Decomposing Specifications of Concurrent Systems

Large systems are built from smaller parts. We present a method for deducing properties of a system by reasoning about its components. We show how to represent an individual component Πi by a formula Si so that the parallel composition usually denoted cobegin Π1 ‖ . . . ‖Πn coend is represented by the formula S1 ∧ . . . ∧ Sn. Composition is conjunction. We reduce composition to conjunction not for the sake of elegance, but because it is the best way we know to prove properties of composite systems. Rigorous reasoning requires logic, and hence a language of logical formulas. It does not require a conventional programming language for describing systems. We find it most convenient to regard programs and circuit descriptions as low-level specifications, and to represent them in the same logic used for higher-level specifications. The logic we use is TLA, the Temporal Logic of Actions [14]. We do not discuss here the important problem of translating from a low-level TLA specification to an implementation in a conventional language. The idea of representing concurrent programs and their specifications as formulas in a temporal logic was first proposed by Pnueli [17]. It was later observed that, if specifications allow “stuttering” steps that leave the state unchanged, then Sl ⇒ Sh asserts that Sl implements Sh [12]. Hence, proving that a lower-level specification implements a higherlevel one was reduced to proving a formula in the logic. Still later, it was noticed that the formula ∃x : S specifies the same system as S except with the variable x hidden [1,13], and variable hiding became logical quantification. The idea of composition as conjunction has also been suggested [5,6,20], but our method for reducing composition to conjunction is new.