Introduction and Background
The automatic synthesis of programs is one of the most challenging activities in computational logic. Deductive approaches to the synthesis of sequential programs have met with only limited success, in part because of the relative inadequacy of proposed speci cation languages for such programs. That is, speci cations often turn out to be less enlightening and more di cult to construct than the code they specify. This is not the state of a airs with synchronization code. Desired program properties, such as liveness or freedom from deadlock, are relatively easy to include in a speci cation but are quite di cult to discern in code. Indeed, it is precisely this feature of concurrent programming that makes automated program synthesis an attractive goal. In this paper we discuss an aspect of the automatic synthesis of synchronization code for asynchronous processes.
Our synthesis approach conforms to the following paradigm:
(1) a speci cation is written in a nonconstructive speci cation language; (2) that speci cation is analyzed in an attempt to establish that crucial concurrency properties are respected; and (3) if the concurrency properties of the speci cation are established, then Ada code is generated. Here we report on the most di cult part of this process: establishing that a program speci cation satis es a crucial concurrency requirement, namely liveness. (Other related aspects of our proposed approach, such as safety properties and deadlock avoidance, are discussed elsewhere 4]). By a liveness property we mean a condition that must be satis ed at some point during the execution of a program. A liveness property contrasts with a safety property, a condition that must hold continuously during program execution.
Underlying our approach to synthesis is a model of a concurrent program in c 1990 American Mathematical Society 0000-0000/90 $1.00 + $.25 per page which processes communicate by accessing and modifying shared resources. This resource-oriented model uses temporal logic for speci cation and analysis. By a process we mean an abstract state machine de ning an active computation. A process computation generally requires the allocation of shared resources. By a synchronizer we mean an abstract state machine that de nes a set of encapsulated resources 12] . A synchronizer speci cation states the safety and liveness
properties that the synchronizer must satisfy. Our approach to program specications is similar to that presented in 12] , which, however, does not address the issue of liveness of synchronizer operations. Synchronizer liveness is the main focus of this paper. We believe our approach to synthesis and, in particular, our approach to liveness analysis can be automated for two reasons. First, by identifying indiscernible synchronizer computation states, we drastically reduce the size of the resulting synchronizer state space graph. Second, by using this graph to drive the formal analysis of program speci cations, we limit the need for general theorem proving capabilities.
An experimental prototype has been implemented, which automates a signi cant portion of our analysis. At present we are working on extending the prototype to automate the remaining aspects of the analysis.
This paper is organized as follows. Synchronizer speci cations are described in section 2. A graph model of synchronizer behavior is discussed in section 3. A proof lattice-based method for liveness analysis is given in section 4 along with a portion of the analysis of the familiar readers/writers example. We describe a signi cant portion of the target code for the readers/writers example in section 5. Some conclusions are presented in section 6.
Synchronizer Speci cations
Our speci cation language is built around the concept of the state of the resources encapsulated in a synchronizer. Speci cations are formulated in terms of a set of state variables and a set of operations that can access and modify those variables. Linear-time temporal logic is used to de ne the semantics of the constructs appearing in a synchronizer speci cation. Thus, a synchronizer speci cation consists of a set of clauses de ning the state transitions performed by each synchronizer operation. A speci cation also gives the safety and liveness conditions governing the execution of synchronizer operations. An example, the speci cation of synchronizer bu er from the readers/writers problem, is given in Figure 1 . In this problem a set of reader and a set of writer processes must access a shared memory area simultaneously. Synchronizer bu er controls access and modi cations to the shared memory on behalf of the reader and writer processes. Figure 1 . Speci cation of synchronizer bu er in the readerswriters problem asserts that, in order for a reader (or a writer) process to access the shared memory, the resource read permission (or write permission) must be allocated rst. Allocation is performed by operations start read and start write. Operations end read and end write perform the corresponding deallocations.
The state variables clause de nes the type and initial value of the variables reader # and writer #. The synchronizer uses these variables to represent the state of the encapsulated resources. Together they capture the number of reader and writer processes that are in the synchronizer at any point in time. The operations clause declares the operations that units outside synchronizer bu er can invoke to perform allocation and deallocation of the resources encapsulated in this synchronizer. Whenever a synchronizer operation is invoked, a model of operation execution is used in which the operation invocation goes through a sequence of three phases. In the request phase the operation has been invoked and is waiting to be selected for execution; in the service phase the operation has been selected for execution and will be executed next; in the terminate phase the operation has completed execution. For invocation o of operation O the propositions o@request, o@service and o@terminate are true when o is in the corresponding phase and false otherwise.
The operation preconditions clause speci es the conditions to be satis ed in order for each operation request to be executed. Temporal operators are not allowed in this clause. A request for operation start write can be serviced only if the synchronizer state satis es:
The operation state changes clause speci es the changes in the value of the state variables resulting from the execution of a given operation. Whenever a request for operation start read is executed, the value of the state variable reader # is incremented. The operation priorities clause de nes the order in which instances of invocations of di erent operations are to be considered for service. In synchronizer bu er, operation start write has higher priority than operation start read.
Finally, the liveness clause speci es that invocations of operations start read and start write must eventually be serviced. As with most temporal logic systems, the formula p asserts that predicate p is true in the current state and any subsequent state. The formula p asserts that p is true either in the current state or in at least one subsequent state.
Linear 
Graph Model of Synchronizer Behavior
We model synchronizer behavior using an augmented nite state machine called a Reduced State Transition Graph or RSTG. This model underlies the proof lattice mechanism we introduce to establish liveness. Proof lattice inferences are aimed at identifying valid transition sequences between states of an RSTG.
The RSTG of a synchronizer is a graph G = (N; E). Nodes N in this graph represent sets of synchronizer states; arcs E represent transitions resulting from the execution of enabled operation requests. Each node N i is associated with a set of synchronizer states X i , and each edge E j is associated with a synchronizer operation O j and a predicate P j on the state of the synchronizer, subject to the following conditions. First, the states associated with N i are indiscernible in that they enable the same operations. Second, if edge E j is labeled (P j ; O j ) leading from node N i to N k , if operation O j is executed when the synchronizer is in one of the states associated with N i , and if predicate P j is true, then the synchronizer is in a state associated with N k after O j has been executed. Third, state sets associated with distinct nodes are disjoint.
Construction of an RSTG G = (N; E) is carried out in two phases. First, the nodes N of the graph are de ned. Each node corresponds to a conjunctive normal form combination of the predicates enabling synchronizer operations. Then the edges E are de ned. This is accomplished by identifying the operations that are enabled at each node and by tracking the state transitions caused by the execution of each enabled operation.
For instance, to de ne the nodes in the RSTG of synchronizer bu er we proceed as follows. First, the predicates enabling the synchronizer's operations are identi ed. Here the predicates are (writer # = 0) and (reader # = 0). They are trivially in conjunctive normal form. To these predicates we add additional conditions which take into account the invariant assertions implied by the specication. Invariant assertions are state predicates that must hold of a synchronizer in every time instant. Here the declaration of variable reader # implicitly de nes the following two invariant assertions:
(reader # 0) and (reader # 10) (1) Likewise, the declaration of variable writer # implicitly de nes the following two invariant assertions:
(writer # 0) and (writer # 1) (2) Consequently, a bu er operation can be enabled only if its execution upholds these four assertions, assuming the assertions are true before the operation is executed.
In general, to guarantee that a synchronizer invariant assertion is satis ed, the following two conditions must be true. First, the assertion must hold in the initial synchronizer state. Second, the preconditions for each synchronizer operation must be augmented in such a way as to preserve the truth of the invariant assertion as operations are executed and the synchronizer moves from state to state. This activity can be performed by use of the notion of weakest In synchronizer bu er, variables reader # and writer # are both initially zero, and so invariant assertions (1) and (2) are satis ed in the initial synchronizer state. Now the weakest preconditions for these invariant assertions and each synchronizer operation must be computed. As an example, let us consider the derivation of the weakest precondition for operation start read and assertion (reader # 10). Given that the execution of start read increments the variable reader #, the weakest precondition is given by the predicate (reader # 9). This predicate is then added as a conjunct to the preconditions for operation start read.
After the activity of computing the weakest preconditions for bu er has been completed, a simpli cation procedure can be applied to remove redundant predicates. For instance, the weakest precondition for operation end read and assertion (reader # 10) is the predicate (reader # 11). The latter predicate is implied by the former invariant assertion and therefore can be assumed to be true in every time instant associated with bu er. As a result, the following three predicates are identi ed as the conjuncts appearing in the augmented preconditions for this synchronizer: (reader # = 0), (reader # 9), and (writer # = 0). Consequently, each node in the RSTG of synchronizer bu er corresponds to a particular combination of values of these three predicates. For the purpose of exposition we call these predicates A, B, and C.
After the node set for synchronizer bu er has been de ned, the RSTG is built incrementally, beginning from the node corresponding to the initial synchronizer state. In the initial state predicates A, B, and C are true. Consequently, the node labeled by these three predicates is added to the RSTG for bu er. Then the following expansion procedure is applied. First, the operations enabled in the initial node are identi ed, based on the truth values of the predicates labeling the node. When A, B, and C are true operations start read and start write are enabled. For each enabled operation the state changes resulting from the execution of the operation are considered. For instance, operation start write changes the value of variable writer # to 1. As a result, after this operation is executed, predicates A and B are still true but C is false. Therefore the node labeled A, B and :C is added to the RSTG. In addition, an edge labeled start write is created, leading from the initial node to the new node. In a similar fashion the execution of operation start read when bu er is in the initial state is represented by an arc labeled start read leading from the initial node to the node labeled :A, B and C.
The expansion procedure is applied iteratively to every node added to the RSTG, until all reachable nodes have been expanded. Note that from a given node the execution of an operation may lead to di erent nodes, depending on the actual synchronizer state. For instance, the execution of operation start read when bu er is in a state associated with the node labeled :A, B and C may lead to a state associated with the same node or to a state associated with the node labeled :A, :B and C, depending on the actual value of variable reader #.
The RSTG for synchronizer bu er is shown in Figure 2 , along with the predicate truth values corresponding to each node. Note that while eight nodes are possible, only four actually appear in the RSTG. Node 1 corresponds to the initial synchronizer state. Operations start read and start write are enabled in this state, as shown by the edges leaving node 1. Node 2 represents the synchronizer states in which resource read permission has been allocated to a number of reader processes that is less than the maximum number of readers allowed. Consequently both start read and end read are enabled in the states corresponding to this node. The execution of the former operation leads to node 3 when the variable reader # is one short of the maximum reader number; otherwise it leaves the synchronizer in a state still contained in node 2. Weakest precondition analysis is used here to determine the conditions required for transitions to di erent states. Likewise, the execution of operation end read can either lead to node 1 or back to node 2, depending on whether variable reader # is one or greater than one. Node 3 corresponds to the synchronizer state in which reader # equals the maximum number of readers. Only operation end read is enabled in this state, leading to state 2. Finally, node 4 represents the state in which a writer process is in the synchronizer. Only operation end write is enabled in this state.
An implementation of the RSTG construction described here is currently un-der way. In particular, we are focusing on two crucial aspects in this construction, namely the derivation of weakest preconditions and the computation of the nodes reached by executing a given operation when in the synchronizer is in a given RSTG node. Although in general these aspects can be quite di cult to compute mechanically, we believe that in practice RSTG construction can be fully automated for a broad class of problems. In particular, we are convinced that automation is possible for such traditional examples in the area of concurrent programming as the readers/writers, the producers/consumers and the sleepy barber 8]. In addition, we are investigating the use of existing theorem provers to carry out signi cant portions of this analysis 3, 6] . For instance,
we have found that the simpli cation procedure applied to the predicates associated with RSTG nodes becomes relatively straightforward if the Boyer-Moore theorem prover is used 3].
Proof Lattice-based Analysis
We now describe our deductive method for establishing the following liveness condition:
We prove liveness using the notion of a proof lattice. Proof lattices were introduced in 9] to prove rst-order formulas. They were used in 11] to analyze a subset of rst-order temporal logic. A proof lattice is a nite directed acyclic graph in which each node is labeled with an assertion and such that:
(1) There is a single entry node with no incoming edges (2) There is a single exit node with no outgoing edges (3) If a proof lattice node labeled P has outgoing arcs to nodes labeled R 1 , R 2 , ... R n , the following formula holds for the synchronizer: (P ! (R 1 _ R 2 _ ::: _ R n ))
Proof lattices can be combined with an axiomatic system for a given computational model to control the set of deductions required for the proof of liveness properties in that model. In particular, every arc in a proof lattice represents a logical deduction in the chosen axiomatic system. As an example, an axiomatization for a concurrent dialect of the language Algol is given in 11]. The computational model underlying our proof system is the RSTG of a given synchronizer. In particular, the structure of an RSTG is used to drive the deductions performed during proof lattice construction. Although a complete description of our axiomatization for the RSTG model is beyond the scope of this paper, we outline the major aspects of this approach and illustrate a case of proof lattice construction for the readers/writers example.
Our approach to liveness is based on several assumptions. First we assume that the implementation of a synchronizer uses a fair scheduler, that is, a sched-uler that does not ignore an operation invocation that is enabled in nitely often:
Second, we assume that a resource allocation is always followed by the corresponding deallocation. This assumption is realistic because deadlock analysis is independent of the liveness analysis described here 4]. Thus, if operations A and D allocate and deallocate a given resource, any invocation a of operation A is eventually followed by an invocation d of operation D:
Third, we assume that, whenever a synchronizer state enables an operation O, an invocation o of O has been requested and is waiting for service. This implies that a synchronizer cannot be blocked inde nitely by the lack of invocations of one or more of its operations. In particular, the readers/writers example satis es this assumption. Fourth, we make use of the notion of conformity between a state variable x and a resource R. We say x is conformal with R if the value of x re ects the number of open allocations of R (i.e. the number of executions of the operation that allocates R that have not been followed by matching deallocations). In the bu er example variable reader # is conformal with resource read permission.
The following theorem establishes the validity of the proof lattice-based ap- (2) In (2) :In (2) In (1) reader #= 0 For example, suppose there is a proof lattice node L labeled p. In this case, predicate p can be added to the label of any descendant of node L, based on these two axioms of temporal logic: ( p ! p) and (p ! p).
Rules in the third group re ect the behavior of resource allocation and deallocation induced by our synchronizer model. As an example, consider the allocation completion rule. Suppose that a state variable x of synchronizer S is conformal with resource R, which is allocated and deallocated by operations A and D. Then a proof lattice node L labeled :enabled(A) has a descendant labeled (x = x), where x is the initial value of x. The validity of this rule is proved by use of the assumption of complete resource deallocation. Since operation A is never enabled, eventually all executions of this operation will be followed by executions of operation D. Roughly speaking, the e ects of each execution of operation A on variable x will eventually be \undone" by the corresponding execution of operation D. Consequently, variable x will eventually return to its initial value.
A schematic description of a proof lattice for operation start write is given in Figure 3 . This proof lattice is aimed at proving that the operation is eventually serviced, assuming that it is invoked when synchronizer bu er is in a state corresponding to RSTG node 2. Thus, the entry node is labeled by the predicates In (2) and s@request, assuming s is an invocation of operation start write.
Step (a) is performed by applying the rst set of construction rules to the entry node in the proof lattice. Note that four edges leave node 2 in the RSTG; however, the edges labeled start read are temporarily disabled, because this operation cannot be serviced due to the pending invocation of higher-priority operation start write. Consequently, only two edges are created in the proof lattice, corresponding to the RSTG edges labeled end read.
Step (b) is performed by applying the second set of rules and temporal logic axiom ( p _ :p), where p is instantiated to the predicate In(2). So the formula (In(2) ! ( In(2) _ :In(2))) is also valid. Consequently, the node under consideration has two descendants, one for each of the disjuncts in the temporal logic axiom.
Step (c) is performed by noting that end read is enabled when In (2) is true, whereas start read is not enabled. Moreover, these two operations deallocate and allocate resource read permission, respectively. Since variable reader # is conformal with this resource, the allocation completion rule can be applied to produce a descendant labeled (reader # = 0). This predicate contradicts the earlier assumption In(2). As a result, a rule leading directly to the exit node, whose label is enabled(s), can be applied in the following proof step (f).
Step (d) is performed by applying a construction rule from the rst group. This rule is similar to the rule applied in step (a); however, here the label of a proof lattice node has the additional predicate :In(2). The execution of an enabled operation can lead from node 2 to node 1 or node 3; however, the edge leading to node 3 is disabled due to the priority speci cation. Consequently, the formula (:In(2) ! In (1)) is valid and a descendant labeled In (1) is created for the proof lattice node under consideration. Finally, a rule leading to the exit node can be applied in the step (e), concluding the proof lattice construction.
The above example has shown the liveness of operation start write, assuming this operation is invoked when synchronizer bu er is in a given state subset. Similar proofs have been made for the other synchronizer operations and states in an e ort to complete the liveness proof for synchronizer bu er. These proofs have been generally successful. However, di culties have arisen in the proof of liveness for operation start read, which has a lower priority than operation start write in the speci cation of synchronizer bu er. Because of this priority condition, invocations of start read may \starve" due to the continuous presence of start write invocations.
To avoid the possibility of starvation of operation start read, the speci cation of synchronizer bu er can be modi ed by removing the operation priorities clause appearing in Figure 1 . In this case, all proof lattice constructions for start read are successful; however, the constructions for start write and RSTG nodes 2 and 3 would fail. In particular, start write invocations could be prevented from ever becoming enabled by a continuous presence of start read requests. Nevertheless, an analysis of the failed proof lattice constructions leads to the conclusion that invocations of start read and start write should be placed in the same FIFO queue. In this case, all the proof lattices for synchronizer bu er can be constructed successfully, thus establishing the liveness of this synchronizer.
Our approach to liveness analysis has been applied successfully to a variety of traditional examples in the domain of concurrent programs, such as the producers/consumers, the sleepy barber 8] and a simpli ed version of a memory controller. While the full expressive power of this approach is still under active investigation, a prototype that partially automates the proof lattice construction activity shown here has been implemented. The prototype takes as input an RSTG for a given synchronizer, a synchronizer operation O and an RSTG node N i . The goal of the prototype is to construct a proof lattice for operation O and the input RSTG such that the entry node is labeled In (N i ). An implementation of the Boyer-Moore theorem prover 3] is used to prove theorems that do not contain temporal operators. So far, the prototype has been applied successully to a variety of cases from the above example set. In particular, all the proof lattices for the readers/writers and the sleepy barber example have been constructed automatically.
Although in general proof lattice construction requires the full power of a theorem prover for rst-order temporal logic, which is undecidable 1], in practice the prototype has performed satisfactorily in the case of the above example set. In our opinion there are several reasons for this. First, the state structure of an RSTG is used to drive the activity of proof lattice construction. Second, the liveness analysis is rather stylized, thus sidestepping the need to use the full deductive power of a temporal logic system during proof lattice construction. Third, our assumptions about the behavior of resource allocation and deallocation simplify proof lattice construction. The results obtained automatically for the readers/writers and the sleepy barber examples are of particular signi cance because these examples contain only one synchronizer. Proof lattice construction is also applicable to examples including multiple synchronizers; however, in that case, the interactions among these synchronizers cannot be analyzed completely using the approach described here. Additional techniques for extending the proof lattice based analysis to program speci cations containing multiple synchronizers are under active investigation 4].
Target Code Generation
In our approach, target code generation is a relatively straightforward translation activity that maps a program speci cation into the corresponding target program. In addition to a program speci cation, the code generator is supplied with the results of the analyses that were done in earlier phases. Augmented operation preconditions found during RSTG construction are particularly important. For instance, the predicate (reader # 9) is added to the preconditions of operation start read in the target code of synchronizer bu er.
The proof lattice constructions also play a role in code generation. They can identify queue structures that make it possible for synchronizer target code to satisfy the liveness requirements appearing in the corresponding speci cation. For instance, in the modi ed version of the bu er speci cation shown in Figure 1 the failed proof lattice constructions for operation start write suggest that invocations of this operation and operation start read should be placed in the same request queue.
A subset of Ada is used as our target language 2]. Target program construction is performed by instantiating suitable templates of target code for the processes and the synchronizers contained in the corresponding speci cation. Each process and synchronizer appearing in a program speci cation is implemented as an Ada task. Roughly speaking, an Ada task is a program unit that can be executed in parallel with other units (see 2] for a more detailed description of the Ada language).
Here we limit our discussion to the generation of synchronizer code. For a discussion of process code generation, see 4].
The generation of the Ada task implementing a given synchronizer speci cation is accomplished by template instantiation. The template of target code for a synchronizer S must perform the following activities:
(1) wait for operation invocations by other units; (2) store information about such operation invocations in suitable queues; (3) issue calls to allocate and deallocate resources required by operations de ned in S; (4) check queues de ned in S for enabled operations; and (5) select enabled operations for service and perform the corresponding state changes. To perform the above activities the Ada task implementing synchronizer S de nes variables that correspond to the state variables of S. In addition, the Ada task de nes queue structures for storing information about invoked operations that are waiting for service. An example of target code, namely the Ada task bu er, which implements the modi ed version of synchronizer bu er, is shown in Figure 4 .
The target code for synchronizer bu er consists of a task speci cation and a task body. The task speci cation de nes an Ada entry for each bu er operation. The task body de nes local variables and executable statements of task bu er. In general, the executable code for a synchronizer consists of a main loop. The rst statement in the loop is an Ada select statement which waits for a task entry to be called (i.e. for a synchronizer operation to be requested). When an entry is actually called, a record describing the request is created and placed on a suitable queue. The queue structures in the synchronizer are examined next to determine whether there are any enabled operation requests. If one is found, then the following actions are executed. First, the request is removed from its queue. Next, the changes to the value of the state variables that appear in the synchronizer speci cation are executed. Finally, the queues are checked again to determine whether other operation requests can be selected for service. Note that the bu er code makes use of a standard queue package to handle records describing operation invocations.
Conclusions
In this paper we have brie y sketched the workings of a proposed automatic synthesis system for synchronization code and we have described one particular crucial feature, a deductive system for establishing the liveness of synchronizer operations.
We believe our method is automatable, and is even potentially practical, for several reasons. First, the absence of loop constructs in operation state changes means that loop invariants need not be generated during RSTG construction, thus making this activity relatively straightforward. This is crucial because the RSTG reduces the excessive state information present in system behavior to a small, tractable body. Secondly, we have wedded our proof lattice machinery to the RSTG construction. This means that proof ow is directed by RSTG state transitions, thus controlling the size of the proof search space. Finally, proof lattice construction is facilitated by the absence of loop constructs in operation state transitions, by the absence of temporal operators in operation preconditions, and by the stated assumptions about the behavior of resource allocation and deallocation. As a result, only a limited subset of temporal logic has been required to build the proof lattices in the example set considered so far.
We believe that the practicality of the proposed approach is enhanced by the structure of program speci cations. First, our approach to synchronizer speci cation is close to the way people think about resources (i.e. in terms of operations performing resource allocations and deallocations). Second, high-level support is provided, so that speci cations can include such features as operation preconditions and priorities. Third, these properties are clearly separated in a program speci cation. We believe that these aspects of our approach compare favorably with previous work that does not support the speci cation of these properties explicitly 5, 10] .
