Using Temporal Fixpoints to Compositionally Reason about Liveness

The compositional specification and verification of the behavior of concurrent processes is a challenging research area. The assumption/commitmentapproach has emerged as one way to systematically achieve the desired modularity. However, it is generally limited to reasoning about safety properties which apply throughout the execution of a system. Liveness properties involving intermittent behavior are harder to address. We investigate the use of assumptions and commitments in Interval Temporal Logic and show how to augment them with some more information for handling liveness. The proposed techniques are a continuation of our previous research on formalizing assumptions and commitments through the use of fixpoints of certain simple temporal operators. Associated with this is a generalized notion of Owicki and Gries’ proof outlines. We illustrate the approach with examples including a mutual exclusion system with time stamps.


Introduction
Assumptions and commitments are recognized as one way to reasoning about concurrent systems.Jones [6] shows how to augment the pre-and post-conditions found in Hoare logic with compositional assumptions and commitments (called by Jones rely-and guarantee-conditions).Assumptions are especially selected so that if they are true for a system component, then they are automatically true for all sequential subcomponents.Thus one can say that such assumptions are easy to import.Commitments are chosen such that when true for a series of sequential subcomponents are also automatically true for the overall component.Thus, such commitments are easy to export.This style of analysis works best when one reasons about safety properties [11] which hold everywhere but it is more limited when dealing with liveness.One reason is that liveness properties are by definition not necessarily true all the time but only some of the time.Consequently, they are too weak to be exported with conventional compositional commitments.
Other researchers have investigated how to handle liveness.Stølen [23] deals with it by adding a wait-condition to Jones' approach.See also Xu and He [27], and Xu, Cau and Collette [24] and a survey by Xu, de Roever and He [26].Pandya and Joseph [21] and Jonsson and Tsay [7] use linear-time temporal logic.
In this work we show how to augment compositional assumptions and commitments with some extra notation to bridge the gaps where exportable commitments by themselves are not sufficient.Interval Temporal Logic (ITL) [13,4,14], serves as our framework.In previous work [16] we characterized generalized versions of compositional assumptions and commitments in ITL as fixpoints of certain simple temporal operators.An application of this approach to intervals with infinite length was illustrated in [17].We now show that fixpoints of some other ITL operators facilitate reasoning about liveness.Our approach also supports an extended form of the proof outlines of Owicki and Gries [18,19] as a means to visually elucidate compositional proofs about both safety and liveness.
The remaining sections of the paper are organized as follows.In Section 2 we overview how to embed assumptions and commitments in Interval Temporal Logic and briefly discuss how to extend this to handle liveness.Section 3 gives a summary of ITL's syntax and semantics as well as a compositional proof system.Section 4 gives more details about dealing with liveness and includes various examples.For simplicity, Sections 3 and 4 only consider temporal intervals having finite length.Section 5 extends ITL and our compositional methods to reasoning about infinite intervals.We The research described here has been kindly supported by EPSRC research grant GR/K25922.7th BCS-FACS Refinement Workshop, 1996 Compositionally Reason about Liveness include a number of small examples throughout Sections 4 and 5.One involves proving the absence of deadlock in a simple two-process system with shared write access to a counter variable.Section 6 looks at two nontrivial mutual exclusion systems operating over infinite time.The first is easier to describe but can deadlock.The second one remedies this deficiency through the use of time stamps.Both of these systems served as our primary case studies during the development of the methods presented here.

Overview of Assumptions and Commitments in ITL
Modularity is a desirable attribute of any formal method.We wish to address how to modularly specify and prove liveness properties.However, it is necessary to first present some background material.One of the best known modular logical notations is Hoare logic [5].It uses the important insight that proofs about the pre/post-condition behavior of a sequential program can be decomposed into subproofs of the program's parts.In Interval Temporal Logic we can express a Hoare clause as a theorem about discrete intervals of time consisting of one or more states: w ^Sys fin w 0 : Here w and w 0 are state formulas containing no temporal operators and Sys is some arbitrary temporal formula we wish to reason about.The temporal formula fin w 0 is true on an interval iff w 0 is true in the interval's final state.A more precise definition of fin and other ITL operators is given in Section 3.
The pre/post-condition approach is not particularly well suited for specifying and verifying systems in which ongoing and parallel behavior are important.However, this can be remedied through the addition of what are commonly known as assumptions and commitments.Francez and Pnueli [3] are the first to consider them and refer to them as interface predicates.The following implication shows the basic form of an ITL theorem incorporating an assumption As and a commitment Co: w ^As ^Sys Co ^fin w 0 : In general As and Co can be arbitrary temporal formulas.However, when compositional reasoning about sequential parts of a system is needed, it is useful to require that As and Co be respective fixpoints of the ITL operators 2 a (read "box-a") and (read "chop-star") as is now shown: As 2 a As; Co Co : The first equivalence ensures that if the assumption As is true on an interval, it is also true in all subintervals.The second ensures that if zero or more sequential instances of the commitment Co span an interval, Co is also true on the interval itself.The ITL operator (chop-star) used here is a repetitive version of the chop operator mentioned above and is similar to the Kleene star found in regular expressions.The temporal formula 2(K = 1) (read "K always equals 1") is an example of an importable assumption.The temporal formula K K ("K's initial and final values on the interval are equal") is an exportable commitment.Some formulas such as stable K ("K's value remains the same throughout the interval") can be used both as assumptions and commitments.These are precisely the fixpoints of the ITL operator keep, where the formula keep S, for some subformula S, is true on an interval iff S is true on every unit subinterval (i.e., consisting of exactly two adjacent states).For assumptions and commitments obeying the above, the next derivable proof rule is sound: `w ^As ^Sys Co ^fin w 0 ; `w0 ^As ^Sys 0 Co ^fin w 00 `w ^As ^(Sys; Sys 0 ) Co ^fin w 00 : (1) The rule uses the ITL operator ";" (chop) which combines the formulas Sys and Sys 0 in series.That is, Sys; Sys 0 is true on an interval iff Sys is true on a left subinterval and Sys' is true on the corresponding right subinterval which shares one state.
Here is an analogous rule for decomposing a proof for zero or more iterations of a formula Sys: `w ^As ^Sys Co ^fin w `w ^As ^Sys Co ^fin w: (2) Similar rules are possible for if , while and other constructs.
7th BCS-FACS Refinement Workshop, 1996 Note that our approach only requires assumptions and commitments which are used directly in rules such (1) and ( 2) to be compositional.Compositional proofs about a system in ITL typically also involve reasoning about noncompositional assumptions and commitments as well.For instance, there is an important class of formulas using the standard temporal operator 2 (read "box" or "always") and of the form 2S which often occur in temporal logic specifications.In general they can neither be used directly as compositional assumptions or commitments.However, those of the form 2w, for some state formula w, can be used as assumptions since they are fixpoints of the operator 2 a : `2w 2 a 2w: However, even these cannot be used as exportable commitments since, for example, the formula (2w) (and indeed any formula S ) is vacuously true on intervals having exactly one state whereas 2w is not necessarily true on them.In other words (2w) ^:2w is satisfiable for some w and therefore 2w (2w) is not in general a theorem.However, there is a simple way around this.We express 2w as the conjunction of keep w and fin w: `2w keep w ^fin w: Since w is a state formula, keep w turns out to be true on an interval iff w is true on all of the interval's states except possibly the last one.Since we already mentioned that keep S for any formula S is a perfectly good exportable commitment, we can use keep w in compositional proofs and at the very end combine it with fin w to obtain the desired (generally nonexportable) commitment 2w.
The techniques so far presented do not address reasoning about formulas involving liveness such as 23x and 2(x 3x 0 ); where x and x 0 are state formulas.In what follows we investigate how to handle such temporal formulas in compositional proofs.This is facilitated through the exploitation of further fixpoints of ITL operators.In general, such formulas are not suitable as compositional assumptions or commitments.Let us now use the temporal operators 2 m ("box-m") and 3 i ("diamond-i").A formula 2 m S is true on an interval iff the subformula S is true on all terminal (suffix) subintervals with more than one state, that is all the interval's nonempty terminal subintervals.Therefore 2 m ignores the last (empty) terminal subinterval consisting of one state and is slightly weaker than 2. A formula 3 i S is true on an interval iff S is true on some initial (prefix) subinterval (which might be the interval itself).It turns out that for any S, the formula 2 m 3 i S is a fixpoint of chop-star: `2 m 3 i S (2 m 3 i S) : It therefore follows that for any formula DI which is a fixpoint of 3 i , the formula 2 m DI is always a fixpoint of chop-star and is a suitable compositional commitment.Now, for any state formulas x and x 0 , the formula x 3x 0 is a fixpoint of the temporal operator 3 i .Consequently, the formula 2 m (x 3x 0 ) is a fixpoint of chop-star.In order to prove a formula 2(x 3x 0 ), we compositionally establish the related formula 2 m (x 3x 0 ) and also show fin(x 3x 0 ), thus obtaining 2(x 3x 0 ).Here we are using the following lemma relating 2 with 2 m and fin: `2S 2 m S ^fin S: There are also other useful fixpoints of 3 i which we consider later.In addition, the conjunction and disjunction of two such fixpoints are themselves fixpoints of 3 i .The fixpoints of the ITL operator 3 a (read "diamond-a") are also important.In general, 3 a S is true on an interval iff S is true on some subinterval (possibly the interval itself).Formulas such as 3x, where x is a state formula, and : stable A (meaning "The variable A has more than one value over the interval") are fixpoints of 3 a .If DA is a fixpoint of 3 a , then it is also a fixpoint of 3 i so 2 m DA is a fixpoint of chop-star and hence a compositional commitment.More generally, the formula x DA is always a fixpoint of 3 i and therefore 2 m (x DA) is a fixpoint of chop-star.The fixpoints of 3 a are closed under conjunction and disjunction.
Let us consider another benefit of fixpoints of 3 a .Suppose one wishes to prove that a formula Sys; Sys' with a suitable precondition and an importable assumption implies a commitment 2 m (x DA) for some state formula x and some fixpoint DA of 3 a .The most straightforward thing to do is to first show the commitment both for Sys and Sys 0 and then combine the results using proof rule (1).However, this is not always possible since DA might never be true in Sys and only occur in Sys 0 even though x is perhaps somewhere true in Sys.In such cases, we can use the following derivable proof rule as long as all intervals are assumed for simplicity to have finite length: `w ^As ^Sys fin w 0 ; `w0 ^As ^Sys 0 2 m (x DA) ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) 2 m (x DA) ^DA ^fin w 00 : (3) 7th BCS-FACS Refinement Workshop, 1996

Review of Interval Temporal Logic
We now describe Interval Temporal Logic.The presentation is rather brief and the reader should refer to references such as [13,4,14,16] for more details.ITL is a linear-time temporal logic with a discrete model of time.An interval in general has a length j j 0 and a finite, nonempty sequence of j j + 1 states 0 ; : : : ; j j .Thus the smallest intervals have length 0 and one state.Each state i for i j j maps variables a, b, c, : : : , A, B, C, : : : to data values.
Lower case variables a, b, c, : : : are called static and do not vary over time.Infinite intervals can also be handled by us but for simplicity we do not consider them until Section 5. Basic ITL contains conventional propositional operators such as ^and first-order ones such as 8 and =.Normally expressions and formulas are evaluated relative to the beginning of the interval.For example, the formula J = I + 1 is true on an interval iff the J's value in 's initial state is one more that I's value in that state.
There are three primitive temporal operators skip, ";" (chop) and " " (chop-star).Here is their syntax, assuming that S and T are themselves formulas: The formula skip has no operands and is true on an interval iff the interval has length 1 (i.e., exactly two states).Both chop and chop-star permit evaluation within various subintervals.A formula S; T is true on an interval with states 0 ; : : : ; j j iff the interval can be chopped into two sequential parts sharing a single state k for some k j j and in which the subformula S is true on the left part 0 ; : : : ; k and the subformula T is true on the right part k ; : : : ; j j .For instance, the formula skip; (J = I + 1) is true on an interval iff has at least two states 0 ; 1 ; : : : and J = I + 1 is true in the second one 1 .A formula S is true on an interval iff the interval can be chopped into zero or more sequential parts and the subformula S is true on each.An empty interval (one having exactly one state) trivially satisfies any formula of the form S (including false ).The following serves as an alternative programming-like syntax for S : for some times do S: We generally use w, w 0 , x, x 0 and so forth to denote state formulas with no temporal operators in them.Expressions are denoted by e, e 0 and so on.Table 1 shows a variety of useful temporal operators definable in ITL.A summary of the kinds of fixpoints used in our approach is shown in Table 2.It also includes examples of them.Note that in general the variables As and Co can refer respectively to arbitrary assumptions and commitments and they are fixpoints only when it is specifically stated, such as when they are supposed to be compositionally importable or exportable.This is the case most of the time in our presentation here.In the long run, it might be better to refer to an assumption which is a fixpoint of 2 a by the name BA and a commitment which is a fixpoint of chop-star by CS.
In [16] we made use of the conventional logical notion of definite descriptions of the form {v: S where v is a variable and S is a formula (see for example Kleene [8, pages 167-171]).These allow a uniform semantic and axiomatic treatment in ITL of expressions such as e (e's next value), fin e (e's final value) and len (the interval's length).For example, e can be defined as follows: where a does not occur freely in e.Here is a way to define temporal assignment using a fin term: (fin e) = e 0 : The following operator stable tests whether an expression's value changes and is also later needed by us: Table 2: Various useful temporal fixpoints 7th BCS-FACS Refinement Workshop, 1996 where the static variable a is chosen so as not to occur freely in the expression e.The formula e gets e 0 is true iff in every unit subinterval, the initial value of the expression e 0 equals the final value of the expression e: e gets e 0 def keep(e e 0 ): An expression is said to be padded iff it is stable except for possibly the last state in the interval: where the static variable a does not to occur freely in e.A useful version of assignment called padded temporal assignment can then be defined: e < e 0 def (fin e) = e 0 ^padded e: This ensures that e does not change until possibly the very end of the interval when the assignment takes effect.

A Practical Proof System
We now present a very powerful and practical compositional proof system for ITL.The reader may prefer to initially omit this subsection.Our experience in rigorously developing hundreds of propositional and first-order proofs has helped us refine the axioms and convinced us they are sufficient for a very wide range of purposes.See Moszkowski [16] for more about this.The proof system is divided into a propositional part and a first-order part.Our discussion looks at each in turn.

Propositional Axioms and Inference Rules.
The propositional axioms and inference rules mainly deal with chop, and skip and operators derived from them.Only one axiom is needed for chop-star.The proof system gives nearly equal treatment to initial and terminal subintervals.This is exceedingly important for the kinds of proofs we do.In addition, this makes the proof system easier to understand since much of it consists simply of duals in this sense.In contrast, most temporal logics cannot handle initial subintervals and even other proof systems for ITL largely neglect them.Rosner and Pnueli [22] and Paech [20] give propositional proof systems for ITL with infinite intervals and prove completeness.Our proof system contains some of the propositional axioms suggested by Rosner and Pnueli but also includes our own axioms and inference rule for the operators 2 i , keepnow, and chop-star.These assist in deducing propositional and first-order theorems and in deriving rules for importing, exporting and other aspects of composition.
We have strengthened axiom P10 in order to facilitate reasoning about initial subintervals and what are called markers (see Subsect. 4.1).The following earlier version used in proofs about the keep operator can be readily deduced from P10 (with w replaced by true), the other axioms and inference rules: `keepnow S : keepnow :S: We now give a sample theorem and its proof: Theorem 3.1 The propositional proof system is complete for quantifier-free formulas containing only boolean-valued static and state variables.
Outline of proof: For a given formula, we construct a finite tableau consisting of a number of states.Each state is represented as a disjunction whose disjuncts are themselves conjunctions of primitive propositions, next formulas and their negations.Now suppose S is a valid formula.Construct a tableau for its negation :S.Call a state in a tableau final if it is satisfiable by some empty interval.No state reachable from the initial state in our tableau for :S is final, since otherwise we can use the path to construct a model for :S.Therefore the tableau reflects that :S is not true in any finite intervals.We convert this to a proof-by-contradiction for S.This technique also applies to a version of Rosner and Pnueli's proof system restricted to finite intervals.

First-Order Axioms and Inference Rules.
Below are axioms and inference rules for reasoning about first-order concepts.They are to be used together with the propositional ones already introduced.See Manna [12] and Kröger [10] for proof systems for chop-free first-order temporal logic.We let v and v 0 refer to both static and state variables.

F1
`All substitution instances of valid nonmodal formulas of conventional first-order logic with arithmetic.F2 where the expression e is sort-compatible with v and v is free for e in S. If e contains any temporal operators, then v must be a state variable not occurring freely in S within the left side of a chop formula or within a chop-star formula.F3 `8v: (S T) (S 8v: T); where v doesn't occur freely in S. F4 `({v: S) = ({v 0 : where v and v 0 are static variables of one sort and v is free for v 0 in S. F5 `8v: (S T) where v is a static variable.F7 `w 2w; where w only contains static variables.

F8
`9v: (S; T) for any static variable n whose sort is the natural numbers.
The axiom F1 permits using properties of conventional first-order logic with arithmetic without proof.Most of the other axioms and the two inference rules at the end are adaptations of conventional nonmodal equivalents for quantifiers and definite descriptions.Only four axioms actually contain temporal operators.Axiom F7 deals with state formulas containing only static variables.The two axioms F8 and F9 show how to move an existential quantifier out of the scope of chop.The remaining temporal axiom F10 shows how to combine two state variables in nearly adjacent subintervals into one state variable for the entire interval.We extensively use it and lemmas derived from it for constructing auxiliary variables.Dutertre [2] gives a complete first-order ITL proof system but with a nonstandard semantics of intervals.

More about Analyzing Liveness
We now review and expand upon some of the ideas presented in Section 2 about liveness.As mentioned there, a formula of the form 2S can not in general be used as a compositional assumption or commitment.A formula of the more restricted form 2w, for some state formula w, can be used directly as an importable assumption and a minor variant of it of the form keep w can be used as an exportable commitment which is ultimately combined with fin w to establish 2w.Now there are many other important formulas of the form 2S which are not addressed by this.We now consider one way to deal with at least some such formulas.Recall that 2 m S to be true on an interval iff S is true on all terminal (suffix) subintervals except possibly the last one: Note that for a state formula w the formulas keep S and 2 m S are in fact provably equivalent: `keep w 2 m w: An important observation already noted in Section 2 is that for any S, the formula 2 m 3 i S is a fixpoint of chop-star: It follows that for any 3 i -fixpoint DI, the formula 2 m DI is a fixpoint of chop-star and is suitable for use as a compositional commitment.Important liveness-related formulas such as 3x and x 3x 0 are in fact fixpoints of 3 i , provided that x and x 0 are state formulas.The important construct keep S which is frequently used as a compositional assumption and commitment in proofs can be expressed with the 2 m operator and a 3 i -fixpoint: `keep S 2 m 3 i (skip ^S): Furthermore, all conjunctions and disjunctions of fixpoints of 3 i are themselves fixpoints of 3 i .
Consider for example the formula (K < K + 1) .We can compositionally prove that this implies the formula 2 m : stable K.The formula 2 m : stable K can be directly used as the commitment in the proof because the subformula : stable K is provably a fixpoint of 3 i : `: stable K 3 i : stable K: In fact it is even a fixpoint of 3 a .We first deduce that K < K + 1 implies the commitment 2 m : stable K: Next, we use this in a simplified version of proof rule (1) in Section 2 which omits pre-and post-conditions as well as assumptions to obtain the desired goal: Let us now look at how to prove the following in a compositional way: Note that we are unable to obtain the commitment 2 m : stable K from the first part of each loop step, that is stable K, by purely local analysis.In order to get around this, more proof techniques are needed as was noted in Section 2. First of all, in addition to compositional assumptions and commitments, we sometimes include another formula DA which is some fixpoint of the temporal operator 3 a .Here is the general form of a suitable implication: Co ^DA ^fin w 0 : Now the formula x DA is a fixpoint of 3 i .Among other things, this ensures that the formula 2 m (x DA) is a fixpoint of chop-star and hence a compositional commitment.However, DA itself is not in general a fixpoint of chop-star and therefore cannot be exported in the usual way.However, if we have a specification Sys; Sys 0 and can show that under appropriate circumstances the second subformula Sys 0 implies both 2 m (x DA) and DA, then both 2 m (x DA) and 7th BCS-FACS Refinement Workshop, 1996 Proof outline for lemma (7).
fK 1g for some times do 2 m : stable K DA can be automatically exported from Sys; Sys 0 .This avoids first proving that Sys implies 2 m (x DA).Here is a derivable proof rule for fixpoints of DA: `w ^As ^Sys fin w 0 ; `w0 ^As ^Sys 0 2 m (x DA) ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) 2 m (x DA) ^DA ^fin w 00 : ( The following corollary rule uses 2 m DA as the commitment by replacing x by true and simplifying: `w ^As ^Sys fin w 0 ; `w0 ^As ^Sys 0 2 m DA ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) 2 m DA ^DA ^fin w 00 : Such a rule provides a way to export the commitment 2 m : stable K in the example above since : stable K is in fact a fixpoint of 3 a .Below is an application of proof rule (6) to the example: Once this is done, we simply export the commitment 2 m : stable K from the iterative formula (stable K; K < 2K) using proof rule (2) found in Section 2. Owicki and Gries [18,19] developed proof outlines as a visual tool for concisely reasoning about Hoare clauses.Figure 1 contains a small proof outline generalized to include a commitment and which corresponds to the following lemma: The proof outline shows the pre-and post-conditions, the sequential component K < 2K and on the right of the large bracket is the resulting commitment.We keep the assumption implicit here and in other proof outlines since it is usually importable and remains the same in all sequential subcomponents.A generalized proof outline for lemma (4) is shown in Figure 2. In particular, it illustrates the composition of commitments of subcomponents into those for larger parts of a system.A weakened variant of rule ( 6) is sometimes used to export DA from the left part of Sys; Sys 0 without exporting 2 m DA as well: `w ^As ^Sys DA ^fin w 0 ; `w0 ^As ^Sys 0 fin w 00 `w ^As ^(Sys; Sys 0 ) DA ^fin w 00 : 7th BCS-FACS Refinement Workshop, 1996 Figure 3: Proof outline for lemma (9).
Here is another theorem we wish to verify about our example by using a 3 a -fixpoint: The proof of this theorem introduces an auxiliary static variable j and the formula 3K = 2j is used as a 3 a -fixpoint.A generalization of rule ( 6) permitting an additional exportable commitment Co is utilized: `w ^As ^Sys Co ^fin w 0 ; `w0 ^As ^Sys 0 Co ^2 m DA ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) Co ^2 m DA ^DA ^fin w 00 : An overview of the proof of theorem ( 8) is given below.Most pre-and post-conditions as well as all assumptions are simply true and we omit them: 1: Figure 3 depicts a proof outline for the lemma now given about the body of the loop: The results of this are used in Figure 4 for the proof outline of a lemma about the overall loop:

Markers
Here is a variant of the previous example with the two sequential parts of the loop body exchanged: Once again we wish to prove that this implies the formula However, the proof is more complicated since we can no longer readily propagate the 3 a -fixpoint 3 a K = 2j from K< 2K back to stable K.A more powerful technique for analyzing reachability is needed.We now introduce the Figure 4: Proof outline for lemma (10).
notion of marker.This is a boolean state variable, called here Mk, which is true exactly at the start and end of loop iterations.A variant of chop-star having a marker can be defined as follows: See Table 1 for the definition of the halt construct.The following programming syntax is also used for this kind of chop-star: for Mk some times do S: Without loss of generality, we can always existentially introduce a marker as an auxiliary variable.The following provable lemma states this: `S 9Mk: (Mk ^chopstar Mk S); where Mk does not occur freely in the formula S. The marker facilitates postponing reachability of a 3 a -fixpoint until a later loop iteration.We originally considered markers in [13, page 127].
In our example, we introduce such a marker and prove the following lemma about liveness: The two commitments are combined using temporal reasoning and ensure that whenever K = i, eventually either K = 2i or the overall interval finishes with K still equalling i: After hiding the marker, we obtain the next lemma: The overall reduced commitment together with the originally given postcondition fin(K = n) imply the desired formula: Co ^DI Figure 5: Proof outline for lemma (17).
The proof of lemma (11) requires a 3 a -fixpoint called here DA and a fixpoint of the temporal operator 2 referred to this formula as BT.In our treatment of loops, BT is always fin Mk.Here is the generalized version of proof rule (5) for chop: `w ^As ^Sys fin w 0 ; `w0 ^BT ^As ^Sys 0 2 m (x DA) ^DA ^fin w 00 `w ^BT ^As ^(Sys; Sys 0 ) 2 m (x DA) ^DA ^fin w 00 : (13) The proof rule now given is for the version of chop-star with a marker.It uses a 3 i -fixpoint DI: `w ^fin Mk ^As ^Sys DI ^fin w `w ^As ^chopstar Mk Sys 2 m (Mk DI) ^fin w: The following variants of these rules permit an additional commitment Co and are in fact the ones used for proving lemma (17) shown above.
`w ^As ^Sys Co ^fin w 0 ; `w0 ^BT ^As ^Sys 0 Co ^2 m (x DA) ^DA ^fin w 00 `w ^BT ^As ^(Sys; Sys 0 ) Co ^2 m (x DA) ^DA ^fin w 00 : (15) `w ^fin Mk ^As ^Sys Co ^DI ^fin w `w ^As ^chopstar Mk Sys Co ^2 m (Mk DI) ^fin w: (16) The analysis of the loop body K < 2K; stable K involves the use of rule (15) to deduce the lemma below: Figure 5 and Figure 6 show proof outlines for establishing lemmas ( 17) and (11), respectively.In these, Co stands for the exportable commitment and DI stands for the 3 i -fixpoint K = i 3K = 2i.

ITL with Infinite Time
The semantics and proof system so far presented is suitable for reasoning about finite intervals.We now discuss some modifications needed to permit infinite intervals as well.First, we apply our semantics of S; T and S to infinite intervals.As before this means S; T is true on such an interval if the interval can be divided into one part for S and another adjacent part for T and that S is true if the interval can be divided into a finite number of parts, each satisfying S. In addition, we now also let S; T be true on an infinite interval which satisfies S. For such an interval, we can ignore T. Furthermore, we let S be true on an infinite interval that is divisible into a finite number of subintervals where the Here sfin S is a strong version of fin S and is true only on finite intervals.In contrast, fin S is vacuously true on all infinite intervals.As we have noted, the formula S can be true on an infinite interval where S occurs infinitely often in successive subintervals each having finite length.We denote this by S !(read "chop-omega") and define it in the following way: The other possibility for S on an infinite interval involves a formula S being true for a finite number of successive subintervals, but where the last one has infinite length, and is possibly the interval itself.The construct S 1 (read "chop-infinity") is used to denote the union of both kinds of behavior for chop-star on infinite intervals: The syntax forever do S is sometimes used as an alternative programming-language based notation for S 1 .In addition, the following two variant notations permit referencing a marker such as Mk: chopinf Mk S; forever Mk do S: The first-order operators for temporal assignment and padded temporal assignment are redefined to be true only on finite intervals: The first-order axiom now given is sometimes needed for constructing auxiliary variables with chop-star: where v and v 0 are state variables and v does not occur freely S.
It seems likely that completeness in the sense of Theorem 3.1 can only be achieved with a nonconventional inference rule.This is not central to our approach.

A Simple Example Involving Infinite Time
The following example requires reasoning about infinite intervals: As it shows, when analyzing such intervals, one must sometimes explicitly specify or prove that certain subintervals have finite length.
Proofs can use the fact that the operators 2 and 2 m are equivalent on infinite intervals: `inf 2S 2 m S: Once infinite intervals are permitted, one must use rules such as the following variant of derived rule ( 18) for reachability proofs: `w ^As ^Sys finite ^fin w 0 ; `w0 ^As ^Sys 0 2 m (x DA) ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) 2 m (x DA) ^DA ^fin w 00 : (18) Here we ensure that the interval satisfying Sys is finite, thus guaranteeing that DA does indeed occur in Sys; Sys 0 .Note that the formula finite is not a fixpoint of chop-star.See Figures 7 and 8 for respective proof outlines for the following lemmas needed for the above example: Without loss of generality, Figure 8 uses existential quantification to introduce a static variable j equally K's value at the beginning of each loop iteration.A modified version of rule (18) permitting other exportable commitments as well is used: `w ^As ^Sys Co ^finite ^fin w 0 ; `w0 ^As ^Sys 0 Co ^2 m (x DA) ^DA ^fin w 00 `w ^As ^(Sys; Sys 0 ) Co ^2 m (x DA) ^DA ^fin w 00 : Sometimes each of a sequence of components implies finite.This can be reduced by means of the derived rule now given: `w ^As ^Sys finite ^fin w 0 ; `w0 ^As ^Sys 0 finite ^fin w 00 `w ^As ^(Sys; Sys 0 ) finite ^fin w 00 :

Compositionally Proving Absence of Deadlock
Let us now present a compositional analysis proving the absence of deadlock.This small example illustrates shared write access and involves fewer concepts in its specification and analysis than the mutual exclusion examples considered later in Section 6.For instance, no markers or other auxiliary variables are required here.Figure 9 shows two simple Figure 8: Proof outline for lemma (20).

F1
def for some times do ( F2 def for some times do ( halt odd(K); halt even(K) ) ) Figure 9: A simple parallel system processes F1 and F2 which alternately modify a single variable K.The iterating in F1 and F2 is expressed by means of the chop-star operator in the notation of a for-loop.The predicates even and odd are simple arithmetic tests.Here is the overall system together with K initially equal to 0: When K is even, F1 keeps it stable for a while and then eventually increments it, thus making it odd.At this time, F2 keeps K stable and then increments it, thus handing responsibilityfor it back to F1.This continues for some unspecified, possibly infinite number of times.We use padded temporal assignments in order to ensure proper communication between F1 and F2.
Here is a theorem describing correctness of the overall system: `even(K) ^F1 ^F2

keep(K K K + 1) ^fin even(K):
The theorem uses the keep operator defined earlier to state that K is always stable or increases by 1 over pairs of adjacent states.In addition, K's final value is even.In [16] we consider how to compositionally prove this safety property.The proof holds for both finite and infinite intervals.The discussion so far only deals with showing that the variable K continues to remain stable or increase.It remains for us to ensure that when the combined system operates over an infinite interval, K never gets stuck at some value.
Here is an ITL theorem which expresses this: `inf ^even(K) ^F1 ^F2 2: stable K: The next lemma plays an important role in our overall analysis: This states that if the state variable A is padded and its initial and final values in the (finite) interval differ, then A is not stable in all nonempty terminal subintervals.Here is a slightly simplified substitution instance of this that is used when the variable K increases by 1:

Compositionally Reason about Liveness
We have omitted the subformula K 6 = K + 1 since it is trivially true.The following lemmas consider the behavior of F1 and F2: `even(K) ^F1 2 m even(K) : stable K ^fin even(K); `even(K) ^F2 2 m odd(K) : stable K ^fin even(K): Note that fin is defined to be weak and is therefore trivially true for infinite intervals.The proofs compositionally use lemmas such as those below for the sequential parts of F1: `even(K) ^K < K + 1 2 m even(K) : stable K ^fin odd(K); `odd(K) ^halt even(K) 2 m even(K) : stable K ^fin even(K): We combine lemmas ( 21) and ( 22) for F1 and F2 in parallel to obtain the following: `even(K) ^F1 ^F2 2 m : stable K: Our assumption about infinite time is then introduced in the following lemma: `inf ^2 m : stable K 2: stable K: From this and lemma ( 23) we obtain the desired theorem: `inf ^even(K) ^F1 ^F2 2: stable K: In [17] we deduce this without the use of 3 i -fixpoints by introducing an auxiliary variable.The resulting proof has more steps.

Two Examples Involving Mutual Exclusion
We now analyze the safety and liveness properties of two systems for mutual exclusion.They have served as our main case studies during the development of the methods described in this work.Both are more complex than any of the examples discussed earlier and together require all of the technical machinery presented in the previous sections.The first example is the simpler of the two to describe but can sometimes deadlock.The second, modified system found later in Subsect.6.3 remedies this problem but requires the introduction of extra variables which act as time stamps.
The first system, known as GSys, is composed of two parallel parts G1 and G2 shown in Figure 10.The combined specification together with initialization is as follows: Here G1 sets S1 to true when requesting entry into G1's critical region.Upon entry, G1 sets C1 to true and keeps it true until departure from the critical region.At this time C1 and then S1 are reset to false and remain so until the next attempt for entry is made.The usage by G2 of variables S2 and C2 for controlling its critical region is analogous.We can verify the safety property that C1 and C2 are never both true at the same instant: Liveness of the form 23C1 ^23C2 cannot be proved because G1 and G2 might both simultaneously attempt to enter their respective critical regions and deadlock.To some extent, one can deal with this by including the following assumption asserting that G1 and G2 do not initiate requests at the same time: keep :S1 ^:S2 (:S1 _ :S2) : We instead show a weaker liveness property stating that C1 and C2 are always eventually false: `S1=C1=S2=C2=false ^G1 ^G2 ) ) Figure 10: Simple mutual exclusion system

Safety of GSys
Here is an overview of the proof of safety: (a) Compositionally show that whenever G2 makes no entry request and S2 is false, C2 is also false: `:S2 ^:C2 ^G2 2(:S2 :C2): A theorem for the behavior imposed by G1 on S1 and C1 is analogous but not needed for the proof of theorem (24).
(b) Without loss of generality, introduce an auxiliary boolean variable P2 which is true whenever G2 has been given permission to enter its critical region.More precisely, when S2 and P2 are both true, we know that G2 has advanced passed its step containing the halt formula.Note that C2 is not yet necessarily true.Associated with P2 is an assumption P2 As which we later define.
(c) Prove that whenever S2 is true but P2 is false, G2 forces C2 to be false since G2 has requested approval to enter its critical region but not yet received it: `:S2 ^:C2 ^P2 As ^G2 2(:P2 :C2): This uses the assumption P2 As which characterizes P2.
(d) Import the result of (c) into G1 to show that whenever C1 is true, C2 must be false.
(e) Combine everything together to complete the proof of the main safety theorem (24).
We now look at the proof's steps in more detail.

Step (a).
We desire to prove the following lemma: The consequent 2(:S2 :C2) is not itself exportable (although it is importable) so we recast the lemma using the formula 2 m (:S2 :C2) as the commitment Co instead.Figure 11 shows a proof outline for this.
Here the state variable A and the expression e have the same sort.We allow A to occur in e but not within the context of temporal operators.These restrictions ensure that A is not circularly defined.Here is an instance of this for the variable P2: `9P2: P2 gets (P2 ^S2) _ :S1 : This constructs an auxiliary boolean variable P2 which monitors whether G1 has permission to enter its critical region.
In order to do this, P2 keeps track about whether S1 has ever been false since S2 last become true.Between each pair of adjacent states, the next value of P2 determined based on the current value of P2 and S2 and the next value of S1.
If S2 is false, then the next value of P2 equals the next value of :S1.Otherwise, it is the logical-or of the current value of P2 and the next value of :S1.This ensures that after G2 requests entry and S2 becomes true, P2 is also true iff S1 has been false in at least in one state from then to now, inclusively.When G2 has a successful request, both S2 and P2 are simultaneously true.It is possible to include information about the initial value of P2 but this does not seem to be necessary for our proof.
In what follows, we use the gets subformula in an assumption about P2's behavior called P2 As: P2 As def P2 gets (P2 ^S2) _ :S1 : This is importable because the gets-formula is a 2 a -fixpoint since it is defined in terms of keep.In much of the remainder of the overall proof of safety, we refer to P2 as a free variable.Towards the end, we eliminate it through the use of lemma (26) above.

Step (c).
We wish to show that whenever during G2's operation P2 is false, C2 is also false: The exportable commitment Co used here is m (:P2 :C2).Note that as in step (a), Co uses 2 m instead of 2: `:S2 ^:C2 ^P2 As ^G2 2 m (:P2 :C2): The proof outline for lemma (27) is given in Figure 12.

G1 As:
We then prove the following about G1: `:S1 ^:C1 ^G1 As ^G1 2(:C1 _ :C2): (28) See Figure 13 for a proof outline of this in which the commitment Co is 2 m (:C1 _ :C2).Note that G1 As is only actually needed in the proof of the step where C1 is assigned true since we trivially have 2 m :C1 and hence 2 m (:C1 _ :C2) true everywhere else.

Liveness of GSys
Recall that our liveness theorem for GSys is limited to ensuring that both G1 and G2 are always eventually outside their critical regions at the same time: To establish this, we first prove that G2 is always eventually outside its critical region: `:S2 ^:C2 ^G2 23:C2: A proof outline for this is shown in Figure 14.

Mutual Exclusion Using Time Stamps
We now turn to a variant of the mutual exclusion example called here HSys and based on a suggestion of Xu, Cau and Zedan [25] to maintain time stamps (referred to here as T1 and T2) which record when the most recent changes to S1 and S2 have occurred.Figure 16 shows the parallel parts H1 and H2 which can both try to enter their respective critical regions.In the event that H1 and H2 both make requests (i.e., S1 ^S2), the one with the older request has priority.

Safety for HSys
We first consider proving the theorem about safety.This does not require introducing a new auxiliary variable such as P2 since the time stamps turn out to be sufficient.An assumption imported into H1 and called H1 As is used: H1 As def 2 a (:S2 _ T1 T2) ^2S1 2:C2 ^fin(:S2 _ T1 T2) : It is analogous to G1 As and states that in any interval where H1 maintains an active request (2S1) and initially H2 is not requesting (:S2) or has a request which is not older than H1's (T1 T2) then H2 never enters its critical region (2:C2) and ends up with the same general request status (fin(:S2 _ T1 T2)).
Lemma (38)'s proof involves straightforward temporal reasoning and is not given.See Figure 18 for a proof of lemma (39).The exportable commitment Co used by it is 2 m (:C1 _ :C2).From these we can deduce theorem (34) about safety.

Liveness for HSys
The proof of liveness theorem (35) for HSys involves four key lemmas about the processes H1 and H2: `H2 init ^T12 As ^H2 23T1 T2; (40)  `H1 init ^ T12 As ^2 a (halt T1 T2 finite) ^H1 23C1; (41) `H1 init ^H1 2(C1 3:S1); `H2 init ^ T12 As ^2 a (halt :S1 finite) ^H2 23C2: ( The first of these states that H1's request is at least as old as H2's infinitely often.It ensures that H2 is not making too many requests without giving H1 a chance.The second lemma uses the the first one's results (converted to an importable assumption) to establish that H1 enters its critical region infinitely often.The consequent of the first lemma is converted to a 2 a -fixpoint which is used as part of the second lemma's assumption.Recall that 2 a -fixpoints are closed under conjunction so a number of them can be imported together.The third lemma states that when H1 enters its critical region, it also eventually leaves it and resets the request variable S1 to false.The consequents of the second and third lemmas are combined to form an assumption 2 a (halt :S1 finite) specifying that H1 is never infinitely long requesting entry without success.This assumption is used in the fourth lemma to show that H2 enters its critical region infinitely often.

Conclusion
We have presented some of our experience with using temporal fixpoints for compositional reasoning about safety and liveness.Our plans include applying these and other methods to the formal specification and analysis of various conceptual layers of the EP/3 multithreaded computer [1] being built by Dr. J. N. Coleman at the University of Newcastle.

e e 0
def finite ^(fin e) = e 0 ; e < e 0 def finite ^(fin e) = e 0 ^padded e:Once this is done, all the axioms and basic inference rules remain sound.We also include the following two propositional axioms: P13 `(S ^inf ); T S ^inf ; P14 `S ^2 S (T ^more); S T :

Table 1 :
Some definable ITL operators def (w ^S) ^fin :w repeat S until w def S; while :w do S More interval-oriented operators 3 a S def true; S; true Some subinterval 2 a S def : 3 a :S i S def S; true Some initial subinterval 2 i S def : 3 i :S def 2 a (skip S) All unit subintervals keepnow S def 3 i (skip ^S) First unit subinterval m : stable K "In all nonempty terminal subintervals, K is not stable" The maintenance of time stamps presumes the existence of a state variable we call Timer which always T1 Timer ^Timer As ^ T1 gets (if stable S1 then T1 else Timer) ; T2 Timer ^Timer As ^ T2 gets (if stable S2 then T2 else Timer) ; increases:keep(Timer < Timer):The time stamp variables T1 and T2 are initially less than or equal to Timer and always record the last time S1 and S2 changed, respectively: T1 Timer ^ T1 gets (if stable S1 then T1 else Timer) ; T2 Timer ^ T2 gets (if stable S2 then T2 else Timer) :Note that a time stamp equals the last time immediately after a change (i.e., Timer).The formulas H1 init, H2 init and HSys init denote the respective initial conditions for H1, H2 and HSys:def def