Static Timing Analysis of Parallel Software Using Abstract Execution
– DRAFT –

Andreas Gustavsson

month year

School of Innovation, Design and Engineering
Mälardalen University
Västerås, Sweden
Abstract

The Power Wall has stopped the past trend of increasing processor throughput by increasing the clock frequency and the instruction level parallelism. Therefore, the current trend in computer hardware design is to expose explicit parallelism to the software level. This is most often done using multiple processing cores situated on a single processor chip. The cores usually share some resources on the chip, such as some level of cache memory (which means that they also share the interconnect, e.g., a bus, to that memory and also all higher levels of memory), and to fully exploit this type of parallel processor chip, programs running on it will have to be parallel as well. Since multi-core processors are the new standard, even embedded real-time systems will (and some already do) incorporate this kind of processor and parallel code.

A real-time system is any system whose correctness is dependent both on its functional and temporal output. For some real-time systems, a failure to meet the temporal requirements can have catastrophic consequences. Therefore, it is of utmost importance that methods to analyze and derive safe estimations on the timing properties of parallel computer systems are developed.

This thesis presents an analysis that derives safe (lower and upper) bounds on the execution time of a given parallel program. The interface to the analysis is a rudimentary parallel programming language that is formally (both syntactically and semantically) defined in the thesis. The analysis is based on abstract execution, which in turn builds on abstract interpretation techniques that have been commonly used within the field of timing analysis of single-core computer systems to derive safe timing bounds in an efficient (although over-approximating) way. Basically, abstract execution simulates several concrete executions of the analyzed program in one go.

The thesis proves the soundness of the presented analysis (i.e., that the estimated timing bounds are indeed safe) and also includes three case studies, each showing an important feature or characteristic of the analysis.
Acknowledgment

Thanks!

Andreas Gustavsson
Västerås, January 1, 2004 ????????????????
Contents

1 Introduction
  1.1 Real-Time Systems
  1.2 Timing Analysis of Real-Time Systems
  1.3 Research Questions
  1.4 Pilot Study
  1.5 Approach
  1.6 Contribution
  1.7 Included Publications
  1.8 Thesis Outline

2 Related Work
  2.1 Static Timing Analysis
  2.2 Multi-Core Analyzability

3 Preliminaries
  3.1 Partially Ordered Sets & Complete Lattices
  3.2 Constructing Complete Lattices
  3.3 Galois Connections & Galois Insertions
  3.4 Constructing Galois Connections
  3.5 Constructing Galois Insertions
  3.6 The Interval Domain

4 PPL: A Parallel Programming Language
  4.1 States & Configurations
  4.2 Semantics
  4.3 Collecting Semantics
Chapter 1

Introduction

This chapter starts by introducing the fundamental concepts used within the field of the thesis. It also states the research questions asked, the approach used to answer them and the resulting contributions of the thesis. The chapter also presents the papers included in the thesis and a pilot study on using model-checking for timing analysis of parallel real-time systems.

1.1 Real-Time Systems

As computers have become smaller, faster, cheaper and more reliable, their range of use has rapidly increased. Today, everything from wrist watches to airplanes is computer-controlled. These types of systems are commonly referred to as embedded systems; i.e., one or more controller chips with accompanying software are embedded within the product. It has been estimated that over 99 percent of the worldwide production of computer chips is destined for embedded systems [9].

A real-time system is often an embedded system for which the timing behavior is of great importance. More formally, the Oxford Dictionary of Computing gives the following definition of a real-time system [40].

“Any system in which the time at which output is produced is significant. This is usually because the input corresponds to some movement in the physical world, and the output has to relate to that same movement. The lag from input time to output time must be sufficiently small for acceptable timeliness.”
The word “timeliness” refers to the total system and can be dependent on mechanical properties like inertia. One example is the compensation of temporary deviations in the supporting structure (e.g., a twisting frame) when firing a missile, to keep the missile’s exit path constant throughout the process. Another example is firing the airbag in a colliding car. This should not be done too soon, or the airbag will have lost too much pressure upon the human impact, and not too late, or the airbag could cause additional damage upon impact; i.e., the inertia of the human body and the deceleration of the colliding car both affect the timeliness of the airbag system. It should thus be apparent that the correctness of a real-time system depends both on the logical result of the performed computations and on the time at which the result is produced.

Real-time systems can be divided into two categories: hard and soft real-time systems. Hard real-time systems are such that failure to produce the computational result within certain timing bounds could have catastrophic consequences. One example of a hard real-time system is the above-mentioned airbag system. Soft real-time systems, on the other hand, can tolerate missing these deadlines to some extent and still function properly. One example of a soft real-time system is a video displaying device. Failing to display a video frame within the given bounds will not be catastrophic (but perhaps annoying to the viewer if it occurs too often). The video will still continue to play (although perhaps with reduced display quality), assuming that the system is not overloaded in general.

The current trend in computer hardware design is to make parallelism explicitly available to the programmer, often in the form of multiple processing cores on the same chip. This strategy helps increase the chip’s throughput without hitting the power wall, since the individual processing cores on the multi-core chip are usually simpler than a single core implemented on the equivalent chip area [70]. The cores typically share some resources, such as some level of on-chip cache memory, which introduces dependencies and conflicts between the cores; e.g., simultaneous accesses from two or more cores to a shared resource will introduce delays for some of the cores. Processor chips of this kind of multi-core architecture are currently being used in real-time systems within, for example, the automotive industry.

To fully utilize the multi-core architecture, algorithms will have to be parallelized over multiple tasks (e.g., threads). This means that the tasks will have to share resources and communicate and synchronize with each other. There already exist libraries and language extensions that let a programmer explicitly parallelize sequential code with little effort. One example, available for C/C++ and Fortran code running on shared-memory machines, is OpenMP [64]. The conclusion is that parallel software running on parallel hardware is already available today and will probably be the standard way of computing in the future, also for real-time systems.

When proving the correctness of, and/or the schedulability of the tasks in, a real-time system, it is, as far as the author knows, always assumed that safe (i.e., not under-approximated) bounds on the timing behavior of all tasks in the system are known. The timing bounds are, for example, used as input to algorithms that prove or falsify the schedulability of the tasks in the system [4, 22, 54]. Therefore, it is of crucial importance that methods for deriving safe timing bounds (referred to as estimates) for this type of parallel computational systems are defined.

This thesis presents a method that derives safe estimates on the timing bounds for the described type of systems. The method mainly targets hard real-time systems. However, it can be applied to any computer system fitting the assumptions made in the upcoming chapters.

1.2 Timing Analysis of Real-Time Systems

A program’s execution time (i.e., the amount of time it takes to execute the entire program from its entry point to its exit point) is not constant; it is dependent on the initial system state. This state includes the input to the program (i.e., the values of its arguments), the hardware state (e.g., cache memory contents) and the state of any other software that is executing on the same hardware. However, for any program and any set of initial states, at least one of the resulting execution times will be equal to the shortest execution time for the given program and set of initial states. The shortest execution time is referred to as the Best-Case Execution Time (BCET). Likewise, at least one of the resulting execution times will be equal to the longest execution time for the given program and set of initial states. The longest execution time is referred to as the Worst-Case Execution Time (WCET).

Traditionally, when computers were purely sequential, the main focus of timing analysis was on estimating the WCET only. This was possible as long as the analyzed hardware did not exhibit timing anomalies, i.e., as long as the local worst-case scenario (the longest possible execution time for a single instruction, or a block of instructions) always resulted in the global worst case. However, when introducing multi-core architectures with shared memory, this is no longer the case [1, 56, 76]. This means that the only safe option is to take all the possible execution times between, and including, the local BCET and WCET into account when deriving the global (BCET and) WCET.

Today, there exist several algorithms and tools that strive to derive a safe and tight (i.e., not too over-approximate) estimate of the WCET of a sequential task targeted for sequential hardware. Some examples of such tools are aiT [20, 91], Bound-T [37, 91], Chronos [49, 91], Heptane [91], OTAWA [6], RapiTime [75, 91], SWEET [17, 91], SymTA/P [91] and TuBound [72, 91]. aiT, Bound-T and RapiTime are commercial tools while the others are primarily research prototypes. aiT, Bound-T, Chronos, Heptane, OTAWA and TuBound are purely static tools while SWEET and SymTA/P mainly use static WCET analysis techniques, but also dynamic techniques to some extent. RapiTime is heavily based on dynamic techniques.

In dynamic WCET analysis, measurements of the actual execution time of the software running on the target hardware are performed. This method is not guaranteed to execute the program’s worst-case path, though, which could, for example, include some error-handling routine that is only rarely executed. Thus, the WCET might be gravely under-estimated; i.e., there might exist paths through the code with considerably worse (longer) execution times than the worst execution time detected by the measurements.

In static WCET analysis, the program code and the properties of the target hardware are analyzed without actually executing the program. Instead, the analysis is based on the semantics of the programming language constructs used to define the program and a (timing) model of the target hardware. Static methods usually try to find a tight estimate of the WCET but, by construction, never under-estimate it.

Static WCET analyses are normally split into three subtasks: the low-level analysis, which attempts to find safe timing estimates for executions of code sequences, the flow analysis, which constrains the possible paths through the code, and the calculation, where the most time-consuming path is found, using information derived in the first two phases. This traditional approach assumes that the analyzed program consists of a single flow of control; i.e., is sequential. In a parallel program, there are several flows of control, possibly with dependencies among them. The consequence is that the traditional three-phase approach is not directly applicable when analyzing arbitrary parallel programs executing on parallel shared-memory architectures.

This thesis presents a static method that derives safe estimations of the BCET and WCET of a parallel program by combining the three phases into one single phase; i.e., the method directly calculates the timing bound estimates while analyzing the semantic behavior of the program, based on a (safe) timing
Note that solving the problem of finding the actual WCET in the general case is comparable to solving the halting problem (i.e., determining whether the program will terminate), which is an undecidable problem (cf. [45]). Thus, the space of possible system states that a WCET analysis must search through could be extremely large, or even infinite, in the general case. This means that the analysis itself might not terminate in the general case. Therefore, techniques to increase the probability of, or even more desirable, guarantee, analysis termination must be derived. For many of the traditional methods for analyzing sequential programs, there are ways to guarantee termination using widening/narrowing techniques [62]. These techniques are not directly applicable to the method presented in this thesis, though.

1.3 Research Questions

This thesis mainly tries to answer the following questions.

**Question 1:** “What are the distinguishing features of a parallel computer system (i.e., the hardware and software combination) that must be taken into account in a timing analysis on the code level?”

**Question 2:** “How can a parallel computer system be analyzed to derive safe and tight estimations on its timing bounds?”

**Question 3:** “How can analysis termination be guaranteed?”

1.4 Pilot Study

Model-checking is a technique for verifying properties of a model of some system. The idea of using model-checking to perform WCET analysis has been investigated and shown to be adequate for analyzing parts of a single-core system [38, 60].

Timed automata\(^1\) can be used to model real-time systems [3]. An automaton can be viewed as a state machine with locations and edges [43]. A state represents certain values of the variables in the system and which location of an automaton is active, while the edges represent the possible transitions from one state to another [43]. (Continuous) time is expressed as a set of real-valued variables called clocks. UPPAAL\(^2\) [7, 47, 89] is a tool used to model, simulate and verify networks of timed automata [7, 8, 43].

\(^1\)The formal syntax and semantics of timed automata can be found in [2] and [43].

Preceding the work presented in this thesis, an initial study [30] in which UPPAAL was used to model, and derive high precision estimates on the timing bounds of, a small parallel real-time system was performed. The paper shows that timing analysis of parallel real-time systems can be performed using the model-checking techniques available in for example UPPAAL. However, the proposed method (i.e., the way the system was modeled and analyzed) did not scale very well, for example with respect to the number of threads in the analyzed program. Therefore, it was decided not to continue on the pure model-checking path (although, there might be other ways to model the system that would succeed better).

1.5 Approach

The approach used in this thesis is to statically calculate safe BCET and WCET estimates by abstractly executing the analyzed program (cf. [23, 28]) using a safe timing model of the underlying hardware. As previously discussed, statically computing the exact set of possible semantic states for an arbitrary program is an extremely complex task. Using abstract execution (which is based on abstract interpretation techniques), a superset of the possible semantic states, given some set of initial system states, is considered instead, at a much lower cost.

Abstract interpretation [14, 23, 62] is a method for safely approximating the program semantics and can be used to obtain a set of possible abstract states for each point in a program. An abstract state collects, and most often over-approximates, the information given by a set of concrete semantic states. This means that an analysis based on abstractly interpreting the semantics of a program can become less complex and more efficient, but might suffer from imprecision, compared to an analysis based on the concrete semantics.

The concrete semantics of an arbitrary programming language can be abstracted in many different ways. The choice of abstraction is done by defining an abstract domain. An abstract domain is essentially the set of all possible abstract states that fit the definition of the domain.

An example of an abstract domain is \( \text{Intv} \), defined as \( \{[z_1, z_2] \mid z_1, z_2 \in \mathbb{Z} \cup \{-\infty, \infty\} \land -\infty \leq z_1 \leq z_2 \leq \infty\} \); i.e., the set of all intervals that “fit inside”

(Note that the domain \( \text{Intv} \) is completely defined in Section 3.6.) This domain can be used to over-approximate sets of values from the concrete domain \( \{ z \in \mathbb{Z} \cup \{-\infty, \infty\} \mid -\infty \leq z \leq \infty \} = \mathbb{Z} \cup \{-\infty, \infty\} \); i.e., the set of all integers between (and including) \(-\infty\) and \(\infty\).

\(^2\)An introduction to UPPAAL and the formal semantics of networks of timed automata are given in [7] and [43], respectively.

Assume that the program variable \( x \) can have the value \( v \), such that \( v \in \{1, 2, 5, 8\} \), at a given point of the program according to the concrete semantics (i.e., \( x \) has four possible values at the given program point). In the abstract domain, the value of \( x \) could safely be represented by \([1, 8]\). This is an over-approximation, since turning the abstract value back into a set of concrete values yields \([1, 8] \rightarrow \{1, 2, 3, 4, 5, 6, 7, 8\} \supseteq \{1, 2, 5, 8\}\). It can be noted that \([1, 8]\) is the best (tightest) approximation of the values of \( x \), since \([1, 8]\) is the smallest interval containing all the possible concrete values of \( x \).

Abstract execution is simply a way to abstractly simulate the execution of the analyzed program. This is done by collecting several concrete states into one (or, for some situations, several) abstract states using abstract interpretation, as discussed above. The existence of a timing model (of the underlying architecture) that provides safe information on the timing properties of individual operations within the analyzed program when executed in a particular system state allows the BCET and WCET of the analyzed program to be safely estimated.
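As an added illustration (not code from the thesis), the following Python sketch implements the \( \text{Intv} \) domain from the paragraphs above (abstraction, concretization, the inclusion ordering and the join) and uses it to abstractly execute a small constructed program under a constructed per-operation timing model, so that the resulting time interval is a [BCET, WCET] estimate. A brute-force enumeration of all concrete executions then checks that the estimate is safe. The program, the timing model and the way the state is split at the branch and merged afterwards are assumptions of this example; they are not the PPL analysis defined in Chapters 4 to 6.

```python
"""Added example: the Intv domain and an interval-timed abstract execution of
a tiny constructed program. Illustrative only; not the thesis's PPL analysis."""
from dataclasses import dataclass
from itertools import product
from math import inf


@dataclass(frozen=True)
class Intv:
    """An element [lo, hi] of Intv; bounds are integers or +-inf."""
    lo: float
    hi: float

    def __post_init__(self):
        assert self.lo <= self.hi, "the empty interval is represented by None"

    def leq(self, other):
        """The partial ordering of the domain: interval inclusion."""
        return other.lo <= self.lo and self.hi <= other.hi

    def join(self, other):
        """Least upper bound: the smallest interval containing both."""
        return Intv(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):
        """Greatest lower bound, or None when the intervals do not overlap."""
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        return Intv(lo, hi) if lo <= hi else None

    def add(self, other):
        return Intv(self.lo + other.lo, self.hi + other.hi)

    def mul(self, other):
        def m(a, b):  # guard against 0 * inf = nan
            return 0 if a == 0 or b == 0 else a * b
        ps = [m(a, b) for a in (self.lo, self.hi) for b in (other.lo, other.hi)]
        return Intv(min(ps), max(ps))


def alpha(values):
    """Abstraction: the tightest interval containing a non-empty set of ints."""
    return Intv(min(values), max(values))


def gamma(i):
    """Concretization of a finite interval to the set of integers it denotes."""
    return set(range(int(i.lo), int(i.hi) + 1))


# Constructed timing model: cycles per operation as an interval, e.g. a load
# costs 1 cycle on a cache hit and 10 on a miss (assumed values).
TIMING = {"load": Intv(1, 10), "add": Intv(1, 1), "cmp": Intv(1, 2),
          "mul": Intv(3, 5), "store": Intv(1, 10)}

# Constructed program:  y = load x;  y = y + 2;
#                       if y > 5 then z = y * 2 else z = y + 1;  store z


def abstract_exec(x):
    """Abstractly execute the program for all inputs in x. Returns the abstract
    value of z and a time interval [BCET estimate, WCET estimate]."""
    t = Intv(0, 0)
    y, t = x, t.add(TIMING["load"])
    y, t = y.add(Intv(2, 2)), t.add(TIMING["add"])
    t = t.add(TIMING["cmp"])
    # Split the state on the branch condition; a branch that no concrete
    # state can take (meet is None) is simply not executed.
    outcomes = []
    taken = y.meet(Intv(6, inf))
    if taken is not None:
        outcomes.append((taken.mul(Intv(2, 2)), t.add(TIMING["mul"])))
    not_taken = y.meet(Intv(-inf, 5))
    if not_taken is not None:
        outcomes.append((not_taken.add(Intv(1, 1)), t.add(TIMING["add"])))
    # Merge the branches with the join; this is where precision is lost.
    z, t = outcomes[0]
    for z2, t2 in outcomes[1:]:
        z, t = z.join(z2), t.join(t2)
    return z, t.add(TIMING["store"])


def concrete_runs(inputs):
    """Reference: every concrete input combined with every per-operation delay
    the timing model permits. Yields (z, execution time) pairs."""
    def delays(op):
        return range(int(TIMING[op].lo), int(TIMING[op].hi) + 1)
    for x in inputs:
        y = x + 2
        z, op = (y * 2, "mul") if y > 5 else (y + 1, "add")
        for d in product(delays("load"), delays("add"), delays("cmp"),
                         delays(op), delays("store")):
            yield z, sum(d)


def soundness_check(inputs):
    """The estimates are safe iff every concrete result and every concrete
    execution time lies inside them."""
    z_abs, t_abs = abstract_exec(alpha(inputs))
    zs, ts = zip(*concrete_runs(inputs))
    return set(zs) <= gamma(z_abs) and t_abs.lo <= min(ts) and max(ts) <= t_abs.hi


if __name__ == "__main__":
    print(alpha({1, 2, 5, 8}), gamma(Intv(1, 8)))
    print(abstract_exec(Intv(1, 8)), soundness_check(range(1, 9)))
```

For the input interval [1, 8] the example reaches both branches, so the merged value of z becomes [4, 20] although only eight concrete values are possible, while the time estimate [5, 28] happens to be exact; for [1, 3] the mul branch is infeasible and is never executed. Note that the abstract executor carries the full time interval through every operation rather than just the local maximum, which is the point made in Section 1.2 about having to keep both the local BCET and WCET.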

Basically, the only assumption made on the underlying architecture is that it provides (or can simulate) a shared memory address space, that can be used for communication, and shared resources, that can be used for synchronization. One example of such an architecture is a multi-core CPU. Another example is a virtualization environment that runs on top of a distributed system and provides a shared memory view. Yet another example is any real-time operating system; e.g., VxWorks [92].

1.6 Contribution

The main contributions of this thesis are the following.

1. **PPL**: a formally defined, rudimentary, parallel programming language for real-time systems. The semantics of PPL includes timing behavior and is defined using the familiar notation of operational semantics (cf. [63]).

2. An abstraction of the PPL semantics where concrete points in time are abstracted using intervals.

3. A safe timing analysis based on the abstract semantics of PPL. A complete correctness/soundness proof is provided.

1.7 Included Publications

This thesis includes the material presented in the following papers. Andreas Gustavsson is the main author of all the listed publications and has alone contributed all the technical material presented in them.

Paper A

Worst-Case Execution Time Analysis of Parallel Systems
Andreas Gustavsson.
Presented at the RTiS workshop, 2011.

This paper addresses contribution 1 and presents the first definition of the parallel programming language and a very simple (non-generalized) hardware timing model.

Paper B

Toward Static Timing Analysis of Parallel Software
Andreas Gustavsson, Jan Gustafsson and Björn Lisper.
Presented at the WCET workshop, 2012.

This paper addresses contributions 2 and 3 and presents a work-in-progress timing analysis that can analyze all aspects of a parallel program except synchronization. The presented analysis uses abstract execution to derive safe estimates of the BCET and WCET of the analyzed program.

Paper C

Toward Static Timing Analysis of Parallel Software - Technical Report
Andreas Gustavsson, Jan Gustafsson and Björn Lisper.

This paper addresses contributions 2 and 3 and is an extended version of Paper B. It includes all the mathematical details and a sketch of the correctness/soundness proof.
Paper D

*Timing Analysis of Parallel Software Using Abstract Execution*
Andreas Gustavsson, Jan Gustafsson and Björn Lisper.
Submitted to the VMCAI conference, 2014.

This paper addresses contributions 1, 2 and 3 and summarizes the work presented in this thesis. It presents a timing analysis that is based on the analysis defined in Papers B and C. The presented analysis derives safe estimations of the BCET and WCET for any program defined using a slightly modified version of the language presented in Paper A (i.e., PPL), given some (safe) timing model of the underlying architecture.

1.8 Thesis Outline

The rest of this thesis is organized as follows.

Chapter 2 presents some research that is closely related to the material presented in this thesis.

Chapter 3 introduces the reader to the fundamental concepts and theories needed to understand the contents of the following chapters.

Chapter 4 formally defines PPL, a parallel programming language.

Chapter 5 presents a semi-safe abstraction of the PPL semantics. Note that the abstraction is not safe for arbitrary PPL programs and that special care must be taken if using it (c.f., Chapter 6).

Chapter 6 defines a safe timing analysis using abstract execution based on the abstraction made in Chapter 5.

Chapter 7 presents some examples that show how the analysis presented in Chapter 6 handles communication and synchronization in PPL programs.

Chapter 8 discusses the research questions and the analysis presented in Chapter 6. The chapter also gives pointers to future work.

For the reader's convenience, the following appendices are provided.

Appendix A summarizes the notations and nomenclature used in this thesis.
Appendices B-H present listings of the assumptions, definitions, figures, tables, algorithms, lemmas and theorems defined in this thesis, respectively.
Chapter 2

Related Work

WCET-related research started with the introduction of timing schemas by Shaw in 1989 [82]. Shaw presents rules to collapse the CFG (Control Flow Graph) of a program until a final single value represents the WCET. Excellent overviews of the WCET research from the years 2000 and 2008 can be found in [73] and [91] respectively. The field of WCET analysis for parallel systems is quite new, so there is no solid foundation of previous research to stand on.

2.1 Static Timing Analysis

The field of static WCET analysis has, until recently, mainly focused on single-processor systems. In the field of low-level analysis, most research efforts have been dedicated to analyzing the effects of different hardware features, including pipelines [16, 35, 52, 83, 88], caches [50, 52, 88, 90], branch predictors [13], and super-scalar CPUs [51, 80].

Within flow analysis, most research has been dedicated to loop bound analysis. Flow analysis can also identify infeasible paths, i.e., paths which are executable according to the program control-flow graph structure, but not feasible when considering the semantics of the program and possible input data values. There are a number of approaches to flow analysis, using e.g., abstract interpretation, symbolic execution, Presburger arithmetics, specialized data flow analyses, and syntactical analysis of parse trees [28, 36, 37, 55, 88].

There is also some research on data flow analysis for parallel programs [15, 21, 46], which is of relevance to WCET analysis. Constant propagation
Three main methods exist for the WCET calculation: The tree-based method [12, 13, 52], originating from Park’s timing schemas [68]; the path-based method [35, 84]; and the Implicit Path Enumeration Technique (IPET) [17, 37, 50, 74, 88], where the WCET calculation problem is formulated as an Integer Linear Programming (ILP) problem, and the set of execution paths is restricted by linear constraints.

An alternative way of solving the calculation problem is a graph-based approach [74]. A comparison of the graph-based and IPET approaches is performed in [38], where the graph-based approach is carried out using model-checking in UPPAAL [7, 47, 89]. It is shown that IPET outperforms the model-checking-based approach, but that model-checking allows for calculating tight WCET bounds and easy integration of complex hardware models. A combined approach is proposed, where model-checking is used to analyze local regions of the code while IPET is used to solve the global analysis. Another argument for why model-checking could be useful in WCET analysis can be found in [60].

For analyses based on abstract execution, it is possible to calculate the BCET and WCET estimates of sequential programs during the abstract execution, without first generating flow facts [18, 28]. This thesis uses basically the same approach, but applies it to explicitly parallel programs.

Some research has been conducted within the field of static WCET analysis for multi-core and other types of multi-processor systems. A static method for analyzing multi-core processors with a shared L2 instruction cache has been presented [94]. A limitation of this analysis is that the L1 data cache is assumed to be perfect (i.e., all accesses are assumed to be hits, which is generally not the case) and thus does not affect the contents of the L2 cache. Based on this work, the same authors also address the same problem for the case that the shared L2 cache is direct-mapped [95].

There is also an approach for analyzing multi-cores with a shared L2 instruction cache (that still assumes a perfect L1 data cache) that takes into account the effects of pipelines susceptible to timing anomalies [11].

Staschulat et al. [85] consider an integrated task- and system-level analysis to estimate memory access times for sequential tasks running in parallel with tasks executing on other processors. Their approach requires full information about all tasks running in the system, and it makes quite strong assumptions about the task model.

Mittermayr and Blieberger [61] use a graph-based approach and Kronecker algebra to calculate an estimation of the WCET of a concurrent program. The graph is referred to as a CPG (Concurrent Program Graph) and plays a role similar to that of the CFG for sequential programs.

Potop-Butucaru and Puaut [71] target static timing analysis of parallel processors where “channels” are used to communicate between, and synchronize, the parallel tasks. Additional edges representing such communication and synchronization are then used to connect the CFGs of the individual tasks. The goal of this approach is to enable the use of the traditional three-phase analysis when analyzing parallel systems.

Ozaktas et al. [65] focus on analyzing synchronization delays experienced by tasks executing on time-predictable shared-memory multi-core architectures.

Lv et al. [57] and Wu and Zhang [93] use model-checking of timed automata to perform WCET analysis. In this approach, a timed automata-model of the system to be analyzed is created. Then, specific properties of the model are verified to find a WCET estimate for the analyzed system. The achievable tightness of the WCET estimate depends on the level of details in the timed automata-model.

Both papers mainly propose methods for reducing the size of the state space by altering the program model without affecting the true WCET of the model. This is a very important aspect when using model-checking overall. If the model is too large and complex, the state space will “explode”, which means that the number of possible states is very large and analyzing the model becomes infeasible.

Lv et al. [58] have also combined abstract interpretation with model-checking to avoid the scalability problems found in, e.g., [30]. This work does not focus on explicitly parallel software, though.

2.2 Multi-Core Analyzability

Some other research addresses the problem of (low) predictability in multi-core processors. This work mostly gives multi-core design guidelines and suggestions on how to use additional or modified hardware to increase the predictability, and thus the analyzability. In an extension to the method found in [94], memory bits for each instruction are used to determine whether the instruction should be cached or not [34]. E.g., to avoid pollution of the shared cache, “Static Single Usage” instructions (i.e., instructions in the program that are only referenced/executed once) should not be cached. This makes it possible to derive a tighter WCET estimate.

Arbiters (hardware circuits) can be added to a shared-memory multi-core processor to synchronize the memory accesses from different cores in order to increase the timing predictability of the system [66]. The result is a multi-core architecture that can be analyzed with existing single-core (and single-task) WCET analysis tools.

GAMC [67] is an SDRAM controller which upper bounds the delay a core can suffer from memory-access interferences from other cores. This is an important approach since the largest memory access latency will occur when accessing the main memory. The result is tight WCET approximations which only differ a few percent from the largest measured execution times, for a specific analyzed program suite.

Time Division Multiple Access (TDMA)-based memory bus access policies can also be introduced to make all memory accesses predictable, regarding the WCET [4, 79]. The problem with this approach is that the performance of the processor will be seriously degraded since, in the average case, a memory access from any core will be stalled for half the TDMA period (and the whole period in the worst case).

Kelter et al. [44] suggest to use the Priority Division (PD) protocol instead of the TDMA protocol. They show that PD is a very promising replacement for TDMA that provides predictability while not degrading the performance as severely as TDMA.

The MERASA project [59, 78] strives towards providing a timing-analyzable multi-core CPU together with system-level software (cf. an operating system). A case study [78] has been performed in which an estimate of the WCET of a parallel 3D multi-grid solver, executing on the MERASA multi-core platform, is derived. The parMERASA project [69] is a continuation of the MERASA project.
# Chapter 3: Preliminaries

In general, basing a timing analysis on the concrete semantics of a program is infeasible due to the enormous number of states that must be explored. As discussed in Section 1.5, abstract interpretation [14, 23, 62] is a method for safely approximating the concrete program semantics and can be used to obtain a set of possible abstract states for each point in a program. An abstract state collects, and most often over-approximates, the information given by a set of concrete semantic states. This means that an analysis based on abstractly interpreting the semantics of a program can become less complex and more efficient compared to an analysis based on the concrete semantics. The analysis presented in this thesis is based on abstract interpretation. Therefore, this chapter introduces the foundations used by abstract interpretation techniques.

NOTE. A summary of the notation and nomenclature used in this thesis can be found in Appendix A.

## 3.1 Partially Ordered Sets & Complete Lattices

The relation, as described by \( R : A \times B \rightarrow \{\text{true}, \text{false}\} \), where \( A \times B \) is the Cartesian product of the two sets \( A \) and \( B \), between two elements \( a \in A \) and \( b \in B \) is denoted by \( a \mathbin{R} b \). Given that for every \( a \in A \), there is at most one element, \( b \in B \), such that \( a \mathbin{R} b \), then \( R \) is said to be a partial function from \( A \) to \( B \). Given that for every \( a \in A \), there is exactly one element, \( b \in B \), such that \( a \mathbin{R} b \), then \( R \) is said to be a total function from \( A \) to \( B \).

\(^1\) Extensive introductions to complete lattices can be found in many textbooks, e.g., [62].

A partial ordering is a relation $\sqsubseteq : A \times A \to \{\text{true, false}\}$ that is reflexive (i.e., $\forall a \in A : a \sqsubseteq a$), transitive (i.e., $\forall a, a', a'' \in A : ((a \sqsubseteq a' \land a' \sqsubseteq a'') \Rightarrow a \sqsubseteq a'')$) and anti-symmetric (i.e., $\forall a, a' \in A : ((a \sqsubseteq a' \land a' \sqsubseteq a) \Rightarrow a = a')$). The pair $(A, \mathbin{R})$ is a partially ordered set if $\mathbin{R} : A \times A \to \{\text{true, false}\}$ is a partial ordering on $A$.

A subset $A'$ of $A$ has $a \in A$ as an upper bound if $\forall a' \in A' : a' \sqsubseteq a$ and as a lower bound if $\forall a' \in A' : a \sqsubseteq a'$. The element $a \in A$ is the least upper bound of $A'$ if $a$ is an upper bound of $A'$ and for all other upper bounds, $a' \in A$, of $A'$, $a \sqsubseteq a'$ (c.f., Definition 3.28). The element $a \in A$ is the greatest lower bound of $A'$ if $a$ is a lower bound of $A'$ and for all other lower bounds, $a' \in A$, of $A'$, $a' \sqsubseteq a$ (c.f., Definition 3.27). Note that a greatest lower bound and/or a least upper bound might not exist for all subsets of a partially ordered set. When they do exist, they are unique (since $\sqsubseteq$ is anti-symmetric) and will be denoted $\bigsqcap A'$ and $\bigsqcup A'$, respectively. The shorthand $a \sqcap a'$ will be used to denote $\bigsqcap \{a, a'\}$. Likewise, $a \sqcup a'$ will be used to denote $\bigsqcup \{a, a'\}$.

A complete lattice, $V = (V, \sqsubseteq, \bigsqcup, \bigsqcap, \bot, \top)$, is a partially ordered set, $(V, \sqsubseteq)$, such that all subsets have greatest lower bounds and least upper bounds. The least element of $V$ is denoted $\bot$ (the bottom element) and is given by $\bot = \bigsqcup \emptyset = \bigsqcap V$. The greatest element of $V$ is denoted $\top$ (the top element) and is given by $\top = \bigsqcap \emptyset = \bigsqcup V$.

The properties of monotone, completely additive and completely multiplicative functions are given in Definitions 3.1, 3.2 and 3.3, respectively. Note that when $V_1$ and $V_2$ are complete lattices, all subsets of these sets have least upper bounds and greatest lower bounds. Lemma 3.4 states some specific properties of a completely multiplicative function.

**Definition 3.1 (Monotone function):**
A function, $f : V_1 \to V_2$, between the partially ordered sets $V_1 = (V_1, \sqsubseteq_1)$ and $V_2 = (V_2, \sqsubseteq_2)$ is monotone if:

$$\forall v_1, v'_1 \in V_1 : v_1 \sqsubseteq_1 v'_1 \Rightarrow f(v_1) \sqsubseteq_2 f(v'_1)$$
**Definition 3.3 (Completely multiplicative function):**
A function, \( f : V_1 \to V_2 \), between the partially ordered sets \( V_1 = (V_1, \sqsubseteq_1) \) and \( V_2 = (V_2, \sqsubseteq_2) \) is completely multiplicative if for all \( V'_1 \subseteq V_1 \)

\[
f(\bigsqcap_1 V'_1) = \bigsqcap_2 \{ f(v) \mid v \in V'_1 \}
\]

whenever \( \bigsqcap_1 V'_1 \) and \( \bigsqcap_2 \{ f(v) \mid v \in V'_1 \} \) exist.

**Lemma 3.4 (Completely multiplicative functions):**
If \( V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle \) and \( \tilde{V} = \langle \tilde{V}, \sqsubseteq, \sqcup, \sqcap, \tilde{\bot}, \tilde{\top} \rangle \) are complete lattices and \( \tilde{V} \) is finite, then the three conditions

1. \( \gamma : \tilde{V} \to V \) is monotone,
2. \( \gamma(\tilde{\top}) = \top \), and
3. \( \gamma(\tilde{v} \sqcap \tilde{v}') = \gamma(\tilde{v}) \sqcap \gamma(\tilde{v}') \) whenever \( \tilde{v} \not\sqsubseteq \tilde{v}' \land \tilde{v}' \not\sqsubseteq \tilde{v} \), where \( \tilde{v}, \tilde{v}' \in \tilde{V} \),

are jointly equivalent to \( \gamma : \tilde{V} \to V \) being completely multiplicative.

**Proof (c.f., [62]).** Assume that \( V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle \) and \( \tilde{V} = \langle \tilde{V}, \sqsubseteq, \sqcup, \sqcap, \tilde{\bot}, \tilde{\top} \rangle \) are complete lattices and that \( \tilde{V} \) is finite.

First note that if \( \gamma : \tilde{V} \to V \) is completely multiplicative, then the three conditions trivially hold. Next, assuming that the three conditions are fulfilled, it will be proven that

\[
\gamma(\bigsqcap \tilde{V}') = \bigsqcap \{ \gamma(\tilde{v}) \mid \tilde{v} \in \tilde{V}' \}
\]

where \( \tilde{V}' \subseteq \tilde{V} \), using induction on the (finite) cardinality of \( \tilde{V}' \).

If the cardinality of \( \tilde{V}' \) is 0, then \( \gamma(\bigsqcap \tilde{V}') = \gamma(\tilde{\top}) = \top = \bigsqcap \{ \gamma(\tilde{v}) \mid \tilde{v} \in \tilde{V}' \} \) follows from condition 2. This proves the base case of the induction.

If the cardinality of \( \tilde{V}' \) is larger than 0, then \( \tilde{V}' = \tilde{V}'' \cup \{ \tilde{v}' \} \) where \( \tilde{v}' \notin \tilde{V}'' \), which ensures that the cardinality of \( \tilde{V}'' \) is strictly less than that of \( \tilde{V}' \). Note that by condition 1, \( \gamma(\tilde{v} \sqcap \tilde{v}') = \gamma(\tilde{v}) \sqcap \gamma(\tilde{v}') \) also when \( \tilde{v} \sqsubseteq \tilde{v}' \) or \( \tilde{v}' \sqsubseteq \tilde{v} \), so condition 3 extends to all pairs of elements. Hence, by assuming that \( \gamma(\bigsqcap \tilde{V}'') = \bigsqcap \{ \gamma(\tilde{v}) \mid \tilde{v} \in \tilde{V}'' \} \) (this is the induction assumption),

\[
\gamma(\bigsqcap \tilde{V}') \overset{\text{calc.}}{=} \gamma((\bigsqcap \tilde{V}'') \sqcap \tilde{v}') \overset{\text{cond. 3}}{=} \gamma(\bigsqcap \tilde{V}'') \sqcap \gamma(\tilde{v}') \overset{\text{ind. ass.}}{=} \bigsqcap \{ \gamma(\tilde{v}) \mid \tilde{v} \in \tilde{V}'' \} \sqcap \gamma(\tilde{v}') \overset{\text{calc.}}{=} \bigsqcap \{ \gamma(\tilde{v}) \mid \tilde{v} \in \tilde{V}' \},
\]

which proves the lemma. \( \square \)
## 3.2 Constructing Complete Lattices

There are several different ways to construct complete lattices. Any given set can be lifted into a complete lattice (Theorem 3.5).

**Theorem 3.5 (Complete lattice – Lifting):**

If \( S \) is a set, then \( \langle \mathcal{P}(S), \subseteq, \bigcup, \bigcap, \emptyset, S \rangle \) is a complete lattice.

**Proof.** Assume that \( S \) is a set and let \( S^{\mathcal{P}} \subseteq \mathcal{P}(S) \). It is then trivially the case that \( \bigsqcup S^{\mathcal{P}} = \bigcup S^{\mathcal{P}} \), \( \bigsqcap S^{\mathcal{P}} = \bigcap S^{\mathcal{P}} \), \( \bot = \emptyset \) and \( \top = S \) when \( \sqsubseteq \) is taken to be \( \subseteq \) (note that \( \subseteq \) is reflexive, transitive and anti-symmetric by definition).

The Cartesian product of two complete lattices is a complete lattice (Theorem 3.6).

**Theorem 3.6 (Complete lattice – Cartesian product):**

If \( (V_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1) \) and \( (V_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2) \) are complete lattices, then so is \( (V, \sqsubseteq, \sqcup, \sqcap, \bot, \top) \) where (let \( V' \subseteq V \)):

\[
\begin{align*}
V &= V_1 \times V_2 = \{(v_1, v_2) \mid v_1 \in V_1 \land v_2 \in V_2\} \\
(v_1, v_2) \sqsubseteq (v'_1, v'_2) &\iff v_1 \sqsubseteq_1 v'_1 \land v_2 \sqsubseteq_2 v'_2 \quad \text{where } v_1, v'_1 \in V_1 \text{ and } v_2, v'_2 \in V_2 \\
\bigsqcup V' &= \Big( \bigsqcup_1 \{v_1 \in V_1 \mid \exists v_2 \in V_2 : (v_1, v_2) \in V'\},\ \bigsqcup_2 \{v_2 \in V_2 \mid \exists v_1 \in V_1 : (v_1, v_2) \in V'\} \Big) \\
\bigsqcap V' &= \Big( \bigsqcap_1 \{v_1 \in V_1 \mid \exists v_2 \in V_2 : (v_1, v_2) \in V'\},\ \bigsqcap_2 \{v_2 \in V_2 \mid \exists v_1 \in V_1 : (v_1, v_2) \in V'\} \Big) \\
\bot &= (\bot_1, \bot_2) \\
\top &= (\top_1, \top_2)
\end{align*}
\]

**Proof.** Assume that \( (V_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1) \) and \( (V_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2) \) are complete lattices and let \( V = \{(v_1, v_2) \mid v_1 \in V_1 \land v_2 \in V_2\} \) and \( (v_1, v_2) \sqsubseteq (v'_1, v'_2) \iff v_1 \sqsubseteq_1 v'_1 \land v_2 \sqsubseteq_2 v'_2 \), where \( v_1, v'_1 \in V_1 \) and \( v_2, v'_2 \in V_2 \). (Note that it is straightforward to verify that \( (V, \sqsubseteq) \) is a partially ordered set since \( \sqsubseteq_1 \) and \( \sqsubseteq_2 \) are partial orders.) Also assume that \( V' \subseteq V \), and let \( V'_1 = \{v_1 \in V_1 \mid \exists v_2 \in V_2 : (v_1, v_2) \in V'\} \) and \( V'_2 = \{v_2 \in V_2 \mid \exists v_1 \in V_1 : (v_1, v_2) \in V'\} \) be the two projections of \( V' \).

Every upper bound, \( (v'_1, v'_2) \), of \( V' \) has \( v'_1 \) as an upper bound of \( V'_1 \) and \( v'_2 \) as an upper bound of \( V'_2 \). Since \( \bigsqcup_1 V'_1 \sqsubseteq_1 v'_1 \) for all upper bounds, \( v'_1 \), of \( V'_1 \) and \( \bigsqcup_2 V'_2 \sqsubseteq_2 v'_2 \) for all upper bounds, \( v'_2 \), of \( V'_2 \), it is easy to see that \( (\bigsqcup_1 V'_1, \bigsqcup_2 V'_2) \) is an upper bound of \( V' \) and that \( \bigsqcup V' = (\bigsqcup_1 V'_1, \bigsqcup_2 V'_2) \sqsubseteq (v'_1, v'_2) \) for all upper bounds, \( (v'_1, v'_2) \), of \( V' \) (c.f., the definition of \( \sqsubseteq \) above). \( \bigsqcap V' \) is shown in a similar manner.

Since \( \bot_1 = \bigsqcup_1 \emptyset \) and \( \bot_2 = \bigsqcup_2 \emptyset \), it is easy to see that \( \bot = (\bigsqcup_1 \emptyset, \bigsqcup_2 \emptyset) = (\bot_1, \bot_2) \). \( \top \) is shown in a similar manner.
A space of total functions where the domain of the functions is a set and the range is a complete lattice is itself a complete lattice (Theorem 3.7).

**Theorem 3.7 (Complete lattice – Total function space):**
If $S$ is a set and $\langle V_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1 \rangle$ is a complete lattice, then $\langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle$ where (let $V' \subseteq V$)

$$
\begin{align*}
V &= S \rightarrow V_1 = \{f : S \rightarrow V_1 \mid f \text{ is a total function}\} \\
f \sqsubseteq f' &\iff \forall s \in S : f(s) \sqsubseteq_1 f'(s) \quad \text{where } f, f' \in V \\
\bigsqcup V' &= \lambda s \in S.\ \bigsqcup_1 \{f(s) \mid f \in V'\} \\
\bigsqcap V' &= \lambda s \in S.\ \bigsqcap_1 \{f(s) \mid f \in V'\} \\
\bot &= \lambda s \in S.\ \bot_1 \\
\top &= \lambda s \in S.\ \top_1
\end{align*}
$$

is also a complete lattice.

**Proof.** Assume that $S$ is a set and $\langle V_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1 \rangle$ is a complete lattice, $V = S \rightarrow V_1 = \{f : S \rightarrow V_1 \mid f \text{ is a total function}\}$ and $f \sqsubseteq f' \iff \forall s \in S : f(s) \sqsubseteq_1 f'(s)$ where $f, f' \in V$. (Note that it is straightforward to verify that $(V, \sqsubseteq)$ is a partially ordered set.) Also assume that $V' \subseteq V$. Note that the totality of $f \in V$ will be used implicitly.

It is easy to see that $\forall s \in S : \forall f' \in V' : f'(s) \sqsubseteq_1 \bigsqcup_1 \{f(s) \mid f \in V'\}$ and that $\forall s \in S : \bigsqcup_1 \{f(s) \mid f \in V'\} \sqsubseteq_1 f''(s)$ for all upper bounds, $f''$, of $V'$ (c.f., the definition of $\sqsubseteq$ above); thus $\bigsqcup V'$ is the least upper bound of $V'$. $\bigsqcap V'$ is shown in a similar manner.

Since $\bot_1 = \bigsqcup_1 \emptyset$, it is easy to see that $\bot = \lambda s \in S.\ \bigsqcup_1 \emptyset = \lambda s \in S.\ \bot_1$. $\top$ is shown in a similar manner.

A space of monotone functions where both the domain and the range of the functions are complete lattices is itself a complete lattice (Theorem 3.8).

**Theorem 3.8 (Complete lattice – Monotone function space):**
If \( \langle V_1, \sqsubseteq_1, \sqcup_1, \sqcap_1, \bot_1, \top_1 \rangle \) and \( \langle V_2, \sqsubseteq_2, \sqcup_2, \sqcap_2, \bot_2, \top_2 \rangle \) are complete lattices, then so is \( \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle \) where (let \( V' \subseteq V \)):

\[
\begin{align*}
V &= V_1 \rightarrow V_2 = \{ f : V_1 \rightarrow V_2 \mid f \text{ is a monotone function} \} \\
f \sqsubseteq f' &\iff \forall v_1 \in V_1 : f(v_1) \sqsubseteq_2 f'(v_1) \quad \text{where } f, f' \in V \\
\bigsqcup V' &= \lambda v_1 \in V_1.\ \bigsqcup_2 \{ f(v_1) \mid f \in V' \} \\
\bigsqcap V' &= \lambda v_1 \in V_1.\ \bigsqcap_2 \{ f(v_1) \mid f \in V' \} \\
\bot &= \lambda v_1 \in V_1.\ \bot_2 \\
\top &= \lambda v_1 \in V_1.\ \top_2
\end{align*}
\]

**Proof.** Similar to the proof of Theorem 3.7, with the addition that the monotonicity of each \( f \in V \) gives \( \forall v_1, v_1' \in V_1 : v_1 \sqsubseteq_1 v_1' \Rightarrow f(v_1) \sqsubseteq_2 f(v_1') \) (c.f., Definition 3.1), which is what is needed to show that \( \bigsqcup V' \) and \( \bigsqcap V' \) are themselves monotone, i.e., elements of \( V \).
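As an added illustration (Python code written for this edit, not code from the thesis), the constructions of Theorems 3.5, 3.6 and 3.7 are implemented over small finite carriers and checked exhaustively against the Section 3.1 definitions of least upper bound, greatest lower bound, bottom and top. The class and function names (`PowersetLattice`, `ProductLattice`, `TotalFunctionLattice`, `is_complete_lattice`) and the sample carriers are this example's own choices; the monotone-function space of Theorem 3.8 is not included.

```python
"""Constructing complete lattices by lifting a set (Theorem 3.5), taking a
Cartesian product (Theorem 3.6) and forming a total-function space (Theorem 3.7),
with a brute-force check of the complete-lattice laws from Section 3.1."""
from functools import reduce
from itertools import combinations, product


def powerset(s):
    """All subsets of s as frozensets."""
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


class PowersetLattice:
    """Theorem 3.5: <P(S), subseteq, union, intersection, {}, S>."""

    def __init__(self, s):
        self.top = frozenset(s)
        self.bot = frozenset()
        self.elements = powerset(s)

    def leq(self, a, b):
        return a <= b

    def lub(self, subset):
        return frozenset().union(*subset)                     # union of no sets is {} = bot

    def glb(self, subset):
        return reduce(lambda x, y: x & y, subset, self.top)   # intersection of no sets is S = top


class ProductLattice:
    """Theorem 3.6: V1 x V2 with component-wise order, lub and glb."""

    def __init__(self, l1, l2):
        self.l1, self.l2 = l1, l2
        self.elements = [(a, b) for a in l1.elements for b in l2.elements]
        self.bot, self.top = (l1.bot, l2.bot), (l1.top, l2.top)

    def leq(self, x, y):
        return self.l1.leq(x[0], y[0]) and self.l2.leq(x[1], y[1])

    def lub(self, subset):                                    # lub of the two projections
        subset = list(subset)
        return (self.l1.lub([x[0] for x in subset]), self.l2.lub([x[1] for x in subset]))

    def glb(self, subset):                                    # glb of the two projections
        subset = list(subset)
        return (self.l1.glb([x[0] for x in subset]), self.l2.glb([x[1] for x in subset]))


class TotalFunctionLattice:
    """Theorem 3.7: S -> V1, each total function stored as a tuple of values
    indexed by sorted(S), ordered and joined pointwise."""

    def __init__(self, s, l1):
        self.keys, self.l1 = sorted(s), l1
        self.elements = list(product(l1.elements, repeat=len(self.keys)))
        self.bot = tuple(l1.bot for _ in self.keys)            # lambda s. bot_1
        self.top = tuple(l1.top for _ in self.keys)            # lambda s. top_1

    def leq(self, f, g):
        return all(self.l1.leq(a, b) for a, b in zip(f, g))

    def lub(self, subset):                                    # lambda s. lub_1 {f(s) | f in V'}
        subset = list(subset)
        return tuple(self.l1.lub([f[i] for f in subset]) for i in range(len(self.keys)))

    def glb(self, subset):                                    # lambda s. glb_1 {f(s) | f in V'}
        subset = list(subset)
        return tuple(self.l1.glb([f[i] for f in subset]) for i in range(len(self.keys)))


def is_complete_lattice(lat):
    """Exhaustively verify the Section 3.1 definitions: for every subset V' of the carrier,
    lat.lub(V') is an upper bound below every other upper bound, lat.glb(V') is a lower
    bound above every other lower bound, and bot = lub({}) and top = glb({})."""
    els = lat.elements
    for sub in powerset(els):
        j, m = lat.lub(sub), lat.glb(sub)
        if not all(lat.leq(x, j) and lat.leq(m, x) for x in sub):
            return False
        upper = [u for u in els if all(lat.leq(x, u) for x in sub)]
        lower = [l for l in els if all(lat.leq(l, x) for x in sub)]
        if not (all(lat.leq(j, u) for u in upper) and all(lat.leq(l, m) for l in lower)):
            return False
    return lat.lub([]) == lat.bot and lat.glb([]) == lat.top


if __name__ == "__main__":
    print("lifted:", is_complete_lattice(PowersetLattice("abc")))
    print("product:", is_complete_lattice(ProductLattice(PowersetLattice("ab"), PowersetLattice("c"))))
    print("functions:", is_complete_lattice(TotalFunctionLattice("xyz", PowersetLattice("a"))))
```

The check enumerates all subsets of the carrier, so it is only practical for carriers of a handful of elements, which is enough to see that the component-wise and pointwise definitions really do inherit the lattice laws from their building blocks.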

## 3.3 Galois Connections & Galois Insertions

The concrete semantics of a programming language can be abstracted in many different ways. The choice of abstraction is done by defining an abstract domain. A domain is, in general, a complete lattice, and an abstract domain is essentially the set of all possible abstract states that fit the definition of the domain. It is often shown that the abstract domain is a safe over-approximation of the concrete domain by deriving a Galois connection between the two domains [62]. A Galois connection between two domains (i.e., complete lattices), \( V \) and \( D \), is described by an abstraction function, \( \alpha \), and a concretization function, \( \gamma \), which must fulfill the criterion in Definition 3.9.

**Definition 3.9 (Galois connection):**

\( \langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle \) is a Galois connection iff \( \alpha \) and \( \gamma \) are monotone functions that fulfill

\[
\begin{cases}
\alpha \circ \gamma \sqsubseteq_D \lambda d.\ d \\
\gamma \circ \alpha \sqsupseteq_V \lambda v.\ v
\end{cases}
\]

for all \( v \in V \) and \( d \in D \), where \( V \) is the concrete domain and \( D \) is the abstract domain.

An often useful special case of a Galois connection is called a Galois insertion; c.f., Definition 3.10.
**Definition 3.10 (Galois insertion):**

\(\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle\) is a Galois insertion iff \(\alpha\) and \(\gamma\) are monotone functions that fulfill

\[
\begin{cases}
\alpha \circ \gamma = \lambda d.\ d \\
\gamma \circ \alpha \sqsupseteq_V \lambda v.\ v
\end{cases}
\]

for all \(v \in V\) and \(d \in D\), where \(V\) is the concrete domain and \(D\) is the abstract domain.

A function in the concrete domain, \(f : V \rightarrow V\), can be safely approximated by a function in the abstract domain, \(\tilde{f} : D \rightarrow D\), iff \(\forall d \in D : \gamma(\tilde{f}(d)) \sqsupseteq_V f(\gamma(d))\), i.e., the concretization of the abstract result covers every concrete result. The best approximation is achieved by inducing \(f\) along \(\alpha\) [62]; c.f., Definition 3.11.

Definition 3.11 (Induced function): Assuming that \(\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle\) is a Galois connection, the best approximation, \(\tilde{f}\), of \(f : V \rightarrow V\) in \(D \rightarrow D\) is given by:
\[
\tilde{f} = \alpha \circ f \circ \gamma
\]

Sometimes, it is more convenient to work with adjunctions (c.f., Definition 3.12) instead of Galois connections.

**Definition 3.12 (Adjunction):** \(\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle\) is said to be an adjunction between the complete lattices \(V = \langle V, \sqsubseteq_V, \sqcup_V, \sqcap_V, \bot_V, \top_V \rangle\) and \(D = \langle D, \sqsubseteq_D, \sqcup_D, \sqcap_D, \bot_D, \top_D \rangle\) iff \(\alpha\) and \(\gamma\) are total functions that satisfy
\[
\alpha(v) \sqsubseteq_D d \iff v \sqsubseteq_V \gamma(d)
\]
for all \(v \in V\) and \(d \in D\).

In fact, adjunctions are Galois connections (Theorem 3.13).

Theorem 3.13 (Adjunctions and Galois connections): \(\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle\) is an adjunction iff it is a Galois connection.

**Proof (c.f., [62]).** First assume that \(\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle\) is an adjunction. It will be proven that it also is a Galois connection by showing that \(\gamma \circ \alpha \sqsupseteq_V \lambda v.\ v\) and \(\alpha \circ \gamma \sqsubseteq_D \lambda d.\ d\). For any \(v \in V\), trivially \(\alpha(v) \sqsubseteq_D \alpha(v)\). Using that \(\alpha(v) \sqsubseteq_D d \Rightarrow v \sqsubseteq_V \gamma(d)\) (with \(d = \alpha(v)\)), it can be established that \(v \sqsubseteq_V \gamma(\alpha(v))\) for all \(v \in V\). Similarly, for any \(d \in D\), trivially \(\gamma(d) \sqsubseteq_V \gamma(d)\). Using that \(v \sqsubseteq_V \gamma(d) \Rightarrow \alpha(v) \sqsubseteq_D d\) (with \(v = \gamma(d)\)), it can be established that \(\alpha(\gamma(d)) \sqsubseteq_D d\). Thus, \(\langle \alpha : V \to D, \gamma : D \to V \rangle\) is a Galois connection.

Next assume that \(\langle \alpha : V \to D, \gamma : D \to V \rangle\) is a Galois connection. It will be proven that it also is an adjunction by showing that \(\alpha(v) \sqsubseteq_D d \Rightarrow v \sqsubseteq_V \gamma(d)\) and \(v \sqsubseteq_V \gamma(d) \Rightarrow \alpha(v) \sqsubseteq_D d\). So, first assume that \(\alpha(v) \sqsubseteq_D d\). Then, since \(\gamma\) is monotone, \(\gamma(\alpha(v)) \sqsubseteq_V \gamma(d)\). Using that \(\gamma \circ \alpha \sqsupseteq_V \lambda v.\ v\), it can be established that \(v \sqsubseteq_V \gamma(\alpha(v)) \sqsubseteq_V \gamma(d)\) as required. For the second part of the proof, assume that \(v \sqsubseteq_V \gamma(d)\). Then, since \(\alpha\) is monotone, \(\alpha(v) \sqsubseteq_D \alpha(\gamma(d))\). Using that \(\alpha \circ \gamma \sqsubseteq_D \lambda d.\ d\), it can be established that \(\alpha(v) \sqsubseteq_D \alpha(\gamma(d)) \sqsubseteq_D d\) as required. \(\blacksquare\)

The abstraction and concretization functions are strictly related as described by Lemma 3.14.

**Lemma 3.14 (Relation between $\alpha$ and $\gamma$):**

If $V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle$ and $\bar{V} = \langle \bar{V}, \bar{\sqsubseteq}, \bar{\sqcup}, \bar{\sqcap}, \bar{\bot}, \bar{\top} \rangle$ are complete lattices, and $\langle \alpha : V \to \bar{V}, \gamma : \bar{V} \to V \rangle$ is a Galois connection between these lattices, then (let $v \in V$ and $\bar{v} \in \bar{V}$):

1. $\alpha$ uniquely determines $\gamma$ by $\gamma(\bar{v}) = \bigsqcup \{v \mid \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v}\}$ and $\gamma$ uniquely determines $\alpha$ by $\alpha(v) = \overline{\bigsqcap} \{\bar{v} \mid v \sqsubseteq \gamma(\bar{v})\}$.

2. $\alpha$ is completely additive and $\gamma$ is completely multiplicative.

In particular, $\alpha(\bot) = \bar{\bot}$ and $\gamma(\bar{\top}) = \top$. $\square$

**Proof (c.f., [62]).** Assume that $V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle$ and $\bar{V} = \langle \bar{V}, \bar{\sqsubseteq}, \bar{\sqcup}, \bar{\sqcap}, \bar{\bot}, \bar{\top} \rangle$ are complete lattices, $\langle \alpha : V \to \bar{V}, \gamma : \bar{V} \to V \rangle$ is a Galois connection between these lattices, $v \in V$ and $\bar{v} \in \bar{V}$.

To show 1, it will first be shown that $\gamma$ is determined by $\alpha$. Since $\langle \alpha : V \to \bar{V}, \gamma : \bar{V} \to V \rangle$ is an adjunction (Theorem 3.13), it must be that $\gamma(\bar{v}) = \bigsqcup\{v \mid v \sqsubseteq \gamma(\bar{v})\} = \bigsqcup\{v \mid \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v}\}$. Assume that both $\langle \alpha, \gamma_1 \rangle$ and $\langle \alpha, \gamma_2 \rangle$ are Galois connections; then $\gamma_1(\bar{v}) = \bigsqcup\{v \mid v \sqsubseteq \gamma_1(\bar{v})\} = \bigsqcup\{v \mid \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v}\} = \bigsqcup\{v \mid v \sqsubseteq \gamma_2(\bar{v})\} = \gamma_2(\bar{v})$, and thus, $\gamma_1 = \gamma_2$. This shows that $\alpha$ uniquely determines $\gamma$. Similarly, it must be that $\alpha(v) = \overline{\bigsqcap}\{\bar{v} \mid \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v}\} = \overline{\bigsqcap}\{\bar{v} \mid v \sqsubseteq \gamma(\bar{v})\}$, so if both $\langle \alpha_1, \gamma \rangle$ and $\langle \alpha_2, \gamma \rangle$ are Galois connections, then $\alpha_1(v) = \overline{\bigsqcap}\{\bar{v} \mid v \sqsubseteq \gamma(\bar{v})\} = \alpha_2(v)$. This shows that $\gamma$ uniquely determines $\alpha$.

To show 2, consider $V' \subseteq V$; then

$$
\begin{align*}
\alpha(\bigsqcup V') \mathrel{\bar{\sqsubseteq}} \bar{v}
&\overset{\text{Th. 3.13}}{\iff} \bigsqcup V' \sqsubseteq \gamma(\bar{v}) \\
&\overset{\text{calc.}}{\iff} \forall v \in V' : v \sqsubseteq \gamma(\bar{v}) \\
&\overset{\text{Th. 3.13}}{\iff} \forall v \in V' : \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v} \\
&\overset{\text{calc.}}{\iff} \overline{\bigsqcup}\{\alpha(v) \mid v \in V'\} \mathrel{\bar{\sqsubseteq}} \bar{v}
\end{align*}
$$

and, since this holds for every $\bar{v} \in \bar{V}$, it follows that $\alpha(\bigsqcup V') = \overline{\bigsqcup}\{\alpha(v) \mid v \in V'\}$.

The proof that $\gamma(\overline{\bigsqcap} \bar{V}') = \bigsqcap\{\gamma(\bar{v}) \mid \bar{v} \in \bar{V}'\}$ for $\bar{V}' \subseteq \bar{V}$ is analogous. $\blacksquare$

Thus, by Lemma 3.15, it suffices to specify either a completely additive abstraction function or a completely multiplicative concretization function in order to obtain a Galois connection.

**Lemma 3.15 (Galois connection – Existence):**

If \( V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle \) and \( \bar{V} = \langle \bar{V}, \bar{\sqsubseteq}, \bar{\sqcup}, \bar{\sqcap}, \bar{\bot}, \bar{\top} \rangle \) are complete lattices, and

1. \( \alpha : V \rightarrow \bar{V} \) is completely additive, then there exists a \( \gamma : \bar{V} \rightarrow V \) such that \( \langle \alpha, \gamma \rangle \) is a Galois connection.
2. \( \gamma : \bar{V} \rightarrow V \) is completely multiplicative, then there exists an \( \alpha : V \rightarrow \bar{V} \) such that \( \langle \alpha, \gamma \rangle \) is a Galois connection.

**Proof (c.f., [62]).** Assume that \( V = \langle V, \sqsubseteq, \sqcup, \sqcap, \bot, \top \rangle \) and \( \bar{V} = \langle \bar{V}, \bar{\sqsubseteq}, \bar{\sqcup}, \bar{\sqcap}, \bar{\bot}, \bar{\top} \rangle \) are complete lattices, \( v \in V \) and \( \bar{v} \in \bar{V} \).

To show 1, assume that \( \alpha \) is completely additive and define \( \gamma \) by:

\[
\gamma(\bar{v}) = \bigsqcup \{ v' \mid \alpha(v') \mathrel{\bar{\sqsubseteq}} \bar{v} \}
\]

Then it must be that \( \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v} \Rightarrow v \in \{ v' \mid \alpha(v') \mathrel{\bar{\sqsubseteq}} \bar{v} \} \Rightarrow v \sqsubseteq \gamma(\bar{v}) \), where the last implication follows from the definition of \( \gamma \). For the other direction, first observe that \( v \sqsubseteq \gamma(\bar{v}) \Rightarrow \alpha(v) \mathrel{\bar{\sqsubseteq}} \alpha(\gamma(\bar{v})) \) since \( \alpha \) is completely additive and thus monotone. Then,

\[
\alpha(\gamma(\bar{v})) = \alpha(\bigsqcup \{ v' \mid \alpha(v') \mathrel{\bar{\sqsubseteq}} \bar{v} \}) = \overline{\bigsqcup} \{ \alpha(v') \mid \alpha(v') \mathrel{\bar{\sqsubseteq}} \bar{v} \} \mathrel{\bar{\sqsubseteq}} \bar{v}
\]

and so \( v \sqsubseteq \gamma(\bar{v}) \Rightarrow \alpha(v) \mathrel{\bar{\sqsubseteq}} \bar{v} \). Thus, \( \langle \alpha, \gamma \rangle \) is a Galois connection (Theorem 3.13).

The proof of 2 is similar. ■
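The following Python example is added here and is not from the thesis. It builds the concrete domain P({0, ..., 7}) and a constructed four-element parity lattice, defines α as the join of singleton abstractions so that it is completely additive, derives γ from α with the formula of Lemma 3.14 (1), and then checks by exhaustive enumeration the adjunction condition of Definition 3.12 / Theorem 3.13, the Galois connection and Galois insertion conditions of Definitions 3.9 and 3.10, and complete multiplicativity of γ (Lemma 3.14 (2)). It also tabulates the induced best transformer of Definition 3.11 for two constructed concrete transformers and checks the safe-approximation condition stated above Definition 3.11. All identifiers (`alpha`, `gamma`, `induce`, `is_safe`, `succ`, `double`) and the parity domain itself are this example's own choices.

```python
"""Brute-force check of a constructed Galois connection between the concrete domain
P({0,...,7}) and a four-element parity lattice (Definitions 3.9-3.12, Theorems 3.13-3.15)."""
from itertools import combinations

VALUES = range(8)                                  # concrete values; the concrete domain is P(VALUES)
BOT, EVEN, ODD, TOP = "bot", "even", "odd", "top"  # abstract domain D, ordered BOT < EVEN, ODD < TOP
D = [BOT, EVEN, ODD, TOP]


def leq_d(d1, d2):
    """Partial order on D."""
    return d1 == BOT or d2 == TOP or d1 == d2


def lub_d(ds):
    """Least upper bound in D; the join of the empty set is BOT."""
    ds = set(ds) - {BOT}
    if not ds:
        return BOT
    return ds.pop() if len(ds) == 1 else TOP


def glb_d(ds):
    """Greatest lower bound in D; the meet of the empty set is TOP."""
    ds = set(ds) - {TOP}
    if not ds:
        return TOP
    return ds.pop() if len(ds) == 1 else BOT


def powerset(s):
    s = list(s)
    return [froz for r in range(len(s) + 1) for froz in (frozenset(c) for c in combinations(s, r))]


SUBSETS = powerset(VALUES)                         # all 256 elements of the concrete domain


def alpha(vs):
    """Abstraction: the join of the parity of every member. Being a join of singleton
    abstractions makes alpha completely additive (Lemma 3.15, case 1)."""
    return lub_d(EVEN if v % 2 == 0 else ODD for v in vs)


ALPHA = {vs: alpha(vs) for vs in SUBSETS}
# Concretisation derived from alpha as in Lemma 3.14 (1): gamma(d) = lub { V' | alpha(V') <= d }.
GAMMA = {d: frozenset().union(*(vs for vs in SUBSETS if leq_d(ALPHA[vs], d))) for d in D}


def gamma(d):
    return GAMMA[d]


def is_adjunction():
    """Definition 3.12 / Theorem 3.13: alpha(v) <=_D d  iff  v <=_V gamma(d), for all v, d."""
    return all(leq_d(ALPHA[vs], d) == (vs <= GAMMA[d]) for vs in SUBSETS for d in D)


def is_galois_connection():
    """Definition 3.9 checked directly: both maps monotone, alpha∘gamma below the identity
    on D and gamma∘alpha above the identity on P(VALUES)."""
    mono_alpha = all(leq_d(ALPHA[a], ALPHA[b]) for a in SUBSETS for b in SUBSETS if a <= b)
    mono_gamma = all(GAMMA[d1] <= GAMMA[d2] for d1 in D for d2 in D if leq_d(d1, d2))
    reductive = all(leq_d(alpha(gamma(d)), d) for d in D)
    extensive = all(vs <= gamma(ALPHA[vs]) for vs in SUBSETS)
    return mono_alpha and mono_gamma and reductive and extensive


def is_galois_insertion():
    """Definition 3.10: alpha∘gamma is exactly the identity on D."""
    return all(alpha(gamma(d)) == d for d in D)


def gamma_is_completely_multiplicative():
    """Lemma 3.14 (2): gamma(glb D') equals the intersection of gamma over D', for every D' ⊆ D."""
    universe = frozenset(VALUES)
    return all(gamma(glb_d(ds)) == universe.intersection(*(gamma(d) for d in ds)) for ds in powerset(D))


def induce(f):
    """Definition 3.11: the best abstract transformer alpha ∘ f ∘ gamma of a concrete
    set transformer f, tabulated as a dict d -> f~(d)."""
    return {d: alpha(f(gamma(d))) for d in D}


def is_safe(f, f_abs):
    """f_abs safely approximates f iff f(gamma(d)) is contained in gamma(f_abs(d)) for every d."""
    return all(f(gamma(d)) <= gamma(f_abs[d]) for d in D)


def succ(vs):
    """Constructed concrete transformer: increment every value modulo 8 (flips parity)."""
    return frozenset((v + 1) % 8 for v in vs)


def double(vs):
    """Constructed concrete transformer: double every value modulo 8 (result is always even)."""
    return frozenset((2 * v) % 8 for v in vs)


if __name__ == "__main__":
    print("adjunction:", is_adjunction(), "insertion:", is_galois_insertion())
    print("succ#   =", induce(succ))
    print("double# =", induce(double))
```

The induced transformer for `double` maps both `EVEN` and `ODD` to `EVEN`, which is exactly the information loss the abstraction buys its efficiency with, while `is_safe` confirms that the loss is on the safe (over-approximating) side for both transformers.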

## 3.4 Constructing Galois Connections

A Galois connection can be constructed in several ways. The following theorems (except Theorem 3.21) specify some of them.

The Cartesian product can be used to combine two existing Galois connections (Theorem 3.16).

**Theorem 3.16 (Galois connection – Independent attribute method):**
If \( \langle \alpha_1 : V_1 \rightarrow D_1, \gamma_1 : D_1 \rightarrow V_1 \rangle \) and \( \langle \alpha_2 : V_2 \rightarrow D_2, \gamma_2 : D_2 \rightarrow V_2 \rangle \) are Galois connections, then so is \( \langle \alpha : (V_1 \times V_2) \rightarrow (D_1 \times D_2), \gamma : (D_1 \times D_2) \rightarrow (V_1 \times V_2) \rangle \), where
\[
\begin{align*}
\alpha((v_1, v_2)) &= (\alpha_1(v_1), \alpha_2(v_2)) \\
\gamma((d_1, d_2)) &= (\gamma_1(d_1), \gamma_2(d_2))
\end{align*}
\]
and \((v_1, v_2) \in V_1 \times V_2 \) and \((d_1, d_2) \in D_1 \times D_2 \).

**Proof.** Assume that \( \langle \alpha_1 : V_1 \rightarrow D_1, \gamma_1 : D_1 \rightarrow V_1 \rangle \) and \( \langle \alpha_2 : V_2 \rightarrow D_2, \gamma_2 : D_2 \rightarrow V_2 \rangle \) are Galois connections, \((v_1, v_2) \in V_1 \times V_2 \) and \((d_1, d_2) \in D_1 \times D_2 \). Note that \( V_1 \times V_2 \) and \( D_1 \times D_2 \) are complete lattices (Theorem 3.6).

First calculate the following.
\[
\begin{align*}
\alpha((v_1, v_2)) \sqsubseteq_D (d_1, d_2)
&\overset{\text{Def. } \alpha}{\iff} (\alpha_1(v_1), \alpha_2(v_2)) \sqsubseteq_D (d_1, d_2) \\
&\overset{\text{calc.}}{\iff} \alpha_1(v_1) \sqsubseteq_{D_1} d_1 \land \alpha_2(v_2) \sqsubseteq_{D_2} d_2 \\
&\overset{\text{Th. 3.13}}{\iff} v_1 \sqsubseteq_{V_1} \gamma_1(d_1) \land v_2 \sqsubseteq_{V_2} \gamma_2(d_2) \\
&\overset{\text{calc.}}{\iff} (v_1, v_2) \sqsubseteq_V (\gamma_1(d_1), \gamma_2(d_2)) \\
&\overset{\text{Def. } \gamma}{\iff} (v_1, v_2) \sqsubseteq_V \gamma((d_1, d_2))
\end{align*}
\]

Then, using Theorem 3.13, the result follows.

The Cartesian product can also be used on lifted sets (Theorem 3.17).

**Theorem 3.17 (Galois connection – Lifted independent attribute method):**
If \( \langle \alpha_1 : \mathcal{P}(V_1) \rightarrow D_1, \gamma_1 : D_1 \rightarrow \mathcal{P}(V_1) \rangle \) and \( \langle \alpha_2 : \mathcal{P}(V_2) \rightarrow D_2, \gamma_2 : D_2 \rightarrow \mathcal{P}(V_2) \rangle \) are Galois connections, then so is \( \langle \alpha : \mathcal{P}(V_1 \times V_2) \rightarrow (D_1 \times D_2), \gamma : (D_1 \times D_2) \rightarrow \mathcal{P}(V_1 \times V_2) \rangle \), where
\[
\begin{align*}
\alpha(V) &= \Big( \alpha_1(\{ v_1 \in V_1 \mid \exists v_2 \in V_2 : (v_1, v_2) \in V \}),\ \alpha_2(\{ v_2 \in V_2 \mid \exists v_1 \in V_1 : (v_1, v_2) \in V \}) \Big) \\
\gamma((d_1, d_2)) &= \gamma_1(d_1) \times \gamma_2(d_2)
\end{align*}
\]
and \( V \subseteq V_1 \times V_2 \) and \((d_1, d_2) \in D_1 \times D_2 \).

**Proof.** Assume that \( \langle \alpha_1 : \mathcal{P}(V_1) \rightarrow D_1, \gamma_1 : D_1 \rightarrow \mathcal{P}(V_1) \rangle \) and \( \langle \alpha_2 : \mathcal{P}(V_2) \rightarrow D_2, \gamma_2 : D_2 \rightarrow \mathcal{P}(V_2) \rangle \) are Galois connections, \( V \subseteq V_1 \times V_2 \) and \((d_1, d_2) \in D_1 \times D_2 \). Note that \( \mathcal{P}(V_1 \times V_2) \) and \( D_1 \times D_2 \) are complete lattices (Theorems 3.5 and 3.6).

First, calculate

\[
\begin{align*}
\alpha(V) \sqsubseteq (d_1, d_2)
&\overset{\text{Def. } \alpha}{\iff} (\alpha_1(V'_1), \alpha_2(V'_2)) \sqsubseteq (d_1, d_2) \\
&\overset{\text{calc.}}{\iff} \alpha_1(V'_1) \sqsubseteq_1 d_1 \land \alpha_2(V'_2) \sqsubseteq_2 d_2 \\
&\overset{\text{Th. 3.13}}{\iff} V'_1 \subseteq \gamma_1(d_1) \land V'_2 \subseteq \gamma_2(d_2) \\
&\overset{\text{calc.}}{\iff} V'_1 \times V'_2 \subseteq \gamma_1(d_1) \times \gamma_2(d_2) \\
&\overset{\text{Def. } \gamma}{\iff} V \subseteq \gamma((d_1, d_2))
\end{align*}
\]

where \( V'_1 = \{ v_1 \in V_1 \mid \exists v_2 \in V_2 : (v_1, v_2) \in V \} \) and \( V'_2 = \{ v_2 \in V_2 \mid \exists v_1 \in V_1 : (v_1, v_2) \in V \} \) are the two projections of \( V \) (so \( V \subseteq V'_1 \times V'_2 \), and \( V \) is contained in a product set exactly when each projection is contained in the corresponding factor). Then, using Theorem 3.13, the result follows.

Both the concrete and abstract domains of an existing Galois connection can be lifted to derive a new Galois connection (Theorem 3.20). Note that Lemmas 3.18 and 3.19 give that the specified abstraction and concretization functions are monotone.

**Lemma 3.18 (Monotonicity of \( \alpha_{\mathcal{P}} \)):**

The function \( \alpha_{\mathcal{P}} : \mathcal{P}(V) \to \mathcal{P}(D) \), defined as

\[ \alpha_{\mathcal{P}}(V') = \{ \alpha(v) \mid v \in V' \} \]

where \( V' \subseteq V \), \( \alpha \) is monotone and \( \alpha : V \to D \), is monotone.

**Proof.** This proof amounts to showing that \( \forall V', V'' : (V' \subseteq V'' \Rightarrow \alpha_{\mathcal{P}}(V') \subseteq \alpha_{\mathcal{P}}(V'')) \).

Assume that \( V', V'' \in \mathcal{P}(V) \) and that \( V' \subseteq V'' \). Then, by definition:

\[
\begin{align*}
\alpha_{\mathcal{P}}(V'') &\overset{\text{Def. } \alpha_{\mathcal{P}}}{=} \{ \alpha(v) \mid v \in V'' \} \\
&\overset{\text{calc.}}{=} \{ \alpha(v) \mid v \in V' \cup (V'' \setminus V') \} \\
&\overset{\text{calc.}}{=} \{ \alpha(v) \mid v \in V' \} \cup \{ \alpha(v) \mid v \in V'' \setminus V' \} \\
&\overset{\text{calc.}}{\supseteq} \{ \alpha(v) \mid v \in V' \} \\
&\overset{\text{Def. } \alpha_{\mathcal{P}}}{=} \alpha_{\mathcal{P}}(V')
\end{align*}
\]

where the rewriting of \( V'' \) and the set splitting are possible since \( V' \subseteq V'' \) and \( \alpha \) is monotone.

Thus, it has been shown that \( \alpha_{\mathcal{P}} \) is monotone.

\[ \Box \]
**Lemma 3.19 (Monotonicity of \( \gamma_{\mathcal{P}} \)):**

The function \( \gamma_{\mathcal{P}} : \mathcal{P}(D) \to \mathcal{P}(V) \), defined as

\[ \gamma_{\mathcal{P}}(D') = \{ v \in V \mid \alpha(v) \in D' \} \]

where \( D' \subseteq D \), \( \alpha : V \to D \) is monotone and \( \gamma : D \to V \), is monotone. \( \square \)

**Proof.** This proof amounts to showing that \( \forall D', D'' \in \mathcal{P}(D) : (D' \subseteq D'' \Rightarrow \gamma_{\mathcal{P}}(D') \subseteq \gamma_{\mathcal{P}}(D'')) \).

Assume that \( D', D'' \in \mathcal{P}(D) \) and that \( D' \subseteq D'' \). Then, by definition:

\[
\begin{align*}
\gamma_{\mathcal{P}}(D'') &\overset{\text{Def. } \gamma_{\mathcal{P}}}{=} \{ v \in V \mid \alpha(v) \in D'' \} \\
&\overset{\text{calc.}}{=} \{ v \in V \mid \alpha(v) \in D' \cup (D'' \setminus D') \} \\
&\overset{\text{calc.}}{=} \{ v \in V \mid \alpha(v) \in D' \} \cup \{ v \in V \mid \alpha(v) \in D'' \setminus D' \} \\
&\overset{\text{calc.}}{\supseteq} \{ v \in V \mid \alpha(v) \in D' \} \\
&\overset{\text{Def. } \gamma_{\mathcal{P}}}{=} \gamma_{\mathcal{P}}(D')
\end{align*}
\]

where the rewriting of \( D'' \) and the set splitting are possible since \( D' \subseteq D'' \) and \( \alpha \) is monotone.

Thus, \( \gamma_{\mathcal{P}}(D') \subseteq \gamma_{\mathcal{P}}(D'') \), and hence it has been shown that \( \gamma_{\mathcal{P}} \) is monotone. \( \square \)

**Theorem 3.20 (Galois connection – Double lifting):**

If $\langle \alpha : V \to D, \gamma : D \to V \rangle$ is a Galois connection, then so is $\langle \alpha_{\mathcal{P}} : \mathcal{P}(V) \to \mathcal{P}(D), \gamma_{\mathcal{P}} : \mathcal{P}(D) \to \mathcal{P}(V) \rangle$, where

\[
\begin{align*}
\alpha_{\mathcal{P}}(V') &= \{ \alpha(v) \mid v \in V' \} \\
\gamma_{\mathcal{P}}(D') &= \{ v \in V \mid \alpha(v) \in D' \}
\end{align*}
\]

and $V' \subseteq V$ and $D' \subseteq D$. $\square$

**Proof.** Assume that $\langle \alpha : V \to D, \gamma : D \to V \rangle$ is a Galois connection. Note that $\mathcal{P}(V)$ and $\mathcal{P}(D)$ are complete lattices (Theorem 3.5).

Since $\alpha_{\mathcal{P}}$ and $\gamma_{\mathcal{P}}$ are monotone (Lemmas 3.18 and 3.19, respectively), this proof amounts to showing that (c.f., Definition 3.9)

1. $\gamma_{\mathcal{P}}(\alpha_{\mathcal{P}}(V')) \supseteq V'$
2. $\alpha_{\mathcal{P}}(\gamma_{\mathcal{P}}(D')) \subseteq D'$

where $V' \subseteq V$ and $D' \subseteq D$. Note that both cases trivially hold if $V' = \emptyset$ or $D' = \emptyset$, which corresponds to the bottom elements in the two lattices. Therefore, assume that $V' \neq \emptyset$ and $D' \neq \emptyset$.

For case 1, assume that $V' \subseteq V$. Then, by definition:

$$\gamma_{\mathcal{P}}(\alpha_{\mathcal{P}}(V')) = \{v \in V \mid \alpha(v) \in \{\alpha(v') \mid v' \in V'\}\}$$

Assume that $v'' \in V'$, then it must be that $\alpha(v'') \in \{\alpha(v') \mid v' \in V'\}$. But, then $v'' \in \gamma_{\mathcal{P}}(\alpha_{\mathcal{P}}(V'))$ and thus $\gamma_{\mathcal{P}}(\alpha_{\mathcal{P}}(V')) \supseteq V'$.

For case 2, assume that $D' \subseteq D$. Then, by definition:

$$\alpha_{\mathcal{P}}(\gamma_{\mathcal{P}}(D')) = \{\alpha(v) \mid v \in \{v' \in V \mid \alpha(v') \in D'\}\}$$

Assume that $d \in \alpha_{\mathcal{P}}(\gamma_{\mathcal{P}}(D'))$. Then it must be that $\exists v \in \{v' \in V \mid \alpha(v') \in D'\} : d = \alpha(v)$. Hence, for that $v$, it must be that $\alpha(v) \in D'$, and therefore, $d \in D'$. Thus, $\alpha_{\mathcal{P}}(\gamma_{\mathcal{P}}(D')) \subseteq D'$. $\blacksquare$

It might be tempting to use the definition of $\alpha_p$ and $\gamma_p$ as given in Theorem 3.21, but as the theorem shows, this does not result in a Galois connection.

**Theorem 3.21 (Not a Galois connection – Double lifting):**

If $\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle$ is a Galois connection, then $\langle \alpha_p : \mathcal{P}(V) \rightarrow \mathcal{P}(D), \gamma_p : \mathcal{P}(D) \rightarrow \mathcal{P}(V) \rangle$ is not a Galois connection, where

\[
\begin{align*}
\alpha_p(V') &= \{\alpha(v) \mid v \in V'\} \\
\gamma_p(D') &= \{\gamma(d) \mid d \in D'\}
\end{align*}
\]

and $V' \subseteq V$ and $D' \subseteq D$. \hfill $\Box$

**Proof.** Assume that $\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle$ is a Galois connection. From the definition of $\alpha_p$ and $\gamma_p$, it clearly follows that they are monotone since $\alpha$ and $\gamma$ are (c.f., Lemma 3.18).

By way of contradiction, assume that $\langle \alpha_p, \gamma_p \rangle$ is a Galois connection. Then, by Definition 3.9, $\gamma_p(\alpha_p(V')) \supseteq V'$. A closer look at $\gamma_p(\alpha_p(V'))$ reveals that:

$$\gamma_p(\alpha_p(V')) = \{\gamma(d) \mid d \in \{\alpha(v) \mid v \in V'\}\}$$

Assume that $v' \in V'$. Then $v' \in \gamma_p(\alpha_p(V'))$, since $\gamma_p(\alpha_p(V')) \supseteq V'$. This means that $\exists d' \in \{\alpha(v) \mid v \in V'\} : d' = \alpha(v')$ and hence, for this $d'$, $\exists v'' \in \{\gamma(d) \mid d \in \{\alpha(v) \mid v \in V'\}\} : v'' = \gamma(d') = \gamma(\alpha(v'))$.

But, since $\langle \alpha, \gamma \rangle$ is a Galois connection, all that is known is that $\gamma(\alpha(v')) \sqsupseteq v'$. It could thus be the case that $\gamma(\alpha(v')) \sqsupset v'$ (strictly), and hence $v' \neq v''$, which means that $\gamma_p(\alpha_p(V')) \not\supseteq V'$ is possible. Thus, $\langle \alpha_p, \gamma_p \rangle$ is not, in general, a Galois connection. $\blacksquare$

The domains of a Galois connection can be extended to spaces of (total or monotone) functions (Theorem 3.22).

**Theorem 3.22 (Galois connection – Function space):**

If $\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle$ is a Galois connection, then so is $\langle \alpha' : (S \rightarrow V) \rightarrow (S \rightarrow D), \gamma' : (S \rightarrow D) \rightarrow (S \rightarrow V) \rangle$ for some set $S$, where $f \in S \rightarrow V$, $g \in S \rightarrow D$ and:

\[
\begin{align*}
\alpha'(f) &= \alpha \circ f \\
\gamma'(g) &= \gamma \circ g
\end{align*}
\]

**Proof (c.f., [62]).** Assume that $\langle \alpha : V \rightarrow D, \gamma : D \rightarrow V \rangle$ is a Galois connection and that $S$ is a set. Note that $S \rightarrow V$ and $S \rightarrow D$ are complete lattices (Theorems 3.7 and 3.8).

First note that $\alpha'$ and $\gamma'$ are monotone since $\alpha$ and $\gamma$ are (the orderings on $S \rightarrow V$ and $S \rightarrow D$ being pointwise). Furthermore, since $\langle \alpha, \gamma \rangle$ is a Galois connection,

\[
\gamma'(\alpha'(f)) = \gamma \circ \alpha \circ f \sqsupseteq f
\]

and

\[
\alpha'(\gamma'(g)) = \alpha \circ \gamma \circ g \sqsubseteq g
\]

and, thus, the theorem holds. $\blacksquare$

A lifted concrete domain of a Galois connection can be extended to a lifted space of (total or monotone) functions when also extending the abstract domain (Theorem 3.24). Note that Lemma 3.23 gives that the concretization function is monotone.

**Lemma 3.23 (Monotonicity of \(\gamma_s\)):**

The function \(\gamma_s: (S \rightarrow D) \rightarrow \mathcal{P}(S \rightarrow V)\), defined as

\[
\gamma_s(d) = \begin{cases} 
S \rightarrow V & \text{if } d = \top \\
\emptyset & \text{if } d = \bot \\
\{ \lambda s \in S. v \mid v \in \gamma(d s) \} & \text{otherwise}
\end{cases}
\]

for some set \(S\) and complete lattices \(V\) and \(D\), is monotone, given that \(\gamma: D \rightarrow \mathcal{P}(V)\) is a monotone function and \(d \in S \rightarrow D\).

**Proof.** This proof amounts to showing that $\forall d', d'' \in S \rightarrow D : (d' \sqsubseteq d'' \Rightarrow \gamma_s(d') \subseteq \gamma_s(d''))$, which is trivially the case if $d' = \bot$ or $d'' = \top$.

Assume that $\gamma : D \to \mathcal{P}(V)$ is a monotone function, $d', d'' \in S \to D$ and that $d' \sqsubseteq d'' \land d' \neq \bot \land d'' \neq \top$. Then, by definition:

$$\begin{cases}
\gamma_s(d') = \{\lambda s \in S.\,v \mid v \in \gamma(d'\,s)\} \\
\gamma_s(d'') = \{\lambda s \in S.\,v \mid v \in \gamma(d''\,s)\}
\end{cases}$$

Since $\gamma$ is monotone and $d' \sqsubseteq d''$ means that $\forall s \in S : d'\,s \sqsubseteq d''\,s$, it must be that $\forall s \in S : \gamma(d'\,s) \subseteq \gamma(d''\,s)$. This means that

$$\begin{align*}
\gamma_s(d'') &= \{\lambda s \in S.\,v \mid v \in \gamma(d'\,s) \cup (\gamma(d''\,s) \setminus \gamma(d'\,s))\} \\
&\supseteq \{\lambda s \in S.\,v \mid v \in \gamma(d'\,s)\} \cup \{\lambda s \in S.\,v \mid v \in (\gamma(d''\,s) \setminus \gamma(d'\,s))\} \\
&= \gamma_s(d') \cup \{\lambda s \in S.\,v \mid v \in (\gamma(d''\,s) \setminus \gamma(d'\,s))\}
\end{align*}$$

and thus, $\gamma_s(d') \subseteq \gamma_s(d'')$. $\blacksquare$

**Theorem 3.24 (Galois connection – Lifted function space):**

If $\langle \alpha : \mathcal{P}(V) \to D, \gamma : D \to \mathcal{P}(V) \rangle$ is a Galois connection, then so is $\langle \alpha_s : \mathcal{P}(S \to V) \to (S \to D), \gamma_s : (S \to D) \to \mathcal{P}(S \to V) \rangle$, for some set $S$, where

$$\alpha_s(V') = \begin{cases}
\top & \text{if } V' = S \to V \\
\bot & \text{if } V' = \emptyset \\
\lambda s \in S.\,\alpha(\{v'\,s \mid v' \in V'\}) & \text{otherwise}
\end{cases}$$

$$\gamma_s(d) = \begin{cases}
S \to V & \text{if } d = \top \\
\emptyset & \text{if } d = \bot \\
\{\lambda s \in S.\,v \mid v \in \gamma(d\,s)\} & \text{otherwise}
\end{cases}$$

and $V' \subseteq S \to V$ and $d \in S \to D$. \hfill $\Box$

**Proof.** Assume that $\langle \alpha : \mathcal{P}(V) \to D, \gamma : D \to \mathcal{P}(V) \rangle$ is a Galois connection, $S$ is a set, $V' \subseteq S \to V$ and $d \in S \to D$. Note that $\mathcal{P}(S \to V)$ and $S \to D$ are complete lattices (Theorems 3.5, 3.7 and 3.8).

First note that:

$$\gamma_s(\alpha_s(S \to V)) = \gamma_s(\top) = S \to V \supseteq S \to V$$

$$\gamma_s(\alpha_s(\emptyset)) = \gamma_s(\bot) = \emptyset \supseteq \emptyset$$

$$\alpha_s(\gamma_s(\top)) = \alpha_s(S \to V) = \top \sqsubseteq \top$$

$$\alpha_s(\gamma_s(\bot)) = \alpha_s(\emptyset) = \bot \sqsubseteq \bot$$

Then note that $\gamma_s$ is monotone (Lemma 3.23), and, for the remaining case ($V' \neq S \to V$, $V' \neq \emptyset$, $d \neq \top$ and $d \neq \bot$), calculate the following.

$$\begin{align*}
\alpha_s(V') \sqsubseteq d
& \overset{\text{Def.}}{\iff} \lambda s \in S.\,\alpha(\{v'\,s \mid v' \in V'\}) \sqsubseteq d \\
& \iff \forall s \in S : \alpha(\{v'\,s \mid v' \in V'\}) \sqsubseteq d\,s \\
& \iff \forall s \in S : \{v'\,s \mid v' \in V'\} \subseteq \gamma(d\,s) \\
& \iff V' \subseteq \{\lambda s \in S.\,v \mid v \in \gamma(d\,s)\} \\
& \overset{\text{Def.}}{\iff} V' \subseteq \gamma_s(d)
\end{align*}$$

Here the second step holds since the ordering on $S \to D$ is pointwise, the third since $\langle \alpha, \gamma \rangle$ is a Galois connection, and the fourth since a function $v' \in S \to V$ belongs to $\{\lambda s \in S.\,v \mid v \in \gamma(d\,s)\}$ exactly when $v'\,s \in \gamma(d\,s)$ for every $s \in S$. Then, using Theorem 3.13, the result follows. $\blacksquare$

The domains of a Galois connection can be indexed with the elements from some set (Theorem 3.25).

**Theorem 3.25 (Galois connection – Indexing):**

If $\langle \alpha : V \to D, \gamma : D \to V \rangle$ is a Galois connection, then so is $\langle \alpha' : (S \times V) \to (S \times D), \gamma' : (S \times D) \to (S \times V) \rangle$, for some set $S \ni s$ (with the partial order $=$), where

$$\alpha'(s,v) = (s, \alpha(v))$$

$$\gamma'(s',d) = (s', \gamma(d))$$

and $(s,v) \in S \times V$ and $(s',d) \in S \times D$. The top elements of $S \times V$ and $S \times D$, denoted $\widehat{\top}_V$ and $\widehat{\top}_D$, correspond to the elements $(s,v)$ and $(s,d)$ for some $s \in S$, respectively, where $\alpha(v) = \top_D$ and $\gamma(d) = \top_V$. The bottom elements, $\widehat{\bot}_V$ and $\widehat{\bot}_D$, are defined in a corresponding manner.

$\alpha'$ and $\gamma'$ for $\langle \alpha' : (V \times S) \to (D \times S), \gamma' : (D \times S) \to (V \times S) \rangle$ are defined similarly.

**Proof.** Assume that $\langle \alpha : V \to D, \gamma : D \to V \rangle$ is a Galois connection, $S$ is a set, $(s,v) \in S \times V$ and $(s',d) \in S \times D$.

First note that:
\[ \gamma'(\alpha'(\widehat{\top}_V)) = \gamma'(\widehat{\top}_D) = \widehat{\top}_V \sqsupseteq_V \widehat{\top}_V \]
\[ \gamma'(\alpha'(\widehat{\bot}_V)) = \gamma'(\widehat{\bot}_D) = \widehat{\bot}_V \sqsupseteq_V \widehat{\bot}_V \]
\[ \alpha'(\gamma'(\widehat{\top}_D)) = \alpha'(\widehat{\top}_V) = \widehat{\top}_D \sqsubseteq_D \widehat{\top}_D \]
\[ \alpha'(\gamma'(\widehat{\bot}_D)) = \alpha'(\widehat{\bot}_V) = \widehat{\bot}_D \sqsubseteq_D \widehat{\bot}_D \]

Then, calculate the following.
\[
\begin{align*}
\alpha'(s, v) \sqsubseteq_D (s', d)
& \overset{\text{Def.}}{\iff} (s, \alpha(v)) \sqsubseteq_D (s', d) \\
& \iff s = s' \land \alpha(v) \sqsubseteq d \\
& \iff s = s' \land v \sqsubseteq \gamma(d) \\
& \iff (s, v) \sqsubseteq_V (s', \gamma(d)) \\
& \overset{\text{Def.}}{\iff} (s, v) \sqsubseteq_V \gamma'(s', d)
\end{align*}
\]

Here the second and fourth steps hold since the ordering on $S$ is $=$ and the orderings on $S \times D$ and $S \times V$ are componentwise, and the third since $\langle \alpha, \gamma \rangle$ is a Galois connection. Now, using Theorem 3.13, the result follows.

The proof for $\langle \alpha' : (V \times S) \to (D \times S), \gamma' : (D \times S) \to (V \times S) \rangle$ being a Galois connection is conducted analogously. $\blacksquare$

### 3.5 Constructing Galois Insertions

A Galois insertion \( \langle \alpha, \gamma \rangle \) between two domains, \( D \) and \( \widehat{D} \), can be constructed by following steps 1-5 below [23].

1. A domain, \( D \), with a partial order, \( \sqsubseteq \), a least (bottom) element, \( \bot \), a greatest (top) element, \( \top \), a greatest lower bound, \( \sqcap \), and a least upper bound, \( \sqcup \), so that \( \langle D, \sqsubseteq, \sqcap, \sqcup, \bot, \top \rangle \) is a complete lattice must be given.

2. Define a domain \( \widehat{D} \) and a monotone concretization function \( \gamma : \widehat{D} \to D \).

3. Define the partial order \( \sqsubseteq \) for \( \widehat{D} \).

4. The greatest lower bound \( \sqcap \) and the least upper bound \( \sqcup \) must exist for all subsets of \( \widehat{D} \). Then, by definition, \( \langle \widehat{D}, \sqsubseteq, \sqcap, \sqcup, \bot, \top \rangle \) is a complete lattice.

5. Define the abstraction function \( \alpha : D \to \widehat{D} \), which must be monotone.

Assuming that the domains \( D \) and \( \widehat{D} \) and the monotone concretization function, \( \gamma \), are defined, the partial ordering \( \sqsubseteq \) can easily be defined as given by Definition 3.26 [23].
**Definition 3.26 (Partial order):**
\( \sqsubseteq \) is a partial order for the domain \( \widehat{D} \) iff \( \forall \widehat{d}_1, \widehat{d}_2 \in \widehat{D} : (\widehat{d}_1 \sqsubseteq \widehat{d}_2 \iff \gamma(\widehat{d}_1) \sqsubseteq \gamma(\widehat{d}_2)) \), where the right-hand \( \sqsubseteq \) is the partial order of \( D \).

Based on this definition of the partial order, the greatest lower bound and least upper bound can be defined as given by Definitions 3.27 and 3.28, respectively [23].

**Definition 3.27 (Greatest lower bound):**
The element \( \widehat{d} \in \widehat{D} \) is a lower bound of \( \widehat{D}' \subseteq \widehat{D} \) iff \( \forall \widehat{d}' \in \widehat{D}' : \widehat{d} \sqsubseteq \widehat{d}' \). The element \( \widehat{d} \in \widehat{D} \) is the greatest lower bound of \( \widehat{D}' \subseteq \widehat{D} \) \( (\widehat{d} = \bigsqcap \widehat{D}') \) iff \( \widehat{d} \) is a lower bound of \( \widehat{D}' \) and for all other lower bounds \( \widehat{d}' \) of \( \widehat{D}' \), \( \widehat{d}' \sqsubseteq \widehat{d} \).

**Definition 3.28 (Least upper bound):**
The element \( \widehat{d} \in \widehat{D} \) is an upper bound of \( \widehat{D}' \subseteq \widehat{D} \) iff \( \forall \widehat{d}' \in \widehat{D}' : \widehat{d}' \sqsubseteq \widehat{d} \). The element \( \widehat{d} \in \widehat{D} \) is the least upper bound of \( \widehat{D}' \subseteq \widehat{D} \) \( (\widehat{d} = \bigsqcup \widehat{D}') \) iff \( \widehat{d} \) is an upper bound of \( \widehat{D}' \) and for all other upper bounds \( \widehat{d}' \) of \( \widehat{D}' \), \( \widehat{d} \sqsubseteq \widehat{d}' \).

The abstraction function \( \alpha \) can be defined based on the greatest lower bound operator as given by Definition 3.29 [23]: \( \alpha(d) \) is the most precise abstract element whose concretization still covers \( d \).

**Definition 3.29 (Abstraction function, \( \alpha \)):**
Given two domains \( D \) and \( \widehat{D} \) and a monotone concretization function \( \gamma : \widehat{D} \rightarrow D \), the abstraction function \( \alpha : D \rightarrow \widehat{D} \) is defined by:
\[
\alpha(d) = \bigsqcap \{ \widehat{d} \mid d \sqsubseteq \gamma(\widehat{d}) \}
\]
where \( d \in D \) and \( \widehat{d} \in \widehat{D} \).

Alternatively, assuming that two domains and a monotone abstraction function have been defined, the concretization function \( \gamma \) can be defined based on the least upper bound operator as given by Definition 3.30 [23].

**Definition 3.30 (Alternative definition – Concretization function, \( \gamma \)):**
Given two domains \( D \) and \( \widehat{D} \) and a monotone abstraction function \( \alpha : D \rightarrow \widehat{D} \), the concretization function \( \gamma : \widehat{D} \rightarrow D \) is defined by:
\[
\gamma(\widehat{d}) = \bigsqcup \{ d \mid \alpha(d) \sqsubseteq \widehat{d} \}
\]
where \( d \in D \) and \( \widehat{d} \in \widehat{D} \).

### 3.6 The Interval Domain

One example of an abstract domain for values is the interval domain [19, 23, 62]. The definition of an interval is given in Definition 3.31.

**Definition 3.31 (Interval):**
An interval is defined as $[n_1, n_2]$, where $n_1, n_2 \in \text{Val} = \mathbb{Z} \cup \{-\infty, \infty\}$ are the lower and upper bounds of the interval, respectively, and $n_1 \leq n_2$. Formally, the set of all intervals is defined as $\text{Intv} = \{\bot_{\text{int}}, \top_{\text{int}}\} \cup \{[n_1, n_2] \mid n_1 \leq n_2 \land n_1, n_2 \in \text{Val}\}$, where $\bot_{\text{int}}$ denotes an invalid interval and $\top_{\text{int}}$ is greater than any other element of $\text{Intv}$.

A Galois insertion will now be created between $\mathcal{P}(\text{Val})$ and $\text{Intv}$, using the steps of Section 3.5. The concretization function $\gamma_{\text{int}} : \text{Intv} \rightarrow \mathcal{P}(\text{Val})$ is given by Definition 3.32.

**Definition 3.32 (Concretization of intervals):**
$$\gamma_{\text{int}}(i) = \begin{cases} \mathbb{Z} \cup \{-\infty, \infty\} & \text{if } i = \top_{\text{int}} \\ \emptyset & \text{if } i = \bot_{\text{int}} \\ \{n \in \text{Val} \mid n_1 \leq n \leq n_2\} & \text{otherwise (i.e., } i = [n_1, n_2]) \end{cases}$$

The partial order relation for intervals, $\sqsubseteq_{\text{int}}$, is given by Definition 3.33 (using Definition 3.26).

**Definition 3.33 (Partial order for intervals):**
$$i \sqsubseteq_{\text{int}} \top_{\text{int}} \qquad \bot_{\text{int}} \sqsubseteq_{\text{int}} i \qquad [n_1, n_2] \sqsubseteq_{\text{int}} [n'_1, n'_2] \iff n'_1 \leq n_1 \land n_2 \leq n'_2$$

The greatest lower bound operator for intervals, $\sqcap_{\text{int}}$, is defined as given by Definition 3.34 (using Definition 3.27).

**Definition 3.34 (Greatest lower bound for intervals):**
$$\begin{align*}
&i \sqcap_{\text{int}} \top_{\text{int}} = \top_{\text{int}} \sqcap_{\text{int}} i = i \\
&i \sqcap_{\text{int}} \bot_{\text{int}} = \bot_{\text{int}} \sqcap_{\text{int}} i = \bot_{\text{int}} \\
&[n_1, n_2] \sqcap_{\text{int}} [n'_1, n'_2] =
\begin{cases}
[\max\{n_1, n'_1\}, \min\{n_2, n'_2\}] & \text{if } \max\{n_1, n'_1\} \leq \min\{n_2, n'_2\} \\
\bot_{\text{int}} & \text{otherwise}
\end{cases}
\end{align*}$$

The least upper bound operator for intervals \( \sqcup_{\text{int}} \) is defined as given by Definition 3.35 (using Definition 3.28).

**Definition 3.35 (Least upper bound for intervals):**

\[
\begin{align*}
&i \sqcup_{\text{int}} \top_{\text{int}} = \top_{\text{int}} \sqcup_{\text{int}} i = \top_{\text{int}} \\
&i \sqcup_{\text{int}} \bot_{\text{int}} = \bot_{\text{int}} \sqcup_{\text{int}} i = i \\
&\forall n_1, n_2, n'_1, n'_2 \in \text{Val} : [n_1, n_2] \sqcup_{\text{int}} [n'_1, n'_2] = [\min\{n_1, n'_1\}, \max\{n_2, n'_2\}]
\end{align*}
\]

The abstraction function \( \alpha_{\text{int}} : \mathcal{P}(\text{Val}) \rightarrow \text{Intv} \) is defined as given by Definition 3.36 (using Definition 3.29).

**Definition 3.36 (Abstraction to interval):**

\[
\alpha_{\text{int}}(V) = \begin{cases} 
\top_{\text{int}} & \text{if } V = \mathbb{Z} \cup \{-\infty, \infty\} \\
\bot_{\text{int}} & \text{if } V = \emptyset \\
[\min(V), \max(V)] & \text{otherwise}
\end{cases}
\]

To show that \( (\alpha_{\text{int}}, \gamma_{\text{int}}) \) is a Galois insertion, it would suffice to show that \( \gamma_{\text{int}} \) is monotone, since the steps of Section 3.5 have been used. However, for clarity, the entire proof is given in the proof of Theorem 3.39. Note that Lemmas 3.37 and 3.38 give that \( \gamma_{\text{int}} \) and \( \alpha_{\text{int}} \), respectively, are monotone.

**Lemma 3.37 (Monotonicity of \( \gamma_{\text{int}} \)):**

The function \( \gamma_{\text{int}} : \text{Intv} \rightarrow \mathcal{P}(\text{Val}) \) is monotone.

**Proof.** It should be shown that \( \forall i, i' \in \text{Intv} : (i \sqsubseteq_{\text{int}} i' \Rightarrow \gamma_{\text{int}}(i) \subseteq \gamma_{\text{int}}(i')) \). The cases \( i = \bot_{\text{int}} \) and \( i' = \top_{\text{int}} \) are trivial, since \( \gamma_{\text{int}}(\bot_{\text{int}}) = \emptyset \) and \( \gamma_{\text{int}}(\top_{\text{int}}) = \text{Val} \), and \( i \sqsubseteq_{\text{int}} i' \) rules out the remaining combinations involving \( \bot_{\text{int}} \) or \( \top_{\text{int}} \).

Assume that \( i = [n_1, n_2] \in \text{Intv} \) and \( i' = [n'_1, n'_2] \in \text{Intv} \), such that \( i \sqsubseteq_{\text{int}} i' \). Further assume that \( n \in \gamma_{\text{int}}(i) \). Then it must be the case that \( n_1 \leq n \leq n_2 \) (Definition 3.32). Since \( i \sqsubseteq_{\text{int}} i' \), it must be the case that \( n'_1 \leq n_1 \) and \( n_2 \leq n'_2 \) (Definition 3.33), and hence \( n'_1 \leq n \leq n'_2 \). But, then it must be the case that \( n \in \gamma_{\text{int}}(i') \) (Definition 3.32), and thus, \( \gamma_{\text{int}}(i) \subseteq \gamma_{\text{int}}(i') \). \( \blacksquare \)

**Lemma 3.38 (Monotonicity of \( \alpha_{\text{int}} \)):**

The function \( \alpha_{\text{int}} : \mathcal{P}(\text{Val}) \rightarrow \text{Intv} \) is monotone.

**Proof.** It should be shown that \( \forall V, V' \in \mathcal{P}(\text{Val}) : (V \subseteq V' \Rightarrow \alpha_{\text{int}}(V) \sqsubseteq_{\text{int}} \alpha_{\text{int}}(V')) \).

Note that the proof is trivial for the case that \( V = \emptyset \) or \( V' = \mathbb{Z} \cup \{-\infty, \infty\} \), since then \( \alpha_{\text{int}}(V) = \bot_{\text{int}} \) or \( \alpha_{\text{int}}(V') = \top_{\text{int}} \), respectively.

Assume that \( V, V' \in \mathcal{P}(\text{Val}) \), such that \( V \subseteq V' \), and that \( \alpha_{\text{int}}(V) = [n_1, n_2] \) and \( \alpha_{\text{int}}(V') = [n'_1, n'_2] \). Since \( V \subseteq V' \), it must be that \( \forall v \in V : \{v\} \subseteq V' \), and hence, \( \{n_1, n_2\} \subseteq V' \). But then, it must be that \( \min(V') = n'_1 \leq n_1 = \min(V) \) and \( \max(V) = n_2 \leq n'_2 = \max(V') \), and thus, \( [n_1, n_2] \sqsubseteq_{\text{int}} [n'_1, n'_2] \) (Definition 3.33), which means that \( \alpha_{\text{int}}(V) \sqsubseteq_{\text{int}} \alpha_{\text{int}}(V') \). \( \blacksquare \)

**Theorem 3.39 (Galois insertion – Intervals):**

\( \langle \alpha_{\text{int}} : \mathcal{P}(\text{Val}) \rightarrow \text{Intv}, \gamma_{\text{int}} : \text{Intv} \rightarrow \mathcal{P}(\text{Val}) \rangle \) is a Galois insertion. \hfill \( \Box \)

**Proof.** The proof amounts to showing that the constraints in Definition 3.10 are fulfilled by \( \langle \alpha_{\text{int}}, \gamma_{\text{int}} \rangle \). Note that \( \mathcal{P}(\text{Val}) \) and \( \text{Intv} \) are complete lattices [62].

According to Lemmas 3.37 and 3.38, \( \gamma_{\text{int}} \) and \( \alpha_{\text{int}} \) are monotone. To show that \( \alpha_{\text{int}}(\gamma_{\text{int}}(i)) = i \), assume that \( i \in \text{Intv} \).

- If \( i = \top_{\text{int}} \), then \( \gamma_{\text{int}}(i) = \mathbb{Z} \cup \{-\infty, \infty\} \). Thus, \( \alpha_{\text{int}}(\gamma_{\text{int}}(i)) = \alpha_{\text{int}}(\mathbb{Z} \cup \{-\infty, \infty\}) = \top_{\text{int}} = i \).

- If \( i = \bot_{\text{int}} \), then \( \gamma_{\text{int}}(i) = \emptyset \). Thus, \( \alpha_{\text{int}}(\gamma_{\text{int}}(i)) = \alpha_{\text{int}}(\emptyset) = \bot_{\text{int}} = i \).

- Otherwise (i.e., if \( i = [n_1, n_2] \)), then \( \gamma_{\text{int}}(i) = \{n \in \text{Val} \mid n_1 \leq n \leq n_2\} \), whose minimum is \( n_1 \) and whose maximum is \( n_2 \). Thus, \( \alpha_{\text{int}}(\gamma_{\text{int}}(i)) = \alpha_{\text{int}}(\{n \in \text{Val} \mid n_1 \leq n \leq n_2\}) = [n_1, n_2] = i \).

To show that \( \gamma_{\text{int}}(\alpha_{\text{int}}(V)) \supseteq V \), assume that \( V \in \mathcal{P}(\text{Val}) \).

- If \( V = \mathbb{Z} \cup \{-\infty, \infty\} \), then \( \alpha_{\text{int}}(V) = \top_{\text{int}} \). Thus, \( \gamma_{\text{int}}(\alpha_{\text{int}}(V)) = \gamma_{\text{int}}(\top_{\text{int}}) = \mathbb{Z} \cup \{-\infty, \infty\} \supseteq \mathbb{Z} \cup \{-\infty, \infty\} = V \).

- If \( V = \emptyset \), then \( \alpha_{\text{int}}(V) = \bot_{\text{int}} \). Thus, \( \gamma_{\text{int}}(\alpha_{\text{int}}(V)) = \gamma_{\text{int}}(\bot_{\text{int}}) = \emptyset \supseteq \emptyset = V \).

- Otherwise, \( \alpha_{\text{int}}(V) = [\min(V), \max(V)] \). Thus, \( \gamma_{\text{int}}(\alpha_{\text{int}}(V)) = \gamma_{\text{int}}([\min(V), \max(V)]) = \{n \in \text{Val} \mid \min(V) \leq n \leq \max(V)\} \supseteq V \), since every \( n \in V \) satisfies \( \min(V) \leq n \leq \max(V) \). \( \blacksquare \)
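The Python module below is an added example (not code from the thesis) that carries the construction of Section 3.5 through for the interval domain of Section 3.6. It implements $\gamma_{\text{int}}$, $\sqsubseteq_{\text{int}}$, $\sqcap_{\text{int}}$, $\sqcup_{\text{int}}$ and $\alpha_{\text{int}}$ (Definitions 3.32 to 3.36), checks the two Galois-insertion laws of Theorem 3.39 on finite samples, recovers $\alpha_{\text{int}}$ from $\gamma_{\text{int}}$ through the greatest-lower-bound construction of Definition 3.29, and exhibits the counterexample behind Theorem 3.21: lifting both $\alpha$ and $\gamma$ pointwise to power sets loses $V' \subseteq \gamma_p(\alpha_p(V'))$ (the set $\{1, 3\}$ is abstracted to $[1, 3]$ and concretized to $\{1, 2, 3\}$, a different element of $\mathcal{P}(\text{Val})$), whereas the single lifting $\gamma_p(D') = \{v \mid \alpha(v) \in D'\}$ keeps it. Since $\text{Val}$ and $\mathcal{P}(\text{Val})$ are infinite, the example materialises $\gamma_{\text{int}}$ only for intervals with finite bounds and runs the lifting checks over finite, constructed sample sets; the names `TOP`, `BOT`, `in_gamma`, `alpha_via_glb` and the `universe` parameter are this example's own and do not appear in the thesis.

```python
"""Interval domain (Section 3.6) and the power-set liftings around Theorem 3.21.
Added example, not code from the thesis. Val = Z u {-inf, inf} is modelled with Python
ints plus math.inf; TOP and BOT stand for top_int and bot_int. Val is infinite, so
gamma_int is only materialised for intervals with finite bounds and the lifting checks
run over finite, constructed samples (both are assumptions of this example)."""
import math

TOP, BOT = 'top_int', 'bot_int'        # the two extra elements of Intv

def in_gamma(i, n):
    """n in gamma_int(i) (Definition 3.32), as a membership test valid for every interval."""
    if i == TOP:
        return True
    if i == BOT:
        return False
    return i[0] <= n <= i[1]

def gamma(i):
    """gamma_int(i) as an explicit frozenset; only intervals with finite bounds qualify."""
    if i == BOT:
        return frozenset()
    if i == TOP or math.isinf(i[0]) or math.isinf(i[1]):
        raise ValueError('gamma_int(%r) is an infinite set' % (i,))
    return frozenset(range(i[0], i[1] + 1))

def alpha(vs):
    """alpha_int(V) (Definition 3.36) for a finite V; V = Val is not representable here."""
    vs = frozenset(vs)
    return BOT if not vs else (min(vs), max(vs))

def leq(i, j):
    """i sqsubseteq_int j (Definition 3.33)."""
    if j == TOP or i == BOT:
        return True
    if i == TOP or j == BOT:
        return False
    return j[0] <= i[0] and i[1] <= j[1]

def meet(i, j):
    """Greatest lower bound (Definition 3.34); disjoint intervals meet in BOT."""
    if i == TOP or j == TOP:
        return j if i == TOP else i
    if i == BOT or j == BOT:
        return BOT
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else BOT

def join(i, j):
    """Least upper bound (Definition 3.35)."""
    if i == TOP or j == TOP:
        return TOP
    if i == BOT or j == BOT:
        return j if i == BOT else i
    return (min(i[0], j[0]), max(i[1], j[1]))

def alpha_via_glb(vs, candidates):
    """Definition 3.29 instantiated: the meet of every candidate interval whose concretisation
    covers V; when the tightest interval is among the candidates this equals alpha(vs)."""
    result = TOP
    for i in candidates:
        if all(in_gamma(i, n) for n in vs):
            result = meet(result, i)
    return result

def is_galois_insertion(sample_sets):
    """Both laws behind Theorem 3.39, on finite samples: alpha(gamma(i)) == i for i = alpha(V),
    and V subset of gamma(alpha(V))."""
    for vs in sample_sets:
        i = alpha(vs)
        if alpha(gamma(i)) != i or not frozenset(vs) <= gamma(i):
            return False
    return True

# Lifting to power sets: V' is a set of subsets of Val, D' a set of intervals.
def alpha_p(V_prime):
    """alpha_p(V') = {alpha(v) | v in V'}, shared by both liftings."""
    return frozenset(alpha(vs) for vs in V_prime)

def gamma_p_single(D_prime, universe):
    """gamma_p(D') = {v in V | alpha(v) in D'}: the lifting that is a Galois connection,
    enumerated over a finite universe of candidate sets."""
    return frozenset(vs for vs in universe if alpha(vs) in D_prime)

def gamma_p_double(D_prime):
    """gamma_p(D') = {gamma(d) | d in D'}: the lifting of Theorem 3.21, which is not."""
    return frozenset(gamma(d) for d in D_prime)

def single_lifting_extensive(V_prime, universe):
    """Does V' subset of gamma_p(alpha_p(V')) hold for the single lifting?"""
    return V_prime <= gamma_p_single(alpha_p(V_prime), universe)

def double_lifting_extensive(V_prime):
    """Does V' subset of gamma_p(alpha_p(V')) hold for the double lifting?"""
    return V_prime <= gamma_p_double(alpha_p(V_prime))
```

`alpha_via_glb({1, 3}, [(0, 10), (1, 5), (-2, 3), (2, 9), TOP])` returns `(1, 3)`, the same as `alpha({1, 3})`, which is the content of Definition 3.29 for this domain; `double_lifting_extensive(frozenset({frozenset({1, 3})}))` returns `False`, which is the counterexample to Theorem 3.21, while the single lifting over a universe containing `{1, 3}` returns `True`.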
Chapter 4

PPL: A Parallel Programming Language

In this chapter, PPL, a parallel programming language, is defined. The parallel entity of execution is referred to as a thread.

PPL provides both thread-private and globally shared memory, referred to as registers, \( r \in \text{Reg} \), and variables, \( x \in \text{Var} \), respectively, and arithmetical operations etc. within a thread can be performed using the values of the thread’s registers. PPL also provides shared resources, referred to as locks, \( lck \in \text{Lck} \), that can be acquired in a mutually exclusive manner by the threads. The operations (statements) provided by the instruction set may have variable execution times. (C.f., multi-core CPUs, which have both local and global memory, a shared memory bus and atomic, i.e., mutually exclusive, operations.)

NOTE. A summary of the notation and nomenclature used in this thesis can be found in Appendix A.

The syntax of PPL, which is a set of operations using the discussed architectural features, is defined in Table 4.1. \( \Pi \in \text{Prg} \) denotes a program, which simply is a set of threads, i.e., \( \Pi = \text{Thrd} \in \mathcal{P}(\text{ThrdID} \times \text{Stm}) = \text{Prg} \), where each thread, \( T \in \text{Thrd} \), is a pair of a unique identifier, \( d \in \text{ThrdID} \), and a statement, \( s \in \text{Stm} \). This makes every thread unique and distinguishable from other
### 4.1 States & Configurations

A number of sub-states will be used when expressing how a set of given statements affects the state of the entire system when the statements are executed in parallel; i.e., when expressing the semantics of PPL. For each thread, T, of a program, there is an instance of the following states.

$pc_T : \text{Lbl}_T$ – a program counter that keeps track of which statement within thread $T$ is active.

NOTE. The tuple $\langle pc_{T_1}, \ldots, pc_{T_m} \rangle$, assuming that $\text{Thrd} = \{ T_1, \ldots, T_m \}$, defines a unique program point.

$\pi_T : \text{Reg}_T \to \text{Val}$ – a mapping from T’s registers to their values.

$t_T : \text{Time}$ – an absolute point in discrete time when the previous statement in T was executed.

For the program as such, there is an instance of the following states.

$x : \text{Var} \to \text{Thrd} \to \mathcal{P}(\text{Val} \times \text{Time})$ – a mapping from variables, per thread, to a set of writes, each of which is a pair of a value and the absolute point in time at which the value was written.

$l : \text{Lck} \to (\text{Lck}_{\text{stt}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time})$ – a mapping from locks to their values; i.e., a state $(\text{Lck}_{\text{stt}} = \{ \text{unlocked}, \text{locked} \})$, a current owner $(\text{Thrd}_{\perp} = \text{Thrd} \cup \{ \perp_{\text{thrd}} \})$, an absolute point in time when the lock must be taken by the current owner, a previous owner, and an absolute point in time when the lock was last released. For the case that no thread owns the lock, the owner is $\perp_{\text{thrd}}$.

NOTE. The only information about locks that is needed in the concrete case is the current owner of each lock (c.f., Tables 4.2 and 4.3). The rest of the information is only necessary when expressing the abstract semantics (c.f., Chapter 5). However, the soundness of the abstract semantics is easier proven if this information is included in the concrete case as well.

The types of the states $x$ and $l$ might look a bit peculiar at first glance; the need for their definitions will become apparent when defining an abstract interpretation of the PPL semantics in Section 5.8.

The above listed states, together with the threads of the program, will be referred to as a program state or configuration, $c \in \text{Conf}$. $\text{Conf}$ and $c$ are defined as follows.

\[
\begin{align*}
\text{Conf} := {} & \mathcal{P}_{T \in \text{Thrd}}(\{ T \} \times \text{Lbl}_T \times (\text{Reg}_T \to \text{Val}) \times \text{Time}) \times {} \\
& (\text{Var} \to \text{Thrd} \to \mathcal{P}(\text{Val} \times \text{Time})) \times {} \\
& (\text{Lck} \to (\text{Lck}_{\text{stt}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time}))
\end{align*}
\]

\[ c := \langle [T, pc_T, \pi_T, t_T]_{T \in \text{Thrd}}, x, l \rangle \]

Since it is not possible to determine beforehand the number of threads specified by a program, $\mathcal{P}_{T \in \text{Thrd}}(\ldots)$ is defined to expand to $|\text{Thrd}|$ instances (i.e., one instance for each thread, $T$, in a given program) of the type $\{T\} \times \text{Lbl}_T \times (\text{Reg}_T \rightarrow \text{Val}) \times \text{Time}$. Likewise, $[\ldots]_{T \in \text{Thrd}}$ is defined to expand in the corresponding manner. This way, $c \in \text{Conf}$ can be regarded as a tuple of known size once the number of threads in a program is known.

Sub-components of a configuration will also be of interest when considering single threads (see Table 4.2). Therefore, the following "smaller" configurations, $c_{\text{ax in}} \in \text{Conf}_{\text{ax in}}$ and $c_{\text{ax out}} \in \text{Conf}_{\text{ax out}}$, are defined for $T \in \text{Thrd}$.

\[ \text{Conf}_{\text{ax in}} = \{T\} \times \text{Lbl}_T \times (\text{Reg}_T \rightarrow \text{Val}) \times (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \times (\text{Lck} \rightarrow (\text{Lck}_{\text{stt}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time})) \times \text{Time} \]

\[ c_{\text{ax in}} := \langle T, pc, \pi, x, l, t \rangle \]

\[ \text{Conf}_{\text{ax out}} = \text{Lbl}_T \times (\text{Reg}_T \rightarrow \text{Val}) \times (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \times (\text{Lck} \rightarrow (\text{Lck}_{\text{stt}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time})) \]

\[ c_{\text{ax out}} := \langle pc', \pi', x', l' \rangle \]

### 4.2 Semantics

The semantic rules for individual statements within a thread, the language axioms, are described by the relation \(\rightarrow_{\text{ax}} : \text{Conf}_{\text{ax in}} \times \text{Conf}_{\text{ax out}} \rightarrow \{\text{true}, \text{false}\}\), which is formally defined in Table 4.2. The semantic rule for a set of threads (i.e., the program) is described by the relation \(\rightarrow_{\text{prg}} : \text{Conf} \times \text{Conf} \rightarrow \{\text{true}, \text{false}\}\), which is defined based on \(\rightarrow_{\text{ax}}\) as given in Table 4.3. Note that the functions STM and STT, OWN, DL, POWN and REL are defined in Tables 4.4 and 4.5, respectively. Note that STM is a total function.

$\rightarrow_{\text{ax}}$ and $\rightarrow_{\text{prg}}$ are relations, not functions, because one single input configuration can have several outputs; e.g., if two or more threads execute $\text{lock } lck$, where $\text{STT}(l\ lck) = \text{unlocked}$, then $lck$ is assigned to one of these threads in a non-deterministic fashion. $\rightarrow_{\text{prg}}$ and the semantic behavior of each statement in PPL are further described below.

To execute a program, or rather, to derive some possible execution trace for a given initial configuration, $c \in \text{Conf}$, a succeeding configuration is given by any $c' \in \text{Conf}$ such that $c \rightarrow_{\text{prg}} c'$. Then, a succeeding configuration, $c'' \in \text{Conf}$, to $c'$ is given by $c' \rightarrow_{\text{prg}} c''$, and so on.
<table>
<thead>
<tr>
<th>$\text{STM}(T, pc)$</th>
<th>$\langle pc', \pi', x', l' \rangle$</th>
<th>If</th>
</tr>
</thead>
<tbody>
<tr><td>$[\text{halt}]^{pc}$</td><td>$\langle pc, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{skip}]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[r := a]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{if } b \text{ goto } l]^{pc}$</td><td>$\langle l, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{if } b \text{ goto } l]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{store } r \text{ to } \mathtt{x}]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{load } r \text{ from } \mathtt{x}]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{lock } lck]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{lock } lck]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{unlock } lck]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
<tr><td>$[\text{unlock } lck]^{pc}$</td><td>$\langle pc + 1, \pi, x, l \rangle$</td><td></td></tr>
</tbody>
</table>

where $\mathcal{A}(r, \mathtt{x}, \pi) = \pi[r \mapsto v]$ for some $v$ such that
\[
\begin{cases}
\exists t' \in \text{Time} : (v, t') \in \bigcup_{T' \in \text{Thrd}} (x\ \mathtt{x}\ T') & \text{if } \bigcup_{T' \in \text{Thrd}} (x\ \mathtt{x}\ T') \neq \emptyset \\
v \in \gamma_{\text{int}}([-\infty, \infty]) & \text{otherwise}
\end{cases}
\]

(here $\mathtt{x}$ denotes the variable named in the statement and $x$ the variable state, so $\bigcup_{T' \in \text{Thrd}} (x\ \mathtt{x}\ T')$ is the set of all writes to $\mathtt{x}$ by any thread).

Table 4.2: $\langle T, pc, \pi, x, l, t \rangle \rightarrow_{\text{ax}} \langle pc', \pi', x', l' \rangle$, the semantics of concrete axiom transitions.

\[
c \rightarrow_{\text{prg}} c' \iff \text{Thrd}_{\text{exe}} \neq \emptyset \land \forall T \in \text{Thrd}_{\text{exe}} : \langle T, pc_T, \pi_T, x, l, t \rangle \rightarrow_{\text{ax}} \langle pc'_T, \pi'_T, x'_T, l'_T \rangle
\]

where

\[ t = \min(\{t_T \mid T \in \text{Thrd} \land \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T}\}) \]

\[ \text{Thrd}_{\text{exe}} = \{T \in \text{Thrd} \mid t_T = t \land \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T}\} \]

\[ t'_T = \begin{cases} t_T + \text{TIME}(c, T) & \text{if } T \in \text{Thrd}_{\text{exe}} \\ t_T & \text{otherwise} \end{cases} \]

\[ x'\ \mathtt{x}\ T' = \begin{cases} x'_{T'}\ \mathtt{x}\ T' & \text{if } T' \in \text{Thrd}_{\text{exe}} \\ x\ \mathtt{x}\ T' & \text{otherwise} \end{cases} \]

\[ l'\ lck = \begin{cases} l'_T\ lck & \text{if } l'_T\ lck \neq l\ lck \text{ for some } T \in \text{Thrd}_{\text{exe}} \text{ (any such } T \text{ may be chosen)} \\ l\ lck & \text{otherwise} \end{cases} \]

Table 4.3: $c \rightarrow_{\text{prg}} c'$, the semantics of concrete program transitions.
\[
\text{STM} : (\text{Thrd} \times \text{Lbl}) \rightarrow \text{Stm} = ((\text{ThrdID} \times \text{Stm}) \times \text{Lbl}) \rightarrow \text{Stm}
\]

\[
\text{STM}((d, s), pc) =
\begin{cases}
    s & \text{if } s = [\text{skip}]^{pc} \\
    s & \text{if } s = [r := a]^{pc} \\
    s & \text{if } s = [\text{if } b \text{ goto } l']^{pc} \\
    s & \text{if } s = [\text{load } r \text{ from } \mathtt{x}]^{pc} \\
    s & \text{if } s = [\text{store } r \text{ to } \mathtt{x}]^{pc} \\
    s & \text{if } s = [\text{lock } lck]^{pc} \\
    s & \text{if } s = [\text{unlock } lck]^{pc} \\
    s & \text{if } s = [\text{halt}]^{pc} \\
    \text{STM}((d, s'), pc) & \text{if } s = s'; s'' \land pc \in \text{LABELS}(s') \\
    \text{STM}((d, s''), pc) & \text{if } s = s'; s'' \land pc \in \text{LABELS}(s'')
\end{cases}
\]

\[
\text{LABELS} : \text{Stm} \rightarrow \mathcal{P}(\text{Lbl})
\]

\[
\text{LABELS}(s) =
\begin{cases}
    \{l\} & \text{if } s = [\text{skip}]^{l} \\
    \{l\} & \text{if } s = [r := a]^{l} \\
    \{l\} & \text{if } s = [\text{if } b \text{ goto } l']^{l} \\
    \{l\} & \text{if } s = [\text{load } r \text{ from } \mathtt{x}]^{l} \\
    \{l\} & \text{if } s = [\text{store } r \text{ to } \mathtt{x}]^{l} \\
    \{l\} & \text{if } s = [\text{lock } lck]^{l} \\
    \{l\} & \text{if } s = [\text{unlock } lck]^{l} \\
    \{l\} & \text{if } s = [\text{halt}]^{l} \\
    \text{LABELS}(s') \cup \text{LABELS}(s'') & \text{if } s = s'; s''
\end{cases}
\]

Table 4.4: Definition of STM and LABELS.

Table 4.5: Definition of STT, OWN, DL, POWN and REL.

<table>
<thead>
<tr>
<th>Operation</th>
<th>Signature</th>
<th>Definition</th>
</tr>
</thead>
<tbody>
<tr>
<td>STT</td>
<td>\( (\text{Lck}_{att} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) \rightarrow \text{Lck}_{att} \)</td>
<td>\( \text{STT}(u, T, t, T', t') = u \)</td>
</tr>
<tr>
<td>OWN</td>
<td>\( (\text{Lck}_{att} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) \rightarrow \text{Thrd}_\bot \)</td>
<td>\( \text{OWN}(u, T, t, T', t') = T \)</td>
</tr>
<tr>
<td>DL</td>
<td>\( (\text{Lck}_{att} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) \rightarrow \text{Time} \)</td>
<td>\( \text{DL}(u, T, t, T', t') = t \)</td>
</tr>
<tr>
<td>POWN</td>
<td>\( (\text{Lck}_{att} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) \rightarrow \text{Thrd}_\bot \)</td>
<td>\( \text{POWN}(u, T, t, T', t') = T' \)</td>
</tr>
<tr>
<td>REL</td>
<td>\( (\text{Lck}_{att} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) \rightarrow \text{Time} \)</td>
<td>\( \text{REL}(u, T, t, T', t') = t' \)</td>
</tr>
</tbody>
</table>
**TIME and \( \text{Thrd}_{exe} \)**

TIME is assumed to be provided by a timing model of the underlying architecture. It should return a relative execution time for the active statement of thread \( T \), i.e., \( \text{STM}(T, pc_T) \), based on the current system state. Given Assumption 4.1, time is guaranteed to move forward when using \( \rightarrow_{prg} \) on a given configuration (Lemma 4.2). Assumption 4.3 gives that a thread that is waiting to acquire some lock cannot spin an infinite number of times in zero time.

The set of threads to execute, \( \text{Thrd}_{exe} \), in a given configuration, \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \), is determined based on \( t^a_T \) and \( \text{TIME}(c, T) \), for each thread, \( T \in \text{Thrd} \). It simply consists of the (non-halted) threads that will finish executing their active statements at the nearest point in time, denoted by \( t \) in Table 4.3. An illustration of how \( \text{Thrd}_{exe} \) is determined is given in Figure 4.6. For \( c_1 \) in Figure 4.6a, \( t = t^a_{T_2} + \text{TIME}(c_1, T_2) = t^a_{T_3} + \text{TIME}(c_1, T_3) = 6 \) and \( t^a_{T_1} + \text{TIME}(c_1, T_1) = 10 \). Thus, \( \text{Thrd}_{exe} = \{T_2, T_3\} \) and \( t'^a_{T_2} = t'^a_{T_3} = 6 \), while \( t'^a_{T_1} = t^a_{T_1} = 7 \). For \( c_2 \) in Figure 4.6b, \( \text{Thrd}_{exe} \) is determined in a similar manner (note that \( c_1 \rightarrow_{prg} c_2 \)).

Figure 4.6: Illustration of how \( \text{Thrd}_{exe} \) is determined (\( c_1 \rightarrow_{prg} c_2 \)).
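As an added example (not part of the thesis), the following Python reproduces the selection of \( \text{Thrd}_{exe} \) and the time update of Table 4.3 on the numbers of Figure 4.6a. A configuration is reduced to, per thread, its accumulated time \( t^a_T \), the timing model's \( \text{TIME}(c, T) \) and whether its active statement is `halt`; the dictionary layout, the function names and the individual thread times (the text only gives the sums 6, 6 and 10) are this example's own assumptions.

```python
from math import inf


def next_time(conf):
    """t of Table 4.3: the earliest completion time t^a_T + TIME(c, T) over the
    threads whose active statement is not halt (inf if every thread has halted)."""
    return min((th['t'] + th['time'] for th in conf.values() if not th['halt']),
               default=inf)


def thrd_exe(conf):
    """Thrd_exe: the non-halted threads whose active statement completes at t."""
    t = next_time(conf)
    return {T for T, th in conf.items()
            if not th['halt'] and th['t'] + th['time'] == t}


def step_times(conf):
    """t'^a_T = t^a_T + TIME(c, T) for T in Thrd_exe, unchanged otherwise."""
    exe = thrd_exe(conf)
    return {T: th['t'] + th['time'] if T in exe else th['t']
            for T, th in conf.items()}


def time_moves_forward(conf):
    """Lemma 4.2: with TIME >= 0 (Assumption 4.1) no accumulated time decreases."""
    after = step_times(conf)
    return all(after[T] >= th['t'] for T, th in conf.items())


# Constructed to match Figure 4.6a: T2 and T3 both complete at 6, T1 would
# complete at 10, so Thrd_exe = {T2, T3} and T1 keeps t^a = 7.
C1 = {'T1': {'t': 7, 'time': 3, 'halt': False},
      'T2': {'t': 2, 'time': 4, 'halt': False},
      'T3': {'t': 5, 'time': 1, 'halt': False}}

# Constructed: a halted thread with the smallest time is left out of the
# minimum, so the remaining thread still makes progress.
C2 = {'T1': {'t': 1, 'time': 0, 'halt': True},
      'T2': {'t': 2, 'time': 4, 'halt': False}}

if __name__ == '__main__':
    print(sorted(thrd_exe(C1)), step_times(C1))   # ['T2', 'T3'] {'T1': 7, 'T2': 6, 'T3': 6}
    print(sorted(thrd_exe(C2)), step_times(C2))   # ['T2'] {'T1': 1, 'T2': 6}
```

The second configuration shows why halted threads must be excluded from the minimum as well as from \( \text{Thrd}_{exe} \): a halted thread never advances its own time, so including it would block every other thread forever.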

**Assumption 4.1 (TIME is non-negative):**
It is assumed that \( \forall c \in \text{Conf} : \forall T \in \text{Thrd} : 0 \leq \text{TIME}(c, T) \).

**Lemma 4.2 (Time only moves forward):**
Given that the two configurations \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) and \( c' @ \langle [T, pc'_T, r'_T, t'^a_T]_{T \in \text{Thrd}}, \mathbf{x}', l' \rangle \in \text{Conf} \) are such that \( c \rightarrow_{prg} c' \), \( \forall T \in \text{Thrd} : t^a_T \leq t'^a_T \).

**Proof.** Assume that \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) and \( c' @ \langle [T, pc'_T, r'_T, t'^a_T]_{T \in \text{Thrd}}, \mathbf{x}', l' \rangle \in \text{Conf} \) are such that \( c \rightarrow_{prg} c' \). From Table 4.3, it is apparent that there are two possibilities for the value of \( t'^a_T \).

If \( t^a_T + \text{TIME}(c, T) = \min(\{ t^a_{T'} + \text{TIME}(c, T') \mid T' \in \text{Thrd} \land \text{STM}(T', pc_{T'}) \neq [\text{halt}]^{pc_{T'}} \}) \land \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \), then \( t'^a_T = t^a_T + \text{TIME}(c, T) \). Thus, \( t'^a_T \geq t^a_T \) (Assumption 4.1).

If \( t^a_T + \text{TIME}(c, T) \neq \min(\{ t^a_{T'} + \text{TIME}(c, T') \mid T' \in \text{Thrd} \land \text{STM}(T', pc_{T'}) \neq [\text{halt}]^{pc_{T'}} \}) \lor \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \), then \( t'^a_T = t^a_T \).

Thus, it must be that \( \forall T \in \text{Thrd} : t^a_T \leq t'^a_T \). \( \Box \)

**Assumption 4.3 (TIME is non-zero when spin-locking):**
It is assumed that \( \forall c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} : \forall T \in \text{Thrd} : ((\exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock } lck]^{pc_T} \land \text{OWN}(l\, lck) \notin \{ \bot_{thrd}, T \})) \Rightarrow 0 < \text{TIME}(c, T)) \).

**halt and skip**

As previously discussed, `halt` stops the execution of a thread and `skip` is a no-operation. This is implemented by letting the semantic rule for `halt` return the input state without modifying it, which means that the issuing thread will still be executing the same `halt`-statement in the next iterative step; thus the thread halts. Note, however, that threads issuing a `halt`-statement are not included in \( \text{Thrd}_{exe} \). The rule for the `skip`-statement only increments the thread's program counter, \( pc \), and thus advances the thread to execute its subsequent statement in the next iterative step.

**:= and if**

The statement \( r := a \) returns a register state in which the register \( r \) has the value of the arithmetic expression \( a \). The value of \( a \) is, in the general case, dependent on the register values in the input register state and is determined using the function \( \mathcal{A} : \text{Aexp} \rightarrow (\text{Reg} \rightarrow \text{Val}) \rightarrow \text{Val} \). \( \mathcal{A} \) evaluates arithmetic expressions based on a given register state as defined in Table 4.7.

Table 4.7: Semantics of concrete evaluation of arithmetic expressions (\( \mathbf{r} \) denotes the register state).

<table>
<thead>
<tr>
<th>Expression</th>
<th>Semantics</th>
</tr>
</thead>
<tbody>
<tr>
<td>\( n \)</td>
<td>\( \mathcal{A}[\![n]\!]\mathbf{r} = n \)</td>
</tr>
<tr>
<td>\( r \)</td>
<td>\( \mathcal{A}[\![r]\!]\mathbf{r} = \mathbf{r}\, r \)</td>
</tr>
<tr>
<td>\( a_1 + a_2 \)</td>
<td>\( \mathcal{A}[\![a_1 + a_2]\!]\mathbf{r} = \mathcal{A}[\![a_1]\!]\mathbf{r} + \mathcal{A}[\![a_2]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( a_1 - a_2 \)</td>
<td>\( \mathcal{A}[\![a_1 - a_2]\!]\mathbf{r} = \mathcal{A}[\![a_1]\!]\mathbf{r} - \mathcal{A}[\![a_2]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( a_1 \cdot a_2 \)</td>
<td>\( \mathcal{A}[\![a_1 \cdot a_2]\!]\mathbf{r} = \mathcal{A}[\![a_1]\!]\mathbf{r} \cdot \mathcal{A}[\![a_2]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( a_1 / a_2 \)</td>
<td>\( \mathcal{A}[\![a_1 / a_2]\!]\mathbf{r} = \left\lfloor \dfrac{\mathcal{A}[\![a_1]\!]\mathbf{r}}{\mathcal{A}[\![a_2]\!]\mathbf{r}} \right\rfloor \)</td>
</tr>
</tbody>
</table>

The statement \( \text{if } b \text{ goto } l \) performs conditional branching. If the boolean expression \( b \) evaluates to \( \text{true} \), the issuing thread’s \( \text{pc} \) is set to \( l \). If \( b \) evaluates to \( \text{false} \), then \( \text{if} \) acts like the \( \text{skip} \)-statement. The value of \( b \) is, in the general case, dependent on the register values in the input register state and is determined using the function \( B : \text{Bexp} \rightarrow (\text{Reg} \rightarrow \text{Val}) \rightarrow \text{Bool} \). \( B \) evaluates boolean expressions based on a given register state as defined in Table 4.8.

Table 4.8: Semantics of concrete evaluation of boolean expressions (\( \mathbf{r} \) denotes the register state).

<table>
<thead>
<tr>
<th>Expression</th>
<th>Semantics</th>
</tr>
</thead>
<tbody>
<tr>
<td>\( \text{true} \)</td>
<td>\( \mathcal{B}[\![\text{true}]\!]\mathbf{r} \leftrightarrow \text{true} \)</td>
</tr>
<tr>
<td>\( \text{false} \)</td>
<td>\( \mathcal{B}[\![\text{false}]\!]\mathbf{r} \leftrightarrow \text{false} \)</td>
</tr>
<tr>
<td>\( !b \)</td>
<td>\( \mathcal{B}[\![!b]\!]\mathbf{r} \leftrightarrow \neg \mathcal{B}[\![b]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( b_1 \mathbin{\&} b_2 \)</td>
<td>\( \mathcal{B}[\![b_1 \mathbin{\&} b_2]\!]\mathbf{r} \leftrightarrow \mathcal{B}[\![b_1]\!]\mathbf{r} \land \mathcal{B}[\![b_2]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( a_1 == a_2 \)</td>
<td>\( \mathcal{B}[\![a_1 == a_2]\!]\mathbf{r} \leftrightarrow \mathcal{A}[\![a_1]\!]\mathbf{r} = \mathcal{A}[\![a_2]\!]\mathbf{r} \)</td>
</tr>
<tr>
<td>\( a_1 <= a_2 \)</td>
<td>\( \mathcal{B}[\![a_1 <= a_2]\!]\mathbf{r} \leftrightarrow \mathcal{A}[\![a_1]\!]\mathbf{r} \leq \mathcal{A}[\![a_2]\!]\mathbf{r} \)</td>
</tr>
</tbody>
</table>

To achieve a high precision in the analysis (see Chapters 5 and 6), the abstraction of the state for variables will need to save write history; i.e., what abstract
writes (each write being a pair of value and time) have been performed by each thread on each variable (see Chapter 5). Therefore, to derive a Galois connection between the concrete and abstract domains for variable states, the concrete state, \( x \), has to be defined accordingly. This is why the definition of \( x \) might look a bit peculiar at first glance. In the concrete semantics, only one single write is saved for each variable, though, since this is all the information that is needed in the concrete case. If several threads write to a variable (using the `store`-statement) at the same time, there is a race on that variable and the resulting state will contain one of the writes; i.e., one of the threads will win the race. The winning thread is non-deterministically chosen from one of the threads writing the variable at the given point in time.

`load` is defined to put the value of the saved write (or rather, the value of one of the saved writes in the general case) in the given register.

As the observant reader might have noticed already, the only information that should be needed in order to express the semantic behavior of locks is which thread is currently assigned (i.e., is currently the owner of) a lock. This is truly the case. However, the extra information given in the concrete state for locks, \( l \), will ease the derivation of an approximation of the concrete semantics (see Chapter 5) and achieve a high precision in the analysis (see Chapter 6). This is why the definition of \( l \) might look a bit peculiar at first glance. Here, the state of locks, i.e., `locked` or `unlocked`, is only used to increase the readability of the rules in Tables 4.2 and 4.3. Note that a consequence of this is that, in a given configuration, \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \), \( \text{STT}(l\, lck) = \text{locked} \) whenever \( \text{OWN}(l\, lck) \neq \bot_{thrd} \) (cf. Lemma 4.5). Also note that \( (\text{STT}(l\, lck) = \text{locked} \land \text{OWN}(l\, lck) = \bot_{thrd}) \lor \exists T \in \text{Thrd} : t^a_T + \text{TIME}(c, T) < \text{REL}(l\, lck) \) implies that the given configuration is actually not valid (cf. Definition 4.4).

The `lock`-statement has the same behavior as the `halt`-statement as long as the issuing thread is not assigned the given lock; i.e., the issuing thread will wait for its turn to acquire the lock. If the issuing thread is assigned the given lock (within \( \rightarrow_{prg} \), i.e., in the intermediate lock state \( l'' \) of Table 4.3), `lock` is defined to basically take the lock (i.e., set its state to `locked`) and advance the thread's \( pc \). Only one single thread can be assigned a given lock at any point in time.

The `unlock`-statement has the same behavior as the `skip`-statement if the given lock is not assigned to the issuing thread. If the issuing thread is assigned the given lock, `unlock` is defined to release the lock so that it can be re-assigned in the next iterative step to some thread, if any, issuing `lock` on it.
Note that a thread can repeatedly acquire a lock that is assigned to, and taken by, it, without first releasing it.

**Definition 4.4 (Valid concrete configuration):**

A concrete configuration, \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \), is valid with respect to the lock state, \( l \), iff

\[
\begin{align*}
\forall lck \in \text{Lck} : (\;& (\text{STT}(l\, lck) = \text{locked} \Leftrightarrow \text{OWN}(l\, lck) \neq \bot_{thrd}) \;\land \\
& (\text{STT}(l\, lck) = \text{unlocked} \Leftrightarrow \text{OWN}(l\, lck) = \bot_{thrd}) \;\land \\
& \forall T \in \text{Thrd} : \text{REL}(l\, lck) \leq t^a_T + \text{TIME}(c, T) \;)
\end{align*}
\]

**Lemma 4.5 (\( \rightarrow_{prg} \) preserves lock state validity):**

Given that the configuration \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) is valid (cf. Definition 4.4), then so is \( c' @ \langle [T, pc'_T, r'_T, t'^a_T]_{T \in \text{Thrd}}, \mathbf{x}', l' \rangle \in \text{Conf} \), whenever \( c \rightarrow_{prg} c' \).

**Proof.** From Table 4.2, it is apparent that the possible axiom output lock states, given the axiom input lock state (called \( l'' \) in Table 4.3), are

1. \( l''[lck \mapsto (\text{locked}, T, \text{DL}(l''\, lck), \text{POWN}(l''\, lck), \text{REL}(l''\, lck))] \), whenever \( \text{STM}(T, pc_T) = [\text{lock } lck]^{pc_T} \land \text{OWN}(l''\, lck) = T \),

2. \( l''[lck \mapsto (\text{unlocked}, \bot_{thrd}, \text{DL}(l''\, lck), T, t)] \), whenever \( \text{STM}(T, pc_T) = [\text{unlock } lck]^{pc_T} \land \text{OWN}(l''\, lck) = T \), and

3. \( l'' \), otherwise.

Assume that the configurations \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) and \( c' @ \langle [T, pc'_T, r'_T, t'^a_T]_{T \in \text{Thrd}}, \mathbf{x}', l' \rangle \in \text{Conf} \) are such that \( c \) is valid and \( c \rightarrow_{prg} c' \).

From Table 4.3, it is apparent that \( \rightarrow_{ax} \) is only applied to axiom input configurations in which \( l'' \) is such that, for each \( lck \in \text{Lck} \),

1. \( l''\, lck = l\, lck \), or

2. \( l''\, lck = (\text{unlocked}, T, t, \text{POWN}(l\, lck), \text{REL}(l\, lck)) \) for some \( T \in \text{Thrd}_{exe} \).

For the first case, it is easy to see that all three possible output lock states result in a valid configuration since \( c \) is valid.

The second case only occurs when \( \exists T' \in \text{Thrd}_{exe} : (\text{STM}(T', pc_{T'}) = [\text{lock } lck]^{pc_{T'}} \land \text{OWN}(l\, lck) = \bot_{thrd}) \). Note that the assigned owner, \( T \in \text{Thrd}_{exe} \), is one of the threads issuing \( \text{lock } lck \). For thread \( T \), the output lock state is given by case 1 above, since \( \text{STM}(T, pc_T) = [\text{lock } lck]^{pc_T} \land \text{OWN}(l''\, lck) = T \); thus \( \text{STT}(l'\, lck) = \text{locked} \) and \( \text{OWN}(l'\, lck) = T \). For every other thread the output lock state is given by case 3. Since time moves forward for each thread (Lemma 4.2), it is easy to see that \( c' \) is valid. \( \Box \)

Lemma 4.6 gives some important properties of the “intermediate” lock state, \text{l′′}, defined in Table 4.3, which is used as a means of assigning a lock to a specific thread. These properties will be used when proving the correctness of the abstract semantics in Tables 5.5 and 5.6.

**Lemma 4.6 (Properties of \( l'' \)):**

If, for some valid configuration \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) and lock \( lck \in \text{Lck} \), \( \text{OWN}(l\, lck) = \bot_{thrd} \land \exists T' \in \text{Thrd}_{exe} : (\text{STM}(T', pc_{T'}) = [\text{lock } lck]^{pc_{T'}} \land \text{OWN}(l''\, lck) = T') \), where \( l'' \) and \( \text{Thrd}_{exe} \) are as defined in Table 4.3, then

1. \( \text{STT}(l''\, lck) = \text{unlocked} \),

2. \( \text{DL}(l''\, lck) \not< t'^a_{T'} \), and

3. \( t'^a_{T'} \not< \text{REL}(l''\, lck) \).

**Proof.** Each of the properties above will be shown based on the definitions of \( \rightarrow_{ax} \) and \( \rightarrow_{prg} \) in Tables 4.2 and 4.3, respectively.

Assume that, for the valid configuration \( c @ \langle [T, pc_T, r_T, t^a_T]_{T \in \text{Thrd}}, \mathbf{x}, l \rangle \in \text{Conf} \) (cf. Definition 4.4) and some lock, \( lck \in \text{Lck} \), \( \text{OWN}(l\, lck) = \bot_{thrd} \land \exists T' \in \text{Thrd}_{exe} : (\text{STM}(T', pc_{T'}) = [\text{lock } lck]^{pc_{T'}} \land \text{OWN}(l''\, lck) = T') \), where \( l'' \) and \( \text{Thrd}_{exe} \) are as defined in Table 4.3.

Property 1 follows directly from the definition of \( l'' \) in Table 4.3.

Table 4.3 also gives that \( \text{DL}(l''\, lck) = t \) and that \( t'^a_{T'} = t \), since \( T' \in \text{Thrd}_{exe} \land \text{STM}(T', pc_{T'}) = [\text{lock } lck]^{pc_{T'}} \). Thus, \( \text{DL}(l''\, lck) = t'^a_{T'} \), and hence property 2 has been shown.

For property 3, \( c \) is valid, so \( \text{REL}(l\, lck) \leq t^a_T + \text{TIME}(c, T) \) for every \( T \in \text{Thrd} \) (Definition 4.4), and Assumption 4.1 gives that time moves forward when using \( \rightarrow_{prg} \) (Lemma 4.2). Thus, it must be that \( t'^a_{T'} = t \geq \text{REL}(l\, lck) = \text{REL}(l''\, lck) \) (cf. Table 4.3), which concludes the proof. \( \Box \)
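As an added example (not from the thesis), the Python below encodes the lock-state records of Table 4.5, the validity conditions of Definition 4.4, the construction of the intermediate lock state \( l'' \) of Table 4.3 and the `lock`/`unlock` axiom cases enumerated in the proof of Lemma 4.5, and then checks the three properties of Lemma 4.6 on a constructed two-thread run. The dataclass fields, the function names, the choice of `min(waiting)` as the assigned thread (the thesis leaves the choice unspecified) and the sample times are this example's assumptions; `BOT_THRD` stands for \( \bot_{thrd} \).

```python
from __future__ import annotations
from dataclasses import dataclass, replace

BOT_THRD = None     # bottom_thrd: no thread


@dataclass(frozen=True)
class LockRec:
    """A lock state entry (Lck_att x Thrd_bot x Time x Thrd_bot x Time) with the
    projections STT, OWN, DL, POWN and REL of Table 4.5 as fields."""
    stt: str              # STT: 'locked' or 'unlocked'
    own: str | None       # OWN: current owner, BOT_THRD if none
    dl: int               # DL: the time t at which the lock was last assigned
    pown: str | None      # POWN: previous owner
    rel: int              # REL: time of the last release


FREE = LockRec('unlocked', BOT_THRD, 0, BOT_THRD, 0)


def assign(l, lck, waiting, t):
    """l'' of Table 4.3: an unowned lock is assigned (still 'unlocked') to one of
    the threads in Thrd_exe that issue lock lck; min() is this example's stand-in
    for the thesis's unspecified choice.  Otherwise l is returned unchanged."""
    rec = l[lck]
    if rec.own is not BOT_THRD or not waiting:
        return l
    return {**l, lck: replace(rec, stt='unlocked', own=min(waiting), dl=t)}


def lock_axiom(l, lck, T):
    """Case 1 in the proof of Lemma 4.5: the assigned owner takes the lock.
    Any other thread keeps spinning, i.e. the lock state is left as it is."""
    rec = l[lck]
    return l if rec.own != T else {**l, lck: replace(rec, stt='locked')}


def unlock_axiom(l, lck, T, t):
    """Case 2: the owner releases the lock at time t and becomes POWN.
    For a non-owner the statement acts like skip on the lock state."""
    rec = l[lck]
    if rec.own != T:
        return l
    return {**l, lck: LockRec('unlocked', BOT_THRD, rec.dl, T, t)}


def valid(l, next_times):
    """Definition 4.4: locked <=> owned, and no thread's next point in time
    (t^a_T + TIME(c, T), given per thread) lies before a lock's last release."""
    return all((rec.stt == 'locked') == (rec.own is not BOT_THRD)
               and all(rec.rel <= nt for nt in next_times.values())
               for rec in l.values())


def lemma_4_6(l_pp, lck, t_T):
    """Properties 1-3 of Lemma 4.6 for the assigned thread's new time t_T."""
    rec = l_pp[lck]
    return rec.stt == 'unlocked' and not rec.dl < t_T and not t_T < rec.rel


def scenario():
    """Constructed run: T1 and T2 both issue lock m at t = 6; T1 is assigned,
    takes the lock, and releases it at t = 9 while T2 has been spinning."""
    l0 = {'m': FREE}
    nxt = {'T1': 6, 'T2': 6}                   # t^a_T + TIME(c, T) in c
    l_pp = assign(l0, 'm', {'T1', 'T2'}, 6)    # intermediate state l''
    l1 = lock_axiom(lock_axiom(l_pp, 'm', 'T2'), 'm', 'T1')
    l2 = unlock_axiom(l1, 'm', 'T1', 9)
    return {'l0_valid': valid(l0, nxt),
            'lpp_valid': valid(l_pp, nxt),     # l'' is intermediate, not valid
            'lemma_4_6': lemma_4_6(l_pp, 'm', 6),
            'owner': l1['m'].own,
            'l1_valid': valid(l1, nxt),
            'l2_valid': valid(l2, {'T1': 10, 'T2': 9}),
            'l2': l2['m']}


if __name__ == '__main__':
    for key, value in scenario().items():
        print(key, value)
```

The run makes the point of Lemma 4.6 concrete: \( l'' \) deliberately violates Definition 4.4 (an owner is recorded while the state is still `unlocked`), and it is the owner's own `lock` axiom transition that restores validity; the spinning thread's transition leaves the record untouched.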
4.3 Collecting Semantics

This section defines the collecting semantics, \( \mathcal{C}(C) \), of a program; i.e., the set of all possible semantic configurations given an initial set of configurations, \( C \), (c.f., Definition 4.7).

**Definition 4.7 (Collecting semantics):**

The collecting semantics, \( \mathcal{C}(C) \), of an initial set of configurations, \( C \), is defined as:

\[
\mathcal{C}(C) = \bigcup_{i \geq 0} C^i \quad \text{where} \quad \begin{cases} 
C^0 = C \\
C^{i+1} = \{ c' \in \text{Conf} \mid \exists c \in C^i : c \rightarrow_{prg} c' \}
\end{cases}
\]

As can be seen, the collecting semantics includes all configurations that a given initial set of configurations can ever reach. Note that the collecting semantics might be of infinite size in the case of a non-terminating program; i.e., the accumulated time, \( t^a_T \), for some thread, \( T \in \text{Thrd} \), could increase indefinitely.
Chapter 5

Abstractly Interpreting PPL

In this chapter, the semantics of PPL, defined in Chapter 4, will be abstracted. First it must be decided what parts of the system state to interpret in an abstract way. Abstract states will be crowned with ~.

To allow for the hardware timing model to be approximated as well, \( \text{Time} \) will be abstracted using the interval domain, i.e., \( \tilde{\text{Time}} = \text{Intv} \). This approach is also taken by Chattopadhyay et al. [11] to approximate the execution time of pipeline stages in order to deal with timing anomalies in multi-core platforms. \( \text{Val} \) will also be abstracted using intervals, i.e., \( \tilde{\text{Val}} = \text{Intv} \), to allow for an efficient handling of data flow (note that many other domains could be used as well). Since \( \text{Thrd}, \text{Lbl}, \text{Var}, \text{Reg}, \text{Lck}, \text{Aexp} \) and \( \text{Bexp} \) are defined by the software, and their elements are used as identifiers, it does not make much sense to abstract them for the defined analysis (see Chapter 6). And, since \( \text{Lck}_{att} \) is comparable to \( \text{Bool} \), an abstraction of it would most probably not be very beneficial. The states affected by the abstractions of \( \text{Time} \) and \( \text{Val} \) are \( r, \mathbf{x}, t^a, l \) and \( c \). The abstractions of these will be referred to as \( \tilde{r}, \tilde{\mathbf{x}}, \tilde{t}^a, \tilde{l} \) and \( \tilde{c} \), respectively.

**NOTE.** A summary of the notation and nomenclature used in this thesis can be found in Appendix A.
5.1 Arithmetical Operators for Intervals

Since values and time are abstracted using the interval domain, the operators of PPL must be extended to act on intervals. This is done in Table 5.1; note that \( \infty/\infty, 0/0, 0 \cdot \infty \) and \( -\infty - \infty \) need not be defined – they all result in \( [-\infty, \infty] \).

**NOTE.** In the following, \( \overline{+}_t \) and \( \overline{+}_{\text{val}} \) both refer to \( +_{\text{int}} \), and similarly for the rest of the operators.

5.2 Abstract Register States

Using Theorems 3.24 and 3.39, it is easy to see that there is indeed a Galois connection, \( \langle \alpha_{reg}, \gamma_{reg} \rangle \), between the concrete domain \( \mathcal{P}(\text{Reg} \rightarrow \text{Val}) \) and the abstract domain \( (\text{Reg} \rightarrow \tilde{\text{Val}}) \cup \{ \tilde{\bot}_{reg}, \tilde{\top}_{reg} \} \) (Theorem 5.6). The concretization function, \( \gamma_{reg} \), partial order, \( \tilde{\sqsubseteq}_{reg} \), greatest lower bound, \( \tilde{\sqcap}_{reg} \), least upper bound, \( \tilde{\sqcup}_{reg} \), and abstraction function, \( \alpha_{reg} \), are given by Definitions 5.1, 5.2, 5.3, 5.4 and 5.5, respectively. An abstract register state \( \tilde{\mathbf{r}} \) is the bottom element, \( \tilde{\bot}_{reg} \), if \( \exists r \in \text{Reg} : \tilde{\mathbf{r}}\, r = \tilde{\bot}_{val} \); i.e., if \( \tilde{\mathbf{r}} \) maps some register to \( \tilde{\bot}_{val} \). The top element, \( \tilde{\top}_{reg} \), corresponds to an abstract mapping for which all registers map to \( \tilde{\top}_{val} \).

**Definition 5.1 (Concretization of an abstract register state):**

\[
\gamma_{reg}(\tilde{\mathbf{r}}) = \begin{cases}
\text{Reg} \rightarrow \text{Val} & \text{if } \tilde{\mathbf{r}} = \tilde{\top}_{reg} \\
\emptyset & \text{if } \tilde{\mathbf{r}} = \tilde{\bot}_{reg} \\
\{ \lambda r \in \text{Reg} . v \mid v \in \gamma_{val}(\tilde{\mathbf{r}}\, r) \} & \text{otherwise}
\end{cases}
\]

**Definition 5.2 (Partial order for abstract register states):**

\[
\tilde{\mathbf{r}} \;\tilde{\sqsubseteq}_{reg}\; \tilde{\mathbf{r}}' \iff \forall r \in \text{Reg} : \tilde{\mathbf{r}}\, r \;\tilde{\sqsubseteq}_{val}\; \tilde{\mathbf{r}}'\, r
\]
Table 5.1: PPL operators defined for interval arguments.
Definition 5.3 (Greatest lower bound of abstract register states):
\[
\begin{align*}
\tilde{\top}_{reg} \;\tilde{\sqcap}_{reg}\; \tilde{\mathbf{r}} &= \tilde{\mathbf{r}} \;\tilde{\sqcap}_{reg}\; \tilde{\top}_{reg} = \tilde{\mathbf{r}} \\
\tilde{\bot}_{reg} \;\tilde{\sqcap}_{reg}\; \tilde{\mathbf{r}} &= \tilde{\mathbf{r}} \;\tilde{\sqcap}_{reg}\; \tilde{\bot}_{reg} = \tilde{\bot}_{reg} \\
(\tilde{\mathbf{r}} \;\tilde{\sqcap}_{reg}\; \tilde{\mathbf{r}}')\, r &= \tilde{\mathbf{r}}\, r \;\tilde{\sqcap}_{val}\; \tilde{\mathbf{r}}'\, r
\end{align*}
\]

Definition 5.4 (Least upper bound of abstract register states):
\[
\begin{align*}
\tilde{\top}_{reg} \;\tilde{\sqcup}_{reg}\; \tilde{\mathbf{r}} &= \tilde{\mathbf{r}} \;\tilde{\sqcup}_{reg}\; \tilde{\top}_{reg} = \tilde{\top}_{reg} \\
\tilde{\bot}_{reg} \;\tilde{\sqcup}_{reg}\; \tilde{\mathbf{r}} &= \tilde{\mathbf{r}} \;\tilde{\sqcup}_{reg}\; \tilde{\bot}_{reg} = \tilde{\mathbf{r}} \\
(\tilde{\mathbf{r}} \;\tilde{\sqcup}_{reg}\; \tilde{\mathbf{r}}')\, r &= \tilde{\mathbf{r}}\, r \;\tilde{\sqcup}_{val}\; \tilde{\mathbf{r}}'\, r
\end{align*}
\]

Definition 5.5 (Abstraction of a set of register states):
\[
\alpha_{reg}(R) = \begin{cases}
\tilde{\top}_{reg} & \text{if } R = \text{Reg} \rightarrow \text{Val} \\
\tilde{\bot}_{reg} & \text{if } R = \emptyset \\
\lambda r \in \text{Reg} . \alpha_{val}(\{ \mathbf{r}\, r \mid \mathbf{r} \in R \}) & \text{otherwise}
\end{cases}
\]

Theorem 5.6 (Galois connection – Register states):
\[
\langle \alpha_{\text{reg}}, \gamma_{\text{reg}} \rangle, \text{ where } \gamma_{\text{reg}} \text{ and } \alpha_{\text{reg}} \text{ are defined as in Definitions 5.1 and 5.5, respectively, is a Galois connection.}
\]

Proof. Since \( \alpha_{val} = \alpha_{int} \) and \( \gamma_{val} = \gamma_{int} \), \( \langle \alpha_{val}, \gamma_{val} \rangle \) is a Galois insertion between \( \mathcal{P}(\text{Val}) \) and \( \tilde{\text{Val}} \) (Theorem 3.39).

By Theorem 3.24, \( \langle \alpha_{reg} : \mathcal{P}(\text{Reg} \rightarrow \text{Val}) \rightarrow ((\text{Reg} \rightarrow \tilde{\text{Val}}) \cup \{ \tilde{\bot}_{reg}, \tilde{\top}_{reg} \}), \gamma_{reg} : ((\text{Reg} \rightarrow \tilde{\text{Val}}) \cup \{ \tilde{\bot}_{reg}, \tilde{\top}_{reg} \}) \rightarrow \mathcal{P}(\text{Reg} \rightarrow \text{Val}) \rangle \), where \( \gamma_{reg} \) and \( \alpha_{reg} \) are as presented in Definitions 5.1 and 5.5, respectively, is a Galois connection. \( \Box \)

5.3 Abstract Evaluation of Arithmetical Expressions

The function evaluating arithmetic expressions, \( \mathcal{A} \), must be abstracted since values and register states are abstracted. The abstraction will be \( \tilde{\mathcal{A}} : \text{Aexp} \rightarrow (\text{Reg} \rightarrow \tilde{\text{Val}}) \rightarrow \tilde{\text{Val}} \), which is equivalent to \( \tilde{\mathcal{A}} : \text{Aexp} \rightarrow (\text{Reg} \rightarrow \text{Intv}) \rightarrow \text{Intv} \), and can be derived using Definition 3.11 to induce \( \tilde{\mathcal{A}} \) from \( \mathcal{A} \). To do this, \( \mathcal{A} \) must first be lifted to sets of concrete register mappings:

\[
\mathcal{A}_{\mathcal{P}}[\![a]\!] R = \{ \mathcal{A}[\![a]\!]\mathbf{r} \mid \mathbf{r} \in R \}
\]

The abstract evaluation function can then be derived as:

\[
\tilde{\mathcal{A}}[\![a]\!] = \alpha_{val} \circ \mathcal{A}_{\mathcal{P}}[\![a]\!] \circ \gamma_{reg}
\]

The details of this function can be found in Table 5.2.

Table 5.2: The abstract function evaluating arithmetic expressions.

\[
\begin{align*}
\tilde{\mathcal{A}}[\![n]\!]\tilde{\mathbf{r}} &= \alpha_{val}(\{ n \}) \\
\tilde{\mathcal{A}}[\![r]\!]\tilde{\mathbf{r}} &= \tilde{\mathbf{r}}\, r \\
\tilde{\mathcal{A}}[\![a_1 + a_2]\!]\tilde{\mathbf{r}} &= \tilde{\mathcal{A}}[\![a_1]\!]\tilde{\mathbf{r}} \;\tilde{+}_{val}\; \tilde{\mathcal{A}}[\![a_2]\!]\tilde{\mathbf{r}} \\
\tilde{\mathcal{A}}[\![a_1 - a_2]\!]\tilde{\mathbf{r}} &= \tilde{\mathcal{A}}[\![a_1]\!]\tilde{\mathbf{r}} \;\tilde{-}_{val}\; \tilde{\mathcal{A}}[\![a_2]\!]\tilde{\mathbf{r}} \\
\tilde{\mathcal{A}}[\![a_1 \cdot a_2]\!]\tilde{\mathbf{r}} &= \tilde{\mathcal{A}}[\![a_1]\!]\tilde{\mathbf{r}} \;\tilde{\cdot}_{val}\; \tilde{\mathcal{A}}[\![a_2]\!]\tilde{\mathbf{r}} \\
\tilde{\mathcal{A}}[\![a_1 / a_2]\!]\tilde{\mathbf{r}} &= \tilde{\mathcal{A}}[\![a_1]\!]\tilde{\mathbf{r}} \;\tilde{/}_{val}\; \tilde{\mathcal{A}}[\![a_2]\!]\tilde{\mathbf{r}}
\end{align*}
\]

5.4 Boolean Restriction

The function \( \tilde{\mathcal{B}}_R \), defined in Definition 5.7, will be used in the abstract axiom transition rules (see Table 5.5 on page 84). This function is safely induced from \( \mathcal{B} \), using Definition 3.11, so that the concretization of \( \tilde{\mathcal{B}}_R[\![b]\!]\tilde{\mathbf{r}} \), where \( b \in \text{Bexp} \), always contains (at least) the concrete register states, derived from \( \tilde{\mathbf{r}} \), for which \( b \) evaluates to \( \text{true} \).

Definition 5.7 (Boolean restriction):

\[
\tilde{\mathcal{B}}_R[\![b]\!]\tilde{\mathbf{r}} = \alpha_{reg}(\{ \mathbf{r} \in \gamma_{reg}(\tilde{\mathbf{r}}) \mid \mathcal{B}[\![b]\!]\mathbf{r} \})
\]
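As an added example (not from the thesis), the Python below implements the concrete arithmetic evaluation of Table 4.7, its interval abstraction \( \tilde{\mathcal{A}} \) of Table 5.2 on top of interval operators in the spirit of Section 5.1 (the undefined forms \( 0 \cdot \infty \) and \( \infty / \infty \) collapse to \( [-\infty, \infty] \)), and the register-state abstraction and concretization of Definitions 5.5 and 5.1, and then checks by enumeration that \( \tilde{\mathcal{A}} \) is sound on a small domain. Assumptions of this example: expressions are nested tuples such as `('+', ('r', 'r0'), ('n', 4))`, intervals are `(lo, hi)` pairs with integer or infinite bounds, `BOT` is `None`, and division by an interval that may contain 0 yields `TOP` (Table 5.1 itself is not reproduced on this page).

```python
import operator
from itertools import product
from math import inf

TOP = (-inf, inf)   # tilde-top_val, i.e. [-inf, inf]
BOT = None          # tilde-bot_val, the empty interval

CONCRETE_OPS = {'+': operator.add, '-': operator.sub,
                '*': operator.mul, '/': operator.floordiv}


def A(a, r):
    """Concrete A[[a]]r of Table 4.7 over an integer register state r.
    Expressions are nested tuples: ('n', 3), ('r', 'r0'), ('+', a1, a2), ...
    Division is floored; a zero divisor raises, as the table leaves it undefined."""
    op = a[0]
    if op == 'n':
        return a[1]
    if op == 'r':
        return r[a[1]]
    return CONCRETE_OPS[op](A(a[1], r), A(a[2], r))


def _prod(x, y):
    """Product of two bounds; None marks the undefined 0 * inf (Section 5.1)."""
    if 0 in (x, y):
        return None if inf in (abs(x), abs(y)) else 0
    return x * y


def _quot(x, y):
    """Floored quotient of two bounds with y != 0; None marks inf / inf."""
    if abs(x) == inf and abs(y) == inf:
        return None
    if abs(y) == inf:
        return 0                     # finite / inf: 0 is a safe corner value
    if abs(x) == inf:
        return inf if (x > 0) == (y > 0) else -inf
    return x // y


def _hull(f, i, j):
    """Apply f to the four corner pairs; an undefined corner collapses to TOP."""
    corners = [f(x, y) for x, y in product(i, j)]
    return TOP if None in corners else (min(corners), max(corners))


def iadd(i, j):
    return BOT if BOT in (i, j) else (i[0] + j[0], i[1] + j[1])


def isub(i, j):
    return BOT if BOT in (i, j) else (i[0] - j[1], i[1] - j[0])


def imul(i, j):
    return BOT if BOT in (i, j) else _hull(_prod, i, j)


def idiv(i, j):
    if BOT in (i, j):
        return BOT
    if j[0] <= 0 <= j[1]:            # assumption: a divisor that may be 0 gives TOP
        return TOP
    return _hull(_quot, i, j)        # 0 not in j, so the corners bound the quotient


ABSTRACT_OPS = {'+': iadd, '-': isub, '*': imul, '/': idiv}


def A_abs(a, r_abs):
    """Abstract A~[[a]]r~ of Table 5.2 over an interval register state r~."""
    op = a[0]
    if op == 'n':
        return (a[1], a[1])          # alpha_val({n})
    if op == 'r':
        return r_abs[a[1]]
    return ABSTRACT_OPS[op](A_abs(a[1], r_abs), A_abs(a[2], r_abs))


def gamma_reg(r_abs):
    """Definition 5.1 for finite intervals: enumerate the concrete register states."""
    regs = list(r_abs)
    if any(r_abs[r] is BOT for r in regs):
        return []
    ranges = [range(r_abs[r][0], r_abs[r][1] + 1) for r in regs]
    return [dict(zip(regs, vals)) for vals in product(*ranges)]


def alpha_reg(R):
    """Definition 5.5 for a non-empty set R of register states: per-register hull."""
    return {r: (min(s[r] for s in R), max(s[r] for s in R)) for r in R[0]}


def sound(a, r_abs):
    """A[[a]]r in gamma_val(A~[[a]]r~) for every r in gamma_reg(r~) (Section 5.3)."""
    lo, hi = A_abs(a, r_abs)
    return all(lo <= A(a, r) <= hi for r in gamma_reg(r_abs))


# Constructed sample: r0 in [1, 3], r1 in [-2, 2].
R_ABS = {'r0': (1, 3), 'r1': (-2, 2)}
E1 = ('*', ('-', ('r', 'r0'), ('n', 2)), ('r', 'r1'))   # (r0 - 2) * r1
E2 = ('/', ('+', ('r', 'r0'), ('r', 'r1')), ('n', 2))   # (r0 + r1) / 2
E3 = ('/', ('r', 'r0'), ('r', 'r1'))                    # r1 may be 0

if __name__ == '__main__':
    print(A_abs(E1, R_ABS), sound(E1, R_ABS))     # (-2, 2) True
    print(A_abs(E2, R_ABS), sound(E2, R_ABS))     # (-1, 2) True
    print(A_abs(E3, R_ABS))                       # (-inf, inf)
    print(alpha_reg(gamma_reg(R_ABS)) == R_ABS)   # True
```

Evaluating the corners is enough for multiplication and for division by an interval that excludes 0 because both operations are monotone in each argument on such inputs; the `sound` check is the finite-domain form of the induction \( \tilde{\mathcal{A}}[\![a]\!] = \alpha_{val} \circ \mathcal{A}_{\mathcal{P}}[\![a]\!] \circ \gamma_{reg} \), and the last line exercises the Galois insertion of Theorem 5.6 (\( \alpha_{reg} \circ \gamma_{reg} \) is the identity on proper register states).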
5.5 Abstract Variable States

Using Theorems 3.17, 3.20, 3.24 and 3.39, a Galois connection, \( \langle \alpha_{\text{var}}, \gamma_{\text{var}} \rangle \), between the concrete domain \( \mathcal{P}(\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \) and the abstract domain \( (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\tilde{\text{Val}} \times \tilde{\text{Time}})) \cup \{\tilde{\bot}_{\text{var}}, \tilde{\top}_{\text{var}}\} \) can be established. The concretization function, \( \gamma_{\text{var}} \), abstraction function, \( \alpha_{\text{var}} \), partial order, \( \tilde{\sqsubseteq}_{\text{var}} \), greatest lower bound, \( \tilde{\sqcap}_{\text{var}} \), and least upper bound, \( \tilde{\sqcup}_{\text{var}} \), are given by Definitions 5.8, 5.9, 5.14, 5.15 and 5.16, respectively.

\( \tilde{\mathbf{x}} \) is the bottom element, \( \tilde{\bot}_{var} \), if \( \exists x \in \text{Var} : \exists T \in \text{Thrd} : (\tilde{\mathbf{x}}\, x)\, T = \emptyset \); i.e., some variable and thread combination maps to the empty set (there is no write history available for that combination). Note that such an abstract variable state has no concrete counterparts (\( \gamma_{var}(\tilde{\bot}_{var}) = \emptyset \)). Therefore, an abstract variable state, \( \tilde{\mathbf{x}} \), that actually contains no history for thread \( T \) on variable \( x \), should have \( (\tilde{\mathbf{x}}\, x)\, T = \{ (\tilde{\bot}_{val}, \tilde{\bot}_t) \} \) to make \( \tilde{\mathbf{x}} \neq \tilde{\bot}_{var} \). Note that \( \gamma_{var}(\tilde{\mathbf{x}}) \), where \( (\tilde{\mathbf{x}}\, x)\, T = \{ (\tilde{\bot}_{val}, \tilde{\bot}_t) \} \) for some variable, \( x \), and thread, \( T \), is a set of concrete states, \( X \), for which all \( \mathbf{x} \in X \) are such that \( (\mathbf{x}\, x)\, T = \emptyset \).

The top element, \( \tilde{\top}_{\text{var}} \), corresponds to a state where all variable and thread combinations are mapped to \( \tilde{\text{Val}} \times \tilde{\text{Time}} \).

**Definition 5.8 (Concretization of an abstract variable state):**

\[
\begin{align*}
\gamma_{var}(\tilde{\top}_{var}) &= \text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time}) \\
\gamma_{var}(\tilde{\bot}_{var}) &= \emptyset \\
\gamma_{var}(\tilde{\mathbf{x}}) &= \{ \lambda x \in \text{Var} . f \mid f \in \{ \lambda T \in \text{Thrd} . W \mid W \in \{ W' \mid (\alpha_{val}(\{ v \in \text{Val} \mid \exists t \in \text{Time} : (v, t) \in W' \}), \\
&\qquad \alpha_t(\{ t \in \text{Time} \mid \exists v \in \text{Val} : (v, t) \in W' \})) \in (\tilde{\mathbf{x}}\, x)\, T \} \} \} \quad \text{otherwise}
\end{align*}
\]

**Definition 5.9 (Abstraction of a set of variable states):**

\[
\begin{align*}
\alpha_{var}(\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) &= \tilde{\top}_{var} \\
\alpha_{var}(\emptyset) &= \tilde{\bot}_{var} \\
\alpha_{var}(X) &= \lambda x \in \text{Var} . \lambda T \in \text{Thrd} . \{ (\alpha_{val}(\{ v \in \text{Val} \mid \exists t \in \text{Time} : (v, t) \in W \}), \\
&\qquad \alpha_t(\{ t \in \text{Time} \mid \exists v \in \text{Val} : (v, t) \in W \})) \mid W \in \{ (\mathbf{x}\, x)\, T \mid \mathbf{x} \in X \} \} \quad \text{otherwise}
\end{align*}
\]

Theorem 5.10 (Galois connection – Variable states):
\( \langle \alpha_{var}, \gamma_{var} \rangle \), where \( \gamma_{var} \) and \( \alpha_{var} \) are defined as in Definitions 5.8 and 5.9, respectively, defines a Galois connection.

Proof. Since \( \langle \alpha_{int}, \gamma_{int} \rangle \) is a Galois insertion (Theorem 3.39) and thus a Galois connection, so are \( \langle \alpha_{val}, \gamma_{val} \rangle \) and \( \langle \alpha_t, \gamma_t \rangle \) (since \( \alpha_{val} = \alpha_t = \alpha_{int} \) and \( \gamma_{val} = \gamma_t = \gamma_{int} \)). Using Theorems 3.17, 3.20 and 3.24 to derive \( \alpha_{var} \) and \( \gamma_{var} \), the result follows (note that the cases \( \gamma_{var}(\tilde{\top}_{var}) \), \( \gamma_{var}(\tilde{\bot}_{var}) \), \( \alpha_{var}(\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \) and \( \alpha_{var}(\emptyset) \) follow trivially):

\[
\gamma_{var}(\tilde{\mathbf{x}}) \overset{\text{Th. 3.24}}{=} \{ \lambda x \in \text{Var} . f \mid f \in \gamma'(\tilde{\mathbf{x}}\, x) \} \overset{\text{Th. 3.24}}{=} \{ \lambda x \in \text{Var} . f \mid f \in \{ \lambda T \in \text{Thrd} . W \mid W \in \gamma''((\tilde{\mathbf{x}}\, x)\, T) \} \}
\]

\[
\alpha_{var}(X) \overset{\text{Th. 3.24}}{=} \lambda x \in \text{Var} . \alpha'(\{ \mathbf{x}\, x \mid \mathbf{x} \in X \}) \overset{\text{Th. 3.24}}{=} \lambda x \in \text{Var} . \lambda T \in \text{Thrd} . \alpha''(\{ (\mathbf{x}\, x)\, T \mid \mathbf{x} \in X \})
\]

where \( \gamma'' \) and \( \alpha'' \) are the innermost concretization and abstraction of sets of writes used in Definitions 5.8 and 5.9, obtained from \( \langle \alpha_{val}, \gamma_{val} \rangle \) and \( \langle \alpha_t, \gamma_t \rangle \) via Theorems 3.17 and 3.20. \( \Box \)

The state \( \tilde{\mathbf{x}} \in (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\tilde{\text{Val}} \times \tilde{\text{Time}})) \cup \{ \tilde{\bot}_{var}, \tilde{\top}_{var} \} \) can save any number (i.e., a history) of abstract writes, \( \tilde{w} \in \tilde{\text{Val}} \times \tilde{\text{Time}} \), for each thread that writes some variable. This is done to counteract the precision loss due to approximating points in time with intervals. The information available in such a history makes it possible to use sequence information (within each thread) and timing information (between threads) to get a reasonably tight value when reading a variable.

For convenience in expressing, and increased readability of, the upcoming algorithms, some relations for abstract writes, \( \tilde{w} := (\tilde{v}, \tilde{t}) \), will be defined. The partial order, \( \tilde{\sqsubseteq}_w \), and least upper bound operator, \( \tilde{\sqcup}_w \), for writes follow naturally (cf. Definitions 3.26 and 3.28) from the partial orders and least upper bound operators for values, \( \tilde{\sqsubseteq}_{val} \) and \( \tilde{\sqcup}_{val} \), and time, \( \tilde{\sqsubseteq}_t \) and \( \tilde{\sqcup}_t \). \( \tilde{\sqsubseteq}_w \) and \( \tilde{\sqcup}_w \) are given by Definitions 5.11 and 5.12, respectively.

Definition 5.11 (Partial order of writes, \( \tilde{\sqsubseteq}_w \)):

\[
\begin{align*}
\tilde{\bot}_w &\;\tilde{\sqsubseteq}_w\; \tilde{w} \\
\tilde{w} &\;\tilde{\sqsubseteq}_w\; \tilde{\top}_w \\
(\tilde{v}_1, \tilde{t}_1) &\;\tilde{\sqsubseteq}_w\; (\tilde{v}_2, \tilde{t}_2) \iff \tilde{v}_1 \;\tilde{\sqsubseteq}_{val}\; \tilde{v}_2 \land \tilde{t}_1 \;\tilde{\sqsubseteq}_t\; \tilde{t}_2
\end{align*}
\]

Definition 5.12 (Least upper bound of writes, \( \tilde{\sqcup}_w \)):

\[
\begin{align*}
\tilde{\bot}_w \;\tilde{\sqcup}_w\; \tilde{w} &= \tilde{w} \;\tilde{\sqcup}_w\; \tilde{\bot}_w = \tilde{w} \\
\tilde{\top}_w \;\tilde{\sqcup}_w\; \tilde{w} &= \tilde{w} \;\tilde{\sqcup}_w\; \tilde{\top}_w = \tilde{\top}_w \\
(\tilde{v}_1, \tilde{t}_1) \;\tilde{\sqcup}_w\; (\tilde{v}_2, \tilde{t}_2) &= (\tilde{v}_1 \;\tilde{\sqcup}_{val}\; \tilde{v}_2, \; \tilde{t}_1 \;\tilde{\sqcup}_t\; \tilde{t}_2)
\end{align*}
\]

The precedence relation, \( \prec_t \), on abstract times, given by Definition 5.13, will be useful for determining whether two writes are performed at disjoint times, or the order of two arbitrary events.

Definition 5.13 (Time precedence, \( \prec_t \)):

\[
\begin{align*}
\tilde{t} & \prec_t \top_t & \text{if } \tilde{t} \neq \top_t \\
\bot_t & \prec_t \tilde{t} & \text{if } \tilde{t} \neq \bot_t \\
\tilde{t}_1 & \prec_t \tilde{t}_2 \iff \max(\gamma_t(\tilde{t}_1)) < \min(\gamma_t(\tilde{t}_2)) & \text{if } \tilde{t}_1, \tilde{t}_2 \notin \{ \bot_t, \top_t \}
\end{align*}
\]

The definitions of \( \sqsubseteq_{\text{var}} \), \( \sqcap_{\text{var}} \) and \( \sqcup_{\text{var}} \) follow naturally from the definition of the domain (c.f., Definitions 3.26, 3.27 and 3.28) and are presented in Definitions 5.14, 5.15 and 5.16, respectively. However, these relations and operators cannot be used directly within the analysis to, e.g., join (merge) the histories of writes in several variable states. This is because the histories in the states might carry different sequence information (i.e., traces), which would be lost if the two states were merged. Reading a safe and tight value for a variable requires the sequence information to be available. Therefore, the operations to be used within the analysis should instead be defined based on Definition 5.18, to ensure that all threads see safe values (see Definition 5.19) at all times. Note that Definition 5.17 defines the uniquely most recent write in a set of writes, both among several threads (globally) and for a single thread (locally).

**Definition 5.14 (Partial order for abstract variable states):**

\[
\begin{align*}
\tilde{x} \sqsubseteq_{\text{var}} \tilde{x}' & \iff \forall x \in \text{Var} : \forall T \in \text{Thrd} : (\tilde{x}\, x)\, T \subseteq (\tilde{x}'\, x)\, T
\end{align*}
\]

**Definition 5.15 (Greatest lower bound of abstract variable states):**

\[
\begin{align*}
\top_{\text{var}} \sqcap_{\text{var}} \tilde{x} & = \tilde{x} \sqcap_{\text{var}} \top_{\text{var}} = \tilde{x} \\
\bot_{\text{var}} \sqcap_{\text{var}} \tilde{x} & = \tilde{x} \sqcap_{\text{var}} \bot_{\text{var}} = \bot_{\text{var}} \\
((\tilde{x} \sqcap_{\text{var}} \tilde{x}')\, x)\, T & = ((\tilde{x}\, x)\, T) \cap ((\tilde{x}'\, x)\, T)
\end{align*}
\]

**Definition 5.16 (Least upper bound of abstract variable states):**

\[
\begin{align*}
\top_{\text{var}} \sqcup_{\text{var}} \tilde{x} & = \tilde{x} \sqcup_{\text{var}} \top_{\text{var}} = \top_{\text{var}} \\
\bot_{\text{var}} \sqcup_{\text{var}} \tilde{x} & = \tilde{x} \sqcup_{\text{var}} \bot_{\text{var}} = \tilde{x} \\
((\tilde{x} \sqcup_{\text{var}} \tilde{x}')\, x)\, T & = ((\tilde{x}\, x)\, T) \cup ((\tilde{x}'\, x)\, T)
\end{align*}
\]

**Definition 5.17 (Time of most recent write):**

The most recent write(s), \((\tilde{v}, \tilde{t})\), in a set of writes is defined such that \(\min(\gamma_t(\tilde{t})) \geq \min(\gamma_t(\tilde{t}'))\) for all other writes, \((\tilde{v}', \tilde{t}')\), in the set. If several writes, \((\tilde{v}', \tilde{t}')\), are such that \(\min(\gamma_t(\tilde{t})) = \min(\gamma_t(\tilde{t}'))\), the time of the most recent write, \(\tilde{t}\), is uniquely determined from the write(s) with \(\max(\gamma_t(\tilde{t})) = \max(\{\max(\gamma_t(\tilde{t}')) \mid \tilde{t}' \text{ ranges over the time-stamps of the writes such that } \min(\gamma_t(\tilde{t})) = \min(\gamma_t(\tilde{t}'))\})\).

Note. The definition of the "time of the most recent write" and many of the upcoming algorithms could be simplified considerably if the notion of lists were available. The positions of the writes in a list could simply correspond to the sequential order in which they occurred within a thread. Therefore, implementations of the upcoming algorithms could look very different from how they are defined here.

Definition 5.18 (Safe write history):
An abstract variable state, $\tilde{x}$, is safe at time $\tilde{t}$ if $\gamma_{\text{var}}(\tilde{x})$ represents at least all the possible concrete variable states that can be valid at any time $t \in \gamma_t(\tilde{t})$ for the given thread trace(s).

Thus, to be safe at time $\tilde{t}$, $\tilde{x}$ must, for each variable, $x \in \text{Var}$, and each thread, $T \in \text{Thrd}$, be such that $(\tilde{x}\ x)\ T$ contains at least

1. all writes, $(\tilde{v}, \tilde{t}')$, by $T$ on $x$ such that $\tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}'$ (i.e., writes whose time-stamps overlap with $\tilde{t}$), and

2. the latest (most recent) write(s), $(\tilde{v}, \tilde{t}')$, by $T$ on $x$ such that $\tilde{t}' \prec_t \tilde{t}$, if $\tilde{t}' \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t$, where $\tilde{t}_{\text{mrw}}$ is the time of the globally most recent write among the writes preceding $\tilde{t}$, or,

3. $(\bot_{\text{val}}, \bot_t)$ otherwise (i.e., if there are no writes that fit 1 or 2 above, or if no writes have occurred by $T$ on $x$).

From how the concrete and abstract domains (c.f., Section 4.1 and this section) and transition rules (c.f., Section 4.2) are defined, it is apparent that $\tilde{x}$ is a safe approximation of $x$ (i.e., $\tilde{x}$ contains safe write history) iff $\exists x' \in \gamma_{\text{var}}(\tilde{x}) : \forall x \in \text{Var} : \forall T \in \text{Thrd} : ((\tilde{x}\ x) T) \subseteq ((\tilde{x}'\ x) T)$.

Definition 5.19 (Safe value of $x$ as seen by thread $T$):
Assuming that $\tilde{x}$ contains safe write history for all threads on variable $x$, according to Definition 5.18, a safe value of $x$, as seen by thread $T$, at time $\tilde{t}$ is the least upper bound, $\bigsqcup_{\text{val}}$, of the values of at least the following writes on $x$.

1. All writes, $\tilde{w}_{T'} = (\tilde{v}_{T'}, \tilde{t}_{T'})$, for threads $T' \in \text{Thrd} \setminus \{T\}$ on $x$ such that $\tilde{t}_{T'} \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}_{T'}$.

2. The most recent write in $\{(\tilde{v}_{T'}, \tilde{t}_{T'}) \in (\tilde{x}\ x)\ T' \mid \tilde{t}_{T'} \prec_t \tilde{t}\}$ for each thread $T' \in \text{Thrd} \setminus \{T\}$, and the most recent write, $(\tilde{v}_T, \tilde{t}_T) \in (\tilde{x}\ x)\ T$, such that $\min(\gamma_t(\tilde{t}_T)) \leq \min(\gamma_t(\tilde{t}))$, whenever its time-stamp, $\tilde{t}_{T'}$ (respectively $\tilde{t}_T$), satisfies $\tilde{t}_{T'} \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t$, where $\tilde{t}_{\text{mrw}}$ is the time of the (globally) most recent write in $\{(\tilde{v}_T, \tilde{t}_T)\} \cup \bigcup_{T' \in \text{Thrd} \setminus \{T\}} \{(\tilde{v}_{T'}, \tilde{t}_{T'}) \in (\tilde{x}\ x)\ T' \mid \tilde{t}_{T'} \prec_t \tilde{t}\}$.

Algorithm 5.1 Partial Order of Abstract Variable States

1: function PARTIALORDERVAR(\(\tilde{x}, \tilde{x}'\))
2:   for all \(x \in \text{Var}\) do
3:     for all \(T \in \text{Thrd}\) do
4:       \(\tilde{W} \leftarrow (\tilde{x}\, x)\, T\)
5:       \(\tilde{W}' \leftarrow (\tilde{x}'\, x)\, T\)
6:       while \(\tilde{W} \neq \emptyset \land \tilde{W}' \neq \emptyset\) do
7:         \(\tilde{w} \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W})\)
8:         \(\tilde{w}' \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W}')\)
9:         \(\tilde{W} \leftarrow \tilde{W} \setminus \{\tilde{w}\}\)
10:        \(\tilde{W}' \leftarrow \tilde{W}' \setminus \{\tilde{w}'\}\)
11:        if \(\tilde{w} \neq \tilde{w}'\) then
12:          if \(\tilde{W}' = \emptyset\) then
13:            for all \(\tilde{w}'' \in \tilde{W} \cup \{\tilde{w}\}\) do
14:              if \(\tilde{w}'' \not\sqsubseteq_w \tilde{w}'\) then
15:                return false
16:              end if
17:            end for
18:            \(\tilde{W} \leftarrow \emptyset\)
19:          else
20:            return false
21:          end if
22:        end if
23:      end while
24:      if \(\tilde{W} \neq \emptyset\) then
25:        return false
26:      end if
27:    end for
28:  end for
29:  return true
30: end function

The partial order for abstract variable states to be used within the analysis, \(\sqsubseteq_{\text{var}}\), is given by Definition 5.20 based on PARTIALORDERVAR, defined in Algorithm 5.1, taking the safety of write history (Definition 5.18) into account. Note that EARLIESTWRITETHREAD, as defined in Algorithm 5.2, returns a
Algorithm 5.2 Earliest Write for a Thread

1: function EARLIESTWRITETHREAD(\( \tilde{W} \))
2:   if \( \tilde{W} = \emptyset \) then
3:     return \( \bot_w \)
4:   end if
5:   \( \tilde{t}_{\min} \leftarrow \alpha_t(\{ \infty \}) \)
6:   for all \((\tilde{v}, \tilde{t}) \in \tilde{W}\) do
7:     if \( \min(\gamma_t(\tilde{t})) < \min(\gamma_t(\tilde{t}_{\min})) \) then
8:       \( \tilde{t}_{\min} \leftarrow \tilde{t} \)
9:     else if \( \min(\gamma_t(\tilde{t})) = \min(\gamma_t(\tilde{t}_{\min})) \) then
10:      \( \tilde{t}_{\min} \leftarrow \tilde{t} \sqcap_t \tilde{t}_{\min} \)
11:    end if
12:  end for
13:  \( \tilde{W}' \leftarrow \{ (\tilde{v}, \tilde{t}) \mid (\tilde{v}, \tilde{t}) \in \tilde{W} \land \tilde{t} = \tilde{t}_{\min} \} \)
14:  \( \tilde{v}_{\min} \leftarrow \alpha_{\text{val}}(\{ \infty \}) \)
15:  for all \((\tilde{v}, \tilde{t}) \in \tilde{W}'\) do
16:    if \( \min(\gamma_{\text{val}}(\tilde{v})) < \min(\gamma_{\text{val}}(\tilde{v}_{\min})) \) then
17:      \( \tilde{v}_{\min} \leftarrow \tilde{v} \)
18:    else if \( \min(\gamma_{\text{val}}(\tilde{v})) = \min(\gamma_{\text{val}}(\tilde{v}_{\min})) \) then
19:      \( \tilde{v}_{\min} \leftarrow \tilde{v} \sqcap_{\text{val}} \tilde{v}_{\min} \)
20:    end if
21:  end for
22:  return \( (\tilde{v}_{\min}, \tilde{t}_{\min}) \)
23: end function
deterministically defined write. The idea is that the history (trace) for each thread and variable should be the same in both states for the relation to hold. However, the histories are allowed to differ somewhat. The greater state may also contain newer writes than those in the history of the lesser state, and the newest write in the greater state may be an upper bound of all the most recent writes in the lesser state that are not part of both histories.

Definition 5.20 (Safe partial order of abstract variable states):

\[
\begin{align*}
\tilde{x} & \sqsubseteq_{\text{var}} \top_{\text{var}} \\
\bot_{\text{var}} & \sqsubseteq_{\text{var}} \tilde{x} \\
\tilde{x} \sqsubseteq_{\text{var}} \tilde{x}' & \iff \text{PARTIALORDERVAR}(\tilde{x}, \tilde{x}')
\end{align*}
\]

Based on this partial order relation, the lower bound and upper bound operators to be used within the analysis, \(\sqcap_{\text{var}}\) and \(\sqcup_{\text{var}}\), are given by Definitions 5.21 and 5.22, respectively. Note that \(\text{MEETVAR}\) is defined in Algorithm 5.3 and \(\text{JOINVAR}\) is defined in Algorithm 5.4.

Definition 5.21 (Safe lower bound of abstract variable states):

\[
\begin{align*}
\top_{\text{var}} \sqcap_{\text{var}} \tilde{x} & = \tilde{x} \sqcap_{\text{var}} \top_{\text{var}} = \tilde{x} \\
\bot_{\text{var}} \sqcap_{\text{var}} \tilde{x} & = \tilde{x} \sqcap_{\text{var}} \bot_{\text{var}} = \bot_{\text{var}} \\
\tilde{x} \sqcap_{\text{var}} \tilde{x}' & = \text{MEETVAR}(\tilde{x}, \tilde{x}')
\end{align*}
\]

Definition 5.22 (Safe upper bound of abstract variable states):

\[
\begin{align*}
\top_{\text{var}} \sqcup_{\text{var}} \tilde{x} & = \tilde{x} \sqcup_{\text{var}} \top_{\text{var}} = \top_{\text{var}} \\
\bot_{\text{var}} \sqcup_{\text{var}} \tilde{x} & = \tilde{x} \sqcup_{\text{var}} \bot_{\text{var}} = \tilde{x} \\
\tilde{x} \sqcup_{\text{var}} \tilde{x}' & = \text{JOINVAR}(\tilde{x}, \tilde{x}')
\end{align*}
\]

Note. None of \(\sqsubseteq_{\text{var}}\), \(\sqcap_{\text{var}}\) and \(\sqcup_{\text{var}}\) is currently used by the analysis (c.f., Chapter 6); they are presented for completeness of the abstraction, since these operators cannot be based directly on the lattice. However, if, e.g., merging of configurations [25] is introduced to lower the complexity of the analysis, at least \(\sqcup_{\text{var}}\) will be needed.
Algorithm 5.3 Meeting Two Abstract Variable States

1: function MEETVAR($\tilde{x}, \tilde{x}'$)
2:   $\tilde{x}'' \leftarrow \bot_{\text{var}}$
3:   for all $x \in \text{Var}$ do
4:     for all $T \in \text{Thrd}$ do
5:       $\tilde{W} \leftarrow (\tilde{x}\, x)\, T$
6:       $\tilde{W}' \leftarrow (\tilde{x}'\, x)\, T$
7:       $C \leftarrow \emptyset$
8:       while $\tilde{W} \neq \emptyset \land \tilde{W}' \neq \emptyset$ do
9:         $(\tilde{v}, \tilde{t}) \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W})$
10:        $(\tilde{v}', \tilde{t}') \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W}')$
11:        $\tilde{W} \leftarrow \tilde{W} \setminus \{(\tilde{v}, \tilde{t})\}$
12:        $\tilde{W}' \leftarrow \tilde{W}' \setminus \{(\tilde{v}', \tilde{t}')\}$
13:        if $(\tilde{v}, \tilde{t}) = (\tilde{v}', \tilde{t}')$ then
14:          $C \leftarrow C \cup \{(\tilde{v}, \tilde{t})\}$
15:        else if $\tilde{v} \sqcap_{\text{val}} \tilde{v}' \neq \bot_{\text{val}} \land \tilde{t} \sqcap_t \tilde{t}' \neq \bot_t \land \tilde{W} = \emptyset \land \tilde{W}' = \emptyset$ then
16:          $C \leftarrow C \cup \{(\tilde{v}, \tilde{t}), (\tilde{v}', \tilde{t}')\}$
17:        else
18:          $\tilde{W} \leftarrow \emptyset$
19:          $\tilde{W}' \leftarrow \emptyset$
20:        end if
21:      end while
22:      if $C = \emptyset$ then
23:        $(\tilde{x}''\, x)\, T \leftarrow \{(\bot_{\text{val}}, \bot_t)\}$
24:      else
25:        $(\tilde{x}''\, x)\, T \leftarrow C$
26:      end if
27:    end for
28:  end for
29:  return $\tilde{x}''$
30: end function
Algorithm 5.4 Joining Two Abstract Variable States

1: function JOINVAR($\tilde{x}, \tilde{x}'$)
2:   $\tilde{x}'' \leftarrow \bot_{\text{var}}$
3:   for all $x \in \text{Var}$ do
4:     for all $T \in \text{Thrd}$ do
5:       $\tilde{W} \leftarrow (\tilde{x}\, x)\, T$
6:       $\tilde{W}' \leftarrow (\tilde{x}'\, x)\, T$
7:       $C \leftarrow \emptyset$
8:       $M \leftarrow (\bot_{\text{val}}, \bot_t)$
9:       while $\tilde{W} \neq \emptyset \lor \tilde{W}' \neq \emptyset$ do
10:        $\tilde{w} \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W})$
11:        $\tilde{w}' \leftarrow \text{EARLIESTWRITETHREAD}(\tilde{W}')$
12:        if $\tilde{w} = \tilde{w}'$ then
13:          $C \leftarrow C \cup \{\tilde{w}\}$
14:          $\tilde{W} \leftarrow \tilde{W} \setminus \{\tilde{w}\}$
15:          $\tilde{W}' \leftarrow \tilde{W}' \setminus \{\tilde{w}'\}$
16:        else if $\tilde{W} = \emptyset$ then
17:          $C \leftarrow C \cup \tilde{W}'$
18:          $\tilde{W}' \leftarrow \emptyset$
19:        else if $\tilde{W}' = \emptyset$ then
20:          $C \leftarrow C \cup \tilde{W}$
21:          $\tilde{W} \leftarrow \emptyset$
22:        else
23:          $M \leftarrow \bigsqcup_w \tilde{W} \sqcup_w \bigsqcup_w \tilde{W}'$
24:          $\tilde{W} \leftarrow \emptyset$
25:          $\tilde{W}' \leftarrow \emptyset$
26:        end if
27:      end while
28:      $(\tilde{x}''\, x)\, T \leftarrow C$
29:      if $M \neq (\bot_{\text{val}}, \bot_t)$ then
30:        $(\tilde{x}''\, x)\, T \leftarrow ((\tilde{x}''\, x)\, T) \cup \{M\}$
31:      end if
32:    end for
33:  end for
34:  return $\tilde{x}''$
35: end function
Algorithm 5.5 Write to Variable

1: function WRITE(\(T, \tilde{x}, x, \tilde{w}\))
2:   \((\tilde{x}'\, x')\, T' \leftarrow \begin{cases} ((\tilde{x}\, x)\, T) \cup \{\tilde{w}\} & \text{if } x' = x \land T' = T \\ (\tilde{x}\, x')\, T' & \text{otherwise} \end{cases}\)
3:   return \(\tilde{x}'\)
4: end function

Figure 5.3: The time-stamps of the writes considered by \(\text{READ}(\tilde{x}, x, T_1, \tilde{t}_1)\) and \(\text{READ}(\tilde{x}, x, T_2, \tilde{t}_2)\).

\(\text{WRITE}(T, \tilde{x}, x, \tilde{w})\), as defined in Algorithm 5.5, safely (Lemma 5.23) adds the write, \(\tilde{w}\), to the write history of thread \(T\) on \(x\), i.e., to \((\tilde{x}\, x)\, T\).

**Lemma 5.23 (Soundness of WRITE):**

Assuming that \(\tilde{x}\) contains safe write history for variable \(x\) and thread \(T\) (c.f., Definition 5.18) before the write by thread \(T\) is performed at time \(\tilde{t}\), then so does \(\text{WRITE}(T, \tilde{x}, x, (\tilde{v}, \tilde{t}))\).

**Proof.** Since \(\text{WRITE}(T, \tilde{x}, x, (\tilde{v}, \tilde{t}))\) simply adds the write \((\tilde{v}, \tilde{t})\) to the history of thread \(T\)'s writes on variable \(x\) in the state \(\tilde{x}\), and \(\tilde{x}\) is assumed to contain safe write history for \(T\) on \(x\), \(\text{WRITE}(T, \tilde{x}, x, (\tilde{v}, \tilde{t}))\) trivially fulfills the safety condition in Definition 5.18 with regard to \(T\) and \(x\). □

Using the sequence and timing information provided by Definition 5.19, \(\text{READ}(\tilde{x}, x, T, \tilde{t})\), as defined in Algorithm 5.6, only takes the writes that might be valid at \(\tilde{t}\) (the point in time when \(T\) issues the \(\text{READ}\)) into consideration for its returned value, \(\tilde{v} \in \text{Val}\), which is safe (Lemma 5.26). These writes, \(\tilde{w} = (\tilde{v}', \tilde{t}')\), come from two categories. The first category covers the writes on \(x\) by threads \(T' \in \text{Thrd} \setminus \{T\}\) whose time-stamps overlap in time with \(\tilde{t}\), i.e., \(\tilde{t} \sqcap_t \tilde{t}' \neq \bot_t\). The second category covers the most recent write on \(x\) for each thread (including \(T\)) whose time-stamp overlaps with the overall most recent write among the writes that do not belong to the first category. Note that any write by thread \(T\) with a time-stamp that begins after the beginning of \(\tilde{t}\) is discarded, as is any write by \(T' \in \text{Thrd} \setminus \{T\}\) whose time-stamp completely succeeds \(\tilde{t}\). This is because such writes cannot have occurred at the time of issuing the \(\text{READ}\).
Algorithm 5.6 Read from Variable

1: function READ(\(\tilde{x}, x, T, \tilde{t}\))
2:   \(\tilde{x}' \leftarrow \bot_{\text{var}}\)
3:   for all \(T' \in \text{Thrd} \setminus \{T\}\) do
4:     \((\tilde{x}'\, x)\, T' \leftarrow \{(\tilde{v}', \tilde{t}') \in (\tilde{x}\, x)\, T' \mid \tilde{t} \not\prec_t \tilde{t}'\}\)
5:   end for
6:   \((\tilde{x}'\, x)\, T \leftarrow \{(\tilde{v}', \tilde{t}') \in (\tilde{x}\, x)\, T \mid \min(\gamma_t(\tilde{t})) \geq \min(\gamma_t(\tilde{t}'))\}\)
7:   \(\tilde{W} \leftarrow \emptyset\)
8:   for all \(T' \in \text{Thrd} \setminus \{T\}\) do
9:     \(\tilde{W}_{T'} \leftarrow \{(\tilde{v}', \tilde{t}') \in (\tilde{x}'\, x)\, T' \mid \tilde{t}' \not\prec_t \tilde{t}\}\)
10:    \((\tilde{x}'\, x)\, T' \leftarrow ((\tilde{x}'\, x)\, T') \setminus \tilde{W}_{T'}\)
11:    \(\tilde{W} \leftarrow \tilde{W} \cup \tilde{W}_{T'}\)
12:  end for
13:  \(\tilde{t}_{\text{mrw}} \leftarrow \text{MOSTRECENTWRITETIME}(\tilde{x}', x)\)
14:  if \(\tilde{t}_{\text{mrw}} \neq \bot_t\) then
15:    for all \(T' \in \text{Thrd}\) do
16:      \(\tilde{t}'_{\text{mrw}} \leftarrow \text{MOSTRECENTWRITETIMETHREAD}((\tilde{x}'\, x)\, T')\)
17:      \(\tilde{W} \leftarrow \tilde{W} \cup \{(\tilde{v}', \tilde{t}') \in (\tilde{x}'\, x)\, T' \mid \tilde{t}'_{\text{mrw}} \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t \land \tilde{t}' \sqcap_t \tilde{t}'_{\text{mrw}} \neq \bot_t\}\)
18:    end for
19:  end if
20:  \(\tilde{v} \leftarrow \begin{cases} \bigsqcup_{\text{val}} \{\tilde{v}' \mid \exists \tilde{t}' \in \text{Time} : (\tilde{v}', \tilde{t}') \in \tilde{W}\} & \text{if } \tilde{W} \neq \emptyset \\ [-\infty, \infty] & \text{otherwise} \end{cases}\)
21:  return \(\tilde{v}\)
22: end function

Algorithm 5.7 Time of Most Recent Write

1: function MOSTRECENTWRITETIME(\(\tilde{x}, x\))
2:   return MOSTRECENTWRITETIMETHREAD(\(\bigcup_{T \in \text{Thrd}} ((\tilde{x}\, x)\, T)\))
3: end function

Algorithm 5.8 Time of Most Recent Write in Thread

1: function MOSTRECENTWRITETIMETHREAD(\(\tilde{W}\))
2:   if \(\tilde{W} = \emptyset\) then
3:     return \(\bot_t\)
4:   end if
5:   \(t_{\min} \leftarrow \max\{\min(\gamma_t(\tilde{t})) \mid \exists \tilde{v} \in \text{Val} : (\tilde{v}, \tilde{t}) \in \tilde{W}\}\)
6:   \(t_{\max} \leftarrow \max\{\max(\gamma_t(\tilde{t})) \mid \exists \tilde{v} \in \text{Val} : (\tilde{v}, \tilde{t}) \in \tilde{W} \land \min(\gamma_t(\tilde{t})) = t_{\min}\}\)
7:   return \(\alpha_t(\{t_{\min}, t_{\max}\})\)
8: end function
(and will thus usually not be included in \(\tilde{x}\) at all). An illustration of the time-stamps of the writes in \(T_1\) and \(T_2\) that must be considered by \(\text{READ}(\tilde{x}, x, T_1, \tilde{t}_1)\) (lines with arrow heads pointing left) and \(\text{READ}(\tilde{x}, x, T_2, \tilde{t}_2)\) (lines with arrow heads pointing right) is given in Figure 5.3. The returned value, \(\tilde{v}\), is the least upper bound of the values of the considered writes. Note that \(\text{MOSTRECENTWRITETIME}\) and \(\text{MOSTRECENTWRITETIMETHREAD}\) are defined based on Definition 5.17 in Algorithms 5.7 and 5.8, respectively, and that these functions give the time of the most recent write among the writes in a set of writes (Lemmas 5.24 and 5.25).

**Lemma 5.24 (Soundness of MOSTRECENTWRITETIMETHREAD):**

\(\text{MOSTRECENTWRITETIMETHREAD}(\tilde{W})\), defined in Algorithm 5.8, gives the time of the most recent write in \(\tilde{W}\).

\begin{proof}
If \(\tilde{W} = \emptyset\), then \(\bot_t\) is returned. Otherwise, \(t_{\min}\) is the greatest lower limit of the time-stamp of any write in \(\tilde{W}\) (\(\max\{\min(\gamma_t(\tilde{t})) \mid \exists \tilde{v} \in \text{Val} : (\tilde{v}, \tilde{t}) \in \tilde{W}\}\)) and \(t_{\max}\) is the greatest upper limit of the time-stamps of the writes in \(\tilde{W}\) whose lower limits are equal to \(t_{\min}\) (\(\max\{\max(\gamma_t(\tilde{t})) \mid \exists \tilde{v} \in \text{Val} : (\tilde{v}, \tilde{t}) \in \tilde{W} \land \min(\gamma_t(\tilde{t})) = t_{\min}\}\)). Thus, \(\alpha_t(\{t_{\min}, t_{\max}\})\) is the time of the most recent write in \(\tilde{W}\), as given by Definition 5.17.
\end{proof}

**Lemma 5.25 (Soundness of MOSTRECENTWRITETIME):**

\(\text{MOSTRECENTWRITETIME}(\tilde{x}, x)\), defined in Algorithm 5.7, gives the time of the globally most recent write on \(x\) in \(\tilde{x}\).

\begin{proof}
This proof is trivial since \(\text{MOSTRECENTWRITETIMETHREAD}(\tilde{W})\) is the time of the most recent write in \(\tilde{W}\) (Lemma 5.24) and the set of writes, \(\tilde{W}\), is \(\bigcup_{T \in \text{Thrd}} ((\tilde{x}\, x)\, T)\); i.e., \(\tilde{W}\) is a set containing the writes by all threads in \(\text{Thrd}\) on \(x\). Thus, the time of the globally most recent write, as given by Definition 5.17, is returned.
\end{proof}

**Lemma 5.26 (Soundness of READ):**

Assuming that \(\tilde{x}\) contains safe write history at \(\tilde{t}\) (Definition 5.18), a safe value for \(x\) at \(\tilde{t}\) as seen by thread \(T\) (Definition 5.19) is given by \(\text{READ}(\tilde{x}, x, T, \tilde{t})\).

\begin{proof}
The proof amounts to showing that \(\text{READ}(\tilde{x}, x, T, \tilde{t})\) is an upper bound to the values of the writes given by Definition 5.19; i.e., to showing that all writes given by Definition 5.19 are included in \(\tilde{W}\).

On line 4, the new variable state, \(\tilde{x}'\), is defined to contain all writes, \((\tilde{v}', \tilde{t}') \in (\tilde{x}\, x)\, T'\), such that \(\tilde{t} \not\prec_t \tilde{t}'\), for each \(T' \in \text{Thrd} \setminus \{T\}\). On lines 9–11, the writes, \((\tilde{v}', \tilde{t}') \in (\tilde{x}'\, x)\, T'\), for all \(T' \in \text{Thrd} \setminus \{T\}\), such that \(\tilde{t}' \not\prec_t \tilde{t}\), are extracted (i.e., identified and removed) from \((\tilde{x}'\, x)\, T'\) and put in the set \(\tilde{W}\). Thus, \(\tilde{W}\) contains all the writes specified by 1 in Definition 5.19.

On line 6, \((\tilde{x}'\, x)\, T\) is defined to contain all writes, \((\tilde{v}', \tilde{t}') \in (\tilde{x}\, x)\, T\), such that \(\min(\gamma_t(\tilde{t})) \geq \min(\gamma_t(\tilde{t}'))\), and \((\tilde{x}'\, x)\, T'\), for each \(T' \in \text{Thrd} \setminus \{T\}\), now contains all the writes, \((\tilde{v}', \tilde{t}') \in (\tilde{x}\, x)\, T'\), such that \(\tilde{t}' \prec_t \tilde{t}\).

On line 13, the time of the (globally) most recent write on \(x\) among all threads, i.e., of the most recent write in \(\bigcup\{(\tilde{x}'\, x)\, T' \mid T' \in \text{Thrd}\}\), is determined (Lemma 5.25), while on line 16, the time of the most recent write for each thread is determined (Lemma 5.24). If the time of the most recent write for a thread overlaps with the time of the globally most recent write, then all writes overlapping in time with the most recent write for that thread are added to \(\tilde{W}\) (line 17). Thus, \(\tilde{W}\) now also contains (at least) all the writes specified by 2 in Definition 5.19.

Finally, on line 20, the least upper bound of the values of the writes in \(\tilde{W}\) is determined if \(\tilde{W} \neq \emptyset\), and it is returned on the next line. If \(\tilde{W} = \emptyset\), then \([-\infty, \infty]\) is returned, which trivially is a safe approximation of the corresponding value read (i.e., \(v \in \gamma_{\text{val}}([-\infty, \infty])\)) in the concrete case (c.f., Table 4.2).
\end{proof}

Since \(\text{READ}(\tilde{x}, x, T, \tilde{t})\) discards writes from any thread \(T' \in \text{Thrd}\) that are too old to be valid at time \(\tilde{t}\) (and writes occurring after \(\tilde{t}\)) for its returned value, and since time is assumed never to progress negatively (i.e., backwards; c.f., Lemma 4.2), the discarded writes can safely be removed from \((\tilde{x}\, x)\, T'\). \(\text{TRIM}\), defined in Algorithm 5.9, safely (Lemma 5.27) removes the outdated writes from \((\tilde{x}\, x)\, T'\) for all \(T' \in \text{Thrd}\). Thus, \(\text{TRIM}\) can be used to lower the space complexity of the analysis. Note that \(\text{SPLITSET}(\tilde{W}, \tilde{t})\), as defined in Algorithm 5.10, is used to split a set of writes into two sets, where the first set contains all writes, \((\tilde{v}, \tilde{t}')\), such that \(\tilde{t}' \sqcap_t \tilde{t} \neq \bot_t\), and the second set contains all other writes.

**Lemma 5.27 (Soundness of TRIM):**

If \(\tilde{x}\) contains safe write history at time \(\tilde{t}\) (c.f., Definition 5.18), then so does \(\text{TRIM}(\tilde{x}, \tilde{t})\).

**Proof.** Given that \(\tilde{x}\) is safe, it must be shown that, for any variable, \(x \in \text{Var}\), and any thread, \(T \in \text{Thrd}\), \((\text{TRIM}(\tilde{x}, \tilde{t})\, x)\, T\) contains at least (c.f., Definition 5.18)

1. all writes, \((\tilde{v}, \tilde{t}')\), of \((\tilde{x}\, x)\, T\) such that \(\tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}'\), and
Algorithm 5.9 Trim Variable State

1: function TRIM($\tilde{x}, \tilde{t}$)
2:   $\tilde{x}' \leftarrow \bot_{\text{var}}$
3:   $\tilde{x}'' \leftarrow \bot_{\text{var}}$
4:   for all $x \in \text{Var}$ do
5:     $[F_T]_{T \in \text{Thrd}} \leftarrow [\emptyset]_{T \in \text{Thrd}}$
6:     $[O_T]_{T \in \text{Thrd}} \leftarrow [\emptyset]_{T \in \text{Thrd}}$
7:     $[N_T]_{T \in \text{Thrd}} \leftarrow [\emptyset]_{T \in \text{Thrd}}$
8:     for all $T \in \text{Thrd}$ do
9:       $F_T \leftarrow \{(\tilde{v}, \tilde{t}') \in (\tilde{x}\, x)\, T \mid \tilde{t} \prec_t \tilde{t}'\}$
10:      $(O_T, N_T) \leftarrow \text{SPLITSET}((\tilde{x}\, x)\, T, \tilde{t})$
11:      $(\tilde{x}'\, x)\, T \leftarrow N_T \setminus F_T$
12:    end for
13:    $\tilde{t}_{\text{mrw}} \leftarrow \text{MOSTRECENTWRITETIME}(\tilde{x}', x)$
14:    for all $T \in \text{Thrd}$ do
15:      $\tilde{t}'_{\text{mrw}} \leftarrow \text{MOSTRECENTWRITETIMETHREAD}((\tilde{x}'\, x)\, T)$
16:      $W_T \leftarrow F_T \cup O_T \cup \{(\tilde{v}, \tilde{t}') \in (\tilde{x}'\, x)\, T \mid \tilde{t}'_{\text{mrw}} \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t \land \tilde{t}' \sqcap_t \tilde{t}'_{\text{mrw}} \neq \bot_t\}$
17:      if $W_T = \emptyset$ then
18:        $W_T \leftarrow \{(\bot_{\text{val}}, \bot_t)\}$
19:      end if
20:      $(\tilde{x}''\, x)\, T \leftarrow W_T$
21:    end for
22:  end for
23:  return $\tilde{x}''$
24: end function

Algorithm 5.10 Split Set of Writes

1: function SPLITSET($\tilde{W}, \tilde{t}$)
2:   $O \leftarrow \{(\tilde{v}, \tilde{t}') \in \tilde{W} \mid \tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}'\}$
3:   $N \leftarrow \{(\tilde{v}, \tilde{t}') \in \tilde{W} \mid \tilde{t}' \prec_t \tilde{t} \lor \tilde{t} \prec_t \tilde{t}'\}$
4:   return $(O, N)$
5: end function
2. any write, \((\tilde{v}, \tilde{t}')\), of \((\tilde{x}\, x)\, T\) such that \(\tilde{t}' \prec_t \tilde{t}\), if \(\tilde{t}' \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t\), where \(\tilde{t}_{\text{mrw}}\) is the time of the globally most recent write among the writes preceding \(\tilde{t}\), or,

3. \((\bot_{\text{val}}, \bot_t)\), if there are no writes fitting the previous two categories (e.g., if all writes made by \(T\) are outdated or no writes have occurred by \(T\) on \(x\); i.e., if \((\tilde{x}\, x)\, T = \{(\bot_{\text{val}}, \bot_t)\}\)).

Before advancing to the proof procedure, note that \(\neg(\tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}')\) whenever \(\tilde{t}\) or \(\tilde{t}'\) is \(\bot_t\) or \(\top_t\). If they are not, note that (it is implicitly assumed that \(\text{Time} = \text{Intv}\)):

\[
\begin{align*}
& \tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}' \\
\overset{\text{Def. 5.13}}{\iff} \quad & \max(\gamma_t(\tilde{t}')) \not< \min(\gamma_t(\tilde{t})) \land \max(\gamma_t(\tilde{t})) \not< \min(\gamma_t(\tilde{t}')) \\
\overset{\text{calc}}{\iff} \quad & \max(\gamma_t(\tilde{t}')) \geq \min(\gamma_t(\tilde{t})) \land \max(\gamma_t(\tilde{t})) \geq \min(\gamma_t(\tilde{t}')) \\
\overset{\text{calc}}{\iff} \quad & \min\{\max(\gamma_t(\tilde{t})), \max(\gamma_t(\tilde{t}'))\} \geq \max\{\min(\gamma_t(\tilde{t})), \min(\gamma_t(\tilde{t}'))\}
\end{align*}
\]

Now, assume that \(\tilde{x}\) contains safe write history. The structure of the algorithm gives that for each \(x \in \text{Var}\):

- For each thread, \(T \in \text{Thrd}\), the set \(F_T\) contains the writes, \((\tilde{v}, \tilde{t}')\), by \(T\) on \(x\) such that \(\tilde{t} \prec_t \tilde{t}'\); i.e., writes that occur after \(\tilde{t}\). Note that this captures all writes, \((\tilde{v}, \tilde{t}')\), such that \(\tilde{t}' = \top_t\), as long as \(\tilde{t} \neq \top_t\).

- For each thread, \(T \in \text{Thrd}\), the set \(O_T\) contains the writes, \((\tilde{v}, \tilde{t}')\), by \(T\) on \(x\) such that \(\tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}'\).

- For each thread, \(T \in \text{Thrd}\), the set \(N_T\) contains the writes, \((\tilde{v}, \tilde{t}')\), by \(T\) on \(x\) such that \(\tilde{t}' \prec_t \tilde{t} \lor \tilde{t} \prec_t \tilde{t}'\). Note that this captures all writes, \((\tilde{v}, \tilde{t}')\), such that \(\tilde{t}' = \top_t\) or \(\tilde{t}' = \bot_t\).

- \(\tilde{t}_{\text{mrw}}\) is determined from \(\tilde{x}'\), for which all writes, \((\tilde{v}, \tilde{t}') \in (\tilde{x}'\, x)\, T\), on \(x\) by each thread, \(T \in \text{Thrd}\), are such that \(\tilde{t}' \prec_t \tilde{t}\).

- For each thread, \(T \in \text{Thrd}\), \(W_T = \{(\bot_{\text{val}}, \bot_t)\}\) whenever \(\tilde{t}'_{\text{mrw}} \sqcap_t \tilde{t}_{\text{mrw}} = \bot_t \land F_T = \emptyset \land O_T = \emptyset\); otherwise, \(W_T\) contains all the writes by \(T\) on \(x\) such that \(\tilde{t}' \not\prec_t \tilde{t} \land \tilde{t} \not\prec_t \tilde{t}'\), the writes such that \(\tilde{t} \prec_t \tilde{t}'\), and, if \(\tilde{t}'_{\text{mrw}} \sqcap_t \tilde{t}_{\text{mrw}} \neq \bot_t\), the writes such that \(\tilde{t}' \sqcap_t \tilde{t}'_{\text{mrw}} \neq \bot_t\), where \(\tilde{t}'_{\text{mrw}}\) is the time of the most recent write among the writes, \((\tilde{v}, \tilde{t}') \in (\tilde{x}'\, x)\, T\); i.e., the writes, \((\tilde{v}, \tilde{t}') \in (\tilde{x}\, x)\, T\), such that \(\tilde{t}' \prec_t \tilde{t}\).
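The write-history operations of this section (the precedence relation of Definition 5.13, the most recent write time of Definition 5.17 and Algorithm 5.8, READ of Algorithm 5.6 and TRIM of Algorithm 5.9) as an added Python example; this is not code from the thesis. It assumes Time = Val = Intv over integers, represents \(\bot_t\) and \(\bot_{\text{val}}\) by the empty interval, represents a thread's \(\{(\bot_{\text{val}}, \bot_t)\}\) placeholder by an empty history, and runs on a constructed two-thread write history.

```python
import math
from typing import Dict, List, Tuple

Intv = Tuple[float, float]        # closed interval [lo, hi], used for Val and Time
Write = Tuple[Intv, Intv]         # abstract write (value, time-stamp)
VarState = Dict[str, Dict[str, List[Write]]]   # variable -> thread -> write history

BOT: Intv = (math.inf, -math.inf)  # empty interval; stands in for bot_t and bot_val
TOP: Intv = (-math.inf, math.inf)  # stands in for top_t and top_val


def is_bot(i: Intv) -> bool:
    return i[0] > i[1]


def meet(a: Intv, b: Intv) -> Intv:
    """Interval intersection (the thesis's sqcap_t / sqcap_val)."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT


def join(a: Intv, b: Intv) -> Intv:
    """Interval hull (sqcup_val), used on line 20 of READ."""
    if is_bot(a):
        return b
    if is_bot(b):
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))


def precedes(t1: Intv, t2: Intv) -> bool:
    """Time precedence t1 prec_t t2 (Definition 5.13), including the bot/top cases."""
    if t1 == BOT:
        return t2 != BOT
    if t2 == TOP:
        return t1 != TOP
    if t1 == TOP or t2 == BOT:
        return False
    return t1[1] < t2[0]           # max(gamma_t(t1)) < min(gamma_t(t2))


def most_recent_write_time(W: List[Write]) -> Intv:
    """Time of the most recent write (Definition 5.17, Algorithm 5.8)."""
    if not W:
        return BOT
    t_min = max(t[0] for _, t in W)
    t_max = max(t[1] for _, t in W if t[0] == t_min)
    return (t_min, t_max)


def read(xs: VarState, x: str, T: str, t: Intv) -> Intv:
    """READ(x~, x, T, t~) following Algorithm 5.6 line by line."""
    hist: Dict[str, List[Write]] = {}
    for T2, W in xs[x].items():
        if T2 == T:   # line 6: own writes that began no later than t~ begins
            hist[T2] = [w for w in W if t[0] >= w[1][0]]
        else:         # line 4: other threads' writes that do not completely succeed t~
            hist[T2] = [w for w in W if not precedes(t, w[1])]
    considered: List[Write] = []
    for T2 in hist:   # lines 8-12: category 1, other threads' writes overlapping t~
        if T2 != T:
            considered += [w for w in hist[T2] if not precedes(w[1], t)]
            hist[T2] = [w for w in hist[T2] if precedes(w[1], t)]
    # lines 13-19: category 2, the most recent writes among those preceding t~
    t_mrw = most_recent_write_time([w for W in hist.values() for w in W])
    if not is_bot(t_mrw):
        for W in hist.values():
            t_mrw_T = most_recent_write_time(W)
            if not is_bot(meet(t_mrw_T, t_mrw)):
                considered += [w for w in W if not is_bot(meet(w[1], t_mrw_T))]
    if not considered:  # line 20: nothing is known, so return [-inf, inf]
        return TOP
    v = BOT
    for val, _ in considered:
        v = join(v, val)
    return v


def trim(xs: VarState, t: Intv) -> VarState:
    """TRIM(x~, t~) following Algorithm 5.9: drop writes READ can never consider at t~."""
    out: VarState = {}
    for x, hist in xs.items():
        F = {T: [w for w in W if precedes(t, w[1])] for T, W in hist.items()}
        O = {T: [w for w in W if not precedes(t, w[1]) and not precedes(w[1], t)]
             for T, W in hist.items()}
        old = {T: [w for w in W if precedes(w[1], t)] for T, W in hist.items()}
        t_mrw = most_recent_write_time([w for W in old.values() for w in W])
        out[x] = {}
        for T in hist:
            t_mrw_T = most_recent_write_time(old[T])
            keep = F[T] + O[T]
            if not is_bot(meet(t_mrw_T, t_mrw)):
                keep += [w for w in old[T] if not is_bot(meet(w[1], t_mrw_T))]
            out[x][T] = keep       # an empty list plays the role of {(bot_val, bot_t)}
    return out


# Constructed sample: threads T1 and T2 write variable x at interval time-stamps.
SAMPLE: VarState = {"x": {"T1": [((1, 1), (0, 2)), ((5, 5), (10, 12))],
                          "T2": [((7, 7), (4, 6)), ((9, 9), (11, 15))]}}
```

For T1 reading at time [13, 14], T2's write of 7 at [4, 6] is superseded by T1's own write at [10, 12], while T2's write of 9 at [11, 15] overlaps the read and must be included, so READ returns [5, 9]; trimming at [13, 14] keeps exactly those two writes and READ on the trimmed state returns the same value.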
Definition 5.28 (Concretization of an abstract lock state):

\[
\gamma_{\text{lock}}(\top_{\text{lock}}) = \text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time})
\]

\[
\gamma_{\text{lock}}(\bot_{\text{lock}}) = \emptyset
\]

\[
\gamma_{\text{lock}}(\tilde{l}) = \gamma_{\text{lock}}(\lambda lck \in \text{Lck}. (u_{lck}, T_{lck}, \tilde{t}_{lck}, T'_{lck}, \tilde{t}'_{lck})) = \{ \lambda lck \in \text{Lck}. (u_{lck}, T_{lck}, t_{lck}, T'_{lck}, t'_{lck}) \mid t_{lck} \in \gamma_t(\tilde{t}_{lck}) \land t'_{lck} \in \gamma_t(\tilde{t}'_{lck}) \}
\]

Definition 5.29 (Abstraction of a set of lock states):

\[
\alpha_{\text{lock}}(\mathbb{L}) = \sqcap_{\text{lock}} \{ \tilde{l} \mid \mathbb{L} \subseteq \gamma_{\text{lock}}(\tilde{l}) \}
\]
Table 5.4: Definition of \(\tilde{\text{STT}}\), \(\tilde{\text{OWN}}\), \(\tilde{\text{DL}}\), \(\tilde{\text{POWN}}\) and \(\tilde{\text{REL}}\) – abstract versions of STT, OWN, DL, POWN and REL.

\begin{align*}
\tilde{\text{STT}} : (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) & \rightarrow \text{Lck}_{\text{att}} \\
\tilde{\text{STT}}((u, T, \tilde{t}, T', \tilde{t}')) & = u \\
\tilde{\text{OWN}} : (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) & \rightarrow \text{Thrd}_\bot \\
\tilde{\text{OWN}}((u, T, \tilde{t}, T', \tilde{t}')) & = T \\
\tilde{\text{DL}} : (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) & \rightarrow \text{Time} \\
\tilde{\text{DL}}((u, T, \tilde{t}, T', \tilde{t}')) & = \tilde{t} \\
\tilde{\text{POWN}} : (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) & \rightarrow \text{Thrd}_\bot \\
\tilde{\text{POWN}}((u, T, \tilde{t}, T', \tilde{t}')) & = T' \\
\tilde{\text{REL}} : (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}) & \rightarrow \text{Time} \\
\tilde{\text{REL}}((u, T, \tilde{t}, T', \tilde{t}')) & = \tilde{t}'
\end{align*}
The partial order, \(\sqsubseteq_{\text{lock}}\), greatest lower bound, \(\sqcap_{\text{lock}}\), and least upper bound, \(\sqcup_{\text{lock}}\), for abstract lock states follow naturally from Definitions 3.26, 3.27 and 3.28 and are presented in Definitions 5.30, 5.31 and 5.32, respectively.

**Definition 5.30 (Partial order of abstract lock states):**

\[
\begin{align*}
\tilde{l} & \sqsubseteq_{\text{lock}} \top_{\text{lock}} \\
\bot_{\text{lock}} & \sqsubseteq_{\text{lock}} \tilde{l} \\
\tilde{l} & \sqsubseteq_{\text{lock}} \tilde{l}' \iff \forall lck \in \text{Lck} : (\widetilde{\text{STT}}(\tilde{l}\ lck) = \widetilde{\text{STT}}(\tilde{l}'\ lck) \land \widetilde{\text{OWN}}(\tilde{l}\ lck) = \widetilde{\text{OWN}}(\tilde{l}'\ lck) \land \widetilde{\text{DL}}(\tilde{l}\ lck) \sqsubseteq \widetilde{\text{DL}}(\tilde{l}'\ lck) \land \widetilde{\text{POWN}}(\tilde{l}\ lck) = \widetilde{\text{POWN}}(\tilde{l}'\ lck) \land \widetilde{\text{REL}}(\tilde{l}\ lck) \sqsubseteq \widetilde{\text{REL}}(\tilde{l}'\ lck))
\end{align*}
\]

**Definition 5.31 (Greatest lower bound of abstract lock states):**

\[
\begin{align*}
\tilde{l} \sqcap_{\text{lock}} \top_{\text{lock}} &= \top_{\text{lock}} \sqcap_{\text{lock}} \tilde{l} = \tilde{l} \\
\tilde{l} \sqcap_{\text{lock}} \bot_{\text{lock}} &= \bot_{\text{lock}} \sqcap_{\text{lock}} \tilde{l} = \bot_{\text{lock}} \\
\lambda lck \in \text{Lck}.(u_{lck}, T_{lck}, \tilde{t}_{lck}, T'_{lck}, \tilde{t}'_{lck}) \sqcap_{\text{lock}} \lambda lck \in \text{Lck}.(u'_{lck}, T''_{lck}, \tilde{t}''_{lck}, T'''_{lck}, \tilde{t}'''_{lck}) &= \\
\begin{cases}
\lambda lck \in \text{Lck}.(u_{lck}, T_{lck}, \tilde{t}_{lck} \sqcap \tilde{t}''_{lck}, T'_{lck}, \tilde{t}'_{lck} \sqcap \tilde{t}'''_{lck}) & \text{if } \forall lck \in \text{Lck} : (u_{lck} = u'_{lck} \land T_{lck} = T''_{lck} \land T'_{lck} = T'''_{lck}) \\
\bot_{\text{lock}} & \text{otherwise}
\end{cases}
\end{align*}
\]
Definition 5.32 (Least upper bound of abstract lock states):

\[
\begin{align*}
\tilde{l} \sqcup_{\text{lock}} \top_{\text{lock}} &= \top_{\text{lock}} \sqcup_{\text{lock}} \tilde{l} = \top_{\text{lock}} \\
\tilde{l} \sqcup_{\text{lock}} \bot_{\text{lock}} &= \bot_{\text{lock}} \sqcup_{\text{lock}} \tilde{l} = \tilde{l} \\
\lambda lck \in \text{Lck}.(u_{lck}, T_{lck}, \tilde{t}_{lck}, T'_{lck}, \tilde{t}'_{lck}) \sqcup_{\text{lock}} \lambda lck \in \text{Lck}.(u'_{lck}, T''_{lck}, \tilde{t}''_{lck}, T'''_{lck}, \tilde{t}'''_{lck}) &= \\
\begin{cases}
\lambda lck \in \text{Lck}.(u_{lck}, T_{lck}, \tilde{t}_{lck} \sqcup \tilde{t}''_{lck}, T'_{lck}, \tilde{t}'_{lck} \sqcup \tilde{t}'''_{lck}) & \text{if } \forall lck \in \text{Lck} : (u_{lck} = u'_{lck} \land T_{lck} = T''_{lck} \land T'_{lck} = T'''_{lck}) \\
\top_{\text{lock}} & \text{otherwise}
\end{cases}
\end{align*}
\]

Lemma 5.33 (Monotonicity of $\gamma_{\text{lock}}$):

\[\gamma_{\text{lock}}\text{, as given by Definition 5.28, is monotone.}\]

Proof. Assume that $\tilde{l} \sqsubseteq_{\text{lock}} \tilde{l}'$. If $\tilde{l} = \bot_{\text{lock}}$ or $\tilde{l}' = \top_{\text{lock}}$, then trivially, $\gamma_{\text{lock}}(\tilde{l}) \subseteq \gamma_{\text{lock}}(\tilde{l}')$. Otherwise, assume that $l \in \gamma_{\text{lock}}(\tilde{l})$, $\tilde{l}\ lck = (u_{lck}, T_{lck}, \tilde{t}_{lck}, T'_{lck}, \tilde{t}'_{lck})$ and $\tilde{l}'\ lck = (u'_{lck}, T''_{lck}, \tilde{t}''_{lck}, T'''_{lck}, \tilde{t}'''_{lck})$. Since $\tilde{l} \sqsubseteq_{\text{lock}} \tilde{l}'$, it must be that $\forall lck \in \text{Lck} : (u_{lck} = u'_{lck} \land T_{lck} = T''_{lck} \land \tilde{t}_{lck} \sqsubseteq \tilde{t}''_{lck} \land T'_{lck} = T'''_{lck} \land \tilde{t}'_{lck} \sqsubseteq \tilde{t}'''_{lck})$. But then, since $l \in \gamma_{\text{lock}}(\tilde{l})$ and $\gamma$ is monotone (Theorem 3.39), it must be that $l \in \gamma_{\text{lock}}(\tilde{l}')$. This proves the lemma.

Theorem 5.34 (Galois connection – Lock states):

\[\langle\alpha_{\text{lock}}, \gamma_{\text{lock}}\rangle\text{, where } \gamma_{\text{lock}}\text{ and } \alpha_{\text{lock}}\text{ are given by Definitions 5.28 and 5.29, respectively, is a Galois connection.}\]

Proof. First it will be shown that $\gamma_{\text{lock}}$ is completely multiplicative. Thus note that $\gamma_{\text{lock}}$ is monotone (Lemma 5.33). Next observe that $\gamma_{\text{lock}}(\top_{\text{lock}}) = \text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time})$, i.e., the top element of the concrete domain $\mathcal{P}(\text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time}))$.

Now, assume that $\tilde{l}, \tilde{l}' \in \text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_\bot \times \text{Time} \times \text{Thrd}_\bot \times \text{Time})$ are such that $\tilde{l} \not\sqsubseteq_{\text{lock}} \tilde{l}' \land \tilde{l}' \not\sqsubseteq_{\text{lock}} \tilde{l}$. From Definition 5.30, it follows that neither of $\tilde{l}$ and $\tilde{l}'$ can be $\bot_{\text{lock}}$ or $\top_{\text{lock}}$. Thus, it is safe to assume that these states can be expressed as $\tilde{l}\ lck = (u_{lck}, T_{lck}, \tilde{t}_{lck}, T'_{lck}, \tilde{t}'_{lck})$ and $\tilde{l}'\ lck = (u'_{lck}, T''_{lck}, \tilde{t}''_{lck}, T'''_{lck}, \tilde{t}'''_{lck})$.

Based on the above assumptions, it will be shown that:

\[\gamma_{\text{lock}}(\tilde{l} \sqcap_{\text{lock}} \tilde{l}') = \gamma_{\text{lock}}(\tilde{l}) \cap \gamma_{\text{lock}}(\tilde{l}')\]

First, assume that \( \exists lck \in \text{Lck} : (u_{lck} \neq u'_{lck} \lor T_{lck} \neq T''_{lck} \lor T'_{lck} \neq T'''_{lck}) \). Then, \( \tilde{l} \sqcap_{\text{lock}} \tilde{l}' = \bot_{\text{lock}} \), and thus the L.H.S. becomes \( \gamma_{\text{lock}}(\tilde{l} \sqcap_{\text{lock}} \tilde{l}') = \gamma_{\text{lock}}(\bot_{\text{lock}}) = \emptyset \). The R.H.S. becomes \( \gamma_{\text{lock}}(\tilde{l}) \cap \gamma_{\text{lock}}(\tilde{l}') = \emptyset \), because it must be that \( \forall l \in \gamma_{\text{lock}}(\tilde{l}) : \forall l' \in \gamma_{\text{lock}}(\tilde{l}') : l \neq l' \) since \( \exists lck \in \text{Lck} : (u_{lck} \neq u'_{lck} \lor T_{lck} \neq T''_{lck} \lor T'_{lck} \neq T'''_{lck}) \). Thus, L.H.S. = R.H.S.

Next, assume that \( \forall lck \in \text{Lck} : (u_{lck} = u'_{lck} \land T_{lck} = T''_{lck} \land T'_{lck} = T'''_{lck}) \) and note that \( (\alpha, \gamma) = (\alpha_{\text{int}}, \gamma_{\text{int}}) \) is a Galois connection (Theorem 3.39). Then, \( \tilde{l} \sqcap_{\text{lock}} \tilde{l}' \) is defined.

Thus, it has been shown that \( \gamma_{\text{lock}}(\tilde{l} \sqcap_{\text{lock}} \tilde{l}') = \gamma_{\text{lock}}(\tilde{l}) \cap \gamma_{\text{lock}}(\tilde{l}') \). Now, all the three conditions in Lemma 3.4 are fulfilled, which means that \( \gamma_{\text{lock}} \) is completely multiplicative. Then, by Lemma 3.15, it is obvious that an abstraction function, \( \alpha \), such that \( (\alpha, \gamma_{\text{lock}}) \) is a Galois connection can be defined. Using Lemma 3.14, the definition of this \( \alpha \) is the same as that of \( \alpha_{\text{lock}} \) in Definition 5.29. Thus, \( (\alpha_{\text{lock}}, \gamma_{\text{lock}}) \) is a Galois connection.
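To make the lattice operations on abstract lock states tangible, the following is an added Python model (not from the thesis) of Definitions 5.28 to 5.32 over a finite concrete $\text{Time} = \{0, \ldots, 4\}$; the lock names `m`, `n` and the threads `T1`, `T2` are constructed for the example. Enumerating $\gamma_{\text{lock}}$ lets the monotonicity of Lemma 5.33 and the meet-preservation step of Theorem 5.34 be checked on sample states.

```python
from itertools import product

# Added example, not from the thesis: Definitions 5.28-5.32 modelled over a
# finite concrete Time = {0, ..., TMAX} so that gamma_lock can be enumerated.
TMAX = 4
CONCRETE_TIMES = range(TMAX + 1)
BOT, TOP = "bot", "top"   # bottom/top of the interval and abstract-lock lattices

# --- abstract Time = Intv: an interval (lo, hi) with lo <= hi, or BOT ---------
def intv_leq(a, b):
    if a == BOT or b == BOT:
        return a == BOT
    return b[0] <= a[0] and a[1] <= b[1]

def intv_meet(a, b):
    if a == BOT or b == BOT:
        return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def intv_join(a, b):
    if a == BOT or b == BOT:
        return b if a == BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def gamma_intv(a):
    """Concrete times described by the interval a (the gamma of Theorem 3.39)."""
    return set() if a == BOT else {t for t in CONCRETE_TIMES if a[0] <= t <= a[1]}

# --- abstract lock states: BOT, TOP or {lck: (stt, own, dl, pown, rel)} -------
# stt is "locked"/"unlocked", own/pown are thread names or None (bottom thread),
# dl and rel are intervals (abstract deadline and release time), cf. Table 5.4.
def lock_leq(l1, l2):
    """Definition 5.30: equal on STT/OWN/POWN, interval order on DL/REL."""
    if BOT in (l1, l2) or TOP in (l1, l2):
        return l1 == BOT or l2 == TOP
    return all(l1[k][0] == l2[k][0] and l1[k][1] == l2[k][1] and l1[k][3] == l2[k][3]
               and intv_leq(l1[k][2], l2[k][2]) and intv_leq(l1[k][4], l2[k][4])
               for k in l1)

def lock_meet(l1, l2):
    """Definition 5.31: componentwise meet, BOT when STT/OWN/POWN disagree."""
    if TOP in (l1, l2):
        return l2 if l1 == TOP else l1
    if BOT in (l1, l2):
        return BOT
    out = {}
    for k in l1:
        (s, o, d, p, r), (s2, o2, d2, p2, r2) = l1[k], l2[k]
        if (s, o, p) != (s2, o2, p2):
            return BOT
        d, r = intv_meet(d, d2), intv_meet(r, r2)
        if BOT in (d, r):      # no concrete time fits: gamma would be empty anyway
            return BOT
        out[k] = (s, o, d, p, r)
    return out

def lock_join(l1, l2):
    """Definition 5.32: componentwise join, TOP when STT/OWN/POWN disagree."""
    if BOT in (l1, l2):
        return l2 if l1 == BOT else l1
    if TOP in (l1, l2):
        return TOP
    out = {}
    for k in l1:
        (s, o, d, p, r), (s2, o2, d2, p2, r2) = l1[k], l2[k]
        if (s, o, p) != (s2, o2, p2):
            return TOP
        out[k] = (s, o, intv_join(d, d2), p, intv_join(r, r2))
    return out

def gamma_lock(l):
    """Definition 5.28 enumerated: the set of concrete lock states, each a
    frozenset of (lck, stt, own, dl, pown, rel) with concrete dl and rel."""
    if l == BOT:
        return set()
    assert l != TOP, "gamma_lock(TOP) is the whole concrete domain, not enumerated"
    per_lock = [[(k, s, o, dl, p, rel) for dl in gamma_intv(d) for rel in gamma_intv(r)]
                for k, (s, o, d, p, r) in l.items()]
    return {frozenset(choice) for choice in product(*per_lock)}

def meet_is_preserved(l1, l2):
    """gamma(l1 meet l2) == gamma(l1) & gamma(l2): the core step of Theorem 5.34."""
    return gamma_lock(lock_meet(l1, l2)) == gamma_lock(l1) & gamma_lock(l2)

def is_monotone(l1, l2):
    """Lemma 5.33 on one pair: l1 below l2 implies gamma(l1) subset of gamma(l2)."""
    return (not lock_leq(l1, l2)) or gamma_lock(l1) <= gamma_lock(l2)

# Constructed sample states over locks m, n and threads T1, T2.
L1 = {"m": ("locked", "T1", (1, 2), "T2", (3, 4)), "n": ("unlocked", None, (0, 1), None, (0, 0))}
L2 = {"m": ("locked", "T1", (2, 3), "T2", (2, 4)), "n": ("unlocked", None, (0, 2), None, (0, 1))}
L3 = {"m": ("locked", "T2", (2, 3), "T2", (2, 4)), "n": ("unlocked", None, (0, 2), None, (0, 1))}
```

`L1` and `L3` differ in the owner of `m`, so their meet is $\bot_{\text{lock}}$ and their concretizations are disjoint, which is exactly the first case of the proof above.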

### 5.7 Abstract Configurations

In this section, a Galois connection (c.f., Theorem 5.41) between the concrete and abstract domains for configurations, \( \mathcal{P}(\text{Conf}) \) and \( \widetilde{\text{Conf}} \), respectively, will be defined. \( \widetilde{\text{Conf}} \) is defined as:

\[
\begin{align*}
\widetilde{\text{Conf}} = {} & (\mathcal{P}(\text{Thrd} \times \text{Lbl} \times (\text{Reg} \rightarrow \text{Val}) \times \text{Time}) \times {} \\
& (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \times {} \\
& (\text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time}))) \cup {} \\
& \{\bot_{\text{conf}}, \top_{\text{conf}}\}
\end{align*}
\]

where \( \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \) (the reason for this will become apparent when the analysis is presented in Chapter 6). The abstract configuration, \( \tilde{c} \in \widetilde{\text{Conf}} \), will be denoted in the same manner as concrete configurations:

\[ \tilde{c} ::= \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \]

The concretization function for abstract configurations, \( \gamma_{\text{conf}} : \widetilde{\text{Conf}} \rightarrow \mathcal{P}(\text{Conf}) \), is given by Definition 5.35.

**Definition 5.35 (Concretization of an abstract configuration):**

\[
\begin{align*}
\gamma_{\text{conf}}(\top_{\text{conf}}) &= \text{Conf} \\
\gamma_{\text{conf}}(\bot_{\text{conf}}) &= \emptyset \\
\gamma_{\text{conf}}(\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle) &= \{ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}_{\tilde{c}}}, x, l \rangle \mid \\
& \quad \forall T \in \text{Thrd}_{\tilde{c}} : (r_T \in \gamma_{\text{reg}}(\tilde{r}_T) \land t_T \in \gamma(\tilde{t}_T)) \land x \in \gamma_{\text{var}}(\tilde{x}) \land l \in \gamma_{\text{lock}}(\tilde{l}) \} \quad \square
\end{align*}
\]

The partial ordering of abstract configurations, \( \sqsubseteq_{\text{conf}} \), follows naturally using Definition 3.26 and is given by Definition 5.36. Note that this relation cannot be directly used within the analysis since \( \sqsubseteq_{\text{var}} \) cannot. A safe relation, \( \sqsubseteq'_{\text{conf}} \), is obtained by replacing \( \sqsubseteq_{\text{var}} \) with \( \sqsubseteq'_{\text{var}} \) in the definition of \( \sqsubseteq_{\text{conf}} \).

**Definition 5.36 (Partial ordering of two abstract configurations):**

\[
\begin{align*}
\tilde{c} &\sqsubseteq_{\text{conf}} \top_{\text{conf}} \\
\bot_{\text{conf}} &\sqsubseteq_{\text{conf}} \tilde{c} \\
\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle &\sqsubseteq_{\text{conf}} \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle \\
&\iff \tilde{x} \sqsubseteq_{\text{var}} \tilde{x}' \land \tilde{l} \sqsubseteq_{\text{lock}} \tilde{l}' \land \text{Thrd}_{\tilde{c}} = \text{Thrd}_{\tilde{c}'} \land \\
&\quad \forall T \in \text{Thrd}_{\tilde{c}} : (pc_T = pc'_T \land \tilde{r}_T \sqsubseteq_{\text{reg}} \tilde{r}'_T \land \tilde{t}_T \sqsubseteq \tilde{t}'_T) \quad \square
\end{align*}
\]

The function \( \gamma_{\text{conf}} \) is monotone with respect to \( \preceq_{\text{conf}} \) (Lemma 5.37).

**Lemma 5.37 (Monotonicity of \( \gamma_{\text{conf}} \)):**

The function \( \gamma_{\text{conf}} : \widetilde{\text{Conf}} \rightarrow \mathcal{P}(\text{Conf}) \) is monotone with respect to \( \sqsubseteq_{\text{conf}} \). I.e., if \( \tilde{c}, \tilde{c}' \in \widetilde{\text{Conf}} \) and \( \tilde{c} \sqsubseteq_{\text{conf}} \tilde{c}' \), then \( \gamma_{\text{conf}}(\tilde{c}) \subseteq \gamma_{\text{conf}}(\tilde{c}') \). \( \square \)

**Proof:** Assume that \( \tilde{c}, \tilde{c}' \in \widetilde{\text{Conf}} \) such that \( \tilde{c} \sqsubseteq_{\text{conf}} \tilde{c}' \). If \( \tilde{c} = \bot_{\text{conf}} \) or \( \tilde{c}' = \top_{\text{conf}} \), the lemma holds trivially. Otherwise, \( \tilde{c} \) and \( \tilde{c}' \) can be expressed as \( \tilde{c} = \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \) and \( \tilde{c}' = \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle \). Assume that \( c \in \gamma_{\text{conf}}(\tilde{c}) \). Since \( \tilde{c} \sqsubseteq_{\text{conf}} \tilde{c}' \), it must be that:

\[ \tilde{x} \sqsubseteq_{\text{var}} \tilde{x}' \land \tilde{l} \sqsubseteq_{\text{lock}} \tilde{l}' \land \text{Thrd}_{\tilde{c}} = \text{Thrd}_{\tilde{c}'} \land \forall T \in \text{Thrd}_{\tilde{c}} : (pc_T = pc'_T \land \tilde{r}_T \sqsubseteq_{\text{reg}} \tilde{r}'_T \land \tilde{t}_T \sqsubseteq \tilde{t}'_T) \]

The greatest lower bound operator for abstract configurations, \( \sqcap_{\text{conf}} \), follows naturally using Definition 3.27 and is given by Definition 5.38. Note that this operator cannot be directly used within the analysis since \( \sqcap_{\text{var}} \) cannot. A safe operator, \( \sqcap'_{\text{conf}} \), is obtained by replacing \( \sqcap_{\text{var}} \) by \( \sqcap'_{\text{var}} \) in the definition of \( \sqcap_{\text{conf}} \).

**Definition 5.38 (Greatest lower bound for two abstract configurations):**

\[
\begin{align*}
\tilde{c} \sqcap_{\text{conf}} \top_{\text{conf}} &= \top_{\text{conf}} \sqcap_{\text{conf}} \tilde{c} = \tilde{c} \\
\tilde{c} \sqcap_{\text{conf}} \bot_{\text{conf}} &= \bot_{\text{conf}} \sqcap_{\text{conf}} \tilde{c} = \bot_{\text{conf}} \\
\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \sqcap_{\text{conf}} \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle &= \\
\begin{cases}
\langle [T, pc_T, \tilde{r}_T \sqcap_{\text{reg}} \tilde{r}'_T, \tilde{t}_T \sqcap \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x} \sqcap_{\text{var}} \tilde{x}', \tilde{l} \sqcap_{\text{lock}} \tilde{l}' \rangle & \text{if } \text{Thrd}_{\tilde{c}} = \text{Thrd}_{\tilde{c}'} \land \forall T \in \text{Thrd}_{\tilde{c}} : pc_T = pc'_T \\
\bot_{\text{conf}} & \text{otherwise}
\end{cases}
\end{align*}
\]

The least upper bound operator for abstract configurations, \( \sqcup_{\text{conf}} \), follows naturally using Definition 3.28 and is given by Definition 5.39. Note that this operator cannot be directly used within the analysis since \( \sqcup_{\text{var}} \) cannot. A safe operator, \( \sqcup'_{\text{conf}} \), is obtained by replacing \( \sqcup_{\text{var}} \) by \( \sqcup'_{\text{var}} \) in the definition of \( \sqcup_{\text{conf}} \).

Definition 5.39 (Least upper bound for two abstract configurations):

\[
\begin{align*}
\tilde{c} \sqcup_{\text{conf}} \top_{\text{conf}} &= \top_{\text{conf}} \sqcup_{\text{conf}} \tilde{c} = \top_{\text{conf}} \\
\tilde{c} \sqcup_{\text{conf}} \bot_{\text{conf}} &= \bot_{\text{conf}} \sqcup_{\text{conf}} \tilde{c} = \tilde{c} \\
\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \sqcup_{\text{conf}} \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle &= \\
\begin{cases}
\langle [T, pc_T, \tilde{r}_T \sqcup_{\text{reg}} \tilde{r}'_T, \tilde{t}_T \sqcup \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x} \sqcup_{\text{var}} \tilde{x}', \tilde{l} \sqcup_{\text{lock}} \tilde{l}' \rangle & \text{if } \text{Thrd}_{\tilde{c}} = \text{Thrd}_{\tilde{c}'} \land \forall T \in \text{Thrd}_{\tilde{c}} : pc_T = pc'_T \\
\top_{\text{conf}} & \text{otherwise}
\end{cases}
\end{align*}
\]

The abstraction function, \( \alpha_{\text{conf}} : \mathcal{P}(\text{Conf}) \rightarrow \widetilde{\text{Conf}} \), is given by Definition 5.40 and \( (\alpha_{\text{conf}}, \gamma_{\text{conf}}) \) is a Galois connection (Theorem 5.41).

Definition 5.40 (Abstraction of a set of configurations):

\[\alpha_{\text{conf}}(C) = \bigsqcap_{\text{conf}} \{ \tilde{c} \mid C \subseteq \gamma_{\text{conf}}(\tilde{c}) \}\]

Theorem 5.41 (Galois connection – Configurations):

\( (\alpha_{\text{conf}}, \gamma_{\text{conf}}) \), where \( \gamma_{\text{conf}} \) and \( \alpha_{\text{conf}} \) are given by Definitions 5.39 and 5.40, respectively, is a Galois connection.

Proof. First it will be shown that \( \gamma_{\text{conf}} \) is completely multiplicative. Thus note that \( \gamma_{\text{conf}} \) is monotone (Lemma 5.37). Next observe that \( \gamma_{\text{conf}}(\top_{\text{conf}}) = \text{Conf} \), i.e., the top element of \( \mathcal{P}(\text{Conf}) \).

Now, assume that \( \tilde{c}, \tilde{c}' \in \widetilde{\text{Conf}} \) are such that \( \tilde{c} \not\sqsubseteq_{\text{conf}} \tilde{c}' \land \tilde{c}' \not\sqsubseteq_{\text{conf}} \tilde{c} \). From Definition 5.36, it follows that neither of \( \tilde{c} \) and \( \tilde{c}' \) can be \( \bot_{\text{conf}} \) or \( \top_{\text{conf}} \). Thus, it is safe to assume that these configurations can be expressed as \( \tilde{c} = \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \) and \( \tilde{c}' = \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle \).

Based on the above assumptions, it will be shown that:

\[\gamma_{\text{conf}}(\tilde{c} \sqcap_{\text{conf}} \tilde{c}') = \gamma_{\text{conf}}(\tilde{c}) \cap \gamma_{\text{conf}}(\tilde{c}')\]

First, assume that \( \text{Thrd}_{\tilde{c}} \neq \text{Thrd}_{\tilde{c}'} \lor \exists T \in \text{Thrd}_{\tilde{c}} : pc_T \neq pc'_T \). Then, \( \tilde{c} \sqcap_{\text{conf}} \tilde{c}' = \bot_{\text{conf}} \), and thus the L.H.S. becomes \( \gamma_{\text{conf}}(\tilde{c} \sqcap_{\text{conf}} \tilde{c}') = \gamma_{\text{conf}}(\bot_{\text{conf}}) = \emptyset \).

The R.H.S. becomes \( \gamma_{\text{conf}}(\tilde{c}) \cap \gamma_{\text{conf}}(\tilde{c}') = \emptyset \), because it must be that \( \forall c \in \gamma_{\text{conf}}(\tilde{c}) : \forall c' \in \gamma_{\text{conf}}(\tilde{c}') : c \neq c' \), since \( \text{Thrd}_{\tilde{c}} \neq \text{Thrd}_{\tilde{c}'} \lor \exists T \in \text{Thrd}_{\tilde{c}} : pc_T \neq pc'_T \). Thus, L.H.S. = R.H.S.

Next, assume that $\text{Thrd}_{\tilde{c}} = \text{Thrd}_{\tilde{c}'} \land \forall T \in \text{Thrd}_{\tilde{c}} : pc_T = pc'_T$ and note that $(\alpha, \gamma) = (\alpha_{\text{int}}, \gamma_{\text{int}})$, $(\alpha_{\text{reg}}, \gamma_{\text{reg}})$, $(\alpha_{\text{var}}, \gamma_{\text{var}})$ and $(\alpha_{\text{lock}}, \gamma_{\text{lock}})$ are Galois connections (Theorems 3.39, 5.6, 5.10 and 5.34, respectively). Then, $\tilde{c} \sqcap_{\text{conf}} \tilde{c}' = \langle [T, pc_T, \tilde{r}_T \sqcap_{\text{reg}} \tilde{r}'_T, \tilde{t}_T \sqcap \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x} \sqcap_{\text{var}} \tilde{x}', \tilde{l} \sqcap_{\text{lock}} \tilde{l}' \rangle$ and

$$\gamma_{\text{conf}}(\tilde{c} \sqcap_{\text{conf}} \tilde{c}') \overset{5.35}{=} \left\{ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}_{\tilde{c}}}, x, l \rangle \;\middle|\; \begin{array}{l}
\forall T \in \text{Thrd}_{\tilde{c}} : (r_T \in \gamma_{\text{reg}}(\tilde{r}_T \sqcap_{\text{reg}} \tilde{r}'_T) \land t_T \in \gamma(\tilde{t}_T \sqcap \tilde{t}'_T)) \land \\
x \in \gamma_{\text{var}}(\tilde{x} \sqcap_{\text{var}} \tilde{x}') \land l \in \gamma_{\text{lock}}(\tilde{l} \sqcap_{\text{lock}} \tilde{l}')
\end{array} \right\}
$$

$$\overset{\text{Lem.3.14}}{=} \left\{ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}_{\tilde{c}}}, x, l \rangle \;\middle|\; \begin{array}{l}
\forall T \in \text{Thrd}_{\tilde{c}} : (r_T \in \gamma_{\text{reg}}(\tilde{r}_T) \cap \gamma_{\text{reg}}(\tilde{r}'_T) \land t_T \in \gamma(\tilde{t}_T) \cap \gamma(\tilde{t}'_T)) \land \\
x \in \gamma_{\text{var}}(\tilde{x}) \cap \gamma_{\text{var}}(\tilde{x}') \land l \in \gamma_{\text{lock}}(\tilde{l}) \cap \gamma_{\text{lock}}(\tilde{l}')
\end{array} \right\}
$$

$$\overset{\text{calc}}{=} \left\{ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}_{\tilde{c}}}, x, l \rangle \;\middle|\; \begin{array}{l}
\forall T \in \text{Thrd}_{\tilde{c}} : (r_T \in \gamma_{\text{reg}}(\tilde{r}_T) \land t_T \in \gamma(\tilde{t}_T)) \land \\
x \in \gamma_{\text{var}}(\tilde{x}) \land l \in \gamma_{\text{lock}}(\tilde{l})
\end{array} \right\} \cap \left\{ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}_{\tilde{c}}}, x, l \rangle \;\middle|\; \begin{array}{l}
\forall T \in \text{Thrd}_{\tilde{c}} : (r_T \in \gamma_{\text{reg}}(\tilde{r}'_T) \land t_T \in \gamma(\tilde{t}'_T)) \land \\
x \in \gamma_{\text{var}}(\tilde{x}') \land l \in \gamma_{\text{lock}}(\tilde{l}')
\end{array} \right\}
$$

$$\overset{5.35}{=} \gamma_{\text{conf}}(\tilde{c}) \cap \gamma_{\text{conf}}(\tilde{c}')$$

Thus, it has been shown that $\gamma_{\text{conf}}(\tilde{c} \sqcap_{\text{conf}} \tilde{c}') = \gamma_{\text{conf}}(\tilde{c}) \cap \gamma_{\text{conf}}(\tilde{c}')$. Now, all the three conditions in Lemma 3.4 are fulfilled, which means that $\gamma_{\text{conf}}$ is completely multiplicative. Then, by Lemma 3.15, it is obvious that an abstraction function, $\alpha$, such that $(\alpha, \gamma_{\text{conf}})$ is a Galois connection can be defined. Using Lemma 3.14, the definition of this $\alpha$ is the same as that of $\alpha_{\text{conf}}$ in Definition 5.40. Thus, $(\alpha_{\text{conf}}, \gamma_{\text{conf}})$ is a Galois connection. $\Box$

An alternative approach to derive a Galois connection here could be to use Theorems 3.16, 3.17, 3.20, 3.22, 3.24, 3.25 and 3.39, but the presented Galois connection is easier to understand.

Now, consider the abstract domains, $\widetilde{\text{Conf}}_{\text{ax}}^{\text{in}} \ni \tilde{c}_{\text{ax}}^{\text{in}}$, and $\widetilde{\text{Conf}}_{\text{ax}}^{\text{out}} \ni \tilde{c}_{\text{ax}}^{\text{out}}$, which will be used for the abstract axiom transition rules in Table 5.5. These domains are defined as:

\[ \widetilde{\text{Conf}}_{\text{ax}}^{\text{in}} = (\text{Thrd} \times \text{Lbl} \times (\text{Reg} \rightarrow \text{Val}) \times (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \times (\text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time})) \times \text{Time}) \cup \{ \bot_{\text{ax}}^{\text{in}}, \top_{\text{ax}}^{\text{in}} \} \]

\[ \tilde{c}_{\text{ax}}^{\text{in}} ::= \langle T, pc, \tilde{r}, \tilde{x}, \tilde{l}, \tilde{t} \rangle \]

and:

\[ \widetilde{\text{Conf}}_{\text{ax}}^{\text{out}} = (\text{Lbl} \times (\text{Reg} \rightarrow \text{Val}) \times (\text{Var} \rightarrow \text{Thrd} \rightarrow \mathcal{P}(\text{Val} \times \text{Time})) \times (\text{Lck} \rightarrow (\text{Lck}_{\text{att}} \times \text{Thrd}_{\perp} \times \text{Time} \times \text{Thrd}_{\perp} \times \text{Time}))) \cup \{ \bot_{\text{ax}}^{\text{out}}, \top_{\text{ax}}^{\text{out}} \} \]

\[ \tilde{c}_{\text{ax}}^{\text{out}} ::= \langle pc, \tilde{r}, \tilde{x}, \tilde{l} \rangle \]

It is easy to see that \( \langle \alpha_{\text{ax}}^{\text{in}}, \gamma_{\text{ax}}^{\text{in}} \rangle \) and \( \langle \alpha_{\text{ax}}^{\text{out}}, \gamma_{\text{ax}}^{\text{out}} \rangle \), where \( \alpha_{\text{ax}}^{\text{in}} : \mathcal{P}(\text{Conf}_{\text{ax}}^{\text{in}}) \to \widetilde{\text{Conf}}_{\text{ax}}^{\text{in}} \) and \( \gamma_{\text{ax}}^{\text{in}} : \widetilde{\text{Conf}}_{\text{ax}}^{\text{in}} \to \mathcal{P}(\text{Conf}_{\text{ax}}^{\text{in}}) \), \( \alpha_{\text{ax}}^{\text{out}} : \mathcal{P}(\text{Conf}_{\text{ax}}^{\text{out}}) \to \widetilde{\text{Conf}}_{\text{ax}}^{\text{out}} \) and \( \gamma_{\text{ax}}^{\text{out}} : \widetilde{\text{Conf}}_{\text{ax}}^{\text{out}} \to \mathcal{P}(\text{Conf}_{\text{ax}}^{\text{out}}) \) are given by Definitions 5.42, 5.43, 5.44 and 5.45, respectively, are Galois connections (c.f., Theorems 5.46 and 5.47).

Definition 5.42 (Abstraction of a set of axiom input configurations):

\[ \alpha_{\text{ax}}^{\text{in}}(C_{\text{ax}}^{\text{in}}) = \bigsqcap_{\text{ax}}^{\text{in}} \{ \tilde{c}_{\text{ax}}^{\text{in}} \mid C_{\text{ax}}^{\text{in}} \subseteq \gamma_{\text{ax}}^{\text{in}}(\tilde{c}_{\text{ax}}^{\text{in}}) \} \]

Definition 5.43 (Concretization of an abstract axiom input configuration):

\[ \gamma_{\text{ax}}^{\text{in}}(\langle T, pc, \tilde{r}, \tilde{x}, \tilde{l}, \tilde{t} \rangle) = \{ \langle T, pc, r, x, l, t \rangle \mid r \in \gamma_{\text{reg}}(\tilde{r}) \land x \in \gamma_{\text{var}}(\tilde{x}) \land l \in \gamma_{\text{lock}}(\tilde{l}) \land t \in \gamma_{\text{time}}(\tilde{t}) \} \]

Definition 5.44 (Abstraction of a set of axiom output configurations):

\[ \alpha_{\text{ax}}^{\text{out}}(C_{\text{ax}}^{\text{out}}) = \bigsqcap_{\text{ax}}^{\text{out}} \{ \tilde{c}_{\text{ax}}^{\text{out}} \mid C_{\text{ax}}^{\text{out}} \subseteq \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}}) \} \]

Definition 5.45 (Concretization of an abstract axiom output configuration):

\[ \gamma_{\text{ax}}^{\text{out}}(\langle pc, \tilde{r}, \tilde{x}, \tilde{l} \rangle) = \{ \langle pc, r, x, l \rangle | r \in \gamma_{\text{reg}}(\tilde{r}) \land x \in \gamma_{\text{var}}(\tilde{x}) \land l \in \gamma_{\text{lock}}(\tilde{l}) \} \]

Theorem 5.46 (Galois connection – Axiom input configurations):

\( \langle \alpha_{\text{ax}}^{\text{in}}, \gamma_{\text{ax}}^{\text{in}} \rangle \), where \( \alpha_{\text{ax}}^{\text{in}} \) and \( \gamma_{\text{ax}}^{\text{in}} \) are given by Definitions 5.42 and 5.43, respectively, is a Galois connection.

PROOF. Similar to the proof of Theorem 5.41.

Theorem 5.47 (Galois connection – Axiom output configurations):

\( \langle \alpha_{\text{ax}}^{\text{out}}, \gamma_{\text{ax}}^{\text{out}} \rangle \), where \( \alpha_{\text{ax}}^{\text{out}} \) and \( \gamma_{\text{ax}}^{\text{out}} \) are given by Definitions 5.44 and 5.45, respectively, is a Galois connection.

PROOF. Similar to the proof of Theorem 5.41.
Table 5.5: \( \langle T, pc, \tilde{r}, \tilde{x}, \tilde{l}, \tilde{t} \rangle \widetilde{\rightarrow}_{\text{ax}} \langle pc', \tilde{r}', \tilde{x}', \tilde{l}' \rangle \), semantics of abstract axiom transitions.

### 5.8 Abstract Semantics

The abstract transition rules for axiom statements in Table 5.5 are safe approximations of the rules in Table 4.2 with respect to Definition 5.48 (Lemma 5.49).

Definition 5.48 (Soundness of the abstract axiom transition relation):
Assuming that \( \tilde{c}_{\text{ax}}^{\text{in}} \) contains safe write history (c.f., Definition 5.18), the transition relation \( \widetilde{\rightarrow}_{\text{ax}} \) is a safe approximation of \( \rightarrow_{\text{ax}} \), as used by the program transition rule (c.f., Table 4.3), iff

\[
\forall \tilde{c}_{\text{ax}}^{\text{in}} \in \widetilde{\text{Conf}}_{\text{ax}}^{\text{in}} : \forall c_{\text{ax}}^{\text{in}} \in \gamma_{\text{ax}}^{\text{in}}(\tilde{c}_{\text{ax}}^{\text{in}}) : \forall c_{\text{ax}}^{\text{out}} \in \text{Conf}_{\text{ax}}^{\text{out}} : (c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \Rightarrow \exists \tilde{c}_{\text{ax}}^{\text{out}} \in \widetilde{\text{Conf}}_{\text{ax}}^{\text{out}} : (\tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \land c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}})))
\]

where \( c_{\text{ax}}^{\text{in}} \) is generated (c.f., Table 4.3) from a valid configuration (c.f., Definition 4.4); i.e., the lock state is valid with respect to the accumulated time of the given thread.

Lemma 5.49 (Soundness of \( \widetilde{\rightarrow}_{\text{ax}} \)):
\( \widetilde{\rightarrow}_{\text{ax}} \) is a safe approximation of \( \rightarrow_{\text{ax}} \), with respect to Definition 5.48.

**PROOF.** This proof will be conducted by showing for each defined transition that it is safe according to Definition 5.48.

Assume that \( \tilde{c}_{\text{ax}}^{\text{in}} = \langle T, pc, \tilde{r}, \tilde{x}, \tilde{l}, \tilde{t} \rangle \) and that \( c_{\text{ax}}^{\text{in}} = \langle T, pc, r, x, l, t \rangle \in \gamma_{\text{ax}}^{\text{in}}(\tilde{c}_{\text{ax}}^{\text{in}}) \).

1. Assume that \( \text{STM}(T, pc) = [\text{halt}]^{pc} \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc, r, x, l \rangle \). Choose \( \tilde{c}_{\text{ax}}^{\text{out}} \) so that \( \tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \); i.e., \( \tilde{c}_{\text{ax}}^{\text{out}} = \langle pc, \tilde{r}, \tilde{x}, \tilde{l} \rangle \). Thus, \( c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}}) \).

2. Assume that \( \text{STM}(T, pc) = [\text{skip}]^{pc} \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l \rangle \). Choose \( \tilde{c}_{\text{ax}}^{\text{out}} \) so that \( \tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \); i.e., \( \tilde{c}_{\text{ax}}^{\text{out}} = \langle pc + 1, \tilde{r}, \tilde{x}, \tilde{l} \rangle \). Thus, \( c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}}) \).

3. Assume that \( \text{STM}(T, pc) = [r := a]^{pc} \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc + 1, r[r \mapsto \mathcal{A}[a]r], x, l \rangle \). Choose \( \tilde{c}_{\text{ax}}^{\text{out}} \) so that \( \tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \); i.e., \( \tilde{c}_{\text{ax}}^{\text{out}} = \langle pc + 1, \tilde{r}[r \mapsto \tilde{\mathcal{A}}[a]\tilde{r}], \tilde{x}, \tilde{l} \rangle \). Since \( \tilde{\mathcal{A}} \) is safely induced from \( \mathcal{A} \) (see Section 5.3), it must be that \( \mathcal{A}[a]r \in \gamma(\tilde{\mathcal{A}}[a]\tilde{r}) \), and hence, \( r[r \mapsto \mathcal{A}[a]r] \in \gamma_{\text{reg}}(\tilde{r}[r \mapsto \tilde{\mathcal{A}}[a]\tilde{r}]) \). Thus, \( c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}}) \).
4. Assume that \( \text{STM}(T, pc) = [\text{if } b \text{ goto } \ell]^{pc} \). Then two cases must be considered.

   (a) In the first case, \( \mathcal{B}[b]r \) holds. This means that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle \ell, r, x, l \rangle \). Now, choose \( \tilde{c}_{\text{ax}}^{\text{out}} \) so that \( \tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \) by the corresponding branch (i.e., \( \tilde{\mathcal{B}}[b]\tilde{r} \neq \bot \)); i.e., \( \tilde{c}_{\text{ax}}^{\text{out}} = \langle \ell, \tilde{\mathcal{B}}[b]\tilde{r}, \tilde{x}, \tilde{l} \rangle \).

5. Assume that \( \text{STM}(T, pc) = [\text{store } r \text{ to } x]^{pc} \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l \rangle \). Choose \( \tilde{c}_{\text{ax}}^{\text{out}} \) so that \( \tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}} \).

6. Assume that \( \text{STM}(T, pc) = [\text{load } r \text{ from } x]^{pc} \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l \rangle \).

7. Assume that \( \text{STM}(T, pc) = [\text{lock } lck]^{pc} \). Then two cases must be considered.

   (a) In the first case, \( \text{OWN}(l\ lck) = T \). From the concrete semantics, it must be that \( c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}} \), where \( c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l[lck \mapsto \ldots] \rangle \).

   (b) In the second case, $\text{OWN}(l\ lck) \neq T$. From the concrete semantics, it must be that $c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}}$, where $c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l[lck \mapsto (\text{locked}, T, \text{DL}(l\ lck), \text{POWN}(l\ lck), \text{REL}(l\ lck))] \rangle$. Choose $\tilde{c}_{\text{ax}}^{\text{out}}$ so that $\tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}}$ by the corresponding branch, $\widetilde{\text{OWN}}(\tilde{l}\ lck) = T \land (\widetilde{\text{STT}}(\tilde{l}\ lck) = \text{unlocked} \Rightarrow (\tilde{t} \geq \widetilde{\text{REL}}(\tilde{l}\ lck) \land \widetilde{\text{DL}}(\tilde{l}\ lck) \geq \tilde{t}))$; i.e., $\tilde{c}_{\text{ax}}^{\text{out}} = \langle pc + 1, \tilde{r}, \tilde{x}, \tilde{l}[lck \mapsto (\text{locked}, T, \widetilde{\text{DL}}(\tilde{l}\ lck), \widetilde{\text{POWN}}(\tilde{l}\ lck), \widetilde{\text{REL}}(\tilde{l}\ lck))] \rangle$. Note that if $\text{STT}(l\ lck) = \text{unlocked}$, it is implied that $t \geq \text{REL}(l\ lck) \land \text{DL}(l\ lck) \geq t$ (Lemma 4.6). Thus, it must be the case that $c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}})$.

8. Assume that $\text{STM}(T, pc) = [\text{unlock } lck]^{pc}$. Then two cases must be considered.

   (a) In the first case, $\text{OWN}(l\ lck) = T$. From the concrete semantics, it must be that $c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}}$, where $c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l[lck \mapsto \ldots] \rangle$. Choose $\tilde{c}_{\text{ax}}^{\text{out}}$ so that $\tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}}$ by the corresponding branch, $\widetilde{\text{OWN}}(\tilde{l}\ lck) = T \land \widetilde{\text{STT}}(\tilde{l}\ lck) = \text{locked}$; i.e., $\tilde{c}_{\text{ax}}^{\text{out}} = \langle pc + 1, \tilde{r}, \tilde{x}, \tilde{l}[lck \mapsto \ldots] \rangle$. Note that in the concrete case, $\text{STT}(l\ lck) = \text{locked}$ whenever $\text{OWN}(l\ lck) \neq \perp_{\text{thrd}}$ for a valid configuration (Definition 4.4). Thus, it must be the case that $c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}})$.

   (b) In the second case, $\text{OWN}(l\ lck) \neq T$. From the concrete semantics, it must be that $c_{\text{ax}}^{\text{in}} \rightarrow_{\text{ax}} c_{\text{ax}}^{\text{out}}$, where $c_{\text{ax}}^{\text{out}} = \langle pc + 1, r, x, l \rangle$. Choose $\tilde{c}_{\text{ax}}^{\text{out}}$ so that $\tilde{c}_{\text{ax}}^{\text{in}} \widetilde{\rightarrow}_{\text{ax}} \tilde{c}_{\text{ax}}^{\text{out}}$ by the corresponding branch, $\widetilde{\text{OWN}}(\tilde{l}\ lck) \neq T$; i.e., $\tilde{c}_{\text{ax}}^{\text{out}} = \langle pc + 1, \tilde{r}, \tilde{x}, \tilde{l} \rangle$. Thus, it must be the case that $c_{\text{ax}}^{\text{out}} \in \gamma_{\text{ax}}^{\text{out}}(\tilde{c}_{\text{ax}}^{\text{out}})$.
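As an added example (not the thesis's own code) of what Definition 5.48 demands, here is a Python model that enumerates $\gamma$ for a register-only fragment of the axiom statements (skip, $r := a$, if $b$ goto $l$) with interval-valued abstract registers; the register names, the value range and the deliberately unsound `A_abs_wrong` are constructed for the example, and the variable and lock states are left out. It checks that every concrete successor is covered by an abstract successor with the same program point, and shows the check rejecting the unsound abstract arithmetic.

```python
from itertools import product

# Added example, not from the thesis: Definition 5.48 checked by enumeration for
# a small subset of axiom statements (skip, r := a, if b goto l). Only the register
# state is modelled; the variable and lock states (x, l) are left out for brevity.
VALS = range(-2, 3)           # concrete register values enumerated by gamma_reg
REGS = ("r0", "r1")

# Arithmetic expressions a: ("const", n) | ("reg", name) | ("add"|"sub", a1, a2)
def A(a, r):
    """Concrete evaluation A[a]r."""
    if a[0] == "const":
        return a[1]
    if a[0] == "reg":
        return r[a[1]]
    x, y = A(a[1], r), A(a[2], r)
    return x + y if a[0] == "add" else x - y

def A_abs(a, rt):
    """Abstract evaluation over intervals (lo, hi), safely induced from A."""
    if a[0] == "const":
        return (a[1], a[1])
    if a[0] == "reg":
        return rt[a[1]]
    (xl, xh), (yl, yh) = A_abs(a[1], rt), A_abs(a[2], rt)
    return (xl + yl, xh + yh) if a[0] == "add" else (xl - yh, xh - yl)

def A_abs_wrong(a, rt):
    """Constructed unsound variant: subtraction pairs the bounds the wrong way."""
    if a[0] == "sub":
        (xl, xh), (yl, yh) = A_abs_wrong(a[1], rt), A_abs_wrong(a[2], rt)
        return (xl - yl, xh - yh)
    return A_abs(a, rt)

# Boolean expressions b: ("le", a1, a2) meaning a1 <= a2
def B(b, r):
    return A(b[1], r) <= A(b[2], r)

def B_abs(b, rt, abs_eval):
    """Truth values the abstract register state cannot rule out."""
    (xl, xh), (yl, yh) = abs_eval(b[1], rt), abs_eval(b[2], rt)
    if xh <= yl:
        return {True}
    if xl > yh:
        return {False}
    return {True, False}

def freeze(rt):
    return tuple(sorted(rt.items()))

# Statements: ("skip",) | ("assign", reg, a) | ("if", b, label)
def step(stmt, pc, r):
    """Concrete axiom transition: (pc, r) -> (pc', r'), deterministic."""
    if stmt[0] == "skip":
        return (pc + 1, r)
    if stmt[0] == "assign":
        return (pc + 1, {**r, stmt[1]: A(stmt[2], r)})
    return (stmt[2] if B(stmt[1], r) else pc + 1, r)

def step_abs(stmt, pc, rt, abs_eval=A_abs):
    """Abstract axiom transition: set of possible (pc', rt'); an undecided
    branch yields both successors (registers are not refined here)."""
    if stmt[0] == "skip":
        return {(pc + 1, freeze(rt))}
    if stmt[0] == "assign":
        return {(pc + 1, freeze({**rt, stmt[1]: abs_eval(stmt[2], rt)}))}
    return {(stmt[2] if truth else pc + 1, freeze(rt))
            for truth in B_abs(stmt[1], rt, abs_eval)}

def gamma_reg(rt):
    """All concrete register states (over VALS) described by rt."""
    ranges = [[v for v in VALS if rt[g][0] <= v <= rt[g][1]] for g in REGS]
    return [dict(zip(REGS, vals)) for vals in product(*ranges)]

def is_safe(stmt, pc, rt, abs_eval=A_abs):
    """Definition 5.48 for one abstract input: every concrete successor must lie
    in gamma of some abstract successor with the same program point."""
    abs_outs = step_abs(stmt, pc, rt, abs_eval)
    for r in gamma_reg(rt):
        pc2, r2 = step(stmt, pc, r)
        if not any(pc2 == apc and all(lo <= r2[g] <= hi for g, (lo, hi) in art)
                   for apc, art in abs_outs):
            return False
    return True

# Constructed abstract inputs and statements used for the checks.
RT = {"r0": (0, 2), "r1": (0, 2)}
SUB = ("assign", "r0", ("sub", ("reg", "r0"), ("reg", "r1")))
BRANCH = ("if", ("le", ("reg", "r0"), ("reg", "r1")), 7)
```

With `RT` both branch outcomes remain possible, so `step_abs` returns two successors and `is_safe` passes only because the concrete branch taken is always among them; with `A_abs_wrong` the interval for `r0 - r1` misses concrete results and `is_safe` fails.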
\[
\begin{align*}
\text{Thrd}_{\text{exe}} \neq \emptyset & \land \forall T \in \text{Thrd}_{\text{exe}} : (T, pc_T, \tilde{x}_T, \tilde{I}_0, \tilde{I}_T^p) \xrightarrow{\tilde{\tau}} (pc_T', \tilde{x}_T', \tilde{I}_T') \\
\tilde{z} @ (T, pc_T, \tilde{x}_T, \tilde{I}_0, \tilde{I}_T^p) & \xrightarrow{\tilde{\tau}} \tilde{z}' @ ((T, (T \in \text{Thrd}_{\text{exe}} \Rightarrow pc_T') : pc_T), (T \in \text{Thrd}_{\text{exe}} \Rightarrow \tilde{x}_T', \tilde{I}_T') | T \in \text{Thrd}_{\text{exe}}, \tilde{z}', \tilde{I}' )
\end{align*}
\]

where

\[
\begin{align*}
\tilde{I}_T &= \text{ABSTIME}(\tilde{c}, T) \\
\tilde{I}_{\text{all}} &= \alpha_t(\{ \min(\{ \min(\{ \gamma(\tilde{I}_T^p, \tilde{I}_T^p) \} | B) \} \}, \min(\{ \max(\{ \gamma(\tilde{I}_T^p, \tilde{I}_T^p) \} | B) \} )) \\
\text{Thrd}^{\text{all}}_{\text{exe}} &= \{ T \in \text{Thrd}_T | \tilde{I}_{\text{all}} \cap (\tilde{I}_T^p, \tilde{I}_T^p) = \tilde{I} \land \text{STM}(T, pc_T) = [\text{lock} pc_T] \} \\
\text{Thrd}^\prime_{\text{exe}} &= \{ T \in \text{Thrd}_T | \exists \tilde{I}_{\text{exe}} : \text{STM}(T, l) = [\text{lock} l] \} \\
\tilde{I}'' \text{ lock} &= \{ \text{POWN}(\tilde{I} \text{ lock}), \text{REL}(\tilde{I} \text{ lock}) \} \text{ if } \exists T \in \text{Thrd}^\prime_{\text{exe}} : \text{STM}(T, pc_T) = [\text{lock} pc_T] \land \text{POWN}(\tilde{I} \text{ lock}) = \ldots \\
\text{Thrd}^\prime_{\text{exe}} &= \{ T \in \text{Thrd}_T \setminus \text{Thrd}^\prime_{\text{exe}} | \exists \tilde{I}_{\text{exe}} : \text{STM}(T, pc_T) = [\text{lock} pc_T] \} \\
\tilde{I}'' &= \text{TRIM}(\tilde{z}, T) \text{ if } \text{Thrd}^\prime_{\text{exe}} = \text{Thrd}^\prime_{\text{exe}} \text{ otherwise} \\
\tilde{z}' &= \{ \text{TRIM}(\tilde{z}'', T) \} \text{ if } \text{Thrd}^\prime_{\text{exe}} = \text{Thrd}^\prime_{\text{exe}} \text{ otherwise} \\
\tilde{\tau}_T &= \text{ACCTIME}((T', pc_T, \tilde{x}_T, \tilde{I}_T | T \in \text{Thrd}_{\text{exe}}, \tilde{z}', \tilde{I}'), \text{Thrd}_{\text{exe}}, T)
\end{align*}
\]

Table 5.6: \(\tilde{c} \xrightarrow{\tilde{\tau}} \tilde{c}'\), semantics of abstract program transitions.

The abstract transition rule for program configurations in Table 5.6 is an approximation of the concrete rule in Table 4.3. Since $\widetilde{\text{Time}} = \text{Intv}$, the abstract rule defines a window in time, $\tilde{t}_{\text{all}}$, that determines which threads are included in $\text{Thrd}_{\text{exe}}$. The window reaches from the earliest point in time at which some thread might execute its active statements to the earliest point in time at which some thread must execute its active statements; a thread is included in $\text{Thrd}_{\text{exe}}$ when its accumulated time overlaps this window. Note that $\text{DLLOCK}$ and $\text{ACCTIME}$ are defined in Algorithms 5.11 and 5.12, respectively, and that $\text{ABSTIME}$ is assumed to be a safe approximation of $\text{TIME}$, as specified in Assumption 5.50; the definitions of $\text{TIME}$ and $\text{ABSTIME}$ themselves are outside the scope of this thesis.

**Assumption 5.50 (ABSTIME is safe and non-negative):**

It is assumed that $\text{ABSTIME}$ is a “non-negative” function that safely approximates $\text{TIME}$ in the interval domain. More formally, it is assumed that

$$\forall \tilde{c} \in \widetilde{\text{Conf}} : \forall T \in \text{Thrd}_{\tilde{c}} : 0 \leq \min(\gamma_t(\text{ABSTIME}(\tilde{c}, T)))$$

and

$$\forall c \in \text{Conf} : \forall \tilde{c} \in \widetilde{\text{Conf}} : \forall T \in \text{Thrd}_{\tilde{c}} : (pc_T = \tilde{pc}_T \Rightarrow \text{TIME}(c, T) \in \gamma_t(\text{ABSTIME}(\tilde{c}, T)))$$

\[\square\]
Algorithm 5.11 Determine Deadline for Lock Owner Assignment

1: function DLLOCK(\(\tilde{c} @ \langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle\), lck)
2:   \(\tilde{t}_{dl} \leftarrow \tilde{t}_{y}\)
3:   for all \(T \in \text{Thrd}_{\tilde{c}}\) do
4:     if \(\text{STM}(T, \tilde{pc}_T) = [\text{lock}\ lck]^{\tilde{pc}_T}\) then
5:       \(\tilde{c}' \leftarrow \tilde{c}\)
6:       \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}\)
7:       repeat
8:         \(\tilde{c}' \leftarrow \langle \langle [T', \tilde{pc}_{T'}, \tilde{x}_{T'}, (T = T' \;?\; \tilde{t}_{a}' : \tilde{t}_{T'})] \mid T' \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle\)
9:       until \(\text{REL}(\tilde{l}\ lck)\ \tilde{c}' \notin \gamma_t(\text{ABSTIME}(\tilde{c}', T))\)
10:      if \(\text{REL}(\tilde{l}\ lck)\ \tilde{c}' \notin \gamma_t(\text{ABSTIME}(\tilde{c}', T))\) then
11:        \(\tilde{t}_{dl} \leftarrow \tilde{t}_{dl} \cup_t \text{REL}(\tilde{l}\ lck)\)
12:      else
13:        \(\tilde{t}_{dl} \leftarrow \tilde{t}_{dl} \cup_t ((\{0\} \cup_t \text{ABSTIME}(\tilde{c}', T)) \cup_t \alpha_t(\{-\infty\}))\)
14:      end if
15:    end if
16:  end for
17:  return \(\tilde{t}_{dl}\)
18: end function

Algorithm 5.12 Determine Accumulated Execution Time

1: function ACCTIME(\(\tilde{c} @ \langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle\), \(\text{Thrd}_{\text{exe}}\), T)
2:   \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}\)
3:   if \(T \in \text{Thrd}_{\text{exe}}\) then
4:     \(\tilde{t}_{a} \leftarrow \text{ABSTIME}(\tilde{c}, T)\)
5:     if \(\forall lck \in \text{Lck} : \text{STM}(T, \tilde{pc}_T) \neq [\text{lock}\ lck]^{\tilde{pc}_T}\) then
6:       \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \tilde{t}_{a}\)
7:     else
8:       for all \(lck \in \text{Lck}\) do
9:         if \(\text{STM}(T, \tilde{pc}_T) = [\text{lock}\ lck]^{\tilde{pc}_T} \land \text{OWN}(\tilde{l}\ lck) = T\) then
10:          if \(\text{STM}(\tilde{l}\ lck) = \text{locked}\) then
11:            \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \tilde{t}_{a}\)
12:          else if \(\text{DL}(\tilde{l}\ lck) \leq_t (\tilde{t}_{a}' + \tilde{t}_{a})\) then
13:            \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \tilde{t}_{a}\)
14:          else if \((\tilde{t}_{a}' + \tilde{t}_{a}) \leq_t \text{REL}(\tilde{l}\ lck)\) then
15:            \(\tilde{c}' \leftarrow \tilde{c}\)
16:            while \((\tilde{t}_{a}' + \text{ABSTIME}(\tilde{c}', T)) \leq_t \text{REL}(\tilde{l}\ lck)\) do
17:              \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \text{ABSTIME}(\tilde{c}', T)\)
18:              \(\tilde{c}' \leftarrow \langle \langle [T', \tilde{pc}_{T'}, \tilde{x}_{T'}, (T = T' \;?\; \tilde{t}_{a}' : \tilde{t}_{T'})] \mid T' \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle\)
19:            end while
20:          else if \(\text{POWN}(\tilde{l}\ lck) = T \lor \text{REL}(\tilde{l}\ lck) \leq_t (\tilde{t}_{a}' + \tilde{t}_{a})\) then
21:            \(\tilde{t}_{a}' \leftarrow (\tilde{t}_{a}' + \tilde{t}_{a}) \cap_t \text{DL}(\tilde{l}\ lck)\)
22:          else \(\triangleright\ \text{STM}(\tilde{l}\ lck) = \text{unlocked} \land \text{REL}(\tilde{l}\ lck) \not\leq_t (\tilde{t}_{a}' + \tilde{t}_{a}) \land\)
23:               \(\text{POWN}(\tilde{l}\ lck) \neq T \land \text{DL}(\tilde{l}\ lck) \not\leq_t (\tilde{t}_{a}' + \tilde{t}_{a})\)
24:            \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \tilde{t}_{a}\)
25:            \(\tilde{c}' \leftarrow \tilde{c}\)
26:            repeat
27:              if \(\text{DL}(\tilde{l}\ lck) \leq_t (\tilde{t}_{a}' + \text{ABSTIME}(\tilde{c}', T))\) then
28:                \(\tilde{c}' \leftarrow \tilde{c}\)
29:              else if \(0 \in \gamma_t(\text{ABSTIME}(\tilde{c}', T))\) then
30:                \(\tilde{t} \leftarrow (\tilde{t}_{a}' \cup_t \alpha_t(\{\infty\})) \cap_t \text{REL}(\tilde{l}\ lck)\)
31:                \(\tilde{c}' \leftarrow \langle \langle [T', \tilde{pc}_{T'}, \tilde{x}_{T'}, (T = T' \;?\; \tilde{t} : \tilde{t}_{T'})] \mid T' \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle\)
32:                \(\tilde{t}_{a}' \leftarrow \tilde{t}_{a}' + \text{ABSTIME}(\tilde{c}', T)\)
33:                \(\tilde{c}' \leftarrow (\tilde{t}_{a}' + \text{ABSTIME}(\tilde{c}', T))\)
34:              end if
37:            until \(\tilde{t}_{a}' = \tilde{c} \lor \text{REL}(\tilde{l}\ lck) \leq_t \tilde{t}_{a}'\)
38:            \(\tilde{t}_{a}' \leftarrow (\tilde{t}_{a}' \cup_t \tilde{t}_{a}') \cap_t \text{DL}(\tilde{l}\ lck) \cap_t (\text{REL}(\tilde{l}\ lck) \cup_t \alpha_t(\{\infty\}))\)
39:          end if
40:        end if
41:      end for
42:    end if
43:  end if
44:  return \(\tilde{t}_{a}'\)
45: end function

Since $\text{Time}$ is approximated using $\widetilde{\text{Time}}$, there are some consequences, rendering $\tilde{\rightarrow}_{prg}$ an unsafe approximation of $\rightarrow_{prg}$ (c.f., Tables 4.3 and 5.6) in the general case.

1. The sets of threads to execute, i.e., $\text{Thrd}_{\text{exe}}$, might differ between $c \in \text{Conf}$ and $\tilde{c} \in \widetilde{\text{Conf}}$, even if $c \in \gamma_{\text{conf}}(\tilde{c})$. Because of this, different program points might be “visited” in the concrete and abstract cases, and thus, fixed-point calculations on $\tilde{\rightarrow}_{prg}$ in the traditional sense cannot be used to find a safe over-approximation of the concrete collecting semantics (see for example [14, 23]).

2. The execution of $\text{load}$-statements cannot be safely approximated using $\tilde{\rightarrow}_{prg}$ if $|\text{Thrd}_{\text{exe}}| > 1$ and the value of a global variable is to be loaded. The reason for this is that executing $\text{load}$-statements introduces data-dependencies between the threads, and the $\text{READ}$-function could return a value for which all possible writes have not been taken into account; i.e., all $\text{store}$-statements that could affect the variable have not yet been executed (and thus, $\tilde{x}$ does not contain safe write history). To see this, assume that for some abstract configuration, $\text{Thrd}_{\text{exe}} = \{T_1, T_2\}$, $\text{STM}(T_1, pc_{T_1}) = [\text{load } r \text{ from } x]^{pc_{T_1}}$, $\text{STM}(T_2, pc_{T_2}) = [\text{skip}]^{pc_{T_2}}$ and $\text{STM}(T_2, pc_{T_2} + 1) = [\text{store } r' \text{ to } x]^{pc_{T_2}+1}$. When a transition occurs, the $\text{load}$- and $\text{skip}$-statements are considered. However, since the execution time of the $\text{store}$-statement (the abstract “point” in time when the thread's $pc$ is updated) overlaps with the execution time of the $\text{load}$-statement, the resulting value of $r$ in $T_1$ should be affected by the value of $r'$ in $T_2$, but this will not be the case.

3. A similar reasoning to that for $\text{load}$-statements holds for $\text{lock}$-statements – an unlocked lock, $lck \in \text{Lck}$, cannot simply be assigned to one of the threads in $\text{Thrd}_{\text{exe}}$ that issues $\text{lock}\ lck$. This is because in the concrete case, the lock might be assigned to another thread in $\text{Thrd}_{\text{exe}}$ (that might not yet be executing $\text{lock}\ lck$ in the abstract case). Thus, the only safe option is to make assignments to, at least, each thread specified in the considered abstract configuration that at some point might acquire $lck$. This is because these threads (even if currently not in $\text{Thrd}_{\text{exe}}$) could compete for lock $lck$ with subsequent statements. If a thread that has been assigned lock $lck$ actually does not compete for lock $lck$, this can be detected if the thread reaches a $\text{halt}$-statement or using the deadline parameter in the state for lock $lck$.

4. A transition sequence containing deadlocked configurations will not be safely approximated. In the concrete case, the threads included in the deadlock are spinning on the locks they are waiting to acquire. This means that time moves forward for these threads (given that $\text{TIME}$ is non-zero). However, in the abstract case, the threads will be frozen and their accumulated times do not increase on a transition.

To handle these issues, the analysis will be proven to safely approximate the timing bounds of any concrete configuration, $c @ \langle [T, pc_T, x_T, t_T] \mid T \in \text{Thrd} \rangle \in \text{Conf}$, in the finite collecting semantics, $\mathcal{V}(C)$, of a program in the initial states described by the configurations in $C$, such that $\forall T \in \text{Thrd} : \text{STM}(T, pc_T) = [\text{halt}]^{|prg|}$. The analysis will also be proven to safely approximate the timing bounds of some (but not all) collecting semantics that might be infinite. More on this in Chapter 6.

$\tilde{\rightarrow}_{prg}$ will be proven to be a safe approximation of $\rightarrow_{prg}$ in any finite collecting semantics, with respect to each thread individually, for any configuration, $c @ \langle [T, pc_T, x_T, t_T] \mid T \in \text{Thrd} \rangle \in \text{Conf}$, such that $|\text{Thrd}_{\text{exe}}|$ $\exists r \in \text{Reg}_r : \exists x \in \text{Var}_g : \text{STM}(T, pc_T) = [\text{load } r \text{ from } x]^{pc_T} = 0$, where $\text{Var}_g$ is the set of all global variables (i.e., variables that might transfer data between threads); i.e., either no thread issues a load-statement on a global variable, or there is such a thread and it is the sole thread that is executed, which means that $\tilde{z}$ must contain safe write history since no more writes on $x$ can occur before the given load-statement has been executed.

One thing to notice from how $\tilde{\rightarrow}_{prg}$ is defined is that an abstract configuration cannot have the same validity restrictions as a concrete configuration has (c.f., Definition 4.4). When a thread (in $\text{Thrd}_{\text{exe}}$) wants to acquire some unlocked lock, $\tilde{\rightarrow}_{prg}$ can assign the lock to any thread that at some point in the program wants to acquire the lock, as discussed in 3 above. However (quite obviously), the assigned thread might not acquire the lock with its current statement (it is also possible that the thread never acquires the lock at all with its future statements). Therefore, an abstract configuration, $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle \in \widetilde{\text{Conf}}$, must be considered temporarily valid even if $\exists lck \in \text{Lck} : (\text{OWN}(lck) \neq \bot_{\text{thrd}} \wedge \text{STM}(lck) = \text{unlocked})$. As also discussed in 3 above, however, such an abstract configuration can be considered invalid if $\exists lck \in \text{Lck} : (\text{OWN}(lck) \neq \bot_{\text{thrd}} \wedge \text{STM}(lck) = \text{unlocked} \wedge (\text{DL}(lck) \wedge (\text{ABSTIME}(\tilde{c}, \text{OWN}(lck))) \vee \text{STM}(\text{OWN}(lck), \tilde{pc}_{\text{OWN}(lck)}) = [\text{halt}]^{\tilde{pc}_{\text{OWN}(lck)}}))$, given that $\text{DL}(lck)$ is a safe approximation of when $lck$ must have been taken by some thread in the corresponding concrete cases (c.f., Lemma 5.53), if any.

In the concrete case, a free (unlocked) lock is acquired as soon as some thread tries to do so (c.f., Tables 4.2 and 4.3 and Lemma 4.5). The purpose of $\text{DLLOCK}$, defined in Algorithm 5.11, is to derive a safe approximation of this point in time (Lemma 5.53). Note that Lemma 5.51 states that accumulating time for each thread individually is safe and that Lemma 5.52 states that the timing of a thread can be analyzed in isolation from all other threads.

**Lemma 5.51 (Time accumulation):**

Given the two configurations \( c @ \langle \langle [T, pc_T, x_T, t_T] \mid T \in \text{Thrd} \rangle, l \rangle \in \text{Conf} \) and \( \tilde{c} @ \langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle \in \widetilde{\text{Conf}} \), such that \( \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \), let \( \text{Thrd}' = \{ T \in \text{Thrd}_{\tilde{c}} \mid t_T \in \gamma_t(\tilde{t}_T) \land pc_T = \tilde{pc}_T \} \). Then \( \forall T \in \text{Thrd}' : (t_T + \text{TIME}(c, T)) \in \gamma_t(\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T)) \).

**Proof.** Assume that the configurations \( c @ \langle \langle [T, pc_T, x_T, t_T] \mid T \in \text{Thrd} \rangle, l \rangle \in \text{Conf} \) and \( \tilde{c} @ \langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l} \rangle \in \widetilde{\text{Conf}} \) are such that \( \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \), and let \( \text{Thrd}' = \{ T \in \text{Thrd}_{\tilde{c}} \mid t_T \in \gamma_t(\tilde{t}_T) \land pc_T = \tilde{pc}_T \} \). Then, according to Assumption 5.50, \( \forall T \in \text{Thrd}' : \text{TIME}(c, T) \in \gamma_t(\text{ABSTIME}(\tilde{c}, T)) \). Since also \( \forall T \in \text{Thrd}' : t_T \in \gamma_t(\tilde{t}_T) \) by the definition of \( \text{Thrd}' \), and since the sum of two concrete times is contained in the interval sum, \( +_t \), of any two intervals containing them, it must be that \( \forall T \in \text{Thrd}' : (t_T + \text{TIME}(c, T)) \in \gamma_t(\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T)) \). ■

**Lemma 5.52 (Thread isolation):**

Given the two configurations \( c^0 @ \langle \langle [T, pc^0_T, x^0_T, t^0_T] \mid T \in \text{Thrd} \rangle, l^0 \rangle \in \text{Conf} \) and \( \tilde{c}^0 @ \langle \langle [T, \tilde{pc}^0_T, \tilde{x}^0_T, \tilde{t}^0_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l}^0 \rangle \in \widetilde{\text{Conf}} \), and some thread, \( T \in \text{Thrd}_{\tilde{c}} \), such that \( \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \), \( t^0_T \in \gamma_t(\tilde{t}^0_T) \), and \( pc^0_T = \tilde{pc}^0_T \), and some configuration \( c^{n+1} @ \langle \langle [T, pc^{n+1}_T, x^{n+1}_T, t^{n+1}_T] \mid T \in \text{Thrd} \rangle, l^{n+1} \rangle \in \text{Conf} \), where

\[
c^0 \rightarrow \cdots \rightarrow c^1 \rightarrow \cdots \rightarrow c^n \rightarrow \cdots \rightarrow c^{n+1}
\]

for some \( n \geq 0 \),

\[
t^{n+1}_T \in \gamma_t(\tilde{t}^0_T +_t \text{ABSTIME}(\tilde{c}^0, T) +_t \cdots +_t \text{ABSTIME}(\tilde{c}^n, T))
\]

given abstract configurations \( \tilde{c}^1, \ldots, \tilde{c}^n \in \widetilde{\text{Conf}} \) such that \( \forall i \in \{1, \ldots, n\} : \tilde{t}^i_T = \tilde{t}^{i-1}_T +_t \text{ABSTIME}(\tilde{c}^{i-1}, T) \), \( \forall i \in \{0, \ldots, n\} : pc^i_T = \tilde{pc}^i_T \), \( \forall i \in \{0, \ldots, n\} : T \in \text{Thrd}^{c^i}_{\text{exe}} \), and \( \forall c \in \{ c^0, \ldots, c^{n+1} \} \setminus \{ c^0, c^1, \ldots, c^n \} : T \notin \text{Thrd}^{c}_{\text{exe}} \), where \( \text{Thrd}^{c^i}_{\text{exe}} \) and \( \text{Thrd}^{c}_{\text{exe}} \) are as defined in Table 4.3 for all \( c^i \) and all other \( c \) on the trace from \( c^0 \) to \( c^{n+1} \).
PROOF. Assume that the configurations \( c^0 @ \langle \langle [T, pc^0_T, x^0_T, t^0_T] \mid T \in \text{Thrd} \rangle, l^0 \rangle \in \text{Conf} \) and \( \tilde{c}^0 @ \langle \langle [T, \tilde{pc}^0_T, \tilde{x}^0_T, \tilde{t}^0_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l}^0 \rangle \in \widetilde{\text{Conf}} \), and some thread, \( T \in \text{Thrd}_{\tilde{c}} \), are such that \( \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \), \( t^0_T \in \gamma_t(\tilde{t}^0_T) \) and \( pc^0_T = \tilde{pc}^0_T \). Also assume that \( c^0 \rightarrow \cdots \rightarrow c^1 \rightarrow \cdots \rightarrow c^n \rightarrow \cdots \rightarrow c^{n+1} \) for some configuration \( c^{n+1} @ \langle \langle [T, pc^{n+1}_T, x^{n+1}_T, t^{n+1}_T] \mid T \in \text{Thrd} \rangle, l^{n+1} \rangle \in \text{Conf} \) and \( n \geq 0 \), for which \( \forall i \in \{0, \ldots, n\} : T \in \text{Thrd}^{c^i}_{\text{exe}} \), and \( \forall c \in \{ c^0, \ldots, c^{n+1} \} \setminus \{ c^0, c^1, \ldots, c^n \} : T \notin \text{Thrd}^{c}_{\text{exe}} \).

From Table 4.3, it is easy to see that (the accumulated time of \( T \) is unchanged by a transition from any configuration \( c \) with \( T \notin \text{Thrd}^{c}_{\text{exe}} \)):

\[
\begin{align*}
t^1_T &= t^0_T + \text{TIME}(c^0, T) \\
&\;\;\vdots \\
t^{n+1}_T &= t^n_T + \text{TIME}(c^n, T) = t^0_T + \text{TIME}(c^0, T) + \cdots + \text{TIME}(c^n, T)
\end{align*}
\]

Let \( \{ \tilde{c}^0, \ldots, \tilde{c}^n \} \), where \( \tilde{c}^i @ \langle \langle [T, \tilde{pc}^i_T, \tilde{x}^i_T, \tilde{t}^i_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{l}^i \rangle \), be a set of abstract configurations such that \( \tilde{c}^0 \) has the properties assumed above, \( \forall i \in \{1, \ldots, n\} : pc^i_T = \tilde{pc}^i_T \) and \( \forall i \in \{1, \ldots, n\} : \tilde{t}^i_T = \tilde{t}^{i-1}_T +_t \text{ABSTIME}(\tilde{c}^{i-1}, T) \). Then, applying Lemma 5.51 to each step in turn (the membership \( t^i_T \in \gamma_t(\tilde{t}^i_T) \) required for step \( i \) is exactly the conclusion of step \( i - 1 \)):

\[
\begin{align*}
(t^0_T + \text{TIME}(c^0, T)) &\in \gamma_t(\tilde{t}^0_T +_t \text{ABSTIME}(\tilde{c}^0, T)) \\
&\;\;\vdots \\
(t^n_T + \text{TIME}(c^n, T)) &\in \gamma_t(\tilde{t}^n_T +_t \text{ABSTIME}(\tilde{c}^n, T))
\end{align*}
\]

Since \( t^{n+1}_T = t^n_T + \text{TIME}(c^n, T) \) and \( \tilde{t}^n_T +_t \text{ABSTIME}(\tilde{c}^n, T) = \tilde{t}^0_T +_t \text{ABSTIME}(\tilde{c}^0, T) +_t \cdots +_t \text{ABSTIME}(\tilde{c}^n, T) \), this concludes the proof. ■
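As an added illustration, not code from the thesis or from any tool it describes, the following block models abstract time as intervals and exercises two points made above: the execution window of Table 5.6 that selects $\text{Thrd}_{\text{exe}}$, and Assumption 5.50 together with Lemmas 5.51 and 5.52, i.e., that when $\text{ABSTIME}$ is non-negative and contains $\text{TIME}$ at every step, the interval sum over a trace contains the concrete accumulated time. The interval type, the helper names (`execution_window`, `threads_to_execute`, `abstime_is_safe`, `trace_is_sound`) and all thread ids and timing values are my own constructions, and the membership test for $\text{Thrd}_{\text{exe}}$ assumes, as I read Table 5.6, that a thread is included exactly when its accumulated-time interval intersects the window.

```python
# Added example (not from the thesis): an interval model of abstract time,
# Time~ = Intv, illustrating the execution window of Table 5.6 and the
# step-wise soundness argument of Assumption 5.50 / Lemmas 5.51-5.52.
# All names, thread ids and timing values are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Intv:
    """Closed integer interval [lo, hi]; gamma_t(Intv) = {t | lo <= t <= hi}."""
    lo: int
    hi: int

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError("empty interval")

    def __add__(self, other):          # +_t : interval addition
        return Intv(self.lo + other.lo, self.hi + other.hi)

    def join(self, other):             # cup_t : least upper bound
        return Intv(min(self.lo, other.lo), max(self.hi, other.hi))

    def meets(self, other):            # is cap_t of the two non-empty?
        return max(self.lo, other.lo) <= min(self.hi, other.hi)

    def contains(self, t):             # t in gamma_t(self)
        return self.lo <= t <= self.hi


def alpha(values):
    """alpha_t: the smallest interval covering a set of concrete times."""
    return Intv(min(values), max(values))


def execution_window(acc_times):
    """Window of Table 5.6: from the earliest time some thread *might* execute
    its active statement to the earliest time some thread *must* execute it."""
    return Intv(min(i.lo for i in acc_times.values()),
                min(i.hi for i in acc_times.values()))


def threads_to_execute(acc_times):
    """Thrd_exe (assumed rule): every thread whose accumulated time overlaps
    the execution window."""
    window = execution_window(acc_times)
    return {T for T, i in acc_times.items() if i.meets(window)}


def abstime_is_safe(time_c, abstime):
    """Assumption 5.50 for one step: ABSTIME is non-negative and its
    concretisation contains the concrete TIME of the same step."""
    return abstime.lo >= 0 and abstime.contains(time_c)


def accumulate(t0_abs, abstimes):
    """Right-hand side of Lemma 5.52: t~0 +_t ABSTIME(c~0,T) +_t ... +_t ABSTIME(c~n,T)."""
    acc = t0_abs
    for a in abstimes:
        acc = acc + a
    return acc


def trace_is_sound(t0, t0_abs, times, abstimes):
    """Check the per-step conditions and report whether the abstract sum
    contains the concrete accumulated time t0 + TIME(c0,T) + ... + TIME(cn,T)."""
    if not t0_abs.contains(t0):
        return False
    if not all(abstime_is_safe(tc, ta) for tc, ta in zip(times, abstimes)):
        return False
    return accumulate(t0_abs, abstimes).contains(t0 + sum(times))


# Constructed sample: three threads and their accumulated-time intervals.
SAMPLE_ACC = {"T1": Intv(0, 4), "T2": Intv(3, 9), "T3": Intv(7, 10)}

# Constructed trace for one thread: concrete TIME per step, and the interval
# ABSTIME returned for the matching abstract configuration of that step.
SAMPLE_T0, SAMPLE_T0_ABS = 2, Intv(1, 3)
SAMPLE_TIMES = [3, 5, 2]
SAMPLE_ABSTIMES = [Intv(2, 4), Intv(5, 6), Intv(1, 3)]

if __name__ == "__main__":
    print("window:", execution_window(SAMPLE_ACC))
    print("Thrd_exe:", sorted(threads_to_execute(SAMPLE_ACC)))
    print("abstract sum:", accumulate(SAMPLE_T0_ABS, SAMPLE_ABSTIMES))
    print("sound:", trace_is_sound(SAMPLE_T0, SAMPLE_T0_ABS,
                                   SAMPLE_TIMES, SAMPLE_ABSTIMES))
```

With the constructed values the window is $[0, 4]$: T3 cannot start its statement before time 7, later than the time by which T1 must have started, so $\text{Thrd}_{\text{exe}} = \{T1, T2\}$. The abstract sum $[9, 16]$ contains the concrete accumulated time 12, while `trace_is_sound` reports failure as soon as a single step violates Assumption 5.50 (a negative lower bound, or an $\text{ABSTIME}$ that misses the concrete $\text{TIME}$), which is exactly the situation Lemma 5.52 excludes.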

**Lemma 5.53 (Soundness of DLLOCK):**

Given the valid concrete configurations (c.f., Definition 4.4), abstract configurations and lock

\[
\begin{align*}
c^0 @ \langle \{\tau, pc^0_T, \tau^0_\tau, T^0_\tau \} \cap \text{Thrd}_c, \tau^0 \rangle &\in \text{Conf}, \\
c^m @ \langle \{\tau, pc^m_T, \tau^m_\tau, T^m_\tau \} \cap \text{Thrd}_c, \tau^m \rangle &\in \text{Conf}, \\
c^n @ \langle \{\tau, pc^n_T, \tau^n_\tau, T^n_\tau \} \cap \text{Thrd}_c, \tau^n \rangle &\in \text{Conf}, \\
c^0 @ \langle \{\tau, pc^0_T, \tau^0_\tau, T^0_\tau \} \cap \text{Thrd}_c, \tau^0 \rangle &\in \text{Conf}, \\
c^j @ \langle \{\tau, pc^j_T, \tau^j_\tau, T^j_\tau \} \cap \text{Thrd}_c, \tau^j \rangle &\in \text{Conf}, \text{ and} \\
lck &\in \text{Lck},
\end{align*}
\]
such that

\[
0 \leq m \leq n, \\
0 \leq j, \\
\text{Thrd}_{\text{ej}} \subseteq \text{Thrd}_{\text{ej}} \subseteq \text{Thrd}, \\
\forall i \in \{m, \ldots, n\} : \text{OWN}(\text{lck}) = \bot_{\text{thr}}, \\
\text{REL}(\text{lck}) \in \gamma_{\text{rel}}(\text{REL}(\text{lck})), \\
\exists T \in \text{Thrd}_{\text{ej}} : (\text{STM}(T, pc)^{\text{ej}}_{T}) = [\text{lock lck}]^{\text{inputs}^0}_T \times [\text{lock lck}]^{\text{inputs}^0}_T \in \gamma_{\text{lock lck}}^{\text{inputs}^0} \land \\
\text{pc}^{\text{ej}}_{T} = \text{pc}^{0}_{T} = \text{pc}^{0}_{T} \land T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^0} \land \\
\forall i \in \{0, \ldots, n\} : \text{OWN}(\text{lck}) \neq T), \\
\forall i \in \{m, \ldots, n - 1\} : \forall T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^i} : \text{STM}(T, pc)^{\text{ej}}_{T} \neq [\text{lock lck}]^{\text{inputs}^i}_T, \\
\text{where Thrd}_{\text{ej}}^{\text{outputs}^i} \text{ is as defined in Table 4.3 for } e^i, \text{ DLOCK satisfies:}
\]

\[
\min\{\{e^{\text{outputs}^i} + \text{TIME}(e^i, T) \mid T \in \text{Thrd}\}\} \in \gamma_\text{DLOCK}(\text{ej}, \text{lck}) \tag*{\square}
\]

**PROOF.** Given the valid concrete configurations (c.f., Definition 4.4), abstract configurations and lock

\[
\text{Thrd}_{\text{ej}}^{\text{inputs}^0} \subseteq \text{Thrd}_{\text{ej}}^{\text{outputs}^0} \subseteq \text{Thrd}, \\
\forall i \in \{m, \ldots, n\} : \text{OWN}(\text{lck}) = \bot_{\text{thr}}, \\
\text{REL}(\text{lck}) \in \gamma_{\text{rel}}(\text{REL}(\text{lck})), \\
\exists T \in \text{Thrd}_{\text{ej}}^{\text{inputs}^0} : (\text{STM}(T, pc)^{\text{ej}}_{T}) = [\text{lock lck}]^{\text{inputs}^0}_T \times [\text{lock lck}]^{\text{inputs}^0}_T \in \gamma_{\text{lock lck}}^{\text{inputs}^0} \land \\
\text{pc}^{\text{ej}}_{T} = \text{pc}^{0}_{T} = \text{pc}^{0}_{T} \land T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^0} \land \\
\forall i \in \{0, \ldots, n\} : \text{OWN}(\text{lck}) \neq T), \\
\forall i \in \{m, \ldots, n - 1\} : \forall T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^i} : \text{STM}(T, pc)^{\text{ej}}_{T} \neq [\text{lock lck}]^{\text{inputs}^i}_T,
\]

are such that

\[
0 \leq m \leq n, \\
0 \leq j, \\
\text{Thrd}_{\text{ej}}^{\text{inputs}^0} \subseteq \text{Thrd}_{\text{ej}}^{\text{outputs}^0} \subseteq \text{Thrd}, \\
\forall i \in \{m, \ldots, n\} : \text{OWN}(\text{lck}) = \bot_{\text{thr}}, \\
\text{REL}(\text{lck}) \in \gamma_{\text{rel}}(\text{REL}(\text{lck})), \\
\exists T \in \text{Thrd}_{\text{ej}}^{\text{inputs}^0} : (\text{STM}(T, pc)^{\text{ej}}_{T}) = [\text{lock lck}]^{\text{inputs}^0}_T \times [\text{lock lck}]^{\text{inputs}^0}_T \in \gamma_{\text{lock lck}}^{\text{inputs}^0} \land \\
\text{pc}^{\text{ej}}_{T} = \text{pc}^{0}_{T} = \text{pc}^{0}_{T} \land T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^0} \land \\
\forall i \in \{0, \ldots, n\} : \text{OWN}(\text{lck}) \neq T), \\
\forall i \in \{m, \ldots, n - 1\} : \forall T \in \text{Thrd}_{\text{ej}}^{\text{outputs}^i} : \text{STM}(T, pc)^{\text{ej}}_{T} \neq [\text{lock lck}]^{\text{inputs}^i}_T,
\]
where $\text{Thrd}^{c_i}_e$ is as defined in Table 4.3 for $c_i$. First note that:

- Since $\forall i \in \{m, \ldots, n-1\} : \forall T \in \text{Thrd}^{c_i}_e : (\text{STM}(T, pc^0_T) \neq [\text{lock} \ \text{lk}\text{c}]_{\text{pc}}^0 \land \text{OWN}(1^n \ lck) = \bot_{\text{thrd}})$, it must be that $\text{REL}(1^n \ lck) = \text{REL}(1^n \ lck)$ (Tables 4.2 and 4.3).

- Since $\forall i \in \{m, \ldots, n-1\} : \text{OWN}(1^n \ lck) = \bot_{\text{thrd}}$ and $\text{REL}(1^n \ lck) = \text{REL}(1^n \ lck)$, it must be that $\forall T \in \text{Thrd} : t^n_T \leq \text{REL}(1^n \ lck)$ (Tables 4.2 and 4.3 and Lemma 4.2).

- Since time only moves forward (Lemma 4.2), it must be that for $c_i$, $\forall T \in \text{Thrd} : \text{REL}(1^n \ lck) \leq t^n_T + \text{TIME}(c_i, T)$.

- Since $\forall i \in \{m, \ldots, n-1\} : \forall T \in \text{Thrd}^{c_i}_e : \text{STM}(T, pc^0_T) \neq [\text{lock} \ \text{lk}\text{c}]_{\text{pc}}^0$, it must be that $\forall T \in \text{Thrd} : (\text{STM}(T, pc^0_T) = [\text{lock} \ \text{lk}\text{c}]_{\text{pc}}^0 \Rightarrow t^n_T = t^n_T)$ (Tables 4.2 and 4.3).

- Since $\exists T \in \text{Thrd}_i : (\text{STM}(T, pc^0_T) = [\text{lock} \ \text{lk}\text{c}]_{\text{pc}}^0 \land t^n_T \in \gamma(1^n_T) \land i^n_T = i^n_T \land pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T \in \text{Thrd}_i \land \forall i \in \{0, \ldots, n\} : \text{OWN}(1^n \ lck) = \bot_T)$. From here on, it will be assumed that $T' \in \text{Thrd}_i$ is one of the threads such that $\text{STM}(T', pc^0_T) = [\text{lock} \ \text{lk}\text{c}]_{\text{pc}}^0 \land t^n_T \leq \text{REL}(1^n \ lck) \leq t^n_T + \text{TIME}(c_i, T') \land t^n_T \in \gamma(1^n_T) \land i^n_T = i^n_T \land pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T = pc^0_T \in \text{Thrd}_i \land \forall i \in \{0, \ldots, n\} : \text{OWN}(1^n \ lck) = \bot_T).

- Let $\{m_1, \ldots, m_2\}$ be the set of indices, such that $0 \leq m_1 \leq m_2 < m$, $\forall i \in \{m_1, \ldots, m_2\} : T' \in \text{Thrd}^{c_i}_e$ and $\forall i \in \{0, \ldots, m\} \setminus \{m_1, \ldots, m_2\} : T' \not\in \text{Thrd}^{c_i}_e$, where $\text{Thrd}^{c_i}_e$ is as defined in Table 4.3 for $c_i$ (note that it is possible that $\{m_1, \ldots, m_2\} = \emptyset$; it should also be noted that $T' \not\in \text{Thrd}^{c_i}_e$). Since $\text{Thrd}_i \subseteq \text{Thrd}$, $t^n_T \in \gamma(1^n_T)$, $i^n_T = i^n_T$, $c_i \rightarrow \cdots \rightarrow c^m$ and $0 \leq m$, it is easy to see that every configuration, $c'$, created by the repeat-loop within DLLOCK($\tilde{c}$, lck) fulfills the assumptions of Lemma 5.52. Furthermore, it is easy to see that (according to Lemma 5.52)

\[ t^{m}_T \in \gamma(T^{D}_D, \hat{T}) \triangleq \text{ABSTIME}(c^{m_1}, T') \triangleq \ldots \triangleq \text{ABSTIME}(c^{m_2}, T') \]

where \( c^{m_1}, \ldots, c^{m_2} \) correspond to a \( c' \) derived by the repeat-loop (in total, there are \( |\{m_1, \ldots, m_2\}| \) \( c' \)-configurations for the expression above).

For the sake of readability, let

\[ \tilde{t}^{m}_T = \hat{t}^{D}_D, \hat{T}, \text{ABSTIME}(c^{m_1}, T') \triangleq \ldots \triangleq \text{ABSTIME}(c^{m_2}, T') \]

\[ c'^{m} = (\langle [T, \text{pc}_T, \tilde{x}_T, (T = T' ? \tilde{t}^{m}_T : \tilde{t}^{D}_D) \rangle | \tilde{T} \in \text{Thrd} \rangle, \tilde{z}_T, \tilde{I}) \]

where \( c^{m_1}, \ldots, c^{m_2} \) are defined as in the bullet above.

Assuming that \( \tilde{t}^{m}_T \) is safe at the start of each loop-iteration of the for all \( T \in \text{Thrd} \)-loop, where \( T \) is such that \( \text{STM}(T, \text{pc}^{D}_T) = [\text{lock} lck]^{m_2} \), it should be shown that \( \min(\{\tilde{t}^{m}_T, \text{TIME}(c^{m}, T) | T \in \text{Thrd} \}) \) is always fulfilled at the end of each loop-iteration. It is easy to see that the initial value of \( \tilde{t}^{m}_T \) (i.e., \( \tilde{t}^{D}_D \)) is trivially safe since \( \forall T \in \text{Thrd} : T^{D}_D + \text{TIME}(c^{m}, T) \in \gamma(\tilde{t}^{D}_D) \). Note that \( \forall c \in \text{Conf} : \forall T \in \text{Thrd} : \text{TIME}(c, T) \geq 0 \) (Assumption 4.1). Several cases need to be considered.

1. If \( \text{TIME}(c^{m}, T') = 0 \), then \( t^{m}_T = t^{D}_D + \text{TIME}(c^{m}, T') = t^{m}_T = \text{REL}(T^{D}_D, lck) \)
   (remember that \( t^{D}_D = t^{D}_D \) and \( \text{REL}(T^{D}_D, lck) = \text{REL}(T^{D}_D, lck) \)) and \( 0 \in \text{ABSTIME}(c'^{m}, T') \) (Assumption 5.50). Since \( 0 \in \gamma(\text{ABSTIME}(c'^{m}, T')) \), it will not be possible to determine a \( \tilde{t}^{m}_T \) such that \( \text{REL}(\tilde{T}, lck) \triangleright \tilde{t}^{m}_T \). However, for the iteration of the repeat-loop for which \( 0 \in \text{ABSTIME}(c'^{m}, T') \), it must be that \( \text{REL}(\tilde{T}, lck) \triangleright \tilde{t}^{m}_T \). \text{REL}(\tilde{T}, lck) provides a safe base for when \( T' \) would acquire \( lck \) since \( \text{REL}(T^{D}_D, lck) \in \gamma(\text{REL}(\tilde{T}, lck)) \). Thus, according to Assumption 5.50, it must be that \( (t^{D}_D + \text{TIME}(c'^{m}, T')) \in \gamma(\tilde{T}, lck, \text{ABSTIME}(c'^{m}, T')) \bigcup \alpha_r(\{-\infty\}) \), where \( t^{m} = (\langle [T, \text{pc}_T, \tilde{x}_T, (T = T' ? \tilde{t}^{m}_T : \tilde{t}^{D}_D) \rangle | \tilde{T} \in \text{Thrd} \rangle, \tilde{z}_T, \tilde{I}) \). But then, it is easy to see that \( \min(\{t^{D}_D + \text{TIME}(c'^{m}, T') | T \in \text{Thrd} \}) \in \gamma(\langle (\tilde{T}, lck, \text{ABSTIME}(c'^{m}, T')) \bigcup \alpha_r(\{-\infty\}) \rangle \cap \tilde{I}^{D}_D) \).

2. If \( \text{TIME}(c'^{m}, T') > 0 \), then two cases must be considered.
   
   (a) If \( 0 \in \gamma(\text{ABSTIME}(c'^{m}, T')) \) (or for any \( c' \) of the repeat-loop), it will not be possible to determine a \( \tilde{t}^{m}_T \) such that \( \text{REL}(\tilde{T}, lck) \triangleright \tilde{t}^{m}_T \). However, this proof is the same as that of 1 above.
   (b) If $0 \notin \gamma_t(\text{ABSTIME}(\tilde{c}'^{m}, T'))$ (as well as for all $\tilde{c}'$ of the repeat-loop), then a $\tilde{t}^{m}_{T'}$ such that $\text{REL}(\tilde{l}\ lck) \preceq_t \tilde{t}^{m}_{T'}$ can be derived. Since $t^{m}_{T'} \leq \text{REL}(l^{m}\ lck)$, $\text{REL}(l^{m}\ lck) \in \gamma_t(\text{REL}(\tilde{l}\ lck))$ and $t^{m}_{T'} \in \gamma_t(\tilde{t}^{m}_{T'})$, it must be that $\text{REL}(\tilde{l}\ lck) \not\preceq_t \tilde{t}^{m}_{T'}$, and thus, the repeat-loop will iterate at least once more when $\tilde{t}_a' = \tilde{t}^{m}_{T'}$. Since $\text{REL}(l^{m}\ lck) < t^{m}_{T'} + \text{TIME}(c^{m}, T')$, it must be that (since $t^{m}_{T'} = t^{n}_{T'}$) $t^{m}_{T'} + \text{TIME}(c^{m}, T') \in \gamma_t(\tilde{t}_a' \cup_t \alpha_t(\{\infty\}))$, where $\tilde{t}_a'$ and $\tilde{c}'$ are derived from $\tilde{c}'^{m}$ by the repeat-loop, and thus $\max(\gamma_t(\tilde{t}^{m}_{T'})) \leq \max(\gamma_t(\tilde{t}_a'))$ (c.f., Assumption 5.50). But then, it is easy to see that $\min(\{ t^{m}_T + \text{TIME}(c^{m}, T) \mid T \in \text{Thrd} \}) \in \gamma_t((\tilde{t}_a' \cup_t \alpha_t(\{\infty\})) \cap_t \tilde{t}_{dl})$.

Thus, it must be that:

\[
\min(\{ t^{m}_T + \text{TIME}(c^{m}, T) \mid T \in \text{Thrd} \}) \in \gamma_t(\text{DLLOCK}(\tilde{c}^{j}, lck))
\]

■

The accumulated time, $\tilde{t}_T \in \widetilde{\text{Time}}$, for a thread, $T \in \text{Thrd}_{\tilde{c}}$, is determined using $\text{ACCTIME}$, defined in Algorithm 5.12, which is partially a safe approximation of the concrete accumulated time of $T$ (Lemma 5.54). This is because the way that time accumulates for threads executing $\text{lock}\ lck$, for some lock $lck \in \text{Lck}$ that is currently acquired by some other thread, differs between the concrete and abstract semantics. In the concrete semantics, the $\text{lock}$-statement is just considered to finish its execution, without successfully acquiring $lck$, after the (relative) time given by $\text{TIME}$; then a new instance of the same $\text{lock}$-statement is executed (c.f., Tables 4.2 and 4.3); i.e., the thread is actively spinning on the lock.

In the abstract semantics (c.f., Tables 5.5 and 5.6 and Algorithms 5.11 and 5.12), a thread issuing $\text{lock}\ lck$, for some lock $lck \in \text{Lck}$ that is currently acquired by some other thread, is frozen until it is assigned $lck$, if this ever occurs; i.e., the thread's accumulated time is not increased while it is waiting to be assigned $lck$. When (and if) the thread is later assigned $lck$, its accumulated execution time is advanced based on when $lck$ became free (unlocked).

If the lock, $lck \in \text{Lck}$, is not currently assigned to some other thread when some thread issues $\text{lock}\ lck$, the behavior is the same in both the concrete and abstract semantics in case the lock-issuing thread successfully acquires $lck$; i.e., the thread's execution time is accumulated based on $\text{TIME}$ and $\text{ABSTIME}$, respectively.
**Lemma 5.54 (Partial soundness of $\text{ACCTIME}$):**

Given the valid concrete configuration $c @ \langle \langle [T, pc_T, x_T, t_T] \mid T \in \text{Thrd} \rangle, x, l \rangle \in \text{Conf}$ (c.f., Definition 4.4), the abstract configuration $\tilde{c} @ \langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{x}, \tilde{l} \rangle \in \widetilde{\text{Conf}}$, and some thread, $T \in \text{Thrd}_{\tilde{c}}$, such that

$$
\begin{aligned}
& \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \;\land\; pc_T = \tilde{pc}_T \;\land\; t_T \in \gamma_t(\tilde{t}_T) \;\land \\
& ((T \in \text{Thrd}^{c}_{\text{exe}} \land \forall lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \Rightarrow (\text{OWN}(l'\ lck) = T \land \text{OWN}(\tilde{l}'\ lck) = T))) \iff T \in \text{Thrd}^{\tilde{c}}_{\text{exe}}) \;\land \\
& \forall lck \in \text{Lck} : (\text{OWN}(\tilde{l}'\ lck) = T \Rightarrow (\text{OWN}(l'\ lck) = \text{OWN}(\tilde{l}'\ lck) \;\land \\
& \qquad \text{DL}(l'\ lck) \in \gamma_t(\text{DL}(\tilde{l}'\ lck)) \;\land \\
& \qquad \text{POWN}(l'\ lck) = \text{POWN}(\tilde{l}'\ lck) \;\land \\
& \qquad \text{REL}(l'\ lck) \in \gamma_t(\text{REL}(\tilde{l}'\ lck)) \;\land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{l}'\ lck))) = -\infty))
\end{aligned}
$$

where $\text{Thrd}^{c}_{\text{exe}}$ and $l'$, and $\text{Thrd}^{\tilde{c}}_{\text{exe}}$ and $\tilde{l}'$, are as defined in Tables 4.3 and 5.6, respectively,

$$t'_T \in \gamma_t(\text{ACCTIME}(\langle \langle [T, \tilde{pc}_T, \tilde{x}_T, \tilde{t}_T] \mid T \in \text{Thrd}_{\tilde{c}} \rangle, \tilde{x}, \tilde{l}' \rangle, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T))$$

where $t'_T$ is as defined in Table 4.3.

PROOF. Assume that the (valid; c.f., Definition 4.4) configurations $c @ \langle [T, pc_T, \mathbb{r}_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle \in \text{Conf}$ and $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{\mathbb{r}}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle \in \widetilde{\text{Conf}}$ and the thread $T \in \text{Thrd}_{\tilde{c}}$ are such that

\[
\begin{align*}
& \text{Thrd}_{\tilde{c}} \subseteq \text{Thrd} \land {} \\
& pc_T = \tilde{pc}_T \land {} \\
& t_T \in \gamma_t(\tilde{t}_T) \land {} \\
& \big( T \in \text{Thrd}^{c}_{\text{exe}} \land \forall lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock } lck]^{pc_T} \Rightarrow (\text{OWN}(\mathbb{l}'\ lck) = T \land \text{OWN}(\tilde{\mathbb{l}}'\ lck) = T)) \big) \iff T \in \text{Thrd}^{\tilde{c}}_{\text{exe}} \land {} \\
& \forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}'\ lck) = T \Rightarrow (\text{OWN}(\mathbb{l}'\ lck) = \text{OWN}(\tilde{\mathbb{l}}'\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}'\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}'\ lck) = \text{POWN}(\tilde{\mathbb{l}}'\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}'\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}'\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck))) = -\infty)),
\end{align*}
\]

where $\text{Thrd}^{c}_{\text{exe}}$ and $\mathbb{l}'$, and $\text{Thrd}^{\tilde{c}}_{\text{exe}}$ and $\tilde{\mathbb{l}}'$, are as defined in Tables 4.3 and 5.6, respectively.

For the sake of readability, let $\tilde{c} = \langle [T, \tilde{pc}_T, \tilde{\mathbb{r}}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}}' \rangle$ when considering the following cases. Note that $\widetilde{\text{Time}} = \text{Intv}$.

1. If $T \notin \text{Thrd}^{c}_{\text{exe}}$ (and thus, $T \notin \text{Thrd}^{\tilde{c}}_{\text{exe}}$), then $t'_T = t_T$ (Table 4.3) and $\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T) = \tilde{t}_T$. Thus, $t'_T \in \gamma_t(\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T))$.
2. If $T \in \text{Thrd}^{c}_{\text{exe}}$ and for some $a \in \text{Aexp}$, $b \in \text{Bexp}$, $l \in \text{Lbl}_T$, $r \in \text{Reg}_T$, $x \in \text{Var}$ and $lck \in \text{Lck}$, $\text{STM}(T, pc_T) \in \{[\text{skip}]^{pc_T}, [r := a]^{pc_T}, [\text{if } b \text{ goto } l]^{pc_T}, [\text{store } r \text{ to } x]^{pc_T}, [\text{load } r \text{ from } x]^{pc_T}, [\text{unlock } lck]^{pc_T}\}$, i.e., $\forall lck' \in \text{Lck} : \text{STM}(T, pc_T) \neq [\text{lock } lck']^{pc_T}$ (and thus, $T \in \text{Thrd}^{\tilde{c}}_{\text{exe}}$ since $T \in \text{Thrd}^{c}_{\text{exe}} \land \forall lck' \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock } lck']^{pc_T} \Rightarrow (\text{OWN}(\mathbb{l}'\ lck') = T \land \text{OWN}(\tilde{\mathbb{l}}'\ lck') = T)) \iff T \in \text{Thrd}^{\tilde{c}}_{\text{exe}}$), then $\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T) = \tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)$. Thus, $t'_T \in \gamma_t(\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T))$ (Lemma 5.51).
3. If $T \in \text{Thrd}^{c}_{\text{exe}}$ and for some $lck \in \text{Lck}$, $\text{STM}(T, pc_T) = [\text{lock } lck]^{pc_T}$ and $\text{OWN}(\mathbb{l}'\ lck) = T$ (and thus, $T \in \text{Thrd}^{\tilde{c}}_{\text{exe}}$ since $T \in \text{Thrd}^{c}_{\text{exe}} \land \forall lck' \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock } lck']^{pc_T} \Rightarrow (\text{OWN}(\mathbb{l}'\ lck') = T \land \text{OWN}(\tilde{\mathbb{l}}'\ lck') = T)) \iff T \in \text{Thrd}^{\tilde{c}}_{\text{exe}}$), then several cases need to be considered. Note that $\min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck))) = -\infty$ since $\forall lck' \in \text{Lck} : (\text{OWN}(\mathbb{l}'\ lck') = T \Rightarrow \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck'))) = -\infty)$ and $\text{OWN}(\mathbb{l}'\ lck) = T$, and that $T$ cannot acquire $lck$ at any time, $i$, such that $i \leq \text{REL}(\mathbb{l}'\ lck)$, since $lck$ has not been released at $i$, or $\text{DL}(\mathbb{l}'\ lck) \leq i$, since by then some other thread would have taken $lck$ (c.f., Tables 5.5 and 5.6).
(a) If $\text{STT}(\tilde{\mathbb{l}}'\ lck) = \text{locked}$ (and $\text{STT}(\mathbb{l}'\ lck) = \text{locked}$ since $c$ is valid and $\text{OWN}(\mathbb{l}'\ lck) \neq \bot_{\text{thrd}}$), then $t'_T = t_T + \text{TIME}(c, T)$ and $\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T) = \tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)$. Thus, $t'_T \in \gamma_t(\text{ACCTIME}(\tilde{c}, \text{Thrd}^{\tilde{c}}_{\text{exe}}, T))$ (Lemma 5.51).

(b) Assume that $\text{STT}(\tilde{\mathbb{l}}'\ lck) = \text{unlocked} \land \text{DL}(\tilde{\mathbb{l}}'\ lck) \leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T))$. Then, in the concrete case, it must be that $T$ cannot be the thread acquiring $lck$ since $\text{DL}(\mathbb{l}'\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck))$, $t_T \in \gamma_t(\tilde{t}_T)$, $\text{TIME}(c, T) \in \gamma_t(\text{ABSTIME}(\tilde{c}, T))$ and $t_T + \text{TIME}(c, T) = \text{DL}(\mathbb{l}'\ lck)$ whenever $T$ acquires $lck$ (Tables 4.2 and 4.3). But then it cannot be that $\text{STT}(\tilde{\mathbb{l}}'\ lck) = \text{unlocked} \land \text{DL}(\tilde{\mathbb{l}}'\ lck) \leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T))$, since in the concrete case $T$ does successfully acquire $lck$, which means that the corresponding branch cannot apply for the given case. (Note that such a $\tilde{c}$ will not be further considered; c.f., Algorithm 6.6 and Tables 5.5 and 5.6.)

(c) Note that the $\text{STT}(\tilde{\mathbb{l}}'\ lck) = \text{unlocked} \land \text{DL}(\tilde{\mathbb{l}}'\ lck) \not\leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \land (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \leq \text{REL}(\tilde{\mathbb{l}}'\ lck)$ conditioned branch, which applies to cases where $T$ has been frozen for sure while waiting to acquire $lck$ but has now been assigned $lck$, cannot be taken either. To see this, note that since $c$ is valid, it must be that $\text{REL}(\mathbb{l}'\ lck) \leq t_T + \text{TIME}(c, T)$ (Definition 4.4). Then, since $t_T \in \gamma_t(\tilde{t}_T)$, $\text{TIME}(c, T) \in \gamma_t(\text{ABSTIME}(\tilde{c}, T))$ (c.f., Assumption 5.50), $\text{OWN}(\mathbb{l}'\ lck) = T$ and $\text{OWN}(\mathbb{l}'\ lck) = T \Rightarrow \text{REL}(\mathbb{l}'\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}'\ lck))$, it must be that $(\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \not\leq \text{REL}(\tilde{\mathbb{l}}'\ lck)$. This branch is further considered when the freezing of threads is proven to be safe (c.f., the proof of Lemma 5.57).

(d) If $\text{STT}(\tilde{\mathbb{l}}'\ lck) = \text{unlocked} \land \text{DL}(\tilde{\mathbb{l}}'\ lck) \not\leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \land (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \not\leq \text{REL}(\tilde{\mathbb{l}}'\ lck) \land (\text{POWN}(\tilde{\mathbb{l}}'\ lck) = T \lor \text{REL}(\tilde{\mathbb{l}}'\ lck) \leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)))$, then two cases must be considered.

i. If $\text{POWN}(\tilde{\mathbb{l}}'\ lck) = T$, then the sequential execution of the statements of a thread (c.f., Tables 4.2 and 4.3) gives that $T$ must acquire $lck$ at $t_T + \text{TIME}(c, T)$, but not at a point in time, $\lambda$, such that $\text{DL}(\mathbb{l}'\ lck) \leq \lambda$, because by then, some other thread must have already acquired $lck$ (since $\text{DL}(\mathbb{l}'\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}'\ lck))$). Thus, it must be that $t'_T \in \gamma_t((\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T)) \land \text{DL}(\tilde{\mathbb{l}}'\ lck))$.

ii. If $\text{REL}(\tilde{\mathbb{l}}'\ lck) \leq (\tilde{t}_T + \text{ABSTIME}(\tilde{c}, T))$, then Lemma 5.51
This concludes the proof.

5.8 Abstract Semantics

It is important to notice that all the possible orders in which threads can acquire a lock in the concrete case are covered by the abstract transition relations, even though $\widetilde{\text{Time}} = \text{Intv}$. Since $\widetilde{\text{Time}} = \text{Intv}$, $\text{Thrd}_{\text{exe}}$ might differ between the concrete and abstract cases, as discussed above. This means that even if some thread is the first in a set of threads to issue a lock-statement acting on some lock, $lck \in \text{Lck}$, some other thread could issue its corresponding $\text{lock } lck$-statement first in the abstract case. Lemma 5.55 states that even if this happens, the first thread will be assigned, and eventually acquire, $lck$ anyway for some transition sequence(s).
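The coverage argument above, as an added illustration in Python (not the thesis's own code, and not its Table 5.5/5.6 definitions): the arrival-time model, the thread names and the rule for which thread may be first are assumptions made for this example only.

```python
"""Illustration (added here, not the thesis's own code) of the point that
interval-valued thread times cover every concrete lock-acquisition order.

Model (an assumption for this example): each thread reaches its lock-statement
at a concrete time t_T; abstractly only an interval [lo_T, hi_T] containing t_T
is known.  Concretely the earliest-arriving thread acquires the lock, then the
next earliest, and so on.  Abstractly, any thread whose earliest possible
arrival does not exceed every other thread's latest possible arrival may be
the first to acquire, so the analysis has to account for all of them.
"""
from itertools import product


def concrete_order(arrivals):
    """arrivals: {thread: concrete time}.  Acquisition order is arrival order
    (ties broken by thread name, a convention chosen for this example)."""
    return tuple(sorted(arrivals, key=lambda t: (arrivals[t], t)))


def abstract_candidates(intervals):
    """Threads that may arrive first, given intervals {thread: (lo, hi)}."""
    cands = set()
    for t, (lo, _hi) in intervals.items():
        others_hi = [hi for u, (_lo, hi) in intervals.items() if u != t]
        if not others_hi or lo <= min(others_hi):
            cands.add(t)
    return cands


def abstract_orders(intervals):
    """All acquisition orders the interval model must account for: pick any
    candidate as the next acquirer, then recurse on the remaining threads."""
    if not intervals:
        return {()}
    orders = set()
    for t in abstract_candidates(intervals):
        rest = {u: iv for u, iv in intervals.items() if u != t}
        for tail in abstract_orders(rest):
            orders.add((t,) + tail)
    return orders


def is_covered(arrivals, intervals):
    """Soundness check for one concrete instance: its order must be among
    the abstract orders.  Raises if the instance contradicts the intervals."""
    for t, at in arrivals.items():
        lo, hi = intervals[t]
        if not lo <= at <= hi:
            raise ValueError(f"{t}: concrete time {at} outside {intervals[t]}")
    return concrete_order(arrivals) in abstract_orders(intervals)


def all_instances_covered(intervals):
    """Exhaustive check over every integer-valued concrete instantiation of
    the intervals (the general claim, not just one sample)."""
    names = list(intervals)
    ranges = [range(lo, hi + 1) for lo, hi in intervals.values()]
    return all(is_covered(dict(zip(names, times)), intervals)
               for times in product(*ranges))


# Constructed sample: T1 and T2 may arrive in either order; T3 is surely last.
SAMPLE_INTERVALS = {"T1": (3, 7), "T2": (4, 6), "T3": (9, 12)}
SAMPLE_ARRIVALS = {"T1": 5, "T2": 6, "T3": 10}

if __name__ == "__main__":
    print(concrete_order(SAMPLE_ARRIVALS))            # ('T1', 'T2', 'T3')
    print(sorted(abstract_orders(SAMPLE_INTERVALS)))  # T1/T2 either way, T3 last
    print(all_instances_covered(SAMPLE_INTERVALS))    # True
```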

**Lemma 5.55 (Properties of owner assignment for lock-transitions):**

Given the valid concrete configurations (c.f., Definition 4.4), abstract configurations, lock and threads

\[
\begin{align*}
& c^0 @ \langle [T, pc^0_T, \mathbb{r}^0_T, t^0_T]_{T \in \text{Thrd}}, \mathbb{x}^0, \mathbb{l}^0 \rangle \in \text{Conf}, \\
& c^i @ \langle [T, pc^i_T, \mathbb{r}^i_T, t^i_T]_{T \in \text{Thrd}}, \mathbb{x}^i, \mathbb{l}^i \rangle \in \text{Conf}, \\
& c^n @ \langle [T, pc^n_T, \mathbb{r}^n_T, t^n_T]_{T \in \text{Thrd}}, \mathbb{x}^n, \mathbb{l}^n \rangle \in \text{Conf}, \\
& \tilde{c}^0 @ \langle [T, \tilde{pc}^0_T, \tilde{\mathbb{r}}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}_{\tilde{c}^0}}, \tilde{\mathbb{x}}^0, \tilde{\mathbb{l}}^0 \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^j @ \langle [T, \tilde{pc}^j_T, \tilde{\mathbb{r}}^j_T, \tilde{t}^j_T]_{T \in \text{Thrd}_{\tilde{c}^j}}, \tilde{\mathbb{x}}^j, \tilde{\mathbb{l}}^j \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^k @ \langle [T, \tilde{pc}^k_T, \tilde{\mathbb{r}}^k_T, \tilde{t}^k_T]_{T \in \text{Thrd}_{\tilde{c}^k}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle \in \widetilde{\text{Conf}}, \\
& lck' \in \text{Lck}, \\
& T' \in \text{Thrd} \text{ and} \\
& T'' \in \text{Thrd}
\end{align*}
\]

such that

\[
\begin{align*}
& 0 \leq i < n, \\
& c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n, \\
& 0 \leq j < k, \\
& \tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^j \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k, \\
& \text{Thrd}_{\tilde{c}^k} \subseteq \text{Thrd}_{\tilde{c}^j} \subseteq \text{Thrd}_{\tilde{c}^0} \subseteq \text{Thrd}, \\
& \text{STM}(T'', pc^n_{T''}) = [\text{lock } lck']^{pc^n_{T''}}, \\
& T'' \in \text{Thrd}^{c^n}_{\text{exe}}, \\
& \text{STM}(T', pc^i_{T'}) = [\text{lock } lck']^{pc^i_{T'}}, \\
& T' \in \text{Thrd}^{c^i}_{\text{exe}}, \\
& \forall h \in \{0, \ldots, k-1\} : (T' \in \text{Thrd}^{\tilde{c}^h}_{\text{exe}} \Rightarrow \text{STM}(T', \tilde{pc}^h_{T'}) \neq [\text{lock } lck']^{\tilde{pc}^h_{T'}}), \\
& \text{REL}(\mathbb{l}^i\ lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^j\ lck')), \\
& (pc^i_{T'} = \tilde{pc}^k_{T'} \land T' \notin \text{Thrd}^{\tilde{c}^j}_{\text{exe}} \land \text{OWN}(\mathbb{l}^i\ lck') = \bot_{\text{thrd}} \land \text{OWN}(\mathbb{l}^{i+1}\ lck') = T') \text{ and} \\
& (pc^n_{T''} = \tilde{pc}^j_{T''} \land t^n_{T''} \in \gamma_t(\tilde{t}^j_{T''}) \land T'' \in \text{Thrd}^{\tilde{c}^j}_{\text{exe}} \land \text{OWN}(\tilde{\mathbb{l}}^j\ lck') = \bot_{\text{thrd}} \land \text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'),
\end{align*}
\]

where the trace for $T'$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i$, the trace for $T''$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^j$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, $\text{Thrd}^{c^i}_{\text{exe}}$ and $\text{Thrd}^{c^n}_{\text{exe}}$ are as defined in Table 4.3, and $\text{Thrd}^{\tilde{c}^j}_{\text{exe}}$ and $\text{Thrd}^{\tilde{c}^h}_{\text{exe}}$ are as defined in Table 5.6, $\stackrel{\text{prg}}{\rightsquigarrow}$ satisfies:

\[
\begin{align*}
& \text{OWN}(\mathbb{l}^n\ lck') = \text{OWN}(\mathbb{l}^{i+1}\ lck') = \text{OWN}(\tilde{\mathbb{l}}^k\ lck') = \text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T' \land {} \\
& \text{STT}(\mathbb{l}^n\ lck') = \text{STT}(\mathbb{l}^{i+1}\ lck') = \text{STT}(\tilde{\mathbb{l}}^k\ lck') = \text{STT}(\tilde{\mathbb{l}}^{j+1}\ lck') = \text{unlocked} \land {} \\
& \text{DL}(\tilde{\mathbb{l}}^k\ lck') = \text{DL}(\tilde{\mathbb{l}}^{j+1}\ lck') \land {} \\
& \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck'))) = -\infty \land {} \\
& t^i_{T'} + \text{TIME}(c^i, T') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck'))
\end{align*}
\]

PROOF. Assume that the valid concrete configurations, abstract configurations, lock and threads

\[
\begin{align*}
& c^0 @ \langle [T, pc^0_T, \mathbb{r}^0_T, t^0_T]_{T \in \text{Thrd}}, \mathbb{x}^0, \mathbb{l}^0 \rangle \in \text{Conf}, \\
& c^i @ \langle [T, pc^i_T, \mathbb{r}^i_T, t^i_T]_{T \in \text{Thrd}}, \mathbb{x}^i, \mathbb{l}^i \rangle \in \text{Conf}, \\
& c^n @ \langle [T, pc^n_T, \mathbb{r}^n_T, t^n_T]_{T \in \text{Thrd}}, \mathbb{x}^n, \mathbb{l}^n \rangle \in \text{Conf}, \\
& \tilde{c}^0 @ \langle [T, \tilde{pc}^0_T, \tilde{\mathbb{r}}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}_{\tilde{c}^0}}, \tilde{\mathbb{x}}^0, \tilde{\mathbb{l}}^0 \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^j @ \langle [T, \tilde{pc}^j_T, \tilde{\mathbb{r}}^j_T, \tilde{t}^j_T]_{T \in \text{Thrd}_{\tilde{c}^j}}, \tilde{\mathbb{x}}^j, \tilde{\mathbb{l}}^j \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^k @ \langle [T, \tilde{pc}^k_T, \tilde{\mathbb{r}}^k_T, \tilde{t}^k_T]_{T \in \text{Thrd}_{\tilde{c}^k}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle \in \widetilde{\text{Conf}}, \\
& lck' \in \text{Lck}, \\
& T' \in \text{Thrd} \text{ and} \\
& T'' \in \text{Thrd}
\end{align*}
\]

are such that

\[
\begin{align*}
& 0 \leq i < n, \\
& c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n, \\
& 0 \leq j < k, \\
& \tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^j \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k, \\
& \text{Thrd}_{\tilde{c}^k} \subseteq \text{Thrd}_{\tilde{c}^j} \subseteq \text{Thrd}_{\tilde{c}^0} \subseteq \text{Thrd}, \\
& \text{STM}(T'', pc^n_{T''}) = [\text{lock } lck']^{pc^n_{T''}}, \\
& T'' \in \text{Thrd}^{c^n}_{\text{exe}}, \\
& \text{STM}(T', pc^i_{T'}) = [\text{lock } lck']^{pc^i_{T'}}, \\
& T' \in \text{Thrd}^{c^i}_{\text{exe}}, \\
& \forall h \in \{0, \ldots, k-1\} : (T' \in \text{Thrd}^{\tilde{c}^h}_{\text{exe}} \Rightarrow \text{STM}(T', \tilde{pc}^h_{T'}) \neq [\text{lock } lck']^{\tilde{pc}^h_{T'}}), \\
& \text{REL}(\mathbb{l}^i\ lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^j\ lck')), \\
& (pc^i_{T'} = \tilde{pc}^k_{T'} \land T' \notin \text{Thrd}^{\tilde{c}^j}_{\text{exe}} \land \text{OWN}(\mathbb{l}^i\ lck') = \bot_{\text{thrd}} \land \text{OWN}(\mathbb{l}^{i+1}\ lck') = T') \text{ and} \\
& (pc^n_{T''} = \tilde{pc}^j_{T''} \land t^n_{T''} \in \gamma_t(\tilde{t}^j_{T''}) \land T'' \in \text{Thrd}^{\tilde{c}^j}_{\text{exe}} \land \text{OWN}(\tilde{\mathbb{l}}^j\ lck') = \bot_{\text{thrd}} \land \text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'),
\end{align*}
\]

where the trace for $T'$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigar
row} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i$, the trace for $T''$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^j$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, $\text{Thrd}^{c^i}_{\text{exe}}$ and $\text{Thrd}^{c^n}_{\text{exe}}$ are as defined in Table 4.3, and $\text{Thrd}^{\tilde{c}^j}_{\text{exe}}$ and $\text{Thrd}^{\tilde{c}^h}_{\text{exe}}$ are as defined in Table 5.6.

First note that since the trace for $T'$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i$, the trace for $T''$ in $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^j$ is the same as in $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, $\text{STM}(T'', pc^n_{T''}) = [\text{lock } lck']^{pc^n_{T''}}$, $T'' \in \text{Thrd}^{c^n}_{\text{exe}}$, $\text{STM}(T', pc^i_{T'}) = [\text{lock } lck']^{pc^i_{T'}}$, $T' \in \text{Thrd}^{c^i}_{\text{exe}}$, $pc^n_{T''} = \tilde{pc}^j_{T''}$, $t^n_{T''} \in \gamma_t(\tilde{t}^j_{T''})$, $T' \notin \text{Thrd}^{\tilde{c}^j}_{\text{exe}}$, $\text{OWN}(\tilde{\mathbb{l}}^j\ lck') = \bot_{\text{thrd}}$ and $\text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'$, it must be that $T'$ acquires $lck'$ in the transition between $c^i$ and $c^{i+1}$ and $T''$ wants to acquire $lck'$ in a transition from $c^n$, while the abstract trace represents a situation (that can occur due to that $\widetilde{\text{Time}} = \text{Intv}$) where $T''$ reaches the $\text{lock } lck'$-statement (i.e., it reaches $\tilde{pc}^j_{T''}$) before $T'$ (i.e., before $T'$ reaches $\tilde{pc}^k_{T'}$), but $lck'$ is assigned to $T'$ as shown below.

Since $\forall h \in \{0, \ldots, k-1\} : (T' \in \text{Thrd}^{\tilde{c}^h}_{\text{exe}} \Rightarrow \text{STM}(T', \tilde{pc}^h_{T'}) \neq [\text{lock } lck']^{\tilde{pc}^h_{T'}})$, $\text{OWN}(\mathbb{l}^i\ lck') = \bot_{\text{thrd}}$, $\text{OWN}(\tilde{\mathbb{l}}^j\ lck') = \bot_{\text{thrd}}$, $\text{OWN}(\mathbb{l}^{i+1}\ lck') = T'$ and $\text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'$, it is easy to see that $\text{OWN}(\mathbb{l}^n\ lck') = \text{OWN}(\mathbb{l}^{i+1}\ lck') = \text{OWN}(\tilde{\mathbb{l}}^k\ lck') = \text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'$ and $\text{STT}(\mathbb{l}^n\ lck') = \text{STT}(\mathbb{l}^{i+1}\ lck') = \text{STT}(\tilde{\mathbb{l}}^k\ lck') = \text{STT}(\tilde{\mathbb{l}}^{j+1}\ lck') = \text{unlocked}$ (c.f., Table 5.6).

Since $\text{DLOCK}$ is used to determine $\text{DL}(\tilde{\mathbb{l}}^{j+1}\ lck')$ and $\text{DL}(\tilde{\mathbb{l}}^k\ lck') = \text{DL}(\tilde{\mathbb{l}}^{j+1}\ lck')$, it is easy to see that $\min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck'))) = -\infty$, since $\text{DLOCK}$ is used only if $\exists T \in \text{Thrd}^{\tilde{c}^j}_{\text{exe}} : \text{STM}(T, \tilde{pc}^j_T) = [\text{lock } lck']^{\tilde{pc}^j_T}$ (c.f., Table 5.6), which is the case since $pc^n_{T''} = \tilde{pc}^j_{T''}$, $\text{OWN}(\tilde{\mathbb{l}}^j\ lck') = \bot_{\text{thrd}}$ and $\text{OWN}(\tilde{\mathbb{l}}^{j+1}\ lck') = T'$ (c.f., Algorithm 5.11).

Since $T' \in \text{Thrd}^{c^i}_{\text{exe}}$, it must be that $t^i_{T'} + \text{TIME}(c^i, T') = \min\{t^i_T + \text{TIME}(c^i, T) \mid T \in \text{Thrd}\}$, and since $T'' \in \text{Thrd}^{c^n}_{\text{exe}}$, it must be that $t^n_{T''} + \text{TIME}(c^n, T'') = \min\{t^n_T + \text{TIME}(c^n, T) \mid T \in \text{Thrd}\}$. But since $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^i \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, it must be that $t^i_{T'} + \text{TIME}(c^i, T') \leq t^n_{T''} + \text{TIME}(c^n, T'')$ (Lemma 4.2). Note that by choosing $c^0$, $c^m$, $c^n$, $\tilde{c}^0$ and $\tilde{c}^j$ (defined by Lemma 5.53) to be $c^0$, $c^n$, $c^n$, $\tilde{c}^0$ and $\tilde{c}^j$ (defined by this proof), respectively, and assuming that $\text{OWN}(\mathbb{l}^n\ lck') = \bot_{\text{thrd}}$ and $\text{REL}(\mathbb{l}^n\ lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^j\ lck'))$ (which is actually not necessarily the case since $T'$ acquires $lck'$ in the transition between $c^i$ and $c^{i+1}$), however, note that this assumption is okay since if $T'$ would not
given the valid concrete configurations (c.f., Definition 4.4), abstract configu-

ations described by $\stackrel{\text{prg}}{\rightsquigarrow}$ safely approximate the concrete transitions described by $\stackrel{\text{prg}}{\rightarrow}$. The lemmas hold given that the concrete transition sequences are finite in length (i.e., given that they terminate) and that either no thread issues a load-statement on a global variable or that the thread issuing the load-statement is the sole thread in $\text{Thrd}_{\text{exe}}$ in any step of the transition sequence. The first lemma shows that the halt-, skip-, :=-, load-, store- and unlock-statements, and also the lock-statement if the issuing thread immediately is assigned the lock, are safely approximated (Lemma 5.56). Note that a variable is considered global if it could transfer data between two or more threads (c.f., Algorithm 6.9).

Lemma 5.56 (Soundness of $\stackrel{\text{prg}}{\rightsquigarrow}$, no frozen thread):

Given the valid concrete configurations (c.f., Definition 4.4), abstract configurations and thread

\[
\begin{align*}
& c^0 @ \langle [T, pc^0_T, \mathbb{r}^0_T, t^0_T]_{T \in \text{Thrd}}, \mathbb{x}^0, \mathbb{l}^0 \rangle \in \text{Conf}, \\
& c^n @ \langle [T, pc^n_T, \mathbb{r}^n_T, t^n_T]_{T \in \text{Thrd}}, \mathbb{x}^n, \mathbb{l}^n \rangle \in \text{Conf}, \\
& \tilde{c}^0 @ \langle [T, \tilde{pc}^0_T, \tilde{\mathbb{r}}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}_{\tilde{c}^0}}, \tilde{\mathbb{x}}^0, \tilde{\mathbb{l}}^0 \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^k @ \langle [T, \tilde{pc}^k_T, \tilde{\mathbb{r}}^k_T, \tilde{t}^k_T]_{T \in \text{Thrd}_{\tilde{c}^k}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle \in \widetilde{\text{Conf}} \text{ and} \\
& T' \in \text{Thrd}_{\tilde{c}^k},
\end{align*}
\]

such that

\[
\begin{align*}
& 0 \leq n, \\
& c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n, \\
& 0 \leq k, \\
& \tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k, \\
& \text{Thrd}_{\tilde{c}^k} \subseteq \text{Thrd}_{\tilde{c}^0} \subseteq \text{Thrd}, \\
& pc^0_{T'} = \tilde{pc}^0_{T'}, \\
& \mathbb{r}^0_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}^0_{T'}), \\
& t^0_{T'} \in \gamma_t(\tilde{t}^0_{T'}), \\
& \exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}^0) : \forall x \in \text{Var} : ((\mathbb{x}^0\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T'), \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow (\text{STT}(\mathbb{l}^0\ lck) = \text{STT}(\tilde{\mathbb{l}}^0\ lck) \land {} \\
& \qquad \text{OWN}(\mathbb{l}^0\ lck) = \text{OWN}(\tilde{\mathbb{l}}^0\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}^0\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}^0\ lck) = \text{POWN}(\tilde{\mathbb{l}}^0\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}^0\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck))) = -\infty)) \land {} \\
& \quad (\text{OWN}(\mathbb{l}^0\ lck) = \bot_{\text{thrd}} \Rightarrow ((\text{OWN}(\tilde{\mathbb{l}}^0\ lck) = \bot_{\text{thrd}} \lor {} \\
& \qquad (\text{OWN}(\tilde{\mathbb{l}}^0\ lck) = T' \land {} \\
& \qquad\quad \text{STT}(\tilde{\mathbb{l}}^0\ lck) = \text{unlocked} \land {} \\
& \qquad\quad t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck)) \land {} \\
& \qquad\quad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck))) = -\infty \land {} \\
& \qquad\quad \text{POWN}(\mathbb{l}^0\ lck) = \text{POWN}(\tilde{\mathbb{l}}^0\ lck) \land {} \\
& \qquad\quad \text{REL}(\mathbb{l}^0\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\ lck)))) \land {} \\
& \qquad (\text{STM}(T', pc^0_{T'}) = [\text{lock } lck]^{pc^0_{T'}} \Rightarrow (\mathbb{l}^n\ lck = \mathbb{l}^0\ lck \land \tilde{\mathbb{l}}^k\ lck = \tilde{\mathbb{l}}^0\ lck))))), \\
& \forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}, \\
& \text{STM}(T', pc^n_{T'}) \neq [\text{halt}]^{pc^n_{T'}} \Rightarrow T' \in \text{Thrd}^{c^n}_{\text{exe}}, \\
& \forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{\text{exe}}, \\
& \text{STM}(T', \tilde{pc}^k_{T'}) \neq [\text{halt}]^{\tilde{pc}^k_{T'}} \Rightarrow T' \in \text{Thrd}^{\tilde{c}^k}_{\text{exe}}, \text{ and} \\
& \forall i \in \{0, \ldots, k\} : (|\text{Thrd}^{\tilde{c}^i}_{\text{exe}}| = 1 \lor {} \\
& \qquad \{T \in \text{Thrd}^{\tilde{c}^i}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, \tilde{pc}^i_T) = [\text{load } r \text{ from } x]^{\tilde{pc}^i_T}\} = \emptyset),
\end{align*}
\]

where for all $i \in \{0, \ldots, n\}$, $\text{Thrd}^{c^i}_{\text{exe}}$ is as defined in Table 4.3, for all $i \in \{0, \ldots, k\}$, $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$ is as defined in Table 5.6, and $\text{Var}_g$ contains all $x \in \text{Var}$ such that $x$ can be written to by one thread and read from by another thread (i.e., there might be a data dependency between the threads; note that $\text{Var}_g$ can be derived using Algorithm 6.9), $\stackrel{\text{prg}}{\rightsquigarrow}$ satisfies:

\[
\begin{align*}
& \forall c @ \langle [T, pc_T, \mathbb{r}_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle \in \text{Conf} : {} \\
& (c^n \stackrel{\text{prg}}{\rightarrow} c \Rightarrow \exists \tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{\mathbb{r}}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle \in \widetilde{\text{Conf}} : {} \\
& \quad (\tilde{c}^k \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c} \land {} \\
& \quad pc_{T'} = \tilde{pc}_{T'} \land {} \\
& \quad \mathbb{r}_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}_{T'}) \land {} \\
& \quad t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land {} \\
& \quad \exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T')) \land {} \\
& \quad \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\ lck) = T' \lor \text{OWN}(\mathbb{l}\ lck) = T') \Rightarrow {} \\
& \qquad (\text{STT}(\mathbb{l}\ lck) = \text{STT}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{OWN}(\mathbb{l}\ lck) = \text{OWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}\ lck) = \text{POWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck))) = -\infty))))
\end{align*}
\]

PROOF. Assume that the valid concrete configurations (c.f., Definition 4.4), abstract configurations and thread

\[
\begin{align*}
& c^0 @ \langle [T, pc^0_T, \mathbb{r}^0_T, t^0_T]_{T \in \text{Thrd}}, \mathbb{x}^0, \mathbb{l}^0 \rangle \in \text{Conf}, \\
& c^n @ \langle [T, pc^n_T, \mathbb{r}^n_T, t^n_T]_{T \in \text{Thrd}}, \mathbb{x}^n, \mathbb{l}^n \rangle \in \text{Conf}, \\
& \tilde{c}^0 @ \langle [T, \tilde{pc}^0_T, \tilde{\mathbb{r}}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}_{\tilde{c}^0}}, \tilde{\mathbb{x}}^0, \tilde{\mathbb{l}}^0 \rangle \in \widetilde{\text{Conf}}, \\
& \tilde{c}^k @ \langle [T, \tilde{pc}^k_T, \tilde{\mathbb{r}}^k_T, \tilde{t}^k_T]_{T \in \text{Thrd}_{\tilde{c}^k}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle \in \widetilde{\text{Conf}} \text{ and} \\
& T' \in \text{Thrd}_{\tilde{c}^k},
\end{align*}
\]

are such that

\[
\begin{align*}
& 0 \leq n, \\
& \forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}, \\
& \forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{\text{exe}}, \text{ and} \\
& \forall i \in \{0, \ldots, k\} : (|\text{Thrd}^{\tilde{c}^i}_{\text{exe}}| = 1 \lor {} \\
& \qquad \{T \in \text{Thrd}^{\tilde{c}^i}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, \tilde{pc}^i_T) = [\text{load } r \text{ from } x]^{\tilde{pc}^i_T}\} = \emptyset),
\end{align*}
\]

where for all $i \in \{0, \ldots, n\}$, $\text{Thrd}^{c^i}_{\text{exe}}$ is as defined in Table 4.3, for all $i \in \{0, \ldots, k\}$, $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$ is as defined in Table 5.6, and $\text{Var}_g$ contains all $x \in \text{Var}$ such that $x$ can be written to by one thread and read from by another thread (i.e., there might be a data dependency between the threads).

First note that:

- Since $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}$, it must be that $pc^n_{T'} = pc^0_{T'}$, $\mathbb{r}^n_{T'} = \mathbb{r}^0_{T'}$, $t^n_{T'} = t^0_{T'}$, and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow \mathbb{l}^n\ lck = \mathbb{l}^0\ lck)$ (c.f., Table 4.3).

- Since $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{\text{exe}}$, it must be that $\tilde{pc}^k_{T'} = \tilde{pc}^0_{T'}$, $\tilde{\mathbb{r}}^k_{T'} = \tilde{\mathbb{r}}^0_{T'}$, $\tilde{t}^k_{T'} = \tilde{t}^0_{T'}$, and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow (\tilde{\mathbb{l}}^k\ lck = \tilde{\mathbb{l}}^0\ lck \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck))) = -\infty))$.

- Since the two facts above hold, $pc^0_{T'} = \tilde{pc}^0_{T'}$, $\mathbb{r}^0_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}^0_{T'})$, $t^0_{T'} \in \gamma_t(\tilde{t}^0_{T'})$ and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow (\text{STT}(\mathbb{l}^0\ lck) = \text{STT}(\tilde{\mathbb{l}}^0\ lck) \land \text{OWN}(\mathbb{l}^0\ lck) = \text{OWN}(\tilde{\mathbb{l}}^0\ lck) \land \text{DL}(\mathbb{l}^0\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck)) \land \text{POWN}(\mathbb{l}^0\ lck) = \text{POWN}(\tilde{\mathbb{l}}^0\ lck) \land \text{REL}(\mathbb{l}^0\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\ lck)) \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\ lck))) = -\infty))$, it must be that:

\[
\begin{align*}
& pc^n_{T'} = \tilde{pc}^k_{T'}, \\
& \mathbb{r}^n_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}^k_{T'}), \\
& t^n_{T'} \in \gamma_t(\tilde{t}^k_{T'}), \\
& \forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow (\text{STT}(\mathbb{l}^n\ lck) = \text{STT}(\tilde{\mathbb{l}}^k\ lck) \land {} \\
& \qquad \text{OWN}(\mathbb{l}^n\ lck) = \text{OWN}(\tilde{\mathbb{l}}^k\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}^n\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}^n\ lck) = \text{POWN}(\tilde{\mathbb{l}}^k\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}^n\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^k\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\ lck))) = -\infty))
\end{align*}
\]

- Since $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$ and $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}$, it must be that for all $x \in \text{Var}$, $((\mathbb{x}^n\ x)\ T') = ((\mathbb{x}^0\ x)\ T')$ if no thread writes to $x$ in the sequence $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, or $((\mathbb{x}^n\ x)\ T') = \emptyset$ if some other thread has written to $x$ in the given sequence (c.f., Table 4.3). Thus, $\forall x \in \text{Var} : ((\mathbb{x}^n\ x)\ T') \subseteq ((\mathbb{x}^0\ x)\ T')$.

- Since $\exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}^0) : \forall x \in \text{Var} : ((\mathbb{x}^0\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T')$, $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$, $\tilde{c}^0 \stackrel{\text{prg}}{\rightsquigarrow} \ldots \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}^k$ and $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}$, it must be that $\exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}^k) : \forall x \in \text{Var} : ((\mathbb{x}^n\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T')$.

- Since $\forall i \in \{0, \ldots, k\} : (|\text{Thrd}^{\tilde{c}^i}_{\text{exe}}| = 1 \lor \{T \in \text{Thrd}^{\tilde{c}^i}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, \tilde{pc}^i_T) = [\text{load } r \text{ from } x]^{\tilde{pc}^i_T}\} = \emptyset)$, it must be that $\forall i \in \{0, \ldots, k\} : (\{T \in \text{Thrd}^{\tilde{c}^i}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, \tilde{pc}^i_T) = [\text{load } r \text{ from } x]^{\tilde{pc}^i_T}\} \neq \emptyset \Rightarrow |\text{Thrd}^{\tilde{c}^i}_{\text{exe}}| = 1)$. This means that if some thread in $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$, where $i \in \{0, \ldots, k\}$, performs a load-statement, there is only one single thread in $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$; thus that thread performs the load-statement. It is then easy to see, from the definition of $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$, that there cannot occur any other write than those represented by $\tilde{\mathbb{x}}^i$ such that it could affect the load-statement of the thread in $\text{Thrd}^{\tilde{c}^i}_{\text{exe}}$ (c.f., Assumption 5.50). Thus, it must be that $\tilde{\mathbb{x}}^k$ (and also all $\tilde{\mathbb{x}}^i$, where $i \in \{0, \ldots, k\}$) contains safe write history (c.f., Definition 5.18).

- Since, trivially, $\forall lck \in \text{Lck} : \{T \in \text{Thrd}^{\tilde{c}^k}_{\text{exe}} \mid \text{STM}(T, \tilde{pc}^k_T) = [\text{lock } lck]^{\tilde{pc}^k_T}\} \subseteq \{T \in \text{Thrd}_{\tilde{c}^k} \mid \exists l \in \text{Lbl}_T : \text{STM}(T, l) = [\text{lock } lck]^{l}\}$, it must be that if $T'$ can be assigned a lock in the concrete case, it can also be assigned the lock in the corresponding abstract case.

- If, for some $lck \in \text{Lck}$, $\text{STM}(T', \tilde{pc}^k_{T'}) = [\text{lock } lck]^{\tilde{pc}^k_{T'}}$, it must be that $\text{OWN}(lck) = \bot_{\text{thrd}}$, since $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{\text{exe}}$ and $T' \in \text{Thrd}^{\tilde{c}^k}_{\text{exe}}$.

is derived from $c^n \stackrel{\text{prg}}{\rightarrow} \langle [T, pc_T, \mathbb{r}_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ and ${\mathbb{l}'}^n$ and ${\tilde{\mathbb{l}}'}^k$ are defined as in Tables 4.3 and 5.6, respectively.

- Since $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = \bot_{\text{thrd}} \Rightarrow (\text{STM}(T', pc^0_{T'}) = [\text{lock } lck]^{pc^0_{T'}} \Rightarrow (\mathbb{l}^n\ lck = \mathbb{l}^0\ lck \land \tilde{\mathbb{l}}^k\ lck = \tilde{\mathbb{l}}^0\ lck)))$, $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}$, $\text{STM}(T', pc^n_{T'}) \neq [\text{halt}]^{pc^n_{T'}} \Rightarrow T' \in \text{Thrd}^{c^n}_{\text{exe}}$ and $\text{OWN}(\mathbb{l}^0\ lck) = T'$, it must be that $T'$ immediately acquires $lck$ (i.e., without any other thread acquiring and possibly releasing $lck$ in the sequence $c^0 \stackrel{\text{prg}}{\rightarrow} \ldots \stackrel{\text{prg}}{\rightarrow} c^n$) if $\text{STM}(T', pc^n_{T'}) = [\text{lock } lck]^{pc^n_{T'}}$, both in the concrete and abstract cases (based on $c^n$ and $\tilde{c}^k$).

- If, for some lock, $lck' \in \text{Lck}$, $\text{STM}(T', pc^n_{T'}) = [\text{lock } lck']^{pc^n_{T'}}$ and $\text{OWN}(\mathbb{l}^0\ lck') = \bot_{\text{thrd}}$, it must be that $\min\{t^n_T + \text{TIME}(c^n, T) \mid T \in \text{Thrd}\} \in \gamma_t(\text{DLOCK}(\tilde{c}^k, lck'))$, since $T' \in \text{Thrd}^{c^n}_{\text{exe}}$, $\text{Thrd}_{\tilde{c}^k} \subseteq \text{Thrd}$, $m$, $n$ and $j$ (c.f., Lemma 5.53) can be chosen to be $0$, $n$ and $k$ (given by this proof), respectively, $t^n_{T'} \in \gamma_t(\tilde{t}^k_{T'})$, $t^n_{T'} = t^0_{T'}$, $\tilde{t}^k_{T'} = \tilde{t}^0_{T'}$, $pc^n_{T'} = pc^0_{T'} = \tilde{pc}^0_{T'} = \tilde{pc}^k_{T'}$, $T' \in \text{Thrd}^{\tilde{c}^k}_{\text{exe}}$ and (since $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = \bot_{\text{thrd}} \Rightarrow (\text{STM}(T', pc^0_{T'}) = [\text{lock } lck]^{pc^0_{T'}} \Rightarrow (\mathbb{l}^n\ lck = \mathbb{l}^0\ lck \land \tilde{\mathbb{l}}^k\ lck = \tilde{\mathbb{l}}^0\ lck)))$) $\text{REL}(\mathbb{l}^0\ lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\ lck')) \Rightarrow \text{REL}(\mathbb{l}^n\ lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^k\ lck'))$ (Lemma 5.53). Thus, $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(\text{DLOCK}(\tilde{c}^k, lck'))$, since $T' \in \text{Thrd}^{c^n}_{\text{exe}}$, which means that $t^n_{T'} + \text{TIME}(c^n, T') = \min\{t^n_T + \text{TIME}(c^n, T) \mid T \in \text{Thrd}\}$ (c.f., Table 4.3).

The proof will now be conducted by considering the different statements that $T'$ could issue in $c^n$ (i.e., in $\tilde{c}^k$).

1. If $\text{STM}(T', pc^n_{T'}) = [\text{halt}]^{pc^n_{T'}}$, then it must be that $T' \notin \text{Thrd}^{c^n}_{\text{exe}}$. Thus, it must be that $c^n \stackrel{\text{prg}}{\rightarrow} c$, where $c @ \langle [T, pc_T, \mathbb{r}_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ is such that $pc_{T'} = pc^n_{T'}$, $\mathbb{r}_{T'} = \mathbb{r}^n_{T'}$, $t_{T'} = t^n_{T'}$, $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow \mathbb{l}\ lck = \mathbb{l}^n\ lck)$ and $\forall x \in \text{Var} : ((\mathbb{x}\ x)\ T') \subseteq ((\mathbb{x}^n\ x)\ T')$, provided that $\exists T \in \text{Thrd} : \text{STM}(T, pc^n_T) \neq [\text{halt}]^{pc^n_T}$ (otherwise $\stackrel{\text{prg}}{\rightarrow}$ is not applicable; c.f., Table 4.3).

Note that $T' \notin \text{Thrd}^{\tilde{c}^k}_{\text{exe}}$ and choose $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{\mathbb{r}}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle$ such that $\tilde{c}^k \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}$, i.e., $\tilde{pc}_{T'} = \tilde{pc}^k_{T'}$, $\tilde{\mathbb{r}}_{T'} = \tilde{\mathbb{r}}^k_{T'}$, $\tilde{t}_{T'} = \tilde{t}^k_{T'}$ and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\ lck) = T' \Rightarrow (\tilde{\mathbb{l}}\ lck = \tilde{\mathbb{l}}^k\ lck \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck))) = -\infty))$.

Note that $\tilde{\mathbb{x}}$ must still be such that for all $x \in \text{Var}$, $((\tilde{\mathbb{x}}\ x)\ T')$ is a safe approximation of the writes performed on $x$ by $T'$ since $\text{TRIM}$ is safe (Lemma 5.27). Thus, it must be that:

\[
\begin{align*}
& pc_{T'} = \tilde{pc}_{T'} \land {} \\
& \mathbb{r}_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}_{T'}) \land {} \\
& t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land {} \\
& \exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T')) \land {} \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\ lck) = T' \lor \text{OWN}(\mathbb{l}\ lck) = T') \Rightarrow {} \\
& \qquad (\text{STT}(\mathbb{l}\ lck) = \text{STT}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{OWN}(\mathbb{l}\ lck) = \text{OWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}\ lck) = \text{POWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck))) = -\infty))
\end{align*}
\]

2. If, for some $a \in \text{Aexp}$, $b \in \text{Bexp}$, $l \in \text{Lbl}_{T'}$, $r \in \text{Reg}_{T'}$, $x \in \text{Var}$ and $lck \in \text{Lck}$, $\text{STM}(T', pc^n_{T'}) \in \{[\text{skip}]^{pc^n_{T'}}, [r := a]^{pc^n_{T'}}, [\text{if } b \text{ goto } l]^{pc^n_{T'}}, [\text{store } r \text{ to } x]^{pc^n_{T'}}, [\text{unlock } lck]^{pc^n_{T'}}\}$, then let the configuration $c @ \langle [T, pc_T, \mathbb{r}_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ be such that $c^n \stackrel{\text{prg}}{\rightarrow} c$ and choose $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{\mathbb{r}}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle$ such that $\tilde{c}^k \stackrel{\text{prg}}{\rightsquigarrow} \tilde{c}$. Thus, since $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{\text{exe}}$, $T' \in \text{Thrd}^{c^n}_{\text{exe}}$, $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{\text{exe}}$, $T' \in \text{Thrd}^{\tilde{c}^k}_{\text{exe}}$, $\widetilde{\text{PC}}$ is a safe approximation of $\text{PC}$ (Lemma 5.49), $\text{TRIM}$ is safe (Lemma 5.27), $\text{Thrd}_{\tilde{c}^k} \subseteq \text{Thrd}$ and $\text{ACCTIME}$ is safe (Lemma 5.54), it must be that:

\[
\begin{align*}
& pc_{T'} = \tilde{pc}_{T'} \land {} \\
& \mathbb{r}_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}_{T'}) \land {} \\
& t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land {} \\
& \exists \mathbb{x}' \in \gamma_{\text{var}}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\ x)\ T') \subseteq ((\mathbb{x}'\ x)\ T')) \land {} \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\ lck) = T' \lor \text{OWN}(\mathbb{l}\ lck) = T') \Rightarrow {} \\
& \qquad (\text{STT}(\mathbb{l}\ lck) = \text{STT}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{OWN}(\mathbb{l}\ lck) = \text{OWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{DL}(\mathbb{l}\ lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \text{POWN}(\mathbb{l}\ lck) = \text{POWN}(\tilde{\mathbb{l}}\ lck) \land {} \\
& \qquad \text{REL}(\mathbb{l}\ lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\ lck)) \land {} \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\ lck))) = -\infty))
\end{align*}
\]

Note that in the case $\text{STM}(T', pc^n_{T'}) = [\text{if } b \text{ goto } l]^{pc^n_{T'}}$, $\tilde{c}$ can be chosen so that the branch corresponding to the one taken in $c$ is taken, since $\mathbb{r}^n_{T'} \in \gamma_{\text{reg}}(\tilde{\mathbb{r}}^k_{T'})$ (c.f., Table 5.5 and Definition 5.7).

3. If, for some $r \in \text{Reg}_{T'}$ and $x \in \text{Var}$, $\text{STM}(T', pc^0_{T'}) = [\text{load } r \text{ from } x]^{pc^0_{T'}}$, then let $c @ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ be such that $c^n \xrightarrow{prg} c$ and choose $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle$ such that $\tilde{c}^k \xrightarrow{prg} \tilde{c}$. Since $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{exe}$, $T' \in \text{Thrd}^{c^n}_{exe}$, $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}$, $T' \in \text{Thrd}^{\tilde{c}^k}_{exe}$, $\text{Thrd}^{\tilde{c}^k}_{exe}$ is a safe approximation of $\text{Thrd}^{c^n}_{exe}$ (Lemma 5.49), $\tilde{\mathbb{x}}^k$ contains a safe write history, TRIM is safe (Lemma 5.27), $\text{Thrd}^{c^n}_{exe} \subseteq \text{Thrd}$ and ACCTIME is safe (Lemma 5.54), it must be that:

\begin{align*}
& pc_{T'} = \tilde{pc}_{T'} \land \\
& r_{T'} \in \gamma_\text{reg}(\tilde{r}_{T'}) \land \\
& t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land \\
& \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')) \land \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\,lck) = T' \lor \text{OWN}(\mathbb{l}\,lck) = T') \Rightarrow \\
& \qquad (\text{STT}(\mathbb{l}\,lck) = \text{STT}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{OWN}(\mathbb{l}\,lck) = \text{OWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{DL}(\mathbb{l}\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \text{POWN}(\mathbb{l}\,lck) = \text{POWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{REL}(\mathbb{l}\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck))) = -\infty))
\end{align*}

4. If, for some $lck' \in \text{Lck}$, $\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$, only the case that $T'$ successfully and immediately acquires $lck'$ needs to be considered. (Note that the remaining cases will be considered in the proofs of Lemmas 5.57 and 5.58.) Hence, ACCTIME is safe since it must be that $\text{OWN}(\mathbb{l}\,lck') = T'$ and $\text{OWN}(\tilde{\mathbb{l}}\,lck') = T'$ for the configurations $c$ and $\tilde{c}$ reached from $c^n$ and $\tilde{c}^k$ (Lemma 5.54).

Since $\text{OWN}(\mathbb{l}^0\,lck') = T' \Rightarrow \text{OWN}(\tilde{\mathbb{l}}^0\,lck') = T'$ and $\text{OWN}(\mathbb{l}^0\,lck') = \bot_{thrd} \Rightarrow (\text{OWN}(\tilde{\mathbb{l}}^0\,lck') = \bot_{thrd} \lor \text{OWN}(\tilde{\mathbb{l}}^0\,lck') = T')$, there are three cases to consider.

(a) Assume that $\text{OWN}(\mathbb{l}^0\,lck') = T'$ (and thus, $\text{OWN}(\tilde{\mathbb{l}}^0\,lck') = T'$) and let $c @ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ be such that $c^n \xrightarrow{prg} c$. Then choose $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle$ such that $\tilde{c}^k \xrightarrow{prg} \tilde{c}$. It is trivially the case that $\text{OWN}(\mathbb{l}\,lck') = \text{OWN}(\tilde{\mathbb{l}}\,lck') = T'$ and thus

\begin{align*}
& pc_{T'} = \tilde{pc}_{T'} \land \\
& r_{T'} \in \gamma_\text{reg}(\tilde{r}_{T'}) \land \\
& t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land \\
& \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')) \land \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\,lck) = T' \lor \text{OWN}(\mathbb{l}\,lck) = T') \Rightarrow \\
& \qquad (\text{STT}(\mathbb{l}\,lck) = \text{STT}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{OWN}(\mathbb{l}\,lck) = \text{OWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{DL}(\mathbb{l}\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \text{POWN}(\mathbb{l}\,lck) = \text{POWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{REL}(\mathbb{l}\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck))) = -\infty))
\end{align*}

since $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{exe}$ and $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}$, $\text{Thrd}^{\tilde{c}^k}_{exe}$ is a safe approximation of $\text{Thrd}^{c^n}_{exe}$ (Lemma 5.49) and TRIM is safe (Lemma 5.27).

(b) Assume that $\text{OWN}(\mathbb{l}^0\,lck') = \text{OWN}(\tilde{\mathbb{l}}^0\,lck') = \bot_{thrd}$ and let $c @ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle$ be such that $c^n \xrightarrow{prg} c \land \text{OWN}(\mathbb{l}\,lck') = T'$ and choose $\tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle$ such that $\tilde{c}^k \xrightarrow{prg} \tilde{c}$.

Then it must be that $\text{OWN}(\mathbb{l}\,lck') = T'$ (since $T' \in \text{Thrd}^{c^n}_{exe}$) and $\text{OWN}(\tilde{\mathbb{l}}\,lck') = T'$ and

\begin{align*}
& pc_{T'} = \tilde{pc}_{T'} \land \\
& r_{T'} \in \gamma_\text{reg}(\tilde{r}_{T'}) \land \\
& t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land \\
& \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')) \land \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\,lck) = T' \lor \text{OWN}(\mathbb{l}\,lck) = T') \Rightarrow \\
& \qquad (\text{STT}(\mathbb{l}\,lck) = \text{STT}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{OWN}(\mathbb{l}\,lck) = \text{OWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{DL}(\mathbb{l}\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \text{POWN}(\mathbb{l}\,lck) = \text{POWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \text{REL}(\mathbb{l}\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck))) = -\infty))
\end{align*}

since $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{exe}$ and $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}$, $\text{Thrd}^{\tilde{c}^k}_{exe}$ is a safe approximation of $\text{Thrd}^{c^n}_{exe}$ (Lemma 5.49) and TRIM is safe (Lemma 5.27).

This concludes the proof. ■
Lemma 5.57 shows that $\xrightarrow{prg}$ safely approximates the case that a thread issuing $\text{lock } lck$ for some lock $lck \in \text{Lck}$ has to wait for an arbitrary number of owner switches on $lck$ before it acquires $lck$. Note that the lemma holds if all threads wanting to acquire some lock eventually will be able to do so (which obviously is the case if the concrete transition sequences are finite in length) and if either no thread issues a $\text{load}$-statement on a global variable or the thread issuing the $\text{load}$-statement is the sole thread in $\text{Thrd}_{exe}$ in any step of the transition sequence.

Lemma 5.57 (Soundness of $\xrightarrow{prg}$, frozen thread):
Given the valid concrete configurations (c.f., Definition 4.4), abstract configurations, lock and thread

\begin{align*}
& c^0 @ \langle [T, pc^0_T, r^0_T, t^0_T]_{T \in \text{Thrd}}, \mathbb{x}^0, \mathbb{l}^0 \rangle \in \text{Conf}, \\
& c^1 @ \langle [T, pc^1_T, r^1_T, t^1_T]_{T \in \text{Thrd}}, \mathbb{x}^1, \mathbb{l}^1 \rangle \in \text{Conf}, \\
& c^2 @ \langle [T, pc^2_T, r^2_T, t^2_T]_{T \in \text{Thrd}}, \mathbb{x}^2, \mathbb{l}^2 \rangle \in \text{Conf}, \\
& \quad \vdots \\
& c^n @ \langle [T, pc^n_T, r^n_T, t^n_T]_{T \in \text{Thrd}}, \mathbb{x}^n, \mathbb{l}^n \rangle \in \text{Conf}, \\
& \tilde{c}^0 @ \langle [T, \tilde{pc}^0_T, \tilde{r}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}^0, \tilde{\mathbb{l}}^0 \rangle \in \widetilde{\text{Conf}}, \\
& \quad \vdots \\
& \tilde{c}^k @ \langle [T, \tilde{pc}^k_T, \tilde{r}^k_T, \tilde{t}^k_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle \in \widetilde{\text{Conf}}, \\
& lck' \in \text{Lck}, \text{ and} \\
& T' \in \text{Thrd},
\end{align*}

such that

\begin{align*}
& \text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}, \\
& 0 \le n_1 \le n_2 \le \ldots \le n_m \le n, \\
& c^0 \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n_1} \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n_2} \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n_m} \xrightarrow{prg} \ldots \xrightarrow{prg} c^n, \\
& 0 \le k, \\
& \tilde{c}^0 \xrightarrow{prg} \ldots \xrightarrow{prg} \tilde{c}^k, \\
& \text{Thrd}^{c^n}_{exe} \subseteq \text{Thrd}^{\tilde{c}^k}_{exe} \subseteq \text{Thrd}, \\
& pc^0_{T'} = \tilde{pc}^0_{T'}, \\
& r^0_{T'} \in \gamma_\text{reg}(\tilde{r}^0_{T'}), \\
& t^0_{T'} \in \gamma_t(\tilde{t}^0_{T'}), \\
& \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}^0) : \forall x \in \text{Var} : \forall T \in \text{Thrd} : ((\mathbb{x}^0\,x)\,T) \subseteq ((\mathbb{x}'\,x)\,T), \\
& \forall lck \in \text{Lck} : ((\text{OWN}(\mathbb{l}^0\,lck) \ne \bot_{thrd} \Rightarrow (\text{STT}(\mathbb{l}^0\,lck) = \text{STT}(\tilde{\mathbb{l}}^0\,lck) \land \\
& \qquad \text{OWN}(\mathbb{l}^0\,lck) = \text{OWN}(\tilde{\mathbb{l}}^0\,lck) \land \\
& \qquad \text{DL}(\mathbb{l}^0\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\,lck)) \land \\
& \qquad \text{POWN}(\mathbb{l}^0\,lck) = \text{POWN}(\tilde{\mathbb{l}}^0\,lck) \land \\
& \qquad \text{REL}(\mathbb{l}^0\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\,lck)) \land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\,lck))) = -\infty)) \land \\
& \quad (\text{OWN}(\mathbb{l}^0\,lck) = \bot_{thrd} \Rightarrow ((\text{OWN}(\tilde{\mathbb{l}}^0\,lck) = \text{OWN}(\mathbb{l}^0\,lck) \lor \\
& \qquad (\text{OWN}(\tilde{\mathbb{l}}^0\,lck) = T' \land \\
& \qquad \text{STT}(\mathbb{l}^0\,lck) = \text{STT}(\tilde{\mathbb{l}}^0\,lck) = \text{unlocked} \land \\
& \qquad t^0_{T'} + \text{TIME}(c^0, T') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\,lck)) \land \\
& \qquad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^0\,lck))) = -\infty)) \land \\
& \qquad \text{POWN}(\mathbb{l}^0\,lck) = \text{POWN}(\tilde{\mathbb{l}}^0\,lck) \land \\
& \qquad \text{REL}(\mathbb{l}^0\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^0\,lck))))), \\
& \forall i \in \{0, \ldots, n-1\} \setminus \{n_1, n_2, \ldots, n_m\} : T' \notin \text{Thrd}^{c^i}_{exe}, \\
& \forall i \in \{n_1, n_2, \ldots, n_m\} : (T' \in \text{Thrd}^{c^i}_{exe} \land \text{OWN}(\mathbb{l}^{i+1}\,lck') \ne T'), \\
& T' \in \text{Thrd}^{c^n}_{exe}, \\
& \forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}, \\
& T' \in \text{Thrd}^{\tilde{c}^k}_{exe}, \text{ and} \\
& \forall i \in \{0, \ldots, k\} : (|\text{Thrd}^{\tilde{c}^i}_{exe}| \ne 1 \lor \\
& \qquad \{T \in \text{Thrd}^{\tilde{c}^i}_{exe} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, \tilde{pc}^i_T) = [\text{load } r \text{ from } x]^{\tilde{pc}^i_T}\} = \emptyset),
\end{align*}

where for all $i \in \{0, \ldots, n\}$, $\text{Thrd}^{c^i}_{exe}$ is as defined in Table 4.3, for all $i \in \{0, \ldots, k\}$, $\text{Thrd}^{\tilde{c}^i}_{exe}$ is as defined in Table 5.6, and $\text{Var}_g$ contains all $x \in \text{Var}$ such that $x$ can be written to by one thread and read from by another thread (i.e., there might be a data dependency between the threads; note that $\text{Var}_g$ can be derived using Algorithm 6.9), $\xrightarrow{prg}$ satisfies:

\begin{align*}
& \forall c @ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle \in \text{Conf} : \\
& \quad (c^n \xrightarrow{prg} c) \Rightarrow \exists \tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle \in \widetilde{\text{Conf}} : \\
& \qquad (\tilde{c}^k \xrightarrow{prg} \tilde{c} \land \\
& \qquad pc_{T'} = \tilde{pc}_{T'} \land \\
& \qquad r_{T'} \in \gamma_\text{reg}(\tilde{r}_{T'}) \land \\
& \qquad t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land \\
& \qquad \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')) \land \\
& \qquad \forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}\,lck) = T' \Rightarrow (\text{STT}(\mathbb{l}\,lck) = \text{STT}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{OWN}(\mathbb{l}\,lck) = \text{OWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{DL}(\mathbb{l}\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \quad \text{POWN}(\mathbb{l}\,lck) = \text{POWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{REL}(\mathbb{l}\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \quad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck))) = -\infty)))
\end{align*}

$\square$

**Proof.** Assume that the valid concrete configurations (c.f., Definition 4.4) $c^0, c^1, \ldots, c^n$, the abstract configurations $\tilde{c}^0, \ldots, \tilde{c}^k$, the lock $lck' \in \text{Lck}$ and the thread $T' \in \text{Thrd}$ are as given in the statement of the lemma; i.e., that $\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$, that the indices $0 \le n_1 \le \ldots \le n_m \le n$ and $0 \le k$, the transition sequences $c^0 \xrightarrow{prg} \ldots \xrightarrow{prg} c^n$ and $\tilde{c}^0 \xrightarrow{prg} \ldots \xrightarrow{prg} \tilde{c}^k$, the relations between $c^0$ and $\tilde{c}^0$ (program counters, registers, accumulated execution times, write histories and lock states), the conditions on the membership of $T'$ in $\text{Thrd}^{c^i}_{exe}$ and $\text{Thrd}^{\tilde{c}^i}_{exe}$, and the restriction on $\text{load}$-statements on variables in $\text{Var}_g$ all hold exactly as listed in the lemma, where $\text{Thrd}^{c^i}_{exe}$ is as defined in Table 4.3, $\text{Thrd}^{\tilde{c}^i}_{exe}$ is as defined in Table 5.6, and $\text{Var}_g$ contains all $x \in \text{Var}$ that can be written to by one thread and read from by another thread (i.e., there might be a data dependency between the threads; note that $\text{Var}_g$ can be derived using Algorithm 6.9).

First note that:

- Since $\forall i \in \{0, \ldots, n-1\} \setminus \{n_1, n_2, \ldots, n_m\} : T' \notin \text{Thrd}^{c^i}_{exe}$, $\forall i \in \{n_1, n_2, \ldots, n_m\} : (T' \in \text{Thrd}^{c^i}_{exe} \land \text{OWN}(\mathbb{l}^{i+1}\,lck') \ne T')$ and $\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$, it must be that $pc^n_{T'} = pc^0_{T'}$, $r^n_{T'} = r^0_{T'}$, $t^n_{T'} = t^0_{T'} + \text{TIME}(c^{n_1}, T') + \text{TIME}(c^{n_2}, T') + \ldots + \text{TIME}(c^{n_m}, T')$ and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\,lck) = T' \Rightarrow \mathbb{l}^n\,lck = \mathbb{l}^0\,lck)$ (c.f., Table 4.3).

- Since $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}$, it must be that $\tilde{pc}^k_{T'} = \tilde{pc}^0_{T'}$, $\tilde{r}^k_{T'} = \tilde{r}^0_{T'}$ and $\forall lck \in \text{Lck} : (\text{OWN}(\tilde{\mathbb{l}}^0\,lck) = T' \Rightarrow (\tilde{\mathbb{l}}^k\,lck = \tilde{\mathbb{l}}^0\,lck \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck))) = -\infty))$.

- Since $pc^n_{T'} = pc^0_{T'}$, $r^n_{T'} = r^0_{T'}$, $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\,lck) = T' \Rightarrow \mathbb{l}^n\,lck = \mathbb{l}^0\,lck)$, $\tilde{pc}^k_{T'} = \tilde{pc}^0_{T'}$, $\tilde{r}^k_{T'} = \tilde{r}^0_{T'}$, $\forall lck \in \text{Lck} : (\text{OWN}(\tilde{\mathbb{l}}^0\,lck) = T' \Rightarrow (\tilde{\mathbb{l}}^k\,lck = \tilde{\mathbb{l}}^0\,lck \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck))) = -\infty))$ and the assumptions of the lemma relating $c^0$ and $\tilde{c}^0$, it must be that $pc^n_{T'} = \tilde{pc}^k_{T'}$, $r^n_{T'} \in \gamma_\text{reg}(\tilde{r}^k_{T'})$ and $\forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}^0\,lck) = T' \Rightarrow (\text{STT}(\mathbb{l}^n\,lck) = \text{STT}(\tilde{\mathbb{l}}^k\,lck) \land \text{OWN}(\mathbb{l}^n\,lck) = \text{OWN}(\tilde{\mathbb{l}}^k\,lck) \land \text{DL}(\mathbb{l}^n\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck)) \land \text{POWN}(\mathbb{l}^n\,lck) = \text{POWN}(\tilde{\mathbb{l}}^k\,lck) \land \text{REL}(\mathbb{l}^n\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^k\,lck)) \land \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck))) = -\infty))$.

- Since $\exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}^0) : \forall x \in \text{Var} : \forall T \in \text{Thrd} : ((\mathbb{x}^0\,x)\,T) \subseteq ((\mathbb{x}'\,x)\,T)$, $c^0 \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n_1} \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n_m} \xrightarrow{prg} \ldots \xrightarrow{prg} c^n$, $\tilde{c}^0 \xrightarrow{prg} \ldots \xrightarrow{prg} \tilde{c}^k$, $\forall i \in \{0, \ldots, n-1\} \setminus \{n_1, n_2, \ldots, n_m\} : T' \notin \text{Thrd}^{c^i}_{exe}$, $\forall i \in \{n_1, n_2, \ldots, n_m\} : \text{OWN}(\mathbb{l}^{i+1}\,lck') \ne T'$, $\forall i \in \{0, \ldots, k-1\} : T' \notin \text{Thrd}^{\tilde{c}^i}_{exe}$, $\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$ and TRIM is safe (Lemma 5.27), it must be that $\exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}^k) : \forall x \in \text{Var} : ((\mathbb{x}^n\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')$.

The proof will be conducted using induction on $j$, the number of owner switches on $lck'$ that $T'$ has to wait for before it can acquire $lck'$ (c.f., Table 5.6, Algorithm 5.11 and Lemmas 5.53 and 5.55). If $\text{OWN}(\mathbb{l}^0\,lck') = \bot_{thrd}$ and $\text{OWN}(\tilde{\mathbb{l}}^0\,lck') = \bot_{thrd}$, then it must be that $T'$ is the first thread in a set of competing threads to successfully acquire $lck'$; i.e., $j = 0$. Then it must be that $\{n_1, n_2, \ldots, n_m\} = \emptyset$, and thus, $\forall i \in \{0, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{exe}$. (Note that $c^0$ can be chosen to be the first configuration satisfying $\text{OWN}(\mathbb{l}^0\,lck') = \bot_{thrd} \land \text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$ and the rest of the assumptions of the lemma.) It must also be that the case $\text{OWN}(\mathbb{l}^n\,lck') = \bot_{thrd}$, $\text{OWN}(\tilde{\mathbb{l}}^k\,lck') \in \{\bot_{thrd}, T'\}$ and $\text{OWN}(\mathbb{l}\,lck') = \text{OWN}(\tilde{\mathbb{l}}\,lck') = T'$ for the configurations $c$ and $\tilde{c}$ reached from $c^n$ and $\tilde{c}^k$ (i.e., $T'$ acquires $lck'$ in these transitions) is the one that must be considered.

Since $T'$ is the first thread to acquire $lck'$, it must be that $\mathbb{l}^n\,lck' = \mathbb{l}^0\,lck'$ and $\tilde{\mathbb{l}}^k\,lck' = \tilde{\mathbb{l}}^0\,lck'$. Thus, since $\text{OWN}(\mathbb{l}^0\,lck') = \bot_{thrd}$ and $\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}}$, it must be that $\text{OWN}(\mathbb{l}^0\,lck') = \bot_{thrd} \Rightarrow (\text{STM}(T', pc^0_{T'}) = [\text{lock } lck']^{pc^0_{T'}} \Rightarrow (\mathbb{l}^n\,lck' = \mathbb{l}^0\,lck' \land \tilde{\mathbb{l}}^k\,lck' = \tilde{\mathbb{l}}^0\,lck'))$. But, then all the assumptions of Lemma 5.56 are fulfilled, and thus, it must be that:

\begin{align*}
& \forall c @ \langle [T, pc_T, r_T, t_T]_{T \in \text{Thrd}}, \mathbb{x}, \mathbb{l} \rangle \in \text{Conf} : \\
& \quad (c^n \xrightarrow{prg} c) \Rightarrow \exists \tilde{c} @ \langle [T, \tilde{pc}_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}, \tilde{\mathbb{l}} \rangle \in \widetilde{\text{Conf}} : \\
& \qquad (\tilde{c}^k \xrightarrow{prg} \tilde{c} \land \\
& \qquad pc_{T'} = \tilde{pc}_{T'} \land \\
& \qquad r_{T'} \in \gamma_\text{reg}(\tilde{r}_{T'}) \land \\
& \qquad t_{T'} \in \gamma_t(\tilde{t}_{T'}) \land \\
& \qquad \exists \mathbb{x}' \in \gamma_\text{var}(\tilde{\mathbb{x}}) : (\forall x \in \text{Var} : ((\mathbb{x}\,x)\,T') \subseteq ((\mathbb{x}'\,x)\,T')) \land \\
& \qquad \forall lck \in \text{Lck} : (\text{OWN}(\mathbb{l}\,lck) = T' \Rightarrow (\text{STT}(\mathbb{l}\,lck) = \text{STT}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{OWN}(\mathbb{l}\,lck) = \text{OWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{DL}(\mathbb{l}\,lck) \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \quad \text{POWN}(\mathbb{l}\,lck) = \text{POWN}(\tilde{\mathbb{l}}\,lck) \land \\
& \qquad \quad \text{REL}(\mathbb{l}\,lck) \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}\,lck)) \land \\
& \qquad \quad \min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}\,lck))) = -\infty)))
\end{align*}

This concludes the proof of the base case.

Now consider the case that $T'$ must wait for $j$ owner switches (i.e., $\text{lock}$s and $\text{unlock}$s) on $lck'$ before it can acquire $lck'$ itself; i.e., $T'$ is owner number $j+1$ among a set of competing threads to successfully acquire $lck'$ (note that a thread could successfully acquire and release $lck'$ several times while $T'$ is waiting to acquire $lck'$; each such time counts as an owner switch). The induction assumption is that the lemma holds for all $j$ owners that acquire $lck'$ while $T'$ is waiting (i.e., frozen in the abstract case) and for all cases involving other locks.

Assume that $T'$ must wait for $j$ owner switches on $lck'$ before it successfully acquires $lck'$ itself and that the lemma holds for all $j$ owners that acquire $lck'$ while $T'$ is waiting. Then it must be that $\{n_1, n_2, \ldots, n_m\} \ne \emptyset$, and thus $t^0_{T'} \le t^n_{T'} = t^0_{T'} + \text{TIME}(c^{n_1}, T') + \text{TIME}(c^{n_2}, T') + \ldots + \text{TIME}(c^{n_m}, T') = t^{n_m}_{T'} + \text{TIME}(c^{n_m}, T')$ (c.f., Assumption 4.1 and Table 4.3).

Since the lemma holds for all $j$ owners that acquire $lck'$ while $T'$ is waiting, and for all other cases involving other locks, and $\xrightarrow{prg}$ safely over-approximates the transitions described by $\rightarrow$ for all other cases (Lemma 5.56), including lock owner assignments (Lemma 5.55), it must be that there exists an abstract transition trace (starting at $\tilde{c}^0$ and ending at $\tilde{c}^k$) that safely represents the concrete trace from $c^0$ to $c^n$ for all $j$ owners of $lck'$, at least until the point at which they release $lck'$ and do not acquire it again (which is the important part of the trace to consider here), the order in which threads acquire $lck'$ and all states, including the accumulated execution times (c.f., Lemmas 5.51 and 5.56 and the induction assumption). Thus, since $T' \in \text{Thrd}^{c^{n_m}}_{exe} \land \text{OWN}(\mathbb{l}^{n_m+1}\,lck') \ne T'$, $\forall i \in \{n_m+1, \ldots, n-1\} : T' \notin \text{Thrd}^{c^i}_{exe}$ and $T' \in \text{Thrd}^{c^n}_{exe} \land \text{OWN}(\mathbb{l}^n\,lck') = \bot_{thrd} \land \text{OWN}(\mathbb{l}\,lck') = T'$ (since it is assumed that $T'$ acquires $lck'$ in the transition from $c^n$ to $c$), it must be that $lck'$ is released (by owner number $j$) in a transition to $c^{n'}$, where $c^{n_m} \xrightarrow{prg} \ldots \xrightarrow{prg} c^{n'} \xrightarrow{prg} \ldots \xrightarrow{prg} c^n$ and $n_m < n' \le n$. Thus, it must be that $t^{n_m}_{T'} + \text{TIME}(c^{n_m}, T') = t^n_{T'} \le \text{REL}(\mathbb{l}^{n'}\,lck') \le t^n_{T'} + \text{TIME}(c^n, T')$ (c.f., Assumption 4.1 and Table 4.3), where $\text{REL}(\mathbb{l}^{n'}\,lck') = \text{REL}(\mathbb{l}^n\,lck')$ and $\text{REL}(\mathbb{l}^n\,lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^k\,lck'))$ (given the abstract trace from $\tilde{c}^0$ to $\tilde{c}^k$ for the previous, i.e., $j^{th}$, owner of $lck'$, it is easy to see that this is the result when the $j^{th}$ owner issues $\text{unlock } lck'$).
But, then it is trivially the case that $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(\text{DLLOCK}(\tilde{c}^k, lck'))$ (Lemma 5.53).

To show that ACCTIME is safe for this case, first note that $T' \in \text{Thrd}^{\tilde{c}^k}_{exe}$, $\text{STM}(T', \tilde{pc}^k_{T'}) = [\text{lock } lck']^{\tilde{pc}^k_{T'}}$ and $\text{STT}(\tilde{\mathbb{l}}^k\,lck') = \text{unlocked}$. Also note that since $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(\text{DLLOCK}(\tilde{c}^k, lck')) = \gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck'))$, $\text{DL}(\mathbb{l}\,lck') = t^n_{T'} + \text{TIME}(c^n, T')$ (c.f., Tables 4.2 and 4.3, since $T'$ acquires $lck'$ in the transition from $c^n$) and $\min(\gamma_t(\tilde{t}^k_{T'} +_t \text{ABSTIME}(\tilde{c}^k, T'))) \le t^n_{T'} + \text{TIME}(c^n, T') \le \max(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck')))$, it must be the case that $\text{DL}(\tilde{\mathbb{l}}^k\,lck') \not\prec_t \tilde{t}^k_{T'} +_t \text{ABSTIME}(\tilde{c}^k, T')$, which means that there are three branches of Algorithm 5.12 that must be considered here. Note that this also means that $\text{DL}(\mathbb{l}\,lck') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^k\,lck'))$. For the sake of readability, let $\tilde{c}^{k'} @ \langle [T, \tilde{pc}^k_T, \tilde{r}^k_T, \tilde{t}^{k'}_T]_{T \in \text{Thrd}}, \tilde{\mathbb{x}}^k, \tilde{\mathbb{l}}^k \rangle$, where $\tilde{t}^{k'}_T = \tilde{t}^k_T$ for all $T \ne T'$ and $\tilde{t}^{k'}_{T'}$ is defined as $\tilde{t}'_{T'}$ in Algorithm 5.12.

1. Since $T'$ has been frozen while waiting to acquire $lck'$, it can be the case that $\tilde{t}^{k'}_{T'} +_t \text{ABSTIME}(\tilde{c}^{k'}, T') \prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$, where $\tilde{t}^{k'}_{T'} = \tilde{t}^k_{T'}$. (Note that this does not necessarily have to be the case, though.) Let $\tilde{c}'$ be any configuration derived before (i.e., $\tilde{c}' = \tilde{c}^{k'}$) or inside the **while**-loop, and let $\tilde{t}'_{T'}$ be the accumulated execution time of $T'$ in $\tilde{c}'$.

First note that it cannot be that $\text{ABSTIME}(\tilde{c}', T') = \alpha_t(\{0\})$ and $\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T') \prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$ (c.f., Assumption 5.50 and Lemma 5.51). This means that the **while**-loop will eventually terminate. It does so when $\tilde{t}'_{T'}$ is the last point in time that safely represents the situation that $T'$ has not yet acquired $lck'$; thus, at $\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')$, $T'$ might have acquired $lck'$ (i.e., $\tilde{t}'_{T'} \prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$ and $\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T') \not\prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$). In later references within this proof, the $\tilde{t}'_{T'}$ obtained at the exit of the **while**-loop will be referred to as $\tilde{t}^{k''}_{T'}$.

Since $\tilde{t}^{k''}_{T'} \prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$ and $\tilde{t}^{k''}_{T'} +_t \text{ABSTIME}(\tilde{c}', T') \not\prec_t \text{REL}(\tilde{\mathbb{l}}^k\,lck')$, it is easy to see that this branch will lead to an auxiliary configuration, $\tilde{c}^{k''}$, such that $\tilde{c}^k \xrightarrow{prg} \tilde{c}^{k''}$, for which $\tilde{\mathbb{l}}^{k''}\,lck' = \tilde{\mathbb{l}}^k\,lck'$; i.e., $T'$ has not yet acquired $lck'$. The only difference for $T'$ between $\tilde{c}^k$ and $\tilde{c}^{k''}$ is that, in the latter, it has an advanced accumulated execution time (c.f., Table 5.5). Since $\tilde{t}^{k''}_{T'} +_t \text{ABSTIME}(\tilde{c}^{k''}, T') \not\prec_t \text{REL}(\tilde{\mathbb{l}}^{k''}\,lck')$, it is also easy to see that this branch of Algorithm 5.12 will not be taken when ACCTIME is called based on $\tilde{c}^{k''}$. Note that it must be that $|\{n_1, n_2, \ldots, n_m\}|$ is greater than or equal to the number of iterations of the **while**-loop (Assumption 5.50 and Lemma 5.52). Thus, it is also easy to see that $\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck') \not\prec_t \tilde{t}^{k''}_{T'} +_t \text{ABSTIME}(\tilde{c}^{k''}, T')$, since $\text{TIME}(c^i, T') \in \gamma_t(\text{ABSTIME}(\tilde{c}^{k''}, T'))$, where $i \in \{n_1, n_2, \ldots, n_m\}$ is the index of the concrete configuration corresponding to the iteration in which the **while**-loop terminates (Assumption 5.50). This means that for $\tilde{c}^{k''}$, one of the two last branches (considered in the next two items) of Algorithm 5.12 will apply.

2. First note that it must be that $\text{POWN}(\tilde{\mathbb{l}}^{k''}\,lck') \ne T'$ since $T'$ has been waiting for at least one other thread to release $lck'$ before it is allowed to acquire it (c.f., Tables 5.5 and 5.6 and the induction assumption). If, on the other hand, $\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \preceq_t \tilde{t}^{k''}_{T'} +_t \text{ABSTIME}(\tilde{c}^{k''}, T')$, then the proof is equivalent to the corresponding part of the proof of Lemma 5.54 since $t^n_{T'} + \text{TIME}(c^n, T') = \text{DL}(\mathbb{l}\,lck')$, $\text{DL}(\mathbb{l}\,lck') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))$ and $\text{REL}(\mathbb{l}^n\,lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck'))$. Note that this also applies if $\tilde{t}^{k''}_{T'} = \tilde{t}^{k'}_{T'}$ (i.e., if $\tilde{c}^{k''} = \tilde{c}^{k'}$), since it must be that $t^n_{T'} \in \gamma_t(\tilde{t}^{k''}_{T'})$, which follows from Assumption 5.50 and Lemma 5.51 based on 1 above.

3. If $(\tilde{t}^{k''}_{T'} +_t \text{ABSTIME}(\tilde{c}^{k''}, T')) \cap_t \text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \ne \emptyset$, then let $\tilde{t}'_{T'}$ be defined as in Algorithm 5.12 from $\tilde{t}^{k''}_{T'}$, $\text{ABSTIME}(\tilde{c}', T')$ and $\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck')$ (where $\tilde{c}'$ is either $\tilde{c}^{k'}$ or $\tilde{c}^{k''}$, and $\tilde{t}^{k''}_{T'}$ correspondingly either $\tilde{t}^{k'}_{T'}$ or the time obtained at the exit of the **while**-loop), which is obviously a safe estimation of the first point in time when $T'$ can acquire $lck'$.

Now, let $\tilde{c}'$ be any configuration derived before (i.e., $\tilde{c}' = \tilde{c}^{k''}$) or inside the **repeat**-loop (with $\tilde{t}'_{T'}$ the corresponding accumulated execution time of $T'$), which will now be considered. Note that $\tilde{t}'_{T'}$ is used to exit the loop in case $\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck') \preceq_t \tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')$ or $0 \in \gamma_t(\text{ABSTIME}(\tilde{c}', T'))$, where the latter case means that a $\tilde{t}'_{T'}$ such that $\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \preceq_t \tilde{t}'_{T'}$ cannot be derived (c.f., Assumption 5.50).

(a) If $\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck') \preceq_t \tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')$, then it must be that $\tilde{t}'_{T'}$ is a safe estimation of the last point in time when $T'$ can acquire $lck'$ since $t^n_{T'} + \text{TIME}(c^n, T') = \text{DL}(\mathbb{l}\,lck')$, $\text{DL}(\mathbb{l}\,lck') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))$ and $T'$ acquires $lck'$ in a transition from $c^n$ (c.f., Assumption 5.50 and Lemma 5.52), which means that the total number of iterations of the **repeat**-loop, and possibly the **while**-loop from 1, must be greater than or equal to $|\{n_1, n_2, \ldots, n_m, n\}|$. Thus, it must be that $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(((\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')) \cap_t \text{DL}(\tilde{\mathbb{l}}^{k''}\,lck')) \cap_t (\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \cup_t \alpha_t(\{\infty\})))$, since $\text{REL}(\mathbb{l}^n\,lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck'))$ and $\min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))) = -\infty$.

(b) If $0 \in \gamma_t(\text{ABSTIME}(\tilde{c}', T'))$, then it must obviously be that $\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')$, where $\tilde{t}'_{T'} = (\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck') \cup_t \alpha_t(\{\infty\})) \cap_t \text{REL}(\tilde{\mathbb{l}}^{k''}\,lck')$ and $\tilde{c}'$ is $\tilde{c}^{k''}$ with the accumulated execution time of $T'$ replaced by $\tilde{t}'_{T'}$, is a safe approximation of the last point in time when $T'$ can (or rather, will) acquire $lck'$ (c.f., Assumption 5.50 and Lemma 5.52). Thus, it must be that $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(((\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')) \cap_t \text{DL}(\tilde{\mathbb{l}}^{k''}\,lck')) \cap_t (\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \cup_t \alpha_t(\{\infty\})))$, since $\text{REL}(\mathbb{l}^n\,lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck'))$, $\text{DL}(\mathbb{l}\,lck') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))$, $t^n_{T'} + \text{TIME}(c^n, T') = \text{DL}(\mathbb{l}\,lck')$, $\min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))) = -\infty$ and $T'$ acquires $lck'$ in a transition from $c^n$.

(c) If $0 \notin \gamma_t(\text{ABSTIME}(\tilde{c}', T'))$ and also $\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck') \not\preceq_t \tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')$, then it must be that, at the end of some iteration of the **repeat**-loop, $\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \preceq_t \tilde{t}'_{T'}$. For such a $\tilde{t}'_{T'}$, it is easy to see that $t^n_{T'} + \text{TIME}(c^n, T') \in \gamma_t(((\tilde{t}'_{T'} +_t \text{ABSTIME}(\tilde{c}', T')) \cap_t \text{DL}(\tilde{\mathbb{l}}^{k''}\,lck')) \cap_t (\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck') \cup_t \alpha_t(\{\infty\})))$, since $\text{REL}(\mathbb{l}^n\,lck') \in \gamma_t(\text{REL}(\tilde{\mathbb{l}}^{k''}\,lck'))$, $\text{DL}(\mathbb{l}\,lck') \in \gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))$, $t^n_{T'} + \text{TIME}(c^n, T') = \text{DL}(\mathbb{l}\,lck')$, $\min(\gamma_t(\text{DL}(\tilde{\mathbb{l}}^{k''}\,lck'))) = -\infty$ and $T'$ acquires $lck'$ in a transition from $c^n$.
5.8 Abstract Semantics

Thus, it has been shown that $T_\text{tr}^{\text{prg}} + \text{TIME}(c^n, T') \in \gamma(T_{\text{exec}}(\text{TIME}(T,pc^\text{rel},I^\text{Thrd}_T,E^\text{Thrd}_T,T^\text{Thrd}_T,x,I)), T'))$, for both the case that $\hat{c}'$ is $\hat{c}^{\text{first}}$ (if $\hat{z}_k +_T \text{ABSTIME}(\hat{c}^{\text{first}}, T') \amalg_T \text{REL}(\hat{I}^{\text{first}} lck')$ and $\hat{c}'$ is $\hat{c}^{\text{last}}$ (if $\hat{z}_k +_T \text{ABSTIME}(\hat{c}^{\text{last}}, T') \amalg_T \text{REL}(\hat{I}^{\text{last}} lck')$, where $\hat{c}^{\text{first}}$ and $\hat{c}^{\text{last}}$ are as defined above. If $\hat{z}_k +_T \text{ABSTIME}(\hat{c}^{\text{first}}, T') \amalg_T \text{REL}(\hat{I}^{\text{first}} lck')$, it is easy to see that

\[
\begin{align*}
T_{\text{tr}} &= p c_{\text{tr}}, \\
T_{\text{tr}}^n &= y_{\text{reg}}(\hat{z}^{\text{first}}), \\
\exists x' \in y_{\text{var}}(\hat{z}^{\text{first}}) : (T' x \in \text{Var} : ((x^n x) T') \subseteq ((x' x) T')) \text{ and} \\
\forall lck \in \text{Lck} : (\text{OWN}(\hat{I}^{\text{first}} lck) = T' \Rightarrow (\text{STT}(\hat{I}^{\text{first}} lck) = \text{STT}(\hat{I}^{\text{first}} lck) \land \\
\text{OWN}(\hat{I}^{\text{first}} lck) = \text{OWN}(\hat{I}^{\text{first}} lck) \land \\
\text{DL}(\hat{I}^{\text{first}} lck) \in \gamma(\text{DL}(\hat{I}^{\text{first}} lck)) \land \\
\text{POW}(\hat{I}^{\text{first}} lck) = \text{POW}(\hat{I}^{\text{first}} lck) \land \\
\text{REL}(\hat{I}^{\text{first}} lck) \in \gamma(\text{REL}(\hat{I}^{\text{first}} lck)) \land \\
\min(\gamma(\text{DL}(\hat{I}^{\text{first}} lck))) = -\infty))
\end{align*}
\]

since, for $T'$, the accumulated execution time is the only state affected by the transition $\hat{c}^{\text{first}} \vartriangleright_{\text{prg}} \hat{c}^{\text{first}}$ (c.f., Table 5.5; this means that, e.g., $\hat{I}^{\text{first}} lck' = \hat{I}^{\text{first}} lck'$) and $\text{TRIM}$ is safe (Lemma 5.27). Thus, for both transition sequences described by $\hat{c}^{\text{first}} \vartriangleright_{\text{prg}} \hat{c}^{\text{first}} \vartriangleright_{\text{prg}} \hat{c}$ and $\hat{c}^{\text{last}} \vartriangleright_{\text{prg}} \hat{c}$, where $\hat{c} @ ([T,pc^\text{rel},E^\text{Thrd}_T,T^\text{Thrd}_T,x,I]) \in \text{Conf}$, for the two different cases $\hat{z}_k +_T \text{ABSTIME}(\hat{c}^{\text{first}}, T') \amalg_T \text{REL}(\hat{I}^{\text{first}} lck')$ and $\hat{z}_k +_T \text{ABSTIME}(\hat{c}^{\text{last}}, T') \amalg_T \text{REL}(\hat{I}^{\text{last}} lck')$, and
ABSTIME($\bar{c}_{kn}, T'$) $\not\preceq_i R\arel(\bar{c}_{kn} lck')$, respectively), it must be that

\[ pc_{T'} = pc_{\bar{c}'}, \]
\[ \varepsilon_T \in \gamma_{pc}(\bar{e}_T), \]
\[ t^{lck}_T \in \gamma(l^{lck}_T), \]
\[ \exists x' \in \gamma_{var}(\bar{e}_x) \] : (\forall x \in \text{Var} : ((x, x') T') \subseteq ((x', x) T')) and
\[ \forall lck \in \text{Lck} : (\text{OWN}(lck) = T' \Rightarrow (\text{STT}(lck) = STT(\bar{e}_lck) \wedge \text{OWN}(lck) = OWN(lck) \wedge \text{DL}(lck) \in \gamma_t(\text{DL}(\bar{e}_lck)) \wedge \text{POWN}(lck) = \text{POWN}(lck) \wedge \text{REL}(lck) \in \gamma_t(\text{REL}(\bar{e}_lck)) \wedge \text{min}(\gamma_t(\text{DL}(\bar{e}_lck))) = -\infty)\]

where $c^n \xrightarrow{p_{qs}} c$ for some $c@([T, pc_T, e_T, t^{lck}_T]_{T \in \text{Thrd}: x, l}) \in \text{Conf}$, since $\xrightarrow{a}$ is a safe approximation of $\xrightarrow{a}$ (Lemma 5.49), $\text{DL}(lck') = t^{lck}_T + \text{TIME}(c^n, T'$ (Table 4.2) and TRIM is safe (Lemma 5.27). But then the lemma holds. $\blacksquare$

Lemma 5.58 shows that $\xrightarrow{\text{prg}}$ can be used to safely approximate any finite concrete transition sequence. Note that the approximation is safe if, in every step of the transition sequence, either no thread issues a load-statement on a global variable or the thread issuing the load-statement is the sole thread in $\text{Thrd}_{exe}$.

**Lemma 5.58 (Soundness of $\xrightarrow{\text{prg}}$, final state):**

Given the valid concrete configurations (c.f., Definition 4.4) $c^0@\langle [T, pc^0_T, r^0_T, t^0_T]_{T \in \text{Thrd}}, x^0, l^0\rangle \in \text{Conf}$ and $c^n@\langle [T, pc^n_T, r^n_T, t^n_T]_{T \in \text{Thrd}}, x^n, l^n\rangle \in \text{Conf}$ and the abstract configuration $\tilde{c}^0@\langle [T, pc^0_T, \tilde{r}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}}, \tilde{x}^0, \tilde{l}^0\rangle \in \text{Conf}$, such that $c^0 \in \gamma_{\text{conf}}(\tilde{c}^0)$, $c^0 \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c^n$, $\forall lck \in \text{Lck} : \min(\gamma_t(\text{DL}(\tilde{l}^0\,lck))) = -\infty$ and $\forall T \in \text{Thrd} : \text{STM}(T, pc^n_T) = [\text{halt}]^{pc^n_T}$, it must be that

\[
(\exists k \in \langle [T, pc_T, \tilde{c}_k, \tilde{f}_k] \mid T \in \text{Thrd}_T \rangle) \in \text{Conf}:
\]

\[
(\tilde{c}_0 \xrightarrow{pc} \ldots \xrightarrow{pc} \tilde{c}_k) \wedge
\]

\[
(\forall i \in \{0, \ldots, k - 1\} : (|\text{Thrd}_{\text{exec}}| \neq 1 \vee
\{T \in \text{Thrd}_{\text{exec}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var}_g : \text{STM}(T, pc_T) = [\text{load r from x}]^{\text{at}}{}} = \emptyset))
\]

\[
(\forall T \in \text{Thrd}_T : (pc_T = pc_T \wedge
\tilde{c}_T \in \gamma_{\text{reg}}(\tilde{c}_k) \wedge
\tilde{f}_T \in \gamma(\tilde{f}_k) \wedge
\exists x \in \gamma_{\text{reg}}(\tilde{c}_k) : (\forall x \in \text{Var} : ((x^n, x) T) \subseteq ((x', x) T))) \wedge
\forall lck \in \text{Lck}: (\text{STM}(1^n lck) = \text{STM}(\tilde{1} lck) \wedge
\text{OWN}(1^n lck) = \text{OWN}(\tilde{1} lck) \wedge
\text{DL}(1^n lck) \in \gamma(\text{DL}(\tilde{1} lck)) \wedge
\text{PWN}(1^n lck) = \text{PWN}(\tilde{1} lck) \wedge
\text{REL}(1^n lck) \in \gamma(\text{REL}(\tilde{1} lck)) \wedge
\text{min}(\gamma(\text{DL}(\tilde{1} lck))) = (-\infty)))
\]

where, for all \(i \in \{0, \ldots, k - 1\}, \text{Thrd}_{\text{exec}}\) is as defined in Table 5.6, and \(\text{Var}_g\) contains all \(x \in \text{Var}\) such that \(x\) can be written to by one thread and read from by another thread (i.e., there might be a data dependency between the threads; note that \(\text{Var}_g\) can be derived using Algorithm 6.9).

**Proof.** Assume that the valid (c.f., Definition 4.4) concrete configurations $c^0@\langle [T, pc^0_T, r^0_T, t^0_T]_{T \in \text{Thrd}}, x^0, l^0\rangle \in \text{Conf}$ and $c^n@\langle [T, pc^n_T, r^n_T, t^n_T]_{T \in \text{Thrd}}, x^n, l^n\rangle \in \text{Conf}$ and the abstract configuration $\tilde{c}^0@\langle [T, pc^0_T, \tilde{r}^0_T, \tilde{t}^0_T]_{T \in \text{Thrd}}, \tilde{x}^0, \tilde{l}^0\rangle \in \text{Conf}$ are such that $c^0 \in \gamma_{\text{conf}}(\tilde{c}^0)$, $c^0 \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c^n$, $\forall lck \in \text{Lck} : \min(\gamma_t(\text{DL}(\tilde{l}^0\,lck))) = -\infty$ and $\forall T \in \text{Thrd} : \text{STM}(T, pc^n_T) = [\text{halt}]^{pc^n_T}$.

Note that since $\forall T \in \text{Thrd} : \text{STM}(T, pc^n_T) = [\text{halt}]^{pc^n_T}$, it must be that all threads trying to acquire a lock at some point will eventually successfully do so (i.e., there are no deadlocks etc.) and there are no infinite loops. Also note that the possible abstract combinations of the owner and the state for some lock, $lck \in \text{Lck}$, given a reference thread, $T \in \text{Thrd}$, in a lock state, $\tilde{l}$, resulting from a transition using $\xrightarrow{\text{prg}}$ are by definition as follows.
1. $\text{OWN}(\tilde{l}\,lck) \not\in \{\bot_{\text{thrd}}, T\}$ – This means that $T$ will be frozen if it issues $\text{lock}\ lck$, and occurs when $\text{OWN}(l\,lck) \neq T$.

2. $\text{OWN}(\tilde{l}\,lck) = \bot_{\text{thrd}}$ – This occurs when $\text{OWN}(l\,lck) = \bot_{\text{thrd}}$. A safe (over-approximate) owner assignment will occur if $T$ issues $\text{lock}\ lck$. (The soundness is given by that it is trivially the case that for all concrete and abstract configurations consisting of the threads in $\text{Thrd}$, $\{T' \in \text{Thrd} \mid \text{STM}(T', pc_{T'}) = [\text{lock}\ lck]^{pc_{T'}}\} \subseteq \{T' \in \text{Thrd} \mid \exists l \in \text{Lbl}_{T'} : \text{STM}(T', l) = [\text{lock}\ lck]^{l}\}$; c.f., Table 4.3.)

3. $\text{OWN}(\tilde{l}\,lck) = T \land \text{STT}(\tilde{l}\,lck) = \text{unlocked}$ – This means that $T$ has not yet issued $\text{lock}\ lck$, but some other thread has (with the result that $T$ was assigned $lck$; c.f., the discussion for state 2). If $T$ issues $\text{lock}\ lck$ within the deadline, it will successfully acquire $lck$. If it does not, there is no corresponding concrete situation described by the owner assignment, given that $\text{DL}(l\,lck) \in \gamma_t(\text{DL}(\tilde{l}\,lck))$, and thus, the configuration will be discontinued; c.f., Algorithms 6.1 and 6.6, which are discussed in Chapter 6. This occurs when $\text{OWN}(l\,lck) = \bot_{\text{thrd}}$.

4. $\text{OWN}(\tilde{l}\,lck) = T \land \text{STT}(\tilde{l}\,lck) = \text{locked}$ – This occurs when $\text{OWN}(l\,lck) = T$.

The possible transitions between these abstract states (as defined by $\xrightarrow{\text{ax}}$ and $\xrightarrow{\text{prg}}$) are depicted in Figure 5.7. State 3 (a result from the over-approximate owner assignment performed by $\xrightarrow{\text{prg}}$) is needed because $\text{Time} = \text{Intv}$, which means that even if a thread acquires a lock first in the abstract case, it could be that some other thread could actually acquire the lock first in the corresponding concrete case. Lemma 5.55 gives that $\xrightarrow{\text{prg}}$ covers all the possible concrete situations for lock owner assignments, regardless of which thread issues $\text{lock}\ lck$ first in the abstract case; c.f., a transition from state 2 to state 4, possibly via state 3.

This proof will partly be conducted using induction on how the states of a configuration are changed during transitions, based on one thread at

Therefore, consider $c^g @ \langle [T, pc_T, \tilde{r}, T] \in \text{Thrd}_c, \tilde{x}, 1 \rangle \in \text{Conf}$.

$c^g @ \langle [T, pc_T, \tilde{r}, T] \in \text{Thrd}_c, \tilde{x}, 1 \rangle \in \text{Conf}$, $c^g @ \langle [T, pc_T, \tilde{r}, T] \in \text{Thrd}_c, \tilde{x}, 1 \rangle \in \text{Conf}$, $c^g @ \langle [T, pc_T, \tilde{r}, T] \in \text{Thrd}_c, \tilde{x}, 1 \rangle \in \text{Conf}$.

$\exists lck \in \text{Lck} : (\text{STM}(T', pc_T) = [\text{lock} lck]^{pc_T} \land \text{OWN}(1+lck) \neq (T')) \land

T' \in \text{Thrd}_{g-1} \land

\forall lck \in \text{Lck} : \text{STM}(T', pc_T) = [\text{lock} lck]^{pc_T} \Rightarrow \text{OWN}(1+lck) = T' \land pc_T = pc_T^{g-1} \land

x_T \in \gamma_{\text{var}}(T) \land

T^{g-1}_T \in \gamma(T^{g-1}) \land

\exists x \in \text{Var} : \forall T \in \text{Thrd} : ((\tilde{x} f x) T) \subseteq ((\tilde{x} f x) T) \land

\forall lck \in \text{Lck} : ((\text{OWN}(1 lck) = \bot_{\text{thrd}} \Rightarrow (\text{STT}(1 lck) = \text{STT}(\tilde{1} lck)) \land

\text{OWN}(1 lck) = \text{OWN}(1 lck) \land

\text{DL}(1 lck) \in \gamma_{\text{DL}}(\tilde{1} lck) \land

\text{POWN}(1 lck) = \text{POWN}(1 lck) \land

\text{REL}(1 lck) \in \gamma_{\text{REL}}(\tilde{1} lck) \land

\text{min}(\gamma_{\text{DL}}(\tilde{1} lck)) = -\infty) \land

(\text{OWN}(1 lck) = \bot_{\text{thrd}} \Rightarrow ((\text{OWN}(1 lck) = \text{OWN}(1 lck)) \lor

(\text{OWN}(1 lck) = T') \land

\text{STT}(1 lck) = \text{unlocked} \land

T^{g-1}_T \in \gamma_{\text{DL}}(\tilde{1} lck) \land

\text{min}(\gamma_{\text{DL}}(\tilde{1} lck)) = -\infty) \land

\text{POWN}(1 lck) = \text{POWN}(1 lck) \land

\text{REL}(1 lck) \in \gamma_{\text{REL}}(\tilde{1} lck))) \land

\forall h \in \{f, \ldots, g-1\} : (|\text{Thrd}^h_c| \neq 1 \lor

\{ T \in \text{Thrd}^h_c \mid \exists r \in \text{Reg}_T : \exists x \in \text{Var} : \text{STM}(T, pc_T) = [\text{load} r \text{ from } x]^{pc_T} \} = \emptyset)\}

where Thrd$^h_c$ is as defined in Table 4.3. This is the induction assumption.

Then it is easy to see that there exists a $\tilde{c}^g@\langle [T, pc^g_T, \tilde{r}^g_T, \tilde{t}^g_T]_{T \in \text{Thrd}}, \tilde{x}^g, \tilde{l}^g\rangle \in \text{Conf}$, such that

\[ \exists i \xrightarrow{pc_{\mathcal{T}}^i} \ldots \xrightarrow{pc_{\mathcal{T}}^i} \exists j \land \]

\[ pe_{\mathcal{T}}^i = pe_{\mathcal{T}}^i \land \]

\[ t_{\mathcal{T}}^i \in \gamma_{\mathcal{T}}(\exists^{\mathcal{T}}) \land \]

\[ t_{\mathcal{T}}^i \in \gamma_{\mathcal{T}}(\exists^{\mathcal{T}}) \land \]

\[ \exists \gamma' \in \gamma_{\mathcal{T}}(\exists^{\mathcal{T}}) : \exists x \in \mathbf{Var} : ((\pi^x x) T) \subseteq ((\pi^x x) T) \land \]

\[ \forall \mathcal{Lck} \in \mathbf{Lck} : ((\text{OWN}(\mathcal{Lck})) = t' \lor \]

\[ \text{OWN}(\mathcal{Lck}) = T' \Rightarrow (\text{STT}(\mathcal{Lck}) = \text{STT}(\mathcal{Lck}) \land \]

\[ \text{OWN}(\mathcal{Lck}) = \text{OWN}(\mathcal{Lck}) \land \]

\[ \text{DL}(\mathcal{Lck}) \in \gamma_{\mathcal{T}}(\text{DL}(\mathcal{Lck})) \land \]

\[ \text{POWN}(\mathcal{Lck}) = \text{POWN}(\mathcal{Lck}) \land \]

\[ \text{REL}(\mathcal{Lck}) \in \gamma_{\mathcal{T}}(\text{REL}(\mathcal{Lck})) \land \]

\[ \min(\gamma_{\mathcal{T}}(\text{DL}(\mathcal{Lck}))) = -\infty) \]

(Lemmas 5.55, 5.56 and 5.57). Note that even if for some lock, \( \mathcal{Lck} \in \mathbf{Lck}, T' \) issues \( \text{lock} \mathcal{Lck} \) but \( \mathcal{Lck} \) is assigned to some other thread, \( T' \) will eventually be assigned \( \mathcal{Lck} \) so that it can acquire it (since all threads that want to acquire a lock eventually will be able to do so). For such cases, \( T' \) is the owner of \( \mathcal{Lck} \) in \( \varepsilon^T \) and \( \varepsilon^T \) (c.f., Lemmas 5.56 and 5.57).

Now consider the base case for the induction part of the proof. Since $c^0 \in \gamma_{\text{conf}}(\tilde{c}^0)$, $\forall lck \in \text{Lck} : \min(\gamma_t(\text{DL}(\tilde{l}^0\,lck))) = -\infty$ and $c^0$ is valid, it is easy to see that

\[ \forall T \in \mathbf{Thrd} : (pe_{\mathcal{T}}^\varepsilon = pe_{\mathcal{T}}^\varepsilon \land \]

\[ t_{\mathcal{T}}^\varepsilon \in \gamma_{\mathcal{T}}(\text{PC}_{\mathcal{T}}) \land \]

\[ t_{\mathcal{T}}^\varepsilon \in \gamma_{\mathcal{T}}(\text{PC}_{\mathcal{T}}) \land \]

\[ \exists \gamma' \in \gamma_{\mathcal{T}}(\varepsilon^0) : \exists x \in \mathbf{Var} : ((\pi^x x) T) \subseteq ((\pi^x x) T) \land \]

\[ \forall \mathcal{Lck} \in \mathbf{Lck} : (\text{STT}(\mathcal{Lck}) = \text{STT}(\mathcal{Lck}) \land \]

\[ \text{OWN}(\mathcal{Lck}) = \text{OWN}(\mathcal{Lck}) \land \]

\[ \text{DL}(\mathcal{Lck}) \in \gamma_{\mathcal{T}}(\text{DL}(\mathcal{Lck})) \land \]

\[ \text{POWN}(\mathcal{Lck}) = \text{POWN}(\mathcal{Lck}) \land \]

\[ \text{REL}(\mathcal{Lck}) \in \gamma_{\mathcal{T}}(\text{REL}(\mathcal{Lck})) \land \]

\[ \min(\gamma_{\mathcal{T}}(\text{DL}(\mathcal{Lck}))) = -\infty) \]

which means that as long as \( \forall b \in \{0, \ldots, k - 1\} : (|\mathbf{Thrd}|_{\mathcal{T}} + 1 \lor T \in \mathbf{Thrd} \lor |\exists r \in \mathbf{Reg}_T : \exists x \in \mathbf{Var}_x : \text{STM}(T, pe_{\mathcal{T}}^\varepsilon) = \text{load } r \text{ from } x_{\mathcal{T}}^\varepsilon\} = \emptyset), \) the induction holds for all threads in \( \mathbf{Thrd} \).
Note that by definition, $l^n\,lck = l^0\,lck$ (c.f., Tables 4.2 and 4.3) and $\tilde{l}^k\,lck = \tilde{l}^0\,lck$ (c.f., Tables 5.5 and 5.6) if $lck$ is never acquired by any thread, or never released by its initially owning thread (i.e., the owner of $lck$ in $c^0$ and $\tilde{c}^0$, respectively).

This concludes the proof.

Because of the unsafe nature of $\xrightarrow{\text{prg}}$ (i.e., it cannot safely approximate all concrete transition sequences), it cannot be directly used to derive a safe set of possible final configurations (i.e., configurations in which all threads issue $\text{halt}$). It must instead be encapsulated by an algorithm that uses it in a safe manner and handles the unsafe situations explicitly. Such an algorithm is defined in the next chapter.
Chapter 6

Safe Timing Analysis by Abstract Execution

In this chapter, an algorithm for deriving safe timing bounds of PPL programs will be defined. The analysis will be based on the abstraction of the PPL semantics presented in Chapter 5.

NOTE. A summary of the notation and nomenclature used in this thesis can be found in Appendix A.

6.1 Abstract Execution

ABSEXE, as given by Algorithm 6.1, can be used to derive safe approximations of the concrete final states resulting from a finite transition sequence (Lemma 6.8). ABSEXE will also safely approximate some infinite transition sequences but is not guaranteed to terminate for all possible inputs. The algorithm is a work-list algorithm and is defined based on the auxiliary functions CHOOSE, which returns an arbitrary element of a given (non-empty) set, ISFINAL, ISDEADLOCK, ISTIMEOUT, ISVALID, CYCLE, EXELOADTHRD, GLOBALVAR, EXETHRD, GETVARLOAD and GETREGLOAD, defined in Algorithms 6.2 to 6.12.
Algorithm 6.1 Abstract Execution

1: function ABSEXE($\mathcal{C}$, $\tilde{t}_{\text{to}}$)
2:   $\mathcal{C}^w \leftarrow \mathcal{C}$; $\mathcal{C}^f \leftarrow \emptyset$; $\mathcal{C}^d \leftarrow \emptyset$; $\mathcal{C}^t \leftarrow \emptyset$
3:   while $\mathcal{C}^w \neq \emptyset$ do
4:     $\tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle \leftarrow \text{CHOOSE}(\mathcal{C}^w)$
5:     $\mathcal{C}^w \leftarrow \mathcal{C}^w \setminus \{\tilde{c}\}$
6:     if ISFINAL($\tilde{c}$) then
7:       $\mathcal{C}^f \leftarrow \mathcal{C}^f \cup \{\tilde{c}\}$
8:     else if ISDEADLOCK($\tilde{c}$) then
9:       $\mathcal{C}^d \leftarrow \mathcal{C}^d \cup \{\tilde{c}\}$
10:    else if ISTIMEOUT($\tilde{c}$, $\tilde{t}_{\text{to}}$) then
11:      $\mathcal{C}^t \leftarrow \mathcal{C}^t \cup \{\tilde{c}\}$
12:    else if ISVALID($\tilde{c}$, $\tilde{t}_{\text{to}}$) then
13:      $\text{Thrd}_{\text{load}} \leftarrow \text{EXELOADTHRD}(\tilde{c})$
14:      if $\text{Thrd}_{\text{load}} \neq \emptyset \land |\text{EXETHRD}(\tilde{c})| > 1$ then
15:        $\langle \tilde{t}_T \rangle_{T \in \text{Thrd}_{\text{load}}} \leftarrow \langle \tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T) \rangle_{T \in \text{Thrd}_{\text{load}}}$
16:        for all $T \in \text{Thrd}_{\text{load}}$ do
17:          $x \leftarrow \text{GETVARLOAD}(\text{STM}(T, pc_T))$
18:          $r \leftarrow \text{GETREGLOAD}(\text{STM}(T, pc_T))$
19:          $\tilde{c}' \leftarrow \langle [T', pc_{T'}, \tilde{r}_{T'}, \tilde{t}_{T'}]_{T' \in \text{Thrd}_{\tilde{c}} \setminus \{T\}}, \tilde{x}, \tilde{l}\rangle$
20:          $\langle \mathcal{C}'^f, \mathcal{C}'^d, \mathcal{C}'^t \rangle \leftarrow \text{ABSEXE}(\{\tilde{c}'\}, \tilde{t}_T)$
21:          for all $\langle [T', pc'_{T'}, \tilde{r}'_{T'}, \tilde{t}'_{T'}]_{T' \in \text{Thrd}_{\tilde{c}} \setminus \{T\}}, \tilde{x}', \tilde{l}'\rangle \in \mathcal{C}'^f \cup \mathcal{C}'^d \cup \mathcal{C}'^t \cup \{\tilde{c}'\}$ do
22:            $\tilde{r}_T\, r \leftarrow \tilde{r}_T\, r \sqcup ((\tilde{x}'\, x)\, T)$
23:          end for
24:        end for
25:        $\langle pc_T \rangle_{T \in \text{Thrd}_{\text{load}}} \leftarrow \langle pc_T + 1 \rangle_{T \in \text{Thrd}_{\text{load}}}$
26:        $\mathcal{C}^w \leftarrow \mathcal{C}^w \cup \{\tilde{c}\}$
27:      else
28:        $\mathcal{C}^w \leftarrow \mathcal{C}^w \cup \{\tilde{c}' \in \text{Conf} \mid \tilde{c} \xrightarrow{\text{prg}} \tilde{c}'\}$
29:      end if
30:    end if
31:  end while
32:  return $\langle \mathcal{C}^f, \mathcal{C}^d, \mathcal{C}^t \rangle$
33: end function
respectively.

A thread executing a `load`-statement on some global variable (i.e., a variable that could transfer data between threads) is extracted and handled separately whenever it would not be the sole thread executed on a transition. This is done by recursively using ABSEXE for each such thread to simulate how the rest of the threads in the configuration can affect the read value. When the effects have been derived, they are merged and put in the target register of the thread that issues the `load`-statement. Next, a new configuration, in which the `load`-statements have been performed, is added to the work-list.

If no `load`-statement on some global variable is issued by any thread, or a thread issuing such a `load`-statement is the sole thread that will execute on a transition, $\xrightarrow{\text{prg}}$ is used to derive the set of succeeding configurations, which are then added to the work-list.

Algorithm 6.2 Choose an Element

1: function \textsc{Choose}(S)
2: \textbf{Require:} \( S \neq \emptyset \)
3: \textbf{return} one of the elements in \( S \)
4: \textbf{end function}

Given an abstract configuration, \( \tilde{c} \in \text{Conf} \), \textsc{isFinal}(\( \tilde{c} \)) means that \( \tilde{c} \) is in the final state; i.e., all threads issue \texttt{halt}-statements.

Algorithm 6.3 Final Abstract Configuration

1: function \textsc{isFinal}(\( \tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle \))
2: \textbf{return} \( \forall T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \)
3: \textbf{end function}

Given an abstract configuration, \( \tilde{c} \in \text{Conf} \), \textsc{isDeadlock}(\( \tilde{c} \)) means that \( \tilde{c} \) cannot reach a final state (Lemma 6.5). Note that \textsc{isDeadlock} is not guaranteed to identify all such cases, though.

Given an abstract configuration, \( \tilde{c} \in \text{Conf} \), and a timeout, \( \tilde{t}_{\text{to}} \in \text{Time} \), \textsc{isTimeout}(\( \tilde{c}, \tilde{t}_{\text{to}} \)) means that \( \tilde{c} \) cannot reach a final state before \( \tilde{t}_{\text{to}} \) has passed (Lemma 6.6). Note that \textsc{isTimeout} might not identify all possible such cases, though.

Given an abstract configuration, \( \tilde{c} \in \text{Conf} \), and a timeout, \( \tilde{t}_{\text{to}} \in \text{Time} \), \( \neg \textsc{isValid}(\tilde{c}, \tilde{t}_{\text{to}}) \) means that \( \tilde{c} \) cannot reach a configuration that could represent at least one valid (c.f., Definition 4.4) concrete configuration (Lemma 6.7). Note that \textsc{isValid} might not identify all possible such cases, though.
Algorithm 6.4 Deadlocked Abstract Configuration

1: function ISDEADLOCK($\tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle$)

Require: ¬ISFINAL($\tilde{c}$)

2: $\text{Thrd}_{\text{lock}} \leftarrow \{T \in \text{Thrd}_{\tilde{c}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) \notin \{\bot_{\text{thrd}}, T\} \land \text{STT}(\tilde{l}\,lck) = \text{locked})\}$

3: $E \leftarrow \{(T, T') \in \text{Thrd}_{\text{lock}} \times \text{Thrd}_{\text{lock}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) = T')\}$

4: return $\text{Thrd}_{\tilde{c}} = \text{Thrd} \land (\text{CYCLE}(\text{Thrd}_{\text{lock}}, E) \lor \exists T \in \text{Thrd}_{\tilde{c}} : \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{STM}(\text{OWN}(\tilde{l}\,lck), pc_{\text{OWN}(\tilde{l}\,lck)}) = [\text{halt}]^{pc_{\text{OWN}(\tilde{l}\,lck)}}))$

5: end function

Algorithm 6.5 Timed-Out Abstract Configuration

1: function ISTIMEOUT($\tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle$, $\tilde{t}_{\text{to}}$)

Require: ¬ISFINAL($\tilde{c}$) ∧ ¬ISDEADLOCK($\tilde{c}$)

2: return $\forall T \in \text{Thrd}_{\tilde{c}} : (\text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \Rightarrow (\tilde{t}_{\text{to}} \prec_t \tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T) \lor (\text{Thrd}_{\tilde{c}} \subset \text{Thrd} \land \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{STM}(\text{OWN}(\tilde{l}\,lck), pc_{\text{OWN}(\tilde{l}\,lck)}) = [\text{halt}]^{pc_{\text{OWN}(\tilde{l}\,lck)}}))))$

3: end function

Algorithm 6.6 Valid Abstract Configuration

1: function ISVALID($\tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle$, $\tilde{t}_{\text{to}}$)

Require: ¬ISFINAL($\tilde{c}$) ∧ ¬ISDEADLOCK($\tilde{c}$) ∧ ¬ISTIMEOUT($\tilde{c}$, $\tilde{t}_{\text{to}}$)

2: $\text{Thrd}_{\text{lock}} \leftarrow \{T \in \text{Thrd}_{\tilde{c}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) \notin \{\bot_{\text{thrd}}, T\})\}$

3: $E \leftarrow \{(T, T') \in \text{Thrd}_{\text{lock}} \times \text{Thrd}_{\text{lock}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) = T')\}$

4: return $(\text{Thrd}_{\tilde{c}} = \text{Thrd} \Rightarrow \neg\text{CYCLE}(\text{Thrd}_{\text{lock}}, E)) \land \forall lck \in \text{Lck} : \forall T \in \text{Thrd}_{\tilde{c}} : ((\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{STT}(\tilde{l}\,lck) = \text{unlocked}) \Rightarrow (\text{STM}(\text{OWN}(\tilde{l}\,lck), pc_{\text{OWN}(\tilde{l}\,lck)}) \neq [\text{halt}]^{pc_{\text{OWN}(\tilde{l}\,lck)}} \land \text{OWN}(\tilde{l}\,lck) \notin \{\bot_{\text{thrd}}, T\}))$

5: end function

Given a graph, $(V, E)$, $\text{CYCLE}(V, E)$ means that $(V, E)$ contains at least one cycle (Lemma 6.1).

**Algorithm 6.7** Determine if Graph Has Cycles

```
function CYCLE(V, E)
  V' ← V
  E' ← E
  while V' ≠ ∅ do
    V'' ← {v ∈ V' | ¬∃v' ∈ V' : (v', v) ∈ E'}
    if V'' = ∅ then
      return true
    else
      E' ← E' \ {(v, v') ∈ E' | v ∈ V'' ∧ v' ∈ V'}
      V' ← V' \ V''
    end if
  end while
  return false
end function
```

Given a configuration, $\tilde{c} ∈ \text{Conf}$, $\text{EXELOADTHRD}(\tilde{c})$ is a set of threads that might issue a load-statement on a global variable in a transition from $\tilde{c}$ (Lemma 6.4).

**Algorithm 6.8** Threads Executing a Possibly Unsafe Load Statement

```
function EXELOADTHRD(c̃@⟨[T, pc_T, r̃_T, t̃_T]_{T ∈ Thrd_c̃}, x̃, l̃⟩)
  return {T ∈ EXETHRD(c̃) | ∃r ∈ Reg_T : ∃x ∈ GLOBALVAR(Thrd_c̃) : STM(T, pc_T) = [load r from x]^{pc_T}}
end function
```

Given a set of threads, $\text{Thrd}_{\tilde{c}} ⊆ \text{Thrd}$, $\text{GLOBALVAR}(\text{Thrd}_{\tilde{c}})$ is the set of variables that could transfer data between some of the threads in $\text{Thrd}_{\tilde{c}}$ (Lemma 6.3).

Given a configuration, $\tilde{c} ∈ \text{Conf}$, $\text{EXE}\text{THRD}(\tilde{c})$ is an over-approximation of $\text{Thrd}_{\text{exe}}$, as defined in Table 5.6 (Lemma 6.2).

Given a load-statement, $\text{GETVARLOAD}$ is the variable, and $\text{GETREGLOAD}$ is the register, defined by the statement.

Algorithm 6.9 Global Variables in an Abstract Configuration

1: function GLOBALVAR($\text{Thrd}_{\tilde{c}}$)
2: $\langle \text{Var}^{\text{load}}_T \rangle_{T \in \text{Thrd}_{\tilde{c}}} \leftarrow \langle \{x \in \text{Var} \mid \exists r \in \text{Reg}_T : \exists l \in \text{Lbl}_T : \text{STM}(T, l) = [\text{load}\ r\ \text{from}\ x]^{l}\} \rangle_{T \in \text{Thrd}_{\tilde{c}}}$
3: $\langle \text{Var}^{\text{store}}_T \rangle_{T \in \text{Thrd}_{\tilde{c}}} \leftarrow \langle \{x \in \text{Var} \mid \exists r \in \text{Reg}_T : \exists l \in \text{Lbl}_T : \text{STM}(T, l) = [\text{store}\ r\ \text{to}\ x]^{l}\} \rangle_{T \in \text{Thrd}_{\tilde{c}}}$
4: return $\{x \in \text{Var} \mid \exists T, T' \in \text{Thrd}_{\tilde{c}} : (T \neq T' \land x \in \text{Var}^{\text{load}}_T \land x \in \text{Var}^{\text{store}}_{T'})\}$
5: end function

Algorithm 6.10 Threads to Execute in Abstract Configuration

1: function EXETHRD($\tilde{c}@\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l}\rangle$)
2: $\text{Thrd}_{\text{hold}} \leftarrow \{T \in \text{Thrd}_{\tilde{c}} \mid \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \lor \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) \neq T)\}$
3: $\langle \tilde{t}'_T \rangle_{T \in \text{Thrd}_{\tilde{c}} \setminus \text{Thrd}_{\text{hold}}} \leftarrow \langle \text{ABSTIME}(\tilde{c}, T) \rangle_{T \in \text{Thrd}_{\tilde{c}} \setminus \text{Thrd}_{\text{hold}}}$
4: $t_{\min} \leftarrow \min\{\min(\gamma_t(\tilde{t}_T +_t \tilde{t}'_T)) \mid T \in \text{Thrd}_{\tilde{c}} \setminus \text{Thrd}_{\text{hold}}\}$
5: $t_{\max} \leftarrow \min\{\max(\gamma_t(\tilde{t}_T +_t \tilde{t}'_T)) \mid T \in \text{Thrd}_{\tilde{c}} \setminus \text{Thrd}_{\text{hold}}\}$
6: $\tilde{t} \leftarrow \alpha_t(\{t_{\min}, t_{\max}\})$
7: return $\{T \in \text{Thrd}_{\tilde{c}} \setminus \text{Thrd}_{\text{hold}} \mid \tilde{t} \sqcap_t (\tilde{t}_T +_t \tilde{t}'_T) \neq \bot_t\} \cup \{T \in \text{Thrd}_{\text{hold}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\,lck) = \bot_{\text{thrd}})\}$
8: end function

Algorithm 6.11 Get Variable in Load Statement

1: function GETVARLOAD($[\text{load}\ r\ \text{from}\ x]^{l}$)
2: return $x$
3: end function

Algorithm 6.12 Get Register in Load Statement

1: function GETREGLOAD($[\text{load}\ r\ \text{from}\ x]^{l}$)
2: return $r$
3: end function

**Lemma 6.1 (Soundness of CYCLE):**
Given the graph $(V, E)$, where $V$ is a set of vertices and $E$ is a set of edges (i.e., pairs of vertices) connecting the vertices, then $\text{CYCLE}(V, E)$ iff $(V, E)$ contains at least one cycle.

**Proof.** Assume that \((V, E)\) is a graph, where \(V\) is a set of vertices and \(E\) is a set of edges connecting the vertices. By definition, a cycle involving vertices \(v_1, v_2, v_3, \ldots, v_n\) is described by the edges \((v_1, v_2), (v_2, v_3), \ldots, (v_n, v_1)\), where \(n \geq 2\). Thus it is easy to see that a vertex, \(v \in V\), cannot be part of a cycle in \((V, E)\) if \(\neg \exists v' \in V : (v', v) \in E\); i.e., if \(v\) has no incoming edges. It is also easy to see that the graph \((V', E')\), where \(V' = V \setminus \{v \in V \mid \neg \exists v' \in V : (v', v) \in E\}\) (i.e., all vertices without incoming edges are removed) and \(E' = E \setminus \{(v, v') \in E \mid v \in \{v'' \in V \mid \neg \exists v''' \in V : (v''', v'') \in E\} \land v' \in V\}\) (i.e., all edges going out from a vertex without incoming edges are removed) contains exactly as many cycles as \((V, E)\).

Thus it must be that if this procedure can be repeated until an empty graph is reached, there are no cycles in the initial graph. Likewise, if it is not possible to reduce the initial graph to an empty graph, there must be at least one cycle in the initial graph. If there is no cycle in the initial graph, it is easy to see that the graph can be reduced to the empty graph by the above procedure. Likewise it is easy to see that if there is a cycle in the initial graph, the graph cannot be reduced to the empty graph by the above procedure. But then it must be that \(\text{CYCLE}(V, E)\) iff the graph \((V, E)\) contains at least one cycle.
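
As an added illustration of the reduction used in this proof (this code is not from the thesis), the following Python implements CYCLE(V, E) by repeatedly deleting vertices without incoming edges, and applies it to the lock wait-for graph that ISVALID builds in Lemma 6.7: an edge (T', T) whenever thread T is blocked on a lock owned by T', with both threads in Thrd_lock. The function names `cycle`, `waitfor_graph` and `is_lock_cycle`, the tuple encoding of statements and the `owner` map (with `None` standing for ⊥_Thrd) are assumptions of the example.

```python
# Added example (not from the thesis): CYCLE(V, E) as the reduction in the
# proof of Lemma 6.1, applied to a lock wait-for graph.  All names are
# hypothetical.
from typing import Dict, Hashable, Iterable, Optional, Set, Tuple

Vertex = Hashable
Edge = Tuple[Vertex, Vertex]


def cycle(vertices: Iterable[Vertex], edges: Iterable[Edge]) -> bool:
    """CYCLE(V, E): True iff the directed graph (V, E) contains a cycle.

    Repeats the reduction from the proof: drop every vertex that has no
    incoming edge, together with the edges leaving it.  A vertex on a cycle
    always keeps an incoming edge, so the empty graph is reached exactly
    when the graph is acyclic.
    """
    v_set: Set[Vertex] = set(vertices)
    # Keep only edges between vertices of V; (v, v) counts as a cycle.
    e_set: Set[Edge] = {(a, b) for a, b in edges if a in v_set and b in v_set}
    while v_set:
        targets = {b for _, b in e_set}          # vertices with an incoming edge
        sources = v_set - targets                # vertices without one
        if not sources:
            return True                          # nothing removable: a cycle remains
        v_set -= sources
        e_set = {(a, b) for a, b in e_set if a not in sources}
    return False


# A thread's current statement as a tuple: ("lock", name), ("halt",), ...
Stmt = Tuple[str, ...]


def waitfor_graph(stm: Dict[str, Stmt],
                  owner: Dict[str, Optional[str]]) -> Tuple[Set[str], Set[Edge]]:
    """Thrd_lock and E in the form used by ISVALID (Lemma 6.7).

    Thrd_lock holds the threads blocked on a lock currently owned by some
    other thread (owner[lck] is None when the lock is free, i.e. OWN is
    bottom).  E has an edge (T', T) when T waits for a lock owned by T' and
    both T and T' are in Thrd_lock; a cycle in (Thrd_lock, E) is a circular
    wait among those threads.
    """
    thrd_lock = {T for T, s in stm.items()
                 if s[0] == "lock" and owner.get(s[1]) not in (None, T)}
    edges = {(owner[stm[T][1]], T) for T in thrd_lock
             if owner[stm[T][1]] in thrd_lock}
    return thrd_lock, edges


def is_lock_cycle(stm: Dict[str, Stmt], owner: Dict[str, Optional[str]]) -> bool:
    """True iff the current lock-wait situation contains a circular wait."""
    thrd_lock, edges = waitfor_graph(stm, owner)
    return cycle(thrd_lock, edges)


if __name__ == "__main__":
    # Constructed configuration: T1 waits for `a` held by T2, T2 waits for
    # `b` held by T1, T3 has halted.  The wait-for graph is T2 -> T1 -> T2.
    stm = {"T1": ("lock", "a"), "T2": ("lock", "b"), "T3": ("halt",)}
    owner = {"a": "T2", "b": "T1"}
    print(is_lock_cycle(stm, owner))
```

The reduction removes all current sources in one round, as the proof's \((V', E')\) does, rather than one vertex at a time; both variants terminate in at most \(|V|\) rounds and give the same answer.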

**Lemma 6.2 (Soundness of EXETHRD):**

Given \(\tilde{c} \in \text{Conf}\), \(\text{Thrd}^{\tilde{c}}_{\text{exe}} \subseteq \text{EXETHRD}(\tilde{c})\), where \(\text{Thrd}^{\tilde{c}}_{\text{exe}}\) is as defined in Table 5.6.

**Proof.** Based on \(\tilde{c} \in \text{Conf}\), assume that \(\tilde{t}\) is as defined in Algorithm 6.10 and that \(\tilde{t}'\) is defined as \(\tilde{t}\) but given by Table 5.6. It is easy to see that \(\text{Thrd}_{\text{hold}}\) as given by Algorithm 6.10 is a superset of \(\text{Thrd}_{\text{hold}}\) as given by Table 5.6, since in the latter case a lock might have been assigned to some thread, which excludes that thread from \(\text{Thrd}_{\text{hold}}\). Thus it must be that \(\min(\gamma(\tilde{t}')) \leq \min(\gamma(\tilde{t}))\) and \(\max(\gamma(\tilde{t}')) \leq \max(\gamma(\tilde{t}))\) (since \(\tilde{t}'\) is derived based on a superset of the threads used to derive \(\tilde{t}\)). Note that if it is a true superset, it must be that all the extra threads issue \([\text{lock}\ lck]^{pc_T}\) for some locks, \(lck \in \text{Lck}\), have been assigned the ownership of \(lck\), and that for those locks \(\text{OWN}(\tilde{l}\ lck) = \bot_{\text{Thrd}}\). Thus it must be that \(\text{Thrd}^{\tilde{c}}_{\text{exe}} \subseteq \text{EXETHRD}(\tilde{c})\), where \(\text{Thrd}^{\tilde{c}}_{\text{exe}}\) is as defined in Table 5.6, since \(\text{EXETHRD}(\tilde{c})\) is derived based on \(\tilde{t}\) but also includes all threads issuing \([\text{lock}\ lck]^{pc_T}\) where \(lck \in \text{Lck}\) and \(\text{OWN}(\tilde{l}\ lck) = \bot_{\text{Thrd}}\).
**Lemma 6.3 (Soundness of GLOBALVAR):**

\(\text{GLOBALVAR}(\text{Thrd})\) is the set of variables (called global variables) for which a data dependency between two or more threads can occur in the program described by \(\text{Thrd}\).

**Proof.** Assume that \( x \in \text{Var} \). First note that

- if \( \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{store}\ r\ \text{to}\ x]^l \} = \emptyset \) (i.e., no thread ever writes to \( x \)), then \( x \) can be considered a constant (since \( x \in \text{Var} \), there must be some thread reading from it),

- if \( \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{load}\ r\ \text{from}\ x]^l \} = \emptyset \) (i.e., no thread ever reads from \( x \)), then \( x \) can be considered a trash variable (since \( x \in \text{Var} \), there must be some thread writing to it),

- if, for some thread, \( T' \in \text{Thrd} \), \( \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{store}\ r\ \text{to}\ x]^l \} = \{ T' \} \) and \( \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{load}\ r\ \text{from}\ x]^l \} = \{ T' \} \), then \( x \) is only read from and written to by \( T' \) (thus there cannot be any data dependency on \( x \) between two threads), and

- for a data dependency to occur on \( x \) between two threads, \( T', T'' \in \text{Thrd} \), it must be that \( T' \in \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{store}\ r\ \text{to}\ x]^l \} \), \( T'' \in \{ T \in \text{Thrd} \mid \exists l \in \text{Lbl}_T : \exists r \in \text{Reg}_T : \text{STM}(T, l) = [\text{load}\ r\ \text{from}\ x]^l \} \) and \( T' \neq T'' \).

Thus, since for each \( T \in \text{Thrd} \), the set \( \text{Var}^{\text{load}}_T \) contains all variables that \( T \) might read from and the set \( \text{Var}^{\text{store}}_T \) contains all variables that \( T \) might write to, it must be that \( \{ x \in \text{Var} \mid \exists T', T'' \in \text{Thrd} : (T' \neq T'' \land x \in \text{Var}^{\text{load}}_{T'} \land x \in \text{Var}^{\text{store}}_{T''}) \} \) is the set of variables for which data dependencies occur between at least two threads.
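
The case split above can be run on a small program. The following Python is an added example, not the thesis's own code; it computes \(\text{Var}^{\text{load}}_T\), \(\text{Var}^{\text{store}}_T\) and \(\text{GLOBALVAR}(\text{Thrd})\) from a constructed thread table and labels every variable as constant, trash, local or global, following the four cases of the proof. The statement encoding and the helper names `var_load`, `var_store`, `globalvar` and `classify` are assumptions of the example.

```python
# Added example (not from the thesis): GLOBALVAR over a constructed program,
# following the case split in the proof of Lemma 6.3.  Names are hypothetical.
from typing import Dict, List, Set, Tuple

Stmt = Tuple[str, ...]            # ("load", r, x), ("store", r, x), ("halt",), ...
Program = Dict[str, List[Stmt]]   # thread name -> its statement list


def var_load(thread: List[Stmt]) -> Set[str]:
    """Var^load_T: every variable T might read (load r from x)."""
    return {s[2] for s in thread if s[0] == "load"}


def var_store(thread: List[Stmt]) -> Set[str]:
    """Var^store_T: every variable T might write (store r to x)."""
    return {s[2] for s in thread if s[0] == "store"}


def globalvar(thrd: Program) -> Set[str]:
    """GLOBALVAR(Thrd): variables read by one thread and written by another."""
    loads = {T: var_load(p) for T, p in thrd.items()}
    stores = {T: var_store(p) for T, p in thrd.items()}
    return {x
            for t1, ld in loads.items()
            for t2, st in stores.items()
            if t1 != t2
            for x in ld & st}


def classify(thrd: Program) -> Dict[str, str]:
    """Label each variable as in the proof: constant (never written), trash
    (never read), local (one thread only) or global (cross-thread dependency)."""
    loads = {T: var_load(p) for T, p in thrd.items()}
    stores = {T: var_store(p) for T, p in thrd.items()}
    glob = globalvar(thrd)
    result: Dict[str, str] = {}
    for x in set().union(*loads.values(), *stores.values()):
        readers = {T for T, s in loads.items() if x in s}
        writers = {T for T, s in stores.items() if x in s}
        if not writers:
            result[x] = "constant"
        elif not readers:
            result[x] = "trash"
        elif x in glob:
            result[x] = "global"
        else:
            result[x] = "local"   # readers == writers == {T'} for a single T'
    return result


# Constructed three-thread program (not from the thesis).
SAMPLE: Program = {
    "T1": [("load", "r0", "c"), ("store", "r1", "x"),
           ("load", "r2", "y"), ("store", "r3", "y"), ("halt",)],
    "T2": [("load", "r0", "x"), ("store", "r0", "d"),
           ("load", "r1", "c"), ("halt",)],
    "T3": [("store", "r0", "z"), ("load", "r1", "z"), ("halt",)],
}

if __name__ == "__main__":
    print(sorted(globalvar(SAMPLE)))
    print(classify(SAMPLE))
```

Only `x` is global here: it is written by T1 and read by T2. `c` is read but never written (a constant), `d` is written but never read (trash), and `y` and `z` are touched by a single thread each.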

**Lemma 6.4 (Soundness of EXELOADTHRD):**

Given a configuration \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \), \( \{ T \in \text{Thrd}^{\tilde{c}}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{GLOBALVAR}(\text{Thrd}) : \text{STM}(T, pc_T) = [\text{load}\ r\ \text{from}\ x]^{pc_T} \} \subseteq \text{EXELOADTHRD}(\tilde{c}) \), where \( \text{Thrd}^{\tilde{c}}_{\text{exe}} \) is defined as in Table 5.6.

**Proof.** Assume that \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) and that \( \text{Thrd}^{\tilde{c}}_{\text{exe}} \) is defined as in Table 5.6. The proof follows directly from the fact that \( \text{Thrd}^{\tilde{c}}_{\text{exe}} \subseteq \text{EXETHRD}(\tilde{c}) \) (Lemma 6.2).
**Lemma 6.5 (Soundness of ISDEADLOCK):**

Given a configuration \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \), such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \), \( \text{ISDEADLOCK}(\tilde{c}) \Rightarrow \forall c \in \gamma_{\text{conf}}(\tilde{c}) : \neg \exists c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T}) \), where \( c \) and \( c' \) are valid concrete configurations (c.f., Definition 4.4); i.e., if \( \text{ISDEADLOCK}(\tilde{c}) \), then \( \tilde{c} \) does not represent any concrete configuration that can possibly reach a final state.

**Proof.** Assume that \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) is such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \) (note that this assumption fulfills \( \neg\text{ISFINAL}(\tilde{c}) \)). Since

6.1 Abstract Execution 145

**Lemma 6.6 (Soundness of ISTIMEOUT):**

Given a configuration \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) and a timeout, \( \tilde{t}_{to} \in \text{Time} \), such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \) and \( \neg\text{ISDEADLOCK}(\tilde{c}) \), \( \text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \Rightarrow \forall c \in \gamma_{\text{conf}}(\tilde{c}) : \neg \exists c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land \forall T \in \text{Thrd} : (\text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \land t'_T \leq \max(\gamma(\tilde{t}_{to})))) \), where \( c \) and \( c' \) are valid concrete configurations (c.f., Definition 4.4); i.e., if \( \text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \), then \( \tilde{c} \) does not represent any concrete configuration that can possibly reach a final state before the given timeout (i.e., before \( \max(\gamma(\tilde{t}_{to})) \)).

**Proof.** Assume that \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) and \( \tilde{t}_{to} \in \text{Time} \) are such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \), \( \neg\text{ISDEADLOCK}(\tilde{c}) \) and \( \text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \).

Since \( \text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \), it must be that every thread \( T \in \text{Thrd}_{\tilde{c}} \) with \( \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \) either satisfies \( \max(\gamma(\tilde{t}_{to})) < \min(\gamma(\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T))) \) (i.e., \( T \) cannot complete its current statement at or before the timeout) or issues \( [\text{lock}\ lck]^{pc_T} \) for some \( lck \in \text{Lck} \) that is owned by a thread of the first kind, or by a thread that is itself waiting to acquire some lock (c.f., Algorithm 6.5). For the threads of the first kind it is easy to see that \( \neg \exists c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \land t'_T \leq \max(\gamma(\tilde{t}_{to}))) \) (c.f., Assumptions 4.1 and 5.50). Thus, for all other threads, \( T \in \text{Thrd}_{\tilde{c}} \), such that \( \exists lck \in \text{Lck} : \text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \) with \( lck \) owned as described, it must be that \( \neg \exists c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \land t'_T \leq \max(\gamma(\tilde{t}_{to}))) \), since the respective locks cannot possibly be released at any time, \( t \), such that \( t \leq \max(\gamma(\tilde{t}_{to})) \) (c.f., Assumptions 4.1 and 5.50).

This concludes the proof.

**Lemma 6.7 (Soundness of ISVALID):**

Given a configuration \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) and a timeout, \( \tilde{t}_{to} \in \text{Time} \), such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \), \( \neg\text{ISDEADLOCK}(\tilde{c}) \) and \( \neg\text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \), \( \neg\text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \Rightarrow \forall c \in \gamma_{\text{conf}}(\tilde{c}) : \neg \exists c' \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land c' \text{ is a valid concrete configuration}) \) (c.f., Definition 4.4); i.e., if \( \neg\text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \), then \( \tilde{c} \) neither represents, nor can lead to, any configuration that has a valid concrete counterpart.

**Proof.** Assume that \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_{\tilde{c}}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \) and \( \tilde{t}_{to} \in \text{Time} \) are such that \( \exists T \in \text{Thrd}_{\tilde{c}} : \text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \), \( \neg\text{ISDEADLOCK}(\tilde{c}) \), \( \neg\text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \) and \( \neg\text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \); i.e. (c.f., Algorithm 6.6), either

\[
\text{Thrd}_{\tilde{c}} = \text{Thrd} \land \text{CYCLE}(\text{Thrd}_{\text{lock}}, E),
\]

where

\[
\text{Thrd}_{\text{lock}} = \{T \in \text{Thrd}_{\tilde{c}} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\ lck) \notin \{\bot_{\text{Thrd}}, T\})\}
\]

and

\[
E = \{(T', T) \mid T, T' \in \text{Thrd}_{\text{lock}} \land \exists lck \in \text{Lck} : (\text{STM}(T, pc_T) = [\text{lock}\ lck]^{pc_T} \land \text{OWN}(\tilde{l}\ lck) = T')\},
\]

or

\[
\neg \forall lck \in \text{Lck} : \forall T \in \text{Thrd}_{\tilde{c}} : ((\text{OWN}(\tilde{l}\ lck) = T \land \text{STT}(\tilde{l}\ lck) = \text{unlocked}) \Rightarrow (\text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \land \text{DL}(\tilde{l}\ lck) \notin (\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T)))).
\]

This concludes the proof.
**Lemma 6.8 (Soundness of ABSEXE):**

Given the sets of valid configurations \( C \in \mathcal{P}(\text{Conf}) \) (c.f., Definition 4.4) and \( \tilde{C} \in \mathcal{P}(\text{Conf}) \), such that \( \forall c \in C : \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c}) \), the times \( t_{to} \in \text{Time} \) and \( \tilde{t}_{to} \in \text{Time} \), such that \( t_{to} = \max(\gamma(\tilde{t}_{to})) \), and \( (\tilde{C}', \tilde{C}'', \tilde{C}''') = \text{ABSEXE}(\tilde{C}, \tilde{t}_{to}) \), it must be that, for all \( c \in C \) and all \( c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} \) such that \( c \rightarrow \ldots \rightarrow c' \):

- if \( \forall T \in \text{Thrd} : (\text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \land t'_T \leq t_{to}) \) (i.e., \( c' \) is a final configuration reached at or before the timeout), then \( \tilde{C}' \neq \emptyset \),
- if \( \text{CYCLE}(\text{Thrd}'_{\text{lock}}, E') \lor \exists T \in \text{Thrd} : \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) \notin \{\bot_{\text{Thrd}}, T\} \land \text{STM}(\text{OWN}(l'\ lck), pc'_{\text{OWN}(l'\ lck)}) = [\text{halt}]^{pc'_{\text{OWN}(l'\ lck)}}) \) (i.e., \( c' \) is deadlocked), then \( \tilde{C}'' \neq \emptyset \), where \( \text{Thrd}'_{\text{lock}} = \{T \in \text{Thrd} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) \notin \{\bot_{\text{Thrd}}, T\})\} \) and \( E' = \{(T', T) \mid T, T' \in \text{Thrd}'_{\text{lock}} \land \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) = T')\} \), and
- if \( \forall T \in \text{Thrd} : (\text{STM}(T, pc'_T) \neq [\text{halt}]^{pc'_T} \Rightarrow t'_T > t_{to}) \) (i.e., every thread of \( c' \) that has not halted has executed beyond the timeout), then \( \tilde{C}''' \neq \emptyset \).

It is also the case that if \( \tilde{C}'' \cup \tilde{C}''' = \emptyset \), then all concrete configurations in \( C \) are guaranteed to, along all possible paths, reach a state in which all threads issue the halt-statement (i.e., reach the final state, or in other words, terminate). Furthermore (if \( \tilde{C}'' \cup \tilde{C}''' = \emptyset \)):

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} :
\]

\[
((c \rightarrow \ldots \rightarrow c' \land \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T})
\]

\[
\Rightarrow \exists \tilde{c}' @ \langle [T, \tilde{pc}'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}}, \tilde{x}', \tilde{l}' \rangle \in \tilde{C}' : \forall T \in \text{Thrd} : (pc'_T = \tilde{pc}'_T \land t'_T \in \gamma(\tilde{t}'_T)))
\]

**PROOF.** Assume that the sets of valid configurations \( C \in \mathcal{P}(\text{Conf}) \) and \( \tilde{C} \in \mathcal{P}(\text{Conf}) \) are such that \( \forall c \in C : \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c}) \) and \( \forall \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{x}, \tilde{l} \rangle \in \tilde{C} : \forall lck \in \text{Lck} : \min(\gamma_l(\tilde{l}\ lck)) = -\infty \), that the times \( t_{to} \in \text{Time} \) and \( \tilde{t}_{to} \in \text{Time} \) are such that \( t_{to} = \max(\gamma(\tilde{t}_{to})) \), and that \( (\tilde{C}', \tilde{C}'', \tilde{C}''') = \text{ABSEXE}(\tilde{C}, \tilde{t}_{to}) \).

This proof will partly be conducted using induction on the considered level of recursion, where level 0 is the base level (i.e., the level where for any considered \( \tilde{c} \), \( \text{Thrd}_{\tilde{c}} = \text{Thrd} \)) and level \( n \geq 0 \) is the bottom level (i.e., the level from which no more recursion occurs, which is also referred to as the maximum level of recursion), while assuming that all sequentially preceding load-statements in all threads for any considered configuration on any level of recursion have been safely approximated. Before beginning the induction part of the proof, first note that:

- The overall structure of the algorithm is of the work-list type; i.e., given an item (an abstract configuration in this case) that is extracted from a work-list, new items are generated, based on some rules, and are either added to the work-list (and will thus eventually be extracted themselves) or saved as output items if some condition is fulfilled. When the work-list is empty, the algorithm terminates.
- Since \( (\tilde{C}', \tilde{C}'', \tilde{C}''') = \text{ABSEXE}(\tilde{C}, \tilde{t}_{to}) \), it must be that the algorithm terminates for the considered input (i.e., \( \tilde{C} \) and \( \tilde{t}_{to} \)).
- The structure of the algorithm is such that, for any \( \tilde{c} \in \text{Conf} \) and \( \tilde{t}_{to} \in \text{Time} \), \( \text{ISDEADLOCK}(\tilde{c}) \) is only issued when \( \neg\text{ISFINAL}(\tilde{c}) \), \( \text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \) is only issued when \( \neg\text{ISDEADLOCK}(\tilde{c}) \), and \( \text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \) is only issued when \( \neg\text{ISTIMEOUT}(\tilde{c}, \tilde{t}_{to}) \). This means that the requirements of Algorithms 6.4, 6.5 and 6.6 are fulfilled.
- The timing behaviors of the threads included on any recursion level are safely given by ABSTIME (Assumption 5.50).
The maximum level (i.e., depth) of any recursion pattern is $|\text{Thrd}| - 1$ since $|\text{EXETHRD}(\tilde{c})| > 1$ for recursion to occur and $|\text{Thrd}| \geq |\text{EXETHRD}(\tilde{c})|$ for any $\tilde{c} \in \text{Conf}$ (c.f., Algorithm 6.10). Since $|\text{Thrd}| < \infty$, it must thus be that $0 \leq n \leq |\text{Thrd}| - 1 < \infty$. But then, since the recursion depth is of a finite size, it must be that the recursion eventually stops for any considered case.

When the considered level of recursion, $i$, is greater than 0, it is easy to see that $\text{Thrd}_i \subseteq \text{Thrd}$, where $\text{Thrd}_i$ is the set of threads included in any configuration on recursion level $i$ for the considered recursion pattern. Note that $\text{Thrd}_0 = \text{Thrd}$.

The timeout, $\tilde{t}_i$, for recursion level $i > 0$ is such that $\max(\gamma(\tilde{t}_i)) \leq \max(\gamma(\tilde{t}_{i-1}))$ since $\tilde{t}_i = \tilde{t}_{i-1} \sqcap ((\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T)) \sqcup \alpha(\{-\infty\}))$, where $T \in \text{Thrd}_{\tilde{c}}$ is the thread that will be removed from the configurations on recursion level $i$. This means that the timeout cannot be shifted into the future when recursion occurs.

Figure 6.1 illustrates a case where $n = 4$, $\tilde{t}_0$ is the timeout at the base level (i.e., recursion level 0) and for all $i \in \{1, 2, 3, 4\}$, $\tilde{t}_i$ is the timeout at recursion level $i$, $T_{i-1}$ is the thread not included in configurations at recursion level $i - 1$ and $\tilde{t}'_{i-1} = \tilde{t}_{T_{i-1}} +_t \text{ABSTIME}(\tilde{c}^{i-1}, T_{i-1})$.

Assume that a thread, $T \in \text{Thrd}$, issues a load-statement at some recursion level $i - 2$, where $i \geq 2$, and has been removed from all configurations at recursion level $i - 1$ and beyond, and that no events occurring after $\tilde{t}_{i-1}$ can affect the loaded value. If some other thread, $T' \in \text{Thrd}$, issues a possibly unsafe load-statement at recursion level $i - 1$, then a new recursion level, $i$, will be created to determine a safe write history before the load in $T'$ is evaluated. Then it is easy to see that any event occurring after $\tilde{t}_{i-1}$ cannot affect the value loaded by $T'$. But then it is easy to see that the value loaded by $T$ at recursion level $i - 2$ cannot be affected by any event occurring after $\tilde{t}_{i-1}$ for the considered recursion instance at level $i$. Thus, for all recursion levels $i \in \{1, \ldots, n\}$, the timeout for recursion level $i$, as determined by the algorithm, is safe since the accumulated time for a thread cannot decrease (c.f., Assumption 5.50).

The structure of the algorithm (i.e., on a recursion level, one new recursion-instance is created for each thread that is executing a possibly unsafe load-statement) gives that all possible cases, for in which order load-statements in different threads can be issued, are considered.
[Figure 6.1: recursion levels 0 to 4 (axis "Recursion level") with the timeouts \( \tilde{t}_0, \tilde{t}_1, \tilde{t}_2, \tilde{t}_3, \tilde{t}_4 \).]

Figure 6.1: Illustration of how the timeout, \( \tilde{t}_{to} \), for a new level of recursion in ABSEXE is determined.

Assume that, given some configuration, \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_i}, \tilde{x}, \tilde{l} \rangle \), and timeout, \( \tilde{t}_{to} \), on recursion level \( i \), where \( 0 \leq i < n \), some thread, \( T_i \in \text{Thrd}_i \), issues a possibly unsafe load-statement (which means that a deeper recursion level, \( i + 1 \), will exist) that cannot be affected by any event occurring after \( \tilde{t}_{to} \). Further assume that the local thread states (i.e., program counters, register values and accumulated execution times) and write history for all variables as given by \( \tilde{c} \) safely approximate the possible concrete thread states and variable values given the considered program point and the corresponding concrete transition sequences (if any), and that all load-statements on recursion levels \( i + 1 \) to \( n \) are safely approximated. This comprises the induction assumption.

Since the local thread states and write history for all variables as given by \( \tilde{c} \) safely approximate the possible concrete thread states and variable values given by the configuration at the end of the corresponding concrete transition sequences, and all load-statements on recursion levels \( i + 1 \) to \( n \) are safely approximated, it must be that all \( \tilde{c}' \in \text{Conf} \), such that \( \tilde{c} \xrightarrow{prg} \ldots \xrightarrow{prg} \tilde{c}' \), safely approximate the possible concrete thread states and variable values given the considered program point and the corresponding concrete transition sequences, since \( \xrightarrow{prg} \) is used to approximate the execution of all statements except load-statements that are possibly unsafe (c.f., Lemmas 5.55, 5.56 and 5.57). Thus, it must be that \( \langle \tilde{C}'_{i+1}, \tilde{C}''_{i+1}, \tilde{C}'''_{i+1} \rangle = \text{ABSEXE}(\{\langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}_i \setminus \{T_i\}}, \tilde{x}, \tilde{l} \rangle\}, \tilde{t}_{to} \sqcap ((\tilde{t}_{T_i} +_t \text{ABSTIME}(\tilde{c}, T_i)) \sqcup \alpha(\{-\infty\}))) \) is such that \( \bigcup \{\text{READ}(\tilde{x}', x, T_i, \tilde{t}_{T_i} +_t \text{ABSTIME}(\tilde{c}, T_i)) \mid \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{i+1}}, \tilde{x}', \tilde{l}' \rangle \in \tilde{C}'_{i+1} \cup \tilde{C}''_{i+1} \cup \tilde{C}'''_{i+1}\} \) safely approximates all possible concrete values that could be read by the load-statement in \( T_i \) for the corresponding concrete transition sequence, since (considering the ABSEXE instance mentioned above, corresponding to recursion level \( i + 1 \))

1. \( \{\tilde{c}'' \in \text{Conf} \mid \tilde{c}' \xrightarrow{prg} \tilde{c}''\} \) safely collects all transition possibilities for any given configuration, \( \tilde{c}' \in \text{Conf} \), or rather, thread, for which no possibly unsafe load-statements are approximated by the transition (c.f., Lemmas 5.55, 5.56 and 5.57),

2. TRIM is not used to remove old writes from the write history since \( i + 1 > 0 \) (c.f., Table 5.6),

3. (note that \( \text{Thrd}_{i+1} \subset \text{Thrd} \)) for any \( \tilde{c}' \in \text{Conf} \) such that \( \text{Thrd}_{\tilde{c}'} \subset \text{Thrd} \), \( \neg\text{ISDEADLOCK}(\tilde{c}') \); i.e., even if a deadlock exists in \( \tilde{c}' \), it is further evaluated just in case there are threads that are not part of the deadlock and thus could affect the value of the variable which is read on the lower recursion level (c.f., Algorithm 6.4),

4. for any \( \tilde{c}' \in \text{Conf} \) and \( \tilde{t} \in \text{Time} \), \( \text{ISTIMEOUT}(\tilde{c}', \tilde{t}) \Rightarrow \forall c \in \gamma_{\text{conf}}(\tilde{c}') : \neg \exists c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} : (c \rightarrow \ldots \rightarrow c' \land \forall T \in \text{Thrd} : (\text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \land t'_T \leq \max(\gamma(\tilde{t})))) \), where \( c \) and \( c' \) are valid concrete configurations (c.f., Definition 4.4); i.e., if \( \text{ISTIMEOUT}(\tilde{c}', \tilde{t}) \), then \( \tilde{c}' \) does not represent any concrete configuration that can possibly reach a final state before the given timeout (Lemma 6.6), or in other words, no thread in \( \tilde{c}' \) can affect the system state so that the effects are visible at or before \( \tilde{t} \) (c.f., Algorithm 6.5 and Assumption 5.50),

5. (note that \( \text{Thrd}_{i+1} \subset \text{Thrd} \)) for any \( \tilde{c}' @ \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{\tilde{c}'}}, \tilde{x}', \tilde{l}' \rangle \in \text{Conf} \) such that \( \text{Thrd}_{\tilde{c}'} \subset \text{Thrd} \), \( \neg\text{ISVALID}(\tilde{c}', \tilde{t}) \Rightarrow \neg \forall lck \in \text{Lck} : \forall T \in \text{Thrd}_{\tilde{c}'} : ((\text{OWN}(\tilde{l}'\ lck) = T \land \text{STT}(\tilde{l}'\ lck) = \text{unlocked}) \Rightarrow (\text{STM}(T, pc'_T) \neq [\text{halt}]^{pc'_T} \land \text{DL}(\tilde{l}'\ lck) \notin (\tilde{t}'_T +_t \text{ABSTIME}(\tilde{c}', T)))) \), which follows directly from Algorithm 6.6 and means that there is no possibility that \( \tilde{c}' \) has any (or could lead to a configuration that has a) valid concrete counterpart (c.f., Definition 4.4 and the proof of Lemma 6.7).

It is important to notice that \( \text{ISTIMEOUT} \) captures all configurations such that all threads have either executed beyond the timeout or are waiting to acquire a lock that is currently owned by a thread that has executed beyond the timeout or is also waiting to acquire some lock (c.f., Algorithm 6.5), which means that the first mentioned thread cannot possibly acquire the lock before the timeout has passed (c.f., Tables 5.5 and 5.6 and Assumption 5.50). This means that \( \text{ISTIMEOUT} \) captures all deadlocked configurations, since \( \text{ISDEADLOCK} \) does not capture any configuration at all when the considered recursion level is greater than 0 (c.f., Algorithm 6.4), and also all configurations allowed by \( \text{ISVALID} \), although they lack valid concrete counterparts (c.f., Algorithm 6.6).

Since \( \tilde{t}'_{T_i} = \tilde{t}_{T_i} +_t \text{ABSTIME}(\tilde{c}, T_i) \), \( pc'_{T_i} = pc_{T_i} + 1 \) and \( \tilde{r}'_{T_i} = \tilde{r}_{T_i}[r \mapsto \bigcup \{\text{READ}(\tilde{x}', x, T_i, \tilde{t}_{T_i} +_t \text{ABSTIME}(\tilde{c}, T_i)) \mid \langle [T, pc'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}_{i+1}}, \tilde{x}', \tilde{l}' \rangle \in \tilde{C}'_{i+1} \cup \tilde{C}''_{i+1} \cup \tilde{C}'''_{i+1}\}] \) (given the induction assumption above), it must thus be that the load-statement in thread \( T_i \) on recursion level \( i \) is safely approximated and that the new configuration, which is added to the work-list on line 28, therefore safely approximates the local thread states (i.e., program counters, register values and accumulated execution times) for all threads and the write history for all variables as given by the possible concrete thread states and variable values in the considered program point and the corresponding concrete transition sequences (if any). But this means that all possibly unsafe load-statements on recursion level \( i \) are safely approximated.

Now consider recursion level \( n \) (i.e., the level from which no more recursion will occur for a given recursion pattern, which is the base case for the induction part of the proof) for the first ever occurring recursion pattern for a given transition sequence, such that no potentially unsafe load-statement has yet been approximated. Since no potentially unsafe load-statement has yet been approximated and \( \forall c \in C : \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c}) \), it must be that any concrete state for all threads individually, and the write history for each variable, must be safely approximated up until the considered point of the considered transition sequence (since \( \xrightarrow{prg} \) has been safely used for all transitions and \( \{\tilde{c}' \in \text{Conf} \mid \tilde{c} \xrightarrow{prg} \tilde{c}'\} \) collects all abstract transition possibilities for any given configuration, \( \tilde{c} \in \text{Conf} \), or rather, thread; c.f., Lemmas 5.55, 5.56 and 5.57). Since no more (i.e., deeper) recursion will occur, it must be that for any considered configuration, \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \), at level \( n \), \( |\text{EXETHRD}(\tilde{c})| \leq 1 \) or \( \text{EXELOADTHRD}(\tilde{c}) = \emptyset \). But since for any given configuration \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \), \( \text{Thrd}^{\tilde{c}}_{\text{exe}} \subseteq \text{EXETHRD}(\tilde{c}) \) (Lemma 6.2) and \( \{T \in \text{Thrd}^{\tilde{c}}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{GLOBALVAR}(\text{Thrd}) : \text{STM}(T, pc_T) = [\text{load}\ r\ \text{from}\ x]^{pc_T}\} \subseteq \text{EXELOADTHRD}(\tilde{c}) \) (Lemma 6.4), where \( \text{Thrd}^{\tilde{c}}_{\text{exe}} \) is as defined in Table 5.6, it must thus be that \( |\text{Thrd}^{\tilde{c}}_{\text{exe}}| \leq 1 \vee \{T \in \text{Thrd}^{\tilde{c}}_{\text{exe}} \mid \exists r \in \text{Reg}_T : \exists x \in \text{GLOBALVAR}(\text{Thrd}) : \text{STM}(T, pc_T) = [\text{load}\ r\ \text{from}\ x]^{pc_T}\} = \emptyset \). It must also be that, eventually, a configuration, \( \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{x}, \tilde{l} \rangle \in \text{Conf} \), for which either \( \forall T \in \text{Thrd} : \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \) or \( \forall T \in \text{Thrd} : (\text{STM}(T, pc_T) \neq [\text{halt}]^{pc_T} \Rightarrow \max(\gamma(\tilde{t}_{to})) < \min(\gamma(\tilde{t}_T +_t \text{ABSTIME}(\tilde{c}, T)))) \) is derived along the corresponding (over-approximating) abstract trace of transitions.

If \( \forall T \in \text{Thrd} : \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \), then it is easy to see that \( \text{ISFINAL}(\tilde{c}) \) (c.f., Algorithm 6.3), which means that \( \tilde{c} \in \tilde{C}' \). Thus, it must be that \( \exists \tilde{c}' @ \langle [T, \tilde{pc}'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}}, \tilde{x}', \tilde{l}' \rangle \in \tilde{C}' : \forall T \in \text{Thrd} : (pc_T = \tilde{pc}'_T \land t_T \in \gamma(\tilde{t}'_T)) \)
2. Assume that \( c \rightarrow \ldots \rightarrow c' \land (\text{CYCLE}(\text{Thrd}'_{\text{lock}}, E') \lor \exists T \in \text{Thrd} : \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) \notin \{\bot_{\text{Thrd}}, T\} \land \text{STM}(\text{OWN}(l'\ lck), pc'_{\text{OWN}(l'\ lck)}) = [\text{halt}]^{pc'_{\text{OWN}(l'\ lck)}})) \), where \( \text{Thrd}'_{\text{lock}} = \{T \in \text{Thrd} \mid \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) \notin \{\bot_{\text{Thrd}}, T\})\} \) and \( E' = \{(T', T) \mid T, T' \in \text{Thrd}'_{\text{lock}} \land \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock}\ lck]^{pc'_T} \land \text{OWN}(l'\ lck) = T')\} \). Note that since all possible concrete transition sequences for each thread individually are safely approximated up until the timeout point and a deadlocked configuration is reached in the concrete case, there must be an abstract trace of transitions such that all configurations, \( \tilde{c} \in \text{Conf} \), on that trace are such that \( \neg\text{ISFINAL}(\tilde{c}) \) (c.f., Algorithm 6.3) and \( \text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \) (c.f., Algorithm 6.6 and Lemma 6.7). It must also be the case that, eventually, a configuration, \( \tilde{c}' @ \langle [T, \tilde{pc}'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}}, \tilde{x}', \tilde{l}' \rangle \in \text{Conf} \), will be derived (along the corresponding, over-approximating abstract trace of transitions) for which either \( \text{CYCLE}(\text{Thrd}_{\text{lock}}, E) \lor \exists T \in \text{Thrd} : \exists lck \in \text{Lck} : (\text{STM}(T, \tilde{pc}'_T) = [\text{lock}\ lck]^{\tilde{pc}'_T} \land \text{OWN}(\tilde{l}'\ lck) \notin \{\bot_{\text{Thrd}}, T\} \land \text{STM}(\text{OWN}(\tilde{l}'\ lck), \tilde{pc}'_{\text{OWN}(\tilde{l}'\ lck)}) = [\text{halt}]^{\tilde{pc}'_{\text{OWN}(\tilde{l}'\ lck)}}) \), where \( \text{Thrd}_{\text{lock}} \) and \( E \) are defined as \( \text{Thrd}'_{\text{lock}} \) and \( E' \) above but over \( \tilde{c}' \), or \( \forall T \in \text{Thrd} : (\text{STM}(T, \tilde{pc}'_T) \neq [\text{halt}]^{\tilde{pc}'_T} \Rightarrow \max(\gamma(\tilde{t}_{to})) < \min(\gamma(\tilde{t}'_T +_t \text{ABSTIME}(\tilde{c}', T)))) \).

If the former holds, then it is easy to see that \( \neg\text{ISFINAL}(\tilde{c}') \) and \( \text{ISDEADLOCK}(\tilde{c}') \) (c.f., Algorithm 6.4 and Lemma 6.5), which means that \( \tilde{C}'' \neq \emptyset \).

If the latter holds, then it is easy to see that \( \neg\text{ISFINAL}(\tilde{c}') \), \( \neg\text{ISDEADLOCK}(\tilde{c}') \) and \( \text{ISTIMEOUT}(\tilde{c}', \tilde{t}_{to}) \) (c.f., Algorithm 6.5 and Lemma 6.6), which means that \( \tilde{C}''' \neq \emptyset \).

If the program terminates in the concrete case, but only after the timeout point, then it is easy to see that \( \neg\text{ISFINAL}(\tilde{c}') \), \( \neg\text{ISDEADLOCK}(\tilde{c}') \) (since the program terminates in the concrete case) and \( \text{ISTIMEOUT}(\tilde{c}', \tilde{t}_{to}) \) (c.f., Algorithms 6.3 and 6.5), which means that \( \tilde{c}' \in \tilde{C}''' \). Thus, it must be that \( \tilde{C}''' \neq \emptyset \).

To prove the last part of the lemma, assume that \( \tilde{C}'' \cup \tilde{C}''' = \emptyset \). Since \( \forall \tilde{c} @ \langle [T, pc_T, \tilde{r}_T, \tilde{t}_T]_{T \in \text{Thrd}}, \tilde{x}, \tilde{l} \rangle \in \tilde{C}' : \forall T \in \text{Thrd} : \text{STM}(T, pc_T) = [\text{halt}]^{pc_T} \) (c.f., Algorithm 6.3) and \( \neg\text{ISVALID}(\tilde{c}, \tilde{t}_{to}) \) only if \( \tilde{c} \) can never lead to a configuration that might have a valid concrete counterpart (Lemma 6.7), it is easy to see that all concrete executions of the configurations in \( C \) will terminate since all possible concrete transition sequences are safely approximated. Further assume that \( c \in C \) and \( c' @ \langle [T, pc'_T, r'_T, t'_T]_{T \in \text{Thrd}}, x', l' \rangle \in \text{Conf} \) are such that \( c \rightarrow \ldots \rightarrow c' \land \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T} \). Since \( \tilde{C}'' \cup \tilde{C}''' = \emptyset \) and \( \forall c \in C : \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c}) \), it is easy to see that \( \exists \tilde{c}' @ \langle [T, \tilde{pc}'_T, \tilde{r}'_T, \tilde{t}'_T]_{T \in \text{Thrd}}, \tilde{x}', \tilde{l}' \rangle \in \tilde{C}' : \forall T \in \text{Thrd} : (pc'_T = \tilde{pc}'_T \land t'_T \in \gamma(\tilde{t}'_T)) \) since all possible concrete transition sequences are safely approximated.

This concludes the proof.

---

**Note.** ABSEXE has not been proven to terminate for all inputs. However, when it does terminate, it safely approximates the transition sequences for the corresponding concrete input set.

One case for which ABSEXE will not terminate is when some thread could execute an infinite number of statements in zero time; c.f., an infinite loop in which all the statements of the loop could be executed without any progression of time.
6.2 Timing Analysis

The BCET and WCET (c.f., Definition 6.9) of a program, given an initial system state, are safely derived by ANALYSIS, which is defined in Algorithm 6.13 (Lemma 6.10), whenever it terminates.

Algorithm 6.13 BCET/WCET Analysis

1: function ANALYSIS($\tilde{C}, \tilde{t}_0$)  
2:   ($\tilde{C}^f, \tilde{C}^d, \tilde{C}^t$) ← ABSEXE($\tilde{C}, \tilde{t}_0$)  
3:   if $\tilde{C}^d \cup \tilde{C}^t \neq \emptyset$ then  
4:     return $(-\infty, \infty)$  
5:   end if  
6:   BCET ← $\infty$  
7:   WCET ← $-\infty$  
8:   while $\tilde{C}^f \neq \emptyset$ do  
9:     $\tilde{c}@\langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle$ ← CHOOSE($\tilde{C}^f$)  
10:    $\tilde{C}^f \leftarrow \tilde{C}^f \setminus \{\tilde{c}\}$  
11:    $\text{BCET}_{\tilde{c}} \leftarrow \max \{\min(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\}$  
12:    $\text{WCET}_{\tilde{c}} \leftarrow \max \{\max(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\}$  
13:    if BCET $> \text{BCET}_{\tilde{c}}$ then  
14:      BCET $\leftarrow \text{BCET}_{\tilde{c}}$  
15:    end if  
16:    if WCET $< \text{WCET}_{\tilde{c}}$ then  
17:      WCET $\leftarrow \text{WCET}_{\tilde{c}}$  
18:    end if  
19:  end while  
20:  return $(\text{BCET}, \text{WCET})$  
21: end function

Definition 6.9 (BCET and WCET):
The Best-Case Execution Time, BCET, and the Worst-Case Execution Time, WCET, of a given abstract configuration, \( \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \widetilde{\text{Conf}} \), are defined as:

\[
\begin{align*}
\text{BCET}_{\tilde{c}} &= \max\{\min(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\} \\
\text{WCET}_{\tilde{c}} &= \max\{\max(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\}
\end{align*}
\]

Lemma 6.10 (Soundness of ANALYSIS):
Given the sets of valid concrete configurations \(C \in \mathcal{P}(\text{Conf})\) (c.f., Definition 4.4) and abstract configurations \(\tilde{C} \in \mathcal{P}(\widetilde{\text{Conf}})\), such that

\[
\forall c @ \langle [T, pc_T, \mathfrak{r}_T, t_T]_{T \in \text{Thrd}_1}, \mathfrak{x}, \mathfrak{l} \rangle \in C : ((\forall \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}_2}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \tilde{C} : \text{Thrd}_1 = \text{Thrd}_2 = \text{Thrd}) \wedge \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c}))
\]

\[
\wedge\ |\text{Thrd}| < \infty \wedge \forall \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \tilde{C} : \forall lck \in \text{Lck} : \min(\gamma_t(\tilde{\mathfrak{l}}\ lck)) = -\infty,
\]

and the times \(t_0 \in \text{Time}\) and \(\tilde{t}_0 \in \widetilde{\text{Time}}\), such that \(t_0 = \max(\gamma_t(\tilde{t}_0))\), \((\text{BCET}, \text{WCET}) @ \text{ANALYSIS}(\tilde{C}, \tilde{t}_0)\) is such that

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} :
\]

\[
((c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \wedge \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T}) \Rightarrow \text{BCET} \leq \max\{t'_T \mid T \in \text{Thrd}\} \leq \text{WCET})
\]

\[
\wedge\ (c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \Rightarrow \forall T \in \text{Thrd} : t'_T \leq \text{WCET}),
\]

given that the algorithm terminates.

PROOF. Assume that the sets of valid concrete configurations \(C \in \mathcal{P}(\text{Conf})\) (c.f., Definition 4.4) and abstract configurations \(\tilde{C} \in \mathcal{P}(\widetilde{\text{Conf}})\) are such that \(\forall c @ \langle [T, pc_T, \mathfrak{r}_T, t_T]_{T \in \text{Thrd}_1}, \mathfrak{x}, \mathfrak{l} \rangle \in C : ((\forall \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}_2}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \tilde{C} : \text{Thrd}_1 = \text{Thrd}_2 = \text{Thrd}) \wedge \exists \tilde{c} \in \tilde{C} : c \in \gamma_{\text{conf}}(\tilde{c})) \wedge |\text{Thrd}| < \infty \wedge \forall \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \tilde{C} : \forall lck \in \text{Lck} : \min(\gamma_t(\tilde{\mathfrak{l}}\ lck)) = -\infty\), that the times \(t_0 \in \text{Time}\) and \(\tilde{t}_0 \in \widetilde{\text{Time}}\) are such that \(t_0 = \max(\gamma_t(\tilde{t}_0))\), and that \((\text{BCET}, \text{WCET}) = \text{ANALYSIS}(\tilde{C}, \tilde{t}_0)\).

Since \((\text{BCET}, \text{WCET}) = \text{ANALYSIS}(\tilde{C}, \tilde{t}_0)\), it must be that \((\tilde{C}^f, \tilde{C}^d, \tilde{C}^t) @ \text{ABSEXE}(\tilde{C}, \tilde{t}_0)\) terminates at some point and that

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} :
\]

\[
((c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \wedge \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T}) \Rightarrow
\]

\[
(\tilde{C}^t \neq \emptyset \vee \exists \tilde{c}' @ \langle [T, pc''_T, \tilde{\mathfrak{r}}'_T, \tilde{t}'^a_T, \tilde{t}'^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}', \tilde{\mathfrak{l}}' \rangle \in \tilde{C}^f : \forall T \in \text{Thrd} : (pc'_T = pc''_T \wedge t'_T \in \gamma_t(\tilde{t}'^a_T))))
\]

\[
\wedge\ \forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} :
\]

\[
((c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \wedge (\text{CYCLE}(\text{Thrd}'_{lock}, \mathfrak{l}') \vee \exists T \in \text{Thrd} : \exists lck \in \text{Lck} : (\text{STM}(T, pc'_T) = [\text{lock } lck]^{pc'_T} \wedge
\]

\[
\text{OWN}(\mathfrak{l}'\ lck) \notin \{\perp_{\text{thrd}}, T\} \wedge \text{STM}(\text{OWN}(\mathfrak{l}'\ lck), pc'_{\text{OWN}(\mathfrak{l}'\ lck)}) = [\text{halt}]^{pc'_{\text{OWN}(\mathfrak{l}'\ lck)}}))) \Rightarrow (\tilde{C}^d \neq \emptyset \vee \tilde{C}^t \neq \emptyset))
\]

(Lemma 6.8). It is thus apparent that if \(\tilde{C}^d \cup \tilde{C}^t \neq \emptyset\), there might exist an infinite transition sequence in the concrete case. However, it is easy to see that (as returned by the algorithm) \(-\infty\) is a safe approximation of the BCET and that \(\infty\) is a safe approximation of the WCET for all such (and all other) cases.

If \(\tilde{C}^d \cup \tilde{C}^t = \emptyset\), then all concrete transition sequences are of finite length and

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} :
\]

\[
((c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \wedge \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T}) \Rightarrow
\]

\[
\exists \tilde{c}' @ \langle [T, pc''_T, \tilde{\mathfrak{r}}'_T, \tilde{t}'^a_T, \tilde{t}'^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}', \tilde{\mathfrak{l}}' \rangle \in \tilde{C}^f : \forall T \in \text{Thrd} : (pc'_T = pc''_T \wedge t'_T \in \gamma_t(\tilde{t}'^a_T)))
\]

(Lemma 6.8). For such a \(\tilde{c}'\), \(\min(\gamma_t(\tilde{t}'^a_T)) \leq t'_T \leq \max(\gamma_t(\tilde{t}'^a_T))\) for every \(T \in \text{Thrd}\), and hence \(\text{BCET}_{\tilde{c}'} \leq \max\{t'_T \mid T \in \text{Thrd}\} \leq \text{WCET}_{\tilde{c}'}\) (c.f., Definition 6.9). Thus, since the structure of the algorithm trivially gives that the smallest estimation of the BCET, \(\text{BCET}_{\tilde{c}}\), and the largest estimation of the WCET, \(\text{WCET}_{\tilde{c}}\), among the derived final abstract configurations in \(\tilde{C}^f\) are found, it must be that

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} :
\]

\[
((c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \wedge \forall T \in \text{Thrd} : \text{STM}(T, pc'_T) = [\text{halt}]^{pc'_T}) \Rightarrow \text{BCET} \leq \max\{t'_T \mid T \in \text{Thrd}\} \leq \text{WCET})
\]

But, then it must also be that

\[
\forall c \in C : \forall c' @ \langle [T, pc'_T, \mathfrak{r}'_T, t'_T]_{T \in \text{Thrd}}, \mathfrak{x}', \mathfrak{l}' \rangle \in \text{Conf} : (c \xrightarrow{\text{prg}} \ldots \xrightarrow{\text{prg}} c' \Rightarrow \forall T \in \text{Thrd} : t'_T \leq \text{WCET})
\]

since time only moves forward (c.f., Assumption 5.50), which concludes the proof.
Chapter 7

Examples

To clarify and explain the analysis defined in Chapters 5 and 6, this chapter instantiates it for some example PPL programs.

7.1 Communication

This case shows the recursive behavior of ABSEXE; i.e., how it peeks into the future to derive safe write histories for unsafe load-statements.

For the program, \( \text{Thrd} = \{T_1, T_2, T_3\} \), defined in Table 7.1, it is easy to see that \( \text{Reg}_{T_1} = \{r\} \), \( \text{Reg}_{T_2} = \{r\} \), \( \text{Reg}_{T_3} = \{r\} \), \( \text{Var} = \{x, y, z\} \) and \( \text{Lck} = \emptyset \).

Note that \( r \) represents local memory within each thread; i.e., the register-name \( r \) can refer to three different memory locations – what location it refers to depends on which thread is considered.

\[
\begin{align*}
T_1 &: [\text{load } r \text{ from } x]^1; [\text{store } r \text{ to } y]^2; [\text{halt}]^3 \\
T_2 &: [\text{load } r \text{ from } y]^1; [\text{store } r \text{ to } z]^2; [\text{halt}]^3 \\
T_3 &: [\text{if } r \leq 3 \text{ goto } 4]^1; [\text{store } r \text{ to } x]^2; [\text{skip}]^3; [\text{halt}]^4
\end{align*}
\]

Table 7.1: Communicating threads – Program.

Assume that \( \text{ABSTIME}(\tilde{c}, T) \), where \( \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \widetilde{\text{Conf}} \) and \( T \in \text{Thrd} \), is such that for any \( \tilde{c} \), it assumes the values described by the below table.

<table>
<thead>
<tr>
<th>$pc_T$</th>
<th>$T_1$</th>
<th>$T_2$</th>
<th>$T_3$</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>[1,5]</td>
<td>[2,6]</td>
<td>[1,4]</td>
</tr>
<tr>
<td>2</td>
<td>[1,3]</td>
<td>[2,3]</td>
<td>[3,4]</td>
</tr>
<tr>
<td>3</td>
<td>-</td>
<td>-</td>
<td>[3,3]</td>
</tr>
</tbody>
</table>

Also assume that $\tilde{c}^0_0 @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle$ is as described in Table 7.2. (Due to the semantics of the program, the parts of the states that are left out from the table are of no interest for this case study.)

Tables 7.2 and 7.3 collect all the configurations derived by $\text{ABSEXE}(\{\tilde{c}^0_0\}, [-\infty, \infty])$ during the analysis described by $\text{ANALYSIS}(\{\tilde{c}^0_0\}, [-\infty, \infty])$. A ‘$-$’ indicates that the entry is not applicable to (i.e., not included in) the configuration. Figure 7.4 shows the order in which the configurations are derived; i.e., the relation between the derived configurations. In the figure, final configurations are circled and timed-out configurations are circled and marked with a ‘$t$’. To see how new recursive instances of $\text{ABSEXE}$ are created, note that when $\text{Thrd}_c = \{T_1, T_2, T_3\}$, then $\text{Var}_g = \{x, y\}$; when $\text{Thrd}_c = \{T_1, T_3\}$, then $\text{Var}_g = \{x\}$; and when $\text{Thrd}_c = \{T_2, T_3\}$, then $\text{Var}_g = \emptyset$.

It is apparent that $\text{ABSEXE}(\{\tilde{c}^0_0\}, [-\infty, \infty]) = (\{\tilde{c}^0_{11}, \tilde{c}^0_{23}\}, \emptyset, \emptyset)$; i.e., $\tilde{c}^0_{11}$ and $\tilde{c}^0_{23}$ are final-state configurations and there are no deadlocked or timed-out configurations. According to Algorithm 6.13, it is thus easy to see that the estimated timing bounds are:

\[
\begin{align*}
\text{BCET} &= \min(\{\max(\{\min(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\}) \mid \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \{\tilde{c}^0_{11}, \tilde{c}^0_{23}\}\}) = 4 \\
\text{WCET} &= \max(\{\max(\{\max(\gamma_t(\tilde{t}^a_T)) \mid T \in \text{Thrd}\}) \mid \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \{\tilde{c}^0_{11}, \tilde{c}^0_{23}\}\}) = 11
\end{align*}
\]
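To make Algorithm 6.13 and Definition 6.9 concrete, the following Python program is an added example (not code from the thesis or its prototype) that runs the ANALYSIS loop over the two final configurations named above, with the result of ABSEXE supplied by hand from the last rows of Table 7.3. The `AbsConfig` record, the `HALT_PC` table (the pc of each thread's halt-statement in Table 7.1) and the constructed non-final configuration `C_STUCK`, used to show the $(-\infty, \infty)$ fallback, are assumptions of the example.

```python
"""Added example, not code from the thesis: Algorithm 6.13 (ANALYSIS) and
Definition 6.9 run over the final abstract configurations of Table 7.3.
ABSEXE itself is not implemented; its result (C~^f, C~^d, C~^t) is supplied."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Interval = Tuple[float, float]          # gamma_t of an abstract time: [lo, hi]
NEG_INF, INF = float("-inf"), float("inf")

# pc of the halt-statement of each thread in Table 7.1 (assumption of the example)
HALT_PC = {"T1": 3, "T2": 3, "T3": 4}


@dataclass
class AbsConfig:
    """The parts of c~ that ANALYSIS reads: pc_T and t~^a_T for every T in Thrd."""
    name: str
    pc: Dict[str, int]
    acc_time: Dict[str, Interval]


def is_final(c: AbsConfig) -> bool:
    """ISFINAL: every thread stands at its halt-statement."""
    return all(c.pc[t] == HALT_PC[t] for t in c.pc)


def bcet_of(c: AbsConfig) -> float:
    """Definition 6.9: the last thread to halt cannot finish before the max of the lower bounds."""
    return max(lo for lo, _ in c.acc_time.values())


def wcet_of(c: AbsConfig) -> float:
    """Definition 6.9: the last thread to halt finishes no later than the max of the upper bounds."""
    return max(hi for _, hi in c.acc_time.values())


def analysis(final: List[AbsConfig], deadlocked: List[AbsConfig],
             timed_out: List[AbsConfig]) -> Tuple[float, float]:
    """Algorithm 6.13 with (C~^f, C~^d, C~^t) = ABSEXE(C~, t~_0) already given."""
    if deadlocked or timed_out:            # lines 3-5: no finite bound is safe
        return (NEG_INF, INF)
    bcet, wcet = INF, NEG_INF              # lines 6-7
    for c in final:                        # lines 8-19: CHOOSE until C~^f is empty
        if not is_final(c):
            raise ValueError(f"{c.name} is not a final configuration")
        bcet = min(bcet, bcet_of(c))       # lines 13-15
        wcet = max(wcet, wcet_of(c))       # lines 16-18
    return (bcet, wcet)                    # line 20


# Final configurations c~^0_11 and c~^0_23 of Section 7.1: pc_T and t~^a_T per thread.
C0_11 = AbsConfig("c~^0_11", {"T1": 3, "T2": 3, "T3": 4},
                  {"T1": (2, 8), "T2": (4, 9), "T3": (1, 4)})
C0_23 = AbsConfig("c~^0_23", {"T1": 3, "T2": 3, "T3": 4},
                  {"T1": (2, 8), "T2": (4, 9), "T3": (7, 11)})

# Constructed non-final configuration (T3 still at pc 2) used only to show the fallback.
C_STUCK = AbsConfig("stuck", {"T1": 3, "T2": 3, "T3": 2},
                    {"T1": (2, 8), "T2": (4, 9), "T3": (4, 8)})

if __name__ == "__main__":
    print(analysis([C0_11, C0_23], [], []))   # (4, 11), as derived in Section 7.1
    print(analysis([C0_11], [C_STUCK], []))   # (-inf, inf): a deadlocked configuration exists
```

Note that `bcet_of` takes the maximum over threads even for the best case: a program has not finished until its last thread halts, which is why the BCET of $\tilde{c}^0_{11}$ is 4 (from $T_2$) and not 1 (from $T_3$).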
<table>
<thead>
<tr>
<th>$\varepsilon$</th>
<th>$pc_{T_1}$</th>
<th>$pc_{T_2}$</th>
<th>$pc_{T_3}$</th>
<th>$\hat{x}_{T_1}$</th>
<th>$\hat{x}_{T_2}$</th>
<th>$\hat{y}_{T_1}$</th>
<th>$\hat{y}_{T_2}$</th>
<th>$(\hat{x} \times)_{T_3}$</th>
<th>$(\hat{x} \cdot y)_{T_1}$</th>
<th>$(\hat{x} \cdot z)_{T_2}$</th>
</tr>
</thead>
<tbody>
<tr>
<td>$c_{0}^{0}$</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>[2, 4]</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
</tr>
<tr>
<td>$c_{0}^{1}$</td>
<td>1</td>
<td>1</td>
<td>1</td>
<td>[0, 0]</td>
<td>[2, 4]</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
</tr>
<tr>
<td>$c_{1}^{1}$</td>
<td>2</td>
<td>4</td>
<td>[5, 5]</td>
<td>[2, 3]</td>
<td>[2, 6]</td>
<td>[1, 4]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
<td>{($\tilde{\cdot}$) val, $\tilde{\cdot}$}</td>
<td></td>
</tr>
<tr>
<td>$c_{1}^{2}$</td>
<td>3</td>
<td>4</td>
<td>[5, 5]</td>
<td>[2, 3]</td>
<td>[2, 6]</td>
<td>[1, 4]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
<td>{($\tilde{\cdot}$) val, $\tilde{\cdot}$}</td>
<td></td>
</tr>
<tr>
<td>$c_{2}^{2}$</td>
<td>4</td>
<td>3</td>
<td>[5, 5]</td>
<td>[4, 4]</td>
<td>[2, 6]</td>
<td>[1, 4]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
<td>{($\tilde{\cdot}$) val, $\tilde{\cdot}$}</td>
<td></td>
</tr>
<tr>
<td>$c_{2}^{3}$</td>
<td>4</td>
<td>3</td>
<td>[5, 5]</td>
<td>[4, 4]</td>
<td>[2, 6]</td>
<td>[1, 4]</td>
<td>([1, 1], [0, 0])</td>
<td>([5, 5], [0, 0])</td>
<td>{($\tilde{\cdot}$) val, $\tilde{\cdot}$}</td>
<td></td>
</tr>
</tbody>
</table>

Table 7.2: Communicating threads – Configurations (First half).
<table>
<thead>
<tr>
<th>$\tilde{c}$</th>
<th>$pc_{T_1}$</th>
<th>$pc_{T_2}$</th>
<th>$pc_{T_3}$</th>
<th>$\tilde{\mathfrak{r}}_{T_1}\ r$</th>
<th>$\tilde{\mathfrak{r}}_{T_2}\ r$</th>
<th>$\tilde{\mathfrak{r}}_{T_3}\ r$</th>
<th>$\tilde{t}^a_{T_1}$</th>
<th>$\tilde{t}^a_{T_2}$</th>
<th>$\tilde{t}^a_{T_3}$</th>
<th>$(\tilde{\mathfrak{x}}\ x)\ T_3$</th>
<th>$(\tilde{\mathfrak{x}}\ y)\ T_1$</th>
<th>$(\tilde{\mathfrak{x}}\ z)\ T_2$</th>
</tr>
</thead>
<tbody>
<tr>
<td>$\tilde{c}_{12}$</td>
<td>2</td>
<td>–</td>
<td>1</td>
<td>[1, 4]</td>
<td>–</td>
<td>[2, 4]</td>
<td>[1, 5]</td>
<td>–</td>
<td>[0, 0]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$)}</td>
</tr>
<tr>
<td>$\tilde{c}_{11}$</td>
<td>3</td>
<td>–</td>
<td>4</td>
<td>[1, 4]</td>
<td>–</td>
<td>[2, 3]</td>
<td>[2, 8]</td>
<td>–</td>
<td>[1, 4]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$)}</td>
</tr>
<tr>
<td>$\tilde{c}_{21}$</td>
<td>3</td>
<td>–</td>
<td>2</td>
<td>[1, 4]</td>
<td>–</td>
<td>[4, 4]</td>
<td>[2, 8]</td>
<td>–</td>
<td>[1, 4]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$)}</td>
</tr>
<tr>
<td>$\tilde{c}_{22}$</td>
<td>3</td>
<td>–</td>
<td>3</td>
<td>[1, 4]</td>
<td>–</td>
<td>[4, 4]</td>
<td>[2, 8]</td>
<td>–</td>
<td>[4, 8]</td>
<td>{([1, 1], [0, 0]), ([4, 4], [4, 8])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$)}</td>
</tr>
<tr>
<td>$\tilde{c}_{0}$</td>
<td>2</td>
<td>2</td>
<td>1</td>
<td>[1, 4]</td>
<td>[1, 5]</td>
<td>[2, 4]</td>
<td>[1, 5]</td>
<td>[2, 6]</td>
<td>[0, 0]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$)}</td>
</tr>
<tr>
<td>$\tilde{c}_{11}$</td>
<td>3</td>
<td>3</td>
<td>4</td>
<td>[1, 4]</td>
<td>[1, 5]</td>
<td>[2, 3]</td>
<td>[2, 8]</td>
<td>[4, 9]</td>
<td>[1, 4]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$), ([1, 5], [4, 9])}</td>
</tr>
<tr>
<td>$\tilde{c}_{21}$</td>
<td>3</td>
<td>3</td>
<td>2</td>
<td>[1, 4]</td>
<td>[1, 5]</td>
<td>[4, 4]</td>
<td>[2, 8]</td>
<td>[4, 9]</td>
<td>[1, 4]</td>
<td>{([1, 1], [0, 0])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$), ([1, 5], [4, 9])}</td>
</tr>
<tr>
<td>$\tilde{c}_{22}$</td>
<td>3</td>
<td>3</td>
<td>3</td>
<td>[1, 4]</td>
<td>[1, 5]</td>
<td>[4, 4]</td>
<td>[2, 8]</td>
<td>[4, 9]</td>
<td>[4, 8]</td>
<td>{([1, 1], [0, 0]), ([4, 4], [4, 8])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$), ([1, 5], [4, 9])}</td>
</tr>
<tr>
<td>$\tilde{c}_{23}$</td>
<td>3</td>
<td>3</td>
<td>4</td>
<td>[1, 4]</td>
<td>[1, 5]</td>
<td>[4, 4]</td>
<td>[2, 8]</td>
<td>[4, 9]</td>
<td>[7, 11]</td>
<td>{([1, 1], [0, 0]), ([4, 4], [4, 8])}</td>
<td>{([5, 5], [0, 0]), ([1, 4], [2, 8])}</td>
<td>{($\perp_{\text{val}}$, $\perp_{t}$), ([1, 5], [4, 9])}</td>
</tr>
</tbody>
</table>

Table 7.3: Communicating threads – Configurations (Second half). The first four rows (with $pc_{T_2}$ = –) belong to the recursive instance with $\text{Thrd}_c = \{T_1, T_3\}$; the remaining rows belong to the top-level instance with $\text{Thrd}_c = \{T_1, T_2, T_3\}$.
Figure 7.4: Communicating threads – Configuration relations.
7.2 Synchronization – Deadlocks

This case shows how ABSEXE identifies deadlocked configurations and how it discontinues deadlocked configurations that lack concrete counterparts.

For the program, \( \text{Thrd} = \{T_1, T_2\} \), defined in Table 7.5, it is easy to see that \( \text{Reg}_{T_1} = \emptyset \), \( \text{Reg}_{T_2} = \emptyset \), \( \text{Var} = \emptyset \) and \( \text{Lck} = \{\text{la}, \text{lb}\} \). Assume that \( \text{ABSTIME}(\tilde{c}, T) \), where \( \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \widetilde{\text{Conf}} \) and \( T \in \text{Thrd} \), is such that for any \( \tilde{c} \), it assumes the values described by the below table.

<table>
<thead>
<tr>
<th>pc_T</th>
<th>T_1</th>
<th>T_2</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>[2, 2]</td>
<td>[1, 2]</td>
</tr>
<tr>
<td>2</td>
<td>[1, 2]</td>
<td>[1, 2]</td>
</tr>
<tr>
<td>3</td>
<td>[1, 1]</td>
<td>–</td>
</tr>
<tr>
<td>4</td>
<td>[1, 1]</td>
<td>–</td>
</tr>
</tbody>
</table>

Also assume that \( \tilde{c}_0 @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \) is as described in Table 7.6. (Due to the semantics of the program, the parts of the states that are left out from the table are of no interest for this case study.)

Table 7.6 collects all the configurations derived by \( \text{ABSEXE}(\{\tilde{c}_0\}, [-\infty, \infty]) \) during the analysis described by \( \text{ANALYSIS}(\{\tilde{c}_0\}, [-\infty, \infty]) \). Figure 7.7 shows the order in which the configurations are derived; i.e., the relation between the derived configurations. In the figure, final configurations are circled, deadlocked configurations are circled and marked with a ‘d’ and discontinued configurations are crossed out. Note that \( \tilde{c}_7 \) occurs since \( T_2 \) has been waiting to acquire \( \text{la} \) and is now assigned it, which means that \( T_2 \)'s accumulated execution time is advanced (from [1, 2] to [4, 12]) to simulate the spin-lock waiting of the concrete semantics (c.f., the discussion in the proof of Lemma 5.57).

It is apparent that \( \text{ABSEXE}(\{\tilde{c}_0\}, [-\infty, \infty]) = (\{\tilde{c}_{10}\}, \{\tilde{c}_{13}\}, \emptyset) \); i.e., \( \tilde{c}_{10} \) (both threads at their halt-statements) is a final-state configuration, \( \tilde{c}_{13} \) (\( T_1 \) waits for \( \text{la} \), which is held by the halted \( T_2 \)) is a deadlocked configuration, and there are no timed-out configurations.
<table>
<thead>
<tr>
<th>$\tilde{c}$</th>
<th>$pc_{T_1}$</th>
<th>$pc_{T_2}$</th>
<th>$\tilde{t}^a_{T_1}$</th>
<th>$\tilde{t}^a_{T_2}$</th>
<th>$\tilde{\mathfrak{l}}\ \text{la}$</th>
<th>$\tilde{\mathfrak{l}}\ \text{lb}$</th>
</tr>
</thead>
<tbody>
<tr>
<td>$\tilde{c}_0$</td>
<td>1</td>
<td>1</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_1$</td>
<td>2</td>
<td>1</td>
<td>[2, 2]</td>
<td>[0, 0]</td>
<td>(locked, $T_1$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_2$</td>
<td>2</td>
<td>1</td>
<td>[2, 2]</td>
<td>[0, 0]</td>
<td>(locked, $T_1$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(unlocked, $T_2$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_3$</td>
<td>3</td>
<td>1</td>
<td>[3, 4]</td>
<td>[0, 0]</td>
<td>(locked, $T_1$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(locked, $T_1$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_4$</td>
<td>4</td>
<td>1</td>
<td>[4, 5]</td>
<td>[0, 0]</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $[-\infty, 2]$, $T_1$, [4, 5])</td>
<td>(locked, $T_1$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_5$</td>
<td>5</td>
<td>1</td>
<td>[5, 6]</td>
<td>[0, 0]</td>
<td>(unlocked, $T_1$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $[-\infty, 4]$, $T_1$, [5, 6])</td>
</tr>
<tr>
<td>$\tilde{c}_6$</td>
<td>4</td>
<td>1</td>
<td>[4, 5]</td>
<td>[1, 2]</td>
<td>(unlocked, $T_2$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(locked, $T_1$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_7$</td>
<td>4</td>
<td>2</td>
<td>[4, 5]</td>
<td>[4, 12]</td>
<td>(locked, $T_2$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(locked, $T_1$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_8$</td>
<td>5</td>
<td>2</td>
<td>[5, 6]</td>
<td>[4, 12]</td>
<td>(locked, $T_2$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $[-\infty, 4]$, $T_1$, [5, 6])</td>
</tr>
<tr>
<td>$\tilde{c}_9$</td>
<td>5</td>
<td>2</td>
<td>[5, 6]</td>
<td>[4, 12]</td>
<td>(locked, $T_2$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $[-\infty, 4]$, $T_1$, [5, 6])</td>
</tr>
<tr>
<td>$\tilde{c}_{10}$</td>
<td>5</td>
<td>3</td>
<td>[5, 6]</td>
<td>[5, 18]</td>
<td>(locked, $T_2$, $[-\infty, 12]$, $T_1$, [4, 5])</td>
<td>(locked, $T_2$, $[-\infty, 18]$, $T_1$, [5, 6])</td>
</tr>
<tr>
<td>$\tilde{c}_{11}$</td>
<td>1</td>
<td>2</td>
<td>[0, 0]</td>
<td>[1, 2]</td>
<td>(locked, $T_2$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(unlocked, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_{12}$</td>
<td>1</td>
<td>2</td>
<td>[0, 0]</td>
<td>[1, 2]</td>
<td>(locked, $T_2$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(unlocked, $T_1$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
<tr>
<td>$\tilde{c}_{13}$</td>
<td>1</td>
<td>3</td>
<td>[0, 0]</td>
<td>[2, 4]</td>
<td>(locked, $T_2$, $[-\infty, 2]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
<td>(locked, $T_2$, $[-\infty, 4]$, $\perp_{\text{thrd}}$, $\perp_{\text{thrd}}$)</td>
</tr>
</tbody>
</table>

Table 7.6: Synchronization (Deadlock) – Configurations.
According to Algorithm 6.13, it is thus easy to see that the estimated timing bounds are:

\[
\begin{align*}
\text{BCET} &= -\infty \\
\text{WCET} &= \infty
\end{align*}
\]
7.3 Synchronization – Deadline Miss

This case illustrates how the analysis discontinues configurations for which an assigned lock owner cannot acquire the lock in time. It also illustrates how the analysis detects deadlocks.

For the program, \( \text{Thrd} = \{ T_1, T_2 \} \), defined in Table 7.8, it is easy to see that \( \text{Reg}_{T_1} = \emptyset \), \( \text{Reg}_{T_2} = \emptyset \), \( \text{Var} = \emptyset \) and \( \text{Lck} = \{ l \} \). Assume that \( \text{ABSTIME}(\tilde{c}, T) \), where \( \tilde{c} @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \in \widetilde{\text{Conf}} \) and \( T \in \text{Thrd} \), is such that for any \( \tilde{c} \), it assumes the values described by the below table.

<table>
<thead>
<tr>
<th>pc_T</th>
<th>T_1</th>
<th>T_2</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>[5,5]</td>
<td>[10,10]</td>
</tr>
</tbody>
</table>

Also assume that \( \tilde{c}_0 @ \langle [T, pc_T, \tilde{\mathfrak{r}}_T, \tilde{t}^a_T, \tilde{t}^r_T]_{T \in \text{Thrd}}, \tilde{\mathfrak{x}}, \tilde{\mathfrak{l}} \rangle \) is as described in Table 7.9. (Due to the semantics of the program, the parts of the states that are left out from the table are of no interest for this case study.)

Table 7.9 collects all the configurations derived by \( \text{ABSEXE}(\{ \tilde{c}_0 \}, [-\infty, \infty]) \) during the analysis described by \( \text{ANALYSIS}(\{ \tilde{c}_0 \}, [-\infty, \infty]) \). Figure 7.10 shows the order in which the configurations are derived; i.e., the relation between the derived configurations. In the figure, deadlocked configurations are circled and marked with a ‘d’ and discontinued configurations are crossed out. Note that \( \tilde{c}_2 \) is discontinued: \( T_2 \) is assigned \( l \) with the deadline \( [-\infty, 5] \), but its accumulated execution time is already \( [10, 10] \), so no concrete execution can acquire the lock in time. It is apparent that \( \text{ABSEXE}(\{ \tilde{c}_0 \}, [-\infty, \infty]) = (\emptyset, \{ \tilde{c}_1 \}, \emptyset) \); i.e., there are no final-state or timed-out configurations, and \( \tilde{c}_1 \) (in which \( T_1 \) has halted while holding \( l \), for which \( T_2 \) waits) is a deadlocked configuration. According to Algorithm 6.13, it is thus easy to see that the estimated timing bounds are:

\[
\begin{aligned}
\text{BCET} &= -\infty \\
\text{WCET} &= \infty
\end{aligned}
\]
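To show the two checks exercised by Sections 7.2 and 7.3 in executable form, the following Python program is an added example, not code from the thesis: `is_deadlock` implements the deadlock condition of Lemmas 6.8 and 6.10 (some thread waits for a lock held by a thread that has halted, or the waiting threads form a cycle), and `misses_deadline` is this example's reading of why configurations such as $\tilde{c}_2$ in Table 7.9, and lock assignments to an already halted owner as in $\tilde{c}_5$ of Table 7.6, are discontinued. The `LockState`/`ThreadState` records, the statement strings (read off the lock columns of Table 7.6 and 7.9, since Tables 7.5 and 7.8 are not reproduced on this page) and the constructed lock-order cycle `CYCLE` are assumptions of the example.

```python
"""Added example, not code from the thesis: the deadlock condition of
Lemmas 6.8/6.10 and the deadline check behind the discontinued
configurations of Sections 7.2 and 7.3."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Interval = Tuple[float, float]
NEG_INF = float("-inf")


@dataclass
class LockState:
    """(status, owner, deadline, previous owner, release time), as in Table 7.6."""
    status: str                          # "locked" or "unlocked"
    owner: Optional[str] = None          # holding/assigned thread; None is bottom_thrd
    deadline: Optional[Interval] = None  # abstract time by which the owner must acquire
    prev_owner: Optional[str] = None
    release: Optional[Interval] = None


@dataclass
class ThreadState:
    stm: str             # STM(T, pc_T), e.g. "lock la", "unlock la", "halt"
    acc_time: Interval   # t~^a_T


def wanted_lock(t: ThreadState) -> Optional[str]:
    """The lock T is trying to acquire, if STM(T, pc_T) is a lock-statement."""
    return t.stm.split()[1] if t.stm.startswith("lock ") else None


def is_deadlock(threads: Dict[str, ThreadState], locks: Dict[str, LockState]) -> bool:
    """CYCLE(Thrd_lock, l), or some T waits for a held lock whose owner has halted."""
    wait_for: Dict[str, str] = {}
    for name, t in threads.items():
        lck = wanted_lock(t)
        if lck is None:
            continue
        st = locks[lck]
        if st.status == "locked" and st.owner not in (None, name):
            if threads[st.owner].stm == "halt":   # OWN(l lck) halted while holding lck
                return True
            wait_for[name] = st.owner
    # Every waiting thread has one outgoing edge, so a revisited node is a cycle.
    for start in wait_for:
        seen, cur = set(), start
        while cur in wait_for:
            if cur in seen:
                return True
            seen.add(cur)
            cur = wait_for[cur]
    return False


def misses_deadline(threads: Dict[str, ThreadState], locks: Dict[str, LockState]) -> bool:
    """Assumed reading of the discontinuation rule: the assigned owner of a free
    lock has halted, or its earliest possible time already lies past the latest
    deadline, so the lock can never be acquired in time and the configuration
    has no concrete counterpart."""
    for st in locks.values():
        if st.status != "unlocked" or st.owner is None:
            continue
        t = threads[st.owner]
        if t.stm == "halt":
            return True
        if st.deadline is not None and t.acc_time[0] > st.deadline[1]:
            return True
    return False


# Table 7.9, c~_1: T1 holds l and has halted; T2 waits for l.
DL_C1 = ({"T1": ThreadState("halt", (5, 5)), "T2": ThreadState("lock l", (0, 0))},
         {"l": LockState("locked", "T1", (NEG_INF, 5))})
# Table 7.9, c~_2: l is assigned to T2 with deadline [-inf, 5], but T2 is at [10, 10].
DL_C2 = ({"T1": ThreadState("lock l", (0, 0)), "T2": ThreadState("lock l", (10, 10))},
         {"l": LockState("unlocked", "T2", (NEG_INF, 5))})
# Table 7.6, c~_13: T2 halted holding la and lb; T1 waits for la.
SY_C13 = ({"T1": ThreadState("lock la", (0, 0)), "T2": ThreadState("halt", (2, 4))},
          {"la": LockState("locked", "T2", (NEG_INF, 2)),
           "lb": LockState("locked", "T2", (NEG_INF, 4))})
# Table 7.6, c~_3: T1 holds both locks and is still running; T2 waits for la.
SY_C3 = ({"T1": ThreadState("unlock la", (3, 4)), "T2": ThreadState("lock la", (0, 0))},
         {"la": LockState("locked", "T1", (NEG_INF, 2)),
          "lb": LockState("locked", "T1", (NEG_INF, 4))})
# Table 7.6, c~_5: la is assigned to T1, but T1 has already halted.
SY_C5 = ({"T1": ThreadState("halt", (5, 6)), "T2": ThreadState("lock la", (0, 0))},
         {"la": LockState("unlocked", "T1", (NEG_INF, 12), "T1", (4, 5)),
          "lb": LockState("unlocked", None, (NEG_INF, 4), "T1", (5, 6))})
# Constructed lock-order inversion: T1 holds la and wants lb, T2 holds lb and wants la.
CYCLE = ({"T1": ThreadState("lock lb", (2, 2)), "T2": ThreadState("lock la", (1, 2))},
         {"la": LockState("locked", "T1"), "lb": LockState("locked", "T2")})

if __name__ == "__main__":
    for label, cfg in [("c~_1 (7.3)", DL_C1), ("c~_2 (7.3)", DL_C2),
                       ("c~_13 (7.2)", SY_C13), ("c~_3 (7.2)", SY_C3), ("cycle", CYCLE)]:
        print(label, "deadlock" if is_deadlock(*cfg) else "no deadlock",
              "/ discontinued" if misses_deadline(*cfg) else "")
```

The order of the two tests inside `is_deadlock` matters: a thread waiting on a halted owner is reported before any cycle search, which mirrors the disjunction in the lemma, where either disjunct alone makes the configuration deadlocked.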

Table 7.8: Synchronization (Deadline miss) – Program.
Table 7.9: Synchronization (Deadline miss) – Configurations.

<table>
<thead>
<tr>
<th>$\tilde{c}$</th>
<th>$pc_{T_1}$</th>
<th>$pc_{T_2}$</th>
<th>$\tilde{t}^a_{T_1}$</th>
<th>$\tilde{t}^a_{T_2}$</th>
<th>$\tilde{\mathfrak{l}}\ l$</th>
</tr>
</thead>
<tbody>
<tr>
<td>$\tilde{c}_0$</td>
<td>1</td>
<td>1</td>
<td>[0, 0]</td>
<td>[0, 0]</td>
<td>(unlocked, $\perp_{thrd}$, $\perp_{thrd}$, $\perp_{l}$)</td>
</tr>
<tr>
<td>$\tilde{c}_1$</td>
<td>2</td>
<td>1</td>
<td>[5, 5]</td>
<td>[0, 0]</td>
<td>(locked, $T_1$, $[-\infty, 5]$, $\perp_{thrd}$, $\perp_{l}$)</td>
</tr>
<tr>
<td>$\tilde{c}_2$</td>
<td>1</td>
<td>1</td>
<td>[0, 0]</td>
<td>[10, 10]</td>
<td>(unlocked, $T_2$, $[-\infty, 5]$, $\perp_{thrd}$, $\perp_{l}$)</td>
</tr>
</tbody>
</table>

Figure 7.10: Synchronization (Deadline miss) – Configuration relations.
Chapter 8

Conclusions

In this chapter, some distinguishing properties of the defined analysis will be discussed. Feedback on the Research Questions and issues to be further considered and investigated will also be given.

8.1 The Underlying Architecture

The analysis is defined for an arbitrary underlying architecture (that is, however, restricted to the constraints in Assumptions 4.1 and 4.3). The actual underlying system could be an operating system as well as raw hardware as long as both thread-private and globally shared memory, and some form of synchronization primitive, correlating to the description given in the beginning of Chapter 4 is provided. The assumed architecture should be fairly realistic since any mature operating system and any common (single- or multi-core) CPU provides the described features at some abstraction level. For example, any Real-Time operating system should provide spin-locks for thread synchronization and any CPU instruction set should provide the ability to lock the system bus to provide atomic execution of a set of machine operations (since one single instruction of the instruction set often is mapped to a set of machine instructions).

The lock- and unlock-statements could be used to model the LOCK prefix in the x86 instruction set. This prefix is used for asserting atomic execution of an instruction [41, 81]. The lock- and unlock-statements also trivially correspond to higher level spin-locking primitives, such as those provided by the POSIX thread library [10, 39].

Many of the principles applied in the analysis presented in Chapters 5 and 6 to solve the problems arising from abstracting time using intervals are also applicable to analysis of systems with distributed address spaces. If considering processes on one and the same CPU, then communication between these processes is often implemented using a memory buffer which is then to be considered as shared memory. This means that the same principles as those presented in this thesis would be applicable to such an analysis. If communication is performed using, for example, message passing and “Any”-communication is available (i.e., several processes could send a message to a given receiving process and/or several processes could receive a message sent from a given process), this would also require some form of prediction of what values could be transferred between processes.

The necessity of allowing $\text{TIME}(c, T) = 0$ for some configuration, $c \in \text{Conf}$, and thread, $T \in \text{Thrd}$, is apparent when considering the following case. If mutual exclusion is inherent in some instruction of the modeled instruction set, for example, store, then the lock- and unlock-statements could be regarded as macros without timing that should encapsulate all store-statements in a program.

PPL is designed to bring the focus of the analysis to thread synchronization and global data flow. The method presented in this thesis might have to be extended in order to cover all the aspects of a real instruction set, such as those of for example the ARM or PowerPC architectures [5, 42]. This will be further investigated.

If limiting the register (and variable) sizes the architecture would become more realistic. However, wrap-around effects could render loops non-terminating in the abstract case even if this would not concretely occur. See Section 8.3 for a discussion on more non-terminating cases.

8.2 Algorithmic Structure & Complexity

The analysis presented in Chapters 5 and 6 is based on synchronously advancing the threads of a program between their respective program points while keeping the threads fairly synchronized in time (c.f., Algorithm 6.1 and Tables 5.5 and 5.6). The advantage of this approach (i.e., abstracting time using intervals) in conjunction with the defined domain for variable states (c.f., Section 5.5) is that a relatively high precision is achieved. And, when $|\text{Thrd}| = 1$, the analysis result will be equivalent to that of the corresponding sequential analysis. Another advantage is that the time-complexity of the analysis depends more on the number of program points in each thread than on the timing behavior of the program, in contrast to stepping through strict timing events as in the concrete semantics.

Keeping the threads fairly synchronized in the analysis is also an advantage when considering its memory-complexity. Keeping the threads synchronized means that the write history for any thread on any variable will always be as small as possible since writes become outdated after a minimal amount of steps in the analysis and are then trimmed away from the history. In other words, the write history for any thread on any variable will never be larger than absolutely necessary.

One of the main disadvantages with keeping write history for each thread on each variable (which is expected to be necessary in order to keep the over-approximations at a reasonable level) is that the history must be trimmed. Trimming is an advantage for the memory-complexity as discussed above, but could be a serious disadvantage for the time-complexity if the analyzed program consists of many variables and many write-intensive threads.

The definition of the abstract state for locks contains some concrete parts (e.g., the owners of the locks). This is necessary since too much precision would otherwise be lost, and the timing approximations would become useless (i.e., too over-approximate). However, this is very bad from a complexity point of view. The result of not abstracting some parts of a state is that (at least) all the concrete counterparts must be evaluated. No reasonably precise abstractions of the parts of the lock states that are currently kept concrete have been found. In case of serious complexity issues (which are very likely to occur), candidate domains for such abstractions must be further investigated.

It should be apparent that a given (abstract) configuration could result in two or more configurations for each thread issuing an if- or a lock-statement in a transition (c.f., Tables 5.5 and 5.6). Merging of configurations could be performed to reduce the complexity of the analysis. Using the Control Flow Graph (CFG) of the program, suitable merge-points within each thread can be found [25]. Typically, such points have multiple incoming edges. However, even if merging is added to the analysis, it will most probably happen very infrequently (if ever at all). This is because all the concrete parts (i.e., the program counters, lock owners, etc.) must be equal between the configurations to merge. As discussed above, domains for abstraction of the concrete parts of the configuration might have to be further investigated in case of serious complexity issues. Abstracting more parts of the configurations would also make it more likely that merging could be performed more frequently. However, the derived timing approximations could then become very pessimistic.

Figure 8.1: Lock owner assignments based on $\tilde{c} \in \textbf{Conf}$ resulting in one valid and one invalid configuration.

It is very important to note that, in several situations, configurations that lack valid concrete counterparts (c.f., Definition 4.4) are added to the work-list. One such situation is when one sole thread issues $\textbf{lock lck}$ for some free lock, $\text{lck} \in \textbf{Lck}$, in a transition. A unique transition (i.e., resulting configuration) is possible for each thread that might issue $\textbf{lock lck}$ somewhere in the program. A new configuration for each such thread, where the given thread is the new owner of $\text{lck}$, will thus be derived. Consider the situation depicted in Figure 8.1 (c.f., the case study in Section 7.3). $T_1$ is obviously the thread issuing $\textbf{lock lck}$ first in any considered case. However, two new configurations are derived on the transition: one where $T_1$ is the new owner of $\text{lck}$ and one where $T_2$ is the new owner of $\text{lck}$. Obviously, only the configuration for which $T_1$ is the owner of $\text{lck}$ has valid concrete counterparts, since $T_2$ will not acquire $\text{lck}$ before some other thread (i.e., $T_1$) is guaranteed to have acquired $\text{lck}$. Thus, the case that $T_2$ is the new owner of $\text{lck}$ will be discontinued, since the lock is not acquired by $T_2$ before the deadline expires (c.f., Algorithm 6.6).

Another such situation will result for the program described in Figure 8.2a, assuming that the timing of the first $\textbf{lock}$-statement in the two threads overlap (c.f., the case study in Section 7.2). (Note that the given code is guaranteed not to deadlock, provided that both threads eventually release the two locks again.) Assume that the program is described by $\tilde{c} @ (\langle [T, pc_T, \tilde{r}_T, \tilde{t}^a_T] \rangle_{T \in \textbf{Thrd}}, \tilde{x}, \tilde{l}) \in \textbf{Conf}$ and that $pc_{T_1} = pc_{T_2} = 1$. The resulting lock-owner assignments (i.e., configurations) are given in Figure 8.2b. Obviously, only $\tilde{c}_{11}$ and $\tilde{c}_{22}$ have valid concrete counterparts. $\tilde{c}_{12}$ and $\tilde{c}_{21}$ will be discontinued (i.e., removed from the work-list) since there is a cycle in the dependency graph containing at least one lock (here, that lock is $\text{lck}'$) that has the state $\text{unlocked}$ (c.f., Algorithm 6.6). If $\tilde{c}_{12}$ and $\tilde{c}_{21}$ were not discontinued, the analysis would itself deadlock.
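The distinction that the validity check rests on (a dependency cycle whose locks are all locked, versus a cycle that contains a lock in the state unlocked) can be made concrete with a small added Python sketch. This is my own simplified reconstruction for illustration, not the thesis's Algorithms 6.6 and 6.7; the lock-state record, the thread and lock names and the three sample states are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Constructed representation of one lock in an abstract lock state: its
# abstract state ("locked"/"unlocked") and its (possibly only assigned,
# not yet acquiring) owner. An assumption for the example, not the thesis's domain.
@dataclass
class LockState:
    state: str                 # "locked" or "unlocked"
    owner: Optional[str]       # owning thread, or None if the lock is free


Graph = Dict[str, List[str]]   # node -> successors; threads and locks share one namespace


def dependency_graph(locks: Dict[str, LockState], waiting: Dict[str, str]) -> Graph:
    """Edges: a frozen thread points at the lock its active lock-statement tries
    to acquire (owned by another thread); every owned lock points at its owner."""
    graph: Graph = {}
    for thread, lck in waiting.items():
        owner = locks[lck].owner
        if owner is not None and owner != thread:        # thread is frozen on lck
            graph.setdefault(thread, []).append(lck)
    for lck, ls in locks.items():
        if ls.owner is not None:
            graph.setdefault(lck, []).append(ls.owner)
    return graph


def find_cycle(graph: Graph) -> Optional[List[str]]:
    """Depth-first search; returns the nodes of one cycle, or None if acyclic."""
    nodes = set(graph) | {v for succ in graph.values() for v in succ}
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in sorted(nodes)}
    parent: Dict[str, str] = {}

    def visit(u: str) -> Optional[List[str]]:
        colour[u] = GREY
        for v in graph.get(u, []):
            if colour[v] == WHITE:
                parent[v] = u
                cyc = visit(v)
                if cyc is not None:
                    return cyc
            elif colour[v] == GREY:                      # back edge u -> v closes a cycle
                cyc = [u]
                while cyc[-1] != v:
                    cyc.append(parent[cyc[-1]])
                return list(reversed(cyc))
        colour[u] = BLACK
        return None

    for n in colour:
        if colour[n] == WHITE:
            cyc = visit(n)
            if cyc is not None:
                return cyc
    return None


def classify(locks: Dict[str, LockState], waiting: Dict[str, str]) -> Tuple[str, Set[str]]:
    """'no deadlock' (acyclic graph), 'truly deadlocked' (every lock on the cycle
    is locked) or 'falsely deadlocked' (some lock on the cycle is unlocked, so the
    configuration has no valid concrete counterpart and is discontinued)."""
    cyc = find_cycle(dependency_graph(locks, waiting))
    if cyc is None:
        return "no deadlock", set()
    if any(n in locks and locks[n].state == "unlocked" for n in cyc):
        return "falsely deadlocked", set(cyc)
    return "truly deadlocked", set(cyc)


# Constructed sample states for threads T1, T2 and locks lck, lck'.
# TRULY: each thread holds one locked lock and waits for the other's.
TRULY = ({"lck": LockState("locked", "T1"), "lck'": LockState("locked", "T2")},
         {"T1": "lck'", "T2": "lck"})
# FALSELY: T2 is assigned owner of lck' but has not acquired it (state unlocked).
FALSELY = ({"lck": LockState("locked", "T1"), "lck'": LockState("unlocked", "T2")},
           {"T1": "lck'", "T2": "lck"})
# FREE: T2 is frozen on lck, but T1 is not waiting for anything.
FREE = ({"lck": LockState("locked", "T1"), "lck'": LockState("unlocked", None)},
        {"T2": "lck"})

if __name__ == "__main__":
    for name, (locks, waiting) in [("TRULY", TRULY), ("FALSELY", FALSELY), ("FREE", FREE)]:
        print(name, classify(locks, waiting))
```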

It is easy to see that all these complexity hazards really explode when com-

\[ T_1 : \text{[lock lck]}^1 \text{; [lock lck]}^2 \text{; ...} \]
\[ T_2 : \text{[lock lck]}^1 \text{; [lock lck]}^2 \text{; ...} \]

(a) The program described by \( \tilde{c} \).

(b) Resulting configurations.

Figure 8.2: Lock owner assignments based on \( \tilde{c} \in \text{Conf} \) resulting in two valid and two invalid (i.e., falsely deadlocked) configurations.

Another good thing to notice is that the complexity is lowered by keeping a high precision in the calculation of the accumulated execution time for threads issuing lock-statements. Since $\textbf{Time} = \textbf{Intv}$, a high precision in this calculation gives a narrow accumulated execution time. This means that only a minimum number of states need to be explored, since the timing of individual threads will not overlap more than necessary. Of course, this part of the complexity also depends on the precision of ABSTIME; i.e., the accuracy of the model of the underlying architecture.

8.3 Non-terminating Transition Sequences

As previously discussed, ISDEADLOCK catches some configurations that will never reach the final state (c.f., Algorithm 6.4). However, it is not guaranteed to identify all such configurations. This means that the analysis could actually deadlock for some cases that ISDEADLOCK fails to identify as never reaching the final state. The same can be said if ISVALID wrongly identifies a configuration as valid (c.f., Algorithm 6.6).

Infinite loops are recognized by ISTIMEOUT\((\tilde{c}, \tilde{t}_{to})\), given that time moves forward and the timeout is finite; i.e., it cannot be that \(0 \in \text{ABSTIME}(\tilde{c}', T)\) for all \(\tilde{c}' \in \text{Conf}\) occurring in the loop in \(T\), and \(\max(\gamma(\tilde{t}_{to})) = \infty\) is excluded. If ABSTIME includes 0 for all statements of an infinite loop in some thread, then the algorithm will not terminate.

To avoid part of this problem, another timeout variable could be added to the analysis. This timeout could be used to identify that the upper bound of a single thread’s accumulated execution time has reached a limit. However, this does not resolve the case that, for all \(\tilde{c}' \in \text{Conf}\) in the loop, \(\text{ABSTIME}(\tilde{c}', T) = [0, 0]\).

To address this case, a transition counter could be used. There could be one counter for each thread individually and/or one counter for all threads combined. The counter(s) could either count all transitions or only transitions that are consecutively done in \([0, 0]\) amount of time, depending on whether a second timeout is used. When the counter reaches a specific limit, the configuration could be considered to be timed out, which means that the corresponding transition sequence could be of infinite length.

Even if all concrete transition sequences given some initial configuration terminate, all abstract transition sequences resulting from the corresponding abstract initial configuration are not guaranteed to terminate. This is due to over-approximations inherent in the abstract interpretation of the PPL semantics. Thus, all the complications discussed above can occur in the abstract case even if they do not in the concrete case.
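As an added illustration of the two guards discussed above (my own sketch, not the thesis's Algorithm 6.1 or its ISTIMEOUT), the following Python work-list loop runs one constructed thread whose loop exit is undecidable in the abstract. With a non-zero ABSTIME the interval timeout alone terminates the exploration; with ABSTIME = [0, 0] only the counter of consecutive zero-time transitions does. The program, the timeout test and the limits are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Interval = Tuple[int, int]          # Time = Intv: an interval [lower, upper]


@dataclass(frozen=True)
class Conf:
    pc: int
    t_acc: Interval                 # accumulated execution time of the thread
    zero_steps: int                 # consecutive transitions taken in [0, 0] time


# Constructed single-thread program given as successor program points (not PPL syntax):
#   0: an if-statement whose condition is undecidable in the abstract -> 1 or 2
#   1: loop body that jumps back to 0
#   2: halt
SUCC: Dict[int, List[int]] = {0: [1, 2], 1: [0], 2: []}


def abstract_execute(abstime: Callable[[int], Interval], t_to: Interval,
                     zero_limit: int, step_limit: int = 10_000):
    """Explore all abstract transition sequences from pc 0 with a work-list.
    Returns (final, timed_out, counted, transitions)."""
    work = [Conf(0, (0, 0), 0)]
    final: List[Conf] = []
    timed_out: List[Conf] = []
    counted: List[Conf] = []
    transitions = 0
    while work:
        c = work.pop()
        if not SUCC[c.pc]:                      # halt: a final configuration
            final.append(c)
        elif c.t_acc[0] > t_to[1]:              # assumed timeout test: cannot finish before max(t_to)
            timed_out.append(c)
        elif c.zero_steps >= zero_limit:        # transition counter: treated as timed out
            counted.append(c)
        else:
            if transitions >= step_limit:       # safety net so the demo itself always stops
                raise RuntimeError("analysis did not terminate within step_limit")
            transitions += 1
            lo, hi = abstime(c.pc)
            for nxt in SUCC[c.pc]:
                work.append(Conf(nxt, (c.t_acc[0] + lo, c.t_acc[1] + hi),
                                 c.zero_steps + 1 if (lo, hi) == (0, 0) else 0))
    return final, timed_out, counted, transitions


def summary(abstime, t_to, zero_limit) -> Tuple[int, int, int, int]:
    """Sizes of the three result sets plus the number of transitions taken."""
    final, timed_out, counted, n = abstract_execute(abstime, t_to, zero_limit)
    return len(final), len(timed_out), len(counted), n


def terminates(abstime, t_to, zero_limit, step_limit: int = 200) -> bool:
    """True if the exploration stops on its own within step_limit transitions."""
    try:
        abstract_execute(abstime, t_to, zero_limit, step_limit)
        return True
    except RuntimeError:
        return False


def NONZERO(pc: int) -> Interval:   # constructed timing model: every statement takes 1..2 time units
    return (1, 2)


def ZERO(pc: int) -> Interval:      # constructed timing model: every statement takes [0, 0] time
    return (0, 0)


if __name__ == "__main__":
    print("non-zero ABSTIME:", summary(NONZERO, (0, 10), 5))
    print("zero ABSTIME, counter limit 5:", summary(ZERO, (0, 10), 5))
    print("zero ABSTIME, no counter:", terminates(ZERO, (0, 10), 10**9))
```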

8.4 The Research Questions

**Question 1:** “What are the distinguishing features of a parallel computer system (i.e., the hardware and software combination) that must be taken into account in a timing analysis on the code level?”

The most important aspects found are some means of communication and synchronization between the parallel entities. In this thesis, only the software (i.e., code) level is considered: shared memory is used to represent the communication medium; locks that can be acquired in a mutually exclusive manner using spin-locking are used to represent the synchronization medium; and threads are used to represent the parallel entities.

**Question 2:** “How can a parallel computer system be analyzed to derive safe and tight estimations on its timing bounds?”

It has been shown that Abstract Interpretation is a suitable technique for deriving safe timing bound estimates for a given program and timing model. The resulting tightness of the estimates depends both on the precision of the used abstract domains, the precision of the timing analysis itself and the precision of the timing model. Further evaluation, preferably based on an implementation of the analysis, must be performed before the tightness of the approach used in this thesis can be commented upon.

**Question 3:** “How can analysis termination be guaranteed?”

Some techniques to increase the termination-probability have already been incorporated into the analysis and were discussed in the previous sections; one such technique is the discontinuation of configurations that lack concrete counterparts. Further techniques should be investigated and could most probably be derived based on an implementation and evaluation of the analysis. One such example, as discussed above, is to include a second timeout variable in the analysis. Another example, as also discussed above, is to include a transition counter.

As previously discussed, merging of configurations is not expected to be a usable technique since the configuration contains a lot of concrete information (e.g., the threads’ program counters and the owners of the program locks).

The techniques discussed above (a second timeout combined with a transition counter) should basically guarantee termination of the analysis, provided that suitable limits are chosen. But note that this is still an open question for the analysis presented in this thesis.

8.5 Other Applications of the Analysis

Given that the analysis terminates, some interesting results follow. The analysis could be used as a precise deadlock analysis including the timing behavior of the program. If the set of deadlocked configurations (c.f., $\tilde{C}^d$ in Algorithm 6.1) is empty, the program is deadlock free up until (and including) the point in time described by the timeout.

Furthermore, the analysis could also be used to determine whether a program is guaranteed to terminate. If the sets containing deadlocked and timed-out configurations (i.e., $\tilde{C}^d$ and $\tilde{C}^t$ in Algorithm 6.1, respectively) are empty, the program is guaranteed to terminate within the returned timing bounds.

8.6 Future Work

Some concrete tasks that will be performed in the near future are to implement and evaluate the analysis presented in this thesis. The implementation will be done in a suitable programming language. Which language has yet to be decided, but C/C++ and Erlang are top candidates.

Since PPL is rudimentary and designed to put focus on global data flow and thread synchronization, the implementation could use and analyze a more realistic instruction set. Some candidate instruction sets are LLVM [87], ALF [26, 27], ARM [5] and PowerPC [42]. It could also be possible to make the implementation a flexible framework which could allow the analyzed instruction set to be switched. This could be done by dividing instructions into special classes.

Some model of the underlying architecture (i.e., the function ABSTIME) must also be derived. Since the focus of this thesis has excluded any form of definition of ABSTIME, some very simple, and perhaps even non-realistic, timing model will most probably be used. Several different timing models should be evaluated to investigate how the characteristics of their definitions affect the complexity of the analysis.

The evaluation will be performed on some suitable benchmark suite of parallel programs. Such a suite is currently being established within the TACLe EU COST Action [86] (a European network of leading researchers within the field of WCET analysis) and will include parallel versions of some of the programs in the Mälardalen WCET Benchmark suite [24]. The benchmark suite should include different types of parallel programs, each of them stressing the analysis in a different way.

It is expected that the evaluation will result in hints pointing to some parts of the analysis that suffer from severe complexity problems. Thus, improvements and strategies for complexity reduction for these parts should be derived and implemented. One point that is already apparent in the case study in Section 7.2 is that the calculations in DLLOCK, defined in Algorithm 5.11, should be made tighter if possible (c.f., the result of the case study in Section 7.2, as shown in Table 7.6).
## Appendix A

### Notation & Nomenclature

<table>
<thead>
<tr>
<th>expression</th>
<th>description</th>
</tr>
</thead>
<tbody>
<tr>
<td>$\exp_1 @ \exp_2$</td>
<td>$\exp_1$ and $\exp_2$ denote the same thing, often a short and a long notation for a configuration.</td>
</tr>
<tr>
<td>$b\ ?\ \exp_1 : \exp_2$</td>
<td>If $b$, then $\exp_1$, otherwise $\exp_2$.</td>
</tr>
<tr>
<td>$(o_1, \ldots, o_n)$</td>
<td>Ordinary tuple containing $n$ elements.</td>
</tr>
<tr>
<td>$\langle o_1, \ldots, o_n \rangle$</td>
<td>Special tuple containing $n$ elements. Used to denote complete lattices, Galois connections, configurations, etc.</td>
</tr>
<tr>
<td>$[o_1, \ldots, o_n]_{e \in \{e_1, \ldots, e_m\}}$</td>
<td>Expands to $\exp(e_1) \times \ldots \times \exp(e_m)$; i.e., one instance of $o_1, \ldots, o_n$ for each $e \in \{e_1, \ldots, e_m\}$. Used inside special tuples.</td>
</tr>
<tr>
<td>$S$</td>
<td>An arbitrary set (capitalized, italic notation).</td>
</tr>
<tr>
<td>$\mathbb{S}$</td>
<td>A standard set (capitalized, blackboard bold notation); e.g., $\mathbb{Z}$.</td>
</tr>
<tr>
<td>$\textbf{Set}$</td>
<td>A set of analysis-specific elements (first letter capitalized, bold notation); e.g., $\textbf{Thrd}$.</td>
</tr>
<tr>
<td>$\mathcal{P}(S)$</td>
<td>The powerset of $S$; i.e., $\{S' \mid S' \subseteq S\}$.</td>
</tr>
<tr>
<td>$S \times S'$</td>
<td>The Cartesian product; i.e., $\{(e, e') \mid e \in S \land e' \in S'\}$.</td>
</tr>
<tr>
<td>$\prod_{e \in \{e_1, \ldots, e_m\}} \exp(e)$</td>
<td>Expands to $\exp(e_1) \times \ldots \times \exp(e_m)$.</td>
</tr>
<tr>
<td>$e, e' \in S$</td>
<td>Short for $e \in S \land e' \in S$.</td>
</tr>
<tr>
<td>$\lambda e \in S.\exp$</td>
<td>A function from $e$, which is an element of $S$, to $\exp$, which is often dependent on the specific $e$.</td>
</tr>
<tr>
<td>$f(s)$</td>
<td>The function $f$ applied to $s$.</td>
</tr>
<tr>
<td>$f \circ g(o)$</td>
<td>Equivalent to $f(g(o))$.</td>
</tr>
<tr>
<td>$f \circ [o_1] o_2$</td>
<td>Equivalent to $(f(o_1))(o_2)$.</td>
</tr>
<tr>
<td>$f\ s$</td>
<td>The function $f$ applied to $s$. This notation is used when dereferencing mappings.</td>
</tr>
<tr>
<td>$\mathcal{F}$</td>
<td>Denotes a state (i.e., a function/mapping from elements to values); e.g., $r$.</td>
</tr>
<tr>
<td>$\mathcal{F}[s' \mapsto \exp]$</td>
<td>Remap; defined as
\[
\mathcal{F}[s' \mapsto \exp]\ s = \begin{cases}
\exp & \text{if } s = s' \\
\mathcal{F}\ s & \text{otherwise}
\end{cases}
\]</td>
</tr>
<tr>
<td>$\text{ALGFUNC}$</td>
<td>A function defined in a table or algorithm.</td>
</tr>
<tr>
<td>$T$</td>
<td>One of the threads defined in the analyzed program.</td>
</tr>
<tr>
<td>$\Pi, \textbf{Thrd}$</td>
<td>The analyzed program; i.e., a set of threads.</td>
</tr>
<tr>
<td>$r$</td>
<td>Register (thread-local memory).</td>
</tr>
<tr>
<td>$\textbf{Reg}_T$</td>
<td>The set of registers used by thread $T$.</td>
</tr>
<tr>
<td>$x$</td>
<td>Variable (global memory).</td>
</tr>
<tr>
<td>$\textbf{Var}$</td>
<td>The variables defined in the program.</td>
</tr>
<tr>
<td>$lck$</td>
<td>Lock (shared resource).</td>
</tr>
<tr>
<td>$\textbf{Lck}$</td>
<td>The locks defined in the program.</td>
</tr>
<tr>
<td>$pc$</td>
<td>Program counter (unique for each thread).</td>
</tr>
<tr>
<td>$\tilde{f}$</td>
<td>$f$ defined in some abstract domain; i.e., an abstraction of $f$.</td>
</tr>
<tr>
<td>$r, \tilde{r}$</td>
<td>Mapping from registers to their values (unique for each thread).</td>
</tr>
<tr>
<td>$t^a, \tilde{t}^a$</td>
<td>Accumulated execution time (unique for each thread).</td>
</tr>
<tr>
<td>$x, \tilde{x}$</td>
<td>Mapping from variables to mappings from threads to their write history for the given variable.</td>
</tr>
<tr>
<td>$l, \tilde{l}$</td>
<td>Mapping from locks to their values.</td>
</tr>
<tr>
<td>$c, \tilde{c}$</td>
<td>Configuration (system state).</td>
</tr>
<tr>
<td>$\sqsubseteq$</td>
<td>Partial order relation.</td>
</tr>
<tr>
<td>$\bot$</td>
<td>The bottom element in a complete lattice.</td>
</tr>
<tr>
<td>$\top$</td>
<td>The top element in a complete lattice.</td>
</tr>
<tr>
<td>$\sqcup$</td>
<td>The least upper bound operator.</td>
</tr>
<tr>
<td>$\sqcap$</td>
<td>The greatest lower bound operator.</td>
</tr>
<tr>
<td>$\alpha$</td>
<td>Abstraction function.</td>
</tr>
<tr>
<td>$\gamma$</td>
<td>Concretization function.</td>
</tr>
<tr>
<td>$\rightarrow^{ax}, \tilde{\rightarrow}^{ax}$</td>
<td>Transition relation for statements (i.e., axioms).</td>
</tr>
<tr>
<td>$\rightarrow^{prg}, \tilde{\rightarrow}^{prg}$</td>
<td>Transition relation for threads (i.e., the program).</td>
</tr>
<tr>
<td>$t_{to}, \tilde{t}_{to}$</td>
<td>The timeout variable used by the analysis.</td>
</tr>
<tr>
<td>$\triangleright$</td>
<td>Begins a comment within algorithms.</td>
</tr>
</tbody>
</table>

**Final configurations** are configurations in which all the threads issue the `halt`-statement.

**Final states** is an alternative notation for final configurations.

**Deadlocked configurations** are configurations that can never reach the final state.

**Timed-out configurations** are configurations that cannot reach the final state before a given point in time, the timeout.

**Truly deadlocked configurations** are abstract configurations that are deadlocked and have valid concrete counterparts; i.e., there is at least one semantically valid concrete configuration that can be abstracted by the given configuration. It must thus be that all threads included in the deadlock are owners of some lock, which has the state `locked`, and are waiting to acquire some other lock, which also has the state `locked`.

**Falsely deadlocked configurations** are abstract configurations that are deadlocked and do not have any valid concrete counterpart; i.e., there is no semantically valid concrete configuration that can be abstracted by the given configuration. It could thus be that some thread included in the deadlock is the owner of some lock, which has the state `unlocked`, and that some other thread included in the deadlock is waiting to acquire that lock.

**Axiom statements** are labeled statements; i.e., statements that are not composed of several statements.

**Composed statements** are statements that are composed by two or more axiom (i.e., labeled) statements.

**Active statements** are the axiom statements pointed to by the threads’ program counters. The active statement is the statement that is executed when the thread is executed. Only one statement in each thread can be active at any given point in time since all the axiom statements within a thread are uniquely labeled.

**Frozen threads** are threads in an abstract configuration whose active statements are `lock`-statements and the locks they are trying to acquire are currently owned by some other thread.

**Active threads** are not frozen and their active statements are not `halt`. Note that this applies to all threads in any concrete configuration, given that they are not issuing the `halt`-statement, since only threads in an abstract configuration can be frozen.

**Executing threads** are the active threads that will execute their active statement at the nearest point in time.

**BCET** (Best-Case Execution Time) is the shortest possible execution time of the program, given a certain set of initial states.

**WCET** (Worst-Case Execution Time) is the longest possible execution time of the program, given a certain set of initial states.

## Appendix B

### List of Assumptions

4.1  TIME is non-negative

4.3  TIME is non-zero when spin-locking

5.50  ABSTIME is safe and non-negative

## Appendix C

### List of Definitions

<table>
<thead>
<tr>
<th>Section</th>
<th>Definition</th>
<th>Page</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.1</td>
<td>Monotone function</td>
<td>16</td>
</tr>
<tr>
<td>3.2</td>
<td>Completely additive function</td>
<td>16</td>
</tr>
<tr>
<td>3.3</td>
<td>Completely multiplicative function</td>
<td>17</td>
</tr>
<tr>
<td>3.9</td>
<td>Galois connection</td>
<td>20</td>
</tr>
<tr>
<td>3.10</td>
<td>Galois insertion</td>
<td>20</td>
</tr>
<tr>
<td>3.11</td>
<td>Induced function</td>
<td>21</td>
</tr>
<tr>
<td>3.12</td>
<td>Adjunction</td>
<td>21</td>
</tr>
<tr>
<td>3.26</td>
<td>Partial order</td>
<td>32</td>
</tr>
<tr>
<td>3.27</td>
<td>Greatest lower bound</td>
<td>32</td>
</tr>
<tr>
<td>3.28</td>
<td>Least upper bound</td>
<td>32</td>
</tr>
<tr>
<td>3.29</td>
<td>Abstraction function, $\alpha$</td>
<td>32</td>
</tr>
<tr>
<td>3.30</td>
<td>Alternative definition – Concretization function, $\gamma$</td>
<td>32</td>
</tr>
<tr>
<td>3.31</td>
<td>Interval</td>
<td>33</td>
</tr>
<tr>
<td>3.32</td>
<td>Concretization of intervals</td>
<td>33</td>
</tr>
<tr>
<td>3.33</td>
<td>Partial order for intervals</td>
<td>33</td>
</tr>
<tr>
<td>3.34</td>
<td>Greatest lower bound for intervals</td>
<td>33</td>
</tr>
<tr>
<td>3.35</td>
<td>Least upper bound for intervals</td>
<td>34</td>
</tr>
<tr>
<td>3.36</td>
<td>Abstraction to interval</td>
<td>34</td>
</tr>
<tr>
<td>4.4</td>
<td>Valid concrete configuration</td>
<td>50</td>
</tr>
<tr>
<td>4.7</td>
<td>Collecting semantics</td>
<td>52</td>
</tr>
<tr>
<td>5.1</td>
<td>Concretization of an abstract register state</td>
<td>54</td>
</tr>
<tr>
<td>5.2</td>
<td>Partial order for abstract register states</td>
<td>54</td>
</tr>
<tr>
<td>5.3</td>
<td>Greatest lower bound of abstract register states</td>
<td>54</td>
</tr>
<tr>
<td>5.4</td>
<td>Least upper bound of abstract register states</td>
<td>56</td>
</tr>
<tr>
<td>5.5</td>
<td>Abstraction of a set of register states</td>
<td>56</td>
</tr>
<tr>
<td>5.7</td>
<td>Boolean restriction</td>
<td>57</td>
</tr>
<tr>
<td>5.8</td>
<td>Concretization of an abstract variable state</td>
<td>58</td>
</tr>
<tr>
<td>5.9</td>
<td>Abstraction of a set of variable states</td>
<td>58</td>
</tr>
<tr>
<td>5.11</td>
<td>Partial order of writes, $\sqsubseteq_w$</td>
<td>60</td>
</tr>
<tr>
<td>5.12</td>
<td>Least upper bound of writes, $\sqcup_w$</td>
<td>60</td>
</tr>
<tr>
<td>5.13</td>
<td>Time precedence, $\preceq_t$</td>
<td>60</td>
</tr>
<tr>
<td>5.14</td>
<td>Partial order for abstract variable states</td>
<td>61</td>
</tr>
<tr>
<td>5.15</td>
<td>Greatest lower bound of abstract variable states</td>
<td>61</td>
</tr>
<tr>
<td>5.16</td>
<td>Least upper bound of abstract variable states</td>
<td>61</td>
</tr>
<tr>
<td>5.17</td>
<td>Time of most recent write</td>
<td>61</td>
</tr>
<tr>
<td>5.18</td>
<td>Safe write history</td>
<td>62</td>
</tr>
<tr>
<td>5.19</td>
<td>Safe value of $x$ as seen by thread $T$</td>
<td>62</td>
</tr>
<tr>
<td>5.20</td>
<td>Safe partial order of abstract variable states</td>
<td>65</td>
</tr>
<tr>
<td>5.21</td>
<td>Safe lower bound of abstract variable states</td>
<td>65</td>
</tr>
<tr>
<td>5.22</td>
<td>Safe upper bound of abstract variable states</td>
<td>65</td>
</tr>
<tr>
<td>5.28</td>
<td>Concretization of an abstract lock state</td>
<td>74</td>
</tr>
<tr>
<td>5.29</td>
<td>Abstraction of a set of lock states</td>
<td>74</td>
</tr>
<tr>
<td>5.30</td>
<td>Partial order of abstract lock states</td>
<td>76</td>
</tr>
<tr>
<td>5.31</td>
<td>Greatest lower bound of abstract lock states</td>
<td>76</td>
</tr>
<tr>
<td>5.32</td>
<td>Least upper bound of abstract lock states</td>
<td>76</td>
</tr>
<tr>
<td>5.35</td>
<td>Concretization of an abstract configuration</td>
<td>79</td>
</tr>
<tr>
<td>5.36</td>
<td>Partial ordering of two abstract configurations</td>
<td>79</td>
</tr>
<tr>
<td>5.38</td>
<td>Greatest lower bound for two abstract configurations</td>
<td>80</td>
</tr>
<tr>
<td>5.39</td>
<td>Least upper bound for two abstract configurations</td>
<td>80</td>
</tr>
<tr>
<td>5.40</td>
<td>Abstraction of a set of configurations</td>
<td>81</td>
</tr>
<tr>
<td>5.42</td>
<td>Abstraction of a set of axiom input configurations</td>
<td>83</td>
</tr>
<tr>
<td>5.43</td>
<td>Concretization of an abstract axiom input configuration</td>
<td>83</td>
</tr>
<tr>
<td>5.44</td>
<td>Abstraction of a set of axiom output configurations</td>
<td>83</td>
</tr>
<tr>
<td>5.45</td>
<td>Concretization of an abstract axiom output configuration</td>
<td>83</td>
</tr>
<tr>
<td>5.48</td>
<td>Soundness of the abstract axiom transition relation</td>
<td>85</td>
</tr>
<tr>
<td>6.9</td>
<td>BCET and WCET</td>
<td>158</td>
</tr>
</tbody>
</table>

## Appendix D

### List of Figures

4.6 Illustration of how $\text{Thrd}_{\text{exe}}$ is determined. 46
5.3 The time-stamps of the writes considered by $\text{READ}$. 68
5.7 Abstract lock state transitions. 132
6.1 Timeout for recursion in $\text{ABSEXE}$. 151
7.4 Communicating threads – Configuration relations. 165
7.7 Synchronization (Deadlock) – Configuration relations. 168
7.10 Synchronization (Deadline miss) – Configuration relations. 170
8.1 Lock owner assignments based on $\tilde{c} \in \text{Conf}$ resulting in one valid and one invalid configuration. 174
8.2 Lock owner assignments based on $\tilde{c} \in \text{Conf}$ resulting in two valid and two invalid (i.e., falsely deadlocked) configurations. 175

## Appendix E

### List of Tables

4.1 The Syntax of PPL. 38
4.2 Semantics of concrete axiom transitions. 42
4.3 Semantics of concrete program transitions. 43
4.4 Definition of STM and LABELS. 44
4.5 Definition of STT, OWN, DL, POWN and REL. 45
4.7 Semantics of concrete evaluation of arithmetic expressions. 48
4.8 Semantics of concrete evaluation of boolean expressions. 48
5.1 PPL operators defined for interval arguments. 55
5.2 The abstract function evaluating arithmetic expressions. 57
5.5 Semantics of abstract axiom transitions. 84
5.6 Semantics of abstract program transitions. 88
7.1 Communicating threads – Program. 161
7.2 Communicating threads – Configurations (First half). 163
7.3 Communicating threads – Configurations (Second half). 164
7.5 Synchronization (Deadlock) – Program. 166
7.6 Synchronization (Deadlock) – Configurations. 167
7.8 Synchronization (Deadline miss) – Program. 169
7.9 Synchronization (Deadline miss) – Configurations. 170

## Appendix F

### List of Algorithms

5.1 Partial Order of Abstract Variable States 63
5.2 Earliest Write for a Thread 64
5.3 Meeting Two Abstract Variable States 66
5.4 Joining Two Abstract Variable States 67
5.5 Write to Variable 68
5.6 Read from Variable 69
5.7 Time of Most Recent Write 69
5.8 Time of Most Recent Write in Thread 69
5.9 Trim Variable State 72
5.10 Split Set of Writes 72
5.11 Determine Deadline for Lock Owner Assignment 90
5.12 Determine Accumulated Execution Time 90
5.12 Cont. Determine Accumulated Execution Time 91
6.1 Abstract Execution 138
6.2 Choose an Element 139
6.3 Final Abstract Configuration 139
6.4 Deadlocked Abstract Configuration 140
6.5 Timed-Out Abstract Configuration 140
6.6 Valid Abstract Configuration 140
6.7 Determine if Graph Has Cycles 141
6.8 Threads Executing a Possibly Unsafe Load Statement 141
6.9 Global Variables in an Abstract Configuration 142
6.10 Threads to Execute in Abstract Configuration 142
6.11 Get Variable in Load Statement 142
6.12 Get Register in Load Statement 142
6.13 BCET/WCET Analysis 157
Appendix G

List of Lemmas

3.4 Completely multiplicative functions . . . . . . . . . . . . . . 17
3.14 Relation between $\alpha$ and $\gamma$ . . . . . . . . . . . . . . . 22
3.15 Galois connection – Existence . . . . . . . . . . . . . . . . 23
3.18 Monotonicity of $\alpha_P$ . . . . . . . . . . . . . . . . . . . . . 25
3.19 Monotonicity of $\gamma_P$ . . . . . . . . . . . . . . . . . . . . . 26
3.23 Monotonicity of $\gamma_t$ . . . . . . . . . . . . . . . . . . . . . 28
3.37 Monotonicity of $\gamma_{\text{int}}$ . . . . . . . . . . . . . . . 34
3.38 Monotonicity of $\alpha_{\text{int}}$ . . . . . . . . . . . . . . . . 34

4.2 Time only moves forward . . . . . . . . . . . . . . . . . . . . . 47
4.5 $\xrightarrow{\text{prg}}$ preserves lock state validity . . . . . . . . . 50
4.6 Properties of $\Gamma_n$ . . . . . . . . . . . . . . . . . . . . . . . 51

5.23 Soundness of $\text{WRITE}$ . . . . . . . . . . . . . . . . . . . . 68
5.24 Soundness of $\text{MOSTRECENTWRITETIMETHREAD}$ . . . . . 70
5.25 Soundness of $\text{MOSTRECENTWRITETIME}$ . . . . . . . . . 70
5.26 Soundness of $\text{READ}$ . . . . . . . . . . . . . . . . . . . . 70
5.27 Soundness of $\text{TRIM}$ . . . . . . . . . . . . . . . . . . . . . 71
5.33 Monotonicity of $\gamma_{\text{lock}}$ . . . . . . . . . . . . . . . . 77
5.37 Monotonicity of $\gamma_{\text{conf}}$ . . . . . . . . . . . . . . . . 79
5.49 Soundness of $\xrightarrow{\text{av}}$ . . . . . . . . . . . . . . . . 85
5.51 Time accumulation . . . . . . . . . . . . . . . . . . . . . . . 94
5.52 Thread isolation . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.53 Soundness of $\text{DLLOCK}$ . . . . . . . . . . . . . . . . . . . . 95
5.54 Partial soundness of $\text{ACCTIME}$ . . . . . . . . . . . . . . . 100
5.55 Properties of owner assignment for lock-transitions . . . . . . 104
5.56 Soundness of $\xrightarrow{pr} \neg$, no frozen thread . . . . . . . . 108
5.57 Soundness of $\xrightarrow{pr} \neg$, frozen thread . . . . . . . . . . 119
5.58 Soundness of $\xrightarrow{pr} \neg$, final state . . . . . . . . . . . 130

6.1 Soundness of $\text{CYCLE}$ . . . . . . . . . . . . . . . . . . . . . 141
6.2 Soundness of $\text{EXETHRD}$ . . . . . . . . . . . . . . . . . . . . 143
6.3 Soundness of $\text{GLOBALVAR}$ . . . . . . . . . . . . . . . . . . . 144
6.4 Soundness of $\text{EXELOADTHRD}$ . . . . . . . . . . . . . . . . . . 144
6.5 Soundness of $\text{ISDEADLOCK}$ . . . . . . . . . . . . . . . . . . . 145
6.6 Soundness of $\text{ISTIMEOUT}$ . . . . . . . . . . . . . . . . . . . . 145
6.7 Soundness of $\text{ISVALID}$ . . . . . . . . . . . . . . . . . . . . . 146
6.8 Soundness of $\text{ABSEXE}$ . . . . . . . . . . . . . . . . . . . . . . 148
6.10 Soundness of $\text{ANALYSIS}$ . . . . . . . . . . . . . . . . . . . . 158
Appendix H

List of Theorems

3.5 Complete lattice – Lifting . . . . . . . . . . . . . . . . . . . . . 18
3.6 Complete lattice – Cartesian product . . . . . . . . . . . . . . . 18
3.7 Complete lattice – Total function space . . . . . . . . . . . . . . 19
3.8 Complete lattice – Monotone function space . . . . . . . . . . . . 19
3.13 Adjunctions and Galois connections . . . . . . . . . . . . . . . . 21
3.16 Galois connection – Independent attribute method . . . . . . . . . 24
3.17 Galois connection – Lifted independent attribute method . . . . . 24
3.20 Galois connection – Double lifting . . . . . . . . . . . . . . . . 26
3.21 Not a Galois connection – Double lifting . . . . . . . . . . . . . 27
3.22 Galois connection – Function space . . . . . . . . . . . . . . . . 28
3.24 Galois connection – Lifted function space . . . . . . . . . . . . . 29
3.25 Galois connection – Indexing . . . . . . . . . . . . . . . . . . . . 30
3.39 Galois insertion – Intervals . . . . . . . . . . . . . . . . . . . . 35

5.6 Galois connection – Register states . . . . . . . . . . . . . . . . 56
5.10 Galois connection – Variable states . . . . . . . . . . . . . . . . 59
5.34 Galois connection – Lock states . . . . . . . . . . . . . . . . . . 77
5.41 Galois connection – Configurations . . . . . . . . . . . . . . . . 81
5.46 Galois connection – Axiom input configurations . . . . . . . . . . 83
5.47 Galois connection – Axiom output configurations . . . . . . . . . . 83
Index

NOTE, 15, 37, 39, 53, 54, 60, 62, 65, 100, 137, 156
abstract domain, 6, 20
abstract execution, 6–9, 12
abstract interpretation, 6, 7, 11, 13, 15, 39, 176
abstraction, 6, 7, 9, 20, 48, 53, 56, 137, 171, 173, 190
anti-symmetric relation, *see* relation
BCET, *BCET*, 3, 4, 6–9, 12, 157–159, 162, 168, 169, 192
Best-Case Execution Time, *see* BCET, *BCET*
bottom element, 16
bounds
  lower, 16
  greatest, 16
  upper, 16
  least, 16
calculation, 4
completely additive function, *see* function
completely multiplicative function, *see* function
concrete domain, 20
COST Action, 178
dynamic analysis, 4
embedded system, 1
estimation
  safe, 3, 4
  tight, 4
fixed-point calculation, 92
flow analysis, 4
function
  completely additive, 16
  completely multiplicative, 16
  monotone, 16
  partial, 16
  total, 16
global memory, *see* variable
greatest lower bound, *see* bounds
halting problem, 5
least upper bound, *see* bounds
local memory, *see* register
lock, 37
low-level analysis, 4
lower bound, *see* bounds
Mälardalen WCET Benchmark suite, 178
model-checking, 1, 5, 6, 12, 13
monotone function, *see* function
multi-core CPU, 2, 3, 7, 12–14, 37, 53, 171
partial function, *see* function
partial ordering, 16
real-time system, 1–3, 5–7
  hard, 2, 3
  soft, 2
reflexive relation, *see* relation
register, 37
relation, 15
  anti-symmetric, 16
  reflexive, 16
  transitive, 16
safe estimation, *see* estimation
shared memory, 2–4, 7, 13, 14, 37, 172, 176
single-core CPU, 5, 14
static analysis, 4
TACLe, *see* COST Action
tight estimation, *see* estimation, 7
top element, 16
total function, *see* function
transitive relation, *see* relation
UPPAAL, 6, 12
upper bound, *see* bounds
variable, 37
WCET, *WCET*, 3–9, 11–14, 157–159, 162, 168, 169, 178, 192
Worst-Case Execution Time, *see* WCET, *WCET*