Robustness Against Transactional Causal Consistency by Beillahi, Sidi Mohamed et al.
ar
X
iv
:1
90
6.
12
09
5v
1 
 [c
s.P
L]
  2
8 J
un
 20
19
Robustness Against Transactional Causal Consistency
Sidi Mohamed Beillahi, Ahmed Bouajjani, and Constantin Enea
IRIF, University Paris Diderot & CNRS
{beillahi,abou,cenea}@irif.fr
Abstract
Distributed storage systems and databases are widely used by various types of applications. Transac-
tional access to these storage systems is an important abstraction allowing application programmers
to consider blocks of actions (i.e., transactions) as executing atomically. For performance reasons,
the consistency models implemented by modern databases are weaker than the standard serial-
izability model, which corresponds to the atomicity abstraction of transactions executing over a
sequentially consistent memory. Causal consistency for instance is one such model that is widely
used in practice.
In this paper, we investigate application-specific relationships between several variations of
causal consistency and we address the issue of verifying automatically if a given transactional pro-
gram is robust against causal consistency, i.e., all its behaviors when executed over an arbitrary
causally consistent database are serializable. We show that programs without write-write races
have the same set of behaviors under all these variations, and we show that checking robustness is
polynomial time reducible to a state reachability problem in transactional programs over a sequen-
tially consistent shared memory. A surprising corollary of the latter result is that causal consistency
variations which admit incomparable sets of behaviors admit comparable sets of robust programs.
This reduction also opens the door to leveraging existing methods and tools for the verification
of concurrent programs (assuming sequential consistency) for reasoning about programs running
over causally consistent databases. Furthermore, it allows to establish that the problem of checking
robustness is decidable when the programs executed at different sites are finite-state.
2012 ACM Subject Classification General and reference → General literature; General and refer-
ence
Keywords and phrases Distributed Systems, Causal Consistency, and Model Checking
1 Introduction
Distribution and replication are widely adopted in order to implement storage systems and
databases offering performant and available services. The implementations of these systems
must ensure consistency guarantees allowing to reason about their behaviors in an abstract
and simple way. Ideally, programmers of applications using such systems would like to have
strong consistency guarantees, i.e., all updates occurring anywhere in the system are seen
immediately and executed in the same order by all sites. Moreover, application programmers
also need an abstract mechanism such as transactions, ensuring that blocks of actions (writes
and reads) of a site can be considered as executing atomically without interferences from
actions of other sites. For transactional programs, the consistency model offering strong
consistency is serializability [36], i.e., every computation of a program is equivalent to an-
other one where transactions are executed serially one after another without interference.
In the non-transactional case this model corresponds to sequential consistency (SC) [30].
However, while serializability and SC are easier to apprehend by application programmers,
their enforcement (by storage systems implementors) requires the use of global synchroniz-
ation between all sites, which is hard to achieve while ensuring availability and acceptable
performances [23, 24]. For this reason, modern storage systems ensure weaker consistency
guarantees. In this paper, we are interested in studying causal consistency [29].
Causal consistency is a fundamental consistency model implemented in several produc-
tion databases, e.g., AntidoteDB, CockroachDB, and MongoDB, and extensively studied in
the literature [7, 22, 32, 33, 38]. Basically, when defined at the level of actions, it guarantees
2 Robustness Against Transactional Causal Consistency
t1 [z = 1
x = 1]
t2 [y = 1]
||
t3 [x = 2
r1 = z] //0
t4 [r2 = y //1
r3 = x] //2
(a) CCv but not CM.
t1 [x = 1]
t2 [r1 = x] //2 ||
t3 [x = 2]
t4 [r2 = x] //1
(b) CM but not CCv.
t1 [x = 2] ||
t2 [x = 1]
t3 [r1 = x] //2
t4 [r2 = x] //1
(c) CC but not CM nor CCv.
Figure 1 Program computations showing the relationship between CC, CCv and CM. Transactions
are delimited using brackets and the transactions issued on the same site are aligned vertically. The
values read in a transaction are given in comments.
that every two causally related actions, say a1 is causally before (i.e., it has an influence on)
a2, are executed in that same order, i.e., a1 before a2, by all sites. The sets of updates visible
to different sites may differ and read actions may return values that cannot be obtained in
SC executions. The definition of causal consistency can be lifted to the level of transactions,
assuming that transactions are visible to a site in their entirety (i.e., all their updates are
visible at the same time), and they are executed by a site in isolation without interference
from other transactions. In comparison to serializability, causal consistency allows that con-
flicting transactions, i.e., which read or write to a common location, be executed in different
orders by different sites as long as they are not causally related. Actually, we consider
three variations of causal consistency introduced in the literature, weak causal consistency
(CC) [13, 37], causal memory (CM) [3, 37], and causal convergence (CCv) [17].
The weakest variation of causal consistency, namely CC, allows speculative executions
and roll-backs of transactions which are not causally related (concurrent). For instance, the
computation in Fig. 1c is only feasible under CC: the site on the right applies t2 after t1
before executing t3 and roll-backs t2 before executing t4. CCv and CM offer more guarantees.
CCv enforces a total arbitration order between all transactions which defines the order in
which delivered concurrent transactions are executed by every site. This guarantees that all
sites reach the same state when all transactions are delivered. CM ensures that all values
read by a site can be explained by an interleaving of transactions consistent with the causal
order, enforcing thus PRAM consistency [31] on top of CC. Contrary to CCv, CM allows
that two sites diverge on the ordering of concurrent transactions, but both models do not
allow roll-backs of concurrent transactions. Thus, CCv and CM are incomparable in terms of
computations they admit. The computation in Fig. 1a is not admitted by CM because there
is no interleaving of those transactions that explains the values read by the site on the right:
reading 0 from z implies that the transactions on the left must be applied after t3 while
reading 1 from y implies that both t1 and t2 are applied before t4 which contradicts reading
2 from x. However, this computation is possible under CCv because t1 can be delivered to
the right after executing t3 but arbitrated before t3, which implies that the write to x in
t1 will be lost. The CM computation in Fig. 1b is not possible under CCv because there is
no arbitration order that could explain both reads from x.
As a first contribution of our paper, we show that the three causal consistency semantics
coincide for transactional programs containing no write-write races, i.e., concurrent trans-
actions writing on a common variable. We also show that if a transactional program has a
write-write race under one of these semantics, then it must have a write-write race under
any of the other two semantics. This property is rather counter-intuitive since CC is strictly
weaker than both CCv and CM, and CCv and CM are incomparable (in terms of admitted beha-
viors). Notice that each of the computations in Figures 1b, 1a, and 1c contains a write-write
race which explains why none of these computations is possible under all three semantics.
Then, we investigate the problem of checking robustness of application programs against
causal consistency relaxations: Given a program P and a causal consistency variation X ,
we say that P is robust against X if the set of computations of P when running under
S.M. Beillahi, A. Bouajjani, and C. Enea 3
X is the same as its set of computations when running under serializability. This means
that it is possible to reason about the behaviors of P assuming the simpler serializability
model and no additional synchronization is required when P runs under X such that it
maintains all the properties satisfied under serializability. Checking robustness is not trivial,
it can be seen as a form of checking program equivalence. However, the equivalence to
check is between two versions of the same program, obtained using two different semantics,
one more permissive than the other one. The goal is to check that this permissiveness
has actually no effect on the particular program under consideration. The difficulty in
checking robustness is to apprehend the extra behaviors due to the reorderings introduced
by the relaxed consistency model w.r.t. serializability. This requires a priori reasoning
about complex order constraints between operations in arbitrarily long computations, which
may need maintaining unbounded ordered structures, and make the problem of checking
robustness hard or even undecidable.
We show that verifying robustness of transactional programs against causal consistency
can be reduced in polynomial time to the reachability problem in concurrent programs over
SC. This allows to reason about distributed applications running on causally consistent
storage systems using the existing verification technology and it implies that the robustness
problem is decidable for finite-state programs; the problem is PSPACE-complete when the
number of sites is fixed, and EXPSPACE-complete otherwise. This is the first result on the
decidability and complexity of verifying robustness against causal consistency. In fact, the
problem of verifying robustness has been considered in the literature for several consistency
models of distributed systems, including causal consistency [11, 15, 16, 19, 34]. These
works provide (over- or under-)approximate analyses for checking robustness, but none of
them provides precise (sound and complete) algorithmic verification methods for solving this
problem, nor addresses its decidability and complexity.
The approach we adopt for tackling this verification problem is based on a precise char-
acterization of the set of robustness violations, i.e., executions that are causally consistent
but not serializable. For both CCv and CM, we show that it is sufficient to search for a
special type of robustness violations, that can be simulated by serial (SC) computations
of an instrumentation of the original program. These computations maintain the informa-
tion needed to recognize the pattern of a violation that would have occurred in the original
program under a causally consistent semantics (executing the same set of operations). A
surprising consequence of these results is that a program is robust against CM iff it is robust
against CC, and robustness against CM implies robustness against CCv. This shows that the
causal consistency variations we investigate can be incomparable in terms of the admitted
behaviors, but comparable in terms of the robust applications they support.
The complete formalizations and proofs are given in the Appendix.
2 Causal Consistency
Program syntax. We consider a simple programming language where a program is parallel
composition of processes distinguished using a set of identifiers P. Each process is a sequence
of transactions and each transaction is a sequence of labeled instructions. Each transaction
starts with a begin instruction and finishes with an end instruction. Each other instruction
is either an assignment to a process-local register from a set R or to a shared variable from
a set V, or an assume statement. The assignments use values from a data domain D. An
assignment to a register 〈reg〉 := 〈var〉 is called a read of 〈var〉 and an assignment to a
shared variable 〈var〉 := 〈reg-expr〉 is called a write to 〈var〉 (〈reg-expr〉 is an expression
over registers). The statement assume 〈bexpr〉 blocks the process if the Boolean expression
4 Robustness Against Transactional Causal Consistency
〈bexpr〉 over registers is false. Each instruction is followed by a goto statement which defines
the evolution of the program counter. Multiple instructions can be associated with the same
label which allows us to write non-deterministic programs and multiple goto statements
can direct the control to the same label which allows us to mimic imperative constructs like
loops and conditionals. We assume that the control cannot pass from one transaction to
another without going as expected through begin and end instructions.
Causal memory (CM) semantics. Informally, the semantics of a program under causal
memory is defined as follows. The shared variables are replicated across each process, each
process maintaining its own local valuation of these variables. During the execution of a
transaction in a process, the shared-variable writes are stored in a transaction log which
is visible only to the process executing the transaction and which is broadcasted to all the
other processes at the end of the transaction1. To read a shared variable x, a process p
first accesses its transaction log and takes the last written value on x, if any, and then its
own valuation of the shared variables, if x was not written during the current transaction.
Transaction logs are delivered to every process in an order consistent with the causal delivery
relation between transactions, i.e., the transitive closure of the union of the program order
(the order in which transactions are executed by a process), and the delivered-before relation
(a transaction t1 is delivered-before a transaction t2 iff the log of t2 has been delivered at
the process executing t1 before t1 starts). By an abuse of terminology, we call this property
causal delivery. Once a transaction log is delivered, it is immediately applied on the shared-
variable valuation of the receiving process. Also, no transaction log can be delivered to a
process p while p is executing another transaction, we call this property transaction isolation.
Causal convergence (CCv) semantics. Compared to causal memory, causal convergence
ensures eventual consistency of process-local copies of the shared variables. Each transaction
log is associated with a timestamp and a process applies a write on some variable x from a
transaction log only if it has a timestamp larger than the timestamps of all the transaction
logs it has already applied and that wrote the same variable x. For simplicity, we assume that
the transaction identifiers play the role of timestamps, which are totally ordered according
to some relation <. CCv satisfies both causal delivery and transaction isolation as well.
Weak causal consistency (CC) semantics. Compared to the previous semantics, CC
allows that reads of the same process observe concurrent writes as executing in different
orders. Each process maintains a set of values for each shared variable, and a read returns
any one of these values non-deterministically. Transaction logs are associated with vector
clocks [29] which represent the causal delivery relation, i.e., a transaction t1 is before t2 in
causal-delivery iff the vector clock of t1 is smaller than the vector clock of t2. We assume that
transactions identifiers play the role of vector clocks, which are partially ordered according
to some relation <. When applying a transaction log on the shared-variable valuation of
the receiving process, we only keep the values that were written by concurrent transactions
(not related by causal delivery). CC satisfies both causal delivery and transaction isolation.
Program execution. The semantics of a program P under a causal consistency semantics
X ∈ {CCv, CM, CC} is defined using a labeled transition system [P ]X where the set Ev of
transition labels, called events, is defined by:
Ev = { begin(p, t), ld(p, t, x, v), isu(p, t, x, v), del(p, t), end(p, t) : p ∈ P, t ∈ T, x ∈ V, v ∈ D}
where begin and end label transitions corresponding to the start, resp., the end of a transac-
1 For simplicity, we assume that every transaction commits. The effects of aborted transactions shouldn’t
be visible to any process.
S.M. Beillahi, A. Bouajjani, and C. Enea 5
begin(p1, t1)
isu(p1, t1, x, 1)
end(p1, t1)
·
begin(p2, t3)
isu(p2, t3, x, 2)
end(p2, t3)
· del(p1, t3) · del(p2, t1) ·
begin(p2, t4)
ld(p2, t4, x, 1)
end(p2, t4)
·
begin(p1, t2)
ld(p1, t2, x, 2)
end(p1, t2)
(a) CM execution of the program in Fig. 1b.
begin(p1, t1)
isu(p1, t1, z, 1)
isu(p1, t1, x, 1)
end(p1, t1)
·
begin(p2, t3)
isu(p2, t3, x, 2)
ld(p2, t3, z, 0)
end(p2, t3)
· del(p1, t3) · del(p2, t1) ·
begin(p1, t2)
isu(p1, t2, y, 1)
end(p1, t2)
· del(p2, t2) ·
begin(p2, t4)
ld(p2, t4, y, 1)
ld(p2, t4, x, 2)
end(p2, t4)
(b) CCv execution of the program in Figure 1a.
begin(p1, t1)
isu(p1, t1, x, 2)
end(p1, t1)
·
begin(p2, t2)
isu(p2, t2, x, 1)
end(p2, t2)
· del(p2, t1) ·
begin(p2, t3)
ld(p2, t3, x, 2)
end(p2, t3)
·
begin(p2, t4)
ld(p2, t4, x, 1)
end(p2, t4)
· del(p1, t2)
(c) CC execution of the program in Figure 1c.
Figure 2 For readability, the sub-sequences of events delimited by begin and end are aligned
vertically, the execution-flow advancing from left to right and top to bottom.
tion, isu and ld label transitions corresponding to writing, resp., reading, a shared variable
during some transaction, and del labels transitions corresponding to applying a transition
log received from another process on the local copy of the shared variables. An event isu is
called an issue while an event del is called a store. An execution of [P ]X is a sequence of
events ρ = ev1 · ev2 · . . . labeling the transitions. Fig. 2a shows an execution under CM. This
satisfies transaction isolation since no transaction is delivered while another transaction is
executing. The execution in Fig. 2a is not possible under CCv since t4 and t2 read 2 and
1 from x, respectively. This is possible only if t1 and t3 write x at p2 and p1, respectively,
which contradicts the definition of CCv where we cannot have both t1 < t3 and t3 < t1.
Fig. 2b shows an execution under CCv (we assume t1 < t2 < t3 < t4). Notice that del(p2, t1)
did not result in an update of x because the timestamp t1 is smaller than the timestamp
of the last transaction that wrote x at p2, namely t3, a behavior that is not possible under
CM. The two processes converge and store the same shared variable copy at the end of the
execution. Fig. 2c shows an execution under CC, which is not possible under CCv and CM
because t3 and t4 read 2 and 1, respectively. Since the transactions t1 and t2 are concurrent,
p2 stores both values 2 and 1 written by these transactions. A read of x can return any of
these two values.
Execution summary. Let ρ be an execution under X ∈ {CCv, CM, CC}, a sequence τ of
events isu(p, t) and del(p, t) with p ∈ P and t ∈ T is called a summary of ρ if it is obtained
from ρ by substituting every sub-sequence of transitions in ρ delimited by a begin and an
end transition, with a single “macro-event” isu(p, t). For example, isu(p1, t1) · isu(p2, t3) ·
del(p1, t3) · del(p2, t1) · isu(p2, t4) · isu(p1, t2) is a summary of the execution in Fig. 2a.
We say that a transaction t in ρ performs an external read of a variable x if ρ contains
an event ld(p, t, x, v) which is not preceded by a write on x of t, i.e., an event isu(p, t, x, v).
Under CM and CC, a transaction t writes a variable x if ρ contains an event isu(p, t, x, v), for
some v. In Fig. 2a, both t2 and t4 perform external reads and t2 writes to y. A transaction
t executed by a process p writes x at process p′ 6= p if t writes x and ρ contains an event
del(p′, t) (e.g., in Fig. 2a, t1 writes x at p2). Under CCv, we say that a transaction t executed
by a process p writes x at process p′ 6= p if t writes x and ρ contains an event del(p′, t) which
is not preceded by an event del(p′, t′) (or isu(p′, t′)) with t < t′ and t′ writing x (if it would
be preceded by such an event then the write to x of t will be discarded). For example, in
Fig. 2b, t1 does not write x at p2.
3 Write-Write Race Freedom
We say that an execution ρ has a write-write race on a shared variable x if there exist two
concurrent transactions t1 and t2 that were issued in ρ and each transaction contains a write
to the variable x. We call ρ write-write race free if there is no variable x such that ρ has a
6 Robustness Against Transactional Causal Consistency
write-write race on x. Also, we say a program P is write-write race free under a consistency
semantics X ∈ {CCv, CM, CC} iff for every ρ ∈ ExX(P), ρ is write-write race free.
We show that if a given program has a write-write race under one of the three causal
consistency semantics then it must have a write-write race under the remaining two. The
intuition behind this is that the three semantics coincide for programs without write-write
races. Indeed, without concurrent transactions that write to the same variable, every process
local valuation of a shared variable will be a singleton set under CC and no process will ever
discard a write when applying an incoming transaction log under CCv.
◮ Theorem 1. Given a program P and two consistency semantics X,Y ∈ {CCv, CM, CC}, P
has a write-write race under X iff P has a write-write race under Y.
The following result shows that indeed, the three causal consistency semantics coincide for
programs which are write-write race free under any one of these three semantics.
◮ Theorem 2. Let P be a program. Then, ExCC(P) = ExCCv(P) = ExCM(P) iff P has no
write-write race under CM, CCv, or CC.
4 Programs Robustness
4.1 Program Traces
We define an abstraction of executions satisfying transaction isolation, called trace. Intuit-
ively, a trace forgets the order in which shared-variables are accessed inside a transaction
and the order between transactions accessing different variables. The trace of an execution
ρ is obtained by adding several standard relations between events in its summary which
record the data-flow, e.g. which transaction wrote the value read by another transaction.
The trace of an execution ρ is a tuple tr(ρ) = (τ,PO,WR,WW,RW, STO) where τ is
the summary of ρ, PO is the program order, which relates any two issue events isu(p, t) and
isu(p, t′) that occur in this order in τ , WR is the write-read relation (also called read-from),
which relates events of two transactions t and t′ such that t writes a value that t′ reads, WW
is the write-write order (also called store-order), which relates events of two transactions
that write to the same variable, and RW is the read-write relation (also called conflict),
which relates events of two transactions t and t′ such that t reads a value overwritten by t′,
and STO is the same-transaction relation, which relates events of the same transaction.
Formally, WR relates any two events ev1 ∈ {isu(p, t), del(p, t)} and ev2 = isu(p, t
′) that
occur in this order in τ such that t′ performs an external read of x, and ev1 is the last
event in τ before ev2 such that t writes x if ev1 = isu(p, t), and t writes x at p if ev1 =
del(p, t) (we may use WR(x) to emphasize the variable x). Also, WW relates any two events
ev1 ∈ {isu(p, t1), del(p, t1)} and ev2 ∈ {isu(p, t2), del(p, t2)} that occur in this order in τ
provided that t1 and t2 both write the same variable x, and if ρ is an execution under causal
convergence, then (1) if evi = del(p, ti), for some i ∈ {1, 2}, then ti writes x at p, and (2)
if ev1 ∈ {isu(p, t1), del(p, t1)} and ev2 = del(p, t2), then t1 < t2 (we may use WW(x) to
emphasize the variable x). We also define RW(x) = WR−1(x);WW(x) (we use ; to denote
the standard composition of relations) and RW =
⋃
x∈V
RW(x). If a transaction t reads the
initial value of x then RW(x) relates isu(p, t) to isu(p′, t′) of any other transaction t′ which
writes to x (i.e., (isu(p, t), isu(p′, t′)) ∈ RW(x)). Finally, STO relates any event isu(p, t) with
the set of events del(p′, t), where p 6= p′.
Then, we define the happens-before relation HB as the transitive closure of the union of
all the relations in the trace, i.e., HB = (PO ∪ WR ∪ WW ∪ RW ∪ STO)+. Since we reason
about only one trace at a time, we may say that a trace is simply a summary τ , keeping the
S.M. Beillahi, A. Bouajjani, and C. Enea 7
isu(p1, t1) isu(p2, t3) del(p1, t3) del(p2, t1) isu(p1, t2) del(p2, t2) isu(p2, t4)
WW
STO PO
STO
PO
RW
WR
STO WR
t1 t3 t2 t4WW
PO PO
RW
WR
WR
Figure 3 The trace of the execution in Fig. 2b and its transactional happens-before.
relations implicit. The trace of the CCv execution in Fig. 2b is shown on the left of Fig. 3.
Tr(P)X denotes the set of traces of executions of a program P under X ∈ {CCv, CM, CC}.
The causal order CO of a trace tr = (τ,PO,WR,WW,RW, STO) is the transitive closure
of the union of the program order, write-read relation, and the same-transaction relation, i.e.,
CO = (PO∪WR∪ STO)+. For readability, we write ev1 →HB ev2 instead of (ev1, ev2) ∈ HB.
4.2 Program Semantics Under Serializability
The semantics of a program under serializability [36] can be defined using a transition system
where the configurations keep a single shared-variable valuation (accessed by all processes)
with the standard interpretation of read or write statements. Each transaction executes in
isolation. Alternatively, the serializability semantics can be defined as a restriction of [P ]X,
X ∈ {CCv, CM, CC}, to the set of executions where each transaction is immediately delivered
to all processes, i.e., each event end(p, t) is immediately followed by all del(p′, t) with p′ 6= p.
Such executions are called serializable and the set of serializable executions of a program
P is denoted by ExSER(P). The latter definition is easier to reason about when relating
executions under causal consistency and serializability, respectively.
A trace tr is called serializable if it is the trace of a serializable execution. Let TrSER(P) de-
note the set of serializable traces. Given a serializable trace tr = (τ,PO,WR,WW,RW, STO)
we have that every event isu(p, t) in τ is immediately followed by all del(p′, t) with p′ 6= p.
For simplicity, we write τ as a sequence of “atomic macro-events” (p, t) where (p, t) denotes
a sequence isu(p, t) · del(p1, t) · . . . · del(pn, t) for some p ∈ P = {p, p1, . . . , pn}. We say that t
is “atomic". In Fig. 3, t2 is atomic and we can use (p2, t3) instead of isu(p2, t3)del(p1, t3).
Since multiple executions may have the same trace, it is possible that an execution ρ
produced by a variation of causal consistency has a serializable trace tr(ρ) even though
end(p, t) actions may not be immediately followed by del(p′, t) actions. However, ρ would be
equivalent, up to reordering of “independent” (or commutative) transitions, to a serializable
execution. The happens-before relation between events is extended to transactions as follows:
a transaction t1 happens-before another transaction t2 6= t1 if the trace tr contains an event
of transaction t1 which happens-before an event of t2. The happens-before relation between
transactions is denoted by HBt and called transactional happens-before (an example is given
on the right of Fig. 3). The following result characterizes serializable traces.
◮ Theorem 3 ([2, 40]). A trace tr is serializable iff HBt is acyclic.
4.3 Robustness Problem
We consider the problem of checking whether the causally-consistent semantics of a program
produces the same set of traces as the serializability semantics.
◮ Definition 4. A program P is called robust against a semantics X ∈ {CCv, CM, CC} iff
TrX(P) = TrSER(P).
Since TrSER(P) ⊆ TrX(P), the problem of checking robustness of a program P against a
semantics X boils down to checking whether there exists a trace tr ∈ TrX(P) \TrSER(P). We
call tr a robustness violation (or violation, for short). By Theorem 3, HBt of tr is cyclic.
8 Robustness Against Transactional Causal Consistency
p1
t1 [r1 = x //0
x = r1 + 1]
||
p2
t2 [r2 = x //0
x = r2 + 1]
(a) Lost Update (LU).
p1
t1 [x = 1]
t2 [r1 = y] //0
||
p2
t3 [y = 1]
t4 [r2 = x] //0
(b) Store Buffering (SB).
[a = 1
z = 1
x = 1
y = 1]
||
if (a == 1)
[x = 2
r1 = z //0
r2 = y //1
r3 = x] //2
(c) Without transactions,
non-robust against CCv.
[a = 1
x = 1
r1 = x] //2
||
if (a == 1)
[x = 2
r2 = x] //1
(d) Without transactions, non-
robust only against CM.
if ( * )
[x = 1]
else
[r1 = x]
||
if ( * )
[x = 2]
else
[r2 = x]
(e) Robust against both CM
and CCv.
[x = 1]
[r1 = y] ||
[r2 = x
if (r2 == 1)
y = 1]
(f) Robust against both CM
and CCv.
Figure 4 (Non-)robust programs. For non-robust programs, the read instructions are commented
with the values they return in robustness violations. The condition of if-else is checked inside a
transaction whose demarcation is omitted for readability (∗ denotes non-deterministic choice).
We discuss several examples of programs which are (non-) robust against both CM and
CCv or only one of them. Fig. 4a and Fig. 4b show examples of programs that are not
robust against both CM and CCv, which have also been discussed in the literature on weak
memory models, e.g. [6]. The execution of Lost Update under both CM and CCv allows that
the two reads of x in transactions t1 and t2 return 0 although this cannot happen under
serializability. Also, executing Store Buffering under both CM and CCv allows that the reads
of x and y return 0 although this would not be possible under serializability. These values
are possible because the first transaction in each of the processes may not be delivered to
the other process.
Assuming for the moment that each instruction in Fig. 4c and Fig. 4d forms a different
transaction, the values we give in comments show that the program in Fig. 4c, resp., Fig. 4d,
is not robust against CCv, resp., CM. The values in Fig. 4c are possible assuming that the
timestamp of the transaction [x = 1] is smaller than the timestamp of [x = 2] (which means
that if the former is delivered after the second process executes [x = 2], then it will be
discarded). Moreover, enlarging the transactions as shown in Fig. 4c, the program becomes
robust against CCv. The values in Fig. 4d are possible under CM because different processes
do not need to agree on the order in which to apply transactions, each process applying the
transaction received from the other process last. However, under CCv this behavior is not
possible, the program being actually robust against CCv. As in the previous case, enlarging
the transactions as shown in the figure leads to a robust program against CM.
We end the discussion with several examples of programs that are robust against both
CM and CCv. These are simplified models of real applications reported in [27]. The program
in Fig. 4e can be understood as the parallel execution of two processes that either create
a new user of some service, represented abstractly as a write on a variable x or check its
credentials, represented as a read of x (the non-deterministic choice abstracts some code
that checks whether the user exists). Clearly this program is robust against both CM and
CCv since each process does a single access to the shared variable. Although we considered
simple transactions that access a single shared-variable this would hold even for “bigger”
transactions that access an arbitrary number of variables. The program in Fig. 4f can be
thought of as a process creating a new user of some service and reading some additional
data in parallel to a process that updates that data only if the user exists. It is rather easy
to see that it is also robust against both CM and CCv.
S.M. Beillahi, A. Bouajjani, and C. Enea 9
5 Robustness Against Causal Consistency
We consider now the issue of checking robustness against a variation of causal consistency,
considering first the case of CCv and CM. The result concerning CC is derived from the one
concerning CM. We show next that a robustness violation should contain at least an issue and
a store event of the same transaction that are separated by another event that occurs after
the issue and before the store and which is related to both via the happens-before relation.
Otherwise, since any two events which are not related by happens-before could be swapped
in order to derive an execution with the same trace, every store event could be swapped
until it immediately follows the corresponding issue and the execution would be serializable.
◮ Lemma 5. Given a robustness violation τ , there exists a transaction t such that τ = α ·
isu(p, t)·β·del(p0, t)·γ and an event a ∈ β such that (isu(p, t), a) ∈ HB and (a, del(p0, t)) ∈ HB.
The transaction t in the trace τ above is called a delayed transaction. The happens-before
constraints imply that t belongs to an HBt cycle.
Next, we show that a program which is not robust against CCv or CM admits violations
of particular shapes, which enables reducing robustness checking to a reachability problem
in a program running under serializability (presented in Section 6).
5.1 Robustness Violations under Causal Convergence
Roughly, our characterization of CCv robustness violations states that the first delayed trans-
action (which must exist by Lemma 5) is followed by a possibly-empty sequence of delayed
transactions that form a “causality chain”, i.e., every new delayed transaction is causally
ordered after the previous delayed transaction. Moreover, the issue event of the last delayed
transaction happens-before the issue event of another transaction that reads a variable up-
dated by the first delayed transaction (this completes a cycle in HBt). We say that a se-
quence of issue events ev1 ·ev2 · . . . evn forms a causality chain when (evi, evi+1) ∈ CO for all
1 ≤ i ≤ n−1. Also, for simplicity, we use “macro-events” (p, t) even in traces obtained under
causal consistency (recall that this notation was introduced to simplify serializable traces),
i.e., we assume that any sequence of events formed of an issue isu(p, t) followed immediately
by all the store events del(p′, t) is replaced by (p, t). Then, all the relations that held between
an event ev of such a sequence and another event ev ′, e.g., (ev, ev′) ∈ PO, are defined to
hold as well between the corresponding macro-event (p, t) and ev′, e.g, ((p, t), ev ′) ∈ PO.
◮ Theorem 6. A program P is not robust against CCv iff Tr(P)CCv contains a trace of type
τCCv1 = α · isu(p, t) ·β ·(p0, t0) ·del(p0, t) ·γ or τCCv2 = α · isu(p, t) ·β1 · isu(p1, t1) ·β2 ·del(p0, t) ·γ
that satisfies the properties given in Fig. 5.
Above, τCCv1 contains a single delayed transaction while τCCv2 may contain arbitrarily many
delayed transactions. The issue event of the last delayed transactions, i.e., isu(p, t) in τCCv1
and isu(p1, t1) in τCCv2, happens before (p0, t0) and some event in β2, respectively, which
read a variable updated by the first delayed transaction. The theorem above allows β1 = ǫ,
β2 = ǫ, β = ǫ, γ = ǫ, p = p1, t = t1, and t1 to be a read-only transaction. If t1 is a read-only
transaction then isu(p1, t
′) has the same effect as (p1, t1) since t1 does not contain writes.
Fig. 6a and Fig. 6b show two violations under CCv.
The violation patterns in Theorem 6 characterize minimal robustness violations where
the measure defined as the sum of the distances (number of events that are causally related
to the issue) between issue and store events of the same transaction is minimal. Minimality
enforces the constraints stated above. For example, in the context of τCCv2, the delayed
transactions in β1 cannot create a cycle in the transactional happens-before (otherwise,
10 Robustness Against Transactional Causal Consistency
τCCv1:
α isu(p, t)
◦ β
(p0, t0)
◦
del(p0, t)
◦
γ
HB \ CO
∀
CO
∀
WW(x)
RW(x);STO
τCCv2:
α isu(p, t)|¬x
◦ β1|¬x
isu(p1, t1)
◦ β2
del(p0, t)
◦
γ
HB \ CO
∀
CO WW(x) ∪ RW(x)
∃
HB
∀
RW(y 6= x)
∃
τCM1:
α isu(p, t)
◦ β
(p0, t0)
◦
del(p0, t)
◦
γ
HB \ CO
∀
CO
∀
WW(x)
WW(x)
τCM2:
α isu(p, t)|¬x
◦ β1|¬x
isu(p1, t1)
◦ β2
del(p0, t)
◦
γ
HB \ CO
∀
CO RW(x)
∃
RW(y 6= x)
∃
HB
∀
Figure 5 Robustness violation patterns. We use
a β
R ∀
to denote ∀ b ∈ β. (a, b) ∈ R. We
use β1|¬x to say that all delayed transactions in β1 do not access x. For violations τCCv1 and τCM1,
t is the only delayed transaction. For τCCv2 and τCM2, all delayed transactions are in β1|¬x and they
form a causality chain that starts at isu(p, t) and ends at isu(p1, t1).
isu(p1, t1) (p2, t2) del(p2, t1)
WW
STO
RW
(a) Violation of LU pro-
gram in Fig. 4a.
isu(p1, t1) isu(p1, t2) (p2, t3) (p2, t4) del(p2, t1)
PO RW PO RW
(b) Violation of SB program in Fig. 4b.
isu(p1, t1) (p2, t2) del(p2, t1)
WW WW
(c) Violation of LU pro-
gram in Fig. 4a.
Figure 6 (a) A τCCv1 violation where β2 = ǫ, γ = ǫ, and t and t0 correspond to t1 and t2. (b)
A τCCv2 (resp., τCM2) violation where t and t1 correspond to t1 and t2. t1 is a read-only transac-
tion. Also, β1 = ǫ, β2 = (p2, t3) · (p2, t4), γ = ǫ, such that (isu(p1, t2), (p2, t3)) ∈ RW(y) and
((p2, t4), del(p2, t1)) ∈ RW(x). (c) A τCM1 violation with β2 = γ = ǫ, and t and t0 correspond to t1
and t2. In all traces, we show only the relations that are part of the happens-before cycle.
α · isu(p, t) · β1 · del(p0, t) · γ
′ would be a violation with a smaller measure, which contradicts
minimality). Also, if it were to have a delayed transaction t2 in β2 (resp., β for τCCv1), then it
is possible to remove some transaction (all its issue and store events) from the original trace
and obtain a new violation with a smaller measure. For instance, in the case of β2, if t 6= t1,
then we can safely remove the last delayed transaction (i.e., t1), that is causally dependent
on the first delayed transaction, since all events in β2 · del(p0, t) · γ neither read from the
writes of t1 nor are issued by the same process as t1. The resulting trace is still a robustness
violation (because of the HBt cycle involving t2) but with a smaller measure. Note that
all processes that delayed transactions, stop executing new transactions in β2 (resp., β)
because of the relation HB \ CO, shown in Fig. 5, between the delayed transaction t1 (resp.,
t) and events in β2 (resp., β). This precise characterization of minimal violations is essential
for deriving an optimal reduction of robustness checking to SC reachability (presented in
Section 6).
5.2 Robustness Violations under Causal Memory
The characterization of robustness violations under CM is at some level similar to that of
robustness violations under CCv. However, some instance of the violation pattern under CCv
is not possible under CM and CM admits some class of violations that is not possible under
CCv. This reflects the fact that these consistency models are incomparable in general. The
following theorem gives the precise characterization. Roughly, a program is not robust if it
S.M. Beillahi, A. Bouajjani, and C. Enea 11
admits a violation which can either be because of two concurrent transactions that write to
the same variable (a write-write race) or because of a restriction of the pattern admitted
by CCv where the last delayed transaction must be related only by RW in a happens-before
path with future transactions. The first pattern is not admitted by CCv because the writes
to each variable are executed according to the timestamp order.
◮ Theorem 7. A program P is not robust against CM iff Tr(P)CM contains a trace of type
τCM1 = α · isu(p, t) ·β · (p0, t0) ·del(p0, t) ·γ or τCM2 = α · isu(p, t) ·β1 · isu(p1, t1) ·β2 ·del(p0, t) ·γ
that satisfies the properties given in Fig. 5.
The CM violation in Fig. 6b (pattern τCM2) is a violation under CCv as well which corresponds
to the pattern τCCv2. The detection of the violation pattern τCM1 (e.g., Fig. 6c) implies the
existence of a write-write race under CM. Conversely, if a program has a trace which contains
a write-write race under CM, then this trace must be a robustness violation since the two
transactions, that caused the write-write race, form a cycle in the store order hence a cycle
in the transactional happens-before order2. Thus, the program is not robust against CM.
Therefore, a program which is robust against CM is also write-write race free under CM. Since
without write-write races, the CM and the CCv semantics coincide, we get the following.
◮ Lemma 8. If a program P is robust against CM, then P is robust against CCv.
5.3 Robustness Violations under Weak Causal Consistency
If a program is robust against CM, then it must not contain a write-write race under CM (note
that this is not true for CCv). Therefore, by Theorem 2, a program which is robust against
CM has the same set of traces under both CM and CC, which implies that it is also robust
against CC. Conversely, since CC is weaker than CM (i.e., TrCM(P) ⊆ TrCC(P) for any P), if a
program is robust against CC then it is robust against CM. Thus, we obtain the following.
◮ Theorem 9. A program P is robust against CC iff it is robust against CM.
6 Reduction to SC Reachability
We show here the reduction of robustness checking to a reachability problem in a program
executing under the serializability semantics. Essentially, given a program P and a semantics
X ∈ {CCv, CM, CC}, we define an instrumentation of P such that P is not robust against
X iff the instrumentation reaches an error state under the serializability semantics. The
instrumentation uses auxiliary variables in order to simulate the robustness violations (in
particular, the delayed transactions) satisfying the patterns given in Fig. 5. We will focus
our presentation on the second violation pattern of CCv (which is similar to the second
violation pattern of CM): τCCv2 = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ. For lack of
space, we describe the instrumentation only informally. The precise definition is given in
the Appendix.
The process p that delayed the first transaction t is called the Attacker. The other
processes delaying transactions in β1 · isu(p1, t1) are called Visibility Helpers. Recall that all
the delayed transactions must be causally after isu(p, t) and causally before isu(p1, t1). The
processes that execute transactions in β2 and contribute to the happens-before path between
isu(p1, t1) and del(p0, t) are called Happens-Before Helpers. A happens-before helper cannot
be the attacker or a visibility helper since this would contradict the causal delivery guarantee
provided by causal consistency (a transaction of a happens-before helper is not delayed, so
2 Given two concurrent transactions t1 and t2 that write on a common variable x, isu(p1, t1) is in store
order before del(p1, t2) and isu(p2, t2) before del(p2, t1).
12 Robustness Against Transactional Causal Consistency
visible immediately to all processes, and it cannot follow a delayed transaction). γ contains
the stores of the delayed transactions from isu(p, t) · β1 · isu(p1, t1). It is important to notice
that we may have t = t1. In this case, β1 = ǫ and the only delayed transaction is t. Also, all
delayed transactions in β1 including t1 may be issued on the same process as t. In all these
cases, the set of Visibility Helpers is empty.
The instrumentation uses two copies of the set of shared variables in the original program.
We use primed variables x′ to denote the second copy. When a process becomes the attacker
or a visibility helper, it will write only to the second copy that is visible only to these
processes (and remains invisible to the other processes including the happens-before helpers).
The writes made by the other processes including the happens-before helpers are made visible
to all processes, i.e., they are applied on both copies of the shared variables.
To establish the causality chains of delayed transactions performed by the attacker and
the visibility helpers, we look whether a transaction can extend the causality chain started
by the first delayed transaction from the attacker. In order for a transaction to “join” the
causality chain, it has to satisfy one of the following conditions:
the transaction is issued by a process that has already another transaction in the causality
chain. Thus, we ensure the continuity of the causality chain through program order.
the transaction is reading from a variable that was updated by a previous transaction in
the causality chain. Hence, we ensure the continuity of the causality chain through the
write-read relation.
We introduce a flag for each shared variable to mark the fact that it was updated by a
previous transaction in the causality chain. These flags are used by the instrumentation to
establish whether a transaction “joins” a causality chain. Enforcing a happens-before path
starting in the last delayed transaction, using transactions of the happens-before helpers,
can be done in the similar way. Compared to causality chains, there are two more cases in
which a transaction can extend a happens-before path:
the transaction writes to a shared variable that was read by a previous transaction in
the happens-before path. Hence, we ensure the continuity of the happens-before path
through the read-write relation.
the transaction writes to a shared variable that was updated by a previous transaction
in the happens-before path. Hence, we ensure the continuity of the happens-before path
through write-write order.
Therefore, we extend the shared variables flags used for causality chains in order to record if
a variable was read or written by a previous transaction (in this case, a previous transaction
in the happens-before path). Overall, the instrumentation uses a flag x.event or x′.event
for each (copy of a) shared variable, that stores the type of the last access (read or write) to
the variable. Initially, these flags and other flags used by the instrumentation as explained
below are initialized to null (⊥).
In general, whether a process is an attacker, visibility helper, or happens-before helper is
not enforced syntactically by the instrumentation, and can vary from execution to execution.
The role of a process in an execution is set non-deterministically during the execution using
some additional process-local flags. Thus, during an execution, each process chooses to set
to true at most one of the flags p.a, p.vh, and p.hbh, implying that the process becomes an
attacker, visibility helper, or happens-before helper, respectively. At most one process can
be an attacker, i.e., set p.a to true. Before a process becomes an attacker or visibility helper
it passes though a stage where it executes transactions in the usual way without delaying
them.
A process non-deterministically can choose to delay a transaction at which point it
S.M. Beillahi, A. Bouajjani, and C. Enea 13
sets a global flag atrA to true. During the delayed transaction it chooses randomly a write
instruction to a shared variable y and stores the name of this variable in the global variable
astA . The values written during delayed transactions are stored in the primed variables and
are visible only to the attacker and the visibility helpers. Each time the attacker writes to
a variable z′ (the copy of z from the original program) during a delayed transaction, it sets
the flag z′.event to st which will allow other processes that read the same variable to join
the set of visibility helpers and start delaying their transactions. Once the attacker delays
a transaction, it starts reading only from the primed variables (i.e., z′).
When atrA is set to true by the attacker, other processes continue the execution of their
original instructions but, whenever they store a value they write it to both the shared
variable z and the primed variable z′ so it is visible to all processes. When a process chooses
non deterministically to join the visibility helpers, it delays all writes (i.e., writes only to
primed variables) and reads only from the primed variables.
In order for the attacker or a process in the visibility helpers to start the happens-before
path, it has to either read or write a shared variable x that was not accessed by a delayed
transaction (i.e., x′.event =⊥). In this case we set the global flag HB to true to mark the
start of the happens-before path and the end of the causality chain and set the flag x.event
to ld. When the flag HB is set to true the attacker and the visibility helpers stop executing
new transactions. The remaining processes, which are not the attacker or a visibility helper,
can now become a happens-before helper.
Once the flag HB is set to true, some process chooses non-deterministically to join the
set of happens-before helpers, i.e., continue the happens-before path created by the exist-
ing happens-before helpers, the attacker, or visibility helper. The happens-before helpers
continue executing their instructions, until one of them reads from the variable y whose
name was stored in astA . This establishes a happens-before path between the last delayed
transaction and a “fictitious” store event corresponding to the first delayed transaction that
could be executed just after this read of y. The execution doesn’t have to contain this
store event explicitly since it is always enabled. Therefore, at the end of every transaction,
the instrumentation checks whether the transaction reads y. If this is the case, then the
execution stops and goes to an error state to indicate that this is a robustness violation.
As we have already mentioned, the role of a process in an execution is chosen non-
deterministically at runtime. Therefore, the final instrumentation of a given program P ,
denoted by [[P ]], is obtained by replacing each labeled instruction 〈linst〉 with the concaten-
ation of the instrumentations corresponding to the attacker, the visibility helpers, and the
happens-before helpers, i.e., [[〈linst〉]] ::= [[〈linst〉]]A [[〈linst〉]]VH [[〈linst〉]]HbH
The following theorem states the correctness of the instrumentation.
◮ Theorem 10. A program P is not robust against CCv iff [[P ]] reaches the error state.
A similar instrumentation can be defined for the other variations of causal consistency, i.e.,
causal memory (CM) and weak causal consistency (CC).
The following result states the complexity of checking robustness for finite-state pro-
grams 3 against one of the three variations of causal consistency considered in this work (we
use causal consistency as a generic name to refer to all of them). It is a direct consequence
of Theorem 10 and of previous results concerning the reachability problem in concurrent
programs running over SC, with a fixed [26] or parametric number of processes [39].
3 That is, programs where the number of variables and the data domain are bounded.
14 Robustness Against Transactional Causal Consistency
◮ Corollary 11. Checking robustness of finite-state programs against causal consistency is
PSPACE-complete when the number of processes is fixed and EXPSPACE-complete, other-
wise.
7 Related Work
Causal consistency is one of the oldest consistency models for distributed systems [29].
Formal definitions of several variants of causal consistency, suitable for different types of
applications, have been introduced recently [13, 17, 18, 37]. The definitions in this paper
are inspired from these works and coincide with those given in [13]. In that paper, the au-
thors address the decidability and the complexity of verifying that an implementation of a
storage system is causally consistent (i.e., all its computations, for every client, are causally
consistent).
While our paper focuses on trace-based robustness, state-based robustness requires that
a program is robust if the set of all its reachable states under the weak semantics is the
same as its set of reachable states under the strong semantics. While state-robustness is
the necessary and sufficient concept for preserving state-invariants, its verification, which
amounts in computing the set of reachable states under the weak semantics, is in general a
hard problem. The decidability and the complexity of this problem has been investigated in
the context of relaxed memory models such as TSO and Power, and it has been shown that
it is either decidable but highly complex (non-primitive recursive), or undecidable [8, 9]. As
far as we know, the decidability and complexity of this problem has not been investigated for
causal consistency. Automatic procedures for approximate reachability/invariant checking
have been proposed using either abstractions or bounded analyses, e.g., [1, 5, 10, 20]. Proof
methods have also been developed for verifying invariants in the context of weakly consistent
models such as [4, 25, 28, 35]. These methods, however, do not provide decision procedures.
Decidability and complexity of trace-based robustness has been investigated for the TSO
and Power memory models [12, 14, 21]. The work we present in this paper borrows the idea of
using minimal violation characterizations for building an instrumentation allowing to obtain
a reduction of the robustness checking problem to the reachability checking problem over SC.
However, applying this approach to the case of causal consistency is not straightforward and
requires different proof techniques. Dealing with causal consistency is far more tricky and
difficult than dealing with TSO, and requires coming up with radically different arguments
and proofs, for (1) characterizing in a finite manner the set of violations, (2) showing that
this characterization is sound and complete, and (3) using effectively this characterization
in the definition of the reduction to the reachability problem.
As far as we know, our work is the first one that establishes results on the decidability and
complexity issues of the robustness problem in the context of causal consistency, and taking
into account transactions. The existing work on the verification of robustness for distributed
systems consider essentially trace-based concepts of robustness and provide either over- or
under-approximate analyses for checking it. In [11, 15, 16, 19], static analysis techniques
are proposed based on computing an abstraction of the set of computations that is used in
searching for robustness violations. These approaches may return false alarms due to the
abstractions they consider. In particular, [11] shows that a trace under causal convergence is
not admitted by the serializability semantics iff it contains a (transactional) happens-before
cycle with a RW dependency, and another RW or WW dependency. This characterization
alone is not sufficient to prove our result concerning robustness checking. Our result relies
on a characterization of more refined robustness violations and relies on different proof
arguments. In [34] a sound (but not complete) bounded analysis for detecting robustness
REFERENCES 15
violation is proposed. Our approach is technically different, is precise, and provides a decision
procedure for checking robustness when the program is finite-state.
8 Conclusion
We have studied three variations of transactional causal consistency, showing that they are
equivalent for programs without write-write races and devising a sound and complete, linear-
time, reduction of the robustness problem to SC reachability. These results can be extended
to hybrid consistency models where some of the transactions in a program can be declared
serializable. These models include synchronization primitives similar to lock acquire/release
which allow to enforce a serialization order between some transactions. Such mechanisms
can be used as a “repair” mechanism in order to make programs robust.
References
1 Parosh Aziz Abdulla, Mohamed Faouzi Atig, Ahmed Bouajjani, and Tuan Phong Ngo.
Context-bounded analysis for POWER. In Axel Legay and Tiziana Margaria, editors,
Tools and Algorithms for the Construction and Analysis of Systems - 23rd International
Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory
and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings,
Part II, volume 10206 of Lecture Notes in Computer Science, pages 56–74, 2017.
2 Atul Adya. Weak consistency: A generalized theory and optimistic implementations for
distributed transactions. PhD thesis, 1999.
3 Mustaque Ahamad, Gil Neiger, James E. Burns, Prince Kohli, and Phillip W. Hutto.
Causal memory: Definitions, implementation, and programming. Distributed Computing,
9(1):37–49, 1995.
4 Jade Alglave and Patrick Cousot. Ogre and pythia: an invariance proof method for weak
consistency models. In Giuseppe Castagna and Andrew D. Gordon, editors, Proceedings
of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL
2017, Paris, France, January 18-20, 2017, pages 3–18. ACM, 2017.
5 Jade Alglave, Daniel Kroening, and Michael Tautschnig. Partial orders for efficient
bounded model checking of concurrent software. In Natasha Sharygina and Helmut
Veith, editors, Computer Aided Verification - 25th International Conference, CAV 2013,
Saint Petersburg, Russia, July 13-19, 2013. Proceedings, volume 8044 of Lecture Notes
in Computer Science, pages 141–157. Springer, 2013.
6 Jade Alglave, Luc Maranget, and Michael Tautschnig. Herding cats: Modelling, simu-
lation, testing, and data mining for weak memory. ACM Trans. Program. Lang. Syst.,
36(2):7:1–7:74, 2014.
7 Sérgio Almeida, João Leitão, and Luís E. T. Rodrigues. Chainreaction: a causal+ consist-
ent datastore based on chain replication. In Zdenek Hanzálek, Hermann Härtig, Miguel
Castro, and M. Frans Kaashoek, editors, Eighth Eurosys Conference 2013, EuroSys ’13,
Prague, Czech Republic, April 14-17, 2013, pages 85–98. ACM, 2013.
8 Mohamed Faouzi Atig, Ahmed Bouajjani, Sebastian Burckhardt, and Madanlal
Musuvathi. On the verification problem for weak memory models. In Manuel V. Her-
menegildo and Jens Palsberg, editors, Proceedings of the 37th ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, POPL 2010, Madrid, Spain, Janu-
ary 17-23, 2010, pages 7–18. ACM, 2010.
9 Mohamed Faouzi Atig, Ahmed Bouajjani, Sebastian Burckhardt, and Madanlal
Musuvathi. What’s decidable about weak memory models? In Helmut Seidl, editor, Pro-
gramming Languages and Systems - 21st European Symposium on Programming, ESOP
16 REFERENCES
2012, Held as Part of the European Joint Conferences on Theory and Practice of Soft-
ware, ETAPS 2012, Tallinn, Estonia, March 24 - April 1, 2012. Proceedings, volume
7211 of Lecture Notes in Computer Science, pages 26–46. Springer, 2012.
10 Mohamed Faouzi Atig, Ahmed Bouajjani, and Gennaro Parlato. Getting rid of store-
buffers in TSO analysis. In Ganesh Gopalakrishnan and Shaz Qadeer, editors, Computer
Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July
14-20, 2011. Proceedings, volume 6806 of Lecture Notes in Computer Science, pages 99–
115. Springer, 2011.
11 Giovanni Bernardi and Alexey Gotsman. Robustness against consistency models with
atomic visibility. In Josée Desharnais and Radha Jagadeesan, editors, 27th International
Conference on Concurrency Theory, CONCUR 2016, August 23-26, 2016, Québec City,
Canada, volume 59 of LIPIcs, pages 7:1–7:15. Schloss Dagstuhl - Leibniz-Zentrum fuer
Informatik, 2016.
12 Ahmed Bouajjani, Egor Derevenetc, and Roland Meyer. Checking and enforcing robust-
ness against TSO. In Matthias Felleisen and Philippa Gardner, editors, Programming
Languages and Systems - 22nd European Symposium on Programming, ESOP 2013, Held
as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS
2013, Rome, Italy, March 16-24, 2013. Proceedings, volume 7792 of Lecture Notes in
Computer Science, pages 533–553. Springer, 2013.
13 Ahmed Bouajjani, Constantin Enea, Rachid Guerraoui, and Jad Hamza. On verifying
causal consistency. In Giuseppe Castagna and Andrew D. Gordon, editors, Proceedings
of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL
2017, Paris, France, January 18-20, 2017, pages 626–638. ACM, 2017.
14 Ahmed Bouajjani, Roland Meyer, and Eike Möhlmann. Deciding robustness against total
store ordering. In Luca Aceto, Monika Henzinger, and Jirí Sgall, editors, Automata, Lan-
guages and Programming - 38th International Colloquium, ICALP 2011, Zurich, Switzer-
land, July 4-8, 2011, Proceedings, Part II, volume 6756 of Lecture Notes in Computer
Science, pages 428–440. Springer, 2011.
15 Lucas Brutschy, Dimitar Dimitrov, Peter Müller, and Martin T. Vechev. Serializability
for eventual consistency: criterion, analysis, and applications. In Giuseppe Castagna
and Andrew D. Gordon, editors, Proceedings of the 44th ACM SIGPLAN Symposium
on Principles of Programming Languages, POPL 2017, Paris, France, January 18-20,
2017, pages 458–472. ACM, 2017.
16 Lucas Brutschy, Dimitar Dimitrov, Peter Müller, and Martin T. Vechev. Static serializ-
ability analysis for causal consistency. In Jeffrey S. Foster and Dan Grossman, editors,
Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design
and Implementation, PLDI 2018, Philadelphia, PA, USA, June 18-22, 2018, pages 90–
104. ACM, 2018.
17 Sebastian Burckhardt. Principles of eventual consistency. Foundations and Trends in
Programming Languages, 1(1-2):1–150, 2014.
18 Sebastian Burckhardt, Alexey Gotsman, Hongseok Yang, and Marek Zawirski. Replic-
ated data types: specification, verification, optimality. In Suresh Jagannathan and Peter
Sewell, editors, The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of
Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014, pages
271–284. ACM, 2014.
19 Andrea Cerone and Alexey Gotsman. Analysing snapshot isolation. J. ACM, 65(2):11:1–
11:41, 2018.
REFERENCES 17
20 Andrei Marian Dan, Yuri Meshman, Martin T. Vechev, and Eran Yahav. Effective ab-
stractions for verification under relaxed memory models. Computer Languages, Systems
& Structures, 47:62–76, 2017.
21 Egor Derevenetc and Roland Meyer. Robustness against power is pspace-complete.
In Javier Esparza, Pierre Fraigniaud, Thore Husfeldt, and Elias Koutsoupias, editors,
Automata, Languages, and Programming - 41st International Colloquium, ICALP 2014,
Copenhagen, Denmark, July 8-11, 2014, Proceedings, Part II, volume 8573 of Lecture
Notes in Computer Science, pages 158–170. Springer, 2014.
22 Jiaqing Du, Sameh Elnikety, Amitabha Roy, and Willy Zwaenepoel. Orbe: scalable
causal consistency using dependency matrices and physical clocks. In Guy M. Lohman,
editor, ACM Symposium on Cloud Computing, SOCC ’13, Santa Clara, CA, USA, Oc-
tober 1-3, 2013, pages 11:1–11:14. ACM, 2013.
23 Michael J. Fischer, Nancy A. Lynch, and Mike Paterson. Impossibility of distributed
consensus with one faulty process. J. ACM, 32(2):374–382, 1985.
24 Seth Gilbert and Nancy A. Lynch. Brewer’s conjecture and the feasibility of consistent,
available, partition-tolerant web services. SIGACT News, 33(2):51–59, 2002.
25 Alexey Gotsman, Hongseok Yang, Carla Ferreira, Mahsa Najafzadeh, and Marc Shapiro.
’cause i’m strong enough: reasoning about consistency choices in distributed systems. In
Rastislav Bodík and Rupak Majumdar, editors, Proceedings of the 43rd Annual ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2016,
St. Petersburg, FL, USA, January 20 - 22, 2016, pages 371–384. ACM, 2016.
26 Dexter Kozen. Lower bounds for natural proof systems. In 18th Annual Symposium
on Foundations of Computer Science, Providence, Rhode Island, USA, 31 October - 1
November 1977, pages 254–266. IEEE Computer Society, 1977.
27 Arthur Kurath. Analyzing Serializability of Cassandra Applications. Master’s thesis,
ETH Zurich, Switzerland, 2017.
28 Ori Lahav and Viktor Vafeiadis. Owicki-gries reasoning for weak memory models. In
Magnús M. Halldórsson, Kazuo Iwama, Naoki Kobayashi, and Bettina Speckmann, edit-
ors, Automata, Languages, and Programming - 42nd International Colloquium, ICALP
2015, Kyoto, Japan, July 6-10, 2015, Proceedings, Part II, volume 9135 of Lecture Notes
in Computer Science, pages 311–323. Springer, 2015.
29 Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Com-
mun. ACM, 21(7):558–565, 1978.
30 Leslie Lamport. How to make a multiprocessor computer that correctly executes multi-
process programs. IEEE Trans. Computers, 28(9):690–691, 1979.
31 Richard J Lipton and Jonathan S Sandberg. PRAM: A scalable shared memory. Tech-
nical Report TR-180-88, Princeton University, Department of Computer Science, August
1988.
32 Wyatt Lloyd, Michael J. Freedman, Michael Kaminsky, and David G. Andersen. Don’t
settle for eventual: scalable causal consistency for wide-area storage with COPS. In
Ted Wobber and Peter Druschel, editors, Proceedings of the 23rd ACM Symposium on
Operating Systems Principles 2011, SOSP 2011, Cascais, Portugal, October 23-26, 2011,
pages 401–416. ACM, 2011.
33 Wyatt Lloyd, Michael J. Freedman, Michael Kaminsky, and David G. Andersen. Stronger
semantics for low-latency geo-replicated storage. In Nick Feamster and Jeffrey C. Mogul,
editors, Proceedings of the 10th USENIX Symposium on Networked Systems Design
and Implementation, NSDI 2013, Lombard, IL, USA, April 2-5, 2013, pages 313–328.
USENIX Association, 2013.
18 REFERENCES
34 Kartik Nagar and Suresh Jagannathan. Automatic detection of serializability violations
under weak consistency. In 29th Intern. Conf. on Concurrency Theory (CONCUR’18),
September 2018. to appear.
35 Mahsa Najafzadeh, Alexey Gotsman, Hongseok Yang, Carla Ferreira, and Marc Shapiro.
The CISE tool: proving weakly-consistent applications correct. In Peter Alvaro and
Alysson Bessani, editors, Proceedings of the 2nd Workshop on the Principles and Practice
of Consistency for Distributed Data, PaPoC@EuroSys 2016, London, United Kingdom,
April 18, 2016, pages 2:1–2:3. ACM, 2016.
36 Christos H. Papadimitriou. The serializability of concurrent database updates. J. ACM,
26(4):631–653, 1979.
37 Matthieu Perrin, Achour Mostéfaoui, and Claude Jard. Causal consistency: beyond
memory. In Rafael Asenjo and Tim Harris, editors, Proceedings of the 21st ACM SIG-
PLAN Symposium on Principles and Practice of Parallel Programming, PPoPP 2016,
Barcelona, Spain, March 12-16, 2016, pages 26:1–26:12. ACM, 2016.
38 Nuno M. Preguiça, Marek Zawirski, Annette Bieniusa, Sérgio Duarte, Valter Balegas,
Carlos Baquero, and Marc Shapiro. Swiftcloud: Fault-tolerant geo-replication integrated
all the way to the client machine. In 33rd IEEE International Symposium on Reliable
Distributed Systems Workshops, SRDS Workshops 2014, Nara, Japan, October 6-9, 2014,
pages 30–33. IEEE Computer Society, 2014.
39 Charles Rackoff. The covering and boundedness problems for vector addition systems.
Theor. Comput. Sci., 6:223–231, 1978.
40 Dennis E. Shasha and Marc Snir. Efficient and correct execution of parallel programs
that share memory. ACM Trans. Program. Lang. Syst., 10(2):282–312, 1988.
REFERENCES 19
〈prog〉 ::= program 〈process〉
∗
〈process〉 ::= process 〈pid〉 regs 〈reg〉∗
〈ltxn〉∗
〈ltxn〉 ::= 〈binst〉 〈linst〉∗ 〈einst〉
〈binst〉 ::= 〈label〉: begin; goto 〈label〉;
〈einst〉 ::= 〈label〉: end; goto 〈label〉;
〈linst〉 ::= 〈label〉: 〈inst〉; goto 〈label〉;
〈inst〉 ::= 〈reg〉 := 〈var〉
| 〈var〉 := 〈reg-expr〉
| assume 〈bexpr〉
Figure 7 Program syntax. a∗ indicates zero or more occurrences of a. 〈pid〉, 〈reg〉, 〈label〉,
and 〈var〉 represent a process identifier, a register, a label, and a shared variable, respectively.
〈reg-expr〉 is an expression over registers while 〈bexpr〉 is a Boolean expression over registers.
A Causal Consistency
A.1 Program syntax
Our simple programming language syntax is given in Fig. 7.
A.2 Program Semantics Under Causal Memory
Formally, a program configuration is a triple gs = (ls,msgs) where ls : P → S associates
a local state in S to each process in P, and msgs is a set of messages in transit. A local
state is a tuple 〈pc, store, rval, log〉 where pc ∈ Lab is the program counter, i.e., the label
of the next instruction to be executed, store : V → D is the local valuation of the shared
variables, rval : R → D is the valuation of the local registers, and log ∈ (V × D)∗ is the
transaction log, i.e., a list of variable-value pairs. For a local state s, we use s.pc to denote
the program counter component of s, and similarly for all the other components of s. A
message m = 〈t, log〉 is a transaction identifier t from a set T together with a transaction
log log ∈ (V× D)∗. We let M denote the set of messages.
Then, the semantics of a program P under causal memory is defined using a labeled
transition system (LTS) [P ]CM = (C,Ev, gs0,→) where C is the set of program configurations,
Ev is a set of transition labels called events, gs0 is the initial configuration, and→⊆ C×Ev×C
is the transition relation. As it will be explained later in this section, the executions of P
under causal memory are a subset of those generated by [P ]CM. The set of events is defined
by:
Ev = { begin(p, t), ld(p, t, x, v), isu(p, t, x, v), del(p, t), end(p, t) : p ∈ P, t ∈ T, x ∈ V, v ∈ D}
where begin and end label transitions corresponding to the start, resp., the end of a transac-
tion, isu and ld label transitions corresponding to writing, resp., reading, a shared variable
during some transaction, and del labels transitions corresponding to applying a transition
log received from another process on the local state. An event isu is called an issue while
an event del is called a store.
The transition relation → is partially defined in Fig. 8 (we will present additional con-
straints later in this section). The events labeling a transition are written on top of →. A
begin transition will just reset the transaction log while an end transition will apply the
writes stored in the transaction log on the shared-variable valuation store and add the trans-
action log together with the transaction identifier to the set msgs of messages in transit. An
ld transition will read the value of a shared-variable looking first at the transaction log log
and then, at the shared-variable valuation store, while an isu transition will add a new write
to the transaction log. Finally, a del transition represents the delivery of a transaction log
from another process which is applied immediately on the shared-variable valuation store.
We say that an execution ρ satisfies transaction isolation if no transaction log is delivered
to a process p while p is executing a transaction, i.e., if an event ev = del(p, t) occurs in
ρ before an event ev ′ = end(p, t′) with t′ 6= t, then ρ contains an event ev′′ = begin(p, t′)
20 REFERENCES
begin ∈ inst(ls(p).pc) s = ls(p)[log 7→ ǫ, pc 7→ next(pc)]
(ls,msgs)
begin(p, t)
−−−−−−→ (ls[p 7→ s],msgs)
r := x ∈ inst(ls(p).pc) eval(ls(p), x) = v rval = ls(p).rval[r 7→ v]
s = ls(p)[rval 7→ rval, pc 7→ next(pc)]
(ls,msgs)
ld(p, t, x, v)
−−−−−−−−→ (ls[p 7→ s],msgs)
x := v ∈ inst(ls(p).pc) log = (ls(p).log) · (x, v) s = ls(p)[log 7→ log, pc 7→ next(pc)]
(ls,msgs)
isu(p, t, x, v)
−−−−−−−−→ (ls[p 7→ s],msgs)
end ∈ inst(ls(p).pc) store = ls(p).store[x 7→ eval(ls(p), x) : x ∈ V]
s = ls(p)[store 7→ store, pc 7→ next(pc)]
(ls,msgs)
end(p, t)
−−−−−→ (ls[p 7→ s],msgs ∪ {(t, ls(p).log)})
〈t, log〉 ∈ msgs store = ls(p).store[x 7→ last(log, x) : x ∈ V, last(log, x) 6= ⊥]
s = ls(p)[store 7→ store]
(ls,msgs)
del(p, t)
−−−−−→ (ls[p 7→ s],msgs)
Figure 8 The set of transition rules defining the causal memory semantics. We assume that
all the events which come from the same transaction use a unique transaction identifier t. For a
function f , we use f [a 7→ b] to denote a function g such that g(c) = f(c) for all c 6= a and g(a) = b.
The function inst returns the set of instructions labeled by some given label while next gives the
next instruction to execute. We use · to denote sequence concatenation. The function eval(ls(p), x)
returns the value of x in the local state ls(p): (1) if ls(p).log contains a pair (x, v), for some v,
then eval(ls(p), x) returns the value of the last such pair in ls(p).log, and (2) eval(ls(p), x) returns
ls(p).store(x), otherwise. Also, last(log, x) returns the value v in the last pair (x, v) in log, and ⊥, if
such a pair doesn’t exist.
between ev and ev ′. For an execution ρ satisfying transaction isolation, we assume w.l.o.g.
that transactions executed by different processes don’t interleave, i.e., if an event ev associ-
ated to a transaction t (an event of the process executing t or the delivery of the transaction
log of t) occurs in ρ before ev ′ = end(p′, t′), then ρ contains an event ev′′ = begin(p′, t′)
between ev and ev′. Also, we say that an execution ρ satisfies causal delivery if the following
hold:
for any event begin(p, t), ρ does not contain the event del(p, t), and for any process p′ 6= p,
ρ contains at most one event del(p′, t),
for any events ev1 ∈ {del(p, t1), end(p, t1)}, ev2 = begin(p, t2), and ev
′
2 = del(p
′, t2) with
p 6= p′, if ev1 occurs in ρ before ev2, then there exists ev
′
1 ∈ {del(p
′, t1), end(p
′, t1)} such
that ev′1 occurs before ev
′
2 in ρ.
An execution ρ satisfies causal memory if it satisfies transaction isolation and causal delivery.
The set of executions of P under causal memory, denoted by ExCM(P), is the set of executions
of [P ]CM satisfying causal memory.
Let ρ be an execution under causal memory, a sequence τ of events isu(p, t) and del(p, t)
with p ∈ P and t ∈ T is called a summary of ρ if it is obtained from the projection of ρ on
isu and del events by substituting every sub-sequence of transitions in ρ delimited by a begin
and an end transition, with a single “macro-event” isu(p, t).
A.3 Program Semantics Under Causal Convergence
In causal convergence, we assume that the transaction identifiers play the role of timestamps,
and assume some total order relation < on these identifiers. Formally, we define a variation
of the LTS [P ]CM, denoted by [P ]CCv, where essentially, the transition identifiers play the
role of timestamps and are ordered by a total order <, each process-local state contains an
additional component tstamp storing the largest timestamp the process has seen for each
REFERENCES 21
Φ1 img(ls(p).tstamp) < t
(ls, lk,msgs)
begin(p, t)
−−−−−−→ (ls[p 7→ s], lk,msgs)
end ∈ inst(ls(p).pc) store = ls(p).store[x 7→ eval(ls(p), x) : x ∈ V]
tstamp = ls(p).tstamp[x 7→ t : x ∈ V, last(log, x) 6= ⊥]
s = ls(p)[store 7→ store, tstamp 7→ tstamp, pc 7→ next(pc)]
(ls, lk,msgs)
end(p, t)
−−−−−→ (ls[p 7→ s], lk,msgs ∪ {(t, ls(p).log)})
〈t, log〉 ∈ msgs store = ls(p).store[x 7→ last(log, x) : x ∈ V, last(log, x) 6= ⊥, tstamp(x) < t]
tstamp = ls(p).tstamp[x 7→ t : x ∈ V, last(log, x) 6= ⊥, tstamp(x) < t]
s = ls(p)[store 7→ store, tstamp 7→ tstamp]
(ls, lk,msgs)
del(p, t)
−−−−−→ (ls[p 7→ s], lk,msgs)
Figure 9 Transition rules for defining causal convergence. Φ1 is the hypothesis of the begin(p, t)
transition rule in Fig. 8, and img denotes the image of a function.
variable, and a write on a variable x from a transaction log is applied on the local valuation
store only if it has a timestamp larger than tstamp(x). Also, a begin(p, t) transition will
choose a transaction identifier t greater than those in the image of the tstamp component of
p’s local state. The transition rules of [P ]CCv that change w.r.t. those of [P ]CM are given in
Fig. 9.
The set of executions of P under causal convergence, denoted by ExCCv(P), is the set
of executions of [P ]CCv satisfying transaction isolation, causal delivery, and the fact that
every process p generates monotonically increasing transaction identifiers. The execution in
Fig. 2a is not possible under causal convergence since t4 and t2 read 2 and 1, respectively,
from x which is possible only if t1 and t3 write x at p2 and p1, respectively which contradicts
the definition of del transition given in Fig. 9 where we cannot have both t1 < t3 and t3 < t1
at the same time.
A.4 Program Semantics Under Weak Causal Consistency
In CC semantics, the local valuation of the shared variables store : V → (D × T)∗ is a map
that accepts a shared variable and returns a set of pairs. The pairs are composed of values
that were stored concurrently and identifiers of the associated transactions that wrote those
values. When applying a transaction log on the local valuation store, we keep the values that
are in local valuation store and were written by transactions that are concurrent with the
transaction under consideration. When a process does an external read, it gets a random
value from one of the pairs that are stored at the specified location. Under CC semantics, we
use an additional component in each process local state denoted by storecp ∈ V → (D× T)
that maps each shared variable to a single pair. When a transaction begins, the storecp is
copied from the store where for every shared variable x ∈ V, the set store(x) is projected
to a random element (v, t) ∈ store(x) such that the binary relation ww ⊂ (T × T), where
for each (v′, t′) ∈ store(x) (t′, t) ∈ ww, is a partial order. In this way, storecp ensures that
reads from the same transaction are consistent with each other. In Fig. 10, we provide the
transition rules of [P ]CC that change w.r.t. those of [P ]CCv and [P ]CM.
The set of executions of P under weak causal consistency model, denoted by ExCC(P), is
the set of executions of [P ]CC satisfying transaction isolation and causal delivery. We denote
by Tr(P)CC the set of traces of executions of a program P under weak causal consistency.
22 REFERENCES
begin ∈ inst(ls(p).pc) img(ls(p).tstamp) < t
s = ls(p)[log 7→ ǫ, storecp 7→ Π(store), pc 7→ next(pc)]
(ls,msgs)
begin(p, t)
−−−−−−→ (ls[p 7→ s],msgs)
r := x ∈ inst(ls(p).pc) eval1 (ls(p), x) = (v, t′) rval = ls(p).rval[r 7→ v]
s = ls(p)[rval 7→ rval, pc 7→ next(pc)]
(ls,msgs)
ld(p, t, x, v)
−−−−−−−→ (ls[p 7→ s],msgs)
end ∈ inst(ls(p).pc) store = ls(p).store[x 7→ eval2 (ls(p), x, t) : x ∈ V]
s = ls(p)[store 7→ store, storecp 7→ ǫ, pc 7→ next(pc)]
(ls,msgs)
end(p, t)
−−−−−→ (ls[p 7→ s],msgs ∪ {(t, ls(p).log)})
〈t, log〉 ∈ msgs store = ls(p).store[x 7→ eval3 (ls(p), x, t, last(log, x)) : x ∈ V]
s = ls(p)[store 7→ store, pc 7→ next(pc)]
(ls,msgs)
del(p, t)
−−−−→ (ls[p 7→ s],msgs)
Figure 10 Transition rules for defining weak causal consistency semantics: Π(store) returns an
image of store where each set store(x) is mapped to a single pair (v, t′) such that (v, t′) ∈ store(x) and
there exists a partial order ww where for every (v1, t1) ∈ store(x) we have (t1, t
′) ∈ ww. eval1 (ls(p), x)
returns the pair (last(log, x), t) if last(log, x) 6= ⊥, and returns the pair (v, t′) in ls(p).storecp(x),
otherwise. eval2 (ls(p), x, t) returns the singleton set {(last(log, x), t)} if last(log, x) 6= ⊥, and returns
the set ls(p).store(x), otherwise. eval3 (ls(p), x, t, last(log, x)) returns the result of appending the pair
(last(log, x), t) to the set ls(p).store(x) after removing all pairs that are related causally with t and
were overwritten by t.
B Relations to Axiomatic Definitions
In this section, we show that our operational semantics are equivalent to the existing axio-
matic definitions for the three causal consistency models.
We use the axiomatic definitions for the causal consistency models to help in determining
whether an execution of a program is allowed or not over the given causal consistency models.
Also, whether all histories which are acceptable by the axiomatic definitions can be extracted
from executions under the corresponding causal consistency semantics. In [13], the three
causal consistency models were formalized as sets of axioms that program histories must
satisfy. We will be using these definitions in this section. Given an execution’s trace of a
program P over some consistency semantics X ∈ {CCv, CM, CC}, τ ∈ TrX(P), we formally
define, a history of τ as a poset hτ = (T ,PO, ℓ) where T is the set of transactions identifiers
that were issued in τ , POt is the program order between transactions such that (t1, t2) ∈ POt
iff there exists p1 ∈ P such that (isu(p1, t1), isu(p1, t2)) ∈ PO, and for every t ∈ T , ℓ(t) =
{isu(p, t), del(p′, t) p′ ∈ P p′ 6= p}. Similarly, we define WRt such that (t1, t2) ∈ WRt iff there
exists p1 ∈ P such that (isu(p1, t1), isu(p1, t2)) ∈ WR or (del(p1, t1), isu(p1, t2)) ∈ WR. We
provide in Table 1, the axioms from [13] that should be satisfied by every history h for the
three causal consistency criteria CM, CCv, and CC.
where COt ∈ T ×T is strict partial order named causal order. The axiom AxCausal states
that the causal order must contain the program order and the read-from order. Notice that
an instance of the underlying causal order is the extension of the relation CO to transactions.
The second axiom of CC, AxCausalValue states that for every transaction t ∈ T , the causal
history of t (CausalPast(t), the set of all transactions which are visible to t) can be sequen-
tialized with accordance to the causality order COt in order to obtain a valid sequence under
read/write memory specification [13]. In CC, a process does not need to be consistent with
the past reads from transactions that happened before t, thus the axiom AxCausalValue uses
REFERENCES 23
h is CC ∃ COt, a partial order, s.t. AxCausal∧ AxCausalValue
h is CM ∃ COt, a partial order, s.t. AxCausal∧ AxCausalSeq
h is CCv ∃ COt ARB, a partial and a total orders, s.t. AxCausal∧ AxArb∧ AxCausalArb
AxCausal POt ⊆ COt ∧ WRt ⊆ COt
AxArb COt ⊆ ARB
AxCausalValue ∀ t ∈ T . CausalHist(t){t}  ρt
AxCausalSeq ∀ t ∈ T . CausalHist(t){POPast(t)}  ρt
AxCausalArb ∀ t ∈ T . CausalArb(t){t}  ρt
CausalHist(t) = (CausalPast(t),COt)
CausalArb(t) = (CausalPast(t),ARB)
CausalPast(t) = {t′ ∈ T | t′ ≤COt t}
POPast(t) = {t′ ∈ T | t′ ≤POt t}
Table 1 Axioms definitions of causal consistency.
the causal history of t where only the return values of the read events in the transaction t
are kept. This is denoted by CausalHist(t){t}. If CausalHist(t){t} can be sequentialized to
a sequence ρt that is permissible under read/write memory specification, we denote it by
CausalHist(t){t}  ρt. For CM consistency model, we replace the axiom AxCausalValue by the
axiom AxCausalSeq which is stronger. The axiom AxCausalSeq requires each process to be
consistent with respect to its past reads (i.e., the reads by all transactions in POPast(t)). It
is denoted by CausalHist(t){POPast(t)}. For CCv consistency model we require the existence
of a total order relation ARB ∈ T × T between all transactions in the history, called the
arbitration order which must contain the causal order COt (axiom AxArb). Furthermore,
in CCv we replace the axiom AxCausalValue by the axiom AxCausalArb which is stronger.
The axiom AxCausalArb requires that the causal history of t must be sequentialized with
accordance to the arbitration order ARB instead of the causal order COt.
B.1 From Operational Models to Axiomatic Definitions
In the following theorem we demonstrate that histories which are extracted from execution
traces under the semantics CM, CCv, and CC defined in Sections A.2, A.3, and A.4, respectively,
satisfy the axiomatic definitions given in Table 1.
◮ Theorem 12. Let τ ∈ Tr(P)CC then hτ = (T ,POt, ℓ) is CC.
Let τ ∈ Tr(P)CM then hτ = (T ,POt, ℓ) is CM.
Let τ ∈ Tr(P)CCv then hτ = (T ,POt, ℓ) is CCv.
In the proof, we consider the partial order relation defined as COt = (POt ∪ WRt)
+ to
be the causal order. We get the following lemma about COt.
◮ Lemma 13. CO satisfies the axiom AxCausal.
◮ Lemma 14 (Weak Causal Consistency). Let τ ∈ Tr(P)CC be an execution trace under CC
semantics then hτ is CC.
Proof. We already know that hτ satisfies the axiom AxCausal, hence, we just need to show
that hτ satisfies the axiom AxCausalValue.
24 REFERENCES
The poset CausalHist(t) is defined using CO order. We prove by induction on the number
of instructions in t that we can build a valid sequence from CausalHist(t) that is consistent
with the return values of all the reads in t. For size 1, let a be the only instruction in t. If
a is a write then we can build a sequence of transactions in CausalHist(t) that respects COt
and we assign arbitrary values to the return of all reads in CausalHist(t). Otherwise, if a is
a read that fetches the initial value that means there is no write in CausalHist(t) that writes
to the shared variable accessed by a. Therefore, we can define a sequence of CausalHist(t)
that respects COt and assign arbitrary values to reads in CausalHist(t). If t reads a written
value then there must exist a write instruction a′ from some transaction t′ that wrote this
value. a′ should be the last update to the shared variable in CausalHist(t) by the order COt,
however, there might be some other concurrent transactions that contain writes to the same
shared variable. We can safely construct a sequence order of CausalHist(t) that places t′
to be the last transaction in the sequence that writes to the shared variable accessed by a
which must be compatible with COt since is ordered last by COt and we assign arbitrary
values to the other reads in CausalHist(t).
For the inductive step, we use the property that all reads in the same transaction should
be consistent with each other because at the start of every transaction we instantiate an
image Π(store) of the local memory store and the external reads of the underlying transaction
fetch their values from Π(store) which is a single value memory. Thus, reads from the
same transaction share the same valuation of the local memory. Suppose an+1 is the last
instruction in the transaction t. Let t′ be new transaction constructed from t by the removal
of an+1. If an+1 is not a read then CausalHist(t) \ {t} = CausalHist(t
′) \ {t′} and we can
build a valid CausalHist(t) by adding an+1 to CausalHist(t
′) that we assumed is valid. If
an+1 is a read that either reads the initial value or accesses a location that was accessed
with another read from the same transaction than CausalHist(t) \ {t} = CausalHist(t′) \ {t′}
and we can safely build a valid CausalHist(t) by adding an+1 to CausalHist(t
′) that we
assumed is valid. Otherwise, an+1 is a read that obtains its value from a write in the set
O = (CausalHist(t)\{t})\ (CausalHist(t′)\{t′}) then we can build a sequence of transactions
in CausalHist(t) obtained by appending t and O at the end of CausalHist(t′) which is valid
since Π(store) is constructed using the partial order ww. Thus, we obtain that CausalHist(t)
is valid as well. ◭
◮ Lemma 15 (Causal Memory). Let τ ∈ Tr(P)CM be an execution trace under CM semantics
then hτ is CM.
Proof. Similar to the previous lemma, we already know that hτ satisfies the axiom AxCausal,
hence, we just need to prove that hτ satisfies the axiom AxCausalSeq.
We have to show that we can construct a sequence from CausalHist(t) that is consistent
with the return values of all events from the process p that issued t.
We prove this property by induction on the number of transactions in POPast(t). The
basic case where POPast(t) contains single transaction holds because the operational model
of CM satisfies the axiom AxCausalValue proven in the previous case.
For the inductive step, we assume we were able to construct a valid sequence from
CausalHist(tn) which is consistent with POPast(tn), we prove by induction on the number
of instructions within the transaction tn+1 that we can construct a valid sequence from
CausalHist(tn+1) which is consistent with POPast(tn+1).
For the case where transaction tn+1 contains single instruction, let a be the underlying
instruction. If a is a write then we can build a sequence of transactions in CausalHist(tn+1)
from appending tn+1 at the end of the valid sequence CausalHist(tn) which is consistent
REFERENCES 25
with POPast(tn). The obtained CausalHist(tn+1) is consistent with POPast(tn+1). If t is a
read that reads the initial value then CausalHist(tn) does not contain a write that accesses
the same location. In this case we can build a sequence of transactions in CausalHist(tn+1)
obtained by appending tn+1 at the end of CausalHist(tn). If a is a read that reads its value
from a write in O = CausalHist(tn+1) \CausalHist(tn) then we can build a sequence of trans-
actions in CausalHist(tn+1) obtained by appending tn+1 and O at the end of CausalHist(tn).
If a is a read that obtains its value from a write in CausalHist(tn) then the transaction that
contains the write must be maximal in the store order otherwise in the CM operational model
a cannot read from this transaction. Thus, we obtain a valid CausalHist(tn+1) by appending
tn+1 at the end of the valid sequence CausalHist(tn).
For the case where transaction tn+1 contains n+1 instructions, let tn+1 = t
′
n+1∪{an+1}
such t′n+1 contains n instructions. If an+1 is a write, a read that reads the initial value, or
a read that obtains its value from a write in t′n+1, then the causal past of tn+1 is the same
as the causal past of t′n+1. Otherwise, if an+1 performs an external read then we apply the
some procedure as in the previous case. ◭
Before showing that all histories which are extracted from execution traces under CCv
satisfy the axiomatic definitions, we start by defining the total order relation ARB under
CCv semantics. The formal definition of store order for each process is the following.
◮Definition 16. Given a process p ∈ P, we define the local store order WWp between transac-
tions such that (t1, t2) ∈ WWp iff (isu(p, t1), isu(p, t2)) ∈ WW or (del(p, t1), isu(p, t2)) ∈ WW
or (isu(p, t1), del(p, t2)) ∈ WW or (del(p, t1), del(p, t2)) ∈ WW.
◮ Lemma 17. Given two processes p1, p2 ∈ P then under CCv if (t1, t2) ∈ WWp1 then
(t2, t1) 6∈ WWp2 .
Proof. If both (t1, t2) ∈ WWp1 and (t2, t1) ∈ WWp2 hold then from Fig. 9, we have t2 > t1
and t1 > t2 hold which is not possible. ◭
Next, we give the formal definition of the total store order under the CCv semantics.
◮ Definition 18. (t1, t2) ∈ WWt iff ∃ p ∈ P where (t1, t2) ∈ WWp.
Assuming that the timestamp of a given transaction is calculated based on causally visible
transactions, we get that if (t1, t2) ∈ COt then t2 > t1. Therefore, if (t1, t2) ∈ COt ∪ WWt
then t2 > t1. Thus, COt ∪WWt is acyclic.
◮ Definition 19. We define the arbitration order ARB as any strict total order which con-
tains (COt ∪WWt)
+. Which is possible since COt ∪WWt is acyclic.
◮ Lemma 20 (Causal Convergence). Given an execution α ∈ ExMPI(P) such that α is possible
under CCv model then htr(α) is CCv.
Proof. We have already proved that htr(α) satisfies the axioms AxIsolation and AxCausal,
hence, we just need to prove that htr(α) satisfies the axioms AxArband AxCausalArb. From the
definition ofARB, we can conclude that AxArbis satisfied. Since the operational model of CCv
satisfies the axiom AxCausalValue, thus we can construct a valid sequence from CausalHist(t)
that is consistent with return values of instructions in the transaction of t originated from
process a p. From the definition of the relation WWp, CausalHist(t) must be consistent with
the order WWp. Thus, CausalHist(t) is consistent with the order WWt ⊂ ARB. Therefore,
we can construct a valid sequence from CausalHist(t) that is consistent with return values of
instructions in t and with the total order relation ARB. ◭
26 REFERENCES
B.2 From Axiomatic Definitions to Operational Models
Next, we show that given CC, CM, and CCv histories which satisfy the axioms given in Table 1
we can obtain executions under the operational models as defined in Sections A.2, A.3, and
A.4 from which we produce these histories.
◮ Theorem 21. Let h = (T ,POt, ℓ) be a history which satisfies CC then we can obtain
an execution trace under CC which produces the history h.
Let h = (T ,POt, ℓ) be a history which satisfies CM then we can obtain an execution trace
under CM which produces the history h.
Let h = (T ,POt, ℓ) be a history which satisfies CCv then we can obtain an execution trace
under CCv which produces the history h.
Proof. Given h = (T ,POt, ℓ) to be a history which satisfies CC. Then, h holds the axioms
AxCausal and AxCausalValue. Based on the axiom AxCausal, we can safely assume that
the causal order COt is consistent with the causal delivery guaranteed in CC semantics. In
the remaining of the proof, we say a transaction t is visible to another transaction t′ if
(t, t′) ∈ COt. It remains to show that the returns of every read instruction in h is obtainable
in an execution under CC semantics. If the read is internal (i.e., the read obtain its value
from a write within the same transaction) then it can indeed be explained through the
operational model of CC since eval1 fetches first the transaction log when executing a read
instruction. If the read is external then either it reads the initial value or a value that was
written by another transaction. If the read obtains the initial value, thus implies there is
no visible transaction that updates the underlying shared variable which the read accesses
because the valuation of Π(store) at the underlying shared variable will not return any pair.
Otherwise, the read should obtain its value from one the visible transactions that update
the underlying shared variable which the read accesses. The randomness in the operation
model involved in the value returned by a read that accesses a shared variable that contains
multiple values written by concurrent transactions explain why two consecutive transactions
that read from the same variable and share the same set of visible transactions can return
different values. Also, notice that at the start of every transaction we obtain an image
of the memory local valuation store through Π(store) which is single value memory. This
guarantees that all reads from the same transaction are consistent with each other. Thus,
the obtained execution from the history h is valid under CC model. Therefore, we can obtain
an execution trace τ under CC semantics where h = hτ .
Second, we assume that h satisfies CCv. Then, h satisfies CC which implies that we can
obtain an execution trace τ under CC semantics such that hτ corresponds to h. Since, h
is constrained by an arbitration then it is not permissible that reads from two consecutive
transactions that share the same set of visible transactions to read different values of the
same shared variable without one of the two updating the content of the shared variable.
Therefore, the arbitration order can be seen as timestamp order based on which the writes
are applied to the local memory. Then, it is possible to reproduce the execution trace τ
under CCv semantics as well.
Third, suppose that h satisfies CM. Then, similar to before h satisfies CC and it is not
permissible to reorder the contents of the memory without violating the axiom AxCausalSeq.
Also, since no writes are discarded by the events del then CM semantics guarantees that all
reads of the same process are consistent with each other that is holding for every history
h that satisfies CM. Thus, it is possible to produce an execution trace τ under CM semantics
such that h = hτ .
◭
REFERENCES 27
C Proofs For Section 3 (Write-Write Race Freedom)
C.1 Write-Write Race Definition
Given a program P , let τ ∈ TrX(P) be a trace of the execution of P under a consistency
semantics X ∈ {CCv, CM, CC}.
Suppose we have two transactions t1 and t2 that were issued in τ such that t1 and
t2 are originated from two independent processes p1 and p2, respectively. Formally, if
(isu(p1, t1), isu(p2, t2)) 6∈ CO and (isu(p2, t2), isu(p1, t1)) 6∈ CO then we call the two trans-
actions concurrent.
We say a trace τ has a write-write race on a shared variable x if there exist two transac-
tions t1 t2 that were issued in τ that are concurrent and each transaction contains a write
to the shared variable x. We call τ a write-write race free if there is no shared variable x
such that τ has a write-write race on x. Also, we say a program P has no write-write race
under a consistency semantics X ∈ {CCv, CM, CC} iff for every τ ∈ TrX(P), τ is a write-write
race free.
C.2 Causal Consistency Semantics
◮ Theorem 22. Let P be a parallel program. Then, TrCC(P) = TrCCv(P) = TrCM(P) iff P
has no write-write race under CC.
The proof of this theorem is the combination of the two Lemmas 25 and 26.
◮ Lemma 23. Let τ be an execution trace which has no write-write race under CC. Then
τ ∈ TrCC(P) implies τ ∈ TrCM(P).
Proof. Let τ ∈ TrCC be an execution trace under CC model. Then, τ satisfies transactions
isolation and causal delivery. It is important to notice that if τ has no write-write race,
therefore, the contents of store at a given shared variable will always have single value at a
time. Which implies that store can be considered as single value memory which does not
discard writes. Thus, we obtain a semantics that is the same as the one for CM model. ◭
◮ Lemma 24. Let τ be an execution trace which has no write-write race under CC. Then,
τ ∈ TrCC implies τ ∈ TrCCv
Proof. Similar to the previous lemma, τ satisfies transactions isolation and causal delivery
and the contents of store at a given shared variable will always have single value at a time.
Now, we want to ensure that τ ensure a total arbitration between transactions that store to
the same variable which is ensured by CCv semantics.
Suppose we have two transactions t1 and t2 that are issued in τ that contain writes to
the same shared variable. Thus, (isu(p1, t1), isu(p2, t2)) ∈ CO or (isu(p2, t2), isu(p1, t1)) ∈ CO.
Because the two cases are similar, it is enough to consider one of them. Consider for example
the case (isu(p2, t1), isu(p2, t2)) ∈ CO, thus the timestamp of t2 must be bigger than the
timestamp of t1. Also, since causal delivery is guaranteed then ∀ p
′. (del(p′, t1), del(p
′, t2)) ∈
CO which implies ∀ p′. (del(p′, t1), del(p
′, t2)) ∈ WWp′ , thus, all writes in both transactions
t1 and t2 will be stored in the local memory of p
′ in an ordered fashion, ensuring a store
order between the two transactions that is consistent on all processes. ◭
◮ Lemma 25. Consider a program P which has no write-write race under CC (which implies
no write-write race under CCv and CM see Theorem 1). Then, we must have TrCC(P) =
TrCCv(P) = TrCM(P)
28 REFERENCES
Proof. We have that TrCCv(P) ⊂ TrCC(P) and TrCM(P) ⊂ TrCC(P) for every program P .
If P has no write-write race under CC then combining the Lemmas 23 and 24, we obtain
TrCC(P) ⊂ TrCCv(P) and TrCC(P) ⊂ TrCM(P). ◭
◮ Lemma 26. Let P be a parallel program, if TrCC(P) = TrCCv(P) = TrCM(P) then P has no
write-write race under CC.
Proof. Suppose by contradiction that P has a write-write race under CC. Then, there must
exists an execution trace τ ∈ TrCC(P) and a shared variable x such that we have two
transactions t1 t2 that are issued in τ that are concurrent (i.e., (isu(p1, t1), isu(p2, t2)) 6∈ CO or
(isu(p2, t2), isu(p1, t1)) 6∈ CO) and contain writes to the variable x. Since the set of traces of CC
and CM coincide then under CM semantics we can obtain τ as well. Similar to the proof given
for minimal violation trace, from τ we can extract another execution trace τ ′ under CM in the
form τ ′ = α · isu(p1, t1) · β · (p2, t2) · del(p2, t1) · γ such that (isu(p1, t1), del(p1, t2)) ∈ WW(x)
and (del(p2, t2), del(p2, t1)) ∈ WW(x) and α and β contains both the causal past of (p1, t1)
and the causal past of (p2, t2). It is impossible to obtain τ under CCv because of Lemma
40 it impossible to have (del(p2, t2), del(p2, t1)) ∈ WW(x) if (isu(p1, t1), del(p1, t2)) ∈ WW(x).
Thus, a contradiction. ◭
◮ Theorem 27. Given P a parallel program which has write-write races. Let P ′ be a write-
write synchronized restriction of P where all write-write racy transactions are serialized.
Then,
TrCC(P
′) = TrCCv(P
′) = TrCM(P
′) = TrCM(P) ∩ TrCCv(P) ∩ TrCC(P)
Proof. If P ′ is a write-write date race free then from the Lemma 26 we obtain: TrCC(P
′) =
TrCCv(P
′) = TrCM(P
′). On the other hand, we have that if P ′ is restriction of P then
TrCCv(P
′) ⊂ TrCCv(P), TrCC(P
′) ⊂ TrCC(P), and TrCM(P
′) ⊂ TrCM(P) then because TrCCv(P
′) =
TrCM(P
′) = TrCC(P
′) we obtain:
TrCC(P
′) = TrCCv(P
′) = TrCM(P
′) ⊂ TrCM(P) ∩ TrCCv(P) ∩ TrCC(P)
For the other direction of proof, suppose by contradiction that ∃ τ ∈ TrCM(P) ∩ TrCCv(P) ∩
TrCC(P) such that τ 6∈ TrCM(P
′). Then, τ ∈ TrCM(P)/ TrCM(P
′) which means τ contains
a write-write race. This means there exist two transactions t1 and t2 that were issued
in τ that are concurrent and contain writes to the same shared variable x. Let p1 and
p2 be the two processes that issued the transactions t1 and t2, respectively. Thus, we
assume that in τ both transactions t1 and t2 were delivered to the processes p2 and p1,
respectively. Therefore, under CM semantics we must have (isu(p1, t1), del(p1, t2)) ∈ WW(x)
and (del(p2, t2), del(p2, t1)) ∈ WW(x) which is not possible under CCv. Thus, τ 6∈ TrCM(P) ∩
TrCCv(P) ∩ TrCC(P) which is contradictory to the hypothesis. ◭
Next, we describe the proof of Theorem 1 stated as follow.
◮ Theorem 28. Let P be a parallel program then the following three statements are equival-
ent:
1. The set of executions of P has no write-write race under CC,
2. The set of executions of P has no write-write race under CCv,
3. The set of executions of P has no write-write race under CM.
Proof. To prove the above theorem, it is sufficient to prove the two axioms: directions from
1 to 2 and from 1 to 3. Because the directions from 2 to 1 and from 3 to 1 hold since
CC is weaker than both CCv and CM. For the direction from 1 to 2: suppose we have an
REFERENCES 29
execution trace τ under CC where we have a write-write race between two transactions t1
and t2 that were issued by the processes p1 and p2, respectively. Suppose that executing t1
and t2 concurrently is not possible under CCv, which means that the concurrency between
t1 and t2 was generated by some action that happened under CC and is not possible under
CCv, however, looking at the semantics of both CC and CCv such action can occur only if
we have some other transactions t′1 and t
′
2 that were executed concurrently under CC which
invoked a write-write race. Thus, we differentiate between the possibility of executing t′1
and t′2 concurrently under CCv or not, if it is not possible we repeat the same mechanism
above for t′1 and t
′
2 instead of t1 and t2. Since we are dealing with a finite prefix of the trace
(i.e., macro events that were executed before (p1, t1) and (p2, t2)) and we are backtracking,
we will iteratively obtain the proof. The same proof steps also apply for the proof direction
from 1 to 3. ◭
◮ Lemma 29. Given a parallel program P, if P is not robust under CCv then P is not robust
under CM.
Proof. Suppose by contradiction that P is robust under CM but is not robust under CCv.
Since P is robust under CM then it is not possible to obtain an execution trace of P that has
the shape of the first minimal violation pattern given in Theorem 7. Thus, P has no write-
write race under CM. Then, using Theorem 22 we obtain that TrCCv(P) = TrCM(P). However,
since P is robust under CM then TrSER(P) = TrCM(P). Therefore, TrSER(P) = TrCCv(P) which
implies that P is robust under CCv which is contradicting the hypothesis. ◭
D Proofs For Section 4 (Programs Robustness)
In this section, we give some auxiliary lemmas about the happens-before relation (between
events). We also give the formal definition of minimal violations traces. First, we define the
notation ev1 →HB1 ev2 (resp., (ev1, ev2) ∈ HB
1) to denote (ev1, ev2) ∈ (PO ∪ WW ∪ WR ∪
STO ∪ RW).
To decide if two events in a trace are “independent” (or commutative) we use the inform-
ation about the existence of a happens-before relation between the events. If two events
are not related by happens-before then they can be swapped while preserving the same
happens-before. Thus, we extend the happens-before relation to obtain the happens-before
through relation as follows:
◮ Definition 30. Let τ = α · a · β · b · γ be a trace where a and b are events (or atomic
macro events), and α, β, and γ are sequences of events (or atomic macro events) under a
semantics X ∈ {CCv, CM}. We say that a happens-before b through β if there is a non empty
sub-sequence c1 · · · cn of β that satisfies:
ci →HB1;STO? ci+1 for all i ∈ [0, n]
where c0 = a, cn+1 = b and STO? is the reflexive closure of STO.
Notice that we may have two events ev1 and ev2 which are adjacent and are HB-related but
not HB1-related in the case where ev2 is a store of an issue event ev0 which occurs before
ev1. In this case ev1 can be RW-related to ev0 (e.g., ev1 reads the initial value of x and ev0
writes x) and since ev0 is STO-related to ev2, then ev1 is HB
1; STO-related to ev2. However,
if ev2 does not write x (a plausible case under CCv) then ev1 might not be HB
1-related to
ev2.
30 REFERENCES
D.1 Minimal Violations
Given a trace τ = α · b · β · c · ω containing two events b = isu(p, t) and c, the dis-
tance between b and c, denoted by dτ (b, c), is the number of events in β that are caus-
ally related to b, excluding events that correspond to the deliver of t, i.e., dτ (b, c) =
|{d ∈ β | (b, d) ∈ CO ∧ d 6= del(p′, t) for every p′ ∈ P}|
The number of delays #(τ) in a trace τ is the sum of all distances between issue and
store events that originate from the same transaction:
#(τ) =
∑
isu(p,t), del(p′,t) ∈ τ
dτ (isu(p, t), del(p
′, t))
◮ Definition 31 (Minimal violation). A robust violation τ is called minimal if it has the least
number of delays among all robustness violations (for a given program P and semantics
X ∈ {CCv, CM}).
A non-robust program may admit several minimal violations with different happens-
before. For instance, in Fig. 11 we have two traces which do not have the same happens-
before and both traces have the same number of delays which equals to 0, i.e., both traces
are minimal violation traces. In the trace in Fig. 11b a single transaction is delayed and
on the other hand in the trace in Fig. 11c two transactions are delayed that are not caus-
ally related. For example, for the violation trace τ1 in Fig. 11b, we have that #(τ1) =
dτ1(isu(p2, t2), del(p3, t2)) = 0 since (isu(p2, t2), (p3, t3)) 6∈ CO. Also, for the violation trace
τ2 in Fig. 11c, we have that #(τ2) = dτ2(isu(p1, t1), del(p3, t1))+dτ2(isu(p2, t2), del(p3, t2)) =
0+0 = 0 since (isu(p2, t2), (p3, t3)) 6∈ CO, (isu(p1, t1), (p3, t3)) 6∈ CO, and (isu(p1, t1), isu(p2, t2)) 6∈
CO.
p1:
t1: [x = 1
r1 = y]
||
p2:
t2: [y = 2
r2 = z]
||
p3:
t3: [z = 3
r3 = x
r4 = y]
(a) An example of parallel program.
isu(p2, t2) (p3, t3) del(p3, t2) (p1, t1)
RW
RW
RW
STO
(b) A minimal violation execution trace of (a).
isu(p1, t1) isu(p2, t2) del(p1, t2) (p3, t3) del(p3, t2) del(p3, t1)
RW
STO
RW
RW
RW
(c) Another minimal violation execution trace of (a).
Figure 11 Example of two minimal violation traces which do not have the same happens-before
relation (possible under both CCv and CM). Both traces have the same number of delays which is
equal to 0. However, in (b) the minimal violation trace contains a single delayed transaction (t2),
and in (c) the minimal violation trace contains two delayed transactions (t1 and t2).
Next, we show that a robustness violation should contain at least an issue and a store
event of the same transaction that are related via the happens-before through relation. Oth-
erwise, we can build another trace with the same happens-before where events are reordered
such that every issue isu(p, t) is immediately followed by all corresponding stores del(p′, t)
with p′ 6= p. The latter is a serializable trace which contradicts the initial assumption.
◮ Lemma 32. Given a violation τ , there must exist a transaction t such that τ = α· isu(p, t)·
β · del(p0, t) · γ and isu(p, t) happens-before del(p0, t) through β.
The above lemma corresponds exactly to the Lemma 5 where the happens-before relations
in Lemma 5 where rephrased using the happens-before through relation.
REFERENCES 31
Similarly, given a violation of the from τ = α · isu(p, t) ·β ·del(p0, t) ·γ, we call t a delayed
transaction in the trace τ when isu(p, t) happens-before del(p0, t) through β.
Since the number of delays is defined using the causal order and the concept of delayed
transaction using the happens-before through, the number of delays of a minimal violation
may be zero, although it must contain at least one delayed transaction. For example, consid-
ering the case of Lost Update program given in Fig. 4a, its minimal violation execution trace
given in Fig. 12 has a total number of delays which is zero. In the minimal violation trace,
transaction t1 was delayed after transaction t2. However, since (isu(p1, t1), (p2, t2)) 6∈ CO
(i.e., the two transactions are not causally related) then #(τ) = dτ (isu(p1, t1), del(p2, t1)) = 0
where τ designates the minimal violation trace in Fig. 12.
isu(p1, t1) (p2, t2) del(p2, t1)
WW
RW
RW
STO
Figure 12 A minimal violation trace under CCv for the program in Fig. 4a.
Even though CO ⊂ HB we may have a violation trace with the least number of events
that occur between isu(p1, t1) and del(p2, t1) and are happens-before related to isu(p1, t1)
and the violation trace does not correspond to a minimal violation. For example, consider
the modified Store Buffer program given in Fig. 13a. Its minimal violation trace has a
number of delays which is equal to 1 since only two transactions were delayed (i.e., t1 and
t2). In Fig. 13c, we show another violation trace of the same program which has a number
of delays which is equal to
(N + 2)× (N + 3)
2
since N + 3 transactions were delayed (all
the delayed transactions are from the process p1) that are causally related. However, the
violation trace in Fig. 13c has less number of events, that occur between isu(p1, t1) and
del(p2, t1), than the minimal violation trace given in Fig. 13b.
p1:
t1: [x = 1]
t2: [r1 = y]
(N x ti)
t3: [r2 = z]
||
p2:
t4: [y = 2]
(M x tj)
t5: [z = 3]
t6: [r3 = x]
(a) A Modified version of Store Buffer (MSB) program.
isu(p1, t1) isu(p1, t2) (p2, t4) (M × (p2, tj)) (p2, t5) (p2, t6) del(p2, t1) del(p2, t2)
PO RW PO PO PO RW
(b) A minimal violation execution trace of MSB.
(p2, t4) (M × (p2, tj)) isu(p1, t1) isu(p1, t2) (N × isu(p1, ti)) isu(p1, t3) (p2, t5) (p2, t6) del(p2, t1)
PO PO PO RW PO RW
(c) A non-serializable execution trace of MSB (violation but not minimal).
Figure 13 Examples of violation traces: tj and ti are two abstract transactions that do not
update x, y, and z. (N × (p2, tj)) (resp., N × isu(p1, ti)) denotes the execution of transaction tj
(resp., event isu(p1, ti)), N times. We assume that M > N > 0.
Before giving the proof of Lemma 32, we state an important property of RW under both
32 REFERENCES
CCv and CM semantics.
◮ Lemma 33. Let τ ∈ TrX(P) be a trace under a semantics X ∈ {CCv, CM} and t1
and t2 two transaction from two different processes p1 and p2 that are issued in τ . If
(isu(p1, t1), isu(p2, t2)) ∈ RW(x), then either isu(p1, t1) reads the initial value from x or there
exists another transaction t3 from process p3 such that ((p3, t3), isu(p1, t1)) ∈ WR(x) and
((p3, t3), isu(p2, t2)) ∈ WW(x).
An important property of the happens-before through relation is the stability of the
relation when adding new operations in the middle of a trace. The proof is similar to an
analogous property of traces that consist of individual reads and writes (without transac-
tions).
◮ Lemma 34. Let τ = α · a · β · b · γ and τ ′ = α′ · a · β′ · b · γ′ be two traces such that
τ ↓ p = τ ′ ↓ p for every process p, (where τ ↓ p denotes the projection of the sequence τ on
the set of events of process p). and β is a sub-sequence of β′. Then, if a happens-before b
through β then a happens-before b through β′.
Based on Lemma 34, we can show that any two events in an execution trace which are
not related via the happens-before through relation can be reordered without affecting the
happens-before or can be placed adjacent to each other.
◮ Lemma 35. Let τ be an execution trace of a program P under a semantics X ∈ {CCv, CM},
and a and b two events such that τ = α · a · β · b · γ. Then, either (1) a happens-before b
through β or there is another trace τ ′ that has the same happens-before as τ and (2) τ ′ =
α·β1 ·a·b·β2 ·γ ∈ TrX(P) if (a, b) ∈ HB
1; STO?, otherwise, (3) τ ′ = α·β1 ·b·a·β2 ·γ ∈ TrX(P).
Proof. Let τ be a minimal violation trace of a program P under some semantics X ∈
{CCv, CM}, and a and b two events such that τ = α · a · β · b · γ.
We prove ¬(1) ⇒ ((2) or (3)) using induction on |β| which concludes the disjunction
since ¬((2) or (3))⇒ (1) is the reverse:
Base case: |β| = 0. Then τ0 = α · a · b · γ where a and b are not HB
1; STO?-related
implies that b can move left of a which produces the trace τ ′0 = α · b · a · γ that has the same
happens-before as τ0.
|β| = 1 and β = c. Then τ1 = α · a · c · b · γ where a does not happen before b through c.
Therefore, either a and c are not HB1; STO?-related or c and b are not HB1; STO?-related.
If a and c are not HB1; STO?-related, then we can swap the two obtaining τ ′1 = α · c · a · b · γ
which has the same happens-before as τ1. Also, if a and b are not HB
1; STO?-related then
b can move left of a which produces the trace τ ′′1 = α · b · a · γ that has the same happens-
before as τ ′1. Otherwise, if c and b are not HB
1; STO?-related, then we can swap the two
obtaining τ ′1 = α · a · b · c · γ which has the same happens-before as τ1. Also, if a and b are
not HB1; STO?-related then b can move left of a which produces the trace τ ′′1 = α · b · a · c · γ
that has the same happens-before as τ ′1.
Induction step case: We assume the lemma holds for |β| ≤ n. Consider τn+1 =
α · a ·β · b · γ with |β| = n+1. Consider c the last event in the sequence β = β1 · c. If a does
not happen before b through β, then either a does not happen before c through β1 and a
and c are not HB1; STO?-related, or c and b are not HB1; STO?-related.
First case: suppose a does not happen before c through β1 and a and c are not HB
1; STO?-
related. Using induction hypothesis over τn+1 with respect to a and c (because |β1| ≤ n)
results in τ ′n+1 = α ·β11 · c ·a ·β12 · b ·γ similar to τn+1. Using the Lemma 34, we know that if
a happen before b through β12 then a happens before b through β because β12 is a subset of
REFERENCES 33
β. Therefore, a does not happen before b through β12. Since |β12| ≤ |β1| ≤ n, then we can
apply the induction hypothesis as well to τ ′n+1 with respect to a and b which yields either
τ ′′n+1 = α · β11 · c · β121 · b · a · β122 · γ which has the same happens-before as τ
′
n+1, if a and
b are not HB1; STO?-related, or τ ′′n+1 = α · β11 · c · β121 · a · b · β122 · γ which has the same
happens-before as τ ′n+1, otherwise.
Second case: suppose c and b are not HB1; STO?-related. We apply the induction hypo-
thesis to τn+1 with respect to c and b, and we get τ
′
n+1 = α · a · β1 · b · c · γ with the same
happens-before as τn+1. As we already know that a does not happen before b through β
then using Lemma 34, a does not happen before b through β1. Subsequently by using the
induction hypothesis over τ ′n+1 with respect to a and b, we obtain τ
′′
n+1 = α·β11 ·b ·a ·β12 ·c ·γ
where τ ′′n+1 has the same happens-before as τ
′
n+1, if a and b are not HB
1; STO?-related, or
τ ′′n+1 = α ·β11 ·a ·b ·β12 ·c ·γ where τ
′′
n+1 has the same happens-before as τ
′
n+1, otherwise. ◭
Lemma 32. Let τ be a robustness violation trace, then we must have at least a transaction
t where the event isu(p, t) in τ is not immediately followed by all del(p′, t) with p′ 6= p.
Suppose there exist p′ 6= p such that del(p′, t) does not occur immediately after isu(p, t). Thus,
τ = α· isu(p, t)·β ·del(p′, t)·γ, and (isu(p, t), del(p′, t)) ∈ STO ⊂ HB1; STO?. From Lemma 35,
if isu(p, t) does not happens-before del(p′, t) through β, then τ ′ = α·β1 ·isu(p, t)·del(p
′, t)·β2 ·γ
has the same happens-before as τ . In τ ′, del(p′, t) occurs immediately after isu(p, t) which
contradicts our hypothesis. Therefore, isu(p, t) happens before del(p′, t) through β.
◭
Assuming that t is the first delayed transaction in τ (w.r.t. the order between issue events
of delayed transactions) and that τ is a minimal violation, the following lemma shows that
we can assume w.l.o.g. that γ contains only stores events from transactions that were issued
before.
◮ Lemma 36. Let τ = α · isu(p, t) · β · del(p0, t) · γ be a minimal violation such that isu(p, t)
happens-before del(p′, t) through β. Then, τ ′ = α · isu(p, t) · β · del(p0, t) · γ
′, such that γ′
contains only stores events from transactions that were issued before γ, is also a minimal
violation.
Proof. We can notice that after executing the event del(p0, t), we obtain a cycle in the HBt
relation. Thus, τ ′ is already a robustness violation. ◭
Next, we show that for a minimal violation of the shape τ = α · isu(p, t) · β · del(p0, t) · γ
such that isu(p, t) happens-before del(p0, t) through β, we must have an event isu(p
′, t′) ∈ β
such that isu(p′, t′) happens before del(p0, t).
◮ Lemma 37. Let τ = α · isu(p, t) · β · del(p0, t) · γ be a minimal violation such that isu(p, t)
happens-before del(p0, t) through β. Then, there must exist an event isu(p
′, t′) ∈ β such that
isu(p′, t′) happens-before del(p0, t), i.e., (isu(p
′, t′), del(p0, t)) ∈ HB.
Proof. Suppose by contradiction that β does not contain an event isu(p′, t′) such that
isu(p′, t′) happens before del(p0, t). Then, isu(p, t) happens-before del(p
′, t) through β iff p′ =
p since the happens-before through path is formed only by store events. Thus, we obtain a
contradiction. Therefore, β does contain an event isu(p′, t′) such that (isu(p′, t′), del(p0, t)) ∈
HB. ◭
Based on the above lemma, we obtain a corollary which states that if there exist a
minimal violation trace then we can extract another minimal violation trace which is of the
shape τ = α · isu(p, t) · β · (p′, t′) · del(p0, t) · γ such that isu(p, t) happens-before del(p
′, t)
through β · (p′, t′), (isu(p, t), (p′, t′)) ∈ HB and ((p′, t′), del(p0, t)) ∈ HB
1; STO.
34 REFERENCES
◮ Lemma 38. Let τ = α · isu(p, t) · β · del(p0, t) · γ be a minimal violation such that isu(p, t)
happens-before del(p′, t) through β. Then, τ ′ = α · isu(p, t) · β · (p′, t′) · del(p0, t) · γ such
that isu(p, t) happens-before del(p′, t) through β · (p′, t′), and (isu(p, t), (p′, t′)) ∈ HB, and
((p′, t′), del(p0, t)) ∈ HB
1; STO?, is also a minimal violation.
Proof. From Lemma 37, we know that there must exist an event isu(p′, t′) such that (isu(p′, t′), del(p0, t)) ∈
HB. Suppose isu(p′, t′) is the last issue event that occurs in β such that (isu(p′, t′), del(p0, t)) ∈
HB. Therefore, we can safely remove every issue event and atomic event which occur
after isu(p′, t′) with all related stores (i.e, stores of the issue events) and we obtain τ0 =
α·isu(p, t)·β1 ·isu(p
′, t′)·β2 ·del(p0, t)·γ such that β1 ⊂ β and β2 ⊂ β and the number of delays
of τ0 is less or equal to the one of τ . Since β2 contains only store events, then we can safely
combine isu(p′, t′) with all its store events and obtain τ1 = α·isu(p, t)·β1·(p
′, t′)·β′2·del(p0, t)·γ1
which has the same number of delays as τ0. If (isu(p, t), (p
′, t′)) 6∈ HB then we can swap the
two events and obtain τ2 = α · (p
′, t′) · isu(p, t) · β1 · β3 · del(p0, t) · γ2 as minimal violation as
well.
Then, applying Lemma 37 over τ2 and redoing the above process recursively, we can
construct a minimal violation trace τ ′ = α′ · isu(p, t) · β′1 · (p
′, t′) · β′2 · del(p0, t) · γ
′ which has
the same number of delays as τ (otherwise, we get a contradiction) such that isu(p, t) happens-
before del(p′, t) through β′1 · (p
′, t′) ·β′2, (isu(p, t), (p
′, t′)) ∈ HB, ((p′, t′), del(p0, t)) ∈ HB, and
β′2 contains only store events.
Since in β′2 we have only store events and ((p
′, t′), del(p0, t)) ∈ HB and there is no other is-
sue events of transaction t′′ 6= t such that ((p′, t′), isu(p′′, t′′)) ∈ HB and (isu(p′′, t′′), del(p0, t)) ∈
HB. Then, (isu(p, t), (p′, t′)) 6∈ CO. Therefore, del(p′, t) ∈ β′2 · del(p0, t) · γ
′.
Given τ ′ = α′ · isu(p, t) · β′1 · (p
′, t′) · β′2 · del(p0, t) · γ
′, we will demonstrate that the
store events in β′2 can either be moved to β
′
1 or γ
′. If ((p′, t′), del(p0, t)) ∈ HB
1; STO?
then we can safely move the store events in β′2 to γ
′ also we get that ((p′, t′), del(p′, t)) ∈
HB1; STO? (since del(p′, t) ∈ β′2 · del(p0, t) · γ
′). Otherwise, there must exist a transaction
t′′ such that ((p′, t′), del(p0, t
′′)) ∈ HB1; STO? and (del(p0, t
′′), del(p0, t)) ∈ WW
+. However,
since t is the first delayed transaction then t′′ was issued in β′1. We assume that in β
′
1
we don’t have an (p1, t1) (or isu(p1, t1)) event such that ((p1, t1), del(p1, t)) ∈ HB
1; STO (or
(isu(p1, t1), del(p1, t)) ∈ HB
1; STO?) 4. Thus, if (isu(p′′, t′′), (p′, t′)) ∈ HB then we get a
new minimal violation from τ ′ without delaying transaction t (because of the cycle formed
by (isu(p′′, t′′), (p′, t′)) ∈ HB and ((p′, t′), del(p0, t
′′)) ∈ HB1; STO?). Therefore, if t was
delayed over the issue event of another transaction which causally depends on it, we get a
contradiction. If t was not delayed over another transaction which causally depends on it,
we can safely remove t and related stores, and obtain τ ′′ = α′ · β12 · isu(p
′′, t′′) · β12 · (p
′, t′) ·
del(p0, t
′′)·γ′′ such that (isu(p′′, t′′), (p′, t′)) ∈ HB and ((p′, t′), del(p0, t
′′)) ∈ HB1; STO? which
has the same number of violation.
Thus, in both cases we get a minimal violation trace τ ′ = α·isu(p, t)·β ·(p′, t′)·del(p0, t)·γ
such that isu(p, t) happens-before del(p′, t) through β · (p′, t′), and (isu(p, t), (p′, t′)) ∈ HB,
and ((p′, t′), del(p0, t)) ∈ HB
1; STO?.
◭
4 Otherwise, we take t1 instead of t
′ and repeat the same reasoning.
REFERENCES 35
E Proofs For Section 5.1 (Minimal Violations under CCv)
The characterization of minimal violations under CCv is stated in the following theorem where
we state explicitly the properties of Theorem 6 that were given in Fig. 6. We say that a
sequence of issue events ev1 ·ev2 ·. . . evn forms a causality chain when (evi, evi+1) ∈ CO for all
1 ≤ i ≤ n−1. Also, for simplicity, we use “macro-events” (p, t) even in traces obtained under
causal consistency (recall that this notation was introduced to simplify serializable traces),
i.e., we assume that any sequence of events formed of an issue isu(p, t) followed immediately
by all the store events del(p′, t) is replaced by (p, t). Then, all the relations that held between
an event ev of such a sequence and another event ev ′, e.g., (ev, ev′) ∈ PO, are defined to
hold as well between the corresponding macro-event (p, t) and ev′, e.g, ((p, t), ev ′) ∈ PO.
◮ Theorem 39. A program P is not robust under CCv iff there exists a minimal violation τ
under CCv such that one of the following must hold:
1. τ = α · isu(p, t) · β2 · (p0, t0) · del(p0, t) · γ where:
(a) isu(p, t) is the issue of the first and only delayed transaction in τ (Lemmas 41 and
42);
(b) (isu(p, t), (p0, t0)) ∈ WW(x) and ((p0, t0), isu(p, t)) ∈ RW(x) (Lemma 41);
(c) ∀ a ∈ β2. (isu(p, t), a) ∈ HB \ CO and (a, (p0, t0)) ∈ CO (Lemma 41);
(d) γ contains only stores of t (Lemma 36).
2. τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ where:
(a) isu(p, t) and isu(p1, t1) are the issues of the first and last delayed transactions in τ
(Lemmas 41 and 42);
(b) the issues of all the delayed transactions are in β1 and they are included in a causality
chain that starts with isu(p, t) and ends with isu(p1, t1) (Lemma 42);
(c) for any event a ∈ β2, we have that (isu(p, t), a) ∈ HB \ CO and (a, del(p0, t)) ∈ HB
(Lemma 41);
(d) isu(p1, t1) happens before del(p0, t) through β2 (Lemma 41);
(e) there exist events a and b in β2 such that (isu(p1, t1), a) ∈ WW(x) ∪ RW(x) and
(b, del(p0, t)) ∈ RW(y) with x 6= y (Lemma 41);
(f) all delayed transactions in isu(p, t) · β1 don’t access the variable x (Lemma 45);
(g) γ contains only stores of delayed transactions that were issued in β1 (Lemma 36).
Note that the theorem above allows β = ǫ, γ = ǫ, p = p1, t = t1, and t1 to be a read-
only transaction. If t1 is a read-only transaction then isu(p1, t1) has the same effect as
≡ (p1, t1) and t1 does not contain actions that may or may not be visible. The delayed
transactions in β1 cannot create a cycle in the transactional happens-before (otherwise,
α · isu(p, t) · β1 · del(p0, t) · γ
′ would be a violation with a smaller number of delays than τ ,
which contradicts minimality). Moreover, (c) implies that β2 contains no stores of delayed
transactions from β. If this were the case, then either these stores can be reordered after
del(p0, t) or if this is not possible due to happens-before constraints, then necessarily there
would exist an issue event which is after such a store in the happens-before order and thus
causally after isu(p, t).
We start with an important of property of the store order relation WW that is enforced
by CCv semantics since the writes of different transactions are “visible” to different processes
in the same order given by their timestamps.
36 REFERENCES
◮ Lemma 40. Let τ ∈ TrCCv(P) be a trace. If (isu(p0, t0), del(p0, t1)) ∈ WW(x) where
del(p0, t1) is the store of t1 issued by p1, then (isu(p1, t1), del(p1, t0)) 6∈ WW(x) and for every
other process p 6∈ {p0, p1} we have that (del(p, t1), del(p, t0)) 6∈ WW(x).
Let τ = α·isu(p, t)·β1 ·isu(p1, t1)·β2·del(p0, t)·γ be a trace such that (isu(p, t), isu(p1, t1)) ∈
CO and (isu(p1, t1), del(p0, t)) ∈ HB. Then, we say that isu(p1, t1) was overstepped by
del(p0, t).
The following lemma characterizes the relation between the last delayed transaction that
was overstepped by the first delayed transaction and the store of the first delayed transaction.
Also, it shows the nature of the first and last happens-before relations in the happens-before
path between the issue of the last delayed transaction and the store of the first delayed
transaction.
◮ Lemma 41. Let τ = α · isu(p, t) · β · del(p0, t) · γ be a minimal violation under CCv. Then,
one of the following three cases must hold:
1. σ = {c ∈ β | (isu(p, t), c) ∈ CO} is empty and
τ = α · isu(p, t) · β · (p0, t0) · del(p0, t) · γ where:
(a) (isu(p, t), (p0, t0)) ∈ WW(x) and ((p0, t0), isu(p, t)) ∈ RW(x);
(b) ∀ a ∈ β. (isu(p, t), a) ∈ HB \ CO and (a, (p0, t0)) ∈ CO.
2. σ = {c ∈ β | (isu(p, t), c) ∈ CO} is empty and
τ = α · isu(p, t) · β · del(p0, t) · γ where:
(a) isu(p, t) happens-before del(p0, t) through β;
(b) ∀ a ∈ β. (isu(p, t), a) ∈ HB \ CO and (a, del(p0, t)) ∈ HB;
(c) there exist events a and b in β such that (isu(p, t), a) ∈ WW(x)∪RW(x), (b, del(p0, t)) ∈
RW(y), and x 6= y.
3. σ = {c ∈ β | (isu(p, t), c) ∈ CO} is not empty and isu(p1, t1) is the last issue event from
σ in τ , then
τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ where:
(a) isu(p1, t1) happens-before del(p0, t) through β2;
(b) for any event a ∈ β2, we have that (isu(p, t), a) ∈ HB \ CO and (a, del(p0, t)) ∈ HB;
(c) there exist events a and b in β2 such that (isu(p1, t1), a) ∈ WW(x)∪RW(x), (b, del(p0, t)) ∈
RW(y), and x 6= y.
Proof. It is important to note that ((p0, t0), isu(p, t)) ∈ RW(x) iff ((p0, t0), del(p0, t)) ∈
RW(x); STO.
First, suppose that σ is empty. We know that from Lemma 32, there must exist b ∈ β
such that (isu(p, t), b) ∈ HB1; STO? and (b, del(p0, t)) ∈ HB. Thus, let b be the first event of
β, i.e., β = b·β1. We know that β does not contain events that are related to isu(p, t) through
CO (which includes PO∪WR), therefore, the only possibilities are (isu(p, t), b) ∈ WW; STO?
or (isu(p, t), b) ∈ RW; STO?. Note that if (isu(p, t), del(p, t0)) ∈ RW ∪WW it does not imply
(isu(p, t), del(p, t0)) ∈ CO unless (isu(p, t), isu(p0, t0)) ∈ CO.
It is impossible that b = del(p, t0). If it were the case, then (b, del(p0, t)) ∈ HB would
imply the existence of another event isu(p, t2) which occurs after b and before del(p0, t).
However, since (isu(p, t), isu(p, t2)) ∈ CO we get a contradiction to the fact that σ is empty.
Also, from Lemma 38, there must exist c = (p3, t3) such that β1 = β2 · c (c and b
might be equal) where (c, del(p0, t)) ∈ HB
1; STO?. Which, either implies (c, del(p0, t)) ∈
HB1; STO or (c, del(p0, t)) ∈ HB
1. If (c, del(p0, t)) ∈ HB
1; STO and (c, del(p0, t)) 6∈ HB
1.
REFERENCES 37
Then, (c, del(p0, t)) ∈ (RW ∪ WW); STO and (c, del(p0, t)) 6∈ RW ∪ WW which means that
del(p0, t) discarded some write which is possible only if c and t write to the same shared
variable (see Lemma 46). We obtain that (isu(p, t), c) ∈ WW. Thus, assuming that for every
a ∈ β, (isu(p, t), a) ∈ HB, we can safely remove a from β if (a, c) 6∈ CO and the obtained
trace is a violation since (isu(p, t), c) ∈ WW and (c, del(p0, t)) ∈ (RW ∪WW); STO.
Otherwise, the only remaining cases are b = (p4, t4) such that (isu(p, t), b) ∈ WW(x) or
(isu(p, t), b) ∈ RW(x) such that (b, c) ∈ HB and (c, del(p0, t)) ∈ HB
1 (c and b can be identical)
which is possible only if (c, del(p0, t)) ∈ RW(y), for some y. We assume c corresponds to the
first transaction in β that reads from the shared variable y written by t.
Now, we show by contradiction that x and y cannot be equal. Consider the case
(isu(p, t), b) ∈ RW(x) and b = (p4, t4) which implies b 6= del(p0, t). However, (isu(p, t), b) ∈
RW(x) implies that t4 writes to the variable x, therefore, if x = y then (isu(p, t), del(p, t4)) ∈
WW(x) and (del(p0, t4), del(p0, t)) ∈ WW(x) (because (c, del(p0, t)) ∈ RW(y)) which is not
possible under CCv (Lemma 40). Thus, x 6= y. The remaining cases are similar.
Second, assume that σ is not empty. If all the elements of σ are store events, we obtain
the same characterization as in the first case. Since τ does not contain an issue event that is
causally related to isu(p, t) (because σ contains only stores) then all stores in σ are stores of
t (t is the first delayed transaction in τ). Given del(p2, t) ∈ σ, if (del(p2, t), del(p0, t)) ∈ HB
then there must exist c ∈ β such that (del(p2, t), c) ∈ (PO ∪ WW ∪ WR ∪ STO ∪ RW) and
(c, del(p0, t)) ∈ HB, and since σ contains stores of t then (del(p2, t), c) ∈ WW(x) and c =
(p3, t3) which implies (isu(p, t), c) ∈ WW(x). Thus, we can remove del(p2, t) from τ (because
no event in β depends on del(p2, t)) obtaining τ
′ and we still have (isu(p, t), c) ∈ WW(x)
and (c, del(p0, t)) ∈ HB in τ
′. Therefore, we obtain a new minimal violation trace τ ′ with
the same delay number and happens-before as τ where in τ ′, σ is empty. Thus, we obtain
a minimal violation traces as in the first case.
Otherwise, let d = isu(p1, t1) be the last issue event in σ, i.e., β = β1 · d · β2 where all
the events in β2 are either stores of transactions that are causally related to isu(p, t) (we
can safely remove these stores or move them to be part of γ) or other events that are not
causally related to isu(p, t). We also have that isu(p, t) is in causal order before d.
In the current case, we cannot have c = (p1, t2) ∈ β2 such that (c, del(p0, t)) ∈ HB
1; STO
and (c, del(p0, t)) 6∈ HB
1. Because if it were the case then we can obtain a new minimal viola-
tion by removing all events related to t1 and we have a cycle that is formed by (isu(p, t), c) ∈
HB1 and (c, del(p0, t)) ∈ HB
1; STO, which is a contradiction because the new minimal vi-
olation has less number of delays then the original one because t was not delayed after t′.
We obtain that τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ. Similar to before, we must
have b, c ∈ β2 such that (isu(p1, t1), b) ∈ WW(y) or (isu(p1, t1), b) ∈ RW(y), and (b, c) ∈ HB,
and (c, del(p0, t)) ∈ RW(x) (note that we may have b = c). We show that x 6= y. Assume
by contradiction that x = y. Consider the case (isu(p1, t1), b) ∈ RW(x) and b an event of a
transaction t2 issued by a process p2. Since (c, del(p0, t)) ∈ RW(x), we have that t writes to
x. Therefore, we obtain (isu(p, t), del(p, t2)) ∈ WW(x) and (del(p0, t2), del(p0, t)) ∈ WW(x)
which is not possible under CCv semantics (Lemma 40). Thus, x 6= y. The other cases can
be handled in a similar way. ◭
In the rest of this section we focus on minimal violations that satisfy the third case in
Lemma 41 (the proofs concerning the first two cases are similar and simpler). For a minimal
violation τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ, the transactions t and t1 are
involved in a cycle in the transactional happens-before HBt. By an abuse of terminology,
we say that (isu(p, t), isu(p1, t1), del(p0, t)) is a happens-before cycle. The following lemma
shows that we can always obtain a minimal violation trace where β2 contains no delayed
38 REFERENCES
transaction. Thus, we show that if it were to have a delayed transaction in β2, then it is
possible to remove some transaction from τ that is either causally dependent on the first
delayed transaction in τ , and obtain a new violation with a smaller number of delays which
contradicts the minimality assumption. Otherwise, in the case where there is no transaction
which is causally dependent on the first delayed transaction, we remove the first transaction
and we obtain another minimal violation trace with the same number of delays. Then, we
repeat this recursively until either we obtain a contradiction or a minimal violation trace
where β2 does not contain a delayed transaction.
◮ Lemma 42. Let τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ be a minimal violation.
Then, there exist τ ′ = α · isu(p, t) ·β′1 · isu(p1, t1) ·β
′
2 · del(p0, t) · γ
′ a minimal violation, where
β′2 contains no delayed transactions (τ
′ is obtained from τ , and τ and τ ′ can be equal).
Proof. We consider two cases in the proof: first case is when t1 and t are two distinct
transactions, in which we prove by contradiction that β2 cannot contain a delayed transac-
tion. The second case is t1 and t correspond to the same transaction, in which we extract
new minimal violation trace where we remove the transaction t from the original minimal
violation trace.
First case: Suppose by contradiction that β2 contains a delayed transaction t0 issued by
a process q 6= p. Then, τ is of the form
τ = α · isu(p, t) ·β1 · isu(p1, t1) ·β21 · isu(q, t0) ·β22 · isu(q1, t
′
0) ·β23 · del(q0, t0) ·β24 · del(p0, t) · γ
We can notice that if we don’t have a happens-before relation between isu(q1, t
′
0) and
del(q0, t0) then we can reorder them and obtain new trace with less number of delays. Thus,
isu(q1, t
′
0) and del(q0, t0) are related by a happens-before through relation. We obtain a new
happens-before cycle formed by (isu(q, t0), isu(q1, t
′
0), del(q0, t0)), hence, we deduce that we
can get a violation when the event del(q0, t0) is executed, thus we can remove all issued
transactions from β24 except stores of already issued transactions and we obtain:
τ ′ = α · isu(p, t) ·β1 · isu(p1, t1) ·β21 · isu(q, t0) ·β22 · isu(q1, t
′
0) ·β23 ·del(q0, t0) ·β
′
24 ·del(p0, t) ·γ
which is a minimal violation because of the cycle formed by (isu(q, t0), isu(q1, t
′
0), del(q0, t0))
and its number of delays is less or equal to the one of τ . We know that in β21 · isu(q, t0) ·β22 ·
isu(q1, t
′
0) ·β23 · del(q0, t0) ·β
′
24 · del(p0, t) · γ there are no issued transactions from the process
p1 or that see the transactions of p1. Therefore, isu(p1, t1) is the last issued transaction
from p1 and we don’t have any transaction in τ
′ that depends on it. Thus, we can remove
isu(p1, t
′) and we obtain a valid execution:
τ ′′ = α · isu(p, t) · β1 · β21 · isu(q, t0) · β22 · isu(q1, t
′
0) · β23 · del(q0, t0) · β
′
24 · del(p0, t) · γ
′
τ ′′ is a violating execution’s trace because of the cycle formed by (isu(q, t0), isu(q1, t
′
0), del(q0, t0))
and has less number of delays than τ ′, a contradiction (del(p0, t) did not bypass isu(p1, t1)
that was removed).
Second case: Suppose that β2 contains a delayed transaction t0 issued by a process q 6= p.
Then, τ is of the form
τ = α · isu(p, t) · β21 · isu(q, t0) · β22 · isu(q1, t
′
0) · β23 · del(q0, t0) · β24 · del(p0, t) · γ
Similar to the justification in the previous case, we can safely remove isu(p, t) and its related
stores in del(p0, t)γ. We obtain a new trace:
τ ′ = α · β21 · isu(q, t0) · β22 · isu(q1, t
′
0) · β23 · del(q0, t0) · β24 · γ
′
which has the same number of delays as τ and τ ′ contains a cycle formed by (isu(q, t0), isu(q1, t
′
0), del(q0, t0)).
We recursively repeat the same reasoning we did for τ with τ ′ until we obtain a contradiction
or a minimal violation trace where β2 (β22) does not contain a delayed transaction.
REFERENCES 39
Note that the above proof steps hold in the case isu(q, t0) and isu(q1, t
′
0) are identical as
well.
◭
Next, we demonstrate that a minimal violation cannot have a transaction in β1 that was
delayed after the first delayed transaction but it is not causally dependent on it. We prove
this lemma by showing that if this were possible then we can remove a transaction that is
causally dependent on one of the two delayed transactions and obtain a new violation with
less number of delays, which contradicts the minimality assumption.
◮ Lemma 43. Let τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ be a minimal violation.
Then, isu(p, t) is causally related (i.e., in the relation CO) to all the issue events of delayed
transactions in β.
Proof. Assume by contradiction that β1 contains a delayed transaction t0 from another
process q 6= p that is not causally related isu(p, t). Hence, τ can be of one of the following
forms:
(a) τ = α· isu(p, t)·β11 · isu(q, t0)·β12 · isu(p1, t1)·β21 · isu(q1, t
′
0)·β22 ·del(q0, t0)·β23 ·del(p0, t)·γ
(b) τ = α· isu(p, t)·β11 · isu(q, t0)·β12 · isu(q1, t
′
0)·β13 · isu(p1, t1)·β21 ·del(q0, t0)·β22 ·del(p0, t)·γ
(c) τ = α · isu(p, t) · β11 · isu(q, t0) · β12 · isu(p1, t1) · β21 · del(q0, t0) · β22 · del(p0, t) · γ
Case a: we must have (isu(q1, t
′
0), del(q0, t0)) ∈ HB, otherwise, we can reorder the two
events and obtain a new trace with less number of delays. Hence, (isu(q, t0), isu(q1, t
′
0), del(q0, t0))
forms a happens-before cycle in τ . Since in γ1 ·isu(q1, t
′
0)·γ2 ·del(q0, t0)·γ3 there is no an issued
transaction that depends on isu(p1, t1), therefore, isu(p1, t1) is the last issued transaction by
p1 and we can remove it and obtain a new valid trace:
τ ′ = α · isu(p, t) · β1 · isu(q, t0) · β2 · isu(p1, t1) · γ1 · isu(q1, t
′
0) · γ2 · del(q0, t0) · γ3 · del(p0, t)
The trace τ ′ is a violation because of the happens-before cycle (isu(q, t0), isu(q1, t
′
0), del(q0, t0))
and has less number of delays than τ since del(p0, t) was not delayed after isu(p1, t1), a
contradiction.
Case b: for the same reason as in the case a, we conclude that the tuple (isu(q, t0), isu(q1, t
′
0), del(q0, t0))
forms a happens-before cycle in τ . Hence, after executing del(q0, t0) we get a violation, thus
we can remove all issued transactions in β22 and keep only the stores of already issued
transactions and we obtain:
τ ′ = α · isu(p, t) ·β11 · isu(q, t0) ·β12 · isu(q1, t
′
0) ·β13 · isu(p1, t1) ·β21 ·del(q0, t0) ·β
′
22 ·del(p0, t) ·γ
′.
τ ′ is a violation because of the happens-before cycle (isu(q, t0), isu(q1, t
′
0), del(q0, t0)) and
has less or equal number of delays as τ . In τ ′, we should have (isu(p1, t1), del(p0, t)) ∈ HB,
otherwise, we can reorder the two events and obtain a new trace with less number of delays.
Hence, (isu(p, t), isu(p1, t1), del(p0, t)) forms a cycle in τ
′. Similar to the previous case, since
in β13 · isu(p1, t1) · β21 · del(q0, t0) · β
′
22 · del(p0, t) · γ
′ there is no isu event that depends on
isu(q1, t
′
0), therefore, isu(q1, t
′
0) is the last issued transaction by q1 and we can safely remove
it and its associated stores and obtain a new valid trace:
τ ′′ = α · isu(p, t) · β11 · isu(q, t0) · β12 · β
′
13 · isu(p1, t1) · β
′
21 · del(q0, t0) · β
′′
22 · del(p0, t) · γ
′′
The trace τ ′′ is a violation because of the happens-before cycle (isu(p, t), isu(p1, t1), del(p0, t))
and has less number of delays than τ ′, since del(q0, t0) was not delayed after isu(q1, t
′
0), a
contradiction.
Case c. We know that if we don’t have a happens-before relation between isu(p1, t1) and
del(q0, t0) then we can reorder the two events and obtain new trace with less number of
40 REFERENCES
delays. Thus, isu(p1, t1) and del(q0, t0) are related by a happen before relation. Therefore,
we have a new happens-before cycle formed by (isu(q, t0), isu(p1, t1), del(q0, t0)). Hence, we
must have two events a, b ∈ β21 which correspond to the first transactions that access shared
variables that were updated by t and t0, respectively. This implies (a, del(p0, t)) ∈ RW and
(b, del(q0, t0)) ∈ RW. We take the two possible cases: a and b are from the same transaction
or a and b are from two different transactions.
If a and b are from different transactions, we take the earliest one by the happens before
order, assume it is a. Thus, β21 = β211 · a · β212 · b · β213. After executing a, we know that
we get a violation because of the cycle (isu(p, t), isu(p1, t1), a, del(p0, t)), therefore, we can
remove all issues of transactions (including atomic events) that are in β212 · b ·β213 including
b and we obtain β′212 · β
′
213 such that:
τ ′ = α · isu(p, t) ·β11 · isu(q, t0) ·β12 · isu(p1, t1) ·β211 ·a ·β
′
212 ·β
′
213 ·del(q0, t0) ·β22 ·del(p0, t) ·γ
Note that no transaction in β211 ·a ·β
′
212 ·β
′
213 reads from the shared variables that t0 wrote
to. Thus, we don’t need to delay the transaction t0 and we obtain a violation
τ ′′ = α · isu(p, t) · β11 · (q, t0) · β12 · isu(p1, t1) · β211 · a · β
′
212 · β
′
213 · β
′
22 · del(p0, t) · γ
with less number of delays than τ ′, because (q, t0) was not delayed after isu(p1, t1), which is
a contradiction.
Otherwise, if a and b are of the same transaction, assume the earliest load instruction
a reads from a shared variable that was updated by t (similarly if it was updated by both
t and t0). Thus, β21 = β211 · a · β212. After executing a, we know that we get a violation
because of the cycle (isu(p, t), isu(p1, t1), a, del(p0, t)), therefore, we can remove all issues of
transactions that are in β212 and we obtain β
′
212 such that:
τ ′ = α · isu(p, t) · β11 · isu(q, t0) · β12 · isu(p1, t1) · β211 · a · β
′
212 · del(q0, t0) · β22 · del(p0, t) · γ
Note that no transaction in β′212 reads from the shared variables that t0 wrote to, other than
the transaction corresponding to the event a. Thus, we don’t need to delay the transaction
t0 and we obtain:
τ ′′ = α · isu(p, t) · β11 · (q, t0) · β12 · isu(p1, t1) · β211 · a · β
′
212 · β
′
22 · del(p0, t) · γ
with less number of delays than τ ′ which is a contradiction.
◭
The following lemma shows that if the store of the first delayed transaction in a minimal
violation oversteps some transaction (more precisely, its issue event), then the later must be
causally related to the last delayed transaction. We prove this lemma by showing that if
the contrary were to happen, then the overstepped transaction can be removed to obtain a
violation with a smaller number of delays (the first delayed transaction no longer oversteps
the removed transaction) which contradicts the minimality assumption.
◮ Lemma 44. Let τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ be a minimal violation.
Then, for every issue event ev in {c ∈ β1 | (isu(p, t), c) ∈ CO} of a delayed transaction, we
have that (ev, isu(p1, t1)) ∈ CO.
Proof. Assume by contradiction that τ contains an issue isu(q, t0) of a delayed transaction
which is not causally before isu(p1, t1). Then,
τ = α · isu(p, t) · β11 · isu(q, t0) · β12 · isu(p1, t1) · β2 · del(p0, t) · γ
We know that β12 · isu(p1, t1) ·β2 ·del(p0, t) ·γ contains no issue of transaction that is causally
after isu(q, t0), which implies that t0 is the last transaction issued by q in τ . Thus, we can
safely remove isu(q, t0) (and all related store events in γ) and obtain:
τ ′ = α · isu(p, t) · β11 · β12 · isu(p1, t1) · β2 · del(p0, t) · γ1
REFERENCES 41
which is a violation because of the happens-before cycle formed by (isu(p, t), isu(p1, t1), del(p0, t))
and it has less number of delays because t was not delayed after isu(q, t0), a contradiction. ◭
Next, we show that all delayed transactions in isu(p, t)·β1 don’t access the shared variable
x that starts the happens-before path in β2 (mentioned in the Lemma 41). If this were not
the case, then the last delayed transaction can be removed and still guarantee a happens-
before path to del(p0, t) (starting in the delayed transaction accessing the variable x), thus
obtaining a trace with less number of delays, which contradicts the minimality assumption.
◮ Lemma 45. Let τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ be a minimal violation
such that there exists an event a in β2 with (isu(p1, t1), a) ∈ WW(x)∪ RW(x). Then, all the
delayed transactions in isu(p, t) · β1 don’t access the shared variable x.
Proof. Suppose by contradiction that we have an issue isu(p2, t2) in isu(p, t) · β1 which
accesses the shared variable x with either a load or store instruction. Then, in both cases
(isu(p2, t2), a) ∈ WW(x) ∪ RW(x) because β2 · del(p0, t) · γ does not contain any transaction
that causally depends on isu(p1, t1). Therefore, isu(p1, t1) is the last issued transaction by
the process p1 and we can remove it and all related stores in γ to obtain:
τ ′ = α · isu(p, t) · β11 · isu(p2, t2) · β12 · β2 · del(p0, t) · γ
′
which is a violation because of the happens-before cycle formed by (isu(p, t), isu(p2, t2), del(p0, t)).
Furthermore, τ ′ has less delays, a contradiction to minimality. ◭
◮ Lemma 46. Let τ = α · isu(p, t) · β · (p0, t0) · del(p0, t) · γ be a minimal violation such
that isu(p, t) happens-before del(p0, t) through β · (p0, t0), and (isu(p, t), (p0, t0)) ∈ HB, and
((p0, t0), del(p0, t)) ∈ HB
1; STO?. If ((p0, t0), del(p0, t)) ∈ HB
1; STO and ((p0, t0), del(p0, t)) 6∈
HB1 then (isu(p, t), (p0, t0)) ∈ WW
Proof. ((p0, t0), del(p0, t)) ∈ HB
1; STO implies that ((p0, t0), isu(p, t)) ∈ HB
1. Also, since
(p0, t0) occurs after isu(p, t) and (isu(p, t), (p0, t0)) ∈ HB then ((p0, t0), isu(p, t)) 6∈ CO, hence,
((p0, t0), isu(p, t)) ∈ (WW ∪ RW) and since in CCv semantics the store order is based on
timestamps, thus ((p0, t0), isu(p, t)) ∈ RW. This is possible only if there exist a transaction
t2 such that ((p2, t2), (p0, t0)) ∈ WR and ((p2, t2), isu(p, t)) ∈ WW or (p_0,t_0) reads an
initial value that isu(p, t) tries to overwrite. Also, since ((p0, t0), del(p0, t)) 6∈ HB
1 then
((p0, t0), del(p0, t)) 6∈ RW which means that del(p0, t) discarded some write to a variable x
where ((p0, t0), isu(p, t)) ∈ RW(x) and ((p0, t0), del(p0, t)) 6∈ RW(x). Therefore, there must
exist a transaction t3 which occurs after isu(p, t) and before del(p0, t) which writes x at
process p0. Since the t0 reads from the write of t2 or reads the initial value, thus, the
transaction t3 refers to t0 where the write x occurs after the read from x. Therefore, both
t0 and t write to x which implies that (isu(p, t), (p0, t0)) ∈ WW(x). ◭
F Proofs For Section 5.2 (Minimal Violations under CM)
The following theorem gives the characterization of minimal violations under CM where we
state explicitly the properties of Theorem 7 that were given in Fig. 6. Roughly, a program is
not robust if it admits a minimal violation which can either be because of two “concurrent”
transactions (which are not causally related) that write to the same variable or because of
a restriction of the pattern admitted by CCv where the last delayed transaction must be
related only by RW in a happens-before path with future transactions. The first pattern
is not admitted by CCv because the writes to each variable are executed according to the
timestamp order (CM doesn’t hold the CCv property stated in Lemma 40).
42 REFERENCES
◮ Theorem 47. A program P is not robust under CM iff there exists a minimal violation τ
under CM such that one of the following must hold:
1. τ = α · isu(p, t) · β2 · (p0, t0) · del(p0, t) · γ, where:
(a) isu(p, t) is the issue of the first and only delayed transaction in τ (Lemma 48);
(b) (isu(p, t), (p0, t0)) ∈ WW(x) and ((p0, t0), del(p0, t)) ∈ WW(x) (Lemma 48);
(c) ∀ a ∈ β2. (isu(p, t), a) ∈ HB \ CO and (a, (p0, t
′)) ∈ CO (Lemma 48);
(d) γ contains only stores of t (Lemma 36).
2. τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ, where
(a) isu(p, t) and isu(p1, t1) are the issues of the first and last delayed transactions in τ
(Lemmas 48 and 49);
(b) the issues of all the delayed transactions are in β1 and they are included in a causality
chain that starts with isu(p, t) and ends with isu(p1, t1) (Lemma 49);
(c) for any event a ∈ β2, we have that (isu(p, t), a) ∈ HB \ CO and (a, del(p0, t)) ∈ HB
(Lemma 48);
(d) isu(p1, t1) happens before del(p0, t) through β2 (Lemma 48);
(e) there exist events a and b in β2 such that (isu(p1, t1), a) ∈ RW(x) and (b, del(p0, t)) ∈
RW(y) with x 6= y (Lemma 48);
(f) all delayed transactions in isu(p, t) · β1 don’t access the variable x;
(g) γ contains only stores of delayed transactions that were issued in β1 (Lemma 36).
In this section, we give the lemmas that constitute the properties of minimal violations
traces under causal memory semantics, and which need different arguments than those used
for causal convergence (see Section E).
In the first case of Lemma 41 under CCv model, we have that (isu(p, t), (p0, t0)) ∈ WW(x)
and ((p0, t0), isu(p, t)) ∈ RW(x). Which under CM model implies that (isu(p, t), (p0, t0)) ∈
WW(x) and ((p0, t0), del(p0, t)) ∈ WW(x) since del events in CM semantics do not discard
writes. Therefore, we obtain the case of write-write race.
The next lemma describes the different varieties of minimal violations and characterizes
the relation between the last delayed transaction that was overstepped by the first delayed
transaction and the store of the first delayed transaction.
◮ Lemma 48. Let τ = α · isu(p, t) · β · del(p0, t) · γ be a minimal violation under CM. Then,
one of the following three cases must hold:
1. there exist (p0, t0) ∈ β where (isu(p, t), (p0, t0)) 6∈ CO, (isu(p, t), (p0, t0)) ∈ WW, and
((p0, t0), del(p0, t)) ∈ HB. Therefore,
τ = α · isu(p, t) · β2 · (p0, t0) · del(p0, t) where:
(a) β2 ⊂ β and ∀ a ∈ β2. (isu(p, t), a) ∈ HB and (a, (p0, t0)) ∈ CO.
2. if σ = {c ∈ β | (isu(p, t), c) ∈ CO} is empty, then
τ = α · isu(p, t) · β2 · del(p0, t) where:
(a) β2 ⊂ β and isu(p, t) happens before del(p0, t) through β2;
(b) there exist events a and b in β2 such that (isu(p, t), a) ∈ RW(x), (b, del(p0, t)) ∈ RW(y),
and x 6= y.
3. if σ = {c ∈ β | (isu(p, t), c) ∈ CO} is not empty and isu(p1, t1) is the last issue event from
σ in τ , then
τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ where:
REFERENCES 43
(a) β1 ⊂ β, β2 ⊂ β, and isu(p1, t1) happens before del(p0, t) through β2;
(b) there exist events a and b in β2 such that (isu(p1, t1), a) ∈ RW(x), (b, del(p0, t)) ∈
RW(y), and x 6= y.
Proof. First, assume that β contains a transaction (p0, t0) that is concurrent with (p, t), i.e.,
(isu(p, t), (p0, t0)) 6∈ CO, and which writes to a common shared variable with (p, t). Therefore,
we obtain that (isu(p, t), (p0, t0)) ∈ WW. Also, we must get ((p0, t0), del(p0, t)) ∈ WW as
well. Then, we get a happens-before cycle formed by (isu(p, t), (p0, t0), del(p0, t)) where p
and p0 are two different processes executing two concurrent transactions. Thus, we can
build a violation τ = α · isu(p, t) · β2 · (p0, t0) · del(p0, t) by executing all transactions of p
that are before t and their causal past, and all transactions of p0 and their causal past, then
executing t and t0, and removing all events from β which occur after isu(p, t) and are not
part of the causal past of (p_0,t_0) resulting in β2.
Second, assume that β contains no transaction like above, and that the set of events
σ = {c ∈ β | (isu(p, t), c) ∈ CO} is empty. We know that from Lemma 32, there must exist
b ∈ β such that (isu(p, t), b) ∈ HB and (b, del(p0, t)) ∈ HB. Hence, let b be the first event
of β, i.e., β = b · β1. We know that β does not contain actions that are causally related to
isu(p, t) (which includes PO ∪ WR), therefore, the only possibilities are (isu(p, t), b) ∈ WW
or (isu(p, t), b) ∈ RW. However, if (isu(p, t), b) ∈ WW we get the previous case, which is a
contradiction to the hypothesis of the current case. Also, we have that b 6= del(p, t2), for
any t2, using a similar argument as in Lemma 41. The only remaining case is b = (p2, t2)
and (isu(p, t), b) ∈ RW(x), which implies b 6= del(p0, t). Then, there exists c ∈ β such that
(c, del(p0, t)) ∈ RW(y), for some y. We assume c is the first transaction in β that has a
load that reads from any shared variable y that t writes to. However, (isu(p, t), b) ∈ RW(x)
implies that b writes to x, therefore, if x = y then (isu(p, t), (p2, t2)) ∈ WW(x), hence, we
obtain the first case, a contradiction to the hypothesis. Thus, x 6= y.
Third, assume that β contains no transaction like in first case, and that the set of events
σ = {c ∈ β | (isu(p, t), c) ∈ CO} is not empty and t3 from the first case does not exist. If
all the elements of σ are stores we obtain the same characterization as the previous case.
Since τ does not contain an issue of transaction that is causally related to isu(p, t) (because
σ contains only stores) then all stores in σ are stores of t (t is the first delayed transaction in
τ). Given del(p2, t) ∈ σ, if (del(p2, t), del(p0, t)) ∈ HB then there must exist c ∈ β such that
(del(p2, t), c) ∈ (PO ∪WW ∪WR ∪ STO ∪ RW) and (c, del(p0, t)) ∈ HB, and since σ contains
stores of t then (del(p2, t), c) ∈ WW(x) and c = (p3, t3) which implies (isu(p, t), c) ∈ WW(x).
Thus, we can remove del(p2, t) from τ (because no event in β depends on del(p2, t)) obtaining
τ ′ and we still have (isu(p, t), c) ∈ WW(x) and (c, del(p0, t)) ∈ HB in τ
′. Therefore, we obtain
a new minimal violation trace τ ′ with the same delay number and happens-before as τ where
in τ ′, σ is empty. Thus, we obtain a minimal violation trace as in the second case.
Otherwise, let d = isu(p1, t1) be the last non-store event in {c ∈ β | ((p, t), c) ∈ CO},
i.e., β = β1 · d · β2 which means that all events in β2 are either stores of transactions that
are causally related to t or other transactions that are not causally related to t. Thus,
τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ. Then, (isu(p1, t1), del(p0, t)) ∈ HB or we
can swap the two events and we get a new trace with less number of delays (a contradiction
to minimality). Hence, we must have b, c ∈ β2 such that (isu(p1, t1), b) ∈ WW(y) or
(isu(p1, t1), b) ∈ RW(y) and (b, c) ∈ HB and (c, del(p0, t)) ∈ RW(x). It is not possible that
(isu(p1, t1), b) ∈ WW(y) because if it were the case then we can remove all elements from β2
except b = (p2, t2) and its causal past, β2 = β2 · (p2, t2), and add the store del(p0, t1) (and
its causal past of stores, γ) to τ and we obtain:
τ ′ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · (p2, t2) · del(p0, t) · γ · del(p0, t1)
44 REFERENCES
τ ′ contains a cycle formed by (isu(p1, t1), (p2, t2)) ∈ WW(y) and ((p2, t2), del(p0, t1)) ∈
WW(y) and the number of delays in τ ′ is less or equal to the number of delays of τ . We can
notice that we don’t need to delay t to be after isu(p1, t
′), thus, we obtain:
τ ′′ = α · (p, t) · β1 · isu(p1, t1) · β2 · (p2, t2) · γ
′ · del(p0, t1)
τ ′′ contains the same happens-before cycle as τ ′ and its number of delays is less than τ ′, a
contradiction.
We show that x 6= y. Consider the case, (isu(p1, t1), b) ∈ RW(x) and b = (p2, t2). If
x = y, we obtain that (isu(p, t), (p2, t2)) ∈ WW(x) and ((p2, t2), del(p0, t)) ∈ WW(x). Thus,
b satisfies the conditions of the first case of the lemma which we assumed are not satisfied
in our current case, a contradiction. Therefore, x 6= y. ◭
Next, we show that for a given minimal violation trace, we can obtain another minimal
violation where there are no delayed transactions in β2. The proof of this lemma has many
similarities with the proof of Lemma 42
◮ Lemma 49. Let τ = α·isu(p, t)·β1 ·isu(p1, t1)·β2 ·del(p0, t)·γ be a minimal violation. Then,
there are no delayed transactions in β2. Then, there exist τ
′ = α · isu(p, t) ·β′1 · isu(p1, t1) ·β
′
2 ·
del(p0, t) · γ
′ a minimal violation, where β′2 contains no delayed transactions (τ
′ is obtained
from τ , and τ and τ ′ can be equal).
Proof. We will prove either we obtain a contradiction or we can extract a new minimal
violation trace with one less delayed transaction and recursively we continue this reasoning
until we get a contradiction or obtain a new minima violation trace where β2 does not
contain a delayed transaction.
Suppose that β2 contains a delayed transaction t0 issued by a process q 6= p. Then, τ is
of one of the following forms:
(a) τ = α · isu(p, t) ·β1 · isu(p1, t1) ·β21 · isu(q, t0) ·β22 · isu(q1, t
′
0) ·β23 ·del(q0, t0) ·β24 ·del(p0, t) ·γ
(b) τ = α · isu(p, t) · β1 · isu(p1, t1) · β21 · isu(q, t0) · β22 · (q1, t
′
0) · del(q0, t0) · β23 · del(p0, t) · γ
(c) τ = α · isu(p, t) · β21 · isu(q, t0) · β22 · (q1, t
′
0) · del(q0, t0) · β23 · (p0, t
′) · del(p0, t) · γ
(d) τ = α · isu(p, t) · β21 · isu(q, t0) · β22 · isu(q1, t
′
0) · β23 · del(q0, t0) · β24 · (p0, t
′) · del(p0, t) · γ
The proof of the case (a) is similar to that of Lemma 42. Concerning the case (b), we
know that after executing the event del(q0, t0), we have obtained a violation because of the
happens-before cycle formed by (isu(q, t0), (q1, t
′
0), del(q0, t0)). Also, since β21 · isu(q, t0) ·
β22 · (q1, t
′
0) · del(q0, t0) · β23 · del(p0, t) · γ contains no issue event that is causally related to
isu(p1, t1), and isu(p1, t1) is the last transaction issued by p1 in τ . Therefore, we can remove
isu(p1, t1) and all related stores events from τ and obtain:
τ ′ = α · isu(p, t) · β1 · β21 · isu(q, t0) · β22 · (q1, t
′
0) · del(q0, t0) · β22 · del(p0, t) · γ
′
which is a violation because of the happens-before cycle formed by (isu(q, t0), (q1, t
′
0), del(q0, t0))
and has less number of delays than τ because del(p0, t) was not delayed after isu(p1, t1), a
contradiction. Cases (c) and (d) can be proven in the same way as shown in the previous
case and in the proof of Lemma 42. ◭
◮ Lemma 50. Let τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ be a minimal violation.
Then, isu(p, t) is causally before (i.e., in the relation CO) all the issue events of delayed
transactions in β1.
Proof. Assume by contradiction that β1 contains a delayed transaction t0 from another
process q 6= p that is not causally after isu(p, t). Hence, τ can be of one of the following
forms:
REFERENCES 45
(a) τ = α· isu(p, t)·β11 · isu(q, t0)·β12 · isu(p1, t1)·β21 · isu(q1, t
′
0)·β22 ·del(q0, t0)·β23 ·del(p0, t)·γ
(b) τ = α· isu(p, t)·β11 · isu(q, t0)·β12 · isu(q1, t
′
0)·β13 · isu(p1, t1)·β21 ·del(q0, t0)·β22 ·del(p0, t)·γ
(c) τ = α · isu(p, t) · β11 · isu(q, t0) · β12 · isu(p1, t1) · β21 · del(q0, t0) · β22 · del(p0, t) · γ
(d) τ = α · isu(p, t) · β11 · isu(q, t0) · β12 · (q1, t
′
0) · del(q0, t0) · β13 · isu(p1, t1) · β2 · del(p0, t) · γ
Cases (a), (b), and (c) have the same proof as the cases (a), (b), and (c) in the proof of
Lemma 43, respectively.
We consider now case (d), notice that in τ after executing del(q0, t0) we get a happens-
before cycle formed by (isu(q, t0), (q1, t
′
0), del(q0, t0)). Therefore, we can remove all issued
transactions and their associated stores events from β13 · isu(p1, t1) · β2 · del(p0, t) · γ excepts
the stores of already issued transactions and we obtain:
τ ′ = α · isu(p, t) · β1 · isu(q, t0) · β12 · (q1, t
′
0) · del(q0, t0)β
′
13 · β
′
2 · del(p0, t) · γ
′
τ ′ is a violation because of the happens-before cycle (isu(q, t0), (q1, t
′
0), del(q0, t0)) and has
less number of delays than τ since del(p0, t) was not delayed after isu(p1, t1) which was
removed, a contradiction.
◭
The rest of the properties in Theorem 47 can be proved as in Lemma 44 and Lemma 45.
G The Complete Instrumentation
In this section, we present the instrumentation for all the instructions for the attacker,
visibility helper, and happens-before helper.
G.1 Instrumentation of the Attacker
We provide in Fig. 14, the instrumentation of the instructions of the attacker. Such a process
passes through an initial phase where it executes transactions that are visible immediately
to all the other processes (i.e., they are not delayed), and then non-deterministically it can
choose to delay a transaction. When the attacker randomly chooses the first transaction to
start delaying of transactions, it sets the flag atrA to true in the instruction begin (line (3)).
Then, it sets the flag p.a to 1 to indicate that the current process is the attacker. During
the first delayed transaction, the attacker chooses randomly a write instruction to a shared
variable x and stores the name of this variable in the flag astA (line (8)). The values written
during delayed transactions are stored in the primed variables and are visible only to the
attacker and the visibility helpers. For example, given a variable y, all the writes to y from
the original program are transformed into writes to the primed version y′ (line (6)).
Each time the attacker writes to a variable y′ (the copy of y from the original program)
during a delayed transaction, it sets the flag y′.event to st (line (7)) which will allow other
processes that read the same variable to join the set of visibility helpers and start delaying
their transactions. Once the attacker delays a transaction, it will read only from the primed
variables (i.e., y′). If the attacker wants to start the happens-before path, it has to execute
a transaction that either reads or writes to a shared variable x′ that was not accessed by a
delayed transaction (i.e., x′.event =⊥). In this case we set the variable HB to true (lines (4)
and (9)) to mark the start of the happens before path and the end of the visibility chains,
and set the flag x.event to ld (lines (5) and (10)). When the flag HB is set to true the
attacker stops executing new transactions. We can notice that when the HB is set to true,
we can no longer execute new transactions from the attacker (all conditions in lines (1) and
(2) become false).
46 REFERENCES
[[l1: begin; goto l2;]]A =
// Typical execution of begin
l1: assume HB =⊥ ∧(p.a 6=⊥ ∨atrA =⊥); goto lx1; (1)
lx1: begin; goto l2;
// Begin of first delayed transaction
l1: assume HB =⊥ ∧ atrA =⊥ ; goto lx2; (2)
lx2: begin; goto lx3;
lx3: p.a := 1; goto lx4;
lx4: Foreach x ∈ V. x
′ := x; goto lx5;
lx5: atrA := true; goto l2; (3)
[[l1: r := x; goto l2;]]A =
// Read before attacker starts delaying
// transactions
l1: assume atrA =⊥ ; goto lx1;
lx1: r := x; goto l2;
// Read in delayed transactions
l1: assume atrA 6=⊥ ∧p.a 6=⊥ ; goto lx2;
lx2: r := x
′
; goto lx3;
lx3: x
′
.event := ld; goto l2;
// Special read in last delayed transaction
l1: assume (x
′
.event =⊥ ∧ astA 6=⊥
∧ p.a 6=⊥); goto lx4;
lx4: r := x
′
; goto lx5;
lx5: HB := true; goto lx6; (4)
lx6: x.event := ld; goto l2; (5)
[[l1: x := e; goto l2;]]A =
// Write before attacker starts delaying
// transactions
l1: assume atrA =⊥ ; goto lx1;
lx1: x := e; goto l2;
// Write in delayed transactions
l1: assume atrA 6=⊥ ∧p.a 6=⊥ ; goto lx2;
lx2: x
′ := e; goto lx3; (6)
lx3: x
′
.event := st; goto l2; (7)
// Special write in first delayed transaction
l1: assume astA =⊥ ∧ atrA 6=⊥ ∧p.a 6=⊥ ; goto lx4;
lx4: x
′ := e; goto lx5;
lx5: astA := ‘x‘; goto lx6; (8)
lx6: x
′
.event := st; goto l2;
// Special write in last delayed transaction
l1: assume x
′
.event =⊥ ∧astA 6=⊥ ∧p.a 6=⊥ ; goto lx7;
lx7: x
′ := e; goto lx8;
lx8: HB := true; goto lx9; (9)
lx9: x.event := ld; goto l2; (10)
[[l1: end; goto l2;]]A =
l1: assume atrA =⊥ ∨ p.a 6=⊥ ; goto lx1;
lx1: end; goto l2;
Figure 14 Instrumentation of the Attacker. We use ‘x‘ to denote the name of the shared variable
x.
G.2 Instrumentation of the Visibility Helpers
Fig. 15 lists the instrumentation of the instructions of a process that belongs to the set
of visibility helpers. Such a process passes through an initial phase where it executes the
original code instructions (lines (11) and (19)) until the flag atrA is set to true by the attacker.
Then, it continues the execution of its original instructions but, whenever it stores a value
it writes it to both the shared variable x and the primed variable x′ so it is visible to all
processes. Non deterministically it chooses a first transaction to delay, at which point it
joins the set of visibility helpers. It sets the flag p.vh to false signaling its desire to join the
visibility helpers and randomly chooses a transaction (the begin of this transaction is shown
in line (18)) through which the process will join the set of visibility helpers. The process
directly starts delaying its writes, i.e., writing to primed variables, and reading only from
delayed writes, i.e., from primed variables, and behaving the same as the attacker. When
a process choses a first transaction to delay (during the begin instruction) it has made
a pledge that during this transaction it will read from a variable that was updated by a
another delayed transaction from either the attacker or some other visibility helper. This
is to ensure that this transaction extends the visibility chain. Hence, the local process flag
p.vh will be set to true when the process meets its pledge (line (21)). If the process does
not keep its pledge (i.e., p.vh is equal to false) at the end of the transaction (i.e., during the
end instruction) we block the execution. Thus, when executing the end instruction of the
underlying transaction we check whether the flag p.vh is null, if so we block the execution
(line (16)).
REFERENCES 47
When a process joins the visibility helpers, it delays all writes and reads only from the
primed variables (lines (12) and (20)). Similar to the attacker, a process in the visibility
helpers delays a write to a shared variable y by writing to y′, it sets the flag y′.event to
st (line (13)). In order for a process in the visibility helpers to start the happens-before
path, it has to either read or write a shared variable x that was not accessed by a delayed
transaction (i.e., x′.event =⊥). In this case we set the flag HB to true (lines (14) and (22))
to mark the start of the happens before path and the end of the visibility chains and set the
flag x.event to ld (lines (15) and (23)). When the flag HB is set to true, all processes in the
set of visibility helpers stop issuing new transactions because all conditions for executing
the begin instruction become false.
Notice that in the underlying procedure for selecting a process to join the set of vis-
ibility helpers, it suffices that the first transaction executed by the process to be causally
dependent on some transaction t which was executed by the existing visibility helpers or
the attacker. The transaction t does not need to be the last transaction executed by the
existing visibility helpers or the attacker. Therefore, the instrumentation allows executions
that contain several “concurrent” causality chains that start from the first delayed transac-
tion (of the attacker), however, at least one of these chains must end with the last delayed
transaction in the execution. This is a slight deviation from the characterization of minimal
violations in Theorem 6 and Theorem 7 where all the delayed transactions must be causally
related to the last delayed transaction, which however has no impact on the correctness of
the instrumentation (stated in Theorem 10). The delayed transactions that are not causally
related to the last delayed transaction could be safely removed from the execution in order
to get a minimal violation.
G.3 Instrumentation of the Happens-Before Helpers
The remaining processes, which are not the attacker or a visibility helper, can become a
happens-before helper. Fig. 16 lists the instrumentation of the instructions of a happens-
before helper.
In a first phase, each process executes the original code until the flag atrA is set to true by
the attacker. This flag signals the “creation” of the secondary copy of the shared-variables,
which can be observed only by the attacker and the visibility helpers. At this point, the
process enters a phase where it continues executing its original instructions, however, when it
stores a value it writes it in both the shared variable x and the primed variable x′ (lines (28)
and (29)). The latter is needed in order to make the written values visible to the attacker
and the visibility helpers. Even though it writes to primed variables as well, it only reads
from the original shared variables (line (25)).
Once the flag HB is set to true, the process (which cannot be the Attacker, i.e., the flag
p.a is null, or a visibility helper, i.e., the flag p.vh is null) chooses non-deterministically a
first transaction (the begin of this transaction is shown in line (24)) through which it wants
to join the set of happens-before helpers, i.e., continue the happens-before path created by
the existing happens-before helpers. Similar to visibility helpers, when a process choses
a transaction, it makes a pledge (while executing the begin instruction) that during this
transaction it will either read a variable updated by a delayed transaction or another happens-
before helper, or write to a variable that was accessed (read or written) by another happens-
before helper. When the pledge is met, the process sets the flag p.hbh to true (lines (26)
and (31)). The execution is blocked if a process does not keep its pledge (i.e., the flag p.hbh
is null) at the end of the transaction (line (35)). We use a flag x.event for each variable x
to record the type (read ld or write st) of the last access made by a happens-before helper
48 REFERENCES
[[l1: x := e; goto l2;]]VH =
// Write before attacker starts
// delaying transactions
l1: assume atrA =⊥ ; goto lx1;
lx1: x := e; goto l2; (11)
// Write before joining visibility helpers
l1: assume atrA 6=⊥ ∧p.vh = p.a =⊥ ; goto lx2;
lx2: x
′ := e; goto lx3;
lx3: x := e; goto l2;
// Write after joining visibility helpers
l1: assume atrA 6=⊥ ∧p.vh 6=⊥ ; goto lx4;
lx4: x
′ := e; goto lx5; (12)
lx5: x
′
.event := st; goto l2; (13)
// Special write in last delayed transaction
l1: assume (x
′
.event =⊥ ∧ astA 6=⊥
∧ p.vh 6=⊥); goto lx6;
lx6: HB := true; goto lx7; (14)
lx7: x.event := ld; goto lx8; (15)
lx8: x
′
:= e; goto l2;
[[l1: end; goto l2;]]VH =
// End before joining visibility helpers
l1: assume atrA =⊥ ∨(atrA 6=⊥ ∧ p.vh =⊥); goto lx1;
lx1: end; goto l2;
// End after joining visibility helpers
l1: assume atrA 6=⊥ ∧ p.vh = true; goto lx2;
lx2: end; goto l2;
// Failed attempt to join visibility helpers
l1: assume atrA 6=⊥ ∧ p.vh = false; assume false; (16)
[[l1: begin; goto l2;]]VH =
// Begin before becoming visibility helpers
l1: assume HB =⊥ ∧ (atrA =⊥ ∨p.vh =⊥); goto lx1;
lx1: begin; goto l2; (17)
// Begin of first delayed transaction to join
// visibility helpers
l1: assume HB =⊥ ∧ atrA 6=⊥ ∧ p.vh = p.a =⊥ ; goto lx2;
lx2: begin; goto lx3;
lx3: p.vh := false; goto lx4;
// Copying visibility flags before the first transaction
// starts executing and modifying the flags
lx4: Foreach x
′ ∈ V. x′.event′ := x′.event; goto l2;
// Begin after joining visibility helpers
l1: assume HB =⊥ ∧ atrA 6=⊥ ∧ p.vh = true; goto lx5;
lx5: begin; goto l2; (18)
[[l1: r := x; goto l2;]]VH =
// Read before joining visibility helpers
l1: assume atrA =⊥ ∨(p.vh = p.a =⊥); goto lx1;
lx1: r := x; goto l2; (19)
// Read after joining visibility helpers
l1: assume atrA 6=⊥ ∧ p.vh 6=⊥ ; goto lx2;
lx2: r := x
′
; goto lx3; (20)
lx3: assume x
′
.event
′ = st ∧ p.vh = false; goto lx4;
lx4: p.vh := true; goto l2; (21)
lx3: assume x
′
.event
′ 6= st ∨ p.vh = true; goto l2;
// Special read in last delayed transaction
l1: assume (x
′
.event =⊥ ∧ astA 6=⊥
∧ p.vh 6=⊥); goto lx5;
lx5: HB := true; goto lx6; (22)
lx6: x.event := ld; goto lx7; (23)
lx7: r := x
′
; goto l2;
Figure 15 Instrumentation of the Visibility Helpers.
(lines (27) and (30)). Moreover, once HB is set to true (i.e., there are no more delayed
transactions), the process can write and read only the original shared variables, since the
primed versions are no longer in use.
The happens-before helpers continue executing their instructions, until one of them reads
from the shared variable x whose name was stored in astA . This establishes a happens-before
path between the last delayed transaction and a “fictitious” store event corresponding to
the first delayed transaction that could be executed just after this read of x. The execution
doesn’t have to contain this store event explicitly since it is always enabled. Therefore, at
the end of every transaction, the instrumentation checks whether the transaction read x.
If it is the case, then the execution stops and goes to an error state to indicate that this
is a robustness violation. The happens-before helpers processes continue executing their
instructions, until one of them executes a load that reads from (or a write to) the shared
variable x that was stored in astA which implies the existence of a happens-before cycle. Thus,
when executing the instruction end at the end of every transaction, we have a conditional
check to detect if we have a load or a write accessing the variable x (lines (32), (33), and
(34)). When the check detects that the variable x was accessed, the execution goes to the
error state (line (34)) to indicate that the execution has produced a violating trace and we
REFERENCES 49
[[l1: begin; goto l2;]]HbH =
// Begin before becoming happens-before helpers
l1: assume HB =⊥ ∧p.vh = p.a =⊥ ; goto lx1;
lx1: begin; goto l2;
// Begin of first transactions to join
// happens-before helpers
l1: assume HB 6=⊥ ∧p.hbh = p.vh = p.a =⊥ ; goto lx2;
lx2: begin; goto lx3; (24)
// Copying happens-before flags before
// first transaction first transaction
// starts executing and modifying the flags
lx3: Foreach x ∈ V. x.event
′ := x.event; goto l2;
// Begin after joining happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh 6=⊥ ; goto lx4;
lx4: begin; goto l2;
[[l1: r := x; goto l2;]]HbH =
// Read before the last delayed transaction
l1: assume HB =⊥ ∧p.vh = p.a =⊥ ; goto lx1;
lx1: r := x; goto l2; (25)
// Read after the last delayed transaction
l1: assume HB 6=⊥ ; goto lx2;
lx2: r := x; goto lx3;
lx3: assume x.event
′ = st ∧ p.hbh =⊥ ; goto lx4;
lx4: p.hbh := true; goto l2; (26)
lx3: assume x.event =⊥ ; goto lx5;
lx5: x.event := ld; goto l2; (27)
lx3: assume x.event 6=⊥ ∨ p.hbh 6=⊥ ; goto l2;
[[l1: x := e; goto l2;]]HbH =
// Write before delayed transactions
l1: assume HB =⊥ ∧ atrA =⊥ ; goto lx1;
lx1: x := e; goto l2;
// Write after delayed transactions and
// before the last delayed transaction
l1: assume HB =⊥ ∧ atrA 6=⊥ ∧p.vh = p.a =⊥ ; goto lx2;
lx2: x
′ := e; goto lx3; (28)
lx3: x := e; goto l2; (29)
// Write after the last delayed transaction
l1: assume HB 6=⊥ ∧p.vh = p.a =⊥ ; goto lx4;
lx4: x := e; goto lx5;
lx5: x.event := st; goto lx6; (30)
lx6: assume x.event
′ 6=⊥ ∧ p.hbh =⊥ ; goto lx7;
lx7: p.hbh := true; goto l2; (31)
lx6: assume x.event
′ =⊥ ∨ p.hbh 6=⊥ ; goto l2;
[[l1: end; goto l2;]]HbH =
// End before joining happens-before helpers
l1: assume HB =⊥ ∧p.vh = p.a =⊥ ; goto lx1;
lx1: end; goto l2;
// End after joining happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh 6=⊥ ; goto lx2;
lx2: end; goto lx3;
lx3: r˜ := astA ; goto lx4; (32)
lx4: r˜ := r˜.event; goto lx5; (33)
// End after reaching the error state
lx5: assume r˜ 6=⊥ ; assert false; (34)
lx5: assume r˜ =⊥ ; goto l2;
// Failed attempt to join happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh = p.vh = p.a =⊥ ; assume false; (35)
Figure 16 Instrumentation of Happens-Before Helpers.
denote the reached state of the instrumented program’s execution, the error state.
G.4 Instrumentation For the First Patterns in Theorems 6 and 7
The instrumentation given above is for finding minimal violation of the shape: τ = α ·
isu(p, t) ·β1 · isu(p1, t1) ·β2 · del(p0, t) · γ which corresponds to the pattern τCCv1 in Theorem 6
and the pattern τCM1 in Theorem 7.
The first case in Theorem 6 is of the shape: τ = α · isu(p, t) · β · (p0, t0) · del(p0, t) · γ
where t writes to a variable ‘x‘ and t0 writes and reads from the same variable and t is the
only delayed transaction in τ . Also, in β there must be no write to the variable ‘x‘ and
the read in t0 must occur before the write. To find this minimal violation, we reuse the
above instrumentation for the second case in Theorem 6 where the attacker delays a single
transaction and stops and there are no visibility helpers. In the attacker instrumentation,
the two cases for the special writes in first and last delayed transactions in Fig. 14 will
coincide. In Fig. 17, we show the instrumentation of the attacker that changes w.r.t. those
given in Fig. 14. In Fig. 18, we show the instrumentation of the happens-before helpers
that changes w.r.t. those given in Fig. 16. Note that t0 does read and write accesses to the
variable ‘x‘. Thus, we use two process-local flags p.tr and p.tw which determine if a process
did execute a transaction that does a read and a write accesses to the variable ‘x‘. The flags
50 REFERENCES
[[l1: x := e; goto l2;]]A =
// Write before attacker starts delaying
// transactions
l1: assume atrA =⊥ ; goto lx1;
lx1: x := e; goto l2;
// Write in delayed transactions
l1: assume atrA 6=⊥ ∧p.a 6=⊥ ; goto lx2;
lx2: x
′ := e; goto lx3;
// Special write in first and only delayed transaction
l1: assume astA =⊥ ∧ atrA 6=⊥ ∧p.a 6=⊥ ; goto lx4;
lx4: x
′
:= e; goto lx5;
lx5: astA := ‘x‘; goto lx6;
lx6: HB := true; goto lx7;
lx7: x.event := ld; goto l2;
Figure 17 Modified Instrumentation of the Attacker.
p.tr and p.tw are set to ⊥ each time a happens-before helper starts new transaction, and
each flag is set to true if the underlying transaction performs read or write (p.tr for read and
p.tw for write). Notice that we require that the read occurs before the write in Fig. 18. At
the end of the transaction, we check if both flags are set to true, if it is the case, then the
execution stops and goes to an error state to indicate that this is a robustness violation.
The first case in Theorem 7 is of the shape: τ = α · isu(p, t) · β · (p0, t0) · del(p0, t) · γ
where t and t0 both write to the same variable ‘x‘ and t is the only delayed transaction in τ .
Similar to the previous case, the attacker delays a single transaction and stops and there are
no visibility helpers. Therefore, the instrumentation of the attacker for the underlying case
is the same as the one given in Fig. 17. For the happens-before helpers, we do not require
the flags p.tr and p.tw from the previous case since modifying the condition in line (34) in
Fig. 16 from r˜ 6=⊥ to r˜ = st is sufficient to detect that a transaction in a happens-before
helper writes to the same variable as the delayed transaction.
H Soundness and Completeness of the Instrumentation
The aim of the instrumentation procedure is to reduce the problem of checking the existence
of the violation patterns described in Section 5.1 to reachability under SC of en error state
by the instrumented version of a program.
The instrumentation procedure is sound and complete iff if an error state is reachable,
then we can reconstruct a violation pattern, and every violation pattern ensures that the
error state is reachable by the instrumented version of the program.
◮ Theorem 51 (Soundness and Completeness). A program P is not robust iff the instrumented
version of it, P ′, reaches an error state under SER.
Proof. Soundness. Suppose the instrumented program reaches an error state. Then, the
execution’s trace of the instrumented program is of the form:
τ⋆ = τ1 · (p, t)
♣ · τ2 · (p1, t1)
♣ · τ3 · (p0, t2)
where transactions of the form t♣ designate transactions that write to the auxiliary variables
which are considered to be the delayed transactions. The last transaction, (p0, t2) performed
by a process p0 that has a load accessing the variable x = astA and is part of the happens-
before helpers. Because the conditional check can be performed only by a process (pHbH1)
that is one of the happens-before helpers and is executing.
REFERENCES 51
[[l1: begin; goto l2;]]HbH =
// Before joining happens-before helpers
l1: assume HB =⊥ ∧p.a =⊥ ; goto lx1;
lx1: begin; goto l2;
// Begin of first transactions to join
// happens-before helpers
l1: assume HB 6=⊥ ∧p.hbh = p.a =⊥ ; goto lx2;
lx2: begin; goto lx3;
// Copying happens-before flags ...
lx3: Foreach x ∈ V. x.event
′ := x.event; goto lx5;
// After joining happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh 6=⊥ ; goto lx4;
lx4: begin; goto lx5;
lx5: p.tr :=⊥ ; goto lx6;
lx6: p.tw :=⊥ ; goto l2;
[[l1: x := e; goto l2;]]HbH =
// Write before the first delayed transaction
l1: assume HB =⊥ ∧ atrA =⊥ ; goto lx1;
lx1: x := e; goto l2;
// Write after the first delayed transaction
l1: assume HB 6=⊥ ∧p.a =⊥ ; goto lx2;
lx2: x := e; goto lx3;
lx3: r1 := astA ; goto lx4;
lx4: r2 := ‘x‘; goto lx5;
lx5: assume r1 = r2; goto lx6;
lx6: p.tw := true; goto lx7;
lx5: assume r1 6= r2; goto lx7;
lx7: x.event := st; goto lx8;
lx8: assume x.event
′ 6=⊥ ∧ p.hbh =⊥ ; goto lx9;
lx9: p.hbh := true; goto l2;
lx8: assume x.event
′
=⊥ ∨ p.hbh 6=⊥ ; goto l2;
[[l1: r := x; goto l2;]]HbH =
// Read before the first delayed transaction
l1: assume HB =⊥ ∧p.a =⊥ ; goto lx1;
lx1: r := x; goto l2;
// Read after the first delayed transaction
l1: assume HB 6=⊥ ; goto lx2;
lx2: r := x; goto lx3;
lx3: r1 := astA ; goto lx4;
lx4: r2 := ‘x‘; goto lx5;
lx5: assume r1 = r2 ∧ p.tw =⊥ ∧x.event 6= st; goto lx6;
lx6: p.tr := true; goto lx7;
lx5: assume r1 6= r2; goto lx7;
lx7: assume x.event
′
= st ∧ p.hbh =⊥ ; goto lx8;
lx8: p.hbh := true; goto l2;
lx7: assume x.event =⊥ ; goto lx9;
lx9: x.event := ld; goto l2;
lx7: assume x.event 6=⊥ ∨ p.hbh 6=⊥ ; goto l2;
[[l1: end; goto l2;]]HbH =
// End before joining happens-before helpers
l1: assume HB =⊥ ∧p.a =⊥ ; goto lx1;
lx1: end; goto l2;
// End after joining happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh 6=⊥ ; goto lx2;
lx2: end; goto lx3;
// End after reaching the error state
lx3: assume p.tr 6=⊥ ∧ p.tw 6=⊥ ; assert false;
lx3: p.tr =⊥ ∨ p.tw =⊥ ; goto l2;
// Failed attempt to join happens-before helpers
l1: assume HB 6=⊥ ∧ p.hbh = p.a =⊥ ; assume false;
Figure 18 Modified Instrumentation of Happens-Before Helpers Processes.
52 REFERENCES
In order for pHbH1, to join the set of happens-before helpers, it must have found that the
valuation of the flag HB is not null which means there exists some process p that is either
an attacker or one of the visibility helpers that sets the flag HB to true. If p is one of the
visibility helpers then there must be an attacker processes that was the first process to start
the delaying of transactions and setting the flag atrA to true. Otherwise, p is the attacker
itself.
In τ1, the attacker, visibility helpers, and happens-before helpers start executing the
original instructions without setting any flags or delaying any transactions. Afterwards,
the attacker issues its first delayed transaction (p, t)♣ and it starts populating the primed
variables x′ and the visibility flags x′.event. In τ2, the visibility helpers continue executing
the original instructions with an additional check at every instruction whether the flags
x′.event are set to st. If so, they start delaying transactions. In τ2, the happens-before
helpers continue the same execution as in τ1 waiting until the last delayed transaction to
be issued (p′, t′)♣, then the flag HB is set to true. Hence, the happens-before helpers start
checking at every instruction whether the flags x.event are set to either st or ld. If so,
they start populating the flags x.event as well. When HB is set to true, the attacker and
visibility helpers stop issuing new transactions. Therefore, all transaction in τ3 are from the
happens-before helpers.
We now transform τ⋆ into the following CCv (resp., CM) execution trace:
τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ
Here, α′ is the subsequence of all τ1 events that are produced by instructions from P
without the conditionals checking (i.e., the assume statements). β1 is the subsequence of
all events of τ2 produced by transactions from P that were executed by the attacker or
visibility helpers or other processes which are not yet visibility or happens-before helpers.
The transactions which are executed by the attacker and visibility helpers represent the
delayed transactions in β1 with the removal of the conditionals checking and the flags setting.
β2 is the subsequence of all events of τ3 · (p0, t2) produced by transactions from P which
are executed only by the happens-before helpers except the conditionals checking and the
flags setting. We add the store of transaction del(p0, t) to describe the storing of the first
transaction that was delayed by the attacker by a happens-before helper p0 that executed
the last transaction that accessed the variable ‘x‘ = astA . In γ, we add the stores of the
delayed transactions in β1.
τ is a possible execution’s trace of the program P because τ⋆ is result of an execution of
the instrumented version of P and we have removed from τ all the effects of the instrument-
ation, and replaced the stores to auxiliary variables by issues of stores without changing the
dependency between all the events in the execution.
All transactions in β2 are from the happens-before helpers, therefore, ∀ a ∈ β2. (t, a) 6∈
CO. Transactions in β2 form a happens-before path between isu(p1, t1) and del(p0, t). Also,
we have a, b = (p0, t2) ∈ β2 such that (isu(p1, t1), a) ∈ RW(x) ∪WW(x) and (b, del(p0, t)) ∈
RW(y). All the delayed transactions are from the attacker and visibility helpers and were
issued in β1, therefore, all delayed transactions are in β1. Hence, τ indeed holds all the
properties of a minimal violation pattern defined in Theorems 6 and 7.
Completeness. Suppose we have a minimal violation trace pattern of a given program P :
τ = α · isu(p, t) · β1 · isu(p1, t1) · β2 · del(p0, t) · γ
such that τ maintains all the properties given in Theorems 6 and 7. We demonstrate that
there is a possible serializable execution based on τ of the instrumented version of the
program P that reaches the error state. Next, we show how to build the instrumented
REFERENCES 53
program execution.
At the start of the execution, α, the attacker, visibility helpers, and happens-before
helpers execute the original instructions with just conditional checks.
Afterwards, the attacker delays its first transaction (isu(p, t)) and starts delaying transac-
tions and populating the flags. In isu(p, t), the attacker issues a store to the shared variable
‘x‘ = astA and ∃ b ∈ β2 such that (b, del(p0, t)) ∈ RW(x). All delayed transactions in β1
forms a chain of causality that was started by isu(p, t). Thus, the executed transactions
in the chain which are not from the attacker, are from processes which constitute the set
of visibility helpers which are delaying their transactions after joining the set of visibility
helpers which was permissible because of their causal dependency on the attacker. All writes
that were executed in β1 by the processes that are delaying transactions (i.e., attacker and
visibility helpers) are invisible to the remaining processes which includes the happens-before
helpers.
When, the process p1 issues the last transaction, isu(p1, t1), it sets the content of the flag
x.event to ld if (isu(p1, t1), a) ∈ RW(x) or to st if (isu(p1, t1), a) ∈ WW(x) and it sets the
flag HB to true.
On the other hand, the processes which are executing their transactions without delaying
them will attempt to join the happens-before helpers by checking if the flag HB is set to true.
If so, they start the attempt of joining the happens-before helpers and when it succeed they
joining the happens-before helpers and start executing their transactions which constitute
β2. The first executed transaction by the happens-before helpers is a described above which
signals the start of β2 and the happen before path. Thus, in β2, we have only transactions
form the happens-before helpers (because the attacker and visibility helpers stop when the
flag HB is set to true) such that they are related by the happen before path that started from
isu(p1, t1) until it reaches del(p0, t) through β2. We know that there must exist b ∈ β2 such
that (b, del(p0, t)) ∈ RW(‘x‘ = astA). b is equivalent to the last executed transaction by the
happens-before helpers that accesses the shared variable x. Thus, the underlying happens-
before helper will set the content of the flag x.event to ld. Hence, when the underlying
process executes the end instruction of this transaction, it will go to the error state (lines
(32), (33), and (34)) and in this case the instrumented version of the program P has reached
the desired error state. ◭
I Examples of Programs Instrumentation
In this section, we illustrate the instrumentations on the SB and LU programs which lead
to the detection of the minimal violations given in Fig. 6b and Fig. 6a. In Fig. 19 and
Fig. 20, we show the instrumentations of the two processes of SB program, where p1 is the
Attacker and p2 is a Happens-Before Helper. Similarly, in Fig. 21 and Fig. 22, we show the
instrumentations of the two processes of LU program, where p1 is the Attacker and p2 is a
Happens-Before Helper.
54 REFERENCES
// Original Program
l1: begin; goto l2;
l2: x := 1; goto l3;
l3: end; goto l4;
l4: begin; goto l5;
l5: r1 := y; goto l6;
l6: end; goto l7;
// Instrumented Program
[[l1: begin; goto l2;]]A =
l1: assume HB =⊥ ∧(p1.a 6=⊥ ∨atrA =⊥); goto lb1;
lb1: begin; goto l2;
l1: assume HB =⊥ ∧ atrA =⊥ ; goto lb2;
lb2: begin; goto lb3;
lb3: p1.a := 1; goto lb4;
lb4: Foreach z ∈ V. z
′ := z; goto lb5;
lb5: atrA := true; goto l2;
[[l2: x := 1; goto l3;]]A =
l2: assume atrA =⊥ ; goto ls1;
ls1: x := 1; goto l3;
l2: assume atrA 6=⊥ ∧p1.a 6=⊥ ; goto ls2;
ls2: x
′ := 1; goto ls3;
ls3: x
′
.event := st; goto l3;
l2: assume astA =⊥ ∧atrA 6=⊥ ∧p1.a 6=⊥ ; goto ls4;6 66 6
ls4: x
′
:= 1; goto ls5;
ls5: astA := ‘x‘; goto ls6;
ls6: x
′
.event := st; goto l3;
l2: assume (x
′
.event =⊥ ∧astA 6=⊥
∧ p1.a 6=⊥); goto ls7;
ls7: x
′ := 1; goto ls8;
ls8: HB := true; goto ls9;
ls9: x.event := ld; goto l3;
[[l3: end; goto l4;]]A =
l3: assume atrA =⊥ ∨ p1.a 6=⊥ ; goto lc1;6 6
lc1: end; goto l4;
[[l4: begin; goto l5;]]A =
l4: assume HB =⊥ ∧(p1.a 6=⊥ ∨atrA =⊥); goto lb1′;6 6
lb1′: begin; goto l5;
l4: assume HB =⊥ ∧ atrA =⊥ ; goto lb2′;
lb2′: begin; goto lb3′;
lb3′: p1.a := 1; goto lb4′;
lb4′: Foreach z ∈ V. z
′ := z; goto lb5′;
lb5′: atrA := true; goto l5;
[[l5: r1 := y; goto l6;]]A =
l5: assume atrA =⊥ ; goto ll1;
ll1: r1 := y; goto l6;
l5: assume atrA 6=⊥ ∧p1.a 6=⊥ ; goto ll2;
ll2: r1 := y
′
; goto ll3;
ll3: y
′
.event := ld; goto l6;
l5: assume (y
′
.event =⊥ ∧ astA 6=⊥66
∧ p1.a 6=⊥); goto ll4;6 6
ll4: r1 := y
′
; goto ll5;
ll5: HB := true; goto ll6;
ll6: y.event := ld; goto l6;
[[l6: end; goto l7;]]A =
l6: assume atrA =⊥ ∨ p1.a 6=⊥ ; goto lc1′;6 6
lc1′: end; goto l7;
Figure 19 Attacker instrumentation of the process p1 of the SB program in Fig. 4b. Highlighted
are the choices taken during the execution that reaches the error state.
REFERENCES 55
// Original Program
l1: begin; goto l2;
l2: y := 1; goto l3;
l3: end; goto l4;
l4: begin; goto l5;
l5: r2 := x; goto l6;
l6: end; goto l7;
// Instrumented Program
[[l1: begin; goto l2;]]HbH =
l1: assume HB =⊥ ∧p2.vh = p2.a =⊥ ; goto lb1;
lb1: begin; goto l2;
l1: assume (HB 6=⊥66
∧ p2.hbh = p2.vh = p2.a =⊥); goto lb2;
lb2: begin; goto lb3;
lb3: Foreach z ∈ V. z.event
′ := z.event; goto l2;
l1: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lb4;
lb4: begin; goto l2;
[[l2: y := 1; goto l3;]]HbH =
l2: assume HB =⊥ ∧atrA =⊥ ; goto ls1;
ls1: y := 1; goto l3;
l2: assume (HB =⊥ ∧atrA 6=⊥
∧ p2.vh = p2.a =⊥); goto ls2;
ls2: y
′ := 1; goto ls3;
ls3: y := 1; goto l3;
l2: assume HB 6=⊥ ∧p2.vh = p2.a =⊥ ; goto ls4;6 6
ls4: y := 1; goto ls5;
ls5: y.event := st; goto ls6;
ls6: assume y.event
′ 6=⊥ ∧ p2.hbh =⊥ ; goto ls7;6 6
ls7: p2.hbh := true; goto l3;
ls6: assume y.event
′ =⊥ ∨ p2.hbh 6=⊥ ; goto l3;
[[l3: end; goto l4;]]HbH =
l3: assume HB =⊥ ∧p2.vh = p2.a =⊥ ; goto lc1;
lc1: end; goto l4;
l3: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lc2;6 66 6
lc2: end; goto lc3;
lc3: r˜ := astA ; goto lc4;
lc4: r˜ := r˜.event; goto lc5;
lc5: assume r˜ 6=⊥ ; assert false;
lc5: assume r˜ =⊥ ; goto l4;
l3: assume HB 6=⊥ ∧ p2.hbh = p2.vh = p2.a =⊥ ; assume false;
[[l4: begin; goto l5;]]HbH =
l4: assume HB =⊥ ∧p2.vh = p2.a =⊥ ; goto lb1′ ;
lb1′ : begin; goto l5;
l4: assume HB 6=⊥ ∧p2.hbh = p2.vh = p2.a =⊥ ; goto lb2′;
lb2′ : begin; goto lb3′;
lb3′ : Foreach z ∈ V. z.event
′ := z.event; goto l5;
l4: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lb4′;6 66 6
lb4′ : begin; goto l5;
[[l5: r2 := x; goto l6;]]HbH =
l5: assume HB =⊥ ∧p2.vh = p2.a =⊥ ; goto ll1;
ll1: r2 := x; goto l6;
l5: assume HB 6=⊥ ; goto ll2;6 6
ll2: r2 := x; goto ll3;
ll3: assume x.event
′
= st ∧ p2.hbh =⊥ ; goto ll4;
ll4: p2.hbh := true; goto l6;
ll3: assume x.event =⊥ ; goto ll5;
ll5: x.event := ld; goto l6;
ll3: assume x.event 6=⊥ ∨ p2.hbh 6=⊥ ; goto l6;
[[l6: end; goto l7;]]HbH =
l6: assume HB =⊥ ∧p2.vh = p2.a =⊥ ; goto lc1′;
lc1′: end; goto l7;
l6: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lc2′;6 66 6
lc2′: end; goto lc3′;
lc3′: r˜ := astA ; goto lc4′;
lc4′: r˜ := r˜.event; goto lc5′;
lc5′: assume r˜ 6=⊥ ; assert false;6 6
lc5′: assume r˜ =⊥ ; goto l7;
l6: assume HB 6=⊥ ∧ p2.hbh = p2.vh = p2.a =⊥ ; assume false;
Figure 20 Happens-before helper instrumentation of the process p2 of the SB program in Fig.
4b. Highlighted are the choices taken during the execution that reaches the error state.
56 REFERENCES
// Original Program
l1: begin; goto l2;
l2: r1 := x; goto l3;
l3: x := r1 + 1; goto l4;
l4: end; goto l5;
// Instrumented Program
[[l2: r1 := x; goto l3;]]A =
l2: assume atrA =⊥ ; goto ll1;
ll1: r1 := x; goto l3;
l2: assume atrA 6=⊥ ∧p1.a 6=⊥ ; goto ll2;6 66 6
ll2: r1 := x
′
; goto ll3;
ll3: x
′
.event := ld; goto l3;
l2: assume (x
′
.event =⊥ ∧ astA 6=⊥
∧ p1.a 6=⊥); goto ll4;
ll4: HB := true; goto ll5;
ll5: x.event := ld; goto l3;
[[l4: end; goto l5;]]A =
l1: assume atrA =⊥ ∨ p1.a 6=⊥ ; goto lc1;6 6
lc1: end; goto l2;
[[l1: begin; goto l2;]]A =
l1: assume HB =⊥ ∧(p1.a 6=⊥ ∨atrA =⊥); goto lb1;
lb1: begin; goto l2;
l1: assume HB =⊥ ∧ atrA =⊥ ; goto lb2;
lb2: begin; goto lb3;
lb3: p1.a := 1; goto lb4;
lb4: Foreach z ∈ V. z
′ := z; goto lb5;
lb5: atrA := true; goto l2;
[[l3: x := r1 + 1; goto l4;]]A =
l3: assume atrA =⊥ ; goto ls1;
ls1: x := r1 + 1; goto l4;
l3: assume atrA 6=⊥ ∧p1.a 6=⊥ ; goto ls2;
ls2: x
′ := r1 + 1; goto ls3;
ls3: x
′
.event := st; goto l4;
l3: assume astA =⊥ ∧atrA 6=⊥ ∧p1.a 6=⊥ ; goto ls4;6 66 6
ls4: x
′ := r1 + 1; goto ls5;
ls5: astA := ‘x‘; goto ls6;
ls6: HB := true; goto ls7;
ls7: x.event := ld; goto l4;
Figure 21 Attacker instrumentation of the process p1 of the LU program in Fig. 4a. Highlighted
are the choices taken during the execution that reaches the error state.
REFERENCES 57
// Original Program
l1: begin; goto l2;
l2: r2 := x; goto l3;
l3: x := r2 + 1; goto l4;
l4: end; goto l5;
// Instrumented Program
[[l2: r2 := x; goto l3;]]HbH =
l2: assume HB =⊥ ∧p2.a =⊥ ; goto ll1;
lx1: r2 := x; goto l3;
l2: assume HB 6=⊥ ; goto ll2;6 6
ll2: r2 := x; goto ll3;
ll3: rr1 := astA ; goto ll4;
ll4: rr2 := ‘x‘; goto ll5;
ll5: assume (rr1 = rr2 ∧ p2.tw =⊥
∧ x.event 6= st); goto ll6;6 6
ll6: p2.tr := true; goto ll7;
ll5: assume rr1 6= rr2; goto ll7;
ll7: assume x.event
′ = st ∧ p2.hbh =⊥ ; goto ll8;
ll8: p2.hbh := true; goto l3;
ll7: assume x.event =⊥ ; goto ll9;
ll9: x.event := ld; goto l3;
ll7: assume x.event 6=⊥ ∨ p2.hbh 6=⊥ ; goto l3;
[[l4: end; goto l5;]]HbH =
l4: assume HB =⊥ ∧p2.a =⊥ ; goto lc1;
lc1: end; goto l5;
l4: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lc2;6 66 6
lc2: end; goto lc3;
lc3: assume p2.tr 6=⊥ ∧ p2.tw 6=⊥ ; assert false;6 66 6
lc3: p2.tr =⊥ ∨ p2.tw =⊥ ; goto l5;
l4: assume HB 6=⊥ ∧ p2.hbh = p2.a =⊥ ; assume false;
[[l1: begin; goto l2;]]HbH =
l1: assume HB =⊥ ∧p2.a =⊥ ; goto lb1;
lb1: begin; goto l2;
l1: assume HB 6=⊥ ∧p2.hbh = p2.a =⊥ ; goto lb2;6 6
lb2: begin; goto lb3;
lb3: Foreach z ∈ V. z.event
′ := z.event; goto lb5;
l1: assume HB 6=⊥ ∧ p2.hbh 6=⊥ ; goto lb4;
lb4: begin; goto lb5;
lb5: p2.tr :=⊥ ; goto lb6;
lb6: p2.tw :=⊥ ; goto l2;
[[l3: x := r2 + 1; goto l4;]]HbH =
l3: assume HB =⊥ ∧atrA =⊥ ; goto ls1;
ls1: x := r2 + 1; goto l4;
l3: assume HB 6=⊥ ∧p2.vh = p2.a =⊥ ; goto ls2;6 6
ls2: x := r2 + 1; goto ls3;
ls3: rr1 := astA ; goto ls4;
ls4: rr2 := ‘x‘; goto ls5;
ls5: assume rr1 = rr2; goto ls6;
ls6: p2.tw := true; goto ls7;
ls5: assume rr1 6= rr2; goto ls7;
ls7: x.event := st; goto ls8;
ls8: assume x.event
′
6=⊥ ∧ p2.hbh =⊥ ; goto ls9;
ls9: p2.hbh := true; goto l4;
ls8: assume x.event
′ =⊥ ∨ p2.hbh 6=⊥ ; goto l4;6 6
Figure 22 Happens-before helper instrumentation of the process p2 of the LU program in Fig.
4a. Highlighted are the choices taken during the execution that reaches the error state.
