Results 1 - 10 of 14
A theory of action for multiagent planning
In The Proceedings of the Fourth National Conference on Artificial Intelligence, 1984
Abstract

Cited by 65 (0 self)
A theory of action suitable for reasoning about events in multiagent or dynamically changing environments is presented. A device called a process model is used to represent the observable behavior of an agent in performing an action. This model is more general than previous models of action, allowing sequencing, selection, nondeterminism, iteration, and parallelism to be represented. It is shown how this model can be utilized in synthesizing plans and reasoning about concurrency. In particular, conditions are derived for determining whether or not concurrent actions are free from mutual interference. It is also indicated how this theory provides a basis for understanding and reasoning about action sentences in both natural and programming languages.
Interface-Based Protocol Specification of Open Systems using PSL
1994
Abstract

Cited by 27 (0 self)
PSL is a framework for describing dynamic and architectural properties of open systems. PSL extends established interface-based tactics for describing the functional properties of open systems to the realm of protocol description. PSL specifications consist of logical and temporal rules relating situations, each of which describes potential states with respect to instances of interfaces, their attributes, and the issuance and reception of events. PSL accommodates refinement and extensibility of specifications along the three dimensions of interfaces, situations, and orderings. A specialized form, PSL/IDL, describes protocols in CORBA systems. 1 Introduction An open system, in the technical sense [28, 1, 63] (not necessarily the commercial sense), is encapsulated, reactive, spatially extensible, and temporally extensible: Encapsulation. An open system is composed of possibly many components, each described by one or more public interfaces along with an otherwise inaccessible implementa...
A Mechanically Checked Proof of a Multiprocessor Result via a Uniprocessor View
Formal Methods in System Design, 1999
Abstract

Cited by 14 (6 self)
We describe a mechanically checked correctness proof for a system of n processes, each running a simple, nonblocking counter algorithm. We prove that if the system runs longer than 5n steps, the counter is increased. The theorem is formalized in applicative Common Lisp and proved with the ACL2 theorem prover. The value of this paper lies not so much in the trivial algorithm addressed as in the method used to prove it correct. The method allows one to reason accurately about the behavior of a concurrent, multiprocess system by reasoning about the sequential computation carried out by a selected process, against a memory that is changed externally. Indeed, we prove general lemmas that allow shifting between the multiprocess and uniprocess views. We prove a safety property using a multiprocess view, project the property to a uniprocess view, and then prove a global progress property via a local, sequential computation argument. 1 Informal Discussion of the Problem Consider a system of ...
Constraints: A Uniform Approach to Aliasing and Typing
In Proceedings of the Twelfth ACM Symposium on Principles of Programming Languages, ACM SIGACT-SIGPLAN, 1984
Abstract

Cited by 14 (5 self)
A constraint is a relation among program variables that is maintained throughout execution. Type declarations and a very general form of aliasing can be expressed as constraints. A proof system based upon the interpretation of Hoare triples as temporal logic formulas is given for reasoning about programs with constraints. The proof system is shown to be sound and relatively complete, and example program proofs are given. 1 Introduction Type declarations and aliasing relations have traditionally been thought of as unrelated concepts. However, both can be viewed as specifying properties that do not change during program execution. This view leads to a uniform method for reasoning about types and aliasing in which the usual Hoare logic triples are regarded as temporal logic formulas. Aliasing two variables x and y means they always have the same value. This is usually implemented by allocating the same memory location to x
# Work supported in part by the National Science Foundation unde...
An Automata-Theoretic Decision Procedure for Future Interval Logic
Proceedings of the Twelfth Conference on Foundations of Software Technology and Theoretical Computer Science, 1992
Abstract

Cited by 9 (7 self)
Graphical Interval Logic (GIL) is a temporal logic in which all reasoning is done by means of diagrammatic formulae. It is a discrete linear-time modal logic in which the basic temporal modality is the interval. Future Interval Logic (FIL) provides the logical foundation for GIL. In this paper we present an automata-theoretic decision procedure for FIL with complexity DTIME(2^{O(n^k)}), where n is the size of the formula and k is the depth of interval nesting. For formulae with bounded depth but unbounded length, the satisfiability problem for FIL is shown to be PSPACE-complete. We believe that this is the first result giving a direct decision procedure of elementary complexity for an interval logic. We also show that the logic is transparent to finite stuttering over the class of ω-sequences, a feature that is useful for composition and refinement.
Control Predicates are Better than Dummy Variables for Reasoning about Program Control
1987
Abstract

Cited by 9 (0 self)
In this paper, we show that there is a real difference between control predicates and dummy variables. Although dummy variables can represent the control state, the implicit nature of this representation limits their utility. The use of explicit control predicates allows a strengthening of the ordinary Owicki-Gries method that makes it easier to write annotations. Our strengthening of the Owicki-Gries method eliminates a well-known weakness in the original method. Assertional methods for proving safety properties involve proving the invariance of an assertion. In the Ashcroft method [1], one writes a single global assertion; in the Owicki-Gries method, the global assertion is decomposed into an annotation of the program. It often happens that when the global invariant used in an Ashcroft-method proof is decomposed in the obvious way, the original Owicki-Gries method cannot prove its invariance; a different and often more complicated annotation must be used. This is not the case with the strengthened version. If the Ashcroft method can prove invariance of a global assertion, then the strengthened Owicki-Gries method can prove the invariance of the corresponding annotation. Strengthening the Owicki-Gries method makes it easier to construct proofs; it does not change what can be proved. The global invariant used in an Ashcroft-style proof can always be translated into a proof with the original Owicki-Gries method by simply attaching the global invariant to all control points, though of course this defeats the whole purpose of the method, which is to decompose the invariant. Moreover, even though the original Owicki-Gries method fails on one simple decomposition of the invariant, there may be another equally simple decomposition for which it does work. What we claim is that usin...
Formal Specification And Verification Of A Network Independent Atomic Multicast Protocol
1991
Abstract

Cited by 7 (7 self)
Network concept. In the AMp design, an abstraction of the underlying medium was made. Several reasons justified this option. One of them was the intention of showing that the protocol worked correctly as a LAN-independent protocol: there would be no need to establish verifications for every LAN port. The other reason relevant to this paper was the fact that, by abstracting from the physical network, and instead replacing it by a set of properties representing the functionality required by the AMp, we have indeed reduced the complexity of the system to verify. It may be seen that the properties are fulfilled almost directly by a large set of standard LANs; assuming that existing VLSI circuits correctly implement the relevant MAC protocols, this seemed to be a reasonable approach, with regard to reliance in the correctness of implementation of the abstract network properties. The abstract network is defined as a set of nodes, each node having a source access point and a destination acces...
A Real-Time Interval Logic and Its Decision Procedure
In Proc. 13th Conf. Foundations of Software Technology and Theoretical Computer Science, 1993
Abstract

Cited by 7 (5 self)
Real-Time Future Interval Logic is a visual logic in which formulae have a natural graphical representation, resembling timing diagrams. It is a dense real-time temporal logic that is based on two simple temporal primitives: interval modalities for the purely qualitative part and duration predicates for the quantitative part. We give a decision procedure for the logic by reduction to the emptiness problem for Timed Büchi Automata. The decision procedure forms the core of a proof checker for the logic that we have recently implemented. The logic does not admit instantaneous states, and is invariant under real-time stuttering. These properties facilitate proof methods based on abstraction and refinement. Two natural extensions of the logic lead to non-elementariness and undecidability. 1 Introduction Specifications of concurrent systems tend to be very complex. Much of this complexity stems from specifications that apply only in particular situations. Such specifications must define no...
Development of Concurrent Systems by Incremental Transformation
Abstract

Cited by 1 (0 self)
A formal development method for concurrent programs is proposed. It generalizes several variants of the stepwise refinement method often used in concurrency, in that not only atomicity refinements, but also arbitrary transformations, are taken into account. The method