Page 1: Logic of Global Synchrony - PKUsei.pku.edu.cn/~cyf/toplas05.pdf · 2010-06-27 · Logic of Global Synchrony YIFENG CHEN University of Leicester and J. W. SANDERS University of Oxford

Logic of Global Synchrony

YIFENG CHEN, University of Leicester, and J. W. SANDERS, University of Oxford

An intermediate-level specification formalism (i.e., specification language supported by laws and a semantic model), LOGS, is presented for PRAM and BSP styles of parallel programming. It extends pre-post sequential semantics to reveal states at points of global synchronization. The result is an integration of the pre-post and reactive-process styles of specification. The language consists of only six commands from which other useful commands can be derived. Parallel composition is simply logical conjunction and hence compositional. A simple predicative semantics and a complete set of algebraic laws are presented. Novel ingredients include the separation, in our reactive context, of the processes for nontermination and for abortion which coincide in standard programming models; the use of partitions, combining the terminating behavior of one program with the nonterminating behavior of another; and a fixpoint operator, the partitioned fixpoint. Our semantics benefits from the recent “healthiness function” approach for predicative semantics. Use of LOGS, along with the laws for reasoning about it, is demonstrated on two problems: matrix multiplication (a terminating numerical computation) and the dining philosophers (a reactive computation). The style of reasoning is so close to programming practice that direct transformation from LOGS specifications to real PRAM and BSP programs becomes possible.

Categories and Subject Descriptors: D.3.1 [Programming Languages]: Formal Definitions and Theory—Semantics; D.3.3 [Programming Languages]: Language Constructs and Features—Concurrent programming structures; recursion; F.1.2 [Computation by Abstract Devices]: Modes of Computation—Alternation and nondeterminism; interactive and reactive computation; parallelism and concurrency; F.3.1 [Logic and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs—Logics of programs; specification techniques; F.3.2 [Logics and Meanings of Programs]: Semantics of Programming Languages—Denotational semantics

General Terms: Languages, Theory

Additional Key Words and Phrases: Bulk-Synchronous Parallelism, PRAM, reactive programming

1. INTRODUCTION

In this section we point out some of the difficulties confronting the design of parallel/distributed programs and show how this paper addresses them.

Authors’ addresses: Y. Chen, Department of Computer Science, University of Leicester, University Road, Leicester LE1 7RH, U.K.; email: [email protected]; J. W. Sanders, Programming Research Group, OUCL, Parks Road, Oxford OX1 3QD, U.K.; email: [email protected]. Permission to make digital/hard copy of part or all of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date appear, and notice is given that copying is by permission of ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. © 2004 ACM 0164-0925/04/0300-0221 $5.00

ACM Transactions on Programming Languages and Systems, Vol. 26, No. 2, March 2004, Pages 221–262.


222 • Chen and Sanders

Parallel programs are not only hard to develop in practice but also notoriously difficult to model in theory. That may be part of the reason that no language has gained the ascendancy for parallel programming which Dijkstra’s guarded-command language [Dijkstra 1976] has gained for sequential programming. A vital property of any programming model is compositionality: each combinator $\otimes$ of the programming language satisfies: if program $P'$ refines $P$ and $Q'$ refines $Q$ then $P' \otimes Q'$ refines $P \otimes Q$. Without that, it is hard to imagine the model supporting a useful programming methodology since modular development of programs would at best be ad hoc. Unfortunately among notations for concurrency, only models based on point-to-point message passing such as CSP [Hoare 1985] and CCS [Milner 1989] seem to be compositional. Most variable-sharing models allowing communication interference (e.g., TLA [Lamport 1994] and UNITY [Chandy and Misra 1988]) are not; nor are the implementation languages PRAM [Fortune and Wyllie 1978; Leppänen and Penttonen 1995] and (in particular) BSP [Valiant 1990; Hill et al. 1998], which we target, for sake of definiteness, in this paper.

Distributed systems are conveniently specified using global information, although they are efficiently and robustly implemented by relying on only local state and point-to-point communications. The derivation of such systems is thus the task of moving from properties of specified global state through intermediate designs to communicating executable components with their own local state. We present here an intermediate-level language for describing and reasoning about programming paradigms based on global synchrony. Since it has been designed to emphasize description (rather than execution) we call the intermediate language a logic, the Logic of Global Synchrony or LOGS. LOGS has the following features:

(1) a process is a predicate on initial state, final state and all intermediate states, which formalism integrates the pre-post and reactive (including safety and liveness) styles of specification;

(2) its parallel composition simply becomes logical conjunction, resulting in important properties including compositionality and strong refinement laws;

(3) the reasoning style of LOGS is so close to programming intuition that only a minimum knowledge of first-order predicate calculus is required;

(4) a full set of laws is available for the transformation from LOGS to executable BSP programs [Chen 2001].

The popularity of global synchrony can be traced back to the Parallel Random-Access Machine (or PRAM) model. A PRAM is a collection of processes that update global variables. Every update command is globally synchronized with each process, which is always able to access the latest value of any remote variable. For example, the PRAM program

$$\begin{array}{l} x := 1\ ; \\ y := x - 1 \end{array} \quad\Big\|\quad \begin{array}{l} y := 2\ ; \\ x := y + 1 \end{array} \qquad (1)$$


consists of two processes in which the variables $x$ and $y$ are located on the left-hand (LHS) and right-hand (RHS) processes, respectively. Sequential composition serves to synchronize commands. Hence command $x := 1$ is synchronized with command $y := 2$; while command $y := x - 1$ is synchronized with command $x := y + 1$. Because of the synchronizations, $y := x - 1$ on the LHS will be executed after $y := 2$ on the RHS. The final values of $x$ and $y$ become 3 and 0, respectively. The use of global synchronization greatly simplifies parallel programming, although it is inherently costly to implement. Inserting a global synchronization point between any pair of consecutive assignment statements is often unnecessary. Another advantage of the PRAM model is the simplicity of an effective measure of complexity: the cost of an algorithm is simply the number of global synchronizations, although the measure is not always accurate for real performance of PRAM programs. Some recent practical applications of PRAM can be found in Abolhassan et al. [1999].

To allow more flexible use of global synchronization, Valiant [1990] proposed a model called Bulk-Synchronous Parallelism (or BSP). Unlike PRAM, BSP processes are synchronized by explicit synchronization commands. Arbitrarily many local computational commands are allowed between two consecutive synchronizations and all communications are delayed until the following synchronization point where their delivery is guaranteed.

The PRAM program (1) has an equivalent BSP program

$$\begin{array}{l} x := 1\ ; \\ \mathbf{put}\ y := x - 1\ ; \\ \mathbf{get}\ x := y + 1\ ; \\ \mathbf{sync} \end{array} \quad\Big\|\quad \begin{array}{l} y := 2\ ; \\ \mathbf{sync} \end{array}$$

in which variable $x$ is local to the left-hand program and $y$ to the right-hand, put is a communication command that writes a value (calculated locally) to a remote variable, and get is a command that reads the value (just before the following synchronization) of a remote variable. Any communication is completed at the following synchronization barrier set by the corresponding sync commands. Thus the result is as before. An advantage of the BSP model is that program cost is determined by the simple formula

$$W + H \cdot g + S \cdot l, \qquad (2)$$

where $W$ is the maximum number of local computation steps, $H$ is the maximum volume of incoming or outgoing communications, and $S$ is the number of global synchronizations. A BSP computer is characterized by three parameters: $p$ = number of processors, $l$ = number of steps for synchronization, and $g$ = number of steps per byte of communication. With that architecture-independent cost measure, BSP programs have the advantage of being portable, predictable and scalable. Recent practical applications of BSP can be found in McColl [1996] and Inda and Bisseling [2001]. Examples appear in Sections 6 and 7.

An important issue of variable sharing is the potential risk of communication interference: two processes trying to write different values to a variable during the same step. In standard PRAM and BSP models, the result is their nondeterministic combination. In most applications communication interference is undesirable because it destroys compositionality: a program component cannot always preserve its properties if it is conjoined in parallel with another component that interferes with its local state.
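Program (1) and its BSP form run step by step, as an added illustration that is not the authors' code: PRAM is modelled as one global step per assignment with every write landing at the end of the step, BSP as supersteps whose put/get are delivered only at the barrier, and a step in which two processes deliver different values to one variable (the communication interference just described) raises an exception instead of being resolved nondeterministically. The variable-ownership map, the `Interference` class and the cost-formula helper are this example's own assumptions.

```python
"""Simulator for the paper's PRAM program (1) and its BSP equivalent (added example)."""
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Assign = Tuple[str, Callable[[State], int]]   # (variable, expression evaluated on a state)
Superstep = Dict[str, List[Assign]]           # keys 'local', 'put', 'get'; ends with a sync


class Interference(Exception):
    """Two processes delivered different values to one variable in the same step."""


def merge(target: State, writes: Dict[str, List[int]]) -> None:
    """Land the writes of one global step. Equal values agree; unequal values are the
    nondeterministic combination the paper calls communication interference."""
    for var, vals in writes.items():
        if len(set(vals)) > 1:
            raise Interference(f"{var} receives {sorted(set(vals))} in one step")
        target[var] = vals[0]


def run_pram(procs: List[List[Assign]], init: State) -> Tuple[State, int]:
    """PRAM: each assignment is one globally synchronized step. Every process reads the
    state as it was at the start of the step; all writes land at the end of it.
    Returns (final state, number of global synchronizations)."""
    state = dict(init)
    steps = max(len(p) for p in procs)
    for k in range(steps):
        writes: Dict[str, List[int]] = {}
        for p in procs:
            if k < len(p):
                var, expr = p[k]
                writes.setdefault(var, []).append(expr(state))
        merge(state, writes)
    return state, steps


def pram_interferes(procs: List[List[Assign]], init: State) -> bool:
    """True when the PRAM run hits a write conflict (its result would be nondeterministic)."""
    try:
        run_pram(procs, init)
        return False
    except Interference:
        return True


def run_bsp(procs: List[List[Superstep]], owner: Dict[str, int], init: State) -> Tuple[State, int]:
    """BSP: local assignments run sequentially on the process's own variables; put (write a
    locally computed value to a remote variable) and get (read a remote variable as it is
    just before the sync) are resolved only at the barrier. 'owner' maps each variable to
    the index of the process holding it (an assumption of this example)."""
    local = [{v: init[v] for v in init if owner[v] == i} for i in range(len(procs))]
    steps = max(len(p) for p in procs)
    for k in range(steps):
        for i, p in enumerate(procs):                          # computation phase, no remote access
            if k < len(p):
                for var, expr in p[k].get("local", []):
                    local[i][var] = expr(local[i])
        snapshot = {v: local[owner[v]][v] for v in owner}      # values just before the sync
        writes: Dict[str, List[int]] = {}
        for i, p in enumerate(procs):                          # communication phase
            if k < len(p):
                for var, expr in p[k].get("put", []):
                    writes.setdefault(var, []).append(expr(local[i]))
                for var, expr in p[k].get("get", []):
                    writes.setdefault(var, []).append(expr(snapshot))
        delivered: State = {}
        merge(delivered, writes)                               # the barrier: communication lands
        for var, val in delivered.items():
            local[owner[var]][var] = val
    return {v: local[owner[v]][v] for v in owner}, steps


def bsp_cost(w: int, h: int, s: int, g: int, l: int) -> int:
    """Formula (2) of the paper: W + H*g + S*l."""
    return w + h * g + s * l


# Program (1): left process x := 1 ; y := x - 1, right process y := 2 ; x := y + 1.
PRAM_1: List[List[Assign]] = [
    [("x", lambda s: 1), ("y", lambda s: s["x"] - 1)],
    [("y", lambda s: 2), ("x", lambda s: s["y"] + 1)],
]
# Its BSP form: x lives on process 0, y on process 1; each side ends with one sync.
BSP_1: List[List[Superstep]] = [
    [{"local": [("x", lambda s: 1)],
      "put": [("y", lambda s: s["x"] - 1)],
      "get": [("x", lambda s: s["y"] + 1)]}],
    [{"local": [("y", lambda s: 2)]}],
]
OWNER = {"x": 0, "y": 1}

if __name__ == "__main__":
    print(run_pram(PRAM_1, {"x": 0, "y": 0}))       # ({'x': 3, 'y': 0}, 2)
    print(run_bsp(BSP_1, OWNER, {"x": 0, "y": 0}))  # ({'x': 3, 'y': 0}, 1)
```

Both runs end with x = 3 and y = 0 as the text states; the PRAM run needs two global synchronizations, the BSP run one.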

PRAM and BSP are mainly used in parallel scientific computing with data parallelism, where performance analysis is a primary concern. However, any large-scale application in scientific computing is inevitably involved with resource sharing and communication-flow management. These represent typical kinds of task parallelism in distributed computing. For example, in atmospheric simulation [Foster 1995], the global state of the system is partitioned into smaller blocks, each of which is located on one processor. But no matter how the space is partitioned, there may be severe load imbalance due to constant changes in global state. This problem can be solved using a dynamic-load-balancing algorithm to migrate blocks between processors when load imbalance occurs. Such migration must eventually reduce the overall cost but must not interfere with the actual computation. Although, strictly speaking, globally synchronized systems are not distributed at the level of individual steps, typical characteristics of distributed computing such as safety and liveness still naturally arise at the level across multiple steps. In general a parallel application is mixed with data and task parallelism. A successful specification language must meet the challenges of both forms of parallelism by supporting rigorous performance analysis and intuitive reasoning about safety and liveness properties.

Dijkstra’s guarded-command language, like any sequential language, is supported by semantics (either relational or predicate-transformer) in which a program is described by the way it transforms initial state to final state. In LOGS, in order to encompass reactive processes, we reveal the sequence of intermediate states of a computation at the points of global synchrony. That provides the abstraction necessary to describe the effect of BSP code but frees the programmer from preoccupation with how such synchrony is achieved. This view provides the primitive LOGS command, a computation with $n$ points of global synchrony. If the computation terminates then the sequence of intermediate states is finite; if it is a reactive nonterminating computation then the sequence is infinite with no final state.

In general, a LOGS command corresponds to a set of behaviors, each of which consists of an initial state, a final state and a sequence of intermediate states. The nondeterministic choice of two LOGS commands corresponds to the union of all behaviors from the two commands. Negation of a LOGS command corresponds to the set of all behaviors not belonging to the command. These simple combinators are desirable at the level of specification, although neither appears in program code. Nondeterminism accompanies the hiding of local variables accomplished in local blocks, and negation is particularly convenient for specifying assumptions.

Various forms of parallelism can be defined. We are particularly interested in conjunctive parallelism. The conjunctive parallel composition of two LOGS commands corresponds to the set of their common behaviors. It is the most abstract form of parallelism and so enjoys a number of powerful laws. For example the conjunctive composition of two commands satisfies all properties of the commands. In this sense the parallelism is compositional, although if the commands are not consistent with each other (for example due to communication interference), their conjunctive composition becomes magic with an empty set of behaviors. The inclusion of magic is advantageous. Detecting inconsistency then becomes the same as detecting magic. It allows us to reason about inconsistency within the specification language itself. Like nondeterministic choice and negation, conjunctive parallelism represents only a certain abstraction level of parallel computation and is not directly implementable on parallel computers. Nevertheless, it has captured the essence of global synchrony. As long as we can use the composition to describe real parallel algorithms and derive parallel programs, it has fully served the aims of specification. We shall use two case studies, in Sections 6 and 7, to demonstrate the suitability of conjunctive parallelism for global synchrony. The resulting specifications are so close to real PRAM/BSP programs that automated transformation becomes possible [Chen 2001]. Conjunction as parallel composition has also been used not only in process algebra but also in concurrent constraint programming [Saraswat et al. 1991]. In this paper we consider conjunctive parallelism in an imperative setting from which imperative parallel programs can be derived.

Parallel computation has been modeled in a variety of styles. The assertional style, developed originally for sequential programming, has been used with only limited success in the parallel case [Owicki and Gries 1976]. For it offers limited support to the programmer for how state should be expected to depend on later state through extra auxiliary variables. However, we follow the use of a relational model and represent assertions as binary relations (which we shall identify as 0LOGS commands). The rely-guarantee style, emphasizing the importance of assumptions, is used as a higher-level specification construct in parallel programming [Jones 1983]. We define rely-guarantee as a general implication using negation and nondeterministic choice. Previous research into PRAM specification [Farrell and Kieronska 1996] has focused mainly on data parallelism and Single-Instruction Stream Multiple-Data Stream (SIMD) programming and simply becomes a special case of LOGS.

A complicated specification language makes formal reasoning unnecessarily complicated. Here the concern must be that the interposition of intermediate states in a computation has that effect, of necessary complication, at least on the semantics of LOGS. An important feature of our work has been to provide a relatively simple predicative semantics and manner of demonstrating soundness with respect to it of the laws governing the notation. That is achieved by the technique of healthiness conditions [Dijkstra 1976; Hoare and He 1998; Chen 2002]. The greatest semantic challenge comes from general recursion. Although LOGS is simple, it has incorporated sequentiality, unbounded nondeterminism, infinite-trace computation, negation, and parallelism. We apply a new fixpoint technique called partitioned fixpoint [Chen 2003] to determine the fixpoint of LOGS recursion.

In Section 2 the primitive commands of LOGS are defined and their laws given; their soundness and completeness are verified in the appendix. Section 3 identifies a number of derived commands for imperative programming.


Table I. Primitive LOGS Commands

$\langle p\rangle_n$    $n$-step command

$P \mathbin{\#} Q$    sequential composition

$P \sqcap Q$    nondeterministic choice (glb)

$P \sqcup Q$    parallel composition (lub)

$\sim P$    negation (complement)

$\phi f$    recursion

Section 4 sketches the semantics of LOGS whose well-formedness is demonstrated in the appendix. Important derived commands of safety and liveness and their laws are defined in Section 5. Section 6 indicates use of LOGS on the derivation of a numerical terminating computation for matrix multiplication, and Section 7 shows LOGS at work on the benchmark reactive example of the dining philosophers.

2. SPECIFICATION LANGUAGE LOGS

No matter how useful it is, global synchronization is expensive to implement on parallel/distributed systems. There is a case to be made for providing the programmer with a language intermediate in abstraction between the standard low-level language (like BSP, for example, with explicit global synchronizations via the put and get events with respect to which they are implemented) and one which abstracts them completely. Indeed a language of the latter type, though important for requirements capture, does not enable a programmer to make tradeoffs based on efficiency; and that is the concern at intermediate stages of design.

In this paper we introduce language LOGS. It makes explicit the intermediate global states at synchronization points between start and (possible) termination, in such a way that the programmer is aware of the presence of global synchronizations without having to implement them (at this level). It also enables the programmer to reason, in a simple way, about safety and liveness properties. On the other hand communications are abstracted in LOGS. That is to encourage the programmer to focus on the proposed effect of communications on the global state rather than to decide prematurely which communication commands to use. LOGS is thus an intermediate specification language, chosen for convenience, with no pretense at being as abstract as possible.

The semantic space (see Section 4) of LOGS is a complete Boolean lattice of predicates in which the order $\sqsubseteq$ is reverse implication and so corresponds to removal of nondeterminism. The operators are denoted by $\top$ (top), $\bot$ (bottom), $\sqcap$ (the glb operator), $\sqcup$ (the lub operator), and $\sim$ (the complement operator).

For a vector $\omega$ of program variables, the primitives of LOGS are commands (Table I) on $\omega$ taking $n$ steps, for $n \in \mathbb{N}_\infty$ where $\mathbb{N}_\infty \mathrel{\hat=} \mathbb{N} \cup \{\infty\}$. Each command starts in its initial state $\overleftarrow{\omega}$ (pronounced “pre-$\omega$”) and, after $n$ intermediate steps, if $n < \infty$ terminates in a final state $\overrightarrow{\omega}$ (pronounced “post-$\omega$”) but otherwise does not terminate, generating an infinite sequence of intermediate states (in which case there is no final state).


A typical $n$-step command is written $\langle p\rangle_n$, where predicate

$$p = p(\overleftarrow{\omega}, \omega_0, \ldots, \omega_{n-1}, \overrightarrow{\omega})$$

is called the internal predicate of the command; in it each $\omega_k$ with $k < n$ denotes the state at the $k$th intermediate synchronization point; thus $\omega_0$ records the first synchronization after the initial state $\overleftarrow{\omega}$. The set of all $n$-step commands is written $n$LOGS. An $n$-step command is called feasible if, for any initial state, there exist some final state and a sequence of intermediate states.

Example. $\langle \overleftarrow{x} + 1 = x_0 = \overrightarrow{x} - 1\rangle_1$ is a 1LOGS command in which the program variable $x$ is increased by 1 by the time of its intermediate synchronization point $x_0$ and increased by 1 again by termination. Alternatively we can think of this command as a predicate

$$(\overleftarrow{x} + 1 = x_0 = \overrightarrow{x} - 1) \wedge (\# = 1),$$

where $\#$ denotes the number of intermediate synchronizations. Such interpretation helps understanding; a more accurate semantics will be introduced in Section 4.

The sequential composition of $P$ and $Q$, written $P \mathbin{\#} Q$ as usual, is associative, and the composition of an $n$LOGS command with an $m$LOGS command forms an $(n+m)$LOGS command. Note that, in a sequential composition, the final state of the first command is connected to only the initial state of the second command. No additional synchronization point is inserted by the composition. This reflects the fact that, in BSP, the sequential composition can be placed either at a synchronization point or between two consecutive synchronization points.

LAW 1.

$$\langle p(\overleftarrow{\omega}, \omega_0, \ldots, \omega_{n-1}, \overrightarrow{\omega})\rangle_n \mathbin{\#} \langle q(\overleftarrow{\omega}, \omega_0, \ldots, \omega_{m-1}, \overrightarrow{\omega})\rangle_m = \langle \exists \omega \cdot (p(\overleftarrow{\omega}, \omega_0, \ldots, \omega_{n-1}, \omega) \wedge q(\omega, \omega_n, \ldots, \omega_{n+m-1}, \overrightarrow{\omega}))\rangle_{n+m},$$

where $n \in \mathbb{N}$ and $m \in \mathbb{N}_\infty$.

The case $n = \infty$ is considered in Law 2.

Example. The following command is a composition of a 0LOGS command without any synchronization and a 1LOGS command with exactly one synchronization point:

$$\langle \overleftarrow{x} = \overrightarrow{x} + 1\rangle_0 \mathbin{\#} \langle \overleftarrow{x} + 1 = x_0 = \overrightarrow{x} - 1\rangle_1 = \langle \overleftarrow{x} = x_0 = \overrightarrow{x} - 1\rangle_1,$$

which is indeed the relational composition of the internal predicates. The final state of the first LOGS command is linked to the initial state of the second, and the interface is then hidden.

The final state of a nonterminating command is not observable. If a command is nonterminating, it will not be affected by any following command.

LAW 2. (1) $\langle p\rangle_\infty = \langle \exists \overrightarrow{\omega} \cdot p\rangle_\infty$ (2) $\langle p\rangle_\infty \mathbin{\#} \langle q\rangle_n = \langle p\rangle_\infty$ ($n \in \mathbb{N}_\infty$)

The nondeterministic choice between two $n$LOGS commands is the disjunction of their internal predicates. That implies monotonicity of the embedding which takes an internal predicate to an $n$LOGS command. Nondeterministic choice between two LOGS commands with different numbers of steps is considered in the next example.

LAW 3. (1) $\langle p\rangle_n \sqcap \langle q\rangle_n = \langle p \vee q\rangle_n$ (2) $\langle p\rangle_n \sqsubseteq \langle q\rangle_n$ iff $q \Rightarrow p$

where $n \in \mathbb{N}_\infty$.

The parallel composition of two $n$LOGS commands is the conjunction of their internal predicates. If the lengths of $n$LOGS commands are not equal, their parallel composition becomes the “magic” command, which indicates inconsistency.

LAW 4. (1) $\langle p\rangle_n \sqcup \langle q\rangle_n = \langle p \wedge q\rangle_n$ (2) $\langle p\rangle_n \sqcup \langle q\rangle_m = \top$ ($m \neq n$)

where $n, m \in \mathbb{N}_\infty$.

Both nondeterministic choice and parallel composition are idempotent, commutative, associative, and distributive with each other.

Example. Laws 3 and 4 can be easily understood in terms of our informal notations: assume $\langle p\rangle_n = (p \wedge \# = n)$ and $\langle q\rangle_m = (q \wedge \# = m)$. Nondeterministic choice is disjunction. If $n = m$ then the commands are merged into a single $n$LOGS command $(p \vee q) \wedge \# = n$; otherwise, they become a disjunction $(p \wedge \# = n) \vee (q \wedge \# = m)$, which cannot be further simplified. Parallel composition is conjunction: if $n = m$ then the commands are merged into a single $n$LOGS command $p \wedge q \wedge \# = n$; otherwise, their conjunction becomes magic.
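Laws 1, 3 and 4 checked over a finite state space, as an added example that is not the authors' code or formalism: an n-step command is represented by the set of tuples (pre, ω0, …, ω(n−1), post) satisfying its internal predicate, a general command by a map from n to such sets, so that nondeterministic choice is union, parallel composition is intersection (empty, i.e. magic, across different step counts) and sequential composition hides the interface state. A single variable x over Z_M (a constructed finite domain with arithmetic mod M) keeps every set finite; the case n = ∞ lies outside this model.

```python
"""Finite behaviour-set model of n-step LOGS commands (added example, not the paper's code)."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Tuple

M = 8                                    # assumed state space: x in {0, ..., M-1}, arithmetic mod M
STATES = range(M)
Behaviour = Tuple[int, ...]              # (pre, w0, ..., w_{n-1}, post): a tuple of length n + 2
Cmd = Dict[int, FrozenSet[Behaviour]]    # a LOGS command: for each step count n, its n-step behaviours

MAGIC: Cmd = {}                          # top: no behaviour at all


def step_cmd(n: int, p: Callable[..., bool]) -> Cmd:
    """<p>_n : every (pre, w0, ..., w_{n-1}, post) over the finite state space that satisfies p."""
    behs = frozenset(b for b in product(STATES, repeat=n + 2) if p(*b))
    return {n: behs} if behs else MAGIC


def seq(P: Cmd, Q: Cmd) -> Cmd:
    """Law 1: (n+m)-step behaviours, the interface state between P's final and Q's initial
    state being hidden (existentially quantified) by the join."""
    out: Dict[int, set] = {}
    for n, pb in P.items():
        for m, qb in Q.items():
            for a in pb:
                for b in qb:
                    if a[-1] == b[0]:                     # final state of P meets initial state of Q
                        out.setdefault(n + m, set()).add(a[:-1] + b[1:])
    return {k: frozenset(v) for k, v in out.items()}


def choice(P: Cmd, Q: Cmd) -> Cmd:
    """Law 3(1): disjunction of internal predicates, kept separately per step count."""
    return {n: P.get(n, frozenset()) | Q.get(n, frozenset()) for n in set(P) | set(Q)}


def parallel(P: Cmd, Q: Cmd) -> Cmd:
    """Law 4: conjunction of internal predicates; unequal step counts share nothing, giving magic."""
    out = {n: P[n] & Q[n] for n in set(P) & set(Q)}
    return {n: b for n, b in out.items() if b}


def refines(P: Cmd, Q: Cmd) -> bool:
    """P is refined by Q (P below Q in the lattice): every behaviour of Q is one of P (Law 3(2))."""
    return all(n in P and b <= P[n] for n, b in Q.items())


def feasible(P: Cmd) -> bool:
    """Feasibility as defined in the text: every initial state has at least one behaviour."""
    starts = {b[0] for behs in P.values() for b in behs}
    return starts == set(STATES)


# The paper's example: a 0-step decrement followed by a 1-step command that increments x
# twice equals a 1-step command whose synchronisation point sees x unchanged.
P0 = step_cmd(0, lambda pre, post: pre == (post + 1) % M)                      # <pre_x = post_x + 1>_0
P1 = step_cmd(1, lambda pre, w0, post: (pre + 1) % M == w0 == (post - 1) % M)  # <pre_x + 1 = x0 = post_x - 1>_1
EXPECTED = step_cmd(1, lambda pre, w0, post: pre == w0 == (post - 1) % M)      # <pre_x = x0 = post_x - 1>_1


def check_law1_example() -> bool:
    """The relational composition of the internal predicates, as Law 1 states."""
    return seq(P0, P1) == EXPECTED


if __name__ == "__main__":
    print("Law 1 on the paper's example:", check_law1_example())                  # True
    print("0-step and 1-step commands in parallel are magic:", parallel(P0, P1) == MAGIC)  # True
    print("P1 is feasible:", feasible(P1))                                         # True
```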

The top and bottom elements of the semantic lattice are themselves useful specifications. Magic $\top$ (the top) specifies inconsistency and does not contain any behavior! Chaos $\bot$ (the bottom) specifies a command with all possible behaviors.

LAW 5. (1) $\top = \langle \mathit{false}\rangle_n$ ($n \in \mathbb{N}_\infty$) (2) $\bot = \mathop{\sqcap}_{n \le \infty} \langle \mathit{true}\rangle_n$

Negation constitutes a complement, which will be used in particular to define rely-guarantee specifications in Section 5. The negation of an $n$LOGS command can be calculated inductively on the construction of the command. De Morgan’s laws hold for negation of (arbitrary) disjunctions and conjunctions so that either one might have been introduced as a derived construct.

LAW 6. (1) $P \sqcup \sim P = \top$ (2) $P \sqcap \sim P = \bot$ (3) $\sim\sim P = P$ (4) $\sim \mathop{\sqcap}_{n \le \infty} \langle p_n\rangle_n = \mathop{\sqcap}_{n \le \infty} \langle \neg p_n\rangle_n$ (5) $\sim \mathop{\sqcap} \mathcal{P} = \mathop{\sqcup}\{\sim P \mid P \in \mathcal{P}\}$ (6) $\sim \mathop{\sqcup} \mathcal{P} = \mathop{\sqcap}\{\sim P \mid P \in \mathcal{P}\}$

where $n \in \mathbb{N}_\infty$ and $\mathcal{P}$ is a set of predicates.

Example. The command $\langle \mathit{true}\rangle_\infty$ specifies a process that is nonterminating and generates arbitrary intermediate states. Its negation $\sim\langle \mathit{true}\rangle_\infty$, however, equals $\mathop{\sqcap}_{n < \infty} \langle \mathit{true}\rangle_n$ and specifies a process that terminates in finitely many steps, generating arbitrary intermediate states.


Table II. Definitions of Derived Imperative Commands

$\mathit{termination} \mathrel{\hat=} \mathop{\sqcap}_{n < \infty} \langle \mathit{true}\rangle_n$    termination (terminating behaviors)

$\hat{} \mathrel{\hat=} \langle \mathit{true}\rangle_\infty$    nontermination (nonterminating behaviors)

$P \mid Q \mathrel{\hat=} (P \sqcup \mathit{termination}) \sqcap (Q \sqcup \hat{})$    partition

$\mathit{II} \mathrel{\hat=} \langle \overleftarrow{\omega} = \overrightarrow{\omega}\rangle_0$    skip (unit of sequential composition)

$(b)\top \mathrel{\hat=} \langle b(\overrightarrow{\omega}) \wedge \overleftarrow{\omega} = \overrightarrow{\omega}\rangle_0$    conditional magic

$P \lhd b \rhd Q \mathrel{\hat=} ((b)\top \mathbin{\#} P) \sqcap ((\neg b)\top \mathbin{\#} Q)$    conditional (if $b$ then $P$ else $Q$)

$\mathbf{while}\ b\ \mathbf{do}\ P \mathrel{\hat=} \phi X \cdot (P \mathbin{\#} X) \lhd b \rhd \mathit{II}$    loop

Table III. Interactions between Extreme Commands ($P$ on the Left and $Q$ at the Top)

$$\begin{array}{c|cccc} P \mathbin{\#} Q & \top & \bot & \mathit{termination} & \hat{} \\ \hline \top & \top & \top & \top & \top \\ \bot & \hat{} & \bot & \bot & \hat{} \\ \mathit{termination} & \top & \bot & \mathit{termination} & \hat{} \\ \hat{} & \hat{} & \hat{} & \hat{} & \hat{} \end{array}$$

A general recursion is normally written as an equation: $X = f(X)$ in which $X$ is called the recursive argument, and $f(X)$ called the recursion. In this paper, the fixpoint of a recursion $f(X)$ is denoted by $\phi X \cdot f(X)$, or $\phi f$ for short.

LAW 7. $f(\phi f) = \phi f$

It will become clear in Section 4 why we use $\phi$, rather than $\mu$, to denote the fixpoint.

Example. The recursion $\phi X \cdot (\langle \overleftarrow{x} = x_0 = \overrightarrow{x} - 1\rangle_1 \mathbin{\#} X)$ generates an infinite sequence of intermediate states and increases variable $x$ at every step. Thus it equals a command

$$\Big\langle \bigwedge_{k < \infty} x_k = \overleftarrow{x} + k \Big\rangle_\infty.$$

3. DERIVED IMPERATIVE COMMANDS

Table II lists the LOGS commands for imperative programming, all defined with primitive LOGS commands.

Termination (or nontermination $\hat{}$) specifies a command that contains all possible terminating (or nonterminating) behaviors. Termination and nontermination are complements of each other. The (sequential) interactions between the extreme commands are shown in Table III.

LAW 8. (1) $\mathit{termination} \sqcap \hat{} = \bot$ (2) $\mathit{termination} \sqcup \hat{} = \top$

Evidently (from the top and bottom rows) both $\top$ and $\hat{}$ are left zeroes for sequential composition. Of course the laws do not enable us to show they coincide.


The important composition, partition, will be used to define recursion. As seen from its definition (Table II), the partition $P \mid Q$ combines the terminating behavior of $P$ with the nonterminating behavior of $Q$.

LAW 9. (1) $(P \mid R) \mid Q = P \mid Q$ (2) $P \mid (R \mid Q) = P \mid Q$

(3) $P = (P \mid P) = (P \mid \top) \sqcap (\top \mid P)$ (4) $(\top \mid P) \mathbin{\#} Q = \top \mid P$

LAW 10. (1) $P \mathbin{\#} Q = (P{\mid}\top \mathbin{\#} Q{\mid}\top) \mid (\top{\mid}P \sqcap (P{\mid}\top \mathbin{\#} \top{\mid}Q))$

(2) $P \sqcap Q = (P{\mid}\top \sqcap Q{\mid}\top) \mid (\top{\mid}P \sqcap \top{\mid}Q)$

(3) $P \sqcup Q = (P{\mid}\top \sqcup Q{\mid}\top) \mid (\top{\mid}P \sqcup \top{\mid}Q)$

(4) $\sim P = \sim(P{\mid}\top) \mid \sim(\top{\mid}P)$

Skip $\mathit{II}$ (the unit of sequential composition) and conditional magic $(b)_\top$ (skip if $b$, else magic) are special 0LOGS commands. They satisfy the following straightforward laws, which can be used to manipulate specification assumptions.

LAW 11. (1) $(b)_\top \mathbin{\#} P = P \sqcup ((b)_\top \mathbin{\#} \bot)$
(2) $P \mathbin{\#} (b)_\top = P \sqcup (\bot \mathbin{\#} (b)_\top)$
(3) $(b)_\top \mathbin{\#} \langle p \rangle_m = \langle b(\overleftarrow{\omega}) \wedge p \rangle_m$
(4) $\langle p \rangle_n \mathbin{\#} (b)_\top = \langle p \wedge b(\overrightarrow{\omega}) \rangle_n$
(5) $(a)_\top \mathbin{\#} (b)_\top = (a \wedge b)_\top$

where $n \in \mathbb{N}$ and $m \in \mathbb{N}_\infty$.

Binary conditional $P \lhd b \rhd Q$ can be derived from conditional magic: if $b$ is true in the initial state then $P$ is executed; otherwise $Q$ is executed. Loop ($\mathbf{while}\ b\ \mathbf{do}\ P$) is a special recursion that repeats $P$ if $b$ is true and otherwise skips. For example, the simplest recursion $\phi X \cdot X$ equals the empty loop ($\mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathit{II}$), which never terminates.

4. SEMANTICS OF LOGS

This section presents a denotational semantics for LOGS, following the approach of Hoare and He [1998]. In discovering the correspondence between semantic properties (i.e., healthiness conditions) and algebraic laws of (generalized) programs, Hoare and He made essential use of predicative semantics and healthiness transformers.

In a predicative semantics the denotation of each (generalized) program $P$ is a predicate, thought of as a binary relation describing the set of behaviors of $P$. For example, the predicate $\overrightarrow{x} = \overleftarrow{x} + 1$ (or equivalently the relation $\{(x, x+1) \mid x \in S\}$, where $S$ is the state space) denotes the sequential program $x := x + 1$ that increases $x$ by 1. The syntax of the predicate is no longer of primary importance: two predicates are considered the same if they describe the same relation. This style of semantics has the substantial advantage of employing only elementary, widely known mathematics, rendering the resulting theory accessible to most computer scientists. Technically, its advantages are first that it makes available set-theoretic operators like universal union and intersection for specifications, and second that it enables semantic denotations to be characterized using fixpoint equations called healthiness conditions. One semantic model is more concrete than another if it satisfies more healthiness conditions.

For simplicity, we assume that $x$ is the only program variable in $\omega$. That is little restriction, since in general the type of $\omega$ is a direct product of a type for each component. A LOGS specification corresponds to a set of behaviors, each of which is a triple $(\overleftarrow{x}, s, \overrightarrow{x})$ in which $\overleftarrow{x}$ denotes the initial state, $\overrightarrow{x}$ the final state, and $s$ a potentially infinite sequence of intermediate states. In describing sequences we let $S^\dagger \mathrel{\hat{=}} S^* \cup S^\omega$ denote the set of all sequences of states (including infinite sequences). If $s, t \in S^\dagger$ we let $s \frown t$ denote their concatenation; if $s$ is infinite, then $s \frown t = s$. We write $s \le t$ to mean that $s$ is a prefix of $t$, and $|s|$ for the length of $s$; the length of the empty sequence $[\,]$ is 0.

A set of behaviors is thus identified with a predicate $p(\overleftarrow{x}, s, \overrightarrow{x})$ on three variables. For example the command $\mathit{II}$ is identified with the predicate $(\overleftarrow{x} = \overrightarrow{x} \wedge s = [\,])$. A more convenient presentation is to encode the sequence $s$ as the difference of two sequences $\overleftarrow{tr}$ and $\overrightarrow{tr}$, which record the states before the initial and final states respectively [Hoare and He 1998]. A predicate $p(\overleftarrow{x}, s, \overrightarrow{x})$ on three variables can be transformed to a predicate on four variables using the predicate transformer $G$:
$$G(p) \mathrel{\hat{=}} \exists s \cdot (p \wedge \overleftarrow{tr} \frown s = \overrightarrow{tr}).$$
For example $(\overleftarrow{x} = \overrightarrow{x} \wedge s = [\,])$ is represented as $(\overleftarrow{x} = \overrightarrow{x} \wedge \overleftarrow{tr} = \overrightarrow{tr})$.

We now explain the use of healthiness transformers in characterizing the predicates arising as denotations of commands. Let us begin with an example. Suppose that a predicate $X(\overleftarrow{tr}, \overrightarrow{tr})$, of two free sequence variables, is deemed healthy iff $\overleftarrow{tr}$ is a prefix of $\overrightarrow{tr}$, that is, $\overleftarrow{tr} \le \overrightarrow{tr}$. In other words,
$$X(\overleftarrow{tr}, \overrightarrow{tr}) \Rightarrow (\overleftarrow{tr} \le \overrightarrow{tr}),$$
which by Boolean algebra holds iff
$$X = X \wedge (\overleftarrow{tr} \le \overrightarrow{tr}).$$
Defining the predicate transformer $H$ to equal the right-hand side, that identity becomes $X = H(X)$. Thus the predicates we wish to call healthy are the fixed points of the transformer $H$. But for idempotent $H$ (i.e., satisfying $H \circ H = H$), the set of fixed points equals the range of $H$. Since $H$ is also monotonic, that range is a complete sublattice of predicates (though in the general case with differing glb and lub). Such a predicate transformer transforms any unhealthy predicate to a healthy one. If the healthiness condition of a semantic model is expressed as the combination of several small healthiness conditions, we must show that the composition of the healthiness transformers is also idempotent and monotonic. For details we refer the reader to Hoare and He [1998] and Chen [2001, 2002].

We apply that approach now to LOGS. A predicate on four variables $\overleftarrow{x}$, $\overleftarrow{tr}$, $\overrightarrow{x}$, and $\overrightarrow{tr}$ denotes a valid LOGS command iff it satisfies the following restrictions:

(1) if $\overleftarrow{tr}$ is infinite, the behavior is arbitrary;
(2) $\overleftarrow{tr}$ is a prefix of $\overrightarrow{tr}$, and the computation represented by the predicate does not depend on the states (of $\overleftarrow{tr}$) before the initial state;
(3) if $\overrightarrow{tr}$ is infinite, the final state $\overrightarrow{x}$ is not observable.

These restrictions can be expressed using three healthiness transformers whose composition forms the healthiness transformer of LOGS. We first define the transformer
$$H_0(X) \mathrel{\hat{=}} X \vee \infty(\overleftarrow{tr})$$
that forces the computation to be chaotic if $\overleftarrow{tr}$ is already infinite, where the predicate $\infty(s) \mathrel{\hat{=}} (|s| = \infty)$ tests whether a sequence $s$ is infinite. A predicate $X$ observes restriction (1) iff it satisfies the healthiness condition $X = H_0(X)$.

Another transformer
$$H_\leftrightarrow(X) \mathrel{\hat{=}} \exists u, v \cdot \bigl( X[u/\overleftarrow{tr}, v/\overrightarrow{tr}] \;\wedge\; \exists s \cdot (u \frown s = v \wedge \overleftarrow{tr} \frown s = \overrightarrow{tr}) \;\wedge\; u \sim \overleftarrow{tr} \wedge v \sim \overrightarrow{tr} \bigr)$$
allows the sequences $\overleftarrow{tr}$ and $\overrightarrow{tr}$ to be shifted forward or backward, where the predicate $s \sim t \mathrel{\hat{=}} (\infty(s) \Leftrightarrow \infty(t))$ limits the distance of shifting by requiring the two sequences to be either both finite or both infinite. The transformer maps its argument to a computation whose behaviors do not depend on the history before its initial state. The above healthiness condition also requires $\overleftarrow{tr}$ to be a prefix of $\overrightarrow{tr}$, that is, $\overleftarrow{tr} \le \overrightarrow{tr}$. A predicate $X$ observes restriction (2) iff it satisfies the healthiness condition $X = H_\leftrightarrow(X)$.

The third transformer
$$H_\infty(X) \mathrel{\hat{=}} \exists x \cdot \bigl( X[x/\overrightarrow{x}] \wedge (\infty(\overrightarrow{tr}) \vee x = \overrightarrow{x}) \bigr)$$
forces the final state $\overrightarrow{x}$ to be chaotic if $\overrightarrow{tr}$ is infinite. A predicate $X$ observes restriction (3) iff it satisfies the healthiness condition $X = H_\infty(X)$. (Those definitions can be systematically simplified using the technique of generic composition [Chen 2002].)

All three predicate transformers $H_0$, $H_\leftrightarrow$, and $H_\infty$ are monotonic and idempotent; so is their functional composition $H(X) \mathrel{\hat{=}} H_\infty \circ H_\leftrightarrow \circ H_0 (X)$, which transforms any predicate on the four variables to a predicate that corresponds to some valid LOGS command. A predicate $X$ observes the three restrictions iff it is healthy in the sense that it satisfies the healthiness condition $X = H(X)$.

The healthy predicates form a complete lattice under the refinement order
$$X \sqsubseteq Y \mathrel{\hat{=}} \forall \overleftarrow{x}, \overleftarrow{tr}, \overrightarrow{x}, \overrightarrow{tr} \cdot (Y \Rightarrow X)$$
whose top, bottom, glb, and lub are $\top$, $\bot$, $\vee$, and $\wedge$, respectively, where
$$\top \mathrel{\hat{=}} \infty(\overleftarrow{tr}) \wedge \overleftarrow{tr} = \overrightarrow{tr} \qquad\text{and}\qquad \bot \mathrel{\hat{=}} \overleftarrow{tr} \le \overrightarrow{tr}.$$

Table IV lists the semantic definitions of the primitive LOGS commands. In an nLOGS command $\langle p \rangle_\infty$ the sequence of intermediate states is infinite. Since we take a set-theoretic view of predicates, such flexibility of infinitely many variables causes no inconvenience. Sequential composition is simply relational composition, nondeterministic choice is disjunction, and parallel composition is conjunction. In the appendix we show that the disjunction and conjunction of two healthy predicates are also healthy; however we shall see that negation is logical negation followed by the predicate transformer $H$, to leave a healthy result.

Table IV. Semantics of Primitive LOGS Commands

$\langle p \rangle_n \mathrel{\hat{=}} H \circ G\,\bigl( \exists x_0 \cdots x_{n-1} \cdot (p \wedge s = [x_0, \ldots, x_{n-1}]) \bigr)$

$P \mathbin{\#} Q \mathrel{\hat{=}} \exists x, tr \cdot \bigl( P[x/\overrightarrow{x}, tr/\overrightarrow{tr}] \wedge Q[x/\overleftarrow{x}, tr/\overleftarrow{tr}] \bigr)$

$P \sqcap Q \mathrel{\hat{=}} P \vee Q$

$P \sqcup Q \mathrel{\hat{=}} P \wedge Q$

$\sim P \mathrel{\hat{=}} H(\neg P)$

$\phi f \mathrel{\hat{=}} \mu X \cdot f(\nu f \mid X)$

The modeling of general recursion is subtle. Since (unbounded) nondeterminism is allowed, a recursion does not guarantee a unique fixpoint. Among all fixpoints, we must determine the one that is consistent with the programmer's intuition and at the same time convenient for our semantic studies. Tarski's fixpoint theorem [Tarski 1955; Cousot and Cousot 1979] is the standard technique for determining the least fixpoint of a monotonic function over a complete lattice (or a well-founded partial order if the function is known to have some fixpoint). LOGS specifications can be ordered by various well-founded partial orders. The least fixpoint with regard to the refinement order $\sqsubseteq$ is the weakest (or most chaotic) fixpoint, denoted $\mu f$. The least fixpoint with regard to the reverse refinement order $\sqsupseteq$ is the strongest (or most miraculous) fixpoint $\nu f$. Various other orders have been proposed. All of them are applicable in some circumstances, but none of them is universally applicable.

Let $\sqsubseteq_\top$ be a well-founded partial order. Any calculation of Tarski's least fixpoint starts from the bottom $\bot_\top$ of the order. Note that $\sqsubseteq_\top$ should be a partial order if we want to pinpoint fixpoints uniquely using Tarski's theorem. The corresponding function $f(X) = X$ of the empty loop $\phi X \cdot X$ immediately reaches its least fixpoint $\bot_\top$. Since the empty loop never terminates, its semantics must not contain any terminating behavior; otherwise, for example, if its semantics were chaos $\bot$, we would have the undesirable inequality $\bot_\top \mathbin{\#} \langle s = [1] \rangle_1 \ne \bot_\top$, in which $\overleftarrow{tr}$ and $\overrightarrow{tr}$ can be equal on the right-hand side but cannot be equal on the left-hand side. Such a counterintuitive interpretation is the result of an incorrect semantic assumption concerning the empty loop. Thus we conclude that $\bot_\top \sqsupseteq \mathit{nonterm}$. On the other hand, the empty loop is an executable program that at least generates some outputs. Thus its semantics must not be empty, that is, $\top \sqsupset \bot_\top$.

In summary, the required order $\sqsubseteq_\top$ must satisfy the following:

(A) $\sqsubseteq_\top$ is a well-founded partial order,
(B) $\top \sqsupset \bot_\top \sqsupseteq \mathit{nonterm}$, where $\bot_\top$ is the bottom of the order,
(C) all LOGS compositions are $\sqsubseteq_\top$-monotonic.


Unfortunately such an order $\sqsubseteq_\top$ does not exist [Chen 2003]. We need a new technique called partitioned fixpoint (see Table IV for the definition). The basic property of the partitioned fixpoint is that if a $\sqsubseteq$-monotonic function $f$ is distributive, $f(X{\mid}\top) = f(X{\mid}\top){\mid}\top$ for any command $X$, then the partitioned fixpoint satisfies Law 7. In general, a LOGS recursion without negation is monotonic with regard to the refinement order. For example, the empty loop $\phi X \cdot X$ can be determined as $\mathit{nonterm}$.

Law 10 guarantees that all LOGS compositions (including negation) satisfy the distributivity condition, and thus the partitioned fixpoint of any $\sqsubseteq$-monotonic LOGS recursion is well defined. For a thorough analysis of partitioned fixpoints, see Chen [2003].

The syntactic structure of any LOGS command is a tree whose leaves are nLOGS commands and whose internal nodes are compositions or the recursion operator. A command is said to be finite if its syntactic structure consists of only a finite number of finite primitive LOGS commands, each of which is an nLOGS command (where $n < \infty$ and the internal predicate has finite syntax), a sequential composition, a binary nondeterministic choice, a binary parallel composition, or a negation. For example, the command $\langle \overleftarrow{x} + 1 = \overrightarrow{x} \rangle_0 \sqcup {\sim}\langle \overleftarrow{x} = \overrightarrow{x} \rangle_1$ is finite; but the commands $\langle \overleftarrow{x} + 1 = \overrightarrow{x} \rangle_\infty$, $\bigsqcup_{n<\infty} \langle \overleftarrow{x} + 1 = \overrightarrow{x} \rangle_n$, and $\phi X \cdot (\langle \overleftarrow{x} + 1 = \overrightarrow{x} \rangle_1 \mathbin{\#} X)$ are not.

The following basic results of LOGS semantics are proved in the appendix.

THEOREM 1 (HEALTHINESS). All LOGS commands are healthy.

THEOREM 2 (SOUNDNESS). All LOGS laws are sound.

THEOREM 3 (COMPLETENESS). The set of LOGS laws is complete in the sense that if two finite LOGS commands are semantically equal, then their equality can be proved using (just) the laws of LOGS and first-order logic.

The completeness result has important implications. For example, inconsistency within a finite command is always detectable by checking whether the command is equal to magic $\top$. There is no similar result for nonfinite commands with recursion. Nevertheless, semantic properties of nonfinite commands may still be manually provable in many circumstances. This will be demonstrated in the second case study in Section 7.
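The semantics of Table IV can be executed directly on a small state space. The following is an added example, not code from the paper: a set-based model of the terminating fragment of LOGS in which a command is the set of its behaviors $(\overleftarrow{x}, s, \overrightarrow{x})$, sequential composition is relational composition, $\sqcap$ is union and $\sqcup$ is intersection. It assumes a three-element state space, a cut-off WINDOW on the number of intermediate states kept (exact for terminating commands, since every behavior of $P \mathbin{\#} Q$ with at most WINDOW intermediate states arises from behaviors of $P$ and $Q$ that are themselves within the window), and constructed predicates inc, inc2, dbl, even and nonzero; all names are the example's own. It checks instances of Laws 11, 13, 16, and 18 by set equality and shows the inconsistency check of the completeness discussion: a contradictory 0LOGS command comes out as magic, the empty set.

```python
"""Finite-state model of the terminating fragment of LOGS (added example).

A behaviour is a triple (init, inter, final): the initial state, the tuple of
intermediate states (one per synchronisation point) and the final state.
A command is the set of its behaviours.  Only terminating commands are
modelled, so every intermediate sequence is finite; sequences longer than
WINDOW are dropped, which is exact for the laws checked below.
"""
from itertools import product

STATES = (0, 1, 2)          # constructed toy state space: x ranges over Z_3
WINDOW = 4                  # maximal number of intermediate states kept


def nlogs(n, pred):
    """<p>_n : behaviours with exactly n intermediate states satisfying pred(init, inter, final)."""
    return {(a, s, b) for a in STATES for s in product(STATES, repeat=n)
            for b in STATES if pred(a, s, b)}


def seq(P, Q):
    """P # Q : relational composition, concatenating the intermediate sequences."""
    return {(a, s + t, c) for (a, s, b) in P for (b2, t, c) in Q
            if b == b2 and len(s) + len(t) <= WINDOW}


def choice(P, Q):            # P ⊓ Q : nondeterministic choice is union
    return P | Q


def par(P, Q):               # P ⊔ Q : parallel composition is intersection
    return P & Q


MAGIC = set()                            # ⊤ : no behaviour at all
SKIP = {(a, (), a) for a in STATES}      # II


def cond_magic(b):
    """(b)_⊤ : skip if b holds in the initial state, magic otherwise."""
    return {(a, (), a) for a in STATES if b(a)}


def transition(p):
    """[p] : one synchronisation point at which the initial state is still visible."""
    return nlogs(1, lambda a, s, b: s[0] == a and p(a, b))


def prepost(p):
    """|[p]| : any number of chaotic steps, final state related to initial by p."""
    out = set()
    for n in range(WINDOW + 1):
        out |= nlogs(n, lambda a, s, b: p(a, b))
    return out


def rep(P, n):
    """P^n : n sequential copies of P, starting from skip."""
    R = SKIP
    for _ in range(n):
        R = seq(R, P)
    return R


def rep_set(P, lam):
    """P^λ : nondeterministic choice of P^n for n in a finite index set λ."""
    out = set()
    for n in lam:
        out |= rep(P, n)
    return out


def safety(p):
    """|p| = [p]^+ restricted to the window (the infinite repetition lies outside it)."""
    return rep_set(transition(p), range(1, WINDOW + 1))


# constructed predicates on Z_3
inc = lambda a, b: b == (a + 1) % 3       # x' = x + 1
inc2 = lambda a, b: b == (a + 2) % 3      # x' = x + 2
dbl = lambda a, b: b == (2 * a) % 3       # x' = 2x
even = lambda a: a % 2 == 0
nonzero = lambda a: a != 0


def check_laws():
    """Instances of LOGS laws checked as set equalities; True means the instance holds."""
    results = {}
    # Law 11(5): (a)_⊤ # (b)_⊤ = (a ∧ b)_⊤
    results["law11_5"] = seq(cond_magic(even), cond_magic(nonzero)) == \
        cond_magic(lambda a: even(a) and nonzero(a))
    # Law 11(3): (b)_⊤ # <p>_m = <b(initial) ∧ p>_m
    results["law11_3"] = seq(cond_magic(even), nlogs(2, lambda a, s, b: inc(a, b))) == \
        nlogs(2, lambda a, s, b: even(a) and inc(a, b))
    # Law 18(3): |[p]| # |[q]| = |[∃ω . p(initial, ω) ∧ q(ω, final)]|
    results["law18_3"] = seq(prepost(inc), prepost(dbl)) == \
        prepost(lambda a, b: any(inc(a, w) and dbl(w, b) for w in STATES))
    # Law 16(5): |p| ⊔ [q] = [p ∧ q]
    results["law16_5"] = par(safety(inc), transition(dbl)) == \
        transition(lambda a, b: inc(a, b) and dbl(a, b))
    # Law 13(1) and 13(3) for finite index sets: {1,2}+{0,1} = {1,2,3}, {1,2}∪{2,3} = {1,2,3}
    T = transition(inc)
    results["law13_1"] = seq(rep_set(T, {1, 2}), rep_set(T, {0, 1})) == rep_set(T, {1, 2, 3})
    results["law13_3"] = choice(rep_set(T, {1, 2}), rep_set(T, {2, 3})) == rep_set(T, {1, 2, 3})
    # an inconsistent finite command equals magic (x+1 and x+2 never agree in Z_3)
    results["inconsistent_is_magic"] = par(nlogs(0, lambda a, s, b: inc(a, b)),
                                           nlogs(0, lambda a, s, b: inc2(a, b))) == MAGIC
    return results
```

Because the check compares finite sets, a failing law instance is refuted outright, while a passing check only shows agreement within the window; that is the usual bounded-model caveat, and it is why nonterminating commands, whose behaviors carry an infinite $s$, are kept out of this model.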

5. DERIVED LOGS COMMANDS FOR SAFETY AND LIVENESS

In specifying reactive systems several derived LOGS commands are extremely useful. Table V lists the definitions of the LOGS commands for safety and liveness properties, all derived from the primitive LOGS commands.

Repetition $P^n$ repeats a command $P$ sequentially $n$ times. Zero repetition $P^0$ is skip. Infinite repetition $P^\infty$ repeats $P$ infinitely many times. For example $\langle \overleftarrow{x} + 1 = x_0 = \overrightarrow{x} \rangle_1^\infty$ specifies a nonterminating command that increases variable $x$ by 1 at every synchronization point. General repetition $P^\lambda$, for $\lambda$ a nonempty subset of $\mathbb{N}_\infty$, is the nondeterministic choice of $n$-time repetitions for all $n \in \lambda$. The other repetition operators are special cases of general repetition:
$$P^n = P^{\{n\}}\ (n \in \mathbb{N}_\infty), \quad P^* = P^{\mathbb{N}_\infty}, \quad P^\sim = P^{\mathbb{N}}, \quad P^+ = P^{\mathbb{N}_\infty \setminus \{0\}}, \quad P^\oplus = P^{\mathbb{N} \setminus \{0\}}.$$
Repetitions of some primitive commands are shown in Table VI. General repetition is always monotonic with regard to the refinement order. Infinite repetition can always be refined by a nonterminating loop.

Table V. Definitions of Derived Commands for Safety and Liveness

$$
\begin{array}{ll}
P^0 \mathrel{\hat{=}} \mathit{II} & \text{zero repetition} \\
P^n \mathrel{\hat{=}} P \mathbin{\#} P^{n-1} & \text{repetition } n \text{ times } (0 < n < \infty) \\
P^\infty \mathrel{\hat{=}} \bigsqcup_{n<\infty} (P^n \mathbin{\#} \mathit{nonterm}) & \text{infinite repetition} \\
P^* \mathrel{\hat{=}} \mathop{\sqcap}_{n \le \infty} P^n & \text{arbitrary repetition} \\
P^\sim \mathrel{\hat{=}} \mathop{\sqcap}_{n < \infty} P^n & \text{finite repetition} \\
P^+ \mathrel{\hat{=}} P \mathbin{\#} P^* & \text{nonzero repetition} \\
P^\oplus \mathrel{\hat{=}} P \mathbin{\#} P^\sim & \text{nonzero finite repetition} \\
P^\lambda \mathrel{\hat{=}} \mathop{\sqcap}_{n \in \lambda} P^n & \text{general repetition } (\{\} \subset \lambda \subseteq \mathbb{N}_\infty) \\
[\,p(\overleftarrow{\omega}, \overrightarrow{\omega})\,] \mathrel{\hat{=}} \langle p \wedge \overleftarrow{\omega} = \omega_0 \rangle_1 & \text{transition} \\
|p| \mathrel{\hat{=}} [\,p\,]^+ & \text{always-true safety property} \\
|[\,q(\overleftarrow{\omega}, \overrightarrow{\omega})\,]| \mathrel{\hat{=}} \mathop{\sqcap}_{n<\infty} \langle q(\overleftarrow{\omega}, \overrightarrow{\omega}) \rangle_n & \text{terminating liveness property} \\
P \Rightarrow Q \mathrel{\hat{=}} {\sim}P \sqcap Q & \text{rely-guarantee specification} \\
\Diamond P \mathrel{\hat{=}} \mathit{term} \mathbin{\#} P \mathbin{\#} \bot & \text{temporal operator of possibility} \\
\Box P \mathrel{\hat{=}} {\sim}\Diamond{\sim}P & \text{temporal operator of necessity}
\end{array}
$$

Table VI. Repetitions of the Extreme Commands and Skip ($0 < n < \infty$)

$$
\begin{array}{c|ccccccc}
P & P^0 & P^n & P^\infty & P^* & P^\sim & P^+ & P^\oplus \\ \hline
\top & \mathit{II} & \top & \top & \mathit{II} & \mathit{II} & \top & \top \\
\bot & \mathit{II} & \bot & \mathit{nonterm} & \bot & \bot & \bot & \bot \\
\mathit{term} & \mathit{II} & \mathit{term} & \mathit{nonterm} & \bot & \mathit{term} & \bot & \mathit{term} \\
\mathit{nonterm} & \mathit{II} & \mathit{nonterm} & \mathit{nonterm} & \mathit{II} \sqcap \mathit{nonterm} & \mathit{II} \sqcap \mathit{nonterm} & \mathit{nonterm} & \mathit{nonterm} \\
\mathit{II} & \mathit{II} & \mathit{II} & \mathit{nonterm} & \mathit{II} \sqcap \mathit{nonterm} & \mathit{II} & \mathit{II} \sqcap \mathit{nonterm} & \mathit{II}
\end{array}
$$

LAW 12. (1) $P^\lambda \sqsubseteq Q^\lambda$ if $P \sqsubseteq Q$
(2) $P^\lambda \mathbin{\#} \mathit{nonterm} \;\sqsubseteq\; P^\infty \;\sqsubseteq\; P^\lambda \mathbin{\#} P^\infty \;\sqsubseteq\; \mathbf{while}\ \mathit{true}\ \mathbf{do}\ P$

The pointwise sum of two sets $\lambda, \mu \subseteq \mathbb{N}_\infty$ is $\lambda + \mu \mathrel{\hat{=}} \{n + m \mid n \in \lambda, m \in \mu\}$ and satisfies $\lambda + \mu = \mu + \lambda$, where we assume that $\infty + n = n + \infty = \infty$ for any $n \in \mathbb{N}_\infty$. Let $n \cdot \lambda$ denote the sum of $\lambda$ with itself $n < \infty$ times, $\infty \cdot \lambda \mathrel{\hat{=}} \{\infty\}$ ($0 \notin \lambda$), and $\mu \cdot \lambda \mathrel{\hat{=}} \bigcup_{n \in \mu} n \cdot \lambda$. General repetitions of a LOGS command can be merged.

LAW 13.
(1) $P^\lambda \mathbin{\#} P^\mu = P^{(\lambda + \mu)}$ ($\infty \in \lambda$ or $\infty \notin \mu$)
(2) $(P^\lambda)^\mu = P^{(\mu \cdot \lambda)}$ ($0 \notin \lambda$ or $\infty \notin \mu$)
(3) $P^\lambda \sqcap P^\mu = P^{(\lambda \cup \mu)}$
(4) $P^\lambda \sqcup P^\mu \sqsubseteq P^{(\lambda \cap \mu)}$


Using partitions, we can reason separately about the terminating and nonterminating behaviors of a repetition. The following laws are essential properties of repetitions.

LAW 14. (1) $P^* = (P{\mid}\top)^* \mathbin{\#} (\mathit{II}{\mid}P)$
(2) $P^\sim = (P{\mid}\top)^\sim \mathbin{\#} (\mathit{II}{\mid}P)$
(3) $P^+ = (P{\mid}\top)^* \mathbin{\#} P$
(4) $P^\oplus = (P{\mid}\top)^\sim \mathbin{\#} P$
(5) $P^\infty = \top{\mid}P^\infty = (P{\mid}\top)^* \mathbin{\#} (\top{\mid}P)$

The initial state of a process in a distributed system is local and so not directly accessible to other processes. A transition $[\,p(\overleftarrow{\omega}, \overrightarrow{\omega})\,]$ is a 1LOGS command that keeps a stable state up to the first synchronization point, so that other processes can access the process's initial state by observing its first intermediate state. For example the transition $[\,\overleftarrow{x} + 1 = \overrightarrow{x}\,]$ increases the value of $x$ by 1 in the final state but keeps the intermediate state unchanged from the initial state. In PRAM, the above transition is implemented as the assignment statement $x := x + 1$. In BSP, however, it is normally implemented as ($\mathbf{put}\ x := x + 1;\ \mathbf{sync}$), in which the local update of the state is postponed until the synchronization $\mathbf{sync}$ completes. If other processes also hold cached copies of the variable $x$, the communication command $\mathbf{put}$ broadcasts to those processes and "simultaneously" updates all the copies at the synchronization point. That means all processes that share a variable are able to read the latest value of the variable at the same time after the synchronization point. Such a feature helps tremendously to simplify reasoning about reactive systems (see the case study in Section 7).

Infinite repetition of transitions satisfies the following laws, in which ($\mathit{term} \mathbin{\#} [\,p\,]^\infty$) describes a process that eventually repeats the transition $[\,p\,]$ continuously forever. Infinite repetition of a transition is an infinite LOGS command and equals the transition's nonterminating loop.

LAW 15. (1) $\mathit{term} \mathbin{\#} [\,p(\overleftarrow{\omega})\,]^\infty = \mathit{term} \mathbin{\#} [\,p(\overrightarrow{\omega})\,]^\infty$
(2) $(\mathit{term} \mathbin{\#} [\,p\,]^\infty) \sqcup (\mathit{term} \mathbin{\#} [\,q\,]^\infty) = \mathit{term} \mathbin{\#} [\,p \wedge q\,]^\infty$
(3) $[\,p\,]^\infty = \Bigl\langle \overleftarrow{\omega} = \omega_0 \wedge \bigwedge_{n<\infty} p(\omega_n, \omega_{n+1}) \Bigr\rangle_\infty = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ [\,p\,]$

An important kind of always-true safety property $|p|$, the nonzero arbitrary repetition of the transition $[\,p\,]$, becomes, respectively, magic, an $n$-time repetition ($n > 0$), a finite repetition, or an infinite repetition when it is conjoined in parallel with a 0LOGS command, an nLOGS command, termination $\mathit{term}$, or nontermination $\mathit{nonterm}$. A transition conjoined with a safety property is still a transition. Two safety properties in parallel form a conjunctive safety property.

LAW 16. (1) $|p| \sqcup \langle q \rangle_0 = \top$
(2) $|p| \sqcup \langle q \rangle_n = [\,p\,]^n \sqcup \langle q \rangle_n$ ($n > 0$)
(3) $|p| \sqcup \mathit{term} = [\,p\,]^\sim$
(4) $|p| \sqcup \mathit{nonterm} = [\,p\,]^\infty$
(5) $|p| \sqcup [\,q\,] = [\,p \wedge q\,]$
(6) $|p| \sqcup |q| = |p \wedge q|$

For example $|\mathit{true}| = \mathop{\sqcap}_{0 < n \le \infty} \langle \overleftarrow{\omega} = \omega_0 \rangle_n$ specifies a safety property stating that the first intermediate state is unchanged from the initial state, so that all states are globally observable. A command $P$ satisfying the safety property (i.e., $P \sqsupseteq |\mathit{true}|$) is called global. All transitions are global. Safety property $|p|$ distributes through various structures of global commands, including sequential composition and repetition. In particular, Law 17(3) allows a safety property "eventually" to distribute through the infinite repetition of a terminating global command. In Law 17, we assume $P$, $Q$, and $R$ all to be global.

LAW 17. (1) $|p| \sqcup P^\lambda = (|p| \sqcup P)^\lambda$ ($0 \notin \lambda$)
(2) $|p| \sqcup (Q \mathbin{\#} R) = (|p| \sqcup Q) \mathbin{\#} (|p| \sqcup R)$
(3) $(\mathit{term} \mathbin{\#} |p|) \sqcup (\mathit{term} \mathbin{\#} P^\infty) = \mathit{term} \mathbin{\#} (|p| \sqcup P)^\infty$ if $P \sqsupseteq \mathit{term}$

Terminating pre-post specification $|[\,p(\overleftarrow{\omega}, \overrightarrow{\omega})\,]|$ is a typical kind of liveness property, in which the final state is related to the initial state by the internal predicate $p$. A finite number of synchronization points are allowed before termination, although the intermediate states at these points are "chaotic" and no useful information can be extracted by observing them. For example $|[\,\overleftarrow{x} + 1 = \overrightarrow{x}\,]|$ terminates after finitely many steps and eventually increases the value of $x$ by 1. The parallel composition of pre-post commands becomes a conjunction of their internal predicates, while a nondeterministic choice becomes a disjunction.

LAW 18. (1) $|[\,p\,]| \sqcup |[\,q\,]| = |[\,p \wedge q\,]|$ (2) $|[\,p\,]| \sqcap |[\,q\,]| = |[\,p \vee q\,]|$
(3) $|[\,p\,]| \mathbin{\#} |[\,q\,]| = \bigl|[\,\exists \omega \cdot (p(\overleftarrow{\omega}, \omega) \wedge q(\omega, \overrightarrow{\omega}))\,]\bigr|$

Rely-guarantee specification is a general form of logical implication. A computation satisfies a rely-guarantee condition $P \Rightarrow Q$ iff whenever $P$ is satisfied, $Q$ is guaranteed. Thus $P \Rightarrow Q$ allows any computation that does not satisfy $P$, in which case it need not guarantee $Q$. This corresponds to the rely-guarantee specifications in TLA [Lamport 1994] and UNITY [Chandy and Misra 1988] and satisfies the following laws:

LAW 19. (1) $P \sqcup (P \Rightarrow Q) = P \sqcup Q$
(2) $P \Rightarrow Q = \bot$ iff $Q \sqsubseteq P$

The temporal operator $\Diamond P$ specifies the liveness property that the computation "eventually" behaves like the command $P$, while the temporal operator $\Box P$ specifies the safety property that the computation "always" behaves like the command $P$. Here $P$ can be any LOGS command, not necessarily a transition. Both temporal operators are semantic notions. The standard modal axioms [Blackburn et al. 2001] of reflexivity, transitivity, and seriality now become algebraic laws.

LAW 20. (1) $\Box P \Rightarrow P = \bot$
(2) $\Box P \Rightarrow \Box\Box P = \bot$
(3) $\Box P \Rightarrow \Diamond P = \bot$

The above LOGS commands can be used to support rely-guarantee and temporal-logic styles of reasoning, although the emphasis of this paper is imperative parallel programming.


6. CASE STUDY I: MATRIX MULTIPLICATION

In this section we demonstrate LOGS at work on a numerical, terminating BSP algorithm.

The multiplication of two $n \times n$ matrices $A$ and $B$ is written $C = A \cdot B$, where the result $C$ is also an $n \times n$ matrix. For any pair of indices $a, b < n$ we have
$$C[a][b] = \sum_{c<n} A[a][c] \times B[c][b].$$
The problem can be formalized in LOGS as a (terminating) pre-post specification (with finitely many intermediate synchronizations):

SPEC 1. $\mathrel{\hat{=}} \bigl|[\,\overrightarrow{C} = \overleftarrow{A} \cdot \overleftarrow{B}\,]\bigr|$

A standard parallel algorithm for $p$ processors is to partition the result matrix $C$ into $p^{1/2} \times p^{1/2}$ blocks, each of which includes $n/p^{1/2}$ rows and $n/p^{1/2}$ columns and is located on a single processor. We use $C_{ij}$ to denote the block in row $i$ and column $j$, where $i, j < p^{1/2}$; $A$ and $B$ are partitioned similarly and distributed arbitrarily and evenly over the processors.

Each processor holding block $C_{ij}$ must receive $H = O(n^2/p^{1/2})$ data from other processors to carry out $W = O(n^3/p)$ local multiplications. All communications can be done in one step, and thus only $S = 1$ synchronization is needed.

SPEC 2. $\mathrel{\hat{=}} \bigsqcup_{i, j < p^{1/2}} \Bigl\langle \overrightarrow{C}_{ij} = \sum_{k < p^{1/2}} \overleftarrow{A}_{ik} \cdot \overleftarrow{B}_{kj} \Bigr\rangle_1$

Its BSP cost, using (2), is
$$O(n^3/p) + O(n^2/p^{1/2}) \cdot g + l, \tag{3}$$
and the following proposition is apparent:

PROPOSITION 4. SPEC 1 $\sqsubseteq$ SPEC 2

However, the above algorithm turns out not to be optimal for communication. Valiant [1990] proposed another parallel algorithm for matrix multiplication. Each input matrix $A$ (or $B$) is partitioned into $p^{1/3} \times p^{1/3}$ blocks $A_{ij}$ (or $B_{ij}$), $i, j < p^{1/3}$, each of size $(n/p^{1/3}) \times (n/p^{1/3})$. All matrices $A$, $B$, and $C$ are distributed arbitrarily and evenly.

To record the intermediate results, we need a new $p^{1/3} \times p^{1/3} \times p^{1/3}$ matrix $D$ of $(n/p^{1/3}) \times (n/p^{1/3})$ blocks. Each block $D_{ijk}$ is located on a single processor $P_{ijk}$ and can be calculated in one step.

SPEC 3. $\mathrel{\hat{=}} \bigsqcup_{i, j, k < p^{1/3}} \bigl\langle \overrightarrow{D}_{ijk} = \overleftarrow{A}_{ij} \cdot \overleftarrow{B}_{jk} \bigr\rangle_1$

Each processor holding $D_{ijk}$ receives only $O(n^2/p^{2/3})$ data, from $A_{ij}$ and $B_{jk}$, whose multiplication takes $O(n^3/p)$ steps sequentially. Thus the BSP cost is
$$O(n^3/p) + O(n^2/p^{2/3}) \cdot g + l. \tag{4}$$


In the second step, each element $C[a][b]$ of the result matrix is calculated by summing the intermediate results of $D$ from the $p^{1/3}$ corresponding processors. Let $I_{ijk}$ denote the set of $n^2/p$ index pairs of matrix $C$ located on processor $P_{ijk}$.

SPEC 4. $\mathrel{\hat{=}} \bigsqcup_{i, j, k < p^{1/3}} \Bigl\langle \bigwedge_{(a, b) \in I_{ijk}} \overrightarrow{C}[a][b] = \sum_{j < p^{1/3}} \bigl( \overleftarrow{D}_{(a\ \mathrm{div}\ m)\, j\, (b\ \mathrm{div}\ m)} \bigr)[a \bmod m][b \bmod m] \Bigr\rangle_1$

where $m \mathrel{\hat{=}} n/p^{1/3}$ and each $\overleftarrow{D}_{(a\ \mathrm{div}\ m)\, j\, (b\ \mathrm{div}\ m)}$ is an $m \times m$ matrix; the sum runs over the $p^{1/3}$ middle block indices.

For each $C[a][b]$, this step requires only $O(p^{1/3})$ communications and no more than the same number of local additions. Each processor holds $n^2/p$ elements of the result matrix $C$. Thus the total BSP cost of this step is bounded by
$$O(n^2/p^{2/3}) + O(n^2/p^{2/3}) \cdot g + l. \tag{5}$$

The sequential composition of the two steps forms a refinement of the original specification:

PROPOSITION 5. SPEC 1 $\sqsubseteq$ (SPEC 3 $\mathbin{\#}$ SPEC 4).

PROOF. We simply use Law 1 to calculate the right-hand side:

SPEC 3 $\mathbin{\#}$ SPEC 4

$\sqsupseteq \Bigl\langle \bigwedge_{a, b < n} \overrightarrow{C}[a][b] = \sum_{j < p^{1/3}} \bigl( \overleftarrow{A}_{(a\ \mathrm{div}\ m)\, j} \cdot \overleftarrow{B}_{j\, (b\ \mathrm{div}\ m)} \bigr)[a \bmod m][b \bmod m] \Bigr\rangle_2$

$= \Bigl\langle \bigwedge_{a, b < n} \overrightarrow{C}[a][b] = \sum_{j < p^{1/3}} \sum_{l < m} \overleftarrow{A}[a][j \times m + l] \times \overleftarrow{B}[j \times m + l][b] \Bigr\rangle_2$

$= \bigl\langle \overrightarrow{C} = \overleftarrow{A} \cdot \overleftarrow{B} \bigr\rangle_2$

$\sqsupseteq \bigl|[\,\overrightarrow{C} = \overleftarrow{A} \cdot \overleftarrow{B}\,]\bigr|$

$=$ SPEC 1. $\square$

The local computational cost of (4) overwhelms that of (5). Thus the overall cost (4)+(5) contains fewer communications but one more synchronization than (3):
$$O(n^3/p) + O(n^2/p^{2/3}) \cdot g + 2l.$$

The final specification can be transformed to pseudo BSP code using refinement laws for local variables (see Chen [2001]).

    ‖_{i, j, k < p^{1/3}} ( get D_{ijk} := A_{ij} · B_{jk} ;
                            sync ;
                            for (a, b) ∈ I_{ijk}
                                get C[a][b] := Σ_{j < p^{1/3}} (D_{(a div m) j (b div m)})[a mod m][b mod m] ;
                            sync )
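As an added example (not from the paper), the two supersteps of SPEC 3 $\mathbin{\#}$ SPEC 4 are simulated below for $p = 64$ processors and $n = 16$, beside the one-superstep algorithm of SPEC 2. The processor-to-data assignment (contiguous runs of $n^2/p$ result entries per processor), the input matrices, and all function names are constructed for the example; the returned $h$ values count the words a processor receives in a superstep, which is the quantity that the costs (3), (4), and (5) bound.

```python
"""Two-superstep BSP matrix multiplication (Valiant's scheme) as an added example.

Constructed model: p = q**3 processors P_ijk; "received" counts the words a
processor fetches from other processors in one superstep (the BSP h term).
"""
from itertools import product


def matmul(A, B):
    """Plain sequential product, used both for the blocks and as the oracle."""
    n = len(A)
    return [[sum(A[a][c] * B[c][b] for c in range(n)) for b in range(n)] for a in range(n)]


def block(M, i, j, m):
    """The (i, j) block of size m x m of the square matrix M."""
    return [row[j * m:(j + 1) * m] for row in M[i * m:(i + 1) * m]]


def valiant_bsp(A, B, p):
    """SPEC 3 # SPEC 4: returns (C, words received in step 1, words received in step 2)."""
    n = len(A)
    q = round(p ** (1 / 3))
    assert q ** 3 == p and n % q == 0, "p must be a cube and p^(1/3) must divide n"
    m = n // q                                   # block size m = n / p^{1/3}
    procs = list(product(range(q), repeat=3))    # processor P_ijk

    # superstep 1 (SPEC 3): P_ijk fetches A_ij and B_jk and forms D_ijk = A_ij . B_jk
    D, recv1 = {}, {}
    for (i, j, k) in procs:
        recv1[(i, j, k)] = 2 * m * m
        D[(i, j, k)] = matmul(block(A, i, j, m), block(B, j, k, m))
    # ---- sync ----

    # superstep 2 (SPEC 4): each processor owns n^2/p result entries I_ijk and
    # fetches the p^{1/3} partial products for each of them
    per_proc = (n * n) // p
    cells = [(a, b) for a in range(n) for b in range(n)]
    owner = {cells[t]: procs[t // per_proc] for t in range(n * n)}   # constructed I_ijk
    C, recv2 = [[0] * n for _ in range(n)], {pr: 0 for pr in procs}
    for (a, b), pr in owner.items():
        total = 0
        for j in range(q):                       # sum over the middle block index
            total += D[(a // m, j, b // m)][a % m][b % m]
            recv2[pr] += 1
        C[a][b] = total
    # ---- sync ----
    return C, max(recv1.values()), max(recv2.values())


def one_step_bsp(A, B, p):
    """SPEC 2, the p^{1/2} x p^{1/2} block algorithm: returns (C, words received per processor)."""
    n = len(A)
    q = round(p ** 0.5)
    assert q * q == p and n % q == 0, "p must be a square and p^(1/2) must divide n"
    m = n // q
    C = [[0] * n for _ in range(n)]
    for i, j in product(range(q), repeat=2):
        # the processor holding C_ij fetches block row A_i* (m x n) and block column B_*j (n x m)
        for a in range(i * m, (i + 1) * m):
            for b in range(j * m, (j + 1) * m):
                C[a][b] = sum(A[a][c] * B[c][b] for c in range(n))
    return C, 2 * m * n


def demo(n=16, p=64):
    """Runs both algorithms on constructed inputs and reports correctness and h."""
    A = [[(a * 7 + b) % 5 for b in range(n)] for a in range(n)]   # constructed inputs
    B = [[(a + 3 * b) % 4 for b in range(n)] for a in range(n)]
    expected = matmul(A, B)
    C2, h1, h2 = valiant_bsp(A, B, p)
    C1, h_one = one_step_bsp(A, B, p)
    return {
        "valiant_correct": C2 == expected,
        "one_step_correct": C1 == expected,
        "h_valiant": (h1, h2),     # 2 n^2 / p^{2/3} and (n^2 / p) p^{1/3}
        "h_one_step": h_one,       # 2 n^2 / p^{1/2}
    }
```

With $n = 16$ and $p = 64$ the two supersteps receive 32 and 16 words per processor, against 64 for the one-superstep algorithm, which is the trade of one extra synchronization for less communication that the cost comparison above describes.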


7. CASE STUDY II: THE DINING PHILOSOPHERS

In this section we treat a more comprehensive example, this time of a popularreactive system.

7.1 Dining Philosophers

Since it was first described in Dijkstra [1978], the example of the dining philosophers has become a benchmark for the calibration of theories of concurrency and the way they facilitate reasoning about resource contention. Five philosophers are seated at a circular dining table. Each philosopher cycles through the phases of thinking, $t$, being hungry, $h$, and eating, $e$. Neighboring philosophers may not eat at the same time. We require that a hungry philosopher eventually eats, provided that thinking and eating are achieved in finitely many steps.

Let each philosopher have state $x_k \in \{t, h, e\}$ and let the state of the vector of philosophers be $x \mathrel{\hat{=}} x_0, x_1, \ldots, x_4$. The abstract requirement of the dining philosophers is specified as follows, with $k^- \mathrel{\hat{=}} (k - 1) \bmod 5$ and $k^+ \mathrel{\hat{=}} (k + 1) \bmod 5$.

SPEC 5. $\mathrel{\hat{=}} \bigsqcup_k \bigl( [\,\overleftarrow{x}_k = t\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_k = h\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_{k^-} \ne \overleftarrow{x}_k = e \ne \overleftarrow{x}_{k^+}\,]^\oplus \bigr)^\infty$

The term $[\,\overleftarrow{x}_k = h\,]^\oplus$, for example, specifies philosopher $k$'s terminating hungry phase.

Each philosopher's state is accessible only to his neighboring philosophers. The use of transitions guarantees that the value of each variable can be updated simultaneously on all processes sharing it. A local variable update must be postponed until the next synchronization point, at which the variable's copies on other processes can be updated via communication broadcasting.

The above LOGS specification is remarkably similar to the specification of the dining philosophers based on fair interleaving. If we regard the change of a variable as an event, there can be arbitrarily many steps between two consecutive events. For any two events occurring on different processes, one event may occur before the other (as in fair interleaving), or both events may occur during the same step (unlike fair interleaving). The concern for safety and liveness properties arises naturally from such specifications. Apart from global synchronization, all other communications are restricted to those between adjacent philosophers. This means that, at the level spanning multiple steps, the above specification describes a distributed system, although, at the level of individual steps, global synchronization supports nondistributed data-parallel computation.

7.2 Forks

The specification is to be refined by a distributed design in which contention is mediated by forks, one between each pair of adjacent philosophers and numbered like the philosophers: philosopher $k$ requires forks $k$ and $k^+$ in order to eat. Let the state of fork $k$ be denoted $y_k$, with the vector of forks denoted $y \mathrel{\hat{=}} y_0, y_1, \ldots, y_4$. Each fork has two states: either $l$ (being used by the philosopher to its left) or $r$ (to its right). Thus, to eat, philosopher $k$ requires $y_k = r$ and $y_{k^+} = l$.

SPEC 6. $\mathrel{\hat{=}} \bigsqcup_k \bigl( [\,\overleftarrow{x}_k = t\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_k = h\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_k = e\,]^\oplus \bigr)^\infty \;\sqcup\; |\mathit{forks}|$

where $\mathit{forks} \mathrel{\hat{=}} \forall k \cdot (\overleftarrow{x}_k = e \Rightarrow \overrightarrow{y}_k = r \wedge \overrightarrow{y}_{k^+} = l)$.

Note that the safety property $|\mathit{forks}|$ is the (nonzero) arbitrary repetition of the transition $[\,\mathit{forks}\,]$, and when the safety property is conjoined with a nonterminating specification it becomes the same as $[\,\mathit{forks}\,]^\infty$. The validity of that design is ensured as follows.

THEOREM 6. SPEC 5 $\sqsubseteq$ SPEC 6

PROOF.

SPEC 6

$=$ {Law 16(6) and Laws 17(1) and 17(2)}

$\bigsqcup_k \bigl( [\,\overleftarrow{x}_k = t \wedge \mathit{forks}\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_k = h \wedge \mathit{forks}\,]^\oplus \mathbin{\#} [\,\overleftarrow{x}_k = e \wedge \overrightarrow{y}_k = r \wedge \overrightarrow{y}_{k^+} = l\,]^\oplus \bigr)^\infty$

$\sqsupseteq$ {monotonicity of sequential composition and Law 12(1)}

SPEC 5. $\square$

7.3 A Strategy

In this design the forks are resources and the philosophers are consumers.The thinking phase represents a period during which a consumer needs noshared resource; the hungry phase represents a period of waiting for requiredresources; the eating phase represents a resource-consuming period. Thus ter-mination of both thinking and eating must be guaranteed by each resourceconsumer, while termination of the hungry phase has to be guaranteed by adistributed resource manager.

Initially we suppose that termination of the hungry phase is unknown. Wepropose the following rules for each philosopher k:

(1) a thinking philosopher may either continue thinking or become hungry;

(←−x k = t) ⇒ (−→x k=←−x k ∨ −→x k=h)

(2) a hungry philosopher may either remain hungry or immediately eat, pro-vided that two adjacent forks are available;

(←−x k=h) ⇒ (if ←−y k=r ∧←−y k+ = l then −→x k=e else −→x k =←−x k)

(3) an eating philosopher may either continue eating or stop to think;

(←−x k=e) ⇒ (−→x k=←−x k ∨ −→x k=t)

ACM Transactions on Programming Languages and Systems, Vol. 26, No. 2, March 2004.

Page 22: Logic of Global Synchrony - PKUsei.pku.edu.cn/~cyf/toplas05.pdf · 2010-06-27 · Logic of Global Synchrony YIFENG CHEN University of Leicester and J. W. SANDERS University of Oxford

242 • Chen and Sanders

(4) if two adjacent philosophers are thinking, the fork between them will not change direction;
$$(\overleftarrow{x}_{k-} = t = \overleftarrow{x}_k) \Rightarrow (\overleftarrow{y}_k = \overrightarrow{y}_k)$$

(5) if a philosopher is thinking while his left-hand neighbor is not, then the philosopher will “lose” the fork between them;
$$(\overleftarrow{x}_{k-} \neq t = \overleftarrow{x}_k) \Rightarrow (\overrightarrow{y}_k = l)$$

(6) if a philosopher is not thinking but his left-hand neighbor is, the neighbor will lose the fork between them;
$$(\overleftarrow{x}_{k-} = t \neq \overleftarrow{x}_k) \Rightarrow (\overrightarrow{y}_k = r)$$

(7) if neither of two adjacent philosophers is thinking, the fork between them will not change direction.
$$(\overleftarrow{x}_{k-} \neq t \neq \overleftarrow{x}_k) \Rightarrow (\overleftarrow{y}_k = \overrightarrow{y}_k).$$

Each philosopher must follow all rules, but how do we know these rules are consistent? On the one hand, the syntax of the predicates of these rules is finite and the state space is finite. It is hence possible in principle to use truth tables or more advanced model-checking techniques to check their consistency. On the other hand, if we are able to refine the specification with a real parallel program, the original rules must have been consistent. Here we take the latter approach.

That strategy is formalized as follows.

$$\mathrm{SPEC}\ 7 \mathrel{\hat=} (acyc)^{\top} \# \bigsqcup_k P_k \quad \text{where}$$
$$\begin{array}{rcl}
P_k &\mathrel{\hat=}& (T_k^{\oplus} \# H_k^{+} \# E_k^{\oplus})^{\infty} \\
T_k &\mathrel{\hat=}& [\overleftarrow{x}_k = t \wedge strategy_k] \\
H_k &\mathrel{\hat=}& [\overleftarrow{x}_k = h \wedge strategy_k] \\
E_k &\mathrel{\hat=}& [\overleftarrow{x}_k = e \wedge strategy_k] \\
acyc &\mathrel{\hat=}& \neg(y_0 = y_1 = \cdots = y_4)
\end{array}$$

and $strategy_k$ is the conjunction of the seven rules just introduced.

Each $P_k$ represents philosopher $k$, while $T_k$, $H_k$, and $E_k$ represent thinking, being hungry, and eating, respectively. $\mathrm{SPEC}\ 7$ is initialized by the requirement $acyc$ that the forks form an acyclic priority graph. The following lemma states that the fork graph is always acyclic. (In the case of improper initialization, $\mathrm{SPEC}\ 7$ becomes miraculous and so still refines $\mathrm{SPEC}\ 6$.) The acyclic condition is defined only for a ring of philosophers. In the case of other topologies, standard generalization can be used.

LEMMA 7 (ACYCLIC SAFETY). $\mathrm{SPEC}\ 7 \sqsupseteq [\overleftarrow{acyc}]^{\infty}$

PROOF. Let $strategy \mathrel{\hat=} \bigwedge_k strategy_k$. Then, according to Law 12(1), Law 15(3), and Law 4(1), we have $\mathrm{SPEC}\ 7 \sqsupseteq (acyc)^{\top} \# [strategy]^{\infty}$. From monotonicity of $[\cdot]$ it follows, by considering all possible global states of the philosophers, that

(1) if all philosophers are thinking then $[strategy \wedge \overleftarrow{x} = t,t,t,t,t] \sqsupseteq [\overleftarrow{y} = \overrightarrow{y}] \sqsupseteq [\overleftarrow{acyc} \Rightarrow \overrightarrow{acyc}]$;

(2) if a philosopher $k$ is eating then $[strategy \wedge \overleftarrow{x}_k = e] \sqsupseteq [\overrightarrow{y}_k \neq \overrightarrow{y}_{k+}] \sqsupseteq [\overrightarrow{acyc}]$;

(3) if all philosophers are hungry then $[strategy \wedge \overleftarrow{x} = h,h,h,h,h] \sqsupseteq [\overleftarrow{y} = \overrightarrow{y}] \sqsupseteq [\overleftarrow{acyc} \Rightarrow \overrightarrow{acyc}]$;

(4) if philosophers $i, i+1, \ldots, j$ are thinking while philosophers $i-$ and $j+$ are hungry then $[strategy \wedge (\overleftarrow{x}_i = \overleftarrow{x}_{i+} = \cdots = \overleftarrow{x}_j = t) \wedge (\overleftarrow{x}_{i-} = \overleftarrow{x}_{j+} = h)] \sqsupseteq [r = \overrightarrow{y}_i \neq \overrightarrow{y}_{j+} = l] \sqsupseteq [\overrightarrow{acyc}]$.

Thus
$$\begin{array}{ll}
& \mathrm{SPEC}\ 7 \\
\sqsupseteq & \text{Law 12(1)} \\
& (acyc)^{\top} \# [strategy]^{\infty} \\
\sqsupseteq & \text{proved facts and Law 12(1)} \\
& (acyc)^{\top} \# [\overrightarrow{acyc} \vee (\overleftarrow{acyc} \Rightarrow \overrightarrow{acyc})]^{\infty} \\
\sqsupseteq & \text{Law 12(1)} \\
& (acyc)^{\top} \# [\overleftarrow{acyc} \Rightarrow \overrightarrow{acyc}]^{\infty} \\
\sqsupseteq & \text{Laws 11(1) and 11(2)} \\
& [\overleftarrow{acyc}]^{\infty} . \qquad \square
\end{array}$$

7.4 Liveness

To reason about liveness we first decompose each philosopher $k$ in two:
$$L_k \mathrel{\hat=} (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\infty}, \qquad D_k \mathrel{\hat=} (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\sim} \# T_k^{\oplus} \# H_k^{\infty}.$$

We think of $L_k$ as denoting a “living” philosopher and $D_k$ as denoting a “dying” one who eventually remains hungry forever. For each philosopher life or death is a nondeterministic choice!

$$\begin{array}{ll}
& P_k \\
= & \text{definition} \\
& (T_k^{\oplus} \# H_k^{+} \# E_k^{\oplus})^{\infty} \\
= & \text{Law 13(3)} \\
& (T_k^{\oplus} \# (H_k^{\oplus} \sqcap H_k^{\infty}) \# E_k^{\oplus})^{\infty} \\
= & \text{distributivity, Law 14(5), and Law 9(4)} \\
& ((T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus}) \sqcap (T_k^{\oplus} \# H_k^{\infty}))^{\infty} \\
= & (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus}) \sqsupseteq \ \ ,\ (T_k^{\oplus} \# H_k^{\infty}) \sqsupseteq \hat{}\ \text{ and Law 14(5)} \\
& (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{*} \# T_k^{\oplus} \# H_k^{\infty} \\
= & \text{Law 13(3), Law 14(5), and Law 9(4)} \\
& ((T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\sim} \# T_k^{\oplus} \# H_k^{\infty}) \sqcap (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\infty} \\
= & \text{definitions of } D_k \text{ and } L_k \\
& D_k \sqcap L_k .
\end{array}$$


Now we observe that SPEC 7 is refined by a group of living philosophers:

$$\mathrm{SPEC}\ 8 \mathrel{\hat=} (acyc)^{\top} \# \bigsqcup_k L_k$$

In fact $\mathrm{SPEC}\ 8$ equals $\mathrm{SPEC}\ 7$ because the strategy guarantees that every philosopher lives. To prove that, we need to eliminate the possibility of deadlock or starvation. Lemma 8 excludes the possibility that all philosophers die by waiting for forks from their neighbors (i.e., deadlock), while Lemma 10 excludes that of starvation.

LEMMA 8 (DEADLOCK FREEDOM). $(acyc)^{\top} \# \bigsqcup_k D_k = \top$

PROOF. Let $h(\overleftarrow{x}) \mathrel{\hat=} (\overleftarrow{x} = h,h,h,h,h)$ and $h(\overrightarrow{x}) \mathrel{\hat=} (\overrightarrow{x} = h,h,h,h,h)$.
$$\begin{array}{ll}
& (acyc)^{\top} \# \bigsqcup_k D_k \\
= & \text{definition of } D_k \\
& (acyc)^{\top} \# \bigsqcup_k (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\sim} \# T_k^{\oplus} \# H_k^{\infty} \\
\sqsupseteq & \text{Law 12(1) and } (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\sim} \# T_k^{\oplus} \sqsupseteq \ \ \\
& (acyc)^{\top} \# \bigsqcup_k [strategy_k]^{\infty} \sqcup (acyc)^{\top} \# \bigsqcup_k (\ \#[\overleftarrow{x}_k = h]^{\infty}) \\
\sqsupseteq & \text{Lemma 7 and Law 15(2)} \\
& [strategy \wedge \overleftarrow{acyc}]^{\infty} \sqcup ((acyc)^{\top} \#\ \#[h(\overleftarrow{x})]^{\infty}) \\
\sqsupseteq & \text{Law 12(1) and } (acyc)^{\top} \sqsupseteq \ \ \\
& [h(\overleftarrow{x}) \Rightarrow \neg h(\overrightarrow{x})]^{\infty} \sqcup (\ \#[h(\overleftarrow{x})]^{\infty}) \\
\sqsupseteq & \text{weakening and Law 15(2)} \\
& \ \#[h(\overleftarrow{x}) \wedge \neg h(\overrightarrow{x})]^{\infty} \\
= & \text{Law 13(2)} \\
& \ \#([h(\overleftarrow{x}) \wedge \neg h(\overrightarrow{x})]^{2})^{\infty} \\
= & \text{Laws 11(1), 11(2), and 11(5)} \\
& \ \#\top^{\infty} \\
= & \text{Tables III and VI} \\
& \top . \qquad \square
\end{array}$$
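The seven rules of Section 7.3 are finite-state, and the text remarks that their consistency could in principle be checked by truth tables or model checking. The Python below, an added example that is not part of the paper and not the authors' code, does exactly that for the five-philosopher ring: it encodes rules (1)–(7) as a transition relation, enumerates every state reachable from the initial states of SPEC 7 (all philosophers thinking, forks acyclic) and checks the finite-state counterparts of Lemma 7 (acyc is invariant), of the fork property used in Theorem 11 (an eating philosopher holds both forks, so no two neighbours eat together) and of Lemma 8 (no reachable all-hungry state is stuck). The encoding of phases as the strings "t", "h", "e", of fork directions as "l", "r", and the convention that fork k lies between philosophers k− and k are assumptions of this example.

```python
from itertools import product

# Constructed finite model of the strategy of Section 7.3 (example code, not the
# paper's own).  Phases t/h/e and directions l/r follow the paper; the string
# encoding and the indexing "fork k lies between philosophers k- and k" are
# assumptions of this example.
N = 5
T, H, E = "t", "h", "e"
L, R = "l", "r"


def next_phases(k, x, y):
    """Rules (1)-(3): the set of phases philosopher k may be in after one step."""
    if x[k] == T:                        # rule (1)
        return {T, H}
    if x[k] == H:                        # rule (2): eat iff both adjacent forks are available
        return {E} if (y[k] == R and y[(k + 1) % N] == L) else {H}
    return {E, T}                        # rule (3)


def next_fork(k, x, y):
    """Rules (4)-(7): direction of fork k after one step, computed from the pre-state."""
    left, right = x[(k - 1) % N], x[k]   # philosophers k- and k
    if left == T and right == T:         # rule (4)
        return y[k]
    if left != T and right == T:         # rule (5): the thinker k loses the fork to k-
        return L
    if left == T and right != T:         # rule (6): the thinker k- loses the fork to k
        return R
    return y[k]                          # rule (7)


def successors(state):
    """All post-states of one global step: forks are determined, phases are chosen."""
    x, y = state
    y_next = tuple(next_fork(k, x, y) for k in range(N))
    for x_next in product(*(next_phases(k, x, y) for k in range(N))):
        yield (x_next, y_next)


def acyc(y):
    """The priority graph of the ring is acyclic iff the forks do not all point one way."""
    return not all(d == y[0] for d in y)


def forks_held_when_eating(x, y):
    """Property used in Theorem 11: x_k = e implies y_k = r and y_{k+} = l."""
    return all(y[k] == R and y[(k + 1) % N] == L for k, p in enumerate(x) if p == E)


def no_neighbours_eating(x, y):
    return not any(x[k] == E and x[(k + 1) % N] == E for k in range(N))


def some_hungry_can_eat(x, y):
    return any(x[k] == H and y[k] == R and y[(k + 1) % N] == L for k in range(N))


def reachable_states():
    """Depth-first exploration from the initial states of SPEC 7."""
    initial = [((T,) * N, y) for y in product((L, R), repeat=N) if acyc(y)]
    seen, stack = set(initial), list(initial)
    while stack:
        for nxt in successors(stack.pop()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def check_strategy():
    """Return the reachable state set and, per property, the number of violating states."""
    states = reachable_states()
    violations = {"acyc": 0, "forks": 0, "mutex": 0, "deadlock": 0}
    for x, y in states:
        violations["acyc"] += not acyc(y)                        # Lemma 7
        violations["forks"] += not forks_held_when_eating(x, y)  # Theorem 11
        violations["mutex"] += not no_neighbours_eating(x, y)
        if all(p == H for p in x) and not some_hungry_can_eat(x, y):
            violations["deadlock"] += 1                          # Lemma 8
    return states, violations


if __name__ == "__main__":
    reached, bad = check_strategy()
    print(len(reached), "reachable states; violations:", bad)
```

The check of the all-hungry states is the finite-state shadow of Lemma 8: because $acyc$ holds in every reachable state, the ring of fork directions is never constant, so somewhere an $r$ is immediately followed by an $l$ and the hungry philosopher between those two forks is allowed to eat. Rule (2) is implemented as the paper's formula (a hungry philosopher eats whenever both forks are available), not as the looser prose "may either remain hungry or immediately eat".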

The following lemma shows that a living philosopher is unable to dine with a dying neighbor.

LEMMA 9. $L_{k-} \sqcup D_k = \top$

PROOF.
$$\begin{array}{ll}
& L_{k-} \sqcup D_k \\
\sqsupseteq & \text{weakening and } (T_k^{\oplus} \# H_k^{\oplus} \# E_k^{\oplus})^{\sim} \# T_k^{\oplus} \sqsupseteq \ \ \\
& (\ \# L_{k-}) \sqcup (\ \# H_k^{\infty}) \\
= & \text{Law 17(3)} \\
& \ \#((T_{k-}^{\oplus} \# H_{k-}^{\oplus} \# E_{k-}^{\oplus}) \sqcup H_k^{+})^{\infty} \\
= & \text{Laws 17(1) and 17(2) and Law 16(5)} \\
& \ \#((T_{k-} \sqcup H_k)^{\oplus} \# (H_{k-} \sqcup H_k)^{\oplus} \# (E_{k-} \sqcup H_k)^{\oplus})^{\infty} \\
\sqsupseteq & \text{Law 12(1) and definition of } strategy_k \\
& \ \#\big([\overrightarrow{y}_k = r]^{\oplus} \# [(\overleftarrow{x}_{k-} = h) \wedge (\overleftarrow{y}_k = \overrightarrow{y}_k) \wedge (\overleftarrow{y}_k = r \Rightarrow \overleftarrow{x}_{k-} = \overrightarrow{x}_{k-})]^{\oplus} \# [\overleftarrow{x}_{k-} = e]^{\oplus}\big)^{\infty} \\
\sqsupseteq & \text{Law 12(1)} \\
& \ \#([\overrightarrow{y}_k = r]^{\oplus} \# [\overrightarrow{x}_{k-} = h]^{\oplus} \# [\overleftarrow{x}_{k-} = e]^{\oplus})^{\infty} \\
\sqsupseteq & \text{Laws 11(1) and 11(2)} \\
& \ \#([\overrightarrow{y}_k = r]^{\oplus} \# [\overrightarrow{x}_{k-} = h]^{\oplus} \# (x_{k-} = h)^{\top} \# (x_{k-} = e)^{\top} \# [x_{k-} = e]^{\oplus})^{\infty} \\
\sqsupseteq & \text{Law 11(5) and weakening} \\
& \ \#(\ \# \top \#\ )^{\infty} \\
= & \text{Tables III and VI} \\
& \top . \qquad \square
\end{array}$$

We infer that at least one philosopher is living and no living philosopher can sit beside a dying neighbor. Consequently all philosophers are living.

LEMMA 10 (STARVATION FREEDOM). $\mathrm{SPEC}\ 7 = \mathrm{SPEC}\ 8$

PROOF.
$$\begin{array}{ll}
& \mathrm{SPEC}\ 7 \\
= & \text{proved fact} \\
& (acyc)^{\top} \# \bigsqcup_k (L_k \sqcap D_k) \\
= & \text{distributivity} \\
& (acyc)^{\top} \# \big(\bigsqcup_k L_k \sqcap (D_0 \sqcup L_1 \sqcup \cdots \sqcup L_4) \sqcap \cdots \sqcap (L_0 \sqcup D_1 \sqcup \cdots \sqcup D_4) \sqcap \bigsqcup_k D_k\big) \\
= & \text{Lemmas 8 and 9} \\
& (acyc)^{\top} \# (\bigsqcup_k L_k \sqcap \top \sqcap \top) \\
= & \mathrm{SPEC}\ 8 . \qquad \square
\end{array}$$

In fact specification $\mathrm{SPEC}\ 8$ is very close to a BSP program. For details of such a program and its derivation from $\mathrm{SPEC}\ 8$ we refer the reader to Chen [2001]. Here we are interested simply in validity of $\mathrm{SPEC}\ 7$ with respect to $\mathrm{SPEC}\ 5$:

THEOREM 11. $\mathrm{SPEC}\ 6 \sqsubseteq \mathrm{SPEC}\ 7$

PROOF. According to Lemma 10 we need to check only that $\mathrm{SPEC}\ 6 \sqsubseteq \mathrm{SPEC}\ 8$. But
$$\begin{array}{ll}
& \mathrm{SPEC}\ 8 \\
\sqsupseteq & \text{Law 12(1)} \\
& [strategy]^{\infty} \\
\sqsupseteq & \text{Law 12(1)} \\
& [\forall k \cdot (\overleftarrow{x}_k = e \Rightarrow \overrightarrow{y}_k = r) \wedge (\overleftarrow{x}_{k-} = e \Rightarrow \overrightarrow{y}_k = l)]^{\infty} \\
\sqsupseteq & \text{Law 12(1)} \\
& [\forall k \cdot (\overleftarrow{x}_k = e) \Rightarrow (\overrightarrow{y}_k = r \wedge \overrightarrow{y}_{k+} = l)]^{\infty} \\
\sqsupseteq & P^{\infty} \sqsupseteq P^{+} \\
& |forks| . \qquad \square
\end{array}$$

8. CONCLUSION

This paper has introduced a specification language, LOGS, which supports the design of parallel programs based on global synchronizations. Although the language is simple and consists of only six primitive commands, it has integrated specifications of pre-post, finite, and infinite reactive processes in a compositional imperative programming style and various useful commands can be derived from the primitive commands. Examples of targeted parallel implementation languages include PRAM and BSP.

The most significant property of LOGS is its compositionality (or parallel modularity), which appears to be absent from other variable-sharing based models. Lack of parallel modularity is due to the potential communication interference and has been the main difficulty confronting PRAM and BSP programming. In LOGS, parallel composition is simply logical conjunction. A parallel composition contains only the common behaviors agreed by two commands. From the viewpoint of specification, it proves to be rather powerful and, most importantly, to guarantee compositionality. If there is communication interference or any other inconsistency, a parallel composition becomes magic. In parallel program design, reasoning about inconsistency (such as communication interference) is inevitable. By incorporating magic, we can then conduct such formal reasoning within our semantics instead of relying on informal reasoning outside of the semantics.

The first case study, matrix multiplication, shows the style of LOGS programming and reasoning for numerical analysis problems. Although LOGS does not directly incorporate distribution, partition, or costs, the solution of the problem demonstrates nonetheless that the analysis can be properly achieved in LOGS. The solution to the benchmark problem of the dining philosophers is genuinely distributed (at the level across multiple steps) and its freedom from livelock guaranteed. Furthermore the circle of five philosophers is easily extended to more general topologies. Our refinement and solution appear encouragingly simple compared with that in, say, UNITY [Chandy and Misra 1988] because of the distinctive program-like reasoning style for safety and liveness. Deadlock/livelock freedom is proved by calculating those undesirable behaviors to be “magic.” Such simple calculation fully justifies the use of infeasible specifications like magic, which is vital to the compositionality of specifications. A modification of the algorithm is needed in order to allow philosophers to be forever thinking. In that case it must be shown that a dining philosopher generates an infinite sequence of dying philosopher neighbors [Dijkstra 1978]. In any finite graph, the sequence will form a circle, which leads to magic according to Lemma 8. Although in this paper we take program derivation only as far as LOGS, refinement laws can be introduced to transform compositional LOGS specifications into BSP programs [Chen 2001].


The reasoning style of LOGS also distinguishes it from standard temporal logic and, as a standard method for specifications of safety and liveness, is simple and elegant with a solid foundation in modal logic. LOGS uses the style of Dijkstra’s guarded-command language for the specifications of safety and liveness. We favor an imperative programming style because it is closer to most programming practice. In particular, we are now able to use index numbers to identify steps and reason about the relation of several consecutive steps. This has helped us tremendously in proving deadlock/livelock freedom. It can no longer be sustained that BSP is suitable only for SPMD/SIMD data-parallel programming. Our derivation technique differs substantially from previous work on BSP, allows synchronizations in the body of a loop, and therefore fully supports Multiple-Instruction Stream Multiple-Data Stream (MIMD) parallel programming.

APPENDIX

A.1 Healthiness

The three predicate transformers $H_0$, $H_{\leftrightarrow}$, and $H_{\infty}$ can be combined into one big transformer $H$ that is again monotonic and idempotent. Assuming the definitions from Section 4, we let $z \mathrel{\hat=} (\overleftarrow{x}, \overleftarrow{tr}, \overrightarrow{x}, \overrightarrow{tr})$. The following lemma, giving an explicit characterization of $H$, can be proved by routine manipulation of predicates.

LEMMA 12. $H(X) = F(X) \vee \top$ where
$$F(X) \mathrel{\hat=} \exists z' \cdot (X[z'/z] \wedge R(z', z)),$$
$$\begin{array}{rl}
R(z', z) \mathrel{\hat=} & \exists s \cdot (\overleftarrow{tr}{}'{}^{\frown} s = \overrightarrow{tr}{}' \wedge \overleftarrow{tr}{}^{\frown} s = \overrightarrow{tr}) \\
& \wedge\ \overleftarrow{tr}{}' \sim \overleftarrow{tr} \wedge \overrightarrow{tr}{}' \sim \overrightarrow{tr} \\
& \wedge\ \neg\infty(\overleftarrow{tr}) \wedge \overleftarrow{x}{}' = \overleftarrow{x} \\
& \wedge\ (\infty(\overrightarrow{tr}) \vee \overrightarrow{x}{}' = \overrightarrow{x}).
\end{array}$$

The predicate $R$ constitutes a partial equivalence relation:

(1) partial reflexivity: $R(z', z) \sqsubseteq (z' = z \wedge \bot)$,
(2) idempotence: $\exists z'' \cdot R(z', z'') \wedge R(z'', z) = R(z', z)$,
(3) symmetry: $R(z', z) = R(z, z')$.

The transformer $F$ satisfies $F(P \vee Q) = F(P) \vee F(Q)$, $F(F(P)) = F(P)$, and $F(\top) = (F(P) \# \top) = (\top \# F(P)) = (F(P) \wedge \top) = \mathit{false}$ for any $P$ and $Q$. We also have $\top \# \top = \top$.

LEMMA 13. The sequential composition of healthy predicates is healthy.

PROOF. We must show that sequential composition is closed under the transformer $H$. Let $y \mathrel{\hat=} (x, tr)$, $R_1 \mathrel{\hat=} R(a_1, a_2, \overleftarrow{y}, \overrightarrow{y})$, and $R_2 \mathrel{\hat=} R(b_1, b_2, \overleftarrow{y}, \overrightarrow{y})$. We first reason:
$$\begin{array}{ll}
& R_1 \# R_2 \\
= & \text{definition of sequential composition} \\
& \exists y \cdot (R(a_1, a_2, \overleftarrow{y}, y) \wedge R(b_1, b_2, y, \overrightarrow{y})) \\
= & \text{definition of } R \\
& \exists \overleftarrow{y}{}'\,\overrightarrow{y}{}'\,y \cdot (R(a_1, a_2, \overleftarrow{y}{}', y) \wedge R(b_1, b_2, y, \overrightarrow{y}{}') \wedge R(\overleftarrow{y}{}', \overrightarrow{y}{}', \overleftarrow{y}, \overrightarrow{y})) \\
= & \text{definition of } F \\
& F(R_1 \# R_2)
\end{array}$$

Thus for any two predicates $P$ and $Q$:
$$\begin{array}{ll}
& H(P) \# H(Q) \\
= & \text{properties of } F \\
& (F(P) \# F(Q)) \vee \top \\
= & \text{definition of } F \\
& \exists a_1 a_2 \cdot (P(a_1, a_2) \wedge R(a_1, a_2, \overleftarrow{y}, \overrightarrow{y})) \# \exists b_1 b_2 \cdot (Q(b_1, b_2) \wedge R(b_1, b_2, \overleftarrow{y}, \overrightarrow{y})) \vee \top \\
= & \text{definition of sequential composition and predicate calculus} \\
& \exists a_1 a_2 b_1 b_2 \cdot (P(a_1, a_2) \wedge Q(b_1, b_2) \wedge \exists y \cdot (R(a_1, a_2, \overleftarrow{y}, y) \wedge R(b_1, b_2, y, \overrightarrow{y}))) \vee \top \\
= & \text{definition of sequential composition} \\
& \exists a_1 a_2 b_1 b_2 \cdot (P(a_1, a_2) \wedge Q(b_1, b_2) \wedge (R_1 \# R_2)) \vee \top \\
= & \text{just established} \\
& \exists a_1 a_2 b_1 b_2 \cdot (P(a_1, a_2) \wedge Q(b_1, b_2) \wedge F(R_1 \# R_2)) \vee \top \\
= & \text{predicate calculus and definition of } H \\
& \exists \overleftarrow{y}{}'\,\overrightarrow{y}{}' \cdot (\exists a_1 a_2 b_1 b_2 \cdot (P(a_1, a_2) \wedge Q(b_1, b_2) \wedge (R_1 \# R_2))[\overleftarrow{y}{}'/\overleftarrow{y}, \overrightarrow{y}{}'/\overrightarrow{y}] \wedge R) \vee \top \\
= & \text{just established} \\
& \exists \overleftarrow{y}{}'\,\overrightarrow{y}{}' \cdot ((F(P) \# F(Q))[\overleftarrow{y}{}'/\overleftarrow{y}, \overrightarrow{y}{}'/\overrightarrow{y}] \wedge R) \vee \top \\
= & \text{definition of } F \text{ and } F(\top) = \mathit{false} \\
& F(F(P) \# F(Q)) \vee F(\top) \vee \top \\
= & \text{disjunctivity of } F \text{ and properties of } \top \\
& H(H(P) \# H(Q)). \qquad \square
\end{array}$$

LEMMA 14. The parallel composition of healthy predicates is healthy.

PROOF. We must show that parallel composition is closed under the transformer $H$. Let $z \mathrel{\hat=} (\overleftarrow{y}, \overrightarrow{y})$. We first reason:
$$\begin{array}{ll}
& R(a, z) \wedge R(b, z) \\
= & \text{predicate calculus and } R \wedge \bot = R \\
& \exists z' \cdot (R(a, z') \wedge R(b, z') \wedge \bot \wedge z' = z) \\
\sqsupseteq & \text{property of } R \\
& \exists z' \cdot (R(a, z') \wedge R(b, z') \wedge R(z', z)) \\
= & \text{definition of } F \\
& F(R(a, z) \wedge R(b, z)) \\
\sqsupseteq & \text{idempotence of } R \text{ and monotonicity of sequential composition} \\
& \exists z' \cdot (R(a, z') \wedge R(z', z)) \wedge \exists z' \cdot (R(b, z') \wedge R(z', z)) \\
= & \text{idempotence of } R \\
& R(a, z) \wedge R(b, z) .
\end{array}$$

We next reason that, for any $P$ and $Q$ on variables $\overleftarrow{x}$, $\overleftarrow{tr}$, $\overrightarrow{x}$ and $\overrightarrow{tr}$,
$$\begin{array}{ll}
& H(P) \sqcup H(Q) \\
= & \text{properties of } F \\
& (F(P) \wedge F(Q)) \vee \top \\
= & \text{definition of } F \\
& \exists a \cdot (P(a) \wedge R(a, z)) \wedge \exists b \cdot (Q(b) \wedge R(b, z)) \vee \top \\
= & \text{predicate calculus} \\
& \exists a b \cdot (P(a) \wedge Q(b) \wedge R(a, z) \wedge R(b, z)) \vee \top \\
= & \text{proved fact} \\
& \exists a b \cdot (P(a) \wedge Q(b) \wedge F(R(a, z) \wedge R(b, z))) \vee \top \\
= & \text{definition of } H \text{ and predicate calculus} \\
& \exists z' a b \cdot (P(a) \wedge Q(b) \wedge R(a, z') \wedge R(b, z') \wedge R(z', z)) \vee \top \\
= & \text{definition of } F \text{ and } F(\top) = \mathit{false} \\
& F(F(P) \wedge F(Q)) \vee F(\top) \vee \top \\
= & \text{properties of } F \\
& H(H(P) \sqcup H(Q)) . \qquad \square
\end{array}$$

THEOREM 1 (HEALTHINESS). All LOGS commands are healthy.

PROOF. We need to check healthiness of only primitive LOGS commands. First, nLOGS commands are healthy according to definition. Sequential and parallel composition of healthy predicates are healthy according to Lemmas 13 and 14. The transformer $H$ is disjunctive. Thus nondeterministic choice of healthy predicates is healthy, as is the partition of two healthy predicates. In fact universal lub and glb of healthy predicates are healthy. Negation is always healthy by definition. If a recursion $f(X)$ satisfies $H \circ f \circ H(X) = f \circ H(X)$, then its weakest fixpoint $\mu f$ and strongest fixpoint $\nu f$ are also healthy (by transfinite induction [Chen 2003]); so is the partitioned fixpoint $\phi f$. Thus any operator is healthy if its arguments are healthy. Consequently all LOGS commands are healthy (by transfinite induction on the structure of LOGS commands). $\square$

A.2 Soundness

Again for simplicity we assume $x$ to be the only variable in $\omega$ and let $\bot_n \mathrel{\hat=} \langle \mathit{true}\rangle_n$. We first note that if $n < \infty$ then
$$\langle p\rangle_n = \exists x_0 x_1 \cdots x_{n-1} \cdot (p \wedge \overleftarrow{tr}{}^{\frown}[x_0, x_1, \ldots, x_{n-1}] = \overrightarrow{tr}) \vee \top ;$$
otherwise, if $n = \infty$ then
$$\langle p\rangle_{\infty} = \exists x_0 x_1 \cdots \overrightarrow{x} \cdot (p \wedge \overleftarrow{tr}{}^{\frown}[x_0, x_1, \ldots] = \overrightarrow{tr}) \vee \top .$$
Each healthy predicate $P$ can be decomposed into a universal nondeterministic choice of nLOGS commands:
$$P = \bigsqcap_{n \le \infty} \langle p_n\rangle_n ,$$
where $p_n \mathrel{\hat=} \exists \overleftarrow{tr}\,\overrightarrow{tr} \cdot (P \wedge \overleftarrow{tr}{}^{\frown}[x_0, x_1, \ldots, x_{n-1}] = \overrightarrow{tr} \wedge \neg\infty(\overleftarrow{tr}))$ for any $n < \infty$ and $p_{\infty} \mathrel{\hat=} \exists \overleftarrow{tr}\,\overrightarrow{tr} \cdot (P \wedge \overleftarrow{tr}{}^{\frown}[x_0, x_1, \ldots] = \overrightarrow{tr} \wedge \neg\infty(\overleftarrow{tr}))$.

LAW 1 (1). $\langle p(\overleftarrow{x}, x_0, \ldots, x_{n-1}, \overrightarrow{x})\rangle_n \# \langle q(\overleftarrow{x}, x_0, \ldots, x_{m-1}, \overrightarrow{x})\rangle_m = \langle \exists \omega \cdot (p(\overleftarrow{x}, x_0, \ldots, x_{n-1}, \omega) \wedge q(\omega, x_n, \ldots, x_{n+m-1}, \overrightarrow{x}))\rangle_{n+m}$, where $n \in \mathbb{N}$ and $m \in \mathbb{N}_{\infty}$.

LAW 2. (1) $\langle p\rangle_{\infty} = \langle \exists \overrightarrow{x} \cdot p\rangle_{\infty}$ (2) $\langle p\rangle_{\infty} \# \langle q\rangle_m = \langle p\rangle_{\infty}$

LAW 3. (1) $\langle p\rangle_n \sqcap \langle q\rangle_n = \langle p \vee q\rangle_n$ (2) $\langle p\rangle_n \sqsubseteq \langle q\rangle_n$ iff $q \Rightarrow p$, where $n \in \mathbb{N}_{\infty}$.

LAW 4. (1) $\langle p\rangle_n \sqcup \langle q\rangle_n = \langle p \wedge q\rangle_n$ (2) $\langle p\rangle_n \sqcup \langle q\rangle_m = \top$ ($m \neq n$), where $n, m \in \mathbb{N}_{\infty}$.

LAW 5. (1) $\top = \langle \mathit{false}\rangle_n$ ($n \in \mathbb{N}_{\infty}$) (2) $\bot = \bigsqcap_{n \le \infty} \langle \mathit{true}\rangle_n$

PROOF. Law 1 can be obtained by calculating $\langle p\rangle_n \# \langle q\rangle_m$ and $\langle p\rangle_n \# \langle q\rangle_{\infty}$, respectively. Law 2(1) is the result of predicate manipulation. For Law 2(2), we have $\langle p\rangle_{\infty} \# \langle q\rangle_{\infty} = \langle p\rangle_{\infty} \# \top = \langle p\rangle_{\infty}$. Law 3, Law 4, and Law 5 are the results of routine predicate manipulation. $\square$

Nondeterministic choice and parallel composition are disjunction and conjunction, respectively, and hence are idempotent, commutative, associative, and distributive with each other. Healthy predicates are closed under universal disjunction and conjunction (as we take a set-theoretic view of predicates) and thus form a complete lattice. Predicative semantics is essentially set-theoretic. A predicate here corresponds to a set of assignments to the logical variables. Thus universal nondeterministic choice $\bigsqcap$ and universal parallel composition $\bigsqcup$ are, in fact, $\bigcup$ (or $\bigvee$) and $\bigcap$ (or $\bigwedge$), respectively (see Table IV for the definitions). That means Law 3 and Law 4 hold for universal nondeterministic choice and parallel composition as well. For example, we also have $\bigsqcup_{i \in I} \langle p_i\rangle_n = \langle \bigwedge_{i \in I} p_i\rangle_n$, where $I$ is a set of indices. Thus the operator $\bigsqcap$, like the union operator in set theory, is continuous: $\bigsqcup\{\bigsqcap P \mid P \in \mathbb{P}\} = \bigsqcap\{\bigsqcup P \mid P \in \mathbb{P}\}$ where $\mathbb{P}$ is a family of $\sqsubseteq$-directed sets of subsets of commands.

LAW 6.
(1) $P \sqcup {\sim}P = \top$
(2) $P \sqcap {\sim}P = \bot$
(3) ${\sim}{\sim}P = P$
(4) ${\sim}\bigsqcap_{n \le \infty} \langle p_n\rangle_n = \bigsqcap_{n \le \infty} \langle \neg p_n\rangle_n$
(5) ${\sim}\bigsqcap \mathbb{P} = \bigsqcup\{{\sim}P \mid P \in \mathbb{P}\}$
(6) ${\sim}\bigsqcup \mathbb{P} = \bigsqcap\{{\sim}P \mid P \in \mathbb{P}\}$

where $n \in \mathbb{N} \cup \{\infty\}$ and $\mathbb{P}$ is a set of predicates.

PROOF. For Law 6(1), we calculate cyclically to infer equivalence:
$$\begin{array}{ll}
& {\sim}P \sqcup P \\
= & \text{definitions} \\
& H(\neg H(P)) \wedge H(P) \\
= & \text{properties of } F \\
& (F(\neg(F(P) \vee \top) \vee \top) \wedge F(P)) \vee \top \\
= & \text{predicate calculus and properties of } F \\
& (F(\neg F(P)) \wedge F(F(P))) \vee \top \\
= & \text{definitions} \\
& (\exists a \cdot (\neg F(P)[a/z] \wedge R(a, z)) \wedge \exists b \cdot (F(P)[b/z] \wedge R(b, z))) \vee \top \\
= & \text{predicate calculus} \\
& \exists a b \cdot (\neg F(P)[a/z] \wedge F(P)[b/z] \wedge R(a, z) \wedge R(b, z)) \vee \top \\
\sqsupseteq & \text{definition of } F \text{ and symmetry and idempotence of } R \\
& \exists a b \cdot (\neg F(P)[a/z] \wedge \exists c \cdot (P[c/z] \wedge R(c, b)) \wedge R(b, a)) \vee \top \\
\sqsupseteq & \text{predicate calculus and idempotence of } R \\
& \exists a b \cdot (\neg F(P)[a/z] \wedge \exists c \cdot (P[c/z] \wedge R(c, a))) \vee \top \\
= & \text{definition of } F \\
& \exists a b \cdot (\neg F(P)[a/z] \wedge F(P)[a/z]) \vee \top \\
= & \text{predicate calculus} \\
& \top \\
\sqsupseteq & \text{top} \\
& {\sim}P \sqcup P .
\end{array}$$

Law 6(2) is the direct consequence of disjunctivity of $H$. Thus negation ${\sim}$ is the complement in the complete lattice and satisfies Laws 6(3), 6(5), and (6). Law 6(4) is a result of Laws 5(1) and (2) and Laws 6(1) and 6(2). $\square$

The proof of Law 7 can be found in Chen [2003]. Law 8 and Table III can be proved using the laws of primitive commands.

LAW 9. (1) $(P \mid R) \mid Q = P \mid Q$ (2) $P \mid (R \mid Q) = P \mid Q$ (3) $P = (P \mid P) = (P \mid \top) \sqcap (\top \mid P)$ (4) $(\top \mid P) \# Q = \top \mid P$

PROOF. Let, as above, $P = \bigsqcap_{n \le \infty} \langle p_n\rangle_n$ and $Q = \bigsqcap_{m \le \infty} \langle q_m\rangle_m$. Laws 9(1)–9(3) are direct consequences of the definition of partition, and
$$\begin{array}{ll}
& (\top \mid P) \# Q \\
= & \text{decomposition and definitions} \\
& (\bigsqcap_{n \le \infty} \langle p_n\rangle_n \sqcup \bot_{\infty}) \# \bigsqcap_{m \le \infty} \langle q_m\rangle_m \\
= & \text{Laws 4(1) and 4(2) and distributivity} \\
& \bigsqcap_{m \le \infty} (\langle p_{\infty}\rangle_{\infty} \# \langle q_m\rangle_m) \\
= & \text{Law 2(2) and idempotence} \\
& \langle p_{\infty}\rangle_{\infty} \\
= & \text{proved fact} \\
& \top \mid P . \qquad \square
\end{array}$$

LAW 10. (1) $P \# Q = (P{\mid}\top \# Q{\mid}\top) \mid (\top{\mid}P \sqcap (P{\mid}\top \# \top{\mid}Q))$
(2) $P \sqcap Q = (P{\mid}\top \sqcap Q{\mid}\top) \mid (\top{\mid}P \sqcap \top{\mid}Q)$
(3) $P \sqcup Q = (P{\mid}\top \sqcup Q{\mid}\top) \mid (\top{\mid}P \sqcup \top{\mid}Q)$
(4) ${\sim}P = {\sim}(P{\mid}\top) \mid {\sim}(\top{\mid}P)$

PROOF. For Law 10(1), we first notice that $(P{\mid}\top) \sqsupseteq \ \ $ and hence that $(P{\mid}\top) \# (Q{\mid}\top) \sqsupseteq (\ \#\ ) = \ \ $. Similarly $(\top \mid P) \sqsupseteq \hat{}$ hence $(P{\mid}\top) \# (\top{\mid}Q) \sqsupseteq (\ \# \hat{}) = \hat{}$. Now we reason
$$\begin{array}{ll}
& P \# Q \\
= & \text{Law 9(3)} \\
& (P{\mid}\top \sqcap \top{\mid}P) \# (Q{\mid}\top \sqcap \top{\mid}Q) \\
= & \text{distributivity} \\
& (P{\mid}\top \# Q{\mid}\top) \sqcap (\top{\mid}P \# Q) \sqcap (P{\mid}\top \# \top{\mid}Q) \\
= & \text{Law 9(4)} \\
& (P{\mid}\top \# Q{\mid}\top) \sqcap (\top{\mid}P) \sqcap (P{\mid}\top \# \top{\mid}Q) \\
= & \text{proved fact and Law 9(3)} \\
& (P{\mid}\top \# Q{\mid}\top) \mid (\top{\mid}P \sqcap (P{\mid}\top \# \top{\mid}Q))
\end{array}$$

Laws 10(2) and 10(3) are the results of routine predicate manipulation. For Law 10(4), we notice that $(P \mid \top) \sqsupseteq \ \ $ and hence ${\sim}(P \mid \top) \sqsubseteq \hat{}$, and similarly ${\sim}(\top \mid P) \sqsubseteq \ \ $.
$$\begin{array}{ll}
& {\sim}P \\
= & \text{Law 9(3)} \\
& {\sim}(P{\mid}\top \sqcap \top{\mid}P) \\
= & \text{Law 6(5)} \\
& {\sim}(P{\mid}\top) \sqcup {\sim}(\top{\mid}P) \\
= & \text{proved fact and definition of partition} \\
& ({\sim}(P{\mid}\top) \mid \bot) \sqcup (\bot \mid {\sim}(\top{\mid}P)) \\
= & \text{Law 10(3) and Law 9(1)} \\
& {\sim}(P{\mid}\top) \mid {\sim}(\top{\mid}P) . \qquad \square
\end{array}$$

Law 11 is a result of Law 1. Table VI results from routine calculation using the laws of the primitive commands and the definition of $P^{\infty}$ in Table V.

LAW 12. (1) $P^{\lambda} \sqsubseteq Q^{\lambda}$ if $P \sqsubseteq Q$
(2) $P^{\lambda} \# \hat{} \sqsubseteq P^{\infty} \sqsubseteq P^{\lambda} \# P^{\infty} \sqsubseteq \mathbf{while}\ \mathit{true}\ \mathbf{do}\ P$

PROOF. For Law 12(1), the operator $P^0$ is evidently monotonic. Sequential composition is monotonic, as is $n$-fold repetition. For infinite repetition, if $P \sqsubseteq Q$ then for any $n \in \mathbb{N}$, we have $P^n \sqsubseteq Q^n$ and
$$P^{\infty} = \bigsqcup_{n < \infty}(P^n \# \hat{}) \sqsubseteq \bigsqcup_{n < \infty}(Q^n \# \hat{}) = Q^{\infty}.$$

Nondeterministic choice of monotonic commands is monotonic, as are the other repetition operators. For Law 12(2), we have, for any $n \in \mathbb{N}$, $P^{\infty} = \bigsqcup_{n < \infty}(P^n \# \hat{}) \sqsupseteq (P^n \# \hat{})$, $P^{\infty} = P^{\infty} \# \hat{}$, and thus $P^{\infty} \sqsupseteq P^{\lambda} \# \hat{}$ for distributivity. If $0 < n < \infty$, then $P \# P^{\infty} \sqsupseteq (P \# P^{n-1} \# \hat{}) = (P^n \# \hat{}) \sqsupseteq \hat{} = (P^0 \# \hat{})$ and hence $P \# P^{\infty} \sqsupseteq P^{\infty}$. Thus $P^n \# P^{\infty} \sqsupseteq P^{\infty}$ for any $n < \infty$ by induction, and $P^{\infty} \# P^{\infty} = P^{\infty}$. These results lead directly to $P^{\lambda} \# P^{\infty} \sqsupseteq P^{\infty}$ for distributivity. For the last part of Law 12(2), we apply Tarski’s fixpoint theory [Tarski 1955; Cousot and Cousot 1979; Nelson 1989] and define $S_0 \mathrel{\hat=} (\top \mid \bot) = \hat{}$ and
$$S_{\kappa} \mathrel{\hat=} \bigsqcup\{P \# S_{\iota} \mid \iota \text{ is an ordinal},\ \iota \prec \kappa\}$$
as the $\kappa$-repetition of $P$ for any ordinal $\kappa \neq 0$. It can be shown that for any $n \in \mathbb{N}$, $S_n = (P^n \# \hat{})$, $S_{\omega} = P^{\infty}$, $S_{\omega+n} = (P^n \# P^{\infty})$, and $\phi X \cdot (P \# X) = \bigsqcup\{S_{\kappa} \mid \kappa \text{ is an ordinal}\}$. Thus $P^{\lambda} \# P^{\infty} \sqsubseteq \phi X \cdot (P \# X)$. $\square$


LAW 13.
(1) $P^{\lambda} \# P^{\mu} = P^{(\lambda+\mu)}$ ($\infty \in \lambda$ or $\infty \notin \mu$)
(2) $(P^{\lambda})^{\mu} = P^{(\mu \cdot \lambda)}$ ($0 \notin \lambda$ or $\infty \notin \mu$)
(3) $P^{\lambda} \sqcap P^{\mu} = P^{(\lambda \cup \mu)}$
(4) $P^{\lambda} \sqcup P^{\mu} \sqsubseteq P^{(\lambda \cap \mu)}$

PROOF. Laws 13(3) and 13(4) are a simple consequence of routine predicate manipulation. For Law 13(1), if $l, m < \infty$ then $(P^m \# P^l) = P^{m+l}$ can be proved by natural induction. According to Law 14(5) (a result of Law 12(2)) and Law 9(4), we have $P^{\infty} \# Q = (\top \mid P^{\infty}) \# Q = \top \mid P^{\infty} = P^{\infty}$. Thus $P^{\infty} \# P^n = P^{\infty+n}$ for any $n \in \mathbb{N}_{\infty}$. If $\infty \notin \mu$, then above results lead directly to Law 13(1) according to the definition of general repetition and distributivity. If $\infty \in (\lambda \cap \mu)$, then let $\lambda' \mathrel{\hat=} \lambda \setminus \{\infty\}$ and $\mu' \mathrel{\hat=} \mu \setminus \{\infty\}$ so that
$$\begin{array}{ll}
& P^{\lambda} \# P^{\mu} \\
\equiv & \text{definition} \\
& (P^{\lambda'} \sqcap P^{\infty}) \# (P^{\mu'} \sqcap P^{\infty}) \\
\equiv & \text{distributivity} \\
& (P^{\lambda'} \# P^{\mu'}) \sqcap (P^{\lambda'} \# P^{\infty}) \sqcap (P^{\infty} \# P^{\mu}) \\
\equiv & \text{Law 13(1)} \\
& P^{\lambda'+\mu'} \sqcap (P^{\lambda'} \# P^{\infty}) \sqcap P^{\infty} \\
\equiv & P^{\infty} \sqsubseteq P^{\lambda'} \# P^{\infty} \\
& P^{\lambda'+\mu'} \sqcap P^{\infty} \\
\equiv & \text{definition} \\
& P^{\lambda+\mu} .
\end{array}$$

For Law 13(2), we first consider $(P^l)^m$. If $l, m < \infty$ then $(P^l)^m = P^{l \cdot m}$ can be proved by natural induction. If $0 < m < \infty$ then $(P^{\infty})^m = P^{\infty} \# (P^{\infty})^{m-1} = P^{\infty}$. We also have $(P^{\infty})^0 = P^0 = \mathit{II}$. On the other hand, if $0 < l < \infty$, then $(P^l)^{\infty} = P^{\infty}$, because we have $P^{\infty} \sqsupseteq (P^{(l \cdot m)} \# \hat{}) = ((P^l)^m \# \hat{})$ for any $m < \infty$ and hence $P^{\infty} \sqsupseteq (P^l)^{\infty}$, and for similar reasons, $(P^l)^{\infty} \sqsupseteq P^{\infty}$. To calculate $(P^{\infty})^{\infty}$, we show that $(P^{\infty})^{\infty} \sqsupseteq ((P^{\infty})^1 \# \hat{}) = P^{\infty} \sqsupseteq ((P^{\infty})^m \# \hat{})$ for any $m < \infty$. Thus $(P^{\infty})^{\infty} = P^{\infty}$.

We then consider $(P^{\lambda})^{\mu}$ where $\lambda, \mu \subseteq \mathbb{N}_{\infty}$. If $m = 0$ then $(P^{\lambda})^0 = \mathit{II} = P^{(0 \cdot \lambda)}$. If $\infty \notin \lambda$ and $0 < m < \infty$, then we have $(P^{\lambda})^m = P^{\lambda} \# P^{\lambda} \# \cdots \# P^{\lambda} = P^{\{\sum_{i \le m} n_i \mid n_i \in \lambda\}} = P^{(m \cdot \lambda)}$ by natural induction based on Law 13(1). If $\infty \in \lambda$ and $0 < m < \infty$, then let $\nu$ be $\lambda \setminus \{\infty\}$:
$$\begin{array}{ll}
& (P^{\lambda})^m \\
\equiv & \text{definition} \\
& (P^{\nu} \sqcap P^{\infty})^m \\
\equiv & \text{distributivity, } P^{\infty} \# Q = P^{\infty}, \text{ and } (P^{\infty})^m = P^{\infty}\ (m > 0) \\
& (P^{\nu})^m \sqcap \bigsqcap_{0 < k < m}((P^{\nu})^k \# P^{\infty}) \sqcap (P^{\infty})^m \\
\equiv & \infty \notin \nu, \text{ proved fact, and distributivity} \\
& P^{(m \cdot \nu)} \sqcap \bigsqcap_{0 < k < m}((P^{(k \cdot \nu)} \# P^{\infty}) \sqcap P^{\infty}) \\
\equiv & P^{\infty} \sqsubseteq P^{k \times n} \# P^{\infty}\ (k, n < \infty) \\
& P^{(m \cdot \nu)} \sqcap P^{\infty} \\
\equiv & \text{definition} \\
& P^{(m \cdot \lambda)} .
\end{array}$$

Finally, if $0 \notin \lambda$, then $(P^{\lambda})^{\infty} \sqsupseteq (P^{\lambda})^m \# \hat{} = P^{(m \cdot \lambda)} \# \hat{} \sqsupseteq (P^m \# \hat{})$ and hence $(P^{\lambda})^{\infty} \sqsupseteq P^{\infty}$. For similar reasons, $P^{\infty} \sqsupseteq P^{(m \cdot \lambda)} \# \hat{} = (P^{\lambda})^m \# \hat{}$ and hence $P^{\infty} \sqsupseteq (P^{\lambda})^{\infty}$. That means $(P^{\lambda})^{\infty} = P^{\infty} = P^{(\infty \cdot \lambda)}$. These results lead to Law 13(2): $(P^{\lambda})^{\mu} = \bigsqcap_{m \in \mu}(P^{\lambda})^m = \bigsqcap_{m \in \mu} P^{(m \cdot \lambda)} = P^{\bigcup_{m \in \mu} m \cdot \lambda} = P^{(\mu \cdot \lambda)}$, if $0 \notin \lambda$ or $\infty \notin \mu$. $\square$

LAW 14.
(1) $P^{*} = (P{\mid}\top)^{*} \# (\mathit{II}{\mid}P)$
(2) $P^{\sim} = (P{\mid}\top)^{\sim} \# (\mathit{II}{\mid}P)$
(3) $P^{+} = (P{\mid}\top)^{*} \# P$
(4) $P^{\oplus} = (P{\mid}\top)^{\sim} \# P$
(5) $P^{\infty} = \top \mid P^{\infty} = (P{\mid}\top)^{*} \# (\top{\mid}P)$

PROOF. We first consider Law 14(5). Its first half is a direct result of definition: $P^{\infty} = \bigsqcup_{n < \infty}(P^n \# \hat{}) \sqsupseteq \bigsqcup_{n < \infty}(\bot \# \hat{}) = \hat{}$. For its second part, we let $A \mathrel{\hat=} (P{\mid}\top)$ and $B \mathrel{\hat=} (\top{\mid}P)$ and reason that
$$\begin{array}{ll}
& P^{\infty} \\
= & \text{definition and } A \sqcap B = P \\
& \bigsqcup_{n < \infty}((A \sqcap B)^n \# \hat{}) \\
= & \text{distributivity and } B \sqsupseteq \hat{} \\
& \bigsqcup_{n < \infty}((A^n \# \hat{}) \sqcap \bigsqcap_{k < n}(A^k \# B)) \\
= & (A^n \# \hat{}) \sqsubseteq (A^n \# A^{k-n} \# B) = (A^k \# B) \text{ for any } k \text{ such that } n \le k < \infty \\
& \bigsqcup_{n < \infty}((A^n \# \hat{}) \sqcap \bigsqcap_{n \le k < \infty}(A^k \# B) \sqcap \bigsqcap_{k < n}(A^k \# B)) \\
= & \text{predicate calculus} \\
& \bigsqcup_{n < \infty}((A^n \# \hat{}) \sqcap \bigsqcap_{k < \infty}(A^k \# B)) \\
= & \text{distributivity and definition} \\
& \bigsqcup_{n < \infty}((A^n \# \hat{}) \sqcap (A^{\sim} \# B)) \\
= & \text{distributivity and proved fact} \\
& A^{\infty} \sqcap (A^{\sim} \# B) \\
= & A^{\infty} = A^{\infty} \# B \text{ and distributivity} \\
& A^{*} \# B .
\end{array}$$

Now set $C \mathrel{\hat=} (\mathit{II}{\mid}P)$ so that, by routine calculation, $C = \mathit{II} \sqcap B = C \sqcap B$. So for Law 14(2), we have
$$\begin{array}{ll}
& P^{\sim} \\
= & \text{definition and Law 9(3)} \\
& \bigsqcap_{n < \infty}(A \sqcap B)^n \\
= & \text{distributivity and } B \sqsupseteq \hat{} \\
& \bigsqcap_{n < \infty} A^n \sqcap \bigsqcap_{n < \infty}\bigsqcap_{k < n}(A^k \# B) \\
= & \text{distributivity and definitions} \\
& A^{\sim} \sqcap (A^{\sim} \# B) \\
= & C = \mathit{II} \sqcap B \\
& A^{\sim} \# C .
\end{array}$$

For Law 14(1), we have
$$\begin{array}{ll}
& P^{*} \\
= & \text{definition} \\
& P^{\sim} \sqcap P^{\infty} \\
= & \text{Law 14(2)} \\
& (A^{\sim} \# C) \sqcap (A^{*} \# B) \\
= & A^{\infty} \# B = A^{\infty} \\
& (A^{\sim} \# C) \sqcap (A^{\sim} \# B) \sqcap A^{\infty} \\
= & \text{distributivity, } C = C \sqcap B, \text{ and } A^{\infty} = A^{\infty} \# C \\
& A^{*} \# C .
\end{array}$$

For Law 14(3), we have $C \# P = P$ and $P^{+} = P^{*} \# P = A^{*} \# C \# P = A^{*} \# P$, and for Law 14(4), $P^{\oplus} = P^{\sim} \# P = A^{\sim} \# C \# P = A^{\sim} \# P$. $\square$

LEMMA 15. $\langle p\rangle_n \# \bigsqcup_{i \in I} P_i = \bigsqcup_{i \in I}(\langle p\rangle_n \# P_i)$ where each $P_i$ is a nonterminating global command, and $I$ a nonempty set of indices.

PROOF. For each $P_i$, there exists an internal predicate $p_i = p_i(x_0, x_1, \ldots)$ such that $P_i = \langle \overleftarrow{x} = x_0 \wedge p_i\rangle_{\infty}$ by decomposition. So we reason:
$$\begin{array}{ll}
& \langle p\rangle_n \# \bigsqcup_{i \in I} P_i \\
= & \text{decomposition} \\
& \langle p\rangle_n \# \bigsqcup_{i \in I} \langle \overleftarrow{x} = x_0 \wedge p_i\rangle_{\infty} \\
= & \text{Law 4(1) for universal parallel composition} \\
& \langle p\rangle_n \# \langle \bigwedge_{i \in I}(\overleftarrow{x} = x_0 \wedge p_i)\rangle_{\infty} \\
= & \text{Law 1} \\
& \langle p[x_n/\overrightarrow{x}] \wedge \bigwedge_{i \in I} p_i(x_n, x_{n+1}, \ldots)\rangle_{\infty} \\
= & \text{Law 4(1) for universal parallel composition} \\
& \bigsqcup_{i \in I} \langle p[x_n/\overrightarrow{x}] \wedge p_i(x_n, x_{n+1}, \ldots)\rangle_{\infty} \\
= & \text{proved fact} \\
& \bigsqcup_{i \in I}(\langle p\rangle_n \# P_i) . \qquad \square
\end{array}$$

LAW 15.
(1) $\ \#[p(\overleftarrow{x})]^{\infty} = \ \#[p(\overrightarrow{x})]^{\infty}$
(2) $(\ \#[p]^{\infty}) \sqcup (\ \#[q]^{\infty}) = \ \#[p \wedge q]^{\infty}$
(3) $[p]^{\infty} = \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < \infty} p(x_n, x_{n+1})\rangle_{\infty} = \mathbf{while}\ \mathit{true}\ \mathbf{do}\ [p]$

PROOF. We first consider Law 15(3) and reason cyclically for its first half:
$$\begin{array}{ll}
& [p]^{\infty} \\
= & \text{definition and property of chain} \\
& \bigsqcup_{1 < m < \infty}([p]^m \# \hat{}) \\
= & \text{Law 1} \\
& \bigsqcup_{1 < m < \infty} \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < m-1} p(x_n, x_{n+1}) \wedge \exists x \cdot p(x_{m-1}, x)\rangle_{\infty} \\
\sqsupseteq & \text{weakening} \\
& \bigsqcup_{n < \infty} \langle \overleftarrow{x} = x_0 \wedge p(x_n, x_{n+1})\rangle_{\infty} \\
= & \text{Law 4(1) for universal parallel composition} \\
& \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < \infty} p(x_n, x_{n+1})\rangle_{\infty} \\
= & \text{Law 4(1) for universal parallel composition and predicate calculus} \\
& \bigsqcup_{1 < m < \infty} \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < m-1} p(x_n, x_{n+1}) \wedge p(x_{m-1}, x_m)\rangle_{\infty} \\
\sqsupseteq & \text{weakening} \\
& \bigsqcup_{1 < m < \infty} \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < m-1} p(x_n, x_{n+1}) \wedge \exists x \cdot p(x_{m-1}, x)\rangle_{\infty} \\
= & \text{proved fact} \\
& [p]^{\infty} .
\end{array}$$

For the second half of Law 15(3), we only need to check that $[p]^{\infty}$ is the weakest fixedpoint $\mu X \cdot ([p] \# \top{\mid}X)$. According to the definition of infinite repetition, we only need to check that it is indeed a fixedpoint:
$$\begin{array}{ll}
& [p] \# [p]^{\infty} \\
= & \text{definition of transition and proved fact} \\
& \langle \overleftarrow{x} = x_0 \wedge p(\overleftarrow{x}, \overrightarrow{x})\rangle_1 \# \langle \overleftarrow{x} = x_0 \wedge \bigwedge_{n < \infty} p(x_n, x_{n+1})\rangle_{\infty} \\
= & \text{Law 1 and predicate calculus} \\
& \langle \overleftarrow{x} = x_0 \wedge p(x_0, x_1) \wedge \bigwedge_{0 < n < \infty} p(x_n, x_{n+1})\rangle_{\infty} \\
= & \text{predicate calculus and proved fact} \\
& [p]^{\infty} .
\end{array}$$

We notice that $\bot_m \# [p]^{\infty} = \langle \bigwedge_{m \le n < \infty} p(x_n, x_{n+1})\rangle_{\infty}$. Thus Law 15(1) follows:
$$\begin{array}{ll}
& \ \#[p(\overleftarrow{x})]^{\infty} \\
= & \text{definition of }\ \ \text{ and Law 15(3)} \\
& \bigsqcap_{m < \infty} \langle \bigwedge_{m \le n < \infty} p(x_n)\rangle_{\infty} \\
= & \bigwedge_{n < \infty} p(x_n) \Rightarrow \bigwedge_{m \le n < \infty} p(x_n) \text{ and predicate calculus} \\
& \bigsqcap_{m < \infty} \langle \bigwedge_{m < n < \infty} p(x_n)\rangle_{\infty} \\
= & \text{definition of }\ \ \text{ and Law 15(3)} \\
& \ \#[p(\overrightarrow{x})]^{\infty} .
\end{array}$$

Law 15(2) is a special case of 17(3):
$$\begin{array}{ll}
& (\ \#[p]^{\infty}) \sqcup (\ \#[q]^{\infty}) \\
= & \ \#[q]^{\infty} \sqsupseteq \hat{} \\
& (\ \#|p|) \sqcup (\ \#[q]^{\infty}) \\
= & \text{Law 17(3)} \\
& \ \#(|p| \sqcup [q])^{\infty} \\
= & \text{Law 16(2) and definition of transition} \\
& \ \#[p \wedge q]^{\infty} . \qquad \square
\end{array}$$

Law 16 is the result of Law 15(3), Law 3, and routine predicate manipulation.

LAW 17.
(1) $|p| \sqcup P^{\lambda} = (|p| \sqcup P)^{\lambda}$ ($0 \notin \lambda$)
(2) $|p| \sqcup (Q \# R) = (|p| \sqcup Q) \# (|p| \sqcup R)$
(3) $(\ \#|p|) \sqcup (\ \# P^{\infty}) = \ \#(|p| \sqcup P)^{\infty}$ if $P \sqsupseteq \ \ $

PROOF. We first notice that $\langle p\rangle_n \sqsupseteq |\mathit{true}|$ iff $n > 0$ and $p \Rightarrow (\overleftarrow{x} = x_0)$. By routine calculation, we can show that
$$|p| \sqcup (\langle q\rangle_n \# \langle r\rangle_m) = (|p| \sqcup \langle q\rangle_n) \# (|p| \sqcup \langle r\rangle_m),$$
where $q \Rightarrow (\overleftarrow{x} = x_0)$ and $r \Rightarrow (\overleftarrow{x} = x_0)$ and $0 < n, m \le \infty$. Thus, for Law 17(2), if $Q, R \sqsupseteq |\mathit{true}|$, then
$$\begin{array}{ll}
& |p| \sqcup (Q \# R) \\
= & \text{decomposition and distributivity} \\
& \bigsqcap_{n \le \infty}\bigsqcap_{m \le \infty}(|p| \sqcup (\langle q\rangle_n \# \langle r\rangle_m)) \\
= & \text{proved fact} \\
& \bigsqcap_{n \le \infty}\bigsqcap_{m \le \infty}((|p| \sqcup \langle q\rangle_n) \# (|p| \sqcup \langle r\rangle_m)) \\
= & \text{decomposition and distributivity} \\
& (|p| \sqcup Q) \# (|p| \sqcup R) .
\end{array}$$

Thus $|p|$ also distributes $n$-fold repetition $P^n$ if $0 < n < \infty$. Note that if a command $P$ is global, so is $(P \# \hat{})$. For infinite repetition, we reason cyclically:
$$\begin{array}{ll}
& |p| \sqcup P^{\infty} \\
= & \text{definition and property of chain} \\
& |p| \sqcup \bigsqcup_{0 < n < \infty}(P^n \# \hat{}) \\
= & \text{distributivity} \\
& \bigsqcup_{0 < n < \infty}(|p| \sqcup (P^{n-1} \# P \# \hat{})) \\
= & \text{proved fact} \\
& \bigsqcup_{0 < n < \infty}((|p| \sqcup P^{n-1}) \# |p| \sqcup (P \# \hat{})) \\
\sqsupseteq & \text{proved fact and weakening} \\
& \bigsqcup_{0 < n < \infty}((|p| \sqcup P)^{n-1} \# \hat{}) \\
= & \text{definition} \\
& (|p| \sqcup P)^{\infty} \\
\sqsupseteq & \text{Law 12(1) and property of complete lattice} \\
& |p|^{\infty} \sqcup P^{\infty} \\
= & \text{Law 13(2)} \\
& |p| \sqcup P^{\infty} .
\end{array}$$

That means $|p|$ also distributes general repetition, and so Law 17(1) holds. In proving Law 17(3) we must be careful not to use Law 15(2), previously established as a special case of Law 17(3). If $m < n < \infty$ and $P \sqsupseteq [\mathit{true}]^{\oplus}$, then we let $l \mathrel{\hat=} n - m$ and note

  (⊥n # [p]∞) ⊔ (⊥m # P∞)
= {definition and property of chain}
  (⊥n # [p]∞) ⊔ (⊥m # ⊔l<i<∞ (Pi+1 # ^))
= {Lemma 15 and distributivity}
  ⊔l<i<∞ ((⊥n # [p]∞) ⊔ (⊥m # Pi+1 # ^))
= {decomposition Pl = ⊓l≤k<∞ 〈qk〉k and P ⊒ [true]⊕}
  ⊔l<i<∞ ((⊥n # [p]∞) ⊔ (⊥m # ⊓l≤k<∞ 〈qk〉k # Pi+1−l # ^))
= {distributivity and Law 15(3)}
  ⊔l<i<∞ ⊓l≤k<∞ ((⊥n # [p]k−l # [p]∞) ⊔ (⊥m # 〈qk〉k # Pi+1−l # ^))
⊒ {weakening}
  ⊔l<i<∞ ⊓l≤k<∞ ((⊥k+m # [p]∞) ⊔ (⊥k+m # Pi+1−l # ^))
⊒ {Lemma 16 and proved fact}
  ⊔l<i<∞ ⊓l≤k<∞ (⊥k+m # (|p| ⊔ P)i−l # ^)
= {continuity of ⊓ in predicative semantics}
  ⊓l≤k<∞ ⊔l<i<∞ (⊥k+m # (|p| ⊔ P)i−l # ^)
= {Lemma 16 and distributivity}
  ⊓l≤k<∞ (⊥k+m # ⊔l<i<∞ ((|p| ⊔ P)i−l # ^))
⊒ {weakening, property of chain, and definition}
  # (|p| ⊔ P)∞ .

Thus we argue cyclically:

  # (|p| ⊔ P)∞
⊒ {Law 12(1) and property of complete lattice}
  (# |p|∞) ⊔ (# P∞)
= {Law 13(2)}
  (# [p]∞) ⊔ (# P∞)
= {definition of and distributivity}
  ⊓n<∞ ⊓m<∞ ((⊥n # [p]∞) ⊔ (⊥m # P∞))
= {predicate calculus and Law 15(3)}
  ⊓n<∞ ⊓n≤m<∞ ((⊥n # [p]m−n # [p]∞) ⊔ (⊥m # P∞))
  ⊓ ⊓n<∞ ⊓m<n ((⊥n # [p]∞) ⊔ (⊥m # P∞))
⊒ {weakening, Lemma 15 and proved fact}
  ⊓n<∞ ⊓n≤m<∞ (⊥m # ([p] ⊔ P)∞) ⊓ ⊓n<∞ ⊓m<n (# (|p| ⊔ P)∞)
⊒ {weakening, definition of , and distributivity}
  # (|p| ⊔ P)∞ .   □

Law 18 can be proved using Laws 3 and 4 and definitions.

LAW 19. (1) P ⊔ (P ⇒ Q) = P ⊔ Q

(2) P ⇒ Q = ⊥ iff Q ⊑ P

PROOF. According to Law 6(1), we have the first law:

  P ⊔ (P ⇒ Q) = (P ⊔ ∼P) ⊓ (P ⊔ Q) = P ⊔ Q .

For the second we argue cyclically:

  Q ⊑ P
⇒ {Boolean algebra}
  ∼P ⊓ Q = ⊥
⇔ {definition}
  P ⇒ Q = ⊥
⇒ {definition and Boolean algebra}
  (∼P ⊓ Q) ⊔ P = ⊥ ⊔ P
⇔ {Boolean algebra}
  Q ⊔ P = P
⇔ {property of lattice}
  Q ⊑ P .   □

LAW 20. (1) □P ⇒ P = ⊥

(2) □P ⇒ □□P = ⊥

(3) □P ⇒ ◇P = ⊥

PROOF. For Law 20(1), we have

  ⊥
⊑ {bottom}
  □P ⇒ P
= {definitions}
  ∼(∼(# ∼P # ⊥)) ⊓ P
= {Law 6(3)}
  (# ∼P # ⊥) ⊓ P
⊑ {strengthening}
  ∼P ⊓ P
= {bottom}
  ⊥ .

For Law 20(2), we have

  □P ⇒ □□P
= {definitions}
  ∼(∼(# ∼P # ⊥)) ⊓ ∼◇∼∼◇∼P
= {definition and Law 6(3)}
  (# ∼P # ⊥) ⊓ ∼(# # ∼P # ⊥ # ⊥)
= {Table III}
  (# ∼P # ⊥) ⊓ ∼(# ∼P # ⊥)
= {Law 6(2)}
  ⊥ .

For Law 20(3), we have

  □P ⇒ ◇P
= {definitions}
  ∼(∼(# ∼P # ⊥)) ⊓ (# P # ⊥)
= {definitions}
  (# ∼P # ⊥) ⊓ (# P # ⊥)
= {distributivity}
  # (∼P ⊓ P) # ⊥
= {Law 6(2)}
  # ⊥ # ⊥
= {Table III}
  ⊥ .   □

THEOREM 2 (SOUNDNESS). All LOGS laws are sound.

A.3 Completeness

LOGS specifications composed of binary compositions have a normal form:

NORM 1.  ⊓n≤∞ 〈pn〉n

LEMMA 16. Any LOGS command may be reduced to normal form using (just) the laws of LOGS.

PROOF. It suffices to demonstrate that nondeterminism can be moved to the front of any composition, leaving an nLOGS term. Consider the different commands:

(1) any nLOGS command is already in normal form;

(2) nondeterministic choice (Law 3(1))

  ⊓n≤∞ 〈pn〉n ⊓ ⊓n≤∞ 〈qn〉n = ⊓n≤∞ 〈pn ∨ qn〉n ,

(3) sequential composition (Law 1 and Law 3(1))

  ⊓i≤∞ 〈pi〉i # ⊓j≤∞ 〈qj〉j = ⊓n<∞ 〈∨i≤n (pi # qn−i)〉n ⊓ 〈p∞ ∨ ∨i<∞ (pi # q∞)〉∞ ,

(4) parallel composition (Law 4(1))

  ⊓n≤∞ 〈pn〉n ⊔ ⊓n≤∞ 〈qn〉n = ⊓n≤∞ 〈pn ∧ qn〉n ,

(5) negation (Law 6(5))

  ∼ ⊓n≤∞ 〈pn〉n = ⊓n≤∞ 〈¬pn〉n ,

and the proof is complete. □
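The following worked instance is added here and is not part of the paper: it applies cases (2), (3) and (4) of the proof above to two commands already in the terminating finite norm of Lemma 17, each with N = 1, so that p_n = q_n = false for every n > 1, including n = ∞. Sequential composition is written \# as in this extraction. The only assumption beyond what the page states is that sequential composition of predicates annihilates false, i.e. false \# q = p \# false = false, as relational composition does (the paper's definition of \# on predicates is not reproduced on this page).

```latex
\begin{aligned}
P &= \langle p_0\rangle_0 \sqcap \langle p_1\rangle_1 \sqcap \bigsqcap_{n>1}\langle \mathit{false}\rangle_n ,
\qquad
Q = \langle q_0\rangle_0 \sqcap \langle q_1\rangle_1 \sqcap \bigsqcap_{n>1}\langle \mathit{false}\rangle_n .\\[6pt]
P \sqcap Q &= \langle p_0 \vee q_0\rangle_0 \sqcap \langle p_1 \vee q_1\rangle_1 \sqcap \bigsqcap_{n>1}\langle \mathit{false}\rangle_n
  && \text{case (2): } \mathit{false}\vee\mathit{false}=\mathit{false}\\[4pt]
P \sqcup Q &= \langle p_0 \wedge q_0\rangle_0 \sqcap \langle p_1 \wedge q_1\rangle_1 \sqcap \bigsqcap_{n>1}\langle \mathit{false}\rangle_n
  && \text{case (4): } \mathit{false}\wedge\mathit{false}=\mathit{false}\\[4pt]
P \mathbin{\#} Q &= \bigsqcap_{n<\infty}\Big\langle \bigvee_{i\le n}\,(p_i \mathbin{\#} q_{n-i})\Big\rangle_n
   \sqcap \Big\langle p_\infty \vee \bigvee_{i<\infty}(p_i \mathbin{\#} q_\infty)\Big\rangle_\infty
  && \text{case (3)}\\
 &= \langle p_0 \mathbin{\#} q_0\rangle_0
   \sqcap \langle (p_0 \mathbin{\#} q_1) \vee (p_1 \mathbin{\#} q_0)\rangle_1
   \sqcap \langle p_1 \mathbin{\#} q_1\rangle_2
   \sqcap \bigsqcap_{n>2}\langle \mathit{false}\rangle_n .
\end{aligned}
```

In the last step every disjunct p_i \# q_{n−i} with i > 1 or n − i > 1 is false by the stated assumption, so for n ≥ 3 no disjunct survives, and the ∞-component is false because p_∞ = q_∞ = false. Choice and parallel composition therefore return a terminating finite norm with the same bound N = 1, while sequential composition returns one with bound 2, the sum of the two bounds; in each case the result is again of the form required by Lemma 17, with finitely many internal predicates.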

LEMMA 17. For any finite LOGS command P, there exists N ∈ ℕ and predicates p0, p1, . . . , pN, such that either

  P = ⊓n≤N 〈pn〉n ⊓ ⊓n>N 〈false〉n   or   P = ⊓n≤N 〈pn〉n ⊓ ⊓n>N ⊥n .

Furthermore the reduction to that form may be achieved in finitely many steps using (just) the laws of LOGS.

The former command is called a terminating finite norm, while the latter is called a nonterminating finite norm. The syntax of each internal predicate pn must be finite. Negation converts one finite norm into the other. The proof of the lemma is similar to that of the previous lemma and so is omitted.

THEOREM 3 (COMPLETENESS). The set of LOGS laws is complete in the sense that if two finite LOGS commands P and Q are semantically equal, then the equality P = Q can be proved using (just) the laws of LOGS and first-order logic.

PROOF. Let P and Q be finite LOGS commands. According to Lemma 17, they may be reduced to either a terminating finite norm or a nonterminating finite norm. If both P and Q are nonterminating finite norms (assume N ≤ M),

  P = ⊓n≤N 〈pn〉n ⊓ ⊓n>N ⊥n ,

  Q = ⊓m≤M 〈qm〉m ⊓ ⊓m>M ⊥m ,

then they are semantically equal iff for any k ≤ N,

  ⊢ (∀ ←−ω, ω0, . . . , ωk−1, −→ω · pk ⇔ qk)

and for any k such that N < k ≤ M,

  ⊢ (∀ ←−ω, ω0, . . . , ωk−1, −→ω · qk) .

Similarly P and Q can be compared if they are both terminating finite norms. □

ACKNOWLEDGMENTS

This paper, of which Chen and Sanders [2001] was an early version, has benefited from wide-ranging comments from its referees, to whom we are indebted.

REFERENCES

ABOLHASSAN, F., KELLER, J., AND PAUL, W. 1999. On the cost-effectiveness of PRAMs. Acta Informatica 36, 6, 463–487.

BLACKBURN, P., DE RIJKE, M., AND VENEMA, Y. 2001. Modal Logic. Cambridge University Press, Cambridge, U.K.

CHANDY, K. M. AND MISRA, J. 1988. Parallel Program Design: A Foundation. Addison-Wesley, Reading, MA.

CHEN, Y. 2001. Formal methods for global synchrony. Ph.D. dissertation. Oxford University Computing Laboratory, Oxford, U.K.

CHEN, Y. 2002. Generic composition. Form. Aspects Comput. 14, 2, 108–122.

CHEN, Y. 2003. A fixpoint theory for non-monotonic parallelism. Theoret. Comput. Sci. 308, 1–3, 367–392.

CHEN, Y. AND SANDERS, J. W. 2001. Logic of global synchrony. In 12th International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 2154. Springer-Verlag, Berlin, Germany, 487–501.

COUSOT, P. AND COUSOT, R. 1979. Constructive versions of Tarski's fixedpoint theorems. Pacific J. Math. 82, 1, 43–57.

DIJKSTRA, E. 1976. A Discipline of Programming. Prentice-Hall, Englewood Cliffs, N.J.

DIJKSTRA, E. 1978. Two starvation free solutions to a general exclusion problem. Unpublished Tech. Note EWD 625. Plataanstraat 5, 5671 Al Nuenen, The Netherlands.

FARRELL, C. A. AND KIERONSKA, D. H. 1996. Formal specification of parallel SIMD execution. Theoret. Comput. Sci. 169, 1, 39–65.

FORTUNE, S. AND WYLLIE, J. 1978. Parallelism in random access machines. In Proceedings of the 10th Annual ACM Symposium on Theory of Computing. ACM Press, New York, NY, 114–118.

FOSTER, I. 1995. Designing and Building Parallel Programs. Addison Wesley, Reading, MA.

HILL, J. M. D., ET AL. 1998. BSPlib: The BSP programming library. Parallel Comput. 24, 14, 1927–2148.

HOARE, C. A. R. 1985. Communicating Sequential Processes. Prentice Hall, Englewood Cliffs, NJ.

HOARE, C. A. R. AND HE, J. 1998. Unifying Theories of Programming. Prentice Hall, Englewood Cliffs, NJ.

INDA, M. AND BISSELING, R. 2001. A simple and efficient parallel FFT algorithm using the BSP model. Parallel Comput. 27, 14, 1847–1878.

JONES, C. 1983. Specification and design of parallel programs. In IFIP 9th World Congress. Kluwer Academic Publishers, Norwell, MA, 321–332.

LAMPORT, L. 1994. A temporal logic of actions. ACM Trans. Programm. Lang. Syst. 16, 3, 872–923.

LEPPÄNEN, V. AND PENTTONEN, M. 1995. Work-optimal simulation of PRAM models on meshes. Nordic J. Comput. 2, 1, 51–69.

MCCOLL, W. F. 1996. Scalability, portability and predictability: The BSP approach to parallel programming. Fut. Gen. Comput. Syst. 12, 4, 265–272.

MILNER, R. 1989. Communication and Concurrency. Prentice Hall, Englewood Cliffs, NJ.

NELSON, G. 1989. A generalisation of Dijkstra's calculus. ACM Trans. Programm. Lang. Syst. 11, 4, 517–561.

OWICKI, S. AND GRIES, D. 1976. An axiomatic proof technique for parallel programs I. Acta Informatica 6, 4, 319–340.

SARASWAT, V., RINARD, M., AND PANANGADEN, P. 1991. Semantic foundations of concurrent constraint programming. In Proceedings of the Eighteenth Annual ACM Symposium on Principles of Programming Languages. ACM Press, New York, NY, 333–352.

TARSKI, A. 1955. A lattice-theoretical fixpoint theorem and its applications. Pacific J. Math. 5, 285–309.

VALIANT, L. 1990. A bridging model for parallel computation. Commun. ACM 33, 8, 103–111.

Received September 2001; revised August 2002; accepted April 2003
