Temporal Logic: The Lesser of Three Evils
Leslie Lamport, Microsoft Research
The evil that men do lives after them.
Julius Caesar, by William Shakespeare
Where I Started
Making sure my concurrent algorithms were right.
Proving the Correctness of Multiprocess Programs (IEEE TSE, 1977)
Proved:
Safety Properties: Invariance
Liveness Properties: P ↝ Q
My Introduction to Temporal Logic
In 1977–78, Susan Owicki started a little seminar on Amir’s 1977 FOCS paper.
It sounded like formal nonsense to me, but I attended anyway.
I discovered that:
It was simple: One primitive temporal operator □
◇ ≜ ¬□¬
It worked beautifully for liveness: P ↝ Q ≜ □(P ⇒ ◇Q)
Eventually, Susan and I wrote Proving Liveness Properties of Concurrent Programs (TOPLAS, 1982).
Specification
Around 1980, my colleagues and I started trying to write specifications.
Instead of stating some properties about an algorithm, say exactly what it has to do.
Write the properties an algorithm/system/protocol should have.
Temporal logic seemed ideal for this.
We had been using an exogenous logic:
⊨ F (validity of F) depends on the underlying system.
Just had to switch to an endogenous logic:
Single notion of ⊨.
System specified by temporal logic formula S
⊨ F becomes ⊨ S ⇒ F
It Didn’t Work!
My colleagues spent days unsuccessfully trying to specify a FIFO queue.
The reason was obvious: the simple logic of Amir’s 1977 paper was not expressive enough.
An arms race ensued. Who could invent the biggest, most powerful temporal logic?
I was not immune: TIMESETS — A New Method for Temporal Reasoning About Programs
(in LNCS 131, 1981)
The Real Problem
Writing a specification as a list of properties doesn’t work.
No one can understand the consequences of a list of properties.
An Example: Weak Memory Models
Typically specified by axioms.
Even their designers don’t understand them.
The original Alpha memory specification model allowed this:
Initially: x = y = 0
Process 1: if x = 23 then y := 42
Process 2: if y = 42 then x := 23
After execution: x = 23, y = 42
The original Itanium memory specification document.
We wrote a TLA+ specification and used our tools to check the document’s tiny examples.
We found several errors.
No one can figure out from a list of axioms what a tiny bit of concurrent code can do.
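The Alpha example above, worked through as an added example that is not from the slides: the two-process program is written down as an explicit state machine and every interleaving is explored exhaustively, which is the kind of check a model checker such as TLC performs on a TLA+ spec. Under the sequentially consistent machine the outcome x = 23, y = 42 is unreachable. To show how an operational model makes a memory model's consequences computable, the block also includes `step_relaxed`, a hypothetical relaxation (a process may issue its conditional store before its load returns, and the execution is discarded unless the load later confirms the branch). That relaxation, the state layout and all names are assumptions of this example; it is not a description of the Alpha architecture's actual rules.

```python
from collections import deque

# Process 1:  r1 := x ; if r1 = 23 then y := 42
# Process 2:  r2 := y ; if r2 = 42 then x := 23
#
# A state is the tuple (pc1, pc2, x, y, r1, r2). Both processes start at "load",
# the shared variables are 0 and the local registers are unset (None).
INIT = ("load", "load", 0, 0, None, None)


def step_sc(state, proc):
    """Successors of `state` when process `proc` (1 or 2) takes one step under
    interleaving semantics: statements execute atomically, in program order,
    and every load returns the most recent store. This is the sequentially
    consistent state machine."""
    pc1, pc2, x, y, r1, r2 = state
    if proc == 1:
        if pc1 == "load":                                   # r1 := x
            return [("branch", pc2, x, y, x, r2)]
        if pc1 == "branch":                                 # if r1 = 23 then y := 42
            return [("done", pc2, x, 42 if r1 == 23 else y, r1, r2)]
    else:
        if pc2 == "load":                                   # r2 := y
            return [(pc1, "branch", x, y, r1, y)]
        if pc2 == "branch":                                 # if r2 = 42 then x := 23
            return [(pc1, "done", 23 if r2 == 42 else x, y, r1, r2)]
    return []


def step_relaxed(state, proc):
    """Successors under a HYPOTHETICAL relaxed model (an assumption of this
    example, not Alpha's real rules): a process may perform its conditional
    store before its load has returned; the execution is kept only if the load
    later confirms the branch condition, otherwise it moves to "abort"."""
    succs = step_sc(state, proc)
    pc1, pc2, x, y, r1, r2 = state
    if proc == 1:
        if pc1 == "load":                                   # speculative y := 42
            succs.append(("spec", pc2, x, 42, r1, r2))
        elif pc1 == "spec":                                 # the load now resolves
            succs.append(("done" if x == 23 else "abort", pc2, x, y, x, r2))
    else:
        if pc2 == "load":                                   # speculative x := 23
            succs.append((pc1, "spec", 23, y, r1, r2))
        elif pc2 == "spec":
            succs.append((pc1, "done" if y == 42 else "abort", x, y, r1, y))
    return succs


def reachable(step):
    """Breadth-first exploration of every state reachable from INIT."""
    seen = {INIT}
    frontier = deque([INIT])
    while frontier:
        s = frontier.popleft()
        for proc in (1, 2):
            for t in step(s, proc):
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
    return seen


def final_values(step):
    """The (x, y) pairs observable once both processes have completed."""
    return {(x, y) for (pc1, pc2, x, y, _, _) in reachable(step)
            if pc1 == "done" and pc2 == "done"}


if __name__ == "__main__":
    print("sequentially consistent:", sorted(final_values(step_sc)))
    print("hypothetical relaxed   :", sorted(final_values(step_relaxed)))
```

The interesting part is not the answer but how it was obtained: changing the transition relation (swap `step_sc` for `step_relaxed`) is enough to find out what the tiny program can do, with no need to reason about the closure of a set of axioms.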
What works
Specify liveness with Amir’s original temporal logic.
Specify safety by a state machine (abstract program).
How to do this in temporal logic:
Generalize Amir’s temporal logic.
Don’t add new temporal operators.
Do generalize elementary formulas from state predicates to transition predicates.
But that’s another story.
What is Evil About Temporal Logic
A fundamental rule of ordinary math: to prove A ⇒ B, we assume A and prove B.
The Deduction Principle (if, assuming P, we can prove Q, written P ⊢ Q, then we have proved P ⇒ Q):
  P ⊢ Q
  ─────
  P ⇒ Q
The deduction principle is not valid for temporal logic (and other modal logics).
For example, a basic rule of temporal logic asserts that if P is true then it is always true:
  P
  ──
  □P
9
![Page 60: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/60.jpg)
From the deduction principle
  P ⊢ Q
  ─────
  P ⇒ Q
and the rule
  P
  ──
  □P
by substituting □P for Q we deduce
  P ⇒ □P
which asserts that if P is true now then it is always true.
10
![Page 64: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/64.jpg)
NOT! The deduction is invalid: P ⇒ □P does not hold in general.
10
![Page 65: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/65.jpg)
In modal logics, implication (P ⇒ Q) and inference (the rule: from P, infer Q) are different.
This is confusing.
Martín Abadi and I once believed a false result for several days because this confused us.
A logic that can confuse Martín is evil.
10
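The semantic reason the deduction fails, added here as a worked example (it is not part of the slides): validity of a formula quantifies over all behaviours, while an implication is evaluated on one behaviour at a time. It assumes the standard semantics of □ over infinite sequences of states, with a state predicate P evaluated on the first state of a behaviour.

$$
\begin{aligned}
&\sigma = s_0 s_1 s_2 \ldots \ \text{a behaviour},\qquad \sigma^{+i} = s_i s_{i+1} \ldots \ \text{(its } i\text{-th suffix, itself a behaviour)} \\
&\sigma \models \Box P \;\;\triangleq\;\; \forall i \ge 0 :\ \sigma^{+i} \models P \\
&\models F \;\;\triangleq\;\; \forall \sigma :\ \sigma \models F \qquad\text{(validity)} \\[6pt]
&\text{The rule } P / \Box P \text{ is sound: } \models P \;\Rightarrow\; \forall \sigma, i :\ \sigma^{+i} \models P \;\Rightarrow\; \models \Box P . \\[6pt]
&\text{The formula } P \Rightarrow \Box P \text{ is not valid: for a state predicate } P \text{ choose } \sigma \text{ with } s_0 \models P \text{ and } s_1 \not\models P . \\
&\text{Then } \sigma \models P \text{ and } \sigma \not\models \Box P, \text{ so } \sigma \not\models P \Rightarrow \Box P .
\end{aligned}
$$

Applying the deduction principle would treat the hypothesis P as valid in every behaviour, which is exactly what a hypothesis about one behaviour does not say.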
![Page 69: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/69.jpg)
Greater Evil #1
Temporal logic is modal because it has an implicit time variable.
A solution: make time explicit.
For example: P ⇝ Q becomes ∀ t : (P(t) ⇒ ∃ s ≥ t : Q(s)).
This makes formulas ugly and hard to understand.
Trying to eliminate this is what led Amir to temporal logic.
(He was inspired by Nissim Francez’s thesis.)
11
![Page 75: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/75.jpg)
Greater Evil #2
Use a programming logic.
Some programming logics:
Hoare Logic (Tony Hoare 1968)
Dynamic Logic (Vaughan Pratt 1974)
Weakest Preconditions (Edsger Dijkstra 1975)
Action Systems (Ralph Back ∼1983)
What they have in common:
programs appear in formulas of the “logic”.
Why are they evil? First a digression.
12
![Page 83: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/83.jpg)
Greater Evil #2
Use a programming logic.
Some programming logics:
Hoare Logic (Tony Hoare 1968)
Dynamic Logic (Vaughan Pratt 1974)
Weakest Preconditions (Edsger Dijkstra 1975)
Action Systems (Ralph Back ∼1983)
What they have in common:
programs appear in formulas of the “logic”.
Why are they evil? First a digression.
12
![Page 84: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/84.jpg)
We can derive Program 2 from Program 1 by substituting p + q mod 2 for x.
Program 1:
  initially x = 0
  while TRUE do
    if x = 0 then Prod else Cons end if;
    x := x + 1 mod 2
  end while
Program 2:
  initially p = q = 0
  Process 1: while TRUE do await p = q ; Prod ; p := p + 1 mod 2 end while
  Process 2: while TRUE do await p ≠ q ; Cons ; q := q + 1 mod 2 end while
Two-Phase Handshake, an important hardware protocol
14
![Page 94: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/94.jpg)
We can derive Program 2 from Program 1 by substituting p + q mod 2 for x. See the festschrift for Willem-Paul de Roever.
15
![Page 96: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/96.jpg)
A derivation is a refinement proof run backwards. Refinement is substitution.
15
![Page 98: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/98.jpg)
How do you substitute p + q mod 2 for x in a program? It can't be done.
16
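Since the substitution x = p + q mod 2 cannot be made in the program text, the refinement claim of the preceding slides can instead be checked on states and behaviours. The following is an added example in Python (not from the slides, and not TLA+): it models one loop iteration of each program (await, event, increment) as a single atomic step labelled Prod or Cons, explores every reachable state of Program 2, and checks that each step maps to a step of Program 1 under a candidate mapping; the mapping x = p is an assumed wrong candidate included to show a failing check.

```python
"""Explicit-state refinement check for the two-phase handshake on the slides.

Program 1 (abstract): x alternates 0, 1, 0, 1, ...; Prod runs when x = 0, Cons when x = 1.
Program 2 (concrete): Process 1 does Prod when p = q, Process 2 does Cons when p != q.
Claim from the slides: Program 2 implements Program 1 under x = (p + q) mod 2.
The substitution is applied to states (a refinement mapping), not to program text.
"""
from collections import deque
from typing import Callable, Iterator, List, Optional, Tuple

State2 = Tuple[int, int]            # (p, q) of Program 2
Mapping = Callable[[State2], int]   # candidate refinement mapping (p, q) -> x


def program1_next(x: int) -> List[Tuple[str, int]]:
    """One loop iteration of Program 1, as one atomic step labelled by its event."""
    event = "Prod" if x == 0 else "Cons"
    return [(event, (x + 1) % 2)]


def program2_next(s: State2) -> List[Tuple[str, State2]]:
    """One loop iteration of whichever process of Program 2 has its await enabled."""
    p, q = s
    steps: List[Tuple[str, State2]] = []
    if p == q:        # Process 1: await p = q ; Prod ; p := p + 1 mod 2
        steps.append(("Prod", ((p + 1) % 2, q)))
    if p != q:        # Process 2: await p != q ; Cons ; q := q + 1 mod 2
        steps.append(("Cons", (p, (q + 1) % 2)))
    return steps


def transitions2(init: State2 = (0, 0)) -> Iterator[Tuple[State2, str, State2]]:
    """Breadth-first exploration of Program 2; yields every reachable (state, event, next)."""
    seen = {init}
    frontier = deque([init])
    while frontier:
        s = frontier.popleft()
        for event, t in program2_next(s):
            yield s, event, t
            if t not in seen:
                seen.add(t)
                frontier.append(t)


def check_refinement(f: Mapping, init: State2 = (0, 0)) -> Tuple[bool, Optional[tuple]]:
    """Does Program 2 refine Program 1 under the state mapping f?

    The initial state must map to Program 1's initial state x = 0, and every step
    (s, event, t) of Program 2 must map to a step (f(s), event, f(t)) of Program 1.
    Every Program 2 step performs an event, so no stuttering steps need to be allowed.
    Returns (True, None) or (False, counterexample).
    """
    if f(init) != 0:
        return False, ("init", init, f(init))
    for s, event, t in transitions2(init):
        if (event, f(t)) not in program1_next(f(s)):
            return False, (s, event, t, f(s), f(t))
    return True, None


def slide_mapping(s: State2) -> int:
    """The substitution from the slides: x = p + q mod 2."""
    return (s[0] + s[1]) % 2


def naive_mapping(s: State2) -> int:
    """An assumed wrong substitution, x = p, used as the failing case."""
    return s[0]


def run_events(next_fn, init, n: int) -> List[str]:
    """Events of the first n steps of a program that always has exactly one enabled step."""
    s, events = init, []
    for _ in range(n):
        steps = next_fn(s)
        if len(steps) != 1:
            raise RuntimeError(f"{len(steps)} steps enabled in state {s!r}")
        event, s = steps[0]
        events.append(event)
    return events


if __name__ == "__main__":
    print("x = p + q mod 2:", check_refinement(slide_mapping))   # (True, None)
    print("x = p:          ", check_refinement(naive_mapping))   # fails on a Cons step
    print("Program 1 events:", run_events(program1_next, 0, 6))
    print("Program 2 events:", run_events(program2_next, (0, 0), 6))
```

The failing mapping is rejected at the step where Process 2 runs Cons without changing p, so the abstract state would not advance as Program 1 requires.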
![Page 100: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/100.jpg)
Why Programming Logics are Evil
Substitution of an expression for a variable is a fundamental operation of mathematics.
A logic that doesn’t permit substitution is evil.
Program refinement is based on substitution.
A programming logic that doesn’t permit substitution is especially evil.
Refinement by substitution is not a problem with temporal logic.
Temporal logic is a lesser evil.
17
![Page 106: Temporal Logic: The Lesser of Three Evils · The Lesser of Three Evils Leslie Lamport Microsoft Research 0. The evil that men do lives after them. Julius Caesar, by William Shakespeare](https://reader036.fdocuments.in/reader036/viewer/2022070211/60fcba8e291e182a05575d97/html5/thumbnails/106.jpg)
A Necessary Evil
Temporal logic is the best way I know of to reason about systems—especially for liveness properties.
Someone as good as Amir would not have done anything evil unless it was necessary.
We are all grateful that he did it.
I am grateful that I had the privilege of being his colleague.
He was a great scientist and a wonderful human being.
Thank you.