Results 1 - 10 of 149
ConcurTaskTrees: A Diagrammatic Notation for Specifying Task Models, 1997
Cited by 69 (3 self)
In this paper we discuss a notation to describe task models, which can specify a wide range of temporal relationships among tasks. It is a compact and graphical notation, immediate both to use and understand. Its logical structure and the related automatic tool make it suitable for designing even large sized applications.
Software Engineering and Middleware: A Roadmap - INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, 2000
Cited by 68 (10 self)
The construction of a large class of distributed systems can be simplified by leveraging middleware, which is layered between network operating systems and application components. Middleware resolves heterogeneity, and facilitates communication and coordination of distributed components. Existing middleware products enable software engineers to build systems that are distributed across a local-area network. State-of-the-art middleware research aims to push this boundary towards Internet-scale distribution, adaptive and reconfigurable middleware and middleware for dependable and wireless systems. The challenge for software engineering research is to devise notations, techniques, methods and tools for distributed system construction that systematically build and exploit the capabilities that middleware deliver.
Flexible Collaboration Transparency: Supporting Worker Independence in Replicated Application-Sharing Systems, 1998
Cited by 65 (4 self)
This dissertation analyzes the usefulness of existing "conventional" collaboration-transparency systems, which permit the shared use of legacy, single-user applications. I find that conventional collaboration-transparency systems do not use network resources efficiently, and they impose an inflexible, tightly coupled style of collaboration because they do not adequately support important groupware principles: concurrent work, relaxed WYSIWIS, group awareness, and inherently collaborative tasks. This dissertation proposes and explores solutions to those deficiencies. The primary goal of this work is to maintain the benefits of collaboration transparency while relieving some of its disadvantages. To that end, I present an alternate implementation approach that provides many features previously seen only in applications specifically designed to support cooperative work, called collaboration-aware applications. The new approach uses a replicated architecture, in which a copy of the application resides on each user's machine, and the users' input events are broadcast to each copy. I discuss solutions to certain key problems in replicated architectures, such as maintaining consistency, unanticipated sharing, supporting late-joiners, and replicating system resources (e.g., files, sockets, and random number generators). To enhance the collaborative usability of a legacy application, the new approach transparently replaces selected single-user interface objects with multi-user versions at runtime. There are four requirements of an application platform needed to implement this approach: process migration, run-time object replacement, dynamic binding, and the ability to intercept and introduce low-level user input events. As an instance of this approach, I describe its incorpor...
Fair testing - Concur ’95: Concurrency Theory, volume 962 of Lecture Notes in Computer Science, 1995
Cited by 48 (0 self)
In this paper we present a solution to the long-standing problem of characterising the coarsest liveness-preserving pre-congruence with respect to a full (TCSP-inspired) process algebra. In fact, we present two distinct characterisations, which give rise to the same relation: an operational one based on a De Nicola-Hennessy-like testing modality which we call should-testing, and a denotational one based on a refined notion of failures. One of the distinguishing characteristics of the should-testing pre-congruence is that it abstracts from divergences in the same way as Milner’s observation congruence, and as a consequence is strictly coarser than observation congruence. In other words, should-testing has a built-in fairness assumption. This is in itself a property long sought-after; it is in notable contrast to the well-known must-testing of De Nicola and Hennessy (denotationally characterised by a combination of failures and divergences), which treats divergence as catastrophic and hence is incompatible with observation congruence. Due to these characteristics, should-testing supports modular reasoning and allows to use the proof techniques of observation congruence, but also supports additional laws and techniques.
Interpreting Message Flow Graphs - Formal Aspects of Computing, 1995
Cited by 43 (9 self)
We give a semantics for Message Flow Graphs (MFGs), which play the role for interprocess communication that Program Dependence Graphs play for control flow in parallel processes. MFGs have been used to analyse parallel code, and are closely related to Message Sequence Charts and Time Sequence Diagrams in telecommunications systems. Our requirements are firstly, to determine unambiguously exactly what execution traces are specified by an MFG, and secondly, to use a finite-state interpretation. Our methods function for both asynchronous and synchronous communications. From a set of MFGs, we define a transition system of global states, and from that a Büchi automaton by considering safety and liveness properties of the system. In order easily to describe liveness properties, we interpret the traces of the transition system as a model of Manna-Pnueli temporal logic. Finally, we describe the expressive power of MFGs by mimicking an arbitrary Büchi automaton by means of a set of MFGs.
Reasoning about naming systems - ACM Transactions on Programming Languages and Systems, 1993
Cited by 39 (1 self)
This paper reasons about naming systems as specialized inference mechanisms. It describes a preference hierarchy that can be used to specify the structure of a naming system’s inference mechanism and defines criteria by which different naming systems can be evaluated. For example, the preference hierarchy allows one to compare naming systems based on how discriminating they are and to identify the class of names for which a given naming system is sound and complete. A study of several example naming systems demonstrates how the preference hierarchy can be used as a formal tool for designing naming systems. Categories and Subject Descriptors: H.2.3 [Database Management]: Languages—query languages; H.2.4 [Database Management]: Systems—query processing; H.3.3 [Information
Reasoning About Implicit Invocation - SIGSOFT Software Engineering Notes, 1998
Cited by 36 (2 self)
Implicit invocation [SN92, GN91] has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specification and verification formalisms for such systems. Based on standard notions from process algebra and trace semantics, we define a formal computational model for implicit invocation. A verification methodology is presented that supports linear time temporal logic and compositional reasoning. First, the entire system is partitioned into groups of components (methods) that behave independently. Then, local properties are proved for each of the groups. A precise description of the cause and the effect of an event supports this step. Using local correctness, independence of groups, and properties of the delivery of events, we infer the desired property of the overall system. Two detailed examples illustrate the use of our framework. 1 Introduction A critical issue for large-scale systems design and evolution is the choice of an ...
Use Case Maps for the Capture and Validation of Distributed Systems Requirements, 1999
Cited by 35 (10 self)
Functional scenarios describing system views, uses, or services are a common way of capturing requirements of distributed systems. However, integrating individual scenarios in different ways may result in different kinds of unexpected or undesirable interactions. In this paper, we present an innovative approach based on the combined use of two notations. The first one is a recent visual notation for causal scenarios called Use Case Maps (UCMs), which is used to capture and integrate the requirements. Integrating UCMs together helps avoiding many interactions before any prototype is generated. The second notation is the formal specification language LOTOS. UCM scenarios are translated into high-level LOTOS specifications, which can be used to validate the requirements formally through numerous techniques, including functional testing based on UCMs. LOTOS possesses powerful testing concepts and tools that we use for the detection of remaining undesirable interactions. To illustrate these...
The Integration Project for the JACK Environment - BULLETIN OF THE EATCS, 1994
Cited by 35 (12 self)
JACK, standing for Just Another Concurrency Kit, is a new environment integrating a set of verification tools, supported by a graphical interface offering facilities to use these tools separately or in combination. The environment proposes several functionalities for the design, analysis and verification of concurrent systems specified using process algebra. Tools exchange information through a text format called Fc2. Users are able to graphically layout their specifications, that will be automatically converted into the Fc2 format and then minimised with respect to various kinds of equivalences. A branching time and action based logic, ACTL, is used to describe the properties that the specification must satisfy, and model checking of ACTL formulae on the specification is performed in linear time. A translator from Natural Language to ACTL formulae is provided, in order to simplify the job to describe the specification properties by ACTL formulae. A description of the graphical interface is given together with its functionalities and the exchange format used by the tools. As an example of use of JACK, we present a small case study within JACK, that covers both verification of a software system and verification of its properties.
Evidence and Non-repudiation - JOURNAL OF NETWORK AND COMPUTER APPLICATIONS, 1997
Cited by 33 (5 self)
The ultimate purpose of a non-repudiation service is to resolve disputes about the occurrence or non-occurrence of a claimed event or action. Dispute resolution relies on the evidence held by the participants. This paper discusses types of non-repudiation evidence, elements of non-repudiation evidence and validity of non-repudiation evidence. We also investigate and compare a number of protocols aiming at fair exchange of non-repudiation evidence.

