Lecture Notes ni Computer Science Edited yb .G Goos dna .J sinamtraH 131 I I scigoL fo smargorP ,pohskroW Yorktown Heights, New ,kroY yaM 1891 detidE yb Dexter nezoK galreV-regnirpS Berlin Heidelberg NewYork 1982 Editorial Board W, Brauer P. Brinch Hansen D. Gries C. Moler G. Seegm(Jller .J Stoer N. Wirth Editor Dexter Kozen IBM Research Yorktown Heights, NY 10598, USA OR Subject Classifications (1979): 5.21, 5.24 ISBN 3-540-11212-X Springer-Verlag Berlin Heidelberg New York 1SBN 0-387-11212-X Springer-Verlag NewYork Heidelberg Berlin is work This tcejbus to .thgirypoc rights All era ,devreser the of part or whole the whether lairetam is ,denrecnoc those specifically of ,noitalsnart ,gnitnirper esu-er of ,snoitartsulli ,gnitsacdaorb noitcudorper yb photocopying enihcam or similar ,snaem dna storage ni data .sknab rednU the § of 54 namreG Copyright waL copies where era private than other for made ,esu fee a si elbayap to tfahcsttesegsgnutrewreV" ,"troW .hcinuM © yb galreV-regnirpS Berlin t982 Heidelberg detnirP ni ynamreG gnitnirP dna Beltz binding: ,kcurdtesffO .rtsgreB/hcabsmeH 012345-0413/5412 FOR EWORD It is almost twenty years since the foundations of programming logic were laid, and the field is as active now as ever. Current interest ranges all the way from prac- tical program verification and specification to model theory and complexity. With such a broad field, it was inevitable that distinct schools would develop, each with its own language and philosophy, leading at times to duplicated effort and misunder- stand ing. The Logics of Programs Workshop was conceived as a way to bring the various schools together to air new ideas and old grudges, share results and tech- niques, and perhaps reach some consensus about where the field should be heading. The workshop was held at the IBM Thomas J. Watson Research Center in Yorktown Heights, New York on May 4, 5, and 6, 1981. Fifty-five participants from nine countries took part [n two and a half days of technical presentations and a half day of round-table discussion. The technical papers which appear in Part I of this vol- ume have not been refereed and are to be considered working papers. Part II con- tains an edited transcript of the discussion. The workshop was made possible through the generous support of the National Science Foundation 1 and IBM Corporation. I sincerely thank everyone who helped make the workshop a success, especially Leonard E3erman, Celeste Bertin, Meera Blattner, JohnCherniavsky, Jeanne Ferrante~ Steve Fortune, Albert Meyer, Karen MCdler, Rohit Parikh, Vaughan Pratt, Dana V~ering, and Mark Wegman. Special thanks go to Michelte Cofer for her expert handling of minor crises, Jim Thatcher and Diana Seidel for providing accommodations and organizing a superb party, and Frances Kozen fop general support in ways too numerous to mention. Dexter Kozen Yorktown Heights, New York September 1, 1981 1Grant MCSS0 19346. ill CONTENTS I. Technical and Position Papers ...................................... Krzysztof R. Apt and Ernst-Rudiger Olderog Proof Rules Dealing with Fairness ................................. | J. Bergstra~ A. Chmielinska~ and J. Tiuryn Roarers Logic is Incomplete When It Does Not Have To Be ............ 9 J, Bergstra and J.V. Tucker The Refinement of Specifications and the Stability of Roarers Logic . .. 24, Robert Cartwright Toward a Logical Theory of Program Data .......................... 37 Edmund M. Clarke and E. Allen Emerson Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic .................................................. 52 Robert L. Constable and Daniel R. Zlatin The Type Theory of PL/CV3 ...................................... ?2 J.W. de Bakker~ J.W. Klop~and J.-J. Ch. Meyer Correctness of Programs with Function Procedures .................. 94 Willem P. de Roever A Formalism for Reasoning about Fair Termination .................. t13 Brent Hailpern Keeping a Foot on the Ground (position paper) ....................... 122 D. Harel~ A. Pnueli~ and J. Stavi Further Results on Propositional Dynamic Logic of Nonregular Programs 124 Theo M.V. Janssen and Peter van Emde Boas Some Observations on Compositional Semantics ...................... 137 A.J. Kfoury Some Connections Between Iterative Programs ~ Recursive Programs~ and First-Order Logic ............................................ 150 Dexter Kozen On Induction vs. *-Continuity ..................................... t67 Les I le Lamport TIME-SETS -- A New Method for Temporal Reasoning about programs .. I?'? Leslie Lamport and Susan Owicki ProgramLogics and Program Verification (position paper) ............ 197 Zohar Manna and Amir Pnuefi Verification of Concurrent Programs: Temporal Proof Principles ...... 2,00 Zohar Manna and Pierre Wolper Synthesis of Communicating Processes from Temporal Logic Specifications ................................................... 2,53 Albert Meyer and Jerzy Tiuryn A Note On Equivalences Among Logics of Programs .................. 282 Gra ~-yna Mirkowska The Representation Theorem for Algorithmic Algebras ............... 300 .I N~meti Nonstandard Dynamic Logic ....................................... 31 | Michael J. O~Donnell A Critique of the Foundations of Hoare-Style Programming Logics ..... 3/4,9 V Rohit Par ikh Some Applications of Topology to Program Semantics ................ 375 V.R. Pratt Using Graphs to Understand PDL ................................. 387 A, Salwicki Critical Remarks on MAX Model of Concurrency ..................... 39'7 .11 Transcript of Panel Discussion .................................... 406 VI PROOF RULES DEALING WITH FAI~ESS - Extended Abstract - )e Krzysztof R. Apt Ernst-RHdiger Olderog University of Rotterdam University of Kiel Abstract. We provide proof rules allowing to deal with two fairness assumptions in the context of Dijkstra's do-od programs. These proof rules are obtained by considering a translated version of the original program which uses random assignment x::? and admits only fair runs. The proof rules use infinite ordinals and deal with the original programs and not their translated versions. .I Introduction One of the troublesome issues concerning non-deterministic and parallel programs is that of fairness. This assumption states roughly speaking that each possible continuation is scheduled for execution sufficiently often. The meaning of a continuation depends on the language considered. For example, in the case of Dijkstra's guarded commands a possible contin- uation is a branch guarded by a guard evaluating to true. "Sufficiently often" can be interpreted here in a variety of ways the simplest of them being "eventually". The aim of this paper is to develop a simple proof theoretic approach to the issue of fairness. This approach was originally suggested in APT & PLOTEIN [I]. We restrict our attention to Dijkstra's do-od-programs whose compo- nents are simple while-programs. Each fairness assumption (we study here two of them) can be incorporated here by providing an appropriate equi- valent version of the original program which uses the random assignment x:=? (set x to an arbitrary non-negative integer) for scheduling purposes Author's addresses: K.R. Apt, Faculty of Economics, University of Rotterdam, P.O. Box 1738, 3000 DR Rotterdam, The Netherlands; E.-R. Oiderog, Institut fHr Informatik und Praktische Mathematik, Christian-Albrechts-Universit~t Kiel, Olshausenstr. 40-60, D-23OO Kiel ,I West Germany. )e The full version of this paper is available as Bericht Nr. 8104, Institut fHr Informatik und Praktische Mathematik, University of Kiel, March 1981, and has been submitted for publication. and admits only fair computations. By applying to this version of program Hoare-style proof-rules considered in APT & PLOTKIN [I] we arrive at proof rules dealing with fairness. It should be stressed that these proof rules deal with the original program - the applied transformations are "absorbed" into the assertions leaving the program in question intact. Using these proof rules total correctness of do-od-programs under the assumption of (weak and strong) fairness can be proved. The proof rules use infinite ordinals. The use of such infinitistic methods seems to be needed in view of the results of EMERSON & CLARKE [3] who show that termination under fairness assumption is not first order definable. The results of APT & PLOTKIN [I] imply soundness and relative completeness of our system for a special type of assertion languages - those which allow the use of the least fixed point operator and ordinals. .2 Definitions We consider programs of the form S = o~_d B I-+ ~ I S ...~ Bn--~ n S od where the i B are quantifier-free formulas and the i S are deterministic while-programs. We have a simple model of state in mind, viz. :Y( 9~-~ . denotes here the set of program variables and ~ is a domain of an interpretation. Thus the meaning of a subprogram i S is a partially defined mapping J~t(S )i from states to states. To state the notions of fairness and total correctness properly we employ so-called computation sequences of S defined as follows: For iE{1,...,n} and states ~, 'ro we write i ~, ~C >C~' iff ~ Bi(C~ ) and J~i(S )i (~) = and i ~ iff ~ Bi(<x) and (O-) /v[(Si) is undefined. Computation sequences of S are now exactly those sequences ~ of states which fall into one of the following cases: I° ~ = ~I 11> • ~2 12~' ... i m-1. <rm where ij e {I, .... n] and ~ (-IB 1A ...A~B ( n) ~m . ) Then ~ is said to properly terminate. I i ~2) ... im_ I 2° ~ = O'1 ....... > 2~< where ~ ij I{ ..... n] . Then ~ is said to fail. I i 2 i ij_1> ,i 30 ~ = ~I ~ ~2 > ... ~j 3>... where ij6{1 ..... n} and ~ is infinite. Then ~ is said to diverge. (Note that all finite sequences ~ of maximal length must fall into the cases ° I or ° 2 because B i(~) is always defined, i.e. ~ Bi(~) or ~Bi(~) holds.) A computation sequence ~ of S is said to be weakly fair iff ~ is either finite (i.e. properly terminates or fails) or infinite, i.e. of the form I i " i. = ~I > ~2 12>''" ~j ..... 3> ... with ij e I{ .... ,n}, but then fulfils the following condition ~/i E I{ ..... n} (( ~j E ~ ~ Bi(~j)) ~ ( ~ j~ ij = i)) )~ i.e. if i B is almost always true then the i-th component is infinitely often chosen. In other words we explicitly disallow infinite sequences with A computation sequence ~ of S is said to be stron@lY fair iff [ is either finite or infinite, i.e. of the form i ' i = ~t .......... !) ~2 12~... ~j ___~3 ... with ij E .... {I, n], but then fulfils the following condition ~i E {I ..... n} (( ~JE~ ~ Bi( ~ ~ j))--~( j ~ ij = i)) i.e. if i B is infinitely often true then the i-th component is infinitely often chosen. In other words we explicitly disallow infinite sequences with ~ iE{1 ..... n} (~j~ ~ Bi(~j)A ~j~ N ij % )i Now we can state precisely what we understand by total correctness of programs with or without fairness assumptions. For arbitrary first order formulas P and Q we define: )~ The quantifier ~ means "for all, but finitely may" and ~ means "there exist infinitely many .~' ~{P] S {Q} [under weak (strong) fairness assumption] iff every [weakly (strongly) fair] computation sequence of S starting in a state ~C with ~ P(fz) is properly terminating, i.e. is of the form I i i , , 7( ~ .... ~ , and ~ fulfils ~Q(~'). Thus under fairness assumption we need not bother about unfair compu- tation sequences. .3 The Transformations Let S = oo__d BI-9S ] ~ ... n ~ B ~-- n S od. We consider the weak fairness assumption first. We use the following transformation Tweak(S) = f~_i I B -~ turn::1 ~ o.. ~ Bn--~turn:=n ~ m(B I v...v Bn)-+skip f ;i for i:= I oo_t n do ] i z [ :=? o d; do . °, BiA turn=i >--- Si; ff_i mBivmini~< O then turn:=indexi; z Eturn ] :=? f ;i for j:=1 to n do i ff j%turn then if Bj then z [ j]:=z [ j] -I else [ z j]:=? fi fi od od where i ranges from I to n. The random assignment z [i]:=? means "Set z [i] to an arbitrary non- negative integer", min i and index i are shorthands defined as follows mini [+oo otherwise ~min{ j I j~iA BjAZ j [ ]= mini] if V B. index i = jmi 3 • otherwise