Transactions in the Jungle by Guerraoui, Rachid et al.
Transactions in the Jungle∗
Rachid Guerraoui
EPFL Switzerland
rachid.guerraoui@epfl.ch
Thomas A. Henzinger
IST Austria
tah@ist.ac.at
Michał Kapałka
EPFL Switzerland
michal.kapalka@epfl.ch
Vasu Singh
IST Austria
vasu.singh@ist.ac.at
ABSTRACT
Transactional memory (TM) has shown potential to simplify the
task of writing concurrent programs. Inspired by classical work
on databases, formal definitions of the semantics of TM executions
have been proposed. Many of these definitions assumed that ac-
cesses to shared data are solely performed through transactions. In
practice, due to legacy code and concurrency libraries, transactions
in a TM have to share data with non-transactional operations. The
semantics of such interaction, while widely discussed by practi-
tioners, lacks a clear formal specification. Those interactions can
vary, sometimes in subtle ways, between TM implementations and
underlying memory models.
We propose a correctness condition for TMs, parametrized opac-
ity, to formally capture the now folklore notion of strong atomic-
ity by stipulating the two following intuitive requirements: first,
every transaction appears as if it is executed instantaneously with
respect to other transactions and non-transactional operations, and
second, non-transactional operations conform to the given underly-
ing memory model. We investigate the inherent cost of implement-
ing parametrized opacity. We first prove that parametrized opac-
ity requires either instrumenting non-transactional operations (for
most memory models) or writing to memory by transactions us-
ing potentially expensive read-modify-write instructions (such as
compare-and-swap). Then, we show that for a class of practical
relaxed memory models, parametrized opacity can indeed be im-
plemented with constant-time instrumentation of non-transactional
writes and no instrumentation of non-transactional reads. We show
that, in practice, parametrizing the notion of correctness allows de-
veloping more efficient TM implementations.
Categories and Subject Descriptors
D.1.3 [Programming Techniques]: Concurrent Programming;
D.2.4 [Software Engineering]: Software/Program Verification
∗This research was supported by the Swiss National Science Foun-
dation and by the Velox FP7 European project.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
SPAA’10, June 13–15, 2010, Thira, Santorini, Greece.
Copyright 2010 ACM 978-1-4503-0079-7/10/06 ...$10.00.
General Terms
Theory, Verification
Keywords
Transactional memory, memory models, correctness
1. INTRODUCTION
Transactional memory (TM) [15, 25] offers a promising
paradigm for concurrent programming in the multi-core era. A
TM allows a programmer to think in terms of coarse-grained code
blocks—transactions—that appear to be executed atomically; and
at the same time, a TM yields a high level of parallelism. The mu-
tual interaction between transactions is formalized by the notion
of serializability [22] or opacity [13]. Serializability, a common
correctness notion in database transactions, requires that commit-
ted transactions look as if they executed sequentially. But, it was
observed [8, 14] that serializability is not sufficient for memory
transactions, where it is important that even aborted transactions
do not observe an inconsistent state of the memory. This gave rise
to a new correctness criterion called opacity. The idea of opacity
is to give programmers an illusion that there is no concurrency be-
tween transactions, whether committed or aborted. That is, opacity
requires that all transactions “look like” they executed in some se-
quential order, consistent with their real-time order. Most of the
TM implementations [8, 14] satisfy opacity. The formal definition
of opacity has allowed for a clear understanding of transactions [13]
and also for development of model checking techniques for TM al-
gorithms [10, 11, 12].
Ideally, a program could execute all operations on shared
data within transactions, and have non-transactional operations on
thread-local data. In practice, however, due to the presence of
legacy code and concurrency libraries, and due to programming
idioms like privatization and publication, transactions have to inter-
act with non-transactional operations [1, 7, 9, 29, 19, 21, 26, 20].
Moreover, demanding segregation of transactional data from non-
transactional data poses an additional burden on the programmer.
The interaction between transactions and non-transactional opera-
tions has been expressed using a notion of strong atomicity [19,
17] in the literature. The intuition behind strong atomicity is that
transactions execute atomically with respect to other transactions
and non-transactional operations. Unfortunately, strong atomicity
has not been formally defined, which has thus led to multiple in-
terpretations [28]. Consider, for example, the execution depicted in
Figure 1 (adapted from [9]). The transaction executed by thread 1
updates variables x and y. Thread 2 reads the variables x and y
non-transactionally. Is it possible that thread 2 reads x as 1 and y
as 0? According to the definition by Martin et al. [19], strong atom-
Thread 1 Thread 2
atomic {
x := 1
y := 1 r1 := x
} r2 := y
Figure 1: Can r1 = 1 and r2 = 0? It depends on the memory
model (initially x = y = 0).
icity allows this result. But, according to the definition of strong
atomicity by Larus et al. [17], this result is not allowed. The ambi-
guity in this definition can be attributed to an implicit assumption
on the interaction between non-transactional operations, which in
turn, depends upon the underlying memory model [2]. A memory
model specifies the set of allowed behaviors of memory accesses in
a shared memory program. A relaxed memory model allows the un-
derlying system to reorder memory instructions, while a stringent
memory model like sequential consistency enforces instructions to
execute in program order. While Martin et al. [19] assume a re-
laxed memory model which allows reordering independent reads
(for example, RMO [30]), Larus et al. [17] assume a sequentially
consistent memory model.
We provide a general formal framework for describing the inter-
actions between transactions and non-transactional operations. We
consider opacity as a correctness condition for transactions, and
parametrize it by a memory model. We claim that while a TM can
be implemented in a way to ensure opacity for transactions, there
is little one can do (on a given platform or run-time environment)
to change the underlying memory model. Hence, it is desirable to
define opacity parametrized by a memory model. Moreover, we
want the definition of parametrized opacity to be implementation-
agnostic (like opacity), so that it allows for transactional objects
with semantics richer than that of simple read-write variables.
We present a definition of a memory model which is general
enough to capture a variety of memory models. Intuitively, we
formalize a memory model as a function which, depending upon
the sequence of operations, gives the set of possible orders of op-
erations. Our formalism can capture common memory models like
TSO, PSO, RMO [30], and Alpha [27]. Moreover, we allow dif-
ferent processes to observe different orders of operations, which
allows us to capture memory models with non-atomic stores, like
IA-32 [6]. We classify memory models on the basis of the possible
reorderings of operations they allow.
Our formalization of parametrized opacity is guided by the fol-
lowing intuition:
Opacity for transactions. Whatever the memory model is, exe-
cutions that are purely transactional must ensure opacity. Indeed,
the semantics of transactions should be intuitive and strong—in the
end, we want TMs to be as easy to use as coarse-grained locking.
Consider Figure 2(a). Thread 2 should observe x as 0 or 2, because
the intermediate state of a transaction (x = 1) is not visible to other
transactions. Also, y can be observed as 0 or 2. Moreover, y can
be observed as 2 only if x is observed as 2, because the effect of
transactions is visible in real-time order. Thus, the possible values
of z are 0 and 2. Note that even if thread 2 aborts, opacity requires
that z is 0 or 2.
Efficiency of non-transactional operations. Executions that are
purely non-transactional have to adhere to the given memory
model. In particular, parametrized opacity should not strengthen
the semantics of non-transactional operations. The motivation
here is to avoid a framework that would inherently require non-
transactional operations to be instrumented with additional mem-
ory fences or software barriers, even for very weak memory mod-
els. This supports the ideology of software memory models like
Java which inherently provide weak guarantees, and require special
synchronization for stronger guarantees. In Figure 2(b), a memory
model may relax the order of write operations in Thread 1 or the
read operations in Thread 2, resulting in r1 = 1 and r2 = 0.
Isolation of transactions from non-transactional operations. Trans-
actions should appear, both to other transactions and non-
transactional operations, as if they were executed instantaneously.
In particular, isolation of transactions should be respected, regard-
less of the memory model. The intermediate computations of trans-
actions, or updates by aborted transactions, should never be visible
to non-transactional operations. Moreover, the non-transactional
operations concurrent to a transaction should appear as if they hap-
pened before or after this transaction. In Figure 2(c), Thread 2 can-
not observe an intermediate state of a transaction, and thus z 6= 1.
Moreover, the effect of a non-transactional operation cannot show
up in the middle of a transaction. Thus, r1 = r2.
Note that opacity parametrized by sequential consistency gives
the notion of strong atomicity as proposed by Larus et al. [17]. On
the other hand, parametrized opacity for a relaxed memory model
like RMO matches the notion of strong atomicity given by Martin
et al. [19].
In practice, TM implementations that guarantee strong atomic-
ity require that non-transactional operations, instead of accessing
memory directly, adhere to an access protocol as defined by the
TM implementation. This modification of the semantics of non-
transactional operations is known as instrumentation. For exam-
ple, Tabatabai et al. [26] propose a TM implementation, where the
non-transactional read and write operations follow the locking dis-
cipline as required by the transactions. The formal definition of
opacity parametrized by a memory model allows us to theoreti-
cally analyze the cost of creating TM implementations that guar-
antee parametrized opacity. While parametrized opacity is the in-
tuitive correctness property for transactional programs with non-
transactional operations, we show that, without instrumentation, it
cannot be achieved on most memory models. Even for the small
class of idealized memory models, where parametrized opacity
can be achieved without instrumentation, we show that a TM im-
plementation must use expensive read-modify-write operations for
each object read and modified by a transaction.
Next, we focus on TM implementations that instrument non-
transactional write operations, without any instrumentation for
non-transactional read operations. We start with a basic result that
shows that for memory models that allow reordering independent
reads, it is possible to achieve parametrized opacity without instru-
menting the read operations, and treating every non-transactional
write as a transaction in itself. Note that this might not provide a
practical solution, as we do not want a non-transactional operation
to carry the overhead associated with a transaction. Moreover, we
want non-transactional operations to finish in bounded time, while
a transaction, in general, may take arbitrarily long to finish. The
next question we ask is whether we can obtain parametrized opac-
ity for a class of memory models with constant-time instrumenta-
tion on the writes? We show that for a class of memory models
that allows reordering a read of a variable following a read or write
of another variable (like Alpha [27] and Java [18]), it is indeed
possible to achieve parametrized opacity with constant-time instru-
mentation for non-transactional write operations. We also discuss
how to adapt the constant-time write instrumentation solution for
memory models that do not allow to reorder data-dependent reads
(like RMO [30]).
Using our theoretical framework, we examine existing TM im-
plementations that guarantee parametrized opacity. TM implemen-
Thread 1 Thread 2
atomic {
x := 1
x := 2 atomic {
} z := x− y
atomic { }
y := 2
}
(a) Can z < 0?
Thread 1 Thread 2
x := 1 r1 := y
y := 1 r2 := x
(b) Can r1 = 1 and r2 = 0?
Thread 1 Thread 2
atomic { z := x
x := 1
x := 2
}
atomic {
r1 := z
r2 := z
}
(c) Can z = 1 or r1 6= r2?
Figure 2: Motivating examples for the definition of parametrized opacity (initially x = y = z = 0 in every case)
tations in the literature that satisfy strong atomicity [26], in fact, are
implemented with sequential consistency of non-transactional op-
erations in mind. We observe that a TM implementation can be de-
signed to be more efficient, if it is to satisfy opacity parametrized by
a weaker memory model. We extract the key practical ideas from
our proofs which shall help to design more efficient TM imple-
mentations that guarantee opacity parametrized by relaxed memory
models.
2. PRELIMINARIES
We first describe a framework of a shared memory system con-
sisting of shared objects and operations on those objects.
Operations. We consider a shared-memory system consisting of a
set P of processes that communicate by executing commands on a
set Obj of shared objects. Let C be a set of commands on shared
objects, where arguments and return values are treated as part of a
command. For example, in a system that supports only reading and
writing of shared (natural number) variables, we have C = {rd,
wr} × N. We define operations O ⊆ C × Obj as the set of all
allowed command-object pairs. For ease of readability, we write
(rd, v, x) and (wr, v, x) instead of, respectively, ((rd, v), x) and
((wr, v), x).
Besides commands on shared objects, every process p ∈ P can
execute the following special operations: start to start a new trans-
action, commit to commit the current transaction, and abort to
abort the transaction. Let Oˆ = O ∪ {start, commit, abort}.
Object semantics. We use the concept of a sequential specifica-
tion [16] to describe the semantics of objects. Given an object
x ∈ Obj , we define the semantics [[x]] ⊆ C∗ as the set of all
sequences of commands on x that could be generated by a single
process accessing x.
Example. Let x be a shared variable (with initial value 0) that sup-
ports only the commands to read and write its value. Then, [[x]] is a
subset of ({rd, wr} × N)∗, such that, for every sequence c1 . . . cn
in [[x]], and for all i, v ∈ N, if ci = (rd, v), then either (a) the latest
write operation preceding ci in c1 . . . cn is (wr, v), or (b) v = 0
and no write operation precedes ci in c1 . . . cn.
Histories. We define an operation instance as (o, p, k), where
o ∈ Oˆ is an operation, p ∈ P is a process that issues the oper-
ation, and k ∈ N is a natural number representing the identifier of
the operation instance. A history h ∈ (Oˆ ×P ×N)∗ is a sequence
of operation instances such that, for every pair (o, p, i), (o′, p′, j)
of operation instances in h, we have i 6= j. Intuitively, we want
each operation instance in a history to have a unique identifier. For
a natural number k, when we say “operation k”, we mean “oper-
ation instance with identifier k”, i.e., the element of h of the form
(o, p, k), where o ∈ Oˆ and p ∈ P . A transaction of a process p
is a subsequence (o1, p, i1) . . . (on, p, in) of a history h, such that
(i) o1 is a start operation, (ii) either operation in is the last oper-
ation instance of p in h, or on ∈ {commit, abort}, and (iii) all
operations o2, . . . , on−1 belong to set O . A transaction T is com-
mitted (resp. aborted) in a history h if the last operation instance of
T has a commit operation (resp. an abort operation). A transaction
T is completed if T is committed or aborted. Given a history h and
a natural number k, we say that operation k is transactional in h
if operation k is part of a transaction in h. Otherwise, operation k
is said to be non-transactional. We assume that every history h
is well-formed: that is, every non-transactional operation in h be-
longs to set O . Intuitively, well-formedness of a history requires
that every commit and abort of a transaction matches a correspond-
ing start, and that there are no nested transactions. We denote by H
the set of all histories.
Given a history h, we define the real-time partial order relation
≺h⊂ N × N of the operation identifiers in h, such that, for two
natural numbers i and j, we have i ≺h j, if:
(i) operations i and j belong to transactions T and T ′, respectively,
where T is completed in h and the last operation instance of T
precedes the first operation instance of T ′ in h, or
(ii) operation i precedes operation j in h, both operations are ex-
ecuted by the same process, and at least one of those operation
instances is transactional.
Sequential histories. We say that a history h is sequential if, for
every transaction T in h, every operation instance between the start
operation instance of T and the last operation instance of T in h
is a part of T . That is, intuitively, no transaction overlaps with
another transaction or with any non-transactional operation in h.
We say that a sequential history s respects a partial or a total order
≺⊆ N×N if, for every pair (i, j), if i ≺ j then operation i precedes
operation j in s.
Let s be a sequential history. We denote by s|x the subsequence
of all commands invoked on object x in s. We say that s is legal
if, for every object x, we have s|x ∈ [[x]]. We denote by visible(s)
the longest subsequence of s that does not contain any operation
instance of a non-committed transaction T , except if T is not fol-
lowed in s by any other transaction or non-transactional operation
instance. We say that an operation k in s is legal in s if history
visible(s′) is legal, where s′ is the prefix of s that ends with opera-
tion k.
Example. Consider the history h depicted in Figure 3(a). The trans-
action of process p1 finishes before the transaction of process p3
starts. The precedence relation ≺h consists of elements (1, 2),
(5, 7), (1, 9), and many more. On the other hand, (1, 6) and (6, 9)
are not in ≺h. An example of a sequential history is given in Fig-
ure 3(b). Note that s respects ≺h. History s is legal if v = 0 and
v′ = 1.
3. DEFINING PARAMETRIZED OPACITY
In this section, we first formalize the notion of a memory model.
Then, we define parametrized opacity, i.e., opacity parametrized by
id p1 p2 p3
1 wr, 1, x
2 start
3 rd, 1, y
4 wr, 1, y
5 commit
6 rd, v, x
7 start
8 commit
9 rd, v′, x
(a) History h
id p1 p2 p3
6 rd, v, x
1 wr, 1, x
2 start
4 wr, 1, y
5 commit
3 rd, 1, y
7 start
8 commit
9 rd, v′, x
(b) Sequential history s
Figure 3: An example of a history and a sequential history. Ev-
ery history is read top to bottom. Notation: wr, 1, x in the col-
umn marked with process p and in the row marked with id k
stands for the operation instance (((wr, 1), x), p, k).
a given memory model. Finally, we give a classification of memory
models based on the reorderings of operations they allow.
3.1 A Memory Model
A memory model describes the semantics of memory accesses in
a shared memory system. We formalize a memory model as a per-
process reordering of the history. The memory model is defined in
such a way that it allows different processes to have different views
of the history, similar to the formalism by Sarkar et al. [24].
We define a process view as a function view : P → 2N×N such
that view(p) is a partial order on the set of natural numbers for
every process p ∈ P . Let V be the set of all process views. A
memory model is given by the function M : H → 2V that maps a
history to a set of process views. Intuitively, a process view allows
different processes to observe different orders of operations in a
given history. This helps capturing memory models that allow non-
atomic stores, e.g., IA-32 [6].
Well-formed memory models. A memory model M is well-
formed if, for every history h ∈ H , every view view ∈ M(h),
every process p ∈ P , and every pair (i, j) ∈ view(p): (i) op-
erations i and j are non-transactional in h, (ii) i precedes j in h,
and (iii) (j, i) /∈ view(p′) for every process p′ ∈ P . Intuitively,
condition (i) requires that a memory model imposes an order only
on non-transactional operations, condition (ii) requires that a view
does not force a process to observe some operations out of program
order, and condition (iii) requires that a view does not force two
processes to observe operations in different orders.1 All memory
models we know of are indeed well-formed.
Capturing dependence of operations. Often, memory models
disallow reordering two operations if the latter one is control- or
data-dependent on the former one [18, 30]. To capture those mem-
ory models, we distinguish between dependent and independent
operation instances. We do so by using additional commands:
{cdrd, ddrd, cdwr, ddwr} × N × 2N. For example, an operation
instance (o, p, k) in h with o = ((cdrd, v, {k1, . . . , kn}), x) de-
notes a read operation which reads value v from variable x, and is
control-dependent on operations k1 . . . kn in h.
Examples. We consider histories with only read and write op-
erations on shared variables. We say that a view view is iden-
tical across processes, if view(p) = view(p′) for all processes
p, p′ ∈ P .
Sequential consistency MSC requires that the order of opera-
1Note that condition (iii) does not disallow non-atomic stores,
where different processes may observe stores in different orders.
The condition disallows memory models that force processes to ob-
serve different orders.
tions of a process in a history is preserved in every view, and all
processes view an identical order of operations of different pro-
cesses. Formally, for all histories h, we have view ∈ MSC (h)
if (a) view is identical across processes, and (b) for every pro-
cess p ∈ P , and every pair (o1, p, i), (o2, p, j) of non-transactional
operations such that operation i precedes operation j in h, we have
(i, j) ∈ view(p).
Total store order Mtso allows a write operation to forward the
value of a variable to a following read operation, and allows re-
ordering of a write operation followed by a read operation to a dif-
ferent variable. Formally, for every history h, we have view ∈
Mtso(h) if (a) view is identical across processes, and (b) for
every process p, and for every pair (o1, p, i), (o2, p, j) of non-
transactional operations such that operation i precedes operation
j in h, we have (i, j) ∈ view(p) if one of following conditions
holds:
(i) o2 is a write operation,
(ii) o1 and o2 are to the same object x, or
(iii) o1 is a read operation of the form (rd, v, x) such that (wr, v, x)
is not the last preceding write operation to x by process p in h.
The intuition for the last case is to allow two read operations to
different variables to be reordered if the first read obtains the value
from a store buffer.
Relaxed memory order allows reordering of reads to the same
variable. It also allows reordering of read and write operations to
different variables, unless the first operation is a read, and the sec-
ond operation is either a write control/data-dependent on the first
operation, or a read data-dependent on the first operation. RMO
is specified by the memory model Mrmo such that, for every his-
tory h, we have view ∈ Mrmo(h) if (a) view is identical across
processes, and (b) for every process p, and for every pair (o1, p, i),
(o2, p, j) of non-transactional operations such that operation i pre-
cedes operation j in h, we have (i, j) ∈ view(p) if one of the
following conditions holds:
(i) o1 and o2 are to the same object x, and one of them is a write,
(ii) o1 is a read of a variable x and o2 = ((cdwr, v,K), y) or
o2 = ((ddwr, v,K), y) for some v ∈ N and K ⊆ N such that
i ∈ K, or
(iii) o1 is a read of a variable x and o2 = ((ddrd, v,K), y) for
some v ∈ N and K ⊆ N such that i ∈ K.
3.2 Parametrized Opacity
We now define the notion of parametrized opacity, i.e., opacity
parametrized by a given memory model. Recall that, intuitively,
parametrized opacity requires that (1) every transaction appears as
if it took place instantaneously between its first and last operation,
and (2) non-transactional operations ensure the requirements spec-
ified by the given memory model.
We say that a history h ensures opacity parametrized by a mem-
ory model M , if there exists a total order on the set of transac-
tional operations in h and a process view view ∈M(h), such that,
for every process p ∈ P , there exists a sequential history s that
satisfies the following conditions: (i) s is a permutation of h, (ii) s
respects relation ∪ ≺h ∪ view(p), and (iii) every operation is
legal in s.
Example. The history h depicted in Figure 3(a) is parametrized
opaque with respect to memory model MSC if v = 1 and v′ = 1.
This is because: (a) operation 3 reads the value of y as 1 which is
written by the transaction of process p1, (b) operation 1 writes x as
1 before the transaction, and (c) SC requires that p2 reads x after
y. Moreover, h is parametrized opaque with respect to memory
model Mrmo if v is either 0 or 1, and v′ = 1. This is because RMO
allows reordering of reads of different variables.
3.3 Classes of Memory Models
We now present a classification of memory models on the ba-
sis of reorderings they allow. We build the following four classes
depending upon the restrictions posed by the memory model.
We define the class read-read restrictive memory models, de-
noted by Mrr , as the set of memory models M such that for all his-
tories h, for all i, j ∈ N, if operation i is a read operation to x and
operation j is a read operation to y such that x 6= y, and both opera-
tions i, j are by process p, then for all process views view ∈M(h),
for all p′ ∈ P , we have (i, j) ∈ view(p′). Intuitively, Mrr restricts
the order of read operations to different variables.
We define the class read-write restrictive memory models, de-
noted by Mrw , as the set of memory models M such that for all
histories h, for all i, j ∈ N, if operation i is a read operation to
x and operation j is a write operation to y such that x 6= y, and
both operations i, j are by process p, then for all process views
view ∈M(h), for all p′ ∈ P , we have (i, j) ∈ view(p′).
Analogously, we define the class write-read restrictive memory
models Mwr and the class write-write restrictive memory models
Mww .
Examples. The SC memory model MSC is in Mrr ∩Mrw ∩Mwr ∩
Mww . The TSO memory model Mtso is in Mrr ∩ Mrw ∩ Mww
and Mtso /∈ Mwr . The partial store order (PSO) memory model
Mpso is in Mrr ∩Mrw and Mpso /∈Mww ∪Mwr . Note that these
classes do not impose any restrictions on views of different pro-
cesses, and thus memory models which allow non-atomic stores
(like IA-32 [6]) can also be classified under these classes. For
example, the IA-32 memory model has a similar classification as
TSO.
4. TM IMPLEMENTATIONS
We now define a TM implementation I, and when a given TM
implementation ensures opacity parametrized by a given memory
model M . Intuitively, I ensures opacity parametrized by M if
every history generated by I ensures opacity parametrized by M .
We thus need to define what a TM implementation is, and precisely
which histories are generated by a given TM implementation.
Instructions. We start by defining hardware primitives that a TM
implementation is allowed to use. Let Addr be a set of memory
addresses. We define the set In of instructions as follows, where
a ∈ Addr and v, v′ ∈ N:
In ::= 〈load a, v〉 | 〈store a, v〉 | 〈cas a, v, v′〉
We call the store and CAS instructions update instructions. An
operation of a history corresponds to a sequence of instructions.
To know the begin and end points of an operation at the level of
hardware, we use two special instructions ., / for each operation.
For every operation o ∈ Oˆ , we denote the invocation (instruction)
of o as (., o), and the response (instruction) of o as (/, o). Let
Iˆn = In ∪ ({., /} × Oˆ).
Traces. We define an instruction instance as (in, p, k), where in ∈
Iˆn is an instruction, p ∈ P is the process that issues the instance,
and k ∈ N is an operation identifier. A trace r ∈ (Iˆn×P×N)∗ is a
sequence of instruction instances. Let k ∈ N be an operation identi-
fier. A complete operation trace of operation k is a sequence of the
form ((., o), p, k) (in1, p, k) . . . (inm, p, k) ((/, o), p, k), where
p ∈ P is a process, o ∈ Oˆ is an operation, and in1 . . . inm ∈ In
are instructions. An incomplete operation trace of operation k
is a sequence of the form ((., o), p, k) (in1, p, k) . . . (inm, p, k),
where p ∈ P , o ∈ Oˆ , and in1 . . . inm ∈ In .
Let r be a trace. Given a process p ∈ P , we denote by r|p
the longest subsequence of instruction instances in r issued by pro-
id p1 p2
1 (., start)
1 〈cas g, 0, 1〉
2 (., (rd, 1, x))
1 (/, start)
2 〈load x, 1〉
3 (., (wr, 1, x))
2 (/, (rd, 1, x))
3 〈store ax, 1〉
3 (/, (wr, 1, x))
4 (., commit)
4 〈store g, 0〉
4 (/, commit))
(a) Trace r
id p1 p2
1 start
2 rd, 1, x
3 wr, 1, x
4 commit
(b) History h1
id p1 p2
2 rd, 1, x
1 start
3 wr, 1, x
4 commit
(c) History h2
Figure 4: A trace and corresponding histories. Notation for
trace: in in column p and row marked with id k represents the
instruction instance (in, p, k)
cess p. We assume that every trace r satisfies the following prop-
erty: for every process p ∈ P , the sequence r|p is a sequence of
complete operation traces, possibly ending with an incomplete op-
eration trace. We say that a history h corresponds to a trace r if:
(i) given any natural number k, an operation (o, p, k) is in h if and
only if there is an instruction instance ((., o), p, k) in r, and
(ii) operation k occurs before operation j if some instruction in-
stance with identifier k occurs in r before some instruction instance
with identifier j.
Intuitively, a history h that corresponds to a trace r represents
the logical order of operations in r. If we assign a point in time to
every instruction in r, and every operation in h, then every op-
eration (o, p, k) in h must be somewhere in between the corre-
sponding invocation instruction ((., o), p, k) and response instruc-
tion ((/, o), p, k) in r.
Example. Consider the trace r shown in Figure 4(a). In r, the start
operation issues a CAS instruction to address g to change the value
from 0 to 1, and the commit instruction stores value 0 to g. Histo-
ries h1 and h2 are two examples of histories that correspond to r.
In the trace given in Figure 4(a), the (single) invocation instance
of process p2 is non-transactional, while all invocation instances of
process p1 are transactional in r.
A trace r is well-formed if every history h corresponding to r
is well-formed. We assume that every trace is well-formed. Let
r be a trace, and p be a process. A transaction T of p in r
is a sequence in r|p of the form ((., start), p, k) (in1, p, k1) . . .
(inm, p, km), where the following conditions are satisfied:
• inm ∈ {(/, commit), (/, abort)}, or (inm, p, km) is the last
instruction instance of rp, and
• for all j s.t. 1 ≤ j < m, we have inj /∈
{(., start),(/, commit), (/, abort)}
Moreover, T is committed (resp. aborted) if the last instruction in-
stance in T is a response of a commit (resp. abort) operation. An
instance ((., o), p, k) of an invocation is said to be transactional
in a trace r if it belongs to some transaction in r. Otherwise, the
instance is said to be non-transactional.
TM implementations. A TM implementation I = 〈IT , IN 〉 is a
pair, where IT : Oˆ → 2In∗ is the implementation for transactional
operations, and IN : O → 2In∗ is the implementation for non-
transactional operations.
Let I = 〈IT , IN 〉 be a TM implementation. We say that a
complete operation trace ((., o), p, k) (in1, p, k) . . . (inm, p, k)
((/, o), p, k) is transactionally (resp. non-transactionally) gener-
ated by I, if sequence in1 . . . inm is in IT (o) (resp. in IN (o)).
We say that an incomplete operation trace ((., o), p, k) (in1, p, k)
. . . (inm, p, k) is transactionally (resp. non-transactionally) gen-
erated by I, if sequence in1 . . . inm is a prefix of some element
in IT (o) (resp. in IN (o)).
Given a trace r and a TM implementation I, we say that r is
generated by I if for every transactional (resp. non-transactional)
operation k in r, the complete or incomplete operation trace of op-
eration k in r is transactionally (resp. non-transactionally) gener-
ated by I.
Instrumentation. We say that a TM implementation I =
〈IT , IN 〉 is uninstrumented if for every variable x, we
have IN (rd, v, x) = {〈load ax, v〉} and IN (wr, v, x) =
{〈store ax, v〉}, where ax is the address of the global copy of
variable x. Otherwise, the TM implementation is instrumented.
Note that these terms refer only to the implementation of non-
transactional operations.
Languages. We define the language L(I) of a TM implemen-
tation as the set of all traces generated by a TM implementa-
tion. We define that a TM implementation I guarantees opacity
parametrized by a memory model M if, for every trace r ∈ L(I),
there is a history h that corresponds to r such that h ensures opacity
parametrized by M .
Note that our definition of a trace does not require that after
an instruction of the form 〈store ax, v〉, the subsequent load of
ax is of the form 〈load ax, v〉. Indeed, the underlying hardware
may execute a relaxed memory model (which, in principle, may
be different from the programmer’s memory model at the level of
operations). For example, a programmer may wish to guarantee
opacity parametrized by sequential consistency on a hardware with
memory model RMO. But for the sake of simplicity, in the follow-
ing sections, we assume that the underlying hardware guarantees
a strong memory model equivalent to linearizability, that is, every
instruction is executed to completion when it is issued. Note that
our impossibility results hold even when the underlying hardware
executes a weaker memory model.
5. ACHIEVING PARAMETRIZED OPAC-
ITY
We use our theoretical framework to investigate the inherent cost
of achieving opacity parametrized by a memory model.
5.1 Uninstrumented TM Implementations
We first study uninstrumented TM implementations, as those
ones do not pose any overhead on non-transactional operations.
We show that for most of the practical memory models, uninstru-
mented TM implementations cannot achieve parametrized opacity
(Theorem 1). Moreover, we show that even to achieve opacity
parametrized by very relaxed memory models, it is required that
transactional write operations for variables read and modified are
implemented as expensive compare-and-swap instructions (Theo-
rem 2). Finally, we establish a complementary result to Theorem 1.
We show that with an idealized memory model that relaxes the or-
der of all operations to different variables, it is possible to obtain
parametrized opacity with an uninstrumented TM implementation
(Theorem 3).
We first prove an auxiliary lemma, which states that if a solo run-
ning committed transaction consists of a write operation, then the
transaction must consist of a store or a compare-and-swap instruc-
tion.
Lemma 1. For every memory model M , an uninstrumented TM
implementation I guarantees parametrized opacity only if, for all
traces r ∈ L(I), and for every committing transaction T in r such
that there is no instruction instance of another transaction between
the first and last instruction instances of T in r, if there is an opera-
tion (wr, v, x) in T , then the transaction T in r contains an update
instruction to ax with value v.
PROOF. Let the value of ax be initially 0. Consider the trace r
depicted in Figure 5(a). Let T be the committed transaction of
process p in r. We observe that T consists of an operation o1 =
(wr, v, x). Note that the invocation of the non-transactional opera-
tion o2 = (rd, v′, x) occurs after the last instruction of T , that is,
the response of the commit operation. As the TM implementation I
is uninstrumented, we have IN (rd, v′, x) = {〈load ax, v′〉}. Note
that as r has a single process, there is only one history h corre-
sponding to r. By definition of ≺h, we know that o1 ≺h o2. Thus,
to guarantee parametrized opacity, we must have v = v′. Thus, T
must issue an update instruction to ax with value v.
Theorem 1. Given a memory model M such that M ∈ (Mrr ∪
Mrw ∪Mwr ∪Mww ), there does not exist any uninstrumented TM
implementation that guarantees opacity parametrized by M .
PROOF. By contradiction, we assume that there exists an
uninstrumented TM implementation I that ensures opacity
parametrized by a memory model M ∈ (Mrr ∪ Mrw ∪ Mwr ∪
Mww ). We consider four cases, each corresponding to a different
class of memory models, in each case showing a trace r of I, in-
volving two processes p1 and p2, that violates opacity parametrized
by M . In the following, we assume that ax and ay are initialized
to 0.
Case 1. Let M ∈ Mrr . That is, M does not allow reordering two
read operations to different variables. Trace r is depicted in Fig-
ure 5(b). Let T consist of operations (wr, v1, x) and (wr, v2, y).
Let v1 6= 0 and v2 6= 0. From Lemma 1, we know that T up-
dates addresses ax and ay with values v1 and v2, respectively.
Without loss of generality, we assume that ax is updated before
ay .2 Let the trace r consist of two non-transactional operations
(rd, v3, x) and (rd, v4, y) issued by process p2 (with identifiers j
and k respectively). As I is uninstrumented, the non-transactional
read operations are implemented as load instructions. Let the two
load instructions 〈load ax, v3〉 and 〈load ay, v4〉 of process p2 ex-
ecute between the updates of ax and ay . Thus, we have v3 = v1
and v4 = 0. Note that if T is an aborted transaction in r, then
there is no history h corresponding to r such that h satisfies opac-
ity parametrized by M . This is because operation j observes the
update to ax. Thus, T is a committed transaction in r. Consider an
arbitrary history h corresponding to r. By definition of Mrr , every
process view view ∈ M(h) requires that (j, k) ∈ view(p) for all
p ∈ P . On the other hand, legality requires operation j to appear
after T , and operation k to appear before T . Thus, there does not
exist a sequential history which satisfies conditions (ii) and (iii) of
parametrized opacity at the same time.
Case 2. Let M ∈ Mwr . That is, M does not allow reorder-
ing a write followed by a read operation to a different variable.
The trace r is shown in Figure 5(c). Let T consist of operations
o1 = (rd, v1, x) and o2 = (wr, v2, y). Let v2 6= 0. From
Lemma 1, we know that T updates address ay with value v2. Let
r consist of two non-transactional operations of p2 in the order
2Figure 5(b) shows the updates as part of the commit operation. In
general, the updates can happen anywhere during the transaction,
but always as two separate instructions.
p
., start
. . .
/, start
., (wr, v, x)
. . .
/, (wr, v, x)
., commit
. . .
/, commit
., (rd, v′, x)
〈load ax, v′〉
/, (rd, v′, x)
(a) Lemma 1
p1 p2
., start
. . .
/, start
., (wr, v1, x)
. . .
/, (wr, v1, x)
., (wr, v2, y)
. . .
/, (wr, v2, y)
., commit
. . .
〈upd ax, v1〉
. . .
., (rd, v3, x)
〈load ax, v3〉
/, (rd, v3, x)
., (rd, v4, y)
〈load ay , v4〉
/, (rd, v4, y)
〈upd ay , v2〉
. . .
/, commit
(b) Theorem 1, Case 1
p1 p2
., start
. . .
/, start
., (rd, v1, x)
. . .
/, (rd, v1, x)
., (wr, v2, y)
. . .
/, (wr, v2, y)
., commit
. . .
., (wr, v3, x)
〈store ax, v3〉
/, (wr, v3, x)
., (rd, 0, y)
〈load ay , 0〉
/, (rd, 0, y)
〈upd ay , v2〉
. . .
/, commit
(c) Theorem 1, Case 2
p1 p2
., start
. . .
/, start
., (wr, v1, x)
. . .
/, (wr, v1, x)
., (wr, v2, y)
. . .
/, (wr, v2, y)
., commit
. . .
〈upd ax, v1〉
., (rd, v3, x)
〈load ax, v3〉
/, (rd, v3, x)
., (wr, v4, y)
〈store ay , v4〉
/, (wr, v4, y)
., (wr, 0, y)
〈store ay , 0〉
/, (wr, 0, y)
〈upd ay , v2〉
. . .
/, commit
., start
. . .
/, commit
., (rd, v5, x)
〈load ax, v5〉
/, (rd, v5, x)
., (rd, v6, y)
〈load ay , v6〉
/, (rd, v6, y)
(d) Theorem 1, Case 3
p1 p2
., start
. . .
/, start
., (rd, v, x)
. . .
/, (rd, v, x)
., (wr, v′, x)
. . .
/, (wr, v′, x)
., commit
. . .
., (wr, v1, x)
〈store ax, v1〉
/, (wr, v1, x)
〈store ax, v′〉
., (rd, v2, x)
〈load ax, v2〉
/, (rd, v2, x)
. . .
/, commit
., start
. . .
/, commit
., (rd, v3, x)
〈load ax, v3〉
/, (rd, v3, x)
(e) Theorem 2
Figure 5: Different traces r constructed in Lemma 1, Theo-
rem 1, and Theorem 2. An 〈upd a, v〉 instruction denotes a
store or a successful cas instruction to address a with value v.
We omit the instruction identifiers. We use . . . as a shorthand
for a sequence of instructions.
(wr, v3, x) (with identifier j) followed by (rd, 0, y) (with identi-
fier k), such that v3 6= v1. As I is uninstrumented, p2 executes
〈store ax, v3〉 followed by 〈load ay, 0〉. Let these two instructions
execute after the response of o1 and immediately before the update
of ay by process p1.3 Note that as p2 does not change the value of
ay , the use of CAS instruction by p1 to update ay will be success-
ful. The key point to note here is that once p1 updates ay with value
v2, transaction T cannot abort. This is because r can be extended
to trace r′, where a non-transactional read by process p2 executes
〈load ay, v2〉. If T is an aborted transaction, then no history corre-
sponding to r′ is parametrized opaque with respect to M . Thus, T
is a committed transaction. Consider an arbitrary history h corre-
sponding to r. Legality requires that operation k occurs before T
and operation j occurs after T . By definition of Mwr , every view
view ∈ M(h) requires that (j, k) ∈ view(p) for all p ∈ P . Thus,
h does not ensure opacity parametrized by M .
Case 3. Let M ∈ Mrw . That is, M does not allow reordering
a read followed by a write operation to a different variable. The
trace r is depicted in Figure 5(d). Let T consist of operations
o1 = (wr, v1, x) and o2 = (wr, v2, y). Let v1 6= 0 and v2 6= 0.
From Lemma 1, we know that T updates addresses ax and ay with
values v1 and v2. Without loss of generality, we assume that ax
is updated before ay . Process p2 issues the following operations
non-transactionally in the order: (rd, v3, x), (wr, v4, y), (wr, 0, y).
Since I is uninstrumented, those three operations are executed as:
〈load ax, v3〉, 〈store ay, v4〉, and 〈store ay, 0〉. Let r be such that
those three instructions occur immediately before the update of ay
with value v2. As p2 changes and restores the value of ay to 0,
process p1 does not observe the change, and thus, the update of ay
with value v2 is successful. As in case 2, T cannot be an aborting
transaction, once T updates ay . We now extend r as follows: after
the response of the commit operation of T , let p2 execute a transac-
tion T ′ followed by two non-transactional operations: (rd, v5, x),
(rd, v6, y).
We show now that the value of ay must remain equal to v2 after
T commits. Assume otherwise: that T stores value v′ 6= v2 to ay
just before committing. Consider a trace r′ in which p1 performs
the same actions as in r and then reads y non-transactionally, and in
which p2 does not perform any actions. Since p1 cannot distinguish
r′ from r, p1 returns value v′ in the non-transactional read after T ,
thus violating opacity parametrized by M—a contradiction.
Therefore, v6 = v2. Note also that v5 = v1. Consider an arbi-
trary history h corresponding to r. Legality requires that the first
non-transactional read by process p2 occurs after T , and the two
non-transactional writes of p2 occur before T . This contradicts the
expected process view for a memory model M ∈ Mrw . Thus, the
history h does not ensure opacity parametrized by M .
Case 4. Let M ∈ Mww . That is, M does not allow reordering
two write operations to different variables. The trace r is similar
to the one for case 3, except that (1) T consists of four operations:
(rd, v′1, x), (rd, v′2, y), (wr, v1, x) and (wr, v2, y), and (2) p2 exe-
cutes operation (wr, v3, x) instead of (rd, v3, x). Let v1 6= 0 and
v2 6= 0 and v3 6= 0. As in case 3, we know that T updates addresses
ax and ay with values v1 and v2, and we assume that ax is updated
before ay . Since I is uninstrumented, the non-transactional write
operations are implemented as store instructions. Let the three store
instructions: 〈store ax, v3〉, 〈store ay, v4〉, and 〈store ay, 0〉 by
process p2 occur immediately before the update of ay with value
v2 by process p1 in trace r. As in case 2, T cannot be an abort-
ing transaction, after it updates ay . Now, note that after updating
3For simplicity, we assume that the transaction loads the value of
ax before the response of o1. The argument holds in general, as the
value of ax is loaded before the update of ay .
On transaction start:
lg := g
while (lg 6= p) do
if lg = 0
〈cas g, lg, p〉
endif
lg := g
endwhile
return
On transaction write of x with value v′:
issue a transactional read of x
if ∃v · (x, v) ∈ writeset(p)
update (x, v) to (x, v′) in writeset(p)
return
endif
add (x, v) to writeset(p)
return
On transaction read of x:
if ∃v · (x, v) ∈ readset(p)
return v
endif
〈load ax, v〉
add (x, v) to readset(p)
return v
On transaction abort:
empty readset(p)
empty writeset(p)
〈store g, 0〉
return
On transaction commit:
while writeset(p) is not empty
pick and remove (x, v′) from writeset(p)
pick and remove (x, v) from readset(p)
〈cas x, v, v′〉
endwhile
empty readset(p)
〈store g, 0〉
return
Figure 6: A global lock based TM implementation
ay , even if T observes the non-transactional write to ax, T cannot
overwrite ax with v2: this requires the non-transactional write to x
to appear before the transaction, but T observes x as 0, and not as
v′1. We can extend the trace r exactly as in case 3 now, and show a
contradiction between the legality and the process view required by
a memory modelM ∈Mww . Thus, for every history h correspond-
ing to r, we know that h does not ensure opacity parametrized by
M .
We saw in the classification of memory models (Section 3.3)
that most of the practical memory models do restrict some order
of operations. Thus, Theorem 1 gives an intuition that without in-
strumentation, it is not possible to achieve opacity parametrized
by practical memory models. We now show that for an idealized
memory model, which allows reordering all operations to different
variables, achieving parametrized opacity is still expensive: a TM
implementation must use a cas instruction within a transaction to
update every variable which is read and written by the transaction.
Theorem 2. For every memory model M , an uninstrumented
TM implementation I guarantees parametrized opacity with re-
spect to M only if, for all traces r ∈ L(I), and for every variable
x, if a committed transaction T consists of operations (rd, v, x) and
(wr, v′, x), then T contains a 〈cas x, v, v′〉 instruction.
PROOF. Consider a trace r with two processes p1 and p2 as
shown in Figure 5(e). Let T be a transaction of process p1 in r,
such that T consists of operations (rd, v, x) and (wr, v′, x). By
Lemma 1, we know that T updates ax with value v′ using either a
store or a compare-and-swap instruction. Suppose T changes the
value of ax using a store instruction. Let r consist of two non-
transactional operations (wr, v1, x) followed by (rd, v2, x) of pro-
cess p2. As I is uninstrumented, we know that a read operation is
implemented as a load, and a write as a store. Consider the trace r
where 〈store ax, v1〉 instruction of process p2 occurs immediately
before 〈store ax, v′〉 instruction of process p1 and the instruction
〈load ax, v2〉 occurs immediately after 〈store ax, v′〉, such that we
get v2 = v′. For a corresponding history of r to be parametrized
opaque with respect to M , the transaction T has to be a commit-
ted transaction. After the response of the commit of T , let there
be an empty transaction T ′ of process p2 in r followed by a non-
transactional read of x, with a load instruction 〈load x, v3〉. Note
that we have v3 = v′. We argue that irrespective of the memory
model M , there does not exist a history h corresponding to r such
that h ensures opacity parametrized by M . This is because the op-
eration (wr, v1, x) of process p2 can appear neither before T (as the
read of v in T returns 0), nor after T (as the read after T ′ returns
v′). Thus, an uninstrumented TM implementation has to use a cas
instruction to update a variable x in a transaction T , if T consists
of both read and write operations to x.
Theorem 3. Given a memory model M /∈ (Mrr ∪ Mrw ∪
Mwr ∪Mww ), there exists an uninstrumented TM implementation
that guarantees opacity parametrized by M .
PROOF. Consider an uninstrumented global lock based TM im-
plementation I described in pseudo code in Figure 6. I acquires
a global lock g during the start of each transaction, and releases
the lock (using 〈store g, 0〉) immediately before the response of the
commit or abort of the transaction. Moreover, for every variable x,
every transaction T loads the value of ax only at the first read or
write operation to x within T (if such an operation exists in T ), and
if T writes to x, then I uses a CAS instruction to update ax in T .
Consider an arbitrary trace r ∈ L(I). Consider a history h corre-
sponding to the trace r obtained by choosing the following logical
points of execution of an operation within an operation trace: start
operation at the successful cas instruction, commit and abort oper-
ations at 〈store g, 0〉 instruction, every non-transactional read at the
load instruction, every non-transactional write at the store instruc-
tion, and every transactional read or write at its invocation. First,
we note that the history h obtained is such that for every pair T, T ′
of transactions in h, either T ≺h T ′ or T ′ ≺h T . Now, consider
a variable x and a transaction T in h. Let k1 . . . kn be a sequence
of non-transactional operation instances to x in h, which occur be-
tween the first and last operations of the transaction T . We create
a sequential history s from h by repeating the following two steps
for all variables:
Step 1. Consider a non-transactional write operation ki for some
1 ≤ i ≤ n. If there is a load of x in T before the store instruction,
or there is no load or cas of x in T after the store instruction with
identifier ki in r, we place all operations ki . . . kn after the transac-
tion T in s. For all other non-transactional write operations ki, we
place all operations k1 . . . ki before the transaction T in s. We now
have no non-transactional write operation to x between the first and
last operations of T .
Step 2. For all remaining non-transactional read operations o, we
place o before T in s if the load instruction corresponding to o
precedes the update to x by T in r, and after T otherwise.
Note that as the memory model freely allows reordering instruc-
tions to independent variables, we can move operations of different
variables freely with respect to each other. Moreover, the two steps
do not change the order of non-transactional operations of a process
to a variable.
5.2 Instrumented TM Implementations
In practice, TM implementations use instrumentation of non-
transactional operations to achieve parametrized opacity. We now
investigate instrumented TM implementations. Typically, a history
contains more read operations than write operations. So, it is worth-
while to study whether we can achieve parametrized opacity by just
instrumenting the non-transactional write operations and leaving
the non-transactional read operations uninstrumented.
We first show that it is indeed possible to achieve parametrized
opacity with uninstrumented reads for a class of memory models
that allow to reorder read operations (Theorem 4). The construction
implements non-transactional write operations as single operation
transactions. Then, we show that for memory models that do not
belong to set Mrr ∪Mwr , it is possible to implement parametrized
opacity with uninstrumented reads and with constant-time instru-
mentation of writes (Theorem 5).
Theorem 4. There exists a TM implementation with uninstru-
mented reads that guarantees parametrized opacity for memory
models M /∈Mrr .
PROOF. Consider a global lock based TM implementation
I that treats transactional operations as in the proof of Theo-
rem 3, and shown in Figure 6. Moreover, I implements a non-
transactional write operation (wr, x, v) as: acquire the global lock
g using cas (as in transaction start), followed by the instruction
〈store x, v〉, followed by 〈store g, 0〉. Intuitively, I treats every
non-transactional write operation as a transaction in itself. I im-
plements non-transactional read operations as load instructions (no
instrumentation).
Consider an arbitrary trace r ∈ L(I). Note that there exists a
history h corresponding to r (obtained using the logical points as
in Theorem 3) such that no non-transactional write occurs between
the first and last operation of a transaction, and for every pair T, T ′
of transactions, either T ≺h T ′ or T ′ ≺h T . Consider a variable x.
Given a transaction T in h, let k1 . . . kn be the identifiers of non-
transactional read operation instances in h, which occur between
the first and last operation of the transaction T . We create a se-
quential history s from h as in Theorem 3: for all non-transactional
read operations o to x, we place o before T in s if the load instruc-
tion corresponding to o precedes the cas instruction to x by T in
r, and after T otherwise. Note that as the memory model freely al-
lows reordering read operations to different variables, we can move
reads of different variables freely with respect to each other.
Theorem 5. There exists a TM implementation I with constant-
time instrumentation of writes and no instrumentation of reads,
such that I guarantees opacity parametrized by any memory model
M /∈Mrr ∪Mwr .
PROOF. We build a TM implementation I which uses a global
lock to execute transactions (as in Theorem 3 and 4). Moreover,
I uses a version number per process. When a process p issues
a non-transactional write operation, p increments its version num-
ber, and writes the value, the process id, and the version number
using a store instruction. I does not use instrumentation for non-
transactional read operations. Now, we prove that I guarantees
opacity parametrized by M , where M /∈Mrr ∪Mwr .
Consider an arbitrary trace r ∈ L(I). Consider a history h cor-
responding to the trace r obtained by choosing the logical points
as in Theorem 3. We know that for every two transactions T, T ′
in h, we have T ≺h T ′ or T ′ ≺h T . Consider an arbitrary trans-
action T in h and a variable x. Let k1 . . . km be the identifiers of
the non-transactional operations to x that occur between the first
and last operation of T in h. Note that as I uses cas instruction for
variables which are written in a transaction, no non-transactional
write to x stores to ax between a load and a successful update of
ax in T . We thus can obtain a sequential history from h by repeat-
ing the following for all variables x and for all transactions in h:
for a non-transactional write operation ki to x such that operation
ki occurs between the start and end of transaction T , if the corre-
sponding store to ax occurs after a load of ax in T , then we place
operation ki after T in s. Otherwise we place ki before T in s. If
the load corresponding to a non-transactional read occurs after the
update of ax in T , then we place the operation after T , otherwise
before T .
If a process issues non-transactional reads of x and y, such that
their corresponding loads occur between the updates by a trans-
action, we need to reorder the non-transactional reads for legality.
Thus, we want M /∈Mrr . Similarly, note that if a process issues a
non-transactional write of x followed by a read of y, such that the
corresponding store to ax and load of ay occur between the updates
to ax and ay , we need to reorder the non-transactional accesses for
legality. Thus, we want M /∈ Mwr . But interestingly, we built I
in such a way that it first adds all variables to be updated in the
writeset. Only then, I starts updating the variables using cas in-
struction. Hence, if a process issues a non-transactional read which
loads a value updated by T , we know that every following non-
transactional write can also occur after T . Thus, we do not require
that M /∈Mrw . Similarly, if a process issues two non-transactional
writes, then we know that either both the writes occur before T
or after T . This implies that I guarantees parametrized opacity
even for memory models which restrict the order of a read/write
followed by a write to a different variable, but allow reordering
read/write followed by a read to a different variable.
6. CONCLUDING REMARKS
Discussion. Given that a programmer expects behavior of non-
transactional operations within the scope of behaviors under the
given memory model, one can build a more efficient implemen-
tation which guarantees opacity with respect to the programmer’s
memory model. Relaxed memory models like Alpha [27] and
Java [18] are neither in Mrr , nor in Mwr . So, our construction
provides an inexpensive way to guarantee opacity parametrized
by memory models like Alpha. Moreover, memory models like
RMO [30] relax the order of reads as long as they are not data de-
pendent. This implies that if we use special synchronization for
data-dependent reads, we can use the construction of Theorem 5
for a vast class of memory models.
We now discuss the construction we used in Theorems 3 and 5.
We use global locks for transactions in the construction for the sake
of simplicity. But the central idea of the construction, given below,
can be extended to practical lazy-versioning TM implementations
which rely on some form of two-phased locking. The idea is that
for many memory models, it is not necessary for a transaction to
successfully update all variables it writes, if there is a concurrent
non-transactional write. For example, in Theorem 5, if a transac-
tion observes that a non-transactional operation has written a new
value, then the transaction’s cas operation fails, but the transaction
can still commit. This sounds counterintuitive to the general be-
lief that transactions must be atomic, and thus, appear to perform
their updates completely. We suggest that the non-transactional op-
erations, although isolated from transactions from a programmer’s
point of view, can be used to mask updates of transactions.
Using our theoretical framework, we also observe that no matter
what the given memory model M is, if a TM implementation al-
lows a transaction to update the value of an address ax more than
once, then the TM implementation needs to instrument read oper-
ations in order of guarantee opacity parametrized by M . This is
because a load of ax (corresponding to a non-transactional opera-
tion), if sandwiched between the two updates of ax, can observe
the intermediate state of a transaction. This is also known as dirty
reads in the literature.
Related work. Various formalisms for memory models have been
proposed in the literature [3, 4, 5, 12, 23, 24]. Most of these for-
malisms are tailored to capture the intricacies of specific memory
models. Our reason for building a formalism for memory models
was to obtain a general framework, with the focus on classifica-
tion of memory models on the basis of reordering of instructions
they allow. The interaction of transactions with non-transactional
operations has been widely studied. The study was pioneered by
Grossman et al. [9], where the authors raised several issues that
need to be tackled in order to create TM implementations that han-
dle non-transactional operations properly. The authors express the
correctness property using sample executions, and thus it lacks a
formal specification. Work by Scott et al. [28] focuses on pro-
viding a set of rules that should hold irrespective of the memory
model. Menon et al. [20] define correctness by mapping trans-
actions to critical sections, thus providing an intuitive definition
of single global lock atomicity. Type systems and operational se-
mantics for transactional programs with non-transactional accesses
have been proposed by Abadi et al. [1] and Grossman et al. [21].
Conclusion. We formalized the correctness property of opacity
parametrized by a memory model. Intuitively, parametrized opac-
ity requires two things. Firstly, transactions are isolated from
other transactions and non-transactional operations. Secondly, the
behavior of non-transactional operations is governed by the un-
derlying memory model. We used our formalism to prove sev-
eral results on achieving parametrized opacity with instrumented
or uninstrumented TM implementations under different memory
models. In particular, we show that for most memory models,
parametrized opacity cannot be achieved without instrumenting
non-transactional operations. On the positive side, we show that
with constant-time instrumentation for writes, and no instrumenta-
tion for reads, it is indeed possible to achieve opacity parametrized
by a significant class of memory models. The practical relevance
of our work lies in the fact that while creating TM implementa-
tions, one may use the relaxations provided by the memory model
to create more efficient TM implementations.
7. REFERENCES
[1] Martín Abadi, Andrew Birrell, Tim Harris, and Michael
Isard. Semantics of transactional memory and automatic
mutual exclusion. In POPL, pages 63–74, 2008.
[2] Sarita V. Adve and Kourosh Gharachorloo. Shared memory
consistency models: A tutorial. IEEE Computer,
29(12):66–76, 1996.
[3] Arvind and Jan-Willem Maessen. Memory Model =
Instruction Reordering + Store Atomicity. In ISCA, pages
29–40, 2006.
[4] Gérard Boudol and Gustavo Petri. Relaxed memory models:
An operational approach. In POPL, pages 392–403, 2009.
[5] Sebastian Burckhardt, Madanlal Musuvathi, and Vasu Singh.
Verifying local transformations on relaxed memory models.
In CC, pages 104–123, 2010.
[6] Intel Corporation. Intel 64 and IA-32 Architectures Software
Developer’s Manual Volume 3A. 2008.
[7] Luke Dalessandro and Michael Scott. Strong isolation is a
weak idea. In TRANSACT, 2009.
[8] D. Dice, O. Shalev, and N. Shavit. Transactional locking II.
In DISC, pages 194–208. Springer, 2006.
[9] Dan Grossman, Jeremy Manson, and William Pugh. What do
high-level memory models mean for transactions? In MSPC,
pages 62–69, 2006.
[10] Rachid Guerraoui, Thomas A. Henzinger, Barbara
Jobstmann, and Vasu Singh. Model checking transactional
memories. In PLDI, pages 372–382. ACM, 2008.
[11] Rachid Guerraoui, Thomas A. Henzinger, and Vasu Singh.
Nondeterminism and completeness in transactional
memories. In CONCUR, pages 21–35. Springer, 2008.
[12] Rachid Guerraoui, Thomas A. Henzinger, and Vasu Singh.
Software transactional memory on relaxed memory models.
In CAV, pages 321–336, 2009.
[13] Rachid Guerraoui and Michał Kapałka. On the correctness of
transactional memory. In PPoPP, 2008.
[14] M. Herlihy, V. Luchangco, M. Moir, and W. N. Scherer.
Software transactional memory for dynamic-sized data
structures. In PODC, pages 92–101, 2003.
[15] M. Herlihy and J. E. B. Moss. Transactional memory:
Architectural support for lock-free data structures. In ISCA,
pages 289–300. ACM Press, 1993.
[16] Maurice Herlihy and Jeannette M. Wing. Linearizability: A
correctness condition for concurrent objects. ACM
Transactions on Programming Languages and Systems,
12(3):463–492, 1990.
[17] J. R. Larus and R. Rajwar. Transactional Memory. Synthesis
Lectures on Computer Architecture. Morgan & Claypool,
2007.
[18] Jeremy Manson, William Pugh, and Sarita V. Adve. The Java
memory model. In POPL, pages 378–391. ACM, 2005.
[19] Milo M. K. Martin, Colin Blundell, and E. Lewis. Subtleties
of transactional memory atomicity semantics. Computer
Architecture Letters, 5(2), 2006.
[20] Vijay Menon, Steven Balensiefer, Tatiana Shpeisman,
Ali-Reza Adl-Tabatabai, Richard L. Hudson, Bratin Saha,
and Adam Welc. Practical weak-atomicity semantics for Java
STM. In SPAA, pages 314–325, 2008.
[21] Katherine F. Moore and Dan Grossman. High-level
small-step operational semantics for transactions. In POPL,
pages 51–62. ACM, 2008.
[22] C. H. Papadimitriou. The serializability of concurrent
database updates. Journal of the ACM, pages 631–653, 1979.
[23] Vijay A. Saraswat, Radha Jagadeesan, Maged Michael, and
Christoph von Praun. A theory of memory models. In
PPoPP, pages 161–172, New York, NY, USA, 2007. ACM.
[24] Susmit Sarkar, Peter Sewell, Francesco Zappa Nardelli, Scott
Owens, Tom Ridge, Thomas Braibant, Magnus O. Myreen,
and Jade Alglave. The semantics of x86-CC multiprocessor
machine code. In POPL, pages 379–391, 2009.
[25] N. Shavit and D. Touitou. Software transactional memory. In
PODC, pages 204–213, 1995.
[26] Tatiana Shpeisman, Vijay Menon, Ali-Reza Adl-Tabatabai,
Steven Balensiefer, Dan Grossman, Richard L. Hudson,
Katherine F. Moore, and Bratin Saha. Enforcing isolation
and ordering in STM. In PLDI, pages 78–88. ACM, 2007.
[27] Richard L. Sites, editor. Alpha Architecture Reference
Manual. Digital Press, 2002.
[28] Michael F. Spear, Luke Dalessandro, Virendra J. Marathe,
and Michael L. Scott. Ordering-based semantics for software
transactional memory. In OPODIS, pages 275–294, 2008.
[29] Michael F. Spear, Virendra J. Marathe, Luke Dalessandro,
and Michael L. Scott. Privatization techniques for software
transactional memory. In PODC, pages 338–339, 2007.
[30] D. Weaver and T. Germond, editors. The SPARC Architecture
Manual (version 9). Prentice-Hall, Inc., 1994.
