PSL is a framework for describing dynamic and architectural properties of open systems. PSL extends established interface-based tactics for describing the functional properties of open systems to the realm of protocol description. PSL specifications consist of logical and temporal rules relating situations, each of which describes potential states with respect to instances of interfaces, their attributes, and the issuance and reception of events. PSL accommodates refinement and extensibility of specifications along the three dimensions of interfaces, situations, and orderings. A specialized form, PSL/IDL describes protocols in CORBA systems. 1 Introduction An open system, in the technical sense [28, 1, 63] (not necessarily the commercial sense) is encapsulated, reactive, spatially extensible, and temporally extensible: Encapsulation. An open system is composed of possibly many components, each described by one or more public interfaces along with an otherwise inaccessible implementa...

A constraint is a relation among program variables that is maintained throughout execution. Type declarations and a very general form of aliasing can be expressed as constraints. A proof system based upon the interpretation of Hoare triples as temporal logic formulas is given for reasoning about programs with constraints. The proof system is shown to be sound and relatively complete, and example program proofs are given. 1 Introduction Type declarations and aliasing relations have traditionally been thought of as unrelated concepts. However, both can be viewed as specifying properties that do not change during program execution. This view leads to a uniform method for reasoning about types and aliasing in which the usual Hoare logic triples are regarded as temporal logic formulas. Aliasing two variables x and y means they always have the same value. This is usually implemented by allocating the same memory location to x # Work supported in part by the National Science Foundation unde...

We describe a mechanically checked correctness proof for a system of n processes, each running a simple, non-blocking counter algorithm. We prove that if the system runs longer than 5n steps, the counter is increased. The theorem is formalized in applicative Common Lisp and proved with the ACL2 theorem prover. The value of this paper lies not so much in the trivial algorithm addressed as in the method used to prove it correct. The method allows one to reason accurately about the behavior of a concurrent, multiprocess system by reasoning about the sequential computation carried out by a selected process, against a memory that is changed externally. Indeed, we prove general lemmas that allow shifting between the multiprocess and uniprocess views. We prove a safety property using a multiprocess view, project the property to a uniprocess view, and then prove a global progress property via a local, sequential computation argument. 1 Informal Discussion of the Problem Consider a system of ...

Graphical Interval Logic (GIL) is a temporal logic in which all reasoning is done by means of diagrammatic formulae. It is a discrete linear-time modal logic in which the basic temporal modality is the interval. Future Interval Logic (FIL) provides the logical foundation for GIL. In this paper we present an automata-theoretic decision procedure for FIL with complexity DTIME(2 O(n k ) ), where n is the size of the formula and k is the depth of interval nesting. For formulae with bounded depth but length unbounded, the satisfiability problem for FIL is shown to be PSPACE-complete. We believe that this is the first result giving a direct decision procedure of elementary complexity for an interval logic. We also show that the logic is transparent to finite stuttering over the class of !-sequences, a feature that is useful for composition and refinement. 1 Introduction A variety of temporal logics [4, 12, 18, 19, 28] have been devised for reasoning about temporal relationships. Exper...

Network concept In the AMp design, an abstraction of the underlying medium was made. Several reasons justified this option. One of them was the intention of showing that the protocol worked correctly as a LAN independent protocol: there would be no need to establish verifications for every LAN port. The other reason relevant to this paper was the fact that, by abstracting from the physical network, and instead replacing it by a set of properties representing the functionality required by the AMp, we have indeed reduced the complexity of the system to verify. It may be seen that the properties are fulfilled almost directly by a large set of standard LANs; assuming that existing VLSI circuits correctly implement the relevant MAC protocols, this seemed to be a reasonable approach, with regard to reliance in the correctness of implementation of the abstract network properties. The abstract network is defined as a set of nodes, each node having a source access point and a destination acces...

this paper, we show that there is a real di#erence between control predicates and dummy variables. Although dummy variables can represent the control state, the implicit nature of this representation limits their utility. The use of explicit control predicates allows a strengthening of the ordinary Owicki-Gries method that makes it easier to write annotations. Our strengthening of the Owicki-Gries method eliminates a well-known weakness in the original method. Assertional methods for proving safety properties involve proving the invariance of an assertion. In the Ashcroft method [1], one writes a single global assertion; in the Owicki-Gries method, the global assertion is decomposed into an annotation of the program. It often happens that when the global invariant used in an Ashcroft-method proof is decomposed in the obvious way, the original Owicki-Gries method cannot prove its invariance; a di#erent and often more complicated annotation must be used. This is not the case with the strengthened version. If the Ashcroft method can prove invariance of a global assertion, then the strengthened Owicki-Gries method can prove the invariance of the corresponding annotation. Strengthening the Owicki-Gries method makes it easier to construct proofs; it does not change what can be proved. The global invariant used in an Ashcroft-style proof can always be translated into a proof with the original Owicki-Gries method by simply attaching the global invariant to all control points, though of course this defeats the whole purpose of the method, which is to decompose the invariant. Moreover, even though the original Owicki-Gries method fails on one simple decomposition of the invariant, there may be another equally simple decomposition for which it does work. What we claim is that usin...

. Real-Time Future Interval Logic is a visual logic in which formulae have a natural graphical representation, resembling timing diagrams. It is a dense real-time temporal logic that is based on two simple temporal primitives: interval modalities for the purely qualitative part and duration predicates for the quantitative part. We give a decision procedure for the logic by reduction to the emptiness problem for Timed Buchi Automata. The decision procedure forms the core of a proof checker for the logic that we have recently implemented. The logic does not admit instantaneous states, and is invariant under realtime stuttering. These properties facilitate proof methods based on abstraction and refinement. Two natural extensions of the logic lead to non-elementariness and undecidability. 1 Introduction Specifications of concurrent systems tend to be very complex. Much of this complexity stems from specifications that apply only in particular situations. Such specifications must define no...

Abstract not found

As the size of a formal model increases, state space analysis becomes more complex in terms of time or space or both. This complexity means that state space analysis of a formal model is often practically impossible, even for a modest sized system. Recently techniques to reduce the complexity have done so by taking advantage of the structure built into the model by the designer (e.g. [16]). In a similar vein we plan to take advantage of the incremental specification that is found in many formal models. This paper examines a number of case studies to determine the various types of incremental change that are used in practice and presents a sketch of an incremental state space generation algorithm. 1 Introduction One of the major benefits of developing a formal model is that it can be analysed. The ultimate goal of analysing a model is to show that the system will work correctly, or to find out why it will not work in order to make appropriate modifications. A formal model is analysed f...

Language design involves the construction of a mathematical model of meanings, together with the construction of an abstract syntax for representing those meanings, followed by the reduction of the latter to a concrete syntax. Unfortunately, this activity seems subject to a weak "Sapir-Whorf" influence: the optimization of syntax, which is necessary to make it easy to say things clearly, affects attitudes about what should be expressed, which feeds back into the construction and understanding of semantic domains. This interaction between syntax and semantics can be reduced by having more than one style of representation. Then, a superficially appealing simplification in one syntax may be seen to lead to complications in another; but a modification that makes things clearer across different views is more likely to indicate a genuine simplification in semantics. This process is illustrated through the prototype design of an eventflow specification and programming language. 1 Introductio...