on the existence of sound and complete axiomatizations of ... · on the existence of sound and...
TRANSCRIPT
On the existence of sound and complete axiomatizationsof the monitor conceptGerth, R.T.
Published: 01/01/1987
Document VersionPublisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)
Please check the document version of this publication:
• A submitted manuscript is the author's version of the article upon submission and before peer-review. There can be important differencesbetween the submitted version and the official published version of record. People interested in the research are advised to contact theauthor for the final version of the publication, or visit the DOI to the publisher's website.• The final author version and the galley proof are versions of the publication after peer review.• The final published version features the final layout of the paper including the volume, issue and page numbers.
Link to publication
Citation for published version (APA):Gerth, R. T. (1987). On the existence of sound and complete axiomatizations of the monitor concept.(Computing science notes; Vol. 8701). Eindhoven: Technische Universiteit Eindhoven.
General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ?
Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.
Download date: 15. Jun. 2018
CSH
On the Existence of Sound and Complete Axiomatizations
of the Monitor Concept
by
Rob Gerth
On the Existence of Sound and Complete Axiomatizations
of the Monitor Concept
by
Rob Gerth
January, 1989
ON THE EXISTENCE OF SOUND AND COMPLETE AXIOMATIZATIONS OF THE MONITOR
CONCEPT
Rob Gerth*t Eindboven University of Technology:
January 1989
Abstract This paper presents an axiomatization for the partial correctness properties of Commu
llicating Modules, a monitor-based programming language. This axiomatization is certified through soundness and (relative) completeness proofs, which constitute the major part of
. the paper. The system is based on the well-known notions of cooperation and interference freedom, however does not incorporate them as second order notions and is syntax-directed in a formal way.
1 Introduction
Monitors constitute the first attempt at formulating concurrent programming concepts beyond low-level mutual exclusion primitives such as semaphores ([Dij6B]). The concept originates from
Hoare and Brinch Hansen ([Hoa74, BHa73]) in their work on resource management in operating systems and is influenced by the SIMULA class concept ([DMN67]).
Monitors combine ideas from abstract data types with a notion of concurrency that derives from the independence of the various sets of data in the system achieved through the aforementioned data-abstraction. Programming languages based on it, include Concurrent Pascal [BHa75], Distributed Processes [BHa7B], Mesa [MMS79] and most recently, Wirth's Modula (-2) [WirB4]. Also, the rendezvous concept of Ada [ARM83] clearly derives from it. In a different but related area, these ideas surface in the concept of object in object oriented systems [AmB6].
Although the monitor concept is a relatively old one, it has never been adequately axiomatized (in the sense of [Hoa69]). It is well known that previous attempts, [Hoa74, How76], resulted in sets of rules that are incomplete in the technical sense of the word. Recent attempts to correct this, [ABSI], remained unsuccessful.
This contrasts sharply with work on other concepts of concurrent programming: Concurrent languages based on the sharing of variables between concurrent procses were successfully axiomatized by Owicki, [OG76]. Hoare's "Communicating Sequential Processes" has been dealt with in [AFdeRBO, LG81, Sou84] and Ada in [GdeR84].
·The author was financially .upported, through the Foundation for Computer Science Research in the Netherlands (SION), by the Netherlands Organization for the Advancement of Pure Research (ZWO).
tThe author is currently working in and partially .upported by ESPRIT project 931: "Debugging and Specification of Ada Real-Time Embedded Sy.tema (DESCARTES)".
tDepartment of Mathematics and Computing Science, Eindhoven Univers.ity of Technology, P.O.Box 613, 6600 MB Eindhoven, The Netherlands. Electronic mail: mcvax!eutrc3!wsinrobg.UUCP or WSDCROBGC HEITUE5 .BITNET.
1
The current paper, implicitly, offers an explanation for this state of affairs. The reported axiomatization in fact combines the notions of interference freedom - developed to axiomatize shared variable languages - and cooperation (in its generalized form of [GdeR84]) - introduced to axiomatile synchronously communicating languages. Both notions, although formulated in different ways, reflect the insight that the specification or verification of a concurrent agent in isola.tion from an interacting environment, has to incorporate assumptions about such interactions. Assumptions that have to be proved compatible or non-conflicting when combining the separate agents'specifications. It is this basic insight that is missing in earlier axiomatization attempts.
The present axiomatization evolved from work on Brinch Hansen's Distributed Processes, DP
([BH78]), reported in [RDKdeR81, GdeRR82a, GdeRR82b) with the following difference: usually, cooperation and interference freedom is formula.ted as the way to combine proofs of specifications rather than as the way to combine specifications themselves. Hence, the resulting proof systems might be better called verification algorithms, instead oUormal aDomatizations. The paper shows that this traditional rendering is not forced by these notions, and gives an aDomatization that complies with the usual meaning of the term. This aDomatization is syntax-directed in the sense that every program constructor has an associated formal proof rule and every basic statement an associated axiom.
The current paper is a companion to [GdeR86). That paper informally introduces and motivates the proposed aDomatization. Here, the concentration is on the formal justification of the proof system. Formally speaking, this paper independent from [GdeR86). However, the reader seeking (more) motivation is referred to that paper.
For a different approach towards axiomatizing monitors in the context of DP, the reader should consult [SS85,Gje88). Those works are based on the Soundararajan-Dahl approach, [SoD82) and are most easily described as the rendering of an operational semantics into proof rules and assertions. The resulting set of rules is complete, too. In this approach one reasons directly with the computation history, whereas here one may choose auxiliary variables that retain just the
needed information about the history. This has the advantage of ease of use; it has the technical disadvantage that the completeness of the proof system is more restricted. See also Section 7.3 and the conclusions in Section 8.
The next section introduces the language Communicating Modules, CM. Then its syntax is extended to provide "hooks" for the aDomatization presented in Section 5. Section 3 gives a syntax directed operational semantics that will be used in the soundness and completeness proofs. Next, in Section 4, two essential theorems are proved: the local and global merging tbeorems. These theorems express when separate executions of program parts are compatible in the sense that they are part of an execution of the combination of the program parts. The theorems have non-trivial content, since the program parts may interact. Section 5 introduces the specification language and the proof system. The section concludes with a substitution lemma used in the next two sections. The soundness and completeness proofs are the subject of Section 6 and 7. A final discussion occupies Section 8.
This introduction concludes with
1.1 A summary of some notation
The (well-ordered) set of integers, {O, 1,2, ... }, is denoted by W; its cardinality by No. There is a denumerable, well-ordered set of variables Var. For any nEw, Yarn ~ Vcr contains the
2
first n variables. Hence Var = U Yarn. If ~ is some signature or similarity type, then Tm(~) nEw
and L(~) denote the set of terms and first order formulae over~. Elements of L(I::) are usually
denoted by letters p, q, rj terms bye, t and variables by u, v, :c, y, z. As usual, p[e/:z:) (t[e/:z:]) stands for the formula (term) obtained by substituting the term or expression e for every free occurence of z in p (t). The set of free variables of a formula or term ¢J is denoted by FV(¢J). ~-structures or I::-algebra's, A, are defined as usual and give interpretations of the symbols in E. Given a E-structure A, states u, T, v are partial functions from Var into 104.1, the universe of A. The domain of a state (or any other function) u, is Dom(u); its range is Ran(cr). 0 denotes the totally undefined statej i.e., the partial function Var t-+ 104.1 with Dom(O) = 0. Define St n = {u : Var t-+ 104.1 I Dom(u) S; Yarn} and St = U Stn. For a state cr, u t V restricts the
nEw domain of u to V (S; Var)j u{a/x} (a E 104.1) denotes the state u' such that for y t. :z: u'(y) = u(y)
and cr'(z) = a. For states u, T such that cr tw = T tw where W = Dom(u) n Dom(T), cr U Tis defined in the obvious way. For any states, u and T, let U{T} = U{T(:Z:)/:Z:, :z: E Dom(T)}. The value of a term t in a state cr, u(t), and the truth-value or satisfaction of a formula p in a state cr, u ~ p or A, u ~ p, are defined as usual, provided FV(p) S; Dom(u), and are undefined otherwise. In the sequel, states are always assumed to nave large enough domains so that they valuate every variable in a term or formula used. Write A ~ p if p E L(~) is valid in A., i.e., if A, u ~ p holds for every state u (for which FV(p) S; Dom(u)). Let Th(A) denote the set {p E L(~) I A ~ p}, where ~ is A's signature. The term computable will be used in its informal sensej recursive will be its formalization.
2 The language communicating modules, eM
As stated in the introduction, monitors combine
1. the notion of abstract data type, where the concepts of data and the set of legal (=meaningful) operations on it, are seen as logically inseparable, with
2. a notion of concurrency that derives from the logical independence of the various data sets within a system, originating in the abstraction of (1).
Interactions within a system occur through the data type interface. The logical integrity of the data type abstraction and the functionality of the operations are maintained by
1. imposing strict synchronization between a monitor and the entity requesting its service, while performing this service and by
2. allowing a monitor to be serving at most one request at a time.
This does not imply that the data type operations of a monitor are strictly serialized, but merely that a monitor cannot be serving two or more requests at the same time. In fact, it implies
the possibility of a finer grain of serialization in monitors than there is in sequential abstract data
types. When a monitor is servicing a requestor, hence is performing a data type operation, the
requestor is said to be active within the monitor and to have acquired the monitor-Ioel, effectively locking out (the servicing of) any other requestor until the former relinquishes the lock. At such
a time a monitor may start (again) servicing someone else.
3
Even at this level of description one can discern an interleaving of actions: actions associated with the data type operations and bracketed in time by the acquiring and relinquishing of the monitor lock by the requestors of the particular operations.
Traditionally, a monitor is a passive object, only reacting to external requests. Modules are a generalization of this concept and may also initiate requests to other modules.
2.1 Syntax
Let E be a signature. Partition Var as VarR U VarIC , Var IC = {ico liE w}. The programming language CM(E) is generated by the following Backus-Naur grammar (z, il, ii ~ VarR , :c E VarR ,
e ~ Tm(E) and bE L(E) quantifier-free):
• CM(E) ::= [MD11I···1I MDnl n 2: 1
• M D ::= Mi :: DC : [5)
• DC ::= ai(il#ii): [5) DC
• 5 ::= :c:= e I wait I call Mi.ai(e#z) 151 ; 52 I if b then 51 else 52 fi I while b do 50d
Note that no variable of the form ico can appear in any C M (E)-program. These so-called instance counters have a special meaning in the proof system of Section 5.2. The non-terminal
DC may also produce the empty string.
2.2 Informal semantics
A module consists of a number of procedure-declarations and an initial statement. Execution of a module starts with its initial statement and continues until either the initial statement terminates or a wait-statement is encountered. Such statements are the primary way to establish synchronization.
Synchronization occurs in a module:
• when arriving at a wait-statement,
• upon completing the execution of the intial statement, and
• upon completing the execution of an (instance of an) entry procedure.
Such points are called waiting poin ts. By synchronization is meant either
• the ad of honouring and arbitrarily selected call to one of the module's entries (global synchronization) or
• the act of passing some wait-statement having been a waiting point at an earlier time and hence possibly different from the one execution just arrived at (local synchronization).
Observe that at waiting points the monitor-lock is relinquished. Honouring a call constitutes the only form of communication and synchronisation between
modules. It results in a new procedure-instance being activated and executed. Until its completion, the caller remains fully synchronized, whence its execution suspended, with the callee. The parameter-mechanism is call-by-value-result and within a procedure~body no assignment to any
4
value-parameter is allowed. Formal parameters are local with respect to the procedure-body. All other variables are global with respect to the module. Modules do not share variables.
In Section 3, the meaning of a program or module is formally defined in the form of an
operational semantics.
The following notation and conventions will be used throughout the paper:
• the modules in a program comprising of n modules, are named Ml , M2, ... , Mn ,
• module Mi contains procedures ai, a~, ... , a~,i its initial statement is denoted by at,
• procedure a} in Mi (j ~ 0) is declared as a~ (Us,j#iii,j): [5}J; the initial statement, a~, as
: [5bJ,
• Lid = {Us,j, v',j} (Li,o = 0)i l'i,j is the set of variables, not including L.,j, that appear free fl., n,
wi thin procedure aj of module M. i 1'; = U l'i,j, L. = U L',j. j=O j=O
I shall usually ignore the superscripts in procedure-names. Note that by this convention, I
assume procedure-names to be unique. L.,j collects the local variables of procedure a~. The following context conditions apply to any program:
• l'i n V, = 0 if i # j,
• Li," n Lj,l = 0 if i # j or k # I, n
• l'i n U Lj = 0, j=1
• in any statement callM •. aj(e#f), the variables in f are pairwise disjoint and FV(e)n{f} = 0.
2.3 The extended language, CMe(:E)
Some syntactic extensions to CM(E) are necessary in order to obtain the proof system of Section 5. Specifically, labels are introduced and so-called bracketed sections.
Introduce a denumerable set, Lab, of labels with typical elements l, l' ,l", ... such that Lab n Var = 0. In the grammar generating CMe(E), the same convention as in Section 2.1 is used.
• CM(E) ::= [MDllI···IIMDn ] n~l
• MD ::= Mi :: DC : [5.l]
• DC ::= aj(u#v): [Tli l.}i5l'.{iT2] DC
• T .. - 5 I • 5 .. - :t:= e It.wait.l' Il.{Tlil'.call M •. aj(e#f)i T2i l".) I 51 i 52 I
if b then 51 else 52 fi I while b do 5 ad
In a procedure body, Tl and T2 are called the prelude respectively the postlude ofthe procedure.
Statements '[Tli1.}', 'l'.{iT2J' and 'l.{i···l'.call"·il".)' are called bracketed sections. A label that either labels the front of a wait or the initial statement will be said to label a .. aWng point.
In addition to the ones introduced in Section 2.2, the following context conditions apply to
CMe(E) programs:
5
• any label may have at most one occurrence
• the statements Tl and T2 within bracketed sections, may contain no wait or call-statements.
These syntactic extensions induce no semantic differences, other than that executing a bracket,
l.( or i.), is equivalent with executing a skip-action (e.g. z:= z). For any CMe(E)-statement, procedure, module or program T, FLB(T) denotes the set of
labels occurring in T. If l E FLB(ai) and ai is a procedure of Mi then L(l) denotes Li,;.
3 Operational semantics for CMep:)
In this section the behaviour or semantics of C Me (E) programs is formally defined. I will use the
structured operational semantics approach as advocated by G. Plotkin [PI82).
3-1 DEFINITION. A labeled E transition system, lu~, is a tuple (C, -, SC, TC, TL,A), where
• C is a set of configurations • SC ~ C is a set of start configurations • TC ~ C is the set of terminal configurations • T L is a set of transitions labels or records
• - ~ C x T L x C is the transition relation
• A is a E-structure
A structured operational semantics is an It" which transition relation is defined using induction on the structure of the configurations. In the current case this implies that also the semantics of CMe(E) modules and statements has to be defined, independent of a surrounding program.
To define the set of configurations, CMe(E) has to be extended, again, to CM*(E):
3-2 DEFINITION. CM*(E) is generated as in Section 2.3 except that the productions for the non-terminals DC and S are replaced by
• DC ::= ai(ii#ii): [5) DC I • S ::= z:= e li.wait.i' I block.ll·ill.( Ii.) I endv,iJ li.calIMi.ai(e#z) I
l.rendz,iJ I Sl; S2 I if b then Sl else S2 fi I while b do Sod I A
A block.i-action signifies that a wait has been encountered and that the monitor lock was released at this point. In the configuration of a caller, i.rendf,iJ records that an instance of procedure ai in Mi has been activated but not yet completed. The set of value-result parameters
of the call is z. Statements end.e,i,j are used to identify the caller (procedure ai in Mi) which caused the current instance to be created. Here, ii denotes the set offormal value-result parameters of the corresponding procedure. A denoted the empty statement.
Fix some signature E and a E-structure.4.. From now on, I assume that E contains +, -, 0 and 1 and that A contains as sub-structure the standard model (w, +, -, 0, 1). This assumption
is needed to valuate the instance counters and, later on, is needed to reason about them. The
semantics of CM(E)-programs, however, is not influenced.
6
3-3 DEFINITION (The configuration set C). • A local configuration, LC, has the form Id : (S,B), where
- ld == (i, j, k) E w3 ; i indexes a module, j a procedure and k characteri~es the instance,
- S is a CM*(E)-statement or procedure,
- B = (ZI, p), where ZI E St with Dom(ZI) ~ Var and p E Lab U {0}.
• A module configuration MC has the form (X 10 10') or (X I a I LCo, .. . , LCn , O'), where
- X is either A or a CMe(E) module,
- a E {-I, 0, 1, ... , n}, tbe activity pointer
- for 0 SiS n, LCi is a local configuration: Idi : (Si, Zli' Pi) and Idj 1- Idi for i ¥ j, - 0' is a state such that Dom(O') n Dom(Zli) = 0 for i = 1 ... n
• A program configuration PC, has the form (MCo, . .. , MCm ), where
- M Co, ... , M Cm are module configurations.
• The configuration set, C, consists of all program and module configurations.
During execution of a module, several procedure instances coexist together with the module's initial statement. The local configurations record the progress in each of these instances. Since formal parameters are local variables, each LC has a local state; the label records control information.
The identification, ld, of a local configuration indicates where the configuration originates from:
ld = (i, j, k) ¥ (0,0, k) implies that it records a configuration of procedure or initial statement a) while k identifies the instance; Id = (0,0, k) gives no such information and is the "identification" of a configuration of some statement. The variables that are global in the module, are valuated by the MC's state. Its activity pointer points to the LC that is currently active or equals -I, signifying a change of activity at a waiting point.
The variables in VarIC are proof-variables and are used to count the number of instances of
a procedure. I assume that there is some canonical enumeration of the procedure names in a program, so that I can write ic.a~ for the VarIC -variable that refers to procedure a) (in module
Mi).
Conventions: As generic indicants for module configurations, C, C', C", Ci , •.• are used. C has
the form (Mj I a I LCo, ... ,LCm,O') where LCi == Idi : (Si,Bi ) and Bi == (Zli' Pi). In Cff the components of C inherit the sub and superscripts (except for a module text):
Program configurations are generically denoted as C, C', .... C has the form (Cl, ... ,cn) and otherwise follows the above conventions. Finally, sometimes only part of a configuration is
explicitly given; the other parts are then assumed to follow these conventions. Similar conventions hold for program configurations.
3-4 DEFINITION (The transition label set, TL) .
• TL = {E}U{(i,j,h,ZI,i,O')li,j,hEw,ZI,O'ESt,iELab} U {(i,j, Q, k, I, ind) I i,i, k, I E W,Q ~ IAI, ind E {in, tel } .
• Records of the form (i, i, ii, k, I, ind) are called global records; the other ones are called local
records.
7
Transition labels will be interpreted as words or sequences consisting of 0 or 1 records. Global records originate from module communicationsj ii is the sequence of transmitted values, the first
index pair - a module and procedure index - specifies the sender, the second pair the receiver and
ind indicates whether the record witnesses the initiation of a rendezvous (in) or the termination
of one (te). Non-empty local records originate from waiting points and the index pair points to
the originator. The pair of states, 11 and 0', record the local state, 11, of the procedure instance and
the global state, O'j i identifies the waiting point. Finally, h characterizes the executing procedure instance.
3-5 DEFINITION (The front label of a statement, S, lab(S)). • for S == ~ := e, if b then S' else S" fl, while b do Sod, a(u#ii) : [i.S] , end;;,i,; or A: lab(S) = 0,
• for S == i.wait.i', block.i, .i, i.(, t.), i.calIMi.a;(e#f) or i.rend."i,;: lab(S) = {£} • for S == S1; S2: lab(S) = lab(S2} if S1 == A
= lab(Sd otherwise.
All is set now for the definition of the transition relation. In its definition, whenever an M G of
the form (X I a I ... LG···, 0'), occurs, the shown LG is the one pointed to by a, unless a = -1.
Write G ~ G' instead of (G, A, G') E-.
3-6 DEFINITION (The transition relation, -+) . • -+ ~ G x T L x G is tbe smallest relation satisfying
e 1. (A I 0 lId: (~:= e, 11, 0), 0') ---+ (A I 0 I Id: (A, 11',0),0"), wherel
11',0" = lI{lIUO'(e)/z},O' ifz E Dom(lI) = 1I,0'{lIuO'(e)/z} ifz rt. Dom(lI)
(U, 11, i, 0') 2. (A I 0 I Id: (i.wait.i',lI,t),O') I (A 1-11 Id: (block.i',lI,i'),O')
e 3. (A I -1 lId: (block.i, 11, i), 0') ---+ (A I 0 lId: (block.i, 11', i), 0")
f 4. (A I 0 lId: (block.i, 11, i), 0') -- (A I 0 lId: (A, 11, 0),0')
5.
6.
(r, 6,0' U lI(e, f), i, j, in) (A I 0 I r, 6, k : (i. call Mi.a;(e#f), 11, i), 0'). I
(A 10 I r, 6, k: (i.rend."i,;, 11, i), 0')
(i,j,a,r,6,te) (A I 0 I r, 6, k : (i.rend."i,;, 11, i), 0') I
where (or z" E f lI'(Z,,), O"(z,,) = a", O'(z,,) = V(Zk), a"
11' tfC = ii tfC, 0" tfC = 0' tfC
(A 10 I r, s, k : (A, 11', 0), 0") ,
UZk E Dorn(lI) and ifzk rt. Dorn(lI)
(Ii, 0, i, 0') 7. (A I 0 lId: (.i,O,i),O') I (A 1-11 Id: (.i,O,i),O')
f 8. (A I -1 lId: (.i, 0, i), 0') ---+ (A I 0 I Id : (A, 0, i), 0"),
e 9. (A I 0 lId: (i.(, 11, i), 0') ---+ (A I 0 I Id : (A, 11,0),0')
1 Remember that lIDy state i. implicitly aasumed to valuate all the appropriate variables.
8
E 10. (A I 0 I Id : (i.), 11, f), 0-) ~ (A I 0 I Id : (A, 11, 0), cr)
E 11. (A I 0 I Id: (A,8),cr) ~ (A I 0 I cr)
(r, 6, ii, c, i, j, in) (A I 0 I i,j,k: (a~(u#ii): [5),1I,0),cr)
12. (A I 0 I i, j, k : (5j endt", .. ,,, O{b, c/u, ii}, O), cr),
where b = 0- U 11 (u) and c = 0- U 11 (ii) E
13. (A I 0 I Id : (: [5.l], 0, O), cr) ---+ (A I 0 lId: (5.l, fl, 0), 0-)
. . (i,j,lI(ii),r,s,te) 14. (A I 0 I t,), k : (end", .. ,,, 11, 0), cr) J
(A I 0 I i, j, k : (A, 11, O), cr)
15. (A I 0 lid: (if b then 51 else 52 ft, 11, O), 0-) ...!.- (A I 0 I Id : (51 ,11, Iab(5d), 0-)
if A, cr U 11 F b
16. (A I 0 I Id : (if b then 51 else 52 ft, 11, 0),0-) ...!.- (A 10 lId: (52,11, Iab(52)) , cr)
if A, cr U 11 p!: b
(A I 0 I Id : (while b do 5 od, 11, O), cr) ...!.-17. (A I 0 I ld : (5j while b do 5 od,lI, Iab(5)), cr)
if A, cr U 11 F b
18. (A I 0 I Id : (while b do 5 od, 11, O), 0-) ...!.- (A I 0 I ld : (A, 11, O), cr)
if A, cr U 11 p!: b
A (A I a I Id : (5,11, p), 0-) - (A I a' lId: (5',11', p'), 0-')
19. A ' where (A I a I Id : (5j T, 11, p), cr) - (A I a' lId: (5,11', Iab(5)), cr')
5 == 5' j T if 5' "I A and T otherwise
A (A I a lId: (5,8),cr) --+ (A I a' I Id: (5',8'),0-')
20. -1 A ' provided (MI.I···ld:(5,8) ..• ,0-)-(Ml b l···ld:(5',8' ) .•. ,o-')
~
5"1 .i, if a = -1 then cr, 11 = 0-',11', and if a' = -1 then b = -1 else b = i (Id, lI,t, 0-)
21. (M Ii I .. ·ld: (.i,8).",o-) J (M 1-11,,·ld: (.£,8)".,0-)
>. (A 10 II,j,k: (a~(u#ii): [5],0,0),0-) - (A 10 II,j: (5',8'),cr')
22. A (M/ I -1 I LCD, .. " LCn - l , 0-) --+
(M/ I n I LCD, .. " LCn - lo 1, j : (5',8'), cr")
provided aj is declared in Mz as in the premisr, ldi "I (1, j, k) for i < n and cr" = 0-' {ie.a} + l/ie.aD·
2In case j = 0, the declaration stands for the initiel statement of Mi and I aasume the pllZ'8Uleter part to be empty.
9
(Id, 0, 0, u') (M I i I LCo ··· LCi-1, Id : (A,II, 0), LCi+1 ... LC .. , 0') I
23. ') , (M 1-11 LCo ·· ·LCi-11 LCi+1·· ·LCn , 0'
wbere 0" = O'{ic.a~ - l/ic.a}}. f
24. (M; 1-1 lId: (.i, 8), 0') - (Mi 10 10')
(M" I ... ) ~ (M" I ... )' ~ A
«(M1 1···)···(M" I···)···(M .. I···) -- «(M1 I···)···(M" I···)'
provided A is local and (Mk I ... )' ~ (Mk I 0 I 'T) for any'T.
(M. I ... ) ~ (Mi I ... )' , (Mj I ... ) ~ (Mj I ... )' 26. A
«(M1 1···)···(Mi 1···) .• ·(Mj I···) .. . (M .. I···))--
... (Mn I·· .))
«(M1 I···)··· (M. I·· .)' ... (Mj I·· .)' ... (M .. I···)) provided A is global.
f «(M1 1-11 Id 1 : (.i1,81 ),0'1), ... , (M .. 1-11 Id .. : (.£",8 .. ),0' .. ))--
27. . «(M1 I 0 I 0'1), ... , (M .. I 0 10' .. ) • -* is tbe reflexive and transitive closure of-.
Remarks: The above definition intends to capture not only the behaviour of CMe(E)-programs, but also the behaviour of modules and statements, independent from their context. So, e.g., the states in axiom 3 can change arbitrarily, reflecting the fact that nothing is known about the module text, hence about the statements that can be interleaved at waiting points. In contrast, rule 20
does not allow such changes. Likewise for axiom 8 versus axiom 24. Axioms 3, 7, 8 and 11 are
irrelevant as far as the transisitons of modules and programs are concerned. Additionally, rule 24
can be ignored for program transitions.
3-7 DEFINITION (Start and terminal configurations). Let 'T be any state.
• for a statement or initial statement S
- SC .. (S) = {(A I 0 I 0,0,0: (S,O,lab(S)),'T)}
- TC .. (S) = (A I 0 I 'T)
• for a declaration, D, of a procedure Q~ (j ¥ 0)
- SC .. (D) = {(A 10 I i,i,k: (D,O,0),'T) I k EW}
- TC .. (D) = (A I 0 I'T) • for a module M. witb initial statement So.i
- SC .. (M.) = (M. 10 Ii, 0, 0: (So.i, 0,0), T), wbere T = 'T{O/ic.Q~ i = Lni}.
- TC .. (Mi} = (M. 10 I'T) • for a program P == [Mi II· ··11 M .. ]
- SC .. (P) = (SC .. rv.(M1), ••• , SC .. fV" (M .. ))
10
- TC,.(P) = (TC .. rv1(M1), ... ,SC .. rv .. (Mn», where V' = Var\ U Vi ;¢'
i~i~n
• SC = {SC .. (X) I T a state, X a CMe(E)-statement, procedure, module or program}
• TC = {TC .. (X) I T a state, X a CMe(E)-statement, procedure, module or program} .
3-8 DEFINITION (Configuration states, s(C)).
• for a module configuration C == (X I a lIdo: (So, ( 0 ), ••• , Idn : (Sn,6n ),0"),
{ _ _ I for 0 ~ i 5 n, if a = -1 or a = i then } s(C) = (a,80 , ••• ,8n ,0") E, _ n, I E, - ( ,0) ,
11. - 11. e se 11. - lI.,
• for a program configuration C = (MClt ..• , MCm )
Configuration states extract from configurations the information on which satisfaction of specifications depend. Configuration states, usually denoted by 0, 0', ... , inherit the notational con
ventions as introduced for configurations.
3-9 DEFINITION (CM*(E)-computations and semantics).
For any C M*(E)-statement, procedure, module or program T, set of states X and set of configu
rations Y:
• Define
C(T X Y) = { C ~ C ~ ... ~ c I Co E SC .. (T), T E X, } , , 0 1 n '10 < i < n C· E Y - - .
• The set of (X, Y -legal) computations, Comp(T, X, Y), is defined by
- C(T, X, Y) ifT is a module or program, and
C(T,X,Y)U
{
Am+1 ~ ... ~ An 3Co A1 A ••• A Am I Cm such that }
Cm I Cn elm-1 = -1 and A1 ••.• ~ A
Co n I Cn E C(T, St, Y)
ifT is a statement or procedure
• its semantics, [T](X, Y), is
{
>'1 ~ ... ~ >'n } 3 Co I Cn E Comp(T, X, Y) such that
(00 A ••• A On, t) if Cn = TCIf
,. (T) t~en t = .L otherwise t = T and
6, = s( C,) for 0 5 , ~ n,
This definition of computation sequence, and hence of semantics, reflects the knowledge of the state at waiting points: only in modules and programs is the state known when execution resumes
at a waiting point; for statements and procedures the state at these points is arbitrary (see, e.g.,
the transition rule 3 in Definition 3-6). For that reason, suffixes of computation sequences are
11
".:.~~.
included, too. This will become clearer when defining satisfaction of specifications in Definition 5-3.
Observe that the usual notion of computation and semantics is obtained as Comp(', St, C) and [.](St, C).
As a matter of notation, if no restrictions are placed on states or configurations, the corre
sponding sets are not mentioned. E.g., instead of Comp(·, St, C) I shall write Comp(·). Moreover,
whenever I associate configuration states with the configurations in a computation, the conditions
of the second part of Definition 3-8 will be assumed
For future use, there are four simple observations to be made:
The relation between instance-counters (Var IC ) and configurations is given by the following
). 3-10 OBSERVATION. Let M/ be some module, let Co -...* Cn E Comp(T) and let aL be some
procedure in M/. Then
• O'n(ic.aL) = m ¢:> there are m LC's, Idj : (Sj, 8j ), in Cn such that Idj = (1, k, h) for some h
and for j = l..m.
This is obvious.
3-11 OBSERVA.TION. Given, for i = 0,1, Cb ~* C!; E Comp(M/,r), assume that >.0 = ).1
and O'~o = 0';" Then, iffor some i and j, 8!!,i = 8;'J' Id~o,i == Id;,,; and P~O,i :/; 0, conclude that LCoo . = LC1 , ..
n ,I n "
If Mz only contains straightline code (Le., no while loops) this is clear. Next, observe that between
any two successive arrivals "at" P~O,i in the procedure instance determined by Id~O,i at least one record is generated. Moreover, if this record is a global one, so that the generating procedure instance is not known, there is another local record that does identify the generating instance.
In the sequel this observation shall mostly be used implicitly.
>. * 3-12 OBSERVA.TION. Let Co ---+ Cn E Comp(M,) with an = -1 and let II ESt, i E Lab. Tben tbe following two statements are equivalent:
• (II, i) = 8n,i, 1 E FLB(a~) and Un,i = (l,j, k)
• ). = ).0 A (1, j, k, II, i', 0') A ).1, where
1. 1 E FLB(a}),
2. if llabels the rear of a wait, tben i' labels its front and if ilabels tbe rear of a& tben
l' =l
3. ).1 does not contain a local record of the form (l,j, k, ii, l, 0') for any ii, 0' and l.
Notation: (h, l, II) is determined by)..
Because an = -1 every Pn,i labels a waiting point. Hence, 'arriving' at any ofthe 8n ,.'s has been
witnessed by some local record. Consider the last time the computation arrived at (II, l). Clearly,).
has the form as suggested. Alternatively, if A has the above form then the configuration responsible
for producing the local record cannot have moved during the A1-computation (remember, an = -1).
12
3-13 OBSERVATION. For any CM*(~)-statement, procedure, module or program T and com
putable sets of states X, and configurations, Y, Comp(T, X, Y) and [T](X, Y) are computable relations.
4 The merging lemmas
The aim is a syntax directed axiomatization of communicating modules. Specifically, it must be
possible (1) to combine the specifications of procedures and the initial statement into a module
specification and (2) to combine module specifications into a program specification.
Now, specifications describe sets of allowed or legal computations of the specified program parts.
Also, for completeness of the axiom system, specifications must be able to fully characterize the
legal computations. Consequently the following question arises:
Given computations of some statements. When are such computations compatible in
the sense that they are sub-computations of the composite statement?
In this section the two less trivial cases are treated. Section 4.1 contains the local merging lemma which states the conditions under which computations of a set of procedures and an initial
statement can be combined into a single computation of the resulting module. In Section 4.2 the
global merging lemma is formulated, which states when module-computations can be combined.
4.1 The local merging lemma, LML
4-1 DEFINITION (local reachability, lr). Let MI be a CMe(~)-module, 7'0, 7'1, 7'2, "'0, ••• ,"'A" (T ESt, K a set of configurations, lo, ... ,lk E
Lab, ho, . .. ,hk E w and ~ a record sequence. Define for i = O .. k, ii by t. E FLB(a}J.
Then (ho, lo, ... , hk' lk) is (MI, 7', K, "'0, ••• , "'k, (T, ~)-lr iff
3 Co ~* Cn E Comp(MI, {i}, K) such that
• (T t Vi = (Tn t Vi and A = X, • there is an injection, c!: {O .. . k} 1-+ {o ... m}, where m is the number oflocal records in Cn,
and V' i = O ... k ("'i,t.) = 8n ,cJ(i) and Idn,cJ(i) = (l,i-,k.)
So, configurations as characterized by ("'j, Ii), hi and (T, are locally reachable from some state
'T, precisely if there is a computation of Mi, starting in 'T, reaching such a configuration via
intermediate configurations in K and which associated record sequence is ~.
. ~ * . 4-2 DEFINITION (LC-independence). Let CO - 0;., E Comp(MI, 'T, K) for i = 0,1 and let
C~ E C be obtained from C~o by replacing or adding Le's from C~l' Then, K is called LC
independent if
). * , () Co --+ Cn E Comp M" 'T => ~ * , ( ) Co - en E Comp MI, 'T, K
13
4-3 LEMMA (Local Merging Lemma, LML). With notation as in Definition 4-1, suppose that
• (ho, f o, ... , h"_l,l"_l) is (M" TO, K, Vo, ... , VIo-1, 0', )'}-Ir,
• (h",l,,) is (M" 1'1, K, II", 0', )'}-Ir, and
• K is LC-independent. Then (ho,lo, ... ,h",l,,) is (M"T2,K,vo, ... ,II",O',)'}-lr, provided
• TO r Vi = 1'1 r Vi = 1'2 r Vi , • V i < k i. = jlo :::} h. :f:. hlo'
• there is at most one to E FLB(ab) and
• at most one I. does not label a waiting point
PROOF. W.l.o.g., assume that Dom(Ti) ~ Vi for i :::; 2 and that Dom(O') ~ Vi. Let l' = TO = 1'1 = 1'2. If ). does not contain local records, then lo, . .. , l" E FLB(a~), so that the Lemma holds
vacuously. Otherwise, split). as >. A X, where X is the largest suffix of >. that does not contain any local
record. By assumption, there are computations,
>. * X * Co - Cm - Cn (1)
both in Comp(M,,{T},K), such that (v.,4) = 8n ,c/('), Un,c/(') = (/,ii,ht) for i < k and
(II", flo) = en,c/(")' idn ,c/(lo) = (/,i", h,,); moreover, Un = Un = 0'. Define m as the (largest) index such that Clm = -1; likewise, define m such that iim = -1.
Choose any LCm,. from C m and apply Observation 3-12 to the second computation in (1):
). = >'0 A (I, j, p, iim," Pm,., 0') A >'1 and ).1 does not witness any other activity in the corresponding procedure instance. Now, apply the Observation (in the reverse direction) to the first computation
in (1) and conclude that em,. = 8m ,j for some j. Repeating this argument gives that every local
state in C m is also reached in Cm. If m = n, this concludes the proof.
Next, let m < n. the Cm - 1 - Cm and Cm- 1 --+ Cm-transitions are both witnessed by the
same last (local) record in )., so that um = um.
Finally, the Co ~* Cm-computation must be extended. There are two separate cases.
1) Clm+l ~ Ro.n(cf). This means that (vi,4) = 8m ,c/(') for i < k. If em,ii"'+1 exists, define I as the index oUhe corresponding local state in Cm; otherwise, let I be 1 larger than the number of
LC's in Cm. Define configurations Cm+. for 1:::; i:::; n - m by
• LCm+.,; = LCm,; for j :f:. 1,
• LCm+.,I = LCm+.,ii"'+1'
• O'm+' = Um+., and
• Clm+' = I.
oX As K is LC-independent, I have Co -* Cm+n- m E Comp(M" {r}, K). Hence, 8m+A - m,c/(') = (IIi, 4) for i < k. Moreover, by construction, 8m +A- m," = (1I",l,,) and O'm+n-m = 0'. The Lemma follows.
2) iim+1:f:. Cj(k). Hence, 9m,CI(Io) = (IIA"l,,). The first computation in (1) proves the Lemma.
14
There seems to be a third case: Cm+1 E Ran(e!) and Zim+1 = el(k); say Cm+1 = el(O). This, however, cannot happen because either lo or LIe labels a waiting point, but X does not contain a
local record. 0
4.2 The global merging lemma, GML
4-4 DEFINITION (projection). Let A be some record sequence o[ a program [M1 II ···11 Mn).
• .x 11 is the subsequence o[.x obtained by erasing all records that do not involve module M,.
• A 19 1 is the subsequence of A 11 obtained by erasing all local records.
4-5 DEFINITION (global reachability, gr). Let P be a CMeE-program, [Ml \I ... II Mnli T,
Vo, ... ,VI.; ESt, A a record sequence, 1: {l. . . k} 1-+ {l. . . n} an injection, ho, ... ,h" E w and
lo, ... ,l" E Lab such that 4 E FLB(M'(i» [or i ::; k. Then (ho, lo, ..• , hIe, l,,) is (P, T, Vo, ... , Vk, 0', A)-gr iff
X 3 Co ---+* en E Comp(P, T) such tbat
• Xli = Ali [or every i E Ran(l) I(i)
• there is a [unction e/:{O .•. k} 1-+ w sucb tbat [or all i = 1. .. k 0' tV,(i) = O'n rv,(i), 8~~~J(i) = (vi,4) and Id~:~J(i) = (l(i), r, ht) with 4 E FLB(a!.(i».
4-6 LEMMA (Global Merging Lemma, GML). With notation as above, suppose
• (ho, lo, ... , hl.;-I, l"_I) is (P, TO, Vo, ... , Vk-I, 0', .x')-gr,
• (h",l,,) is (P,TI,V",O',.x")-gr,
• ( ) is (P, T2, O'),)-gr, and n
• Ti tv = Tj rV [or i,j = 0 ... 2 and V = U Vi, X 19l(i) = A' 19 l(i) [or i < k and ).19 l(k) = i=1
.x" 19 l(k). Then (ho, lo, ... , h",l,,) is (P, T,1I0," .,lIk, O',A)-gr, where T r V = TO r V, A ll(i) = A' ll(i) [or
i < k and A 11(k) =.x" 11(k).
PROOF. W.l.o.g., assume that TO = TI = T2 = T. The Lemma is proven with induction on the number of global records in X. A stronger version of the Lemma is, however, needed to carry this
induction:
Suppose
A ~ * A 1. Co --+ Cli E Comp(P, T),
- X *-2. Co --+ Cli E Comp(P, T),
- ). *-3. Co --+ Cn E Comp(P, T) and
4. Ao U Al ~ {I. . . n} with Ao n Al = 0 and X 19 i = ~ 19 i i[ i E Ao, X 19 i = X 19 i
i[ i E AI'
15
Then there is a computation Co ~* Cn E Comp(P, T), with ~ 1 i = ).1 i for i E Ao,
{ C~ ifi E Ao
~li=~liforiEA1,~li=Xlifori~AoUA1ande!= ~~ ifiEA1 · e;. otherwise
Note that the reformulation is symmetrical with respect to the partition of {I .. . n}. If X does not contain any global records (hence, neither do )., ~ and ~) the claim obviously
holds, because the module computations all are independent. Next, split X as Xo A Xli where Xl is the smallest suffix of X containing one global record,
(p, q, a, r, 8, ind). By symmetry, there are only two cases: (1) p and r are in different partitions and (2) p and r are in the same partition. The strengthened form of the Lemma is needed in case
{p,r}S?;AoUA 1.
Case 1) W.l.o.g., let p E Ao and rEAl. The splitting of X induces splittings of ). and ~ into >'0 A ).1 and >'0 A ~1 such that for i = 0,1: Xi 19 j = ).. 19 j if j E Ao and Xi 19 j = ~i 19 j if j E A1 and ).1 and ~1 are as small as possible. Define 171 to be the largest index such that
Co ~* Cm l* C,,; likewise, define m and m w.r.t. the latter two computations. Induction
gives a computation Co ~* Cm E Comp(P, T) such that ~o 1 i = ).1 i for i E Ao, ~o 1 i = >'01 i
for i E A 1, ~o 1 i = Xo 1 i if i ~ Ao U A 1, e;,. = C:n if i E Ao, e;,. = 6!n if i E A1 and e;,. = C!n otherwise. By definition of Crn (i.e., of 171 and m) a transition to Cm +1 is possible producing the
global record in Xl, where e;"+1 = e;,. for i ~ {p, r}, C!.+1 = G:;.+1 and e:;'+1 = 6;;'+1' The remainder ofthe three computations (if any) are independent and hence can be grafted onto em +1:
first all the steps involving modules (whose indices are) in Ao from computation 1; then the steps invoving modules in A1 from the second one; and finally the steps in the remaining modules from
~ ~ the third computation. This results in a computation Co ~* Cm ~* Cn E Comp(P, T).
By construction, Cn and ~1 (hence ~o A ~d satisfy the conditions of the Lemma.
Case 2) W.l.o.g., let p, r E Ao. As in case I, the label sequences X and). can be split, which also
determines m and 171. Since the second computation is not involved in the last communication,
I can take >'0 = ~, Xl = ~ and in = n. Note that .\0 19 i = >. 19 i for i E A 1 • The rest of the argument is as in the first case. 0
The strengthened form of the Lemma together with its proof show the essential triviality of the
Global Merging Lemma: a transition label sequence really determines the complete computation. An inspection of the proof also suggests that if Ao and A1 are singleton sets (or empty) it suffices to
assume local instead of global reachability for the Ao and A1 computations. In fact, the following
special case is worth recording:
4-7 LEMMA. With notation as above, assume that
• (h, l) is (M" f, K, v, 17, '5.)-lr,
• ( ) is (P, T, 17, ~)-gr and
• T r Vi = f r Vi and ~ 19 I = X. Then (h,l) is (P, T, V, 17, ~)-gr.
PROOF. The proof is in fact very easy and does not require an induction. Just take the global
computation, Co ~* Cn E Comp(P, T) and remove all transitions involving M,. In their place,
16
substitute the transitions from Cb ~ * c!,. E Comp(Mz, r, K). Because in both computations
Mz starts in the same state and because). !g 1 = X, the resulting computation is in Comp(P, r) and shows the required global reachability. 0
4-8 OBSERVATION. Local and global reach ability are semi computable relations.
5 Specifications and Proofrules
5.1 Specifications and their interpretation
5-1 DEFINITION (Specifications). Let T be a CMe(E)-statement or procedure, M. a module and P a program; p, q, MI E L(E). Specifications are o[ one o[ the following three [arms:
• (1) (CA, WA, CO, MI I {p}T{q}) or (2) (CA, 0, CO, MI I {P}M.{q}), where (1' stands [or T or M.)
CA ~ {i: p It labels a closing bracket in 1', p E L(E)}
WA ~ {l: p Ii labels the rear of a wait in l' or l' == T'.l, p E L(E)}
CO ~ {i : p Ii labels an opening bracket, a call or the fron t o[ a
wait in 1', p E L(E)}
- in case (2),
* FV(MI) n L. = 0, * [or alli : p-term: FV(p) n L. ~ L(i) and
* any iCT E VarIC that appears in any assertion refers to a procedure in Mi ; i.e., has
the form ic.a}.
- i[ T is a procedure with formal parameters, u, then FV(p,q) n {u} = 0
• (3) (0,0,0,true I {p}P{q})
5-2 DEFINITION. Let A ~ {i: p Ii E Lab, p E L(E)}
• A(i) = A{p Ii: pEA} E L(E). (Note that A 0 == true).
• A is disjoint if ...,3 i E Lab, p, q E L(E) such that {t : p, t : q} ~ A and p '1- q.
Intuitively, a formula like l : p is true in configuration-state either if control is not at the i-labeled point, or p is satisfied in the (local + global) state at such a point. The meaning of a specification for T is, that on any execution sequence of T that starts in a state satisfying p and for which CA and WA are true in every configuration-state, CO will be true in the last configuration state of the sequence, MI will hold if it is a waiting point and q will hold if T terminated. So, e.g. (0,0,0, true I {p}S{q}) is an ordinary partial correctness specification and (hence) clause 3 expresses the paper's basic interest in partial correctness properties.
This Dotion of specification is essential for syntax-directedness. The communication-assumption,
CA, waiting-assumption, WA, and commitment, CO, make explicit (1) the various assumptions about the environment's behaviour upon which validity of the specification (i.e. CO and q) depends and (2) the behaviour to which the statement commits, necessary to validate the environment's assumptions. Finally, there is a module-invariant, MI, that characterizes the (global) module state at waiting points; hence the states in which procedures start executing.
17
5-3 DEFINITION (satisfaction and validity). Let E be & signature and A a E-structurej T a CMe(E)-statement, procedure, module or program, p E L(E), A ~ {i : p Ii E Lab, p E L(E)}
and 0 a configuration-state {(~, 9i,0, 8"1, ... ,8,,,.;, O'i) Ii == l..m}. ,. Let if == U 0', and ii = U{lIi,G; Illi ¢ -1, i = l .. m}.
i=l
• A, 0 F p iff A, if U ii F p
• A,o F A iff ~ ¢ -1 => A, 0', U IIi" F A(Pi,,) for j = O .. n" i = l..m
• A,o F* A iff A, 0', U IIi" p: A(p,,j) for j = O .. n" i = l..m
• Satisfaction can be trivially extended to conjunctions of first order formulae and formulae
of the form A. Validity is defined in the standard way.
• Let p = {O' I A, 0' p: p} and A = {C I A, 6( C) FA},
- A, (00 ~ ... ~ 0,., t) F (CA, WA, CO, MI I {p}T{q}} iff
(00~ .. ·~6,.,t)E[T](p,CAUWA) ~ A,6,. F CO&.
a,. = -1 => A,6,. F MI &. t = T => A, 0,. F q 3
- A, (00 ~ ... ~ 0,., t) F* (CA, WA, CO, MI I {P}T{q}} iff
(00 ~ ... ~ 0,., t) E [T](p, CA U iVA) and A, (00 ~ ... ~ 0,., t) F (CA, WA, CO, MI I {p}T{q}}
• A F (CA, WA, CO, MI I {P}T{q}} iff
'V (00 ~ ... ~ 6,., t) E [T] A, (00 ~ ... ~ 0,., t) F (CA, WA, CO, MI I {p}T{q}}
The definition itself is straightforward. Note that local states can only be specified by "labeled" formulae and that satisfaction of non-labeled formulae at waiting points does not involve the local state. The meaning of satisfaction of a labeled formula interacts with the definition of configuration state: remember that in a (module) configuration state, 0 = (a, 8o, ... , 8m , 0'), the label part of a local state, 8" is included only if a = i or a = -1. In other words
Hence, if a ¢ -1 then the relations F and p:* coincide, but if a = -1 then A, 0 F A is vacuously true, whereas for p:* I have that
a=-1 => A,6F*A iff O'UlliFA(p.)fori=I ... m
Note that if a == -1 then Pi ¥ 0 for i = 1 ... m. The definition of satisfaction can be turned around - as usual - and be used to characterize
sets of states, respectively, configuration states by formulae, respectively, sets of labeled formulae.
In the sequel, such correspondences will be implicitly understood and I shall write, e.g., [S](p, CAl.
'Remember the usumption that stllte. alwllY. have domains that cont&in all the appropriate vanllblea.
18
5-4 OBSERVATION. Satisfaction is a computable relation. Non-validity is a semi-computa.ble relation.
5.2 The proof system, P S(T)
Let T s::; L(~) for some signature ~. In the rules below, some of the premises are L{E)-formulae.
The interpretation of such a rule - as usual - is that it can be applied provided every L(~)
formula among its premises is in T. The proof system consists of the following rules and axioms.
5.2(1.) assignment a.xiom. (0, 0,0, true I {p[e/:z:]}:z::= e{p})
5.2(2.) wait axiom. p- q AMI
(0, {t' : r}, {t : q}, MI I {P}t.wait.L1{r})
5.2(3.) call rule.
(0,0,0, true I {p}SI {II f q}), (0,0,0, true I {q}Sz{'}) ({f" : r}, 0, {L: p, l' : q}, true I {P}L,(Sli t'.call M,.aj(e#f)i Szi L".){r /\ ,})
5.2( 4.) sequential composition rule.
(CA" WA., CO" MI, I {p,}S,{q,}) i = 1,2, ql - P2 (CAl U CAz, WA I U WAz, COl U COz,Mh V MIzl {PI}SI; Sz{qz})'
provided that CAl U CAz, WA I U WAz and COl U CO2 are disjoint.
5.2(5.) if rule.
(CAl, WAll COlo MIl I {p/\ b}Sdq}), (CAz, WA z, COz, MIz I {p/\ ...,b}Sz{q}) (CAl U CAz, WA I U WA z, COl U C02, MIt V MIz I {P}if b then Sl else Sz fi{q})'
provided that CAl U CAz , WA I U WAz and COl U COz are disjoint.
5.2( 6.) while rule. (CA, WA, CO,MI I {p/\b}S{p})
(CA, WA, CO, MI I {p}while b do S od{p /\ ...,b})
5.2( 7.) initial statement rule.
(CA, WA, CO,MI I {p}S{MI}) (CA, WA U {t : q}, CO, MI I {P} : [S.l]{q}) '
provided WA U {f: q} is disjoint.
5.2( 8.) procedure rule.
(0,0,0, true I {P}Sl{q}), (CA, WA, CO, MI I {q /\ r}S{,}) (0,0,0, true I {8}SZ{t}}, t - MI
(CA U {L: r}, WA, CO U {t' : I}, MI I {p}a)(il#ii) : [Sl;l.}; S; l'.(; S2]{t}) '
provided FV(p, t) n {il, ii} = 0 and CA U {l : r} and CO U {ll : ,} are disjoint.
19
5.2(9.) module rule.
Let the module MI be declared as
MI:: a1 (ill #vd : [: Sl]
ak(ilk#Vk) : [: Sk] : [So.lo]
Then
(CA;, WAj, CO;, MI I {MI}a}(u;#v;): [S;]{MI}), j = 1, ... ,1:
(CAo, WAo, COo, MI I {p A IN}So{MI A WAo(lo)}), MI A WAo(lo) -+ q k U WA; # (CAj, WA;, MI, {u;, V;}, a~(i1j#v;) : [lj.Sj]) j = 1, ... ,1:
j=O I: U WAj # (CAo, WAo, false, 0, So) j=l
k I: for every l.wait.l' in MI: U CO. (i) -+ MI A U WA.(l') .-0 .=0
I: I: (U CAt, 0, U CO., MI I {p}MI{q}), .=0 .=0
I: I: I: provided U CAj, U WAj and U COj are disjoint and where
j=O ;=0 ;=0
• IN == A{ic.a} = 0 I j = 1 ... nl}.
Let A = {l: p Ii E Lab, p E L(E)}. Then the expression
A # (CA, WA,p, z, S)
stands for the set of interference freedom specifications
({CA, WA(q'), CO, true I {p'}S{q'}) I l: q E A}
where
• q' == q[yJi] (y does not appear free in CA, WA, p, q or S),
• p' =pAq',
• WA(r) == {l' : WA(l') 1\ r A ie.a} ~ N Ii' labels the rear of a wait,
• CO == {l: q' Illabels the front of a wait},
5.2(10.) program rule.
in S; FLB(a~) = FLB(S) for j > 0 and
if l E FLB(a}) then N = 2 else N = I}
(CA., 0, CO., MI. I {p.}M.{q.}), i = 1, ... , n Coop({{CA., 0, CO., MI. I {P.}M.{qi}) Ii = 1, ... , n}, GI)
(0,0,0, true I {P1 A··· APn A GI}[M1 II ···11 Mn]{q1/\'" A qn /\ GI})
provided
n n n • U CAi, U WAi and U CO. are disjoint
i=l i=O i=l
20
• FV( CAi, COi, Mh Pi, qi) n V; = 0 for i:/; j
• no variable free in GI appears on the left-hand side of any assignment outside a brack
eted section in any Mi nor as a formal parameter of any call or procedure.
The expression
stands for the set of cooperation specification pairs
(0, 0, 0, true I {COi(l) 1\ MIj 1\ GI}Slj c.a{ := ic.a{ + Ij S~[.]{ CAj (£')[-] 1\ GI})
and (0, 0, 0, true I V Z CO;(i) 1\ COj(L)[.] 1\ GI}S2[.]j ic.a{ := ic.a{ - Ij S2
where [.] == fe, z/u, ii], for any matching call-procedure pair
l.{jSljf.calIMj.a,,(e#Z)jS2jl.) in M. and
a{(u,ii): [S~j£'.)jSjl.{jS~] in Mj
5.2(11.) consequence rule.
(CA, WA, CO, MI I {p}S{q}), P' -+ p, q -+ q'
{CA.(/) 1\ GI}
ViE FLB(S): CA'(l) -+ CA(l), WA'(l) -+ WA(l), CO(l) -+ CO' (i) if S is not a statement or contains a wait: MI -+ MI' 4
(CA', WA', CO',MI' I {p'}S{q'})
5.2(12.) substitution rule.
(CA, WA, CO,MI I {p}S{q}) (CA[t/z), WA[t/z), CO, MIl {P[t/z]}S{q})
provided z tI. FV(CO, MI,q, S).
5.2(13.} auxiliary variable rule.
Let AV be a set of variables such that :t E AV => :t appears in S' only in assignments,
y := t, where y E AV or as formal value parameter in a procedure declaration.
S is obtained from S' by deleting all assignments to variables in AV and all occurrences as
value parameter in a procedure declaration together with the corresponding actual parame
ters in the syntactically matching calls.
(CA, WA, CO,MI I {p}S'{q}) (CA, WA, CO,MI I {P}S{q}}
provided FV(q, CO, MI) nAV = 0.
5.2(14.} label (and bracketing) rule.
(0,0,0, true I {P}S'{q}} {0, 0, 0, true I {P}S{q})
provided S is obtained from S' by deleting every bracket or label.
Concluding this section are the two theorems proof of which justify the paper.
3Note that if S is a statement but does not contain a wait, 10 that no waitingpoint il reached while executing S, one may take an arbitrary MI'.
21
5-5 THEOREM (Soundness). Let A be a E-structure and T ~ Th(A). P is a CM(E)-program. Then
I-PS(T) (0,0,0,true I {p}P{q}) ::} A 1= (0,0,0,true I {P}P{q})
5-6 THEOREM (Completeness). Let E be the signature of Peano-arithmetic and N the standard
model. Then
N 1= (0,0,0, true I {p}P{q}) ::} I-PS(Th(Af» (0,0,0, true I {p}P{q})
5.3 A substitution lemma
For the soundness of the program rule and for completeness for program specifications, some results
on substitutions are needed to relate the value assignments at the start and end of procedure calls
with the syntactic substitution in the cooperation specifications.
5-7 LEMMA. (The substitution lemma). Let S, S' be CMt(E)-statements not containing call or
wait-statements. Let u, V, if ~ Var, e ~ Tm(E) and p, q E L(E) be such that lui = lei, liil = Iii, the variables in u do not appear as left-hand-side of any assignments in S and the variables in the lists u, v and if are pairwise disjoint. Additionally, assume that the following conditions hold:
un ii = 0, FV(e) n if = 0, {u, v} n FV(q) = 0 and (FV(S') u {u, v}) n (FV(e) u if) = 0. Then
([-] == fe, if/u, v)): 1. A F= {p}Sj S'[.]{q[.]} <=} A F= {p}Sj u, v := e, ifj S'{q}
2. A F= {p[·]}S'[·]i S{q} <=} A F= {P 1\ ii = e}S'i if := Vi S{q}, provided if n FV(p) = 0.
The proof of this Lemma is delegated to the Appendix.
6 Soundness
Validity of rules is defined as usual: validity of the premisses implies validity of the consequence.
Fix some E-structure A and T ~ Th(A).
6-1 LEMMA.. The axioms 1 and 2 and the rules 3, ... , 14 are valid.
Although this paper's specifications are more detailed than partial correctness specifications, the validity proofs for some of the axioms and rules (e.g., sequential composition, if and while rules,
consequence and substitution rules, the auxiliary variable rule) are completely analogous to the
usual proofsi see e.g. [deBBO] and [AptB3]. For the assignment statement this is obvious, since its
execution sequences do not include labels or waiting points. For, e.g., the sequential composition
rule it is because assumptions and commitments cannot refer to labels in the component they are
not associated with. In the proof below, only the non-trivial and new cases will be tackled.
PROOF. [of Lemma 6-1] Generically, for any S~ considered below, let (6~,/3A .. • A6:::t:"t) E [S~] where 6~,/3 = 6(SC60(S~)), The notational conventions of Section 3 will be heavily used. In the proofs, prefixes (6~,/3 A ••• A 6,:,/3 , .L) of the above sequence will be considered, too. Note that if the initial state is not
constrained, any sequence in [S~] can be obtained as a suffix of a sequence as above. Usually,
statements will be embedded within other statements; say, So == Sli S2. In such cases, the following
22
"aliasing" convention applies: the configuration-state sequence associated with Si is 6b ~ ... ~ 6~; for i = 0,1,2. We have that 68 = 6~, 6r = 6L ... , o~, = 6;', = 05, 6~'+1 = 6~, ... , 6~,+n. = 6~ •. I shall mostly ignore the terminal states in completed computation sequences, since it is usually
the last but one state that is needed in the arguments below.
6-1(1) wait axiom: S == i.wait.i', WA == {l' : r} and CO == {l: q}.
By Definition 3-9, 60 = (0, (0, i), 0'), 61 = (-1, (0, i'), 0'), 62 = (0, (0, t'), 0") and 03 = (0, (0, 0), 0"). First assume that 00 F p. Then 60 F co and 01 F MI because F p - CO(l)I\MI.
Note that 61 F WA is trivially true and that 62 F WA holds by assumption. Next, 02 F WA
implies 63 F= r. Here, I ignored the terminating configuration, 04 = (0,0") as explained above.
Obviously, I also have that 04 Fr. 6-1(2) call rule: S' == i'.call Mi.a;(e#i), S == i.(S1jS'jS2jl".), CA == {l": r}
and CO=={l:p,i':q}.
Again by Definition 3-9, oJ = (0, (0, i), 0'1), ob = (0, (0, l'), 0'), 01 = (0, (0, i'), 0'), 62 = (0, (0, 0), 0") and o~. = (0, (0, 0), 0'2) where 0" = O'{a/i} and a ~ IAI.
Now, if 6~ F p then o~ F co. Since 51 does not contain any labels, the next point of interest is the front of S'. By validity of the first premiss of the call rule, 6;', F Vi q (where I assume that
SI terminates as there is nothing to prove otherwise), so that also ob F Vi q and, hence, 6b F q.
This implies that ob F CO, 01 F CO, o~ F q and 65 F q (as 65 = 02). Validity of the second
premiss yields o~. F s, hence 6n F CA(l") 1\ s.
6-1(3) procedure rule: Apply the reasoning of (2) thrice.
6-1(4) initial statement rule: This is a direct consequence of the fact that every computation
sequence of: [S.l] can be obtained from one of S, except for the sequence "starting at l". This
case is covered by the change of WA.
6-1(5) module rule: As above, assume that the premisses ofthe rule hold. The following stronger statement will be proved:
A A k For any Co ~~ ... ~ ~ Cn E Comp(M"p, U CAi) with 6n = a(Cn ):
i=O
k
On F* U (COi u WAt), an = -I:::} 6,. F MI and e,. ETC:::} On F q. i=O
Note that s(Co) F IN by Definition 3-7 and that 6n F* COi ¢::::::> 6n F COi. Hence, I can
concentrate on WAi. Next, observe that MII\ WAo(io) - q. This means that Cn ETC => 6n F q
automatically follows from the first two clainls and the fact that the k + 1st premiss of the rule
establishes WAo(lo) 1\ MI as post condition.
The proof uses induction on the number, L, of 6i's with G.i = -1 for i < n. The computations
in a} will be superscripted with jj those in the initial statement with o. Define 6i = s(Ci ) for
i = l..n and let t = T if C,. E TC and t = .1 otherwise.
L = 0) So, the computation is in fact within the initial statement. Validity of the initial
statement specification implies that 0,. F COo and 6,. F MI in c~e an = -1, since by assumption ,. 60 F p 1\ IN and 6i F CAo for 0 ~ i $ n. Observe that 6,. F* U (WAi U COil trivially holds
i=l in this case and that 6,. F* WAo either holds trivially (in case an #- -1) or follows from the last premiss of the module rule.
L > 0) Let fi be the largest index < n such that an = -1. Let k = an-I and (I, il) = Idn_ l ,k,
23
DO 4,=-1 "
Co ---+ •.• ---+ Cn- 1 ---+ Cn ---+ Cn+1 ---+ ••• ---+ Cn -; ---+ Cn
I I ('1-11 ... ) (·Ikl···ld,.,,,:( ... ) ... )
# -1 I (. I k I ... Idn_l,k : ( ... ) ... ) (l, h)
# -1 I (l, h)
Figure 1:
and let k = Cln+1 and (l, h) = Ic4.+1,'" The situation is depicted in Figure 1 (when Cln # -1).
Extract the ak-computation leading to the kth LC in Cn from this sequence:
First, inductively define a sequence ao, QlI ... , an that traces the sequence of LC's that evolve
into LCn,k:
• an = k • 0 ::; i < n -1: ai = -1 if ai+1 = -lor Ci has less than ai+1 LC's,
= ai+1 + 1 if eli # -1, eli+1 = -1, eli < ai+1 and Ci has more LC's than C'+1, otherwise
This definition sets ai = -1 if the correct instance of ak still is to be created and sets a, = ai+ 1 + 1
if some instance terminates. Next, define a sequence io, i l , ... , i,. inductively as follows5:
• io is the index t such that ao = a1 = '" = at-1 = -1 and at # -1,
• 0 < j ::; r: ii = ii -1 + 1
= the smallest index t > ii-l such that at = at otherwise
This sequence points to those MC's, Ci, in which activity is (the second case) or just ceased to be (the first case) within the LC pointed to byai.
The ah-computation can be extracted in the same way, resulting in sequences /30, /31,'''' /3n and jo, ... , j,. Note that here the sequence ends in Cn.
First I prove that
A: On 1=* WAh U COl., Cln = -1 => On 1= MI.
By Definition 5-3, On can be replaced by 6(LCn ,,,).
Now, define i by i = n - 1 if t = T and by i = n otherwise. Let i be the index such that j; = n + 1 (note that i exists) and define a sequence of configuration states, of, for i ::; i ::; i by:
Of = (p;" 8;"oj;.' 0';') where Pi, = -1 if ai, = -1 and Pi. = 0 otherwise. Then, if h = 0
(O~, ... , o~, t) 1= (CAo, WAo, COo, MI I {P" IN}So{MI " WAo(lo)}) (2)
6,. i. implicitly detennined by the condition that if' = n
24
and, if h ::f. 0
(3)
Suppose that o~ F WAh and o~ F MI in case ;0 = n + Ii i.e., in case the instance of ai was created in the Cfi -+ Cfi+1-transition. Then, A would follow from satisfaction of (2) and (3) and
the fact that the only resumption at a waiting point in the computation is "at" 6~ = .(LCfi +1,"). Hence, there remains to show that
1. o~ F WAh if;o::f. n + I,
2. of F MI if;o = n + 1.
Two cases have to be distinguished.
(1) ;0 > it" or k = k. Here the easy cases are collected where no interleaving takes place: If ;0 > i,. this means that the instance pointed to by the i-sequence is created (the moment) after
the other instance terminates. If k = k and ;0 < i,. this means that control remains in the same instance when passing the waiting point, so that ;,. = i", for k ~ r. Let r be the largest index such that 4-1 < nand at._ 1 = -1 or 1 if such an r does not exist. Define configuration states,
0; by 6; = (Pijl 9i;,Qi;, O"i;) where Pi; = -1 if at; = -1 and Pi; = 0 otherwise, for r ~ i ~ r. It is straightforward to verify that if ii = 0
(4)
and otherwise (5)
for some l-By assumption 0; F P 1\ IN if h = 0 and r = 1; moreover, 0; F CAii for r ~ ; ~ r. Applying
I: _
the induction hypothesis to (60 A ..• A6. j ,l) E [M,](pI\IN, U CAi) yields 6; F WAii for r ~; ~ r .=0
and 6; F MI if h ::f. 0 and f = 1. Note that 6: F WAii, again, follows from the last premiss of
the rule. The claim now follows from validity of (4) and (5): first, O"~ = O"~ (i.e., O"fI. = O"fI.+1); whence
cS~ F MI which completes the proof in case ;0 = n + 1. Second, if jo ::f. n + 1 then k = k and, hence, h = h. This implies that utI = u~. Since v~ = vt, I have that cS~ F COii implies that cSt F WAh using the last premiss of the module rule.
(II) ;0 ~ i,. and Ai ::f. k. I.e., control passed a waiting point and switched to another already existing (!) LC. Hence, a wait was encountered or the end ofthe initial statement or the end of
a procdure instance. To show: Ofi+! F WAh. For this, validity of the interference freedom specifications is needed.
So, let Pfi+l," = l (note that the LC is k and not Ai). Let f be the cardinality of Dom(vfi+1,"') = {:el, ... ,:e,} and let {Yl, ... , til} be a collection of variables not part of the domain of any state
I: I: J:
appearing in any C. for 0 ~ i ~ n and not appearing free in U CA., U WA. , U CO., MI, p, q .=0 .=0 .=0
or M,. Observe that it suffices to show that
(6)
25
where q = WAh(l)[y,/:z:, i = 1../]. Again, let r be the largest index such that ir < n and at~_l = -1 or 1 if this is impossible.
Define 1/ = n{l/n+1,l:(:Z:,)/y" i = 1../} and define a sequence of configuration states by 6; = (p'j,8'j,Qij,Uij U 1/) where P'j = -1 if elij = -1 and P'j = 0 otherwise, for r:5 j:5 r. Then
(7)
for some f, where q' == WAh(l)[y,/:z:" i = 1../]; pi == false ifh = 0 and pi == MIotherwise. Observe n _
that if h = 0 then r:/; 1. Induction gives that O'~_l ~* MII\ U WA,; hence 0; ~ MII\ WAh I\q'. i=O
By definition 0; ~ CAh (r :5 j :5 r), so that I obtain
(O~A."AO:,l) E [S;;](p'l\q', CAhU WAh(q'»
Now, (7) gives o~ ~ CO and 6~ ~ q' if f = T. Hence, 6n+1 1= WAh. n
B: 0 .. ~* U WAh ,=1 ,¢h
.. If Cln :/; -1 and Cln-l :/; -1 this holds trivially. If this is not the case, induction gives On ~* U WAi
,=1 and every WAi (i :/; h) must be shown interference free over the a~-computation in Cn -+* C ...
This is fully analogous to the argument in case A-II and, hence, is omitted.
6-1(6) Program rule:
6-2 DEFINITION. Acceptable configuration.
• A local configuration, 1 d : (S, 8), is acceptable if either
S == i.rend",',i; S' or the following situations do not occur:
• S == S';l.callMi.ai(e#ii);S" and S' does not contain an opening bracket,
• S == S'; i.); S" and S' does not contain a call-statement, or
• S == S';endii ,1',. and S' does not contain an opening bracket.
• A module configuration is acceptable if all its active LC 's are
• A program configuration is acceptable if all its MC's are.
An inactive local configuration is always acceptable, since wait-statements never appear within bracketed sections. Hence, a configuration is acceptable ifno local configuration is within a bracket
section. The following statement - implying soundness of the program rule - will be proved.
Suppose there is a program P == [MIll .. . 11M .. ] and there are CAt, CO" MIt, p, and q, (i = 1 ... n) such that the premisses of the program rule are valid. Then for any
>'1 >'m Co --+ C 1 ••• ---+ Cm E Comp(P,Pl 1\ .•• 1\ P .. 1\ GI), where 0, = I(C,) for
n
o :5 i:5 m: Om 1= U CAt, Cm 1= GI if Cm is acceptable, and Cm = TCtT(P) ~ 0" ~ .=1
26
For every 6., I can assume that Dom(ut) n VI: = 0 and (by definition) that ut r V = 0': r V if V = Dom(01) n Dom(O'n for k =/; j and for j, le = 1 .. . n. The proof is by induction on the computation length, m.
m= 0) Then 60 = 15m, Co is acceptable and by assumption 60 1= GI. Note that CAj(p-,j,IJ .... j) == .. true for 1 ~ j ~ n. Hence 15m 1= U CA." GI. Finally, Co cannot be a terminal configuration.
i=1 .. m > 0) If Cm is a terminal configuration, then 15m 1= U CA. is vacously true. Since in
,=1 this case Cf71 - I is acceptable too, induction implies 6m- 1 1= GI, hence 15m 1= GI as there is no
(variable) state change involved in the Cm- 1 ..!..... Cm-transition. The conditions on the assertions
imply that 6t 1= Pk and, using induction, that 6; 1= CAk for 0 ~ j < m, 1 ~ k ~ n. By projecting the computation sequence on the transitions of each of the individual modules, I may use validity
of the module specifications to conclude that 6:;' 1= qk for 1 ~ k ~ n. Because of the conditions
on the module states and the assertions, I can conclude that 15m 1= ql " ... "q .. " GI. Now suppose that Cm is not a terminal configuration. Since 15m 1= CAk iff 6:;' 1= CAk, I may
assume that em is acceptable. Next, observe that because the free variables in GI may only be assigned to in bracketed sections, it is sufficient to show that GI is reestablished at the end of any bracketed section.
If Cm - 1 is acceptable then the result follows by induction. So assume otherwise. I.e., assume
that Ct,. with at,. =/; -1, has ~ i = i and i labels some closing bracket (in Mj). This implies m,Clm.
that if ),1 - •.. - ),m = )" then), = ),' -c with c == (i, h, ii, j, k, ind) for some i, j, le, h, ind and b. The computation can be split as follows:
),' * c E * Co --+ C Il --+ C q+1 --+ Cm
There are two possibilities: Either c witnesses the start of a synchronization period between M. and Mj or c witnesses the end of such a period. These cases are analyzed separately:
(1) There are statements, L.(j SI;L.call Mj .ak(e#f)j Slj l.} in M. and ak (fi#ii) : [Si j L'.}; Sj l' .(j S~l in Mj; a~ = -1, a~ =/; -1, Cq' IJ' == i,h,a: (i. call Mj.ak(ii#f)jTq ,9'Il· IJ;)' and ~ j = l'.
t , ' 'I m,CI""
This implies that there are configurations Cp and C r such that Cp ~ * Cq , ),11 is a postfix
of )", cpt a i == i, h, a : (f.(SI;i.call Mj.ak(i#f)i Tp , (Ji ,), Cq+1 ~ * C r and cj j == j, Je, b : , p PtaJl '1",0 ..
(f'.) i Sj l'.(S~i end;;,.,h, e;.,IJ~).
- )" * - c * - E * - E *_ Claim: There is a computation Co -- Cp --+ CHI --+ CT' --+ C m such - - - - _.. j -.
that Co = Co, Cm = Cm, Cp and CT' are acceptable, C! -i = C· " iip- = -1, C~ -i == 1',0., p,G" ,. ,a"
C i -j - j - E * - . 1 nl M . . - E *-+1 IJ' ,C __ j = C j' Cji --+ Cq InVO yes 0 y .-transItIons, Cq+1 --+ Ci' only
q ! Q+l t",QfI ",a,.
Mrtransitions and CT' ~ Cm neither M. nor Mrtransitions6 • Hence, C~ _, == Cqi IJi q,af 1 v
and a~ = -1.
This claim follows trivially from the fact that Cm is acceptable and that in any computation, - ),0 * - ),1 * - ).1 * Co - C k -----+ C" if on C" -- C, no communications take place between two modules,
G Remember that"; j = l' m,A ......
27
say Mr and M" any ordering of transitions from Mr and M, is accidental and can be changed.
It suffices to show the Lemma w.r.t. this sequence. fa
Define 6(CA:) = 6" for 0 :5 k :5 m. By induction 6p 1= U CAi 1\ GI, which implies that i=l
6m 1= U CA", hence cm 1= U CA" because FV(CA,,) n V; = 0 for j ::/; k and CAi(l) = true. It "¢j "¢j
remains to show that cm 1= CAj /\ GI and for this it suffices to show that 6,. 1= CAj 1\ GI.
Now define configuration states 6p and 6~ by
_ n _ n. .
cp = (0, (0, 0), U u; U ii~ _; U ( 7 ) and Cf' = (0, (0,0), U u: u ii~ _; U ~ -j) "=1 p,a, 1:=1 ,a. r,a.
By definition, the right-hand sides are defined. Observe that 6p 1= COi(l) 1\ MIj 1\ GI ¢} 6p 1= COi(l) 1\ MIj 1\ GI and 6f' 1= CA;(l) 1\ GI ¢} 6, 1= CAj(l) 1\ GI.
As in the soundness proof of the module rule, extract from 60~" ·~6m for 1 = i, j the configuration
state sequence 6i ~ .. ·~6i corresponding with the M,-transitions in Co ~* Cpo The Ith premiss o "'I
of the program rule implies that (6i ~ ... ~ 6L , t) 1=* (CA" 0, CO" MI, I {P,}M,{q,}). Since by o "'I
assumption 610 1= p, and by induction 6L 1= CA, for 0 :5 v :5 mIl conclude that 6L .. 1= COi and . 6L. 1= MIj ; hence that 6p 1= COi(l) 1\ MI; 1\ GI.
)
Next observe that there is a sequence (60 ~ ••• ~ 6d, T) E [51; ie.a{ := ie.a{ + 1; il, v := e, i; 5~] such that 60 = 6p and 6::' = 6~. Validity of the cooperation specifications says
1= (0,0,0, true I {COi(l) 1\ MIj 1\ GI}51 ; ic.a{ := ie.a{ + 1; 5'[·]{ CAj(l'}[·] 1\ GI}
Substitution lemma 5-7(1) allows the statement-sequence in this specification to be replaced
by 51; ic.a{ := ic.a{ + 1; il, v := e, i; 5~. Since 60 1= eOi(l) 1\ MIj 1\ GI, this implies that
6d 1= CAj(l') 1\ GI which concludes the proof.
(2) There are statements l.(51;t.call Mi.a,,(e#i); 52; I.) in Mj and a,,(il#v) : [l".5~; l'.); 5;
1'.(;5~1 in Mi; a~::/; -1, a{::/; -I, C!,a; == i,h,a: (endj,,,,;;,~,a;)' C'q' a j == i,k,b: (i.ren~,,,,:f; 9 , t q
Tq , ei j) and ~ j = l. 9'09 m,G"",
The proof continues as a complete analogon of the proof of case I, except for the following: the
cooperation specification that has to be used here, is
1= {0, 0,0, true I {Vi COj(t) 1\ COi(I'}[·] 1\ GI}5~[·]; ie.ai := ie.ai - Ii 5 2{ CAj(f) 1\ GI})
Substitution lemma 5-7(2) implies
1= {0, 0, 0, true I {Vi COj(t) 1\ COi(j') "GI 1\ il = e}52i i := Vi ie.ak := ie.ak - Ii 52 {CAj (l) 1\ GI})
Let Cp be the configuration such that 0;,,0; == (i, h, a : (l'.(i 52i endj,"';;' e;"a;)' Then, addi-. , , tionally, I must argue that IIpi a; (u) = uiUv' j (e). This, however, is easy because no M;-transition
, " p,GJI occurred since the procedure instance was created and no Mi-transition will change the valuation
of the variables in il. 0
'Remember that ap,j = -1.
28
6-3 THEOREM (Soundness theorem). Let (CA, WA, Ca,M! I {P}U{q}) be any specification and
T ~ Th(A). Then
r-PS(T) (CA, WA, Ca,MI I {p}U{q}) => A F (CA, WA, CO, MI I {P}U{q})
PROOF. The standard argument, using induction on the length of the proof and using Lemma 6-1
o
7 Relative completeness
From now on, ~ denotes the signature of Peano-arithmetic (or some countable extension) and N is a standard model. Validity is relative to N and the proof system used is PS(Th(N)).
7.1 Some definability results
7-1 THEOREM ([Wei87, Corollary 2.9.12]. Definability of recursive sets).
Let R ~ w be a recursive set. Tben, there is a ¢R E L(~) such that \In E w n E R:: N F ¢R(n), where 11 is the term representing the integer n (i.e., !!:: IUC"(Q)) and ¢R(11) is a sentence.
7-2 LEMMA. If R ~ St .. is computable, then there is a ¢R E L(~) such tbat '110' ESt .. 0' E R => N,u F= ¢R.
PROOF. For any (J ESt .. , define iT E (w2) .. (~ w2 .. ) as the n-tuple of pairs (ao, ... , an-1) satisfying
for 0 ::; i ::; n: . _ { (i, v) if:r:i E Dom(u) and v = U(:r:i)
at - (n, 0) otherwise
Observe that :-: St" 1-+ w 2n is an injection. Let < ... >i: be the (k -1 iterated) pairing function
wi: 1-+ wand let .,...~ (0 ::; i < k) be the associated projections.
Define R ~ w by (ao, ... , an-1) E R =« ao >2,. '" < an-1 >2>nE fl.. Since fl. is recursive
(Church's thesis), there is a ¢'n. E L(~) that defines it. Let .,...1 stand for the L(~)-formula that n-1
defines it. It is easy to show that the wanted formula, ¢R, is given by 3y [¢'n.(y) -+ 1\ (.,...~(.,...~(y)) ::f:. 0=0
11 -+ :r:i = .,...Hy))), where y rt. Yarn, o
7-3 CORROLARY. Let M5 n be tbe set of module specification states sucb tbat the set of variables
that is valuated, is contained in Yarn. If R ~ M5" is a computable set, then there is a f/JR E L(~)
sucb that '116 E M5n : 6 E R ¢::::::> 36 E MIn O'{V} = u{ii} & N,6 F= f/JR
PROOF. Evident. o
Note that in these lemma's, "recursive" can be reJ>laced by "arithmetical" ([Wei87]). De
finability as in Lemma 7-2 and Corollary 7-3 will be called representability. The representing
formula for a module configuration state, (a, 81 , ••• ,8",0'), does neither fix a, nor Pl, ... ,Pn, nor
the partition of Var .. into Dom(u) and Dom(vi) for i = l..n.
29
Facts:
1. For every specification, {CA, WA, CO, MI I {p}T{q}), there is an nEw such that the
variables and formal parameters appearing (free) in the specification, is contained in Yarn.
2. If F (CA, WA, CO, MI I {P}T{q}), then there is an a-priori upperbound, n, such that there is a proof of this specification for which any specification appearing in this proof has its free
variables in Yarn.
Of course, this last fact is a consequence of the completeness proof. Inspection of this proof n
yields that a safe bound is 2m + n + E ki , where m bounds the cardinality of the set of variables i=l
in the specification to be proved, n is the number of modules and ki is the number of procedures
in the i-th module.
1-4 LEMMA. Let F {CA, WA, CO, MI I {P}T{q}) and Jet all free variables be contained in Varm .
H 6 is a configuration state, Jet 6 be the configuration state obtained by restricting every valuation
of 0 to Varm . Then F (CA, WA, CO, MI I {P}T{q}) is equivalent with
PROOF. Evident. o
The consequence of all this is, that given a valid specification, in its proof one can restrict
oneself a priori to a finite set of variables. This allows the "completeness-assertions"to be defined and allows Lemma 7-3 to be used. In the representability definitions in the proof below it will be up to the reader to check that the sets to be represented are in fact arithmetical. These results
are always straightforward consequences of the observations 3-13, 4.2 and 5-4. From now on, every CMe(~)-statement, procedure, module or program and every specification
is assumed only to contain variables from the a priori fixed set YarN. Also, since < ... >" is definable as a term ([Wei87]), it will be freely used in CMe(E)-statements. Concatenation (i.e., paiIing) of two sequences is denoted by h· hi instead of by < h, h' >2. Finally, I shall write < ... > instead of < '" >" and leave the determination of k to the context.
7.2 Completeness for statement and procedure specifications
1-5 DEFINITION (weakest precondition).
H 5 is a statement or procedure, WP( CA, WA, CO, MI, q, S) represents the set
{ 00 100 = ,,(5C.,0 (T)) & VOl! .. " On: (00· .. '· On, t) E [T]( CA U WA) =>}
On F CO & en = -1 => 0,. F MI & t = T => 0,. F q
1-6 LEMMA.
1. N F (CA, WA, CO,MI I {WP(CA, WA, CO,MI,q,5)}5{q})
2. N F (CA, WA, CO,MI I {P}5{q}) <=> N FP- WP(CA, WA, CO,MI,q,5)
PROOF. Directly from the definitions.
30
o
'T-'T LEMMA. For any C Me (E)-statement, procedure, module or program, T, and for any specification, (CA, WA, CO, MI I {P}T{q}):
rps(Th(Ai) (CA, WA, CO, MI I {P}T{q}) ~ rps(Th(Ai) (CA, WA, CO, MI I {P}T{q}},
where • CA, WA and CO are obtained from CA, WA and CO by removing all labeled formulae, l : p,
for which the labell does not appear in T, and
• MI = {true if no waiting point occurs in T MI otherwise
PROOF. This is a trivial application of the consequence rule. o
Specifications as on the left-hand-side of Lemma 7-7 are called minimal.
7-8 THEOREM (completeness). If 5 is a CMt(E)-statement or procedure, then
Af 1= (CA, WA, CO, MI I {p}5{q}) ~ rpS(Th(Jv'» (CA, WA, CO, MI I {p}5{q})
PROOF. Structural induction on 5. Here too, only the representative cases will be treated. Be
cause of Lemma 7-7, I can assume the specification to be minimal.
7-8(1) 5 ==:t := e:
Observe that WP(0, 0,0, true, q, 5) represents the set {(O, (0,0), 0') I O'{O'(e)/:t} 1= q} and hence is equivalent with q[e/:t] ([deB80]). The assignment axiom gives r (0,0,0, true I {q[e/:t]}:t:=e{q}). By Lemma 7-6(2) the consequence rule can be used to obtain the required specification.
7-8(2) 5 == l.wait.l': WP(0, WA, CO, MI, q, 5) represents the set {(O, (O,l), 0') 10'1= CO(l)AMI}. Hence, Lemma 7-
6(2) implies 1= p -+ CO(l) A MI. Since by assumption 1= WA(l') -+ q, the wait and consequence rule can be used to obtain r (0, WA, CO, MI I {P}l.wait.l'{q}).
7-8(3) 5 == l.(51 i l'.callM,.a;(e#f)i 52i [".): Define q' == CA(l") -+ q. Then 1= q' A CA(l") -+ q and q' is the weakest such formula.
Define r == W P(0, 0,0, true, q', 52) and CO' == {l : p, l' : r}. To show (1) 1= {0, 0, 0, true I {CO'(l')}52{q'}) and (2) 1= (0,0,0,true I {P}51{Vf CO'(l')}}.
Validity of (1) follows from the definitions of rand CO'(l'). For validity of (2), first note that a
call acts (locally) as a random assignment, f:=?, so that 1= 'If CO'(l') -+ WP(0,0, 0, true, CO'(l'),
callM,.a;(e#f». Then validity of the specification and the definition of q' (hence of CO'(l'» gives validity of (2). Induction yields proofs of (1) and (2) (in P 5(Th(Af))). The call rule yields
r (CA, 0, CO', true I {p }5{q' A CA(l")}}. By definition 1= CO' (i) -+ CO(l), 1= CO'(l') -+ CO(l') and 1= q' A CA(l') -+ q. So a final application of the consequence rule suffices.
7-8(4) 5 == a(ii#v): [51il.}iSil'.(i52): Define CA, WA and CO in the obvious way as those parts of the assumption and commitment
pertaining to S. Since the formal parameters u and ii do not appear outside 5, FV(p, q)n{u, ii} = 0 maybe assumed. Letr == WP(0,0,0,true,qAMI,S2)ACO(l') and. == WP(CA, WA, CO,MI,r,S).
Clearly 1= CO(l') -+ r, F qAMI -+ MI, 1= (0,0,0, true I {r}S2{qAMI}} and F (CA, WA, CO, MI I {,,}S{r}). Next, define .' == CA(l) -+.. Then F .' A CA(l) -+ " and F (0,0,0, true I
31
{p 1\ WA(l})SI{I'}} by the same reasoning as in (3). Hence, induction allows the procedure rule to be used:
I- {CA, WA, CO, MI I {p}S{q}}
o
7.3 Restricted completeness for module specification
To obtain completeness results in this case, auxiliary variables are needed that record the computation history. The reason for this is the necessity of using the local merging lemma in order
to show validity of the interference freedom specifications. For the same reason, I cannot show general completeness: for that I would need to be able to distinguish between coexisting instances,
which is not always possible. Hence, each procedure, a}, obtains two extra read-only parameters, m} and i}, which are intended to be initiated in each instance so as to uniquely identify this in
stance. Specifically, they are instantiated to the indices of the calling module and procedure. This
makes the local states of coexisting instances unique, provided the communication assumption, CA, expresses the above intention.
Below, I assume that to every label, t, a unique non-zero integer is associated that is also denoted by l; associate 0 with "no label". Also, assume that "in" and "te" stand for some arbitrary but different values.
7-9 DEFINITION. Let MI be some CMe(l:~)-module. Introduce variables, generically denoted by
m}, i}, hi and hi, such that m}, i}, hi, hi ¢ V; for j = 1. . . nl. Let {g} = V; and let {Wi} = LI,; u {m}, i}}. The module M{ is defined as MI except that
• any wait-statement, i.wait.l' in any procedure aj (j ~ 0) is replaced by
h,:= h,~ < l,j,m}, < w; >,l, < ii »;l.wait.l'
• any call-statement, l.(51;i'.callM ... a,(e,#x); S2;i".), in any a} (j ~ 0) is replaced by
f.{51 ; hl := hi· h,· < l,j, < l,j,e, f >,r,8, in >; h, :=<>;f.callM ... a.(I,j,e#x);
h,:= h{ < r, I, < f >, l,j, te >;S2jl".}
• any procedure a}{u#v) : [SI; t.}; S; i'.{; 52] is replaced by
I ( I ·1 -# -) [h h ~ h- ~ 1·1 I" - - 1" h- 5 i) 5 aj mj,lj,U v: ,:=, I < mj,%j,<mj,%j,u,V>, ,),m>; ,:=<>; 1; .; ;
l'{5h h·h-~ l' - "I t ~ l' I 0 - h- 1 .; 2; 1:= I I < ,J,< v >,mj,lj' e> < ,J,mj ,< >, , < y»; 1:=<>
• the initial statement: [So.lol is replaced by So; hi := h,. < l, 0, 0, < >,lo, < ii » .lo.
7-10 DEFINITION (local coding, lc). Let l, mEw and let A1 ~ ••• ~ An be a transititon label sequence. Then
• m locally codes (lc) AI····· An II iffm =« A" >, ... ,< Ail. », where Ail· •••• A,1o = Al ••••• An II and where < Ai; > stands for the code of Aij as sbown above.
Note that there is a 1-1 correspondence between a label sequence and its code.
32
7-11 DEFINITION. Let M, be" CMe(E)-module, p E L(E) and A ~ {i : p Ii E FLB(M1),
p E L(E)}.
• SMI(A, p, M{) represents
{ (-I,n,~.) 3Co - C1 .•• - Cn E C~mp M"
p, A Wlth Co E SC >'1 >'n (') . }
such that an = -1 and O'n(h1 A hi) Ie Al A ••• A An
• COMP(A,p, MI, l) represents
{ (a",8 •••• ,~.) >'1 >'n } 3Co ----+ C1 ••• - Cn E Comp(M{,p,A) with Co E SC
such that a... ::f -1, Pn,o .. = i and O'n(h, A hi) Ie >'1 A ••• A >'n
• Let l E FLB(a~). Then
- if j = 0 then U(l) = true,
- if j > 0 then
U(l) = 3g,g (activeL(hl,g,g,m~,i~) 1\-.3g',g" activel(g,g',g",m~,i~)1\ ic.a} > 1 - 3 g', gil, m, p activeL(g, g', gil, m, p) 1\ aetivel(g, g', gil, m, p) )
where activel(h,/,g,m,p) = 3c h = r < m,p,c,l,j,in > Agl\ -.3g',g",c' g = g,A < l,j,c',m,p, te > Ag"
The predicate activel(h, I, g, m,p) expresses that the (code of the) history h witnesses an active
instance of procedure a} which is being called by procedure a;' (in Mm); moreover I, respectively, g codes the history before, respectively, after this instance becomes active. Then, the assertion
U(l) first claims that as long as an instance of a} with particular values for m} and a} is active,
there can be no second instance with the same values for m} and a}. This implies that these values uniquely identify procedure instances. U(i) also claims that if ic.a} > 1 holds, there must be another active instance of a~.
7-12 LEMMA. Given a speciiication (CA, WA, CO, MI I (P}M,{q}), define
• p == P 1\ h, =<> I\h l =<> I\f = z, with if} = Vi and {z} n Vi = 0
• SWA == {i : COMP( CA,p, Mt,l) 1\ U(i) Illabels the rear of a wait in Mt or the rear of its initial statement}
• seo == {l: eOMP(CA,p,M{,l) 1\ U(i) Illabels the front of a wait, a call or an opening bracket in M{}
• SMI == SMI( CA, p, M{)
• SP == COMP( CA, p, M{, l), where llabels the rear of the intial statement.
• Assume that CA is such tbat
- if ilabels the first (closing) bracket in some a~ (j > 0) then F CA(l) - U(l)
- CA is LC-independent
(These two constraints are compatible.)
Then rpS(Th(.N',» (CA, 0, SCO, SMII {P}M{{SP})
33
PROOF. Observe that 1= SWACt) -+ SMI for any rear wait or rear initial statement label, t. For any A ~ {t : p Ii E La.b, p E L(~)}, let Ai = {i : p Ii : pEA, i E FLB(a~)}.
Again, Lemma 7-7 allows the specification to be taken minimal. By Theorem 7-8, validity of the corresponding premisses of the module rule has to be shown. Only validity of the interference
freedom specifications will be treated in detail.
1-12(1) 1= (CA,,, SWA,,, SCOk, SMI I {SMI}aUii#v) : [Sk]{SMI}), k > 0: The following fact follows directly from the definition of SWA, SCO and SMI, and its proof is
left to the reader:
Supose that (60 ~" .A6 ... , l) ~* (CAk, SWAk, SCOk, SMI I {SMI}a~(u#v) : [Sk]{SMI}), >.
60 1= SMI and 6; 1= CAk for i = O .. n. Then there is a computation Co -...:.... C 1 ~ >.
'" A ~ Cn E Comp(M{,p, CAl, with 6i :::: 6(Ci) [or i = O .. n and 3io, i lt .•• , i.n such
that VO :s j :s m {ij r (Vi U {ie.aD) = Uij r (Vi U {ie.a~}), aj = G;j, if G;j = -1 then
OJ = eij,Girl else OJ = eij,Gi;' and (im(h, ~ h,) Ie >'1 ~ ... A >'n.
From this, validity is easily established.
7-12(2) 1= (CAo,SWAo,SCOo,SMI I {p}So{SMI I\SWAo(lo)}):
Analogous to 1, since a similar fact holds.
7-12(3) 1= SMI/I. SWAo(io) -+ SP: Evident.
7-12(4) for every i.wait.i' in M{: 1= SCO(i) -+ SWA(i'): Immediately from the definitions.
7-12(5) SWA # (CAk, SWAk, SM!, {Uk, iid, aUilk#iik) : [Sk)) for k > 0:
So, for every l : q E SWA, I must prove that
Let i E FLB(a~/), Then, I must show that
). V Co -* Cn E Comp(aL(iik#vk) : [Sk], SM! 1\ q', CA U SWAk(q')) (8)
,,(Cn ) 1= CO & Cn E TC ~ ,,(Cn ) 1= q' .
Fix a computation and let C i = (A I G; I LCi,Ui), LCi::::!di : (Si,ei ) and 6, = 6(Ci) for i:S n.
If Cn 'I. TC or Pn does not label the front of a wait, there is nothing to prove. So, assume otherwise. In either case, I must show that 6n 1= q'. Obviously, it suffices to prove this on sequences for which G; "# -1 for i :s n. There are two cases; namely, Po "# 0 and Po = 0. In the first case, the computation restarts at a block-statement. The latter case corresponds with a computation starting in the procedure's initial configuration.
Case 1: Po"# 0) Then 60 ~ SWA(Po) Aq', with q' == SWA(i)[Y/ilk"iik l ]. Let 110« mL,iL > ) = hand uo( < m~/ ~, » :::: h', where m~, and ~, are the fresh variables substituted for mi, and ii,. Note that h "# h'. By interpreting the assertions, I obtain (as explained below) that
1. 60 F= SWA(Po) => (h,Po) is (M{,p, CA,lIo,O",>')-lr, O"(h, A it,) Ie>. and 17 U 110 F= U(Po),
2. 60 F= q' => (h',l) is (M{,p, CA, lI, 17, >")-lr, O"(hz A h,) Ie >.' and 0" U II F= U(l),
where 17 = 170 rv; and II = O{O"o(Y)/ilk/,iik /}.
These implications depend on the fact that (Lk' U LI:) n V; = 0. This determines the splitting of the variable valuations (in 60 ) into 110. 17 and II, 17, as this must be the case in any configuration of
34
aL and aL" The only moot point is why I can choose h in (1) and h' in (2): Since (J' U 110 F U(Po) there can be no other active instance of aL with the same values for mL and iL. This means that
there is a computation in which the LC leading to (110, Po) is identified by (I, k, h). If k = k' then
c5o(ie.ai) > 1 so that U(Po) implies the existence of another active instance. As h 1= h', the same
argument gives, both in the case that k == k' and in the case that k 1= k', the reachability of (lI,l) by an LC with identification (I, k', h').
As CA is LC-independent, the LML applies, so that (h,Po,h',l) is (M{,p, CA,lIo,II,(J',.\)-lr. Note that>. = >.' because they are both locally coded by the same integer.
Hence, there is a computation,
- .\ - ') Co ---+ Cm E Comp(M"p, CA , (9)
with Oi = s( Ci) for i ::; m and such that 3 r, s 8m , .. = (lI,l), [dm , .. := (I, k', h'), 8m " == 90 ,
[dm" := (I, 1:, h), O"m = (J' and (J'(h, ~ ii.,) Ie A. Also, I can assume that a". == -1: by definition of SWA(Po) and of q' the last record in .\ is a local one and the global state must be attainable at a
waiting point.
- X *-Next, extend (9) with Cm - Cm +n as follows:
• LCm+i,j := LCm,j for j #- I,
• LCm+i" := LCi,
• (J'm+i = (J'i tVi and
• a".+i = s
This extension is well-defined because I can assume that !dm = (I, k, h). Clearly, O"m+n U iim +n , .. F SWA(l) holds. This means that (J' rv,{lI} F SWA(l), hence (J' F q' and, finally, 60 F q'.
Case 2: Po == 0) The argument is analogous to Case I, except that the LML is not needed. k
7-12(6) U SWAj # (CAD, SWAo, SCOo, false, 0, SO): j=l
This is completely analogous to case 1 above. The second case, Po = 0, does not apply because
the pre condition is false, reflecting the fad that on no computation sequence of M, a procedure
instance can be active before the initial statement has reached a waiting point. 0
7.4 Completeness for program specifications
Here, too, auxiliary variables are needed; this time in order to apply the global merging lemma.
7-13 DEFINITION. Let P be a CM(E)-prograrn [Ml II·· ·11 Mn]. Then
• P is a CMe(E)-prograrn [Ml II .. '1IMn] such that P can be r~obtained by removing every bracket or label from P
• P' is the C Me (E)-program, [Mf II ... II M~], obtained uom P by modifying every module
M, as in Definition 7-9.
7-14 DEFINITION (global coding, gc). Let i, mEw and let Al ~ '" ~ An be a transition label
sequence. m globally codes (ge) Al A •• ·~).m 19i iHm ==« ).i1 >, ... , < Ai" » where Ail ~ ••• ~ Ai" == Al ~ ... ~ ).m 19 i
35
7-15 DEFINITION. Let P be a CM{E)-progra.m (M1 1/ ••• " MnJ, p E L(E), l E FLB(M,,) and
A ~ {l: p Ii E Lab, p E L(E)}.
• COMP,,(V,l) represents
{(a, (v, i), u) 3Co ~* C n E Comp(~"p) such that a~ ¥ -1, 9!t(l~ = (v, i),}
. u! r V = u r V and u(h" A h,,) Ic A 1 k
7-16 LEMMA. Given a CM(E)-progra.m, P == (M1 1/ ••• \I MnJ, and p E L(E), let {it} = Vi for n n
i = 1.. n and let Z1, ... ,zn be pairwise disjoin t sequences of variables such tha.t U Z n { U (Vi U
L.) U FV(p» = 0 and Iz.1 = IXil for i = L.n.
Define for i = 1..n n
• P. == p(zj/ij, j = 1..n, j ::j:. i) /I. i. = Zi /I. h. =<> /l.h.. =<> and p == A. P • • :::1
• SCA. == {t: COMP.eVo' U {z.}, t) /I. U(l) Illabels a closing bracket in Mf}
• SGI represents
.=1 .=1
{ (.,B,a) A . } 3Co --+ em E Comp{P',p) With On = 8{Cn ) such that Cn
is acceptable,u{ho) gc oX and u:"(ho) = u{ho) for i = 1 ... n
Then, every specification in the set of cooperation specifications,
Coop({(SCA., 0, SCO., SMI. I {P.}MHSP.}) Ii = 1..n}, SGI),
is valid.
Here, SCO., SMI. and SP. for i = l..n are defined as in Lemma 7-15 (w.r.t. SCA. and pd. The indices i denote the modules to which they belong. Note that SCA is LC~independent because
COMP" is. This proof is somewhat less detailed than that for module specifications, because the construc
tions of the computations are similar. It can be short because much of the work has been done in the proof of the G ML.
PROOF. Take any matching call procedure pair
i,(S1;l.callMj.a,,(e#i)iS2il.) (in MI) and
a,,(u#ii): [Siji'.)jSjl'.(jS2] (in Mi )
Since the assumptions, commitment and monitor invariant are trivial in the cooperation specifications, they will not be mentioned explicitly below.
7-16(1) F {SCO.{l) /I. SMI;" SGI}S1j ic.a{ := ic.at + Ii Si[·]{SCAj{l')[.] " SGI}: Substitution lemma 5-7(1) yields equivalence with
F {SCO.(i) " SMIj " SGI}Slj ic.a{ := ic.a{ + 1; il, Ii := e, Zj S~ {SCAj(l') " SGI} (10)
Denote the statement sequence in (10) by T. Choose any configuration state, 0 such that 0 1= SCO.(i) " SMI, /I. SGI and let the configuration state, 6, be determined by the condition that (6 A .,. A 6, T) E [T]. If there is no such 6, (10) holds trivially. So assume otherwise. To show:
36
61= SCAj(l')1\ SGI. W.l.o.g., assume that Dom(6) = V;'UVjUL. and that [, rv~ = CTIc for k = i,j and that [, r L. = v.
By Lemma 4-7,6 1= SCD,(l) 1\ SCI implies that for some h, (h,l) is (P',p,V,CT,,>')-gT and CT.(h. A h;) Ie >'1 i, whence CT.(h.) ge >'1 i. Similarly, [, 1= SMlj 1\ SGI implies that for some h, (h,l) is (P',p,V,CTj,).)-gr and C1;(h; A hj) Ie ).1 j, whence CT(h;) ge ).1 j, where (v,l) is some arbitrary local state in the final configuration of the computation implied by SMli (note that at least one such state exists).
The GML gives that (h, l, h, l) is (P', p, II, ii, 0-, X)-gr with 0- r (V;' U Vj){v} = 0 and o-(hi A
_ A ~ * . hj) Ie >. 1 j. Hence, there is a computation Co - Cm E Comp(P',p) such that a~ = -I,
Bim 4' = (II, i), CT~ r V~ = CTIc for k = i, j and C1;(hi A hi) Ie ).1 j 'T"'his computation can be extended can be extended by performing the S1-transitions, then the
call-transition and, finally, the S~ -transitions. The net effect is that of executing T. Let Cn be
the resulting configuration. Then 6 rv~ = CT! rv~ for k = i, j and 6 r LJ', Ic = vi ;' Also, CT~ 1= U(i')
, fl.,Oft,
holds because M. cannot be engaged in another call to Mi' Hence, 61= SCA;(l') 1\ SGI.
7-16(2) 1= {Vi SCD.(l) 1\ SCOj(l')[,] 1\ SGI}S~[·]; ie.a{ := ic.a{ - 1; S2{SCA.(l) 1\ SGI}: Substitution Lemma 5-7(2) and the fact that 1= Vi SCD.(I)I\SCD;(l,)[.]I\SGI -+ u = e yields
equivalence with 1= {Vx SCD.(I) /\ SCDj(l') 1\ SGI}S2j x := iij ic{ := ic{ -lj S2{SCAi(l) 1\ SGI}. The rest of the proof is analogous to 1. 0
7-17 THEOREM (Completeness). Let P == [Ml II ... II Mn] be a CM(~)-program and p, q E
L(~). Then JJ 1= (0,0,0, true I {P}P{q}) ~ I-PS(Th(N» (0,0,0, true I {p}P{q})
n
PROOF. Use the notation of Lemma's 7-12 and 7-16. Let SP == "SP,. From Lemma 7-12 ,=1
obtain proofs of the specifications (SCA" 0, SCOi, SMli I {Pi}M{{SPi}) for i = Ln. Lemma 7-16 gives validity of the corresponding cooperation specifications (w.r.t. SGI). The program rule can be applied and yields I- (0,0,0, true I {p 1\ SGI}P'{SP 1\ SGI}}. Next, note that
n
1= p 1\ SGI +-+ p 1\ "(Xi = Z; /\ h. =<> I\h.; =<». The global merging lemma yields that i=1
n n 6 1= SP /\ SCI implies the existence of(60 A ... A On, T) E [PD(p) such that 0" r U ~ = U CT~ r~,
,=1 ,=1 which implies the existence of (60 A ••• A 6n , T) E [P](p) with the same relation between CT and
the CT~. Conclusion: 1= SP /\ SGI -+ q. Apply the consequence and the auxiliary variable rule n
(FV(q) n {h. Ii = l..n} = 0): I- (0,0,0,true I {p/\ "(Xi = i; /\ h. =<> I\h.; =<>)}P{q}) . • =1
Finally use the substitution rule with the substitution [x" <>, <> /i;, ho, ii.;, i = l..n] 0
8 Conclusions
The foregoing proof is a long one indeed. The programming language is, however, quite powerful, embodying both Ada-type task interactions as well as shared variable concurrency. Previously published proofs in this area have dealt with simple shared variable concurrency (d. [Apt81]) and with CSP-type concurrency (d. [Apt83]) separately. This paper has to deal with both and also with their interaction. Moreover, a conscious attempt was made to obtain a notion of specification and a proof system that comes close to being compositional. This contrasts with [Apt81, Apt83] which rather consider global verification algorithms (in the sense of the introduction).
37
A second difference is in the formulation of the two merging lemmas of Section 4. Here, they are statements about the computations of modules and programs whose truth is independent from
whether or not computations of procedures and modules are representable within the assertion
language. Such a separation of concern is absent in earlier proofs and gives some conceptual clarity.
The proof system ultimately deals with partial correctness properties of eM (l::)-programs. In
fact, the ariomatisation is power full enough to support the proof of arbitrary safety properties,
as may be gleaned from the completeness proofs. However, to extend the notion of validity to
program specification with non-trival commitments is not so easy. The problem originates in
the use of the global invariant, GI, and its bracketed sections. The Glonly holds in acceptable program configurations (in which no module is within a bracketed section), so that acceptability
would have to be included in the validity definition. This added complication did not seem worth the trouble.
The proof system is not complete for module specifications. This points to a difference between
the current proof system and a truly compositional one. The local merging lemma shows the need
to distinguish procedure instances other than through the local and global states-which, indeed,
may not show a difference. Here, this has been done by extending the local states of procedures.
It might have been done differently. For instance, by introducing logical variables, id~, that
are initiated in each instance to the third component of the identifier of the corresponding Le. rn either way, the existence of multiple instances can be postulated in the interference freedom
specifications. However, whatever one does, such assumptions must be discharged by associating
such instances with outstanding calls in other modules, for which one needs the communication
histories. In the traditional compositional proof systems (see [Zwi89] for the state-of-the-art) these histories are directly accessible in the specification language, so that the connection between the
coexistence of procedure instances and the communication histories can be expressed as axioms.
This paper's proof system must introduce auxiliary variables first, before anything can be expressed
about communication histories (or rather, about their encodings). The restricted form of module completeness is a direct consequence of this.
Acknowledgements
I thank Frank de Boer for discovering the invalidity of a previous version of the local merging
lemma which pointed to the incompleteness of an earlier form of the proof system. The first version of the paper has been troffed by Mrs. E van Thiel.
A Appendix: the substitution lemma
Here the substitution lemma 5-7 is proved.
A-I DEFINITION. Let R be a binary relation on states, R ~ St x Stj u,:z:, v E Var and e E
Tm(l::) \ Var. Then
• R! is defined by crier/v} R -ria/v} <=> cr{er/:z:}R!-r{a/:z:}
• R: is defined by cr{cr(e)/u} R -r ¢:} CTR:-r.
If z E Var and t E Tm(l::), let z := t stand for the relation {(cr, cr{cr(t)jy}) I cr ESt}.
38
A-2 LEMMA. Use the same notation as in Definition A-1
If (a) u R T =:> u(z) ::: T(Z) and (b) u R T =:> u{/3Jz} R T then 1. u R~ T ¢} U (u := e 0 R) T (0 is the usual composition of relations)
2. u R; T ¢} U (v:= z 0 Ro %:::: v) T{T(%)JV}
PROOF. (1) is trivial, so concentra.te on (2).
For a state II, if 11= v{/3Jz}, z '¥ y then v{/3Jy}::: 1I{II(z)Jy}{v{z)J{z)} Hence, if (T = 5{a/z} and T = r{oJz}, then u R; T is equivalent with u{u(z)Jv}{5{z)J%} R T{T(z)Jv}{r(z)Jz}. By
(a), 5(:Z:) = r(z) and so by (b), u R; T ¢> u{u{z)Jv} R T{T{Z)JV}{u(z)Jz}. The result follows
since u{u{z)Jv}z:= v{f} implies f = T{T{Z)JV}. 0
For the rest of the section, let S denote C Me {E)-statements not containing any call or waitstaments. In other words, consider statements for which state-changes - involving a variable z,
say - can only be effected through assignments z := e. For statements, S, the usual partial
correctness semantics ((S)), is given by
{(u, T) 13 (oo A ••• A on , T) E [5], u = Uo U 1I0{#0}, T = Un U IIn{#n}}.
Facts:
• ((:z::= e)) = z := e (i.e., as a relation)
• ((S[zJv])) = ((S)): provided z ft FV{S)
• ((S[eJu])) = ((S))~ provided FV(e) n FV(S) ::: 0 and 1£ does not appear as the left-hand-side of any asssignment in S.
These facts are sufficiently obvious so as not to warrant a proof. Note that the condition in the second fact implies assumptions (a) and (b) of Lemma A-2. Partial correctness "triples" in this paper's formalism are notated as (0,0,0, true I {p}S{q}). In the rest ofthis section the (trivial) assumptions and commitments will be ignored and I shall write {P}S{q}.
A-3 LEMMA. Let u, V,:I: E Var, e E Tm(E) and p, q E L(E) be such tbat :c ft FV(S), FV(e) n FV(S) = 0 and u does not appear as tbe left-band-side of an assignment in S.
• A F {p}S[%Jv]{q} ¢} A F {P}z := Vi Si:l: := v{q}, provided v ft FV(q)
• A F {p}S[eJ1£]{q} ¢} A F {P}u:= ei S{q}.
PROOF. Directly from the definitions and Lemma A-2. o
The next step is the extention to multiple substitutions.
A-4 LEMMA ([deB 80]). Let e, t E Tm(E), r E Tm(E) U L(E), :1:, y E Var and suppose z '¥ y and
z ft FV(t). Then r[eJ%][tJy) == r[tJy][e[tJy)J%).
A-5 CORROLARY. With tbe same notations and conditions as in Lemma 5.3.4, if additionally y ft FV(e), then r[eJz][tJy) = r[tJy][eJz).
So under these conditions, simultaneous substitution acquires meaning. Obviously, these
substitution-results hold for statements, too (provided the usual assumptions about non-variable
substitutions hold). In the following (and in fact in the rest of the paper) simultaneous assign
ments, 1£1,"" Un := el, ••• f en or 11 := e (with US ~ 1£j if i ¢ i), will be used, with obvious meaning.
Now, Lemma 5-7 can be proven.
39
A-6 LEMMA (The substitution lemma). Let S, S' be CMe(I:)-statements not containing call or
wait-statements. Let u, V, Z S; Var, e S; Tm(I:) and p, q E L(I:) be such that lui = lei, Ivl = Iii, the variables in u do not appear as left-hand-side of any assignments in S and the variables in the lists u, v and f are pairwise disjoint. Additionally, assume that the following conditions hold: un ii = 0, FV(e) n f = 0, {u, v} n FV(q) = 0 and (FV(S') U {u, v}) n (FV(e) U f) = 0. Then ([.] == [e, flu, v]):
1. A F= {P}Sj S'[·]{q[·]} {:::::? A F= {P}Sj u, v := e, Zj S'{q}
2. A F= {p[·]}S'[,]; S{q} {:::::? A F= {p" u = e}S'j Z := Vj S{q}, provided i n FV(p) = 0.
PROOF. Define WP(S,p) = {O' 1(0', r) E ((S}) ::} r F= p} and SP(S,p) = {r I (cr, r) E ((S)} &. 0' F= pl. Extend the signature I: to E = I: U {sp(S,p), wp(S,p) I S a CMe-statement,p E L(I:)} and let A be the extension of A in which the new predicate symbols get their intended meaning:
sp(S,p)..4 = SP(S,p) and wp(S,p)A = WP(S,p).
(1) By Lemma 5.3.3 (and corollary 5.3.5): A F= {sp(S,p)}u,v := Z,ejS'jZ := v{q[.]}. Denote
sp(S,p) by p. From [deB80] obtain that .A 1= wp(z := e,p) ..... p[e/z] and henc equivalence with
A 1= {p}u, v := e, Zj S'{q[e/u]}. Since the variables in u are never assigned to and FV(S') U ({u, v} n FV(e» = 0, I have
A F= {true}u, v := e, Zj S'{u = e}. This implies equivalence of the left-hand side of (A) with
A F= {P}u, v := e, Z; S'{q} and hence with A F= {P}S; il, v := e, Zj S'{q}.
(2) Since I can assume that iinwp(S, q) = 0, Lemma 5.3.3 yields equivalence with A F= {p[·]}u, v := e,fjS/,f:= ii{wp(S,q)}. Denote wp(S,q) by q. Again, [deBBO] learns that.A F= sp(z:= e,p) ..... 3y(p[y/z] "z = e[y/z]), y rt. FV(z := e,p).
As FV(p[·])n{u, v} = 0, the left-hand side of (B) is equivalent with A F= {pAu = e}S'{q[v/f]}. Next observe that (FV(p, e, S', q[ii/f]) U u) n f = 0. This implies equivalence with A F= {p Au = e}S'j f := v{q} and hence with AI= {p Au = e}S'j f := Vj S{q}. 0
References
[Am86] AMERICA, P. (1986), Object-Oriented Programming: a theoretician's introduction, Bull. EATCS 29, pp. 69-84.
[Apt81] APT, K.R. (1981), Recursive Assertions and Parallel Programs, Acta Inform. 15, pp.
219-232.
[Apt83] APT, K.R. (1983), Formal Justification ora Proof System for Communicating Sequential
Processes, J. Assoc. Compo Mach. 30, pp. 197-216.
[AB81] ADAMS, J.M., BLACK, A.P. (1981), "On Proof Rules for Monitors", Report, Department
of Computer Science, New Mexico State University.
[AFdeR80] APT, K.R., FRANCEZ N., DE ROEVER, W.P. (1980), A Proof Systems for Commu
nicating Sequential Processes, ACM Thans. Programm. Lang. Systems 2-3, pp. 359-385.
[ARM83] ADA (1983), The Programming Language Ada Reference Manual, LNCS 155, Springer
Verlag, New York.
40
[deB80] DE BAKKER, 1. (1980), Mathematical Theory of Program Correctness, Prentice Hall.
[BHa73] BRINCH-HANSEN, P. (1973), Concurrent Programming Concepts, Compo Surveys 5-4,
pp. 223-245.
[BHa78] BRINCH-HANSEN, P. (1978), Distributed Processes: A Concurrent Programming Con
cept, Communications ACM 21-11, pp. 934-941.
[DMN67] DAHL, 0.1., MYHRHAUG, B., NYGAARD, N. (1967), "The Simula-67 Common Base Language", Report, Norwegian Computing Centre, Oslo.
[Dij68] DIJKSTRA, E.W. (1968), The structure of the T.H.E. multiprogramming system, Communications ACM 11-5, pp. 341-346.
[GdeR84] GERTH, R., DE ROEVER, W.P. (1984), A Proof Systems for Concurrent Ada Pro
grams, Science of Computer Programming 4, pp. 159-204.
[GdeRR82a] GERTH, R., DE ROEVER, W.P., RONCKEN, M. (1982), Procedures and Concurrency: A Study in Proof, in "Proc. 5th International Symposium on Programming Languages (ISOP)", LNCS 137, pp. 132-164, Springer Verlag, New York.
[GdeRR82b] GERTH, R., DE ROEVER, W.P., RONCKEN, M. (1982), A study in Distributed Sys
tems and Dutch Patriotism, in "Proc. 2nd Confer. on Foundations of Software Technology and Theoretical Computer Science (FST&TCS)", (M. Joseph, ed.), pp. 192-234. Bangalore,
India.
[GdeR86] GERTH, R., DE ROEVER, W.P. (1986), Proving Monitors Revisited: a first step towards verifying object oriented systems, Fundamenta Informaticae IX, pp. 371-400.
[Gje88] GJESSING, S. (1988), Semantics and Verification of Monitors, Distributed Computing, 2-4.
[Hoa69] HOARE, C.A.R. (1969), An Axiomatic Basis for Computer Programming, Communications ACM 12, pp. 576-580.
[Hoa74] HOARE, C.A.R. (1974), Monitors, an operating system structuring concept, Communications ACM 17-10, pp. 537-549.
[How76] HOWARD, J .R. (1976), Proving Monitors, Communications ACM 19-5, pp. 273-279.
[LG81] LEVIN, G.M., GRIES, D. (1981), A Proof Technique for Communicating Sequential
Processes, Acta Inform. 15, pp. 281-302.
[MMS79] MITCHELL, J.G., MAYBURY, W., SWEET, R. (1979), "Mesa Language Manual",
XEROX, Palo Alto Research Center.
[OG76] OWICKI, S.S., GRIES, D. (1976), An Axiomatic Proof Technique for Parallel Programs,
Acta Inform. 6, pp. 319-340.
[RDKdeR81] RONCKEN, M., VAN DIEPEN, N., KRAMER, M., DE ROEVER, W.P. (1981), "A
Proof System for Brinch Hansen's Distributed Processes", Report RUU-CS-81-5, Depart
ment of Computer Science, University of Utrecht.
41
------------------~-~~ --
[Sou84] SOUNDARARAJ.A.N, N. (1984), Axiomatic Semantics for CSP, ACM Trans. Programm. Lang. Systems 6-4, pp. 647-662.
[SoD82] SOUNDARARAJAN, N., DAHL, O.J. (1982), "Partial correctness semantics for commu
nicating sequential processes", Report 66, Institute for Informatics, University of Oslo.
[SS85] SOBEL, A., SOUNDARARAJAN, N. (1985), A Proof System for Distributed Processes, in "Proc. Logics of Programs", LNCS 193, pp. 343-359, Springer Verlag, New York.
[Wei87] WEIHRAUCH, K. (1987), Computability, EATCS Monographs on Theoretical Computer Science, Vol. 9, Springer Verlag, New York.
[Wir84] WIRTH, N. (1984), Programming in Modula-2, Springer Verlag, New York.
[Zwi89] ZWIERS, J. (1989), Compositionality, Concurrency and Partial Correctness,
LNCS 321, Springer Verlag, New York.
42
.. ~-