Group Title: Department of Computer and Information Science and Engineering Technical Reports
Title: Exploiting historical information about computations
Full Citation
Permanent Link:
 Material Information
Title: Exploiting historical information about computations
Series Title: Department of Computer and Information Science and Engineering Technical Report ; 96-034
Physical Description: Book
Language: English
Creator: Sanders, Beverly A.
Chandy, K. Mani
Affiliation: California Institute of Technology
University of Florida
Publisher: Department of Computer and Information Science and Engineering, University of Florida
Place of Publication: Gainesville, Fla.
Copyright Date: 1996
 Record Information
Bibliographic ID: UF00095394
Volume ID: VID00001
Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.


This item has the following downloads:

1996232 ( PDF )

Full Text

Exploiting Historical Information about

Computations *

UF ('iS. Technical Report 96-034

Beverly A. Sanders t K. ii' i Clib.dlyt

This paper explores the question: How can we exploit the information
that a state predicate p holds at some point in a computation in reasoning
about the remainder of the computation? This question is relevant be-
cause partial global snapshots of I< 1 i1 1,1 i I systems can determine that
a predicate holds at a point in the computation, even though the partial
snapshot does not determine the complete global state. This question is
also relevant in extending the substitution axiom of UNITY.

Keywords: .i ,1, !i program correctness, program specification UNITY.

1 Introduction

A state predicate p of a program F is stable if and only if: for all state transitions
(s, t) of F, if p holds in s then p holds in t as well. Therefore, for ;,~i- stable
predicate p of a program F and ,iii state s of F, if p holds in s then p holds in
all states reachable from s.
If a stable predicate p holds at some point x in a computation, then p
continues to hold for the remainder of the computation. Informally speaking,
when we reason about the remainder of a computation from point x onwards,
we can restrict universal quantification to mean quantification over states for
which p holds because all other states are unreachable; so, in reasoning about
the remainder of the computation we can substitute true for p (and vice versa).
This idea is made precise in this paper.
-,. i...i 1.. in part by U.S. Air Force Office of Scientific Research and the University of
tDepartment of Computer and Information Science and Engineering, P.O. Box 116120,
University of Florida, Gainesville, FL 32611-6120,
+Department of Computer Science, California Institute of !.. ....... m/c 256-80,
Pasadena, CA 91125, mani

In UNITY, the fact that some states are unreachable is handled with the
substitution axiom: An invariant can be replaced by true, and vice versa, in
i~,- program property. All states reachable from initial states satisfy invariants.
Just as the initial condition is helpful in reasoning about all computations, a
predicate that holds at a point in a computation is helpful in reasoning about
the remainder of the computation.
We propose a class of program properties, called since properties after Manna
and Pnueli [10]. The interpretation of --j : X, read as "-! .. p X, is that if a
stable state predicate p holds at ;,!! point in ;,!! computation, then property X
holds from that point onwards in that computation. (A property is a predicate
on computations; always p, .. 'i,. l., p, and p next q, are examples [10, 9, 2].)
After reviewing some preliminary results, we give a general definition and
theory of since properties. An important requirement is that the theory be
applicable in composed -I. ii,- where one deduces the properties of a -1. 11,
from the properties of its components. To this end, we develop the rules in the
context of the theory of composed -I. ii- presented in [3, 4].

2 Preliminaries

A program is a tuple (V, T), where V is a set of I-" I1 variables defining a
state space Ev and T is a set of commands where T includes skip, and the
weakest-precondition predicate transformers for each command is universally-
, .,i,'li jr. [ and or-continuous. Including skip in T has the effect of allowing
"-i i. I. i ni" steps that leave the state unchanged in computations. The restric-
tions on the predicate transformer ensure that the corresponding commands
always terminate, and have demonic and bounded non-determinism.
A computation of a program is an infinite sequence of pairs (ci, si) for i > 0
where ci E T and si E Ev and ci represents a command that can take state
si to state si+l. Initial conditions are discussed later. Progress properties
usually depend on some sort of fairness assumption: For the purposes of this
paper, we assume that all commands must be executed infinitely often in every
Since at each step in a computation, ,!!, command can be executed next,
the . .! ii I, I -,- i of the weakest preconditions of the commands gives the weakest
precondition of a computation step. We have [3]:

[awp.F.q = (Vt : t E T: t.q)]. (1)

Thus if at some point in a program, the state satisfies awp.F.q, then after the
next step, the state satisfies q. Since wp.skip is the i1. ,ii [awp.F.q = q] for
all q. Since wp.s is required to be universally *. .!!i l,! I- for all s, so is awp.
We define a function stable from state predicates to program properties next.
For a state predicate p of a program F, stable.p is a program property, and hence

stable.p.F is a boolean. It is defined as:

stable.q.F = [awp.F.q = q]. (2)
Thus if q is stable predicate of a program F, and q holds at some point in a
computation, then q continues to hold in the remainder of that computation.
It has been shown [13] that .- -iiLii. ; .1, and .1l -ii [ Il. of stable predicates
are stable, and that the set of stable predicates of a program forms a lattice
where false is the strongest stable predicate and true is the weakest.

3 Since properties

3.1 Properties defined by [q = f.r]
Several program properties of interest can be defined in terms of a predicate
transformer f as follows:

q r = [q f.r] (3)
The above notation is used for convenience, the following table lists several
predicate transformers along with their more common notation and operational

next awp p next q if p holds, then q holds [12, 3]
after the next step
'leads-to' wit p q if p holds, then eventu- [11, 8, 7]
ally, at that point or later
q holds
'to-stable' wto p -+ q if [3, 6]
p holds, then eventually
-q becomes unreachable
'to- 1;- wta p -q if p holds, then -q will [1, 6]
hold at most a finite
number of steps

All the predicate transformers f in this table satisfy the following formula
that we call a "!, Il .I -- [i .!1- I. For the program F under consideration:
f is monotonic and satisfies
stable.p.F => r! A f.q = f.(p A q)] (4)
We define a since version of the property determined by f as

"1': q -f r = stable.pA [pA q f.r] (5)

Operationally, j,: q -+ r means that ifp holds at some point in a compu-
tation, then the property q -+ r holds for the remainder of that computation.
Several rules follow immediately from the definition, For instance,

stable.p== (('1.' : q r) = ('j. Ap' : q r))
In addition to these rules since properties admit a substitution rule analogous
to the UNITY substitution axiom. The essence of the idea is that if p holds
at some point in a computation of a program then p can be replaced by true
in properties of the remainder of the computation. Next, we present a precise
definition of this notion.

Substitution rule Let p,q, and r be punctual1 and f be a monotonic predi-
cate transformer r11 f i! (4).

,j1,: q.p -L r.p = .j]: q.true -: r.p (6)
= "1': q.p -* r.true
= -pj: q.true -* r.true

Proof From the definition and predicate calculus, it -itlhi that the following
two conditions hold;

r (q.p = q.true)] (8)

(f.(r.p) = f.(r.true))] (9)
The first condition (8) is simply a restatement of the assumption of punctuality.
The second (9) requires a proof since f is I i- '. 11 not a punctual function of
its arguments.

[p = (f.(q.p) = f.(q.true))]
{ predicate calculus }
[pA f.(q.p) = f.(q.true)] A [pA f.(q.true) = f.(q.p)]
4 { stable p, f satisfies (4 }
[f.(q.p Ap) = f.(q.true)] A [f.(q.true Ap) = f.(q.p)]
4{ f monotonic }
[q.p A p = q.true] A [q.true A p => q.p]
Recall that a function q is punctual if for all x and y, [(x = y) = (q.x = q.y)]. The
punctuality theorem [5] states that expressions built from variables and punctual operators
are punctual functions of the variables. It is also the case that the logical connectives (A, V,
,<-, ) are punctual in their arguments.

[p = (q.true = q.p)]
4< { q punctual }

The condition (4) obviously holds for awp and also has been shown to hold
for wit, wto, and wta. Indeed, we postulate it as a "!-. HihII!. -- i .!.1ii1.ii for
predicate transformers used to define temporal properties.

3.2 Transient predicates
Transient predicates are important as they form the basis of practical proof
rules for leads-to, to-stable, and to-always properties [11, 4, 6]. Transient does
not, however, have the shape given in the previous section and is thus treated
separately here. We define a function transient from state predicates to program
properties as follows. For a program F = (, T),

transient.q.F = (3t : t E : [q 4 wp.t.-q]) (10)

with the operation interpretation that transient q means that -q will hold in-
finitely often in ;:~I computation.
The since property for transient is

"1'.: transient.q.F = stable.p A (3t : T : [p A q = wp.t.hq]) (11)

with the operational interpretation that if stable predicate p holds in a com-
putation, then -q will hold infinitely often in that computation. Since wp.s
satisfies (4) and preserves I li, i ,t l -I a proof similar to the one given for (9)
establishes, for punctual q, that

: transient q.p = : transient q.true

thus extending the substitution rule for transient properties.

3.3 Properties of since properties
We list a few fairly obvious facts below. X, Y, and Z are properties.

For programs with unspecified initial conditions

X = .,., : X

For programs with specified initial conditions and strongest invariant SI

Y = -;I: X

stable pA '.I: X => .' Ap: X

If (VF : X.F A Y.F = Z.F) then

,1j.: X A j.: Y => Ij. : Z

4 Parallel Composition

4.1 Definitions
In this section, we define parallel composition in our model and [i; f- review
an approach to component specifications presented in [3, 4]. Then, we give rules
for since properties of components.
For F = (VI, TF) and G = (Vc, To), the parallel composition of F and G is
given by

F | G = (VF U Vc, TF U T,) (12)

and is defined if all variables appearing in both VI and V'c have the same I I "
From the definition, I| is commutative and associative.
We define a function component so that component.G.F holds for a program
F if G is a component of F. From the definition of parallel composition (12),

component.G.F =_ (V C Vi A To C TI).

Viewing properties as predicates on programs, we have a property trans-
former wg [3] defined as follows

wg.F.X = (VH : component.F.H = X.H)

with the interpretation that wg.F.X is the weakest property so that if a program
containing F as a component satisfies that property, then the program satisfies
property X. In ;,i ,1.._ with the way the predicate transformer f admitted a
property, we have

(X guaranteesY).F = (X Y).F
= (X = wg.F.X) (13)

Thus (X guarantees Y).F means that if property X holds for a program
containing F as a component, then property Y also holds for the program.2
Given (X guarantees Y).F as a part of the specification of F, after proving
X.I IG, we can conclude Y.I IG. This is useful when X is more easily proved
than Y.
..I. that this does not say that if property X holds for an environment E that Y holds
for j /

4.2 Compositional specification with all-component and
exist component properties
Two classes of program properties have useful special characteristics:

All-component properties Property X is called an all-component property
if for some set of programs g,

(VG: G E : X.G) = (IG: G E : G).X

An all-component property can be proved for a -1. i, by showing that it holds
for each component.

Exist-component properties A property X is called an exist-component
property if for ;,Ii set of programs g,

(3G:GE : G.X) = (IG:GE : G).X

For an exists-component property X,

X.F = (true= (wg.F.X).l IG)

Of the properties mentioned earlier, in our model next (Oa-p) and stable are all-
component properties, transient is an exist component property, and all proofs
of 'leads-to', (-, ), 'to-stable' (-i), and 'to-alway' -) can be proved as com-
binations of all-component and exist-component properties.
The following theorems follow easily from the definitions:

All-component since properties If X is an all-component property, then
" T' : X is an all-component property.

Exist-component since properties If ("'p : X).F and X is an exist-
component, then

(stable p) = (wg.F.('.: X))

or alternatively,

((stable p) guarantees (': X)).F

5 Partial Global Snapshots

A global snapshot records the global state of a computation. A partial global
snapshot records a predicate that holds at some point in a computation. For
instance, a partial global snapshot ii determine that there is at least one
token in a distributed -- -I. in or that processes F and G are waiting. The

question we explore next is: How can we exploit knowledge that a predicate p
holds at a point in a computation?
We define a predicate transformer sst, for strongest stable, as follows [13]:
sst.p is the strongest stable predicate weaker than p. Therefore, sst.p holds
exactly in those states reachable from states for which p holds. So, if p holds at
a point in a computation, then sst.p holds from that point onwards.
If a program F has the property -j'' : X, and '!, = p'], then if p holds at
a point in a computation of F, then X is a property of the remainder of the
computation from that point onwards. Similarly, if - : X holds, then if p
holds at a point in the computation of F, then X is a property of the remainder
of the computation. Thus, partial global snapshots can be used to reason about
the computation from the snapshot point onwards.

6 Conclusion

Rather than taking advantage of knowledge of only of the initial state of a
computation, we have proposed a class of properties that take into account
knowledge of the state at :i ; point in a computation. Not only are these
properties more expressive, but they offer a more practical alternative to the
'substitution axiom' for composed -- -I. !-


[1] K. Mani ('!C i 1 1. Properties of parallel programs. Formal Aspects of Com-
..,, .,, 1993.

[2] K. Mani ('!h ii-I' and .- ,1. Misra. Parallel Program Design: A Foun-
dation. Addison-W -1. 1988.

[3] K. Mani ('!C !-I'L and Beverly A. Sanders. Predicate transformers for rea-
soning about concurrent computation. Science of Computer F.' ............ .,
24:129-148, 1995.

[4] K. Mani ('!C !I 'L and Beverly A. Sanders. Reasoning about program com-
position. submitted for publication, 1996.

[5] Edsger W. Di i:-ii and Carel S. Scholten. Predicate Calculus and Program
Semantics. Springer-Verlag, 1990.

[6] Rutger M. Diil:-Ii, and Beverly A. Sanders. A predicate transformer for
the progress property 'to- 1;- ,- -'. submitted for publication, 1996.

[7] C.S. Jutla, E. Knapp, and J.R. Rao. A predicate transformer approach to
semantics of parallel programs. In Proceeding of the 8th AC .1 S,.I ...." .'
on Principles of Distributed C....'i, ..", 1989.

[8] Edgar Knapp. A predicate tranformer for progress. f.. .f1.... Processing
Letters, 33, 1989/90.

[9] Leslie Lamport. A temporal logic of actions. AC.1 I ...... ..... on Pro-
gramming Languages and S,,,i' .... 16(3):872-923, 1994.

[10] Z. Manna and A. Pnueli. Completing the temporal picture. 1! ... ,,,/
Computer Science, 83(1):97-130, 1991.

[11] J. Misra. A logic for concurrent programming: Progress. Journal of Com-
puter and Sf!. ... F '.,,, ,..,, 3(2):273-300, 1995.

[12] J. Misra. A logic for concurrent programming: Safety. Journal of Computer
and ,f!i .... ., .. .',,, .., 3(2):239-272, 1995.

[13] Beverly Sanders. I.Iini ii!ii the substitution axiom from UNITY logic.
Formal Aspects of C...i. .'.". 3(2), 1991.

University of Florida Home Page
© 2004 - 2010 University of Florida George A. Smathers Libraries.
All rights reserved.

Acceptable Use, Copyright, and Disclaimer Statement
Last updated October 10, 2010 - - mvs