

# Proof of mutual-exclusion and non-starvation of a program with weak memory model: PostgreSQL

Patrick Cousot (NYU, Emer. ENS, PSL)  
(joint work with Jade Alglave)

International joint research project ``Analysis and verification of dependable cyber physical software''  
National Natural Science Foundation of China  
Changsha, December 9 , 2016

# PostgreSQL

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do
2:   do
3:     r[] R10 latch0
4:     while (R10=0)
5:     w[] latch0 0
6:     r[] Rf0 flag0
7:     if (Rf0≠0) then
8:       (* critical section *)
9:       w[] flag0 0
10:      w[] flag1 1
11:      w[] latch1 1
12:    fi
13:  while true
14:
```

|||

```
21:do
22:  do
23:    r[] R11 latch1
24:    while (R11=0)
25:    w[] latch1 0
26:    r[] Rf1 flag1
27:    if (Rf1≠0) then
28:      (* critical section *)
29:      w[] flag1 0
30:      w[] flag0 1
31:      w[] latch0 1
32:    fi
33:
```

# Methodology



# Methodology

## Invariance



# Methodology



# Methodology



# Methodology



# Methodology



# Conditional invariance proof: Mutual exclusion

# Algorithm



# PostgreSQL

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {ji}
3:     r[] R10 latch0 {~~ L0iji}
4:     while (R10=0) {ki}
5:     w[] latch0 0
6:     r[] Rf0 flag0 {~~ F0i}
7:     if (Rf0≠0) then
8:       (* critical section *)
9:       w[] flag0 0
10:      w[] flag1 1
11:      w[] latch1 1
12:    fi
13:  while true
14:
15:  ||| do {ℓ}
16:    do {mℓ}
17:      r[] R11 latch1 {~~ L1ℓmℓ}
18:      while (R11=0) {nℓ}
19:      w[] latch1 0
20:      r[] Rf1 flag1 {~~ F1ℓ}
21:      if (Rf1≠0) then
22:        (* critical section *)
23:        w[] flag1 0
24:        w[] flag0 1
25:        w[] latch0 1
26:      fi
27:    while true
28:
29:  |||
```

# Stamps

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {ji}
3:     r[] R10 latch0 {~~ L0iji}
4:     while (R10=0) {ki}
5:     w[] latch0 0
6:     r[] Rf0 flag0 {~~ F0i}
7:     if (Rf0≠0) then
8:       (* critical section *)
9:       w[] flag0 0
10:      w[] flag1 1
11:      w[] latch1 1
12:    fi
13:  while true
14:
15:  do {ℓ}
16:    do {mℓ}
17:      r[] R11 latch1 {~~ L1ℓmℓ}
18:      while (R11=0) {nℓ}
19:      w[] latch1 0
20:      r[] Rf1 flag1 {~~ F1ℓ}
21:      if (Rf1≠0) then
22:        (* critical section *)
23:        w[] flag1 0
24:        w[] flag0 1
25:        w[] latch0 1
26:      fi
27:    while true
28:
29:
```

Ensure that events are unique (your choice)

# Variables in Hoare logic & L/O-G

- program variables: `int x;`
- in predicates you need to name the value of variable  $x$  to express properties of this value of  $x$ :
  - $\text{valueof}(x)$
  - $x$
- WCM: no notion of “the” value of a shared variable  $x$
- The only way to know something about “the” value of a shared variable  $x$  is to read it
- **Pythia variable**: name given to the read value
- Not necessary in the semantics, only in assertions (but we put them in the semantics)

# Pythia variables

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {j_i}
3:     r[] R10 latch0 {~~ L0^i_{j_i}}
4:   while (R10=0) {k_i}
5:   w[] latch0 0
6:   r[] Rf0 flag0 {~~ F0^i}
7:   if (Rf0≠0) then
8:     (* critical section *)
9:     w[] flag0 0
10:    w[] flag1 1
11:    w[] latch1 1
12:  fi
13: while true
14:
15: do {l}
16:   do {m_l}
17:     r[] R11 latch1 {~~ L1^l_{m_l}}
18:   while (R11=0) {n_l}
19:   w[] latch1 0
20:   r[] Rf1 flag1 {~~ F1^l}
21:   if (Rf1≠0) then
22:     (* critical section *)
23:     w[] flag1 0
24:     w[] flag0 1
25:     w[] latch0 1
26:   fi
27: while true
28:
29:
30:
31:
32:
33:

```

# Invariant specification $S_{inv}$



# Mutual exclusion

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {ji}
3:     r[] R10 latch0 {↔ L0jii}
4:     while (R10=0) {ki}
5:     w[] latch0 0
6:     r[] Rf0 flag0 {↔ F0i}
7:     if (Rf0≠0) then
8:       ¬at{28}
      (* critical section *)
      w[] flag0 0
9:     w[] flag1 1
10:    w[] latch1 1
11:  fi
12:while true
13:
```

  

```
||| 21:do {ℓ}
||| 22:  do {mℓ}
||| 23:    r[] R11 latch1 {↔ L1mℓℓ}
||| 24:    while (R11=0) {nℓ}
||| 25:    w[] latch1 0
||| 26:    r[] Rf1 flag1 {↔ F1ℓ}
||| 27:    if (Rf1≠0) then
||| 28:      ¬at{8}
      (* critical section *)
      w[] flag1 0
||| 29:      w[] flag0 1
||| 30:      w[] latch0 1
||| 31:    fi
||| 32:while true
||| 33:
```

(invariant  $S_{inv}$  is elsewhere true)

Analytic semantics =  
Anarchic semantics +  
communication constraints

# Analytics semantics with cuts

```

0:{ x = 0; y = 0; }
P0          || P1           ;
1:r[] r1 x  || 11:r[] r2 y;
2:w[] y 1   || 12:w[] x 1 ;
3:          || 13:          ;

```

- Anarchic semantics: set of executions:

$$\pi = \varsigma \times \pi \times rf$$

- $\varsigma$  is the *computation*
- $\pi$  is the *cut sequence*
- $rf$  is the *communication*



- Communication semantics:  
restrictions on  $rf$  in cat

# Local invariants



# Local invariant



- Attached to each program point  $\ell$  of each process  $p$
- Depends on
  - Program points of all other processes  $\kappa$
  - Stamps  $\theta$  of all processes
  - Local registers of all processes  $\rho$
  - Pythia variables  $\nu$
  - Communications (rf)

# Communication relation rf

- rf: relation between write and read events
- Each rf is encoded by  $\Gamma$ , a set of pairs



- $\Gamma \in \Gamma$ . (the set of all possible communications rf)

# Anarchic communications

# Anarchic communications

- Any read can read from any write on the same shared variable (location)

$$\text{RL0}_{j_i}^i \triangleq \{\text{rf}\langle L0_{j_i}^i, \langle 0: , -, 0 \rangle \rangle, \text{rf}\langle L0_{j_i}^i, \langle 5: , i_5, 0 \rangle \rangle, \text{rf}\langle L0_{j_i}^i, \langle 30: , \ell_{30}, 1 \rangle \rangle \mid i_5 \in \mathbb{N} \wedge \ell_{30} \in \mathbb{N}\}$$

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {ji}
3:     r[] Rl0 latch0 {~~ L0jii}
4:     while (Rl0=0) {ki}
5:     w[] latch0 0
6:     r[] Rf0 flag0 {~~ F0i}
7:     if (Rf0≠0) then
8:       (* critical section *)
9:       w[] flag0 0
10:      w[] flag1 1
11:      w[] latch1 1
12:    fi
13:  while true
14:
15: 21:do {ℓ}
16:    do {mℓ}
17:      r[] Rl1 latch1 {~~ L1mℓℓ}
18:      while (Rl1=0) {nℓ}
19:      w[] latch1 0
20:      r[] Rf1 flag1 {~~ F1ℓ}
21:      if (Rf1≠0) then
22:        (* critical section *)
23:        w[] flag1 0
24:        w[] flag0 1
25:        w[] latch0 1
26:      fi
27:    while true
28:
```

```
14:
15: 21:do {ℓ}
16:    do {mℓ}
17:      r[] Rl1 latch1 {~~ L1mℓℓ}
18:      while (Rl1=0) {nℓ}
19:      w[] latch1 0
20:      r[] Rf1 flag1 {~~ F1ℓ}
21:      if (Rf1≠0) then
22:        (* critical section *)
23:        w[] flag1 0
24:        w[] flag0 1
25:        w[] latch0 1
26:      fi
27:    while true
28:
```

# Anarchic communications

- Possible communications for each read at each stamp (point in the execution):

$$\text{RL0}_{j_i}^i \triangleq \{\text{rf}\langle L0_{j_i}^i, \langle 0:, \_, 0 \rangle \rangle, \text{rf}\langle L0_{j_i}^i, \langle 5:, i_5, 0 \rangle \rangle, \text{rf}\langle L0_{j_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \mid i_5 \in \mathbb{N} \wedge \ell_{30} \in \mathbb{N}\}$$

$$\text{RF0}^i \triangleq \{\text{rf}\langle F0^i, \langle 0:, \_, 0 \rangle \rangle, \text{rf}\langle F0^i, \langle 8:, i_8, 0 \rangle \rangle, \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \mid i_8 \in \mathbb{N} \wedge \ell_{29} \in \mathbb{N}\}$$

$$\text{RL1}_{m_\ell}^\ell \triangleq \{\text{rf}\langle L1_{m_\ell}^\ell, \langle 0:, \_, 1 \rangle \rangle, \text{rf}\langle L1_{m_\ell}^\ell, \langle 25:, \ell_{25}, 0 \rangle \rangle, \text{rf}\langle L1_{m_\ell}^\ell, \langle 10:, i_{10}, 1 \rangle \rangle \mid \ell_{25} \in \mathbb{N} \wedge i_{10} \in \mathbb{N}\}$$

$$\text{RF1}^\ell \triangleq \{\text{rf}\langle F1^\ell, \langle 0:, \_, 1 \rangle \rangle, \text{rf}\langle F1^\ell, \langle 28:, \ell_{28}, 0 \rangle \rangle, \text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \mid \ell_{28} \in \mathbb{N} \wedge i_9 \in \mathbb{N}\}$$

- Anarchic communications:

$$\bar{\Gamma} = \{\{\text{rl0}_{j_i}^i, \text{rf0}^i, \text{rl1}_{m_\ell}^\ell, \text{rf1}^\ell \mid i \in \mathbb{N} \wedge j_i \in [0, k_i] \wedge \ell \in \mathbb{N} \wedge j \in [0, n_\ell]\} \mid \forall i \in \mathbb{N} . \forall j_i \in [1, k_i] . \\ \text{rl0}_{j_i}^i \in \text{RL0}_{j_i}^i \wedge \text{rf0}^i \in \text{RF0}^i \wedge \forall \ell \in \mathbb{N} . \forall m_\ell \in [1, m_\ell] . \text{rl1}_{m_\ell}^\ell \in \text{RL1}_{m_\ell}^\ell \wedge \text{rf1}^\ell \in \text{RF1}^\ell\}$$

- Anarchic semantics:  $\Gamma \in \bar{\Gamma}$

- WCM semantics:  $\Gamma \in \Gamma, \Gamma \subseteq \bar{\Gamma}$

# Inductive invariant $S_{ind}$



# Inductive invariant

- $S_{ind}$  is inductive under hypothesis  $S_{com}$  iff, assuming  $S_{com}$ , we have:
  - $S_{ind}$  is true at the beginning of an execution
  - If  $S_{ind}$  is true during execution is remains true after one more computation or communication step
- $S_{inv}$  holds under hypothesis  $S_{com}$ 
$$S_{ind} \Rightarrow S_{inv}$$

---

$$S_{com} \Rightarrow S_{inv}$$

# Inductive invariant

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1: { $\Gamma \in \Gamma$ }
   do {i}
2: { $\Gamma \in \Gamma$ }
   do {ji}
3: { $\Gamma \in \Gamma$ }
   r[] Rl0 latch0 { $\rightsquigarrow L0_{j_i}^i$ }
4: { $\Gamma \in \Gamma \wedge Rl0 = L0_{j_i}^i \wedge (r0Rl0_{j_i}^i[\Gamma] \vee r1Rl0_{j_i}^i[\Gamma])$ }
   while (Rl0=0) {ki}
5: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma]$ }
   w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma]$ }
   r[] Rf0 flag0 { $\rightsquigarrow F0^i$ }
7: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$ }
    $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ 
   if (Rf0≠0) then
8: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   (* critical section *)
   w[] flag0 0
9: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   w[] flag1 1
10: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   w[] latch1 1
11: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   fi
12: { $\Gamma \in \Gamma$ }
   while true
13:{false}

21:{ $\Gamma \in \Gamma$ }
   do {ℓ}
22: { $\Gamma \in \Gamma$ }
   do {mℓ}
23: { $\Gamma \in \Gamma$ }
   r[] Rl1 latch1 { $\rightsquigarrow L1_{m_\ell}^\ell$ }
24: { $\Gamma \in \Gamma \wedge Rl1 = L1_{m_\ell}^\ell \wedge (r0Rl1_{m_\ell}^\ell[\Gamma] \vee r1Rl1_{m_\ell}^\ell[\Gamma])$ }
   while (Rl1=0) {nℓ}
25: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma]$ }
   w[] latch1 0
26: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma]$ }
   r[] Rf1 flag1 { $\rightsquigarrow F1^\ell$ }
27: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge Rf1 = F1^\ell$ }
    $\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])$ 
   if (Rf1≠0) then
28: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   (* critical section *)
   w[] flag1 0
29: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   w[] flag0 1
30: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   w[] latch0 1
31: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   fi
32: { $\Gamma \in \Gamma$ }
   while true
33:{false}

```

# Inductive invariant

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1:  $\{\Gamma \in \Gamma\}$   
 do  $\{i\}$   
 2:  $\{\Gamma \in \Gamma\}$       do  $\{j_i\}$        $\{\Gamma \in \Gamma\}$   
 3:  $\{\Gamma \in \Gamma\}$   
 $r[] R10 \text{latch0 } \{\sim L0_{j_i}^i\}$   
 4:  $\{\Gamma \in \Gamma \wedge R10 = L0_{j_i}^i \wedge (r0R10_{j_i}^i[\Gamma] \vee r1R11_{m_\ell}^{\ell}[\Gamma])\}$   
 while ( $R10=0$ )  $\{k_i\}$   
 5:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]\}$   
 $w[] \text{latch0 } 0$   
 6:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]\}$   
 $r[] Rf0 \text{flag0 } \{\sim F0^i\}$   
 7:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge Rf0 = F0^i \wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])\}$   
 if ( $Rf0 \neq 0$ ) then  
 8:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$   
 (\* critical section \*)  
 $w[] \text{flag0 } 0$   
 9:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$   
 $w[] \text{flag1 } 1$   
 10:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$   
 $w[] \text{latch1 } 1$   
 11:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$   
 fi  
 12:  $\{\Gamma \in \Gamma\}$   
 while true  
 13:  $\{\text{false}\}$

||| 21:  $\{\Gamma \in \Gamma\}$   
 do  $\{\ell\}$   
 22:  $\{\Gamma \in \Gamma\}$   
 $w[] \text{latch1 } 0$   
 26:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma]\}$   
 $r[] R11 \text{flag1 } \{\sim F1^\ell\}$   
 27:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge Rf1 = F1^\ell \wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])\}$   
 if ( $Rf1 \neq 0$ ) then  
 28:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$   
 (\* critical section \*)  
 $w[] \text{flag1 } 0$   
 29:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$   
 $w[] \text{flag0 } 1$   
 30:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$   
 $w[] \text{latch0 } 1$   
 31:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$   
 fi  
 32:  $\{\Gamma \in \Gamma\}$   
 while true  
 33:  $\{\text{false}\}$

**Possible communications**

$R11_{m_\ell}^{\ell}[\Gamma])\}$

# Inductive invariant

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1: { $\Gamma \in \Gamma$ }
   do {i}
2: { $\Gamma \in \Gamma$ }
   do {ji}
3: { $\Gamma \in \Gamma$ }
   r[] R10 latch0 { $\rightsquigarrow L0_{j_i}^i$ }
4: { $\Gamma \in \Gamma \wedge R10 = L0_{j_i}^i \wedge (r0RI0_{j_i}^i[\Gamma] \vee r1RI0_{j_i}^i[\Gamma])$ }
   while (R10=0) {ki}
5: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma]$ }
   w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma]$ }
   r[] Rf0 flag0 { $\rightsquigarrow F0^i$ }
7: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$ }
    $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ 
if (Rf0 < 0) then
8: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i \wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   (* c *)
   w[] :
9: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i \wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   w[] :
10: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i \wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   w[] :
11: { $\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i \wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   fi
12: { $\Gamma \in \Gamma$ }
   while true
13:{false}

21: { $\Gamma \in \Gamma$ }
   do {l}
22: { $\Gamma \in \Gamma$ }
   do {ml}
23: { $\Gamma \in \Gamma$ }
   r[] R11 latch1 { $\rightsquigarrow L1_{m_l}^l$ }
24: { $\Gamma \in \Gamma \wedge R11 = L1_{m_l}^l \wedge (r0RI1_{m_l}^l[\Gamma] \vee r1RI1_{m_l}^l[\Gamma])$ }
   while (R11=0) {nl}
25: { $\Gamma \in \Gamma \wedge r1RI1_{n_l}^l[\Gamma]$ }
   w[] latch1 0
26: { $\Gamma \in \Gamma \wedge r1RI1_{n_l}^l[\Gamma]$ }
   r[] Rf1 flag1 { $\rightsquigarrow F1^l$ }
27: { $\Gamma \in \Gamma \wedge r1RI1_{n_l}^l[\Gamma] \wedge Rf1 = F1^l$ }
    $\wedge (r0Rf1^l[\Gamma] \vee r1Rf1^l[\Gamma])$ 

if (Rf1 > 0) then
28: { $\Gamma \wedge r1RI1_{n_l}^l[\Gamma] \wedge r1Rf1^l[\Gamma]$ }
   (* critical section *)
   lag1 0
29: { $\Gamma \wedge r1RI1_{n_l}^l[\Gamma] \wedge r1Rf1^l[\Gamma]$ }
   lag0 1
30: { $\Gamma \wedge r1RI1_{n_l}^l[\Gamma] \wedge r1Rf1^l[\Gamma]$ }
   latch0 1
31: { $\Gamma \wedge r1RI1_{n_l}^l[\Gamma] \wedge r1Rf1^l[\Gamma]$ }

32: { $\Gamma \in \Gamma$ }
   while true
33:{false}

```

Register assignment of  
 the Pythia variable  
 after read event

# Inductive invariant

|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <pre> {0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }  1: {<math>\Gamma \in \Gamma</math>}    do {i} 2: {<math>\Gamma \in \Gamma</math>}    do {j<sub>i</sub>} 3: {<math>\Gamma \in \Gamma</math>}    r[] R10 latch0 {<math>\rightsquigarrow L0_{j_i}^i</math>} 4: {<math>\Gamma \in \Gamma \wedge R10 = L0_{j_i}^i \wedge (r0R10_{j_i}^i[\Gamma] \vee r1R10_{j_i}^i[\Gamma])</math>}    while (R10=0) {k<sub>i</sub>} 5: {<math>\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]</math>}    w[] latch0 0 </pre> | <pre> 21: {<math>\Gamma \in \Gamma</math>}    do {<math>\ell</math>} 22: {<math>\Gamma \in \Gamma</math>}    do {m<sub><math>\ell</math></sub>} 23: {<math>\Gamma \in \Gamma</math>}    r[] R11 latch1 {<math>\rightsquigarrow L1_{m_\ell}^\ell</math>} 24: {<math>\Gamma \in \Gamma \wedge R11 = L1_{m_\ell}^\ell \wedge (r0R11_{m_\ell}^\ell[\Gamma] \vee r1R11_{m_\ell}^\ell[\Gamma])</math>}    while (R11=0) {n<sub><math>\ell</math></sub>} 25: {<math>\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma]</math>}    w[] latch1 0 </pre> |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

Possible values of Pythia variables depending on communications

$$\begin{aligned}
r0R10_{j_i}^i[\Gamma] &\triangleq (\text{rf}\langle L0_{j_i}^i, \langle 0:, \_, 0 \rangle \rangle \in \Gamma \wedge L0_{j_i}^i = 0) \vee (\exists i_5 \in \mathbb{N} . \text{rf}\langle L0_{j_i}^i, \langle 5:, i_5, 0 \rangle \rangle \in \Gamma \wedge L0_{j_i}^i = 0) \\
r1R10_{j_i}^i[\Gamma] &\triangleq (\exists \ell_{30} \in \mathbb{N} . \text{rf}\langle L0_{j_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge L0_{j_i}^i = 1)
\end{aligned}$$

|                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <pre> w[] flag0 0 9: {<math>\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]</math>}    w[] flag1 1 10: {<math>\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]</math>}    w[] latch1 1 11: {<math>\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]</math>}    fi 12: {<math>\Gamma \in \Gamma</math>}    while true 13: {false} </pre> | <pre> w[] flag1 0 29: {<math>\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]</math>}    w[] flag0 1 30: {<math>\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]</math>}    w[] latch0 1 31: {<math>\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]</math>}    fi 32: {<math>\Gamma \in \Gamma</math>}    while true 33: {false} </pre> |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

# Communicated values

- Notation:



$$r0Rl0^i_{j_i}[\Gamma] \triangleq (\text{rf}\langle L0^i_{j_i}, \langle 0: , \_, 0 \rangle \rangle \in \Gamma \wedge L0^i_{j_i} = 0) \vee (\exists i_5 \in \mathbb{N} . \text{rf}\langle L0^i_{j_i}, \langle 5: , i_5, 0 \rangle \rangle \in \Gamma \wedge L0^i_{j_i} = 0)$$

$$r1Rl0^i_{j_i}[\Gamma] \triangleq (\exists \ell_{30} \in \mathbb{N} . \text{rf}\langle L0^i_{j_i}, \langle 30: , \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge L0^i_{j_i} = 1)$$

$$r0Rf0^i[\Gamma] \triangleq (\text{rf}\langle F0^i, \langle 0: , \_, 0 \rangle \rangle \in \Gamma \wedge F0^i = 0) \vee (\exists i_8 \in \mathbb{N} . \text{rf}\langle F0^i, \langle 8: , i_8, 0 \rangle \rangle \in \Gamma \wedge F0^i = 0)$$

$$r1Rf0^i[\Gamma] \triangleq (\exists \ell_{29} \in \mathbb{N} . \text{rf}\langle F0^i, \langle 29: , \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge F0^i = 1)$$

$$r0Rl1^\ell_{m_\ell}[\Gamma] \triangleq (\exists \ell_{25} \in \mathbb{N} . \text{rf}\langle L1^\ell_{m_\ell}, \langle 25: , \ell_{25}, 0 \rangle \rangle \in \Gamma \wedge L1^\ell_{m_\ell} = 0)$$

$$r1Rl1^\ell_{m_\ell}[\Gamma] \triangleq (\text{rf}\langle L1^\ell_{m_\ell}, \langle 0: , \_, 1 \rangle \rangle \in \Gamma \wedge L1^\ell_{m_\ell} = 1) \vee (\exists i_{10} \in \mathbb{N} . \text{rf}\langle L1^\ell_{m_\ell}, \langle 10: , i_{10}, 1 \rangle \rangle \in \Gamma \wedge L1^\ell_{m_\ell} = 1)$$

$$r0Rf1^\ell[\Gamma] \triangleq (\exists m_{28} \in \mathbb{N} . \text{rf}\langle F1^\ell, \langle 28: , m_{28}, 0 \rangle \rangle \in \Gamma \wedge F1^\ell = 0)$$

$$r1Rf1^\ell[\Gamma] \triangleq (\text{rf}\langle F1^\ell, \langle 0: , \_, 1 \rangle \rangle \in \Gamma \wedge F1^\ell = 1) \vee (\exists i_9 \in \mathbb{N} . \text{rf}\langle F1^\ell, \langle 9: , i_9, 1 \rangle \rangle \in \Gamma \wedge F1^\ell = 1)$$

# Communication specification



# Calculational design of the communication specification

$$\begin{aligned}
& (\neg S_{inv}(\Gamma, \Gamma)) \wedge S_{ind}(\Gamma, \Gamma) \\
\triangleq & \text{at}\{8\} \wedge \text{at}\{28\} \wedge S_{ind}(\Gamma, \Gamma) \quad \{ \text{def. invariance specification } S_{inv} \} \\
\Rightarrow & \text{at}\{8\} \wedge \text{at}\{28\} \wedge (\exists i, k_i, \ell, n_\ell \in \mathbb{N} . \Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge \\
& r1Rf0^i[\Gamma] \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]) \quad \{ \text{by invariant } S_{ind}(\Gamma, \Gamma) \} \\
\Rightarrow & \text{at}\{8\} \wedge \text{at}\{28\} \wedge (\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29} \in \mathbb{N} . \Gamma \in \Gamma \wedge (\text{rf}\langle L0_{k_i}^i, \\
& \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle L1_{n_\ell}^\ell, \\
& \langle 0:, \_, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F1^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma)) \vee \\
& (\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_9 \in \mathbb{N} . \Gamma \in \Gamma \wedge (\text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle L1_{n_\ell}^\ell, \langle 0:, \_, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \in \Gamma)) \vee \\
& (\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10} \in \mathbb{N} . \Gamma \in \Gamma \wedge (\text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle L1_{n_\ell}^\ell, \langle 10:, i_{10}, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F1^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma)) \vee \\
& (\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10}, i_9 \in \mathbb{N} . \Gamma \in \Gamma \wedge (\text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle L1_{n_\ell}^\ell, \langle 10:, i_{10}, \\
& 1 \rangle \rangle \in \Gamma) \wedge (\text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \in \Gamma)) \\
& \{ \text{def. } r1Rl0_{k_i}^i[\Gamma], r1Rf0^i[\Gamma], r1Rl1_{n_\ell}^\ell[\Gamma], \text{ and } r1Rf1^\ell[\Gamma], \text{ rf}\langle x_\theta, \\
& \langle \ell:, \theta', v \rangle \rangle \text{ implies that } x_\theta = v, A \wedge (B \vee C) = (A \wedge B) \vee \\
& (A \wedge C), \exists \text{ distributes over } \vee, \text{ and } (\exists x . A(x)) \wedge B = \exists x . \\
& (A(x) \wedge B) \text{ when } x \text{ is not free in } B \} \\
\Rightarrow & \text{at}\{8\} \wedge \text{at}\{28\} \wedge (\neg S_{com_1}(\Gamma, \Gamma) \vee \neg S_{com_2}(\Gamma, \Gamma) \vee \neg S_{com_3}(\Gamma, \Gamma) \vee \\
& \neg S_{com_4}(\Gamma, \Gamma)) \\
\Rightarrow & \neg S_{com}(\Gamma, \Gamma)
\end{aligned}$$

# Calculational design of the communication specification

- where

$$S_{com}(\Gamma, \bar{\Gamma}) \triangleq (\text{at}\{8\} \wedge \text{at}\{28\}) \implies (S_{com_1}(\Gamma, \bar{\Gamma}) \wedge S_{com_2}(\Gamma, \bar{\Gamma}) \wedge S_{com_3}(\Gamma, \bar{\Gamma}) \wedge S_{com_4}(\Gamma, \bar{\Gamma}))$$

$$S_{com_1} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29} \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma)$$

$$S_{com_2} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_9 \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \in \Gamma)$$

$$S_{com_3} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10} \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 10:, i_{10}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 0:, \_, 1 \rangle \rangle \in \Gamma)$$

$$S_{com_4} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10}, i_9 \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 10:, i_{10}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \in \Gamma)$$

- This proves  $S_{com}$  sufficient for correctness
- Counter-examples prove  $S_{com}$  necessary  $\Rightarrow S_{com}$  is the weakest WCM requirement for correctness

# Example of counter-example to $S_{com_1}$

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1:
  do {i}
2:
  do {j_i}
3:
    r[] R10 latch0 {~> L0ij_i}
4:
    while (R10=0) {k_i}
5:
    w[] latch0 0
6:
    r[] Rf0 flag0 {~> F0i}
7:
    if (Rf0≠0) then
8:
      (* critical section *)
      w[] flag0 0
9:
      w[] flag1 1
10:
      w[] latch1 1
11:
      fi
12:
      while true
13:

21:
  do {ℓ}
22:
  do {m_ℓ}
23:
    r[] R11 latch1 {~> L1ℓm_ℓ}
24:
    while (R11=0) {n_ℓ}
25:
    w[] latch1 0
26:
    r[] Rf1 flag1 {~> F1ℓ}
27:
    if (Rf1≠0) then
28:
      (* critical section *)
      w[] flag1 0
29:
      w[] flag0 1
30:
      w[] latch0 1
31:
      fi
32:
      while true
33:

```

The diagram illustrates a counter-example to the safety property  $S_{com_1}$ . It shows two parallel processes separated by a vertical line. The left process (labeled 1 to 13) contains a loop where it reads from  $R10$ , writes to  $latch0$ , and checks  $Rf0$ . The right process (labeled 21 to 33) contains a similar loop for  $R11$  and  $latch1$ . Red arrows show transitions between states. A pink dashed line at the bottom of both processes indicates a critical section. A large red 'cut' is shown on the right side of the diagram, indicating a point where the two processes diverge or interact in a way that violates the safety property.

# Proof of mutual exclusion

- $S_{com}$  implies mutual exclusion (for any  $\Gamma$ )

$$\begin{aligned} & (\neg S_{inv}(\Gamma, \Gamma) \wedge S_{ind}(\Gamma, \Gamma)) \implies \neg(S_{com}(\Gamma, \Gamma)) \\ \implies & S_{com}(\Gamma, \Gamma) \implies (S_{inv}(\Gamma, \Gamma) \vee \neg S_{ind}(\Gamma, \Gamma)) \quad \{\text{contraposition}\} \\ \implies & S_{com}(\Gamma, \Gamma) \implies (S_{ind}(\Gamma, \Gamma) \implies S_{inv}(\Gamma, \Gamma)) \quad \{\text{implication}\} \\ \implies & (S_{com}(\Gamma, \Gamma) \wedge S_{ind}(\Gamma, \Gamma)) \implies S_{inv}(\Gamma, \Gamma) \quad \{\text{implication}\} \\ \implies & S_{com}(\Gamma, \bar{\Gamma}) \Rightarrow S_{inv}(\Gamma, \bar{\Gamma}) \quad \{\text{since } S_{com}(\Gamma, \bar{\Gamma}) \Rightarrow S_{ind}(\Gamma, \bar{\Gamma})\} \end{aligned}$$

# Conditional invariance proof



# Sequential proof $\ell = \kappa$ and $p = q$

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1:  $\{\Gamma \in \Gamma\}$

2:   do  $\{i\}$

3:      $\{\Gamma \in \Gamma\}$

    r[] R10 lat  
4:      $\{\Gamma \in \Gamma \wedge R10\}$

    while (R10=0)

5:      $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma]\}$

    w[] latch0 0

6:      $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma]\}$

    r[] Rf0 flag0  $\{\rightsquigarrow F0^i\}$

7:      $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$

$\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])\}$

    if (Rf0 ≠ 0) then

8:        $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

        (\* critical section \*)

        w[] flag0 0

9:        $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

        w[] flag1 1

10:       $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

        w[] latch1 1

11:       $\{\Gamma \in \Gamma \wedge r1RI0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

        fi

12:      $\{\Gamma \in \Gamma\}$

    while true

13:{false}

|| 21:{ $\Gamma \in \Gamma\}$ }

For a *read instruction*  $\kappa : r[ts] R x \kappa'$ : (read)

$$\text{PRE}_{p,r}^{\ell,\kappa}[\theta_r, \rho_r, \nu_r, \text{rf}] \wedge \text{rf}[\mathfrak{w}(\langle q, \ell', w[ts] x \text{ r-value}, \theta' \rangle, v), \\ \mathfrak{r}(\langle r, \ell, r[ts] R x, \theta_r \rangle, x_{\theta_r})] \in \text{rf}$$

$$\Rightarrow \text{POST}_{p,r}^{\ell,\kappa'}[\rho_r \leftarrow \rho_r[R := x_{\theta_r}], \nu_r \leftarrow \nu_r[x_{\theta_r} := v]]$$

25:  $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma]\}$

w[] latch1 0

26:  $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma]\}$

r[] Rf1 flag1  $\{\rightsquigarrow F1^\ell\}$

27:  $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma] \wedge Rf1 = F1^\ell$

$\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])\}$

if (Rf1 ≠ 0) then

28:     $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

        (\* critical section \*)

        w[] flag1 0

29:     $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

        w[] flag0 1

30:     $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

        w[] latch0 1

31:     $\{\Gamma \in \Gamma \wedge r1RI1_{n_e}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

        fi

32:     $\{\Gamma \in \Gamma\}$

    while true

33:{false}

# Sequential proof $\ell = \kappa$ and $p = q$

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1:  $\{\Gamma \in \Gamma\}$

do  $\{i\}$

2:  $\{\Gamma \in \Gamma\}$

do  $\{j_i\}$

3:  $\{\Gamma \in \Gamma\}$

r[] R10 lat

4:  $\{\Gamma \in \Gamma \wedge R10\}$

while (R10=0)

5:  $\{\Gamma \in \Gamma \wedge r1R10\}$

w[] latch0 0

6:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]\}$

r[] Rf0 flag0  $\{\rightsquigarrow F0^i\}$

7:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$

$\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])\}$

if (Rf0 $\neq$ 0) then

8:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

(\* critical section \*)

w[] flag0 0

9:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

w[] flag1 1

10:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

w[] latch1 1

11:  $\{\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]\}$

fi

12:  $\{\Gamma \in \Gamma\}$

while true

13:{false}

21:  $\{\Gamma \in \Gamma\}$

do  $\{\ell\}$

22:  $\{\Gamma \in \Gamma\}$

do  $\{m_\ell\}$

For a *test instruction*  $\kappa : b[ts]$  operation  $l_t \kappa'$ :

(test)

$PRE_{p,r}^{\ell,\kappa}[\rho_r, \nu_r] \wedge sat(E[\text{operation}](\rho_r, \nu_r) \neq 0) \Rightarrow POST_{p,r}^{\ell,l_t}$

$PRE_{p,r}^{\ell,\kappa}[\rho_r, \nu_r] \wedge sat(E[\text{operation}](\rho_r, \nu_r) = 0) \Rightarrow POST_{p,r}^{\ell,\kappa'}$

26:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma]\}$

r[] Rf1 flag1  $\{\rightsquigarrow F1^\ell\}$

27:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge Rf1 = F1^\ell$

$\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])\}$

if (Rf1 $\neq$ 0) then

28:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

(\* critical section \*)

w[] flag1 0

29:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

w[] flag0 1

30:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

w[] latch0 1

31:  $\{\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]\}$

fi

32:  $\{\Gamma \in \Gamma\}$

while true

33:{false}

# Sequential proof $\ell = \kappa$ and $p = q$

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

1: { $\Gamma \in \Gamma$ }
   do { $i$ }
2: { $\Gamma \in \Gamma$ }
   do { $j_i$ }
3: { $\Gamma \in \Gamma$ }
   r[] R10 latch0 { $\rightsquigarrow L0_{j_i}^i$ }
4: { $\Gamma \in \Gamma \wedge R10 = L0^i \wedge (m0R10^i[\Gamma] \vee r1R10^i[\Gamma])$ }
   while (R10=0)
5: { $\Gamma \in \Gamma \wedge r1R10^i$ }
   w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1R10^i$ }
   r[] Rf0 flag0
7: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge m0 = r0$ 
    $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   if (Rf0≠0) then
8: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   (* critical section *)
   w[] flag0 0
9: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   w[] flag1 1
10: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   w[] latch1 1
11: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
   fi
12: { $\Gamma \in \Gamma$ }
   while true
13:{false}

```

For local side-effect free **marker instructions**  $\kappa$  :  $instr \kappa'$   
 where  $instr = f[ts] [l_1^0 \dots l_1^m] [l_2^0 \dots l_2^q]$ ,  $w[ts] x r\text{-value}$ ,  
 $beginrmw[ts] x$ ,  $endrmw[ts] x$ : (marker)  
 $PRE_{p,r}^{\ell,\kappa} \Rightarrow POST_{p,r}^{\ell,\kappa'}$

```

21: { $\Gamma \in \Gamma$ }
   do { $\ell$ }
22: { $\Gamma \in \Gamma$ }
   do { $m_\ell$ }
23: { $\Gamma \in \Gamma$ }
   r[] R11 latch1 { $\rightsquigarrow L1_{m_\ell}^\ell$ }
24: { $\Gamma \in \Gamma \wedge R11 = L1^\ell \wedge (m0R11^\ell[\Gamma] \vee r1R11^\ell[\Gamma])$ }
   while (R11=0)
25: { $\Gamma \in \Gamma \wedge r1R11^\ell$ }
   w[] latch1 0
26: { $\Gamma \in \Gamma \wedge r1R11^\ell$ }
   r[] Rf1 flag1
27: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge m1 = r1$ 
    $\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])$ }
   if (Rf1≠0) then
28: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   (* critical section *)
   w[] flag1 0
29: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   w[] flag0 1
30: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   w[] latch0 1
31: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ }
   fi
32: { $\Gamma \in \Gamma$ }
   while true
33:{false}

```

# Non-interference proof

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
```

```

1: { $\Gamma \in \Gamma$ }
   do { $i$ }
2: { $\Gamma \in \Gamma$ }
   do { $j_i$ }
3: { $\Gamma \in \Gamma$ }
   r[] R10 latch0 { $\rightsquigarrow L0^i$ }
4: { $\Gamma \in \Gamma \wedge R10 = L0_{j_i}^i \wedge (r$ }
   while ( $R10=0$ ) { $k_i$ }
5: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]$ }
   w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma]$ }
   r[] Rf0 flag0 { $\rightsquigarrow F0^i$ }
7: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$ 
    $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
   if ( $Rf0 \neq 0$ ) then
8: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
   (* critical section *)
   w[] flag0 0
9: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
   w[] flag1 1
10: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
    w[] latch1 1
11: { $\Gamma \in \Gamma \wedge r1R10_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
    fi
12: { $\Gamma \in \Gamma$ }
    while true
13:{false}
```

The local invariants of process  $p$   
 depend only on  $\Gamma$  and local registers  
 or Pythia variables unchanged by a  
 step in the other process

```

26: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma]$ }
   r[] Rf1 flag1 { $\rightsquigarrow F1^\ell$ }
27: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge Rf1 = F1^\ell$ 
    $\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])$ }
   if ( $Rf1 \neq 0$ ) then
28: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ 
   (* critical section *)
   w[] flag1 0
29: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ 
   w[] flag0 1
30: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ 
   w[] latch0 1
31: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ 
   fi
32: { $\Gamma \in \Gamma$ }
   while true
33:{false}
```

# Communication proof

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

```

1: { $\Gamma \in \Gamma$ } do { $i$ } { $\Gamma \in \Gamma$ }
2: { $\Gamma \in \Gamma$ } do { $j_i$ } . . .
3: { $\Gamma \in \Gamma$ } r[] R10 latch0 { $\rightsquigarrow L0^i$ }
4: { $\Gamma \in \Gamma \wedge R10 = L0_{j_i}^i \wedge (r$ } while ( $R10=0$ ) { $k_i$ } { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma]$ }
5: w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma]$ } r[] Rf0 flag0 { $\rightsquigarrow F0^i$ }
7: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge Rf0 = F0^i$ }  $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ 
   if ( $Rf0 \neq 0$ ) then
8: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ } (* critical section *)
   w[] flag0 0
9: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ } w[] flag1 1
10: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ } w[] latch1 1
11: { $\Gamma \in \Gamma \wedge r1Rl0_{k_i}^i[\Gamma] \wedge r1Rf0^i[\Gamma]$ } fi
12: { $\Gamma \in \Gamma$ } while true
13:{false}

```

- *Communication condition*

$$COM_p^\ell[rf] \triangleq S_{ind\ p}(\ell)[rf] \wedge S_{comp}(\ell)[rf]$$

- A read event can read from only one write event.

$$COM_p^\ell[rf] \wedge rf[r, w_1] \in rf \wedge rf[r, w_2] \in rf \quad (\text{singleness}) \\ \Rightarrow w_1 = w_2 .$$

```

26: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma]$ } r[] Rf1 flag1 { $\rightsquigarrow F1^\ell$ }
27: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge Rf1 = F1^\ell$ }  $\wedge (r0Rf1^\ell[\Gamma] \vee r1Rf1^\ell[\Gamma])$ 
   if ( $Rf1 \neq 0$ ) then
28: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ } (* critical section *)
   w[] flag1 0
29: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ } w[] flag0 1
30: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ } w[] latch0 1
31: { $\Gamma \in \Gamma \wedge r1Rl1_{n_\ell}^\ell[\Gamma] \wedge r1Rf1^\ell[\Gamma]$ } fi
32: { $\Gamma \in \Gamma$ } while true
33:{false}

```

# Communication proof

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
```

```

1: { $\Gamma \in \Gamma$ }
   do {i}
2:  { $\Gamma \in \Gamma$ }
   do {ji}
3:   { $\Gamma \in \Gamma$ }
      r[] R10 latch0 { $\rightsquigarrow L_0$ }
4:   { $\Gamma \in \Gamma \wedge R10 = L_0^{i_{j_i}} \wedge (r$ }
   while (R10=0) {ki}
5:   { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma]$ }
      w[] latch0 0
6:   { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma]$ }
      r[] Rf0 flag0 { $\rightsquigarrow F_0^i$ }
7:   { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma] \wedge Rf0 = F_0^i$ 
      $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ }
     if (Rf0 ≠ 0) then
8:     { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
     (* critical section *)
     w[] flag0 0
9:     { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
     w[] flag1 1
10:    { $\Gamma \in \Gamma \wedge r1R10^{i_{k_i}}[\Gamma] \wedge r1Rf0^i[\Gamma]$ }
```

- All process read instructions  $\ell : r[ts] R x \ell'$  must read either from an initial or a reachable program write, allowed by the communication hypothesis ( $\exists P[X_1, \dots, X_m]$  means that all free variables in  $COM_p^{\ell}[\theta_p, rf] \wedge rf \neq \emptyset \Rightarrow \exists rf[w(\langle q, \ell_q, w[ts] x r\text{-value}, \theta' \rangle, v),$   $r(\langle p, \ell, r[ts] R x, \theta_p \rangle, x_{\theta_p})] \in rf$ . (satisfaction))
- $((q \in \mathbb{P}_i \wedge \exists PRE_q^{\ell_q}[\theta_q \leftarrow \theta', rf]) \vee (q = \text{start} \wedge v = 0))$ .

```

26: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma]$ }
     r[] Rf1 flag1 { $\rightsquigarrow F_1^{\ell}$ }
27: { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge Rf1 = F_1^{\ell}$ 
      $\wedge (r0Rf1^{\ell}[\Gamma] \vee r1Rf1^{\ell}[\Gamma])$ }
     if (Rf1 ≠ 0) then
28:   { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ }
     (* critical section *)
     w[] flag1 0
29:   { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ }
     w[] flag0 1
30:   { $\Gamma \in \Gamma \wedge r1R11_{n_\ell}^{\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ }
```

$$r0Rf0^i[\Gamma] \triangleq (rf\langle F_0^i, \langle 0:, \_, 0 \rangle \rangle \in \Gamma \wedge F_0^i = 0) \vee (\exists i_8 \in \mathbb{N}. rf\langle F_0^i, \langle 8:, i_8, 0 \rangle \rangle \in \Gamma \wedge F_0^i = 0)$$

$$r1Rf0^i[\Gamma] \triangleq (\exists \ell_{29} \in \mathbb{N}. rf\langle F_0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge F_0^i = 1)$$

```

12: { $\Gamma \in \Gamma$ }
   while true
13: {false}
```

```

32: { $\Gamma \in \Gamma$ }
   while true
33: {false}
```

# Communication proof

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }

```

1: { $\Gamma \in \Gamma$ }
   do { $i$ }
2: { $\Gamma \in \Gamma$ }
   do { $j_i$ }
3: { $\Gamma \in \Gamma$ }
   r[] R10 latch0 { $\rightsquigarrow L_0$ }
4: { $\Gamma \in \Gamma \wedge R10 = L_0^i_{j_i} \wedge (r$ }
   while ( $R10=0$ ) { $k_i$ }
5: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma]$ }
   w[] latch0 0
6: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma]$ }
   r[] Rf0 flag0 { $\rightsquigarrow F0^i$ }
7: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma] \wedge Rf0 = F0^i$ 
    $\wedge (r0Rf0^i[\Gamma] \vee r1Rf0^i[\Gamma])$ 
   if ( $Rf0 \neq 0$ ) then
8: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
   (* critical section *)
   w[] flag0 0
9: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma] \wedge r1Rf0^i[\Gamma]$ 
   w[] flag1 1
10: { $\Gamma \in \Gamma \wedge r1Rl0^i_{k_i}[\Gamma] \wedge r1Rf0^i[\Gamma]$ 

```

- The values  $v$  allowed to be read by the communication hypothesis must originate from reachable program write instructions  $\ell : w[ts] \times r\text{-value } \ell'$ :
$$\forall rf . \forall rf[w(\langle q, \ell_q, w[ts] \times r\text{-value}, \theta_p \rangle, v), r] \in rf \text{ (match)}$$

$$COM_p^\ell[\theta_q, \rho_q, \nu_q, rf] \Rightarrow v = E[r\text{-value}](\rho_q, \nu_q)$$

$r0Rf0^i[\Gamma] \triangleq (\text{rf}\langle F0^i, \langle 0:, \_, 0 \rangle \rangle \in \Gamma \wedge F0^i = 0) \vee (\exists i_8 \in \mathbb{N} . \text{rf}\langle F0^i, \langle 8:, i_8, 0 \rangle \rangle \in \Gamma \wedge F0^i = 0)$

$r1Rf0^i[\Gamma] \triangleq (\exists \ell_{29} \in \mathbb{N} . \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge F0^i = 1)$

```

12: { $\Gamma \in \Gamma$ }
   while true
13: {false}

```

```

26: { $\Gamma \in \Gamma \wedge r1Rl1^{\ell}_{n_\ell}[\Gamma]$ }
   r[] Rf1 flag1 { $\rightsquigarrow F1^\ell$ }
27: { $\Gamma \in \Gamma \wedge r1Rl1^{\ell}_{n_\ell}[\Gamma] \wedge Rf1 = F1^\ell$ 
    $\wedge (r0Rf1^{\ell}[\Gamma] \vee r1Rf1^{\ell}[\Gamma])$ 
   if ( $Rf1 \neq 0$ ) then
28: { $\Gamma \in \Gamma \wedge r1Rl1^{\ell}_{n_\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ 
   (* critical section *)
   w[] flag1 0
29: { $\Gamma \in \Gamma \wedge r1Rl1^{\ell}_{n_\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ 
   w[] flag0 1
30: { $\Gamma \in \Gamma \wedge r1Rl1^{\ell}_{n_\ell}[\Gamma] \wedge r1Rf1^{\ell}[\Gamma]$ 

```

```

32: { $\Gamma \in \Gamma$ }
   while true
33: {false}

```

# Inclusion proof



# Method

- The communication specification is

$$S_{com}(\Gamma, \bar{\Gamma}) \triangleq (\text{at}\{8\} \wedge \text{at}\{28\}) \implies (S_{com_1}(\Gamma, \bar{\Gamma}) \wedge S_{com_2}(\Gamma, \bar{\Gamma}) \wedge S_{com_3}(\Gamma, \bar{\Gamma}) \wedge S_{com_4}(\Gamma, \bar{\Gamma}))$$

- The consistency specification must satisfy

$$H_{com}(\Gamma, \bar{\Gamma}) \Rightarrow S_{com}(\Gamma, \bar{\Gamma}) \quad \text{i.e.} \quad \neg S_{com}(\Gamma, \bar{\Gamma}) \Rightarrow \neg H_{com}(\Gamma, \bar{\Gamma})$$

- So the design of  $H_{com}(\Gamma, \bar{\Gamma})$  must forbid the erroneous communications specified by the communication specification

$$\left( \text{at}\{8\} \wedge \text{at}\{28\} \wedge \bigvee_{i=1}^4 \neg S_{com_i}(\Gamma, \bar{\Gamma}) \right) \implies \bigvee_{i=1}^4 \neg H_{com_i}(\Gamma, \bar{\Gamma})$$

$$S_{com_1} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29} \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:,, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:,, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 0:,, \_, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 0:,, \_, 1 \rangle \rangle \in \Gamma)$$



no prophecy beyond cut during execution

$$S_{com_2} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_9 \in \mathbb{N}. \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:,, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:,, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 0:,, \_, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 9:,, i_9, 1 \rangle \rangle \in \Gamma)$$



no prophecy beyond cut during execution

$$S_{com_3} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10} \in \mathbb{N}. \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30: , \\ \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29: , \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \\ \langle 10: , i_{10}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 0: , \_, 1 \rangle \rangle \in \Gamma)$$

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
```

```
1: do {i}
```

```
2:   do {ji}
```

```
3:     r[] Rl0 latch0 {~~ L0jii}
```

```
4:   while (Rl0=0) {ki}
```

```
5:   w[] latch0 0
```

```
6:   r[] Rf0 flag0 {~~ F0i}
```

```
7:   if (Rf0≠0) then
```

```
8:     (* critical section *)
```

```
      w[] flag0 0
```

```
      w[] flag1 1
```

```
10:    w[] latch1 1
```

```
11: fi
```

```
12:while true
```

```
13:
```

```
21:do {ℓ}
```

```
22:  do {mℓ}
```

```
23:    r[] Rl1 latch1 {~~ L1mℓℓ}
```

```
24:   while (Rl1=0) {nℓ}
```

```
25:   w[] latch1 0
```

```
26:   r[] Rf1 flag1 {~~ F1ℓ}
```

```
27:   if (Rf1≠0) then
```

```
28:     (* critical section *)
```

```
      w[] flag1 0
```

```
      w[] flag0 1
```

```
30:      w[] latch0 1
```

```
31: fi
```

```
32:while true
```

```
33:
```

cut

no prophecy beyond cut during execution

$$S_{com_4} \triangleq \neg(\exists i, k_i, \ell, n_\ell, \ell_{30}, \ell_{29}, i_{10}, i_9 \in \mathbb{N} . \Gamma \in \Gamma \wedge \text{rf}\langle L0_{k_i}^i, \langle 30:, \ell_{30}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F0^i, \langle 29:, \ell_{29}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle L1_{n_\ell}^\ell, \langle 10:, i_{10}, 1 \rangle \rangle \in \Gamma \wedge \text{rf}\langle F1^\ell, \langle 9:, i_9, 1 \rangle \rangle \in \Gamma)$$

```
{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
```

```
1: do {i}
```

```
2:   do {ji}
```

```
3:     r[] Rl0 latch0 {~~ L0jii}
```

```
4:   while (Rl0=0) {ki}
```

```
5:   w[] latch0 0
```

```
6:   r[] Rf0 flag0 {~~ F0i}
```

```
7:   if (Rf0≠0) then
```

```
8:     (* critical section *)
```

```
     w[] flag0 0
```

```
     w[] flag1 1
```

```
10:    w[] latch1 1
```

```
11: fi
```

```
12:while true
```

```
13:
```

```
21:do {ℓ}
```

```
22:   do {mℓ}
```

```
23:     r[] Rl1 latch1 {~~ L1mℓℓ}
```

```
24:   while (Rl1=0) {nℓ}
```

```
25:   w[] latch1 0
```

```
26:   r[] Rf1 flag1 {~~ F1ℓ}
```

```
27:   if (Rf1≠0) then
```

```
28:     (* critical section *)
```

```
     w[] flag1 0
```

```
     w[] flag0 1
```

```
30:     w[] latch0 1
```

```
31: fi
```

```
32:while true
```

```
33:
```

cut

no prophecy beyond cut during execution

# Conclusion on mutual exclusion

- PostgreSQL is correct on architectures satisfying the ``no prophecy beyond cut during execution'' property



- Intuition on necessity: when waiting for a spinlock, you should look at its current value, not at later ones!

# in cat

- A static condition to impose a dynamic condition:

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: do {i}
2:   do {ji}
3:     r[] Rl0 latch0 {~~ L0iji}
4:     while (Rl0=0) {ki}
5:     w[] latch0 0
6:     r[] Rf0 flag0 {~~ F0i}      po
7:     if (Rf0≠0) then               cut
8:       f[cut] (* critical section *)  rf
9:       w[] flag0 0
10:      w[] flag1 1
11:      w[] latch1 1
12:    fi
13:  while true
14:
enum fences = 'cut
instructions F[{'}cut}]

let cut = (tag2events('cut) * tag2events('cut)) & ext
irreflexive rf; po; cut; po
21:do {ℓ}
22:  do {mℓ}
23:    r[] Rl1 latch1 {~~ L1ℓmℓ}
24:    while (Rl1=0) {nℓ}
25:    w[] latch1 0
26:    r[] Rf1 flag1 {~~ F1ℓ}
27:    if (Rf1≠0) then
28:      f[cut] (* critical section *)
29:      w[] flag0 0
30:      w[] flag1 1
31:      w[] latch0 1
32:    fi
33:

```

# Prevents valid executions



# Non-starvation

# Difference with Lamport/Owicki-Gries

- The communications in L/O-G are fixed in the semantics (SC) for all executions:



⇒ entangled with the verification conditions  
⇒ impossible to reason on one execution trace only

# Reasoning on only one execution

- An execution is entirely determined by its read-from relation  $rf$
- The verification conditions depend on a set  $\Gamma$  of verification conditions
- By choosing  $\Gamma = \{rf\}$ , we can reason on this execution
- This execution satisfies the inductive invariant  $S_{ind}(\{rf\})$
- To prove that this execution is impossible it is sufficient to prove that  $S_{ind}(\{rf\})$  cannot hold (according to the verification conditions)
- Since the method is sound, if the verification conditions are not satisfied, the execution is excluded by the semantics

# 9 cases of starvation



# (I) Both processes starve in spin loops

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {ji}
3:     {true}
      r[] Rl0 latch0 {~~ L0iji}
4:     {Rl0 = L0iji ∧
       (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
      while (Rl0=0) {ki}
5:     {r1Rl0iki[Γrf]}
      w[] latch0 0
6:     {r1Rl0iki[Γrf]}
      r[] Rf0 flag0 {~~ F0i}
7:     {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
       (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
     if (Rf0≠0) then
9:       {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
       (* critical section *)
      w[] flag0 0
10:    {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] flag1 1
11:    {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] latch1 1
12:    {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}

     fi
13: {true}
  while true
14: {false}

```

```

21: {true}
  do {ℓ}
22:   {true}
    do {mℓ}
23:     {true}
      r[] Rl1 latch1 {~~ L1ℓmℓ}
24:     {Rl1 = L1ℓmℓ ∧
       (r0Rl1ℓmℓ[Γrf] ∨ r1Rl1ℓmℓ[Γrf])}
      while (Rl1=0) {nℓ}
25:     {r1Rl1ℓnℓ[Γrf]}
      w[] latch1 0
26:     {r1Rl1ℓnℓ[Γrf]}
      r[] Rf1 flag1 {~~ F1ℓ}
27:     {r1Rl1ℓnℓ[Γrf] ∧ Rf1 = F1ℓ ∧
       (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γrf])}
     if (Rf1≠0) then
28:       {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
       (* critical section *)
      w[] flag1 0
29:       {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
      w[] flag0 1
30:       {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
      w[] latch0 1
31:       {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}

     fi
32: {true}
  while true
33: {false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- invariant false after both spin loops
- so latch1 in 23: can only be read from initialization
- so latch1 is 1 not 0, a contradiction

## (2) Both processes never enter their critical section

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2: {true}
  do {ji}
3: {true}
  r[] Rl0 latch0 {~~ L0iji}
4: {Rl0 = L0iji ∧
   (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
  while (Rl0=0) {ki}
5: {r1Rl0iki[Γrf]}
  w[] latch0 0
6: {r1Rl0iki[Γrf]}
  r[] Rf0 flag0 {~~ F0i}
7: {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
   (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
  if (Rf0≠0) then
8:  {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
    (* critical section *)
  w[] flag0 0
9:  {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
  w[] flag1 1
10: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
   w[] latch1 1
11: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}

  fi
12: {true}
  while true
13:{false}

```

  

```

21:{true}
  do {ℓ}
22: {true}
  do {mℓ}
23: {true}
  r[] Rl1 latch1 {~~ L1ℓmℓ}
24: {Rl1 = L1ℓmℓ ∧
   (r0Rl1ℓmℓ[Γrf] ∨ r1Rl1ℓmℓ[Γrf])}
  while (Rl1=0) {nℓ}
25: {r1Rl1ℓnℓ[Γrf]}
  w[] latch1 0
26: {r1Rl1ℓnℓ[Γrf]}
  r[] Rf1 flag1 {~~ F1ℓ}
27: {r1Rl1ℓnℓ[Γrf] ∧ Rf1 = F1ℓ ∧
   (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γrf])}
  if (Rf1≠0) then
28:  {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
    (* critical section *)
  w[] flag1 0
29:  {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
  w[] flag0 1
30:  {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
  w[] latch0 1
31:  {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}

  fi
32: {true}
  while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )

## (2) Both processes never enter their critical section

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2: {true}
  do {ji}
3: {true}
  r[] Rl0 latch0 {~~ L0iji}
4: {Rl0 = L0iji ∧
   (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
  while (Rl0=0) {ki}
5: {r1Rl0iki[Γrf]}
  w[] latch0 0
6: {r1Rl0iki[Γrf]}
  r[] Rf0 flag0 {~~ F0i}
7: {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
   (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
  if (Rf0≠0) then
8: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] } ]
  (* critical section *)
  w[] flag0 0
9: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }
  w[] flag1 1
10: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }
   w[] latch1 1
11: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }
  fi
12: {true}
  while true
13:{false}

```

  

```

21:{true}
  do {ℓ}
22: {true}
  do {mℓ}
23: {true}
  r[] Rl1 latch1 {~~ L1ℓmℓ}
24: {Rl1 = L1ℓmℓ ∧
   (r0Rl1ℓmℓ[Γrf] ∨ r1Rl1ℓmℓ[Γrf])}
  while (Rl1=0) {nℓ}
25: {r1Rl1ℓnℓ[Γrf] }
  w[] latch1 0
26: {r1Rl1ℓnℓ[Γrf] }
  r[] Rf1 flag1 {~~ F1ℓ}
27: {r1Rl1ℓnℓ[Γrf] ∧ Rf1 = F1ℓ ∧
   (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γrf])}
  if (Rf1≠0) then
28: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] } ]
  (* critical section *)
  w[] flag1 0
29: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
  w[] flag0 1
30: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
  w[] latch0 1
31: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
  fi
32: {true}
  while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant inside critical sections must be false

## (2) Both processes never enter their critical section

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2: {true}
  do {ji}
3: {true}
  r[] Rl0 latch0 {~~ L0iji}
4: {Rl0 = L0iji ∧
   (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
  while (Rl0=0) {ki}
5: {r1Rl0iki[Γrf]}
  w[] latch0 0
6: {r1Rl0iki[Γrf]}
  r[] Rf0 flag0 {~~ F0i}
7: {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
   (r0Rf0i[Γrf] ∨ r1Rf0i[Γn])}
  if (Rf0≠0) then
8: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }  

  (* critical section *)
  w[] flag0 0
9: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }  

  w[] flag1 1
10: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }  

  w[] latch1 1
11: {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf] }
  fi
12: {true}
  while true
13:{false}

21:{true}
  do {ℓ}
22: {true}
  do {mℓ}
23: {true}
  r[] Rl1 latch1 {~~ L1ℓmℓ}
24: {Rl1 = L1ℓmℓ ∧
   (r0Rl1ℓmℓ[Γrf] ∨ r1Rl1ℓmℓ[Γrf])}
  while (Rl1=0) {nℓ}
25: {r1Rl1ℓnℓ[Γrf] }
  w[] latch1 0
26: {r1Rl1ℓnℓ[Γrf] }
  r[] Rf1 flag1 {~~ F1ℓ}
27: {r1Rl1ℓnℓ[Γrf] ∧ Rf1 = F1ℓ ∧
   (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γn])}
  if (Rf1≠0) then
28: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }  

  (* critical section *)
  w[] flag1 0
29: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }  

  w[] flag0 1
30: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }  

  w[] latch0 1
31: {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }  

  fi
32: {true}
  while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant inside critical sections must be false
- tests ( $Rf0 \neq 0$ ) and ( $Rf1 \neq 0$ ) must be false (written ~~xxx~~)

## (2) Both processes never enter their critical section

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {ji}
3:     {true}
      r[] Rl0 latch0 {~~ L0jii}
4:     {Rl0 = L0jii ∧
      (r0Rl0jii[Γrf] ∨ r1Rl0jii[Γrf])}
      while (Rl0=0) {ki}
5:     {r1Rl0kii[Γrf]}
      w[] latch0 0
6:     {r1Rl0kii[Γrf]}
      r[] Rf0 flag0 {~~ F0ii}
7:     {r1Rl0kii[Γrf] ∧ Rf0 = F0ii ∧
      (r0Rf0ii[Γrf] ∨ r1Rf0ii[Γn])}
      if (Rf0≠0) then
8:       {r1Rl0kii[Γrf] ∧ r1Rf0ii[Γrf] } rf
        (* critical section *)
        w[] flag0 0
9:       {r1Rl0kii[Γrf] ∧ r1Rf0ii[Γrf] }
        w[] flag1 1
10:      {r1Rl0kii[Γrf] ∧ r1Rf0ii[Γrf] }
        w[] latch1 1
11:      {r1Rl0kii[Γrf] ∧ r1Rf0ii[Γrf] }
        fi
12:    {true}
      while true
13:{false}

```

```

21: {true}
  do {ℓ}
22:   {true}
    do {mℓ}
23:     {true}
      r[] Rl1 latch1 {~~ L1mℓℓ}
24:     {Rl1 = L1mℓℓ ∧
      (r0Rl1mℓℓ[Γrf] ∨ r1Rl1mℓℓ[Γrf])}
      while (Rl1=0) {nℓ}
25:     {r1Rl1nℓℓ[Γrf] }
      w[] latch1 0
26:     {r1Rl1nℓℓ[Γrf] }
      r[] Rf1 flag1 {~~ F1ℓ}
27:     {r1Rl1nℓℓ[Γrf] ∧ Rf1 = F1ℓ ∧
      (r0Rf1iℓ[Γrf] ∨ r1Rf1iℓ[Γn])}
      if (Rf1≠0) then
28:       {r1Rl1nℓℓ[Γrf] ∧ r1Rf1iℓ[Γrf] } rf
        (* critical section *)
        w[] flag1 0
29:       {r1Rl1nℓℓ[Γrf] ∧ r1Rf1iℓ[Γrf] }
        w[] flag0 1
30:       {r1Rl1nℓℓ[Γrf] ∧ r1Rf1iℓ[Γrf] }
        w[] latch0 1
31:       {r1Rl1nℓℓ[Γrf] ∧ r1Rf1iℓ[Γrf] }
        fi
32:     {true}
      while true
33:{false}

```

- let  $rf$  be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant inside critical sections must be false
- tests ( $Rf0 \neq 0$ ) and ( $Rf1 \neq 0$ ) must be false (written ~~xxx~~)
- so read of  $Rf0$  and  $Rf1$  is 0 from a reachable write

## (2) Both processes never enter their critical section

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {j_i}
3:     {true}
      r[] Rl0 latch0 {~~ L0ij_i}
4:     {Rl0 = L0ij_i ∧
      (r0Rl0ij_i[Γrf] ∨ r1Rl0ij_i[Γrf])}
      while (Rl0=0) {k_i}
5:     {r1Rl0ik_i[Γrf]}
      w[] latch0 0
6:     {r1Rl0ik_i[Γrf]}
      r[] Rf0 flag0 {~~ F0i}
7:     {r1Rl0ik_i[Γrf] ∧ Rf0 = F0i ∧
      (r0Rf0i[Γrf] ∨ r1Rf0i[Γn])}
      if (Rf0≠0) then
8:       {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf] } rf
      (* critical section *)
      w[] flag0 0
9:       {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf] }
      w[] flag1 1
      {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf] }
      w[] latch1 1
11:      {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf] }
      fi
12: {true}
      while true
13:{false}

```

```

21: {true}
  do {ℓ}
22:   {true}
    do {m_ℓ}
23:     {true}
      r[] Rl1 latch1 {~~ L1ℓm_ℓ}
24:     {Rl1 = L1ℓm_ℓ ∧
      (r0Rl1ℓm_ℓ[Γrf] ∨ r1Rl1ℓm_ℓ[Γrf])}
      while (Rl1=0) {n_ℓ}
25:     {r1Rl1ℓn_ℓ[Γrf] }
      w[] latch1 0
26:     {r1Rl1ℓn_ℓ[Γrf] }
      r[] Rf1 flag1 {~~ F1ℓ}
27:     {r1Rl1ℓn_ℓ[Γrf] ∧ Rf1 = F1ℓ ∧
      (r0Rf1ℓ[Γn] ∨ r1Rf1ℓ[Γn])}
      if (Rf1≠0) then
28:       {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf] } rf
      (* critical section *)
      w[] flag1 0
29:       {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
      w[] flag0 1
30:       {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
      w[] latch0 1
31:       {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf] }
      fi
32: {true}
      while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant inside critical sections must be false
- tests ( $Rf0 \neq 0$ ) and ( $Rf1 \neq 0$ ) must be false (written ~~xxx~~)
- so read of  $Rf0$  and  $Rf1$  is 0 from a reachable write
- impossible for  $Rf1$  so loop 23 —24 is never exited

⇒ we are in case (3), PI stuck in spin loop

### (3) Process P1 stuck in spin loop (no hypothesis on P0)

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {ji}
3:     {true}
      r[] Rl0 latch0 {~~ L0iji}
4:     {Rl0 = L0iji ∧
      (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
      while (Rl0=0) {ki}
5:     {r1Rl0iki[Γrf]}
      w[] latch0 0
6:     {r1Rl0iki[Γrf]}
      r[] Rf0 flag0 {~~ F0i}
7:     {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
      (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
      if (Rf0≠0) then
8:       {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
        (* critical section *)
      w[] flag0 0
9:       {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] flag1 1
10:      {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] latch1 1
11:      {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      fi
12:    {true}
      while true
13:{false}

```

  

```

21:{true}
  do {ℓ}
22: {true}
  do {mℓ}
23: {true}
  r[] Rl1 latch1 {~~ L1ℓmℓ}
24: {Rl1 = L1ℓmℓ ∧
  (r0Rl1ℓmℓ[Γrf] ∨ r1Rl1ℓmℓ[Γrf])}
  while (Rl1=0) {nℓ}
25: {r1Rl1ℓnℓ[Γrf]}
  w[] latch1 0
26: {r1Rl1ℓnℓ[Γrf]}
  r[] Rf1 flag1 {~~ F1ℓ}
27: {r1Rl1ℓnℓ[Γrf] ∧ Rf1 = F1ℓ ∧
  (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γrf])}
  if (Rf1≠0) then
28:   {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
    (* critical section *)
  w[] flag1 0
29:   {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
  w[] flag0 1
30:   {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
  w[] latch0 1
31:   {r1Rl1ℓnℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
  fi
32: {true}
  while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant after 25: must be false
- read of latch1 in 23: must be a 0
- only possibility if from 25:
- A contradiction since 25: is unreachable

# (4) Process P0 starves in spin loop, no hypothesis on P1

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {j_i}
3:     {true}
      r[] R10 latch0 {~~ L0ij_i}
4:     {R10 = L0ij_i ∧
      (r0Rl0i[Γrf] ∨ r1Rl0i[Γrf])}
      while (R10=0) {k_i}
5:       {r1Rl0ik_i[Γrf]}
      w[] latch0 0
6:       {r1Rl0ik_i[Γrf]}
      r[] Rf0 flag0 {~~ F0i}
7:       {r1Rl0ik_i[Γrf] ∧ Rf0 = F0i ∧
      (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
      if (Rf0≠0) then
8:        {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf]}
        (* critical section *)
      w[] flag0 0
9:        {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf]}
      w[] flag1 1
10:       {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf]}
      w[] latch1 1
11:       {r1Rl0ik_i[Γrf] ∧ r1Rf0i[Γrf]}

      fi
12:     {true}
      while true
13:   {false}

  CO
  fr
  
```

↑

```

21: {true}
  do {ℓ}
22:   {true}
    do {m_ℓ}
23:     {true}
      r[] R11 latch1 {~~ L1ℓm_ℓ}
24:     {R11 = L1ℓm_ℓ ∧
      (r0Rl1ℓm_ℓ[Γrf] ∨ r1Rl1ℓm_ℓ[Γrf])}
      while (R11=0) {n_ℓ}
25:       {r1Rl1ℓn_ℓ[Γrf]}
      w[] latch1 0
26:       {r1Rl1ℓn_ℓ[Γrf]}
      r[] Rf1 flag1 {~~ F1ℓ}
27:       {r1Rl1ℓn_ℓ[Γrf] ∧ Rf1 = F1ℓ ∧
      (r0Rf1ℓ[Γrf] ∨ r1Rf1ℓ[Γrf])}
      if (Rf1≠0) then
28:        {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
        (* critical section *)
      w[] flag1 0
29:        {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
      w[] flag0 1
30:        {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}
      w[] latch0 1
31:        {r1Rl1ℓn_ℓ[Γrf] ∧ r1Rf1ℓ[Γrf]}

      fi
32:     {true}
      while true
33:   {false}
  
```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- the invariant after 5: must be false so P0 never enters its critical section
- read of latch0 in 3: must be a 0, with 2 possibilities
- cannot be from write at 5: which is unreachable
- so is from initial write 0:
- but P1 enters its critical section (otherwise see case I)
- so w[] latch0 1 will be executed later in **co** order
- so all 3:r[] R10 latch0 are **fr** to all 30: w[] latch0 1
- by fairness of communications, this write of 1 to latch0 will eventually be read at 3: in contradiction with always reading 0

## (4) Process P0 starves in spin loop, P1 does not



# Communication fairness hypothesis<sup>(\*)</sup>

- All writes eventually hit the memory:
  - If, at a cut of the execution, all the processes infinitely often write the same value  $v$  to a shared variable  $x$  and only that value  $v$
  - and from a later cut point of that execution, a process infinitely often repeats reads to that variable  $x$
  - then the reads will end up reading that value  $v$

---

<sup>(\*)</sup> The SPARC Architecture Manual, Version 8, Section K2, p. 283: ``if one processor does an  $S$  , and another processor repeatedly does  $L$  's to the same location, then there is an  $L$  that will be after the  $S$  ''.

# (5) Process P1 never enters its CS

```

{0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
  do {i}
2:   {true}
    do {ji}
3:     {true}
      r[] Rl0 latch0 {~~ L0iji}
4:     {Rl0 = L0iji ∧
       (r0Rl0iji[Γrf] ∨ r1Rl0iji[Γrf])}
      while (Rl0=0) {ki}
5:     {r1Rl0iki[Γrf]}
      w[] latch0 0
6:     {r1Rl0iki[Γrf]}
      r[] Rf0 flag0 {~~ F0i}
7:     {r1Rl0iki[Γrf] ∧ Rf0 = F0i ∧
       (r0Rf0i[Γrf] ∨ r1Rf0i[Γrf])}
      if (Rf0≠0) then
8:        {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
        (* critical section *)
      w[] flag0 0
9:        {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] flag1 1
10:       {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}
      w[] latch1 1
11:       {r1Rl0iki[Γrf] ∧ r1Rf0i[Γrf]}

      fi
12:     {true}
      while true
13:{false}

```

21: {true}

do {ℓ}

22: {true}

do {m<sub>ℓ</sub>}

23: {true}

r[] Rl1 latch1 {~~ L1<sup>ℓ</sup><sub>m<sub>ℓ</sub></sub>}

24: {Rl1 = L1<sup>ℓ</sup><sub>m<sub>ℓ</sub></sub> ∧
 (r0Rl1<sup>ℓ</sup><sub>m<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∨ r1Rl1<sup>ℓ</sup><sub>m<sub>ℓ</sub></sub>[Γ<sub>rf</sub>])}
 while (Rl1=0) {n<sub>ℓ</sub>}

25: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>]}

w[] latch1 0

26: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>]}

r[] Rf1 flag1 {~~ F1<sup>ℓ</sup>}

27: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∧ Rf1 = F1<sup>ℓ</sup> ∧
 (r0Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>] ∨ r1Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>])}
 if (Rf1≠0) then
28: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∧ r1Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>]}
 (\* critical section \*)
 w[] flag1 0
29: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∧ r1Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>]}

 w[] flag0 1
30: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∧ r1Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>]}

 w[] latch0 1
31: {r1Rl1<sup>ℓ</sup><sub>n<sub>ℓ</sub></sub>[Γ<sub>rf</sub>] ∧ r1Rf1<sup>ℓ</sup>[Γ<sub>rf</sub>]}

 fi
32: {true}
 while true
33:{false}

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- P1 exits loop 23–24: (else see cases (1) or (3))
- must read  $Rl1 = 1$  from 0: or 10:
  - read of  $Rf1$  at 26: must be 0
  - only possibility is from 28:
  - impossible from unreachable code

# (5) Process P0 leaves spin loop but always fails entering its CS

```

0: latch0 = 0; flag0 = 0; latch1 = 1; flag1 = 1; }
1: {true}
do {i}
2: { $\Gamma_{rf}$ }
do {ji}
{true}
3: r[] Rl0 latch0 {~~ L0iji}
4: r[] Rl0 = L0iji  $\wedge$  (r0Rl0iji[ $\Gamma_{rf}$ ]  $\vee$  r1Rl0iji[ $\Gamma_{rf}$ ])
while (Rl0=0) {ki}
5: {r1Rl0iki[ $\Gamma_{rf}$ ]}

w[] latch0 0
{r1Rl0iki[ $\Gamma_{rf}$ ]}

f[fdep] {3} {6}
{r1Rl0iki[ $\Gamma_{rf}$ ]}

6: r[] Rf0 flag0 {~~ F0i}
{r1Rl0iki[ $\Gamma_{rf}$ ]  $\wedge$  Rf0 = F0i  $\wedge$  fre
(r0Rf0i[ $\Gamma_{rf}$ ]  $\vee$  r1Rf0i[ $\Gamma_{rf}$ ])
if (Rf0 $\neq$ 0) then
7: {r1Rl0iki[ $\Gamma_{rf}$ ]  $\wedge$  r1Rf0i[ $\Gamma_{rf}$ ]}

(* critical section *)
w[] flag0 0
{r1Rl0iki[ $\Gamma_{rf}$ ]  $\wedge$  r1Rf0i[ $\Gamma_{rf}$ ]}

w[] flag1 1
{r1Rl0iki[ $\Gamma_{rf}$ ]  $\wedge$  r1Rf0i[ $\Gamma_{rf}$ ]}

false
w[] latch1 1
{r1Rl0iki[ $\Gamma_{rf}$ ]  $\wedge$  r1Rf0i[ $\Gamma_{rf}$ ]}

fi
12: {true}
while true
13:{false}

1: {true}
do { $\ell$ }
2: { $\Gamma_{rf}$ }
do {m $\ell$ }
{true}
3: r[] Rl1 latch1 {~~ L1 $\ell$ m $\ell$ }
4: Rl1 = L1 $\ell$ m $\ell$   $\wedge$  (r0Rl1 $\ell$ m $\ell$ [ $\Gamma_{rf}$ ]  $\vee$  r1Rl1 $\ell$ m $\ell$ [ $\Gamma_{rf}$ ])
while (Rl1=0) {n $\ell$ }
5: {r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]}

w[] latch1 0

6: {r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]}

r[] Rf1 flag1 {~~ F1 $\ell$ }
{r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  Rf1 = F1 $\ell$   $\wedge$  (r0Rf1 $\ell$ [ $\Gamma_{rf}$ ]  $\vee$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ])}

if (Rf1 $\neq$ 0) then
7: {r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

(* critical section *)
w[] flag1 0
{r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

w[] flag0 1
{r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

f[flw] {29} {30}
{r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

30: w[] latch0 1
{r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

31: {r1Rl1 $\ell$ n $\ell$ [ $\Gamma_{rf}$ ]  $\wedge$  r1Rf1 $\ell$ [ $\Gamma_{rf}$ ]}

fi
32: {true}
while true
33:{false}

```

- let rf be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- loop 2–4: exited
- read of Rl0 = 1 at 3: is from 30:
- invariant false in critical section 8–11:
- read of Rf0 = 0 at 6: is from 0: (8: not reachable)

withco

```

let l-fencerel(S) =
((po&(_*S));po)&fromto(S)
let Fdep = F & tag2events('fdep')
let deps = l-fencerel(Fdep) & (R*_)
let Flw = F & tag2events('flw')
let flw = l-fencerel(Flw)
let fences = deps | flw
let fre = (rf^-1;co) & ext
irreflexive fre;fences;rfe;fences

```

In TSO there is no need for a fence since it is MP. For weaker than PSO, a fence is needed.

# (6) Both processes eventually starve in spin loop



- let  $rf$  be the communication for such a trace (encoded in  $\Gamma_{rf}$ )
- so  $latch0$  is always 0 and  $latch1$  is always 0
- so  $latch0$  in 23 is always read from 25:
- so 10:  $w$   $latch1$  1 was co-before (since otherwise by the communication hypothesis it would be eventually read)
- and 3:  $R10$   $latch0$  0 is from 0: or 5:
- so 30:  $w$   $latch0$  1 is co-before them (since otherwise by the communication hypothesis it would be eventually read)
- impossible by fences
- **irreflexive co; bar; co; bar**

## (7) Eventually, P0 starves in spin loop, P1 never enters its CS



(8) Eventually, P1 starves in spin loop, P0 never enters its CS

symmetric of (7)

(9) P0 and P1 always leave spin loop and never enter their CS

```

{0:  w[] latch0 0;
   w[] flag0 0;

...
3:  r[] Rl0 latch0 1
5:  w[] latch0 0
6:  r[] Rf0 flag0 1
8:  (* critical section *)
    w[] flag0 0
9:  w[] flag1 1
10: w[] latch1 1

...
3:  r Rl0 latch0 1
5:  w[] latch0 0
6:  r[] Rf0 flag0 1
8:  (* critical section *)
    w[] flag0 0
9:  w[] flag1 1
10: w[] latch1 1

...
3:  r[] Rl0 latch0 1
5:  w[] latch0 0
6:  r[] Rf0 flag0 0

...
3:  r[] Rl0 latch0 1
5:  w[] latch0 0
6:  r[] Rf0 flag0 0

...
3:  r[] Rl0 latch0 1
5:  w[] latch0 0
6:  r[] Rf0 flag0 0

```

- P0 and P1 eventually never starve and never enter their critical sections
  - They both have a last entrance in their critical sections
  - This last write of 1 to the latches will, by communication fairness, eventually reach the memory
  - Then we only have infinitely many writes of 0 to the latches
  - So the read of the latches in the spin loops will eventually always read 0
  - So from then on, by communication fairness, all the reads will be from 0, in reads of the latch will be zero
  - In contradiction with the fact that the spin loop is always exited
  - The barrier prevents infinitely postponing the write 0 actions

# Conclusion

# Conclusion

- The proof method is **parameterized by consistency hypotheses**, expressed in
  - Invariance form:  $S_{com}$
  - Consistency form:  $H_{com}$  (e.g. in cat)
- Program not logic/architecture/consistency model dependent (hence the proof is **portable**)
- Can reason on *arbitrary* subsets of anarchic executions (hence **flexible** e.g. non-starvation)

# Proposed design methodology

- I. Design the algorithm  $A$  and its specification  $S_{inv}$  (e.g. in the sequential consistency model of parallelism)
2. Consider the anarchic semantics of algorithm  $A$
3. Add communication specifications  $S_{com}$  to restrict anarchic communications and ensure the correctness of  $A$  with respect to specification  $S_{inv}$
4. Do the invariance proof under WCM with  $S_{com}$
5. Infer  $H_{com}$  (in cat) from invariant  $S_{com}$
6. Prove that the machine memory model  $M$  in cat implies  $H_{cm}$

# Challenges

- Modern machines have complex memory models
  - ⇒ portability has a price (refencing)
  - ⇒ debugging is very hard/quasi-impossible
  - ⇒ proofs are much harder than with sequential consistency (but still feasible?, mechanically?)
  - ⇒ static analysis parameterized by a WCM will be a challenge
  - ⇒ but we can start with  $S_{com}$

# Thanks

- *Patrick Cousot thanks Luc Maranget for his precious help at Dagstuhl on the non-starvation part.*

# The End, Thank You