On the existence of sound and complete axiomatizations of the monitor concept

On the existence of sound and complete axiomatizations of

the monitor concept

Citation for published version (APA):

Gerth, R. T. (1987). On the existence of sound and complete axiomatizations of the monitor concept. (Computing science notes; Vol. 8701). Technische Universiteit Eindhoven.

Document status and date: Published: 01/01/1987

Document Version:

Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website.

• The final author version and the galley proof are versions of the publication after peer review.

• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain

• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:

www.tue.nl/taverne Take down policy

If you believe that this document breaches copyright please contact us at: openaccess@tue.nl

CSH

On the Existence of Sound

and Complete Axiomatizations

of the Monitor Concept

by

On the Existence of Sound

and Complete Axiomatizations

of the Monitor Concept

by

Rob Gerth

ON THE EXISTENCE OF SOUND AND COMPLETE

AXIOMATIZATIONS OF THE MONITOR

CONCEPT

Rob Gerth*t

Eindboven University of Technology:

January

1989

Abstract

This paper presents an axiomatization for the partial correctness properties of Commu-llicating Modules, a monitor-based programming language. This axiomatization is certified through soundness and (relative) completeness proofs, which constitute the major part of . the paper. The system is based on the well-known notions of cooperation and interference freedom, however does not incorporate them as second order notions and is syntax-directed in a formal way.

1 Introduction

Monitors constitute the first attempt at formulating concurrent programming concepts beyond low-level mutual exclusion primitives such as semaphores ([Dij6B]). The concept originates from Hoare and Brinch Hansen ([Hoa74, BHa73]) in their work on resource management in operating systems and is influenced by the SIMULA class concept ([DMN67]).

Monitors combine ideas from abstract data types with a notion of concurrency that derives from the independence of the various sets of data in the system achieved through the aforemen-tioned data-abstraction. Programming languages based on it, include Concurrent Pascal [BHa75],

Distributed Processes [BHa7B], Mesa [MMS79] and most recently, Wirth's Modula (-2) [WirB4].

Also, the rendezvous concept of Ada [ARM83] clearly derives from it. In a different but related area, these ideas surface in the concept of object in object oriented systems [AmB6].

Although the monitor concept is a relatively old one, it has never been adequately axiomatized (in the sense of [Hoa69]). It is well known that previous attempts, [Hoa74, How76], resulted in sets of rules that are incomplete in the technical sense of the word. Recent attempts to correct this, [ABSI], remained unsuccessful.

This contrasts sharply with work on other concepts of concurrent programming: Concurrent languages based on the sharing of variables between concurrent procses were successfully axiom-atized by Owicki, [OG76]. Hoare's "Communicating Sequential Processes" has been dealt with in [AFdeRBO, LG81, Sou84] and Ada in [GdeR84].

·The author was financially .upported, through the Foundation for Computer Science Research in the Nether-lands (SION), by the NetherNether-lands Organization for the Advancement of Pure Research (ZWO).

tThe author is currently working in and partially .upported by ESPRIT project 931: "Debugging and Specifi-cation of Ada Real-Time Embedded Sy.tema (DESCARTES)".

tDepartment of Mathematics and Computing Science, Eindhoven Univers.ity of Technology, P.O.Box 613, 6600 MB Eindhoven, The Netherlands. Electronic mail: mcvax!eutrc3!wsinrobg.UUCP or WSDCROBGC HEITUE5 .BITNET.

The current paper, implicitly, offers an explanation for this state of affairs. The reported axiomatization in fact combines the notions of interference freedom - developed to axiomatize shared variable languages - and cooperation (in its generalized form of [GdeR84]) - introduced to axiomatile synchronously communicating languages. Both notions, although formulated in different ways, reflect the insight that the specification or verification of a concurrent agent in

isola.tion from an interacting environment, has to incorporate assumptions about such interactions.

Assumptions that have to be proved compatible or non-conflicting when combining the separate agents'specifications. It is this basic insight that is missing in earlier axiomatization attempts.

The present axiomatization evolved from work on Brinch Hansen's Distributed Processes, DP ([BH78]), reported in [RDKdeR81, GdeRR82a, GdeRR82b) with the following difference: usually, cooperation and interference freedom is formula.ted as the way to combine proofs of specifications rather than as the way to combine specifications themselves. Hence, the resulting proof systems might be better called verification algorithms, instead oUormal aDomatizations. The paper shows that this traditional rendering is not forced by these notions, and gives an aDomatization that complies with the usual meaning of the term. This aDomatization is syntax-directed in the sense that every program constructor has an associated formal proof rule and every basic statement an associated axiom.

The current paper is a companion to [GdeR86). That paper informally introduces and moti-vates the proposed aDomatization. Here, the concentration is on the formal justification of the proof system. Formally speaking, this paper independent from [GdeR86). However, the reader seeking (more) motivation is referred to that paper.

For a different approach towards axiomatizing monitors in the context of DP, the reader should consult [SS85,Gje88). Those works are based on the Soundararajan-Dahl approach, [SoD82) and are most easily described as the rendering of an operational semantics into proof rules and as-sertions. The resulting set of rules is complete, too. In this approach one reasons directly with the computation history, whereas here one may choose auxiliary variables that retain just the needed information about the history. This has the advantage of ease of use; it has the technical disadvantage that the completeness of the proof system is more restricted. See also Section 7.3 and the conclusions in Section 8.

The next section introduces the language Communicating Modules, CM. Then its syntax is extended to provide "hooks" for the aDomatization presented in Section 5. Section 3 gives a syntax directed operational semantics that will be used in the soundness and completeness proofs. Next, in Section 4, two essential theorems are proved: the local and global merging tbeorems. These theorems express when separate executions of program parts are compatible in the sense that they are part of an execution of the combination of the program parts. The theorems have non-trivial content, since the program parts may interact. Section 5 introduces the specification language and the proof system. The section concludes with a substitution lemma used in the next two sections. The soundness and completeness proofs are the subject of Section 6 and 7. A final discussion occupies Section 8.

This introduction concludes with

1.1

A

summary of some notation

The (well-ordered) set of integers, {O, 1,2, ... }, is denoted by W; its cardinality by

No.

There is a denumerable, well-ordered set of variables Var. For any nEw, Yarn ~ Vcr contains the

first n variables. Hence Var =

U

Yarn. If ~ is some signature or similarity type, then Tm(~)

nEw

and L(~) denote the set of terms and first order formulae over~. Elements of L(I::) are usually denoted by letters p, q, rj terms bye,

t

and variables by u, v, :c, y, z. As usual, p[e/:z:) (t[e/:z:]) stands for the formula (term) obtained by substituting the term or expression e for every free occurence of z in p

(t).

The set of free variables of a formula or term ¢J is denoted by FV(¢J). ~-structures or I::-algebra's,

A,

are defined as usual and give interpretations of the symbols in E. Given a E-structure A, states u, T, v are partial functions from Var into

104.1,

the universe of A. The domain of a state (or any other function) u, is Dom(u); its range is

Ran(cr).

0 denotes the totally undefined statej i.e., the partial function Var t-+

104.1

with Dom(O) =

0.

Define

St n = {u : Var t-+

104.1 I

Dom(u) S; Yarn} and St

=

U

Stn. For a state

cr,

u

t

V restricts the

nEw

domain of u to V (S; Var)j u{a/x} (a E

104.1)

denotes the state u' such that for y

t.

:z: u'(y) = u(y) and

cr'(z)

= a. For states u, T such that

cr

tw

= T

tw

where W = Dom(u)

n

Dom(T),

cr

U Tis defined in the obvious way. For any states, u and T, let U{T} = U{T(:Z:)/:Z:, :z: E Dom(T)}. The value of a term

t

in a state

cr, u(t),

and the truth-value or satisfaction of a formula p in a state

cr,

u ~ p or A, u ~ p, are defined as usual, provided FV(p) S; Dom(u), and are undefined otherwise. In the sequel, states are always assumed to nave large enough domains so that they valuate every variable in a term or formula used. Write A ~ p if p E L(~) is valid in A., i.e., if

A,

u ~ p holds for every state u (for which FV(p) S; Dom(u)). Let Th(A) denote the set {p E L(~)

I

A ~ p}, where ~ is

A's

signature. The term computable will be used in its informal sensej recursive will be its formalization.

2

The language communicating modules,

eM

As stated in the introduction, monitors combine

1. the notion of abstract data type, where the concepts of data and the set of legal (=mean-ingful) operations on it, are seen as logically inseparable, with

2. a notion of concurrency that derives from the logical independence of the various data sets within a system, originating in the abstraction of (1).

Interactions within a system occur through the data type interface. The logical integrity of the data type abstraction and the functionality of the operations are maintained by

1. imposing strict synchronization between a monitor and the entity requesting its service, while performing this service and by

2. allowing a monitor to be serving at most one request at a time.

This does not imply that the data type operations of a monitor are strictly serialized, but merely that a monitor cannot be serving two or more requests at the same time. In fact, it implies

the possibility of a finer grain of serialization in monitors than there is in sequential abstract data types.

When a monitor is servicing a requestor, hence is performing a data type operation, the requestor is said to be active within the monitor and to have acquired the monitor-Ioel, effectively

locking out (the servicing of) any other requestor until the former relinquishes the lock. At such a time a monitor may start (again) servicing someone else.

Even at this level of description one can discern an interleaving of actions: actions associated with the data type operations and bracketed in time by the acquiring and relinquishing of the monitor lock by the requestors of the particular operations.

Traditionally, a monitor is a passive object, only reacting to external requests. Modules are a generalization of this concept and may also initiate requests to other modules.

2.1

Syntax

Let E be a signature. Partition Var as VarR U VarIC, VarIC

=

{ico

liE w}. The programming

language CM(E) is generated by the following Backus-Naur grammar

(z,

il, ii ~ VarR, :c E VarR,

e

~ Tm(E) and bE L(E) quantifier-free): • CM(E) ::=

[MD11I···1I

MDnl n

2:

1 • M D ::= Mi :: DC : [5)

• DC ::= ai(il#ii):

[5)

DC

• 5 ::= :c:= e

I

wait

I

call Mi.ai(e#z) 151 ; 52

I

if b then 51 else 52 fi

I

while b do 50d

Note that no variable of the form ico can appear in any C M (E)-program. These so-called

instance counters have a special meaning in the proof system of Section 5.2. The non-terminal DC may also produce the empty string.

2.2 Informal semantics

A module consists of a number of procedure-declarations and an initial statement. Execution of a module starts with its initial statement and continues until either the initial statement ter-minates or a wait-statement is encountered. Such statements are the primary way to establish

synchronization.

Synchronization occurs in a module: • when arriving at a wait-statement,

• upon completing the execution of the intial statement, and

• upon completing the execution of an (instance of an) entry procedure. Such points are called waiting poin ts.

By synchronization is meant either

• the ad of honouring and arbitrarily selected call to one of the module's entries (global synchronization) or

• the act of passing some wait-statement having been a waiting point at an earlier time and hence possibly different from the one execution just arrived at (local synchronization). Observe that at waiting points the monitor-lock is relinquished.

Honouring a call constitutes the only form of communication and synchronisation between modules. It results in a new procedure-instance being activated and executed. Until its comple-tion, the caller remains fully synchronized, whence its execution suspended, with the callee. The parameter-mechanism is call-by-value-result and within a procedure~body no assignment to any

value-parameter is allowed. Formal parameters are local with respect to the procedure-body. All other variables are global with respect to the module. Modules do not share variables.

In Section 3, the meaning of a program or module is formally defined in the form of an operational semantics.

The following notation and conventions will be used throughout the paper:

• the modules in a program comprising of n modules, are named Ml , M2, ... , Mn ,

• module Mi contains procedures ai, a~, ... , a~,i its initial statement is denoted by at, • procedure

a}

in Mi (j ~ 0) is declared as a~ (Us,j#iii,j):

[5}J;

the initial statement, a~, as

: [5bJ,

• Lid

=

{Us,j, v',j} (Li,o

=

0)i l'i,j is the set of variables, not including L.,j, that appear free

fl.,

n,

wi thin procedure aj of module M. i 1';

=

U

l'i,j, L.

=

U

L',j.

j=O j=O

I shall usually ignore the superscripts in procedure-names. Note that by this convention, I assume procedure-names to be unique. L.,j collects the local variables of procedure a~.

The following context conditions apply to any program:

• l'i n

V,

=

0 if i

#

j,

• Li,"

n

Lj,l

=

0

if i

#

j or k

#

I,

n

• l'i n

U

Lj

=

0,

j=1

• in any statement callM •. aj(e#f), the variables in f are pairwise disjoint and FV(e)n{f} =

0.

2.3 The extended language, CMe(:E)

Some syntactic extensions to CM(E) are necessary in order to obtain the proof system of Section 5. Specifically, labels are introduced and so-called bracketed sections.

Introduce a denumerable set, Lab, of labels with typical elements l, l' ,l", ... such that Lab

n

Var

=

0. In the grammar generating CMe(E), the same convention as in Section 2.1 is used.

• CM(E) ::= [MDllI···IIMDn ] n~l • MD ::= Mi :: DC : [5.l]

• DC ::= aj(u#v): [Tli l.}i5l'.{iT2] DC • T .. - 5

I

• 5 .. - :t:= e

It.wait.l'

Il.{Tlil'.call M •. aj(e#f)i T2i l ".)

I

51i 52

I

if b then 51 else 52 fi

I

while b do 5 ad

In a procedure body, Tl and T2 are called the prelude respectively the postlude ofthe procedure. Statements '[Tli1.}', 'l'.{iT2J' and 'l.{i···l'.call"·il".)' are called bracketed sections. A label that either labels the front of a wait or the initial statement will be said to label a .. aWng point.

In addition to the ones introduced in Section 2.2, the following context conditions apply to CMe(E) programs:

• any label may have at most one occurrence

• the statements Tl and T2 within bracketed sections, may contain no wait or call-statements. These syntactic extensions induce no semantic differences, other than that executing a bracket,

l.( or i.), is equivalent with executing a skip-action (e.g. z:= z).

For any CMe(E)-statement, procedure, module or program T, FLB(T) denotes the set of labels occurring in T. If l E FLB(ai) and ai is a procedure of Mi then L(l) denotes Li,;.

3

Operational semantics for

CMep:)

In this section the behaviour or semantics of C Me (E) programs is formally defined. I will use the

structured operational semantics approach as advocated by

G.

Plotkin

[PI82).

3-1 DEFINITION. A labeled E transition system, lu~, is a tuple (C, -, SC, TC, TL,A), where

• C is a set of configurations

• SC ~ C is a set of start configurations

• TC ~ C is the set of terminal configurations

• T L is a set of transitions labels or records • - ~ C x T L x C is the transition relation

• A is a E-structure

A structured operational semantics is an It" which transition relation is defined using induction on the structure of the configurations. In the current case this implies that also the semantics of CMe(E) modules and statements has to be defined, independent of a surrounding program.

To define the set of configurations, CMe(E) has to be extended, again, to CM*(E):

3-2 DEFINITION. CM*(E) is generated as in Section 2.3 except that the productions for the non-terminals DC and S are replaced by

• DC ::= ai(ii#ii):

[5)

DC

I

• S ::= z:= e li.wait.i'

I

block.ll·ill.( Ii.)

I

endv,iJ li.calIMi.ai(e#z)

I

l.rendz,iJ

I

Sl; S2

I

if b then Sl else S2 fi

I

while b do Sod

I

A

A block.i-action signifies that a wait has been encountered and that the monitor lock was released at this point. In the configuration of a caller, i.rendf,iJ records that an instance of procedure ai in Mi has been activated but not yet completed. The set of value-result parameters of the call is

z.

Statements end.e,i,j are used to identify the caller (procedure ai in Mi) which caused the current instance to be created. Here, ii denotes the set offormal value-result parameters of the corresponding procedure. A denoted the empty statement.

Fix some signature E and a E-structure.4.. From now on, I assume that E contains

+, -,

0 and 1 and that

A

contains as sub-structure the standard model

(w,

+, -,

0, 1). This assumption is needed to valuate the instance counters and, later on, is needed to reason about them. The semantics of CM(E)-programs, however, is not influenced.

3-3 DEFINITION (The configuration set C).

• A local configuration, LC, has the form Id : (S,B), where

- ld

==

(i, j, k) E w3 ; i indexes a module, j a procedure and k characteri~es the instance, - S is a CM*(E)-statement or procedure,

- B

=

(ZI, p), where ZI E St with Dom(ZI) ~ Var and p E Lab U {0}.

• A module configuration MC has the form (X 10

10')

or (X

I

a

I

LCo, .. . , LCn , O'), where

- X is either A or a CMe(E) module, - a E {-I, 0, 1, ... , n}, tbe activity pointer

- for 0 SiS n, LCi is a local configuration: Idi : (Si, Zli' Pi) and Idj

1-

Idi for i

¥

j,

- 0'

is a state such that Dom(O')

n

Dom(Zli)

=

0 for i

=

1 ... n • A program configuration PC, has the form (MCo, . .. , MCm ), where

- M Co, ... , M Cm are module configurations.

• The configuration set, C, consists of all program and module configurations.

During execution of a module, several procedure instances coexist together with the module's initial statement. The local configurations record the progress in each of these instances. Since for-mal parameters are local variables, each LC has a local state; the label records control information. The identification, ld, of a local configuration indicates where the configuration originates from: ld

=

(i, j, k)

¥

(0,0, k) implies that it records a configuration of procedure or initial statement

a)

while k identifies the instance; Id

=

(0,0, k) gives no such information and is the "identification" of a configuration of some statement. The variables that are global in the module, are valuated by the MC's state. Its activity pointer points to the LC that is currently active or equals -I, signifying a change of activity at a waiting point.

The variables in VarIC are proof-variables and are used to count the number of instances of a procedure. I assume that there is some canonical enumeration of the procedure names in a program, so that I can write ic.a~ for the VarIC -variable that refers to procedure

a)

(in module Mi).

Conventions: As generic indicants for module configurations, C, C', C", Ci , •.• are used. C has

the form (Mj

I

a

I

LCo, ... ,LCm,O') where LCi

==

Idi : (Si,Bi ) and Bi

==

(Zli' Pi). In Cff the components of C inherit the sub and superscripts (except for a module text):

Program configurations are generically denoted as C, C', .... C has the form

(Cl, ...

,cn)

and otherwise follows the above conventions. Finally, sometimes only part of a configuration is explicitly given; the other parts are then assumed to follow these conventions. Similar conventions hold for program configurations.

3-4 DEFINITION (The transition label set, TL) .

• TL

=

{E}U{(i,j,h,ZI,i,O')li,j,hEw,ZI,O'ESt,iELab}

U

{(i,j, Q, k, I, ind)

I

i,i,

k, I E W,Q ~

IAI,

ind E {in,

tel } .

• Records of the form (i,

i,

ii, k, I, ind) are called global records; the other ones are called local records.

Transition labels will be interpreted as words or sequences consisting of 0 or 1 records. Global records originate from module communicationsj ii is the sequence of transmitted values, the first index pair - a module and procedure index - specifies the sender, the second pair the receiver and ind indicates whether the record witnesses the initiation of a rendezvous (in) or the termination of one

(te).

Non-empty local records originate from waiting points and the index pair points to the originator. The pair of states, 11 and 0', record the local state, 11, of the procedure instance and the global state, O'j

i

identifies the waiting point. Finally, h characterizes the executing procedure instance.

3-5 DEFINITION (The front label of a statement, S, lab(S)).

• for S

==

~ := e, if b then S' else S" fl, while b do Sod, a(u#ii) : [i.S] , end;;,i,; or A:

lab(S)

=

0,

• for S

==

i.wait.i', block.i, .i, i.(, t.), i.calIMi.a;(e#f) or i.rend."i,;: lab(S)

=

{£}

• for S

==

S1; S2: lab(S)

=

lab(S2} if S1

==

A

=

lab(Sd otherwise.

All is set now for the definition of the transition relation. In its definition, whenever an M G of the form (X

I

a

I ...

LG···, 0'), occurs, the shown LG is the one pointed to by a, unless a

=

-1.

Write G

~

G' instead of (G, A, G') E-.

3-6 DEFINITION (The transition relation, -+) . • -+ ~ G

x

T L

x

G is tbe smallest relation satisfying

e

1. (A

I

0 lId: (~:= e, 11, 0), 0') ---+ (A

I

0

I

Id: (A, 11',0),0"), wherel 11',0"

=

lI{lIUO'(e)/z},O' ifz E Dom(lI)

=

1I,0'{lIuO'(e)/z} ifz

rt.

Dom(lI) (U, 11, i, 0')

2. (A

I

0

I

Id: (i.wait.i',lI,t),O') I (A

1-11

Id: (block.i',lI,i'),O')

e

3. (A

I

-1 lId: (block.i, 11, i), 0') ---+ (A

I

0 lId: (block.i, 11', i), 0")

f

4. (A

I

0 lId: (block.i, 11, i), 0') - - (A

I

0 lId: (A, 11, 0),0')

5.

6.

(r, 6,0' U lI(e,

f),

i, j, in) (A

I

0

I

r, 6, k : (i. call Mi.a;(e#f), 11, i), 0 ' ) . I

(A

10

I

r, 6, k: (i.rend."i,;, 11, i), 0')

(i,j,a,r,6,te)

(A

I

0

I

r, 6, k : (i.rend."i,;, 11, i), 0') I

where (or

z"

E f lI'(Z,,),

O"(z,,)

=

a",

O'(z,,)

=

V(Zk),

a"

11' tf C

=

ii tfC, 0" tf C

=

0' tfC

(A

10

I

r, s, k :

(A,

11',

0),

0") , UZk E Dorn(lI) and

ifzk

rt.

Dorn(lI) (Ii, 0,

i,

0')

7. (A

I

0

lId: (.i,O,i),O') I

(A

1-11

Id: (.i,O,i),O') f

8. (A

I

-1 lId: (.i, 0, i), 0') ---+ (A

I

0

I

Id : (A, 0, i), 0"),

e

9. (A

I

0 lId: (i.(, 11, i), 0') ---+ (A

I

0

I

Id : (A, 11,0),0')

E

10.

(A

I

0

I

Id : (i.), 11, f), 0-) ~

(A

I

0

I

Id : (A, 11,

0), cr)

E

11.

(A

I

0

I

Id:

(A,8),cr)

~

(A

I

0

I

cr)

(r,

6,

ii,

c,

i, j,

in)

(A

I

0

I

i,j,k: (a~(u#ii): [5),1I,0),cr)

12.

(A

I

0

I

i, j,

k : (5j

endt", .. ,,,

O{b,

c/u,

ii}, O),

cr),

where

b

=

0-U 11 (u) and c

=

0-U 11 (ii)

E

13. (A

I

0

I

Id : (: [5.l], 0,

O), cr)

---+

(A

I

0

lId: (5.l, fl,

0),

0-)

. . (i,j,lI(ii),r,s,te)

14. (A

I

0

I

t,), k : (end", .. ,,, 11,

0),

cr)

J

(A

I

0

I

i, j, k : (A, 11,

O),

cr)

15.

(A

I

0 lid: (if b then

51

else

52

ft, 11,

O),

0-)

...!.-

(A

I

0

I

Id : (51,11, Iab(5d), 0-)

if A,

cr

U 11

F

b

16.

(A

I

0

I

Id : (if b then

51

else

52

ft, 11, 0),0-)

...!.-

(A

10

lId: (52,11, Iab(52)) ,

cr)

if A,

cr

U 11

p!:

b

(A

I

0

I

Id : (while b do 5 od, 11,

O),

cr)

...!.-17.

(A

I

0

I

ld :

(5j

while b do

5

od,lI, Iab(5)),

cr)

if

A, cr

U 11

F

b

18. (A

I

0

I

Id : (while b do 5 od, 11, O), 0-)

...!.-

(A

I

0

I

ld : (A, 11, O),

cr)

if A,

cr

U 11

p!:

b

A

(A

I

a

I

Id : (5,11, p), 0-) -

(A

I

a' lId: (5',11', p'), 0-')

19. A ' where

(A

I

a

I

Id :

(5j

T, 11,

p), cr) -

(A

I

a' lId: (5,11', Iab(5)),

cr')

5

==

5' j T if 5'

"I

A and T otherwise A

(A

I

a lId:

(5,8),cr)

- - +

(A

I

a'

I

Id: (5',8'),0-')

20. -1 A ' provided

(MI.I···ld:(5,8) ..• ,0-)-(Ml b l···ld:(5',8' ) .•. ,o-')

~

5"1 .i, if a

=

-1 then

cr,

11

=

0-',11', and if a'

=

-1 then b

=

-1 else b

=

i

(Id, lI,t, 0-)

21. (M

Ii

I .. ·ld: (.i,8).",o-) J (M 1-11,,·ld: (.£,8)".,0-)

>.

(A

10

II,j,k: (a~(u#ii):

[5],0,0),0-) -

(A

10

II,j:

(5',8'),cr')

22. A

(M/

I

-1

I

LCD, .. " LC

n -l , 0-) - - +

(M/

I

n

I

LCD, .. " LC

n - lo

1,

j :

(5',8'), cr")

provided aj is declared in Mz as in the premisr, ldi

"I

(1,

j, k) for i

<

n and

cr"

=

0-' {ie.a}

+

l/ie.aD·

2In case j

=

0, the declaration stands for the initiel statement of Mi and I aasume the pllZ'8Uleter part to be empty.

(Id, 0,

0,

u')

(M

I

i

I

LCo ··· LCi-1, Id : (A,II, 0), LCi+1 ... LC .. , 0') I

23. ') ,

(M

1-11

LCo ·· ·LCi-11 LCi+1·· ·LCn , 0'

wbere 0"

=

O'{ic.a~ - l/ic.a}}.

f

24. (M;

1-1

lId: (.i, 8), 0') - (Mi

10 10')

(M"

I ... )

~

(M"

I ... )'

~

A

«(M1 1···)···(M"

I···)···(M .. I···) - -

«(M1 I···)···(M" I···)'

provided A is local and (Mk

I ... )'

~ (Mk

I

0

I

'T) for any'T.

(M.

I ... )

~

(Mi

I ... )' ,

(Mj

I ... )

~

(Mj

I ... )'

26. A

«(M1 1···)···(Mi 1···) .• ·(Mj

I···) .. .

(M ..

I···))--... (Mn

I·· .))

«(M1

I···)···

(M.

I·· .)' ...

(Mj

I·· .)' ...

(M ..

I···))

provided A is global.

f «(M1

1-11

Id 1 : (.i1,81),0'1), ... , (M ..

1-11

Id .. : (.£",8 .. ),0' ..

))--27. . «(M1

I

0

I

0'1), ... , (M .. I

0 10' .. )

• -*

is tbe reflexive and transitive closure of-.

Remarks: The above definition intends to capture not only the behaviour of CMe(E)-programs, but also the behaviour of modules and statements, independent from their context. So, e.g., the states in axiom 3 can change arbitrarily, reflecting the fact that nothing is known about the module text, hence about the statements that can be interleaved at waiting points. In contrast, rule 20 does not allow such changes. Likewise for axiom 8 versus axiom 24. Axioms 3, 7, 8 and 11 are irrelevant as far as the transisitons of modules and programs are concerned. Additionally, rule 24 can be ignored for program transitions.

3-7 DEFINITION (Start and terminal configurations). Let 'T be any state. • for a statement or initial statement S

- SC .. (S)

=

{(A

I

0

I

0,0,0:

(S,O,lab(S)),'T)}

- TC .. (S)

=

(A

I

0

I

'T)

• for a declaration,

D,

of a procedure Q~

(j

¥

0)

- SC .. (D)

=

{(A

10

I

i,i,k: (D,O,0),'T)

I

k EW}

- TC .. (D)

=

(A

I

0

I'T)

• for a module M. witb initial statement So.i - SC .. (M.)

=

(M. 10

Ii,

0, 0: (So.i,

0,0),

T),

wbere T

=

'T{O/ic.Q~

i

=

Lni}. - TC .. (Mi}

=

(M.

10

I'T)

• for a program P

==

[Mi

II· ··11

M .. ]

- TC,.(P)

=

(TC .. rv1(M1), ... ,SC .. rv .. (Mn», where V'

=

Var\

U

Vi

;¢' i~i~n

• SC

=

{SC .. (X)

I

T a state, X a CMe(E)-statement, procedure,

module or program} • TC

=

{TC .. (X)

I

T a state, X a CMe(E)-statement, procedure,

module or program} .

3-8 DEFINITION (Configuration states, s(C)).

• for a module configuration C

==

(X

I

a lIdo: (So, (0 ), ••• , Idn : (Sn,6n

),0"),

{ _ _ I

for 0 ~ i

5 n, if a

=

-1 or a

=

i then }

s(C)

=

(a,80 , ••• ,8n

,0")

E, _ n,

I

E, - (

,0) ,

11. - 11. e se 11. -

lI.,

• for a program configuration C

=

(MClt ..• , MCm )

Configuration states extract from configurations the information on which satisfaction of spec-ifications depend. Configuration states, usually denoted by 0, 0', ... , inherit the notational con-ventions as introduced for configurations.

3-9 DEFINITION (CM*(E)-computations and semantics).

For any C M*(E)-statement, procedure, module or program T, set of states X and set of configu-rations

Y:

• Define

C(T X Y)

= {

C

~

C

~

...

~

c

I

Co E SC .. (T), T E X, }

, , 0 1 n '10

<

_-

i

_-

<

n C·

.

E Y • The set of (X, Y -legal) computations, Comp(T, X, Y), is defined by

- C(T, X, Y) ifT is a module or program, and C(T,X,Y)U

{

Am+1

~

...

~

An 3Co A1 A • • • A Am I Cm such that }

Cm I C_n elm-1

=

-1 and A1 ••.• ~ A

Co n I C_n E C(T, St, Y) ifT is a statement or procedure

• its semantics, [T](X, Y), is

{

>'1

~

...

~

>'n

}

3 Co I Cn E Comp(T, X, Y) such that

(00 A • • • A On, t) if C_n

=

TC

If,. (T)

t~en

t

=

.L otherwise t

=

T and 6,

=

s(

C,) for 0

5 ,

~

n,

This definition of computation sequence, and hence of semantics, reflects the knowledge of the state at waiting points: only in modules and programs is the state known when execution resumes at a waiting point; for statements and procedures the state at these points is arbitrary (see, e.g., the transition rule 3 in Definition 3-6). For that reason, suffixes of computation sequences are

11

included, too. This will become clearer when defining satisfaction of specifications in Definition 5-3.

Observe that the usual notion of computation and semantics is obtained as Comp(',

St,

C) and

[.](St, C).

As a matter of notation, if no restrictions are placed on states or configurations, the corre-sponding sets are not mentioned. E.g., instead of Comp(·,

St,

C) I shall write Comp(·). Moreover, whenever I associate configuration states with the configurations in a computation, the conditions of the second part of Definition 3-8 will be assumed

For future use, there are four simple observations to be made:

The relation between instance-counters (VarIC) and configurations is given by the following

).

3-10 OBSERVATION. Let M/ be some module, let Co

-...*

Cn E Comp(T) and let

aL

be some procedure in M/. Then

• O'n(ic.aL)

=

m ¢:> there are m LC's, Idj : (Sj, 8j ), in Cn such that Idj

=

(1,

k, h) for some h and for j

=

l..m.

This is obvious.

3-11 OBSERVA.TION. Given, for i

=

0,1,

Cb

~*

C!; E Comp(M/,r), assume that >.0

=

).1

and O'~o

=

0';" Then, iffor some i and j, 8!!,i

=

8;'J' Id~o,i

==

Id;,,; and P~O,i :/;

0,

conclude that LCoo .

=

LC1 , ..

n ,I n "

If Mz only contains straightline code (Le., no while loops) this is clear. Next, observe that between any two successive arrivals "at" P~O,i in the procedure instance determined by Id~O,i at least one record is generated. Moreover, if this record is a global one, so that the generating procedure instance is not known, there is another local record that does identify the generating instance.

In the sequel this observation shall mostly be used implicitly.

>.

*

3-12 OBSERVA.TION. Let Co ---+ _Cn E Comp(M,) with

an

=

-1 and let II

ESt, i

E Lab. Tben tbe following two statements are equivalent:

• (II,

i)

=

8n,i, 1 E FLB(a~) and Un,i

=

(l,j, k)

• ). =

).0 A

(1,

j, k, II, i', 0') A ).1, where

1. 1 E FLB(a}),

2. if llabels the rear of a wait, tben i' labels its front and if ilabels tbe rear of a& tben

l' =l

3. ).1 does not contain a local record of the form (l,j, k, ii,

l, 0')

for any ii, 0' and

l.

Notation: (h, l, II) is determined by)..

Because

an

=

-1 every Pn,i labels a waiting point. Hence, 'arriving' at any ofthe 8n,.'s has been

witnessed by some local record. Consider the last time the computation arrived at (II, l). Clearly,). has the form as suggested. Alternatively, if A has the above form then the configuration responsible for producing the local record cannot have moved during the A1-computation (remember,

an

=

-1).

3-13 OBSERVATION. For any CM*(~)-statement, procedure, module or program T and

com-putable sets of states X, and configurations, Y, Comp(T, X, Y) and [T](X, Y) are computable relations.

4

The merging lemmas

The aim is a syntax directed axiomatization of communicating modules. Specifically, it must be possible

(1)

to combine the specifications of procedures and the initial statement into a module specification and

(2)

to combine module specifications into a program specification.

Now, specifications describe sets of allowed or legal computations of the specified program parts. Also, for completeness of the axiom system, specifications must be able to fully characterize the legal computations. Consequently the following question arises:

Given computations of some statements. When are such computations compatible in the sense that they are sub-computations of the composite statement?

In this section the two less trivial cases are treated. Section 4.1 contains the local merging lemma which states the conditions under which computations of a set of procedures and an initial statement can be combined into a single computation of the resulting module. In Section 4.2 the

global merging lemma is formulated, which states when module-computations can be combined.

4.1

The local merging lemma,

LML

4-1 DEFINITION (local reachability, lr).

Let MI be a CMe(~)-module, 7'0, 7'1, 7'2, "'0, ••• ,"'A" (T ESt, K a set of configurations, lo, ... ,lk E

Lab, ho, . .. ,hk E w and ~ a record sequence. Define for i

=

O .. k, ii by

t.

E FLB(a}J.

Then (ho, lo, ... , hk' lk) is (MI, 7', K, "'0, ••• , "'k, (T, ~)-lr iff

3 Co

~*

Cn E Comp(MI, {i}, K) such that

• (T

t

Vi

=

(Tn

t

Vi

and A

=

X,

• there is an injection, c!: {O .. .

k}

1-+

{o ...

m}, where m is the number oflocal records in Cn,

and V' i

=

O ... k ("'i,t.)

=

8n,cJ(i) and Idn,cJ(i)

=

(l,i-,k.)

So, configurations as characterized by ("'j, Ii), hi and (T, are locally reachable from some state 'T, precisely if there is a computation of Mi, starting in 'T, reaching such a configuration via intermediate configurations in K and which associated record sequence is ~.

.

~

* .

4-2 DEFINITION (LC-independence). Let

CO -

0;.,

E Comp(MI, 'T, K) for

i

=

0,1 and let

C~ E C be obtained from C~o by replacing or adding Le's from C~l' Then, K is called LC-independent if

). * ,

( )

Co - - + C_n E Comp M" 'T

=>

Co -

~

* ,

en

E Comp

(

MI, 'T, K

)

4-3 LEMMA (Local Merging Lemma, LML). With notation as in Definition 4-1, suppose that

• (ho, f

o, ... , h"_l,l"_l)

is (M"

TO,

K,

Vo, ... , VIo-1,

0', )'}-Ir,

• (h",l,,)

is (M" 1'1, K, II", 0', )'}-Ir, and

• K is LC-independent.

Then

(ho,lo, ... ,h",l,,)

is

(M"T2,K,vo, ...

,II",O',)'}-lr, provided

• TO

r

Vi

=

1'1

r

Vi

=

1'2

r

Vi ,

• V i

<

k

i.

=

jlo :::} h. :f:. hlo'

• there is at most one

to

E FLB(ab) and • at most one I. does not label a waiting point

PROOF. W.l.o.g., assume that Dom(Ti) ~

Vi

for

i :::;

2 and that Dom(O') ~

Vi.

Let l'

=

TO

=

1'1

=

1'2. If ). does not contain local records, then

lo, . .. , l" E

FLB(a~), so that the Lemma holds

vacuously.

Otherwise, split). as

>.

A

X,

where

X

is the largest suffix of

>.

that does not contain any local

record. By assumption, there are computations,

>.

*

X

*

Co - Cm - Cn (1)

both in

Comp(M,,{T},K),

such that

(v.,4)

=

8n ,c/('), Un,c/(')

=

(/,ii,ht)

for i

<

k and

(II", flo)

=

en,c/(")'

id

_{n ,c/(lo)}

=

(/,i",

h,,);

moreover, Un

=

Un

=

0'. Define m as the (largest)

index such that Clm

=

-1; likewise, define

m

such that iim

=

-1.

Choose any LC_{m,. from} C_{m and apply Observation 3-12 to the second computation in (1):}

). =

>'0 A

(I,

j, p, ii

m," Pm,., 0')

A >'1 and ).1 does not witness any other activity in the corresponding

procedure instance. Now, apply the Observation (in the reverse direction) to the first computation in (1) and conclude that

em,.

=

8m,j for some j. Repeating this argument gives that every local

state in C m is also reached in Cm. If m

=

n, this concludes the proof.

Next, let m

<

n. the Cm -1 - Cm and

C

m-1 --+ Cm-transitions are both witnessed by the same last (local) record in )., so that

u

m

=

u

m .

Finally, the

Co

~*

Cm-computation must be extended. There are two separate cases.

1) Clm+l ~ Ro.n(cf). This means that

(vi,4)

=

8m ,c/(') for i

<

k. If

e

m,ii"'+1 exists, define I as

the index oUhe corresponding local state in Cm; otherwise, let I be 1 larger than the number of LC's in Cm. Define configurations Cm

+.

for 1:::;

i:::; n - m

by

• LCm+.,;

=

LCm,; for j :f:. 1,

• LCm+.,I

=

LCm+.,ii"'+1' • O'm+'

=

Um

+.,

and

• Clm+'

=

I.

oX

As K is LC-independent, I have

Co

- *

Cm

+

n-

m E Comp(M"

{r}, K).

Hence, 8m

+

A -m,c/(')

=

(IIi,

4)

for i

<

k. Moreover, by construction, 8m

+

A-m,"

=

(1I",l,,)

and O'm+n-m

=

0'. The Lemma follows.

There seems to be a third case: Cm+1 E Ran(e!) and Zim+1

=

el(k); say Cm+1

=

el(O). This, however, cannot happen because either lo or LIe labels a waiting point, but

X

does not contain a

local record. 0

4.2

The global merging lemma, GML

4-4 DEFINITION (projection). Let A be some record sequence o[ a program

[M1

II ···11

Mn). • .x 11 is the subsequence o[.x obtained by erasing all records that do not involve module M,.

• A 19 1 is the subsequence of A 11 obtained by erasing all local records.

4-5 DEFINITION (global reachability, gr). Let P be a CMeE-program, [Ml

\I ...

II

Mnli T,

Vo, ... ,VI.; ESt, A a record sequence, 1:

{l. . .

k} 1-+

{l. . . n}

an injection,

ho, ...

,h" E w and

lo, ... ,l" E Lab such that 4 E FLB(M'(i» [or i ::; k.

Then (ho, lo, ..• , hIe, l,,) is (P, T, Vo, ... , Vk, 0', A)-gr iff

X

3 Co

---+*

en E Comp(P,

T)

such tbat • Xli

=

Ali [or every

i

E Ran(l)

I(i) • there is a [unction e/:{O .•. k} 1-+ w sucb tbat [or all i

=

1. .. k 0' tV,(i)

=

O'n

rv,(i),

8~~~J(i)

=

(vi,4)

and

Id~:~J(i)

=

(l(i),

r,

ht) with

4

E FLB(a!.(i».

4-6 LEMMA (Global Merging Lemma, GML). With notation as above, suppose • (ho, lo, ... , hl.;-I,

l"_I)

is (P, TO, Vo, ... , Vk-I, 0', .x')-gr,

• (h",l,,) is (P,TI,V",O',.x")-gr, • ( ) is (P, T2, O'),)-gr, and

n

• Ti

tv

=

Tj rV [or i,j

=

0 ... 2 and V

=

U

Vi,

X

19l(i)

=

A' 19 l(i) [or i

<

k and _{).19 l(k)}

=

i=1

.x" 19 l(k).

Then (ho, lo, ... , h",l,,) is (P, T,1I0," .,lIk, O',A)-gr, where T

r

V

=

TO

r

V, A ll(i)

=

A' ll(i) [or

i

<

k and A 11(k) =.x" 11(k).

PROOF. W.l.o.g., assume that TO = TI

=

T2 = T. The Lemma is proven with induction on the

number of global records in

X.

A stronger version of the Lemma is, however, needed to carry this induction: Suppose A

~

*

A 1. Co - - + Cli E Comp(P, T),

-

X

*-2. Co - - + Cli E Comp(P, T),

-

).

*-3. Co - - + Cn E Comp(P,

T)

and

4. Ao U Al

~ {I. . .

n} with Ao

n

Al =

0

and

X

19 i =

~

19 i i[ i E Ao,

X

19 i =

X

19 i

i[

i

E AI'

Then there is a computation Co

~*

Cn E Comp(P, T), with

~

1

i

=

).1

i for i E Ao,

{

C~ ifi E Ao ~li=~liforiEA1,~li=Xlifori~AoUA1ande!= ~~ ifiEA1 ·

e;.

otherwise Note that the reformulation is symmetrical with respect to the partition of

{I .. .

n}.

If X does not contain any global records (hence, neither do )., ~ and ~) the claim obviously holds, because the module computations all are independent.

Next, split X as Xo A Xli where Xl is the smallest suffix of X containing one global record,

(p, q,

a,

r, 8, ind). By symmetry, there are only two cases: (1) p and r are in different partitions and (2) p and r are in the same partition. The strengthened form of the Lemma is needed in case {p,r}S?;AoUA 1.

Case 1) W.l.o.g., let p E Ao and rEAl. The splitting of X induces splittings of ). and ~ into

>'0

A

).1

and

>'0

A ~1 such that for i

=

0,1: Xi 19 j

= )..

19 j if j E Ao and Xi 19 j

=

~i 19 j

if j E A1 and ).1 and ~1 are as small as possible. Define 171 to be the largest index such that Co

~*

C

m

l *

C,,;

likewise, define

m

and

m

w.r.t. the latter two computations. Induction gives a computation Co

~*

Cm E Comp(P,

T)

such that

~o

1 i

=

).1 i for i E A

o,

~o

1 i

=

>'01 i

for i E A 1, ~o

1

i

=

Xo

1

i if i ~ Ao U A 1, e;,.

=

C:n

if i E

Ao,

e;,.

=

6!n

if i E A1 and e;,.

=

C!n

otherwise. By definition of Crn (i.e., of 171 and m) a transition to Cm+1 is possible producing the

global record in Xl, where e;"+1

=

e;,. for i ~

{p,

r}, C!.+1

=

G:;.+1 and e:;'+1

=

6;;'+1' The remainder ofthe three computations (if any) are independent and hence can be grafted onto

e

m+1: first all the steps involving modules (whose indices are) in Ao from computation 1; then the steps invoving modules in A1 from the second one; and finally the steps in the remaining modules from

~ ~

the third computation. This results in a computation Co ~* Cm ~* Cn E Comp(P, T). By construction, Cn and ~1 (hence ~o A ~d satisfy the conditions of the Lemma.

Case 2) W.l.o.g., let p, r E Ao. As in case I, the label sequences X and). can be split, which also determines

m

and 171. Since the second computation is not involved in the last communication, I can take

>'0

=

~, Xl

=

~ and in

=

n.

Note that

.\0

19 i

=

>.

19 i for i E A1 • The rest of the

argument is as in the first case. 0

The strengthened form of the Lemma together with its proof show the essential triviality of the Global Merging Lemma: a transition label sequence really determines the complete computation. An inspection of the proof also suggests that if Ao and A1 are singleton sets (or empty) it suffices to assume local instead of global reachability for the Ao and A1 computations. In fact, the following special case is worth recording:

4-7 LEMMA. With notation as above, assume that

• (h, l)

is

(M"

f,

K,

v, 17, '5.)-lr,

• ( ) is (P, T, 17, ~)-gr and

• T

r

Vi

=

f

r

Vi

and ~ 19 I

=

X.

Then (h,l) is (P, T, V, 17, ~)-gr.

PROOF. The proof is in fact very easy and does not require an induction. Just take the global computation, Co

~*

Cn E Comp(P,

T)

and remove all transitions involving M,. In their place,

substitute the transitions from

Cb

~

*

c!,.

E Comp(Mz, r, K). Because in both computations Mz starts in the same state and because).

!g

1

=

X,

the resulting computation is in Comp(P, r)

and shows the required global reachability. 0

4-8 OBSERVATION. Local and global reach ability are semi computable relations.

5

Specifications and Proofrules

5.1

Specifications and their interpretation

5-1 DEFINITION (Specifications). Let T be a CMe(E)-statement or procedure, M. a module and

P a program; p, q, MI E L(E). Specifications are o[ one o[ the following three [arms:

• (1) (CA, WA, CO, MI

I

{p}T{q}) or (2) (CA,

0,

CO, MI

I

{P}M.{q}), where

(1'

stands [or T or M.)

CA ~ {i: p It labels a closing bracket in

1',

p E L(E)}

WA ~ {l: p Ii labels the rear of a wait in

l'

or

l'

==

T'.l, p E L(E)} CO ~ {i : p Ii labels an opening bracket, a call or the fron t o[ a

wait in

1',

p E L(E)} - in case (2),

*

FV(MI)

n

L.

=

0,

*

[or alli : p-term: FV(p)

n

L. ~ L(i) and

*

any iCT E Var

IC _{that appears in any assertion refers to a procedure in M}

i ; i.e., has

the form ic.a}.

- i[ T is a procedure with formal parameters, u, then FV(p,q) n {u}

=

0 • (3) (0,0,0,true

I

{p}P{q})

5-2 DEFINITION. Let A ~ {i: p

Ii

E Lab, p E L(E)}

• A(i)

=

A{p Ii:

pEA} E L(E). (Note that

A

0

==

true).

• A is disjoint if ...,3

i

E Lab, p, q E L(E) such that

{t :

p,

t :

q} ~ A and p

'1-

q.

Intuitively, a formula like l : p is true in configuration-state either if control is not at the i-labeled point, or p is satisfied in the (local

+

global) state at such a point. The meaning of a specification for T is, that on any execution sequence of T that starts in a state satisfying p and for which CA and WA are true in every configuration-state, CO will be true in the last configuration state of the sequence, MI will hold if it is a waiting point and q will hold if T terminated. So, e.g. (0,0,0, true I {p}S{q}) is an ordinary partial correctness specification and (hence) clause 3 expresses the paper's basic interest in partial correctness properties.

This Dotion of specification is essential for syntax-directedness. The communication-assumption,

CA, waiting-assumption, WA, and commitment, CO, make explicit (1) the various assumptions about the environment's behaviour upon which validity of the specification (i.e. CO and q) depends and (2) the behaviour to which the statement commits, necessary to validate the environment's assumptions. Finally, there is a module-invariant, MI, that characterizes the (global) module state at waiting points; hence the states in which procedures start executing.

5-3 DEFINITION (satisfaction and validity). Let E be & signature and A a E-structurej T a

CMe(E)-statement, procedure, module or program, p E L(E), A ~ {i : p

Ii

E Lab, p E L(E)} and 0 a configuration-state

_,.

{(~, 9i,0, 8"1, ... ,8,,,.;, O'i)

Ii

==

l..m}.

Let if

==

U

0',

and ii

=

U{lIi,G;

Illi

¢ -1,

i

=

l .. m}. i=l

• A, 0

F

p iff A, if U ii

F

p

• A,o

F

A iff ~ ¢ -1

=>

A,

0', U

IIi"

F

A(Pi,,) for j

=

O .. n"

i

=

l..m

• A,o F*

A iff A,

0',

U IIi"

p:

A(p,,j) for j

=

O ..

n"

i

=

l..m

• Satisfaction can be trivially extended to conjunctions of first order formulae and formulae of the form A. Validity is defined in the standard way.

• Let

p

=

{O'

I

A,

0'

p:

p} and

A

=

{C

I

A,

6(

C) FA},

- A, (00 ~ ... ~ 0,.,

t)

F

(CA, WA, CO, MI

I

{p}T{q}} iff

(00~ .. ·~6,.,t)E[T](p,CAUWA) ~ A,6,.

F

CO&.

a,.

=

-1

=>

A,6,.

F

MI &.

t

=

T

=>

A, 0,.

F q

3

- A,

(00 ~ ... ~

0,.,

t)

F*

(CA, WA, CO, MI

I

{P}T{q}} iff (00 ~ ... ~ 0,., t) E

[T](p,

CA U

iVA)

and

A, (00 ~ ... ~ 0,., t)

F

(CA, WA, CO, MI

I

{p}T{q}} • A

F

(CA, WA, CO, MI

I

{P}T{q}} iff

'V (00 ~ ... ~ 6,., t) E [T]

A,

(00 ~ ... ~

0,.,

t)

F

(CA, WA, CO, MI

I

{p}T{q}}

The definition itself is straightforward. Note that local states can only be specified by "labeled" formulae and that satisfaction of non-labeled formulae at waiting points does not involve the local state. The meaning of satisfaction of a labeled formula interacts with the definition of configuration state: remember that in a (module) configuration state, 0

=

(a, 8o, ... , 8m ,

0'),

the label part of a

local state, 8" is included only if a

=

i or a

=

-1. In other words

Hence, if a ¢ -1 then the relations

F

and

p:*

coincide, but if a

=

-1 then A, 0

F

A is vacuously true, whereas for

p:*

I have that

a=-1

=>

A,6F*A iff O'UlliFA(p.)fori=I ... m Note that if a

==

-1 then Pi

¥

0 for

i

=

1 ... m.

The definition of satisfaction can be turned around - as usual - and be used to characterize sets of states, respectively, configuration states by formulae, respectively, sets of labeled formulae. In the sequel, such correspondences will be implicitly understood and I shall write, e.g.,

[S](p,

CAl.

5-4 OBSERVATION. Satisfaction is a computable relation. Non-validity is a semi-computa.ble relation.

5.2

The proof system,

P S(T)

Let T

s::;

L(~) for some signature ~. In the rules below, some of the premises are L{E)-formulae. The interpretation of such a rule - as usual - is that it can be applied provided every L(~)­ formula among its premises is in T.

The proof system consists of the following rules and axioms.

5.2(1.) assignment a.xiom.

(0, 0,0, true

I

{p[e/:z:]}:z::=

e{p})

5.2(2.) wait axiom.

p -q AMI

(0, {t' :

r}, {t : q}, MI

I

{P}t.wait.L1{r}) 5.2(3.) call rule.

(0,0,0, true

I

{p}SI

{II

f q}),

(0,0,0, true

I

{q}Sz{'})

({f" : r},

0,

{L: p,

l' :

q},

true

I

{P}L,(Sli t'.call M,.aj(e#f)i Szi L".){r /\ ,})

5.2( 4.) sequential composition rule.

(CA"

WA.,

CO" MI,

I

{p,}S,{q,})

i

=

1,2, ql - P2

(CAl U CAz, WAI U WAz, COl U COz,Mh V MIzl {PI}SI;Sz{qz})'

provided that CAl U CAz, WAI U WAz and COl U CO 2 are disjoint.

5.2(5.) if rule.

(CAl, WAll COlo MIl

I

{p/\ b}Sdq}), (CAz, WA

z,

COz, MIz

I

{p/\ ...,b}Sz{q}) (CAl U CAz, WAI U WA z, COl U C02, MIt V MIz

I

{P}if b

then

Sl

else

Sz

fi{q})'

provided that CAl U CAz , WAI U WAz and COl U COz are disjoint.

5.2(

6.)

while rule.

(CA, WA, CO,MI

I

{p/\b}S{p})

(CA, WA, CO, MI

I

{p}while

b

do

S od{p /\ ...,b}) 5.2( 7.) initial statement rule.

(CA, WA, CO,MI

I

{p}S{MI}) (CA, WA U {t :

q},

CO, MI

I

{P} : [S.l]{q}) ' provided WA U {f: q} is disjoint.

5.2( 8.) procedure rule.

(0,0,0, true

I

{P}Sl{q}), (CA, WA, CO, MI

I

{q /\ r}S{,})

(0,0,0, true

I

{8}SZ{t}}, t - MI

(CA U {L: r}, WA, CO U

{t' :

I},

MI

I

{p}a)(il#ii) : [Sl;l.}; S; l'.(; S2]{t}) ' provided FV(p,

t)

n

{il, ii}

= 0

and CA U {l : r} and CO U {ll : ,} are disjoint.

5.2(9.) module rule.

Let the module MI be declared as

MI:: a1 (ill #vd : [: Sl]

ak(ilk#Vk) : [: Sk] : [So.lo]

Then

(CA;, WAj, CO;, MI

I

{MI}a}(u;#v;): [S;]{MI}), j

=

1, ... ,1: (CAo, WAo, COo, MI

I

{p A IN}So{MI A WAo(lo)}), MI A WAo(lo) -+ q

k

U

WA;

#

(CAj, WA;, MI, {u;, V;}, a~(i1j#v;) : [lj.Sj]) j

=

1, ... ,1: j=O

I:

U

WAj

#

(CAo, WA o, false,

0,

So) j=l

k I:

for every l.wait.l' in MI:

U

CO. (i) -+ MI A

U

WA.(l')

.-0

.=0

I: I:

(U

CAt,

0,

U

CO., MI

I

{p}MI{q}),

.=0

.=0

I: I: I:

provided

U

CAj,

U

WAj and

U

CO j are disjoint and where

j=O ;=0 ;=0

• IN

==

A{ic.a}

=

0

I

j

=

1 ...

nl}.

Let A

=

{l: p Ii E Lab, p E L(E)}. Then the expression A

#

(CA, WA,p,

z,

S) stands for the set of interference freedom specifications

({CA, WA(q'), CO, true

I

{p'}S{q'})

I

l: q E A} where

• q'

==

q[yJi] (y

does not appear free in CA, WA, p,

q

or S), • p' =pAq',

• WA(r)

==

{l' : WA(l') 1\ r A ie.a} ~ N

Ii'

labels the rear of a wait,

• CO

==

{l: q' Illabels the front of a wait},

5.2(10.) program rule.

in S; FLB(a~)

=

FLB(S) for j

>

0 and if l E FLB(a}) then N

=

2 else N

=

I}

(CA.,

0,

CO., MI.

I

{p.}M.{q.}), i

=

1, ... , n

Coop({{CA., 0, CO., MI.

I

{P.}M.{qi})

Ii

=

1, ... , n}, GI)

(0,0,0,

true

I

{P1

A··· APn A GI}[M1

II ···11

Mn]{q1/\'" A qn /\ GI})

provided

n n n

• U

CAi,

U

WAi and

U

CO. are disjoint