Exploiting Historical Information about
Computations *
UF ('iS. Technical Report 96034
Beverly A. Sanders t K. ii' i Clib.dlyt
Abstract
This paper explores the question: How can we exploit the information
that a state predicate p holds at some point in a computation in reasoning
about the remainder of the computation? This question is relevant be
cause partial global snapshots of I< 1 i1 1,1 i I systems can determine that
a predicate holds at a point in the computation, even though the partial
snapshot does not determine the complete global state. This question is
also relevant in extending the substitution axiom of UNITY.
Keywords: .i ,1, !i program correctness, program specification UNITY.
1 Introduction
A state predicate p of a program F is stable if and only if: for all state transitions
(s, t) of F, if p holds in s then p holds in t as well. Therefore, for ;,~i stable
predicate p of a program F and ,iii state s of F, if p holds in s then p holds in
all states reachable from s.
If a stable predicate p holds at some point x in a computation, then p
continues to hold for the remainder of the computation. Informally speaking,
when we reason about the remainder of a computation from point x onwards,
we can restrict universal quantification to mean quantification over states for
which p holds because all other states are unreachable; so, in reasoning about
the remainder of the computation we can substitute true for p (and vice versa).
This idea is made precise in this paper.
,. i...i 1.. in part by U.S. Air Force Office of Scientific Research and the University of
Florida
tDepartment of Computer and Information Science and Engineering, P.O. Box 116120,
University of Florida, Gainesville, FL 326116120, sandersocise.ufl.edu.
+Department of Computer Science, California Institute of !.. ....... m/c 25680,
Pasadena, CA 91125, mani cs.caltech.edu.
In UNITY, the fact that some states are unreachable is handled with the
substitution axiom: An invariant can be replaced by true, and vice versa, in
i~, program property. All states reachable from initial states satisfy invariants.
Just as the initial condition is helpful in reasoning about all computations, a
predicate that holds at a point in a computation is helpful in reasoning about
the remainder of the computation.
We propose a class of program properties, called since properties after Manna
and Pnueli [10]. The interpretation of j : X, read as "! .. p X, is that if a
stable state predicate p holds at ;,!! point in ;,!! computation, then property X
holds from that point onwards in that computation. (A property is a predicate
on computations; always p, .. 'i,. l., p, and p next q, are examples [10, 9, 2].)
After reviewing some preliminary results, we give a general definition and
theory of since properties. An important requirement is that the theory be
applicable in composed I. ii, where one deduces the properties of a 1. 11,
from the properties of its components. To this end, we develop the rules in the
context of the theory of composed I. ii presented in [3, 4].
2 Preliminaries
A program is a tuple (V, T), where V is a set of I" I1 variables defining a
state space Ev and T is a set of commands where T includes skip, and the
weakestprecondition predicate transformers for each command is universally
, .,i,'li jr. [ and orcontinuous. Including skip in T has the effect of allowing
"i i. I. i ni" steps that leave the state unchanged in computations. The restric
tions on the predicate transformer ensure that the corresponding commands
always terminate, and have demonic and bounded nondeterminism.
A computation of a program is an infinite sequence of pairs (ci, si) for i > 0
where ci E T and si E Ev and ci represents a command that can take state
si to state si+l. Initial conditions are discussed later. Progress properties
usually depend on some sort of fairness assumption: For the purposes of this
paper, we assume that all commands must be executed infinitely often in every
computation.
Since at each step in a computation, ,!!, command can be executed next,
the . .! ii I, I , i of the weakest preconditions of the commands gives the weakest
precondition of a computation step. We have [3]:
[awp.F.q = (Vt : t E T: t.q)]. (1)
Thus if at some point in a program, the state satisfies awp.F.q, then after the
next step, the state satisfies q. Since wp.skip is the i1. ,ii [awp.F.q = q] for
all q. Since wp.s is required to be universally *. .!!i l,! I for all s, so is awp.
We define a function stable from state predicates to program properties next.
For a state predicate p of a program F, stable.p is a program property, and hence
stable.p.F is a boolean. It is defined as:
stable.q.F = [awp.F.q = q]. (2)
Thus if q is stable predicate of a program F, and q holds at some point in a
computation, then q continues to hold in the remainder of that computation.
It has been shown [13] that . iiLii. ; .1, and .1l ii [ Il. of stable predicates
are stable, and that the set of stable predicates of a program forms a lattice
where false is the strongest stable predicate and true is the weakest.
3 Since properties
3.1 Properties defined by [q = f.r]
Several program properties of interest can be defined in terms of a predicate
transformer f as follows:
q r = [q f.r] (3)
The above notation is used for convenience, the following table lists several
predicate transformers along with their more common notation and operational
interpretation.
next awp p next q if p holds, then q holds [12, 3]
after the next step
'leadsto' wit p q if p holds, then eventu [11, 8, 7]
ally, at that point or later
q holds
'tostable' wto p + q if [3, 6]
p holds, then eventually
q becomes unreachable
'to 1; wta p q if p holds, then q will [1, 6]
hold at most a finite
number of steps
All the predicate transformers f in this table satisfy the following formula
that we call a "!, Il .I  [i .!1 I. For the program F under consideration:
f is monotonic and satisfies
stable.p.F => r! A f.q = f.(p A q)] (4)
We define a since version of the property determined by f as
"1': q f r = stable.pA [pA q f.r] (5)
Operationally, j,: q + r means that ifp holds at some point in a compu
tation, then the property q + r holds for the remainder of that computation.
Several rules follow immediately from the definition, For instance,
stable.p== (('1.' : q r) = ('j. Ap' : q r))
In addition to these rules since properties admit a substitution rule analogous
to the UNITY substitution axiom. The essence of the idea is that if p holds
at some point in a computation of a program then p can be replaced by true
in properties of the remainder of the computation. Next, we present a precise
definition of this notion.
Substitution rule Let p,q, and r be punctual1 and f be a monotonic predi
cate transformer r11 f i! (4).
,j1,: q.p L r.p = .j]: q.true : r.p (6)
= "1': q.p * r.true
= pj: q.true * r.true
(7)
Proof From the definition and predicate calculus, it itlhi that the following
two conditions hold;
r (q.p = q.true)] (8)
(f.(r.p) = f.(r.true))] (9)
The first condition (8) is simply a restatement of the assumption of punctuality.
The second (9) requires a proof since f is I i '. 11 not a punctual function of
its arguments.
[p = (f.(q.p) = f.(q.true))]
{ predicate calculus }
[pA f.(q.p) = f.(q.true)] A [pA f.(q.true) = f.(q.p)]
4 { stable p, f satisfies (4 }
[f.(q.p Ap) = f.(q.true)] A [f.(q.true Ap) = f.(q.p)]
4{ f monotonic }
[q.p A p = q.true] A [q.true A p => q.p]
Recall that a function q is punctual if for all x and y, [(x = y) = (q.x = q.y)]. The
punctuality theorem [5] states that expressions built from variables and punctual operators
are punctual functions of the variables. It is also the case that the logical connectives (A, V,
,<, ) are punctual in their arguments.
[p = (q.true = q.p)]
4< { q punctual }
true
The condition (4) obviously holds for awp and also has been shown to hold
for wit, wto, and wta. Indeed, we postulate it as a "!. HihII!.  i .!.1ii1.ii for
predicate transformers used to define temporal properties.
3.2 Transient predicates
Transient predicates are important as they form the basis of practical proof
rules for leadsto, tostable, and toalways properties [11, 4, 6]. Transient does
not, however, have the shape given in the previous section and is thus treated
separately here. We define a function transient from state predicates to program
properties as follows. For a program F = (, T),
transient.q.F = (3t : t E : [q 4 wp.t.q]) (10)
with the operation interpretation that transient q means that q will hold in
finitely often in ;:~I computation.
The since property for transient is
"1'.: transient.q.F = stable.p A (3t : T : [p A q = wp.t.hq]) (11)
with the operational interpretation that if stable predicate p holds in a com
putation, then q will hold infinitely often in that computation. Since wp.s
satisfies (4) and preserves I li, i ,t l I a proof similar to the one given for (9)
establishes, for punctual q, that
: transient q.p = : transient q.true
thus extending the substitution rule for transient properties.
3.3 Properties of since properties
We list a few fairly obvious facts below. X, Y, and Z are properties.
For programs with unspecified initial conditions
X = .,., : X
For programs with specified initial conditions and strongest invariant SI
[13]:
Y = ;I: X
stable pA '.I: X => .' Ap: X
If (VF : X.F A Y.F = Z.F) then
,1j.: X A j.: Y => Ij. : Z
4 Parallel Composition
4.1 Definitions
In this section, we define parallel composition in our model and [i; f review
an approach to component specifications presented in [3, 4]. Then, we give rules
for since properties of components.
For F = (VI, TF) and G = (Vc, To), the parallel composition of F and G is
given by
F  G = (VF U Vc, TF U T,) (12)
and is defined if all variables appearing in both VI and V'c have the same I I "
From the definition, I is commutative and associative.
We define a function component so that component.G.F holds for a program
F if G is a component of F. From the definition of parallel composition (12),
component.G.F =_ (V C Vi A To C TI).
Viewing properties as predicates on programs, we have a property trans
former wg [3] defined as follows
wg.F.X = (VH : component.F.H = X.H)
with the interpretation that wg.F.X is the weakest property so that if a program
containing F as a component satisfies that property, then the program satisfies
property X. In ;,i ,1.._ with the way the predicate transformer f admitted a
property, we have
(X guaranteesY).F = (X Y).F
= (X = wg.F.X) (13)
Thus (X guarantees Y).F means that if property X holds for a program
containing F as a component, then property Y also holds for the program.2
Given (X guarantees Y).F as a part of the specification of F, after proving
X.I IG, we can conclude Y.I IG. This is useful when X is more easily proved
than Y.
..I. that this does not say that if property X holds for an environment E that Y holds
for j /
4.2 Compositional specification with allcomponent and
exist component properties
Two classes of program properties have useful special characteristics:
Allcomponent properties Property X is called an allcomponent property
if for some set of programs g,
(VG: G E : X.G) = (IG: G E : G).X
An allcomponent property can be proved for a 1. i, by showing that it holds
for each component.
Existcomponent properties A property X is called an existcomponent
property if for ;,Ii set of programs g,
(3G:GE : G.X) = (IG:GE : G).X
For an existscomponent property X,
X.F = (true= (wg.F.X).l IG)
Of the properties mentioned earlier, in our model next (Oap) and stable are all
component properties, transient is an exist component property, and all proofs
of 'leadsto', (, ), 'tostable' (i), and 'toalway' ) can be proved as com
binations of allcomponent and existcomponent properties.
The following theorems follow easily from the definitions:
Allcomponent since properties If X is an allcomponent property, then
" T' : X is an allcomponent property.
Existcomponent since properties If ("'p : X).F and X is an exist
component, then
(stable p) = (wg.F.('.: X))
or alternatively,
((stable p) guarantees (': X)).F
5 Partial Global Snapshots
A global snapshot records the global state of a computation. A partial global
snapshot records a predicate that holds at some point in a computation. For
instance, a partial global snapshot ii determine that there is at least one
token in a distributed  I. in or that processes F and G are waiting. The
question we explore next is: How can we exploit knowledge that a predicate p
holds at a point in a computation?
We define a predicate transformer sst, for strongest stable, as follows [13]:
sst.p is the strongest stable predicate weaker than p. Therefore, sst.p holds
exactly in those states reachable from states for which p holds. So, if p holds at
a point in a computation, then sst.p holds from that point onwards.
If a program F has the property j'' : X, and '!, = p'], then if p holds at
a point in a computation of F, then X is a property of the remainder of the
computation from that point onwards. Similarly, if  : X holds, then if p
holds at a point in the computation of F, then X is a property of the remainder
of the computation. Thus, partial global snapshots can be used to reason about
the computation from the snapshot point onwards.
6 Conclusion
Rather than taking advantage of knowledge of only of the initial state of a
computation, we have proposed a class of properties that take into account
knowledge of the state at :i ; point in a computation. Not only are these
properties more expressive, but they offer a more practical alternative to the
'substitution axiom' for composed  I. !
References
[1] K. Mani ('!C i 1 1. Properties of parallel programs. Formal Aspects of Com
..,, .,, 1993.
[2] K. Mani ('!h iiI' and . ,1. Misra. Parallel Program Design: A Foun
dation. AddisonW 1. 1988.
[3] K. Mani ('!C !I'L and Beverly A. Sanders. Predicate transformers for rea
soning about concurrent computation. Science of Computer F.' ............ .,
24:129148, 1995.
[4] K. Mani ('!C !I 'L and Beverly A. Sanders. Reasoning about program com
position. submitted for publication, 1996.
[5] Edsger W. Di i:ii and Carel S. Scholten. Predicate Calculus and Program
Semantics. SpringerVerlag, 1990.
[6] Rutger M. Diil:Ii, and Beverly A. Sanders. A predicate transformer for
the progress property 'to 1; , '. submitted for publication, 1996.
[7] C.S. Jutla, E. Knapp, and J.R. Rao. A predicate transformer approach to
semantics of parallel programs. In Proceeding of the 8th AC .1 S,.I ...." .'
on Principles of Distributed C....'i, ..", 1989.
[8] Edgar Knapp. A predicate tranformer for progress. f.. .f1.... Processing
Letters, 33, 1989/90.
[9] Leslie Lamport. A temporal logic of actions. AC.1 I ...... ..... on Pro
gramming Languages and S,,,i' .... 16(3):872923, 1994.
[10] Z. Manna and A. Pnueli. Completing the temporal picture. 1! ... ,,,/
Computer Science, 83(1):97130, 1991.
[11] J. Misra. A logic for concurrent programming: Progress. Journal of Com
puter and Sf!. ... F '.,,, ,..,, 3(2):273300, 1995.
[12] J. Misra. A logic for concurrent programming: Safety. Journal of Computer
and ,f!i .... ., .. .',,, .., 3(2):239272, 1995.
[13] Beverly Sanders. I.Iini ii!ii the substitution axiom from UNITY logic.
Formal Aspects of C...i. .'.". 3(2), 1991.
