Effective software specifications enable modular reasoning, allowing clients to establish program properties without knowing the details of module implementations. While some modules' operations behave atomically, others admit weaker consistencies to increase performance. Consequently, since current methodologies do not capture the guarantees provided by operations of varying non-atomic consistencies, specifications are ineffective, forfeiting the ability to establish properties of programs that invoke non-atomic operations. In this work we develop a methodology for specifying software modules whose operations satisfy multiple distinct consistency levels. In particular, we develop a simple annotation language for specifying weakly-consistent operations via visibility relaxation, wherein annotations impose varying constraints on the visibility among operations. To integrate with modern software platforms, we identify a novel characterization of consistency called sequential happens-before consistency, which admits effective validation. Empirically, we demonstrate the efficacy of our approach by deriving and validating relaxed-visibility specifications for Java concurrent objects. Furthermore, we demonstrate, empirically, the optimality of our annotation language by establishing that even finer-grained languages do not capture stronger specifications for Java objects.
ConcurrentHashMap: size
Program: { put(1,0); put(1,1); size() } || { remove(1) }

outcome                 atomic?   frequency
null, 0, 0, 1           ✓         949
null, 0, 1, 1           ✓         746,263
null, 0, 1, null        ✓         2,614,780
null, null, 1, 0        ✓         14,833
null, null, 2, 0        ×         35

ConcurrentHashMap: contains
Program: { put(0,0) } || { remove(1) } || { put(1,0); contains(0) }

outcome                 atomic?   frequency
null, null, null, true  ✓         2,621,646
null, 0, null, true     ✓         134,083
null, 0, null, false    ✓         11

ConcurrentHashMap: contains
Program: { put(0,0); remove(1) } || { put(1,0); contains(0) }

outcome                 atomic?   frequency
null, null, null, true  ✓         1,224,150
null, 0, null, true     ✓         1,827,063
null, 0, null, false    ×         7
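As an added illustration of what the "atomic?" column records (this is not code from the paper or its tooling): the Python model below enumerates every interleaving of the size test above over a plain sequential map, standing in for an atomic ConcurrentHashMap, and checks each observed outcome against the set of outcomes such an interleaving can produce. It assumes that an outcome lists return values in program order, thread by thread, with null written as None.

```python
# Added example (not from the paper): decide whether an observed outcome of the
# "size" test is admitted by an atomic map by enumerating every interleaving.

def run_sequential(ops):
    """Run ops on a plain dict, the atomic reference model; return each result."""
    m, results = {}, []
    for op, *args in ops:
        if op == "put":        # returns the previous value, like java.util.Map.put
            results.append(m.get(args[0]))
            m[args[0]] = args[1]
        elif op == "remove":   # returns the removed value, or None if absent
            results.append(m.pop(args[0], None))
        elif op == "size":
            results.append(len(m))
    return results

def interleavings(threads):
    """Yield every interleaving, as a list of (thread, index), that keeps program order."""
    def rec(pos, acc):
        if all(p == len(t) for p, t in zip(pos, threads)):
            yield list(acc)
            return
        for t, thread in enumerate(threads):
            if pos[t] < len(thread):
                acc.append((t, pos[t]))
                pos[t] += 1
                yield from rec(pos, acc)
                pos[t] -= 1
                acc.pop()
    yield from rec([0] * len(threads), [])

def atomic_outcomes(threads):
    """The set of outcome tuples that some sequential interleaving can produce."""
    offsets = [sum(len(t) for t in threads[:i]) for i in range(len(threads))]
    outcomes = set()
    for order in interleavings(threads):
        results = run_sequential([threads[t][i] for t, i in order])
        out = [None] * sum(len(t) for t in threads)
        for (t, i), r in zip(order, results):
            out[offsets[t] + i] = r      # place result in program-listing order
        outcomes.add(tuple(out))
    return outcomes

def is_atomic(threads, outcome):
    return tuple(outcome) in atomic_outcomes(threads)

SIZE_TEST = [[("put", 1, 0), ("put", 1, 1), ("size",)], [("remove", 1)]]  # the size test above
# The five observed outcomes reported in the size table, null written as None.
OBSERVED = [(None, 0, 0, 1), (None, 0, 1, 1), (None, 0, 1, None),
            (None, None, 1, 0), (None, None, 2, 0)]
```

Only four interleavings exist for this test, so the model yields exactly four atomic outcomes; the outcome with size() returning 2 is not among them, matching the × in the table.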