A Framework for Modelling, Verification and Transformation of Concurrent Imperative Programs
aa r X i v : . [ c s . L O ] J u l A FRAMEWORK FOR MODELLING, VERIFICATION ANDTRANSFORMATION OF CONCURRENT IMPERATIVE PROGRAMS
MAKSYM BORTINDepartment of Software Science, Tallinn University of Technology e-mail address : [email protected]
Abstract.
The paper gives a comprehensive presentation of a framework, embedded intothe simply typed higher-order logic, and aimed at providing a sound assistance in formalreasoning about models of imperative programs with interleaved computations. As a casestudy, a model of the Peterson’s mutual exclusion algorithm will be scrutinised in thecourse of the paper illustrating applicability of the framework.
Introduction
The behaviours of programs running in parallel can become entangled to such an extent thatproviding resilient assurances about these simply escapes the capabilities of mere reviewingand testing the code. On the other hand, such assurances are hardly dispensable, forexample when safe functioning of some nearly invaluable autonomous devices is at stake. Afundamentally rigorous and systematic reasoning about program properties in presence ofinterleaving is unavoidable to this end.From the specific perspective of safety- and mission-critical software, more recent stan-dards encourage application of formal methods in certification processes. On the otherhand, they also demand to explicitly outline the limits of the chosen method regarding com-pliance with the actual requirements specification, as the formal methods supplement toDO-178C [Rad11] in particular stresses. Indeed, like with outcomes of any other measure,applicability of formally derived conclusions to requirements on eventual implementationsis bound to series of assumptions that one shall attempt to keep as short and reasonable aspossible.In comparison to the sequential case, development of concurrent software has signifi-cantly more sources for this kind of assumptions. For example, it is a common practiceto model and verify sequential programs at a conveniently structured level and to rely ona compiler that translates these to an assembly code with some corresponding behaviour.However, in the context of interleaved computations one can observe that such compilationsin particular tend to fraction the granularity, modelled at the structured level, meaning thattheir outcomes could potentially be exposed to interferences that were basically ruled out
Research partly supported by the ESF funded Estonian IT Academy measure 2014-2020.4.05.19-0001.
Preprint submitted toLogical Methods in Computer Science c (cid:13)
M. Bortin CC (cid:13) Creative Commons
M. BORTIN when reasoning about their structured counterparts or, in other words, were implicitly as-sumed to be nonexistent.To address these kinds of problems in a cohesive manner, the paper presents a frame-work geared towards verification and transformation of models of imperative concurrentprograms encompassing state abstractions as well as high- and low-level language featuressimultaneously. It shall enable ways to reach detailed representations by chains of trans-formations reusing verified properties along these chains. In this sense, the approach isparticularly related to the Event-B [Abr10] method, which offers a homogeneous frameworkfor transformation of models of reactive systems, gradually addressing more detailed systemrequirements. In contrast to Event-B, however, the presented framework is less generic asit is specifically tailored to concurrent programs. Moreover, it is a conservative extensionto the simply typed higher-order logic and is thus as sound as the underlying logic.A sound framework is surely a must, but addresses only a part of the problem: deriva-tions of properties of programs that exceed the size of what is usually called a ‘toy example’typically require an impressive amount of successive applications of various logical ruleswhich also need to be correctly instantiated at each particular step. Even a tiniest mis-take during this process is likely to compromise all efforts to reach a sound conclusion.And this is the point where proof assistants ultimately become relevant, being capableto accomplish these complex, yet largely mechanisable, tasks in a highly reliable and effi-cient way. Based on Robin Milner’s influential work [Mil72, Mil84], there are tools suchas [NPW02], [Har09], [Gor91] that provide the sought assistance.Regarding related work, the paper brings together and further elaborates on the follow-ing approaches:- the Hoare-style rely/guarantee program logic development essentially follows the system-atic extension [Sti88] of the Owicki-Gries method [OG76];- the technique of blending deep and shallow embeddings with abstraction over state andatomic state transformations has been adopted from
SIMPL (Sequential Imperative Pro-gramming Language) [Sch06];- the light-weight approach to enable state relations as postconditions using the power ofthe underlying logic has been taken from [vS15] and slightly adjusted.The paper is structured as follows. Next section contains a superficial introduction tothe basic decisions behind the framework’s design. Section 2 gives a formal presentationof the framework’s language accompanied by a computational model featuring interleaving.Section 3 is devoted to program correspondences and their properties. Section 4 introducesthe relevant conditions on potential computations, and based on these, Section 5 presents aHoare-style program logic. Section 6 applies this to verify properties of a model of Peterson’smutual exclusion algorithm. Section 7 shows how the program logic can be lifted to staterelations as postconditions, whereas Section 8 utilises this extension to strengthen the resultsof Section 6. Section 9 describes an approach to verification of basic liveness properties, suchthat Section 10 can conclude the case study presenting how termination of the mutex modelcan be established. Furthermore, in Section 11 an approach to splitting of atomic programsteps will be sketched. Finally, Section 12 concludes the paper.1.
Outlining Basic Ideas
This section contains a brief overview of some basic ideas behind the framework’s ‘low-level’commands and program transformations involving these. Although reaching some lower
ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 3 level representations of a concurrent program does not need to be a goal of a developmentprocess, enabling this option nonetheless mints the framework’s design in certain ways, out-lined below. This will be accomplished without delving into much detail, appealing ratherto the intuition. The more so as assembly level languages and their execution models are notdirectly in the formal scope of the paper: the claim is merely that programs having an ap-propriate form would be evaluated by the framework’s computational model ( cf.
Section 2.2)basically in the same way assembly interpreters would do.One of the most striking differences between a structured and an assembly-level lan-guage is that in the former case computational effects are conveniently defined for each ofthe language constructors by viewing these as nodes of an abstract syntax tree. Thus, forinstance, a program cjump C to i otherwise p end ; q is evaluated ( cf. Section 2.2) by firstpicking the node cjump C to i otherwise p end , checking if the condition C holds, and ifso, retrieving the code ρ i associated to the label i and ‘pasting’ it back, which results in ρ i ; q . Likewise, if C does not hold, we would continue with p ; q . Whereas evaluations ofthe node cjump C to i otherwise p end essentially mimic processing of a conditional jump byassembly interpreters, evaluations of cjump C to i otherwise p end ; q do not: they follow theabstract syntax tree structure and simply advance to the same q in both branches ρ i ; q and p ; q once ρ i or p are done with their computations. However, such behaviour can generallybe achieved at the assembly level only when either ρ i or p concludes with an explicit jumpto the entry label of q . These considerations shall underline that invocation of jumps intree-structured programs demands certain preparations to make sense from the assemblylanguage perspective and the transformations, sketched below, take care of that.First transformation ought to replace all conditional statements by conditional jumpsacross a program, and will be backed by the observation that if C then p else p fi isessentially the same as cjump C to i otherwise p end when ρ i “ p ( C will denote thecomplement of the condition C ). As stressed above, applied to if C then p else p fi ; q thetransformation would result in cjump C to i otherwise p end ; q with ρ i “ p . To repairthat, if C then p else p fi ; q is first replaced by the equivalent if C then p ; q else p ; q fi ,distributing all subsequent code to both branches. Now, replacing if C then p ; q else p ; q fi yields cjump C to i otherwise p ; q end with ρ i “ p ; q , whose evaluations do not make useof any implicit jumps and simply halt when p ; q or p ; q has been processed.With while C do p od we would have a similar situation: evaluations of while C do p od ; q make use of the syntax tree structure to advance to q when C does not hold. In order toenable a normalisation similar to the conditional statements, the syntax of while -statementswill be extended to while C do p subsequently q od , such that while C do p subsequently q od ; q can be transformed to the equivalent while C do p subsequently q ; q od . Thus, having ac-cess to all of subsequent code, while C do p subsequently q od can safely be replaced by cjump C to j otherwise p ; jump i end with ρ i “ cjump C to j otherwise p ; jump i end and ρ j “ q . Note that the extra unconditional jump following p is not completely ‘for free’ andwill appear in form of an extra skip when defining how while C do p subsequently q od shallbe evaluated.Successive applications of the above transformations using consistent labelling eventu-ally reach an equivalent ‘while-free’ program which essentially corresponds to flat lists oflabelled instructions. For instance, p k q with some sequential p and q would yield two suchlists: one corresponding to p and one – to q .To sum up, this section outlined questions that arise when viewing programs, whereconditional and while -statements are replaced by jumps, from the perspective of an assembly M. BORTIN interpreter, and how these questions are addressed by the framework. All that will reappearin the remainder of the paper which, by contrast, is kept formal.2.
A Generic Concurrent Imperative Language
The notions of shallow and deep embeddings arise quite naturally when a language needsto be modelled in a formal system such as a proof assistant ( cf. [Har09]). The techniqueapplied here ( cf. [Sch06]) aims to combine the merits of both. At the first glance the syntaxof the framework’s language is deeply embedded by means of a free construction. However,all indivisible state transformations as well as control flow conditions (such as the variable C in conditional statements mentioned in the previous section) are embedded shallowly or,in other words, the language is generated over the logical terms having an interpretation sothat no extra evaluations are needed.2.1. The syntax.
The parameterised type L α , where α is a type parameter representingunderlying states and L – a type constructor giving a new type for any actual type suppliedfor α , captures the syntax. For example, L int ˆ int would be an instance acting on the stateswith two integer variables. Note that such instantiations will appear in specific modellingsonly. Otherwise, states will be kept abstract for the sake of uniform reasoning.Terms of type L α are constructed by the following grammar: L α ::= skip | basic f | cjump C to i otherwise L α end | while C do L α subsequently L α od | if C then L α else L α fi | L α ; L α | kL ` α | await C do L α od where- i is called a label , and ranges over the natural numbers (in principle, any infinitely count-able set of identifiers, such as strings, might also be employed to this end);- f is called a state transformer , and ranges over the values of type α ñ α ;- C is called a state predicate , and ranges over the values of type α ñ bool .Furthermore, L ` α stands for a finite, non-empty sequence of elements of type L α . So, forinstance, k p , p , p constructs a new value of type L α out of the three values of this type.The term k p , p , p is then called the parallel composition of p , p , p . In the sequel wewill more conveniently write p k p in place of k p , p . The reasons for having k p , . . . , p n as a primitive, as opposed to the binary operator with nesting, will be outlined in thefollowing section. Regarding sequential composition, p ; p ; p will be used as a shorthandfor p ; p p ; p q . Moreover, if C then p fi abbreviates if C then p else skip fi and, accordingly, while C do p od stands for while C do p subsequently skip od .A term of type L α will be called jump-free if it does not contain any cjump , and locallysequential if the parallel operator does not occur in it. The motivation behind this explicitlocality will also be given below. ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 5
The computational model.
This comprises two components: program steps andenvironment steps. To ensure fine-grained interleaving for program steps, we follow theprinciples of ‘Structural Operational Semantics’ [Plo04]. Inheriting the state abstractionfrom L α , let α be a fixed arbitrary type throughout this section.2.2.1. Program steps.
Let ρ be a code retrieve function, i.e. a function of type nat ñ L α .Then in the context of ρ , the effects of performing a program step are captured by meansof the relation Ñ P of type L α ˆ α ñ L α ˆ α ñ bool , connecting two configurations thatcomprise a program part of type L α and a state part of type α . We will use the notation ρ $ p p, σ q Ñ P p q, σ q to indicate that p p, σ q can be transformed via Ñ P to p q, σ q using ρ .This transformation is defined inductively by the rules listed in Figure 1 and explained inmore detail below.- The rule ‘Basic’ declares one indivisible computation step given by a state transformer f .Note that ‘indivisibility’ is actually a modelling decision: we might have a configuration p basic p g ˝ h q , σ q transforming σ to g p h σ q in one atomic step but, conceptually, nothingkeeps us from breaking it in two atomic steps p basic h ; basic g, σ q . This, however, wouldlead to a different model with a finer granularity ( cf. Section 11).- The rules ‘CJump-True’ and ‘CJump-False’ declare how a conditional jump is handledin dependence on C . There and throughout the paper, σ P C denotes that σ satisfies thestate predicate C . Furthermore, from now on let J τ denote the universal predicate onthe type τ , i.e. the one which is true for any element of type τ . For the sake of brevitywe will just write J whenever τ is clear from the context. In particular, consideringconfigurations over a fixed arbitrary type of states α , we just write J for J α . Now, the unconditional jump command can be defined by jump i def “ cjump J to i otherwise skip end such that ρ $ p jump i, σ q Ñ P p ρ i, σ q holds with p ρ i, σ q as the only possible successor of p jump i, σ q .It is worth to be highlighted once more that the framework does not impose anyrestrictions on C , except its type α ñ bool , whereas according to the rules it alwaystakes one step to evaluate the condition, regardless how complex it is. Such libertyis useful in abstract modelling, but one has to keep in mind that certain interferencescould be ruled out this way. In other words, when attempting to reach some low-levelrepresentations, C shall comprise a condition that indeed can be evaluated in one atomicstep.- The rule ‘Await’ declares that if C is satisfied and p can terminate without beinginterrupted in some state then the entire await -statement terminates in this state bymeans of a single, indivisible step. By the inductive construction, await C do p od isblocked, i.e. cannot perform any step, in cases when the current state does not satisfy C . Thus, await J do p od never blocks but creates an atomic section , which allows us tomodel situations where one process forces all others to hold on with their computationsupon termination of p . As this particular construction will be used quite frequently, wejust write x p y for it.- The rule ‘While-True’ has largely the standard form, except that it additionally accountsfor transformation to a representation using jumps, sketched in Section 1. This amountsto the additional (and otherwise obsolete) skip in p p ; skip ; x, σ q that will act as a sortof placeholder for a jump in the proof of Proposition 3.19. Here, however, this skip has M. BORTIN
Basic ρ $ p basic f, σ q Ñ P p skip , f σ q CJump-True σ P Cρ $ p cjump C to i otherwise p end , σ q Ñ P p ρ i, σ q CJump-False σ R Cρ $ p cjump C to i otherwise p end , σ q Ñ P p p, σ q Await σ P C ρ $ p p, σ q ‹ Ñ P p skip , σ q ρ $ p await C do p od , σ q Ñ P p skip , σ q Conditional-True σ P Cρ $ p if C then p else p fi , σ q Ñ P p p , σ q Conditional-False σ R Cρ $ p if C then p else p fi , σ q Ñ P p p , σ q While-True σ P C x “ while C do p subsequently p od ρ $ p x, σ q Ñ P p p ; skip ; x, σ q While-False σ R Cρ $ p while C do p subsequently p od , σ q Ñ P p p , σ q Sequential ρ $ p p , σ q Ñ P p p , σ q ρ $ p p ; p , σ q Ñ P p p ; p , σ q Sequential-Skip ρ $ p skip ; p, σ q Ñ P p p, σ q Parallel ρ $ p p i , σ q Ñ P p p i , σ q ď i ď m m ą ρ $ p k p , . . . p i . . . , p m , σ q Ñ P p k p , . . . p i . . . , p m , σ q Parallel-Skip @ i P t , . . . , m u . p i “ skip m ą ρ $ p k p , . . . , p m , σ q Ñ P p skip , σ q Figure 1: Inductive rules for program steps.no other effect than to delay computations, introducing an additional ‘break’ between p and x which opens more possibilities for interleaving.Notice that the computational model has more of such technical delays. It takes forexample two steps to reach p from p skip ; skip q ; p . In other words, the model is gearedtowards enabling more interleaving which is basically safer than to cut it.- The rule ‘Parallel’ states that a computation step of m components composed in parallelis accomplished by random picking of a component that can perform its step. Note thatthis rule makes Ñ P in general non-deterministic.Now we can justify the choice of having k p , . . . , p n as a primitive operator. Suppose p is not skip and also not blocked by an await -statement then p k p skip k skip q can make ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 7 program steps either to p k skip or to p k p skip k skip q with some successor p , whereas p p k skip q k skip can do the step to p p k skip q k skip only. This observation in principlereveals that the binary k is not associative at the level of small-step computations. Al-though the deviations might be regarded as small and technical, they nonetheless wouldlead to unnecessary complications if we were not able to resort to the ‘flat’ composition k p , . . . , p n instead.2.2.2. Environment steps.
In addition to Ñ P , the second integral component of the com-putational model is the already mentioned environment which can also perform indivisiblesteps via the Ñ E relation defined as follows: p p, σ q Ñ E p p , σ q holds iff p “ p . That is, anenvironment can arbitrarily modify the state of a configuration, leaving the program partunchanged.2.3. Programs.
In line with the computational model, a program is constituted by a pair p ρ, p q where ρ is a retrieve function and p is a term of type L α . It should be clear thatif p is jump-free then it does not actually need a retrieve function to perform any of itscomputation steps or, more precisely, performs same steps independently of how ρ has beendefined. Therefore we will mostly omit it in such cases for the sake of brevity. By contrast,if p contains a jump, say jump i , then the choice of a retrieve function can surely affect thebehaviour: we could have ρ $ p p, σ q Ñ P p p , σ q and ρ $ p p, σ q Ñ P p p , σ q with potentiallyarbitrarily unrelated p and p if ρ i ‰ ρ i .Furthermore, note that with certain pairs p ρ, p q we could achieve something intuitivelycomparable to programs comprising infinite source code. So, for instance, setting p “ jump ρ i “ jump p i ` q in principle corresponds to the ‘program’, written below in a sort ofpseudo assembly, jump
00 : jump
11 : jump . . . (that is, i : jump i ` i ) doing nothingexcept perpetual jumping forward through the code. Such creations can surely be regardedas a byproduct, and in the sequel we will only focus on pairs p ρ, p q that are well-formed.Intuitively, p ρ, p q shall be considered well-formed if all labels that are invoked in the processof its evaluation can be computed beforehand. Formally, we can first note that for any p we can define the finite set of labels J umps local p that occur in p . Further, given a set oflabels L , we can define N ρ L to be the set t i | D j P L. i P J umps local p ρ j qu , and consider theclosure J umps p ρ, p q def “ ď n ě N nρ p J umps local p q A program p ρ, p q is then called well-formed if J umps p ρ, p q is finite.Further, if there is some ρ that coincides with ρ on J umps p ρ, p q then ρ $ p p, σ q Ñ P p p , σ q implies ρ $ p p, σ q Ñ P p p , σ q for any p , σ and σ . In other words, ρ can arbitrarily be alteredoutside of J umps p ρ, p q without any effect on evaluations of p ρ, p q . In the particular casewhen p is jump-free, it follows immediately from the definition that J umps p ρ, p q “ H holdsfor any ρ , highlighting once more that a retrieve function does not matter in such cases. M. BORTIN
Lastly, taking up the question of sequentiality, a program p ρ, p q is called sequential if p is locally sequential and, moreover, ρ i is locally sequential for any label i P J umps p ρ, p q .Clearly, if p is jump-free then p ρ, p q is sequential iff p is locally sequential, regardless which ρ we take. Also note that by contrast to local sequentiality, program steps retain sequentiality, i.e. ρ $ p p, σ q Ñ P p p , σ q implies that p ρ, p q is sequential if p ρ, p q is.2.4. Potential computations of a program.
Having defined all possible one-step trans-formations on configurations, an infinite potential computation of a program p ρ, p q comprisesa sequence of configurations sq “ p p , σ q , p p , σ q , . . . where p “ p and either ρ $ p p i , σ i q Ñ P p p i ` , σ i ` q or p p i , σ i q Ñ E p p i ` , σ i ` q holds for each i P N . Note that any program has at least one such computation, since any type has atleast one inhabitant such that some environment step can always be performed.In the sequel sq i will denote the i -th configuration of sq , whereas P p sq i q and S p sq i q –the program and the state of this configuration, respectively.Furthermore, let n | sq and n | sq denote the sequences obtained by taking the first n configurations from sq , and by removing the first n configurations from sq , respectively. If sq is an infinite computation and n ą n | sq yields a finite potential computation of p sq “ p p , σ q , . . . , p p n ´ , σ n ´ q of length n , denoted by | sq | . In case a computation sq is already finite, the prefix n | sq is afinite potential computation as well, provided 0 ă n ď | sq | holds. Similarly, the condition i ă | sq | must be provided when accessing the i -th configuration sq i in finite cases.Moreover, when sq is finite, for m | sq to be well-defined m ď | sq | must be provided, butit yields a potential computation of P p sq m q only if m ă | sq | holds, as it would be emptyotherwise. In case sq is an infinite sequence, m | sq is one of its infinite suffixes. Generally, wehave m | sq i “ sq i ` m , i.e. the i -th configuration of the suffix is the p i ` m q -th configurationof the original sequence.Two finite computations sq and sq can be composed to a single computation of length | sq | ` | sq | ´ sq is the same as the first of sq . In suchcases we can drop the first configuration of sq taking the suffix | sq (which could also beempty, just meaning that sq is already the composition) and attach it to sq by means ofthe first transition of sq .By v p w ωρ and v p w ρ we summarise the sets of all infinite and finite potential computationsof p ρ, p q , respectively. Since computation steps of a jump-free p do not depend on the choiceof ρ , we will write v p w ω and v p w in such cases. It is worth noting that the explicit distinctionbetween finite and infinite computations will be useful later on: the Hoare-style programlogic ( cf. Section 5) will conveniently focus on finite computations, taking accounts of theinfinite ones only implicitly. However, v p w ω will be inevitable for reasoning about liveness( cf. Section 9).Next section is devoted to program correspondences: a generic approach to semanticrelations between programs, covering in particular all transformations, sketched in Section 1.
ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 9 Stepwise Correspondence between Programs
Let X be a relation of type L α ˆ L β ñ bool , where α and β are state type abstractions.Further, let r be of type α ˆ β ñ bool , i.e. a relation between the underlying states, and ρ and ρ – two retrieve functions of type nat ñ L α and nat ñ L β , respectively. Then X is a simulation w.r.t. ρ, ρ and r if the following conditions hold:(1) if p p, q q P X and p σ , σ q P r then for any program step ρ $ p q, σ q Ñ P p q , σ q there isa program step ρ $ p p, σ q Ñ P p p , σ q such that p p , q q P X and p σ , σ q P r ,(2) if p skip , q q P X then q “ skip ,(3) and if p p, skip q P X then p “ skip . Definition 3.1.
Two programs p ρ, p q and p ρ , q q correspond w.r.t. r if there exists some X that contains the pair p p, q q and is a simulation w.r.t. ρ, ρ and r . This will be denotedby ρ, ρ |ù p Ě r q . Furthermore, we say that p ρ, p q and p ρ , q q mutually correspond w.r.t. r if additionally ρ , ρ |ù q Ě r ˝ p holds, where r ˝ is the converse of r . This, in turn, will bedenoted by ρ, ρ |ù p « r q .The notation ρ |ù p Ě r q will be used whenever the retrieve functions ρ and ρ are the same,and write ρ, ρ |ù p Ě q when r is the identity relation on the underlying states. In line withthe correspondence, we also write ρ, ρ |ù p « q whenever r is an identity, and ρ |ù p « r q when ρ and ρ are the same.3.1. Properties of correspondences.
Firstly, notice that the singleton set tp skip , skip qu istrivially a simulation with respect to any (appropriately typed) ρ, ρ and r . Hence, ρ, ρ |ù skip Ě r skip holds, i.e. the correspondence relation is not empty for any ρ, ρ and r . Italso follows immediately from the definition that the inequalities ρ, ρ |ù x Ě r skip and ρ, ρ |ù skip Ě r x possess only one solution x “ skip . Proposition 3.2.
Assume ρ, ρ |ù p Ě r q , p σ , σ q P r and ρ $ p q, σ q n Ñ P p q , σ q with n P N . Then there exist p , σ such that ρ $ p p, σ q n Ñ P p p , σ q with ρ, ρ |ù p Ě r q and p σ , σ q P r .Proof. ρ, ρ |ù p Ě r q gives us a simulation X w.r.t. ρ, ρ , r . By induction on n we obtainsome p , σ such that ρ $ p p, σ q n Ñ P p p , σ q with p p , q q P X and p σ , σ q P r .Note that the above statement is in general not true with ρ, ρ |ù p « r q in place of ρ, ρ |ù p Ě r q .Next proposition shows how correspondences can be composed. There and in whatfollows, r ˛ s denotes the relational composition tp a, b q | D c. p a, c q P r ^ p c, b q P s u . Proposition 3.3. If ρ , ρ |ù p Ě r p and ρ , ρ |ù p Ě s p then ρ , ρ |ù p Ě r ˛ s p .Proof. The assumptions give us two simulations: X w.r.t. ρ , ρ , r containing p p , p q , and X w.r.t. ρ , ρ , s containing p p , p q . We use their composition X ˛ X containing p p , p q ,as a witness to establish the conclusion: that X ˛ X is a simulation w.r.t. ρ , ρ , r ˛ s follows from the simulation properties of X and X .With identity in place of r , the above statement assumes the following form. Corollary 3.4. If ρ , ρ |ù p Ě p and ρ , ρ |ù p Ě p then ρ , ρ |ù p Ě p . The following proposition states that Ě is also reflexive and, hence, a preorder. Proposition 3.5. ρ |ù p Ě p .Proof. The relevant set is the identity on L α , which is a simulation with respect to theidentity on α .Thus, ρ |ù p « q is an equivalence relation and, in particular, allows us to exchange p and q arbitrarily when reasoning with correspondences.Regarding more specific equivalences, one would expect the sequential composition tobe associative. As mentioned in the previous section, the question of associativity of theparallel operator does not arise since we can apply it to any finite non-empty sequence ofcomponents. However, one would expect the parallel composition to be commutative. Proposition 3.6. ρ |ù p ; p ; p « p p ; p q ; p .Proof. We show ρ |ù p ; p ; p Ě p p ; p q ; p , whereas the opposite direction follows similarly.The set X def “ tp u ; p ; p , p u ; p q ; p q | u P Ju Y id contains the pair p ; p ; p and p p ; p q ; p .Further, suppose ρ $ pp u ; p q ; p , σ q Ñ P p x, σ q for some u . If u “ skip then x “ p ; p and σ “ σ , such that we can match this by ρ $ p skip ; p ; p , σ q Ñ P p p ; p , σ q . If u ‰ skip thenthere is a step ρ $ p u, σ q Ñ P p u , σ q with some u such that x “ p u ; p q ; p . Also in thiscase we have ρ $ p u ; p ; p , σ q Ñ P p u ; p ; p , σ q with p u ; p ; p , p u ; p q ; p q P X . Proposition 3.7.
Let π be a permutation on t , . . . , m u with m ą , and assume q i “ p π p i q for all i P t , . . . , m u . Then ρ |ù k p , . . . , p m Ě k q , . . . , q m .Proof. Let X def “ tp k u , . . . , u m , k v , . . . , v m q | @ i P t , . . . , m u . v i “ u π p i q u Y tp skip , skip qu .Further, suppose ρ $ p k v , . . . , v m , σ q Ñ P p x, σ q and p k u , . . . , u m , k v , . . . , v m q P X hold. If x is skip so are all of v , . . . , v m and we are done.Otherwise there is some i P t , . . . , m u such that ρ $ p k v , . . . , v i , . . . , v m , σ q Ñ P p x, σ q holds with x “ k v , . . . , w, . . . , v m due to a step ρ $ p v i , σ q Ñ P p w, σ q . Since v i “ u π p i q , wecan match it by ρ $ p k u , . . . , u π p i q , . . . , u m , σ q Ñ P p k u , . . . , w, . . . , u m , σ q . Corollary 3.8.
Let π be a permutation on t , . . . , m u with m ą , and assume q i “ p π p i q for all i P t , . . . , m u . Then ρ |ù k p , . . . , p m « k q , . . . , q m .Proof. The direction ρ |ù k p , . . . , p m Ě k q , . . . , q m follows straight from the previous propo-sition. Turning the things around, we once more apply Proposition 3.7, but now with π ´ for π . This is sound since p i “ p π p π ´ p i qq “ q π ´ p i q holds for all i P t , . . . , m u .3.2. Closure properties.
One of the central goals of this section is to enable derivationsof program correspondences in a syntax-driven manner.
Proposition 3.9.
Assume m ą and ρ, ρ |ù p i Ě r q i for all i with ď i ď m . Then ρ, ρ |ù k p , . . . , p m Ě r k q , . . . , q m .Proof. From the assumption we obtain simulations X , . . . , X m w.r.t. ρ, ρ , r such that p p i , q i q P X i for all i P t , . . . , m u . Then let X def “ tp k u , . . . , u m , k v , . . . , v m q | @ i P t , . . . , m u . p u i , v i q P X i u Y tp skip , skip qu which contains the pair p k p , . . . , p m , k q , . . . , q m q . Further, to show that X is a simulationw.r.t. ρ, ρ , r suppose we have a step ρ $ p k v , . . . , v m , σ q Ñ P p x, σ q with p σ , σ q P r and ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 11 p k u , . . . , u m , k v , . . . , v m q P X . If x “ skip then v i “ skip for all i P t , . . . , m u , and therefore u i “ skip for all i P t , . . . , m u as well, since p u i , v i q P X i .If x ‰ skip then for some i P t , . . . , m u we have a step ρ $ p v i , σ q Ñ P p v i , σ q suchthat x “ k v , . . . , v i , . . . , v m holds. Since p u i , v i q P X i and p σ , σ q P r , we obtain some u i and σ such that ρ $ p u i , σ q Ñ P p u i , σ q holds with p u i , v i q P X i and p σ , σ q P r .This enables the transition ρ $ p k u , . . . , u i , . . . , u m , σ q Ñ P p k u , . . . , u i , . . . , u m , σ q with p k u , . . . , u i , . . . , u m , k v , . . . , v i , . . . , v m q P X . Proposition 3.10. If ρ, ρ |ù p Ě r q and ρ, ρ |ù p Ě r q then ρ, ρ |ù p ; p Ě r q ; q .Proof. From the assumptions we get simulations X , X w.r.t. ρ, ρ , r with p p , q q P X and p p , q q P X . Then let X be defined by tp u ; p , v ; q q | p u, v q P X u Y X , such that p p ; p , q ; q q P X . Further, let ρ $ p v ; q , σ q Ñ P p x, σ q with p σ , σ q P r and p u, v q P X .If v “ skip then u “ skip and x “ q and σ “ σ , such that we are done, since p p , q q P X and X Ď X .If v ‰ skip then we have a step ρ $ p v, σ q Ñ P p v , σ q such that x “ v ; p . Since p u, v q P X , we also have a step ρ $ p u, σ q Ñ P p u , σ q with p σ , σ q P r and p u , v q P X .Therefore, ρ $ p u ; p , σ q Ñ P p u ; p , σ q with p u ; p , x q P X .In the following three propositions we also have to take accounts of branching andblocking conditions. Proposition 3.11.
Assume (1) ρ, ρ |ù p Ě r p , (2) ρ, ρ |ù q Ě r q , (3) σ P C iff σ P C for any p σ , σ q P r .Then ρ, ρ |ù if C then p else q fi Ě r if C then p else q fi .Proof. From (1) and (2) we get simulations X p , X q w.r.t. ρ, ρ , r with p p , p q P X p and p q , q q P X q . Then let X def “ X p Y X q Y tp if C then p else q fi , if C then p else q fi qu .First, note that as the union of simulations, X p Y X q is again a simulation. Thenfor the remaining case, suppose we have ρ $ p if C then p else q fi , σ q Ñ P p x, σ q and p σ , σ q P r . If σ P C then x “ p and, since σ P C by (3), we get the transition ρ $ p if C then p else q fi , σ q Ñ P p p , σ q with p σ , σ q P r . Likewise with σ R C . Proposition 3.12.
Assume (1) ρ, ρ |ù p Ě r p , (2) ρ, ρ |ù q Ě r q , (3) σ P C iff σ P C for any p σ , σ q P r .Then ρ, ρ |ù while C do p subsequently q od Ě r while C do p subsequently q od .Proof. From (1) and (2) we get simulations X p , X q w.r.t. ρ, ρ , r with p p , p q P X p and p q , q q P X q . The relevant set of pairs is, however, slightly more involved than in theprevious proof: X def “ tp L, R q , p skip ; L, skip ; R qu Y tp u ; skip ; L, v ; skip ; R q | p u, v q P X p u Y X q where L is while C do p subsequently q od , whereas R – while C do p subsequently q od .Further, assume p σ , σ q P r and consider the following cases.First suppose we have a step ρ $ p R, σ q Ñ P p x, σ q . If σ P C then x “ p ; skip ; R and σ “ σ . This can be matched by ρ $ p L, σ q Ñ P p p ; skip ; L, σ q , since σ P C by (3), and pp p ; skip ; L, p ; skip ; R q P X . If σ R C then x “ q and σ “ σ , which can bematched by ρ $ p L, σ q Ñ P p q , σ q .Further, the case ρ $ p skip ; R, σ q Ñ P p R, σ q is clear, since the step can be matchedby ρ $ p skip ; L, σ q Ñ P p L, σ q .Finally, suppose we have ρ $ p v ; skip ; R, σ q Ñ P p x, σ q and p u, v q P X p . If v “ skip then u “ skip , which leads to essentially the same situation as in the previous case. Otherwisethere exists some v such that ρ $ p v, σ q Ñ P p v , σ q and x “ v ; skip ; R . Since X p is asimulation, we also have a transition ρ $ p u, σ q Ñ P p u , σ q with p u , v q P X p and p σ , σ q P r .This, in turn, enables the matching step ρ $ p u ; skip ; L, σ q Ñ P p u ; skip ; L, σ q . Proposition 3.13.
Assume (1) ρ, ρ |ù p Ě r p , (2) σ P C implies σ P C for any p σ , σ q P r .Then ρ, ρ |ù await C do p od Ě r await C do p od .Proof. In order to establish ρ, ρ |ù await C do p od Ě r await C do p od let X bedefined by tp await C do p od , await C do p od q , p skip , skip qu . Further, suppose we havesome p σ , σ q P r and a step ρ $ p await C do p od , σ q Ñ P p x, σ q . This entails σ P C , ρ $ p p , σ q ‹ Ñ P p skip , σ q and x “ skip . Then using (1), from Proposition 3.2 we obtainsome σ such that ρ $ p p , σ q ‹ Ñ P p skip , σ q and p σ , σ q P r . Since σ P C holds by (2),this enables the matching step ρ $ p await C do p od , σ q Ñ P p skip , σ q .Lastly, the remaining two propositions show how correspondences between indivisiblesteps can be established. Proposition 3.14. If p f σ , g σ q P r for all p σ , σ q P r then ρ, ρ |ù basic f Ě r basic g .Proof. From the assumption we can infer that the set tp basic f, basic g q , p skip , skip qu is asimulation w.r.t. ρ, ρ , r . Proposition 3.15.
Assume that for any p σ , σ q P r there exists σ such that p σ , f σ q P r and ρ $ p p, σ q ‹ Ñ P p skip , σ q hold. Then ρ, ρ |ù x p y Ě r basic f .Proof. Let X def “ tpx p y , basic f q , p skip , skip qu . In order to establish that X is a simulationw.r.t. ρ, ρ , r , suppose we have some p σ , σ q P r , such that from the assumption we furtherobtain σ with p σ , f σ q P r and ρ $ p p, σ q ‹ Ñ P p skip , σ q . Since ρ $ p p, σ q ‹ Ñ P p skip , σ q implies ρ $ px p y , σ q Ñ P p skip , σ q , we are done.3.3. Sequential normalisation.
Section 1 pointed out the necessity of code restructuringsprior to transformations of conditional and while -statements into corresponding representa-tions using jumps. Next two propositions justify these restructurings semantically.
Proposition 3.16.
The following equivalence holds: ρ |ù if C then p else p fi ; q « if C then p ; q else p ; q fi . Proof.
We establish ρ |ù if C then p else p fi ; q Ě if C then p ; q else p ; q fi by means ofthe set tp if C then p else p fi ; q, if C then p ; q else p ; q fi qu Y id . Suppose we have a step ρ $ p if C then p ; q else p ; q fi , σ q Ñ P p x, σ q . If σ P C then x “ p ; q and σ “ σ . Thisenables the matching step ρ $ p if C then p else p fi ; q, σ q Ñ P p p ; q, σ q . The case σ R C issymmetric and the opposite direction ρ |ù if C then p ; q else p ; q fi Ě if C then p else p fi ; q can be concluded likewise. ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 13
Proposition 3.17.
The following equivalence holds: ρ |ù while C do p subsequently p od ; q « while C do p subsequently p ; q od . Proof.
As in the previous proof, we first show the direction ρ |ù L Ě R where L abbreviates while C do p subsequently p od ; q and R – while C do p subsequently p ; q od . This is doneby means of the set X def “ tp skip ; L, skip ; R q , p L, R qu Y tp v ; skip ; L, v ; skip ; R q | v P Ju Y id .The case with p skip ; L, skip ; R q is clear. Next, suppose ρ $ p R, σ q Ñ P p x, σ q . If σ P C then x “ p ; skip ; R and σ “ σ . Then the step from p L, σ q to the configuration p p ; skip ; L, σ q matches that with p p ; skip ; L, x q P X . If σ R C then x “ p ; q and σ “ σ , such that we canmake a step from p L, σ q to exactly the same configuration.Finally, suppose ρ $ p v ; skip ; R, σ q Ñ P p x, σ q . If v “ skip then x “ skip ; R and σ “ σ ,and we accordingly have ρ $ p skip ; skip ; L, σ q Ñ P p skip ; L, σ q . If v ‰ skip then there issome v with ρ $ p v, σ q Ñ P p v , σ q such that x “ v ; skip ; R . This enables the step ρ $p v ; skip ; L, σ q Ñ P p v ; skip ; L, σ q .The opposite direction, i.e. ρ |ù R Ě L , follows in a symmetric way.Note that these equivalences subsume ρ |ù if C then p fi ; q « if C then p ; q else skip ; q fi and ρ |ù while C do p od ; q « while C do p subsequently skip ; q od .3.4. Replacing conditional and while-statements by jumps.Proposition 3.18.
The following equivalence holds: ρ |ù if C then p else ρ j fi « cjump C to j otherwise p end . Proof.
Taking the set of pairs tp if C then p else ρ j fi , cjump C to j otherwise p end qu Y id for the Ě -direction and tp cjump C to j otherwise p end , if C then p else ρ j fi qu Y id for theopposite.Next proof is the only motivation for the extra skip in the rule ‘While-True’ ( cf. Figure 1).
Proposition 3.19.
Assume (1) ρ i “ cjump C to j otherwise p ; jump i end , (2) ρ j “ q .Then ρ |ù while C do p subsequently q od « cjump C to j otherwise p ; jump i end .Proof. A set of pairs to establish the Ě -direction is X def “ tp L, ρ i q , p skip ; L, jump i qu Y tp u ; skip ; L, u ; jump i | u P Ju Y id where L abbreviates while C do p subsequently q od .First, suppose we have a transition ρ $ p ρ i, σ q Ñ P p x, σ q with some x, σ and σ . If σ P C then x “ p ; jump i and σ “ σ . We can match that by ρ $ p L, σ q Ñ P p p ; skip ; L, σ q since p p ; skip ; L, p ; jump i q P X . If σ R C then x “ ρ j “ q and σ “ σ , such that we canmake a step from p L, σ q to exactly the same configuration.Next, if we have a transition ρ $ p jump i, σ q Ñ P p ρ i, σ q then this is matched by the onlypossible transition ρ $ p skip ; L, σ q Ñ P p L, σ q , since p L, ρ p i qq P X .Finally, suppose ρ $ p u ; jump i, σ q Ñ P p x, σ q with some u . If u “ skip then x “ jump i and σ “ σ , which is matched by ρ $ p skip ; skip ; L, σ q Ñ P p skip ; L, σ q . Otherwise, there is astep ρ $ p u, σ q Ñ P p u , σ q with some u such that x “ u ; jump i . This enables the transition ρ $ p u ; skip ; L, σ q Ñ P p u ; skip ; L, σ q with p u ; skip ; L, u ; jump i q P X .The opposite direction can be shown likewise. Note that the aim of the above proposition is merely to convey the basic principlebehind the transformation. In particular, the statement does not take into account that p ; jump i on the rhs can, in turn, become subject to the sequential normalisation.4. Conditions on Potential Computations
This section takes up the topic of potential computations and puts program correspondencein that context. We start with the conditions allowing us to systematically restrict the setof potential computations of a program.
Definition 4.1.
Let R be a state relation. Then the environment condition E nv ω R com-prises the set of infinite potential computations sq satisfying p S p sq i q , S p sq i ` qq P R for any i P N with sq i Ñ E sq i ` .We need to recast the definition to finite computations. Definition 4.2.
Let R be a state relation. Then the environment condition E nv R comprisesthe set of finite potential computations sq satisfying p S p sq i q , S p sq i ` qq P R for any i ă| sq | ´ sq i Ñ E sq i ` .The reason for this distinction is the following. The set of actual computations ( cf. [Sti88])of a program is a subset of its potential computations and comprises those without any envi-ronment steps. Now, consider E nv ω K and E nv K , where K denotes the empty relation – theopposite to the already introduced J . Then E nv ω K specifies all infinite actual computations,whereas E nv K – all finite. There are, however, terminating programs that do have onlyfinite actual computations, which consequently form a subset of E nv K but not of E nv ω K .In other words, we do not get E nv K just by prefixing E nv ω K . Nonetheless, for the sake ofbrevity, in the sequel only E nv R will be used, as it will be clear from the context whichversion is meant. Definition 4.3.
Let G be a state relation. Then the program condition P rog G comprisesthe set of infinite potential computations sq satisfying p S p sq i q , S p sq i ` qq P G for any i P N with ρ $ sq i Ñ P sq i ` , as well as all finite non-empty prefixes thereof. Definition 4.4.
Let C be a state predicate. A (finite or infinite) potential computation sq satisfies the input condition I n C if S p sq q P C . Furthermore, a (finite or infinite) potentialcomputation sq , where for the first index i with sq i “ p skip , σ q , if such exists, we have σ P C ,satisfies the output condition O ut C .Note that the definition of output conditions is, in essence, the same as in [Sti88].4.1. Program correspondence and finite potential computations.
The followingproposition resorts to environment conditions in order to describe how finite potential com-putations can be replayed along program correspondences.
Proposition 4.5.
Assume ρ, ρ |ù p Ě r q , sq q P v q w ρ , sq q P E nv R , r ˛ R Ď R ˛ r . Moreover,let σ be a state with p σ, S p sq q qq P r . Then there exists a computation sq p P v p w ρ with thesame length as sq q such that the following conditions hold: (1) S p sq p q “ σ , (2) sq p P E nv R , (3) p S p sq pi q , S p sq qi qq P r for any i ă | sq q | , ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 15 (4) ρ, ρ |ù P p sq pi q Ě r P p sq qi q for any i ă | sq q | , (5) sq pi Ñ E sq pi ` iff sq qi Ñ E sq qi ` for any i ă | sq q | ´ .Proof. We proceed by induction on the length of sq q . The case | sq q | “ sq q P v q w ρ implies that sq q is not empty. Next, if | sq q | “ p p, σ q P v p w ρ which satisfies the conditions (1)–(5).Further, suppose sq q “ sq q , . . . , sq qn ´ , sq qn with n ą
1, such that n | sq q “ sq q , . . . , sq qn ´ is a non-empty prefix of sq q . Hence, n | sq q P v q w ρ X E nv R holds, such that by the inductionhypothesis we obtain some computation sq p P v p w ρ with | sq p | “ n satisfying the conditions(1)–(5). In particular, we have(a) p S p sq pn ´ q , S p sq qn ´ qq P r and(b) ρ, ρ |ù P p sq pn ´ q Ě r P p sq qn ´ q .In case of an environment step sq qn ´ Ñ E sq qn , p S p sq qn ´ q , S p sq qn qq P R follows from theassumption sq q P E nv R . Hence, with (a) we can infer p S p sq pn ´ q , S p sq qn qq P r ˛ R , and from r ˛ R Ď R ˛ r consequently obtain some σ such that p S p sq pn ´ q , σ q P R and p σ , S p sq qn qq P r hold. Thus, we can extend sq p to sq p , . . . , sq pn ´ , p P p sq pn ´ q , σ q , which is a computation in v p w ρ satisfying the conditions (1)–(5).Otherwise, assume a program step ρ $ sq qn ´ Ñ P sq qn . Then (a) and (b) entail acorresponding program step ρ $ sq pn ´ Ñ P p p , σ q , such that ρ, ρ |ù p Ě r P p sq qn q and p σ , S p sq qn qq P r hold. Using this, sq p can be extended to sq p , . . . , sq pn ´ , p p , σ q which is, inturn, a computation in v p w ρ satisfying the conditions (1)–(5).5. A Hoare-style Rely/Guarantee Program Logic
Having the environment, program, input and output conditions on potential computationsdefined, this section is devoted to a Hoare-style ( cf. [Hoa69]) logic for reasoning aboutparallel programs by means of extended Hoare triples ρ |ù t R, P u p t Q, G u , where R is called the rely, P – the precondition, Q – the postcondition, and G – the guarantee.Following [Sti88], the word ‘extended’ emphasises that such triples arise by generalisation ofthe Owicki-Gries method [OG76], moving annotated assertions to the level of state relations:the rely and the guarantee, namely. Definition 5.1.
Let p ρ, p q be a program, R and G – state relations, whereas P and Q –state predicates. Then ρ |ù t R, P u p t Q, G u holds iff E nv R X I n P X v p w ρ Ď O ut Q X P rog G does.Next definition subsumes this, encompassing also infinite computations. Definition 5.2.
The extended Hoare triple ρ |ù ω t R, P u p t Q, G u holds iff(1) E nv R X I n P X v p w ωρ Ď O ut Q X P rog G and(2) ρ |ù t R, P u p t Q, G u hold.That the program logic rules can conveniently focus on finite computations withoutlosing anything regarding ρ |ù ω t R, P u p t Q, G u is due to the following statement. Proposition 5.3. ρ |ù ω t R, P u p t Q, G u iff ρ |ù t R, P u p t Q, G u . Proof.
The if-direction amounts to showing that E nv R X I n P X v p w ωρ Ď O ut Q X P rog G is implied by ρ |ù t R, P u p t Q, G u . To this end, let sq be an infinite computation in v p w ωρ satisfying E nv R and I n P .We first show sq P O ut Q . Assume P p sq i q “ skip for some i P N and consider the prefix i ` | sq . Then i ` | sq P E nv R X I n P X v p w ρ holds, such that i ` | sq P O ut Q follows from theassumption ρ |ù t R, P u p t Q, G u . Since the last element of i ` | sq is the skip -configuration sq i , we get some j ď i with P p sq j q “ skip and S p sq j q P Q .In order to establish sq P P rog G a similar argumentation can be applied. Suppose ρ $ sq i Ñ P sq i ` holds for some i P N . Now we take the prefix i ` | sq . From the assumption ρ |ù t R, P u p t Q, G u we can first conclude i ` | sq P P rog G , and then p S p sq i q , S p sq i ` qq P G .The opposite direction is immediate.5.1. The program correspondence rule.
To start with the program logic, next proposi-tion shows how extended Hoare triples can be moved along program correspondences. Fromnow on, let R ¨ X denote the image of a set X under a relation R , i.e. t b | D a P X. p a, b q P R u . Proposition 5.4.
Assume ρ, ρ |ù p Ě r q , ρ |ù t R, P u p t Q, G u and (1) r ˛ R Ď R ˛ r , (2) P Ď r ¨ P , (3) r ¨ Q Ď Q , (4) r ˝ ˛ G ˛ r Ď G .Then ρ |ù t R , P u q t Q , G u .Proof. Let sq q P v q w ρ be a finite potential computation such that sq q P E nv R X I n P holds.Then from (2) we obtain some σ P P with p σ, S p sq q qq P r . Thus, Proposition 4.5 providesthe existence of a potential computation sq p P v p w ρ such that | sq p | “ | sq q | and(a) sq p P E nv R X I n P ,(b) p S p sq pi q , S p sq qi qq P r for any i ă | sq q | ,(c) ρ, ρ |ù P p sq pi q Ě r P p sq qi q for any i ă | sq q | ,(d) sq pi Ñ E sq pi ` iff sq qi Ñ E sq qi ` for any i ă | sq q | ´ ρ |ù t R, P u p t Q, G u and (a) entail sq p P O ut Q X P rog G , whichwe will use below to establish sq q P O ut Q X P rog G .First, suppose P p sq qi q “ skip for some i ă | sq q | . Then P p sq pi q “ skip follows from (c).Since sq p P O ut Q , there must be some j ď i with sq pj “ p skip , σ q and σ P Q . Then from (b)and (c) we can infer sq qj “ p skip , σ q with p σ, σ q P r . That is, σ is in the image of Q under r such that σ P Q follows from (3).Second, in order to show sq q P P rog G assume ρ $ sq qi Ñ P sq qi ` with some i ă | sq q |´ ρ $ sq pi Ñ P sq pi ` at the same position, so that sq p P P rog G implies p S p sq pi q , S p sq pi ` qq P G . Furthermore, from (b) we can conclude p S p sq pi q , S p sq qi qq P r and p S p sq pi ` q , S p sq qi ` qq P r . Thus, p S p sq qi q , S p sq qi ` qq P G follows from (4).In particular, assuming p “ q and taking id for r , Proposition 5.4 yields the canonicalrule of consequence. Another result of Proposition 5.4 is the following Corollary 5.5.
Assume ρ, ρ |ù p « q . Then ρ |ù t R, P u p t Q, G u iff ρ |ù t R, P u q t Q, G u .Proof. With id in place of r , the conditions (1)–(4) of Proposition 5.4 hold due to thereflexivity of Ď . ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 17
Rules for basic and skip .Proposition 5.6. ρ |ù t R, P u skip t P, G u . Proof.
Any computation sq P v skip w ρ trivially satisfies P rog G , whereas sq P O ut P is providedby the initial configuration sq . Proposition 5.7.
Assume (1) R ¨ P Ď P , (2) P Ď t σ | f σ P Q ^ p σ, f σ q P G u .Then ρ |ù t R, P u basic f t Q, G u .Proof. Let sq P E nv R X I n P X v basic f w ρ . If sq does not contain a program step thenboth, sq P O ut Q and sq P P rog G , hold trivially. Otherwise, let ρ $ sq n Ñ P sq n ` be thefirst program step, such that sq n “ p basic f, σ n q and sq n ` “ p skip , f σ n q with some σ n hold. Furthermore, for any m ă n we have sq m Ñ E sq m ` with sq m “ p basic f, σ m q and sq m ` “ p basic f, σ m ` q . Using the stability assumption (1) and S p sq q P P we can concludethat σ n P P holds. Hence, f σ n P Q and p σ n , f σ n q P G by (2). Since n ` | sq P v skip w ρ , thereare no other program steps apart from ρ $ sq n Ñ P sq n ` , i.e. we have sq P P rog G . Finally, sq P O ut Q holds, since sq n ` is the first skip -configuration.The stability assumption (1) in the above statement ensures that any environmentstep retains the initial condition P , and is a general way to systematic reasoning aboutinterleaving. It is also worth noting that skip is the only language constructor that can getaway without any stability assumptions.5.3. A rule for the parallel composition.
The following rule and the proof are, inessence, extensions of the rule and the proof given in [Sti88] for the binary operator p k q . Proposition 5.8.
Let I “ t , . . . , m u with m ą . Furthermore, assume G is a reflexivestate relation and (1) P Ď Ş k P I P i , (2) R Ď Ş k P I R i , (3) ρ |ù t R k , P k u p k t Q k , Ş l P I zt k u R l X G u for any k P I , (4) R k ¨ Q k Ď Q k for any k P I , (5) Ş k P I Q k Ď Q .Then ρ |ù t R, P u k p , . . . , p m t Q, G u .Proof. Suppose sq P E nv R X I n P X v k p , . . . , p m w ρ , and let sq be the longest prefix of sq that does not contain a skip -configuration. First, notice that if sq does not contain such aconfiguration at all then sq “ sq . Second, since sq is a non-empty prefix of sq , we have sq P E nv R X I n P X v k p , . . . , p m w ρ as well. Third, the program part of each configurationof sq has the form k x , . . . , x m .Thus, sq can be ‘split’ into m computations sq k P v p k w ρ for k P I , all having the samelength | sq | such that(a) P p sq i q “ k P p sq i q , . . . , P p sq mi q for any i ă | sq | ,(b) S p sq i q “ S p sq ki q for any i ă | sq | and k P I ,(c) sq i Ñ E sq i ` iff for all k P I we have sq ki Ñ E sq ki ` , for any i ă | sq | ´ By this construction, sq k P I n P k follows immediately from (1) for any k P I .Next, we show by contradiction that sq k P E nv R k holds for all k P I as well. Assumingthe opposite, the set Ť k P I M k where M k def “ t i | i ă | sq | ´ ^ sq ki Ñ E sq ki ` ^ p S p sq i q , S p sq i ` qq R R k u is not empty. Then let µ be the least index in Ť k P I M k and let k µ P I be chosen such that µ P M k µ . Note that there must be some n P I with a program step at µ , i.e. ρ $ sq nµ Ñ P sq nµ ` ,for otherwise we could first conclude sq µ Ñ E sq µ ` by (c), then p S p sq µ q , S p sq µ ` qq P R from sq P E nv R , and finally p S p sq µ q , S p sq µ ` qq P R k µ by (2). Further, note that the prefix µ ` | sq n must satisfy E nv R n . Otherwise there would be some j ă µ with sq nj Ñ E sq nj ` and p S p sq j q , S p sq j ` qq R R n , i.e. j P M n contradicting to µ ď j . Thus, µ ` | sq n P I n P n X E nv R n such that µ ` | sq n P P rog p Ş l P I zt n u R l X G q follows from (3). Since k µ ‰ n , for the programstep ρ $ sq nµ Ñ P sq nµ ` this yields p S p sq µ q , S p sq µ ` qq P R k µ , in contradiction to µ P M k µ .The intermediate result is that sq k P v p k w ρ X I n P k X E nv R k holds for all k P I , suchthat sq k P O ut Q k X P rog p Ş l P I zt k u R l X G q follows from (3) for all k P I . This will be utilisedin the remainder of the proof showing sq P O ut Q X P rog G .First, in order to establish sq P O ut Q , let n “ | sq | and assume some j ă | sq | with P p sq j q “ skip . Then n ď j since sq does not contain any skip -configurations. Further, thestep of sq at the position n ´ skip -configuration, forotherwise sq would not be the longest prefix without reaching a skip -configuration. Thatis, we have ρ $ sq n ´ Ñ P sq n with sq n ´ “ p k skip , . . . , skip , σ q and sq n “ p skip , σ q for somestate σ and need to show σ P Q . Since sq k P O ut Q k and sq kn ´ “ p skip , σ q hold for all k P I ,we obtain sq ki k “ p skip , σ i k q with σ i k P Q k and i k ď n ´ k P I . The assumption(4) ensures that each Q k is retained by all steps of sq k from i k on, since these can compriseenvironment steps only. Therefore, we can first infer σ P Ş k P I Q k , and then σ P Q by (5).Regarding the program condition, assume ρ $ sq i Ñ P sq i ` with i ă | sq | ´ n “ | sq | . If i ă n ´ k P I with ρ $ sq ki Ñ P sq ki ` and, since sq k P P rog G holds, we can conclude p S p sq i q , S p sq i ` qq “ p S p sq ki q , S p sq ki ` qq P G .Further, if i ` “ n then sq i “ p k skip , . . . , skip , σ q and sq i ` “ p skip , σ q with some state σ must hold, since otherwise sq would not be the longest prefix without a skip -configuration.This step is covered by the reflexivity assumption on G . Finally, if i ě n then sq i must bea skip -configuration, which contradicts the assumption ρ $ sq i Ñ P sq i ` .By setting m “
2, the statement of Proposition 5.8 assumes the following form.
Corollary 5.9.
Assume G is reflexive and (1) P Ď P X P , (2) R Ď R X R , (3) ρ |ù t R , P u p t Q , R X G u , (4) ρ |ù t R , P u p t Q , R X G u , (5) R ¨ Q Ď Q , (6) R ¨ Q Ď Q , (7) Q X Q Ď Q .Then ρ |ù t R, P u p k p t Q, G u . ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 19
These rules enable structured reasoning about interleaved computations, but are farfrom being complete: the famous ‘parallel increment’ parallel - inc def “ x : “ x ` k x : “ x ` σ on which a program operates comprises a mapping thatsends each state variable that occurs in the program (such as x in parallel - inc above) to avalue of a fixed type assigned to the variable, e.g. σ x is an integer in parallel - inc . Then anassignment of an appropriately typed term t to a state variable a amounts to the indivisiblestep basic p λσ. σ r a : “ t s q , where σ r a : “ t s denotes the updated state sending a to t and any b ‰ a – to σ b . Whenever a state variable occurs in t , such as x in x `
1, it actually stands for σ x . That is, the assignment x : “ x ` basic p λσ. σ r x : “ σ x ` s q . Similarconventions apply to state predicates: a condition like a “ t σ | σ a “ u .Moreover, with state relations we will resort to prime variables: for instance a “ a ^ b “ a stands for tp σ, σ q | σ a “ σ a ^ σ b “ σ a u .Now, consider the following extended Hoare triple: |ù tK , x “ u parallel - inc t x “ , Ju (5.1)where the rely condition K rules out any environment that could interleave with parallel - inc .It is actually not too difficult to directly verify that (5.1) is indeed a property of parallel - inc :this amounts to checking the postcondition on seven computations starting from σ r x : “ s andperforming up to three program steps.On the other hand, it is impossible to derive the same property immediately using theparallel rule in Corollary 5.9 because, assuming the opposite, we would have found some R i , P i , Q i with i P t , u such that(1) |ù t R , P u x : “ x ` t Q , R u ,(2) |ù t R , P u x : “ x ` t Q , R u and, moreover, σ r x : “ s P P X P and Q X Q Ď x “ σ r x : “ s P Q , provided by the computation p x : “ x ` , σ r x : “ s q Ñ P p skip , σ r x : “ s q that triviallysatisfies E nv R . Since σ r x : “ s P Q similarly follows from (2), we have σ r x : “ s P Q X Q and therefore a contradiction in form of σ r x : “ s P p x “ q .However, this shall not lead to the hasty conclusion that (5.1) is not derivable bythe rules at all, for it is: in order to apply the parallel rule we first have to introducetwo auxiliary variables, each local to one thread, and then show a generalised property.Subsequently, showing (5.1) in principle amounts to discarding the auxiliaries by means ofthe program correspondence rule.To sum up, placing auxiliary variables is often required for a successful application ofthe parallel rule, and the case study, starting in Section 6, will appeal to this technique too.5.4. A rule for the sequential composition.Proposition 5.10.
Assume G is a reflexive state relation and (1) ρ |ù t R, P u p t S, G u , (2) ρ |ù t R, S u q t Q, G u , (3) q “ skip implies R ¨ Q Ď Q . Then ρ |ù t R, P u p ; q t Q, G u .Proof. Suppose sq P E nv R X I n P X v p ; q w ρ and let sq be the longest prefix of sq that doesnot contain a configuration of the form p skip ; q, σ q . Then we can construct a computation sq p P v p w ρ with the length | sq | such that(a) P p sq i q “ P p sq pi q ; q for any i ă | sq | ,(b) S p sq i q “ S p sq pi q for any i ă | sq | ,(c) sq i Ñ E sq i ` iff sq pi Ñ E sq pi ` for any i ă | sq | ´ sq p P E nv R X I n P holds, so that sq p P O ut S X P rog G follows from (1).If sq does not contain a configuration of the form p skip ; q, σ q at all then sq P O ut Q holds trivially, whereas sq P P rog G holds due to sq p P P rog G .Otherwise, let n “ | sq | and assume n ă | sq | . Then we have ρ $ p P p sq n ´ q , σ n ´ q Ñ P p P p sq n q , σ n q with P p sq n ´ q “ P p sq pn ´ q ; q and P p sq n q “ skip ; q . Thus, we can extend sq p to sq p byappending the configuration p skip , σ n q such that sq p P E nv R X I n P X v p w ρ , and hence sq p P O ut S X P rog G hold. In particular, note that sq p P O ut S implies σ n P S .Further, in case there is no m ą n with ρ $ sq m ´ Ñ P sq m we once more have that sq P O ut Q holds trivially, whereas sq P P rog G holds because sq p P P rog G does and G isassumed to be reflexive.Otherwise, assume sq makes a program step at m with n ď m ă | sq | ´ m be the least such index. That is, we have ρ $ sq m Ñ P sq m ` with sq m “ p skip ; q, σ m q and sq m ` “ p q, σ m q . Now consider the subsequence sq n Ñ E . . . Ñ E sq m where for eachconfiguration sq k with n ď k ď m we have P p sq k q “ skip ; q . From this we obtain thecomputation sq q “ p q, σ n q Ñ E . . . Ñ E p q, σ m q . Then composing sq q with the suffix m ` | sq yields the computation sq q P E nv R X I n S X v q w ρ such that sq q P O ut Q X P rog G followsfrom (2).Next, to show sq P O ut Q , let j ă | sq | be an index with P p sq j q “ skip . Then j ą m must hold, whereas j “ m ` q “ skip . If q “ skip then P p sq qm ´ n q “ skip ,and from sq q P O ut Q we obtain some i ď m ´ n with P p sq qi q “ skip and S p sq qi q P Q .Using (3) we can extend this to S p sq qm ´ n q “ S p sq m q “ σ m P Q . If q ‰ skip then by theremark above we have m ` ă j . Therefore, P p sq qj ´ n ´ q “ P p sq j q “ skip such that from sq q P O ut Q we obtain some i ď j ´ n ´ P p sq qi q “ skip and S p sq qi q P Q . Notice that i ď m ´ n would imply q “ skip , i.e. i ą m ´ n must hold and hence j ě i ` n ` ą m ` P p sq i ` n ` q “ P p sq qi q “ skip and S p sq i ` n ` q “ S p sq qi q P Q .Lastly, sq P P rog G follows from sq p P P rog G and m ` | sq P P rog G , if taking also intoaccount that the ‘omitted’ transition ρ $ sq m Ñ P sq m ` is covered by G as we assumedit to be reflexive.It must be stressed that the assumptions (1) and (2) in the above proposition arenot sufficient to remain sound. To substantiate that, suppose Proposition 5.10 would holdwithout the assumption (3). Then the statement |ù t a “ a , a “ u b : “ a ` skip t b “ , Ju would follow from |ù t a “ a , a “ u b : “ a ` t b “ , Ju and |ù t a “ a , b “ u skip t b “ , Ju , where the former is an instance of Proposition 5.7, and the latter – of Proposition 5.6since this does not have any stability assumptions. On the other hand, starting in somestate σ with σ a “
0, the computation p b : “ a ` skip , σ q Ñ P p skip ; skip , σ r b : “ s q Ñ E p skip ; skip , σ r b : “ s q Ñ P p skip , σ r b : “ s q ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 21 clearly satisfies E nv p a “ a q X I n p a “ q X v b : “ a ` skip w but not O ut p b “ q .This and similar argumentations fail with Proposition 5.10: the assumption (3) forcesus to provide stability of the postcondition b “ a “ a , which is impossible.5.5. A rule for while -statements.Proposition 5.11.
Assume G is a reflexive state relation and (1) R ¨ P Ď P , (2) ρ |ù t R, P X C u p t P, G u , (3) ρ |ù t R, P X C u q t Q, G u .Then ρ |ù t R, P u while C do p subsequently q od t Q, G u .Proof. Let p while abbreviate while C do p subsequently q od . Then we have to show that sq P E nv R X I n P X v p while w ρ implies sq P O ut Q X P rog G , and proceed by induction on thelength of sq . Thus, the induction hypothesis is- if sq P E nv R X I n P X v p while w ρ then sq P O ut Q X P rog G for any sq with | sq | ă | sq | which, in turn, implies the statement(4) if sq “ p p while , σ q and σ P P then sq P O ut Q X P rog G for any proper and non-emptysuffix sq of sq that we will additionally assume.In case there is no n ă | sq | ´ ρ $ sq n Ñ P sq n ` , we are done. Otherwise, let n be the first such index. That is, ρ $ sq n Ñ P sq n ` holds with sq n “ p p while , σ n q and sq n ` “ p u, σ n q for some u . Using the stability assumption (1) we can further infer σ n P P .First, if σ n R C then u “ q , and hence n ` | sq P E nv R X I n p P X C q X v q w ρ . Then n ` | sq P O ut Q X P rog G follows from (3), and therefore sq P O ut Q X P rog G holds, since n is the first index with a program step and G is reflexive.If σ n P C then u “ p ; skip ; p while , and hence n ` | sq P E nv R X I n p P X C q X v u w ρ . Let sq be the longest prefix of the suffix n ` | sq that does not contain a configuration of the form p skip ; skip ; p while , σ q with some state σ . Then we can construct a computation sq p P v p w ρ with the length | sq | such that(a) P p sq n ` i ` q “ P p sq pi q ; skip ; p while for all i ă | sq | ,(b) S p sq n ` i ` q “ S p sq pi q for all i ă | sq | ,(c) sq n ` i ` Ñ E sq n ` i ` iff sq pi Ñ E sq pi ` for any i ă | sq | ´ sq p P E nv R X I n p P X C q holds, and sq p P O ut P X P rog G follows from (2).If n ` | sq does not reach a configuration of the form p skip ; skip ; p while , σ q then sq P O ut Q holds trivially, whereas sq P P rog G holds because sq p P P rog G does and ρ $ sq n Ñ P sq n ` is covered by G due to the reflexivity assumption.Otherwise, let n “ | sq | . Then n ` n ă | sq | ´ ρ $ p P p sq n ` n q , σ n ` n q Ñ P p P p sq n ` n ` q , σ n ` n ` q with P p sq n ` n q “ sq pn ´ ; skip ; p while and P p sq n ` n ` q “ skip ; skip ; p while . Using this, sq p can be extended to sq p by appending the configuration p skip , σ n ` n ` q . Since sq p differsfrom sq p only in one program step, sq p P E nv R X I n p P X C q X v p w ρ holds and hence sq p P O ut P X P rog G follows from (2). In particular, sq p P O ut P implies σ n ` n ` P P .For the suffix n ` n ` | sq this yields n ` n ` | sq P E nv R X I n P X v skip ; skip ; p while w ρ . If n ` n ` | sq does not contain two program steps (from skip ; skip ; p while to skip ; p while andfrom skip ; p while to p while ) then sq P O ut Q holds once more trivially, whereas sq P P rog G holds since sq p P P rog G does and G is reflexive.Otherwise, we have some n with n ` n ` ă n ă | sq | and sq n “ p p while , σ n q .Using the stability assumption (1), we can also infer σ n P P from σ n ` n ` P P . Thus, theinduction hypothesis (4) applies to n | sq , yielding n | sq P O ut Q X P rog G .To show the output condition for sq , let j ă | sq | be an index with P p sq j q “ skip . Fromthe above considerations follows that n ă j holds. Since this implies P p n | sq j ´ n q “ skip ,from n | sq P O ut Q we obtain some i ď j ´ n such that P p sq i ` n q “ P p n | sq i q “ skip and S p sq i ` n q “ S p n | sq i q P Q , i.e. sq P O ut Q .Finally, sq P P rog G follows from sq p P P rog G and n | sq P P rog G .5.6. A rule for await -statements.
The particular difficulty with await C do p od is thatone has to express that a state before entering p is related by means of the given guaranteeto a state where p terminates, which, by contrast to Proposition 5.7, can be connected bya computation involving several program steps. Therefore, in the assumption (2) below, σ is used as a reference to states before entering p , such that in the postcondition we canspecify that inputs and outputs must be related by the guarantee G . The same approachcan be encountered e.g. in [Nie03]. It is also worth noting that appealing to the assumption p P X C q ˆ Q Ď G instead, is in principle possible but would yield a significantly weaker rule,since p P X C qˆ Q in general gives only a rough overapproximation of the actual input/outputbehaviour of p . Proposition 5.12.
Assume (1) R ¨ P Ď P , (2) ρ |ù tK , P X C X t σ uu p tt σ | σ P Q ^ p σ, σ q P G u , Ju for any state σ .Then ρ |ù t R, P u await C do p od t Q, G u .Proof. Let sq P E nv R X I n P X v await C do p od w ρ . If sq does not make a program step thenwe are done. Otherwise, assume ρ $ sq i Ñ P sq i ` with i ă | sq | ´ sq i “ p await C do p od , σ i q and sq i ` “ p skip , σ i ` q with σ i P C and, moreover, σ i P P due to the stability assumption (1). Furthermore, ρ $ p p, σ i q n Ñ P p skip , σ i ` q holdsfor some n P N . That is, we have a computation sq p P E nv K X I n t σ i u X v p w ρ with the length n ` sq p “ p p, σ i q and sq pn “ p skip , σ i ` q hold.Hence, by instantiation of σ by σ i in (2) we can first infer sq p P O ut A , where A is t σ | σ P Q ^ p σ i , σ q P G u , and then σ i ` P Q and p σ i , σ i ` q P G . The former provides sq P O ut Q , since sq i ` is the first skip -configuration on sq , whereas the latter – sq P P rog G ,since ρ $ sq i Ñ P sq i ` is also the last program step on sq .5.7. A rule for conditional statements.Proposition 5.13.
Assume G is a reflexive state relation and (1) R ¨ P Ď P , (2) ρ |ù t R, P X C u p t Q, G u , (3) ρ |ù t R, P X C u q t Q, G u .Then ρ |ù t R, P u if C then p else q fi t Q, G u . ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 23 thread cs def “ flag : “ True ; turn : “ True ; while flag ^ turn do skip od ; cs ; flag : “ Falsethread cs def “ flag : “ True ; turn : “ False ; while flag ^ turn do skip od ; cs ; flag : “ False
Figure 2: Two threads in the mutual exclusion algorithm.
Proof.
Let sq P E nv R X I n P X v if C then p else q fi w ρ . If sq does not make a program stepthen we are done. Otherwise, assume ρ $ sq i Ñ P sq i ` with i ă | sq | ´ sq i “ p if C then p else q fi , σ q and sq i ` “ p x, σ q with some x and σ P P due tothe stability assumption (1). If σ P C then x “ p and i ` | sq P E nv R X I n P X v p w ρ . Hence, i ` | sq P O ut Q X P rog G by (2), from which sq P O ut Q X P rog G follows using reflexivity of G . The case σ R C is symmetric.5.8. A brief summary.
Starting with the definition of extended Hoare triples, this sectionpresented the program correspondence rule as well as a program logic rule for each of thelanguage constructors, except cjump C to j otherwise p end , which is surely not because itis impossible: the equivalence in Proposition 3.18 combined with Proposition 5.13 gives arule for cjump , which, however, would have ρ |ù t R, P X C u ρ j t Q, G u as an assumptionabout a jump destination.6. Case Study: Peterson’s Mutual Exclusion Algorithm
This section embarks on the first part of the case study employing the techniques developedso far. The definitions of thread and thread , shown in Figure 2, shall represent the threadsin the well-known Peterson’s mutual exclusion algorithm [Pet81]. They are parameterisedby cs and cs , which can be instantiated by any term of type L τ for any specific type τ ,and regarded as placeholders for whatever needs to be performed within the critical sections.Thus, the definition mutex cs cs def “ thread cs k thread cs models the entire protocol, featuring abstraction over the contents of critical sections. Notethat this model is not tailored to be transformed to some low-level representations, inparticular due to the compound conditions flag ^ turn and flag ^ turn in the while -statements. However, in this form it suits more the actual purpose of the case study:to elicit the logical principles behind the algorithm without delving into technical details.More specifically, the central goal of this section is to establish that mutex enables certain thread aux cs def “ flag : “ True ; x turn : “ True ; turn aux : “ True y ; while flag ^ turn do skip od cs ; flag : “ Falsethread aux cs def “ flag : “ True ; x turn : “ False ; turn aux : “ True y ; while flag ^ turn do skip od cs ; flag : “ False
Figure 3: The threads augmented by the auxiliary variables.privileged conditions to cs and cs regarding interference, despite that thread and thread can run in an arbitrarily interleaved way.In order to pinpoint what these privileged conditions are, let shared be a variablerepresenting some resource that both cs and cs are entitled to access for reading andwriting. Moreover, let P , Q and P , Q be predicates that can depend on the values of shared such that, e.g. P shared can be used to specify some conditions on these valuesbefore entering the critical section cs , whereas Q shared – when cs terminates. Thus,specifications of the critical sections can be sketched by means of the following extendedHoare triples: |ù t shared “ shared . . . , P shared u cs t Q shared , . . . u|ù t shared “ shared . . . , P shared u cs t Q shared , . . . u Among the relies, shared “ shared essentially captures a half of the privileged conditionsmentioned above: each critical section can treat shared as its local variable. Another halfof the privileged conditions will consequently amount to the absence of shared “ shared among the yet unspecified guarantees: its presence there would prohibit any modificationof shared within cs and cs , making the whole abstraction straight away useless.The parallel increment example in Section 5.3 has stressed the occasional necessity toappeal to auxiliary variables in order to make the parallel composition rule applicable. Andthey will play a rˆole here too: the verification process requires access to the informationwhether a thread has performed its assignment to turn or not. This can be indicated onlyby means of an auxiliary variable. The definitions of thread aux and thread aux , shown inFigure 3, employ turn aux and turn aux to this end. Then the auxiliary model of themutual exclusion algorithm is defined by mutex aux cs cs def “ thread aux cs k thread aux cs The states, on which mutex and mutex aux operate, are shaped as follows. Firstly, flag , flag , and turn carry the Boolean values used for communication between threads.Secondly, we have the Boolean values turn aux and turn aux used for verification pur-poses explained above. Thirdly, there are shared , local , local whose exact type can ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 25 remain open yet. The anticipated purpose of local and local is to allow cs and cs tomake local copies of the shared resource and modify these before submitting the resultsback to shared .Now, from the logical perspective the conditions cond def “ flag ^ p turn aux _ flag _ turn q cond def “ flag ^ p turn aux _ flag _ turn q are at the core of the algorithm: if turn aux and turn aux hold in a state then cond and cond cannot both be true in this state.With all these preparations, we can formulate the following statement for thread : |ù t R , turn aux ^ P shared u thread aux cs t Q shared , R u (6.1)where R abbreviates the rely condition flag “ flag ^ turn aux “ turn aux ^ local “ local ^ (a) p turn aux ^ cond ÝÑ shared “ shared q ^ (b) p turn aux ^ turn aux ÝÑ turn q ^ (c) p turn aux ÝÑ turn “ turn q ^ (d) p turn aux ^ flag ÝÑ flag q ^ (e) p P shared ÝÑ P shared q ^ p Q shared ÝÑ Q shared q (f)specifying that thread aux can rely on(a) thread aux never modifies flag , turn aux and local ;(b) if thread aux makes a step from a state where turn aux and cond hold then shared will retain its value to the next state;(c) if thread aux makes a step from σ to σ such that σ turn aux and σ turn aux holdthen σ turn must hold as well: this condition addresses exactly the transition where thread aux makes its assignment to turn ;(d) thread aux will not modify turn after turn aux was set;(e) thread aux can only reset flag after turn aux was set;(f) the conditions P shared ÝÑ P shared and Q shared ÝÑ Q shared capture thepoint that thread aux shall not compromise what thread aux is trying to accomplish;as a result, this can further restrict actions of thread aux on the shared resource, butis necessary in order to achieve some meaningful cooperation of the two threads.The guarantee R in (6.1) is symmetric to R : flag “ flag ^ turn aux “ turn aux ^ local “ local ^p turn aux ^ cond ÝÑ shared “ shared q ^p turn aux ^ turn aux ÝÑ turn q ^p turn aux ÝÑ turn “ turn q ^p turn aux ^ flag ÝÑ flag q ^p P shared ÝÑ P shared q ^ p Q shared ÝÑ Q shared q and will accordingly serve as the rely for thread aux in the triple |ù t R , turn aux ^ P shared u thread aux cs t Q shared , R u Further, the extended Hoare triple |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u (6.2) specifies the behaviour of cs , where G stands for the guarantee condition flag “ flag ^ flag “ flag ^ turn “ turn ^ (a) local “ local ^ turn aux “ turn aux ^ turn aux “ turn aux ^ (b) p P shared ÝÑ P shared q ^ p Q shared ÝÑ Q shared q (c)Note once more the presence of shared “ shared among the rely conditions and itsabsence in G which, however, does not leave indivisible steps of cs completely unrestrictedrequiring from cs (a) not to modify flag , flag , turn , as these are used for communication between threads;(b) not to modify the variable local , which is supposed to be local to thread aux , as wellas the auxiliary variables;(c) to retain the conditions P shared and Q shared in line with the guarantees of thread aux .The specification of cs consequently assumes the following form: |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u where G abbreviates flag “ flag ^ flag “ flag ^ turn “ turn ^ local “ local ^ turn aux “ turn aux ^ turn aux “ turn aux p P shared ÝÑ P shared q ^ p Q shared ÝÑ Q shared q i.e. the counterpart to G .6.1. Processing thread aux . In order to establish (6.1), for the first part of thread aux up to the critical section thread aux pre def “ flag : “ True ; x turn : “ True ; turn aux : “ True y ; while flag ^ turn do skip od we can derive |ù t R , turn aux ^ P shared u thread aux pre t flag ^ turn aux ^ P shared ^ p flag ^ turn q , R u using flag ^ turn aux ^ P shared and flag ^ turn aux ^ P shared as intermediateconditions. Note that both are stable under R , and the latter is invariant to the while -statement. This yields the following goal for the critical section: |ù t R , flag ^ turn aux ^ P shared ^ p flag ^ turn qu cs t Q shared , R u (6.3)According to the assumption (6.2), cs can rely on the condition shared “ shared . On theother hand, R provides only turn aux ^ cond ÝÑ shared “ shared , making plain rely-weakening impossible. Hence, to apply the program correspondence rule (Proposition 5.4)a suitable state relation is sought.To this end, notice that flag ^ p flag ^ turn q implies cond and is present in theprecondition of (6.3). Then we define r def “ tp σ, σ q | σ “ σ ^ σ turn aux ^ σ cond u ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 27 such that r Ď id , i.e. r is a coreflexive state relation which shall act as an invariant for thecritical section cs . The additional assumption |ù cs Ě r cs (6.4)captures this partly, as it does not take accounts of interleaving, i.e. stability of r under R .This part will be addressed in (1) below. Also note that it is reasonable to assume (6.4) asit holds for any instance of cs which does not modify flag , flag , turn and the auxiliaryvariables.With (6.2) and (6.4) the program correspondence rule becomes applicable because- r ˛ R Ď p shared “ shared ^ local “ local q ˛ r holds, as explained in detail below;- flag ^ turn aux ^ P shared ^ p flag ^ turn q Ď r ¨ p P shared q holds since flag ^ p flag ^ turn q implies cond ;- r ¨ p Q shared q Ď Q shared holds due to the coreflexivity of r ;- r ˛ G ˛ r Ď R holds since turn aux ^ cond and turn aux ^ cond are mutuallyexclusive and therefore trivially imply shared “ shared .That r ˛ R Ď p shared “ shared ^ local “ local q ˛ r holds is one of the most crucialpoints in this context. In essence, it amounts to showing that σ shared “ σ shared and σ turn aux ^ σ cond follow from σ turn aux ^ σ cond and p σ, σ q P R .Firstly, note that p σ, σ q P R simply subsumes that σ shared “ σ shared is implied by σ turn aux ^ σ cond , whereas deriving the condition σ turn aux ^ σ cond correspondsto showing stability of r under R , which complements (6.4) as mentioned above.To this end, note that σ turn aux and σ flag follow immediately from σ turn aux , σ flag and p σ, σ q P R , such that only the condition σ turn aux _ σ flag _ σ turn remains to be shown. Assuming σ turn aux , σ flag and σ turn , we consider the cases if σ turn aux holds.If it does then from p σ, σ q P R we can first obtain σ flag , since σ turn aux and σ flag hold. Hence, from σ cond we can infer σ turn . Furthermore, p σ, σ q P R alsosubsumes that σ turn aux implies σ turn “ σ turn , from which σ turn follows.Lastly, assume σ turn aux . This situation arises exactly at the point when thread aux makes its assignment to turn , which is captured in R by means of the condition that σ turn aux and σ turn aux imply σ turn .6.2. Summarising the intermediate results.
What has been achieved so far was toderive the extended Hoare triple |ù t R , turn aux ^ P shared u thread aux cs t Q shared , R u under the assumptions |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u and |ù cs Ě r cs . In an entirely symmetric way we can also derive |ù t R , turn aux ^ P shared u thread aux cs t Q shared , R u under the assumptions |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u and |ù cs Ě r cs where we accordingly define r def “ tp σ, σ q | σ “ σ ^ σ turn aux ^ σ cond u The following proposition summarises the intermediate result.
Proposition 6.1.
Assume (1) |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u , (2) |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u , (3) |ù cs Ě r cs , (4) |ù cs Ě r cs .Then |ù t id , P shared ^ P shared ^ turn aux ^ turn aux u thread aux cs k thread aux cs t Q shared ^ Q shared , Ju Proof.
By the parallel composition rule (Corollary 5.9).The next step will be to derive the corresponding rule for mutex .6.3.
Removing the auxiliaries.
We once more resort to the program correspondence rule,now using the state relation r eqv def “ tp σ, σ q | σ flag “ σ flag ^ σ flag “ σ flag ^ σ turn “ σ turn ^ σ shared “ σ shared ^ σ local “ σ local ^ σ local “ σ local u i.e. the equivalence on states up to the values of auxiliary variables. Proposition 6.2.
Assume (1) |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u , (2) |ù t shared “ shared ^ local “ local , P shared u cs t Q shared , G u , (3) |ù cs Ě r cs , (4) |ù cs Ě r cs , (5) |ù cs Ě r eqv cs , (6) |ù cs Ě r eqv cs .Then |ù t id , P shared ^ P shared u thread cs k thread cs t Q shared ^ Q shared , Ju .Proof. Firstly, the extended triple |ù t id , P shared ^ P shared ^ turn aux ^ turn aux u thread aux cs k thread aux cs t Q shared ^ Q shared , Ju follows from Proposition 6.1 using (1) – (4). Secondly, the correspondence |ù thread aux cs k thread aux cs Ě r eqv thread cs k thread cs follows from (5) and (6), since |ù x turn : “ True ; turn aux : “ True y Ě r eqv turn : “ True
ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 29 and |ù x turn : “ False ; turn aux : “ True y Ě r eqv turn : “ False can be derived, e.g. using Proposition 3.15.Although not present in the conclusion of Proposition 6.2, the auxiliary variables stillpersist in its premises: as the condition turn aux “ turn aux ^ turn aux “ turn aux in both guarantees G and G , and in the state relations r , r . This essentially only rulesout instances of cs and cs which modify or depend on the auxiliaries.6.4. Deploying the mutex.
In order to illustrate applicability of the rule in Proposi-tion 6.2, cs and cs will be instantiated by programs, each adding an element to a sharedset. Recall that the type of shared , local and local was left open, as it did not mat-ter for the actual mutual exclusion protocol. Now, however, we instantiate this type by int ñ bool , i.e. sets of integers. Then cs shall add 0 to shared , whereas cs – 1, suchthat the purpose of the mutual exclusion is to ensure that when the critical sections haveaccomplished their respective tasks, shared always contains both: 0 and 1.Formally, this is modelled by the definitions shared update def “ local : “ shared ; local : “ t u Y local ; shared : “ local shared update def “ local : “ shared ; local : “ t u Y local ; shared : “ local such that the property we want to establish is accordingly |ù t id , Ju mutex shared update shared update t P shared ^ P shared , Ju . This conjecture matches the conclusion of Proposition 6.2 by setting P , P to J and Q , Q to 0 P shared , P shared , respectively. To match its premises we first need to establish |ù t shared “ shared ^ local “ local , Ju shared update t P shared , G u where G is the following instance of G : flag “ flag ^ flag “ flag ^ turn “ turn ^ local “ local ^ turn aux “ turn aux ^ turn aux “ turn aux ^p P shared ÝÑ P shared q The most interesting part here is clearly the condition that 1 P shared implies 1 P shared , whose purpose was to ensure that shared update does not compromise what shared update is trying to accomplish. And indeed, it would be challenging to guaranteethis if shared update would, for instance, randomly remove elements from shared . Similarobservations can be made about the statement for shared update : |ù t shared “ shared ^ local “ local , Ju shared update t P shared , G u where G is the respective instance of G . Thus, the remaining obligations |ù shared update Ě r shared update |ù shared update Ě r shared update |ù shared update Ě r eqv shared update |ù shared update Ě r eqv shared update are concerned with program correspondences and amount to routine tasks since the criticalsections are ‘well-defined’: shared update and shared update neither modify nor depend on flag , flag , turn , turn aux or turn aux .7. State Relations as Postconditions
A closer look at Definition 5.1 and the final result of the previous section |ù t id , Ju mutex shared update shared update t P shared ^ P shared , Ju reveals that the postcondition 0 P shared ^ P shared gives us a property of the valuesof shared in all final states without any accounts to its initial values. So, for instance, shared could initially hold the value t u , but t , u and t , , u and the like would perfectlysatisfy the postcondition although each of the critical sections merely adds its entry to theshared resource. Would postconditions comprise state relations rather than predicates then shared Ď shared ^ P shared ^ P shared would be a significantly more accuratespecification of the mutex shared update shared update behaviours.The insight is surely not new, and [vS15] in particular addresses this point by meansof an elegant approach: having a single state σ in a precondition allows us to use its imageunder a state relation Q in place of a postcondition, i.e. ρ |ù t R, t σ uu p t Q ¨ t σ u , G u . In linewith that, instead of ρ |ù t R, P u p t Q, G u one considers a set of triples ρ |ù t R, t σ uu p t Q, G u for each σ P P : Proposition 7.1.
An extended triple ρ |ù t R, P u p t Q, G u holds iff ρ |ù t R, t σ uu p t Q, G u holds for any σ P P .Proof. A direct consequence of Definition 5.1.The only deficiency in specifying behaviours of some p ρ, p q by ρ |ù t R, t σ uu p t Q ¨t σ u , G u for all σ P P is that P remains a state predicate which creates a certain disbalance posingparticular challenges for the sequential composition. This motivates the following Definition 7.2.
Let p ρ, p q be a program, whereas R, P, Q, G – state relations. Then ρ |ù t R, P u p t Q, G u holds iff ρ |ù t R, P ¨ t σ uu p t Q ¨ t σ u , G u holds for any state σ .A remarkable effect of the definition is that each of the program logic rules from Section 5can seamlessly be lifted to ρ |ù t R, P u p t Q, G u , which largely amounts to consequent re-placement of relational images by relational compositions. This principle will be illustratedbelow by means of the program correspondence rule and the rule for basic . Proposition 7.3.
Assume ρ, ρ |ù p Ě r q , ρ |ù t R, P u p t Q, G u and (1) r ˛ R Ď R ˛ r , (2) P Ď P ˛ r , (3) Q ˛ r Ď Q , (4) r ˝ ˛ G ˛ r Ď G .Then ρ |ù t R , P u q t Q , G u . ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 31
Proof.
According to Definition 7.2 we have to show ρ |ù t R , P ¨ t σ uu q t Q ¨ t σ u , G u forany σ . Then consider the instance of Proposition 5.4 with P ¨ t σ u for P and Q ¨ t σ u for Q as well as P ¨ t σ u for P and Q ¨ t σ u for Q .First, ρ |ù t R, P ¨ t σ uu p t Q ¨ t σ u , G u follows immediately from the assumption ρ |ù t R, P u p t Q, G u by Definition 7.2. Next, the condition P ¨ t σ u Ď r ¨ p P ¨ t σ uq is thesame as P ¨ t σ u Ď p P ˛ r q ¨ t σ u and follows from (2). Similarly, r ¨ p Q ¨ t σ uq Ď Q ¨ t σ u isthe same as p Q ˛ r q ¨ t σ u Ď Q ¨ t σ u and follows from (3). Proposition 7.4.
Assume (1) P ˛ R Ď P , (2) P Ď tp σ, σ q | p σ, f σ q P Q ^ p σ , f σ q P G u .Then ρ |ù t R, P u basic f t Q, G u .Proof. We have to show ρ |ù t R, P ¨ t σ uu basic f t Q ¨ t σ u , G u for any σ . Then consider theinstance of Proposition 5.7 with P ¨ t σ u for P and Q ¨ t σ u for Q , such that the condition R ¨ p P ¨ t σ uq Ď P ¨ t σ u follows from (1) whereas P ¨ t σ u Ď t σ | f σ P Q ¨ t σ u ^ p σ, f σ q P G u – from (2).7.1. Abstracting code fragments.
The language L does not provide any specific built-inmechanism for abstraction of frequently used code fragments by means of a procedure, andthere are reasons for that. First of all, procedure is a high-level concept, and probablythe most distinct feature of structured programming. But just to stress it explicitly: anyprocedure call within a program ultimately amounts to certain series of low-level operationsand could therefore be prone to additional interferences. This was already mentioned inthe introduction, pointing out that compilations tend to fraction the granularity of com-putations. In other words, correct behaviour of each procedure call would be subject toa number of side conditions such as interference freedom during the phase of argumentsloading which, by the way, would also impose a specific structure on the underlying states,typically in form of stacks, violating the basic idea of state abstraction. Nonetheless, whatcan be avoided in this framework is that certain reusable fragments, whose input/outputproperties can be captured by postconditions, need to be verified at each invocation. Thefollowing small example illustrates that.Let inc def “ x : “ x ` |ù t x “ x , id u inc t x “ x ` , x ď x u (7.1)clearly holds. So, whenever the variable x needs to be incremented, we can apply inc anduse (7.1). For instance, we shall write inc ; inc rather than x : “ x ` x : “ x ` x twice, and consequently appeal to (7.1) twice in order to establish |ù t x “ x , id u inc ; inc t x “ x ` , x ď x u However, this treatment demands additional considerations since for the second invocationof inc we would be prompted to show |ù t x “ x , x “ x ` u inc t x “ x ` , x ď x u (7.2)which is not an immediate instance of (7.1), motivating the following Proposition 7.5.
Assume (1) ρ |ù t R, id u p t Q , G u , (2) P ˛ Q Ď Q .Then ρ |ù t R, P u p t Q, G u .Proof. We have to show ρ |ù t R, P ¨ t σ uu p t Q ¨ t σ u , G u for any σ . Using Proposition 7.1,this can be done by showing ρ |ù t R, t σ uu p t Q ¨ t σ u , G u for any state σ with p σ , σ q P P .To this end, note that ρ |ù t R, t σ uu p t Q ¨ t σ u , G u follows from (1), and consequently only Q ¨ t σ u Ď Q ¨ t σ u remains to be established. Assuming p σ, σ q P Q with some σ , we canfirst derive p σ , σ q P P ˛ Q , and then p σ , σ q P Q by (2).Thus, with (7.1) as (1) and p x “ x ` q ˛ p x “ x ` q Ď x “ x ` Case Study: Strengthening Critical Sections’ Specifications
In comparison to the development in Section 6, the only difference is that the parameters P , Q , P , Q , capturing the behaviours of critical sections, can now depend on values of shared in two states. So, for instance, the triple for thread aux cs ( cf. |ù t R , turn aux ^ P shared shared u thread aux cs t Q shared shared , R u where R now abbreviates the rely flag “ flag ^ turn aux “ turn aux ^ local “ local ^p turn aux ^ cond ÝÑ shared “ shared q ^p turn aux ^ turn aux ÝÑ turn q ^p turn aux ÝÑ turn “ turn q ^p turn aux ^ flag ÝÑ flag q ^p@ v. P v shared ÝÑ P v shared q ^ p@ v. Q v shared ÝÑ Q v shared q which deviates from Section 6 consequently only in the conditions ensuring that thread aux does not compromise what thread aux is trying to accomplish. More precisely, the condition @ v. P v shared ÝÑ P v shared is a part of the rely R , such that shared and shared refer here to the respective values in two consecutive states of any environment step, asopposed to, e.g. P shared shared in the precondition, where shared refers to some initialstate and shared – to a state before entering thread aux . Therefore, if thread aux makes astep from σ to σ then @ v. P v shared ÝÑ P v shared requires that any value σ shared ,which is linked to σ shared by P , will be linked to σ shared by P as well. Similar appliesto @ v. Q v shared ÝÑ Q v shared and the postcondition Q shared shared .Since these additional capabilities of P , Q , P , Q do not affect anything regardingthe actual process of acquiring exclusive access to the shared resource, the new statementfor mutex is almost the same as in Proposition 6.2, except that, for instance, P shared isreplaced by P shared shared in all preconditions, whereas the guarantee G changes to flag “ flag ^ flag “ flag ^ turn “ turn ^ local “ local ^ turn aux “ turn aux ^ turn aux “ turn aux ^p@ v. P v shared ÝÑ P v shared q ^ p@ v. Q v shared ÝÑ Q v shared q The actual benefit of these modifications becomes apparent when we instantiate cs , cs and the conditions P , Q , P , Q . Recall that in Section 6 we had |ù t id , Ju mutex shared update shared update t P shared ^ P shared , Ju ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 33 i.e. P , P were just J , Q was instantiated by 0 P shared , whereas Q – by 1 P shared .By contrast, now we can additionally take accounts of the property that shared update and shared update do not remove elements from the shared resource. To this end we instantiateboth, P and P , by shared Ď shared , Q – by shared Ď shared ^ P shared , whereas Q – by shared Ď shared ^ P shared . This yields the following statement |ù t id , shared Ď shared u mutex shared update shared update t shared Ď shared ^ P shared ^ P shared , Ju (8.1)such that for shared update we need to show |ù t shared “ shared ^ local “ local , shared Ď shared u shared update t shared Ď shared ^ P shared , G u (8.2)where G is accordingly flag “ flag ^ flag “ flag ^ turn “ turn ^ local “ local ^ turn aux “ turn aux ^ turn aux “ turn aux ^p@ v. v Ď shared ÝÑ v Ď shared qp@ v. p v Ď shared ^ P shared q ÝÑ p v Ď shared ^ P shared qq (8.3)Note once more that shared and shared serve different purposes in the rely and in the pre-and postcondition of (8.2). In the former, shared and shared refer to the values in twoconsecutive states of an environment step whereas in, e.g. shared Ď shared ^ P shared , shared refers to an input and shared – to an output value of cs . In this setting, bycontrast to Section 6 where critical sections did not have any specific preconditions, relyingon shared “ shared is essential as it provides stability for the precondition shared Ď shared , namely p shared Ď shared q ˛ p shared “ shared q Ď p shared Ď shared q . More-over, both guarantees @ v. v Ď shared ÝÑ v Ď shared and @ v. p v Ď shared ^ P shared q ÝÑ p v Ď shared ^ P shared q follow straight from the property that shared update only adds its entry to the sharedresource and, in particular, cannot remove 1 from shared whenever shared update hasadded it to shared first. All that symmetrically applies to shared update .Finally, we can strengthen the precondition of (8.1) to bring it into the form |ù t id , id u mutex shared update shared update t shared Ď shared ^ P shared ^ P shared , Ju That is, for any initial state, the value of shared in any final state not only contains 0 and1, but is also a superset of the value of shared in this initial state. Verifying Basic Liveness Properties
Liveness covers a variety of questions that is usually summarised by ‘will something goodeventually happen?’, answering which demands very involved considerations in many in-stances. Keeping it slightly down, we recast the above question to the current contextby restricting ‘something good’ to certain computations of a given program reach a statesatisfying some given predicate . Making this point clear, let p be the program while a ą do skip od ; b : “ True whereas p shall comprise the assignment a : “ certain computations of p k p , starting in a state σ P p a “ ^ b q , willeventually reach a state satisfying b . Intuitively, certain computations should address thelargest set for which the answer to the question is yes . More precisely, consider the followingpotential candidates:(1) v p k p w , i.e. all finite potential computations of p k p ;(2) v p k p w ω X E nv K , i.e. all infinite potential computations of p k p with no environmentsteps;(3) v p k p w ω X E nv id , i.e. all infinite potential computations of p k p in presence of a‘stuttering’ environment.With (1) the answer is no : v p k p w includes all prefixes, such as the initial configuration p p k p , σ q as the simplest instance. With (2) the answer is also no : we basically take intoconsideration all infinite actual computations of p k p , thereby ruling out those that reacha state satisfying b and terminate. The option (3) not only covers all relevant computationsreaching b , but also those with infinitely long runs of the ‘stuttering’ environment having b as an invariant, as well as with infinitely long runs of while a ą do skip od . Excludingthese would result in an adequate set of computations of p k p for which the answer tothe above question would be yes .These considerations ineluctably lead to the conclusion that some form of fairness amongthreads and the environment must be assumed in order to achieve rational reasoning aboutliveness properties, which is by no means a new insight: this subject is particularly well-explored in the contexts of process algebras and temporal logics ( cf. [vG19, KV96, KPRS01]to name only a few). Therefore, a notion of fairness for this framework will be elaboratednext.9.1. Fair computations.
The starting point is that any term in L α gives rise to a finite setof redexes , i.e. subprograms in different parallel components that can perform the next step.In the example above, p k p has two such redexes: p and p . We can identify redexesby their positions ( cf. [BN98] for positions of terms in general) which comprise strings overthe alphabet of natural numbers. That is, the function P os maps any element of L α to aset of strings over natural numbers, as defined by the following recursive equations using ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 35 pattern matching: P os skip “ H P os p skip ; q q “ t u P os p p ; q q “ t x | x P P os p u P os p k skip , . . . , skip q “ t u P os p k p , . . . , p m q “ Ť mi “ t ix | x P P os p i u P os p “ t u For instance, in the above example P os p p k p q yields t , u . Note that P os p containsmore than one element only if the parallel operator, applied to at least two argumentsdifferent from skip , occurs in p . In particular, any locally sequential p has at most one x P P os p .Functions, providing access to the subprogram associated with a position, satisfy theequations: p | “ p p p ; q q| x “ p | x p k p , . . . , p m q| ix “ p i | x such that p | x is well-defined for any x P P os p . Moreover, at any position x P P os p we cansubstitute some p , denoted by p r p s x : p r p s “ p p p ; q qr p s x “ p p r p s x q ; q p k p , . . . , p m qr p s ix “ k p , . . . , p i r p s x , . . . , p m such that the following proposition puts all that together. Proposition 9.1. ρ $ p p, σ q Ñ P p q, σ q holds iff there exist a position x P P os p and p suchthat ρ $ p p | x , σ q Ñ P p p , σ q and q “ p r p s x hold.Proof. The if-direction can be shown by induction on p , whereas the opposite – by structuralinduction on Ñ P .It is worth noting that x P P os p does not imply that for any state σ there exist some p and σ such that ρ $ p p | x , σ q Ñ P p p , σ q holds, which is due to certain await -statements.Firstly, p await C do p od , σ q would be blocked when σ R C . Secondly, p also does not needto terminate starting from σ otherwise. In other words, await C do p od is in general notalways available to perform a step, as opposed to any other redex. In order to simplifythe matter, in what follows the focus will be on positions that do not require some specificstates to perform a step. Definition 9.2.
A position x P P os p is always available if p | x “ await C do p od implies C “ J and for any σ there exists σ such that ρ $ p p , σ q ‹ Ñ P p skip , σ q holds.That is, if x P P os p is always available then for any σ there exist some p and σ suchthat ρ $ p p | x , σ q Ñ P p p , σ q as well as ρ $ p p, σ q Ñ P p p r p s x , σ q hold.Regarding fairness we should expect that whenever an always available position ispresent in a configuration then any fair computation starting from it eventually performs aprogram step at this position, which is captured formally as follows. Definition 9.3.
A computation sq P v p w ωρ is called fair if for any i P N and any alwaysavailable x P P os p P p sq i qq there exists j ě i with x P P os p P p sq j qq and P p sq j q| x “ P p sq i q| x ,and there exists p such that P p sq j ` q “ P p sq j qr p s x with ρ $ p P p sq j q| x , S p sq j qq Ñ P p p , S p sq j ` qq holds. This will be denoted by sq P v p w fair ρ .Note that the notion of fairness leaves open whether some await C do p od where C Ă J will ever be executed, for otherwise we would simply force fair computations to reach a statesatisfying C , which could easily and inconspicuously lead to vacuous liveness properties evenwhen K Ă C .As already mentioned, if p is locally sequential then there exists at most one x P P os p and, hence, at most one always available position. Therefore, assuming a program p ρ, p q to be sequential, sq P v p w fair ρ becomes equivalent to the following condition: sq P v p w ωρ and if x P P os p P p sq i qq is always available then there exists j ě i with a program step ρ $ sq j Ñ P sq j ` for any i and x . In other words, if P p sq i q can perform a program stepthat does not require some particular state condition then there cannot be only environmentsteps from sq i on.Lastly, we can sketch how fairness enables the liveness property in the above example.Any computation in v p k p w fair X E nv id starting with σ will eventually perform a : “ p k p , leaving 100 as the only available position. Thus,the states of all subsequent configurations will satisfy a “
0. Appealing to the fairnessonce more, the environment, prior to keep on ‘stuttering’ ad infinitum , will let the firstcomponent exit while a ą do skip od , assign True to b and terminate.9.2. A refutational approach.
To show that any computation in v p w fair X I n P X E nv id reaches a state satisfying some given condition Q , one can attempt to refute the opposite,namely that there exists a computation sq P v p w fair X I n P X E nv id having Q as an invariant.Let sq , P Ż p Ż Q denote the condition sq P v p w fair X I n P with S p sq n q R Q for all n P N .Further, let sq , T P Ż p Ż Q Ż n def “ sq , P Ż p Ż Q ^ P p sq n q “ skip ^ p@ m ă n. P p sq m q ‰ skip q sq , N P Ż p Ż Q def “ sq , P Ż p Ż Q ^ p@ n. P p sq n q ‰ skip q That is, sq , P Ż p Ż Q can be split in two exclusive cases: the condition sq , T P Ż p Ż Q Ż n additionally captures that sq reaches the first skip -configuration by n transitions, whereas sq , N P Ż p Ż Q – that sq does not reach a skip -configuration at all.Furthermore, note that sq , P Ż p Ż K is the same as sq P v p w fair X I n P , whereasrefuting sq , N P Ż p Ż K means that any computation in v p w fair X I n P eventually reaches a skip -configuration.In order to systematically draw conclusions about a computation sq from statementslike sq , N P Ż p Ż K , a set of rules for sq , N P Ż p Ż Q and sq , T P Ż p Ż Q Ż n , where p isa specific language constructor, will be presented in the remainder of this section. To startwith the simplest, the statement sq , N P Ż skip Ż Q is already a contradiction for any sq , P and Q , whereas from sq , T P Ż skip Ż Q Ż n we can infer n “
0, thus gaining an additionalpiece of information.Similarly to skip , sq , N P Ż basic f Ż Q immediately leads to a contradiction. However,fairness is required to this end, for otherwise sq could also comprise an infinite sequence ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 37 of environment steps. By contrast, without any fairness assumptions we can infer from sq , T P Ż basic f Ż Q Ż n that n ą sq n ´ “ p basic f, σ q and sq n “ p skip , f σ q must holdfor some σ . Since sq , T P Ż basic f Ż Q Ż n subsumes S p sq n q R Q , this might give a directargument for a contradiction.Next two propositions handle the cases with conditional and await -statements. Proposition 9.4.
The following implications hold: (1) if sq , N P Ż x p y Ż Q then there exists a state σ such that p does not terminate startingfrom this; (2) if sq , T P Ż await C do p od Ż Q Ż n then n ą , S p sq n ´ q P C and ρ $ p p, S p sq n ´ qq ‹ Ñ P p skip , S p sq n qq . Proof.
In (1) we appeal to fairness as follows. Assume that for all states σ there exists σ such that ρ $ p p, σ q ‹ Ñ P p skip , σ q . Then the position 0 in P p sq q , i.e. x p y , becomes alwaysavailable, and since sq is fair we obtain some j such that ρ $ px p y , S p sq j qq Ñ P p p , S p sq j ` qq holds. This implies p “ skip , contradicting the assumption that sq does not terminate.As with basic , fairness is not required for (2) such that we can handle any possible await -statement and not only atomic sections: from sq , T P Ż await C do p od Ż Q Ż n wecan infer that sq n is the first skip -configuration, such that n ą ρ $ p await C do p od , S p sq n ´ qq Ñ P p skip , S p sq n qq must hold, which implies S p sq n ´ q P C and ρ $ p p, S p sq n ´ qq ‹ Ñ P p skip , S p sq n qq . Proposition 9.5.
The following implications hold: (1) if sq , N P Ż if C then p else q fi Ż Q then there exists some n with n ą such that either n | sq , N C Ż p Ż Q or n | sq , N C Ż q Ż Q ; (2) if sq , T P Ż if C then p else q fi Ż Q Ż n then there exists some m with ă m ď n suchthat either m | sq , T C Ż p Ż Q Ż n ´ m or m | sq , T C Ż q Ż Q Ż n ´ m .Proof. In (1) the fairness assumption ensures that a step at the position 0 in P p sq q willeventually be performed. That is, there must be some n ą ρ $ sq n ´ Ñ P sq n and P p sq n ´ q “ if C then p else q fi . If S p sq n ´ q P C then P p sq n q “ p and S p sq n q “ S p sq n ´ q such that the suffix n | sq (a) starts in a state satisfying C ,(b) does not terminate and does not reach a state satisfying Q ,(c) last but not least, is fair as a suffix of a fair computation, i.e. n | sq P v p w fair .The case with S p sq n ´ q R C is entirely symmetric.In (2) sq , T P Ż if C then p else q fi Ż Q Ż n implies that there must be some i ă n with ρ $ sq i Ñ P sq i ` and P p sq i q “ if C then p else q fi . Thus, the suffix i ` | sq starts eitherwith P p sq i ` q “ p or with P p sq i ` q “ q and reaches the first skip -configuration in n ´ i ´ sq „ sq from now on denote that computations sq and sq run through the samestates, i.e. S p sq i q “ S p sq i q for any i P N . Proposition 9.6.
The following implications hold: (1) if sq , N P Ż p ; q Ż Q then there exists sq with sq „ sq and either sq , N P Ż p Ż Q orthere exist m and n such that m ă n , sq , T P Ż p Ż Q Ż m , and n | sq , N J Ż q Ż Q ; (2) if sq , T P Ż p ; q Ż Q Ż n then there exist sq , k, l such that k ă l ď n , sq „ sq ,sq , T P Ż p Ż Q Ż k and l | sq , T J Ż q Ż Q Ż n ´ l .Proof. In (1) we have a non-terminating sq P v p ; q w fair ρ . First, in case P p sq i q ‰ skip ; q holdsfor all i , we can conclude that for any i there is some u i such that P p sq i q “ u i ; q holds,and define sq i def “ p u i , S p sq i qq . Thus, we have sq „ sq by construction. Furthermore, sq is fair: let x P P os u i be an always available position with some i to this end. Then 0 x is an always available position of u i ; q . Hence, by fairness of sq we obtain some j ě i such that ρ $ p P p sq j q| x , S p sq j qq Ñ P p p , S p sq j ` qq holds with P p sq j ` q “ P p sq j qr p s x .This is the same as ρ $ p P p sq j q| x , S p sq j qq Ñ P p p , S p sq j ` qq with P p sq j ` q “ u j r p s x ; q , i.e. P p sq j ` q “ P p sq j qr p s x , establishing sq , N P Ż p Ż Q .Second, suppose there is some k such that P p sq k q “ skip ; q and let m be the least suchindex. Then we can define sq i def “ p u i , S p sq i qq for all i ď m , and sq i def “ p skip , S p sq i qq with sq i ´ Ñ E sq i for all i ą m , such that sq „ sq and sq , T P Ż p Ż Q Ż m hold by construction.Further, fairness of sq provides that starting from sq m we eventually reach some n ą m with P p sq n q “ q . Note that the state S p sq n q does not need to possess any property otherthan S p sq n q R Q , such that we can conclude n | sq , N J Ż q Ż Q .In (2) we assume that sq P v p ; q w fair ρ reaches skip in n steps. Hence, there also mustbe the least index k with P p sq k q “ skip ; q . Then for any i ď k there is some u i such that P p sq i q “ u i ; q . As above, we define sq i def “ p u i , S p sq i qq for all i ď k , and sq i def “ p skip , S p sq i qq with sq i ´ Ñ E sq i for all i ą k . Further, there must be some l with k ă l ď n and P p sq l q “ q ,for otherwise we would have P p sq n q ‰ skip . Thus, l | sq , T J Ż q Ż Q Ż n ´ l .For the sake of brevity, next proposition handles the cases for the parallel compositionof two components only. However, the same principle can be applied to k p , . . . , p m bysplitting it e.g. into p and k p , . . . , p m which would consequently lead to 2 m ´ Proposition 9.7.
The following implications hold: (1) if sq , N P Ż p k q Ż Q then there exist sq p with sq „ sq p and sq q with sq „ sq q suchthat either (a) sq p , N P Ż p Ż Q and sq q , N P Ż q Ż Q , or (b) sq p , N P Ż p Ż Q and there exists some n with sq q , T P Ż q Ż Q Ż n , or (c) sq q , N P Ż q Ż Q and there exists some n with sq p , T P Ż p Ż Q Ż n ; (2) if sq , T P Ż p k q Ż Q Ż n then there exist sq p with sq „ sq p , sq q with sq „ sq q , n ă n and n ă n such that sq p , T P Ż p Ż Q Ż n and sq q , T P Ż q Ż Q Ż n .Proof. In (1) we can assume that sq P v p k q w fair ρ does not terminate. First, note that ifthere would be some u, v, k, l with P p sq k q “ skip k v and P p sq l q “ u k skip then with m as the maximum of k and l we would have P p sq m q “ skip k skip . Furthermore, fairness of sq would provide some n ą m with P p sq n q “ skip , contradicting non-termination. Hence,we particularly have that for all i there are some u i and v i such that P p sq i q “ u i k v i .Then we can define sq pi def “ p u i , S p sq i qq such that sq pi Ñ P sq pi ` if sq i Ñ P sq i ` is due toa program step from u i to u i ` and sq pi Ñ E sq pi ` otherwise. This construction provides sq „ sq p . Regarding fairness of sq p , let x P P os u i be an always available position with some i . Then 1 x is an always available position of u i k v i , and by fairness of sq we obtain some j ě i such that ρ $ p P p sq j q| x , S p sq j qq Ñ P p p , S p sq j ` qq holds with P p sq j ` q “ P p sq j qr p s x .This is the same as ρ $ p P p sq pj q| x , S p sq j qq Ñ P p p , S p sq j ` qq with P p sq j ` q “ u j r p s x k v j ` , ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 39 i.e. P p sq pj ` q “ P p sq pj qr p s x . A computation sq q P v q w fair ρ with sq „ sq q can be constructedlikewise.Thus, if u i ‰ skip and v i ‰ skip hold for all i then sq p , N P Ż p Ż Q and sq q , N P Ż q Ż Q follow from the above construction. In case u i ‰ skip holds for all i but there is some j with v j “ skip , we have sq p , N P Ż p Ż Q and sq q , T P Ż q Ż Q Ż n where n is the least indexwith v n “ skip . The remaining case with v i ‰ skip for all i , and some j with u j “ skip issymmetric.In (2) we have P p sq n q “ skip with n ą u i and v i such that P p sq i q “ u i k v i holds for all i ă n . Since n is the least such index, P p sq n ´ q “ skip k skip must hold as well.Hence, there exists the least index n ă n with u n “ skip and the least index n ă n with v n “ skip . Then we can define sq p def “ p u i , S p sq i qq for all i ď n , and sq p def “ p skip , S p sq i qq with sq pi ´ Ñ E sq pi for all i ą n , such that sq „ sq p and sq p , T P Ż p Ż Q Ż n follow byconstruction. Finally, sq q can be defined likewise to derive sq q , T P Ż q Ż Q Ż n .Regarding while -statements, the case sq , T P Ż while C do p subsequently q od Ż Q Ż n does not entail that sq ever visits a state satisfying C . What we can infer is that there mustbe some i ă n with the step sq i Ñ P sq i ` such that P p sq i q “ while C do p subsequently q od , P p sq i ` q “ q and S p sq i q “ S p sq i ` q R C hold. That is, i ` | sq , T C Ż q Ż Q Ż n ´ i ´ sq , N P Ż while C do p subsequently q od Ż Q follows that sq visitscertain states satisfying C infinitely often, provided p and q terminate when starting from C and C , respectively. Proposition 9.8.
If sq , N P Ż while C do p subsequently q od Ż Q then either (1) there exists a strictly ascending infinite sequence of natural numbers φ such that for any i there exist n ă φ i ` ´ φ i and sq with φi | sq „ sq and sq , T C Ż p Ż Q Ż n , or (2) there exist n ą and sq such that n | sq „ sq and sq , N C Ż p Ż Q , or (3) there exists some n ą with n | sq , N C Ż q Ż Q .Proof. Let p while abbreviate while C do p subsequently q od and assume sq P v p while w fair ρ X I n P has Q as an invariant and does not reach a skip -configuration. Further, we will also assumethe respective negations of (2) and (3), which do not need to take accounts of Q :(a) for any sq P v p w fair ρ X I n C and n ą such that n | sq „ sq there exists some j with P p sq j q “ skip ,(b) for any n ą such that n | sq P v q w fair ρ X I n C there exists some j with P p sq n ` j q “ skip ,in order to establish (1). To this end, we first show that for any i such that ρ $ sq i Ñ P sq i ` with P p sq i q “ p while and S p sq i q P C there exists j ą i such that ρ $ sq j Ñ P sq j ` with P p sq j q “ p while and S p sq j q P C . Note that sq i ` “ p p ; skip ; p while , S p sq i qq and suppose thereis no k ą i with P p sq k q “ skip ; skip ; p while . Consequently, for all k ą i there is some u k such that P p sq k q “ u k ; skip ; p while holds, and we can define sq k def “ p u i ` k ` , S p sq i ` k ` qq forall k P N . Thus, sq P v p w fair ρ X I n C and i ` | sq „ sq such that (a) yields some j with P p sq j q “ skip , i.e. P p sq i ` j ` q “ skip ; skip ; p while , which is a contradiction.Then let k ą i with P p sq k q “ skip ; skip ; p while . Fairness of sq ensures that there arealso some l ą k with P p sq l q “ skip ; p while , and some m ą l with P p sq m q “ p while . Oncemore, since the position 0 of P p sq m q is always available, by fairness of sq we obtain some n ě m with ρ $ sq n Ñ P sq n ` and P p sq n q “ p while . In case S p sq n q P C we are done.Otherwise, we have sq n ` “ p q, S p sq n qq , Hence, n ` | sq P v q w fair ρ X I n C , such that (b) provides some j with P p sq n ` ` j q “ skip , contradicting the assumption that sq does notreach a skip -configuration.The intermediate result is a function ψ that sends each i P N with ρ $ sq i Ñ P sq i ` , P p sq i q “ p while and S p sq i q P C to ψ i ą i with ρ $ sq ψ i Ñ P sq ψ i ` , P p sq ψ i q “ p while and S p sq ψ i q P C . Furthermore, fairness of sq ensures that there exists some i with ρ $ sq i Ñ P sq i ` and P p sq i q “ p while . Note that S p sq i q P C must hold, for otherwise wewould have i ` | sq P v q w fair ρ X I n C and, hence, a contradiction due to (b) as above. Thenwe define a strictly ascending infinite sequence φ n by ψ n i ` i be an arbitrary natural number in the remainder of the proof. The definitionof φ induces P p sq φ i q “ p ; skip ; p while , S p sq φ i q P C and, moreover, P p sq φ i ` ´ q “ p while .Hence, there must be the least index n with φ i ď n ă φ i ` and P p sq n q “ skip ; skip ; p while .Furthermore, for any l with φ i ď l ď n there is some u l with P p sq l q “ u l ; skip ; p while suchthat we can define a computation sq by sq l def “ p u φ i ` l , S p sq φ i ` l qq for any l ď n ´ φ i , and sq l def “ p skip , S p sq φ i ` l qq with sq l ´ Ñ E sq l if l ą n ´ φ i . Thus, for sq we have φi | sq „ sq and sq , T C Ż p Ż Q Ż n ´ φ i .9.3. Program correspondence and fair computations.
Proposition 4.5 shows howfinite potential computations of a program can be replayed by computations of some corre-sponding program, and this statement can be extended to infinite potential computations.However, things get significantly more involved when attempting to do likewise with faircomputations. The major difficulty thereby is that apart from program correspondencethere also must be some kind of matching between positions of the configurations on thecorresponding computations. To sketch that, suppose p has the form k u , . . . , u m whereas q – k v , . . . , v m and we additionally have ρ, ρ |ù u i Ě r v i for all i P t , . . . , m u . Now, if q performs a program step which is due to a position ix with x P P os v i then it can bematched by a step of p in u i , based on some position x P P os u i . Intuitively, in this settingpositions of p and q can be matched componentwise and an exact definition for that will beelaborated below. Definition 9.9.
A program p ρ, p q is called locally non-blocking if for any await C do p od occurring in p we have C “ J and for any σ there exists σ such that ρ $ p p , σ q ‹ Ñ P p skip , σ q .Furthermore, p ρ, p q will be called non-blocking if it is locally non-blocking and for any label i P J umps p ρ, p q the program p ρ, ρ i q is locally non-blocking as well.In other words, p ρ, p q is locally non-blocking iff all x P P os p are always available. Notealso that as with sequential programs, if p ρ, p q is non-blocking then p ρ, p q is non-blockingfor any program step ρ $ p p, σ q Ñ P p p , σ q . Definition 9.10.
Any p and q will be called corresponding componentwise w.r.t. m, r, ρ, ρ if there exist p , . . . , p m and q , . . . , q m such that p “ k p , . . . , p m , q “ k q , . . . , q m , and(1) ρ, ρ |ù p i Ě r q i ,(2) p ρ, p i q is sequential,(3) p ρ , q i q is non-blockinghold for all i P t , . . . , m u .Moreover, in this setting we need to know which position in P os p has actually been ‘fired’by a program step ρ $ p p, σ q Ñ P p q, σ q . Proposition 9.1 does not provide unique existence ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 41 of such position due to the following technical complication. Consider jump i k jump j with ρ i “ jump i and ρ j “ jump j . Thus, ρ $ p jump i k jump j, σ q Ñ P p jump i k jump j, σ q is theonly possible program step for any σ , regardless which of the positions 10 or 20 we choose.This ambiguity poses a particular difficulty to replaying fair computations. Furthermore,it is worth noting that any computation sq P v jump i k jump j w ωρ X E nv K has the form p jump i k jump j, S p sq qq , p jump i k jump j, S p sq qq , . . . and within the framework one canneither prove nor disprove that sq is fair: this would require access to the informationwhich of the components has been chosen at any given step to apply the computational rule‘Parallel’ in Figure 1.Avoiding the ambiguity, only those retrieve functions ρ will be considered in the fol-lowing for which we have ρ i ‰ cjump C to i otherwise u end for any C, i and u . Withthis assumption, any transition ρ $ p p, σ q Ñ P p q, σ q entails a unique position x P P os p with ρ $ p p | x , σ q Ñ P p p , σ q and q “ p r p s x . Such x will be called the fired position of ρ $ p p, σ q Ñ P p q, σ q . Proposition 9.11.
Assume p “ k p , . . . , p m and q “ k q , . . . , q m correspond componentwisew.r.t. m, r, ρ, ρ , and sq q P v q w ωρ X E nv id . Further, let σ be a state with p σ, S p sq q qq P r . Thenthere exists a computation sq p P v p w ωρ X E nv id such that S p sq p q “ σ as well as the followingconditions hold for all i P N :(1) either P p sq pi q and P p sq qi q correspond componentwise w.r.t. m, r, ρ, ρ or both are skip , (2) p S p sq pi q , S p sq qi qq P r , (3) if i ą and we have ρ $ sq qi ´ Ñ P sq qi with the fired position jx where ď j ď m thenwe have the program step ρ $ sq pi ´ Ñ P sq pi which is due to the fired position jx withsome x .Proof. We show that any finite computation sq P v p w ρ X E nv id of length n that satisfiesthe conditions (1)–(3) for all i ă n can be extended to sq P v p w ρ X E nv id of length n ` i ď n . This way we can construct a computation sq p P v p w ωρ X E nv id by assigning p p, σ q to sq p first, so that for any n P N a configurationextending sq p , . . . , sq pn can be assigned to sq pn ` .Then assume sq P v p w ρ X E nv id satisfies the conditions (1)–(3) for all i ă n with n “ | sq | .Since sq q P E nv id , in case of an environment step sq qn ´ Ñ E sq qn we have sq qn “ sq qn ´ , suchthat we can extend sq by an environment step to sq , . . . , sq n ´ , sq n where sq n “ sq n ´ .Otherwise, we have a program step ρ $ sq qn ´ Ñ P sq qn , i.e. P p sq qn ´ q cannot be skip .Hence, P p sq n ´ q and P p sq qn ´ q must correspond componentwise w.r.t. m, r, ρ, ρ , such that P p sq n ´ q “ k u , . . . , u m and P p sq qn ´ q “ k v , . . . , v m particularly hold with some u , . . . , u m and v , . . . , v m .If sq qn ‰ skip then the transition ρ $ sq qn ´ Ñ P sq qn has the fired position of the form jx where 1 ď j ď m and x P P os v j , such that ρ $ p v j | x , S p sq qn ´ qq Ñ P p w, S p sq qb qq and P p sq qn q “ k v , . . . , v j r w s x , . . . , v m hold with some w . For the component v j we thus havethe program step ρ $ p v j , S p sq qn ´ qq Ñ P p v j r w s x , S p sq qn qq , and using the correspondence ρ, ρ |ù u j Ě r v j we obtain a step ρ $ p u j , S p sq n ´ qq Ñ P p u j , σ q with some u j and σ satisfying ρ, ρ |ù u j Ě r v j r w s x and p σ, S p sq qi qq P r . Hence, there must be a position x P P os u j andsome w such that ρ $ p u j | x , S p sq pn ´ qq Ñ P p w , σ q with u j “ u j r w s x holds. This furtherimplies the program step ρ $ p k u , . . . , u j , . . . , u m , S p sq n ´ qq Ñ P p k u , . . . , u j , . . . , u m , σ q ,such that we can extend sq to sq , . . . , sq n ´ , p k u , . . . , u j , . . . , u m , σ q with the fired position jx . Lastly, in case sq qn “ skip we have v j “ skip and u j “ skip for all j P t , . . . , m u , suchthat we can extend sq to sq , . . . , sq n ´ , p skip , S p sq n ´ qq .Next proposition shows that computations retain the fairness property when replayedas described above. Proposition 9.12.
Let sq p P v p w ωρ and sq q P v q w ωρ be computations satisfying the conditions (1)–(3) of Proposition for all i P N . Then sq p is fair whenever sq q is.Proof. Let i be a natural number and y – an always available position of P p sq pi q . Then bythe condition (1), P p sq pi q and P p sq qi q must correspond componentwise w.r.t. m, r, ρ, ρ , suchthat P p sq pi q “ k u , . . . , u m and P p sq qi q “ k v , . . . , v m particularly hold with some u , . . . , u m and v , . . . , v m .If y “ u k “ skip for all k P t , . . . , m u and, hence, v k “ skip for all k Pt , . . . , m u due to the componentwise correspondence. By fairness of sq q we obtain some j ě i with P p sq qj q “ k skip , . . . , skip and P p sq qj ` q “ skip . Thus, sq qj ` is the first skip -configurationon sq q and, consequently, sq pj ` must be the first skip -configuration on sq p . That is, P p sq pj q| “ P p sq pi q| “ k skip , . . . , skip as well as ρ $ p P p sq pj q| , S p sq pj qq Ñ P p skip , S p sq pj ` qq hold with P p sq pj ` q “ skip “ P p sq pj qr skip s .Next, assume y “ kx with some k P t , . . . , m u and x P P os u k . Then v k ‰ skip due to ρ, ρ |ù u k Ě r v k . Furthermore, since p ρ , v k q is locally non-blocking there must besome x P P os v k which is always available, i.e. kx is an always available position of sq qi and fairness of sq q provides some j ě i such that the following conditions hold for some v , . . . , v m :(a) P p sq qj q “ k v , . . . , v m ,(b) x P P os v k ,(c) ρ $ sq qj Ñ P sq qj ` has the fired position kx .Thus, we have sq pj “ k u , . . . , u m and the condition (3) of Proposition 9.11 provides some x P P os u k that has been fired by ρ $ sq pj Ñ P sq pj ` . Now, the position kx in sq pi couldhave been fired prior to j by some step ρ $ sq pl Ñ P sq pl ` with i ď l ă j . If this is thecase then we are done. Otherwise, kx remains available up to j and, moreover, we have P p sq pi q| kx “ P p sq pj q| kx . That is, we have x, x P P os u k , and since by the condition (1) ofProposition 9.11 u k is locally sequential, x must be equal to x .As a preparation to the next section, the following corollary explicitly states how ter-mination can be established by means of componentwise correspondence. Corollary 9.13.
Assume p “ k p , . . . , p m and q “ k q , . . . , q m correspond componentwisew.r.t. m, r, ρ, ρ and (1) P Ď r ¨ P , (2) for any computation sq P v p w fair ρ X E nv id X I n P there exists some i with P p sq i q “ skip .Then for any computation sq P v q w fair ρ X E nv id X I n P there exists some i with P p sq i q “ skip .Proof. Let sq q P v q w fair ρ X E nv id X I n P . Since (1) provides some σ P P with p σ, S p sq q qq P r ,from Proposition 9.11 we obtain a computation sq p P v p w ωρ X E nv id X I n P that is fair byProposition 9.12. Then from (2) follows that there must be some i with P p sq pi q “ skip , andwith ρ, ρ |ù P p sq pi q Ě r P p sq qi q we can conclude that P p sq qi q must be skip as well. ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 43
Case Study: Termination of Mutex
Recall the model of the Peterson’s mutual exclusion algorithm shown in Figure 2. The de-velopments in Section 6 and Section 8 have implicitly utilised its property that the threadscannot be simultaneously in their critical sections to show that some specified task will be ac-complished correctly upon termination. However, in this sense any other model that simplykeeps one of the threads from entering its critical section would exhibit the same propertyand deviate from mutex only regarding liveness. Therefore, the question of termination willbe addressed in this section, ultimately establishing correctness of mutex .Fairness is central to this end: it is not overly difficult to come up with a computationin v thread cs k thread cs w ω that does not terminate without any environment stepswhatsoever. For example, one may consider the following scenario: when both flag and flag have been set, thread also sets turn , enters its ‘busy waiting’ phase, and is busyto such an extent that it keeps thread from performing turn : “ False . This could goon perpetually, violating the fairness condition, though. Hence, the goal of this sectionshall be to establish that any computation in v thread cs k thread cs w fair X E nv id willeventually terminate, provided that cs and cs terminate. Also for this task the auxiliaryvariables turn aux and turn aux are essential, and once more we will consider the modelin Figure 3 first.According to the approach from the previous section, this goal can be achieved by arefutation of the statement D sq P E nv id . sq , N turn aux ^ turn aux Ż thread aux cs k thread aux cs Ż K Thus, for the remainder of this section, let sq i nit P E nv id be a fixed computation such that sq i nit , N turn aux ^ turn aux Ż thread aux cs k thread aux cs Ż K (10.1)Sketching a rough refutation plan for (10.1), application of the rule for the parallelcomposition (Proposition 9.7) would lead to the three cases: either both, thread aux and thread aux , do not terminate, or thread aux terminates but thread aux does not, or viceversa.In the first case with non-terminating thread aux and thread aux we can infer that flag ^ turn as well as flag ^ turn must hold infinitely often on sq i nit . In particular,this means that the value of turn alternates ad infinitum on sq i nit . Furthermore, from acertain point both, turn aux and turn aux , will hold perpetually. Then taking also intoaccount the mutex aux guarantee condition turn aux ^ turn aux ÝÑ turn “ turn ,from a certain point turn will remain constant, contradicting the previous conclusion that turn flips infinitely often.In the second case, termination of thread aux entails that at some point turn aux hasbeen set on sq i nit and, at some later point, flag has been reset. Thus, using the guarantees turn aux ÝÑ turn aux and turn aux ^ flag ÝÑ flag , we could infer that flag holds perpetually starting from the point where it has been reset. On the other hand, non-termination of thread aux entails that the condition flag ^ turn holds infinitely often.Altogether, this would yield the existence of a state where both, flag and flag , hold.To start rendering all that more accurately, consider the following extended Hoare triple,derivable using the program logic rules from Section 5: |ù ω t id , turn aux ^ turn aux u thread aux cs k thread aux cs tJ , G global u (10.2) provided |ù tJ , Ju cs tJ , G cs u and |ù tJ , Ju cs tJ , G cs u hold, where G cs abbreviatesthe guarantee condition turn aux “ turn aux ^ turn aux “ turn aux ^ flag “ flag ^ flag “ flag ^ turn “ turn which simply forces critical sections not to modify the auxiliary and the protocol variables.As opposed to Section 6, where guarantees of thread aux cs k thread aux cs remainedunspecified, in (10.2) G global stands for p turn aux ÝÑ turn aux q ^ p turn aux ÝÑ turn aux q ^p turn aux ^ flag ÝÑ flag q ^ p turn aux ^ flag ÝÑ flag q ^p turn aux ^ turn aux ÝÑ turn “ turn q and contains the rules which thread aux cs k thread aux cs follows when modifying theauxiliary and protocol variables. Now, sq i nit P P rog G global is the essential consequence of sq i nit P E nv id , (10.1) and (10.2), such that the property sq i nit P E nv id X P rog G global enablesthe following two propositions, where σ i denotes the state of the i -th configuration on sq i nit , i.e. S p sq i nit i q . Proposition 10.1.
Assume σ n turn aux and σ m turn aux . Then there exists some d such that σ i turn “ σ j turn holds for all i ě d and j ě d .Proof. Let d be the maximum of n and m . Due to the guarantees turn aux ÝÑ turn aux and turn aux ÝÑ turn aux we have σ i turn aux ^ σ i turn aux for all i ě d . Further-more, turn aux ^ turn aux ÝÑ turn “ turn implies σ i turn “ σ i ` turn for all i ě d ,which induces σ i turn “ σ j turn for all i ě d and j ě d . Proposition 10.2.
Assume σ m turn aux and σ n flag with m ď n . Then σ i turn aux and σ i flag hold for all i ě n .Proof. The assumption σ m turn aux and the guarantee turn aux ÝÑ turn aux induce σ i turn aux for all i ě m , and for all i ě n in particular. Then σ n flag and the guarantee turn aux ^ flag ÝÑ flag additionally induce σ i flag for all i ě n .Regarding critical sections, we will assume termination of cs and cs : each of thestatements sq , N P Ż cs Ż K (10.3)and sq , N P Ż cs Ż K (10.4)shall lead to a contradiction for any sq and P .With all these preparations we can advance to processing (10.1) by successive appli-cation of the rules from the previous section. In the first step, Proposition 9.7 yields twocomputations sq with sq i nit „ sq and sq with sq i nit „ sq such that either sq , N turn aux ^ turn aux Ż thread aux cs Ż K (10.5)and sq , N turn aux ^ turn aux Ż thread aux cs Ż K (10.6)or sq , T turn aux ^ turn aux Ż thread aux cs Ż K Ż n (10.7) ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 45 and sq , N turn aux ^ turn aux Ż thread aux cs Ż K (10.8)hold with some n . Note once more that the third case is symmetric to (10.7) and (10.8)and therefore not treated here.Processing (10.5) and (10.6) leads to several trivially refutable branches with statementssuch as sq , N turn aux ^ turn aux Ż flag : “ True Ż K , or sq , N J Ż x turn : “ True ; turn aux : “ True y Ż K for some sq and sq . Also notice that all of the subcases claiming terminating while -statements are similarly simply refutable since none of the subsequent code can be non-terminating due to (10.3) and (10.4). The remaining essential case comprises(a) some m , m with σ m turn aux and σ m turn aux ,(b) two strictly ascending sequences of natural numbers φ, ψ and some d ą m , d ą m such that σ φ i ` d flag ^ σ φ i ` d turn and σ ψ i ` d flag ^ σ ψ i ` d turn hold for all i P N ,where we continue to write σ i for the state of the i -th configuration on sq i nit . Then Propo-sition 10.1 and (a) imply that there exists some d with σ i turn “ σ j turn for all i, j ě d . Inparticular, we have σ φ d ` d turn “ σ ψ d ` d turn , since φ d ` d ě d and ψ d ` d ě d , whereas σ φ d ` d turn and σ ψ d ` d turn follow from (b).Next, backtracking to the case with (10.7) and (10.8), the termination assumption(10.7) provides σ n flag as well as some m ă n with σ m turn aux . Then Proposition 10.2yields σ i flag for all i ě n . On the other hand, (10.8) entails some strictly ascendingsequence φ and some d with σ φ i ` d flag ^ σ φ i ` d turn for all i P N . Thus, we can deriveboth, σ φ n ` d flag and σ φ n ` d flag , since φ n ` d ě n .The following proposition summarises what has been derived so far. Proposition 10.3.
Assume (1) |ù tJ , Ju cs tJ , G cs u , (2) |ù tJ , Ju cs tJ , G cs u , (3) sq , N P Ż cs Ż K leads to a contradiction for any sq and P , (4) sq , N P Ż cs Ż K leads to a contradiction for any sq and P .Then any sq P v thread aux cs k thread aux cs w fair X E nv id , additionally satisfying theinput condition I n p turn aux ^ turn aux q , eventually reaches a skip -configuration. Removing the auxiliaries.
As in the first part of the case study in Section 6, the ac-tual goal of this section is to prove liveness of the mutual exclusion model that does not makeuse of auxiliary variables, i.e. mutex shown in Figure 2. Consequently, the correspondences |ù thread aux cs Ě r eqv thread cs and |ù thread aux cs Ě r eqv thread cs , establishedin the proof of Proposition 6.2 can be reused to show that thread aux k thread aux corre-sponds componentwise to thread k thread since thread aux and thread aux are sequential,whereas thread and thread – non-blocking, provided cs and cs are both: sequential andnon-blocking. The proof of the following proposition utilises the componentwise correspon-dence. Proposition 10.4.
Assume (1) |ù tJ , Ju cs tJ , G cs u , (2) |ù tJ , Ju cs tJ , G cs u , (3) sq , N P Ż cs Ż K leads to a contradiction for any sq and P , (4) sq , N P Ż cs Ż K leads to a contradiction for any sq and P , (5) |ù cs Ě r eqv cs , (6) |ù cs Ě r eqv cs , (7) cs and cs are sequential and non-blocking.Then any sq P v thread cs k thread cs w fair X E nv id eventually reaches a skip -configuration.Proof. Using the assumptions (1)–(4), from Proposition 10.3 follows that any computation sq P v thread aux cs k thread aux cs w fair X E nv id X I n p turn aux ^ turn aux q eventu-ally reaches a skip -configuration. Thus, in order to apply Corollary 9.13 it remains to show J Ď r eqv ¨ p turn aux ^ turn aux q , i.e. for any σ there must be σ with σ turn aux , σ turn aux and p σ , σ q P r eqv . This state is σ r turn aux : “ False , turn aux : “ False s .Finally, instantiating critical sections cs and cs in Proposition 10.4 by shared update and shared update , defined in Section 6.4, leads to the conclusion that any computation sq P v mutex shared update shared update w fair X E nv id reaches a skip -configuration.11. Dividing Indivisible Steps
Program correspondences have been defined stepwise such that it is possible to establishconnections like |ù basic t Ě basic p t ˝ t q with some state transformers t , t , t , butimpossible to extend the chain to basic t ; basic t .Taking the particular perspective of the rely/guarantee program logic, one can explainthat by means of Proposition 5.4: the program correspondence rule would imply that anyproperty |ù t R, P u basic p t ˝ t q t Q, G u is also a property of basic t ; basic t if assuming |ù basic p t ˝ t q Ě basic t ; basic t . This cannot be the case in general, since basic t ; basic t could be subject to more interferences in first place. Moreover, that basic p t ˝ t q complieswith the guarantee G does not imply that basic t and basic t do, meaning that not onlyanything that might run in parallel to a thread containing basic p t ˝ t q can potentially affectits behaviours if basic p t ˝ t q becomes replaced by basic t ; basic t , but also behaviours ofanything that might run in parallel to the thread could be affected too. Nonetheless, quitefrequently many properties can be retained replacing some basic p g ˝ f q by basic f ; basic g across a program, and the goal of the section is, in principle, to give sufficient conditionsfor that.Regarding extended Hoare triples, an approach can be to focus on their derivationsfor sequential program components by means of the rules presented in Section 5. Moreprecisely, let $ seq t R, P u p t Q, G u be the smallest set that is closed under the rules ofSection 5, excluding the parallel composition rule (Proposition 5.8). As we want to keepthe focus on the essentials in this section, suppose that the program correspondence rule(Proposition 5.4) is omitted as well, with the sole aim to make the induction and the ruleinversion for $ seq t R, P u p t Q, G u simpler.This construction exhibits the following two key properties. First, any derivation $ seq t R, P u p t Q, G u , having $ seq t R , P u q t Q , G u as a subderivation, can be replayed with $ seq t R , P u q t Q , G u in place of $ seq t R , P u q t Q , G u , provided the latter implies theformer. This would yield a derivation of $ seq t R, P u p t Q, G u where p is obtained byreplacing q by q within p . Second, the rely R and the guarantee G remain fixed acrossany derivation of $ seq t R, P u p t Q, G u , unless an await -statement occurs in p . In such ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 47 cases, however, the rule for await (Proposition5.12) merely alters R and G to K and J ,respectively. Therefore, if we make global assumptions about R and G , which particularlyhold with K and J in place of R and G , then these would apply to any subderivation of $ seq t R, P u p t Q, G u . The conditions (1) and (2) in the following proposition, where f G denotes the graph of a function f , act as such global assumptions. Proposition 11.1.
Assume $ seq t R, P u basic p g ˝ f q t Q, G u and (1) f G ˛ R Ď R ˛ f G , (2) p σ, f σ q P G and p f σ, p g ˝ f q σ q P G for any state σ with p σ, p g ˝ f q σ q P G .Then $ seq t R, P u basic f ; basic g t Q, G u .Proof. Note that $ seq t R, P u basic p g ˝ f q t Q, G u implies(3) R ¨ P Ď P and(4) P Ď t σ | p g ˝ f q σ P Q ^ p σ, p g ˝ f q σ q P G u by inversion of the rule for basic (Proposition 5.7).As the first step, we show $ seq t R, P u basic f t f G ¨ P, G u . To this end, notice that p σ, f σ q P G holds for any σ P P , since for any such σ we can obtain p σ, p g ˝ f q σ q P G from (4), and then p σ, f σ q P G by (2). Thus, $ seq t R, P u basic f t f G ¨ P, G u follows fromProposition 5.7 and (3).Second, we show $ seq t R, f G ¨ P u basic g t Q, G u . In that case, however, in order toapply Proposition 5.7 we also need to establish the stability condition R ¨ p f G ¨ P q Ď f G ¨ P ,which holds since R ¨ p f G ¨ P q “ p f G ˛ R q ¨ P Ď by (1) p R ˛ f G q ¨ P “ f G ¨ p R ¨ P q Ď by (3) f G ¨ P .Furthermore, p f σ, p g ˝ f q σ q P G holds for any σ P P , since we first derive p σ, p g ˝ f q σ q P G from (4) and then p f σ, p g ˝ f q σ q P G from (2).Altogether, with f G ¨ P as S in the rule for the sequential composition (Proposition 5.10)we can infer $ seq t R, P u basic f ; basic g t Q, G u , since basic g ‰ skip .As a result, replacing any basic p g ˝ f q by basic f ; basic g across p yields a program p such that in any derivation $ seq t R, P u p t Q, G u we can also replace any subderivation $ seq t R, P u basic p g ˝ f q t Q , G u by $ seq t R, P u basic f ; basic g t Q , G u in order to obtain $ seq t R, P u p t Q, G u , provided R, G, f and g satisfy the conditions (1) and (2) of the abovestatement. Note that since we can infer |ù t R, P u p t Q, G u from $ seq t R, P u p t Q, G u but notthe other way around, in order to utilise this method, transformational developments wouldhave to focus on sequential components in separate first, and assemble these by means ofthe parallel composition only when all necessary splits have been done.Shifting now the attention to liveness properties, such splits can produce different effects.In the simplest situations when p does not contain any while - and await -statements and there-fore terminates on all inputs, any split in p will clearly retain this property. For instance,such situation was present in the previous section with shared update and shared update .Regardless which splits will be performed to obtain some shared update and shared update , e.g. the statement sq , N P Ż shared update Ż K would still lead to a contradiction for any sq and P .Generally, however, that sq , N P Ż p Ż K yields a contradiction for any sq does notneed to imply that sq , N P Ż p Ż K can be refuted as well. For instance, refutation of thestatement (10.1) in the previous section was in particular based on the guarantees G global derived via the extended Hoare triple (10.2). As described above, splitting some atomic stepin thread aux cs k thread aux cs does not need to retain the property (10.2). But without this argument, termination of the transformed model would, in turn, become questionable.12. Conclusion and Outlook
The paper gave a comprehensive presentation of a framework, built as a conservative exten-sion to the simply typed higher-order logic and geared towards modelling, verification andtransformation of concurrent imperative programs. The essential points were:- a concise computational model encompassing fine-grained interleaving, state abstractionand jumps;- stepwise program correspondence relations, in particular capturing program equivalenceand providing transformations to low-level representations;- a Hoare-style rely/guarantee program logic, independent from the type of the underlyingstates, and featuring the program correspondence rule as a generalised rule of consequence;- a light-weight extension of the logic to enable state relations in place of postconditions;- a notion of fair computations;- a refutational approach to verification of basic liveness properties using the fairness notion;- and, last but not least, conditions that enable splits of indivisible steps without loss ofprogram properties, complementing transformations by program correspondence.Many of the presented methods could be enhanced. This applies in first place to verificationof liveness properties. A challenging task would be to extend the notion of fairness towardsfairer treatment of await -statements in general and not only in the very special case ofatomic sections. As pointed out in Section 9.1, this would demand lots of care in order toavert inconspicuous reasoning with non-existent computations. The refutational approachcould also be further refined to address more sophisticated questions such as whether faircomputations not just reach certain states, but visit these infinitely often. Furthermore, theapproach could be enhanced towards more modularity as well as more advanced reasoningabout effects of atomicity splits, as sketched in the previous section.The case study described a verification process of a model of the Peterson’s mutualexclusion algorithm, featuring abstraction from the actual contents of critical sections. Itsurely did not aim at proclaiming correctness of something that is well-known to be correctanyway, but to illustrate how the framework can assist in proving properties of intricatemodels with interleaved computations. Apart from that, it also attempted to highlight thelogical principles behind the algorithm that achieves mutual exclusion and termination ina remarkable way without any restrictions on interleaving, save fairness, of course.What the case study might also have conveyed is how entangled the behaviours ofprograms running in parallel can become. And maybe a concept or a line of argumentation,presented in the course of the paper, could contribute to the development of provably safeand secure concurrent software systems.
References [Abr10] J-R. Abrial.
Modeling in Event-B: System and Software Engineering . Cambridge University Press,2010.[BN98] F. Baader and T. Nipkow.
Term Rewriting and All That . Cambridge University Press, 1998.
ODELLING, VERIFICATION AND TRANSFORMATION OF CONCURRENT PROGRAMS 49 [Gor91] M. J. C. Gordon. Introduction to the HOL system. In Myla Archer, Jeffrey J. Joyce, Karl N.Levitt, and Phillip J. Windley, editors,
Proceedings of the 1991 International Workshop on theHOL Theorem Proving System and its Applications, August 1991, Davis, California, USA , pages2–3. IEEE Computer Society, 1991.[Har09] J. Harrison. HOL light: An overview. In Stefan Berghofer, Tobias Nipkow, Christian Urban,and Makarius Wenzel, editors,
Theorem Proving in Higher Order Logics, 22nd InternationalConference, TPHOLs 2009, Munich, Germany, August 17-20, 2009. Proceedings , volume 5674 of
Lecture Notes in Computer Science , pages 60–66. Springer, 2009.[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming.
Commun. ACM , 12(10):576580,October 1969.[KPRS01] Y. Kesten, A. Pnueli, L. Raviv, and E. Shahar. Model checking with strong fairness. Technicalreport, ISR, 2001.[KV96] O. Kupferman and M. Y. Vardi. Verification of fair transition systems. In Rajeev Alur andThomas A. Henzinger, editors,
Computer Aided Verification , pages 372–382, Berlin, Heidelberg,1996. Springer Berlin Heidelberg.[Mil72] R. Milner. Implementation and applications of Scotts logic for computable functions.
SIGPLANNot. , 7(1):16, January 1972.[Mil84] R. Milner. The use of machines to assist in rigorous proof.
Philosophical Transactions of the RoyalSociety of London A: Mathematical, Physical and Engineering Sciences , 312(1522):411–422, 1984.[Nie03] L. P. Nieto. The rely-guarantee method in Isabelle/HOL. In Pierpaolo Degano, editor,
Program-ming Languages and Systems , pages 348–362, Berlin, Heidelberg, 2003. Springer Berlin Heidel-berg.[NPW02] T. Nipkow, L. Paulson, and M. Wenzel.
Isabelle/HOL — A Proof Assistant for Higher-OrderLogic , volume 2283 of
Lecture Notes in Computer Science . Springer, 2002.[OG76] S. Owicki and D. Gries. An axiomatic proof technique for parallel programs.
Acta Informatica ,6:319–340, 1976.[Pet81] G. L. Peterson. Myths about the mutual exclusion problem.
Information Processing Letters ,12(3):115 – 116, 1981.[Plo04] G. D. Plotkin. The origins of structural operational semantics.
The Journal of Logic and AlgebraicProgramming , 60-61:3 – 15, 2004. Structural Operational Semantics.[Rad11] Radio Technical Commission for Aeronautics (RTCA).
DO-178C: Software Considerations inAirborne Systems and Equipment Certification , 2011.[Sch06] N. Schirmer.
Verification of Sequential Imperative Programs in Isabelle/HOL . PhD thesis, Tech-nische Universit¨at M¨unchen, 2006.[Sti88] C. Stirling. A generalization of Owicki-Gries’s Hoare logic for a concurrent while language.
The-oretical Computer Science , 58(1):347 – 359, 1988.[vG19] R. van Glabbeek. Ensuring liveness properties of distributed systems: Open problems.
Journalof Logical and Algebraic Methods in Programming , 109:100480, 2019.[vS15] S. van Staden. On rely-guarantee reasoning. In Ralf Hinze and Janis Voigtl¨ander, editors,
Mathe-matics of Program Construction - 12th International Conference, MPC 2015, K¨onigswinter, Ger-many, June 29 - July 1, 2015. Proceedings , volume 9129 of
Lecture Notes in Computer Science ,pages 30–49. Springer, 2015.
This work is licensed under the Creative Commons Attribution License. To view a copy of thislicense, visit https://creativecommons.org/licenses/by/4.0/https://creativecommons.org/licenses/by/4.0/