Group Title: Department of Computer and Information Science and Engineering Technical Reports
Title: Exploiting historical information about computations
CITATION PDF VIEWER THUMBNAILS PAGE IMAGE ZOOMABLE
Full Citation
STANDARD VIEW MARC VIEW
Permanent Link: http://ufdc.ufl.edu/UF00095394/00001
 Material Information
Title: Exploiting historical information about computations
Series Title: Department of Computer and Information Science and Engineering Technical Report ; 96-034
Physical Description: Book
Language: English
Creator: Sanders, Beverly A.
Chandy, K. Mani
Affiliation: California Institute of Technology
University of Florida
Publisher: Department of Computer and Information Science and Engineering, University of Florida
Place of Publication: Gainesville, Fla.
Copyright Date: 1996
 Record Information
Bibliographic ID: UF00095394
Volume ID: VID00001
Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.

Downloads

This item has the following downloads:

1996232 ( PDF )


Full Text
















Exploiting Historical Information about

Computations *

UF ('iS. Technical Report 96-034

Beverly A. Sanders t K. ii' i Clib.dlyt



Abstract
This paper explores the question: How can we exploit the information
that a state predicate p holds at some point in a computation in reasoning
about the remainder of the computation? This question is relevant be-
cause partial global snapshots of I< 1 i1 1,1 i I systems can determine that
a predicate holds at a point in the computation, even though the partial
snapshot does not determine the complete global state. This question is
also relevant in extending the substitution axiom of UNITY.

Keywords: .i ,1, !i program correctness, program specification UNITY.


1 Introduction

A state predicate p of a program F is stable if and only if: for all state transitions
(s, t) of F, if p holds in s then p holds in t as well. Therefore, for ;,~i- stable
predicate p of a program F and ,iii state s of F, if p holds in s then p holds in
all states reachable from s.
If a stable predicate p holds at some point x in a computation, then p
continues to hold for the remainder of the computation. Informally speaking,
when we reason about the remainder of a computation from point x onwards,
we can restrict universal quantification to mean quantification over states for
which p holds because all other states are unreachable; so, in reasoning about
the remainder of the computation we can substitute true for p (and vice versa).
This idea is made precise in this paper.
-,. i...i 1.. in part by U.S. Air Force Office of Scientific Research and the University of
Florida
tDepartment of Computer and Information Science and Engineering, P.O. Box 116120,
University of Florida, Gainesville, FL 32611-6120, sandersocise.ufl.edu.
+Department of Computer Science, California Institute of !.. ....... m/c 256-80,
Pasadena, CA 91125, mani cs.caltech.edu.
















In UNITY, the fact that some states are unreachable is handled with the
substitution axiom: An invariant can be replaced by true, and vice versa, in
i~,- program property. All states reachable from initial states satisfy invariants.
Just as the initial condition is helpful in reasoning about all computations, a
predicate that holds at a point in a computation is helpful in reasoning about
the remainder of the computation.
We propose a class of program properties, called since properties after Manna
and Pnueli [10]. The interpretation of --j : X, read as "-! .. p X, is that if a
stable state predicate p holds at ;,!! point in ;,!! computation, then property X
holds from that point onwards in that computation. (A property is a predicate
on computations; always p, .. 'i,. l., p, and p next q, are examples [10, 9, 2].)
After reviewing some preliminary results, we give a general definition and
theory of since properties. An important requirement is that the theory be
applicable in composed -I. ii,- where one deduces the properties of a -1. 11,
from the properties of its components. To this end, we develop the rules in the
context of the theory of composed -I. ii- presented in [3, 4].


2 Preliminaries

A program is a tuple (V, T), where V is a set of I-" I1 variables defining a
state space Ev and T is a set of commands where T includes skip, and the
weakest-precondition predicate transformers for each command is universally-
, .,i,'li jr. [ and or-continuous. Including skip in T has the effect of allowing
"-i i. I. i ni" steps that leave the state unchanged in computations. The restric-
tions on the predicate transformer ensure that the corresponding commands
always terminate, and have demonic and bounded non-determinism.
A computation of a program is an infinite sequence of pairs (ci, si) for i > 0
where ci E T and si E Ev and ci represents a command that can take state
si to state si+l. Initial conditions are discussed later. Progress properties
usually depend on some sort of fairness assumption: For the purposes of this
paper, we assume that all commands must be executed infinitely often in every
computation.
Since at each step in a computation, ,!!, command can be executed next,
the . .! ii I, I -,- i of the weakest preconditions of the commands gives the weakest
precondition of a computation step. We have [3]:

[awp.F.q = (Vt : t E T: t.q)]. (1)

Thus if at some point in a program, the state satisfies awp.F.q, then after the
next step, the state satisfies q. Since wp.skip is the i1. ,ii [awp.F.q = q] for
all q. Since wp.s is required to be universally *. .!!i l,! I- for all s, so is awp.
We define a function stable from state predicates to program properties next.
For a state predicate p of a program F, stable.p is a program property, and hence
















stable.p.F is a boolean. It is defined as:


stable.q.F = [awp.F.q = q]. (2)
Thus if q is stable predicate of a program F, and q holds at some point in a
computation, then q continues to hold in the remainder of that computation.
It has been shown [13] that .- -iiLii. ; .1, and .1l -ii [ Il. of stable predicates
are stable, and that the set of stable predicates of a program forms a lattice
where false is the strongest stable predicate and true is the weakest.


3 Since properties

3.1 Properties defined by [q = f.r]
Several program properties of interest can be defined in terms of a predicate
transformer f as follows:

q r = [q f.r] (3)
The above notation is used for convenience, the following table lists several
predicate transformers along with their more common notation and operational
interpretation.

next awp p next q if p holds, then q holds [12, 3]
after the next step
'leads-to' wit p q if p holds, then eventu- [11, 8, 7]
ally, at that point or later
q holds
'to-stable' wto p -+ q if [3, 6]
p holds, then eventually
-q becomes unreachable
'to- 1;- wta p -q if p holds, then -q will [1, 6]
hold at most a finite
number of steps


All the predicate transformers f in this table satisfy the following formula
that we call a "!, Il .I -- [i .!1- I. For the program F under consideration:
f is monotonic and satisfies
stable.p.F => r! A f.q = f.(p A q)] (4)
We define a since version of the property determined by f as

"1': q -f r = stable.pA [pA q f.r] (5)
















Operationally, j,: q -+ r means that ifp holds at some point in a compu-
tation, then the property q -+ r holds for the remainder of that computation.
Several rules follow immediately from the definition, For instance,

stable.p== (('1.' : q r) = ('j. Ap' : q r))
In addition to these rules since properties admit a substitution rule analogous
to the UNITY substitution axiom. The essence of the idea is that if p holds
at some point in a computation of a program then p can be replaced by true
in properties of the remainder of the computation. Next, we present a precise
definition of this notion.

Substitution rule Let p,q, and r be punctual1 and f be a monotonic predi-
cate transformer r11 f i! (4).


,j1,: q.p -L r.p = .j]: q.true -: r.p (6)
= "1': q.p -* r.true
= -pj: q.true -* r.true
(7)

Proof From the definition and predicate calculus, it -itlhi that the following
two conditions hold;

r (q.p = q.true)] (8)

(f.(r.p) = f.(r.true))] (9)
The first condition (8) is simply a restatement of the assumption of punctuality.
The second (9) requires a proof since f is I i- '. 11 not a punctual function of
its arguments.


[p = (f.(q.p) = f.(q.true))]
{ predicate calculus }
[pA f.(q.p) = f.(q.true)] A [pA f.(q.true) = f.(q.p)]
4 { stable p, f satisfies (4 }
[f.(q.p Ap) = f.(q.true)] A [f.(q.true Ap) = f.(q.p)]
4{ f monotonic }
[q.p A p = q.true] A [q.true A p => q.p]
Recall that a function q is punctual if for all x and y, [(x = y) = (q.x = q.y)]. The
punctuality theorem [5] states that expressions built from variables and punctual operators
are punctual functions of the variables. It is also the case that the logical connectives (A, V,
,<-, ) are punctual in their arguments.

















[p = (q.true = q.p)]
4< { q punctual }
true


The condition (4) obviously holds for awp and also has been shown to hold
for wit, wto, and wta. Indeed, we postulate it as a "!-. HihII!. -- i .!.1ii1.ii for
predicate transformers used to define temporal properties.

3.2 Transient predicates
Transient predicates are important as they form the basis of practical proof
rules for leads-to, to-stable, and to-always properties [11, 4, 6]. Transient does
not, however, have the shape given in the previous section and is thus treated
separately here. We define a function transient from state predicates to program
properties as follows. For a program F = (, T),

transient.q.F = (3t : t E : [q 4 wp.t.-q]) (10)

with the operation interpretation that transient q means that -q will hold in-
finitely often in ;:~I computation.
The since property for transient is

"1'.: transient.q.F = stable.p A (3t : T : [p A q = wp.t.hq]) (11)

with the operational interpretation that if stable predicate p holds in a com-
putation, then -q will hold infinitely often in that computation. Since wp.s
satisfies (4) and preserves I li, i ,t l -I a proof similar to the one given for (9)
establishes, for punctual q, that

: transient q.p = : transient q.true

thus extending the substitution rule for transient properties.

3.3 Properties of since properties
We list a few fairly obvious facts below. X, Y, and Z are properties.

For programs with unspecified initial conditions

X = .,., : X

For programs with specified initial conditions and strongest invariant SI
[13]:


Y = -;I: X
















stable pA '.I: X => .' Ap: X

If (VF : X.F A Y.F = Z.F) then

,1j.: X A j.: Y => Ij. : Z


4 Parallel Composition

4.1 Definitions
In this section, we define parallel composition in our model and [i; f- review
an approach to component specifications presented in [3, 4]. Then, we give rules
for since properties of components.
For F = (VI, TF) and G = (Vc, To), the parallel composition of F and G is
given by

F | G = (VF U Vc, TF U T,) (12)

and is defined if all variables appearing in both VI and V'c have the same I I "
From the definition, I| is commutative and associative.
We define a function component so that component.G.F holds for a program
F if G is a component of F. From the definition of parallel composition (12),

component.G.F =_ (V C Vi A To C TI).

Viewing properties as predicates on programs, we have a property trans-
former wg [3] defined as follows

wg.F.X = (VH : component.F.H = X.H)

with the interpretation that wg.F.X is the weakest property so that if a program
containing F as a component satisfies that property, then the program satisfies
property X. In ;,i ,1.._ with the way the predicate transformer f admitted a
property, we have

(X guaranteesY).F = (X Y).F
= (X = wg.F.X) (13)

Thus (X guarantees Y).F means that if property X holds for a program
containing F as a component, then property Y also holds for the program.2
Given (X guarantees Y).F as a part of the specification of F, after proving
X.I IG, we can conclude Y.I IG. This is useful when X is more easily proved
than Y.
..I. that this does not say that if property X holds for an environment E that Y holds
for j /
















4.2 Compositional specification with all-component and
exist component properties
Two classes of program properties have useful special characteristics:

All-component properties Property X is called an all-component property
if for some set of programs g,

(VG: G E : X.G) = (IG: G E : G).X

An all-component property can be proved for a -1. i, by showing that it holds
for each component.

Exist-component properties A property X is called an exist-component
property if for ;,Ii set of programs g,

(3G:GE : G.X) = (IG:GE : G).X

For an exists-component property X,

X.F = (true= (wg.F.X).l IG)

Of the properties mentioned earlier, in our model next (Oa-p) and stable are all-
component properties, transient is an exist component property, and all proofs
of 'leads-to', (-, ), 'to-stable' (-i), and 'to-alway' -) can be proved as com-
binations of all-component and exist-component properties.
The following theorems follow easily from the definitions:

All-component since properties If X is an all-component property, then
" T' : X is an all-component property.

Exist-component since properties If ("'p : X).F and X is an exist-
component, then

(stable p) = (wg.F.('.: X))

or alternatively,

((stable p) guarantees (': X)).F


5 Partial Global Snapshots

A global snapshot records the global state of a computation. A partial global
snapshot records a predicate that holds at some point in a computation. For
instance, a partial global snapshot ii determine that there is at least one
token in a distributed -- -I. in or that processes F and G are waiting. The
















question we explore next is: How can we exploit knowledge that a predicate p
holds at a point in a computation?
We define a predicate transformer sst, for strongest stable, as follows [13]:
sst.p is the strongest stable predicate weaker than p. Therefore, sst.p holds
exactly in those states reachable from states for which p holds. So, if p holds at
a point in a computation, then sst.p holds from that point onwards.
If a program F has the property -j'' : X, and '!, = p'], then if p holds at
a point in a computation of F, then X is a property of the remainder of the
computation from that point onwards. Similarly, if - : X holds, then if p
holds at a point in the computation of F, then X is a property of the remainder
of the computation. Thus, partial global snapshots can be used to reason about
the computation from the snapshot point onwards.


6 Conclusion

Rather than taking advantage of knowledge of only of the initial state of a
computation, we have proposed a class of properties that take into account
knowledge of the state at :i ; point in a computation. Not only are these
properties more expressive, but they offer a more practical alternative to the
'substitution axiom' for composed -- -I. !-


References

[1] K. Mani ('!C i 1 1. Properties of parallel programs. Formal Aspects of Com-
..,, .,, 1993.

[2] K. Mani ('!h ii-I' and .- ,1. Misra. Parallel Program Design: A Foun-
dation. Addison-W -1. 1988.

[3] K. Mani ('!C !-I'L and Beverly A. Sanders. Predicate transformers for rea-
soning about concurrent computation. Science of Computer F.' ............ .,
24:129-148, 1995.

[4] K. Mani ('!C !I 'L and Beverly A. Sanders. Reasoning about program com-
position. submitted for publication, 1996.

[5] Edsger W. Di i:-ii and Carel S. Scholten. Predicate Calculus and Program
Semantics. Springer-Verlag, 1990.

[6] Rutger M. Diil:-Ii, and Beverly A. Sanders. A predicate transformer for
the progress property 'to- 1;- ,- -'. submitted for publication, 1996.

[7] C.S. Jutla, E. Knapp, and J.R. Rao. A predicate transformer approach to
semantics of parallel programs. In Proceeding of the 8th AC .1 S,.I ...." .'
on Principles of Distributed C....'i, ..", 1989.
















[8] Edgar Knapp. A predicate tranformer for progress. f.. .f1.... Processing
Letters, 33, 1989/90.

[9] Leslie Lamport. A temporal logic of actions. AC.1 I ...... ..... on Pro-
gramming Languages and S,,,i' .... 16(3):872-923, 1994.

[10] Z. Manna and A. Pnueli. Completing the temporal picture. 1! ... ,,,/
Computer Science, 83(1):97-130, 1991.

[11] J. Misra. A logic for concurrent programming: Progress. Journal of Com-
puter and Sf!. ... F '.,,, ,..,, 3(2):273-300, 1995.

[12] J. Misra. A logic for concurrent programming: Safety. Journal of Computer
and ,f!i .... ., .. .',,, .., 3(2):239-272, 1995.

[13] Beverly Sanders. I.Iini ii!ii the substitution axiom from UNITY logic.
Formal Aspects of C...i. .'.". 3(2), 1991.




University of Florida Home Page
© 2004 - 2010 University of Florida George A. Smathers Libraries.
All rights reserved.

Acceptable Use, Copyright, and Disclaimer Statement
Last updated October 10, 2010 - - mvs