Abstract. This paper presents SOAR: the first oblivious atomicity assertion with polynomial complexity. SOAR enables to check atomicity of a single-writer multi-reader register implementation. The basic idea underlying the low overhead induced by SOAR lies in greedily checking, in a backward manner, specific points of an execution where register operations could be linearized, rather than exploring all possible precedence relations among these. We illustrate the use of SOAR by implementing it in +CAL. The performance of the resulting automatic verification outperforms comparable approaches by more than an order of magnitude already in executions with only 6 read/write operations. This difference increases to 3-4 orders of magnitude in the "negative" scenario, i.e., when checking some nonatomic execution, with only 5 operations. For example, checking atomicity of every possible execution of a single-writer single-reader (SWSR) register with at most 2 write and 3 read operations with the state of the art oblivious assertion takes more than 58 hours to complete, whereas SOAR takes just 9 seconds.
Introduction
With multi-core architectures becoming mainstream, concurrent programming is expected to become the norm, even among average developers who might not always have the right skills and experience. Concurrent programming is however notoriously difficult. In particular, it is hard to control the interference between concurrent threads without compromising correctness on the one hand, or restricting parallelism on the other hand.
Among consistency criteria for concurrent programming, atomicity (also known as linearizability [14] ) is one of the most popular. This is because atomicity reduces the difficult problem of reasoning about a concurrent program into the simpler problem of reasoning about its sequential counterpart. Roughly speaking, atomicity guarantees that concurrently-executing requests on shared objects appear sequential: namely, each request appears to be executed at some point (known as the linearization point [14] ) between its invocation and response time (real-time ordering). An example of an atomic execution of a read/write register is depicted in Figure 1 , along with its linearization points (assuming the register is initialized to 0). In contrast, the execution in Figure 2 is not atomic. This is because we cannot place linearization points such that the sequential specification of a register is satisfied, i.e., every read returns the last value written. Precisely because it simplifies the job of the programmers by encapsulating the difficulty underlying synchronizing shared atomic objects, atomicity is hard to implement. As pointed out in [7] , an evidence of this difficulty is that several published implementations of atomic shared memory objects have later shown to be incorrect. Not surprisingly, tools for checking atomicity are of crucial importance, in particular automatic ones that are suitable for machine verification [11] .
So far, tools for checking atomicity have mainly been designed for specific programming languages (e.g., Concurrent Java [10] ). Some exceptions have been proposed in the form of language-oblivious execution assertions, which enable to check the atomicity of implementation histories. Some of these (e.g., [15, 16] ) are still non-algorithm-oblivious in the sense that a fair amount of knowledge about the checked algorithm is needed in order to check correctness.
Genuinely oblivious assertions were proposed in [24] (Lemma 13.16) and [18] . These assertions do not require any knowledge, neither about the language nor about the checked algorithm. One specific such assertion is of particular interest: the one of Chockler et al. (Property 1 of [7] ) for it was especially devised for automatic verification. This assertion, which we refer to as CLMT, can be written as a simple logical predicate and is very appealing for automatic verification especially when paired with a model checker such as the TLC for the +CAL algorithm language [22, 23] .
Unfortunately, the CLMT assertion does not scale well as we discuss below. Consider the (non-atomic) execution on a single-writer multi-reader (SWMR) read/write register depicted in Figure 2 . When implemented in +CAL, the CLMT assertion takes more than one minute on our 4 dual-core Opteron machine to verify that this execution is not-atomic. This is even without taking into the account the operations invoked by reader2. When considering a single operation of reader2, the verification takes hours.
On the other hand, it is very simple for a human to verify manually that the execution of Figure 2 is not-atomic. For the execution to be atomic, the linearization point of the write operation w1 must come before that of read r11, since r11 does not return the initial value 0. Similarly, w2 must be linearized before r12. This leaves r13 which violates the sequential specification of the read/write register, meaning that the execution is not atomic.
What makes CLMT slow is the very fact that it reasons about atomicity by identifying the adequate properties of a precedence relation among read/write operations. Namely, CLMT checks atomicity by establishing the existence of a precedence relation among operations that: a) is a non-reflexive partial order, and b) satisfies certain (five different) properties. Without diving into the details of these properties, it is easy to see that this verification scheme cannot scale for it does imposes an exponential computational complexity on a model checker. Namely, with 2 |op| 2 different possible relations over the set of |op| different operations, there is simply too many relations to check, even for modest values of |op|, regardless of the nature of the properties that are to be checked. This is especially true when the "good" precedence relation does not exist, i.e., when the execution is not atomic. The motivation of this paper is to ask whether it is possible to devise an oblivious, yet scalable atomicity assertion.
We present SOAR (Scalable and Oblivious Atomicity asseRtion), the first oblivious atomicity assertion with polynomial complexity. SOAR is devised for single-writer multi-reader concurrent objects, of which the single-writer multireader register is a very popular representative [6, 24] . Indeed, many applications of the register abstraction make use mainly of its single-writer variant. Such applications include for example consensus [2, 5, 12] as well as snapshot implementations [3] .
Like CLMT, SOAR gives a sufficient condition for atomicity (in fact, in Section 3.3 we prove SOAR equivalent to CLMT in our single-writer setting).
Interestingly, we could also use SOAR in +CAL to verify that some seemingly natural simplifications of the celebrated Tromp's algorithm [26] (implementing an atomic bit out of three safe bits) lead to incorrect solutions. By doing this, we show that our SOAR implementation in +CAL can be used successfully in identifying non-atomic executions and algorithm debugging.
SOAR has a low-degree polynomial complexity (O(|op| 3 ) in the worst case). It outperforms CLMT [7] by more than an order of magnitude already in verifying atomicity of executions with only 6 read/write operations.
1 This difference increases to 3-4 orders of magnitude in the "negative" scenario, i.e., when checking some non-atomic execution. For example, checking atomicity of every possible execution of a single-writer single-reader (SWSR) register with at most 2 write and 3 read operations with CLMT takes more than 58 hours to complete, whereas SOAR takes just 9 seconds.
Underlying SOAR lies the idea of greedy linearization. Basically, SOAR looks for linearization points in an execution ex rather than checks for precedence relations. SOAR performs its search in a backward manner starting from the end of the execution, linearizing the last write operation in ex (say w) and then trying to linearize as many read operations as possible after w. Then, the linearized operations are removed from ex and the linearization reiterates. It is important to emphasize that the greedy linearization is without loss of generality. We prove this by establishing the equivalence between SOAR and CLMT (for the single-writer case). As we pointed out however, SOAR is designed specifically for verifying atomicity of single writer objects, whereas CLMT is a general assertion suitable also for multi-writer applications.
While SOAR is specified with an atomic read/write data structure in mind, we believe that it is not difficult to extend it to cover other atomic objects in which only one process can change the state of the object (single-writer). Extending SOAR and the underlying greedy linearization idea to optimize model checking of multi-writer objects is very interesting open problem. This is left as future work.
The rest of the paper is organized as follows. After giving some preliminary definitions in Section 2, we describe our assertion in details and prove its correctness in Section 3. In Section 4 we illustrate how SOAR can be used for model checking Tromp's algorithm and its variations in +CAL/TLC. We also report on some performance measurements. We overview related work in Section 5.
Preliminaries

Processes and objects
We model processes and shared objects using the non-deterministic I/O Automata model [25] . We simply give here the elements that are needed to recall atomicity, state our assertion and prove its correctness. In short, an I/O automaton is a state machine whose state can change by discrete atomic transitions called actions. We consider two sets of processes: a singleton writer and a set of processes called readers (we refer to a process belonging to the union of these sets as client).
A read/write register is a shared object consisting of the following: 
To access the register, a client issues an operation descriptor that consists of the identifier of the operation id ∈ {'write , 'read } and the identifier of the client; in case of a write, a value v is added to the descriptor. To simplify the presentation, we sometimes refer to an operation descriptor op simply as an operation op. A single-writer multi-reader (SWMR) register is a read/write object in which only the process writer may issue write operations. We denote by wrs (resp., rds) the set of write (resp., read) operations.
Clients use the actions of the form invoke(op) and response(op, v), where op ∈ wrs ∪ rds and v ∈ D ∪ {ack}, to invoke operations and to receive responses. A sequence β of invoke and response actions is called an execution. An invoked operation op is said to be complete (in some execution β) if β contains response(op, v), for some v ∈ D ∪ {ack} (we say response(op, v) matches invoke(op)). An operation op is said to be pending in β if β contains the invoke(op) action but not its matching response.
The execution ex is sequential if (a) the first action is an invocation, (b) each invocation, except possibly the last, is immediately followed by its matching response, and (c) every response is immediately followed by an invocation.
We say that an execution β is well-formed if (1) for every response(op, v) action in β there is a unique invoke(op) action in β that precedes response(op, v), (2) for every client c there is at most one pending operation issued by c in β.
Moreover, we assume that each well-formed execution β contains the invocation and the response action of the special operation w 0 = write(v 0 ) called the initial write, such that the response action for w 0 precedes invocations of any other operation. All executions considered in this paper are assumed to be well-formed. A well-formed, sequential execution β is called legal, if β is in the sequential specification of the register.
Finally, we say that a complete operation op precedes an operation op (or, alternatively, that op follows op) in a well formed execution β if the response action of op precedes the invocation action of op in β (we denote this by op < β op ). Let op and op be two invoked operations in β; if neither op < β op ), nor op < β op), we say that op and op are concurrent (in β).
Atomicity
We define atomicity (or linearizability) in the following way [6] : a (well-formed) execution β is atomic if there is a permutation π(β) of all operations in ex such that: (1) π(ex) is legal, and (2) if op < β op then op < π(β) op .
In this paper we rely on the Partial Order (PO) property [7] for proving atomicity. As shown in Lemma 2 of [7] , PO is sufficient for atomicity, i.e., if β satisfies PO then β is atomic. Moreover, we use the PO property to establish the correctness of our atomicity assertion in Section 3.3.
Definition 1. (PO Property).
Let op be the set of all operations invoked in the execution β that contains no pending operations and wrs (resp., rds) subset of all writes (resp., reads) in op. An execution β satisfies a Partial Order (PO) property if there is an irreflexive partial ordering ≺ on all elements of op, such that, in β:
5. Let π ∈ rds and let v be the value returned by π. Then, v is written by some write w ∈ LastP recW rites(π, ≺).
The PO property can be simply written as a logical predicate (assertion), to which we refer as CLMT.
A Scalable and Oblivious Atomicity asseRtion (SOAR)
Intuition: Greedy linearization
Our SOAR assertion is motivated by the observation that it is easy to linearize (in the single-writer case) the fragments of the execution between every two writes. Consider for example the fragment of the execution of Figure 2 in between initial time t 0 and time t 1 , the time of completion of write w1, that contains only those read operations that are invoked before t 1 (i.e., r 11 , r 12 and r 21 ). It is clear that only read operations that return the value written by w 0 (say v 0 ) can be linearized between w 0 and w 1 . Moreover, such reads cannot be preceded by reads that return values other than v 0 . In other words, in the execution of Figure 2 , only r 21 can be linearized between w 0 and w 1 while the other reads must be linearized after w 1 . We can repeat this partitioning of the execution between two writes and apply the above reasoning iteratively, until we exhaust all write operations. When a single write operation w W is left, the remaining (still nonlinearized) read operations must return the value written by w W in order for the execution to be atomic. In the example of Figure 2 the operations would be linearized in the following order: w 0 , r 21 , w 1 , r 11 , w 2 , r 12 , leaving r 13 which actually violates the sequential specification of the atomic read/write register. The greedy linearization idea described above is based on checking the fragments of the execution that are between every two writes, starting from the beginning of the execution. While this is the natural way for a human to linearize executions, this approach leads to reasoning about execution suffixes (that remain after removing linearized operations). In our case, we found it more convenient to reason formally about execution prefixes; hence, we choose to apply greedy linearization starting from the end of the execution, using the similar idea. Consider, again the execution of Figure 2 . It is trivial to see that the last write to be linearized is w 2 . Now we can try to linearize as many reads as possible after w 2 ; however, this cannot be done with any of the reads. We can remove all linearized operations from the execution (i.e., in our case, only w 2 ) and apply the same reasoning to the remaining execution prefix. However, before reiterating, we must make sure that removing linearized operations indeed leaves us with the execution prefix; more concretely, we must check that none of the reads that will remain in the execution was invoked after the completion of the linearized write. In the case of w 2 , this condition is satisfied (no operations are invoked after w 2 completes). In the next iteration, we would linearize w 1 and r 13 . Finally, in the last iteration we could see that the atomicity is violated since not all of the remaining read operations return the value written by the initial write (r 11 returns 1).
Description
We formalize our greedy linearization approach to obtain a generic assertion for atomicity in the following way. We denote:
-by W the total number of writes (not counting the initial write) in some execution ex that contains no incomplete operations, -by w i the i th write in ex, -by rds W the set of all read operations in ex, and -by ex rdsi i (i = 0 . . . W ) the prefix of the execution ex that contains only write operations from w 0 to w i , and only read operations from set rds i .
Notice that ex
We assert the atomicity of every partial execution ex (a) remove from rds i every read r that satisfies the following properties (we denote the set of such reads linRds(i):
i. r returns the value written by the write w i , ii. r does not precede w
i).
Given the recursive nature of SOAR, the assertion can be written more compactly (and more precisely) as a logical predicate (Figure 3) . We write it as follows, using the TLA+ [21] . In Figure 3 , SOAR() takes five arguments: (i) the sets wrs and rds containing the identifiers of all write and read operations in the execution ex, respectively, (ii) the functions (arrays) Inv, Resp : wrs ∪ rds → N at (where N at is the set of natural numbers), containing the global logical time [17] of invocations and responses of operations, respectively, and (iii) the function (array) Ret : wrs ∪ rds → D (where D is the domain of values that an implemented read/write register can assume), which maps the operations to values which are written/read. Moreover, SOAR makes use of the function lastW R(wrs) which returns the write in wrs that follows all other writes in ex. It is not difficult to see that the very approach that underlies SOAR yields a low degree polynomial complexity (O(|op| 3 ) in the worst case, where op is the number of operations in the execution), which is to be contrasted with the exponential one of the CLMT assertion.
Correctness
To establish the correctness of SOAR we rely on the CLMT assertion, defined by the PO property, Def. 1, Section 2.2. We prove the correctness of SOAR by showing its equivalence with CLMT (in our single writer multi-reader model). First, in Lemma 1, we show that each sequence of read/write operation β (that does not contain incomplete operations) for which SOAR returns true, also satisfies the PO property. Then, in Lemma 2, we show that whenever β satisfies PO, SOAR returns true. Lemma 1. If the assertion SOAR of Figure 3 applied on the sequence of read/write operations β returns T RU E, then β satisfies the PO property.
Proof. Assume the assertion SOAR() on β returns T RU E, and denote by wrs (resp., rds) the set of all write (resp., read) operations in β. Denote also |wrs|−1 by W (i.e., W is the number of non-initial writes in β). Consider the write operations w i and subsets of read operations R i defined as follows:
-for i = 0 . . . W , w i = lastW R(wrs i ), where wrs W =wrs and wrs i−1 = wrs i \ lastW R(wrs i ) (i = 1..W ), and -for i = 1 . . . W , R i = linRds(wrs i , rds i ) 4 , where rds W = rds, rds i−1 = rds i \ R i and R 0 = rds 0 .
In other words, each w i is one of the W write operations in wrs, whereas each R i is (a possibly empty) subset of rds. By construction of R i and rds i and Figure 3 , it is not difficult to see that sets R i are pairwise non-intersecting and that i R i = rds.
Moreover, consider the following precedence relation ≺:
where we implicitly think of ≺ as of transitive relation.
Notice that two elements (read operations) belonging to the same R i are not ordered by the relation ≺. Obviously, ≺ is an irreflexive partial order and, moreover, if π ≺ φ then ¬(φ ≺ π) (for any two operations π and φ). We now prove that the relation ≺, as defined by (*), satisfies each of the 5 properties of Definition 1.
To prove Property 1, we distinguish 4 cases:
(a) π, φ ∈ wrs. Property 1 is satisfied by the implementation of the function lastW R(), (b) π ∈ wrs, φ ∈ rds. Fix i, such that π = w i . If i > 0, suppose by contradiction that φ ∈ R j such that j < i. Then, φ ∈ rds j , i.e., φ ∈ rds i \ linRds(wrs i , rds i ). Since π completes before φ is invoked, by condition in line a2 of Figure 3 , SOAR returns FALSE -a contradiction. On the other hand, if π = w 0 , then ¬φ ≺ π by (*). (c) π ∈ rds, φ ∈ wrs. Fix i > 0 such that φ = w i . Suppose by contradiction that π ∈ R j = linRds(wrs j , rds j ), such that j > i. Since π precedes w i which precedes w j , π precedes w j (i.e., π completes before w j is invoked). Hence, by line l2 of Figure 3 , π / ∈ R j -a contradiction.
(d) π, φ ∈ rds. Fix i, j such that π ∈ R i and φ ∈ R j . Suppose by contradiction that j < i. In this case, π, φ ∈ rds i . If π and φ return the same value, then, since π ∈ R i , by lines l1 − l3 of Figure 3 , φ ∈ R i , and j = i -a contradiction. In case π and φ do not return the same value, then, by line l3 of Figure 3 , π / ∈ R i -a contradiction. 2. Property 2 trivially follows from the definition of ≺ (see (*)). Proof. We prove this lemma by induction on the number of write operations in β. In the following, we denote by W β the number of (non-initial) write operations in β, and by wrs (resp., rds) the set of write (resp., read) operations in β.
Base step: (W β = 0) In this case, the only write in β is the initial write w 0 . By definition of w 0 , in every execution, w 0 completes before any other operation is invoked. Since β satisfies PO, by Property 3 of PO, w 0 precedes all reads in β. Moreover, since w 0 is the only write in β, for any read π in β, LastP recW rites(π, ≺) = {w 0 }. Hence, all reads in β return v 0 . By definition of lastW R(), we have lastW R(wrs) = {w 0 }. Hence, by line a1 of Figure 3 , SOAR() returns T RU E.
Induction hypothesis: Suppose Lemma 2 holds for all W β < k, for some natural number k.
Induction step:. We show that Lemma 2 holds for W β = k. Since β satisfies PO, there is a irreflexive partial order relation ≺, and non empty sets of read/write operations OP 1 . . . OP m (where m ≤ k + 1 + |rds|, such that i=1...m OP i = wrs ∪ rds and, for all i, j, ∀op i ∈ OP i , op j ∈ OP j : op i ≺ op j ≡ i < j. Moreover, by Property 2 of PO, there is no OP i that contains two different write operations.
Denote by OP lwr the set OP i that contains a write operation, such that all sets OP j (if any), where i < j, contain only read operations. We denote the union of all such sets OP j by OP and the write contained in OP lwr by w k . Note that, for all op in OP w k ≺ op .
Consider SOAR applied to β. Since in case k > 0 wrs = {lastW R(wrs)}, in order to prove that SOAR returns T RU E, we prove that the conditions in lines a2 and a3, Figure 3 hold.
To prove that the condition in line a2 holds, we first prove that ∀op ∈ OP : op ∈ linRds(wrs, rds) (where arguments 3-5 of linRds() are implicit).
-First, notice that, for all op in OP , LastP recW rites(op , ≺) = {w k }. Hence, by Property 5 of PO, every op returns the value written by w k , i.e., the condition in line l1 of the predicate linRds(wrs, rds) is satisfied by each op ∈ OP . -Furthermore, by Property 1 of PO, since w k ≺ op for each op ∈ OP , it is not possible that some op completes before w k is invoked. Hence, the condition in line l2 of the predicate linRds(wrs, rds) is satisfied by each op ∈ OP . -Finally, by Property 4 of PO and since for each op ∈ OP LastP recW rites(op , ≺ ) = {w k }, if op completes before some read op is invoked then w k ≺ op -i.e., op ∈ OP . Moreover, by Property 5 of PO, all (read) operations in OP return the value written by w k . Hence, the condition in line l3 of the predicate linRds(wrs, rds) is satisfied by each op ∈ OP .
Since all operations in OP are in linRds(wrs, rds), it is not difficult to see that the condition in line a2 of Figure 3 holds. Indeed, if this condition is false then there is a read rd that follows w k such that ¬(w k ≺ rd), a violation of Property 3 of PO.
To prove that the condition in line a3 of Figure 3 holds, we first show that the execution β obtained after removing read operations from linRds(wrs, rds) and w k satisfies PO, with the same relation ≺. Properties 1-3 of PO for β follow directly from the corresponding Properties for β. To prove Properties 4 and 5, notice that for all operations op from β , w k / ∈ LastP recW rites(op, ≺) (otherwise w k ≺ op and op in OP and linRds(wrs, rds), i.e., op is not in β ). Notice also that β has the same write operations as β, except for w k . Hence, Properties 4 and 5 of PO hold in β as well. Finally, β satisfies PO and W β = k − 1 -hence, by the Induction hypothesis, the condition in line a3 evaluates to T RU E.
Application to Tromp's algorithm
We applied SOAR and CLMT to the celebrated algorithm of Tromp [26] which we implemented in the +CAL algorithm language. We compared SOAR and CLMT performance, and evaluated SOAR's applicability to detection of nonatomic executions and, hence, to debugging.
Our +CAL implementation of Tromp's algorithm with SOAR is given in Figure 4 5 (the code used for testing is given in Figure 5 ). It consists of two parts: (1) the SOAR part (comprised of lines 006-011, 037-043, 058-060, 064-068 and 102-106), and (2) the +CAL implementation of the Tromp's algorithm (comprised of the remaining lines of Figure 4 ). We explain both parts of the code, starting with Part 2 (Tromp's algorithm). In the following we refer to Figure 4 . 001: -------------------MODULE TrompSOAR2 ---------------- In short, Tromp's algorithm gives an implementation of a single-writer singlereader (SWSR) atomic bit, using 3 safe 6 [18] (SWSR) bits: V, W and R, all initialized to 0. Bits V and W are owned (written) by the writer, whereas R is owned by the reader of the atomic bit. To simulate safe registers in +CAL, we use the variables busy and value (lines 012-014), as well as macros in lines 020-034. The main code of the Tromp's algorithm is given in lines 044-057 (the write code) and 069-101 (the read code). Comments in these portions of code (e.g., in lines 046, 050, or 070, 076, etc.) give the lines of the pseudocode as stated in the original paper [26] . Below each such comment, there is a +CAL translation of the corresponding pseudocode.
The SOAR part of the code in Figure 4 consists of operations on certain history variables necessary for the implementation of SOAR (as well as CLMT). History variables [1] and (ii) writeCount and readCount the counters for write and read operation identifiers, respectively, which take values from non-overlapping domains. All these variables/arrays are accessed only at the beginning (invocation) and the end (completion) of read/write operations. We believe that the operations on history variables are very intuitive and simple to follow. We clarify, however, two lines: (a) in line 041, the response time of the newly invoked write is set to IN F , where IN F (infinity) represents a constant that such that the globalClock cannot get greater than IN F , and (b) in line 103, the returned value of the read is taken from the returnV alue variable in which the main read code of Tromp's algorithm (lines 069-101) stores the read value.
Finally, constants M AXW RIT E (resp., M AXREAD) denote the maximum number of write (resp., read) operations invoked in the checked execution.
Asserting non-atomic executions
We used our implementation of Figure 4 to verify that certain, seemingly plausible, "optimizations" of Tromp's algorithm lead to the incorrect solution. Fig. 4) . However, removing this condition (i.e., lines 080-082 and 085 of Fig. 4 ) leads to a violation of atomicity, which can be detected by SOAR. Using the error output of the TLC model checker, we were able to extract the execution that leads to the atomicity violation (see Figure 6) . Interestingly, such "simplified" Tromp's algorithm remains regular [18] , but it is not atomic. In a similar way, we were also able to show that the instruction in line 6 of the original pseudocode (line 095, Fig. 4 ) is also necessary. This demonstrates the usability of SOAR in debugging and asserting non-atomicity in practice.
Performance
All our performance results are obtained running TLC model checker (using 4 processors) on a 4 dual-core Opteron 8216 with 8 GB of RAM. TLC model checker is ran on an implementation of the Tromp's algorithm in +CAL, varying the number of invoked read/write operations.
Model checking was done to verify the atomicity of the Tromp's algorithm using both the CLMT and SOAR. Obtained graphs are given in Figure 7 . Results are given for a specific variation of the CLMT, optimized for a single writer scenario. Notably the optimization modifies the condition 2 of Definition 1, Section 2.2 to impose that for any precedence relation ≺ and every i ∈ 1 . . . W − 1 w i ≺ w i+1 (where W is the total number of writes, represented by the variable writeCount in our +CAL implementation, Figure 4) . Moreover, the initial write w 0 was always pre-linearized before running the CLMT assertion, which significantly improves its performance. From Figure 7 it can be seen that already in model checks of Tromp's algorithm with as few as 6 read/write operations (e.g., with 3 reads and 3 writes) a model check with SOAR takes more than an order of magnitude less time than with CLMT. The difference is even more glaring if a non-atomic execution is checked. For example, it takes only 15 milliseconds for SOAR to state that an execution of 2 (without the read r 21 ) is not atomic, whereas CLMT takes more than 70 seconds. This represents a difference of 3-4 orders of magnitude already for an execution with only 5 operations, and, by its design, the complexity of CLMT grows exponentially with the number of operations in the execution.
In practice, when checking executions with a fairly small number of operations, SOAR is as fast as any assertion maintaining the global clock can be. By maintaining the global clock, we mean maintaining the execution history in the form of: 1) set of all operations invoked in the execution, 2) arrays of operations' invocation and response times, and 3) the array of values written/read by operations. Indeed, our results show that, for all the points represented in Figure 7 , SOAR introduces no visible overhead with respect to a dummy assertion that maintains the global clock.
Concluding Remarks
The concept of an atomic object was first introduced by Lamport [19, 20] in the context of read/write registers. This concept was later extended to objects other than registers by Herlihy and Wing [14] , under the notion of linearizability. In this paper, we use notions of atomicity and linearizability interchangeably.
Atomicity assertions were proposed by Hesselink [15, 16] . These assertions are not oblivious since they are based on the history variables that are inserted in specific places of the checked algorithm. A fair amount of knowledge of the checked algorithm is thus required.
As we discussed in the introduction, Chockler et al., [7] proposed a genuinely oblivious atomicity assertion (quoted CLMT) that does not require any knowledge, neither on the language nor on the algorithm. In [7] , CLMT has been used as the basis for the Partial Order machine automaton, that was in turn used in forward simulations to prove the correctness of various atomic object implementations (another simulation based atomicity proof (of a lock-free queue) can be found in the paper by Doherty et al. [8] ). However, as we show in this paper, CLMT imposes exponential complexity on the model checker. This is not surprising given the result of Alur et al. [4] , showing that model checking linearizability is in EXPSPACE. SOAR circumvents this result by focusing on the single-writer implementations.
In [26] , Tromp proposed an atomicity automaton suitable for designing and verifying atomic variable constructions. The automaton nodes represent the state of a run on the atomic variable, whereas transitions represent read and write operations. This automaton addresses only the single-writer single-reader atomic constructions.
Some work was also devoted to checking the atomicity of transactional blocks of code, e.g., [9, 10, 13] .
The simple greedy linearization idea that we employ in this paper is not new. A similar idea was exploited by Wang and Stoller [27] as one of the steps in the context of atomicity inference for programs with non-blocking synchronization.
