0
play

0 The evil that men do lives after them. Julius Caesar , by William - PowerPoint PPT Presentation

Temporal Logic: The Lesser of Three Evils Leslie Lamport Microsoft Research 0 The evil that men do lives after them. Julius Caesar , by William Shakespeare 0 Where I Started Making sure my concurrent algorithms were right. Proving the


  1. The Real Problem Writing a specification as a list of properties doesn’t work. No one can understand the consequences of a list of properties. 6

  2. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  3. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  4. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  5. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  6. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  7. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  8. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  9. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Alpha memory specification model allowed this: Initially: ① = ② = 0 Process 1: if ① = 23 then ② := 42 Process 2: if ② = 42 then ① := 23 After execution: ① = 23, ② = 42 7

  10. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Itanium memory specification document. We wrote a TLA + specification and used our tools to check the document’s tiny examples. We found several errors. 7

  11. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Itanium memory specification document. We wrote a TLA + specification and used our tools to check the document’s tiny examples. We found several errors. 7

  12. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. The original Itanium memory specification document. We wrote a TLA + specification and used our tools to check the document’s tiny examples. We found several errors. 7

  13. An Example: Weak Memory Models Typically specified by axioms. Even their designers don’t understand them. No one can figure out from a list of axioms what a tiny bit of concurrent code can do. 8

  14. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  15. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  16. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  17. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  18. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  19. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  20. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  21. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  22. What works Specify liveness with Amir’s original temporal logic. Specify safety by a state machine (abstract program). How to do this in temporal logic: Generalize Amir’s temporal logic. Don’t add new temporal operators. Do generalize elementary formulas from state predicates to transition predicates. But that’s another story. 9

  23. What is Evil About Temporal Logic A fundamental rule of ordinary math: to prove ❆ ⇒ ❇ , we assume ❆ and prove ❇ . The Deduction Principle: P ◗ P ⇒ ◗ The deduction principle is not valid for temporal logic (and other modal logics). For example, a basic rule of temporal logic asserts that if P is true then it is always true. P ✷ P 9

  24. What is Evil About Temporal Logic A fundamental rule of ordinary math: to prove ❆ ⇒ ❇ , we assume ❆ and prove ❇ . The Deduction Principle: P ◗ P ⇒ ◗ The deduction principle is not valid for temporal logic (and other modal logics). For example, a basic rule of temporal logic asserts that if P is true then it is always true. P ✷ P 9

  25. What is Evil About Temporal Logic A fundamental rule of ordinary math: to prove ❆ ⇒ ❇ , we assume ❆ and prove ❇ . The Deduction Principle: P ◗ P ⇒ ◗ The deduction principle is not valid for temporal logic (and other modal logics). For example, a basic rule of temporal logic asserts that if P is true then it is always true. P ✷ P 9

  26. What is Evil About Temporal Logic A fundamental rule of ordinary math: to prove ❆ ⇒ ❇ , we assume ❆ and prove ❇ . The Deduction Principle: P ◗ P ⇒ ◗ The deduction principle is not valid for temporal logic (and other modal logics). For example, a basic rule of temporal logic asserts that if P is true then it is always true. P ✷ P 9

  27. What is Evil About Temporal Logic A fundamental rule of ordinary math: to prove ❆ ⇒ ❇ , we assume ❆ and prove ❇ . The Deduction Principle: P ◗ P ⇒ ◗ The deduction principle is not valid for temporal logic (and other modal logics). For example, a basic rule of temporal logic asserts that if P is true then it is always true. P ✷ P 9

  28. From P ◗ P ⇒ ◗ and P ✷ P by substituting ✷ P for ◗ we deduce P ⇒ ✷ P which asserts that if P is true now then it is always true. 10

  29. From P ◗ P ⇒ ◗ and P ✷ P by substituting ✷ P for ◗ we deduce P ⇒ ✷ P which asserts that if P is true now then it is always true. 10

  30. From P ◗ P ⇒ ◗ and P ✷ P by substituting ✷ P for ◗ we deduce P ⇒ ✷ P which asserts that if P is true now then it is always true. 10

  31. From P ◗ P ⇒ ◗ and P ✷ P by substituting ✷ P for ◗ we deduce P ⇒ ✷ P which asserts that if P is true now then it is always true. 10

  32. From ❝ ★★ ❝ ❝ ★★★★★ P ❝ ❝ ◗ ❝ ❝ P ⇒ ◗ ❝ ★★ ❝ ❝ ★★★★★ and ❝ ❝ N O T ❝ P ❝ ★★ ❝ ✷ P ❝ ★★★★★ ❝ ❝ by substituting ✷ P for ◗ we deduce ❝ ❝ ❝ P ⇒ ✷ P ★★★★ ❝ ❝ ❝ which asserts that if P is true now then it is always true. ❝ 10

  33. In modal logics, implication ( P ⇒ ◗ ) and inference ( P ◗ ) are different. This is confusing. Martín Abadi and I once believed a false result for several days because this confused us. A logic that can confuse Martín is evil. 10

  34. In modal logics, implication ( P ⇒ ◗ ) and inference ( P ◗ ) are different. This is confusing. Martín Abadi and I once believed a false result for several days because this confused us. A logic that can confuse Martín is evil. 10

  35. In modal logics, implication ( P ⇒ ◗ ) and inference ( P ◗ ) are different. This is confusing. Martín Abadi and I once believed a false result for several days because this confused us. A logic that can confuse Martín is evil. 10

  36. In modal logics, implication ( P ⇒ ◗ ) and inference ( P ◗ ) are different. This is confusing. Martín Abadi and I once believed a false result for several days because this confused us. A logic that can confuse Martín is evil. 10

  37. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  38. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  39. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  40. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  41. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  42. Greater Evil #1 Temporal logic is modal because it has an implicit time variable. A solution: make time explicit. For example: P ❀ ◗ becomes ∀ t : ( P ( t ) ⇒ ∃ s ≥ t : ◗ ( s )) . This makes formulas ugly and hard to understand. Trying to eliminate this is what led Amir to temporal logic. (He was inspired by Nissim Francez’s thesis.) 11

  43. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  44. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  45. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  46. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  47. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  48. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  49. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  50. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  51. Greater Evil #2 Use a programming logic. Some programming logics: Hoare Logic (Tony Hoare 1968) Dynamic Logic (Vaughan Pratt 1974) Weakest Preconditions (Edsger Dijkstra 1975) Action Systems (Ralph Back ∼ 1983) What they have in common: programs appear in formulas of the “logic”. Why are they evil? First a digression. 12

  52. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  53. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  54. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  55. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  56. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  57. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  58. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  59. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  60. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  61. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while Two-Phase Handshake , an important hardware protocol 14

  62. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . See festschrift for Willem-Paul de Roever. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 15

  63. We can derive Program 2 from Program 1 by substituting ♣ + q mod 2 for ① . See festschrift for Willem-Paul de Roever. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 15

  64. A derivation is a refinement proof run backwards. Refinement is substitution. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 15

  65. A derivation is a refinement proof run backwards. Refinement is substitution. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 15

  66. How do you substitute ♣ + q mod 2 for ① in a program? It can’t be done. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 16

  67. How do you substitute ♣ + q mod 2 for ① in a program? It can’t be done. Program 1: initially ① = 0 while TRUE do if ① = 0 then Pr♦❞ else ❈♦♥s end if ; ① := ① + 1 mod 2 end while Program 2: initially ♣ = q = 0 Process 1: while TRUE do await ♣ = q ; Prod ; ♣ := ♣ + 1 mod 2 end while Process 2: while TRUE do await ♣ � = q ; Cons ; q := q + 1 mod 2 end while 16

  68. Why Programming Logics are Evil Substitution of an expression for a variable is a fundamental operation of mathematics. A logic that doesn’t permit substitution is evil. Program refinement is based on substitution. A programming logic that doesn’t permit substitution is especially evil. Refinement by substitution is not a problem with temporal logic. Temporal logic is a lesser evil. 17

Recommend


More recommend