# Lecture 5: Memory and Concurrent Access

Based on material from Chapter 5, Specifying Systems by Leslie Lamport

#### Today's plan

- Review TLA+
- Specify a memory interface
- Specify linearizable memory
- Implement a linearizable cache on top of linearizable memory
- Review refinement

### TLA+ review

#### Definition: State

- A *state* is an assignment of values to (*all*) variables
- TLA+ notation:  $[var_1 = value_1, var_2 = value_2, \cdots]$

#### Definition: *Behavior*

- A *behavior* is a sequence of states
- Notation:  $state_1 \rightarrow state_2 \rightarrow state_3 \rightarrow \cdots$
- Example:  $[hr = 11] \rightarrow [hr = 12] \rightarrow [hr = 1]$

#### Definition: Step

- A *step* consists of two consecutive states in a behavior
- aka transition
- Notation:  $state_1 \rightarrow state_2$
- Example:  $[hr = 3] \rightarrow [hr = 4]$

#### Definition: Specification

- A specification is a set of all possible behaviors
- Consists of at least two parts
  - 1. Set of all possible *initial states*
  - 2. A "next-state" relation that describes the ways a state may change in a step
    - i.e., the set of all possible pairs of states
- May also contain a liveness condition and some theorems

#### Set of Initial States

- Example: HCini  $\triangleq hr \in \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$
- A set of states can often be succinctly described by a predicate
  - Example: HCini  $\triangleq hr \in \mathbb{N} \land 1 \leq hr \land hr \leq 12$

#### Definition: Action

- An *action* is a predicate over a pair of states in a step
- Example: HCnxt  $\triangleq hr' = hr \% 12 + 1$
- hr' is the value of hr in the new state; hr is the value in the old state

#### Definition: Stuttering steps

- A stuttering step keeps (certain) state variable unchanged
- Example:

 $[hr' = hr \% 12 + 1]_{hr} \triangleq (hr' = hr \% 12 + 1) \lor (hr' = hr)$ 

#### Definition: State Function/Predicate

- A state function is a first-order logic expression
- A *state predicate* is a Boolean state function

#### Definition: Temporal Formula

- A *temporal formula* F assigns a Boolean value to a behavior  $\sigma$
- $\sigma \models F$  means that F holds over  $\sigma$
- If P is a state predicate, then  $\sigma \vDash P$  means that P holds over the first state in  $\sigma$
- If A is an action, then  $\sigma \vDash A$  means that A holds over the first two states in  $\sigma$
- If A is an action, then  $\sigma \models [A]_v$  means that the first step in  $\sigma$  is an A step or a stuttering step with respect to v



- $\sigma \models \Box F$  means that F holds over every suffix of  $\sigma$
- More formally
  - Let  $\sigma^{+n}$  be  $\sigma$  with the first n states removed
  - Then  $\sigma \models \Box F \triangleq \forall n \in \mathbb{N}$ :  $\sigma^{+n} \models F$

#### Example specification: hardware clock

Module HourClock

- VARIABLE hr
- HCini  $\triangleq hr \in \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$
- HCnxt  $\triangleq hr' = hr \mod 12 + 1$
- HC  $\triangleq$  HCini  $\land \Box$  [HCnxt]<sub>hr</sub>

#### Definition: Theorem

- A *theorem* is a temporal formula that holds over every behavior of the specification
- Example:  $HC \Rightarrow \Box hr \in \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12\}$ 
  - That is,  $HC \Rightarrow \Box$  HCini

#### Definition: Invariant

• If S is a specification and I is a predicate and  $S \Rightarrow \Box I$  is a theorem then we call I an *invariant* of S.

# Modeling Shared Memory

#### (naïve) attempt: function [Address → Value]

- CONSTANTS Adr, Val
- VARIABLE mem
- TypeInvariant  $\triangleq mem \in [Adr \rightarrow Val]$
- $\operatorname{Read}(a) \triangleq mem[a]$
- Write(a, v)  $\triangleq mem' = [mem EXCEPT ! [<math>a$ ] = v]

#### (naïve) attempt 1: function [Address → Value]

- CONSTANTS Adr, Val
- VARIABLE mem
- TypeInvariant  $\triangleq mem \in [Adr \rightarrow Val]$
- $\operatorname{Read}(a) \triangleq mem[a]$
- Write(a, v)  $\triangleq mem' = [mem EXCEPT ! [a] = v]$

Ignores how processes interact with memory Ignores memory coherence properties

#### A Memory System



VARIABLE memInt

| CONSTANTS $Send(\_, \_, \_, \_)$ | , _),  | A $Send(p, d, memInt, memInt')$ step represents processor $p$ sending value $d$ to the memory. |
|----------------------------------|--------|------------------------------------------------------------------------------------------------|
| $Reply(\_,\_,\_,\_),$            |        | A $Reply(p, d, memInt, memInt')$ step represents the memory sending value d to processor p.    |
| InitMemInt,                      | The se | et of possible initial values of <i>memInt</i> .                                               |
| Proc,                            | The se | et of processor identifiers.                                                                   |
| Adr,                             | The se | et of memory addresses.                                                                        |
| Val                              | The se | et of memory values.                                                                           |

ASSUME  $\forall p, d, miOld, miNew : \land Send(p, d, miOld, miNew) \in BOOLEAN$  $\land Reply(p, d, miOld, miNew) \in BOOLEAN$ 

| VARIABLE memInt                |                                                                                                   |   |  |  |  |
|--------------------------------|---------------------------------------------------------------------------------------------------|---|--|--|--|
| CONSTANTS $Send(\_, \_, \_,,)$ | ), A $Send(p, d, memInt, memInt')$ step represents processor $p$ sending value $d$ to the memory. |   |  |  |  |
| $Reply(\_, \_, \_, \_,$        | -), A Reply(p, d, memInt, memInt') step represents the memory sending value d to processor p.     | Ţ |  |  |  |
| InitMemInt,                    | The set of possible initial values of <i>memInt</i> .                                             |   |  |  |  |
| Proc,                          | The set of processor identifiers.                                                                 |   |  |  |  |
| Adr,                           | The set of memory addresses.                                                                      |   |  |  |  |
| Val                            | The set of memory values.                                                                         |   |  |  |  |

 $\begin{array}{l} \text{ASSUME } \forall \ p, \ d, \ miOld, \ miNew \ : \ \land \ Send(p, \ d, \ miOld, \ miNew) \in \text{BOOLEAN} \\ & \land \ Reply(p, \ d, \ miOld, \ miNew) \in \text{BOOLEAN} \end{array}$ 

VARIABLE memInt

| CONSTANTS             | $Send(\_,\_,\_,\_),$ |        | A $Send(p, d, memInt, memInt')$ step represents processor $p$ sending value $d$ to the memory. |
|-----------------------|----------------------|--------|------------------------------------------------------------------------------------------------|
| $Reply(\_,\_,\_,\_),$ |                      | , _),  | A $Reply(p, d, memInt, memInt')$ step represents the memory sending value d to processor p.    |
|                       | InitMemInt,          | The se | t of possible initial values of <i>memInt</i> .                                                |
|                       | Proc,                | The se | t of processor identifiers.                                                                    |
|                       | Adr,                 | The se | t of memory addresses.                                                                         |
|                       | Val                  | The se | t of memory values.                                                                            |

ASSUME  $\forall p, d, miOld, miNew : \land Send(p, d, miOld, miNew) \in BOOLEAN \land Reply(p, d, miOld, miNew) \in BOOLEAN$ 

 $MReq \triangleq [op: \{ "\mathsf{Rd}" \}, adr: Adr] \cup [op: \{ "\mathsf{Wr}" \}, adr: Adr, val: Val ]$ 

The set of all requests; a read specifies an address, a write specifies an address and a value.

#### A Memory System



VARIABLE memInt

| CONSTANTS $Send(\_, \_, \_, \_,$ | , _),                             | A $Send(p, d, memInt, memInt')$ step represents processor $p$ sending value $d$ to the memory. |  |
|----------------------------------|-----------------------------------|------------------------------------------------------------------------------------------------|--|
|                                  |                                   | A $Reply(p, d, memInt, memInt')$ step represents the memory sending value d to processor p.    |  |
| InitMemInt,                      | The se                            | t of possible initial values of <i>memInt</i> .                                                |  |
| Proc,                            | The set of processor identifiers. |                                                                                                |  |
| Adr,                             | The set of memory addresses.      |                                                                                                |  |
| Val                              | The se                            | t of memory values.                                                                            |  |

 $MReq \triangleq [op: \{ \text{``Rd''}\}, adr: Adr] \cup [op: \{ \text{``Wr''}\}, adr: Adr, val: Val]$ The set of all requests; a read specifies an address, a write specifies an address and a value.

 $NoVal \triangleq$  CHOOSE  $v : v \notin Val$  An arbitrary value not in Val.

# A Linearizable Memory System

#### Linearizability [Herlihy & Wing 1990]



#### MODULE InternalMemory

EXTENDS MemoryInterface VARIABLES mem, ctl, buf

Initially, memory locations have any values in Val, each processor is ready to issue requests, each buf[p] is arbitrarily initialized to NoVal, and memInt is any element of InitMemInt.

TypeInvariant  $\triangleq$  The type-correctness invariant.

 $\begin{tabular}{ll} &\wedge mem \in [Adr \rightarrow Val] \\ &\wedge ctl \in [Proc \rightarrow \{``rdy", ``busy", ``done"\}] \\ &\wedge buf \in [Proc \rightarrow MReq \cup Val \cup \{NoVal\}] \end{tabular} \end{tabul$ 

#### Behaviors

 $req \equiv [op \mapsto "Wr", adr \mapsto a, val \mapsto v]$ 

$$\begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= & \dots \\ mem[a] &= & \dots \end{bmatrix} \xrightarrow{Req(p)} \begin{bmatrix} ctl[p] &= "busy" \\ buf[p] &= & req \\ mem[a] &= & \dots \end{bmatrix} \xrightarrow{Do(p)} \begin{bmatrix} ctl[p] &= "done" \\ buf[p] &= & NoVal \\ mem[a] &= & v \end{bmatrix} \xrightarrow{Rsp(p)} \begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= & NoVal \\ mem[a] &= & v \end{bmatrix}$$

 $req \equiv [op \mapsto "Rd", adr \mapsto a]$ 

$$\begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= & \dots \\ mem[a] &= & \dots \end{bmatrix} \xrightarrow{Req(p)} \begin{bmatrix} ctl[p] &= "busy" \\ buf[p] &= & req \\ mem[a] &= & v \end{bmatrix} \xrightarrow{Do(p)} \begin{bmatrix} ctl[p] &= "done" \\ buf[p] &= & v \\ mem[a] &= & v \end{bmatrix} \xrightarrow{Rsp(p)} \begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= & v \\ mem[a] &= & \dots \end{bmatrix}$$

# $\begin{aligned} Req(p) &\triangleq & \text{Processor } p \text{ issues a request.} \\ &\land ctl[p] = \text{``rdy''} & \text{Enabled iff } p \text{ is ready to issue a request.} \\ &\land \exists req \in MReq : & \text{For some request } req: \\ &\land Send(p, req, memInt, memInt') & \text{Send } req \text{ on } \\ &\land buf' = [buf \text{ EXCEPT } ![p] = req] & \text{Set } buf[p] \text{ to} \\ &\land ctl' = [ctl \text{ EXCEPT } ![p] = \text{``busy''}] & \text{Set } ctl[p] \text{ to} \\ &\land unchanged mem \end{aligned}$

Send 
$$req$$
 on the interface.  
Set  $buf[p]$  to the request.  
Set  $ctl[p]$  to "busy".

$$\begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= \dots \\ mem[a] &= \dots \end{bmatrix} \xrightarrow{Req(p)} \begin{bmatrix} ctl[p] &= "busy" \\ buf[p] &= req \\ mem[a] &= \dots \end{bmatrix} \xrightarrow{Do(p)}$$

 $Do(p) \stackrel{\Delta}{=}$  Perform p's request to memory.  $\wedge ctl[p] =$ "busy" Enabled iff *p*'s request is pending.  $\wedge mem' = IF buf[p].op = "Wr"$ THEN [mem EXCEPT]Write to memory on a ![buf[p].adr] = buf[p].val] "Wr" request. ELSE *mem* Leave *mem* unchanged on a "Rd" request.  $\wedge buf' = [buf \text{ EXCEPT}]$ ![p] = IF buf[p].op = "Wr"Set buf[p] to the response: THEN No Val *NoVal* for a write; ELSE mem[buf[p].adr] the memory value for a read.  $\wedge ctl' = [ctl \text{ EXCEPT } ![p] = "done"]$ Set ctl[p] to "done".  $\wedge$  unchanged *memInt* 

$$\begin{bmatrix} ctl[p] &= "busy" \\ buf[p] &= req \\ mem[a] &= \dots \end{bmatrix} \xrightarrow{Do(p)} \begin{bmatrix} ctl[p] &= "done" \\ buf[p] &= NoVal \\ mem[a] &= v \end{bmatrix} \xrightarrow{Rsp(p)}$$

 $Rsp(p) \triangleq$  Return the response to p's request.

 $\land ctl[p] = "done"$  $\land Reply(p, buf[p], memInt, memInt')$  $\land ctl' = [ctl EXCEPT ![p] = "rdy"]$  $\land UNCHANGED \langle mem, buf \rangle$ 

Enabled iff req. is done but resp. not sent. Send the response on the interface. Set ctl[p] to "rdy".

$$\begin{bmatrix} ctl[p] &= "done" \\ buf[p] &= NoVal \\ mem[a] &= v \end{bmatrix} \xrightarrow{Rsp(p)} \begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= NoVal \\ mem[a] &= v \end{bmatrix}$$

EXTENDS MemoryInterface VARIABLES mem, ctl, buf

*Hinit*  $\triangleq$  The initial predicate  $\land mem \in [Adr \rightarrow Val]$ Initially, memory locations have any values in Val,  $\wedge ctl = [p \in Proc \mapsto "rdy"]$ each processor is ready to issue requests,  $\land$  buf = [ $p \in Proc \mapsto NoVal$ ] each buf[p] is arbitrarily initialized to NoVal,  $\land$  memInt  $\in$  InitMemInt and *memInt* is any element of *InitMemInt*. INext  $\triangleq \exists p \in Proc : Req(p) \lor Do(p) \lor Rsp(p)$ The next-state action.  $ISpec \triangleq IInit \land \Box[INext]_{\langle memInt, mem, ctl, buf \rangle}$ The specification. THEOREM  $ISpec \Rightarrow \Box TypeInvariant$ 

EXTENDS MemoryInterface  $Inner(mem, ctl, buf) \triangleq INSTANCE InternalMemory$  $Spec \triangleq \exists mem, ctl, buf : Inner(mem, ctl, buf)!ISpec$ 

Note, this is a "specification" describing behaviors of linearizable memory more than an "implementation" (mapping onto physical hardware). Of course, both can be described by TLA+ formulas.

## Implementing a Write-Through Cache Implements the linearizable memory interface (on top of another)



#### - MODULE WriteThroughCache

EXTENDS Naturals, Sequences, MemoryInterface VARIABLES wmem, ctl, buf, cache, memQ CONSTANT QLen ASSUME (QLen  $\in$  Nat)  $\land$  (QLen > 0)

mem renamed for clarity

 $M \stackrel{\Delta}{=} \text{INSTANCE InternalMemory WITH } mem \leftarrow wmem$ 

Init  $\triangleq$  The initial predicate

 $\wedge M! IInit$  wmem, buf, and ctl are initialized as in the internal memory spec.

 $\wedge$  cache = All caches are initially empty (cache[p][a] = NoVal for all p, a).

$$[p \in Proc \mapsto [a \in Adr \mapsto NoVal]]$$

 $\land memQ = \langle \rangle$  The queue memQ is initially empty.

New *ctl* state "waiting" added

 $\land buf \quad \in [Proc \to MReq \cup Val \cup \{NoVal\}]$ 

 $\land cache \in [Proc \rightarrow [Adr \rightarrow Val \cup \{NoVal\}]]$ 

 $\land memQ \in Seq(Proc \times MReq) \quad memQ \text{ is a sequence of } (proc., request) pairs.$ 

#### Note

In TLA+

- Sequences and tuples are functions [[1 ... ]  $\rightarrow$  values]
- Recall: records are functions [String  $\rightarrow$  values]

#### - MODULE WriteThroughCache

EXTENDS Naturals, Sequences, MemoryInterface VARIABLES wmem, ctl, buf, cache, memQ CONSTANT QLen ASSUME (QLen  $\in$  Nat)  $\land$  (QLen > 0)

mem renamed for clarity

 $M \stackrel{\Delta}{=} \text{INSTANCE InternalMemory WITH } mem \leftarrow wmem$ 

Init  $\triangleq$  The initial predicate

 $\wedge M! IInit$  wmem, buf, and ctl are initialized as in the internal memory spec.

 $\wedge$  cache = All caches are initially empty (cache[p][a] = NoVal for all p, a).

$$[p \in Proc \mapsto [a \in Adr \mapsto NoVal]]$$

 $\land memQ = \langle \rangle$  The queue memQ is initially empty.

New *ctl* state "waiting" added

 $\land buf \quad \in [Proc \to MReq \cup Val \cup \{NoVal\}]$ 

 $\land cache \in [Proc \rightarrow [Adr \rightarrow Val \cup \{NoVal\}]]$ 

 $\land memQ \in Seq(Proc \times MReq) \quad memQ \text{ is a sequence of } (proc., request) pairs.$ 

#### Cache Coherence

 $\begin{array}{ll} Coherence & \triangleq \\ \forall \, p, \, q \in Proc, \, a \in Adr : \\ (No \, Val \notin \{ cache[p][a], \, cache[q][a] \} ) \ \Rightarrow \ (cache[p][a] = cache[q][a]) \end{array}$ 

### External Interface is the same

$$\begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= \dots \\ \dots \end{bmatrix} \xrightarrow{Req(p)} \quad ???????? \xrightarrow{Rsp(p)} \begin{bmatrix} ctl[p] &= "rdy" \\ buf[p] &= \dots \\ \dots \end{bmatrix}$$

 $DoWr(p) \triangleq$  Write to p's cache, update other caches, and enqueue memory update. LET  $r \triangleq buf[p]$  Processor p's request. IN  $\wedge (ctl[p] = "busy") \wedge (r.op = "Wr")$ Enabled if write request pending  $\wedge$  Len(memQ) < QLen and memQ is not full.  $\wedge$  cache' = Update p's cache and any other cache that has a copy.  $[q \in Proc \mapsto IF \ (p = q) \lor (cache[q][r.adr] \neq NoVal)$ THEN [cache[q]] EXCEPT ![r.adr] = r.val]ELSE cache[q] $\wedge memQ' = Append(memQ, \langle p, r \rangle)$ Enqueue write at tail of memQ.  $\wedge$  buf' = [buf EXCEPT ![p] = NoVal] Generate response.  $\wedge ctl' = [ctl \text{ EXCEPT } ![p] = "done"]$ Set *ctl* to indicate request is done.  $\land$  UNCHANGED  $\langle memInt, wmem \rangle$ 

 $MemQWr \stackrel{\Delta}{=}$  Perform write at head of memQ to memory.

- LET  $r \triangleq Head(memQ)[2]$  The request at the head of memQ.
- IN  $\land (memQ \neq \langle \rangle) \land (r.op = "Wr")$  Enabled if Head(memQ) a write.  $\land wmem' =$  Perform the write to memory.

$$[wmem \text{ EXCEPT } ! [r.adr] = r.val]$$

 $\wedge memQ' = Tail(memQ)$ 

Remove the write from memQ.

 $\land$  unchanged (memInt, buf, ctl, cache)

 $RdMiss(p) \triangleq$  Enqueue a request to write value from memory to p's cache.

$$\land (ctl[p] = "busy") \land (buf[p].op = "Rd") \\ \land cache[p][buf[p].adr] = NoVal \\ \land Len(memQ) < QLen \\ \land memQ' = Append(memQ, \langle p, buf[p] \rangle) \\ \land ctl' = [ctl \ \text{EXCEPT} \ ![p] = "waiting"] \\ \land \text{ UNCHANGED } \langle memInt, \ wmem, \ buf, \ cache \rangle$$

Enabled on a read request when the address is not in p's cache and memQ is not full.
Append (p, request) to memQ.
Set ctl[p] to "waiting".

Enabled if a readrequest is pending andaddress is in cache.Get result from cache.Set ctl[p] to "done".

IN f[Len(memQ)]

### Completing the spec

$$\begin{array}{rcl} Next & \triangleq & \lor \exists \ p \in Proc \ : \lor \ Req(p) \lor Rsp(p) \\ & \lor \ RdMiss(p) \lor \ DoRd(p) \lor \ DoWr(p) \\ & \lor \ \exists \ a \in Adr \ : \ Evict(p, a) \\ & \lor \ MemQWr \lor \ MemQRd \end{array}$$

 $Spec \triangleq Init \land \Box[Next]_{(memInt, wmem, buf, ctl, cache, memQ)}$ 

### Theorems

THEOREM  $Spec \Rightarrow \Box TypeInvariant$ THEOREM  $Spec \Rightarrow \Box Coherence$  More like lemmas

 $LM \triangleq$  INSTANCE Memory THEOREM Spec  $\Rightarrow LM!Spec$ 

### Inductive Invariants

THEOREM TypeInvariant  $\land Next \Rightarrow TypeInvariant'$ 

*TypeInvariant* is an invariant of the next-state action

Thus, if *TypeInvariant* holds over initial states, by induction it holds over all states

# Coherence is not an inductive invariant

- Consider a state in which:
  - cache[p1][a] = 1
  - $\forall \langle q, b \rangle$ : cache[q][b] = NoVal
  - wmem[a] = 2
  - $memQ = \langle \langle p2, [op \mapsto "Rd", adr \mapsto a] \rangle \rangle$
- Now take the *MemQRd* step:
  - cache[p1][a] = 1
  - cache[p2][a] = 2

Coherence violated

**Coherence** satisfied

Need to prove an inductive invariant that implies Coherence Suggestions?

# A proposed stronger invariant

- Recall that function *vmem* represents current state of memory
- Inductive Invariant:

 $\forall p \in Proc, a \in Adr: (cache[p][a] = NoVal) \lor (cache[p][a] = vmem[a])$ 

• Implies Coherence

Proving  $Spec \Rightarrow LM! Spec$ 

By definition of *LM*! *Spec*, we need to prove

THEOREM Spec  $\Rightarrow \exists mem, ctl, buf : LM!Inner(mem, ctl, buf)!ISpec$ 

Which means we have to find "*witnesses*" for *mem*, *ctl* and *buf*: this is called a *refinement mapping* 

Any guesses?

Proving 
$$Spec \Rightarrow LM! Spec$$

By definition of *LM*! *Spec*, we need to prove

THEOREM Spec  $\Rightarrow \exists mem, ctl, buf : LM!Inner(mem, ctl, buf)!ISpec$ 

Which means we have to find "*witnesses*" for *mem*, *ctl* and *buf*: this is called a *refinement mapping*:

EXTENDS MemoryInterface VARIABLES mem, ctl, buf

*Hinit*  $\triangleq$  The initial predicate  $\land mem \in [Adr \rightarrow Val]$ Initially, memory locations have any values in Val,  $\wedge ctl = [p \in Proc \mapsto "rdy"]$ each processor is ready to issue requests,  $\land$  buf = [ $p \in Proc \mapsto NoVal$ ] each buf[p] is arbitrarily initialized to NoVal,  $\land$  memInt  $\in$  InitMemInt and *memInt* is any element of *InitMemInt*. INext  $\triangleq \exists p \in Proc : Req(p) \lor Do(p) \lor Rsp(p)$ The next-state action.  $ISpec \triangleq IInit \land \Box[INext]_{\langle memInt, mem, ctl, buf \rangle}$ The specification. THEOREM  $ISpec \Rightarrow \Box TypeInvariant$ 

# Proving refinement

- If F is a formula of module InternalMemory (the high-level spec), let
  - $\overline{F} \equiv LM! Inner(omem, octl, obuf)$
  - That is: F with omem, octl, and obuf substituted for mem, ctl, and buf
- Then we need to prove that  $Spec \Rightarrow \overline{ISpec}$
- Replacing definitions, we need to prove:

$$[nit \land \Box[Next]_{\langle memInt, wmem, buf, ctl, cache, memQ \rangle}$$

$$\Rightarrow \overline{IInit} \land \Box [\overline{INext}]_{\langle memInt, \overline{mem}, \overline{ctl}, \overline{buf} \rangle}$$

• Find an invariant *Inv*:  $\land$  *Init*  $\Rightarrow$  *IInit* step simulation  $\land Inv \land Next \Rightarrow \lor \overline{INext}$  $\lor UNCHANGED \langle memInt, \overline{mem}, \overline{ctl}, \overline{buf} \rangle$ 

Show every step of *WriteThroughCache* is a step of *InternalMemory* or a stuttering step of *InternalMemory* 

## About memory

- Real memory is not linearizable
  - Linearizability is not strong enough for modern processors that submit multiple requests to memory
    - If a processor submits a write and, before completion, a read to the same address, linearizability would allow the second operation to be ordered before the first
  - Linearizability is too strong for concurrent processing
    - If p1 submits operation o1 and p2 submits operation o2 and o1 completes before o2, we
      do not need to require that o1 is ordered before o2 (use locks if you need that)
- Sequential Consistency is more realistic and easier to implement
  - Serializability: result of execution same as some total order of operations
  - Local ordering: operations of a process ordered in submission order
- See Figure 11.7 in *Specifying Systems*

# Final words

- We use TLA+ to *model* a system. You get to choose a level of abstraction. Choose it too high and you won't reveal problems. Choose it too low and you get stuck in the weeds.
- Choosing the level of abstraction involves choosing what constitutes (atomic) steps: grain of atomicity
- Also involves how accurately to model the state (data structures). Consider where you are trying to reveal problems.