Group Title: Department of Computer and Information Science and Engineering Technical Reports
Title: Reasoning about program composition
Full Citation
Permanent Link:
 Material Information
Title: Reasoning about program composition
Series Title: Department of Computer and Information Science and Engineering Technical Reports
Physical Description: Book
Language: English
Creator: Sanders, Beverly A.
Publisher: Department of Computer and Information Science and Engineering, University of Florida
Place of Publication: Gainesville, Fla.
Copyright Date: 1996
 Record Information
Bibliographic ID: UF00095395
Volume ID: VID00001
Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.


This item has the following downloads:

1996233 ( PDF )

Full Text

Reasoning about Program Composition*

K. M.iili Cli.iiilyt Beverly A. Sanders $

UF CISE Technical Report 96-035
November 18, 1996

This paper presents a theory for concurrent program composition
based on a predicate transformer call the the weakest guarantee and a
corresponding binary relation guarantees. The theory stems from a novel
view of rely-guarantee techniques for reasoning about program composi-
tion and provides a general and uniform framework for handling temporal
properties as well as other kinds of program properties such as refinement
and encapsulation.

1 Introduction

The contribution of this paper is a predicate-transformer based theory for rea-
soning about the composition of concurrent programs. This section contains
the motivation for this contribution and a discussion of the central issues.
The predicate transformers wp and wlp provide an elegant basis for reasoning
about sequential programs because they focus attention on the most fundamen-
tal aspects of these programs: their initial and final states [DS90]. By ;1 i I f ; i,
a program with its predicate transformer, we can reason about programs using
the universal notation of the predicate calculus. Predicate transformer theory
is the fundamental theory of sequential .I 6- ii ,,, so extending the theory
to concurrent composition is of interest.
Concurrent programs cannot be specified exclusively in terms of initial and fi-
nal states. Temporal logic, which deals with computations of programs, [Pnu81,
('.I !', Lam94, 1 i'lIl] has been used for -i," i f ir!- and reasoning about con-
current programs. Our theory uses concepts from temporal logic, but our con-
tribution is to extend predicate transformer theory to concurrent programming.
-,. i...i .~ 1. in part by U.S. Air Force Office of Scientific Research and the University of
tDepartment of Computer Science, California Institute of !.. ...... m/c 256-80,
Pasadena, CA 91125, mani
+Department of Computer and Information Science and Engineering, P.O. Box 116120,
University of Florida, Gainesville, FL 32611-6120, sanders

Temporal properties are not usually compositional. Even if all computations
of programs F and G satisfy a temporal logic formula, computations of I IG
i! i- not (where | is a program composition operator). We propose a common
theoretical foundation, based on predicate transformers, for proving properties
of composed programs from properties of their components.
In the literature on program composition, components have been speci-
fied with properties variously called rely/guarantee [Jon83, 1I ,,,], 1i- I .!11-
esis/conclusion [( '.I ], assumption/commitment [Col94, ('i'ij,], offers/using
L.S'1 L 1.S'2] and assumption/guarantee [AL93, Al.'i' ] The common idea is
that assumptions about the environment form part of the specification of a
component. In this paper, we develop this idea using predicate-transformers
and a different view of how to specify the environment. This leads to a simple
theory of program composition.
The main aspects of our approach are summarized next:

1. We define a program property as a predicate on programs. Our theory
uses predicates on both programs and states.

2. Our theory provides a uniform framework for handling temporal properties
and other kinds of program properties such as refinement and encapsula-

3. We specify program components with the dyadic operator guarantees on
program properties where for a program F and properties X and Y,
(X guarantees Y) is a property of program F if and only if all programs
that have F as a component and have X as a property also have Y as
a property. In contrast to the semantics for rely/guarantee specifications
in the literature, the antecedent X is a property of the -- -.i ,1 1 Iif in
which the component F is embedded, not the environment H; likewise the
consequent Y is also a property of the same -I. i i, I if. The guarantees
property has i ii -i of the nice properties of implication because both X
and Y in (X guarantees Y) are properties of the same -- -1 i! Theories
in which X refers to one program and Y refers to another program appear
to be more complex than our theory and often restrict X to be if.

4. In il, 1,_- with the wp.F calculus, we define a property transformer wg
where for a program F and properties X and Y: wg.F.Y is the weakest X
such that (X guarantees Y) is a property of F. The property transformer
wg.F is monotonic, universally i i!ii- Ii .,, and idempotent. Like wp in
sequential I'l-- ii iiii ,- wg anchors the theory of guarantees properties
in the predicate calculus.

5. We explore simple compositional properties called all-component and exists-
component properties. A program has an all-component property if and

only if all its components have that property. A program has an exists-
component property if there exists a component that has that property.
We also propose compositional methods of proving properties that are
neither all-component nor exists-component by using the guarantees op-

6. We propose a method for -i, if i!_- and reasoning about program com-
ponents that has two parts:

The theory for guarantees properties that relies on simple properties
of | such as associativity and existence of an 1 Il Iili- and is largely
independent of; i i particular program model.
Model-specific proof rules for showing that a program satisfies a guar-
antees property.

This aspect of our approach is reminiscent of the algebraic specifica-
tion method Larch [(; \\ '.] which also has a two-tiered approach with
language-independent and language-specific parts.

In the remainder of the paper, we develop the theory of guarantees and wg,
give an example of model-specific proof rules using a programming model similar
to UNITY, and develop an example program in the model. We conclude with
some observations.

2 Preliminary definitions

We ii! 1. predicates on states and predicates on programs. A program property
is a predicate on programs, and a state predicate is a predicate on states. We
use letters X, Y and Z for program properties, p, q and r for state predicates,
and F, G and H for programs.
The application of a function f to an argument x is denoted by f.x and
function application associates to the left. Therefore, for a program property Z
and a program F, the value of Z.F is boolean: Z.F has value true if and only
if property Z holds for program F.
A fundamental property of a program is whether or not it conforms to some
criteria. The precise definition of conforms depends on the program model,
but I'' ,11- involves satisfaction of the kinds of 'iii- and encapsulation con-
straints found in iii ii- programming languages and enforced by compilers. We
restrict our theory to conformant programs. For instance, a conformant pro-
gram can be defined as one that compiles successfully, and we do not want our
theory to have to deal with programs that do not compile. We introduce a
property ....f/'... where .f/',. .... F holds if and only if program F conforms
to the criteria of interest.

A program is a state transition -- -1. 11 A computation of a program is an
infinite sequence of state transitions that satisfies certain restrictions, discussed
later. An important kind of program property is a predicate on computations
that holds for all computations of the program. For example, for state predicates
p and q, we define a predicate p --- q on computations as follows: p --- q holds
for a computation c exactly when, for each point in c at which p holds, q holds
at that point or a later point in c [Lam94, ( '. I The program property p -- q
holds for a program F exactly when p --> q holds for all computations of F. The
notion of a property is not, however, restricted to temporal properties such as
-'.. Examples of other kinds of properties will be seen in the paper.
We use formulae that have both state-predicates and program properties,
as, for instance in:

(p q).F A (q > r).F = (p > r).F

As in [DS90] we use 'I.] to denote the boolean: state predicate p holds in all
states. Similarly, we use [X] to denote the boolean: program property X holds
for all conformant programs. For instance, the previous formula which holds for
all programs F can be expressed as:

[(p q) A (q - r) => (p - r)]

If there is ;,~i I...--.1i;l1i-I of ;!ii.,li;_i- when using [X], we use the explicit
notation: (VF : ... ...... F : X.F).

3 Program Composition and the Guarantees Op-

3.1 Parallel composition
In this section, we assume the existence of a program composition operator |,
and use it to define an operator, called guarantees, on program properties. We
require I| to be associative and have an i1l. I il SKIP. We also require that |
and ...r... satisfy

(VF, G :: ....f..... F IIG ... .. ... F. A G.......... G ) (1)

An immediate consequence of (1) is that either SKIP is conformant or there are
no conformant programs. Note that I| has higher binding power than function
Most theorems require that I| be commutative as well, and in such cases we
make the commutativity assumption explicit. For commutative |I, we postulate
the following pairwise property: if the composition of each pair of programs in a
set is conformant, then the composition of all programs in the set is conformant

as well:
For ,i!i set of programs g:

(VG,G ': G,G' e : ') G: g ...,.,. ,') : : G) (2)

From (1) and (2):

(VG ,G' : G,G' e g : ..... ... G') ..... ... : : G) (3)

In this paper, we are only interested in conformant programs. For '.i. -i-
we often leave the restriction to conformant programs implicit. For example,
we ii ,- write quantification over a set of programs as (VH :: X.(J I1f)
Y.(J |i/)), instead of (VH : t If..... 1.... ( f ) : X.(J I11) = Y.(J1 |i)).

3.2 Definition of guarantees
The dyadic operator guarantees on program properties is defined as follows. For
program properties X and Y, we define a program property (X guarantees Y)

(X guarantees Y).F = (VH : .... f.. .... i if: X.I If => Y.(i Ilf)) (4)

Therefore, (X guarantees Y) is a property of a program F if and only if all
conformant programs that have F as a component and have X as a property
also have Y as a property. From the definition of guarantees:

[X = Y] = [X guarantees Y] (5)

We are, however, interested in cases where the fact that F is a component allows
the left side of the guarantees properties to be weaker than the right.
In contrast to the rely/guarantee specifications mentioned in the introduc-
tion, the meaning of (X guarantees Y).F is not that if the environment H of F
has property X then the composed -- -. i I if has property Y it is that if
the composed I -. i,1 Iif has property X then the composed -1. I -, Iif has
property Y. By using only properties of the composed -- -I'. i instead of the
properties of the environment, we obtain a simple theory in which guarantees
- !i, i O~I of the properties of implication.

3.3 Theorems about Guarantees
The proofs of these theorems are straightforward and are not given here. In
these theorems, we use X and Y to denote sets of program properties.
The next five properties are analogous to properties of implication.

Universally Disjunctive for Left Operand

[(VX : X E X : guarantees Y)

(3X : X eX : X) guarantees Y]

Universally Conjunctive for Right Operand
[(VY : YE : X guarantees Y) = X guarantees (VY : YE Y : Y)]


[(X guarantees Y) A (Y guarantees Z) = (X guarantees Z)]


[(X guarantees Y) (true guarantees (X = Y))]


[(X guarantees Y) (-Y guarantees -X)]

Exists-component Guarantees properties are exists-component properties.
(X guarantees Y).G = (VH :: (X guarantees Y) I, 1if)
Therefore, guarantees properties of a program G are inherited by all programs
that have G as a component.

4 Weakest guarantees

4.1 Definition of component
We define a function component from programs to program properties as follows:
For a program F, component.F is a property that holds for all programs that
have F as a component and only such programs.
component.F.H = (3G : .... f,., .... i IG : I IG = H)
The definition of i i l of programs depends on the program model and how
parallel composition is defined.
From the definition of component:
component.G.H A component.H.F = component.G.F

(VF :: component.F.F)

and for commutative |i:

[component.- Ilf = component.F A component.H].
Next, we prove the following formula that is helpful in deriving theorems about
the weakest guarantee.
(X guarantees Y).F = [X = (component.F = Y)] (6)

(X guarantees Y).F
{ definition of guarantees }
(VH :: X.H A component.F.H = Y.H)
{meaning of [ ] }
[X A component.F = Y]
{ predicate calculus }
[X = (component.F = Y)]

4.2 The property transformer .,J.F
A predicate transformer is a function from predicates to predicates. Likewise,
a property transformer is a function from properties to properties. Motivated
by the weakest precondition, wp, we define weakest guarantee, wg, and present
theorems about wg. For a program F, wg.F is a property transformer defined
as follows: for a property Y, wg.F.Y is the weakest property X such that
(X guarantees Y).F.

wg.F.Y = weakest X : (X guarantees Y).F

From (6):

[wg.F.Y = component.F = Y] (7)

From this definition, it follows that the property transformer wg.F is mono-
tonic, universally ..,i, 1ii, i- -, and idempotent.

4.3 Theorems about wg
We give several theorems about wg. (We omit straightforward proofs.)

Component theorem

[component.F = (wg.F.Y = Y)] (8)

Conjunction, disjunction and composition theorem For commutative
|, program property X, and I'i !ii l set of programs T:
(3F: F E F: wg.F.X).( IF: F E : F) X..( IF: F E : F)


(VF : F E F: wg.F.X).( IF: F e ~F: F) X.( IF: F E CF: F)

Proof: Let F = ( |F : F E : F). Then
{ (8)}
(VF : F E F : component.F.F = (wg.F.X.F = X.F))
{ I| commutative, thus F E F => component.F.F }
(VF : Fe F: (wg.F.X.F = X.F))
{ predicate calculus }
(VF : F c F: wg.F.X.F) = X.F
(3F : F E : wg.F.X.F) = X.F

Corollary: Properties in isolation The next result shows that wg is -,Lt-
cient to specify a program in isolation. From the component theorem (8), and
using component.F.F:

wg.F.Y.F = Y.F

5 Towards compositional specifications

We seek compositional proof techniques that allow us to prove properties of
composed programs from properties of their components. Next we identify
classes of properties that are useful for constructing compositional proofs.

5.1 Exists-Component Properties
A program property X is an exists-component property if and only if,

X.G = (VH :: \ f) (9)

Therefore, for :,!- set g of programs, :,i! exists-component property X, and
commutative |i:

(3G:G e : X.G) = X.( IG :G e : G) (10)

If there exists a component of a program that satisfies an exists-component
property then the program itself also satisfies that property.

Theorem For ;,i~ exists-component property X and ;,I~ program F:

X.F = [wg.F.X]

{ definition of exists-component }

(VH:: X.iJ If)
{ definition of component }
(VG :: component.F.G = X.G)
{ definitions of [] and wg }

As noted in section 3.3, guarantees properties are exists-component proper-
For some properties and program models, the implication in (10) can be
strengthened to equivalence; we call such properties strong exists-component
properties. Thus, a property X is a strong exists-component property if and
only if:

(3G : G e : X.G) _= X.( IG : G : G) (11)

Setting g to the !i!!i- set in this equation, we observe (false = X.SKIP) that
the program SKIP does not have ;,~i strong exists-component properties.
We use strong exists-component properties in discussing refinement.

5.2 All-component properties
For commutative |I, a program property X is an all-component property if and
only if, for ;,~i set Q of programs:

(VG : G e : X.G) = X.( IG: G e : G) (12)

A program has an all-component property if and only if all components of the
program have that property [('S,',.]
From the definition, setting Q to the ii !,*l set, it follows that all-component
properties are properties of the program SKIP.

Theorem For ;~i- all-component property X and ;,I~ program F:

(3H : component.F.H : X.H) = X.F

Proof is by implication in both directions:

{ component.F.F }
(3H : component.F.H : X.H)
{ definition of component }
(3G IG G= H : X.H)
{ definition of all-component property }
(G : IG= H : X.F A X.G)
{ predicate calculus }

Theorem For oi!i all-component property X and i!i programs F and H:

wg.F.X.H = (VG : 1 IG-=H: X.F A X.G)

(VG: G= H: X.F A X.G)
{ definition of all-component }
(VG: I G H: X.H)
{ predicate calculus }
(3G::J IG = H) = X.H
{ definition of component }
component.F.H = X.H
{ definition of wg }

5.3 Properties of the environment
5.3.1 The property transformer env
Often, for a program F, .... I,,, -I.. i IG implies that program G has a property
that can be exploited in proofs. A common example is a program F that
encapsulates a 1... 11- -!Hi..1,i ,1,.1- variable u, defined to be a variable that can
only be modified by F. In this case ...'., I. I G implies that G has the
property that it leaves u unchanged. To capture this, we introduce a new
property transformer environment, denoted by env, where env.X is a property
of a program F means that X is a property of all programs that can be composed
with F in a conformant way.

(VF, X : conrforms.F : env.X.F (VH : .... ... FH : X.H)). (13)

5.3.2 Theorems about env
env is universally conjunctive with respect to properties

[env.(VX : X X : X) =_ (VX : YX X : env.X)]
As a consequence, env is monotonic with respect to properties and strict with
respect to property true.

env is strict with respect to property false

[ ..,. r,.l, =- false]

env.X is an exists-component property
For commutative |i : env.X.F =(VG : ....f, ... IG : env.X.1 IG)
The proof uses a "l"!io-"'!i" -1 1. proving implications in both directions.
(VG : ... ,., .... IG : env.X.1 IG
{ definition of env (13) }
(VG : f.....f.... I I G : (VH : ...1.,.. ... I |, I\ : X .H ))
{ predicate calculus }
(VG ,H :: ... ,... .. FIIG A ..... ... .. i I I[ : X .H )
{From (1),) ... ,.... I I l ~ ... ,., ... I CG }
(VG, H : .... ... .... i I, If: X .H )
{ let G := SKIP }
(VH : ... I,....... Ifi : X .H )
{ definition of env }
S ~ I{ ... .... I I [ = I .. F,, ..-. i IG, i| commutative }
(VG, H : .... .. .... i I' If: X .H )
{ definition of env }
(VG : ....... i G: env.X.J IG

Environment factorization For all-component properties Y and Z,

[env.X A [X A Y = Z] A Z = Yguarantees Z] (14)

Left-side weakening For :i! all-component property X,

[env.X A X A (Xguarantees Y) => (true guarantees Y)] (15)

6 Refinement

We can replace one component of a program by another component if the re-
placement does not violate program correctness. If the specification of a program
I I if is that the program must satisfy property X, then we can replace compo-
nent F by G if <, If[ also has property X. We refer to H as the environment of
F in the composed program IIf.
We define refinement of a program F by a program G with respect to a
property X over an environment H as follows: F is refined by G with respect
to X and H if and only if:
X.i If => X.', ,if
F is refined by G with respect to X and all environments if the above formula
holds for all programs H. F is refined by G with respect to X in isolation if the

above formula holds with H = SKIP; therefore, F is refined by G with respect
to X in isolation if and only if:

X.F = X.G

The refinement theorem relates refinement in isolation and refinement over all

The Refinement Theorem Let X be :,i- property that is a ..~ in. Mll.,!
of all-component and strong exists-component properties. G refines F with
respect to X and all environments if and only if G refines F with respect to X
in isolation.

(VH :: X. I if =>X., if) =- (X.F => X.G) (16)

Proof: We prove the theorem by proving it for all-component properties; the
proof for strong exists-component properties is similar and is omitted.

Lemma: Strong exists-component property refinement Let X be a
strong exists-component property. Then

(VH :: X.I if [= X.', Iif) = X.F = X.G

(VH :: X.I \lf =i X.,, |1f)
={ X strong exist component (11) }
(VH :: X.F V X.H = X.G V X.H)
{ predicate calculus }
(VH :: X.F = X.G V X.H)
{ H := SKIP }
(X.F = X.G V X.SKIP) A (VH :: X.F = X.G V X.H)
={ X strong exist component (11) }
(X.F X.,, I,/!P) A (VH :: X.F == X.G v X.H)
{ SKIP .,I. OlBl- of | }
X.F = X.G A (VH :: X.F = X.G V X.H)
{ predicate calculus }
X.F = X.G

Lemma: All-component refinement For :;, all-component property X:

(VH:: X.Ji If = X., IIf) = X.F = X.G

(VH:: X.I If[ => X.,' I\f)
{ X is all-component }
(VH :: X.F A X.H == X.G A X.H)

{ predicate calculus }
(VH :: X.H = (X.F = X.G))
{ predicate calculus }
(3H :: X.H) = (X.F = X.G)
{ X is all-component, thus X.SKIP, and setting H := SKIP }
true = (X.F = X.G)
{ predicate calculus }
X.F = X.G

7 Model-specific theory: an example

We present a model which is a small generalization of the operational model in
UNITY. This operational model helps to motivate our use of predicate trans-
formers. The predicate transformers can also be used for models in addition to
the one presented here.

7.1 Operational model
A program is a 4-tuple (V, L, C, D) where

1. V is a set of I -" .1 variables. This set of variables defines a state space in
a state-transition -1. i, Each state in the -1. i, is given by the values
of the variables in V.

2. L is a subset of V. L is the set of locally modifiable variables. Local
variables I'1 a role in the definition of conformant composition.

3. C is a set of commands where each command terminates when initiated in
;,i~ state, and each command has bounded nondeterminism. C includes
the skip command which leaves the state unchanged. The computation
proceeds by nondeterministically selecting ;,i~ command in C, and exe-
cuting it.

4. D is a subset of C. The fairness requirement is that commands in D are
executed infinitely often. (There is no fairness requirement for commands
in C that are not in D.)

Equality of programs Letting F = (VF, LF, CF, DF) and G = (V'c, LG, CG, Do),

(F = G) = (VF = Vc A LF = LG A CF = Cc A DF = D;)

Computations A program describes a state-transition -1. i1 There exists
a transition from state s to state t in the state transition -1. i, if and only if
there exists a command c in C where the execution of c can take the -1. i
from s to t.
A computation is an infinite sequence of states sj, j > 0, where:
1. There exists a transition in the state transition -1. i, from each state in
the computation to the next.

2. For every command d in D, there exists an infinite number of pairs of
successive states si, si+l in the computation such that execution of d can
take the -- -I. i1 from si to si+l.

Parallel composition Letting F = (Vp, LF, CF, DY) and G = (VO', L, Cc, Dc),
we define the parallel composition operator as follows:
i IG = (V U V, LF U LG, CF U C, DF U D).

where I| G is conformant if and only if variables with the same name in V i U 1V
have the same I I. and variables in LF are modified only by commands in
CF (which includes commands common to CF and Co), and likewise variables
in LG are modified only by commands in Cc.
Some consequences of the definition are that | is commutative, associative
and idempotent. The unit element for parallel composition is the program
SKIP where

SKIP = (0, 0, skip, )

In this model, the definition of component is

component.F.H =
(V1F C VH) A (LH C LH) A (CF C CH) A (DF C DH)

7.2 Program properties of interest: Safety
The State Predicate Transformer awp.F For a program F = (V, L, C, D)
define a state-predicate transformer awp.F as follows:

awp.F = (Vc : c C: wp.c)
(The letters in awp stand for all wp because awp.F is the ,i ..iii. Gr.i! of all
the transformers wp.c.) Since all commands c in C terminate when initiated
in ,iii state, and since c has bounded nondeterminism, wp.c is a universally-
S,-iii..i lr or-continuous, state-predicate transformer. Therefore, awp.F is
likewise a universally- ...ii 1 LI r- or-continuous, state-predicate transformer.
Since, [wp.skip.q = q], for all q:

[awp.F.q = q]

From the definition of parallel composition,

[awp. I11 .! = awp.F.q A awp.H.q] (17)

Next properties For state predicates p and q we define a property (p next q)
as follows:
For a program F,

(p next q).F = r w awp.F.q]

Since skip E C, we have

(p next q).F = 'r => q]

The next property describes the next state relation of a program. (This
property is based on Misra's co property ., !1-'i I l], but there are some slight dif
ferences due to .t1!. i. in in the programming model.) The property p next q
holds for a program exactly when for all points in all computations of the pro-
gram at which (state predicate) p holds, q holds at the next point in the com-
putation. Therefore, p next q holds for a program exactly when all transitions
of the program from states in which p holds are to states in which q holds.

Lemma: p next q is an all-component property.
Proof: Follows from the definition of next.

(p next q). if
{ definition of next }
[p j awp. I|i .i]
[p = awp.F.q A awp.H.q]
{ predicate calculus }
[p > awp.F.q] A '! =~ awp.H.q]
{ definition of next }
(p next q).F A (p next q).H

Stable We define a useful function stable from state predicates to program
properties as follows:

[stable.q = (q next q)]

If stable.q holds for a program F then all transitions from states in which q
holds are to states in which q holds. Since q next q is an all-component property
it follows that stable.q is also an all-component property.

Initial States and Always In our theory, the predicate that holds on initial
states is a property that can be asserted about a program. Thus ',. ''.,ll. .- is
the property that asserts that all computations begin in a state 11 i- F i11 q. We
1 I'' '11 have properties of the form (''. i!,'ll, ./ guarantees X).
The property always.q is defined as follows:

[always.q = stable.q A ".''.,ll, .- ]

This property indicates that q holds at every point in all computations. As a
result, we obtain the so-called substitution axiom [('. !' San91, SC96] that
allows true and q to be interchanged in program properties1

[always.q = (X = X jru) A (X = Xlr'e)

A more complete discussion is given in [SC96].

7.3 Program properties of interest: Progress
Transient Transience !Ii-' i. ] is a basic progress property of a -I. i, that
follows from fairness assumptions. Let F = ({ L, C, D); we define a function
transient from state predicates to program properties, as follows:

transient.p.F = (3d : d E D : wp.d.-p])

Operationally, p is false infinitely often in every computation of every program
that has F as a component because each command d in D is executed infinitely
often, and there exists at least one command that establishes -p if p holds.
From the definition of transient: transient.p is a strong exists-component
property. Therefore,

[transient.p = (true guarantees transient.p)]

Leads-to (s-*) properties Leads-to properties are useful for describing progress.
Operationally, (p -- q).F holds if in every computation of F, if p holds at some
point in the computation, then q holds then or at a later point. Leads-to prop-
erties can be derived from transient and next properties. In [('., I j leads-to is
defined as the strongest relation r, i i, 3 axioms based on a simple progress
property ensures. This axiomatization has been shown to be sound and rel-
atively complete LS ,i 'l, Rao91, Pac92]. A problem is that '. i -,n. the key
element in UNITY theory about progress is neither an all-component nor an ex-
ist component property. Below, we list an alternative axiomatization of leads-to
that allows leads-to properties to be derived only from all-component and exist-
component properties.
1Ve use the notation .'. to indicate textual substitution of q with r.

1. Transient rule

[transient q q -' -q]

2. Implication rule

[q => r] =:[< r]

3. Disjunction rule For arbitrary set of predicates Q:

[(Vq : q E Q : q (> r) (3q : q E Q : q) ~> r]

4. Transitivity rule

[q -> r A r-'s = q s]

5. PSP rule

[q -- r A s next t (q A s) -- (r A s) V (-s A t)]

The straightforward proof that these axioms are equivalent to those of [('. ],
and thus sound and relatively complete, is omitted.
From the axioms, we obtain

[transient.p = ((p next pV q) guarantees (p q))] (18)

7.4 Properties of environment
Constant expressions For i! expression e, we define the property constant.e
as follows: constant.e.F holds if and only if all computations of F leave the value
of e unchanged. Therefore

[constant.e = (Vk : stable.(e = k))]
Since locally modifiable variables are unchanged by other components:

(v E L) = env.(constant.v).F

Local predicates For a predicate p, local.p is a property that holds if p
mentions only variables in L. We have

[local.p = env.(constant.p)]

and from (15) and [constant.p = p next q],
r! next q A local.p = (true guarantees (p next q))] (19)

Program properties Let v be an integer variable. We define a property
nondecreasing.v for a program to mean that the value of v does not decrease
during computations of the program. Formally, this is expressed as

nondecreasing.v = (Vk :: stable.(v > k))

For two integer variables v and w, we define a property w follows v, as:

w follows v (Vk :: v > k ---* w > k)

From the proof rules for -'-, follows is transitive.
These properties are useful in developing compositional proofs of properties
of composed programs.

8 Example

8.1 Overview

We consider the following problem: The members of a committee, who are
located at two or more sites, need to determine the earliest time, e at or after
some given time t, at which they can all meet.2
We structure the solution by dividing the members into geographic areas
and letting each area determine the earliest meeting time that all members
associated with that area can meet after some proposed time. The earliest
times are combined to generate a new proposed meeting time until a time is
found when all members can meet.
This problem is simple enough to be handled easily without modularity.
However, since different areas i, i- use ,1!I. i. I i techniques to determine the
earliest meeting time of their subset of committee members, modular reasoning
based on specifications of components is helpful, and also serves to illustrates
our approach.

8.2 Specification
Definitions For -;!ii.!li l- we represent time as a non-negative integer. For
each member m there is a function m.earliest mapping time to time such that

m.earliest.t = earliest time at least t when m can meet.

m.earliest is monotonic and idempotent, and for technical reasons, we assume
m.earliest.0 = 0. We define a boolean function

.,- free.t = (m.earliest.t = t)

thus ,- free.t holds if and only if m can meet at time t.
2This is a special case of the problem of asynchronous computation of fixed points.

Let Com be the set of members of the committee and S C Com. Then
S.earliest.t is the earliest time at least t that all members in S can meet.

S.earliest.t = (min u : u > t : S f.... ..)

Sf = (Vr : S : free.t)

We assume that Com.earliest.t exists for all t.

Components G(t, e, S) is a program that finds the earliest time e at or after
t at which all members in set S can meet.
Let Si be subsets of members so that S = (Ui :: Si), and the cardinality
of each subset is strictly smaller than that of S. (Subsets can have common
members.) We propose to implement G(t,e,S) as a parallel composition of
components G(u,ai,Si) for each subset Si, and a coordinator program that
computes the meeting time e for all sites from the meeting times ai of subset
Si, all i. The coordinator is C(t,e, u, A), where A = (Ui:: {ai}).

G(t,e,S)= C(t,e,u, I :: G(u, a, Si))
1 i -I we define the 1 ... 11 -!i,,,i 1J1.- variables and their initial values. S is
a fixed set, e is a locally-modifiable variable with initial value 0, and t is un-
modified by G(t, e, S). The same restrictions (with appropriate actual variables)
applies to G(u, ai, Si).
Variables u and e are 1'.. 11- -!i.I1fi ,1. 1,.- in C(t,e,u,A), and their initial
values are set by C to be 0. C leaves t and A unchanged. All shared variables
are passed explicitly as parameters; so, for instance, G(u, ai, Si) does not access
These restrictions allow C(t, e, u, A) and G(u, ai, Si) all i to be composed in
Now, we give the guarantees properties in a table where the left column is
the antecedent and the right column is the consequent. All entries in a box are
to be ..,i. .i!. I 1 and all items mentioning subscript i are implicitly quantified
over all i.

Guarantees Properties for G(t, e, S)

always.(e < S.earliest.t)
e follows S.earliest.t (20)
trualways. (

From the above properties, the value of S.earliest.T for :;i- time T can be
determined in the following way: the environment of G sets t to T, and leaves
t unchanged until e > t, at which point, e = S.earliest.T.

Guarantees Properties for C(t,e, u, A)

..... ,. ....' .. ., always.(e < S.earliest.t)
always.((ai < Si.earliest.u) always.(S f.,.. .)
always.(S f.. .. ) e follows S.earliest.t (21)
ai follows Si.earliest.u

8.3 Proof of the composed program
The properties of the program G(t, e, S) are derived from properties of its com-
ponents. The proofs are straightforward, for the purposes of illustration, we
give a detailed proof of (20)

Proof of (20) : Since guarantees is an exist component property, the following
component properties hold in G:

(Vi :: nondecreasing.u guarantees (ai follows Si.earliest.u)) (22)

nondecreasing.t A (Vi :: (ei follows Si.earliest.u))
guarantees (e follows S.earliest.t) (23)

true guarantees nondecreasing.u (24)

Now, we have
{ From (22), (24), and transitivity of guarantees }
(Vi :: true guarantees (ai follows Si.earliest.u))
{ *. !ii!~rir i of guarantees }
true guarantees (Vi :: (ai follows Si.earliest.u))
S{'.. !!it!in i .'!! with nondecreasing.t guarantees nondecreasing.t }
nondecreasing.t guarantees nondecreasing.t A (Vi :: (ai follows Si.earliest.u))
transitivityy with (23) }
nondecreasing.t guarantees (e follows S.earliest.t)

The previous proof illustrated how the proof rules for guarantees, which
can be used to prove the properties of a program from guarantees properties of
its components. Note that once we used the exist component rule to lift the
properties of the components to G, the other proof rules needed were the same
as rules for implication.

8.4 Implementation of the Program Components
Implementation of C(t,e,u, A) Now, we give possible implementation of
C(t, e, u, A).
Initially e = 0 and u = 0. The program has two commands both of which
are executed infinitely often:

1. if (Vi :: u = ai) then {e := max(u, e); u := max(u, t); }

2. if u < max{ai } then u := max {ai}

The proofs are straightforward, except for the progress property (21). This
proof required proof of two transient properties and induction and is sketched
in the appendix.
This property illustrates one of the advantages of our approach. ',-
rely/guarantee approaches require the left side to be a ,f. I property, and
the right side to be a property that holds for the component in isolation. For
this example, that would have forced us to do the induction .P, each pro-
gram composition, rather than doing it once and capturing the results of the
complicated proof in the specification of C.

Implementations of G

Singleton Sets If S has only a single member, then a design for program
G(t, e, S) is as follows. Initially e = 0. The program has the following single
command which is executed infinitely often:

e < S.F.t e := S.F.t

Sets with more than one member If S has more than one member, then
partition S into k ii..i. ii.l subsets, Si where the cardinality of each subset
Si is strictly less than the cardinality of S. Implement G(t,e, S) as a parallel
composition of a program C(t,e, u, A) where A = (U : 0 < i < k : {ai}), and
program G(u, ai, Si), for 0 < i < k. Process G(u, ai, Si) computes the earliest
time at or after u at which all members of set Si can meet. Process C computes
the meeting time for the entire set S from the meeting times of each of the
subsets Si.

9 Related work

Predicate transformers The relationship between Hoare logic [Hoa69] and
wp was a motivation for our definition of wg. Just as the triple (or property)
{p}F{q} can be defined as [p = wp.F.q] for a sequential program F, we have a
defined the property Xguarantees Y as [X = wg.F.Y].

Since Di!: -,I ,'s initial formulation of predicate transformers for the lan-
guage of guarded commands, weakest precondition predicate transformers have
been developed for other sequential constructs such as recursion and various
notions of fairness 'L I' Hes92, BN94]. For ..i 11, 11. additional predicate
transformers such as sin, win [Lam90] and several temporal properties [JKR89,
('S'i., DS96] have been proposed. Predicate transformers have also been used
as a basis for defining program refinement [1; \\ -* Bac89, (;. 1 I t't,] for
both sequential and concurrent programs. The advantage of this work is that
once appropriate predicate transformers have been defined, reasoning can be
carried out in the familiar context of predicate calculus.
The treatment of properties as predicates on programs, and the use of both
predicates on programs and predicates on states in formulae, is found in [('S' 1.]
This approach coupled with the results on predicate transformers led to our idea
of a predicate transformer for dealing with parallel program composition.
Variants of rely/guarantee specifications have been proposed in numerous
papers including [Jon83, AL93, 1 S'11t. for 1,1. i.1 --1. i in LIS'l I1 LS.'j2,
in temporal logic frameworks in [Pnu84, 9i ,]J, and for TLA in particular in

The temporal logic approaches are more expressive than ours in the sense
that the specifications are statements about individual computations. For exam-
ple, in .\i.'i I, E -> M means that for each computation, the component will
satisfy M for at least one step longer than the environment satisfies E, where E
is a If; property. In contrast, a similar specification in our approach would
be essentially: If all computations satisfy E, than all computations satisfy M. A
, t,!. i. I .. is that both the property relied upon and the property guaranteed, in
our theory, are properties of the composed -- -1. 11 we do not use one property
for the environment and the other for the component or -- -1. i, and our model
does not have restrictions on sharing of state between components.
An axiomatic semantics based on predicate transformers for rely/guarantee
properties for UNITY with local variables has been given in [Col94, ('iK',,]
They define properties of the form F sat P w.r.t. R where F is a program, P
is a UNITY property such as leads-to, and R is an '".. !, '., ".. predicate con-
straining the next state relation of the environment. Two components cooperate
with respect to their interference predicates if neither violates the interference
predicate of the other. Proof rules allow rely/guarantee properties of compo-
sitions that cooperate with respect to the interference predicates to be derived
from the rely/guarantee properties of the components. Our ideas, particularly
with regard to the all-component and exists-component properties are directly
influenced by UNITY. The point of departure is that our guarantees properties
do not deal with properties of environments and components.

10 Summary

Predicate-transformers form the basis for axiomatic semantics for sequential
programming. !I, i researchers have contributed to a deep and elegant the-
ory of transformers. This paper applied the theory to an associative program
composition operator I| which has an i1l. !ii- element.
Our theory uses predicates on states of programs, and predicates on pro-
grams. We defined a program property as a predicate on programs. We intro-
duced a dyadic operator guarantees on program properties where X guarantees Y
has a litl. I. 1 I meaning than the traditional meaning of guarantee Y i.1 i-,
on X. The guarantees operator has i11i I, of the properties of implication.
We identified three useful kinds of properties, exists-component properties, all-
component properties, and encapsulation properties. We defined a property
transformer weakest guarantee, and presented theorems about the property, and
showed how it can help in modular reasoning about programs composed with |I.
Experience has shown that the theory of predicate transformers is very valu-
able in sequential programming. Using predicate transformers for I| has the
advantage that the powerful theory, developed initially for sequential program-
ming, can be applied to a different program composition operator. A unified
theory for a collection of program composition operators has benefits.


[AL93] Martin Abadi and Leslie Lamport. Composing specifications. AC.1
I .....-... : .... on Programming Languages and S.,,". .... 15(1):73-132,
Jan 1993.

AL\.'.] Martin Abadi and Leslie Lamport. C ..!ii.i!i!i- specifications. AC .1
I,' .....-... .- on Programming Languages and S.,,,i ... 17(3, .1
534, May 1995.

[Bac89] R.J.R. Back. Refinement calculus, Part II: Parallel and reactive pro-
grams. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg,
editors, Lecture Notes in Computer Science Volume 430, pages 67-
93. REX Workshop on i-. p i-. Refinement of Distributed Systems,

[BN94] Manfred Broy and Greg Nelson. Adding fair choice to Di1:-1 i 's cal-
culus. AC .1 I........ ..... on Programming Languages and S,,,i... '
16(3):924-938, 1994.

[1; \\ '*'] R.J.R. Back and J. von Wright. Refinement calculus, Part I: Sequen-
tial nondeterministic programs. In J.W. de Bakker, W.-P. de Roever,

and G. Rozenberg, editors, Lecture Notes in Computer Science Vol-
ume 430, pages 42-66. REX Workshop on *, l-, Refinement of
Distributed Systems, 1989.

[('i',i] Pierre Collette and Edgar Knapp. Logical foundations for com-
positional verification and development of concurrent programs in
UNITY. In Fourth International C-f', ... on Algebraic Methodol-
ogy and Sf1 .... T,. ... ..l.,, 95.

[(' !] K. Mani ('I! ,!AI1 and .,- ,1. Misra. Parallel Program Design: A
Foundation. Addison-W -1. 1988.

[Col94] Pierre Collette. Composition of assumption-commitment specifica-
tions in a UNITY -1 1. Science of Computer `,....i' ......, 23:107-
125, 1994.
[(S''.] K. Mani ('I !A1, and Beverly A. Sanders. Predicate transformers
for reasoning about concurrent computation. Science of Computer
F.,, '.....'.. "1. ., 24:129-148, 1995.

[DS90] Edsger W. Diil:-lI and Carel S. Scholten. Predicate Calculus and
Program Semantics. Springer-Verlag, 1990.

[DS96] Rutger Diil:-lI and Beverly Sanders. A predicate transformer for
the progress property 'to- ,1;- -'. Technical Report 96-033, Depart-
ment of Computer and Information Science and FI! -i.. ,i, 1996.

[(; 1 \\ .] J.V. Guttag, J.J. Horning, and J.M. Wing. The larch family of spec-
ification languages. IEEE Sf, .... , 2(5):24-36, 1985.

[( I'] P.H.B. Gardiner and Carroll Morgan. Data refinement of predicate
transformers. 1! ..' .,, Computer Science, 87:143-162, 1991.

[Hes92] Wim H. Hesselink. Programs, Recursion, and Unbounded ( !....
Predicate I, ...,I .. Semantics and I, .. I .. ..i .... Rules. Cam-
bridge tracts in theoretical computer science 27. Cambridge Univer-
-i- Press, 1992.

[Hoa69] C.A.R. Hoare. An axiomatic basis for computer programming.
( .1/, 12(10), October 1969.

[JKR89] C.S. Jutla, E. Knapp, and J.R. Rao. A predicate transformer ap-
proach to semantics of parallel programs. In Proceeding of the 8th
A( S,1,,' ...' .' I on Principles of Distributed C... .i.,i'' ,. 1989.

[Jon83] C.B. Jones. Tentative steps toward a development method for inter-
fering programs. AC .1 L ...I- ..!. : ... on Programming Languages and
S,,,,." .! 5(4):596-619, 1983.

[Lam90] Leslie Lamport. win and sin: Predicate transformers for concurrency.
AC(.1 ...-.... ..... on Programming Languages and S.,,". ..' 12(3),

[Lam94] Leslie Lamport. A temporal logic of actions. .I 1....!... ..f... on
Programming Languages and S.,i' ..." 16(3):872-923, 1994.

L1i.'2] S. S. Lam and A. U i 1!,: i I I! if i! i modules to satisfy interfaces-
a state transition approach. Distributed C'....i',,i '. 6(1):39-63, July

i.S''] S. S. Lam and A. U I!, !: ,i A theory of interfaces and modules 1:
Composition theorem. IEEE I ..i. ; .... on ,fi ..... r; ...
20(1):55-71, January 1994.

!-', ,J] J. Misra. A logic for concurrent programming: Progress. Journal of
Computer and .i .... .. ,.,F, .... .., 3(2):273-300, 1995.

!-'i.1i] J. Misra. A logic for concurrent programming: Safety. Journal of
Computer and fI,,, F...'. .,'' .... 3(2):239-272, 1995.

[ i 'll] Z. Manna and A. Pnueli. Completing the temporal picture. I
ical Computer Science, 83(1):97-130, 1991.

.IS' !I] R. Manohar and P. Sivilotti. Composing processes using modified
rely-guarantee specifications. Caltech technical report CS-TR-96-22,

I'i] Greg Nelson. A generalization of Di i:-1 i 's calculus. AC .f l........ -
tions on Programming Languages and S.,,'. .-.. 11(4):517-561, 1989.

[Pac92] Jan Pachl. A simple proof of a completeness result for leads-to in the
UNITY logic. T.f .. .. !,..' Processing Letters, 41, 1992.

[Pnu81] Amir Pnueli. The temporal semantics of concurrent programs. l
oretical Computer Science, 13:45-60, 1981.

[Pnu84] Amir Pnueli. In transition from global to modular temporal reasoning
about programs. In Krzysztof R. Apt, editor, Logics and Models of
Concurrent S,,i' .!. pages 123-144. Springer-Verlag, 1984.

[Rao91] J.-- ,il R. Rao. On a notion of completeness for the leads-to. Notes
on UNITY: 24-90, July 1991.

W' ,'i] Beverly Sanders. i.liii! hl,! the substitution axiom from UNITY
logic. Formal Aspects of C' .. /,,"'.", 3(2), 1991.

0 h' t.] Beverly A. Sanders. Data refinement of mixed specification: A gen-
eralization of UNITY. Acta f,.f ...!,,, 1996. to appear. Pre-
liminary version available as UF ('iSi. Technical Report 96-010
[SC96] Beverly A. Sanders and K. Mani ('!i ,, 1[ Exploiting historical infor-
mation about computations. Technical Report 96-034, Department
of Computer and Information Science and Fi-ii,.. i- Ci ,i -l
of Florida. 1996.
S I, .] Eugene W. Mi !: A proof technique for rely/guarantees properties.
In S. N. Maheshwari, editor, Foundations of S f ....... T, ......I,,, and
I !...... ,, Computer Science, pages 369-391, 1985. volume 206 of
Lecture Notes in Computer Science.

11 Appendix

We sketch the proof of (21), omitting steps that are just applications of UNITY-
-1 1.- proof rules in order to focus on compositional reasoning as presented in
this paper.
The desired property is (e follows S.earliest.t).C. In the interest of',i i -
we will omit the argument C in the following.

Lemma 1
Y A Y A ......... ... -., -* I guarantees e follows S.earliest.t
X = (u = k- (Vi: ai = u) A u = S.earliest.k)
Y = ((Vi : a = u) A u =S.earliest.k --- e (> S.earliest.k A u > t).

Lemma 2 From the text of C,
transient.((Vi : u = ai) A u = k A -(e > k A u > t))

Lemma 3 From lemma 2 and (18),
Z guarantees (Vi: a =u) Au= k --> e> kAu>t
Z = (Vi : u = ai Au= kA -(e> kAu>t)
((Vi:u = a) A u= k) V(e > kAu >t)

Lemma 5 From lemmas 1 and 3,

X A Z A nondecreasing.t guarantees e follows S.earliest.t

Lemma 6 From the text of C,


Lemma 7

[always.(ai < Si.earliest.u) A ....... ....... ., A always.( A constant.u =- Z]

Lemma 8 From lemmas 6 and 7 with 14 and env.constant.u,

(Vi:: < Si.earliest.u) A (Vi :: ....... .......,', ) A (Vi :: always.(

Now, it remains to find a convenient guarantees properties for X.

Lemma 9 From the text of C,

transient. ( > k) A u < I

Lemma 10 From lemma 9 and (18),

(Vi : ....... ... ... ., ) guarantees raxi.{ai} > k >u > k

Lemma 11

(Vi :: ai follows Si.earliest.u) A (Vi :: ....... .... .... ., )
u > k --- raxi..{ai} > maxi.{((Si,.earliest.k )}

Lemma 12 From lemmas 10 and 11, and induction,

(Vi : ai follows Si.earliest.u) A (Vi : .......1 ....... ,, ., 1
u > k --- u > S.earliest.k

Lemma 13 From lemma 12 and (Vl : k < I < S.earliest.k : S.earliest.l =

((u > k A u < S.earliest.k A -(Vi :: ai = u) next u < S.earliest.k
A(Vi :: always.(
A(Vi :: always.(ai <
A(Vi :: ai follows Si.earliest.u)
A(Vi .... ))

The right side of the next property only mentions u, which is locally-modifiable
in C. The property therefore holds if it holds in C. Since this is indeed the
case, we can simplify the above to

Lemma 14

(Vi :: always.(
A(Vi :: always.(ai <
A(Vi :: aifollowsSi.earliest.u)
A (V i :: ,,,,, ,, .. . .. ., ,

From lemmas 5 and 14, we conclude (21).
From lemmas 5 and 14, we conclude (21).

University of Florida Home Page
© 2004 - 2010 University of Florida George A. Smathers Libraries.
All rights reserved.

Acceptable Use, Copyright, and Disclaimer Statement
Last updated October 10, 2010 - - mvs