Results 1 - 6 of 6
A Simple Approach to Specifying Concurrent Systems, 1988
Cited by 118 (7 self)
In the transition axiom method, safety properties of a concurrent system can be specified by programs; liveness properties are specified by assertions in a simple temporal logic. The method is described with some simple examples, and its logical foundation is informally explored through a careful examination of what it means to implement a specification. Language issues and other practical details are largely ignored.
Mechanical Verification of Concurrent Systems with TLA, 1992
Cited by 56 (12 self)
We describe an initial version of a system for mechanically checking the correctness proof of a concurrent system. Input to the system consists of the correctness properties, expressed in TLA (the temporal logic of actions), and their proofs, written in a humanly readable, hierarchically structured form. The system uses a mechanical verifier to check each step of the proof, translating the step's assertion into a theorem in the verifier's logic and its proof into instructions for the verifier. Checking is now done by LP (the Larch Prover), using two different translations: one for action reasoning and one for temporal reasoning. The use of additional mechanical verifiers is planned. Our immediate goal is a practical system for mechanically checking proofs of behavioral properties of a concurrent system; we assume ordinary properties of the data structures used by the system. 1 Introduction TLA, the Temporal Logic of Actions, is a logic for specifying and reasoning about concurrent s...
Proving Possibility Properties, 1998
Cited by 3 (0 self)
A method is described for proving "always possibly" properties of specifications in formalisms with linear-time trace semantics. It is shown to be relatively complete for TLA (Temporal Logic of Actions) specifications. Key words: Branching time, linear time, temporal logic. 1 Introduction Does proving possibility properties provide any useful information about a system? Why prove that it is possible for a user to press q on the keyboard and for a q subsequently to appear on the screen? We know that the user can always press the q key, and what good is knowing that a q might appear on the screen? Isn't it enough to prove that no q appears on the screen unless a q is typed (a safety property), and that, if a q is typed, then a q eventually does appear (a liveness property)? Although possibility properties may tell us nothing about a system, we do not reason about a system; we reason about a mathematical model of a system. A possibility property can provide a sanity check on our model. P...
Formal Methods For Real-Time Systems, 1996
Cited by 2 (0 self)
Model At this point, while the model is defined formally, the notion of event is not. The notion of event is an intuitive idea, and is meant to be identified with some occurrence of the system being modeled that is of interest to the user. While this is a useful idea, it is not a formal definition. The semantics of the previous section characterize an event by its properties, namely, what kind of event is it, and when does it happen. That information is sufficient for the RTM, and what follows. This section, however, will recast the model by attempting to give a more explicit definition of event, and show how the semantics can be built up from this definition. The definition in this section will not be referred to again in what follows though, and is intended primarily as an illustration that if necessary, the intuitive notion of event can be defined, although the intuitive notion may be more satisfying, and is more useful from the perspective of a specification writer. The abst...