How to reason with Strong-fairness and No-fairness

Similar documents
Design of Distributed Systems Melinda Tóth, Zoltán Horváth

A walk over the shortest path: Dijkstra s Algorithm viewed as fixed-point computation

A Temporal Logic of Actions. Leslie Lamport April 1, 1990

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Verifying Properties of Parallel Programs: An Axiomatic Approach

Program Composition in Isabelle/UNITY

arxiv: v1 [cs.pl] 5 Apr 2017

Decomposing Specifications of Concurrent Systems

Chapter 4. Progress. Jayadev Misra 1. Department of Computer Sciences. The University of Texas at Austin. Austin, Texas (512)

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Floyd-Hoare Style Program Verification

The Underlying Semantics of Transition Systems

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Trace Semantics for the Owicki-Gries Theory Integrated with the Progress Logic from UNITY

Extending the theory of Owicki and Gries with a logic of progress

Knuth-Morris-Pratt Algorithm

Loosely-Coupled Processes

Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004

Programming Languages and Compilers (CS 421)

On the Impossibility of Certain Ranking Functions

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

A Theory for Composing Distributed Components, Based on Temporary Interference

String Matching. Jayadev Misra The University of Texas at Austin December 5, 2003

Probabilistic Guarded Commands Mechanized in HOL

S = {x 1 2 _< x n, x prime} for any given n 2. (2.1)

Laws of Parallel Synchronised Termination

Guarded resolution for Answer Set Programming

Footnotes to Linear Algebra (MA 540 fall 2013), T. Goodwillie, Bases

Revising Distributed UNITY Programs is NP-Complete

Atomic m-register operations

Hoare Logic and Model Checking

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Specifying and Verifying Conditional Progress

Verification Frameworks and Hoare Logic

Proving Liveness Properties of Concurrent Programs

Temporal Logic of Actions

This is logically equivalent to the conjunction of the positive assertion Minimal Arithmetic and Representability

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Hoare Calculus and Predicate Transformers

Diagnosis of Repeated/Intermittent Failures in Discrete Event Systems

Program verification using Hoare Logic¹

A Short Introduction to Hoare Logic

1 Introduction. Uri Abraham, Ben-Gurion University, Beer-Sheva, Israel

Revising Distributed UNITY Programs is NP-Complete

Comment: The induction is always on some parameter, and the basis case is always an integer or set of integers.

a + b = b + a and a b = b a. (a + b) + c = a + (b + c) and (a b) c = a (b c). a (b + c) = a b + a c and (a + b) c = a c + b c.

Properties of the Integers

n Empty Set:, or { }, subset of all sets n Cardinality: V = {a, e, i, o, u}, so V = 5 n Subset: A B, all elements in A are in B

Predicate Abstraction in Protocol Verification

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

TLA in Pictures Leslie Lamport

The TLA + proof system

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Verification, Refinement and Scheduling of Real-time Programs

Program Analysis Part I : Sequential Programs

Lecture 11: Measuring the Complexity of Proofs

Circular Compositional Reasoning about Liveness

Verification Using Temporal Logic

Pairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events

Fall 2004 Homework 7 Solutions

3 Propositional Logic

Mathematical Logic Prof. Arindama Singh Department of Mathematics Indian Institute of Technology, Madras. Lecture - 15 Propositional Calculus (PC)

Mathematical Induction

Lecture Notes on Identity and Inversion

Computer Science and State Machines

PHI 120 Introductory Logic Consistency of the Calculus

MA651 Topology. Lecture 9. Compactness 2.

Equivalence of Regular Expressions and FSMs

Deterministic Program The While Program

Proof Theoretical Studies on Semilattice Relevant Logics

Consistent Fixed Points and Negative Gain

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

win and sin: Predicate Transformers for Concurrency

Learning Goals of CS245 Logic and Computation

IN THIS paper we investigate the diagnosability of stochastic

Integrating State Constraints and Obligations in Situation Calculus

Automata-Theoretic Model Checking of Reactive Systems

Revising UNITY Programs: Possibilities and Limitations 1

The Assignment Axiom (Hoare)

Verifying Concurrent Programs

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

The Logic of Geometric Proof

Mathematical Logic Propositional Logic - Tableaux*

Efficiently merging symbolic rules into integrated rules

Logic Model Checking

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Component-Based Construction of Deadlock-Free Systems

Another Glance at the Alpern-Schneider. Characterization of Safety andliveness in. Concurrent Executions. Abstract

Math From Scratch Lesson 28: Rational Exponents

2 Ralph J. R. Back, Qiwen. Xu systems with respect to total correctness. Reactive renement of action systems was investigated by Back [4] basing on th

A CONSTRUCTION OF ARITHMETIC PROGRESSION-FREE SEQUENCES AND ITS ANALYSIS

Safety and Liveness Properties

Math 4606, Summer 2004: Inductive sets, N, the Peano Axioms, Recursive Sequences Page 1 of 10

Pairing Transitive Closure and Reduction to Efficiently Reason about Partially Ordered Events

Proof Calculus for Partial Correctness

CS 6110 Lecture 21 The Fixed-Point Theorem 8 March 2013 Lecturer: Andrew Myers. 1 Complete partial orders (CPOs) 2 Least fixed points of functions

MATH2206 Prob Stat/20.Jan Weekly Review 1-2

Transcription:

How to reason with Strong-fairness and No-fairness Notes on UNITY: 31 92 Jayadev Misra Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712 (512) 471-9547 misra@cs.utexas.edu 7/2/92 1 The Problem Some feel that the UNITY-logic is deficient because it embeds a fixed notion of fairness, namely that each statement be executed infinitely often in any execution. Other notions of fairness, such as every statement that is enabled infinitely often is executed infinitely often (known as strong fairness ), or, as long as there is an enabled statement some (enabled) statement is executed (known as minimal progress condition, or no-fairness in this note) might be more appropriate for certain problems. In fact, [3] and [4] allow different forms of fairness to be specified for different statements of a program. I believe that the weakest notion of fairness that is adequate to establish absence of individual starvation is the only useful type of fairness. Strong-fairness can be added as an axiom if desired. The advantage of embedding a particularly weak form of fairness into the logic is that the appropriate logical operators and the corresponding inference rules can be postulated once for all, and these can be exploited to reduce proof lengths. As an example, we prove a program from [4] that assumes strong-fairness for some statements, using UNITY-logic. Later, we show that the proof is still valid if the weak-fairness of UNITY is replaced by no-fairness (and the same strong-fairness assumption is retained). Program (reproduced from [4], p. 3) var integer x, y = 0 ; semaphore sem = 1 ; cobegin loop α 1 : P(sem) ; β 1 : x := x + 1 ; γ 1 : V(sem) endloop [] loop α 2 : P(sem) β 2 : y := y + 1 γ 2 : V(sem) coend endloop This material is based in part upon work supported by the Texas Advanced Research Program under Grant No. 003658 219, by the Office of Naval Research Contract N00014-90-J-1640 and by the National Science Foundation Award CCR 9111912. 1

It is required to show that assuming strong-fairness for the action at α 1 i.e., if sem > 0 holds infinitely often then the action at α 1 executes infinitely often x grows arbitrarily large. Notes 1. Lamport assumes strong-fairness for actions at α 1 and α 2. Strong-fairness of the latter action is unnecessary for this particular proof. 2. Initial values of x, y are irrelevant for the proof. 3. Weak-fairness for the other statements, I believe, is assumed by Lamport in constructing his proof. This is unnecessary; we return to this issue in Section 4. 2 The Mathematical Model I will model this program this program is a mathematical object, no doubt, but it is poorly suited for rigorous analysis by a UNITY program. In the following, pc 1, pc 2 denote the program counters of process 1 and process 2. I have replaced sem by s (since shorter identifiers are preferable for formal manipulations by hand). (SF) var pc 1, pc 2 : (α, β, γ) ; s, x, y : integer initially s, x, y, pc 1, pc 2 = 1, 0, 0, α, α assign {code for process 1} s, pc 1 := s 1, β if s > 0 pc 1 = α [] x, pc 1 := x + 1, γ if pc 1 = β [] s, pc 1 := s + 1, α if pc 1 = γ [] {code for process 2} s, pc 2 := s 1, β if s > 0 pc 2 = α [] y, pc 2 := y + 1, γ if pc 2 = β [] s, pc 2 := s + 1, α if pc 2 = γ end The strong-fairness constraint for the first action in the first process is modelled by the axiom true s > 0 pc 1 = α true pc 1 = β Note that true p is one way of representing that p holds infinitely often. 3 The Proof We will establish (P ) ( n :: x = n x = n + 1) Note: A better representation of x grows arbitrarily large is ( n :: true x > n) This property follows from (P) by applying the induction rule of. 2

Proof Outline 1. true s > 0 pc 1 = α, see below true pc 1 = β, using SF x = n unless x = n + 1, code inspection x = n (pc 1 = β x = n) x = n + 1, PSP on the above two pc 1 = β x = n x = n + 1, code inspection for ensures x = n x = n + 1, cancellation on the above two Proof of (1): true s > 0 pc 1 = α Now, By code inspection prove the following invariant. 0 s 1 (pc 1 = α pc 2 = α) [s = 1 (pc 1 = α pc 2 = α)] s = 0 {from the invariant} pc 1 α pc 2 α {pc 1 {α, β, γ}, pc 2 {α, β, γ} } pc 1 = β pc 1 = γ pc 2 = β pc 2 = γ {pc 1 = β pc 1 = γ, using code inspection for ensures. Similarly, for pc 2. Apply cancellation} pc 1 = γ pc 2 = γ {pc 1 = γ s = 0, from the invariant. Similarly, for pc 2.} (pc 1 = γ s = 0) (pc 2 = γ s = 0) {pc 1 = γ s = 0 s > 0, using code inspection for ensures. Similarly, for pc 2. Apply cancellation} s > 0 Hence, The given invariant s = 0 s = 1 s > 0 s > 0 s > 0 Applying the substitution axiom, true s > 0 Properties requiring code inspection The following properties have to be proven by code inspection. 2. x = n unless x = n + 1 3. pc 1 = β x = n ensures x = n + 1 4. invariant 0 s 1 (pc 1 = α pc 2 = α) [s = 1 (pc 1 = α pc 2 = α)] 5. pc 1 = β ensures pc 1 = γ 6. pc 1 = γ s = 0 ensures s > 0 3

Properties (3,5) can be replaced by (7) pc 1 = β x = n ensures pc 1 = γ x = n + 1 Note that (3) follows from (7) by weakening the latter s rhs to x = n + 1. Property (5) does not follow from (7); we, however, need only pc 1 = β pc 1 = γ in the proof. This follows from (7) by pc 1 = β x = n ensures pc 1 = γ, weakening the rhs of (7) pc 1 = β x = n pc 1 = γ, definition of pc 1 = β pc 1 = γ, disjunction over all n Compositional Proof The proof can be shortened further by employing the union theorem, in particular to prove the propeties (2,6,7). Since pc 1, x are local to process 1, it suffices to prove (2,7) in process 1 only. For property 6, from the invariant (4) we have, Then, s = 0 unless s > 0 in process 2 pc 1 = β x = 0 unless s > 0 in process 2, locality of pc 1. Therefore, it suffices using the union theorem to prove property (6) in process 1 alone. Property (4), the invariant, does require a proof over both processes; it has to follow from the initial conditions and be shown stable over both processes. 4 No-fairness The following treatment is inspired by [2]. The progress property, (P), holds even when no fairness is assumed for any statement of the program besides the strong fairness property, (SF). Fortunately, exactly the same proof applies; only, the ensures properties have different definitions and they have to be reverified. It is extremely lucky that all inference rules of UNITY except the union theorem continue to hold for the new ensures. Hence, the proof in Section 3 continues to hold as long as the ensures properties are not proven compositionally. (As a matter of fact, there is a weaker union theorem for the new ensures that is adequate for this particular problem.) For a loop of the form do [i : 0 i < N : g i A i ] where g i is the guard of command A i, define p ensures q p q i :: g i i :: {p q g i } A i {q} Thus, p ensures q says that (1) some statement is enabled whenever p q holds, and (2) execution of any enabled statement in a state satisfying p q establishes q. It is easy to show that the properties of ensures given in Sec. 3.6.2 of [1] hold for ensures, as well. (Unless will be defined as before.) Hence, other derived rules, such as PSP, continue to hold with ensures. 4

We have the following weaker union theorem with ensures. p ensures q in F, p ensures q in F [] G p ensures q in F [] G Note that p ensures q in F and p unless q in G does not establish p ensures q in F [] G. In particular, G could contain the single statement true skip which could be executed forever. Also, the converse of this rule does not hold; p ensures q may hold in F [] G though it holds in neither F nor G. To see this, consider F :: x = 0 x := 2 {if x 0 this statement execution is skip} G :: x = 1 x := 2 0 x ensures x > 1 holds in F [] G, though in neither F nor G. Finally, a disjunction rule, similar to the disjunction rule for, holds for ensures but not ensures. References [1] K. Mani Chandy and Jayadev Misra. Parallel Program Design: A Foundation. Addison Wesley, 1988. [2] Charanjit S. Jutla and Josyula R. Rao. On the Design of Proof Rules for Fair Parallel Programs. Formal Aspects of Computing (submitted). [3] Simon S. Lam and A. Udaya Shankar. Refinement and Projection of Relational Specifications. Proc. REX Workshop on Stepwise Refinement of Distributed Systems, Plasmolen-Mook, The Netherlands, May 1989, LNCS series, Springer-Verlag. [4] Leslie Lamport. A Temporal Logic of Actions. DEC, Systems Research Center, Palo Alto, CA, April 1990. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback