt(i) : delete(LIBt(i) , i);
freeze 3i G LIBt(i) : ready(i)  A op(i) =  Freeze GIB :=  append(G IB ,i); 
LIBt(i) :=  delete(LIBt(i),i);
T ab le  3. Transition table for the alternative Java memory model.
2nd ^  
1st ^
Read W rite 
Normal Normal
Lock Unlock Read Write 
Volatile Volatile
Read W rite Freeze 
Final Final
Read Normal No Yes No No No No No No No
Write Normal No Yes No No No No No No No
Lock No R dtLk No No No No No No No
Unlock No Yes No No No No No No No
Read Volatile No R dtLk No No No No No No No
Write Volatile No Yes No No No No No No No
Read Final No Yes No No No No No No No
Write Final No Yes No No No No No No No
Freeze No No No No No No No No No
T a b le  4. Bypassing table for the alternative Java memory model.
In  JM M m p, d ifferent th re a d s  are on ly  synchronized  v ia  th e  same  lock. No 
o rdering  re s tr ic tio n  is im posed  by a Lock in s tru c tio n  if th e re  is no  synchron iza­
tio n  effect assoc ia ted  w ith  it. Since m ost re d u n d a n t synch ron iza tion  o p era tio n s 
are caused  by  th re a d  local an d  n es ted  locks, T able 4 uses a  specia l e n try  RdtLk  
to  enab le  o p tim iza tio n  in  th e  cases involving re d u n d a n t locks. A W riteNormal 
in s tru c tio n  can  bypass a p rev ious Lock or ReadVolatile in s tru c tio n  w hen th e  p re­
vious in s tru c tio n  does n o t im pose an y  synch ron iza tion  effect. C o n d itio n  rea d y  
enforces th e  bypassing  po licy  of th e  m em ory  m odel as well as local d a ta  dep en ­
dency. T h e  h e lp er function  n o tR e d u n d a n t( j )  re tu rn s  true  if in s tru c tio n  j  does 
have a sy nch ron iza tion  effect.
T h e  d a ta  dep en d en cy  im posed  by th e  usage of conflicting  local variab les is 
expressed  in  co n d itio n  localDependent. T h e  h e lp er function  i s W r i t e ( i )  re tu rn s  
true if th e  o p e ra tio n  ty p e  of i is W riteNorm al, W riteVolatile, or W riteFinal. S im i­
larly, i sR ea d ( i)  re tu rn s  true if  th e  o p e ra tio n  of i is ReadNormal, ReadVolatile, or 
ReadFinal.
ready (i) =
- 3j  € LIBt(i) : pc(j) <  pc(i) A 
(localDependent(i, j )  V 
BYPASS[op(j)][op(i)] =  N o V
BYPASS[op(j)][op(i)] =  RdtLk A notRedundant(j))
localDependent(i, j )  =
t( j)  =  t(i) A local(j) =  local(i) A 
(isW rite( i)  A useLocal(i) A isRead(j)  V 
i sW r ite ( j)  A useLocal(j) A isRead(i) V 
isRead(i)  A isR ead( j))
JM M mp applies an  o rdering  c o n s tra in t sim ilar to  L oca tion  C onsistency. As cap ­
tu re d  in  cond ition  L C O r d e r , tw o in s tru c tio n s  a re  o rdered  if one of th e  following 
cases holds:
1. th e y  are o rdered  by  p ro g ram  order;
2. th e y  are synchronized  by  th e  sam e lock or th e  sam e volatile  variab le; or
3. th e re  ex ists  an o th e r  o p e ra tio n  th a t  can  tran s itiv e ly  es tab lish  th e  order.
LCOrder(i1,i2) =
(t(i1) =  t(i2) A pc(i1) >  pc(i2) V t(i1) =  tinit A t(i2) =  tinit) V 
synchronized(i1,i2)  V
(3i' G GIB : time(i') >  time(i2) A time(i') <  time(i1) A 
LCOrder(i1,i')  A LCOrder(i',i2))
T h e sy n ch ro n iza tio n  m echan ism  is form ally  c a p tu re d  in  cond ition  sy n c h ro n ize d . 
In s tru c tio n  i 1 can  be synchron ized  w ith  a  p rev ious in s tru c tio n  i2 v ia a re­
le ase /ac q u ire  process, w here a  lock is first re leased  by  t (i 2) a fte r i 2 is issued 
an d  la te r  acqu ired  by  t (i 1) before i 1 is issued. R elease can  b e  tr ig g e red  by  an 
Unlock or a W riteVolatile in s tru c tio n . A cquire can  b e  triggered  by  a Lock or a 
ReadVolatile in s tru c tio n .
synchronized(i1,i2)  =
3 l ,u  G GIB :
(op(l) =  Lock A op(u) =  Unlock A lock(l) =  lock(u) V
op(l) =  ReadVolatile A op(u) =  W riteVolatile A var(l)  =  var(u)) A
t(l) =  t(i1) A (t(u) =  t(i2) V t(i2) =  tinit) A
time(i2) <  time(u) A time(u) <  time(l) A time(l)  <  time(i1)
A fter es tab lish ing  th e  o rdering  re la tio n sh ip  by  cond ition  L C  O r d e r , th e  re­
qu irem en t o f seria liza tion  is enforced in  legalNormalWrite.  A w rite  in s tru c tio n  w  
ca n n o t p rov ide its  value to  a read  in s tru c tio n  r  if th e re  ex ists  an o th e r  in te rm e­
d ia te  w rite  in s tru c tio n  w'  on  th e  sam e variab le  betw een  r  an d  w  in  th e  o rdering  
p a th .
lega lN orm alW rite (r ,w) =
op(w) =  W riteNorm al A var(w)  =  var(r) A 
(t(w) =  t(r)  ^  pc(w) <  pc(r)) A
(- 3w' G GIB : op(w') =  W riteNorm al A var(w') =  var(r) A 
LCOrder(r ,w ')  A LCOrder(w ',w))
T h e mutual exclusion effect o f Lock an d  Unlock o p era tio n s  is enforced by 
u p d a tin g  an d  track in g  th e  count an d  ow n er  fields o f each lock as specified in  
th e  tra n s itio n  tab le .
5.6 V isib ility  Ordering R equirem ent for th e  Java M em ory M odel
5.7 V olatile Variable Sem antics
W h en  JM M m p  w as p roposed , th e  exac t o rdering  req u irem en t for vo la tile  vari­
able o p era tio n s  w as s till u n d e r d eb a te . O ne suggestion  w as to  requ ire  vo la tile 
variab le o p era tio n s  to  be sequen tia lly  consisten t. A n o th er suggestion  was to  re­
lax  W rite  A tom icity . A lth o u g h  JM M m P prov ides a form al specification  to  allow 
n on-a tom ic  vo la tile  w rite  o p era tio n s, recen t consensus favors S equen tia l C onsis­
te n c y  for all vo la tile  variab le  opera tio n s. T herefore, we define vo la tile  variab le 
sem an tics based  on S equen tial C onsistency  in  th is  p ap er.
W ith  th e  un ifo rm  n o ta tio n  of o u r fram ew ork, p re-defined  m em ory  requ ire­
m en ts  can  b e  easily  reused. H ence, th e  form al defin ition  of S equen tial C onsis­
te n cy  d escribed  in  S ection  4 is app lied  to  define ReadVolatile an d  W riteVolatile 
opera tio n s. T h e  bypassing  ta b le  show n in T able 4 p ro h ib its  an y  reo rdering  am ong 
volatile  o p era tio n s. C o n d itio n  legalVolatileWrite, w hich follows legalWrite  in  Se­
q u en tia l C onsistency, defines th e  legal resu lts  for ReadVolatile opera tions.
legalVolatileW rite(r,w) =
op(w) =  W riteVolatile A var(w)  =  var(r) A
(- 3w' G GIB : op(w') =  W riteVolatile A var(w')  =  var(r) A
time(r) >  time(w') A time(w') >  time(w))
5 .8  F in a l  V a r ia b le  S e m a n t ic s
In Java, a final field can either be a primitive value or a reference to  another object. 
W hen it is a reference, the Java language only requires th a t the reference itself can­
not be modified in the program  after its initialization bu t the fields of the object it 
points to  do not have the same guarantee. JMMmp proposes to  add a special rule to 
those non-final sub-fields th a t are referenced by a final field: if such a sub-field is as­
signed in the constructor, its default value cannot be observed by another thread after 
normal construction. To achieve this, JM M mp uses a special mechanism to “synchro­
nize” initialization inform ation from the constructing thread  to  the final reference and 
eventually to  the elements contained by the final reference. However, w ithout explicit 
support for im m utability from the Java language, this mechanism makes the memory 
semantics substantially more difficult to  understand because synchronization informa­
tion needs to  be carried by every variable. It is also not clear how the exact proposed 
semantics can be efficiently implemented to  support weak memory architectures such 
as A lpha since it involves run-tim e reachability analysis.
Since the m ain goal of this paper is to  illustrate our methodology, finding the 
most reasonable solution for final field semantics is an orthogonal task. To make our 
Java memory model specification complete, yet not to  d istract readers w ith the details 
specific to  certain  semantics, we provide a straightforward definition for final fields. 
It is different from JM M mp in th a t it only requires the final field itself to  be a con­
stan t after being frozen. The visibility criteria for final fields is shown in condition 
legalFinalWrite.  The default value of the final field (when t(w) =  t init) can only be 
observed if the final field is not frozen. In addition, the constructing thread cannot 
observe the default value after the final field is initialized.
legalF inalW rite(r,w) =
op(w) =  W riteFinal A var(w)  =  var(r) A
Initially , a =  0
Thread 1 Thread 2
a = 1 ;  
r1 =  a; 
r2 =  a;
a =  2; 
r3  =  a; 
r4 =  a;
Finally, can it result in r1 =  1, r2  =  2, r3  =  2, and r4  =  1? 
F ig . 6. W rite Atomicity test.
(t(w) — tinit ——
((- 3i1 € GIB : op(i1) =  Freeze A var(i1) =  var(r)) A
(- 3i2 € GIB : op(i2) =  W riteFinal A var(i2)  =  var(r) A t(i2) =  t(r))))
6 Analysis of JMM mp
After adapting JM M mp using our system, we are able to  system atically exercise it 
w ith idiom-driven test programs and gain substantial insight about the underlying 
semantics. Since we have also developed formal executable models for JM M crf [33], 
we can perform a comparison analysis by running the same test programs on both  
models. This helps us understand the subtle differences between the two models.
Running on a PC  w ith a 900 MHz Pentium  III processor and 256 MB of RAM, most 
of our test programs complete in less th an  one second. Our Java memory model M urphi 
im plem entation is available at h ttp ://w w w .c s .u ta h .e d u /fo rm a l_ v e rif ic a tio n /u m m .
6 .1  A n a ly z in g  M e m o r y  M o d e l  P r o p e r t i e s
C o h e re n c e  T e s t  Recall the litmus test shown in Figure 3, which reveals an execu­
tion prohibited by Coherence. W hen variable a is configured as a normal variable, an 
exhaustive enum eration of this test program  under JM M mp reports th a t the outcome 
is indeed perm itted. To further help the users understand the scenario, the UMM tool 
can ou tpu t an interleaving th a t would allow such a result. Thus, based on this simple 
litmus test (without even looking into the internals of the memory model), one can 
make an im m ediate conclusion th a t JM M mp does not enforce Coherence.
W r ite  A to m ic ity  T e s t  The execution in Figure 6 illustrates a violation of W rite 
Atomicity. W hen this test program  (for a norm al variable a) is run using our tool, one 
can quickly find out th a t the result in Figure 6 is allowed by JM M mp bu t forbidden 
by JM M c r f . This reveals a difference between the two models regarding the require­
ment on W rite Atomicity for normal variables. A more thorough analysis of JM M c r f  
indicates th a t the requirem ent of W rite Atomicity in JM M c r f  is a direct consequence 
of the CRF architecture because it uses the shared memory as the rendezvous point 
between threads and caches.
C a u sa l ity  T e s t Causal Consistency [39] requires thread local orderings to be transi­
tive through a causal relationship. The program  shown in Figure 7 reveals a violation 
of causality. W hen it is executed w ith our verification system, a legal interleaving th a t 
allows such a behavior is immediately detected. This proves th a t JM M mp does not
Initially , a =  b =  0
Thread 1 Thread 2 T hread 3
a =  1; r1 =  a; 
b =  1;
r2  =  b 
r3  =  a
Finally, can it result in r1 =  r2 =  1 and r3  =  0? 
F ig . 7. Causality test.
Initially, a =  0
Thread 1 Thread 2
r1 =  a; 
a = 1 ;
r2 =  a; 
a =  r2;
Finally, can it result in r1 =  1 and r2 =  1? 
F ig . 8. Prescient write test.
enforce Causal Consistency for norm al variable operations.
P re s c ie n t W r ite  T es t Figure 8 reveals an interesting case of prescient write, where r1 
in Thread 1 can observe a write th a t is initiated by a later write on the same variable 
from the same thread. O ur system detects th a t such a non-intuitive execution is indeed 
allowed by JMMmp. Therefore, programmers should not assume th a t antidependence 
(dependency of W rite after Read on the same variable) among global variable opera­
tions is always enforced.
Initially, reference  =  f ie ld  =  0
Thread 1 Thread 2
f ie ld  =  1; 
Membar1;  
reference  =  1;
r1 =  reference;  
Membar2  
r2 =  field;
Finally, can it result in r1 =  1 and r2 =  0? 
F ig . 9. Constructor test.
C o n s t ru c to r  P r o p e r ty  The constructor property is illustrated by the program  in Fig­
ure 9. Thread 1 simulates the constructing thread. It initializes the field before releasing 
the object reference. Thread 2 simulates another thread accessing the object field w ith­
out synchronization. M  embar1 and M  embar2 are some hypothetic memory barriers 
th a t prevents instructions from crossing them , which can be easily implemented in our 
program  by simply setting some test specific bypassing rules. This program  essentially 
simulates the object constructing mechanism used by JM M c rf, where Membar1  is a 
special EndCon instruction used in JM M c r f  to  indicate the completion of a construc­
tor and M em bar2 is due to  d a ta  dependency enforced by program  semantics when 
accessing f ie ld  through reference.  If f ie ld  is a norm al variable, this mechanism works 
under JM M c r f  bu t fails under JM M mp. In JM M m p, the default write to  f ie ld  is still a 
valid write for the reading th read  since there does not exist an ordering requirem ent on 
non-synchronized writes. However, if f ie ld  is declared as a final variable and the Freeze
instruction is used for Membar1, Thread 2 would never observe the default value of 
f ie ld  if reference  is initialized. This illustrates the different strategies used by the two 
models for preventing prem ature releases during object construction. JM M c r f  treats 
all fields uniformly and JM M mp guarantees fully initialized fields only if they are final 
or pointed by final fields.
6 .2  V e r i f y in g  P r o g r a m m i n g  P a t t e r n s
In [33], we have proposed to  apply the model checking technique for verifying common 
synchronization idioms, such as the Double-Checked Locking algorithm, for memory 
model compliance. As also dem onstrated by Peterson’s algorithm in Section 1, many 
popular programming patterns developed under certain  memory consistency assum p­
tions might break for more relaxed memory models. An effective strategy for developing 
robust m ultithreaded programs is to  carefully analyze them  based on formal methods. 
For example, when the test program  in Figure 2 is executed using norm al variables, it 
is shown th a t such a violation scenario is indeed allowed by the Java memory model. 
Based on this experiment, one can im m ediately conclude th a t the algorithm is unsafe to 
use in Java programs w ithout applying additional synchronization operations. O n the 
other hand, if one use volatile variables and run the test again, the violation scenario 
would not occur.
6 .3  I n c o n s i s t e n c ie s  in  J M M m p
N o n -A to m ic  V o la tile  W r ite s  JM M mp provides a formal definition th a t allows volatile 
write operations to  be non-atomic. One of the proposed requirem ents for non-atomic 
volatile write semantics is th a t if a thread t  has observed the new value of a volatile 
write, it can no longer observe the previous value. In order to  implement this require­
ment, a special flag readThisVolatilet>w,infot) is initialized to  fa lse  in initVolatileWrite 
[13, Figure 14]. W hen the new volatile value is observed in readVolatile, this flag should 
be set to  true  to  prevent the previous value from being observed again by the same 
thread. However, this critical step is missing and the flag is never set to true  in the 
original proposal. This omission causes inconsistency between the specification and the 
intended goal.
F in a l V a ria b le  S e m a n tic s  A design flaw in the final variable semantics has also been 
discovered. This is about a corner case in the constructor th a t initializes a final variable. 
The scenario is illustrated in Figure 6.3. After the final field a is initialized, it is read by 
a local variable in the same constructor. The readFinal definition [13, Figure 15] would 
allow r  to  read back the default value of a . This is because a t th a t tim e a has not been 
“synchronized” to  be known to the object th a t it has been frozen. B ut the readFinal 
action only checks th a t inform ation from the kF set th a t is associated w ith the object 
reference. This scenario compromises program  correctness because d a ta  dependency is 
violated.
7 CONCLUSIONS
We have presented a specification methodology for formalizing memory consistency 
models in general, and the Java memory model in particular. Coupled w ith a model
class foo {
final int a;
public foo() { 
int r; 
a = 1;
r = a; // can r = 0?
}
}
F ig . 10. A flaw in the final variable semantics.
checking tool, it provides a powerful framework for conducting memory model anal­
ysis and m ultithreaded program  verification. The flexibility of the transition  system 
provides a generic abstraction mechanism for executable consistency models. O ur op­
erational specifications are w ritten  in a parameterizable style. Users can redefine the 
bypassing table and the visibility ordering rules to  obtain an executable specification 
for another memory model. In addition, the simple abstract machine architecture elim­
inates unnecessary complexities introduced by im plem entation specific d a ta  structures. 
Hence, it helps clarify the essential semantics of the shared memory system.
F u tu re  W o rk s  A reliable specification framework may lead to  several interesting fu­
ture works. F irst, currently people need to  develop test programs by hand to  conduct 
verification. To autom ate this process, programming pa tte rn  annotation and infer­
ence techniques can play an im portant role. Second, trad itional com pilation techniques 
should be systematically analyzed for memory model compliance in a m ultithreaded 
environment and new optim ization opportunities allowed by more relaxed consistency 
requirem ents should be explored. Lastly, architectural memory models and the Java 
memory model may be compared through refinement analysis to  aid efficient JVM  
implementations. We hope our work can help pave the way towards future studies in 
these exciting areas.
A c k n o w le d g m e n ts
We sincerely thank  all contributors to  the Java memory model mailing list for their in­
spiring discussions about many aspects of the Java Memory Model. We especially thank  
Bill Pugh  for his insightful comments about our work. We also thank  the anonymous 
referees of this paper and K onrad Slind for their detailed suggestions.
References
1. G. L. Peterson. M yths about the m utual exclusion problem. Information Processing 
Letters, Volume 12, Number 3, June 1981.
2. M ustaque Aham ad, Rida Bazzi, R anjit John, Prince Kohli, and Gil Neiger. The 
power of Processor Consistency. In the 5th Annual ACM  Symposium on Parallel 
Algorithms and Architectures, 1993.
3. A formal specification of Intel Itanium  processor family memory ordering, Appli­
cation Note, Document Number: 251429-001, October 2002.
4. Rajeev Joshi, Leslie Lam port, John M atthews, Serdar Tasiran, M ark Tuttle, Yuan 
Yu. Checking cache-coherence protocols w ith T L A +, Volume 22, Issue 2, Pages 
125-131, M arch 2003.
5. L. Lam port. How to make a multiprocessor com puter th a t correctly executes 
multiprocess programs. IEEE Transactions on Computers, C-28(9):690-691, 1979.
6. S. V. Adve and K. Gharachorloo. Shared memory consistency models: a tutorial. 
IEEE Computer, 29(12):66-76, 1996.
7. K. Gharachorloo. Memory consistency models for shared-m emory multiprocessors. 
Technical Report CSL-TR-95-685, Stanford University, December 1995.
8. R. J. L ipton and J. S. Sandberg. PRAM : a scalable shared memory. Technical 
Report CS-TR-180-88, 1988.
9. P. Keleher, A. L. Cox, and W. Zwaenepoel. Lazy release consistency for software 
distributed  shared memory. In the 19th International Symposium of Computer 
Architecture, pages 13-21, May 1992.
10. G. Gao and V. Sarkar. Location consistency - a new memory model and cache con­
sistency protocol. Technical Report, 16, CAPSL, University of Delaware, February 
1998.
11. J. Gosling, B. Joy, and G. Steele. The Java language specification, chapter 17. 
Addison-Wesley, 1996.
12. W. Pugh. The Java memory model is fatally flawed. Concurrency: Practice and 
Experience, 12(1):1-11, 2000.
13. J. Manson and W. Pugh. Semantics of m ultithreaded Java. Technical Report 
UMIACS-TR-2001-09, 2002.
14. J. Manson and W. Pugh. Core semantics of m ultithreaded Java. In ACM  Java 
Grande Conference, June 2001.
15. Klaus Havelund and Thom as Pressburger. Model checking JAVA programs using 
JAVA PathF inder. In International Journal on Software Tools for Technology 
Transfer, volume 2, number 4, pages 366-381, 2000.
16. W. Visser, K. Havelund, G. B rat, and S. Park. Java P athF inder - second generation 
of a Java model checker. In Post-CAV Workshop on Advances in Verification, 
Chicago, 2000.
17. Jam es C. C orbett. Evaluating deadlock detection m ethods for concurrent software. 
In IEEE Transactions on Software Engineering, volume 22, num ber 3, pages 161­
180, M arch 1996.
18. Jam es C. C orbett, M atthew  B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. 
Pasareanu, Robby, and Hongjun Zheng. Bandera: extracting finite-state models 
from Java source code. In International Conference on Software Engineering, pages 
439-448, 2000.
19. D. Park, U. Stern, and D. Dill. Java model checking. In the First International 
Workshop on Automated Program Analysis, Testing and Verification, Limerick, 
Ireland, 2000.
20. J. Moore, R. Krug, H. Liu, and G. Porter. Formal models of Java a t the JVM 
level -  a survey from the ACL2 perspective. In Workshop on Formal Techniques 
for Java Programs, in association w ith ECO O P 2001, June 2001.
21. Cormac Flanagan and Shaz Qadeer. A type and effect system for atomicity. 
P LD I’03.
22. A. Gontm akher and A. Schuster. Java consistency: non-operational characteriza­
tions for Java memory model. In ACM  Transactions On Computer Systems, vol. 
18, No. 4, pages 333-386, November 2000.
23. Y. Gurevich, W. Schulte, and C. Wallace. Investigating Java concurrency using 
abstract sta te  machines. Technical Report 2000-04, University of Delaware, De­
cember 1999.
24. J.-W . Maessen, Arvind, and X. Shen. Improving the Java memory model using 
CRF. In OOPSLA, pages 1-12, October 2000.
25. Java Specification Request (JSR) 133: Java memory model and thread specification 
revision.
h ttp ://jcp .o rg /js r/d e ta il/1 3 3 .jsp .
26. Java memory model mailing list.
h ttp ://w w w .cs.um d.edu/ pugh/java/m em oryM odel/archive.
27. X. Shen, Arvind, and L. Rudolph. Commit-Reconcile & Fences (CRF): a new mem­
ory model for architects and compiler writers. In the 26th International Symposium 
On Computer Architecture, A tlanta, Georgia, May 1999.
28. W. W. Collier. Reasoning about parallel architectures. Prentice-Hall, 1992.
29. Yue Yang, Ganesh Gopalakrishnan, Gary Lindstrom, and K onrad Slind. Analyzing 
the Intel Itanium  memory ordering rules using logic programming and SAT. In 
the 12th Advanced Research Working Conference on Correct Hardware Design and 
Verification Methods (CHARME 2003), Springer Verlag LNCS, October 2003.
30. D. Dill, S. Park, and A. Nowatzyk. Formal specification of abstract memory models. 
In the 1993 Symposium for Research on Integrated Systems, pages 38-52, 1993.
31. S. P ark  and D. Dill. An executable specification and verifier for Relaxed Memory 
Order. IEEE Transactions on Computers, 48(2):227-235, 1999.
32. D. Weaver and T. Germond. The SPARC A rchitecture M anual Version 9. Prentice 
Hall, 1994.
33. Yue Yang, Ganesh Gopalakrishnan, and Gary Lindstrom. Analyzing the CRF Java 
memory model. In the 8th Asia-Pacific Software Engineering Conference, pages 
21-28, 2001.
34. D. Dill. The Mur<^ verification system. In 8th International Conference on Com­
puter Aided Verification, pages 390-393, 1996.
35. Philip Bishop and Nigel Warren. Java in pratice: design styles and idioms for 
effective Java, chapter 9. Addison-Wesley, 1999.
36. A. Roychoudhury and T. M itra. Specifying m ultithreaded Java semantics for pro­
gram  verification. In International Conference on Software Engineering, 2002.
37. Prosenjit Chatterjee, H em anthkum ar Sivaraj, and Ganesh Gopalakrishnan. Shared 
memory consistency protocol verification against weak memory models: refinement 
via model-checking. In Computer-Aided Verification (C A V ’02), July, 2002.
38. R. G erth. In troduction to  Sequential Consistency and the lazy caching algorithm. 
Distributed Computing, 1995.
39. M ustaque Aham ad, Phillip W. H utto, Gil Neiger, Jam es E. Burns, and Prince 
Kohli. Causal memory: definitions, im plem entation and programming. Technical 
Report G IT-CC-93/55, Georgia Institu te  of Technology, July 1994.
