|
|
|---|
|
|
|
|---|
J S. Moore, “A
Mechanically Checked Proof of a Multiprocessor Result via a Uniprocessor
View”, J S. Moore, Formal Methods in System Design,
14(2), pp. 213-228, March, 1999.
Relevance: proving a relationship between two state
machines
Abstract
We describe a mechanically checked correctness proof for a system of n processes, each running a simple, non-blocking counter algorithm. We prove that if the system runs longer than 5n steps, the counter is increased. The theorem is formalized in applicative Common Lisp and proved with the ACL2 theorem prover. The value of this paper lies not so much in the trivial algorithm addressed as in the method used to prove it correct. The method allows one to reason accurately about the behavior of a concurrent, multiprocess system by reasoning about the sequential computation carried out by a selected process, against a memory that is changed externally. Indeed, we prove general lemmas that allow shifting between the multiprocess and uniprocess views. We prove a safety property using a multiprocess view, project the property to a uniprocess view, and then prove a global progress property via a local, sequential computation argument. Our uniprocessor view is a formal compositional semantics for a shared memory system.
See the ACL2 script