Willem P. de Roever

A Principle for Sequential Reasoning about Distributed Algorithms

Designers of network algorithms often give elegant informal descriptions of the intuition behind their algorithms (see [GHS83, Hum83, MeS79, Seg82, Seg83, ZeS80]). Usually these descriptions are structured as if subtasks are performed one after the other. Although these subtasks are performed sequentially from a logical point of view, they are performed concurrently from an operational point of view. The current paper presents a principle for formally designing and verifying these kinds of algorithms. It is formulated in Manna and Pnueli’s linear time temporal logic [MaP83, MaP92]. This principle is applicable to large classes of algorithms, such as those for computing minimum-paths, connectivity, network flow, and minimum-weight spanning trees.

Predicates are predicate transformers: a unified compositional theory for concurrency

He Jifeng and Hoare’s [He Jifeng] approach to integrate theories for “program8 as predicates” and “programs as predicate transformers” in sequential setting i generalieed to a compositional verification theory for concurrency, using idea8 of Zwiers’ [Zwiers]. Due to the generality of the approach, a variety of parallel composition operators, based on shared variables, communication events, interleaving, maximal progress and the like, can be expressed as derived operations.

Formal Justification of the Rely-Guarantee Paradigm for Shared-Variable Concurrency: A Semantic Approach

This paper introduces a semantic analysis of th Rely-Guarantee (R-G) approach to the compositional verification of shared-variable concurrency. The main Contridution is a new completeness proof.

Modular Completeness: Integrating the Reuse of Specified Software in Top-down Program Development

Reuse of correctly specified software is crucial in bottomup program development. Compositional specification formalisms have been designed to reduce the specification of a syntactically composed construct to specifications of its components, and therefore support topdown development methodology. Thus, the integration of reuse of correctly specified software components in a compositional setting calls for adaptation of a given specification to specifications needed in particular circumstances (depending on their application). Proof systems in which such adaptation steps can be performed whenever they are valid are called modular complete [Z89]. We present a generic way of constructing such systems for sequential and concurrent Hoare logics.

Hoare-Style Compositional Proof Systems for Reactive Shared Variable Concurency

A new compositional logic for verifying safety properties of shared variable concurrency is presented, in which, in order to characterize infinite computations, a Hoare-style I/pre/post format is used where I expresses the communication interface, enabling the characterization of reactive programs. This logic relates to the Rely/Guarantee paradigm of Jones [11], in that Rely/Guarantee formulae can be expressed within our formalism. As novel feature we characterize prefixes of computations through so-called time-diagrams, a mapping from a discrete total wellfounded ordering to states, and combine these with action predicates (already introduced in old work of, e.g., Lamport) in order to obtain a compositional formalism. The use of time diagrams enables the expression of strongest postconditions and strongest invariants directly within the assertion language, instead of through encoding within the natural numbers. A proof of Dekkers mutual exclusion algorithm is given.

A Compositional Proof System for Shared Variable Concurrency

This paper presents a compositional proof system for shared variable concurrency. The proof system is based on an assertion language which describes a computation, i.e. a sequence of state-changes, in terms of a qualitive notion of time represented by a discrete total well-founded ordering.

Call-by-Value versus Call-by-Name: A proof-Theoretic Comparison

Minimal fixed point operators were introduced by Scott and De Bakker in order to describe the input-output behaviour of recursive procedures. As they considered recursive procedures acting upon a monolithic state only, i.e., procedures acting upon one variable, the problem remained open how to describe this input-output behaviour in the presence of an arbitrary number of components which as a parameter may be either called-by-value or called-by-name. More precisely, do we need different formalisms in order to describe the input-output behaviour of these procedures for different parameter mechanisms, or do we need different minimal fixed point operators within the same formalism, or do different parameter mechanisms give rise to different transformations, each subject to the same minimal fixed point operator? Using basepoint preserving relations over cartesian products of sets with unique basepoints, we provide a single formalism in which the different combinations of call-by-value and call-by-name are represented by different products of relations, and in which only one minimal fixed point operator is needed. Moreover this mathematical description is axiomatized, thus yielding a relational calculus for recursive procedures with a variety of possible parameter mechanisms.

Compositional Proof Methods for Concurrency: A Semantic Approach

This paper focusses on the mathematical theory of state-based reasoning about program constructs solely through specifications of their parts, without any reliance on their implementation mechanism. That is, the semantic foundations of compositional state-based reasoning about concurrency. The main advantages of a purely semantic approach are that: it highlights the very concept of compositional state-based reasoning about concurrency without any syntactic overhead, and it serves as a basis for the encoding of the program semantics and corresponding proof rules inside tools such as PVS which support program verification.

Synthesizing Different Development Paradigms: Combining Top-Down with Bottom-Up Reasoning About Distributed Systems

Our goal is the presentation of a uniform framework for compositional reasoning about the development of distributed processes and data structures. This framework should be a synthesis because, depending on the structure of the processes involved and the verification steps required, different formalisms are most suitable for carrying out ones reasoning. We illustrate this uniform framework by presenting a methodology for reasoning about refinement of distributed data structures, i.e., data structures implemented by means of distributed networks. Our synthesis is compositional, state-based, history-based, and contains sat style, Hoare style, trace-invariant reasoning and assumption/commitment style specifications as dialects. The resulting formalism can be unfolded as if it were a portable telescope, yielding the style required according to its degree of unfolding.

Towards a practitioners' approach to Abadi and Lamport's method

Our own basic intuitions are presented when introducing the method developed by Abadi and Lamport in [AbL88a] for proving refinement between specifications of nondeterministic programs correct to people unacquainted with it. The example we use to illustrate this method is a nontrivial communication protocol that provides a mechanism analogous to message passing between migrating processes within a fixed finite network of nodes due to Kleinman, Moscowitz, Pnueli and Shapiro [KMP91]. Especially the cruel last step of a three step refinement proof of that protocol gives rise to a deeper understanding of, and some small enhancements to, Abadi and Lamports 1988 method.