3 research outputs found
Proving opacity of a pessimistic STM
Transactional Memory (TM) is a high-level programming abstraction for concurrency control that provides
programmers with the illusion of atomically executing blocks of code, called transactions. TMs come in
two categories, optimistic and pessimistic, where in the latter transactions never abort. While this simplifies
the programming model, high-performing pessimistic TMs can complex.
In this paper, we present the first formal verification of a pessimistic software TM algorithm, namely,
an algorithm proposed by Matveev and Shavit. The correctness criterion used is opacity, formalising the
transactional atomicity guarantees. We prove that this pessimistic TM is a refinement of an intermediate
opaque I/O-automaton, known as TMS2. To this end, we develop a rely-guarantee approach for reducing
the complexity of the proof. Proofs are mechanised in the interactive prover Isabelle
Mechanized proofs of opacity: A comparison of two techniques
Software transactional memory (STM) provides programmers with a high-level programming abstraction
for synchronization of parallel processes, allowing blocks of codes that execute in an interleaved manner to be treated
as atomic blocks. This atomicity property is captured by a correctness criterion called opacity, which relates the
behaviour of an STM implementation to those of a sequential atomic specification. In this paper, we prove opacity of
a recently proposed STM implementation: the Transactional Mutex Lock (TML) by Dalessandro et al. For this, we
employ two different methods: the first method directly shows all histories of TML to be opaque (proof by induction),
using a linearizability proof of TML as an assistance; the second method shows TML to be a refinement of an existing
intermediate specification called TMS2 which is known to be opaque (proof by simulation).
Both proofs are carried out within interactive provers, the first with KIV and the second with both Isabelle and
KIV. This allows to compare not only the proof techniques in principle, but also their complexity in mechanization.
It turns out that the second method, already leveraging an existing proof of opacity of TMS2, allows the proof to be
decomposed into two independent proofs in the way that the linearizability proof does not