Formal Aspects of Computing, Volume 30, Issue 5, pp 597–625

Mechanized proofs of opacity: a comparison of two techniques

  • John Derrick
  • Simon Doherty
  • Brijesh Dongol
  • Gerhard Schellhorn
  • Oleg Travkin
  • Heike Wehrheim
Open Access
Original Article


Software transactional memory (STM) provides programmers with a high-level abstraction for synchronizing parallel processes: blocks of code that execute in an interleaved manner can be treated as atomic blocks. This atomicity property is captured by a correctness criterion called opacity, which relates the behaviours of an STM implementation to those of a sequential atomic specification. In this paper, we prove opacity of a recently proposed STM implementation: the Transactional Mutex Lock (TML) by Dalessandro et al. For this, we employ two different methods: the first shows all histories of TML to be opaque directly (proof by induction), using a linearizability proof of TML as an aid; the second shows TML to be a refinement of an existing intermediate specification called TMS2, which is known to be opaque (proof by simulation). Both proofs are carried out within interactive provers, the first with KIV and the second with both Isabelle and KIV. This allows us to compare not only the proof techniques in principle but also the complexity of their mechanization. It turns out that the second method, which already leverages an existing proof of opacity of TMS2, allows the proof to be decomposed into two independent proofs in a way that the linearizability-based proof does not.
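The two objects the abstract names, the TML algorithm and the opacity criterion, in executable form. This is an added illustration, not code from the paper or from its KIV/Isabelle developments: the TML steps follow my reading of Dalessandro et al. (DDS+10 in the reference list below), with one global counter glb that is odd while a writer holds it, readers that validate glb after every read, and writers that acquire by CAS and store in place; the check implements the Guerraoui and Kapalka definition of opacity (every prefix of a history has a completion with a legal sequential reordering that respects real-time order) by brute force over all interleavings of a constructed two-transaction program. The program, all names, the `validate` switch and the treatment of pending non-commit operations (dropped from the prefix) are assumptions of this example and not the paper's.

```python
# Added example, not code from the paper or its KIV/Isabelle proofs: a step-level model of
# TML after my reading of Dalessandro et al. (DDS+10), plus a brute-force opacity check of
# every interleaving of a small program. Program, names and 'validate' are assumptions here.
import copy
import itertools

INIT_MEM = {'x': 0, 'y': 0}
# Constructed workload: T1 writes x then y; T2 reads x then y and must never see x=1, y=0.
PROGS = {'T1': [('begin',), ('write', 'x', 1), ('write', 'y', 1), ('commit',)],
         'T2': [('begin',), ('read', 'x'), ('read', 'y'), ('commit',)]}

def step(shared, t, hist, validate=True):
    """One atomic TML step of transaction t; appends its inv/res events to hist."""
    n, op = t['name'], PROGS[t['name']][t['pc']]
    if op[0] == 'begin':                        # loc := glb (glb is even here, see dfs)
        t['loc'], t['pc'] = shared['glb'], t['pc'] + 1
        hist += [('inv', n, 'begin', ()), ('res', n, 'begin', ())]
    elif op[0] == 'read' and t['sub'] == 0:     # v := mem[addr]
        hist.append(('inv', n, 'read', op[1:]))
        t['v'], t['sub'] = shared['mem'][op[1]], 1
    elif op[0] == 'read':                       # validate: abort if glb moved since begin
        if validate and shared['glb'] != t['loc']:
            hist.append(('res', n, 'abort', ()))
            t['status'] = 'aborted'
        else:
            hist.append(('res', n, 'read', (op[1], t['v'])))
            t['pc'], t['sub'] = t['pc'] + 1, 0
    elif op[0] == 'write' and t['sub'] == 0:    # acquire once: CAS(glb, loc, loc + 1)
        hist.append(('inv', n, 'write', op[1:]))
        if t['loc'] % 2 == 0 and shared['glb'] == t['loc']:
            shared['glb'] = t['loc'] = t['loc'] + 1
        t['sub'] = t['loc'] % 2                 # 1: lock held, the store is the next step
        if not t['sub']:                        # CAS failed: another writer is active
            hist.append(('res', n, 'abort', ()))
            t['status'] = 'aborted'
    elif op[0] == 'write':                      # store in place; a lock holder never aborts
        shared['mem'][op[1]] = op[2]
        hist.append(('res', n, 'write', op[1:]))
        t['pc'], t['sub'] = t['pc'] + 1, 0
    else:                                       # commit: release the lock if held
        hist.append(('inv', n, 'commit', ()))
        if t['loc'] % 2:
            shared['glb'] = t['loc'] + 1
        hist.append(('res', n, 'commit', ()))
        t['status'] = 'committed'

def tml_histories(validate=True):
    """All complete histories of PROGS under TML, by depth-first search over interleavings."""
    found = set()
    def dfs(shared, txs, hist):
        # begin spins while glb is odd (a writer holds the lock); a spin changes no state
        runnable = [i for i, t in enumerate(txs) if t['status'] == 'running' and not
                    (PROGS[t['name']][t['pc']][0] == 'begin' and shared['glb'] % 2)]
        if not runnable:
            found.add(tuple(hist))
        for i in runnable:
            s, ts, h = copy.deepcopy((shared, txs, hist))
            step(s, ts[i], h, validate)
            dfs(s, ts, h)
    dfs({'glb': 0, 'mem': dict(INIT_MEM)},
        [{'name': n, 'pc': 0, 'sub': 0, 'loc': 0, 'v': None, 'status': 'running'} for n in PROGS], [])
    return found

def legal(order, status, txs):   # each read sees its own last write, else the last committed one
    mem = dict(INIT_MEM)
    for n in order:
        buf = {}
        for kind, addr, val in txs[n]['ops']:
            if kind == 'write':
                buf[addr] = val
            elif val != buf.get(addr, mem[addr]):
                return False
        if status[n] == 'committed':
            mem.update(buf)
    return True

def final_state_opaque(h):
    """Some completion of h has a legal sequential reordering that respects real-time order."""
    txs = {}                                    # per tx: first/last index, status, pending inv, ops
    for i, (kind, name, op, arg) in enumerate(h):
        t = txs.setdefault(name, {'first': i, 'status': 'live', 'ops': []})
        t['last'], t['pending'] = i, (op if kind == 'inv' else None)
        if kind == 'res' and op in ('read', 'write'):
            t['ops'].append((op,) + arg)        # (op, addr, value)
        elif kind == 'res' and op in ('abort', 'commit'):
            t['status'] = {'abort': 'aborted', 'commit': 'committed'}[op]
    names = list(txs)
    choices = [[t['status']] if t['status'] != 'live' else         # completions of h
               ['committed', 'aborted'] if t['pending'] == 'commit' else ['aborted']
               for t in txs.values()]
    for statuses in itertools.product(*choices):
        for order in itertools.permutations(names):
            pos = {n: i for i, n in enumerate(order)}
            if any(txs[a]['status'] != 'live' and txs[a]['last'] < txs[b]['first'] and pos[a] > pos[b]
                   for a in names for b in names):
                continue                        # a finished before b began, yet b is ordered first
            if legal(order, dict(zip(names, statuses)), txs):
                return True
    return False

def is_opaque(h):   # opacity (Guerraoui and Kapalka): every prefix is final-state opaque
    return all(final_state_opaque(h[:i]) for i in range(len(h) + 1))
```

`all(is_opaque(h) for h in tml_histories())` explores every schedule of the two transactions and reports True: with TML, T2 either returns only the initial values (it began before T1 acquired glb) or only T1's committed values (it began after T1 released it), and anything in between is turned into an abort by the validation step. `tml_histories(validate=False)` drops that validation and produces a history in which T2 returns x=0 before T1's stores and y=1 after them; no sequential order explains it, so the check reports False. The enumeration is exactly what does not scale, which is why the paper argues over all histories by induction, or by simulation against TMS2, rather than by enumerating them.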


Keywords: Software transactional memory; Opacity; Verification; Refinement; KIV; Isabelle


References

  1. AGHR13.
    Attiya H, Gotsman A, Hans S, Rinetzky N (2013) A programming language perspective on transactional memory consistency. In: Fatourou P, Taubenfeld G (eds) PODC '13. ACM, pp 309–318
  2. AGHR14.
    Attiya H, Gotsman A, Hans S, Rinetzky N (2014) Safety of live transactions in transactional memory: TMS is necessary and sufficient. In: Kuhn F (ed) DISC, volume 8784 of LNCS. Springer, pp 376–390
  3. ASP16.
    Anand AS, Shyamasundar RK, Peri S (2016) Opacity proof for CaPR+ algorithm. In: Proceedings of the 17th international conference on distributed computing and networking, ICDCN '16, New York, NY, USA. ACM, pp 16:1–16:4
  4. COC+15.
    Cristal A, Kulahcioglu Ozkan B, Cohen E, Kestor G, Kuru I, Unsal OS, Tasiran S, Mutluergil SO, Elmas T (2015) Verification tools for transactional programs. In: Guerraoui R, Romano P (eds) Transactional memory. Foundations, algorithms, tools, and applications: COST Action Euro-TM IC1001, volume 8913 of LNCS. Springer, pp 283–306
  5. COP+07.
    Cohen A, O'Leary JW, Pnueli A, Tuttle MR, Zuck LD (2007) Verifying correctness of transactional memories. In: FMCAD, Washington, DC, USA. IEEE Computer Society, pp 37–44
  6. DD15.
    Dongol B, Derrick J (2015) Verifying linearisability: a comparative survey. ACM Comput Surv 48(2):19
  7. DDS+10.
    Dalessandro L, Dice D, Scott ML, Shavit N, Spear MF (2010) Transactional mutex locks. In: D'Ambra P, Guarracino MR, Talia D (eds) Euro-Par (2), volume 6272 of LNCS. Springer, pp 2–13
  8. DDS+15.
    Derrick J, Dongol B, Schellhorn G, Travkin O, Wehrheim H (2015) Verifying opacity of a transactional mutex lock. In: FM, volume 9109 of LNCS. Springer, pp 161–177
  9. DGLM04.
    Doherty S, Groves L, Luchangco V, Moir M (2004) Formal verification of a practical lock-free queue algorithm. In: FORTE, volume 3235 of LNCS. Springer, pp 97–114
  10. DGLM13.
    Doherty S, Groves L, Luchangco V, Moir M (2013) Towards formally specifying and verifying transactional memory. Formal Asp Comput 25(5):769–799
  11. DSS06.
    Dice D, Shalev O, Shavit N (2006) Transactional locking II. In: Dolev S (ed) DISC, volume 4167 of LNCS. Springer, pp 194–208
  12. DSS10.
    Dalessandro L, Spear MF, Scott ML (2010) NOrec: streamlining STM by abolishing ownership records. In: Govindarajan R, Padua DA, Hall MW (eds) PPoPP. ACM, pp 67–78
  13. DSW11.
    Derrick J, Schellhorn G, Wehrheim H (2011) Verifying linearisability with potential linearisation points. In: FM, volume 6664 of LNCS. Springer, pp 323–337
  14. EMM10.
    Emmi M, Majumdar R, Manevich R (2010) Parameterized verification of transactional memories. SIGPLAN Not 45(6):134–145
  15. EPS+14.
    Ernst G, Pfähler J, Schellhorn G, Haneberg D, Reif W (2015) KIV: overview and VerifyThis competition. Int J Softw Tools Technol Transfer 17(6):677–694. doi: 10.1007/s10009-014-0308-3
  16. GHS08.
    Guerraoui R, Henzinger TA, Singh V (2008) Completeness and nondeterminism in model checking transactional memories. In: van Breugel F, Chechik M (eds) CONCUR. Springer, pp 21–35
  17. GHS10.
    Guerraoui R, Henzinger TA, Singh V (2010) Model checking transactional memories. Distrib Comput 22(3):129–145
  18. GK08.
    Guerraoui R, Kapalka M (2008) On the correctness of transactional memory. In: Chatterjee S, Scott ML (eds) PPoPP. ACM, pp 175–184
  19. GK10.
    Guerraoui R, Kapalka M (2010) Principles of transactional memory. Synthesis lectures on distributed computing theory. Morgan & Claypool Publishers, San Rafael
  20. HLMSI03.
    Herlihy M, Luchangco V, Moir M, Scherer III WN (2003) Software transactional memory for dynamic-sized data structures. In: PODC. ACM, pp 92–101
  21. HLR10.
    Harris T, Larus JR, Rajwar R (2010) Transactional memory, 2nd edn. Synthesis lectures on computer architecture. Morgan & Claypool Publishers, San Rafael
  22. HW90.
    Herlihy M, Wing JM (1990) Linearizability: a correctness condition for concurrent objects. ACM TOPLAS 12(3):463–492
  23. IR12.
    Imbs D, Raynal M (2012) Virtual world consistency: a condition for STM systems (with a versatile protocol with invisible read operations). Theor Comput Sci 444:113–127
  24. Lam79.
    Lamport L (1979) How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans Comput 28(9):690–691
  25. Les14.
    Lesani M (2014) On the correctness of transactional memory algorithms. Ph.D. thesis, UCLA
  26. LLM12a.
    Lesani M, Luchangco V, Moir M (2012) A framework for formally verifying software transactional memory algorithms. In: Koutny M, Ulidowski I (eds) CONCUR 2012. Springer, Berlin, pp 516–530
  27. LLM12b.
    Lesani M, Luchangco V, Moir M (2012) Putting opacity in its place. In: Workshop on the theory of transactional memory
  28. LP13.
    Lesani M, Palsberg J (2013) Proving non-opacity. In: Afek Y (ed) DISC, volume 8205 of LNCS. Springer, pp 106–120
  29. LP14.
    Lesani M, Palsberg J (2014) Decomposing opacity. In: Kuhn F (ed) DISC, volume 8784 of LNCS. Springer, pp 391–405
  30. LT87.
    Lynch NA, Tuttle MR (1987) Hierarchical correctness proofs for distributed algorithms. In: PODC, New York, NY, USA. ACM, pp 137–151
  31. LV95.
    Lynch N, Vaandrager F (1995) Forward and backward simulations. Inf Comput 121(2):214–233
  32. LZCF10.
    Li Y, Zhang Y, Chen Y-Y, Fu M (2010) Formal reasoning about lazy-STM programs. J Comput Sci Technol 25(4):841–852
  33. Mül98.
    Müller O (1998) I/O automata and beyond: temporal logic and abstraction in Isabelle. In: Grundy J, Newey M (eds) TPHOLs. Springer, Berlin, pp 331–348
  34. NPW02.
    Nipkow T, Paulson LC, Wenzel M (2002) Isabelle/HOL: a proof assistant for higher-order logic, volume 2283 of LNCS. Springer
  35. ORS92.
    Owre S, Rushby JM, Shankar N (1992) PVS: a prototype verification system. In: Kapur D (ed) Automated deduction: CADE-11, 11th international conference on automated deduction, Saratoga Springs, NY, USA, June 15–18, 1992, proceedings, volume 607 of LNCS. Springer, pp 748–752
  36. Pap79.
    Papadimitriou CH (1979) The serializability of concurrent database updates. J ACM 26(4):631–653
  37. SDW14.
    Schellhorn G, Derrick J, Wehrheim H (2014) A sound and complete proof technique for linearizability of concurrent data structures. ACM Trans Comput Log 15(4):31:1–31:37
  38. SMvP08.
    Spear MF, Michael MM, von Praun C (2008) RingSTM: scalable transactions with a single atomic instruction. In: Proceedings of the twentieth annual symposium on parallelism in algorithms and architectures. ACM, pp 275–284
  39. TML16.
    Verification of opacity of a Transactional Mutex Lock with KIV and Isabelle, 2016.
  40. Vaf07.
    Vafeiadis V (2007) Modular fine-grained concurrency verification. Ph.D. thesis, University of Cambridge
  41. Wen02.
    Wenzel M (2002) Isabelle/Isar: a versatile environment for human-readable formal proof documents. Ph.D. thesis, Institut für Informatik, Technische Universität München

Copyright information

© The Author(s) 2017

Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors and Affiliations

  1. Department of Computing, University of Sheffield, Sheffield, UK
  2. Department of Computer Science, Brunel University, London, UK
  3. Institut für Informatik, Universität Augsburg, Augsburg, Germany
  4. Institut für Informatik, Universität Paderborn, Paderborn, Germany
