











































Towards the Synthesis of Coherence/Replication Protocols from
Consistency Models via Real-Time Orderings
Citation for published version:
Gavrielatos, V, Nagarajan, V & Fatourou, P 2021, Towards the Synthesis of Coherence/Replication
Protocols from Consistency Models via Real-Time Orderings. in Proceedings of the 8th Workshop on
Principles and Practice of Consistency for Distributed Data (PaPoC '21)., 5, Association for Computing
Machinery (ACM), 8th Workshop on Principles and Practice of Consistency for Distributed Data, Virtual,
26/04/21. https://doi.org/10.1145/3447865.3457964
Digital Object Identifier (DOI):
10.1145/3447865.3457964
Link:




Proceedings of the 8th Workshop on Principles and Practice of Consistency for Distributed Data (PaPoC '21)
General rights
Copyright for the publications made accessible via the Edinburgh Research Explorer is retained by the author(s)
and / or other copyright owners and it is a condition of accessing these publications that users recognise and
abide by the legal requirements associated with these rights.
Take down policy
The University of Edinburgh has made every reasonable effort to ensure that Edinburgh Research Explorer
content complies with UK legislation. If you believe that the public display of this file breaches copyright please
contact openaccess@ed.ac.uk providing details, and we will remove access to the work immediately and
investigate your claim.
Download date: 23. Jul. 2021
Towards the Synthesis of Coherence/Replication
Protocols from Consistency Models via Real-Time
Orderings
Vasilis Gavrielatos, Vijay Nagarajan, Panagiota Fatourou∗
The University of Edinburgh, ∗ University of Crete & FORTH-ICS
FirstName.LastName@ed.ac.uk, ∗ faturu@csd.uoc.gr
Abstract
This work focuses on shared memory systems with a read-
write interface (e.g., distributed datastores or multiproces-
sors). At the heart of such systems resides a protocol respon-
sible for enforcing their consistency guarantees. Designing
a protocol that correctly and efficiently enforces consistency
is a very challenging task. Our overarching vision is to au-
tomate this task. In this work we take a step towards this
vision by establishing the theoretical foundation necessary
to automatically infer a protocol from a consistency specifi-
cation. Specifically, we propose a set of mathematical abstrac-
tions, called real-time orderings (rt-orderings), that model
the protocol. We then create a mapping from consistency
guarantees to the minimal rt-orderings that enforce the guar-
antees. Finally, we informally relate the rt-orderings to proto-
col implementation techniques. Consequently, rt-orderings
serve as an intermediate abstraction between consistency
and protocol design, that enables the automatic translation
of consistency guarantees into protocol implementations.
CCS Concepts • Computer systems organization →
Cloud computing; Multicore architectures; • Software
and its engineering→ Consistency.
Keywords Consistency; Coherence; Replication; Synthesis;
1 Introduction
This work focuses on “shared memory” systems that provide
a read/write interface to the programmer. Such systems are
ubiquitous in both computer architecture and distributed sys-
tems. Prominent examples include shared memory multipro-
cessors (SMPs), GPUs, NoSQL Databases [1], coordination
services[9], and software-based DSMs [10].
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear
this notice and the full citation on the first page. Copyrights for components
of this work owned by others than ACMmust be honored. Abstracting with
credit is permitted. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a fee. Request
permissions from permissions@acm.org.
PaPoC’21, April 26, 2021, Online, United Kingdom
© 2021 Association for Computing Machinery.
ACM ISBN 978-1-4503-8338-7/21/04. . . $15.00
https://doi.org/10.1145/3447865.3457964
P1 P2
Write (x=1) Read (y=1)
Write (y=1) Read (x=1)
Initially x =0, y = 0
P1
Write (x=1) Read (x=1)
Read (x=1)
Initially x =0, y = 0
P2 P3 P4
Read (y=0)
Write (y=1) Read (y=1)
a) Producer-consumer b) IRIW
Figure 1: a) The producer-consumer synchronization pattern man-
dates that if P2 reads P1’s write to 𝑦, then it must also read P1’s
write to 𝑥 . b) The independent-reads independent-writes (IRIW)
pattern mandates that if P2 sees P1’s writes but not P3’s and P4
sees P3’s write, then P4 must see P1’s write.
Such systems commonly replicate data – sometimes for
performance (through caching), sometimes for fault toler-
ance and sometimes for both. To enable reasoning in the
presence of replication, a memory consistency model (MCM)
is specified as part of the system’s interface, providing the
rules that dictate what values a read can return. In order
to enforce the MCM, the system deploys a protocol which
ensures that the replicas behave in accordance to the MCM.
This protocol is called coherence protocol in computer archi-
tecture and replication protocol in distributed systems. We
simply refer to it as the protocol.
The MCM specifies the behaviour of the system when
executing parallel programs by enumerating all patterns
through which parallel programs can synchronize. For exam-
ple, anMCM𝐶𝑀𝑎 can guarantee the synchronization pattern
of Figure 1a (commonly known as “producer-consumer”).
Specifically, in Figure 1a, process P1 writes object 𝑥 and then
𝑦, while process P2 reads 𝑦 and then 𝑥 .𝐶𝑀𝑎 guarantees that
if P2’s read to 𝑦 returns the write of P1, then P2’s read to 𝑥
will also return the write of P1 (i.e., 𝑥 = 1).
The MCM is thus a contract between the programmers
and the designers. While programmers must understand the
behaviour of the system, the designers must understand how
to implement that behaviour. Problematically, enforcing the
MCM is very challenging. For instance, consider two well
known MCMs: TSO [18] and Causal Consistency (CC) [19].
TSO enforces both Figure 1a and b while CC enforces Fig-
ure 1a but not b. Given this information, how is the designer
to implement a correct and efficient protocol for eitherMCM?
Crucially, how is the designer to differentiate between the
two models? E.g., how can one exploit that Figure 1b need
not be enforced in the CC protocol?
PaPoC’21, April 26, 2021, Online, United Kingdom Vasilis Gavrielatos, Vijay Nagarajan, Panagiota Fatourou
Our overarching vision is to automate the above task:
given a target MCM we envision a software tool that can
produce an efficient protocol. We argue that to create this
tool we need one additional level of abstraction which can
act as an intermediary between the MCM and the protocol.
That is: (1) we must be able to automatically translate any
MCM to this abstraction; and (2) we must also be able to
map the abstraction itself into protocol design choices. In
this work, we take a step towards actualizing our vision, by
proposing such an abstraction and, most crucially, present-
ing the mapping from MCMs to this abstraction. We also
informally relate the abstraction to protocol design choices.
To create this abstraction, we observe that a shared mem-
ory system, be it a multiprocessor or a geo-replicated Key-
Value Store (KVS), can be abstracted through the model of
Figure 2, which depicts a set of processes executing a paral-
lel program. Each process inserts its memory operations to
a structure we call the reorder buffer (ROB), allocating one
ROB entry per operation. The memory system executes the
operations it finds in the ROB and writes back the response
of each operation in-place in its dedicated entry.
A process models a client of a KVS or a core of a multipro-
cessor. The ROB abstracts the core’s load-store queue or a
software queue that a KVS must maintain to keep track of
incoming requests. The memory system is modelled as a dis-
tributed system comprising a set of nodes, where each node
contains a controller and a memory. The nodes model the
private caches of the multiprocessor or the geo-replicated
memory servers of the KVS. Finally the network of the mem-
ory system can be thought of as the Network-on-Chip or as
the WAN.
We observe that protocols of real systems enforce various
consistency models using two widgets: 1) the ROB that al-
lows for the reordering of operations; and 2) the memory
system which determines how a read or a write executes,
i.e., how it propagates to each of the replicas. We propose
two sets of mathematical rules to abstract protocols, one that
can abstract the reorderings of the ROB and one that can
abstract the propagation rules of the memory system.
Specifically, we model the ROB using four rules named
program-order real-time orderings (prt-orderings). The 𝑝𝑟𝑡𝑤𝑟
prt-ordering mandates that when write 𝑤 precedes read 𝑟
in a program execution, then 𝑟 can begin executing in the
memory system only after 𝑤 has completed. Similarly, we
define 𝑝𝑟𝑡𝑤𝑤, 𝑝𝑟𝑡𝑟𝑟 , 𝑝𝑟𝑡𝑟𝑤 , for the rest of the combinations
between reads and writes. To summarize, we model an ROB
by specifying the subset of the four prt-orderings it enforces.
We model the memory system using four rules named
synchronization real-time orderings (srt-orderings). The 𝑠𝑟𝑡𝑤𝑟
srt-ordering mandates that if write𝑤 to object 𝑥 completes
before read 𝑟 to object 𝑥 in real time, then 𝑟 must observe
𝑤 . Similarly, we define 𝑠𝑟𝑡𝑤𝑤, 𝑠𝑟𝑡𝑟𝑟 , 𝑠𝑟𝑡𝑟𝑤 . To summarize we



































Figure 2: The model of a shared memory system. Processes P1-P4
execute the IRIW pattern of Figure 1b.
We refer to prt-orderings and srt-orderings as real-time
orderings (rt-orderings). The eight rt-orderings comprise our
designer-centric intermediate abstraction of the protocol.
While the rt-orderings have been employed by otherworks
in the past to model consistency models or protocols (§9),
this work is the first to present a mapping from MCMs to
the rt-orderings. That is, given any MCM, we provide the
set of minimal rt-orderings that enforce it. Crucially, this
mapping, along with relating the rt-orderings with protocol
implementation techniques, pave the way for automating
protocol design.
Using this mapping from MCMs to rt-orderings, we now
revisit the questions we posed on Figure 1. Specifically, prt-
orderings 𝑝𝑟𝑡𝑤𝑤 and 𝑝𝑟𝑡𝑟𝑟 and the srt-ordering 𝑠𝑟𝑡𝑤𝑟 suffice
to enforce the producer-consumer pattern (discussed in Sec-
tion 5.4). Informally, 𝑝𝑟𝑡𝑤𝑤 mandates that writes from the
same process must be executed in the order intended by
the program; 𝑝𝑟𝑡𝑟𝑟 mandates the same for reads; 𝑠𝑟𝑡𝑤𝑟 man-
dates that a read must be able to return the value of the
latest completed write (from any process). To also enforce
the IRIW pattern, 𝑠𝑟𝑡𝑟𝑟 is required (discussed in Section 5.5).
Informally, 𝑠𝑟𝑡𝑟𝑟 mandates that if a read returns the value of
write𝑤 , then any later read must also be able to return the
value of write𝑤 .
Contributions. In summary, in this work we make the fol-
lowing contributions:
• We propose and formalize eight rt-orderings for mathe-
matically modelling consistency enforcement protocols,
serving as an intermediate abstraction between the MCM
and the protocol implementation (§3).
• We create a mapping from MCMs to rt-orderings, speci-
fying the minimal set of rt-orderings sufficient to enforce
any MCM (§5) and vice versa, specifying the MCM en-
forced by any set of rt-orderings (§6).
• We informally map rt-orderings to protocol implementa-
tion techniques (§7).
Synthesis of Coherence/Replication Protocols from Consistency Models PaPoC’21, April 26, 2021, Online, United Kingdom
2 Preliminaries
In this section, we first establish the system model, then we
describe the notation we will use throughout the paper and
finally we discuss how executions are modeled.
2.1 System Model
Figure 2 illustrates our system model. Specifically, there is
a set of 𝑃 processes, each of which executes a program and
there is a protocol which enforces the MCM. The protocol is
comprised of a set of reorder buffers (ROBs) and the memory
system. The memory system stores a set 𝑋 of shared objects,
each of a unique name and value. A memory operation (or
simply operation) can be either a read or a write of an object.
A read returns a value and a write overwrites the value of
the object and returns an ack.
ROBs. The ROBs are used to facilitate communication be-
tween the processes and the protocol. There are three events
in the lifetime of an operation within the ROB: issuing, begin
and completion. Specifically, we write that a process “issues
an operation”, when the operation is first inserted in the
ROB. A process pushes operations in the ROB in the order
that they are encountered within its program. We refer to
this order as the program order. Furthermore, we write that
“an operation begins” when the memory system begins exe-
cuting the operation. In this case the memory system marks
the operation’s ROB entry as beginned. Similarly, we write
that “an operation completes” when the memory system has
finished executing the operation. In this case, the memory
system marks the operation’s ROB entry as completed (and
writes back the result if it is a read).
Notably, a process can use the value returned by a read, as
soon as the read is marked completed by the memory system,
irrespective of whether preceding operations are completed.
An operation is removed from the ROB, if all three conditions
hold: 1) it is the oldest operation, 2) it is completed and 3)
the process has consumed its value, if it is a read.
Memory system. We model the memory system as a dis-
tributed system comprised of a set of nodes, where each node
contains a controller and a memory. Furthermore, each node
is connected to one ROB, from which it reads the operations
that must be executed. The controller of each node is respon-
sible for the execution of the operations. The memory of
each node stores every object in 𝑋 .
2.2 Notation
The notation used throughout this paper is the one used by
Alglave et al. [2]. We repeat it here for completeness. The
notation is based on relations. Specifically, we will denote
the transitive closure of 𝑟 with 𝑟 ∗ and the composition of 𝑟1,
𝑟2 with 𝑟1; 𝑟2. We say that 𝑟 is acyclic if its transitive closure
is irreflexive and we denote by writing acyclic(r). Finally, we
say that 𝑟 is a partial order, when 𝑟 is transitive and irreflexive.
We say that a partial order 𝑟 is a total order over a set 𝑆 , if
for every 𝑥,𝑦 in 𝑆 , it is that (𝑥,𝑦) ∈ 𝑟 ∨ (𝑦, 𝑥) ∈ 𝑟 .
We use small letters to refer to memory operations (e.g., 𝑎,
𝑏, 𝑐 etc.). In figures that show executions (e.g., Figure 3),
we denote a write with 𝑊𝑥 = 𝑣𝑎𝑙 where 𝑥 is the object
to be written and 𝑣𝑎𝑙 is the new value. Similarly, reads are
represented as 𝑅𝑥 = 𝑣𝑎𝑙 , where 𝑣𝑎𝑙 is the value returned.
When required relations between operations are denoted
with red arrows in figures.
2.3 Modelling executions
To model executions, we use the framework created by Al-
glave et al. [2], introducing minor changes where necessary.
Specifically, we model an execution as a 𝑡𝑢𝑝𝑙𝑒 (𝑀 , 𝑝𝑜 , 𝑟 𝑓 ,
ℎ𝑏, 𝑅𝐿). M is the set of memory operations included in the
execution, 𝑝𝑜, 𝑟 𝑓 and ℎ𝑏 are relations over the operations
and 𝑅𝐿 is a set of relations 𝑟𝑙 over the operations.
Execution relations (po, rf, hb and rl). The program order
𝑝𝑜 relation is a total order over the operations issued by a
single process, specifying the order in which memory oper-
ations are ordered in the program executed by the process.
Operations are issued by a process in this order. Only opera-
tions from the same process are ordered. For two operations
𝑎, 𝑏 from process 𝑖 ∈ 𝑃 , if 𝑎 is issued before 𝑏 then (𝑎, 𝑏) ∈ 𝑝𝑜 .
The reads-from 𝑟 𝑓 relation contains a pair for each read
operation in𝑀 , relating it with a write on the same object.
For the pair (𝑎, 𝑏) ∈ 𝑟 𝑓 , it must be that 𝑎 is a read that returns
the value created by the write 𝑏, i.e., 𝑎 reads-from 𝑏.
The happens-before ℎ𝑏 relation is a partial order over all
operations, specifying the real-time relation of operations.
Specifically, for two operations 𝑎, 𝑏, if (𝑎, 𝑏) ∈ ℎ𝑏, then that
means that 𝑎 completes before 𝑏 begins.
Finally, the read-legal 𝑟𝑙 relation is a total order over all
operations, with the restriction that 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑟𝑙 ∪ 𝑟 𝑓 ). Given
the 𝑟 𝑓 of an execution 𝐸, it is often possible to construct
more than one 𝑟𝑙 . We associate each execution 𝐸, with a set
𝑅𝐿 which contains every 𝑟𝑙 that can be constructed from 𝐸.
For each 𝑟𝑙 ∈ 𝑅𝐿, we derive the following relations.
Relations derived from rl (ws, fr, syn). The write-seriali-
zation𝑤𝑠 relation is a total order of writes to the same object
that can be derived from 𝑟𝑙 , such that 𝑤𝑠 ⊆ 𝑟𝑙 . Intuitively,
𝑤𝑠 captures the order in which writes to the same object
serialize.
The from-reads 𝑓 𝑟 relation connects a read to writes from the
same object that precede the read in 𝑟𝑙 . Specifically, for every
read 𝑎 and a write 𝑏 to the same object where (𝑎, 𝑏) ∈ 𝑟𝑙 ,
then (𝑎, 𝑏) ∈ 𝑓 𝑟 . It follows that 𝑓 𝑟 is transitive and 𝑓 𝑟 ⊆ 𝑟𝑙 .
Finally, the synchronization 𝑠𝑦𝑛 relation combines the 𝑟 𝑓 , 𝑓 𝑟
and𝑤𝑠 relations. Specifically, 𝑠𝑦𝑛 is a partial order over op-
erations on the same object defined as the transitive closure
of the union of 𝑟 𝑓 ,𝑤𝑠 and 𝑓 𝑟 , i.e., 𝑠𝑦𝑛 ≜ (𝑟 𝑓 ∪ 𝑤𝑠 ∪ 𝑓 𝑟 )∗.
Two operations on the same object are said to synchronize if
PaPoC’21, April 26, 2021, Online, United Kingdom Vasilis Gavrielatos, Vijay Nagarajan, Panagiota Fatourou
one of them is a write. Formally, for any pair of operations
(𝑎, 𝑏) on the same object, if at least one of 𝑎, 𝑏 is a write then
it must be that (𝑎, 𝑏) ∈ 𝑠𝑦𝑛 ∨ (𝑏, 𝑎) ∈ 𝑠𝑦𝑛. If both 𝑎, 𝑏 are
reads, then (𝑎, 𝑏) ∈ 𝑠𝑦𝑛 iff there exists a write 𝑐 , such that
(𝑎, 𝑐) ∈ 𝑠𝑦𝑛 ∧ (𝑐, 𝑏) ∈ 𝑠𝑦𝑛.
Helper relations (po-type, syn-type, hb-type). Given the
set of operationsM,we define four relations𝑊𝑊,𝑊𝑅, 𝑅𝑅, 𝑅𝑊
over𝑀 that contain all write-write, write-read, read-read and
read-write pairs found in𝑀 , respectively. Table 2 uses these
four relations to define the 𝑝𝑜-𝑡𝑦𝑝𝑒 , 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 and ℎ𝑏-𝑡𝑦𝑝𝑒
relations. Specifically, by taking the intersection of 𝑝𝑜 with
each of𝑊𝑊,𝑊𝑅, 𝑅𝑅, 𝑅𝑊 , we define 𝑝𝑜𝑤𝑤, 𝑝𝑜𝑤𝑟 , 𝑝𝑜𝑟𝑟 , 𝑝𝑜𝑟𝑤 .
We write 𝑝𝑜-𝑡𝑦𝑝𝑒 as a placeholder that can be replaced by
any of these four relations. Notably, every pair in 𝑝𝑜 is also
in one of the 𝑝𝑜-𝑡𝑦𝑝𝑒 relations. I.e.,
𝑝𝑜 ≜ 𝑝𝑜𝑤𝑤 ∪ 𝑝𝑜𝑤𝑟 ∪ 𝑝𝑜𝑟𝑟 ∪ 𝑝𝑜𝑟𝑤
Similarly, we define 𝑠𝑦𝑛𝑤𝑟 and 𝑠𝑦𝑛𝑟𝑟 . Note that we do not
need to define 𝑠𝑦𝑛𝑤𝑤 and 𝑠𝑦𝑛𝑟𝑤 , because they would be the
same as 𝑤𝑠 and 𝑓 𝑟 , respectively. We write 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 as a
placeholder for𝑤𝑠, 𝑠𝑦𝑛𝑤𝑟 , 𝑠𝑦𝑛𝑟𝑟 , 𝑓 𝑟 . We note that every pair
in 𝑠𝑦𝑛 is also in one of the 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations and that 𝑟 𝑓 is
a subset of 𝑠𝑦𝑛𝑤𝑟 .
𝑠𝑦𝑛 ≜ 𝑤𝑠 ∪ 𝑠𝑦𝑛𝑤𝑟 ∪ 𝑠𝑦𝑛𝑟𝑟 ∪ 𝑓 𝑟
𝑟 𝑓 ⊆ 𝑠𝑦𝑛𝑤𝑟
Finally, in the same spirit, we define the ℎ𝑏-𝑡𝑦𝑝𝑒 relations:
ℎ𝑏𝑤𝑤, ℎ𝑏𝑤𝑤, ℎ𝑏𝑟𝑟 , ℎ𝑏𝑟𝑤 .
3 Real-time orderings
In this section we introduce and formally define the real-
time orderings (rt-orderings), through which we model the
protocol. There are two types of rt-orderings: the program-
order real-time orderings (prt-orderings) through which we
model the operation of the ROB and the synchronization
real-time orderings (srt-orderings), through which we model
the operation of the memory system. Table 1 provides the
definition of each of the eight rt-orderings. Below we first
describe the prt-orderings and then the srt-orderings.
3.1 Program-order Real-time Orderings
An execution 𝐸 (𝑀 , 𝑝𝑜 , 𝑟 𝑓 ,ℎ𝑏,𝑅𝐿) is said to enforce the 𝑝𝑟𝑡𝑤𝑟
if:
∀𝑤, 𝑟 ∈ 𝑀 𝑠.𝑡 . (𝑤, 𝑟 ) ∈ 𝑝𝑜𝑤𝑟 → (𝑤, 𝑟 ) ∈ ℎ𝑏𝑤𝑟
Plainly, a read 𝑟 cannot begin before all writes that precede it
in program order have completed. Table 1 extends this defini-
tion to write-write, read-read and read-write pairs. When all
four prt-orderings are enforced then it follows that 𝑝𝑜 ⊆ ℎ𝑏.
3.2 Synchronization Real-time Orderings
The synchronization real-time orderings (srt-orderings) are
constraints over operations to the same object. There are four
srt-orderings: 𝑠𝑟𝑡𝑤𝑤, 𝑠𝑟𝑡𝑤𝑟 , 𝑠𝑟𝑡𝑟𝑟 , 𝑠𝑟𝑡𝑤𝑟 . An execution 𝐸 (𝑀 ,
prt-orderings srt-orderings
𝑝𝑟𝑡𝑤𝑤 𝑝𝑜𝑤𝑤 ⊆ ℎ𝑏𝑤𝑤 𝑠𝑟𝑡𝑤𝑤 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏𝑤𝑤 ∪ 𝑠𝑦𝑛)
𝑝𝑟𝑡𝑤𝑟 𝑝𝑜𝑤𝑟 ⊆ ℎ𝑏𝑤𝑟 𝑠𝑟𝑡𝑤𝑟 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏𝑤𝑟 ∪ 𝑠𝑦𝑛)
𝑝𝑟𝑡𝑟𝑟 𝑝𝑜𝑟𝑟 ⊆ ℎ𝑏𝑟𝑟 𝑠𝑟𝑡𝑟𝑟 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏𝑟𝑟 ∪ 𝑠𝑦𝑛)
𝑝𝑟𝑡𝑟𝑤 𝑝𝑜𝑟𝑤 ⊆ ℎ𝑏𝑟𝑤 𝑠𝑟𝑡𝑟𝑤 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏𝑟𝑤 ∪ 𝑠𝑦𝑛)
Table 1: The condition required to enforce each rt-ordering.
po-type syn-type hb -type
𝑝𝑜𝑤𝑤 ≜ 𝑝𝑜 ∩𝑊𝑊 𝑤𝑠 ≜ 𝑠𝑦𝑛 ∩𝑊𝑊 ℎ𝑏𝑤𝑤 ≜ ℎ𝑏 ∩𝑊𝑊
𝑝𝑜𝑤𝑟 ≜ 𝑝𝑜 ∩𝑊𝑅 𝑠𝑦𝑛𝑤𝑟 ≜ 𝑠𝑦𝑛 ∩𝑊𝑅 ℎ𝑏𝑤𝑟 ≜ ℎ𝑏 ∩𝑊𝑅
𝑝𝑜𝑟𝑟 ≜ 𝑝𝑜 ∩ 𝑅𝑅 𝑠𝑦𝑛𝑟𝑟 ≜ 𝑠𝑦𝑛 ∩ 𝑅𝑅 ℎ𝑏𝑟𝑟 ≜ ℎ𝑏 ∩ 𝑅𝑅
𝑝𝑜𝑟𝑤 ≜ 𝑝𝑜 ∩ 𝑅𝑊 𝑓 𝑟 ≜ 𝑠𝑦𝑛 ∩ 𝑅𝑊 ℎ𝑏𝑟𝑤 ≜ ℎ𝑏 ∩ 𝑅𝑊
Table 2: The types of po, syn and hb relations
𝑝𝑜 , 𝑟 𝑓 , ℎ𝑏, 𝑅𝐿) enforces the srt-ordering 𝑠𝑟𝑡𝑤𝑟 if there exists
𝑟𝑙 ∈ 𝑅𝐿 such that:
𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏𝑤𝑟 ∪ 𝑠𝑦𝑛)
In other words the 𝑠𝑟𝑡𝑤𝑟 mandates that for a write 𝑎 and
a read 𝑏 if (𝑎, 𝑏) ∈ ℎ𝑏𝑤𝑟 , then it must be that (𝑏, 𝑎) ∉ 𝑠𝑦𝑛.
Table 1 describes the condition required to enforce each of
the srt-orderings. A memory system is said to enforce an srt-
ordering, if that srt-ordering is enforced in every execution
that can be generated by the memory system. Notably, a com-
bination of the srt-orderings can be enforced, for example
𝑠𝑟𝑡𝑤𝑤, 𝑠𝑟𝑡𝑤𝑟 are both enforced when 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠𝑦𝑛 ∪ ℎ𝑏𝑤𝑤 ∪
ℎ𝑏𝑤𝑟 ). When all four srt-orderings are enforced then lineariz-
ability is enforced [8] (we expand on this on Section 8.1).
4 Memory consistency models (MCMs)
In order to create a mapping from memory consistency mod-
els (MCMs) to the rt-orderings we need to establish a formal-
ism for the MCMs. In this section, we use the formalism of
Alglave et al. [2] to describe synchronization patterns (sync-
pats) and assert that any MCM 𝐶𝑀 is defined as a set of
sync-pats 𝑆𝐶𝑀 . An execution enforces 𝐶𝑀 iff it enforces ev-
ery sync-pat in 𝑆𝐶𝑀 . Below we define what a sync-pat is and
what its enforcement entails.
A sync-pat is a path between two operations to the same
object. The path can be constructed through any composition
of 𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations, with the only restriction
being that at least one 𝑝𝑜-𝑡𝑦𝑝𝑒 must be included (explained
in the remarks below). Table 2 describes which relations are
denoted 𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 .
For example, consider the sync-pat 𝑠 that consists of a
𝑝𝑜𝑤𝑟 relation, then an 𝑓 𝑟 relation and then a 𝑝𝑜𝑤𝑟 (depicted
in Figure 3a). We can describe 𝑠 by composing the three
relations as follows:
𝑠 ≜ 𝑝𝑜𝑤𝑟 ; 𝑓 𝑟 ; 𝑝𝑜𝑤𝑟








































Initially x =0, y = 0
Figure 3: Four examples of sync-pats
Given an execution 𝐸 (𝑀, 𝑝𝑜, 𝑟 𝑓 , ℎ𝑏, 𝑅𝐿), we assert that 𝐸
enforces 𝑠 if there exists 𝑟𝑙 ∈ 𝑅𝐿 from which we can derive a
𝑠𝑦𝑛 such that:
𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠 ∪ 𝑠𝑦𝑛)
In other words, a sync-pat that starts from operation 𝑎 and
ends on operation 𝑏 is said to be enforced if (𝑏, 𝑎) ∉ 𝑠𝑦𝑛.
Figure 3 depicts four sync-pats to serve as examples. In
the execution of Figure 3a, the 𝑠 sync-pat occurs between
operations 𝑎 and 𝑑 . In this instance, 𝑠 is enforced because
𝑑 returns the value created by 𝑎. If 𝑑 were to return 0, that
would mean that there is a 𝑠𝑦𝑛 relation between 𝑑 and 𝑎 and
thus 𝑠 is not enforced.
Remarks.Note the following two remarks. First, we use 𝑠𝑦𝑛
rather than 𝑟𝑙 to test whether a sync-pat is enforced. This
is because the sync-pat is a path between two operations
to the same object, but 𝑟𝑙 is a total order of all operations
across all objects. Second, note that a sync-pat must have
at least one 𝑝𝑜-𝑡𝑦𝑝𝑒 , because otherwise it would just be a
composition of 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations. Any such composition is
a subset of 𝑠𝑦𝑛, which means that the execution enforces it
by definition.
Consistencymodels. AnMCM𝐶𝑀𝑖 is defined by asserting
that a set of sync-pats 𝑆𝐶𝑀 must be enforced. Plainly, an
execution enforces 𝐶𝑀𝑖 iff it enforces every 𝑠 ∈ 𝑆𝐶𝑀 As an
example, assume that 𝐶𝑀𝑖 is defined through the four sync-
pats depicted in Figure 3, which are formalized as follows:
𝑠1 ≜ 𝑝𝑜𝑤𝑟 ; 𝑓 𝑟 ;𝑝𝑜𝑤𝑟 , 𝑠2 ≜ 𝑝𝑜𝑤𝑤 ; 𝑟 𝑓 ; 𝑝𝑜𝑟𝑤,
𝑠3 ≜ 𝑝𝑜𝑟𝑤 ;𝑤𝑠;𝑝𝑜𝑤𝑟 , 𝑠4 ≜ 𝑝𝑜𝑟𝑟 ; 𝑠𝑦𝑛𝑟𝑟 ;𝑝𝑜𝑟𝑤
We define 𝐶𝑀𝑖 to be the following rule:
𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠1 ∪ 𝑠𝑦𝑛) ∧ 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠2 ∪ 𝑠𝑦𝑛)
∧ 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠3 ∪ 𝑠𝑦𝑛) ∧ 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠4 ∪ 𝑠𝑦𝑛)
5 From MCMs to rt-orderings
In this section, we provide a mapping from MCMs to rt-
orderings. Specifically, given an MCM 𝐶𝑀𝑖 that is specified
through a set 𝑆𝐶𝑀 of sync-pats, we automatically infer a set
of rt-orderings, sufficient to enforce 𝐶𝑀𝑖 . In the rest of this
section, we first differentiate between regular and irregular
sync-pats (§5.1). Then we provide the mapping (§5.2), prove
its correctness for an example sync-pat (§5.3), extend the
proof to all regular sync-pats (§5.4) and finally extend the
proof to irregular sync-pats (§5.5). In Table 3, we provide the
mapping of 16 sync-pats to rt-orderings.
5.1 Regular and irregular sync-pats
We first categorize sync-pats into two classes: regular and
irregular. A regular sync-pat is 1) composed by alternating
𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations and 2) starts and ends on a
𝑝𝑜-𝑡𝑦𝑝𝑒 . Thus, any regular sync-pat 𝑠 , is of the following
form:
𝑠 ≜ 𝑝𝑜-𝑡𝑦𝑝𝑒; 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒;𝑝𝑜-𝑡𝑦𝑝𝑒; ... 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒;𝑝𝑜-𝑡𝑦𝑝𝑒
Any sync-pat that does not conform to regularity rules is
irregular. The distinction between regular and irregular sync-
pats will aid in the presentation of the mapping from sync-
pats to rt-orderings. Specifically, we will first create a map-
ping from a regular sync-pat to the sufficient rt-orderings to
enforce it. Then, in order to use the same mapping for irregu-
lar sync-pats, we will show that for every irregular sync-pat
𝑠𝑖 , there exists a regular sync-pat 𝑠𝑟 , such that enforcing 𝑠𝑟
is sufficient to enforce 𝑠𝑖 .
5.2 The mapping
We assert the following three conditions to enforce any reg-
ular sync-pat, assuming that an operation can be of type𝑚
or 𝑛 where𝑚,𝑛 ∈ {𝑟𝑒𝑎𝑑,𝑤𝑟𝑖𝑡𝑒}.
• Cond-1: for every 𝑝𝑜-𝑡𝑦𝑝𝑒 relation 𝑝𝑜𝑚𝑛 found in 𝑠 , the cor-
responding prt-ordering 𝑝𝑟𝑡𝑚𝑛 must be enforced. Plainly
any 𝑝𝑜-𝑡𝑦𝑝𝑒 relation must also be an ℎ𝑏 relation.
• Cond-2: for every 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation 𝑠𝑦𝑛𝑚𝑛 , if it is not an
𝑟 𝑓 , then the reverse srt-ordering 𝑠𝑟𝑡𝑛𝑚 must be enforced.
• Cond-3: if the first operation in 𝑠 is of type𝑚 and the last
of type 𝑛, the corresponding srt-ordering 𝑠𝑟𝑡𝑚𝑛 must be
enforced.
5.3 Proof for an example sync-pat
We will start by first proving that the three conditions are
sufficient for the simple sync-pat, that is portrayed in Fig-
ure 3a. Then we will extend to any regular sync-pat. The
simple sync-pat 𝑠 is the following:
𝑠 ≜ 𝑝𝑜𝑤𝑟 ; 𝑓 𝑟 ; 𝑝𝑜𝑤𝑟
For 𝑠 the three conditions require the following rt-orde-
rings:
• Cond-1: The 𝑝𝑟𝑡𝑤𝑟 is required for both 𝑝𝑜𝑤𝑟 relations.
• Cond-2: The 𝑠𝑟𝑡𝑤𝑟 for the 𝑓 𝑟 (i.e., 𝑠𝑦𝑛𝑟𝑤) relation.
• Cond-3: The 𝑠𝑟𝑡𝑤𝑟 because 𝑠 starts with a write and ends
on a read.






















Figure 4: a) 𝑏 begins before 𝑐 completes b) 𝑐 completes before 𝑏
begins.
We will show that for any execution 𝐸 (𝑀 , 𝑝𝑜 , 𝑟 𝑓 , ℎ𝑏, 𝑅𝐿),
if 𝑝𝑟𝑡𝑤𝑟 is enforced and there exists 𝑟𝑙 ∈ 𝑅𝐿 such that 𝑠𝑟𝑡𝑤𝑟
is enforced then for the 𝑠𝑦𝑛 that is derived from that 𝑟𝑙 it
holds that 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠 ∪ 𝑠𝑦𝑛).
To prove this, we first establish a new relation named
begins-before-completes (𝑏𝑏𝑐). For two operations 𝑎, 𝑏 we as-
sert that if 𝑏 does not complete before 𝑎 begins (i.e., (𝑏, 𝑎) ∉
ℎ𝑏), then 𝑎 begins before 𝑏 completes (i.e., (𝑎, 𝑏) ∈ 𝑏𝑏𝑐). We
establish the following rule:
∀𝑎, 𝑑 ∈ 𝑀 𝑠.𝑡 . (𝑎, 𝑑) ∈ (ℎ𝑏;𝑏𝑏𝑐;ℎ𝑏) → (𝑎, 𝑑) ∈ ℎ𝑏
We sketch a proof for this rule using Figure 4a . Figure 4a
illustrates this through four operations (𝑎, 𝑏, 𝑐, 𝑑), each of
which is associated with a timestamp (𝑡𝑎, 𝑡𝑏, 𝑡𝑐 , 𝑡𝑑). Oper-
ation 𝑏 begins before 𝑐 completes (i.e., (𝑏, 𝑐) ∈ 𝑏𝑏𝑐), while
also (𝑎, 𝑏), (𝑐, 𝑑) ∈ ℎ𝑏. Therefore, (𝑎, 𝑑) ∈ (ℎ𝑏;𝑏𝑏𝑐 ;ℎ𝑏). Since
𝑎 completes before 𝑏 begins (𝑡𝑎 < 𝑡𝑏) and 𝑏 begins before
𝑐 completes (𝑡𝑏 < 𝑡𝑐), it follows that 𝑎 completes before 𝑐
completes (𝑡𝑎 < 𝑡𝑐). Because 𝑐 completes before 𝑑 begins
(𝑡𝑐 < 𝑡𝑑), it follows that𝑎 completes before𝑑 begins (𝑡𝑎 < 𝑡𝑑).
Therefore, (𝑎, 𝑑) ∈ ℎ𝑏.
Figure 4b illustrates the counter-example, where 𝑐 com-
pletes before 𝑏 begins; in this case it is possible for 𝑑 to begin
before 𝑎 completes.
Consider an execution 𝐸 (𝑀 , 𝑝𝑜 , 𝑟 𝑓 , ℎ𝑏, 𝑅𝐿), for which
there exists an 𝑟𝑙 ∈ 𝑅𝐿 such that all three conditions we
asserted are satisfied. Assume four operations 𝑎, 𝑏, 𝑐, 𝑑 ∈ 𝑀
such that (𝑎, 𝑏) ∈ 𝑝𝑜𝑤𝑟 ∧ (𝑏, 𝑐) ∈ 𝑠𝑦𝑛𝑤𝑟 ∧ (𝑐, 𝑑) ∈ 𝑝𝑜𝑤𝑟 .
This implies that (𝑎, 𝑑) ∈ 𝑠 . Let us now assume that (𝑎, 𝑑) ∈
(ℎ𝑏;𝑏𝑏𝑐 ;ℎ𝑏) and thus (𝑎, 𝑑) ∈ ℎ𝑏. Specifically, (𝑎, 𝑑) ∈ ℎ𝑏𝑤𝑟 .
This is illustrated in Figure 4a. From the cond-3 (𝑠𝑟𝑡𝑤𝑟 ), we
can assert that since (𝑎, 𝑑) ∈ ℎ𝑏𝑤𝑟 it follows that (𝑑, 𝑎) ∉ 𝑠𝑦𝑛
and thus it must be that 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠 ∪ 𝑠𝑦𝑛). Plainly, cond-3
ensures that 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (𝑠∪𝑠𝑦𝑛) if the following condition holds:
∀𝑎, 𝑑 ∈ 𝑀 𝑠.𝑡 . (𝑎, 𝑑) ∈ 𝑠 → (𝑎, 𝑑) ∈ ℎ𝑏
Therefore it suffices to prove that cond-1 and cond-2 guar-
antee the above condition. We will do so by proving that
(𝑎, 𝑑) ∈ (ℎ𝑏;𝑏𝑏𝑐;ℎ𝑏).
Firstly, cond-1 (𝑝𝑟𝑡𝑤𝑟 ) mandates that 𝑝𝑜𝑤𝑟 ⊆ ℎ𝑏𝑤𝑟 . There-
fore, (𝑎, 𝑏), (𝑐, 𝑑) ∈ ℎ𝑏. We need only prove that (𝑏, 𝑐) ∈ 𝑏𝑏𝑐 .
Let’s assume that (𝑏, 𝑐) ∉ 𝑏𝑏𝑐 . It follows that (𝑐, 𝑏) ∈ ℎ𝑏.
Recall, that 𝑏 is a write and 𝑐 is a read. Cond-2 mandates
that 𝑠𝑟𝑡𝑤𝑟 is enforced: since (𝑐, 𝑏) ∈ ℎ𝑏 then (𝑏, 𝑐) ∉ 𝑠𝑦𝑛. We
have reached a contradiction, and therefore it must be that
(𝑏, 𝑐) ∈ 𝑏𝑏𝑐 .
Figure 4b provides the counter example where (𝑏, 𝑐) ∉ 𝑏𝑏𝑐 .
In this case it cannot be that (𝑎, 𝑑) ∈ 𝑠 because (𝑏, 𝑐) ∈ ℎ𝑏
and therefore from cond-2 it follows that (𝑐, 𝑏) ∈ 𝑠𝑦𝑛. Plainly,
the sync-pat 𝑠 will not occur here because P1’s read to 𝑦 will
observe P2’s write to 𝑦.
As we have shown above, from cond-1 and cond-2 it fol-
lows that (𝑎, 𝑑) ∈ ℎ𝑏 and thus from cond-3 it follows that
(𝑎, 𝑑) ∉ 𝑠𝑦𝑛. Therefore the three conditions are sufficient to
enforce 𝑠 .
5.4 Extending to all regular sync-pats
Note the intuition behind the three conditions. Cond-1 en-
sures that every 𝑝𝑜-𝑡𝑦𝑝𝑒 relation of the sync-pat is also an
ℎ𝑏 relation. Similarly, cond-2 ensures that every 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒
relation is also a 𝑏𝑏𝑐 relation. As a regular sync-pat is com-
posed by alternating 𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations, enforc-
ing cond-1 and cond-2 ensures that the sync-pat can be ex-
pressed as a composition of alternating ℎ𝑏 and 𝑏𝑏𝑐 relations.
As we saw ℎ𝑏;𝑏𝑏𝑐;ℎ𝑏 ⊆ ℎ𝑏. By induction we can extend
this rule for any sequence of alternating ℎ𝑏 and 𝑏𝑏𝑐 relations.
Specifically:
∀𝑎, 𝑏 ∈ 𝑀 𝑠.𝑡 . (𝑎, 𝑏) ∈ ℎ𝑏;𝑏𝑏𝑐;ℎ𝑏 .... ℎ𝑏;𝑏𝑏𝑐;ℎ𝑏 → (𝑎, 𝑏) ∈ ℎ𝑏
Therefore, cond-1 and cond-2 ensure that if (𝑎, 𝑏) ∈ 𝑠 then
(𝑎, 𝑏) ∈ ℎ𝑏 for any regular sync-pat 𝑠 . Finally, cond-3 ensures
that the sync-pat is enforced, by ensuring that if (𝑎, 𝑏) ∈ ℎ𝑏
then (𝑏, 𝑎) ∉ 𝑠𝑦𝑛. This means that our three conditions can
be used to enforce any regular sync-pat.
Examples – Table 3. Table 3 depicts the sufficient rt-orde-
rings for 16 sync-pats. Specifically, each cell represents a
distinct sync-pat between operations 𝑎, 𝑏, 𝑐, 𝑑 . For instance,
the highlighted cell where 𝑎 =𝑊𝑥 , 𝑏 = 𝑅𝑦, 𝑐 =𝑊𝑦, 𝑑 = 𝑅𝑥 ,
corresponds to the sync-pat of Figure 3a.
Cond-2 exception: rf . Recall that cond-2 is not required for
𝑟 𝑓 edges. This is because the purpose of cond-2 is to ensure
that the 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation is also a 𝑏𝑏𝑐 relation. However,
this is implied by the 𝑟 𝑓 as it is impossible for a read 𝑟 to
read-from a write𝑤 if 𝑟 completes before𝑤 begins. Plainly:
∀𝑤, 𝑟 ∈ 𝑀 𝑠.𝑡 . (𝑤, 𝑟 ) ∈ 𝑟 𝑓 → (𝑤, 𝑟 ) ∈ 𝑏𝑏𝑐 .
Producer-consumer (Figure 1a). Let 𝑠𝑝𝑐 be the producer-
consumer sync-pat of Figure 1a (discussed in the Introduc-
tion). We assert that 𝑠𝑝𝑐 ≜ 𝑝𝑜𝑤𝑤 ; 𝑟 𝑓 ; 𝑝𝑜𝑟𝑟 . To enforce 𝑠𝑝𝑐 ,
cond-1 requires prt-orderings 𝑝𝑟𝑡𝑤𝑤, 𝑝𝑟𝑡𝑟𝑟 , cond-2 does not
require any srt-ordering because the only 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 is an 𝑟 𝑓
and cond-3 requires the 𝑠𝑟𝑡𝑤𝑟 .
5.5 Extending to irregular sync-pats
A sync-pat is deemed irregular if 1) it has consecutive 𝑝𝑜-𝑡𝑦𝑝𝑒
relations or 2) it has consecutive 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations or 3)
it does not start with a 𝑝𝑜-𝑡𝑦𝑝𝑒 relation (i.e., starts with













𝑠𝑟𝑡𝑤𝑤 , 𝑠𝑟𝑡𝑤𝑟 ,
𝑝𝑟𝑡𝑤𝑟 , 𝑝𝑟𝑡𝑤𝑤
𝑠𝑟𝑡𝑤𝑟 , 𝑠𝑟𝑡𝑟𝑟 ,
𝑝𝑟𝑡𝑤𝑟 , 𝑝𝑟𝑡𝑟𝑟








𝑠𝑟𝑡𝑤𝑟 , 𝑠𝑟𝑡𝑟𝑤 ,
𝑝𝑟𝑡𝑤𝑤 , 𝑝𝑟𝑡𝑟𝑟




𝑠𝑟𝑡𝑟𝑟 , 𝑠𝑟𝑡𝑤𝑟 ,
𝑝𝑟𝑡𝑟𝑟 , 𝑝𝑟𝑡𝑤𝑟








𝑠𝑟𝑡𝑟𝑟 , 𝑠𝑟𝑡𝑤𝑤 ,
𝑝𝑟𝑡𝑟𝑤 , 𝑝𝑟𝑡𝑤𝑟
𝑠𝑟𝑡𝑟𝑤 , , 𝑠𝑟𝑡𝑤𝑤 ,
𝑝𝑟𝑡𝑟𝑤 , 𝑝𝑟𝑡𝑤𝑤




Table 3: The mapping of 16 sync-pats to rt-orderings. Each cell
represents a sync-pat of the form 𝑠 ≜ 𝑝𝑜-𝑡𝑦𝑝𝑒; 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒; 𝑝𝑜-𝑡𝑦𝑝𝑒 ,
where the first 𝑝𝑜-𝑡𝑦𝑝𝑒 includes (𝑎, 𝑏), the 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 includes (𝑏, 𝑐)
and the second 𝑝𝑜-𝑡𝑦𝑝𝑒 includes (𝑐, 𝑑). The highlighted cell corre-
sponds to Figure 3a.
𝑠𝑦𝑛-𝑡𝑦𝑝𝑒) or 4) it does not endwith a𝑝𝑜-𝑡𝑦𝑝𝑒 relation (i.e., ends
with 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒). For each such sync-pat 𝑠 , we derive a sync-
pat 𝑠 ′ such that 1) 𝑠 ′ is regular and 2) if 𝑠 ′ is enforced then 𝑠
must also be enforced.
Consecutive po-type.We start with sync-pats with consec-
utive 𝑝𝑜-𝑡𝑦𝑝𝑒 relations. We use the insight that any compo-
sition of 𝑝𝑜-𝑡𝑦𝑝𝑒 relations must be the subset of one of 𝑝𝑜𝑤𝑤 ,
𝑝𝑜𝑤𝑟 , 𝑝𝑜𝑟𝑟 , 𝑝𝑜𝑟𝑤 relation. For instance𝑝𝑜𝑤𝑤 ; 𝑝𝑜𝑤𝑟 ;𝑝𝑜𝑟𝑟 ; 𝑝𝑜𝑟𝑤
is a subset of 𝑝𝑜𝑤𝑤 . Therefore, for any 𝑠 that has consecutive
composed 𝑝𝑜-𝑡𝑦𝑝𝑒 relations, we derive a 𝑠 ′ which replaces
them with a single 𝑝𝑜-𝑡𝑦𝑝𝑒 relation, such that 𝑠 ⊆ 𝑠 ′ and we
assert that enforcing 𝑠 ′ is sufficient to also enforce 𝑠 . Below
is an example of 𝑠 and the derived 𝑠 ′ using the insight that
(𝑝𝑜𝑤𝑟 ;𝑝𝑜𝑟𝑤) ⊆ 𝑝𝑜𝑤𝑤 .
𝑠 ≜ 𝑝𝑜𝑤𝑟 ;𝑝𝑜𝑟𝑤 ; 𝑠𝑦𝑛𝑤𝑟 ;𝑝𝑜𝑟𝑟
𝑠 ′ ≜ 𝑝𝑜𝑤𝑤 ; 𝑠𝑦𝑛𝑤𝑟 ;𝑝𝑜𝑟𝑟
Note that an alternative approach would have been to omit
deriving 𝑠 ′ and instead simply asserting that the first con-
dition is applied for each 𝑝𝑜-𝑡𝑦𝑝𝑒 relation in 𝑠 . That would
still be correct and can be used.
Consecutive syn-type. Our approach is identical for sync-
pats with consecutive composed 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations. Specifi-
cally, a composition of 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations is always a subset
of one of 𝑓 𝑟 ,𝑤𝑠 , 𝑠𝑦𝑛𝑤𝑟 , 𝑠𝑦𝑛𝑟𝑤 . This is because any pair in a
composition of 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations is also in 𝑠𝑦𝑛 and thus it
must be in one of 𝑓 𝑟,𝑤𝑠, 𝑠𝑦𝑛𝑤𝑟𝑠𝑦𝑛𝑟𝑤 , as 𝑠𝑦𝑛 is the union of
these four relations. Therefore, for any 𝑠 that has consecutive
composed 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations, we derive an 𝑠 ′ which replaces
them with a single 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation, such that 𝑠 ⊆ 𝑠 ′.
Begin with syn-type. When a sync-pat 𝑠 begins with a
𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation, then we derive 𝑠 ′ by simply removing it.
Let us see why through an example. Assume the following 𝑠
which starts with an 𝑓 𝑟 and the derived 𝑠 ′ which removes
the 𝑓 𝑟 :
𝑠 ≜ 𝑓 𝑟 ;𝑝𝑜𝑤𝑟 𝑓 𝑟 ; 𝑝𝑜𝑤𝑟
𝑠 ′ ≜ 𝑝𝑜𝑤𝑟 𝑓 𝑟 ;𝑝𝑜𝑤𝑟
Assume now that (𝑎, 𝑐) ∈ 𝑠 , (𝑏, 𝑐) ∈ 𝑠 ′ and (𝑎, 𝑏) ∈ 𝑓 𝑟 .
Let us now prove that if 𝑠 ′ is enforced, 𝑠 is enforced too.
Assume 𝑠 ′ is enforced but 𝑠 is not. Therefore, (𝑐, 𝑏) ∉ 𝑠𝑦𝑛
but (𝑐, 𝑎) ∈ 𝑠𝑦𝑛. We know that (𝑎, 𝑏) ∈ 𝑓 𝑟 and thus (𝑎, 𝑏) ∈
𝑠𝑦𝑛. By the transitivity property of 𝑠𝑦𝑛 we assert that since
(𝑐, 𝑎) ∈ 𝑠𝑦𝑛 ∧ (𝑎, 𝑏) ∈ 𝑠𝑦𝑛 it must be that (𝑐, 𝑏) ∈ 𝑠𝑦𝑛. This
contradicts our assumption that 𝑠 ′ is enforced. Therefore
enforcing 𝑠 ′ is sufficient to also enforce 𝑠 .
End on syn-type. Similarly, if 𝑠 ends on a 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation,
we remove it to derive 𝑠 ′. Assume the following example.
𝑠 ≜ 𝑝𝑜𝑤𝑟 𝑓 𝑟 ;𝑝𝑜𝑤𝑟 𝑓 𝑟
𝑠 ′ ≜ 𝑝𝑜𝑤𝑟 𝑓 𝑟 ;𝑝𝑜𝑤𝑟
Assume now that (𝑎, 𝑐) ∈ 𝑠 , (𝑎, 𝑏) ∈ 𝑠 ′ and (𝑏, 𝑐) ∈ 𝑓 𝑟 .
Using the same proof as above, we can infer that if 𝑠 ′ is
enforced then (𝑏, 𝑎) ∉ 𝑠𝑦𝑛 and thus it follows that (𝑐, 𝑎) ∉
𝑠𝑦𝑛. Therefore enforcing 𝑠 ′ is sufficient to also enforce 𝑠 .
A combination of the above (IRIW – Figure 1b).When
a sync-pat falls into more than one of the above irregular
categories, we combine the techniques discussed above. For
instance, let 𝑠𝑖𝑟𝑖𝑤 be the IRIW sync-pat of Figure 1b (dis-
cussed in the Introduction).
𝑠𝑖𝑟𝑖𝑤 ≜ 𝑟 𝑓 ;𝑝𝑜𝑟𝑟 ; 𝑓 𝑟 ; 𝑟 𝑓 ;𝑝𝑜𝑟𝑟
This is an irregular sync-pat, which both starts with a 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒
and includes a composition of consecutive 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations.
We use the rules above to derive 𝑠 ′𝑖𝑟𝑖𝑤 ≜ 𝑝𝑜𝑟𝑟 ; 𝑠𝑦𝑛𝑟𝑟𝑝𝑜𝑟𝑟 and
assert that if 𝑠 ′𝑖𝑟𝑖𝑤 is enforced then 𝑠𝑖𝑟𝑖𝑤 is also enforced.
To enforce 𝑠 ′𝑖𝑟𝑖𝑤 , cond-1 requires the prt-ordering 𝑝𝑟𝑡𝑟𝑟 and
cond-2 requires the srt-ordering 𝑠𝑟𝑡𝑟𝑟 which is also required
by cond-3.
6 From rt-orderings to MCMs
So far we have created a mapping from MCMs to rt-orde-
rings, by establishing the sufficient rt-orderings to enforce
any sync-pat. In this section, we use this result to obtain
the reverse mapping from rt-orderings to MCMs, focusing
our discussion solely on regular sync-pats, seeing as the en-
forcement of irregular sync-pats is done by mapping them
to regular ones. To obtain the mapping from rt-orderings to
sync-pats, we reverse each of the three conditions, assum-
ing that an operation can be of type 𝑚 or 𝑛 where 𝑚,𝑛 ∈
{𝑟𝑒𝑎𝑑,𝑤𝑟𝑖𝑡𝑒}. Specifically, given a protocol that enforces a
set of prt-orderings 𝑅𝑝 and a set of srt-orderings 𝑅𝑠 , a sync-
pat 𝑠 is enforced when it abides by the following conditions:
• Cond-1′ : 𝑠 can include a 𝑝𝑜-𝑡𝑦𝑝𝑒 relation 𝑝𝑜𝑚𝑛 if 𝑝𝑟𝑡𝑚𝑛 ∈
𝑅𝑝 .
PaPoC’21, April 26, 2021, Online, United Kingdom Vasilis Gavrielatos, Vijay Nagarajan, Panagiota Fatourou
• Cond-2′: 𝑠 can include a 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation 𝑠𝑦𝑛𝑚𝑛 if it is an
𝑟 𝑓 relation or 𝑠𝑟𝑡𝑛𝑚 ∈ 𝑅𝑠 .
• Cond-3′: 𝑠 can start with an operation of type𝑚 and end
on an operation of type 𝑛, if 𝑠𝑟𝑡𝑚𝑛 ∈ 𝑅𝑠 .
Example. To showcase how these conditions can be used
in practice, let us specify the MCM 𝐶𝑀𝑖 that is enforced by
a protocol that enforces the rt-orderings 𝑝𝑟𝑡𝑤𝑤, 𝑝𝑟𝑡𝑤𝑟 , 𝑠𝑟𝑡𝑟𝑤
and 𝑠𝑟𝑡𝑤𝑟 . To do so we must specify a set of sync-pats 𝑆𝐶𝑀
where each regular sync-pat 𝑠 ∈ 𝑆𝐶𝑀 abides by the following
rules:
• Any 𝑝𝑜-𝑡𝑦𝑝𝑒 relation in 𝑠 is either a 𝑝𝑜𝑤𝑤 or a 𝑝𝑜𝑤𝑟
• Any 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation in 𝑠 is either a 𝑠𝑦𝑛𝑤𝑟 or a 𝑠𝑦𝑛𝑟𝑤 . (𝑟 𝑓
is included in 𝑠𝑦𝑛𝑤𝑟 )
• 𝑠 must either start on a write and end on a read, or start
on a read and end on a write.
Notably, the interplay amongst the rules can be used to
further simplify them. For instance the third rule asserts
that from the available srt-orderings (𝑠𝑟𝑡𝑟𝑤 and 𝑠𝑟𝑡𝑤𝑟 ) it fol-
lows that either the first operation must be a read and the
last a write or the reverse. However, neither of the available
𝑝𝑜-𝑡𝑦𝑝𝑒𝑠 (𝑝𝑜𝑤𝑤 and 𝑝𝑜𝑤𝑟 ) start with a read and since a reg-
ular sync-pat must start with a 𝑝𝑜-𝑡𝑦𝑝𝑒 relation, it cannot
be that the first operation is a read. Consequently, the first
operation can only be a write, and thus the last operation
must be a read, to abide by the third rule.
Similarly, because a regular sync-pat, is a composition of
alternating 𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations, it follows that
the available 𝑝𝑜-𝑡𝑦𝑝𝑒 and 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relations can only be used
if they can synergize. For instance, the 𝑠𝑦𝑛𝑤𝑟 cannot be used
at all because neither of the available 𝑝𝑜-𝑡𝑦𝑝𝑒𝑠 (𝑝𝑜𝑤𝑤 and
𝑝𝑜𝑤𝑟 ) starts from a read. Similarly, because the 𝑠𝑦𝑛𝑤𝑟 cannot
be used, the 𝑝𝑜𝑤𝑤 cannot be used before any 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 , nor
can it be used as the last relation because the sync-pat must
end on a read.
Therefore the rules for a sync-pat 𝑠 ∈ 𝑆𝐶𝑀 are simplified as
follows:
• Any 𝑝𝑜-𝑡𝑦𝑝𝑒 relation in 𝑠 must be a 𝑝𝑜𝑤𝑟
• Any 𝑠𝑦𝑛-𝑡𝑦𝑝𝑒 relation in 𝑠 must be a 𝑠𝑦𝑛𝑟𝑤 .
• 𝑠 must start on a write and end on a read.
As a result any regular sync-pat 𝑠 ∈ 𝑆𝐶𝑀 is a composition
of alternating 𝑝𝑜𝑤𝑟 ans 𝑠𝑦𝑛𝑟𝑤 relations. Below, we list a few
examples sync-pats in 𝑆𝐶𝑀
𝑠1 ≜ 𝑝𝑜𝑤𝑟 ; 𝑠𝑦𝑛𝑟𝑤 ;𝑝𝑜𝑤𝑟
𝑠2 ≜ 𝑝𝑜𝑤𝑟 ; 𝑠𝑦𝑛𝑟𝑤 ;𝑝𝑜𝑤𝑟 ; 𝑠𝑦𝑛𝑟𝑤 ;𝑝𝑜𝑤𝑟
𝑠3 ≜ 𝑝𝑜𝑤𝑟 ; 𝑠𝑦𝑛𝑟𝑤 ; 𝑝𝑜𝑤𝑟 ; ... 𝑠𝑦𝑛𝑟𝑤 ; 𝑝𝑜𝑤𝑟
Notably, enforcing the 𝑝𝑟𝑡𝑤𝑤 and 𝑠𝑟𝑡𝑟𝑤 are not contribut-
ing towards enforcing any 𝑠 ∈ 𝑆𝐶𝑀 .
7 From rt-orderings to Protocols
In previous sections we established the mappings between
the sync-pats and the rt-orderings. In this section, we relate
rt-orderings to some well-known protocol design techniques.
We start with a brief discussion on the prt-orderings and then
we focus on the srt-orderings.
7.1 Enforcing rt-orderings
Prt-orderings model the operation of the ROB specifying
when the memory system can begin executing an opera-
tion. Upholding the prt-orderings is as simple as inspecting
the state of the ROB. For instance, enforcing 𝑝𝑟𝑡𝑤𝑟 implies
that the memory system cannot begin executing a read 𝑟
from process 𝑝 , until every preceding write in the ROB is
completed.
Srt-orderings models how the memory system executes
reads and writes. Below we discuss two common techniques
that can be used to enforce srt-orderings 1) overlap and 2)
lockstep.
Overlap. The srt-ordering 𝑠𝑟𝑡𝑚𝑛 can be enforced simply
by ensuring that operations of type 𝑚 must overlap with
operations of type 𝑛 in a physical location. For instance, we
can enforce 𝑠𝑟𝑡𝑤𝑟 , by ensuring that a write is propagated
to 𝑥 nodes and a read queries 𝑦 nodes, where 𝑥 + 𝑦 > 𝑁
and 𝑁 is the number of nodes. Alternatively, both types of
operations can “meet” in some centralized physical location
(e.g., the directory for multiprocessors). To ensure all four
srt-orderings and thus linearizability, both reads and writes
must query 𝑦 nodes to learn about completed operations and
must broadcast their results to 𝑥 nodes. This is exactly how
the multi-writer variant of ABD [14] operates.
Lockstep. Lockstep is a technique, where a memory sys-
tem node first “grabs a lock” on the object before beginning
an operation and releases it when the operation completes.
Upon grabbing the lock, the node learns about the operation
executed by the previous lock holder. The act of “grabbing
the lock” is similar to getting a cache-line in 𝑀 or 𝑆 state
in a coherence protocol [17], or becoming the leader of the
next log entry in a state machine replication protocol, such
as Paxos [11]. Notably, lockstep entails overlap as operations
must meet in a physical location to exchange the lock, but it
also precludes the operations from executing concurrently.
There are two aspects of lockstep that can enforce srt-
orderings. First, the srt-ordering between two operations
is enforced if a lock must be passed from one to the other.
For example we can enforce 𝑠𝑟𝑡𝑤𝑤 by mandating that a lock
must be grabbed to perform a write. Second, locking also
ensures that certain operations cannot overlap in real-time.
When a write cannot overlap with a write and 𝑠𝑟𝑡𝑤𝑤 is en-
forced then 𝑠𝑟𝑡𝑟𝑤 is also enforced. This is because if a read
𝑟 returns the value of write 𝑤 , then a write 𝑘 that begins
after 𝑟 has completed must also begin after𝑤 has completed.
Similarly, when a write cannot overlap with a read and 𝑠𝑟𝑡𝑤𝑟
Synthesis of Coherence/Replication Protocols from Consistency Models PaPoC’21, April 26, 2021, Online, United Kingdom
is enforced, then 𝑠𝑟𝑡𝑟𝑟 is enforced. This is because if a read
𝑟 returns the value of write𝑤 , then it must be that𝑤 com-
pletes before 𝑟 begins. Therefore, a read𝑚 that begins after
𝑟 has completed, must also begin after 𝑤 has completed
and thus will observe 𝑤 . Protocols often combine the two
aspects of lock-step to enforce the single-writer multiple-
reader invariant (SWMR) [17], where for any given object
at any given time there is either a single write in progress
or multiple reads. This ensures that writes must grab a lock
from each other (𝑠𝑟𝑡𝑤𝑤), reads must grab a lock from writes
(𝑠𝑟𝑡𝑟𝑤), writes cannot overlap in time (𝑠𝑟𝑡𝑟𝑤) and writes do
not overlap in time with reads (𝑠𝑟𝑡𝑟𝑟 ).
8 Discussion
In this work, we have used the rt-orderings to model the
protocol, allowing us to create a mapping from MCMs to
protocols. In this section, we discuss other use-cases of the rt-
orderings.We start by describing the relation of srt-orderings
to linearizability and then we discuss how they can be used
to describe the real-time guarantees of existing protocols
and to decide the consistency guarantees provided when
protocols are composed.
8.1 Relation of srt-orderings to linearizability
Formally, the lin criterion [8] can be written in our notation
as follows. An execution 𝐸 (𝑀 , 𝑝𝑜 , 𝑟 𝑓 , ℎ𝑏, 𝑅𝐿) is linearizable
if there exists 𝑟𝑙 ∈ 𝑅𝐿 such that ℎ𝑏 ⊆ 𝑟𝑙 . Furthermore, be-
cause lin is a local property, it suffices that only operations to
the same object abide by the rule. Plainly, for two operations
𝑎, 𝑏 to the same object 𝑥 , if (𝑎, 𝑏) ∈ ℎ𝑏 then it must be that
(𝑎, 𝑏) ∈ 𝑟𝑙 . This is equivalent to: 𝑎𝑐𝑦𝑐𝑙𝑖𝑐 (ℎ𝑏, 𝑠𝑦𝑛). This, in
turn, is equivalent to enforcing all four srt-orderings. There-
fore, the lin property is the property of enforcing all four
srt-orderings.
Intuition. Informally, the lin property can be defined by
writing that each memory operation appears to take effect at
some point between its invocation and completion [7]. Notably,
each of the srt-orderings is a specialization of this definition.
For instance, 𝑠𝑟𝑡𝑤𝑟 mandates that each write appears to take
effect at some point between its invocation and completion
w.r.t. every read. Combining all four srt-orderings mandates
that each write or read appears to take effect at some point
between its invocation and completion w.r.t. every read or
write. This is equivalent to the lin definition.
8.2 Srt-orderings for compositionality
So far we have viewed the srt-orderings solely as a mathemat-
ical model of the protocol. However, in distributed systems,
it is often necessary to describe the real-time guarantees
offered by a system, in order to compose different systems.
Consider the example of Zookeeper. Zookeeper does not
offer linearizability, and thus multiple Zookeeper instances
cannot be composed. However, researchers have found that
Zookeeper does offer some real-time guarantees that can be
leveraged to achieve compositionality [12].
Srt-orderings can be used to capture these real-time guar-
antees. For example, the precise real-time guarantees of
Zookeeper are the 𝑠𝑟𝑡𝑤𝑤 and the 𝑠𝑟𝑡𝑟𝑤 srt-orderingsand all
four prt-orderings. More importantly, given this knowledge
we can specify the MCM provided by composing different
Zookeeper instances: the composed system will enforce the
same rt-orderings as a single Zookeeper instance and thus
we can use the reverse mapping from rt-orderings to sync-
pats to specify the resulting MCM. In fact, we can use srt-
orderings in the same spirit, to specify the MCM of any
combination of composed systems, by asserting that the com-
posed system will enforce any rt-ordering that is enforced
by all of its subsystems.
9 Related Work
This work is the first to provide a mapping fromMCMs to the
protocols that can enforce them. To present this mapping we
have used an abstract system model and the formalism pre-
sented by Alglave et al. [2] in order to describe MCMs, exe-
cutions and real-time guarantees. Several works [4–6, 13, 20]
have also described similar system models and formalism,
but differ from our work in that they do not provide a map-
ping from MCMs to the protocols. Specifically, Szekeres and
Zhang [20] provide a system model and a formalism called
result visibility to describe consistency guarantees, including
real-time guarantees. Crooks et al. [5], focusing on databases,
provide a state-based formalization of isolation guarantees.
Burckhardt, in his book on Eventual Consistency [4], pro-
vides a formalism to describe consistency models and proto-
cols, with a focus on weaker guarantees. Lev-ari et al. [13]
define Ordered Sequential Consistency, OSC(A), in order to
specify the real-time guarantees of a protocol (with a fo-
cus on Zookeeper [9]). Similarly, Gotsman and Burckhardt
propose GSC [6], a generic operational model for systems
that totally order all writes, which can capture all of the
srt-orderings for such systems.
In the cache coherence literature, the four program-orderings
are used to describe consistency guarantees [17]. In fact, re-
searchers have shown that when the coherence protocol
enforces the single-writer multiple-reader (SWMR) invari-
ant, the MCM depends solely on the enforced program or-
derings [3, 16]. Program orderings are very similar to prt-
orderings with the subtle difference that program order-
ings carry the implication that the memory system enforces
SWMR. In contrast, prt-orderings make no such assumption,
allowing us to explore all possible behaviours of the memory
system.
Finally, CCICheck [15] provides a way to verify an existing
coherence protocol against its target MCM using the notion
of µhb orderings, which are related to real-time. Our work
PaPoC’21, April 26, 2021, Online, United Kingdom Vasilis Gavrielatos, Vijay Nagarajan, Panagiota Fatourou
provides a mapping from MCMs to protocols, enabling the
design of minimal protocols for any MCM.
10 Conclusion
In this work, we took an important step towards actualizing
our overarching vision, which is the automation of the design
of protocols that are responsible to enforce the consistency
model (MCM) in shared memory systems. Specifically, we
argued for the need of an intermediate abstraction between
the MCM and the protocol implementation, that will allow
us to map the MCM to specific protocol implementation tech-
niques. We proposed such an abstraction by mathematically
modelling the protocol through eight rt-orderings. To do so,
we observed that any such protocol is comprised by two
widgets: the ROB and the memory system. We mathemat-
ically abstracted the ROB with the four prt-orderings and
the memory system with the four srt-orderings. Crucially,
we created a mapping from consistency guarantees to the
rt-orderings, such that any MCM can be translated into the
minimal set of rt-orderings that are required to enforce it. Fi-
nally, we completed the picture, by relating the rt-orderings
to protocol implementation techniques, paving the way for
automating protocol design.
Acknowledgments
We would like to thank the anonymous reviewers for their
valuable comments and Dan Sorin for the insightful discus-
sions and valuable feedback. This work was supported in
part by EPSRC grant EP/L01503X/1 to The University of
Edinburgh and ARM through its PhD Scholarship Program.
References
[1] “Manhattan, our real-time, multi-tenant distributed database for twit-
ter scale,” https://bit.ly/2Vgu0wd, April 2014, (Accessed on 07/08/2019).
[2] J. Alglave, L. Maranget, and M. Tautschnig, “Herding Cats,” ACM
TOPLAS, vol. 36, no. 2, pp. 1–74, jul 2014.
[3] Arvind and J.-W. Maessen, “Memory Model = Instruction Reordering
+ Store Atomicity,” in Proceedings of the 33rd Annual International
Symposium on Computer Architecture, ser. ISCA ’06. USA: IEEE
Computer Society, 2006, p. 29–40. [Online]. Available: https:
//doi.org/10.1109/ISCA.2006.26
[4] S. Burckhardt, “Principles of Eventual Consistency,” Found. Trends
Program. Lang., vol. 1, no. 1-2, pp. 1–150, Oct. 2014. [Online]. Available:
http://dx.doi.org/10.1561/2500000011
[5] N. Crooks, Y. Pu, L. Alvisi, and A. Clement, “Seeing is believing: A
client-centric specification of database isolation,” in Proceedings of the
ACM Symposium on Principles of Distributed Computing, ser. PODC ’17.
New York, NY, USA: Association for Computing Machinery, 2017, p.
73–82. [Online]. Available: https://doi.org/10.1145/3087801.3087802
[6] A. Gotsman and S. Burckhardt, “Consistency models with global
operation sequencing and their composition,” in Leibniz International
Proceedings in Informatics (LIPIcs); 31st International Symposium on
Distributed Computing (DISC 2017), vol. 91. Dagstuhl Publishing,
October 2017, pp. 0.959 027 778–0.969 444 444. [Online]. Available:
https://www.microsoft.com/en-us/research/publication/consistency-
models-with-global-operation-sequencing-and-their-composition/
[7] M. Herlihy and N. Shavit, The Art of Multiprocessor Programming. San
Francisco, CA, USA: Morgan Kaufmann Publishers Inc., 2008.
[8] M. P. Herlihy and J. M. Wing, “Linearizability: A Correctness
Condition for Concurrent Objects,” ACM Trans. Program. Lang.
Syst., vol. 12, no. 3, pp. 463–492, Jul. 1990. [Online]. Available:
http://doi.acm.org/10.1145/78969.78972
[9] P. Hunt, M. Konar, F. P. Junqueira, and B. Reed, “ZooKeeper: Wait-free
Coordination for Internet-scale Systems,” in Proceedings of the 2010
USENIX Conference on USENIX Annual Technical Conference, ser.
USENIXATC’10. Berkeley, CA, USA: USENIX Association, 2010, pp.
11–11. [Online]. Available: http://dl.acm.org/citation.cfm?id=1855840.
1855851
[10] P. Keleher, A. L. Cox, S. Dwarkadas, and W. Zwaenepoel, “TreadMarks:
Distributed Shared Memory on Standard Workstations and Operating
Systems,” in Proceedings of the USENIX Winter 1994 Technical
Conference on USENIX Winter 1994 Technical Conference, ser. WTEC’94.
Berkeley, CA, USA: USENIX Association, 1994, pp. 10–10. [Online].
Available: http://dl.acm.org/citation.cfm?id=1267074.1267084
[11] L. Lamport, “The part-time parliament,”ACMTransactions on Computer
Systems (TOCS), vol. 16, no. 2, pp. 133–169, 1998.
[12] K. Lev-Ari, E. Bortnikov, I. Keidar, and A. Shraer, “Modular Composi-
tion of Coordination Services,” in USENIX Annual Technical Conference,
2016.
[13] ——, “Composing ordered sequential consistency,” Inf. Process.
Lett., vol. 123, no. C, p. 47–50, Jul. 2017. [Online]. Available:
https://doi.org/10.1016/j.ipl.2017.03.004
[14] N. A. Lynch and A. A. Shvartsman, “Robust emulation of shared mem-
ory using dynamic quorum-acknowledged broadcasts,” in Proceedings
of IEEE 27th International Symposium on Fault Tolerant Computing,
June 1997, pp. 272–281.
[15] Y. A. Manerkar, D. Lustig, M. Pellauer, and M. Martonosi, “CCICheck:
using `hb graphs to verify the coherence-consistency interface,” in
MICRO’15, 2015, pp. 26–37.
[16] A. Meixner and D. J. Sorin, “Dynamic Verification of Sequential
Consistency,” in Proceedings of the 32nd Annual International
Symposium on Computer Architecture, ser. ISCA ’05. USA: IEEE
Computer Society, 2005, p. 482–493. [Online]. Available: https:
//doi.org/10.1109/ISCA.2005.25
[17] V. Nagarajan, D. J. Sorin, M. D. Hill, and D. A. Wood, “A
primer on memory consistency and cache coherence, second
edition,” Synthesis Lectures on Computer Architecture, vol. 15,
no. 1, pp. 1–294, 2020. [Online]. Available: https://doi.org/10.2200/
S00962ED2V01Y201910CAC049
[18] S. Owens, S. Sarkar, and P. Sewell, “A Better x86 Memory Model:
X86-TSO,” in Proceedings of the 22Nd International Conference on
Theorem Proving in Higher Order Logics, ser. TPHOLs ’09. Berlin,
Heidelberg: Springer-Verlag, 2009, pp. 391–407. [Online]. Available:
http://dx.doi.org/10.1007/978-3-642-03359-9_27
[19] K. Petersen, M. J. Spreitzer, D. B. Terry, M. M. Theimer, and
A. J. Demers, “Flexible Update Propagation for Weakly Consistent
Replication,” in Proceedings of the Sixteenth ACM Symposium on
Operating Systems Principles, ser. SOSP ’97. New York, NY, USA:
Association for Computing Machinery, 1997, p. 288–301. [Online].
Available: https://doi.org/10.1145/268998.266711
[20] A. Szekeres and I. Zhang, “Making consistency more consistent:
A unified model for coherence, consistency and isolation,” in
Proceedings of the 5th Workshop on the Principles and Practice of
Consistency for Distributed Data, ser. PaPoC ’18. New York, NY,
USA: Association for Computing Machinery, 2018. [Online]. Available:
https://doi.org/10.1145/3194261.3194268
