E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


This paper is cited in the following contexts:


The "Hoare Logic" of CSP, and All That - Lamport, Schneider (1984)   (5 citations)

....1. INTRODUCTION A variety of methods have been proposed for reasoning about concurrent programs. Most of these are for proving safety properties, properties asserting that the program never enters an unacceptable state. Some methods deal with concurrent programs that use shared variables [2, 4, 11, 12, 16, 18]; more recently, the absence of shared variables in CSP [10] has led to other techniques for reasoning about such programs [1, 5, 15, 19]. This diversity of methods has obscured the fact that there is really a simple principle involved in all of them: proving the invariance of an assertion. The ....

....the invariance of a predicate. This, in turn, has led to new specification methods for concurrent programs [14] and we hope it will lead to improved techniques for constructing concurrent programs. Using invariance to reason about concurrent programs is not new, having been proposed by Ashcroft [2] and Keller [11]. What GHL does is provide a logic for deriving invariance properties of a program. In this paper, we show how various techniques for establishing safety properties of concurrent programs can be formulated in GHL in terms of invariance. Section 2 contains an overview of GHL and ....

ASHCROFT, E.A. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10 (Jan. 1975), 110--135.


Thread-Modular Verification For Shared-Memory Programs - Flanagan, Freund, Qadeer (2001)   (10 citations)

....significantly complicates the analysis because of the potential for interference between threads; each atomic step of a thread can influence the subsequent behavior of other threads. For multithreaded programs, more complex analysis techniques are necessary. The classical assertional approach [Ash75, OG76, Lam77, Lam88] requires control predicates at each program point to specify the reachable program states, but the annotation burden for using this approach is high. Some promising tools [CDH 00, Yah01] use model checking and abstract interpretation to infer the reachable state set ....

E.A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, January 1975.


Composition: A Way to Make Proofs Harder - Lamport (1997)   (15 citations)

....of what makes an implementation correct. Finding the right invariant, and proving its invariance, suffices to prove the desired safety properties of many concurrent algorithms. This is the basis of the first practical method for reasoning about concurrent algorithms, which is due to Ashcroft [5]. 3.6 A Formula by any Other Name We have been calling formulas like # and # descriptions or models of a system. It is customary to call them specifications. This term is sometimes reserved for high level description of systems, with low level descriptions being called implementations. We ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.



How to Make a Correct Multiprocess Program Execute Correctly on a .. - Lamport (1993)   (11 citations)

....The commonly used formalisms for describing multiprocess programs assume atomicity of memory accesses. When an assumption is built into a formalism, it is difficult to discover from a proof where the assumption is actually needed. Proofs based on these formalisms, including invariance proofs [4, 16] and temporal logic proofs [17], therefore seem incapable of yielding the necessary synchronization requirements. We derive these requirements from proofs based on a little used formalism that makes no atomicity assumptions [11, 12, 14]. This proof method is quite general and has been applied to a ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Specifying and Verifying Fault-Tolerant Systems - Lamport, Merz (1994)   (24 citations)

....generals problem and give a rigorous, hierarchically structured proof of its correctness. We demonstrate that this is an engineering exercise, requiring no new scientific ideas. 1 Introduction Assertional verification of concurrent systems began almost twenty years ago with the work of Ashcroft [4]. By the early 1980s, the basic principles of formal specification and verification of concurrent systems were known [10, 12, 19]. More precisely, we had learned how to specify and verify those aspects of a system that can be expressed as the correctness of an individual execution. Fault-tolerant ....

....Issue(h) 2(p) 1 denotes the formula rcvd # [h] rcvd [h] except [h] p] Theorem SpecGood is of the form Spec ⇒ □P, for a state predicate P. If Spec were of the canonical form Init ∧ □[N]_v, then this would be a completely standard proof using the method first described by Ashcroft [4]: find a state predicate I (the invariant) such that (i) Init implies I, (ii) I implies P, and (iii) I ∧ [N]_v implies I′. This TLA formulation of the proof method is more transparent than its original description as a method for reasoning about programs. Since Spec is written as the ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


A Temporal Logic of Actions - Lamport (1990)   (158 citations)

....[AS85] Although the proofs of both types of properties can be carried out in the same temporal logic of actions, they use different styles of reasoning. 4. 1 Safety Properties Assertional methods for proving safety properties, including Floyd's method for sequential programs, and the Ashcroft [Ash75] and Owicki-Gries [OG76] methods for concurrent programs, all have the same logical basis: the Invariance Rule is used to prove a formula = # # #P , for some predicate P . We give two simple examples of how such proofs are expressed in the temporal logic of actions. The first safety ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Verification and Specification of Concurrent Programs - Lamport (1993)   (17 citations)

....as Cartesian products; data refinement is just a function from one set of states to another. The Floyd-Hoare method works because it reduces reasoning about programs to everyday mathematical reasoning. It is the basis of most practical methods of sequential program verification. Ashcroft [8] extended state based reasoning to concurrent programs. He generalized Floyd's method for proving partial correctness to concurrent programs, where concurrency is expressed by fork and join operations. As in Floyd's method, one assigns to each control point an assertion that should hold whenever ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Pretending Atomicity - Lamport, Schneider (1989)   (8 citations)

....t 0 , t n of #, if t 0 = Init then t i = Q, for 0 # i # n. This property is equivalent to For all states t and u: if t ## =# u and t = Init , then u = Q. Properties of the form Init ⇒ □Q are proved with the Owicki-Gries method [10] and similar assertional methods [2, 6]. Moreover, by adding auxiliary variables to the program, any safety property can be expressed in this form. 3.1.5 Operations The notion of a statement is meaningful only in the context of a programming language. To make our results independent of any language, we will define reduction with ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


win and sin: Predicate Transformers for Concurrency - Lamport (1990)   (22 citations)

....any of those variables. The action (2) does not modify any variables other than the x p ; it does not access any set of variables that does not contain the x p and is not accessed by any of the e p . In the simplified bakery algorithm, the action described by # 2 modifies only the variables num[2], at(# 2 ) and at(# 2j ) for all j ≠ 2; it does not access the set at(# 1 ) at(# 12 ) as well as many other sets of variables) the set at(cs i ) at(# i ) What all this means is that there is no unique definition of the set of variables that are accessed by a state function. ....

....body of a loop statement consists of a single atomic operation #, then # is its own predecessor. 2. 6 The Owicki-Gries Method: Decomposing the Invariant One can prove directly that a predicate I is a program invariant by proving I # I for every atomic operation #, as proposed by Ashcroft [2]. However, in the Owicki-Gries method [10; 14] the proof is decomposed into smaller steps by writing I as a conjunction of simpler predicates. For our cobegin programs, I is written in the form # ### (at(#) # I # ) # (after(#) # I # # ) (3) for predicates I # and I # # . Intuitively, I is ....

Ashcroft, E. A. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10, 1 (Feb. 1975), 110--135.


Control Predicates are Better than Dummy Variables for Reasoning.. - Lamport (1987)   (8 citations)

....the ordinary Owicki-Gries method that makes it easier to write annotations. Our strengthening of the Owicki-Gries method eliminates a well known weakness in the original method. Assertional methods for proving safety properties involve proving the invariance of an assertion. In the Ashcroft method [1], one writes a single global assertion; in the Owicki-Gries method, the global assertion is decomposed into an annotation of the program. It often happens that when the global invariant used in an Ashcroft method proof is decomposed in the obvious way, the original Owicki-Gries method cannot prove ....

Ashcroft, E. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10 (Jan. 1975), 110--135.


The Temporal Logic of Actions - Lamport (1993)   (158 citations)

....programs. These methods go back to Floyd [1967], who first proved partial correctness and termination of sequential programs. Hoare [1969] recast partial correctness reasoning into a logical framework. The first practical assertional method for reasoning about concurrent programs was proposed by Ashcroft [1975]. Ashcroft's work was followed by a number of variations on the same theme [Flon and Suzuki 1978; Keller 1976; Lamport 1977], but the one that became popular is the Owicki-Gries method, developed by Susan Owicki in her thesis [Owicki 1975], which was supervised by David ....

Ashcroft, E. A. 1975. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10, 110--135.


A Timing-based Schema for Stabilizing Information Exchange - Anish Arora David (1995)   (3 citations)

....stabilizing solutions for maintaining spanning trees (due to Perlman), data links and virtual circuits (due to Spinelli). We have found even fewer timing based protocols in the literature that are formally verified. As regards verification methods, our approach builds on previous work [3 10]. We restrict our proofs of timing properties to the use of two bounded temporal concepts, namely bounded response and bounded invariance. These two concepts appear to be sufficient for reasoning about the timing properties of fault tolerant protocols [11]. We use timing properties essentially to ....

....within bounded time a state where S holds. 2.2 Verification An established method for verifying the correctness of untimed protocols is to exhibit a state invariant. Intuitively, the state invariant of a protocol is a state predicate that characterizes the intended states of protocol execution [3, 4, 5]. Thus, every computation of an untimed protocol that starts at a state where its state invariant holds is an intended computation, one that meets the (safety and progress properties of the) problem specification that the protocol satisfies. This method of state invariants remains valid for ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, 1975.


A Systematic Approach to Parallel Program Verification - Takaoka (1995)

....analyze control flows of a parallel program. Our approach is based on the assertional method, which was originated for sequential program verification by Hoare [5] and Floyd [3]. There are a number of authors who used the assertional method for parallel program verification. They include Ashcroft [1], Owicki and Gries [13], Lamport [9], etc. Generally speaking, we cannot verify a parallel program by checking the consistencies of assertions on program variables in the comprising processes locally, since an assertion in one process is affected by where other processes are currently being ....

Ashcroft, E.: Proving assertions about parallel programs, JCSS, Vol. 10, pp. 110--135 (1975).



Formal But Lively Buffers in TLA - Ladkin (1996)

....specification and a description of the implementation in TLA, and proving that the implementation description logically implies the specification. Implementation is implication. The proof is carried out by using the assertional method [Gri81] as adapted to concurrent programs by Ashcroft [Ash75]. Section 8 gives a general TLA proof scheme for showing that one description implements another. A proof using this schema may be many pages long; for examples see [LLOR95]. A TLA specification has the form Init 2[N ] vars F vars (M) Init is a description of the initial state in which the ....

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Pretending Atomicity - Lamport, Schneider (1989)   (8 citations)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


win and sin: Predicate Transformers for Concurrency - Lamport (1990)   (22 citations)

No context found.

Ashcroft, E. A. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10, 1 (Feb. 1975), 110--135.


How to Make a Correct Multiprocess Program Execute Correctly on a .. - Lamport (1996)   (11 citations)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Control Predicates Are Better Than Dummy Variables For Reasoning.. - Lamport (1988)   (8 citations)

No context found.

Ashcroft, E. Proving assertions about parallel programs. J. Comput. Syst. Sci. 10 (Jan. 1975), 110--135.


Lazy Caching in TLA - Ladkin, Lamport, Olivier, Roegel (1999)   (10 citations)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Specifying and Verifying Fault-Tolerant Systems - Lamport (1994)   (24 citations)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


A Temporal Logic of Actions - Leslie Lamport April (1994)   (158 citations)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. Journal of Computer and System Sciences, 10:110--135, February 1975.


Proving the Correctness of Simpson's 4-slot ACM Using an.. - Henderson (2003)

No context found.

E. A. Ashcroft. Proving assertions about parallel programs. JCSS, 10:110--135, February 1975.


Hierarchical Finite State Machines with Multiple Concurrency.. - Girault, Lee, Lee (1999)   (25 citations)

No context found.

E. A. Ashcroft, "Proving assertions about parallel programs," J. Comput. Syst. Sci., vol. 10, no. 1, pp. 110--135, 1975.


CiteSeer.IST - Copyright Penn State and NEC