Synthesis of Large Dynamic Concurrent Programs from Dynamic Specifications

We present a tractable method for synthesizing arbitrarily large concurrent programs, for a shared memory model with common hardware-available primitives such as atomic registers, compare-and-swap, load-linked/store conditional, etc. The programs we …

Authors: Paul C. Attie

Paul C. Attie
Department of Computer Science, American University of Beirut, and Center for Advanced Mathematical Sciences, American University of Beirut
paul.attie@aub.edu.lb

August 23, 2021

Abstract

We present a tractable method for synthesizing arbitrarily large concurrent programs, for a shared memory model with common hardware-available primitives such as atomic registers, compare-and-swap, load-linked/store conditional, etc. The programs we synthesize are dynamic: new processes can be created and added at run-time, and so our programs are not finite-state, in general. Nevertheless, we successfully exploit automatic synthesis and model-checking methods based on propositional temporal logic. Our method is algorithmically efficient, with complexity polynomial in the number of component processes (of the program) that are "alive" at any time. Our method does not explicitly construct the automata-theoretic product of all processes that are alive, thereby avoiding state explosion. Instead, for each pair of processes which interact, our method constructs an automata-theoretic product (pair-machine) which embodies all the possible interactions of these two processes. From each pair-machine, we can synthesize a correct pair-program which coordinates the two involved processes as needed. We allow such pair-programs to be added dynamically at run-time. They are then "composed conjunctively" with the currently alive pair-programs to re-synthesize the program as it results after addition of the new pair-program. We are thus able to add new behaviors, which result in new properties being satisfied, at run-time.
This "incremental composition" step has complexity independent of the total number of processes; it only requires the mechanical analysis of the two processes in the pair-program, and their immediate neighbors, i.e., the other processes which they interact directly with. We establish a "large model" theorem which shows that the synthesized large program inherits correctness properties from the pair-programs.

1 Introduction

We exhibit a method of mechanically synthesizing a concurrent program consisting of a large, and dynamically varying, number of sequential processes executing in parallel. Our programs operate in shared memory, using commonly available hardware primitives, such as read and write operations on atomic registers, compare-and-swap, and load-linked/store conditional. Even though our synthesis method is largely mechanical, we only require that each process have a finite number of actions, and that the data referred to in action guards be finite. Underlying data that processes operate on, and which does not affect action guards, can be infinite. Also, since the number of processes can increase without limit, the synthesized program as a whole is not finite-state. In addition, our method is computationally efficient: it does not explicitly construct the automata-theoretic product of a large number of processes (e.g., all processes that are "alive" at some point) and is therefore not susceptible to the state-explosion problem, i.e., the exponential growth of the number of global states with the number of processes, which is widely acknowledged to be the primary impediment to large-scale application of mechanical verification methods.
Rather than build a global product, our method constructs the product of small numbers of sequential processes, and in particular, the product of each pair of processes that interact, thereby avoiding the exponential complexity in the number of processes that are "alive" at any time. The product of each pair of interacting processes, or pair-machine, is a Kripke structure which embodies the interaction of the two processes. The pair-machines can be constructed manually, and then efficiently model-checked (since each is small) to verify pair-properties: behavioral properties of the interaction of the two processes, when viewed in isolation from the remaining processes. Alternatively, the pair-properties can be specified first, and the pair-machine automatically synthesized from the pair-properties by the use of mechanical synthesis methods such as [EC82, MW84, KV97]. Again this is efficient since the pair-machines are small. Corresponding to each pair-machine is a pair-program, a syntactic realization of the pair-machine, which generates the pair-machine as its global-state transition diagram. Finally, we syntactically compose all of the pair-programs. This composition has a conjunctive nature: a process $P_i$ can make a transition iff that transition is permitted by all of the pair-programs in which $P_i$ participates. We allow such "pair-programs" to be added dynamically at run-time. They are then composed with the currently alive pair-programs to re-synthesize the program as it results after addition of the new pair-program. We are thus able to add new behaviors, which result in new properties being satisfied, at run-time. The use of pairwise composition greatly facilitates this, since the addition of a new pair-program does not disturb the correctness properties which are satisfied by the currently present pair-programs.
We establish a "large model" theorem which shows that the synthesized large program inherits correctness properties from the pair-programs. Since the pair-machines are small, and since the composition step operates on syntax, i.e., the pair-programs themselves, and not their state-transition diagrams, our method is computationally efficient. In particular, the dynamic addition of a single pair-program requires a mechanical synthesis or model checking step whose complexity is independent of the total number of alive processes at the time, but which depends only on checking the products of the two processes involved in the pair-program, together with some of their neighbors, i.e., the processes which they immediately interact with. Our method thus overcomes the severe limitations previously imposed by state-explosion on the applicability of automatic synthesis methods, and extends these methods to the new domain of dynamic programs. Our method can generate systems under arbitrary process interconnection schemes, e.g., fully connected, ring, star. In our model of parallel computation, two processes are interconnected if and only if either (1) one process can inspect the local state of the other process or (2) both processes read and/or write a common variable, or both. The method requires the pair-programs to satisfy certain technical assumptions, thus it is not completely general. Nevertheless, it is applicable in many interesting cases. We illustrate our method by synthesizing a ring-based two phase commit protocol. Using the large model theorem, we show that correctness properties that two processes of the ring satisfy when interacting in isolation carry over when those processes are part of the ring. We then easily construct a correctness proof for the ring using these properties.
We note that the ring can contain an arbitrarily large number of processes, i.e., we really synthesize a family of rings, one for each natural number.

A crucial aspect of our method is its soundness: which correctness properties can be established for our synthesized programs? We establish a "large model" theorem which shows that the synthesized program inherits all of the correctness properties of the pair-programs, i.e., the pair-properties. We express our pair-properties in the branching time temporal logic ACTL [GL94] minus the nexttime operator. In particular, propositional invariants and some temporal leads-to properties of any pair-program also hold of the synthesized program. (A temporal leads-to property has the following form: if condition 1 holds now, then condition 2 eventually holds. ACTL can express temporal leads-to if condition 1 is purely propositional.) In addition, we can use a suitable deductive system to combine the pair-properties to deduce correctness properties of the large program which are not directly expressible in pairwise fashion.

This paper extends our previous work [AE98] on the synthesis of large concurrent programs in four important directions:

1. It eliminates the requirement that all pair-programs be isomorphic to each other, which in effect constrains the synthesized program to contain only one type of interaction amongst its component processes. In our method, every process can be nonisomorphic with every other process, and our method would still be computationally efficient.

2. It extends the set of correctness properties that are preserved from propositional invariants and propositional temporal leads-to properties (i.e., leads-to properties where the conditions are purely propositional) to formulae that can contain arbitrary nesting of temporal modalities.

3. It eliminates the requirement that the number of processes of the synthesized program be fixed: our previous work synthesized an infinite family of programs, each of which contains a large, but fixed, number of processes. By contrast, the current method produces a single program, in which the number of processes can dynamically increase at run-time.

4. It produces programs that do not require a large grain of atomicity: in [Att99, AE98], each process needed to atomically inspect the state of all of its neighbors (i.e., all processes with which it is composed in some pair-program) in a single transition. By contrast, the current method produces programs that operate using only hardware-available primitives for interprocess communication and synchronization.

To demonstrate the utility of our method, we apply it to synthesize a two-phase commit protocol, and a replicated data service.

Related work. Previous synthesis methods [AM94, DWT90, EC82, KMTV00, KV97, MW84, PR89a, PR89b] all rely on some form of exhaustive state space search, and thus suffer from the state-explosion problem: synthesizing a concurrent program consisting of $K$ sequential processes, each with $O(N)$ local states, requires building the global state transition diagram of size $O(N^K)$. There are a number of methods proposed for verifying correctness properties of an infinite family of finite-state processes [APR+01, CGB86, EK00, EN96, PRZ01, SG92]. All of these deal with an infinite family of concurrent programs, where each program consists of a possibly large, but fixed set of processes. No method to date can verify or synthesize a single concurrent program in which processes can be dynamically created at run time.
Furthermore, all methods to date that deal with large concurrent programs, apart from our own previous work [Att99, AE98], make the "parametrized system" assumption: the processes can be partitioned into a small number of "equivalence classes," within each of which all processes are isomorphic. Hence, in eliminating these two significant restrictions, our method is a significant improvement over the previous literature, and moves automated synthesis methods closer to the realm of practical distributed algorithms. We illustrate this point by using our method to synthesize a replicated data service based on the algorithms of [FGL+99, LLSG92]. Our algorithm is actually more flexible, since it permits the dynamic addition of more replicas at run time.

Some synthesis methods in the literature synthesize "open systems," or "reactive modules," which interact with an environment, and are required to satisfy a specification regardless of the environment's behavior. The main argument for open systems synthesis is that open systems can deal with any "input" which the environment presents. We can achieve this effect by using the "exists nexttime" ($EX$) modality of the temporal logic CTL [EC82, Eme90]. We illustrate this in our replicated data service example, where we specify that a client can submit operations at any time.

The rest of the paper is as follows. Section 2 presents our model of concurrent computation. Section 3 discusses temporal logic and fairness. Section 4 presents a restricted version of the method, which is only applicable to static concurrent programs: those with a fixed set of processes. This approach simplifies the development and exposition of our method. Section 5 establishes the soundness of the synthesis method for static programs. Section 6 presents the two phase commit example, which can be treated with the restricted method.
Section 7 presents the general synthesis method, which can produce dynamic concurrent programs. Section 8 shows that the general method is sound. Section 9 outlines how the synthesized programs can be implemented using atomic registers. In Section 10 we use our method to synthesize an eventually-serializable replicated data service. Section 11 discusses further work and concludes.

2 Model of Concurrent Computation

We assume the existence of a possibly infinite, universal set $\mathit{Pids}$ of unique process indices. A concurrent program $P$ consists of a finite, unbounded, and possibly varying number of sequential processes $P_i$, $i \in \mathit{Pids}$, running in parallel, i.e., $P = P_1 \parallel \cdots \parallel P_K$ where $P_1, \ldots, P_K$ execute in parallel and are the processes that have been "created" so far. For technical convenience, we do not allow processes to be "destroyed" in our model. Process destruction can be easily emulated by having a process enter a "sink" state, from which it has no enabled actions. With every process $P_i$, we associate a single, unique index, namely $i$. Two processes are similar if and only if one can be obtained from the other by swapping their indices. Intuitively, this corresponds to concurrent algorithms where a single "generic" indexed piece of code gives the code body for all processes.

As stated above, we compose a dynamically varying number of pair-programs to synthesize the overall program. To define the syntax and semantics of the pair-programs, we use the synchronization skeleton model of [EC82]. The synchronization skeleton of a process $P_i$ is a state-machine where each state represents a region of code that performs some sequential computation and each arc represents a conditional transition (between different regions of sequential code) used to enforce synchronization constraints.
For example, a node labeled $C_i$ may represent the critical section of $P_i$. While in $C_i$, $P_i$ may increment a single variable, or it may perform an extensive series of updates on a large database. In general, the internal structure and intended application of the regions of sequential code are unspecified in the synchronization skeleton. The abstraction to synchronization skeletons thus eliminates all steps of the sequential computation from consideration.

Formally, the synchronization skeleton of each process $P_i$ is a directed graph where each node $s_i$ is a unique local state of $P_i$, and each arc has a label of the form $\bigoplus_{\ell \in [n]} B_\ell \rightarrow A_\ell$,¹ where each $B_\ell \rightarrow A_\ell$ is a guarded command [Dij76], and $\oplus$ is guarded command "disjunction," i.e., the arc is equivalent to $n$ arcs, between the same pair of nodes, each labeled with one of the $B_\ell \rightarrow A_\ell$. Let $\hat{P}_i$ denote the synchronization skeleton of process $i$ with all the arc labels removed. Roughly, the operational semantics of $\bigoplus_{\ell \in [n]} B_\ell \rightarrow A_\ell$ is that if one of the $B_\ell$ evaluates to true, then the corresponding body $A_\ell$ can be executed. If none of the $B_\ell$ evaluates to true, then the command "blocks," i.e., waits until one of the $B_\ell$ holds.² Each node must have at least one outgoing arc, i.e., a skeleton contains no "dead ends," and two nodes are connected by at most one arc in each direction. A (global) state is a tuple of the form $(s_1, \ldots, s_K, v_1, \ldots, v_m)$ where each $s_i$ is the current local state of $P_i$, and $v_1, \ldots, v_m$ is a list giving the current values of all the shared variables, $x_1, \ldots, x_m$ (we assume these are ordered in a fixed way, so that $v_1, \ldots, v_m$ specifies a unique value for each shared variable). A guard $B$ is a predicate on states, and a body $A$ is a parallel assignment statement that updates the values of the shared variables.
If $B$ is omitted from a command, it is interpreted as $\mathit{true}$, and we write the command as $A$. If $A$ is omitted, the shared variables are unaltered, and we write the command as $B$. We model parallelism in the usual way by the nondeterministic interleaving of the "atomic" transitions of the individual synchronization skeletons of the processes $P_i$. Hence, at each step of the computation, some process with an "enabled" arc is nondeterministically selected to be executed next. Assume that the current state is $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ and that $P_i$ contains an arc from $s_i$ to $s'_i$ labeled by the command $B \rightarrow A$. If $B$ is true in $s$, then a permissible next state is $(s_1, \ldots, s'_i, \ldots, s_K, v'_1, \ldots, v'_m)$ where $v'_1, \ldots, v'_m$ is the list of updated values for the shared variables produced by executing $A$ in state $s$. The arc from $s_i$ to $s'_i$ is said to be enabled in state $s$. An arc that is not enabled is disabled, or blocked. A (computation) path is any sequence of states where each successive pair of states is related by the above next-state relation. If the number of processes is fixed, then the concurrent program can be written as $P_1 \parallel \cdots \parallel P_K$, where $K$ is fixed. In this case, we also specify a set $S_0$ of global states in which execution is permitted to start. These are the initial states. The program is then written as $(S_0, P_1 \parallel \cdots \parallel P_K)$. An initialized (computation) path is a computation path whose first state is an initial state. A state is reachable iff it lies along some initialized path.
3 Temporal Logic and Fairness

CTL$^*$ is a propositional branching time temporal logic [Eme90] whose formulae are built up from atomic propositions, propositional connectives, the universal ($A$) and existential ($E$) path quantifiers, and the linear-time modalities nexttime (by process $j$) $X_j$, and strong until $U$. The sublogic ACTL$^*$ [GL94] is the "universal fragment" of CTL$^*$: it results from CTL$^*$ by restricting negation to propositions, and eliminating the existential path quantifier $E$. The sublogic CTL [EC82] results from restricting CTL$^*$ so that every linear-time modality is paired with a path quantifier, and vice-versa. The sublogic ACTL [GL94] results from restricting ACTL$^*$ in the same way. The linear-time temporal logic PTL [MW84] results from removing the path quantifiers from CTL$^*$.

We have the following syntax for CTL$^*$. We inductively define a class of state formulae (true or false of states) using rules (S1)–(S3) below and a class of path formulae (true or false of paths) using rules (P1)–(P3) below:

(S1) The constants $\mathit{true}$ and $\mathit{false}$ are state formulae. $p$ is a state formula for any atomic proposition $p$.
(S2) If $f, g$ are state formulae, then so are $f \wedge g$, $\neg f$.
(S3) If $f$ is a path formula, then $Af$ is a state formula.
(P1) Each state formula is also a path formula.
(P2) If $f, g$ are path formulae, then so are $f \wedge g$, $\neg f$.
(P3) If $f, g$ are path formulae, then so are $X_j f$, $f U g$.

The linear-time temporal logic PTL [MW84] consists of the set of path formulae generated by rules (S1) and (P1)–(P3).

¹ $[n]$ denotes the integers from 1 to $n$ inclusive.
² This interpretation was proposed by [Dij82].
We also introduce some additional modalities as abbreviations: $Ff$ (eventually) for $[\mathit{true}\ U f]$, $Gf$ (always) for $\neg F \neg f$, $[f U_w g]$ (weak until) for $[f U g] \vee Gf$, $\overset{\infty}{F} f$ (infinitely often) for $GFf$, and $\overset{\infty}{G} f$ (eventually always) for $FGf$.

Likewise, we have the following syntax for ACTL$^*$.

(S1) The constants $\mathit{true}$ and $\mathit{false}$ are state formulae. $p$ and $\neg p$ are state formulae for any atomic proposition $p$.
(S2) If $f, g$ are state formulae, then so are $f \wedge g$, $f \vee g$.
(S3) If $f$ is a path formula, then $Af$ is a state formula.
(P1) Each state formula is also a path formula.
(P2) If $f, g$ are path formulae, then so are $f \wedge g$, $f \vee g$.
(P3) If $f, g$ are path formulae, then so are $X_j f$, $f U g$, and $f U_w g$.

The logic ACTL [GL94] is obtained by replacing rules (S3), (P1)–(P3) by (S3'):

(S3') If $f, g$ are state formulae, then so are $AX_j f$, $A[f U g]$, and $A[f U_w g]$.

The set of state formulae generated by rules (S1), (S2), and (S3') forms ACTL. The logic ACTL$^-$ is the logic ACTL without the $AX_j$ modality. We define the logic ACTL$^*\!-\!X$ to be the logic ACTL$^*$ without the $X_j$ modality, and the logic ACTL$^-_{ij}$ to be ACTL$^-$ where the atomic propositions are drawn only from $AP_i \cup AP_j$.

Formally, we define the semantics of CTL$^*$ formulae with respect to a structure $M = (S, R)$ consisting of

• $S$, a countable set of states. Each state is a mapping from the set $AP$ of atomic propositions into $\{\mathit{true}, \mathit{false}\}$, and
• $R = \bigcup_{i \in \mathit{Pids}} R_i$, where $R_i \subseteq S \times \{i\} \times S$ is a binary relation on $S$ giving the transitions of process $i$.

Here $AP = \bigcup_{i \in \mathit{Pids}} AP_i$, where $AP_i$ is the set of atomic propositions that "belong" to process $i$. Other processes can read propositions in $AP_i$, but only process $i$ can modify these propositions (which collectively define the local state of process $i$).
A path is a sequence of states $(s_1, s_2, \ldots)$ such that $\forall i,\ (s_i, s_{i+1}) \in R$, and a fullpath is a maximal path. A fullpath $(s_1, s_2, \ldots)$ is infinite unless for some $s_k$ there is no $s_{k+1}$ such that $(s_k, s_{k+1}) \in R$. We use the convention (1) that $\pi = (s_1, s_2, \ldots)$ denotes a fullpath and (2) that $\pi^i$ denotes the suffix $(s_i, s_{i+1}, s_{i+2}, \ldots)$ of $\pi$, provided $i \le |\pi|$, where $|\pi|$, the length of $\pi$, is $\omega$ when $\pi$ is infinite and $k$ when $\pi$ is finite and of the form $(s_1, \ldots, s_k)$; otherwise $\pi^i$ is undefined. We also use the usual notation to indicate truth in a structure: $M, s_1 \models f$ (respectively $M, \pi \models f$) means that $f$ is true in structure $M$ at state $s_1$ (respectively of fullpath $\pi$). In addition, we use $M, S \models f$ to mean $\forall s \in S : (M, s \models f)$, where $S$ is a set of states. We define $\models$ inductively:

(S1) $M, s_1 \models \mathit{true}$ and $M, s_1 \not\models \mathit{false}$. $M, s_1 \models p$ iff $s_1(p) = \mathit{true}$. $M, s_1 \models \neg p$ iff $s_1(p) = \mathit{false}$.
(S2) $M, s_1 \models f \wedge g$ iff $M, s_1 \models f$ and $M, s_1 \models g$. $M, s_1 \models f \vee g$ iff $M, s_1 \models f$ or $M, s_1 \models g$.
(S3) $M, s_1 \models Af$ iff for every fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$.
(P1) $M, \pi \models f$ iff $M, s_1 \models f$.
(P2) $M, \pi \models f \wedge g$ iff $M, \pi \models f$ and $M, \pi \models g$. $M, \pi \models f \vee g$ iff $M, \pi \models f$ or $M, \pi \models g$.
(P3) $M, \pi \models X_j f$ iff $\pi^2$ is defined and $(s_1, s_2) \in R_j$ and $M, \pi^2 \models f$. $M, \pi \models f U g$ iff there exists $i \in [1 : |\pi|]$ such that $M, \pi^i \models g$ and for all $j \in [1 : (i-1)]$: $M, \pi^j \models f$. $M, \pi \models f U_w g$ iff for all $i \in [1 : |\pi|]$, if $M, \pi^j \not\models g$ for all $j \in [1 : i]$, then $M, \pi^i \models f$.

When the structure $M$ is understood from context, it may be omitted (e.g., $M, s_1 \models p$ is written as $s_1 \models p$). Since the other logics are all sublogics of CTL$^*$, the above definition provides semantics for them as well.
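The semantics above, worked out as an added example that is not part of the paper: a checker for the ACTL fragment $AX_j$, $A[f U g]$, $A[f U_w g]$ (negation on propositions only) over a finite structure $M = (S, R)$ with per-process transition relations $R_j$. The structure, the formula encoding and the function names are my own constructions; the one point worth seeing in code is how a dead-end state, whose only fullpath is finite, is treated by each modality.

```python
# Constructed example (not the paper's code): a checker for the ACTL
# fragment of Section 3 (AX_j, A[f U g], A[f U_w g], with negation only on
# propositions) over a structure M = (S, R), R = union of per-process R_j.
# Fullpaths are maximal, so a dead-end state's only fullpath is finite.

def successors(R, s):
    """All t with (s, t) in R_j for some process j."""
    return {t for Rj in R.values() for (u, t) in Rj if u == s}

def sat(M, f):
    """Set of states of M = (S, R, L) satisfying formula f, where L maps a
    state to the set of atomic propositions true in it.  f is a tuple:
    ("true",), ("false",), ("p", a), ("notp", a), ("and", f, g),
    ("or", f, g), ("AX", j, f), ("AU", f, g), ("AUw", f, g)."""
    S, R, L = M
    op = f[0]
    if op == "true":
        return set(S)
    if op == "false":
        return set()
    if op == "p":
        return {s for s in S if f[1] in L[s]}
    if op == "notp":
        return {s for s in S if f[1] not in L[s]}
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "or":
        return sat(M, f[1]) | sat(M, f[2])
    if op == "AX":
        # (P3): every fullpath must have a second state, reached by a
        # transition of process j, that satisfies f; a dead end fails.
        j, G = f[1], sat(M, f[2])
        return {s for s in S
                if successors(R, s)
                and all((s, t) in R[j] and t in G for t in successors(R, s))}
    if op not in ("AU", "AUw"):
        raise ValueError("unknown operator " + str(op))
    F, G = sat(M, f[1]), sat(M, f[2])
    if op == "AU":
        # least fixpoint: g now, or f now with at least one successor and
        # every successor already in the set; a dead end without g fails.
        Z = set(G)
        while True:
            new = Z | {s for s in F if successors(R, s) and successors(R, s) <= Z}
            if new == Z:
                return Z
            Z = new
    # "AUw": greatest fixpoint; weak until also accepts paths on which f
    # holds forever, including finite fullpaths that end in an f-state.
    Z = set(S)
    while True:
        new = G | {s for s in F if successors(R, s) <= Z}
        if new == Z:
            return Z
        Z = new

# Derived modalities, following the abbreviations of Section 3.
def AF(g):
    return ("AU", ("true",), g)

def AG(f):
    return ("AUw", f, ("false",))

# Constructed four-state structure with two processes.  State d has no
# successors, so the fullpath (d) is finite.
EXAMPLE_M = (
    {"a", "b", "c", "d"},
    {1: {("a", "b"), ("b", "c")}, 2: {("a", "c"), ("c", "d")}},
    {"a": {"p"}, "b": {"p"}, "c": {"q"}, "d": set()},
)

def demo():
    """Evaluate a few formulas on EXAMPLE_M; returns a dict of result sets."""
    M = EXAMPLE_M
    return {
        "A[p U q]": sat(M, ("AU", ("p", "p"), ("p", "q"))),
        "A[p Uw q]": sat(M, ("AUw", ("p", "p"), ("p", "q"))),
        "AX_1 q": sat(M, ("AX", 1, ("p", "q"))),
        "AF q": sat(M, AF(("p", "q"))),
        "AG p": sat(M, AG(("p", "p"))),
    }

if __name__ == "__main__":
    for name, states in demo().items():
        print(name, sorted(states))
```

On EXAMPLE_M, $AX_1 q$ holds only at b: a has the process-2 successor c, so not every fullpath leaves a by an $R_1$ transition, and d has no fullpath with a second state at all.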
We refer the reader to [Eme90] for details in general, and to [GL94] for details of ACTL.

3.1 Fairness

To guarantee liveness properties of the synthesized program, we use a form of weak fairness. Fairness is usually specified as a linear-time logic (i.e., PTL) formula $\Phi$, and a fullpath is fair iff it satisfies $\Phi$. To state correctness properties under the assumption of fairness, we relativize satisfaction ($\models$) so that only fair fullpaths are considered. The resulting notion of satisfaction, $\models_\Phi$, is defined by [EL87] as follows:

(S3-fair) $M, s_1 \models_\Phi Af$ iff for every $\Phi$-fair fullpath $\pi = (s_1, s_2, \ldots)$ in $M$: $M, \pi \models f$.

Effectively, path quantification is only over the paths that satisfy $\Phi$.

4 Synthesis of Static Concurrent Programs

To simplify the development and exposition of our method, we first present a restricted case, where we synthesize static concurrent programs, i.e., those with a fixed set of processes. We extend the method to dynamic concurrent programs in Section 7 below.

As stated earlier, our aim is to synthesize a large concurrent program $P = P_{i_1} \parallel \ldots \parallel P_{i_K}$ without explicitly generating its global state transition diagram, and thereby incurring time and space complexity exponential in the number of component processes of $P$. We achieve this by breaking the synthesis problem down into two steps:

1. For every pair of processes in $P$ that interact directly, synthesize a pair-program that describes their interaction.
2. Combine all the pair-programs to produce $P$.

When we say $P_i$ and $P_j$ interact directly, we mean that each process can read the other process's atomic propositions (which, recall, encode the process's local state), and that they have a set $SH_{ij}$ of shared variables that they both read and write. We define the interconnection relation $I \subseteq \{i_1, \ldots, i_K\} \times \{i_1, \ldots, i_K\} \times \mathrm{ACTL}^-$ as follows: $(i, j, f_{ij}) \in I$ iff $P_i$ and $P_j$ interact directly, and $f_{ij}$ is an ACTL$^-$ formula specifying this interaction. In the sequel we let $\mathit{spec}_{ij}$ denote the specification associated with $i, j$, and we say that $\{i_1, \ldots, i_K\}$ is the domain of $I$. We introduce the "spatial modality" $\bigwedge\!\!\bigwedge_{ij}$ which quantifies over all pairs $(i, j)$ such that $i$ and $j$ are related by $I$. Thus, $\bigwedge\!\!\bigwedge_{ij} \mathit{spec}_{ij}$ is equivalent to $\forall (i, j, \mathit{spec}_{ij}) \in I : \mathit{spec}_{ij}$. We stipulate that $I$ is "irreflexive," that is, $(i, i, f_{ij}) \notin I$ for all $i, f_{ij}$, and that every process interacts directly with at least one other process: $\forall i \in \{i_1, \ldots, i_K\} : (\exists j, f_{ij} : (i, j, f_{ij}) \in I \vee (j, i, f_{ij}) \in I)$. Furthermore, for any pair of process indices $i, j$, $I$ contains at most one pair $(k, \ell, f_{k\ell})$ such that $k \in \{i, j\}$ and $\ell \in \{i, j\}$. In the sequel, we say that $i$ and $j$ are neighbors when $(i, j, f_{ij}) \in I$ or $(j, i, f_{ij}) \in I$, for some $f_{ij}$. We shall sometimes abuse notation and write $(i, j) \in I$ (or $i\,I\,j$) for $\exists f_{ij} : ((i, j, f_{ij}) \in I \vee (j, i, f_{ij}) \in I)$. We also introduce the following abbreviations: $I(i)$ denotes the set $\{j \mid i\,I\,j\}$; and $\hat{I}(i)$ denotes the set $\{i\} \cup \{j \mid i\,I\,j\}$. Since the interconnection relation $I$ embodies a complete specification, we shall refer to a program that has been synthesized from $I$ as an $I$-program, and to its component processes as $I$-processes.

Since our focus in this article is on avoiding state-explosion, we shall not explicitly address step 1 of the synthesis method outlined above. Any method for deriving concurrent programs from temporal logic specifications can be used to generate the required pair-programs, e.g., the synthesis method of [EC82].
Since a pair-program has only $O(N^2)$ states (where $N$ is the size of each sequential process), the problem of deriving a pair-program from a specification is considerably easier than that of deriving an $I$-program from the specification. Hence, the contribution of this article, namely the second step above, is to reduce the more difficult problem (deriving the $I$-program) to the easier problem (deriving the pair-programs).

We proceed as follows. For sake of argument, let us first assume that all the pair-programs are actually isomorphic to each other. Let $i\,I\,j$. We denote the pair-program for processes $i$ and $j$ by $(S^0_{ij}, P^j_i \parallel P^i_j)$, where $S^0_{ij}$ is the set of initial states, $P^j_i$ is the synchronization skeleton for process $i$ in this pair-program, and $P^i_j$ is the synchronization skeleton for process $j$. We take $(S^0_{ij}, P^j_i \parallel P^i_j)$ and generalize it in a natural way to an $I$-program. We show that our generalization preserves a large class of correctness properties. Roughly the idea is as follows. Consider first the generalization to three pairwise interconnected processes $i, j, k$, i.e., $I = \{(i, j), (j, k), (k, i)\}$.³ With respect to process $i$, the proper interaction (i.e., the interaction required to satisfy the specification) between process $i$ and process $j$ is captured by the synchronization commands that label the arcs of $P^j_i$. Likewise, the proper interaction between process $i$ and process $k$ is captured by the arc labels of $P^k_i$.
Therefore, in the three-process program consisting of processes $i, j, k$ executing concurrently (and where process $i$ is interconnected to both process $j$ and process $k$), the proper interaction for process $i$ with processes $j$ and $k$ is captured as follows: when process $i$ traverses an arc, the synchronization command which labels that arc in $P^j_i$ is executed "simultaneously" with the synchronization command which labels the corresponding arc in $P^k_i$. For example, taking as our specification the mutual exclusion problem, if $P_i$ executes the mutual exclusion protocol with respect to both $P_j$ and $P_k$, then, when $P_i$ enters its critical section, both $P_j$ and $P_k$ must be outside their own critical sections. Based on the above reasoning, we determine that the synchronization skeleton for process $i$ in the aforementioned three-process program (call it $P^{jk}_i$) has the same basic graph structure as $P^j_i$ and $P^k_i$, and an arc label in $P^{jk}_i$ is a "composition" of the labels of the corresponding arcs in $P^j_i$ and $P^k_i$. In addition, the initial states $S^0_{ijk}$ of the three-process program are exactly those states that "project" onto initial states of all three pair-programs ($(S^0_{ij}, P^j_i \parallel P^i_j)$, $(S^0_{ik}, P^k_i \parallel P^i_k)$, and $(S^0_{jk}, P^k_j \parallel P^j_k)$). Generalizing the above to the case of an arbitrary interconnection relation $I$, we see that the skeleton for process $i$ in the $I$-program (call it $P_i$) has the same basic graph structure as $P^j_i$, and a transition label in $P_i$ is a "composition" of the labels of the corresponding transitions in $P^{j_1}_i, \ldots, P^{j_n}_i$, where $\{j_1, \ldots, j_n\} = I(i)$, i.e., processes $j_1, \ldots, j_n$ are all the $I$-neighbors of process $i$.

³ Note the abuse of notation: we have omitted the ACTL$^-$ formulae.
Likewise, the set $S^0_I$ of initial states of the $I$-program is exactly those states all of whose "projections" onto all the pairs in $I$ give initial states of the corresponding pair-program. We now note that the above discussion does not use in any essential way the assumption that pair-programs are isomorphic to each other. In fact, the above argument can still be made if pair-programs are not isomorphic, provided that they induce the same local structure on all common processes. That is, for pair-programs $(S^0_{ij}, P^j_i \parallel P^i_j)$ and $(S^0_{ik}, P^k_i \parallel P^i_k)$, we require that $graph(P^j_i) = graph(P^k_i)$, where $graph(P^j_i)$, $graph(P^k_i)$ result from removing all arc labels from $P^j_i$, $P^k_i$ respectively. Also, the initial state sets of all the pair-programs must be such that there is at least one $I$-state that projects onto some initial state of every pair-program (and hence the initial state set of the $I$-program will be nonempty). We assume, in the sequel, that these conditions hold. Also, all quoted results from [AE98] have been reverified to hold in our setting, i.e., when the similarity assumptions of [AE98] are dropped.

Before formally defining our synthesis method, we need some technical definitions. Since $P^j_i$ and $P_i$ have the same local structure, they have the same nodes (remember that $P^j_i$ and $P_i$ are synchronization skeletons). A node of $P^j_i$, $P_i$ is a mapping of $AP_i$ to $\{true, false\}$. We will refer to such nodes as $i$-states. A state of the pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$ is a tuple $(s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$ where $s_i$, $s_j$ are $i$-states, $j$-states, respectively, and $v^1_{ij}, \ldots, v^m_{ij}$ give the values of all the variables in $SH_{ij}$. We refer to states of $P^j_i \parallel P^i_j$ as $ij$-states.
An $ij$-state inherits the assignments defined by its component $i$- and $j$-states: $s_{ij}(p_i) = s_i(p_i)$, $s_{ij}(p_j) = s_j(p_j)$, where $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, and $p_i$, $p_j$ are arbitrary atomic propositions in $AP_i$, $AP_j$, respectively.

We now turn to $I$-programs. If interconnection relation $I$ has domain $\{i_1, \ldots, i_K\}$, then we denote an $I$-program by $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$. $S^0_I$ is the set of initial states, and $P_i$ is the synchronization skeleton for process $i$ ($i \in \{i_1, \ldots, i_K\}$) in this $I$-program. A state of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ is a tuple $(s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, where $s_i$ ($i \in \{i_1, \ldots, i_K\}$) is an $i$-state and $v_1, \ldots, v_n$ give the values of all the shared variables of the $I$-program (we assume some fixed ordering of these variables, so that the values assigned to them are uniquely determined by the list $v_1, \ldots, v_n$). We refer to states of an $I$-program as $I$-states. An $I$-state inherits the assignments defined by its component $i$-states ($i \in \{i_1, \ldots, i_K\}$): $s(p_i) = s_i(p_i)$, where $s = (s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, and $p_i$ is an arbitrary atomic proposition in $AP_i$ ($i \in \{i_1, \ldots, i_K\}$). We shall usually use $s, t, u$ to denote $I$-states. If $J \subseteq I$, then we define a $J$-program exactly like an $I$-program, but using interconnection relation $J$ instead of $I$. $J$-state is similarly defined.

Let $s_i$ be an $i$-state. We define a state-to-formula operator $\{|s_i|\}$ that takes an $i$-state $s_i$ as an argument and returns a propositional formula that characterizes $s_i$, in that $s_i \models \{|s_i|\}$, and $s'_i \not\models \{|s_i|\}$ for all $i$-states $s'_i$ such that $s'_i \neq s_i$: $\{|s_i|\} = (\bigwedge_{s_i(p_i) = true} p_i) \wedge (\bigwedge_{s_i(p_i) = false} \neg p_i)$, where $p_i$ ranges over the members of $AP_i$. $\{|s_{ij}|\}$ is defined similarly.
We define the state projection operator $\upharpoonright$. This operator has several variants. First of all, we define projection onto a single process from both $I$-states and $ij$-states: if $s = (s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, then $s \upharpoonright i = s_i$, and if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, then $s_{ij} \upharpoonright i = s_i$. This gives the $i$-state corresponding to the $I$-state $s$, $ij$-state $s_{ij}$, respectively. Next we define projection of an $I$-state onto a pair-program: if $s = (s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, then $s \upharpoonright ij = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, where $v^1_{ij}, \ldots, v^m_{ij}$ are those values from $v_1, \ldots, v_n$ that denote values of variables in $SH_{ij}$. This gives the $ij$-state corresponding to the $I$-state $s$, and is well defined only when $i\,I\,j$. We also define projection onto the shared variables in $SH_{ij}$ from both $ij$-states and $I$-states: if $s_{ij} = (s_i, s_j, v^1_{ij}, \ldots, v^m_{ij})$, then $s_{ij} \upharpoonright SH_{ij} = (v^1_{ij}, \ldots, v^m_{ij})$, and if $s = (s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, then $s \upharpoonright SH_{ij} = (v^1_{ij}, \ldots, v^m_{ij})$, where $v^1_{ij}, \ldots, v^m_{ij}$ are those values from $v_1, \ldots, v_n$ that denote values of variables in $SH_{ij}$. Finally, we define projection of an $I$-state onto a $J$-program. If $s = (s_{i_1}, \ldots, s_{i_K}, v_1, \ldots, v_n)$, then $s \upharpoonright J = (s_{j_1}, \ldots, s_{j_L}, v^1_J, \ldots, v^m_J)$, where $\{j_1, \ldots, j_L\}$ is the domain of $J$, and $v^1_J, \ldots, v^m_J$ are those values from $v_1, \ldots, v_n$ that denote values of variables in $\bigcup_{(i,j) \in J} SH_{ij}$. This gives the $J$-state (defined analogously to an $I$-state) corresponding to the $I$-state $s$ and is well defined only when $J \subseteq I$.

To define projection for paths, we first extend the definition of path (and fullpath) to include the index of the process making the transition, i.e., each transition is labeled by an index denoting this process.
For example, a path in $M_I$ would be represented as $s_1 \xrightarrow{d_1} s_2 \cdots s_n \xrightarrow{d_n} s_{n+1} \xrightarrow{d_{n+1}} s_{n+2} \cdots$, where $\forall m \geq 1 : (d_m \in dom(I))$. Let $\pi$ be an arbitrary path in $M_I$. For any $J$ such that $J \subseteq I$, define a $J$-block (cf. [CGB86] and [BCG88]) of $\pi$ to be a maximal subsequence of $\pi$ that starts and ends in a state and does not contain a transition by any $P_i$ such that $i \in dom(J)$. Thus we can consider $\pi$ to be a sequence of $J$-blocks with successive $J$-blocks linked by a single $P_i$-transition such that $i \in dom(J)$ (note that a $J$-block can consist of a single state). It also follows that $s \upharpoonright J = t \upharpoonright J$ for any pair of states $s, t$ in the same $J$-block. This is because a transition that is not by some $P_i$ such that $i \in dom(J)$ cannot affect any atomic proposition in $\bigcup_{i \in dom(J)} AP_i$, nor can it change the value of a variable in $\bigcup_{(i,j) \in J} SH_{ij}$; and a $J$-block contains no such $P_i$-transition. Thus, if $B$ is a $J$-block, we define $B \upharpoonright J$ to be $s \upharpoonright J$ for some state $s$ in $B$. We now give the formal definition of path projection. We use the same notation ($\upharpoonright$) as for state projection. Let $B_n$ denote the $n$th $J$-block of $\pi$.

Definition 1 (Path projection) Let $\pi$ be $B_1 \xrightarrow{d_1} \cdots B_n \xrightarrow{d_n} B_{n+1} \cdots$ where $B_m$ is a $J$-block for all $m \geq 1$. Then the Path Projection Operator $\upharpoonright J$ is given by: $\pi \upharpoonright J = B_1 \upharpoonright J \xrightarrow{d_1} \cdots B_n \upharpoonright J \xrightarrow{d_n} B_{n+1} \upharpoonright J \cdots$

Thus there is a one-to-one correspondence between $J$-blocks of $\pi$ and states of $\pi \upharpoonright J$, with the $n$th $J$-block of $\pi$ corresponding to the $n$th state of $\pi \upharpoonright J$ (note that path projection is well defined when $\pi$ is finite).

The above discussion leads to the following definition of the synthesis method, which shows how an $I$-process $P_i$ of the $I$-program $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ is derived from the pair-processes $\{P^j_i \mid j \in I(i)\}$ of the pair-programs $\{(S^0_{ij}, P^j_i \parallel P^i_j) \mid j \in I(i)\}$:

Definition 2 (Pairwise synthesis) An $I$-process $P_i$ is derived from the pair-processes $P^j_i$, for all $j \in I(i)$, as follows: $P_i$ contains a move from $s_i$ to $t_i$ with label $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}$ iff for every $j$ in $I(i)$: $P^j_i$ contains a move from $s_i$ to $t_i$ with label $\bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}$. The initial state set $S^0_I$ of the $I$-program is derived from the initial states $S^0_{ij}$ of the pair-programs as follows: $S^0_I = \{ s \mid \forall (i,j) \in I : (s \upharpoonright ij \in S^0_{ij}) \}$.

Here $\oplus$ and $\otimes$ are guarded command "disjunction" and "conjunction," respectively. Roughly, the operational semantics of $B^j_{i,1} \to A^j_{i,1} \oplus B^j_{i,2} \to A^j_{i,2}$ is that if one of the guards $B^j_{i,1}$, $B^j_{i,2}$ evaluates to true, then the corresponding body $A^j_{i,1}$, $A^j_{i,2}$, respectively, can be executed. If neither $B^j_{i,1}$ nor $B^j_{i,2}$ evaluates to true, then the command "blocks," i.e., waits until one of $B^j_{i,1}$, $B^j_{i,2}$ evaluates to true.[4] We call an arc whose label has the form $\bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}$ a pair-move. In compact notation, a pair-process has at most one move between any pair of local states. The operational semantics of $B^j_{i,1} \to A^j_{i,1} \otimes B^j_{i,2} \to A^j_{i,2}$ is that if both of the guards $B^j_{i,1}$, $B^j_{i,2}$ evaluate to true, then the bodies $A^j_{i,1}$, $A^j_{i,2}$ can be executed in parallel. If at least one of $B^j_{i,1}$, $B^j_{i,2}$ evaluates to false, then the command "blocks," i.e., waits until both of $B^j_{i,1}$, $B^j_{i,2}$ evaluate to true. We call an arc whose label has the form $\bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}$ an $I$-move. In compact notation, an $I$-process has at most one move between any pair of local states.
The above definition is, in effect, a syntactic transformation that can be carried out in linear time and space (in both $(S^0_{ij}, P^j_i \parallel P^i_j)$ and $I$). In particular, we avoid explicitly constructing the global state transition diagram of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$, which is of size exponential in $K = |\{i_1, \ldots, i_K\}|$. Let $M_{ij}$, $M_I$ be the global state transition diagrams of $(S^0_{ij}, P^j_i \parallel P^i_j)$, $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$, respectively. The technical definitions are given below, and follow the operational semantics given in Section 2.

Definition 3 (Pair-structure) Let $i\,I\,j$. The semantics of $(S^0_{ij}, P^j_i \parallel P^i_j)$ is given by the pair-structure $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij})$ where
1. $S_{ij}$ is a set of $ij$-states,
2. $S^0_{ij} \subseteq S_{ij}$ gives the initial states of $(S^0_{ij}, P^j_i \parallel P^i_j)$, and
3. $R_{ij} \subseteq S_{ij} \times \{i, j\} \times S_{ij}$ is a transition relation giving the transitions of $(S^0_{ij}, P^j_i \parallel P^i_j)$. A transition $(s_{ij}, h, t_{ij})$ by $P^{\bar h}_h$ is in $R_{ij}$ if and only if all of the following hold: (a) $h \in \{i, j\}$, (b) $s_{ij}$ and $t_{ij}$ are $ij$-states, and (c) there exists a move $(s_{ij} \upharpoonright h, \bigoplus_{\ell \in [1:n]} B^{\bar h}_{h,\ell} \to A^{\bar h}_{h,\ell}, t_{ij} \upharpoonright h)$ in $P^{\bar h}_h$ such that there exists $m \in [1:n]$: (i) $s_{ij}(B^{\bar h}_{h,m}) = true$, (ii) $\langle s_{ij} \upharpoonright SH_{ij} \rangle\ A^{\bar h}_{h,m}\ \langle t_{ij} \upharpoonright SH_{ij} \rangle$, and (iii) $s_{ij} \upharpoonright \bar h = t_{ij} \upharpoonright \bar h$. Here $\bar h = i$ if $h = j$ and $\bar h = j$ if $h = i$.

In a transition $(s_{ij}, h, t_{ij})$, we say that $s_{ij}$ is the start state and that $t_{ij}$ is the finish state. The transition $(s_{ij}, h, t_{ij})$ is called a $P^{\bar h}_h$-transition. In the sequel, we use $s_{ij} \xrightarrow{h} t_{ij}$ as an alternative notation for the transition $(s_{ij}, h, t_{ij})$.

[Footnote 4: This interpretation was proposed by [Dij82].]
$\langle s_{ij} \upharpoonright SH_{ij} \rangle\ A\ \langle t_{ij} \upharpoonright SH_{ij} \rangle$ is Hoare triple notation [Hoa69] for total correctness, which in this case means that execution of $A$ always terminates,[5] and, when the shared variables in $SH_{ij}$ have the values assigned by $s_{ij}$, leaves these variables with the values assigned by $t_{ij}$. $s_{ij}(B^{\bar h}_h) = true$ states that the value of guard $B^{\bar h}_h$ in state $s_{ij}$ is $true$.[6] We consider that $(S^0_{ij}, P^j_i \parallel P^i_j)$ possesses a correctness property expressed by a $CTL^*$ formula $f_{ij}$ if and only if $M_{ij}, S^0_{ij} \models f_{ij}$.

The semantics of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ is given by the global state transition diagram $M_I$ generated by its execution. We call the global state transition diagram of an $I$-system an $I$-structure.

Definition 4 ($I$-structure) The semantics of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ is given by the $I$-structure $M_I = (S^0_I, S_I, R_I)$ where
1. $S_I$ is a set of $I$-states,
2. $S^0_I \subseteq S_I$ gives the initial states of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$, and
3. $R_I \subseteq S_I \times dom(I) \times S_I$ is a transition relation giving the transitions of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$. A transition $(s, i, t)$ by $P_i$ is in $R_I$ if and only if (a) $i \in dom(I)$, (b) $s$ and $t$ are $I$-states, and (c) there exists a move $(s \upharpoonright i, \bigotimes_{j \in I(i)} \bigoplus_{\ell \in [1:n]} B^j_{i,\ell} \to A^j_{i,\ell}, t \upharpoonright i)$ in $P_i$ such that all of the following hold: (i) for all $j$ in $I(i)$, there exists $m \in [1:n]$: $s \upharpoonright ij (B^j_{i,m}) = true$ and $\langle s \upharpoonright SH_{ij} \rangle\ A^j_{i,m}\ \langle t \upharpoonright SH_{ij} \rangle$, (ii) for all $j$ in $dom(I) - \{i\}$: $s \upharpoonright j = t \upharpoonright j$, and (iii) for all $j, k$ in $dom(I) - \{i\}$, $j\,I\,k$: $s \upharpoonright SH_{jk} = t \upharpoonright SH_{jk}$.

In a transition $(s, i, t)$, we say that $s$ is the start state, and $t$ is the finish state. The transition $(s, i, t)$ is called a $P_i$-transition. In the sequel, we use $s \xrightarrow{i} t$ as alternative notation for the transition $(s, i, t)$.
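To make Definitions 2 and 4 concrete, the following Python program (an added example, not code from this paper or from [AE98]) synthesizes a three-process $I$-program from a constructed mutual-exclusion pair-program, in the spirit of the mutual exclusion example of Section 4, and explores its $I$-structure by breadth-first search. The pair-process is an assumption chosen for illustration: local states N, T, C, one shared priority variable $x_{ij}$ per pair, written by the $N \to T$ move and tested by the $T \to C$ guard $N_j \vee (T_j \wedge x_{ij} = i)$; the function names are likewise assumptions. The checks confirm mutual exclusion, $AG\,EX\,true$, and that every $I$-transition projects onto a transition of each relevant pair-structure, where each $M_{ij}$ is obtained by running Definition 4 with $I = \{(i,j)\}$, as the remark on consistency of the two definitions suggests.

```python
from collections import deque
from itertools import product

# Interconnection relation I of the example: a triangle of three processes.
TRIANGLE = [(1, 2), (1, 3), (2, 3)]


def pair(i, j):
    return (min(i, j), max(i, j))


def procs_of(inter):
    """dom(I): the processes occurring in the interconnection relation."""
    return sorted({p for pr in inter for p in pr})


def neighbours(inter, i):
    """I(i): the processes interconnected with i."""
    return [q if p == i else p for p, q in inter if i in (p, q)]


def pair_moves(i, j):
    """Constructed pair-process P_i^j (an assumption, not the paper's protocol).
    A move is (start, finish, guard, body): the guard is evaluated on the projected
    ij-state (s_i, s_j, x_ij); the body maps the old value of x_ij to the new one."""
    return [
        ("N", "T", lambda si, sj, x: True, lambda x: j),   # entering T yields priority to j
        ("T", "C", lambda si, sj, x: sj == "N" or (sj == "T" and x == i), lambda x: x),
        ("C", "N", lambda si, sj, x: True, lambda x: x),
    ]


def synthesize(inter, i):
    """Definition 2: P_i has a move s_i -> t_i iff every P_i^j, j in I(i), has one;
    its label is the conjunction over j of the pair-move labels."""
    per_nbr = {j: {(s, t): (g, b) for s, t, g, b in pair_moves(i, j)} for j in neighbours(inter, i)}
    arcs = set.intersection(*(set(d) for d in per_nbr.values()))
    return [(s, t, {j: per_nbr[j][(s, t)] for j in per_nbr}) for s, t in sorted(arcs)]


def project_ij(inter, s, i, j):
    """s|ij: the ij-state (s_i, s_j, x_ij) of the I-state s = (locals, shared)."""
    loc, sh = s
    procs = procs_of(inter)
    return loc[procs.index(i)], loc[procs.index(j)], sh[inter.index(pair(i, j))]


def transitions(inter, s):
    """Definition 4: yield (i, t) for every transition s -i-> t of R_I.  P_i moves when
    one of its I-moves starts at s|i and every per-neighbour guard conjunct holds on
    s|ij; the bodies update x_ij for each neighbour j and nothing else changes."""
    loc, sh = s
    procs = procs_of(inter)
    for i in procs:
        for start, finish, label in synthesize(inter, i):
            if loc[procs.index(i)] != start:
                continue
            if all(g(*project_ij(inter, s, i, j)) for j, (g, _) in label.items()):
                new_loc, new_sh = list(loc), list(sh)
                new_loc[procs.index(i)] = finish
                for j, (_, body) in label.items():
                    k = inter.index(pair(i, j))
                    new_sh[k] = body(new_sh[k])
                yield i, (tuple(new_loc), tuple(new_sh))


def reachable(inter):
    """Explore M_I from S^0_I: every process in N and each x_ij at either endpoint
    (each such state projects onto an initial ij-state of every pair-program)."""
    procs = procs_of(inter)
    init = [(tuple("N" for _ in procs), sh) for sh in product(*inter)]
    seen, queue, edges = set(init), deque(init), set()
    while queue:
        s = queue.popleft()
        for i, t in transitions(inter, s):
            edges.add((s, i, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges


def mutual_exclusion(inter):
    states, _ = reachable(inter)
    return all(sum(l == "C" for l in loc) <= 1 for loc, _ in states)


def deadlock_free(inter):
    """AG EX true: every reachable state has at least one enabled move."""
    states, _ = reachable(inter)
    return all(any(True for _ in transitions(inter, s)) for s in states)


def transition_mapping(inter):
    """Each s -i-> t in R_I projects, for every j in I(i), onto a transition
    s|ij -i-> t|ij of the pair-structure M_ij, built here from Definition 4 with I = {(i, j)}."""
    _, edges = reachable(inter)
    for s, i, t in edges:
        for j in neighbours(inter, i):
            sub = [pair(i, j)]
            si, sj, x = project_ij(inter, s, i, j)
            ti, tj, y = project_ij(inter, t, i, j)
            first = sub[0][0] == i            # locals are ordered by process id
            s_ij = ((si, sj) if first else (sj, si), (x,))
            t_ij = ((ti, tj) if first else (tj, ti), (y,))
            if (i, t_ij) not in set(transitions(sub, s_ij)):
                return False
    return True


if __name__ == "__main__":
    states, edges = reachable(TRIANGLE)
    print(len(states), "reachable I-states,", len(edges), "transitions")
    print("mutual exclusion:", mutual_exclusion(TRIANGLE))
    print("AG EX true:", deadlock_free(TRIANGLE))
    print("I-transitions project onto pair-transitions:", transition_mapping(TRIANGLE))
```

The exploration is only for checking the small example; the synthesis itself (`synthesize`) never looks at global states, which is the point of Definition 2. Note that the global state with all three processes trying and cyclically ordered priorities ($x_{12} = 2$, $x_{13} = 1$, $x_{23} = 3$) would leave every process blocked, but it is unreachable, since $x_{ij}$ always records which of $i$, $j$ most recently entered T and three such facts cannot form a cycle.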
Also, if $I$ is set to $\{\{i, j\}\}$ in Definition 4, then the result is, as expected, the pair-structure definition (3). In other words, the two definitions are consistent. Furthermore, the semantics of a $J$-system, $J \subseteq I$, is given by the $J$-structure $M_J = (S^0_J, S_J, R_J)$, which is obtained by using $J$ for $I$ in Definition 4. As $M_I$ gives the semantics of $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$, we consider that $(S^0_I, P^I_{i_1} \parallel \cdots \parallel P^I_{i_K})$ possesses a correctness property expressed by a formula $\bigwedge_{k\ell} f_{k\ell}$ if and only if $M_I, S^0_I \models \bigwedge_{k\ell} f_{k\ell}$, i.e., $M_I, S^0_I \models \forall (i,j) \in I : (f_{ij})$. $M_{ij}$ and $M_I$ can be interpreted as $CTL^*$ structures. We call $M_{ij}$ a pair-structure, since it gives the semantics of a pair-program, and $M_I$ an $I$-structure, since it gives the semantics of an $I$-program. We state our main soundness result below by relating the $ACTL$ formulae that hold in $M_I$ to those that hold in $M_{ij}$.

[Footnote 5: Termination is obvious, since the right-hand side of $A$ is a list of constants.]

[Footnote 6: $s_{ij}(B^{\bar h}_h)$ is defined by the usual inductive scheme: $s_{ij}(\text{``}x_{ij} = h_{ij}\text{''}) = true$ iff $s_{ij}(x_{ij}) = h_{ij}$; $s_{ij}(B1^{\bar h}_h \wedge B2^{\bar h}_h) = true$ iff $s_{ij}(B1^{\bar h}_h) = true$ and $s_{ij}(B2^{\bar h}_h) = true$; $s_{ij}(\neg B1^{\bar h}_h) = true$ iff $s_{ij}(B1^{\bar h}_h) = false$.]

This characterization of transitions in the $I$-program as compositions of transitions in all the relevant pair-programs is formalized in the transition mapping lemma:

Lemma 1 (Transition mapping [AE98]) For all $I$-states $s, t \in S_I$ and $i \in dom(I)$, $s \xrightarrow{i} t \in R_I$ iff: $\forall j \in I(i) : (s \upharpoonright ij \xrightarrow{i} t \upharpoonright ij \in R_{ij})$ and $\forall j \in \{i_1, \ldots, i_K\} - \hat{I}(i) : (s \upharpoonright j = t \upharpoonright j)$ and $\forall j, k \in \{i_1, \ldots, i_K\} - \{i\}, j\,I\,k : (s \upharpoonright SH_{jk} = t \upharpoonright SH_{jk})$.

Proof. This was established in [AE98] as Lemma 6.4.1. The proof there did not assume that the $M_{ij}$ are isomorphic.
Hence, it carries over to the setting of this paper. $\Box$

In similar manner, we establish:

Corollary 2 (Transition mapping [AE98]) Let $J \subseteq I$ and $i \in dom(J)$. If $s \xrightarrow{i} t \in R_I$, then $s \upharpoonright J \xrightarrow{i} t \upharpoonright J \in R_J$.

By applying the transition-mapping corollary to every transition along a path $\pi$ in $M_I$, we show that $\pi \upharpoonright J$ is a path in $M_J$. Again, the proof carries over from [AE98].

Lemma 3 (Path mapping [AE98]) Let $J \subseteq I$. If $\pi$ is a path in $M_I$, then $\pi \upharpoonright J$ is a path in $M_J$.

In particular, when $J = \{(i, j, spec_{ij})\}$, Lemma 3 forms the basis for our soundness proof, since it relates computations of the synthesized program to computations of the pair-programs. Since every reachable state lies at the end of some initialized path, we can use the path-mapping lemma (Lemma 3) to relate reachable states in $M_I$ to their projections in $M_J$:

Corollary 4 (State mapping [AE98]) Let $J \subseteq I$. If $t$ is a reachable state in $M_I$, then $t \upharpoonright J$ is a reachable state in $M_J$.

5 Soundness of the Method for Static Programs

5.1 Deadlock-freedom

As we showed in [AE98], it is possible for the synthesized program $P$ to be deadlock-prone even though all the pair-programs are deadlock-free. To ensure deadlock-freedom of $P$, we imposed a condition on the "blocking behavior" of processes: after a process executes a move, it must either have another move enabled, or it must not be blocking any other process. In general, any behavioral condition which prevents the occurrence of certain patterns of blocking ("supercycles") is sufficient. We formalize our notion of blocking behavior by the notion of wait-for-graph. The wait-for-graph in a particular $I$-state $s$ contains as nodes all the processes, and all the moves whose start state is a component of $s$. These moves have an outgoing edge to every process which blocks them.
Definition 5 (Wait-for-graph $W_I(s)$) Let $s$ be an arbitrary $I$-state. The wait-for-graph $W_I(s)$ of $s$ is a directed bipartite graph, where
1. the nodes of $W_I(s)$ are (a) the $I$-processes $\{P_i \mid i \in dom(I)\}$, and (b) the moves $\{a^I_i \mid i \in dom(I) \text{ and } a^I_i \in P_i \text{ and } s \upharpoonright i = a^I_i.start\}$,
2. there is an edge from $P_i$ to every node of the form $a^I_i$ in $W_I(s)$, and
3. there is an edge from $a^I_i$ to $P_j$ in $W_I(s)$ if and only if $i\,I\,j$ and $a^I_i \in W_I(s)$ and $s \upharpoonright ij (a^I_i.guard_j) = false$.

Here $a^I_i.guard_j$ is the conjunct of the guard of move $a^I_i$ which is evaluated over the (pairwise) shared state with $P_j$. We characterize a deadlock as the occurrence in the wait-for-graph of a graph-theoretic construct that we call a supercycle:

Definition 6 (Supercycle) $SC$ is a supercycle in $W_I(s)$ if and only if all of the following hold:
1. $SC$ is nonempty,
2. if $P_i \in SC$ then for all $a^I_i$ such that $a^I_i \in W_I(s)$, $P_i \to a^I_i \in SC$, and
3. if $a^I_i \in SC$ then there exists $P_j$ such that $a^I_i \to P_j \in W_I(s)$ and $a^I_i \to P_j \in SC$.

Note that this definition implies that $SC$ is a subgraph of $W_I(s)$. Our conditions will be stated over "small" programs, i.e., programs that result from composing a small number of processes together. To then infer that the large program $P$ has similar behavior, we use the following proposition.

Proposition 5 (Wait-for-graph projection) Let $J \subseteq I$ and $i\,J\,j$. Furthermore, let $s_I$ be an arbitrary $I$-state. Then
1. $P_i \to a^I_i \in W_I(s_I)$ iff $P_i \to a^J_i \in W_J(s_I \upharpoonright J)$, and
2. $a^I_i \to P_j \in W_I(s_I)$ iff $a^J_i \to P_j \in W_J(s_I \upharpoonright J)$.

Proof. By assumption, $i\,J\,j$ and $J \subseteq I$. Hence $i\,I\,j$. Proof of clause (1). By the wait-for-graph definition (5), $P_i \to a^I_i \in W_I(s_I)$ iff $s_I \upharpoonright i = a^I_i.start$. Since $i \in dom(J)$, we have $(s_I \upharpoonright J) \upharpoonright i = s_I \upharpoonright i$ by definition of $\upharpoonright J$.
Thus $s_I \upharpoonright i = a^I_i.start$ iff $(s_I \upharpoonright J) \upharpoonright i = a^J_i.start$ (since $a^I_i.start = a^J_i.start = s_i$). Finally, by the wait-for-graph definition (5) and $i\,J\,j$, $(s_I \upharpoonright J) \upharpoonright i = a^J_i.start$ iff $P_i \to a^J_i \in W_J(s_I \upharpoonright J)$. These three equivalences together yield clause (1) (using transitivity of equivalence). Proof of clause (2). By the wait-for-graph definition (5), $a^I_i \to P_j \in W_I(s_I)$ iff $s_I \upharpoonright ij \not\models a^I_i.guard_j$. Since $i\,J\,j$, we have $(s_I \upharpoonright J) \upharpoonright ij = s_I \upharpoonright ij$ by definition of $\upharpoonright J$. Also, $a^I_i.guard_j = a^J_i.guard_j = \bigvee_{\ell \in [1:n]} B^j_{i,\ell}$. Thus $s_I \upharpoonright ij \not\models a^I_i.guard_j$ iff $(s_I \upharpoonright J) \upharpoonright ij \not\models a^J_i.guard_j$. Finally, by the wait-for-graph definition (5) and $i\,J\,j$, $(s_I \upharpoonright J) \upharpoonright ij \not\models a^J_i.guard_j$ iff $a^J_i \to P_j \in W_J(s_I \upharpoonright J)$. These three equivalences together yield clause (2) (using transitivity of equivalence, and noting that $s \not\models B$ and $s(B) = false$ have identical meaning). $\Box$

5.1.1 The Wait-for-graph Condition

In [AE98], we give a criterion, the wait-for-graph assumption, which can be evaluated over the product of a small number of processes, thereby avoiding state-explosion. We show there that if the wait-for-graph assumption holds, then $W_I(s)$ cannot contain a supercycle for any reachable state $s$ of $M_I$. The wait-for-graph condition embodies the requirement that, after a process executes a move, it must either have another move enabled, or it must not be blocking any other process.

Definition 7 (Static wait-for-graph condition) Let $t_k$ be an arbitrary reachable local state of $P^\ell_k$ in $M_{k\ell}$ for all $\ell \in I(k)$, and let $n = |t_k.moves|$. Also let $J$ be an arbitrary interconnection relation such that $J \subseteq I$ and $J$ has the form $\{(j, k, spec_{jk}), (k, \ell_1, spec_{k\ell_1}), \ldots, (k, \ell_n, spec_{k\ell_n})\}$, where $k \notin \{j, \ell_1, \ldots, \ell_n\}$.
Then, for every reachable $J$-state $t_J$ in $M_J$ such that $t_J \upharpoonright k = t_k$ and $s_J \xrightarrow{k} t_J \in R_J$ for some reachable $J$-state $s_J$, we have $\forall a^J_j : (a^J_j \to P_k \notin W_J(t_J))$ or $\exists a^J_k \in W_J(t_J) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : a^J_k \to P_\ell \notin W_J(t_J))$.

Theorem 6 (Static supercycle-free wait-for-graph) If the wait-for-graph condition holds, and $W_I(s^0_I)$ is supercycle-free for every initial state $s^0_I \in S^0_I$, then for every reachable state $t$ of $M_I$, $W_I(t)$ is supercycle-free.

Proof. Let $t$ be an arbitrary reachable state of $M_I$, and let $s$ be an arbitrary reachable state of $M_I$ such that $s \xrightarrow{k} t$ for some $k \in dom(I)$. We shall establish that

if $W_I(t)$ is supercyclic, then $W_I(s)$ is supercyclic. (P1)

The contrapositive of P1 together with the assumption that $W_I(s^0_I)$ is supercycle-free for all $s^0_I \in S^0_I$ is sufficient to establish the conclusion of the theorem (by induction on the length of a path from some $s^0_I \in S^0_I$ to $t$). We say that an edge is $k$-incident iff at least one of its vertices is $P_k$ or $a^I_k$. The following (P2) will be useful in proving P1:

if edge $e$ is not $k$-incident, then $e \in W_I(t)$ iff $e \in W_I(s)$. (P2)

Proof of P2. If $e$ is not $k$-incident, then, by the wait-for-graph definition (5), either $e = P_h \to a^I_h$, or $e = a^I_h \to P_\ell$, for some $h, \ell$ such that $h \neq k$, $\ell \neq k$. From $h \neq k$, $\ell \neq k$ and $s \xrightarrow{k} t \in R_I$, we have $s \upharpoonright h = t \upharpoonright h$ and $s \upharpoonright h\ell = t \upharpoonright h\ell$ by the wait-for-graph definition (5). Since $e \in W_I(t)$, $e \in W_I(s)$ are determined solely by $t \upharpoonright h\ell$, $s \upharpoonright h\ell$ respectively (see the wait-for-graph definition (5)), P2 follows. (End proof of P2.)

Let $v$ be a vertex in a supercycle $SC$. We define $depth_{SC}(v)$ to be the length of the longest backward path in $SC$ which starts in $v$.
If there exists an infinite backward path (i.e., one that traverses a cycle) in $SC$ starting in $v$, then $depth_{SC}(v) = \omega$ ($\omega$ for "infinity"). We now establish that

every supercycle $SC$ contains at least one cycle. (P3)

Proof of P3. Suppose P3 does not hold, and $SC$ is a supercycle containing no cycles. Therefore, all backward paths in $SC$ are finite, and so by definition of $depth_{SC}$ all vertices of $SC$ have finite depth. Thus, there is at least one vertex $v$ in $SC$ with maximal depth. But, by definition of $depth_{SC}$, $v$ has no successors in $SC$, which, by the supercycle definition (6), contradicts the assumption that $SC$ is a supercycle. (End proof of P3.)

Our final prerequisite for the proof of P1 is

if $SC$ is a supercycle in $W_I(s)$, then the graph $SC'$ obtained from $SC$ by removing all vertices of finite depth from $SC$ (along with incident edges) is also a supercycle in $W_I(s)$. (P4)

Proof of P4. By P3, $SC' \neq \emptyset$. Thus $SC'$ satisfies clause (1) of the supercycle definition (6). Let $v$ be an arbitrary vertex of $SC'$. Thus $v \in SC$ and $depth_{SC}(v) = \omega$ by definition of $SC'$. Let $w$ be an arbitrary successor of $v$ in $SC$. $depth_{SC}(w) = \omega$ by definition of $depth$. Hence $w \in SC'$. Furthermore, $w$ is a successor of $v$ in $SC'$, by definition of $SC'$. Thus every vertex $v$ of $SC'$ is also a vertex of $SC$, and the successors of $v$ in $SC'$ are the same as the successors of $v$ in $SC$. Now since $SC$ is a supercycle, every vertex $v$ in $SC$ has enough successors in $SC$ to satisfy clauses (2) and (3) of the supercycle definition (6). It follows that every vertex $v$ in $SC'$ has enough successors in $SC'$ to satisfy clauses (2) and (3) of the supercycle definition (6). (End proof of P4.)

We now present the proof of (P1). We assume the antecedent of P1 and establish the consequent. Let $SC$ be some supercycle in $W_I(t)$.
Let $SC'$ be the graph obtained from $SC$ by removing all vertices of finite depth from $SC$ (along with incident edges). We now show that $P^I_k \notin SC'$ and that $SC'$ contains no move vertex of the form $a^I_k$. There are two cases.

Case 1: $P_k \notin SC$. Then obviously $P_k \notin SC'$. Now suppose some node of the form $a^I_k$ is in $SC'$. By definition of $SC'$, we have $a^I_k \in SC$ and $depth_{SC}(a^I_k) = \omega$. Hence, by definition of $depth$, there exists an infinite backward path in $SC$ starting in $a^I_k$. Thus $a^I_k$ must have a predecessor in $SC$. By the supercycle definition (6), $P_k$ is the only possible predecessor of $a^I_k$ in $SC$, and hence $P_k \in SC$, contrary to the case assumption. We therefore conclude that $SC'$ contains no vertices of the form $a^I_k$. (End of case 1.)

Case 2: $P_k \in SC$. By the supercycle definition (6),

$\forall a^I_k \in W_I(t) : (\exists \ell : (a^I_k \to P_\ell \in W_I(t)))$. (a)

Since there are exactly $n$ moves $a^I_k$ of process $P^I_k$ in $W_I(t)$ ($n = |t_k.moves|$), we can select $\ell_1, \ldots, \ell_n$ (where $\ell_1, \ldots, \ell_n$ are not necessarily pairwise distinct) such that

$\forall a^I_k \in W_I(t) : (\exists \ell \in \{\ell_1, \ldots, \ell_n\} : (a^I_k \to P_\ell \in W_I(t)))$. (b)

Now let $J = \{\{j, k\}, \{k, \ell_1\}, \ldots, \{k, \ell_n\}\}$ where $j$ is an arbitrary element of $I(k)$. Applying the wait-for-graph projection proposition (5) to (b) gives us

$\forall a^J_k \in W_J(t \upharpoonright J) : (\exists \ell \in \{\ell_1, \ldots, \ell_n\} : (a^J_k \to P_\ell \in W_J(t \upharpoonright J)))$. (c)

Now $s \xrightarrow{k} t \in R_I$ by assumption. Hence $s \upharpoonright J \xrightarrow{k} t \upharpoonright J \in R_J$ by the transition-mapping corollary (2). Also, by the state-mapping corollary (4), $s \upharpoonright J$ is reachable in $M_J$, since $s$ is reachable in $M_I$. Thus we can apply the wait-for-graph assumption to $t \upharpoonright J$ to get

$\forall a^J_j : (a^J_j \to P_k \notin W_J(t \upharpoonright J))$ or $\exists a^J_k \in W_J(t \upharpoonright J) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : (a^J_k \to P_\ell \notin W_J(t \upharpoonright J)))$. (d)

Now (c) contradicts the second disjunct of (d). Hence $\forall a^J_j : (a^J_j \to P_k \notin W_J(t \upharpoonright J))$, and applying the wait-for-graph projection proposition (5) to this gives us $\forall a^I_j : (a^I_j \to P_k \notin W_I(t))$. Since $j$ is an arbitrary element of $I(k)$, we conclude that $P_k$ has no incoming edges in $W_I(t)$. Thus, by definition of $depth$, $depth_{SC}(P_k) = 0$, and so $P_k \notin SC'$. Now suppose some node of the form $a^I_k$ is in $SC'$. By definition of $SC'$, we have $a^I_k \in SC$ and $depth_{SC}(a^I_k) = \omega$. Hence, by definition of $depth$, there exists an infinite backward path in $SC$ starting in $a^I_k$. Thus $a^I_k$ must have a predecessor in $SC$. By the supercycle definition (6), $P_k$ is the only possible predecessor of $a^I_k$ in $SC$, and hence there exists an infinite backward path in $SC$ starting in $P^I_k$. Thus $depth_{SC}(P^I_k) = \omega$ by definition of $depth$. But we have established $depth_{SC}(P_k) = 0$, so we conclude that $SC'$ contains no vertices of the form $a^I_k$. (End of case 2.)

In both cases, $P^I_k \notin SC'$, and $SC'$ contains no move vertex of the form $a^I_k$. Thus every edge of $SC'$ is not $k$-incident. Hence, by P2, every edge of $SC'$ is an edge of $W_I(s)$ (since $SC' \subseteq W_I(t)$). By P4, $SC'$ is a supercycle, so $W_I(s)$ is supercyclic. Thus P1 is established, which establishes the theorem. $\Box$

5.1.2 Establishing Deadlock-freedom

We show that the absence of supercycles in the wait-for-graph of a state implies that there is at least one enabled move in that state.

Proposition 7 (Supercycle [AE98]) If $W_I(s)$ is supercycle-free, then some move $a^I_i$ has no outgoing edges in $W_I(s)$.

Proof. We establish the contrapositive. Since every local state of a process has at least one outgoing arc (Section 2), there exists at least one move of the form $a^I_i$ for every $i \in dom(I)$ in $W_I(s)$.
Suppose that every such move has at least one outgoing edge in $W_I(s)$. Consider the subgraph $SC$ of $W_I(s)$ consisting of these edges together with all edges of the form $P_i \to a^I_i$ in $W_I(s)$. By the wait-for-graph definition (5) and the supercycle definition (6), it is clear that $SC$ is a supercycle in $W_I(s)$. Thus $W_I(s)$ is not supercycle-free. $\Box$

Proposition 8 (Move enablement) Let $s$ be an arbitrary $I$-state such that $s \upharpoonright i = a^I_i.start$. If $a^I_i$ has no outgoing edges in $W_I(s)$, then $a^I_i$ can be executed in state $s$.

Proof. If $a^I_i$ has no outgoing edges in $W_I(s)$, then by the wait-for-graph definition (5), $s \upharpoonright ij (a^I_i.guard_j) = true$ for all $j \in I(i)$. Hence, by the $I$-structure definition (4), $a^I_i$ can be executed in state $s$. $\Box$

Theorem 9 (Deadlock freedom [AE98]) If, for every reachable state $s$ of $M_I$, $W_I(s)$ is supercycle-free, then $M_I, S^0_I \models AG\,EX\,true$.

Proof. Let $s$ be an arbitrary reachable state of $M_I$. By the antecedent, $W_I(s)$ is supercycle-free. Hence, by the supercycle proposition (7), some move $a^I_i$ has no outgoing edges in $W_I(s)$. By Proposition 8, $a^I_i$ can be executed in state $s$. Since $s$ is an arbitrary reachable state of $M_I$, we conclude that every reachable state of $M_I$ has at least one enabled move $a^I_i$ (where, in general, $a^I_i$ depends on $s$). Hence $M_I, S^0_I \models AG\,EX\,true$. $\Box$

5.2 Liveness

To assure liveness properties of the synthesized programs, we need to assume a form of weak fairness. Let $CL(f)$ be the set of all subformulae of $f$, including $f$ itself. Let $ex_i$ be an assertion that is true along a transition in a structure iff that transition results from executing process $i$. We give our fairness criterion as a formula of the linear time temporal logic PTL [MW84].
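Before turning to liveness, here is an added worked illustration of the deadlock-freedom machinery of Section 5.1 (example code, not the paper's or [AE98]'s). The program builds the wait-for-graph $W_I(s)$ of Definition 5 for constructed $I$-states of a three-process mutual-exclusion program, computes the largest supercycle of Definition 6 as a greatest fixpoint, and lists the moves with no outgoing edges, which Propositions 7 and 8 show to be enabled. The mutex guards (local states N, T, C; the $T \to C$ guard $N_j \vee (T_j \wedge x_{ij} = i)$ per neighbour) and the two sample states are assumptions; the state `CYCLIC`, with all three processes trying and cyclically ordered priorities, is chosen only to exhibit a supercycle, and is the kind of state that Theorem 6 shows cannot be reached when the wait-for-graph condition holds.

```python
# Interconnection relation of the example (a triangle) and the common move graph.
TRIANGLE = [(1, 2), (1, 3), (2, 3)]
MOVES = [("N", "T"), ("T", "C"), ("C", "N")]


def guard_j(start, finish, i):
    """a.guard_j: the conjunct of the guard of move (start -> finish) of P_i that is
    evaluated over the projected ij-state (s_i, s_j, x_ij).  Constructed mutex guards
    (an assumption): only T -> C waits, for the neighbour to be idle or to have
    ceded priority to i."""
    if (start, finish) == ("T", "C"):
        return lambda si, sj, x: sj == "N" or (sj == "T" and x == i)
    return lambda si, sj, x: True


def wait_for_graph(inter, locals_, shared):
    """W_I(s) of Definition 5 as a set of directed edges.  Nodes are ("proc", i) and
    ("move", i, start, finish) for the moves whose start state is s|i; P_i -> a_i for
    each such move, and a_i -> P_j iff i I j and a_i.guard_j is false on s|ij."""
    edges = set()
    for i in sorted({p for pr in inter for p in pr}):
        for start, finish in MOVES:
            if locals_[i] != start:
                continue
            a = ("move", i, start, finish)
            edges.add((("proc", i), a))
            for p, q in inter:
                if i in (p, q):
                    j = q if p == i else p
                    if not guard_j(start, finish, i)(locals_[i], locals_[j], shared[(p, q)]):
                        edges.add((a, ("proc", j)))
    return edges


def supercycle(edges):
    """Largest supercycle of W (Definition 6) as a greatest fixpoint: start from all
    vertices, then drop any P_i that has a move outside the set (clause 2) and any
    move with no successor process inside the set (clause 3) until nothing changes.
    The result is empty iff W is supercycle-free, because a union of supercycles is
    again a supercycle, so the largest one contains every other."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, set()).add(v)
        succ.setdefault(v, set())
    sc = set(succ)
    changed = True
    while changed:
        changed = False
        for v in list(sc):
            keep = succ[v] <= sc if v[0] == "proc" else bool(succ[v] & sc)
            if not keep:
                sc.discard(v)
                changed = True
    return sc


def unblocked_moves(edges):
    """Moves with no outgoing edge in W_I(s).  Proposition 7 guarantees at least one
    when W_I(s) is supercycle-free, and Proposition 8 says such a move is enabled."""
    moves = {v for _, v in edges if v[0] == "move"}
    blocked = {u for u, _ in edges if u[0] == "move"}
    return moves - blocked


# Constructed sample I-states: locals per process and x_ij per pair.  CYCLIC has all
# three processes trying with cyclically ordered priorities (unreachable in the
# synthesized program, shown only to exhibit a supercycle); LIVE is an ordinary state.
CYCLIC = ({1: "T", 2: "T", 3: "T"}, {(1, 2): 2, (1, 3): 1, (2, 3): 3})
LIVE = ({1: "T", 2: "T", 3: "N"}, {(1, 2): 1, (1, 3): 3, (2, 3): 2})


if __name__ == "__main__":
    for name, (loc, sh) in (("CYCLIC", CYCLIC), ("LIVE", LIVE)):
        w = wait_for_graph(TRIANGLE, loc, sh)
        print(name, "supercycle:", sorted(supercycle(w)), "enabled:", sorted(unblocked_moves(w)))
```

In `CYCLIC` the graph is the ring $P_1 \to a_1 \to P_2 \to a_2 \to P_3 \to a_3 \to P_1$, which satisfies all three clauses of Definition 6, and no move is enabled; in `LIVE` only $P_2$'s move waits (on $P_1$), the fixpoint empties out, and the two unblocked moves are exactly the ones Definition 4 allows to fire.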
Definition 8 (Sometimes-blocking, $blk^j_i$, $blk_i$) An $i$-state $s_i$ is sometimes-blocking in $M_{ij}$ if and only if: $\exists s^0_{ij} \in S^0_{ij} : (M_{ij}, s^0_{ij} \models EF(\{|s_i|\} \wedge (\exists a^i_j \in P^i_j : (\{|a^i_j.start|\} \wedge \neg a^i_j.guard))))$. Also, $blk^j_i \stackrel{df}{=} (\bigvee \{|s_i|\} : s_i \text{ is sometimes-blocking in } M_{ij})$, and $blk_i \stackrel{df}{=} \bigvee_{j \in I(i)} blk^j_i$.

Note that $a^i_j.start$ is the start state of the two-process move $a^i_j$, and $a^i_j.guard$ is its guard.

Definition 9 (Weak blocking fairness $\Phi_b$) $\Phi_b \stackrel{df}{=} \bigwedge_{i \in dom(I)} \overset{\infty}{G}(blk_i \wedge en_i) \Rightarrow \overset{\infty}{F} ex_i$.

Definition 10 (Pending eventuality, $pnd_{ij}$) An $ij$-state $s_{ij}$ has a pending eventuality if and only if: $\exists f_{ij} \in CL(spec_{ij}) : (M_{ij}, s_{ij} \models \neg f_{ij} \wedge AF f_{ij})$. Also, $pnd_{ij} \stackrel{df}{=} (\bigvee \{|s_{ij}|\} : s_{ij} \text{ has a pending eventuality})$.

In other words, $s_{ij}$ has a pending eventuality if there is a subformula of the pair-specification $spec_{ij}$ which does not hold in $s_{ij}$, but is guaranteed to eventually hold along every fullpath of $M_{ij}$ that starts in $s_{ij}$.

Definition 11 (Weak eventuality fairness, $\Phi_\ell$) $\Phi_\ell \stackrel{df}{=} \bigwedge_{(i,j) \in I} (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij} \Rightarrow \overset{\infty}{F}(ex_i \vee ex_j)$.

Our overall fairness notion $\Phi$ is then the conjunction of weak blocking and weak eventuality fairness: $\Phi \stackrel{df}{=} \Phi_b \wedge \Phi_\ell$.

Definition 12 (Liveness condition for static programs) For every reachable state $s_{ij}$ in $M_{ij}$, $M_{ij}, s_{ij} \models A(G\,ex_i \Rightarrow \overset{\infty}{G} aen_j)$, where $aen_j \stackrel{df}{=} \forall a^i_j \in P^i_j : (\{|a^i_j.start|\} \Rightarrow a^i_j.guard)$.

$aen_j$ means that every move of $P^i_j$ whose start state is a component of the current global state is also enabled in the current global state. The liveness condition requires, in every pair-program $(S^0_{ij}, P^j_i \parallel P^i_j)$, that if $P^j_i$ can execute continuously along some path, then there exists a suffix of that path along which $P^j_i$ does not block any move of $P^i_j$.
Lemma 10 (Progress for static programs) If
1. the liveness condition holds, and
2. for every reachable $I$-state $u$, $W_I(u)$ is supercycle-free, and
3. $M_{ij}, s \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$,
then $M_I, s \models_\Phi AF(ex_i \vee ex_j)$.

Proof. By assumption 2 and Theorem 9, $M_I, S^0_I \models AGEX\,true$. Hence every fullpath in $M_I$ is infinite. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. If $M_I, \pi \models F(ex_i \vee ex_j)$, then we are done. Hence we assume $\pi \models G(\neg ex_i \wedge \neg ex_j)$ (*) in the remainder of the proof. Now define $\psi_{inf} \stackrel{df}{=} \{k \mid \pi \models \overset{\infty}{F} ex_k\}$ and $\psi_{fin} \stackrel{df}{=} \{k \mid \pi \models \overset{\infty}{G} \neg ex_k\}$. Let $\rho$ be a suffix of $\pi$ such that no process in $\psi_{fin}$ executes along $\rho$, and let $t$ be the first state of $\rho$. Note that, by (*), $i \in \psi_{fin}$, $j \in \psi_{fin}$. Let $W$ be the portion of $W_I(t)$ induced by starting in $P_i, P_j$ and following wait-for edges that enter processes in $\psi_{fin}$ or their moves. By assumption 2, $W$ is supercycle-free. Hence, there exists a process $P_k$ in $W$ such that $P_k$ has some move $a^I_k$ with no wait-for edges to any process in $W$, by Proposition 7. Hence, in state $t \restriction k\ell$, $a^\ell_k$ is enabled in all pair-machines $M_{k\ell}$ such that $\ell \in \psi_{fin}$, i.e., $t \restriction k\ell \models \{|a^\ell_k.start|\} \wedge en(a^\ell_k)$. Also, $k \in \psi_{fin}$, by definition of $W$. Since $t$ is the first state of $\rho$ and no process in $\psi_{fin}$ executes along $\rho$, we have from the above that $\bigwedge_{\ell \in \psi_{fin} \cap I(k)} \rho \restriction k\ell \models G\,en(a^\ell_k)$. Now consider a pair-machine $M_{k\ell}$ such that $\ell \in \psi_{inf}$ (if any). Hence $\rho \models \overset{\infty}{F} ex_\ell \wedge G \neg ex_k$, since $k \in \psi_{fin}$. Hence $\rho \restriction k\ell \models G\,ex_\ell \wedge G \neg ex_k$. By Lemma 3, $\rho \restriction k\ell$ is a path in $M_{k\ell}$. Since $\rho$ is an infinite path and $\rho \models \overset{\infty}{F} ex_\ell$, $\rho \restriction k\ell$ is an infinite path. Hence $\rho \restriction k\ell$ is a fullpath in $M_{k\ell}$. By the liveness condition for static programs (Definition 12), $\rho \restriction k\ell \models \overset{\infty}{G} aen_k$. Now $t \restriction k\ell \models \{|a^\ell_k.start|\}$.
Since $\rho \restriction k\ell \models G \neg ex_k$, $P_k$'s local state does not change along $\rho \restriction k\ell$. Hence $\rho \restriction k\ell \models G\{|a^\ell_k.start|\}$. Hence, by definition of $aen_k$, $\rho \restriction k\ell \models \overset{\infty}{G} en(a^\ell_k)$. Since $\ell$ is an arbitrary element of $\psi_{inf} \cap I(k)$, we have $\bigwedge_{\ell \in \psi_{inf} \cap I(k)} \rho \restriction k\ell \models \overset{\infty}{G} en(a^\ell_k)$. Since $(\psi_{inf} \cap I(k)) \cup (\psi_{fin} \cap I(k)) = I(k)$, we conclude $\bigwedge_{\ell \in I(k)} \rho \restriction k\ell \models \overset{\infty}{G} en(a^\ell_k)$. By Definitions 1 and 2, we have $\rho \models \overset{\infty}{G} en(a^I_k)$. Hence, we conclude $\rho \models \overset{\infty}{G} en_k$. (a)

Assume $k \notin \{i, j\}$. Then, by definition of $W$, in state $t$ $P_k$ blocks some move $a^k_\ell$ of some process $P_\ell$, i.e., $t \models \{|a^k_\ell.start|\} \wedge \neg a^k_\ell.guard$. By Definition 8, $t \restriction k$ is sometimes-blocking in $M_{k\ell}$ (since $t$ is reachable, so is $t \restriction k$, by [AE98, Corollary 6.4.5]). Hence $t \restriction k \models blk^\ell_k$, and so $t \models blk^\ell_k$. Now $\rho \models G \neg ex_k$. Since $t$ is the first state of $\rho$, this means that $t \restriction k = u \restriction k$ for any state $u$ of $\rho$, i.e., the local state of $P_k$ does not change along $\rho$. Thus, $\rho \models G\,blk^\ell_k$, since $t \models blk^\ell_k$. Thus $\rho \models G\,blk_k$, by definition of $blk_k$. From this and (a), we have $\rho \models \overset{\infty}{G}(blk_k \wedge en_k)$. Hence, by weak blocking fairness (Definition 9), $\rho \models \overset{\infty}{F} ex_k$, which contradicts $\rho \models G \neg ex_k$. Hence the assumption $k \notin \{i, j\}$ does not hold, and so $k \in \{i, j\}$.

Since $\pi \models G(\neg ex_i \wedge \neg ex_j)$ by assumption (*), and $s = first(\pi)$, we have $u \restriction ij = s \restriction ij$ for every state $u$ along $\pi$. Now $M_{ij}, s \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$ by assumption 3. Hence $M_{ij}, u \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ for all $u$ along $\pi$. Hence $M_{ij}, u \restriction ij \models pnd_{ij}$ for all $u$ along $\pi$ by Definition 10. Hence, $M_I, u \models pnd_{ij}$ for all $u$ along $\pi$, since $pnd_{ij}$ is purely propositional, and so $M_I, \pi \models G\,pnd_{ij}$. Since $\rho$ is a suffix of $\pi$ and $k \in \{i, j\}$, we conclude from (a) that $\pi \models \overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j$.
Hence $M_I, \pi \models (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij}$. By weak eventuality fairness (Definition 11), $\pi \models \overset{\infty}{F}(ex_i \vee ex_j)$. This contradicts the assumption (*), which is therefore false. Hence $\pi \models F(ex_i \vee ex_j)$. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, the lemma follows. ✷

5.3 The Large Model Theorem for Static Programs

Theorem 11 (Large model) Let $(i, j, spec_{ij}) \in I$, where $spec_{ij} \in ACTL^-_{ij}$, and let $s$ be an arbitrary reachable $I$-state. If
1. the liveness condition for static programs holds,
2. $W_I(u)$ is supercycle-free for every reachable $I$-state $u$, and
3. $M_{ij}, s \restriction ij \models f_{ij}$ for some $f_{ij} \in CL(spec_{ij})$,
then $M_I, s \models_\Phi f_{ij}$.

Proof. The proof is by induction on the structure of $f_{ij}$. Throughout, let $s_{ij} = s \restriction ij$.

$f_{ij} = p_i$, or $f_{ij} = \neg p_i$, where $p_i \in AP_i$, i.e., $p_i$ is an atomic proposition. By definition of $\restriction ij$, $s$ and $s \restriction ij$ agree on all atomic propositions in $AP_i \cup AP_j$. The result follows.

$f_{ij} = g_{ij} \wedge h_{ij}$. The antecedent is $M_{ij}, s_{ij} \models g_{ij} \wedge h_{ij}$. So, by CTL* semantics, $M_{ij}, s_{ij} \models g_{ij}$ and $M_{ij}, s_{ij} \models h_{ij}$. Since $f_{ij} \in CL(spec_{ij})$, we have $g_{ij} \in CL(spec_{ij})$ and $h_{ij} \in CL(spec_{ij})$. Hence, applying the induction hypothesis, we get $M_I, s \models_\Phi g_{ij}$ and $M_I, s \models_\Phi h_{ij}$. So by CTL* semantics we get $M_I, s \models_\Phi (g_{ij} \wedge h_{ij})$.

$f_{ij} = g_{ij} \vee h_{ij}$. The antecedent is $M_{ij}, s_{ij} \models g_{ij} \vee h_{ij}$. So, by CTL* semantics, $M_{ij}, s_{ij} \models g_{ij}$ or $M_{ij}, s_{ij} \models h_{ij}$. Since $f_{ij} \in CL(spec_{ij})$, we have $g_{ij} \in CL(spec_{ij})$ and $h_{ij} \in CL(spec_{ij})$. Hence, applying the induction hypothesis, we get $M_I, s \models_\Phi g_{ij}$ or $M_I, s \models_\Phi h_{ij}$. So by CTL* semantics we get $M_I, s \models_\Phi (g_{ij} \vee h_{ij})$.

$f_{ij} = A[g_{ij} U_w h_{ij}]$. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. We establish $\pi \models [g_{ij} U_w h_{ij}]$. By Definition 1, $\pi \restriction ij$ starts in $s \restriction ij = s_{ij}$.
Hence, by CTL semantics, $\pi \restriction ij \models [g_{ij} U_w h_{ij}]$ (note that this holds even if $\pi \restriction ij$ is not a fullpath, i.e., is a finite path). We have two cases.

Case 1: $\pi \restriction ij \models G\,g_{ij}$. Let $t$ be an arbitrary state along $\pi$. By Definition 1, $t \restriction ij$ lies along $\pi \restriction ij$. Hence $t \restriction ij \models g_{ij}$. By the induction hypothesis, $t \models g_{ij}$. Hence $\pi \models G\,g_{ij}$, since $t$ was arbitrarily chosen. Hence $\pi \models [g_{ij} U_w h_{ij}]$ by CTL* semantics.

Case 2: $\pi \restriction ij \models [g_{ij} U h_{ij}]$. Let $s^{m'}_{ij}$ be the first state along $\pi \restriction ij$ that satisfies $h_{ij}$ [7]. By Definition 1, there exists at least one state $t$ along $\pi$ such that $t \restriction ij = s^{m'}_{ij}$. Let $s_{n'}$ be the first such state. By the induction hypothesis, $s_{n'} \models h_{ij}$. Let $s_n$ be any state along $\pi$ up to but not including $s_{n'}$ (i.e., $0 \le n < n'$). Then, by Definition 1, $s_n \restriction ij$ lies along the portion of $\pi \restriction ij$ up to, and possibly including, $s^{m'}_{ij}$. That is, $s_n \restriction ij = s^m_{ij}$, where $0 \le m \le m'$. Now suppose $s_n \restriction ij = s^{m'}_{ij}$ (i.e., $m = m'$). Then, by $s^{m'}_{ij} \models h_{ij}$ and the induction hypothesis, $s_n \models h_{ij}$, contradicting the fact that $s_{n'}$ is the first state along $\pi$ that satisfies $h_{ij}$. Hence, $m \ne m'$, and so $0 \le m < m'$. Since $s^{m'}_{ij}$ is the first state along $\pi \restriction ij$ that satisfies $h_{ij}$, and $\pi \restriction ij \models [g_{ij} U h_{ij}]$, we have $s^m_{ij} \models g_{ij}$ by CTL* semantics. From $s_n \restriction ij = s^m_{ij}$ and the induction hypothesis, we get $s_n \models g_{ij}$. Since $s_n$ is any state along $\pi$ up to but not including $s_{n'}$, and $s_{n'} \models h_{ij}$, we have $\pi \models [g_{ij} U h_{ij}]$ by CTL* semantics. Hence $\pi \models [g_{ij} U_w h_{ij}]$ by CTL* semantics.

In both cases, we showed $\pi \models [g_{ij} U_w h_{ij}]$. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, we conclude $M_I, s \models_\Phi A[g_{ij} U_w h_{ij}]$.

$f_{ij} = A[g_{ij} U h_{ij}]$. Since $f_{ij} \in CL(spec_{ij})$, we have $g_{ij} \in CL(spec_{ij})$ and $h_{ij} \in CL(spec_{ij})$. Suppose $s_{ij} \models h_{ij}$.
Hence $s \models h_{ij}$ by the induction hypothesis, and so $s \models A[g_{ij} U h_{ij}]$ and we are done. Hence we assume $s_{ij} \models \neg h_{ij}$ in the remainder of the proof. Since $s_{ij} \models A[g_{ij} U h_{ij}]$ by assumption, we have $s_{ij} \models \neg h_{ij} \wedge AF h_{ij}$. Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. By Theorem 9, $\pi$ is an infinite path. We now establish $\pi \models_\Phi F h_{ij}$.

Proof of $\pi \models_\Phi F h_{ij}$. Assume $\pi \models_\Phi \neg F h_{ij}$, i.e., $\pi \models_\Phi G \neg h_{ij}$. Let $t$ be an arbitrary state along $\pi$. Let $\rho$ be the segment of $\pi$ from $s$ to $t$. By Definition 1, $\rho \restriction ij$ is a path from $s_{ij}$ to $t \restriction ij$. By Lemma 3, $\rho \restriction ij$ is a path in $M_{ij}$. Suppose $\rho \restriction ij$ contains a state $u_{ij}$ such that $u_{ij} \models h_{ij}$. By Definition 1, there exists a state $u$ along $\rho$ such that $u \restriction ij = u_{ij}$. By the induction hypothesis, we have $u \models_\Phi h_{ij}$, contradicting the assumption $\pi \models_\Phi G \neg h_{ij}$. Hence $\rho \restriction ij$ contains no state that satisfies $h_{ij}$. Since $s_{ij} \models AF h_{ij}$ and $\rho \restriction ij$ is a path from $s_{ij}$ to $t \restriction ij$ (inclusive) which contains no state satisfying $h_{ij}$, we must have $t \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ by CTL semantics. Let $\pi'$ be the suffix of $\pi$ starting in $t$. Since $t \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ and $h_{ij} \in CL(spec_{ij})$, we can apply the Progress Lemma to conclude $M_I, t \models_\Phi AF(ex_i \vee ex_j)$. Since $t$ is an arbitrary state along $\pi$, we conclude $M_I, \pi \models \overset{\infty}{F}(ex_i \vee ex_j)$. Hence, by Definition 1, $\pi \restriction ij$ is a fullpath. By Lemma 3, $\pi \restriction ij$ is a fullpath in $M_{ij}$. Since $\pi \restriction ij$ starts in $s_{ij} = s \restriction ij$, and $s_{ij} \models AF h_{ij}$, $\pi \restriction ij$ must contain a state $v_{ij}$ such that $v_{ij} \models h_{ij}$. By Definition 1, $\pi$ contains a state $v$ such that $v \restriction ij = v_{ij}$. By the induction hypothesis and $v_{ij} \models h_{ij}$, we have $v \models_\Phi h_{ij}$. Hence $\pi \models_\Phi F h_{ij}$, contrary to assumption, and we are done. (End of proof of $\pi \models_\Phi F h_{ij}$.)

[7] We use $s^n_{ij}$ to denote the $n$th state along $\pi \restriction ij$, i.e., $\pi \restriction ij = s^0_{ij}, s^1_{ij}, \ldots$, and we let $s_{ij} = s^0_{ij}$.
By assumption, $s_{ij} \models A[g_{ij} U h_{ij}]$. Hence $s_{ij} \models A[g_{ij} U_w h_{ij}]$. From the above proof case for $A[g_{ij} U_w h_{ij}]$, we have $s \models_\Phi A[g_{ij} U_w h_{ij}]$. Hence $\pi \models_\Phi [g_{ij} U_w h_{ij}]$, since $\pi$ is a $\Phi$-fair fullpath starting in $s$. From this and $\pi \models_\Phi F h_{ij}$, we have $\pi \models_\Phi [g_{ij} U h_{ij}]$ by CTL* semantics. Since $\pi$ is an arbitrary $\Phi$-fair fullpath starting in $s$, we have $s \models_\Phi A[g_{ij} U h_{ij}]$. ✷

Corollary 12 (Large model) If the liveness condition for static programs holds, and $W_I(u)$ is supercycle-free for every reachable $I$-state $u$, then $(\forall (i,j) \in I : M_{ij}, S^0_{ij} \models spec_{ij})$ implies $M_I, S^0 \models_\Phi \bigwedge_{(i,j) \in I} spec_{ij}$.

Unlike [AE98], $spec_{ij}$ and $spec_{k\ell}$, where $\{k, \ell\} \ne \{i, j\}$, can be completely different formulae, whereas in [AE98] these formulae had to be "similar," i.e., one was obtained from the other by substituting process indices.

6 Example: A Two Phase Commit Protocol

We illustrate our method by synthesizing a ring-based (non fault tolerant) two-phase commit protocol $P_I = P_0 \| P_1 \| \cdots \| P_{n-1}$, where $I$ specifies a ring. $P_0$ is the coordinator, and $P_i$, $1 \le i < n$, are the participants: each participant represents a transaction. The protocol proceeds in two cycles around the ring. The coordinator initiates the first cycle, in which each participant decides to either submit its transaction or unilaterally abort. $P_i$ can submit only after it observes that $P_{i-1}$ has submitted. After the first cycle, the coordinator observes the state of $P_{n-1}$. If $P_{n-1}$ has submitted its transaction, that means that all participants have submitted their transactions, and so the coordinator decides commit. If $P_{n-1}$ has aborted, that means that some participant $P_i$ unilaterally aborted, thereby causing all participants $P_j$, $i < j \le n-1$, to abort. In that case, the coordinator decides abort.
The second cycle then relays the coordinator's decision around the ring. The participant processes are all similar to each other, but the coordinator is not similar to the participants. Hence, there are three pair-programs to consider: $P^0_{n-1} \| P^{n-1}_0$, $P^1_0 \| P^0_1$, and $P^i_{i-1} \| P^{i-1}_i$. These are given in Figures 1, 2, and 3, respectively, where $term_i \stackrel{df}{=} cm_i \vee ab_i$, and an incoming arrow with no source indicates an initial local state. Figures 5, 6, and 7 give the respective global state transition diagrams (i.e., pair-structures). The synthesized two phase commit protocol $P_I$ is given in Figure 4. We establish the correctness of $P_I$ as follows:

1. $cm_0 \to sb_{n-1}$ LMT
2. $\bigwedge_{2 \le i}$

$A^j_{i,m} \langle (t \restriction ij) \restriction SH_{ij} \rangle$
2. for all $j$ in $procs(s) - \{i\}$: $s \restriction j = t \restriction j$, and
3. for all $\{j, k\}$ in $pairs(s)$, $i \notin \{j, k\}$: $s \restriction jk = t \restriction jk$.
4. $s.I = t.I$ and $s.A = t.A$

Thus, $P_i$ can execute a transition from global state $s$ to global state $t$ only if, for every $\{i, j\} \in pairs(s)$, $P^j_i$ can execute a transition from $s \restriction ij$ to $t \restriction ij$. Also, $P_i$ reads the local state of its neighbors, and reads/writes variables that are shared pairwise, i.e., between $P_i$ and exactly one neighbor. Thus $P$ enjoys a spatial locality property, which is useful when implementing $P$ in atomic read/write memory.

$\langle (s \restriction ij) \restriction SH_{ij} \rangle\ A\ \langle (t \restriction ij) \restriction SH_{ij} \rangle$ is Hoare triple notation [Hoa69] for total correctness, which in this case means that execution of $A$ always terminates [8], and, when the shared variables in $SH_{ij}$ have the values assigned by $s \restriction ij$, leaves these variables with the values assigned by $t \restriction ij$. $s \restriction ij(B^j_{i,m}) = true$ states that the value of guard $B^j_{i,m}$ in state $s_{ij}$ is true.
The semantics of the synthesized program $P$ is given by its global state transition diagram (GSTD), which is obtained by starting with the initial configurations and taking the closure under all the normal and create transitions.

Definition 17 (Global-state transition diagram of $P$) The semantics of $P$ is given by the structure $M_P = (S^0, S, R_n, R_c)$ where
1. $S^0$ is the set of initial configurations of $P$, and consists of all the configurations $s^0$ such that $s^0 = \langle\langle\langle I_0, \mathcal{A}, S \rangle\rangle\rangle$, $\mathcal{A} = \{(S^0_{ij}, P^j_i \| P^i_j) \mid \{i, j\} \in pairs(I_0)\}$, and $S(\{i, j\}) \in S^0_{ij}$, i.e., the pair-specifications in $I_0$ are initially active, and all pair-programs are in one of their start states.
2. $S$ is the set of all configurations such that (1) $S^0 \subseteq S$ and (2) if $s \in S$ and there is a normal or create transition from $s$ to $t$, then $t \in S$.
3. $R_n \subseteq S \times Pids \times S$ is a transition relation consisting of the normal transitions of $P$, as given by Definition 16.
4. $R_c \subseteq S \times create \times S$ is a transition relation consisting of the create transitions of $P$, as given by Definition 14.

It is clear that $R_c$ and $R_n$ are disjoint. The creation of a pair-program is modeled in the above definition as a single transition. At a lower level of abstraction, this creation is realized by a protocol which synchronizes the "activation" of $(S^0_{ij}, P^j_i \| P^i_j)$ with the current computation of $P_i$ and $P_j$, if they are already present. We give details in the full paper. Let $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij}, V_{ij})$ be the GSTD of $(S^0_{ij}, P^j_i \| P^i_j)$ as defined in Section 3. $M_{ij}$ gives the semantics of $(S^0_{ij}, P^j_i \| P^i_j)$ executing in isolation.

[8] Termination is obvious, since the right-hand side of $A$ is a list of constants.
7.5 The Creation Protocol

When a new pair-program $(S^0_{ij}, P^j_i \| P^i_j)$ is to be added, it must be synchronized with $P_i$ and $P_j$, if these are already present, so that the (pair-consistency) requirement is not violated.

$Create((S^0_{ij}, P^j_i \| P^i_j))$
1. if $P_i$ is alive, then send $P_i$ a request to halt execution;
2. if $P_j$ is alive, then send $P_j$ a request to halt execution;
3. Wait for the necessary acknowledgments from $P_i$, $P_j$;
4. Select a reachable state $s_{ij}$ of $M_{ij}$ such that $s_{ij} \restriction i = s_i$ if $P_i$ is alive, and $s_{ij} \restriction j = s_j$ if $P_j$ is alive. (We require that the creation rule imposes sufficient constraints on pair-program creation so that this is guaranteed to hold.)
5. Set the current state of $(S^0_{ij}, P^j_i \| P^i_j)$ to $s_{ij}$;
6. Send $P_i$, $P_j$ permission to resume execution.

8 Soundness of the Method for Dynamic Programs

Let $\pi$ be a computation path of $P$. Let $J \subseteq Pids \times Pids$ be such that $J \subseteq pairs(s.I)$ for all $s$ along $\pi$. Then, the path-projection of $\pi$ onto $J$, denoted $\pi \restriction J$, is obtained as follows. Start with the first configuration $s$ along $\pi$ such that $pairs(s) \cap J \ne \emptyset$. (If no such configuration exists, then $\pi \restriction J$ is the empty sequence.) Replace every configuration $t$ that occurs after $s$ along $\pi$ by $t \restriction J$, and then remove all transitions $t \xrightarrow{i} t'$ along $\pi$ such that $P_i$ is not a process in some pair in $J$, coalescing the source and target states of all such transitions, which must be the same, since they do not refer to $P_i$. Define $M_J$ to be the $M_P$ for the case when $I_0 = J$ and no create transitions occur, i.e., the set of active pairs is always $J$. Let $M_{ij} = (S^0_{ij}, S_{ij}, R_{ij})$ be the global state transition diagram of $(S^0_{ij}, P^j_i \| P^i_j)$, as given by Definition 3. $S^0_{ij}$ and $S_{ij}$ are the set of initial states and the set of all states, respectively, of $M_{ij}$. $R_{ij} \subseteq S_{ij} \times \{i, j\} \times S_{ij}$ is the set of transitions of $M_{ij}$.
$M_{ij}$ and $M_P$ can be interpreted as ACTL structures. $M_{ij}$ gives the semantics of $(S^0_{ij}, P^j_i \| P^i_j)$ executing in isolation, and $M_P$ gives the semantics of $P$. Our main soundness result below (the large model theorem) relates the ACTL formulae that hold in $M_P$ to those that hold in $M_{ij}$. We characterize transitions in $M_P$ as compositions of transitions in all the relevant $M_{ij}$:

Lemma 13 (Transition mapping) For all configurations $s, t \in S$ and $i \in procs(s)$: $s \xrightarrow{i} t \in R_n$ iff $\forall j \in s.I(i) : s \restriction ij \xrightarrow{i} t \restriction ij \in R_{ij}$ and $\forall \{j, k\} \in pairs(s), i \notin \{j, k\} : s \restriction jk = t \restriction jk$.

Proof. In configuration $s$, the constraints on a transition by $P_i$ are given by exactly the pair-programs of which $P_i$ is a member, i.e., those $(i, j) \in pairs(s)$. If all such pairs permit a transition ($\forall j \in s.I(i) : s \restriction ij \xrightarrow{i} t \restriction ij \in R_{ij}$), and if all pair-programs in which $P_i$ is not a member do not execute a transition ($\forall \{j, k\} \in pairs(s), i \notin \{j, k\} : s \restriction jk = t \restriction jk$), then $P_i$ can indeed execute the transition $s \xrightarrow{i} t$, according to the semantics of $M_P$. The other direction follows by similar reasoning. The technical formulation of this argument follows exactly the same lines as the proof of Lemma 6.4.1 in [AE98]. ✷

Corollary 14 (Transition mapping) For all configurations $s, t \in S$, $J \subseteq pairs(s)$, and $i \in procs(J)$, if $s \xrightarrow{i} t \in R_n$, then $s \restriction J \xrightarrow{i} t \restriction J \in R_J$.

Lemma 15 (Path mapping) Let $\pi$ be a path in $M$, and let $J \subseteq Pids \times Pids$ be such that $J \subseteq pairs(s)$ for every configuration $s$ along $\pi$. Then $\pi \restriction J$ is a path in $M_J$.

Proof. The proof carries over from [AE98] with the straightforward modifications to deal with create transitions. ✷

In particular, when $J = \{(i, j)\}$, Lemma 15 forms the basis for our soundness proof, since it relates computations of the synthesized program $P$ to computations of the pair-programs.
8.1 Deadlock-Freedom

In our dynamic model, the definition of wait-for-graph is essentially the same as in the static case (Definition 5), except that the set of process nodes is also a function of the current configuration.

Definition 18 (Wait-for-graph $W(s)$) Let $s$ be an arbitrary configuration. The wait-for-graph $W(s)$ of $s$ is a directed bipartite graph, where
1. the nodes of $W(s)$ are (a) the processes $\{P_i \mid i \in procs(s)\}$, and (b) the arcs $\{a_i \mid i \in procs(s)$ and $a_i \in P_i$ and $s \restriction i = a^I_i.start\}$,
2. there is an edge from $P_i$ to every node of the form $a_i$ in $W(s)$, and
3. there is an edge from $a_i$ to $P_j$ in $W(s)$ if and only if $\{i, j\} \in pairs(s)$ and $a_i \in W(s)$ and $s \restriction ij(a_i.guard_j) = false$.

Recall that $a_i.guard_j$ is the conjunct of the guard of arc $a_i$ which references the state shared by $P_i$ and $P_j$ (in effect, $AP_j$ and $SH_{ij}$). As before, we characterize a deadlock as the occurrence in the wait-for-graph of a supercycle:

Definition 19 (Supercycle) $SC$ is a supercycle in $W(s)$ if and only if:
1. $SC$ is nonempty,
2. if $P_i \in SC$ then for all $a_i$ such that $a_i \in W(s)$, $P_i \to a_i \in SC$, and
3. if $a_i \in SC$ then there exists $P_j$ such that $a_i \to P_j \in W(s)$ and $a_i \to P_j \in SC$.

Note that this definition implies that $SC$ is a subgraph of $W(s)$. To extend the wait-for-graph condition (Section 5.1.1) to the dynamic model, we need to take the create transitions ($R_c$) into account. Thus, we modify the wait-for-graph condition as follows. In addition to the static Wait-For-Graph Condition of Definition 7, we require that a newly added pair-machine have at least one of its processes initially enabled.

Definition 20 (Dynamic wait-for-graph condition) Let $k \in Pids$, let $t_k$ be an arbitrary local state of $\hat{P}_k$, and let $n$ be the number of outgoing arcs of $t_k$ in $\hat{P}_k$.
Let $s, t$ be arbitrary configurations such that either
1. $(s, k, t) \in R_n$, $pairs(s) = pairs(t) = \{\{j, k\}, \{k, \ell_1\}, \ldots, \{k, \ell_n\}\}$, $k \notin \{j, \ell_1, \ldots, \ell_n\}$, and $t \restriction k = t_k$, or
2. $(s, create, t) \in R_c$, $pairs(s) = \{\{k, \ell_1\}, \ldots, \{k, \ell_n\}\}$, $pairs(t) = \{\{j, k\}, \{k, \ell_1\}, \ldots, \{k, \ell_n\}\}$, $k \notin \{j, \ell_1, \ldots, \ell_n\}$, and $t \restriction k = t_k$.
Then, $\forall a_j : (a_j \to P_k \notin W(t))$ or $\exists a_k \in W(t) : (\forall \ell \in \{\ell_1, \ldots, \ell_n\} : a_k \to P_\ell \notin W(t))$.

Theorem 16 (Dynamic supercycle-free wait-for-graph) If the wait-for-graph condition holds, and $W(s^0)$ is supercycle-free for every initial configuration $s^0 \in S^0$, then for every reachable configuration $t$ of $M_P$, $W(t)$ is supercycle-free.

Proof. Similar to the proof of Theorem 6 with straightforward adaptations to deal with the create transitions (assumption 2 of Definition 20). ✷

8.1.1 Establishing Deadlock-freedom

We show that the absence of supercycles in the wait-for-graph of a configuration implies that there is at least one enabled move in that configuration. The proofs are very similar to the static case, and are omitted.

Proposition 17 (Supercycle [AE98]) If $W(s)$ is supercycle-free, then some move $a_i$ has no outgoing edges in $W(s)$.

Theorem 18 (Deadlock freedom) If, for every reachable configuration $s$ of $M_P$, $W(s)$ is supercycle-free, then $M_P, S^0 \models AGEX\,true$.

8.2 Liveness

To assure liveness properties of the synthesized program $P$, we assume a form of weak fairness. Let $CL(f)$ be the set of all subformulae of $f$, including $f$ itself. Let $ex_i$ be an assertion that is true along a transition in a structure iff that transition results from executing process $i$. Let $en_i$ hold in a configuration $s$ iff $P_i$ has some arc that is enabled in $s$. Let $normal$ be an assertion that is true along all transitions of $M_P$ that are drawn from $R_n$.
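The wait-for-graph of Definition 18, the supercycle of Definition 19 and the enabled-move reading of Proposition 17 (Section 8.1 above), as an added Python example that is not the paper's code. It assumes a configuration is encoded by its alive processes, active pairs, local states and moves, with each move carrying the truth value in $s$ of its guard conjunct towards each neighbour; the ring configurations it runs on are constructed for illustration.

```python
# Added example (not the paper's code): build W(s) per Definition 18, compute
# the largest supercycle of Definition 19 as a greatest fixpoint, and read off
# enabled moves as in Proposition 17.
from dataclasses import dataclass


@dataclass
class Move:
    """A move a_i of process P_i: its start state plus, for each neighbour j,
    the truth value in the current configuration of the conjunct a_i.guard_j."""
    name: str
    start: str
    guard: dict  # j -> bool; a neighbour absent from the dict is unconstrained


@dataclass
class Config:
    """The parts of a configuration s that W(s) depends on (assumed encoding)."""
    procs: set    # procs(s)
    pairs: set    # pairs(s), as frozensets {i, j}
    local: dict   # i -> current local state s|i
    moves: dict   # i -> list of Move (the arcs of P_i)


def wait_for_graph(s):
    """Definition 18: nodes are P_i for i in procs(s) and every move a_i whose
    start state is s|i; P_i -> a_i always, and a_i -> P_j iff {i, j} is an
    active pair and a_i.guard_j is false in s. Returns node -> successor set."""
    edges = {}
    for i in s.procs:
        p = ("P", i)
        edges[p] = set()
        for a in s.moves.get(i, []):
            if a.start != s.local[i]:
                continue
            m = ("a", i, a.name)
            edges[p].add(m)
            edges[m] = {("P", j) for j in s.procs
                        if j != i and frozenset({i, j}) in s.pairs
                        and not a.guard.get(j, True)}
    return edges


def largest_supercycle(edges):
    """Clauses 2 and 3 of Definition 19 are closed under union, so the union of
    all supercycles is a greatest fixpoint: repeatedly prune any P_i with a
    move node outside the set, and any a_i with no successor inside the set."""
    sc = set(edges)
    changed = True
    while changed:
        changed = False
        for n in list(sc):
            if n[0] == "P":
                bad = any(m not in sc for m in edges[n])
            else:
                bad = not any(p in sc for p in edges[n])
            if bad:
                sc.discard(n)
                changed = True
    return sc  # empty iff W(s) is supercycle-free


def is_supercycle_free(s):
    return not largest_supercycle(wait_for_graph(s))


def enabled_moves(s):
    """Proposition 17: a move node with no outgoing wait-for edge has every
    guard conjunct true, so it can be executed in s."""
    edges = wait_for_graph(s)
    return sorted((n[1], n[2]) for n in edges if n[0] == "a" and not edges[n])


def ring(n, blocked):
    """Constructed sample: n processes in a ring (pairs {i, i+1 mod n}); each
    P_i has one move 'm' whose guard towards neighbour i+1 is false iff i is in
    `blocked`, and which is unconstrained towards neighbour i-1."""
    return Config(
        procs=set(range(n)),
        pairs={frozenset({i, (i + 1) % n}) for i in range(n)},
        local={i: "w" for i in range(n)},
        moves={i: [Move("m", "w", {(i + 1) % n: i not in blocked})]
               for i in range(n)},
    )


def with_choice(n):
    """Same ring with every 'm' blocked, but P_0 also has a move 'alt' whose
    guards are all true: by clause 2 of Definition 19, P_0 cannot be in any
    supercycle, which breaks the cycle."""
    s = ring(n, blocked=set(range(n)))
    s.moves[0].append(Move("alt", "w", {}))
    return s


if __name__ == "__main__":
    for label, s in [("all blocked", ring(3, {0, 1, 2})),
                     ("one unblocked", ring(3, {0, 1})),
                     ("choice", with_choice(3))]:
        print(label, "supercycle-free:", is_supercycle_free(s),
              "enabled:", enabled_moves(s))
```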
Let $\pi$ be a fullpath of $M_P$. Define $states(\pi) = \{s \mid s$ occurs along $\pi\}$. Define $procs(\pi) = \bigcup_{s \in states(\pi)} procs(s)$, and $pairs(\pi) = \bigcup_{s \in states(\pi)} pairs(s)$.

Definition 21 (Weak blocking fairness $\Phi_b$) $\Phi_b(\pi) \stackrel{df}{=} \bigwedge_{i \in procs(\pi)} \overset{\infty}{G}(blk_i \wedge en_i) \Rightarrow \overset{\infty}{F} ex_i$.

Weak blocking fairness requires that a process that is continuously enabled and in a sometimes-blocking state is eventually executed.

Definition 22 (Weak eventuality fairness, $\Phi_\ell$) $\Phi_\ell(\pi) \stackrel{df}{=} \bigwedge_{(i,j) \in pairs(\pi)} (\overset{\infty}{G} en_i \vee \overset{\infty}{G} en_j) \wedge \overset{\infty}{G} pnd_{ij} \Rightarrow \overset{\infty}{F}(ex_i \vee ex_j)$.

Weak eventuality fairness requires that if an eventuality is continuously pending, and one of $P_i$ or $P_j$ is continuously enabled, then eventually one of them will be executed.

Definition 23 (Creation fairness $\Phi_c$) $\Phi_c \stackrel{df}{=} \overset{\infty}{F} normal$.

A fullpath $\pi$ satisfies creation fairness iff it contains an infinite number of normal transitions. A fullpath $\pi$ is fair iff $\pi \models_L \Phi_b(\pi) \wedge \Phi_\ell(\pi) \wedge \Phi_c$, where $\models_L$ is the satisfaction relation of propositional linear-time temporal logic [Eme90, MW84]. Our overall fairness notion $\Phi$ is thus the conjunction of weak blocking fairness, weak eventuality fairness, and creation fairness: $\Phi \stackrel{df}{=} \Phi_b \wedge \Phi_\ell \wedge \Phi_c$.

Let $aen_j \stackrel{df}{=} \forall a^i_j \in P^i_j : (\{|a^i_j.start|\} \Rightarrow a^i_j.guard)$, i.e., $aen_j$ holds iff every arc of $P^i_j$ whose start state is a component of the current $ij$-state $s_{ij}$ is also enabled in $s$. We say that $P_k$ blocks $P_i$ in configuration $s$ iff, in $W(s)$, there is a path from $P_i$ to $P_k$. Define $Wt_{ij}(s)$ to be the set of all $k$ such that there is a path in $W(s)$ from at least one of $P_i$ or $P_j$ to $P_k$. Thus, $Wt_{ij}(s)$ is the set of processes that block the pair-program $(S^0_{ij}, P^j_i \| P^i_j)$ from executing some arc of $P^j_i$ or $P^i_j$.
Definition 24 (Liveness condition for dynamic programs) The liveness condition is the conjunction of the following:
1. Let $s$ be an arbitrary reachable configuration. Then, for every $\{i, j\} \in pairs(s)$: $M_{ij}, S^0_{ij} \models AGA(G\,ex_i \Rightarrow \overset{\infty}{G} aen_j)$.
2. Let $s$ be an arbitrary reachable configuration. For every $\{i, j\} \in pairs(s)$ such that $s \models pnd_{ij}$, the following must hold. There exists a finite $W \subseteq Pids$ such that for all $t$ reachable from $s$ along paths in which $pnd_{ij}$ holds in all configurations, $Wt_{ij}(t) \subseteq W$.

The first condition above is a "local" one, i.e., it is evaluated on pair-programs in isolation. It requires that, for every pair-program $(S^0_{ij}, P^j_i \| P^i_j)$ executing in isolation, if $P^j_i$ can execute continuously along some path, then there exists a suffix of that path along which $P^j_i$ does not block any arc of $P^i_j$. The second condition is "global"; it requires that a process is not forever delayed because new processes which block it are constantly being added. Given the liveness condition, the absence of deadlocks, and the use of $\Phi$-fair scheduling, we can show that one of $P_i$ or $P_j$ is guaranteed to be executed from any configuration whose $ij$-projection has a pending eventuality. Let $\models_\Phi$ be the satisfaction relation of CTL* when the path quantifiers $A$ and $E$ are restricted to fair fullpaths ($A$: for all fair fullpaths, $E$: for some fair fullpath) [EL87].

Lemma 19 (Progress for dynamic programs) Let $s$ be an arbitrary reachable configuration and $\{i, j\} \in pairs(s)$. If
1. the liveness condition holds, and
2. for every reachable configuration $u$, $W(u)$ is supercycle-free, and
3. $M_{ij}, s \restriction ij \models \neg h_{ij} \wedge AF h_{ij}$ for some $h_{ij} \in CL(spec_{ij})$,
then $M_P, s \models_\Phi AF(ex_i \vee ex_j)$.

Proof. By assumption 2 and Theorem 18, $M_P, S^0 \models AGEX\,true$. Hence every fullpath in $M_P$ is infinite.
Let $\pi$ be an arbitrary $\Phi$-fair fullpath starting in $s$. If $M_P, \pi \models F(ex_i \vee ex_j)$, then we are done. Hence we assume $\pi \models G(\neg ex_i \wedge \neg ex_j)$ (*) in the remainder of the proof. Let $t$ be an arbitrary configuration along $\pi$. By clause 2 of the liveness condition for dynamic programs (Definition 24), $Wt_{ij}(t) \subseteq W$ for some finite $W \subseteq Pids$. Hence, there exists a configuration $v$ along $\pi$ such that, for all subsequent configurations $w$ along $\pi$, $Wt_{ij}(w) \subseteq Wt_{ij}(v)$, i.e., after $v$, the set of processes that block $(S^0_{ij}, P^j_i \| P^i_j)$ does not increase. Now consider the static concurrent program $P_J$ with interconnection relation $J = \{\{k, l\} \mid \{k, l\} \in pairs(v)$ and $\{k, l\} \subseteq Wt_{ij}(v)\}$ and initial state set $\{v \restriction J\}$. By applying Lemma 10 to $P_J$, we conclude that $M_J, v \restriction J \models_\Phi AF(ex_i \vee ex_j)$. Now let $\rho_J = \pi_v \restriction J$, where $\pi_v$ is the infinite suffix of $\pi$ starting in $v$. We now establish that $\rho_J$ is an infinite path in $M_J$ (**), given the assumption that (*) holds. From (*) and weak eventuality fairness (Definition 22), we see that $Wt_{ij}(t)$ is nonempty for every configuration $t$ along $\pi$, since otherwise one of $P_i$, $P_j$ would be executed. By definition, there is no path in $W(t)$ from a process in $Wt_{ij}(t)$ to a process outside $Wt_{ij}(t)$. Hence, by assumption 2 and Proposition 17, there exists some $P_k \in Wt_{ij}(t)$ such that $P_k$ has an enabled move in configuration $t$. Since this holds for all configurations $t$ along $\pi$, we conclude by weak blocking fairness (Definition 21) that infinitely often along $\pi$, some process in $Wt_{ij}(v)$ is executed. Hence, by Definition 1 and the definition of $J$, $\rho_J$ is infinite. From Lemma 15, $\rho_J$ is a path in $M_J$. Hence, $\rho_J$ is a fullpath in $M_J$. By Definition 1, the first state of $\rho_J$ is $v \restriction J$. Hence, by $M_J, v \restriction J \models_\Phi AF(ex_i \vee ex_j)$, we have $\rho_J \models F(ex_i \vee ex_j)$.
From $\rho_J = \pi_v \restriction J$ and Definition 1, we conclude $\pi_v \models F(ex_i \vee ex_j)$. Hence, $\pi \models F(ex_i \vee ex_j)$, contrary to assumption. ✷

8.3 The Large Model Theorem for Dynamic Programs

The large model theorem establishes the soundness of our synthesis method. It states that any subformula of $spec_{ij}$ which holds in the $ij$-projection of a configuration $s$ also holds in $s$ itself. That is, correctness properties satisfied by a pair-program executing in isolation also hold in the synthesized program $P$.

Theorem 20 (Large model) Let $i, j \in Pids$ and let $s$ be an arbitrary reachable configuration in $M_P$ such that $\langle\langle\langle \{i, j\}, spec_{ij} \rangle\rangle\rangle \in s.I$, where $spec_{ij}$ is an $ACTL^-_{ij}$ formula. If
1. the liveness condition for dynamic programs holds,
2. $W(u)$ is supercycle-free for every reachable configuration $u$ in $M_P$, and
3. $M_{ij}, s \restriction ij \models f_{ij}$ for some $f_{ij} \in CL(spec_{ij})$,
then $M_P, s \models_\Phi f_{ij}$.

Proof. The theorem follows from Theorem 18 and Lemma 19 in essentially the same way that Theorem 11 follows from Theorem 9 and Lemma 10, i.e., the static case. The proof is very similar, since the statements (but not the proofs) of Theorem 18 and Lemma 19 are identical to those of Theorem 9 and Lemma 10. The only difference in the proof is in dealing with create transitions. This is straightforward, since $(S^0_{ij}, P^j_i \| P^i_j)$ is created with its current state set to one of its reachable states, and so the same projection relationships hold between $M_P$ and $M_{ij}$ in the dynamic case as between $M_I$ and $M_{ij}$ in the static case; in particular, Lemma 15 provides the exact dynamic analogue of Lemma 3, and is the only projection result used in establishing the large model theorem. The only difference is that in the dynamic case the projection starts from the point at which $(S^0_{ij}, P^j_i \| P^i_j)$ is created.
Since we do not require computation paths to start from an initial state, this does not pose a problem. We note that the only result for static programs that involves reachability is Corollary 4, and this is only used to establish deadlock-freedom for the static case. For the dynamic case, deadlock freedom is guaranteed by the dynamic wait-for-graph condition (Definition 20), which contains an explicit clause (clause 2) to deal with creation. ✷

We note the important case of $f_{ij} = AG\,g_{ij}$, i.e., $f_{ij}$ expresses a global property, since $g_{ij}$ holds in all configurations reachable from $s$.

9 Implementation in Atomic Read/Write Shared Memory

We now show how the synthesized program can be implemented in atomic read/write memory. To break down the atomicity of an arc in the synthesized program, we require that, in all pair-programs, all guards are temporarily stable [Kat86], that is, once the guard holds, it continues to hold until some arc is executed, not necessarily the arc corresponding to the guard. We generalize this discussion as follows. Let $(s_i, \bigoplus_{\ell \in [n]} B_\ell \to A_\ell, t_i)$ be an arc of $P^j_i$ in pair-program $(S^0_{ij}, P^j_i \| P^i_j)$. We require

$M_{ij}, S^0_{ij} \models \bigwedge_{\ell \in [n]} AG((\{|s_i|\} \wedge B^j_{i,\ell}) \Rightarrow A[(\{|s_i|\} \wedge B^j_{i,\ell}) U_w \neg s_i])$. (TSTAB)

Now consider, in process $P_i$ of $P$, the arc in $P_i$ from $s_i$ to $t_i$. By Definition 15, this arc has the label $\bigotimes_{j \in s.I(i)} \bigoplus_{\ell \in [1:n_j]} B^j_{i,\ell} \to A^j_{i,\ell}$ in configuration $s$. Since $P_i$ will be explicitly involved in any creation step which adds a pair of which $P_i$ is a member, we assume that this label does not change, for the time being. Now, $P_i$ can evaluate each of the $B^j_{i,\ell}$ sequentially, rather than simultaneously, since once true, each $B^j_{i,\ell}$ will remain true until $P_i$ executes either the above arc or some other arc. Once $P_i$ has observed that, for every $j \in s.$
I ( i ), there exists ℓ ∈ [1 : n j ] su c h that B j i,ℓ holds, then P i can execute the arc. The cond ition (TST AB) can b e c hec k ed in p olynomial time b y the mo del-c hec king algorithm of [CES86]. Execution of the arc will also in v olv e the s im ultaneous execution of the assignmen ts A j i,ℓ . T o break this multiple assignmen t do wn into atomic read and write op erations, we use efficien t solu- tions to the dining/drinking philosophers problem [SP88, CM88] to guarantee mutual exclusion of neigh b orin g pr o cesses. Once a pr o cess has excluded all its neigh b ors (i.e., it “has all the forks”), it can then p erform the m u ltiple assignment sequenti ally . The f ollo win g subsection giv es details of this implemen tation. As an alternativ e to us in g d in ing/drinking philosophers, if w e hav e av ailable hardware op erations suc h as compare-and-swap. or load-link ed/store conditional, then we can use the co nstru ctions of [Moi97, Moi00]. These algorithms p erm it the efficien t, w ait-free implementat ion of the m ultiple assignmen ts. 9.1 Implemen tation using underlying dining/drinkin g philosophers algorithm The problem is to implement ev ery mov e a i = ⊗ j ∈ s. I ( i ) ⊕ ℓ ∈ [1: n j ] B j i,ℓ → A j i,ℓ of ev ery pro cess P i , in configur ation s . The implemen tation consists of the f ollo win g three p ro cedures. The first, Poll ( P i , a i ) rep eatedly p olls all the guards of the mov e a i , u n til a g uard B j i,ℓ for eac h neigh b or P j of P i is found wh ic h is true. When this o ccurs, the mov e a i can b e exec uted. Poll ( P i , a i ) 1. X [ a i ] := s. I ( i ); 2. rep eat p oll all the B j i,ℓ for j ∈ X , ℓ ∈ [1 : n j ]; for every j such that B j i,ℓ p olled true for some ℓ X := X − { j } ; choice j i [ a i ] := ℓ un til X [ a i ] = ∅ No w in a lo cal state s i , P i will usu ally ha ve a c hoice of seve ral mo ve s. 
The second pr o cedure, Choose ( P i , s i ), rep eatedly p oll the guards of all such mo ve s, u nt il one is found all of whose guards are true. Th is mo ve can then b e executed b y P i . Th e actual execution is carried out b y the 38 Execute ( P i , s i ) pro cedu re. Execute ( P i , s i ) fi rst in vo ke s Choose ( P i , s i ) to d etermine w hic h mo ve to execute. It th en obtains the exclusiv e access to all the shared v ariables that execution of a i up d ates, and exclusiv e access to the atomic prop ositions of P i . Once all n ecessary lo c ks are obtained, the mo ve chose n mo ve a i can b e exec uted in an “ atomic” manner. Choose ( P i , s i ) 1. Let a 1 i . . . a k i b e a ll the mo ves o f P i with start state s i ; 2. In v ok e Poll ( P i , a 1 i ) . . . Poll ( P i , a k i ) sim u ltaneously , an d in an “inte rlea v ed” manner, i.e. , inte rlea ve the executions of Poll ( P i , a 1 i ) . . . Poll ( P i , a k i ); 3. Let a c i = ( s i , ⊗ j ∈ s. I ( i ) ⊕ ℓ ∈ [1: n j ] B j i,ℓ → A j i,ℓ , t i ) b e th e fi rst mo ve f or whic h X [ a c i ] = ∅ b ecomes true 4. return ( a c i , choice j i ) Execute ( P i , s i ) 1. In v ok e Choose ( P i , s i ) and let a c i , choice j i b e the returned v alues; 2. forall j ∈ s. I ( i ) do obtain a lo c k on all v ariables in A j i,ℓ , ℓ = choice j i [ a c i ], e.g ., by using a d rinking philosophers algorithm; obtain a lo c k on the atomic prop ositions of P i (i.e., those in AP i ) 3. forall j ∈ s. I ( i ) do execute A j i,ℓ , ℓ = choice j i [ a c i ]; c hange the lo cal state of P i to t i 4. forall j ∈ s. I ( i ) do 5. release all lo cks The o v erall implemen tation is giv en b y the pro cedure Main ( P i ), which implements the pro cess P i . Main ( P i ) rep eatedly inv okes Execut e ( P i , s i ), wh ere s i is the cur ren t lo cal state of P i . 
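An added Python model (not the paper's code) of the Poll, Choose and Execute procedures above: guards are polled one at a time, which is sound only under (TSTAB), and the multiple assignment then runs under per-variable locks. The fixed-order lock acquisition standing in for the drinking philosophers algorithm, the round bound in Choose, and the scenario in demo() are assumptions of this model.

```python
"""Low-atomicity execution of a synthesized move: Poll / Choose / Execute (added model)."""
import threading
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Shared = Dict[str, int]
Guard = Callable[[Shared], bool]
Assign = Tuple[List[str], Callable[[Shared], None]]  # (variables written, A^j_{i,l})


@dataclass
class Move:
    """Arc (s_i, (x)_j (+)_l B^j_{i,l} -> A^j_{i,l}, t_i) of process P_i."""
    start: str
    target: str
    alts: Dict[str, List[Tuple[Guard, Assign]]]  # neighbour j -> [(B^j_{i,l}, A^j_{i,l})]


class Process:
    def __init__(self, pid: str, state: str, moves: List[Move], neighbours: Set[str],
                 shared: Shared, locks: Dict[str, threading.Lock], max_rounds: int = 1000):
        self.pid, self.state, self.moves = pid, state, moves
        self.neighbours, self.shared, self.locks = neighbours, shared, locks
        self.max_rounds = max_rounds  # added bound so a stuck guard fails loudly (assumption)

    def poll_round(self, move: Move, pending: Set[str], choice: Dict[str, int]) -> bool:
        """One iteration of the repeat loop of Poll(P_i, a_i).

        pending plays the role of X[a_i]; choice records choice^j_i[a_i].
        Returns True once X[a_i] is empty, i.e. every neighbour has a true guard."""
        for j in sorted(pending):
            for l, (guard, _) in enumerate(move.alts[j]):
                if guard(self.shared):      # B^j_{i,l} seen true: by (TSTAB) it stays true
                    pending.discard(j)
                    choice[j] = l
                    break
        return not pending

    def choose(self) -> Tuple[Move, Dict[str, int]]:
        """Choose(P_i, s_i): interleave Poll over all moves leaving the current state."""
        moves = [m for m in self.moves if m.start == self.state]
        pending = {id(m): set(self.neighbours) for m in moves}
        choice: Dict[int, Dict[str, int]] = {id(m): {} for m in moves}
        for _ in range(self.max_rounds):
            for m in moves:                 # one polling round per move, round-robin
                if self.poll_round(m, pending[id(m)], choice[id(m)]):
                    return m, choice[id(m)]
        raise RuntimeError(f"{self.pid}: no move enabled in state {self.state}")

    def execute(self) -> str:
        """Execute(P_i, s_i): lock, perform the multiple assignment, unlock."""
        move, choice = self.choose()
        written = {v for j, l in choice.items() for v in move.alts[j][l][1][0]}
        written.add(f"AP_{self.pid}")       # lock on P_i's own atomic propositions
        order = sorted(written)             # fixed global order: a deadlock-free substitute
        for v in order:                     # for drinking philosophers (assumption)
            self.locks[v].acquire()
        try:
            for j, l in choice.items():     # line 3 of Execute: now effectively atomic
                move.alts[j][l][1][1](self.shared)
            self.state = move.target
        finally:
            for v in reversed(order):
                self.locks[v].release()
        return self.state


def set_var(name: str, fn: Callable[[Shared], int]) -> Assign:
    """Helper building the assignment name := fn(shared)."""
    return ([name], lambda sh: sh.__setitem__(name, fn(sh)))


def demo() -> Tuple[str, Shared]:
    """Constructed scenario: P1 in state s0 with two candidate moves and neighbours P2, P3."""
    shared: Shared = {"x": 0, "y": 1, "flag": 1}
    locks: Dict[str, threading.Lock] = defaultdict(threading.Lock)
    a1 = Move("s0", "t1", {
        "P2": [(lambda sh: sh["flag"] == 1, set_var("x", lambda sh: sh["x"] + 1))],
        "P3": [(lambda sh: sh["y"] > 0, set_var("y", lambda sh: sh["y"] - 1)),
               (lambda sh: sh["y"] == 0, set_var("y", lambda sh: 0))],
    })
    a2 = Move("s0", "t2", {                  # never enabled: flag == 2 does not hold
        "P2": [(lambda sh: sh["flag"] == 2, set_var("x", lambda sh: 99))],
        "P3": [(lambda sh: True, set_var("y", lambda sh: 99))],
    })
    p1 = Process("P1", "s0", [a1, a2], {"P2", "P3"}, shared, locks)
    return p1.execute(), shared


if __name__ == "__main__":
    print(demo())   # ('t1', {'x': 1, 'y': 0, 'flag': 1})
```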
The low-level concurrent program $P_r$ is then given by the concurrent composition of $Main(P_i)$ for every process $P_i$ that has been created so far. Let $M_r$ be the global state transition diagram of $P_r$. $M_r$ can be formally defined in a similar manner to $M_P$ (Definition 17).

Main(P_i)
1. Let s_i be an initial local state of P_i;
2. repeat forever
     invoke Execute(P_i, s_i);
     update s_i to be the resulting local state of P_i;
3.   participate in any outstanding Create protocols, if a request to suspend execution has been received

Note that $P_i$ participates in executions of Create only when it is not executing normal transitions. This prevents the interleaving of the low-atomicity implementations of normal and create transitions. Thus, in particular, during the low-atomicity execution of a single normal transition, the value of $s.I(i)$, i.e., the set of neighbors of $P_i$, does not change. This is essential to the correctness of the implementation.

9.2 Soundness of the Implementation in Atomic Read/Write Shared Memory

We show that $M_r$ satisfies the same $ACTL^-_{ij}$ formulae as $M_P$. Roughly, we can consider $M_r$ to consist of a "stretched out" version of $M_P$, in which each transition of $M_P$ is replaced by a sequence of transitions, together with all of the possible interleavings that result from this refinement of the transitions in $M_P$. Due to our use of locking, this refinement does not generate any configurations that are unreachable in $M_P$. Likewise, paths in $M_r$ have "corresponding" paths in $M_P$. Hence, correctness is preserved.

Let $s, u$ be configurations of $M_P$, $M_r$ respectively. Then define $s \sim u$ iff $\forall p \in AP : s(p) = u(p)$ and $\forall x \in SH : s(x) = u(x)$. Let $\pi, \rho$ be fullpaths of $M_P$, $M_r$ respectively. Then define $\pi \sim \rho$ iff $\pi$ can be written as a sequence of finite blocks of configurations $\pi_1, \pi_2, \ldots$, $\rho$ can be written as a sequence of finite blocks of configurations $\rho_1, \rho_2, \ldots$, and for all $i \geq 0$, for every $s$ in $\pi_i$ and every $u$ in $\rho_i$, $s \sim u$.

Lemma 21 Let $s, u$ be configurations of $M_P$, $M_r$ respectively such that $s \sim u$. Then, for every fullpath $\rho$ of $M_r$ starting in $u$, there exists a fullpath $\pi$ of $M_P$ starting in $s$ such that $\pi \sim \rho$.

Proof. We assume that line 3 of $Execute(P_i, s_i)$ is executed atomically. This is reasonable, since exclusive access locks to all the shared variables and atomic propositions modified by line 3 of $Execute(P_i, s_i)$ are obtained first. We do not assume the atomic execution of any other part of the implementation algorithm. Given $\rho$, consider the subsequence of the transitions of $\rho$ given by the transitions that correspond to the execution of line 3 of $Execute(P_i, s_i)$. These are the only transitions of $\rho$ which change the shared variables and atomic propositions, and so affect the truth of $\sim$. From the construction of the implementation algorithm, we can show that there exists a fullpath $\pi$ of $M_P$ starting in $s$ which executes the same sequence of changes to the shared variables and atomic propositions. It follows that $\pi \sim \rho$. ✷

Theorem 22 Let $s, u$ be configurations of $M_P$, $M_r$ respectively such that $s \sim u$. Let $\pi, \rho$ be fullpaths of $M_P$, $M_r$ respectively such that $\pi \sim \rho$. Let $f$ be any formula of $ACTL^*{-}X$. Then,
If $M_P, s \models \Phi f$, then $M_r, u \models \Phi f$.
If $M_P, \pi \models \Phi f$, then $M_r, \rho \models \Phi f$.

Proof. The proof is by induction on the structure of $f$, i.e., by induction on the number of times rules S2, S3, and P1–3 of the definition of $ACTL^*$ syntax are applied to generate $f$. Rule S1 of that definition gives the base case.

Base case: $f$ is one of $true$, $false$, $p$, $\neg p$ for some atomic proposition $p$. Since $s$ and $u$ agree on all atomic propositions, $M_r, u \models f$ follows immediately from $M_P, s \models f$.

Induction step: There are several cases.

Case 1: S2 is applied, and $f$ is $g \vee h$, a state formula. Hence $M_P, s \models g \vee h$. By $ACTL^*$ semantics, $M_P, s \models g$ or $M_P, s \models h$. By the induction hypothesis, $M_r, u \models g$ or $M_r, u \models h$. Hence, by $ACTL^*$ semantics, $M_r, u \models g \vee h$.

Case 2: S2 is applied, and $f$ is $g \wedge h$, a state formula. Hence $M_P, s \models g \wedge h$. By $ACTL^*$ semantics, $M_P, s \models g$ and $M_P, s \models h$. By the induction hypothesis, $M_r, u \models g$ and $M_r, u \models h$. Hence, by $ACTL^*$ semantics, $M_r, u \models g \wedge h$.

Case 3: S3 is applied, and $f$ is $Ag$, a state formula. Hence $g$ is a path formula. Assume $M_P, s \models Ag$. Let $\rho$ be an arbitrary fullpath of $M_r$ starting in $u$. By Lemma 21, there exists a fullpath $\pi$ of $M_P$ starting in $s$ such that $\pi \sim \rho$. Since $M_P, s \models Ag$, we have $M_P, \pi \models g$, by $ACTL^*$ semantics. From $\pi \sim \rho$ and the induction hypothesis, we obtain $M_r, \rho \models g$. Since $\rho$ was chosen arbitrarily from the fullpaths starting in $u$, we conclude $M_r, u \models Ag$, by $ACTL^*$ semantics.

Case 4: P1 is applied, and $f$ is $g$, where $f$ is a path formula and $g$ is a state formula. Assume $M_P, \pi \models f$. Hence, $M_P, s \models g$, where $s$ is the first state of $\pi$. Let $u$ be the first state of $\rho$. Then $s \sim u$, by the definition of $\pi \sim \rho$. From $M_P, s \models g$, $s \sim u$, and the induction hypothesis, we obtain $M_r, u \models g$. Hence, by $ACTL^*$ semantics, $M_r, \rho \models f$.

Case 5: P2 is applied, and $f$ is $g \vee h$, a path formula. Hence $M_P, \pi \models g \vee h$. By $ACTL^*$ semantics, $M_P, \pi \models g$ or $M_P, \pi \models h$. By the induction hypothesis, $M_r, \rho \models g$ or $M_r, \rho \models h$. Hence, by $ACTL^*$ semantics, $M_r, \rho \models g \vee h$.

Case 6: P2 is applied, and $f$ is $g \wedge h$, a path formula. Hence $M_P, \pi \models g \wedge h$. By $ACTL^*$ semantics, $M_P, \pi \models g$ and $M_P, \pi \models h$. By the induction hypothesis, $M_r, \rho \models g$ and $M_r, \rho \models h$. Hence, by $ACTL^*$ semantics, $M_r, \rho \models g \wedge h$.

Case 7: P3 is applied, and $f$ is $g\,U\,h$, a path formula. Assume $M_P, \pi \models f$. Hence, there exists $i' \geq 1$ such that $M_P, \pi^{i'} \models h$ and $(\forall i : 1 \leq i < i' : M_P, \pi^i \models g)$. Let $j'$ be the smallest natural number such that $\pi^{i'} \sim \rho^{j'}$. By the induction hypothesis, $M_r, \rho^{j'} \models h$. Let $j$ be any natural number such that $1 \leq j < j'$. By the definition of $\pi \sim \rho$, there exists some $i$ such that $1 \leq i < i'$ and $\pi^i \sim \rho^j$. Since $1 \leq i < i'$, we have $M_P, \pi^i \models g$. Hence, by the induction hypothesis, $M_r, \rho^j \models g$. We have thus shown $M_r, \rho^{j'} \models h$ and $(\forall j : 1 \leq j < j' : M_r, \rho^j \models g)$. By $ACTL^*$ semantics, $M_r, \rho \models g\,U\,h$.

Case 8: P3 is applied, and $f$ is $g\,U_w\,h$, a path formula. Assume $M_P, \pi \models f$. Hence, by $ACTL^*$ semantics, $M_P, \pi \models g\,U\,h$ or $M_P, \pi \models Gg$. $M_P, \pi \models g\,U\,h$ is just Case 7 above. $M_P, \pi \models Gg$ can also be treated with an argument analogous to that of Case 7. Hence, we can establish $M_r, \rho \models g\,U\,h$ or $M_r, \rho \models Gg$. Thus, $M_r, \rho \models g\,U_w\,h$. ✷

Theorem 23 (Large model theorem for low-atomicity implementation) Let $i, j \in Pids$ and let $u$ be an arbitrary reachable configuration in $M_r$ such that $\langle\!\langle \{i,j\}, spec_{ij} \rangle\!\rangle \in u.I$, where $spec_{ij}$ is an $ACTL^-_{ij}$ formula. If
1. the liveness condition for dynamic programs holds,
2. $W(v)$ is supercycle-free for every reachable configuration $v$ in $M_r$, and
3. $M_{ij}, s \upharpoonright ij \models f_{ij}$ for some $f_{ij} \in CL(spec_{ij})$,
then $M_r, u \models \Phi f_{ij}$.

Proof. Immediate from Theorem 20 and Theorem 22. ✷

10 Example: The Eventually Serializable Data Service

The eventually-serializable data service (ESDS) of [FGL+99, LLSG92] is a replicated, distributed data service that trades off immediate consistency for improved efficiency. A shared data object is replicated, and the response to an operation at a particular replica may be out of date, i.e., not reflecting the effects of other operations that have not yet been received by that replica. Thus, operations may be reordered after the response is issued. Replicas communicate amongst each other the operations they receive, so that eventually every operation "stabilizes," i.e., its ordering is fixed with respect to all other operations. Clients may require an operation to be strict, i.e., stable at the time of response (and so it cannot be reordered after the response is issued). Clients may also specify, in an operation $x$, a set $x.prev$ of other operations that should precede $x$ (client-specified constraints, CSC).

We let $O$ be the (countable) set of all operations, $R$ the set of all replicas (which may increase dynamically), $client(x)$ be the client issuing operation $x$, and $replica(x)$ be the replica that handles operation $x$. We use $x$ to index over operations, $c$ to index over clients, and $r, r'$ to index over replicas. For each operation $x$, we define a client process $C^x_c$ and a replica process $R^x_r$, where $c = client(x)$, $r = replica(x)$. Thus, a client consists of many processes, one for each operation it issues. As the client issues operations, these processes are created dynamically. Likewise, a replica consists of many processes, one for each operation it processes. Thus, we can use dynamic process creation and finite-state processes to model an infinite-state system, such as the one here, which in general handles an unbounded number of operations over time.

The pair-specifications are as follows. The local structure specification of a process is implicitly conjoined with any pair-specification referring to that process. The atomic predicates have the following meaning for operation $x$: $in$ is the initial state; $wt$ means that $x$ is submitted but not yet done; $dn$ means that $x$ is done; $st$ means that $x$ is stable; $snt$ means that the result of $x$ has been sent to the client.

We give pair-programs for a strict operation $x$. The pair-programs for a non-strict operation are similar, except that the transitions from $dn^x_r$ to $st^x_r$ to $[st^x_r\; snt^x_r]$ can also be performed in the reverse order (i.e., there is a branch from the $dn^x_r$ state), since the result of $x$ can be sent before $x$ stabilizes. For example, Figure 11 gives the pair-program $R^x_r \parallel R^x_{r'}$ when $x$ is not strict.

Local structure of clients $C^x_c$

$in^x_c$: $x$ is initially pending

$AG(in^x_c \Rightarrow (AX_c\, wt^x_c \wedge EX_c\, wt^x_c)) \wedge AG(wt^x_c \Rightarrow AX_c\, dn^x_c) \wedge AG(dn^x_c \Rightarrow (AX_c\, dn^x_c \wedge EX_c\, dn^x_c))$: $C^x_c$ moves from $in^x_c$ to $wt^x_c$ to $dn^x_c$, and thereafter remains in $dn^x_c$, and $C^x_c$ can always move from $in^x_c$ to $wt^x_c$.

$AG((in^x_c \equiv \neg(wt^x_c \vee dn^x_c)) \wedge (wt^x_c \equiv \neg(in^x_c \vee dn^x_c)) \wedge (dn^x_c \equiv \neg(in^x_c \vee wt^x_c)))$: $C^x_c$ is always in exactly one of the states $in^x_c$ (initial state), $wt^x_c$ ($x$ has been submitted, and the client is waiting for a response), or $dn^x_c$ ($x$ is done).

Local structure of replicas $R^x_r$

This is as shown in Figures 8, 9, and 10. We omit the temporal logic formulae to save space. They are constructed in a manner analogous to those for the clients.

Client-replica interaction, $C^x_c \parallel R^x_r$, $x \in O$, $c = client(x)$, $r = replica(x)$

$AG(wt^x_r \Rightarrow wt^x_c)$: $x$ is not received by its replica before it is submitted
$AG(wt^x_c \Rightarrow AF\, wt^x_r)$: every submitted $x$ is eventually received by its replica
$AG(wt^x_c \Rightarrow AF\, dn^x_c)$: every submitted $x$ is eventually performed
$AG(dn^x_c \Rightarrow AG\, dn^x_c)$: once an operation $x$ is done, it remains done

CSC constraints, pair-machine $R^x_r \parallel R^{x'}_{r'}$, $x \in O$, $x' \in x.prev$, $r = replica(x)$, $r' = replica(x')$

$AG(dn^x_r \Rightarrow dn^{x'}_{r'})$: every operation in $x.prev$ is performed before $x$ is
$AG(dn^x_r \Rightarrow AG\, dn^x_r) \wedge AG(dn^{x'}_{r'} \Rightarrow AG\, dn^{x'}_{r'})$: once an operation is done, it remains done

[Figure 8: Client-replica interaction: pair-program $C^x_c \parallel R^x_r$, $r = replica(x)$. State-transition diagram not reproduced here.]

[Figure 9: CSC constraints: pair-program $R^x_r \parallel R^{x'}_{r'}$, $r = replica(x)$, $x' \in x.prev$, $r' = replica(x')$. State-transition diagram not reproduced here.]

Strictness constraints, pair-machine $R^x_r \parallel R^x_{r'}$, $x \in O$, $x.strict$, $r = replica(x)$, $r' \in R - \{replica(x)\}$

$AG(snt^x_r \Rightarrow \bigwedge_i st^x_i)$: a strict operation is not performed until it is stable at all replicas
$AG(snt^x_r \Rightarrow AG\, snt^x_r) \wedge AG(st^x_r \Rightarrow AG\, st^x_r)$: once operation results are sent, they remain sent, and once an operation is stable, it remains stable

Eventual stabilization, $R^x_r \parallel R^x_{r'}$, $x \in O$, $r = replica(x)$, $r' \in R - \{replica(x)\}$

$AG(wt^x_r \Rightarrow \bigwedge_i AF\, st^x_i)$: every submitted operation eventually stabilizes

Rule for dynamic process creation

At any point, a client $C_c$ can create the pair-programs required for the processing of a new operation $x$, for which $client(x) = C_c$. These pair-programs are $C^x_c \parallel R^x_r$ where $r = replica(x)$, $R^x_r \parallel R^{x'}_{r'}$ where $x' \in x.prev$, $r' = replica(x')$, and $R^x_r \parallel R^x_i$ where $r = replica(x)$, $i \in R$. It is permissible for $replica(x)$ to be a "new" replica, i.e., one that currently does not occur in any pair-program. Thus, the set of "current replicas" can be expanded at run-time. This is done implicitly when the first operation which is processed by that replica is instantiated. Likewise, a "new" client can submit an operation for the first time. Thus, clients can also be created dynamically.

[Figure 10: The pair-program $R^x_r \parallel R^x_{r'}$, when $x$ is strict, $r = replica(x)$, $r' \in R - \{replica(x)\}$. The arcs carry the underlying-data assignments $[lb_r(x) := next(lb_r)]$, $[lb_{r'}(x) := lb_r(x)]$ and $[v := val(x, lb_r)]$; the diagram itself is not reproduced here.]

[Figure 11: The pair-program $R^x_r \parallel R^x_{r'}$, when $x$ is not strict. Diagram not reproduced here.]

For each pair-specification, we synthesize a pair-program satisfying it, e.g., using the method of [EC82]. Figures 8, 9, and 10 show the resulting pair-programs. We then apply Definition 15 to synthesize the ESDS program with a dynamic number of clients and replicas, shown in Figure 12. The ESDS program, and the pair-program $R^x_r \parallel R^x_{r'}$ of Figure 10, both manipulate some "underlying" data, i.e., data which is updated, but not referenced in any guard, and so does not affect control flow. This data consists of a labeling function $lb_r$ which assigns to each operation $x$ at replica $r$ a label, drawn from a well-ordered set. The assignment $lb_r(x) := next(lb_r)$ takes the smallest label not yet allocated by $lb_r$ and assigns it to $lb_r(x)$. The labels encode ordering information for the operations. The assignment $v := val(x, lb_r)$ computes a value $v$ for operation $x$, using the ordering given by $lb_r$: operations with a smaller label are ordered before operations with a larger label.
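As an added illustration of the underlying data just described (not the paper's own code), the following Python model implements $lb_r$, $next(lb_r)$, the copy $lb_{r'}(x) := lb_r(x)$ and $val(x, lb_r)$, and shows that a non-strict response can be out of date while a strict response waits for stability at all replicas. Labels as (counter, replica) pairs, add/mul operations on an integer register, and the "every replica knows every operation" reading of stability are assumptions of this model.

```python
"""Underlying data of the ESDS example: lb_r, next(lb_r), val(x, lb_r) (added model)."""
from typing import Dict, List, Optional, Tuple

# Assumption: labels are (counter, replica_id) pairs under lexicographic order, a
# well-ordered set in which labels allocated by different replicas never collide.
Label = Tuple[int, str]
Op = Tuple[str, int]           # ('add', k) or ('mul', k): order of application is observable


class Replica:
    def __init__(self, rid: str):
        self.rid = rid
        self.ops: Dict[str, Op] = {}     # operations received at this replica
        self.lb: Dict[str, Label] = {}   # lb_r : operation id -> label

    def next_label(self) -> Label:
        """next(lb_r): the smallest label of this replica not yet allocated by lb_r."""
        used = {c for (c, r) in self.lb.values() if r == self.rid}
        c = 0
        while c in used:
            c += 1
        return (c, self.rid)

    def handle(self, x: str, op: Op) -> None:
        """wt^x_r -> dn^x_r at r = replica(x): record x and set lb_r(x) := next(lb_r)."""
        self.ops[x] = op
        self.lb[x] = self.next_label()

    def propagate_to(self, other: "Replica") -> None:
        """For each x handled here, the other replica learns x with lb_r'(x) := lb_r(x)."""
        for x, label in self.lb.items():
            if label[1] == self.rid and x not in other.lb:
                other.ops[x] = self.ops[x]
                other.lb[x] = label

    def val(self, x: str) -> int:
        """val(x, lb_r): apply the operations known at r in label order, up to x."""
        v = 0
        for y in sorted(self.ops, key=lambda y: self.lb[y]):
            if self.lb[y] > self.lb[x]:
                break
            kind, k = self.ops[y]
            v = v + k if kind == "add" else v * k
        return v


def stable_everywhere(x: str, replicas: List[Replica]) -> bool:
    """st^x_i for all i (assumed reading): every replica has received every operation,
    so no later-arriving operation can change x's position in label order."""
    all_ops = {y for r in replicas for y in r.ops}
    return all(all_ops <= set(r.ops) for r in replicas)


def respond(x: str, r: Replica, replicas: List[Replica], strict: bool) -> Optional[int]:
    """snt^x_r: send the result now, unless x is strict and not yet stable at all replicas."""
    if strict and not stable_everywhere(x, replicas):
        return None
    return r.val(x)


def demo() -> Tuple[Optional[int], Optional[int], int, int]:
    """Constructed run: x1 = add 5 handled at r1 and x2 = mul 3 handled at r2, concurrently."""
    r1, r2 = Replica("r1"), Replica("r2")
    r1.handle("x1", ("add", 5))
    r2.handle("x2", ("mul", 3))
    early_nonstrict = respond("x2", r2, [r1, r2], strict=False)   # r2 has not seen x1 yet
    early_strict = respond("x2", r2, [r1, r2], strict=True)       # withheld: not stable
    r1.propagate_to(r2)                                           # lb_r2(x1) := lb_r1(x1)
    r2.propagate_to(r1)                                           # lb_r1(x2) := lb_r2(x2)
    final_r1 = respond("x2", r1, [r1, r2], strict=True)           # (0 + 5) * 3 at r1
    final_r2 = respond("x2", r2, [r1, r2], strict=True)           # same label order at r2
    return early_nonstrict, early_strict, final_r1, final_r2


if __name__ == "__main__":
    print(demo())   # (0, None, 15, 15): the early non-strict answer 0 was out of date
```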
In the figures, these assignments to underlying data are shown within [..] brackets, alongside the arc-labels obtained by pairwise synthesis. They are not used when verifying correctness properties; the ordering constraints given by the $x.prev$ sets are sufficient to verify that the client-specified constraints are obeyed. Finally, we add self-loops to the final local state of every process for technical reasons related to establishing deadlock-freedom. Correctness of the ESDS program follows immediately from Theorem 20, since the conjunction of the pair-specifications gives us the desired correctness properties (formulae of the forms $AG(p_i \Rightarrow AX_i\, q_i)$, $AG(p_i \Rightarrow EX_i\, q_i)$ are not in $ACTL^-_{ij}$, but were shown to be preserved in [AE98], and the proof given there still applies).

[Figure 12: The synthesized ESDS system. $c = client(x)$, $r = replica(x)$. $x'$ ranges over $x.prev$, and $r'$ ranges over $R' = R - \{replica(x)\}$ in $\bigotimes_{r'}$. $R^{x'}_{r'}$ is not shown since it is isomorphic to $R^x_r$. Diagram not reproduced here.]

11 Conclusions and Further Work

We presented a synthesis method which deals with an arbitrary and dynamically changing number of component processes without incurring the exponential overhead due to state explosion. Our method applies to any process interconnection scheme, does not make any assumption of similarity among the component processes, preserves all pairwise correctness properties expressed as nexttime-free formulae of ACTL, and produces efficient low-grain-atomicity programs which require only operations commonly available in hardware.

Further work includes extending the method to a model of concurrent computation which facilitates abstraction and refinement, via a notion of external behavior, such as the model of [AL01], which also handles dynamic process creation. We also plan to deal with fault-tolerance by incorporating the work of [AAE98], and to investigate extending the method to other models of computation such as real-time and probabilistic.

References

[AAE98] A. Arora, P. C. Attie, and E. A. Emerson. Synthesis of fault-tolerant concurrent programs. In 7th Annual ACM Symposium on the Principles of Distributed Computing, pages 173–182, June 1998.
[AE98] P. C. Attie and E. A. Emerson. Synthesis of concurrent systems with many similar processes. ACM Trans. Program. Lang. Syst., 20(1):51–115, Jan. 1998.
[AE01] P. C. Attie and E. A. Emerson. Synthesis of concurrent systems for an atomic read/write model of computation. ACM Trans. Program. Lang. Syst., 23(2):187–242, Mar. 2001. Extended abstract appears in ACM Symposium on Principles of Distributed Computing (PODC) 1996.
[AL01] P. C. Attie and N. A. Lynch. Dynamic input/output automata: a formal model for dynamic systems (extended abstract). In CONCUR'01: 12th International Conference on Concurrency Theory, LNCS. Springer-Verlag, Aug. 2001.
[AM94] A. Anuchitanukul and Z. Manna. Realizability and synthesis of reactive modules. In Proceedings of the 6th International Conference on Computer Aided Verification, volume 818 of Lecture Notes in Computer Science, pages 156–169, Berlin, 1994. Springer-Verlag.
[APR+01] T. Arons, A. Pnueli, S. Ruah, J. Xu, and L. Zuck. Parameterized verification with automatically computed inductive assertions. In CAV, 2001.
[Att99] P. C. Attie. Synthesis of large concurrent programs via pairwise composition. In CONCUR'99: 10th International Conference on Concurrency Theory, number 1664 in LNCS, Aalborg, Denmark, Aug. 1999. Springer-Verlag.
[BCG88] M. C. Browne, E. M. Clarke, and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59:115–131, 1988.
[CES86] E. M. Clarke, E. A. Emerson, and P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst., 8(2):244–263, Apr. 1986. Extended abstract in Proceedings of the 10th Annual ACM Symposium on Principles of Programming Languages.
[CGB86] E. M. Clarke, O. Grumberg, and M. C. Browne. Reasoning about networks with many identical finite-state processes. In Proceedings of the 5th Annual ACM Symposium on Principles of Distributed Computing, pages 240–248, New York, 1986. ACM.
[CM88] K. M. Chandy and J. Misra. Parallel Program Design. Addison-Wesley, Reading, Mass., 1988.
[Dij76] E. W. Dijkstra. A Discipline of Programming. Prentice-Hall Inc., Englewood Cliffs, N.J., 1976.
[Dij82] E. W. Dijkstra. Selected Writings on Computing: A Personal Perspective, pages 188–199. Springer-Verlag, New York, 1982.
[DWT90] D. L. Dill and H. Wong-Toi. Synthesizing processes and schedulers from temporal specifications. In International Conference on Computer-Aided Verification, number 531 in LNCS, pages 272–281. Springer-Verlag, 1990.
[EK00] E. A. Emerson and V. Kahlon. Reducing model checking of the many to the few. In CADE, pages 236–254, 2000.
[Eme90] E. A. Emerson. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, Formal Models and Semantics. The MIT Press/Elsevier, Cambridge, Mass., 1990.
[EC82] E. A. Emerson and E. M. Clarke. Using branching time temporal logic to synthesize synchronization skeletons. Sci. Comput. Program., 2:241–266, 1982.
[EL87] E. A. Emerson and C. Lei. Modalities for model checking: Branching time logic strikes back. Sci. Comput. Program., 8:275–306, 1987.
[EN96] E. A. Emerson and K. S. Namjoshi. Automatic verification of parameterized synchronous systems (extended abstract). In CAV, pages 87–98, 1996.
[FGL+99] A. Fekete, D. Gupta, V. Luchangco, N. Lynch, and A. Shvartsman. Eventually-serializable data services. Theoretical Computer Science, 220:113–156, 1999. Conference version appears in ACM Symposium on Principles of Distributed Computing, 1996.
[GL94] O. Grumberg and D. E. Long. Model checking and modular verification. ACM Trans. Program. Lang. Syst., 16(3):843–871, May 1994.
[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM, 12(10):576–580, 583, 1969.
[Kat86] S. Katz. Temporary stability in parallel programs. Tech. Rep., Computer Science Dept., Technion, Haifa, Israel, 1986.
[KMTV00] O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in reactive environments: Control and synthesis. In Proc. 11th Int. Conf. on Concurrency Theory, volume 1877 of Lecture Notes in Computer Science, pages 92–107, State College, Pennsylvania, 2000. Springer-Verlag.
[KV97] O. Kupferman and M. Y. Vardi. Synthesis with incomplete information. In 2nd International Conference on Temporal Logic, pages 91–106, Manchester, July 1997. Kluwer Academic Publishers.
[LLSG92] R. Ladin, B. Liskov, L. Shrira, and S. Ghemawat. Providing high availability using lazy replication. ACM Transactions on Computer Systems, 10(4):360–391, Nov. 1992.
[Moi97] M. Moir. Transparent support for wait-free transactions. In Workshop on Distributed Algorithms, 1997.
[Moi00] M. Moir. Laziness pays! Using lazy synchronization mechanisms to improve non-blocking constructions. In Symposium on Principles of Distributed Computing, 2000.
[MW84] Z. Manna and P. Wolper. Synthesis of communicating processes from temporal logic specifications. ACM Trans. Program. Lang. Syst., 6(1):68–93, Jan. 1984. Also appears in Proceedings of the Workshop on Logics of Programs, Yorktown Heights, N.Y., Springer-Verlag Lecture Notes in Computer Science (1981).
[PR89a] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proceedings of the 16th ACM Symposium on Principles of Programming Languages, pages 179–190, New York, 1989. ACM.
[PR89b] A. Pnueli and R. Rosner. On the synthesis of asynchronous reactive modules. In Proceedings of the 16th ICALP, volume 372 of Lecture Notes in Computer Science, pages 652–671, Berlin, 1989. Springer-Verlag.
[PRZ01] A. Pnueli, S. Ruah, and L. Zuck. Automatic deductive verification with invisible invariants. In TACAS, 2001.
[SG92] A. P. Sistla and S. M. German. Reasoning about systems with many processes. J. ACM, 39(3):675–735, 1992. Conference version appears in IEEE Logic in Computer Science 1987.
[SP88] E. Styer and G. Peterson. Improved algorithms for distributed resource allocation. In Proceedings of the 7th Annual ACM Symposium on Principles of Distributed Computing, New York, Jan. 1988. ACM.
