The control part of many concurrent and distributed programs reduces to a set Π = {p1, . . . , pn} of symmetric processes containing mainly assignments and tests on Boolean variables. However, the assignments, the guards and the program invariants can be Π-quantified, so the corresponding verification conditions also involve Π-quantifications. We propose a systematic procedure allowing the elimination of such quantifications for a large class of program invariants. At the core of this procedure is a variant of the Herbrand Theorem for many-sorted first-order logic with equality.
Abstract. The algorithm for mutual exclusion proposed by B. Szymanski is an interesting challenge for verification methods and tools. Several full proofs have been described in the literature, but they seem to require lengthy interactive sessions with powerful theorem provers. As far as this algorithm makes use of only the most elementary facts of arithmetics, we conjectured that a simple, non-interactive proof should exist; this paper gives such a proof, describes its development and how an elementaxy tool has been used to complete the verification.
We describe CAVEAT, a technique and a tool (under development) for the stepwise design and verification of nearly finite-state concurrent systems (NFCS). A concurrent system is nearly finite-state when most of its variables have a finite range (Booleans, bounded integers). The heart of CAVEAT is a tool for verifying invariants, i.e., inductive safety properties. The underlying method is classical : formula I is an invariant for system ,S if and only if some formula ~r =def {I}S{I} is valid. If ,S is an NFCS, the formula ~5i contains only a small set of non-boolean variables. CAVEAT uses the connection method to extract from ~I a (small) set ~ of paths (some kind of assertions) about the non-boolean variables; ~5i is valid if and only if all paths contain connections, i.e., are inconsistent. For typical NFCS given with a correct invariant, the formula ~I is rather large (more than 100 lines) but k~ is quite small (a dozen one-line formulas). The second part of CAVEAT (not implemented yet) supports an incremental development method that is fairly systematic, but has proved to be flexible enough in practice.
A b s t r a c t . Concurrent programming is usually considered as a difficult task. This conunon opinion is investigated, while developing an example of concurrent system.The conclusion is that the difficulty of programming does not lie in concurrency, provided that adequate formal tools are used. These tools mnst not be more difficult than those used in sequential programming.
I n t r o d u c t i o n and related workThe formal tools to deal with concurrency are usually considered to be adequate; in fact, most of them have been derived from those used in sequential programming. Unfortunately, formal tools become most useful only when there are appropriate methodologies to deal with them.Such methodologies exist for sequential programming; for instance, Dijkstra's programming calculus [Dijkstra (1976), Gries (1981)] allows the systematic use of the concept of invariant to derive programs correct with respect to their specifications.Good methodologies are usually compositional, that is, the meaning of a structured object can be expressed as a function of the meanings of the components. The main problem in concurrency is that the meaning of the system (PIlQ) can be expressed as a function of the meanings of the processes P and Q only when the notion of the meaning of a process is defined in a rather complex way. As a consequence, a compositional, process-based semantics for concurrent systems is not trivial, and the same is true for the methodologies derived from those semantics [Hoare (1985)]. A solution can be to get rid of the notion of process itself, in order to keep both compositionality and simplicity. Such an approach has been recently proposed in [Chandy and Misra (1988)]. Nevertheless, the notion of process has still to be introduced at the end of the development procedure; furthermore, as the notion of process is intuitive, we would like to keep it.Despite of the lack of a simple methodology, many non-trivial concurrent systems have been designed and proved correct. Although the authors do not often describe the methodology they have used to obtain their results, a piece of method is often evoked: the "stepwise refinement".The idea is very simple: several systems are considered in sequence, the first ones being more abstract and easier to understand than the last ones, which are more oriented towards an 1Supported in part by the ESPRIT project ATES.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.