Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

VerIso: Verifiable Isolation Guarantees for Database Transactions

Shabnam Ghasemirad, Si Liu, Christoph Sprenger, Luca Multazzu, David Basin

TL;DR

VerIso presents a mechanized, Isabelle/HOL-based framework for rigorously verifying that database transaction protocols satisfy chosen isolation guarantees. By formalizing an abstract transaction model parameterized by isolation level and refining concrete protocols as LTSs, the approach proves correctness for arbitrary numbers of processes and transactions and supports automation through a large lemma library. The paper demonstrates the framework on Strict Two-Phase Locking (S2PL) to verify SSER, and uses it to uncover TAPIR’s atomic-visibility violations via counterexamples, illustrating both verification and falsification capabilities. This work offers a scalable, tool-supported pathway to design-stage correctness for concurrency-control protocols with broad practical impact for reliable database systems.

Abstract

Isolation bugs, stemming especially from design-level defects, have been repeatedly found in carefully designed and extensively tested production databases over decades. In parallel, various frameworks for modeling database transactions and reasoning about their isolation guarantees have been developed. What is missing however is a mathematically rigorous and systematic framework with tool support for formally verifying a wide range of such guarantees for all possible system behaviors. We present the first such framework, VerIso, developed within the theorem prover Isabelle/HOL. To showcase its use in verification, we model the strict two-phase locking concurrency control protocol and verify that it provides strict serializability isolation guarantee. Moreover, we show how VerIso helps identify isolation bugs during protocol design. We derive new counterexamples for the TAPIR protocol from failed attempts to prove its claimed strict serializability. In particular, we show that it violates a much weaker isolation level, namely, atomic visibility.

VerIso: Verifiable Isolation Guarantees for Database Transactions

TL;DR

VerIso presents a mechanized, Isabelle/HOL-based framework for rigorously verifying that database transaction protocols satisfy chosen isolation guarantees. By formalizing an abstract transaction model parameterized by isolation level and refining concrete protocols as LTSs, the approach proves correctness for arbitrary numbers of processes and transactions and supports automation through a large lemma library. The paper demonstrates the framework on Strict Two-Phase Locking (S2PL) to verify SSER, and uses it to uncover TAPIR’s atomic-visibility violations via counterexamples, illustrating both verification and falsification capabilities. This work offers a scalable, tool-supported pathway to design-stage correctness for concurrency-control protocols with broad practical impact for reliable database systems.

Abstract

Isolation bugs, stemming especially from design-level defects, have been repeatedly found in carefully designed and extensively tested production databases over decades. In parallel, various frameworks for modeling database transactions and reasoning about their isolation guarantees have been developed. What is missing however is a mathematically rigorous and systematic framework with tool support for formally verifying a wide range of such guarantees for all possible system behaviors. We present the first such framework, VerIso, developed within the theorem prover Isabelle/HOL. To showcase its use in verification, we model the strict two-phase locking concurrency control protocol and verify that it provides strict serializability isolation guarantee. Moreover, we show how VerIso helps identify isolation bugs during protocol design. We derive new counterexamples for the TAPIR protocol from failed attempts to prove its claimed strict serializability. In particular, we show that it violates a much weaker isolation level, namely, atomic visibility.

Paper Structure

This paper contains 40 sections, 1 theorem, 7 equations, 14 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Isolation Levels
  4. Operational Semantics for Transactions
  5. Isabelle/HOL and Notation
  6. System Modeling and Refinement
  7. System Models
  8. Invariants and Refinement
  9. The VerIso Formal Framework
  10. Formalizing the Abstract Transaction Model
  11. Parametrized abstract transaction model
  12. Instantiation to concrete isolation levels
  13. Discussion of formalization
  14. Protocol Modeling
  15. Protocol configurations
  16. ...and 25 more sections

Key Result

Theorem 1

$\ttfamily{TPL} \mathrel{\preccurlyeq}_{r_{\ttfamily{TPL}}, \pi_{\ttfamily{TPL}}} \mathcal{I}\!(\ttfamily{SSER})$.

Figures (14)

  • Figure 1: A hierarchy of prevalent isolation levels. RC: read committed si; RA: read atomicity ramp; UA: update atomicity uaDBLP:conf/concur/Cerone0G15; TCC: transactional causal consistency Cure:ICDCS2016Eiger:NSDI2013; PC: prefix consistency pc; SI: snapshot isolation si; PSI: parallel SI psi; SER: serializability serializability; SSER: strict SER serializability. $A \to B$ means $A$ is weaker than $B$. VerIso covers the green levels.
  • Figure 2: Configurations of abstract transaction model.
  • Figure 3: Pseudocode for remote computation.
  • Figure 4: Client, server, and global configurations.
  • Figure 5: Events for remote computation example.
  • ...and 9 more figures

Theorems & Definitions (1)

  • Theorem 1