A EQUIVALENCE OF THE PTSO OPERATIONAL AND … · 2018. 7. 24. · 1569 1570 1571 1572 1573 1574...

1324

1325

1326

1327

1328

1329

1330

1331

1332

1333

1334

1335

1336

1337

1338

1339

1340

1341

1342

1343

1344

1345

1346

1347

1348

1349

1350

1351

1352

1353

1354

1355

1356

1357

1358

1359

1360

1361

1362

1363

1364

1365

1366

1367

1368

1369

1370

1371

1372

1:28 Azalea Raad and Viktor Vafeiadis

A EQUIVALENCE OF THE PTSO OPERATIONAL AND DECLARATIVE SEMANTICSA.1 Intermediate Operational Semantics

Types.

Annotated persistent memoryM 2 AM�� ,

n

f 2 L��n! W [ U 8x 2 dom(f ). loc(f (x)) = x

o

Annotated persistent sub-bu�ers(o, pb) 2 APSB�� ,

n

(o, pb) 2 O�� hPFi ⇥ L��n! S�� hW [ U i 8x, e . e 2 pb(x) ) loc(e) = x

o

Annotated persistent bu�ersPB 2 APB�� , S�� hAPSB��i \ �

Annotated volatile bu�ersb 2 AB�� , S�� hW i

Annotated volatile bu�er mapsB 2 ABM�� ,

n

B 2 TI��n! AB�� 8w . 8� 2 dom(B). w 2 B(� ) ) tid(w) = �

o

Annotated labelsAL�� 3 � ::= Rhr ,wi where r 2 R,w 2 W [ U , loc(r )=loc(w), val

r

(r )=valw

(w)| Uhu,wi where u 2 U ,w 2 W [ U , loc(u)=loc(w), val

r

(u)=valw

(w)| Whwi wherew 2 W| Fhf i where f 2 F| PFhpf i where pf 2 PF| PShpsi where ps 2 PS| Bhwi where w 2 W| PBhei where e 2 W [ U [ PF| Eh� i where � 2 TI�

� 2 P�� , S��⌦

AL�� \ �Eh� i � 2 TI� ↵

Event paths� 2 PP�� , S��

⌦

AL�� \ �

Bhei,PBhei e 2 E ↵

Propagation pathsH 2 T�� , PP�� ⇥ P�� TracesH 2 H�� , S�� hT��i Histories

LetAM�� 3 M0 s.t. 8x. M0(x) = init

x

with lab(initx

) , W(x, 0)APSB�� 3 pb0 s.t. 8x. pb0(x) = �APB�� 3 PB0 , (N��, pb0)

AB�� 3 b0 , �ABM�� 3 B0 s.t. 8� . B0(� ) = b0

Storage Subsystem

tid(w) = �M, PB,B

Whw i��! M, PB,B[� 7! w .B(� )](AM�W��)

Proceedings of the ACM on Programming Languages, Vol. 1, No. CONF, Article 1. Publication date: January 2018.

1373

1374

1375

1376

1377

1378

1379

1380

1381

1382

1383

1384

1385

1386

1387

1388

1389

1390

1391

1392

1393

1394

1395

1396

1397

1398

1399

1400

1401

1402

1403

1404

1405

1406

1407

1408

1409

1410

1411

1412

1413

1414

1415

1416

1417

1418

1419

1420

1421

Persistence Semantics for Weak Memory 1:29

B(� ) = b.w loc(w)=x PB=(N��, pb).PB00 PB0=(N��, pb[x 7! w .pb(x)]).PB00

M, PB,BBhw i��! M, PB0,B[� 7! b]

(AM�BP��)

PB=PB00.(o, pb) pb(x)=S .e PB0=PB00.(o, pb[x 7! S])M, PB,B

PBhe i��! M[x 7! e], PB0,B(AM�PBP��)

M, PB.(S��(pf ), pb0),BPBhpf i��! M, PB.(N��, pb0),B

(AM�PBP��F)

PB , �

M, PB.(N��, pb0),BE h� i��! M, PB,B

(AM�PBP��E)

tid(r ) = � loc(r ) = x B(� ) = b read(M, PB, b, x) = e

M, PB,BRhr,e i��! M, PB,B

(AM�R��)

tid(u) = � loc(u) = x B(� )=� PB=(N��, pb).PB0read(M, PB, �, x)=e

M, PB,BUhu,e i��! M, (N��, pb[x 7! u .pb(x)]).PB0,B

(AM�RMW)

tid(f ) = � B(� ) = �

M, PB,BFhf i��! M, PB,B

(AM�F��)

tid(pf ) = � B(� )=� PB = (N��, pb).PB0

M, PB,BPFhpf i��! M, (N��, pb0).(S��(pf ), pb).PB0,B

(AM�PF��)

tid(pf ) = � B(� )=�M, PB0,B

PShpsi��! M, PB0,B(AM�PS��)

whereread(., ., ., .) : AM�� ⇥ APB�� ⇥ AB�� ⇥ L�� ! W [ U

read(M, PB, b, x),8

>

>

><

>

>

>

:

e if rdb

(b, x) = e

e if rdpb

(PB, x) = e

M(x) otherwisewith

rd

b

(., .) : S�� hW [ U i ⇥ L��* E

rd

b

(�, x) undef rd

b

(e .s, x) ,(

e loc(e)=xrd

b

(s, x) otherwiserd

pb

(., .) : APB�� ⇥ L��*W [ U

rd

pb

(�, x) undef rd

pb

((o, pb).PB, x) ,(

e if rdb

(pb(x), x) = e

rd

pb

(PB, x) otherwise

Thread SubsystemThread-local steps.

c1, s��! c01, s

0

c1; c2, s��! c01; c2, s

0(AT�S��1)

skip; c, sE h� i��! c, s

(AT�S��2)

s(e) , 0

if e then c1 else c2, sE h� i��! c1, s

(AT�I�T)


1422

1423

1424

1425

1426

1427

1428

1429

1430

1431

1432

1433

1434

1435

1436

1437

1438

1439

1440

1441

1442

1443

1444

1445

1446

1447

1448

1449

1450

1451

1452

1453

1454

1455

1456

1457

1458

1459

1460

1461

1462

1463

1464

1465

1466

1467

1468

1469

1470


s(e) = 0

if e then c1 else c2, sE h� i��! c2, s

(AT�I�F)

while e do c, sE h� i��! if e then (c;while e do c) else skip, s

(AT�W��)

s0 = s[a 7! s(e)]a := e, s

E h� i��! skip, s0(AT�R��L)

r = (n,� , R(x ,�)) s0 = s[a 7! �]a := x , s

Rhr,w i��! skip, s0(AT�R��)

w = (n,� , W(x , s(e)))x := e, s

Whw i��! skip, s(AT�W��)

r = (n,� , R(x ,�)) � , s(e) s0 = s[a 7! 0]a := CAS(x , e, e 0), s Rhr,w i��! skip, s0

(AT�CAS0)

u = (n,� , U(x , s(e), s(e 0))) s0 = s[a 7! 1]a := CAS(x , e, e 0), s Uhu,w i��! skip, s0

(AT�CAS1)

u = (n,� , U(x ,�,�+s(e))) s0 = s[a 7! �]a := FAA(x , e), s Uhu,w i��! skip, s0

(AT�FAA)fence, s

Fhf i��! skip, s(AT�F��)

pfence, sPFhpf i��! skip, s

(AT�PF��)psync, s

PShpsi��! skip, s(AT�PS��)

Program Steps.

P(� ), S(� ) ��! c, s tid(�) = �P, S

��! P[� 7! c], S[� 7! s](AP�S��)

where

tid(Rhr ,wi) , tid(r )tid(Uhu,wi) , tid(u)tid(Whwi) , tid(w)tid(Fhf i) , tid(f )

tid(PFhpf i) , tid(pf )tid(PShpsi) , tid(ps)tid(Bhwi) , tid(w)tid(PBhei) , tid(e)tid(Eh� i) , �


1471

1472

1473

1474

1475

1476

1477

1478

1479

1480

1481

1482

1483

1484

1485

1486

1487

1488

1489

1490

1491

1492

1493

1494

1495

1496

1497

1498

1499

1500

1501

1502

1503

1504

1505

1506

1507

1508

1509

1510

1511

1512

1513

1514

1515

1516

1517

1518

1519


Event-Annotated Operational Semantics

P, SE h� i��! P0, S0

P, S,M, PB,B,H ,� ) P0, S0,M, PB,B,H ,� (A�S��P)

M, PB,BE h� i��! M 0, PB0,B0

P, S,M, PB,B,H ,� ) P, S,M 0, PB0,B0,H ,� (A�S��M)

M, PB,B��! M 0, PB0,B0 � 2 �

Bhei,PBhei fresh(�,� ) fresh(�,H)P, S,M, PB,B,H ,� ) P, S,M 0, PB0,B0,H , �.� (A�P��M)

P, S��! P0, S0 M, PB,B

��! M 0, PB0,B0 � , Eh�i fresh(�,� ) fresh(�,H)P, S,M, PB,B,H ,� ) P0, S0,M 0, PB0,B0,H , �.� (A�S��)

M, PB,B� 0!p M 0, PB0,B0

P, S,M, PB,B,H ,� ) recover, S0,M, PB0,B0, ((� 0,� ).H), � (A�C��)

with

(M, PB,B) �!p (M, PB,B)(M, PB,B) PBhe i��! (M 00, PB00,B00) (M 00, PB00,B00) �!p (M 0, PB0,B0)

(M, PB,B) PBhe i.�!p (M 0, PB0,B0)(M, PB,B) Bhe i��! (M 00, PB00,B00) (M 00, PB00,B00) �!p (M 0, PB0,B0)

(M, PB,B) Bhe i.�!p (M 0, PB0,B0)

and

fresh(�,� ), � < � ^ 8e,w,w 0.(�=Rhe,wi ) Rhe,w 0i < � ) ^ (�=Uhe,wi ) Uhe,w 0i < � )

fresh(�,H), 8(� 0,� ) 2 H . fresh(�,� 0.� )

De�nition A.1.

complete(� ) , 8e . Whei 2 � ) Bhei 2 �Bhei 2 � ) PBhei 2 �Uhe,�i 2 � ) PBhei 2 �PFhei 2 � ) PBhei 2 �


1520

1521

1522

1523

1524

1525

1526

1527

1528

1529

1530

1531

1532

1533

1534

1535

1536

1537

1538

1539

1540

1541

1542

1543

1544

1545

1546

1547

1548

1549

1550

1551

1552

1553

1554

1555

1556

1557

1558

1559

1560

1561

1562

1563

1564

1565

1566

1567

1568


wfp(� ,H) , 8�,�1,�2, e, r , e1, e2.nodups(� .� 0.� 00)�=�2.Rhr , ei.�1 _ �=�2.Uhr , ei.�1 ) wfrd(r , e,�1,� 0)Bhei 2 � ) Whei �� BheiPBhei 2 � )(Bhei �� PBhei _ Uhe,�i �� PBhei _ PFhei �� PBhei)

tid(e1) = tid(e2) )Bhe2i 2 � ^Whe1i �� Whe2i () Bhe1i �� Bhe2i

Whe1i �� Fhe2i ^ tid(e1) = tid(e2) ) Bhe1i �� Fhe2iWhe1i �� Uhe2, ei ^ tid(e1) = tid(e2) ) Bhe1i �� Uhe2, eiWhe1i �� PFhe2i ^ tid(e1) = tid(e2) ) Bhe1i �� PFhe2iWhe1i �� PShe2i ^ tid(e1) = tid(e2) ) Bhe1i �� PShe2iloc(e1) = loc(e2) ^ e1, e2 2 W [ U )

PBhe2i 2 � ^©

≠

≠

≠

´

Bhe1i �� Bhe2i_Bhe1i �� Uhe2,�i_Uhe1,�i �� Bhe2i_Uhe1,�i �� Uhe2,�i

™

Æ

Æ

Æ

¨

() PBhe1i �� PBhe2i

e1, e2 2 (PE ⇥ PE) \ (W [ U ⇥W [ U ) )

PBhe2i 2 � ^©

≠

≠

≠

≠

≠

´

Bhe1i �� PFhe2i_Uhe1,�i �� PFhe2i_PFhe1i �� Bhe2i_PFhe1i �� Uhe2,�i_PFhe1i �� PFhe2i

™

Æ

Æ

Æ

Æ

Æ

¨

() PBhe1i �� PBhe2i

©

≠

´

Bhe1i �� PShe2i_Uhe1,�i �� PShe2i_PFhe1i �� PShe2i

™

Æ

¨

) PBhe1i �� PShe2i

where � 0 = �n . · · · .�1 and � 00 = � 0n . · · · .� 0

1, whenH = (� 0n ,�n). · · · .(� 0

1,�1); and

nodups(� ) , 8�1,�2, �. � = �1.�.�2 ) fresh(�,�1.�2)

wfrd(r , e,� ,� 0) ,

©

≠

≠

≠

≠

≠

≠

≠

≠

≠

≠

≠

≠

≠

´

9�1,�2, �. � = �1.�.�2^ (�=Bhei _ �=Uhe,�i _ (�=Whei ^ tid(e) = tid(r )))

^©

≠

≠

≠

´

(�=Bhei _ �=Uhe,�i) )�

Bhe 0i,Uhe 0,�i 2 �1 loc(e 0)=loc(r ) = ;^

⇢

e 0 Whe 0i 2 � ^ Bhe 0i < �^ loc(e 0)=loc(r ) ^ tid(e 0)=tid(r )

�

= ;

™

Æ

Æ

Æ

¨

^ ©

≠

´

�=Whei )Bhei < �1 ^

⇢

Whe 0i 2 �1loc(e 0)=loc(r )^tid(e 0)=tid(r )

�

= ;™

Æ

¨

™

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

Æ

¨

_©

≠

≠

≠

´

9�1,�2. � 0 = �1.PBhei.�2

^8

>

><

>

>

:

Bhe 0i,Uhe 0,�i 2 � ,Whe 00i 2 � ,PBhe 0i 2 �1

loc(e 0)=loc(r )^loc(e 00)=loc(r )^tid(e 00)=tid(r )

9

>

>=

>

>

;

= ;™

Æ

Æ

Æ

¨

_ ©

≠

´

e = initloc(e) ^

8

>

><

>

>

:

Bhe 0i,Uhe 0,�i 2 � ,Whe 00i 2 � ,PBhe 0i 2 � 0


9

>

>=

>

>

;

= ;™Æ

¨


1569

1570

1571

1572

1573

1574

1575

1576

1577

1578

1579

1580

1581

1582

1583

1584

1585

1586

1587

1588

1589

1590

1591

1592

1593

1594

1595

1596

1597

1598

1599

1600

1601

1602

1603

1604

1605

1606

1607

1608

1609

1610

1611

1612

1613

1614

1615

1616

1617


De�nition A.2.

wf(M, PB,B,H ,� ) def() mem(H ,� ) = M ^ pbuff(PB0,� ) ^ bmap(B0,� )^wfp(� ,H) ^ wfh(H)

wheremem(H ,� ) = M

def() 8x 2 L��. M(x) = read(H ,� , x)

read(H , �.� , x) ,(

e 9e . � = PBhei ^ loc(e) = x

read(H ,� , x) otherwiseread((�,� ).H , �, x) , read(H ,� , x)read(�, �, x) , init

x

pbuff(PB, �) , PB

pbuff((N��, pb).PB,� .�) ,

8

>

>

>

>

>

>

>

>

>

>

>

><

>

>

>

>

>

>

>

>

>

>

>

>

:

pbuff((N��, pb[x 7! e .pb(x)]).PB,� ) if 9e, x.� 2 {Uhe,�i,Bhei}^ loc(e)=x^PBhei < �

pbuff((N��, pb0).(S��(e), pb).PB,� ) if 9e . � = PFhei^PBhei < �

pbuff((N��, pb).PB,� ) otherwise

bmap(B, �) , B

bmap(B,� .�) ,8

>

>

><

>

>

>

:

bmap(B[� 7! e .B(� )],� ) if 9e, x. � =Whei ^ tid(e)=�^Bhei < �

bmap(B,� ) otherwise

wfh(�) def() true

wfh((� 0,� ).H) def() wfp(� 0.� ,H) ^ complete(� 0.� ) ^ wfh(H)Lemma A.1. For all P,P0, S, S0, PB, PB0,B,B0,H ,H 0,� ,� 0:

• wf(M0, PB0,B0, �, �)• if P, S,M, PB,B,H ,� ) P0, S0,M 0, PB0,B0,H 0,� 0 and wf(M, PB,B,H ,� ),then wf(M 0, PB0,B0,H 0,� 0)

• if P, S0,M0, PB0,B0, �, � )⇤ skip, S,M, PB,B,H ,� , then wf(M, PB,B,H ,� )P��. The proof of the �rst part follows trivially from the de�nitions of M0, PB0, and B0. The

second part follows straightforwardly by induction on the structure of ). The last part followsfrom the previous two parts and induction on the length of )⇤. ⇤

Graph Operational SemanticsLet

� 2 GH�� , S�� hG�� ⇥ T��i Graph histories

P, SE h� i��! P0, S0

P, S, �,� ) P0, S0, �,�(G�S��P)

� 2 �

Bhei,PBhei fresh(�,� ) fresh(�, �)P, S, �,� ) P, S, �, �.�

(G�P��)


1618

1619

1620

1621

1622

1623

1624

1625

1626

1627

1628

1629

1630

1631

1632

1633

1634

1635

1636

1637

1638

1639

1640

1641

1642

1643

1644

1645

1646

1647

1648

1649

1650

1651

1652

1653

1654

1655

1656

1657

1658

1659

1660

1661

1662

1663

1664

1665

1666


P, S��! P0, S0 � , Eh�i fresh(�,� ) fresh(�, �)

P, S, �,� ) P0, S0, �, �.�(G�S��)

comp(� ,� 0) getG(�,� ,� 0)=GP, S, �,� ) recover, S0, (G, (� 0,� )).�, � (G�C��)

where

fresh(�, �) def() 8(�, (� 0,� )) 2 �. fresh(�,� 0.� )comp(., .) : P�� ⇥ PP�� ! {true, f alse}

comp(� ,� 0) def() 8e . Whei 2 � ^ Bhei < � () Bhei 2 � 0

^ ©

≠

´

(Whei 2 � ^ PBhei < � )_(Uhe,�i 2 � ^ PBhei < � )_(PFhei 2 � ^ PBhei < � )

™

Æ

¨

() PBhei 2 � 0

getG(�,� ,� 0) ,(

(E0, EP , E, po, rf, tso, nvo) if wfp(� 0.� , hist(�)) ^ complete(� 0.� )unde�ned otherwise

with

hist(�) = � hist((G,H ).�) = H .hist(�)

E0 =8

>

><

>

>

:

n

initx

x 2 L��o

if � = �n

max⇣

G .nvo|G .EP\(Ux

[W x )⌘

x 2 L��o

if � = (G,�).�0

EP = E0 [ �

e 9� 2 � . getPE(�) = e

E = E0 [ �

e 9� 2 � . getE(�) = e

rf =�(w, e) Rhe,wi 2 � _ Uhe,wi 2 �

po = E0 ⇥ (E \ E0) [ –

� 2TI�

8

>

>

>

><

>

>

>

>

:

(e1, e2)9�1, �2 2 � .e1 = getE(�1) ^ e2 = getE(�2)^ tid(e1) = tid(e2) = �^ �1 �� 2

9

>

>

>

>=

>

>

>

>

;

tso , E0 ⇥ (E \ E0)[

⇢

(e1, e2) 9�1, �2 2 � 0.� .e1 = getBE(�1) ^ e2 = getBE(�2) ^ �1 �� 0 .� �2

�

nvo , E0 ⇥ (E \ E0)[

⇢

(e1, e2) 9�1, �2 2 � 0.� .e1 = getPE(�1) ^ e2 = getPE(�2) ^ �1 �� 0 .� �2

�


1667

1668

1669

1670

1671

1672

1673

1674

1675

1676

1677

1678

1679

1680

1681

1682

1683

1684

1685

1686

1687

1688

1689

1690

1691

1692

1693

1694

1695

1696

1697

1698

1699

1700

1701

1702

1703

1704

1705

1706

1707

1708

1709

1710

1711

1712

1713

1714

1715


andgetE(.) : AL��* E

getE(�),(

e if 9e,w . � 2 {Rhe,wi,Uhe,wi,Whei, Fhei,PFhei,PShei}unde�ned otherwise

getPE(.) : AL��* E

getPE(�),(

e if 9e . � 2 {Rhe, , iFhei,PShei,PBhei}unde�ned otherwise

getBE(.) : AL��* E

getBE(�),(

e if 9e,w . � 2 {Rhe,wi,Uhe,wi, Fhei,PFhei,PShei,Bhei}unde�ned otherwise

A.2 Soundness of the Intermediate Semantics against PTSO Declarative SemanticsTheorem 4 (soundness). For all P, S, M , H = (�n�1,� 0

n�1). · · · .(�1,� 01), �n and � 0

n = � :

P, S0,M0, PB0,B0, �, � )⇤ skip| | · · · | |skip, S,M, PB0,B0,H ,�nthen(1) P, S0, �, � )⇤ skip| | · · · | |skip, S, �,�n where

� = �n�1=� �j+1=(G j , (� 0

j ,�j )). · · · .(G1, (� 01,�1)) for j 2 {1 · · ·n�1}

Gi = getG(�i ,�i ,� 0i ) for i 2 {1 · · ·n}

(2) E = G1; · · · ;Gn is PTSO-valid.

P��. Pick arbitrary P, S,M,H = (�n�1,� 0n�1). · · · .(�1,� 0

1),�n such that

P, S0,M0, PB0,B0, �, � )⇤ skip| | · · · | |skip, S,M, PB0,B0,H ,�nand let � 0

n = � . The proof of the �rst part follows from Lemma A.1 and by induction on the lengthof the event-annotated transition )⇤.For the second part, for all i 2 {1 · · ·n} let Ei = Ri [ F i [ PEi with PEi = W i [ U i [ PF i [ PSi . AsGi = getG(�i ,�i ,� 0

i ), we know that wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) hold. It then su�cesto show that for all i 2 {1 · · ·n} and Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ):

E0i ✓ EPi (1)

EPi ✓ Ei (2)

E0i ⇥ (Ei \ E0i ) ✓ poi (3)

E0i ⇥ (Ei \ E0i ) ✓ tsoi (4)

E0i ⇥ (Ei \ E0i ) ✓ nvoi (5)

dom(nvoi ; [EPi ]) ✓ EPi and EPn = En (6)

E00 =�

initx

x 2 L��

and E0i+1 =n

max⇣

nvoi |EPi \(U x

[W x )⌘

x 2 L��o

(7)

Ri [ F i [ PSi ✓ EPi and poi ; [PSi ] ✓ EPi (8)poi is a strict total order on Ei (9)


1716

1717

1718

1719

1720

1721

1722

1723

1724

1725

1726

1727

1728

1729

1730

1731

1732

1733

1734

1735

1736

1737

1738

1739

1740

1741

1742

1743

1744

1745

1746

1747

1748

1749

1750

1751

1752

1753

1754

1755

1756

1757

1758

1759

1760

1761

1762

1763

1764


rfi ✓ (W i [ U i ) ⇥ (Ri [ U i ) and is total and functional on Ri [ U i (10)tsoi ✓ Ei ⇥ Ei and is total on Ei \ Ri (11)poi \ (W i ⇥ Ri ) ✓ tsoi (12)rfi ✓ tsoi [ poi (13)

8(w, r ) 2 rfi . 8w 0 2 W i [ U i .(w 0, r ) 2 tsoi [ poi ^ loc(w 0)=loc(r ) ) (w,w 0) < tsoi

(14)

nvoi is a strict total order on PEi (15)8x 2 L��. (nvoi )x ✓ tsoi (16)[PSi ]; tsoi ; [PEi ] [ [PEi ]; tsoi ; [PSi ] ✓ nvoi (17)[PF i ]; tsoi ; [PEi ] [ [PEi ]; tsoi ; [PF i ] ✓ nvoi (18)

The proofs of parts (1), (3), (4), (5), (7), and (9) follow immediately from the construction of Gi .

RTS. (2)Pick an arbitrary e 2 EPi . We then know there exist � 2 �i and e such that e = getPE(�) and either� = Rhe,�i, or � = Fhei, or � = PShei, or � = PBhei. In the �rst three cases, from the de�nition ofgetE(.) we know that e = getE(�) and thus from the de�nition of Ei we have e 2 Ei , as required.In the last case, from wfp(� 0

i .�i , hist(�i )) we know that there existsw such that either Whei 2 �i ,or Uhe,wi 2 �i , or PFhei 2 �i . As such, from the de�nition of Ei we have e 2 Ei , as required.

RTS. (6)Pick an arbitrary e1, e2 such that (e1, e2) 2 nvoi and e2 2 EPi . From the de�nition of nvoi we thenknow there exist �1, �2 2 � 0

i .�i such that e1 = getPE(�1), e2 = getPE(�2) and �1 �� 0i .�i �2. On

the other hand, from the de�nition of EPi and since e2 2 EPi we know that �2 2 �i . As such, since�1 �� 0

i .�i �2 and labels in � 0i .�i are fresh (wfp(� 0

i .�i , hist(�i )) holds), we also know that �1 2 �i .Consequently, since e1 = getPE(�1) and �1 2 �i , from the de�nition of EPi we have e1 2 EPi , asrequired.

To demonstrate that EPn = En , it su�ces to show that En ✓ EPn , as in part (2) we established thatEPn ✓ En . Pick arbitrary e 2 En . From the de�nition of En we then know there exists � 2 �n such thatgetE(�) = e . There are then two cases to consider: 1) e < Wn[Un[PFn ; or 2) e 2 Wn[Un[PFn . Incase (1) from the de�nition of getPE(.) we know that getPE(�) = e and thus e 2 EPn , as required. Incase (2) from complete(� 0

n .�n)we know that there exists �0 such that �0 = PBhei and �0 2 � 0n .�n . As

� 0n = � we know that �0 2 �n . As such, from the de�nition of getPE(.) we know that getPE(�0) = e

and thus e 2 EPn , as required.

RTS. (8)The proof of the �rst part follows immediately from the de�nitions of EPi and getPE(.). For thesecond part, pick an arbitrary (e, ps) 2 poi ; [PSi ], i.e. (e, ps) 2 poi and ps 2 PSi . From the de�nitionof poi we then know there exist �, �0 2 �i such that e = getE(�), �0 = PShpsi, ps = getE(�0),� ��i �

0, and tid(e) = tid(ps). There are now two cases to consider: 1) e < U i [W i [ PF i ; or 2)e 2 U i [W i [ PF i .

In case (1) from the de�nition of getPE(.) we have getPE(�) = e and thus from the de�nition ofEPi we have e 2 EPi , as required.

In case (2) fromwfp(� 0i .�i , hist(�i ))we know there exists �00 = PBhei such that � ��i �

00 ��i �0.

That is, �00 2 �i . As such, such from the de�nition of EPi we have e 2 EPi , as required.


1765

1766

1767

1768

1769

1770

1771

1772

1773

1774

1775

1776

1777

1778

1779

1780

1781

1782

1783

1784

1785

1786

1787

1788

1789

1790

1791

1792

1793

1794

1795

1796

1797

1798

1799

1800

1801

1802

1803

1804

1805

1806

1807

1808

1809

1810

1811

1812

1813


RTS. (10)To demonstrate that rfi ✓ (W i [U i )⇥ (Ri [U i ), pick an arbitrary (ew , er ) 2 rfi . From the de�nitionof rfi we then know there exists � 2 �i such that � = Rher , ew i or � = Uher , ew i. As such from thetype of annotated labels we know er 2 R [ U and ew 2 W [ U .

To demonstrate that rfi is total on Ri , pick an arbitrary r 2 Ri . Form the de�nition of Ei we thenknow there exist � 2 �i and e such that � = Rhr , ei. As such we know (e, r ) 2 rfi and thus rfi istotal on Ri . The proof of rfi being total on U i is analogous and omitted here.To show rfi is functional on Ri , pick an arbitrary r 2 Ri . Form the de�nition of Ei we know

there exists � 2 �i and e such that � = Rhr , ei. As such we know (e, r ) 2 rfi and thus rfi . Moreover,since �i contains unique labels (wfp(� 0

i .�i , hist(�i )) holds), we know 8e 0,e . Rhr , e 0i < �i andthus 8e 0,e . (e 0, r ) < rfi . That is, rfi is functional on Ri . The proof of rfi being functional on U i isanalogous and omitted here.

RTS. (11)To demonstrate that tsoi ✓ Ei ⇥ Ei , pick an arbitrary (e1, e2) 2 tsoi . From the de�nition of tsoi wethen know there exists �1, �2 2 � 0

i .�i such that e1 = getBE(�1) and e2 = getBE(�2). For j 2 {1, 2},we then know that either 1) ¬9e . �j = Bhei; or 2) �j = Bhej i. In case (1) since � 0

i 2 PP�� we knowthat �j 2 �i and thus from the de�nition of Ei we know ej 2 Ei . In case (2) fromwfp(� 0

i .�i , hist(�i ))we know thatWhej i 2 � 0

i .�i . As such, since �0i 2 PP��, we know thatWhej i 2 �i and thus from

the de�nition of Ei we have ej 2 Ei . As such, in both cases we have (e1, e2) 2 Ei ⇥ Ei , as required.Transitivity and strictness of tsoi follow from the de�nition of tsoi , transitivity and strictness of

�� 0i .�i and the freshness of events in � 0

i .�i (wfp(� 0i .�i , hist(�i ))holds).

To demonstrate that tsoi is total on Ei \ Ri , pick arbitrary e1, e2 2 Ei \ Ri such that e1 , e2. Forj 2 {1, 2}, from the de�nitions of Ei we know there exist �j 2 �i such that either 1) ej 2 Ei \(Ri[W i )and �j = getE(�j ); or 2) ej 2 W i and �j = Whej i. In case (1) we then have �j 2 � 0

i .�i andgetBE(�j ) = ej . In case (2) from complete(� 0

i .�i ) we then know there exists �0j = Bhej i 2 � 0i .�i and

getBE(�0j ) = ej . As such, in both cases we know there exist �1, �2 2 � 0i .�i such that e1 = getBE(�1)

and e2 = getBE(�2). As e1 , e2 and � 0j .�j contains fresh labels (wfp(� 0

i .�i , hist(�i )) holds), weknow that �1 , �2 and thus either �1 �� 0

i .�i �2 or �2 �� 0i .�i �1. As such, from the de�nition of tsoi

we have either (e1, e2) 2 tsoi or (e2, e1) 2 tsoi , as required.

RTS. (12)Pick an arbitrary (e1, e2) 2 poi \ (W i ⇥ Ri ). From the de�nition of poi we then know there exist �and �1, �2 2 �i such that e1 = getE(�1), e2 = getE(�2), tid(e1) = tid(e2) = � and �1 ��i �2. Thatis, �1 �� 0

i .�i �2. There are then three cases to consider: e1, e2 < W i ; or 2) e1 < W i ^ e2 2 W i ; or 3)e1 2 W i .

In case (1) from the de�nition of getBE(.) we know that e1 = getBE(�1), e2 = getBE(�2). Assuch, from the de�nition of tsoi we have (e1, e2) 2 tsoi .

In case (2), from the de�nition of getBE(.)we know that e1 = getBE(�1). On the other hand, fromwfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exists � = Bhe2i such that �2 �� 0

i .�i �.That is, e2 = getBE(�). Since we also have �1 �� 0

i .�i �2, from the transitivity of � we have�1 �� 0

i .�i �. As such, from the de�nition of tsoi we have (e1, e2) 2 tsoi , as required.In case (3) , there are three additional cases to consider: i) �2 = Fhe2i or �2 = PFhe2i or �2 =

Uhe2,�i; or ii) �2 =Whe2i; or iii) �2 = PShe2i.In case (3.i) from the de�nition of getBE(.) we know that e2 = getBE(�2). On the other hand,

from wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) we know there exists � = Bhe1i such that �1 �� 0i .�i


1814

1815

1816

1817

1818

1819

1820

1821

1822

1823

1824

1825

1826

1827

1828

1829

1830

1831

1832

1833

1834

1835

1836

1837

1838

1839

1840

1841

1842

1843

1844

1845

1846

1847

1848

1849

1850

1851

1852

1853

1854

1855

1856

1857

1858

1859

1860

1861

1862


� �� 0i .�i �2. That is, e1 = getBE(�). As such, from the de�nition of tsoi we have (e1, e2) 2 tsoi , as

required.In case (3.ii) from wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exist �01 = Bhe1i and

�02 = Bhe2i such that �01 �� 0i .�i �

02. That is, e1 = getBE(�01) and e2 = getBE(�02). As such, from the

de�nition of tsoi we have (e1, e2) 2 tsoi , as required.In case (3.iii) from the de�nition of getBE(.) we know that e2 = getBE(�2). On the other hand,

from wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) and since tid(e1) = tid(e2), we know there exist�01 = Bhe1i such that �1 �� 0

i .�i �01 �� 0

i .�i PBhe1i �� 0i .�i �2. That is, e1 = getBE(�01). As such, from

the de�nition of tsoi we have (e1, e2) 2 tsoi , as required.

RTS. (13)Pick arbitrary (w, r ) 2 rfi . From the construction of rfi we then know there exist � 2 �i suchthat either � = Rhr ,wi or � = Uhr ,wi. From wfp(� 0

i .�i , hist(�i )) we then know that either 1)Bhwi ��i r ; or 2) Uhw,�i ��i r ; or 3) Whwi ��i r and tid(w) = tid(r ); or 4) w 2 E0i . In cases(1-2) from the de�nition of tsoi we have (w, r ) 2 tsoi , as required. In cases (3-4) from the de�nitionof poi we have (w, r ) 2 poi , as required.

RTS. (14)Pick arbitrary (w, r ) 2 rfi andw 0 2 U i [W i such that (w 0, r ) 2 tsoi [ poi and loc(w 0) = loc(r ). Ifw 0 = w , from the strictness of tsoi we immediately know that (w,w 0) < tsoi , as required.

Now let us consider the case wherew 0 , w . From the construction of rfi we then know thereexist � 2 �i such that either �r = Rhr ,wi or �r = Uhr ,wi. Fromwfp(� 0

i .�i , hist(�i ))we then knowthat either 1) there exists � = Bhwi ��i �r ; or 2) there exists � = Uhw,�i ��i �r ; or 3) there exists� =Whwi ��i �r and tid(w) = tid(r ); or 4)w 2 E0i .

On the other hand, from the construction of tsoi , poi and since (w 0, r ) 2 tsoi [ poi we know thateither: a) there exists �0 = Bhw 0i ��i r ; or b) there exists �0 = Uhw 0,�i ��i r ; or c)w 0 2 E0i .However, from wfp(� 0

i .�i , hist(�i )) and since � = Rhr ,wi 2 �i or � = Uhr ,wi 2 �i , in cases(1.a), (1.b), (2.1), (2.b), (3.a), (3.b) we have �0 ��i �. Consequently, in cases (1.a), (1.b), (2.1), (2.b)from the de�nition of tsoi we have (w 0,w) 2 tsoi , i.e. (w,w 0) < tsoi , as required. In cases (3.a) and(3.b) from wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we additionally know there exist �00 = Bhwi

such that � �� 0i .�i �

00 and thus from the transitivity of � we have �0 �� 0i .�i �

00. Consequently, fromthe de�nition of tsoi we have (w 0,w) 2 tsoi , i.e. (w,w 0) < tsoi , as required.In cases (2.c), (3.c) from the de�nition of tsoi we have (w 0,w) 2 tsoi , i.e. (w,w 0) < tsoi , as

required. Similarly, in case (1.c) from wfp(� 0i .�i , hist(�i )) we know Whwi 2 �i and thus from the

de�nition of tsoi we have (w 0,w) 2 tsoi , i.e. (w,w 0) < tsoi , as required.Cases (4.1), (4.b) cannot arise as from wfp(� 0

i .�i , hist(�i )) we arrive at a contradiction. Case (4.c)cannot arise as w , w 0 and from the de�nition of E0i we cannot have two distinct events of thesame location in E0i .

RTS. (15)Transitivity and strictness of nvoi follow from the de�nition of nvoi , transitivity and strictness of�� 0

i .�i and the freshness of events in � 0i .�i (wfp(� 0

i .�i , hist(�i ))holds).To demonstrate that nvoi is total on PEi , pick arbitrary e1, e2 2 PEi such that e1 , e2. For

j 2 {1, 2}, from the de�nitions of PEi we know there exist �j 2 �i such that either 1)ej 2 U i and�j = Uhej ,�i; or 2) ej 2 W i and �j = Whej i; or 3) ej 2 PF i and �j = PFhej i; or 4) ej 2 PSi and�j = PShej i. In cases (1-3) from complete(� 0

i .�i ) we then know there exists �0j = PBhej i 2 � 0i .�i

and getPE(�0j ) = ej . In case (4) we have getPE(�j ) = ej . As such, in both cases we know there


1863

1864

1865

1866

1867

1868

1869

1870

1871

1872

1873

1874

1875

1876

1877

1878

1879

1880

1881

1882

1883

1884

1885

1886

1887

1888

1889

1890

1891

1892

1893

1894

1895

1896

1897

1898

1899

1900

1901

1902

1903

1904

1905

1906

1907

1908

1909

1910

1911


exist �1, �2 2 � 0i .�i such that e1 = getPE(�1) and e2 = getPE(�2). As e1 , e2 and � 0

j .�j containsfresh labels (wfp(� 0

i .�i , hist(�i )) holds), we know that �1 , �2 and thus either �1 �� 0i .�i �2 or

�2 �� 0i .�i �1. As such, from the de�nition of nvoi we have either (e1, e2) 2 nvoi or (e2, e1) 2 nvoi ,

as required.

RTS. (16)Pick arbitrary x 2 L�� and (e1, e2) 2 (nvoi )x. From the de�nition of nvoi we then know thereexist �1, �2 2 � 0

i .�i such that e1 = getPE(�1), e2 = getPE(�2), loc(e1) = loc(e2) = x, �1 ��i �2,e1, e2 2 W i [ U i and �1 = PBhe1i and �2 = PBhe2i. From wfp(� 0

i .�i , hist(�i )) we then knowthat either 1) e1, e2 2 W i and Bhe1i �� 0

i .�i Bhe2i; or 2) e1, e2 2 U i and there exist e 01, e02 such that

Uhe1, e 01i �� 0i .�i Uhe2, e 02i; or 3) e1 2 W , e2 2 U i and there exists e 02 such that Bhe1i �� 0

i .�i Uhe2, e 02i;or 4) e1 2 U i , e2 2 W i and there exists e 01 such that Uhe1, e 01i �� 0

i .�i Bhe2i. In all four cases fromthe de�nition of tsoi we have (e1, e2) 2 tsoi , as required.

RTS. (17)To demonstrate [PSi ]; tsoi ; [PEi ] ✓ nvoi , pick arbitrary (e1, e2) 2 [PSi ]; tsoi ; [PEi ]. From the def-inition of tsoi we then know that that there exist �1, �2 2 � 0

i .�i such that e1 = getBE(�1),e2 = getBE(�2) and �1 �� 0

i .�i �2. Moreover, since e1 2 PSi we know that getPE(�1) = e1. There arenow three cases to consider: 1) e2 < W i [ U i [ PF i ; or 2) e2 2 U i [ PF i ; or 3) e2 2 W i .

In case (1), from the de�nitions of getPE(.) and getBE(.) we know that getPE(�2) = e2 and thusfrom the de�nition of nvoi we have (e1, e2) 2 nvoi , as required.In case (2) from the de�nition of getBE(.) we know that either �2 = Uhe2,�i or �2 = PFhe2i

and thus from wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) we know there exists � = PBhe2i suchthat �2 �� 0

i .�i �. Since we also have �1 �� 0i .�i �2, from the transitivity of �� 0

i .�i we also have�1 �� 0

i .�i �. Moreover, from the de�nition of getPE(.) we have getPE(�) = e2. Consequently, wehave (e1, e2) 2 nvoi , as required.Similarly, in case (3) from the de�nition of getBE(.) we know �2 = Bhe2i and thus from

wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) we know there exists � = PBhe2i such that �2 �� 0i .�i �.

Since we also have �1 �� 0i .�i �2, from the transitivity of �� 0

i .�i we also have �1 �� 0i .�i �. Moreover,

from the de�nition of getPE(.) we have getPE(�) = e2. Consequently, we have (e1, e2) 2 nvoi , asrequired.

To demonstrate [PEi ]; tsoi ; [PSi ] ✓ nvoi , pick arbitrary (e1, e2) 2 [PEi ]; tsoi ; [PSi ]. From thede�nition of tsoi we then know that that there exist �1, �2 2 � 0

i .�i such that e1 = getBE(�1),e2 = getBE(�2) and �1 �� 0

i .�i �2. Moreover, since e2 2 PSi we know that getPE(�2) = e2. There arenow four cases to consider: 1) e1 < W i [ U i [ PF i ; or 2) e1 2 U i ; or 3) e1 2 W i ; or 4) e1 2 PF i .

In case (1), from the de�nitions of getPE(.) and getBE(.) we know that getPE(�1) = e1 and thusfrom the de�nition of nvoi we have (e1, e2) 2 nvoi , as required.

In case (2) from the de�nition of getBE(.)we know �1 = Uhe1,�i and thus fromwfp(� 0i .�i , hist(�i ))

and complete(� 0i .�i ) we know there exists � = PBhe1i such that �1 �� 0

i .�i � �� 0i .�i �2. Moreover,

from the de�nition of getPE(.) we have getPE(�) = e1. Consequently, we have (e1, e2) 2 nvoi , asrequired.Similarly, in case (3) from the de�nition of getBE(.) we know �1 = Bhe1i and thus from

wfp(� 0i .�i , hist(�i )) and complete(� 0

i .�i ) we know there exists � = PBhe1i such that �1 �� 0i .�i

� �� 0i .�i �2. Moreover, from the de�nition of getPE(.) we have getPE(�) = e1. Consequently, we

have (e1, e2) 2 nvoi , as required.


1912

1913

1914

1915

1916

1917

1918

1919

1920

1921

1922

1923

1924

1925

1926

1927

1928

1929

1930

1931

1932

1933

1934

1935

1936

1937

1938

1939

1940

1941

1942

1943

1944

1945

1946

1947

1948

1949

1950

1951

1952

1953

1954

1955

1956

1957

1958

1959

1960


Analogously, in case (4) from the de�nition of getBE(.) we know �1 = PFhe1i and thus fromwfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exists � = PBhe1i such that �1 �� 0

i .�i� �� 0

i .�i �2. Moreover, from the de�nition of getPE(.) we have getPE(�) = e1. Consequently, wehave (e1, e2) 2 nvoi , as required.

RTS. (18)To demonstrate that [PEi ]; tsoi ; [PF i ] ✓ nvoi , pick an arbitrary (e1, e2) 2 [PEi ]; tsoi ; [PF i ]. If e1 2 PSi ,then the desired result holds immediately from part (17). On the other hand if e1 < PSi , then fromthe de�nition of tsoi we then know that that there exist �1, �2 2 � 0

i .�i such that e1 = getBE(�1),e2 = getBE(�2), �2 = PFhe2i, �1 �� 0

i .�i �2 and either 1) �1 = Bhe1i; 2) �1 = Uhe1,�i; or 3)�1 = PFhe1i. From wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exists �02 = PBhe2i

such that �2 �� 0i .�i �

02. As such we have getPE(�02) = e2. As �2 = PFhe2i and �1 �� 0

i .�i �2, in allthree cases from wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exist �01 = PBhe1i such

that �01 �� 0i .�i �

02. That is, getPE(�01) = e1. From the de�nition of nvoi we thus have (e1, e2) 2 nvoi ,

as required.Similarly, to demonstrate that [PF i ]; tsoi ; [PEi ] ✓ nvoi , pick an arbitrary (e1, e2) 2 [PF i ]; tsoi ; [PEi ].

If e2 2 PSi , then the desired result holds immediately from part (17). On the other hand ife2 < PSi , then from the de�nition of tsoi we then know that that there exist �1, �2 2 � 0

i .�isuch that e1 = getBE(�1), e2 = getBE(�2), �1 = PFhe1i, �1 �� 0

i .�i �2 and either 1) �2 = Bhe2i; 2)�2 = Uhe2,�i; or 3) �2 = PFhe2i. From wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there

exists �01 = PBhe1i 2 � 0i .�i . As such we have getPE(�01) = e1. As �1 = PFhe1i and �1 �� 0

i .�i �2, in allthree cases from wfp(� 0

i .�i , hist(�i )) and complete(� 0i .�i ) we know there exist �02 = PBhe2i such

that �01 �� 0i .�i �

02. That is, getPE(�02) = e2. From the de�nition of nvoi we thus have (e1, e2) 2 nvoi ,

as required. ⇤

A.3 Completeness of the Intermediate Semantics against PTSO Declarative SemanticsDe�nition A.3. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain. Let S1 = � and S j+1 =G j . · · · .G1 for j 2 {1 · · ·n}. For each execution era Gi , the set of traces induced by Gi , writtentraces(Gi , Si ), includes those traces (� 0,� ) that satisfy the following condition:

(� 0i ,�i ). · · · .(� 0

1,�1) 2 traces(Gi , Si ) def()i

€

k=1getG(�k ,�k ,� 0

k ) = Gk

where �1 = � and �j+1 = (� 0j ,�j ). · · · .(� 0

1,�1) for j 2 {1 · · · i�1}.Lemma A.2. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain. Let S1 = � and S j+1 =G j . · · · .G1 for j 2 {1 · · ·n}. For all i 2 {1 · · ·n}, traces(Gi , Si ) , ;.

P��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn . Let S1 = � and S j+1 = G j . · · · .G1for j 2 {1 · · ·n}. For an arbitrary PTSO-valid Gi , we demonstrate how to construct a trace s =(� 0

i ,�i ). · · · .(� 01,�1) such that s 2 traces(Gi , Si ).

For each k 2 {1 · · · i} and Gk = (E0, EP , E, po, rf, tso, nvo),we construct (� 0k ,�k ) as follows. Let

R = {r1 · · · rq} denote an enumeration of Gk .R and {w1, · · · ,ws } denote an enumeration of Gk .W .For each j 2 {1 · · ·q} and l 2 {0 · · · s�1} where (w, r j ) 2 rf, we then de�ne

tsol+1j ,

8

>

>

>

>

>

><

>

>

>

>

>

>

:

⇣

tsolj [n

(r j ,wl+1)o⌘+

if (r j ,wl+1) < tsolj [ (tsolj )�1and (w,wl+1) 2 tso

tsolj otherwise


1961

1962

1963

1964

1965

1966

1967

1968

1969

1970

1971

1972

1973

1974

1975

1976

1977

1978

1979

1980

1981

1982

1983

1984

1985

1986

1987

1988

1989

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004

2005

2006

2007

2008

2009


where tso01 = tso and tso0j+1 = tsosj for j 2 {1 · · ·q�1}. Note that each tsolj is 1) total on writes andrespects with tso; and 2) is a strict order on E. We next show that:

8j 2 {1 · · ·q}. 8l 2 {0 · · · s}. 8w, r . 8w 0 2 W [ U .(w, r ) 2 rf ^ (w 0, r ) 2 tsolj [ po ^ loc(w) = loc(w 0) ) (w,w 0) < tsolj (RFJ)

Let (w, r j ) 2 rf. We proceed by double induction on j and l .

Base case j = 1 and l = 0As Gk is PTSO-valid, we know that the desired property holds of tso and thus of tso01 = tso byde�nition.

Inductive case j = 1 and l = a+1 with 0 a < s

8l 0 2 {1 · · ·a}. 8w, r . 8w 0 2 W [ U .(w, r ) 2 rf ^ (w 0, r ) 2 tsol

01 [ po ^ loc(w) = loc(w 0) ) (w,w 0) < tsol 01

(I.H.)

From the de�nition of tsol1, we know that either i) tsol1 = tsoa1 ; or ii) tsol1 =

�

tsoa1 [�(r1,wl )

�+,(r1,wl ) < tsoa1 [ (tsoa1 )�1 and (w,wl ) 2 tso. In case (i) the desired result holds immediately from(I.H.).

In case (ii) we proceed by contradiction. Let us assume there existswc ,w 0c , rc such that (wc , rc ) 2

rf, (w 0c , rc ) 2 tsol1 [ po ^loc(wc ) = loc(w 0

c ) and (wc ,w 0c ) 2 tsol1. As (wc ,w 0

c ) 2 tsol1 and tsol1is a strict order, we know that wc , w 0

c . On the other hand, from (I.H.) we then know that

(w 0c , rc ) < tsoa1 [ po. As such, form the de�nition of tsol1 we know that w 0

ctsoa1! r1

tsol1! wltsoa1! rc .

However, as tsoa1 is strict and is total on writes, we know that either a) (wl ,w 0c ) 2 tsoa1 ; or b)

(w 0c ,wl ) 2 tsoa1 . In case (ii.a) we then have wl

tsoa1! w 0c

tsoa1! r1, contradicting the assumption that

(r1,wl ) < tsoa1 [ (tsoa1 )�1. In case (ii.b) we havew 0ctsoa1! wl

tsoa1! rc , i.e. (w 0c , rc ) 2 tsoa1 . As such, from

(I.H.) we have (wc ,w 0c ) < tsoa1 , i.e. (w 0

c ,wc ) 2 tsoa1 ✓ tsol1, and thus (wc ,w 0c ) < tsol1, contradicting

our assumption that (wc ,w 0c ) 2 tsol1.

Inductive case j = b+1 and l = 0 with 1 b < q�18j 0 2 {1 · · ·b}. 8l 0 2 {1 · · · s}. 8w, r . 8w 0 2 W [ U .

(w, r ) 2 rf ^ (w 0, r ) 2 tsol0j0 ) (w,w 0) < tsol 0j0 (I.H.)

As tso0j , tsosb , the desired result holds immediately from (I.H.).

Inductive case j = b+1 and l = a+1 with 1 b < q�1 and 0 a < s

8l 0 2 {1 · · ·a}. 8w, r . 8w 0 2 W [ U .(w, r ) 2 rf ^ (w 0, r ) 2 tsol

0j ) (w,w 0) < tsol 0j (I.H.)

From the de�nition of tsolj , we know that either i) tsolj = tsoaj ; or ii) tsolj =

⇣

tsoaj [�(r j ,wl )

⌘+

,(r j ,wl ) < tsoaj [ (tsoaj )�1 and (w,wl ) 2 tso. In case (i) the desired result holds immediately from(I.H.).

In case (ii), we proceed by contradiction. Let us assume there existswc ,w 0c , rc such that (wc , rc ) 2

rf, (w 0c , rc ) 2 tsolj [ po ^loc(wc ) = loc(w 0

c ) and (wc ,w 0c ) 2 tsolj . As (wc ,w 0

c ) 2 tsolj and tsoljis a strict order, we know that wc , w 0

c . On the other hand, from (I.H.) we then know that

(w 0c , rc ) < tsoaj [ po. As such, form the de�nition of tsolj we know that w 0

c

tsoaj! r jtsolj! wl

tsoaj! rc .


2010

2011

2012

2013

2014

2015

2016

2017

2018

2019

2020

2021

2022

2023

2024

2025

2026

2027

2028

2029

2030

2031

2032

2033

2034

2035

2036

2037

2038

2039

2040

2041

2042

2043

2044

2045

2046

2047

2048

2049

2050

2051

2052

2053

2054

2055

2056

2057

2058


However, as tsoaj is strict and is total on writes, we know that either a) (wl ,w 0c ) 2 tsoaj ; or b)

(w 0c ,wl ) 2 tsoaj . In case (ii.a) we then have wl

tsoaj! w 0c

tsoaj! r j , contradicting the assumption that

(r j ,wl ) < tsoaj [ (tsoaj )�1. In case (ii.b) we havew 0c

tsoaj! wltsoaj! rc , i.e. (w 0

c , rc ) 2 tsoaj . As such, from(I.H.) we have (wc ,w 0

c ) < tsoaj , i.e. (w 0c ,wc ) 2 tsoaj ✓ tsolj , and thus (wc ,w 0

c ) < tsolj , contradictingour assumption that (wc ,w 0

c ) 2 tsolj . ⇤

Let tsot denote an extension of tsosq to a strict total order on E. Once again, we demonstrate that:

8w, r . 8w 0 2 W [ U . (w, r ) 2 rf ^ (w 0, r ) 2 tsot ^ loc(w) = loc(w 0) ) (w,w 0) < tsot (RF)

Pick arbitrary w,w 0, r such that (w, r ) 2 rf ^loc(w) = loc(w 0) and (w 0, r ) 2 tsot . There are twocases to consider: 1) (w 0, r ) 2 tsosq ; or 2) (w 0, r ) 2 tsot \ tsosq . In case (1) the result holds from(RFJ) established above. In case (2), as tsot is a strict order we know that (r ,w 0) < tsot and thus(r ,w 0) < tsosq . Moreover, as (w 0, r ) 2 tsot \ tsosq , i.e. (w 0, r ) < tsosq . As such, from the de�nitionof tsosq we know that (w,w 0) < tso, i.e. (w 0,w) 2 tso ✓ tsot . As tsot is a strict order, we have(w,w 0) < tsot . ⇤

Let {e1, · · · , en} denote an enumeration ofGk .E \ E0 that respects tsot ; {w1, · · · ,wm} denote anenumeration of Gk .W \ E0 that respects tso; and {e 01, · · · , e 0o} denote an enumeration of Gk .(W [U [ PF) \ E0 that respects nvo. Since Gk is PTSO-valid and thus dom(nvo; [EP ]) ✓ EP , we knowthere exists p such that 0 p o and {e 01, · · · , e 0p } 2 EP \ E0 and {e 0p+1, · · · , e 0o} 2 E \ (EP [ E0).

Let � 0 = �n . · · · .�1, where �j = genBL(ej ,Gk ) for j 2 {1 · · ·n} and:

genBL(e,G) ,8

>

>

><

>

>

>

:

Bhei if e 2 G .WgenL(e,G) if e 2 G .E \G .Wunde�ned otherwise

For each j 2 {1 · · ·m}, let Nj =�

e (w j , e) 2 po ^ e < {w j+1 · · ·wm} ; and nj = min(po|Nj ) whensuch an element exists. For each j 2 {1 · · ·m}, let � j = addW(� j�1,w j ,nj ), where:

addW(� ,w,n) ,

8

>

>

>

>

><

>

>

>

>

>

:

Whwi.Bhwi.s if 9s . � = Bhwi.sWhwi.n.s if 9s . � = genL(n,Gk ).se .addW(s,w,n) if 9s . � = e .s

unde�ned otherwise

genL(e,G) ,

8

>

>

>

>

>

>

>

>

>

>

>

><

>

>

>

>

>

>

>

>

>

>

>

>

:

Rhe, e 0i if e 2 G .R ^ (e 0, e) 2 G .rfWhei if e 2 G .WUhe, e 0i if e 2 G .U ^ (e 0, e) 2 G .rfFhei if e 2 G .FPFhei if e 2 G .PFPShei if e 2 G .PSunde�ned otherwise

Note that for all j 2 {1 · · ·m}, the addW(� j�1,w j ,nj ) is always de�ned as Bhw j i 2 � j�1.


2059

2060

2061

2062

2063

2064

2065

2066

2067

2068

2069

2070

2071

2072

2073

2074

2075

2076

2077

2078

2079

2080

2081

2082

2083

2084

2085

2086

2087

2088

2089

2090

2091

2092

2093

2094

2095

2096

2097

2098

2099

2100

2101

2102

2103

2104

2105

2106

2107


For each j 2 {1 · · ·p}, let Pj =�

e (e, e 0j ) 2 nvo

; and pj = max⇣

nvo|Pj⌘

when such an elementexists. Let �̂ 0 = �m and for each j 2 {1 · · ·p}, let �̂ j = addP(�̂ j�1, e 0j ,pj ), where:

addP(� , e,p) ,

8

>

>

>

>

><

>

>

>

>

>

:

s .genPL(e,Gi ).genBL(e,Gi ) if 9s . � = s .genBL(e,Gi )s .genPL(e,Gi ).genPL(p,Gi ) if 9s . � = s .genPL(p,Gi )addP(s, e,p).e 0 if 9s, e 0. � = s .e 0


genPL(e,G) ,8

>

>

><

>

>

>

:

PBhei if e 2 G .(W [ U [ PF)genL(e,G) if e 2 G .PSunde�ned otherwise

Note that for all j 2 {1 · · ·p}, the addP(�̂ j�1, e 0j ,pj ) is always de�ned as genBL(e 0j ,Gk ) 2 �̂ j�1. Let�k = �̂p and let � 0

k = genPL(eo ,Gk ). · · · .genPL(ep+1,Gk ).We next demonstrate that wfp(� 0

k .�k , hist(�k )) and complete(� 0k .�k ) hold.

Goal: wfp(� 0k .�k , hist(�k ))

Let � = � 0k .�k . We are then required to show that for all �,�1,�2, e, r , e1, e2:

nodups(� .� 00.� 000) (19)�=�2.Rhr , ei.�1 _ �=�2.Uhr , ei.�1 ) wfrd(r , e,�1,� 00) (20)Bhei 2 � ) Whei �� Bhei (21)PBhei 2 � )(Bhei �� PBhei _ Uhe,�i �� PBhei _ PFhei �� PBhei) (22)

tid(e1) = tid(e2) )Bhe2i 2 � ^Whe1i �� Whe2i () Bhe1i �� Bhe2i (23)

Whe1i �� Fhe2i ^ tid(e1) = tid(e2) ) Bhe1i �� Fhe2i (24)Whe1i �� Uhe2, ei ^ tid(e1) = tid(e2) ) Bhe1i �� Uhe2, ei (25)Whe1i �� PFhe2i ^ tid(e1) = tid(e2) ) Bhe1i �� PFhe2i (26)Whe1i �� PShe2i ^ tid(e1) = tid(e2) ) Bhe1i �� PShe2i (27)loc(e1) = loc(e2) ^ e1, e2 2 W [ U )

PBhe2i 2 � ^©

≠

≠

≠

´

Bhe1i �� Bhe2i_Bhe1i �� Uhe2,�i_Uhe1,�i �� Bhe2i_Uhe1,�i �� Uhe2,�i

™

Æ

Æ

Æ

¨

() PBhe1i �� PBhe2i (28)

e1, e2 2 (PE ⇥ PE) \ (W [ U ⇥W [ U ) )

PBhe2i 2 � ^©

≠

≠

≠

≠

≠

´

Bhe1i �� PFhe2i_Uhe1,�i �� PFhe2i_PFhe1i �� Bhe2i_PFhe1i �� Uhe2,�i_PFhe1i �� PFhe2i

™

Æ

Æ

Æ

Æ

Æ

¨

() PBhe1i �� PBhe2i (29)

©

≠

´

Bhe1i �� PShe2i_Uhe1,�i �� PShe2i_PFhe1i �� PShe2i

™

Æ

¨

) PBhe1i �� PShe2i (30)


2108

2109

2110

2111

2112

2113

2114

2115

2116

2117

2118

2119

2120

2121

2122

2123

2124

2125

2126

2127

2128

2129

2130

2131

2132

2133

2134

2135

2136

2137

2138

2139

2140

2141

2142

2143

2144

2145

2146

2147

2148

2149

2150

2151

2152

2153

2154

2155

2156


where � 00 = �k�1. · · · .�1 and � 000 = � 0k�1. · · · .� 0

1.The proof of parts (19), (21), (22) follow immediately from the constructions of � 0

k and �k .

For part (20), pick arbitrary �1,�2, r , e such that �=�2.Rhr , ei.�1 or �=�2.Uhr , ei.�1. From theconstruction of � we then know that (e, r ) 2 rf. There are now two cases to consider: 1) e 2 E \ E0;or 2) e 2 E0.

In case (1), asGk is PTSO-valid, we know that (e, r ) 2 rf ✓ tso[po. As such, from the constructionof � we know that there exists �3 such that �1 = �3.�.� and �=Bhei _ �=Uhe,�i _ (�=Whei ^tid(e) = tid(r )). There are two more cases to consider: i) �=Bhei _ �=Uhe,�i; or ii) �=Whei.

In case (i) let us assume there exists e 0 such that loc(e 0)=loc(r ) and Bhe 0i 2 �3 or Uhe 0,�i 2 �3.From the construction of � we then have e 0 2 W [ U , (e 0, r ) 2 tsot and (e, e 0) 2 tsot . Thishowever contradicts our result in (RF) and thus we have

�

Bhe 0i,Uhe 0,�i 2 �3 loc(e 0)=loc(r ) = ;,as required. Similarly, let us assume there exists e 0 such that loc(e 0)=loc(r ), tid(e 0) = tid(r ),Whe 0i 2 �3 and Bhe 0i < �3. From the construction of � we then have e 0 2 W [ U , (e 0, r ) 2 poand (e, e 0) 2 po \ (W [ U ) ⇥ (W [ U ) ✓ tsot . This however contradicts our result in (RF) and

thus we have⇢

e 0 Whe 0i 2 �3 ^ Bhe 0i < �3loc(e 0)=loc(r ) ^ tid(e 0) = tid(r )

�

= ;, as required. Similarly, in case (ii) we

know that either Bhei 2 �3 or Bhei < �3. In the former case the desired result follows fromthe proof of case (i). In the latter case, let us assume there exists e 0 such that loc(e 0)=loc(r ),tid(e 0) = tid(r ) and Whe 0i 2 �3 . From the construction of � we then have e 0 2 W , (e 0, r ) 2 poand (e, e 0) 2 po \ (W [ U ) ⇥ (W [ U ) ✓ tsot . This however contradicts our result in (RF) and thuswe have

�

Whe 0i 2 �3 loc(e 0)=loc(r ) ^ tid(e 0) = tid(r ) = ;, as required.In case (2), as Gk is PTSO-valid, we know either i) k = 1 ^ e = init

loc(e); or ii) k > 0 ^ e =

max⇣

Gk�1.nvo|Gk�1 .EP\(U loc(e )[W loc(e ))⌘

. Let us now assume there exists e 0 such that Bhe 0i 2 �1or Uhe 0,�i 2 �1, and loc(e 0)=loc(r ). That is, e 0 2 W [ U . From the construction of � we thenhave (e 0, r ) 2 tsot and (e, e 0) 2 tsot . This however contradicts our result in (RF) and thus wehave

�

Bhe 0i,Uhe 0,�i 2 �1 loc(e 0)=loc(r ) = ;. Similarly, let us assume there exists e 0 such thatloc(e 0)=loc(r ), tid(e 0) = tid(r ), Whe 0i 2 �1. That is, e 0 2 W [ U . From the construction of � wethen have (e 0, r ) 2 po and (e, e 0) 2 po \ (W [ U ) ⇥ (W [ U ) ✓ tsot . This however contradicts ourresult in (RF) and thus we have

�

Whe 0i 2 �1 loc(e 0)=loc(r ) ^ tid(e 0) = tid(r ) = ;. In case (i),as �k = � , we know � 00 = � and thus we simply have

�

PBhe 0i 2 � 00loc(e 0)=loc(r ) = ;

as required.In case (ii), we then know either:

a) for all b 2 {1 · · ·k�1}, e 2 Gb .E0 and Gb .(W [ U )loc(e) \ E0 = ; and thus e = init

loc(e); orb) there exists a 2 {1 · · ·k�1} such that e 2 Ga .EP \ E0, 8e 0 2 Ga .(W [U )

loc(e). (e 0, e) 2 Ga .nvoand for all b 2 {a+1 · · ·k�1}, e 2 Gb .E0 and Gb .(W [ U )

loc(e) \ E0 = ;.In case (a), let us assume there exists e 0 such that PBhe 0i 2 � 00 and loc(e 0) = loc(r ) = loc(e). Wethen know there existsb 2 {1 · · ·k�1} such that e 2 Gb .(W[U )

loc(e) \E0, leading to a contradiction.As such, we have

�

PBhe 0i 2 � 00loc(e 0)=loc(r ) = ;

as required.In case (b), from the construction of �1 · · · �k�1, we know there exists �3,�4 such that �a =

�3.PBhei.�4, and � 00 = �k�1. · · · �a . · · · .�1. Let us assume there exists e 0 such that PBhe 0i 2�k�1. · · · .�a+1 and loc(e 0) = loc(r ) = loc(e). We then know either there exists b 2 {k�1 · · ·a+1}such that e 2 Gb .(W [ U )

loc(e) \ E0, leading to a contradiction. Similarly, let us assume there exists


2157

2158

2159

2160

2161

2162

2163

2164

2165

2166

2167

2168

2169

2170

2171

2172

2173

2174

2175

2176

2177

2178

2179

2180

2181

2182

2183

2184

2185

2186

2187

2188

2189

2190

2191

2192

2193

2194

2195

2196

2197

2198

2199

2200

2201

2202

2203

2204

2205


e 0 such that PBhe 0i 2 �3 and loc(e 0) = loc(r ) = loc(e). We then know (e, e 0) 2 Ga .nvo, leading toa contradiction. As such, we have

�

PBhe 0i 2 �k�1. · · · .�a+1.�3 loc(e 0)=loc(r ) = ;, as required.

For part (23), pick arbitrary e1, e2 such that tid(e1) = tid(e2). For the ) direction assumeWhe1i �� Whe2i. Moreover, from the construction of � we know that for all e such that tid(e) =tid(e1) we have (e1, e) 2 po () Whe1i �� genL(e,Gk ). As such, we have (e1, e2) 2 po. As Gk isPTSO-valid, we then know that (e1, e2) 2 tso. Consequently, from the construction of � we haveBhe1i �� Bhe2i, as required.For the( direction, assume Bhe1i �� Bhe2i. From the construction of � we have (e1, e2) 2 tso.

AsGk is PTSO-valid, we then know that (e1, e2) 2 po. Consequently, from the construction of � wehave Whe1i �� Whe2i, as required.

For part (24), pick arbitrary e1, e2 such that tid(e1) = tid(e2) andWhe1i �� Fhe2i. We then knowthere exists j such thatw j = e1. Moreover, from the construction of � we know that for all e suchthat tid(e) = tid(e1) we have (e1, e) 2 po () Whe1i �� genL(e,Gk ). As such, by de�nition wehave (e1, e2) 2 po. As Gk is PTSO-valid, we then know that (e1, e2) 2 tso. Consequently, from theconstruction of � we have Bhe1i �� Fhe2i, as required.

The proofs of parts (25), (26) and (27) are analogous and omitted here.For part (28), pick arbitrary e1, e2 such that loc(e1) = loc(e2). For the ) direction, assume

Bhe1i �� Bhe2i or Bhe1i �� Uhe2,�i or Uhe1,�i �� Bhe2i or Uhe1,�i �� Uhe2,�i. From theconstruction of � we then know that (e1, e2) 2 tso. As Gk is PTSO-valid, we then know that(e1, e2) 2 nvo. Consequently, from the construction of � we have PBhe1i �� PBhe2i, as required.For the ( direction, assume PBhe1i �� PBhe2i. From the construction of � we then know

that (e1, e2) 2 nvo. As Gk is PTSO-valid, we then know that (e1, e2) 2 tso. Consequently, fromthe construction of � we have Bhe1i �� Bhe2i or Bhe1i �� Uhe2,�i or Uhe1,�i �� Bhe2i orUhe1,�i �� Uhe2,�i, as required.

Similarly, for part (29), pick arbitrary e1, e2 2 (PE ⇥ PE) \ (W [U ⇥W [U ). For the) direction,assume Bhe1i �� PFhe2i or Uhe1,�i �� PFhe2i or PFhe1i �� Bhe2i or PFhe1i �� Uhe2,�iorPFhe1i �� PFhe2i. From the construction of � we then know that (e1, e2) 2 tso. Moreover, we knowthat (e1, e2) 2 [W [ U [ PF]; tso; [PF] [ [PF]; tso; [W [ U [ PF]. As Gk is PTSO-valid, we thenknow that (e1, e2) 2 nvo. Consequently, from the construction of � we have PBhe1i �� PBhe2i, asrequired.

For the ( direction, assume PBhe1i �� PBhe2i. From the construction of � we then know that(e1, e2) 2 nvo. As (e1, e2) 2 [W [U [ PF]; tso; [PF] [ [PF]; tso; [W [U [ PF] andGk is PTSO-valid,we then know that (e1, e2) 2 tso. Consequently, from the construction of � we have Bhe1i �� PFhe2ior Uhe1,�i �� PFhe2i or PFhe1i �� Bhe2i or PFhe1i �� Uhe2,�ior PFhe1i �� PFhe2i, as required.

For part (30), pick arbitrary e1, e2 such that Bhe1i �� PShe2i or Uhe1,�i �� PShe2i or PFhe1i ��PShe2i. From the construction of � we then know that (e1, e2) 2 tso. Moreover, we know that(e1, e2) 2 tso|PE; [PS]. As Gk is PTSO-valid, we then know that (e1, e2) 2 nvo. Consequently, fromthe construction of � we have PBhe1i �� PBhe2i, as required.

Goal: complete(� 0k .�k )

Follows immediately from the constructions of � 0k and �k .


2206

2207

2208

2209

2210

2211

2212

2213

2214

2215

2216

2217

2218

2219

2220

2221

2222

2223

2224

2225

2226

2227

2228

2229

2230

2231

2232

2233

2234

2235

2236

2237

2238

2239

2240

2241

2242

2243

2244

2245

2246

2247

2248

2249

2250

2251

2252

2253

2254


As wfp(� 0k .�k , hist(�k )) and complete(� 0

k .�k ) hold, we know getG(�k ,�k ,� 0k ) is de�ned. From

the constructions of � 0k and �k , it is now straightforward to demonstrate that getG(�k ,�k ,� 0

k ) =Gk . ⇤

De�nition A.4. Given a � = (Gn , (� 0n ,�n)). · · · .(G1, (� 0

1,�1)) and an event path � , let

wf(�,� ) def() wfp(� ,H) ^n€

i=1getG(�i ,�i ,� 0

i ) = Gi ^ wfh(H)

where �1=� ; �i+1 = (Gi , (� 0i ,�i )). · · · .(G1, (� 0

1,�1)) for i 2 {1 · · ·n�1}; andH=hist(�).Lemma A.3. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain. Let S1 = � and S j+1 =G j . · · · .G1 for j 2 {1 · · ·n}. For all i 2 {1 · · ·n}:

(1) for all (� 0i ,�i ). · · · .(� 0

1,�1) 2 traces(Gi , Si ), and for all � ,� 0:

� 0i .�i = � 0.� ) wf(�i ,� )

where �1=� and �j+1=(G j , (� 0j ,�j )). · · · .(G1, (� 0

1,�1)) for j 2 {1 · · · i�1}.(2) for all (� 0

n ,�n). · · · .(� 01,�1) 2 traces(Gn , Sn), � 0

n = � .

P��. Pick an arbitrary PTSO-valid execution chain E = G1; · · · ;Gn . Let S1 = � and S j+1 =G j . · · · .G1 for j 2 {1 · · ·n}.

RTS. (1) We proceed by induction on i .

Base case i = 1Pick arbitrary (� 0

1,�1) 2 traces(G1, S1) and � ,� 0 such that � 01.�1 = � 0.� . We are then required to

show wf(�1,� ), where �1 = � . It thus su�ces to show:

wfp(� , hist(�1)) ^ wfh(hist(�1))The second conjunct follows trivially from the fact that hist(�1) = � and the de�nition of wfh(�).As (� 0

1,�1) 2 traces(G1, S1), from the de�nition of traces(., .) we have getG(�1,�1,� 01). Conse-

quently, from the de�nition of getG(�1,�1,� 01) we know that wfp(� 0

1.�1, hist(�1)) holds implyingthe result in the �rst conjunct.

Base case i = j+1

8(� 0j ,�j ). · · · .(� 0

1,�1) 2 traces(G j , S j ). 8� ,� 0. � 0j .�j = � 2.� 1 ) wf(�0j ,� ) (I.H.)

where �01=� and �0l+1=(Gl , (� 0l ,�l )). · · · .(G1, (� 0

1,�1)) for l 2 {1 · · · j�1}.Pick arbitrary (� 0

i ,�i ). · · · .(� 01,�1) 2 traces(Gi , Si ) and � ,� 0 such that � 0

i .�i = � 0.� . We arethen required to show wf(�i ,� ). It thus su�ces to show:

wfp(� , hist(�i )) ^j

€

k=1getG(�k ,�k ,� 0

k ) = Gk ^ wfh(hist(�i ))

where �1=� and �l+1=(Gl , (� 0l ,�l )). · · · .(G1, (� 0

1,�1)) for l 2 {1 · · · j�1}.The second conjunct follows from the de�nition of traces(., .) and the fact that (� 0

i ,�i ). · · · .(� 0

1,�1) 2 traces(Gi , Si ). Similarly, as (� 0i ,�i ). · · · .(� 0

1,�1) 2 traces(Gi , Si ), from the de�nitionof traces(., .) we know getG(�i ,�i ,� 0

i ) = Gi and thus wfp(� 0i .�i , hist(�i )) holds implying the

result in the �rst conjunct.


2255

2256

2257

2258

2259

2260

2261

2262

2263

2264

2265

2266

2267

2268

2269

2270

2271

2272

2273

2274

2275

2276

2277

2278

2279

2280

2281

2282

2283

2284

2285

2286

2287

2288

2289

2290

2291

2292

2293

2294

2295

2296

2297

2298

2299

2300

2301

2302

2303


For the third conjunct, observe that hist(�i ) = (� 0j ,�j ).hist(�j ). As (� 0

i ,�i ). · · · .(� 01,�1) 2

traces(Gi , Si ), from the de�nition of traces(., .) we know that getG(�j ,�j ,� 0j ) = G j and thus

wfp(� 0j .�j , hist(�j )) and complete(� 0

j .�j ) hold. On the other hand, from (I.H.) we havewfh(hist(�j )).As such, from the de�nition of wfh(.) we have wfh(�i ), as required.

RTS. (2) We proceed by contradiction. Assume there exists (� 0n ,�n). · · · .(� 0

1,�1) 2 traces(Gn , Sn)such that � 0

n , � . Let �1=� and �j+1=(G j , (� 0j ,�j )). · · · .(G1, (� 0

1,�1)) for j 2 {1 · · · i�1}. From thede�nition of traces(., .) we then know that getG(�n ,�n ,� 0

n) = Gn , i.e. wfp(� 0n .�n , hist(�n)) and

complete(� 0n .�n) hold. As � 0

n , � , we then know there exists e 2 Gn .E such that PBhei 2 � 0n , i.e.

(from the well-formedness of the path) PBhei < �n . As such, since getG(�n ,�n ,� 0n) = Gn , from its

de�nition we know that e < Gn .EP . This however contradicts the assumption thatGn is PTSO-valid.⇤

Lemma A.4. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain of program P with outcomeO and Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ) for i 2 {1, · · · ,n}. For each Gi , let e1i , · · · , emi denote anenumeration of Ei \ E0i that respects poi . Then there exists P1i · · · Pmi , S1i , Smi such that:

• Pj�1i , Sj�1i ( E h� i��!)⇤ genL(e ji ,Gi )��! ( E h� i��!)⇤ Pji , Sji , for i 2 {1 · · ·n} and j 2 {1 · · ·m}

• Pmn = skip| | · · · | |skip and Smn = Owhere P01 = P; P0i = recover for i 2 {2 · · ·n}; and S0i = S0 for i 2 {1 · · ·n}.Lemma A.5. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain of program P with outcomeO . Let S1 = � and S j+1 = G j . · · · .G1 for j 2 {1 · · ·n}. Then, for all i 2 {1 · · ·n}, and all Hi . · · · .H1 2traces(Gi , Si ):(1) if i < n then

P0i , S0, �i , � )⇤ recover, S0, �i+1, �(2) P0n , S0, �n , � )⇤ skip| | · · · | |skip,O, �n ,�n

where P01 = P; P0j+1 = recover; �1 = � and �j+1=(G j ,Hj ). · · · .(G1,H1), for j 2 {1 · · ·n�1}.P��. Pick an arbitrary program P and a PTSO-valid execution chain E of P with outcome

O such that E = G1; · · · ;Gn . Let S1 = � and S j+1 = G j . · · · .G1 for j 2 {1 · · ·n}. Let P01 = P andP0j = recover for j 2 {2 · · ·n} For all i 2 {1 · · ·n}, pick arbitrary (� 0

i ,�i ) 2 traces(Gi , Si ). Let�1 = � and �j+1 = (G j , (� 0

j ,�j )). · · · .(G1, (� 01,�1)) for j 2 {1 · · ·n}.

P�� (1). Pick arbitrary i < n. From traces(Gi , Si ) we know �i respects Gi .po. That is, �i is ofthe form: sm .genL(em ,Gi ). · · · .s1.genL(e1,Gi ).s0, where:i) For each j 2 {0 · · ·m}, sj = �(j,kj ). · · · .�(j,1) and each �(j,r ) is either of the form Bh�i or of theform PBh�i, for r 2 {1 · · ·kj }; andii) e1 · · · em denotes an enumeration of Gi .E that respects Gi .po (for all e, e 0, if (e, e 0) 2 Gi .po thengenL(e,Gi ) ��i genL(e 0,Gi )).Moreover, since (� 0

i ,�i ) 2 traces(Gi , Si ), from the de�nition of traces(., .) we know thatgetG(Si ,�i ,� 0

i )=Gi . Additionally, from Lemma A.3 we know

8�,p,q. � 0i .�i = p.�.q ) fresh(�,p.q) ^ fresh(�, �i ) (31)

From (G�P��) we thus have P0i , S0, �i , � )⇤ P0i , S0, �i , s0. There are now two cases to consider: 1)m = 0; or 2)m > 0.

In case (1), we have �i = s0 and thus (since each event in s0 is either of the form Bh�i or ofthe form PBh�i) from Lemma A.3 we know s0 = �i = � 0

i = � . As such, we have P0i , S0, �i , � )⇤


2304

2305

2306

2307

2308

2309

2310

2311

2312

2313

2314

2315

2316

2317

2318

2319

2320

2321

2322

2323

2324

2325

2326

2327

2328

2329

2330

2331

2332

2333

2334

2335

2336

2337

2338

2339

2340

2341

2342

2343

2344

2345

2346

2347

2348

2349

2350

2351

2352


P0i , S0, �i , � . Moreover, since � 0i = � then comp(�i ,� 0

i ) holds. As such from (G�C��) we haveP0i , S0, �i , � )⇤ recover, S0, �i+1, � , as required.

In case (2) from Lemma A.4 we know there exists P1i · · · Pmi , S1i , Smi such that for j 2 {1 · · ·m}:

Pj�1i , Sj�1i ( E h� i��!)⇤ genL(e ji ,Gi )��! ( E h� i��!)⇤ Pji , Sji (32)

where S0i = S0 for i 2 {1 · · ·n}.For each j 2 {1 · · ·m}, from (32) we then know there exist P0j , P

00j , S

0j , S

00j such that Pj�1i , S

j�1i ( E h� i��!

)⇤P0j , S0jgenL(e ji ,Gi )��! P00j , S

00j (

E h� i��!)⇤ Pji , Sji . Letp0 = s0 andpj = sj .genL(ej ,Gi ). · · · .s1.genL(e1,Gi ).s0,for j 2 {1 · · ·m}. As such, from (G�S��P), (G�S��), (G�P��), and (31) we then have:

Pj�1i , Sj�1i , �i ,pj�1)⇤ P0

j , S0j , �i ,pj�1

) P00j , S

00j , �i , genL(ej ,Gi ).pj�1

)⇤ Pji , Sji , �i , genL(ej ,Gi ).pj�1

) Pji , Sji , �i ,pj

Consequently, we have

P0i , S0, �i , � )⇤ P0i , S0i , �i ,p0 )⇤ P1i , S

1i , �i ,p1 )⇤ · · · )⇤ Pmi , S

mi , �i ,pm

That is, we haveP0i , S

0i , �i , � )⇤ Pmi , S

mi , �i ,�i

On the other hand fromLemmaA.3we know that comp(� ,� 0) holds. As such, since getG(Si ,�i ,� 0i )=Gi ,

from (G�C��) we havePmi , S

mi , �i ,�i )⇤ recover, S0, �i+1, �

That is, we have P0i , S0i , �i , � )⇤ recover, S0, �i+1, � , as required.

P�� (2). From traces(Gn , Sn)we know�n respectsGn .po. That is,�n is of form: sm .genL(em ,Gn). · · · .s1.genL(e1,Gn).s0, where:i) For each j 2 {0 · · ·m}, sj = �(j,kj ). · · · .�(j,1) and each �(j,r ) is either of the form Bh�i or of theform PBh�i, for r 2 {1 · · ·kj }; andii) e1 · · · em denotes an enumeration of Gn .E that respects Gi .po (for all e, e 0, if (e, e 0) 2 Gn .po thengenL(e,Gn) ��n genL(e 0,Gn)).Moreover, since (� 0

n ,�n) 2 traces(Gn , Sn), from the de�nition of traces(., .) we know thatgetG(Sn ,�n ,� 0

n)=Gn . Additionally, from Lemma A.3 we know:

� 0n = � ^ 8�,p,q. � 0

n .�n = p.�.q ) fresh(�,p.q) ^ fresh(�, �n) (33)

From (G�P��) we thus have P0n , S0, �n , � )⇤ P0n , S0, �n , s0. There are now two cases to consider: 1)m = 0; or 2)m > 0.

In case (1), we have P0n = skip| | · · · | |skip, S0n = S0 = O , and �n = s0 and thus (since each eventin s0 is either of the form Bh�i or of the form PBh�i) from Lemma A.3 we know s0 = �n = � 0

n = � .As such, we trivially have P0n , S0, �n , � )⇤ skip| | · · · | |skip,O, �n , � , as required.

In case (2), in similar steps to that of the proof of part (1) we have:

P0n , S0n , �n , � )⇤ Pmn , S

mn , �n ,�n

That is, we have P0n , S0n , �n , � )⇤ skip| | · · · | |skip,O, �n ,�n , as required.⇤


2353

2354

2355

2356

2357

2358

2359

2360

2361

2362

2363

2364

2365

2366

2367

2368

2369

2370

2371

2372

2373

2374

2375

2376

2377

2378

2379

2380

2381

2382

2383

2384

2385

2386

2387

2388

2389

2390

2391

2392

2393

2394

2395

2396

2397

2398

2399

2400

2401


Corollary 1. Let E = G1; · · · ;Gn denote a PTSO-valid execution chain of program P with outcomeO .Let S1 = � and S j+1 = G j . · · · .G1 for j 2 {1 · · ·n}. Then, there exists Hn . · · · .H1 2 traces(Gn , Sn),with Hn = (�,�n) such that

P, S0, �, � )⇤ skip| | · · · | |skip,O, (Gn�1,Hn�1). · · · .(G1,H1),�nP��. Follows from Lemma A.2 and Lemma A.5. ⇤

Given an execution path � and a graph history �, the set of con�gurations induced by � and � ,written confs(�,� ), includes those con�gurations that satisfy the following condition:

confs(�,� ) , �(M, PB,B) wf(M, PB,B, hist(�),� )

Lemma A.6. For all P,P0, S, S0, �, �0, � ,� 0:if

wf(�,� ) ^ wf(�0,� 0) ^ P, S, �,� ) P0, S0, �0,� 0

then for all (M, PB,B) 2 confs(�,� ), there exists (M 0, PB0,B) 2 confs(�0,� 0) such that

P, S,M, PB,B, hist(�),� )⇤ P0, S0,M 0, PB0,B0, hist(�0),� 0

P��. Pick arbitrary P,P0, S, S0, �, �0, � ,� 0 such that wf(�,� ), wf(�0,� 0), and P, S, �,� )P0, S0, �0,� 0. Pick arbitrary (M, PB,B) 2 confs(�,� ). Let H = hist(�). From the de�nition ofconfs(., .) we then know that wf(M, PB,B,H ,� ) holds. We then proceed by induction on thestructure of ).

Case (G�S��P)From (G�S��P) we then know that P, S

E h� i��! P0, S0, and that �0 = �, � 0 = � . As such, from(A�S��P) we have P, S,M, PB, B,H ,� ) P0, S0,M, PB, B,H ,� . Moreover, as wf(M, PB, B,H ,� )holds, the required result holds immediately.

Case (G�P��)From (G�P��) we then know that there exists e and � 2 �

Bhei,PBhei such that � 0 = �.� ,fresh(�,� ), fresh(�, �), P0 = P, S0 = S and �0 = �. From the de�nition of fresh(., .) we then knowthat fresh(�,H) holds. There are now three cases to consider. Either 1) � = Bhei; or 2) � = PBheiand e 2 W [ U ; or 3) � = PBhei and e 2 PF .

In case (1), let tid(e) = � , loc(e) = x. Sincewf(M, PB, B,H ,� ) holds, from its de�nition we knowthere exist pb00, PB such that PB = (N��, pb).PB00. In what follows, we demonstrate that there

exists b such that B(� ) = b.e . From (AM�BP��) we then have M, PB,BBhe i��! M, (N��, pb[x 7!

e .PB(x)]).PB00,B[� 7! b]. As such, from (A�P��M) we have:

P, S,M, PB,B,H ,� ) P, S,M, (N��, pb[x 7! e .PB(x)]).PB0,B[� 7! b],H , �.�That is, there exists M 0 = M , PB0 = (N��, pb[x 7! e .pb00(x)]).PB00 and B0 = B[� 7! b] suchthat P, S,M, PB,B,H ,� ) P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, fromits de�nition we also have wf(M 0, PB0,B0,H ,� 0) and thus from the de�nition of confs(., .) wehave (M 0, PB0,B0) 2 confs(�,� 0), as required. We next demonstrate that there exists b such thatB(� ) = b.e .Since wf(�0,� 0) holds, we know that Whei 2 � . Moreover, as fresh(�,� ), we know that � < � .

As such, from the de�nition of wf(M, PB, B,H ,� ) we know that e 2 B(� ). Now let us suppose thate is not at the head of B(� ), i.e. there exists e 0 , e and b such that e 0 �B(� ) e . Once again, from the


2402

2403

2404

2405

2406

2407

2408

2409

2410

2411

2412

2413

2414

2415

2416

2417

2418

2419

2420

2421

2422

2423

2424

2425

2426

2427

2428

2429

2430

2431

2432

2433

2434

2435

2436

2437

2438

2439

2440

2441

2442

2443

2444

2445

2446

2447

2448

2449

2450


de�nition of wf(M, PB,B,H ,� ) we know that Whe 0i 2 � , Bhe 0i < � (and thus Bhe 0i < �.� ) andthatWhe 0i �� Whei. Moreover, since alb 2 �.� and wf(�, �.� ) holds, from the de�nition of wf(., .)and the de�nition of wfp(., .) we know that Bhe 0i �� .� Bhei. This however leads to a contradictionas Bhe 0i < �.� . We can thus conclude that there exists b such that B(� ) = b.e .

In case (2), let PB = PB00.(o, pb) and let loc(e) = x. In what follows, we demonstrate that

there exists s such that pb(x) = s .e . From (AM�PBP��) we then have M, PB,BPBhe i��! M[x 7!

e], PB00.(N��, pb[x 7! s]),B. As such, from (A�P��M) we have:P, S,M, PB,B,H ,� ) P, S,M[x 7! e], PB00.(o, pb[x 7! s]),B,H , �.�

That is, there existsM 0 = M[x 7! e], PB0 = PB00.(o, pb[x 7! s]) and B0 = B such that P, S,M, PB, B,H ,� )P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also havewf(M 0, PB0, B0,H ,� 0) and thus from the de�nition of confs(., .)wehave (M 0, PB0, B0) 2 confs(�,� 0),as required. We next demonstrate that there exists s such that pb(x) = s .e .Since wf(�0,� 0) holds, we know that there exists �e 2 � such that �e = Uhe,�i or �e = Bhei�.

Moreover, as fresh(�,� ), we know that � < � . As such, from the de�nition of wf(M, PB, B,H ,� ) weknow there exists (oe , pbe ) 2 PB such that e 2 pbe (x). Now let us suppose that e is not the next eventin PB to be propagated, i.e. either i) there exists (oe 0, pbe 0) 2 PB such that (oe 0, pbe 0) �PB (oe , pbe )and either oe 0 = S��(e 0) or there exists y such that e 0 2 pbe 0(y); or ii) e 0 �pbe (x) e . Once again,from the de�nition of wf(M, PB,B,H ,� ) we know that there exists �e 0 2 � such that �e 0 = Bhe 0i,or �e 0 = Uhe 0,�i or �e 0 = PFhe 0i, that PBhe 0i < � (and thus PBhe 0i < �.� ) and that �e 0 �� e .Moreover, since � 2 �.� and wf(�, �.� ) holds, from the de�nition of wf(., .) and the de�nition ofwfp(., .) we know that PBhe 0i �� .� PBhei. This however leads to a contradiction as PBhe 0i < �.� .We can thus conclude that there exists s such that pb(x) = s .e .

In case (3), let PB = PB00.(o, pb). In what follows, we demonstrate that (o, pb) = (S��(e), pb0).From (AM�PBP��F)we then haveM, PB, B

PBhe i��! M, PB00.(N��, pb0), B. As such, from (A�P��M)we have:

P, S,M, PB,B,H ,� ) P, S,MPB00.(N��, pb0),B,H , �.�That is, there exists M 0 = M , PB0 = PB00.(N��, pb0) and B0 = B such that P, S,M, PB,B,H ,� )P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also havewf(M 0, PB0, B0,H ,� 0) and thus from the de�nition of confs(., .)wehave (M 0, PB0, B0) 2 confs(�,� 0),as required. We next demonstrate that (o, pb) = (S��(e), pb0).

Sincewf(�0,� 0) holds, we know PFhei 2 � . Moreover, as fresh(�,� ), we know that � < � . As such,from the de�nition ofwf(M, PB, B,H ,� )we know there exists (oe , pbe ) 2 PB such that oe = S��(e).Now let us suppose that e is not the next event in PB to be propagated, i.e. either i) there exists(oe 0, pbe 0) 2 PB such that (oe 0, pbe 0) �PB (oe , pbe ) and either oe 0 = S��(e 0) or there exists y suchthat e 0 2 pbe 0(y); or ii) there exists y such that e 0 2 pbe (y). Once again, from the de�nition ofwf(M, PB,B,H ,� ) we know that there exists �e 0 2 � such that �e 0 = Bhe 0i, or �e 0 = Uhe 0,�i or�e 0 = PFhe 0i, that PBhe 0i < � (and thus PBhe 0i < �.� ) and that �e 0 �� PFhei. Moreover, since� 2 �.� and wf(�, �.� ) holds, from the de�nition of wf(., .) and the de�nition of wfp(., .) we knowthat PBhe 0i �� .� PBhei. This however leads to a contradiction as PBhe 0i < �.� . We can thusconclude that (o, pb) = (S��(e), pb0).

Case (G�S��)We know there exists e, r ,u and � 2 {Rhr , ei,Whei,Uhu, ei, Fhei,PFhei,PShei} such that � 0 = �.� ,fresh(�,� ), fresh(�, �), �0 = � and P, S

��! P0, S0. From the de�nition of fresh(., .) we then know


2451

2452

2453

2454

2455

2456

2457

2458

2459

2460

2461

2462

2463

2464

2465

2466

2467

2468

2469

2470

2471

2472

2473

2474

2475

2476

2477

2478

2479

2480

2481

2482

2483

2484

2485

2486

2487

2488

2489

2490

2491

2492

2493

2494

2495

2496

2497

2498

2499


that fresh(�,H) holds. There are now six cases to consider. Either 1) � = Rhe,wi; or 2) � =Whei;or 3) � = Uhe,wi; or 4) � = Fhei; or 5) � = PFhei; or 6) � = PShei.

Case 1: � = Rhr , eiLet tid(r ) = � , loc(r ) = x and B(� ) = b. In what follows we demonstrate that read(M, PB, b, x) = e .From (AM�R��) we then have M, PB,B

Rhr,e i��! M, PB,B. As such, from (A�S��) we have:

P, S,M, PB,B,H ,� ) P, S,M, PB,B,H , �.�That is, there existsM 0 = M , PB0 = PB and B0 = B such that P, S,M, PB, B,H ,� ) P, S,M 0, PB0, B0,H ,� 0.Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also have wf(M 0, PB0,B0,H ,� 0)and thus from the de�nition of confs(., .) we have (M 0, PB0,B0) 2 confs(�,� 0), as required. Wenext demonstrate that read(M, PB, b, x) = e .From the de�nition of wf(�, �.� ) we know that wfrd(r , e,� ,�h), where �h = �n . · · · .�1, when

� = (�, (�n ,�)). · · · .(�, (�1,�)). From the de�nition of wfrd(r , e,� ,�h) there are now four cases toconsider:

i) 9�1,�2. � = �1.Whei.�2 ^ tid(e) = tid(r ) ^ Bhei < �1^ �

Whe 0i 2 �1 loc(e 0)=loc(r ) ^ tid(e 0)=tid(r ) = ;ii) 9�1,�2, �e . � = �1.�e .�2 ^ (�e=Bhei _ �e=Uhe,�i)

^ �

Bhe 0i,Uhe 0,�i 2 �1 loc(e 0)=loc(r ) = ;^

⇢

e 0 Whe 0i 2 � ^ Bhe 0i < �^ loc(e 0)=loc(r ) ^ tid(e 0)=tid(r )

�

= ;iii) 9�1,�2. �h = �1.PBhei.�2

^8

>

><

>

>

:

Bhe 0i,Uhe 0,�i 2 � ,Whe 00i 2 � ,PBhe 0i 2 �1


9

>

>=

>

>

;

= ;

iv) e = initx

^8

>

><

>

>

:

Bhe 0i,Uhe 0,�i 2 � ,Whe 00i 2 � ,PBhe 0i 2 �h


9

>

>=

>

>

;

= ;

In case (i), since wf(M, PB,B,H ,� ) holds, from its de�nition we know there exists b0 such thatb = e .b0. As such, by de�nition we have read(M, PB, b, x) = e .In case (ii), since wf(M, PB,B,H ,� ) holds, from its de�nition we know that for all e 0 2 b,

loc(e 0) , x; and that there exists PB1, PB2, (o, pb), s such that PB = PB1.(o, pb).PB2, PB(x) = e .s andfor all (o0, pb0) 2 PB1, pb0(x) = � . As such, by de�nition we have read(M, PB, b, x) = e .In case (iii), since wf(M, PB,B,H ,� ) holds, from its de�nition we know that for all e 0 2 b,

loc(e 0) , x; that for all (o, pb) 2 PB, PB(x) = � ; and that M(x) = e . As such, by de�nition we haveread(M, PB, b, x) = e .In case (iv), , since wf(M, PB,B,H ,� ) holds, from its de�nition we know that for all e 0 2 b,

loc(e 0) , x; that for all (o, pb) 2 PB, PB(x) = � ; and that M(x) = initx

. As such, by de�nition wehave read(M, PB, b, x) = e .

Case 2: � =WheiLet tid(e) = � . From (AM�W��) we then have M, PB,B

Whe i��! M, PB,B[� 7! e .B(� )]. As such,from (A�S��) we have:

P, S,M, PB,B,H ,� ) P, S,M, PB,B[� 7! e .B(� )],H , �.�


2500

2501

2502

2503

2504

2505

2506

2507

2508

2509

2510

2511

2512

2513

2514

2515

2516

2517

2518

2519

2520

2521

2522

2523

2524

2525

2526

2527

2528

2529

2530

2531

2532

2533

2534

2535

2536

2537

2538

2539

2540

2541

2542

2543

2544

2545

2546

2547

2548


That is, there exists M 0 = M , PB0 = PB and B0 = B[� 7! e .B(� )] such that P, S,M, PB,B,H ,� )P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also havewf(M 0, PB0, B0,H ,� 0) and thus from the de�nition of confs(., .)wehave (M 0, PB0, B0) 2 confs(�,� 0),as required.

Case 3: � = Uhu, eiLet tid(u) = � and loc(u) = x. Inwhat followswe demonstrate that B(� ) = � . Sincewf(M, PB, B,H ,� )holds, from its de�nition we know there exist pb00, PB such that PB = (N��, pb).PB00. Moreover, inan analogous way to that in case (2) we can demonstrate that read(M, PB, b, x) = e . From (AM�

RMW) we then have M, PB,BUhu,e i��! M, (N��, pb[x 7! u .pb(x)]).PB00,B. As such, from (A�S��)

we have:P, S,M, PB,B,H ,� ) P, S,M, (N��, pb[x 7! u .pb(x)]).PB00,B,H , �.�

That is, there existsM 0 = M , PB0 = (N��, pb[x 7! u .pb(x)]).PB00 and B0 = B such that P, S,M, PB, B,H ,� )P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also havewf(M 0, PB0, B0,H ,� 0) and thus from the de�nition of confs(., .)wehave (M 0, PB0, B0) 2 confs(�,� 0),as required. We next demonstrate that B(� ) = � .Let us suppose that there exists e 0 such that e 0 2 b(� ). We then know that tid(e 0) = � . From

the de�nition of wf(M, PB, B,H ,� ) we then know that Whe 0i 2 � , Bhe 0i < � and thus Bhe 0i < �.� .That is, we haveWhe 0i �� .� �. Moreover, since alb 2 �.� and wf(�, �.� ) holds, from the de�nitionof wf(., .) and the de�nition of wfp(., .) we know that Bhe 0i �� .� Fhei. This however leads to acontradiction as Bhe 0i < �.� . We can thus conclude that B(� ) = � .

Case 4: � = FheiLet tid(e) = � . In an analogous way to that in case (3) we can demonstrate that B(� ) = � . From

(AM�F��) we then have M, PB,BFhe i��! M, PB,B. As such, from (A�S��) we have:

P, S,M, PB,B,H ,� ) P, S,M, PB,B,H , �.�That is, there existsM 0 = M , PB0 = PB and B0 = B such that P, S,M, PB, B,H ,� ) P, S,M 0, PB0, B0,H ,� 0.Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also have wf(M 0, PB0,B0,H ,� 0)and thus from the de�nition of confs(., .) we have (M 0, PB0,B0) 2 confs(�,� 0), as required.

Case 5: � = PFheiLet tid(e) = � . In an analogous way to that in case (3) we can demonstrate that B(� ) = � . Onthe other hand, from wf(M, PB,B,H ,� ) and the de�nition of pbuff(., .) in particular, we knowthat there exists pb and PB00 such that PB = (N��, pb).PB00. As such, from (AM�PF��) we have:

M, PB,BPFhe i��! M, (N��, pb0).(S��(e), pb).PB00,B. As such, from (A�S��) we have:

P, S,M, PB,B,H ,� ) P, S,M, (N��, pb0).(S��(e), pb).PB00,B,H , �.�That is, there existsM 0 = M , PB0 = (N��, pb0).(S��(e), pb).PB00 and B0 = B such that P, S,M, PB, B,H ,� ) P, S,M 0, PB0,B0,H ,� 0. Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition wealso have wf(M 0, PB0, B0,H ,� 0) and thus from the de�nition of confs(., .) we have (M 0, PB0, B0) 2confs(�,� 0), as required.

Case 6: � = PSheiLet tid(e) = � . In an analogous way to that in case (3) we can demonstrate that B(� ) = � . In what

follows we demonstrate that PB = PB0. As such, from (AM�PS��)we have:M, PB, BPShe i��! M, PB, B.


2549

2550

2551

2552

2553

2554

2555

2556

2557

2558

2559

2560

2561

2562

2563

2564

2565

2566

2567

2568

2569

2570

2571

2572

2573

2574

2575

2576

2577

2578

2579

2580

2581

2582

2583

2584

2585

2586

2587

2588

2589

2590

2591

2592

2593

2594

2595

2596

2597


As such, from (A�S��) we have:P, S,M, PB,B,H ,� ) P, S,M, PB,B,H , �.�

That is, there existsM 0=M , PB0=PB and B0=B such that P, S,M, PB, B,H ,� ) P, S,M 0, PB0, B0,H ,� 0.Moreover, since wf(M, PB,B,H ,� ) holds, from its de�nition we also have wf(M 0, PB0,B0,H ,� 0)and thus from the de�nition of confs(., .) we have (M 0, PB0,B0) 2 confs(�,� 0), as required. Wenext demonstrate that PB = PB0.

Let us suppose PB , PB0, i.e. there exist e 0 and (oe 0, pbe 0) 2 PB such that either i) oe 0 = S��(e 0);or ii) there exists y such that e 0 2 pbe 0(y). Once again, from the de�nition of wf(M, PB,B,H ,� )we know that there exists �e 0 2 � such that �e 0 = Bhe 0i, or �e 0 = Uhe 0,�i or �e 0 = PFhe 0i, thatPBhe 0i < � (and thus PBhe 0i < �.� ) and that �e 0 �� .� �. Moreover, since � 2 �.� and wf(�, �.� )holds, from the de�nition of wf(., .) and the de�nition of wfp(., .) we know that PBhe 0i �� .� PShei.This however leads to a contradiction as PBhe 0i < �.� . We can thus conclude thatPB = PB0.

Case (G�C��)Let � = (Gn ,�). · · · .(G1,�). From (G�C��) we know there exists � 00 and G such that P0 =recover, S0 = S0, �0 = (G, (� 00,� )).�, � 0 = � , comp(� ,� 00) and getG(Gn . · · · .G1,� ,� 00) = G. sincewf(M, PB,B,H ,� ) holds, from its de�nition we know that for all events e and all (o, pb) 2 PB:

i) e 2 B(tid(e)) () Whei 2 � ^ Bhei < � ; and thatii) e 2 pb(loc(e)) _ o = S��(e) () PBhei < � ^ (Bhei 2 � _ Uhe,�i 2 � _ PFhei 2 � ).

As such, from the de�nition of comp(., .) we know for all events e and all (o, pb) 2 PB:i) e 2 B(tid(e)) () Bhei 2 � 00;ii) e 2 pb(loc(e)) _ o = S��(e) () PBhei 2 � 00.

As such, from the de�nition of!p we have M, PB,B� 00!p �, PB0,B0. Consequently, from (A�S��)

we have:P, S,M, PB,B,H ,� ) P0, S0,M, PB0,B0, (� 00,� ).H ,� 0

That is, there exists M 0 = M , PB0 = PB0, B0 = B0 and H 0 = (� 00,� ).H = hist(�0) such that:P, S,M, PB,B,H ,� ) P, S,M 0, PB0,B0,H 0,� 0. Since comp(� ,� 00) holds, by de�nition we havecomplete(� 00.� ). Moreover, since wf(M, PB,B,H ,� ) holds and wf(�0,� 0) holds, from their de�-nitions we also have wf(M 0, PB0,B0,H 0,� 0) and thus from the de�nition of confs(., .) we have(M 0, PB0,B0) 2 confs(�,� 0), as required.

⇤

Theorem 5 (Completeness). Given a program P, for all PTSO-valid execution chains E of P withoutcome O , there exists M ,H and � such that

P, S0,M0, PB0,B0, �, � )⇤ skip| | · · · | |skip,O,M, PB0,B0,H ,�P��. Follows from Corollary 1, Lemma A.3 and Lemma A.6. ⇤

A.4 Equivalence of PTSO Operational and Intermediate SemanticsLet

Rl ,⇢

((� : l), �) (9e . getE(�) = e ^ tid(e) = � ^ lab(e) = l) _ (� = Eh� i ^ l = �)_(9e . � = Bhei ^ tid(e) = � ^ l = �) _ (9e . � = PBhei ^ l = �)

�

Lemma A.7. For all P, S,P0, S0:

• for all � , l, if P, S� :l��! P0, S0, then there exists � such that: ((� , l), �) 2 Rl and P, S

��! P0, S0;• for all �, if P, S

��! P0, S0, then there exists � , l such that: ((� , l), �) 2 Rl and P, S� :l��! P0, S0.


2598

2599

2600

2601

2602

2603

2604

2605

2606

2607

2608

2609

2610

2611

2612

2613

2614

2615

2616

2617

2618

2619

2620

2621

2622

2623

2624

2625

2626

2627

2628

2629

2630

2631

2632

2633

2634

2635

2636

2637

2638

2639

2640

2641

2642

2643

2644

2645

2646


P��. By straightforward induction on the structures of � :l��! and ��!. ⇤

Let

Rm ,

8

>

>

>

><

>

>

>

>

:

((M,PB,B),(M, PB,B))

(M,PB,B) 2 M�� ⇥ PB�� ⇥ BM��^(M, PB,B) 2 AM�� ⇥ APB�� ⇥ ABM��^8x,� . M(x) = � () val

w

(M(x)) = �^simpb(PB, PB) ^ simb(B,B)

9

>

>

>

>=

>

>

>

>

;

simpb(PB, PB) , PB = PB = � _9pb, pb,PB0, PB0. PB = PB0.(�, pb) ^ PB = PB0.pb ^ simpb(PB0, PB0)^8x. simw(pb(x), pb(x))

simw(s1, s2) , (s1 = s2 = �) _ (9�, s 01, s 02, e . s1 = s 01.� ^ s2 = s 02.e ^ val

w

(e) = �)simb(B,B) , (B = B = �) _ (9x,�,B0,B0, e . B = B0.(x,�) ^ B = B0.e ^ val

w

(e) = � ^ loc(e) = x)

Lemma A.8. For allM,PB,B,M, PB,B,M 0, PB0,B0:• ((M0,PB0,B0), (M0, PB0,B0)) 2 Rm ;• for allM0,PB0,B0,� , l, if ((M,PB,B), (M, PB,B)) 2 Rm and (M,PB,B) � :l��! (M0,PB0,B0), thenthere exist M 0, PB0,B0, � such that ((� , l), �) 2 Rl , ((M0,PB0,B0), (M 0, PB0,B0)) 2 Rm and(M, PB,B) ��! (M 0, PB0,B0).

• for all M 0, PB0,B0, �, if ((M,PB,B), (M, PB,B)) 2 Rm and (M, PB,B) ��! (M 0, PB0,B0), thenthere exist M0,PB0,B0,� , l such that ((� , l), �) 2 Rl , ((M0,PB0,B0), (M 0, PB0,B0)) 2 Rm and(M,PB,B) � :l��! (M0,PB0,B0).

P��. The proof of the �rst part follows immediately from the de�nitions of M0, PB0, B0, M0,PB0, B0. The proofs of the last two parts follow from straightforward induction on the structures of� :l��! and ��!. ⇤

Let

R ,⇢((P, S,M,PB,B),(P, S,M, PB,B,H ,� ))

P 2 P�� ^ S 2 SM�� ^H 2 H�� ^ � 2 P��^((M,PB,B), (M, PB,B)) 2 Rm

�

Lemma A.9. For all P,M,PB,B,M, PB,B,M 0, PB0,B0,H ,� :• ((P, S0,M0,PB0,B0), (P, S0,M0, PB0,B0, �, �)) 2 R;• for all P0, S0,M0,PB0,B0, if ((P, S,M,PB,B), (P, S,M, PB, B,H ,� )) 2 R and (P, S,M,PB,B) )(P0, S0,M0,PB0,B0), then there existM 0, PB0, B0,H 0,� 0 such that ((P0, S0,M0,PB0,B0), (P0, S0,M 0,PB0,B0,H 0,� 0)) 2 R and (P, S,M, PB,B,H ,� ) ) (P, S0,M 0, PB0,B0,H 0,� 0).

• for all P0, S0,M 0, PB0, B0,H 0,� 0, if ((P, S,M,PB,B), (P, S,M, PB, B,H ,� )) 2 R and (P, S,M, PB,B,H ,� ) ) (P0, S0,M 0, PB0, B0,H 0,� 0), then there existM0,PB0,B0 such that ((P0, S0,M0,PB0,B0), (P0, S0,M 0, PB0,B0,H 0,� 0)) 2 R and (P, S,M, PB,B) ) (P0, S0,M 0, PB0,B0).

P��. The proof of the �rst part follows immediately from the de�nitions of R and Lemma A.8.The proofs of the last two parts follow from straightforward induction on the structures of � :l��!, ��!,Lemma A.7 and Lemma A.8. ⇤

Theorem 6 (Intermediate and operational semantics equivalence). For all P, S:


2647

2648

2649

2650

2651

2652

2653

2654

2655

2656

2657

2658

2659

2660

2661

2662

2663

2664

2665

2666

2667

2668

2669

2670

2671

2672

2673

2674

2675

2676

2677

2678

2679

2680

2681

2682

2683

2684

2685

2686

2687

2688

2689

2690

2691

2692

2693

2694

2695


• for allM, if P, S0,M0,PB0,B0 )⇤ skip| | · · · | |skip, S,M,PB0,B0, then there existM ,H , � suchthat P, S0,M0, PB0, B0, �, � )⇤ skip| | · · · | |skip, S,M, PB0, B0,H ,� and ((M,PB0,B0), (M, PB0,B0)) 2 Rm ;

• for all M,H ,� , if P, S0,M0, PB0,B0, �, � )⇤ skip| | · · · | |skip, S,M, PB0,B0,H ,� , then thereexistsM such that P, S0,M0,PB0,B0 )⇤ skip| | · · · | |skip, S,M,PB0,B0 and ((M,PB0,B0), (M,PB0,B0)) 2 Rm .

P��. Follows from Lemma A.9 and straightforward induction on the length of )⇤. ⇤


2696

2697

2698

2699

2700

2701

2702

2703

2704

2705

2706

2707

2708

2709

2710

2711

2712

2713

2714

2715

2716

2717

2718

2719

2720

2721

2722

2723

2724

2725

2726

2727

2728

2729

2730

2731

2732

2733

2734

2735

2736

2737

2738

2739

2740

2741

2742

2743

2744


B SIMPLE QUEUE LIBRARYFor an arbitrary program P and a PTSO-valid execution E = G1; · · · ;Gn of a program P withGi = (E0, EP , E, po, rf, tso, nvo), observe that when P comprisesk threads, the trace of each executionera (via start() or recover()) comprises two stages: i) the trace of the setup stage by the masterthread �0 performing initialisation or recovery, prior to the call to run(P); followed (in po order)by ii) the trace of each of the constituent program threads �1 · · · �k , provided that the execution didnot crash during the setup stage.Note that as the execution is PTSO-valid, thanks to the placement of the persistent fence oper-

ations (pfence), for each thread �j , we know that the set of persistent events in execution era i ,namely EPi , contains roughly a pre�x (in po order) of thread �j ’s trace. More concretely, for eachconstituent thread �j 2 {�1 · · · �k } = dom(P), there exist P j1 · · · P jn such that:

1) P[�j ] = o0j ; · · · ;oP j1j ;oP

j1+1

j ; · · ·oPj2

j ; · · · ;oPjn�1+1j ; · · · ;oP jnj , comprising enq and deq operations;

and2) at the beginning of each execution era i 2 {1 · · ·n}, the program executed by thread �j

(calculated in P’ and subsequently executed by calling run(P’)) is that of sub(P[�j ],P i�1j +1),where P0

j = �1, for all j; and3) in each execution era i 2 {1 · · ·n}, the trace H(i, j) of each constituent thread �j 2 dom(P) is of

the following form:

H(i, j) , H (oPi�1j +1

j , P i�1j +1,�j ,nP i�1j +1j ) po! · · · po! H (oP

ij

j , Pij ,�j ,n

P ijj )

po! H (oPij +1

j , P ij+1,�j ,nP ij +1j ) po! · · · po! H (om

ij�1

j ,mij�1,�j ,n

mij�1

j )po! H 0(om

ij

j ,mij ,�j ,n

mij

j )

for somemij , n

P i�1j +1j , · · · ,nP

ij

j ,nP ij +1j , · · · ,nm

ij

j , where:

• The �rst line denotes the execution of the (P i�1j +1)st to (P ij )th library calls of thread �j , withH (o,� ,p,n) de�ned shortly. Moreover, before crashing and proceeding to the next era, allvolatile events (those in PE) inH (oP

i�1j +1

j , P i�1j +1,�j ,nP i�1j +1j ) po! · · · po! H (oP

ij �1

j , P ij�1,�j ,nP ij �1j )

have persisted, and a pre�x (in po order) of the volatile events in H (oPij

j , Pij ,�j ,n

P ijj ) have per-

sisted. Note that this pre�x may be equal to H (oPij

j , Pij ,�j ,n

P ijj ), in which case all its events

have persisted.• The second line denotes the execution of the subsequent library calls of thread �j wheremi

j Pnj , with none of their volatile events having persisted.• The last line denotes the execution of the (mi

j )th call of thread �j (mij Pnj ), during which the

program crashed and thus the execution of era i ended. TheH 0(o,� ,p,n) denotes a (potentiallyfull) pre�x of H (o,� ,p,n).

The trace H (o,� ,p,n) of each library call is de�ned as follows:

H (deq(),� ,p,n) , inv=I(�p , deq, ()) po! R(pc,p) po! R(tid� ,� )po! R(q.lock, 1)⇤ po! ql=U(q.lock, 0, 1)po! r=R(q.head,h) po! r=R(q.data[h],n)po! lin1=W(map[�], (p,n)) po! S1

po! PF

po! S2po! qu=W(q.lock, 0) po! ack=A(�p , deq,n)


2745

2746

2747

2748

2749

2750

2751

2752

2753

2754

2755

2756

2757

2758

2759

2760

2761

2762

2763

2764

2765

2766

2767

2768

2769

2770

2771

2772

2773

2774

2775

2776

2777

2778

2779

2780

2781

2782

2783

2784

2785

2786

2787

2788

2789

2790

2791

2792

2793


with

S1 =

(

; if n = null

R(n.t,� 0) po! R(n.pc,p 0) po! R(map[� 0], (tp, tn)) po! S3 otherwise

S3 =

8

>

>

><

>

>

>

:

; if tp > p 0

U(map[� 0], (tp 0, tn0), (p 0+1,?)) if tp p 0 and (tp 0, tn0)=(tp, tn)R(map[� 0], (tp 0, tn0)) otherwise

S2 =

(

; if n = null

lin2=W(q.head,h+1) po! PF otherwise

for some � 0, p 0, tp, tn, tp 0, tn0; and

H (enq(�),� ,p,n) , inv=I(�p , enq,n) po! R(pc,p) po! R(tid� ,� )po! W(n.val,�) po! W(n.tid,� ) po! W(n.pc,p)po! W(map[�], (p,n)) po! PF

po! R(q.lock, 1)⇤ po! U(q.lock, 0, 1) po! R(q.head,h)po! R(q.data[h],�0) po! · · · po! R(q.data[h+s�1],�s�1)| {z }

s timespo! R(q.data[h+s], null) po! lin=W(q.data[h+s],n)po! PF

po! W(q.lock, 0) po! ack=A(�p , enq, ())for some s � 0, and for all � 2 {�0 · · ·�s�1}, � , null. In the above traces, for brevity we haveomitted the thread identi�ers (�j ) and event identi�ers and represent each event with its label only.We use the H (enq(-),� ,p,n) pre�x to extract its speci�c events, e.g. H (enq(-),p,n).inv.

It is straightforward to demonstrate that hbi = (poi [ rfi )+ restricted to the lock events in–

�j 2dom(P)

mij

–

l=P i�1j +1{H (olj ,�j , l ,nlj ).ql,H (olj ,�j , l ,nlj ).qu} is a strict total order.

In particular, we know there exists an enumeration Ci = H (c1i ,� 1i ,p1i ,n1i ). · · · . H (ctii ,� tii ,ptii ,ntii )of

–

�j 2dom(P){H (oP

i�1j +1

j ,�j , P i�1j +1,nP i�1j +1j ) · · ·H (oP

ij

j ,�j , Pij ,n

P ijj }, such that:

⇢(H (cki ,� ki ,pki ,nki ).ql,H (cki ,� ki ,pki ,nki ).qu),(H (cli ,� li ,pli ,nli ).qu,H (cl+1i ,�

l+1i ,p

l+1i ,n

l+1i ).ql)

k 2 {1 · · · ti }^ l 2 {1 · · · ti�1}

�+

✓(hbi )loc |imm

Let lp(H (o,� ,p,n)) ,8

>

>

><

>

>

>

:

H (o,� ,p,n).lin if o=enq(�)H (o,� ,p,n).lin1 if o=deq() and H (o,� ,p,n).S2=;H (o,� ,p,n).lin2 if o=deq() and H (o,� ,p,n).S2,;

For each �j 2 dom(P) let:EP(i, j) = EPi \ �

e tid(e) = �j

E0(i, j) = EP(i, j) [ S(i, j)


2794

2795

2796

2797

2798

2799

2800

2801

2802

2803

2804

2805

2806

2807

2808

2809

2810

2811

2812

2813

2814

2815

2816

2817

2818

2819

2820

2821

2822

2823

2824

2825

2826

2827

2828

2829

2830

2831

2832

2833

2834

2835

2836

2837

2838

2839

2840

2841

2842


where

S(i, j) ,

8

>

>

>

>

>

>

><

>

>

>

>

>

>

>

:

A(�,m, r )

9o,a,p,n, inv.inv = I(�,m,a) = max

⇣

nvo|EP(i, j )\I⌘

^ inv 2 H (o,�j ,p,n) ^ 8r 0. A(�,m, r 0) < H (o,�j ,p,n)^ lp(H (o,�j ,p,n)) 2 EP(i, j)^ (m=deq ) r=n) ^ (m=enq ) r=())

9

>

>

>

>

>

>

>=

>

>

>

>

>

>

>

;

Let E0i =

–

�j 2dom(P)E0(i, j). From the de�nition of each E0

(i, j) and EP(i, j) we then know that EPi ✓ E0i and

E0i 2 comp(EPi ). Let Ti = trunc(E0

i ) andHi =H (c1i ,� 1i ,p1i ,n1i ).inv . H (c1i ,� 1i ,p1i ,n1i ).ack. · · · .H (ctii ,� tii ,ptii ,ntii ).inv . H (ctii ,� tii ,ptii ,ntii ).ack

LetisQ(q,Q, nvo, E0, EP ) , (initq = max

⇣

nvo|EP\(W[U )q⌘

^Q=�)_(9h, s . |Q | =s ^ 8� 2 Q . � , null

^valw

(max⇣

nvo|EP\(W[U )q .head⌘

)=h^8k 2 {0 · · · s�1}.val

w

(max⇣

nvo|EP\(W[U )q .data[h+k]⌘

)= Q |k^8k � s .

val

w

(max⇣

nvo|E0\(W[U )q .data[h+k]⌘

)=null^(EP \ E0) \ (W [ U )q .data[h+k] = ;)

and

getQ(s,H ) ,

8

>

>

>

>

>

>

>

>

>

><

>

>

>

>

>

>

>

>

>

>

:

s if H=�getQ(s;n,H 0) if 9n,H 0, �. n,null ^ H=I(�, enq,n).A(�, enq, ()).H 0

getQ(s 0,H 0) if 9n,H 0, �, s 0. n,null ^ s=n; s 0

^ H=I(�, deq, ()).A(�, deq,n).H 0

getQ(s,H 0) if 9H 0, �. s=� ^ H=I(�, deq, ()).A(�, deq, null).H 0


Lemma B.1. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Hi be de�nedas above with Ci = H (c1i ,� 1i ,p1i ,n1i ). · · · .H (ctii ,� tii ,ptii ,ntii ). For all i 2 {1 · · ·n}, and a,b, let Ob

a =

H (cai ,� ai ,pai ,nai ).inv.H (cai ,� ai ,pai ,nai ).ack. · · · .H (cbi ,�bi ,pbi ,nbi ).inv.H (cbi ,�bi ,pbi ,nbi ).ack.For all Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ), Hi , for all Q0

i and for all l 2 {0 · · · ti }, k=ti�l , Eki =EPi \

ti–

x=k+1H (cxi ,� xi ,pxi ,nxi ).E, and Qk

i :

getQ(Q0i ,O

k1 ) = Qk

i ^ isQ(q,Qki , nvoi , E

0i , E

ki ) )

9Qti . getQ(Qk

i ,Otik+1) = Qt

i ^ isQ(q,Qti , nvoi , E

0i , E

Pi )

P��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn . Let Hi and Ci be as de�ned asabove for all i 2 {1 · · ·n}. Pick an arbitrary i 2 {1 · · ·n}, Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ) andHi . We proceed by induction on l .


2843

2844

2845

2846

2847

2848

2849

2850

2851

2852

2853

2854

2855

2856

2857

2858

2859

2860

2861

2862

2863

2864

2865

2866

2867

2868

2869

2870

2871

2872

2873

2874

2875

2876

2877

2878

2879

2880

2881

2882

2883

2884

2885

2886

2887

2888

2889

2890

2891


Base case l = 0, k = tiPick arbitrary Q0

i and Qki such that getQ(Q0

i ,Ok1 ) = Qk

i and isQ(q,Qki , nvoi , E

0i , E

ki ). As k = ti , we

have isQ(q,Qki , nvoi , E

0i , E

Pi ). As Oti

k+1=� , we have getQ(Qki ,O

tik+1) = Qk

i , as required.

Inductive case 0 < l ti

8Q . 8k 0 > k . getQ(Q0i ,O

k 01 ) = Q ^ isQ(q,Q, nvoi , E0i , Ek

0i ) )

9Qti . getQ(Q,Oti

k 0+1) = Qti ^ isQ(q,Qt

i , nvoi , E0i , E

Pi )

(I.H.)

Pick arbitrary Q0i and Q

ki such that getQ(Q0

i ,Ok1 ) = Qk


0i , E

ki ). We are then

required to show that there exists Qti such that getQ(Qk

i ,Otik+1) = Qt

i and isQ(q,Qti , nvoi , E

0i , E

Pi ).

We then know:Otik+1 = H (ck+1i ,�

k+1i ,pk+1i ,n

k+1i ).inv.H (ck+1i ,�

k+1i ,pk+1i ,n

k+1i ).ack.Oti

k+2

There are now three cases to consider: 1) there existsm such that ck+1i =enq(m) and nk+1i =m; or 2)there existsm , null such that ck+1i =deq() and nk+1i =m; or 3) ck+1i =deq() and nk+1i =null.

In case (1), as getQ(Q0i ,O

k1 ) = Qk

i , from its de�nitionwe have getQ(Q0i ,O

k+11 ) = Qk

i .m. LetQk+1i =

Qki .m. Given H (ck+1i ,�

k+1i ,pk+1i ,n

k+1i ), since from the PTSO-validity ofGi we have E0i ⇥ (EPi \ E0i ) ✓

nvoi and as isQ(q,Qki , nvoi , E

0i , E

ki ) holds, from its de�nition we have isQ(q,Qk+1

i , nvoi , E0i , E

k+1i ).

From (I.H.) we know there exists Qti such that getQ(Qk+1

i ,Otik+2) = Qt


0i , E

Pi ).

As getQ(Qk+1i ,O

tik+2) = Qt

i , from its de�nition we also have getQ(Qki ,O

tik+1) = Qt

i , as required.

In case (2), given the trace of H (ck+1i ,�k+1i ,pk+1i ,n

k+1i ) we know that there existsw, r ,a such that

w=W(q.data[a],m), r = H (ck+1i ,�k+1i ,pk+1i ,n

k+1i ).r and (w, r ) 2 rfi . As hbi is acyclic and Gi is

PTSO-valid, we know either:i)w 2 E0i and for all j 2 {1 · · ·k}, H (c ji ,� ji ,p ji ,nji ).E \ (W [ U )

q.data[a] = ;; orii) exists j s.t. 1 j k andw 2 H (c ji ,� ji ,p ji ,nji ) and for all j 0 2 {j+1 · · ·k}, H (c j0i ,� j

0i ,p

j0i ,n

j0i ).E \(W [ U )

q.data[a] = ;.As E0i ✓ EPi and the events ofH (c ji ,� ji ,p ji ,nji ) are persistent (discussed above in the construction of

Hi ), we know thatw 2 Eki . Moreover, as the lock events are totally ordered by hbi , and hbi ✓ po[tso(Lemma E.2), given the placement of pfence instructions and the construction of the enumerationCi , we know that for all locations x, ifw1 = W(x,�) 2 H (c fi ,�,�,�),w2 = W(x,�) 2 H (c�i ,�,�,�),and f < �, then (w1,w2) 2 nvoi . As such, in both cases we know thatmax

⇣

nvo|Eki \(W[U )q.data[a]

⌘

=w .

Moreover, since isQ(q,Qki , nvoi , E

0i , E

ki ) holds, we know that val

w

(max⇣

nvo|Eki \W q.data[a]

⌘

)= Qki

�

�

0.We thus have Qk

i

�

�

0 =m.LetQk

i =m.Q0 for someQ 0 and letQk+1

i = Q 0. As getQ(Q0i ,O

k1 ) holds, from its de�nition we also

have getQ(Q0i ,O

k+11 ) = Qk+1

i . Given the trace H (ck+1i ,�k+1i ,pk+1i ,n

k+1i ), as isQ(q,Qk

i , nvoi , E0i , E

ki )

holds, from its de�nition we have isQ(q,Qk+1i , nvoi , E

0i , E

k+1i ). From (I.H.) we then know there

existsQti such that getQ(Qk+1

i ,Otik+2) = Qt


0i , E

Pi ). As getQ(Qk+1

i ,Otik+2) = Qt

i ,from its de�nition we also have getQ(Qk

i ,Otik+1) = Qt

i , as required.Case (3) is analogous to that of case (2) and is omitted here.

⇤

Corollary 2. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Hi be de�nedas above. For all Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ), Hi and for all Q0

i :

isQ(q,Q0i , nvoi , E

0i , E

0i ) )


2892

2893

2894

2895

2896

2897

2898

2899

2900

2901

2902

2903

2904

2905

2906

2907

2908

2909

2910

2911

2912

2913

2914

2915

2916

2917

2918

2919

2920

2921

2922

2923

2924

2925

2926

2927

2928

2929

2930

2931

2932

2933

2934

2935

2936

2937

2938

2939

2940


9Qti . getQ(Q0

i ,Hi ) = Qti ^ isQ(q,Qt

i , nvoi , E0i , E

Pi )

P��. Follows immediately from the previous lemma when k = 0. ⇤

Lemma B.2. Given a PTSO-valid execution E = G1; · · · ;Gn , if H = H1. · · · .Hn with Hi de�ned asabove for all i 2 {1 · · ·n}, then:

9Q . getQ(�,H ) = QP��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn , with H = H1. · · · .Hn and Hi

de�ned as above for all i 2 {1 · · ·n}. LetQ01 = � . By de�nition we then have isQ(q,Q0

1, nvo1, E01, E

01).

On the other hand from Corollary 2 we have:

9Qt1 . getQ(Q0

1,H1) = Qt1 ^ isQ(q,Qt

1, nvo1, E01, E

P1 )

8Q02 . isQ(q,Q0

2, nvo2, E02, E

02) )

9Qt2 . getQ(Q0

2 ,H2) = Qt2 ^ isQ(q,Qt

2, nvo2, E02, E

P2 )

· · ·8Q0

n . isQ(q,Q0n , nvon , E0n , E0n) )

9Qtn . getQ(Q0

n ,Hn) = Qtn ^ isQ(q,Qt

n , nvon , E0n , EPn )For all j 2 {2 · · ·n}, let Q0

j = getQ(Q0j�1,Hj�1). From above we then have :

9Qt1, · · · ,Qt

n .getQ(Q0

1,H1) = Qt1 ^ getQ(Qt

1,H2) = Qt2 ^ · · · ^ getQ(Qt

n�1,Hn) = Qtn

From its de�nition we thus know there exists Qtn such that getQ(Q0

1,H1. · · · .Hn) = Qtn . That is,

there exists Q such that getQ(�,H ) = Q , as required. ⇤

Theorem 7. For all client programs P of the queue library (comprising calls to enq and deq only)and all PTSO-valid executions E of start(P), E is persistently linearisable.

P��. Pick an arbitrary program P and a PTSO-valid execution E = G1; · · · ;Gn of P. For eachi 2 {1 · · ·n}, construct Ti and Hi as above. It then su�ces to show that:

8i 2 {1 · · ·n}. 8a,b 2 Ti . (a,b) 2 hbi ) a �Hi b (34)fifo(�,H ) holds when H = H1. · · · .Hn (35)

TS. (34)Pick arbitrary i 2 {1 · · ·n},a,b 2 Ti such that (a,b) 2 hbi .We then know there exist c,� ,p,n, c 0,� 0,p 0,n0 such that a 2 H (c,� ,p,n), b 2 H (c 0,� 0,p 0,n0) and either:1) H (c,� ,p,n)=H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).inv and b = H (c,� ,p,n).ack; or2) H (c,� ,p,n)=H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).ack and b = H (c,� ,p,n).inv; or3) H (c,� ,p,n) , H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).inv and b=H (c 0,� 0,p 0,n0).ack; or4) H (c,� ,p,n) , H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).inv and b=H (c 0,� 0,p 0,n0).inv; or5) H (c,� ,p,n) , H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).ack and b=H (c 0,� 0,p 0,n0).inv; or6) H (c,� ,p,n) , H (c 0,� 0,p 0,n0), a=H (c,� ,p,n).ack and b=H (c 0,� 0,p 0,n0).ack.In case (1) the desired result holds immediately. In case (2) we have b

poi! ahbi! b, and since

poi ✓ hbi we have bhbi! a

hbi! b. Consequently, from the transitivity of hbi we have (b,b) 2 hbi ,contradicting the acyclicity of hbi in Lemma E.1.

In case (3) from the totality of hbi on lock events (see above), we know that either i) (H (c,� ,p,n).qu,H (c 0,� 0,p 0,n0).ql) 2 hbi ; or ii) (H (c 0,� 0,p 0,n0).qu,H (c,� ,p,n).ql) 2 hbi . In case (3.i) from the con-struction of Ci we know that a �Hi b, as required.


2941

2942

2943

2944

2945

2946

2947

2948

2949

2950

2951

2952

2953

2954

2955

2956

2957

2958

2959

2960

2961

2962

2963

2964

2965

2966

2967

2968

2969

2970

2971

2972

2973

2974

2975

2976

2977

2978

2979

2980

2981

2982

2983

2984

2985

2986

2987

2988

2989


In case (3.ii), as (a,b) 2 hbi andH (c,� ,p,n) , H (c 0,� 0,p 0,n0), we know there existsw, r ,d, e,w 0, r 0such that either:

a) d < H (c,� ,p,n), e < H (c 0,� 0,p 0,n0) and a poi! dhbi! e

poi! b; or

b)w 2 W \ H (c,� ,p,n), e < H (c 0,� 0,p 0,n0) and a poi! H (c,� ,p,n).ql hbi!⇤w

rfi! rhbi! e

poi! b; or

c) r 2 R \ H (c 0,� 0,p 0,n0), d < H (c,� ,p,n) and a poi! dhbi!

⇤w

rfi! rpoi! H (c 0,� 0,p 0,n0).qu poi! b; or

d) w 2 W \ H (c,� ,p,n), r 2 R \ H (c 0,� 0,p 0,n0) and apoi! H (c,� ,p,n).ql poi! w

rfi! r 0hbi! w 0 rfi!

rpoi! H (c 0,� 0,p 0,n0).qu poi! b.We next demonstrate that in all four cases (a-d) we have H (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu. We

then have H (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu hbi! H (c,� ,p,n).ql, and thus from the transitivity ofhbi we have (H (c,� ,p,n).ql,H (c,� ,p,n).ql) 2 hbi , contradicting the acyclicity of hbi in Lemma E.1.In case (3.ii.a) we also have H (c,� ,p,n).ql poi! d and e

poi! H (c 0,� 0,p 0,n0).qu. As such wehave H (c,� ,p,n).ql poi! d

hbi! epoi! H (c 0,� 0,p 0,n0).qu, i.e. from the transitivity of hbi we have

H (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu. In case (3.ii.b) we also have epoi! H (c 0,� 0,p 0,n0).qu. As such

we have H (c,� ,p,n).ql hbi!⇤w

rfi! rhbi! e

poi! H (c 0,� 0,p 0,n0).qu, i.e. from the transitivity of hbi wehave H (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu. In case (3.ii.c) we also have H (c,� ,p,n).ql poi! d . As such

we have H (c,� ,p,n).ql poi! dhbi!

⇤w

rfi! rpoi! H (c 0,� 0,p 0,n0).qu, i.e. from the transitivity of hbi

we have H (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu. In case (3.ii.d) from the transitivity of hbi we haveH (c,� ,p,n).ql hbi! H (c 0,� 0,p 0,n0).qu.In case (4) we then have a

hbi! bpoi! H (c 0,� 0,p 0,n0).ack, and thus as poi ✓ hbi and hbi is tran-

sitively closed, we have ahbi! H (c 0,� 0,p 0,n0).ack. As such, from the proof of part (3) we have

a �Hi H (c 0,� 0,p 0,n0).ack, and consequently since H (c,� ,p,n),H (c 0,� 0,p 0,n0), from the construc-tion Hi we have a �Hi b, as required.

In case (5) we then have H (c,� ,p,n).inv poi! ahbi! b

poi! H (c 0,� 0,p 0,n0).ack, and thus as poi ✓hbi and hbi is transitively closed, we have H (c,� ,p,n).inv hbi! H (c 0,� 0,p 0,n0).ack. As such, fromthe proof of part (3) we have H (c,� ,p,n).inv �Hi H (c 0,� 0,p 0,n0).ack, and consequently sinceH (c,� ,p,n) , H (c 0,� 0,p 0,n0), from the construction Hi we have a �Hi b, as required.

In case (6) we then have H (c,� ,p,n).inv poi! ahbi! b, and thus as poi ✓ hbi and hbi is transitively

closed, we haveH (c,� ,p,n).inv hbi! b. As such, from the proof of part (3) we haveH (c,� ,p,n).inv �Hi

b, and consequently since H (c,� ,p,n),H (c 0,� 0,p 0,n0), from the construction Hi we have a �Hi b,as required.

TS. (35)From Lemma B.2 we know there exists Q such that getQ(�,H ) = Q . From the de�nition of fifo(., .)we know fifo(�,H ) holds if and only if there exists Q such that getQ(�,H ) = Q . As such we havefifo(�,H ), as required.

⇤

C MICHAEL-SCOTT QUEUE LIBRARYAs before, for an arbitrary program P and a PTSO-valid execution E = G1; · · · ;Gn of P withGi = (E0, EP , E, po, rf, tso, nvo), observe that when P comprisesk threads, the trace of each execution


2990

2991

2992

2993

2994

2995

2996

2997

2998

2999

3000

3001

3002

3003

3004

3005

3006

3007

3008

3009

3010

3011

3012

3013

3014

3015

3016

3017

3018

3019

3020

3021

3022

3023

3024

3025

3026

3027

3028

3029

3030

3031

3032

3033

3034

3035

3036

3037

3038


era (via start() or recover()) comprises two stages: i) the trace of the setup stage by the masterthread �0 performing initialisation or recovery, prior to the call to run(P); followed (in po order)by ii) the trace of each of the constituent program threads �1 · · · �k , provided that the execution didnot crash during the setup stage.

As before, thanks to the placement of the persistent fence operations (pfence), for each thread �j ,we know that the set of persistent events in execution era i , namely EPi , contains roughly a pre�x (inpo order) of thread �j ’s trace. More concretely, for each constituent thread �j 2 {�1 · · · �k } = dom(P),there exist P1

j · · · Pnj such that:

1) P[�j ] = o0j ; · · · ;oP 1j

j ;oP 1j +1

j ; · · ·oP2j

j ; · · · ;oPn�1j +1

j ; · · · ;oPnj

j , comprising enq and deq operations;and2) at the beginning of each execution era i 2 {1 · · ·n}, the program executed by thread �j

(calculated in P’ and subsequently executed by calling run(P’)) is that of sub(P[�j ],P i�1j +1),where P0

j = �1, for all j; and3) in each execution era i 2 {1 · · ·n}, the trace H(i, j) of each constituent thread �j 2 dom(P) is of

the following form:

H(i, j) , H (oPi�1j +1

j ,�j , P i�1j +1,nP i�1j +1j , e

P i�1j +1j )

po! · · · po! H (oPij

j ,�j , Pij ,n

P ijj , e

P ijj )

po! H (oPij +1

j ,�j , P ij+1,nP ij +1j , e

P ij +1j )

po! · · · po! H (omij�1

j ,�j ,mij�1,n

mij�1

j , emij�1

j )po! H 0(om

ij

j ,�j ,mij ,n

mij

j , emij

j )

for somemij , n

P i�1j +1j , · · · ,nP

ij

j ,nP ij +1j , · · · ,nm

ij

j , eP i�1j +1j , · · · , eP

ij

j , eP ij +1j , · · · , em

ij

j where:

• The �rst two lines denote the execution of the (P i�1j +1)st to (P ij )th library calls of thread �j ,with H (o,� ,p,n, e) de�ned shortly. Moreover, before crashing and proceeding to the next era,all volatile events (those in PE) in H (oP

i�1j +1

j , · · · ) po! · · · po! H (oPij �1

j , · · · ) have persisted, anda pre�x (in po order) of the volatile events in H (oP

ij

j ,�j , Pij ,n

P ijj , e

P ijj ) have persisted. Note that

this pre�x may be equal to H (oPij

j ,�j , Pij ,n

P ijj , e

P ijj ), in which case all its events have persisted.

• The next two lines denote the execution of the subsequent library calls of thread �j wheremi



program crashed and thus the execution of era i ended. As before, the H 0(o,� ,p,n, e) denotesa (potentially full) pre�x of H (o,� ,p,n, e).

The trace H (o,� ,p,n, e) of each library call is de�ned as follows:

H (deq(),� ,p,n,h) , inv=I(�p , deq, ())po! R(pc,p) po! R(tid� ,� )

po! FEpo! rh=R(q.head,h)

po! r=R(q.data[h],n)po! S0

po! lin1=W(map[�][p],n)po! S1

po! PF

po! S2po! ack=A(�p , deq,n)

where FE denotes the sequence of events, attempting but failing to set the rem �eld of the headnode, with

S0 =

(

; if n = null

U(n.rem, null,� ) otherwise


3039

3040

3041

3042

3043

3044

3045

3046

3047

3048

3049

3050

3051

3052

3053

3054

3055

3056

3057

3058

3059

3060

3061

3062

3063

3064

3065

3066

3067

3068

3069

3070

3071

3072

3073

3074

3075

3076

3077

3078

3079

3080

3081

3082

3083

3084

3085

3086

3087


S1 =

(

; if n = null

R(n.t,� 0) po! R(n.pc,p 0) po! W(map[� 0][p 0],>) otherwise

S2 =

(

; if n = null

lin2=W(q.head,h+1) po! PF otherwisefor some � 0, p 0; and

H (enq(�),� ,p,n, e) , inv=I(�p , enq,n)po! R(pc,p) po! R(tid� ,� )

po! W(n.val,�) po! W(n.tid,� ) po! W(n.pc,p) po! W(n.rem, null)po! W(map[�][p],n) po! PF

po! R(q.head,h)po! R(q.data[h],�0)

po! A0 · · · R(q.data[h+s�1],�s�1)po! As�1

| {z }s times

po! R(q.data[h+s], null) po! lin=U(q.data[h+s], null,n)po! PF

po! ack=A(�p , enq, ())for some s � 0 such that h+s = e , and for all k 2 {0 · · · s�1}, either 1) �k , null and Ak = ;; or�k = null andAk = R(q.data[h+k],� 0

k )with� 0k , null. In the above traces, for brevity we have

omitted the thread identi�ers (�j ) and event identi�ers and represent each event with its label only.We use the H (enq(-),� ,p,n, e) pre�x to extract its speci�c events, e.g. H (enq(-),� ,p,n, e).inv.

Let us write q.tail to denote the index of the last entry in the queue. Observe that eachenq operation leaves the q.head value unchanged while increasing q.tail by 1. Similarly, eachdeq operation leaves q.tail unchanged while increasing q.head by one. Note that in eachH (enq(�),� ,p,n, e), the e�1 denotes the value of q.tail immediately before the insertion of noden by H (enq(�),� ,p,n, e), i.e. the e denotes the value of q.tail immediately after the insertionof node n by H (enq(�),� ,p,n, e). Similarly, in each H (deq(),� ,p,n,h), the h denotes the value ofq.head immediately before the removal of node n by H (deq(),� ,p,n,h).Let:

lp(H (o,� ,p,n, e)) ,8

>

><

>

>

:

H (o,� ,p,n, e).lin if o=enq(�)H (o,� ,p,n, e).lin1 if o=deq() and H (o,� ,p,n, e).S2=;H (o,� ,p,n, e).lin2 if o=deq() and H (o,� ,p,n, e).S2,;

For each �j 2 dom(P) let:EP(i, j) = EPi \ �

e tid(e) = �j

E0(i, j) = EP(i, j) [ S(i, j)

where

S(i, j) ,

8

>

>

>

>

>

>

><

>

>

>

>

>

>

>

:

A(�,m, r )

9o,a,p,n, inv, e .

inv = I(�,m,a) = max✓

nvo|EP(i, j )\I◆

^ inv 2 H (o,�j ,p,n, e) ^ 8r 0. A(�,m, r 0) < EP(i, j)^ lp(H (o,�j ,p,n, e)) 2 EP(i, j)^ (m=deq ) r=n) ^ (m=enq ) r=())

9

>

>

>

>

>

>

>=

>

>

>

>

>

>

>

;

Let E0i =

–




i ).LetCi denote an enumeration of

–

�j 2dom(P){H (oP

i�1j +1

j ,�j , P i�1j +1,nP i�1j +1j ) · · ·H (oP

ij

j ,�j , Pij ,n

P ijj } that

respectsmemory order (in tsoi ) of linearisation points. That is, for allH (o,�j ,p,n, e),H (o0,�j0,p 0,n0, e 0),if lp(H (o,�j ,p,n, e)) tsoi! lp(H (o0,�j0,p 0,n0, e 0)), then H (o,�j ,p,n, e) �Ci H (o0,�j0,p 0,n0, e 0).


3088

3089

3090

3091

3092

3093

3094

3095

3096

3097

3098

3099

3100

3101

3102

3103

3104

3105

3106

3107

3108

3109

3110

3111

3112

3113

3114

3115

3116

3117

3118

3119

3120

3121

3122

3123

3124

3125

3126

3127

3128

3129

3130

3131

3132

3133

3134

3135

3136


When Ci is enumerated as Ci = H (c1i ,� 1i ,p1i ,n1i , e1i ). · · · . H (ctii ,� tii ,ptii ,ntii , etii ), let us de�neHi =H (c1i ,� 1i ,p1i ,n1i , e1i ).inv . H (c1i ,� 1i ,p1i ,n1i , e1i ).ack. · · · .H (ctii ,� tii ,ptii ,ntii , etii ).inv . H (ctii ,� tii ,ptii ,ntii , etii ).ack

Lemma C.1. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Ci be asde�ned above. Then, for all H (o,� ,p,n, e), H (o0,� 0,p 0,n0, e 0), a,b, c,d , if a 2 H (o,� ,p,n, e) and b 2H (o0,� 0,p 0,n0, e 0), Ci |c = H (o,� ,p,n, e), Ci |d = H (o0,� 0,p 0,n0, e 0) and (a,b) 2 hbi , then either 1)c = d and (a,b) 2 poi ; or 2) c < d .

P��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn , with Ci de�ned as above forall i 2 {1 · · ·n}. Let hb0i = poi [ rfi and hbj+1i = hb0i ; hb

ji for all j 2 N. It is then straightforward

to demonstrate that hbi =–

j 2Nhbji . As such, it su�ces to show that for all j 2 N, H (o,� ,p,n, e),

H (o0,� 0,p 0,n0, e 0), a,b, c,d :a 2 H (o,� ,p,n, e) ^ b 2 H (o0,� 0,p 0,n0, e 0) ^ (a,b) 2 hbji^ Ci |c = H (o,� ,p,n, e) ^ Ci |d = H (o0,� 0,p 0,n0, e 0)

) (c = d ^ (a,b) 2 poi ) _ c < d

We thus proceed by induction on j.

Base case j = 0Pick arbitrary H (o,� ,p,n, e), H (o0,� 0,p 0,n0, e 0), a,b, c,d such that a 2 H (o,� ,p,n, e) and b 2H (o0,� 0,p 0,n0, e 0), Ci |c = H (o,� ,p,n, e), Ci |d = H (o0,� 0,p 0,n0, e 0) and (a,b) 2 hb0i .

There are now 5 cases to consider: 1) c = d ; or 2) c , d , o = enq(�) and o0 = enq(� 0) for some

�,� 0; or 3) c , d , o = enq(�) and o0 = deq() for some � ; or 4) c , d , o = deq() and o0 = enq(� 0)

for some � 0; or 5) c , d , o = deq() and o0 = deq().In case 1) we then know that either (a,b) 2 poi or (b,a) 2 poi . In the former case the desired

result holds immediately. In the latter case we then have ahb0i! b

poi! a, i.e (a,a) 2 hbi , contradictingthe assumption that hbi is acyclic (Lemma E.1).In case (2), there are two more cases to consider: i) (a,b) 2 poi , or ii) (a,b) 2 rfi . In case (2.i),

we then know that lp(H (o,� ,p,n, e)) poi! lp(H (o0,� 0,p 0,n0, e 0)). As both linearisation points are inW[U , from the PTSO-validity ofGi we also know that lp(H (o,� ,p,n, e)) tsoi! lp(H (o0,� 0,p 0,n0, e 0)).As such, from the de�nition of Ci we know that c < d , as required.

In case (2.ii) we know that either a) � = � 0 or b) � , � 0. In case (2.ii.a) we then have (a,b) 2 poi(since otherwise we would have a cyclic hbi ) and thus from t he proof of part (2.i) we have c < das required. In case (2.ii.b) we then know that a = lp(H (o,� ,p,n, e)), i.e. loc(a) = q.data[e].Moreover, from the PTSO-validity of Gi and since (a,b) 2 rfi we know that (a,b) 2 tsoi . Onthe other hand, from the shape of enq traces we know that (b, lp(H (o0,� 0,p 0,n0, e 0))) 2 poi andthus from the PTSO-validity of Gi we have (b, lp(H (o0,� 0,p 0,n0, e 0))) 2 tsoi . We thus have a

tsoi!b

tsoi! lp(H (o0,� 0,p 0,n0, e 0)) and thus from the transitivity of tsoi we have a=lp(H (o,� ,p,n, e)) tsoi!lp(H (o0,� 0,p 0,n0, e 0)). As such, from the de�nition of Ci we know that c < d , as required.In case (3) there are two more cases to consider: i) (a,b) 2 poi , or ii) (a,b) 2 rfi . In case (3.i),



3137

3138

3139

3140

3141

3142

3143

3144

3145

3146

3147

3148

3149

3150

3151

3152

3153

3154

3155

3156

3157

3158

3159

3160

3161

3162

3163

3164

3165

3166

3167

3168

3169

3170

3171

3172

3173

3174

3175

3176

3177

3178

3179

3180

3181

3182

3183

3184

3185


In case (3.ii) we know that either a) � = � 0 or b) � , � 0. In case (3.ii.a) we then have (a,b) 2 poi(since otherwise we would have a cyclic hbi ) and thus from t he proof of part (3.i) we have c < d asrequired.In case (3.ii.b) we then know that either 1) a = lp(H (o,� ,p,n, e)), b = H (o0,� 0,p 0,n0, e 0).r , i.e.

e = e 0; or 2) loc(a) = n.t or loc(a) = n.pc. In case (3.ii.b.1) from the PTSO-validity ofGi and since(a,b) 2 rfi we know that (a,b) 2 tsoi . On the other hand, from the shape of deq traces we know that(b, lp(H (o0,� 0,p 0,n0, e 0))) 2 poi . Thus from PTSO-validity ofGi we have (b, lp(H (o0,� 0,p 0,n0, e 0)))2 tsoi . We thus have a

tsoi! btsoi! lp(H (o0,� 0,p 0,n0, e 0)) and thus from the transitivity of tsoi we

have a=lp(H (o,� ,p,n, e)) tsoi! lp(H (o0,� 0,p 0,n0, e 0)). As such, from the de�nition of Ci we knowthat c < d , as required.

In case (3.ii.b.2) from the shape of the traceswe also know�

lp(H (o,� ,p,n, e)),H (o0,� 0,p 0,n0, e 0).r �2 rfi and thus from the proof of part (3.ii.b.1) we have c < d , as required.In case (4) there are two more cases to consider: i) (a,b) 2 poi , or ii) (a,b) 2 rfi . In case (4.i),


In case (4.ii) we know that either a) � = � 0 or b) � , � 0. In case (4.ii.a) we then have (a,b) 2 poi(since otherwise we would have a cyclic hbi ) and thus from t he proof of part (4.i) we have c < d asrequired.In case (4.ii.b) we then know that a = lp(H (o,� ,p,n, e)). From the PTSO-validity of Gi and

since (a,b) 2 rfi we know that (a,b) 2 tsoi . On the other hand, from the shape of enq traceswe know that (b, lp(H (o0,� 0,p 0,n0, e 0))) 2 poi and thus from the PTSO-validity of Gi we have(b, lp(H (o0,� 0,p 0,n0, e 0))) 2 tsoi . We thus have a

tsoi! btsoi! lp(H (o0,� 0,p 0,n0, e 0)) and thus from

the transitivity of tsoi we have a=lp(H (o,� ,p,n, e)) tsoi! lp(H (o0,� 0,p 0,n0, e 0)). As such, from thede�nition of Ci we know that c < d , as required.In case (5) there are two more cases to consider: i) (a,b) 2 poi , or ii) (a,b) 2 rfi . In case (5.i),


In case (5.ii) we know that either a) � = � 0 or b) � , � 0. In case (5.ii.a) we then have (a,b) 2 poi(since otherwise we would have a cyclic hbi ) and thus from t he proof of part (5.i) we have c < d asrequired.In case (5.ii.b) we then know that a = lp(H (o,� ,p,n, e)) From the PTSO-validity of Gi and

since (a,b) 2 rfi we know that (a,b) 2 tsoi . On the other hand, from the shape of deq traceswe know that (b, lp(H (o0,� 0,p 0,n0, e 0))) 2 poi and thus from the PTSO-validity of Gi we have(b, lp(H (o0,� 0,p 0,n0, e 0))) 2 tsoi . We thus have a

tsoi! btsoi! lp(H (o0,� 0,p 0,n0, e 0)) and thus from

the transitivity of tsoi we have a=lp(H (o,� ,p,n, e)) tsoi! lp(H (o0,� 0,p 0,n0, e 0)). As such, from thede�nition of Ci we know that c < d , as required.

Inductive case j =m+1

8j 0 2 N. 8H (o,� ,p,n, e),H (o0,� 0,p 0,n0, e 0),a,b, c,d .j 0 m ^ a 2 H (o,� ,p,n, e) ^ b 2 H (o0,� 0,p 0,n0, e 0) ^ (a,b) 2 hbj

0i

^ Cki

�

�

c = H (o,� ,p,n, e) ^ Cki

�

�

d = H (o0,� 0,p 0,n0, e 0)) (c = d ^ (a,b) 2 poi ) _ c < d

(I.H.)


3186

3187

3188

3189

3190

3191

3192

3193

3194

3195

3196

3197

3198

3199

3200

3201

3202

3203

3204

3205

3206

3207

3208

3209

3210

3211

3212

3213

3214

3215

3216

3217

3218

3219

3220

3221

3222

3223

3224

3225

3226

3227

3228

3229

3230

3231

3232

3233

3234


Pick arbitrary H (o,� ,p,n, e), H (o0,� 0,p 0,n0, e 0), a,b, c,d such that a 2 H (o,� ,p,n, e) and b 2H (o0,� 0,p 0,n0, e 0), Ck

i

�

�

c = H (o,� ,p,n, e), Cki

�

�

d = H (o0,� 0,p 0,n0, e 0) and (a,b) 2 hbji . From thede�nition of hbji we then know there exists f such that (a, f ) 2 hb0i and (f ,b) 2 hbm . Wethus know there exists H (o00,� 00,p 00,n00, e 00) and � such that f 2 H (o00,� 00,p 00,n00, e 00) and Ci |� =H (o00,� 00,p 00,n00, e 00). From the proof of the base case we then know that (c = �^(a, f ) 2 poi )_c < �.Similarly, from (I.H.) we know (� = d ^ (f ,b) 2 poi ) _� < d . There are then four cases to consider:1) (c = �^ (a, f ) 2 poi ) and (� = d ^ (f ,b) 2 poi ); or 2) (c = �^ (a, f ) 2 poi ) and � < d ; or 3) c < �and (� = d ^ (f ,b) 2 poi ); or 4) c < � and � < d .

In case (1) from the transitivity of = and poi we have c = d ^ (a,b) 2 poi , as required. In case (2)since c = � and � < d we have c < d , as required. In case (3) since c < � and � = d we have c < d ,as required. In case (4) from the transitivity of < we have c < d , as required.

⇤

Lemma C.2. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Hi be de�ned asabove withCi = H (c1i ,� 1i ,p1i ,n1i , e1i ). · · · .H (ctii ,� tii ,ptii ,ntii , etii ). For all i 2 {1 · · ·n}, and a,b, letOb

a =

H (cai ,� ai ,pai ,nai , eai ).inv.H (cai ,� ai ,pai ,nai , eai ).ack. · · · .H (cbi ,�bi ,pbi ,nbi , ebi ).inv.H (cbi ,�bi ,pbi ,nbi , ebi ).ack.For all Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ), Hi , for all Q0


ti–

x=k+1H (cxi ,� xi ,pxi ,nxi , exi ).E, and Qk

i :

getQ(Q0i ,O

k1 ) = Qk


0i , E

ki ) )

9Qti . getQ(Qk

i ,Otik+1) = Qt


0i , E

Pi )

P��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn . Let Hi and Ci be as de�ned asabove for all i 2 {1 · · ·n}. Pick an arbitrary i 2 {1 · · ·n}, Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ) andHi . We proceed by induction on l .

Base case l = 0, k = tiPick arbitrary Q0

i and Qki such that getQ(Q0

i ,Ok1 ) = Qk


0i , E

ki ). As k = ti , we

have isQ(q,Qki , nvoi , E

0i , E

Pi ). As Oti

k+1=� , we have getQ(Qki ,O

tik+1) = Qk

i , as required.

Inductive case 0 < l ti

8Q . 8k 0 > k . getQ(Q0i ,O

k 01 ) = Q ^ isQ(q,Q, nvoi , E0i , Ek

0i ) )

9Qti . getQ(Q,Oti

k 0+1) = Qti ^ isQ(q,Qt

i , nvoi , E0i , E

Pi )

(I.H.)

Pick arbitrary Q0i and Q

ki such that getQ(Q0

i ,Ok1 ) = Qk


0i , E

ki ). We are then

required to show that there exists Qti such that getQ(Qk

i ,Otik+1) = Qt


0i , E

Pi ).

We then know:

Otik+1 = H (ck+1i ,�

k+1i ,pk+1i ,n

k+1i , e

k+1i ).inv.H (ck+1i ,�

k+1i ,pk+1i ,n

k+1i , e

k+1i ).ack.Oti

k+2

There are now three cases to consider: 1) there existsm such that ck+1i =enq(m) and nk+1i =m; or 2)there existsm , null such that ck+1i =deq() and nk+1i =m; or 3) ck+1i =deq() and nk+1i =null.In case (1), as getQ(Q0

i ,Ok1 ) = Qk

i , from its de�nition we have getQ(Q0i ,O

k+11 ) = Qk

i .m. LetQk+1i = Qk

i .m. Given the trace H (ck+1i ,�k+1i ,pk+1i ,n

k+1i , e

k+1i ), since from the PTSO-validity of Gi

we have E0i ⇥ (EPi \ E0i ) ✓ nvoi and as isQ(q,Qki , nvoi , E

0i , E

ki ) holds, from its de�nition we have

isQ(q,Qk+1i , nvoi , E

0i , E

k+1i ). From (I.H.) we know there exists Qt

i such that getQ(Qk+1i ,O

tik+2) = Qt

iand isQ(q,Qt

i , nvoi , E0i , E

Pi ). As getQ(Qk+1

i ,Otik+2) = Qt

i , by de�nition we also have getQ(Qki ,O

tik+1)


3235

3236

3237

3238

3239

3240

3241

3242

3243

3244

3245

3246

3247

3248

3249

3250

3251

3252

3253

3254

3255

3256

3257

3258

3259

3260

3261

3262

3263

3264

3265

3266

3267

3268

3269

3270

3271

3272

3273

3274

3275

3276

3277

3278

3279

3280

3281

3282

3283


= Qti , as required.

In case (2), given the trace of H (ck+1i ,�k+1i ,pk+1i ,n

k+1i ) we know that there existsw, r ,a such that

w 2 U , loc(w)=q.data[a], valw

(w)=m, r = H (ck+1i ,�k+1i ,pk+1i ,n

k+1i ).r and (w, r ) 2 rfi . Since Gi

is PTSO-valid, we know either:i)w 2 E0i and for all j 2 {1 · · ·k} H (c ji ,� ji ,p ji ,nji , e ji ).E \ (W [ U )

q.data[a]

=;; orii) there exists j such that 1 j k andw=H (c ji ,� ji ,p ji ,nji , e ji ).lin and c ji = enq(m).As E0i ✓ EPi and the events ofH (c ji ,� ji ,p ji ,nji , e ji ) are persistent (discussed above in the construction

of Hi ), in both cases we know thatw 2 Eki .It is straightforward to demonstrate that each enq operation in Hi writes to a unique index

in q.data. I case (ii) we thus know for all j 0 2 {1 · · ·k} \ {j}, H (c j0i ,� j0

i ,pj0i ,n

j0i , e

j0i ).E \ (W [

U )q.data[a] = ;. That is, max

⇣


⌘

= w . Consequently, in both cases we have

max⇣


⌘

= w . On the other hand, since isQ(q,Qki , nvoi , E

0i , E

ki ) holds, from its

de�nition we know val

w

(max⇣


⌘

) = Qki

�

�

0. We thus have Qki

�

�

0 =m.LetQk

i =m.Q0 for someQ 0 and letQk+1

i = Q 0. As getQ(Q0i ,O

k1 ) holds, from its de�nition we also

have getQ(Q0i ,O

k+11 ) = Qk+1

i . Given the traceH (ck+1i ,�k+1i ,pk+1i ,n

k+1i , e

k+1i ), as isQ(q,Qk

i , nvoi , E0i , E

ki )

holds, from its de�nition we have isQ(q,Qk+1i , nvoi , E

0i , E

k+1i ). From (I.H.) we then know there exists

Qti such that getQ(Qk+1

i ,Otik+2) = Qt


0i , E

Pi ). As getQ(Qk+1

i ,Otik+2) = Qt

i , fromits de�nition we also have getQ(Qk

i ,Otik+1) = Qt

i , as required.Case (3) is analogous to that of case (2) and is omitted here.

⇤


i :


0i , E

0i ) )

9Qti . getQ(Q0


i , nvoi , E0i , E

Pi )


Lemma C.3. Given a PTSO-valid execution E = G1; · · · ;Gn , if H = H1. · · · .Hn with Hi de�ned asabove for all i 2 {1 · · ·n}, then:

9Q . getQ(�,H ) = Q

P��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn , with H = H1. · · · .Hn and Hide�ned as above for all i 2 {1 · · ·n}. LetQ0

1 = � . By de�nition we then have isQ(q,Q01, nvo1, E

01, E

01).

On the other hand from Corollary 3 we have:

9Qt1 . getQ(Q0

1,H1) = Qt1 ^ isQ(q,Qt

1, nvo1, E01, E

P1 )

8Q02 . isQ(q,Q0

2, nvo2, E02, E

02) )

9Qt2 . getQ(Q0

2 ,H2) = Qt2 ^ isQ(q,Qt

2, nvo2, E02, E

P2 )

· · ·8Q0


9Qtn . getQ(Q0


n , nvon , E0n , EPn )


3284

3285

3286

3287

3288

3289

3290

3291

3292

3293

3294

3295

3296

3297

3298

3299

3300

3301

3302

3303

3304

3305

3306

3307

3308

3309

3310

3311

3312

3313

3314

3315

3316

3317

3318

3319

3320

3321

3322

3323

3324

3325

3326

3327

3328

3329

3330

3331

3332


For all j 2 {2 · · ·n}, let Q0j = getQ(Q0

j�1,Hj�1). From above we then have :

9Qt1, · · · ,Qt

n .getQ(Q0


1,H2) = Qt2 ^ · · · ^ getQ(Qt

n�1,Hn) = Qtn


1,H1. · · · .Hn) = Qtn . That is,





TS. (36)Pick arbitrary i 2 {1 · · ·n},a,b 2 Ti such that (a,b) 2 hbi .We then know there exist c,� ,p,n, e, c 0,� 0,p 0,n0, e 0 such that a 2 H (c,� ,p,n, e), b 2 H (c 0,� 0,p 0,n0, e 0) and either:1) H (c,� ,p,n, e)=H (c 0,� 0,p 0,n0, e 0), a=H (c,� ,p,n, e).inv and b = H (c,� ,p,n, e).ack; or2) H (c,� ,p,n, e)=H (c 0,� 0,p 0,n0, e 0), a=H (c,� ,p,n, e).ack and b = H (c,� ,p,n, e).inv; or3) H (c,� ,p,n, e) , H (c 0,� 0,p 0,n0, e 0).In case (1) the desired result holds immediately. In case (2) we have b



hbi! b. Consequently, from the transitivity of hbi we have (b,b) 2 hbi ,contradicting the acyclicity of hbi in Lemma E.1. In case (3) from Lemma C.1 and the de�nition ofHi we have a �Hi b, as required.

TS. (37)From Lemma C.3 we know there exists Q such that getQ(�,H ) = Q . From the de�nition of fifo(., .)we know fifo(�,H ) holds if and only if there exists Q such that getQ(�,H ) = Q . As such we havefifo(�,H ), as required.

⇤

D NON-BLOCKING MICHAEL-SCOTT QUEUE LIBRARYAs before, for an arbitrary program P and a PTSO-valid execution E = G1; · · · ;Gn of P withGi = (E0, EP , E, po, rf, tso, nvo), observe that when P comprisesk threads, the trace of each executionera (via start() or recover()) comprises two stages: i) the trace of the setup stage by the masterthread �0 performing initialisation or recovery, prior to the call to run(P); followed (in po order)by ii) the trace of each of the constituent program threads �1 · · · �k , provided that the execution didnot crash during the setup stage.

As before, thanks to the placement of the persistent fence operations (pfence), for each thread �j ,we know that the set of persistent events in execution era i , namely EPi , contains roughly a pre�x (inpo order) of thread �j ’s trace. More concretely, for each constituent thread �j 2 {�1 · · · �k } = dom(P),there exist P1

j · · · Pnj such that:

1) P[�j ] = o0j ; · · · ;oP 1j

j ;oP 1j +1

j ; · · ·oP2j

j ; · · · ;oPn�1j +1

j ; · · · ;oPnj

j , comprising enq and deq operations;and


3333

3334

3335

3336

3337

3338

3339

3340

3341

3342

3343

3344

3345

3346

3347

3348

3349

3350

3351

3352

3353

3354

3355

3356

3357

3358

3359

3360

3361

3362

3363

3364

3365

3366

3367

3368

3369

3370

3371

3372

3373

3374

3375

3376

3377

3378

3379

3380

3381


1. q.enq(v) ,2. pc:= getPC(); t:= getTC();

3. n:= newNode(v,t,pc);

4. map[t][pc]:= n; pfence;

5. h:= q.head;

6. find: while (q.data[h] != null)

7. h:= h+1;

8. if (!CAS(q.data[h], null, n))

9. goto find;

10. pfence;

11. q.deq() ,12. pc:= getPC(); t:= getTC();

13. try: h:= q.head; n:= q.data[h];

14. map[t][pc]:= n;

15. if (n != null) {

16. t’:= n.t; pc’:= n.pc;

17. map[t’][pc’]+1:=>;18. } pfence;

19. if (n!=null) {

20. if (!CAS(q.head,h,h+1))

21. goto try;

22. pfence;

23. map[t][pc]+1:=>; pfence

24. } return n;

25. rem(n) ,26. for(t in P){

27. pc:= 0

28. while(map[t][pc]!=?){29. m:= map[t][pc];

30. a:= map[t][pc]+1;

31. if(n==m && a==>) return 1;

32. pc++;

33. }

34. }

35. return 0;

36. recover() ,37. if (q==null || map==null)

38. goto start();

39. for(t in P) enq[t]:= -1;

40. for(t in P) {

41. (pc,n,a):= getProg(t);

42. if (pc>=0 && isDeq(P[t][pc])) {

43. if (n==null)

44. P’[t]:= sub(P[t],pc+1);

45. else {

46. if (a==>)47. P’[t]:= sub(P[t],pc+1);

48. else if (inIn(q,n) || rem(n))

49. P’[t]:= sub(P[t],pc);

50. else {

51. P’[t]:= sub(P[t],pc+1);

52. map[t][pc]+1:=>}53. t’:= n.t; pc’:= n.pc;

54. enq[t’]:=max(enq[t’],pc’+1);}

55. } else if (pc<0) P’[t]:= P[t]; }

56. for(t in P) {

57. (pc,n,a):= getProg(t);

58. if (pc>=0 && isEnq(P[t][pc])) {

59. if (pc < enq[t])

60. P’[t]:= sub(P[t],enq[t]);

61. else if (a==> || isIn(q,n))

62. P’[t]:= sub(P[t],pc+1);

63. else

64. P’[t]:= sub(P[t],pc); }

65. } pfence;

66. run(P’);

67. getProg(t) ,68. pc:= -1; n:=?; a:=?;69. while (map[t][pc+1] !=?) pc++;70. if (pc>=0) {

71. n:= map[t][pc]; a:= map[t][pc]+1;

72. } return (pc,n,a);

Fig. 8. A non-blocking persistent Michael-Sco� queue implementation with persistence code in blue

2) at the beginning of each execution era i 2 {1 · · ·n}, the program executed by thread �j(calculated in P’ and subsequently executed by calling run(P’)) is that of sub(P[�j ],P i�1j +1),where P0

j = �1, for all j; and


3382

3383

3384

3385

3386

3387

3388

3389

3390

3391

3392

3393

3394

3395

3396

3397

3398

3399

3400

3401

3402

3403

3404

3405

3406

3407

3408

3409

3410

3411

3412

3413

3414

3415

3416

3417

3418

3419

3420

3421

3422

3423

3424

3425

3426

3427

3428

3429

3430


3) in each execution era i 2 {1 · · ·n}, the trace H(i, j) of each constituent thread �j 2 dom(P) is ofthe following form:

H(i, j) , H (oPi�1j +1

j ,�j , P i�1j +1,nP i�1j +1j , e

P i�1j +1j )

po! · · · po! H (oPij

j ,�j , Pij ,n

P ijj , e

P ijj )

po! H (oPij +1

j ,�j , P ij+1,nP ij +1j , e

P ij +1j )

po! · · · po! H (omij�1

j ,�j ,mij�1,n

mij�1

j , emij�1

j )po! H 0(om

ij

j ,�j ,mij ,n

mij

j , emij

j )

for somemij , n

P i�1j +1j , · · · ,nP

ij

j ,nP ij +1j , · · · ,nm

ij

j , eP i�1j +1j , · · · , eP

ij

j , eP ij +1j , · · · , em

ij

j where:

• The �rst two lines denote the execution of the (P i�1j +1)st to (P ij )th library calls of thread �j ,with H (o,� ,p,n, e) de�ned shortly. Moreover, before crashing and proceeding to the next era,all volatile events (those in PE) in H (oP

i�1j +1

j , · · · ) po! · · · po! H (oPij �1

j , · · · ) have persisted, anda pre�x (in po order) of the volatile events in H (oP

ij

j ,�j , Pij ,n

P ijj , e

P ijj ) have persisted. Note that

this pre�x may be equal to H (oPij

j ,�j , Pij ,n

P ijj , e

P ijj ), in which case all its events have persisted.

• The next two lines denote the execution of the subsequent library calls of thread �j wheremi



program crashed and thus the execution of era i ended. As before, the H 0(o,� ,p,n, e) denotesa (potentially full) pre�x of H (o,� ,p,n, e).

The trace H (o,� ,p,n, e) of each library call is de�ned as follows:

H (deq(),� ,p,n,h) , inv=I(�p , deq, ()) po! R(pc,p) po! R(tid� ,� ) po! FEpo! rh=R(q.head,h)

po! r=R(q.data[h],n)po! lin1=W(map[�][p],n) po! S1

po! PF

po! S2po! ack=A(�p , deq,n)

where FE denotes the sequence of events, attempting but failing to set the rem �eld of the headnode, with

S1 =

(

; if n = null

R(n.t,� 0) po! R(n.pc,p 0) po! W(map[� 0][p 0]+1,>) otherwise

S2 =

(

; if n = null

lin2=W(q.head,h+1) po! PF

po! c=W(map[�][p]+1,>) po! PF otherwisefor some � 0, p 0; and

H (enq(�),� ,p,n, e) , inv=I(�p , enq,n)po! R(pc,p) po! R(tid� ,� )

po! W(n.val,�) po! W(n.tid,� ) po! W(n.pc,p)po! W(map[�][p],n) po! PF

po! R(q.head,h)po! R(q.data[h],�0)

po! A0 · · · R(q.data[h+s�1],�s�1)po! As�1

| {z }s times

po! R(q.data[h+s], null) po! lin=U(q.data[h+s], null,n)po! PF

po! ack=A(�p , enq, ())


3431

3432

3433

3434

3435

3436

3437

3438

3439

3440

3441

3442

3443

3444

3445

3446

3447

3448

3449

3450

3451

3452

3453

3454

3455

3456

3457

3458

3459

3460

3461

3462

3463

3464

3465

3466

3467

3468

3469

3470

3471

3472

3473

3474

3475

3476

3477

3478

3479


for some s � 0 such that h+s = e , and for all k 2 {0 · · · s�1}, either 1) �k , null and Ak = ;; or�k = null andAk = R(q.data[h+k],� 0

k )with� 0k , null. In the above traces, for brevity we have

omitted the thread identi�ers (�j ) and event identi�ers and represent each event with its label only.We use the H (enq(-),� ,p,n, e) pre�x to extract its speci�c events, e.g. H (enq(-),� ,p,n, e).inv.

Let us write q.tail to denote the index of the last entry in the queue. Observe that eachenq operation leaves the q.head value unchanged while increasing q.tail by 1. Similarly, eachdeq operation leaves q.tail unchanged while increasing q.head by one. Note that in eachH (enq(�),� ,p,n, e), the e�1 denotes the value of q.tail immediately before the insertion of noden by H (enq(�),� ,p,n, e), i.e. the e denotes the value of q.tail immediately after the insertionof node n by H (enq(�),� ,p,n, e). Similarly, in each H (deq(),� ,p,n,h), the h denotes the value ofq.head immediately before the removal of node n by H (deq(),� ,p,n,h).Let:

lp(H (o,� ,p,n, e)) ,8

>

><

>

>

:

H (o,� ,p,n, e).lin if o=enq(�)H (o,� ,p,n, e).lin1 if o=deq() and H (o,� ,p,n, e).S2=;H (o,� ,p,n, e).lin2 if o=deq() and H (o,� ,p,n, e).S2,;

For each �j 2 dom(P) let:

EP(i, j) = EPi \ �

e tid(e) = �j

E0(i, j) = EP(i, j) [ S(i, j)

where

S(i, j) ,

8

>

>

>

>

>

>

><

>

>

>

>

>

>

>

:

A(�, enq, ())

9o,p,n, inv, e .

inv = I(�, enq,n) = max✓

nvo|EP(i, j )\I◆

^ inv 2 H (o,�j ,p,n, e) ^ 8r 0. A(�, enq, r 0) < EP(i, j)^ lp(H (o,�j ,p,n, e)) 2 EP(i, j)

9

>

>

>

>

>

>

>=

>

>

>

>

>

>

>

;

[

8

>

>

>

>

>

>

><

>

>

>

>

>

>

>

:

A(�, deq,n)

9o,p, inv, e .

inv = I(�, deq, ()) = max✓

nvo|EP(i, j )\I◆

^ inv 2 H (o,�j ,p,n, e) ^ 8r 0. A(�, deq, r 0) < EP(i, j)^ lp(H (o,�j ,p,n, e)) 2 EP(i, j) ^ (n , null ) H (o,�j ,p,n, e).c 2 EP(i, j))

9

>

>

>

>

>

>

>=

>

>

>

>

>

>

>

;

[

8

>

>

>

>

>

>

>

>

>

>

>

>

>

><

>

>

>

>

>

>

>

>

>

>

>

>

>

>

:

A(�, deq,n)

n , null ^ 9o,p, inv, e .

inv = I(�, deq, ()) = max✓

nvo|EP(i, j )\I◆

^ inv 2 H (o,�j ,p,n, e) ^ 8r 0. A(�, deq, r 0) < EP(i, j)^H (o,�j ,p,n, e).lin1 2 EP(i, j)^8k < j . 8p0, e 0. H (deq(),�k ,p0,n, e 0).lin1 < EP(i,k )^9k,p0, e 0. k � j ^ H (deq(),�k ,p0,n, e 0).lin2 2 EP(i,k )

^H (deq(),�k ,p0,n, e 0).c < EP(i,k ))

9

>

>

>

>

>

>

>

>

>

>

>

>

>

>=

>

>

>

>

>

>

>

>

>

>

>

>

>

>

;

Let E0i =

–




i ).LetCi denote an enumeration of

–

�j 2dom(P){H (oP

i�1j +1

j ,�j , P i�1j +1,nP i�1j +1j ) · · ·H (oP

ij

j ,�j , Pij ,n

P ijj } that

respectsmemory order (in tsoi ) of linearisation points. That is, for allH (o,�j ,p,n, e),H (o0,�j0,p 0,n0, e 0),if lp(H (o,�j ,p,n, e)) tsoi! lp(H (o0,�j0,p 0,n0, e 0)), then H (o,�j ,p,n, e) �Ci H (o0,�j0,p 0,n0, e 0).


3480

3481

3482

3483

3484

3485

3486

3487

3488

3489

3490

3491

3492

3493

3494

3495

3496

3497

3498

3499

3500

3501

3502

3503

3504

3505

3506

3507

3508

3509

3510

3511

3512

3513

3514

3515

3516

3517

3518

3519

3520

3521

3522

3523

3524

3525

3526

3527

3528


When Ci is enumerated as Ci = H (c1i ,� 1i ,p1i ,n1i , e1i ). · · · . H (ctii ,� tii ,ptii ,ntii , etii ), let us de�neHi =H (c1i ,� 1i ,p1i ,n1i , e1i ).inv . H (c1i ,� 1i ,p1i ,n1i , e1i ).ack. · · · .H (ctii ,� tii ,ptii ,ntii , etii ).inv . H (ctii ,� tii ,ptii ,ntii , etii ).ack

Lemma D.1. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Ci be asde�ned above. Then, for all H (o,� ,p,n, e), H (o0,� 0,p 0,n0, e 0), a,b, c,d , if a 2 H (o,� ,p,n, e) and b 2H (o0,� 0,p 0,n0, e 0), Ci |c = H (o,� ,p,n, e), Ci |d = H (o0,� 0,p 0,n0, e 0) and (a,b) 2 hbi , then either 1)c = d and (a,b) 2 poi ; or 2) c < d .

P��. The proof of this lemma is analogous to he proof of its counterpart lemma (Lemma C.1)for the blocking MS queue implementation and is omitted here.

Lemma D.2. Given a PTSO-valid execution E = G1; · · · ;Gn , let for all i 2 {1 · · ·n}, Hi be de�ned asabove withCi = H (c1i ,� 1i ,p1i ,n1i , e1i ). · · · .H (ctii ,� tii ,ptii ,ntii , etii ). For all i 2 {1 · · ·n}, and a,b, letOb

a =

H (cai ,� ai ,pai ,nai , eai ).inv.H (cai ,� ai ,pai ,nai , eai ).ack. · · · .H (cbi ,�bi ,pbi ,nbi , ebi ).inv.H (cbi ,�bi ,pbi ,nbi , ebi ).ack.For all Gi = (E0i , EPi , Ei , poi , rfi , tsoi , nvoi ), Hi , for all Q0


ti–

x=k+1H (cxi ,� xi ,pxi ,nxi , exi ).E, and Qk

i :

getQ(Q0i ,O

k1 ) = Qk


0i , E

ki ) )

9Qti . getQ(Qk

i ,Otik+1) = Qt


0i , E

Pi )

P��. The proof of this lemma is analogous to he proof of its counterpart lemma (Lemma C.2)for the blocking MS queue implementation and is omitted here.


i :


0i , E

0i ) )

9Qti . getQ(Q0


i , nvoi , E0i , E

Pi )


Lemma D.3. Given a PTSO-valid execution E = G1; · · · ;Gn , if H = H1. · · · .Hn with Hi de�ned asabove for all i 2 {1 · · ·n}, then:

9Q . getQ(�,H ) = QP��. Pick an arbitrary PTSO-valid execution E = G1; · · · ;Gn , with H = H1. · · · .Hn and Hi

de�ned as above for all i 2 {1 · · ·n}. LetQ01 = � . By de�nition we then have isQ(q,Q0

1, nvo1, E01, E

01).

On the other hand from Corollary 4 we have:9Qt

1 . getQ(Q01,H1) = Qt

1 ^ isQ(q,Qt1, nvo1, E

01, E

P1 )

8Q02 . isQ(q,Q0

2, nvo2, E02, E

02) )

9Qt2 . getQ(Q0

2 ,H2) = Qt2 ^ isQ(q,Qt

2, nvo2, E02, E

P2 )

· · ·8Q0


9Qtn . getQ(Q0


n , nvon , E0n , EPn )For all j 2 {2 · · ·n}, let Q0

j = getQ(Q0j�1,Hj�1). From above we then have :

9Qt1, · · · ,Qt

n .getQ(Q0


1,H2) = Qt2 ^ · · · ^ getQ(Qt

n�1,Hn) = Qtn


3529

3530

3531

3532

3533

3534

3535

3536

3537

3538

3539

3540

3541

3542

3543

3544

3545

3546

3547

3548

3549

3550

3551

3552

3553

3554

3555

3556

3557

3558

3559

3560

3561

3562

3563

3564

3565

3566

3567

3568

3569

3570

3571

3572

3573

3574

3575

3576

3577



1,H1. · · · .Hn) = Qtn . That is,





TS. (38)Pick arbitrary i 2 {1 · · ·n},a,b 2 Ti such that (a,b) 2 hbi .We then know there exist c,� ,p,n, e, c 0,� 0,p 0,n0, e 0 such that a 2 H (c,� ,p,n, e), b 2 H (c 0,� 0,p 0,n0, e 0) and either:1) H (c,� ,p,n, e)=H (c 0,� 0,p 0,n0, e 0), a=H (c,� ,p,n, e).inv and b = H (c,� ,p,n, e).ack; or2) H (c,� ,p,n, e)=H (c 0,� 0,p 0,n0, e 0), a=H (c,� ,p,n, e).ack and b = H (c,� ,p,n, e).inv; or3) H (c,� ,p,n, e) , H (c 0,� 0,p 0,n0, e 0).In case (1) the desired result holds immediately. In case (2) we have b



hbi! b. Consequently, from the transitivity of hbi we have (b,b) 2 hbi ,contradicting the acyclicity of hbi in Lemma E.1. In case (3) from Lemma D.1 and the de�nition ofHi we have a �Hi b, as required.

TS. (39)From Lemma D.3 we know there exists Q such that getQ(�,H ) = Q . From the de�nition of fifo(., .)we know fifo(�,H ) holds if and only if there exists Q such that getQ(�,H ) = Q . As such we havefifo(�,H ), as required.

⇤


3578

3579

3580

3581

3582

3583

3584

3585

3586

3587

3588

3589

3590

3591

3592

3593

3594

3595

3596

3597

3598

3599

3600

3601

3602

3603

3604

3605

3606

3607

3608

3609

3610

3611

3612

3613

3614

3615

3616

3617

3618

3619

3620

3621

3622

3623

3624

3625

3626


E AUXILIARY RESULTSLemma E.1. For all PTSO-valid execution graphs G = (E0, EP , E, po, rf, tso, nvo), then acyclic(hb)holds, where hb = (po [ rf)+.

P��. We proceed by contradiction. Let us assume that acyclic(hb) does not hold and thereexists a such that (a,a) 2 hb. From Lemma E.2 below we then have (a,a) 2 po[ tso. That is, either:1) (a,a) 2 po; or 2) (a,a) 2 tso. However, both cases lead to a contradiction as since G is valid, weknow both po and tso are strict orders.

⇤

Lemma E.2. For all PTSO-valid execution graphs G = (E0, EP , E, po, rf, tso, nvo) and for all a,b, if(a,b) 2 hb = (po [ rf)+, then (b,a) 2 po [ tso.

P��. Pick an arbitrary PTSO-valid execution graph G = (E0, EP , E, po, rf, tso, nvo). Note thathb = (po [ rf)+ = (po [ (rf \ po))+. Let hb0 = po [ (rf \ po) and hbi+1 = hb0; hbi , for all i 2 N. Ashb is a transitive closure, it is straightforward to demonstrate that hb =

–

i 2Nhbi . We thus show

instead that:8i 2 N. 8a,b . (a,b) 2 hbi ) (a,b) 2 po [ tso

We proceed by induction on i .

Base case i = 0Pick an arbitrary a,b such that (a,b) 2 hb0. There are two cases to consider: either (a,b) 2 po, or(a,b) 2 rf \ po. In the former case the desired result holds immediately. In the latter case, as fromthe PTSO-validity of G we know rf ✓ tso [ po and as (a,b) 2 rf \ po, we know that (a,b) 2 tso, asrequired.

Inductive case i = n+18j 2 N. 8a,b . j n ^ (a,b) 2 hbj ) (a,b) 2 po [ tso (I.H.)

Pick an arbitrary a,b such that (a,b) 2 hbi . From the de�nition of hbi we then know there exists csuch that (a, c) 2 po [ (rf \ po) and (c,b) 2 hbn .

There are two cases to consider: either 1) (a, c) 2 po; or 2) (a, c) 2 rf \ po.In case (1), let hb�1 = id. From the de�nition of hbn we then know there exists d such that

(c,d) 2 po [ (rf \ po) and (d,b) 2 hbn�1. There are two more cases to consider: i) (c,d) 2 po; or ii)(c,d) 2 rf \ po.

In case (1.i) we have apo! c

po! d and thus from the transitivity of po we have (a,d) 2 po ✓ hb0.As (d,b) 2 hbn�1, from the de�nition of hbn we have (a,b) 2 hbn . Consequently, from (I.H.) wehave (a,b) 2 po [ tso, as required.

In case (1.ii), from the PTSO-validity of G we know rf ✓ tso [ po. Since (c,d) 2 rf \ po, we thusknow that (c,d) 2 tso. On the other hand, from the validity of G we know po \ (W ⇥ R) ✓ tso.Moreover, as (c,d) 2 rf, we know that c 2 W . As (a, c) 2 po and c 2 W , we thus have (a, c) 2 tso.We then have a tso! c

tso! d , and thus from the transitivity of tso we have (a,d) 2 tso. There are nowto cases to consider: a) n = 0 and thus hbn�1 = id; or b) n > 0.

In case (1.ii.a), as (d,b) 2 hbn�1 = id, we have d = b and thus (a,b) 2 tso, as required.In case (1.ii.b), since (d,b) 2 hbn�1, from (I.H.) we have (d,b) 2 po [ tso. On the other hand,

from the validity of G we know po \ (W ⇥ R) ✓ tso. Moreover, as (c,d) 2 rf, we know that d 2 R.As such, we have (d,b) 2 tso. We then have a tso! d

tso! b, and thus from the transitivity of tso wehave (a,b) 2 tso, as required.


3627

3628

3629

3630

3631

3632

3633

3634

3635

3636

3637

3638

3639

3640

3641

3642

3643

3644

3645

3646

3647

3648

3649

3650

3651

3652

3653

3654

3655

3656

3657

3658

3659

3660

3661

3662

3663

3664

3665

3666

3667

3668

3669

3670

3671

3672

3673

3674

3675


In case (2), from the PTSO-validity of G we know rf ✓ tso [ po. Since (a, c) 2 rf \ po, we thusknow that (a, c) 2 tso. On the other hand, since(c,b) 2 hbn , from (I.H.) we have (c,b) 2 po [ tso.There are two more cases to consider: i) (c,b) 2 tso; or ii) (c,b) 2 po.

In case (2.i) we have a tso! ctso! b, and thus from the transitivity of tso we have (a,b) 2 tso, as

required.In case (2.ii), from the validity of G we know po \ (W ⇥ R) ✓ tso. On the other hand, since

(a, c) 2 rf, we know that c 2 R. As such, we have (c,b) 2 tso. We thus have a tso! ctso! b, and thus

from the transitivity of tso we have (a,b) 2 tso, as required.⇤


A EQUIVALENCE OF THE PTSO OPERATIONAL AND … · 2018. 7. 24. · 1569 1570 1571 1572 1573 1574...

Documents

Transcript of A EQUIVALENCE OF THE PTSO OPERATIONAL AND … · 2018. 7. 24. · 1569 1570 1571 1572 1573 1574...