Correctness proofs for two protocols

A methodology for proving the correctness of protocols is presented through two examples. (1) The Bloom two-writer register. (2) The Consumer/Producer buuer implementation. Each proof is divided into two levels: The programs are mentioned only at the lower level, and the speciications obtained at that level are abstractly used in the higher-level stage. In fact, improved versions of the two protocols are given. (1) The protocol of Bloom is improved by not requiring the writers of the implemented register to read data of one another (they only read coordinating values). (2) The buuer implementation given here is more eecient than the traditional one. The aim of this paper is to describe an approach for specifying and proving the correctness of distributed protocols. Our approach is characterized by a clear division of the correctness proofs into two or more layers: The lower layer involves the program, but the higher levels only mention abstract higher-level properties of system executions. We expose this approach via two examples that are variants of simple and well known protocols. The rst is an implementation of a two-writer multireader atomic register which uses only single writer registers (Bloom 1987]). The second is the classical implementation of a circular queue for the producer/consumer problem. The method of proof presented here has enabled us to improve both protocols. This is a natural consequence of an approach that looks at the protocols from a higher-level view and allows for more abstract reasoning. Both protocols are improved by disassociating the control values from the 1 data values. A data value is the useful information carried by the register or the queue, while control values are used by the processes to coordinate their activities. For example, time-stamps are coordinating control values, while a le of data put into the buuer by the writer is a data value. (We are not giving here a formal deenition of this distinction which is quite intuitive.) Most often, the data and control information are mixed into a single record with two elds; the control value is seen then as a `tag' that helps in processing the data. However, a disadvantage of such an association is that for very long data values (which may extend over huge les) a considerable slowing down of the processes may result. For example, in Bloom protocol, the writer processes must also read each other's data values which they never use (and …