Abstract
While causal consistency is one of the most fundamental consistency models weaker than sequential consistency, the decidability of safety verification for (finite-state) concurrent programs running under causally consistent shared memories is still unclear. In this article, we establish the decidability of this problem for two standard and well-studied variants of causal consistency. To do so, for each variant, we develop an equivalent “lossy” operational semantics, whose states track possible futures, rather than more standard semantics that record the history of the execution. We show that these semantics constitute well-structured transition systems, thus enabling decidable verification. Based on a key observation, which we call the “shared-memory causality principle,” the two novel semantics may also be of independent use in the investigation of weakly consistent models and their verification. Interestingly, our results are in contrast to the undecidability of this problem under the Release/Acquire fragment of the C/C++11 memory model, which forms another variant of causally consistent memory that, in terms of allowed outcomes, lies strictly between the two models studied here. Nevertheless, we show that all three variants coincide for write/write-race-free programs, which implies the decidability of verification for such programs under Release/Acquire.
1 INTRODUCTION
Causal consistency is one of the most fundamental consistency models weaker than sequential consistency, and it is especially common and well studied in distributed data stores (see, e.g., References [44, 57]). Roughly speaking, unlike sequential consistency, causal consistency allows nodes to disagree on the relative order of some operations, requiring global consensus only on the order of “causally related” operations. This allows scalable, partition-tolerant, and available implementations, and is considered an “optimal tradeoff between user-perceived correctness and coordination overhead” [57]. Nowadays, causal consistency also plays a central role in shared memory multithreaded programming. For instance, the Release/Acquire fragment (RA) of the C/C++11 standard [15, 27, 28], which specifies the guarantees C and C++ ensure for their widely used
Despite their centrality, until recently not much was known about the safety verification problem under causal consistency models. That is: Can we automatically verify that a given program satisfies a certain safety specification (e.g., it never crashes) when it runs under a causally consistent memory? When the program’s data domain is bounded, this verification problem is trivially decidable under sequential consistency (SC). Indeed, such a program can be represented as a finite-state transition system; the SC memory constitutes another finite-state system; and their synchronization is easily expressible as a finite-state system as well. However, if the memory does not ensure sequential consistency but rather provides weaker consistency guarantees (causal consistency, in particular), then the decidability of the safety verification problem becomes completely unclear.
The challenge arises since causally consistent memories are inherently infinite-state. In these models, threads may generally read from an unbounded past, and whether or not a thread can read some value depends on the arbitrarily long execution history. More technically speaking, by “operationalizing” the declarative (a.k.a. axiomatic) formulations of causal consistency, one obtains infinite-state machines where each state records the (partially ordered) unbounded execution history that led to this state (either explicitly or implicitly using, e.g., timestamps). More concrete evidence of this verification challenge is provided by the reduction of Atig et al. [12] from reachability in lossy FIFO channel machines to safety verification under x86-TSO semantics. This reduction straightforwardly applies to causally consistent models, which implies a non-primitive-recursive lower bound on the safety verification problem under causal consistency. In fact, Abdulla et al. [2] recently proved that for the \( {\mathsf {RA}} \) fragment of C/C++11 this verification problem is undecidable.
The main contribution of this article is a novel operational semantics for two causally consistent models that is equivalent to their original semantics and allows us to establish the decidability of safety verification for these models. The two models, called Strong Release/Acquire (SRA) and Weak Release/Acquire (WRA), are standard, well-studied variants of causal consistency. The \( {\mathsf {SRA}} \) model is the causal consistency model employed in distributed data stores, as defined in [19]. As shown in [36], it also precisely captures the guarantees provided by the POWER architecture for programs compiled from C/C++’s \( {\mathsf {RA}} \) fragment. In turn, the \( {\mathsf {WRA}} \) model provides the most minimal guarantees required from a model to satisfy causal consistency; it is equivalent to the model called CC studied in [17], and it has been considered a useful candidate for shared-memory concurrency semantics [31, 34].1
The key idea in the new semantics for the \( {\mathsf {SRA}} \) or \( {\mathsf {WRA}} \) memory models is that, instead of keeping track of the execution past (a.k.a. history) in the system’s states as often done in weakly consistent models, we maintain the possible execution future. Concretely, the states of the new memory systems record the potential of each thread that prescribes what sequences of operations the thread may perform. Thus, read transitions are simple—they deterministically consume a prefix of the potential. The complexity is left to write transitions that non-deterministically “set the future”: what the thread will read from the executed write and when. This requires us to identify how to increase the potentials of the threads when a write is performed in a way that is defined solely in terms of the threads’ potentials before the write, and is both sound (sufficiently constrained to ensure only causally consistent behaviors) and complete (sufficiently free to allow every causally consistent behavior). To do so, we identify a key property that characterizes causal consistency in terms of the threads’ potentials, which we call the shared-memory causality principle (see Section 5). We prove the correspondence of our semantics to \( {\mathsf {SRA}} \)’s and \( {\mathsf {WRA}} \)’s original formulations using simulation arguments (forward simulation for one direction and backward simulation for the converse). We believe that the framework of potential-based semantics may be applicable for other variants of causal consistency and also beyond the context of causal consistency.
Decidability of verification in the new semantics follows by using the framework of well-structured transition systems [1, 8, 25]. Intuitively speaking, this framework allows one to establish decidability of control state reachability under infinite-state “lossy” systems, where (i) states may non-deterministically forget some information they include, and (ii) the relation determining whether one state is obtained from another by losing information constitutes a well-quasi-ordering.
When states consist of execution histories, this approach cannot be applied. First, in many cases, forgetting information from an execution history results in strictly weaker constraints that allow outcomes that cannot be obtained without losing the information. Second, execution histories are only partially ordered, and embedding between (general) partial orders is not a well-quasi-ordering. However, the potential-based semantics, which tracks possible futures, easily lends itself to verification in this framework. It is naturally “lossy”: losing some parts of a possible potential never allows for additional behaviors. In addition, unlike histories, potentials are represented using total orders (lists of future actions), whose embedding relation (based on the ordinary subsequence relation) is a well-quasi-ordering.
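The well-quasi-ordering underlying this argument is subsequence embedding over a finite alphabet of future actions. As a minimal illustration (our own sketch, not code from the article's formal development), the embedding check is a standard subsequence test:

```python
def embeds(small, large):
    """True iff `small` is a (not necessarily contiguous) subsequence
    of `large`.  Losing elements of a potential moves down in this
    ordering, so `large` allows every behavior of `small`."""
    it = iter(large)
    # each element of `small` must appear in `large`, in order;
    # `x in it` consumes the iterator, preserving relative order
    return all(x in it for x in small)
```

By Higman's lemma, this relation over a finite alphabet is a well-quasi-ordering: in every infinite sequence of words, some word embeds into a later one, which is exactly what the well-structured-transition-system framework requires.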
Interestingly, the \( {\mathsf {RA}} \) model, which induces an undecidable verification problem [2], is placed in between \( {\mathsf {WRA}} \) and \( {\mathsf {SRA}} \)—the behaviors allowed under \( {\mathsf {SRA}} \) are a subset of those allowed by \( {\mathsf {RA}} \), which are a subset of those allowed by \( {\mathsf {WRA}} \). Thus, if one is specifically interested in verification under \( {\mathsf {RA}} \), then our results provide both an over-approximation (successful verification under \( {\mathsf {WRA}} \) implies safety under \( {\mathsf {RA}} \)) and an under-approximation (a bug under \( {\mathsf {SRA}} \) implies a bug under \( {\mathsf {RA}} \)). Furthermore, we show that \( {\mathsf {RA}} \), \( {\mathsf {SRA}} \), and \( {\mathsf {WRA}} \) coincide on write/write-race-free programs, and hence, we obtain the decidability of safety verification also under \( {\mathsf {RA}} \) for this large and widely used class of programs (see Section 3.2).
Outline. The rest of this article is organized as follows. In Section 2, we define the safety verification problem under general declarative models. In Section 3, we present the \( {\mathsf {WRA}} \), \( {\mathsf {RA}} \), and \( {\mathsf {SRA}} \) declarative models and prove that they coincide for write/write-race-free programs. In Section 4, we present operational presentations of these models and define their induced reachability problem. In Sections 5 and 6, we introduce our novel operational lossy semantics of \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) based on the “shared-memory causality principle” (starting with \( {\mathsf {SRA}} \), since its semantics is simpler). In Section 7, we establish the correspondence of the lossy systems to the original semantics. In Section 8, we show how the lossy systems are used to decide the safety verification problem. In Section 9, we survey related work. We conclude and discuss several avenues for future work in Section 10. Appendix A presents the full proofs of the equivalence results sketched in Section 7.
To establish confidence, we have formalized the equivalence proofs in the Coq proof assistant. Claims that were proved in Coq are marked with a dedicated symbol, and the formalization is available at https://www.cs.tau.ac.il/~orilahav/papers/causal_verification/.
Differences with the conference version of this article. This article is an extension and a continuation of the conference paper [35]. The latter studied only the \( {\mathsf {SRA}} \) model and naturally skipped most of the proofs. In turn, in this article, we show that the potential technique is more widely applicable, by extending it to the much weaker \( {\mathsf {WRA}} \) model. Thus, interestingly, we “surround” the \( {\mathsf {RA}} \) model, whose verification problem is undecidable, with two models, one stronger and one weaker, for both of which we establish the decidability of verification. We also include more examples, detailed discussions, proof outlines, and full proofs.
2 PRELIMINARIES: SAFETY VERIFICATION UNDER DECLARATIVE MODELS
In this section, we describe the safety verification problem for finite-state concurrent programs running under a (general) declarative memory model. For this matter, we introduce a toy programming language and the interpretation of its programs as transition systems (Section 2.1) and present the generic framework of declarative shared-memory semantics using execution graphs (Section 2.2).
2.1 Programming Language
Let \( \mathsf {Val}\subseteq {\mathbb {N}} \), \( \mathsf {Loc}\subseteq \lbrace {\mathtt { x},\mathtt { y},\ldots }\rbrace \), \( \mathsf {Reg}\subseteq \lbrace {\mathtt { a},\mathtt { b},\ldots }\rbrace \), and \( \mathsf {Tid}\subseteq \lbrace {\mathtt {T}_1,\mathtt {T}_2,\ldots }\rbrace \) be finite sets of values, (shared) memory locations, register names, and thread identifiers, respectively. Figure 1 presents our toy programming language. Its expressions are constructed from registers (local variables) and values. Instructions include assignments and conditional branching, as well as memory operations. Intuitively speaking, an assignment \( r\;{:=}\;e \) assigns the value of \( e \) to register \( r \) (involving no memory access); \( {\bf {\texttt {if}}} \; e \; {\bf {\texttt {goto}}} \; n \) sets the program counter to \( n \) iff the value of \( e \) is not 0; a “write” \( {x}\;{:=}\;e \) stores the value of \( e \) in \( {x} \); a “read” \( r \;{:=}\;{x} \) loads the value of \( {x} \) to register \( r \); \( r \;{:=}\;{\bf {\texttt {FADD}}}({{x}},{e}) \) atomically increments \( {x} \) by the value of \( e \) and loads the old value of \( {x} \) to \( r \); \( r \;{:=}\;{\bf {\texttt {XCHG}}}({{x}},{e}) \) atomically swaps \( {x} \) to the value of \( e \) and loads the old value of \( {x} \) to \( r \); and \( r \;{:=}\;{\bf {\texttt {CAS}}}({{x}},{e_{\mathtt {R}}},{e_{\mathtt {W}}}) \) atomically loads the value of \( {x} \) to \( r \), compares it to the value of \( e_{\mathtt {R}} \), and if the two values are equal, replaces the value of \( {x} \) by the value of \( e_{\mathtt {W}} \).
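As a point of reference for the atomic instructions just described, here is an illustrative Python sketch of their effect on a sequentially consistent memory, with a single lock standing in for the atomicity of each update (the class and method names are ours, not part of the language definition):

```python
import threading

class SCMemory:
    """Sequentially consistent shared memory: every operation takes
    effect in one indivisible global step, modeled here by a lock."""
    def __init__(self):
        self._mem = {}
        self._lock = threading.Lock()

    def write(self, x, v):
        with self._lock:
            self._mem[x] = v

    def read(self, x):
        with self._lock:
            return self._mem[x]

    def fadd(self, x, e):
        # FADD: atomically increment x by e, return the old value
        with self._lock:
            old = self._mem[x]
            self._mem[x] = old + e
            return old

    def xchg(self, x, e):
        # XCHG: atomically set x to e, return the old value
        with self._lock:
            old = self._mem[x]
            self._mem[x] = e
            return old

    def cas(self, x, expected, new):
        # CAS: atomically read x; if it equals `expected`, set it to
        # `new`; in either case return the value that was read
        with self._lock:
            old = self._mem[x]
            if old == expected:
                self._mem[x] = new
            return old
```

Note that, as in the language above, CAS loads the old value into the target register regardless of whether the comparison succeeds.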
Fig. 1. Domains, metavariables, and programming language syntax.
A sequential program \( S \) is a function from a finite subset of \( {\mathbb {N}}=\lbrace {0,1,2,\ldots }\rbrace \) (possible values of the program counter) to instructions. We denote by \( \mathsf {SProg} \) the set of all sequential programs. A (concurrent) program \( {P} \) is a top-level parallel composition of sequential programs, defined as a mapping from the set \( \mathsf {Tid} \) of thread identifiers to \( \mathsf {SProg} \). In our examples, we often write sequential programs as sequences of instructions delimited by line breaks, use “\( \parallel \)” for parallel composition, ignore threads that are mapped to the empty sequential program, and refer to the program threads as \( \mathtt {T}_1,\mathtt {T}_2,\ldots \) following their left-to-right order in the program listing (see, e.g., Example 3.3 on page 9).
Sequential and concurrent programs induce labeled transition systems.
Labeled transition systems. A labeled transition system(LTS) \( {A} \) over an alphabet \( \Sigma \) is a triple \( {\langle {Q,Q_0,T}\rangle } \), where \( Q \) is a set of states, \( Q_0\subseteq Q \) is the set of initial states, and \( T\subseteq Q\times \Sigma \times Q \) is a set of transitions. We denote by \( {A}.{\mathtt {Q}} \), \( {A}.{\mathtt {Q}_0} \) and \( {A}.{\mathtt {T}} \) the three components of an LTS \( {A} \); write \( \mathrel {{\xrightarrow {\sigma }}}_{A} \) for the relation \( \lbrace {{\langle {q,q^{\prime }}\rangle } \; | \;{\langle {q,\sigma ,q^{\prime }}\rangle }\in {} {A}.{\mathtt {T}}}\rbrace \) and \( \mathrel {{\xrightarrow {}}}_{A} \) for \( \bigcup _{\sigma \in \Sigma } \mathrel {{\xrightarrow {\sigma }}}_{A} \). A state \( q\in {A}.{\mathtt {Q}} \) is reachable in \( {A} \) if \( q_0 \mathrel {{\xrightarrow {}}}^{\mathchoice{\displaystyle *}{\textstyle *}{\scriptstyle *}{\scriptscriptstyle *}}_{A}q \) for some \( q_0\in {A}.{\mathtt {Q}_0} \). A sequence \( \sigma _1 ,\ldots , \sigma _n \) is a trace of \( {A} \) if \( q_0 \mathrel {{\xrightarrow {\sigma _1}}}_{{A}} \mathinner {\cdotp \hspace{-1.111pt}\cdotp \hspace{-1.111pt}\cdotp }\mathrel {{\xrightarrow {\sigma _n}}}_{{A}} q \) for some \( q_0\in {A}.{\mathtt {Q}_0} \) and \( q \in {A}.{\mathtt {Q}} \). The set of predecessors of a set \( S\subseteq {A}.{\mathtt {Q}} \) w.r.t. a symbol \( \sigma \in \Sigma \), denoted by \( \mathsf {pred}^{\sigma }_{{A}}({S}) \), is given by \( \lbrace {q\in {A}.{\mathtt {Q}}\; | \;\exists q^{\prime }\in S.\; q \mathrel {{\xrightarrow {\sigma }}}_{A}q^{\prime }}\rbrace \). The set of predecessors of a set \( S\subseteq {A}.{\mathtt {Q}} \), denoted by \( \mathsf {pred}_{{A}}({S}) \), is given by \( \bigcup _{\sigma \in \Sigma } \mathsf {pred}^{\sigma }_{{A}}({S}) \).
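For finite LTSs, the notions above can be encoded directly. The following illustrative sketch (our own, with states and transitions as Python sets) computes the reachable states and the predecessor sets:

```python
from collections import deque

class LTS:
    """A labeled transition system <Q, Q0, T>, with T a set of
    (state, symbol, state) triples; Q is assumed finite here."""
    def __init__(self, states, initial, transitions):
        self.Q, self.Q0, self.T = set(states), set(initial), set(transitions)

    def reachable(self):
        """All states q with q0 ->* q for some initial state q0 (BFS)."""
        seen, frontier = set(self.Q0), deque(self.Q0)
        while frontier:
            q = frontier.popleft()
            for (p, _, q2) in self.T:
                if p == q and q2 not in seen:
                    seen.add(q2)
                    frontier.append(q2)
        return seen

    def pred(self, S, sigma=None):
        """Predecessors of S w.r.t. symbol sigma (any symbol if None)."""
        return {p for (p, a, q) in self.T
                if q in S and (sigma is None or a == sigma)}
```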
For sequential programs the alphabet \( \Sigma \) is the set of labels (extended with \( \varepsilon \) for silent transitions), as defined next.
A label is either \( {{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \) (read label), \( {{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \) (write label) or \( {{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \) (read-modify-write label), where \( {x}\in \mathsf {Loc} \) and \( v_{\mathtt {R}},v_{\mathtt {W}}\in \mathsf {Val} \). We denote by \( \mathsf {Lab} \) the set of all labels. The functions \( {\mathtt {typ}} \), \( {\mathtt {loc}} \), \( {\mathtt {val}_{\mathtt {R}}} \), and \( {\mathtt {val}_{\mathtt {W}}} \) return (when applicable) the type (\( {\mathtt {R}}/{\mathtt {W}}/{\mathtt {RMW}} \)), location, read value, and written value, respectively, of a given label \( {l}\in \mathsf {Lab} \).
A sequential program \( S\in \mathsf {SProg} \) induces an LTS over \( \mathsf {Lab}\cup \lbrace {\varepsilon }\rbrace \). Its states are pairs \( s={\langle {\mathit {pc},\phi }\rangle } \) where \( pc\in {\mathbb {N}} \) (called program counter) and \( \phi :\mathsf {Reg}\rightarrow \mathsf {Val} \) (called local store, and extended to expressions in the obvious way). Its only initial state is \( {\langle {0,\lambda r \in \mathsf {Reg}.\, 0}\rangle } \) and its transitions are given in Figure 2, following the informal description above. Note that at this level, the loaded values are not restricted whatsoever, so that, in particular, a read instruction in \( S \) induces \( |{\mathsf {Val}}| \) transitions with different read values. The execution of a sequential program \( S \) terminates when \( \mathit {pc} \) reaches a value that is not in the domain of \( S \). In the sequel, we identify sequential programs with their induced LTSs (when writing, e.g., \( S.{\mathtt {Q}} \) and \( \mathrel {{\xrightarrow {}}}_S \) for a sequential program \( S \)).
Fig. 2. Transitions of LTS induced by a sequential program \( S\in \mathsf {SProg} \) .
In turn, a concurrent program \( {P} \) is identified with an LTS over the alphabet \( \mathsf {Tid}\times (\mathsf {Lab}\cup \lbrace {\varepsilon }\rbrace) \). Its states are functions, denoted by \( \overline{p} \), assigning a state in \( {P}({\tau }).{\mathtt {Q}} \) to every \( {\tau }\in \mathsf {Tid} \); its initial states set is \( \lbrace {\overline{p}\; | \;\forall {\tau }.\; \overline{p}({\tau })\in {P}({\tau }).{\mathtt {Q}_0}}\rbrace \); and its transitions are “interleaved transitions” of \( {P} \)’s components, given by

2.2 Declarative Memory Models and their Reachability Problem
A declarative memory model is formulated as a collection of constraints on execution graphs, which determine the consistent execution graphs—the ones allowed by the model. Each execution graph describes a (partially ordered) history of a particular program run. Next, we present the general notions used to assign such semantics to concurrent programs. First, we define execution graphs, starting with their nodes, called events.
An event is a triple \( e={\langle {{{\tau }},{n},{{l}}}\rangle } \), where \( {\tau }\in \mathsf {Tid} \) is a thread identifier, \( n\in {\mathbb {N}} \) is a serial number and \( {l}\in \mathsf {Lab} \) is a label (of the form \( {{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \), \( {{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \) or \( {{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \), as defined in Definition 2.1). The function \( {\mathtt {tid}} \) returns the thread identifier of an event. The functions \( {\mathtt {typ}} \), \( {\mathtt {loc}} \), \( {\mathtt {val}_{\mathtt {R}}} \) and \( {\mathtt {val}_{\mathtt {W}}} \) are lifted to events in the obvious way. We denote by \( \mathsf {E} \) the set of all events, and use \( \mathsf {R},\mathsf {W},\mathsf {RMW} \) for its subsets: \( \mathsf {R}\triangleq \lbrace {e\; | \;{\mathtt {typ}}(e)\in \lbrace {{\mathtt {R}},{\mathtt {RMW}}}\rbrace }\rbrace \), \( \mathsf {W}\triangleq \lbrace {e\; | \;{\mathtt {typ}}(e)\in \lbrace {{\mathtt {W}},{\mathtt {RMW}}}\rbrace }\rbrace \) and \( \mathsf {RMW}\triangleq \mathsf {R}\cap \mathsf {W} \). Sub/superscripts are used to restrict these sets to a certain location (e.g., \( \mathsf {W}_{x}=\lbrace {w\in \mathsf {W}\; | \;{\mathtt {loc}}(w)={x}}\rbrace \)) and/or thread identifier (e.g., \( \mathsf {E}^{\tau }= \lbrace {e\in \mathsf {E}\; | \;{\mathtt {tid}}(e)={\tau }}\rbrace \)).
Our representation of events induces a partial order \( \lt \) on them: events of the same thread are ordered according to their serial numbers (i.e., \( {\langle {{\tau }_1,n_1,{l}_1}\rangle } \lt {\langle {{\tau }_2,n_2,{l}_2}\rangle } \) iff \( {\tau }_1={\tau }_2 \) and \( n_1 \lt n_2 \)). In turn, an execution graph consists of a set of events, a reads-from mapping that determines the write event from which each read event reads its value, and a modification order (a.k.a. coherence order or store order) that totally orders the writes to each location.2
A relation \( {\color{green} {\mathit {rf}}} \) is a reads-from relation for a set \( E \) of events if the following hold:
If \( {\langle {w,r}\rangle }\in {\color{green} {\mathit {rf}}} \), then \( w\in E\cap \mathsf {W} \), \( r\in E\cap \mathsf {R} \), \( {\mathtt {loc}}(w)={\mathtt {loc}}(r) \) and \( {\mathtt {val}_{\mathtt {W}}}(w)={\mathtt {val}_{\mathtt {R}}}(r) \).
If \( {\langle {w_1,r}\rangle },{\langle {w_2,r}\rangle }\in {\color{green} {\mathit {rf}}} \), then \( w_1=w_2 \) (that is, \( {\color{green} {\mathit {rf}}}^{-1}=\lbrace {{\langle {r,w}\rangle } \; | \;{\langle {w,r}\rangle }\in {\color{green} {\mathit {rf}}}}\rbrace \) is functional).
\( \forall r \in E \cap \mathsf {R}.\; \exists w.\; {\langle {w,r}\rangle }\in {\color{green} {\mathit {rf}}} \) (each read event reads from some write event).
A relation \( {\color{orange} {\mathit {mo}}} \) is a modification order for a set \( E \) of events if \( {\color{orange} {\mathit {mo}}} \) is a disjoint union of relations \( \lbrace {{\color{orange} {\mathit {mo}}}_{x}}\rbrace _{{x}\in \mathsf {Loc}} \) where each \( {\color{orange} {\mathit {mo}}}_{x} \) is a strict total order on \( E \cap \mathsf {W}_{x} \).
An execution graph is a triple \( G={\langle {E,{\color{green} {\mathit {rf}}},{\color{orange} {\mathit {mo}}}}\rangle } \) where \( E \) is a finite set of events, \( {\color{green} {\mathit {rf}}} \) is a reads-from relation for \( E \) and \( {\color{orange} {\mathit {mo}}} \) is a modification order for \( E \). We denote by \( \mathsf {EGraph} \) the set of all execution graphs. The components of \( G \) are denoted by \( G.{\mathtt {E}} \), \( G.{\color{green} {\mathsf {rf}}} \) and \( G.{\color{orange} {\mathtt {mo}}} \). The program order in \( G \), denoted by \( G.{\mathtt {po}} \), is the restriction of \( \lt \) to \( G.{\mathtt {E}} \) (i.e., \( G.{\mathtt {po}}\triangleq \lbrace {{\langle {e_1,e_2}\rangle }\in E \times E \; | \;e_1 \lt e_2}\rbrace \)). For a set \( E\subseteq \mathsf {E} \), we write \( G.E \) for \( G.{\mathtt {E}}\cap E \) (e.g., \( G.\mathsf {W}_{x}=G.{\mathtt {E}}\cap \mathsf {W}_{x} \)).
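The well-formedness conditions of Definitions 2.3 and 2.4 are directly executable for finite graphs. The following sketch uses our own encoding of events as (tid, serial, label) triples, with labels as (typ, loc, val_R, val_W) tuples:

```python
def is_reads_from(rf, E):
    """Definition 2.3: every rf edge goes from a write to a read of
    the same location with matching values; rf^{-1} is functional;
    and every read has a source."""
    typ = lambda e: e[2][0]
    loc = lambda e: e[2][1]
    reads = {e for e in E if typ(e) in ('R', 'RMW')}
    writes = {e for e in E if typ(e) in ('W', 'RMW')}
    well_typed = all(w in writes and r in reads and loc(w) == loc(r)
                     and w[2][3] == r[2][2]        # val_W(w) = val_R(r)
                     for (w, r) in rf)
    functional = len({r for (_, r) in rf}) == len(rf)
    covering = {r for (_, r) in rf} == reads
    return well_typed and functional and covering

def is_modification_order(mo, E):
    """Definition 2.4: mo is a disjoint union of strict total orders,
    one per location, on the writes to that location."""
    typ = lambda e: e[2][0]
    loc = lambda e: e[2][1]
    if any(a == b or loc(a) != loc(b) for (a, b) in mo):
        return False                 # irreflexive and per-location
    writes = [e for e in E if typ(e) in ('W', 'RMW')]
    total = all(((a, b) in mo) != ((b, a) in mo)
                for a in writes for b in writes
                if a != b and loc(a) == loc(b))
    transitive = all((a, d) in mo
                     for (a, b) in mo for (c, d) in mo if b == c)
    return total and transitive
```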
The next definition is used to associate execution graphs to programs. Multiple examples below (e.g., on pages 9 and 10) illustrate execution graphs of different programs.
For a set \( E \) of events, thread identifier \( {\tau }\in \mathsf {Tid} \) and label \( {l}\in \mathsf {Lab} \), \( {\mathsf {NextEvent}}(E,{\tau },{l}) \) denotes the event given by \( {\langle {{{\tau }},{1 + \max (\lbrace {n\in {\mathbb {N}}\; | \;\exists {l}^{\prime }\in \mathsf {Lab}.\; {\langle {{\tau },n,{l}^{\prime }}\rangle } \in E}\rbrace)},{{l}}}\rangle } \).
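Concretely, \( {\mathsf {NextEvent}} \) can be sketched as follows, under the assumption (ours) that the maximum over the empty set is taken to be 0, so a thread's first event gets serial number 1:

```python
def next_event(E, tau, label):
    """Fresh event for thread `tau`: its serial number is one past the
    largest serial number of tau's events in E (max of the empty set
    taken as 0).  Events are (tid, serial, label) triples."""
    return (tau,
            1 + max((n for (t, n, _) in E if t == tau), default=0),
            label)
```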
An execution graph \( G \) is generated by a program \( {P} \) with final state \( \overline{p} \) if \( {\langle {\overline{p}_0,{G_\mathtt {0}}}\rangle } \rightarrow ^* {\langle {\overline{p},G}\rangle } \) for some \( \overline{p}_0\in {P}.{\mathtt {Q}_0} \), where \( {G_\mathtt {0}} \) denotes the empty execution graph (given by \( {G_\mathtt {0}}\triangleq {\langle {\emptyset , \emptyset , \emptyset }\rangle } \)) and \( \rightarrow \) is defined by

The \( {\color{green} {\mathit {rf}}} \) and \( {\color{orange} {\mathit {mo}}} \) components are arbitrary at this stage, except for the fact that they have to satisfy the conditions of Definitions 2.3 and 2.4 (so that \( {\langle {E,{\color{green} {\mathit {rf}}},{\color{orange} {\mathit {mo}}}}\rangle } \) at each step is indeed an execution graph).3 Restrictions on \( {\color{green} {\mathit {rf}}} \) and \( {\color{orange} {\mathit {mo}}} \) are determined by the particular model at hand (see Section 3).
A declarative model \( {\mathsf {X}} \) is a set of execution graphs. We often refer to the elements of \( {\mathsf {X}} \) as \( {\mathsf {X}} \)-consistent execution graphs.
Then, reachable program states under a declarative model are formally defined as follows.
A state \( \overline{p} \) of a concurrent program \( {P} \) is reachable under a declarative model \( {\mathsf {X}} \) if some \( {\mathsf {X}} \)-consistent execution graph is generated by \( {P} \) with final state \( \overline{p} \).
In turn, for a declarative model \( {\mathsf {X}} \), the \( {\mathsf {X}} \) reachability problem asks whether, for a given concurrent program \( {P} \) and “bad state” \( \overline{p}\in {P}.{\mathtt {Q}} \), the state \( \overline{p} \) is reachable under \( {\mathsf {X}} \). Unfolding the definitions, this is equivalent to asking whether \( \overline{p} \) is reachable in the transition system induced by \( {P} \) via some program trace \( {\langle {{{\tau }_1},{{l}_1}}\rangle } {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{\langle {{{\tau }_n},{{l}_n}}\rangle } \) such that some graph generated by this trace according to Definition 2.7 is \( {\mathsf {X}} \)-consistent.
3 DECLARATIVE CAUSALLY CONSISTENT MEMORY MODELS
In this section, we formulate the three variants of causal consistency discussed in this article as declarative models: \( {\mathsf {WRA}} \), \( {\mathsf {RA}} \), and \( {\mathsf {SRA}} \). Our presentation generally follows [34]. Figure 3 illustrates the different consistency constraints described below, and Table 1 summarizes the constraints of each model.
Fig. 3. Illustration of forbidden patterns in the causally consistent models.
After presenting the models and various examples, in Section 3.1, we discuss alternative formulations from the literature that result in models that are similar or equivalent to the ones presented here; and in Section 3.2, we establish a race freedom guarantee showing that the three models coincide for write/write-race-free programs.
To formulate constraints on execution graphs, we use several additional notations.
Given a relation \( R \), \( {\it dom}{({R})} \) denotes its domain; \( R^? \) and \( R^+ \) denote its reflexive and transitive closures; and \( R^{-1} \) denotes its inverse. The (left) composition of relations \( R_1,R_2 \) is denoted by \( R_1\mathbin {;}\,R_2 \). We denote by \( [A] \) the identity relation on a set \( A \), and so \( [A]\mathbin {;}\,R\mathbin {;}\,[B] = R\cap (A\times B) \).
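For finite relations represented as sets of pairs, these operations take a few lines each. The following illustrative Python encoding (ours, used nowhere in the formal development) will also make the derived relations below concrete:

```python
def compose(r1, r2):
    """Left composition r1 ; r2."""
    return {(a, c) for (a, b1) in r1 for (b2, c) in r2 if b1 == b2}

def transitive_closure(r):
    """R^+, computed as a least fixpoint."""
    closure = set(r)
    while True:
        extra = compose(closure, r) - closure
        if not extra:
            return closure
        closure |= extra

def identity(A):
    """[A], the identity relation on A; [A] ; R ; [B] = R ∩ (A×B)."""
    return {(a, a) for a in A}
```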
The causal consistency models are based on the following basic derived “happens-before” relation:
\( {\color{blue} {\mathtt {hb}}} \triangleq (G.{\mathtt {po}} \cup G.{\color{green} {\mathsf {rf}}})^+ \)
The next condition requires that the modification order \( {\color{orange} {\mathtt {mo}}} \) “agrees” with the causality order. There are two natural ways to formally state this property. The first, followed by the \( {\mathsf {RA}} \) model, requires a local agreement:


The next condition intuitively requires that “a thread cannot read a value when it is aware of a later value written to the same location”. There is more than one way to precisely interpret this requirement: what do “aware” and “later” mean? The three models agree on the interpretation of “aware”, identifying a thread \( {\tau } \) being aware of some write event \( w \) with \( {\color{blue} {\mathtt {hb}}} \) from \( w \) to (some event of) \( {\tau } \). They do, however, differ in their interpretation of one write being “later” than another. \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \) employ the modification order \( {\color{orange} {\mathtt {mo}}} \) for this purpose. Thus, \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \) require that

\( {\mathsf {WRA}} \) imposes a weaker condition by using \( {\color{blue} {\mathtt {hb}}} \) to decide whether a write is “later” than another write to the same location, thus only partially ordering the writes. To state \( {\mathsf {WRA}} \)’s formal condition, it is convenient to use a per-location restriction of the happens-before relation:
\( {\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \triangleq \lbrace {{\langle {e_1,e_2}\rangle }\in {\color{blue} {\mathtt {hb}}} \; | \;{\mathtt {loc}}(e_1)={\mathtt {loc}}(e_2)}\rbrace \)

Finally, an additional condition ensures the “atomicity” of RMWs (without such condition an RMW would be nothing more than a read followed by a write). In \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \), RMWs can only read from their immediate \( {\color{orange} {\mathtt {mo}}} \)-predecessors:


Figure 3 illustrates the different constraints, and Table 1 lists the constraints of each model. Since write-coherence and read-coherence together imply weak-read-coherence; write-coherence and atomicity together imply weak-atomicity; and strong-write-coherence implies both irr-hb and write-coherence, the following proposition trivially holds.
\( {\mathsf {SRA}} \)-consistency implies \( {\mathsf {RA}} \)-consistency, which in turn implies \( {\mathsf {WRA}} \)-consistency.
Consequently, we clearly have that all states of a program \( {P} \) that are reachable under \( {\mathsf {SRA}} \) are also reachable under \( {\mathsf {RA}} \); and all states of \( {P} \) reachable under \( {\mathsf {RA}} \) are also reachable under \( {\mathsf {WRA}} \). The converses of the claims in Proposition 3.2 do not hold in general (see examples below), but, as we show in Section 3.2, they do hold for the class of write/write-race-free programs.
Next, we list some examples to demonstrate the different models (some of which are revisited in the sequel). Most of the examples are well-known litmus tests. To simplify the presentation, instead of referring to reachable program states, we consider possible program outcomes assigning final values to (some) registers. An outcome \( O : \mathsf {Reg}\rightharpoonup \mathsf {Val} \) is allowed for a program under a declarative model \( {\mathsf {X}} \) if some state in which the registers hold the values assigned by \( O \) and the program counters have their maximal values is reachable under \( {\mathsf {X}} \) (see Definition 2.9). We use program comment annotations (“//”) to denote particular outcomes.
To simplify our presentation, we require explicit initialization of memory locations and adapt well-known examples to include explicit initialization. Reading from an uninitialized location blocks the thread. (For example, only the initial execution graph \( {G_\mathtt {0}} \) is generated by a program consisting of a single thread that reads from some location, without previously writing to it.) This is only a presentation matter: one may always achieve implicit initialization by augmenting the program with an additional thread that sets each variable to its initial value, and then signals all other threads (using an additional flag) to start running.
(Store Buffering).
The following program outcome is allowed by all three causal consistency models. The justifying execution graph is presented on the right.
The \( {\color{green} {\mathsf {rf}}} \) edges are forced because of the read values, whereas the \( {\color{orange} {\mathtt {mo}}} \) edges in \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \) are forced due to write-coherence and strong-write-coherence. It can be easily verified that the execution graph is \( {\mathsf {SRA}} \)-consistent, and thus it is also \( {\mathsf {RA}} \)-consistent and \( {\mathsf {WRA}} \)-consistent.

(Message Passing).
Causal consistency models support “flag-based” synchronization (which makes them useful in shared-memory concurrent programs). That is, the following outcome is disallowed under each of the models defined above.
An execution graph for this outcome must have \( {\color{green} {\mathsf {rf}}} \) edges as depicted on the right. However, we have \( {\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \) from \( {{\mathtt {W}}}^{}({\mathtt { x}},{0}) \) to \( {{\mathtt {W}}}^{}({\mathtt { x}},{1}) \), \( {\color{blue} {\mathtt {hb}}} \) from \( {{\mathtt {W}}}^{}({\mathtt { x}},{1}) \) to \( {{\mathtt {R}}}^{}({\mathtt { x}},{0}) \) and \( {\color{green} {\mathsf {rf}}} \) from \( {{\mathtt {W}}}^{}({\mathtt { x}},{0}) \) to \( {{\mathtt {R}}}^{}({\mathtt { x}},{0}) \). Hence, weak-read-coherence does not hold, and the execution graph is not \( {\mathsf {WRA}} \)-consistent.

Note that \( {\mathtt {po}} \) and \( {\color{green} {\mathsf {rf}}} \) edges equally contribute to \( {\color{blue} {\mathtt {hb}}} \) in causal consistency. Hence, for the same reason the following outcome is disallowed as well:

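The role of weak-read-coherence in these examples can also be checked mechanically. The following Python sketch is ours and not part of the formal development (the encodings of events and relations are ad hoc): it computes \( {\color{blue} {\mathtt {hb}}} \) as the transitive closure of \( {\mathtt {po}}\cup {\color{green} {\mathsf {rf}}} \) and tests weak-read-coherence, confirming that the SB outcome above is allowed while the MP outcome is not. Initialization events are simply ordered before the threads' events, standing in for the flag-based signaling described above.

```python
from itertools import product

def closure(edges, nodes):
    """Transitive closure of a set of edges (Floyd-Warshall style)."""
    hb = set(edges)
    for k, a, b in product(nodes, nodes, nodes):
        if (a, k) in hb and (k, b) in hb:
            hb.add((a, b))
    return hb

def weak_read_coherent(ev, po, rf):
    """Weak-read-coherence: no write w with w -rf-> r such that some
    same-location write w' satisfies (w, w') in hb and (w', r) in hb?.
    ev maps an event name to a tuple (type, loc, val)."""
    nodes = list(ev)
    hb = closure(po | rf, nodes)
    hbq = hb | {(e, e) for e in nodes}        # reflexive closure hb?
    for (w, r) in rf:
        for w2, (t2, loc2, _) in ev.items():
            if t2 in ('W', 'RMW') and loc2 == ev[w][1] \
               and (w, w2) in hb and (w2, r) in hbq:
                return False
    return True

# SB: both reads return 0; initialization events precede both threads
sb = {'ix': ('W', 'x', 0), 'iy': ('W', 'y', 0),
      'w1': ('W', 'x', 1), 'r1': ('R', 'y', 0),
      'w2': ('W', 'y', 1), 'r2': ('R', 'x', 0)}
sb_po = {('ix', 'iy'), ('iy', 'w1'), ('iy', 'w2'),
         ('w1', 'r1'), ('w2', 'r2')}
sb_rf = {('iy', 'r1'), ('ix', 'r2')}
print(weak_read_coherent(sb, sb_po, sb_rf))   # True: outcome allowed

# MP: reading y = 1 and then x = 0 violates weak-read-coherence
mp = {'ix': ('W', 'x', 0), 'w1': ('W', 'x', 1), 'w2': ('W', 'y', 1),
      'ry': ('R', 'y', 1), 'rx': ('R', 'x', 0)}
mp_po = {('ix', 'w1'), ('w1', 'w2'), ('ry', 'rx')}
mp_rf = {('w2', 'ry'), ('ix', 'rx')}
print(weak_read_coherent(mp, mp_po, mp_rf))   # False: outcome disallowed
```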
(Independent Reads of Independent Writes).
A main difference between the causal consistency models and the x86-TSO model [48] is that the former are non-multi-copy-atomic: a write by some thread could become visible to some other threads before becoming visible to all other threads. Thus, unlike x86-TSO, the three causal consistency models allow the following outcome, in which \( \mathtt {T}_2 \) observes \( {{\mathtt {W}}}^{}({\mathtt { x}},{1}) \) but not \( {{\mathtt {W}}}^{}({\mathtt { y}},{1}) \), while \( \mathtt {T}_3 \) observes \( {{\mathtt {W}}}^{}({\mathtt { y}},{1}) \) but not \( {{\mathtt {W}}}^{}({\mathtt { x}},{1}) \). The justifying execution graph appears on the right:

The following example, adapted from [58], demonstrates that the local agreement between \( {\color{orange} {\mathtt {mo}}} \) and \( {\color{blue} {\mathtt {hb}}} \) required in \( {\mathsf {RA}} \) is indeed weaker than the global agreement required by \( {\mathsf {SRA}} \):

Unlike \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \), \( {\mathsf {WRA}} \) does not provide “sequential-consistency-per-location”—even programs with a single location may exhibit non-sequentially-consistent behaviors. For instance, this happens in the following programs:
Interestingly, \( {\mathsf {WRA}} \) validates a particular form of the store forwarding optimization that applies when a certain read is preceded (in program order) by a write to the same location and there are no writes between these two operations. In this case, the compiler may eliminate the read by assuming that it reads the value written by the write. This optimization, performed by certain Java compilers (see [24, Section 2.2]), is particularly applicable when pointers are involved, e.g., \( {\mathtt { x}\;{:=}\;1 ; \mathtt { a}\;{:=}\;\mathtt {*p} ; \mathtt { b}\;{:=}\;\mathtt { x}} \) can be optimized to \( \mathtt { x}\;{:=}\;1 ; \mathtt { a}\;{:=}\;\mathtt {*p} ; \mathtt { b}\;{:=}\;1 \) without any pointer analysis (that is, without knowing whether \( \mathtt {p} \) points to \( \mathtt { x} \) or not). The (SF) example above shows that this optimization is unsound for \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \): the annotated outcome is disallowed under these models, but if we apply the above optimization, we may replace \( \mathtt { b}\;{:=}\;\mathtt { x} \) by \( \mathtt { b}\;{:=}\;1 \), and then obtain \( \mathtt { a}=2 \) and \( \mathtt { b}=1 \) even under \( {\mathsf {SC}} \). We note that the standard store forwarding that only applies when the read immediately follows the write (with no operations in between) is sound in all three models.
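The syntactic condition under which this optimization applies can be phrased as a rewrite over straight-line instruction sequences. The following Python sketch is ours, with a hypothetical tuple encoding of instructions; writes through unknown pointers conservatively invalidate all tracked stores, while reads through pointers (as in the example above) do not, which is precisely what makes the rewrite applicable without pointer analysis:

```python
def forward_stores(prog):
    """Rewrite ('load', r, x) into ('const', r, v) when the nearest
    preceding write to x is ('store', x, v) and no write (including a
    write through an unknown pointer) intervenes. The instruction
    tuples are a hypothetical encoding; pointer reads such as
    ('loadp', a, p) do not invalidate tracked stores."""
    last = {}                              # location -> last stored value
    out = []
    for ins in prog:
        if ins[0] == 'store':              # x := v, v a known constant
            _, x, v = ins
            last[x] = v
            out.append(ins)
        elif ins[0] == 'storep':           # *p := e: unknown target, drop all
            last.clear()
            out.append(ins)
        elif ins[0] == 'load' and ins[2] in last:
            out.append(('const', ins[1], last[ins[2]]))
        else:                              # pointer reads, other instructions
            out.append(ins)
    return out

# x := 1 ; a := *p ; b := x   ~~>   x := 1 ; a := *p ; b := 1
print(forward_stores([('store', 'x', 1), ('loadp', 'a', 'p'), ('load', 'b', 'x')]))
```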
For implementing locks using RMWs, it is crucial that two different RMWs never read from the same write. This is enforced directly in \( {\mathsf {WRA}} \), and follows from atomicity in \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \). Indeed, in the following example, any (total) \( {\color{orange} {\mathtt {mo}}} \) order of the three events cannot place the write of 0 as the immediate predecessor of both RMWs:

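The impossibility claimed here is small enough to verify by brute force. The following Python sketch (ours; event names are ad hoc) enumerates all candidate total \( {\color{orange} {\mathtt {mo}}} \) orders over the initialization write and the two RMWs, and checks that none places the initialization write as the immediate predecessor of both RMWs:

```python
from itertools import permutations

events = ['W_x0', 'RMW_1', 'RMW_2']   # the initialization write and the two RMWs
witnesses = []
for mo in permutations(events):       # every candidate total mo order
    # map each non-first event to its immediate mo-predecessor
    pred = {mo[i + 1]: mo[i] for i in range(len(mo) - 1)}
    # atomicity forces each RMW to read from its immediate mo-predecessor,
    # so both RMWs reading 0 would need W_x0 immediately before both of them
    if pred.get('RMW_1') == 'W_x0' and pred.get('RMW_2') == 'W_x0':
        witnesses.append(mo)
print(witnesses)   # []  -- no total order satisfies both constraints
```

Since \( {\mathtt {W}}({\mathtt {x}},0) \) has at most one immediate successor in any total order, the witness list is necessarily empty.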
RMWs to an otherwise-unused (unique) location can be used as fences. Indeed, the consistency constraints (of any of the models) imply that if, except for the initialization write event, all write events to some location \( {x} \) in \( G \) are RMWs, then \( {\color{blue} {\mathtt {hb}}} \) must totally order \( G.\mathsf {W}_{x} \). For example, placing such fences forbids the weak outcome of the SB program (Example 3.3). An execution graph for this outcome must have the edges as depicted on the right, and any choice of the two missing \( {\color{green} {\mathsf {rf}}} \) edges (to the two RMW events) will violate some condition of \( {\mathsf {WRA}} \):

3.1 Alternative Formulations
Our presentation follows C/C++11’s mathematical formalization [15, 40], where the \( {\mathsf {RA}} \) model above is the fragment of the C/C++11 model consisting of release stores, acquire reads and acquire-release RMWs. In turn, \( {\mathsf {SRA}} \) is a strengthening of \( {\mathsf {RA}} \) proposed in [36], whereas \( {\mathsf {WRA}} \) is a natural weakening of \( {\mathsf {RA}} \) that is a fragment of the weak RC11 model proposed in [31], and is sufficiently strong for the race-freedom result (Theorem 3.1 below) to hold. The \( {\mathsf {WRA}} \) and \( {\mathsf {SRA}} \) models appear in the literature in multiple disguises, especially as correctness criteria for distributed data stores:
POWER. As proved in [36], \( {\mathsf {SRA}} \) precisely coincides with the POWER model of [10] (which was validated by extensive testing against real hardware), when the latter is restricted to programs that result from compiling C/C++11 programs in the release/acquire fragment, using the standard compilation scheme [45] (that is, placing a lightweight fence before each store and a control dependency followed by an instruction fence after each load).
Causal Convergence. Ignoring RMWs, the \( {\mathsf {SRA}} \) model is equivalent to the causal convergence model, denoted by CCv, of [17] (when the latter is applied to the standard sequential specification of a key-value store supporting read and write operations), as well as to the causal consistency model of [44] when restricted to single-instruction transactions. These models are formulated in [19, 21] in terms of visibility (\( vis \)) and arbitration (\( ar \)) relations. For example, the graph on the left for the IRIW program (Example 3.5) is captured in these terms by the graph on the right (where the dotted arrow is used for the visibility relation and circled numbers denote the arbitration order):

RMWs in distributed databases require expensive global coordination. A naive implementation of RMWs as transactions that read and write from/to the same location does not guarantee atomicity, as it allows the lost update anomaly (e.g., it will allow the outcome in Example 3.8). In the particular case when a certain location is only accessed by RMWs, its accesses are totally ordered by \( {\color{blue} {\mathtt {hb}}} \), which corresponds to marking certain transactions as serializable, as in the Red-Blue model of [16, 43].
Basic Causal Consistency. \( {\mathsf {WRA}} \) (without RMWs) is equivalent to a basic causal consistency model called CC in [17], when CC is applied to the standard sequential specification of a key-value store supporting read and write operations. The CC model requires the existence of a partial “causal” order \( S \) such that for every read event \( r \), the restriction of \( S \) on \( {\it dom}{({S;[\lbrace {r}\rbrace ]})} \) can be extended to a total order in which the value written by the last write to \( {\mathtt {loc}}(r) \) is \( {\mathtt {val}_{\mathtt {R}}}(r) \). This condition is equivalent to the constraints of \( {\mathsf {WRA}} \).
Parallel-Snapshot-Isolation. Parallel snapshot isolation (PSI) is a standard transactional consistency model used in databases and distributed systems that offers scalability and availability in large-scale geo-replicated systems [11, 16, 20, 49, 52]. When restricted to single-instruction transactions, \( {\mathsf {PSI}} \) is captured by strengthening read-coherence to require:

The following behavior is allowed by \( {\mathsf {SRA}} \) but disallowed by \( {\mathsf {PSI}} \):

It can be shown that when all store instructions are implemented using atomic exchanges (implementing \( {x}\;{:=}\;e \) as \( \_ \;{:=}\;{\bf {\texttt {XCHG}}}({{x}},{e}) \)), \( {\mathsf {SRA}} \) precisely captures \( {\mathsf {PSI}} \). Hence, our decidability result for \( {\mathsf {SRA}} \) entails the decidability for \( {\mathsf {PSI}} \) with single-instruction transactions, via a simple reduction substituting all stores in a given program by atomic exchanges whose return values are discarded. For instance, if we use in the above example \( \mathtt { c} \;{:=}\;{\bf {\texttt {XCHG}}}({\mathtt { y}},{2}) \) instead of \( \mathtt { y}\;{:=}\;2 \), then the \( {\color{orange} {\mathtt {mo}}} \) edge between the two writes to \( \mathtt { y} \) would become an \( {\color{green} {\mathsf {rf}}} \) edge (and the second write would be labeled with \( {{\mathtt {RMW}}}^{}({\mathtt { y}},{1},{2}) \)), so the annotated outcome would violate read-coherence and be forbidden also under \( {\mathsf {SRA}} \).
3.2 Write/Write-Race Freedom Guarantee
Following Proposition 3.2, we have that \( {\mathsf {WRA}} \) is weaker than \( {\mathsf {RA}} \), which is weaker than \( {\mathsf {SRA}} \). The examples above show that these relations are strict: the annotated behaviors of the programs in Example 3.7 are allowed by \( {\mathsf {WRA}} \) but not by \( {\mathsf {RA}} \); and the annotated behavior of the 2+2W program in Example 3.6 is allowed by \( {\mathsf {RA}} \) but not by \( {\mathsf {SRA}} \). We note that in all these examples, the programs exhibit write/write races, namely, two different threads write to the same location with no happens-before relation between the conflicting writes. Roughly speaking, since the difference between the models concerns the \( {\color{orange} {\mathtt {mo}}} \) relation, only a write/write race might expose the gap between them. In this section, we formally prove this fact by showing that the three models coincide on write/write-race-free programs. We note that the vast majority of concurrent algorithms we know of do not employ write/write races (in fact, it is rather hard to locate ones that do), which makes the next theorem widely applicable.5
Inspired by DRF models and results [9, 14, 40], which ensure \( {\mathsf {SC}} \) semantics for programs that are data-race-free under \( {\mathsf {SC}} \)-semantics, we show that write/write-race freedom of all \( {\mathsf {SRA}} \)-consistent execution graphs of a given program suffices for the established correspondence. This allows programmers to adhere to a safe programming discipline (that is, avoid write/write races, e.g., using locks) without even understanding the two weaker models, \( {\mathsf {WRA}} \) and \( {\mathsf {RA}} \). Indeed, to establish the premise of the following theorem, one only needs to know the \( {\mathsf {SRA}} \)-consistency predicate.
An execution graph \( G \) is write/write-race free if for every \( w_1,w_2\in G.\mathsf {W} \) with \( {\mathtt {loc}}(w_1)={\mathtt {loc}}(w_2) \), we have \( w_1 = w_2 \), \( {\langle {w_1,w_2}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \) or \( {\langle {w_2,w_1}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \).
Let \( {P} \) be a concurrent program such that every \( {\mathsf {SRA}} \)-consistent execution graph that is generated by \( {P} \) is write/write-race free. Then, the sets of states of \( {P} \) that are reachable under (1) \( {\mathsf {SRA}} \), (2) \( {\mathsf {RA}} \) and (3) \( {\mathsf {WRA}} \) all coincide.
Using Proposition 3.2, it suffices to show that every state of \( {P} \) that is reachable under \( {\mathsf {WRA}} \) is also reachable under \( {\mathsf {SRA}} \).
We call an execution graph \( G \) \( {\mathsf {SRA}} \)-pre-consistent if some execution graph \( G^{\prime } \) with \( G^{\prime }.{\mathtt {E}}=G.{\mathtt {E}} \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}=G.{\color{green} {\mathsf {rf}}} \) (but possibly \( G^{\prime }.{\color{orange} {\mathtt {mo}}}\ne G.{\color{orange} {\mathtt {mo}}} \)) is \( {\mathsf {SRA}} \)-consistent. Let \( \mathcal {G} \) be the set of all \( {\mathsf {WRA}} \)-consistent but not \( {\mathsf {SRA}} \)-pre-consistent execution graphs that are generated by \( {P} \). To show that every state of \( {P} \) that is reachable under \( {\mathsf {WRA}} \) is also reachable under \( {\mathsf {SRA}} \), it suffices to show that \( \mathcal {G} \) is empty.
Suppose otherwise and let \( G \) be a minimal element in \( \mathcal {G} \), in the sense that every proper \( G.{\color{blue} {\mathtt {hb}}} \)-prefix of \( G \) is not in \( \mathcal {G} \) (where a proper \( G.{\color{blue} {\mathtt {hb}}} \)-prefix of \( G \) is any execution graph of the form \( {\langle {E_p,[E_p]\mathbin {;}\,G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[E_p], [E_p]\mathbin {;}\,G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,[E_p]}\rangle } \) for some \( E_p\subsetneq G.{\mathtt {E}} \) such that \( {\it dom}{({G.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,[E_p]})}\subseteq E_p \)). Note that \( G \) cannot be empty, since the empty execution graph \( {G_\mathtt {0}} \) is trivially \( {\mathsf {SRA}} \)-pre-consistent.
Let \( e \) be some \( G.{\color{blue} {\mathtt {hb}}} \)-maximal event in \( G.{\mathtt {E}} \), and let \( E^{\prime }=G.{\mathtt {E}}\setminus \lbrace {e}\rbrace \). The minimality of \( G \) ensures that the restriction of \( G \) to \( E^{\prime } \) (namely, the execution graph \( {\langle {E^{\prime },[E^{\prime }] \mathbin {;}\,G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[E^{\prime }],[E^{\prime }] \mathbin {;}\,G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,[E^{\prime }]}\rangle } \)) is \( {\mathsf {SRA}} \)-pre-consistent. Let \( {\color{orange} {\mathit {mo}}}^{\prime } \) be a modification order for \( E^{\prime } \) such that \( G^{\prime }={\langle {E^{\prime },[E^{\prime }] \mathbin {;}\,G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[E^{\prime }], {\color{orange} {\mathit {mo}}}^{\prime }}\rangle } \) is \( {\mathsf {SRA}} \)-consistent. Note that our assumption on \( {P} \) ensures that \( G^{\prime } \) is write/write-race free, thus using strong-write-coherence, it follows that \( {\color{orange} {\mathit {mo}}}^{\prime } \subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\subseteq G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \).
We consider the possible types of \( e \). In each case, we define a modification order \( \widehat{{\color{orange} {\mathit {mo}}}} \) for \( G.{\mathtt {E}} \) and show that \( \widehat{G}={\langle {G.{\mathtt {E}},G.{\color{green} {\mathsf {rf}}},\widehat{{\color{orange} {\mathit {mo}}}}}\rangle } \) is \( {\mathsf {SRA}} \)-consistent, which contradicts the fact that \( G \) is not \( {\mathsf {SRA}} \)-pre-consistent.
\( {\mathtt {typ}}(e)={\mathtt {R}} \): We define \( \widehat{{\color{orange} {\mathit {mo}}}}={\color{orange} {\mathit {mo}}}^{\prime } \). Then, \( \widehat{G} \) satisfies strong-write-coherence, as a \( (\widehat{G}.{\color{blue} {\mathtt {hb}}}\cup \widehat{{\color{orange} {\mathit {mo}}}}) \)-cycle would have implied a cycle in \( G.{\color{blue} {\mathtt {hb}}}\cup {\color{orange} {\mathit {mo}}}^{\prime }\subseteq G.{\color{blue} {\mathtt {hb}}} \), which cannot exist, since \( G \) satisfies irr-hb. In addition, \( \widehat{G} \) satisfies atomicity, since its violation does not involve read events, and would have occurred also in \( G^{\prime } \). Assume toward contradiction that \( \widehat{G} \) does not satisfy read-coherence. Since \( e \) is \( G.{\color{blue} {\mathtt {hb}}} \)-maximal, there exist \( w_1,w_2\in E^{\prime } \) such that \( {\langle {w_1,w_2}\rangle }\in {\color{orange} {\mathit {mo}}}^{\prime } \), \( {\langle {w_2,e}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \) and \( {\langle {w_1,e}\rangle }\in G.{\color{green} {\mathsf {rf}}} \). It follows that \( {\langle {w_1,w_2}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \), and so \( G \) does not satisfy weak-read-coherence, which contradicts the fact that \( G \) is \( {\mathsf {WRA}} \)-consistent.
\( {\mathtt {typ}}(e)={\mathtt {W}} \): We define \( \widehat{{\color{orange} {\mathit {mo}}}}={\color{orange} {\mathit {mo}}}^{\prime } \cup (G.\mathsf {W}_{x}\times \lbrace {e}\rbrace) \) where \( {x}= {\mathtt {loc}}(e) \). It is easy to see that \( \widehat{G} \) is \( {\mathsf {SRA}} \)-consistent.
\( {\mathtt {typ}}(e)={\mathtt {RMW}} \): Let \( {x}= {\mathtt {loc}}(e) \) and let \( w\in G.\mathsf {W} \) such that \( {\langle {w,e}\rangle }\in G.{\color{green} {\mathsf {rf}}} \). We define \( \widehat{{\color{orange} {\mathit {mo}}}} = {\color{orange} {\mathit {mo}}}^{\prime } \cup (W \times \lbrace {e}\rbrace) \cup (\lbrace {e}\rbrace \times (G.\mathsf {W}_{x}\setminus W)) \) where \( W=\lbrace {w^{\prime }\in G.\mathsf {W}_{x}\; | \;{\langle {w^{\prime },w}\rangle }\in {\color{orange} {\mathit {mo}}}^{\prime ?}}\rbrace \).
Assume toward contradiction that \( \widehat{G} \) is not \( {\mathsf {SRA}} \)-consistent. At least one of the following holds:
strong-write-coherence is not satisfied by \( \widehat{G} \): Then, since \( G^{\prime } \) is \( {\mathsf {SRA}} \)-consistent, there exists \( w^{\prime }\in E^{\prime } \) such that \( {\langle {e,w^{\prime }}\rangle }\in \widehat{{\color{orange} {\mathit {mo}}}} \) and \( {\langle {w^{\prime },e}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \). Hence, we have \( {\langle {w,w^{\prime }}\rangle }\in {\color{orange} {\mathit {mo}}}^{\prime } \subseteq G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \), and since \( {\langle {w,e}\rangle }\in G.{\color{green} {\mathsf {rf}}} \), this contradicts the fact that \( G \) satisfies weak-read-coherence.
read-coherence is not satisfied by \( \widehat{G} \): Then, since \( G^{\prime } \) is \( {\mathsf {SRA}} \)-consistent, there exists \( w^{\prime }\in E^{\prime } \) such that \( {\langle {w,w^{\prime }}\rangle }\in \widehat{{\color{orange} {\mathit {mo}}}} \) and \( {\langle {w^{\prime },e}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \). It follows that \( {\langle {w,w^{\prime }}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \), which again contradicts the fact that \( G \) satisfies weak-read-coherence.
atomicity is not satisfied by \( \widehat{G} \): Then, since \( G^{\prime } \) is \( {\mathsf {SRA}} \)-consistent, it follows that there exist \( w^{\prime } \in E^{\prime }.\mathsf {W} \) and \( u\in E^{\prime }.\mathsf {RMW} \), such that \( {\langle {w^{\prime },e}\rangle },{\langle {e,u}\rangle } \in \widehat{{\color{orange} {\mathit {mo}}}} \) and \( {\langle {w^{\prime },u}\rangle }\in G.{\color{green} {\mathsf {rf}}} \). The construction of \( \widehat{{\color{orange} {\mathit {mo}}}} \) ensures that \( {\langle {w^{\prime },w}\rangle } \in {\color{orange} {\mathit {mo}}}^{\prime ?} \) and \( {\langle {w,u}\rangle }\in {\color{orange} {\mathit {mo}}}^{\prime } \). Hence, \( {\langle {w^{\prime },w}\rangle } \in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \) and \( {\langle {w,u}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \). Now, if \( {\langle {w^{\prime },w}\rangle } \in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \), then again we obtain a contradiction to the fact that \( G \) satisfies weak-read-coherence. Otherwise, we have \( w^{\prime }=w \). Thus, we have both \( {\langle {w,e}\rangle }\in G.{\color{green} {\mathsf {rf}}} \) and \( {\langle {w,u}\rangle }\in G.{\color{green} {\mathsf {rf}}} \) (where \( e\ne u \), since \( u\in E^{\prime } \)), which contradicts the fact that \( G \) satisfies weak-atomicity. \( \Box \)
4 AN OPERATIONAL LOOK AT CAUSAL CONSISTENCY AND ITS INDUCED REACHABILITY PROBLEM
While the above formulations of the causal consistency models are declarative, it is straightforward to “operationalize” these definitions. Indeed, for the models above, instead of first generating a program execution graph (using Definition 2.7) and a posteriori checking its consistency, one may impose consistency at each step during an incremental construction of the execution graph. This results in equivalent operational presentations, which are easier to relate to the alternative lossy semantics we define below. In this section, we present such operational reformulations of the declarative semantics above, formulating them as memory systems.6 We will reuse this operational framework for the lossy semantics (Sections 5 and 6).
A memory system is a (possibly infinite) LTS over the alphabet \( (\mathsf {Tid}\times \mathsf {Lab}) \cup \lbrace {\varepsilon }\rbrace \).
The alphabet symbols of the memory system are either pairs in \( \mathsf {Tid}\times \mathsf {Lab} \), representing the thread identifier and the label of the performed operation, or \( \varepsilon \) for internal (silent) memory actions.
(Sequential Consistency as a Memory System).
The most well-known memory system is the one of sequential consistency, denoted here by \( {\mathsf {SC}} \). This memory system simply tracks the most recent value written to each location (or \( \bot \) for uninitialized locations). Formally, it is defined by \( {\mathsf {SC}}.{\mathtt {Q}}\triangleq \mathsf {Loc}\rightarrow (\mathsf {Val}\cup \lbrace {\bot }\rbrace) \), \( {\mathsf {SC}}.{\mathtt {Q}_0}\triangleq \lbrace {\lambda {x}\in \mathsf {Loc}.\, \bot }\rbrace \) and \( \mathrel {{\xrightarrow {}}}_{\mathsf {SC}} \) is given by

Note that \( {\mathsf {SC}} \) is oblivious to the thread that takes the action (we have \( {\mu } {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {SC}}}}{}} {\mu ^{\prime }} \) iff \( {\mu } {{}\mathrel {{\xrightarrow {{\pi },{l}}}_{{\mathsf {SC}}}}{}} {\mu ^{\prime }} \)), and it has no silent transitions.
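This definition can be transcribed almost literally into executable form. The following Python sketch is ours (the tuple encoding of labels is an assumption); a step returns the successor state, or None when the transition is not enabled, so reads of uninitialized locations block as required:

```python
BOT = None   # stands for the bottom value (uninitialized)

def sc_step(mu, label):
    """One transition of the SC memory system. mu maps locations to
    values (missing keys are uninitialized). Labels are hypothetical
    tuples: ('W', x, v), ('R', x, v), ('RMW', x, v_read, v_written).
    Returns the successor state, or None if the step is not enabled."""
    if label[0] == 'W':
        _, x, v = label
        return {**mu, x: v}
    if label[0] == 'R':
        _, x, v = label
        return dict(mu) if mu.get(x, BOT) == v else None
    if label[0] == 'RMW':
        _, x, v_read, v_written = label
        return {**mu, x: v_written} if mu.get(x, BOT) == v_read else None
    return None

mu0 = {}                                     # initial state: everything at BOT
assert sc_step(mu0, ('R', 'x', 0)) is None   # reading uninitialized x blocks
mu1 = sc_step(mu0, ('W', 'x', 1))            # x := 1
assert sc_step(mu1, ('R', 'x', 1)) == mu1    # now reading 1 is enabled
assert sc_step(mu1, ('RMW', 'x', 1, 2)) == {'x': 2}
```

As remarked above, the system is oblivious to the acting thread, so no thread identifier appears in the sketch, and there are no silent transitions.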
By synchronizing a program and a memory system, we obtain a concurrent system:
A program \( {P} \) and a memory system \( {{M}} \) form a concurrent system, denoted by \( {{P}} \parallel {{{M}}} \). It is an LTS over \( (\mathsf {Tid}\times (\mathsf {Lab}\cup \lbrace {\varepsilon }\rbrace)) \cup \lbrace {\varepsilon }\rbrace \) whose set of states is \( {P}.{\mathtt {Q}}\times {{M}}.{\mathtt {Q}} \); its set of initial states is \( {P}.{\mathtt {Q}_0}\times {{M}}.{\mathtt {Q}_0} \); and its transitions are “synchronized transitions” of \( {P} \) and \( {{M}} \), given by

To relate a declarative model \( {\mathsf {X}} \) and a memory system \( {{M}} \), we use the following definitions.
A state \( \overline{p} \) of a concurrent program \( {P} \) is reachable under a memory system \( {{M}} \) if \( {\langle {\overline{p},m}\rangle } \) is reachable in \( {{P}} \parallel {{{M}}} \) for some \( m\in {{M}}.{\mathtt {Q}} \).
A memory system \( {{M}} \) characterizes a declarative model \( {\mathsf {X}} \) if for every concurrent program \( {P} \), the set of program states that are reachable under \( {\mathsf {X}} \) (see Definition 2.9) coincides with the set of program states that are reachable under \( {{M}} \).
Next, we present the memory systems \( {\mathsf {op}{{\mathsf {WRA}}}} \), \( {\mathsf {op}{{\mathsf {RA}}}} \), and \( {\mathsf {op}{{\mathsf {SRA}}}} \) that characterize the respective declarative model. (The \( {\mathsf {op}{{\mathsf {RA}}}} \) memory system is defined here for the completeness of the presentation, but it is not used in the sequel.) The states of these systems are execution graphs capturing (partially ordered) histories of executed actions, and the only initial state is \( {G_\mathtt {0}} \) (recall that \( {G_\mathtt {0}} \) denotes the empty execution graph \( {\langle {\emptyset , \emptyset , \emptyset }\rangle } \)). Formally, \( {{M}}.{\mathtt {Q}}\triangleq \mathsf {EGraph} \) and \( {{M}}.{\mathtt {Q}_0}\triangleq \lbrace {{G_\mathtt {0}}}\rbrace \) for \( {{M}}\in \lbrace {{\mathsf {op}{{\mathsf {WRA}}}},{\mathsf {op}{{\mathsf {RA}}}},{\mathsf {op}{{\mathsf {SRA}}}}}\rbrace \). Before providing the transitions, we refer the reader to Figure 4 on page 22, which illustrates a run of \( \mathsf {op} \)\( {\mathsf {SRA}} \) (or \( \mathsf {op} \)\( {\mathsf {RA}} \), \( \mathsf {op} \)\( {\mathsf {WRA}} \)) for the SB program from Example 3.3.
Fig. 4. Illustration of runs of \( \mathsf {op} \) \( {\mathsf {SRA}} \) (top) and \( \mathsf {lo} \) \( {\mathsf {SRA}} \) (bottom) for the SB program (Example 3.3). In \( \mathsf {op} \) \( {\mathsf {SRA}} \) ’s states (execution graphs), events of \( \mathtt {T}_1 \) are on the left and of \( \mathtt {T}_2 \) on the right. In \( \mathsf {lo} \) \( {\mathsf {SRA}} \) ’s states (a potential for each thread), the potential of \( \mathtt {T}_1 \) is at the top and of \( \mathtt {T}_2 \) at the bottom. In this simple example, all option lists consist of at most one option and all potentials are singletons.
Following [31], our formulation of the memory systems below does not directly refer to the consistency predicates, but rather articulates necessary and sufficient conditions that ensure that the target state is a consistent execution graph provided the consistency of the source state. It is possible to go a step further and develop an equivalent semantics with more economical states that may feel “more operational” and intuitive. Indeed, for the systems below, it suffices to maintain a partially ordered set of write events, together with a mapping of which writes each thread is already aware of (the “observed writes set” of [23]). When the writes to each location are totally ordered (as in \( {\mathsf {RA}} \) and \( {\mathsf {SRA}} \)), this can be implemented using timestamps, messages and thread views, as was done, e.g., in [29] for \( {\mathsf {RA}} \).
Weak Release/Acquire.
The transitions of \( \mathsf {op} \)\( {\mathsf {WRA}} \) are given by

A write step simply adds a corresponding fresh write event to the graph, placed at the end of the thread executing the write. A read step adds a corresponding fresh read event and justifies it with a reads-from edge. Its source \( w \) must be a write event to the same location (\( w \in G.\mathsf {W}_{x} \)), writing the value being read (\( {\mathtt {val}_{\mathtt {W}}}(w)=v \)), and the thread executing the read must not be aware of an \( {\color{blue} {\mathtt {hb}}} \)-later write to the same location (\( w\not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \)). An rmw step is similar to a read step (adding an RMW event), with the additional condition on \( w \): it should not be read by any RMW event in the current execution graph (\( w\not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \)). We note that the write step in \( \mathsf {op} \)\( {\mathsf {WRA}} \) is deterministic, while the read and rmw steps are non-deterministic: often more than one write can be chosen as the source of the new \( {\color{green} {\mathsf {rf}}} \) edge.
Given a \( {\mathsf {WRA}} \)-consistent execution graph \( G \), one obtains a run of \( \mathsf {op} \)\( {\mathsf {WRA}} \) by following any total order extending \( G.{\color{blue} {\mathtt {hb}}} \). The preconditions required by each step follow directly from the fact that \( G \) is \( {\mathsf {WRA}} \)-consistent. For the converse, it suffices to note that all reachable states of \( \mathsf {op} \)\( {\mathsf {WRA}} \) are \( {\mathsf {WRA}} \)-consistent execution graphs. Hence, if \( {\langle {\overline{p},G}\rangle } \) is reachable in \( {{P}} \parallel {{\mathsf {op}{{\mathsf {WRA}}}}} \), then \( G \) is a \( {\mathsf {WRA}} \)-consistent execution graph that is generated by \( {P} \) with final state \( \overline{p} \).□
Instead of requiring \( w\not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \) in the rmw step, we may equivalently require that \( \lbrace {e \in \mathsf {RMW}\; | \;{\langle {w,e}\rangle }\in G.{\color{green} {\mathsf {rf}}}}\rbrace \subseteq \mathsf {E}^{\tau } \) (namely, if \( w \) is read by an RMW event, then that RMW event is in thread \( {\tau } \)). Indeed, \( w\not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \) trivially implies this condition. Conversely, if this condition holds, then since \( w\not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), we cannot have \( w\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \). While this reformulation is an unnecessary complication at this stage, it plays a key role in the alternative lossy semantics for \( {\mathsf {WRA}} \) in Section 6.
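The precondition of the read step can be made concrete as a function computing the set of admissible \( {\color{green} {\mathsf {rf}}} \) sources for a fresh read. The following Python sketch is ours (the encodings are ad hoc, and \( {\color{blue} {\mathtt {hb}}} \) is assumed to be supplied transitively closed):

```python
def wra_read_sources(events, hb, tau, x, v):
    """Candidate rf sources for a fresh read of value v from x by
    thread tau in the opWRA read step: writes to x with value v that
    are not in dom(hb|loc ; [W] ; hb? ; [E^tau]). events maps an event
    name to a tuple (tid, typ, loc, val); hb is a transitively closed
    set of pairs."""
    def is_w(e):
        return events[e][1] in ('W', 'RMW')
    hbq = hb | {(e, e) for e in events}      # reflexive closure hb?
    srcs = []
    for w in events:
        if not (is_w(w) and events[w][2] == x and events[w][3] == v):
            continue
        # w is ruled out if some same-location write w2 hb-follows it
        # and is already (possibly indirectly) observed by thread tau
        overwritten = any(
            (w, w2) in hb and events[w2][2] == x and is_w(w2)
            and any((w2, e) in hbq and events[e][0] == tau for e in events)
            for w2 in events)
        if not overwritten:
            srcs.append(w)
    return srcs

# thread 2 has read x = 1 from w1; it may no longer read the stale w0
ev = {'w0': (0, 'W', 'x', 0), 'w1': (1, 'W', 'x', 1), 'r': (2, 'R', 'x', 1)}
hb = {('w0', 'w1'), ('w1', 'r'), ('w0', 'r')}   # already transitively closed
print(wra_read_sources(ev, hb, 2, 'x', 0))      # []
print(wra_read_sources(ev, hb, 2, 'x', 1))      # ['w1']
```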
Release/Acquire. To handle modification order (\( {\color{orange} {\mathtt {mo}}} \)) updates in transitions of \( \mathsf {op} \)\( {\mathsf {RA}} \), we use the following notation:
Given a relation \( R \) that contains a total order on a set \( A \), a subset \( A_\text{before}\subseteq A \) that is downward closed (\( {\it dom}{({R \mathbin {;}\,[A_\text{before}]})} \subseteq A_\text{before} \)) and an element \( b\not\in A \), \( {\mathsf {AddAfter}}(R,A,A_\text{before},b) \) denotes the extension of \( R \) obtained by placing \( b \) after all elements in \( A_\text{before} \) and before all elements of \( A \setminus A_\text{before} \) (formally, \( {\mathsf {AddAfter}}(R,A,A_\text{before},b) \triangleq R \cup (A_\text{before} \times \lbrace {b}\rbrace) \cup (\lbrace {b}\rbrace \times (A \setminus A_\text{before})) \)).
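This notation admits a direct transcription (a sketch of ours, over relations encoded as sets of pairs):

```python
def add_after(R, A, A_before, b):
    """AddAfter(R, A, A_before, b): extend the relation R (a set of
    pairs) by placing the fresh element b after every element of
    A_before and before every element of A \\ A_before."""
    assert b not in A
    # A_before must be downward closed: dom(R ; [A_before]) within A_before
    assert all(a in A_before for (a, c) in R if c in A_before)
    return R | {(a, b) for a in A_before} | {(b, c) for c in A - A_before}

R = {(1, 2), (1, 3), (2, 3)}                  # total order 1 < 2 < 3 on A
new_R = add_after(R, {1, 2, 3}, {1, 2}, 4)    # insert 4 between 2 and 3
assert new_R == R | {(1, 4), (2, 4), (4, 3)}
```

In the write step below, \( A \) is the set of existing writes to the relevant location and \( b \) is the fresh write event.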
The transitions of \( \mathsf {op} \)\( {\mathsf {RA}} \) are given by

The write step adds a corresponding fresh write event \( e \) to the graph (placed after all events of thread \( {\tau } \)) and extends \( {\color{orange} {\mathtt {mo}}} \) to order the freshly added event w.r.t. all previously added writes to the same location. The extension of \( {\color{orange} {\mathtt {mo}}} \) must respect write-coherence (“local agreement” between \( {\color{orange} {\mathtt {mo}}} \) and \( {\color{blue} {\mathtt {hb}}} \)). Thus, no successor of \( e \) in the new \( {\color{orange} {\mathtt {mo}}} \) order can be an event of which thread \( {\tau } \) is aware. Equivalently, \( e \) should be placed as the immediate successor of some event \( w=\max _{G.{\color{orange} {\mathtt {mo}}}} W \), such that thread \( {\tau } \) is not aware of any \( {\color{orange} {\mathtt {mo}}} \)-successors of \( w \) (\( w \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \)). In addition, for the extension of \( {\color{orange} {\mathtt {mo}}} \) to respect atomicity, the new write \( e \) should not intervene between an RMW event and its reads-from source (which, according to atomicity, must be its immediate \( {\color{orange} {\mathtt {mo}}} \)-predecessor). Hence, \( w \) cannot be read by an RMW event (\( w \not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \)). We note that for the very first write to each location, we must have \( W=\emptyset \), in which case we assume that the two conditions on \( w \) (\( w \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \) and \( w \not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \)) hold by definition.
A read step by thread \( {\tau } \) adds a corresponding fresh read event and justifies it with a reads-from edge. This is exactly as in \( \mathsf {op} \)\( {\mathsf {WRA}} \), but to capture later writes, instead of using \( G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \) (as per read-coherence), we now use \( {\color{orange} {\mathtt {mo}}} \) (as per weak-read-coherence).
An rmw step is a combination of read and write. To respect atomicity, it forces the reads-from source of the freshly added RMW event to be its immediate predecessor in the extended \( {\color{orange} {\mathtt {mo}}} \).
The proof proceeds exactly as the proof for \( {\mathsf {WRA}} \) (Theorem 4.6). Given an \( {\mathsf {RA}} \)-consistent execution graph \( G \), one obtains a run of \( \mathsf {op} \)\( {\mathsf {RA}} \) by following any total order extension of \( G.{\color{blue} {\mathtt {hb}}} \). The preconditions required by each step follow directly from the fact that \( G \) is \( {\mathsf {RA}} \)-consistent. For the converse, it suffices to note that all reachable states of \( \mathsf {op} \)\( {\mathsf {RA}} \) are \( {\mathsf {RA}} \)-consistent execution graphs. Hence, if \( {\langle {\overline{p},G}\rangle } \) is reachable in \( {{P}} \parallel {{\mathsf {op}{{\mathsf {RA}}}}} \), then \( G \) is an \( {\mathsf {RA}} \)-consistent execution graph that is generated by \( {P} \) with final state \( \overline{p} \).□
Strong Release/Acquire.
The transitions of \( \mathsf {op} \)\( {\mathsf {SRA}} \) are given by

A write step by thread \( {\tau } \) adds a fresh write event \( e \) placed after all events of thread \( {\tau } \) and extends \( {\color{orange} {\mathtt {mo}}} \) to order \( e \) after all existing writes to the same location. The read step is identical to the read step of \( \mathsf {op} \)\( {\mathsf {RA}} \). The rmw step is also similar to the rmw step of \( \mathsf {op} \)\( {\mathsf {RA}} \), but it must pick \( w \) to be the \( {\color{orange} {\mathtt {mo}}} \)-maximal write to the relevant location in the current execution graph. We note that the write and rmw steps in \( \mathsf {op} \)\( {\mathsf {SRA}} \) are deterministic, while the read step is non-deterministic.
This semantics exploits the fact that \( {\color{blue} {\mathtt {hb}}}\cup {\color{orange} {\mathtt {mo}}} \) is acyclic in \( {\mathsf {SRA}} \)-consistent execution graphs (“global agreement” between \( {\color{orange} {\mathtt {mo}}} \) and \( {\color{blue} {\mathtt {hb}}} \), as per strong-write-coherence). Hence, to generate an \( {\mathsf {SRA}} \)-consistent execution graph in a run of an operational semantics, we can follow a total order extending \( {\color{blue} {\mathtt {hb}}}\cup {\color{orange} {\mathtt {mo}}} \), which guarantees that writes are executed following their \( {\color{orange} {\mathtt {mo}}} \)-order. In turn, since RMWs should read from their immediate \( {\color{orange} {\mathtt {mo}}} \)-predecessor, we require that RMWs read from the current \( {\color{orange} {\mathtt {mo}}} \)-maximal write. Accordingly, the next theorem is proved as for \( {\mathsf {WRA}} \) and \( {\mathsf {RA}} \), using \( G.{\color{blue} {\mathtt {hb}}}\cup G.{\color{orange} {\mathtt {mo}}} \) instead of \( G.{\color{blue} {\mathtt {hb}}} \) when traversing an \( {\mathsf {SRA}} \)-consistent execution graph \( G \).
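The determinism of writes and RMWs in \( \mathsf {op} \)\( {\mathsf {SRA}} \) can be pictured with a toy per-location view (an illustration with assumed names only; the coherence restrictions on plain reads are not modeled): writes append at the \( {\color{orange} {\mathtt {mo}}} \)-end, and an RMW must read from the current \( {\color{orange} {\mathtt {mo}}} \)-maximal write.

```python
class LocSRA:
    """Toy per-location view of opSRA (illustration only)."""

    def __init__(self):
        self.mo = []  # writes to this location, in mo order

    def write(self, val):
        self.mo.append(val)   # deterministic: the new write is mo-maximal

    def rmw_read(self):
        return self.mo[-1]    # deterministic: RMWs read the mo-max write

    def read_candidates(self):
        # plain reads remain non-deterministic (further restricted by
        # coherence, which is not modeled in this sketch)
        return list(self.mo)

loc = LocSRA()
loc.write(1)
loc.write(2)
print(loc.rmw_read())  # 2
```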
4.1 The Reachability Problem for Memory Systems
When an operational semantics for a declarative model \( {\mathsf {X}} \) is available (in the form of a memory system as defined above), the \( {\mathsf {X}} \) reachability problem (formulated in Section 2.2) can be stated in more standard terms.
If a memory system \( {{M}} \) characterizes a declarative model \( {\mathsf {X}} \), then the \( {\mathsf {X}} \) reachability problem is equivalent to the problem given by:
Input: a concurrent program \( {P} \) and a “bad state” \( \overline{p}\in {P}.{\mathtt {Q}} \).
Question: is \( \overline{p} \) reachable under \( {{M}} \) (i.e., by Definition 4.4, is \( \overline{p} \) reachable in the concurrent system \( {{P}} \parallel {{{M}}} \) for some \( m\in {{M}}.{\mathtt {Q}} \))?
For the causal models defined above, as mentioned in the introduction to this article, the challenge in solving this problem stems from the fact that \( {{P}} \parallel {{{M}}} \) is an infinite transition system (since \( {\mathsf {op}{{\mathsf {WRA}}}} \), \( {\mathsf {op}{{\mathsf {RA}}}} \) and \( {\mathsf {op}{{\mathsf {SRA}}}} \) are all infinite state). This is in contrast to \( {{P}} \parallel {{\mathsf {SC}}} \) (see Definition 4.2), which is a finite system of size polynomial in the size of \( {P} \) (since \( {\mathsf {SC}} \) is of size quadratic in the number of locations and values), thus inducing a PSPACE-complete reachability problem [32].
The reduction of Atig et al. [12] from reachability in lossy FIFO channel machines to reachability under the x86-TSO model holds without any change for \( {\mathsf {WRA}} \), \( {\mathsf {RA}} \), and \( {\mathsf {SRA}} \).
For \( {\mathsf {X}} \in \lbrace {{\mathsf {WRA}},{\mathsf {RA}},{\mathsf {SRA}}}\rbrace \), the \( {\mathsf {X}} \) reachability problem is non-primitive-recursive.
In fact, it was recently shown that \( {\mathsf {RA}} \) reachability is undecidable via a delicate reduction from the Post correspondence problem [2]. The rest of this article is devoted to establishing decidability for \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \). To do so, we use the framework of well-structured transition systems (see Section 8.1 for a brief reminder). We note that we are unable to directly use \( \mathsf {op} \)\( {\mathsf {SRA}} \) and \( \mathsf {op} \)\( {\mathsf {WRA}} \) in this framework. Roughly speaking, the challenges here stem from: (i) losing parts of the state (the current execution graph) may allow behaviors that were impossible before the loss (e.g., if we discard a write event, then we may read from overwritten writes); and (ii) the naive ordering of partial orders via their induced embedding relation is not a well-quasi order.
In the sequel, we overcome these challenges by introducing alternative memory systems for \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) that are still infinite, but fit well in the framework of well-structured transition systems.
5 Making Strong Release/Acquire Lossy: The \( {\mathsf {lo}{{\mathsf {SRA}}}} \) memory system
In this section, we introduce an alternative memory system, which we call \( \mathsf {lo} \)\( {\mathsf {SRA}} \) (for “lossy-\( {\mathsf {SRA}} \)”). Later, we will establish the equivalence of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) to \( \mathsf {op} \)\( {\mathsf {SRA}} \), and show how \( \mathsf {lo} \)\( {\mathsf {SRA}} \) is used to decide the reachability problem in the framework of well-structured transition systems. We begin with an intuitive discussion to motivate our definitions, and later spell out the formal details.
A memory state of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) maintains for each thread a set of “option lists,” called the potential of the thread, where each (read) option \( {o} \) contains a location \( {\mathtt {loc}}({o}) \), a value \( {\mathtt {val}}({o}) \) and two other components that are explained below. Each option list stands for a sequence of possible future reads of the thread, listing the values that it may read in the order that it may read them. For example, the list \( {o}_1 \cdot {o}_2 \) allows the thread to read \( {\mathtt {val}}({o}_1) \) from location \( {\mathtt {loc}}({o}_1) \) and then \( {\mathtt {val}}({o}_2) \) from location \( {\mathtt {loc}}({o}_2) \). These lists do not ascribe mandatory continuations, but rather possible futures (hence, options). In the beginning, the empty list is assigned to all threads—before any write is executed, no reads are possible (recall that we assume explicit initialization, see Remark 1). In addition, the semantics is designed so that option lists are “lossy,” allowing a non-deterministic step that removes arbitrary options from the lists.
The option lists in the potentials dictate the possible read steps threads can take: for a thread \( {\tau } \) to read \( v \) from \( {x} \), an option \( {o} \) with \( {\mathtt {val}}({o})=v \) and \( {\mathtt {loc}}({o})={x} \) must be the first in each of \( {\tau } \)’s lists. Then, to progress to the next option, the thread consumes these options, discarding the first element of each of its lists.
A write step is more involved, encapsulating the requirements of \( \mathsf {op} \)\( {\mathsf {SRA}} \). First, since \( \mathsf {op} \)\( {\mathsf {SRA}} \) performs write events following their \( {\color{orange} {\mathtt {mo}}} \)-order, when a thread writes to \( {x} \), it cannot later read the value of \( {x} \) from a write that was already performed (this would violate read-coherence in terms of \( {\mathsf {SRA}} \)). Accordingly, we do not allow a thread to write to \( {x} \) if some read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \) appears in its potential. Second, when a thread performs a write of \( v \) to \( {x} \), it allows future reads from this write. That is, new read options \( {o} \) with \( {\mathtt {loc}}({o})={x} \) and \( {\mathtt {val}}({o})=v \) may be added to every list of every thread. This makes the write step in \( \mathsf {lo} \)\( {\mathsf {SRA}} \) (unlike the one of \( \mathsf {op} \)\( {\mathsf {SRA}} \)) non-deterministic—the writer essentially has to “guess” which threads will read from the new write and when.
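The read gating and the write restriction just described can be sketched as follows (a minimal illustration under an assumed encoding, not the formal definition: an option is a (location, value) pair, a potential is a set of option lists represented as tuples, and \( {\mathcal {{B}}} \) maps thread identifiers to potentials):

```python
def can_read(B, tau, x, v):
    # tau may read v from x iff the option (x, v) heads every one of its lists
    return all(L and L[0] == (x, v) for L in B[tau])

def consume(B, tau):
    # progress to the next option: discard the head of each of tau's lists
    B[tau] = {L[1:] for L in B[tau]}

def can_write(B, tau, x):
    # tau may not write to x while a read option from x is in its potential
    return all(loc != x for L in B[tau] for (loc, _v) in L)

B = {"T1": {(("x", 0), ("y", 1))}}
print(can_read(B, "T1", "x", 0))  # True
print(can_write(B, "T1", "x"))    # False
```

The non-determinism of the write step (guessing which threads read the new write, and where the new options go) is not captured by this fragment; it is governed by the justification mechanism explained next.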
But where in the lists should we allow such options to be added? The following examples demonstrate two possible cases. In them, we write \( {o}_{{x}}^v \) for a read option of value \( v \) from location \( {x} \).
Consider the IRIW program with its (\( {\mathsf {SRA}} \)-allowed) outcome in Example 3.5. Clearly, the first step may only be a write by \( \mathtt {T}_1 \) or \( \mathtt {T}_4 \). Suppose, w.l.o.g., that \( \mathtt {T}_1 \) begins. Since \( \mathtt {T}_3 \) reads 0 from \( \mathtt { x} \), an option \( {o}_{\mathtt { x}}^0 \) should be added to the lists of \( \mathtt {T}_3 \). Now, before reading 0 from \( \mathtt { x} \), \( \mathtt {T}_3 \) has to read 1 from \( \mathtt { y} \). Hence, when \( \mathtt {T}_4 \) writes 1 to \( \mathtt { y} \), an option \( {o}_{\mathtt { y}}^1 \) should be placed before \( {o}_{\mathtt { x}}^0 \) in the lists of \( \mathtt {T}_3 \).
Consider the MP program with its outcome in Example 3.4. It is forbidden under \( {\mathsf {SRA}} \), and so we need to avoid the following scenario: First, \( \mathtt {T}_1 \) writes 0 to \( {\mathtt { x}} \) and adds a corresponding option \( {o}_{\mathtt { x}}^0 \) to the (initially empty) list of \( \mathtt {T}_2 \), and then writes 1 to \( {\mathtt { x}} \) without adding any option to any list (no thread reads 1 from \( {\mathtt { x}} \) in this program outcome). Then, \( \mathtt {T}_1 \) further writes 1 to \( {\mathtt { y}} \) and adds a corresponding option \( {o}_{\mathtt { y}}^1 \) to the list of \( \mathtt {T}_2 \), placed before \( {o}_{\mathtt { x}}^0 \). Finally, \( \mathtt {T}_2 \) may run: read 1 from \( {\mathtt { y}} \) (consuming \( {o}_{\mathtt { y}}^1 \)) and then 0 from \( {\mathtt { x}} \) (consuming \( {o}_{\mathtt { x}}^0 \)).
How can we resolve the tension between the two examples? The restriction we impose on the positions of the added read options is based on the following key observation:
Shared-memory causality principle: After thread \( {\pi } \) reads from a certain write executed by thread \( {\tau } \), thread \( {\pi } \) can perform a sequence of operations only if thread \( {\tau } \) could perform the same sequence immediately after it executed the write.
Indeed, if thread \( {\tau } \) has just performed a write \( w \), then after thread \( {\pi } \) reads from \( w \), it “synchronizes” with \( {\tau } \) and it is thus confined by the sequences of reads that \( {\tau } \) may perform. (Note that the converse does not hold: thread \( {\tau } \) may be able to read values that thread \( {\pi } \) cannot read anymore, since thread \( {\pi } \) may be already aware of later writes to other locations.) Hence, to allow the addition of a read option \( {o} \) in certain positions of a list \( L \) of some thread \( {\pi } \), we require a justification: the suffix of \( L \) after the first occurrence of \( {o} \) should be a subsequence of an option list of the writing thread \( {\tau } \). This guarantees that after \( {\pi } \) reads from a write \( w \) of \( {\tau } \), it will not be able to read something that \( {\tau } \) could not read at the time that it wrote \( w \). (Revisiting Example 5.2, the read option \( {o}_{\mathtt { y}}^1 \) cannot be placed before \( {o}_{\mathtt { x}}^0 \), because \( \mathtt {T}_1 \) cannot have \( {o}_{\mathtt { x}}^0 \) in its lists at the point of writing 1 to \( {\mathtt { y}} \).)
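The justification requirement reduces to a subsequence check; a minimal sketch (hypothetical encoding, with options as (location, value) pairs) is:

```python
def is_subsequence(s, t):
    """Is s a (not necessarily contiguous) subsequence of t?"""
    it = iter(t)
    return all(any(a == b for b in it) for a in s)

def justified(suffix, writer_potential):
    # the suffix of the target list after the first added read option must
    # be covered by an option list of the writing thread
    return any(is_subsequence(suffix, L) for L in writer_potential)

# Revisiting Example 5.2: o_y^1 cannot be placed before o_x^0 in T2's list,
# because no list of T1 contains o_x^0 when T1 writes 1 to y.
print(justified([("x", 0)], {(("y", 0),)}))  # False
```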
We revisit Example 5.1 and show how the weak outcome of the IRIW program (see Example 3.5) is obtained in the lossy \( {\mathsf {SRA}} \) machine \( \mathsf {lo} \)\( {\mathsf {SRA}} \). One possible way to obtain this outcome is depicted as follows:

Now, since the potential of thread \( {\tau } \) is used both for (i) dictating future reads of \( {\tau } \), and (ii) justifying the placement of read options that are generated by \( {\tau } \)’s write steps, we may need more than one option list for each thread. We also allow existing lists to be discarded in silent moves of the memory system. This is demonstrated in the following example.
Consider the following program, whose annotated outcome is allowed under \( {\mathsf {SRA}} \):

Another complication arises due to the fact that read options do not uniquely identify write events in the execution graph (this is unavoidable—for the decision procedure, we need the alphabet of read options to be finite):
Consider the following program:


To remedy this problem, we make read options more informative. Together with location and value, read options also include the thread identifier that performed the write. When a thread writes, it adds options with its own thread identifier in the different lists. For a thread \( {\tau } \) to read \( v \) from \( {x} \), a read option \( {o} \) with \( {\mathtt {val}}({o})=v \) and \( {\mathtt {loc}}({o})={x} \), carrying one and the same writing thread identifier, must be the first in every option list of \( {\tau } \). In this example, the two \( {o}_{\mathtt { z}}^1 \) options will carry different thread identifiers, which forces \( \mathtt {T}_3 \) to discard one of its lists before reading.
Even with thread identifiers, read options do not uniquely identify write events. Nevertheless, as our proof shows, the ambiguity inside the writing thread does not harm the adequacy of the semantics. Roughly speaking, it can be resolved by picking the \( {\mathtt {po}} \)-earliest write event, as reading from it enforces the weakest constraints for the rest of the run.
Finally, RMWs behave like an atomic combination of a read and a write, with a slight adaptation of the above semantics. Recall that in \( \mathsf {op} \)\( {\mathsf {SRA}} \), an RMW may only read from the \( {\color{orange} {\mathtt {mo}}} \)-maximal write to the relevant location. To achieve this in \( \mathsf {lo} \)\( {\mathsf {SRA}} \), we include an additional flag in read options whose value is either \( {\mathtt {R}} \) or \( {\mathtt {RMW}} \). Intuitively, an \( {\mathtt {RMW}} \) value means that the read option is set to read from the \( {\color{orange} {\mathtt {mo}}} \)-maximal write. Accordingly, an rmw step may only consume read options marked as \( {\mathtt {RMW}} \). Since write steps to \( {x} \) replace the \( {\color{orange} {\mathtt {mo}}} \)-maximal write to \( {x} \) in the execution graph, they may choose to mark any of the added read options as \( {\mathtt {RMW}} \), but they can only execute when no existing read option (of any thread) from location \( {x} \) is marked as an \( {\mathtt {RMW}} \).
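The \( {\mathtt {RMW}} \)-flag discipline can be sketched as two checks (illustration under an assumed encoding: an option is a (writer, location, value, flag) tuple with flag in {"R", "RMW"}; the agreement on the writer identifier across lists is not modeled here):

```python
def write_enabled(B, x):
    # a write to x may execute only if no pending read option from x, in
    # any thread's potential, is marked "RMW"
    return all(flag == "R"
               for P in B.values() for L in P
               for (_w, loc, _v, flag) in L if loc == x)

def rmw_head_enabled(B, tau, x, v):
    # an rmw step may only consume head options marked "RMW"
    return all(L and L[0][1:] == (x, v, "RMW") for L in B[tau])
```

For instance, as long as some thread still holds an \( {\mathtt {RMW}} \)-marked option from \( {x} \), `write_enabled` blocks further writes to \( {x} \), mirroring the requirement that RMWs read from the \( {\color{orange} {\mathtt {mo}}} \)-maximal write.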
Next, we turn to the formal definitions.
We use \( \epsilon \) to denote the empty sequence. The length of a sequence \( s \) is denoted by \( |{s}| \) (in particular \( |{\epsilon }| = 0 \)). We often identify a sequence \( s \) over \( \Sigma \) with its underlying function in \( \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{s}|}\rbrace \rightarrow \Sigma \), and write \( s(k) \) for the symbol at position \( 1 \le k \le |{s}| \) in \( s \). We write \( \sigma \in s \) if the symbol \( \sigma \) appears in \( s \), that is if \( s(k)=\sigma \) for some \( 1 \le k \le |{s}| \). We use “\( \cdot \)” for the concatenation of sequences, and lift it to concatenation of sets \( S_1 \) and \( S_2 \) of sequences in the obvious way (\( S_1 \cdot S_2 \triangleq \lbrace {s_1\cdot s_2 \; | \;s_1\in S_1, s_2\in S_2}\rbrace \)). We identify symbols with sequences of length 1 or their singletons when needed (e.g., in expressions like \( \sigma \cdot S \) for \( \sigma \in \Sigma \) and a set \( S \) of sequences over \( \Sigma \)).
Read options, option lists and potentials are defined as follows:
We define an ordering on option lists, which extends to potentials and to mappings of potentials to threads.
The (overloaded) relation \( \sqsubseteq \) is defined by:
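The definition itself appears in the elided display; the following sketch gives one reading consistent with the surrounding text (lists compared by subsequence, potentials by domination, mappings pointwise). It is an illustration under these assumptions, not the paper's definition:

```python
def list_leq(L1, L2):
    # L1 below L2: L1 is a subsequence of L2 (obtained by removing options)
    it = iter(L2)
    return all(any(a == b for b in it) for a in L1)

def pot_leq(P1, P2):
    # P1 below P2: every list of P1 is "at most as powerful" as some list of P2
    return all(any(list_leq(L1, L2) for L2 in P2) for L1 in P1)

def map_leq(B1, B2):
    # pointwise lifting to thread-indexed potential mappings
    return B1.keys() == B2.keys() and all(pot_leq(B1[t], B2[t]) for t in B1)
```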
The \( \mathsf {lo} \)\( {\mathsf {SRA}} \) memory system is formally defined (in the setting of Definition 4.1) as follows. Figure 4 illustrates a run of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) for the SB program (Example 3.3) alongside a corresponding run of \( \mathsf {op} \)\( {\mathsf {SRA}} \).
\( \mathsf {lo} \)\( {\mathsf {SRA}} \) is defined by: \( {\mathsf {lo}{{\mathsf {SRA}}}}.{\mathtt {Q}} \) is the set of functions \( {\mathcal {{B}}} \) assigning a potential to every \( {\tau }\in \mathsf {Tid} \); \( {\mathsf {lo}{{\mathsf {SRA}}}}.{\mathtt {Q}_0}= \lbrace {\lambda {\tau }\in \mathsf {Tid}.\; \lbrace {\epsilon }\rbrace }\rbrace \); and the transitions are as follows:

The definition of the write step generally follows the intuitive explanation above. (See an illustration in Figure 5.) Every option list of thread \( {\pi } \) (\( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \)) after a write transition by thread \( {\tau } \) is obtained by adding \( n\ge 0 \) read options (\( {{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{u_1}) {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{u_n}) \)) of the current write to an existing list \( L \) of thread \( {\pi } \) (\( L=L_0 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\pi }) \)), provided that: (i) the suffix of the existing list right after the position of the first added option is an option list of the writing thread (\( L_1 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\tau }) \)); (ii) the list \( L^{\prime } \) cannot have other read options from location \( {x} \) after the first added read option (\( \forall {o}\in L_1 \cdot \!\ldots \!\cdot L_n.\; {\mathtt {loc}}({o}) \ne {x} \)); (iii) before the first added read option (i.e., in \( L_0 \)) thread \( {\tau } \) should not have other read options from \( {x} \) (that is, if \( {\pi }={\tau } \), then the list \( L^{\prime } \) cannot have any read options from \( {x} \) besides the newly added ones), and other threads may have read options from \( {x} \), but these options cannot be \( {\mathtt {RMW}} \) options (\( \forall {o}\in L_0.\; {\mathtt {loc}}({o}) = {x}\Rightarrow {\pi }\ne {\tau }\wedge {\mathtt {rmw}}({o})={\mathtt {R}} \)).
Fig. 5. Illustration of \( \mathsf {lo} \)\( {\mathsf {SRA}} \)’s write step, as defined in Definition 5.9. Two read options \( {\color{green!40!black}{{{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{4},{{\mathtt {R}}})}} \) are added to the option list \( L^{\prime } \) of thread \( \mathtt {T}_2 \) in \( {\mathcal {{B}}}^{\prime } \), constructed from the list \( L \) of \( \mathtt {T}_2 \) and justified by the list \( \hat{L} \) of \( \mathtt {T}_1 \) in \( {\mathcal {{B}}} \). Observe that \( \hat{L}= L_1 \cdot L_2 \), \( L= L_0 \cdot L_1 \cdot L_2 \) and \( L^{\prime } = L_0 \cdot {\color{green!40!black}{{{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{4},{{\mathtt {R}}})}} \cdot L_1 \cdot {\color{green!40!black}{{{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{4},{{\mathtt {R}}})}}\cdot L_2 \), where \( L_0 = {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{0},{{\mathtt {R}}}) \), \( L_1 = {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{3},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { y}},{0},{{\mathtt {R}}}) \) and \( L_2 = {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{1},{{\mathtt {RMW}}}) \).
When \( n=0 \) (no new options are added to some list), we assume that the conditions involving \( L_1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}L_n \) vacuously hold, and thus we only require \( L^{\prime }=L_0\in {\mathcal {{B}}}({\pi }) \) (the list is left intact) and \( \forall {o}\in L_0.\; {\mathtt {loc}}({o}) = {x}\Rightarrow {\pi }\ne {\tau }\wedge {\mathtt {rmw}}({o})={\mathtt {R}} \). Note that since the universal quantification is on lists of the new state, the step allows lists to be “duplicated” before being modified, as well as complete lists to be “discarded” (as often useful when a certain list is needed only as a justification for positioning a read option; see, e.g., Example 5.5). We also note that several \( {\mathtt {RMW}} \) options can be added, but only one of them may be later fulfilled.
Our formal write step insists on having a justification in the form of a complete option list of the writing thread (\( L_1 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\tau }) \)). It suffices, however, for the suffix after the first added read option to be a subsequence of some list of the writing thread (\( \lbrace {L_1 \cdot \!\ldots \!\cdot L_n}\rbrace \sqsubseteq {\mathcal {{B}}}({\tau }) \)). Indeed, this less restrictive step is derivable by combining a lower step and a write step. For \( {\pi }={\tau } \) (adding read options in the lists of the thread that performed the write), this means that no justification is needed (since \( L_0 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\tau }) \) implies \( \lbrace {L_1 \cdot \!\ldots \!\cdot L_n}\rbrace \sqsubseteq {\mathcal {{B}}}({\tau }) \)). Similarly, no justification is required for placing read options at the end of existing lists (since \( \lbrace {\epsilon }\rbrace \sqsubseteq {\mathcal {{B}}}({\tau }) \) always holds).
The read step requires that the first option in all lists in the executing thread’s potential is the same read option \( {o} \), and allows the thread to read the value of \( {o} \) from the location of \( {o} \), while consuming \( {o} \) from all these lists. Note that, by definition, the potential \( {\mathcal {{B}}}^{\prime }({\tau }) \) is non-empty, and so the set \( {\mathcal {{B}}}({\tau }) \) as defined in the step is non-empty. When all options are consumed, \( {\tau } \)’s potential consists of a single empty list.
Our formal read step always discards the first option from the lists, which was used to justify the read. An alternative semantics that keeps the lists unchanged in read steps (allowing to discard the first option using the lower step) would be equivalent. Indeed, the write step that added the consumed option could always add multiple identical consecutive read options.
The rmw step is an atomic sequencing of read and write to the same location. The read part can only be performed provided that the first option in all lists is marked with \( {\mathtt {RMW}} \).
The lower transition allows removing read options, as well as full option lists, at any point. It also allows adding new lists, provided that each new list is “at most as powerful” as some existing list (as used in Remark 4). Intuitively, lower can only reduce the possible traces, and it is what allows us to show that \( \mathsf {lo} \)\( {\mathsf {SRA}} \) is a well-structured transition system.
Consider the 2+2W program with its (\( {\mathsf {SRA}} \)-disallowed) outcome in Example 3.6. To see that this outcome cannot be obtained by \( \mathsf {lo} \)\( {\mathsf {SRA}} \), consider the last write executed in a run of this program. Suppose, w.l.o.g., that it is \( \mathtt { y}\;{:=}\;2 \) by \( \mathtt {T}_1 \). After executing this write, \( \mathtt {T}_1 \) cannot have any other read options of location \( \mathtt { y} \) in its lists. Hence, a read option of the form \( {{{\mathtt {O}}_{\mathtt {R}}}({\_},{\mathtt { y}},{1},{\_})} \) should be added to \( \mathtt {T}_1 \)’s potential after \( \mathtt {T}_1 \) executed \( \mathtt { y}\;{:=}\;2 \). This contradicts our assumption that \( \mathtt { y}\;{:=}\;2 \) was the last executed write.
Consider the 2RMW program with its (\( {\mathsf {SRA}} \)-disallowed) outcome in Example 3.8. To try to obtain this outcome in \( \mathsf {lo} \)\( {\mathsf {SRA}} \), the \( \mathtt { x}\;{:=}\;0 \) by \( \mathtt {T}_1 \) must add a read option \( {{{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{0},{{\mathtt {RMW}}})} \) in both its own list and in a list of \( \mathtt {T}_2 \). But, the execution of the first RMW, which consumes one of these options, cannot proceed if there is another option marked with \( {\mathtt {RMW}} \). Hence, the second RMW cannot read 0, and this outcome cannot be obtained by \( \mathsf {lo} \)\( {\mathsf {SRA}} \).
We conclude with the equivalence of \( \mathsf {op} \)\( {\mathsf {SRA}} \) and \( \mathsf {lo} \)\( {\mathsf {SRA}} \). We postpone its proof to Section 7, after we introduce a similar system for \( {\mathsf {WRA}} \).
6 Making Weak Release/Acquire Lossy: The \( {\mathsf {lo}{{\mathsf {WRA}}}} \) memory system
As we did for \( {\mathsf {SRA}} \), we introduce an alternative memory system, which we call \( \mathsf {lo} \)\( {\mathsf {WRA}} \) (for “lossy-\( {\mathsf {WRA}} \)”), that is equivalent to \( \mathsf {op} \)\( {\mathsf {WRA}} \). Like \( \mathsf {lo} \)\( {\mathsf {SRA}} \), the \( \mathsf {lo} \)\( {\mathsf {WRA}} \) memory system is based on thread potentials, where machine states record information on what can be done from now on, rather than on what was done until now, as in \( \mathsf {op} \)\( {\mathsf {SRA}} \) and \( \mathsf {op} \)\( {\mathsf {WRA}} \). The causality constraints are maintained by adhering to the “shared-memory causality principle” (see Section 5), thus requiring appropriate justifications for the positioning of added read options in other threads’ lists. However, as we explain below, \( \mathsf {lo} \)\( {\mathsf {WRA}} \) requires a key change w.r.t. \( \mathsf {lo} \)\( {\mathsf {SRA}} \) that has to do with what thread potentials consist of.
The first observation about \( \mathsf {lo} \)\( {\mathsf {WRA}} \) is that it must allow existing read options from location \( {x} \) to appear in the potential of thread \( {\tau } \) after \( {\tau } \) writes to \( {x} \). Indeed, this is necessary for allowing certain outcomes that \( \mathsf {lo} \)\( {\mathsf {SRA}} \) forbids (e.g., Examples 3.6 and 3.7). Intuitively speaking, the fact that thread \( {\tau } \) writes to \( {x} \) should not restrict the thread from later reading from a write that was executed before \( {\tau } \)’s write, as long as \( {\tau } \) is not already aware of the other write at the point of writing. This is in contrast to \( {\mathsf {SRA}} \), where writes can be executed following their \( {\color{orange} {\mathtt {mo}}} \) order, and thus writing to some location makes the thread aware of the latest write.
We further observe that simply allowing read options from \( {x} \) in write steps to \( {x} \) as mentioned above would make the semantics overly weak. First, if \( {\tau } \) writes to \( {x} \) and adds read options \( {o}_1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{o}_n \) in one of its own lists, then it should not write again to \( {x} \) before consuming (or discarding) each of \( {o}_1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{o}_n \). Indeed, if \( {\tau } \) writes to \( {x} \) again, then the second write is aware (via \( {\mathtt {po}}\subseteq {\color{blue} {\mathtt {hb}}} \)) of the first one, and reading from the first one after executing the second would violate weak-read-coherence. Second, if \( {o}_1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{o}_n \) are added in a list of another thread \( {\pi } \), then after consuming \( {o}_1 \) but before consuming \( {o}_n \) thread \( {\pi } \) should not write to \( {x} \). Indeed, performing the read specified by \( {o}_1 \) will make thread \( {\pi } \) aware of the write \( w \) associated with \( {o}_2 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}{o}_n \). When \( {\pi } \) writes to \( {x} \), its write will be \( {\color{blue} {\mathtt {hb}}} \)-after \( w \), and reading again from \( w \) will violate weak-read-coherence.
Thus, we need to put certain limitations on the ability to write to a location \( {x} \) that are related to the read options from \( {x} \) in the potentials. The key idea is that such restrictions can be supported by setting the potentials of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) to include write options in addition to read options. Write options take the form \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) where \( {x}\in \mathsf {Loc} \). In the initial states, all lists consist solely of write options (to some locations), which reflect the initial possible continuations of each thread. Then, when \( {\tau } \) writes to \( {x} \), it (1) has to discard all of its lists that do not begin with \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \), and consume the \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) option from the head of each of its remaining lists; (2) cannot place read options in its own lists after some \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) option; and (3) cannot place new read options in other threads’ lists in a way that will make some \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) option appear between two of the added read options.
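Condition (1) can be sketched as follows (an illustration under an assumed encoding, not the formal definition: a write option is ("W", x), a read option is ("R", x, v), and a potential is a set of lists represented as tuples):

```python
def exec_write(P, x):
    """Write to x: keep only the lists beginning with the write option
    ("W", x), consuming that head option from each of them."""
    kept = {L[1:] for L in P if L and L[0] == ("W", x)}
    if not kept:
        raise ValueError("no list begins with a write option to " + x)
    return kept

P = {(("W", "x"), ("R", "y", 1)), (("R", "y", 1),)}
# the second list does not begin with ("W", "x") and is discarded
print(exec_write(P, "x"))
```

Conditions (2) and (3), restricting where new read options may be placed relative to \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) options, constrain the write step's non-deterministic choices and are not modeled in this fragment.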
The “shared-memory causality principle” now applies not only to read options but also to write options: If \( {\tau } \) has just performed a write \( w \), then after \( {\pi } \) reads from \( w \), it “synchronizes” with \( {\tau } \), and so its continuations (sequences of both reads and writes) should all be possible continuations of \( {\tau } \). In fact, as our correspondence proofs show, enforcing the “shared-memory causality principle” and conditions \( (1)\text{--}(3) \) above suffices to precisely capture \( {\mathsf {WRA}} \).
The annotated outcome of the WW program in Example 3.7 can be obtained with the following run (using subscripts and superscripts for locations and values while eliding the other components of read options):

The annotated outcome of the oscillating program in Example 3.7 can be obtained with the following (prefix of) run (using subscripts and superscripts as above):

We demonstrate why \( \mathsf {lo} \)\( {\mathsf {WRA}} \) disallows the annotated outcome of the MP-trans program in Example 3.4. The first executed operation must be \( \mathtt { x}\;{:=}\;0 \) by \( \mathtt {T}_1 \). Since \( \mathtt {T}_3 \) reads 0 from \( \mathtt { x} \), a corresponding read option \( {o}_\mathtt { x}^0 \) has to be added to lists of \( \mathtt {T}_3 \). Then, since \( \mathtt {T}_3 \) will read 1 from \( \mathtt { x} \) (which is written by \( \mathtt {T}_2 \)) before it reads 0, when \( \mathtt {T}_2 \) executes \( \mathtt { x}\;{:=}\;1 \), a read option \( {o}_\mathtt { x}^1 \) has to be added to lists of \( \mathtt {T}_3 \) and be placed before \( {o}_\mathtt { x}^0 \). The semantics of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) requires a justification for placing \( {o}_\mathtt { x}^1 \) before \( {o}_\mathtt { x}^0 \): a list of \( \mathtt {T}_2 \) that contains \( {{\mathtt {O}}_{\mathtt {W}}}({\mathtt { x}}) \) and somewhere after it \( {o}_\mathtt { x}^0 \). Hence, when \( \mathtt {T}_1 \) executes \( \mathtt { x}\;{:=}\;0 \), the read option \( {o}_\mathtt { x}^0 \) should also be added to the lists of \( \mathtt {T}_2 \) after \( {{\mathtt {O}}_{\mathtt {W}}}({\mathtt { x}}) \). Now, since \( \mathtt {T}_2 \) reads 1 from \( \mathtt { y} \) before it executes \( \mathtt { x}\;{:=}\;1 \), when \( \mathtt {T}_1 \) executes \( \mathtt { y}\;{:=}\;1 \), a read option \( {o}_\mathtt { y}^1 \) has to be added to lists of \( \mathtt {T}_2 \), and be placed before \( {{\mathtt {O}}_{\mathtt {W}}}({\mathtt { x}}) \) (which precedes \( {o}_\mathtt { x}^0 \)). In turn, this requires a justification in the form of a list of \( \mathtt {T}_1 \) that contains \( {{\mathtt {O}}_{\mathtt {W}}}({\mathtt { x}}) \) that precedes \( {o}_\mathtt { x}^0 \). 
Therefore, when \( \mathtt {T}_1 \) executes \( \mathtt { x}\;{:=}\;0 \), the read option \( {o}_\mathtt { x}^0 \) should also be added to the lists of \( \mathtt {T}_1 \), somewhere after \( {{\mathtt {O}}_{\mathtt {W}}}({\mathtt { x}}) \), which is disallowed by \( \mathsf {lo} \)\( {\mathsf {WRA}} \).
Finally, RMWs in \( \mathsf {lo} \)\( {\mathsf {WRA}} \) are handled differently than in \( \mathsf {lo} \)\( {\mathsf {SRA}} \). Indeed, all we have in \( {\mathsf {WRA}} \) is that two RMWs never read from the same event, and thus we cannot require, as required in \( \mathsf {lo} \)\( {\mathsf {SRA}} \), that after executing a write, no RMW will read from a write that was executed earlier. Naively, \( {\mathsf {WRA}} \)’s weak-atomicity constraint could be supported by adding at most one option marked with \( {\mathtt {RMW}} \) when performing a write. This, however, conflicts with the “shared-memory causality principle”: If we decide to give thread \( {\pi } \) an \( {\mathtt {RMW}} \)-option, then later when it reads from a write of thread \( {\tau } \), it may still be able to perform an RMW, while thread \( {\tau } \) never had such an option. To resolve this mismatch, we utilize the observation in Remark 3, and slightly modify \( \mathsf {lo} \)\( {\mathsf {WRA}} \)’s read options. Instead of marking read options with RMW flags, we instrument them with RMW thread identifiers, denoting the (unique) thread that may consume this option when executing an RMW. When a thread writes, it picks an arbitrary but unique thread identifier to include in this field of its added options; reads ignore this field; and RMWs by thread \( {\tau } \) can only consume read options whose RMW thread identifier is \( {\tau } \). Now, in the above scenario, instead of saying that \( {\pi } \) has some option that \( {\tau } \) lacks, we will have that both threads have the same option, which is a conditional option to perform an RMW if their identifier matches the RMW thread identifier of the option. This allows us to maintain the “shared-memory causality principle.”
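The identifier mechanism can be illustrated with a short Python sketch (a toy model with hypothetical names, not the formal semantics): a write attaches one chosen RMW thread identifier to all read options it adds, and an RMW by thread \( {\tau } \) may consume an option only when that identifier is \( {\tau } \).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReadOption:
    tid: str       # thread that performed the write
    loc: str
    val: int
    rmw_tid: str   # the unique thread allowed to consume this option in an RMW

def can_rmw(thread: str, option: ReadOption, loc: str, val: int) -> bool:
    # An RMW by `thread` may consume the option only if the option's
    # RMW thread identifier matches `thread`; plain reads ignore this field.
    return option.loc == loc and option.val == val and option.rmw_tid == thread

# The writer picks a single RMW thread identifier for all options it adds:
opt = ReadOption(tid="T1", loc="x", val=1, rmw_tid="T2")
assert can_rmw("T2", opt, "x", 1)       # T2 holds the conditional RMW right
assert not can_rmw("T3", opt, "x", 1)   # every other thread may only read
```

Both threads hold the very same conditional option, in line with the “shared-memory causality principle.”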
We turn to the formal definitions. Some notions (e.g., read options) overlap with those of Section 5. To improve readability, we use the same terms, and the ambiguity is resolved by the context.
An option \( {o} \) is either \( {{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v},{{\pi }_{\mathtt {RMW}}}) \) (read option) or \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) (write option), where \( {\tau },{\pi }_{\mathtt {RMW}}\in \mathsf {Tid} \), \( {x}\in \mathsf {Loc} \) and \( v\in \mathsf {Val} \). The functions \( {\mathtt {typ}} \), \( {\mathtt {tid}} \), \( {\mathtt {loc}} \), \( {\mathtt {val}} \), and \( {\mathtt {rmw}\mbox{-}{\mathtt {tid}}} \) return (when applicable) the type (\( {\mathtt {R}}/{\mathtt {W}} \)), thread identifier (\( {\tau } \)), location (\( {x} \)), value (\( v \)), and RMW thread identifier (\( {\pi }_{\mathtt {RMW}} \)) of a given option.
Option lists (which now include both read and write options) and potentials, as well as the \( \sqsubseteq \) ordering, are defined as in Definitions 5.7 and 5.8 (using Definition 6.4 instead of \( \mathsf {lo} \)\( {\mathsf {SRA}} \)’s read options).
The memory system \( \mathsf {lo} \)\( {\mathsf {WRA}} \) is defined by: \( {\mathsf {lo}{{\mathsf {WRA}}}}.{\mathtt {Q}} \) is the set of functions \( {\mathcal {{B}}} \) assigning a potential to every \( {\tau }\in \mathsf {Tid} \); \( {\mathsf {lo}{{\mathsf {WRA}}}}.{\mathtt {Q}_0}= \lbrace { {\mathcal {{B}}}\; | \;\forall {\tau }\in \mathsf {Tid}, L\in {\mathcal {{B}}}({\tau }),{o}\in L.\; {\mathtt {typ}}({o})={\mathtt {W}}}\rbrace \); and the transitions are as follows:

The read, rmw, and lower steps are as in \( \mathsf {lo} \)\( {\mathsf {SRA}} \) (except for the precondition \( {\mathtt {rmw}\mbox{-}{\mathtt {tid}}}({o})={\tau } \) instead of \( {\mathtt {rmw}}({o})={\mathtt {RMW}} \) in the rmw step).
The write step follows the intuitive explanation above. Keeping in mind that the writing thread consumes a write option to the written location, every option list after the write transition is obtained from some previous list (\( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot L_0 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\tau }) \) for the writing thread and \( L_0 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\pi }) \) for other threads), with the addition of \( n\ge 0 \) read options of the current write (all with the same RMW thread identifier), provided that: (1) the suffix of the existing list right after the position of the first added read option is an option list (after consuming the first write option) of the writing thread (\( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot L_1 \cdot \!\ldots \!\cdot L_n \in {\mathcal {{B}}}({\tau }) \)); (2) for the writing thread, the prefix of the existing list (after consuming the first write option) before the position of the last added read option cannot have options to write to \( {x} \) (\( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \not\in L_0 \cdot \!\ldots \!\cdot L_{n-1} \)); and (3) for the other threads, the part of the existing list between the first and the last positions of the added read options cannot have options to write to \( {x} \) (\( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \not\in L_1 \cdot \!\ldots \!\cdot L_{n-1} \)).
When \( n=0 \) for some \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \) (no new options are added to some list), we only require \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot L^{\prime } \in {\mathcal {{B}}}({\tau }) \) if \( {\pi }= {\tau } \), and \( L^{\prime } \in {\mathcal {{B}}}({\pi }) \) otherwise.
We conclude with the equivalence of \( \mathsf {op} \)\( {\mathsf {WRA}} \) and \( \mathsf {lo} \)\( {\mathsf {WRA}} \). The proof is given in the next section, together with the proof of the corresponding theorem for \( {\mathsf {SRA}} \) (Theorem 5.12).
7 Equivalence of \( {\mathsf {lo}{{\mathsf {SRA}}}} \) and \( {\mathsf {op}{{\mathsf {SRA}}}} \) and of \( {\mathsf {lo}{{\mathsf {WRA}}}} \) and \( {\mathsf {op}{{\mathsf {WRA}}}} \)
In this section, we establish the equivalence of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {op} \)\( {\mathsf {SRA}} \) (Theorem 5.12) and of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) and \( \mathsf {op} \)\( {\mathsf {WRA}} \) (Theorem 6.6). We use the same approach for both \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \), though some of the technical arguments differ between the two. Here, we provide the approach and a proof sketch, and detail the full proofs in Appendix A. Whenever possible, we speak of \( \mathsf {op} \)\( {\mathsf {XRA}} \) and \( \mathsf {lo} \)\( {\mathsf {XRA}} \), standing for both \( \mathsf {op} \)\( {\mathsf {SRA}} \) and \( \mathsf {op} \)\( {\mathsf {WRA}} \), and for both \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {lo} \)\( {\mathsf {WRA}} \), respectively.
To establish the equivalence of \( \mathsf {lo} \)\( {\mathsf {XRA}} \) and \( \mathsf {op} \)\( {\mathsf {XRA}} \), we define a simulation \( {}\curlyvee {} \subseteq {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}}\times {\mathsf {op}{{\mathsf {XRA}}}}.{\mathtt {Q}} \), formalizing the intuitive relation between \( \mathsf {lo} \)\( {\mathsf {XRA}} \)’s potentials and \( \mathsf {op} \)\( {\mathsf {XRA}} \)’s execution graphs. For defining \( \curlyvee \), we first define a “write list” linking the read options in an option list \( L \) to write events in an execution graph \( G \). For \( \mathsf {lo} \)\( {\mathsf {WRA}} \), a write list also has write options that need to be identical to the write options in \( L \); and we also assume a mapping \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) relating every write event to the unique thread that may read from it in an RMW event.
A write list is a sequence of write events and write options. Let \( G \) be an execution graph, \( L \) an option list and \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \). A write list \( W \) is a \( {\langle {G,L}\rangle } \)-write-list (for \( {\mathsf {SRA}} \)) or a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list (for \( {\mathsf {WRA}} \)) if \( |{L}|=|{W}| \) and the following hold for every \( 1 \le k \le |{W}| \):
If \( {\mathtt {typ}}(L(k))={\mathtt {R}} \) (i.e., \( L(k) \) is a read option), then the following hold:
If \( {\mathtt {typ}}(L(k))={\mathtt {W}} \) (i.e., \( L(k) \) is a write option), then \( W(k)=L(k) \) (relevant only for \( {\mathsf {WRA}} \)).
The following notion of \( {\langle {G,{\tau }}\rangle } \)-consistency of a write list \( W \) intuitively means that \( {\mathsf {XRA}} \)-consistency is satisfied by the extension of the execution graph \( G \) with a sequence of reads and writes of thread \( {\tau } \) obtained by following \( W \): For an element \( w\in W \) that is in \( G.\mathsf {W} \), the corresponding extension of \( G \) is a read event reading from \( w \), and for an element of \( W \) of the form \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \), the extension of \( G \) is a write event to \( {x} \) (writing an arbitrary value).
Ensuring this consistency depends on the constraints of \( {\mathsf {XRA}} \) and is thus different for \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \). For \( {\mathsf {SRA}} \), we should ensure that \( {\tau } \) is not already aware of some write that is \( {\color{orange} {\mathtt {mo}}} \)-later than some write of \( W \), and that after reading from a write \( w_1 \) of \( W \), thread \( {\tau } \) will not become aware of some write that is \( {\color{orange} {\mathtt {mo}}} \)-later than some write \( w_2 \) that appears after \( w_1 \) in \( W \). Formally:
A write list \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent for \( {\mathsf {SRA}} \) if for every \( 1 \le k \le |{W}| \), we have \( W(k)\not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \).
For \( {\mathsf {WRA}} \), we should ensure that (1) \( {\tau } \) is not already aware of some write that is \( {\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \)-later than some write of \( W \); (2) after reading from a write \( w_1 \) of \( W \), \( {\tau } \) will not become aware of some write that is \( {\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}} \)-later than some write \( w_2 \) that appears after \( w_1 \) in \( W \); (3) if \( {\tau } \) is already aware of some write \( w \) to \( {x} \), then it cannot write to \( {x} \) and then read from \( w \); and (4) if \( {\tau } \) is becoming aware of some write \( w \) to \( {x} \) by reading from a write (not necessarily to \( {x} \)), then it cannot later write to \( {x} \) and then read from \( w \).
In the following definition, the first two properties are covered by condition 1, and the third and fourth by conditions 2 and 3, respectively:
A write list \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent for \( {\mathsf {WRA}} \) if for every \( 1 \le k \le |{W}| \) with \( W(k)\in \mathsf {E} \):
Now, \( \curlyvee \) relates an \( \mathsf {lo} \)\( {\mathsf {XRA}} \) state \( {\mathcal {{B}}} \) with an execution graph \( G \) if each option list in \( {\mathcal {{B}}} \) has an appropriate write list. For \( \mathsf {lo} \)\( {\mathsf {WRA}} \), we require in addition the existence of a mapping \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) relating every write event to the unique thread that may read from it in an RMW event, and enforce that \( \mathit {tid}_{\mathtt {RMW}} \) matches the execution graph \( G \) (the last requirement in the following definition).
A state \( {\mathcal {{B}}}\in {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}} \) matches an execution graph \( G \), denoted by \( {\mathcal {{B}}}\curlyvee G \), if:
For \( {\mathsf {SRA}} \): for every \( {\tau }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\tau }) \), there exists a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list.
For \( {\mathsf {WRA}} \): there exists a function \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \), such that the following hold:
Equipped with these definitions, we show that every trace of \( \mathsf {op} \)\( {\mathsf {XRA}} \) is a trace of \( \mathsf {lo} \)\( {\mathsf {XRA}} \), and vice versa. In one direction, we will show a forward simulation from \( \mathsf {lo} \)\( {\mathsf {XRA}} \) to \( \mathsf {op} \)\( {\mathsf {XRA}} \) and for the other direction a backward simulation. Notice that \( \varepsilon \)-transitions (using lower) do not affect reachability of program states, and thus the trace equivalence ignores \( \varepsilon \)-transitions.
Two traces are equivalent if their restrictions to non-\( \varepsilon \) transitions are equal.
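As a minimal illustration (Python sketch; labels are arbitrary strings and `EPS` is a hypothetical marker for \( \varepsilon \)-transitions), equivalence amounts to comparing traces after filtering out the \( \varepsilon \)-labels:

```python
EPS = "eps"  # stands for an epsilon-transition (a lower step)

def restrict(trace):
    """Restriction of a trace to its non-epsilon transitions."""
    return [step for step in trace if step != EPS]

def equivalent(t1, t2):
    return restrict(t1) == restrict(t2)

# lower steps do not affect which program states are reached:
assert equivalent(["W(x,1)", EPS, "R(x,1)"], ["W(x,1)", "R(x,1)", EPS])
assert not equivalent(["W(x,1)"], ["R(x,1)"])
```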
The next theorem encompasses the right-to-left direction of both Theorems 5.12 and 6.6.
For every trace of \( \mathsf {lo} \)\( {\mathsf {XRA}} \) there is an equivalent trace of \( \mathsf {op} \)\( {\mathsf {XRA}} \).
We show that \( \curlyvee \) constitutes a forward simulation relation from \( \mathsf {lo} \)\( {\mathsf {XRA}} \) to \( \mathsf {op} \)\( {\mathsf {XRA}} \). First, the initial states clearly match: For \( {\mathsf {SRA}} \): we clearly have \( (\lambda {\tau }\in \mathsf {Tid}.\; \lbrace {\epsilon }\rbrace) \curlyvee {G_\mathtt {0}} \). For \( {\mathsf {WRA}} \): for every \( {\mathcal {{B}}}\in {\mathsf {lo}{{\mathsf {WRA}}}}.{\mathtt {Q}_0} \), we have \( {\mathcal {{B}}}\curlyvee {G_\mathtt {0}} \), since (using any function \( \mathit {tid}_{\mathtt {RMW}}:\mathsf {W}\rightarrow \mathsf {Tid} \)) for every \( {\tau }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\tau }) \), \( L \) itself, having only write options, is a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, regardless of what \( G \) is.
Now, suppose that \( {\mathcal {{B}}}\curlyvee G \) and \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {XRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) for some \( {\tau }\in \mathsf {Tid} \) and \( {l}\in \mathsf {Lab} \). We show that there exists \( G^{\prime } \) such that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \) and \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {XRA}}}}}}{}} G^{\prime } \) (as depicted on the right).

Unfolding Definition 7.4:
For \( {\mathsf {SRA}} \): For every \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \), let \( W_{\langle {{\pi },L}\rangle } \) be a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list.
For \( {\mathsf {WRA}} \): Let \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) be a function satisfying the conditions of Definition 7.4, and for every \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \), let \( W_{\langle {{\pi },L}\rangle } \) be a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list.
Consider the possible cases:
write step, \( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \): We obtain \( G^{\prime } \) by extending \( G \) with the appropriate write event \( w \). Then, using the write lists that exist for \( G \), we construct the required write lists for \( G^{\prime } \). To this end, let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \). Let \( L \) be the option list in \( {\mathcal {{B}}}({\pi }) \) from which \( L^{\prime } \) is constructed by adding new read options; and \( L^\text{justify} \) be the option list in \( {\mathcal {{B}}}({\tau }) \) that justifies the positioning of the new read options in \( L^{\prime } \). A write list \( W^{\prime } \) for \( L^{\prime } \) is constructed as follows (we informally identify read options with their indices in the corresponding list, but the intention should be clear):
Now, it is possible to show that any violation of consistency of \( W^{\prime } \) (Definitions 7.2 and 7.3) entails a violation of consistency of \( W_{\langle {{\pi },L}\rangle } \) or of \( W_{\langle {{\tau },L^\text{justify}}\rangle } \). (For \( {\mathsf {WRA}} \), we use the function \( \mathit {tid}_{\mathtt {RMW}}[w \mapsto {\pi }_{\mathtt {RMW}}] \) where \( {\pi }_{\mathtt {RMW}} \) is the RMW thread identifier of the read options added in the step.) This establishes the required simulation invariant and shows that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \).
read step, \( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \): We obtain the graph \( G^{\prime } \) by extending \( G \) with the appropriate read event \( r \). As \( r \)’s reads-from source in \( G^{\prime } \), we have multiple candidates: each option list \( L \) in \( {\tau } \)’s potential in \( {\mathcal {{B}}} \) has to start with \( {{\mathtt {O}}_{\mathtt {R}}}({{\eta }},{{x}},{v_{\mathtt {R}}},{\_}) \) for some (unique) \( {\eta }\in \mathsf {Tid} \), which is mapped by the write list \( W_{\langle {{\tau },L}\rangle } \) to some write event \( w_L \) of thread \( {\eta } \) writing \( v_{\mathtt {R}} \) to \( {x} \). Among all these writes, we pick the \( {\mathtt {po}} \)-minimal one as the reads-from source of \( r \) in \( G^{\prime } \). Using the consistency of the write lists for \( G \) (in particular, condition 1 for \( {\mathsf {WRA}} \)), we show that \( \mathsf {op} \)\( {\mathsf {XRA}} \) can indeed take the read step from \( G \) to \( G^{\prime } \). In turn, write lists for \( G^{\prime } \) are obtained from those for \( G \) in the straightforward way (since no read options are added in this step). Their consistency is again derived from the consistency of the \( W_{\langle {{\tau },L}\rangle } \) lists for \( G \). Intuitively speaking, picking the \( {\mathtt {po}} \)-minimal write as the reads-from source of \( r \) in \( G^{\prime } \) imposes on \( {\tau } \) the weakest constraints in \( G^{\prime } \), and allows us to prove the consistency of the new write lists.
rmw step, \( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \): This case is handled by carefully combining the write and read steps. We note that for \( {\mathsf {SRA}} \), each option list \( L \) in \( {\tau } \)’s potential has to start with \( {{\mathtt {O}}_{\mathtt {R}}}({\_},{{x}},{v_{\mathtt {R}}},{{\mathtt {RMW}}}) \), and thus, all these options are mapped by the corresponding write lists to the \( {\color{orange} {\mathtt {mo}}} \)-maximal write event to \( {x} \) in \( G \). This ensures that \( \mathsf {op} \)\( {\mathsf {SRA}} \) can take the RMW step.
In turn, for \( {\mathsf {WRA}} \), we have to show that the reads-from source of the new RMW event in \( G^{\prime } \) is not already read by another RMW. Here, we use the fact that each option list \( L \) in \( {\tau } \)’s potential has to start with \( {{\mathtt {O}}_{\mathtt {R}}}({\_},{{x}},{v_{\mathtt {R}}},{{\tau }}) \). Thus, the first write event in each of the corresponding write lists is mapped by \( \mathit {tid}_{\mathtt {RMW}} \) to \( {\tau } \), which means that only thread \( {\tau } \) may read from it in an RMW. Together with condition 1, this implies that none of these write events is read by an RMW event, and so, \( \mathsf {op} \)\( {\mathsf {WRA}} \) can take the RMW step (see also Remark 3).
Finally, for handling the lower step, suppose that \( {\mathcal {{B}}}\curlyvee G \) and \( {\mathcal {{B}}}\mathrel {{\xrightarrow {\varepsilon }}}_{\mathsf {lo}{{\mathsf {XRA}}}} {\mathcal {{B}}}^{\prime } \). To see that \( {\mathcal {{B}}}^{\prime } \curlyvee G \), we adapt the write lists that exist for \( {\mathcal {{B}}} \) to “skip” all indices that were removed by the lower transition. That is, if \( f \) is an increasing function such that \( L^{\prime }(k) = L(f(k)) \) where \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\tau }) \) and \( L\in {\mathcal {{B}}}({\tau }) \), we derive a write list \( W^{\prime } \) for \( L^{\prime } \) from the write list \( W_{\langle {{\tau },L}\rangle } \) by setting: \( W^{\prime } = \lambda k.\; W_{\langle {{\tau },L}\rangle }(f(k)) \). Then, the required properties of \( W^{\prime } \) follow from the corresponding properties of \( W_{\langle {{\tau },L}\rangle } \).□
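The “skipping” construction for the lower step can be made concrete with a short Python sketch (0-based indices instead of the paper’s 1-based ones; option and event names are placeholders): we compute an increasing map \( f \) witnessing that \( L^{\prime } \) is a sublist of \( L \), and then read the new write list off the old one.

```python
def embedding(sub, full):
    """Greedily find an increasing map f (0-based) with sub[k] == full[f[k]],
    or None when `sub` is not a subsequence of `full`."""
    f, i = [], 0
    for o in sub:
        while i < len(full) and full[i] != o:
            i += 1
        if i == len(full):
            return None
        f.append(i)
        i += 1
    return f

def lower_write_list(W, f):
    """W' = lambda k. W(f(k)): keep the entries of the old write list at
    exactly the positions that survived the lower transition."""
    return [W[i] for i in f]

L  = ["oR1", "OW(x)", "oR2", "oR3"]   # option list before lowering
Lp = ["OW(x)", "oR3"]                 # a lowered sublist (some options dropped)
W  = ["w1", "OW(x)", "w2", "w3"]      # write list matching L entrywise
f  = embedding(Lp, L)
assert f == [1, 3]
assert lower_write_list(W, f) == ["OW(x)", "w3"]
```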
For the converses (left-to-right direction of both Theorems 5.12 and 6.6), we favor backward simulation, since \( \mathsf {lo} \)\( {\mathsf {XRA}} \) requires “guessing” the future: without knowing the target state, we cannot construct the next step.
For every trace of \( \mathsf {op} \)\( {\mathsf {XRA}} \) there is an equivalent trace of \( \mathsf {lo} \)\( {\mathsf {XRA}} \).
We show that \( \curlyvee ^{-1} \) constitutes a backward simulation from \( {\mathsf {op}{{\mathsf {XRA}}}} \) to \( {\mathsf {lo}{{\mathsf {XRA}}}} \). The first two requirements of a backward simulation clearly hold for \( \curlyvee \):
We move to the third requirement. Suppose that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {XRA}}}}}}{}} G^{\prime } \) and \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \).
We construct a state \( {\mathcal {{B}}} \) such that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {XRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) and \( {\mathcal {{B}}}\curlyvee G \) (depicted on the right).

Unfolding Definition 7.4:
For \( {\mathsf {SRA}} \): For every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), let \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) be a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list.
For \( {\mathsf {WRA}} \): Let \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) be a function satisfying the conditions of Definition 7.4, and for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), let \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) be a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list.
Consider the possible cases:
write step, \( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \): Let \( w \) be the write event that is added in thread \( {\tau } \) when \( \mathsf {op} \)\( {\mathsf {XRA}} \) moves from \( G \) to \( G^{\prime } \). We obtain \( {\mathcal {{B}}} \) by:
Using the correlation between every option list \( L^{\prime } \) and the write list \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \), we are able to show that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {XRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \). It remains to show that \( {\mathcal {{B}}}\curlyvee G \), namely, that for every thread \( {\pi } \) and option list \( L\in {\mathcal {{B}}}({\pi }) \), there exists an appropriate write-list \( W \). Since every list \( L\in {\mathcal {{B}}}({\pi }) \) is obtained from some list \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), as described above, we can construct \( W \) by removing from \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) the write events that correspond to the read options that were removed from \( L^{\prime } \) in the process of generating \( L \). (For \( {\mathsf {WRA}} \), we also add a write option \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) at the beginning of \( W \), in case \( {\pi }={\tau } \).)
read step, \( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \): Let \( r \) be the read event that is added in thread \( {\tau } \) when \( \mathsf {op} \)\( {\mathsf {XRA}} \) moves from \( G \) to \( G^{\prime } \), and \( w \) be the write event from which \( r \) reads (i.e., \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,r}\rangle }}\rbrace \)). Let \( {o} \) be the read option given by \( {o}\triangleq {{\mathtt {O}}_{\mathtt {R}}}({{\mathtt {tid}}(w)},{{x}},{v_{\mathtt {R}}},{{\mathtt {R}}}) \) for \( {\mathsf {SRA}} \) and \( {o}\triangleq {{\mathtt {O}}_{\mathtt {R}}}({{\mathtt {tid}}(w)},{{x}},{v_{\mathtt {R}}},{\mathit {tid}_{\mathtt {RMW}}(w)}) \) for \( {\mathsf {WRA}} \). We obtain \( {\mathcal {{B}}} \) by adding \( {o} \) at the beginning of every option list \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau }) \) of the reading thread \( {\tau } \). By definition, we have \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {XRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \).
We show that \( {\mathcal {{B}}}\curlyvee G \). For every thread \( {\pi } \) that is not the reading thread \( {\tau } \), we have that the option lists in \( {\mathcal {{B}}}({\pi }) \) are exactly the same as the lists in \( {\mathcal {{B}}}^{\prime }({\pi }) \), and we can thus use for them the same write lists as we have for \( {\mathcal {{B}}}^{\prime }({\pi }) \). Now, every option list \( L\in {\mathcal {{B}}}({\tau }) \) of the reading thread \( {\tau } \) is obtained from some option list \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau }) \). We define an appropriate write list \( W \), by adding \( w \) at the beginning of the write list \( W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \). Following the preconditions of the read step in \( \mathsf {op} \)\( {\mathsf {XRA}} \), we are able to show that these write lists are indeed consistent.
rmw step, \( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \): This case combines the proofs given for the read and write cases. In particular, since we consider backward simulation, we obtain \( {\mathcal {{B}}} \) by first manipulating \( {\mathcal {{B}}}^{\prime } \) into an intermediate state \( {\mathcal {{B}}}^{\prime \prime } \) according to the write case, and then manipulating \( {\mathcal {{B}}}^{\prime \prime } \) into \( {\mathcal {{B}}} \) according to the read step. Observe, however, that the condition for performing the rmw step requires more of \( {\mathcal {{B}}} \) than the condition for performing the read step: the first read option in all option lists of \( {\mathcal {{B}}} \) should have the RMW flag for \( {\mathsf {SRA}} \) and the same RMW-thread identifier for \( {\mathsf {WRA}} \). We generate \( {\mathcal {{B}}} \) to meet these requirements by changing the added read option \( {o} \), as defined above for the read step, to have the RMW flag for \( {\mathsf {SRA}} \) and the thread \( {\tau } \) as the RMW-thread identifier for \( {\mathsf {WRA}} \) (since we add the same read option to all lists of \( {\mathcal {{B}}} \), they share the same RMW-thread identifier).
The write lists that witness \( {\mathcal {{B}}}\curlyvee G \) are also defined by first generating, as in the write case, the write lists that are consistent with respect to \( {\mathcal {{B}}}^{\prime \prime } \) and from them, as in the read case, the write lists that are consistent with respect to \( {\mathcal {{B}}} \). \( \Box \)
8 Decidability of the Reachability Problems under \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \)
In this section, we solve the reachability problems under \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) using the framework of well-structured transition systems. As in Section 7, whenever possible we speak of \( {\mathsf {XRA}} \), standing for both \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \).
Given the equivalence between \( {\mathsf {XRA}} \) and \( \mathsf {op} \)\( {\mathsf {XRA}} \) (Theorems 4.9 and 4.6) and Proposition 4.10, the reachability problem under the declarative \( {\mathsf {XRA}} \) model is reduced to reachability under \( \mathsf {op} \)\( {\mathsf {XRA}} \). In turn, given the equivalence between \( \mathsf {op} \)\( {\mathsf {XRA}} \) and \( \mathsf {lo} \)\( {\mathsf {XRA}} \) (Theorems 5.12 and 6.6), to show the decidability of the reachability problem under \( {\mathsf {XRA}} \), it suffices to establish the decidability of reachability under \( \mathsf {lo} \)\( {\mathsf {XRA}} \). That is, for a concurrent program \( {P} \) and a “bad state” \( \overline{p}\in {P}.{\mathtt {Q}} \), we need to check whether \( \overline{p} \) is reachable (see Definition 4.4) under the memory system \( {\mathsf {lo}{{\mathsf {XRA}}}} \).
To show the decidability of this problem, we use the framework of well-structured transition systems. More precisely, we reduce reachability under \( \mathsf {lo} \)\( {\mathsf {XRA}} \) to coverability in a well-structured transition system that meets the conditions ensuring that coverability is decidable.
We start in Section 8.1 with preliminaries on well-structured transition systems, continue in Section 8.2 with a reformulation of the write step, which is useful in Section 8.3, where we conclude by showing that \( \mathsf {lo} \)\( {\mathsf {XRA}} \) is indeed a well-structured transition system with the required properties.
8.1 Preliminaries on Well-structured Transition Systems
We recall the relevant definitions and propositions about well-structured transition systems. We refer the reader to [8, 25, 51] for a more detailed exposition.
A well-quasi-ordering (wqo) on a set \( S \) is a reflexive and transitive relation \( \precsim \) on \( S \) such that for every infinite sequence \( s_1, s_2,\ldots \) of elements of \( S \), we have \( s_i \precsim s_j \) for some \( i\lt j \). In the context of a set \( S \) and a wqo \( \precsim \) on \( S \), the upward closure of a set \( U\subseteq S \), denoted by \( \mathord {\uparrow }{U} \), is given by \( \lbrace {s\in S \; | \;\exists u\in U.\; u \precsim s}\rbrace \); a set \( U\subseteq S \) is called upward closed if \( U=\mathord {\uparrow }{U} \); and a set \( B\subseteq U \) is called a basis of \( U \) if \( U=\mathord {\uparrow }{B} \). The properties of a wqo ensure that every upward closed set has a finite basis.
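For intuition, the subword (Higman) embedding on finite sequences over a finite alphabet is a wqo, and it is of the kind used for the \( \sqsubseteq \) ordering on option lists. A Python sketch of the embedding test and of membership in an upward closure given a finite basis:

```python
def embeds(u, s):
    """Higman subword embedding: u embeds into s iff u is a (not
    necessarily contiguous) subsequence of s."""
    it = iter(s)
    return all(x in it for x in u)  # `x in it` consumes the iterator up to x

def in_upward_closure(basis, s):
    """s is in the upward closure of `basis` iff some basis element embeds."""
    return any(embeds(u, s) for u in basis)

assert embeds("ace", "abcde")
assert not embeds("aec", "abcde")                # order matters
assert in_upward_closure(["ab", "ca"], "xaxbx")  # "ab" embeds
assert not in_upward_closure(["ab", "ca"], "cb")
```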
A well-structured transition system (WSTS) is an LTS \( {A} \) equipped with a wqo \( \precsim \) on \( {A}.{\mathtt {Q}} \) that is compatible with \( {A} \), that is: If \( q_1 \mathrel {{\xrightarrow {}}}_{A}q_2 \) and \( q_1 \precsim q_3 \), then there exists \( q_4\in {A}.{\mathtt {Q}} \) such that \( q_3 \mathrel {{\xrightarrow {}}}^{\mathchoice{\displaystyle *}{\textstyle *}{\scriptstyle *}{\scriptscriptstyle *}}_{A}q_4 \) and \( q_2 \precsim q_4 \). The coverability problem for \( {\langle {{A},\precsim }\rangle } \) asks whether an input state \( q\in {A}.{\mathtt {Q}} \) is coverable, namely: Is some state \( q^{\prime } \) with \( q\precsim q^{\prime } \) reachable in \( {A} \)?
Coverability is decidable (see, e.g., [8, 25]) for a WSTS \( {\langle {{A},\precsim }\rangle } \) provided that \( \precsim \) is decidable and the following hold:
Roughly speaking, these conditions ensure that (1) backward reachability analysis from \( q \) will converge to a fixed point; (2) each step in its calculation is effective; and (3) we can check whether the fixed point contains an initial state.
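As an illustration of this recipe (on a toy system, not on \( \mathsf {lo} \)\( {\mathsf {XRA}} \) itself), the following Python sketch runs backward coverability on a small vector addition system, where the componentwise order on \( \mathbb {N}^2 \) is a wqo (Dickson's lemma) and a predecessor basis is computable:

```python
# Toy WSTS: states are vectors in N^2; a transition adds a fixed delta.
# The two rules below are hypothetical, chosen for illustration only.
DELTAS = [(-1, 1), (0, 1)]

def leq(u, v):
    """Componentwise order: a wqo on N^2."""
    return all(a <= b for a, b in zip(u, v))

def pred_basis(v):
    """A finite basis of the one-step predecessors of the upward closure
    of {v}: for each delta, the least u >= 0 with u + delta >= v."""
    out = []
    for d in DELTAS:
        u = tuple(max(vi - di, 0) for vi, di in zip(v, d))
        if all(ui + di >= 0 for ui, di in zip(u, d)):  # step enabled at u
            out.append(u)
    return out

def coverable(init, target):
    """Backward reachability analysis: saturate a basis of the set of
    states that can cover `target`, then test the initial state."""
    basis = {target}
    while True:
        cand = basis | {p for b in basis for p in pred_basis(b)}
        new = {u for u in cand
               if not any(leq(w, u) and w != u for w in cand)}  # minimize
        if new == basis:                     # fixed point reached
            return any(leq(b, init) for b in basis)
        basis = new

assert coverable((1, 0), (0, 2))      # raise the second counter twice
assert not coverable((1, 0), (2, 0))  # the first counter never increases
```

The loop terminates because, over a wqo, the increasing chain of upward-closed sets computed backward must stabilize; this is exactly condition (1) above.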
8.2 Backwards Formulation of the write Step
The following alternative formulation of the write step is convenient to use in our proofs. This formulation “works backwards”—choosing read options to omit from the target state for reaching the source state. Each such possibility is an “index choice”:
An index choice for a state \( {\mathcal {{B}}}^{\prime }\in {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}} \) is a function \( {\mathcal {{P}}} \) assigning a set \( {\mathcal {{P}}}({\pi },L^{\prime }) \subseteq \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \) to every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). An index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \) supports a \( {\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle } \)-step, denoted by \( {{\mathcal {{P}}}}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), if the following hold for some (unique) \( {\pi }_{\mathtt {RMW}}\in \mathsf {Tid} \) (in the case of \( {\mathsf {WRA}} \)) and every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \):
For every \( k\in {\mathcal {{P}}}({\pi },L^{\prime }) \):
For \( {\mathsf {SRA}} \): \( L^{\prime }(k)\in \lbrace {{{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\mathtt {R}}}),{{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\mathtt {RMW}}})}\rbrace \).
For \( {\mathsf {WRA}} \): \( L^{\prime }(k)={{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\pi }_{\mathtt {RMW}}}) \).
For every \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus {\mathcal {{P}}}({\pi },L^{\prime }) \):
For \( {\mathsf {SRA}} \): \( {\mathtt {loc}}(L^{\prime }(k))\ne {x} \) whenever at least one of the following holds:
–
\( k\gt p \) for some \( p\in {\mathcal {{P}}}({\pi },L^{\prime }) \).
–
\( {\pi }={\tau } \).
–
\( L^{\prime }(k) \) is a read option of the form \( {{\mathtt {O}}_{\mathtt {R}}}({\cdot },{\cdot },{\cdot },{{\mathtt {RMW}}}) \).
For \( {\mathsf {WRA}} \): \( L^{\prime }(k) \ne {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) whenever at least one of the following holds:
–
\( p_1\lt k\lt p_2 \) for some \( p_1,p_2\in {\mathcal {{P}}}({\pi },L^{\prime }) \).
–
\( {\pi }={\tau } \) and \( k\lt p \) for some \( p\in {\mathcal {{P}}}({\pi },L^{\prime }) \).
The first condition requires that each read option included in the index choice corresponds to a write by thread \( {\tau } \) to location \( {x} \) of value \( v_{\mathtt {W}} \), and for \( {\mathsf {WRA}} \) all the read options should also share the same RMW thread identifier. The second condition requires that, besides the positions in the index choice (i.e., for options that existed before the write step): For \( {\mathsf {SRA}} \)—the location \( {x} \) does not appear in any list after the first position in \( {\mathcal {{P}}}({\pi },L^{\prime }) \); the location \( {x} \) does not appear at all in lists of thread \( {\tau } \); and options to read from \( {x} \) are not \( {\mathtt {RMW}} \) options. For \( {\mathsf {WRA}} \)—there are no write options to \( {x} \) between two positions in the index choice, and for lists of thread \( {\tau } \) there are also no write options to \( {x} \) before the first position in the index choice.
To formulate the justification requirement, we use the following notations:
For a list \( L \) and a set \( P\subseteq \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \) of positions in \( L \), we define:
\( {L} \setminus {P} \) is the list derived from \( L \) by removing from it the positions in \( P \). The mapping of the positions of \( L \) that are not in \( P \) to their matching positions in \( {L} \setminus {P} \) is denoted by \( {{\mathsf {Map}}}_{{\langle {{L},{P}}\rangle }} \) (formally, \( {{\mathsf {Map}}}_{{\langle {{L},{P}}\rangle }}\triangleq \lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \setminus P.\; k - |{\lbrace {j\in P \; | \;j \lt k}\rbrace }| \)).
\( {L} {~\setminus \!\setminus ~} {P} \) further removes from \( L \) the positions before the first position in \( P \), namely, returns the list \( {L} \setminus {(P \cup \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}\min (P)-1}\rbrace)} \) (undefined if \( P=\emptyset \)). The mapping of the positions of \( L \) that are not in \( P \) and not before the first position in \( P \) to their matching positions in \( {L} {~\setminus \!\setminus ~} {P} \) is denoted by \( {{\mathsf {MMap}}}_{{\langle {{L},{P}}\rangle }} \) (formally, \( {{\mathsf {MMap}}}_{{\langle {{L},{P}}\rangle }} \triangleq \lambda k\in \lbrace {\min (P){,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \setminus P.\; {{\mathsf {Map}}}_{{\langle {{L},{P}}\rangle }}(k) - \min (P) +1 \)).
For example, for an option list \( L^{\prime } \) of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) (used in Figure 5) with \( |{L^{\prime }}|=6 \) and the set of positions \( P=\lbrace {2,5}\rbrace \), whose entries at positions \( 1,3,4,6 \) are \( {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{0},{{\mathtt {R}}}) \), \( {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{3},{{\mathtt {R}}}) \), \( {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { y}},{0},{{\mathtt {R}}}) \), and \( {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{1},{{\mathtt {RMW}}}) \), respectively, we have:
\( {L^{\prime }} \setminus {P}={{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { x}},{0},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{3},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { y}},{0},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{1},{{\mathtt {RMW}}}), \)
\( {{\mathsf {Map}}}_{{\langle {{L^{\prime }},{P}}\rangle }}=[1 \mapsto 1; 3 \mapsto 2; 4 \mapsto 3 ; 6 \mapsto 4], \)
\( {L^{\prime }} {~\setminus \!\setminus ~} {P}={{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{3},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_1},{\mathtt { y}},{0},{{\mathtt {R}}})\; {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_2},{\mathtt { y}},{1},{{\mathtt {RMW}}}), \)
\( {{\mathsf {MMap}}}_{{\langle {{L^{\prime }},{P}}\rangle }}=[3 \mapsto 1; 4 \mapsto 2 ; 6 \mapsto 3]. \)
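These list operations are straightforward to operationalize. The following Python sketch (helper names are my own; positions are 1-based, as in the text) mirrors the definitions of \( {L} \setminus {P} \), \( {L} {~\setminus \!\setminus ~} {P} \), \( {{\mathsf {Map}}} \), and \( {{\mathsf {MMap}}} \):

```python
def remove_positions(L, P):
    """L \\ P: drop the (1-based) positions in P from list L."""
    return [o for k, o in enumerate(L, start=1) if k not in P]

def pos_map(L, P):
    """Map_<L,P>: position k of L (k not in P) -> its position in L \\ P,
    i.e., k minus the number of removed positions before k."""
    return {k: k - sum(1 for j in P if j < k)
            for k in range(1, len(L) + 1) if k not in P}

def remove_prefix_and_positions(L, P):
    """L \\\\ P: additionally drop everything before min(P); P must be nonempty."""
    m = min(P)
    return remove_positions(L, set(P) | set(range(1, m)))

def pos_mmap(L, P):
    """MMap_<L,P>: defined on positions >= min(P) that are not in P."""
    m = min(P)
    base = pos_map(L, P)
    return {k: base[k] - m + 1 for k in base if k >= m}
```

Running these on a six-element list with \( P=\lbrace {2,5}\rbrace \) reproduces the mappings \( [1 \mapsto 1; 3 \mapsto 2; 4 \mapsto 3; 6 \mapsto 4] \) and \( [3 \mapsto 1; 4 \mapsto 2; 6 \mapsto 3] \) shown above.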
The source of \( {\mathcal {{B}}}^{\prime } \) w.r.t. a thread \( {\tau } \) and an index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \), denoted by \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}}) \), is given by the state assigning to every \( {\pi }\in \mathsf {Tid} \) the potential
\( \lbrace {{L^{\prime }} \setminus {{\mathcal {{P}}}({\pi },L^{\prime })} \; | \;L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi })}\rbrace \cup \lbrace {{L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}({\eta },L^{\prime })} \; | \;{\eta }\in \mathsf {Tid}, L^{\prime }\in {\mathcal {{B}}}^{\prime }({\eta }), {\mathcal {{P}}}({\eta },L^{\prime })\ne \emptyset }\rbrace . \)
The following proposition follows directly from our definitions:
\( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}_{{\mathsf {lo}{{\mathsf {XRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) iff the following hold for some index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \):
\( {{\mathcal {{P}}}}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \).
\( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\pi }) \subseteq {\mathcal {{B}}}({\pi }) \) for every \( {\pi }\in \mathsf {Tid}\setminus \lbrace {{\tau }}\rbrace \).
For \( {\mathsf {SRA}} \): \( \phantom{{{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot {} }\mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau }) \subseteq {\mathcal {{B}}}({\tau }) \).
For \( {\mathsf {WRA}} \): \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau }) \subseteq {\mathcal {{B}}}({\tau }) \).
8.3 \( \mathsf {lo} \)\( {\mathsf {XRA}} \) as a WSTS
We continue by showing that concurrent systems with \( \mathsf {lo} \)\( {\mathsf {XRA}} \) serving as the memory system are well-structured transition systems that satisfy the above requirements.
The \( \sqsubseteq \) ordering on the states of \( \mathsf {lo} \)\( {\mathsf {XRA}} \) (see Definition 5.8) is clearly decidable and also forms a wqo. Indeed, by Higman’s lemma [26], \( \sqsubseteq \) is a wqo on the set of all option lists. In turn, its lifting to potentials (which are finite by definition) is a wqo on the set of all potentials (see [51]). Finally, by Dickson’s lemma [22], the pointwise lifting of \( \sqsubseteq \) to functions assigning a potential to every \( {\tau }\in \mathsf {Tid} \) (i.e., states of \( \mathsf {lo} \)\( {\mathsf {XRA}} \)) is also a wqo.
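The three layers of this ordering are easy to operationalize. The following Python sketch (my own encoding, assuming potentials are finite collections of option lists, states map thread identifiers to potentials, and the lifting to potentials is the Hoare-style one suggested by the proof of Lemma 8.6; the authoritative definition is Definition 5.8) illustrates Higman's subsequence embedding and its liftings:

```python
def embeds(xs, ys):
    """Higman embedding: xs is a (not necessarily contiguous) subsequence of ys."""
    it = iter(ys)                     # shared iterator enforces left-to-right matching
    return all(any(x == y for y in it) for x in xs)

def potential_leq(P1, P2):
    """Lifting to potentials: every list in P1 embeds into some list of P2."""
    return all(any(embeds(L1, L2) for L2 in P2) for L1 in P1)

def state_leq(B1, B2):
    """Pointwise lifting over thread identifiers (states map tids to potentials)."""
    return B1.keys() == B2.keys() and all(potential_leq(B1[t], B2[t]) for t in B1)
```

Higman's lemma guarantees `embeds` is a wqo on lists, and the two liftings preserve this, which is exactly what makes the backward analysis terminate.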
Now, let \( {P} \) be a program. The \( \sqsubseteq \) ordering is naturally lifted to states of the concurrent system \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) (that is, pairs \( {\langle {\overline{p},{\mathcal {{B}}}}\rangle }\in {P}.{\mathtt {Q}}\times {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}} \); see Definition 4.3) by defining \( {\langle {\overline{p},{\mathcal {{B}}}}\rangle } \sqsubseteq {\langle {\overline{p}^{\prime },{\mathcal {{B}}}^{\prime }}\rangle } \) iff \( \overline{p}=\overline{p}^{\prime } \) and \( {\mathcal {{B}}}\sqsubseteq {\mathcal {{B}}}^{\prime } \). We show next that \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) equipped with \( \sqsubseteq \) is indeed a WSTS that admits the required conditions for having a decidable coverability problem.
\( {\langle {{{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}},\sqsubseteq }\rangle } \) is a WSTS that admits effective initialization and effective pred-basis.
\( \sqsubseteq \) is compatible with \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \): First, since \( {P}.{\mathtt {Q}} \) is (by definition) finite and \( \sqsubseteq \) is a wqo on \( {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}} \), we have that \( \sqsubseteq \) is a wqo on \( ({{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}).{\mathtt {Q}} \). Second, since the lower step is explicitly included in \( \mathsf {lo} \)\( {\mathsf {XRA}} \), \( \sqsubseteq \) is trivially compatible with \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \). Indeed, given \( q_1={\langle {\overline{p}_1,{\mathcal {{B}}}_1}\rangle } \), \( q_2={\langle {\overline{p}_2,{\mathcal {{B}}}_2}\rangle } \) and \( q_3={\langle {\overline{p}_3,{\mathcal {{B}}}_3}\rangle } \) such that \( q_1 \mathrel {{\xrightarrow {}}}_{{{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}} q_2 \) and \( q_1 \sqsubseteq q_3 \) (so \( \overline{p}_1=\overline{p}_3 \)), for \( q_4=q_2 \), we have \( q_3 \mathrel {{\xrightarrow {}}}^{\mathchoice{\displaystyle *}{\textstyle *}{\scriptstyle *}{\scriptscriptstyle *}}_{{{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}} q_4 \) (since \( {\mathcal {{B}}}_3 \mathrel {{\xrightarrow {\varepsilon }}}_{\mathsf {lo}{{\mathsf {XRA}}}} {\mathcal {{B}}}_1 \) using the lower step) and \( q_2 \sqsubseteq q_4 \).
Effective initialization: \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) trivially admits effective initialization. Indeed, the states \( {\langle {\overline{p},{\mathcal {{B}}}}\rangle } \) for which \( \mathord {\uparrow }{\lbrace {{\langle {\overline{p},{\mathcal {{B}}}}\rangle }}\rbrace } \cap ({{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}).{\mathtt {Q}_0}\ne \emptyset \) are exactly the initial states themselves—\( {P}.{\mathtt {Q}_0}\times {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}_0} \).
Effective pred-basis: To prove that \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) has effective pred-basis, it suffices to show how to calculate a finite basis \( Q^\alpha \) of \( \mathord {\uparrow }{\mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {XRA}}}}}({\mathord {\uparrow }{\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }})} \) for each \( \alpha \) of the form \( {\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle } \), \( {\langle {{{\tau }},{{{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}})}}\rangle } \), \( {\langle {{{\tau }},{{{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}})}}\rangle } \) or \( \varepsilon \). Then, a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{\alpha }_{{{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}}({\mathord {\uparrow }{\lbrace {{\langle {\overline{p}^{\prime },{\mathcal {{B}}}^{\prime }}\rangle }}\rbrace }})} \) is given by \( \mathsf {pred}^{\alpha }_{{P}}({\lbrace {\overline{p}^{\prime }}\rbrace }) \times Q^\alpha \) for \( \alpha \ne \varepsilon \); and by \( \lbrace {\overline{p}^{\prime }}\rbrace \times Q^\alpha \) for \( \alpha =\varepsilon \) (silent memory step). In addition, for a silent program step, a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{{\langle {{{\tau }},{\varepsilon }}\rangle }}_{{{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}}}({\mathord {\uparrow }{\lbrace {{\langle {\overline{p}^{\prime },{\mathcal {{B}}}^{\prime }}\rangle }}\rbrace }})} \) is given by \( \mathsf {pred}^{{\langle {{{\tau }},{\varepsilon }}\rangle }}_{{P}}({\lbrace {\overline{p}^{\prime }}\rbrace }) \times \lbrace {{\mathcal {{B}}}^{\prime }}\rbrace \).
Silent memory step. The set of predecessors of \( {\mathcal {{B}}}^{\prime } \) with respect to a silent memory step (i.e., using lower) is very simple—it contains any state \( {\mathcal {{B}}} \) such that \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}} \). Thus, \( \lbrace {{\mathcal {{B}}}^{\prime }}\rbrace \) is a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{\varepsilon }_{{\mathsf {lo}{{\mathsf {XRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace })} \).
Read. We split the handling of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {lo} \)\( {\mathsf {WRA}} \).
For \( \mathsf {lo} \)\( {\mathsf {SRA}} \): A predecessor \( {\mathcal {{B}}} \) of \( {\mathcal {{B}}}^{\prime } \) with respect to a read step is similar to \( {\mathcal {{B}}}^{\prime } \), except for having in each option list of \( {\tau } \) an additional first read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \) and \( {\mathtt {val}}({o})=v_{\mathtt {R}} \). Hence, for \( \alpha ={\langle {{{\tau }},{{{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}})}}\rangle } \), the set \( \lbrace {{\mathcal {{B}}}^{\prime }[{\tau }\mapsto {{\mathtt {O}}_{\mathtt {R}}}({{\tau }_{\mathtt {W}}},{{x}},{v_{\mathtt {R}}},{u}) \cdot {\mathcal {{B}}}^{\prime }({\tau })] \; | \;{\tau }_{\mathtt {W}}\in \mathsf {Tid}, u\in \lbrace {{\mathtt {R}},{\mathtt {RMW}}}\rbrace }\rbrace \) is a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {SRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace })} \). It is also a basis of \( \mathord {\uparrow }{\mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {SRA}}}}}({\mathord {\uparrow }{\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }})} \): For a state \( {\mathcal {{B}}}^{\prime \prime } \) with \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}}^{\prime \prime } \), a corresponding read option \( {{\mathtt {O}}_{\mathtt {R}}}({{\tau }_{\mathtt {W}}},{{x}},{v_{\mathtt {R}}},{u}) \) appears in the lists of \( {\tau } \) in \( \mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {SRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime \prime }}\rbrace }) \) before some additional read options, ensuring that \( \mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {SRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }) \sqsubseteq \mathsf {pred}^{\alpha }_{{\mathsf {lo}{{\mathsf {SRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime \prime }}\rbrace }) \).
For \( \mathsf {lo} \)\( {\mathsf {WRA}} \): The calculation is almost the same as for \( \mathsf {lo} \)\( {\mathsf {SRA}} \), with the only difference that for \( \alpha ={\langle {{{\tau }},{{{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}})}}\rangle } \), the set \( \lbrace {{\mathcal {{B}}}^{\prime }[{\tau }\mapsto {{\mathtt {O}}_{\mathtt {R}}}({{\tau }_{\mathtt {W}}},{{x}},{v_{\mathtt {R}}},{{\pi }_{\mathtt {RMW}}}) \cdot {\mathcal {{B}}}^{\prime }({\tau })] \; | \;{\tau }_{\mathtt {W}},{\pi }_{\mathtt {RMW}}\in \mathsf {Tid}}\rbrace \) is a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{{\langle {{{\tau }},{{{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}})}}\rangle }}_{{\mathsf {lo}{{\mathsf {WRA}}}}}({\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace })} \).
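The read-step basis for both variants amounts to prepending each candidate read option to every option list of \( {\tau } \). A minimal Python sketch (my own encoding, with read options modelled as tuples \( ({\tau }_{\mathtt {W}}, {x}, v, u) \), where the last component is the \( {\mathtt {R}}/{\mathtt {RMW}} \) marker for \( {\mathsf {SRA}} \) and the RMW thread identifier for \( {\mathsf {WRA}} \)):

```python
from itertools import product

def read_pred_basis(B, tau, x, v_r, tids, flavor="SRA"):
    """Finite basis of predecessors w.r.t. a <tau, R(x, v_r)> step:
    one candidate state per choice of writer thread and marker, obtained by
    prepending the same read option to every option list of tau."""
    tags = ["R", "RMW"] if flavor == "SRA" else list(tids)  # WRA: tag is the RMW tid
    basis = []
    for tw, tag in product(tids, tags):
        opt = (tw, x, v_r, tag)
        B_pred = dict(B)                                    # other threads unchanged
        B_pred[tau] = [[opt] + list(L) for L in B[tau]]
        basis.append(B_pred)
    return basis
```

Since \( \mathsf {Tid} \) and the markers are finite, the basis is finite, matching the sets displayed above.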
Write. We construct the basis of the predecessors w.r.t. a write step by considering all (finitely many) possibilities of omitting read options from lists of \( {\mathcal {{B}}}^{\prime } \), using Proposition 8.4 and the following technical lemma, which shows that if \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}}^{\prime \prime } \) then for every source state \( \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }}) \) of \( {\mathcal {{B}}}^{\prime \prime } \) there exists a source state \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \) of \( {\mathcal {{B}}}^{\prime } \), such that \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \sqsubseteq \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }}) \).
Let \( {\mathcal {{P}}}^{\prime \prime } \) be an index choice for \( {\mathcal {{B}}}^{\prime \prime }\in {\mathsf {lo}{{\mathsf {XRA}}}}.{\mathtt {Q}} \) such that \( {{\mathcal {{P}}}^{\prime \prime }}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \). If \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}}^{\prime \prime } \), then \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \sqsubseteq \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }}) \) for some index choice \( {\mathcal {{P}}}^{\prime } \) for \( {\mathcal {{B}}}^{\prime } \) such that \( {{\mathcal {{P}}}^{\prime }}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \).
Since \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}}^{\prime \prime } \), for every \( {\pi }\in \mathsf {Tid} \), there exists a function \( F_{\pi }:{\mathcal {{B}}}^{\prime }({\pi }) \rightarrow {\mathcal {{B}}}^{\prime \prime }({\pi }) \) such that for every \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), we have \( L^{\prime }\sqsubseteq F_{\pi }(L^{\prime }) \), witnessed by a strictly increasing function \( f_{{\langle {{\pi },L^{\prime }}\rangle }}:\lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \rightarrow \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{F_{\pi }(L^{\prime })}|}\rbrace \), such that \( L^{\prime }(k)= (F_{\pi }(L^{\prime }))(f_{{\langle {{\pi },L^{\prime }}\rangle }}(k)) \) for every \( k\in \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \).
We define \( {\mathcal {{P}}}^{\prime } \) to be the positions in \( {\mathcal {{P}}}^{\prime \prime } \) that originated in \( {\mathcal {{B}}}^{\prime } \), according to the \( f_{{\langle {{\pi },L^{\prime }}\rangle }} \) functions. That is, for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \),
\( {\mathcal {{P}}}^{\prime }({\pi },L^{\prime }) \triangleq \lbrace {k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \; | \;f_{{\langle {{\pi },L^{\prime }}\rangle }}(k) \in {\mathcal {{P}}}^{\prime \prime }({\pi },F_{\pi }(L^{\prime }))}\rbrace . \)
Recall that, writing \( {\mathcal {{B}}}^{\prime }_0 \) for \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \), for every thread \( {\pi }\!\in \!\mathsf {Tid} \), we have that every list \( L^{\prime }_0\!\in \! {\mathcal {{B}}}^{\prime }_0({\pi }) \) is equal to \( {L^{\prime }} \setminus {{\mathcal {{P}}}^{\prime }({\pi },L^{\prime })} \) (or, respectively, to \( {L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}^{\prime }({\eta },L^{\prime })} \)) for some list \( L^{\prime } \) of \( {\mathcal {{B}}}^{\prime }({\pi }) \) (respectively, for some list \( L^{\prime } \) of \( {\mathcal {{B}}}^{\prime }({\eta }) \) for some \( {\eta }\in \mathsf {Tid} \) with \( {\mathcal {{P}}}^{\prime }({\eta },L^{\prime })\ne \emptyset \)). Hence, we can define a function \( H_{\pi }: {\mathcal {{B}}}^{\prime }_0({\pi }) \rightarrow \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }})({\pi }) \), by setting \( H_{\pi }(L^{\prime }_0)= {F_{\pi }(L^{\prime })} \setminus {{\mathcal {{P}}}^{\prime \prime }({\pi },F_{\pi }(L^{\prime }))} \). Observe that for every \( L^{\prime }_0\in {\mathcal {{B}}}^{\prime }_0({\pi }) \), we have \( L^{\prime }_0\sqsubseteq H_{\pi }(L^{\prime }_0) \), witnessed by the function \( h_{{\langle {{\pi },L^{\prime }_0}\rangle }}:\lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }_0}|}\rbrace \rightarrow \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{H_{\pi }(L^{\prime }_0)}|}\rbrace \) that adapts \( f_{\langle {{\pi },{L^{\prime }}}\rangle } \) to the positions of \( L^{\prime }_0 \) that originated from \( L^{\prime } \).
Namely, for every \( k\in \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }_0}|}\rbrace \), the value of \( h_{{\langle {{\pi },L^{\prime }_0}\rangle }}(k) \) is the position in \( H_{\pi }(L^{\prime }_0) \) that corresponds (according to \( {\mathcal {{P}}}^{\prime \prime } \)) to the position in \( F_{\pi }(L^{\prime }) \) that is the value of \( f_{\langle {{\pi },{L^{\prime }}}\rangle } \) on the position in \( L^{\prime } \) that corresponds (according to \( {\mathcal {{P}}}^{\prime } \)) to \( k \). Formally, for lists \( L^{\prime }_0={L^{\prime }} \setminus {{\mathcal {{P}}}^{\prime }({\pi },L^{\prime })} \),
\( h_{{\langle {{\pi },L^{\prime }_0}\rangle }}(k) \triangleq {{\mathsf {Map}}}_{{\langle {{F_{\pi }(L^{\prime })},{{\mathcal {{P}}}^{\prime \prime }({\pi },F_{\pi }(L^{\prime }))}}\rangle }}(f_{{\langle {{\pi },L^{\prime }}\rangle }}({{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{{\mathcal {{P}}}^{\prime }({\pi },L^{\prime })}}\rangle }}(k))) , \)
and analogously (with \( {{\mathsf {MMap}}} \) in place of \( {{\mathsf {Map}}} \), and \( f_{{\langle {{\eta },L^{\prime }}\rangle }} \) and \( F_{\eta } \) for the originating thread \( {\eta } \)) for lists obtained using \( {~\setminus \!\setminus ~} \).
By Proposition 8.4 and Lemma 8.6, we get a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }}_{{\mathsf {lo}{{\mathsf {XRA}}}}}({\mathord {\uparrow }{\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }})} \), given by:
For \( {\mathsf {SRA}} \): \( \lbrace { \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}}) \; | \;\ {\mathcal {{P}}}\in S_{\mathsf {SRA}} ({\mathcal {{B}}}^{\prime },{\tau },{x},v_{\mathtt {W}})}\rbrace , \)
For \( {\mathsf {WRA}} \): \( \lbrace { \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})[{\tau }\mapsto {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau })] \; | \;\ {\mathcal {{P}}}\in S_{\mathsf {WRA}} ({\mathcal {{B}}}^{\prime },{\tau },{x},v_{\mathtt {W}})}\rbrace , \)
where: \( S_{\mathsf {XRA}} ({\mathcal {{B}}}^{\prime },{\tau },{x},v_{\mathtt {W}}) = \lbrace {\mathcal {{P}}}\; | \;{\mathcal {{P}}}\text{ is an index choice for } {\mathcal {{B}}}^{\prime } \text{ such that } {{\mathcal {{P}}}}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }}\rbrace \). Indeed, Proposition 8.4 provides the direct correspondence between the source states and predecessor states of \( {\mathcal {{B}}}^{\prime } \); the left upward closure of \( \mathord {\uparrow }{\mathsf {pred}^{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }}_{{\mathsf {lo}{{\mathsf {XRA}}}}}({\mathord {\uparrow }{\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }})} \) preserves the equivalence, since a finite basis refers by definition to an upward closed set; and Lemma 8.6 shows that the equivalence holds also with the right upward closure: If \( {\mathcal {{B}}}^{\prime } \sqsubseteq {\mathcal {{B}}}^{\prime \prime } \), then for every source state \( \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }}) \) of \( {\mathcal {{B}}}^{\prime \prime } \) there exists a source state \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \) of \( {\mathcal {{B}}}^{\prime } \), such that \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}^{\prime }}) \sqsubseteq \mathsf {src}({{\mathcal {{B}}}^{\prime \prime }},{{\tau }},{{\mathcal {{P}}}^{\prime \prime }}) \).
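The enumeration underlying this basis can be sketched as follows, with the supports predicate \( {{\mathcal {{P}}}}\models _{{\mathsf {XRA}}}{\cdot } \) and the \( \mathsf {src} \) construction abstracted as function parameters (a simplification; the encoding and names are my own):

```python
from itertools import chain, combinations, product

def subsets(n):
    """All subsets of the 1-based position set {1, ..., n}."""
    idx = range(1, n + 1)
    return chain.from_iterable(combinations(idx, r) for r in range(n + 1))

def index_choices(B):
    """Enumerate all index choices for state B: one subset of positions per
    (thread, list) pair.  Finitely many, since B is finite."""
    keys = [(t, i) for t in B for i in range(len(B[t]))]
    per_key = [list(subsets(len(B[t][i]))) for (t, i) in keys]
    for pick in product(*per_key):
        yield {key: set(p) for key, p in zip(keys, pick)}

def write_pred_basis(B, tau, x, v_w, supports, src):
    """Basis of predecessors w.r.t. a <tau, W(x, v_w)> step: one source state
    per supporting index choice."""
    return [src(B, tau, P) for P in index_choices(B)
            if supports(P, tau, x, v_w)]
```

Since each potential contains finitely many finite lists, `index_choices` yields finitely many candidates, so the basis is computable.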
RMW. The predecessor with respect to an RMW step intuitively combines the predecessors with respect to the read and write steps. By Proposition 8.4 and Lemma 8.6, we get that the following is a finite basis of \( \mathord {\uparrow }{\mathsf {pred}^{{\langle {{{\tau }},{{{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}})}}\rangle }}_{{\mathsf {lo}{{\mathsf {XRA}}}}}({\mathord {\uparrow }{\lbrace {{\mathcal {{B}}}^{\prime }}\rbrace }})} \):
For \( {\mathsf {SRA}} \): \( \lbrace \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})[{\tau }\mapsto {{\mathtt {O}}_{\mathtt {R}}}({{\tau }_{\mathtt {W}}},{{x}},{v_{\mathtt {R}}},{{\mathtt {RMW}}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau })] \; | \;{\mathcal {{P}}}\in S_{\mathsf {SRA}} ({\mathcal {{B}}}^{\prime },{\tau }, {x},v_{\mathtt {W}})\rbrace , \)
For \( {\mathsf {WRA}} \): \( \lbrace \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})[{\tau }\mapsto {{\mathtt {O}}_{\mathtt {R}}}({{\tau }_{\mathtt {W}}},{{x}},{v_{\mathtt {R}}},{{\tau }}) \cdot {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau })] \; | \;{\mathcal {{P}}}\in S_{\mathsf {WRA}} ({\mathcal {{B}}}^{\prime },{\tau }, {x},v_{\mathtt {W}})\rbrace , \)
where: \( S_{\mathsf {XRA}} ({\mathcal {{B}}}^{\prime },{\tau },{x},v_{\mathtt {W}}) = \lbrace {\mathcal {{P}}}\; | \;{\mathcal {{P}}}\text{ is an index choice for } {\mathcal {{B}}}^{\prime } \text{ such that } {{\mathcal {{P}}}}\models _{{\mathsf {XRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }}\rbrace \). \( \Box \)
It is now easy to establish the decidability of reachability under \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and under \( \mathsf {lo} \)\( {\mathsf {WRA}} \).
(\( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {lo} \)\( {\mathsf {WRA}} \) Reachability)
Given a program \( {P} \) and a state \( \overline{p}\in {P}.{\mathtt {Q}} \), it is decidable to check whether \( \overline{p} \) is reachable (see Definition 4.4) under the memory systems \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {lo} \)\( {\mathsf {WRA}} \).
Since \( \sqsubseteq \)-ordered states of \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) agree on their first component (the program state), reachability under \( \mathsf {lo} \)\( {\mathsf {XRA}} \) reduces to coverability in \( {{P}} \parallel {{\mathsf {lo}{{\mathsf {XRA}}}}} \) w.r.t. \( \sqsubseteq \) (a.k.a. control-state reachability), which is decidable by Lemma 8.5 and the results of [8].□
The \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) reachability problems are decidable.
Directly follows from Theorems 4.9 and 5.12 (for \( {\mathsf {SRA}} \)) or Theorems 4.6 and 6.6 (for \( {\mathsf {WRA}} \)), as well as Proposition 4.10 and Theorem 8.7.□
(\( {\mathsf {RA}} \) Race-free Reachability)
Given a program \( {P} \) such that every \( {\mathsf {SRA}} \)-consistent execution graph that is generated by \( {P} \) is write/write-race free (see Definition 3.11), and a state \( \overline{p}\in {P}.{\mathtt {Q}} \), it is decidable to check whether \( \overline{p} \) is reachable under \( {\mathsf {RA}} \).
9 RELATED WORK
Decidability results. The reachability problem was previously investigated for the total store ordering (TSO) model of x86 multiprocessors. TSO is a multi-copy-atomic model stronger than any of the models studied here (in particular, it disallows the weak behavior of the IRIW program in Example 3.5). Atig et al. [12, 13] established the decidability of the problem (and a non-primitive recursive lower bound) by reducing it to (and from) reachability in lossy channel systems. Since causal consistency models are not multi-copy atomic and they lack any notion of a global mapping from locations to values, the idea behind their reduction to reachability in lossy channel systems cannot be applied to the models studied here. Notably, unlike TSO and other (less realistic) models studied in [13], the models studied in the current article cannot be fully explained by program transformations (instruction reordering and merging) [39]. However, the reduction of [12] from reachability in lossy channel systems to reachability under TSO, which establishes the non-primitive recursive lower bound, applies as is to the causal models.
More recently, Abdulla et al. [4] greatly simplified the previous proofs for TSO (and demonstrated much better practical running times on certain benchmarks) by developing and utilizing a “load-buffer” semantics for TSO. Load-buffers are roughly similar to our potential lists, but while load buffers are FIFO queues, our lists necessarily allow the insertion of future reads at different positions, subject to certain (novel) conditions ensuring that causal consistency is not violated. In addition, while the “load-buffer” semantics for TSO includes a global machine memory, our causal consistency semantics are, roughly speaking, based on point-to-point communication, allowing our “shared-memory causality principle” to govern the interactions between threads. Finally, our semantics employs more than one option list per thread, while the “load-buffer” semantics for TSO has exactly one buffer of reads per thread.
Undecidability results. Abdulla et al. [2] proved the undecidability of safety verification under \( {\mathsf {RA}} \) using a reduction from the Post correspondence problem. More recently, in [5] the reachability problem was shown to be undecidable for the relaxed fragment of PS 2.0 (a version of the promising semantics) [41], and in [3] undecidability was established for the full POWER model as well.
Causal consistency and its related verification problems. Different causally consistent shared-memory models, their verification problems and approaches to address these problems were recently outlined in [34], where the problems we resolve here were left open. Operational “message-passing” semantics for \( {\mathsf {SRA}} \) was developed in [36], but it is inadequate for our purposes, since making it “lossy” would affect its allowed outcomes. Verification of programs under causal consistency (especially under \( {\mathsf {RA}} \)) has received a considerable amount of attention in recent years. The different approaches include (non-automated) program logics [23, 29, 38, 55, 56], (bounded) model checking [2, 6, 31, 42] and robustness verification [18, 37, 47]. The latter reduces the verification problem to the verification under sequential consistency and the verification of the program’s robustness against causal consistency. Thus, this approach cannot work for programs that meet their safety specification but still exhibit non-sequentially-consistent behaviors. Finally, the problem asking whether a given implementation provides causal consistency guarantees was studied in [17]. It is, however, completely independent of verification of client programs assuming causal consistency, as we study here.
10 CONCLUSION AND FUTURE WORK
We have established the decidability of reachability under two main causal consistency models, \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \). To do so, we developed novel operational semantics for the two models that are based on the notion of thread potentials and meet the requirements for decidability of the framework of well-structured transition systems. Besides the theoretical interest, Abdulla et al. [4] demonstrate that similar verification procedures (also of non-primitive recursive complexity) may actually be practical for challenging (even though naturally quite small) algorithms and synchronization mechanisms. We plan to explore this in the future.
In contrast to our results, reachability is undecidable under \( {\mathsf {RA}} \), the C/C++11’s causal consistency model [2]. Intuitively, this stems from the fact that \( {\mathsf {RA}} \) requires one to maintain \( {\color{orange} {\mathtt {mo}}} \) separately from the execution order, while \( {\mathsf {SRA}} \) allows the execution of writes following \( {\color{blue} {\mathtt {hb}}}\cup {\color{orange} {\mathtt {mo}}} \), and \( {\mathsf {WRA}} \) does not use \( {\color{orange} {\mathtt {mo}}} \) at all. More concretely, to support \( {\mathsf {RA}} \), the condition of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) that ensures that writes to each location \( {x} \) cannot execute when there are options to read \( {x} \) in the thread’s potential has to be weakened (see Example 5.10). In turn, the conditions of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) are too weak, as they, in particular, do not ensure that all threads observe the writes to each location \( {x} \) in a way that is consistent across all threads (see Example 6.1). Finding alternative conditions on the write steps that will capture conditions closer to those of \( {\mathsf {RA}} \) (either from above, like \( {\mathsf {SRA}} \), or from below, like \( {\mathsf {WRA}} \)) is rather delicate and left to future work. In particular, we note that while the undecidability of \( {\mathsf {RA}} \) implies that no similar WSTS can be developed for \( {\mathsf {RA}} \), the existing reduction that shows undecidability crucially relies on RMWs, and the decidability of \( {\mathsf {RA}} \) without RMW operations is (to the best of our knowledge) still open.
We note that since \( {\mathsf {SRA}} \), \( {\mathsf {RA}} \), and \( {\mathsf {WRA}} \) coincide on write/write-race-free programs, and write/write-race freedom can be checked under \( {\mathsf {SRA}} \) (Theorem 3.1), our result allows the verification of safety properties under \( {\mathsf {RA}} \) for this class of programs. Concurrent separation logics [29, 55, 56], designed for verification under \( {\mathsf {RA}} \), are also essentially limited to reason only about write/write-race-free programs, and stateless model checking is significantly simpler with this assumption (see [31, Section 5 and Remark 3]). We also note that it is straightforward to support C/C++11’s non-atomics, with “catch-fire” semantics (i.e., data races are errors), in addition to release/acquire accesses and sequentially consistent fences (which are modeled as RMWs as in Example 3.9). Indeed, as demonstrated in [29], it suffices to check for data races assuming \( {\mathsf {RA}} \) semantics. Supporting other features of C/C++11, such as relaxed and sequentially consistent accesses, is left to future work.
We believe that the potential-based semantics—both specifically for \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) and as a general idea for operational semantics—may be of independent interest in the development of verification techniques for programs running under weak consistency, including program logics and model-checking techniques. In particular, we are interested in developing abstraction techniques, as was done for TSO and similar buffer-based models (see, e.g., [33, 53]). Other directions for future work include handling other variants of causally consistent shared memory (see, e.g., [17]), supporting transactions (to enable, e.g., full verification of client programs under \( {\mathsf {PSI}} \), see Section 3.1) and studying verification of parametrized programs under causal consistency (which is decidable for TSO [4, 7]).
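The reason the lossy, potential-based view is amenable to algorithmic treatment can be conveyed with a toy sketch of our own that abstracts away all memory-model details: if states are, roughly, words ordered by the subword relation, then by Higman’s lemma this order is a well-quasi-order, so every set of states is represented by finitely many minimal elements—the invariant underlying WSTS-based algorithms.

```python
def embeds(u, v):
    """u is a (not necessarily contiguous) subword of v -- the kind of
    well-quasi-order (Higman's lemma) used for lossy state spaces."""
    it = iter(v)
    return all(ch in it for ch in u)  # `in` consumes the iterator

def minimize(states):
    """Keep only the embedding-minimal states (a finite antichain)."""
    keep = []
    for s in sorted(set(states), key=len):  # shorter candidates first
        if not any(embeds(t, s) for t in keep):
            keep.append(s)
    return keep

print(embeds("ace", "abcde"))                         # → True
print(sorted(minimize(["ab", "xaby", "ba", "aab"])))  # → ['ab', 'ba']
```

Losing options moves a state downwards in this order, which is why downward-closed sets of potentials admit such finite representations.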
Appendix
A FULL EQUIVALENCE PROOFS
In this Appendix, we provide full proofs of Lemmas 7.7 and 7.6, first for \( {\mathsf {SRA}} \) and then for \( {\mathsf {WRA}} \). Our proofs assume the alternative definition of \( \mathsf {lo} \)\( {\mathsf {XRA}} \)’s write steps that is given in Proposition 8.4.
A.1 Equivalence of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) and \( \mathsf {op} \)\( {\mathsf {SRA}} \)
For every trace of \( \mathsf {lo} \)\( {\mathsf {SRA}} \) there is an equivalent trace of \( \mathsf {op} \)\( {\mathsf {SRA}} \).
As described in Section 7, we show that \( \curlyvee \) constitutes a forward simulation relation from \( {\mathsf {lo}{{\mathsf {SRA}}}} \) to \( {\mathsf {op}{{\mathsf {SRA}}}} \). We detail here the simulation step. Suppose that \( {\mathcal {{B}}}\curlyvee G \) and \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) for some \( {\tau }\in \mathsf {Tid} \) and \( {l}\in \mathsf {Lab} \). We show that there exists \( G^{\prime } \) such that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \) and \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \). Consider the possible cases:
write step, \( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \):
Let \( w={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Let \( G^{\prime } \) be the execution graph defined by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {w}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}} \) and \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {w}\rbrace) \). By definition, we have \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \). We show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). By Proposition 8.4, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), there exists an index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \) such that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \) and \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\pi }) \subseteq {\mathcal {{B}}}({\pi }) \) for every \( {\pi }\in \mathsf {Tid} \). Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We construct a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list \( W^{\prime } \). Let \( P\triangleq {\mathcal {{P}}}({\pi },L^{\prime }) \), \( L\triangleq {L^{\prime }} \setminus {P} \), \( f \triangleq {{\mathsf {Map}}}_{{\langle {{L^{\prime }},{P}}\rangle }} \), \( L_{\tau }\triangleq {L^{\prime }} {~\setminus \!\setminus ~} {P} \) and \( f_{\tau }\triangleq {{\mathsf {MMap}}}_{{\langle {{L^{\prime }},{P}}\rangle }} \) (the last two are only defined if \( P\ne \emptyset \)).
Since \( {\mathcal {{B}}}\curlyvee G \), there exist a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W \), and a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L_{\tau }}\rangle } \)-write-list \( W_{\tau } \). We define \( W^{\prime } \) as follows:
\( W^{\prime }(k) \triangleq {\left\lbrace \begin{array}{ll} w & k \in P \\ W(f(k)) & k \not\in P \wedge (P=\emptyset \vee k \lt \min (P)) \\ \max _{G.{\color{orange} {\mathtt {mo}}}} \lbrace {W(f(k)),W_{\tau }(f_{\tau }(k))}\rbrace & k \not\in P \wedge k \gt \min (P) \end{array}\right.} \)
It is easy to see that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list. In particular, to show that \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {RMW}} \) implies \( W^{\prime }(k)\not\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}})} \), we use the fact that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), and so for every \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \), we have that \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {RMW}} \) implies \( {\mathtt {loc}}(L^{\prime }(k)) \ne {x} \).
We show that \( W^{\prime } \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent.
Let \( 1 \le k \le |{L^{\prime }}| \). We prove that \( W^{\prime }(k) \not\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \). Suppose otherwise. First, note that we cannot have \( k \in P \), since \( w \) is a maximal element in \( G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Let \( w_{\pi }=W(f(k)) \) and \( w_{\tau }=W_{\tau }(f_{\tau }(k)) \) (the latter is only defined if \( k\gt \min (P) \)). Consider the two possible cases:
\( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \): The definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}}^? \), and so \( w_{\pi }\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). From the \( {\langle {G,{\pi }}\rangle } \)-consistency of \( W \), we know that \( w_{\pi }\not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \), and therefore it must be the case that \( {\pi }={\tau } \) and \( {\langle {w_{\pi },w}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Hence, \( {\mathtt {loc}}(w_{\pi })={x} \), and so \( {\mathtt {loc}}(L^{\prime }(k))={x} \), which contradicts the fact that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \).
\( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \) for some \( 1\le j \lt k \). Consider the two possible cases:
\( W^{\prime }(j)=w \): In this case, we must have \( k \gt \min (P) \), and so \( W^{\prime }(k)=\max _{G.{\color{orange} {\mathtt {mo}}}} \lbrace {w_{\pi },w_{\tau }}\rbrace \). Hence, we have \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}^? \), and so \( {\langle {w_{\tau },w}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Now, if \( {\langle {w_{\tau },w}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}} \), then we also have \( w_{\tau }\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent. Therefore, we have \( {\langle {w_{\tau },w}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Hence, \( {\mathtt {loc}}(w_{\tau })={x} \), and so \( {\mathtt {loc}}(L^{\prime }(k))={x} \), which contradicts the fact that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \).
\( W^{\prime }(j)\ne w \): In this case, we must have \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). The definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}^? \), and so \( {\langle {w_{\pi },W^{\prime }(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Now, since \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent, we cannot have \( W^{\prime }(j)=W(f(j)) \). Hence, \( j \gt \min (P) \) and \( W^{\prime }(j)=W_{\tau }(f_{\tau }(j)) \). Let \( w^{\prime }_{\tau }= W_{\tau }(f_{\tau }(j)) \). It follows that \( k \gt \min (P) \), and so \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}^? \). Hence, we have \( {\langle {w_{\tau },w^{\prime }_{\tau }}\rangle }\in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). This contradicts the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
read step, \( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \):
By definition, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), there exists a read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \) and \( {\mathtt {val}}({o})=v_{\mathtt {R}} \) such that \( {\mathcal {{B}}}({\tau }) = {o}\cdot {\mathcal {{B}}}^{\prime }({\tau }) \). Since \( {\mathcal {{B}}}\curlyvee G \), for every \( L\in {\mathcal {{B}}}({\tau }) \) there exists a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W_L \). Let \( A = \lbrace { W_L(1) \; | \;L\in {\mathcal {{B}}}({\tau })}\rbrace \). Since \( {\mathcal {{B}}}({\tau }) \) is non-empty, we know that \( A \) is not empty. Since each \( W_L \) is a \( {\langle {G,L}\rangle } \)-write-list, we have that \( {\mathtt {tid}}(w)={\mathtt {tid}}({o}) \) for every \( w\in A \). Hence, \( G.{\mathtt {po}} \) totally orders \( A \). Let \( w=\min _{G.{\mathtt {po}}} A \) and let \( L_{\text{min}}\in {\mathcal {{B}}}({\tau }) \) such that \( w=W_{L_{\text{min}}}(1) \). Let \( r={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \) and let \( G^{\prime } \) be the execution graph given by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {r}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,r}\rangle }}\rbrace \) and \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}} \).
We show that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \). By definition, it suffices to show the following:
\( w\in G.\mathsf {W}_{x} \) and \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \): We have \( w= W_{L_{\text{min}}}(1) \), and since \( W_{L_{\text{min}}} \) is a \( {\langle {G,{L_{\text{min}}}}\rangle } \)-write-list, we have that \( w\in G.\mathsf {W} \), \( {\mathtt {loc}}(w)={\mathtt {loc}}(W_{L_{\text{min}}}(1))={\mathtt {loc}}({L_{\text{min}}}(1))={\mathtt {loc}}({o})={x} \) and \( {\mathtt {val}_{\mathtt {W}}}(w)={\mathtt {val}_{\mathtt {W}}}(W_{L_{\text{min}}}(1))={\mathtt {val}}({L_{\text{min}}}(1))={\mathtt {val}}({o})=v_{\mathtt {R}} \).
\( w\not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \): Since \( W_{L_{\text{min}}} \) is \( {\langle {G,{\tau }}\rangle } \)-consistent and \( w=W_{L_{\text{min}}}(1) \), we cannot have \( w\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
It remains to show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We define a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list. Consider two cases:
\( {\pi }\ne {\tau } \): By definition, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), we have \( L^{\prime }\in {\mathcal {{B}}}({\pi }) \). Since \( {\mathcal {{B}}}\curlyvee G \), there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L^{\prime }}\rangle } \)-write-list \( W \). It is easy to see that \( W \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list. We show that \( W \) is also \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent. Let \( 1\le k\le |{L^{\prime }}| \).
Suppose by contradiction that \( W(k) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). It follows that \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). This contradicts the fact that \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent.
\( {\pi }= {\tau } \): Let \( L= {o}\cdot L^{\prime } \). Then, \( L\in {\mathcal {{B}}}({\tau }) \). Let \( W^{\prime } = \lambda k \in \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace .\; W_L(1 + k) \). It is easy to see that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list. We show that \( W^{\prime } \) is \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistent. Suppose by contradiction that \( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \).
Now, if \( W^{\prime }(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \), it follows that \( W_L(1+k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W_L(1+j)\; | \;1\le j \lt k}\rbrace ]})} \), which contradicts the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_L \). Otherwise, the offending path must use the new reads-from edge \( {\langle {w,r}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), and so \( {\langle {W^{\prime }(k),w}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Since \( w=\min _{G.{\mathtt {po}}} A \) and \( W_L(1)\in A \), we have \( {\langle {w,W_L(1)}\rangle }\in G.{\mathtt {po}}^? \), and so \( W_L(1+k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W_L(1)}\rbrace ]})} \), again contradicting the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_L \).
rmw step, \( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \):
This case is handled by carefully combining the write and read steps. By definition, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), there exists a read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \), \( {\mathtt {val}}({o})=v_{\mathtt {R}} \) and \( {\mathtt {rmw}}({o})={\mathtt {RMW}} \) such that \( L(1)={o} \) for every \( L\in {\mathcal {{B}}}({\tau }) \). Since \( {\mathcal {{B}}}\curlyvee G \), for every \( L\in {\mathcal {{B}}}({\tau }) \) there exists a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W_L \). Moreover, since \( {\mathtt {rmw}}({o})={\mathtt {RMW}} \), we have \( W_L(1)=\max _{G.{\color{orange} {\mathtt {mo}}}} G.\mathsf {W}_{{x}} \) for every \( L\in {\mathcal {{B}}}({\tau }) \).
Let \( w=\max _{G.{\color{orange} {\mathtt {mo}}}} G.\mathsf {W}_{{x}} \), \( e={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \) and \( G^{\prime } \) be the execution graph given by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {e}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,e}\rangle }}\rbrace \) and \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {e}\rbrace) \).
To show that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \), it suffices, by definition, to show that \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \). Indeed, since \( {\mathcal {{B}}}({\tau }) \) is (by definition) non-empty, we can take some \( L\in {\mathcal {{B}}}({\tau }) \). We have \( w= W_L(1) \), and since \( W_L \) is a \( {\langle {G,L}\rangle } \)-write-list, we have that \( {\mathtt {val}_{\mathtt {W}}}(w)={\mathtt {val}_{\mathtt {W}}}(W_L(1))={\mathtt {val}}(L(1))={\mathtt {val}}({o})=v_{\mathtt {R}} \).
It remains to show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). Using Proposition 8.4, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), we know that there exists an index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \) such that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\pi }) \subseteq {\mathcal {{B}}}({\pi }) \) for every \( {\pi }\in \mathsf {Tid}\setminus \lbrace {{\tau }}\rbrace \) and \( {o}\cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau }) \subseteq {\mathcal {{B}}}({\tau }) \).
Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We construct a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list \( W^{\prime } \). Let \( P\triangleq {\mathcal {{P}}}({\pi },L^{\prime }) \) and (\( L_{\tau } \) and \( f_{\tau } \) are only defined if \( P\ne \emptyset \)):

Since \( {\mathcal {{B}}}\curlyvee G \), there exist a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W \), and a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L_{\tau }}\rangle } \)-write-list \( W_{\tau } \). We define \( W^{\prime } \) as follows:

It is easy to see that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list. In particular, to show that \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {RMW}} \) implies \( W^{\prime }(k)\not\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}})} \), we use the fact that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), and so for every \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \), we have that \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {RMW}} \) implies \( {\mathtt {loc}}(L^{\prime }(k)) \ne {x} \).
We show that \( W^{\prime } \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent.
Let \( 1 \le k \le |{L^{\prime }}| \). We prove that \( W^{\prime }(k) \not\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \). Suppose otherwise. First, note that we cannot have \( k \in P \), since \( e \) is a maximal element in \( G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Let \( w_{\pi }=W(f(k)) \) and \( w_{\tau }=W_{\tau }(f_{\tau }(k)) \) (the latter is only defined if \( k\gt \min (P) \)). Consider the two possible cases:
\( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \): The definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}}^? \), and so \( w_{\pi }\in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). From the \( {\langle {G,{\pi }}\rangle } \)-consistency of \( W \), we know that \( w_{\pi }\not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \), and therefore it must be the case that \( {\langle {w_{\pi },e}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,(G.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,G^{\prime }.{\color{green} {\mathsf {rf}}})^? \) and \( {\pi }={\tau } \). Since \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), we have \( {\mathtt {loc}}(L^{\prime }(k))\ne {x} \), and so \( {\mathtt {loc}}(w_{\pi })\ne {x} \). Hence, \( {\langle {w_{\pi },e}\rangle } \not\in G^{\prime }.{\color{orange} {\mathtt {mo}}} \), and so we have \( {\langle {w_{\pi },e}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,G^{\prime }.{\color{green} {\mathsf {rf}}} \), namely, \( {\langle {w_{\pi },w}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}} \). However, \( W(1)=w \), contradicting the \( {\langle {G,{\pi }}\rangle } \)-consistency of \( W \).
\( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \) for some \( 1\le j \lt k \). Consider the two possible cases:
\( W^{\prime }(j)=e \): In this case, we must have \( k \gt \min (P) \), and so \( W^{\prime }(k)=\max _{G.{\color{orange} {\mathtt {mo}}}} \lbrace {w_{\pi },w_{\tau }}\rbrace \). There are three possibilities:
\( W^{\prime }(k)=w \): Then \( {\mathtt {loc}}(w_{\tau })={\mathtt {loc}}(L^{\prime }(k))={x} \), which contradicts the fact that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \).
\( {\langle {W^{\prime }(k),w}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \): This contradicts the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_{\tau } \), as \( W_{\tau }(1)=w \) and \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}}^? \), implying that \( {\langle {w_{\tau },W_{\tau }(1)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \).
\( {\langle {W^{\prime }(k),e}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,G^{\prime }.{\mathtt {po}} \): This also contradicts the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_{\tau } \), as we get that \( w_{\tau }\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
\( W^{\prime }(j)\ne e \): In this case, we must have \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). The definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}^? \), and so \( {\langle {w_{\pi },W^{\prime }(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Now, since \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent, we cannot have \( W^{\prime }(j)=W(f(j)) \). Hence, \( j \gt \min (P) \) and \( W^{\prime }(j)=W_{\tau }(f_{\tau }(j)) \). Let \( w^{\prime }_{\tau }= W_{\tau }(f_{\tau }(j)) \). It follows that \( k \gt \min (P) \), and so \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G.{\color{orange} {\mathtt {mo}}}^? \). Hence, we have \( {\langle {w_{\tau },w^{\prime }_{\tau }}\rangle }\in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). This contradicts the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
Finally, for handling the lower step, suppose that \( {\mathcal {{B}}}\curlyvee G \) and \( {\mathcal {{B}}}\mathrel {{\xrightarrow {\varepsilon }}}_{\mathsf {lo}{{\mathsf {SRA}}}} {\mathcal {{B}}}^{\prime } \). We show that \( {\mathcal {{B}}}^{\prime } \curlyvee G \). Let \( {\tau }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\tau }) \). We define a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L^{\prime }}\rangle } \)-write-list \( W^{\prime } \). By definition, since \( {\mathcal {{B}}}\mathrel {{\xrightarrow {\varepsilon }}}_{\mathsf {lo}{{\mathsf {SRA}}}} {\mathcal {{B}}}^{\prime } \), there exists \( L\in {\mathcal {{B}}}({\tau }) \) such that \( L^{\prime } \sqsubseteq L \). Let \( f : \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \rightarrow {\mathbb {N}} \) be an increasing function such that \( L^{\prime }(k) = L(f(k)) \) for every \( k\in {\it dom}{({f})} \). Since \( {\mathcal {{B}}}\curlyvee G \), there exists a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W \). Let \( W^{\prime } = \lambda k \in \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace .\; W(f(k)) \). It is easy to see that \( W^{\prime } \) is a \( {\langle {G,L^{\prime }}\rangle } \)-write-list. We show that \( W^{\prime } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent. Let \( 1\le k\le |{L^{\prime }}| \). Suppose by contradiction that \( W^{\prime }(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \). It follows that \( W(f(k)) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(f(j))\; | \;1\le j \lt k}\rbrace ]})} \). 
This contradicts the fact that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.□
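The proof shape above—exhibiting a relation and checking that it is preserved by every step—can be mechanized for finite-state systems. The sketch below is our own generic illustration and is unrelated to the actual \( {\mathsf {SRA}} \) transition systems:

```python
def is_forward_simulation(rel, steps_a, steps_b):
    """Check the forward-simulation condition: whenever s R t and
    s --lab--> s' in A, some t --lab--> t' in B satisfies s' R t'."""
    for (s, t) in rel:
        for (lab, s2) in steps_a.get(s, []):
            if not any(lab == lab2 and (s2, t2) in rel
                       for (lab2, t2) in steps_b.get(t, [])):
                return False
    return True

# Toy instance: A counts modulo 2, B counts modulo 4; relating each
# B-state to its parity yields a forward simulation of A by B.
steps_a = {0: [("tick", 1)], 1: [("tick", 0)]}
steps_b = {i: [("tick", (i + 1) % 4)] for i in range(4)}
rel = {(i % 2, i) for i in range(4)}
print(is_forward_simulation(rel, steps_a, steps_b))  # → True
```

Establishing the analogous condition for every step kind (write, read, RMW, and the lossy step) is exactly what the case analysis above does.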
For every trace of \( \mathsf {op} \)\( {\mathsf {SRA}} \) there is an equivalent trace of \( \mathsf {lo} \)\( {\mathsf {SRA}} \).
As described in Section 7, we show that \( \curlyvee ^{-1} \) constitutes a backward simulation from \( {\mathsf {op}{{\mathsf {SRA}}}} \) to \( {\mathsf {lo}{{\mathsf {SRA}}}} \). We detail here the simulation step. Suppose that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \) and \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). We construct a state \( {\mathcal {{B}}} \) such that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) and \( {\mathcal {{B}}}\curlyvee G \) (depicted on the right). Consider the possible cases:
write step, \( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \):
Let \( w={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \), we have \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {w}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}} \) and \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {w}\rbrace) \). Since \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \), for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \) there exists a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \). Let \( {\mathcal {{P}}} \) be the index choice for \( {\mathcal {{B}}}^{\prime } \) that assigns the set of “new” positions in \( {\mathcal {{B}}}^{\prime } \):
\( {\mathcal {{P}}}({\pi },L^{\prime }) \triangleq \lbrace {k \; | \;W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }}(k) = w}\rbrace \) for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \).
Then, we define \( {\mathcal {{B}}}\triangleq \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}}) \).
By Proposition 8.4, to show that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), it suffices to prove that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \). Thus, we show that the following hold for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \), where \( P={\mathcal {{P}}}({\pi },L^{\prime }) \) and \( W^{\prime }=W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \):
Let \( k\in P \). To see that \( L^{\prime }(k)\in \lbrace {{{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\mathtt {R}}}),{{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\mathtt {RMW}}})}\rbrace \), note that since \( k\in P \), we have \( W^{\prime }(k)=w \), and since \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list, we must have \( {\tau }={\mathtt {tid}}(w)={\mathtt {tid}}(L^{\prime }(k)) \), \( {x}={\mathtt {loc}}(w)={\mathtt {loc}}(L^{\prime }(k)) \) and \( v_{\mathtt {W}}={\mathtt {val}_{\mathtt {W}}}(w)={\mathtt {val}_{\mathtt {W}}}(L^{\prime }(k)) \).
Let \( k\in \lbrace {m+1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \) where \( m=\min (P) \). We show that \( {\mathtt {loc}}(L^{\prime }(k))\ne {x} \). Suppose otherwise. Let \( w^{\prime }=W^{\prime }(k) \). Since \( k\not\in P \), we have \( w^{\prime }\ne w \). Hence, since \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {w}\rbrace) \), we have \( {\langle {w^{\prime },w}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Thus, \( {\langle {w^{\prime },W^{\prime }(m)}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Since \( k\gt m \), this contradicts the fact that \( W^{\prime } \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent.
Suppose that \( {\pi }={\tau } \) and let \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \). We show that \( {\mathtt {loc}}(L^{\prime }(k))\ne {x} \). Suppose otherwise. Let \( w^{\prime }=W^{\prime }(k) \). Since \( k\not\in P \), we have \( w^{\prime }\ne w \). Hence, since \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {w}\rbrace) \), we have \( {\langle {w^{\prime },w}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}} \). Thus, we have \( w^{\prime } \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the fact that \( W^{\prime } \) is \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistent.
Let \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \), such that \( {\mathtt {loc}}(L^{\prime }(k)) = {x} \). We show that \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {R}} \). Let \( w^{\prime }=W^{\prime }(k) \). Since \( k\not\in P \), we have \( w^{\prime } \ne w \). Since \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {w}\rbrace) \), it follows that \( {\langle {w^{\prime },w}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}} \). However, since \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list, if \( {\mathtt {rmw}}(L^{\prime }(k))={\mathtt {RMW}} \), then we must have \( w^{\prime }=\max _{G^{\prime }.{\color{orange} {\mathtt {mo}}}} G^{\prime }.\mathsf {W}_{x} \), reaching a contradiction.
It remains to show that \( {\mathcal {{B}}}\curlyvee G \). Let \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \). We show that there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W \). Following the construction of \( {\mathcal {{B}}} \), one of the following holds:
\( L= {L^{\prime }} \setminus {{\mathcal {{P}}}({\pi },L^{\prime })} \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \). Let \( P={\mathcal {{P}}}({\pi },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) and \( f={{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }} \). We define \( W=\lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; W^{\prime }(f(k)) \). Using the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list, it is easy to see that \( W \) is a \( {\langle {G,L}\rangle } \)-write-list. (In particular, note that \( {\mathtt {rmw}}(L(k))\ne {\mathtt {RMW}} \) whenever \( {\mathtt {loc}}(L(k))={x} \).)
It remains to show that \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent, namely, to prove that for every \( k \), we have \( W(k) \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). Indeed, in the case that we have \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \), since \( G.{\color{orange} {\mathtt {mo}}}\subseteq G^{\prime }.{\color{orange} {\mathtt {mo}}} \) and \( G.{\color{blue} {\mathtt {hb}}}\subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}} \), it follows that \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \), which contradicts the \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistency of \( W^{\prime } \). Analogously, if \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \), then since \( f \) is an increasing function, we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(f(j))\; | \;1\le j \lt k}\rbrace ]})} \), which contradicts the \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistency of \( W^{\prime } \).
\( {\pi }= {\tau } \) and \( L= {L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}({\eta },L^{\prime })} \) for some \( {\eta }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\eta }) \) such that \( {\mathcal {{P}}}({\eta },L^{\prime })\ne \emptyset \). Let \( P={\mathcal {{P}}}({\eta },L^{\prime }) \), \( m=\min (P) \), \( W^{\prime }=W^{\prime }_{{\langle {{\eta },L^{\prime }}\rangle }} \) and \( f={{\mathsf {MMap}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }} \). We define \( W=\lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; W^{\prime }(f(k)) \). Using the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list, it is easy to see that \( W \) is a \( {\langle {G,L}\rangle } \)-write-list. (In particular, note that \( {\mathtt {rmw}}(L(k))\ne {\mathtt {RMW}} \) whenever \( {\mathtt {loc}}(L(k))={x} \).) It remains to show that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent, namely, that for every \( k \) we have \( W(k) \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). Indeed, since \( f \) is increasing, if we have \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \) for some \( k \), then we also have that \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), which contradicts the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). 
Now, if \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), then since \( w=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), we have that \( {\langle {W^{\prime }(f(k)),w}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). However, we have \( W^{\prime }(m)=w \) and \( f(k)\gt m \), from which it follows that \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), which contradicts the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \).
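Throughout these cases, an option list is shortened by deleting a set \( P \) of positions, and the corresponding write-list is re-indexed through the increasing map \( f \). The following Python sketch illustrates this bookkeeping (a hypothetical helper, under the assumption, implicit in the proof, that \( {{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }} \) is the increasing enumeration of the positions of \( L^{\prime } \) outside \( P \)):

```python
def remove_positions(L_prime, P):
    """Drop the 1-based positions in P from L_prime.

    Returns the shortened list L together with the increasing map
    f : {1,...,|L|} -> {1,...,|L_prime|} \\ P, so that L(k) = L_prime(f(k)).
    A write-list is then re-indexed the same way: W(k) = W_prime(f(k)).
    """
    kept = [i for i in range(1, len(L_prime) + 1) if i not in P]
    L = [L_prime[i - 1] for i in kept]
    f = {k: kept[k - 1] for k in range(1, len(L) + 1)}
    return L, f
```

Since `f` is increasing, any consistency violation in the re-indexed write-list lifts to one in the original write-list, which is the contradiction invoked in the cases above.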
read step, \( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \):
Let \( r={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \), we have \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {r}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,r}\rangle }}\rbrace \) and \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}} \), for some write event \( w\in G.\mathsf {W}_{{x}} \) such that \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \) and \( w\not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
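The side condition on \( w \) can be pictured with a small Python sketch over an explicit encoding (hypothetical: events are strings, \( {\color{orange} {\mathtt {mo}}} \) and \( {\color{blue} {\mathtt {hb}}} \) are given as sets of pairs):

```python
def readable(writes_x, v_R, val, mo, hb, E_tau):
    """Writes of location x that thread tau may read in the read step:
    val(w) = v_R and w not in dom(mo ; hb^? ; [E_tau]),
    where hb^? is the reflexive closure of hb."""
    def hb_refl(a, b):
        return a == b or (a, b) in hb
    # w is blocked if some mo-later write m is hb^?-before an event of tau
    blocked = {w for (w, m) in mo if any(hb_refl(m, e) for e in E_tau)}
    return sorted(w for w in writes_x if val[w] == v_R and w not in blocked)
```

For instance, with \( {\color{orange} {\mathtt {mo}}}=\lbrace \langle w_1,w_2\rangle \rbrace \) and \( w_2 \) happening-before an event of \( {\tau } \), the overwritten \( w_1 \) is blocked while \( w_2 \) remains readable.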
Let \( {o} \) be the read option given by \( {o}\triangleq {{\mathtt {O}}_{\mathtt {R}}}({{\mathtt {tid}}(w)},{{x}},{v_{\mathtt {R}}},{{\mathtt {R}}}) \). We define \( {\mathcal {{B}}} \) by \( {\mathcal {{B}}}({\tau })\triangleq \lbrace {{o}\cdot L^{\prime }\; | \;L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau })}\rbrace \) and \( {\mathcal {{B}}}({\pi })\triangleq {\mathcal {{B}}}^{\prime }({\pi }) \) for every \( {\pi }\in \mathsf {Tid}\setminus \lbrace {{\tau }}\rbrace \).
By definition, \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \).
We show next that \( {\mathcal {{B}}}\curlyvee G \). For a thread \( {\pi }\ne {\tau } \) and an option list \( L\in {\mathcal {{B}}}({\pi }) \), observe that \( L\in {\mathcal {{B}}}^{\prime }({\pi }) \), and since \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \), there is a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L}\rangle } \)-write-list \( W^{\prime } \). Since \( G.{\color{orange} {\mathtt {mo}}}\subseteq G^{\prime }.{\color{orange} {\mathtt {mo}}} \) and \( G.{\color{blue} {\mathtt {hb}}}\subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}} \), \( W^{\prime } \) is also a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list.
Consider an option list \( L\in {\mathcal {{B}}}({\tau }) \). Let \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\tau }) \) such that \( L= {o}\cdot L^{\prime } \). Since \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \), there is a \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list \( W^{\prime } \). Define \( W\triangleq w\cdot W^{\prime } \). Using the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list, it is easy to see that \( W \) is a \( {\langle {G,L}\rangle } \)-write-list. It is left to show that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent. For this matter, let \( 1 \le k \le |{L}| \). We prove that \( W(k) \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). Suppose otherwise. Consider the two possible cases:
\( k=1 \). Then \( w \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the properties of \( w \) as stated above.
\( k\gt 1 \). Observe that \( W(k) = W^{\prime }(k-1) \). If \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;2\le j \lt k}\rbrace ]})} \), then \( W^{\prime }(k-1) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k-1}\rbrace ]})} \), contradicting the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). Thus, \( {\langle {W(k),W(1)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Yet, \( W(1)=w \), \( r\in \mathsf {E}^{\tau } \) and \( {\langle {w,r}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \). Hence, \( W^{\prime }(k-1) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), contradicting the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \).
rmw step, \( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \):
This case combines the proofs given for the read and write cases. Let \( e={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {SRA}}}}}}{}} G^{\prime } \), we have \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {e}\rbrace \), \( G^{\prime }.{\color{orange} {\mathtt {mo}}}= G.{\color{orange} {\mathtt {mo}}}\cup (G.\mathsf {W}_{x}\times \lbrace {e}\rbrace) \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,e}\rangle }}\rbrace \) and \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \), where \( w=\max _{G.{\color{orange} {\mathtt {mo}}}}\mathsf {W}_{x} \). Since \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \), for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \) there exists a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \).
Let \( {\mathcal {{P}}} \) be the index choice for \( {\mathcal {{B}}}^{\prime } \) that assigns the set of “new” positions in \( {\mathcal {{B}}}^{\prime } \):
Then, we define
where \( {o} \) is the read option given by \( {o}\triangleq {{\mathtt {O}}_{\mathtt {R}}}({{\mathtt {tid}}(w)},{{x}},{v_{\mathtt {R}}},{{\mathtt {RMW}}}) \).
By Proposition 8.4, to show that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {SRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), it suffices to prove that \( {{\mathcal {{P}}}}\models _{{\mathsf {SRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \). This is done exactly as in the write case.
It remains to show that \( {\mathcal {{B}}}\curlyvee G \). Let \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \). We show that there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L}\rangle } \)-write-list \( W \). Following the construction of \( {\mathcal {{B}}} \), one of the following holds:
\( L= {L^{\prime }} \setminus {{\mathcal {{P}}}({\pi },L^{\prime })} \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \). This case is exactly the same as the analogous case in the write step.
\( {\pi }= {\tau } \) and \( L= {o}\cdot ({L^{\prime }} \setminus {{\mathcal {{P}}}({\tau },L^{\prime })}) \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau }) \). Let \( P={\mathcal {{P}}}({\tau },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \) and \( f=\lambda k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-1) \). We define \( W \) by \( W(1)\triangleq w \) and \( W(k)\triangleq W^{\prime }(f(k)) \) for every \( k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \).
Using the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime }}\rangle } \)-write-list and that \( w=\max _{G.{\color{orange} {\mathtt {mo}}}}\mathsf {W}_{x} \), it is easy to see that \( W \) is a \( {\langle {G,L}\rangle } \)-write-list. (In particular, note that for \( k\gt 1 \), \( {\mathtt {rmw}}(L(k))\ne {\mathtt {RMW}} \) whenever \( {\mathtt {loc}}(L(k))={x} \).) It remains to show that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent, namely, to prove that for every \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \), we have \( W(k) \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \). For \( k=1 \), this is trivial, since \( W(1)=w=\max _{G.{\color{orange} {\mathtt {mo}}}}\mathsf {W}_{x} \). Let \( k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \). If \( W(k) \in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), then since \( G.{\color{orange} {\mathtt {mo}}}\subseteq G^{\prime }.{\color{orange} {\mathtt {mo}}} \) and \( G.{\color{blue} {\mathtt {hb}}}\subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}} \), we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). Analogously, if \( {\langle {W(k),W(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \) for some \( 2\le j \lt k \), then \( {\langle {W^{\prime }(f(k)),W^{\prime }(f(j))}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \), and since \( f \) is an increasing function, this contradicts the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). Now, if \( {\langle {W(k),W(1)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \), then since \( W(1)=w \), \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {e}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,e}\rangle }}\rbrace \), we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \).
\( {\pi }= {\tau } \) and \( L= {o}\cdot ({L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}({\eta },L^{\prime })}) \) for some \( {\eta }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\eta }) \) such that \( {\mathcal {{P}}}({\eta },L^{\prime })\ne \emptyset \). Let \( P={\mathcal {{P}}}({\eta },L^{\prime }) \), \( m=\min (P) \), \( W^{\prime }=W^{\prime }_{{\langle {{\eta },L^{\prime }}\rangle }} \) and \( f=\lambda k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {MMap}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-1) \).
We define \( W \) by \( W(1)\triangleq w \) and \( W(k)\triangleq W^{\prime }(f(k)) \) for every \( k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \).
As above, \( W \) is a \( {\langle {G,L}\rangle } \)-write-list, and we show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent. Namely, we prove that \( W(k) \not\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \) for every \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \). Again, for \( k=1 \), this is trivial, since \( W(1)=w=\max _{G.{\color{orange} {\mathtt {mo}}}}\mathsf {W}_{x} \). Let \( k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace \). If \( {\langle {W(k),W(j)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \) for \( 2\le j \lt k \), then \( {\langle {W^{\prime }(f(k)),W^{\prime }(f(j))}\rangle }\in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \), and since \( f \) is an increasing function this contradicts the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). Now, if \( {\langle {W(k),W(1)}\rangle } \in G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \), then since \( W(1)=w \) and \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), we have \( {\langle {W^{\prime }(f(k)),e}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). However, \( W^{\prime }(m)=e \) and \( f(k)\gt m \) together imply that we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), which contradicts the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \).
Last, if \( W(k)\in {\it dom}{({G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), then \( {\langle {W^{\prime }(f(k)),e}\rangle } \in G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \) (since \( e=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \)). However, \( W^{\prime }(m)=e \) and \( f(k)\gt m \), implying that \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \),
which contradicts the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). \( \Box \)
A.2 Equivalence of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) and \( \mathsf {op} \)\( {\mathsf {WRA}} \)
For every trace of \( \mathsf {lo} \)\( {\mathsf {WRA}} \) there is an equivalent trace of \( \mathsf {op} \)\( {\mathsf {WRA}} \).
As described in Section 7, we show that \( \curlyvee \) constitutes a forward simulation relation from \( {\mathsf {lo}{{\mathsf {WRA}}}} \) to \( {\mathsf {op}{{\mathsf {WRA}}}} \). We detail here the simulation step. Suppose that \( {\mathcal {{B}}}\curlyvee G \) and \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \). Let \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) be a function that satisfies the conditions of Definition 7.4. We show that there exists \( G^{\prime } \) such that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \) and \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \). Consider the possible cases:
\( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \): Let \( w={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Let \( G^{\prime } \) be the execution graph defined by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {w}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}} \). By definition, we have \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \).
We show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). First, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), by Proposition 8.4, there exists an index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \) such that \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\pi }) \subseteq {\mathcal {{B}}}({\pi }) \) for every \( {\pi }\in \mathsf {Tid}\setminus \lbrace {{\tau }}\rbrace \) and \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau }) \subseteq {\mathcal {{B}}}({\tau }) \). Since \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), there exists \( {\pi }_{\mathtt {RMW}}\in \mathsf {Tid} \), such that \( L^{\prime }(k)={{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\pi }_{\mathtt {RMW}}}) \) for every \( {\pi }\in \mathsf {Tid} \), \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \) and \( k\in {\mathcal {{P}}}({\pi },L^{\prime }) \). (If \( {\mathcal {{P}}}({\pi },L^{\prime })=\emptyset \) for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \), then \( {\pi }_{\mathtt {RMW}} \) is arbitrary.)
Let \( \mathit {tid}_{\mathtt {RMW}}^{\prime } = \mathit {tid}_{\mathtt {RMW}}[w \mapsto {\pi }_{\mathtt {RMW}}] \). Since \( w\not\in {\it dom}{({G^{\prime }.{\color{green} {\mathsf {rf}}}})} \), we vacuously have \( {\mathtt {tid}}(e)=\mathit {tid}_{\mathtt {RMW}}^{\prime }(w) \) for every \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}] \). It follows that for every \( {\langle {w^{\prime },e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}] \), we have \( {\mathtt {tid}}(e)=\mathit {tid}_{\mathtt {RMW}}^{\prime }(w^{\prime }) \).
We show that for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), there exists a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}^{\prime }}\rangle } \)-write-list. Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We construct a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}^{\prime }}\rangle } \)-write-list \( W^{\prime } \). Let \( P\triangleq {\mathcal {{P}}}({\pi },L^{\prime }) \) and (\( L_{\tau } \) and \( f_{\tau } \) are only defined if \( P\ne \emptyset \)):

We define \( W^{\prime } \) as follows:

\( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \):
By definition, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), there exists a read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \) and \( {\mathtt {val}}({o})=v_{\mathtt {R}} \) such that \( {\mathcal {{B}}}({\tau }) = {o}\cdot {\mathcal {{B}}}^{\prime }({\tau }) \). For every \( L\in {\mathcal {{B}}}({\tau }) \), let \( W_L \) be a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. Let \( A = \lbrace { W_L(1) \; | \;L\in {\mathcal {{B}}}({\tau })}\rbrace \). Since \( {\mathcal {{B}}}({\tau }) \) is non-empty, we know that \( A \) is not empty. Since each \( W_L \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we have that \( {\mathtt {tid}}(w)={\mathtt {tid}}({o}) \) for every \( w\in A \). Hence, \( G.{\mathtt {po}} \) totally orders \( A \). Let \( w=\min _{G.{\mathtt {po}}} A \) and let \( L_{\text{min}}\in {\mathcal {{B}}}({\tau }) \) such that \( w=W_{L_{\text{min}}}(1) \). Let \( r={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \) and let \( G^{\prime } \) be the execution graph given by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {r}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,r}\rangle }}\rbrace \).
Now, \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \) follows exactly as in the proof for \( {\mathsf {SRA}} \). It remains to show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). We use the same \( \mathit {tid}_{\mathtt {RMW}} \) mapping and show that for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), there exists a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We define a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. Consider two cases:
\( {\pi }\ne {\tau } \): By definition, since \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), we have \( L^{\prime }\in {\mathcal {{B}}}({\pi }) \). Let \( W \) be a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. It is easy to see that \( W \) is also a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. It remains to show that \( W \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent. Condition 1 follows exactly as for \( {\mathsf {SRA}} \). To see that conditions 2 and 3 hold as well, note that if we have \( W(k) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \) or \( {\langle {W(k),W(j)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \), then the same holds in \( G \). Therefore, the \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistency of \( W \) directly follows from its \( {\langle {G,{\pi }}\rangle } \)-consistency.
\( {\pi }= {\tau } \): Let \( L= {o}\cdot L^{\prime } \). Then, \( L\in {\mathcal {{B}}}({\tau }) \). Let \( W^{\prime } = \lambda k \in \lbrace {1 {,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace .\; W_L(1 + k) \). It is easy to see that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. We show that \( W^{\prime } \) is \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistent. Let \( 1\le k\le |{W^{\prime }}| \) such that \( W^{\prime }(k)\in \mathsf {E} \). Condition 1 follows exactly as for \( {\mathsf {SRA}} \). We prove conditions 2 and 3.
(2) Suppose by contradiction that there exists \( i\lt k \) with \( W^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W^{\prime }(k))}) \) (and so, \( W_L(1 + i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W_L(1 + k))}) \)) but \( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). If \( W^{\prime }(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), then \( W_L(1 + k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the fact that \( W_L \) is \( {\langle {G,{\tau }}\rangle } \)-consistent. Hence, we must have \( {\langle {W^{\prime }(k),w}\rangle } \in G.{\color{blue} {\mathtt {hb}}}^? \). Since \( L(1)={o} \), the definition of \( w \) ensures that \( {\langle {w,W_L(1)}\rangle }\in G.{\mathtt {po}}^? \). It follows that \( {\langle {W_L(1 + k),W_L(1)}\rangle }\in G.{\color{blue} {\mathtt {hb}}} \) while \( W_L(1 + i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W_L(1 + k))}) \) where \( i\lt k \). Again, this contradicts the fact that \( W_L \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
(3) Suppose by contradiction that there exists \( j\lt i\lt k \) with \( W^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W^{\prime }(k))}) \) (and so, \( W_L(1 + i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W_L(1 + k))}) \)) but \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). In this case, since \( W^{\prime }(j)\in \mathsf {W} \), we must have \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}^? \). Hence, \( {\langle {W_L(1 + k),W_L(1 + j)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}^? \), which contradicts the fact that \( W_L \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
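The choice of \( w \) in the read case above, as the \( {\mathtt {po}} \)-minimal head of the candidate write-lists, can be sketched as follows (hypothetical encoding: `po_pos` maps each event of the writer thread to its position in program order):

```python
def pick_read_source(write_lists, po_pos):
    """Collect the first write of every candidate write-list of the reading
    thread and return the po-minimal one; all heads belong to the same
    thread, so program order totally orders them."""
    heads = {W[0] for W in write_lists}
    return min(heads, key=lambda w: po_pos[w])
```

Picking the po-minimal head ensures that \( {\langle {w,W_L(1)}\rangle }\in G.{\mathtt {po}}^? \) for every candidate list \( L \), which is exactly what the proof of condition (2) relies on.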
\( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \):
First, \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) provides us with the following:
(1) There exists a read option \( {o} \) with \( {\mathtt {loc}}({o})={x} \), \( {\mathtt {val}}({o})=v_{\mathtt {R}} \) and \( {\mathtt {rmw}\mbox{-}{\mathtt {tid}}}({o})={\tau } \) such that \( L(1)={o} \) for every \( L\in {\mathcal {{B}}}({\tau }) \).
(2) By Proposition 8.4, there exists an index choice \( {\mathcal {{P}}} \) for \( {\mathcal {{B}}}^{\prime } \) such that \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), \( \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\pi }) \subseteq {\mathcal {{B}}}({\pi }) \) for every \( {\pi }\in \mathsf {Tid}\setminus \lbrace {{\tau }}\rbrace \) and \( {o}\cdot {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot \mathsf {src}({{\mathcal {{B}}}^{\prime }},{{\tau }},{{\mathcal {{P}}}})({\tau }) \subseteq {\mathcal {{B}}}({\tau }) \).
For every \( L\in {\mathcal {{B}}}({\tau }) \), let \( W_L \) be a \( {\langle {G,{\tau }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. Let \( A = \lbrace { W_L(1) \; | \;L\in {\mathcal {{B}}}({\tau })}\rbrace \). Since \( {\mathcal {{B}}}({\tau }) \) is non-empty, we know that \( A \) is not empty. Since each \( W_L \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we have that \( {\mathtt {tid}}(w)={\mathtt {tid}}({o}) \) for every \( w\in A \). Hence, \( G.{\mathtt {po}} \) totally orders \( A \). Let \( w=\min _{G.{\mathtt {po}}} A \) and let \( L_{\text{min}}\in {\mathcal {{B}}}({\tau }) \) such that \( w=W_{L_{\text{min}}}(1) \). Let \( e={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \) and let \( G^{\prime } \) be the execution graph given by \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {e}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,e}\rangle }}\rbrace \).
Note that \( w= W_{L_{\text{min}}}(1) \), and since \( W_{L_{\text{min}}} \) is a \( {\langle {G,{L_{\text{min}}},\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we have that:
\( {\mathtt {loc}}(w)={\mathtt {loc}}(W_{L_{\text{min}}}(1))={\mathtt {loc}}({L_{\text{min}}}(1))={\mathtt {loc}}({o})={x} \).
\( {\mathtt {val}_{\mathtt {W}}}(w)={\mathtt {val}_{\mathtt {W}}}(W_{L_{\text{min}}}(1))={\mathtt {val}}({L_{\text{min}}}(1))={\mathtt {val}}({o})=v_{\mathtt {R}} \).
\( \mathit {tid}_{\mathtt {RMW}}(w)=\mathit {tid}_{\mathtt {RMW}}(W_{L_{\text{min}}}(1))= {\mathtt {rmw}\mbox{-}{\mathtt {tid}}}(L_{\text{min}}(1))={\tau } \).
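The three equalities above are instances of the agreement between a write-list and its option list. A Python sketch of this agreement check (illustrative field names only; actual write-lists may also contain write options rather than events):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ReadOption:
    tid: str      # thread of the write
    loc: str      # location
    val: int      # written value
    rmw_tid: str  # thread allowed to RMW from this write

def agrees(L, W, loc, val_W, tid, tid_rmw):
    """The k-th write event must agree with the k-th read option on
    location, value, writer thread, and rmw-thread."""
    return len(L) == len(W) and all(
        loc[W[k]] == L[k].loc and val_W[W[k]] == L[k].val
        and tid[W[k]] == L[k].tid and tid_rmw[W[k]] == L[k].rmw_tid
        for k in range(len(L)))
```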
Then, to show that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \), it suffices, by definition, to show the following:
\( w\not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \): Since \( W_{L_{\text{min}}} \) is \( {\langle {G,{\tau }}\rangle } \)-consistent and \( w=W_{L_{\text{min}}}(1) \), we cannot have \( w\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
\( w\not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \): Suppose otherwise, and let \( e^{\prime } \in \mathsf {RMW} \) such that \( {\langle {w,e^{\prime }}\rangle }\in G.{\color{green} {\mathsf {rf}}} \). Then, since \( \mathit {tid}_{\mathtt {RMW}}(w)={\tau } \), the second condition for \( {\mathsf {WRA}} \) in Definition 7.4 ensures that \( {\mathtt {tid}}(e^{\prime })={\tau } \). Hence, \( w\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}\cap \mathsf {E}^{\tau }]})} \subseteq {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts the previous item.
It remains to show that \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). Since \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), there exists \( {\pi }_{\mathtt {RMW}}\in \mathsf {Tid} \), such that \( L^{\prime }(k)={{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\pi }_{\mathtt {RMW}}}) \) for every \( {\pi }\in \mathsf {Tid} \), \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \) and \( k\in {\mathcal {{P}}}({\pi },L^{\prime }) \).
Let \( \mathit {tid}_{\mathtt {RMW}}^{\prime } = \mathit {tid}_{\mathtt {RMW}}[e \mapsto {\pi }_{\mathtt {RMW}}] \). Since \( e\not\in {\it dom}{({G^{\prime }.{\color{green} {\mathsf {rf}}}})} \), we vacuously have \( {\mathtt {tid}}(e^{\prime })=\mathit {tid}_{\mathtt {RMW}}^{\prime }(e) \) for every \( {\langle {e,e^{\prime }}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}] \). In addition, we have \( {\mathtt {tid}}(e)={\tau }=\mathit {tid}_{\mathtt {RMW}}(w)=\mathit {tid}_{\mathtt {RMW}}^{\prime }(w) \). Since \( w \) is the unique event such that \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), it follows that for every \( {\langle {w^{\prime },e^{\prime }}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}] \), we have \( {\mathtt {tid}}(e^{\prime })=\mathit {tid}_{\mathtt {RMW}}^{\prime }(w^{\prime }) \).
We show that for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), there exists a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}^{\prime }}\rangle } \)-write-list. Let \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \). We construct a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}^{\prime }}\rangle } \)-write-list \( W^{\prime } \). Let \( P\triangleq {\mathcal {{P}}}({\pi },L^{\prime }) \) and (\( L_{\tau } \) and \( f_{\tau } \) are only defined if \( P\ne \emptyset \)):


It is easy to see that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}^{\prime }}\rangle } \)-write-list. We show that \( W^{\prime } \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent. Let \( 1 \le k \le |{L^{\prime }}| \) such that \( W^{\prime }(k)\in \mathsf {E} \). Let \( {y}= {\mathtt {loc}}(W^{\prime }(k)) \), \( w_{\pi }=W(f(k)) \) and \( w_{\tau }=W_{\tau }(f_{\tau }(k)) \) (the latter is only defined if \( k\gt \min (P) \)). We prove that each of the conditions in Definition 7.3 holds:
(1)
We prove that \( W^{\prime }(k) \not\in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }\cup \lbrace {W^{\prime }(j)\; | \;1\le j \lt k}\rbrace ]})} \). Suppose otherwise. First, note that we cannot have \( k \in P \), since \( e \) is a maximal element in \( G^{\prime }.{\color{blue} {\mathtt {hb}}} \). Consider the two possible cases:
\( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \): The definition of \( W^{\prime } \) ensures that we have \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), and so \( w_{\pi }\in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). Since \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent, we have that \( w_{\pi }\not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \), and therefore it must be the case that \( {\langle {w_{\pi },e}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,(G.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,G^{\prime }.{\color{green} {\mathsf {rf}}})^? \) and \( {\pi }={\tau } \). Now, if \( w_{\pi }\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^? \mathbin {;}\,[\mathsf {E}^{\tau }]})} \), then since \( {\pi }={\tau } \), we have \( W(2)=L(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}})={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(w_{\pi })}) \), and we obtain a contradiction to the fact that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent. Otherwise, we have \( {\langle {w_{\pi },w}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}} \). Since \( {\pi }={\tau } \), we have \( L(1)={o} \), and the definition of \( w \) ensures that \( {\langle {w,W(1)}\rangle }\in G.{\mathtt {po}}^? \). 
It follows that \( {\langle {w_{\pi },W(1)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \), which again contradicts the fact that \( W \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
\( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \) for some \( 1\le j \lt k \). Consider the two possible cases:
\( W^{\prime }(j)=e \): In this case, we must have \( k\gt \min (P) \), and so \( W^{\prime }(k)=\max _{G.{\color{blue} {\mathtt {hb}}}} \lbrace {w_{\pi },w_{\tau }}\rbrace \). Hence, we have \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \). There are four possibilities:
\( W^{\prime }(k)=w \): In this case, we have \( {\langle {w_{\tau },w}\rangle } \in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \). Since \( L_{\tau }(1)={o} \), the definition of \( w \) ensures that \( {\langle {w,W_{\tau }(1)}\rangle }\in G.{\mathtt {po}}^? \). Hence, \( {\langle {w_{\tau },W_{\tau }(1)}\rangle } \in G.{\color{blue} {\mathtt {hb}}}^? \). Since \( L_{\tau }(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}})={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W_{\tau }(f_{\tau }(k)))}) \), we obtain a contradiction to the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
\( {\langle {W^{\prime }(k),w}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \): This contradicts the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_{\tau } \), as \( {\langle {w,W_{\tau }(1)}\rangle }\in G.{\mathtt {po}}^? \) and \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), implying that \( {\langle {w_{\tau },W_{\tau }(1)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \).
\( {\langle {W^{\prime }(k),e}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,G^{\prime }.{\mathtt {po}} \): This also contradicts the \( {\langle {G,{\tau }}\rangle } \)-consistency of \( W_{\tau } \), as we get that \( w_{\tau }\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
\( {y}={x} \) and \( {\langle {W^{\prime }(k),e}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,G^{\prime }.{\mathtt {po}} \): In this case, we have \( {\langle {w_{\tau },e}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^?\mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}\mathbin {;}\,G^{\prime }.{\mathtt {po}} \), and so \( w_{\tau }\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^? \mathbin {;}\,[\mathsf {E}^{\tau }]})} \). But, since \( W_{\tau }(2)=L_{\tau }(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}})={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(w_{\tau })}) \), we obtain a contradiction to the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
\( W^{\prime }(j)\ne e \): This case is proved exactly as the corresponding case in the proof for \( {\mathsf {SRA}} \).
(2)
Suppose by contradiction that there exists \( i\lt k \) with \( W^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \) but \( W^{\prime }(k) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). Note that the definition of \( W^{\prime } \) ensures that \( W^{\prime }(i)=L^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \), and since \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, it follows that \( W(f(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \). Consider the two possible cases:
\( W^{\prime }(k)=e \): In this case, we must have \( {y}={x} \), \( {\pi }={\tau } \) and \( i \lt \max ({\mathcal {{P}}}({\tau },L^{\prime })) \). Since \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), we cannot have \( L^{\prime }(i) = {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \).
\( W^{\prime }(k)\ne e \): In this case, the definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), and so \( w_{\pi }\in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). Since \( w_{\pi }\ne e \) (as \( w_{\pi }\in G.{\mathtt {E}} \)), it follows that \( w_{\pi }\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\pi }]})} \). Since \( W(f(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \), this contradicts the fact that \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent.
(3)
Suppose by contradiction that there exists \( j\lt i\lt k \) with \( W^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \) but \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Note that the definition of \( W^{\prime } \) ensures that \( W^{\prime }(i)=L^{\prime }(i)={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \), and since \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, it follows that \( W(f(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \). In addition, since \( W_{\tau } \) is a \( {\langle {G,L_{\tau },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, it follows that \( W_{\tau }(f_{\tau }(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \) if \( i\gt \min (P) \). Consider the possible cases:
\( W^{\prime }(k)=e \): In this case, we must have \( {y}={x} \) and \( W^{\prime }(j)=e \). It follows that \( k,j\in P \), and since \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \), we cannot have \( L^{\prime }(i) = {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \).
\( W^{\prime }(k)\ne e \) and \( W^{\prime }(j)= e \): In this case, we must have \( i,k\gt \min (P) \), and so \( W^{\prime }(k)=\max _{G.{\color{blue} {\mathtt {hb}}}} \lbrace {w_{\pi },w_{\tau }}\rbrace \) and \( W_{\tau }(f_{\tau }(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \). Hence, we have \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), and so \( {\langle {w_{\tau },e}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Since \( w_{\tau }\ne e \) (as \( w_{\tau }\in G.{\mathtt {E}} \)), it follows that \( w_{\tau }\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^? \mathbin {;}\,[\mathsf {E}^{\tau }]})} \). Since \( W_{\tau }(f_{\tau }(i))={{\mathtt {O}}_{\mathtt {W}}}({{y}}) \), this contradicts the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
\( W^{\prime }(k)\ne e \) and \( W^{\prime }(j) \ne e \): In this case, we must have \( {\langle {W^{\prime }(k),W^{\prime }(j)}\rangle }\in G.{\color{blue} {\mathtt {hb}}}^? \). Let \( w^j_{\pi }=W(f(j)) \) and \( w^j_{\tau }=W_{\tau }(f_{\tau }(j)) \) (the latter is only defined if \( j\gt \min (P) \)). Our construction ensures that one of the following holds:
\( W^{\prime }(j)=w^j_{\pi } \): Since \( W^{\prime }(k)\ne e \), the definition of \( W^{\prime } \) ensures that \( {\langle {w_{\pi },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), and so \( {\langle {w_{\pi },w^j_{\pi }}\rangle } \in G.{\color{blue} {\mathtt {hb}}}^? \). This contradicts the fact that \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent.
\( W^{\prime }(j)=w^j_{\tau } \): In this case, we have \( j\gt \min (P) \), and so \( k\gt \min (P) \). Since \( W^{\prime }(k)\ne e \), the definition of \( W^{\prime } \) ensures that \( {\langle {w_{\tau },W^{\prime }(k)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}^? \), and so \( {\langle {w_{\tau },w^j_{\tau }}\rangle } \in G.{\color{blue} {\mathtt {hb}}}^? \). This contradicts the fact that \( W_{\tau } \) is \( {\langle {G,{\tau }}\rangle } \)-consistent.
Finally, the lower step is handled exactly as for \( {\mathsf {SRA}} \).□
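The next lemma is established via a backward-simulation argument. As a toy illustration of the proof obligation only (the mini transition systems, state names, and encoding below are ours; they do not model \( {\mathsf {op}{{\mathsf {WRA}}}} \) or \( {\mathsf {lo}{{\mathsf {WRA}}}} \) themselves), the step condition of a backward simulation on finite systems can be checked by enumeration: whenever \( a\xrightarrow {l}a^{\prime } \) and \( a^{\prime } \) is related to \( b^{\prime } \), some \( b \) related to \( a \) must take a matching step \( b\xrightarrow {l}b^{\prime } \).

```python
# Toy backward-simulation check over finite labeled transition systems.
# steps_a / steps_b map each state to a set of (label, successor) pairs;
# rel is a set of pairs (a, b) relating A-states to B-states.
# Only the step condition is checked here: whenever a --l--> a2 and
# (a2, b2) in rel, some b with (a, b) in rel must satisfy b --l--> b2.

def backward_step_condition(rel, steps_a, steps_b):
    for a, succs in steps_a.items():
        for (lbl, a2) in succs:
            for (x, b2) in rel:
                if x != a2:
                    continue
                # look for a matching predecessor step in B
                if not any((a, b) in rel and (lbl, b2) in steps_b.get(b, set())
                           for b in steps_b):
                    return False
    return True
```

In the lemma, the roles are played by \( \curlyvee ^{-1} \) (as the relation), \( {\mathsf {op}{{\mathsf {WRA}}}} \) (as system A), and \( {\mathsf {lo}{{\mathsf {WRA}}}} \) (as system B); the proof below discharges exactly this obligation, case by case on the label.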
For every trace of \( \mathsf {op} \)\( {\mathsf {WRA}} \) there is an equivalent trace of \( \mathsf {lo} \)\( {\mathsf {WRA}} \).
As described in Section 7, we show that \( \curlyvee ^{-1} \) constitutes a backward simulation from \( {\mathsf {op}{{\mathsf {WRA}}}} \) to \( {\mathsf {lo}{{\mathsf {WRA}}}} \). We detail here the simulation step. Suppose that \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \) and \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \). Let \( \mathit {tid}_{\mathtt {RMW}}: \mathsf {W}\rightarrow \mathsf {Tid} \) be a function satisfying the conditions of Definition 7.4, and for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \), we let \( W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) be a \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. We construct a state \( {\mathcal {{B}}} \) such that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \) and \( {\mathcal {{B}}}\curlyvee G \). Consider the possible cases:
\( {l}={{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}}) \):
Let \( w={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \), we have \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {w}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}} \). Let \( {\mathcal {{P}}} \) be the index choice for \( {\mathcal {{B}}}^{\prime } \) that assigns the set of “new” positions in \( {\mathcal {{B}}}^{\prime } \):
Then, we define

By Proposition 8.4, to show that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), it suffices to prove that \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \). Let \( {\pi }_{\mathtt {RMW}}=\mathit {tid}_{\mathtt {RMW}}(w) \). To this end, we show that the following hold for every \( {\pi }\in \mathsf {Tid} \) and \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\pi }) \), where \( P={\mathcal {{P}}}({\pi },L^{\prime }) \) and \( W^{\prime }=W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \):
Let \( k\in P \). Then, we have \( W^{\prime }(k)=w \), and thus \( L^{\prime }(k)={{\mathtt {O}}_{\mathtt {R}}}({{\tau }},{{x}},{v_{\mathtt {W}}},{{\pi }_{\mathtt {RMW}}}) \).
Let \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \) such that \( p_1 \lt k \lt p_2 \) for some \( p_1,p_2\in P \). We show that \( L^{\prime }(k) \ne {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \). Since \( p_1,p_2\in P \), we have \( W^{\prime }(p_1)=W^{\prime }(p_2)=w \), and so \( {\langle {W^{\prime }(p_1),W^{\prime }(p_2)}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Since \( W^{\prime } \) is \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistent (by 3), we cannot have \( W^{\prime }(k)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W^{\prime }(p_2))}) \), and so \( L^{\prime }(k) \ne {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \).
Suppose that \( {\pi }={\tau } \) and let \( k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L^{\prime }}|}\rbrace \setminus P \) such that \( k\lt p \) for some \( p\in P \). We show that \( L^{\prime }(k) \ne {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \). Since \( p\in P \), we have \( W^{\prime }(p)=w \), and so \( W^{\prime }(p)\in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). Since \( W^{\prime } \) is \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistent (by 2), we cannot have \( W^{\prime }(k)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W^{\prime }(p))}) \), and so \( L^{\prime }(k) \ne {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \).
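Schematically, the three properties just established are exactly what a checker for \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \) would test on each option list. The following sketch is our illustrative rendering of these conditions (the tuple encodings of read options \( {{\mathtt {O}}_{\mathtt {R}}} \) and write options \( {{\mathtt {O}}_{\mathtt {W}}} \) are ours, not the paper's formal definitions):

```python
# Our reading of the conditions checked above for an index choice P on a
# single 1-based option list L of thread pi, for a write W(x, v) by tau.
# Encoding (illustrative): a read option is ('R', tid, loc, val, rmw_tid),
# a write option O_W(loc) is ('W', loc).

def models_write(L, P, tau, pi, x, v, pi_rmw):
    for k in P:                         # P-positions carry the new read option
        if L[k - 1] != ('R', tau, x, v, pi_rmw):
            return False
    for k in range(1, len(L) + 1):
        if k in P or L[k - 1] != ('W', x):
            continue
        # no O_W(x) strictly between two positions of P
        if any(p1 < k for p1 in P) and any(k < p2 for p2 in P):
            return False
        # for the writing thread tau, no O_W(x) before any position of P
        if pi == tau and any(k < p for p in P):
            return False
    return True
```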
Next, we prove that \( {\mathcal {{B}}}\curlyvee G \), by showing that for every \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \), there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. (Since \( G.{\color{green} {\mathsf {rf}}}\subseteq G^{\prime }.{\color{green} {\mathsf {rf}}} \), the second condition of \( \curlyvee \) for \( {\mathsf {WRA}} \) (Definition 7.4), namely, that for every \( {\langle {w,e}\rangle }\in G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}] \), we have \( {\mathtt {tid}}(e)=\mathit {tid}_{\mathtt {RMW}}(w) \), trivially holds.) Let \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \). Following the construction of \( {\mathcal {{B}}} \), one of the following holds:
\( {\pi }\ne {\tau } \) and \( L= {L^{\prime }} \setminus {{\mathcal {{P}}}({\pi },L^{\prime })} \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \). Let \( P={\mathcal {{P}}}({\pi },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\pi },L^{\prime }}\rangle }} \) and \( f={{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }} \). We define \( W\triangleq \lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; W^{\prime }(f(k)) \). Using the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, it is easy to see that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list.
It remains to show that \( W \) is \( {\langle {G,{\pi }}\rangle } \)-consistent, that is, to prove that for every \( k \) such that \( W(k)\in \mathsf {E} \), the conditions of Definition 7.3 hold. Indeed, the construction of \( W \) and the fact that \( G.{\color{blue} {\mathtt {hb}}}\subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}} \) directly ensure that these conditions follow from the \( {\langle {G^{\prime },{\pi }}\rangle } \)-consistency of \( W^{\prime } \).
\( {\pi }= {\tau } \) and \( L= {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot ({L^{\prime }} \setminus {{\mathcal {{P}}}({\tau },L^{\prime })}) \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau }) \). Let \( P={\mathcal {{P}}}({\tau },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \) and \( f=\lambda k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-1) \). We define
By the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we get that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. It remains to show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent. Conditions 1 and 3 in Definition 7.3 follow directly from the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). Condition 2, however, deserves more attention, as we added \( {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \) at the start of the list. Assume toward contradiction some \( k \), such that \( W(k)\in \mathsf {E} \), \( {\mathtt {loc}}(W(k)) = {x} \) and \( W(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). Then, since \( W^{\prime }(f(k))=W(k) \), \( w=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \) and \( {\mathtt {loc}}(W(k))={\mathtt {loc}}(w) \), we have \( {\langle {W^{\prime }(f(k)),w}\rangle }\in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \), contradicting (1 in) the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \).
\( {\pi }= {\tau } \) and \( L= {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot ({L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}({\eta },L^{\prime })}) \) for some \( {\eta }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\eta }) \).
Let \( P={\mathcal {{P}}}({\eta },L^{\prime }) \), \( m=\min (P) \), \( W^{\prime }=W^{\prime }_{{\langle {{\eta },L^{\prime }}\rangle }} \) and \( f=\lambda k\in \lbrace {2{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {MMap}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-1) \). We define:
By the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we get that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. It remains to show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent. Condition 3 follows directly from the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). We prove the other two conditions:
(1)
The existence of some \( k \), such that \( W(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W(j)\; | \;1\le j \lt k}\rbrace ]})} \) directly contradicts the same condition in the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). Now, assume toward contradiction some \( k \), such that \( W(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). Then, since \( W^{\prime }(f(k))=W(k) \), \( f(k)\gt m \), \( W^{\prime }(m)=w \) and \( w=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), contradicting (1 in) the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \).
(2)
Assume toward contradiction the existence of some \( i\lt k \), such that \( W(i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W(k))}) \) and \( W(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). First, if \( i=1 \), then \( {\mathtt {loc}}(W(k))={x} \), and as above, since \( W^{\prime }(f(k))=W(k) \), \( f(k)\gt m \), \( W^{\prime }(m)=w \) and \( w=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), contradicting (1 in) the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). Now, suppose that \( i\gt 1 \). Then, again, since \( W^{\prime }(f(k))=W(k) \), \( f(k)\gt f(i) \gt m \), \( W^{\prime }(m)=w \) and \( w=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), we have \( {\langle {W^{\prime }(f(k)),W^{\prime }(m)}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \), contradicting (3 in) the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \).
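The index bookkeeping used throughout the write case (removing the chosen positions \( P \) from \( L^{\prime } \), and pulling the write-list back along \( f={{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }} \), so that \( W(k)=W^{\prime }(f(k)) \)) can be sketched concretely as follows; the Python encoding and helper names are ours, purely illustrative:

```python
# Removing the 1-based positions P from L_prime yields L; 'keep' lists the
# surviving old positions in order, so f maps each new position of L back
# to the old position it came from (our reading of Map^{-1}). The induced
# write-list is W_prime pulled back along f: W(k) = W_prime(f(k)).

def restrict(L_prime, W_prime, P):
    keep = [k for k in range(1, len(L_prime) + 1) if k not in P]
    L = [L_prime[k - 1] for k in keep]
    f = {new: old for new, old in enumerate(keep, start=1)}
    W = [W_prime[f[k] - 1] for k in range(1, len(L) + 1)]
    return L, W, f
```

Because each entry of the restricted write-list is an entry of the original one at a larger-or-equal position, consistency conditions stated over earlier positions transfer along \( f \), which is what the cases above exploit.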
\( {l}={{\mathtt {R}}}^{}({{x}},{v_{\mathtt {R}}}) \):
Let \( r={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \), we have that \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {r}\rbrace \) and \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,r}\rangle }}\rbrace \) for some write event \( w\in G.\mathsf {W}_{{x}} \setminus {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \) with \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \).
Let \( {o}={\langle {{\mathtt {tid}}(w), {x}, v_{\mathtt {R}}, \mathit {tid}_{\mathtt {RMW}}(w)}\rangle } \). We define \( {\mathcal {{B}}} \) by:
By definition, we have \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \). We show that \( {\mathcal {{B}}}\curlyvee G \). Note that the second condition of \( \curlyvee \) for \( {\mathsf {WRA}} \) (Definition 7.4) trivially holds, and we need to show that for every \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \), there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list.
For \( {\pi }\ne {\tau } \) and \( L\in {\mathcal {{B}}}({\pi }) \), observe that \( L\in {\mathcal {{B}}}^{\prime }({\pi }) \), and since \( G.{\color{blue} {\mathtt {hb}}}\subseteq G^{\prime }.{\color{blue} {\mathtt {hb}}} \), we have that \( W^{\prime }_{{\langle {{\pi },L}\rangle }} \) is also a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list.
Consider an option list \( L\in {\mathcal {{B}}}({\tau }) \). Let \( L^{\prime } \in {\mathcal {{B}}}^{\prime }({\tau }) \) such that \( L= {o}\cdot L^{\prime } \). Let \( W^{\prime }= W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \). We define \( W\triangleq w \cdot W^{\prime } \). By the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we get that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. It remains to show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent. Given the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \), for 1, we only need to show that \( w \not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which is guaranteed by the properties of \( w \) as stated above (it follows from the preconditions of the read step in \( \mathsf {op} \)\( {\mathsf {WRA}} \)). Condition 2 follows directly from the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). For 3, given the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \), it suffices to handle the case that \( j=1 \). Thus, assume toward contradiction some \( 1 \lt k \le |{L}| \) and \( 1 \lt i \lt k \), such that \( W(i)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W(k))}) \) and \( {\langle {W(k),w}\rangle }\in G.{\color{blue} {\mathtt {hb}}}^? \).
Then, since \( r\in G^{\prime }.\mathsf {E}^{\tau } \) and \( {\langle {w,r}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), we get that \( W^{\prime }(k-1) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), while \( W^{\prime }(i-1)={{\mathtt {O}}_{\mathtt {W}}}({{\mathtt {loc}}(W^{\prime }(k-1))}) \), contradicting (2 in) the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \).
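The read case's construction of \( {\mathcal {{B}}} \) from \( {\mathcal {{B}}}^{\prime } \) amounts to prepending the option \( {o} \) to each of \( {\tau } \)'s lists, leaving other threads' lists unchanged, and correspondingly prepending \( w \) to the write-list, shifting all indices by one. A minimal sketch, with our own encoding (not the paper's formal definitions):

```python
# Our reading of the read backward step on option-list states: prepend the
# read option o to every option list of thread tau; lists of other threads
# are unchanged.
def read_back_step(B_prime, tau, o):
    B = {t: [list(L) for L in Ls] for t, Ls in B_prime.items()}
    B[tau] = [[o] + list(L) for L in B_prime[tau]]
    return B

# The matching write-list prepends w: W(1) = w and W(k) = W_prime(k-1)
# for k > 1, which is why the consistency argument above shifts indices.
def prepend_write(W_prime, w):
    return [w] + list(W_prime)
```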
\( {l}={{\mathtt {RMW}}}^{}({{x}},{v_{\mathtt {R}}},{v_{\mathtt {W}}}) \):
Let \( e={\mathsf {NextEvent}}(G.{\mathtt {E}},{\tau },{l}) \). Since \( G {{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {op}{{\mathsf {WRA}}}}}}{}} G^{\prime } \), we have \( G^{\prime }.{\mathtt {E}}= G.{\mathtt {E}}\cup \lbrace {e}\rbrace \), \( G^{\prime }.{\color{green} {\mathsf {rf}}}= G.{\color{green} {\mathsf {rf}}}\cup \lbrace {{\langle {w,e}\rangle }}\rbrace \) and \( {\mathtt {val}_{\mathtt {W}}}(w)=v_{\mathtt {R}} \), for some \( w\in G.\mathsf {W}_{{x}} \), such that \( w\not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}]\mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \) and \( w\not\in {\it dom}{({G.{\color{green} {\mathsf {rf}}}\mathbin {;}\,[\mathsf {RMW}]})} \).
Let \( {\mathcal {{P}}} \) be the index choice for \( {\mathcal {{B}}}^{\prime } \) that assigns the set of “new” positions in \( {\mathcal {{B}}}^{\prime } \):
Then, we define:
where \( {o} \) is the read option given by \( {o}\triangleq {{\mathtt {O}}_{\mathtt {R}}}({{\mathtt {tid}}(w)},{{x}},{v_{\mathtt {R}}},{{\tau }}) \).
Using Proposition 8.4, to show that \( {\mathcal {{B}}}{{}\mathrel {{\xrightarrow {{\tau },{l}}}_{{\mathsf {lo}{{\mathsf {WRA}}}}}}{}} {\mathcal {{B}}}^{\prime } \), it suffices to prove that \( {{\mathcal {{P}}}}\models _{{\mathsf {WRA}}}{{\langle {{{\tau }},{{{\mathtt {W}}}^{}({{x}},{v_{\mathtt {W}}})}}\rangle }} \). This is done as in the write case, together with the following observation: Since \( e\in G^{\prime }.{\mathtt {E}}^{\tau } \), \( e\in \mathsf {RMW} \) and \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), the fact that \( \mathit {tid}_{\mathtt {RMW}} \) witnesses \( {\mathcal {{B}}}^{\prime } \curlyvee G^{\prime } \) guarantees that \( \mathit {tid}_{\mathtt {RMW}}(w) = {\tau } \).
It remains to show that \( {\mathcal {{B}}}\curlyvee G \). We show that for every \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \), there exists a \( {\langle {G,{\pi }}\rangle } \)-consistent \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list. (The second condition of \( \curlyvee \) for \( {\mathsf {WRA}} \) (Definition 7.4) trivially holds.) Let \( {\pi }\in \mathsf {Tid} \) and \( L\in {\mathcal {{B}}}({\pi }) \). Following the construction of \( {\mathcal {{B}}} \), one of the following holds:
\( {\pi }\ne {\tau } \) and \( L= {L^{\prime }} \setminus {{\mathcal {{P}}}({\pi },L^{\prime })} \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\pi }) \). This case is exactly the same as the analogous case in the write step.
\( {\pi }= {\tau } \) and \( L= {o}\cdot {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot ({L^{\prime }} \setminus {{\mathcal {{P}}}({\tau },L^{\prime })}) \) for some \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\tau }) \). Let \( P={\mathcal {{P}}}({\tau },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \) and \( f=\lambda k\in \lbrace {3{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {Map}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-2) \). We define:
\( W = \lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {\left\lbrace \begin{array}{ll} w & k=1 \\ {{\mathtt {O}}_{\mathtt {W}}}({{x}}) & k=2 \\ W^{\prime }(f(k)) & 2\lt k\le |{L}| \end{array}\right.} \)
By the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we get that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, and we show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent:
(1)
Observe first that \( W(1)=w \) and \( w \not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \) is guaranteed by the properties of \( w \) stated above (it follows from the preconditions of the rmw step in \( \mathsf {op} \)\( {\mathsf {WRA}} \)). Now, consider some \( 2\lt k \le |{L}| \). By the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \), we have \( W(k) \not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {W(j)\; | \;3\le j \lt k}\rbrace ]})} \). It remains to show that \( {\langle {W(k),w}\rangle } \not\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Indeed, were this not the case, then since \( {\langle {w,e}\rangle } \in G^{\prime }.{\color{green} {\mathsf {rf}}} \) and \( e\in \mathsf {E}^{\tau } \), we would have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), contradicting condition (1) of the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \).
(2)
Due to adding \( W(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}}) \), which is not present in \( W^{\prime } \), we should ensure that \( W(k) \not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \) for every \( 2\lt k\le |{L}| \). Indeed, this is guaranteed by condition (1) of the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \), as \( e=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), \( {\mathtt {loc}}(W(k))={\mathtt {loc}}(e) \), \( e\in \mathsf {W} \), \( W^{\prime }(f(k))=W(k) \), and \( W^{\prime }(f(k)) \not\in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \).
(3)
Due to adding \( W(1)=w \) and \( W(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}}) \), we should ensure that for every \( 2\lt k\le |{L}| \), if \( {\mathtt {loc}}(W(k))={x} \) then \( {\langle {W(k),w}\rangle }\not\in G.{\color{blue} {\mathtt {hb}}}^? \). First observe that \( W(k)\ne w \): otherwise, since \( W^{\prime }(f(k))= W(k) = w \), \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \) and \( e\in \mathsf {W} \), we would have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \), which contradicts condition (1) of the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime } \). Then, observe that \( {\langle {W(k),w}\rangle }\not\in G.{\color{blue} {\mathtt {hb}}} \), as \( w\in \mathsf {W} \), and we showed while handling condition (1) that \( {\langle {W(k),w}\rangle } \not\in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \).
\( {\pi }= {\tau } \) and \( L= {o}\cdot {{\mathtt {O}}_{\mathtt {W}}}({{x}}) \cdot ({L^{\prime }} {~\setminus \!\setminus ~} {{\mathcal {{P}}}({\eta },L^{\prime })}) \) for some \( {\eta }\in \mathsf {Tid} \) and \( L^{\prime }\in {\mathcal {{B}}}^{\prime }({\eta }) \).
Let \( P={\mathcal {{P}}}({\eta },L^{\prime }) \), \( W^{\prime }=W^{\prime }_{{\langle {{\eta },L^{\prime }}\rangle }} \), \( m=\min (P) \) and \( f=\lambda k\in \lbrace {3{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {{\mathsf {MMap}}}^{-1}_{{\langle {{L^{\prime }},{P}}\rangle }}(k-2) \). We define:
\( W = \lambda k\in \lbrace {1{,}\hspace{-1.0pt}\ldots \hspace{-1.0pt}{,}|{L}|}\rbrace .\; {\left\lbrace \begin{array}{ll} w & k=1 \\ {{\mathtt {O}}_{\mathtt {W}}}({{x}}) & k=2 \\ W^{\prime }(f(k)) & 2\lt k\le |{L}| \end{array}\right.} \)
By the fact that \( W^{\prime } \) is a \( {\langle {G^{\prime },L^{\prime },\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, we get that \( W \) is a \( {\langle {G,L,\mathit {tid}_{\mathtt {RMW}}}\rangle } \)-write-list, and we show that it is \( {\langle {G,{\tau }}\rangle } \)-consistent:
(1)
The difference from the previous case is that we have the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime }_{{\langle {{\eta },L^{\prime }}\rangle }} \) rather than the \( {\langle {G^{\prime },{\tau }}\rangle } \)-consistency of \( W^{\prime }_{{\langle {{\tau },L^{\prime }}\rangle }} \). Hence, we should show that for every \( 2\lt k\le |{L}| \), we still have \( W(k) \not\in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }\cup \lbrace {w}\rbrace ]})} \). Assume first, toward contradiction, that there is some \( k \) such that \( W(k) \in {\it dom}{({G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\mathsf {E}^{\tau }]})} \). Since \( W^{\prime }(f(k))=W(k) \), \( f(k)\gt m \), \( W^{\prime }(m)=e \) and \( e=\max _{G^{\prime }.{\mathtt {po}}} G^{\prime }.\mathsf {E}^{\tau } \), we have \( W^{\prime }(f(k)) \in {\it dom}{({G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^?\mathbin {;}\,[\lbrace {W^{\prime }(j)\; | \;1\le j \lt f(k)}\rbrace ]})} \), contradicting condition (1) of the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). Next, assume toward contradiction that there is some \( k \) such that \( {\langle {W(k),w}\rangle } \in G.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G.{\color{blue} {\mathtt {hb}}}^? \). Then, we reach an analogous contradiction, since \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \).
(2)
Handled exactly as in the analogous case of the write step (referring to \( e \) instead of \( w \)).
(3)
Due to adding \( W(1)=w \) and \( W(2)={{\mathtt {O}}_{\mathtt {W}}}({{x}}) \), we should ensure that for every \( 2\lt k\le |{L}| \), if \( {\mathtt {loc}}(W(k))={x} \) then \( {\langle {W(k),w}\rangle }\not\in G.{\color{blue} {\mathtt {hb}}}^? \). Indeed, assume toward contradiction that \( {\langle {W(k),w}\rangle }\in G.{\color{blue} {\mathtt {hb}}}^? \). Then, since \( {\langle {w,e}\rangle }\in G^{\prime }.{\color{green} {\mathsf {rf}}} \), \( W^{\prime }(m)=e \) and \( e\in \mathsf {W} \), we get that \( {\langle {W^{\prime }(f(k)),W^{\prime }(m)}\rangle } \in G^{\prime }.{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \mathbin {;}\,G^{\prime }.{\color{blue} {\mathtt {hb}}}^? \). Since \( f(k)\gt m \), this contradicts condition (1) of the \( {\langle {G^{\prime },{\eta }}\rangle } \)-consistency of \( W^{\prime } \). \( \Box \)
Acknowledgments
We thank the anonymous reviewers for their helpful feedback, and Jean Pichon-Pharabod and Christopher Pulte for their comments on a previous version of this paper.
Footnotes
1 We refer the reader to Section 3.1 for a detailed discussion of the relation of \( {\mathsf {SRA}} \) and \( {\mathsf {WRA}} \) to other models.
2 To define the \( {\mathsf {WRA}} \) model below, we do not need the modification order. Nevertheless, for uniformity, we include it in the general definition.
3 Since \( {\color{green} {\mathit {rf}}} \) must be an inverse of a function from \( E \cap \mathsf {R} \) (by Definition 2.3) and we require \( {\color{green} {\mathit {rf}}}\subseteq {\color{green} {\mathit {rf}}}^{\prime } \) at each step, we can only generate graphs \( G \) with \( G.{\mathtt {po}}\cup G.{\color{green} {\mathsf {rf}}} \) acyclic. This suffices for the purpose of this article, but would require some generalization if applied to other weak memory models.
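To illustrate the restriction in this footnote, acyclicity of \( G.{\mathtt {po}}\cup G.{\color{green} {\mathsf {rf}}} \) on a finite execution graph is an ordinary graph-acyclicity check. The Python sketch below is for illustration only and is not part of the formal development; the event names and the encoding of edges as pairs are hypothetical.

```python
from collections import deque

def acyclic(nodes, edges):
    """Kahn's algorithm: the directed graph (nodes, edges) is acyclic
    iff a topological sort covers every node."""
    succ = {n: [] for n in nodes}
    indeg = {n: 0 for n in nodes}
    for a, b in edges:
        succ[a].append(b)
        indeg[b] += 1
    queue = deque(n for n in nodes if indeg[n] == 0)
    seen = 0
    while queue:
        n = queue.popleft()
        seen += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    return seen == len(nodes)

# Toy graph: a po edge within one thread and an rf edge across threads.
events = ["w1", "r1", "w2"]
po_rf = {("w1", "r1"), ("w2", "r1")}
assert acyclic(events, po_rf)
# An rf edge pointing back into w2's po-past creates a po ∪ rf cycle.
assert not acyclic(events, po_rf | {("r1", "w2")})
```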
4 Note that because of the domain restrictions on \( {\color{green} {\mathsf {rf}}} \) and \( {\color{orange} {\mathtt {mo}}} \), only RMW events can have both an incoming \( {\color{green} {\mathsf {rf}}} \) edge and an incoming \( {\color{orange} {\mathtt {mo}}} \) edge, so atomicity can be equivalently stated as the irreflexivity of \( G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,G.{\color{orange} {\mathtt {mo}}}\mathbin {;}\,[\mathsf {RMW}] \mathbin {;}\,G.{\color{green} {\mathsf {rf}}}^{-1} \).
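Since all the relations involved are finite, this reformulation of atomicity can be checked by direct relational composition. The following Python sketch is illustrative only (the event names and the encoding of relations as sets of pairs are hypothetical); it flags an RMW that does not read from its immediate \( {\color{orange} {\mathtt {mo}}} \)-predecessor.

```python
def compose(r1, r2):
    """Relational composition r1 ; r2."""
    return {(a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2}

def restrict_cod(r, s):
    """r ; [S]: keep the pairs whose target lies in the set s."""
    return {(a, b) for (a, b) in r if b in s}

def atomicity_violated(mo, rf, rmw):
    """True iff mo ; mo ; [RMW] ; rf^{-1} is not irreflexive."""
    inv_rf = {(b, a) for (a, b) in rf}
    rel = compose(restrict_cod(compose(mo, mo), rmw), inv_rf)
    return any(a == b for (a, b) in rel)

# Toy execution: the RMW u reads from w1, yet w2 is mo-between w1 and u.
mo = {("w1", "w2"), ("w2", "u"), ("w1", "u")}
assert atomicity_violated(mo, rf={("w1", "u")}, rmw={"u"})
# Reading from the immediate mo-predecessor restores atomicity.
assert not atomicity_violated(mo, rf={("w2", "u")}, rmw={"u"})
```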
5 This fact was previously utilized in [31, Section 5], which provided an improved bounded model checking algorithm for write/write-race-free programs and identified that (sound but incomplete) separation-logic-based program logics for \( {\mathsf {RA}} \) essentially make a similar simplification and do not support reasoning about concurrent writes.
6 A similar construction appears in [10] for hardware memory models; the resulting memory systems are called “Intermediate Machines.”
7 A weaker observation, which only considers single reads, was essential for the soundness of OGRA, an Owicki-Gries logic for \( {\mathsf {RA}} \) introduced in [38].
8 We adopt the \( \cdot \parallel \ldots \parallel \cdot \) notation to denote the states of the lossy system. For example, \( {B_1} \parallel {B_2} \parallel {B_3} \parallel {B_4} \) denotes a mapping from \( \mathsf {Tid} \) that assigns \( B_i \) to \( \mathtt {T}_i \) for \( 1\le i\le 4 \) and \( \lbrace {\epsilon }\rbrace \) to all other threads in \( \mathsf {Tid} \).
9 To achieve implicit initialization of all locations to 0, one should take \( {\mathsf {lo}{{\mathsf {SRA}}}}.{\mathtt {Q}_0} \) to consist of all functions assigning to each thread sequences consisting of read options of the form \( {{\mathtt {O}}_{\mathtt {R}}}({\mathtt {T}_0},{{x}},{0},{u}) \), where \( \mathtt {T}_0 \) is a distinguished thread identifier that is not used in programs (corresponding to the initializing thread; see Remark 1).
10 Recall that a backward simulation from an LTS \( A \) to an LTS \( B \) is a relation \( R \subseteq A.{\mathtt {Q}}\times B.{\mathtt {Q}} \) such that (1) \( R \) is total (for every \( q\in A.{\mathtt {Q}} \), we have \( {\langle {q,p}\rangle }\in R \) for some \( p\in B.{\mathtt {Q}} \)); (2) if \( {\langle {q,p}\rangle }\in R \) and \( q\in A.{\mathtt {Q}_0} \), then \( p\in B.{\mathtt {Q}_0} \); and (3) if \( q \mathrel {{\xrightarrow {\sigma }}}_A q^{\prime } \) and \( {\langle {q^{\prime },p^{\prime }}\rangle }\in R \), then there exists \( p\in B.{\mathtt {Q}} \) such that \( p \mathrel {{\xrightarrow {\sigma }}}_B p^{\prime } \) and \( {\langle {q,p}\rangle }\in R \).
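For finite LTSs, the three conditions of a backward simulation can be checked directly. The Python sketch below is illustrative only; its encoding of an LTS as a dict with a state set "Q", initial states "Q0", and labelled transitions "T" is an assumption of this sketch, not notation from the article.

```python
def is_backward_simulation(R, A, B):
    """Check the three backward-simulation conditions for finite LTSs.
    R is a set of pairs (q, p); A and B are dicts with a state set 'Q',
    initial states 'Q0', and transitions 'T' (triples (q, label, q'))."""
    # (1) Totality: every state of A is related to some state of B.
    if any(not any((q, p) in R for p in B["Q"]) for q in A["Q"]):
        return False
    # (2) An initial state of A may only be related to initial states of B.
    if any(q in A["Q0"] and p not in B["Q0"] for (q, p) in R):
        return False
    # (3) Every step q --s--> q' of A with (q', p') in R must be matched
    # backward by some step p --s--> p' of B with (q, p) in R.
    for (q, s, q2) in A["T"]:
        for (q2r, p2) in R:
            if q2r != q2:
                continue
            if not any((p, s, p2) in B["T"] and (q, p) in R for p in B["Q"]):
                return False
    return True

# A two-state LTS backward-simulated by an identical copy of itself.
A = {"Q": {"a0", "a1"}, "Q0": {"a0"}, "T": {("a0", "x", "a1")}}
B = {"Q": {"b0", "b1"}, "Q0": {"b0"}, "T": {("b0", "x", "b1")}}
assert is_backward_simulation({("a0", "b0"), ("a1", "b1")}, A, B)
# Relating the initial state a0 to the non-initial b1 violates (2).
assert not is_backward_simulation({("a0", "b1"), ("a1", "b1")}, A, B)
```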
11 In \( {\mathsf {WRA}} \), the \( {\color{orange} {\mathtt {mo}}} \)-component is immaterial and can be defined arbitrarily, so we ignore this component in this proof. To reduce the amount of duplication, when possible, we refer to the corresponding case in the proof for \( {\mathsf {SRA}} \). To do so, one should replace \( {\color{orange} {\mathtt {mo}}} \) in the proof for \( {\mathsf {SRA}} \) with \( [\mathsf {W}] \mathbin {;}\,{\color{blue} {\mathtt {hb}}}|_{{\mathtt {loc}}}\mathbin {;}\,[\mathsf {W}] \) in the current proof.
12 As before, since the \( {\color{orange} {\mathtt {mo}}} \)-component is immaterial in \( {\mathsf {WRA}} \), we ignore \( {\color{orange} {\mathtt {mo}}} \) in this proof.
References
- [1] 2010. Well (and better) quasi-ordered transition systems. Bull. Symbol. Logic 16, 4 (2010), 457–515. http://www.jstor.org/stable/40961367.
- [2] 2019. Verification of programs under the release-acquire semantics. In Proceedings of PLDI. ACM, New York, NY, 1117–1132.
- [3] 2021. On the state reachability problem for concurrent programs under Power. In Proceedings of NETYS. Springer International Publishing, Cham, 47–59.
- [4] 2018. A load-buffer semantics for total store ordering. Logical Methods in Computer Science 14, 1 (Jan. 2018).
- [5] 2021. The decidability of verification under PS 2.0. In Proceedings of ESOP. Springer International Publishing, Cham, 1–29.
- [6] 2018. Optimal stateless model checking under the release-acquire semantics. Proc. ACM Program. Lang. 2, OOPSLA, Article 135 (Oct. 2018), 29 pages.
- [7] 2019. Parameterized verification under TSO is PSPACE-complete. Proc. ACM Program. Lang. 4, POPL, Article 26 (Dec. 2019), 29 pages.
- [8] 2000. Algorithmic analysis of programs with well quasi-ordered domains. Info. Comput. 160, 1 (2000), 109–127.
- [9] 1990. Weak ordering—A new definition. In Proceedings of ISCA. ACM, New York, NY, 2–14.
- [10] 2014. Herding cats: Modelling, simulation, testing, and data mining for weak memory. ACM Trans. Program. Lang. Syst. 36, 2, Article 7 (July 2014), 74 pages.
- [11] 2013. Non-monotonic snapshot isolation: Scalable and strong consistency for geo-replicated transactional systems. In Proceedings of SRDS. IEEE Computer Society, Washington, DC, 163–172.
- [12] 2010. On the verification problem for weak memory models. In Proceedings of POPL. ACM, New York, NY, 7–18.
- [13] 2012. What’s decidable about weak memory models? In Proceedings of ESOP. Springer-Verlag, Berlin, 26–46.
- [14] 2015. The problem of programming language concurrency semantics. In Proceedings of ESOP. Springer, Berlin, 283–307.
- [15] 2011. Mathematizing C++ concurrency. In Proceedings of POPL. ACM, New York, NY, 55–66.
- [16] 2016. Robustness against consistency models with atomic visibility. In Proceedings of CONCUR. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 7:1–7:15.
- [17] 2017. On verifying causal consistency. In Proceedings of POPL. ACM, New York, NY, 626–638.
- [18] 2018. Static serializability analysis for causal consistency. In Proceedings of PLDI. ACM, New York, NY, 90–104.
- [19] 2014. Principles of eventual consistency. Found. Trends Program. Lang. 1, 1–2 (Oct. 2014), 1–150.
- [20] 2015. Transaction chopping for parallel snapshot isolation. In Proceedings of DISC. Springer-Verlag, Berlin, 388–404.
- [21] 2017. Algebraic laws for weak consistency. In Proceedings of CONCUR. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 26:1–26:18.
- [22] 1913. Finiteness of the odd perfect and primitive abundant numbers with n distinct prime factors. Amer. J. Math. 35, 4 (1913), 413–422. http://www.jstor.org/stable/2370405.
- [23] 2019. Verifying C11 programs operationally. In Proceedings of PPoPP. ACM, New York, NY, 355–365.
- [24] 2018. Bounding data races in space and time. In Proceedings of PLDI. ACM, New York, NY, 242–255.
- [25] 2001. Well-structured transition systems everywhere! Theoret. Comput. Sci. 256, 1 (2001), 63–92.
- [26] 1952. Ordering by divisibility in abstract algebras. Proc. London Math. Soc. s3-2, 1 (1952), 326–336.
- [27] 2011. Programming language C++.
- [28] 2011. Programming language C.
- [29] 2017. Strong logic for weak memory: Reasoning about release-acquire consistency in Iris. In Proceedings of ECOOP. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 17:1–17:29.
- [30] 2017. A promising semantics for relaxed-memory concurrency. In Proceedings of POPL. ACM, New York, NY, 175–189.
- [31] 2017. Effective stateless model checking for C/C++ concurrency. Proc. ACM Program. Lang. 2, POPL, Article 17 (Dec. 2017), 32 pages.
- [32] 1977. Lower bounds for natural proof systems. In Proceedings of SFCS. IEEE Computer Society, Washington, DC, 254–266.
- [33] 2011. Partial-coherence abstractions for relaxed memory models. In Proceedings of PLDI. ACM, New York, NY, 187–198.
- [34] 2019. Verification under causally consistent shared memory. ACM SIGLOG News 6, 2 (April 2019), 43–56.
- [35] 2020. Decidable verification under a causally consistent shared memory. In Proceedings of PLDI. ACM, New York, NY, 211–226.
- [36] 2016. Taming release-acquire consistency. In Proceedings of POPL. ACM, New York, NY, 649–662.
- [37] 2019. Robustness against release/acquire semantics. In Proceedings of PLDI. ACM, New York, NY, 126–141.
- [38] 2015. Owicki-Gries reasoning for weak memory models. In Proceedings of ICALP. Springer-Verlag, Berlin, Heidelberg, 311–323.
- [39] 2016. Explaining relaxed memory models with program transformations. In Proceedings of FM. Springer, Cham, 479–495.
- [40] 2017. Repairing sequential consistency in C/C++11. In Proceedings of PLDI. ACM, New York, NY, 618–632.
- [41] 2020. Promising 2.0: Global optimizations in relaxed memory concurrency. In Proceedings of PLDI. ACM, New York, NY, 362–376.
- [42] 2016. Chapar: Certified causally consistent distributed key-value stores. In Proceedings of POPL. ACM, New York, NY, 357–370.
- [43] 2012. Making geo-replicated systems fast as possible, consistent when necessary. In Proceedings of OSDI. USENIX Association, Berkeley, CA, 265–278. http://dl.acm.org/citation.cfm?id=2387880.2387906.
- [44] 2011. Don’t settle for eventual: Scalable causal consistency for wide-area storage with COPS. In Proceedings of SOSP. ACM, New York, NY, 401–416.
- [45] 2019. C/C++11 mappings to processors. http://www.cl.cam.ac.uk/pes20/cpp/cpp0xmappings.html.
- [46] 2012. A tutorial introduction to the ARM and POWER relaxed memory models. http://www.cl.cam.ac.uk/~pes20/ppc-supplemental/test7.pdf.
- [47] 2018. Automated detection of serializability violations under weak consistency. In Proceedings of CONCUR. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 41:1–41:18.
- [48] 2009. A better x86 memory model: x86-TSO. In Proceedings of TPHOLs. Springer, Heidelberg, 391–407.
- [49] 2018. On parallel snapshot isolation and release/acquire consistency. In Proceedings of ESOP. Springer, Berlin, 940–967.
- [50] 2011. Understanding POWER multiprocessors. In Proceedings of PLDI. ACM, New York, NY, 175–186.
- [51] 2012. Algorithmic aspects of WQO theory. Lecture notes. https://cel.archives-ouvertes.fr/cel-00727025.
- [52] 2011. Transactional storage for geo-replicated systems. In Proceedings of SOSP. ACM, New York, NY, 385–400.
- [53] 2016. From array domains to abstract interpretation under store-buffer-based memory models. In Proceedings of SAS. Springer, Berlin, 469–488.
- [54] 1994. Session guarantees for weakly consistent replicated data. In Proceedings of PDIS. IEEE Computer Society, Washington, DC, 140–149. http://dl.acm.org/citation.cfm?id=645792.668302.
- [55] 2014. GPS: Navigating weak memory with ghosts, protocols, and separation. In Proceedings of OOPSLA. ACM, New York, NY, 691–707.
- [56] 2013. Relaxed separation logic: A program logic for C11 concurrency. In Proceedings of OOPSLA. ACM, New York, NY, 867–884.
- [57] 2016. Consistency in non-transactional distributed storage systems. ACM Comput. Surv. 49, 1, Article 19 (June 2016), 34 pages.
- [58] 2017. Automatically comparing memory consistency models. In Proceedings of POPL. ACM, New York, NY, 190–204.