A multiprocess program executing on a modern multiprocessor must issue explicit commands to synchronize memory accesses. A method is proposed for deriving the necessary commands from a correctness proof of the underlying algorithm in a formalism based on temporal relations among operation executions. index terms concurrency, memory consistency, multiprocessor, synchronization, verification

The UNITY-logic is a fragment of linear temporal logic. It was designed to specify safety and and progress properties of reactive systems. Experience gained in applying this logic in practice has led us to modify some of its operators. In particular, we had adopted unless as the primary operator for expressing safety properties for many years. We suggest a new operator, co, to take its place. Our experience suggests that the simplicity of formal manipulations is at least as important as the expressive power of an operator. Theoretically, unless and co are equally expressive, while the latter has more pleasing derived rules that allow simpler manipulations. This research is presented in two papers. We study safety properties in the first paper and progress properties in the second paper. We use a small amount of theory to introduce the co operator. The major portion of the paper is devoted to applying the theory in practice: showing how various safety properties can be expressed and manipulated using co.

The notion of fairness in trace-based formalisms is examined. It is argued that, in general, fairness means machine closure. The notion of hyperfairness introduced by Attie, Francez, and Grumberg is generalized to arbitrary action systems. Also examined are the fairness criteria proposed by Apt, Francez, and Katz.

This paper presents a theory for concurrent program composition based on a predicate transformer call the the weakest guarantee and a corresponding binary relation guarantees. The theory stems from a novel view of rely-guarantee techniques for reasoning about program composition and provides a general and uniform framework for handling temporal properties as well as other kinds of program properties such as refinement and encapsulation. 1 Introduction The contribution of this paper is a predicate-transformer based theory for reasoning about the composition of concurrent programs. This section contains the motivation for this contribution and a discussion of the central issues. The predicate transformers wp and wlp provide an elegant basis for reasoning about sequential programs because they focus attention on the most fundamental aspects of these programs: their initial and final states [DS90]. By identifying a program with its predicate transformer, we can reason about programs using...

We present an N-process local-spin mutual exclusion algorithm, based on nonatomic reads and writes, in which each process performs \Theta (log N) remote memory references to enter and exit its critical section. This algorithm is derived from Yang and Anderson's atomic tree-based local-spin algorithm in a way that preserves its time complexity. No atomic read/write algorithm with better asymptotic worst-case time complexity (under the remote-memory-references measure) is currently known. This suggests that atomic memory is not fundamentally required if one is interested in worst-case time complexity. The same cannot be said if one is interested in fast-path algorithms (in which contention-free time complexity is required to be O(1)) or adaptive algorithms (in which time complexity is required to be proportional to the number of contending processes). We show that such algorithms fundamentally require memory accesses to be atomic. In particular, we show that for any N-process nonatomic algorithm, there exists a single-process execution in which the lone competing process executes \Omega (log N / log log N) remote operations to enter its critical section. Moreover, these operations must access \Omega (plog N / log log N) distinct variables, which implies that fast and adaptive algorithms are impossible even if caching techniques are used to avoid accessing the processors-to-memory interconnection network.

We argue that it is possible, and sometimes useful, to reason about nonatomic programs within the conventional atomic model of concurrency.

Mutual exclusion is a topic that Leslie Lamport has returned to many times throughout his career. This article, which is being written in celebration of Lamport's sixtieth birthday, is an attempt to survey some of his many contributions to research on this topic.

. Formal tools and methods for the design of concurrent programs can be very similar to their sequential counterparts, but nevertheless concurrent programming seems more difficult than sequential programming. Detailed examples in the literature suggest that this particular difficulty originates from interaction problems, when a fine grain of parallelism is required. A systematic technique is proposed to transform a coarse-grained version of a concurrent system into a finer-grained one, through a series of refinements. This technique is illustrated with a classical but still unproved algorithm for mutual exclusion. The incremental development clearly involves two kinds of steps. "Creative" transformations appear mainly at the beginning; these steps are short but rather subtle. "Technical " transformations are routine steps but involve lengthy formal developments. With a careful separation of creative and technical refinements, developments of concurrent programs become lon...

v Table of Contents vi 1. Introduction 1 1.1 Subject : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1 1.2 Method : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 3 1.3 Organization : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 5 1.4 Caveats : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 6 I Theory 7 2. Preliminaries 8 2.1 Notational conventions : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 8 2.2 Predicate transformers : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 9 2.3 Programs : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 13 2.4 Properties : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 14 2.5 Closures : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 21 2.6 Guarding : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 22 3. Cont...

Timed Abstract Speed-Indep.