A Constructive Proof on the Compositionality of Linearizability
AA Constructive Proof on the Compositionality ofLinearizability
Haoxiang Lin [email protected] Abstract
Linearizability is the strongest correctness property for both shared memory and message passingsystems. One of its useful features is the compositionality: a history (execution) is linearizable ifand only if each object (component) subhistory is linearizable. In this paper, we propose a newhierarchical system model to address challenges in modular development of cloud systems. Objectare defined by induction from the most fundamental atomic Boolean registers, and histories arerepresented as countable well-ordered structures of events to deal with both finite and infiniteexecutions. Then, we present a new constructive proof on the compositionality theorem oflinearizability inspired by Multiway Merge. This proof deduces a theoretically efficient algorithmwhich generates linearization in O (N × log P) running time with O (N) space, where P and N areprocess/event numbers respectively. C.2.4 Distributed Systems
Keywords and phrases linearizability, compositionality, execution history, well-ordered structure
Digital Object Identifier © Haoxiang Lin;licensed under Creative Commons License CC-BYLeibniz International Proceedings in InformaticsSchloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany a r X i v : . [ c s . D C ] F e b X:2 A Constructive Proof On the Compositionality of Linearizability
Linearizability [13] is the strongest correctness property for both shared memory and messagepassing systems. Informally, a piece of process execution (e.g. a method call) is linearizableif it appears to take effect instantaneously at some moment during the lifetime. This impliesthat a concurrent linearizable execution by multiple processes should produce exactly thesame result by some single-process sequential execution. Thus, linearizability is compositional :a history (execution) is linearizable if and only if each object (component) subhistory islinearizable. To prove this property, previous work [14, 9, 13, 12] claims that there existsa global partial ordering among linearizations of object subhistories , and then extendsit to the final linearization(s) by Order-Extension Principle [23]. Compositionality is veryimportant because the correctness of a concurrent system can rely on its components insteadof a centralized scheduler or additional component constraints [13, 12].Recently, new challenges are emerging in modular development of cloud systems. Peopleusually design, implement and test a complex system from the bottom up with existingcomponents layer by layer. However, previous system model and compositionality resulton linearizability assume flat components and are not able to handle such hierarchy well,leaving a gap between theory and practice. In addition, previous studies on linearizabilitynormally investigate finite executions so that infinite executions of long running cloudservices are ruled out unfortunately. The last challenge lies in system verification to provide aconcrete linearization from component executions. A typical algorithm traverses componentlinearizations to build the global partial ordering (e.g. represented by a directed acyclicgraph), and then uses topological sorting [6] for a final linearization. Because a cloudsystem has lots of processes/threads and their executions take long enough, such algorithmis considerably time consuming.To address the above challenges, we begin by proposing a universal model for hierarchicalsystems in section 2, which demonstrates theoretical benefits on concurrent properties notlimited to linearizability. An object is defined by induction from the most fundamental atomic Boolean registers with only six atomic primitive operations. An object operation isdefined similarly by induction from subobjects’ operations following the syntax of a simpleimperative programming language. Histories are then defined as countable well-orderedstructures of events to deal with both finite and infinite executions, and reveal precisely theinternal event ordering. Such history definition over a simple sequence by previous workhas advantages of simplicity and extensibility in later discussion on history properties andoperations. Section 3 defines linearizability using our new system model, and we make aremedy to the original definition by excluding an intricate case. In section 4, we present aconstructive proof on the compositionality theorem with our new methodology. The proofdeduces a Multiway Merge alike algorithm to generate a final linearization without the needto build the global partial ordering. Section 5 concludes and discusses future work. When referring to an ordering, we assume the strictness in that the ordering is irreflexive. Proofs in [14, 9, 12] are not sound. In [14, 9], the inter-object partial ordering is omitted by mistake.In [12], a case is left out that there could be no maximal method call among the last method calls fromobject subhistories. Paper [8] proves that linearizability may not be always a safety property on infinite histories. Weassume objects with finite nondeterminism to resolve the problem. aoxiang Lin XX:3
In this subsection, we briefly state our system model and recall notions that we use in thepaper. Formal definitions follow later.Registers are historical names for shared memory locations. For simplicity, we use onlyatomic Boolean registers [17, 18] with six atomic primitive operations for two reasons. First,registers of other primitive data types such as 32-bit signed integer can be representedby Boolean registers in theoretical unary notation. We implement any M -valued registeras an array of M Boolean registers [12], although it is astonishingly inefficient. Second,for Boolean-size (1 byte) memories, nowadays computer architectures already offer atomicread/write semantics as well as other atomic instructions for Compare-And-Swap, Or etc.Processes are single-threaded and exchange information with each other through sharedobjects (Definition 1) in parallel. From a pedantic viewpoint, processes can be thoughtas instances of program graphs [20]. Each object has some non-overlapped and persistentregisters for keeping values, an associated type defining the value domain, and some primitiveoperations as the only interfaces for object creation and manipulation. A concurrent systemis thus viewed as a finite set of processes and objects.Operations can be mapped to actions [15]. Their executing instances are denoted asmethod calls. We assume that object operation set is also finite, and require processes carryout one method call by another until the process itself or the system halts. This implies thatprocesses issue a new method call only after all previous ones complete. The set of methodcalls issued by a process is assumed countable to model infinite executions. From the abovedescription, we can separately number processes, objects, operations, and method calls withintegers.During the lifetime of a method call, we assume that unique events are generated. E.g.there is an invocation event at the very beginning when the method call starts, and a response event right at the moment it finishes; while in the middle some others such as a print event areemitted. An event could be modeled as a triple of program location, action, and evaluationof the belonging object. Only invocation and response events are considered because theyare enough to completely depict the behavior of method calls.Formally, we characterize invocation and response events by five key factors: in whichprocess it is generated, which method call it belongs to, on which object the method callmanipulates, operation id, and the associated payloads. An invocation event is then formalizedas inv h i, j, x, y, args ∗ i , while a response event as resp h i, j, x, y, term ( res ∗ ) i . i, j, x, y are allnatural numbers. If some event factors (e.g. payloads) are inessential to our discussion, “_”will be used instead. Explicit event types are for convenience, and they could be encoded in thepayloads in fact. Such definition expresses that the event belongs to the j -th method call issuedby process p i on the operation op y of object o x . args ∗ and res ∗ stand for arguments and resultsrespectively while term is termination condition. An invocation event inv h i, j, x, y, args ∗ i andresponse event resp h r, s, u, v, term ( res ∗ ) i are matching if ( i = r ) ∧ ( j = s ) ∧ ( x = u ) ∧ ( y = v ). Suppose we implement our system in a simple imperative programming language. Anoperation is just a program statement or normally a finite sequence of statements. Here is
X:4 A Constructive Proof On the Compositionality of Linearizability the language abstract syntax : b ∈ BExp ::= true | false | ¬ b | b ∨ b | b ∧ b ST ∈ Stmt ::= [ o.op ] | ST ; ST | if [ b ] then ST else ST | while [ b ] do ST b is a Boolean expression, and [ o.op ] represents the function call of operation op on object o .Arithmetic expressions are not listed separately since they correspond to object operations.The abstract syntax serves for later inductive definition of object/operation (2.3). Objects are defined by induction from atomic Boolean registers. (cid:73)
Definition 1.
Say that o is an object if it is(1) a register object: h r, { Read , Write , CompAndSwap , And , Or , Not }i .(a) r is an atomic Boolean register.(b) Read / · · · / Not are the only six atomic and primitive operations .(2) a composite object: h{ o i , o i , · · · , o i n } , { op j , op j , · · · , op j k }i .(a) { o i , o i , · · · , o i n } is a finite set of objects which are called o ’s subobjects. This setvaries for each o .(b) { op j , op j , · · · , op j k } is a finite set of operations, and each is a finite sequence ofone or more program statements (2.2) on o i ∈ [1 ,n ] following the syntax of previouslydefined language.We define a function obj-level on objects by recursion to return their levels: obj-level ( o ) = ( , if o is a register objectmax { obj-level ( o ) , · · · , obj-level ( o n ) } + 1 , otherwiseAlthough there may be many objects in a system, we are more interested in those shared ones, which are not subobjects of others and should be accessed by at least two processes intheory. This excludes stack and thread-local objects since their changes are not externallyvisible.As mentioned earlier, a concurrent system is a finite set of processes and shared objects.When we refer to a system state, it is not the mathematical state defined in a formal statemachine [3]. Instead, in this paper we denote it as the instantaneous snapshot [1] of thoseshared objects’ encapsulated registers, returned by the following recursive function: get-regiters ( o ) = { r } , if o is a register object n [ i =1 get-regiters ( o i ) , otherwiseShared objects are additionally non-overlapped so as to strictly limit manipulationonly on predefined interfaces. That is, for every two different shared objects o, o , get-regiters ( o ) T get-regiters ( o ) = ∅ . Other operands of
CompAndSwap , And , and Or are passed as arguments. aoxiang Lin XX:5 Events in an execution have inherent causal relationship with each other. E.g. An invocationevent and its matching response event are intra-process cause and effect. If process p i sendsa message to p j , the response event of Send method call is the inter-process cause of theinvocation event of
Receive .We have three assumptions on events and their causal relationship:(1) Each event is generated by only one process.(2) The causal relationship is a partial ordering, which means if event e is the cause of e and e is the cause of e , then e is the cause of e .(3) Events from the same process are countable, well-ordered under the causal relationshipand thus isomorphic to a subset of natural numbers.Due to the finiteness of processes, this causal relationship is in fact a partial well orderingbecause of its well-foundedness [7] that every nonempty event subset contains a causal-minimal element. To compare each two events and find a least one from any nonempty eventsubset, we extend it to a well ordering by the following Lemma 2 . In practice, if the systemhas a global high-precision clock, the event generation time could be leveraged. (cid:73) Lemma 2.
Assume h E , ≺i is a countable partially-ordered structure that:(1) There exists a finite partition Π = { E , E , · · · , E m } of E.(2) For each E i ∈ Π , ≺ T ( E i × E i ) is a well ordering.Then ≺ can be extended to a well ordering. Proof.
By Order-Extension Principle [23], ≺ can be extended to a linear ordering ≺ on E .We claim that ≺ itself is the desired well ordering. For each E i ∈ Π, ≺ T ( E i × E i ) = ≺ T ( E i × E i ) since the latter is already a well ordering. Let A be a nonempty subset of E .Π = { A i | ( A i = A T E i ) ∧ ( A i is not empty) } is a partition of A . Assume | Π | = k ∈ [1 , m ].In each part of A , there exists a least element e j ∈ [1 ,k ] under ≺ . The set { e , e , · · · , e k } is anonempty finite set, so it has a least element e ? which is apparently the least of A . (cid:74) Now we define a concurrent execution by a history : (cid:73) Definition 3.
A history H is a countable well-ordered structure h E , ≺i of invocation andresponse events such that:(1) There exists a unique finite partition Π = { E , E , · · · , E m } of E where events in each E i share the same process id i .(2) It is well-formed such that for each E i ∈ Π:(a) The least element in each E i is an invocation event.(b) Let e ∈ E i , and e (if existing) be the least of E i T { e | e ≺ e } under ≺ :(i) If e is an invocation event, then e is the matching response event.(ii) If e is a response event, then e is an invocation event.Such history definition over a simple sequence by previous work has advantages of simplicityand extensibility in later discussion on history properties and operations.For brevity, inv and resp stand for an invocation event and a response event respectively. e or e is either type of events. If inv and resp are matching invocation and response For extending arbitrary partial well orderings, please refer to [19].
X:6 A Constructive Proof On the Compositionality of Linearizability events, then m = h{ inv, resp } , {h inv, resp i}i represents a method call, and inv ( m ) = inv , resp ( m ) = resp . m ( e ) is e ’s belonging method call. H, H are histories. E H is the eventset of H, while ≺ H is the corresponding well ordering on E H . We say e ∈ H if e ∈ E H , and m ∈ H if inv ( m ) , resp ( m ) ∈ E H . o stands for an object, and p for a process.Two histories H and H are equal if E H = E H and ≺ H = ≺ H . H is a subhistory of H if ( E H ⊆ E H ) ∧ ( ≺ H ⊆≺ H ). Conversely, H is called an extension of H. We denote suchsubhistory-extension relationship as H ⊆ H . If E ⊆ E H , then H = h E , ≺ H T ( E × E ) i is a subhistory of H , because ≺ H T ( E × E ) is a well ordering [7] and H apparentlymeets the two requirements of history definition. For H ⊆ H , we define their difference H − H = h ( E H \ E H ) , ≺ H T (( E H \ E H ) × ( E H \ E H )) i . H − H is a history too. We define the concatenation function on histories by H ∗ H = h E H S E H , ≺ H S ≺ H S ( ≺ H × ≺ H ) i .The resulted structure is still well-ordered [7] to be a history. H i ∈ N is an abbreviation to anempty history H ∅ if i = 0, or H ∗ H · · · ∗ H for i times.An invocation event is pending if its matching response event does not exist. A methodcall is pending if its invocation event is pending; it is complete if both invocation and responseevents are in the history. Function cmplt (H) is the maximal subhistory of H without anypending invocation events. A history H is complete if cmplt (H) = H.From the well ordering on events, we induce a partial well ordering on method calls suchthat such that m ≺ call m if resp ( m ) ≺ inv ( m ). Here, m may be pending. Two methodcalls are concurrent if neither’s response event (if there exists one) precedes the invocationevent of the other. A history H is sequential if:(1) The least event of H is an invocation event.(2) Let e be the least of { e | e ≺ e } under ≺ : if e is an invocation event, then e is thematching response; if e is a response event, then e is an invocation.It is obvious that there will be at most one pending method call in a sequential history, andthe partial well ordering of method calls is indeed a well ordering. A history is concurrent ifit is not sequential.A process subhistory H | p is the maximal subhistory of H in which all events are generatedby process p . Then the well-formed requirement of history definition can be restated as: everyprocess subhistory is sequential. An object subhistory H | o is defined similarly for an object o .H is a single-object history written as H o if there exists o such that H | o = H. Two historiesH and H are equivalent if for each process p , H | p = H | p . H and H are effect-equivalent in acertain system state s if there exists another state s such that s −→ s ⇐⇒ s −→ s .We adopt the techniques in [13] to define history correctness. H is a prefix of H ifH ⊆ H and for all events e ∈ H and e ∈ H − H it holds that e ≺ H e . A set of histories is prefix-closed if whenever H is in the set, every prefix of H are also the members. A sequentialspecification for an object is a prefix-closed set of single-object sequential histories for thatobject. A sequential history H is legal if for each object o , H | o belongs to o ’s sequentialspecification. (cid:73) Definition 4.
A history H = h E , ≺i is linearizable if: L1:
H can be extended to a new history H = h E , ≺ i such that (H − H) contains onlyresponse events.
L2: cmplt (H ) is equivalent to some legal sequential history S. L3:
For two different method calls m and m , if m ≺ cmplt (H ) m , then m ≺ S m . aoxiang Lin XX:7 Pending method calls in the original history may or may not have taken effects. Thosehaving taken effects are captured by extending H with future matching response events. Laterrestriction to cmplt (H ) eliminates remaining pending method calls without real impact onthe system. Original definition of linearizability [13] takes event ordering inclusion ≺ H ⊆≺ S as condition L3 . However, it is not rigorous and misses an intricate case in which a pendingmethod call in H without real impact is excluded from cmplt (H ) and thus from S. That iswhy we take ≺ cmplt (H ) instead in the third condition.The above legal sequential history S is called a linearization of H. H may have more thanone linearization. E.g. if two concurrent complete method calls m, m operate on differentobjects, either one precedes the other could be legal in the final linearization. In this subsection, we deduce some properties of history for later usage in proving thecompositionality of linearizability. (cid:73)
Proposition 5.
Two histories H and H are equal if(1) e ∈ H ⇐⇒ e ∈ H (2) e ≺ H e ⇐⇒ e ≺ H e Proof.
This is a restatement of history equality. Condition 1 implies E H = E H whilecondition 2 implies ≺ H = ≺ H . (cid:74)(cid:73) Proposition 6.
Two sequential and complete histories H and H are equal if(1) m ∈ H ⇐⇒ m ∈ H (2) m ≺ H m ⇐⇒ m ≺ H m Proof. (a) e ∈ H ⇐⇒ ( m ( e ) is complete) ∧ ( m ( e ) ∈ H) ⇐⇒ m ( e ) ∈ H ⇐⇒ e ∈ H (b) Assume e ≺ H e , then there are two cases:(i) m ( e ) = m ( e ). That is, e and e are matching events. Then m ( e ) is also in H and e ≺ H e .(ii) m ( e ) = m ( e ). That is, e and e belong to two different complete method calls.There are four subcases on the types of e and e . In each subcase, we have m ≺ H m since a response event is the immediate successor of its matching invocation eventin a sequential history. By condition 2, we get m ≺ H m and then e ≺ H e .In both cases we have e ≺ H e = ⇒ e ≺ H e . Similarly, we have e ≺ H e = ⇒ e ≺ H e .By Proposition 5, we conclude that H and H are equal. (cid:74)(cid:73) Proposition 7. cmplt (H) is complete.
Proof. cmplt (H) does not have pending invocation events any more, therefore its maximalsubhistory without pending invocation events is itself. (cid:74)
X:8 A Constructive Proof On the Compositionality of Linearizability (cid:73)
Proposition 8.
If H is complete, then both H | o and H | p are complete. Proof. H | o and H | p do not have any pending invocation events. (cid:74)(cid:73) Proposition 9.
If H and H are equivalent, then m ∈ H ⇐⇒ m ∈ H . Proof. m ∈ H ⇐⇒ ∃ p ( m ∈ H | p ) ⇐⇒ ∃ p ( m ∈ H | p ) ⇐⇒ m ∈ H (cid:74)(cid:73) Proposition 10.
If H ⊆ H and e , e ∈ H, then e ≺ H e ⇐⇒ e ≺ H e . Proof.
By the definition of subhistory. (cid:74)(cid:73)
Proposition 11.
If H ⊆ H and m , m ∈ H, then m ≺ H m ⇐⇒ m ≺ H m . Proof.
By Proposition 10. (cid:74)(cid:73)
Proposition 12.
If H ⊆ H , then (H − H) | o = H | o − H | o . Proof. (a) It is obvious that H | o ⊆ H | o .(b) e h i, j, x, y, _ i ∈ (H − H) | o ⇐⇒ ( o x = o ) ∧ ( e h i, j, x, y, _ i ∈ H ) ∧ ( e h i, j, x, y, _ i / ∈ H) ⇐⇒ ( e h i, j, x, y, _ i ∈ H | o ) ∧ ( e h i, j, x, y, _ i / ∈ H | o ) ⇐⇒ e h i, j, x, y, _ i ∈ H | o − H | o (c) e ≺ (H − H) | o e ⇐⇒ ( e, e ∈ (H − H) | o ) ∧ ( e ≺ H − H e ) ⇐⇒ ( e, e ∈ H | o − H | o ) ∧ ( e ≺ H − H e ) ⇐⇒ ( e, e ∈ H | o ) ∧ ( e, e / ∈ H | o ) ∧ ( e ≺ H e ) ⇐⇒ ( e, e ∈ H | o ) ∧ ( e, e / ∈ H | o ) ∧ ( e ≺ H | o e ) ⇐⇒ e ≺ H | o − H | o e (cid:74)(cid:73) Proposition 13.
Assume H ⊆ H , H − H contains only response events and e , e areinvocation events, then:(1) e ∈ H ⇐⇒ e ∈ cmplt (H) ⇐⇒ e ∈ H ⇐⇒ e ∈ cmplt (H )(2) e ≺ H e ⇐⇒ e ≺ cmplt (H) e ⇐⇒ e ≺ H e ⇐⇒ e ≺ cmplt (H ) e Proof. cmplt (H), H and cmplt (H ) do not affect the orders between invocation events ofthe original H. (cid:74)(cid:73) Proposition 14. (H | o ) | p = (H | p ) | o aoxiang Lin XX:9 Proof. (a) e h i, j, x, y, _ i ∈ (H | o ) | p ⇐⇒ ( p i = p ) ∧ ( e h i, j, x, y, _ i ∈ H | o ) ⇐⇒ ( p i = p ) ∧ ( o x = o ) ∧ ( e h i, j, x, y, _ i ∈ H) ⇐⇒ ( e h i, j, x, y, _ i ∈ H | p ) ∧ ( o x = o ) ⇐⇒ e h i, j, x, y, _ i ∈ (H | p ) | o (b) e ≺ (H | o ) | p e ⇐⇒ e ≺ H | o e ⇐⇒ e ≺ H e ⇐⇒ e ≺ H | p e ⇐⇒ e ≺ (H | p ) | o e Therefore (H | o ) | p = (H | p ) | o . (cid:74)(cid:73) Proposition 15. cmplt (H | o ) = cmplt (H) | o . Proof. (a) e h i, j, x, y, _ i ∈ cmplt (H | o ) ⇐⇒ ( m ( e ) is complete) ∧ ( o x = o ) ⇐⇒ ( e h i, j, x, y, _ i ∈ cmplt (H)) ∧ ( o x = o ) ⇐⇒ e h i, j, x, y, _ i ∈ cmplt (H) | o (b) Because cmplt (H) and cmplt (H | o ) are also subhistories of H, we have e ≺ cmplt (H | o ) e ⇐⇒ e ≺ H | o e ⇐⇒ e ≺ H e ⇐⇒ e ≺ cmplt (H) e ⇐⇒ e ≺ cmplt (H) | o e Therefore cmplt (H | o ) = cmplt (H) | o . (cid:74) (cid:73) Theorem 16.
H is linearizable if and only if, for each object o , H | o is linearizable. We prove “only if” and “if” parts separately. (cid:73)
Lemma 17.
H is linearizable only if for each object o , H | o is linearizable. Proof.
Suppose S is one linearization of history H, and H is the corresponding extension.We claim that S | o is a linearization of H | o whose extension is just H | o .(a) H | o is a history since H is a history, and it is obviously that H | o ⊆ H | o . SinceH | o − H | o = (H − H) | o by Proposition 12 and H − H contains only response events,H | o − H | o contains only response events too.(b) S is a legal, sequential and complete history, therefore S | o is also a legal, sequential andcomplete history.(c) Because cmplt (H ) is equivalent to S, cmplt (H ) | p = S | p .(d) cmplt (H | o ) | p = ( cmplt (H ) | o ) | p by Proposition 15= ( cmplt (H ) | p ) | o by Proposition 14= (S | p ) | o = (S | o ) | p Thus cmplt (H | o ) is equivalent to S | o . X:10 A Constructive Proof On the Compositionality of Linearizability (e) m ≺ cmplt (H | o ) m = ⇒ m ≺ cmplt (H ) | o m = ⇒ m ≺ cmplt (H ) m = ⇒ m ≺ S m = ⇒ m ≺ S | o m since m, m ∈ S | o (cid:74)(cid:73) Lemma 18.
H is linearizable if for each object o , H | o is linearizable. The original proof [14, 9, 13, 12] of this lemma is a proof of existence, by demonstratinga global partial ordering among object linearizations exists. Our idea, inspired by MultiwayMerge Algorithm [6], is to construct the final linearization directly without building suchglobal partial ordering. The following Algorithm 1 shows the details for finite histories. Thealgorithmic step 3 always succeeds because invocation events in each S o are also in H byProposition 13, and events in H are already well-ordered. Algorithm 1
Construct a linearization from object linearizations
Input: n objects { o , o , · · · , o n } ;A history H and its object subhistories { H o , H o , · · · , H o n } ;Linearizations of object subhistories { S o , S o , · · · , S o n } ; Output:
A linearization S of H; INITIALIZE S = h∅ , ∅i while some S o = h∅ , ∅i do Select a method call m ∈ S o i , whose invocation event is least in H S o i ← S o i − m S ← S ∗ m end while We briefly discuss the asymptotic time and space complexity. Suppose there are Pprocesses and N events in H in which P (cid:28)
N. Although there may be r ∈ [0, P] pendinginvocation events in H, we assume the total event number of all linearizations of objectsubhistories equals to N for simplicity since P (cid:28) N. Events are associated with unique integertime stamps (may be P-ary vector clocks in practice) to determine their order. Thus, ouralgorithm finishes in O (N × log P) running time with O (N) space. A typical algorithm in theoriginal compositionality proof has two steps: the global partial ordering construction using aDAG runs in O (N ) time with O (N+ | Edges | ) space, in which | Edges |∈ [ N2 − P , N × (N − ];the topological sorting runs in O (N+ | Edges | ) time with O (N+ | Edges | ) space. Proof.
Let (H | o ) be an extension of H | o such that (H | o ) − H | o contains only response events,and S o be the corresponding linearization. We construct a sequential history S = h E S , ≺ S i as: E S = [ o E S o ≺ S = ( [ o ≺ S o ) [ {h e, e i | ∃ m, m , o i , o j (( e ∈ m ∈ S o i ) ∧ ( e ∈ m ∈ S o j ) ∧ ( i = j ) ∧ ( inv ( m ) ≺ H inv ( m ))) } aoxiang Lin XX:11 Beware the fact that events in (H | o i ) − H | o i have no causality with those in both(H | o j ) − H | o j and H | o j if i = j . Therefore, we could give them an arbitrary ordering. Nowwe construct the extension history H : E H = [ o E (H | o ) ≺ H = ( [ o ≺ (H | o ) ) [ {h e, e i | ( e ∈ H | o i ) ∧ ( e ∈ (H | o j ) − H | o j ) ∧ ( i = j ) } [ {h e, e i | ( e ∈ (H | o i ) − H | o i ) ∧ ( e ∈ (H | o j ) − H | o j ) ∧ ( i < j ) } We have the following facts on the constructed S and H :(a) S is a history. It is obvious that ≺ S is a linear ordering. Suppose A is a non-empty subsetof E S . Then Π = { A i | ( A i = A T E S oi ) ∧ ( A i is not empty) } is a partition of A becauseall E S oi are pair-wisely disjoint. The set { e | e = inv ( m ( e i )) where e i is the least of A i } does exist since each A i is well-ordered under ≺ S oi . Let e ? be the least event of such finiteset. Then, either e ? or its matching response event is the least element of A dependingon whether e ? ∈ A or not. Thus ≺ S is a well ordering.Similarly, H is a history too.(b) S | o = S o and H | o = (H | o ) (c) m ∈ S if and only if there exists an object o such that m ∈ S o (d) m ∈ cmplt (H ) if and only if m ∈ S because: m ∈ cmplt (H ) ⇐⇒ ∃ o ( m ∈ cmplt (H ) | o ) ⇐⇒ ∃ o ( m ∈ cmplt (H | o )) by Proposition 15 ⇐⇒ ∃ o ( m ∈ cmplt ((H | o ) )) ⇐⇒ ∃ o ( m ∈ S o ) since cmplt ((H | o ) ) and S o are equivalent ⇐⇒ m ∈ S by the construction of SWe claim that S is the linearization of H, and H is the corresponding extension.First, E H − H = ( S o E (H | o ) ) \ E H = S o ( E (H | o ) \ E H | o ) = S o E (H | o ) − H | o . This is a setcontaining only response events.Second, S is sequential because:(a) The least event e ? of S is also the least one of some S o . Since S o is a sequential history, e ? is an invocation event.(b) Let m = h inv, resp i be a complete method call. Suppose there exists a third event e ∈ m that inv ≺ S e ≺ S resp . Then m and m are from different S o since each S o is asequential history. However, inv ≺ S e implies that inv ≺ H inv ( m ), then resp ≺ S e bythe construction of S. Such contradiction explains that the immediate successor of aninvocation event must be its matching response event.(c) Let e be a response event and e be its immediate successor in S. Let m and m be thetwo events’ belonging method calls. If m and m are from the same S o , then e mustbe an invocation event since S o is sequential. If m and m are from different S o and e is a response event, e ≺ S e implies that inv ( m ) ≺ H inv ( m ), then e ≺ S inv ( m ) ≺ S e .Such contradiction means that the immediate successor of a response event must be aninvocation event.Third, S is a legal history because S is sequential and S | o = S o which is the linearizationof a single-object history.Fourthly, for two different method calls m and m , if m ≺ cmplt (H ) m , then m ≺ S m : X:12 A Constructive Proof On the Compositionality of Linearizability (a) Both m and m are on the same object: m ≺ cmplt (H ) m = ⇒ ∃ o (( m, m ∈ cmplt (H ) | o ) ∧ ( m ≺ cmplt (H ) m ))= ⇒ m ≺ cmplt (H ) | o m = ⇒ m ≺ cmplt (H | o ) m = ⇒ m ≺ cmplt ((H | o ) ) m = ⇒ m ≺ S o m since S o is a linearization= ⇒ m ≺ S m (b) m and m are on different objects: m ≺ cmplt (H ) m = ⇒ ∃ o i , o j (( i = j ) ∧ ( m ∈ cmplt (H ) | o i ) ∧ ( m ∈ cmplt (H ) | o j ) ∧ ( m ≺ cmplt (H ) m ))= ⇒ inv ( m ) ≺ cmplt (H ) resp ( m ) ≺ cmplt (H ) inv ( m )= ⇒ inv ( m ) ≺ H inv ( m ) by Proposition 13= ⇒ inv ( m ) ≺ S resp ( m ) ≺ S inv ( m ) ≺ S resp ( m )= ⇒ m ≺ S m Finally, S is equivalent to cmplt (H ) because:(a) cmplt (H ) | p and S | p are sequential and complete histories.(b) m h i, j, x, y, _ i ∈ cmplt (H ) | p ⇐⇒ ( p i = p ) ∧ ( m h i, j, x, y, _ i ∈ cmplt (H )) ⇐⇒ ( p i = p ) ∧ ( m h i, j, x, y, _ i ∈ S) ⇐⇒ m h i, j, x, y, _ i ∈ S | p (c) m h i, j, x, y, _ i ≺ cmplt (H ) | p m h r, s, u, v, _ i⇐⇒ ( m h i, j, x, y, _ i ≺ cmplt (H ) m h r, s, u, v, _ i ) ∧ ( p i = p r = p ) ⇐⇒ ( m h i, j, x, y, _ i ≺ S m h r, s, u, v, _ i ) ∧ ( p i = p r = p ) ⇐⇒ m h i, j, x, y, _ i ≺ S | p m h r, s, u, v, _ i We complete the proof and conclude that S is indeed the linearization of H. (cid:74)
Our contribution is twofold. First, we propose a new hierarchical system model to reasonabout concurrent properties not limited to linearizability. Histories are defined as countablewell-ordered structures of events to deal with both finite and infinite executions, and revealprecisely the internal event ordering. This definition has advantages of simplicity andextensibility over a simple sequence. Second, we present a new constructive proof on thecompositionality theorem of linearizability. The proof deduces a more theoretically efficientMultiway Merge alike algorithm to generate a final linearization without the need to buildthe global partial ordering. aoxiang Lin XX:13
Since objects are defined in a hierarchical way by induction, it is possible to unwind ahistory on high level objects to another one on low level objects, or to fold a history onlow level objects conversely. Let o = h{ o , o , · · · , o n } , { op , op , · · · , op k }i be a compositeobject. Informally, if we replace each method call in H | o with effect-equivalent consecutivemethod calls on o i ∈ [1 ,n ] , we say the resulted H c is a concretization of H on o . On contrary,we aggregate all maximal consecutive method calls on o i ∈ [1 ,n ] in each H | p into individualeffect-equivalent method calls on o , and the final H s is called the summarization of H on o .To be noted, we need to assure they are histories.Thus, one interesting and natural future work is to study property preservation acrosssystem layers by history concretization and summarization. It is not surprising that historysummarization may break linearizability because operation semantics could change acrosslayers. Find out the exact conditions under which linearizability holds upward will guide usin bottom-up system construction and verification [4, 25, 5, 24, 27].Another work is to automatically optimize linearizable implementation. After havingidentified the linearizable region through history concretization, code motion technique [2, 21]may be used to move program statements unrelated to linearizability out of such regionto boost synchronization performance (e.g. people use coarse-grained locking). It is alsopromising to apply our methodology and the hierarchical viewpoint to other propertiessuch as sequential consistency [16], eventual consistency [26, 22], wait-freedom [10] andobstruction-freedom [11]. References Yehuda Afek, Hagit Attiya, Danny Dolev, Eli Gafni, Michael Merritt, and Nir Shavit.Atomic snapshots of shared memory.
J. ACM , 40(4):873–890, September 1993. URL: http://doi.acm.org/10.1145/153724.153741 , doi:10.1145/153724.153741 . Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman.
Compilers: Principles, Techniques, andTools . Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1986. Christel Baier and Joost-Pieter Katoen.
Principles of model checking . MIT Press, 2008. Sebastian Burckhardt, Chris Dern, Madanlal Musuvathi, and Roy Tan. Line-up: Acomplete and automatic linearizability checker. In
Programming Language Design andImplementation (PLDI) . Association for Computing Machinery, Inc., June 2010. URL: http://research.microsoft.com/apps/pubs/default.aspx?id=121499 . Robert Colvin, Lindsay Groves, Victor Luchangco, and Mark Moir. Formal verification ofa lazy concurrent list-based set. In
In 18th CAV , pages 475–488. Springer, 2006. Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein.
Introductionto Algorithms, Third Edition . The MIT Press, 3rd edition, 2009. H. B. Enderton.
Elements of Set Theory . Academic Press, 1977. Rachid Guerraoui and Eric Ruppert. Linearizability is not always a safety property. In
Networked Systems - Second International Conference, NETYS 2014, Marrakech, Morocco,May 15-17, 2014. Revised Selected Papers , pages 57–69, 2014. URL: http://dx.doi.org/10.1007/978-3-319-09581-3_5 , doi:10.1007/978-3-319-09581-3_5 . M. P. Herlihy and J. M. Wing. Axioms for concurrent objects. In
POPL ’87: Proceedingsof the 14th ACM SIGACT-SIGPLAN symposium on Principles of programming languages ,pages 13–26, New York, NY, USA, 1987. ACM. URL: http://portal.acm.org/citation.cfm?id=41627 , doi:http://doi.acm.org/10.1145/41625.41627 . Maurice Herlihy. Wait-free synchronization.
ACM Trans. Program. Lang. Syst. , 13(1):124–149, January 1991. URL: http://doi.acm.org/10.1145/114005.102808 , doi:10.1145/114005.102808 . X:14 A Constructive Proof On the Compositionality of Linearizability Maurice Herlihy, Victor Luchangco, and Mark Moir. Obstruction-free synchronization:Double-ended queues as an example. In
Proceedings of the 23rd International Conferenceon Distributed Computing Systems , ICDCS ’03, pages 522–, Washington, DC, USA, 2003.IEEE Computer Society. URL: http://dl.acm.org/citation.cfm?id=850929.851942 . Maurice Herlihy and Nir Shavit.
The Art of Multiprocessor Programming . Morgan Kaufman,April 2008. Maurice Herlihy and Jeannette M. Wing. Linearizability: A correctness condition forconcurrent objects.
ACM Transactions on Programming Languages and Systems , 12(3):463–492, July 1990. Maurice P. Herlihy and Jeannette M. Wing. Axioms for concurrent objects. TechnicalReport CMU-CS-86-154, Carnegie Mellon Computer Sciences, 1986. Thomas Kropf.
Introduction to Formal Hardware Verification . Springer, 1999. L. Lamport. How to make a multiprocessor computer that correctly executes multiprocessprograms.
IEEE Trans. Comput. , 28(9):690–691, September 1979. URL: http://dx.doi.org/10.1109/TC.1979.1675439 , doi:10.1109/TC.1979.1675439 . L. Lamport. The mutual exclusion problem: Part I — the theory of interprocess commu-nication.
J. of the ACM , 33(2):313, April 1986. L. Lamport. The mutual exclusion problem: Part II — statement and solutions.
J. of theACM , 33(2):327, April 1986. Haoxiang Lin. On the well extension of partial well orderings, July 27 2015. URL: http://arxiv.org/abs/1503.06514 . Zohar Manna and Amir Pnueli. Completing the temporal picture.
Theoretical ComputerScience , 83(1):97–130, 1991. Flemming Nielson, Hanne Riis Nielson, and Chris Hankin.
Principles of Program Analysis .Springer, 2010. Marco Serafini, Dan Dobre, Matthias Majuntke, Péter Bokor, and Neeraj Suri. Even-tually linearizable shared objects. In
Proceedings of the 29th ACM SIGACT-SIGOPSSymposium on Principles of Distributed Computing , PODC ’10, pages 95–104, NewYork, NY, USA, 2010. ACM. URL: http://doi.acm.org/10.1145/1835698.1835723 , doi:10.1145/1835698.1835723 . E. Szpilrajn. Sur l’extension de l’ordre partiel.
Fund. Math. , 16:386–389, 1930. Viktor Vafeiadis. Proving correctness of highlyconcurrent linearisable objects. In
In PPoPP ,pages 129–136. ACM Press, 2006. Viktor Vafeiadis. Shape-value abstraction for verifying linearizability. In
Verification, ModelChecking, and Abstract Interpretation , pages 335–348. Springer, 2009. Werner Vogels. Eventually consistent.
Commun. ACM , 52(1):40–44, January 2009. URL: http://doi.acm.org/10.1145/1435417.1435432 , doi:10.1145/1435417.1435432 . Oren Zomer, Guy Golan-Gueta, G. Ramalingam, and Mooly Sagiv. Checking lineariz-ability of encapsulated extended operations. In
Programming Languages and Systems - , pages 311–330, 2014. URL: http://dx.doi.org/10.1007/978-3-642-54833-8_17 , doi:10.1007/978-3-642-54833-8_17doi:10.1007/978-3-642-54833-8_17