Group Communication Specifications: A Comprehensive Study
ACM Computing Surveys, 1999
Cited by 284 (12 self)
View-oriented group communication is an important and widely used building block for many distributed applications. Much current research has been dedicated to specifying the semantics and services of view-oriented Group Communication Systems (GCSs). However, the guarantees of different GCSs are formulated using varying terminologies and modeling techniques, and the specifications vary in their rigor. This makes it difficult to analyze and compare the different systems. This paper provides a comprehensive set of clear and rigorous specifications, which may be combined to represent the guarantees of most existing GCSs. In the light of these specifications, over thirty published GCS specifications are surveyed. Thus, the specifications serve as a unifying framework for the classification, analysis and comparison of group communication systems. The survey also discusses over a dozen different applications of group communication systems, shedding light on the usefulness of the p...
Forward and Backward Simulations - Part II: Timing-Based Systems
Information and Computation, 1995
Cited by 77 (26 self)
A general automaton model for timing-based systems is presented and is used as the context for developing a variety of simulation proof techniques for such systems. These techniques include (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. These results are (with one exception) analogous to the results for untimed systems in Part I of this paper. In fact, many of the results for the timed case are obtained as consequences of the analogous results for the untimed case.
Mechanical Verification of Timed Automata: A Case Study
In Proc. 1996 IEEE Real-Time Technology and Applications Symp. (RTAS'96), IEEE Computer, 1996
Cited by 29 (9 self)
This paper reports the results of a case study on the feasibility of developing and applying mechanical methods, based on the proof system PVS, to prove propositions about real-time systems specified in the Lynch-Vaandrager timed automata model. In using automated provers to prove propositions about systems described by a specific mathematical model, both the proofs and the proof process can be simplified by exploiting the special properties of the mathematical model. Because both specifications and methods of reasoning about them tend to be repetitive, the use of a standard template for specifications, accompanied by standard shared theories and standard proof strategies or tactics, is often feasible. Presented are the PVS specification of three theories that underlie the timed automata model, a template for specifying timed automata models in PVS, and an example of its instantiation. Both hand proofs and the corresponding PVS proofs of two propositions are provided to illustrate h...
The IOA Language and Toolset: Support for Designing, Analyzing, and Building Distributed Systems
1998
Cited by 25 (8 self)
This report describes a new language for distributed programming, the IOA language, together with a high-level design and preliminary implementation for a suite of tools, the IOA toolset, to support the production of high-quality distributed software. The language and tools are based on the I/O automaton model, which has been used to describe and verify distributed algorithms. The toolset supports a development process that begins with a high-level specification, refines that specification via successively more detailed designs, and ends by automatically generating distributed programs. The toolset encourages system decomposition, which helps make distributed programs understandable and easy to modify. It also provides a variety of validation methods (theorem proving, model checking, and simulation), which can be used to ensure that the generated programs are correct, subject to assumptions about externally-provided system services (e.g., communication services), and about the correctness of hand-coded data type implementations.
I/O Automata in Isabelle/HOL
Types for Proofs and Programs, volume 996 of Lecture Notes in Computer Science, 1995
Cited by 21 (2 self)
We have embedded the meta-theory of I/O automata, a model for describing and reasoning about distributed systems, in Isabelle's version of higher-order logic. On top of that, we have specified and verified a recent network transmission protocol which achieves reliable communication using single-bit-header packets over a medium which may reorder packets arbitrarily.

1 Introduction

This paper describes a formalization of Input/Output automata (IOA), a particular model for concurrent and distributed discrete event systems due to Lynch and Tuttle [9], inside Isabelle/HOL, a theorem prover for higher-order logic [12]. The motivation for our work is twofold:
- The verification of distributed systems is a challenging application for formal methods because in that area informal arguments are notoriously unreliable.
- This area is doubly challenging for interactive general purpose theorem provers because model-checking [4] already provides a successful automatic approach to the ver...
Partitionable Virtual Synchrony Using Extended Virtual Synchrony
2001
Cited by 15 (2 self)
View-oriented group communication systems (GCSs) are powerful tools for building distributed applications. Over the past fifteen years, group communication researchers developed a multitude of group communication semantics and implementations. Today, researchers commonly design their group communication algorithms on top of simple existing services such as a network membership service or a reliable FIFO multicast framework. A natural extension of this idea is to implement one set of group communication semantics using another. This approach is not usually utilized due to the expensive overhead of running one set of group communication algorithms on top of another.
Traces of I/O-Automata in Isabelle/HOLCF
TAPSOFT'97: Theory and Practice of Software Development, volume 1214 of LNCS, 1997
Cited by 14 (5 self)
This paper presents a formalization of finite and infinite sequences in domain theory carried out in the theorem prover Isabelle. The results
Computer-Assisted Verification of an Algorithm for Concurrent Timestamps
Formal Description Techniques IX: Theory, Applications, and Tools (FORTE/PSTV'96: Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols, and Protocol Specification, Testing, and Verification), 1996
Cited by 7 (4 self)
A formal representation and machine-checked proof are given for the Bounded Concurrent Timestamp (BCTS) algorithm of Dolev and Shavit. The proof uses invariant assertions and a forward simulation mapping to a corresponding Unbounded Concurrent Timestamp (UCTS) algorithm, following a strategy developed by Gawlick, Lynch, and Shavit. The proof was produced interactively, using the Larch Prover.

Keywords: Verification, validation and testing; tools and tool support; Larch; input/output automata; concurrent timestamps

1 INTRODUCTION

In this paper, we describe a computer-assisted verification, using the Larch Prover (Garland and Guttag, 1991), of one of the most complicated algorithms in the distributed systems theory literature: the Bounded Concurrent Timestamp (BCTS) algorithm of Dolev and Shavit (1989). This algorithm runs in the single-writer, multi-reader, read/write shared memory model. The verified algorithm is a slight simplification, due to Gawlick, Lynch, and Shavit (1992), of t...
Verifiable Code Generation from Abstract I/O Automata Models for Distributed Computing
2001
Cited by 4 (0 self)
I/O Automata Models for Distributed Computing. Submitted by: Joshua A. Tauber, NE43-369, Cambridge, MA 02139. Date of submission: March 21, 2001. Expected Date of Completion: May 2002. Laboratory where thesis will be done: Laboratory for Computer Science.

Brief Statement of the Problem: Reasoning about and building distributed systems is notoriously difficult. I/O automata provide a simple mathematical basis for formally modeling and understanding distributed systems. Using a rich set of proof techniques, I/O automata have been used to verify a wide variety of distributed systems and algorithms and to express and prove several impossibility results. IOA is a formal language for describing I/O automata that has been introduced to promote I/O automata-based techniques and to support an integrated software development environment for distributed systems. This environment, the IOA toolset, will support algorithm design, development, testing, and formal verification using automated tools. The toolset connects I/O automata together with both lightweight (syntax checkers, simulators, model checkers) and heavyweight (theorem provers) tools.
The IOA Language and Toolset: Support for Mathematics-Based Distributed Programming
1998
Cited by 3 (0 self)
This paper presents a new language for distributed programming, the IOA language, together with a design for a suite of tools, the IOA toolset, that support the production of high-quality distributed software. The language and tools are based on the I/O automaton model, which has been used extensively to describe and verify distributed algorithms. The toolset supports a development process that begins with a high-level specification, refines that specification via successively more detailed designs, and ends by automatically generating efficient distributed programs. The toolset encourages system decomposition, which helps make distributed programs understandable and easy to modify. Most importantly, it provides a variety of validation methods (theorem proving, model checking, and simulation), which can be used to ensure that the generated programs are correct, subject to stated assumptions about externally-provided system services (e.g., communication services).

Keywords: Distribut...

