
PROGRESS-BASED VERIFICATION AND DERIVATION OF CONCURRENT PROGRAMS

Brijesh Dongol

A THESIS SUBMITTED FOR THE DEGREE OF DOCTOR OF PHILOSOPHY AT THE UNIVERSITY OF QUEENSLAND IN MARCH 2009

SCHOOL OF INFORMATION TECHNOLOGY AND ELECTRICAL ENGINEERING

Declaration by author

This thesis is composed of my original work, and contains no material previously published or written by another person except where due reference has been made in the text. I have clearly stated the contribution by others to jointly-authored works that I have included in my thesis.

I have clearly stated the contribution of others to my thesis as a whole, including statistical assistance, survey design, data analysis, significant technical procedures, professional editorial advice, and any other original research work used or reported in my thesis. The content of my thesis is the result of work I have carried out since the commencement of my research higher degree candidature and does not include a substantial part of work that has been submitted to qualify for the award of any other degree or diploma in any university or other tertiary institution. I have clearly stated which parts of my thesis, if any, have been submitted to qualify for another award.

I acknowledge that an electronic copy of my thesis must be lodged with the University Library and, subject to the General Award Rules of The University of Queensland, immediately made available for research and study in accordance with the Copyright Act 1968.

I acknowledge that copyright of all material contained in my thesis resides with the copyright holder(s) of that material.

Statement of Contributions to Jointly Authored Works Contained in the Thesis

• B. Dongol and I. J. Hayes. Enforcing safety and progress properties: An approach to concurrent program derivation. 2009. To appear in ASWEC 09.
  I was the primary author of this paper. My principal advisor Ian J. Hayes supervised the work and helped clarify the notion of an enforced property. He provided valuable feedback and encouragement on early drafts and was actively involved in the final editing of the paper.

• B. Dongol and I. J. Hayes. Trace semantics for the Owicki-Gries theory integrated with the progress logic from UNITY. Technical Report SSE-2007-02, The University of Queensland, 2007.
  I was the primary author of this paper. My supervisor Ian J. Hayes provided valuable feedback and encouragement on early drafts of the paper.

• R. Colvin and B. Dongol. A general technique for proving lock-freedom. Sci. Comput. Program., 74(3):143–165, 2009.
  Both authors were actively involved in the development of all material contained within this paper. The proofs within this paper do not appear in this thesis; however, the ideas behind the proof technique have been applied to a simpler example (Section 5.4.1).

• B. Dongol and A. J. Mooij. Streamlining progress-based derivations of concurrent programs. Formal Aspects of Computing, 20(2):141–160, March 2008. Earlier version appeared as Tech Report SSE-2006-06, The University of Queensland.
  Both authors were actively involved in the development of all material contained within this paper. This thesis contains a more general and improved version of the theorems in this paper. The example derivation in this paper (Dekker's algorithm) has also been improved and related to refinement using enforced properties.

• R. Colvin and B. Dongol. Verifying lock-freedom using well-founded orders. In Cliff B. Jones, Zhiming Liu, and Jim Woodcock, editors, ICTAC, volume 4711 of Lecture Notes in Computer Science, pages 124–138. Springer, 2007.
  Both authors were actively involved in the development of all material contained within this paper. These earlier ideas have been superseded by [CD09].

• B. Dongol and A. J. Mooij. Progress in deriving concurrent programs: Emphasizing the role of stable guards. In Tarmo Uustalu, editor, 8th International Conference on Mathematics of Program Construction, volume 4014 of LNCS, pages 140–161. Springer, 2006.
  Both authors were actively involved in the development of all material contained within this paper. This thesis contains a more general and improved version of the theorems in this paper. The example derivations in this paper (Initialisation Protocol and Peterson's algorithm) have also been improved and related to refinement using enforced properties.

• B. Dongol and D. Goldson. Extending the theory of Owicki and Gries with a logic of progress. Logical Methods in Computer Science, 2(6):1–25, March 2006.
  Both authors were actively involved in the development of all material contained within this paper. This thesis contains an improved version of the logic contained within this paper. Some errors have also been corrected.

• D. Goldson and B. Dongol. Concurrent program design in the extended theory of Owicki and Gries. In M. Atkinson and F. Dehne, editors, CATS, volume 41 of CRPIT, pages 41–50. Australian Computer Society, 2005.
  I was the secondary author of this paper. My then supervisor Doug Goldson came up with the original derivation, which I helped refine and proofread. I was also involved in preparation and editing of the paper. This early derivation of Dekker's algorithm has been improved several times and does not appear in this thesis.

Statement of Contributions by Others to the Thesis as a Whole

This thesis has significantly benefited from the direction and supervision provided by my principal advisor Ian J. Hayes. We engaged in active discussions on all material within this thesis. I was given valuable feedback on both technical and typographical errors. This thesis would not be in its current form without the input of Ian J. Hayes. I acknowledge the input of my co-advisor Robert Colvin, who provided me with valuable feedback on earlier drafts of this thesis. I also acknowledge the input of my co-authors to jointly published work.

Statement of Parts of the Thesis Submitted to Qualify for the Award of Another Degree

None.

Published Works by the Author Incorporated into the Thesis

• B. Dongol. Formalising progress properties of non-blocking programs. In Zhiming Liu and Jifeng He, editors, ICFEM, volume 4260 of LNCS, pages 284–303. Springer, 2006.
  Incorporated into Section 3.3. The presentation in this thesis uses an improved logic, which simplifies the presentation.

• B. Dongol. Towards simpler proofs of lock-freedom. In Proceedings of the 1st Asian Working Conference on Verified Software, pages 136–146, 2006.
  This work has been superseded by the work in [CD07, CD09].

Additional Published Works by the Author Relevant to the Thesis but not Forming Part of it

• B. Dongol. Derivation of Java Monitors. In Australian Software Engineering Conference (ASWEC), pages 211–220, 2006.

Acknowledgements

I would first like to thank my supervisor Prof. Ian J. Hayes, whose dedication, attention to detail, and wonderfully insightful comments have not only shaped this thesis, but also allowed me to develop as an academic. His formal methods expertise has been invaluable for developing my own research, and I have appreciated his support of my teaching duties.

I would like to thank my co-supervisor Dr. Robert Colvin for his many insightful comments, corrections, and tireless re-readings of earlier drafts. I started my candidature under supervision of Dr. Doug Goldson, who provided me with early direction and research advice. Our early collaborative work has fostered many of the ideas contained within this thesis. I have also enjoyed my collaborations with Dr. Arjan Mooij, whom I have yet to meet in person. I am indebted to A/Prof. Lindsay Groves for providing me with a summer position at the Victoria University of Wellington prior to my candidature.

I would like to thank my referees Profs Michael Butler and John Derrick for additional comments. I also thank Simon Doherty, Roger Duke, Larissa Meinicke, Rakesh Shukla, and Maggie Wojcicki for support. Of course, I am grateful to all my family and friends for their support, in particular, my parents Bilas and Sama, and my brother Robin.

This thesis would not have been possible without the funding provided by the Australian Research Council. I am thankful for the facilities provided by the School of Information Technology and Electrical Engineering at The University of Queensland.

Abstract

Concurrent programs are known to be complicated because synchronisation is required amongst the processes in order to ensure safety (nothing bad ever happens) and progress (something good eventually happens). Due to possible interference from other processes, a straightforward rearrangement of statements within a process can lead to dramatic changes in the behaviour of a program, even if the behaviour of the process executing in isolation is unaltered. Verifying concurrent programs using informal arguments is usually unconvincing, which makes formal methods a necessity. However, formal proofs can be challenging due to the complexity of concurrent programs. Furthermore, safety and progress properties are proved using fundamentally different techniques. Within the literature, safety has been given considerably more attention than progress.

One method of formally verifying a concurrent program is to develop the program, then perform a post-hoc verification using one of the many available frameworks. However, this approach tends to be optimistic because the developed program seldom satisfies its requirements. When a proof becomes difficult, it can be unclear whether the proof technique or the program itself is at fault. Furthermore, following any modifications to program code, a verification may need to be repeated from the beginning. An alternative approach is to develop a program using a verify-while-develop paradigm. Here, one starts with a simple program together with the safety and progress requirements that need to be established. Each derivation step consists of a verification, followed by the introduction of new program code motivated by the proofs themselves.