Modular Verification of Concurrent Programs

Brent Hailpern
Computer Sciences Department
IBM T. J. Watson Research Center
Yorktown Heights, New York 10598

Susan Owicki
Computer Systems Laboratory
Stanford University
Stanford, California 94305

The research of Susan Owicki was supported by the Defense Advanced Research Projects Agency under contract MDA903-79-C-0680.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

© 1982 ACM 0-89791-065-6/82/001/0322 $00.75

Abstract

Reasoning about concurrent programs is much more difficult than reasoning about sequential programs, because of the many ways in which processes can interact. In this paper we present a modular verification technique for concurrent programs that simplifies this task. A program is modelled as a set of modules that interact through procedure calls; each module may be either simple or compound. The specification of a module consists of an invariant, which describes the states of the module, and a commitment, which describes the liveness properties the module guarantees, together with a specification of each service (procedure) the module provides. Specifications are expressed in temporal logic and are robust, in the sense that they remain true regardless of what the other modules in the system do: they are restricted to variables local to the module, or to monotonic predicates, which once true remain true forever. Each module can therefore be verified independently of the code of the other modules, and the specifications of the modules can then be combined to prove safety and liveness properties of the whole system.

1. Introduction

Modularity is a central concept in programming languages [7, 9, 31], and it has been exploited in many ways. Modular verification of sequential programs is well understood: the specification of a procedure is proved from its code, and the proofs of its callers use only that specification. Verifying concurrent programs is much more difficult, because of the many possible interactions between processes; proof techniques for parallel programs [8, 32] typically require reasoning about the interactions of all the processes in the system. In this paper we propose a technique that makes it possible to decompose a concurrent program into modules, verify each module independently, and then compose the results to reason about the whole system.

We model a program as a set of modules that interact through procedure calls. A module may be either simple or compound. A simple module is a set of procedures together with the variables they share; simple modules include monitors [20, 21], ADA packages and tasks, and processes. Processes that communicate by message passing [4, 14] are handled by treating message passing as a form of procedure call [5]. (Systems based on message passing [8, 15] can be modelled using procedure calls as the communication medium [11].) A compound module is a set of modules that can be treated as a single entity; its components may in turn be simple or compound.

The properties we wish to prove are of two kinds. A safety property states that certain bad states never occur; partial correctness is the typical safety property of a sequential program, and an invariant is the typical safety property of a module. A liveness property states that certain good states eventually occur; termination is the typical liveness property of a sequential program, and for a module the typical liveness property is a guarantee that some requested service is eventually provided.

Our technique exploits the fact that many properties of a module are unaffected by the other modules of the system. A module's specification consists of an invariant, a commitment and the specifications of the services it provides to its environment, all expressed in temporal logic. The specifications are robust: once a robust assertion about module m is true, no action of another module can make it false. Robustness is obtained by restricting assertions to local variables of m, or by using monotonic predicates, which once true remain true forever. Because of robustness, the invariant and commitment of each module can be proved from its own code, independently of the other modules, and properties of the system can then be proved from the module specifications alone. The technique is language-independent.

The remainder of this paper is organized as follows. In section 2 we review a set of tools that will be used in module specifications. In section 3 we discuss module specifications and proofs, and argue that the verification technique is sound. Sections 4, 5 and 6 demonstrate the technique on three examples: a bounded buffer, a distributed paging server, and a distributed registration system. Section 7 is a summary and comparison with related work.

2. Tools

In this section we briefly review four tools that we use in module specifications: auxiliary variables, histories, private variables, and temporal logic.

A. Auxiliary and history variables. Auxiliary variables are variables included in a program only for convenience in reasoning about it; they do not affect the computation and do not have to be implemented. History variables, which have frequently been used in reasoning about parallel programs [8, 11, 16, 23, 24], are one class of auxiliary variables that is useful for reasoning about the interactions between modules. A history variable is an unbounded sequence: its initial value is the null sequence, and the only operation allowed on it is appending a new value. A history can therefore only be extended, never shrunk.

B. Private variables. Another class of auxiliary variables, private variables [23], is useful when dealing with procedure calls. It is convenient to specify the properties of a procedure in terms of variables that are local to both the called and the calling module. A variable x declared as private in a module M has one instance for each module C that calls M: C refers to its version of x as x[C], and M refers to the version belonging to its current caller as x[*]. In proofs a private variable can be treated as local to both M and the caller.

C. Temporal logic. Temporal logic is an extension of ordinary logic that allows reasoning about sequences of states (computations); its use for program verification was developed by Pnueli [26, 27], and the version we use was developed by Lamport [18]. A computation is a sequence of program states. Informally, we think of the first state of a computation as the present and the subsequent states as the future. Under this interpretation the two basic temporal operators are:

  □P (henceforth P): P is true now and will remain true forever, that is, at all points of the computation.
  ◇P (eventually P): P is true now or at some time in the future, that is, there is some point in the computation at which P is true.

A temporal formula is true of a program if it is true for every computation of the program that starts in an initial state; thus □P is true of a program if P holds in every state of every computation. We also use the operator a ~> b ("a leads to b"), defined as □(a ⇒ ◇b): whenever a is true, b is true then or at some later time. For reasoning about procedure calls we use the control predicates "at p", true when control is at the beginning of procedure p (a call of p has been initiated), and "after p", true when the call of p has terminated.

3. Module Specifications and Verification

We have already mentioned that module specifications contain an invariant, a commitment, and service specifications. The invariant is an assertion about the states of the module; it is a safety property, guaranteeing that certain bad states never occur. The commitment is a temporal formula describing the liveness properties that the module guarantees to its environment, typically that some service is eventually provided. The service specification of a procedure consists of a pre-condition and a post-condition, which describe its partial correctness in the usual way, and a live-condition, which states the circumstances under which a call is guaranteed to terminate. In a post-condition a primed variable x' denotes the value that x had when the call began.

One way of ensuring that a module meets its specification is to prove that its invariant holds in every state of the program, by considering every statement in the system [22]. This approach does not meet our goals for modularity: we want assertions about module m that can be verified by examining only the code of m, without examining the code of the other modules. We therefore require module specifications to be robust. An assertion is robust for module m if no action of any module other than m can make it false. If the invariant and commitment of m are robust, then the proof that m meets its specification depends only on the code of m: the other modules cannot interfere, so their code need not be examined. Our verification methodology depends on specifications being robust in the modules where they appear, but not on the way robustness is established. We indicate below two kinds of assertion that satisfy this requirement.

The simplest way of guaranteeing that an assertion is robust for m is to restrict it to variables that are local to m. With this approach the invariant and commitment use only local variables of the module, and the pre- and post-conditions of a procedure use only variables of the called module together with private variables, which are local to both the called and the calling module. Robustness can also be guaranteed by monotonic predicates: a predicate P is monotonic if, once it becomes true, it remains true forever, that is, if P satisfies □(P ⇒ □P). For example, a history variable can only be extended, never shrunk, so for any history h and any fixed sequence s the assertion "s is a prefix of h" is monotonic, and hence robust for any module.

Pre- and post-conditions of a service specification are a more complicated case, because they must be robust for both the calling and the called module. For the called module, restricting them to its own variables and to private variables suffices. For the calling module, a pre-condition can be relied on only if the called module's invariant holds at the time the call is initiated. We say that a module is open when it is ready to interact with another module: a monitor is open when no process is executing within it or when a process within it is waiting; an ADA task is open when it is ready to accept a rendezvous; and a module is also open when a process executing within it has called a procedure of another module. We require the invariant of a module to hold whenever the module is open. This is a stricter requirement than the usual one, which requires the invariant only at entry to and exit from the module's procedures, but in our experience it causes no difficulties, and it makes the invariant true whenever another module can observe the module. With this interpretation the pre- and post-conditions of a call can be verified from the code of the caller and the specification of the called module, without examining the called module's code.

4. Example: Bounded Buffer

Our first example is a bounded buffer of capacity N with procedures put and get; the buffer is a simple module. Its specification uses two auxiliary history variables and two auxiliary booleans:

  in: auxiliary history of item, initially null     (the items that have been put, in order)
  out: auxiliary history of item, initially null    (the items that have been got, in order)
  full: auxiliary boolean, initially false          (|in| − |out| = N)
  empty: auxiliary boolean, initially true          (|in| = |out|)

  Invariant: out ≤ in ∧ |in| − |out| ≤ N     (out is a prefix of in)

  put(i: item)
    pre: true
    post: in = in' ⊕ ⟨i⟩
    live: (at put ∧ □◇¬full) ~> after put

  get(var i: item)
    pre: true
    post: out = out' ⊕ ⟨i⟩
    live: (at get ∧ ◇¬empty) ~> after get

Here ⊕ denotes concatenation, and the primed variables denote the values at the time the call was made.

The live-condition for put states that a call of put will terminate provided the buffer is not full infinitely often (□◇¬full). The weaker premise ◇¬full would not be enough: if a process is blocked on a full buffer and the buffer later becomes not full, another process calling put could use up the empty space and leave the first process blocked. If only one process can call put on a buffer, then ◇¬full does suffice, because the assertion ¬full is then robust with respect to the calling process: no process other than the caller can cause full to become true. (Note that ◇¬full is exactly what must hold at the time put is called.) The situation for get is similar.

A bounded buffer implemented as a monitor obviously meets this specification, and the proof involves only the buffer's own code: the invariant mentions only the buffer's local variables, and the live-conditions mention only those variables and the control points of the calling process.
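The bounded-buffer specification above, worked through in code. This is an added example and not code from the paper: a Python model of the buffer with the history variables in and out, the invariant, the live-conditions, and checkers for □, ◇ and ~> over the finite computations produced by an explicit scheduler. The process names (P, P1, P2, C), their items and the schedules are constructed for the example. A finite trace only approximates a computation: □P is checked on the recorded prefix, and the second scenario stops while P2 is still blocked, which is exactly the situation the text describes for the premise ◇¬full with two callers of put.

```python
"""Added example (not the paper's code): bounded buffer, history variables, temporal checks."""
from collections import deque
from typing import Callable, Dict, List

State = Dict[str, object]                    # one point of a computation
TPred = Callable[[List[State], int], bool]   # temporal predicate at position i

def henceforth(tr: List[State], p: TPred, i: int = 0) -> bool:
    """[]P at i: P holds at state i and at every later state of the (finite) trace."""
    return all(p(tr, j) for j in range(i, len(tr)))

def eventually(tr: List[State], p: TPred, i: int = 0) -> bool:
    """<>P at i: P holds at state i or at some later state of the (finite) trace."""
    return any(p(tr, j) for j in range(i, len(tr)))

def leads_to(tr: List[State], a: TPred, b: TPred) -> bool:
    """a ~> b, i.e. [](a => <>b), checked at every position of the trace."""
    return all(not a(tr, i) or eventually(tr, b, i) for i in range(len(tr)))

# Lift a state predicate to a temporal one; conjunction; <> as a predicate; control points.
def now(pred: Callable[[State], bool]) -> TPred: return lambda tr, i: pred(tr[i])
def both(a: TPred, b: TPred) -> TPred: return lambda tr, i: a(tr, i) and b(tr, i)
def ev(p: TPred) -> TPred: return lambda tr, i: eventually(tr, p, i)
def at(name: str, pc: str) -> TPred: return now(lambda s: s[name] == pc)

class BoundedBuffer:
    """Capacity-n buffer; the history variables inp and out are only ever appended to."""
    def __init__(self, n: int) -> None:
        self.n, self.items, self.inp, self.out = n, deque(), (), ()
    def full(self) -> bool: return len(self.inp) - len(self.out) == self.n
    def empty(self) -> bool: return len(self.inp) == len(self.out)
    def put(self, item) -> None:              # only run by the scheduler when not full
        self.items.append(item)
        self.inp += (item,)
    def get(self) -> None:                    # only run by the scheduler when not empty
        self.out += (self.items.popleft(),)

class Proc:
    """A process that repeatedly calls put (with the items in todo) or get."""
    def __init__(self, op: str, todo: str = "") -> None:
        self.op, self.todo, self.pc = op, list(todo), "idle"   # pc: idle | at | after
    def step(self, buf: BoundedBuffer) -> None:
        if self.pc == "idle" and (self.op == "get" or self.todo):
            self.pc = "at"                    # a call starts: control is 'at put' / 'at get'
        elif self.pc == "at" and self.op == "put" and not buf.full():
            buf.put(self.todo.pop(0)); self.pc = "after"
        elif self.pc == "at" and self.op == "get" and not buf.empty():
            buf.get(); self.pc = "after"
        elif self.pc == "after":
            self.pc = "idle"                  # a step taken while blocked changes nothing

def run(n: int, procs: Dict[str, Proc], schedule: List[str]) -> List[State]:
    """Interleave the processes in the order schedule gives; snapshot after each step."""
    buf = BoundedBuffer(n)
    def snap() -> State:
        s: State = {"in": buf.inp, "out": buf.out, "full": buf.full(), "empty": buf.empty()}
        s.update({name: p.pc for name, p in procs.items()})
        return s
    trace = [snap()]
    for name in schedule:
        procs[name].step(buf)
        trace.append(snap())
    return trace

def invariant(n: int) -> TPred:
    """out <= in (out is a prefix of in)  and  0 <= |in| - |out| <= n."""
    return now(lambda s: s["in"][:len(s["out"])] == s["out"]
               and 0 <= len(s["in"]) - len(s["out"]) <= n)

def live(tr: List[State], p: str, op: str) -> bool:
    """(at p /\\ <>~full) ~> after p for a caller of put (with ~empty for a caller of
    get): the premise that the text says suffices when p is the only caller."""
    free = now(lambda s: not s["full" if op == "put" else "empty"])
    return leads_to(tr, both(at(p, "at"), ev(free)), at(p, "after"))

def check_single_producer() -> Dict[str, bool]:
    """P and C alternate on a buffer of capacity 2 (schedule constructed for the example)."""
    procs = {"P": Proc("put", "abcd"), "C": Proc("get")}
    tr = run(2, procs, ["P", "C"] * 12)
    return {"invariant": henceforth(tr, invariant(2)),
            "P_live": live(tr, "P", "put"), "C_live": live(tr, "C", "get")}

def check_two_producers() -> Dict[str, bool]:
    """Capacity 1; P1 refills the buffer each time C frees it, before P2 gets a turn."""
    procs = {"P1": Proc("put", "aaa"), "P2": Proc("put", "b"), "C": Proc("get")}
    sched = ["P1", "P1", "P2", "C", "C"] + ["P1", "P1", "P1", "P2", "C", "C", "C"] * 2 + ["P1"]
    tr = run(1, procs, sched)
    return {"invariant": henceforth(tr, invariant(1)),
            "P1_live": live(tr, "P1", "put"), "C_live": live(tr, "C", "get"),
            "P2_live": live(tr, "P2", "put")}   # False: <>~full is not robust for P2

if __name__ == "__main__":
    print(check_single_producer())
    print(check_two_producers())
```

check_single_producer() reports every property true. check_two_producers() uses capacity 1 and a schedule in which P1 refills the buffer each time C empties it; the invariant and the live-conditions of P1 and C hold, but (at put ∧ ◇¬full) ~> after put fails for P2, because ¬full is made false again by P1 before P2 is scheduled. With several callers of put the live-condition needs the premise □◇¬full, and the buffer must serve waiting callers fairly; this model's buffer has no waiting queue, which is what the failing check exposes.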
5. Example: Distributed Paging System

Our second example comes from the virtual memory and network paging system of Accent [29]. Accent is a communication-oriented operating system for a number of processors (nodes) connected by a network; many processes can exist at a node. Three basic goals of Accent are (1) that all communication between processes be through message passing, with ports as the basic communication primitive; (2) that any feature provided by the operating-system kernel (for example, virtual memory management) could instead be provided by a process; and (3) that the network be transparent: processes should be able to communicate as though they were at the same node, even though they are not.

Messages are sent to ports, and a port belongs to exactly one process: only that process can receive from the port, though many processes can have send access to it. Associated with each port is a queue of messages that have been sent to the port but not yet received. Communication through a port is reliable: messages sent to a port by one process are received in the same order in which they were sent, and messages may not be lost.

Pages (or segments) of virtual memory are stored on backing store that may be anywhere in the network; the pages are sent in messages between a user process and a paging server, which is responsible for the backing store. A user process can thus run at a node without knowing that its virtual memory does not reside at that node. In the rest of this section we discuss the communication between a user process and a paging server, and we show that communication with a server elsewhere on the network, through a port provided by a network server, is equivalent to communication with a local server through an ordinary port. We will not deal with the creation and destruction of ports or with the binding of ports to processes; we assume that the user and the server have already been given access to the ports through which they communicate.

General-Port Specification

We define a general-port module through which a user and a paging server communicate. Our goal is to show that both a bounded buffer (a local port) and a more complex module (a net-port, described below) meet the specification of the general-port. User u and paging server s use two general-ports, us and su: the user sends pages to be backed up, and requests for backed-up pages, through us, and the server returns backed-up pages through su. The user has send access to us and receive access to su; similarly, the server has send access to su and receive access to us. No other process may access these general-ports. We therefore make the assumption

  (A): only one process can call put, and only one process can call get, on a given port,

which permits the live-condition for put to use ◇¬full, as explained in the previous section. The general-port has the auxiliary variables in, out, full and empty of the bounded buffer, and its specification is:

  Invariant: out ≤ in ∧ |in| − |out| ≤ N

  put(i: item)
    pre: true
    post: in = in' ⊕ ⟨i⟩
    live: (at put ∧ ◇¬full) ~> after put

  get(var i: item)
    pre: true
    post: out = out' ⊕ ⟨i⟩
    live: (at get ∧ ◇¬empty) ~> after get

It is obvious that a bounded buffer meets this specification under assumption (A). In the rest of this section we describe a net-port and show that it also meets the specification.

We use the following notation for histories of records. If h is a history of records, h.f denotes the history of the f fields of the records of h (the i-th element of h.f is the f field of the i-th element of h), and proj(h, f = c) denotes the sub-history of h obtained by deleting all records whose f field differs from c. The ordering h1 ≤ h2 means that h1 is a prefix of h2, and x ∈ h means that x occurs in h.

Net-Port Description

Consider processes A and B that run on distinct nodes X and Y. A sends messages to a port that it believes belongs to B, but that in fact belongs to the network server N on X; N forwards the messages over the network to B's port on Y. In this way A and B can communicate as though they were on the same node: the port on X mirrors the port on Y.

A net-port is a compound module that consists of five sub-modules: three ports (bounded buffers), a network server, and the network. The sending process puts messages into a local input port ip. The network server ns is an intermediary process that repeatedly takes messages from all of its input ports and passes them on to the network port np: for a message taken from input port ip, ns adds the destination address δ(ip) (ns has a mapping δ from local port names to the names of the destination ports on other nodes) and sends the composite message [δ(ip), data] to np. The network nw takes the messages from np, strips off the address, and delivers the data to the destination port δ(ip) on the receiving node, from which the receiving process gets it. The net-port's put is implemented by ip.put and its get by δ(ip).get. We will not consider the underlying implementations of ns and nw; we treat them as modules with the specifications given below.

Network Server Specification

For a network server ns with input ports ip_u (one for each sending process u) and output port np, let I be the assertion □◇¬np.full (np is not full infinitely often).

  Invariant: ∀u (proj(np.in, addr = δ(ip_u)).data ≤ ip_u.out)
  Commitment: (I ⇒ ∀u □◇¬ip_u.full)
     ∧ (I ⇒ ∀d ∀u (d ∈ ip_u.in ⇒ ◇([δ(ip_u), d] ∈ np.in)))

The invariant states that the messages ns has sent to np with destination δ(ip_u) are a prefix of the messages it has taken from ip_u, in order. Assuming I, the commitment states that ns repeatedly takes messages from its input ports, so that a full input port eventually becomes not full, and that every message placed in ip_u is eventually passed on to np with its destination address.

Network Specification

The specification of the network nw is similar to that of the network server. For each node n, nw has an input port n.np; messages in these ports are pairs [addr, data], where addr names the destination port. Let d range over destination ports and n over nodes, and let J be the assertion ∀d (□◇¬d.full).

  Invariant: ∀d ∃n (d.in ≤ proj(n.np.out, addr = d).data)
  Commitment: (J ⇒ ∀n □◇¬n.np.full)
     ∧ (J ⇒ ∀x ∀n (x ∈ n.np.in ⇒ ◇(x.data ∈ x.addr.in)))
     ∧ (J ⇒ ∀x ∀n ((x ∈ n.np.in ∧ x ∉ n.np.out) ⇒ ◇¬x.addr.empty))

The invariant states that the messages delivered to a destination port d are those that were taken from the network port of the sending node and addressed to d, in order. The commitment states that, as long as destination ports do not remain full, the network ports do not remain full, every message placed in a network port is eventually delivered to its destination, and, in the final clause, if there is an undelivered message in a network port for destination port d, then d will eventually be non-empty. The final clause is what the net-port needs in order to establish the general-port's live-condition for get.

Net-Port Verification

Under assumption (A) and the assumptions I and J, it should be obvious that the general-port's invariant and commitment are implied by the conjunction of the specifications of the five sub-modules ip, ns, np, nw and δ(ip). The net-port's put is ip.put, its get is δ(ip).get, and its auxiliary variables are in = ip.in, out = δ(ip).out, full = ip.full and empty = δ(ip).empty. Once ip.put has been called, the invariant of ip, the commitment of ns and the commitment of nw guarantee that the message is eventually delivered to δ(ip); the invariants of the sub-modules, composed through the history variables, give the net-port's invariant; and the final clause of the nw commitment gives ◇¬empty for a waiting call of get. Because the invariants and commitments of the sub-modules are robust, none of their code need be examined again: the verification of the net-port uses only their specifications.
6. Example: Distributed Registration Server

Our final example is derived from the registration server of the Grapevine mail system [3]. Grapevine is a distributed system that manages a registration database of individuals and groups; the database is replicated at a number of sites, and the copies are kept consistent by propagating updates. Groups are used primarily for distribution lists, but they can also be considered access lists or used for other applications. In this discussion we are concerned only with group membership: a user at any site in the system may add or delete a name in a group, or ask whether a name is a member of a group.

The group g at site s is denoted s.g and is implemented as a monitor with procedures

  s.g.Add(n: name)
  s.g.Delete(n: name)
  s.g.IsMember(n: name): boolean

The monitor contains a record of the present members of the group and a queue of updates to be propagated to the other sites. An update is time-stamped with a time obtained from the clock of the site at which it is performed; for each name the record keeps the most recent update, and a name is present if its most recent update is an Add. A newly performed update is added to the record and to the queue; a forwarder process takes updates from the queue and sends them to the other sites over reliable channels, such as the net-ports of the previous section (the commitments of ns and nw guarantee that every update is eventually delivered). When an update is received from another site it is merged into the local record by timestamp: it is discarded if the record already holds a more recent update for that name, and otherwise it replaces the earlier update. Updates for a given name are thus ordered by timestamp rather than by real time; since the clocks at different sites are not perfectly synchronized, the two orderings may differ, and the copies of the database at different sites may be inconsistent for a short time (normally a few minutes) until all updates have propagated. Grapevine is designed so that this is acceptable to its applications. Failures of hardware and communication and their impact on the system will be discussed briefly at the end of this section.

References

… William Maybury, and Richard Sweet. Mesa language manual (version 5.0).
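The timestamped merge described in section 6, as an added example that is not part of the paper. Stamps are pairs (clock reading, site name), where the site name only breaks ties; the independently running per-site clocks, the site names A and B, and the sequence of updates are constructed for the example.

```python
"""Added example (not the paper's code): timestamp-merged replicas of one group,
with a forwarder that propagates queued updates to the other sites."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Stamp = Tuple[int, str]   # (clock reading, site name); the site name only breaks ties


@dataclass(frozen=True)
class Update:
    name: str
    present: bool   # True for Add, False for Delete
    stamp: Stamp


class GroupSite:
    """s.g at one site: the most recent update recorded per name, plus the queue of
    local updates still to be forwarded. clock is the site's own clock and is
    deliberately not synchronised with the clocks of other sites."""

    def __init__(self, site: str, clock: int = 0) -> None:
        self.site, self.clock = site, clock
        self.record: Dict[str, Update] = {}
        self.outbox: List[Update] = []

    def _stamp(self) -> Stamp:
        self.clock += 1
        return (self.clock, self.site)

    def add(self, n: str) -> None:
        self._local(Update(n, True, self._stamp()))

    def delete(self, n: str) -> None:
        self._local(Update(n, False, self._stamp()))

    def is_member(self, n: str) -> bool:
        u = self.record.get(n)
        return u is not None and u.present

    def _local(self, u: Update) -> None:
        self.merge(u)
        self.outbox.append(u)

    def merge(self, u: Update) -> bool:
        """Keep u only if it is more recent than the update recorded for u.name;
        otherwise discard it, as the text describes. Returns whether u was kept."""
        cur = self.record.get(u.name)
        if cur is None or u.stamp > cur.stamp:
            self.record[u.name] = u
            return True
        return False


def propagate(sites: Sequence[GroupSite], order: Sequence[int] = ()) -> None:
    """The forwarder: deliver every queued update to every other site. order permutes
    the deliveries and stands in for reordering by the network."""
    pending = [(s, u) for s in sites for u in s.outbox]
    for s in sites:
        s.outbox.clear()
    if order:
        pending = [pending[i] for i in order]
    for src, u in pending:
        for dst in sites:
            if dst is not src:
                dst.merge(u)


def scenario() -> Dict[str, bool]:
    """Two sites whose clocks disagree; B's clock runs five ticks ahead of A's."""
    a, b = GroupSite("A"), GroupSite("B", clock=5)
    a.add("alice"); a.add("bob")          # stamps (1, A), (2, A)
    b.delete("alice")                     # stamp (6, B)
    propagate([a, b], order=[2, 0, 1])    # deliver B's delete before A's adds
    converged = a.record == b.record
    # Clock skew: A deletes bob later in real time, but its stamp (3, A) is older
    # than B's concurrent add stamped (7, B), so the add wins at both sites.
    b.add("bob"); a.delete("bob")
    propagate([a, b])
    return {"converged": converged, "alice": a.is_member("alice"),
            "bob_after_later_delete": a.is_member("bob"),
            "agree_after_skew": a.record == b.record}


if __name__ == "__main__":
    print(scenario())
```

scenario() shows the two points the text makes: after propagation both sites hold the same record whatever the delivery order, and a Delete performed at A later in real time loses to a concurrent Add at B whose clock is ahead, so bob ends up a member at both sites until a later update arrives. Delete is recorded as a timestamped update rather than by removing the name, so an older Add that arrives late cannot resurrect a deleted member.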