The Bakery Algorithm: Yet Another Specification and Verification [0]

Egon Börger [1], Yuri Gurevich [2], Dean Rosenzweig [3]

Abstract

At a meeting at Schloss Dagstuhl in June 1993, Uri Abraham and Menachem Magidor challenged the thesis that an evolving algebra can be tailored to any algorithm at its own abstraction level. As an example they gave an instructive proof which uses lower and higher views to show correctness of Lamport's bakery algorithm. We construct two evolving algebras capturing the lower and the higher view respectively, enabling a simple and concise proof of correctness for the bakery algorithm.

Introduction

Uri Abraham [Abraham93] has devised an instructive correctness proof for various variants of Lamport's bakery algorithm, relying on a distinction between a lower view and a higher view of the algorithms. Actions at the higher level represent complex lower-level computations. He formulates abstract conditions on higher-level actions which are then shown to suffice for correctness and fairness (in the form of a 'first-come-first-served' property and deadlock-freedom) and to be satisfied by the corresponding lower-level computations. At a seminar at Schloss Dagstuhl in June 1993 Uri Abraham and Menachem Magidor expressed doubts that such a proof could be naturally carried out in the evolving algebra framework of [Gurevich91], since the latter uses a notion of atomic instantaneous action.

We construct, in Section 1, two evolving algebras reflecting the lower and higher views of Lamport's improved version of the bakery algorithm (see [Lamport79]). In Section 2 we display abstract conditions on higher-level actions, in terms of atomic-action semantics, enabling a simple and concise proof of the first-come-first-served property (FCFS) and deadlock-freedom. The conditions are easily seen to be satisfied by the corresponding lower-level computations.
Since actions of an evolving algebra are there assumed to be atomic, that proof treats the case of atomic reads and writes to shared registers. In Section 3 we explain the semantics of evolving algebras assuming durative actions, i.e. actions taking time, and allowing overlapping of reads and writes to shared registers. Refining the abstract conditions for the case of regular reads (see [Lamport86]), we show that the proof of the previous section goes through with only slight modifications. For the more general case of safe registers, correctness of the algorithm from [Lamport74] is then easily proved by a slight adaptation of the present argument; the improved algorithm from [Lamport79] is not correct for safe registers, as shown by a simple counterexample.

[0] In this version, notation is slightly modified to reflect the Lipari guide. The original publication appeared in "Specification and Validation Methods", ed. E. Börger, Oxford University Press, 1995, 231–243.

[1] Dipartimento di Informatica, Universita di Pisa, Corso Italia 40, I-56100 Pisa, boerger@di.unipi.it. Partially supported by MURST 91.

[2] EECS, University of Michigan, Ann Arbor MI 48109-2122, gurevich@umich.edu. Partially supported by NSF Grant CCR 92-04742 and ONR grant N00014-91-J-11861.

[3] FSB, University of Zagreb, Salajeva 5, HR-41000 Zagreb, dean@math.hr. Partially supported by CNR/Gnasaga grant 2.94.
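The properties the Introduction attributes to Section 2, mutual exclusion (the correctness property of a mutual-exclusion algorithm) and FCFS, can be checked mechanically for small instances under that section's assumption of atomic reads and writes. The following Python model is an added example and is not part of the paper or of the evolving algebra specification it describes. It encodes the bakery algorithm of [Lamport74] as a per-process state machine in which every step performs at most one atomic access to a shared register, and explores every interleaving of n single-round processes. The program-counter names, the state layout, the `ahead` bookkeeping used to judge FCFS and the `use_choosing` switch are choices made here; the switch disables the `choosing` flag to show that the checker catches a standard broken variant, which is unrelated to the safe-register counterexample the paper refers to and is not a claim about [Lamport79].

```python
"""Finite-state model of Lamport's bakery algorithm ([Lamport74]) with atomic
reads and writes of the shared registers `choosing` and `number`.  All
interleavings are explored exhaustively and every reachable state is checked
for mutual exclusion and for first-come-first-served (FCFS).

Added example, not the paper's evolving-algebra specification.  The constants,
the state layout and the `use_choosing` switch are illustrative choices."""

# Program counter values of one process.  Each step performs at most one
# atomic access to a shared register, so interleavings at this granularity
# are exactly the atomic-read/write executions of the algorithm.
(SET_CHOOSING, SCAN_MAX, WRITE_NUMBER, CLEAR_CHOOSING,
 WAIT_CHOOSING, WAIT_NUMBER, CRITICAL, EXIT, DONE) = range(9)


def initial_state(n):
    """choosing[] all false, number[] all zero, every process before its doorway."""
    procs = tuple((SET_CHOOSING, 0, 0, frozenset()) for _ in range(n))
    return ((False,) * n, (0,) * n, procs)


def step(state, i, use_choosing=True):
    """One atomic step of process i, or None once i has finished.

    A process is (pc, j, m, ahead): j is the loop index, m the largest ticket
    seen while scanning, `ahead` the set of processes that had already left
    the doorway when i entered it (the information FCFS is judged against)."""
    choosing, number, procs = state
    pc, j, m, ahead = procs[i]
    n = len(procs)
    choosing, number = list(choosing), list(number)
    if pc == SET_CHOOSING:                      # doorway begins
        ahead = frozenset(k for k in range(n)
                          if k != i and procs[k][0] >= WAIT_CHOOSING)
        choosing[i] = True
        pc, j, m = SCAN_MAX, 0, 0
    elif pc == SCAN_MAX:                        # number[i] := 1 + max number[0..n-1]
        if j < n:
            m, j = max(m, number[j]), j + 1     # one atomic read of number[j]
        else:
            pc = WRITE_NUMBER
    elif pc == WRITE_NUMBER:
        number[i] = m + 1
        pc = CLEAR_CHOOSING
    elif pc == CLEAR_CHOOSING:                  # doorway ends
        choosing[i] = False
        pc, j = WAIT_CHOOSING, 0
    elif pc == WAIT_CHOOSING:                   # for each j: wait until not choosing[j]
        if j == n:
            pc = CRITICAL
        elif not use_choosing or not choosing[j]:
            pc = WAIT_NUMBER
    elif pc == WAIT_NUMBER:                     # wait until number[j]=0 or (number[j],j) >= (number[i],i)
        nj = number[j]                          # re-read atomically on every spin
        if nj == 0 or (nj, j) >= (m + 1, i):
            pc, j = WAIT_CHOOSING, j + 1
    elif pc == CRITICAL:
        pc = EXIT
    elif pc == EXIT:
        number[i] = 0
        pc = DONE
    else:
        return None
    procs = procs[:i] + ((pc, j, m, ahead),) + procs[i + 1:]
    return (tuple(choosing), tuple(number), procs)


def explore(n, use_choosing=True):
    """Depth-first search over all interleavings of n single-round processes.

    Returns (number of reachable states, list of (property, state) violations)."""
    start = initial_state(n)
    seen, stack, violations = {start}, [start], []
    while stack:
        state = stack.pop()
        procs = state[2]
        in_cs = [k for k, p in enumerate(procs) if p[0] == CRITICAL]
        if len(in_cs) > 1:
            violations.append(("mutual exclusion", state))
        for k in in_cs:
            # FCFS: whoever left the doorway before k entered it must already be past CRITICAL
            if any(procs[a][0] < CRITICAL for a in procs[k][3]):
                violations.append(("FCFS", state))
        for i in range(n):
            succ = step(state, i, use_choosing)
            if succ is not None and succ not in seen:
                seen.add(succ)
                stack.append(succ)
    return len(seen), violations


if __name__ == "__main__":
    for n in (2, 3):
        count, bad = explore(n)
        print(f"n={n}: {count} reachable states, {len(bad)} violations")
    # Sanity check of the checker itself: without the choosing flag the
    # algorithm is known to be broken, and the search must find the overlap.
    _, bad = explore(2, use_choosing=False)
    print("without choosing:", sorted({kind for kind, _ in bad}))
```

The search is only sound for the finite instance it explores (n processes, one round each), so it complements rather than replaces the general proof; its value here is that the exact point of the atomic-access assumption becomes visible, since every state transition is one read or one write, which is what the durative semantics of Section 3 relaxes.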