Results 1  10
of
87
Specifying and Using a Partitionable Group Communication Service
 ACM TRANSACTIONS ON COMPUTER SYSTEMS
, 1997
"... Group communication services are becoming accepted as effective building blocks for the construction of faulttolerant distributed applications. Many specifications for group communication services have been proposed. However, there is still no agreement about what these specifications should say ..."
Abstract

Cited by 113 (21 self)
 Add to MetaCart
(Show Context)
Group communication services are becoming accepted as effective building blocks for the construction of faulttolerant distributed applications. Many specifications for group communication services have been proposed. However, there is still no agreement about what these specifications should say, especially in cases where the services are partitionable, that is, where communication failures may lead to simultaneous creation of groups with disjoint memberships, such that each group is unaware of the existence of any other group. In this paper
Liveness in Timed and Untimed Systems
, 1994
"... When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness c ..."
Abstract

Cited by 91 (18 self)
 Add to MetaCart
(Show Context)
When proving the correctness of algorithms in distributed systems, one generally considers safety conditions and liveness conditions. The Input/Output (I/O) automaton model and its timed version have been used successfully, but have focused on safety conditions and on a restricted form of liveness called fairness. In this paper we develop a new I/O automaton model, and a new timed I/O automaton model, that permit the verification of general liveness properties on the basis of existing verification techniques. Our models include a notion of environmentfreedom which generalizes the idea of receptiveness of other existing formalisms, and enables the use of compositional verification techniques.
Testing Timed Automata
 IN B. JONSSON AND J. PARROW (EDS.), PROC. FTRTFT'96, LNCS 1135
, 1996
"... We present a generalization of the classical theory of testing for Mealy machines to a setting of dense realtime systems. A model of timed I/O automata is introduced, inspired by the timed automaton model of Alur and Dill, together with a notion of test sequence for this model. Our main contributio ..."
Abstract

Cited by 85 (3 self)
 Add to MetaCart
We present a generalization of the classical theory of testing for Mealy machines to a setting of dense realtime systems. A model of timed I/O automata is introduced, inspired by the timed automaton model of Alur and Dill, together with a notion of test sequence for this model. Our main contribution is a test generation algorithm for blackbox conformance testing of timed I/O automata. Although it is highly exponential and cannot be claimed to be of practical value, it is the first algorithm that yields a finite and complete set of tests for dense realtime systems.
EventuallySerializable Data Services
, 1996
"... We present a new specification for distributed data services that tradeoff immediate consistency guarantees for improved system availability and efficiency, while ensuring the longterm consistency of the data. An eventualIyserializable data service maintains the operations requested in a partial ..."
Abstract

Cited by 64 (13 self)
 Add to MetaCart
We present a new specification for distributed data services that tradeoff immediate consistency guarantees for improved system availability and efficiency, while ensuring the longterm consistency of the data. An eventualIyserializable data service maintains the operations requested in a partial order that gravitates over time towards a total order. It provides clear and unambiguous guarantees about the immediate and longterm behavior of the system. To demonstrate its utility, we present an algorithm, based on one of Ladin, Liskov, Shrira, and Ghemawat [12], that implements this specification. Our algorithm provides the interface of the abstract service, and generalizes their algorithm by allowing general operations and greater flexibility in specifying consistency requirements. We also describe how to use this specification as a building block for applications such as directory services.
The Theory of Timed I/O Automata
, 2003
"... This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a no ..."
Abstract

Cited by 63 (29 self)
 Add to MetaCart
(Show Context)
This paper presents the Timed Input/Output Automaton (TIOA) modeling framework, a basic mathematical framework to support description and analysis of timed systems. An important feature of this model is its support for decomposing timed system descriptions. In particular, the framework includes a notion of external behavior for a timed I/O automaton, which captures its discrete interactions with its environment. The framework also denes what it means for one TIOA to implement another, based on an inclusion relationship between their external behavior sets, and de nes notions of simulations, which provide sucient conditions for demonstrating implementation relationships. The framework includes a composition operation for TIOAs, which respects external behavior, and a notion of receptiveness, which implies that a TIOA does not block the passage of time. The TIOA framework supports the statement and verication of safety and liveness properties for timed systems. It denes what it means for a property to be a safety or a liveness property, includes basic results about safetyliveness classication, and
Verification of an Audio Control Protocol
 FORMAL TECHNIQUES IN REALTIME AND FAULTTOLERANT SYSTEMS
, 1994
"... We analyze a simple version of a protocol developed by Philips for the physical layer of an interface bus that connects the various devices of some stereo equipment (tuner, CD player,...). The protocol, which uses Manchester encoding, has to deal with a significant uncertainty in the timing of event ..."
Abstract

Cited by 56 (7 self)
 Add to MetaCart
(Show Context)
We analyze a simple version of a protocol developed by Philips for the physical layer of an interface bus that connects the various devices of some stereo equipment (tuner, CD player,...). The protocol, which uses Manchester encoding, has to deal with a significant uncertainty in the timing of events, due to both hardware and software constraints. We present a formal specification of the protocol, and a proof of correctness for the case where the tolerance of the clocks used within the system is less than 1/17 . A counterexample shows that the protocol fails for tolerances greater than or equal to this value. The verification is carried out using a model of linear hybrid systems, which is similar to the phase transition system model of Manna and Pnueli, and the model of linear hybrid automata of Alur, Henzinger and Ho. The semantics of linear hybrid systems is defined via a translation to the timed I/O automata model of Lynch and Vaandrager.
Verification of the Randomized Consensus Algorithm of Aspnes and Herlihy: a Case Study
, 1997
"... The Probabilistic I/O Automaton model of [20] is used as the basis for a formal presentation and proof of the randomized consensus algorithm of Aspnes and Herlihy. The algorithm guarantees termination within expected polynomial time. ..."
Abstract

Cited by 50 (10 self)
 Add to MetaCart
The Probabilistic I/O Automaton model of [20] is used as the basis for a formal presentation and proof of the randomized consensus algorithm of Aspnes and Herlihy. The algorithm guarantees termination within expected polynomial time.
TAME: Using PVS strategies for specialpurpose theorem proving
 Annals of Mathematics and Arti cial Intelligence
, 2000
"... TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, LynchVaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theo ..."
Abstract

Cited by 48 (14 self)
 Add to MetaCart
(Show Context)
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, LynchVaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata speci cations using the templates. Use of the TAME strategies simpli es the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for \automatic " proof and strategies designed to implement \natural " proof steps, i.e., proof steps that mimic the highlevel steps in typical natural language proofs. TAME's \natural " proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and e ciency in userde ned strategies such asthose used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of speci cations and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional \natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing RealTime Systems
 In RTSS 2003: The 24th IEEE International RealTime Systems Symposium, Cancun,Mexico
, 2003
"... We describe the Timed Input/Output Automata (TIOA) framework, a general mathematical framework for modeling and analyzing realtime systems. It is based on timed I/O automata, which engage in both discrete transitions and continuous trajectories. The framework includes a notion of external behavior, ..."
Abstract

Cited by 44 (15 self)
 Add to MetaCart
(Show Context)
We describe the Timed Input/Output Automata (TIOA) framework, a general mathematical framework for modeling and analyzing realtime systems. It is based on timed I/O automata, which engage in both discrete transitions and continuous trajectories. The framework includes a notion of external behavior, and notions of composition and abstraction. We define safety and liveness properties for timed I/O automata, and a notion of receptiveness, and prove basic results about all of these notions. The TIOA framework is defined as a special case of the new Hybrid I/O Automata (HIOA) modeling framework for hybrid systems. Specifically, a TIOA is an HIOA with no external variables; thus, TIOAs communicate via shared discrete actions only, and do not interact continuously. This restriction is consistent with previous realtime system models, and gives rise to some simplifications in the theory (compared to HIOA). The resulting model is expressive enough to describe complex timing behavior, and to express the important ideas of previous timed automata frameworks.
Action Transducers and Timed Automata
 Formal Aspects of Computing
, 1996
"... The timed automaton model of [LV92, LV93] is a general model for timingbased systems. A notion of timed action transducer is here defined as an automatatheoretic way of representing operations on timed automata. It is shown that two timed trace inclusion relations are substitutive with respect to ..."
Abstract

Cited by 39 (13 self)
 Add to MetaCart
The timed automaton model of [LV92, LV93] is a general model for timingbased systems. A notion of timed action transducer is here defined as an automatatheoretic way of representing operations on timed automata. It is shown that two timed trace inclusion relations are substitutive with respect to operations that can be described by timed action transducers. Examples are given of operations that can be described in this way, and a preliminary proposal is given for an appropriate language of operators for describing timingbased systems.