We give a comprehensive and unifying survey of the theoretical aspects of Temporal and modal logic.

A rely/guarantee specification for a program P is a specification of the form R oe G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees to provide in return. This paper presents a proof technique that permits us to infer that a program P satisfies a rely/guarantee specification R oe G, given that we know P satisfies a finite collection of rely/guarantee specifications R i oe G i ; (i 2 I). The utility of the proof technique is illustrated by using it to derive global liveness properties of a system of concurrent processes from a collection of local liveness properties satisfied by the component processes. The use of the proof rule as a design principle, and the possibility of its incorporation into a formal logic of rely/guarantee assertions, is also discussed. 1 Introduction A rely/guarantee specification for a program P...

. There is a growing need for reliable methods of designing correct reactive systems such as computer operating systems and air traffic control systems. It is widely agreed that certain formalisms such as temporal logic, when coupled with automated reasoning support, provide the most effective and reliable means of specifying and ensuring correct behavior of such systems. This paper discusses known complexity and expressiveness results for a number of such logics in common use and describes key technical tools for obtaining essentially optimal mechanical reasoning algorithms. However, the emphasis is on underlying intuitions and broad themes rather than technical intricacies. 1 Introduction There is a growing need for reliable methods of designing correct reactive systems. These systems are characterized by ongoing, typically nonterminating and highly nondeterministic behavior. Examples include operating systems, network protocols, and air traffic control systems. There is w...

) Eugene W. Stark y Abstract The lack of expressive power of temporal logic as a specification language can be compensated to a certain extent by the introduction of powerful, high-level temporal operators, which are difficult to understand and reason about. A more natural way to increase the expressive power of a temporal specification language is by introducing conceptual state variables, which are auxiliary (unimplemented) variables whose values serve as an abstract representation of the internal state of the process being specified. The kind of specifications resulting from the latter approach are called conceptual state specifications. This paper considers a central problem in reasoning about conceptual state specifications: the problem of proving entailment between specifications. A technique, based on the notion of simulation between machines, is shown to be sound for proving entailment. A kind of completeness result can also be shown, if specifications are assumed to satisf...

This thesis investigates a particular approach, called state-transition specification, to the problem of describing the behavior of modules in a distributed or concurrent computer ,stem. A state-transition specification consists off (1) a state machine, which incorporates the safety or invariance properties of the module, and (2) validity conditions on the computations of the machine, which'capture the desired liveness or eventu;lity properties. The theory and techniques of state. transition specification are developed'from first principles to a point at which it is possible to write example sPeCificatiOns,'to check-the Specifications for coraiatency, and to perform correctlse examples.

We use an event-driven process model to specify a version of the High-Level Data Link Control (HDLC) protocol between two communicating protocol entities. The protocol is verified using the method of projections. The verification serves as a rigorous exercise to demonstrate the applicability of this method to the analysis of real-life communication protocols. The HDLC protocol has two characteristics found in most real-life communication protocols. First, the HDLC protocol operates under real-time constraints that are important not only for its performance but also for its correct logical behavior. We specify this real-time behavior using time variables and time events. Second, the HDLC protocol has three distinguishable functions: connection management, and one-way data transfers between the protocol entities. For each of these functions, we construct an image protocol using the method of projections. With each image protocol we obtain inductively complete invariant assertions that state various desirable logical safety properties. From the properties of image protocols it follows that these safety properties as proved for the image protocols are also satisfied by the HDLC protocol presented herein. We also suggest a minor modification to HDLC that will make it well-structured.

Many communication protocols can be observed to go through different phases performing a distinct function in each phase. A multiphase model for such protocols is presented. A phase is formally defined to be a network of communicating finite-state machines with certain desirable correctness properties; these include proper termination and freedom from deadlocks and unspecified receptions. A multifunction protocol is constructed by first constructing separate phases to perform its different functions. It is shown how to connect these phases together to realize the multifunction protocol so that the resulting network of communicating finite state machines is also a phase (i.e., it possesses the desirable properties defined for phases). The modularity inherent in multiphase protocols facilitates not only their construction hut also their understanding and modification. An abundance of protocols have been found in the literature that can be constructed as multiphase protocols. Three examples are presented here: two versions of IBM’s BSC protocol for data link control and a token ring network protocol.

Abstract. NPLCS’s are a new model for nondeterministic channel systems where unreliable communication is modeled by probabilistic message losses. We show that, for ω-regular linear-time properties and finite-memory schedulers, qualitative model-checking is decidable. The techniques extend smoothly to questions where fairness restrictions are imposed on the schedulers. The symbolic procedure underlying our decidability proofs has been implemented and used to study a simple protocol handling two-way transfers in an unreliable setting. 1