Reduction: A Method of Proving Properties of Parallel Programs
By Richard J. Lipton
Presented at the Second ACM Symposium of
Principles of Programming Languages, Palo
Alto, Calif. 1975
Motivation
Prove that a Parallel Program does not halt
[Figure: one thread's statements in program order, labelled S0 to S7: acq(this); X; j=bal; Y; bal=j+n; Z; rel(this)]
Motivation – cont.
Prove that a Parallel Program does not halt
[Figure: two threads, labelled S and T, each running acq(this); X; j=bal; Y; bal=j+n; Z; rel(this), with their statements interleaved]
Goal
• When proving that a system of processes has a given property, it is often convenient to assume that a routine is atomic.
• The paper presents a reduction that preserves basic properties such as halting.
• Thus correctness proofs of a system of processes can often be greatly simplified.
Definitions
Uninterruptible
• A statement is atomic provided it is never interleaved with the rest of the program.
– For instance, a statement might be the three actions 𝑥 → 𝑟; inc 𝑟; 𝑟 → 𝑥 (load, increment, store).
Assuming it is uninterruptible reduces it to the single action 𝑥 + 1 → 𝑥.
[Figure: a thread S0 to S7 whose middle section is the three actions 𝑥 → 𝑟, inc 𝑟, 𝑟 → 𝑥 (labelled T1, T2, T3), surrounded by X, Y and Z]
Reduction of P by R
• The reduction of P by R is defined to be the parallel program obtained from P by reducing R to one uninterruptible action.
• Notation: P/R
• Two ways in which the reduced program Q = P/R is simpler than P:
1) Q has fewer actions than P
2) Assertions about Q are often simpler than assertions about P.
parbegin…parend
• parbegin 𝑆1, …, 𝑆𝑘 parend is to interleave the statements 𝑆1, …, 𝑆𝑘 in some arbitrary order until no further execution is possible.
• The statements of each 𝑆𝑖 form a distinct process.
A computation
• A computation is a sequence 𝑡1, …, 𝑡𝑚 of statements such that 𝑡1 is executed first, then 𝑡2 is executed, and so on until the last statement 𝑡𝑚 is executed. Since an 𝑆𝑖 may be a compound statement, m > k is possible.
• For example, if 𝑆𝑖 is:
then 𝑡𝑖 might be the statement
or the statement
or even “part” of these statements.
Indivisible statement
• Notation: [𝑆] denotes the statement S executed indivisibly.
– We assume S has a single entry and a single exit.
• The semantics of [𝑆] are:
– In a given state of the parallel program, [𝑆] can execute provided that in this state control is ready to enter S and, after S is applied, control has left S.
– In a given state of the parallel program, the effect of applying [𝑆], provided it can execute, is the same as that of S.
• The key to the definition of [𝑆] is that we can never apply it when we cannot fully complete its execution.
P(a), V(a)
• P(a) = L: if a > 0 then a − 1 → a else goto L
• V(a) = a + 1 → a
• Consistent with the later slides: P(a) can execute only when a > 0, and then decrements a; V(a) can always execute and increments a.
When is 𝛼𝑆 a computation?
• 𝛼𝑆 is a computation provided 𝛼 is a computation and 𝑆 can execute in the state that results after 𝛼 is executed.
When is 𝛼𝑆 a computation? – cont.
• Example:
[Figure: three snapshots of a program with a = 0 in which statement A: P(a) and statement B: V(a) lie in different processes (labelled T1 to T3)]
• Intuitively halt is like deadlock
• Usually want to show that a program does not
halt.
• A program halts if there is some computation
𝛼 such that 𝛼𝑓 is not a computation for all
statements f.
14
What is the relationship between P
and P/S?
P/S halts iff P halts?
• This is false.
• Consider:
• This program halts:
Let both repeat’s execute their first P’s; then a = b = 0 and the program has halted.
P/S halts iff P halts? – cont.
• Now consider the following program P/S:
• P(a); P(b); V(a); V(b) leaves both a and b fixed.
Why is the assertion false?
• It is possible to enter S and never be able to leave it.
• This leads to one restriction on the statement S:
• (R1) If a statement S is ever entered, then it must be possible eventually to exit S.
Is (R1) enough?
• No.
• Consider:
• The program halts.
• Also, the statement 1 → 𝑥; 𝑥 → 𝑦 satisfies (R1).
Is (R1) enough? – cont.
• The program P/S is:
• 1 → 𝑥; 𝑥 → 𝑦 always sets y to 1.
• This program does not halt.
Why is the assertion false?
• This example fails to satisfy the assertion because the effect of 1 → 𝑥 and 𝑥 → 𝑦 is not the same when they are separated as when they are together.
• This observation leads to a further restriction:
• (R2) The effect of the statements in S must be the same when they are executed together as when they are separated.
Right Mover
[Figure: a computation … b c …, with b and c in different processes, can be reordered to … c b …; b is a right mover. Example: ACQ(l,t) followed by c can be reordered to c followed by ACQ(l,t).]
Left Mover
[Figure: a computation … b c … can be reordered to … c b …; c is a left mover. Example: b followed by REL(l,t) can be reordered to REL(l,t) followed by b.]
Right and Left Movers
[Figure: the red thread holds the lock and is about to execute j=bal; the blue thread is about to execute Y]
– Red thread holds lock
– Blue thread does not hold lock
– operation y does not access balance (assuming balance is protected by the lock)
– operations commute
Right and Left Movers – cont.
[Figure: the red thread's acq(this) and the blue thread's X are adjacent and are swapped]
– Red thread holds lock after acquire
– operation x does not modify lock
– operations commute
Right and Left Movers – cont.
[Figures: successive interleavings of the two threads (statements S0 to S7 and T1 to T6) in which the blue thread's X, Y and Z are moved past the red thread's acq(this), j=bal, bal=j+n and rel(this) using the commutations above, until the red thread's acq(this); j=bal; bal=j+n; rel(this) runs without interruption]
Right and left movers
• f is a right mover provided
– for any computation 𝛼𝑓ℎ where f and h lie in different processes, 𝛼ℎ𝑓 is also a computation, and
– the values of all the program variables after 𝛼𝑓ℎ and after 𝛼ℎ𝑓 are the same.
• f is a left mover provided
– for any computation 𝛼ℎ𝑓 where h and f lie in different processes, 𝛼𝑓ℎ is also a computation, and
– the values of all the program variables after 𝛼ℎ𝑓 and after 𝛼𝑓ℎ are the same.
PV parallel program
• A program is a PV parallel program provided there is a distinguished subset of the program variables 𝑎1, …, 𝑎𝑘, called semaphores, with integer values, such that they are used only in P(𝑎𝑖)’s or V(𝑎𝑖)’s.
D-reduction
• Replacing 𝑆1; …; 𝑆𝑘 with [𝑆1; …; 𝑆𝑘] is a D-reduction provided that, for some i, 𝑆1, …, 𝑆𝑖−1 are right movers and 𝑆𝑖+1, …, 𝑆𝑘 are left movers (𝑆𝑖 is unconstrained), and each of 𝑆2, …, 𝑆𝑘 can always execute.
Theorem 1.
In any PV parallel program all P(a)’s are right
movers, and all V(a)’s are left movers.
Theorem 2.
Suppose that S is a D-reduction in P. Then P
halts iff P/S halts.
Proof of Theorem 2
• If P/S halts then P halts
• This is true because for every scheduling in which P/S halts, P halts too, since the same scheduling can be applied to P.
Proof of Theorem 2
• If P halts then P/S halts
• Proof outline:
– Assume P halts
– Let 𝛼 be a computation that halts in P.
– Assume that 𝑆 = 𝑆1; …; 𝑆𝑛
– Construct a computation 𝛽 such that all the program variables agree after 𝛼 and 𝛽 are executed, and 𝑆1; …; 𝑆𝑛 always occur atomically in 𝛽.
– Assume that there are no goto’s in 𝑆1; …; 𝑆𝑛
Proof of Theorem 2
• LEMMA 1. Suppose that 𝛼𝑆𝑖 𝛽 is a
computation in P with i>1. Then 𝛼 = 𝜆𝑆𝑖−1 𝜇
where no statement from the process of 𝑆𝑖 is
in 𝜇.
• This follows because S has a single entry and
no goto’s.
Proof of Theorem 2
• LEMMA 2. Suppose that 𝛼𝑆𝑖𝛽 is a computation that halts in P with i < n. Then 𝛽 = 𝜆𝑆𝑖+1𝜇 where no statement from the process of 𝑆𝑖 is in 𝜆.
• This follows because:
– If any f occurs in 𝛽 where f is in the process of 𝑆𝑖, then the first such f must be 𝑆𝑖+1 (S has no goto’s).
– Assume that no such f is in 𝛽. In 𝛼𝑆𝑖𝛽 control must be ready to enter 𝑆𝑖+1; therefore 𝛼𝑆𝑖𝛽𝑆𝑖+1 is a computation (because, by the definition of D-reduction, 𝑆𝑖+1 can always execute), which is a contradiction because 𝛼𝑆𝑖𝛽 halts.
Proof of Theorem 2
• If no 𝑆𝑖 is in 𝛼
[Figure: a computation 𝛼 through S0 to S7 made of segments A, B, C, D and the statements X, Y, Z, containing no 𝑆𝑖]
then 𝛼 is already in the desired form (let 𝛽 = 𝛼).
Proof of Theorem 2
Thus suppose that some 𝑆𝑖 is in 𝛼.
[Figure: by Lemma 1, 𝛼 = 𝜆𝑆𝑖−1𝜇𝑆𝑖𝛽′ with no statement of the process of 𝑆𝑖 in 𝜇; repeating this, and Lemma 2 to the right, gives 𝛼 = 𝜆𝑆1𝜇𝑆2 … 𝑆𝑖 … 𝑆𝑛𝜇′. By the definition of D-reduction the right movers 𝑆1, …, 𝑆𝑖−1 can be moved right and the left movers 𝑆𝑖+1, …, 𝑆𝑛 moved left, giving 𝜆𝑆1 … 𝑆𝑛𝜇′.]
Proof of Theorem 2
• This can be repeated to form the desired computation 𝛽.
• Now 𝛽 = 𝛽1𝑆𝛽2 … 𝛽𝑚−1𝑆𝛽𝑚 = 𝛿 is a computation where no 𝑆𝑗 is in any 𝛽𝑟, and 𝛼 and 𝛽 agree on all program variables.
• If 𝛿 halts in P/S then the theorem is proved.
• Assume that 𝛿 does not halt in P/S, and that 𝛿ℎ is a computation in P/S.
• Then 𝛿ℎ is a computation in P, since 𝛼 and 𝛽 agree on all program variables. This is a contradiction.
Applications
Example 1
• By Theorems 1 and 2, the aforementioned program halts iff the following program halts:
Example 1 – cont.
• P(c); V(b); V(c) = V(b)
• P(c); V(a); V(c) = V(a)
• Therefore Example 1 halts iff the following halts:
Example 1 – cont.
• Once again Theorems 1 and 2 can be applied; hence the aforementioned halts iff the following halts:
Example 1 – cont.
• P(b); V(a); V(b) = V(a)
• P(b); V(b) = 𝜖
• Therefore the aforementioned halts iff the following halts:
• This program never halts!
Thus Example 1 never halts.
Example 2
• After applying Theorems 1 and 2, Example 2 halts iff the following halts:
Example 2 – cont.
• The effect of P(a); V(b) is to decrement a by 1 and increment b by 1.
• The effect of P(b); V(a) is to decrement b by 1 and increment a by 1.
• Thus a + b is conserved and is always equal to N.
Example 2 – cont.
• P(a); V(b) can execute iff a > 0, and P(b); V(a) can execute iff b > 0.
• Since a + b = N > 0, it is not possible for the program to halt.
• Hence Example 2 does not halt.
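The definitions above (computation, halt, right and left movers, D-reduction, P/S) are small enough to check mechanically. The following Python is an added illustration, not code from Lipton's paper or from these slides: it explores every interleaving of a small PV parallel program whose processes are `repeat` loops, decides whether the program halts in Lipton's sense, verifies the mover definitions state by state, and compares P with P/S. The statement encoding, the function names, and the two sample programs are constructed here. OPPOSITE_ORDER follows the description of the counterexample above (two loops that P the semaphores in opposite orders, so the first P of each leaves a = b = 0; making the whole body atomic is not a D-reduction and changes the halting behaviour); TOKEN_PASSING is the reduced form of Example 2 with N = 3, where the reduction is a D-reduction and Theorem 2 applies.

```python
"""Interleaving explorer for small PV parallel programs (added illustration, not code
from Lipton's paper or these slides).  Processes are `repeat` loops over P and V; the
statement encoding, function names and the two sample programs are constructed here."""
from collections import deque

# A statement is ("P", var), ("V", var) or ("atomic", [stmts]); the last is [S].
def enabled(stmt, env):
    """Can `stmt` execute when the semaphores have the values in `env`?"""
    if stmt[0] == "P":
        return env[stmt[1]] > 0            # P(a) blocks while a = 0
    if stmt[0] == "V":
        return True                        # V(a) never blocks
    for s in stmt[1]:                      # [S1;...;Sk] is entered only if it can be completed
        if not enabled(s, env):
            return False
        env = apply(s, env)
    return True

def apply(stmt, env):
    """Environment after executing `stmt` (caller checks enabled() first)."""
    env = dict(env)
    if stmt[0] in ("P", "V"):
        env[stmt[1]] += 1 if stmt[0] == "V" else -1
    else:
        for s in stmt[1]:
            env = apply(s, env)
    return env

freeze = lambda env: tuple(sorted(env.items()))   # hashable snapshot of the variables

def successors(program, state):
    """Yield (process, next state) for every statement that can execute now."""
    pcs, env = state[0], dict(state[1])
    for p, proc in enumerate(program["procs"]):
        stmt = proc[pcs[p]]
        if enabled(stmt, env):
            npcs = list(pcs)
            npcs[p] = (pcs[p] + 1) % len(proc)   # repeat ... forever
            yield p, (tuple(npcs), freeze(apply(stmt, env)))

def reachable(program, limit=10000):
    """All states reached by some computation (breadth-first search)."""
    start = (tuple(0 for _ in program["procs"]), freeze(program["vars"]))
    seen, queue = {start}, deque([start])
    while queue:
        for _, nxt in successors(program, queue.popleft()):
            if nxt not in seen:
                if len(seen) >= limit:
                    raise RuntimeError("state space too large")
                seen.add(nxt)
                queue.append(nxt)
    return seen

def halts(program):
    """Lipton's halt: a computation alpha such that alpha f is not a computation for
    every statement f.  Returns such a halted state, or None if the program never halts."""
    for state in reachable(program):
        if next(successors(program, state), None) is None:
            return state
    return None

def mover_violations(program, kind, side):
    """Check the mover definition for every statement of `kind` at every reachable state.
    side='right': whenever f h is a computation (h in another process) h f must be one too,
    with the same values; side='left': the roles of f and h are swapped."""
    bad = []
    for state in reachable(program):
        pcs, env = state[0], dict(state[1])
        for p, proc in enumerate(program["procs"]):
            f = proc[pcs[p]]
            if f[0] != kind:
                continue
            for q, qproc in enumerate(program["procs"]):
                h = qproc[pcs[q]]
                first, second = (f, h) if side == "right" else (h, f)
                if q == p or not enabled(first, env) or not enabled(second, apply(first, env)):
                    continue                   # same process, or first;second is no computation
                swapped_ok = (enabled(second, env) and enabled(first, apply(second, env))
                              and apply(first, apply(second, env)) == apply(second, apply(first, env)))
                if not swapped_ok:
                    bad.append((state, f, h))
    return bad

def reduce_program(program, proc_index, start, end):
    """P/S: replace stmts[start:end] of one process by the single statement [S]."""
    procs = [list(p) for p in program["procs"]]
    body = procs[proc_index]
    procs[proc_index] = body[:start] + [("atomic", body[start:end])] + body[end:]
    return {"vars": dict(program["vars"]), "procs": procs}

def fully_reduce(program):
    """Make every repeat body one indivisible statement [S]."""
    for p, body in enumerate(program["procs"]):
        program = reduce_program(program, p, 0, len(body))
    return program

def is_d_reduction(stmts):
    """By Theorem 1 a P is a right mover and a V a left mover, and only a V can always
    execute; so S1;...;Sk is a D-reduction (take i = 1) iff S2, ..., Sk are all V's."""
    return len(stmts) > 0 and all(s[0] == "V" for s in stmts[1:])

# Constructed programs.  OPPOSITE_ORDER: two repeat loops that P the semaphores in
# opposite orders, so after each loop's first P we have a = b = 0 (the counterexample
# above).  TOKEN_PASSING: the reduced form of Example 2 with N = 3 (a + b is conserved).
OPPOSITE_ORDER = {"vars": {"a": 1, "b": 1},
                  "procs": [[("P", "a"), ("P", "b"), ("V", "a"), ("V", "b")],
                            [("P", "b"), ("P", "a"), ("V", "b"), ("V", "a")]]}
TOKEN_PASSING = {"vars": {"a": 3, "b": 0},
                 "procs": [[("P", "a"), ("V", "b")], [("P", "b"), ("V", "a")]]}
```

`halts(OPPOSITE_ORDER)` returns the state with both processes past their first P and a = b = 0, while `halts(fully_reduce(OPPOSITE_ORDER))` returns None, reproducing the failed "P/S halts iff P halts" claim; `is_d_reduction` rejects that body because its second statement is a P, which cannot always execute. `mover_violations(prog, "P", "right")` and `mover_violations(prog, "V", "left")` are empty for both programs, as Theorem 1 predicts, and `halts(TOKEN_PASSING)` and `halts(fully_reduce(TOKEN_PASSING))` are both None, as Theorem 2 requires. `reduce_program` also lets you reduce only part of one process, which is how the reductions in Example 1 are applied one block at a time.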
Conclusion
• In a wide number of nontrivial instances reduction preserves important properties.
• Reduction aids correctness proofs.
• Note that Theorem 2 proved that for every computation 𝛼 that halts in P there is a computation 𝛽 that halts in P/S and agrees with it on all program variables.
• Thus if S is a D-reduction, the final states of P equal the final states of P/S.
• D-reduction therefore preserves any property that depends only on a program’s final state.
Questions?