4 The Form of a Specication
4.1 The Form of a Complete Program
We start by considering complete programs. In formal models of complete programs, there are no environment actions, only system actions. Input occurs through initial values of variables or by executing a nondeterministic input statement in the program. (An input statement is nondeterministic because the program text and the execution of the program up to that point do not determine the input value.) Thus, a complete program is a specication in which every agent in
A
is a system agent. Since we want the specication to beA
-abstract, it does not matter what agents perform the steps of a behavior, so we can ignore the agents and consider a behavior to be a sequence of states.4.1.1 The Parts of a Complete Program
A complete program is dened by four things:
set of states
A state provides an \instantaneous picture" of the execution status of the program. It is determined by such things as the values of variables, the loci of control of processes, and the messages in transit|the details depending upon the programming language.
initial predicate
The initial predicateI
is a state predicate that species the set of valid starting states of the program. Recall that the predi-cateI
(a set of states) is interpreted as the property consisting of all behaviors whose starting state is inI
.next-state relation
The next-state relation N is a set of pairs of states that describes the state transitions allowed by the program, where (s;t
) 2 N i executing one step of the program starting in states
can produce the new statet
. It is described explicitly by the program text and the assumptions about what actions are considered to be atomic. The next-state relation N determines a property TA(N), dened by 2TA(N) is
i() =s
i+1() or (s
i(); s
i+1())2N, for alli
0. In other words, TA(N) is the set of all behaviors in which each nonstuttering step is allowed by the next-state relationN.progress property
The next-state relation species what state changes may occur, but it does not require that any state changes actually do occur. The progress propertyL
species what must occur. A commontype of progress property is one asserting that if some state change is allowed by the next-state relation, then some state change must occur.
Formally, the program is the property
I
\TA(N)\L
. Note thatI
andTA(N), and hence
I
\TA(N), are safety properties.All assertional methods of reasoning about concurrent programs are based on a description of the program in terms of a set of states, an ini-tial predicate, and a next-state relation. By now, these methods should be familiar enough that there is no need for us to discuss those parts of the program. Progress properties are less well understood and merit further consideration.
4.1.2 The Progress Property
Assertional methods that deal with liveness properties need some way of specifying the program's progress property. The requirement that the pro-gram be executable in practice constrains the type of progress property that can be allowed. The initial state and the computer instructions executed by a program are derived from the program's code, which species the next-state relation. The progress property should constrain the eventual scheduling of instructions, but not which instructions are executed. For the program to be executable in practice, the state transitions that it may perform must be determined by the initial state and the next-state relation alone; they must not be constrained by the progress property.
As an example, consider the simple next-state relation pictured in Fig-ure 2, where the program state consists of the value of the single variable
x
. Assume that the initial predicate asserts thatx
equals 0. The property asserting thatx
= 3 holds at some time during execution, usually written3(
x
= 3), is a liveness property. However, for the program to satisfy this property, it must not make the state transition fromx
= 0 tox
= 1 allowed by the next-state relation. Thus, if 3(x
= 3) were the program's progress property, a compiler would have to deduce that the transition fromx
= 0 tox
= 1, which is permitted by the next-state relation, must not occur.The condition that the progress property
L
does not further constrain the initial state or the next-state relation is expressed formally by the following conditions, which are all equivalent.For every nite behavior prex
withbinI
\TA(N), there exists a behavior inI
\TA(N)\L
such that is a prex of.
I
\TA(N) =I
\TA(N)\L
&% The last condition asserts that the safety properties satised by the pro-gram are completely determined by the initial predicate and the next-state relation; in other words, the progress property does not add any safety prop-erties.
We dene a pair (
M;P
) of properties to be machine-closed iM
=P
. (The term \machine-closed" was introduced in [AL91].) Machine closure of (M;P
) means thatP
does not imply any safety properties not implied byM
. So, ifL
is a progress property, we expect the pair (I
\TA(N); I
\TA(N) \
L
) to be machine-closed. When this condition is satised, we sometimes informally write that the progress propertyL
or the program is machine-closed. To our knowledge, all the progress assumptions that have been proposed for programs are machine-closed.A program's progress property is usually called a fairness condition.
There have been few attempts to give a general denition of fairness. Manna and Pnueli [MP87] dene a class of \fairness" properties that is independent of any next-state relation, but they provide no justication for their termi-nology. Apt, Francez, and Katz [AFK88] discuss three \fairness criteria";
one of them is machine-closure, which they call \feasibility".
Most of the progress properties that have been proposed can be stated as fairness conditions on program actions|for example, the condition that certain state transitions cannot be enabled forever without occurring. These progress properties are not all generally considered to be fairness properties.
In particular, the property asserting that the entire program never stops if some step can be executed is machine-closed, but multiprocess programs
satisfying only this progress assumption are generally called unfair. We believe that machine-closure provides the proper denition of a progress property, and that any distinction between fairness properties and progress properties is probably language-dependent and not fundamental.