Reasoning about Transactional Isolation Levels with Isolde

Abstract

Most databases can be configured to operate under isolation levels weaker than serializability. These enforce fewer restrictions on the concurrent access to data and consequently allow for more performant implementations. While formal frameworks for rigorously specifying isolation levels exist, reasoning about the semantic differences between specifications remains notoriously difficult. This paper proposes a tool -- Isolde -- that can automatically generate examples that are allowed by an isolation level but disallowed by another. This simple primitive unlocks a range of useful reasoning tasks, including checking equivalence between definitions, and verifying (by refutation) subtle semantic properties of isolation levels. For example, Isolde allowed us to easily and automatically reproduce a famously elusive result from the literature and to discover a previously unknown bug in the alternative specification of a standard isolation level used in a state-of-the-art isolation checker.

Figures (8)

• Figure 1: A history allowed by NLU but not by UA.
• Figure 2: A hierarchy of five isolation levels that have been formalized in both frameworks considered.
• Figure 3: Total instances solved within the one-hour timeout across different implementations, scopes and problem types.
• Figure 4: Runtime performance comparison across different implementations, scopes, and problem types.
• Figure 5: Cumulative number of benchmark instances solved as a function of the total number of CEGIS candidates evaluated, broken down by problem type (rows) and scope (columns). Each curve represents a different implementation; a point $(c, k)$ indicates that $k$ instances were solved using at most $c$ candidates.