Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic


Electronic Communications of the EASST
Volume 53 (2012)

Proceedings of the
12th International Workshop on

Automated Verification of Critical Systems
(AVoCS 2012)

Fractional Permissions and Non-Deterministic Evaluators in Interval
Temporal Logic

Brijesh Dongol, John Derrick, Ian J. Hayes

15 pages

Guest Editors: Gerald Lüttgen, Stephan Merz
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Fractional Permissions and Non-Deterministic Evaluators in
Interval Temporal Logic

Brijesh Dongol1, John Derrick2∗, Ian J. Hayes 3†

1 B.Dongol@sheffield.ac.uk, 2 J.Derrick@dcs.shef.ac.uk
Department of Computer Science,

The University of Sheffield
3 Ian.Hayes@itee.uq.edu.au

School of Information Technology and Electrical Engineering
The University of Queensland

Abstract: We propose Interval Temporal Logic as a basis for reasoning about con-
current programs with fine-grained atomicity due to the generality it provides over
reasoning with standard pre/post-state relations. To simplify the semantics of paral-
lel composition over intervals, we use fractional permissions, which allows one to
ensure that conflicting reads and writes to a variable do not occur simultaneously.
Using non-deterministic evaluators over intervals, we enable reasoning about the
apparent states over an interval, which may differ from the actual states in the inter-
val. The combination of Interval Temporal Logic, non-deterministic evaluators and
fractional permissions results in a generic framework for reasoning about concurrent
programs with fine-grained atomicity. We use our logic to develop rely/guarantee-
style rules for decomposing a proof of a large system into proofs of its subcom-
ponents, where fractional permissions are used to ensure that the behaviours of a
program and its environment do not conflict.

Keywords: Interval Temporal Logic, Fractional Permissions, Non-deterministic
Expression Evaluation, Parallel Composition, Compositional Reasoning

1 Introduction

Current frameworks for reasoning about shared-variable concurrency are based on interleaving
models (e.g., [OG76, Jon83, STER11]) or are an extension of Hoare’s methods for reasoning
about sequential programs [Hoa69] (e.g., separation logic [Rey02]). A common aspect of these
frameworks is that they consider relations between the pre- and post-states of a program tran-
sition. In the context of modern multicore/multiprocessor systems that use so-called relaxed
memory models, a relational view is not always adequate because it is possible for concurrent
processes to execute in a truly concurrent manner (e.g., by threads that are executed in another
processor core). Thus, program verification poses a difficult challenge because one is often
forced to consider the internal behaviour of a command. In particular, one cannot rely on stabil-
ity of the shared variables from the pre-state of a transition because variables may be modified

∗ Brijesh Dongol and John Derrick are sponsored by EPSRC Grant EP/J003727/1.
† Ian J. Hayes is sponsored by ARC Discovery Grant DP0987452.

1 / 15 Volume 53 (2012)

mailto:B.Dongol@sheffield.ac.uk
mailto:J.Derrick@dcs.shef.ac.uk
mailto:Ian.Hayes@itee.uq.edu.au


Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

while an expression is being evaluated [HBDJ11]. Our goals for this paper are not to verify
the low-level relaxed memory models [SVN+11]. Instead, we aim to develop a framework for
verifying (high-level) programs in which state predicates may not be evaluated atomically.

Example 1 Consider the parallel program (if u < v then S1 else S2 fi)‖(u := 1 ; v := 1), where
the if and the assignment statements are executed by processes x and y, respectively. Assume that
the initial state of the program satisfies u,v = 0,0. Using an execution model that only considers
pre/post-state relations, process x will always execute S2 because the state in which guard u < v
is evaluated satisfies either u,v = 0,0 (the initial state), u,v = 1,0 (the state after y executes u := 1)
or u,v = 1,1 (the state after y executes v := 1). This execution model does not accurately reflect
the real world where it is possible for values of variables to change while an expression is being
evaluated [CJ07, HBDJ11]. In particular, u could be read in the initial state (which satisfies
u,v = 0,0) and v could be read after both variables have changed (i.e., in a state that satisfies
u,v = 1,1), and hence there is an apparent state that satisfies u,v = 0,1, and it is possible for
process x to execute S1.

In this paper, we use Interval Temporal Logic [Mos00] to reason about a program’s behaviour
within the (discrete) interval of time in which the program executes. By combining interval-
based reasoning with logics for non-deterministic evaluation [HBDJ11], we develop a framework
that allows reasoning about both the actual and apparent states within an observation interval.
Hence, our framework accurately captures the possible fine-grained interleaving between parallel
components. In particular, we are able to identify that, in Example 1 it is possible for process x
to execute S1 (see Section 4.5.2).

An advantage of using Interval Temporal Logic is that the behaviour of the parallel compo-
sition of concurrent components may be defined to be the conjunction of the behaviour of each
component. Clearly, this causes no real problems if the sets of variables of the parallel compo-
nents are pairwise disjoint. However, if this is not the case, strong synchronisation requirements
are sometimes assumed. For example, Cau and Zedan require that any output of any component
is simultaneously (i.e., in the same state) read by another [CZ97], which is unrealistic. In reality,
a process that is writing to a location should prevent other parallel processes from writing to
and reading from the same location simultaneously [Boy03]. For example, with the program in
Example 1, process x should not read u in the transition in which process y updates the value
of u to 1. To formalise conflicting behaviours, we incorporate fractional permissions [Boy03]
into our framework, which allows read/write access to program variables to be controlled in a
straightforward manner. Fractional permissions have been incorporated into separation logic to
ensure that variables are not simultaneously modified [BCOP05].

To the best of our knowledge, a logic that combines Interval Temporal Logic [Mos00], non-
deterministic expression evaluation [HBDJ11] and fractional permissions [Boy03] as a method
for reasoning about fine-grained atomicity within truly concurrent programs is novel. In addition,
we develop a number of rules that enable decomposition of a proof of a larger component into
proofs of the subcomponents.

This paper is structured as follows. In Section 2 we present the theory of interval predicates
and methods for non-deterministically evaluating state predicates over an interval. We present
our treatment of fractional permissions in manner that allows integration with Interval Tempo-

Proc. AVoCS 2012 2 / 15



ECEASST

ral Logic in Section 3. In Section 4 we present commands, their formalisation using interval
predicates and their refinement. Section 5 presents compositional methods for reasoning about
commands.

2 Interval predicates and non-deterministic evaluation

2.1 Interval predicates

An interval is a contiguous set of integers (denoted Z), and hence the set of all intervals is:

Intv =̂ {∆ ⊆Z | ∀t,t′: ∆ • ∀u:Z • t ≤ u ≤ t′ ⇒ u ∈ ∆}

Using ‘.’ for function application, we let lub.∆ and glb.∆ denote the least upper and greatest
lower bounds of an interval ∆, respectively, and we define lub.∅ =̂ −∞ and glb.∅ =̂ ∞. If the size
of ∆ is infinite and glb.∆ ∈Z, then lub.∆ = ∞ (i.e,. is not a member of Z) and if ∆ is infinite and
lub.∆ ∈Z then glb.∆ = −∞.

We must often reason about two adjoining intervals, i.e., intervals that immediately precede
or follow a given interval. For ∆,∆′ ∈ Intv, we define

∆∝∆′ =̂ ∆ ,∅∧ ∆′ ,∅⇒ (lub.∆ < glb.∆′) ∧ (∆∪∆′ ∈ Intv)

Thus, ∆∝∆′ holds if and only if both lub.∆ < glb.∆′ holds (which ensures ∆′ follows ∆ and
that ∆ is disjoint with ∆′) and ∆∪∆′ ∈ Intv holds (which ensures that the union of ∆ and ∆′ is
contiguous). Note that both ∆∝∅ and ∅∝∆ hold trivially.

We use Empty.∆ to denote that the given interval ∆ is empty.

Empty.∆ =̂ ∆ = ∅

Given that variable names are taken from the set Var, a state space over a set of variables
V ⊆ Var is given by StateV =̂ V → Val and a state is a member of StateV , i.e., a state is a total
function mapping variables in V to values in Val. Note that we do not distinguish between
variables and the memory heap (e.g., as done in [Boy03, BCOP05]), however, our methods can
be extended to explicitly distinguish between the two concepts in a straightforward manner.

A stream of behaviours over V is given by the total function StreamV =̂ Z→ StateV , which
maps each time in Z to a state over V . A predicate over type T is a total function PT =̂ T →B
mapping each member of T to a Boolean. For example PStateV and PStreamV denote state and
stream predicates, respectively. To facilitate reasoning about specific parts of a stream, we use
interval predicates, which have type IntvPredV =̂ Intv →PStreamV .

We assume pointwise lifting of operators on stream and interval predicates in the normal
manner, e.g., if p1 and p2 are interval predicates, ∆ is an interval and s is a stream, we have
(p1 ∧ p2).∆.s = (p1.∆.s ∧ p2.∆.s). When reasoning about properties of programs, we would like
to state that whenever a property p1 holds over any interval ∆ and stream s, a property p2 also
holds over ∆ and s. Hence, we define universal implication for p1,p2 ∈ IntvPredV as

p1 V p2 =̂ ∀∆: Intv,s: StreamV • p1.∆.s ⇒ p2.∆.s

We say p1 ≡ p2 holds iff both p1 V p2 and p2 V p1 hold.

3 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

2.2 Evaluating state predicates over intervals

Most implementations only guarantee that at most one global variable can be read in a single
atomic step. Thus, in the presence of possibly interfering processes and fine-grained atomic-
ity, an evaluation model that assumes that a state predicate containing multiple variables can be
evaluated in a single state may not be implementable [CJ07, JP11]. That is, although an imple-
mentation evaluates a state predicate using a number of fine-grained atomic steps, this reality
is not reflected in a model that assumes coarse-grained atomicity. Hence, we consider methods
for non-deterministically evaluating state predicates over an observation interval [HBDJ11]. To
this end, we consider the sets of states and sets of apparent states evaluators, which we introduce
using Examples 2 and 3, respectively. The evaluators are formalised using functions states and
apparent, which for an interval ∆ and stream s are defined below:

states.∆.s =̂ {σ: StateV | ∃t: ∆ • σ = s.t}

apparent.∆.s =̂ {σ: StateV | ∀v: V • ∃t: ∆ • σ.v = s.t.v}

Example 2 (Sets of states) Consider the statements u := 1 ; v := 1 from Example 1 which we
assume are executed over an interval ∆ from an initial state that satisfies u,v = 0,0. Assuming no
other (parallel) modifications to u and v, for some stream s over {u,v}, the set of actual states that
the assignments generate are:

states.∆.s =
{
{u 7→ 0,v 7→ 0},{u 7→ 1,v 7→ 0},{u 7→ 1,v 7→ 1}

}
.

The sets-of-states approach evaluates the given state predicate in one of the actual states of the
observation interval. For example, u ≤ v evaluated in s within ∆ above has possible values
{false,true}. Both u < v and v = v only have a single possible value, false and true, respectively.

Although the sets-of-states approach takes the non-determinism that results from concurrent
executions into account, the approach does not reflect the fact that most implementations will
only be able to read at most one variable atomically. Thus, we consider a second approach in
which at most one variable is read in each state of the observation interval. However, each free
variable of a state predicate is read at most once, and the same value is used for each occurrence
of the variable within the state predicate1.

Example 3 (Sets of apparent states.) The set of apparent states corresponding to Example 1 is2:

apparent.∆.s =
{
{u 7→ 0,v 7→ 0},{u 7→ 1,v 7→ 1},{u 7→ 0,v 7→ 1},{u 7→ 1,v 7→ 0}

}
.

Note that apparent.∆.s = states.∆.s∪{{u 7→ 0,v 7→ 1}}. Using a sets of apparent states evaluation,
a predicate is evaluated in one of the states of apparent.∆.s. Hence, unlike the sets of states
approach, the possible values of both u ≤ v and u < v are {false,true}. However, v = v still only
has one possible value, true, because the same value of v is used for both occurrences of v.

1 It is possible to define evaluators that, for example, (re)read a variable for each occurrence of the variable, and hence,
potentially returns false for v = v if the value of v changes during the observation interval [CJ07, JP11, HBDJ11].
2 Note that the apparent states within an interval may differ from the Cartesian product between variables in V and
their values in the interval.

Proc. AVoCS 2012 4 / 15



ECEASST

Two useful operators for a sets of states evaluation of a state predicate c are �c and �c, which
ensure that c holds in all and some actual state of the given stream within the given interval,
respectively. Similarly, two useful operators for a sets of apparent states evaluation allow one to
formalise that c definitely holds (denoted �c) and c possibly holds (denoted �c) in all apparent
states of a stream within an interval.

(�c).∆.s =̂ ∀σ: states.∆.s • c.σ
( �c).∆.s =̂ ∃σ: states.∆.s • c.σ

(�c).∆.s =̂ ∀σ: apparent.∆.s • c.σ
( �c).∆.s =̂ ∃σ: apparent.∆.s • c.σ

The following lemma states a relationship between definitely and always properties, as well as
between possibly and sometime properties [HBDJ11].

Lemma 1 Both �c V �c and �c V �c hold, but the converses of both implications are not
necessarily true.

We say a variable v is stable at time t in stream s (denoted stable at.v.t.s) iff the value of v in
s at time t does not change from its value at time t−1, i.e.,

stable at.v.t.s =̂ s.t.v = s.(t−1).v

Variable v is stable over an interval ∆ in a stream s (denoted stable.v.∆.s) iff the value of v is
stable at each time within ∆. A set of variables V is stable in ∆ (denoted stable.V.∆) iff each
variable in V is stable in ∆. Thus, we define:

stable.v.∆.s =̂ ∀t: ∆ • stable at.v.t.s stable.V.∆ =̂ ∀v: V • stable.v.∆

Note that every variable is stable in an empty interval and the empty set of variables is stable in
any interval, i.e., both stable.V.∅ and stable.∅.∆ hold trivially.

We let vars.c denote the free variables of state predicate c. The following lemma states that if
all but one variable of c is stable over an interval ∆, then c definitely holds in ∆ iff c always holds
in ∆ and c possibly holds in ∆ iff c holds sometime in ∆ [HBDJ11].

Lemma 2 For a state predicate c and variable v,
stable.(vars.c\{v}) V (�c = �c) ∧ ( �c = �c).

If every free variable of a state predicate is stable over the evaluation interval, then the evalu-
ators defined above are equivalent. Lemmas 1 and 2 are used to prove Lemma 3 below, which in
turn is used to prove Theorem 1.

Lemma 3 For a state predicate c,
stable.(vars.c) ∧¬Empty V (�c = �c = �c = �c).

3 Fractional permissions

3.1 Read/write permissions and interference

As we shall see in Section 4.3, the behaviour a process executing a command is formalised by
an interval predicate, and the behaviour of a parallel execution over an interval is given by the

5 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

conjunction of these behaviours over the same interval. Because the state-spaces of the two
processes are not disjoint, there is a possibility that a process writing to a variable conflicts with
a read or write to the same variable by another process. To ensure that such conflicts do not
take place, we follow Boyland’s idea of mapping variables to a fractional permission [Boy03],
which is rational number between 0 and 1. A process has write-only access to a variable v if its
permission to access v is 1, has read-only access to v if its permission to access v is above 0 but
below 1, and has no access to v if its permission to access v is 0. Note that a process may not
have both read and write permission to a variable. Because a permission is a rational number,
read access to a variable may be split arbitrarily (including infinitely) among the processes of
the system. However, at most one process may have write permission to a variable in any given
state. Note that the precise value of the read permission is not important, i.e., there is no notion
of priority among processes based on the values of their read permissions.

We let Proc denote the set of all process identifiers and assume that every state contains a
permission variable Π whose value in state σ∈ StateV is a function of type

V → Proc →{n:Q | 0 ≤ n ≤ 1}

Note that it is possible for permissions to be distributed differently within states σ, σ′ even if the
values of the standard variables in σ and σ′ are identical, i.e., it is possible to get σ.Π , σ.Π′

even if ({Π}−Cσ) = ({Π}−Cσ′) holds, where ‘−C’ denotes the domain anti-restriction.

Definition 1 A process x ∈ Proc has write-permission to variable v in state σ iff σ.Π.v.x = 1,
has read-permission to v in σ iff 0 < σ.Π.v.x < 1, and has no-permission to access v in σ iff
σ.Π.v.x = 0 holds.

We introduce the following shorthands, which define state predicates for a process x to have
read-only and write-only permissions to a variable v, and to be denied permission to access v.

R.v.x =̂ 0 < Π.v.x < 1 W.v.x =̂ Π.v.x = 1 D.v.x =̂ Π.v.x = 0

In the context of a stream s, for any time t ∈Z, process x may only write to and read from v in the
transition step from s.(t−1) to s.t if W.v.x and R.v.x, respectively. Thus, W.v.x does not grant
process x permission to write to v in the transition from s.t to s.(t + 1) (and similarly R.v.x).

We may use fractional permissions to characterise interference within a process. One must
often define a closed system that consists of a number of parallel processes. Hence, for a non-
empty set of processes X, we define the following, which states that there may be interference
on v from a process different from x.

I.v.x =̂ ∃y: Proc\{x} • W.v.y

Such notions are particularly useful because we aim to develop rely/guarantee-style reasoning,
where we use rely conditions to characterise the behaviour of the environment.

3.2 Healthiness conditions

In this section, we introduce healthiness conditions on streams using fractional permissions that
formalise our assumptions on the underlying hardware. Below, we assume that the local vari-
ables of set of processes X are members of the set LVarX ⊆ Vars.

Proc. AVoCS 2012 6 / 15



ECEASST

HC1 If no process has write access to v within an interval, then the value of v does not change
within the interval, i.e.,

�(∀x: Proc • ¬W.v.x) ⇒ stable.v

HC2 The sum of the permissions of the processes on any variable v is at most 1, i.e.,

�((Σx∈ProcΠ.v.x) ≤ 1)

HC3 Each local variable in v ∈ LVarX may only be read or written to by the processes in X, i.e.,

�(∀y: Proc\X • D.v.y)

These conditions essentially define the legal streams of the programs we consider. For the rest
of this paper, we implicitly assume that the streams we consider are legal, i.e., satisfy healthiness
conditions HC1-HC3. Such healthiness conditions can be explicitly added to the rely conditions
of a program.

Using these healthiness conditions, we obtain a number of relationships between the values of
a variable and the permissions that a process has to access the variable. For example, we may
prove that if a process has read permission to a variable, then no process has write permission to
the variable. Furthermore, if over an interval no process has write permission to a variable, then
the variable must be stable over the interval.

Lemma 4 Both of the following hold for any variable v

�((∃x: Proc • R.v.x) ⇒ (∀x: Proc • ¬W.v.x)) (1)
�(∀x: Proc • ¬W.v.x) V stable.v (2)

The following result states that for any guard b, if none of the processes write to v ∈ vars.b
over an interval, then �b holds (over the interval) iff �b holds, i.e., any apparent value of a state
predicate is the only apparent value.

Theorem 1 �(∀v: vars.b,x: Proc • ¬W.v.x) ∧¬Empty V (�b = �b).

4 Interval-based semantics of parallel programs

4.1 Chop and iteration

To formalise the semantics of compound commands, we define two operators on interval pred-
icates: chop, which is used to formalise sequential composition, and ω-iteration, which is used
to formalise a possibly infinite iteration (e.g., a while loop).

The chop operator ‘;’ is a basic operator on two interval predicates [Mos00, DH12b], where
(p1 ; p2).∆ holds iff either interval ∆ may be split into two parts so that p1 holds in the first and
p2 holds in the second, or the least upper bound of ∆ is ∞ and p1 holds in ∆. Thus, we define

(p1 ; p2).∆ =̂

(
∃∆1,∆2: Intv • (∆ = ∆1 ∪∆2) ∧ (∆1 ∝∆2) ∧ p1.∆1 ∧ p2.∆2

)
∨

(lub.∆ = ∞∧ p1.∆)

7 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

Note that ∆1 may be empty, in which case ∆2 = ∆, and similarly ∆2 may empty, in which case
∆1 = ∆. Furthermore, in the definition of chop, we allow the second disjunct lub.∆ = ∞∧ p1.∆
to enable p1 to model an infinite (divergent or non-terminating) program. We note that for any
interval predicate p, both (Empty ; p) ≡ p and p ≡ (p ; Empty) hold.

We define the possibly infinite iteration of an interval predicate p as follows [DHMS12], where
the interval predicates are assumed to be ordered using universal implication ‘V’ so that false
and true form the bottom and top of the ordering, respectively.

pω =̂ νz • (p ; z) ∨ Empty

Thus, pω is the greatest fixed point that defines either finite or infinite iteration of p [DHMS12].

4.2 States apparent to a process

Reasoning about the apparent states with respect to a process x using function apparent is not
always adequate because it is not enough for an apparent state to exist; process x must also
be able to read the relevant variables in this apparent state. Typically, it is not necessary for a
process to be able to read all of the state variables to determine the apparent value of a given state
predicate. In fact, in the presence of local variables (of other processes), it will be impossible
for x to read the value of each variable. Hence, we define a function apparentx,W where W is
the set of variables whose values process x needs to determine in order evaluate the given state
predicate.

apparentx,W.∆.s =̂ {σ: StateW | ∀v: W • ∃t: ∆ • (σ.v = s.t.v) ∧R.v.x.(s.t)}

Using this function, we are able to define state predicates definitely and possibly hold with re-
spect to a process. For a state predicate c, interval ∆ and stream s, we define:

(�x c).∆.s =̂ ∀σ: apparentx,vars.c.∆.s • c.σ
( �x c).∆.s =̂ ∃σ: apparentx,vars.c.∆.s • c.σ

Example 4 Suppose (u,v,w = 0,0,42∧R.u.x∧R.v.x∧¬R.w.x).(s.1), (u,v,w = 1,0,42∧R.u.x∧
R.v.x ∧ ¬R.w.x).(s.2) and (u,v,w = 1,1,42 ∧ R.u.x ∧ R.v.x ∧ ¬R.w.x).(s.3) hold, where s is
a stream. Then �x(u < v).[1,3].s = true (which is the same scenario as Example 3). Note
that the fact that x cannot read w in any of the states s.1, s.2 or s.3 is irrelevant with re-
spect to evaluation of u < v. Suppose that s′ is another stream such that s′.1,s′.2 = s.1,s.2 and
(u,v,w = 1,1,42 ∧R.u.x ∧¬R.v.x ∧¬R.w.x).(s′.3), i.e., the possible value of v that x can read is
0. Hence, we have �x(u < v).[1,3].s

′ = false even though �(u < v).[1,3].s = true.

4.3 Interval-based command semantics

Definition 2 For a state predicate b, variable v and expression e, the abstract syntax of com-
mands is given by Cmd below, where C,C1,C2 ∈ Cmd.

Cmd ::= Magic | Chaos | Idle | [b] | v := e | C1 ; C2 | C1 uC2 | C
ω
| C1 ‖C2

Proc. AVoCS 2012 8 / 15



ECEASST

Thus, a command may either be Magic (an infeasible statement), Chaos (a chaotic statement),
Idle (an idle statement), a guard [b], an assignment v := e, a sequential composition (C1 ; C2), a
non-deterministic choice C1 uC2, an iteration Cω, or a parallel composition C1 ‖C2.

Definition 3 The behaviour of a command C given by the syntax in Definition 2 executed by a
non-empty set of processes X is given by interval predicate behX.C, which is defined inductively.
For a process x, we let behx denote beh{x}.

behX.Magic =̂ false (3)

behX.Chaos =̂ true (4)

behX.Idle =̂ ∀x: X,v: Var • �¬W.v.x (5)
behx.[b] =̂ �x b ∧ (∀v: Var • �¬W.v.x) (6)

behx.(v := e) =̂ ∃k: Val • behx.[e = k] ;
(
�(v = k) ∧ �W.v.x ∧
(∀u: Var\{v} • �¬W.u.x) ∧¬Empty

)
(7)

behX.(C1 ; C2) =̂ behX.C1 ; behX.C2 (8)

behX.(C1 uC2) =̂ behX.C1 ∨ behX.C2 (9)

behX.C
ω

=̂ (behX.C)
ω (10)

behX.(C1 ‖C2) =̂
∃X1,X2 • (X1 ∪X2 = X) ∧ (X1 ∩X2 = ∅) ∧

behX1.(C1 ; Idle) ∧ behX2.(C2 ; Idle)
(11)

We interpret the behaviours of these commands as follows. Note that the behaviours of a guard
evaluation (6) and an assignment (7) are only defined for a singleton set {x}. By (3), command
Magic has no behaviours and by (4), Chaos allows any behaviour. By (5), an Idle command
executed by set of processes X guarantees that each x ∈ X does not modify any of the variables of
the system. Note that a stronger specification of the behaviour of Idle is ∀x: X,v: Var • �D.v.x,
which guarantees that each process x ∈ X is denied access to v. However, we choose to define
as weak a specification as possible and allow an implementation of Idle executed by process x
to read from a variable v. By (6), the behaviour of a guard evaluation states that there must be
an apparent state in which b holds and process x has permission to read each of the variables
of b in this apparent state. Furthermore, process x does not write to any of the system variables
over the interval in which the evaluation occurs. By (7), an assignment v := e evaluates the
expression e over an interval to a value, say k, then updates the value of v to k. Process x does
not have write permission to any of the other variables while v is being updated. For any state
predicate c, because �c holds trivially in an empty interval, we must explicitly include conjunct
¬Empty to ensure that the value of v is updated. We note that the value of any shared variable
within e may be changing over the evaluation interval, i.e., during the execution of [e = k], and
hence the value assigned to v may be non-deterministic. By (8), the behaviour of the sequential
composition is defined using chop. We note that the chop allows C1 to execute forever, e.g., if C1
models an infinite loop. By (9), the behaviour of the non-deterministic choice is the behaviour
of either C1 or C2. By (10), the behaviour of an iteration Cω is the behaviour of C iterated a
potentially infinite number of times. By (11), the parallel composition behaves as both C1 and
C2, but we must execute an Idle command after both C1 and C2 to achieve schedulability of the
two programs.

9 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

4.4 Refinement, equivalence and enforced conditions

Refinement of commands is defined using behavioural implication. That is, command C refines
A with respect to a set of processes X iff every behaviour of C is a possible behaviour of A.

Definition 4 Given commands A and C and a set of processes X, we say A is refined by C with
respect to X (denoted A vX C) iff behX.C V behX.A holds.

We write A vwX C if both A vX C and C vX A hold. Note that vX is a pre-order, i.e., is a reflexive
and transitive relation. Furthermore, for any command C, both C vX Magic and Chaos vX C
hold trivially.3

A convenient approach to constraining the behaviour of a command is to use enforced condi-
tions4, which have been used to derive concurrent programs [Don09, DH12c]. Provided that C is
a command and d is an interval predicate, C with an enforced condition d (denoted Enf d • C) is a
command that behaves as C and in addition ensures that d holds [Don09, DH12c]. In particular,
the behaviour of Enf d • C is defined as follows.

behX.(Enf d • C) =̂ d ∧ behX.C

Note if ¬d holds, then Enf d • C has no behaviours.
The lemma below states that introducing an enforced property and strengthening an existing

property results in a refinement.

Lemma 5 Both of the following hold.

C vX Enf d • C (12)

d′ V d ⇒ Enf d • C vX Enf d
′
• C (13)

The proofs of both properties above are straightforward by expanding the definitions. Enforced
properties may also be used to specify behaviours of other processes, i.e., the environment of a
process. The lemma below states that given there is no interference to the variables of b within
the interval in which b is evaluated, the behaviour of the guard evaluation implies �b and hence
every apparent state satisfies b.

Lemma 6 For any state predicate b and process x,

behx.(Enf(∀v: vars.b • �¬I.v.x) • [b]) V �x b

4.5 Example behaviours

We expand the behaviours of two simple programs to illustrate how interval-based behaviours
together with non-deterministic evaluation and fractional permissions accurately captures fine-
grained interleaving of parallel processes. In particular, in Section 4.5.2 we return to the program
from Example 1 to demonstrate how our framework allows apparent states to be observed.

3 It is possible to obtain a number of refinement laws on behaviours of commands, but we do not discuss these here.
4 These have similar properties to coercions in the refinement calculus.

Proc. AVoCS 2012 10 / 15



ECEASST

4.5.1 Parallel assignments

Suppose v ∈ LVar{x,y} and that the initial value of v is 0. We consider the behaviour of commands
v := v + 1 and v := v + 10 executed by processes x and y, respectively, over a finite interval.

beh{x,y}.((v := v + 1)‖(v := v + 10))
V expanding definitions
∃kx,ky • (behx.[kx = v + 1] ; (�(v = kx) ∧ �W.v.x ∧¬Empty) ; �¬W.v.x) ∧

(behy.[ky = v + 10] ; (�(v = ky) ∧ �W.v.y ∧¬Empty) ; �¬W.v.y)

To simplify the interval predicate above, we make the following substitutions.

x1 =̂ behx.[kx = v + 1] y1 =̂ behy.[ky = v + 10]
x2 =̂ �(v = kx) ∧ �W.v.x ∧¬Empty y2 =̂ �(v = ky) ∧ �W.v.y ∧¬Empty
x3 =̂ �¬W.v.x y3 =̂ �¬W.v.y

Hence, we obtain:

∃kx,ky • (x1 ; x2 ; x3) ∧ (y1 ; y2 ; y3)
≡ using the write permission to order behaviours
∃kx,ky • ((x1 ∧ (y1 ; y2 ; y3)) ; (x2 ∧ y3) ; (x3 ∧ y3)) ∨ ((y1 ∧ (x1 ; x2 ; x3)) ; (x3 ∧ y2) ; (x3 ∧ y3))

Let us consider the first disjunct in more detail.
First, we note that the disjunct already captures behaviours such as

(x1 ∧ (y1 ; y2)) ; (x2 ∧ y3) ; (x3 ∧ y3)

i.e., the write to v by process y may occur immediately before the write by process x, i.e., without
any gaps. This is because because �c holds (for any state predicate c) in an empty interval.

Second, we note that the guard evaluation behx.[kx = v + 1] in process x (i.e., x1) and the
assignment v in process y (i.e., y1 ; y2 ; y3) do not conflict (with HC2), even though x1 and y2
conflict, because the guard evaluation only requires that there is some state in which v can be
read — process x may read v during execution of y1 or y3 because, both y1 and y3 guarantee
�¬W.v.y. Hence it is possible for process x to read the value of v before or after process y
updates v.

By Lemma 6, using the stability of v ∈ LVar{x,y} during guard evaluation and because the initial
value of v is assumed to be 0, the first disjunct above simplifies to:

∃kx •

x1 ∧

�(v = 0 ∧¬W.v.y) ;
(�(v = 10) ∧ �W.v.y ∧¬Empty) ;
�(v = 10 ∧¬W.v.y)


 ; (�(v = kx) ∧�W.v.x ∧�¬W.v.y) ; x3 ∧ y3)

Process x may read variable v (for the guard evaluation x1) either before or after process y writes
to v. Hence, we obtain the following:

(�(v = 0) ; �(v = 10) ; �(v = 1)) ∨ (�(v = 0) ; �(v = 10) ; �(v = 11))

Similarly expanding the second disjunct above results in the following behaviour:

11 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

(�(v = 0) ; �(v = 1) ; �(v = 10)) ∨ (�(v = 0) ; �(v = 1) ; �(v = 11))

Thus, by allowing execution of Idle after each assignment as part of the parallel composition,
we obtain the expected behaviour of the two parallel assignments to v. Note that by using an
interval-based logic, we are not only able to specify the possible values of v during the program’s
execution, but also the sequence of values that v may have.

4.5.2 Guard evaluation with parallel assignments

We now return to the original problem described in Example 1 and consider the evaluation of the
guard u < v in parallel with the two assignments. We assume u,v ∈ LVar{x,y} to prevent processes
different from x and y from modifying u and v. Hence, we have:

beh{x,y}.([u < v]‖(u := 1 ; v := 1))
V expanding definitions, using stability properties

�x(u < v) ∧ �(¬W.u.x ∧¬W.v.x) ∧


(�(u,v = 0,0) ∧ �¬W.u.y ∧ �¬W.v.y) ;
(�(u,v = 1,0) ∧ (�W.u.y ; �¬W.u.y)) ;
(�(u,v = 1,1) ∧ (�W.v.y ; �¬W.v.y))


Hence, we obtain the scenario described in Example 3, and it is possible for the guard u < v to
evaluate to true in process x even though there is no actual state in which u < v holds.

5 Compositional reasoning

To accommodate scalable proofs, we develop rely/guarantee-style proof methods where the rely
condition is used to describe properties of the environment of a program. Previous methods for
rely/guarantee reasoning, including those over intervals assume an interleaving between environ-
ment and component transitions [Jon83, STER11]. As we have seen with our sets-of-apparent
states evaluators, such models fail to observe states in which a state predicate (that refers to mul-
tiple non-stable variables) holds. To address this, Coleman and Jones use a small-step operational
semantics that allows rely conditions to formalise the pre-post states after partially evaluating an
expression [CJ07]. Jones and Pierce introduce some new notation for determining the set of all
“possible values” that variable v may have during the execution of an operation [JP11].

In this paper, we have used an interval-based approach in which a program and its environment
execute in a truly concurrent manner. Defining rely/guarantee rules in this model is made difficult
because one must synchronise access to shared variables to avoid conflicting behaviour. In a
real-time setting (with continuous variables), a solution to this problem is to distinguish between
actual values and the rate of change of a variable [DH12d, DH12b], where a real-time controller
is able to modify the rate of change of a variable and the environment modifies the value of the
variable based on its rate of change. Such an approach does not work for the discrete model
used in this paper. However, it turns out that the permission-based approach we have used in this
paper addresses the synchronisation problem for discrete systems by allowing one to distinguish
streams with conflicting variable accesses.

Proc. AVoCS 2012 12 / 15



ECEASST

For an interval predicate r and command C, we let Relyr • C denote a command with a rely
condition r, where

behX.(Relyr • C) =̂ r ⇒ behX.C

Hence, Relyr • C consists of an execution of C under the assumption that r holds [Jon83, JP11,
CJ07]. Note that if ¬r holds, then the behaviour of Relyr • C is chaotic, i.e., any behaviour is al-
lowed. The following lemma allows one to refine programs that execute under a rely conditions.

Lemma 7 Each of the following holds.

r V r′ ⇒ Relyr • C vX Relyr
′
• C (14)

r ∧ behX.C V behX.A ⇒ Relyr • A vX Relyr • C (15)

r ∧ behX.C V d ⇒ Relyr • Enf d • C vX Relyr • C (16)

A vX Enf r • C ⇔ Relyr • A vX C (17)

We use the following theorem to decompose a proof that a parallel composition A1‖A2 in the
context of a rely condition r is refined by C1‖C2. Within Theorem 2, r is an overall rely condition
on the parallel composition A1 ‖A2, r1 is a rely condition for A1 and r2 a rely condition on A2.

Theorem 2 (Relyr • A1 ‖A2) vX C1 ‖C2 holds if there exist X1,X2 ⊆ X where X = X1 ∪X2 and
X1 ∩X2 = ∅ and rely conditions r1 and r2, such that both of the following hold.

(Relyr ∧ r1 • A1) vX1 C1 ∧ (Relyr ∧ r2 • A2) vX2 C2 (18)

(r ∧ behX2.C2 V r1) ∧ (r ∧ behX1.C1 V r2) (19)

We may decompose a rely condition over the whole interval into its subintervals if the rely
condition splits [Hay08, DH12d]. We say an interval predicate p splits iff for any interval ∆, if
p.∆ holds, then for any subinterval ∆′ ⊆ ∆, p.∆′ holds.

Theorem 3 If r splits, then each of the following holds.

(Relyr • C1 ; C2) vX (Relyr • C1) ; (Relyr • C2) (20)

Relyr • Cω vX (Relyr • C)
ω (21)

(Relyr • A vX C) ⇒ (Relyr • A
ω
vX C

ω) (22)

6 Conclusions and future work

We have presented an interval-based approach to modelling the behaviour of concurrent pro-
grams, which better represents the “real-world” behaviour in multicore/multiprocessor systems.
Conflicting accesses to shared variables are modelled using Boyland’s fractional permissions and
non-deterministic expression evaluators are used to reason about apparent behaviour. Using rely
conditions, we have developed rules for decomposing proofs of systems that involve multiple
parallel components, both over the parallel and sequential compositions.

13 / 15 Volume 53 (2012)



Fractional Permissions and Non-Deterministic Evaluators in Interval Temporal Logic

The underlying semantics of Interval Temporal Logic that we present differs from Mosz-
kowski [Mos00]. In particular, we consider complete streams (the behaviour over all discrete
times) and the behaviour over an interval is given by an interval predicate, which restricts the
view of the complete stream to the interval under consideration. An advantage of our model
is that it allows properties outside the given interval to be given in a straightforward manner
[DH12a, DH12c, DH12b, DH12d]. Furthermore, it is possible to extend this theory to reason
about continuous behaviour [DH12c, DH12b, DH12d]. A second difference with [Mos00] is
that Moszkowski allows adjoining intervals to overlap at their boundary, whereas we require that
adjoining intervals are disjoint. Adjoining intervals that overlap at the boundary are problematic
when using fractional permissions if a process writes to a variable, then immediately performs a
guard evaluation that reads from the same variable. If there is an overlap, the write permission for
the update (which must ensure write permission on the variable) conflicts with guard evaluation
at the boundary (which must ensure no write permission is held).

Our treatments of interval predicates has an algebraic structure [BW99] that we hope to further
exploit in our reasoning. For example, rule (17) is similar to the refinement calculus rule ({b} A v
C) ⇔ (A v [b] C) that allows an assertion {b} to be turned into a coercion [b] (and vice versa)
[BW99]. We aim to develop rules that would allow one to exploit the abstract algebraic properties
in our proofs.

Acknowledgements. We thank Lindsay Groves for helpful comments on an earlier draft, in-
cluding the suggestion that we consider a permission-based approach.

Bibliography

[BCOP05] R. Bornat, C. Calcagno, P. W. O’Hearn, M. J. Parkinson. Permission accounting in
separation logic. In Palsberg and Abadi (eds.), POPL. Pp. 259–270. ACM, 2005.

[Boy03] J. Boyland. Checking Interference with Fractional Permissions. In Cousot (ed.),
SAS. LNCS 2694, pp. 55–72. Springer, 2003.

[BW99] R. J. R. Back, J. von Wright. Reasoning algebraically about loops. Acta Informatica
36(4):295–334, July 1999.

[CJ07] J. W. Coleman, C. B. Jones. A Structural Proof of the Soundness of Rely/guarantee
Rules. J. Log. Comput. 17(4):807–841, 2007.

[CZ97] A. Cau, H. Zedan. Refining interval temporal logic specifications. In Bertran and
Rus (eds.), Transformation-Based Reactive Systems Development. LNCS 1231,
pp. 79–94. Springer Berlin / Heidelberg, 1997.

[DH12a] B. Dongol, I. J. Hayes. Approximating idealised real-time specifications using time
bands. In Automated Verification of Critical Systems 2011. Electronic Communica-
tions of the EASST 46, pp. 1–16. EASST, 2012.

Proc. AVoCS 2012 14 / 15



ECEASST

[DH12b] B. Dongol, I. J. Hayes. Deriving Real-Time Action Systems Controllers from Mul-
tiscale System Specifications. In Gibbons and Nogueira (eds.), MPC. LNCS 7342,
pp. 102–131. Springer, 2012.

[DH12c] B. Dongol, I. J. Hayes. Deriving real-time action systems in a sampling logic. Sci-
ence of Computer Programming, 2012. Accepted 17 Oct, 2011.

[DH12d] B. Dongol, I. J. Hayes. Rely/guarantee reasoning for teleo-reactive programs over
multiple time bands. In 9th International Conference on Integrated Formal Methods.
LNCS 7321, pp. 39–53. 2012.

[DHMS12] B. Dongol, I. J. Hayes, L. Meinicke, K. Solin. Towards an Algebra for Real-Time
Programs. In Kahl and Griffin (eds.), RAMICS. Lecture Notes in Computer Sci-
ence 7560, pp. 50–65. Springer, 2012.

[Don09] B. Dongol. Progress-based verification and derivation of concurrent programs. PhD
thesis, The University of Queensland, 2009.

[Hay08] I. J. Hayes. Towards reasoning about teleo-reactive programs for robust real-time
systems. In SERENE ’08. Pp. 87–94. ACM, New York, NY, USA, 2008.

[HBDJ11] I. J. Hayes, A. Burns, B. Dongol, C. B. Jones. Comparing Models of Nondetermin-
istic Expression Evaluation. Technical report CS-TR-1273, Newcastle University,
2011.

[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM
12(10):576–580, 1969.

[Jon83] C. B. Jones. Tentative steps toward a development method for interfering programs.
ACM Trans. Prog. Lang. and Syst. 5(4):596–619, 1983.

[JP11] C. B. Jones, K. Pierce. Elucidating concurrent algorithms via layers of abstraction
and reification. Formal Aspects of Computing 23:289–306, 2011.

[Mos00] B. C. Moszkowski. A Complete Axiomatization of Interval Temporal Logic with
Infinite Time. In LICS. Pp. 241–252. 2000.

[OG76] S. Owicki, D. Gries. Verifying properties of parallel programs: An axiomatic ap-
proach. Commun. ACM 19(5):279–285, 1976.

[Rey02] J. C. Reynolds. Separation Logic: A Logic for Shared Mutable Data Structures. In
LICS. Pp. 55–74. IEEE Computer Society, 2002.

[STER11] G. Schellhorn, B. Tofan, G. Ernst, W. Reif. Interleaved Programs and Rely-
Guarantee Reasoning with ITL. TIME 0:99–106, 2011.

[SVN+11] J. Sevcı́k, V. Vafeiadis, F. Z. Nardelli, S. Jagannathan, P. Sewell. Relaxed-memory
concurrency and verified compilation. In Ball and Sagiv (eds.), POPL. Pp. 43–54.
ACM, 2011.

15 / 15 Volume 53 (2012)


	Introduction
	Interval predicates and non-deterministic evaluation
	Interval predicates
	Evaluating state predicates over intervals

	Fractional permissions
	Read/write permissions and interference
	Healthiness conditions

	Interval-based semantics of parallel programs
	Chop and iteration
	States apparent to a process
	Interval-based command semantics
	Refinement, equivalence and enforced conditions
	Example behaviours
	Parallel assignments
	Guard evaluation with parallel assignments


	Compositional reasoning
	Conclusions and future work