On the Axiomatic Treatment of Concurrency

Author

  • Stephen D. Brookes
Abstract

This paper describes a semantically based axiomatic treatment of a simple parallel programming language. We consider an imperative language with shared-variable concurrency and a critical region construct. After giving a structural operational semantics for the language we use the semantic structure to suggest a class of assertions for expressing semantic properties of commands. The structure of the assertions reflects the structure of the semantic representation of a command. We then define syntactic operations on assertions which correspond precisely to the syntactic constructs of the programming language; in particular, we define sequential and parallel composition of assertions. This enables us to design a truly compositional proof system for program properties. Our proof system is sound and relatively complete. We examine the relationship between our proof system and the Owicki-Gries proof system for the same language, and we see how Owicki's parallel proof rule can be reformulated in our setting. Our assertions are more expressive than Owicki's, and her proof outlines correspond roughly to a special subset of our assertion language. Owicki's parallel rule can be thought of as being based on a slightly different form of parallel composition of assertions; our form does not require interference-freedom, and our proof system is relatively complete without the need for auxiliary variables.

Connections with the "Generalized Hoare Logic" of Lamport and Schneider, and with the Transition Logic of Gerth, are discussed briefly, and we indicate how to extend our ideas to include some more programming constructs, including conditional commands, conditional critical regions, and loops.

1. Introduction.

It is widely accepted that formal reasoning about program properties is desirable. Hoare's paper [12] has led to attempts to give axiomatic treatments for a wide variety of programming languages. Hoare's paper treated partial correctness properties of commands in a sequential programming language, using simple assertions based on pre- and postconditions; the axiom system given in that paper is sound and relatively complete [8]. The proof system was syntax-directed, in that axioms or rules were given for each syntactic construct. The assertions chosen by Hoare are admirably suited to the task: they are concise in structure and have a clear correlation with a natural state transformation semantics for the programming language; this means that fairly straightforward proofs of the soundness and completeness of Hoare's proof system can be given [1,8]. When we consider more complicated programming languages the picture is not so simple. Many existing axiomatic treatments of programming languages have turned out to be either unsound or incomplete [25]. The task of establishing soundness and completeness of proof systems for program properties can be complicated by an excessive amount of detail in the semantic description of the programming language.

This point seems to be quite well known, and is made, for instance, in [1]. Similar problems can be caused by the use of an excessively intricate or poorly structured assertion language, or by overly complicated proof rules. Certainly for sequential languages with state transformation semantics the usual Hoare-style assertions with pre- and postconditions are suitable. But for more complicated languages which require a more sophisticated semantic treatment we believe that it is inappropriate to try to force assertions into the pre- and postcondition mould; such an attempt tends to lead to pre- and postconditions with a rather complex structure, when it could be simpler to use a class of assertions with a different structure which corresponds more accurately to the semantics. The potential benefits of basing an axiomatic treatment directly on a well-chosen semantics have been argued, for instance, in [7], where an axiomatic treatment of aliasing was given. Parallel programming languages certainly require a more sophisticated semantic model than sequential languages, and this paper attempts to construct a correspondingly more sophisticated axiomatic treatment based on the resumption model of Hennessy and Plotkin [22]. Proof systems for reasoning about various forms of parallelism have been proposed by several authors, notably [2,3,4,11,15,16,17,18,19,20,21]. Owicki and Gries [20,21] gave a Hoare-style axiom system for a simple parallel programming language in which parallel commands can interact through their effects on shared variables.

Their proof rule for parallel composition involved a notion of interference-freedom and used proof outlines for parallel processes, rather than the usual Hoare-style assertions. In order to obtain a complete proof system Owicki found it necessary to use auxiliary variables and to add proof rules for dealing with them. These features have been the subject of considerable discussion in the literature, such as [5,16]. Our approach is to begin with an appropriate semantic model, chosen to allow compositional reasoning about program properties. We use the structure of this model more directly than is usual in the design of an assertion language for program properties, and this leads to proof rules with a very simple structure, although (or rather, because) our assertions are more powerful than conventional Hoare-style assertions; Owicki's proof outlines emerge as special cases of our assertions. The soundness and completeness of our proof system are arguably less difficult to establish, as the proof system is closely based on the semantics, and the semantics has been chosen to embody as little complication as possible while still supporting formal reasoning about the desired properties of programs. The programming language discussed here is a subset of the language considered by Owicki [20,21] and by Hennessy and Plotkin [22]. Adopting the structural operational semantics of [22,26] for this language, we design a class of assertions for expressing semantic properties of commands.

We then define syntactic operations on assertions which correspond to the semantics of the various syntactic constructs in the programming language; in particular, we define sequential and parallel composition for assertions. This leads naturally to compositional, or syntax-directed, proof rules for the syntactic constructs. We do not need an interference-freedom condition in our rule for parallel composition, in contrast to Owicki's system. Similarly, we do not need an auxiliary variables rule in order to obtain completeness. We show how Owicki's rule for parallel composition, and the need for her interference-freedom condition, can be derived using our methods. Essentially, Owicki's system uses a restricted subset of our assertions and a variant form of parallel composition of assertions. We compare our work briefly with that of some other authors in this field and discuss some of its present limitations, and the paper ends with a few suggestions for further research and some conclusions. In particular, we indicate that our ideas can be extended to cover features omitted from the body of the paper, such as conditional critical regions, loops and conditionals. We also believe that with a few modifications to the assertion language we will be able to incorporate guarded commands [9,10], and that with an appropriate definition of parallel composition for assertions we will be able to treat CSP-like parallel composition [13], in which processes do not share variables but instead interact solely by means of synchronized communication.

2. A Parallel Programming Language.

We begin with a simple programming language containing assignment and sequential composition, together with a simple form of parallel composition and a "critical region" construct. Parallel commands interact solely through their effects on shared variables. For simplicity of presentation we omit conditionals and loops, at least for the present, as we want to focus on the problems caused by parallelism. We will return briefly to these features later. As usual for imperative languages, we distinguish the syntactic categories of identifiers, expressions, and commands. The abstract syntax for expressions and identifiers will be taken for granted.
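The following Python is an added worked example, not code from Brookes' paper. It gives a small-step structural operational semantics for exactly the language just described (assignment, sequential composition, parallel composition, critical region) and explores every interleaving of a parallel command, so that one can see the complete set of final states a Hoare-style assertion {P} c {Q} must account for, and how the critical region removes the interference between two processes. Assumptions the page leaves open: expressions are integer constants, identifiers and addition; each assignment is a single atomic step; a critical region [c] runs c to completion in one step; states are finite maps from identifiers to integers. The two programs, the initial state and the postcondition are constructed for the example.

```python
"""Small-step structural operational semantics for the Section 2 language
(assignment, sequential composition, parallel composition, critical region)
plus a brute-force check of partial-correctness assertions {P} c {Q}.

Added example, not code from Brookes' paper.  Assumptions the page leaves
open: expressions are integer constants, identifiers and addition; each
assignment is one atomic step; a critical region [c] runs c to completion
in a single step; states are finite maps from identifiers to integers.
"""
from typing import Callable, Dict, FrozenSet, List, Tuple

# Abstract syntax as nested tuples.  Commands:
#   ('skip',)  ('assign', x, e)  ('seq', c1, c2)  ('par', c1, c2)  ('region', c)
# Expressions:  ('const', n)  ('var', x)  ('add', e1, e2)
SKIP = ('skip',)
State = Tuple[Tuple[str, int], ...]            # hashable canonical form of a state

def to_state(d: Dict[str, int]) -> State:
    return tuple(sorted(d.items()))

def eval_expr(e: tuple, s: Dict[str, int]) -> int:
    if e[0] == 'const':
        return e[1]
    if e[0] == 'var':
        return s[e[1]]
    if e[0] == 'add':
        return eval_expr(e[1], s) + eval_expr(e[2], s)
    raise ValueError(f"unknown expression {e!r}")

def step(c: tuple, s: State) -> List[Tuple[tuple, State]]:
    """All one-step successors <c', s'> of the configuration <c, s>.
    Several successors arise only from parallel composition: either side
    may make the next move."""
    tag = c[0]
    if tag == 'skip':
        return []                              # terminal configuration
    if tag == 'assign':
        d = dict(s)
        d[c[1]] = eval_expr(c[2], d)
        return [(SKIP, to_state(d))]
    if tag == 'seq':
        if c[1] == SKIP:
            return [(c[2], s)]
        return [(('seq', c1, c[2]), s1) for c1, s1 in step(c[1], s)]
    if tag == 'par':
        if c[1] == SKIP:
            return [(c[2], s)]
        if c[2] == SKIP:
            return [(c[1], s)]
        return ([(('par', l, c[2]), s1) for l, s1 in step(c[1], s)] +
                [(('par', c[1], r), s1) for r, s1 in step(c[2], s)])
    if tag == 'region':
        # Atomic: one transition per complete run of the body, no interleaving.
        return [(SKIP, s1) for s1 in final_states(c[1], s)]
    raise ValueError(f"unknown command {c!r}")

def final_states(c: tuple, s: State) -> FrozenSet[State]:
    """Every state in which c can terminate from s, by exhaustive search
    over all interleavings (finite because the language has no loops)."""
    seen, done, todo = set(), set(), [(c, s)]
    while todo:
        conf = todo.pop()
        if conf in seen:
            continue
        seen.add(conf)
        cmd, st = conf
        if cmd == SKIP:
            done.add(st)
        else:
            todo.extend(step(cmd, st))
    return frozenset(done)

Pred = Callable[[Dict[str, int]], bool]

def partial_correctness(c: tuple, pre: Pred, post: Pred,
                        initial: List[Dict[str, int]]) -> bool:
    """{pre} c {post} over a finite list of candidate initial states: every
    terminal state reachable from a state satisfying pre must satisfy post."""
    return all(post(dict(st)) for d in initial if pre(d)
               for st in final_states(c, to_state(d)))

# Constructed programs: the right-hand process writes x while the left-hand
# process writes x and then reads it back into y.
LEFT = ('seq', ('assign', 'x', ('const', 1)), ('assign', 'y', ('var', 'x')))
UNPROTECTED = ('par', LEFT, ('assign', 'x', ('const', 2)))            # (x:=1; y:=x) || x:=2
PROTECTED = ('par', ('region', LEFT), ('assign', 'x', ('const', 2)))  # [x:=1; y:=x] || x:=2

def y_is_one(d: Dict[str, int]) -> bool:
    return d['y'] == 1

def outcomes(c: tuple) -> FrozenSet[Tuple[int, int]]:
    """Final (x, y) pairs from the constructed initial state x = y = 0."""
    return frozenset((dict(st)['x'], dict(st)['y'])
                     for st in final_states(c, to_state({'x': 0, 'y': 0})))

if __name__ == '__main__':
    init = [{'x': 0, 'y': 0}]
    print(sorted(outcomes(UNPROTECTED)))   # [(1, 1), (2, 1), (2, 2)]
    print(sorted(outcomes(PROTECTED)))     # [(1, 1), (2, 1)]
    print(partial_correctness(UNPROTECTED, lambda d: True, y_is_one, init))  # False
    print(partial_correctness(PROTECTED, lambda d: True, y_is_one, init))    # True
```

Run stand-alone, the script lists three final states for the unprotected program and two for the protected one. The extra outcome (x = 2, y = 2) arises only from the interleaving in which the right-hand process writes x between the two assignments of the left-hand process; this is exactly the interference that Owicki's interference-freedom condition is meant to rule out, and it is why the assertion {true} c {y = 1} holds for the critical-region version and fails for the unprotected one. The finite-state `partial_correctness` check is a stand-in for a proof system, usable only because the language has no loops; the paper's contribution is a compositional proof system that establishes such assertions syntactically, without enumerating interleavings.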

Similar sources

A Survey of Concurrency Control Algorithms in the Operating Systems

Concurrency control is one of the important problems in operating systems. Various studies have been reported to present different algorithms to address this problem, although a few attempts have been made to represent an overall view of the characteristics of these algorithms and comparison of their capabilities to each other. This paper presents a survey of the current methods for controlling...

Petri's Axioms of Concurrency- A Selection of Recent Results

Concurrency theory, as developed by Carl Adam Petri, is an axiomatic theory of binary relations of concurrency (co) and causality (li). This work deals with interactions between axioms and studies properties of concurrency structures, the models of this theory. In contrast to other treatments, concurrency theory will be investigated in its general form, which does not require an underlying parti...

Temporal Semantics of a Concurrency Monad with Choice and Services

We describe the concurrency monad of the functional language Opal, which realizes a smooth integration of concurrent processes in a purely functional framework, providing a general choice and client-server based communication. We develop an axiomatic semantics for the concurrency monad using a variant of temporal interval logic as syntactic sugar on top of the logic of computable functions.

Algebraic Laws for True Concurrency

We find the algebraic laws for true concurrency. Eventually, we establish a whole axiomatization for true concurrency called APTC (Algebra for Parallelism in True Concurrency). The theory APTC has four modules: BATC (Basic Algebra for True Concurrency), APTC (Algebra for Parallelism in True Concurrency), recursion and abstraction. We also show the applications and extensions of APTC.

Optimization of majority protocol for controlling transactions concurrency in distributed databases by multi-agent systems

In this paper, we propose a new concurrency control algorithm based on multi-agent systems which is an extension of the majority protocol. Then, we suggest a clustering approach to get better results in reliability, decreasing message passing and the algorithm's runtime. Here, we consider n different transactions working on non-conflicting data items. Considering execution efficiency of some different...

Journal title:

Volume   Issue

Pages  -

Publication date: 1984