6-2-2011

**Constant-RMR Abortable Reader-Priority Reader-Writer Algorithm**

Nan Zheng

*Dartmouth College*

Follow this and additional works at: https://digitalcommons.dartmouth.edu/senior_theses

Part of the Computer Sciences Commons

**Recommended Citation**


https://digitalcommons.dartmouth.edu/senior_theses/71

This Thesis (Undergraduate) is brought to you for free and open access by the Theses and Dissertations at Dartmouth Digital Commons. It has been accepted for inclusion in Dartmouth College Undergraduate Theses by an authorized administrator of Dartmouth Digital Commons. For more information, please contact dartmouthdigitalcommons@groups.dartmouth.edu.
Abstract

The concurrent reader-writer problem \cite{6} involves two classes of processes: readers and writers, both of which wish to access a shared resource. Many readers can access the shared resource at the same time. However, if a writer is accessing the resource, no readers or other writers can access the resource at the same time. In the reader-priority version of the problem, readers are prioritized over writers when processes from both classes are trying to access the shared resource. Previous research \cite{2} showed a reader-priority constant-RMR multi-reader, multi-writer algorithm for Cache-Coherent (CC) systems. However, this algorithm does not allow for readers or writers to abort, which allows readers and writers waiting for the resource to stop trying to access the resource and to quickly return to the Remainder Section of the code, where the process performs tasks unrelated to the shared resource.

This thesis presents an abortable constant-RMR reader-priority multi-reader single-writer algorithm for CC systems. Additionally, we show how to generalize the algorithm into a multi-reader multi-writer algorithm using any given abortable mutual exclusion algorithm. The algorithm is proven rigorously by invariants and tested using a system of mathematical specification and model-checking tools (PlusCal/TLA+/TLC).
Contents

1 Introduction 4

2 Background and Definitions 6
   2.1 Mutual Exclusion ........................................ 6
   2.2 Reader-Writer Problem ................................... 7
   2.3 Reader Priority ............................................. 8
   2.4 Abortability of Reader-Writer Algorithms ................. 9
   2.5 Specification of the Abortable Reader-Priority Reader-Writer Algorithm .......... 10
   2.6 Explanation of RMR (Remote Memory References) complexity ................. 10

3 Hardware Support 12
   3.1 Registers .................................................. 12
   3.2 Fetch and Add (F&A) ....................................... 12
   3.3 Compare and Swap (CAS) .................................. 12
   3.4 Cache Invalidation Models in Cache-Coherent Systems ...................... 13

4 Previous Work 14
   4.1 Constant RMR Reader-Priority Multi-Reader Single-Writer Algorithm ........ 14
   4.2 Abortable Mutual Exclusion Algorithm ................................ 14

5 Abortable Reader-Priority Single-Writer Multi-Reader Algorithm 17
   5.1 Description of the Variables and Their Purpose .......................... 17
   5.2 Reader’s Protocol: Line-by-Line Commentary ................................ 20
   5.4 Promote Procedure: Line-by-Line Commentary ................................ 22

6 Model Checking 24
   6.1 PlusCal ..................................................... 24
   6.2 TLA+ .......................................................... 24
   6.3 TLC ............................................................ 24
7 Proof of Algorithm

7.1 Notation .................................................. 26
7.2 Invariants .................................................. 27
7.3 Proof of Invariants ......................................... 31
7.4 Proof of Properties ........................................ 41

8 Worst-case O(1)-RMR in Conservative Cache Model 47

9 Generalization to Multi-Reader Multi-Writer Algorithm 48

10 Conclusion .................................................. 49

11 Acknowledgments ........................................... 50

References ..................................................... 52

A Appendix ..................................................... 54

A.1 Algorithm and Invariants Specified in PlusCal and TLA+ ................. 54
1 Introduction

In concurrent systems, computation is performed by multiple processes with a shared memory framework. Processes may perform computations asynchronously, involving both local and shared variables. Processes can execute atomic steps (i.e. a step that whose execution cannot be interrupted by that of another process) of code in any order. Concurrent algorithms define code for individual processes to execute in order to correctly interact with other processes in the system.

One of the central areas of research in concurrent programming is the problem of mutual exclusion[9], where many processes contend for a common shared resource that can only be accessed by one process at a time. A well-studied variation of the mutual exclusion problem is the reader-writer problem, where processes attempting to access the shared resource are divided into two classes: readers and writers. Many readers can access the shared resource at the same time. However, if a writer is accessing the resource, no readers or other writers can access the resource at the same time.

There are a number of ways to specify the problem depending on how one prioritizes the classes accessing the shared resource. The three most common specifications include reader-priority (where readers have priority over writers), writer-priority (where writers have priority over readers), and fair-switching or starvation-free (where neither class has priority over the other, and any process wishing to access the shared resource will eventually get its turn). This thesis studies only the reader-priority version of the problem.

Previous research by Bhatt and Jayanti[2] showed a constant-time reader-priority reader-writer algorithm satisfying a large set of desirable properties. However, this algorithm does not allow for reader or writer abort, which allows readers and writers waiting for the resource to stop trying to access the resource and to quickly return to the Remainder Section of the code, where the process performs tasks unrelated to the shared resource.

This thesis presents an abortable reader-priority multi-reader single-writer algorithm. The algorithm presented has constant-time reader and writer abort features while preserving constant-time for the rest of the algorithm in hardware systems where caches are not invalidated when a variable is updated with the same value. In systems where caches are invalidated when a variable is updated to the same value, we show that our algorithm runs in amortized constant-time. We also present
a modification to our algorithm for it to run in constant-time in the latter hardware model for up to $R$ readers (where $R$ is a constant), beyond which the time-complexity will be $O(\frac{n_r}{R})$, where $n_r$ is the number of actual readers in the algorithm.

Additionally, we show how to generalize the algorithm into a multi-reader multi-writer algorithm using any given abortable mutual exclusion algorithm. For example, we can use Jayanti’s abortable mutual exclusion algorithm [10] to generate a $O(\min(k, \log(n_w)))$-time multi-reader multi-writer algorithm, for which $k$ is the number of contending writers for the critical section and $n_w$ is the total number of writers.

Additionally, we provide a formal specification of the single-writer version of the algorithm in PlusCal [13], a formal language that translates pseudocode into TLA+ (Temporal Logic of Actions) [12], a language for specifying and proving properties of both concurrent and sequential systems. We then verify the specifications in the TLC model checker [12] for small sample sets. Finally, we present a formal invariant proof for our algorithm.
2 Background and Definitions

In our computing model, processes communicate asynchronously using shared variables. Each process has its own unique identifier called a process ID (pid). We denote the set of all pids as PID. Each process p has a state, which is the current value of p’s program counter (PC) and all of p’s local variables. We denote p’s PC as PC_p. The configuration of a the system is defined by the values of all the shared variables and the states of all the processes in the system. The initial configuration (C_0) of a system is the configuration before any processes have executed any lines of code.

Processes execute atomic operations by taking steps. When it is a process p’s turn, p transitions from its current configuration C by taking a step s (by executing one line of the code at PC_p) and moving to a new configuration, C.s. We refer to C as the start configuration and C.s as the end configuration of the step s. A series of steps from the initial configuration, C_0, is called a run. A configuration C’ is reachable if the last step of some finite run of the algorithm has an end configuration of C’. We say that a process p has crashed in an infinite run σ if there exists some time t such that after t, p never takes a step.

2.1 Mutual Exclusion

In concurrent programming, there are times when multiple processes wish to access a shared resource (e.g. a global file or data structure). However, accessing and modifying shared data are not always atomic actions and may take multiple steps, during which the shared resource should not be accessed by other processes since it could result in undesirable behavior or race conditions. Thus, mutual exclusion algorithms ensure that a shared resource is only available to one process at a time. The structure of mutual exclusion algorithms is commonly broken down into four sections:

- **Try Section**: the section of code that a process executes when it is attempting to access the shared resource. The Try Section is composed of two parts: a doorway and a waiting room. The **doorway** is a section of code that runs in a bounded number of steps in which a process declares its presence and wish to access the shared resource to the other processes. Immediately following the doorway, the process enters the **waiting room**, where it busy-waits until it is granted permission to enter the CS or decides to abort.
• **Critical Section (CS):** the section of code where the shared resource can be accessed.

• **Exit Section:** the section of code that a process executes just after it leaves the Critical Section, informing other processes that it has finished using the shared resource.

• **Remainder Section:** the section of code that a process executes between the Exit Section and the Try Section when the process has no interest in using the shared resource.

### 2.2 Reader-Writer Problem

The reader-writer problem [6] is a variation of the mutual exclusion program where the processes involved are divided into two classes: readers and writers. If a reader is in the Critical Section (CS) or is enabled to enter the CS, then other readers can be in the CS at the same time. However, if a writer is in the CS, no other readers or writers can be in the CS at the same time.

Each time a process \( p \) tries to access the shared resource is called an *attempt*. An attempt lasts from the moment \( p \) enters the Try Section to the moment \( p \) exits either the Exit Section or the Abort Section. A *read attempt* is an attempt from a reader, and a *write attempt* is an attempt from a writer.

We also introduce the terms *doorway precedes*, *doorway concurrent*, and *enabled*, which we shall use in our description of the properties for the reader-writer problem, modified from Bhatt and Jayanti’s paper [2] to allow for abort:

**Definition 1.** If \( A \) and \( A' \) are any two attempts in a run (possibly by different processes), \( A \) *doorway precedes* \( A' \) if \( A \) completes the doorway before \( A' \) begins the Try Section. \( A \) and \( A' \) are *doorway concurrent* if neither doorway precedes the other.

**Definition 2.** A process \( p \) is *enabled* to enter the CS in configuration \( C \) if \( p \) is in the Try Section in \( C \) and there is an integer \( b \) such that, in all runs from \( C \), \( p \) enters the CS in at most \( b \) of its own steps if \( p \) does not choose to abort in any of those steps.

Effective reader-writer algorithms must satisfy a set of useful properties beyond solving the basic problem. For consistency, the following list of desirable properties in a reader-writer system is replicated almost in verbatim from Bhatt and Jayanti’s paper [2], with edits made to allow for the notion of abortability:
(P1) **Mutual Exclusion:** If a writer is in the CS at any time, then no other process is in the CS at the same time.

(P2) **Bounded Exit:** There is an integer $b$ such that in every run, every process completes the Exit section in at most $b$ of its own steps.

(P3) **First-Come-First-Served (FCFS) among writers:** If $w$ and $w'$ are any two write attempts in a run and $w$ doorway precedes $w'$, then $w'$ does not enter the CS before $w$ if $w$ does not abort during its attempt.

(P4) **First-In-First-Enabled (FIFE) among readers:** Let $r$ and $r'$ be any two read attempts in a run such that $r$ doorway precedes $r'$. If $r'$ enters the CS before $r$, then $r$ is enabled to enter the CS at the time $r'$ enters the CS.

(P5) **Concurrent Entering:** Informally, if all writers are in the Remainder section, readers should not experience any waiting, i.e., every reader in the Try Section should be able to proceed to the CS in a bounded number of its own steps. More precisely, there is an integer $b$ such that, if $\sigma$ is any run from a reachable configuration such that all writers are in the Remainder section in every configuration in $\sigma$, then every read attempt in $\sigma$ executes at most $b$ steps of the Try section before entering the CS.

(P6) **Livelock-freedom:** If no process crashes in an infinite run, then infinitely many attempts complete in that run.

### 2.3 Reader Priority

There are a number of ways to specify the problem depending on the priorities given to the two classes of processes in accessing the shared resource. The three most common specifications include reader-priority (where readers have priority over writers), writer-priority (where writers have priority over readers), and fair-switching or starvation-free (where neither class has priority over the other, and any process wishing to access the shared resource will eventually get its turn). This thesis studies only the reader-priority specification of the problem.

We begin by providing Bhatt and Jayanti’s definition of $>_rp$ in verbatim [2]:

Page 8
Definition 3. Let $r$ and $w$ be a read attempt and a write attempt, respectively, in a run. We define $r >_{rp} w$ if $r$ doorway precedes $w$, or there is a time when some reader or writer is in the CS, $r$ is in the waiting room, and $w$ is in the Try Section.

We now provide Bhatt and Jayanti’s definition of reader priority in verbatim as follows [2]:

(RP1) **Reader Priority**: Let $r$ and $w$ be a read attempt and a write attempt, respectively, in a run. If $r >_{rp} w$, then $w$ does not enter the CS before $r$.

(RP2) **Unstopable Reader Property**: Let $C$ be any reachable configuration in which some read attempt $r$ is in the waiting room. Then we have:

1. If a reader is in the CS in $C$, then $r$ is enabled to enter the CS in $C$.
2. If no writer is in the CS or the Exit section in $C$ and $r >_{rp} w$ holds for all write attempts $w$ that are in the Try Section in $C$, then $r$ is enabled to enter the CS in $C$.

2.4 **Abortability of Reader-Writer Algorithms**

The main feature of our algorithm is the addition of the abortability properties, which allows processes in the waiting room to call the Read-Abort or Write-Abort functions, and return to the Remainder Section. We define the properties as follows:

(A1) **Wait-Free Reader-Abort**: A reader in a busy-wait loop in the Try Section can decide to execute the Read-Abort function. We require that a process be able to complete the execution of Read-Abort in a bounded number of its own steps and subsequently enter the Remainder Section.

(A2) **Wait-Free Writer-Abort**: A writer in a busy-wait loop in the Try Section can decide to execute the Write-Abort function. We require that a process be able to complete the execution of Write-Abort in a bounded number of its own steps and subsequently enter the Remainder Section.
2.5 Specification of the Abortable Reader-Priority Reader-Writer Algorithm

In this thesis, we will show algorithms that solve the reader-writer problem, fulfilling properties (P1), (P2), (P3), (P4), (P5), (P6), (RP1), (RP2), (A1), (A2) for Cache-Coherent systems with different Compare-And-Swap caching models.

2.6 Explanation of RMR (Remote Memory References) complexity

In concurrent systems, processes have access to both remote memory and local memory. While accesses to local memory are relatively fast, accesses to remote memory must travel over a network and cause delays and congestion. Thus, time complexity in concurrent systems is measured in terms of the number of Remote Memory References (RMR). In essence, local memory accesses take 0-RMRs while each access to remote memory will take 1-RMR. Thus, efficient concurrent algorithms must aim to reduce the number of RMRs made.

However, what is considered to be an RMR varies depending on the underlying memory system of the machine running the algorithm. Among modern systems, there are two prevalent shared memory models: the Distributed Shared Memory (DSM) model (also known as the Non-Uniform Memory Access (NUMA) model) and the Cache-Coherent (CC) model.

In the DSM model, each process has its own local memory and when a process accesses its local memory, it incurs 0-RMRs. In addition, a process can also access the local memory of other processes. However, an access to the local memory of another process is remote and thus incurs 1-RMR.

In the CC model, shared memory is remote to all processes, but each process is equipped with a local cache. Accesses to a process’ local cache incur 0-RMR. When a process $p$ accesses a shared variable $v$ from shared memory for the first time (making 1-RMR), $p$ will store a copy of $v$ in its cache. As long as no processes change the value of $v$, future reads of $v$ by $p$ will be made to its cache instead of the shared memory, incurring 0-RMR. However, if another process $q$ makes a change to $v$, $q$ will incur 1-RMR for writing to the shared memory and invalidating all the caches containing a copy of $v$. Thus, the next time $p$ accesses $v$, $p$ incurs 1-RMR in order to transfer the new value of $v$ into $p$’s cache.

In previous research, Danek and Hadzilacos showed that a sublinear-RMR reader-writer al-
gorithm is not possible for the DSM model [7]. Thus, our focus for this thesis will be on the constant-RMR implementation for the CC model.
3  Hardware Support

For our algorithm, we assume that the following set of atomic operations are supported by the hardware. These atomic operations are supported in most CPUs, including x86 [1] and SPARC v9 [15] systems.

3.1  Registers

Let $A$ be a register with a value of $c$. $A$ supports the following functions:

- $Read(A)$: Return $c$.
- $Write(A, v)$: Set $c := v$.

If $j$ is a local variable and $K$ is a shared variable, we equate $j \leftarrow K$ with $j = Read(K)$. Similarly, we equate $K \leftarrow j$ with $Write(K, j)$.

3.2  Fetch and Add (F&A)

Let $A$ be a F&A object with a value of $c$. $A$ supports the following functions:

- $Read(A)$: Return $c$.
- $Write(A, v)$: Set $c := v$.
- $F&A(A, v)$: Return $c$ and set $c := c + v$.

3.3  Compare and Swap (CAS)

Let $A$ be a F&A object with a value of $c$. $A$ supports the following functions:

- $Read(A)$: Return $c$.
- $Write(A, v)$: Set $c := v$.
- $CAS(A, u, v)$: If $c = y$, set $c := v$ and return $true$. Otherwise, return $false$. 
3.4 Cache Invalidation Models in Cache-Coherent Systems

The cache invalidation scheme in Cache-Coherent (CC) systems can vary depending on the underlying hardware system. In the case with CAS, a failed CAS by a process may or may not invalidate the caches of the other processes. This discrepancy causes different hardware systems to have different RMR complexities when running the same algorithm. To discuss this issue, we define two models describing how CAS operates in CC systems:

- **Smart-Cache Model for CAS**: In any CAS($A,u,v$) operation where a CAS fails (and thus not changing the value of $A$), the system does not invalidate any caches containing $A$.

- **Conservative-Cache Model for CAS**: In any CAS($A,u,v$) operation where a CAS fails (and thus not changing the value of $A$), the system may or may not invalidate any caches containing $A$.

Although we hope to design algorithms for the Conservative-Cache model (which has fewer hardware requirements), this prevents us from busy-waiting on any CAS variables, which is a hinderance for our algorithm.

We shall later show that our algorithm has constant-RMR for CC systems with the Smart-Cache model for CAS and amortized constant-RMR for CC systems with the Conservative-Cache model for CAS (see Section 3.4). We also present an adjustment to the algorithm for it to have constant-RMR in the Conservative-Cache model for up to $R$ readers (where $R$ is a constant), beyond which the RMR-complexity algorithm will be $O(\frac{n_r}{R})$, where $n_r$ is the number of actual readers in the algorithm.
4 Previous Work

4.1 Constant RMR Reader-Priority Multi-Reader Single-Writer Algorithm

We chose Bhatt and Jayanti’s constant-RMR reader-priority multi-reader single-writer algorithm [2] as the basis for our abortable algorithm because to our knowledge, it is the only constant-RMR reader-priority algorithm satisfying (P1), (P2), (P3), (P4), (P5), (P6), (RP1), (RP2). Prior to Bhatt’s work, there were a number of reader-writer algorithms previously proposed for Cache-Coherent systems. However, these algorithms either do not satisfy concurrent entering [16, 11], or has linear RMR [3, 4] or $O(\log n)$ RMR complexity (where $n_r$ is the number of readers in the system)[8]. To the best of our knowledge, abortable reader-writer algorithms for cache-coherent systems do not yet exist.

Figure 1 on page 15 shows Bhatt and Jayanti’s algorithm. The figure is attached for ease of comparing the abortable version with the unabortable version of the algorithm for readers already familiar with Bhatt and Jayanti’s algorithm. For a detailed description and proof of the unabortable algorithm, refer to [2].

4.2 Abortable Mutual Exclusion Algorithm

For the multi-reader multi-writer construction of our algorithm, we can use any abortable mutual exclusion algorithm in conjunction with our single-writer multi-reader construction. The RMR-complexity of the resulting multi-reader multi-writer algorithm will depend directly on the RMR-complexity of the abortable mutual exclusion algorithm. This RMR limitation is acceptable because in the absence of readers, the abortable multi-reader multi-writer algorithm is equivalent to the abortable mutual exclusion problem.

Since Scott and Scherer proposed the need for abortability in mutual exclusion algorithms [18], several FCFS algorithms have been introduced in the literature satisfying $O(\log n)$-RMR complexity, where $n$ is the number of processes in the system [10, 14]. Any of these algorithms can be used with our construction of the multi-reader multi-writer algorithm.

As an example, we will assume that we can use the abortable mutual exclusion algorithm by Jayanti [10] to produce a $\min(k, \log(n_w))$-RMR algorithm for abortable multi-reader multi-writer algorithm (where $k$ is the number of writers contending to enter the CS and $n_w$ is the total number
Constants:

\( PID \) is the set of process IDs

Variables:

\( D \in \{0, 1\} \) is a read/write variable, initialized to 0
\( Gate \in \{0, 1\} \) is a read/write variable, initialized to 0
\( X \in PID \cup \{true\} \) is a CAS variable, initialized to any \( PID \)
\( Permit \in \{true, false\} \) is a CAS variable, initialized to true
\( C \) is a fetch&add variable, initialized to 0

```
procedure Write-Lock_i()
{
    \textbf{REMAINDER SECTION}
    1. \textit{prevD} \leftarrow D
    2. \textit{currD} \leftarrow \textit{prevD}
    3. \textit{D} \leftarrow \textit{currD}
    4. \textit{Permit} \leftarrow false
    5. \textit{Promote}_i()
    6. \textbf{wait till} \textit{Permit}
    \textbf{CRITICAL SECTION}
    7. \textit{Gate} \leftarrow \textit{currD}
    8. \textit{X} \leftarrow i
}

procedure Promote_i()
{
    9. \textit{x} \leftarrow \textit{X}
    10. \textbf{if} \( (x \neq true) \)
    11. \textbf{if} (CAS(\textit{X}, \textit{x}, \textit{i}))
    12. \textbf{if} (\textit{Permit} \neq true)
    13. \textbf{if} (\textit{C} = 0)
    14. \textbf{if} (CAS(\textit{X}, \textit{i}, \textit{true}))
    15. \textit{Permit} \leftarrow true
}

procedure Read-Lock_i()
{
    \textbf{REMAINDER SECTION}
    16. \textit{F&A}(C, 1)
    17. \textit{d} \leftarrow \textit{D}
    18. \textit{x} \leftarrow \textit{X}
    19. \textbf{if} (\textit{x} \in \textit{PID})
    20. \textit{CAS} (\textit{X}, \textit{x}, \textit{i})
    21. \textbf{if} (\textit{X} = true)
    22. \textbf{wait till} \textit{Gate} = \textit{d}
    \textbf{CRITICAL SECTION}
    23. \textit{F&A}(C, -1)
    24. \textit{Promote}_i()
}
```

Figure 1: Bhatt and Jayanti’s [Unabortable] Reader-Priority Multi-Reader Single-Writer Algorithm [2]
of writers). To our knowledge, this is the most efficient abortable mutual-exclusion algorithm for the CC system and it uses LL/SC objects, which can be implemented by CAS [17].
5 Abortable Reader-Priority Single-Writer Multi-Reader Algorithm

Figure 2 on page 18 shows our abortable reader-priority single-writer multi-reader algorithm satisfying properties (P1), (P2), (P3), (P4), (P5), (P6), (RP1), (RP2), (A1), (A2).

The labels to the left of the algorithm (w1, w2, etc.) represent the atomic steps of the algorithm. Note that we have combined local computations into the same atomic steps as remote operations (e.g. Line w3) in order to shorten the length and complexity of our subsequent proof. This is permitted because local operations by a process p do not affect the global state and thus other processes cannot distinguish if the step has or has not been executed.

The algorithm in Figure 2 on page 18 shows five procedures: Write-Lock, Read-Lock, Write-Abort, Read-Abort, and Promote. The Write-Lock and Read-Lock procedures provides the code for the Try and Exit Sections of the writers and readers, respectively. The Write-Abort and Read-Abort procedures are called from either w6 or r6 to allow writers and readers to abort, respectively. Finally, the Promote procedure is used by both writers and readers to attempt to promote a writer into the Critical Section if there are no enabled readers and if the writer is waiting for permission.

5.1 Description of the Variables and Their Purpose

*D* The “Direction” variable used to inform readers of the side (0 or 1) on which it should enter and wait if required.

*Gate* The Gate controls the direction (0 or 1) in which readers are allowed to enter the CS. As observed from Line r6, a reader r trapped in the waiting room must wait until the Gate is equal to the D value that r previously read before r can access the CS.

*X* A tuple in the form \([x_1, x_2]\). We shall use \(x_1\) and \(x_2\) to address the individual components of X in the rest of this thesis. \(x_1\) is used as a way to determine if the writer is interested in entering the CS, to prevent bad interleavings, and for readers to steal permission from the writers in the Try Section. When \(x_1\) is true, the writer either already has permission to enter the CS or is in the Remainder Section. In both cases, the writer does not want any help in getting permission to enter the CS and readers much check the Gate to see if it is allowed to enter the CS or if it must wait for the writer. When
**Constants:**

*PID* is the set of process IDs

*nPID* is any value such that *nPID* ∉ *PID* ∪ {true}

**Variables:**

\( D \in \{0, 1\} \) is a read/write variable, initialized to 0

\( \text{Gate} \in \{0, 1\} \) is a read/write variable, initialized to 0

\( X \in (\text{PID} \cup \{\text{true}, \text{nPID}\}) \times (\text{PID} \cup \{\text{nPID}\}) \) is a CAS variable, initialized to \([\text{true}, \text{nPID}]\)

\( \text{Permit} \in \text{PID} \cup \{\text{true}, \text{nPID}\} \) is a CAS variable, initialized to true

\( C \) is a fetch&add variable, initialized to 0

**Persistent Variables:**

Each Process has a *SafeID* ∈ *PID*, initialized to *i*, the *PID* of the process.

```plaintext
procedure Write-Lock\(i\)()
    \( \text{w_ncs: REMAINDER SECTION} \)
    \( w1: \ [\ast, b] \leftarrow X \)
    \( w2: \ X \leftarrow [i, b] \)
    \( w3: \ prevD \leftarrow D \)
        \( \text{currD} \leftarrow prevD \)
    \( w4: \ D \leftarrow currD \)
    \( w5: \ \text{Permit} \leftarrow b \)
    \( wp: \ \text{Promote}_i() \)
    \( w6: \ \text{wait till} \ \text{Permit} \)
        \( \text{or Write-Abort}_i() \)
    \( \text{w_cs: CRITICAL SECTION} \)
    \( w7: \ \text{Gate} \leftarrow currD \)
}

procedure Read-Lock\(i\)()
    \( \text{r_ncs: REMAINDER SECTION} \)
    \( r1: \ \text{F&A}(C, 1) \)
    \( r2: \ d \leftarrow D \)
    \( r3: \ [a, b] \leftarrow X \)
    \( r4: \ \text{if}(a \in \text{PID}) \)
        \( \text{CAS}(X, [a, b], [i, b]) \)
    \( r5: \ \text{if}(X = \text{true}, \ast) \)
    \( r6: \ \text{wait till} \ \text{Gate} = d \)
        \( \text{or Read-Abort}_i() \)
    \( \text{r_cs: CRITICAL SECTION} \)
    \( r7: \ \text{F&A}(C, -1) \)
    \( rp: \ \text{Promote}_i() \)
}

procedure Write-Abort\(i\)()
    \( \text{wa1: \text{Permit} \leftarrow \text{true} } \)
    \( wa2: \ [a, b] \leftarrow X \)
    \( wa3: \ \text{if}(a \neq \text{true}) \)
    \( \text{CAS}(X, [a, b], \text{nPID}, b) \)
    \( wa4: \ \text{if}(X \neq \text{true}, \ast) \)
    \( wa5: \ D \leftarrow \text{prevD} \)
    \( \text{return} \)

procedure Read-Abort\(i\)()
    \( \text{ra1: \text{F&A}(C, -1) } \)
    \( rap: \ \text{Promote}_i() \)
}

procedure Promote\(i\)()
    \( f1: \ [a, b] \leftarrow X \)
    \( \text{if}(a \neq \text{true}) \)
    \( f2: \ \text{if}(\text{CAS}(X, [a, b], [i, b])) \)
    \( f3: \ \text{if}(\text{Permit} \neq \text{true}) \)
    \( f4: \ \text{if}(C = 0) \)
    \( f5: \ \text{if}(\text{CAS}(X, [i, b], [true, \text{SafeID}])) \)
    \( f6: \ \text{CAS}(\text{Permit}, b, \text{true}) \)

\( \text{SafeID} \leftarrow b \)
```

Figure 2: Abortable Reader-Priority Single-Writer Multi-Reader Algorithm. Code for process with *pid* \(i\). The doorway for the reader is Lines \(r1\) to \(r5\).
$x_1$ is $\neg$true, it is either a pid or nPID, indicating that it might be attempting to enter the CS. Thus, exiting readers will attempt promote the writer into the CS under the correct conditions. On the other hand, $x_2$ is used to store either a value that isn’t being used as a SafeID by any process. This is used for ensuring that the permission given by a reader is current, and not for a previous iteration of Write-Lock.

**Permit**

The permission used to determine if a writer is allowed to enter the CS or if it wants to access the CS at all. The Permit is what the writer busy-waits on to see if it is allowed to enter the CS. (Note that writers cannot busy-wait on $X$ because $X$ can change an unbounded number of times during a single iteration of Write-Lock). Permit is true when the writer has permission to enter the CS or when the writer does not want to access the CS at all (i.e. in the Remainder, Exit, or Abort Sections). In both cases, the writer is indicating that it does not need to be promoted into the CS. However, when the writer wishes to access the CS (i.e. in the Try or Critical Section), it sets Permit to the value present in the current $x_2$ value, which helps distinguish the iteration of Write-Lock calls, to prevent readers at Line $f6$ from accidentally granting permission to the writer after the writer has aborted.

**C**

A count of the readers in the Try Section or CS of the algorithm. This helps writers in the Try Section or leaving readers determine if there are any remaining readers. If not, the process should proceed with attempting to grant permission to the writer.

**SafeID**

A unique persistent variable (a variable that a process retains even when it completes the Write-Lock or Read-Lock procedures, so it can be used in the next call of Write-Lock or Read-Lock) stored by all processes indicating the next number that is safe to be used for $x_2$. This is used to prevent readers from incorrectly giving a writer permission to enter the CS if a writer has aborted and subsequently returns to the Try Section. Each time a process $p$ executes Line $f5$ of the algorithm, it atomically switches SafeID and $x_2$, since $x_2$ is no longer a safe value to be used until process $p$ executes Line $f6$, where it tries to grant permission to the writer.
5.2 Reader’s Protocol: Line-by-Line Commentary

We walk through possible steps of a reader $r$:

$r1$ When $r$ enters the Try Section, it first declares its presence by incrementing $C$. This prevents processes at $f4$ from granting permission to the writer.

$r2$ $r$ reads $D$ to find out the “direction” that it belongs to. This will allow $r$ to determine whether it has permission to enter the CS at $r6$ in the case that $X = true$.

$r3$ $r$ reads $X$ for the next step.

$r4$ $r$ attempts to CAS $X$ in order to steal permission away from any potential processes trying to promote the writer (since this is a reader-priority algorithm).

$r5$ $r$ checks the current value of $X$. If it is $¬true$, $r$ knows it is permitted to enter the CS. If it is $true$, then the writer might have permission to enter the CS, so $r$ must then check if the Gate to its direction is open in $r6$.

$r6$ $r$ sees if the Gate for its direction is open (i.e. $Gate = D$). If it is, $r$ can go into the CS. If it isn’t, $r$ must wait until the writer flips the Gate at $w7$ or $wa6$.

$r7$ After the CS, $r$ erases its existence by decrementing $C$ and then running $Promote$ to see if it can give permission to the writer.

$ra1$ To abort, $r$ simply executes the Exit Section. Identical to $r7$.

5.3 Writer’s Protocol: Line-by-Line Commentary

Let the writer be denoted as $w$. Here is a list of the potential steps of the writer:

$w1$ $w$ reads $X$ for the next step.

$w2$ $w$ sets $X$ to $w$’s $pid$, so that in the case that $X$ was $true$, it is now a non-$true$ value, informing readers that $X$ is interested in accessing the CS. Note, however, that since $Permit = true$ at this point and $w$ just set $x_1$ to its own $PID$, other readers will not be able to give permission to $w$ yet.
w3 \(w\) reads \(D\) in preparation for toggling it.

w4 \(w\) toggles \(D\) so that \(D \neq \text{Gate}\). This ensures that readers who come in after \(w\) is granted permission for the CS will be blocked at \(r6\). Note that if there are still readers \(r\) for which \(r.d = \text{Gate}\), the writer will need to wait for all of them to leave the CS before \(w\) can enter the CS. Thus, when \(w\) is in the CS, all the readers must have the same direction.

w5 The Permit is set to \(x_2\). Since \(x_2\) is only changed at Line \(f5\) (where \(w\) is granted permission), and since the line will not be successfully executed until Permit is set to a non-true value, we know that \(w.b = x_2\) at the time of execution of \(w5\).

wp \(w\) tries to give itself permission to enter the CS

w6 Since \(X\) can undergo many changes from true to various \(pids\) during each call of Write-Lock, \(w\) cannot busy-wait on \(X\) because that will produce linear-RMR. Thus, \(w\) waits on Permit instead. At Line \(w6\), \(w\) continuously checks to see if Permit = true so it can enter the CS. Notice how readers can only set Permit to true and nothing else, so in the Smart-Cache model, \(w\) will only have at most two cache misses at Line \(w6\)

w7 Upon exiting the CS, \(w\) can simply toggle the Gate to let any waiting readers enter. Note: this will set Gate = D, so new readers will no longer be blocked.

wa1 \(w\) can choose to abort at Line \(w6\). In the Abort Section, \(w\) first sets Permit = true to stop readers before line \(f3\) from granting \(w\) permission to enter the CS.

wa2 \(w\) reads \(X\) in preparation of the next step

wa3 \(w\) checks if \(x_1\) is true. If so, \(w\) must have been granted permission to enter the CS already, so it can just execute the Exit Section at \(wa6\). However, if it doesn’t have permission yet, \(w\) tries to CAS \(nPID\) into \(x_1\). This is done to prevent other readers from granting \(w\) permission. If a reader is at Line \(f4\) or \(f5\), it must have read Permit = true before \(w\) executed \(wa1\). Thus, if \(w\) CASes \(nPID\) into \(x_1\) before any readers execute \(f5\), it guarantees that either \(w\) or another reader before \(f3\) has changed the value of \(x_1\). Thus, Line \(f5\) should fail from now on.
wa4  

$w$ checks to see the current value of $x_1$. If $x_1$ is true, a reader must have executed $f_5$ before $w$ executed Line $wa3$. Thus, $w$ has permission to enter the CS, so it can simply execute the Exit Section at $wa6$. Otherwise, if $x_1$ is $\neg$true, we know that from now on, processes at $f_5$ will fail. Thus, $w$ will not be granted permission by any other processes from now on.

wa5  

Since it is guaranteed that $w$ will not be given permission by any readers from this point onwards, $w$ simply reverses $D$. Notice that until the next iteration of Write-Lock, $x_1$ will stay $\neg$true, so readers will be able to enter the CS via $r5$.

w6  

Identical to $w7$

5.4 Promote Procedure: Line-by-Line Commentary

The Promote procedure is executed by either a writer or an exiting reader in order to check if permission needs to be given to a writer. Let $p$ be the process executing Promote:

$f1$  

$p$ reads $X$ and checks if $x_1$ is true. If it is true, the writer has no intention of accessing the CS, so $p$ can just leave.

$f2$  

If $X$ isn’t true, $p$ attempts to CAS its own $pid$ into $x_1$ to let other processes know that it is trying to give permission to the writer. This prevents multiple processes from granting the writer permission at the same time and also allows new readers at Line $r4$ to alert $p$ not to give the writer permission. If the CAS fails, another process must have successfully CASed $X$ for one of the above reasons, so $p$ can simply leave. Otherwise, $p$ proceeds to Line $f3$.

$f3$  

$p$ checks if Permit is true. If Permit is true, the writer either does not want permission or has already been granted permission, so $p$ can simply leave. Otherwise, $p$ proceeds to Line $f4$.

$f4$  

$p$ checks to $C$ to see if there are other readers between lines $r2...r7$. If so, $p$ can leave because one of those readers will eventually grant the writer permission if necessary. Otherwise, if $C = 0$, $p$ must be the writer or one of the last exiting readers. So it can proceed.
\( f_5 \) attempts to grant the writer permission by CASing \( x_1 \) with \textit{true} and \( x_2 \) with \( p.SafeID \). If the CAS fails, then \( x_1 \) is either \textit{true} (in which case the writer has permission already or is not interested in the CS) or \( \neg \textit{true} \), in which case the process with \( pid = x_1 \) is either in an earlier step of \textit{Promote} (in which case it can grants the permission to the writer) or a reader is in the Try Section, in which case the writer should not yet be granted permission. Otherwise, if the CAS succeeds, the writer now has permission to enter the CS. Note that \( p \) also switches the values of \( x_2 \) and \( p.SafeID \). This provides the writer with a safe \( x_2 \) value to use as a \textit{Permit} in the future. Also, since the CAS at Line \( f_5 \) can only be successfully executed once for every call of \textit{Write-Lock}, only one process can swap \( b \) with its own \( SafeID \), and only one process will have that \( b \) value at Line \( f_6 \).

\( f_6 \) tries to grant permission to the waiting writer. \( f_6 \) should succeed unless if the writer decided to abort from \textit{Write-Abort} during that iteration, in which case \( p \) will fail at Line \( f_6 \) because \( p.b \) will either be set to \textit{true} or another process’ \( SafeID \), which must be distinct from \( p.b \), which is equal to \( p.SafeID \).
6 Model Checking

In the prototyping stage of algorithm design, we used a series of specification and modelling tools (PlusCal, TLA+, and TLC) to verify the correctness of our algorithm.

Appendix Section A shows the PlusCal, TLA+ specification of our abortable reader-priority single-writer multi-reader algorithm and its invariants.

6.1 PlusCal

PlusCal[13] (formerly +Cal) is a language that allows programmers to formally specify both concurrent and sequential algorithms and translate it into TLA+ (6.2). PlusCal allows programmers to specify their algorithms at a high level, providing a very flexible granularity of atomicity (for concurrent systems).

We first designed our algorithm in PlusCal and used the built-in translator to translate our algorithm to TLA+. Since PlusCal is a relatively high-level language built with concurrency in mind, our experience with PlusCal was very positive and it was easy to make changes confidently in PlusCal without having to change much of the code.

6.2 TLA+

TLA+ (Temporal Logic of Actions) [12] is a formal specification language that defines an algorithm in terms of the initial state, subsequent states and their transitions. The advantages of using TLA+ is that languages specified in TLA+ can quickly be debugged or verified using the TLC model checker (6.3).

For this thesis, now only did we translate our algorithm from PlusCal to TLA+, we also specified our invariants (see Section 7.2) in TLA+.

6.3 TLC

TLC is a model-checking program that runs simulations of TLA+ specifications for every possible execution up to a certain collision probability and verifies any assumptions and invariants provided at each state of the execution. If an assumption or invariant is violated, TLC prints out the execution where the violation occurred. TLC can verify the correctness of a two-process mutex algorithm to a
high degree of accuracy within about 2 or 3 minutes. However, the tool has several limitations. First, it is only able to verify safety properties and not liveness properties. However, since our invariants are all safety properties, this was not an issue in our case. Second, it can only be run realistically on small datasets. For example, verifying the correctness of a single-writer 3-reader version of our algorithm took over 1 day to complete. Finally, since there are infinitely many states in the system, TLC will only model-check until the state collision rate becomes sufficient. Moreover, it can only verify executions for a given number of processes, so it merely serves as a tool for prototyping and debugging.

In the proof process, TLC was extremely useful to quickly verify new invariants or changes in invariants. In the case that an invariant is violated in some run, TLC outputs the list of configurations in the run, which was helpful to understanding where we went wrong. Furthermore, we used TLC to verify if certain lines in the algorithm could be omitted or changed. While the model checker could potentially run for a very long time, from our experience, most errors were identified within the first 10 minutes of execution.
7 Proof of Algorithm

We prove our algorithm correct by invariants. We do this in two parts. First, we will prove that the set of invariants listed in Section 7.2 is true in every reachable configuration of the algorithm. Then, we will consider the invariants as facts and use them to prove the properties of the algorithm.

7.1 Notation

Here are the notations used in defining our invariants (derived from [2]):

- We denote the value of a local variable $y$ of process $p$ by $p.y$. Similarly, we denote the PID of process $p$ by $p.i$

- We let $X = [x_1, x_2]$ for the global variable $X$ so we can address $x_1$ and $x_2$ separately in our invariants

- $PC_p$ denotes the program counter of a process $p$. As there is only one writer at any time, we denote it by $w$ and its program counter by $PC_w$. Note that at any time $t$, $PC_w \in \{w1...w7, wa1...wa6, f1...f6\}$ and for a reader $r$, $PC_r \in \{r1...r7, ra1, f1...f6\}$

- $R(condition A)$ denotes the set of readers which satisfy the condition $A$, e.g., $R(PC \in \{r3...r6\}, d \neq Gate)$ is the set of all readers $r$, such that $PC_r \in \{r3...r6\}$ and $r.d \neq Gate$

- $P(H)$, denotes the set of pids corresponding to the processes with their PCs coming from set $H$. More formally, $P(H) = \{p.i : PC_p \in H\}$
7.2 Invariants

Let $I = I_G \land I_{w1,w2} \land I_{w3,w4} \land I_{w5} \land I_{f1} \land I_{f2} \land I_{f3,f4} \land I_{f5} \land I_{w6,w7} \land I_{wa} \land I_{wa1} \land I_{wa2} \land I_{wa3} \land I_{wa4} \land I_{wa5}$, where $I_G$ is the global invariant which holds in every reachable configuration of the algorithm. The other invariants are denoted by $I_A$, meaning that the invariant applies when $PC_w \in \{A\}$.

Bold font is used to represent lines where the invariant has changed from step to step for ease of understanding the proof.

$I_G$:  
1. $C = |R(PC \in \{r2\ldots r7, ra1\})|$
2. $|\{x_2\} \cup \{SafeID_i\}| = n + 1$

$I_{w1,w2}: PC_w \in \{w1, w2\} \implies$
1. $Gate = D$
2. $Permit = true$
3. $R(PC \in \{r3\ldots r6\} \land d \neq Gate) = \phi$
4. $x_1 \neq true \implies R(PC = r6 \land d \neq Gate) = \phi$
5. $R(PC \in \{f4, f5\} \land x_1 = i) = \phi$

$I_{w3,w4}: PC_w \in \{w3, w4\} \implies$
1. $Gate = D$
2. $Permit = true$
3. $x_1 \in PID$
4. $R(PC = r6 \land d \neq Gate) = \phi$
5. $R(PC \in \{f4, f5\} \land x_1 = i) = \phi$

$I_{w5}: PC_w = w5 \implies$
1. $Gate = \overline{D}$
2. $Permit = true$
3. $x_1 \in PID$
4. $R(PC = r6 \land d \neq Gate) = \phi$
5. $R(PC \in \{f4, f5\} \land x_1 = i) = \phi$

$I_{f1}: PC_w = f1 \implies$
1. $Gate = \overline{D}$
2. $Permit \in \{true, nPID\} \cup PID$
3. $x_1 \in (PID \cup \{true\})$
4. $R(PC = f5 \land x_1 = i) \neq \phi \implies$
   (a) $R(PC \in \{r6, r7\}) = \phi$
   (b) $R(PC \in \{r3\ldots r5\} \land d = Gate) = \phi$
5. $x_1 \in PID \implies$
   (a) $R(PC = r6 \land d \neq Gate) = \phi$
   (b) $Permit = w.b$
6. $x_1 = true \implies$
(a) $R(PC \in \{r3...r6\} \land d = Gate) = \phi$

(b) $(Permit \neq true \implies |R(PC = f6 \land b = Permit)| = 1)$

(c) $R(PC = r7) = \phi$

$I_{f2}$: $PC_w = f2 \implies$

1. $Gate = \overline{D}$
2. $Permit \in \{true, nPID\} \cup PID$
3. $x_1 \in (PID \cup \{true\})$
4. $R(PC = f5 \land x_1 = i) \neq \phi \implies$
   (a) $R(PC \in \{r6, r7\}) = \phi$
   (b) $R(PC \in \{r3...r5\} \land d = Gate) = \phi$
5. $x_1 \in PID \implies$
   (a) $R(PC = r6 \land d \neq Gate) = \phi$
   (b) $Permit = w.b$
   (c) $x_1 \neq w.a \implies R(PC \in \{r2...r7, ra1, f1\}) \cup R(a = x_1, PC = f2) \neq \phi \lor x_1 \in P(f3...f5)$
6. $x_1 = true \implies$

$I_{f5}$: $PC_w = f5 \implies$

1. $Gate = \overline{D}$
2. $Permit \in \{true, nPID\} \cup PID$
3. $x_1 \in PID \cup \{true\}$
4. $x_1 \in PID \implies$
(a) \( R(\text{PC} = r6) = \phi \)

(b) \(\text{Permit} = w.b\)

(c) \(x_1 \neq w.i \implies R(\text{PC} \in \{r2...r7, ra1, f1\} \cup \{a = x_1, \text{PC} = f2\}) = \phi \lor x_1 \in P(f3...f5)\)

5. \( R(\text{PC} \in \{r3...r6\} \land d = \text{Gate}) = \phi \)

6. \(x_1 = \text{true} \implies \)
   
   (a) \((\text{Permit} \neq \text{true} \implies |R(\text{PC} = f6 \land b = \text{Permit})| = 1)\)

7. \( R(\text{PC} = r7) = \phi \)

I_{f6}: \(PC_w = f6 \implies \)

1. \(\text{Gate} = D\)

2. \(\text{Permit} = w.b\)

3. \(x_1 = \text{true}\)

4. \(R(\text{PC} \in \{r3...r6\} \land d = \text{Gate}) = \phi \)

5. \(R(\text{PC} = f6 \land b = \text{Permit}) = \phi \)

6. \(R(\text{PC} = r7) = \phi \)

I_{w6,wa1}: \(PC_w \in \{w6, wa1\} \implies \)

1. \(\text{Gate} = D\)

2. \(\text{Permit} \in \{\text{true, nPID}\} \cup \text{PID}\)

3. \(x_1 \in (\text{PID} \cup \{\text{true}\})\)

4. \(R(\text{PC} = f5 \land x_1 = i) \neq \phi \implies \)

5. \(R(\text{PC} = r7) = \phi \)

I_{wa2}: \(PC_w = wa2 \implies \)

1. \(\text{Gate} = D\)

2. \(\text{Permit} = \text{true}\)

3. \(x_1 \in (\text{PID} \cup \{\text{true}\})\)

4. \(R(\text{PC} = f5 \land x_1 = i) \neq \phi \implies \)
(a) $R(PC \in \{r6, r7\}) = \phi$
(b) $R(PC \in \{r3...r5\} \land d = Gate) = \phi$

5. $x_1 \in PID \implies$

(a) $R(PC = r6 \land d \neq Gate) = \phi$

I_{wa}\;\text{Iwa: } PC_w = wa_3 \implies$

1. $Gate = \overline{D}$
2. $Permit = \text{true}$
3. $x_1 \in (PID \cup \{\text{true, nPID}\})$
4. $R(PC \in \{f4, f5\} \land x_1 = i) = \phi$

6. $x_1 = \text{true} \implies$

(a) $R(PC \in \{r3...r6\} \land d = Gate = \phi$
(b) $R(PC = r7) = \phi$

I_{wa}\;\text{Iwa: } PC_w = wa_4 \implies$

1. $Gate = \overline{D}$
2. $Permit = \text{true}$
3. $x_1 \neq \text{true} \implies R(PC = r6 \land d \neq Gate) = \phi$

I_{wa}\;\text{Iwa: } PC_w = wa_5 \implies$

1. $Gate = \overline{D}$
2. $Permit = \text{true}$
3. $x_1 \neq \text{true}$

4. $R(PC \in \{f4, f5\} \land x_1 = i) = \phi$

5. $R(PC = r6 \land d \neq Gate) = \phi$
7.3 Proof of Invariants

To prove the invariants correct, we must prove that:

- $I$ holds in the initial configuration $C_0$, and
- if $I$ holds in a reachable configuration $C$, and if some process takes a step $s$, $I$ also holds in $C.s$.

**Lemma 4.** $I$ holds in $C_0$.

**Proof.** Let $ReaderSet$ be the set of all readers and let $w$ represent the writer. It suffices to prove that $I_G$ and $I_{w_1w_2}$ hold in $C_0$, since all other invariants hold trivially by the fact that in $C_0$, $PC_w = w1$ and $\forall r \in ReaderSet : PC_r = r1$.

**Claim 5.** $I_G$ holds in $C_0$:

**Proof.** Item 1 of $I_G$ holds because $C = 0$ initially and we observe that $|R(\text{PC} \in \{r2...r7, ra\})| = 0$. Item 2 of $I_G$ holds since $x_2 = nPID$ and $\forall p \in ReaderSet \cup \{w\}, p.SafeID = p.i$, and $nPID \notin PID$ by definition.

**Claim 6.** $I_{w_1w_2}$ holds in $C_0$:

**Proof.** Items 1,2 of $I_{w_1w_2}$ hold by the initial specification of $C_0$. Item 3 holds because $\forall r \in ReaderSet : PC_r = r1$. Items 4,5 hold trivially since $x_1 = true$ in $C_0$.

**Lemma 7.** If $I$ holds in $C$, then $I$ holds in $C.s$, where $C.s$ is the configuration after some process $p$ took a step $s$ in $C$.

**Claim 8.** If $I$ holds in $C$, $I_G$ holds in $C.s$

**Proof.** Item 1: by simple observation of the algorithm, we see that $C$ is only incremented at Line $r1$ and decremented at Line $r7$ or $ra1$. Thus, $C = |R(\text{PC} \in \{r2...r7, ra1\})|$. Item 2: By observation, we only switch $SafeID_i$ and $x_2$ at Line $f5$ atomically, so if Item 2 of $I_G$ holds in $C$, it will continue to hold in $C.s$. 

Page 31
For the rest of the invariants, we will use the following table of proofs for clarity.

In an entry where Invariant = A, w = B, r = D, Step = E, and Item = F, the context of the proof presented is as follows: If $I$ holds in configuration $C$, then Item F of A holds in $C.s$, where $PC_w \in B$, $PC_r \in D$, and E takes a step.

For example, in entry 3 of the invariant table below, the context of the proof is as follows: If $I$ holds in $C$, then Item 3 of $I_{w1,w2}$ holds in $C.s$ when $PC_w \in \{w1, w2\}$, $PC_r \in \{r2\}$, and $r$ takes a step.

<table>
<thead>
<tr>
<th>Invariant</th>
<th>$w$</th>
<th>$r$</th>
<th>Step</th>
<th>Item</th>
<th>Proof</th>
</tr>
</thead>
<tbody>
<tr>
<td>$I_{w1,w2}$</td>
<td>$w1$</td>
<td>-</td>
<td>$w$</td>
<td>all</td>
<td>Since $I_{w1,w2}$ holds in $C$, it continues to hold in $C.s$ after step $w1$. From here onwards, we will simply say this is obvious.</td>
</tr>
<tr>
<td>$I_{w1,w2}$</td>
<td>$w1$, $w2$</td>
<td>$r1, r3, r6, r7, r_{a1}, f1, f4, f6$</td>
<td>$r$</td>
<td>all</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{w1,w2}$</td>
<td>$w1$, $w2$</td>
<td>$r2$</td>
<td>$r$</td>
<td>3</td>
<td>In $C$, Gate = D by $I_{w1,w2}$, and $d=D$ by step $r2$, so $d=Gate$ in $C.s$, as req’d</td>
</tr>
<tr>
<td>$I_{w1,w2}$</td>
<td>$w1$, $w2$</td>
<td>$r2$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
</tbody>
</table>
| $I_{w1,w2}$ | $w1$, $w2$ | $r4$    | $r$  | 3,4  | If $x1 = \text{true}$ in $C$, the global vars remain unchanged in $C.s$, so Items 3, 4 will hold.  
If $x1 \neq \text{true}$ in $C$, the CAS in step $r4$ will succeed but still, $x1 \neq \text{true}$ in $C.s$, so Items 3, 4 will hold. |
| $I_{w1,w2}$ | $w1$, $w2$ | $r4$    | $r$  | rest | obvious                                                              |
| $I_{w1,w2}$ | $w1$, $w2$ | $r5$    | $r$  | 3,4  | If $x1 = \text{true}$ in $C$, Item 3 in $C.s$ follows from Item 3 of $I_{w1,w2}$ in $C$ and Item 4 holds trivially.  
If $x1 \neq \text{true}$ in $C$, by step $r5$, $r$ will not enter Line $r6$, trivially satisfying Items 3, 4. |
<table>
<thead>
<tr>
<th>( I_{w1,w2} )</th>
<th>( w1, w2 )</th>
<th>( r5 )</th>
<th>( r )</th>
<th>( \text{rest} )</th>
<th>( \text{obvious} )</th>
</tr>
</thead>
<tbody>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( r5 )</td>
<td>( r )</td>
<td>( \text{3,4} )</td>
<td>Proof analogous to that of ( I_{w1,w2} ), step ( r4 ), Items 3, 4</td>
</tr>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( r5 )</td>
<td>( r )</td>
<td>( \text{rest} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( f3 )</td>
<td>( r )</td>
<td>( \text{5} )</td>
<td>In ( C ), since ( \text{Permit} = \text{true} ) by Item 2 of ( I_{w1,w2} ), ( r ) will not step into Line ( f4 ), satisfying Item 5</td>
</tr>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( f3 )</td>
<td>( r )</td>
<td>( \text{rest} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( f5 )</td>
<td>( r )</td>
<td>( \text{3,4} )</td>
<td>By Item 5 of ( I_{w1,w2} ) in ( C ), the CAS in step ( f5 ) must fail. Thus, ( r ) will not step into Line ( f6 ).</td>
</tr>
<tr>
<td>( I_{w1,w2} )</td>
<td>( w1, w2 )</td>
<td>( f5 )</td>
<td>( r )</td>
<td>( \text{rest} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w3,w4} )</td>
<td>( w2 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{3} )</td>
<td>Follows from step ( w2 )</td>
</tr>
<tr>
<td>( I_{w3,w4} )</td>
<td>( w2 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{4} )</td>
<td>Follows from Item 4 of ( I_{w1,w2} ) and step ( w2 )</td>
</tr>
<tr>
<td>( I_{w3,w4} )</td>
<td>( w2 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{rest} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w3,w4} )</td>
<td>( w3 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{all} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w3,w4} )</td>
<td>( w3, w4 )</td>
<td>( \text{all} )</td>
<td>( r )</td>
<td>( \text{all} )</td>
<td>Proof analogous to that of ( I_{w1,w2} )</td>
</tr>
<tr>
<td>( I_{w5} )</td>
<td>( w4 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{1} )</td>
<td>Follows from Item 1 of ( I_{w3,w4} ) and step ( w4 )</td>
</tr>
<tr>
<td>( I_{w5} )</td>
<td>( w4 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{rest} )</td>
<td>( \text{obvious} )</td>
</tr>
<tr>
<td>( I_{w5} )</td>
<td>( w5 )</td>
<td>( \text{all} )</td>
<td>( r )</td>
<td>( \text{Proof analogous to that of} ( I_{w1,w2} )</td>
<td></td>
</tr>
<tr>
<td>( I_{f1} )</td>
<td>( w5 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{2} )</td>
<td>Follows from step ( w5 ) and the fact that ( x2 \in {nPID} \cup \text{PID}s. )</td>
</tr>
<tr>
<td>( I_{f1} )</td>
<td>( w5 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{4} )</td>
<td>Follows trivially from Item 5 in ( I_{w5} )</td>
</tr>
<tr>
<td>( I_{f1} )</td>
<td>( w5 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{5a} )</td>
<td>Follows from Item 4 of ( I_{w5} )</td>
</tr>
<tr>
<td>( I_{f1} )</td>
<td>( w5 )</td>
<td>( - )</td>
<td>( w )</td>
<td>( \text{5b} )</td>
<td>Follows from step ( w5 )</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$w5$</td>
<td>$-$</td>
<td>$w$</td>
<td>6</td>
<td>Trivially holds by Item 3 of $I_{w5}$</td>
</tr>
<tr>
<td>---------</td>
<td>------</td>
<td>-----</td>
<td>-----</td>
<td>---</td>
<td>-------------------------------------</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$w5$</td>
<td>$-$</td>
<td>$w$</td>
<td>rest</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r1,r3,r7,$</td>
<td>$r$</td>
<td>all</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r2$</td>
<td>$r$</td>
<td>4b, $d = D$ by step $r2$, and $Gate = \overline{D}$ in $C$ by $I_{f1}$, so</td>
<td>6a</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r2$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r4$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{w1,w2}$, step $r4$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r5$</td>
<td>$r$</td>
<td>4a</td>
<td>We will show that if there is a reader at $r5$, $R(PC = f5 \land x_1 = i) = \phi$, so Item 4a will trivially hold. Assume the contradiction and let $r_{f5}$ be the reader for which $PC_{r_{f5}} = f5$ and $x_1 = r_{f5}.i$ and $PC_r = r5$ at time $t$. We observe that $r_{f5}$ must have executed Line $f4$ before $r$ executed Line $r1$ because $r_{f5}$ read $C$ to be 0. Thus, the value of $x_1$ that $r$ read at Line $r3$ must be $r_{f5}.i$ or another pid that overwrote $r_{f5}.i$. At Line $r4$, either $r$ successfully CASes and overwrites the value of $x_1$, or another process wrote a different value into $x_1$. From inspection of the code, since no other processes would write $r_{f5}.i$ into $x_1$ besides $r_{f5}$ itself, the value of $x_1 \neq r_{f5}.i$ at time $t$, which is a contradiction.</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r5$</td>
<td>$r$</td>
<td>5a</td>
<td>If $x_1 = true$, Item 5a trivially holds</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>If $x_1 \neq true$, by step $r5$, $r$ will not step into $r6$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r5$</td>
<td>$r$</td>
<td>6a</td>
<td>Follows from Item 6a of $I_{f1}$ in $C$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r5$</td>
<td>$r$</td>
<td>6c</td>
<td>If $x_1 \neq true$, Item 6c trivially holds</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>If $x_1 = true$, by step $r5$, $r$ will not step into $r7$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r5$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
<tr>
<td>-----</td>
<td>-----</td>
<td>-----</td>
<td>-----</td>
<td>------</td>
<td>---------</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r6$</td>
<td>$r$</td>
<td>4a</td>
<td>Follows from Item 4a of $I_{f1}$ in $C$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r6$</td>
<td>$r$</td>
<td>6c</td>
<td>Follows from Item 6a of $I_{f1}$ in $C$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$r6$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f2$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{w1,w2}$, step r4</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f4$</td>
<td>$r$</td>
<td>4</td>
<td>Follows from Item 1 of $I_G$, and step f4</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f4$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f5$</td>
<td>$r$</td>
<td>6a</td>
<td>Follows from Item 4b of $I_{f1}$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f5$</td>
<td>$r$</td>
<td>6b</td>
<td>Assume by contradiction that in $C.s,$</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>$Permit \neq true \implies</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>Since $SafeID = b$ by step f5, the two processes in</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>$R(PC = f6 \land b = Permit)$ must have the same</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>$SafeID$, which contradicts Item 2 of $I_G$</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>6c</td>
<td>Follows from Item 4a of $I_{f1}$</td>
</tr>
<tr>
<td>$I_{f1}$</td>
<td>$f1$</td>
<td>$f5$</td>
<td>$r$</td>
<td>rest</td>
<td>obvious</td>
</tr>
</tbody>
</table>
We will show that the CAS at Line 6 will only succeed if \( x_1 = true \).

Assume by contradiction that \( r \) successfully CASes \( Permit \) at Line 6 at time \( t \) and \( x_1 \neq true \). We know that \( r \) had successfully set \( x_1 \) to \( true \) in step 5. By observation of the code, only the writer can change \( x_1 \) from \( true \) to a non-\( true \) value. Thus, the writer must have executed lines \( w2 \) to just before \( f1 \) after \( r \) executed Line 5. Thus, it must have executed Line \( w5 \), setting \( Permit \) to \( x_2 \). However, since \( b = r.SafeID \) by step 5 of \( r \), by Item 2 of \( Ig \), \( x_2 \neq r.SafeID \), so \( x_2 \neq r.b \) while \( r \) is at Line 6. Thus, the CAS at Line 6 fails, which is a contradiction.

<table>
<thead>
<tr>
<th>( If1 )</th>
<th>( f1 )</th>
<th>( f6 )</th>
<th>( r )</th>
<th>5b</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>We will show that the CAS at Line 6 will only succeed if ( x_1 = true ).</td>
</tr>
</tbody>
</table>

Assume by contradiction that \( r \) successfully CASes \( Permit \) at Line 6 at time \( t \) and \( x_1 \neq true \). We know that \( r \) had successfully set \( x_1 \) to \( true \) in step 5. By observation of the code, only the writer can change \( x_1 \) from \( true \) to a non-\( true \) value. Thus, the writer must have executed lines \( w2 \) to just before \( f1 \) after \( r \) executed Line 5. Thus, it must have executed Line \( w5 \), setting \( Permit \) to \( x_2 \). However, since \( b = r.SafeID \) by step 5 of \( r \), by Item 2 of \( Ig \), \( x_2 \neq r.SafeID \), so \( x_2 \neq r.b \) while \( r \) is at Line 6. Thus, the CAS at Line 6 fails, which is a contradiction.

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f1 )</th>
<th>( - )</th>
<th>( w )</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>Trivially true since ( w.a = x_1 ) by step 5</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f1 )</th>
<th>( - )</th>
<th>( w )</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>obvious</td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f2 )</th>
<th>( r1...r3, r5...r7, ra1, f6 )</th>
<th>( r )</th>
<th>all</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>Analogous to proof for ( If1 )</td>
</tr>
</tbody>
</table>

Note: Item 5c is satisfied for these steps by Item 5c of \( If2 \) being satisfied in \( C \)

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f2 )</th>
<th>( r4 )</th>
<th>( r )</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>( r ) satisfies Item 5c</td>
</tr>
</tbody>
</table>

Analogous to proof for \( If1 \)

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f2 )</th>
<th>( f1 )</th>
<th>( r )</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>If ( r.a \neq true ) in ( C ), then ( r ) will enter the set</td>
</tr>
</tbody>
</table>

\( R(a = x_1, PC = f2) \) by step \( f1 \), satisfying Item 5c.

If \( r.a = true \) in \( C \), since \( x_1 = r.a \) (apparent in step \( f1 \), \( x_1 = true \), so Item 5 is satisfied trivially.

<table>
<thead>
<tr>
<th>( If2 )</th>
<th>( f2 )</th>
<th>( f1 )</th>
<th>( r )</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>Analogous to proof for ( If1 )</td>
</tr>
<tr>
<td>$I_{f_2}$</td>
<td>$f_2$</td>
<td>$f_2$</td>
<td>$r$</td>
<td>5c</td>
</tr>
<tr>
<td>---</td>
<td>---</td>
<td>---</td>
<td>---</td>
<td>---</td>
</tr>
<tr>
<td>If $x_1 = r.a$ in $C$, then it will satisfy $x_1 \in P(f3\ldots f5)$ in $C.s$ by Item 5c of $I_{f_2}$ and step $f_2$. If $x_1 \neq r.a$ in $C$, by inspection of Item 5c of $I_{f_2}$ and step $f_2$, $r$ must not be the reader satisfying Item 5c in $C$. Thus, there must exist another reader $r'$ satisfies Item 5c in $C$ and thus, $r'$ will still satisfy Item 5c in $C.s$.</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_3$</th>
<th>$r$</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td>If $x \notin PID$ in $C$, Item 5 is satisfied trivially. If $x \in PID$ in $C$, by Item 5b $I_{f_2}$, Permit = $w.b$, so step $f_3$ must succeed, satisfying Item 5c.</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_3$</th>
<th>$r$</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td>Analogous to proof for $I_{f_1}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_4$</th>
<th>$r$</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td>If $C = 0$ in $C$, step $f_4$ succeeds, satisfying 5c. If $C \neq 0$ in $C$, by $I_G$, $</td>
<td>R(PC \in {r2\ldots r7, ra1})</td>
<td>\neq 0$. Since the cardinality of the set is always positive, some process in $R(PC \in {r2\ldots r7, ra1}$ satisfies $I_{f_2}$ in $C$ and will satisfy $I_{f_2}$ in $C.s$ also.</td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_4$</th>
<th>$r$</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td>Analogous to proof for $I_{f_1}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_5$</th>
<th>$r$</th>
<th>5</th>
</tr>
</thead>
<tbody>
<tr>
<td>If $x_1 = r.i$ in $C$, $x_1 = true$ in $C.s$ by step $f_5$, so Item 5 is satisfied trivially. If $x_1 \neq r.i$ in $C$, by inspection of Item 5c of $I_{f_2}$ and step $f_5$, $r$ must not be the reader satisfying Item 5c in $C$. Thus, there must exist another reader satisfying Item 5c in $C$ and will continue to satisfy 5c in $C.s$.</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_2}$</th>
<th>$f_2$</th>
<th>$f_5$</th>
<th>$r$</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td>Analogous to proof for $I_{f_1}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_3, f_4}$</th>
<th>$f_2$</th>
<th>$-</th>
<th>w</th>
<th>5c</th>
</tr>
</thead>
<tbody>
<tr>
<td>Trivially true since $x_1 = w.i$ by step $f_2$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_3, f_4}$</th>
<th>$f_2$</th>
<th>$-</th>
<th>w</th>
<th>rest</th>
</tr>
</thead>
<tbody>
<tr>
<td>Proof analogous to that of $I_{f_2}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f_3, f_4}$</th>
<th>$f_3$</th>
<th>$-</th>
<th>w</th>
<th>all</th>
</tr>
</thead>
<tbody>
<tr>
<td>Proof analogous to that of $I_{f_2}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>$I_{f3,f4}$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>---</td>
<td>---</td>
<td>---</td>
<td>---</td>
<td>---</td>
</tr>
<tr>
<td>$f3,$</td>
<td>all</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{f2}$</td>
</tr>
<tr>
<td>$f4$</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f5}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f4$</td>
<td>-</td>
<td>$w$</td>
<td>4a, 5</td>
<td>Follows from Item 1 of $I_G$ since $C = 0$</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f5}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f4$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{f3,f4}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f5}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f5$</td>
<td>$r1,r3...r7$, $ra1,f1...f6$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{f3,f4}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f5}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f5$</td>
<td>$r2$</td>
<td>$r$</td>
<td>5</td>
<td>$d = D$ by step $r2$, and $Gate = \overline{D}$ in $C$ by $I_{f5}$, so $d \neq Gate$ in $C.s$, as req’d</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f6}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f5$</td>
<td>-</td>
<td>$w$</td>
<td>2,3</td>
<td>Follows from step $f5$</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f6}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f5$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{f5}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f6}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f6$</td>
<td>$r1...r7,ra1$, $f1...f4,f6$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{f5}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f6}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f6$</td>
<td>$f5$</td>
<td>$r$</td>
<td>5</td>
<td>Assume by contradiction that in $C.s,$ $R(PC = f6 \land b = Permit) \neq \phi$. Since $w.SafeID = w.b$ by step $f5$, the process(es) in $R(PC = f6 \land b = Permit)$ must have the same $SafeID$ as $w$, which contradicts Item 2 of $I_G$.</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{f6}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f6$</td>
<td>$f5$</td>
<td>$r$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{f5}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{w6,wa1}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f1$</td>
<td>-</td>
<td>$w$</td>
<td>5c</td>
<td>Trivial because $x_1 = true$ from step $f1$</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{w6,wa1}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f1$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{f1}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{w6,wa1}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f2$</td>
<td>-</td>
<td>$w$</td>
<td>5c</td>
<td>In order for the CAS to fail, $x_1 \neq w.a$ in $C$, so Item 5c was satisfied by another reader in $C$ by $I_{f2}$ and will satisfy Item 5c in $C.s$</td>
<td></td>
</tr>
</tbody>
</table>

<table>
<thead>
<tr>
<th>$I_{w6,wa1}$</th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>$f2$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{f2}$ or obvious</td>
<td></td>
</tr>
</tbody>
</table>

Page 38
\[
\begin{array}{|c|c|c|c|c|}
\hline
I_{w6,wa1} & f3 & - & w & 5c \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f3 & - & w & \text{rest} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f3 & - & w & \text{rest} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f3 & - & w & \text{rest} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f4 & - & w & 5c \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f5 & - & w & 4a & \text{Trivially holds since } x_1 = \text{true} \text{ in } C \text{ by Item } 3 \text{ of } I_{f6} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f5 & - & w & 5a & \text{Satisfied by Item } 4a \text{ of } I_{f5} \text{ in } C \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f5 & - & w & 5b & \text{Satisfied by Item } 4b \text{ of } I_{f5} \text{ in } C \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f5 & - & w & 5c & \text{Since the CAS in step } f5 \text{ failed, } x_1 \neq w.i \text{ in } C, \text{ so another reader must have satisfied Item } 4c \text{ of } I_{f5}, \text{ and will satisfy Item } 5c \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f5 & - & w & \text{rest} & \text{Proof analogous to that of } I_{f5} \text{ or obvious} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f6 & - & w & 4, 5 & \text{Trivially holds since } x_1 = \text{true} \text{ in } C \text{ by Item } 3 \text{ of } I_{f6} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f6 & - & w & 6a & \text{Follows from Item } 4 \text{ in } I_{f6} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f6 & - & w & 6b & \text{Trivially holds since } Permit = w.b \text{ in } C \text{ by Item } 2 \text{ of } I_{f6}, \text{ after step } f6, Permit = \text{true} \text{ in } C.s \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f6 & - & w & 6c & \text{Follows from Item } 6 \text{ in } I_{f6} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & f6 & - & w & \text{rest} & \text{Proof analogous to that of } I_{f6} \text{ or obvious} \\
\hline
& & & & \\
\hline
I_{w6,wa1} & w6 & - & w & \text{all} & \text{Proof analogous to that of } I_{f2} \text{ or obvious} \\
\hline
\end{array}
\]
<table>
<thead>
<tr>
<th>$I_{wa1}$</th>
<th>$w6, wa1$</th>
<th>all</th>
<th>$r$</th>
<th>all</th>
<th>Proof analogous to that of $I_{f2}$ or obvious</th>
</tr>
</thead>
<tbody>
<tr>
<td>$I_{wa2}$</td>
<td>$wa1$</td>
<td>-</td>
<td>$w$</td>
<td>2</td>
<td>Follows from step $wa1$</td>
</tr>
<tr>
<td>$I_{wa2}$</td>
<td>$wa1$</td>
<td>-</td>
<td>$w$</td>
<td>5a, 6</td>
<td>Follows from Item 5, 6 of $I_{w6,wa1}$</td>
</tr>
<tr>
<td>$I_{wa2}$</td>
<td>$wa1$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{w6,wa1}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa2}$</td>
<td>$wa2$</td>
<td>all</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{w6,wa1}$ or obvious</td>
</tr>
<tr>
<td>Note: Since $Permit = true$ by Item 2 of $I_{wa2}$, the CAS in step $f6$ must fail</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>$I_{wa3}$</td>
<td>$wa2$</td>
<td>-</td>
<td>$w$</td>
<td>5b</td>
<td>$x_1 = w.a$ by step $wa2$</td>
</tr>
<tr>
<td>$I_{wa3}$</td>
<td>$wa2$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{wa2}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa3}$</td>
<td>$wa3$</td>
<td>$r1...r4, ra1, f1, f2, f4...f6$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{wa2}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa3}$</td>
<td>$wa3$</td>
<td>$f3$</td>
<td>$r$</td>
<td>5b</td>
<td>Since $Permit = true$ by $I_{wa3}$ in $C$, $PC_r$ cannot be in ${f4, f5}$ in $C.s$, so Item 5b holds.</td>
</tr>
<tr>
<td>$I_{wa3}$</td>
<td>$wa3$</td>
<td>$f3$</td>
<td>$r$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{wa2}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa4}$</td>
<td>$wa3$</td>
<td>-</td>
<td>$w$</td>
<td>4</td>
<td>Case 1 ($x_1 \neq w.a$ in $C$): follows from Item 5b of $I_{wa3}$</td>
</tr>
<tr>
<td>$I_{wa4}$</td>
<td>$wa3$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{wa3}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa4}$</td>
<td>$wa4$</td>
<td>all</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{wa3}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa4$</td>
<td>-</td>
<td>$w$</td>
<td>3</td>
<td>Follows from step $wa4$</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa4$</td>
<td>-</td>
<td>$w$</td>
<td>5</td>
<td>Follows from step $wa4$ and Item 5 of $I_{wa4}$</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa4$</td>
<td>-</td>
<td>$w$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{wa4}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa5$</td>
<td>$r1...r6, ra1, f1...f4, f6$</td>
<td>$r$</td>
<td>all</td>
<td>Proof analogous to that of $I_{wa4}$ or obvious</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa5$</td>
<td>$f5$</td>
<td>$r$</td>
<td>3</td>
<td>The CAS at Line $f5$ must fail because of Item 4 in $I_{wa5}$ in $C$</td>
</tr>
<tr>
<td>$I_{wa5}$</td>
<td>$wa5$</td>
<td>$f5$</td>
<td>$r$</td>
<td>rest</td>
<td>Proof analogous to that of $I_{wa4}$ or obvious</td>
</tr>
</tbody>
</table>
\begin{table}
\centering
\begin{tabular}{|c|c|c|c|c|}
\hline
$I_{w7,wa6}$ & $wa3$ & - & $w$ & 3 & Follows from step $wa3$ \\
\hline
$I_{w7,wa6}$ & $wa3$ & - & $w$ & 4, 5 & Follows from Item 6 in $I_{wa3}$ and the fact that $x_1 = true$ by step $wa3$ \\
\hline
$I_{w7,wa6}$ & $wa3$ & - & $w$ & rest & obvious \\
$I_{w7,wa6}$ & $wa4$ & - & $w$ & 3 & Follows from step $wa4$ \\
$I_{w7,wa6}$ & $wa4$ & - & $w$ & 4, 5 & Follows from Item 6 in $I_{wa4}$ and the fact that $x_1 = true$ by step $wa4$ \\
\hline
$I_{w7,wa6}$ & $wa4$ & - & $w$ & rest & obvious \\
$I_{w1,w2}$ & $w7$, $wa6$ & - & $w$ & 1 & Follows from Item 1 in $I_{w7,wa6}$ and step $w7$ or step $wa6$ \\
$I_{w1,w2}$ & $w7$, $wa6$ & - & $w$ & 3 & Follows from Item 3, 4 in $I_{w7,wa6}$ \\
$I_{w1,w2}$ & $w7$, $wa6$ & - & $w$ & 4, 5 & Trivially holds since $x_1 = true$ from Item 3 of $I_{w7,wa6}$ \\
$I_{w1,w2}$ & $w7$, $wa6$ & - & $w$ & rest & obvious \\
$I_{w1,w2}$ & $wa5$ & - & $w$ & 1 & Follows from Item 1 in $I_{wa5}$ and step $wa5$ \\
$I_{w1,w2}$ & $wa5$ & - & $w$ & 3 & Trivially holds since $x_1 \neq true$ from Item 3 of $I_{w5}$ \\
$I_{w1,w2}$ & $wa5$ & - & $w$ & 4 & Follows from Item 3,5 in $I_{wa5}$ \\
$I_{w1,w2}$ & $wa5$ & - & $w$ & 5 & Follows from Item 4 in $I_{wa5}$ \\
$I_{w1,w2}$ & $wa5$ & - & $w$ & rest & obvious \\
\hline
\end{tabular}
\end{table}

7.4 Proof of Properties

Lemma 9. (Mutual Exclusion): A reader $r$ and the writer $w$ cannot be in the CS together

Proof. One can easily see from $I_{w7}$ that there is no reader $r$ in the CS($PC_r = r7$)
Lemma 10. (Bounded Exit): There is an integer $b$ such that in every run, every process completes the Exit Section in at most $b$ of its steps.

Proof. From inspection of Figure 2 on page 18, $w_7$, $r_7$, and $f_1..f_6$ can be executed in a bounded number of steps. Hence the lemma.

Lemma 11. (Concurrent Entering): There is an integer $b$ such that, if $\sigma$ is any run from a reachable configuration such that all writers are in the Remainder Section in every configuration in $\sigma$, then every read attempt in $\sigma$ executes at most $b$ steps of the Try Section before entering the CS.

Proof. Let $b = 7$. Assume by contradiction that there is some reader $r$ who takes more than 7 steps to enter the CS from the Try Section, then $r$ must have stepped multiple times at $PC_r = r_6$, meaning that $r.d \neq Gate$ at some point when $r_6$ was executed. Since $PC_w = w_1$, by inspection of Item 3, 4 of $I_{w_1,w_2}$, $R(PC \in \{r_3...r_6\} \land r.d \neq Gate) = \phi$, which is a contradiction.

The following lemmas will be useful to prove the rest of the properties:

Lemma 12. If at time $t$, a reader $r$ is at Line $r_6$ and $PC_w = w_1$ then Gate = $D$ while $r$ is at line $r_6$.

Proof. As $PC_r = r_6 \land PC_w = w_1$, from $I_{w_1,w_2}$, one can see that $r.d = Gate = D$. W.L.O.G., let $d = D = 1$. To prove this lemma we will show that Gate is not changed while $r$ is at Line $r_6$. Say Gate is set to 0, while $r$ is still at Line $r_6$. It means $w$ executes Gate ← 0 ($w_7$ or $wa_6$) at some time after $t$, such that $PC_r = r_6$, $D = 0$ at $t$. But by item 4 of $I_7$, $R(d = 1, PC \in \{r_3...r_6\}) = \phi$, which is a contradiction.

Lemma 13. If at time $t$, a reader $r$ is at Line $r_6$ and some reader is in the CS, then $r$ is CS-enabled

Proof. Looking through all of the invariants, in any invariant step that does not state $R(PC = r_7) = \phi$ as a property, $R(PC = r_6 \land d \neq Gate) = \phi$ is a property, so $r$ must be enabled. Hence the lemma.

Lemma 14. (Unstoppable Reader Property) If a reader $r$ is in the waiting room ($PC_r = r_6$) at time $t$, then $r$ is CS-enabled at $t$ if any of the following holds:

1. if some reader is in CS at time $t$

2. $r >_r w$, and $w$ is not in the CS or Exit Section
Proof. The first case is a mere consequence of Lemma \ref{lemma:priority}. For the second case, as \( r >_{rp} w \), it means that either \( r \) doorway precedes \( w \), or some reader is in the CS when \( r \) is in the waiting room \((PC_r = r6)\). In the former case it means that there is some time when \( PC_r = r6 \) and \( PC_w = w1 \), hence by Lemma \ref{lemma:waiting} \( r \) should be CS-enabled. In the latter case there is some time when \( PC_r = r6 \) and some other reader is in the CS, hence by Lemma \ref{lemma:priority} \( r \) should be CS-enabled. \hfill \square

Lemma 15. (First-In-First-Enabled) Let \( r \) and \( r' \) be any two read attempts in a run such that \( r \) doorway precedes that of \( r' \). If \( r' \) enters the CS before \( r \), then \( r \) is enabled to enter the CS at the time \( r' \) enters the CS.

Proof. FIFE follows directly from Item 1 of the Unstoppable Reader Property. \hfill \square

Lemma 16. (Reader Priority Property): If an algorithm supports only one Writer and satisfies Mutual Exclusion and Unstoppable Reader Property, then the algorithm satisfies Reader Priority property. (reproduced in verbatim from \cite{2})

Proof. Say \( r \) and \( w \) are read and write attempts respectively, such that \( r >_{rp} w \). Assume for contradiction that \( w \) enters the CS before \( r \), we’ll call earliest such configuration \( C'' \). Say \( C' \) is the earliest configuration in which \( r \) is in the waiting room. By the definition of \( r >_{rp} w \), \( w \) is not in the CS or Exit Section in \( C' \). This means that between \( C' \) and \( C'' \), there is an intermediate configuration \( C \), such that \( w \) is in the Try Section and \( r \) is in the waiting room in \( C \). As \( r >_{rp} w \) and the fact that there is only one writer in the system, by the Unstoppable Reader property, we get that \( r \) is CS-enabled in \( C \). Hence, \( r \) is also CS-enabled in \( C'' \) which violates Mutual Exclusion. \hfill \square

Before we prove Livelock freedom we show that no reader starves.

Lemma 17. If a reader \( r \) is in the Try Section and no process crashes, then \( r \) eventually enters the CS.

Proof. Suppose \( r \) stays in the Try Section forever. Then we first claim that the writer \( w \) also stays in the Try Section forever. This is true because, if \( r \) keeps taking steps it will eventually complete its doorway. Now if \( w \) ever enters the remainder section \((PC_w = w1)\), by Lemma \ref{lemma:waiting} \( r \) will be CS-enabled. And by assumptions of the lemma, as no process crashes, one can see both \( r \) and \( w \) will be in the Try section forever after some time \( t \), which means\( PC_r = r6 \), \( PC_w = w6 \), and...
Lemma 18. (Livelock Freedom) If some process is in the Try Section and no process crashes, then some process enters the CS eventually.

Proof. In the previous lemma we have shown that no reader starves. So to prove this lemma, we show that if no reader is active for all times after some time $t$, then the writer cannot stay in the Try Section forever. Say the writer stays in the Try Section forever after all time $t' > t$. As the writer can only stay at Line $w6$ in the Try Section forever, it means that there is some $t^* > t'$, such that for all times after $t^*$, $PC_w = w6$, $Permit \neq true$ and no readers are active.

We first claim that $X = true$ at $t^*$, as $PC_w = w6$ at $t^*$, by Item 5c of $I_{w6}$, one can see that some reader should be active at $t^*$, which is a contradiction.

So $X \neq true \land PC_w = w6 \land Permit \neq true$. By Item 6b of $I_6$, one can again see that some reader should be active, which is a contradiction. Hence, it means that in the absence of the readers, the writer cannot stay in the Try Section forever. \hfill \Box

Lemma 19. (Wait-Free Reader Abort) A reader in a busy-wait loop in the Try Section can decide to execute the Read-Abort function. We require that a process be able to complete the execution of Read-Abort in a bounded number of its own steps and subsequently enter the Remainder Section.

Proof. From inspection of Figure 2 on page 18, Read – Abort$(i)$ clearly fulfills this property. \hfill \Box

Lemma 20. (Wait-Free Writer Abort) A writer in a busy-wait loop in the Try Section can decide to execute the Write-Abort function. We require that a process be able to complete the execution of Write-Abort in a bounded number of its own steps and subsequently enter the Remainder Section.

Proof. From inspection of Figure 2 on page 18, Write – Abort$(i)$ clearly fulfills this property. \hfill \Box

Lemma 21. (Constant RMR Complexity in the Smart-Cache Model) The algorithm given in Figure 2 on page 18 has $O(1)$ RMR complexity in the Smart-Cache CC model (See Section 3.4).

Proof. From the algorithm, we observe that all lines except Lines $w6$ and $r6$ have a constant number of steps.
Consider Line \( w6 \). Permit is only ever set to \( \neg \text{true} \) by the writer. Since there is only one writer and readers are only capable of setting Permit to \text{true}, the writer can only have a cache miss at \( w6 \) at most 2 times (once initially, and once when Permit changes to \text{true}).

Now consider Line \( r6 \). W.L.O.G., say \( r \) is waiting for Gate to be set to 1. By the arguments similar to the proof of Lemma 12, we know that once the Gate is set to 1 while \( r \) is still at Line \( r6 \), it will not change to 0. Also, by the inspection of the algorithm, one can see that Gate is never overwritten with the same value (either at Line \( w7 \) or \( wa6 \) ). More precisely, the writer writes alternating values (1 and 0) into the Gate. Combining the two facts, one can see that while \( r \) is at Line \( r6 \), only a single write operation is performed on Gate. Thus, the writer will have a cache miss at \( r6 \) at most 2 times (once initially, and once when Gate changes).

Recall that in the Conservative-Cache model, in any \( \text{CAS}(A, u, v) \) operation where a CAS fails (and thus not changing the value of \( A \)), the system may or may not invalidate any caches containing \( A \). In the algorithm presented in Figure 2 on page 18, this generates a worst-case RMR-complexity of \( O(n_r) \), where \( n_r \) is the number of readers.

Example 22. Consider the case when there is a reader \( r1 \) in the CS. In the meantime, a writer \( w \) enters the Try Section, executes up to Line \( w6 \) and sleeps. At this time, \( r1 \) executes up to Line \( f6 \) and sleeps. \( w \) then decides to abort. At this time, another reader \( r2 \) enters the CS and \( w \) enters the Try Section again. If this cycle repeats, we could have an execution where \( n_r - 1 \) readers are at Line \( f6 \) and 1 reader is in the CS. If at this point, \( w \) arrives at Line \( w6 \), \( X \neq \text{true} \), and Permit = \( w.b \) by \( I_{w6} \). If each readers now wake up and execute Line \( f6 \) (and experience a CAS failure), in the Conservative-Cache model, \( w \) could potentially experience \( n_r - 1 \) cache misses if \( w \) wakes up in between each reader’s execution of Line \( f6 \).

However, we can prove that our algorithm has constant amortized RMR complexity in the Conservative-Cache model by associating potential CAS failures with writer aborts.

Lemma 23. (Constant Amortized RMR Complexity: Conservative-Cache Model) The algorithm given in Figure 2 on page 18 has \( O(1) \) amortized RMR complexity in the Conservative-Cache CC model.

Proof. We will show that each CAS failure incurred by the writer \( w \) at Line \( w6 \) can be attributed
to a previous call of \textit{Write - Lock}. Since from observation of the code, \( w \) is the only process that can change \( X \) from \textit{true} to a \textit{non-true} value (at Line \( w2 \)), Line \( f5 \) can be successfully completed at most once for every call of \textit{Write-Lock}. (Note, however, because \( w \) can abort, not all of the \textit{Write-Lock} calls incur the cache miss in its designated iteration). Nonetheless, each \textit{Write-Lock} call incurs a constant amortized RMR complexity.
8 Worst-case O(1)-RMR in Conservative Cache Model

Provided that pids are contiguous, we can modify our algorithm to have constant RMR for up to \( R \) readers (where \( R \) is a constant), beyond which the algorithm will have a worst-case \( O\left(\frac{n_r}{R}\right)\)-RMR, where \( n_r \) is the number of readers executing the algorithm. Thus, in a case where \( n_r < R \), we will incur constant RMR.

To do this, we modify \textit{Permit} to be an array of size \( R \) and replace all instances of \( \textit{Permit} \) in Figure 2 on page 18 with \( \textit{Permit}[b\%R] \).

Thus, at any iteration of \textit{Write - Lock}, the writer will only be waiting on the \( \textit{Permit} \) at index \( x_2\%R \), which can have a maximum of \( \frac{n_r}{R} \) readers at Line \textit{f6} that map to index \( x_2\%R \). However, from \( I_G \), we know that each reader will have a distinct \textit{SafeID}, and thus, a distinct \( b \) value (from step \textit{f5}), only one reader is poised to have a successful CAS at Line \textit{f6} at any given time.

This variation of the algorithm can also be proved in a similar manner using invariants. However, that is beyond the scope of this thesis and we shall be omitting this proof.


9 **Generalization to Multi-Reader Multi-Writer Algorithm**

Given any Abortable Mutual Exclusion algorithm $Z$ satisfying FCFS, Bounded Exit, and Starvation Freedom, we can simply generate the abortable reader-priority multi-writer multi-reader algorithm as follows:

Let the Write-Lock procedure in Figure 2 on page 18 be referred to as $SW$-Write-Lock in the code below and let $Abortable$-Mutex-Lock$_i()$ and $Abortable$-Mutex-Unlock$_i()$ be the Lock and Unlock functions of $Z$:

```plaintext
procedure Write-Lock$_i()$
    Abortable-Mutex-Lock$_i()$
    $SW$-Write-Lock$_i()$
    Abortable-Mutex-Unlock$_i()$
}
```

The Read-Lock procedure remains the same as in Figure 2 on page 18.

It is easy to observe that properties ensuring reader priority and liveness (P4, P5, RP1, RP2, A1) are fulfilled by this algorithm, as writers do not obstruct readers in the execution of $Z$. Moreover, P1, P2, P3, P6, and A2 are satisfied because the same properties also hold in $Z$.

The RMR-complexity of the resulting algorithm is the same as that of $Z$, since our multi-reader single-writer algorithm has constant-RMR complexity. This RMR limitation is acceptable because in the absence of readers, the abortable multi-reader multi-writer algorithm is equivalent to the abortable mutual exclusion problem. For example, we can let $Z$ be the abortable mutual exclusion algorithm by Jayanti [10], which produces a $\min(k, \log(n_w))$-RMR algorithm for abortable multi-reader multi-writer algorithm (where $k$ is the number of writers contending to enter the CS and $n_w$ is the total number of writers). To our knowledge, this is the most efficient abortable mutual-exclusion algorithm for the CC system and it uses LL/SC objects (which can be implemented by CAS [17]).
10 Conclusion

The reader-writer problem is a variation of the mutual exclusion problem where processes are divided into readers and writers such that when a writer is accessing a shared resource, no other processes can access the resource, but may readers can access the resource at the same time.

In this thesis, we presented a constant-RMR abortable reader-priority reader-writer algorithm for Smart-Cache/Cache-Coherent Systems. We also showed that this algorithm has amortized constant-RMR in Conservative-Cache Systems. We verified the model empirically using PlusCal/TLA+ to specify the algorithm and model-checking it in TLC. We then proved the algorithm using invariants. In the process of verifying this algorithm, we felt that it was inadequate to prove the algorithm without using invariants, since temporal arguments about a sufficiently long algorithm and arguments would be harder to understand and could easily be incorrect. However, it is often also laborious to manually check invariants to ensure the correctness of an invariant proof. In this thesis, an extensive attempt was made to prove the algorithm using TLAPS (TLA+ Proof System) [9]. We found TLAPS to still be in its developmental stages, as it does not reason about concepts necessary to our proof, such as set cardinality. Even besides that, perhaps due to unfamiliarity with TLAPS, we did not successfully produce a TLAPS proof of the algorithm. Regardless, we found model checking to be a powerful verification to give us confidence in our algorithm and invariants.

Moreover, we provided a constant-RMR version of the algorithm for up to $R$ readers (where $R$ is a constant), beyond which the RMR-complexity algorithm will be $O(n_r^2)$, where $n_r$ is the number of readers in the algorithm.

We also showed how to generalize the algorithm into a multi-reader multi-writer algorithm which uses (and is dependent on the time complexity of) any given abortable mutual exclusion algorithm.
11 Acknowledgments

First and foremost, I want to extend my thanks to my advisor, Professor Prasad Jayanti, and his loving family, who not only provided academic and intellectual support through one of the most challenging and exciting experiences of my time at Dartmouth, but also treated me like a member of their family and left me with a broader understanding of culture and spirituality. The time we spent together, be it hours of spent verifying invariants, learning about the Puja, or experiencing the tension of the moment before India won the Cricket World Cup, are moments that will stay with me for life. Thank you for being so amazing!

I would also like to give my warmest thanks to my thesis committee members. First, to Professor Thomas Cormen, who has been my biggest influence at Dartmouth, for his continual support and encouragement to pursue computer science since my freshman fall at Dartmouth. Not only was he a great mentor, but he made me feel welcome and accepted in a major that I was very uncertain about. Truly, thank you for everything.

And also, to Professor Andrew Campbell, for being a wonderful mentor and friend who opened my eyes to the world of hacking. Never did I think I could even understand, not to mention build, a search engine, network stack, and bittorrent in mere weeks. Thank you for bringing excitement into the world of CS!

I would like to thank the members of the Dartmouth Concurrent Research Group (DCRG), Jack Bowman, Jonathan Choi, Michael Diamond, Matthew Elkherj, and Zhiyu Liu for all our great discussions and intellectual pursuit. It was wonderful getting to know all of you and going through the same experience together. I learnt so much from each one of you and our time together has truly made me even more excited about concurrent algorithms! I wish you all the best in your future endeavors.

Also, a big thank you to Ranganath Kondapally and Vibhor Bhatt for being wonderful mentors throughout my discovery of the world of algorithms and theory in computer science. I have lost count of the number of times I crowded your office hours, but had it not been for you two, I might have ended up being a biology major instead.

To my loving and caring friends who shared so much laughter and tears with me during the past four years, this would not have been possible without your love and support. Thank you so much.
And finally, to my loving parents who were behind me for the past 21 years of my life, thank you for all your love and sacrifices. There are no words to express my gratitude towards you, but truly, thank you for everything that you have done for me.
References


A Appendix

A.1 Algorithm and Invariants Specified in PlusCal and TLA+
EXTENDS Naturals, FiniteSets, TLC
CONSTANTS WriterProc, ReaderProc, nPID, true

TLC complains if we use true/false in X1 and Permit, so let us define 0 = true and 1 = false. Thus, WriterProc and ReaderProc cannot contain \{0, 1\}

ASSUME ProcType ≜ 
\[\begin{align*}
&\text{WriterProc } \in \text{Nat} \setminus \{\text{true, nPID}\} \\
&\text{ReaderProc } \subseteq \text{Nat} \setminus \{\text{true, nPID}\} \\
&\{\text{WriterProc}\} \cap \text{ReaderProc} = \{\}
\end{align*}\]
\[\begin{align*}
&\text{nPID } \in \text{Nat} \\
&\text{true } \in \text{Nat}
\end{align*}\]

PlusCal Algorithm
\[\begin{align*}
\text{-algorithm ReaderPriority} \{ \\
&\text{GLOBAL VARIABLES} \\
&\text{variables } D = \text{false}, \\
&\hspace{1cm} \text{Gate} = \text{false}, \\
&\hspace{1cm} X_1 = \text{true}, \\
&\hspace{1cm} X_2 = \text{nPID}, \\
&\hspace{1cm} \text{Permit} = \text{true}, \\
&\hspace{1cm} C = 0; \\
&\text{process(} \text{writerprocess } = \text{WriterProc}\}\{ \\
&\text{variables } \text{wSafeID} = \text{WriterProc, wa, wb, prevD, currD}; \\
&\text{w_1\_nes : while(} \text{true}\text{)}\{ \\
&\text{w_1 : wb } := X_2; \\
&\text{w_2 : X_1 } := \text{WriterProc}; \\
&\hspace{1cm} X_2 := \text{wb}; \\
&\text{w_3 : prevD } := D; \\
&\hspace{1cm} \text{currD } := \neg prevD; \\
&\text{w_4 : D } := \text{currD}; \\
&\text{w_5 : Permit } := \text{wb}; \\
&\text{\* Promote(i). Not a procedure so we can reason without the stack} \\
&\text{w_1\_f : if(} \text{wa } \neq \text{true}\text{){} \\
&\text{w_2 : if(} X_1 = \text{wa } \wedge X_2 = \text{wb}\text{) } \{\text{CAS(} X, [\text{wa}, \text{wb}], [i, \text{wb}]\}\} \\
&\hspace{1cm} X_1 := \text{WriterProc}; \\
&\hspace{1cm} X_2 := \text{wb}; \\
&\text{w_3 : if(} \text{Permit } \neq \text{true}\text{){} \\
&\text{w_4 : if(} C = 0\text{){} \\
&\text{w_5 : if(} X_1 = \text{WriterProc } \wedge X_2 = \text{wb}\text{)} \{\text{CAS(} X, [\text{i, wb}], [\text{true, wSafeID}]\}\} \\
&\hspace{1cm} X_1 := \text{true}; \\
&\hspace{1cm} X_2 := \text{wSafeID}; \\
&\hspace{1cm} \text{wSafeID } := \text{wb}; \\
&\text{w_6 : if(} \text{Permit } = \text{wb}\text{) } \{\text{CAS(Permit, wb, true)} \}
&\text{Permit } := \text{true}; \\
&\}\}
\end{align*}\]
\* *WRITER ABORT SEQUENCE*

\begin{align*}
\text{wa1} : & \quad \text{Permit} := \text{true}; \\
\text{wa2} : & \quad \text{wa} := X_1; \\
\text{wa} : & \quad \text{wb} := X_2; \\
\text{wa}3 : & \quad \text{if}(\text{wa} \neq \text{true})\{
\quad \text{if}(X_1 = \text{wa} \land X_2 = \text{wb})\{ \quad \text{CAS}(X, [\text{wa}, \text{wb}], [\text{nPID}, \text{wb}]) \\
\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad X_1 := \text{nPID}; \\
\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad X_2 := \text{wb}; \\
\quad \}
\}
\text{wa}4 : & \quad \text{if}(X_1 \neq \text{true})\{
\}
\text{wa}5 : & \quad \text{D} := \text{prevD}; \\
\text{wa}6 : & \quad \text{goto w7;}
\end{align*}

\* *READ-LOCK CODE*

\begin{align*}
\text{process}(\text{readerprocess} \in \text{ReaderProc})
\quad \text{variables rSafeID} = \text{self}, d, ra, rb; \{
\text{r} \_\text{ncs} : \text{while}(\text{true})\{
\quad r1 : C := C + 1; \quad \text{atomic F \& A} \\
\quad r2 : d := D; \\
\quad r3 : ra := X_1; \quad \text{atomic read on X1 and X2} \\
\quad \text{rb} := X_2; \\
\quad r4 : \text{if}(ra \in (\{\text{WriterProc}\} \cup \text{ReaderProc}))\{
\quad \text{if}(X_1 = ra \land X_2 = \text{rb})\{\quad \text{CAS}(X, [ra, \text{rb}], [i, \text{rb}]) \\
\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad X_1 := \text{self}; \\
\quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad X_2 := \text{rb}; \\
\quad \}
\}
\quad r5 : \text{if}(X_1 = \text{true})\{
\}
\quad r6 : \quad \text{while}(\text{Gate} \neq d)\{
\quad \text{either} \{\text{goto ra1;} \text{or} \{\text{goto r6;} \} \; \text{\* abort or wait}
\}
\end{align*}
BEGIN TRANSLATION

\begin{align*}
& \text{constant } \text{defaultInitValue} \\
& \text{variables } D, \text{Gate}, X_1, X_2, \text{Permit}, C, pc, \text{wSafeID}, wa, wb, \text{prevD}, \text{currD}, \\
& \hspace{1cm} \text{rSafeID}, d, ra, rb \\
& \text{vars } \triangleq (D, \text{Gate}, X_1, X_2, \text{Permit}, C, pc, \text{wSafeID}, wa, wb, \text{prevD}, \text{currD}, \\
& \hspace{2cm} \text{rSafeID}, d, ra, rb) \\
& \text{ProcSet } \triangleq \{ \text{WriterProc} \} \cup (\text{ReaderProc}) \\
& \text{Init } \triangleq \text{Global variables} \\
& \hspace{1cm} \land D = \text{false} \\
& \hspace{1cm} \land \text{Gate} = \text{false} \\
& \hspace{1cm} \land X_1 = \text{true} \\
& \hspace{1cm} \land X_2 = \text{nPID} \\
& \hspace{1cm} \land \text{Permit} = \text{true} \\
& \hspace{1cm} \land C = 0 \\
& \hspace{1cm} \text{Process writerprocess} \\
\end{align*}

\text{\textbf{BEGIN TRANSLATION}}

\text{\textbf{CONSTANT defaultInitValue}}

\text{\textbf{VARIABLES D, Gate, X1, X2, Permit, C, pc, wSafeID, wa, wb, prevD, currD,}}

\text{\textbf{rSafeID, d, ra, rb}}

\text{\textbf{vars } \triangleq (D, Gate, X1, X2, Permit, C, pc, wSafeID, wa, wb, prevD, currD,}}

\text{\textbf{rSafeID, d, ra, rb)}}

\text{\textbf{ProcSet } \triangleq \{ WriterProc \} \cup (ReaderProc)}}
\( w_{\text{SafeID}} = \text{WriterProc} \)
\( w_a = \text{defaultInitValue} \)
\( w_b = \text{defaultInitValue} \)
\( \text{prevD} = \text{defaultInitValue} \)
\( \text{currD} = \text{defaultInitValue} \)

\[ \text{Process readerprocess} \]
\( r_{\text{SafeID}} = [\text{self} \in \text{ReaderProc} \mapsto \text{self}] \)
\( d = [\text{self} \in \text{ReaderProc} \mapsto \text{defaultInitValue}] \)
\( r_a = [\text{self} \in \text{ReaderProc} \mapsto \text{defaultInitValue}] \)
\( r_b = [\text{self} \in \text{ReaderProc} \mapsto \text{defaultInitValue}] \)
\( pc = [\text{self} \in \text{ProcSet} \mapsto \text{case self = WriterProc \rightarrow "w_{\text{ncs}}" \atop \square \text{self} \in \text{ReaderProc} \rightarrow "r_{\text{ncs}}"}] \)

\( w_{\text{ncs}} \triangleq \land pc[\text{WriterProc}] = "w_{\text{ncs}}" \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w1"] \)
\( \land \text{UNCHANGED} (D, \text{Gate}, X_1, X_2, \text{Permit}, C, w_{\text{SafeID}}, w_a, w_b, \text{prevD}, \text{currD}, r_{\text{SafeID}}, d, r_a, r_b) \)

\( w_1 \triangleq \land pc[\text{WriterProc}] = "w1" \)
\( \land w_b' = X_2 \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w2"] \)
\( \land \text{UNCHANGED} (D, \text{Gate}, X_1, X_2, \text{Permit}, C, w_{\text{SafeID}}, w_a, \text{prevD}, \text{currD}, r_{\text{SafeID}}, d, r_a, r_b) \)

\( w_2 \triangleq \land pc[\text{WriterProc}] = "w2" \)
\( \land X_1' = \text{WriterProc} \)
\( \land X_2' = w_b \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w3"] \)
\( \land \text{UNCHANGED} (D, \text{Gate}, \text{Permit}, C, w_{\text{SafeID}}, w_a, \text{prevD}, \text{currD}, r_{\text{SafeID}}, d, r_a, r_b) \)

\( w_3 \triangleq \land pc[\text{WriterProc}] = "w3" \)
\( \land \text{prevD}' = D \)
\( \land \text{currD}' = (\neg \text{prevD}') \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w4"] \)
\( \land \text{UNCHANGED} (D, \text{Gate}, X_1, X_2, \text{Permit}, C, w_{\text{SafeID}}, w_a, \text{wb}, r_{\text{SafeID}}, d, r_a, r_b) \)

\( w_4 \triangleq \land pc[\text{WriterProc}] = "w4" \)
\( \land D' = \text{currD} \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w5"] \)
\( \land \text{UNCHANGED} (\text{Gate}, X_1, X_2, \text{Permit}, C, w_{\text{SafeID}}, w_a, \text{wb}, \text{prevD}, \text{currD}, r_{\text{SafeID}}, d, r_a, r_b) \)

\( w_5 \triangleq \land pc[\text{WriterProc}] = "w5" \)
\( \land \text{Permit}' = w_b \)
\( \land pc' = [pc \text{ except } ![\text{WriterProc}] = "w_{f1}"] \)
\(\wedge\text{UNCHANGED}\langle D, \text{Gate}, X_1, X_2, C, w\text{SafeID}, wa, wb, \text{prevD}, \text{currD},\)
\(r\text{SafeID}, d, ra, rb\rangle\)

\(wf_1 \triangleq \wedge pc[\text{WriterProc}] = "wf1"
\wedge wa' = X_1
\wedge wb' = X_2
\wedge \text{IF } wa' \neq \text{true}
\text{THEN } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf2"]
\text{ELSE } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\wedge\text{UNCHANGED}\langle D, \text{Gate}, X_1, X_2, \text{Permit}, C, w\text{SafeID}, \text{prevD}, \text{currD},\)
\(r\text{SafeID}, d, ra, rb\rangle\)

\(wf_2 \triangleq \wedge pc[\text{WriterProc}] = "wf2"
\wedge X_1 = wa \wedge X_2 = wb
\text{THEN } \wedge X_1' = \text{WriterProc}
\wedge X_2' = wb
\wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf3"]
\text{ELSE } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\wedge\text{UNCHANGED}\langle X_1, X_2\rangle\)

\(wf_3 \triangleq \wedge pc[\text{WriterProc}] = "wf3"
\wedge \text{IF } \text{Permit} \neq \text{true}
\text{THEN } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf4"]
\text{ELSE } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\wedge\text{UNCHANGED}\langle D, \text{Gate}, X_1, X_2, \text{Permit}, C, w\text{SafeID}, wa, wb, \text{prevD}, \text{currD},\)
\(r\text{SafeID}, d, ra, rb\rangle\)

\(wf_4 \triangleq \wedge pc[\text{WriterProc}] = "wf4"
\wedge \text{IF } C = 0
\text{THEN } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf5"]
\text{ELSE } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\wedge\text{UNCHANGED}\langle D, \text{Gate}, X_1, X_2, \text{Permit}, C, w\text{SafeID}, wa, wb, \text{prevD}, \text{currD}, r\text{SafeID}, d, ra, rb\rangle\)

\(wf_5 \triangleq \wedge pc[\text{WriterProc}] = "wf5"
\wedge \text{IF } X_1 = \text{WriterProc} \wedge X_2 = wb
\text{THEN } \wedge X_1' = \text{true}
\wedge X_2' = w\text{SafeID}
\wedge w\text{SafeID}' = wb
\wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\text{ELSE } \wedge pc' = [pc \text{ EXCEPT } ![\text{WriterProc}] = "wf6"]
\wedge\text{UNCHANGED}\langle X_1, X_2, w\text{SafeID}\rangle\)
\wedge\text{UNCHANGED}\langle D, \text{Gate}, \text{Permit}, C, wa, wb, \text{prevD}, \text{currD}, r\text{SafeID}, d, ra, rb\rangle\)
\( \text{wf6} \overset{\triangle}{=} \land pc[WriterProc] = \text{"wf6"} \)
\( \land \text{IF Permit = wb} \)
\( \text{THEN} \land \text{Permit'} = \text{true} \)
\( \text{ELSE} \land \text{true} \)
\( \land \text{UNCHANGED Permit} \)
\( \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wf6"}] \)
\( \land \text{UNCHANGED (D, Gate, X1, X2, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb)} \)

\( \text{w6} \overset{\triangle}{=} \land pc[WriterProc] = \text{"w6"} \)
\( \land \text{IF Permit \neq true} \)
\( \text{THEN} \land \lor \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"w6"}] \)
\( \lor \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wa1"}] \)
\( \text{ELSE} \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"w_cs"}] \)
\( \land \text{UNCHANGED (D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb)} \)

\( \text{wa1} \overset{\triangle}{=} \land pc[WriterProc] = \text{"wa1"} \)
\( \land \text{Permit'} = \text{true} \)
\( \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wa2"}] \)
\( \land \text{UNCHANGED (D, Gate, X1, X2, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb)} \)

\( \text{wa2} \overset{\triangle}{=} \land pc[WriterProc] = \text{"wa2"} \)
\( \land wa' = X1 \)
\( \land wb' = X2 \)
\( \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wa3"}] \)
\( \land \text{UNCHANGED (D, Gate, X1, X2, Permit, C, wSafeID, prevD, currD, rSafeID, d, ra, rb)} \)

\( \text{wa3} \overset{\triangle}{=} \land pc[WriterProc] = \text{"wa3"} \)
\( \land \text{IF wa \neq true} \)
\( \text{THEN} \land \text{IF X1 = wa \land X2 = wb} \)
\( \text{THEN} \land X1' = npID \)
\( \land X2' = wb \)
\( \text{ELSE} \land \text{true} \)
\( \land \text{UNCHANGED (X1, X2)} \)
\( \text{ELSE} \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wa4"}] \)
\( \land \text{UNCHANGED (X1, X2)} \)
\( \land \text{UNCHANGED (D, Gate, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb)} \)

\( \text{wa4} \overset{\triangle}{=} \land pc[WriterProc] = \text{"wa4"} \)
\( \land \text{IF X1 \neq true} \)
\( \text{THEN} \land pc' = [pc \text{ EXCEPT !}[WriterProc] = \text{"wa5"}] \)
\begin{align*}
\text{else} & \land pc' = [pc \text{ except } ![WriterProc] = \text{“wa6”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, \\
& \quad currD, rSafeID, d, ra, rb \rangle \\
wa5 & \triangleq \land pc[WriterProc] = \text{“wa5”} \\
& \land D' = prevD \\
& \land pc' = [pc \text{ except } ![WriterProc] = \text{“w\_ncs”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, \\
& \quad rSafeID, d, ra, rb \rangle \\
wa6 & \triangleq \land pc[WriterProc] = \text{“wa6”} \\
& \land pc' = [pc \text{ except } ![WriterProc] = \text{“wT”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, \\
& \quad rSafeID, d, ra, rb \rangle \\
w\_cs & \triangleq \land pc[WriterProc] = \text{“w\_cs”} \\
& \land \text{TRUE} \\
& \land pc' = [pc \text{ except } ![WriterProc] = \text{“wT”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, \\
& \quad rSafeID, d, ra, rb \rangle \\
w7 & \triangleq \land pc[WriterProc] = \text{“wT”} \\
& \land Gate' = currD \\
& \land pc' = [pc \text{ except } ![WriterProc] = \text{“w\_ncs”}] \\
& \land \text{UNCHANGED} \langle D, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, \\
& \quad rSafeID, d, ra, rb \rangle \\
\text{writerprocess} & \triangleq w\_ncs \lor w1 \lor w2 \lor w3 \lor w4 \lor w5 \lor wf1 \lor wf2 \lor wf3 \\
& \quad \lor wf4 \lor wf5 \lor wf6 \lor w6 \lor wa1 \lor wa2 \lor wa3 \lor wa4 \\
& \quad \lor wa5 \lor wa6 \lor w\_cs \lor w7 \\
\text{r\_ncs(self)} & \triangleq \land pc[\text{self}] = \text{“r\_ncs”} \\
& \land pc' = [pc \text{ except } ![\text{self}] = \text{“r1”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, \\
& \quad prevD, currD, rSafeID, d, ra, rb \rangle \\
\text{r1(self)} & \triangleq \land pc[\text{self}] = \text{“r1”} \\
& \land C' = C + 1 \\
& \land pc' = [pc \text{ except } ![\text{self}] = \text{“r2”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb \rangle \\
\text{r2(self)} & \triangleq \land pc[\text{self}] = \text{“r2”} \\
& \land d' = [d \text{ except } ![\text{self}] = D] \\
& \land pc' = [pc \text{ except } ![\text{self}] = \text{“r3”}] \\
& \land \text{UNCHANGED} \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, ra, rb \rangle
\end{align*}
\[ r3(self) \triangleq \land pc[\text{self}] = "r3" \]
\[ \land ra' = \left\{ \begin{array}{ll}
ra & \text{IF ra[\text{self}] } \in (\{WriterProc\} \cup ReaderProc) \\
ra' = \{ra \text{ except } ![\text{self}] = X1\} & \text{ELSE}
\end{array} \right. \]
\[ \land rb' = \left\{ \begin{array}{ll}
rb & \land X1 = ra[\text{self}] \land X2 = rb[\text{self}] \\
rb' = \{rb \text{ except } ![\text{self}] = "r4"\} & \text{ELSE}
\end{array} \right. \]
\[ \land pc' = \left\{ \begin{array}{ll}
pc & \land ![\text{self}] = X1 \\
pc' = \{pc \text{ except } ![\text{self}] = "rf1"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d \rangle \]

\[ r4(self) \triangleq \land pc[\text{self}] = "r4" \]
\[ \land \text{IF ra[\text{self}] } \in (\{WriterProc\} \cup ReaderProc) \]
\[ \text{THEN } \land X1 = ra[\text{self}] \land X2 = rb[\text{self}] \]
\[ \land X1' = self \]
\[ \land X2' = rb[\text{self}] \]
\[ \land pc' = \left\{ \begin{array}{ll}
pc & \land ![\text{self}] = X1 \\
pc' = \{pc \text{ except } ![\text{self}] = "r5"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle X1, X2 \rangle \]

\[ r5(self) \triangleq \land pc[\text{self}] = "r5" \]
\[ \land \text{IF } X1 = \text{true} \]
\[ \text{THEN } \land \land pc' = \left\{ \begin{array}{ll}
\text{UNCHANGED } & \land ![\text{self}] = "r6" \\
\land pc' = \{pc \text{ except } ![\text{self}] = "r\_cs"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb \rangle \]

\[ r6(self) \triangleq \land pc[\text{self}] = "r6" \]
\[ \land \text{IF } Gate \neq d[\text{self}] \]
\[ \text{THEN } \land \lor \land pc' = \left\{ \begin{array}{ll}
\text{UNCHANGED } & \land ![\text{self}] = "ra1" \\
\lor \land pc' = \{pc \text{ except } ![\text{self}] = "r6"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb \rangle \]

\[ r\_cs(self) \triangleq \land pc[\text{self}] = "r\_cs" \]
\[ \land \text{TRUE} \]
\[ \land pc' = \left\{ \begin{array}{ll}
\text{UNCHANGED } & \land ![\text{self}] = "r7" \\
\land pc' = \{pc \text{ except } ![\text{self}] = "rf1"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb \rangle \]

\[ r7(self) \triangleq \land pc[\text{self}] = "r7" \]
\[ \land C' = C - 1 \]
\[ \land pc' = \left\{ \begin{array}{ll}
\text{UNCHANGED } & \land ![\text{self}] = "r\_cs" \\
\land pc' = \{pc \text{ except } ![\text{self}] = "rf1"\} & \text{ELSE}
\end{array} \right. \]
\[ \land \text{UNCHANGED } \langle D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb \rangle \]
\[ r_{a1}(self) \triangleq \wedge pc[self] = "ra1" \\
\wedge C' = C - 1 \\
\wedge pc' = \{pc\ \text{except} \ ![self] = "rf1"\} \\
\wedge \text{UNCHANGED} (D, Gate, X1, X2, Permit, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb) \]

\[ r_{f1}(self) \triangleq \wedge pc[self] = "rf1" \\
\wedge ra' = [ra\ \text{except} \ ![self] = X1] \\
\wedge rb' = [rb\ \text{except} \ ![self] = X2] \\
\wedge \text{IF} ra'\![self] \neq \text{true} \\
\hspace{1em} \text{THEN} \wedge pc' = \{pc\ \text{except} \ ![self] = "rf2"\} \\
\hspace{1em} \text{ELSE} \wedge pc' = \{pc\ \text{except} \ ![self] = "r_{ncs}"\} \\
\wedge \text{UNCHANGED} (D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb) \]

\[ r_{f2}(self) \triangleq \wedge pc[self] = "rf2" \\
\wedge \text{IF} X1 = ra\![self] \land X2 = rb\![self] \\
\hspace{1em} \text{THEN} \wedge X1' = self \\
\hspace{2em} \wedge X2' = rb\![self] \\
\hspace{1em} \wedge pc' = \{pc\ \text{except} \ ![self] = "rf3"\} \\
\hspace{1em} \text{ELSE} \wedge pc' = \{pc\ \text{except} \ ![self] = "r_{ncs}"\} \\
\wedge \text{UNCHANGED} (X1, X2) \\
\wedge \text{UNCHANGED} (D, Gate, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb) \]

\[ r_{f3}(self) \triangleq \wedge pc[self] = "rf3" \\
\wedge \text{IF} Permit \neq \text{true} \\
\hspace{1em} \text{THEN} \wedge pc' = \{pc\ \text{except} \ ![self] = "rf4"\} \\
\hspace{1em} \text{ELSE} \wedge pc' = \{pc\ \text{except} \ ![self] = "r_{ncs}"\} \\
\wedge \text{UNCHANGED} (D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb) \]

\[ r_{f4}(self) \triangleq \wedge pc[self] = "rf4" \\
\wedge \text{IF} C = 0 \\
\hspace{1em} \text{THEN} \wedge pc' = \{pc\ \text{except} \ ![self] = "rf5"\} \\
\hspace{1em} \text{ELSE} \wedge pc' = \{pc\ \text{except} \ ![self] = "r_{ncs}"\} \\
\wedge \text{UNCHANGED} (D, Gate, X1, X2, Permit, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb) \]

\[ r_{f5}(self) \triangleq \wedge pc[self] = "rf5" \\
\wedge \text{IF} X1 = self \land X2 = rb\![self] \\
\hspace{1em} \text{THEN} \wedge X1' = true \\
\hspace{2em} \wedge rSafeID' = \{rSafeID\ \text{except} \ ![self] = rb\![self]\} \\
\hspace{2em} \wedge pc' = \{pc\ \text{except} \ ![self] = "rf6"\} \\
\hspace{1em} \text{ELSE} \wedge pc' = \{pc\ \text{except} \ ![self] = "r_{ncs}"\} \]
∧ UNCHANGED \{X_1, X_2, rSafeID\} \\
∧ UNCHANGED \{D, Gate, Permit, C, wSafeID, wa, wb, prevD, currD, d, ra, rb\}

rf6(self) ≜ ∧ pc[self] = “rf6” \\
∧ IF Permit = rb[self] \\
  THEN ∧ Permit' = true \\
  ELSE ∧ TRUE \\
∧ UNCHANGED Permit \\
∧ pc' = [pc EXCEPT ![self] = “r_ncs”]
∧ UNCHANGED \{D, Gate, X_1, X_2, C, wSafeID, wa, wb, prevD, currD, rSafeID, d, ra, rb\}

readerprocess(self) ≜ r_ncs(self) ∨ r1(self) ∨ r2(self) ∨ r3(self) \\
  ∨ r4(self) ∨ r5(self) ∨ r6(self) ∨ r_cs(self) \\
  ∨ r7(self) ∨ ra1(self) ∨ rf1(self) ∨ rf2(self) \\
  ∨ rf3(self) ∨ rf4(self) ∨ rf5(self) ∨ rf6(self)

Next ≜ writerprocess \\
  ∨ (∃ self ∈ ReaderProc : readerprocess(self))

Spec ≜ Init ∧ □[Next] vars

Termination ≜ ◇(∀ self ∈ ProcSet : pc[self] = “Done”)

END TRANSLATION

List of Invariants:

TypeOK ≜ ∧ D ∈ \{TRUE, FALSE\} \\
∧ Gate ∈ \{TRUE, FALSE\} \\
∧ X_1 ∈ (ProcSet ∪ \{true, nPID\}) \\
∧ X_2 ∈ (ProcSet ∪ ReaderProc ∪ \{nPID\}) \\
∧ Permit ∈ (ProcSet ∪ \{true, nPID\}) \\
∧ C ∈ Nat \\
∧ wSafeID ∈ (ProcSet ∪ \{nPID\}) \\
∧ ∀ i ∈ ReaderProc : rSafeID[i] ∈ (ProcSet ∪ \{nPID\}) \\
∧ WriterProc ∈ Nat \{true, nPID\} \\
∧ ReaderProc ⊆ Nat \{true, nPID\} \\
∧ \{WriterProc\} ∩ ReaderProc = { }

I_Global ≜ ∧ C = Cardinality\{i ∈ ReaderProc : pc[i] ∈ \{“r2”, “r3”, “r4”, “r5”, “r6”, “r7”, “ra1”, “r_cs”\}\} \\
∧ Cardinality\{X_2\} ∪ \{wSafeID} \\
  ∪ \{rSafeID[i] : i ∈ ReaderProc\} = Cardinality(ProcSet) + 1

I_w1w2 ≜ pc[WriterProc] ∈ \{“w_ncs”, “w1”, “w2”\} ⇒ \\
∧ Gate = D
\( \wedge \text{Permit} = \text{true} \)
\( \wedge (X_1 = \text{true}) \Rightarrow (\{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "r3", "r4", "r5", "r6" \} \\
\wedge d[j] \neq \text{Gate} \}) \)
\( \wedge (X_1 \neq \text{true}) \Rightarrow (\{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] = "r6" \\
\wedge d[j] \neq \text{Gate} \}) \)
\( \wedge (\{} = \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "rf4", "rf5" \} \\
\wedge X_1 = j \} ) \)

\( I_{w3w4} \triangleq pc[\text{WriterProc}] \in \{ "w3", "w4" \} \Rightarrow \\
\wedge \text{Gate} = D \\
\wedge \text{Permit} = \text{true} \\
\wedge X_1 \in \text{ProcSet} \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] = "r6" \\
\wedge d[j] \neq \text{Gate} \} \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "rf4", "rf5" \} \\
\wedge X_1 = j \} \)

\( I_{w5} \triangleq pc[\text{WriterProc}] = "w5" \Rightarrow \\
\wedge \text{Gate} = \neg D \\
\wedge \text{Permit} = \text{true} \\
\wedge X_1 \in \text{ProcSet} \\
\wedge \{ \} \neq \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "rf5" \} \\
\wedge X_1 = j \} \Rightarrow \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : pc[j] \in \{ "r6", "r7" \} \} \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "r3", "r4", "r5" \} \\
\wedge d[j] = \text{Gate} \} \\
\wedge X_1 \in \text{ProcSet} \Rightarrow \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] = "r6" \\
\wedge d[j] \neq \text{Gate} \} \\
\wedge \text{Permit} = wb \\
\wedge X_1 = \text{true} \Rightarrow \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge pc[j] \in \{ "r3", "r4", "r5", "r6" \} \\
\wedge d[j] = \text{Gate} \} \\
\wedge \text{Permit} \neq \text{true} \Rightarrow \\
1 = \text{Cardinality}(\{ j \in \text{ReaderProc} : \wedge pc[j] = "rf6" \\
\wedge rb[j] = \text{Permit} \}) \\
\wedge \{ \} = \{ j \in \text{ReaderProc} : pc[j] \in \{ "r7" \} \} \)
\[I_{f2} \triangleq pc[WriterProc] \in \{"wf2"\} \Rightarrow\]
\[\wedge Gate = \neg D\]
\[\wedge Permit \in \{true, nPID\} \cup ProcSet\]
\[\wedge X1 \in ProcSet \cup \{true\}\]
\[\wedge \{\} \neq \{j \in ReaderProc : \wedge pc[j] \in \{"rf5"\} \wedge X1 = j\} \Rightarrow\]
\[\wedge \{\} = \{j \in ReaderProc : pc[j] \in \{"r6", "r7"\}\}
\[\wedge \{\} = \{j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5"\} \wedge d[j] = Gate\}\]
\[\wedge X1 \in ProcSet \Rightarrow\]
\[\wedge \{\} = \{j \in ReaderProc : \wedge pc[j] = \text{"r6"} \wedge d[j] \neq Gate\}\]
\[\wedge Permit = wb\]
\[\wedge X1 \neq wa \Rightarrow \lor \{\} \neq \{j \in ReaderProc : pc[j] \in \{"r2", "r3", "r4", "r5", "r6", \text{"r cs"}, "r7", "ra1", "rf1"\}\}
\[\cup\]
\[\{j \in ReaderProc : \wedge pc[j] = "rf2" \wedge X1 = ra[j]\}\]
\[\lor \{\} \neq \{j \in ReaderProc : \wedge pc[j] \in \{"rf3", "rf4", "rf5"\} \wedge X1 = j\}\]
\[\wedge X1 = true \Rightarrow\]
\[\wedge \{\} = \{j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5", "r6"\} \wedge d[j] = Gate\}\]
\[\wedge Permit \neq true \Rightarrow\]
\[1 = \text{Cardinality}(\{j \in ReaderProc : \wedge pc[j] = "rf6" \wedge rb[j] = Permit\})\]
\[\wedge \{\} = \{j \in ReaderProc : pc[j] \in \{"r7"\}\}\]

\[I_{f3f4} \triangleq pc[WriterProc] \in \{"wf3", "wf4"\} \Rightarrow\]
\[\wedge Gate = \neg D\]
\[\wedge Permit \in \{true, nPID\} \cup ProcSet\]
\[\wedge X1 \in ProcSet \cup \{true\}\]
\[\wedge \{\} \neq \{j \in ReaderProc : \wedge pc[j] \in \{"rf5"\} \wedge X1 = j\} \Rightarrow\]
\[\wedge \{\} = \{j \in ReaderProc : pc[j] \in \{"r6", "r7"\}\}
\[\wedge \{\} = \{j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5"\} \wedge d[j] = Gate\}\]
\[\wedge X1 \in ProcSet \Rightarrow\]
\[\wedge \{\} = \{j \in ReaderProc : \wedge pc[j] = \text{"r6"} \wedge d[j] \neq Gate\}\]
\[\wedge Permit = wb\]
\[\wedge X1 \neq WriterProc \Rightarrow (\lor \{\} \neq \{j \in ReaderProc : pc[j] \in \{"r2", "r3", "r4", "r5", "r6", \text{"r cs"}, "r7", "ra1", "rf1"\}\}
\[\cup\]
\[\{j \in ReaderProc : \wedge pc[j] = "rf2"\}\]
\[ \wedge X_1 = ra[j] \] \\
\lor \{ \} \neq \{ j \in ReaderProc : \wedge pc[j] \in \{"rf3", "rf4", "rf5"\} \\
\wedge X_1 = j \})
\]

\[ \wedge X_1 = true \Rightarrow \]
\[ \wedge \{ \} = \{ j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5", "r6"\} \\
\wedge d[j] = Gate \} \]
\[ \wedge Permit \neq true \Rightarrow \]
\[ 1 = \text{Cardinality}(\{ j \in ReaderProc : \wedge pc[j] = "rf6" \\
\wedge rb[j] = Permit \}) \]
\[ \wedge \{ \} = \{ j \in ReaderProc : pc[j] \in \{"r7"\} \}
\]

\[ I_f5 \triangleq pc[WriterProc] = "wf5" \Rightarrow \]
\[ \wedge Gate = \neg D \]
\[ \wedge Permit \in \{true, nPID\} \cup \text{ProcSet} \]
\[ \wedge X_1 \in \text{ProcSet} \cup \{true\} \]
\[ \wedge X_1 \in \text{ProcSet} \Rightarrow \]
\[ \wedge \{ \} = \{ j \in ReaderProc : pc[j] = "r6" \} \]
\[ \wedge Permit = wb \]
\[ \wedge X_1 \neq \text{WriterProc} \Rightarrow \]
\[ \lor \{ \} \neq \{ j \in ReaderProc : pc[j] \in \{"r2", "r3", "r4", "r5", "r6", "r_cs", "r7", "ra1", "rf1"\} \}
\cup
\{ j \in ReaderProc : \wedge pc[j] = "rf2" \\
\wedge ra[j] = X_1 \}
\lor \{ \} \neq \{ j \in ReaderProc : \wedge pc[j] \in \{"rf3", "rf4", "rf5"\} \\
\wedge j = X_1 \}) \]
\[ \wedge \{ \} = \{ j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5", "r6"\} \\
\wedge d[j] = Gate \} \]
\[ \wedge X_1 = true \Rightarrow \]
\[ \wedge Permit \neq true \Rightarrow \]
\[ 1 = \text{Cardinality}(\{ j \in ReaderProc : \wedge pc[j] = "rf6" \\
\wedge rb[j] = Permit \}) \]
\[ \wedge \{ \} = \{ j \in ReaderProc : pc[j] \in \{"r7"\} \}
\]

\[ I_f6 \triangleq pc[WriterProc] = "wf6" \Rightarrow \]
\[ \wedge Gate = \neg D \]
\[ \wedge Permit = wb \]
\[ \wedge X_1 = true \]
\[ \wedge \{ \} = \{ j \in ReaderProc : \wedge pc[j] \in \{"r3", "r4", "r5", "r6"\} \\
\wedge d[j] = Gate \} \]
\[ \wedge \{ \} = \{ j \in ReaderProc : \wedge pc[j] = "rf6" \\
\wedge rb[j] = Permit \} \]
\[ \wedge \{ \} = \{ j \in ReaderProc : pc[j] \in \{"r7"\} \}
\]

\[ I_w6wa1 \triangleq pc[WriterProc] \in \{"w6", "wa1"\} \Rightarrow \]
\[ \wedge Gate = \neg D \]
\[ \wedge Permit \in \{true, nPID\} \cup \text{ProcSet} \]
\( X_1 \in \text{ProcSet} \cup \{ \text{true} \} \)
\( \wedge \{ \} \neq \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“rf5”} \} \)
\( \wedge X_1 = j \) \( \Rightarrow \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \text{pc}[j] \in \{ \text{“r6”, “r7”} \} \}
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“r3”, “r4”, “r5”} \} \)
\( \wedge d[j] = \text{Gate} \)

\( X_1 \in \text{ProcSet} \Rightarrow \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] = \text{“r6”} \)
\( \wedge d[j] \neq \text{Gate} \)

\( \wedge \text{Permit} = \text{wb} \)
\( \wedge \vee \{ \} \neq \{ j \in \text{ReaderProc} : \text{pc}[j] \in \{ \text{“r2”, “r3”, “r4”, “r5”, “r6”, “r_cs”, “r7”, “ra1”, “rf1”} \} \)
\( \cup \)
\( \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] = \text{“rf2”} \)
\( \wedge r_a[j] = X_1 \)
\( \vee \{ \} \neq \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“rf3”, “rf4”, “rf5”} \}
\( \wedge j = X_1 \}

\( X_1 = \text{true} \Rightarrow \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“r3”, “r4”, “r5”, “r6”} \}
\( \wedge d[j] = \text{Gate} \)

\( \wedge \text{Permit} \neq \text{true} \Rightarrow \)
\( 1 = \text{Cardinality}(\{ j \in \text{ReaderProc} : \wedge \text{pc}[j] = \text{“rf6”} \)
\( \wedge r_b[j] = \text{Permit} \}) \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \text{pc}[j] \in \{ \text{“r7”} \} \}

\( I_{w7wa6} \triangleq \text{pc[WriterProc]} \in \{ \text{“w7”, “wa6”} \} \Rightarrow \)
\( \wedge \text{Gate} = \neg D \)
\( \wedge \text{Permit} = \text{true} \)
\( \wedge X_1 = \text{true} \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“r3”, “r4”, “r5”, “r6”} \}
\( \wedge d[j] = \text{Gate} \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \text{pc}[j] \in \{ \text{“r7”} \} \}

\( I_{wa2} \triangleq \text{pc[WriterProc]} \in \{ \text{“wa2”} \} \Rightarrow \)
\( \wedge \text{Gate} = \neg D \)
\( \wedge \text{Permit} = \text{true} \)
\( \wedge X_1 \in \text{ProcSet} \cup \{ \text{true} \} \)
\( \wedge \{ \} \neq \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“rf5”} \}
\( \wedge X_1 = j \) \( \Rightarrow \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \text{pc}[j] \in \{ \text{“r6”, “r7”} \} \}
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] \in \{ \text{“r3”, “r4”, “r5”} \}
\( \wedge d[j] = \text{Gate} \)

\( X_1 \in \text{ProcSet} \Rightarrow \)
\( \wedge \{ \} = \{ j \in \text{ReaderProc} : \wedge \text{pc}[j] = \text{“r6”} \)
\( \wedge d[j] \neq \text{Gate} \)

\( \wedge X_1 = \text{true} \Rightarrow \)
\[ \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r3"}, \text{"r4"}, \text{"r5"}, \text{"r6"} \} \\
\land \, \text{d}[j] = \text{Gate} \} \]
\[ \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r7"} \} \} \]
\[ I_{wa3} \triangleq \text{pc}(\text{WriterProc}) \in \{ \text{"wa3"} \} \implies \land \text{Gate} = \neg D \land \text{Permit} = \text{true} \land X_1 \in \text{ProcSet} \cup \{ \text{true} \} \land \{ \} \neq \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"rf5"} \} \land X_1 = j \} \implies \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r5"}, \text{"r7"} \} \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r3"}, \text{"r4"}, \text{"r5"} \} \land \text{d}[j] = \text{Gate} \} \]
\[ \land X_1 \in \text{ProcSet} \implies \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] = \text{"r6"} \land \text{d}[j] \neq \text{Gate} \} \land X_1 \neq \text{wa} \implies \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"rf4"}, \text{"rf5"} \} \land X_1 = j \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r7"} \} \} \]
\[ I_{wa4} \triangleq \text{pc}(\text{WriterProc}) \in \{ \text{"wa4"} \} \implies \land \text{Gate} = \neg D \land \text{Permit} = \text{true} \land X_1 \in \text{ProcSet} \cup \{ \text{true}, \text{nPID} \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"rf4"}, \text{"rf5"} \} \land X_1 = j \} \land \{ \} \neq \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] = \text{"r6"} \land \text{d}[j] \neq \text{Gate} \} \land X_1 = \text{true} \implies \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r3"}, \text{"r4"}, \text{"r5"}, \text{"r6"} \} \land \text{d}[j] = \text{Gate} \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r7"} \} \} \]
\[ I_{wa5} \triangleq \text{pc}(\text{WriterProc}) \in \{ \text{"wa5"} \} \implies \land \text{Gate} = \neg D \land \text{Permit} = \text{true} \land X_1 \neq \text{true} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"rf4"}, \text{"rf5"} \} \land X_1 = j \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] = \text{"r6"} \land \text{d}[j] \neq \text{Gate} \} \land X_1 = \text{true} \implies \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r3"}, \text{"r4"}, \text{"r5"}, \text{"r6"} \} \land \text{d}[j] = \text{Gate} \} \land \{ \} = \{ j \in \text{ReaderProc} : \land \, \text{pc}[j] \in \{ \text{"r7"} \} \} \]
$InvAll \triangleq \wedge TypeOK$
$\wedge I_{\text{Global}}$
$\wedge I_{w1 \& w2}$
$\wedge I_{w3 \& w4}$
$\wedge I_{w5}$
$\wedge I_{f1}$
$\wedge I_{f2}$
$\wedge I_{f3 \& f4}$
$\wedge I_{f5}$
$\wedge I_{f6}$
$\wedge I_{w6 \& wa1}$
$\wedge I_{w7 \& wa6}$
$\wedge I_{wa2}$
$\wedge I_{wa3}$
$\wedge I_{wa4}$
$\wedge I_{wa5}$