Distributed Computing, Volume 22, Issue 3, pp 129–145

Model checking transactional memories

  • Rachid Guerraoui
  • Thomas A. Henzinger
  • Vasu Singh


Model checking transactional memories (TMs) is difficult because of the unbounded number, length, and delay of concurrent transactions, as well as the unbounded size of the memory. We show that, under certain conditions satisfied by most TMs we know of, the model checking problem can be reduced to a finite-state problem, and we illustrate the use of the method by proving the correctness of several TMs, including two-phase locking, DSTM, and TL2. The safety properties we consider include strict serializability and opacity; the liveness properties include obstruction freedom, livelock freedom, and wait freedom. Our main contribution lies in the structure of the proofs, which are largely automated and not restricted to the TMs mentioned above. In a first step we show that every TM that enjoys certain structural properties either violates a requirement on some program with two threads and two shared variables, or satisfies the requirement on all programs. In the second step, we use a model checker to prove the requirement for the TM applied to a most general program with two threads and two variables. In the safety case, the model checker checks language inclusion between two finite-state transition systems, a nondeterministic transition system representing the given TM applied to a most general program, and a deterministic transition system representing a most liberal safe TM applied to the same program. The given TM transition system is nondeterministic because a TM can be used with different contention managers, which resolve conflicts differently. In the liveness case, the model checker analyzes fairness conditions on the given TM transition system.


Keywords: Transactional memories, Model checking





Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  • Rachid Guerraoui (1)
  • Thomas A. Henzinger (2)
  • Vasu Singh (2)

  1. LPD, I&C, EPFL, Lausanne, Switzerland
  2. MTC, I&C, EPFL, Lausanne, Switzerland
