Composing Leadsto Properties
David Meier*and Beverly Sanderst
TR 96013
April 15, 1996
Abstract
Compositionality is of great practical importance when building sys
tems from individual components. Unfortunately, leadsto properties are
not, in general, compositional, and theorems describing the special cases
where they are, are needed.
In this paper, we develop a general theory of compositional leads
to properties, and use it to derive a composition theorem based on the
notion of progress sets, where progress sets can be defined in various ways.
Appropriate definitions of progress sets yield new results and generalized
versions of known theorems.
1 Introduction
Although leadsto properties are not compositional, in general, it is worthwhile
to identify the special cases where they are. Composition theorems for leadsto
properties have been proposed, for example, in [Rao92, Mi91a, Mi91b]. In this
paper, we develop a general theory about composition of leadsto properties,
then specialize the results to give a composition theorem based on the notion of
progress sets. A progress set for a program F and target q is a set of predicates
satisfying certain properties. The theorem essentially states that if for each
predicate in the progress set, program G satisfies a particular property, then any
"leadsto q" property that holds for F, also holds in the parallel composition of
F and G. Several different composition theorems can be obtained by choosing
particular ways of constructing progress sets.
First, we will introduce our program model, define the necessary background
information, and develop a very general theorem for composing programs in a
SI .1. .. .. 1, 8044 Zurich, Switzerland.
tDepartment of Computer and Information Science and Engineering, University of Florida,
Gainesville, FL 326116120. sanders@cis.ufl.edu
way that preserves leadsto properties. This theorem is then specialized to ob
tain the main result of the paper a composition theorem based on progress sets.
Finally, we explore different choices for the way a progress set is constructed
and give several useful corollaries.
2 Preliminaries
2.1 Programs and Properties
A program F is a pair (VF, SF) where V is a set of typed variables and S is a set
of predicate transformers that includes the identity transformer and represents
the weakest preconditions of a set of nonmiraculous, always terminating, and
boundedly nondeterministic commands. Thus each s E SF is universally con
junctive, strict w.r.t. false, and orcontinuous. Since the identity transformer
corresponds to the command skip, all programs in our model allow stuttering
steps. The state space of F is a Cartesian product with a coordinate for each
variable of V. If VF is the empty set, the state space is a single state representing
the empty Cartesian product.
A computation of F is an initial state oo, and a sequence of pairs (si, oi), i >
0, where si E S is a command and oi is a program state, and execution of
command si can take the program from state oi_l to state ai, for i > 0, and
each command in the program appears infinitely often. This definition follows
the one in [Cs''.,] or may also be viewed as a generalized version of UNITY
[C('1] with no initially section. In contrast with UNITY, our model does
not explicitly restrict the initial condition of a program. Thus we will not be
able to use a rule such as the UNITY substitution axiom to eliminate states
unreachable from a specified initial state from consideration. We will, however,
take into account that after any point in the computation, not just the initial
one, some states may be no longer reachable or are not reachable in some interval
of interest.
Now we define several predicate transformers and program properties. The
square brackets in the definitions are the everywhere operator from [DS90].
The predicate transformers awp.F and properties co and stable. The
predicate transformer awp [Cs"',,], is defined as
[awp.F.q (Vs : s S: s.q)]. (1)
Using awp.F, we define a property co.F L I' I, (C','] that describes the
next state relation of the program F.
p coF q = [p awp.F.q]. (2)
Operationally, p coFq means that if p holds at some point during a computation,
then q holds and will still hold after executing any command of F.
The property stable.F.q is defined as
stable.F.q = [q = awp.q], (3)
which indicates that q will never be falsified by any command of F.
Refinement of awp.F For two programs F and F', we say that F is refined
by F',1 denoted F < F' when the following formula holds.
(Vp : [awp.F.p = awp.F'.p]) (4)
For our purposes in this paper, we use the fact that if F is refined by F', every
co property of F is also a co property of F'.
The predicate transformer wens.F.s, and properties ensures and leads
to ('). The weakest predicate that will hold until q does, and which will be
taken to q by a single s step is denoted wens.F.s.q. It is defined as
[wens.F.s.q vx : [x (s.q A awp.F.(q V x)) V q]]. (5)
The predicate transformer wens.F.s is monotonic (i.e. [p = q] 4 [wens.F.s.p 4
wens.F.s.q]) and weakening (i.e. [q 4 wens.F.s.q]).
From predicate calculus and the fixpoint induction rule,
[pA q 4 (s.q A awp.F.(q Vp))] = [p = wens.F.s.q]. (6)
From [C"' ,] we have a rule stating that if a predicate is stable, then its wens
is also stable.
stable.F.q = stable.F.(wens.F.s.q) (7)
If [t A q = awp.F.t] holds, then operationally, we have that if t A q holds,
at some point, then t will continue to hold while q does, and it will also hold
after the step that has established q. In this case, the states that satisfy both t
and wens.F.s.q are the same as those satisfying both t and wens.F.s.(q A t):
[t A q = awp.F.t] = [tA wens.F.s.q t A wens.F.s.(t A q)]. (8)
Proof of (8):
The proof is by mutual induction.
true
{ With [p wens.F.s.q], from the definition of wens (5) }
[p s.q A awp.F.(p V q) V q]
4 { predicate calculus }
[pA q = s.q A awp.F.(pV q)]
1This definition of refinement only considers safety properties. A more general notion,
where progress properties are taken into account is described in [San95]
S { hypothesis, [t A q = awp.F.t] }
[pAtAq = s.qAawp.F.(pVq) A awp.F.t]
{ def awp, A idempotent, thus [awp.F.t awp.F.t A s.t] }
[pAt Aq = s.q As.tAawp.F.(pVq) A awp.F.t]
{ s, awp.F conjunctive }
[pAtAq = ~ s.(qAt) awp.F.((pVq) At)]
{ predicate calculus }
[(pA t) A (q A t) = s.(q At) A awp.F.((p A t) V (qA t))]
> { (6), p := (pA t), q := (qA t) }
[(pA t) = wens.F.s.(q At)]
{ predicate calculus, p := wens.F.s.q }
[(t A wens.F.s.q) = t A wens.F.s.(q A t)]
and
true
{ predicate calculus }
[(qA t) > q]
I { wens.F.s monotonic }
[wens.F.s.(q A t) = wens.F.s.q]
I{ A monotonic }
[t A wens.F.s.(q At) = t A wens.F.s.q]
The ensures property p ensures q in F [C'\I1] can be defined as
p ensures q (3s : [p wens.F.s.q]) (9)
Operationally, this means that if at some point pA q holds, then eventually
q will hold, and furthermore, there is a single command that, when executed,
will establish q.
From (8), we easily obtain
t A q coF t A p ensures q = pAt ensures qAt. (10)
From [C'\I1 ], p "F q, read p leadsto q in F, is the unique strongest
relation (on predicates) satisfying
[p ensures q] = p q (11)
[p ensures r] Ar ,F q p PF q (12)
(Vw: w W: w F q) ( (3w: w W : w) F q (13)
where W is an arbitrary set of predicates on the state space of F.
A function from programs to predicate transformers wil (weakest leadsto)
has been given in [JKR89, Kna90] where
p F q = [p = wit.F.q] (14)
We will give a new formulation of wit below.
2.2 The weakest ensures set of q, E.F.q
Now, we introduce a new concept. For program F and predicate q, E.F.q is
defined as the minimal set of predicates satisfying
q E E.F.q (15)
p E.F.q = wens.F.s.p E E.F.q (16)
(Vw:w W:w E .F.q) = (3w:w W:w) E.F.q (17)
where W is an arbitrary set of predicates on the state space of F.
Some properties of E.F.q that will be used later are
p E.F.q 4 [q 4 p] (18)
and
p F q = (3r:r c E.F.q :[p r]), (19)
or alternatively,
wit.F.q (3r : r E.F.q : r). (20)
Induction on the structure of E.F.q A look at the properties (15),(16) and
(17) shows that we can prove that all elements of E.F.q have a certain property
by showing that
(1) the property holds for q,
(2) if the property holds for r then for all s, the property holds for wens.F.s.r ,
(3) if the property holds for all ri with i E I then the property holds for
(3i : i e I : ri).
Several proofs in the sequel will use induction on the structure of E.F.q.
2.3 Parallel Composition
For two programs F = (VF, SF) and G = (VG, SG), their parallel composition
or union, denoted FIIG is defined as
FIIG = (VF U VG,SF U SG). (21)
Parallel composition is only defined when common elements of VF and VG have
the same type, however, we will assume that FG is defined whenever we write
it. Predicates on the state space of, say F, may be also be viewed as predicates
on the state space of FG since the union may only increase the number of
variables.
The following theorems follow easily from the definitions:
[awp.F.q A awp.G.q awp.FIIG.q] (22)
[p 4 wens.F.s.q]A[pAq = awp.G.(pVq)] = [p 4 wens.FG.s.q](23)
[wens.FG.s.q = wens.F.s.q] (24)
3 Composing leadsto properties
While co and ensures admit simple composition theorems [C'\I'], simple com
position theorems do not hold, in general, for leadsto properties. We can,
however, use the relationship between leadsto properties and the elements of
E.F.q to give a general composition theorem that provides a starting point for
more useful theorems.
Below, we give a union theorem for E.F.q. Intuitively, the theorem says
that if for every predicate r in E.F.q, if r A q holds at some point, then r
continues to hold until q is established, then r is also in E.FCG.q. The theorem
is actually more general, introducing a predicate t satisfying [t A q = awp.F.t].
This allows us, in essence, to restrict attention to the parts of the state space
satisfying t.
Union Theorem for E.F.q.
[g At = awp.F.t] (25)
(Vr : r E.F.q : [q A (r A t) = awp.G.(r A t)]) (26)
(Vr : r E.F.q : (3r' : r' c E.FIIG.q : [r A t r' A t])) (27)
Proof of Union Theorem for E.F.q. We show a stronger result:
(Vr : r E.F.q : (3r' : r' c E.FG.q : [r' 4 r] A [r At r' A t]))
The proof is by induction on the structure of the set E.F.q.
Base:
From (15), we have for r = q, r' = q.
Induction with (16):
Let r = wens.F.s.x and r' = wens.FG.s.x'.
The induction hypothesis is [x A t x' A t] A [x' 4 x]
* wens.F.s.x At
{ (8),(25)
wens.F.s.(x A t) At
4 { (23) with
p := wens.F.s.(x A t) A t,
q :=tAx,
and using that p A q awp.G.(p V q) follows
from (26) and [q = x] }
wens.FIIG.s.(x A t)
{ induction hypothesis, [x A t x' A t] }
wens.FG.s.(x' At)
4 { wens.FIIG.s monotonic }
** wens.FG.s.(x')
4 { wens.FIIG.s monotonic, induction hypothesis, [x' = x] }
wens.FG.s.(x)
S { (24) }
*** wens.F.s.(x)
Thus we have, from the starred lines in the proof that
[r' = r] and [r At r' At].
Induction with (17):
Follows from the predicate calculus.
As a simple consequence of the union theorem for E.F.q and (19), we obtain
a union theorem for leadsto.
Leadsto Union Theorem
[q At = awp.F.t] (28)
(Vr : r E.F.q : [ A (r A t) = awp.G.(r A t)]) (29)
(wit.F.q)At FIIG q (30)
Proof From the union theorem for E.F.q and the fact that wlt.F.q E E.F.q,
we have (3r' : r' c E.FIIG.q : [wlt.F.q A t r' A t]. Thus [(wlt.F.q) A t = r'],
which, together with (19), imply (wlt.F.q) At \FIIG q.
A corollary of the above is the following.
Corollary to the leadsto union theorem
P "F q
[q At = awp.F.t]
(Vr : r c E.F.q : [q A (r A t) = awp.G.(r A t)])
pAt FIIG q
Note that if t is such that [p = t], then the conclusion is p "FIIG q.
Example In the next example we explore the composition of two simple single
statement programs. The variable x is an integer.
F:x:= x+
G : := 2x
Let q = (x > k), for some k. First, we determine E.F.q. For a program with a
single command s, wens.F.s.q = q V s.q. Using now s.(x > i) (x + 1 > i), we
get
E.F.q = {i : i < k : (x > i)} U {true}
and [wlt.F.(x > k) true]. The union theorem can be applied, provided
(Vr : r E.F.q [(x > k) ArAt 4 (awp.G.(r A t)]) (31)
where [awp.G.(r A t) (x := 2x)(r A t)]. It is easy to see that (31) does
not hold for any k if t is true, however, it does hold for all k if t is x > 0. In
addition, this choice of t satisfies (28). Thus we can conclude from the analysis
that
x > 0 FIIG x> _k
The example indicates the importance of being able to restrict the state space
under consideration. The condition on t essentially says that once t holds in
FG then it will continue to hold at least until q, the target, does. We use this
to weaken the requirements on G at the price of having t on the left side of the
leadsto properties of the composed program.
In most cases, one is concerned that a particular progress property of F,
say (x > 3) z (x > 10) is preserved in a composition, and the corallary is
applicable. In this case (x > 3) A (x > 0) is just (x > 3). Even though the
restriction of the state space to states satisfying (x > 0) has not impacted the
conclusion, it was still needed to apply the theorem.
A generalization of Misra's Fixed Point Union Theorem Directly ap
plying the union theorem for leadsto is usually not practical. However, we show
below how it can be specialized to yield Misra's fixed point union theorem.
A predicate q is a fixed point if the state no longer changes once q holds.
Formally,
q is a fixed point of G = (Vp : stable.G.(p A q))
Once a program has reached a fixpoint, its state no longer changes. The follow
ing theorem follows is a simple corollary of the leadsto union theorem since,
from the definition of fixed point, (29) holds for all predicates.
Generalized fixed point union theorem
P F q
[q At = awp.F.t]
q A t is a fixed point of G (32)
pAt FIIG q
Misra's version 1\i1'la] is obtained from the above with [t true] and the
observation that in this case [q A t = awp.F.t] hold trivially.
4 A composition theorem using progress sets
In this section, we give conditions under which a set C.F.q of predicates is
guaranteed to contain E.F.q. The idea is that this set of predicates is easier to
describe than E.F.q.
First, we require that C.F.q is closed under arbitrary conjunction and dis
junction. For arbitrary R:
(Vr :r R: r C) = (Vr :r R: r) C (33)
(Vr:r R: r C) ( (3r :r R: r)EC (34)
Since R may be empty, the above formulae imply that true E C and false E C.
The predicate transformer cl.C. Given the set C, we define a predicate
transformer cl.C., where cl.C.r is the strongest predicate in C weaker than r:
cl.C.r _ i : x:x C A [r> ] (35)
The postulated properties of C are sufficient to guarantee the existence of cl.C.r.
In addition, cl.C.r is monotonic, weakening, and universally disjunctive. Also,
[cl.C.r r] = r E C (36)
Progress sets For a program F, and predicates t and q, we say that C is a
progress set for the triple (F, t, q) if
C is closed under arbitrary conjunction and disjunction, (33, 34)(37)
q C (38)
t E CA stable.F.t (39)
(Vm, s : [q => m], s F : (tA m) C = (tA (q V s.m)) E C) (40)
The following lemma says that if C is a progress set for (F, t, q), then for all
predicates r E E.F.q, (r A t) E C. The lemma will allow us to reformulate the
leadsto union theorem in terms of a progress set instead of E.F.q.
Lemma
C is closed under arbitrary conjunction and disjunction
qEC
q E CA stable.F.t
(Vm,s : [q = m],s E F : (tAm) EC => (t A (q V s.m)) E C)
(Vr : r E.F.q : (r A t) E C)
The proof is by induction on the structure of E.F.q. The base case follows
from the hypothesis (i.e. q c C, t C) and the fact that C is closed under
conjunction,(33). The induction step with disjunction follows from the fact
that C is closed under disjunction (34). The remaining induction requires us to
show that:
(tA m) E C = (t A wens.F.s.m) C C (41)
Let r= wens.F.s.m,
irue
{ definition of wens.s, (5) }
[r = (s.m A awp.F.(m V r)) V m]
= { predicate calculus }
[r A t = t A ((s.m A awp.F.(m V r)) V m)]
{ stable.F.t thus [t awp.t] }
[t Ar = t A ((s.m A awp.F.(m V r) A awp.F.t) V m)]
{ awp.F. conjunctive }
[t Ar = t A (s.m A awp.F.((m V r) A t) V m)]
I { awp monotonic, [((m V r) A t) = (m V (rA t)] weaken right side }
[t Ar = t A (s.m A awp.F.(m V (r A t)) V m)]
S { cl.C. weakening, awp.F. monotonic, weaken right side }
[t Ar = t A (s.m A awp.F.(m V cl.C.(r A t)) V m)]
{ cl.C. monotonic }
[cl.C.(t A r) = cl.C.(t A (s.m A awp.F.(m V cl.C.(r A t)) V m))]
{ (t A (s.m A awp.F.(m V cl.C.(r A t)) V m)) c C, see below }
[cl.C.(t A r) = t A (s.m A awp.F.(m V cl.C.(r A t)) V m)]
S { weaken right side }
[cl.C.(t A r) = s.m A awp.F.(m V cl.C.(r A t)) V m]
{ fixpoint, (6) }
[cl.C.(t Ar) = wens.F.s.m]
{ definition of r }
[cl.C.(t A r) => r]
S { [t = cl.C.t], cl.C. monotonic, thus [cl.C.(t A r t] }
[cl.C.(t Ar) = tAr]
= { cl.C. weakening, thus [t A r = cl.C.(t A r)] }
[tAr l.C.(tA r)]
{ definition of r, property of cl.C., (36) }
t A wens.F.s.m c C
Now we show
(t A (s.m A awp.F.(m V cl.C.(r A t)) V m)) E C
that was assumed above. By the induction hypotheses t A m G C.
true
{ induction hypothesis }
(t A m) E C
I { C closed under disjunction }
((tA m) V cl.C.(r A t)) E C
I { predicate calculus, using [cl.C.(r A t) = t] }
(t A (m V cl.C.(r A t)) E C
S { hypothesis }
(t A (q V s.(m V cl.C.(r A t)))) E C
= { conjunction over s E TE, C closed under conjunction }
(t A (q V awp.F.(m V cl.C.(r A t)) )) E C
= { induction hypothesis and hypothesis of lemma give
(t A (q V s.m)) E C, C closed under conjunction }
(t A (q V (s.m A awp.F.(m V cl.C.(r A t))))) E C
S { (t A m) E C, C closed under disjunction, [q = ] }
(t A (m V (s.m A awp.F.(m V cl.C.(r A t)))) E C))
A monotonicity property of progress sets From the conjunction and
disjunction properties of a progress set C for (F, t, q) one derives the following
monotonicity property.
C is a progress set for (F, t, q)
[q > q'] A q' C
C is a progress set for (F, t, q')
Now, we have the final theorem of this section, and a main result of the
paper. It follows immediately from the lemma and the leadsto union theorem.
Progress set union theorem Let C be a progress set for (F,t, q).
(Vcc : C : cA q COG c) (42)
[q q'] A q' C (43)
wlt.F.q' At "FIG q' (44)
5 Some progress sets
In this section, we give several examples of how progress sets can be defined.
The set of all predicates The set of all predicates on the state space of F is
a progress set for (F, true, q). Then (42) is equivalent to q being a fixed point
of G, so that we get yet another proof of Misra's fixed point union theorem.
The set of all predicates is primarily of interest because it demonstrates the
existence of a progress set for every program and predicate.
The set of all stable predicates The set of all stable predicates of any
program on the appropriate state space is closed under arbitrary conjunction
(33) and disjunction (34) and is therefore a candidate for progress sets.
Rao [Rao92] gave two union theorems for leadsto based on the notion of
decoupling and weak decoupling in terms of stability. His results are
Rao's Decoupling Theorem
P "F q
stable.G.q
FdecsafeG
P F\G q
where
F decsafe G (Vs, r : s SF A stable.G.r : stable.G.s.r),
and
Rao's Weak Decoupling Theorem
P F q
stable.FG.q
FwdecsafeG
P FG q
where
F wdecsafe G
Fdec,,feFIIG.
Both of these theorems are simple corollaries of the progress set union theo
rem. For the decoupling theorem, let C.F.q = {r stable.G.r } From F decAafp G
and stable.G.q, C.F.q is a progress set for (F, true, q). Since stable.G.r
r A q COG r, the theorem follows.
For the weak decoupling theorem, let C.F.q = {r stable.FIIG.r}. From
F wdecsafC G, and stable.FG.q, C.F.q is a progress set for (F, true, q). Since
stable.FG.r = r A q COG r, the theorem follows.
Rao used these result to explore notions of commutativity that allow compo
sitional progress results rather than advocating their direct use in programming.
Indeed, direct use would seem to be counterproductive since the theorems them
selves are rather noncompositional, requiring detailed knowledge of both F and
G in order to determine whether they are decoupled or weakly decoupled.
On the other hand, our more general theorem can be used in a similar,
but more "compositional" way where F and G can be decoupled via a third
program G'. Instead of checking whether two programs F and G are decoupled
or weakly decoupled, given F, we choose a program G' so that the set of stable
predicates of G' is a progress set for F. Ideally, G' is chosen so that its set
of stable predicates has a simple structure and is easily described. Then, to
compose a program G with F, it is only necessary to check that G satisfy (42)
for the stable predicates of G'. It suffices that G is refinement of G', thus the
stable predicates of G' are stable in G, and we have the following corollary of
the progress set union theorem.
Decoupling via G' union theorem Let the set of all stable predicates of
G' be a progress set for (F, true, q).
G' < G (45)
> (46)
wlt.F.q `FJG q (47)
It is worth noting that when the set of stable predicates of G is taken as a
progress set, C, then cl.C.r is the strongest stable predicate weaker than r in
G, or sst.G.r [ ,i'il]. The set of states of G that are reachable from r is given
by sst.G.r.
Additional program properties that generate potential progress sets
In the previous section, we discussed using the set of all stable properties of
some program G as a potential progress set for (F,t, q). In this section, we
give three more program properties that are slightly weaker than stable such
that all predicates satisfying the property for some program G are closed under
conjunction and disjunction and are therefore potential progress sets for (F, t, q).
(We still need to check the remaining conditions on progress sets.) Like the set
of all stable predicates, all of the predicates so obtained satisfy (42) for G.
Stable. Gnotleavingq
{rrA q coG r A [rAq COG rVq]} (48)
In this case, cl.C.r is the set of states that are reachable from r along a
sequence of states satisfying the requirement that once q holds for some state
in the sequence, it holds for all later states in the sequence.
For two states a and 7 connected by such a sequence we write a Reach.G.nl.q 7.
Stable. Gnotleaving qalldirections
{rr A (q V awp.q) COG r} (49)
Here, cl.C.r is the set of states that are reachable from r via a sequence of states
where once q holds, the sequence cannot be extended without maintaining q.
Stable.Goutsideq
{rlr A q COG r} (50)
In this latter case, cl.C.r is the set of states that are reachable from r via a
sequence of states where q holds for at most the final state in the sequence.
Also, note that for each of these choices for C, q E C trivially, thus providing
alternatives to the set of all stable predicates, which requires that q be stable
in G. For later use we also note that a predicate p with [q = p] satisfies (48)
and (49) if it satisfies (50)
Progress sets from a relation Let R be a reflexive, transitive relation on
the state space and a and 7 be representative states. Then the set of predicates
r such that
(V, 7 : r.A aR > r.) (51)
is closed under arbitrary conjunction and disjunction.2
5.1 Composition theorems based on monotonicity and com
mutativity
The previous section listed several ways that sets of predicates closed under
arbitrary conjunction and disjunction can be generated. In this section, we give
two theorems that are helpful in showing (40), repeated here for convenience,
under the assumption of (33, 34, 38, and 39).
(Vm, s : [q = m],se F : (tA m) E C = (t A (q V s.m)) E C) (52)
21f we let R be defined by TR = (cl.C.()).r, where (a) is the point predicate that holds
at a then the set of predicates generated by R is just C.
Commutativity of cl.C and command Assuming (33, 34, 38, and 39), the
following implies (40):
(Vs : s SF : (Vm : [q m] : [cl.C.(t A s.m) t A (q V s.(cl.C.(t A m)))])) (53)
Proof:
[q j m] At A m C
= { (53) and cl.C.t Am = tAm }
[cl.C.t A s.m t A (q V s.(t A m))]
f { monotonicity of s }
[cl.C.t A s.m = t A (q V s.m)]
I { disjunction of left and right side with t A q which is equal cl.C.t A q }
[cl.C.t A q V cl.C.t A s.m t A (q V s.m)]
I { disjunctivity of cl.C }
[cl.C.t A (q V s.m) = t A (q V s.m)]
I { def. of closed }
t A (q V s.m) E C
In the next theorem, we require that the command corresponding to each s
is deterministic and given by a functional state transformer f,.
Commutativity of functions and relation. Let R be defined by R7 =
(cl.C.(u)).7. Then the condition below implies (53).
(Vs : s c SF : (Vo, 7 c state space of FIG :
oR7 A t.o = q.o V q.7 V (f,. R f,.7))) (54)
Proof:
[q = m] A (cl.C.t A s.m).7
S { definition of R }
3o : oR : (t A s.m).o
S { rewritten with f, using stable.F.t }
(t A m).f,.o
S { (54)> (q.o V q. V f.o R f,.7) }
q.o V q.7 V (cl.C.t A m).f,.7
S { q E C and oR }
q.7 V (cl.C.t A m)..f.7
= { rewritten with s instead of f. }
q.7 V (s.cl.C.t A m).7
S { t E C implies t.o t.7 }
(t A (q V s.cl.C.t A m)).7
5.2 Monotonicity
This section gives a composition theorem based on monotonicity with respect
to a partial order <.
We use the following definitions.
A predicate q is called monotonic with respect to < if
(Vo, :q.(o A (a < y) = q.7). (55)
A function f is called monotonic with respect to < if
(V, 7 : (a < 7) = f.a < f.7). (56)
A function f is called nondecreasing with respect to < if
(Va : a < f.a). (57)
If we take the set of all monotonic predicates as C, then the condition
(Vs s E SF : f, is monotonic with respect to <) implies (54) and (Vs :s s
SG : gt is nondecreasing with respect to <) implies that all predicates in C
are stable and satisfy therefore (42), so that we have the following corollary:
For a partial order <
q is monotonic with respect to <
(Vs : s SF : fs is monotonic with respect to <)
(Vss : s SG : s is nondecreasing with respect to <)
wlt.F.q "FIIG q
This result can be applied in many programming situations. One example is
PCN, see for example [FOT], processes communicate via socalled definitional
variables. A definitional variable is initially undefined and may have assigned
a value at most once. We can express this as monotonicity with respect to the
partial order given by (o < 7) (o undefined V o = 7). Another example
are processes that communicate by message passing where the partial order is
given by the length of the messages that have been sent along a communication
channel.
6 Generalized commutativity conditions
The importance of commutativity in program composition has been known for
some time. Both Lipton [Lip75] and Misra 1\i1,'b] have proposed relevant
conditions and their relationship has been explored by Rao [Rao92]. Here, we
give generalized definitions of both Lipton and Misra commutativity and prove
a composition theorem using these results. The advantage of our results is that
they apply when q in p q is not stable.
The commutativity conditions are conditions on functions, we therefore as
sume that all commands are deterministic and are expressed by functional state
transformers f, for program F and g, for program G. In addition, we assume
that for each function, there is a guard predicate written b, or [ ]f,, and if the
guard predicate is false, then the state is unchanged, i.e.
[b, = (f, = id)]
where id is the identity function.
If b,.c, then we say that f, is enabled at a and write this as [o]f,
Now we assume that we have a second function gt with guard ct. The
composition of functions fgt is evaluated from the right, i.e. fgst. = f,.(gt.)
and we define enabled for the composition as
[o]f,gt = ct.o A b,.gt.o. (58)
Left Lipton commutativity outside q Lipton proposed a commutativity
condition where left commutativity can be briefly stated as: If for all states,
[o]fg, then [o]gf and f.g.o = g.f.a, i.e. if fg is enabled, then so is gf and both
give the same result.
Here, we give a definition that applies to states where some predicate q does
not hold. For two guarded functions f and g left Lipton commutativity outside
q is given by:
(f lcot.q g) 
(V : q.o A [o]fg A q.g. : [o]gf A f.g.o = gf.o A (q.f.o q.fg(5)
Operationally left Lipton commutativity outside q can be described as fol
lows: If ao is outside q,i.e. if q.o and fg is enabled and g.o is outside q, then
gf is enabled and fg = gf and if the result fg.o is outside q then f.o is outside
q. Note that if q = false we get the original definition given in [Lip75, Rao92].
Left Lipton commutativity is extended to programs by requiring all pairs of
functions from the programs to commute. For two programs F and G:
(F lcot.q G) (Vf,, gt : s S A t T : f, lco.q gt) (60)
Misra Commutativity outside q Misra defined a slightly different commu
tativity condition. Two functions f and g Misra commute if at points when
both are enabled, both compositions are enabled and give the same result. As
above, we give a modified condition that applies to states where a predicate q
does not hold.
For two guarded functions f and g:
(f con.q g) 
(V : q.a A [0]f A [0]g : [a]fg A [0]gf A fg.0 = gf. A (61)
(q.f.o V q.g.o = q.fg. V q.f.o A q.g.o))
Operationally this can be described as follows: If a is outside q and f and
g are enabled then fg and gf are enabled and fg = gf and if the result fg.o
is outside q and if f or g is outside q at a, then both are. If q = false, then we
get the original definition of 1 ,'ilb].
Misra commutativity is extended to programs in the obvious way. For two
programs F and G:
(F con.q G) (Vf, gt : s S At T: f, com.q gt) (62)
Now we show the main result of this section, if we have Left Lipton and
Misra commutativity outside q that the set of predicates that are stable.G 
not leaving q (48) are a progress set for (F.true.q).
Commutativity outside q and stable.G not leaving q
(F Icof.q G) A (F co,.q G)
The set of all predicates that are stable.G not leaving q
is a progress set for (F.true.q)
Proof Since q is stable.G not leaving q, it is sufficient to show that (40)
holds, or the stronger (54) with relation Reach.G.nl.q, (48), i.e.
(Vs : s E S : a Reach.G.nl.q 7 = q. V q.7 V (fs.o Reach.G.nl.q f,. ))
(1) q.7
(a Reach.G.nl.q 7) A q.7
q. V q.7 V (f s. Reach.G.nl.q f,.7)
(2) q.7
(2a)
(o Reach.G.nl.q 7) A (o 7) A q.7
S { (48) }
30 = 0o, 1, . n = 7 :: (Vi : 0 < i < n : 3t : t T : oi+i = gt.oi)
A(Vi : 0 < i < n : q.oi q.oi+,)
o { omitting all oi with i+ = }
E3 =0o, 01, .... On = 7 :: (Vi : 0 < i < n : 3t : T : [i]gt A 0+i1 = gt.i)
A(Vi : 0 < i < n : q.oi q.i+i)
S { q(7) }
30 = 0o,1, ...., n = 7 :: (Vi : 0 < i < n : 3t : t e T : [i]gt A 0+i+ = gt.i)
A(Vi 0 < i < n : q.)
(2b)
sES
I { construction of a set for ,) }
(i : 0 < i < n : = f,."i if f, is enabled for ai, o" = "i otherwise
(2c) It is now sufficient to proof:
Vi : 0 < i < n : 3t : t E T : oi+ = gt.o' A (q.o' = q.'"+,)
(2cl) o+i A o i+
oi+1 f Oi+1
= { f, must be enabled at oi+ }
[0i+i]f, A oi+ = f,.oi+i
=> { By (2a) q(oi) A [oi]gt A q.oi+l A o+i = gt.oi }
q.o'i A [oi]fgt A q.gt.oi A oi+ = fsgt.'i
{ F com.qG }
[0i]gtfs A gtfs.0o = fsgt.0i A (q.f,.0"i q.gtf,.i)
S({ 0"+1 = fsgt."i }
["i]gtfs A o+i = gtf,.oi
{ [oi]gtf ["i]f, def.o }
(2c2) o, = o,+ A o o
[oi]fgt A [igtf A fgt.i = gtfs.0i A (q.f,.i = q.gtf,.i)
h p{ [0i]fsgt = [gt.i]fs I
[oi+l]fs A fs.i+l = gt."i
{ def. of i+1 }
q.0" A "i1 = gt."i A (q.u'i q.'+1)
(2c3) o = oi+1 A o = oi
By (2a) oi+1 = g,.o" A (q.o q.+o,i)
Now we can state the theorem on commutativity, which follows now from
the progress set union theorem.
Commutativity outside q theorem
P 2F r
q Ar co.G rV q
(F Icof.q G) A (F co,.q G) (63)
P "FIIG rVq
The next example applies the theorem to a simple handshaking protocol.
The results of Rao are not applicable here since the target predicate is not
stable.
Example: Consumer and producer Variable x is a local variable of F, y
of G. Both programs share a one element buffer b.
F : Consumer
consume : x, b := b, I if b fl
additional assignments that do not modify b
or any variable of G
G : Producer
produce : b :=y if b =I
additional assignments that do not modify b
or any variable of F
Now b = k F b =I. We want to apply the theorem to show b = k "\FIIG
b =I.
With q = (b =), the conditions of the theorem (63) hold:
(1) q A r co.G q V r holds because in our case r = q.
(2) F Icof.q G and F com.q G:
Since there is no interaction between between F and G except via b and the
value of q is changed only by consume and produce, we need only look at pairs
of functions involving consume and produce.
The conditions q.o A [o]fg A q.g.o or q.o A [o]f A [o]g never hold if
g = produce, so that the case with f = consume and g f produce remains.
The commutativity in this case follows because there is no interaction be
tween consume and g and q.consume.g holds.
7 Conclusions
Starting from "first pi1" i1.1. we gave a general composition theorem for
leadsto, then specialized it to a theorem based on the notion of a progress set.
Progress sets proved to be an extremely useful device by choosing different
definitions of progress sets, we were able to obtain several different theorems for
composing programs without invalidating leadsto properties.
References
[C('\I"] K.M.Chandy, J.Misra. Parallel program design, a foundation.
AddisonWesley, 1988.
[C'"',.] K.M.Chandy, B.A.Sanders. Predicate transformers for reasoning
about concurrent computation Science of Computer Programming,
1995.
[DS90] E.W.Dijkstra, C.S.Scholten. Predicate calculus and program seman
tics Springer, 1990.
[FOT] Foster, Olson, Tuecke. Productive parallel programming: The PCN
approach. To appear in Scientific Programming.
[JKR89] C.S.Jutla, E.Knapp, J.R.Rao. A predicate transformer approach to
semantics of parallel programs. Proceedings of the 8th AC'\I sympo
sium on Principles of Distributed Computing, (1989), 249 263.
[Kna90] E.Knapp. A predicate transformer for progress. Information Process
ing Letters 33 (1989/90), 323 330.
[Lip75] R.J.Lipton. Reduction: A method of proving properties of parallel
programs. Communications of the AC'M\ 18 (1 i',), 717 721.
1I',ila] J.Misra. A programcomposition theorem involving a fixedpoint.
Notes on UNITY: 28 91.
b1i',lb] J.Misra. Loosely coupled processes. Proceedings of PARLE'91, Par
allel Architectures and Languages Europe, Eindhoven, The Nether
lands. LNCS 506: 1 26.
1' i] J.Misra. A logic for concurrent programming: Safety. Journal of
Computer and Software Engineering, 3(2) (1 ,',.) 239 272.
[Rao92] J.R.Rao. Building on the UNITY experience: Compositionality, fair
ness and probability in parallelism. Ph.D. Dissertation, The Univer
sity of Texas at Austin, 1992.
I i'i l] B.A.Sanders. Eliminating the substitution axiom from UNITY logic.
Formal Aspects of Computing, 3 (1991), 189 205.
'] BB.A.Sanders. Refinement of mixed specifications: A Generaliza
tion of UNITY. University of Florida Department of Computer
and Information Science and Engineering Technical Report 96010.
http://www.cis.ufl.edu/techreports/tr96/tr96010.ps.
