Picturing program execution

1. Picturing program execution Tony Hoare and Peter O’Hearn November 2008

2. 1. Traces are sets of atomic events linked by data flow drawn as a labelled arrow

3. Atomic Events e f

4. A program command R1 := R1+y

5. a traceis a set of events d!(x – z) c?z R1:=r1 + y d?y

6. with arrowslinking dependent events d!(x–z) c?z R1:=R1 + y d?y

7. labelled by locations z c d!(x–z) c?z z x d x x := x + y d?y y y x

8. ...and by values transmitted z c 3 3 d!(x–z) c?z z 3 x d 9 x 12 x := x + y 5 d?y y y 9 7 x 12

9. Dependence • p  q means perhaps • q uses a value assigned by p • or p outputs a value input by q • or p releases a resource used next by q • Define separation between pairs of events as absence of dependence

10. Four degrees of separation • p ( ) q = p  q • p (;) q = p  q &  q  p • p (||)q = p  q &  q  p &  p  q • p ([]) q = false • Theorems: ([])  (||)  (;)  (*) ([]) (||) (*) commute p ([]) p = p (;) p = p (||) p = p (*) p = false

11. Separation of traces • We define four separation operators splitting a trace into separate parts. • The weakest is disjoint union of events: tr = tp + tq  tr = tp  tq & p,q. p ε tp & q ε tq  p ( ) q (equivalently, tr = tp  tq &tp tq = { } )

12. Separation of traces • sequence: tr = tp ; tq  tr = tp  tq & p,q. p εtp & q εtq  p (;) q • parallel: tr = tp || tq  tr = tp  tq & p,q. p εtp & q εtq p (||) q • choice: tr = tp [] tq  tr = tp  tq & p,q. p εtp & q εtq false (equivalently, tr = tp  tq & (tp = {} V tq = {}) )

13. A trace tr may be split in four ways

14. concurrently tp+tq

15. sequentially tp ; tq

16. Disjointly tp || tq

17. by Choice tp[]tq

18. Linearity theorem e ε tr   tp, tq . tr = (tp ; {e} ; tq) Proof: tp = {d|d  … e} and  is acyclic tq tp + e

19. Programs are predicates We identify program P with a predicate P(tr) which describes each of its possible traces. The free variable tr refers to an arbitrary trace. We define total binary separators over programs by ‘lifting’ the trace separators to predicates

20. Concurrency (fine-grained) (P*Q) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp+ tq any trace tr of (P*Q) can be split into tp and tq, where tp is a trace of P and tq is a trace of Q, and tp is disjoint from tq .

21. Sequential composition (P ; Q) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp; tq any trace tr of (P;Q) can be split into tp and tqwhere tp is a trace of P and tq is a trace of Q , and tp nowhere depends on tq.

22. Parallel composition (disjoint) (P||Q) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp || tq Any trace tr of (P||Q) can be split into tp and tqwhere tp is a trace of P and tqis a trace of Q , and tp is everywhere separate from tq.

23. Choice (P[]Q) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp[] tq Any trace tr of (P[]Q) can be split into tp and tqwhere tp is a trace of P and tqis a trace of Q , and either tp or tq is empty.

24. Conjunction (not separating) (P&Q) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp  tq & tp= tq Any trace tr of (P&Q) can be split into tp and tqwhere tp is a trace of P and tqis a trace of Q , and tp is the same as tq.

25. Disjunction (not choice) (PvQ) (tr) =  tp, tq. P(tp) & Q(tq) & tr = tp  tq & tp = tq Any trace tr of (PvQ) is either a trace of P or a trace of Q ,

26. Implicationsearlier lines imply the later lines P [] Q P || Q P ; Q P * Q Proof: ([])  (;)  (||)  (*)

27. 2. The logic of programming familiar axioms of the Hoare calculus are derived as theorems

28. Theorems Our proofs use only the properties (;)  (*) and (*) commutes They apply to any such pair of relations [P  Q] means tr . P(tr)  Q(tr) P = Q means[P  Q] & [Q  P]

29. Theorems (P ; Q) ; R = P ; (Q ; R) association P ; (Q V R) = (P ; Q) V (P ; R) distribution (Q V R) ; P = (Q ; P) V (Q ; R) [P  Q]  [P ; R  Q ; R] monotonicity & [R ; P  R ; Q] Proof: Predicate calculus only

30. Theorems Def: skip  tr = { } P ; skip = P = skip ; P unit skip P ; false = false = false ; P zero false valid for all separators including P [] false = false (versus P false = false)

31. Hoare Triples Def: P { Q } R   tr. (P ; Q)(tr)  R(tr) Theorems P { Q } R & P { Q } R’  P { Q } R & R’ P { Q } R & P’ { Q } R  (P V P’) { Q } R P { Q } S & S { Q’ } R  P { Q ; Q’ } R P { Q } R & P {Q’ } R  P { Q V Q’ } R

32. Galois connection Def: (Q ; R)(tp)   tq. Q(tq)  R(tp; tq) Theorem:P {Q} R  [P (Q ; R)] Q ; R = weakest prespec (Q, R) specifies what is needed before Q to achieve R Theorems: (Q -; R) ; Q  R P  Q -; (P ; Q) Proof: Predicate calculus

33. Program algebra (P * Q) ; R  P * (Q ; R) (*assoc;) P ; (Q * R)  (P ; Q) * R (*assoc;) (P*Q) ; (R*S)  (P;R) * (Q;S) (*exchange;) Proofs: event algebra.

34. (P * Q ) ; R  P * (Q ; R) • RHS has less prohibitions than LHS. P P  R R Q Q

35. Separation logic (Theorems) P { Q } R  F * P { Q } F * R frame P { Q } R & P’ { Q’ } R’  P * P’ { Q * Q’ } R * R’concurrency • Proof: program algebra

36. P { Q } R  F * P { Q } F * R • LHS = P ; Q  R (def { }) so F * (P ; Q)  F * R (* mon) (F * P) ; Q  F * R (*assoc;) = RHS (def { })

37. 3. Rely/guarantee calculus extends sequential reasoning to concurrent programs

38. Invariant algebra Def: G G’(tr) = (r. r εtr  G({r}) V G’({r}) ) Thm: G;G’ G G’ and G*G  G G’, etc. Def: G is invariant iffG = G G or equivalently, G(tr) = (r. r εtr  G({r}) ) Thm: G({ }) G(tp tq) = G(tp) & G(tq) G;G = G and G*G = G .... etc.

39. Guarantee conditionsdescribe commitment of thread to environment Def: Q guar G  [Q  G] , for G invariant Thm: skip guar G (tr = {e}) guar G  G({e}) Q guar G & Q’ guar G’  (Q ; Q’) guar (G G’) and(Q * Q’) guar (G G’) ...etc

40. Rely conditionsdescribe the environment of a thread Thm: If R and R’ are invariant, so is R&R’ R & R’  (R ; R’) andR & R’  (R*R’) ,... etc. R*{e}  R ; {e} ; R (R & R’) * (Q ; Q’)  (R * Q) ; (R’ * Q’) (R & R’) * (Q * Q’)  (R * Q) * (R’ * Q’)

41. R*{e}  R ; {e} ; R LHS =  ts . R(ts) & tr = ts + {e}   tr1, tr2 . tr = tr1 ; {e} ; tr2 (linearity)   tr1, tr2 . R(tr1) & R(tr2) & tr = tr1 ; {e} ; tr2  RHS  R * {e} * R (event algebra)  R * R * {e} (* assoc comm)  LHS (R invariant)

42. Jones quintuple Def: P R {Q} G S  P {R*Q} S & Q guar G where G and R are invariants Thm: P R {skip} G P if P {R} P P R {e} G S  P {R ; e ; R} S & G({e}) P R {Q} G S & S R’ {Q’} G’ S’  P R&R’ {Q ; Q’} (G  G’) S’

43. Concurrency [G’  R] & [G  R’] & P R {Q} G S & P’ R’ {Q’} G’ S’  P&P’ R&R’ {Q * Q’} (G  G’) S&S’

44. Example LetR = R’ = G = G’ = P = P’ = (a . a ε tr n > 0. prog(a) = {x := x + n } ) S = (R &  a . a ε tr & prog(a) = {x := x + 1}) S’ = (R &  a . a ε tr & prog(a) = {x := x + 2}) Then P R {x := x + 1 | x := x + 2} G S&S’ a very weak result, because we cannot rely on memory.

45. 4. Arrows cross interfaces carry values between events as described by assertions

46. arrows d!(x–z) c?z x := x + y d?y

47. Source and target a0 a’ Def: a0 is the source event of arrow a Def: a’ is the target event of arrow a • Def: e  f =  a . e = a0 & f = a’ • defines what was earlier an undefined primitive • so all previous theorems remain true

48. Boundary • drawn around an arbitrary set of events

49. External boundary Def: in(tr) = {a|a’ εtr & a0  tr} Def: out(tr) = {a|a0εtr & a’  tr} Thm: in(tr)  out(tr) = { }

50. Internal boundary tq tp Thm: out(tp*tq) = out(tp)\in(tq)  out(tq)\in(tp) in(tp*tq) = in(tp)\out(tq)  in(tq)\out(tp) … the same for the other three separators