Results 1 - 10 of 19
Enhancing the tractability of rely/guarantee specifications in the development of interfering operations
Foundations of Computing, 2000
Cited by 21 (9 self)
Various forms of assumption/commitment specifications have been used to specify and reason about the interference that comes from concurrent execution; in particular, consistent and complete proof rules relating to shared state operation specifications – with rely and guarantee conditions – have been published elsewhere. This paper discusses some issues about the formulation of such specifications and the way to record design decisions so as to make the use of rely/guarantee conditions more tractable.

An abstract account of composition
Mathematical Foundations of Computer Science, 1995
Cited by 16 (1 self)
Abstract. We present a logic of specifications of reactive systems. The logic is independent of particular computational models, but it captures common patterns of reasoning with assumption-commitment specifications. We use the logic for deriving proof rules for TLA and CTL specifications.
1 Assumption-commitment specifications
Modularity is a central concern in the design of specification methods. In general terms, modularity is the ability to reduce reasoning about a complete system to reasoning about its components. These components are not expected to operate in fully arbitrary environments. In the context of the complete system, each component can assume that its environment is to some extent well behaved, for instance that it adheres to certain communication protocols. Therefore, it is common to specify each component by describing both the function required of the component and the properties assumed of its environment. In the realm of sequential programs, for example, the requirements are postconditions and the

Verification of Safety Properties for Concurrent Assembly Code
In Proc. 2004 ACM SIGPLAN Int'l Conf. on Functional Prog, 2004
Cited by 13 (6 self)
Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using high-level languages and calculi, the verification of concurrent assembly code remains an open problem, largely due to the lack of abstraction at a low level. Nevertheless, it is sometimes necessary to reason about assembly code or machine executables so as to achieve higher assurance. In this paper

Reasoning about Program Composition
1996
Cited by 9 (1 self)
This paper presents a theory for concurrent program composition based on a predicate transformer called the weakest guarantee and a corresponding binary relation guarantees. The theory stems from a novel view of rely-guarantee techniques for reasoning about program composition and provides a general and uniform framework for handling temporal properties as well as other kinds of program properties such as refinement and encapsulation.
1 Introduction
The contribution of this paper is a predicate-transformer based theory for reasoning about the composition of concurrent programs. This section contains the motivation for this contribution and a discussion of the central issues. The predicate transformers wp and wlp provide an elegant basis for reasoning about sequential programs because they focus attention on the most fundamental aspects of these programs: their initial and final states [DS90]. By identifying a program with its predicate transformer, we can reason about programs using...

Denotational Semantics of Object Specification
Acta Informatica, 1998
Cited by 7 (3 self)
From an arbitrary temporal logic institution we show how to set up the corresponding institution of objects. The main properties of the resulting institution are studied and used in establishing a categorial, denotational semantics of several basic constructs of object specification, namely aggregation (parallel composition), interconnection, abstraction (interfacing) and monotonic specialization. A duality is established between the category of theories and the category of objects, as a corollary of the Galois correspondence between these concrete categories. The special case of linear temporal logic is analysed in detail in order to show that categorial products do reflect interleaving and reducts may lead to internal nondeterminism.
Key words: object-orientation, system specification, temporal logic, institution, denotational semantics, duality.
1 Introduction
The advantages of object-orientation in software engineering in general and system specification in particular...

On Unifying Assumption-Commitment Style Proof Rules for Concurrency
In Proceedings of CONCUR 94, 1994
Cited by 6 (1 self)
Assumption-Commitment paradigms for specification and verification of concurrent programs have been proposed in the past. We show that two typical parallel composition rules for shared variable and message passing programs [8,12] which hitherto required different formulations are instances of one general rule mainly inspired by Abadi & Lamport's composition theorem [1].
1 Introduction
Compositional methods support the verify-while-develop paradigm (an interesting account is given in [15]). However, compared to sequential programs, concurrent programs are much harder to specify and verify. In order to obtain tractable proof rules for concurrency, assumption-commitment (sometimes also called rely-guarantee), as against monolithic, specification paradigms have been proposed, in which a component is verified to satisfy a commitment under the condition that the environment satisfies an assumption. Such proof systems have been studied for concurrent programs communicating through shared variabl...

A Rely-guarantee Discipline for Open Distributed Systems Design
Information Processing Letters, 1999
Cited by 5 (2 self)
A number of authors have studied the design of distributed systems considering the existence of an environment over which little (if any) control is retained. Perhaps the most systematic of these studies suggest the use of rely and guarantee conditions that assert respectively what is assumed from the environment and what the system is committed to ensure as long as the assumptions hold, a refinement of the pre and post conditions adopted in sequential program design. We propose a new rely-guarantee discipline based on linear time future temporal connectives and show how it can be applied in designing open distributed systems.

A Compositional World: a survey of recent works on compositionality in formal methods
2005
Cited by 5 (4 self)
We survey the most significant literature about compositional techniques for concurrent and real-time system verification. We especially focus on abstract frameworks for rely/guarantee compositionality that handle circularity, but also consider different developments.

A Theory for Composing Distributed Components, Based on Mutual Exclusion
Proceedings of the Workshop on Formal Aspects of Component Software (FACS), 2003. Also as UNU/IIST Report no. 284. Available on-line at www.iist.unu.edu/newrh/III/1/page.html, 2003
Cited by 4 (3 self)
Compositionality provides the foundation of software modularity, reusability and separate verification of software components. One of the known difficulties, when separately verifying components, is producing compositional proofs for progress properties of distributed systems. This paper presents a new composition theory based on reasoning about temporary interference. The approach is axiomatic, enabling us to capture aspects relevant for composition in a direct and clean way, and resulting in a theory which in our opinion is elegant and easy to understand, in particular when dealing with progress properties. The theory only deals with components that synchronize by mutual exclusion, though it will be discussed how it could be extended.

Foundations for Circular Compositional Reasoning
Lecture Notes in Computer Science, 2001
Cited by 4 (0 self)
Compositional proofs about systems of many components require circular reasoning principles in which properties of other components need to be assumed in proving the properties of each individual component. A number of such circular assume-guarantee rules have been proposed for different concurrency models and different forms of property specifications. In this paper, we provide a framework that unifies and extends these results. We define an assume-guarantee semantics for properties expressible as least or greatest fixed points, and a circular compositional rule that is sound with respect to this semantics. We demonstrate the utility of this general rule by applying it to trace semantics with linear temporal logic specifications, and trace tree semantics with automata refinement specifications. For traces, we derive a new assume-guarantee rule for the "until" and "weakly until" properties of linear temporal logic and show that previously proposed assume-guarantee rules can be seen as special instances of our rule. For trace trees, we derive a rule for parallel composition of Moore machines, and show that the rule of [7] is a special instance, thus yielding an alternate proof of the results in [7].