## win and sin: Predicate transformers for concurrency (1990)

Venue: ACM Transactions on Programming Languages and Systems

Citations: 32 - 3 self

### BibTeX

@ARTICLE{Lamport90winand,
  author = {Leslie Lamport},
  title = {win and sin: Predicate transformers for concurrency},
  journal = {ACM Transactions on Programming Languages and Systems},
  year = {1990},
  volume = {12},
  number = {3},
  pages = {396--428}
}

### Abstract

Digital Equipment Corporation

The weakest liberal precondition and strongest postcondition predicate transformers are generalized to the weakest invariant and strongest invariant. These new predicate transformers are useful for reasoning about concurrent programs containing operations in which the grain of atomicity is unspecified. They can also be used to replace behavioral arguments with more rigorous assertional ones.

### Citations

1505 | A Discipline of Programming - Dijkstra - 1976
Citation Context ...n) and sp (the strongest postcondition) for proving partial correctness properties of sequential programs were developed in the early 1970's by de Bakker and others [3; 4] and popularized by Dijkstra [5]. Here, we generalize them to the predicate transformers win (the weakest invariant) and sin (the strongest invariant) for proving safety properties of concurrent programs. Some of the ideas presented...

1469 | An Axiomatic Basis for Computer Programming - Hoare - 1969
Citation Context ... program statement, and (ii) the state includes control variables, not just ordinary program variables. Proving Hoare Triples The language-independent rules for reasoning about ordinary Hoare triples [8] apply to our Hoare triples as well. Because our states include control variables, we do not need a separate axiom or proof rule for every language construct. Instead, we can use the simple rule that,...

366 | A distributed algorithm for minimum-weight spanning trees - Gallager, Humblet, et al. - 1983
Citation Context ...xamples to replace the hybrid proof with a simple, assertional one. This is illustrated by a distributed algorithm abstracted from part of a well-known algorithm for computing a minimum spanning tree [6]. This paper is primarily concerned with applications of win and sin rather than with their formal properties. The treatment of the formalism is brief, and no attempt is made to develop a complete pro...

332 | An axiomatic proof technique for parallel programs - Owicki, Gries - 1976
Citation Context ...max{num [j] : j ≠ i}#; # i : cobegin j ≠ i # ij : #await i # j# coend; cs i : #critical section#; # i : #num[i] := 0# endloop coend Fig. 1. A simplified version of the bakery algorithm. Gries method [10; 14], and we describe this method only for programs that can be written in a very simple language. 2. ASSERTIONAL REASONING We begin with a review of the traditional approach to concurrent program verific...

325 | Proving the correctness of multiprocess programs - Lamport - 1977
Citation Context ...rations. Our proof reveals that the algorithm has a subtle bug---more precisely, its correctness depends upon unstated assumptions. Correctness proofs of the bakery algorithm have appeared in [9] and [10], and a proof of a variant, requiring the same assumptions, appeared in [11]. The fact that none of these other proofs revealed the hidden assumption indicates the utility of the approach presented he...

223 | A new solution of Dijkstra’s concurrent programming problem - Lamport - 1974
Citation Context ...g that it is atomic. While not having to introduce unnecessary atomicity is aesthetically pleasing, it offers little practical benefit. The second example, a correctness proof of the bakery algorithm [9], is more compelling. The bakery algorithm is a mutual exclusion algorithm that makes no atomicity assumptions about its operations. Our proof reveals that the algorithm has a subtle bug---more precis...

46 | Proving assertions about parallel programs - Ashcroft - 1975
Citation Context ...es not access any set of variables that does not contain the x p and is not accessed by any of the e p . In the simplified bakery algorithm, the action described by # 2 modifies only the variables num[2], at(# 2 ), and at(# 2j ) for all j ≠ 2; it does not access the set {at(# 1 ), at(# 12 )} (as well as many other sets of variables). the set {at(cs i ), at(# i )}. What all this means is that there i...

31 | A Calculus for Recursive Program Schemes - Bakker, Roever - 1973
Citation Context ...lp (the weakest liberal precondition) and sp (the strongest postcondition) for proving partial correctness properties of sequential programs were developed in the early 1970's by de Bakker and others [3; 4] and popularized by Dijkstra [5]. Here, we generalize them to the predicate transformers win (the weakest invariant) and sin (the strongest invariant) for proving safety properties of concurrent progr...

29 | On folk theorems - Harel - 1980
Citation Context ...ic if it contains at most one access to a shared variable. We call this assumption the single-access rule. It was first published by Owicki and Gries in [14], but probably qualifies as a folk theorem [7]. In the traditional method of reasoning about a concurrent program, one first applies the single-access rule to replace the program with one containing larger atomic operations and then applies the a...

27 | A New Approach to Proving the Correctness of Multiprocess Programs - Lamport - 1979

23 | The “Hoare logic” of CSP, and All That - Lamport, Schneider - 1984
Citation Context ...rogram states before and after the execution of each atomic operation of a program. The appropriate generalization of the Hoare triple {P} S {Q} is the assertion that S leaves a predicate I invariant [13]. Because the invariant I describes the program state during execution, it must depend upon the control state as well as on the values of ordinary program variables. The predicate transformers wlp (th...

17 | On the completeness of the inductive assertion method - Bakker, Meertens - 1975
Citation Context ...lp (the weakest liberal precondition) and sp (the strongest postcondition) for proving partial correctness properties of sequential programs were developed in the early 1970's by de Bakker and others [3; 4] and popularized by Dijkstra [5]. Here, we generalize them to the predicate transformers win (the weakest invariant) and sin (the strongest invariant) for proving safety properties of concurrent progr...

10 | The "Hoare logic" of CSP, and all that - Lamport, Schneider - 1984
Citation Context ...program states before and after the execution of each atomic operation of a program. The appropriate generalization of the Hoare triple {P} S {Q} is the assertion that S leaves a predicate I invariant [13]. Because the invariant I describes the program state during execution, it must depend upon the control state as well as on the values of ordinary program variables. The predicate transformers wlp (th...

9 | Reasoning about nonatomic operations - Lamport - 1983
Citation Context ... the predicate transformers win (the weakest invariant) and sin (the strongest invariant) for proving safety properties of concurrent programs. Some of the ideas presented here originally appeared in [12], but with a different notation. The wlp and sp operators are useful because they allow one to encode partial Author's address: Systems Research Center, Digital Equipment Corporation, 130 Lytton Avenue,...

6 | Ten years of Hoare’s logic: A survey—part one - Apt - 1981
Citation Context ...an be used in a program annotation to prove a partial correctness property. While it is well known that the ability to express such predicates is necessary for a logic of Hoare triples to be complete [1], the practical utility of these predicates in proving partial correctness properties is not widely appreciated. In an analogous fashion, the predicate transformers win and sin are useful for proving ...