Results 1 - 9 of 9
An Automata-Theoretic Approach to Modular Model Checking
, 1998
Cited by 13 (0 self)
In this paper we consider assume-guarantee specifications in which the guarantee is specified by branching temporal formulas. We distinguish between two approaches. In the first approach, the assumption is specified by branching temporal formulas too. In the second approach, the assumption is specified by linear temporal logic. We consider guarantees in ∀CTL and ∀CTL*
Deductive Verification of Modular Systems
- In Compositionality: The Significant Difference
, 1997
Cited by 10 (2 self)
Effective verification methods, both deductive and algorithmic, exist for the verification of global system properties. In this paper, we introduce a formal framework for the modular description and verification of parameterized fair transition systems. The framework allows us to apply existing global verification methods, such as verification rules and diagrams, in a modular setting. Transition systems and transition modules can be described by recursive module expressions, allowing the description of hierarchical systems of unbounded depth. Apart from the usual parallel composition, hiding and renaming operations, our module description language provides constructs to augment and restrict the module interface, capabilities that are essential for recursive descriptions. We present proof rules for property inheritance between modules. Finally, module abstraction and induction allow the verification of recursively defined systems. Our approach is illustrated with a recursively defined arbiter for which we verify mutual exclusion and eventual access.
Automated compositional proofs for real-time systems. Full version with appendices available online from http://www.elet.polimi.it/upload/furia
, 2005
Cited by 7 (4 self)
Abstract. We present a framework for formally proving that the composition of the behaviors of the different parts of a complex, real-time system ensures a desired global specification of the overall system. The framework is based on a simple compositional rely/guarantee circular inference rule, plus a small set of conditions concerning the integration of the different parts into a whole system. The reference specification language is the TRIO metric linear temporal logic. The novelty of our approach with respect to existing compositional frameworks — most of which do not deal explicitly with real-time requirements — consists mainly in its generality and abstraction from any assumptions about the underlying computational model and from any semantic characterizations of the temporal logic language used in the specification. Moreover, the framework deals equally well with continuous and discrete time. It is supported by a tool, implemented on top of the proof-checker PVS, to perform deduction-based verification through theorem-proving of modular real-time axiom systems. As an example of application, we show the verification of a real-time version of the old-fashioned but still relevant “benchmark” of the dining philosophers problem.
Denotational Semantics of Object Specification
- Acta Informatica
, 1998
Cited by 7 (3 self)
From an arbitrary temporal logic institution we show how to set up the corresponding institution of objects. The main properties of the resulting institution are studied and used in establishing a categorial, denotational semantics of several basic constructs of object specification, namely aggregation (parallel composition), interconnection, abstraction (interfacing) and monotonic specialization. A duality is established between the category of theories and the category of objects, as a corollary of the Galois correspondence between these concrete categories. The special case of linear temporal logic is analysed in detail in order to show that categorial products do reflect interleaving and reducts may lead to internal nondeterminism. Key words: object-orientation, system specification, temporal logic, institution, denotational semantics, duality. 1 Introduction The advantages of object-orientation in software engineering in general and system specification in particular...
Robust Satisfaction
, 1999
Cited by 5 (3 self)
In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system M and a property ψ, we say that M robustly satisfies ψ iff for every open system M′, which serves as an environment to M, the composition M‖M′ satisfies ψ. The problem of robust model checking is then to decide, given M and ψ, whether M robustly satisfies ψ. In this paper we study the robust-model-checking problem. We consider systems modeled by nondeterministic Moore machines, and properties specified by branching temporal logic (for linear temporal logic, robust satisfaction coincides with usual satisfaction). We show that the complexity of the problem is EXPTIME-complete for CTL and the μ-calculus, and is 2EXPTIME-complete for CTL*. We partition branching temporal logic formulas into three classes: universal, existential, and mixed formulas. We show that each class has different sensitivity to the robustness requirement. In particular, unless the formula is mixed, robust model checking can ignore nondeterministic environments. In addition, we show that the problem of classifying a CTL formula into these classes is EXPTIME-complete.
A Rely-guarantee Discipline for Open Distributed Systems Design
- Information Processing Letters
, 1999
Cited by 5 (2 self)
A number of authors have studied the design of distributed systems considering the existence of an environment over which little (if any) control is retained. Perhaps the most systematic of these studies suggest the use of rely and guarantee conditions that assert respectively what is assumed from the environment and what the system is committed to ensure as long as the assumptions hold, a refinement of the pre and post conditions adopted in sequential program design. We propose a new rely-guarantee discipline based on linear time future temporal connectives and show how it can be applied in designing open distributed systems.
Composing Invariants
, 2003
Cited by 3 (1 self)
We explore the question of the composition of invariance specifications in a context of formal methods applied to concurrent and reactive systems. Depending on how compositionality is stated and how invariants are defined, invariance specifications may or may not be compositional.
Verification of Open Systems
, 2006
In order to check whether an open system satisfies a desired property, we need to check the behavior of the system with respect to an arbitrary environment. In the most general setting, the environment is another open system. Given an open system M and a property ψ, we say that M robustly satisfies ψ iff for every open system M′, which serves as an environment to M, the composition M‖M′ satisfies ψ. The problem of robust model checking is then to decide, given M and ψ, whether M robustly satisfies ψ. In essence, robust model checking focuses on reasoning algorithmically about interaction. In this
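The definition shared by the two abstracts above (Robust Satisfaction and Verification of Open Systems) is concrete enough to execute on a toy. The following Python script is an added example, not code from either paper: it builds a two-state Moore machine M (a latch, constructed for this illustration), composes it synchronously with every deterministic Moore environment of at most two states and with the maximal nondeterministic environment, and runs a small set-based CTL checker on each composition. The two formulas are chosen to exercise the abstract's remark about mixed formulas: the universal formula AG(p → AX p) holds for every environment, while the mixed formula AG(EX EX p → AX AX p) holds for every deterministic environment yet fails as soon as the environment may pick its next output nondeterministically, so a sweep over deterministic environments alone would wrongly report robust satisfaction. The machines, the state bound and the formulas are all assumptions made for the example.

```python
"""Robust satisfaction on a toy: compose a Moore machine M with environments E
and check a CTL formula on M||E. Added example; the models are constructed."""
from itertools import product
from collections import deque

# A Moore machine is (init, out, delta): out[state] -> output bit,
# delta[(state, input_bit)] -> set of successor states (nondeterminism allowed).

# System M (constructed): a latch that outputs 1 once it has ever read a 1.
M = (0, {0: 0, 1: 1}, {(0, 0): {0}, (0, 1): {1}, (1, 0): {1}, (1, 1): {1}})

# Maximal environment (constructed): one state per output bit, and it may move
# to either state whatever M emits. This is the nondeterministic environment.
E_MAX = (0, {0: 0, 1: 1}, {(e, x): {0, 1} for e in (0, 1) for x in (0, 1)})

def deterministic_envs(max_states=2):
    """Every deterministic Moore environment with <= max_states states over {0,1}."""
    for k in range(1, max_states + 1):
        keys = [(e, x) for e in range(k) for x in (0, 1)]
        for outs in product((0, 1), repeat=k):
            for targets in product(range(k), repeat=len(keys)):
                yield (0, dict(enumerate(outs)), {key: {t} for key, t in zip(keys, targets)})

def compose(sysm, env):
    """Synchronous composition M||E as a Kripke structure over reachable pairs.
    Atom 'p' holds exactly in composed states whose M component outputs 1."""
    (s0, mout, mdelta), (e0, eout, edelta) = sysm, env
    init = (s0, e0)
    succ, queue = {}, deque([init])
    while queue:
        s, e = st = queue.popleft()
        if st in succ:
            continue
        # M reads E's current output, E reads M's current output, both step.
        succ[st] = {(s2, e2) for s2 in mdelta[(s, eout[e])] for e2 in edelta[(e, mout[s])]}
        queue.extend(succ[st])
    lab = {st: {'p'} if mout[st[0]] else set() for st in succ}
    return init, set(succ), succ, lab

# Tiny set-based CTL checker; assumes every state has at least one successor,
# which compose() guarantees because every delta entry above is non-empty.
def sat(ks, f):
    _, states, succ, lab = ks
    op = f[0]
    if op == 'atom':
        return {s for s in states if f[1] in lab[s]}
    if op == 'not':
        return states - sat(ks, f[1])
    if op == 'imp':
        return (states - sat(ks, f[1])) | sat(ks, f[2])
    if op == 'EX':
        t = sat(ks, f[1])
        return {s for s in states if succ[s] & t}
    if op == 'AX':
        t = sat(ks, f[1])
        return {s for s in states if succ[s] <= t}
    if op == 'AG':  # greatest fixpoint of Z = f /\ AX Z
        z = sat(ks, f[1])
        while True:
            z2 = {s for s in z if succ[s] <= z}
            if z2 == z:
                return z
            z = z2
    raise ValueError(op)

def holds(sysm, env, f):
    """True iff the initial state of M||E satisfies f."""
    ks = compose(sysm, env)
    return ks[0] in sat(ks, f)

P = ('atom', 'p')
# Universal formula: once p holds it keeps holding (the latch never resets).
PHI_UNIV = ('AG', ('imp', P, ('AX', P)))
# Mixed formula: if some path reaches p in two steps, every path does.
PHI_MIXED = ('AG', ('imp', ('EX', ('EX', P)), ('AX', ('AX', P))))

def survey(f):
    """Return (holds for every deterministic env, holds for the maximal env)."""
    det = all(holds(M, env, f) for env in deterministic_envs())
    return det, holds(M, E_MAX, f)

if __name__ == '__main__':
    for name, f in (('universal', PHI_UNIV), ('mixed', PHI_MIXED)):
        det, nondet = survey(f)
        print(f"{name}: all deterministic envs -> {det}, maximal env -> {nondet}")
```

The deterministic sweep is exhaustive only up to the state bound passed to deterministic_envs, which suffices for this toy but is not the paper's decision procedure: the EXPTIME and 2EXPTIME bounds quoted in the abstract come from an automata-theoretic construction that this brute-force enumeration does not implement. What the run does show is the practical lesson of the mixed-formula case: testing a component against a handful of well-behaved environments says nothing about how it behaves against an adversarial one that keeps its options open.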
Contributing WPs: WP2
, 2011
The CONNECT project aims to develop a novel network infrastructure to allow heterogeneous networked systems to freely communicate with each other via on-the-fly synthesis of emergent connectors. The role of Work Package 2 (WP2) is to investigate the foundations and verification methods for composable connectors, so that support is provided for composition of networked systems, whilst enabling automated learning, reasoning and synthesis. In the second year, we focused our attention on providing an underpinning for a framework capable of supporting the dimensions of interest to the project, and the generalisation of assume-guarantee properties beyond probabilistic safety properties, in addition to supporting the automated learning of assumptions. In this deliverable, we report on work carried out in two streams, compositional theory of connector behaviours and compositional assume-guarantee verification for probabilistic automata, which we are beginning to bring together. At the theory level, we first considered several probabilistic models, focusing on their interactive behaviour and asynchronous parallel composition. We then conducted a survey of the different formalisms of component models from the viewpoint of whether they supported a number of operators (e.g. parallel composition, conjunction and quotient) and a refinement relation. Based on this, we concluded that interface automata were one