Abstract not found

Abstract. We presentalogic of speci cations of reactive systems. The logic is independent of particular computational models, but it captures common patterns of reasoning with assumption-commitment speci cations. We use the logic for deriving proof rules for TLA and CTL speci cations. 1 Assumption-commitment speci cations Modularityisacentral concern in the design of speci cation methods. In general terms, modularity is the ability to reduce reasoning about a complete system to reasoning about its components. These components are not expected to operate in fully arbitrary environments. In the context of the complete system, each component can assume that its environment is to some extent well behaved, for instance that it adheres to certain communication protocols. Therefore, it is common to specify each component by describing both the function required of the component and the properties assumed of its environment. In the realm of sequential programs, for example, the requirements are postconditions and the

: The structure of High-level nets is studied from an algebraic and a logical point of view using Algebraic nets as an example. First the category of Algebraic nets is defined and the semantics given through an unfolding construction. Other kinds of Highlevel net formalisms are then presented. It is shown that nets given in these formalisms can be transformed into equivalent Algebraic nets. Then the semantics of nets in terms of universal constructions is discussed. A definition of Algebraic nets in terms of structured transition systems is proposed. The semantics of the Algebraic net is then given as a free completion of this structured transition system to a category. As an alternative also a sheaf semantics of nets is examined. Here the semantics of the net arises as a limit of a diagram of sheaves. Next Algebraic nets are characterized as encodings of special morphisms called foldings. Each algebraic net gives rise to a surjective morphism between Petri nets and conversely each sur...

this paper we describe TLA from a logical perspective; our description of TLA has three aspects: 1. As a logic, TLA has a precise syntax and semantics. We define these in the next section. Our intent is not to develop a new TLA, but rather to explain and to refine Lamport's definition of TLA [19]. 2. Like HOL [13] and other logics, TLA can serve for representing reactive systems in several styles. In particular, a specification may describe concurrent steps as interleaved or simultaneous; communication between components may be synchronous or asynchronous. We discuss a few styles in section 3. 3. Proofs in TLA rely on basic rules of temporal logic, rules for refinement, and rules for composition. We state the principal rules in sections 4 and 5. Following [7, 8], we show that some of them arise from general logical (or algebraic) considerations, largely independent of the details of TLA This paper is a self-contained presentation of TLA. It is however not a survey, in that it includes technical novelties and in that it is far from comprehensive. Lamport's original work on TLA [19] provides much additional, useful material, and in particular some motivation for the TLA approach and a proof system for TLA. Other papers discuss mechanical verification in TLA [11, 16], refinement and composition [6, 4], real-time systems and hybrid systems [5, 18, 12], and medium-size examples [20]. There are also works on PTLA [1, 29], a propositional logic based on a preliminary version of TLA. Finally, the logic TLR has many similarities with TLA [28]. 2 Mart'in Abadi and Stephan Merz 2 A Definition of TLA