Invariants Progress

COMP3151/9151 Foundations ofConcurrency Lecture 4

Invariants and Progress

Kai Engelhardt

CSE, UNSW (and data61)

Revision: 1.5 of Date: 2017/08/14 00:35:24 UTC

(Credits: parts may be borrowed from M. Ben-Ari, G Andrews, andothers)

1

Invariants Progress

Why Prove?

Model checking—be it manually on the state diagram ormechanically with spin—is restricted to systems with a fixed smallnumber of processes.1

To prove programs correct even if they are parametric in the numberof processes (or buffer places etc), we can hardly use brute forcemodel checking.

1Technically we can deal with process creation, also in spin, but therestriction to relatively small systems remains.

2

Invariants Progress

Invariants

Safety properties of a system S are often captured conveniently byinvariants, i.e., formulae that are true for all reachable states of S .

Example

In any correct critical section algorithm implementation for spin, theformula ¬(p@csp ∧ q@csq) is an invariant.

Invariants of S are proved by induction over the length ofcomputations of S .

3

Invariants Progress

Inductive proofs of invariants

To prove that φ is an invariant of the system S the following musthold.

Base cases: φ is true for every initial state of S .

Inductive steps: If φ holds is all states of a computation up to thek ’th, then φ also holds for the k + 1’st.

This precisely what we ended up doing for Dekker’s algorithm in theOwicki/Gries method!

4

Invariants Progress

Limitations of Invariants

Invariants are good for proving safety properties but insufficient forliveness, for instance eventual entry.

Once we add past time temporal operators such as B for weak sinceand �̃ for weak previous every safety property can be expressed as0φ for some LTL formula φ without future operators.

5

Invariants Progress

More LTL SematicsWith past operators, we need to adapt the previous definition.

Definition

The satisfaction relation |= between σ = (si )i∈N and k ∈ N, andLTL formulae is defined inductively by:

σ, k |= p ⇔ p ∈ sk

σ, k |= ¬ψ ⇔ σ, k 6|= ψ

σ, k |= ψ ∨ ψ′ ⇔ σ, k |= ψ or σ, k |= ψ′

σ, k |=2ψ ⇔ σ, k + 1 |= ψ

σ, k |= ψ U ψ′ ⇔ ∃` ≥ k(σ, ` |= ψ′ ∧ ∀j (m ≤ j < `⇒ σ, j |= ψ)

)σ, k |= �̃ψ ⇔ k = 0 or σ, k − 1 |= ψ

σ, k |= ψ B ψ′ ⇔ ∀` ≤ k((σ, ` |= ψ) ∨ ∃j

(` ≤ j ≤ k ∧ σ, j |= ψ′))

6

Invariants Progress

More LTL Past Operators

�̃ and B are a minimal set (just as 2 and U for the future) but forconvenience we’d add

� for previous �ψ = ¬�̃¬ψ` for till now `ψ = φ B false

Q for once Qψ = ¬`¬ψS for (strong) since ψ S ψ′ = ψ B ψ′ ∧Qψ′

7

Invariants Progress

LTL Examples

No cause c without effect e:

0(c →1e)

or, if the next cause has to wait for the effect to happen:

0(c →2(¬c) U e)

No effect without cause:

0(e →Qc)

8

Invariants Progress

Progress

To prove progress we use LTL and some of its proof rules.

A rule Ben-Ari singles out as particularly helpful for proving simpleprogress properties is

0φ→1ψ, 10φ

1ψ

What does it mean?

9

Invariants Progress

On Interpretations of LTLObserve that this particular progress rule is only

useful when considered in the presence of a program Prestricting the states and behaviours considered, and

sound in the nowadays less fashionable floating interpretationof temporal logic that evaluates formulas not just overanchored sequences of states but also all of their suffixes.(See [MP92, p. 246, 266] and [Sch97, p. 82]. An early write-upof the various issues appeared as [MP88].)

More precisely the rule should read

P ||=0φ→1ψ, P ||=10φP ||=1ψ

where P ||= Φ iff, σ|i |= Φ for all executions σ of program P and alltimes i ∈ N.

10

Invariants Progress

Floating vs. Anchored

In contrast to Ben-Ari, we’re going to use an anchored interpretationof LTL where a corresponding sound proof rule would be

P ` 0(0φ→1ψ), P `10φP `1ψ

But how can we refer to the program P in our proofs of thepremises of such a rule?

11

Invariants Progress

Weak Fairness Assumptions

To prove progress we tend to assume at least weak fairness to ensureprocesses are not prevented from participating in an execution.

In general, we allow adding a set W of weak fairness assumptions toour parallel compositions of transition diagrams. The elements of Ware sets of transitions drawn from the same process: W ⊆

⋃i 2Ti .

We say that an execution σ of P respects W if, for every w ∈ W

σ |= 0(0∨π∈wenabled(π)→1

∨π∈w taken(π))

The assumption baked into our interleaving model is{ Ti | 1 ≤ i ≤ n }, i.e., processes that aren’t stuck must moveeventually.

12

Invariants Progress

Classes of Progress PropertiesThe simplest progress properties are of the form 1φ (for some pastformula φ).

Example

Termination

The next level is 0(φ→1ψ) (for some past formulae φ and ψ)

Example

Eventual entry

This type is so common and important that we introduce the“leads-to” notation

φ ψ = 0(φ→1ψ) .

13

Invariants Progress

Classes of Progress Properties

The final class is 01φ→ 01ψ.

Example

“Whenever I’ve watched these TAB ads often enough, I’ll go andplace a bet.”

14

Invariants Progress

How does all that relate to our programs?

In the context of our CS solutions and with weak fairness,assignment statements must progress eventually.

Critical sections progress by assumption but non-critical sectionsneed not.

Control statements (if, while, await) can be trickier but can behandled.

Next we’ll see how.

15

Invariants Progress

Proof Rules for Progress: LTL Part

Let us focus on the leads-to properties. Before looking atprogram-dependent rules, we note some logical rules for .

φ φ rflx

φ ψ, ψ ρ

φ ρtrns

φ ρ, ψ ρ

(φ ∨ ψ) ρdisj

16

Invariants Progress

Proof Rules for Progress: Program PartFor the following, suppose we’ve found an assertion network Q thatsatisfies all the conditions of an Owicki/Gries-style proof of{pre}P {post}.

Let us abuse that notation for a set T ⊆ T of transitions:

{p} T {q} = ∀` c→f−−−→ `′ ∈ T (0(Q` ∧ c ∧ p → q ◦ f ))

even for past formulae p and q.

The simplest rule lets us deduce progress when that’s the only thingthat can happen in a single step:

0(p → (q ∨ φ)), {p}T {q} , 0(φ→ enabled(T ))

p q1-resp

This doesn’t even use weak fairness beyond “someone has to moveif that’s possible”.

17

Invariants Progress

Proof Rules for Progress: Program Part

Suppose we can identify a set H of helpful transitions that allestablish the goal q and become enabled when p occurs, then thefollowing rule can be used:

H ∈ W, 0(p → q ∨ φ), {φ}T \ H {φ ∨ q}{φ}H {q} , 0(φ→ enabled(H))

p qW-resp

(There’s a variant with strong fairness assumptions for H and aweakened last premiss of the form φ (q ∨ enabled(H)).)

18

Invariants Progress

After One Step

0(p → q), q r , 0(r → t)

p tRM

Let δ : Σ 9 A where (A,≺) is a well-founded relation

0(p → q ∨ φ), 0(φ→ δ ∈ A), (φ ∧ (δ = α)) q ∨ (φ ∧ δ ≺ α)

p qWell

19

Invariants Progress

Revisiting Invariants

pre → φ, {φ}T {φ}0φ

Inv

20

Invariants Progress

Example: Dekker’s Algorithm p

p2

p1

p3 p8

p4p5p6

p9

p:

wp := T

wq

t = 1

t = 2wp := F

t = 1

¬wq

t := 2

wp := F

21

Invariants Progress

Example: Dekker’s Algorithm q

q2

q1

q3 q8

q4q5q6

q9

q:

wq := T

wp

t = 2

t = 1wq := F

t = 2

¬wp

t := 1

wq := F

22

Invariants Progress

Example: Dekker’s Algorithm InvariantThe single difference compared to notes 3 is highlighted in red:

t ∈ {1, 2} (1)

wp,wq ∈ B (2)

wp↔ p3..5,8,9 (3)

wq↔ q3..5,8,9 (4)

p8,9 → ¬q8,9 (5)

q8,9 → ¬p8,9 (6)

p9 → t = 2 (7)

q9 → t = 1 (8)

cpp, cpq ∈ {1, 2, 3, 4, 5, 6, 8, 9} (9)

With pre = (t ∈ {1, 2} ∧ p1 ∧ q1) and φ =∧9

i=1(i) we see that therule Inv mimics Owicki/Gries in the presence of an invariant suchas ours.

23

Invariants Progress

Example: Dekker’s Algorithm Ev. EntryThe desired property is expressed as

p2 p8 (10)

Let us first collect some 1-step progress properties for p that can allbe shown P-valid with the rule 1-resp.

p3 ∧ t = 1 p8 ∨ (p4 ∧ t = 1) (11)

p3 ∧ t = 2 p8 ∨ p4 (12)

p4 ∧ t = 1 p3 ∧ t = 1 (13)

p4 ∧ t = 2 p5 ∨ (p3 ∧ t = 1) (14)

p5 p6 (15)

p6 ∧ t = 1 p2 ∧ t = 1 (16)

p2 ∧ t = 1 p3 ∧ t = 1 (17)

p8 p9 (18)

p9 p1 (19)

24

Invariants Progress

More of the same:

p6 ∧ q4 ∧ t = 2 p6 ∧ q6 ∧ t = 2 (20)

p6 ∧ q5 ∧ t = 2 p6 ∧ q6 ∧ t = 2 (21)

p6 ∧ q6 ∧ t = 2 p6 ∧ q2 ∧ t = 2 (22)

p6 ∧ q2 ∧ t = 2 p6 ∧ q3 ∧ t = 2 (23)

p6 ∧ q3 ∧ t = 2 p6 ∧ q8 ∧ t = 1 (24)

p6 ∧ q8 ∧ t = 2 p6 ∧ q9 ∧ t = 1 (25)

We can summarise these to

p6 ∧ q2..8 ∧ t = 2 p6 ∧ q9 ∧ t = 1 (26)

We still need to argue why p6 ∧ t = 2→ ¬q1.

25

Invariants Progress

Last steps

Another P-valid invariant is

p6 ∧ t = 2→ (t = 2 S (p3 ∧ wq)) (27)

which allows us to deduce that q cannot be at q1 (and not at q9

either by φ).

26

Invariants Progress

Bibliography

Zohar Manna and Amir Pnueli.The anchored version of the temporal framework.In J. W. de Bakker, W.-P. de Roever, and G. Rozenberg,editors, Linear Time, Branching Time and Partial Order inLogics and Models of Concurrency, volume 354 of LNCS, pages201–284, 1988.

Zohar Manna and Amir Pnueli.The Temporal Logic of Reactive and Concurrent Systems:Specification.Springer-Verlag, 1992.

Fred B. Schneider.On Concurrent Programming.Springer-Verlag, 1997.

27