L. Lamport. A new approach to proving the correctness of multiprocess programs. Trans. on Prog. Lang. and Syst., 1(1):84--97, July 1979.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....that reflect the temporal ordering on the events. They were introduced by Lainport [13] as structures of the form (E, but here we need only one relation, which is written C, since we accept the global time assumption (see [2] More details about this notion can be found in Lamport s [12], 13] in Pratt s [iS] and in [3] 4] We begin by defining interval orderings. An irrefiexive and transitive relation R on a set E is called an interval ordering iff Va, b,c, deE(aRb A (cRb) A cRdaRd) 1) This is the Russell Wiener property) It is easy to prove that if a (a, a2) b ....

L. Lamport, A new approach to proving the correctness of multiprocess programs, ACM Trans. on Prog. Lang. and systems 1, (1979) 84-97.

....work and why the more general notion of refinement we are proposing is useful in practice. The second example tries to illustrate the increased power of the design method on an example that is closer connected to a real design problem, namely the implementation of a semaphore described by Lamport [12, 13, 14]. 5.1 Printing a file This example is inspired by the example of the design of a sender presented in [22] Assume that one wants to read a certain text encoded in DVI format. In order to do this one first has to print it with an event print dvi, and then read it with an event read. It is clear ....

....for his execution of the p operation until P 1 leaves the critical section and executes the subsequent v. A question tackled typically in the theory of operating systems is how a semaphore might be implemented by means of a more basic mechanism. One proposed implementation is the bakery algorithm [12, 13, 14]. This algorithm is inspired by the orderly manner in which the customers of American bakeries are apparently served. Each customer on entering the shop draws a ticket with a number on it that increases with each successively drawn ticket. There is a display behind the counter which holds the ....

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Trans. Prog. Lang. Syst., 1(1):84--97, July 1979.

....formalism: A B means that operation execution A precedes operation execution B; A 9 9 KB means that A can causally a ect B. These relations actually come from an earlier paper of Lamport s, where a similar formalism is used to prove the correctness of a nonatomic variant of the bakery algorithm [41]. The arrow relations are used in [42] to state general axioms that de ne the e ects of concurrent read and write operations. Some similar axioms are stated in [41] in the context of the bakery algorithm. Four mutual exclusion algorithms are presented in [43] The four algorithms di er in the ....

....earlier paper of Lamport s, where a similar formalism is used to prove the correctness of a nonatomic variant of the bakery algorithm [41] The arrow relations are used in [42] to state general axioms that de ne the e ects of concurrent read and write operations. Some similar axioms are stated in [41] in the context of the bakery algorithm. Four mutual exclusion algorithms are presented in [43] The four algorithms di er in the progress and fault tolerance properties they satisfy. Each algorithm is constructed using communication variables , which are simply single writer, multi reader ....

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84-97, July 1979.

....[Logic and Meanings of Programs] Specifying and Verifying and Reasoning about Programs. 1 1 Preface The Critical Section Problem is so well known that it suces to refer to any operating system text book for its description. One solution, the Bakery Algorithm (Lamport [9] and a variant in [10]) stands up for its naturalness and simplicity. Perhaps I should say deceiving simplicity since concurrent protocols can be very tricky sometimes. In this solution (reproduced below in Section 2) unbounded time stamps (natural numbers) are used to coordinate the processes access to their ....

....the Bakery Speci cation property 3 and the fact that X is nonterminating imply that ydominatesx. This however is not the case (by assumption) and hence y j H x. By de nition this implies that y ) x. But this is again a contradiction, and hence there is no deadlock. 35 6 Conclusions Lamport [10] describes the limitations of assertional proof techniques and advocates his new approach. Assertional techniques he writes are satisfactory for proving the correctness of individual subroutines (for which the correctness conditions can be expressed in terms of objects used directly by the ....

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Trans. on Prog. Lang. and systems 1, pp.84-97, 1979.

....timestamps is old and natural is illustrated by ancient ostracons (about 800 BC) from Sumeria which show how o erings of vine and oil were marked by date, place of origin, and destination. 1 critical section algorithm which ensures mutual exclusion with rst come rstserve property, see [19] and [20]) is an example of an algorithm that uses the natural numbers as pure timestamps. This unbounded protocol has stimulated much research, dealing mostly with the problem of devising timestamps with only bounded values (see [3] 12] 13] 16] 17] 18] We o er here a solution to the ....

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, Vol. 1: 84-97, 1979.

....timestamps is old and natural is illustrated by ancient ostracons (about 800 BC) from Sumeria which show how o erings of vine and oil were marked by date, place of origin, and destination. 1 critical section algorithm which ensures mutual exclusion with rst come rstserve property, see [19] and [20]) is an example of an algorithm that uses the natural numbers as pure timestamps. This unbounded protocol has stimulated much research, dealing mostly with the problem of devising timestamps with only bounded values (see [3] 12] 13] 16] 17] 18] We o er here a solution to the ....

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, Vol. 1: 84-97, 1979.

....proof could be naturally carried out in the evolving algebra framework of [Gurevich91] since the latter uses a notion of atomic instantaneous action. We construct, in Section 1, two evolving algebras, reflecting the lower and higher views of Lamport s improved version of the bakery algorithm (see [Lamport79]) In Section 2 we display abstract conditions on higher level actions, in terms of atomic action semantics, enabling a simple and concise proof of the first come first served property (FCFS) and deadlock freedom. The conditions are easily seen to be satisfied by corresponding lower level ....

....by CNR Gnasaga grant 2.94. the proof of the previous section goes through with only slight modifications. For the more general case of safe registers correctness of the algorithm from [Lamport74] is then easily proved by a slight adaptation of the present argument the improved algorithm from [Lamport79] is not correct for safe registers, as shown by a simple counterexample. Thus the two interpretations of evolving algebra dynamics reflect two disciplines for accessing shared registers by atomic and non overlapping reads and writes, or by durative and possibly overlapping ones. What really ....

[Article contains additional citation context not shown here]

Leslie Lamport, A New Approach to Proving the Correctness of Multiprocess Programs , in: ACM Transaction on Programming Languages and Systems, vol. 1:1, July 1979, 84--97.

No context found.

Lamport, L. A new approach to proving the correctness of multiprocess programs. ACM Trans. Program. Lang. Syst. 1, 1 (July 1979), 84--97.

No context found.

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

No context found.

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

.... of actions) 38] Along the way, he wrote many other important and widely read papers on veri cation and speci cation issues (there are too many such papers to mention them all here) Of particular relevance to this survey article is the work he did on verifying programs with nonatomic statements [27, 28, 31, 33, 37]. Some of this work is considered in the next section. 4 Atomicity Questioned The bakery algorithm showed that the circularity caused by assuming that statements execute atomically can be eliminated, at the price of using unbounded memory. This gives rise to several questions. Is it possible to ....

....formalism: A B means that operation execution A precedes operation execution B; A 9 9 KB means that A can causally a ect B. These relations actually come from an earlier paper of Lamport s, where a similar formalism is used to prove the correctness of a nonatomic variant of the bakery algorithm [27]. The arrow relations are used in [31, 33] to state general axioms that de ne the e ects of concurrent read and write operations, and to de ne what it means for a low level system to correctly implement a highlevel one. Some similar axioms are stated in [27] in the context of the bakery ....

[Article contains additional citation context not shown here]

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84-97, July 1979.

....Proofs based on these formalisms, including invariance proofs [4, 16] and temporal logic proofs [17] therefore seem incapable of yielding the necessary synchronization requirements. We derive these requirements from proofs based on a little used formalism that makes no atomicity assumptions [11, 12, 14]. This proof method is quite general and has been applied to a number of algorithms. The method of extracting synchronization commands from a proof is described by an example a simple mutual exclusion algorithm. It can be applied to the proof of any algorithm. Most programs are written in ....

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

....written by the writer before the read operation or a value written during the read. Moreover, if one read is completed before a second read is begun, then the first read cannot obtain a later value than the second. A future paper will describe the problem more rigorously, using the formalism of [1]. However, here I will be as informal as Peterson and pretend that my algorithm is also, in the words of [2] su#ciently simple that there is no need to provide complicated . formal proofs. The algorithm uses Solution 2 of [2] in which, using one copy of the data plus a few flags, the ....

....never waits but the readers can be starved by repeated writing. For any data item x, let read .of (x) and write.of (x) denote the reading and writing operations in an instance of Peterson s Solution 2 for that item. The current value of the data is kept in one of the two bu#ers bu# [0] and bu# [1], where the value of the variable num indicates which. Initially, num = 0 and bu# [0] has the starting data value. The basic idea of the algorithm is that a reader first reads num to see which bu#er contains the current value, then reads that value. The presumed correctness of the read.of and ....

Leslie Lamport. A New Approach to Proving the Correctness of Multiprocess Programs. ACM Trans. on Prog. Lang. and Systems 1, 1 (July 1979), 84-97.

....mutual exclusion problem itself is discussed in Part II [5] The formal model we have developed is radically di#erent from commonly used ones, and will appear strange to computer scientists accustomed to thinking in terms of atomic operations. It is a slight extension to the one we introduced in [6]. When diverging from the beaten path in this way, one is in great danger of becoming lost in a morass of irrelevance. To guard against this, we have continually used physical reality as our guidepost. Perhaps this is why hardware designers seem to understand our ideas more easily than computer ....

....this is quite unusual in theoretical computer science, we feel that it is necessary in explaining and justifying our departure from the traditional approach. 2 The Model We begin by describing a formal model in which to state the problem and the solution. Except for the one introduced by us in [6], all formal models 2 of concurrent processes that we know of are based upon the concept of an indivisible atomic operation. The concurrent execution of any two atomic operations is assumed to have the same e#ect as executing them in some order. However, if two operations can a#ect one ....

[Article contains additional citation context not shown here]

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

....transition is atomic. These models are not appropriate for studying such fundamental questions as what it means to implement an atomic operation, in which the nonatomicity of operations must be directly addressed. More conventional formalisms are therefore eschewed in favor of one introduced in [7] and refined in [6] in which the primitive elements are 1 In the context of databases, atomicity often denotes the additional property that a failure cannot leave the database in a state reflecting a partially completed transaction. In this paper, the possibility of failure is ignored, so no ....

....in a state reflecting a partially completed transaction. In this paper, the possibility of failure is ignored, so no distinction between atomicity and serializability is made. 2 operation executions that are not assumed to be atomic. This formalism is described below; the reader is referred to [7] and [6] for more details. A system execution consists of a set of operation executions, together with certain temporal precedence relations on these operation executions. Recall that an operation execution represents a single execution of some operation. When all operations are assumed to be ....

[Article contains additional citation context not shown here]

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

....about its operations. Our proof reveals that the algorithm has a subtle bug more precisely, its correctness depends upon unstated assumptions. Correctness proofs of the bakery algorithm have appeared in [9] and [10] and a proof of a variant, requiring the same assumptions, appeared in [11]. The fact that none of these other proofs revealed the hidden assumption indicates the utility of the approach presented here. Our final example illustrates a di#erent use of the predicate transformers. Assertional reasoning, based upon invariance, has proved to be more reliable than behavioral ....

....win and sin. In judging the utility of win and sin, it is instructive to consider why previous correctness proofs of the bakery algorithm did not discover its hidden assumptions. The original proof in [9] is an informal behavioral one, so it is not surprising that it is incorrect. The proof in [11] utilizes a set of axioms for reasoning about behaviors involving nonatomic operations. While the use of axioms gives an appearance of extreme rigor, the method ultimately reduces to the unstructured, informal reasoning of ordinary mathematics. The undetected assumptions in the bakery algorithm ....

Lamport, L. A new approach to proving the correctness of multiprocess programs. ACM Trans. Program. Lang. Syst. 1, 1 (July 1979), 84--97.

....Proofs based on these formalisms, including invariance proofs [4, 16] and temporal logic proofs [17] therefore seem incapable of yielding the necessary synchronization requirements. We derive these requirements from proofs based on a little used formalism that makes no atomicity assumptions [11, 12, 14]. This proof method is quite general and has been applied to a number of algorithms. The method of extracting synchronization commands from a proof is described by an example a simple mutual exclusion algorithm. It can be applied to the proof of any algorithm. Most programs are written in ....

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

....transition is atomic. These models are not appropriate for studying such fundamental questions as what it means to implement an atomic operation, in which the nonatomicity of operations must be directly addressed. More conventional formalisms are therefore eschewed in favor of one introduced in [7] and refined in [6] in which the primitive elements are 1 In the context of databases, atomicity often denotes the additional property that a failure cannot leave the database in a state reflecting a partially completed transaction. In this paper, the possibility of failure is ignored, so no ....

....in a state reflecting a partially completed transaction. In this paper, the possibility of failure is ignored, so no distinction between atomicity and serializability is made. operation executions that are not assumed to be atomic. This formalism is described below; the reader is referred to [7] and [6] for more details. A system execution consists of a set of operation executions, together with certain temporal precedence relations on these operation executions. Recall that an operation execution represents a single execution of some operation. When all operations are assumed to be ....

[Article contains additional citation context not shown here]

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

....about its operations. Our proof reveals that the algorithm has a subtle bug more precisely, its correctness depends upon unstated assumptions. Correctness proofs of the bakery algorithm have appeared in [9] and [10] and a proof of a variant, requiring the same assumptions, appeared in [11]. The fact that none of these other proofs revealed the hidden assumption indicates the utility of the approach presented here. Our final example illustrates a different use of the predicate transformers. Assertional reasoning, based upon invariance, has proved to be more reliable than ....

....win and sin. In judgingthe utilityof winand sin, it is instructive to consider why previous correctness proofs of the bakery algorithm did not discover its hidden assumptions. The original proof in [9] is an informal behavioral one, so it is not surprising that it is incorrect. The proof in [11] utilizes a set of axioms for reasoning about behaviors involvingnonatomic operations. While the use of axioms gives an appearance of extreme rigor, the method ultimately reduces to the unstructured, informal reasoning of ordinary mathematics. The undetected assumptions in the bakery algorithm ....

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84-- 97, July 1979.

No context found.

L. Lamport. A new approach to proving the correctness of multiprocess programs. Trans. on Prog. Lang. and Syst., 1(1):84--97, July 1979.

No context found.

L. Lamport. A new approach to proving the correctness of multiprocess programs. Trans. on Prog. Lang. and Syst., 1(1):84--97, July 1979.

No context found.

Leslie Lamport, A New Approach to Proving the Correctness of Multiprocess Programs , in: ACM Transaction on Programming Languages and Systems, vol. 1:1, July 1979, 84--97.

No context found.

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, Vol. 1: 84-97, 1979.

No context found.

Leslie Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84--97, July 1979.

No context found.

L. Lamport. A new approach to proving the correctness of multiprocess programs. ACM Transactions on Programming Languages and Systems, 1(1):84-97, July 1979.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC