On Parallel Snapshot Isolation and Release/Acquire Consistency

Parallel snapshot isolation (PSI) is a standard transactional consistency model used in databases and distributed systems. We argue that PSI is also a useful formal model for software transactional memory (STM) as it has certain advantages over other consistency models. However, the formal PSI definition is given declaratively by acyclicity axioms, which most programmers find hard to understand and reason about. To address this, we develop a simple lock-based reference implementation for PSI built on top of the release-acquire memory model, a well-behaved subset of the C/C++11 memory model. We prove that our implementation is sound and complete against its higher-level declarative specification. We further consider an extension of PSI allowing transactional and nontransactional code to interact, and provide a sound and complete reference implementation for the more general setting. Supporting this interaction is necessary for adopting a transactional model in programming languages.


Introduction
Following the widespread use of transactions in databases, software transactional memory (STM) [19,35] has been proposed as a programming language abstraction that can radically simplify the task of writing correct and efficient concurrent programs. It provides the illusion of blocks of code, called transactions, executing atomically and in isolation from any other such concurrent blocks.
In theory, STM is great for programmers as it allows them to concentrate on the high-level algorithmic steps of solving a problem and relieves them of such concerns as the low-level details of enforcing mutual exclusion. In practice, however, the situation is far from ideal as the semantics of transactions in the context of non-transactional code is not at all settled. Recent years have seen a plethora of different STM implementations [1,2, 3,6,17,20], each providing a slightly different-and often unspecified-semantics to the programmer.
Simple models in the literature are lock-based, such as global lock atomicity (GLA) [28] (where a transaction must acquire a global lock prior to execution and release it afterwards) and disjoint lock atomicity (DLA) [28] (where a transaction must acquire all locks associated with the locations it accesses prior to execution and release them afterwards), which provide serialisable transactions. That is, all transactions appear to have executed atomically one after another in some total order. The problem with these models is largely their implementation cost, as they impose too much synchronisation between transactions.
The database community has long recognised this performance problem and has developed weaker transactional models that do not guarantee serialisability. The most widely used such model is snapshot isolation (SI) [10], implemented by major databases, both centralised (e.g. Oracle and MS SQL Server) and distributed [16,30,33], as well as in STM [1, 11,25,26]. In this article, we focus on a closely related model, parallel snapshot isolation (PSI) [36], which is known to provide better scalability and availability in large-scale geo-replicated systems. SI and PSI allow conflicting transactions to execute concurrently and to commit successfully, so long as they do not have a write-write conflict. This in effect allows reads of SI/PSI transactions to read from an earlier memory snapshot than the one affected by their writes, and permits outcomes such as the following: Initially, x = y = 0 The above is also known as the write skew anomaly in the database literature [14]. Such outcomes are analogous to those allowed by weak memory models, such as x86-TSO [29,34] and C11 [9], for non-transactional programs. In this article, we consider-to the best of our knowledge for the first time-PSI as a possible model for STM, especially in the context of a concurrent language such as C/C++ with a weak memory model. In such contexts, programmers are already familiar with weak behaviours such as that exhibited by SB+txs above.
A key reason why PSI is more suitable for a programming language than SI (or other stronger models) is performance. This is analogous to why C/C++ adopted non-multi-copy-atomicity (allowing two different threads to observe a write by a third thread at different times) as part of their concurrency model. Consider the following "IRIW" (independent reads of independent writes) litmus test: Initially, x = y = 0 In the annotated behaviour, transactions T2 and T3 disagree on the relative order of transactions T1 and T4. Under PSI, this behaviour (called the long fork anomaly) is allowed, as T1 and T4 are not ordered-they commit in parallel-but it is disallowed under SI. This intuitively means that SI must impose ordering guarantees even on transactions that do not access a common location, and can be rather costly in the context of a weakly consistent system.
A second reason why PSI is much more suitable than SI is that it has better properties. A key intuitive property a programmer might expect of transactions is monotonicity. Suppose, in the (SB+txs) program we split the two transactions into four smaller ones as follows: Initially, x = y = 0 T1: x := 1; T3: a := y; / /reads 0 T2: y := 1; One might expect that if the annotated behaviour is allowed in (SB+txs), it should also be allowed in (SB+txs+chop). This indeed is the case for PSI, but not for SI! In fact, in the extreme case where every transaction contains a single access, SI provides serialisability. Nevertheless, PSI currently has two significant drawbacks, preventing its widespread adoption. We aim to address these here.
The first PSI drawback is that its formal semantics can be rather daunting for the uninitiated as it is defined declaratively in terms of acyclicity constraints. What is missing is perhaps a simple lock-based reference implementation of PSI, similar to the lock-based implementations of GLA and DLA, that the programmers can readily understand and reason about. As an added benefit, such an implementation can be viewed as an operational model, forming the basis for developing program logics for reasoning about PSI programs.
Although Cerone et al. [15] proved their declarative PSI specification equivalent to an implementation strategy of PSI in a distributed system with replicated storage over causal consistency, their implementation is not suitable for reasoning about shared-memory programs. In particular, it cannot help the programmers determine how transactional and non-transactional accesses may interact.
As our first contribution, in §4 we address this PSI drawback by providing a simple lock-based reference implementation that we prove equivalent to its declarative specification. Typically, one proves that an implementation is sound with respect to a declarative specification-i.e. every behaviour observable in the implementation is accounted for in the declarative specification. Here, we also want the other direction, known as completeness, namely that every behaviour allowed by the specification is actually possible in the implementation. Having a (simple) complete implementation is very useful for programmers, as it may be easier to understand and experiment with than the declarative specification.
Our reference implementation is built in the release-acquire fragment of the C/C++ memory model [8,9,21], using sequence locks [13,18,23,32] to achieve the correct transactional semantics.
The second PSI drawback is that its study so far has not accounted for the subtle effects of non-transactional accesses and how they interact with transactional accesses. While this scenario does not arise in 'closed world' systems such as databases, it is crucially important in languages such as C/C++ and Java, where one cannot afford the implementation cost of making every access transactional so that it is "strongly isolated" from other concurrent transactions.
Therefore, as our second contribution, in §5 we extend our basic reference implementation to make it robust under uninstrumented non-transactional accesses, and characterise declaratively the semantics we obtain. We call this extended model RPSI (for "robust PSI") and show that it gives reasonable semantics even under scenarios where transactional and non-transactional accesses are mixed.
Outline The remainder of this article is organised as follows. In §2 we present an overview of our contributions and the necessary background information. In §3 we provide the formal model of the C11 release/acquire fragment and describe how we extend it to specify the behaviour of STM programs. In §4 we present our PSI reference implementation (without non-transactional accesses), demonstrating its soundness and completeness against the declarative PSI specification. In §5 we formulate a declarative specification for RPSI as an extension of PSI accounting for non-transactional accesses. We then present our RPSI reference implementation, demonstrating its soundness and completeness against our proposed declarative specification. We conclude and discuss future work in §6.

Background and Main Ideas
One of the main differences between the specification of database transactions and those of STM is that STM specifications must additionally account for the interactions between mixed-mode (both transactional and non-transactional) accesses to the same locations. To characterise such interactions, Blundell et al. [12,27] proposed the notions of weak and strong atomicity, often referred to as weak and strong isolation. Weak isolation guarantees isolation only amongst transactions: the intermediate state of a transaction cannot affect or be affected by other transactions, but no such isolation is guaranteed with respect to nontransactional code (e.g. the accesses of a transaction may be interleaved by those of non-transactional code.). By contrast, strong isolation additionally guarantees full isolation from non-transactional code. Informally, each non-transactional access is considered as a transaction with a single access. In what follows, we explore the design choices for implementing STMs under each isolation model ( §2.1), provide an intuitive account of the PSI model ( §2.2), and describe the key requirements for implementing PSI and how we meet them ( §2.3).

Implementing Software Transactional Memory
Implementing STMs under either strong or weak isolation models comes with a number of challenges. Implementing strongly isolated STMs requires a conflict detection/avoidance mechanism between transactional and non-transactional code. That is, unless non-transactional accesses are instrumented to adhere to the same access policies, conflicts involving non-transactional code cannot be detected. For instance, in order to guarantee strong isolation under the GLA model [28] discussed earlier, non-transactional code must be modified to acquire the global lock prior to each shared access and release it afterwards.
Implementing weakly-isolated STMs requires a careful handling of aborting transactions as their intermediate state may be observed by non-transactional code. Ideally, the STM implementation must ensure that the intermediate state of aborting transactions is not leaked to non-transactional code. A transaction may abort either because it failed to commit (e.g. due to a conflict), or because it encountered an explicit abort instruction in the transactional code. In the former case, leaks to non-transactional code can be avoided by pessimistic concurrency control (e.g. locks), pre-empting conflicts. In the latter case, leaks can be prevented either by lazy version management (where transactional updates are stored locally and propagated to memory only upon committing), or by disallowing explicit abort instructions altogether -an approach taken by the (weakly isolated) relaxed transactions of the C++ memory model [6].
As mentioned earlier, our aim in this work is to build an STM with PSI guarantees in the RA fragment of C11. As such, instrumenting non-transactional accesses is not feasible and thus our STM guarantees weak isolation. For simplicity, throughout our development we make a few simplifying assumptions: i) transactions are not nested; ii) the transactional code is without explicit abort instructions (as with the weakly-isolated transactions of C++ [6]); and iii) the locations accessed by a transaction can be statically determined. For the latter, of course, a static over-approximation of the locations accessed suffices for the soundness of our implementations.

Parallel Snapshot Isolation (PSI)
The initial model of PSI introduced in [36] is described informally in terms of a multi-version concurrent algorithm as follows. A transaction T at a replica r proceeds by taking an initial snapshot S of the shared objects in r. The execution of T is then carried out locally: read operations query S and write operations similarly update S. Once the execution of T is completed, it attempts to commit its changes to r and it succeeds only if it is not write-conflicted. Transaction T is write-conflicted if another committed transaction T has written to a location in r also written to by T, since it recorded its snapshot S. If T fails the conflict check it aborts and may restart the transaction; otherwise, it commits its changes to r, at which point its changes become visible to all other transactions that take a snapshot of replica r thereafter. These committed changes are later propagated to other replicas asynchronously.
The main difference between SI and PSI is in the way the committed changes at a replica r are propagated to other sites in the system. Under the SI model, committed transactions are globally ordered and the changes at each replica are propagated to others in this global order. This ensures that all concurrent transactions are observed in the same order by all replicas. By contrast, PSI does not enforce a global order on committed transactions: transactional effects are propagated between replicas in causal order. This ensures that, if replica r 1 commits a message m which is later read at replica r 2 , and r 2 posts a response m , no replica can see m without having seen the original message m. However, causal propagation allows two replicas to observe concurrent events as if occurring in different orders: if r 1 and r 2 concurrently commit messages m and m , then replica r 3 may initially see m but not m , and r 4 may see m but not m. This is best illustrated by the (IRIW+txs) example in §1.

Towards a Lock-Based Reference Implementation for PSI
While the description of PSI above is suitable for understanding PSI, it is not very useful for integrating the PSI model in languages such as C, C++ or Java. From a programmer's perspective, in such languages the various threads directly access the shared memory; they do not access their own replicas, which are loosely related to the replicas of other threads. What we would therefore like is an equivalent description of PSI in terms of unreplicated accesses to shared memory and a synchronisation mechanism such as locks.
In effect, we want a definition similar in spirit to global lock atomicity (GLA) [28], which is arguably the simplest TM model, and models committed transactions as acquiring a global mutual exclusion lock, then accessing and updating the data in place, and finally releasing the global lock. Naturally, however, the implementation of PSI cannot be that simple.
A first observation is that PSI cannot be simply implemented over sequentially consistent (SC) shared memory. 3 To see this, consider the IRIW+txs program from the introduction. Although PSI allows the annotated behaviour, SC forbids it for the corresponding program without transactions. The point is that under SC, either the x := 1 or the y := 1 write first reaches memory. Suppose, without loss of generality, that x := 1 is written to memory before y := 1. Then, the possible atomic snapshots of memory are x = y = 0, x = 1 ∧ y = 0, and x = y = 1. In particular, the snapshot read by T3 is impossible.
To implement PSI we therefore resort to a weaker memory model. Among weak memory models, the "multi-copy-atomic" ones, such as x86-TSO [29,34], SPARC PSO [37,38] and ARMv8-Flat [31], also forbid the weak outcome of (IRIW+txs) in the same way as SC, and so are unsuitable for our purpose. We thus consider release-acquire consistency (RA) [8,9,21], a simple and well-behaved non-multi-copy-atomic model. It is readily available as a subset of the C/C++11 memory model [9] with verified compilation schemes to all major architectures.
RA provides a crucial property that is relied upon in the earlier description of PSI, namely causality. In terms of RA, this means that if thread A observes a write w of thread B, then it also observes all the previous writes of thread B as well as any other writes B observed before performing w.
A second observation is that using a single lock to enforce mutual exclusion does not work as we need to allow transactions that access disjoint sets of locations to complete in parallel. An obvious solution is to use multiple locksone per location-as in the disjoint lock atomicity (DLA) model [28]. The question remaining is how to implement taking a snapshot at the beginning of a transaction.
A naive attempt is to use reader/writer locks, which allow multiple readers (taking the snapshots) to run in parallel, as long as no writer has acquired the lock. In more detail, the idea is to acquire reader locks for all locations read by a transaction, read the locations and store their values locally, and then release the reader locks. However, as we describe shortly, this approach does not work.
Consider the (IRIW+txs) example in §1. For T2 to get the annotated outcome, it must release its reader lock for y before T4 acquires it. Likewise, since T3 observes y = 1, it must acquire its reader lock for y after T4 releases it. By this point, however, it is transitively after the release of the y lock by T2, and so, because of causality, it must have observed all the writes observed by T2 by that point-namely, the x := 1 write. In essence, the problem is that reader-writer locks over-synchronise. When two threads acquire the same reader lock, they synchronise, whereas two read-only transactions should never synchronise in PSI.
To resolve this problem, we use sequence locks [13,18,23,32]. Under the sequence locking protocol, each location x is associated with a sequence (version) number vx, initialised to zero. Each write to x increments vx before and after its update, provided that vx is even upon the first increment. Each read from x checks vx before and after reading x. If both values are the same and even, then there cannot have been any concurrent increments, and the reader must have seen a consistent value. That is, read(x) do{v:=vx; s:=x} while(is-odd(v) || vx!=v). Under SC, sequence locks are equivalent to reader-writer locks; however, under RA, they are weaker exactly because readers do not synchronise.
Handling Non-transactional Accesses Let us consider what happens if some of the data accessed by a transaction is modified concurrently by an atomic non-transactional write. Since non-transactional accesses do not acquire any locks, the snapshots taken can include values written by non-transactional accesses. The result of the snapshot then depends on the order in which the variables are read. Consider for example the following litmus test: x := 1; y := 1; T: a := y; / /reads 1 b := x; / /reads 0 In our implementation, if the transaction's snapshot reads y before x, then the annotated weak behaviour is not possible, because the underlying model (RA) disallows the weak "message passing" behaviour. If, however, x is read before y by the snapshot, then the weak behaviour is possible. In essence, this means that the PSI implementation described so far is of little use, when there are races between transactional and non-transactional code.
Another problem is the lack of monotonicity. A programmer might expect that wrapping some code in a transaction block will never yield additional behaviours not possible in the program without transactions. Yet, in this example, removing the T block and unwrapping its code gets rid of the annotated weak behaviour! To get monotonicity, it seems that snapshots must read the variables in the same order they are accessed by the transactions. How can this be achieved for transactions that say read x, then y, and then x again? Or transactions that depending on some complex condition, access first x and then y or vice versa? The key to solving this conundrum is surprisingly simple: read each variable twice. In more detail, one takes two snapshots of the locations read by the transaction, and checks that both snapshots return the same values for each location. This ensures that every location is read both before and after every other location in the transaction, and hence all the high-level happens-before orderings in executions of the transactional program are also respected by its implementation.
There is however one caveat: since equality of values is used to determine whether the two snapshots are the same, we will miss cases where different nontransactional writes to a variable write the same value. In our formal development (see §5), we thus assume that if multiple non-transactional writes write the same value to the same location, they cannot race with the same transaction. This assumption is necessary for the soundness of our implementation and cannot be lifted without instrumenting non-transactional accesses.

The Release-Acquire Memory Model for STM
We present the notational conventions used in the remainder of this article and proceed with the declarative model of the release-acquire (RA) fragment [21] of the C11 memory model [9], in which we implement our STM. In §3.1 we describe how we extend this formal model to specify the behaviour of STM programs.
Notation Given a relation r on a set A, we write r ? , r + and r * for the reflexive, transitive and reflexive-transitive closure of r, respectively. We write r −1 for the inverse of r; r| A for r ∩ A 2 ; [A] for the identity relation on A, i.e. (a, a) a ∈ A ; irreflexive(r) for ¬∃a. (a, a) ∈ r; and acyclic(r) for irreflexive(r + ). Given two relations r 1 and r 2 , we write r 1 ; r 2 for their (left) relational composition, Lastly, when r is a strict partial order, we write r| imm for the immediate edges in r: The RA model is given by the fragment of the C11 memory model, where all read accesses are acquire (acq) reads, all writes are release (rel) writes, and all atomic updates (i.e. RMWs) are acquire-release (acqrel) updates. The semantics of a program under RA is defined as a set of consistent executions.
Definition 1 (Executions in RA). Assume a finite set of locations Loc; a finite set of values Val; and a finite set of thread identifiers TId. Let x, y, z range over locations, v over values and τ over thread identifiers. An RA execution graph of an STM implementation, G, is a tuple of the form (E , po, rf, mo) with its nodes given by E and its edges given by the po, rf and mo relations such that: • E ⊂ N is a finite set of events, and is accompanied with the functions tid(.) : E → TId and lab(.) : E → Label, returning the thread identifier and the label of an event, respectively. We typically use a, b, and e to range over events. The label of an event is a tuple of one of the following three for update events. The lab(.) function induces the functions typ(.), loc(.), val r (.) and val w (.) that respectively project the type (R, W or U), location, and read/written values of an event, where applicable. The set of read events is denoted by R e ∈ E typ(e) ∈ {R, U} ; similarly, the set of write events is denoted by W e ∈ E typ(e) ∈ {W, U} and the set of update events is denoted by U R ∩ W.
We further assume that E always contains a set E 0 of initialisation events consisting of a write event with label W(x, 0) for every x ∈ Loc.
• po ⊆ E × E denotes the 'program-order' relation, defined as a disjoint union of strict total orders, each orders the events of one thread, together with E 0 × (E \ E 0 ) that places the initialisation events before any other event. • rf ⊆ W × R denotes the 'reads-from' relation, defined as a relation between write and read events of the same location and value; it is total and functional on reads, i.e. every read event is related to exactly one write event; • mo ⊆ W × W denotes the 'modification-order' relation, defined as a disjoint union of strict orders, each of which totally orders the write events to one location.
We often use "G." as a prefix to project the various components of G (e.g. G.E ).
Analogously, given a set A ⊆ E , we write A x for A∩ a loc(a) = x . Lastly, given the rf and mo relations, we define the 'reads-before' relation rb rf Executions of a given program represent traces of shared memory accesses generated by the program. We only consider "partitioned" programs of the form τ ∈TId c τ , where denotes parallel composition, and each c i is a sequential program. The set of executions associated with a given program is then defined by induction over the structure of sequential programs. We do not define this construction formally as it depends on the syntax of the implementation programming language. Each execution of a program P has a particular program outcome, prescribing the final values of local variables in each thread (see example in Fig. 1).
In this initial stage, the execution outcomes are unrestricted in that there are no constraints on the rf and mo relations. These restrictions and thus the permitted outcomes of a program are determined by the set of consistent executions: Among all executions of a given program P , only the RA-consistent ones define the allowed outcomes of P .

Software Transactional Memory in RA: Specification
Our goal in this section is to develop a declarative framework that allows us to specify the behaviour of mixed-mode STM programs under weak isolation guar-antees. Whilst the behaviour of transactional code is dictated by the particular isolation model considered (e.g. PSI), the behaviour of non-transactional code and its interaction with transactions is guided by the underlying memory model. As we build our STM in the RA fragment of C11, we assume the behaviour of non-transactional code to conform to the RA memory model. More concretely, we build our specification of a program P such that i) in the absence of transactional code, the behaviour of P is as defined by the RA model; ii) in the absence of non-transactional code, the behaviour of P is as defined by the PSI model.

Definition 3 (Specification executions). Assume a finite set of transaction identifiers
TXId. An execution graph of an STM specification, Γ , is a tuple of the form (E , po, rf, mo, T ) where: • E R ∪ W ∪ B ∪ E, denotes the set of events with R and W defined as the sets of read and write events as described above; and the B and E respectively denote the set of events marking the beginning and end of transactions. For each event a ∈ B ∪ E, the lab(.) function is extended to return B when a ∈ B, and E when a ∈ E. The typ(.) function is accordingly extended to return a type in R, W, U, B, E , whilst the remaining functions are extended to return default (dummy) values for events in B ∪ E. • po, rf and mo denote the 'program-order', 'reads-from' and 'modificationorder' relations as described above; • T ⊆ E denotes the set of transactional events with B ∪ E ⊆ T . For transactional events in T , event labels are extended to carry an additional component, namely the associated transaction identifier. As such, a specification graph is additionally accompanied with the function tx(.) : T → TXId, returning the transaction identifier of transactional events. The derived 'same-transaction' relation, st ∈ T × T , is the equivalence relation given by We write T /st for the set of equivalence classes of T induced by st; [a] st for the equivalence class that contains a; and T ξ for the equivalence class of transaction ξ ∈ TXId: T ξ a tx(a)=ξ . We write N T for non-transactional events: N T E \ T . We often use "Γ." as a prefix to project the Γ components.
Specification consistency The consistency of specification graphs is modelspecific in that it is dictated by the guarantees provided by the underlying model. In the upcoming sections, we present two consistency definitions of PSI in terms of our specification graphs that lack cycles of certain shapes. In doing so, we often write r T for lifting a relation r ⊆ E × E to transaction classes: Analogously, we write r I to restrict r to the internal events of a transaction: r ∩ st.
Comparison to dependency graphs Adya et al. proposed dependency graphs for declarative specification of transactional consistency models [5,7]. Dependency graphs are similar to our specification graphs in that they are constructed from a set of nodes and a set of edges (relations) capturing certain dependencies. However, unlike our specification graphs, the nodes in dependency graphs denote entire transactions and not individual events. In particular, Adya et al. propose three types of dependency edges: i) a read dependency edge, T 1 WR → T 2 , denotes that transaction T 2 reads a value written by T 1 ; ii) a write dependency edge T 1 WW → T 2 denotes that T 2 overwrites a value written by T 1 ; and iii) an antidependency edge T 1 RW → T 2 denotes that T 2 overwrites a value read by T 1 . Adya's formalism does not allow for non-transactional accesses and it thus suffices to define the dependencies of an execution as edges between transactional classes. In our specification graphs however, we account for both transactional and non-transactional accesses and thus define our relational dependencies between individual events of an execution. However, when we need to relate an entire transaction to another with relation r, we use the transactional lift (r T ) defined above. In particular, Adya's dependency edges correspond to ours as follows. Informally, the WR corresponds to our rf T ; the WW corresponds to our mo T ; and the RW corresponds to our rb T . Adya's dependency graphs have been used to develop declarative specifications of the PSI consistency model [14]. In §4, we revisit this model, redefine it as specification graphs in our setting, and develop a reference lock-based implementation that is sound and complete with respect to this abstract specification. The model in [14] does not account for non-transactional accesses. To remedy this, later in §5, we develop a declarative specification of PSI that allows for both transactional and non-transactional accesses. We then develop a reference lock-based implementation that is sound and complete with respect to our proposed model.

Parallel Snapshot Isolation (PSI)
We present a declarative specification of PSI ( §4.1), and develop a lock-based reference implementation of PSI in the RA fragment ( §4.2). We then demonstrate that our implementation is both sound ( §4.3) and complete ( §4.4) with respect to the PSI specification. Note that the PSI model in this section accounts for transactional code only; that is, throughout this section we assume that Γ.E = Γ.T . We lift this assumption later in §5.

A Declarative Specification of PSI STMs in RA
In order to formally characterise the weak behaviour and anomalies admitted by PSI, Cerone and Gotsman [14,15] formulated a declarative PSI specification. (In fact, they provide two equivalent specifications: one using dependency graphs proposed by Adya et al. [5,7]; and the other using abstract executions.) As is standard, they characterise the set of executions admitted under PSI as graphs that lack certain cycles. We present an equivalent declarative formulation of PSI, adapted to use our notation as discussed in §3. It is straightforward to verify that our definition coincides with the dependency graph specification in [15]. As with [14,15], throughout this section, we take PSI execution graphs to be those in which E = T ⊆ (R ∪ W) \ U. That is, the PSI model handles transactional code only, consisting solely of read and write events (excluding updates).
PSI consistency A PSI execution graph Γ =(E , po, rf, mo, T ) is consistent, written psi-consistent(Γ ), if the following hold: Informally, int ensures the consistency of each transaction internally, while ext provides the synchronisation guarantees among transactions. In particular, we note that the two conditions together ensure that if two read events in the same transaction read from the same location x, and no write to x is po-between them, then they must read from the same write (known as 'internal read consistency').
Next, we provide an alternative formulation of PSI-consistency that is closer in form to RA-consistency. This formulation is the basis of our extension in §5 with non-transactional accesses.
Proof. The full proof is provided in the technical appendix [4].
Note that this acyclicity condition is rather close to that of RA-consistency definition presented in §3, with the sole difference being the definition of 'happensbefore' relation by replacing hb with psi-hb. The relation psi-hb is a strict extension of hb with rf T ∪ mo T , which captures additional synchronisation guarantees resulting from transaction orderings, as described shortly. As in RA-consistency, the po and rf are included in the 'PSI-happens-before' relation psi-hb. Additionally, the rf T and mo T also contribute to psi-hb.
Intuitively, the rf T corresponds to synchronisation due to causality between transactions. A transaction T 1 is causally-ordered before transaction T 2 , if T 1 writes to x and T 2 later (in 'happens-before' order) reads x. The inclusion of rf T ensures that T 2 cannot read from T 1 without observing its entire effect. This in turn ensures that transactions exhibit an atomic 'all-or-nothing' behaviour. In particular, transactions cannot mix-and-match the values they read. For instance, if T 1 writes to both x and y, transaction T 2 may not read the value of x from T 1 but read the value of y from an earlier (in 'happens-before' order) transaction T 0 .
The mo T corresponds to synchronisation due to conflicts between transactions. Its inclusion enforces the write-conflict-freedom of PSI transactions. In other words, if two transactions T 1 and T 2 both write to the same location x via events w 1 and w 2 such that w 1 mo → w 2 , then T 1 must commit before T 2 , and thus the entire effect of T 1 must be visible to T 2 .

A Lock-Based PSI Implementation in RA
We present an operational model of PSI that is both sound and complete with respect to the declarative semantics in §4.1. To this end, in Fig. 2 we develop a pessimistic (lock-based) reference implementation of PSI using sequence locks [13,18,23,32], referred to as version locks in our implementation. In  order to avoid taking a snapshot of the entire memory and thus decrease the locking overhead, we assume that a transaction T is supplied with its read set, RS, containing those locations that are read by T. Similarly, we assume T to be supplied with its write set, WS, containing the locations updated by T. 4 The implementation of T proceeds by exclusively acquiring the version locks on all locations in its write set (line 0). It then obtains a snapshot of the locations in its read set by inspecting their version locks, as described shortly, and subsequently recording their values in a thread-local array s (lines 1-7). Once a snapshot is recorded, the execution of T proceeds locally (via T on line 8) as follows. Each read operation consults the local snapshot in s; each write operation updates the memory eagerly (in-place) and subsequently updates its local snapshot to ensure correct lookup for future reads. Once the execution of T is concluded, the version locks on the write set are released (line 9). Observe that as the writer locks are acquired pessimistically, we do not need to check for write-conflicts in the implementation.
To facilitate our locking implementation, we assume that each location x is associated with a version lock at address x+1, written vx. The value held by a version lock vx may be in one of two categories: i) an even number, denoting that the lock is free; or ii) an odd number, denoting that the lock is exclusively held by a writer. For a transaction to write to a location x in its write set WS, the x version lock (vx) must be acquired exclusively by calling lock vx. Each call to lock vx reads the value of vx and stores it in v[x], where v is a thread-local array. It then checks if the value read is even (vx is free) and if so it atomically increments it by 1 (with a 'compare-and-swap' operation), thus changing the value of vx to an odd number and acquiring it exclusively; otherwise it repeats this process until the version lock is successfully acquired. Conversely, each call to unlock vx updates the value of vx to v[x]+2, restoring the value of vx to an even number and thus releasing it. Note that deadlocks can be avoided by imposing an ordering on locks and ensuring their in-order acquisition by all transactions. For simplicity however, we have elided this step as we are not concerned with progress or performance issues here and our main objective is a reference implementation of PSI in RA.
Analogously, for a transaction to read from the locations in its read set RS, it must record a snapshot of their values (lines 1-7). To obtain a snapshot of location x, the transaction must ensure that x is not currently being written to by another transaction. It thus proceeds by reading the value of vx and recording it in v[x]. If vx is free (the value read is even) or x is in its write set WS, the value of x can be freely read and tentatively stored in s[x]. In the latter case, the transaction has already acquired the exclusive lock on vx and is thus safe in the knowledge that no other transaction is currently updating x. Once a tentative snapshot of all locations is obtained (lines 1-5), the transaction must validate it by ensuring that it reflects the values of the read set at a single point in time (lines 6-7). To do this, it revisits the version locks, inspecting whether their values have changed (by checking them against v) since it recorded its snapshot. If so, then an intermediate update has intervened, potentially invalidating the obtained snapshot; the transaction thus restarts the snapshot process. Otherwise, the snapshot is successfully validated and returned in s.

Implementation Soundness
The PSI implementation in Fig. 2 is sound : for each RA-consistent implementation graph G, a corresponding specification graph Γ can be constructed such that psi-consistent(Γ ) holds. In what follows we state our soundness theorem and briefly describe our construction of consistent specification graphs. We refer the reader to the technical appendix [4] for the full soundness proof.
Theorem 1 (Soundness). For all RA-consistent implementation graphs G of the implementation in Fig. 2, there exists a PSI-consistent specification graph Γ of the corresponding transactional program that has the same program outcome.

Constructing Consistent Specification Graphs
For each specification trace θ i we construct the 'reads-from' relation as: That is, we construct our graph such that each read event t j from location x in Ts i either i) is preceded by a write event w to x in Ts i without an intermediate write in between them and thus 'reads-from' w (lines two and three); or ii) is not preceded by a write event in Ts i and thus 'reads-from' the write event w from which the initial snapshot read r in S i obtained the value of x (last two lines).
Given a consistent implementation graph G = (E , po, rf, mo), we construct a consistent specification graph Γ = (E , po, rf, mo, T ) such that: • Γ.E i∈{1···t} θ i .E -the events of Γ.E is the union of events in each transaction trace θ i of the specification constructed as above; rf is the union of RF i relations defined above; • Γ.mo G.mo| Γ.E -the Γ.mo is that of G.mo limited to the events in Γ.E ; • Γ.T Γ.E , where for each e ∈ Γ.T , we define tx(e) = i when e ∈ θ i .

Implementation Completeness
The PSI implementation in Fig. 2 is complete: for each consistent specification graph Γ a corresponding implementation graph G can be constructed such that RA-consistent(G) holds. We next state our completeness theorem and describe our construction of consistent implementation graphs. We refer the reader to the technical appendix [4] for the full completeness proof.
Theorem 2 (Completeness). For all PSI-consistent specification graphs Γ of a transactional program, there exists an RA-consistent execution graph G of the implementation in Fig. 2 that has the same program outcome.
Constructing Consistent Implementation Graphs In order to construct an execution graph of the implementation G from the specification Γ , we follow similar steps as those in the soundness construction, in reverse order. More concretely, given each trace θ i of the specification, we construct an analogous trace of the implementation by inserting the appropriate events for acquiring and inspecting the version locks, as well as obtaining a snapshot. For each transaction class T i ∈ T /st, we must first determine its read and write sets and subsequently decide the order in which the version locks are acquired (for locations in the write set) and inspected (for locations in the read set). This then enables us to construct the 'reads-from' and 'modification-order' relations for the events associated with version locks. Given a consistent execution graph of the specification Γ = (E , po, rf, mo, T ), and a transaction class T i ∈ Γ.T /st, we write WS Ti for the set of locations written to by T i . That is, WS Ti e∈Ti∩W loc(e). Similarly, we write RS Ti for the set of locations read from by T i , prior to being written to by T i . For each location x read from by T i , we additionally record the first read event in T i that retrieved the value of x. That is, Note that transaction T i may contain several read events reading from x, prior to subsequently updating it. However, the internal-read-consistency property ensures that all such read events read from the same write event. As such, as part of the read set of T i we record the first such read event (in program-order).
Determining the ordering of lock events hinges on the following observation. Given a consistent execution graph of the specification Γ = (E , po, rf, mo, T ), let for each location x the total order mo be given as: Observe that this order can be broken into adjacent segments where the events of each segment belong to the same transaction. That is, given the transaction classes Γ.T /st, the order above is of the following form where T 1 , · · · , T m ∈ Γ.T /st and for each such T i we have x ∈ WS Ti and w (i,1) · · · w (i,ni) ∈ T i :

Tm
Were this not the case and we had w 1 mo → w mo → w 2 such that w 1 , w 2 ∈ T i and w ∈ T j = T i , we would consequently have w 1 mo T → w mo T → w 1 , contradicting the assumption that Γ is consistent. Given the above order, let us then define Γ.MO x = [T 1 · · · T m ]. We write Γ.MO x | i for the i th item of Γ .MO x . As we describe shortly, we use Γ.MO x to determine the order of lock events.
Note that the execution trace for each transaction T i ∈ Γ.T /st is of the form is a transaction-begin (B) event, E i is a transactionend (E) event, and Ts i = t 1 po → · · · po → t n for some n, where each t j is either a read or a write event. As such, we have Γ.E = Γ.
For each trace θ i of the specification, we construct a corresponding trace of our implementation θ i as follows. Let RS Ti = {(x 1 , r 1 ) · · · (x p , r p )} and WS Ti = {y 1 · · · y q }. We then construct i has the same identifier as that of B i , the last event U y q i has the same identifier as that of E i , and the identifiers of the remaining events are picked fresh: We then define the mo relation for version locks such that if transaction T i writes to y immediately after T j (i.e. T i is MO y -ordered immediately after T j ), then T i acquires the vy version lock immediately after T j has released it.
On the other hand, if T i is the first transaction to write to y, then it acquires vy immediately after the event initialising the value of vy, written init vy . Moreover, each vy release event of T i is mo-ordered immediately after the corresponding vy acquisition event in T i : This partial mo order on lock events of T i also determines the rf relation for its lock acquisition events: , with t j defined as follows: When t j is a read event, the t j has the same identifier as that of t j . When t j is a write event, the first event in t j has the same identifier as that of t j and the identifier of the second event is picked fresh.
We are now in a position to construct our implementation graph. Given a consistent execution graph Γ of the specification, we construct an execution graph G = (E , po, rf, mo) of the implementation as follows.
• G.po is defined as Γ.po extended by the po for the additional events of G, given by the θ i traces defined above.

Robust Parallel Snapshot Isolation (RPSI)
In the previous section we adapted the PSI semantics in [14] to STM settings, in the absence of non-transactional code. However, a reasonable STM should account for mixed-mode code where shared data is accessed by both transactional and non-transactional code. To remedy this, we explore the semantics of PSI STMs in the presence of non-transactional code with weak isolation guarantees (see §2.1). We refer to the weakly isolated behaviour of such PSI STMs as robust parallel snapshot isolation (RPSI), due to its ability to provide PSI guarantees between transactions even in the presence of non-transactional code.
In §5.1 we propose the first declarative specification of RPSI STM programs. Later in §5.2 we develop a lock-based reference implementation of our RPSI specification in the RA fragment. We then demonstrate that our implementation is both sound ( §5.3) and complete ( §5.4) with respect to our proposed specification.

A Declarative Specification of RPSI STMs in RA
We formulate a declarative specification of RPSI semantics by adapting the PSI semantics presented in §4.1 to account for non-transactional accesses. As with the PSI specification in §4.1, throughout this section, we take RPSI execution graphs to be those in which T ⊆ (R ∪ W) \ U. That is, RPSI transactions consist solely of read and write events (excluding updates). As before, we characterise the set of executions admitted by RPSI as graphs that lack cycles of certain shapes. More concretely, as with the PSI specification, we consider an RPSI execution graph to be consistent if acyclic(rpsi-hb loc ∪ mo ∪ rb) holds, where rpsi-hb denotes the 'RPSI-happens-before' relation, extended from that of PSI psi-hb.
Definition 4 (RPSI consistency). An RPSI execution graph Γ = (E , po, rf, mo, T ) is consistent, written rpsi-consistent(Γ ), if acyclic(rpsi-hb loc ∪ mo ∪ rb) holds, where rpsi-hb denotes the 'RPSI-happens-before' relation, defined as the smallest relation that satisfies the following conditions: The trans and psi-hb ensure that rpsi-hb is transitive and that it includes po, rf and mo T as with its PSI counterpart. The nt-rf ensures that if a value written by a non-transactional write w is observed (read from) by a read event r in a transaction T, then its effect is observed by all events in T. That is, the w happens-before all events in T and not just r. This allows us to rule out executions such as the one depicted in Fig. 3a, which we argue must be disallowed by RPSI.
Consider the execution graph of Fig. 3a, where transaction T 1 is denoted by the dashed box labelled T 1 , comprising the read events r 1 and r 2 . Note that as r 1 and r 2 are transactional reads without prior writes by the transaction, they constitute a snapshot of the memory at the time T 1 started. That is, the values read by r 1 and r 2 must reflect a valid snapshot of the memory at the time it was taken. As such, since we have (w 2 , r 2 ) ∈ rf, any event preceding w 2 by the 'happens-before' relation must also be observed by (synchronise with) T 1 . In particular, as w 1 happens-before w 2 ((w 1 , w 2 ) ∈ po), the w 1 write must also be observed by T 1 . The nt-rf thus ensures that a non-transactional write read from by a transaction (i.e. a snapshot read) synchronises with the entire transaction.
Recall from §4.1 that the PSI psi-hb relation includes rf T which has not yet been included in rpsi-hb through the first three conditions described. As we describe shortly, the t-rf is indeed a strengthening of rf T to account for the presence of non-transactional events. In particular, note that rf T is included in the left-hand side of t-rf: when rpsi-hb in ([W]; st; (rpsi-hb \ st); st; [R]) is replaced with rf ⊆ rpsi-hb, the left-hand side yields rf T . As such, in the absence of non-transactional events, the definitions of psi-hb and rpsi-hb coincide.
Recall that inclusion of rf T in psi-hb ensured transactional synchronisation due to causal ordering: if T 1 writes to x and T 2 later (in psi-hb order) reads x, then T 1 must synchronise with T 2 . This was achieved in PSI because either i) T 2 reads x directly from T 1 in which case T 1 synchronises with T 2 via rf T ; or ii) T 2 reads x from another later (mo-ordered) transactional write in T 3 , in which case T 1 synchronises with T 3 via mo T , T 3 synchronises with T 2 via rf T , and thus T 1 synchronises with T 2 via mo T ; rf T . How are we then to extend rpsi-hb to guarantee transactional synchronisation due to causal ordering in the presence of non-transactional events?
To justify t-rf, we present an execution graph that does not guarantee synchronisation between causally ordered transactions and is nonetheless deemed RPSI-consistent without the t-rf condition on rpsi-hb. We thus argue that this execution must be precluded by RPSI, justifying the need for t-rf. Consider the execution in Fig. 3b. Observe that as transaction T 1 writes to x via w 1 , transaction T 2 reads x via r 2 , and (w 1 , r 2 ) ∈ rpsi-hb (w 1 rf → r 1 po → w 3 rf → r 2 ), T 1 is causally ordered before T 2 and hence T 1 must synchronise with T 2 . As such, the r 3 in T 2 must observe w 2 in T 1 : we must have (w 2 , r 3 ) ∈ rpsi-hb, rendering the above execution RPSI-inconsistent. To enforce the rpsi-hb relation between such causally ordered transactions with intermediate non-transactional events, t-rf stipulates that if a transaction T 1 writes to a location (e.g. x via w 1 above), another transaction T 2 reads from the same location (r 2 ), and the two events are related by 'RPSI-happens-before' ((w 1 , r 2 ) ∈ rpsi-hb), then T 1 must synchronise with T 2 . That is, all events in T 1 must 'RPSI-happen-before' those in T 2 . Effectively, this allows us to transitively close the causal ordering between transactions, spanning transactional and non-transactional events in between.

A Lock-Based RPSI Implementation in RA
We present a lock-based reference implementation of RPSI in the RA fragment (Fig. 2) by using sequence locks [13,18,23,32]. Our implementation is both sound and complete with respect to our declarative RPSI specification in §5.1.
The RPSI implementation in Fig. 2 is rather similar to its PSI counterpart. The main difference between the two is in how they validate the tentative snapshot recorded in s. As before, in order to ensure that no intermediate transactional writes have intervened since s was recorded, for each location x in RS, the validation phase revisits vx, inspecting whether its value has changed from that recorded in v [x]. If this is the case, the snapshot is deemed invalid and the process is restarted. However, checking against intermediate transactional writes alone is not sufficient as it does not preclude the intervention of non-transactional writes. This is because unlike transactional writes, non-transactional writes do not update the version locks and as such their updates may go unnoticed. In order to rule out the possibility of intermediate non-transactional writes, for each location To understand this, consider the mixed-mode program on the left of Fig. 4 comprising a transaction in the left-hand thread and a non-transactional program in the right-hand thread writing the same value (1) to z twice. Note that the annotated behaviour is disallowed under RPSI: all execution graphs of the program with the annotated behaviour yield RPSI-inconsistent execution graphs. Intuitively, this is because the values read by the transaction (x : 0, y : 0, z : 1) do not constitute a valid snapshot: at no point during the execution of this program, are the values of x, y and z as annotated.
Nevertheless, it is possible to find an RA-consistent execution of the RPSI implementation in Fig. 2 that reads the annotated values as its snapshot. Consider the execution graph on the right-hand side of Fig. 4, depicting a particular execution of the RPSI implementation (Fig. 2) of the program on the left. The rx, ry and rz denote the events reading the initial snapshot of x, y and z and recording them in s (line 5), respectively. Similarly, the rx , ry and rz denote the events validating the snapshots recorded in s (line 7). As T is the only transaction in the program, the version numbers vx, vy and vz remain unchanged throughout the execution and we have thus omitted the events reading (line 2) and validating (line 7) their values from the execution graph. Note that this execution graph is RA-consistent even though we cannot find a corresponding RPSI-consistent execution with the same outcome. To ensure the soundness of our implementation, we must thus rule out such scenarios.
To do this, we assume that if multiple non-transactional writes write the same value to the same location, they cannot race with the same transaction. More concretely, we assume that every RPSI-consistent execution graph of a given program satisfies the following condition: That is, given a transactional read r from location x, and any two distinct non-transactional writes w, w of the same value to x, either i) at least one of the writes RPSI-happen-after r; or ii) they both RPSI-happen-before r.
Observe that this does not hold of the program in Fig. 2. Note that this stipulation does not prevent two transactions to write the same value to a location x. As such, in the absence of non-transactional writes, our RPSI implementation is equivalent to that of PSI in §4.2.

Implementation Soundness
The RPSI implementation in Fig. 2 is sound : for each consistent implementation graph G, a corresponding specification graph Γ can be constructed such that rpsi-consistent(Γ ) holds. In what follows we state our soundness theorem and briefly describe our construction of consistent specification graphs. We refer the reader to the technical appendix [4] for the full soundness proof.
Theorem 3 (Soundness). Let P be a program that possibly mixes transactional and non-transactional code. If every RPSI-consistent execution graph of P satisfies the condition in ( * ), then for all RA-consistent implementation graphs G of the implementation in Fig. 2, there exists an RPSI-consistent specification graph Γ of the corresponding transactional program with the same program outcome.

Constructing Consistent Specification Graphs
Constructing an RPSIconsistent specification graph from the implementation graph is similar to the corresponding PSI construction described in §4.3. More concretely, the events associated with non-transactional events remain unchanged and are simply added to the specification graph. On the other hand, the events associated with transactional events are adapted in a similar way to those of PSI in §4.3. In particular, observe that given an execution of the RPSI implementation with t transactions, as with the PSI implementation, the trace of each transaction i ∈ {1 · · · t} is of the form θ i = Ls i po → FS i po → S i po → Ts i po → Us i , with Ls i , FS i , S i , Ts i and Us i denoting analogous sequences of events to those of PSI. The difference between an RPSI trace θ i and a PSI one is in the FS i and S i sequences, obtaining the snapshot. In particular, the validation phases of FS i and S i in RPSI include an additional read for each location to rule out intermediate non-transactional writes. As in the PSI construction, for each transactional trace θ i of our implementation, we construct a corresponding trace of the specification Given a consistent RPSI implementation graph G = (E , po, rf, mo), let G.N T G.E \ i∈{1···t} θ.E denote the non-transactional events of G. We construct a consistent RPSI specification graph Γ = (E , po, rf, mo, T ) such that: • Γ.E G.N T ∪ i∈{1···t} θ i .E -the Γ.E events comprise the non-transactional events in G and the events in each transactional trace θ i of the specification; • Γ.po G.po| Γ.E -the Γ.po is that of G.po restricted to the events in Γ.E ; rf is the union of RF i relations for transactional reads as defined in §4.3, together with the G.rf relation for non-transactional reads; • Γ.mo G.mo| Γ.E -the Γ.mo is that of G.mo restricted to the events in Γ.E ; • Γ.T i∈{1···t} θ i .E , where for each e ∈ θ i .E , we define tx(e) = i. We refer the reader to the technical appendix [4] for the full proof demonstrating that the above construction of Γ yields a consistent specification graph.

Implementation Completeness
The RPSI implementation in Fig. 2 is complete: for each consistent specification graph Γ a corresponding implementation graph G can be constructed such that RA-consistent(G) holds. We next state our completeness theorem and describe our construction of consistent implementation graphs. We refer the reader to the technical appendix [4] for the full completeness proof.

Theorem 4 (Completeness)
. For all RPSI-consistent specification graphs Γ of a program, there exists an RA-consistent execution graph G of the implementation in Fig. 2 that has the same program outcome.
Constructing Consistent Implementation Graphs In order to construct an execution graph of the implementation G from the specification Γ , we follow similar steps as those in the corresponding PSI construction in §4.4. More concretely, the events associated with non-transactional events are unchanged and simply added to the implementation graph. For transactional events, given each trace θ i of a transaction in the specification, as before we construct an analogous trace of the implementation by inserting the appropriate events for acquiring and inspecting the version locks, as well as obtaining a snapshot. For each transaction class T i ∈ T /st, we first determine its read and write sets as before and subsequently decide the order in which the version locks are acquired and inspected. This then enables us to construct the 'reads-from' and 'modification-order' relations for the events associated with version locks.
Given a consistent execution graph of the specification Γ = (E , po, rf, mo, T ), and a transaction class T i ∈ Γ.T /st, we define WS Ti and RS Ti as described in §4.4. Determining the ordering of lock events hinges on a similar observation as that in the PSI construction. Given a consistent execution graph of the specification Γ = (E , po, rf, mo, T ), let for each location x the total order mo be given as: w 1 mo|imm → · · · mo|imm → w nx . This order can be broken into adjacent segments where the events of each segment are either non-transactional writes or belong to the same transaction. That is, given the transaction classes Γ.T /st, the order above is of the following form where T 1 , · · · , T m ∈ Γ.T /st and for each such T i we have x ∈ WS Ti and w (i,1) · · · w (i,ni) ∈ T i : w (1,1) mo|imm → · · · mo|imm → w (1,n1) Γ.N T ∪T1 mo|imm → · · · mo|imm → w (m,1) mo|imm → · · · mo|imm → w (m,nm) Γ.N T ∪Tm written by the initial write, init x , then ivr xj i and fvr xj i read the value written to vx j by the initial write to vx, init vx . Lastly, if transaction T i does not write to x j and it reads x j from a write other than init x , then ir xj i and vr xj i read from the unlock event of a transaction T j (i.e. U x j ), who has x in its write set and whose write to x, w x , maximally 'RPSI-happens-before' r. That is, for all other such writes that 'RPSI-happen-before' r, then w x 'RPSI-happens-after' them.
We are now in a position to construct our implementation graph. Given a consistent execution graph Γ of the specification, we construct an execution graph of the implementation, G = (E , po, rf, mo), such that: • G.po is defined as Γ.po extended by the po for the additional events of G, given by the θ i traces defined above; • G.rf =

Conclusions and Future Work
We studied PSI, for the first time to our knowledge, as a consistency model for STMs as it has several advantages over other consistency models, thanks to its performance and monotonic behaviour. We addressed two significant drawbacks of PSI which prevent its widespread adoption. First, the absence of a simple lockbased reference implementation to allow the programmers to readily understand and reason about PSI programs. To address this, we developed a lock-based reference implementation of PSI in the RA fragment of C11 (using sequence locks), that is both sound and complete with respect to its declarative specification. Second, the absence of a formal PSI model in the presence of mixed-mode accesses. To this end, we formulated a declarative specification of RPSI (robust PSI) accounting for both transactional and non-transactional accesses. Our RPSI specification is an extension of PSI in that in the absence of non-transactional accesses it coincides with PSI. To provide a more intuitive account of RPSI, we developed a simple lock-based RPSI reference implementation by adjusting our PSI implementation. We established the soundness and completeness of our RPSI implementation against its declarative specification. As directions of future work, we plan to build on top of the work presented here in three ways. First, we plan to explore possible lock-based reference implementations for PSI and RPSI in the context of other weak memory models, such as the full C11 memory models [9]. Second, we plan to study other weak transactional consistency models, such as SI [10], ALA (asymmetric lock atomicity), ELA (encounter-time lock atomicity) [28], and those of ANSI SQL, including RU (readuncommitted), RC (read-committed) and RR (repeatable reads), in the STM context. We aim to investigate possible lock-based reference implementations for these models that would allow the programmers to understand and reason about STM programs with such weak guarantees. Third, taking advantage of the operational models provided by our simple lock-based reference implementations (those presented in this article as well as those in future work), we plan to develop reasoning techniques that would allow us to verify properties of STM programs. This can be achieved by either extending existing program logics for weak memory, or developing new program logics for currently unsupported models. In particular, we can reason about the PSI models presented here by developing custom proof rules in the existing program logics for RA such as [22,39].