Z Manna and A Pnszabolcs/CompSys/apch1.pdf · y prop erties do not dep end on the fairness require men ts for their v alidit y progress prop erties do In Chapters ... tains prop erties

c� Z� Manna and A� Pnueli� �� Aug� �� Not for Distribution

Chapter �� Response �

Chapter �

Response

In the preceding chapters we discussed methods for proving safety properties�While the class of safety properties is very important� and normally occupies alarge portion of a speci�cation� it must be complemented by properties in theother classes�

It is interesting to note that the expression of safety properties and their ver�i�cation use relatively little temporal logic� The main emphasis there is directedtowards �nding assertions that are invariant over the computation of a program�Most of the veri�cation e�orts are concentrated on showing that the assertionsare inductive� This requires proving a set of veri�cation conditions� which are ex�pressed by nontemporal state formulas� Temporal logic is used mainly for statingthe �nal result of invariance of the assertion� It is true that� when consideringprecedence properties� we extensively use the past part of temporal logic� But aswe commented there� an equivalent� though sometimes less elegant� state formu�lation of these properties can be managed through auxiliary or history variables�

It is only when we enter the realm of more general properties� that temporallogic becomes an essential and irreplaceable tool� Thus if� for some reason� one iswilling to restrict himself to the study of safety properties of reactive programs�he does not need the full power of temporal logic�

A related observation is that� only when we go beyond safety properties doesfairness become meaningful� Recall the de�nition of a run as a state sequencethat satis�es the requirements of initiation and consecution but not necessarilyany of the fairness requirements� It can be shown that a safety formula holds overall runs of a program if and only if it holds over all computations� i�e�� fair runs�Thus� safety properties cannot distinguish between fair and unfair runs�

This is no longer the case with progress �nonsafety� properties� Note� forexample� that the in�nite sequence s�� s�� is a legal run of any program P �provided s� q � This run is generated by continuously taking the idling transition�I� There are very few progress properties that hold over this run�


� Chapter �� Response

Consequently� while safety properties do not depend on the fairness require�ments for their validity� progress properties do� In Chapters �� we concentrateon the important class of response properties� which is one of the progress classes�This class contains properties that can be expressed by a formula of the form

� � p�

for a past formula p� In these chapters� we introduce a family of rules for responseproperties that rely on the di�erent fairness requirements� Chapters � presentrules that rely on justice� while Chapter � presents rules that rely on �justice and�compassion�

Chapter � completes the picture by presenting rules for the highest progressclass� that of reactivity�

Chapter deals with response properties that rely on the just transitions ofthe system for their validity� Chapter � generalizes the treatment to propertiesthat rely on both justice and compassion for their validity�

In Section � we consider a single�step rule that relies on the activation of asingle just transition�

Section � shows how to combine several applications of the single�step ruleinto a rule that relies on a �xed number of activations of just transitions�

Section �� generalizes the rule to the case that the number of just activationsnecessary to achieve the goal is not �xed and may depend� for example� on aninput parameter�

In Section �� we extend all the above methods to prove properties expressedby response formulas that contain past subformulas�

Section �� deals with the class of guarantee formulas� treating them as aspecial case of response properties�

In a similar way� Section �� considers the class of obligation properties�Again� their veri�cation is based on their consideration as a special case of theresponse class�

�� Response Rule

Even though there are several di�erent classes of progress properties� their veri��cation is almost always based on the establishment of a single construct � theresponse formula

p � � q�

for past formulas p and q� This formula states that any position in the computa�tion which satis�es p must be followed by a later position which satis�es q� Since


�� Response Rule �

the canonical response formula � � q is equivalent to T � � q� it follows thatevery response property can be expressed by a formula of the form p� � q�

A general response property allows p and q to be general past formulas� InSections �� we consider the simpler case that p and q are assertions� InSection �� we will generalize the treatment to the case that p and q are pastformulas�

A Single�Step Rule

A single�step rule� relying on justice� is provided by rule RESP�J presented inFig� ��

For assertions p� q� �� and transition �h � J �

J� p � q � �

J � f�g T fq � �g

J�� f�g �h fqg

J�� En��h�

p � � q

Fig� �� Rule RESP�J �single�step response under justice��

The rule calls for the identi�cation of an intermediate assertion � and a justtransition �h � J � to which we refer as the helpful transition�

Premise J of the rule states that� in any position satisfying p� either the goalformula q already holds� or the intermediate formula �� bridging the passage fromp to q� holds� The q�disjunct of this premise covers the case that the distancebetween the p�position and the q�position is �� The ��disjunct and the otherpremises cover the case that the distance between these two positions is positive�

Premise J requires that every transition leads from a ��position to a positionthat satis�es q � �� That is� either a position satisfying the goal formula q isattained or� if not� then at least the intermediate � is maintained�

Premise J� requires that the helpful transition �h always leads from a ��position to a q�position�

Premise J� requires that the helpful transition �h is enabled at every ��position�



Justi�cation To justify the rule� consider a computation � which satis�es thefour premises of the rule� Assume that p holds at position k� k � �� We wish toshow that q holds at some position i� i � k� Assume� to the contrary� that it doesnot� That means that for all i� i � k� q does not hold at i� By J� � holds atposition k� By J � every successor of a ��state is a �q � ��state�

Since we assumed that q never occurs beyond k� it follows that � holds con�tinuously beyond k� By J�� the just transition �h must be continuously enabled�However� �h is never taken beyond k� This is because if �h were taken� it wouldhave been taken from a ��position� and by J� the next position would have sat�is�ed q� Thus we have that �h is continuously enabled� but never taken beyondk� It follows that the sequence � is not just with respect to �h� and is� therefore�not a computation�

This shows that� for all computations� there must exist an i� i � k such thatq holds at i�

In applications of the rule� it is su�cient to establish premise J for all � �� h�since J for � � �h is implied by J�� It is also unnecessary to check premise J for � � �

I� the idling transition� since f�g �

If�g is trivially state valid�

Example �program ANY�Y�

Program ANY�Y of Fig� � illustrates a simple program consisting of two processescommunicating by the shared variable x� initially set to �� Process P� keepsincrementing variable y as long as x � �� Process P� has only one statement�which sets x to � Obviously� once x is set to � process P� terminates� and sometime later so does P�� as soon as it observes that x ��

local x� y� integer where x � y � �

P� ��

�� while x � � do

�� y �� y �

��

�� P� ��

�m�� x ��

m��

�

Fig� � � Program ANY�Y�

We illustrate the use of rule RESP�J for proving the response property

at�m� � � �x � �

for program ANY�Y�


�� Response Rule �

As the helpful transition �h we take m�� As the intermediate assertion � wetake p� at�m�� Premise J assumes the form

at�m� z �p

� � � �z�q

� at�m� z ��

�

which is obviously valid� Premise J is established by showing that all transitions�excluding m�� preserve �� at�m�� which is clearly the case�

Premise J� requires showing that m� leads from any ��state to a q�state�expressed by

� � � x� � z ��m�

� � �z��

� x� � z �q�

�

which is obviously valid� Finally� J� requires

at�m� z ��

� at�m� z �En�m��

�

which is also valid� This establishes that the property speci�ed by the responseformula at�m� � � �x � � is valid over program ANY�Y�

Combining Response Properties

Rule RESP�J by itself is not a very strong rule� and is su�cient only for proving one�step response properties� i�e�� properties that can be achieved by a single activationof a helpful transition� For example� while program ANY�Y always terminates� itstermination cannot be proven by a single aplication of rule RESP�J�

In general� most response properties of the form p � � q require severalhelpful steps in order to get from a p�position to a q�position�

To establish such properties we may use several rules that enable us to com�bine response properties� each established by a single application of rule RESP�J�These rules are based on general properties of response formulas that allow usto form these combinations� We list some of these properties as proof rules� Allof these rules can be established as derived rules� using the standard deductivesystem for temporal logic� �

Monotonicity

An important property of response formulas is the monotonicity of both the an�tecedent and the consequent� This can be summarized in the form of the �mono�tonicity� rule MON�R� presented in Fig� ��

� For example� the one presented in Chapter � of Volume I�


Chapter �� Response

p � q q � � r r � t

p � � t

Fig� �� Rule MON�R �monotonicity of response�

Rule MON�R enables us to strengthen the antecedent and weaken the conse�quent� Thus� if we managed to prove the response formula

at�� x � ��

we can infer from it� using rule MON�R� the formula

at�� x � ��

Reexivity

Property RFLX�R of Fig� �� states that the � operator is re�exive�

p � � p

Fig� �� Property RFLX�R �re�exivity of response�

We may use this property to prove simple response formulas such as

x � � � � �x � ��

Transitivity

The transitivity property of response formulas is expressed by the �transitivity�rule TRNS�R� presented in Fig� ��

p � � q q � � r

p � � r

Fig� �� Rule TRNS�R �transitivity of response�


�� Response Rule

Thus� if we managed to prove for program ANY�Y the two response formulas

at�� at�m� x � � � �at�� at�m� x � �

at�� at�m� x � � � �at�� at�m��

we may use rule TRNS�R to conclude

at�� at�m� x � � � �at�� at�m��

The soundness of rule TRNS�R is obvious� Consider a computation � such thatthe �rst two premises are valid over �� Let i be a position satisfying p� By the�rst premise� there exists a position j� j � i� satisfying q� By the second premise�there exists a position k� k � j� satisfying r� Thus� we are ensured of a positionk� k � i� satisfying r� which establishes p� � r�

Proof by Cases

Another useful property of response formulas is that it is amenable to proof bycases� This possibility is presented by rule CASES�R of Fig� ��

p � � r q � � r

�p � q� � � r

Fig� �� Rule CASES�R �case analysis for response�

Assume� for example� that we have proved for program ANY�Y the two fol�lowing reponse formulas�

at�� at�m� x � � � �at�� at�m��

at�� at�m� x � � � �at�� at�m��

Then� we may use rule CASES�R to conclude

�at�� at�m� x � � � �at�� at�m� x � � �

� �at�� at�m��

from which� by rule MON�R� we can infer

at�� at�m� x � � � �at�� at�m��


We will illustrate the use of these rules by proving termination of program ANY�Y�This property can be expressed by the response formula



� � �at�� at�m��

where

� � f��m�g x � � y � �

is the initial condition of program ANY�Y�

The proof consists of the following steps�

� at�� at�m� x � � � � �at�� at�m� x � �by rule RESP�J� taking �h� m� and �� at�� at�m� x � �

� at�� at�m� x � � � �at�� at�m��by rule RESP�J� taking �h� �� and �� at�� at�m� x �

�� at�� at�m� x � � � �at�� at�m� x � �by rule RESP�J� taking �h� �� and �� at�� at�m� x �

�� at�� at�m� x � � � �at�� at�m��by rule TRNS�R� applied to � and

�� at�� at�m� x � � � �at�� at�m� x � � �� at�� at�m��

by rule CASES�R� applied to and �

�� at�� at�m� x � ��at�� at�m� x � � � �at�� at�m� x � �

an assertional validity

�� at�� at�m� x � � � �at�� at�m��by rule MON�R� using � and �

�� at�� at�m� x � � � � �at�� at�m��by rule TRNS�R� applied to and �

�� at�� at�m� x � � an assertional validity

�� at�� at�m�� by rule MON�R� applied to � and ��

�� Chain Rule

The proof of the last example follows a very speci�c pattern that occurs oftenin proofs of response properties� According to this pattern� to establish p �� q� we identify a sequence of intermediate situations described by assertions�m� �m�� such that p implies one of �m� � � � � �� and q is identical with


�� Chain Rule �

�� or is implied by �� We then show that for every i � �� being at �i impliesthat eventually we must reach �j for some j i�

We can interpret the index i of the intermediate formula �i as a measure ofthe distance of the current state from a state that satis�es the goal q� Thus� thelower the index� the closer we are to achieving the goal q� For a position j� let �ibe the intermediate formula with the smallest i s�t� �i holds at j� We refer to theindex i as the rank of position j�

This proof pattern is summarized in rule CHAIN�J �Fig� ��

For assertions p and q � �� m andtransitions �� m � J

J� p �m�j�

�j

J � f�ig T

�j�i

�j

�

J�� f�ig �i

�j�i

�j

�J�� i � En��i�

��for i � � � � � �m

p � � q

Fig� �� Rule CHAIN�J �chain rule under justice��

According to premise J� p implies that one of the intermediate formulas �i�possibly �� implying q� holds� Premise J requires that taking any transitionfrom a �i�position results in a next position which satis�es �j � for some j i�Premise J� requires that taking the helpful transition �i from a �i�position resultsin a next position which satis�es �j for j i� We can view premise J as statingthat the rank never increases� while premise J� states that the helpful transitionguarantees that the rank decreases� Premise J� claims that the helpful transition�i is enabled at every �i�position�

Justi�cation Assume that all four premises are P �state valid� Consider aP �computation � and a position t that satis�es p� We wish to prove that some



later position satis�es q� Assume to the contrary that all positions later than t�including t itself� do not satisfy q� By J� position t satis�es �j for some j � ��Index j cannot be � because �� q and we assumed that no position beyond tsatis�es q� Thus� position t satis�es �j � for some j � �� By J � position t � satis�es some �k� k j� Again� k � � due to �� q� Continuing in this manner�it follows that every position beyond t satis�es some �j for j � �� to which werefer as the rank of the position�

By J � the rank of the position can either decrease or remain the same� Itfollows that there must exist some position k � t� beyond which the rank neverdecreases�

Assume that i is the rank of the state at position k� Since q is never satis�edand the rank never decreases beyond position k� it follows �by J � that �i holdscontinually beyond k� By J�� i cannot be taken beyond k� because that wouldhave led to a rank decrease� By J�� i is continually enabled beyond k yet� by theargument above� it is never taken� This violates the requirement of justice for �i�

It follows that if all the premises of the rule are P �state valid then the con�clusion p� � q is P �valid�

Note that since premise J� implies premise J for � � �i� it is su�cient tocheck premise J for a given i � � � � � �m� only for � �� i� Also� it is unnecessaryto check premise J for � � �

I� since f�ig �I f�ig trivially holds�

Example �Reproving termination of program ANY�Y�

Let us show how termination of program ANY�Y can be proved �again� by a singleapplication of rule CHAIN�J�

The property we wish to prove is

at�� at�m� x � � y � � z �p

� � at�� at�m� z �q

�

Inspired by our previous proof of this property� we choose four assertions andcorresponding helpful transitions as follows�

�� at�� at�m� x � � �� m�

�� at�� at�m� x � ��

�� at�� at�m� x � ��

�� q� at�� at�m��

Let us consider each of the premises of rule CHAIN�J�

� Premise J

This premise calls for proving


�� Chain Rule ��

p ��

j�

�j �

We will prove p� �� which amounts to

at�� at�m� x � � y � � z �p

� at�� at�m� x � � z ��

which obviously holds�

� Premises J �J� for i � ��

We list below the premises that are proven for each i� i � ��

Assertion �� at�� at�m� x � �nat�� at�m� x � � z �

��

o�nat�� at�m� x � � z �

��

ofor each � �� m�

nat�� at�m� x � � z �

��

om�

��at�� at�m� x � z �

��

�

at�� at�m� x � z ��

��at�� at�m� x � � z �

��

� at�m� z �En�m��

�

Assertion �� at�� at�m� x � nat�� at�m� x � z �

��

o�nat�� at�m� x � z �

��

ofor every � �� n

at�� at�m� x � z ��

o��

nat�� at�m� x � z �

��

ohat�� at�m� x � z �

��

i� at�� z �

En��

�

Assertion �� at�� at�m� x � nat�� at�m� x � z �

��

o�nat�� at�m� x � z �

��

ofor every � ��


�� Chapter �� Response

nat�� at�m� x � z �

��

o��

nat�� at�m� z �

��

oat�� at�m� x � z �

��

� at�� z �En��

�

All of these implications and veri�cation conditions are obviously state valid�which establishes the conclusion

� � �at�� at�m��

Relation to rule NWAIT

There is a strong resemblance between the premises of rule CHAIN�J and those ofrule NWAIT �Fig� �� on page �� of the SAFETY book�� This is not surprising�since in both cases we wish to establish the evolution from p to q �q� in the caseof NWAIT� by successively passing through �m� �m��

The main di�erence is that� in rule NWAIT� we are quite satis�ed if� from acertain point on� we stay forever within �j for some j � �� This is unacceptablein a response rule� where we are anxious to establish eventual arrival at �� Thisdi�erence is expressed in premise J� which requires that activation of the helpfultransition �i takes us out of a �i�state� and premise J� which requires that �i isenabled on all �i�states� These premises have no counterparts in rule NWAIT� Thisexcludes computations that consist of states whose rank� from a certain point on�never decreases below some j � ��

Another di�erence is that� in rule NWAIT� we allow a transition to lead from

�i� i � �� back to �i� This is expressed by the disjunction��j�i

�j � appearing in

the postcondition of premise N�� Rule CHAIN�J allows this in premise J for allbut the helpful transition� which is required in J� to lead to a position with astrictly lower rank�

In spite of these di�erences� many of the approaches used in the study ofprecedence properties are also applicable to the analysis of response properties�One of these useful approaches is that of veri�cation diagrams introduced inSection �� of the SAFETY book�

�� Chain Diagrams

As observed in the previous example �program ANY�Y�� in many cases it su�cesto specify the intermediate assertions �� m and to identify the helpfultransitions �� m� The proofs of the actual veri�cation conditions is a detail


�� Chain Diagrams ��

that can be left to skeptical readers� and eventually to an automated system�Only some of the veri�cation conditions raise interesting questions� and those areusually elaborated in a presentation of a proof� However� the main structure of theproof is adequately represented by the list of assertions and their correspondinghelpful transitions�

A concise visual summary of this information� and some additional details� isprovided by veri�cation diagrams� Veri�cation diagrams were already introducedin Section �� of the SAFETY book to represent proofs using rule NWAIT� However�we give here an independent description of the diagrams that support proofs ofresponse properties by rule CHAIN�J�

Veri�cation Diagrams

A veri�cation diagram is a directed labeled graph constructed as follows�

� Nodes in the graph are labeled by assertions� We will often refer to a nodeby the assertion labeling it�

� Edges in the graph represent transitions between assertions� The diagramspresenting proofs by rule CHAIN�J allow edges of two types� represented graph�ically by single ��lined� and double ��lined� arrows� Each edge of either typedeparts from one assertion� connects to another� and is labeled by the nameof a transition� We refer to an edge labeled by � as a � �edge�

� One of the nodes may be designated as a terminal node ��goal� node�� Inthe graphical representation� this node is distinguished by having a boldfaceboundary� No edges depart from a terminal node� Terminal nodes correspondto �goal� assertions such as �� in rule CHAIN�J�

Chain Diagrams

A veri�cation diagram is said to be a chain diagram if its nodes are labeled byassertions �� m� with �� being the terminal node� and if it satis�es thefollowing requirements�

� If a single ��line� edge connects node �i to node �j � then i � j�

� If a double ��line� edge connects node �i to node �j � then i � j�

� Every node �i� i � �� has a double edge departing from it� This identi�esthe transition labeling such an edge as helpful for assertion �i� All helpfultransitions must be just�

The �rst two requirements ensure that the diagram is weakly acyclic in the sensede�ned in Section �� of the SAFETY book for WAIT diagrams� That is� the terminalnode is labeled by �� and whenever node �i is connected by an edge �single ordouble� to node �j � then j i� The stronger second requirement ensures thatthe subgraph based on the double edges is acyclic� forbidding self�connections by



double edges� The third requirement demands that every nonterminal assertion�i�e�� i for i � �� has at least one helpful transition associated with it�

Veri�cation Conditions for CHAIN Diagrams

The assertions labeling nodes in a diagram are intended to represent the inter�mediate assertions appearing in a CHAIN�J proof� A � �labeled edge connectingnode �i to node �j implies that it is possible for a �i�state to have a � �successorsatisfying �j � A double edge departing from node � and labeled by transition� identi�es � as helpful for assertion �� Consequently� we associate veri�cationconditions with nodes and the edges departing from them� These conditions�expressed by implications� represent premises J �J� of rule CHAIN�J�

For a node �i and transition � � connecting �i to �j � we say that �j is a� �successor of �i� Let � be a nonterminal node and �� k� k � �� be the� �successors of ��

V� If all the edges connecting � to its � �successors are single ��lined�� then weassociate with � and � the veri�cation condition

f�g � f� � �� kg�

Transition � � labeling only single edges� is identi�ed as unhelpful for �� Thiscondition� similar to premise J � allows � to lead from a ��state back to a��state� recording no progress�

The case of a transition � that does not label any edges departing from �is interpreted as though � labels k � � single�lined edges departing from ��That is� with such a transition we associate the veri�cation condition

f�g � f�g�

V � If some edge departing from � is double �hence k � �� we associate with �and � the veri�cation condition

f�g � f�� kg�

This condition corresponds to premise J�� requiring a transition � � identi�edas helpful� to lead away from ��

V�� If � labels some double edge departing from �� we require

� � En��

This condition corresponds to premise J�� requiring that a transition helpfulfor � is enabled on all ��states� We refer to this requirement as the enabling

requirement �

Valid CHAIN Diagrams

A CHAIN diagram is said to be valid over a program P �P �valid for short� if allthe veri�cation conditions associated with nodes of the diagram are P �state valid�



The consequences of having a P �valid CHAIN diagram are stated by the fol�lowing claim�

Claim � �CHAIN diagrams�

A P �valid CHAIN diagram establishes that the response formula

m�j�

�j � � ��

is P �valid�

If� in addition� we can establish the P �state validity of the following implica�tions�

�J� p �m�j�

�j and �J�� q

then� we can conclude the P �validity of

p � � q�

Justi�cation First� we show the �rst part of the claim� stating the P �validityof

m�j�

�j � � ��

We use rule CHAIN�J with p�Wmj� �j � q � �� and� for each i � � � � � �m� we

take �i �the helpful transition for �i� to be the transition labeling the double edgedeparting from �i�

For our choice of p and q� premise J of rule CHAIN�J assumes the form

�J�m�j�

�j �m�j�

�j �

which is trivially state�valid� We proceed to show that the P �state validity ofpremises J �J� follows from the P �validity of the diagram� for each i � � � � � �m�

Premise J requires showing

�J � �� i � �� i�

for each � � T � Let �i� � � � � � �ik be the � �successors of �i in the P �valid diagram�for � � T � f�i� �Ig� By the requirement of weak acyclicity i� i� � � � � ik i�Since � �� i� all the � �edges departing from node � are single�line edges and thefollowing veri�cation condition holds�

V� �� i � ��i � ��i� � � � � � ��ik �



Since ij i for each j � � � � � � k� the disjunction on the right�hand side of V istaken over a subset of the assertions appearing on the right�hand side of premiseJ � It follow that J is state�valid for assertion �i and transition � � For � � �

I�

premise J holds trivially since ��I

implies ��i � �i� For � � �i� premise J isimplied by J��

Premise J� requires

�J�� i �i � �� i��

Let �i� � � � � � �ik be the �i�successors of �i in the P �valid diagram� Since all �i�edges departing from �i are double� ij i for j � � � � � � k and the followingveri�cation condition holds�

V � �� i � ��i� � � � � � ��ik �

Repeating the subset argument� this implies the state validity of premise J��

Premise J� is identical to condition V� for every �i and �i� i � � � � � �m�

Next� we consider the more general case of p and q which are not identical toWmj� �j and �� respectively� but satisfy the implications J and J�� Applying

rule MON�R to p�Wmj� �j � �� and q �standing for p� q� r� and t in MON�R�� we

obtain the conclusion p � � q�

Note that chain diagrams and their notion of validity are a conservativeextension of the WAIT diagrams� introduced in Section �� of the SAFETY book�The additional requirements that disallow a self�connecting edge all refer to doubleedges which are not present in WAIT diagrams� It follows that a P �valid CHAIN

diagram is also P �valid for proving the nested waiting�for formula

m�j�

�j � �m W �m�� W ��


Consider again program ANY�Y �Fig� � �� The CHAIN diagram of Fig� �� providesa graphical representation for the proof of the response property

at�� at�m� x � � z �p

� ��at�� at�m� z �

q��

��

for program ANY�Y�

The diagram identi�es �� as the intermediate assertions and m�� as their corresponding helpful transitions� This CHAIN diagram is valid over pro�gram ANY�Y� which establishes the P �validity of


�� Chain Diagrams �

��

�� at�� at�m� x � �

m�

�

m�

�

��

��

�� at�� at�m� x �

��

��

�� at�� at�m� x �

��

��

�� at�� at�m�

Fig� �� CHAIN diagram for termination�

��j�

�j � � �at�� at�m��

over this program� Since �as shown above� � �� the second part of Claim �establishes the P �validity of the termination property

� � �at�� at�m��

The Advantages of Diagrams

One of the advantages of the presentation of a CHAIN�J proof sketch by a CHAIN

diagram� over its presentation by a list of assertions and their correspondinghelpful transitions is that the diagram provides a stronger �and more detailed�version of premises J and J� than is standardly provided by rule CHAIN�J and alist of the assertions and helpful transitions�

Consider� for example� the proof presented in Fig� �� Both the diagramand the textual proof identify �� as at�� at�m� x � and �� as its helpfultransition�

However� while rule CHAIN�J suggests that we prove for premise J� the veri��cation condition

f��g �� f�� g�

the diagram claims that the even stronger condition

f��g �� f��g



is P �state valid� This results from the fact that there is no ��edge connecting ��to ��

Encapsulation Conventions

There are several encapsulation conventions that lead to more structured hierar�chical diagrams and improve the readability and manageability of large complexdiagrams� These conventions were introduced in Section �� of the SAFETY bookand we reproduce them here brie�y� to make the presentation self contained� Thebasic construct of encapsulation is that of a compound node that may containseveral internal nodes� The encapsulation conventions attribute to a compoundnode aspects and relations that are common to all of their contained nodes� Werefer to the contained nodes as descendants of the compound node� Nodes thatare not compound are called basic nodes� We use three encapsulation conventions�

� Departing edges

An edge departing from a compound node is interpreted as though it departedfrom each of its descendants� This is represented by the graphical equivalenceof Fig� ��

��

��

C

DE

F

��

��

��

C

DE

F

��

�

�

j

�

Fig� �� Departing edges�

� Arriving edges

In a similar way� an edge arriving at a compound node is interpreted as thoughit arrived at each of its descendants� This is represented in the graphicalequivalence of Fig� ��

� Common factors

An assertion � labeling a compound node is interpreted as though it were aconjunct added to each of the labels of its descendants� This is representedby the graphical equivalence of Fig� �� We refer to � as a common factor

of the two nodes�



��

��

C

DE

F

��

��

��

��

C

DE

F

��

��

q�

Fig� �� Arriving edges�

��

��

C

DE

F

��

��

C

DE

F�

Fig� �� Common factors�

Example In Fig� � we present a veri�cation diagram which is the encapsu�lated version of the veri�cation diagram of Fig� ��

This encapsulation uses the arriving edge convention to denote by a singlearrow the two edges connecting �� to �� and to �� It uses the common factorconvention to simplify the presentation of �� and ��

Additional Examples

Let us consider a few more examples for the application of rule CHAIN�J and CHAIN

diagrams� illustrating the encapsulation conventions�

Example �Peterson�s Algorithm � version �

For the next example� we return to program MUX�PET�� Peterson�s algorithm formutual exclusion �Fig� �� This program was previously studied in Section ��of the SAFETY book� where we established for it the following invariants�

�� s � � s �

�� y� � at��



��

�� at�� at�m� x � �

m�

� C

DE

Fat�m� x � ��

�� at��

��

��

�� at��

��

�� at�� at�m�

Fig� � � Encapsulated version of CHAIN diagram for termination�

�� y� � at�m��

We wish to prove for this program the response property of accessibility�given by

at�� z �p

� � at�� z �q

�

To use rule CHAIN�J or its diagram representation� we have to identify in�termediate assertions that characterize the intermediate situations between thestarting assertion p� at�� and the goal assertion q� at�� It is obvious that the�rst helpful step in the progress from �� to �� is process P� moving from �� to�� Consequently� we can safely take �m to be at�� and the helpful transition�m to be �� We cannot yet determine the value of m because it depends on thenumber of helpful steps necessary to get from �� to �� We can now concentrateon showing how to get from �� to ��

Similar to the heuristics employed in the application of rule NWAIT �Sec�tion �� of the SAFETY book�� it is often useful to work backwards from the goalassertion at�� Consequently� we take �� to be at��

For the previous intermediate assertion �� we look for situations that areonly one helpful step away from �� Clearly� the only transition that can accom�plish �� in one step is �� If we choose the helpful transition �� to be �� then



local y�� y�� boolean where y� � y� � F

s � integer where s �

P� ��

��

�� loop forever do�� noncritical

�� y�� s� �� T� �

�� await �y� � s ��

�� critical

�� y� �� F

��

��

P� ��

��

m�� loop forever do��m�� noncritical

m�� y�� s� �� T� �

m�� await �y� � s ��

m�� critical

m�� y� �� F

��

��Fig� �� Program MUX�PET� �Peterson�s algorithm� � version �

the appropriate �� is the assertion characterizing all the states on which �� isenabled� Therefore� as �� we take the enabling condition of ��

�� at�� y� � s ��

Assertion �� does not yet cover all the accessible states satsifying at��Consequently� we cannot take m to be � and must search for additional assertions�characterizing states that satisfy at�� and that are one helpful step away from�� Therefore� we look for transitions of P� that may change the disjunction�y� � s � from F to T� The only candidate transition is m�� which sets y� to F�Consequently� we take

�� at�� at�m� y� s � �

The conjunct y� s � can be safely added to �� since all the states satisfyingat�� y� � s �� are already covered by ��

Looking for �at�� y� s � ��states that are one helpful step away from�� we easily identify

�� at�� at�m� y� s � �



In a similar way� we can identify the preceding assertion as

�� at�� at�m� y� s � �

Note that m�� which is the helpful transition for �� is enabled on all statessatisfying ��

At this point� we �nd out that the disjunction �� covers the rangeof all accessible �at��states� This is because P� must be in one of the locationsm�� m�� Due to �� the range m�� is covered by �� under the �y� disjunct�Locations m� � � � �m� for s �� are covered by �� under the disjunct s �� whilethe same locations for the case that s � are covered by assertions �� respectively�

In Fig� �� we present a CHAIN diagram using the intermediate assertionsconstructed through the preceding analysis�

Note that we have grouped under �� many possible states of P�� and havenot represented the movement of P� through them� This is justi�ed by the factthat �� is enabled on all of these states and is the transition declared as helpfulfor �� In contrast� we separated m�� m�� and m�� because the helpful transitionsthere changed from one of these states to the next�

In Problem �� the reader is requested to establish accessibility for anotheralgorithm for mutual exclusion�

Example �Peterson�s Algorithm � Version �

Consider the re�ned program MUX�PET�� version of Peterson�s algorithm� pre�sented in Fig� ��

In Section �� of the SAFETY book� we established the following invariants forthis program�

�� s � � s �

�� y� � at��

�� y� � at�m��

We intend to verify the property of accessibility for program MUX�PET�� whichcan be expressed by the response formula

at�� z �p

� � at�� z �q

�

The construction of the appropriate veri�cation diagram starts in a similarway to the diagram for program MUX�PET� of the previous example� We take �mto be at�� From �� process P� can proceed at its own pace to �� which wetake as �m�� The next step taken by P� leads into �� where a more detailedanalysis is necessary�



��

�� at��

��

� C

DE

Fat�� y�C

DE

Fy�� s � ��

�� at�m�

m�

��

�� at�m�

m�

��

�� at�m�

m�

��

�� y� � s ��

��

�� at��

Fig� �� CHAIN diagram for program MUX�PET��

To perform this detailed analysis we take �� to be the goal assertion at��What should we take as �� In the preceding case� we characterized �� as beingone helpful step away from �� This characterization is not su�cient here� An�other requirement is that if s� is a successor of a ��state� then s� should satisfyeither �� or �� at�� This shows that we cannot take �� to be� as before� theassertion at�� y� � s �� This is because the accessible state

s�� f��m�g� y��T� y�� F� s�

�satis�es the candidate assertion at�� y� � s �� but has an m��successor



local y�� y�� boolean where y� � y� � F

s � integer where s �

P� ��

��

�� loop forever do��

�� noncritical

�� y� �� T

�� s ��

��

��a�� await �y�or

�b�� await s ��

�� critical

� � y� �� F

��

��

P� ��

��

m�� loop forever do��

m�� noncritical

m�� y� �� T

m�� s ��

m��

��ma�� await �y�or

mb�� await s ��

��m�� critical

m � y� �� F

��

��Fig� �� Program MUX�PET� �Peterson�s algorithm� � version �

given by

s�� f��m�g� y��T� y��T� s�

�which satis�es neither the candidate assertion nor ��

We observe that the cause for this problem is the disjunct �y� which can befalsi�ed �changed from T to F� by transition m� of P�� There is no such problemwith the disjunct s �� which cannot be falsi�ed by P�� Consequently� we take

�� at�� s ��



The only transition that can lead from a ��state to a ��state is m��Therefore� we take �� to be

�� at�� at�m� s � �

We also realize that the transition leading into �� is m� which changes y�from F to T and preserves the value of s� Consequently� we take �� to be

�� at�m�� y� s � �

By now� we have covered all the states satisfying at�� y��s �� Fromnow on� the analysis proceeds as it did for program MUX�PET�� The �nal CHAINdiagram is presented in Fig� ��

This diagram partitions the range m�� into three regions� The region m��represented by �� guarantees the enableness of �a� �but not the enableness ofm� which is therefore drawn as a single edge�� However it may evolve into ��where no transition of P� is guaranteed to be enabled� Being at �� m� is thehelpful transition which eventually leads into �� In �� b� is enabled� and since

P� cannot falsify s �� eventually �b� is taken and leads to ��

The edge labeled �a� connecting node �� to node �� represents the possibilitythat �a� may be enabled on a state satisfying s �� A more careful analysis showsthat �� in this diagram can be strenghened to the assertionb�� at�m� s �� y��

and then this edge is unnecessary�

In Problem �� the reader is requested to verify accessibility for a familyof mutual exclusion algorithms� known as the bakery algorithms�

Example �Dekker�s algorithm�

Dekker�s algorithm for solving the mutual exclusion problem is presented in pro�gram MUX�DEK of Fig� ��

In comparison to Peterson�s algorithm� Dekker�s algorithm has a relativelysimple safety proof but rather elaborate proof of accessibility�

� Invariants

In Section �� of the SAFETY book we derived the following invariants forprogram MUX�DEK�

�� t � � t �

�� y� � �at��

�� y� � �at�m��

These are the invariants we needed to prove the mutual exclusion property� i�e��the invariance of



��

�� at��

��

��

�� at��

�� C

DE

Fat�� y�C

DE

Fy�� s � ��

�� at�m�

mb�

��

�� at�m�

m�

��

�� at�m

m

��

�� at�m�� y� s �

m�

�

�a��

�

��

�� at�m� s �

m�

��

�� s ��

�b�

�

�a��

�� at��

Fig� �� CHAIN diagram for program MUX�PET��


�� Chain Diagrams �

local y�� y�� boolean where y� � F� y� � F

t � integer where t �

P� ��

��


�� noncritical

�� y� �� T

�� while y� do

�� if t �

then

�� y� �� F

� � await t �

�� y� �� T

�� critical

�� t ��

�� y� �� F

��

��

P� ��

��


m�� noncritical

m�� y� �� T

m�� while y� do

m�� if t �

then

��m�� y� �� F

m � await t �

m�� y� �� T


m�� t ��

m�� y� �� F

��

��Fig� �� Program MUX�DEK �Dekker�s algorithm

for mutual exclusion��

�� at�� at�m��

As we will see� additional invariants are needed for the support of the responseproperty� We will develop them as they are needed�

� Response



The main response property of this algorithm is� of course� that of accessi�bility� It is stated by

�� at�� at��

We partition the proof of the accessibility property into three lemmas� provingrespectively�

Lemma A at�� at�� t � � � �at�� t � � � at��

�Lemma B at�� t � � � �at�� t � �

Lemma C at�� t � � � at��

Obviously� the di�cult part of the protocol is the loop at �� Being withinthis loop� P� is considered to have a higher priority when t � � Lemma A claimsthat if P� is just starting its journey towards the critical section� then it will eitherreach �� with a lower priority� or get to �� with a higher priority� or reach ��Lemma B claims that if P� is at �� with a low priority it will stay within the loopand eventually gain a high priority� Lemma C shows that if P� is within this loopand has a higher priority� then it will eventually get to ��

Clearly� by combining these three response properties� using the transitivityof response rule TRNS�R we obtain the required accessibility property�

Proof of Lemma A

The proof of the response property

at��

�at�� t � � � �at�� t � � � at��

�is presented in the CHAIN diagram of Fig� ��

It is easy to follow P� from �� to �� If t � on entry to �� then we arealready at the goal at�� t � � Otherwise� we enter �� with t � � settingy� to T� Here we examine the possible locations of P�� Assertions �� and ��cover all the possibilities� The possible motions of P� within these three assertionsconsist of taking m�� setting t to � which raises the priority of P� and attainsthe goal at�� t � � The other possible movements are from �� to �� andthen to �� Being at m�� with y� � T and t � � P� cannot move elsewhere�Transition mode �T� is enabled on �� and �� states� while mode �F� is enabled on�� Both are helpful since they lead to at�� t � and at�� respectively�

Proof of Lemma B

The proof of the response property

at�� t � � � �at�� t � �



��

�� at��

��

�

��

�

C

DE

Fat�� y�� t � ��

�� at�m�� y�

�T��

�

m��m��

�

m�

�

�

��

�� at�m�� y��F��

��

m��m�

��

�� at�m�� y�

�T��

� �

��

��at�� t �

��at��

��

��at�� t �

Fig� �� CHAIN diagram for Lemma A�

is presented in the CHAIN diagram of Fig� ��

From �� P� proceeds to �� since t � � and then to � while resetting y� toF� While being at �� P� may still set t to by performing m�� which leads tothe goal at�� t � �

However� once P� enters � � it stays at � waiting for t to change to � Atthat point we have to inspect where P� may currently be� We consider as possiblelocations of P� all of m��m�� tracing their possible �ow under the relatively stablesituation of t � � y� � F� We see that all transitions are enabled and lead to m�which eventually sets t to as required�

A tacit assumption made in this diagram is the exclusion of m�� m�� andm�� as possible locations while P� is at � with y� � F and t � � This assumptionmust hold for the program� if we believe Lemma B to be valid� Indeed� considerthe situation that P� is waiting at � with y� � F and t � � while P� is at m��



C

DE

Ft � C

DE

Fy� ��

�� at��

��

�� at��

��

�

m�

�

��

C

DE

Fat�� y� ��

�� at�m�

m�

��

�� at�m

m ��

�� at�m�

m��

��

�� at�m�

m��

��

�� at�m�

m�

��

�� at�m�

m��

�� at�m�

m�

��

�� at�m�

m�

�� at�� t �

Fig� �� CHAIN diagram for Lemma B�

Since P� is allowed to stay at the noncritical section forever� this would lead to adeadlock� denying accessibility from P��

We must therefore conclude that if the algorithm is correct� and guaranteesaccessibility to both processes� then the following assertion must be invariant



at�� t � � at�m��

This invariance follows from the stronger invariant

�� at�� t � � at�m��

which we will prove�

By symmetry one can also require the invariance of

� at�m�� t � � at��

Proof of invariant � hh Exercise� ii

Clearly�

� � � at�� z �

� at�� t � � at�m�� z � �

holds�

Let us check the veri�cation conditions for assertion �� which are of theform

at�� at�m� �y� �y� t � z �

at�� t � � at�m�� z � �

�

at �� t� � � at ��m�� z � �

�

�

There are three transitions that may potentially falsify assertion ��

Transition m�

Sets t to which makes t� � false and hence preserves the assertion�

Transition ��

Leads to at�� which makes at �� false�

�T� while t �

This is possible only if y� � T which� by �� implies at�m�� at�m��and therefore at�m�� This almost gives us at�m�� with the exceptionof m�� We thus need additional information that will exclude the possibilityof P� being at m�� while t � �

Clearly� while entering m�� from m�� P� sets t to � Can P� change it back to �while P� is still at m�� The answer is no� because m�� as we see in �� is stilla part of the critical section and is therefore exclusive of �� the only statementcapable of changing t to �

This suggests the invariant

�� at�m�� t �



and its symmetric counterpart

�� at�� t � �

To prove �� we should inspect two transitions�

Transition m�

Sets t to �

�� while at�m��

Impossible due to ��

This establishes � and similarly �� Having � we can use it to show that the lasttransition considered in the proof of �� namely �T� while t � � implies at�m��which establishes ��

Proof of Lemma C

Lemma C states that if P� is within the waiting loop �� with higher priority�i�e�� t � � then eventually it will reach �� It is stated by

at�� t � � � at��

The proof is presented in the CHAIN diagram of Fig� � ��

Note our e�orts to minimize the number of assertions by grouping togethersituations with di�erent control con�gurations� wherever possible� Thus for all thestates where y� � T and P� is either at �� or at �� we do not distinguish betweenthese two possibilities� but partition the diagram according to the location of P��This is because� in this general situation� it is P� which is the helpful process andwe have to trace its progress� On the other hand� when y� � F� P� becomes thehelpful process and we start distinguishing between the cases of at�� and at��while lumping together the locations of P� into two groups� m�� and m � Thesetwo groups must be distinguished because it is possible �though not guaranteed�to exit the �rst group into a situation where y� � T� but it is impossible to exitm into such a situation� This is because when P� is at m with t � � it cannotprogress until t is changed to �

InProblem �� the reader is requested to prove accessibility for two variantsof Dekker�s algorithm�

Case Splitting According to the Helpful Transitions

In the preceding examples� the main reason for using rule CHAIN�J with m � intermediate assertions has been that the program requires m helpful steps toreach the goal� In most of these applications there always was a worst casecomputation that actually visited each of the assertions� starting with �m andproceeding through �m�� m�� up to �� q�



C

DE

Ft �

�� at�� at��

� �� at��

�� C

DE

Fat�� y�

C

DE

Fy�� at�m�m� �� at�m�

m� �� at�m��

m��

� C

DE

Fat�m�� y� �� at�� at��

��

��

m��m�

�

C

DE

Fy�� at�m�m� �� at�m�

m� �� at�m�

m�

� C

DE

Fat�m � �y� �� at�� at��

��

�� at��

Fig� � �� CHAIN diagram for Lemma C�



This is not the only motivation for using several intermediate assertions�Another good reason for wishing to partition the state space lying between p andq into several assertions is that di�erent states in that space may require di�erenthelpful transitions for getting them closer to the goal�

Example �maximum�

Consider� for example� program MAX presented in Fig� � � This program placesin output variable z the maximum of inputs x and y� The program consists oftwo parallel statements that compare the values of x and y�

in x� y� integerout z � integer

�� if x � y then

�� z �� x��

�� m�� if x y thenm�� z �� y

m��

��Fig� � � Program MAX �maximum��

The response statement we would like to prove for this program is

at�� at�m� z �p

� � maximal�z� x� y� z �q

�

where maximal�z� x� y� stands for the formula

maximal�z� x� y�� z � x � z � y� z � x z � y�

claiming that z is the maximum of x and y�

Clearly� the goal of this response property is achieved in the helpful stepswhich are either �� and �� or m� and m�� Perhaps one would expect a proof ofthis property by rule RESP�J that only uses one intermediate assertion ��

However� no such proof exists� The reason for this is that we cannot identifya single transition that is helpful for all the states satisfying p� at�� at�m��Clearly� for all states satisfying p x � y� �� is the helpful transition� while forstates satisfying px y� m� is the helpful transition� Consequently� we need atleast four intermediate assertions in a proof of this property by rule CHAIN�J�

We choose the following assertions and helpful transitions

�� at�m� x y �� m�

�� at�� x � y ��


�� Well�Founded Rule ��

�� at�m� x y �� m�

�� at�� x � y ��

�� q�

It is straightforward to verify that all the premises of rule CHAIN�J are satis�ed bythis choice�

In Fig� � � we present a CHAIN diagram for the proof of the consideredresponse property�

C

DE

Fx � y��

�� at��

��

��

�� at��

��

�

C

DE

Fx y��

�� at�m�

m�

��

�� at�m�

m�

�� maximal �z� x� y�

Fig� � � CHAIN diagram for program MAX�

Assertions �� and �� partition �non�exclusively� the situation at��at�m�

into states for which �� is helpful and has not been taken yet� and states for whichm� is helpful and has not been taken yet�

It is not di�cult to verify that taking �� from a ��state� as well as takingm� from a ��state� leads to �� and �� respectively� Choosing �� to rank above�� is quite arbitrary� In particular� we do not have a computation that goes from��states to ��states� Every computation follows either the �� route or the�� route�

�� Well�Founded Rule

In rule CHAIN�J we treated each of the participating assertions �� m asseparate entities� and made no attempt to �nd a uniform representation for �j as



a single formula involving j� This approach is adequate for response propertieswhich require a bounded number of steps for their achievement� e�g�� at most �vein the case of program MUX�PET� �Fig� �� The bound must be uniform andindependent of the initial state�

There are many cases� however� in which no such bound can be given apriori� To deal with these cases� we must generalize the induction over a �xed�nite subrange of the integers� such as �� m in rule CHAIN�J� into an explicitinduction over an arbitrary well�founded relation�

Well�Founded Domains

We de�ne a well�founded domain �A�� to consist of a set A and a well�founded

order relation � on A� A binary relation � is called an order if it is

� transitive� a � b and b � c imply a � c� and

� irre�exive� a � a for no a � A�

The relation� is called well�founded if there does not exist an in�nitely descendingsequence a�� a�� of elements of A such that

a� � a� � � � � �

A typical example of a well�founded domain is �N� �� where N are the nat�ural numbers �including �� and � is the greater�than relation� Clearly� � iswell�founded over the natural numbers� because there cannot exist an in�nitelydescending sequence of natural numbers

n� � n� � n� � � � � �

For an arbitrary order relation � on A� we de�ne its re�exive extension �

to hold between a� a� � A� written a� a�� if either a � a� or a � a��

The Lexicographic Product

Given two well�founded domains� �A�� and �A�� we can form their lexi�

cographical product �A�� where

A is de�ned as A� �A�� i�e�� the set of all pairs �a�� a�� such that a� � A�

and a� � A��

� is an order de�ned for �a�� a�� b�� b�� A by

�a�� a�� b�� b�� i� a� �� b� or a� � b� a� �� b��

Thus� in comparing the two pairs �a�� a�� and �b�� b�� we �rst compare a� againstb�� If a� �� b�� then this determines the relation between the pairs to be �a�� a�� b�� b�� If a� � b�� we compare a� with b�� and the result of this comparisondetermines the relation between the pairs�


�� Well�Founded Rule �

The order � is called lexicographic� which implies that� as when searchingin a dictionary� we locate the position of a word by checking the �rst letter �rstand only after locating the place where the �rst letter matches� do we continuematching the subsequent letters�

The importance of the lexicographic product follows from the following claim�

Claim �lexicographic product�

If the domains �A�� and �A�� are well�founded� then so is their lexi�cographic product �A��

Clearly� by the above� the domain �N�� where � is the lexicographic orderbetween pairs of natural numbers� is well�founded� This order is de�ned by

�n�� n�� m��m�� i� n� � m� or n� � m� n� � m��

According to this de�nition

��

New well�founded domains can be constructed by taking lexicographic prod�ucts of more than two well�founded domains� Applying this construction to thedomain �N� �� of natural numbers� we obtain the domain �Nk�� for k � �where � is the lexicographic order between k�tuples of natural numbers� Theorder � is de�ned by

�n�� nk� � �m�� mk� i� n� � m�� ni�� mi�� ni � mi

for some i� i k�

For example� for k � �

��

It is easy to show that the domain �Nk�� is well�founded�

The Rule

Let �A�� be a well�founded domain� As in rule CHAIN�J� we use several inter�mediate assertions �� m to describe the evolution from p to q � �� RuleCHAIN�J uses the index of the assertion as a measure of the distance from thegoal q� The rule presented here associates an explicit ranking function �i witheach assertion �i� i � �� k� The function �i maps states into the set A andis intended to measure the distance of the current state to a state satisfying thegoal q�

We refer to the value of �i in a �i�state as a rank of the state� The well�founded rule WELL for response properties is given in Fig� � �� Premise W states



that every p�position satis�es one of �� m� Premise W states that every�i�position with positive i and rank u is eventually followed by a position whichsatis�es some �j � with a rank lower than u�

For assertions p and q � �� m�a well�founded domain �A�� andranking functions �� m� � �� A

W� p �m�i�

�i

W � �i �i � u � �� m�j�

��j u � �j

��for i � � � � � �m

p � � q

Fig� � �� Rule WELL �well�founded response��

Justi�cation It is straightforward to justify rule WELL� Consider a computation� that satis�es premises W� W � and let t� be a position in � which satis�es p�By W� some �i is satis�ed at t�� If it is �� q� we are done� Otherwise� let �i� �i� � �� be the assertion holding at t� and let u� denote the rank of the state atposition t�� By W � there exists a position t�� t� � t�� such that some �j holdsat t� with a rank u� � A� such that u� � u�� If j � �� we are done� Otherwise�we proceed to locate a position t� � t��

In this way we construct a sequence of positions

t� t� t� � � � �

and a corresponding sequence of elements from A �ranks�

u� � u� � u� � � � � �

such that either the sequence is of length k and q � �� holds at the positiontk� or the sequence is in�nite and some �j � j � �� holds at each ti with rank�j � ui there� The later case is impossible since that would lead to an in�nitelydescending sequence of elements of A� in contrast to the well�foundedness of �over A� It follows that for some tk � t�� q � �� holds at tk� which shows that� q holds at t��

Example �factorial�



Consider program FACT of Fig� � �� This program computes in z the factorial ofa nonnegative integer x� We wish to prove for this program the response property

at�� x � � y � x z � z �p

� � at�� z � x z �q��

�

in x� integer where x � �local y � integer where y � xout z � integer where z �

�� while y � � do

�� y� z� �� y � � z � y�

��

��Fig� � �� Program FACT �factorial��

Intending to use rule WELL with m � � it only remains to choose the assertion�� and the ranking functions �� and �� This necessitates the identi�cation ofa well�founded domain �A�� where A serves as the range of �i� Obviously� ��should describe the intermediate stage in the process of getting from p to q� and�� should measure the distance of this intermediate stage from the goal q � ��Premise W ensures that steps in the computation always bring us closer to thegoal�

For program FACT� a good measure of the distance from termination is thevalue of y� This is because when we are at �� there are y more iterations ofthe while loop before the program terminates� We therefore choose �N� �� as ourwell�founded domain and jyj as the ranking function� Thus�

�A� �� N� �� and �� jyj� �

The choice of �� is natural because� being at a ��state� we are alreadyat the goal� and the distance to the goal can therefore be taken as ��

The intermediate assertion �� should represent the progress the computationhas made� so that when y � �� we can infer that z � x � Clearly� the way theprogram operates is that it accumulates in z the product of the terms x��x�� In an intermediate stage� z contains the product x � �x� � � � � �y � �� which canalso be expressed as x �y � provided � y x�

We thus arrive at the intermediate assertion

�� at�� y x z � x �y �



It only remains to show that premises W�W are satis�ed by these choices�

Premise W

This premise requires

at�� x � � y � x z � z �p

�

� � �z��

� at�� y x z � x �y z ��

�

This implication is obviously valid�

Premise W

This premise requires showing

at�� y x z � x �y z ��

jyj� � n �

�

�BBBBBB�

at�� z � x z ��

n � �z��

�

at�� y x z � x �y z ��

n � jyj� z ��

CCCCCCA�

Since �� jyj � � n implies that n � �� it is su�cient to prove thisimplication for every n � �� As �� implies y � �� we may replace jyj by y�

Case n � �

For this value of n� we prove

at�� y x z � x �y z ��

y � � �

��at�� z � x z �

��

� ��

which simpli�es to

at�� z � x y � � � � �at�� z � x � �

This� of course� can be proven by a single application of rule RESP�J� observingthat� under the situation described by the antecedent� only transition �� isenabled� and taking it leads to at�� z � x �

Case n � �

In this case� we will prove



at�� y x z � x �y z ��

y � � n � �

��at�� y x z � x �y z �

��

n � y � ��

This can be proven by rule CHAIN�J using three assertions� �� and ��

The top assertion �� corresponds to �� y � � n� Assertion �� describesthe intermediate state� after passing the test of the while statement� andbeing at �� The �nal assertion �� implies �� y � � n � n� anddescribes the situation after performing the assignment �� and arriving backat �� The veri�cation diagram in Fig� � � describes this proof�

C

DE

F� y x� z � x �y

C

DE

Fy � � n � ��

�� at��

��

��

�� at��

��

�� at�� y � � n �

Fig� � �� Veri�cation diagram for case n � �

Thus� by treating separately the cases n � and n � � we conclude that premiseW holds for every n � � This establishes that the conclusion

at�� x � � y � x z � z �p

� � at�� z � x z �q

of rule WELL is valid�

A Rule with Nontemporal Premises



Rule WELL� used for proving response formulas� has as its premise W � anotherresponse formula� This allows a recursive use of the rule� by which the temporalpremise W is proved either by the simpler rule RESP�J� or by rule WELL again�only applied to simpler assertions� As a matter of fact� if we closely examine theproof of the previous example� we can identify there the use of those two options�For proving W for n � � we used rule RESP�J� since the response property forthis case is accomplished in one step� On the other hand� the case of n � accomplishes W in two steps� and we therefore had to use rule CHAIN�J�

However� in many cases� we do not need the recursive application of the rule�which means that premise W is proved directly by rule RESP�J� In these cases itis advantageous to replace the temporal premise W by the nontemporal premisesof rule RESP�J� which are necessary for its derivation� This leads to a �combined�form of the rule in which all premises are nontemporal� Such a form is oftenmore satisfactory because it explicitly manifests the power of the rule to derivetemporal statements from nontemporal ones�

This leads to rule WELL�J �Fig� � ��

For assertions p and q � �� m�transitions �� m � J �a well�founded domain �A�� andranking functions �� m� � �� A

JW� p �m�j�

�j

JW � �� i �

��m�j�

��j �i � ��j �

� ��i �i � ��i�

��for every � � T

JW�� i �i �m�j�

��j �i � ��j�

JW�� i � En��i�

��for i � � � � � �m

p � � q

Fig� � �� Rule WELL�J �well�founded response under justice��



The rule requires �nding auxiliary assertions �i and transitions �i� i �� m� a well�founded domain �A�� and ranking functions �i� � �� A� Eachassertion �i� i � � is associated with the transition �i that is helpful at positionssatisfying �i� and with its own ranking function �i�

Premise JW requires that every p�position satis�es one of �� m�

Premises JW �JW� impose three requirements for each i � � � � � �m�

Premise JW requires that� taking any transition from a �i�position k� alwaysleads to a successor position k� � k � � such that

� either some �j � j � �� m� holds at k� with a rank ��j lower than �i at k�or

� �i holds at k� with a rank ��i equal to the rank �i at k�

The main implication of premise JW is that if the situation has not improvedin any noticeable way in going from k to k�� i�e�� the new rank still equals theold rank� at least we have not lost the identity of the helpful transition and thetransition that was helpful in k is also helpful at k��

Premise JW� requires that transition �i� which is helpful for �i� always leadsfrom a �i�position k to a next position which satis�es some �j and has a ranklower than that of k� i�e�� i � ��j �

Premise JW� requires that the helpful transition �i is enabled at every �i�position�

Justi�cation To justify the rule� assume a computation such that p holds atposition k� and no later position i � k� satis�es q � �� By this assumption andJW� some �j � j � �� must hold at position k� Let �i� be the formula holdingat k� and denote the rank �i� at k by u�� By JW�� transition �i� is enabled atposition k�

Consider the transition � taken at position k� leading into position k� � ByJW and JW�� either position k � has a lower rank u�� u��u�� or it has thesame rank� but then �i� is still the helpful transition at k� and is enabled there�In the case that the rank is still u�� we can continue the argument from k � to k � � k � �� etc� However� we cannot have all positions i � k with the samerank� To see this� assume that all positions beyond k do have the same rank�By JW and JW�� this implies that �i� is continuously helpful and enabled� ByJW�� i� is not taken beyond k because taking it would have led to a state witha rank lower than u�� Thus� our assumption that all positions beyond k have thesame rank leads to the situation that �i� is continuously enabled and not taken�violating the justice requirement for �i� �

Thus� eventually� we must reach a position k�� k� � k� with lower rank u��where u��u�� In a similar way we can establish the existence of a positionk� � k�� with rank u� where u�� u�� Continuing in this manner� we construct



an in�nitely descending sequence u� � u� � u� � � � � of elements of A� This isimpossible� due to the well�foundedness of � on A�

We conclude that every p�position must be followed by a q�position� estab�lishing the consequence of the rule�

Note that since premise JW� implies premise JW for � � �i� it is su�cientto check premise JW only for � �� i�

Rule CHAIN�J can be viewed as a special case of rule WELL�J which uses �i � i�for i � �� m� as ranking functions� It is not di�cult to see that the premisesJ � J�� and J� of rule CHAIN�J correspond precisely to premises JW � JW�� andJW� of rule WELL�J� The well�founded domain used in this special case is the�nite segment !��m" of the natural numbers ordered by ��


We use rule WELL�J to prove that program FACT of Fig� � � satis�es the responseproperty of total correctness

at�� x � � y � x z � z �p

� � at�� z � x z �q��

�

Obviously� except for the terminating state� execution of program FACT al�ternates between states satisfying at�� in which �� is the helpful transition� andstates satisfying at�� in which �� is helpful�

Consequently� we take m � and use the following intermediate assertions�

�� at�� y x z � x �y

�� at�� y x z � x �y

�� at�� z � x �

Note that when control is at �� y is required to be greater than or equal to �

It remains to determine the ranking functions �i� i � �� Our previousanalysis of the considered response property for program FACT �using rule WELL�identi�ed jyj as a good measure of progress over �N� �� Variable y keeps decreas�ing as the program gets closer to termination� Unfortunately� premise JW� of ruleWELL�J requires that � decreases on each activation of a helpful transition� As wesee� not every helpful transition causes jyj to decrease� In particular� �� does notchange jyj� Consequently� we have to supplement jyj by an additional componentthat will decrease when jyj stays the same� This leads to the following choice�

��jyj�

��

�jyj�

��

��

��



The corresponding well�founded domain is�N�f� g� �

�� where � is the lexico�

graphical order between pairs of integers�

In the previous proof of this property� we used the measure jyj� to ensurethat the rank decreases also on the transition from �� to �� Since the use of pairsguarantees such a decrease by a decreasing second component� we can omit the� increment and take the �rst component to be simply jyj�

We may view the ranking function �i� �jyj� i� as consisting of a major and aminor measures of progress� Function jyj measures large steps of progress� suchas one full iteration of the loop at �� The minor component i measures smallersteps of progress� Observe that transition �� actually causes the minor measure ito increase from to � but at the same time it decreases the major measure jyj�

Let us consider the premises of rule WELL�J� Since both �i�s imply y � �� wemay replace jyj by y�

� Premise JW

We prove JW by showing

at�� x � � y � x z � z �p

�

� � � � at�� y x z � x �y z ��

�

which is obviously valid�

� Premises JW � JW� for i �

For i � we will show

�� at�� y x z � x �y z ��

�

�BBBBBBB�

at �� z � x z ��

�

�y� � z ��

� �y�� z ��

�

�

at �� y� x z� � x �y� z ��

�

�y� � z ��

� �y�� z ��

�

CCCCCCCA�

for each transition � � f�� g� not necessarily the helpful one� Obviously� this willsatisfy both JW and JW�� Since at�� implies that transition �� is disabled� theleft�hand side of the implication for � � �� is false and the implication is triviallytrue�

For � � �� we prove the implication by separately considering the casesy � � and y ��



Case y � ��

In this case �� implies at �� y� � y � �� and z� � z� Since z � x �y andy � � imply z � x � it follows that the left�hand side implies ��

Case y ��

In this case �� implies that y � �� which together with �� implies at ��y� � y� and z� � z� Assertion �� implies y x z � x �y which togetherwith y � � establishes �� The rank decrease �y� � � �y� � is obvious�

� Premises JW � JW� for i �

For i � we will show

�� at�� y x z � x �y z ��

�

� � � ��at �� y� x z� � x �y� z �

��

�

�y� � z ��

� �y�� z ��

�

��

for each transition � � f�� g� not necessarily the helpful one� Obviously� this willsatisfy both JW and JW�� Since at�� implies that transition �� is disabled� theleft�hand side of the implication for � � �� is false and the implication is triviallytrue�

For � � �� we observe that �� implies at �� y� � y � � and z� � z � y�Substituting these expressions in the right�hand side of the implication reducesthe conjunction to

� y � x z � y � x ��y � � �y� � � �y � � ��

all of which are either obviously valid or are implied by ��

� Premises JW�

The helpful transitions for �� and �� are �� and �� with enabling conditionsat�� and at�� respectively� Obviously� they satisfy

at�� z ��

� at�� z �En��

at�� z ��

� at�� z �En��

as required by premise JW��

This establishes the four premises of rule WELL�J� proving the response prop�erty of total correctness for program FACT

at�� x � � y � x z � � � �at�� z � x ��


�� Well�Founded Rule �

A Condensed Representation of Ranking Functions

Many of our proofs consider ranking functions that consist of lexicographic pairsof natural numbers� i�e��

� � �d�� d��

Such a function decreases over a transition even if d� increases� provided d� de�creases at the same time� Lexicographic order implies that even a small decreasein d� outweights an arbitrarily large increase in d�� In some cases there exists abound M � M � �� which is larger than any possible increase in d�� In these caseswe may use the ranking functionb� � M � d� � d��

which ranges over N� instead of the original � � �d�� d�� which ranges over N�N�

We refer to b� as a condensed representation ranking function�

In Problem �� the reader is requested to prove that in such cases�b� � M � d� � d� � b� � � M � d�� d�� i� �� d�� d�� d�� d��

For example� in the above proof of program FACT� we used the ranking func�tions

�i� �jyj� i��

Since the maximal increase in the value of i is which is smaller than � we couldhave used instead the condensed ranking functionb�i� � jyj � i�

Example �up down�

Consider program UP�DOWN presented in Fig� � �� This program can be viewedas an extension of program ANY�Y of Fig� � � Process P� increments y� countingup in �� as long as x � �� Once P� �nds that x is di�erent from �� it proceedsto �� where y is decremented until it becomes �� Process P��s single action isto set x to � Obviously� due to justice� x will eventually be set to � However�one cannot predict the number of helpful steps required for P� to terminate� Thelonger P� waits before performing m�� the higher the value y will attain on themove to �� It is this value of y which determines the number of remaining stepsto termination�

In fact� for every n � �� we can construct a computation requiring more than�n helpful steps to achieve y � �� This computation allows P� to increase y upto n� and only then activates m�� At least n more steps of P� are needed todecrement y back to ��

Consequently� we need rule WELL�J to prove the response property




P� ��

�� while x � � do

�� y �� y �

�� while y � � do

�� y �� y �

��

�� P� ��

�m�� x ��

m��

�

Fig� � �� Program UP�DOWN�

at�� at�m� x � y � � z �p

� � at�� at�m� z �q

for program UP�DOWN�

In order to construct the intermediate assertions and the ranking functions�i� we observe that there are three distinct phases in the achievement of at�� at�m�� The �rst phase waits for P� to perform m�� This phase terminates whenm� is executed� In the second phase� P� senses that x has been set to and movesto �� In the third phase� P� is within �� and decrements y until y reaches � andP� moves to ��

Consequently� it seems advisable to use the well�founded domain �N�� oflexicographic triples �n�� n�� n�� whose �rst element n� identi�es the phase� andwhose remaining elements� n� and n�� identify progress within the phase� Recallthat lexicographic ordering on triples of natural numbers is de�ned by

�n�� n�� n�� m�� m�� m�� i�

��n� � m� or

n� � m�� n� � m� or

n� � m�� n� � m�� n� � m��

Obviously� this ordering is a well�founded relation on N��

Consider the remaining elements needed to measure progress within a phase�The �rst phase terminates after one helpful step� m�� The second phase terminatesin two helpful steps� �� followed by �� The last phase has y measuring coarseprogress� and it takes two steps to decrement y� �� followed by ��

Consequently� we de�ne the following assertions� helpful transitions and rank�ing functions�

�� at�� at�m� x � � y � � �� m� ��

�� at�� at�m� x � y � � ��



�� at�� at�m� x � y � � ��

�� at�� at�m� x � y � � �� jyj� �

�� at�� at�m� x � y � � �� jyj� �

�� at�� at�m� ��

Note that progress within the second phase is measured by the third component�which moves from to � on execution of �� Progress within the third phase ismeasured by the pair �y� � at�� which decreases on execution of both �� and��

hh Exercise�ii

Let us show that all premises of rule WELL�J are satis�ed by these choices�

� Premise JW

For this premise we have to show the implication

at�� at�m� x � y � � z �p

�

� � � � at�� at�m� x � � y � � z ��

�

which is obvious�

� Premise JW for ��

It is su�cient to show the following for each � �� m�

�� at�� at�m� x � � y � � z ��

�

� � � ��at �� at ��m� x� � � y� � � z �

��

�

� � �� z ��

� � � �� z ��

�

��

The only transitions � �� m� enabled on ��states are �� and �� For each of them�� implies at �� x� � x � �� and y� � y � �� Consequently� the implication isvalid�

� Premise JW� for ��

We show

�m� at�� at�m� x � � y � � z �

��

�


� Chapter �� Response��

at �� at ��m� x� � y� � � z ��

�

� � �� z ��

� �� z ��

�

�

at �� at ��m� x� � y� � � z ��

�

� � �� z ��

� �� z ��

�

��

Clearly� �m�implies x� � � y� � y� at ��m� and at ��i � at��i for i � �� By

�� either at�� or at�� holds� In the case that at�� T� the second disjunctis implied� In the case that at�� T� the �rst disjunct is implied� The decreasein rank is obvious in both cases�

� Premises JW � JW� for ��

Since �� is the only transition enabled on ��states� the following implicationestablishes both JW and JW� for ��

�� at�� at�m� x � y � � z ��

�

� � � ��at �� at ��m� x� � y� � � z �

��

�

�� z ��

� �� z ��

�

��

Transition relation �� implies at �� at ��m� � at�m�� x� � x� and y� � y� By�� it follows that �� holds� and the decrease in rank is obvious�



�� at�� at�m� x � y � � z ��

�

� � � ��at �� at ��m� x� � y� � � z �

��

�

�� z ��

� �� jy�j� � z ��

�

�

Transition relation �� under x � implies at�� and at ��m� � at�m�� It alsoimplies x� � x and y� � y� The rank decrease �� jy�j� � is obvious� since� the �rst component of the left�hand side� is larger than �� the �rst componentof the right�hand side�





�� at�� at�m� x � y � � z ��

�

�BBBBBBB�

at �� at ��m� z ��

�

�� jyj� � z ��

� �� z ��

�

�

at �� at ��m� x� � y� � � z ��

�

�� jyj� � z ��

� �� jy�j� � z ��

�

CCCCCCCA�

We distinguish between two cases�

Case y � ��

In this case� �� implies at �� y� � y � �� and at ��m� � at�m�� Since ��implies at�m� � T� the left�hand side of this veri�cation condition impliesthe right�hand side disjunct �� jyj� � � ��

Case y ��

By �� it follows that y � �� In this case� �� implies at �� at ��m� � at�m��x� � x� and y� � y � �� Together with �� these imply �� To show the rankdecrease� we observe that jyj � jy�j and � �



�� at�� at�m� x � y � z ��

�

� � � ��at �� at ��m� x� � y� � � z �

��

�

�� jyj� � z ��

� �� jy�j� � z ��

�

��

Transition relation �� implies at �� at ��m� � at�m�� x� � x� and y� � y � �By the clause y � � in �� we have y� � y � � �� The decrease in rank followsfrom y � � and �� jyj� � � �� y� � � �� y � � � � �� jy�j� ��

� Premise JW�

This premise requires showing the following implication for each i � � � � � � ��

�i � En��i��

By inspecting �i for each i � � � � � � �� we see that this is indeed the case�

This concludes the proof�



Persistence of the Helpful Transitions

Premise JW of rule WELL�J requires that� in the case that a transition does notattain a lower rank in the next state� it must maintain the rank and lead to astate that still satis�es �i� and therefore maintain �i as the helpful transition� Werefer to this clause as a requirement for the persistence of helpful transitions� Onemay wonder how essential this requirement is� and whether it would be possibleto relax this requirement� In Problem � � we request the reader to consider aversion of rule WELL�J in which premise JW has been relaxed to allow the helpfultransition to change without rank decrease� The problem shows that the resultingrule is unsound�

�� Rank Diagrams

To represent by diagrams proofs of response properties that require the use ofwell�founded ranking� we have to add some more components to the labels ofnodes�

A veri�cation diagram is said to be a RANK diagram if its nodes are labeledby assertions �� m� with �� being the terminal node� and ranking func�tions �� m� where each �i maps states into A� and it satis�es the followingrequirement�

� Every node �i� i � �� has a double edge departing from it� This identi�esthe transition labeling such an edge as helpful for assertion �i� All helpfultransitions must be just�

Note that� unlike CHAIN diagrams� we allow node �i to be connected to �j forj � i�

Veri�cation and Enabling Conditions for RANK Diagrams

Consider a nonterminal node labeled by assertion � and ranking function �� andlet �� k� k � �� be the � �successors of � and �� k be their respectiveranking functions�

� If transition � is unhelpful for �� i�e�� labels only single edges departing fromthe node� then we associate with � and � the following veri�cation conditionn� � � u

o�n

�� u� �� u � �� k u � �k�o�

� If � is helpful for � �labels double edges�� we associate with � and � thefollowing veri�cation conditionn

� � � uo

�n

�� u � �� k u � �k�o�


�� Rank Diagrams ��

� For every nonterminal node � and a transition � labeling a double edgedeparting from �� we require

� � En��

Note that in the case of an unhelpful transition� we allow a � �successor with arank equal to that of �� provided it satis�es the same assertion ��

Valid RANK Diagrams

A RANK diagram is said to be valid over program P �P �valid for short� if allthe veri�cation and enabling conditions associated with the diagram are P �statevalid�

The consequences of having a valid RANK diagram are stated in the followingclaim�

Claim �� RANK diagrams�

A P �valid RANK diagram establishes that the response formula

m�j�

�j � � ��

is P �valid�

If� in addition� we can establish the P �state validity of the following implica�tions�

p �m�j�

�j and �� q

then� we can conclude the validity of

p � � q�

Justi�cation It is not di�cult to see that a valid RANK diagram establishes thepremises of rule WELL�J with p�

Wmj� �j � q� �� and �i the transition helpful for

�i being the transition labeling the double edge departing from �i in the diagram�This establishes the P �validity of

m�j�

�j � � ��

Given assertions p and q� satisfying the implications

p �m�j�

�j and �� q�

we can use rule MON�R of Fig� �� to infer



p � � q�


The diagram of Fig� � � presents a valid RANK diagram that establishes totalcorrectness for program FACT �Fig� � ��

C

DE

Fy x� z � x �y

��

�� at�� y

�� jyj� �

��

�

��

�

��

�� at�� y

�� jyj� �

��

��

�

�� at�� z � x �y

�� jyj� ��

Fig� � �� RANK diagram for total correctness of program FACT�

This diagram contains a connection from�� to �� which is disallowed in chaindiagrams� However� the validity of the implied veri�cation conditions ensuresthat� whenever a transition is taken from a ��state s� to a ��state s�� the rankdecreases� i�e�� s�� s��

Distributing the Ranking Functions

To make RANK diagrams more readable� we introduce additional encapsulationconventions�

One of the useful conventions is that compound nodes may be labeled by alist of assertions� Such labeling indicates that the full assertion associated with abasic �noncompound� node ni is a conjunction of the assertion labeling the nodeitself and all the assertions labeling compound nodes that contain ni�


�� Rank Diagrams ��

Thus� while the label of node �� in the diagram of Fig� � � is at�� y�the full assertion associated with this node is

at�� y y x z � x �y �

We can view this representation as distribution of the full assertion into the partat�� y labeling the node itself and the part y x z � x �y labeling theenclosing node� which is common to both �� and ��

In a similar way� we introduce a convention for distribution of ranking func�tions� The convention allows us to label a compound node by

�� f �

where f is some ranking function mapping states into a well�founded domain A�In most of our examples� the domains are either �N� �� or lexicographic productsof this domain�

Consider a basic node ni labeled by assertion �i and local ranking functionfb� Assume that node ni is contained in a nested sequence of compound nodesthat are labeled by ranking labels �� f�� fm� as we go from the outermostcompound node towards ni� This situation is depicted in Fig� � �� Then the fullranking function associated with the node �i is given by the tuple

�i � �f�� fm� fb��

That is� we consider the outermost ranking f� to be the most signi�cant compo�nent in �i� and the local ranking fb to be the least signi�cant component�

C

DE

F�� f� rrrC

DE

F�� fm rrr �

��

�i� � � �

�� fbni rrrrrr

Fig� � �� Encapsulated sequence of nodes�




In Fig� �� we present a version of the RANK diagram of Fig� � �� in whicha common component of the ranking function appears as a ranking label of theenclosing compound state�

C

DE


�� jyj

��

�� at�� y

��

��

�

��

�

��

�� at�� y

��

��

��

�

�� at�� z � x �y

�� jyj� ��

Fig� �� RANK diagram with distributed ranking functions�

The full ranking functions associated with the nodes in the RANK diagram ofFig� �� are identical to those appearing in Fig� � ��

Another rank distribution convention allows one to omit the local rank label�ing a node �i altogether� This is interpreted as if the node were labeled with theranking function �� i� where i is the index of the node �and the assertion labelingit�� In Fig� �� we present another version of the RANK diagram for programFACT� using this convention�

The full ranking functions associated with the nodes in this diagram are�

�� jyj� �� jyj� �� and ��

This raises the question of how to compare lexicographic tuples of unequallengths such as �� jyj� � and ��

Since all our examples will be based on tuples of non�negative integers� weagree that the relation holding between �a�� ai� and �b�� bk� for i k is de�termined by lexicographically comparing �a�� ai� �� to �b�� bi� bi��


�� Rank Diagrams �

C

DE


�� jyj

�� at�� y

��

�

��

�

�� at�� y��

��

�

�� at�� z � x �y

Fig� �� RANK diagram with default local ranking�

� � � � bk�� That is� we pad the shorter tuple by zeros on the right until it assumesthe length of the longer tuple�

According to this de�nition� �jyj� � � �� since �jyj� � � ��

Example �up�down�

In Fig� �� we present a valid RANK diagram which implies� by monotonicity� theproperty of termination for program UP�DOWN �Fig� � ��

at�� at�m� x � y � � z �p

� � at�� at�m� z ��

�

The diagram provides a detailed description of the progress of the computa�tion from �� to �� It shows that progress from �� to �� is due to a CHAIN�likereasoning� Then� the progress from �� and �� to �� requires a well�founded ar�gument with the measure jyj for coarse progress� and the index j � � of �j formeasuring �ne progress�

The ranking functions appearing in this diagram are somewhat di�erent fromthe ones used originally� When padded to the maximumlength of �� they are givenby

��

��



C

DE

Fy � � ��

�� at�� at�m� x � �

m�

�

� � ��

C

DE

Fat�m�� x � ��

�� at��

��

�

� � ��

��

�� at��

��

�

� � ��

C

DE

Fat�m�� x � �� jyj

��

�� at��

��

�

��

�

� � � � jyj� �

��

�� at�� y � ��

��

� � � � jyj� �

� �� at�� at�m� � � ��

Fig� �� RANK diagram for termination of UP�DOWN�

��

�� jyj� �

�� jyj� �

��

Note that the diagram contains a connection from �� to �� This is allowedbecause �� decrements y and leads to a decrease in rank� stated by


�� Response with Past Subformulas ��

� � jyj� � � � � jy � j� ��

In Problems �� the reader is requested to prove total correctness ofseveral programs�

�� Response with Past Subformulas

In this section we generalize the methods and proof rules presented in the pre�ceding sections to handle response formulas p � � q� where p and q are pastformulas�

The generalization is straightforward� It involves the following systematicmodi�cations and replacements�

� Wherever a rule calls for one or more intermediate assertions� the past�versionof the rule requires �nding past formulas�

� Each premise of the form � � �� for assertions � and �� is replaced by anentailment b�� b� for corresponding past formulas b� and b��

� A veri�cation condition fpg � fqg� for past formulas p and q and transition� � is interpreted as the entailment �� p � q�� where the primed version ofa past formula is calculated as in Section �� of the SAFETY book�

For example� in Fig� �� we present the past version of rule WELL�J�

Similar past versions can be derived for rules RESP�J and CHAIN�J�

Example Let us illustrate the use of the past version of rule WELL�J for provingthe response property

� n y � � �y � n Q �at�� y � n��

for program UP�DOWN of Fig� � ��

This property states that any position i at which y is greater or equal to somen � �� is followed by a position j at which y � n and such that� at a precedingposition k j� y equaled n while control was at �� This property characterizesa feature of program UP�DOWN by which a computation that achieves y � n atsome state� has at least two occurrences of states in which y � n� One occurrencehas control at �� while the other occurrence has control at ��

In our proof� we use the following invariants for program UP�DOWN

�� y � �

�� at�� at�m� x � �� at�� at�m� x � �

�� at�� y � �

�� y n � Q �at�� y � n��



For past formulas p and q � �� m�transitions �� m � J �a well�founded domain �A�� andranking functions �� m� � �� A

JW� p �m�j�

�j

JW � �� i �

��m�j�

��j �i � ��j �

� ��i �i � ��i�

��for every � � T

JW�� i �i �m�j�

��j �j � ��j �

JW�� i � En��i�

��for i � � � � � �m

p � � q

Fig� �� Past version of rule WELL�J�

State invariants �� and � are derived and proven in the usual way�

Proving the Invariance of �

Formula � is a past invariant� and can be proven by rule P�INV� taking� � �� y n � Q �at�� y � n�� Premise P of rule P�INV is trivial since� � �� Premise P requires

� � �at�� y � � � � � z �

� y n � �at�� y � n� z ��

�

As n � �� we consider two cases� If n � � then y � � implies y n� If n � �then at�� y � � implies at�� y � n�

Finally� premise P requires showing

�� y n � Q �at�� y � n� z ��

�


�� Response with Past Subformulas �

y� n � �at �� y� � n� � Q �at�� y � n� z ��

�

This can be shown by temporal instantiation of the implication

�� y n � p� ��y� n � �at �� y� � n� � p

��

Obviously if p � T the implication is trivially valid� It therefore remains to showthat the following holds�

�� y n � y� n � �at �� y� � n��

This implication can be potentially falsi�ed only by a transition that cantransform a state satisfying y n into a next state satisfying ��y� n�� i�e��y� � n� The only candidate transition is �� Therefore� we consider

� � � at �� y� � y � z ��

y n � y� n � �at �� y� � n��

As y n� we consider two cases� If y n � then y� � y � n� If y � n � then at�� y� � y � implies at �� y� � n�

This concludes the proof of past invariant ��

Proving the Response Formula

To prove the response formula

� n y z �p

� � y � n Q �at�� y � n� z �q

�

we use the past version of rule WELL�J as presented in Fig� ��

The choice of intermediate past formulas�� helpful transitions and rank�ing functions is presented in the veri�cation diagram of Fig� ��

Note that each of �� is a past formula� For example� the full formula�� is given by

�� at�� at�m� x � y � n � � Q �at�� y � n��

Let us consider some of the premises required by rule WELL�J� Premise JWrequires the following implication

� n y �

Q �at�� y � n� �y � n � y � n

�B�at�� at�m� x � �

�

at�� at�m� x �

CA� z �

��

�



C

DE

Fy � n � �� Q �at�� y � n��

�� at�� at�m� x � �

m�

� C

DE

Fat�m�� x � ��

�� at��

��

��

�� at��

��

� C

DE

Fat�m�� x � �� jyj

��

�� at��

��

�

��

�

��

�� at�� y � ��

��

� �� y � n Q �at�� y � n�

Fig� �� RANK diagram for �� n y� � � �y � n Q �at�� y � n��

It is not di�cult to see that this entailment follows from invariants ��

Observe that each �i� i � �� can be written in the form

�i � Q �at�� y � n� b�i�where b�i is a state formula�

Consequently� premise JW can be written as follows

�� b�i Q �at�� y � n� �


�� Compositional Veri�cation of Response Properties �

�Q �at�� y � n��

�b��

j�

�b��j �i � ��j� � �b�i �i � ��i�

��

Since Q �at�� y � n� entails�Q �at�� y � n�

�� which expands to the

disjunction �Q �at�� y � n��

� �at �� y� � n� � Q �at�� y � n��

it only remains to establish the following state entailment

�� b�i � b��

j�

�b��j �i � ��j� � �b�i �i � ��i��

This entailment can be proven in a way similar to the proof of the veri�cationconditions in the RANK diagram of Fig� �� whose ranking functions are identicalto those of Fig� ��

The past conjunct Q �at�� y � n� can be similarly factored out also forpremise JW��

This concludes the proof that property

� n y � � �n � y Q �at�� y � n��

for program UP�DOWN�

�� Compositional Veri�cation of ResponseProperties

Compositional veri�cation is a method intended to reduce the complexity of ver�ifying properties of large programs� The method infers properties of the wholesystem from properties of its components� which are proven separately for eachcomponent�

We apply compositional veri�cation to programs that can be decomposedinto several top�level processes� called components� which communicate by sharedvariables and such that every variable of the program can be modi�ed by at mostone of these components� A variable which is modi�ed by component Pi is saidto be owned by Pi�

Modular Computations

Let P ��!declarations#

!P� �� !�� S�"k � � �kPk �� !�k� � Sk "

""be a program� and

Pi be a component of P � Denote by V � fg � Y the set of system variables ofP � and let Yi � Y be the set of variables owned by Pi� Let Li denote the set oflocations of process Pi�



Assume that we have constructed the fair transition system �FTS� SP

� hV��T �J � Ci corresponding to P � We assume that the initial condition has the form

� � f�� k�g

#y�Y

py�y��

where� for each y � Y � py�y� is an assertion constraining the initial values ofvariable y� Obviously� py�y� is derived from one of the where clauses in thedeclarations of variables in P � If there is no where clause constaining y� thenpy�y� � T� Let Ti denote the transitions of S

Passociated with the statements of

Pi�

Based on the FTS SP

and process Pi� we construct a new FTS SMPi

� hVi�i� Ti�

Ji� Cii called the modular FTS corresponding to Pi� The FTS SMPi

is intended to

capture the possible behavior of process Pi in any context �not necessarily thatof P � which respects the ownership of Yi by Pi� That is� we are ready to considerany context whose only restriction is that it cannot modify any variable ownedby Pi� The constituents of SM

Pi

ar given by�

� Vi� V

The system variables of SMPi

are identical to the system variables of the com�

plete FTS SP

�

� i�� Li � f�i�g

�

#y�Yi

py�y�

The initial condition of SMPi

requires that� initially� the only Li�location con�

tained in is �i� and all the variables owned by Pi satisfy their initial con�straints as speci�ed in the where clauses of the program declarations� Exceptfor � nothing is required by i concerning the system variables not ownedby Pi�

� Ti � Ti � f�Eg

The transitions of SMPi

include all transitions associated with statements of

Pi �Ti� and a special environment transition �E

� Transition �E

is intendedto represent the actions of an arbitrary context which respects the ownershipof Yi by Pi� For each � � Ti� the transition relation SM

Pi

associates with � is

�� the transition relation SP

associates with � � The transition relation for�E

is given by

�E

� �� Li � � Li� press�Yi��

This transition relation guarantees the preservation of the Li�part of andpreservation of the values of all variables owned by Pi� The special treatmentof can be described by saying that� in addition to owning the variables inYi� Pi also owns the Li�part of �projection of on Li��



� Ji � J � Ti

The just transitions of SMPi

are the just transitions among Ti�

� Ci � C � Ti

The compassionate transitions of SMPi

are the compassionate transitions

among Ti�

There is no need to include the idling transition �I

in Ti because the e�ect of �I�

a transition that changes no system variable� can be obtained as a special case of�E

�

We refer to each computation of FTS SMPi

as a modular computation of process

Pi� As previously explained� any such computation represents a possible behaviorof process Pi when put in an arbitrary context which is only required to respectthe ownership rights of Pi�

Example �program KEEPING�UP�

Consider program KEEPING�UP presented in Fig� �� Top�level process P� ownsvariable x and the ��part of � We use �� as abbreviation for f�� g� Wecan construct SM

P�

� the modular FTS corresponding to process P� as follows�


P� ��

�� loop forever do$

�� await x y �

�� x �� x �

%�� P� ��

��m�� loop forever do$

m�� await y x�

m�� y �� y �

%��Fig� �� Program KEEPING�UP�

� V�� f� x� yg

� �� f��g

� x � �

� T�� f�� Eg

with the following transition relations �after some simpli�cations��

�� move�� pres�x� y�

�� move�� x y � pres�x� y�

�� move�� x� � x � pres�y�



�E

� �� pres�x�

In this relations� we used the following abbreviation�

move��i� �j�� at��i � �� f�ig

�� f�jg

� J�� f�� g

� C��

The following is a modular computation of process P��b�� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� �E�� f��m�g� x� �� y��

� �� f��m�g� x� � y��

��

In a similar way� we can construct SMP�

� the modular FTS corresponding to

process P��

The following claim establishes a connection between computations of theentire program and modular computations of its processes�

Claim �� computations of programs and modular computations�

Every computation of a program is a modular computation of each of itstop�level processes�

Thus� the set of computations of the entire program is a subset of the set ofmodular computations of each of its top�level processes�

Example Consider� for example� the following computation of program KEE�

PING�UP

�� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� m�� f��m�g� x� �� y� �

� �� f��m�g� x� � y� �

� m�� f��m�g� x� � y� �

� m�� f��m�g� x� � y�

� �� f��m�g� x� � y�

��

Viewed as a modular computation of process P�� this computation can be pre�sented as�


�� Compositional Veri�cation of Response Properties

�� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� �� f��m�g� x� �� y� �

� �E�� f��m�g� x� �� y� �

� �� f��m�g� x� � y� �

� �E�� f��m�g� x� � y� �

� �E��

� f��m�g� x� � y� � ��

�� f��m�g� x� � y�

��

Viewed as a modular computation of process P�� this computation can be pre�sented as�

�� f��m�g� x� �� y� �

� �E�� f��m�g� x� �� y� �

� �E��

� f��m�g� x� �� y� �� m��

�� f��m�g� x� �� y� �

� �E��

� f��m�g� x� � y� �� m��

�� f��m�g� x� � y� �

� m�� f��m�g� x� � y�

� �E�� f��m�g� x� � y�

��

This illustrates that a computation of a program is a modular computationof each of its top�level processes�

The weak converse of Claim �� is not true� There are modular computationsof process Pi which do not correspond to computations of the entire program� Thisis illustrated by b� the previously presented modular computation of process P�in program KEEPING�UP� This computation contains a state with y � � as a�E

�successor of a state with y � �� No such state can occur in a computation ofKEEPING�UP� This shows that the de�nition of modular computations of processPi allows more general contexts than the actual context provided by the programcontaining Pi� The actual context of P� within program KEEPING�UP is processP� which can never change y from a value of � to a value of ��

On the other hand� the strong converse of Claim �� is true� Let � be amodel �in�nite state sequence� such that the interpretation of is a subset of thelocations of P � The valid converse of Claim �� states that if � is simultaneouslya modular computation of every top�level process of P then � is a computationof P � In Problem �� we request the reader to prove this fact�

Modular Validity and a Basic Compositionality Rule

For a top�level process Pi within program P � we say that formula � is modularly

valid over Pi� denoted

Pi qm

��

if � holds over all modular computations of Pi� For example� the formula � �x �x�� stating that x never decreases� is modularly valid over process P� of programKEEPING�UP �Fig� �� while � �y � y�� is modularly valid over process P� ofthe same program� �

� x� and y� denote the values of x and y in the preceding state�



Rule COMP�B� presented in Fig� �� infers the P �validity of a formula � fromthe premise that � is modularly valid over some top�level process of P �

For a program p� Pi a top�level process of P � and � a tempo�ral formula

Pi qm �

P q �

Fig� �� Rule COMP�B �basic compositionality��

Soundness

Let P be a program and Pi be a top�level process of P � Assume that formula �is modularly valid over Pi� i�e� Pi qm �� This means that � holds over all modularcomputations of Pi� By Claim �� every computation of P is also a modularcomputation of Pi� It follows that all computations of P satisfy � and� hence� �is P �valid�

Rule COMP�B can be used to reduce the goal of establishing P q � into thesubgoals of establishing several modular validities �not necessarily of the sameformula �� In Problem � the reader is requested to establish this fact�

A Compositional Rule for Safety Properties

In theory� rule COMP�B is adequate for compositional veri�cation of any temporalformula� In practice� however� its application often proves inconvenient and callsfor additional temporal reasoning� Therefore� it is advantageous to derive morespeci�c rules� each of which is tailored to deal with temporal formulas of particularclasses�

In Fig� �� we present rule COMP�S which can be used for compositionalveri�cation of safety formulas�

Premise CS states that is an invariant of the entire program P � PremiseCS states that the entailment � � p is modularly valid over some top�levelprocess Pi� From these two assumptions� the rule infers that p is an invariant ofP �

Justi�cation Assume that premises CS and CS hold and let � be a compu�tation of program P � By premise CS� formula holds at all positions of �� Since



For Pi� a top�level process of program P � and past formulas � p�

CS� P q �

CS � Pi qm� � p

P q � p

Fig� �� Rule COMP�S �compositional veri�cation of safety properties��

every computation of P is also a modular computation of Pi� premise CS impliesthat the formula � � p holds at all positions of ��

Consider an arbitrary position j � � of �� By D� holds at all positionsk j and� therefore � holds at j� By CS � � � p holds at j and� therefore�so does p�

We conclude that p holds at all positions of ��

Rule COMP�S is often used in an incremental style� As a �rst step we take � T and prove Pi qm � p�� From this the rule infers

P q � p��

Next� we take � p� and prove Pi qm � p� � p�� This leads to

P q � p��

which may be followed by additional steps�

The advantage of this proof pattern is that in each step we concentrate onproving a modular validity over a single process Pi� If Pi is only a small partof the program� each compositional veri�cation step has to consider only a smallfraction of the transitions in the complete program�

We illustrate the use of rule COMP�S on a simple example�

Example �program KEEPING�UP�

Consider program KEEPING�UP presented in Fig� �� Process P� in this programrepeatedly increments x� provided x does not exceed y � � In a symmetric way�process P� repeatedly increments y� provided y does not exceed x � �

We wish to prove for this program the invariance of the assertion jx�yj �i�e��

� jx� yj z �p

�



claiming that the di�erence between x and y never exceeds in absolute value�

We prove this property by compositional veri�cation� using rules INV�P andCOMP�S� We �rst show the P �validities

P q � �x � x�� and P q � �y � y��

and then the P �validities

P q � �x y � � and P q � �y x � ��

The invariants x y � and y x � imply the desired P �validity

P q � �jx� yj ��

For more details of this proof� we refer the reader to Section �� of the SAFETYbook�

A Compositional Rule for Response Properties

Next� we present a rule that can support compositional veri�cation of responseproperties and illustrate its use� This is rule COMP�R� presented in Fig� ��

For Pi� a top�level process of program P � and past formulas � p� and q�

CR� P q �

CR � Pi qm p � � �q � � �

P q p � � q

Fig� �� Rule COMP�R �compositional veri�cation of response properties��

Justi�cation Assume that premises CR and CR hold and let � be a com�putation of program P � By premise CR� formula holds at all positions of ��Since every computation of P is also a modular computation of Pi� premise MR implies that the formula p � � �q � � � holds at all positions of �� Let j be ap�position of �� By MR � there exists a position k � j such that either q holdsat k or is false at k� The second alternative is impossible� due to CR� Weconclude that every p�position is followed by a q�position and� therefore� p� � qis valid over P �

Example �program PING�PONG�



local x� y� z� integer where x � y � z � �

P� ��

��own out x� z

�� x ��

�� await y � �

�� z ��

��

�� P� ��

��own out y

m�� await x � �

m�� y ��

m��

��Fig� �� Program PING�PONG�

We illustrate the use of rule COMP�R for compositional veri�cation of responseproperties on an example� In Fig� �� we present program PING�PONG�

The two processes of this program maintain a coordination protocol� Theprotocol starts by P� setting x to at statement �� This is sensed by P� at m��and is responded to by setting y to at statement m�� This is sensed by P� at�� and is responded to by setting z to at ��

We wish to establish for this program the response property

� � �z � ��

We start by proving� using rule P�INV� the modular invariance

P� qm� �x � x��

This is easy to prove since the local formula x � x� is inductive over themodular FTS corresponding to process P��

By rule COMP�B we can infer

P q � �x � x��

In a similar way� we establish P� qm� �y � y�� leading to

P q � �y � y��

Now� we use rule RESP�J to prove

P� qm z�p

� � x � � z �q

�

As the intermediate assertion and helpful transition� we take �� at�� and�h� ��

Using rule COMP�R with � T� we conclude

P q � � �x � ��



Next� we intend to establish

P� qm

x � � � � �y � � � x x��

As a �rst step� we use rule INV to prove

P� qm� at�m�� y � � z �

��

�

Having established the modular invariance of �� over P�� the following veri�cationdiagram proves that x � � � � �y � � � x x�� is modularly valid over P��

��at�m�m� ��at�m�m� ��

��

�x � � �E�� y � � � x x�

Note that the diagram allows the possibility that the environment changesx from a positive value to a nonpositive one� However� such a change leads to aposition satisfying x x��

Now� use rule COMP�R with � x � x�� p� x � �� and q� y � �� to conclude

P q x � � � � �y � ��

Next� we plan to establish

P� qm y � � � � �z � � y y��

As a �rst step� we use rule INV to prove

P� qm� �at�� z � ��

Having established this modular invariant� the following veri�cation diagramproves that y � � � � �z � � y y�� is modularly valid over P��

��at�� at�� at��

��

�y � � �E�� z � � y y�

Now� use rule COMP�R with � y � y� � p� y � �� and q� z � � to conclude

P q y � � � � �z � ��

Thus� we have shown that the three response properties � � �x � ��x � � � � �y � �� and y � � � � �z � � are all valid over program PING�PONG�Using rule TRNS�R� we conclude


�� Guarantee Properties �

� � �z � ��

�� Guarantee Properties

In this and the following section we consider methods for proving properties be�longing to the guarantee and obligation classes� Our approach to these classes isto consider them as special cases of the response class� and to use response ruleswith some simpli�cations for their veri�cation�

As de�ned in Section �� of the SAFETY book� guarantee properties are prop�erties that can be speci�ed by a formula of the form

� r

for some past formula r�

Clearly� guarantee properties are a special case of response properties� p �� r� where the antecedent p refers to the beginning of the computation� Conse�quently� an obvious rule for proving guarantee properties� is rule GUAR �Fig� ��

For past formula r

�rst � � r

� r

Fig� �� Rule GUAR �proving guarantee properties��

The rule requires as a premise a response property by which the initial con�dition of the program guarantees the eventual realization of r�

Example Consider system INC�� presented in Fig� ��

We wish to establish the guarantee property

� �x � � Q �x � ��

for system INC�� using rule GUAR� The premise of rule GUAR requires the responseproperty

pz � �rst x � � z �

� ��x � � Q �x � �� z �

r

��

This response property can be proven by rule WELL�J� using the intermediatepast formula



V � fx� integerg

� x � �

T � f�I� �g where �� x� � x�

J � f�g

C� �

Fig� �� System INC��

�� even�x� � x � �x � � � Q �x � ��

��

the helpful transition � � and the ranking function �� j �� xj�

Let us establish premise JW of rule WELL�J� It requires showing

� � � x � � z �p

� � � � � even�x� � x � �x � � � Q �x � ��

� z ��

�

Clearly� x � � entails all three conjuncts comprising �� Note that� in this case�we do not use the conjunct �rst which is part of p�

By rule GUAR� we conclude that property

� �x � � Q �x � ��

is valid over system INC��

The premise of rule GUAR contains �rst as part of the antecedent� Its purposeis to ensure that we only consider at the beginning of the computation� Asillustrated in the last example� in many cases we do not use this conjunct andsimply prove � � p� There are� however� some cases in which this conjunct isnecessary� as illustrated below�

Example Consider the simple program

local x� integer where x �

�� loop forever do !�� skip# �� x �� x"�

We consider the guarantee property

�� at�� x � ��

This property states that every computation of the program contains a posi�tion j satisfying at�� and such that x � at all positions i j�


�� Guarantee Properties �

This property is certainly valid for the program� To prove it� we have toestablish the response property

�rst at�� x � � � �at�� x � ��

Note� however� that the �rst conjunct is essential in this case� since the formula

at�� x � � � �at�� x � ��

is not valid over the program�

Consider position i in the computation� corresponding to the third visit to�� At this position x � � but there exist earlier positions in which x � ��Therefore� there exists no position later than i� at which at�� x � � holds�It follows that the implication at�� x � � � �at�� x � �

�does not

hold at i�

To prove that the full premise

�rst at�� x � z �p

� ��at�� x � � z �

r

��

is valid� we may use rule CHAIN�J �Fig� �� with the following intermediate pastformulas and helpful transitions�

�� at�� x � � ��

�� at�� x � � ��

�� r� at�� x � � ��

Premise J requires showing

�rst at�� x � z �p

� � � � � at�� x � � z ��

�

Clearly� the antecedent implies at�� To see that it also implies � �x � ��we observe that under �rst � any past formula p is congruent to �p�� the initialversion of p� Since the initial version of � �x � � is�� x � �

�� x � ��

the right�hand side simpli�es to at�� x � which is entailed by the left�handside�

Another premise that has to be checked is J� for transition ��

�� at�� x � � z ��

� � � � � at �� x� � � �x � � z ��

�

�

Since �� implies at �� and x� � x� and � �x � � implies x � � the entailmentis valid�



The rest of the premises are proven in a similar way� This establishes thevalidity of � �at�� x � �

��

Completeness of Rule GUAR

Rule GUAR is obviously sound� which means that the P �validity of the premise�rst � � r implies the P �validity of the conclusion � r�

The rule is also complete� which means that the P �validity of the conclusionimplies the P �validity of the premise� Consider �� an arbitrary computation ofprogram P � By the assumption that � r is P �valid� there exists a position k atwhich r holds� For � to satisfy the premise we have to show that every positioni � �� satisfying �rst � is followed by a position j� j � i� satisfying r� Since �is the only position satisfying �rst � we can take j to be k�

Completeness of rule GUAR is important because it tells us that the rule isadequate for proving all P �valid guarantee formulas�

�� Obligation Properties

Before studying the class of obligation properties� we introduce a special class ofresponse formulas�

Escape Formulas

Some response properties are naturally expressed by formulas of the form

p � � q � � r�

for past formulas p� q� and r�

This formula claims that� following a p�state� either q will hold forever or reventually occurs� We may view such a formula as stating that� following p� qshould hold continually unless we escape to a state that eventually leads to r�Consequently� we refer to formulas of this form as escape formulas�

To see that this formula speci�es a response property� observe that it isequivalent to

�q ��r� � �p �r� � � r�

In this form� the formula states that every �q�position preceded by a p�positionsuch that no r has occured since� must be followed by an r�position�

While� in principle� it is possible to use the general response rules to establishescape formulas� it is more convenient to use a special rule� presented in Fig� ��


�� Obligation Properties

For past formulas p� q� r� and �

E� p � q W �

E � � � � r

p � � q � � r

Fig� �� Rule ESC �escape��

Rule ESC uses an auxiliary past formula �� Premise E requires that� follow�ing a p�position� either q will hold forever or q will hold until an occurrence of ��Premise E requires that every ��position is followed by an r�position� Typically�we prove E by rule P�WAIT� a past version of rule WAIT �Fig� �� of the SAFETY

book�� and E by appropriate response rules�

Example Consider program MAY�HALT of Fig� �� This trivial program hasa nondeterministic choice at �� between getting deadlocked at �� or� taking the�a� branch� proceeding to �� Consequently� the program has some computationsthat reach �� and stay there forever� and some computations that never halt�


��a�� skip

or

�b�� skip# �� halt

�� skip

�� skip

��Fig� �� Program MAY�HALT �possible deadlock��

We use rule ESC to prove the property

�� at�� z �p

� � at�� z �q

� � at�� z �r

for this program�

Take



�� at��

Consider the two premises of rule ESC�

� Premise E


at�� z �p

� at�� z �q

W at�� z ��

�

It is straightforward to derive this property by rule WAIT�

� Premise E

at�� z ��

� � at�� z �r

�

A single application of rule RESP�J establishes this property�

This establishes the considered escape property�

From Escape to Obligation

The �simple� obligation class includes all the properties that can be speci�ed bya formula of the form

� q � � r�

for past formulas q and r�

We observe that such a formula can be rewritten as

�rst z �p

� � q � � r�

which represents it as a special case of an escape formula�

This observation inspires rule OBL �Fig� �� for proving obligation proper�


�� Obligation Properties �

For past formulas q� r� and ��

O� �rst � q W �

O � � � � r

� q � � r

Fig� �� Rule OBL �proving obligation properties��

ties�

Premise O requires that� from the beginning of the computation� q holdscontinuously and can be interrupted only at a position satisfying �� Premise O states that � guarantees an eventual r� Consequently� q can be interrupted onlywhen r is guaranteed� It follows that qW �� r� is valid� By properties of thewaiting�for operator� we may deduce � q � � r�

Example �incrementor�decrementor�

Consider Program INC�DEC presented in Fig� �� which nondeterministically in�crements or decrements an integer variable y�

local x� boolean where x � T

y � integer where y � �

�� loop forever do

��

��a�� hwhen x do y �� y � i

or

�b�� hwhen x do x �� Fi

or

�c�� hwhen �x do y �� y � i

��Fig� �� Program INC�DEC �nondeterministic

incrementor�decrementor��

We wish to prove for this program the obligation property

� y � � z �q

� � y � � z �r

�



Intending to apply rule OBL� it only remains to identify the intermediate formula�� The main characterization of � is that it describes the event whose occurrenceguarantees the eventual realization of r�

Examining the program� we see that the �rst moment we realize that y � �is going to happen is when x becomes false� Consequently we take

�� x y � ��

The premises that have to be veri�ed are as follows�

Premise O

To establish this premise it su�ces to prove

� � � z �bp � y � � z �bqq W �x y � � z �br� �

To prove this we use rule WAIT �Fig� �� of the SAFETY book� with the intermediateassertion b�� x y � ��

The three premises of rule WAIT require

W� at�� x y � � z �bp � x y � � z �b� � � � � �

which is obviously state valid�

W � x y � � z �b� � y � � z �bq �

which is trivially state valid�

W�� x y � � z �b� � x� y� � � z �b��

� �x� y� � � z �br�

�

for all transitions � in the program� It is not di�cult to see that all three require�ments are valid�

Premise O

To establish this premise we have to prove

�x y � � z ��

� � y � � z �r

�

This is proven by the RANK veri�cation diagram presented in Fig� ��

This concludes the proof of

� �y � �� y � ��


�� Obligation Properties ��

��

�� at��

��

��

�� at��

�c�

�

�c��

�

��

��x� y � �� y

��

�� y � �

Fig� �� Veri�cation diagram for �x y � � � � �y � ��

A general obligation property is a conjunction of the form

n#i�

�� qi � � ri��

Consequently� to prove the validity of such a formula� it is su�cient �and neces�sary� to prove the validity of each conjunct� which is a simple obligation property�

Completeness of rule OBL

Rule OBL is complete for proving �simple� obligation properties� This means that�whenever � q�� r is P �valid� we can �nd a past formula �� such that premisesO and O are also P �valid� The choice we can always make is taking

�� r � ��q � �r��We will show that� if the property � q � � r is P �valid� then the two premisesof rule OBL are also P �valid for this choice of ��

Premise O

For premise O it su�ces to show that

q W r � ��q � �r� z ��

is P �valid�

This formula states that either q holds forever� or it is interrupted by an r� or



it is interrupted by a �q�position which is not preceded by any r�position� Thisformula is valid in general so� in particular� it holds over all computations�

Premise O


r � ��q � �r� z ��

� � r�

for which it is su�cient to show

�q � �r � � r�

Assume to the contrary� that there exists a computation � and a position i suchthat �q � �r holds at i� but r does not hold at any position j � i� Since�q � r holds at i� r does not occur at any position j i� Therefore � does notsatisfy � r� On the other hand� since �q at i� � also does not satisfy � q� Thiscontradicts our assumption that � q � � r is P �valid�

Consequently� premise O is also P �valid�

As we continuously remind the reader� the auxiliary formula � constructedduring a proof of completeness is not necessarily the one we recommend for actualuse� In practice� we can almost always �nd better assertions�

Problems

Problem � �three values� page

Prove accessibility for process P� of program MUX�VAL�� of Fig� �� This programuses the shared integer variables y� and y�� Obviously� these variables can onlyassume one of the values f�� g�

Accessibility for P� is stated by the response formula

at�� at��

Problem �� bakery algorithms� page �

�a� Prove accessibility for process P� of program MUX�BAK�A of Fig� �� Notethat the two processes are not exactly symmetric due to the di�erence betweenstatements �b� and mb

��

The algorithm is called the bakery algorithm� since it is based on the ideathat customers� as they enter� pick numbers which form an ascending sequence�Then� a customer with a lower number has higher priority in accessing its criticalsection� Statements �� and m� ensure that the number assigned to yi� i � � � isgreater than the current value of yj � j �� i�


Problems ��

local y�� y�� integer where y� � y� � �

��


�� noncritical

��

&if y� � �

then y� ��

else y� ��

'

�� await y� �� y�

�� critical

�� y� ��

��

��

��


m�� noncritical

m��

&if y� � �

then y� ��

else y� ��

'

m�� await y� �� y�m�� critical

m�� y� ��

��

��Fig� �� Program MUX�VAL��

local y�� y�� integer where y� � y� � ��


�� noncritical

�� y� �� y� �

��

��a�� await y� � �

or

�b�� await y� y�

�� critical

�� y� ��

��

��

��


m�� noncritical

m�� y� �� y� �

m��

��ma� � await y� � �

or

mb�� await y� y�


m�� y� ��

��

��Fig� �� Program MUX�BAK�A�

�b� Program MUX�BAK�A does not obey the LCR restriction� In particular� state�ments �� and m� each contain two critical references� to y� and to y�� To correctthis situation� we propose program MUX�BAK�C of Fig� �� This LCR�programcontains two additional await statements that ensure that processes do not waittoo long at locations �� or m�� Show that program MUX�BAK�C guarantees acces�sibility for process P��

Problem �� variants of Dekker�s algorithm�� page �



local y�� y�� t�� t�� integer where y� � y� � �x�� x� � integer where x� � x� � �

��


�� noncritical

�� x� ��

�� t� �� y� �

�� y� �� t�� x� ��

� � await x� � �

��

��await y� � �

or

await y� y�

�� critical

�� y� ��

��

��

��


m�� noncritical

m�� x� ��

m�� t� �� y� �

m�� y� �� t�m�� x� ��

m � await x� � �

m��

��await y� � �

or

await y� y�


m�� y� ��

��

��Fig� �� Program MUX�BAK�C�

�a� Prove accessibility for process P� of program MUX�DEK�A of Fig� �� Thatis� show that the response formula

at�� at��

is valid over MUX�DEK�A�

�b� Prove accessibility for process P� of program MUX�DEK�B of Fig� �� Thatis� show that the response formula

at�� at��

is valid over MUX�DEK�B�

Problem �� condensed form of ranking functions� page ��

In the text� it was suggested that a ranking function � � �d�� d�� where d� andd� M are natural numbers� can always be replaced by the ranking functionb� � M � d� � d�� Show that if both d� M and d�� M � then

b� � M � d� � d� � b�� M � d�� d�� i� �� d�� d�� d�� d��

Problem � �rule with relaxed premise JW � page �


Problems ��

local y�� y�� t� integer where y� � y� � �� t � ��


�� noncritical

�� y� ��

�� while y� � do�� y� ��

��

��await t �

or

await y� � �

�� y� ��

�� critical

�� t ��

�� y� ��

��

��

��


m�� noncritical

m�� y� ��

m�� while y� � do��m�� y� ��

m��

��await t �

or

await y� � �

��m � y� ��


m�� t ��

m�� y� ��

��

��Fig� �� Program MUX�DEK�A �a variant of Dekker�s algorithm��

Consider a version of rule WELL�J in which premise JW has been replaced by theweaker premise

dJW � �� i � q� �k�

j�

��j �i � ��j ��

where �i� ��j stands for ��i � ��j � � ��i � ��j�� This premise requires that either

q is achieved by � � or the rank does not increase and some assertion �j �notnecessarily �i� holds after the transition�

Show that the resulting rule is unsound� That is� show a property thatsatis�es premises JW� dJW � JW�� and JW�� over a given program� and yet isinvalid� This will show that persistence of helpful transitions is essential�

Problem �� integer division� page ��

Program IDIV of Fig� �� accepts two positive integers in variables x and y andplaces in variable z their integer quotient x div y� and in variable w the remainderof their division xmod y� Prove total correctness of program IDIV� which can bespeci�ed by the response formula

� � �at�� x � z � y � w � w y��



local y�� y�� t� integer where y� � �� y� � �� t � ��


�� noncritical

�� y� ��

�� while y� � do�� if t � then�� y� ��

� � await t �

�� y� ��

��

�� critical

�� t ��

�� await y� ��

�� y� ��

��

��

��


m�� noncritical

m�� y� ��

m�� while y� � do��m�� if t � then��m�� y� ��

m � await t �

m�� y� ��

��

m�� critical

m�� t ��

m�� await y� ��

m�� y� ��

��

��Fig� �� Program MUX�DEK�B�

This formula states that every computation of program IDIV terminates �i�e��reaches the terminal location �� with values of z� w satisfying x � z � y � wand � w y�

in x� y � integer where x � �� y � �local t � integerout z� w � integer where z � w � �

�� t �� x

�� while t � � do

�� if w � � y

then �� z� w� t� �� z � � �� t� �

else �� z� w� t� �� z� w � � t � �

��

Fig� �� Program IDIV �integer division��


Problems �

Problem �� greatest common divisor� page ��

Program GCDM of Fig� �� accepts two positive integers in variables x� and x��It computes in z the greatest common divisor �gcd � of x� and x�� and in variablesw� and w� two integers which express z as a linear combination of the inputs x�and x�� Prove total correctness of program GCDM� which can be stated by theresponse formula

� � �at�� z � gcd�x�� x�� z � w� � x� � w� � x��

in x�� x� � integer where x� � �� x� � �local y�� y�� t�� t�� t�� t�� u � integerout z� w � integer

�� y�� y�� t�� t�� t�� t�� x�� x��

�� y�� y�� u� �� y�mod y�� y�� y� div y��

�� while y� �� do$�� t�� t�� t�� t�� t� � u � t�� t�� t� � u � t�� t��

�� y�� y�� u� �� y�mod y�� y�� y� div y��

%�� z� w�� w�� y�� t�� t��

� �

Fig� �� Program GCDM�greatest common divisor with multipliers��

The program uses the operation div of integer division and the operation mod

which computes the remainder of an integer division� In your proof you may usethe following properties of the gcd function which hold for every nonzero integersm and n �possibly negative��

gcd�m�n� � gcd �m � n� n� for every m �� n

gcd�m�m� � jmj�

Problem �� computing the gcd and lcm� page ��

Program GCDLCM of Fig� �� accepts two positive integers in variables x� andx�� It computes in variable z their greatest common divisor and in variable wtheir least common multiple� Prove total correctness of program GCDLCM� whichcan be stated by the response formula

� � �at�� z � gcd�x�� x�� w � lcm�x�� x��



in x�� x� � integer where x� � �� x� � �local y�� y�� y�� y� � integerout z� w � integer

�� y�� y�� y�� y�� x�� x�� x��

�� while y� �� y� do�� if y� � y� then

�� y�� y�� y� � y�� y� � y��

�� if y� y� then

�� y�� y�� y� � y�� y� � y��

�� z� w� �� y�� y� � y��

��

Fig� �� Program GCDLCM �computing the gcd and lcm��

In your proof you may use the properties of the gcd function listed in Prob�lem �� and the following property of the lcm function�

lcm�m�n� � m � n�gcd�m�n��

Problem �� set partitioning� page ��

Consider program EXCH presented in Fig� �� The program accepts as input twosets of natural numbers S and T � whose initial values are S� and T�� respectively�

Process P� repeatedly identi�es and removes the maximal element in S andsends it to P� which places it in T � Symmetrically� P� identi�es and removes theminimal element in T and sends it to P� which places it in S� The processes usethe operations max�S� and min�T � which �nd� respectively� the maximal elementin the set S and the minimal element in the set T � Show total correctness ofprogram EXCH� which can be speci�ed by the response formula

� � �at�� at�m� jSj � jS�j jT j � jT�j S T ��

This formula states that the program terminates and on termination� sets S andT have preserved their initial sizes and that every element in S is smaller than orequal to every element in T �

Problem �� converse of Claim �� page ��

Let P �� !P� �� S�k � � �kPk �� Sk " be a program whose top�level processes commu�nicate by shared variables and such that every program variable is owned by one


Problems ��

in S�� T�� set of natural where S� �� T� �� out S� T � set of natural where S � S�� T � T�local �� channel of integer

P� ��

��

local x� mx� integer

�� x ��

�� mx �� max�S�

�� while x mx do�� mx

�� S �� S � fmxg

�� x

� � S �� S � fxg

�� mx �� max�S�

��

��

��

P� ��

��

local y� mn� integer

m�� y

m�� while y � � do��m�� T �� T � fyg

m�� mn �� min�T �

m�� mn

m�� T �� T � fmng

m � �� y

��m��

��

Fig� �� Program EXCH �partitioning two sets��

of the top�level processes� Let � be a model such that the interpretation of isa subset of the locations of P and � is simultaneously a modular computation ofevery Pi� i � � � � � � k� Show that � is a computation of P �

Problem � �completeness of rule COMP�B� page ��

Let P �� !P� �� S�k � � �kPk �� Sk " be a program whose top�level processescommunicate by shared variables and such that every program variable is ownedby one of the top�level processes� Let � be a P �valid formula� Show that theP �validity of � can be compositionally inferred from modular validities� usingrule COMP�B and temporal reasoning� This establishes the completeness of ruleCOMP�B for compositional veri�cation�

A solution to this problem can be organized as follows�

� For each top�level process Pi� i � � � � � � k� construct a formula �i capturingthe temporal modular semantics of Pi� That is� a model � satis�es �i i� �is a modular computation of Pi� Argue semantically that

Pi qm �i�

for each i � � � � � � k�

� Use rule COMP�B and temporal reasoning to infer



P q �� k�

� Argue semantically that a model � satis�es �� k i� � is a computationof the entire program P � Therefore� if � is P �valid� then the following generalvalidity holds�

q �� k � ��

� Apply temporal reasoning to P q �� k and q �� k � � toinfer

P q ��

Z Manna and A Pnszabolcs/CompSys/apch1.pdf · y prop erties do not dep end on the fairness require men ts for their v alidit y progress prop erties do In Chapters ... tains prop erties

Documents