Results 1  10
of
10
Closure and Convergence: A Foundation of FaultTolerant Computing
 IEEE Transactions on Software Engineering
, 1993
"... We give a formal definition of what it means for a system to "tolerate" a class of "faults". The definition consists of two conditions: One, if a fault occurs when the system state is within a set of "legal" states, the resulting state is within some larger set and, if ..."
Abstract

Cited by 110 (30 self)
 Add to MetaCart
We give a formal definition of what it means for a system to "tolerate" a class of "faults". The definition consists of two conditions: One, if a fault occurs when the system state is within a set of "legal" states, the resulting state is within some larger set and, if faults continue occurring, the system state remains within that larger set (Closure). And two, if faults stop occurring, the system eventually reaches a state within the legal set (Convergence). We demonstrate the applicability of our definition for specifying and verifying the faulttolerance properties of a variety of digital and computer systems. Further, using the definition, we obtain a simple classification of faulttolerant systems and discuss methods for their systematic design. as traditionally been studied in the context of specifi...
Model Checking Complete Requirements Specifications Using Abstraction
 Automated Software Engineering
, 1999
"... Although model checking has proven remarkably effective in detecting errors in hardware designs, its success in the analysis of software specifications has been limited. Model checking algorithms for hardware verification commonly use Binary Decision Diagrams (BDDs) to represent predicates involving ..."
Abstract

Cited by 70 (19 self)
 Add to MetaCart
Although model checking has proven remarkably effective in detecting errors in hardware designs, its success in the analysis of software specifications has been limited. Model checking algorithms for hardware verification commonly use Binary Decision Diagrams (BDDs) to represent predicates involving the many Boolean variables commonly found in hardware descriptions. Unfortunately, BDD representations may be less effective for analyzing software specifications, which usually contain not only Booleans but variables spanning a wide range of data types. Further, software specifications typically have huge, sometimes infinite, state spaces that cannot be model checked directly using conventional symbolic methods. One promising but largely unexplored approach to model checking software...
Focus points and convergent process operators: A proof strategy for protocol verification
, 1995
"... We present a strategy for finding algebraic correctness proofs for communication systems. It is described in the setting of µCRL [11], which is, roughly, ACP [2, 3] extended with a formal treatment of the interaction between data and processes. The strategy has already been applied successfully in [ ..."
Abstract

Cited by 39 (11 self)
 Add to MetaCart
We present a strategy for finding algebraic correctness proofs for communication systems. It is described in the setting of µCRL [11], which is, roughly, ACP [2, 3] extended with a formal treatment of the interaction between data and processes. The strategy has already been applied successfully in [4] and [10], but was not explicitly identified as such. Moreover, the protocols that were verified in these papers were rather complex, so that the general picture was obscured by the amount of details. In this paper, the proof strategy is materialised in the form of definitions and theorems. These results reduce a large part of protocol verification to a number of trivial facts concerning data parameters occurring in implementation and specification. This greatly simplifies protocol verifications and makes our approach amenable to mechanical assistance � experiments in this direction seem promising. The strategy is illustrated by several small examples and one larger example, the Concurrent Alternating Bit Protocol (CABP). Although simple, this protocol contains a large amount of internal parallelism, so that all relevant issues make their appearance.
Action systems in pipelined processor design
 In Proc. of the 3rd Int. Symp. on Advanced Research in Asynchronous Circuits and Systems
, 1997
"... We show that the action systems framework combined with the re nement calculus is a powerful method for handling a central problem in hardware design, the design of pipelines. We present a methodology for developing asynchronous pipelined microprocessors relying on this framework. Each functional un ..."
Abstract

Cited by 16 (7 self)
 Add to MetaCart
We show that the action systems framework combined with the re nement calculus is a powerful method for handling a central problem in hardware design, the design of pipelines. We present a methodology for developing asynchronous pipelined microprocessors relying on this framework. Each functional unit of the processor is stepwise brought about which leads to a structured and modular design. The handling of di erent hazard situations is realized when verifying re nement steps. Our design is carried out with circuit implementation using speedindependent techniques in mind.
Distributed service composition
, 1999
"... In this paper we explore the use of action systems for distributed service composition. Distributed systems can be composed out of a basic computation and a set of services. Even though this way of designing a system out of components helps in managing the derivation task, formal description techniq ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
In this paper we explore the use of action systems for distributed service composition. Distributed systems can be composed out of a basic computation and a set of services. Even though this way of designing a system out of components helps in managing the derivation task, formal description techniques are needed due to the complexity of distributed systems. We propose a method where services, or features as they are often called, are speci ed in isolation by the service provider. The services when available are used by clients in a distributed manner. Reasoning about the services and their interactions with each other and with the basic computation of the clients is carried out within the re nement calculus. To exemplify the proposed methodology we study feature composition and feature interaction in telecommunications software.
AFast, Scalable Mutual Exclusion Algorithm
, 1993
"... This paper is concerned with synchronization under read/write atomicity in shared memory multiprocessors. We present a new algorithm for Nprocess mutual exclusion that requires only read and write operations and that has O(log N) time complexity, where \time " is measured by counting remot ..."
Abstract
 Add to MetaCart
This paper is concerned with synchronization under read/write atomicity in shared memory multiprocessors. We present a new algorithm for Nprocess mutual exclusion that requires only read and write operations and that has O(log N) time complexity, where \time &quot; is measured by counting remote memory references. The time complexity of this algorithm is better than that of all prior solutions to the mutual exclusion problem that are based upon atomic read and write instructions � in fact, the time complexity of most prior solutions is unbounded. Performance studies are presented that show that our mutual exclusion algorithm exhibits scalable performance under heavy contention. In fact, its performance rivals that of the fastest queuebased spin locks based on strong primitives such as compareandswap and fetchandadd. We also present a modi ed version of our algorithm that generates only O(1) memory references in the absence of contention.
Using kExclusion to Implement Resilient, Scalable Shared Objects
"... We present a methodology for the implementation of resilient shared objects that allows the desired level of resiliency to be selected based on performance concerns. This methodology is based on the kexclusion and renaming problems. To make this methodology practical, we present anumber of fast ke ..."
Abstract
 Add to MetaCart
We present a methodology for the implementation of resilient shared objects that allows the desired level of resiliency to be selected based on performance concerns. This methodology is based on the kexclusion and renaming problems. To make this methodology practical, we present anumber of fast kexclusion algorithms that employ \local spin &quot; techniques to minimize the impact of the processortomemory bottleneck. We also present a new \longlived &quot; renaming algorithm. Our kexclusion algorithms are based on commonlyavailable synchronization primitives, are fast in the absence of contention, and have scalable performance when contention exceeds expected thresholds. By contrast, all prior kexclusion algorithms either require unrealistic atomic operations or perform badly. Our kexclusion algorithms are also the rst algorithms based on localspin techniques that tolerate process failures. 1
Formalizing Design Patterns
"... Design patterns facilitate reuse of good design practices. They are typically given by using conventional notations that lack wellde ned semantics and, therefore reasoning about their behaviors requires formalization. Even when formalized, conventional communication abstractions may lead to too lab ..."
Abstract
 Add to MetaCart
Design patterns facilitate reuse of good design practices. They are typically given by using conventional notations that lack wellde ned semantics and, therefore reasoning about their behaviors requires formalization. Even when formalized, conventional communication abstractions may lead to too laborious formalizations when addressing the temporal behavior of a pattern as a whole instead of behaviors local to its components. We show that rigorous reasoning can be eased by formalizing temporal behaviors of patterns in terms of highlevel abstractions of communication, and that by using propertypreserving re nements, speci cations can be naturally composed by using patterns as building blocks.
SNAP: A Validator/Annotator for Proofs of Distributed Programs
"... Distributed programs are notorious for subtle errors, requiring proofs to establish their correctness. Correctness proofs carried out on paper tend to be errorprone. This paper presents system Snap (Simple Notion of Annotating Proofs) being developed to validate correctness proofs in Linear Time T ..."
Abstract
 Add to MetaCart
Distributed programs are notorious for subtle errors, requiring proofs to establish their correctness. Correctness proofs carried out on paper tend to be errorprone. This paper presents system Snap (Simple Notion of Annotating Proofs) being developed to validate correctness proofs in Linear Time Temporal Logic (LTL). Snap supports forward proofs and can be used either interactively or in batch mode. The system validates proofs entered by users  in a representation close to handwritten proofs  by providing justifications for every proof step. Justifications are in essence theorems or meta rules in the system's rulebase; together with the proof, they constitute a proof annotation. Theorems proved elsewhere may be loaded into the system's rulebase without having to redo proofs, a mechanism to raise the abstraction level of proofs. Snap supports proofs of theorems and certain meta rules, all of which may be dynamically added to its rulebase. Since the design goal of Snap is to...