# Hyperproperty-Preserving Register Specifications

ORI LAHAV

JOINT WORK WITH: YOAV BEN SHIMON AND SHARON SHOHAM

(PRESENTED IN DISC'24)

#### Verification via Abstraction



#### Verification via Abstraction



#### Verification via Abstraction



# Example: Program using Shared Register

```
write(1);
     write(2);
                         b \leftarrow \text{read()};
Register Implementation
      Method write(v)
      Method read()
```

```
b \in \{0,1,2\}
```

# Abstraction via Linearizability [Filipović, O'Hearn, Rinetzky, Yang'10]



# Example: Program using Shared Register



 $egin{aligned} \mathbf{Method} \ \mathbf{write}(v) \ X \leftarrow v; \ \mathbf{return}; \end{aligned} \ \mathbf{Method} \ \mathbf{read}() \ | \ out \leftarrow X; \ \mathbf{return} \ out; \end{aligned}$ 

**Atomic Register** 

Since it holds for the atomic register, it will hold for any other linearizable implementation.

## Linearizability [Herlihy, Wing '90]

•  $e \sqsubseteq s$ : concurrent execution e linearized by sequential history s



•An implementation I is *linearizable* (wrt a sequential specification Seq) if there exists a mapping L: executions(I) → Seq such that  $\forall e.e \sqsubseteq L(e)$ 

#### ABD [Attiya, Bar-Noy, Dolev '95]

```
Method read()
                                                                     Function query()
     \langle v, ts \rangle \leftarrow \text{query()};
                                                                          broadcast m = query;
                                                                          wait until |Replies(m)| > N/2;
     update(v, ts);
                                                                          Q \leftarrow \mathbf{pick} \ Q \subseteq Replies(m) \ s.t. \ |Q| > N/2;
     return v;
                                                                          return \max Q;
Method write(v)
                                                                     Background activity by process p:
     \langle \_, \langle t, \_ \rangle \rangle \leftarrow \text{query()};
     update(v, \langle t+1, my\_process\_id()\rangle);
                                                                     when m \in Broadcasts received
                                                                          if m = query then
     return;
                                                                                reply \langle v_p, ts_p \rangle to m;
Function update (v, ts)
                                                                          if m = update(v, ts) then
     broadcast m = update(v, ts);
                                                                                \langle v_p, ts_p \rangle \leftarrow \max\{\langle v, ts \rangle, \langle v_p, ts_p \rangle\};
     wait until |Replies(m)| > N/2;
                                                                               reply "ack" to m;
     return;
```

- Message passing implementation of a register
- Tolerates process crashes as long as less than half of the processes crash
- Linearizable

#### Abstraction via Linearizability [Filipović, O'Hearn, Rinetzky, Yang'10]



- •Works when  $\varphi$  is a **trace property** (e.g., bad state not reachable)
- Does not work for hyperproperties! [Golab, Higham, Woelfel '11] [Attiya, Enea '19]

# Example: Program using Shared Register

 $egin{aligned} \mathbf{Method\ write}(v) \ & X \leftarrow v; \ & \mathbf{return}; \end{aligned} \ \mathbf{Method\ read}() \ & out \leftarrow X; \ & \mathbf{return\ }out; \end{aligned}$ 

**Atomic Register** 

 $\varphi = \text{"Pr}[a = b] \neq 1 \text{ for any strong adversary"}$ 

sees coin toss results controls scheduling & non-determinism

# Example: Program using Shared Register

**Atomic Register** 



sees coin toss results controls scheduling & non-determinism

```
write(1);
write(2); ||b \leftarrow \text{read}();
a \leftarrow \text{coin()};
```

Method write (v)

$$X \leftarrow v;$$
 return;

Method read()

```
out_1 \leftarrow X;
out_2 \leftarrow X;
if * then return out_1;
else return out_2;
```

 $\varphi = \text{"Pr}[a = b] \neq 1 \text{ for }$ any strong adversary"

sees coin toss results controls scheduling & non-determinism

linearizable

#### Method write(v)

 $X \leftarrow v;$  return;

Method read()

$$out_1 \leftarrow X;$$
  
 $out_2 \leftarrow X;$   
**if** \* **then return**  $out_1;$   
**else return**  $out_2;$ 

 $\varphi = \text{"Pr}[a = b] \neq 1 \text{ for any strong adversary"}$ 



sees coin toss results controls scheduling & non-determinism



# Hyperproperty Preservation via Strong Linearizability

•If  $\varphi$  is a <u>property of sets</u> of traces generated by strong adversaries: "hyperproperty"



# Strong Linearizability [Golab, Higham, Woelfel '11]

- •An implementation *I* is:
  - **Linearizable** if there exists a mapping L: executions(I) → Seq s.t.  $\forall e.e \sqsubseteq L(e)$
  - •Strongly Linearizable if  $e_1 \leq_{\text{prefix}} e_2 \Longrightarrow L(e_1) \leq_{\text{prefix}} L(e_2)$

$$L($$
  $) =$ 

|          | Linearizability | Strong Linearizability |
|----------|-----------------|------------------------|
| <u> </u> | ✓               | ✓                      |
| <b>─</b> | ✓               | X                      |
| <u> </u> | ✓               | X                      |

#### Double-Load Register is not Strongly Linearizable



# Strong Linearizability is Rarely Achievable

- Various impossibility results for strongly linearizable implementations
- Example: Crash-resilient message passing register implementation
  - No strongly linearizable implementation exists
  - In particular, ABD is not strongly linearizable

How to reason about hyperproperties of clients that use non-strongly linearizable implementations, such as ABD?

#### Our Contributions

- Simple shared memory register specifications
  - In the form of (non-atomic) reference-implementations
  - Enable reasoning about hyperproperties of clients that use *non*-strongly linearizable implementations
  - "Complete" for a range of linearizability classes, including:
    - Write strong-linearizability
       [Hadzilacos, Hu, Toueg '21]
    - Decisive linearizability

**Novel linearizability class** 





# Key idea: Hyperproperty Preservation via Simulation

Preservation of hyperproperties ≡ forward simulation [Attiya, Enea '19] (for a strong adversary)



# Key idea: Hyperproperty Preservation via Simulation

Preservation of hyperproperties ≡ forward simulation [Attiya, Enea '19] (for a strong adversary)



#### Forward Simulation

ullet A relation R relating states of the implementation to states of the specification satisfying the following conditions:







## Double Load Register vs. Atomic Register

**Double-Load Register** 

```
egin{aligned} \mathbf{Method} & \mathtt{write}(v) \ X \leftarrow v; \ & \mathtt{return}; \end{aligned} \ \mathbf{Method} & \mathtt{read}() \ & out_1 \leftarrow X; \ out_2 \leftarrow X; \ & \mathbf{if} * \mathbf{then} & \mathbf{return} & out_1; \ & \mathbf{else} & \mathbf{return} & out_2; \end{aligned}
```

≰simulation

**Atomic Register** 

```
egin{aligned} \mathbf{Method} \ \mathbf{write}(v) \ & X \leftarrow v; \ & \mathbf{return}; \end{aligned} \ \mathbf{Method} \ \mathbf{read}() \ & out \leftarrow X; \ & \mathbf{return} \ out; \end{aligned}
```

# Strong linearizability ≡ forward simulation

(Side note: linearizability  $\equiv$  trace inclusion)

An implementation I is strongly linearizable wrt a sequential specification Seq iff

 $I \leq_{\text{simulation}} At(Seq)$  where At(Seq) is an atomic implementation of Seq



## Complete Implementations

- ${}^{ullet}{\mathcal{C}}$  class of implementations
- ■An implementation I is  $\mathcal{C}$ -hard if  $I' \leq_{\text{simulation}} I$  for all  $I' \in \mathcal{C}$
- ■An implementation I is C- complete if it is C-hard and  $I \in C$
- Example: Atomic implementation is complete for the class of strongly linearizable implementations

 Problem reformulation: devise simple complete implementations for (non-strong) linearizability classes

## Complete Implementations

- ${}^{ullet}{\mathcal{C}}$  class of implementations
- ■An implementation I is  $\mathcal{C}$ -hard if  $I' \leq_{\text{simulation}} I$  for all  $I' \in \mathcal{C}$
- ■An implementation I is C- complete if it is C-hard and  $I \in C$
- Example: Atomic implementation is complete for the class of strongly linearizable implementations

- Problem reformulation: devise simple complete implementations for (non-strong) linearizability classes
- Focus on registers

# $\mathcal{C} = \text{Write Strong Linearizability}_{\text{[Hadzilacos, Hu, Toueg '21]}}$

- •A condition stronger than linearizability but weaker than strong linearizability.
- Write strongly-linearizable MWMR registers are implementable from SWMR registers, unlike for strong linearizability.
- Any linearizable implementation of SWMR registers is write stronglylinearizable (including single-writer ABD)

# $\mathcal{C} = \text{Write Strong Linearizability}_{\text{[Hadzilacos, Hu, Toueg '21]}}$

- An implementation *I* is:
  - **Linearizable** if there exists a mapping L: executions(I) → Seq s.t.  $\forall e.e \sqsubseteq L(e)$
  - Write Strongly Linearizable if  $e_1 \leq_{\text{prefix}} e_2 \Longrightarrow L(e_1)|_W \leq_{\text{prefix}} L(e_2)|_W$
  - Strongly Linearizable if  $e_1 \leq_{\text{prefix}} e_2 \Longrightarrow L(e_1) \leq_{\text{prefix}} L(e_2)$
- Example: the "Double Load Register" is write strongly linearizable
- •How to reason about write strongly linearizable implementations?

"Some randomized algorithms that fail to terminate with linearizable registers, work with write strongly-linearizable ones..."

## A complete implementation for this class

Write Strong Register

```
\begin{array}{lll} \textbf{Method write}(v) & \textbf{Method read()} \\ & X \leftarrow v; & \mathcal{V} \leftarrow \{X\}; \\ & \textbf{return}; & \textbf{do} \\ & & | & \langle \mathcal{V}_{\text{prev}}, \mathcal{V} \rangle \leftarrow \langle \mathcal{V}, \mathcal{V} \cup \{X\} \rangle; \\ & \textbf{while } \mathcal{V} \neq \mathcal{V}_{\text{prev}}; \\ & out \leftarrow \textbf{pick } v \in \mathcal{V}; \\ & \textbf{return } out; \end{array}
```

# A complete implementation for this class

Write Strong Register

Captures hyperproperties of single-writer ABD

#### A complete implementation for this class

Write Strong Register

- Captures hyperproperties of single-writer ABD
- ■What about multi-writer ABD?

## Example: Multiple Writers

```
\begin{array}{c|c} \text{write}(1); & \text{write}(2); \\ a \leftarrow \text{coin}(); & \text{barrier}(); \\ b \leftarrow \text{read}(); \end{array}
```

- •When using multi-writer ABD, a strong adversary can force a=b
- Shared memory implementation capturing this behavior: Try-not-to-store register

# Example: Multiple Writers

```
 \begin{array}{c|c} \text{write}(1); & \text{write}(2); \\ a \leftarrow \text{coin}(); & \text{barrier}(); \\ b \leftarrow \text{read}(); \end{array}
```

Iry-not-to-store Register

- •When using multi-writer ABD, a strong adversary can force a=b
- Shared memory implementation capturing this behavior: Try-not-to-store register



## Reference Implementation for Multi-Writer ABD

- Combines ideas from the "Write-strong" and "Try-not-to-store" registers
  - Comparing version numbers instead of register values
  - Communicating "overwritten" writes to concurrent reads

```
Method write (v)
                                                                                          Method read()
       await L = 0 do s \leftarrow Ver;
                                                                                                  await L = 0 do \langle s, \mathcal{V} \rangle \leftarrow \langle Ver, \{X\} \rangle;
       if * then
                                                                                                  do
              await L = 0 do \langle X, Ver \rangle \leftarrow \langle v, Ver + 1 \rangle;
                                                                                                         atomic
                                                                                                          | \mathcal{V}_{\text{prev}} \leftarrow \mathcal{V}; 
| \mathbf{if} \ Ver \geq s \ \mathbf{then} \ \mathcal{V} \leftarrow \mathcal{V} \cup \{X\};
       else
              await L = 0 \land Ver > s do
                    \langle L, tmp, X, Ver \rangle \leftarrow \langle 1, X, v, Ver - 1 \rangle;
                                                                                                 while V \neq V_{\text{prev}};
             \langle L, X, Ver \rangle \leftarrow \langle 0, tmp, Ver + 1 \rangle;
                                                                                                  out \leftarrow \mathbf{pick} \ v \in \mathcal{V};
       return;
                                                                                                  return out;
```

Captures hyperproperties of multi-writer ABD

# Simple Application

```
write(1); write(2); arrier(); a \leftarrow coin(); b \leftarrow read();

ABD
```

We can use our "Decisive Register" to conclude that a strong adversary **cannot** force a = b

# Simple Application



We can use our "Decisive Register" to conclude that a strong adversary **cannot** force a = b

•Applications beyond ABD?

Decisive linearizability: a new class for which the decisive register is complete

# Decisive Linearizability

- •An implementation *I* is:
  - **Linearizable** if there exists a mapping L: executions(I)  $\rightarrow$  Seq s.t.  $\forall e. e \sqsubseteq L(e)$
  - **Decisively Linearizable** if  $e_1 \leq_{\text{prefix}} e_2 \Longrightarrow L(e_1) \leq_{\text{subsequence}} L(e_2)$
  - Strongly Linearizable if  $e_1 \leq_{\text{prefix}} e_2 \Longrightarrow L(e_1) \leq_{\text{prefix}} L(e_2)$

**Decisive** 

Strong

Lin.

#### Conclusion

- Simple shared memory register specifications:
  - Write strong register
  - Decisive register
  - General construction (in the paper)
- Enable reasoning about hyperproperties of clients that use implementations satisfying different linearizability criteria
- New linearizability class: decisive linearizability
  - Applicable beyond registers





# Ongoing and Future Work

- Compositionality of decisive linearizability
- Using complete objects for automatic linearizability verification
- Going beyond registers (consensus protocols?)
- •Weaker adversaries?
- Preserving certain hyperproperties

# Ongoing and Future Work

- Compositionality of decisive linearizability
- Using complete objects for automatic linearizability verification
- Going beyond registers (consensus protocols?)
- •Weaker adversaries?
- Preserving certain hyperproperties

#### Thank You!