Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....because they allow a property to be established for all possible program executions by considering a single step of the program. A predicate Q is a safety property of P if Q holds in all states reachable in any execution of P. Let $Q_0$ be the initial state predicate of P. It can be shown (see [14]) that Q is a safety property of P if and only if there is an invariant I such that $Q_0 \Rightarrow I$ and $I \Rightarrow Q$. Often, finding an invariant requires the insight of the designer, and this approach is taken for some of the proofs in this paper. In some cases, invariants can be found automatically by ....
....of P if and only if there is an invariant I such that $Q_0 \Rightarrow I$ and $I \Rightarrow Q$. Often, finding an invariant requires the insight of the designer, and this approach is taken for some of the proofs in this paper. In some cases, invariants can be found automatically by model checking [7]. Let win(P, Q) [14] be the least fixpoint of wp(P) starting from Q, i.e. apply the wp operator until it converges. If the state space of P is finite, this computation will converge in a finite number of steps. The predicates in this fixpoint computation can be represented either explicitly or by symbolic means such ....
L. Lamport. win and sin: Predicate transformers for concurrency. Technical Report 17, Digital Equipment Corporation, Systems Research Center, Palo Alto, CA, May 1987.
....A predicate I is an invariant if I holding in some state ensures that I will hold in all possible subsequent states of the program. In particular, I is an invariant of P iff $I \Rightarrow \mathit{wp}(P, I)$. A predicate Q is a safety property of P if Q holds in all states reachable in any execution of P. As shown in [28], Q is a safety property of P if and only if there is an invariant I such that $Q_0 \Rightarrow I$ and $I \Rightarrow Q$. is a refinement of P if every reachable state transition that P can make corresponds to a move of P. More formally, refinement is defined with respect to an abstraction mapping A that maps the ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Trans. Program. Lang. Syst., 12(3):396--428, July 1990.
....A predicate I is an invariant if I holding in some state ensures that I will hold in all possible subsequent states of the program. In particular, I is an invariant of P iff $I \Rightarrow \mathit{wp}(P, I)$. A predicate Q is a safety property of P if Q holds in all states reachable in any execution of P. As shown in [12], Q is a safety property of P if and only if there is an invariant I such that $Q_0 \Rightarrow I$ and $I \Rightarrow Q$. Intuitively, program P is a refinement of P if every reachable state transition that P can make corresponds to a move of P. More formally, refinement is defined with respect to an abstraction ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. Technical Report 17, Digital Equipment Corporation, Systems Research Center, Palo Alto, CA, May 1987.
....work and why the more general notion of refinement we are proposing is useful in practice. The second example tries to illustrate the increased power of the design method on an example that is more closely connected to a real design problem, namely the implementation of a semaphore described by Lamport [12, 13, 14]. 5.1 Printing a file. This example is inspired by the example of the design of a sender presented in [22]. Assume that one wants to read a certain text encoded in DVI format. In order to do this one first has to print it with an event print dvi, and then read it with an event read. It is clear ....
....for his execution of the p operation until P 1 leaves the critical section and executes the subsequent v. A question tackled typically in the theory of operating systems is how a semaphore might be implemented by means of a more basic mechanism. One proposed implementation is the bakery algorithm [12, 13, 14]. This algorithm is inspired by the orderly manner in which the customers of American bakeries are apparently served. Each customer on entering the shop draws a ticket with a number on it that increases with each successively drawn ticket. There is a display behind the counter which holds the ....
L. Lamport. win and sin: Predicate transformers for concurrency. ACM Trans. Prog. Lang. Syst., 12(3):396--428, July 1990.
....proof of the state transformation semantics $O_{st}$ in the previous subsection. Remark 2.14 The above definition shows some similarities with the definition of the weakest invariant in terms of the weakest liberal precondition, i.e. win (oe; Q) 2oe wlp ( Q) as at page 408 of [Lam90]. By means of the above defined predicate transformer semantics $O_{pt}$, the predicate transformer semantics $O_{pt}$, which maps statements to predicate transformers, is defined. Definition 2.15 The predicate transformer semantics $O_{pt}$ : Stat PT is defined by $O_{pt}(s)$ G n $O_{pt}(s; n)$ ....
L. Lamport. win and sin: Predicate Transformers for Concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....of system S implied by A and win[S; B] is the weakest invariant implying B. These invariants always exist and can be defined as extremal fixpoints of continuous functionals. They can be written in infinitary logic, that is, classical logic extended with infinite conjunction and disjunction. See [14, 23, 28] for more details. 2.5 A temporal logic Hoare logic is appropriate to deal with invariance properties, but not with liveness properties. Several programming logics have been proposed that take into account both kinds of properties. As the language fcs is similar to the language unity, the ....
....determined. From the theoretical point of view, the best choice for the refined invariant is the strongest choice I 0 = def sin[I ; S 0 ] a state s satisfies this formula if and only if a computation (s 0 ; s 1 ; of S 0 exists such that s 0 satisfies I and s = s n for some n. See [23] for more details about the predicate transformer sin. Fixpoint based methods exist for computing a monotonic sequence of formulas whose limit is the strongest invariant [8, 30] but the limit itself cannot be determined in a systematic way, except in the degenerate case where S 0 is a ....
L. Lamport, win and sin : Predicate Transformers for Concurrency, ACM Trans. Programming Languages Syst. 12 (1990) 396-428.
....in particular by Sanders [24], Knapp [13] and Misra [22]; the interpretation given in this chapter is from Knapp. A clear example of the distinction between invariant and always true is in van Gasteren and Tel [27]. The notion of the strongest invariant has been around for a long time; see Lamport [16] and Sanders [24] in particular. Section 3.5.6, Auxiliary Variables, follows the treatment in Misra [21]. For completeness of UNITY logic see Jutla, Knapp and Rao [12] and Cohen [5]. Exercise 18 is from the latter reference. There are many other formalisms that are effective for expressing safety ....
L. Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, 1990.
....are central to this verification. Manually finding a suitable invariant can be a difficult task. In the next section, we describe how invariants can be automatically derived. 6 Deriving Invariants Given a program, Q, and a safety property, P, we are interested in finding the weakest invariant [Lam87] of Q that implies P. We write $\mathit{win}_{P,Q}$ to denote this invariant. When we say that $\mathit{win}_{P,Q}$ is the weakest invariant of Q that implies P, we mean that if I is any other invariant of Q that implies P, then if I is satisfied in some state s, $\mathit{win}_{P,Q}$ is satisfied in s as well. The existence of a ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. Technical Report 17, Digital Equipment Corporation, Systems Research Center, Palo Alto, CA, May 1987.
.... predicate transformers for the language of guarded commands, weakest precondition predicate transformers have been developed for other sequential constructs such as recursion and various notions of fairness [Nel89, Hes92, BN94]. For concurrency, additional predicate transformers such as sin, win [Lam90] and several temporal properties [JKR89, CS95, DS96] have been proposed. Predicate transformers have also been used as a basis for defining program refinement [BvW89, Bac89, GM91, San96] for both sequential and concurrent programs. The advantage of this work is that once appropriate predicate ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3), 1990.
....(not universally) disjunctive is probably new, but we are not particularly enthusiastic about its importance; we presented this material primarily for its use in the proof of (101). The predicate transformer $\langle A \rangle$ is also an old idea. Most similar in spirit to our use of $\langle A \rangle$ is the work of Lamport [Lam90] where, for example, we find (approximately) the following theorem: p stable in A) A dec B) $\langle B \rangle \neg p$ stable in A) (SIN3, p. 410). 1 Convergence We are not the first to recommend the use of convergence properties. Two other examples that we are aware of are [Gou89] where they are used as a ....
L. Lamport. win and sin: Predicate transformers for concurrency. TOPLAS, 12(3), 1990.
No context found.
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
No context found.
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
No context found.
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
.... (Number [p] p) Number [q] q) Although the argument given here ostensibly seems correct, as Lamport discovered some years later, it is actually somewhat flawed, because it is based on some implicit (though mild) assumptions regarding how nonatomic writes of Number [q] are implemented; see [37] for details. Another interesting property of the bakery algorithm is that it is resilient to the premature termination of processes. When a process p terminates prematurely, it is required to set both Choosing [p] and Number [p] to 0 and then return to its noncritical section and halt. It is ....
.... of actions) 38] Along the way, he wrote many other important and widely read papers on verification and specification issues (there are too many such papers to mention them all here). Of particular relevance to this survey article is the work he did on verifying programs with nonatomic statements [27, 28, 31, 33, 37]. Some of this work is considered in the next section. 4 Atomicity Questioned The bakery algorithm showed that the circularity caused by assuming that statements execute atomically can be eliminated, at the price of using unbounded memory. This gives rise to several questions. Is it possible to ....
L. Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396-428, July 1990.
....(N # A) In case (i) we can extend # to a behavior satisfying S # GSF(P, A) by taking a finite (possibly null) sequence of N 9 The P # in the definition of gw is redundant and is included for symmetry. All these operators can be expressed in terms of the weakest invariant operator win [11], since Enabled (N # B) is equivalent to win(N, Enabled B) for any action B. A state predicate Q is considered to be an action by letting $\langle s, t \rangle$ satisfy Q iff s does. 10 For a state predicate Q, the formula S # #Q asserts that Q holds for every state of every behavior satisfying S ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....are closed under the operations of first order logic (conjunction, quantification, etc.), priming, forming tuples, and primitive recursive definitions. Relative completeness results for programming logics are generally based on some form of predicate transformer analogous to the sin operator of [7]. For any action A and state predicate P, the state predicate sin(A, P) can be defined by $[\![\mathit{sin}(A, P)]\!](s) \triangleq \exists s_0, \ldots, s_n \in S : (s = s_n) \wedge [\![P]\!](s_0) \wedge (\forall i < n : [\![A]\!](s_i, s_{i+1}))$ (6) for all states s. We first show completeness of the TLA rules for proving invariance ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....operations are needed. A less obvious approach uses the predicate transformers win (weakest invariant) and sin (strongest invariant) to write assertional proofs for algorithms in which no atomic operations are assumed, requirements on the memory architecture being described by axioms [15]. Such a proof would establish the correctness of an algorithm for a large class of memory architectures. However, in this approach, all intraprocess # relations are encoded in the algorithm, so the proofs are unlikely to help discover the very precedence relations that lead to the introduction ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....angle brackets from Figure 2. However, it is not so easy to say precisely what such a specification means and how one verifies the correctness of an implementation. The transition axiom method can be extended to handle nonatomic operations by introducing the formal concepts described in [11] and [10]. 4.3 Modularity and Hierarchical Decomposition Can one hierarchically decompose transition axiom specifications? There are two kinds of hierarchical decomposition: (1) decomposition within a single level of abstraction, and (2) representation of a higher level system as a composition of ....
Leslie Lamport. win and sin: Predicate Transformers for Concurrency. Research Report 17, Digital Equipment Corporation, Systems Research Center, May 1987.
....either GWF(P,A) or GSF(P,A) for state predicate P and action A, then #S, L# is machine closed iff S implies #gw(P,N, A) 7 6 The P # in the definition of gw is redundant and is included for symmetry. All these operators can be expressed in terms of the weakest invariant operator win [11], since ENABLED (N # B) is equivalent to win(N, ENABLED B) for any action B. A state predicate Q is considered to be an action by letting $\langle s, t \rangle$ satisfy Q iff s does. 7 For a state predicate Q, the formula S # #Q asserts that Q holds for every state of every behavior satisfying S. ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
....operations are needed. A less obvious approach uses the predicate transformers win (weakest invariant) and sin (strongest invariant) to write assertional proofs for algorithms in which no atomic operations are assumed, requirements on the memory architecture being described by axioms [15]. Such a proof would establish the correctness of an algorithm for a large class of memory architectures. However, in this approach, all intraprocess relations are encoded in the algorithm, so the proofs are unlikely to help discover the very precedence relations that lead to the introduction ....
Leslie Lamport. win and sin: Predicate Transformers for Concurrency. Research Report 17, Digital Equipment Corporation, Systems Research Center, May 1987.
....are closed under the operations of first order logic (conjunction, quantification, etc.), priming, forming tuples, and primitive recursive definitions. Relative completeness results for programming logics are generally based on some form of predicate transformer analogous to the sin operator of [7]. For any action A and state predicate P, the state predicate sin(A, P) can be defined by $[\![\mathit{sin}(A, P)]\!](s) \triangleq \exists s_0, \ldots, s_n \in S : (s = s_n) \wedge [\![P]\!](s_0) \wedge (\forall i < n : [\![A]\!](s_i, s_{i+1}))$ (6) for all states s. We first show completeness of the TLA rules for proving invariance ....
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
No context found.
Leslie Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on programming languages and systems, 12(3), June 1990.
No context found.
L. Lamport. win and sin: Predicate transformers for concurrency. ACM Transactions on Programming Languages and Systems, 12(3):396--428, July 1990.
No context found.
L. Lamport, "win and sin: Predicate Transformers for Concurrency", DEC SRC Report 17, 1987.
CiteSeer.IST - Copyright Penn State and NEC