RGITL: A temporal logic framework for compositional reasoning about interleaved programs

  • Gerhard SchellhornEmail author
  • Bogdan Tofan
  • Gidon Ernst
  • Jörg Pfähler
  • Wolfgang Reif


This paper gives a self-contained presentation of the temporal logic Rely-Guarantee Interval Temporal Logic (RGITL). The logic is based on interval temporal logic (ITL) and higher-order logic. It extends ITL with explicit interleaved programs and recursive procedures. Deduction is based on the principles of symbolic execution and induction, known from the verification of sequential programs, which are transferred to a concurrent setting with temporal logic. We include an interleaving operator with compositional semantics. As a consequence, the calculus permits proving decomposition theorems which reduce reasoning about an interleaved program to reasoning about individual threads. A central instance of such theorems are rely-guarantee (RG) rules, which decompose global safety properties. We show how the correctness of such rules can be formally derived in the calculus. Decomposition theorems for other global properties are also derivable, as we show for the important progress property of lock-freedom. RGITL is implemented in the interactive verification environment KIV. It has been used to mechanize various proofs of concurrent algorithms, mainly in the area oflinearizable and lock-free algorithms.


Interval temporal logic Program verification Compositional reasoning Concurrency Rely-Guarantee reasoning Lock-Freedom 

Mathematics Subject Classifications (2010)

03B35 03B44 03B70 68Q60 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Lamport, L.: Composing specifications. In: de Bakker, J.W., de Roever, W.P., Rozenberg, G. (eds.) Stepwise Refinement of Distributed Systems - Models, Formalisms, Correctness, vol. 430, pp. 1–41. Springer LNCS, Berlin (1989)Google Scholar
  2. 2.
    Abadi, M., Lamport, L.: Conjoining Specifications. ACM Transactions on Programming Languages and Systems, pp. 507–534 (1995)Google Scholar
  3. 3.
    Adve, S.V., Gharachorloo, K.: Shared memory consistency models: a tutorial. IEEE Comput. 29, 66–76 (1995)CrossRefGoogle Scholar
  4. 4.
    Apt, K.R., de Boer, F., Olderog, E.R.: Verification of Sequential and Concurrent Programs, 3rd edn. Springer (2009)Google Scholar
  5. 5.
    Bäumler, S., Balser, M., Nafz, F., Reif, W., Schellhorn, G.: Interactive verification of concurrent systems using symbolic execution. AI Commun. 23(2, 3), 285–307 (2010)zbMATHMathSciNetGoogle Scholar
  6. 6.
    Bäumler, S., Schellhorn, G., Tofan, B., Reif, W.: Proving linearizability with temporal logic. FAC J. 23(1), 91–112 (2011)zbMATHGoogle Scholar
  7. 7.
    Bjørner, N., Manna, Z., Sipma, H., Uribe, T.: Deductive verification of real-time systems using STeP. Theor. Comput. Sci. 253(1) (2001)Google Scholar
  8. 8.
    Börger, E., Stärk, R.F.: Abstract State Machines — A Method for High-Level System Design and Analysis. Springer (2003)Google Scholar
  9. 9.
    Brookes, S.: A semantics for concurrent separation logic. Theor. Comput. Sci. 375(1–3), 227–270 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  10. 10.
    Burstall, R.M.: Program proving as hand simulation with a little induction. Inf. Process. 74, 309–312 (1974)Google Scholar
  11. 11.
    Cau, A., Moszkowski, B.: Using PVS for Interval Temporal Logic proofs. Part 1: The syntactic and semantic encoding. Tech. rep., De Montfort University (1996)Google Scholar
  12. 12.
    Cau, A., Moszkowski, B.: ITL – Interval Temporal Logic. Software Technology Research Laboratory. De Montfort University, UK. (2013). Accessed 1 July 2013
  13. 13.
    Coleman, J.W., Jones, C.B.: A structural proof of the soundness of rely/guarantee rules. J. Log. Comput. 17, 807–841 (2007)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Doherty, S., Groves, L., Luchangco, V., Moir, M.: Formal verification of a practical lock-free queue algorithm. In: FORTE 2004, LNCS, vol. 3235, pp. 97–114 (2004)Google Scholar
  15. 15.
    Dongol, B., Derrick, J., Hayes, I.J.: Fractional permissions and non-deterministic evaluators in interval temporal logic. ECEASST 53 (2012)Google Scholar
  16. 16.
    Floyd, R.W.: Assigning meanings to programs. In: Schwartz, J.T. (ed.) Proceedings of the Symposium on Applied Mathematics, vol. 19, pp. 19–32. American Mathematical Society (1967)Google Scholar
  17. 17.
    Gotsman, A., Cook, B., Parkinson, M., Vafeiadis, V.: Proving that nonblocking algorithms don’t block. In: POPL, pp. 16–28. ACM (2009)Google Scholar
  18. 18.
    Groves, L.: Verifying michael and scott’s lock-free queue algorithm using trace reduction. In: Proceedings on CATS ’08, pp. 133–142. Australian Computer Society Inc (2008)Google Scholar
  19. 19.
    Guelev, D.P., Van Hung, D.: Prefix and projection onto state in duration calculus. Electr. Notes Theor. Comput. Sci. 65(6), 101–119 (2002)CrossRefGoogle Scholar
  20. 20.
    Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. MIT Press (2000)Google Scholar
  21. 21.
    Herlihy, M., Wing, J.: Linearizability: a correctness condition for concurrent objects. ACM Trans. Prog. Lang. Syst. 12(3), 463–492 (1990)CrossRefGoogle Scholar
  22. 22.
    Holzmann, G.: The Spin Model Checker: Primer and Reference Manual. Addison Wesley (2003)Google Scholar
  23. 23.
    Jacobs, B., Piessens, F.: The VeriFast Program Verifier. Technical Report CW-520. KU Leuven (2008)Google Scholar
  24. 24.
    Jones, C.B.: Development Methods for Computer Programs Including a Notion of Interference. Ph.D. thesis, Oxford University. Available as Programming Research Group Technical Monograph 25 (1981)Google Scholar
  25. 25.
    Jones, C.B.: Specification and design of (parallel) programs. In: Proceedings of IFIP’83, pp. 321–332. North-Holland (1983)Google Scholar
  26. 26.
    King, J.C.: A Program Verifier. Ph.D. Thesis. Carnegie Mellon University (1970)Google Scholar
  27. 27.
    KIV Download: (2012). Accessed 1 September 2013
  28. 28.
    KIV: Presentation of a higher-order specifications of RGITL. (2012). Accessed 1 September 2013
  29. 29.
    KIV: Presentation of proofs for concurrent algorithms in RGITL. (2013). Accessed 1 September 2013
  30. 30.
    Lamport, L.: The temporal logic of actions. ACM Trans. Program. Lang. Syst. 16(3), 872–923 (1994). doi: 10.1145/177492.177726 CrossRefGoogle Scholar
  31. 31.
    Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems – Safety. Springer (1995)Google Scholar
  32. 32.
    Manna, Z., Pnuelli, A.: Temporal verification diagrams. In: Hagiya, M., Mitchell, J. (eds.) International Symposium on Theoretical Aspects of Computer Software, vol. 789, pp. 726–765. Springer Verlag (1994)Google Scholar
  33. 33.
    Massalin, H., Pu, C.: A Lock-Free Multiprocessor OS Kernel. Tech. Rep. CUCS-005-91. Columbia University (1991)Google Scholar
  34. 34.
    Michael, M.M.: Hazard pointers: safe memory reclamation for lock-free objects. IEEE Trans. Parallel Distrib. Syst 15(6), 491–504 (2004)CrossRefGoogle Scholar
  35. 35.
    Michael, M.M., Scott, M.L.: Simple, fast, and practical non-blocking and blocking concurrent queue algorithms. In: Proceedings of the 15th ACM Symposium on Principles of Distributed Computing, pp. 267–275 (1996)Google Scholar
  36. 36.
    Misra, J., Chandy, K.M.: Proofs of networks of processes. IEEE Trans. Softw. Eng. 7, 417–426 (1981)CrossRefzbMATHMathSciNetGoogle Scholar
  37. 37.
    Moore, J.S.: A mechanically checked proof of a multiprocessor result via a uniprocessor view. Form. Methods Syst. Des. 14, 213–228 (1999)CrossRefGoogle Scholar
  38. 38.
    Moszkowski, B.: A temporal logic for multilevel reasoning about hardware. IEEE Comput. 18(2), 10–19 (1985)CrossRefGoogle Scholar
  39. 39.
    Moszkowski, B.: Executing Temporal Logic Programs. Cambridge University Press, Cambridge (1986)Google Scholar
  40. 40.
    Moszkowski, B.: Compositional reasoning about projected and infinite time. In: Proceedings of the 1st ICECCS, pp. 238–245. IEEE Computer Society (1995)Google Scholar
  41. 41.
    Moszkowski, B.: An automata-theoretic completeness proof for interval temporal logic. In: ICALP ’00: Proceedings of the 27th International Colloquium on Automata, Languages and Programming, pp. 223–234. Springer-Verlag, London (2000)Google Scholar
  42. 42.
    Moszkowski, B.: Interconnections between classes of sequentially compositional temporal formulas. Inf. Process. Lett. 113(9), 350–353 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
  43. 43.
    Nafz, F., Seebach, H., Steghöfer, J.P., Bäumler, S., Reif, W.: A formal framework for compositional verification of organic computing systems. In: Proceedings of the 7th International Conference on Autonomic and Trusted Computing (ATC 2010), pp. 17–31. Springer, LNCS (2010)Google Scholar
  44. 44.
    Peterson, G.L.: Myths about the mutual exclusion problem. Inf. Process. Lett. 12(3), 115–116 (1981)CrossRefzbMATHGoogle Scholar
  45. 45.
    Pnueli, A.: The temporal logic of programs. In: Proceedings of the 18th Annual IEEE Symposium on the Foundation of Computer Science (FOCS), pp. 46–57. IEEE Computer Society Press (1977)Google Scholar
  46. 46.
    Reif, W., Schellhorn, G., Stenzel, K., Balser, M.: Structured specifications and interactive proofs with KIV. In: Bibel, W., Schmitt, P. (eds.) Automated Deduction—A Basis for Applications, vol. II, pp. 13–39. Kluwer, Dordrecht (1998)Google Scholar
  47. 47.
    de Roever, W.P., de Boer, F., Hannemann, U., Hooman, J., Lakhnech, Y., Poel, M., Zwiers, J.: Concurrency Verification: Introduction to Compositional and Noncompositional Methods. No. 54 in Cambridge Tracts in Theoretical Computer Science. Cambridge University Press (2001)Google Scholar
  48. 48.
    Schellhorn, G., Tofan, B., Ernst, G., Reif, W.: Interleaved programs and rely-guarantee reasoning with ITL. In: Proceedings of the 18th International Symposium on Temporal Representation and Reasoning (TIME), pp. 99–106. IEEE Computer Society Press (2011)Google Scholar
  49. 49.
    Stølen, K.: A method for the development of totally correct shared-state parallel programs. In: CONCUR’91, vol. 527, pp. 510–525. Springer LNCS (1991)Google Scholar
  50. 50.
    Tofan, B., Bäumler, S., Schellhorn, G., Reif, W.: Temporal logic verification of lock-freedom. In: Proceedings of MPC 2010, pp. 377–396. Springer LNCS 6120 (2010)Google Scholar
  51. 51.
    Tofan, B., Schellhorn, G., Ernst, G., Pfähler, J., Reif, W.: Compositional Verification of a Lock-Free Stack with RGITL. In: Proceedings of International Workshop on Automated Verification of Critical Systems (to appear in ECEASST) (2013)Google Scholar
  52. 52.
    Tofan, B., Schellhorn, G., Reif, W.: Formal verification of a lock-free stack with hazard pointers. In: Proceedings ICTAC, pp. 239–255. Springer LNCS 6916 (2011)Google Scholar
  53. 53.
    Vafeiadis, V., Parkinson, M.J.: A marriage of rely/guarantee and separation logic. In: CONCUR, vol. 4703, pp. 256–271. Springer LNCS (2007)Google Scholar
  54. 54.
    Xu, Q., de Roever, W.P., He, J.: The rely-guarantee method for verifying shared variable concurrent programs. FAC J. 9(2), 149–174 (1997)zbMATHGoogle Scholar
  55. 55.
    Xu, Q., Swarup, M.: Compositional reasoning using the assumption-commitment paradigm. Lect. Notes Comput. Sci. 1536, 565–583 (1998)CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • Gerhard Schellhorn
    • 1
    Email author
  • Bogdan Tofan
    • 1
  • Gidon Ernst
    • 1
  • Jörg Pfähler
    • 1
  • Wolfgang Reif
    • 1
  1. 1.Institute for Software and Systems EngineeringUniversity of AugsburgAugsburgGermany

Personalised recommendations