Ogre and Pythia: An Invariance Proof Method for Weak Consistency Models by Alglave, J & Cousot, P
Ogre and Pythia: An Invariance Proof
Method for Weak Consistency Models
Jade Alglave
Microsoft Research Cambridge, University College London, UK
ocsl tc o@ ml .fia g rva m oaj , ag k.l .l cl v auc@ea.j u
Patrick Cousot
New York University, USA, emer. E´cole Normale Supe´rieure, PSL.
dt . y .so mu i un us co ec @p , .s rt fseu @oc no
Abstract
We design an invariance proof method for concurrent programs
parameterised by a weak consistency model. The calculational
design of the invariance proof method is by abstract interpretation
of a truly parallel analytic semantics. This generalises the methods
by Lamport and Owicki-Gries for sequential consistency. We use
cat as an example of language to write consistency speciﬁcations
of both concurrent programs and machine architectures.
Categories and Subject Descriptors D.1.3 (Concurrent Program-
ming); D.2.4 (Veriﬁcation); F.3.1 (Invariants); F.3.2 (Semantics).
Keywords concurrency, distributed and parallel programming, in-
variance, veriﬁcation, weak consistency models.
When an ogre (Owicki-GRies Extended) meets a pythia (vari-
able) classic tales get retold: in this paper we investigate an in-
variance proof method for concurrent (parallel or distributed) al-
gorithms parameterised by weak consistency models.
Different program semantics styles can be used to describe con-
current program executions, for example operational, denotational
or axiomatic semantics. We introduce here a new style, that we call
analytic; it is more abstract than operational models (Boudol et al.
2012) or pomsets (Brookes 2016; Grief 1975)). In this context, we
separate the individual traces of the different processes that consti-
tute the program from the communications between processes.
Weak consistency models (WCMs) are seen as placing more or less
restrictions on communications. WCMs are now a ﬁxture of com-
puting systems: for example Intel x86 or ARM processors, Nvidia
graphics cards, programming languages such as C++ or OpenCL,
or distributed systems such as AmazonWeb Services orMicrosoft’s
Azure. In this context, the execution of a concurrent program can
be seen as an interleaving of the individual traces of the differ-
ent processes that constitute the program, but the communication
between processes are unlike what is prescribed by Lamport’s Se-
quential Consistency (SC) (Lamport 1979). Indeed the read of a
shared variable may read another value than the one written by the
last previous write (for example due to hardware features such as
store buffers and caches).
Different consistency semantics styles can be used to describe
WCMs. Operational models deﬁne abstract machines in which
executions of programs are sequences of transitions made to or
from formal entities modelling e.g. hardware features such as store
buffers and caches. Axiomatic models abstract away from such
concrete features and describe executions as relations over events
modelling e.g. read or write memory accesses, and synchronisation.
We calculate our invariance proof method as an abstraction
of the analytic semantics. Thus our method is parameterised by a
WCM.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without
fee provided that copies are not made or distributed for proﬁt or commercial advantage and that copies bear this notice
and the full citation on the ﬁrst page. Copyrights for components of this work owned by others than ACM must be
honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to
lists, requires prior speciﬁc permission and/or a fee. Request permissions from permissions@acm.org or Publications
Dept., ACM, Inc., fax +1 (212) 869-0481.
POPL’17 January 18–20, 2017, Paris, France
Copyright c⃝ 20yy ACM 978-1-4503-4660-3/17/01. . . $15.00
DOI: http://dx.doi.org/10.1145/10.1145/3009837.3009883
1. Overview of the Analytic Semantics
Our analytic semantics describes program executions as their an-
archic semantics (process computations without any restriction on
communications), and their communication semantics (restrictions
on communication between processes). To illustrate our analytic
semantics, we will use the load buffering example lb in Fig. 1.
0:{ x = 0; y = 0; }
P0 P1 ;
1:r[] r1 x 11:r[] r2 y;
2:w[] y 1 12:w[] x 1 ;
3: 13: ;
Figure 1: lb algorithm in LISA
In lb, processes P0 and P1 communicate via shared variables x
and y (initialised to 0 at line 0). Each process reads a variable (x
at line 1 for P0, and y at line 11 for P1), then writes to the other
variable (y at line 2 for P0 and x at line 12 for P1).
1.1 Anarchic Semantics
Fig. 2 gives one of the four anarchic executions of lb. After initial-
0:
w0x! "# $
x = 0;
w0y! "# $
y = 0
1: r1 = 0; ∅
r1x! "# $
1:r[] r1 x! x1
2: r1 = x1; x1 = 1
w2y! "# $
2:w[] y 1
3: r1 = x1; x1 = 1
11: r2 = 0; ∅
r11y! "# $
11:r[] r2 y! y11
12: r2 = y1; y1 = 1
w12x! "# $
12:w[] x 1
13: r2 = y1; y1 = 1
π0
π1π2π3
π4
rfrf
Figure 2: One anarchic execution for lb
ising x and y to 0, the computations of P0 and P1 are formalised
by traces, viz., ﬁnite or inﬁnite sequences of states separated by
unique events. States and events appear along a trace in the process
execution order.
Events give a semantics to instructions, for example accesses
to registers or memory locations. States record a process program
point, the value of local variables (registers r1 for P0 and r2 for
P1) and the value of pythia variables.
A pythia variable is the unique name given to the value of a read
event, e.g. x1 for the read r1x = 1:r[] r1 x. Our pythia variables
are different from ghost variables; ghost variables compensate for
objects that do not exist in the chosen program semantics.
The read-from relation rf describes communications between
processes. In Fig. 2, the read r1x takes its value from the write w12x
(so the value 1 is assigned to the pythia variable x1).
The interleaving of the processes’ executions is given by cuts.
The sequence of cuts π0;π1;π2;π3;π4 in Fig. 2 formalises the in-
terleaving x=0; y=0; r[] r1 x; r[] r2 y; w[] x 1; w[] y 1.
Contrary to operational models, the anarchic semantics does not
deﬁne the coherence order i.e., the order in which the writes to a
given memory location hit the shared memory, since this is part
of the WCM. Independently of the order of execution of the write
actions (deﬁned by the cuts), all possible coherence orders are a
priori possible (and will be considered in cat with with co from
AllCo (Alglave et al. 2016)).
1.2 Communication Semantics
The communication semantics ﬁlters anarchic executions accord-
ing to certain restrictions on the communication between processes
(i.e., the read-from relation rf).
To apply these restrictions more easily, we abstract anarchic
executions into candidate executions, where communicated values
and cuts are abstracted away. A candidate execution consists of the
set of events (partitioned into reads, writes—including the initial-
isation writes IW, tests, fences), the process execution order po (a
total per process, between consecutive events on a trace), and the
read-from relation rf. Fig. 3 shows the candidate execution which
abstracts the anarchic execution of lb of Fig. 2.
r1x! "# $
1:r[] r1 x! x1
w2y! "# $
2:w[] y 1
r11y! "# $
11:r[] r2 y! y11
w12x! "# $
12:w[] x 1
0:
w0x! "# $
x = 0;
w0y! "# $
y = 0
rfrf
popo
IW
Figure 3: Candidate execution for lb
We use the domain-speciﬁc language cat (Alglave et al. 2016)
as an example of a language to specify restrictions on communica-
tions. In cat, we can forbid the anarchic execution of lb in Fig. 3
by asking its candidate execution abstraction in Fig. 3 to satisfy the
constraint irreflexive po;rf;po;rf. Thus the candidate exe-
cution of Fig. 3 should not have a reﬂexive sequence that alternates
process execution order (po) and communications (rf). This is not
the case since: r1x po w2y rf r11y po w12x rf r1x .
1.3 Invariance Semantics
We follow (Cousot and Cousot 1980) and deﬁne the invariance
semantics by abstraction of the analytic semantics. The invariance
semantics relates each local program point to the values of the other
program points, local variables, pythia variables, and rf along all
cuts of all executions going through that local program point. For
example Scom ⇒ Sinv is invariant for lb where Sinv = (at{3} ∧
at{13}) ⇒ ¬(r1 = 1 ∧ r2 = 1) and the communication
hypothesis Scom = {⟨w12x , r1x ⟩, ⟨w2y , r11y ⟩} ̸∈ rf excludes the case
of Fig. 2 and 3. The veriﬁcation conditions are formally derived
by calculational design from the formal deﬁnition of the analytic
semantics and proceed by induction along cuts. In addition to
the initialisation, sequential, and non-interference proof, the main
difference with (Owicki and Gries 1976; Lamport 1977) is the
use of pythia variables and the read-from relation rf in assertions
and the communication proof showing that rf is well-formed. This
proof method design methodology is independent of the considered
language. We apply it to the Litmus Instruction Set Architecture
(LISA) language (Alglave and Cousot 2016) of the herd7 tool
(Alglave and Maranget 2015)
2. Overview of the Invariance Proof Method
We aim at developing correct algorithms for a wide variety of weak
consistency models M0, . . . ,Mn. Given an algorithm A and a
consistency modelM ∈ {M0, . . . ,Mn}, our method is articulated
as follows—we detail each of these points in turn below, and show
a graphical representation in Fig. 4:
1. Design the algorithm A, state its invariant speciﬁcation Sinv
(see Sect. 2.1), and its communication speciﬁcation Scom (see
Sect. 2.2).
We write A in LISA, using LISA’s special fence synchronisation
markers if needed, which allow to deﬁne in cat between which
algorithm A
invariant
speciﬁcation of A
Sinv
communication
speciﬁcation of A
Scom
consistency
hypothesis of A
Hcom
consistency
modelM
conditional
invariance proof
Scom ⇒ Sinv
inclusion proof
Hcom ⇒ Scom
consistency proof
M ⇒ Hcom
algorithm A proved
correct w.r.t.
Hcom and Sinv
Hcom ⇒ Sinv
algorithm A proved
correct w.r.t.
M and Sinv
M ⇒ Sinv
Figure 4: Our method
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do {i} 12:do {j}
4: r[] R1 F2 {❀ F2i4} 13: r[] R3 F1; {❀ F1j13}
5: r[] R2 T {❀ Ti5} 14: r[] R4 T; {❀ Tj14}
6:while R1 ∧ R2 ̸= 1 {iend} 15:while R3 ∧ R4 ̸= 2; {jend}
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
9: 18:
Figure 5: Peterson algorithm in LISA
program points (perhaps sets of program points) synchronisation
is needed for correctness;
2. Prove the correctness Scom ⇒ Sinv of the algorithm A w.r.t. the
invariant speciﬁcation Sinv , under the communication speciﬁca-
tion Scom (see Sect. 2.3.1);
3. Prove that the consistency modelM guarantees the communic-
ation speciﬁcation Scom that we postulated for the correctness of
algorithm A (i.e.,M ⇒ Scom , see Sect. 2.3.3 and Sect. 2.3.4).
To illustrate our preamble, we use the classical mutual exclu-
sion algorithm of Peterson (Peterson 1981), which requires explicit
synchronisation to be correct on WCMs.
2.1 Algorithm: Design and Speciﬁcations
2.1.1 Writing our running example
We give the code of Peterson’s algorithm in LISA in Fig. 5. The
algorithm uses two shared ﬂags, F1 for the ﬁrst process P0 (resp. F2
for the second process P1), indicating that the process P0 (resp. P1)
wants to enter its critical section. The shared turn T grants priority
to the other process: when T is set to 1 (resp. 2), the priority is given
to P0 (resp. P1).
Let’s look at the process P0: P0 busy-waits before entering its
critical section (see the do instruction at line 3) until (see the while
clause at line 6) the process P1 does not want to enter its critical
section (viz., when F2=false, which in turn means R1=false
thanks to the read at line 4) or if P1 has given priority to P0 by
setting turn T to 1, which in turn means that R2=1 thanks to the
read at line 5.
Sect. 4 details the syntax and semantics of the LISA language.
Annotations We placed a few annotations in our LISA code, to
ensure the unicity of events in invariants and proofs:
• iteration counters: each loop is decorated with an iteration
counter, e.g. i at line 3 for the ﬁrst process and j at line 12:
for the second process. The names (iend at line 6 and jend at 15)
represent the iteration counter when exiting the loop.
• pythia variables: each read, at lines 4 and 5 for the ﬁrst process,
and lines 13 and 14 for the second process, is decorated with
a pythia variable. A read r[] R x at line ℓ in the program,
reading the variable x and placing its result into register R, is
decorated with the pythia variable {❀ xnℓ }, where n is the
iteration counter (for nested loops we record all iteration counters
of all surrounding loops).
2.1.2 Invariant speciﬁcation Sinv
Fig. 6 gives an invariant speciﬁcation of Peterson stating that both
processes may not be simultaneously in their critical sections.
1: {true} 10: {true}
... ...
7: {¬at{16}} 16: {¬at{7}}
... ...
9: {true} 18: {true}
Figure 6: Invariant speciﬁcation Sinv for Peterson’s algorithm
2.2 Communication Speciﬁcation Scom
The next step in our speciﬁcation process consists in stating an in-
variant communication speciﬁcation Scom , expressing which inter-
process communications are allowed for the algorithm A.
2.2.1 Peterson can go wrong under WCMs
Under certain WCMs, such as x86-TSO or any weaker model,
Peterson’s algorithm does not satisfy the mutual exclusion speciﬁc-
ation Sinv of Fig. 6.
To see this, consider Fig. 7a. The plain red arrows rf are an
informal representation of a communication scenario where:
• on process P0, the read at line 4 reads the value that F2 was
initialised to, at line 0, so that R1 contains false. And, the read
at line 5 reads from any write of T, so that R2 contains one of the
values 0, 1, or 2, indifferently.
• on process P1, the read at line 13 reads from the initial value of
F1 so that R3 contains false. The read at line 14 reads from 0,
11, or 2 so that R4 contains 0, 1, or 2, indifferently.
In this situation (which is impossible under SC), both loop exit
conditions can be true so that both processes can be simultaneously
in their critical section, thus invalidating the speciﬁcation Sinv .
Another erroneous behaviour is illustrated in Fig. 7b. The value of
��
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
(a) Incorrect ﬂags
��
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
(b) Incorrect turns
Figure 7: Incorrect executions of Peterson algorithm with WCM
F2 and F1 is indifferent. But process P0 reads T in R2 from the
write 11 so R2=1 while P1 reads T in R4 from the write 2 so R4=2.
In this situation (impossible under SC) the turns are wrong, so that
both processes can be simultaneously in their critical section, again
invalidating the speciﬁcation Sinv .
2.2.2 Communication speciﬁcation Scom
Let us express the communication scenarios depicted in Fig. 7 as
an invariant. We write the pythia triple rf⟨xθ, ℓ, v⟩ to mean that the
read event r = ℓ′: r[] R x {❀ xθ}, or more precisely its unique
pythia variable xθ , takes its value v from evaluating the expression
e of the write event w = ℓ: w[] x e to v (so ⟨w, r⟩ ∈ rf at ℓ and
ℓ′ and xθ = v at ℓ′). (The communication veriﬁcation conditions
will check that ⟨w, r⟩ ∈ rf and the local invariant at ℓ implies
that e = v.) We deﬁne our communication speciﬁcation Scom as
follows:
Scom ≜ ¬[∃i, j.[rf⟨F2i4, 0, false⟩ ∨ rf⟨F2i4, 17, false⟩ (1)
∨ rf⟨Ti5, 11, 1⟩] ∧ [rf⟨F1j13, 0, false⟩
∨ rf⟨F1j13, 8, false⟩ ∨ rf⟨Tj14, 2, 2⟩]]
Scom states the read-froms should yield values in the registers ensur-
ing that both processes may not simultaneously leave their waiting
loops. The scenarios in Fig. 7 are therefore impossible. This en-
sures that both processes cannot be simultaneously in their critical
section.
Therefore, there cannot be two iteration counters i and j such
that:
• The ﬁrst process PO enters its critical section at the ith iteration
of its waiting loop (corresponding to the pythia variables F2i4 and
Ti5) because
either the read at line 4 and ith iteration (corresponding to the
pythia variable F2i4) takes its value, false, from the initialisa-
tion of the variable F2 (in the prelude at line 0) or from the write
to F2 at line 17;
or, the read at line 5 and ith iteration (corresponding to the
pythia variable Ti5) takes its value, 1, from the write at line 11;
• And the second process P1 enters its critical section at the j th
iteration of its waiting loop (corresponding to the pythia variables
F1
j
13 and T
j
14) because
either the read at line 13 and j th iteration (corresponding to the
pythia variable F1j13) takes its value, false, from the initial-
isation of the variable F1 (in the prelude at line 0) or from the
write to F1 at line 8;
or, the read at line 14 and j th iteration (corresponding to the
pythia variable Tj14) takes its value, 2, from the write at line 2.
Scom expresses hypotheses on the communications made by the
threads of the program. Scom is independent from any consistency
models. Scom is the weakest communication invariant since weaken-
ing any of its hypotheses provides a counter-example. Scom belongs
to the abstract domain of invariants.
2.3 Our Proof Method
Recall Fig. 4; given an algorithm A, an invariant speciﬁcation Sinv ,
a communication speciﬁcation Scom , and a WCM M we have to
proveM ⇒ Sinv . Our method is articulated as follows:
1. Conditional invariance proof Scom ⇒ Sinv : we prove that if
the communications occur like prescribed by Scom , then the
processes satisfy the invariant Sinv ;
2. Inclusion proof M ⇒ Scom : we prove that the WCMM guaran-
tees the communication hypotheses made in Scom .
We now detail each proof in turn.
2.3.1 Conditional invariance proof Scom ⇒ Sinv
We have to prove that each process of the algorithm A satisﬁes the
invariant Sinv under the hypothesis Scom ; to do so we:
1. invent a stronger invariant Sind , which is inductive;
2. prove that Sind is indeed inductive, i.e., satisﬁes veriﬁcation
conditions implying that if it is true, it stays true after one step of
computation or a communication that satisﬁes Scom ; effectively
we prove Scom ⇒ Sind .
3. prove that Sind is indeed stronger than Sinv (i.e., Sind ⇒ Sinv );
From Scom ⇒ Sind and Sind ⇒ Sinv we conclude that Scom ⇒ Sinv ,
which was our goal. We now illustrate the correctness proof method
on Peterson.
• An inductive invariant Sind , stronger than Sinv is given in Fig. 8
as local invariants (depicted in blue in curly brackets) for each pro-
gram point of each process. Each local invariant attached to a pro-
gram point can depend on the program state that is on registers
(both the ones local to the process under scrutiny, and from other
processes), pythia variables and, as in (Lamport 1977), on the pro-
gram counter of the other processes. In general the local invari-
ants may also depend on the possible communications rf i.e., which
reads may read their values from which writes (but this is not ne-
cessary in Fig. 8 since the program logic does not restricts in any
way the possible communications as, e.g., would be the case for
unreachable reads or writes).
0: { w F1 false; w F2 false; w T 0; }
{F1=false ∧ F2=false ∧ T=0} }
1: {R1=0 ∧ R2=0} 10: {R3=0 ∧ R4=0}
w[] F1 true w[] F2 true;
2: {R1=0 ∧ R2=0} 11: {R3=0 ∧ R4=0}
w[] T 2 w[] T 1;
3: {R1=0 ∧ R2=0} 12: {R3=0 ∧ R4=0}
do {i} do {j}
4: {(i=0 ∧ R1=0 ∧ R2=0) ∨
(i>0 ∧ R1=F2i−14 ∧ R2=T
i−1
5 )}
13: {(j=0 ∧ R3=0 ∧ R4=0) ∨
(j>0 ∧ R3=F1j−113 ∧ R4=T
j−1
14 )}
r[] R1 F2 {❀ F2i4} r[] R3 F1 {❀ F1j13};
5: {R1=F2i4 ∧ (i=0 ∧ R2=0) ∨
(i>0 ∧ R2=Ti−15 )}
14: {R3=F1j13 ∧ (j=0 ∧ R4=0) ∨
(j>0 ∧ R4=Tj−114 )}
r[] R2 T {❀ Ti5} r[] R4 T; {❀ Tj14}
6: {R1=F2i4 ∧ R2=Ti5} 15: {R3=F1j13 ∧ R4=T
j
14)}
while R1 ∧ R2̸=1 {iend} while R3 ∧ R4̸=2 {jend} ;
7: {¬F2iend4 ∨ T
iend
5 =1} 16: {¬F1
jend
13 ∨ T
jend
14 =2}
skip (* CS1 *) skip (* CS2 *)
8: {¬F2iend4 ∨ T
iend
5 =1} 17: {¬F1
jend
13 ∨ T
jend
14 =2}
w[] F1 false w[] F2 false;
9: {¬F2iend4 ∨ T
iend
5 =1} 18: {¬F1
jend
13 ∨ T
jend
14 =2}
Figure 8: (Anarchic) invariants of Peterson algorithm
Following (Lamport 1977), we use program counters so we do
not need (Owicki and Gries 1976)’s shared auxiliary variables. The
equivalence proof of (Cousot and Cousot 1980) shows that the aux-
iliary variables in (Owicki and Gries 1976) can always be chosen
as local variables (i.e., registers in LISA) simulating program coun-
ters. This proof easily generalises to the WCM anarchic semantics.
So we avoid the problem that “OG’s auxiliary variables, in general,
are unsound under weak memory because they can be used to re-
cord the exact thread interleavings and establish completeness un-
der SC” (Lahav and Vafeiadis 2015). Our solution, using program
counters or auxiliary registers is both sound and (relatively) com-
plete, and simpler and more general that the ghost states of (Lahav
and Vafeiadis 2015; Jung et al. 2016).
• Sind is inductive under the hypothesis Scom is decomposed into
an initialisation proof that the entry invariant is true, a sequential
proof that the invariants hold when executing one process sequen-
tially, a non-interference proof when running processes concur-
rently, and ﬁnally a communication proof.
The novelty of our approach is in the communication proof.
We must prove that if an invariant is true at some process point
ℓ of a process p and a read for xθ is performed then the value
received into xθ is that of a matching write. Of course only the
communications allowed by the communication invariant Scom and
all of them have to be taken into account.
For Peterson, the invariants do not say anything on the value
assigned to the pythia variables so that the invariants are true for
any value carried by the pythia variables. More precisely, the read
at line 4 can read from the writes at line 0, 10 or 17. The invariant
at line 4 does not make any distinction on these cases and just states
that some value F2i4 has been read and assigned to R1. Similarly the
read of T at line 5 can read from the writes at line 0, 2, or 11 and
the invariant just states that some value Ti5 is read and assigned to
R2.
The invariant of Fig. 8 holds for the anarchic semantics since no
hypothesis is made on communications rf and therefore no possible
communication has been forgotten.
• Sind is stronger than Sinv under the hypothesis Scom ; On the
Peterson example, the invariance proof does not make any use
of the communication hypothesis Scom . It is however used in the
mutual exclusion proof, that Sind is stronger than Sinv . We prove
that (Scom ∧ Sind ) ⇒ Sinv or equivalently (Sind ∧ ¬Sinv ) ⇒ ¬Scom ,
as follows:
at 7 ∧ at 16 ∧ Sind
⇒ (¬F2iend4 ∨ Tiend5 = 1) ∧ (¬F1jend13 ∨ Tjend14 = 2)}
�i.e., the invariant Sind holds at lines 7 and 16�
⇒ ¬Scom �since by taking i = iend and j = jend, we have
(F2i4 = false ∨ Ti5 = 1) ∧ (F1j13 = false ∨ Tj14 = 2)�
Note that this calculation of Scom from the speciﬁcation Sinv and
the anarchic inductive invariant Sind provides a formal method to
discover Scom by calculational design. Scom is sufﬁcient but also ne-
cessary, hence the weakest communication hypothesis, since for
each possible case of communication excluded by Scom , it is pos-
sible to ﬁnd a counter-example execution of Peterson violating mu-
tual exclusion (see Fig. 7 and 10).
2.3.2 WCM speciﬁcation Hcom
We have proved Scom ⇒ Sinv . To ensure that Sinv holds in the
context of the consistency model M , we must prove M ⇒ Scom
i.e., that all the behaviours allowed by M are allowed by Scom . In
general we have to consider several WCMs M = Mi, i ∈ [0, n].
To factorize the proofs ∀i ∈ [1, n] . Mi ⇒ Scom , we look for a
(preferably weakest else minimal) consistency speciﬁcation Hcom
that encompasses our speciﬁcation Scom . We prove Hcom ⇒ Scom
and then ∀i ∈ [1, n] . Mi ⇒ Hcom which are the only bits of proof
that must be adapted when considering different models.
2.3.3 Inclusion proof Hcom ⇒ Scom
As illustrated in Fig. 9, the WCMs Hcom andMi, i ∈ [1, n] belong
to the domain of consistency speciﬁcations (e.g. candidate execu-
tions for cat) while Scom belongs to the different domain of invari-
ants. The proof Hcom ⇒ Scom must therefore be done in the most
→α�
←−−−γ�
→αΞ
←−γΞ
Set of candidate executions domain
Set of executions domain
Invariant domain
Figure 9: Hierarchy of abstractions
abstract domain more concrete than both of these domains, which
is the semantic domain of sets of executions. The same way that we
derived Scom from the program speciﬁcation ¬Sinv , we derive Hcom
from the communication speciﬁcation ¬Scom . This is an abstrac-
tion since e.g. in cat shared variable names and their values are
abstracted away. So, in general, Hcom will allow less behaviors that
Scom and theMi less that Hcom . The proof Hcom ⇒ Scom proceeds as
follows:
• we build the communication scenarios corresponding to the py-
thia triples given in the communication speciﬁcation ¬Scom from
an anarchic invariant Sainv ;
• we write a consistency speciﬁcationHcom (e.g. in cat) which will
forbid each of these communication scenarios.
We illustrate the proof method with Peterson’s algorithm of Fig. 5
using Scom in (1) of Sect. 2.2.2, Sainv in Fig. 8, and the consistency
speciﬁcation language cat which requires reasoning on candidate
executions (see Sect. 11).
• Building the communication scenarios corresponding to the
pythia triples for cat requires us building several candidate execu-
tions involving relations between accesses (i.e., read/write events)
as follows (we illustrate on case 1 of Fig. 10).
• read-from rf: for each pythia triple, we depict the read-from
relation rf in red; for example for rf⟨F2i4, 0, false⟩, we create
a read-from relation between the initial write of false to the
variable F2 at line 0 and the read of F2 from line 4, at the ith
iteration.
• program order po: we also depict the program order edges
between the accesses which are either the source or the target
of a communication edge (viz., read-from and coherence). In
case 1 of Fig. 10, the po edges in purple are between the lines 1
and 4 on process P0, and lines 10 and 13 on process P0. po is
irreﬂexive and transitive (not represented on Fig. 10).
The cat speciﬁcation introduces additional relations between
events.
• the coherence co (deﬁned as with co from AllCo): we depict
the coherence edges co relative to the variables that are men-
tioned by the pythia triples, in our case F1, F2 and T: see in case
1 of Fig. 10 the co edge in blue between the write of F1 in the
prelude at line 0 and the write of F1 at line 1.
• the from-read fr (deﬁned as fr = rf−1;co): we depict in brown
the edges from a read relative to a variable x that is mentioned by
the pythia triples to all the writes to x coming after the write read
by this read; For example in case 1 of Fig. 10 where the read r[]
R1 F2 of F2 at line 4 is from the initial write 0: w[] F2 0 and
the fr relation shows that write 10:w[] F2 true comes later.
Moreover, we depict relations that might not be directly expressible
in cat such as in cases 6 and 7 of Fig. 10:
• the cut relations linking events in different processes that may
appear on the same cut during a program execution.
rf co
po
co
fr
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
po
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
rf po
co fr
4 fr 10 po 13 fr 1 po 4
case 1: 0:F2,0:F1
14 fr 11 po 14
case 2a: 0:F2,1:F1 (2 co 11)
rf co po
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: f[p0] (* CS1 *) 16: f[p1] (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
co
frpo
fr
co
po
co
rf
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
po
11 co 2 po 4 fr 10 po 11
case 2b: 0:F2,1:F1 (11 co 2)
2 co 11 po 13 fr 1 po 2
case 3a: 10:F2,0:F1 (2 co 11)
rf
po co
fr
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
rf po
co fr
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
5 fr 2 po 5
case 3b: 10:F2,0:F1 (11 co 2)
14 fr 11 po 14
case 4a: 10:F2,1:F1 (2 co 11)
rfpo
cofr
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
�� ��
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
5 fr 2 po 5
case 4b: 10:F2,1:F1 (11 co 2)
4 po 8 rf 13 po 17 rf 4
case 5: 17:F2,8:F1
rf
po
cut
po
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
��
cut po
po
0:{ w F1 false; w F2 false; w T 0; }
P0: P1:
1:w[] F1 true 10:w[] F2 true;
2:w[] T 2 11:w[] T 1;
3:do 12:do
4: r[] R1 F2 13: r[] R3 F1;
5: r[] R2 T 14: r[] R4 T;
6:while R1 ∧ R2 ̸= 1 15:while R3 ∧ R4 ̸= 2;
7: (* CS1 *) 16: (* CS2 *)
8:w[] F1 false 17:w[] F2 false;
No prophecy beyond cuts
case 6: 8:F1
No prophecy beyond cuts
case 7: 17:F2
Figure 10: Communication scenarios violating Scom for Peterson
In Fig. 10, each case has a reason written underneath for being
rejected. This is for example a reﬂexive sequence that our cat
speciﬁcation Hcom will forbid. Before detailing how we write Hcom
in cat, we give a glimpse of the cat language.
• The cat language (Alglave et al. 2016) is a domain speciﬁc
language to describe consistency models succinctly by constraining
an abstraction of program executions into a candidate execution ⟨e,
po, rf, IW⟩ providing
• events e , giving a semantics to instructions; Events e are parti-
tionned into the set W of writes (including initial writes IW), the
set R of reads, F of fences, B of tests;
• the program order po, relating accesses in their order of execution
(which is the program order in the original LISA program);
• the read-from rf describing a communication between a write
and a read event;
The language provides additional basic built-in semantics bricks:
• the relation loc relating events accessing the same variable;
• the relation ext relating events from different processes;
• operators over relations, such as intersection &, union |, inverse
of a relation ^-1, sequence of relations ;, transitive closure +,
cartesian product *, set difference \.
The cat user can deﬁne new relations using let or with...from...,
and declare constraints over relations r, such irreflexive r and
acyclic r (i.e., irreflexive r+).
• Sequential consistency in cat. Fig. 11 gives a deﬁnition of
Sequential Consistency (SC) in cat. The intuition is that if e1 po
acyclic po | rf | co | fr as sc
Figure 11: SC in cat
e2 then event e1 should appear on a cut before that of e2 (since
instructions are executed in program order), if w rf r then the write
eventw should appear on a cut before that of the read event r (since
it is only possible to read from past writes), if w co w′ then the
write event w should appear on a cut before that of the write event
w′ (since the write events hit the shared memory in the coherence
order co), and if r fr w then the write event w should appear on a
cut after that of the read event r (since otherwise the read event r
has not read from the last write). If the events do not appear in this
prescribed order, there will be a cycle in the disjunction of these
relations, which is disallowed by acyclic.
Lamport SC (Lamport 1979) is deﬁned by imposing that cuts
on anarchic executions (see Fig. 2) must satisfy the requirements
illustrated in Fig. 12 that is (12a) no read on a cut can read from
a write on a later cut and (12b) a read on a cut from a write on
a previous cut must be from the last previous cut with such a
write. Theorem SC is SC (Alglave 2010, 2012, Th. 3) shows that
rf
w
r
✗
✓
w
rf
(no prophecy)
this and (always
(a) No prophecy beyond cuts
r ✓
rf
w
w
✗
rf
(always last)
(b) Read from last write
Figure 12: Lamport SC
Lamport’s SC implies SC by cat. However, there can be executions
with cuts deﬁned by SC by cat that is disallowed by Lamport’s SC.
An example is case 7 in Fig. 10 where executing P1 and next P0 is
accepted in both cases while entering simultaneously both critical
sections is forbidden by Lamport’s SC but allowed by SC by cat
(the reason being that in both cases terminated executions have the
same abstraction as candidate executions).
• Deﬁning the consistency speciﬁcation Hcom . For each case in
Fig. 10, we forbid a reﬂexive sequence. In cat, the speciﬁcation
given in Fig. 13.
• Proving that all the behaviours allowed by Hcom are allowed by
Scom is done contrapositively i.e., ¬Scom ⇒ ¬Hcom . By ¬Scom in
(1), we get ∃i, j . [rf⟨F2i4, 0, false⟩ ∨ rf⟨F2i4, 17, false⟩ ∨ rf⟨Ti5, 11,
1⟩] ∧ [rf⟨F1j13, 0, false⟩ ∨ rf⟨F1
j
13, 8, false⟩ ∨ rf⟨T
j
14, 2, 2⟩]] which
we put in disjunctive normal form and give the cases illustrated in
Fig. 10, thus proving ¬Hcom .
irreflexive fr; po; fr; po
irreflexive fr; po
irreflexive co; po; fr; po
irreflexive rf; po; rf; po
and there are no prophecies on cuts.
Figure 13: A possible speciﬁcation Hcom of Peterson algorithm
2.3.4 Consistency proofM ⇒ Hcom
Proving that all the behaviours allowed by M = Mi, i ∈ [1, n]
are allowed by Hcom is done by reductio ad absurdum in the se-
mantic domain of the consistency speciﬁcation language (e.g. can-
didate executions for cat). Suppose an execution of Peterson that
is forbidden by Hcom yet allowed by M . By deﬁnition of Hcom in
Fig. 13, there are 5 cases. Each of these cases may be forbidden by
the WCMM (e.g. SC) or prevented by adding fences (e.g. TSO).
• When M is SC. In cat speak, SC is modelled as given in
Fig. 11. Now, all 4 sequences required to be irreﬂexive by Hcom
are included in the transitive closure of po | rf | co | fr, and
rejected on SC. Moreover, Lamport’s SC has no prophecies on cuts,
thus excluding cases 6 and 7 in Fig. 10.
• Adding labelised fences (in case of no prophecy beyond cuts).
Some WCMs (like those weaker than TSO) authorize the reorder-
ing of write and read events on different shared variables against
the program order po. In this case, the restrictions ofHcom in Fig. 13
are not satisﬁed and Peterson is incorrect. In the case where there
are no prophecies on cuts, the solution is to add labelised fences as
shown in Fig. 14.
P0 | P1 ;
f[br] {1} {2} | f[br] {10} {11};
f[br] {2} {4} | f[br] {11} {13};
(which can be placed anywhere in the process, e.g. before
the second label). The speciﬁcation of the fence is
let fre = (rf^-1 ; co) & ext
let rfe = rf & ext
let fence = fromto(tag2events(’br))
irreflexive fre;fence;fre;fence
irreflexive rfe;fence;rfe;fence
irreflexive co;fence;fre;fence
Figure 14: Labelised fences for Peterson
In the invariance proof, fences are skip so the proof is unchanged.
The fence semantics must be deﬁned by a cat speciﬁcation (F is the
set of fence events) andHcom strengthened as shown in Fig. 14. This
implies the consistency speciﬁcation ofHcom for Peterson algorithm
in Fig. 13 since fence ⊆ po.
• When M is TSO. In cat speak, TSO is modeled as given in
Fig. 15 (omiting the no-prophecy beyond cuts satisﬁed by TSO).
The difference with SC in Fig. 11 is that w po r is required if the
let po-loc = po & loc
acyclic po-loc | rf | co | fr as scpv
let ppo = po \ (W*R)
acyclic ppo | rfe | co | fr as tso
Figure 15: TSO in cat
write event w and the read event r refer to the same variable (as
required by scpv, see the intersection with the relation loc). Else,
it is not required on different variables as shown by tso (using the
relation ppo (for preserved program order) as the program order
po relieved from (see the setminus operator \) the write-read pairs
(W*R)).
Thus certain executions forbidden by our speciﬁcation Hcom of
Peterson (see Fig. 13) will not be forbidden by the TSO model
given in Fig. 15. Indeed all the executions that contain a sequence
fr; po; fr; po forbidden by our speciﬁcation of Peterson in-
volves a pair write-read in program order. These write-read pairs
are explicitly removed from the tso acyclicity check of Fig. 15,
thus will not contribute to executions forbidden by the model. It
is therefore necessary to implement the fences of Fig. 14. The ﬁrst
one between {1}/{2} and {10}/{11} is implemented naturally in
TSO since write-write pairs cannot be reordered with respect to po.
The second labelised fence between 2/4 and 11/13 can be imple-
mented by mfence in x86.
• In presence of prophecy beyond cuts, e.g. in LISA, implement-
ing a spinlock where the busy waiting can anticipate the lock re-
lease is incorrect. So we introduce a synchronisation marker at the
beginning of both critical sections, as shown in Fig. 16, to prevent
such prophecies beyond cuts.
P0 | P1 ;
f[cut] (* CS1 *) | f[cut] (* CS2 *);
The speciﬁcation of the synchronisation marker is (see Fig. 12a)
let cut = (tag2events(’cut) * tag2events(’cut)) & ext
irreflexive rf; po; cut; po
Figure 16: Anti-prophecy synchronisation markers for Peterson
3. Related Works on Invariance Proof for WCM
Contrary to our approach, previous attempts to generalise the
(Owicki and Gries 1976) invariance proof method from SC to
WCM are not parameterised by a formal speciﬁcation of the WCM.
Our formal speciﬁcation of the WCM parameter takes the form
of program-speciﬁc programmer-speciﬁed communication asser-
tion Scom shown to be implied by a program-speciﬁc programmer-
speciﬁed consistency speciﬁcation Hcom (e.g. in cat) itself implied
by an architectural consistency speciﬁcation M (e.g. (Shasha and
Snir 1988; Alglave 2010; Alglave et al. 2016)). These constraints
Scom hence Hcom are on communications only, in contrast to con-
straints on the execution order and the visibility of writes (Crary
and Sullivan 2015) or the ordering between commands of (Bornat
et al. 2015).
Our invariance proof method deals with WCMs without getting
back to the world of SC. This is in contrast to previous methods
exposing the store buffers in the program states (e.g. (Dan et al.
2015)) or explicitly considering all possible reshufﬂes e.g. by pro-
gram transformation (e.g. (Atig et al. 2011; Alglave et al. 2013;
Mine´ 2012)).
In the classical (Turing 1949; Naur 1966; Floyd 1967; Hoare
1969) invariance proof method, (shared) variable names are used
in proofs to denote the value of the program variables. This is a
severe restriction for previous invariance proof methods since in
WCM there is no notion of global time hence of “the” instantaneous
value of a shared variable. We solve the problem using pythia
variables, based on the idea that the value of a shared variable
is locally known when a read is satisﬁed. Pythia variables are
loosely akin to the “fresh variables” used in the semantics and
implementation of Prolog (Cousot et al. 2009). They differ from
ghost variables used for behavior-preserving instrumentation of
program with non-physical resources and from prophecy variables
for backward reasonings (Abadi and Lamport 1991; Cousot 1981).
They are used in the herd7 tool (Alglave and Maranget 2015).
The literature sticks to SC with communicated value naming
by shared variable names through restrictions on the considered al-
gorithm, programming language, assertion, and/or memory model.
Speciﬁc restrictions on the considered algorithm are concurrent
stacks (Dodds et al. 2015), Read-Copy-Update (RCU) implement-
ation of linked lists (Tassarotti et al. 2015)).
Speciﬁc restrictions on the considered programming language
with a speciﬁc memory model include ARMmachine-code (Myreen
et al. 2007; Myreen and Gordon 2007)) or a speciﬁc programming
discipline such as data-race-free programs for causal memory (e.g.
(Ahamad et al. 1995; Owens 2010)), total store order with store
buffer forwarding (e.g. (Cohen and Schirmer 2010)), or coherent
causal memory (e.g. (Cohen 2014)).
Speciﬁc restrictions on the considered assertions mostly involve
some form of abstraction (Dinsdale-Young et al. 2010; Batty et al.
2013).
Finally, the most common restriction is on the considered spe-
ciﬁc WCM (e.g. the release-acquire fragment of the C11 memory
model (Norris and Demsky 2013; Vafeiadis and Narayan 2013;
Turon et al. 2014; Lahav and Vafeiadis 2015; Tassarotti et al.
2015; Doko and Vafeiadis 2016; Lahav et al. 2016) ((Turon et al.
2014) “also considers isolation / ownership transfer properties”),
TSO/PSO/RMO in (Burckhardt and Musuvathi 2008; Atig et al.
2010; Wehrman and Berdine 2011; Sieczkowski et al. 2015), the
Java Memory Model in (Klebanov 2004), a hierarchical memory
model in (Barthe et al. 2008), causal consistency in (Gotsman et al.
2016; Najafzadeh et al. 2016), the “relaxed” memory model in
(Burckhardt et al. 2006, 2007), the RMC memory model in (Crary
and Sullivan 2015), etc.).
We don’t have any of the above restrictions since the WCM is
a parameter of our proof method and deﬁnes the communication
relation rf explicily appearing in invariants.
4. The LISA Language and its Analytic Semantics
We present here the LISA language (Litmus Instruction Set Archi-
tecture) (Alglave and Cousot 2016). Its vocation is purely pedago-
gical at the moment, with an ambition to be quite minimal. It is
supported by the herd7 tool (Alglave and Maranget 2015). To il-
lustrate this section we will use Peterson’s algorithm in Fig. 5.
4.1 Syntax
LISA programs P = {Pstart}�P0∥. . . ∥Pn−1� on shared variables
x ∈ loc�P� contain:
• a prelude Pstart assigning initial values to shared variables (0
(false) by default). In the case of Peterson algorithm in Fig. 5,
the prelude at line 0 assigns the value false to both variables F1
and F2, and the value 0 to T.
• processes P0 . . .Pn−1 in parallel; each process:
has an identiﬁer p ∈ Pi�P� ≜ [0, n[; in the case of Peterson we
have used P0 for the ﬁrst process (on the left) and P1 for the
second process (on the right);
has local registers (e.g. R0, R1); registers are assumed to be
different from one process to the next; if not we make them
different by afﬁxing the process identiﬁer like so: (p:R));
is a sequence of instructions.
Instructions can be:
• register instructions mov R1 operation, where the operation has
the shape op R2 r-value:
the operator op is arithmetic (e.g. add, sub, mult) or boolean
(e.g. eq, neq, gt, ge);
R1 and R2 are local registers;
r-value is either a local register or a constant;
• read instructions r[ts] R x initiate the reading of the value of the
shared variable x and write it into the local register R;
• write instructions w[ts] x e initiate the writing of the value of the
register expression e into the shared variable x;
• branch instructions b[ts] operation lt branch to label lt if the
operation has value true and go on in sequence otherwise;
• fence instructions f[ts]
[{l01 . . . lm1 } {l02 . . . lq2} ]. The optional
sets of labels {l01 . . . lm1 } and {l02 . . . lq2} indicate that the fence
f[] only applies between instructions in the ﬁrst set and instruc-
tions in the second set. The semantics of the fence f[] as applied
to the instructions at l01, . . . , or lm1 and l02, . . . , l
q
2, is to be deﬁned
in a cat speciﬁcation;
• read-modify-write instructions (RMW) rmw[ts] R (reg-instrs) x
reads shared variable x into local register R, the register instruc-
tions reg-instrs are executed, and R is written back to x. Any
semantics requirement on RMWs, such as the fact that there can
be no intervening write to x between the read and the write of the
RMW, has to be ensured by a cat speciﬁcation.
Instructions can be labelled (i.e., be preceded by a control label
ℓ) to be referred to in branches or fences for example. Labels
are unique; if not we make them different by afﬁxing the process
identiﬁer like so: p:l . instr�P�pℓ is the instruction at label ℓ ∈ L(p)
of process p of program P. Moreover, instructions can bear tags ts
(to model for example C++ release and acquire annotations).
4.2 Anarchic Semantics
4.2.1 Executions
The anarchic semantics of a parallel program is a set of executions;
an execution has the form ξ = ς × π × rf ∈ Ξ , where ς is the
computation, π is the cut sequence, and rf is the communication
part. An example is given in Fig. 2.
Communications are relations rf, which gather read-from pairs
rf [w, r] linking a (possibly initial) write event w and a read event
r relative to the same shared variable x with the same value. Com-
munications are anarchic: we place no restriction on which write a
read can read from; restrictions can be made in a WCM speciﬁca-
tion however.
Computations have the form ς = τstart × ∏p∈Pi τp, where τstart
is an execution trace of the prelude process, and τp are execution
traces of the processes p ∈ Pi. A ﬁnite (resp. inﬁnite) non-empty
trace τp, p ∈ Pi ∪ {start} is a ﬁnite (resp. inﬁnite) sequence
τp = ⟨ τpk−−−−→ τp
k
| k ∈ [0, 1 +m[⟩ ∈ Tr
of computation steps
τpk−−−−→ τp
k
(with τpk an event and τpk the
next state—see below for the deﬁnitions of event and state) such
that τp0 = ϵstart is the start event (not represented in Fig. 2),
|τp| ≜ m ∈ N∗ for ﬁnite traces and |τp| ≜ m = ω = 1 + ω
for inﬁnite traces where ω is the ﬁrst inﬁnite limit ordinal so that
[0, 1 + ω[ = [0,ω[ = N. Abstracting away the cut sequence
π, we get a true parallelism semantics since there is a notion of
local time in each trace τp, p ∈ Pi ∪ {start} of an execution ξ =
τstart ×∏p∈Pi τp × rf but no global time, since it is impossible to
state that an event of a process happens before or after an event of
another process or when communications in rf do happen.
Events indicate several things:
• their nature, e.g. read (r), write (w), branch (b), fence (f), etc.;
• the identiﬁer p of the process that they come from;
• the control label ℓ of the instruction that they come from;
• the instruction that they come from—which gives the shared
variables and local registers affected by the event, if any, e.g. x
and R in the case of a read r[ts] R x;
• their stamp θ ∈ T(p); they ensure that events in a trace are
unique. In our examples, stamps gather the control label and it-
eration counters of all surrounding loops, but this is not man-
datory: all we need is for events to be uniquely stamped. Dif-
ferent processes have non-comparable stamps. Stamps are totally
ordered per process by ✁p (which is irreﬂexive and transitive,
while events on different processes are different and incompar-
able). The successor function succp is s.t. θ ✁p succp(θ) (but
not necessarily the immediate successor); infp is a minimal stamp
for process p. We consider executions up to the isomorphic order-
preserving renaming ∼= of stamps;
• their value v ∈ D, whether ground or symbolic (for writes. as in
symbolic execution). To identify the ground or symbolic values
that are communicated in invariants, we use pythia variables
P(p) ≜ {xθ | x ∈ X ∧ θ ∈ T(p)} (note that the uniqueness
of stamps on traces ensures the uniqueness of pythia variables
for reads). More precisely, traditional methods such as Lamport’s
and Owicki-Gries’ name x the value of the shared variable x, but
we cannot use the same idea in the context of weak consistency
models. Instead we name xθ the value of shared variable x read
at local time θ.
The events τp on a trace τp of process p are as follows (e.g.
Fig. 10):
• register events: a(⟨p, ℓ, mov R1 operation, θ⟩, v);
• read events: r(⟨p, ℓ, r[ts] R1 x, θ⟩, xθ));
• write events: w(⟨p, ℓ, w[ts] x r-value, θ⟩, v);
• branch events are of two kinds:
t(⟨p, ℓ, b[ts] operation lt, θ⟩) for the true branch;
t(⟨p, ℓ, b[ts] operation lt, θ⟩) for the false branch;
• fence events: m(⟨p, ℓ, f[ts]
[{l01 . . . lm1 } {l02 . . . lq2}], θ⟩);• RMW events are of two kinds:
begin event: m(⟨p, ℓ, beginrmw[ts] x, θ⟩);
end event: m(⟨p, ℓ, endrmw[ts] x, θ⟩)
States σ = s⟨ℓ, θ, ρ, ν⟩ of a process p mention:
• ℓ, the current control label of process p (we have done�P�(p)ℓ
which is true if and only if ℓ is the last label of process p which
is reached when process p does terminate);
• θ is the stamp of the state in process p;
• ρ is an environment mapping the local registers R of process p to
their ground or symbolic value ρ(R);
• ν is a valuation mapping the pythia variables xθ ∈ P(p) of
a process p to their ground or symbolic value ν(xθ). This is a
partial map since the pythia variables (i.e., the domain dom(ν)
of the valuation ν) augment as communications unravel. Values
can be ground, or symbolic expressions over pythia variables.
The prelude process has no state (represented by •).
Sequence of cuts A cut of a computation ς = τstart × ∏p∈Pi τp
is a tuple
∏
p∈Pi⟨τpk, τpk⟩ of pairs of events and states of traceτp, p ∈ Pi. A cut records the point each process has reached
in its computation. A well-formed sequence of cuts records an
interleaving of computation steps.
4.2.2 Well-formedness conditions
We specify our anarchic semantics by the means of well-formedness
conditions over executions ξ = ς × π × rf ∈ Ξ .
Conditions over computations ς= τstart×∏p∈Pi τp are as follows:
• Start: traces τ must all start with a unique fake start event ϵstart:
τ0 = ϵstart ∧ ∀i ∈ ]0, 1 + |τ |[ . τ i ̸= ϵstart . Wf 2(ξ)
• Uniqueness: the stamps of events must be unique:
∀p q ∈ Pi ∪ {start} . ∀i ∈ [0, 1 + |τp|[ . ∀j ∈ [0, 1 + |τq|[ .
(p = q ⇒ i ̸= j)⇒ stamp(τpi) ̸= stamp(τqj) . Wf 3(ξ)
It immediately follows that events of a trace are unique, and the
pythia variable xθ in any read r(⟨p, ℓ, r := x, θ⟩, xθ) is unique.
• Initialisation: all shared variables x are initialised once and only
once to a value vx in the prelude (or to vx = 0 by default).
∃τ0 τ1 . τstart = τ0 (w(⟨start, ℓstart, x := e, θ⟩, vx)) τ1 ∧
∀τ0 τ1 τ2 . (τstart = τ0 ϵ−−→στ1w(⟨start, ℓ, x := e, θ⟩, vx) τ2)
⇒ (ϵ ∈W(start, y) ∧ y ̸= x) . Wf 4(ξ)
• Maximality: a ﬁnite trace τp of a process p must be maximal
i.e., must describe a process whose execution is ﬁnished. Note
that inﬁnite traces are maximal by deﬁnition, hence need not be
included in the following maximality condition:
∃ ℓ θ ρ ν . τp|τ | = s⟨ℓ, θ, ρ, ν⟩ ∧ done�P�(p)ℓ Wf 5(ξ)
i.e., the control state of the last state of the trace is at the end of
the process, as indicated by done�P�(p)ℓ.
Conditions over the cut sequence π of a computation ς = τstart ×∏
p∈Pi τp are as follows:
• Start: The initial cut is π0 =
∏
p∈Pi
⟨τp0, τp0⟩ Wf 6(ξ)
• Step: But for the ﬁnal cut, if any, the next cut follows from a
computation step. If πi =
∏
p∈Pi
⟨τpki,p , τpki,p⟩ ∧ ∃q ∈ Pi .
ki,q < |τq| then ∃q ∈ Pi such that ki,q + 1 ⩽ |τq| and
πi+1 =
∏
p∈Pi\{q}
⟨τpki,p , τpki,p⟩× ⟨τqki,q+1, τqki,q+1⟩ Wf 7(ξ)
Conditions over the communications rf are as follows:
• Satisfaction: a read event has at least one corresponding commu-
nication in rf:
∀i ∈ ]0, 1 + |τp|[ . ∀r . (τpi = r)⇒ (∃w . rf [w, r] ∈ rf) .
Wf 8(ξ)
• Singleness: a read event in the trace τp must have at most one
corresponding communication in rf:
∀r w w′ . (rf [w, r] ∈ rf ∧ rf [w′, r] ∈ rf) ⇒ (w = w′) .
Wf 9(ξ)
Note however that a read instruction can be repeated in a program
loop and may give rise to several executions of this instruction,
each recorded by a unique read event.
• Match: if a read reads from a write, then the variables read and
written must be the same:
(rf [w(⟨p, ℓ, x := r, θ⟩, v), r(⟨p′, ℓ′, r′ := x′, θ′⟩, x′θ)] ∈ rf)
⇒ (x = x′) . Wf 10(ξ)
• Inception: no communication is possible without the occurrence
of both the read and (maybe initial) write it involves:
∀r w.(rf [w, r] ∈ rf) ⇒ (∃p ∈ Pi, q ∈ Pi ∪ {start}. Wf 11(ξ)
∃j ∈ [0, 1 + |τp|[ . ∃k ∈ [0, 1 + |τq|[ . τpj = r ∧ τqk = w) .
Note that this does not prevent a read to read from a future write.
Language-dependent conditions for LISA are as follows:
• Start: the initial state of a trace τp should be of the form:
τp
0
= s⟨l0p, infp, λ R . 0, ∅⟩ Wf 12(ξ)
where l0p is the entry label of process p and infp is a minimal
stamp of p.
• Next state: if at point k of a trace τp of process p of an execu-
tion ξ = τstart ×∏p∈Pi τp × π × rf the computation is in state
τp
k−1 = s⟨ℓ, θ, ρ, ν⟩ then:
the next event must be generated by the instruction instr ≜
instr�P�pℓ at label ℓ of process p
the next event has the form τpk = e⟨⟨p, ℓ, instr, θ⟩, xθ, v⟩
the next state τp
k
= s⟨κ′, θ′, ρ′, ν′⟩ has κ′ = ℓ′ which is the
label after the instruction instr
the stamp θ′ = succp(θ) is larger, and
the value v as well as the new environment ρ′ and valuation ν′
are computed as a function of the previous environment ρ, the
valuation ν, and the execution ξ.
Formally: ∀k ∈ ]0, 1 + |τp|[ . ∀κ′ ρ ρ′ ν ν′ θ θ′ .
(τp
k−1 = s⟨ℓ, θ, ρ, ν⟩ ∧ τpk = e⟨⟨p, ℓ, instr, θ⟩, xθ, v⟩ ∧
τp
k
= s⟨κ′, θ′, ρ′, ν′⟩) ⇒ (κ′ = ℓ′ ∧ θ′ = succp(θ) ∧
v = v(ρ) ∧ ρ′ = ρ(v, ρ) ∧ ν(v, ρ, ν, ξ, ν′)) .
We give the form of the next event τpk for each LISA instruction:
• Fence (instr = ℓ : f[ts]
[{l01 . . . lm1 } {l02 . . . lq2}]; ℓ′ : . . .):
τpk = m(⟨p, ℓ, f[ts]
[{l01 . . . lm1 } {l02 . . . lq2}], θ⟩)
(ρ′ = ρ ∧ ν′ = ν) . Wf 13(ξ)
• Register instruction (instr = ℓ : mov R1 operation; ℓ′ : . . .):
τpk = a(⟨p, ℓ, mov R1 operation, θ⟩, v) Wf 14(ξ)
(v = E�operation�(ρ, ν) ∧ ρ′ = ρ[R1 := v] ∧ ν′ = ν) .
where E�e�(ρ, ν) is the evaluation of the expression e in the
environment ρ and valuation ν.
• Write (instr = ℓ : w[ts] x r-value; ℓ′ : . . .):
τpk = w(⟨p, ℓ, w[ts] x r-value, θ⟩, v) Wf 15(ξ)
(v = E�r-value�(ρ, ν) ∧ ρ = ρ′ ∧ ν′ = ν) .
• Read (instr = ℓ : r[ts] R1 x; ℓ′ : . . .):
τpk = r(⟨p, ℓ, r[ts] R1 x, θ⟩, xθ) Wf 16(ξ)
(ρ′ = ρ[R1 := xθ] ∧ ∃q ∈ Pi ∪ {start} . ∃!j ∈ [1, 1 + |τq|[ .
∃ℓ′′, θ′′, v . (τqj = w(⟨q, ℓ′′, w[ts] x r-value, θ′′⟩, v) ∧
rf [τqj , τpk] ∈ rf ∧ ν′ = ν[xθ := v])) .
• RMW (instr = rmw[ts] r (reg-instrs) x ): for the begin (instr =
beginrmw[ts] x) and end event (instr = endrmw[ts] x):
τpk = m(⟨p, ℓ, instr, θ⟩) Wf 17(ξ)
(ρ′ = ρ ∧ ν′ = ν) .
• Test (instr = ℓ : b[ts] operation lt; ℓ′ : . . .):
on the true branch:
τpk = t(⟨p, ℓ, b[ts] operation lt, θ⟩) Wf 18t(ξ)
(sat(E�operation�(ρ, ν) ̸= 0) ∧ κ′ = lt ∧ ρ′ = ρ ∧ ν′ = ν)
on the false branch:
τpk = t(⟨p, ℓ, b[ts] operation lt, θ⟩) Wf 18f (ξ)
(sat(E�operation�(ρ, ν) = 0) ∧ κ′ = ℓ′ ∧ ρ′ = ρ ∧ ν′ = ν)
4.2.3 Anarchic semantics
The anarchic semantics of a program P is
Sa�P� ≜ {ξ ∈ Ξ | Wf 2(ξ) ∧ . . . ∧Wf 18(ξ)} .
Theorem 1 In an execution ξ = ς × π × rf ∈ Ξ , the communic-
ation rf uniquely determines the computation ς .
4.2.4 Consistency speciﬁcation of a semantics
The semantics S �Hcom� ∈ Ξ → {allowed, forbidden} of a
consistency speciﬁcation Hcom checks whether an execution ξ ∈
Ξ is allowed or forbidden by Hcom . Deﬁning the consistency
abstraction αana�Hcom�(S) ≜ {ξ ∈ S | S �Hcom�ξ = allowed},
we have the Galois connection ⟨℘(Ξ), ⊆⟩ −−−−−−−−−−→←−−−−−−−−−−αana�Hcom �
γana�Hcom � ⟨℘(Ξ),
⊆⟩. The analytic semantics of a program P for the consistency
speciﬁcation Hcom is then S �P� ≜ αana�Hcom�(Sa�P�).
Example 1 (cat speciﬁcation) The candidate execution abstrac-
tion αΞ(ξ) abstracts the execution ξ = ς×π×rf ∈ Ξ into a candid-
ate executionαΞ(ξ) = ⟨e, po, rf , iw⟩where e is the set of events in
ς (partitionned into fence, read, write, . . . events), po is the program
order (transitively relating successive events on a trace of each pro-
cess), rf = rf is the set of communications, and iw is the set of ini-
tial write events. Then we deﬁne αΞ(S ) ≜ {⟨ξ, αΞ(ξ)⟩ | ξ ∈ S}
and α �Hcom�(C) ≜ {ξ | ∃Γ . ⟨ξ, Ξ⟩ ∈ C ∧ ⟨allowed,
Γ ⟩ ∈ �Hcom�(Ξ)} where the consistence �Hcom�(Ξ) of a can-
didate execution Ξ for a cat consistency model Hcom is deﬁned
in (Alglave et al. 2016) and returns communication relations Γ
specifying communication constraints on communication events
(e.g. containing co of with co from AllCo in Hcom ). The con-
sistency abstraction for a cat speciﬁcation Hcom is then αana�Hcom�
≜ α �Hcom� ◦ αΞ . ✷
5. Invariance Abstraction
The semantics S �P� of a program P is a set of executions ξ ∈ Ξ
so belongs to ℘(Ξ). Representing properties by the set of elements
which have this property, semantic properties P are elements of
P ∈ ℘(℘(Ξ)). So P has semantic property P means S �P� ∈ P ,
equivalently {S �P�} ⊆ P where {S �P�} is the strongest semantic
property (called collecting semantics) and ⊆ is implication.
The join abstraction α∪(P) = ∪P such that ⟨℘(℘(Ξ)), ⊆⟩
−−−−→←−−−−α∪
γ∪ ⟨℘(Ξ), ⊆⟩ yields execution properties P ∈ ℘(Ξ). So P
has execution property P means S �P� ∈ γ∪(P ) that is {S �P�} ⊆
k0, . kn−1, kp ��, k1
τstart × π × rf)ς =
⟨κ0,k0 , θ0,k0 , ρ0,k0 , ν0,k0 κn−1,kn−1 , θn−1,kn−1 , ρn−1,kn−1 , νn−1,kn−1
, θp,kp , ρp,kp , νp,kp ,ℓ
τpτ0 τ1 τn−1
… … …
Figure 17: Invariance abstraction of an execution
γ∪(P ) equivalently α∪({S �P�}) ⊆ P i.e., S �P� ⊆ P . The
strongest execution property of P is S �P�.
The invariance abstraction αinv(P ), P ∈ ℘(Ξ) on Fig. 17
collects states on all cuts of all traces at each control point of each
process. αinv(P ) ≜
∏
p∈Pi
∏
ℓ∈L(p)
∪
ξ∈P
αinv(ξ)p(ℓ) (19)
αinv(τstart ×
n−1∏
p=0
τp × π × rf)p(ℓ) ≜ {⟨κ0,k0 , θ0,k0 , ρ0,k0 , ν0,k0 ,
. . . , νp−1,kp−1 , θp,kp , ρp,kp , νp,kp ,κp+1,kp+1 , . . . ,κn−1,kn−1 ,
θn−1,kn−1 , ρn−1,kn−1 , νn−1,kn−1 , rf⟩ | ∀q ∈ [0, n[ . ∀kq < |τq| .
τq
kq
= s⟨κq,kq , θq,kq , ρq,kq , νq,kq ⟩ ∧ κp,kp = ℓ}.
An invariance property I ∈ I, in particular the strongest invari-
ant αinv(S �P�) ∈ I, attaches a local invariance property Ip(ℓ) at
each program point ℓ of each process p, which is a relation between
the process state and the state of all other processes (including their
control state) on all cuts of all executions going through point ℓ
of process p. We have ⟨℘(Ξ), ⊆⟩ −−−−→←−−−−αinv
γinv ⟨I, ⊆˙⟩ so P has in-
variance property Sinv ∈ I means S �P� ∈ γ∪(γinv(Sinv )) i.e.,
S �P� ⊆ γinv(Sinv ) that is αinv(S �P�) ⊆˙ Sinv .
In practice local invariance properties are often expressed as
logical formulæ Sindp(ℓ) attached to program points ℓ ∈ L(p)
of each process p ∈ Pi which logical interpretation is a set-
theoretic property in I. Formally, a logical assertion Sind is a logical
formula Sindp(ℓ) with free variables κ0, θ0, ρ0, ν0, . . ., νp−1, θp,
ρp, νp, κp+1 . . ., κn−1, θn−1, ρn−1, νn−1, and rf attached to
each program point ℓ of each process p of the program (excluding
κp = ℓ).
The assertions on control are often written atp{ℓ} (or at{ℓ}
if the label ℓ is unique to process p) to mean that κp = ℓ. We
write atp{ℓ1, . . . , ℓm} for ∨ℓmℓ=ℓ1 atp{ℓ}. Moreover the assertions
on environments and valuations are expressed using assertions on
registers and pythia variables. For example, ρ ∈ R is expressed
by the logical formula ∀ρ ∈ R . ∧r∈dom(ρ) r = ρ(r), or any
equivalent logical formula. The initial values of shared variables is
determined by the prelude (0 by default) so Sindp,ℓ states assertional
properties. For relational invariance (Cousot and Cousot 1982) the
initial value of shared variables is set to an initial pythia variable.
6. Calculational Design of the Proof Method
Given a program P and an invariance speciﬁcation Sinv , the invari-
ance proof method consists in proving thatαinv(αana�Hcom�(Sa�P�))
⊆˙ Sinv . The design of the invariance proof method by calculus starts
as follows (⇐ is soundness and⇒ is completeness):
αinv(αana�Hcom �(Sa�P�)) ⊆˙ Sinv
⇔ αinv({ξ ∈ Sa�P� | S �Hcom �ξ = allowed}) ⊆˙ Sinv �def. αana�Hcom ��
⇔ αinv(Sa�P� ∩ {ξ ∈ Sa�P� | S �Hcom �ξ = allowed}) ⊆˙ Sinv �def. ∩�
⇔ αinv(Sa�P�) ∩ αinv({ξ ∈ Ξ | S �Hcom �ξ = allowed}) ⊆˙ Sinv
�since αinv preserves intersections�
⇔ αinv(Sa�P�) ∩˙ αinv(αana�Hcom �(Sa�P�)) ⊆˙ Sinv �def. αana�Hcom ��
⇔ ∃Scom . αinv(Sa�P�)∩˙Scom ⊆˙ Sinv ∧αinv(αana�Hcom �(Sa�P�)) ⊆˙ Scom
�(⇐) For soundness, we have αinv(Sa�P�) ∩˙αinv(αana�Hcom �(Sa�P�))
⊆˙ αinv(Sa�P�) ∩˙ Scom ⊆˙ Sinv ;
(⇒) For completeness, we choose to describe exactly the communica-
tions that is Scom = αinv(αana�Hcom �(Sa�P�)).�
⇔ ∃Scom . (Scom ⇒ Sinv ) ∧ (Hcom ⇒ Scom )
by deﬁning the conditional invariance proof Scom ⇒ Sinv to be
αinv(Sa�P�) ∩˙ Scom ⊆˙ Sinv and the inclusion proof Hcom ⇒ Scom to
be αinv(αana�Hcom �(Sa�P�)) ⊆˙ Scom .
This calculation justiﬁes the decomposition of the correctness
proof in Fig. 4 into an invariance proof and an inclusion proof using
an intermediate communication speciﬁcation Scom .
7. Conditional Invariance Veriﬁcation Conditions
We now present our invariance veriﬁcation conditions for proving
Scom ⇒ Sinv , i.e., the properties that the logical assertions at each
program point must satisfy to qualify as inductive invariants Sind .
7.1 Pre, Post and Communication Conditions
For each of our veriﬁcation conditions, we need to deﬁne general
shapes of assertions; more speciﬁcally we have:
• Precondition
PREℓ,κp,r ≜ Sindp(ℓ)[κr ← κ, θr, ρr, νr, rf] ∧
Sindr(κ)[κp ← ℓ, θr, ρr, νr, rf]
PREℓp ≜ PREℓ,ℓp,p = Sindp(ℓ)[θp, ρp, νp, rf]
(where A[x1, . . . , xm] stipulates that A has, among others, free
variables x1, . . . , xm, A[x← e] is the substitution of e for x with
renaming of quantiﬁed variables to avoid variable capture, and
PREℓp does not depend upon κp so the substitution [κp ← ℓ] has
no effect.)
• Postcondition
POSTℓ,κ
′
p,r ≜ (Scomp ˙=⇒ Sindp)(ℓ)[κr ← κ′, θr ← succr(θr)]
POSTℓ
′
p ≜ POSTℓ′,ℓ′p,p = (Scomp ˙=⇒Sindp)(ℓ′)[θp ← succp(θp)]
(wherePOSTℓ
′
p does not depend upon κp so the substitution [κp ←
ℓ′] has no effect.)
• Communication condition
COMℓp[rf] ≜ Sind p(ℓ)[rf] ∧ Scomp(ℓ)[rf]
meaning that a read or write instruction at ℓ of process p may
execute (since the invariant Sind p(ℓ)[rf] holds) and communicate
according to rf (as speciﬁed by Scomp(ℓ)[rf]).
7.2 Initialisation Veriﬁcation Condition
For each process p, the invariant at the entry point ℓ0p must be true
when the other processes are also at their entry, with all registers
initialised to 0 and no pythia variable:
• PREℓ
0
p
p
∏
r∈Pi[κr ← ℓ0r, θr ← infr, ρr ← λ R . 0, νr ← ∅]
(where A
∏m
i=1[xi ← ei] is A[x1 ← e1] . . . [xm ← em].)
7.3 Sequential Veriﬁcation Conditions
The veriﬁcation conditions for the sequential proof require to prove
that if the precondition inductive invariant PREℓp holds at point ℓ
of process p and the instruction at label ℓ is executed and goes to
ℓ′ and the communication is allowed by speciﬁcation Scomp then
the postcondition inductive invariant POSTℓ
′
p holds at point ℓ′
with the updated stamp, environment and valuation. The sequential
veriﬁcation conditions are the special case of the non-interference
ones given below for PREℓp = PREℓ,ℓp,p and POSTℓ
′
p = POST
ℓ′,ℓ′
p,p .
7.4 Non-interference Veriﬁcation Conditions
The veriﬁcation conditions for the non-interference proof require to
prove that if the precondition inductive invariant PREℓ,κp,r holds at
point ℓ of process p and any other process r executes an instruction
κ : instr κ′ at label κ, goes to κ′, and the communication is
allowed by speciﬁcation Scomp , then the postcondition inductive
invariant POSTℓ,κ
′
p,r at point ℓ still holds with the updated stamp,
environment and valuation.
• For local side-effect free marker instructions κ : instr κ′
where instr = f[ts]
[{l01 . . . lm1 } {l02 . . . lq2} ], w[ts] x r-value,
beginrmw[ts] x, endrmw[ts] x: (marker)
PREℓ,κp,r ⇒ POSTℓ,κ
′
p,r
• For the register assignment κ : mov R operation κ′; (assign)
PREℓ,κp,r[ρr, νr]
⇒ POSTℓ,κ′p,r [ρr ← ρr[R := E�operation�(ρr, νr)]]
• For a read instruction κ : r[ts] R x κ′: (read)
PREℓ,κp,r[θr, ρr, νr, rf]∧ rf [w(⟨q, ℓ′, w[ts] x r-value, θ′⟩, v),
r(⟨r, ℓ, r[ts] R x, θr⟩, xθr )] ∈ rf
⇒ POSTℓ,κ′p,r [ρr ← ρr[R := xθr ], νr ← νr[xθr := v]]
• For a test instruction κ : b[ts] operation lt κ′: (test)
PREℓ,κp,r[ρr, νr]∧sat(E�operation�(ρr, νr) ̸= 0) ⇒ POSTℓ,ltp,r
PREℓ,κp,r[ρr, νr]∧sat(E�operation�(ρr, νr) = 0) ⇒ POSTℓ,κ
′
p,r
where sat checks for satisﬁability of symbolic boolean expressions
or for truth of ground values. These formal non-interference veriﬁc-
ation conditions can be rephrased as inference rules (in an informal
style “{Pi}Si{Qi}, i ∈ [1, n] are interference free” (Owicki and
Gries 1976)).
7.5 Communication Veriﬁcation Conditions.
Assertions associated with read and write instructions must satisfy
certain sanity conditions that stem from the semantics:
•All process read instructions ℓ : r[ts] R x ℓ′ must read either from
an initial or a reachable program write, allowed by the communica-
tion hypothesis (∃P[X1, . . . , Xm] means that all free variables in
predicate P butX1, . . . , Xm are existentially quantiﬁed):
COMℓp[θp, rf] ∧ rf ̸=∅ ⇒ ∃ rf [w(⟨q, ℓq, w[ts] x r-value, θ′⟩, v),
r(⟨p, ℓ, r[ts] R x, θp⟩, xθp)] ∈ rf . (satisfaction)
((q ∈ Pi ∧ ∃PREℓqq [θq ← θ′, rf]) ∨ (q = start ∧ v = 0)) .
• A read event can read from only one write event.
COMℓp[rf] ∧ rf [r, w1] ∈ rf ∧ rf [r, w2] ∈ rf (singleness)
⇒ w1 = w2 .
• The values v allowed to be read by the communication hypo-
thesis must originate from reachable program write instructions
ℓ : w[ts] x r-value ℓ′:
∀rf . ∀ rf [w(⟨q, ℓq, w[ts] x r-value, θp⟩, v), r] ∈ rf .(match)
COMℓp[θq, ρq, νq, rf]⇒ v = E�r-value�(ρq, νq)
• The inception condition Wf 11(ξ) is not required since non-
existent communications can only lead to more imprecise invari-
ants, which is sound. However, it is always possible to take incep-
tion into account to get precise invariants for completeness.
The communications taken into account in rf must include all
those of the anarchic semantics as restricted by Scom (by Sect. 10
and Sect. 11) and the imprecision can only be on communicated
values (including in absence of inception).
Example (Thin air 1) In absence of loops, stamps are the unique
program labels. We write rf⟨xℓp , ℓq, v⟩ for rf [w(⟨q, ℓq, w[ts] x
r-value, ℓq⟩, v), r(⟨p, ℓp, r[ts] R1 x, ℓp⟩, xℓp)] and deﬁne Γt ≜
{rf⟨x1, 0, 0⟩, rf⟨x1, 7, 42⟩)} × {rf⟨y5, 0, 0⟩, rf⟨y5, 3, 42⟩)}.
{ 0: w[] x 0; w[] y 0; {x=0 ∧ y=0} }
1: {R1=0 ∧ rf ∈ Γt} 5: {R2=0 ∧ rf ∈ Γt}
r[] R1 x {❀ x1} r[] R2 y {❀ y5};
2: {R1=x1 ∧ x1 ∈ {0, 42} ∧ rf ∈ Γt} 6: {R2=y5∧y5 ∈ {0, 42}∧rf ∈ Γt}
b[] (R1 =/= 42) 4 b[] (R2 =/= 42) 8;
3: {R1=x1 ∧ x1=42 ∧ rf ∈ Γt} 7: {R2=y5 ∧ y5=42 ∧ rf ∈ Γt}
w[] y R1 w[] x R2;
4: {R1=x1 ∧ x1 ∈ {0, 42}} 8: {R2=y5 ∧ y5 ∈ {0, 42}}
By the communication proof for any rf ∈ Γt, communicated val-
ues cannot be different (match), rf can neither be chosen to be a
superset by (satisfaction) and (singleness) nor a subset (which is
the subject of Sect. 10 and 11). For example, at 2, x1 ∈ {0} is
prevented by the read rule, all communicated values are readable.
Values must come from writes so x1 ∈ {0, 42, 43} at 2 is preven-
ted by (match). In case of an unconditional branch b true 8; at
6, any rf⟨x1, 7, —⟩ ∈ rf is prevented by (satisfaction) i.e., it is not
possible to read from a non-reachable write. ✷
8. Calculation of the Invariance Proof Scom ⇒ Sinv ,
Soundness and Completeness by Design
The calculation for the invariance proof Scom ⇒ Sinv , formally
αinv(Sa�P�) ∩˙ Scom ⊆˙ Sinv , goes on by induction on the length of
trace preﬁxes, which requires the use of the inductive invariant Sind .
The basis Wf 12(ξ) yields the initialisation condition. The sequen-
tial veriﬁcation condition for Sindp(ℓ) is obtained when performing
a computation step Wf 13(ξ), . . . , Wf 18(ξ) in the current process
p while the non-interference is obtained when performing a step
in another process r ̸= p. The communication proof requirements
follow fromWf 8(ξ) toWf 11(ξ).
This calculational design yields Th. 2 showing that the proposed
proof method is sound (i.e., if the veriﬁcation conditions are all sat-
isﬁed then the invariance statement Sinv is true for the program an-
archic semantics Sa�P� with communications restricted by the spe-
ciﬁcation Scom ). Reciprocally, the proof method is complete so that
if an invariance statement Sinv is true for the program anarchic se-
mantics Sa�P� with communications restricted by the speciﬁcation
Scom then this can always be proved thanks to a stronger inductive
invariant Sind satisfying all veriﬁcation conditions.
As usual the completeness proof provides no clue on how to
choose the inductive invariant Sind since it is based on the choice
Sind = αinv(Sa�P�) ∩˙ Scom , i.e., the exact abstraction of the se-
mantics which in general is not computable.
The soundness and completeness proof is set-theoretical. In
practice, one uses a logic with an interpretation, and so the sound-
ness prove is identical using the interpretation of the logical
fomulæ. This is a problem however for the completeness proof
since, in general, Sind = αinv(Sa�P�) ∩˙Scom cannot be expressed as
a formula of the chosen logic. One can consider higher-order logics
as in e.g. (Back and von Wright 1990) but they cannot be handled
e.g. by SMT solvers. The usual restriction is to relative complete-
ness under the assumption that αinv(Sa�P�) ∩˙Scom is expressible in
the logic (Cook 1978, 1981).
Theorem 2 (Invariance proof Scom ⇒ Sinv ) Scom ⇒ Sinv , form-
ally αinv(Sa�P�) ∩˙Scom ⊆˙ Sinv , if and only if there exists Sind ⊆˙ Sinv
which is inductive for P, i.e., satisﬁes the interpretation of the ini-
tialisation (7.2), sequential (7.3), non-interference (7.4), and com-
munication (7.5) veriﬁcation conditions of Sect. 7.
The following Th. 3 supports our claim that our invariance proof
method for WCM is an extension of Lamport’s invariance proof
method for sequential consistency.
Theorem 3 (Generalisation of Lamport proof method) The veri-
ﬁcation conditions of Th. 2 for the inductive invariant Sind reduce
to (Lamport 1977) proof method for sequential consistency.
Our invariance proof method for WCM is also an extension of
(Owicki and Gries 1976) for sequential consistency since, by the
argument given in (Cousot and Cousot 1980), the auxiliary vari-
ables can always be chosen as local registers (simulating program
counters) so auxiliary variables need not to be shared.
9. Calculation of the Inclusion Proof Hcom ⇒ Scom ,
Soundness and Completeness by Design
The calculation of the inclusion proof Hcom ⇒ Scom , formally
αinv(αana�Hcom�(Sa�P�)) ⊆˙ Scom , yields the veriﬁcation conditions
for the communication speciﬁcation Scom in Th. 4 below. Deﬁne
Sana�Hcom�P = αana�Hcom�(Sa�P�) = {ξ ∈ Sa�P� | S �Hcom�ξ =
allowed}. We have
αinv(αana�Hcom �(Sa�P�)) ⊆˙ Scom
⇔ αinv(Sana�Hcom �P) ⊆˙ Scom �def. Sana�Hcom �P�
⇔ ∀ξ ∈ Sana�Hcom �P . αinv({ξ}) ⊆˙ Scom �αinv preserves ∪�
⇔ ∀ξ ∈ Sana�Hcom �P .
n∪˙
p=1
∪˙
L∈Pp
{αinv(ξ′)p(L) | ξ′ ∈ {ξ}} ⊆˙ Scom
�def. (19) of αinv�
⇔ ∀(τstart×
n−1∏
p=0
τp×π× rf) ∈ Sana�Hcom �P . ∀p ∈ [1, n] . ∀L ∈ Pp .
αinv(τstart ×
n−1∏
p=0
τp × π × rf)p(L) ⊆ Scomp(L)
�def. ∈, ∪˙, ⊆˙, and Sana�Hcom �P so that ξ has the form ξ =
τstart ×
∏n−1
p=0 τp × π × rf . By def. (19) of αinv and ⊆, we
get�
⇔ ∀(τstart ×
n−1∏
p=0
τp × π × rf) ∈ Sana�Hcom �P . ∀i ∈
[1, n] . ∀L ∈ Pp . ∀q ∈ [0, n[ . ∀kq < |τq | .
(τq
kq
= s⟨κq,kq , θq,kq , ρq,kq , νq,kq ⟩ ∧ κp,kp = L) ⇒
⟨κ0,k0 , θ0,k0 , ρ0,k0 , ν0,k0 , . . . , νp−1,kp−1 , θp,kp , ρp,kp , νp,kp ,
κp+1,kp+1 , . . . ,κn−1,kn−1 , θn−1,kn−1 , ρn−1,kn−1 , νn−1,kn−1 , rf⟩
∈ Scom i(L)
(20)
i.e., any cut of any anarchic execution history allowed by the consistency
speciﬁcation Hcom must satisfy all local invariants Scom along the cut.
So we have proved
Theorem 4 (Inclusion proof) The veriﬁcation conditions (20) are
sound and complete for proving the inclusion Hcom ⇒ Scom .
Observe that the completeness proof of Th. 4 assumes that Hcom ⇒
Scom . If the consistency speciﬁcation language is not expressive
enough there might be no way to express a strong enough consist-
ency speciﬁcationHcom , a source of incompleteness. This is the case
e.g. of cat designed to describe architectures so that e.g. memory
values are abstracted away which may not be the case in Scom . This
means that the design of the program P must ensure that Scom is
weak enough to be implementable.
Observe also that Th. 4 requires analyzing all possible execu-
tions of the program, which is seldom feasible. Moreover, this is
in contradiction with the idea of invariance proof which purpose
is precisely to avoid to reason directly on program executions. We
explore an alternative inclusion proof method Hcom ⇒ Scom using
an anarchic invariant i.e., an invariant of the anarchic semantics.
10. Anarchic Invariant
An anarchic invariant Sainv of the anarchic semantics Sa�P� is an in-
variant that takes into account all possible communications allowed
by the program semantics (programmers would say the program lo-
gic). A general invariant is not enough. The problem is that a gen-
eral invariant can be of the form “if the communications satisfy
given hypotheses then the computations satisfy an invariant prop-
erty”. Obviously this is an invariant of the anarchic semantics but
since not all possible communications allowed by the program se-
mantics are characterized by the invariant, this is not an anarchic
invariant.
The following Th. 5 shows how to ﬁnd an anarchic invariant
of the anarchic semantics using our proof method with the guar-
antee that no hypothesis has been made on the communications
(but for those disallowed by the semantics as in e.g. [r[] R1 x;
R1=R1+1; w[] R1 x] with no feasible execution on Z).
The anarchic semantics Sa�P� considers all possible write
eventsW �P�(θq, x), q ∈ Pi ∪ {start}, θq ∈ T(q)
W �P�(θq, x) ≜ {w(⟨q, ℓq, w[ts] x r-value, θq⟩, vθq ) | ℓq ∈ L(q)
∧ instr�P�ℓqq = w[ts] x r-value ∧ vθq ∈ D}
and all possible read events R�P�(θp, x), p ∈ Pi, θp ∈ T(p).
R�P�(θp, x) ≜ {r(⟨p, ℓp, r[ts] R x, θp⟩, xθp) | ℓp ∈ L(p) ∧
instr�P�ℓpp = r[ts] R x}
The anarchic communications rf ∈ Γ�P� are between matching
write and read events for any shared variable x ∈ loc�P�.
Γ�P� ≜ {{rf [wθq ,x, rθp,x] | x ∈ loc�P� ∧ q ∈ Pi ∪ {start} ∧ θq ∈
T(q) ∧ p ∈ Pi ∧ θp ∈ T(p)}
 ∀x, q, θq, p, θp .
wθq ,x ∈W �P�(θq, x) ∧ rθp,x ∈ R�P�(θp, x)
}
Deﬁne an anarchic invariant to be
Sainv ≜
∪
{Saind [rf] | rf ∈ Γ�P� ∧ Saind [rf] is inductive for P and
Scom = ˙true}.
Theorem 5 (Anarchic invariant) Sinv is an invariant of the an-
archic semantics Sa�P� (i.e., αinv(Sa�P�) ⊆˙ Sinv ) if and only if
there exists an anarchic invariant Sainv such that S
a
inv ⊆˙ Sinv .
Sainv can be obtained by considering the values vθq to be symbolic,
applying the sequential, non-interference, and communication veri-
ﬁcation conditions of Th. 2, and solving the resulting constraints in
the symbolic variables vθq .
Example 2 (Thin air 2) Consider the following program mono-
process P. The possible anarchic communications are
Γ�P� ≜ {{rf⟨x1, 0, v0⟩ | v0 ∈ D}}∪ {{rf⟨x1, 3,
v3⟩ | v3 ∈ D}} ∪ {{rf⟨x1, 4, v4⟩} | v4 ∈ D}}.
Deﬁne
com0 ≜ x1 = v0 ∧ rf = {rf⟨x1, 0, v0⟩}
com3 ≜ x1 = v3 ∧ rf = {rf⟨x1, 3, v3⟩}
com4 ≜ x1 = v4 ∧ rf = {rf⟨x1, 4, v4⟩}
0:{ x = 0 } [
1:r[] R1 x; {❀x1}
2:if R1=42 then
3: w[] x 41;
4: w[] x R1;
5:fi; ]
6:
where v0, v3, and v4 are fresh symbolic variables. Consider the
following invariant (including the terms overlined in red).
0: { x = 0 } [
1: {R1 = 0 ∧ (com0 ∨ com3 ∨ com4)}
r[] R1 x; {❀ x1}
2: {R1 = x1 ∧ (com0 ∨ com3 ∨ com4)}
if R1=42 then
3: { R1 = x1 = 42 ∧ (com0 ∨ com3 ∨ com4)} }
w[] x 41;
4: { R1 = x1 = 42 ∧ (com0 ∨ com3 ∨ com4)} }
w[] x R1;
5: { R1 = x1 = 42 ∧ (com0 ∨ com3 ∨ com4)} }
fi;
6: {R1 = x1 ∧ (com0 ∨ com3 ∨ com4)} ]
By the (match) rule at 0 v0 = 0, at 3 v3 = 41, and at 4 v4 =
x1 = 42. It follows that com0 and com3 are false at 3, 4 and 5.
By the (satisfaction) rule for the read 1, com3 where v3 = 41 must
hold at 3 and it doesn’t so com3 does not hold at 1. Then, by the
(read) rule com3 is false at 1 hence, by the (test) rule, com3 is
false 6. We get the anarchic inductive invariant Sainv (excluding the
infeasible communications of the terms overlined in red which are
false according to the program semantics).
0: { x = 0 } [
1: {R1 = 0 ∧ ((x1 = 0 ∧ rf = {rf⟨x1, 0, 0⟩}) ∨
(x1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩}))}
r[] R1 x; {❀ x1}
2: {R1 = x1 ∧ ((x1 = 0 ∧ rf = {rf⟨x1, 0, 0⟩}) ∨
(x1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩}))}
if R1=42 then
3: { R1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩} }
w[] x 41;
4: { R1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩} }
w[] x R1;
5: { R1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩} }
fi;
6: { (R1 = 0 ∧ rf = {rf⟨x1, 0, 0⟩}) ∨
(R1 = 42 ∧ rf = {rf⟨x1, 4, 42⟩}) } ] ✷
11. Candidate Executions for cat Speciﬁcations
The proof of Hcom ⇒ Scom by Th. 4 requires extracting exe-
cutions from the semantics Sana�Hcom�P = αana�Hcom�(Sa�P�) =
α �Hcom� ◦ αΞ(Sa�P�) i.e., candidate executions αΞ(Sa�P�) for
cat speciﬁcations. Th. 6 shows that it is sound to extract a super-
set of the anarchic candidate executions αΞ(Sa�P�) directly from
an anarchic invariant Sainv (excluding no possible communication)
and the program P. Notice that a general invariant would not do
since some possible communications could be omitted, hence the
insistence on the use of an anarchic invariant Sainv (i.e., satisfying
the invariance veriﬁcation conditions of Sect. 7 with Scom = ˙true).
Moreover, by the completeness result, the extraction can be exact
by choosing a precise enough anarchic invariant.
Theorem 6 (Candidate executions out of an anarchic invariant)
The over-approximation of the anarchic program candidate exe-
cutions {αΞ(ξ) | ξ ∈ Sa�P�} by extraction αaΞ(Sainv) from an
anarchic invariant Sainv is sound (⊆) and complete (⊇).
where the set of candidate executions deﬁned by an assertion A at
point ℓ of process p for a program P is
αaΞ(A) ≜
∪
{αaΞp,l(A) | p ∈ Pi ∧ ℓ ∈ L(p)}
αaΞp,l(A) ≜ {αaΞ(A, rf′) | rf′ ∈ Cp,ℓ(A)}
and the possible communication relations are
Cp,ℓ(A) ≜ {rf′ | ∃κ0, θ0, ρ0, ν0, . . . , νp−1, θp, ρp, νp,κp+1,
. . . ,κn−1, θn−1, ρn−1, νn−1 . Ap,ℓ[rf ← rf′]}
αaΞ(A, rf′) ≜ ⟨e(A, rf′), po(A, rf′), rf′, iw⟩
e(A, rf′) ≜ {N(ℓ)(p, ℓ, instr�P�ℓp, θ[, xθ][, v]) | p∈Pi ∧ ℓ∈L(p)
∧ ∃κ0, θ, ρ0, ν0, . . . , νp−1, ρp, νp,κp+1, . . . ,κn−1,
θn−1, ρn−1, νn−1 . Ap,ℓ[θp ← θ, rf ← rf′]} ∪ iw
N(ℓ) ≜ w, r, t, or m whether the LISA instruction instr�P�ℓp at ℓ of p is
a write to x, read of x, test, fence, or begin/end of read-modify-
write (register assignments are ignored in cat speciﬁcations)
iw ≜ {w(⟨start, ℓstart, x := e, θ⟩, vθ) | x ∈ loc�P�}
po(A, rf′) ≜ (iw × (e(A, rf′) \ iw) ∪ {⟨N(ℓ)(p, ℓ, instr, θ[, x]),
N(ℓ′)(p, ℓ′, instr ′, θ′[, y])⟩ ∈ e(A, rf′)2 | p ∈ Pi ∧
θ ✁p θ′} .
Considering local process invariants, we get Cor. 7 ensuring that
all possible anarchic communications allowed by the progran se-
mantics are taken into account when proving Scom .
Corollary 7 (Candidate executions out of local anarchic invariants)
For all p ∈ Pi and ℓ ∈ L(p), the extraction αaΞp,l(Sainvp(ℓ)) of the
program candidate executions from an anarchic invariant Sainv (i.e.,
αinv(Sa�P�) ⊆ Sainv ) is sound (i.e., {αΞ(ξ) | ξ ∈ γinvp,ℓ(Sainvp(ℓ))}
⊆ αaΞp,l(Sainvp(ℓ))) and complete.
12. Inclusion Proof Revisited for cat Specs
To prove Hcom ⇒ Scom (without reasoning directly on the anarchic
semantics Sa�P�), we have to consider (a superset of) all feasible
communications, which by Th. 1 determine (a superset of) all feas-
ible executions. Extracting these communications from an anarchic
invariant Sainv by def. C(Sainv), we can, by Th. 6 and Cor. 7 and for
each of these communication relations, extract (an approximation
of) the corresponding candidate execution (which can be as pre-
cise as necessary by completeness) on which the semantics of the
cat language can be applied to check whether the candidate exe-
cution, hence essentially the communication relation, is consistent
with the WCM deﬁned by Hcom . If this is the case, it should be
accepted by the communication speciﬁcation invariant Scom . It fol-
lows that Scom does not forget any feasible (allowed by the program
semantics/logic) and consistent (allowed by Hcom ) communication
relation, hence by Th. 1 execution.
Theorem 8 (Inclusion proof for cat) Hcom ⇒ Scom (formally
αinv(α �Hcom� ◦ αΞ(Sa�P�)) ⊆˙ Scom ) if and only if there exists
an anarchic invariant Sainv satisfying the following (inclusion) veri-
ﬁcation condition:
∀p ∈ Pi . ∀ℓ ∈ L(p) . ∀rf ′ ∈ Cp,ℓ(Sainvp(ℓ)) . (inclusion)( �Hcom�(αaΞ(Sainvp(ℓ), rf′)) ∧ Sainvp(ℓ)[rf ← rf′])
⇒ Scomp(ℓ)[rf ← rf′] .
The cat speciﬁcation Hcom is a conjunction of conditions on a
candidate execution ⟨e, po, rf , iw⟩ of the form
let r = R(⟨e, po, rf , iw⟩)
acyclic | irreflexive | empty | not empty r
where the relation r ∈ ℘(e×e) is a functionR of e, po, rf , and iw ,
as deﬁned by the cat language semantics �Hcom� (Alglave et al.
2016). We have acyclic(r) if and only if irreflexive(r+) so
we only have to handle irreﬂexivity and emptyness.
The proof ¬Scomp(ℓ)[rf] ⇒ ¬ �Hcom�(αaΞ(Sainv [rf])) is by
contraposition, i.e., any communication rejected by Scom is also re-
jected by Hcom . Assuming ¬Scomp(ℓ)[rf], the check ¬ �Hcom�(⟨e,
po, rf , iw⟩) considers each of these reﬂexivity or emptyness con-
ditions in turn.
13. A Proof of PostgreSQL
The PostgreSQL example1 of Fig. 21 was considered in (Alglave
et al. 2013) for bounded bug-ﬁnding on a multi-core PowerPC sys-
tem. We prove, under appropriate hypotheses, the critical section
(CS) speciﬁcation Sinv ≜ ¬(at{8} ∧ at{28}) plus non-starvation
(CSs are entered inﬁnitely often).
Anarchic communications of PostgreSQL. The anarchic commu-
nications Γ are given in Fig. 21. We write rf⟨xθ, ⟨ℓ:, θ′, v⟩⟩ to
state that the read into pythia variable xθ was from an write event
marked θ′ of value v generated by the action at process label ℓ. The
markers θ/θ′ are the vectors of iteration counters of the loops en-
closing the read/write instruction. We write Rvpθ for the possible
read-froms of variable latchp (v =L) or variable flagp (v =F)
in process Pp, p ∈ {0, 1} for unique stamp θ (as encoded by loop
counters). All possible cases are considered in Fig. 21.
All possible communications are obtained by considering that
each read of a shared variable in the loops can read from any initial,
past or future write to this variable, a different choice being possible
at each read. So each Γ ∈ Γ , Γ = {rl0iji , rf0i, rl1ℓmℓ , rf1ℓ | i ∈
N ∧ ji ∈ [0, ki] ∧ ℓ ∈ N ∧ j ∈ [0, nℓ]} encodes a particular
read-from relation rf specifying that for the ith iteration in the
external loop 1–12 and the jith iteration in the internal loop 2–4 of
process P0, 3: r[] Rl0 latch0 {❀ L0iji} will read as speciﬁed
by rl0iji ∈ RL0iji while 6: r[] Rf0 flag0 {❀ F0i} will read
as speciﬁed by rf0i ∈ RF0i.
(Anarchic) inductive invariant of PostgreSQL. The inductive
invariant Sind is given in Fig. 21. It depends on Γ encoding a
communication rf. Sind assumes that Γ belongs to a unspeciﬁed
set Γ of possible communications (this dependency is written
Sind (Γ, Γ)). So Sind (Γ, Γ) is valid under the communication hy-
pothesis Scom (Γ, Γ) ≜ (Γ ∈ Γ). It follows that Sind (Γ, Γ) is an
inductive anarchic invariant.
Necessary and sufﬁcient communication speciﬁcation Scom for
mutual exclusion. We derive in Fig. 19 the communication spe-
ciﬁcation Scom in Fig. 18 by calculational design from the critical
section requirements.
It follows that (Scom (Γ, Γ) ∧ Sind (Γ, Γ)) ⇒ Sinv (Γ, Γ) so
Scom (Γ, Γ) ⇒ Sinv (Γ, Γ) (since Scom (Γ, Γ) ⇒ Sind (Γ, Γ)), prov-
ing mutual exclusion under the Scom communication hypothesis.
The proof that Scom (Γ, Γ) is also necessary is done by providing
counter-examples. For example, a candidate execution counter-
example to Scom1 is given in Fig. 20 (where the control points of
1 www.postgresql.org/message-id/24241.1312739269@sss.pgh.pa.us
the cut of the traces where the error occurs (i.e., both processes are
simultaneously in their critical section) is marked ▶).
Consistency speciﬁcation Hcom for mutual exclusion. The con-
sistency speciﬁcation Hcom is obtained by excluding all executions
Scomi(Γ, Γ), i ∈ [1, 4] for the anarchic communications Γ .
For Scom1(Γ, Γ), Fig. 20 corresponds to a incorrect scenario
where process P1 reads from the initialisation, enters its critical
section, P0 reads the latch0 and flag0 to be later set by process
P1 and so also enters its critical section. This is excluded on ar-
chitectures with no prophecy beyond cuts (see Fig. 12a where no
read before a cut can read from a write after the cut, hence when
the write is not yet executed). Another correct scenario would have
process P1 reads from the initialisation, enters and exits its critical
section, writes latch0 and flag0, later read by process P0 which
in turn enters its critical section. Both scenarios abstract to the same
candidate execution (since cuts are abstracted away) so the incor-
rect scenario can hardly be excluded in cat without referring to
cuts (by adding synchronisation markers in case of prophecy bey-
ond cuts, see Fig. 16).
Non-starvation.Wemust prove that there exists no single execution
ξ such that either from the initialisation or from a later local time
in this execution, one process (or both) never enter their critical
section (under the non-blocking and communication satisfaction
Wf 8(ξ) fairness hypotheses), which yields six cases. We assume
there is one such execution ξ, and derive a contradiction. Let Γrf be
the encoding of the communication relation rf of this execution ξ.
Γrf uniquely determines rf, hence by Th. 1, uniquely determine the
execution ξ. The inductive invariant Sind (Γ, {Γrf}) of Fig. 21 holds
for this single execution ξ. By completeness in Th. 2, the strongest
such inductive invariant Sind (Γ, {Γrf}) ≜ αinv({ξ}) exists and sat-
isﬁes the interpretation of the initialisation (7.2), sequential (7.3),
non-interference (7.4), and communication (7.5) veriﬁcation con-
ditions of Sect. 7. The contradiction is that this is not the case.
(This reasoning is not possible with (Owicki and Gries 1976; Lam-
port 1977) since the inductive invariant holds for communications
wired in the interleaved semantics hence in the veriﬁcation con-
ditions. If every execution ultimately never reaches some critical
section, the conclusion is that some execution ultimately reaches
the critical section. This does not mean non-starvation, which is to
show that every execution ultimately reaches the critical section.
The difﬁculty with (Owicki and Gries 1976; Lamport 1977) is to
prove liveness using sets of states (Pnueli et al. 2005; Podelski and
Rybalchenko 2005). Here the reasoning is on only one erroneous
execution, which is shown impossible. Moreover, we don’t need a
ranking function on a well-founded set (Pnueli et al. 2005) since
there are only two processes with a ﬁxed scheduling). Let us con-
sider two of these cases.
• Assume process P1 never enters its critical section on the erro-
neous execution ξ. Since process P1 never enters its critical section
on this execution ξ, the strongest inductive invariant Sinv (Γ, {Γrf})
is false at{28} hence false at{28, 29, 30, 31}. So ¬r1Rf1ℓ[Γrf ]
hence r0Rf1ℓ[Γrf ] holds. By the (satisfaction) veriﬁcation condi-
tion the read at{26} must be from a reachable write of value 0
to flag1. The only possible one at{28} is not reachable so this
strongest inductive invariant Sinv (Γ, {Γrf}) cannot satisfy the veri-ﬁcation conditions, the desired contradiction.
• Assume process P0 never enters its critical section on the erro-
neous execution ξ. The strongest inductive invariant Sinv (Γ, {Γrf})
is false at{8} (hence at{8, 9, 10, 11}).
So by the invariant at{7} must have ¬r1Rf0i[Γrf ] and so
r1Rl0iki [Γrf ] ∧ r0Rf0i[Γrf ].
By def. of r1Rl0iji [Γrf ]≜ ∃ℓ30 ∈ N . rf⟨L0iji , ⟨30:, ℓ30, 1⟩⟩ ∈
Γrf ∧ L0iji = 1, the read of 1 at{3} is from at{30}, which cannot
be unreachable by the previous case. By def. of r1Rl1ℓmℓ [Γrf ] ≜
(rf⟨L1ℓmℓ , ⟨0:, , 1⟩⟩ ∈ Γrf ∧L1ℓmℓ = 1)∨ (∃i10 ∈ N . rf⟨L1ℓmℓ ,
⟨10:, i10, 1⟩⟩ ∈ Γrf ∧ L1ℓmℓ = 1) the read of 1 at{23} is from
at{0} since at{10} is unreachable.
By def. of r0Rf0i[Γrf ], the read of 0 at{6} has only two possib-
ilities (i.e., a read from 0 or from 8).
1. Either rf⟨F0i, ⟨0:, , 0⟩⟩ ∈ Γrf ∧ F0i = 0, which is the
scenario of Fig. 20. This is prevented using LISA fences with
the following cat speciﬁcation.
with co from AllCo
let fencerel(S) = ((po&( *S));po)&fromto(S)
let Fdep = F & tag2events(’fdep)
let deps = fencerel(Fdep) & (R * )
let Flw = F & tag2events(’flw)
let flw = fencerel(Flw)
let fcs = deps | flw
let fr = rf^-1;co
let fre = fr & ext
acyclic fre;fcs;rfe;fcs
2. Or ∃i8 ∈ N . rf⟨F0i, ⟨8:, i8, 0⟩⟩ ∈ Γ ∧ F0i = 0, but
the read is from an unreachable write (in the critical section
of P0 assumed to be never entered on execution ξ), which is
impossible by the (satisfaction) veriﬁcation condition.
This LISA fence can be implemented for SC (fences = po), TSO
(fences = po, this incorrect communication for PostgreSQL is
natively forbidden in TSO without using mfence), for PowerPC
(deps = addr | data flw = lwsync), and ARM (flw = dmb |
dsb). Other cases are handled similarly, the ﬁnal result cumulates
all LISA fences.
14. Conclusion and Perspectives
We introduced a new style of analytic speciﬁcation of parallel pro-
gram semantics decomposed into (a) an anarchic semantics with
true parallelism and separate communications and (b) consistency
requirements on communications (e.g. with labelised synchroniza-
tion markers in cat).
This leads to a new style of invariance speciﬁcation for arbitrary
weak consistency models using pythia variables and a communic-
ation relation to denote communicated values. This allows us to
consider arbitrary subsets of the anarchic communications hence
of the anarchic executions.
By calculational design using an invariance abstraction of the
analytic semantics, we designed a new sound and complete con-
ditional invariance proof method (where the communication hypo-
theses are expressed as an invariant) and a new sound and complete
inclusion proof method (to prove the communication hypotheses
valid for a consistency requirement e.g. in cat).
This leads to a new way of designing portable concurrent pro-
grams, by porting programs and their proofs from one architecture
to another with different architectural speciﬁcations by refencing.
Other proof methods can be derived by applying the proof
method transformations of (Cousot and Cousot 1982) e.g. back-
ward reasonings or by reductio ad absurdum. Alternative, more
modular, proof methods can de designed in the same vein, such
as rely-guarantee (Coleman and Jones 2007; Mine´ 2014), Induct-
ive Data Flow Graphs to suppress irrelevant details of an invariance
proof (Farzan et al. 2013), or Separation logic (O’Hearn 2007).
References
M. Abadi and L. Lamport. The existence of reﬁnement mappings. Theor.
Comput. Sci., 82(2):253–284, 1991.
M. Ahamad, G. Neiger, J. E. Burns, P. Kohli, and P. W. Hutto. Causal
memory: Deﬁnitions, implementation, and programming. Distributed
Computing, 9(1):37–49, 1995.
J. Alglave. A Shared Memory Poetics. PhD thesis, Universite´ Paris 7, 2010.
J. Alglave. A formal hierarchy of weak memory models. Form. Methods
Syst. Des. (2012) 41:178210.
J. Alglave and P. Cousot. Syntax and analytic semantics of LISA. CoRR,
abs/1608.06583, 2016. URL http://arxiv.org/abs/1608.06583.
J. Alglave and L. Maranget. herd7. virginia.cs.ucl.ac.uk/herd, 31
Aug. 2015.
J. Alglave, D. Kroening, V. Nimal, andM. Tautschnig. Software veriﬁcation
for weak memory via program transformation. ESOP 2013, LNCS 7792,
512–532. Springer, 2013.
J. Alglave, P. Cousot, and L. Maranget. Syntax and semantics of the weak
consistency model speciﬁcation language cat. CoRR, abs/1608.07531,
2016. URL http://arxiv.org/abs/1608.07531.
M. F. Atig, A. Bouajjani, S. Burckhardt, and M. Musuvathi. On the
veriﬁcation problem for weak memory models. ACMPOPL 2010 , 7–18.
M. F. Atig, A. Bouajjani, and G. Parlato. Getting rid of store-buffers in TSO
analysis. CAV 2011, LNCS 6806, 99–115. Springer, 2011.
R. Back and J. von Wright. Reﬁnement concepts formalised in higher order
logic. Formal Asp. Comput., 2(3):247–272, 1990.
G. Barthe, C. Kunz, and J. L. Sacchini. Certiﬁed reasoning in memory
hierarchies. APLAS 2008, LNCS 5356, 75–90. Springer, 2008.
M. Batty, M. Dodds, and A. Gotsman. Library abstraction for C/C++
concurrency. In Giacobazzi and Cousot (2013), 235–248.
R. Bodı´k and R. Majumdar, editors. ACM Proceedings of POPL 2016.
R. Bornat, J. Alglave, and M. J. Parkinson. New lace and arsenic: adven-
tures in weak memory with a program logic. CoRR, abs/1512.01416,
2015. URL http://arxiv.org/abs/1512.01416.
G. Boudol, G. Petri, and B. P. Serpette. Relaxed operational semantics of
concurrent programming languages. EXPRESS/SOS 2012, 19–33, 2012.
S. D. Brookes. A denotational approach to weak memory concurrency.
MFPS XXXII, LNCS. Springer, 2016.
S. Burckhardt and M. Musuvathi. Effective program veriﬁcation for relaxed
memory models. CAV 2008, LNCS 5123, 107–120. Springer, 2008.
S. Burckhardt, R. Alur, and M. M. K. Martin. Bounded model checking of
concurrent data types on relaxed memory models: A case study. CAV
2006, LNCS 4144, 489–502. Springer, 2006.
S. Burckhardt, R. Alur, and M. M. K. Martin. Checkfence: checking
consistency of concurrent data types on relaxed memory models. ACM
PLDI 2007, 12–21.
E. Cohen. Coherent causal memory. CoRR, abs/1404.2187, 2014. URL
http://arxiv.org/abs/1404.2187.
E. Cohen and B. Schirmer. From total store order to sequential consist-
ency: A practical reduction theorem. ITP 2010, LNCS 6172, 403–418.
Springer, 2010.
J. W. Coleman and C. B. Jones. A structural proof of the soundness of
rely/guarantee rules. J. Log. Comput., 17(4):807–841, 2007.
S. A. Cook. Soundness and completeness of an axiom system for program
veriﬁcation. SIAM J. Comput., 7(1):70–90, 1978.
S. A. Cook. Corrigendum: Soundness and completeness of an axiom system
for program veriﬁcation. SIAM J. Comput., 10(3):612, 1981.
P. Cousot. Semantic foundations of program analysis. In Program Flow
Analysis: Theory and Applications, 303–342, Prentice-Hall, 1981.
P. Cousot and R. Cousot. Reasoning about program invariance proof meth-
ods. Res. rep. CRIN-80-P050, Centre de Recherche en Informatique
de Nancy (CRIN), Institut National Polytechnique de Lorraine, Nancy,
France, July 1980.
P. Cousot and R. Cousot. Induction principles for proving invariance
properties of programs. In Tools & Notions for Program Construction:
an Advanced Course, 75–119. CUP, Cambridge, UK, 1982.
P. Cousot, R. Cousot, and R. Giacobazzi. Abstract interpretation of
resolution-based semantics. Theor. Comput. Sci., 410(46):4724–4746,
2009.
K. Crary and M. J. Sullivan. A calculus for relaxed memory. In Rajamani
and Walker (2015), 623–636.
A. M. Dan, Y. Meshman, M. T. Vechev, and E. Yahav. Effective abstractions
for veriﬁcation under relaxed memory models. VMCAI 2015, LNCS
8931, 449–466. Springer, 2015.
T. D’Hondt, editor. ECOOP 2010, LNCS 6183, 2010. Springer.
T. Dinsdale-Young, M. Dodds, P. Gardner, M. J. Parkinson, and V. Vafei-
adis. Concurrent abstract predicates. In D’Hondt (2010), 504–528.
M. Dodds, A. Haas, and C. M. Kirsch. A scalable, correct time-stamped
stack. In Rajamani and Walker (2015), 233–246.
M. Doko and V. Vafeiadis. A program logic for C11 memory fences.
VMCAI 2016, LNCS 9583, 413–430. Springer, 2016.
A. Farzan, Z. Kincaid, and A. Podelski. Inductive data ﬂow graphs. In
Giacobazzi and Cousot (2013), 129–142.
R. W. Floyd. Assigning meaning to programs. Proc. Symp. in Applied
Math., volume 19, 19–32. Amer. Math. Soc., 1967.
R. Giacobazzi and R. Cousot, editors. ACM Proceedings of POPL 2013.
A. Gotsman, H. Yang, C. Ferreira, M. Najafzadeh, and M. Shapiro. ’cause
i’m strong enough: reasoning about consistency choices in distributed
systems. In Bodı´k and Majumdar (2016), 371–384.
I. Grief. Semantics of communicating parallel processes. PhD thesis,
Massachusetts Institute of Technology. Dept. of Electrical Engineering
and Computer Science, Sept. 1975. URL https://dspace.mit.edu/
handle/1721.1/57710.
C. A. R. Hoare. An axiomatic basis for computer programming. Commun.
ACM, 12(10):576–580, 1969.
A. L. Hosking, P. T. Eugster, and C. V. Lopes, editors. ACM Proceedings of
OOPSLA 2013.
R. Jung, R. Krebbers, L. Birkedal, and D. Dreyer. Higher-order ghost state.
ICFP 2016, 256–269.
V. Klebanov. A jmm-faithful non-interference calculus for Java. FIDJI
2004, LNCS 3409, 101–111. Springer, 2004.
O. Lahav and V. Vafeiadis. Owicki-Gries reasoning for weak memory
models. ICALP 2015, LNCS 9135, 311–323. Springer, 2015.
O. Lahav, N. Giannarakis, and V. Vafeiadis. Taming release-acquire con-
sistency. In Bodı´k and Majumdar (2016), 649–662.
L. Lamport. Proving the correctness of multiprocess programs. IEEE Trans.
Software Eng., 3(2):125–143, 1977.
L. Lamport. How to make a multiprocessor computer that correctly executes
multiprocess programs. IEEE Trans. Computers, 28(9):690–691, 1979.
L. Lamport. How to make a correct multiprocess program execute correctly
on a multiprocessor. IEEE Trans. Computers, 46(7):779–782, 1997.
A. Mine´. Static analysis of run-time errors in embedded real-time parallel
C programs. Logical Methods in Computer Science, 8(1), 2012.
A. Mine´. Relational thread-modular static value analysis by abstract inter-
pretation. VMCAI 2014, LNCS 8318, 39–58. Springer, 2014.
M. O. Myreen and M. J. C. Gordon. Hoare logic for realistically modelled
machine code. TACAS 2007, LNCS 4424, 568–582. Springer, 2007.
M. O. Myreen, A. C. J. Fox, and M. J. C. Gordon. Hoare logic for ARM
machine code. FSEN 2007, LNCS 4767, 272–286. Springer, 2007.
M. Najafzadeh, A. Gotsman, H. Yang, C. Ferreira, and M. Shapiro. The
CISE tool: proving weakly-consistent applications correct. ACM PaPo-
CEuroSys 2016, 2:1–2:3.
P. Naur. Proofs of algorithms by general snapshots. BIT, 6:310–316, 1966.
B. Norris and B. Demsky. CDSCHECKER: checking concurrent data struc-
tures written with C/C++ atomics. In Hosking et al. (2013), 131–150.
P. W. O’Hearn. Resources, concurrency, and local reasoning. Theor.
Comput. Sci., 375(1-3):271–307, 2007.
S. Owens. Reasoning about the implementation of concurrency abstractions
on x86-tso. In D’Hondt (2010), 478–503.
S. S. Owicki and D. Gries. An axiomatic proof technique for parallel
programs I. Acta Inf., 6:319–340, 1976.
J. Palsberg and M. Abadi, editors. ACM Proceedings of POPL 2005.
G. L. Peterson. Myths about the mutual exclusion problem. Inf. Process.
Lett., 12(3):115–116, 1981.
A. Pnueli, A. Podelski, and A. Rybalchenko. Separating fairness and well-
foundedness for the analysis of fair discrete systems. TACAS, LNCS
3440, 124–139. Springer, 2005.
A. Podelski and A. Rybalchenko. Transition predicate abstraction and fair
termination. In Palsberg and Abadi (2005), 132–144.
S. K. Rajamani and D. Walker, editors. ACM Proceedings of POPL 2015.
D. Shasha and M. Snir. Efﬁcient and correct execution of parallel programs
that share memory. ACM Trans. Program. Lang. Syst., 10(2):282–312,
1988.
F. Sieczkowski, K. Svendsen, L. Birkedal, and J. Pichon-Pharabod. A
separation logic for ﬁctional sequential consistency. ESOP 2015, LNCS
9032, 736–761. Springer, 2015.
J. Tassarotti, D. Dreyer, and V. Vafeiadis. Verifying read-copy-update in a
logic for weak memory. ACM PLDI 2015, 110–120.
A. M. Turing. Checking a large routine. Report of a Conference on
High Speed Automatic Calculating Machines, Mathematical Laborat-
ory, Cambridge, UK, 67–69, 24 June 1949. Reproduced as “An early
program proof by Alan Turing”, in F.L. Morris and C.B. Jones (Eds),
Annals of the History of Computing, Vol. 6, Apr. 1984, http://www.
turingarchive.org/browse.php/B/8.
A. Turon, V. Vafeiadis, and D. Dreyer. GPS: navigating weak memory with
ghosts, protocols, and separation. In ACM OOPSLA 2014, 691–707.
V. Vafeiadis and C. Narayan. Relaxed separation logic: a program logic for
C11 concurrency. In Hosking et al. (2013), 867–884.
I. Wehrman and J. Berdine. A proposal for weak-memory local reasoning.
LOLA workshop, volume 11, 55–70, 2011.
Scom1 ≜ ¬(∃i, ki, ℓ, nℓ, ℓ30, ℓ29 ∈ N . Γ ∈ Γ ∧ rf⟨L0iki , ⟨30:,
ℓ30, 1⟩⟩ ∈ Γ ∧ rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ∧ rf⟨L1ℓnℓ ,
⟨0:, , 1⟩⟩ ∈ Γ ∧ rf⟨F1ℓ, ⟨0:, , 1⟩⟩ ∈ Γ
Scom2 ≜ ¬(∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i9 ∈ N . Γ ∈ Γ ∧ rf⟨L0iki , ⟨30:,
ℓ30, 1⟩⟩ ∈ Γ ∧ rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ∧ rf⟨L1ℓnℓ ,
⟨0:, , 1⟩⟩ ∈ Γ ∧ rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ ∈ Γ
Scom3 ≜ ¬(∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i10 ∈ N . Γ ∈ Γ∧rf⟨L0iki , ⟨30:,
ℓ30, 1⟩⟩ ∈ Γ ∧ rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ∧ rf⟨L1ℓnℓ ,
⟨10:, i10, 1⟩⟩ ∈ Γ ∧ rf⟨F1ℓ, ⟨0:, , 1⟩⟩ ∈ Γ
Scom4 ≜ ¬(∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i10, i9 ∈ N . Γ ∈ Γ ∧ rf⟨L0iki ,
⟨30:, ℓ30, 1⟩⟩ ∈ Γ ∧ rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ∧
rf⟨L1ℓnℓ , ⟨10:, i10, 1⟩⟩ ∈ Γ ∧ rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ ∈ Γ
Figure 18: Communication speciﬁcation for PostgreSQL
(¬Sinv (Γ, Γ)) ∧ Sind (Γ, Γ)
≜ at{8} ∧ at{28} ∧ Sind (Γ, Γ) �def. invariance speciﬁcation Sinv �
⇒ at{8} ∧ at{28} ∧ (∃i, ki, ℓ, nℓ ∈ N . Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧
r1Rf0i[Γ ] ∧ r1Rl1ℓnℓ [Γ ] ∧ r1Rf1
ℓ[Γ ]) �by invariant Sind (Γ, Γ)�
⇒ at{8} ∧ at{28} ∧ (∃i, ki, ℓ, nℓ, ℓ30, ℓ29 ∈ N . Γ ∈ Γ ∧ (rf⟨L0iki ,
⟨30:, ℓ30, 1⟩⟩ ∈ Γ ) ∧ (rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ) ∧ (rf⟨L1ℓnℓ ,
⟨0:, , 1⟩⟩ ∈ Γ ) ∧ (rf⟨F1ℓ, ⟨0:, , 1⟩⟩ ∈ Γ )
)
∨(
∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i9 ∈ N . Γ ∈ Γ ∧ (rf⟨L0iki , ⟨30:, ℓ30,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ) ∧ (rf⟨L1ℓnℓ , ⟨0:, ,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ ∈ Γ )
)
∨(
∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i10 ∈ N . Γ ∈ Γ ∧ (rf⟨L0iki , ⟨30:, ℓ30,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ) ∧ (rf⟨L1ℓnℓ , ⟨10:, i10,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F1ℓ, ⟨0:, , 1⟩⟩ ∈ Γ )
)
∨(
∃i, ki, ℓ, nℓ, ℓ30, ℓ29, i10, i9 ∈ N . Γ ∈ Γ ∧ (rf⟨L0iki , ⟨30:, ℓ30,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ) ∧ (rf⟨L1ℓnℓ , ⟨10:, i10,
1⟩⟩ ∈ Γ ) ∧ (rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ ∈ Γ )
)
�def. r1Rl0iki [Γ ], r1Rf0
i[Γ ], r1Rl1ℓnℓ [Γ ], and r1Rf1
ℓ[Γ ], rf⟨xθ,
⟨ℓ:, θ′, v⟩⟩ implies that xθ = v, A ∧ (B ∨ C) = (A ∧B) ∨
(A ∧ C), ∃ distributes over ∨, and (∃x . A(x)) ∧ B = ∃x .
(A(x) ∧B) when x is not free in B�
⇒ at{8} ∧ at{28} ∧ (¬Scom1 (Γ, Γ)∨¬Scom2 (Γ, Γ)∨¬Scom3 (Γ, Γ)∨¬Scom4 (Γ, Γ))
⇒ ¬Scom (Γ, Γ)
by deﬁning Scom (Γ, Γ) ≜ (at{8} ∧ at{28}) ⇒ (Scom1 (Γ, Γ) ∧
Scom2 (Γ, Γ)∧Scom3 (Γ, Γ)∧Scom4 (Γ, Γ)) and the Scomi (Γ, Γ) as in Fig. 18.
Figure 19: Calculational design of Scom for PostgreSQL
{0: w latch0 0; w latch1 1;
w flag0 0; w flag1 1;}
3: r Rl0 latch0 1 23: r Rl1 latch1 1
5: w latch0 0 25: w latch1 0
fence[fdep] {3:} {6:}
6: r Rf0 flag0 1 26: r Rf1 flag1 1
! 8: (* critical section *) ! 28: (* critical section *)
w flag1 0
29: w flag0 1
fence[flw] {29:} {30:}
30: w latch0 1
31:
 rf�-1
 rf�-1 {0: w latch0 0; w latch1 1;
w flag0 0; w flag1 1;}
3: r Rl0 latch0 1 23: r Rl1 latch1 1
5: w latch0 0 25: w latch1 0
f[fdep] {3:} {6:} 26:
! 6: r Rf0 flag0 0 r Rf1 flag1 1
7: ... 28: (* critical section *)
w flag1 0
29: w flag0 1
f[flw] {29:} {30:}
30: w latch0 1
! 31: ...
rf
rf
co
fre fcs
fcs
counter-example to Scom1 counter-example to non-starvation
Figure 20: Counter-examples to PostgreSQL with WCM
Supported in part by NSF Grant CCF-1617717.
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {Γ ∈ Γ} 21:{Γ ∈ Γ}
do {i} do {ℓ}
2: {Γ ∈ Γ} 22: {Γ ∈ Γ}
do {ji} do {mℓ}
3: {Γ ∈ Γ} 23: {Γ ∈ Γ}
r[] Rl0 latch0 {❀ L0iji} r[] Rl1 latch1 {❀ L1ℓmℓ}
4: {Γ ∈ Γ ∧ Rl0 = L0iji ∧ (r0Rl0iji [Γ ] ∨ r1Rl0iji [Γ ])} 24: {Γ ∈ Γ∧Rl1 = L1ℓmℓ∧(r0Rl1ℓmℓ [Γ ]∨r1Rl1ℓmℓ [Γ ])}
while (Rl0=0) {ki} while (Rl1=0) {nℓ}
5: {Γ ∈ Γ ∧ r1Rl0iki [Γ ]} 25: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ]}
w[] latch0 0 w[] latch1 0
6: {Γ ∈ Γ ∧ r1Rl0iki [Γ ]} 26: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ]}
r[] Rf0 flag0 {❀ F0i} r[] Rf1 flag1 {❀ F1ℓ}
7: {Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧ Rf0 = F0i
∧ (r0Rf0i[Γ ] ∨ r1Rf0i[Γ ])}
27: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ] ∧ Rf1 = F1ℓ
∧ (r0Rf1ℓ[Γ ] ∨ r1Rf1ℓ[Γ ])}
if (Rf0̸=0) then if (Rf1̸=0) then
8: {Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧ r1Rf0i[Γ ]} 28: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ] ∧ r1Rf1ℓ[Γ ]}
(* critical section *) (* critical section *)
w[] flag0 0 w[] flag1 0
9: {Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧ r1Rf0i[Γ ]} 29: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ] ∧ r1Rf1ℓ[Γ ]}
w[] flag1 1 w[] flag0 1
10: {Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧ r1Rf0i[Γ ]} 30: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ] ∧ r1Rf1ℓ[Γ ]}
w[] latch1 1 w[] latch0 1
11: {Γ ∈ Γ ∧ r1Rl0iki [Γ ] ∧ r1Rf0i[Γ ]} 31: {Γ ∈ Γ ∧ r1Rl1ℓnℓ [Γ ] ∧ r1Rf1ℓ[Γ ]}
fi fi
12: {Γ ∈ Γ} 32: {Γ ∈ Γ}
while true while true
13:{false} 33:{false}
Invariants:
r0Rl0iji [Γ ] ≜ (rf⟨L0iji , ⟨0:, , 0⟩⟩ ∈ Γ ∧ L0iji = 0) ∨ (∃i5 ∈ N . rf⟨L0iji , ⟨5:, i5, 0⟩⟩ ∈ Γ ∧ L0iji = 0)
r1Rl0iji [Γ ] ≜ (∃ℓ30 ∈ N . rf⟨L0iji , ⟨30:, ℓ30, 1⟩⟩ ∈ Γ ∧ L0iji = 1)
r0Rf0i[Γ ] ≜ (rf⟨F0i, ⟨0:, , 0⟩⟩ ∈ Γ ∧ F0i = 0) ∨ (∃i8 ∈ N . rf⟨F0i, ⟨8:, i8, 0⟩⟩ ∈ Γ ∧ F0i = 0)
r1Rf0i[Γ ] ≜ (∃ℓ29 ∈ N . rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ ∈ Γ ∧ F0i = 1)
r0Rl1ℓmℓ [Γ ] ≜ (∃ℓ25 ∈ N . rf⟨L1ℓmℓ , ⟨25:, ℓ25, 0⟩⟩ ∈ Γ ∧ L1ℓmℓ = 0)
r1Rl1ℓmℓ [Γ ] ≜ (rf⟨L1ℓmℓ , ⟨0:, , 1⟩⟩ ∈ Γ ∧ L1ℓmℓ = 1) ∨ (∃i10 ∈ N . rf⟨L1ℓmℓ , ⟨10:, i10, 1⟩⟩ ∈ Γ ∧ L1ℓmℓ = 1)
r0Rf1ℓ[Γ ] ≜ (∃m28 ∈ N . rf⟨F1ℓ, ⟨28:, m28, 0⟩⟩ ∈ Γ ∧ F1ℓ = 0)
r1Rf1ℓ[Γ ] ≜ (rf⟨F1ℓ, ⟨0:, , 1⟩⟩ ∈ Γ ∧ F1ℓ = 1) ∨ (∃i9 ∈ N . rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ ∈ Γ ∧ F1ℓ = 1)
Communications:
RL0iji ≜ {rf⟨L0iji , ⟨0:, , 0⟩⟩, rf⟨L0iji , ⟨5:, i5, 0⟩⟩, rf⟨L0iji , ⟨30:, ℓ30, 1⟩⟩ | i5 ∈ N ∧ ℓ30 ∈ N}
RF0i ≜ {rf⟨F0i, ⟨0:, , 0⟩⟩, rf⟨F0i, ⟨8:, i8, 0⟩⟩, rf⟨F0i, ⟨29:, ℓ29, 1⟩⟩ | i8 ∈ N ∧ ℓ29 ∈ N}
RL1ℓmℓ ≜ {rf⟨L1ℓmℓ , ⟨0:, , 1⟩⟩, rf⟨L1ℓmℓ , ⟨25:, ℓ25, 0⟩⟩, rf⟨L1ℓmℓ , ⟨10:, i10, 1⟩⟩ | ℓ25 ∈ N ∧ i10 ∈ N}
RF1ℓ ≜ {rf⟨F1ℓ, ⟨0:, , 1⟩⟩, rf⟨F1ℓ, ⟨28:, ℓ28, 0⟩⟩, rf⟨F1ℓ, ⟨9:, i9, 1⟩⟩ | ℓ28 ∈ N ∧ i9 ∈ N}
Anarchic communications:
Γ = {{rl0iji , rf0i, rl1ℓmℓ , rf1ℓ | i ∈ N ∧ ji ∈ [0, ki] ∧ ℓ ∈ N ∧ j ∈ [0, nℓ]} | ∀i ∈ N . ∀ji ∈ [1, ki] . rl0iji ∈ RL0iji ∧ rf0i ∈ RF0i ∧ ∀ℓ ∈
N . ∀mℓ ∈ [1,mℓ] . rl1ℓmℓ ∈ RL1ℓmℓ ∧ rf1ℓ ∈ RF1ℓ}
Figure 21: Inductive invariant Sind (Γ, Γ) of PostgreSQL (under hypothesis Scom (Γ, Γ) ≜ (Γ ∈ Γ ), Γ ⊆ Γ )
