KAME STM — Formal Verification Coverage Overview

A lock-free STM core verified end-to-end by three complementary methods

KAME's lock-free software-transactional-memory core is verified by three complementary methods that together close the gap between an abstract protocol and the shipping binary. At the foundation, GenMC exhaustively model-checks the tagged-pointer atomic_shared_ptr reference-counting primitive under the C/C++ RC11 weak-memory model (18 programs, up to ~1.17M executions), proving every memory_order annotation safe against use-after-free, double-free, and leaks. Above it, TLA+/TLC exhaustively explores all thread interleavings: Layer 1 proves atomic_shared_ptr plus commit primitives memory-safe across tens of millions of states (66.5M at 2 threads) and deliberately shows the bare primitive is NOT livelock-free; Layer 2 proves the multi-phase bundle/unbundle STM protocol for 2- and 3-level trees, static and dynamic, both safe AND livelock-free via Lamport-clock priority arbitration, scaling past 1.1 billion states. A hard-link family of six topologies reproduces and fixes the real-world "30/30 abort" production race. Finally, seven C++ stress tests (~27M iterations, 4-8 threads) run the actual implementation on real hardware to catch compiler-, layout-, and timing-dependent bugs the abstract models cannot. The result: the protocol is mathematically guaranteed and the implementation is empirically hardened, with no daylight between them.

Three-method stack (bottom-up)

┌──────────────────────────────────────────────────────────────┐
│ C++ runtime stress — real hardware / probabilistic / 7 tests, ~27M iter │
├──────────────────────────────────────────────────────────────┤
│ TLA+ / TLC — all interleavings exhaustively / seq. consistency │
│ Layer 2 bundle/unbundle STM (safety + livelock-free) │
│ Layer 1 atomic_shared_ptr + commit (safety; LL-free = counter-ex) │
├──────────────────────────────────────────────────────────────┤
│ GenMC (RC11) — weak-memory model exhaustively / atomic_shared_ptr │
└──────────────────────────────────────────────────────────────┘
Each layer's guarantee feeds the next (bottom-up).

This overview is a hub linking each layer's detail deck. Canonical data: kamestm/tests/VERIFICATION.md / doc/verification_log.md / doc/proof_semantics.md.

Coverage Matrix

Every layer × target × tool × largest verified run × deck

Layer	Spec / test	Tool	What it verifies	Largest verified run	Result	Deck
L0	`cds_test_.c` (9) `tlaplus/test_.c` (9)	GenMC v0.17 (RC11)	Tagged-pointer reference counting; `memory_order` safety under weak memory	multi_cas: 464,164 complete + 705,296 blocked (~270s)	All Pass	—（VERIFICATION.md §1）
L1	`atomic_shared_ptr.tla`	TLC	atomic_shared_ptr + commit primitives (drain release, scoped_atomic_view); 10 safety invariants	66,537,058 / depth 84 / 1h30m (2t full)	Pass liveness intentionally FAIL	slides_layer1_en.html
L2	`BundleUnbundle_2level_LLfree.tla`	TLC	2-level bundle/unbundle + LL-free priority gating	137,333,348 (3t confC live, 2:53) 127,586,599 (MaxCommits=2, 4:40)	Pass + liveness	slides_layer2_LLfree.html
L2	`BundleUnbundle_2level_LLfree_dynamic.tla`	TLC	+ online insert/release	413,884,516 (release superfine live, 7:13)	Pass + liveness	slides_layer2_LLfree_dynamic_en.html
L2	`BundleUnbundle_3level_LLfree.tla`	TLC	3-level tree, recursive inner bundle, multi-level unbundle walk	1,154,807,632 (3t confC safety, 4:09) 640,894,951 (confC live, 15:25)	Pass (+ liveness on live cfg)	slides_layer2_LLfree_3level_en.html
L2	`BundleUnbundle_3level_LLfree_dynamic.tla`	TLC	3-level + online insert/release	921,351,233 (release superfine, 3h24m, safety) 6.8M (coarse 2t live)	Pass	slides_layer2_LLfree_dynamic_en.html
HL	`BundleUnbundle_hardlink_*.tla` (6)	TLC	2-parent / 1-child hard-link topologies; Phase 4 reachability gate; per-action fairness	self_collision FAIL→114; 4node FAIL→531; external_migration 3t 1,202	Pass + liveness (after fix)	slides_hardlink_en.html
RT	7 C++ tests (`tests/`)	C++ on HW	High-contention stress on the implementation: lifecycle balance, snapshot consistency, empirical starvation-freedom	negotiation 6t (2 slow + 4 fast × 5M); ~27M iter total	All Pass	—（VERIFICATION.md §6）

Largest-run highlight: the largest state space across all verification is 1,154,807,632 states (3-level static confC, safety-only, ohtaka 4:09). The largest including safety+liveness is 640,894,951 (3-level confC live, 15:25). The largest dynamic-spec run is 921,351,233 (3L-dyn release superfine, 3h24m). All are CONSTRAINT-free full exhaustions.

Deck Directory

Detail slides per layer (click to navigate)

L1 Layer 1: atomic_shared_ptr

slides_layer1_en.html →

Tagged-pointer reference counting, drain release, scoped_atomic_view RAII, 10 invariants, intentionally-violated liveness.

L2 Layer 2: base spec (Gen 1/2)

slides_layer2_en.html →

bundle/unbundle + commit base explanation. Pointers to Gen 3 LLfree. Historical modular-serial framing.

L2 Layer 2 LLfree (Gen 3 core)

slides_layer2_LLfree.html →

priority-TID negotiate, CanProceed / TagAfterFail / PreemptTag / ClearMyTags, CONSTRAINT-free structural LL-free proof.

L2 3-level LLfree

slides_layer2_LLfree_3level_en.html →

Grand→Parent→Child, recursive inner bundle (InnerPhase2/3/4), multi-level unbundle walk.

L2 Dynamic LLfree

slides_layer2_LLfree_dynamic_en.html →

online insert(online=true) / release, thread-role config, 413M-state verification.

HL Hard-link family

slides_hardlink_en.html →

5 topologies + non-atomic, production-race repro + fix, first per-action fairness, Phase 4 reachability gate.

L0 GenMC RC11 (no deck yet)

VERIFICATION.md §1 →

18 programs (cds_test_*.c 9 + test_*.c 9), reference-counting safety under weak memory. No slide deck yet (raw data only).

RT Runtime stress (no deck yet)

VERIFICATION.md §6 →

7 C++ tests, real hardware / real binary. The bridge from proven protocol to hardened binary. No slide deck yet.

Japanese decks: an identically structured Japanese set lives in ../doc_ja/ (slides_layer1.html, slides_layer2.html, slides_layer2_LLfree.html, slides_layer2_LLfree_3level.html, slides_layer2_LLfree_dynamic.html, slides_hardlink.html). Japanese overview: ../doc_ja/slides_overview.html.

Method complementarity + appendix

Division of labor: formal methods × stress tests

Property	C++ stress	GenMC (L0)	TLA+ (L1/L2)
Memory-ordering correctness	Probabilistic (timing)	Exhaustive (RC11)	N/A (seq. consistency)
Protocol logic (refcount/drain/scope)	Probabilistic	Assertion-based	Exhaustive (L1)
STM commit correctness	`gn2 ≤ gn3` invariant	N/A	Exhaustive (L1+L2)
bundle/unbundle protocol	Implicit (via STM tests)	N/A	Exhaustive (L2, up to 1.15B states)
livelock-freedom	Asymmetric stress	N/A	Exhaustive (L2; L1 counter-example)
fairness / starvation	`transaction_negotiation_test`	N/A	Modeled via per-action WF in hard-link
Real compiler/hardware bugs	Yes (actual binary)	No (abstract)	No (abstract)

Note: the §6 complementarity table cites a stale "622M states"; the current largest is 1,154,807,632 (3L static confC).

Appendix: superseded specs (footnote for full coverage)

Spec	Status
`BundleUnbundle.tla` (3-level) `BundleUnbundle_2level.tla`	Gen 1/2 non-LL-free versions, superseded by LLfree (Gen 3). Rely on modular serial / CONSTRAINT. Pass, but kept as baselines.
`MC.tla` / `MC_2level.tla` / `MC_3level.tla`	Old-style model-checker config modules; now use `*_mc.cfg` directly.
`test_stm_commit.c` / `test_bundle_2level.c` / `test_bundle_3level.c`	Non-LL-free TLA+-derived C11 tests (legacy), superseded by the LLfree variants.

References (paper-ready)

GenMC: Kokologiannakis, Raad, Vafeiadis. "Model Checking for Weakly Consistent Libraries." PLDI 2019.
RC11: Lahav, Vafeiadis, Kang, Hur, Dreyer. "Repairing Sequential Consistency in C/C++11." PLDI 2017.
TLA+ / TLC: Lamport. "Specifying Systems." Addison-Wesley, 2002. / Yu, Manolios, Lamport. CHARME 1999.