Abstract not found

Abstract not found

Abstract not found

this paper appeared in ACM Transactions on Programming Languages and Systems 16, 5 (September 1994) 1543-- 1571. The appendix was published electronically by the ACM. Contents

This paper substantiates that experience by formalizing safety and liveness in a way that permits the relationship between safety and invariance and between liveness and wellfoundedness to be demonstrated for a large class of properties. In so doing, we give new characterizations of safety and liveness and prove that they satisfy the formal definitions in [Alpera & Schneider 85a]

This paper presents a general theory of system composition for #possibilistic" security properties. We see that these properties fall outside of the AlpernSchneider safety#liveness domain and hence, are not subject to the Abadi-Lamport Composition Principle. We then introduce a set of trace constructors called selective interleaving functions and show that possibilistic security properties are closure properties with respect to di#erent classes of selectiveinterleaving functions. This provides a uniform framework for analyzing these properties and allows us to construct a partial ordering for them. We presentanumber of composition constructs, show the extent to which each preserves closure with respect to di#erent classes of selectiveinterleaving functions, and show that they are su#cient for forming the general hook-up construction. We see that although closure under a class of selectiveinterleaving functions is generally preserved by product and cascading, it is not generally preserv...

Checking that a given finite state program satisfies a linear temporal logic property is suffering in many cases from a severe space and time explosion. One way to cope with this is to reduce the state graph used for model checking. We define an equivalence relation between infinite sequences, based on infinite traces such that for each equivalence class, either all or none of the sequences satisfy the checked formula. We present an algorithm for constructing a state graph that contains at least one representative sequence for each equivalence class. This allows applying existing model checking algorithms to the reduced state graph rather than on the larger full state graph of the program. It also allows model checking under fairness assumptions, and exploits these assumptions to obtain smaller state graphs. A formula rewriting technique is presented to allow coarser equivalence relation among sequences, such that less representatives are needed. 1

A unified, comprehensive presentation of simulation techniques for verification of concurrent systems is given, in terms of a simple untimed automaton model. In particular, (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations are defined. History and prophecy relations are abstract versions of the history and prophecy variables of Abadi and Lamport, as well as the auxiliary variables of Owicki and Gries. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. Finally, it is shown how invariants can be incorporated into all the simulations. Even though many results are presented here for the first time, this paper can also be read as a survey (in a simple setting) of the research literature on simulation techniques. The development for untimed automata is designed to support a similar development for timed automata...

We propose Interaction Categories as a new paradigm for the semantics of functional and concurrent computation. Interaction categories have specifications as objects, processes as morphisms, and interaction as composition. We introduce two key examples of interaction categories for concurrent computation and indicate how a general axiomatisation can be developed. The upshot of our approach is that traditional process calculus is reconstituted in functorial form, and integrated with type theory and functional programming.

In the transition axiom method, safety properties of a concurrent system can be specified by programs; liveness properties are specified by assertions in a simple temporal logic. The method is described with some simple examples, and its logical foundation is informally explored through a careful examination of what it means to implement a specification. Language issues and other practical details are largely ignored.