Abstract not found

A rely/guarantee specification for a program P is a specification of the form R oe G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees to provide in return. This paper presents a proof technique that permits us to infer that a program P satisfies a rely/guarantee specification R oe G, given that we know P satisfies a finite collection of rely/guarantee specifications R i oe G i ; (i 2 I). The utility of the proof technique is illustrated by using it to derive global liveness properties of a system of concurrent processes from a collection of local liveness properties satisfied by the component processes. The use of the proof rule as a design principle, and the possibility of its incorporation into a formal logic of rely/guarantee assertions, is also discussed. 1 Introduction A rely/guarantee specification for a program P...

this paper were first presented at the "IEEE Symposium on Logic in Computer Science," Ithaca, New York, June 1987

The replacement of parts of software systems is an important aspect of programming methodology. Most of the research in this area has centered around support for modular construction and the clear separation of interface from implementation. The emphasis has been on producing easily modified static program structures.

The method of simulations is an important technique for reasoning about real-time and other timing-based systems. It is adapted from an analogous method for untimed systems. This paper presents the simulation method in the context of a very general automaton (i.e., labelled transition system) model for timing-based systems. Sketches are presented of several typical examples for which the method has been used successfully. Other complementary tools are also described, in particular, invariants for safety proofs, progress functions for timing proofs, and execution correspondences for liveness proofs.

) Eugene W. Stark y Abstract The lack of expressive power of temporal logic as a specification language can be compensated to a certain extent by the introduction of powerful, high-level temporal operators, which are difficult to understand and reason about. A more natural way to increase the expressive power of a temporal specification language is by introducing conceptual state variables, which are auxiliary (unimplemented) variables whose values serve as an abstract representation of the internal state of the process being specified. The kind of specifications resulting from the latter approach are called conceptual state specifications. This paper considers a central problem in reasoning about conceptual state specifications: the problem of proving entailment between specifications. A technique, based on the notion of simulation between machines, is shown to be sound for proving entailment. A kind of completeness result can also be shown, if specifications are assumed to satisf...

this paper we consider assume-guarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in 8CTL and 8CTL

Jennifer Lundelius Welch Leslie Lamport Digital Equipment Corporation, Systems Research Center Abstract: rithms are often hard to prove correct because they have no natural decomposition into separately provable parts. This paper presents a proof technique for the modular verification of such non-modular algorithms. It generalizes existing verification techniques based on a totally-ordered hierarchy of refinements to allow a partiallyordered hierarchy--that is; a lattice of different views of the algorithm. The technique is applied to the well-known distributed minimum spanning tree algorithm of Gallager, Humblet and Spira, which has until recently lacked a rigorous proof. 1.

Simulation-based assertional techniques and process algebraic techniques are two of the major methods that have been proposed for the verification of concurrent and distributed systems. It is shown how each of these techniques can be applied to the task of verifying systems described as input/output automata; both safety and liveness properties are considered. A small but typical circuit is verified in both of these ways, first using forward simulations, an execution correspondence lemma, and a simple fairness argument, and second using deductions within the process algebra DIOA for I/O automata. An extended evaluation and comparison of the two methods is given.

. A dense temporal logic development method for the specification, refinement, composition and verification of reactive systems is introduced. A reactive system is specified by a pair consisting of a machine and a condition that indicate the valid computations of this machine. Compositionality is achieved by adding to each machine step whether it is a environment, system or communication step. Refinement can be expressed straightforward in the logic because the stutter problem is elegantly solved by using the dense structure of the logic. Compositionality enables us to break refinement between complex systems into refinement between small and simple systems. The latter can then be verified by existing proof rules for refinement which are reformulated in our formalism. 1. Introduction We present a compositional refinement method for reactive systems. A system is called reactive if it maintains some ongoing interaction with its environment, for example an operating system. This contrast...