A Survey of
Rely-Guarantee Approaches in
Compositional Verification
Murat Demirbas
OSU
Typical verification methods:
• Deduction:
– Temporal and Modal Logic, Emerson 90
– TLA, Lamport 94
– UNITY Logic, Chandy & Misra 88
• Model Checking
Typical verification methods:
• non compositional
• require a global examination of the entire
system
• effective on small examples, however, fail
to scale up for large-scale systems
A plea for Compositional
Verification
•  ≜ any automaton with 10 states
• A ≜ parallel composition of 80 of such ’s
• A has 1080 states
– Greater than the # of electrons in the universe
• Now, consider the Internet …
• The verification method should scale
linearly rather than exponentially in the
number of components
Compositional Verification
Methods:
• shift the burden of verification from the
global level to the component (local) level
• so that global properties are established by
composing independently verified
component properties.
Compositional Verification
Methods: (cont.)
• Enables us to verify whether a program
meets its spec on the basis of the specs of its
components (without assuming any
knowledge of the interiors of those
components).
Rely-Guarantee Approach
• The best studied approach to compositional
verification
• A rely-guarantee spec for M is (R, G)
– R: the conditions that M relies on its
environment to provide
– G: the conditions that M guarantees in return
Rely-Guarantee Approach (cont.)
• The intuition for using R-G specs for M
– M needs to behave correctly only when its
environment does
• M ⊨ (R,G) : the environment of M violates
R before M fails to satisfy G
Composition Principle
Let M be the composition of Mi s.t. iI. If
• j:: R  /\ Gi  Rj
• i:: Mi ⊨ (Ri, Gi)
• /\ Gi  G
Then
M ⊨ (R,G)
M
Cyclic Dependencies
1
M
2
c
output var d initially 0;
input var c;
loop
<d:=c>
endloop
output var c initially 0;
input var d;
loop
<c:=d>
endloop
d
Safety properties in Rely
• M1
– R1: always d=0
– G1: always c=0
• M ≜ M1 || M2
• R: true
• G: always c=0  d=0
• M2
– R2: always c=0
– G2: always d=0
Liveness properties in Rely
• M1
– R1: eventually d=1
– G1: eventually c=1
• M ≜ M1 || M2
• R: true
• G: ???
• M2
– R2: eventually c=1
– G2: eventually d=1
Outline
1.
2.
3.
4.
5.
6.
7.
8.
History of compositional verification
Stark’s work
Abadi & Lamport’s work
Lazy composition
Modified Rely-Guarantee rules
Other work
Rely-Guarantee wrappers for f-t
Conclusion
1. History of Compositional
Verification
• Compositionality in predicate logic, Frege
1923
• Sequential program verification
– Inductive assertion method (non
compositional), Floyd 67
– axiomatic compositional proof style, Hoare 69
History of Compositional
Verification (cont.)
• Concurrent & distributed systems
– Proof system for shared variable concurrency:
interference freedom test (non compositional),
Owicky & Gries 76
– Temporal logic (non compositional), Pnueli 77
– Rely-guarantee formalism (compositional),
Misra & Chandy 81
– Rely-guarantee formalism for safety properties
in shared-memory, Jones 81, 83
Misra & Chandy: Proofs of
Network of Processes
• Spec for a process Mi is “Ri | Mi | Gi”
– Gi holds for empty trace
– for all traces t of Mi, if Ri holds for all proper prefixes
of t, then Gi holds for all prefixes (proper & improper)
of t
• R | M | G holds if
– R  /\ Gi  /\ Rj
– i:: Ri | Mi | Gi
– /\ Gi
 G
Hoare’s proof rule is an instance
of composition principle
• Precondition: the rely of the program on the
program state when the control reaches that
point
• Postcondition: what the program guarantees
in return if and when the control leaves that
point
• Limited to the verification of safety
properties only
M = M1;M2
• If
– RR1, {R1}M1{G1},
– G1R2, {R2}M2{G2}, G2G
• Then
{R}M{G}
– R  G1  G2 R1 , R  G1  G2 R2
– M1 ⊨ (R1, G1),
Mi ⊨ (Ri, Gi)
– G1  G2 G
2. Stark’s Proof Technique for
Rely-Guarantee Properties
• Stark’s proof technique rules out circular
dependencies in liveness conditions; one
can derive global liveness properties of a
system from its components’ liveness
properties.
Stark’s work
• Intuition: Find a set of specs that “cuts” the
dependence between a component Mi and
its environment. Analogy: loop invariant
• RGi,j = what Mi guarantees to Mj = what Mj
relies on Mi to provide
{RGi,j: i,jI{ext}} is a cut set:
• R 
/\jI RGext,j
• /\iI RGi,ext  G
• (j:: /\iI{ext} RGi,j  Rj )
• (i:: Gi  /\jI{ext} RGi,j )
Acyclic cut sets
• If no Ri holds, then no Gi holds, hence G
does not hold
• m:: \/k{0...m-1} RGik, ik+1
• Finding a cut set is analogous to finding a
loop invariant, no algorithm exists
Rely-Guarantee Proof Rule
• M is a program, RG is an acyclic cut set for
M, R, G, and {Ri, Gi: iI}
• If (i: iI : M⊨ (Ri, Gi) )
• Then M⊨ (R, G)
Examples
• Verification of a mutual exclusion algorithm
(token ring ME)
• Verification of a distributed resource
allocation algorithm
• The proof technique is compared against
other liveness proof techniques such as
Proof Lattice Method (Lamport & Owicky),
and Variant Function Method (Floyd)
3. Abadi & Lamport’s work
• Composing Specifications, 92
• Conjoining Specifications, 93
• Main thm: If all the “rely” specifications (R,
i:: Ri) are safety properties, then
circularity in “Composition Principle” is
safe (i.e., does not lead to circular
reasoning).
Stuttering Equivalence
• Specifications should allow “stuttering”
steps that leave the state unchanged.
• Consider F, G. A behavior of their
composition is obtained by interleaving
actions from the two components.
• However, this interleaved behavior does not
satisfy F, since it contains steps that do not
belong to actions of F, nor does it satisfy G.
Conjoining Specs
•
•
•
•
Parallel composition is conjunction.
Temporal Logic of Actions
Composition thm
Decomposition thm
(R,G) ≜ R→+ G (R secures G)
• R →+ G ≜ {σRG | i: σ[i] S(R) 
σ[i+1] S(G) }
• S(R) :the strongest safety property containing R
(i.e., safety closure of R)
• R →+ G rules out unrealizable implementations of
RG where S(G) fails before the failure of S(R)
can be detected by the component.
• RG  R →+ G for machine realizable specs.
They allow the same implementations.
Safety properties in rely specs
• R →+ G ≜ (RG)  (S(R) →+ S(G))
• R →+ G = S(R) →+ (S(G)  (R G))
• Thus, any rely/guarantee spec can be
converted to one whose rely is a pure safety
property.
Composition Thm
Let M be the composition of Mi s.t. iI. If
• j:: S(R)  /\ S(Gi)  Rj
• i:: Mi ⊨ (Ri, Gi) (i.e., i:: Ri →+ Gi )
• R →+ (/\ Gi  G)
Then
M ⊨ (R,G)
(i.e., R →+ G )
Decomposition Problem
• Let M ≜ M1 || …|| Mn, Ml ≜ Ml1 || …||
Mln.
• Prove that Ml implements M by proving
((E, /\iI Mli )  (E, /\iI Mi))
• Trivially true if (i: iI : MliMi)
• However, MliMi is not necessarily the
case in top down refinements of a system.
Decomposition
• We can relax MliMi and still reason about
one component at a time:
– (i: iI: Ei  MliMi )
• However, the composition principle requires
proving (i: iI: (/\kI Mlk Ei)
• Instead, we can avoid reasoning about the
entire low level system:
– (i: iI: (/\kI Mk Ei))
Decomposition Thm
If
• j:: S(E)  /\ S(Mi)  Ej
• Ei →+ (Mli  Mi)
Then
E →+ (/\iI Mli  /\iI Mi)
Queue example
• Q1, Q2: queues of length N.
• Q of length 2N+1 can be obtained by
composing Q1 and Q2.
• The example is wrong
– Q1 and Q2 refer to N
– Q1 and Q2 are not aware of each other
• Shankar 97 presents a buffer example very
similar to the queue example
4. Lazy Composition, Shankar 97
• Difficult to apply R-G specs to composition
– Gi should be strong enough to imply any
potential constraint Rj.
– It is not easy to anticipate all the potential
constraints that might be placed on Mi.
• In lazy composition Gi of Mi is proved of
the system Mi|| Ei where Ei captures the
expected behavior of the abstract
environment for Mi.
Lazy Composition (cont.)
• Gi might not hold for Mi|| Mj , however it
holds for Mi|| (Mj  Ei).
– Thus, the proof obligation that Mj satisfies Ei
can be delayed till later.
• Lazy composition: cited as the main
contribution of the paper
– Same delay of proof is also possible for the
regular R-G specs.
Composition
• Let Me1= M1|| E1
• Closed co-imposition
– Me1 Me2 ≜ (M1  E2) || (M2  E1)
• Open co-imposition
– Me1 Me2 ≜ Me1 Me2 || (E1  E2)
• Thm:
[Me1Me2]  [Me1]
[Me1  Me2]  [Me1]
Elimination of Ei’s by using
Refinement Proofs
• One can show that
(M1  E2) || (M2  E1) || (E1  E2) is refined by
M1|| (M2  E1) || (E1  E2) to eliminate E2
• This is the main advantage of this approach
– we do not have to prove G1 →+ R2
– instead we can employ a refinement proof to
eliminate E2 (i.e. to satisfy R2)
5. Modified Rely-Guarantee
rules, Manohar, Sivilotti 96
• M ⊨ (R,G) ≜ (E:: (E||M⊨ R) (E||M⊨
G))
– Thus, one has to consider all E to prove above.
• Modified Rely-Guarantee: R and G can
refer only the local variables in M.
• M ⊨ (R⌦G) ≜ (M ⊨ R)  (M ⊨ G) .
Modified Rely-Guarantee rules
(cont.)
• Compositionality:
– Let M ⊨ (R⌦G)
– Then (N:: M||N ⊨ (R⌦G) )
• Handles the verification of liveness
properties easily.
Composition Thm
Let M be the composition of Mi s.t. iI. If
• j:: R  ( /\i<j Ri  Gi )  Rj
• i:: Mi ⊨ (Ri ⌦Gi)
Then
M ⊨ (R ⌦ (i:: Ri  Gi) )
Composition Thm: (safety props)
Let M be the composition of Mi s.t. iI. If
• i:: Ri ,Gi are safety properties
• j:: R  /\Gi  Rj
• i:: Mi ⊨ (Ri ⌦Gi)
Then
M ⊨ (R ⌦ (i:: Ri  Gi) )
Examples
• K mutual exclusion in a ring (works very
good)
• Synchronization with Gossip
6. Other work
• The need for compositional proof systems,
deRoever 97
– Decomposition thm  Dijkstra’s verify while develop
approach
• Systematic composition of distributed objects:
Processes & Sessions, Chandy & Rifkin 97
– Considers Internet (anarchic system) as an application
of bottom up design using composition
Other work (cont.)
• Composition: A way to make proofs harder,
Lamport 97
– Decomposition thm is popular only because it
can be expressed in terms of PPL favored by
CS people
– Decomposition thm is not necessary; when a
system is specified using mathematics,
decomposition trivially follows from math.
Other work (cont.)
• Towards a compositional approach to the
design & verification of distributed systems,
Charpentier&Chandy
– UNITY framework
– Resource allocator example
• Both top-down and bottom-up approaches used
– A component should publish its provided spec
as well as different weaker specs to simplify
reuse in different applications.
7. Rely-Guarantee wrappers for
fault-tolerance
• Let M be the composition of Mi s.t. iI.
• Compositionality principle holds
– (i:: Mi ⊨ (Ri, Gi))  M ⊨ (R,G)
– I.e., (i:: Si )  S
Rely-Guarantee wrappers (cont.)
• S’i ≜ (Fspan(Ri ) , Gi)
:masking F-tolerant version of Mi = M’i
• S’’i ≜ (Fspan(Ri ) , (Si unless Ri)S(Gi)) 
(Fspan(Ri ) , SiS(Gi))
:fail-safe F-tolerant version of Mi = M’’i
• S’’’i ≜ (Fspan(Ri ) , Si(True ↦ Ri))
:nonmasking F-tolerant Mi = M’’’i
Rely-Guarantee wrappers (cont.)
• Let w’i be the wrapper to be added to Mi to
get M’i (i.e., M’i ≜ w’i || Mi )
• R1: Calculate R-G specs for w’i , w’’i , w’’’i
• Si  w’i = S’i then w’i ≜ Si  S’i
• w’’i ≜ (Si , S’’i )  (Si , (FSpan (Ri ) S(Gi))
• w’’’i ≜ (Si , S’’i ) 
(Si , (FSpan (Ri ) ↦ Ri))
Proposal:
• Problem: How to calculate FSpan(Ri)?
• Using modified R-G would help
– local reasoning while calculating FSpan(Ri)
– In general, we might not avoid global reasoning
• Use abstract faulty environment EFi
– Lazy composition for refinement proofs
• If F is a transient fault: FSpan(Ri) =True
Rely-Guarantee wrappers (cont.)
• R2: Prove that
– (i:: S’i )  S’
– (i:: S’’i )  S’’
– (i:: S’’’i )  S’’’
• Can M be made F-tolerant by composing
each Mi with wi ?
R2
Need to show
– j:: Rx  /\ Gxi  Rxj
– Rx  /\ Gxi  Gx
To deduce (i:: RxiGxi )  (Rx  Gx )
• Easy for closed systems (R=True);
– reuse criterion Gxi  Gj
– Ri  Fspan(Rj )
– Interference freedom rule might be needed for
nonmasking f-t
8. Conclusion
• (R,G) specs provide a natural (and also
graybox) way to specify components
• Composition (via conjunction) provides a
simple but powerful model for reasoning
about large-scale distributed programs
• It is a good model to study graybox
dependability wrappers