Hoare-Style Compositional Proof Systems for

Hoare-Style Compositional Proof Systems for Reactive Shared Variable Concurrency F.S. de Boer? 1 , U. Hannemann??2 and W.-P. de Roever??? 2 1

Utrecht University, Department of Computer Science, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands 2 Christian-Albrechts-Universitat zu Kiel, Institut fur Informatik und Praktische Mathematik II, Preusserstrasse 1-9, 24105 Kiel, Germany

Abstract. A new compositional logic for verifying safety properties of

shared variable concurrency is presented, in which, in order to characterize in nite computations, a Hoare-style I/pre/post format is used where I expresses the communication interface, enabling the characterization of reactive programs. This logic relates to the Rely/Guarantee paradigm of Jones [11], in that Rely/Guarantee formulae can be expressed within our formalism. As novel feature we characterize pre xes of computations through so-called time-diagrams, a mapping from a discrete total wellfounded ordering to states, and combine these with action predicates (already introduced in old work of, e.g., Lamport) in order to obtain a compositional formalism. The use of time diagrams enables the expression of strongest postconditions and strongest invariants directly within the assertion language, instead of through encoding within the natural numbers. A proof of Dekker's mutual exclusion algorithm is given.

1 Introduction This paper represents part of our research into the usefulness and the scope of possible approaches to compositional formalisms for shared variable concurrency. It serves as a foundation for the corresponding chapter in [16]. In 1965 E.W. Dijkstra introduced the parbegin statement for describing parallel composition between processes which communicate via shared variables. But it is only recently that the compositional and fully abstract semantics of shared variable concurrency has been studied in [4, 5]. On the other hand the rst complete logic for proving partial correctness properties of concurrent programs ? ?? ???

e-mail: [email protected] e-mail: [email protected] e-mail: [email protected]

appeared already in 1976 and was developed by S. Owicki and D. Gries in [21]. However,their proof method is not compositional in the sense that it does not allow a derivation of a correctness speci cation of a parallel program in terms of local speci cations of its components without reference to their internal structure. Consequently this proof method cannot be used to support top-down programdesign. Moreover, the relevance of a compositional reasoning pattern with respect to the complexity of (mechanically supported) correctness proofs of concurrent systems lies in the fact that the veri cation (in a compositional proof system) of the local components of a system can in most practical cases be mechanized fully (or at least to a very large extent). What remains is a proof that some logical combination of the speci cations of the components implies the desired speci cation of the entire system. This latter proof in general involves purely mathematical reasoning about the underlying data-structures and as such does not involve any reasoning about speci c control structures (see also [12] where the use of `mathematics' for speci cation and veri cation of concurrent programs is strongly advocated). This abstraction from the ow of control allows for a greater control of the complexity of correctness proofs. For the model of concurrency described by CSP, which is based on a synchronous communication mechanism, several (relatively) complete compositional proof methods have been introduced, e.g., in [6, 9, 15, 13, 18, 24, 26]. These proof methods formalize reasoning about synchronous communication in terms of a trace logic, a trace being a sequence of records of communications. For the parallel composition of processes it is important to notice that their speci cation should only refer to projections of the trace onto those communications that involve the process at hand. Interpreting shared variables as CSP-like processes, these methods inspired also proof methods for shared variables [19]. The rst compositional characterization of shared variable concurrency was called the Rely/Guarantee (R/G) method and was conceived by Jones [11]; for complete versions of this proof system consult [17, 22]. Again validity of a R/G speci cation of a process states that provided the environment satis es the rely condition R that process ful lls the guarantee condition G. The dierence with the so-called assumption/commitment (A/C) method [13] introduced by Misra and Chandy in 1981 being that validity of an A/C speci cation of a process S stipulates that C holds after each communication of S provided A holds after all communications before that particular one, whereas for any given so-called reactive sequence of a process, as described in [4, 5], the assumption R in the R/G method refers to all its environmental moves and the commitment G to all its process transitions in every pre x of the computation at hand. The A/C and R/G methods have in common that soundness of the network rules in both system can be proved by an inductive argument on the length of their computation sequence (respectively, traces or reactive sequences). The R/G method can be regarded as a compositional reformulation of the Owicki/Gries method as argued in [23] on the basis of a comparison of their respective completeness proofs, since both are based on the introduction of a special kind of auxiliary variables, namely the so-called history variables which record the sequence of state-changes, and both

proofs use the same style of strongest postcondition assertions. In [2] a compositional proof method is presented which formalizes reasoning about shared variable concurrency directly in terms of histories, i.e. they needn't be introduced through the addition of extra auxiliary variables. In other words, histories form an integral part of our programming logic, similarly as in the compositional proof method of [26] for CSP. In order to be able to describe parallel composition logically as conjunction we represent computation histories by time-diagrams as follows: Given a discrete total well-founded ordering which represents time abstractly, a program variable then is naturally viewed as a function from this abstract notion of time to the domain of values, a socalled time-diagram. Interpreting time-instances as possible interleaving points and introducing boolean variables (so-called action variables) which indicate for each time-instance whether the given process is active or not (these action variables are also used for the same purpose in[3]), we can describe logically the compositional semantics of [4, 5] in terms of time-diagrams. Thus we show in that paper that a compositional pre/post style reasoning about shared variable concurrency, apart from the given underlying data structures, involves reasoning about a discrete total well-founded ordering, the rst-order logic of which is decidable. Since the proof method presented in as described above only reasons about the input/output behaviour of concurrent systems, its applicability to reactive systems is limited. In this paper we extend the method above in order to reason about non-terminating computations. The speci cation style here incorporates additionally to the pre- and postconditions an invariant which is interpreted w.r.t. all computations of a process including in nite ones. These generalized correctness formulae are suited to reactive processes as the invariant can also be seen as an interface speci cation towards the environment that guarantees a certain behaviour. We demonstrate that R/G style proofs can be embedded in our proof method. On the other hand, there is still a not understood dierence between R/G and our time diagram based method in that until now nobody succeeded in extending the R/G method to real time, whereas for our approach this extension is only natural. The plan of the paper is as follows: In the next section we describe a programming language for shared variable concurrency. In Section 3 we introduce the assertion language and correctness speci cations and describe their semantics. The proof system is presented in Section 4. An example of a correctness proof of a mutual exclusion algorithm is presented in Section 5. Section 6 discusses an embedding of the Rely/Guarantee formalism.

2 Programming Language In this section we present a programming language for shared variable concurrency. Let Pvar be the set of program variables, with typical elements x; y; : : :. For ease of presentation we restrict to the domain of values consisting of the integers

and booleans only.

De nition1. In the grammar of the programming language below, boolean

expressions are denoted by b, whereas e denotes either an arithmetic or a boolean expression (we abstract from the syntactical structure of arithmetic and boolean expressions). S ::= b:x := e j S1 ; S2 j [ []ni=1bi ! Si ] j [ []ni=1bi ! Si ] j S1 k S2 The execution of the guarded assignment b:x := e corresponds with the execution of an await-statement of the form await b ! x := e: Namely, the execution b:x := e is suspended in case b evaluates to false. In case b evaluates to true control proceeeds immediately with the execution of the assignment x := e which is executed atomically. Thus the evaluation of the guard and the execution of the assignment cannot be interleaved. Sequential composition is denoted as usual by the semicolon. Execution of the choice construct [ []ni=1bi ! Si ] consists of the execution of Si for which the corresponding guard bi evaluates to true. The control point between the evaluation of bi and the subsequent execution of Si constitutes an interleaving point. The evaluation of a boolean guard itself is atomic. In case none of the boolean guards evaluate to true the execution of the choice construct suspends. The execution of the iterative construct [ []ni=1bi ! Si ] consists of the repeated execution of [ []ni=1bi ! Si ] until all the boolean guards are false. Parallel composition of the statements S1 and S2 is denoted by S1 k S2 . Its execution consists of an interleaving of the atomic actions, that is, the guarded assignments and the boolean guards of S1 and S2 . A program S in which all variables are local, i.e., no parallel environment refers to them, is called closed and will be denoted by [S].

3 The Mathematics of Shared-Variable Concurrency In the section we discuss the mathematical structures and corresponding logics needed to describe and reason about shared-variable concurrency in a compositional manner. Hence we must be able to distiguish between state changes performed by the process at hand and state changes caused by an environment [1]. In [4, 5] a compositional semantics for shared variable concurrency is introduced based on so-called reactive sequences. A reactive sequence is a sequence of pairs of states: h1; 10 i; h2; 20 i; : : :. A pair of states h; 0 i represents a computation step of the process which transforms the input state  into 0. A `gap' h10 ; 2i between two consecutive computation steps h1 ; 10 i and h2; 20 i represents the state-changes introduced by the environment. Parallel composition in this model is then described by interleaving of reactive sequences. In a full, closed, system

gaps have disappeared; then one only considers sequences which are connected, i.e., for which 10 = 2. In order to be able to describe parallel composition logically as conjunction we introduce a representation of reactive sequences as time-diagrams: Given a discrete total well-founded ordering which represents time, a program variable then is naturally viewed as a function from time to the domain of values, a socalled time-diagram. Interpreting time-instances as possible interleaving points and introducing boolean variables which change in time to indicate whether the given process is active or not, we can describe logically the compositional semantics of [4, 5] in terms of time-diagrams. Thus compositional reasoning about shared variable concurrency, apart from the underlying data structures, involves reasoning about a discrete total wellfounded ordering providing a very simple time-structure which is sucient for this purpose. In the context of mechanically supported program veri cation it is of interest here to note that the rst-order logic of discrete total well-founded orderings is decidable. Moreover it should be observed here that we have only a qualitative notion of time which is introduced in order to model interleaving of parallel processes and as such it should be distinguished from the notion of real time as studied in, e.g., [10]. Formally we de ne the (typed) assertion language for describing and reasoning about time-diagrams as follows. We assume given the standard types of the integers, denoted by int, and the type of booleans, denoted by bool. Furthermore we assume given the type of points in time, denoted by time. As introduced in the previous section, the set of program variables is given by Pvar. For each x 2 Pvar we have that x is either an integer or a boolean variable. We distinguish a set Avar  Pvar of boolean variables. Variables of Avar, with typical element a; : : :, will also be called action variables, since they will be used to indicate whether a given process is active or not. We assume that action variables do not occur in statements. The set of logical variables is denoted by Lvar (which is supposed to be disjoint from Pvar). A logical variable can be of any of the above given types int, bool or time. In the sequel we will use the symbols t; : : : both for denoting time variables and time-instances (i.e. the elements of a given time-domain T).

De nition2. We present the following main cases of a logical expression l. l ::= time j z j x(l) j t1  t2 jx1(l) = x2(l)j : : : with z 2 Lvar , x; x1; x2 2 Pvar , t1; t2 of type time. In the above de nition time is a constant of type time which is intended to denote the current time instant. The intended meaning of a logical expression x(l), where it is implicitly assumed that l is of type time, is the value of the program variable x at the time-instant denoted by l. The precedence relation in time is denoted by . More complex logical expressions can be constructed using the standard vocabulary of the integers and booleans.

De nition3. Next we de ne the syntax of an assertion p.

p ::= l j :p j p ^ q j 9z: p j 9a: p where l is of type bool, z 2 Lvar and a 2 Avar . Assertions are constructed from boolean logical expressions by means of the logical operations of negation, conjunction and (existential) quanti cation over logical variables and action variables. Note that we do not allow quanti cation of variables of Pvar n Avar , that is, the variables which may occur in statements. In order to describe formally the semantics of the assertion language we need the following de nitions. De nition4. Let Val denote the set of all possible values. The set of states , with typical element , is given by Pvar ! Val (assuming that a state maps integer variables to integers and boolean variables to booleans). De nition5. Given a discrete well-founded total ordering (T; ), a time-domain T for short, a time-diagram d is an element of D = T !fd , where T !fd  denotes the set of partial functions from T to  the domain of which is nonempty and downward-closed, i.e. if d(t) is de ned and t0  t then also d(t0) is de ned. While a state assigns values to the program variables, as usual, a timediagram describes the state-changes in time. The domain of a diagram d we denote by dom (d). If d is nite, we denote the last time instant of d by max(d). Although computations can be both nite and in nite, we only need to check the nite computations in verifying partial correctness and safety properties, because for any program if there is an in nite computation which is invalid, there is also an invalid nite computation. Therefore, if considering all the nite computations leads to validity, then also considering all the in nite computations leads to validity. Thus the de nition of max(d) is unambiguous as we restrict ourselves to the evaluation of assertions w.r.t nite time diagrams. Semantically assertions are evaluated with respect to a (time) diagram d 2 D = T !fd  and a logical environment e 2 Lvar ! Val . Formally we have the following truth-de nition. De nition6. Let  =v 0 , where v  Pvar , if for all x 2 v we have that (x) = 0 (x). This notion we lift to diagrams as follows: d =v d0 if dom (d) = dom (d0) and, in case both d(t) and d0 (t) are de ned, d(t) =v d0(t), for every t. The value of a logical expression l in a logical environment e and a diagram d, denoted by [ l]](e)(d), is de ned by a straightforward induction on l, for example, [ time ] (e)(d) = max (d) and [ x(l)]](e)(d) = d([[l]](e)(d))(x): The truth-value of an assertion p in a logical environment e and a diagram d, denoted by [ p]](e)(d) (or sometimes also by e; d j= p), is de ned by induction on p. We give the following cases:

{ For z 2 Lvar of type int or bool, we de ne [ 9z:p]](e)(d) if there exists a value v of a corresponding type such that [ p]](efv=z g)(d). { For z 2 Lvar of type time, we de ne [ 9z: p]](e)(d) if there exists a t 2 dom (d) such that [ p]](eft=z g)(d). { For a 2 Avar , we de ne [ 9a: p]](e)(d) if there exists a d0 such that d =v

d0, for v = Pvar n fag, and [ p]](e)(d0).Observe that this introduces in fact quanti cation over sequences of time-instances, i.e., a second order feature. Note that thus quanti cation over time is restricted to the domain of the given diagram. De nition7. A logical environment e and a time-diagram d are de ned to be consistent if e maps every time variable to an element of the domain of d. An assertion p is valid if for any discrete well-founded total ordering (T; ), we have that [ p]](e)(d), for any consistent e and d. For notational convenience we introduce the next-time operator l, where l is an expression of type time, and the strict precedence relation . Note that the next-time operator (like all the other standard temporal operators) and the strict precedence relation can be expressed 3. In order to describe logically progress in time we introduce the following substitution operation. De nition8. Given an assertion p and a time variable t, the assertion p[t=time] denotes the result of (the usual) replacement of (occurrences of) time in p by t and, additionally, the replacement of every subformula 9t0 : q (8t0: q) by the bounded quanti cation 9t0 (t0  t ^ q) (8t0 (t0  t ! q)). (Formulas of the form 9t0(t0  t ^ q) and 8t0(t0  t ! q) we will also denote by 9t0  t: q and 8t0  t: q, respectively.) For example, given an assertion p the passing of one time-unit we can describe by 9t(p[t=time ] ^ time = t). Observe that due to the introduction of bounded quanti cation the assertion p[t=time] thus refers to the time interval determined by t which by the substitution operation is initialized to the `old' value of time. This is formalized by the following substitution lemma.

Lemma 3.1

Let dt , with t a time-instance, denote the time-diagram d restricted to the set of time-instances preceding (and including) t. For any consistent logical environment e and time-diagram d, and assertion p we have e; d j= p[t=time] i e; de(t) j= p In [16] a compositional interleaving semantics of statements is presented which, given a time-domain (T; ), assigns to every statement S a meaning function M[[S]] 2 (T !fd ) ! P (T !fd ) 3

E.g., l = ~l with ~l satisfying 8l :l 0

0

> l

! ~ l

l

0

(the semantics M is a straightforward reformulation of the semantics introduced in [4]). The intuition is that d0 2 M[[S]](d) if d0 is an extension of d which consists of an interleaved terminating execution of S. The semantics M uses a xed action variable a to indicate the state-changes induced by the process itself. We then can de ne the truth of a partial correctness speci cation, denoted by j= fpgS fqg, formally in terms of the semantics M: j= fpgS fqg if we have that whenever [ p]](e)(d) evaluates to true and d0 2 M[[S]](d) then [ q]](e)(d0) evaluates to true as well. A proof system for partial correctness w.r.t. this semantics is presented in [2]. While this style of semantics describes the initial/ nal state transformation, we aim at an appropriate characterization of reactive processes, i.e., possibly non-terminating programs, which require observation of all intermediate states. Therefore we de ne a semantics M which contains all time diagrams which are a pre x of a (possibly in nite) computation. For example the semantics of an assignment b:x := e contains all those timediagrams which consist of a waiting period possibly followed by the actual assignment. De nition9. Generalized correctness speci cations (Invariant speci cations) are of the form I : fpg S fqg. j= I : fpg S fqg if, for all time diagrams d, whenever p holds in d and d0 2 M [ S]] (d) then (i) I holds in d0 , and (ii) if d0 2 M [ S]] (d) then q holds in d0. Note that the condition d0 2 M [ S]] (d) states that d0 is an extension of d which describes a terminating computation of S. We could have avoided this reference to our M semantics by introducing a fin predicate as termination ag of a process. The invariant I has to hold both in the initial state and the the nal state of a terminated computation since d is trivially a pre x of d and if d0 2 M [ S]] (d), then also d0 2 M [ S]] (d) holds.

4 The Proof System In this section we present a proof system for deriving partial correctness speci cations as introduced in the previous section. Within the proof system we frequently use predicate waitb (t; t0) denoting that a process waits between t and t0 to pass the guard b without succeeding. \Failed" test of the guard result in stuttering steps, i.e., all variables (denoted by x) keep their values. waitb (t; t0) def = 8t  ~t  t0 :((a(t~) ! :b(t~)) ^ (a(t~) ! x( t~) = x(t~))) The actual assignment at the moment t is characterized by

exec(b:x := e; y)(t) def = a(t) ^ b(t) ^ time = t ^ y(time) = y(t) ^ x(time) = e(t) Here y(time ) = yV(t)) (where y is a sequence of variables dierent from x) denotes the conjunction i yi (time ) = yi (t) (y = y1 ; : : :; yn ). A guarded assignment b:x := e is characterized w.r.t. a precondition p by the following axiom. Note that we abbreviate x := x by skip. Assignment axiom: Let y be a sequence of variables dierent from x. I : fpg b:x := e fqg where q  9t:((p ^ I)[t=time] ^ 9t0 :waitb(t; t0) ^ exec(b:x := e; y)(t0 ) and I  9t:p[t=time] ^ (9t0 :waitb(t; t0 ) ^ (t0 = time _ exec(b := e; y)(t0 ))) Due to the substitution of time by t in p, the (quanti ed) time variable t in the postcondition refers to the value of time before the execution of b:x := e. The idling period which represents possible interleavings of parallel processes (and stuttering steps) is given by the values of t and t0 . At time t0 the condition b evaluates to true, execution of b:x := e takes place and it takes one time-unit. While q coincides with the well-known characterization of the strongest postcondition of a standard assignment statement x := e in sequential programming ([8]), I can be interpreted as a strongest invariant w.r.t p and b:x := e, as used in completeness proofs for distributed message passing systems, e.g., in [25, 14]. The rules for the other statements are as usual.

Sequential rule:

I : fpgS1 frg; I : frgS2fqg I : fpgS1; S2 fqg

Choice rule: I : fpg bi :skip; Si fqg i = 1; : : :; n I : fpg[]ni=1bi ! Si fqg

Iteration rule:

I : fpg []ni=1bi ! Si fpg; I : fpg

V :b :skip fqg i i

I : fpg  []ni=1bi ! Si fqg Parallel composition is described as follows.

Parallel-rule:

I1 : fp1 gS1fq1g I2 : fp2gS2 fq2g I : fp1 ^ p2 ^ time = t0 gS1 k S2 f9a1 ; a2; t1; t2(q10 ^ q20 ^ n ^ act )g

where qi0 denotes the formula qi [ai; ti=a; time ], for i = 1; 2, n denotes the conjunction of the formulas time = max (t1 ; t2), 8t: ti  t  time ! :ai(t), i = 1; 2, and act denotes the formula 8t:t0  t  time ! :(a1 (t) ^ a2 (t)) ^ a(t) $ (a1 (t) _ a2(t)). Furthermore I denotes the formula 9a1 ; a2:I1[a1=a] ^ I2[a2=a] ^ act. The quanti ed action variables a1 and a2 in the postcondition of the conclusion of the above rule are introduced to distinguish the computation steps of S1 and S2 , respectively. The execution times of S1 and S2 are given by the time variables t1 and t2 , respectively. The initial time of the execution of the parallel composition of S1 and S2 is given by the time variable t0, which is initialized to the value of time in the precondition. The assertion 8t: t0  t  time : :(a1(t) ^ a2(t)) ^ a(t) $ (a1 (t) _ a2(t)) expresses that the execution of S1 k S2 consists of an interleaving of S1 and S2 . For actual reasoning about correctness formulae, the following adaptation rules are used: An invariance axiom which expresses that read-only variables are not changed: Invariance axiom : Let x be a read-only variable of S. 8t0  t  time : a(t) ! x(t) = x( t) : ft0 = time g S ftrueg We have a similar rule to express that local variables (in that sense that any environment has at most read access to them) are not changed outside of a process: Locality axiom : Let x be a local variable of S. 8t0  t  time : :a(t) ! x(t) = x( t) : ft0 = time g S ftrueg

Consequence rule:

I : fpg S fqg I ! I 0 ; p0 ! p; q ! q0 I 0 : fp0g S fq0g

Invariance introduction:

I : fpg S fqg I : fpg S fq ^ I g Reasoning about a statement under the assumption that it cannot be interleaved, i.e., about a closed system, can be axiomatized simply by the following rule.

Non-Interleaving rule:

I : fpg S fqg I ^ 8t:a(t) : fpg [S] fq ^ 8t:a(t)g The additional information in the conclusion of the above rule expresses that S is active at all times. Moreover we have the elimination rule and the the conjunction rule.

In [16] we prove soundness, i.e. every derivable correctness speci cation is valid, and completeness, i.e. every valid correctness speci cation is derivable, of the proof system w.r.t. the compositional semantics M . The completeness proof follows the lines of the general pattern introduced by Cook in [7]. It is based on the expressibility in the assertion language of the strongest postcondition and of the strongest invariant.

De nition10. For a given statement S and precondition p the strongest postcondition, denoted by SP (p; S), is de ned by fd j there exists d0 s.t. d0 j= p and d 2 M [ S]] (d0)g; and the strongest invariant, denoted by SInv(p; S) is de ned by fd j there exists d0 s.t. d0 j= p and d 2 M [ S]] (d0)g; (we assume that p does not contain free logical variables, therefore reference to a logical environment is omitted). It is worthwhile to remark here that we can express both the strongest postcondition and the strongest invariant in the assertion language directly, that is, we do not need the usual coding techniques (see [20]); this constitutes the main advantage of our axiomatization based on time diagrams.

5 Example: Proving a Mutual Exclusion Property This proof style is suited to prove safety properties, e.g., mutual exclusion of concurrent processes. As an example for this type of algorithm we prove the mutual exclusion property for Dekker's well-known algorithm. The algorithm consists of two symmetrical processes P1 and P2 that use boolean variables reqi to establish that Pi requests access to its critical section and a variable turn to report which process may be in its critical section. Pi :  [ true ! < noncriticali > ; reqi := true;  [ reqj ! [ turn = j ! reqi := false ;  [ turn = j ! skip ]; reqi := true ] ]; cflagi := true; < critical1 >; cflagi := false; reqi := false; turn := j ]

for i; j 2 f1; 2g; i 6= j. We introduce local booleans cflagi to indicate when Pi is in its critical section. These processes do not terminate, thus the postcondition of their parallel composition will turn out to be false. The fact that the processes never reach their critical regions simultaneously is expressed by the invariant :(cflag1 ^ cflag2 ). When we start executing the program we assume that no process is in its critical region and none of them has already requested this. Furthermore we regard the program in isolation, i.e., we assume that no other process exists which changes any variable occurring in our program. The correctness formula to be proved is: :(cflag1 ^ cflag2 ) : f:req1 ^ :req2 ^ :cflag1 ^ :cflag2 g [P1kP2] ffalseg.

5.1 Local Proof We will rst consider the processes in isolation, constructing a speci cation from the proof system and then in a second step examine their parallel composition. We assume that both statements called criticali and noncriticali do not refer to the variables req1; req2; turn; cflag1 and cflag2 . Since the processes are symmetrical, we can restrict our local proof w.l.o.g. to P1. P1 essentially is an in nitely often executed loop construct. The following formulae are used frequently in this proof, we de ne the following abbreviations : rely1 def = (8t  time::a(t) ! req1(t) = req1( t) ^ cflag1 (t) = cflag1 ( t)) rely1 formulates the assumption that req1 and cflag1 are local variables of P1. guar1 def = (cflag1 (time) ! ((9t; t0::cflag1 (t) ^ req1(t) ^ :req2(t) ^ wait(t; t0 ) ^ a(t0 ) ^ cflag1 ( t0)) ^8t0  t~  time:a(t~) ! (req1 (t~) = req1 ( t~) ^ cflag1 (t~) = cflag1 ( t~)))) As we will see, the guar1 predicate excludes all possible computations that could violate the mutual exclusion property. inv1 def = (8t  time:a(t) ! (req2 (t) = req2 ( t))) Since req2 is a read-only variable of P1, we can guarantee that it is not changed by P1. De ne the invariant I1 def = (rely1 ! guar1) ^ inv1 , claiming that as long as the environment does not change req1, P1 guarantees that the critical section is entered only if :cflag1 ^ req1 ^ :req2 held before. Furthermore, inv1 states that P1 does not change the value of the read-only variable req2 . We want to prove that I1 : f:req1 ^ :cflag1 g P1 ffalseg Applying the Loop rule, the \desired" postcondition of the loop, false, is obtained trivially since the outer loop's guard is identically true.

We have to check each assignment statement with respect to this invariant. First of all I1 : f(rely1 ! (:cflag1 (time) ^ :req1(time))) ^ I1 g noncritical1 frely1 ! (:cflag1 (time):req1 (time))g is established mainly using the invariance axiom, since neither cflag1 nor req1 occur in noncritical1 , and the consequence rule. Similarly we can prove I1 : frely1 ! (:cflag1 (time) ^ :req1(time)) ^ I1 g req1 := true frely1 ! (:cflag1 (time) ^ req1(time))g with the assignment axiom and the consequence rule.We omit here the details of the derivation of the correctness formula for the inner loop abbreviated by inloop1 : inloop1 def =  [ req2 ! [ turn = 2 ! req1 := false ;  [ turn = 2 ! skip ]; req1 := true ] ]; which satis es the correctness formula I1 : f(rely1 ! (req1(time) ^ :cflag1 (time))) ^ I1 g inloop1 f(9t; t0:((8t0  ~t  t:rely1 [t~=time] ! req1(t) ^ :cflag1 (t)) ^ wait(t; t0) ^ a(t0 ) ^ :req2(t0 ) ^ time = (t0) ^ req1 (time) = req1 (t0) ^ cflag1 (time) = cflag1 (t0)))g using rely1 ! (req1 (time) ^:cflag1 (time)) as loop invariant. The postcondition above implies (rely1 ! (:cflag1 (time) ^ req1(time) ^ :req2(time))): The remaining assignments and critical1 are treated similarly as the assignment and noncritical1 above; we obtain formulae for these with the common invariant I1 and pre- and postconditions s.t. the postcondition of a statement can be adapted to the precondition of the following statement, e.g., by the Invariance introduction rule. Then we apply the sequential composition rule and derive the following formula for the outer loop body P10 : I1 : frely1 ! (:cflag1 (time) ^ :req1(time))g P10 frely1 ! (:cflag1 (time) ^ :req1(time))g for P1  P10 , hence another application of the consequence rule and the loop rule as indicated before leads to the desired correctness formula for P1 .

5.2 Parallel Composition Given the two local proofs of P1 and P2 respectively, we clearly see that the intended precondition is the conjunction of the local preconditions , and that the postcondition is false. Our main focus here is the mutual exclusion property of the critical sections of the processes, formalized by the requirement 8t::(cflag1 (t) ^ cflag2 (t)). First we realize that cflagi is local to Pi, hence the Locality rule allows to establish loci ^ I as invariant of Pi , where loci def = 8t  time::ai (t) ! cflagi (t) = cflagi ( t). Now the parallel composition rule leads to the following invariant for the cooperating processes: I1 ^ I2 ^ 8t::(a1(t) ^ a2 (t)) ^ (a(t) $ (a1 (t) _ a2 (t))) ^ loc1 ^ loc2 Since we are only interested in the cooperation of P1 and P2 we restrict ourselves to the cases where no outside interference has to be regarded - all process variables (including those of the critical sections) are changed only within these two processes. Thus the application of the Non-interleaving rule together with the invariant above implies guar1 ^ guar2 ^ inv1 ^ inv2 ^ (8t::(a1(t) ^ a2(t)) ^ (a1(t) _ a2(t))); since invj ^ locj = relyi under the assumption par, i 6= j, i; j 2 f1; 2g. Next we assume that cflag1 (time) ^ cflag2 (time) holds during the execution of P and show that this assumption together with the formula above yields false, thus proving the requested property. Now cflag1 (time) ^ cflag2 (time) and the formula above imply the following expression: 9t1 :req1(t1 ) ^ :req2(t1 ) ^ 8t1  t  time:req1 (t) = req1( t)

^ 9t3 :req2(t3 ) ^ :req1(t3 ) ^ 8t3  t  time:req2 (t) = req2( t);

and using that although T is a total order,

{ t 6= t , since this contradicts req (t ) ^ :req (t ), { t 6 t , as the above implies that req (t ) ^ 8t 1 1

{

3

1

3

:req1(t3 ). Contradiction, t3 6 t1 for a symmetrical reason,

1

1

1

1

3

1



t



time:req1 (t) ^

we obtain a contradiction. Thus, :(cflag1 (time) ^ cflag2 (time)) is a conclusion from our invariant and we succeeded proving the mutual exclusion property by establishing the formula (:(cflag1 ^ cflag2 )) : f:req1 ^ :req2 ^ :cflag1 ^ :cflag2 g [P1kP2] ffalseg:

6 Embedding the rely and guarantee formalism In the Rely/Guarantee formalism [11, 17, 22] a speci cation is split up into four parts. There exist two assumptions on the environment: a precondition pre characterizing the initial state and a rely condition on state pairs that characterizes a relation any transition from the environment is supposed to satisfy. These assumptions describe conditions under which the program is used. The expected behavior of the program when used under these conditions consists of a postcondition post on the nal state of the program in case it terminates, and a guarantee predicate guar which characterizes a relation any transition performed by the program itself should satisfy. Formally, P sat (pre; rely; guar; post) denotes that program P satis es the speci cation quadruple if for all computations  of P , whenever  starts in a state which satis es pre, and any environment transition in  satis es rely, then any component transition in  satis es guar and if  terminates, its nal state satis es post. Now we can embed the R/G formalism into our (generalized) system in the following way. First note that the pre- and postcondition of the R/G formalism correspond to a restricted kind of pre- and postcondition in our system, namely, we have only to `time' them: pre (time ) and post (time ) denote the formulas obtained from pre and post by replacing every occurrence of a program variable x by x(time ). Using the action variable a to indicate the environmental steps by requiring :a and the steps of the process itself by a , the rely and guar part of a R/G speci cation then corresponds with the following invariant I: 8t:t0  t:(:a(t) ! rely(x(t); x( t))) ! 8t:t0  t:(a(t) ! guar(x(t); x( t))) Hence we can express a R/G formula within our system as follows: P sat (pre; rely; guar; post) def

,

I : fpre(time ) ^ time = t0 g P fpost(time )g

7 Final Remarks In the case of distributed communication for any give fully abstract model basically four dierent compositional logics exist, which are intertranslatable [26, 14]; these are the sat - style, pre/post - style, I/pre/post - style and Assumption/Commitment logics. For shared variable concurrency only one such logic is known, that of Jones [11] based on the Rely/Guarantee (R/G) paradigm. There are several problems with the resulting proof methods, e.g., correctness proofs for mutual exclusion algorithms turn out rather dicult to give. By introducing the concept of time diagrams we were able to give such a compositional logic for real - time shared variable concurrency. In the present paper we extended a Hoare style formalism [2] to a compositional Hoare - style I/pre/post logic for reactive systems communicating through shared variables. We additionally embedded the R/G formalism within this logic

as another step towards a similar mutual intertranslatable system of proof styles for shared variable concurrency as needed for the compositional veri cation of reactive systems.

Acknowledgements The authors would like to thank Qiwen Xu for his helpful comments on various versions of this manuscript.

References 1. P. Aczel. On an inference rule for parallel composition. unpublished note, 1993. 2. F.S. de Boer, U. Hannemann and W.-P. de Roever. A compositional proof system for shared variable concurrency. to appear at FME '97, LNCS, 1997. 3. H. Barringer, R. Kuiper, and A. Pnueli. Now you may compose temporal logic speci cations. In 16th ACM symposium on Theory of Computation, pages 51{63, 1984. 4. F.S. de Boer, J.N. Kok, C. Palamidessi, and J.J.M.M. Rutten. The failure of failures: Towards a paradigm for asynchronous communication. In Proceedings of Concur '91, Lecture Notes in Computer Science, Vol. 527, pages 111{126, 1991. 5. S. Brookes. A fully abstract semantics of a shared variable parallel language. In Proceedings 8th Annual IEEE Symposium on Logic in Computer Science, IEEE Computer Society Press, pages 98{109, 1993. 6. S.D. Brookes, C.A.R. Hoare and A.W. Roscoe. A Theory of Communicating Sequential Processes. JACM 31(7), pp. 560 { 599, 1984. 7. S.A. Cook. Soundness and completeness of an axiom system for program veri cation. In SIAM J. on Computing 7, pp. 70-90, 1978. 8. R.W. Floyd. Assigning meaning to Programs. Mathematical Aspects of Computer Science XIX, American Mathematical Society, 1967. 9. E.C.R. Hehner, C.A.R. Hoare. A more complete model of Communicating Processes. TCS 26, pp. 134 { 120 , 1983. 10. J. Hooman. Speci cation and compositional veri cation of real-time systems. Lecture Notes in Computer Science, Vol. 558, 1992. 11. C.B. Jones. Development methods for computer programs including a notion of interference. PhD thesis, Oxford University Computing Laboratory, 1981. 12. L. Lamport. Veri cation and speci cation of concurrent programs. In A Decade of Concurrency (eds. J.W de Bakker, W.-P. de Roever and G. Rozenberg), Lecture Notes in Computer Science, Vol. 803, 1993. 13. J. Misra and K.M. Chandy. Proofs of networks of processes. IEEE Transactions on Software Engeneering, 7(7):417{426, 1981. 14. P. Pandya: Compositional Veri cation of Distributed Programs. Ph. D. Thesis, University of Bombay, 1988. 15. P. Pandya and M. Joseph: P-A logic { a compositional proof system for distributed programs. Distributed Computing, Vol. 5, pp. 37 { 54, 1991. 16. W.-P. de Roever, F.S. de Boer, U. Hannemann, J. Hooman, Y. Lakhnech, P. Pandya, M. Poel, H. Schepers, Q. Xu and J. Zwiers. State-Based Proof Theory of Concurrency: from Noncompositional to Compositional Methods. to appear 1998.

17. K. Stlen. Development of Parallel Programs on Shared Data-structures. PhD thesis, Computer Science Department, Manchester University, 1990. 18. N. Sounderarajan. Axiomatic semantics of communicating sequential processes. TOPLAS, 6:647{662, 1984. 19. N. Sounderarajan. A proof technique for parallel programs. Theoretical Computer Science, Vol. 31, pp. 13{29, 1984. 20. J.V. Tucker and J.I. Zucker. Program correctness over abstract data types, with error-state semantics. In CWI Monograph Series, vol. 6, Centre for Mathematics and Computer Science/North-Holland, 1988. 21. S. Owicki and D. Gries. An axiomatic proof technique for parallel programs. In Acta Informatika, 6:319-340, 1976. 22. Q. Xu. A theory of state -based parallel programming. PhD thesis, Oxford University Computing Laboratory, 1992. 23. Q. Xu, W.-P. de Roever and J. He. Rely- guarantee method for verifying shared variable concurrent programs. Formal Aspects of Computing 1997 (To appear). 24. C.C. Zhou and C.A.R. Hoare. Partial Correctness of CSP. Proc. IEEE Int. Conf. on Distributed Computer Systems, pp. 1{ 12, 1981. 25. J. Zwiers, W.-P. de Roever and P. van Emde Boas: Compositionality and concurrent networks: soundness and completeness of a proofsystem. Technical Report 57, University of Nijmegen, The Netherland s, 1984. 26. J. Zwiers. Compositionality, Concurrency, and Partial Correctness. Lecture Notes in Computer Science, Vol.321, Springer-Verlag, 1989.

This article was processed using the LATEX macro package with LLNCS style