Results 11–20 of 164
On Strongest Necessary and Weakest Sufficient
Artificial Intelligence, 2000
Cited by 27 (1 self)
Given a propositional theory T and a proposition q, a sufficient condition of q is one that will make q true under T, and a necessary condition of q is one that has to be true for q to be true under T. In this paper, we propose a notion of strongest necessary and weakest sufficient conditions. Intuitively, the strongest necessary condition of a proposition is the most general consequence that we can deduce from the proposition under the given theory, and the weakest sufficient condition is the most general abduction that we can make from the proposition under the given theory. We show that these two conditions are dual ones, and can be naturally extended to arbitrary formulas. We investigate some computational properties of these two conditions and discuss some of their potential applications.
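The two conditions in this abstract have a direct security reading: the weakest sufficient condition of "access granted", taken over the variables an attacker can influence, is the least an attacker must control to force a grant; the strongest necessary condition over the variables a log records is what must have held in every session that was granted. As an added worked example (not code from the paper or its authors), the following Python computes both conditions by brute force over truth assignments and checks the duality the abstract states. It assumes the usual formulation in which the conditions range over a chosen sub-vocabulary P (relative to T, q is trivially its own strongest necessary and weakest sufficient condition over the full vocabulary); the access-control theory, the variable names and the choice of "attacker-influenced" vocabulary are constructed for illustration.

```python
"""SNC and WSC of a proposition q under a propositional theory T, over a vocabulary
P, by brute force over truth assignments.  Added example; the policy is constructed."""
from itertools import combinations, product
from typing import Callable, Dict, FrozenSet, List, Sequence, Set, Tuple

Assignment = Dict[str, bool]
Formula = Callable[[Assignment], bool]
PModel = FrozenSet[Tuple[str, bool]]   # a truth assignment to the P variables

def models(variables: Sequence[str], phi: Formula) -> List[Assignment]:
    """All assignments over `variables` satisfying phi."""
    out = []
    for bits in product((False, True), repeat=len(variables)):
        a = dict(zip(variables, bits))
        if phi(a):
            out.append(a)
    return out

def project(assignments: List[Assignment], P: Sequence[str]) -> Set[PModel]:
    """Restrict each assignment to the vocabulary P."""
    return {frozenset((v, a[v]) for v in P) for a in assignments}

def all_p_models(P: Sequence[str]) -> Set[PModel]:
    return project(models(P, lambda a: True), P)

def snc(T: Formula, q: Formula, V: Sequence[str], P: Sequence[str]) -> Set[PModel]:
    """SNC(q; T; P) as its model set: the P-assignments that extend to a model of
    T ∧ q.  Every necessary condition over P must hold at all of these, so no
    formula with fewer models can be necessary."""
    return project(models(V, lambda a: T(a) and q(a)), P)

def wsc(T: Formula, q: Formula, V: Sequence[str], P: Sequence[str]) -> Set[PModel]:
    """WSC(q; T; P): the P-assignments none of whose T-extensions falsifies q, i.e.
    those that do not extend to a model of T ∧ ¬q.  This is the duality the
    abstract states: WSC(q) = ¬SNC(¬q)."""
    return all_p_models(P) - project(models(V, lambda a: T(a) and not q(a)), P)

def is_necessary(T, q, V, P, cond: Set[PModel]) -> bool:
    """T ∧ q ⊨ cond, for a formula cond over P given by its model set."""
    return all(frozenset((v, a[v]) for v in P) in cond
               for a in models(V, lambda a: T(a) and q(a)))

def is_sufficient(T, q, V, P, cond: Set[PModel]) -> bool:
    """T ∧ cond ⊨ q."""
    return all(q(a) for a in models(V, T)
               if frozenset((v, a[v]) for v in P) in cond)

def check_extremal(T, q, V, P) -> bool:
    """Enumerate every formula over P (every subset of P-models): SNC must entail
    each necessary one, each sufficient one must entail WSC, and WSC = ¬SNC(¬q)."""
    universe = sorted(all_p_models(P), key=sorted)
    s, w = snc(T, q, V, P), wsc(T, q, V, P)
    for k in range(len(universe) + 1):
        for subset in combinations(universe, k):
            cond = set(subset)
            if is_necessary(T, q, V, P, cond) and not s <= cond:
                return False
            if is_sufficient(T, q, V, P, cond) and not cond <= w:
                return False
    return w == all_p_models(P) - snc(T, lambda a: not q(a), V, P)

def to_dnf(P: Sequence[str], cond: Set[PModel]) -> str:
    """Render a model set as an (unsimplified) DNF over P."""
    if not cond:
        return "False"
    if cond == all_p_models(P):
        return "True"
    terms = []
    for m in sorted(cond, key=sorted):
        lits = dict(m)
        terms.append("(" + " ∧ ".join(v if lits[v] else "¬" + v for v in P) + ")")
    return " ∨ ".join(terms)

# Constructed access-control theory T (illustration only, not from the paper):
#   grant ⟺ (token_valid ∧ mfa) ∨ (admin ∧ vpn)   valid token plus MFA, or admin over VPN
#   admin ⟹ mfa                                  admin accounts must always use MFA
VARS = ("token_valid", "mfa", "admin", "vpn", "grant")
ATTACKER = ("token_valid", "mfa")   # assumed attacker-influenced vocabulary P

def policy(a: Assignment) -> bool:
    return (a["grant"] == ((a["token_valid"] and a["mfa"]) or (a["admin"] and a["vpn"]))
            and (not a["admin"] or a["mfa"]))

def granted(a: Assignment) -> bool:
    return a["grant"]

def attacker_conditions() -> Tuple[Set[PModel], Set[PModel]]:
    """(SNC, WSC) of `grant` over the attacker-influenced vocabulary."""
    return snc(policy, granted, VARS, ATTACKER), wsc(policy, granted, VARS, ATTACKER)

if __name__ == "__main__":
    s, w = attacker_conditions()
    print("SNC(grant):", to_dnf(ATTACKER, s))   # what every granted session implies
    print("WSC(grant):", to_dnf(ATTACKER, w))   # what by itself forces a grant
    print("extremal and dual:", check_extremal(policy, granted, VARS, ATTACKER))
```

Under this constructed policy the strongest necessary condition of a grant over {token_valid, mfa} comes out as mfa alone (the admin-over-VPN path is closed to anyone without MFA by the admin ⟹ mfa rule), while the weakest sufficient condition is token_valid ∧ mfa: holding a valid token or a phished MFA code on its own is never enough, both together always are. Enumeration over truth assignments is exponential in the number of variables and is meant to make the definitions concrete, not to scale; the paper's computational results are the place to look for that.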
Structural abstraction of software verification conditions
In Computer Aided Verification: 19th International Conference, CAV 2007, ser. LNCS, 2007
Cited by 26 (5 self)
Precise software analysis and verification require tracking the exact path along which a statement is executed (path-sensitivity), the different contexts from which a function is called (context-sensitivity), and the bit-accurate operations performed. Previously, verification with such precision has been considered too inefficient to scale to large software. In this paper, we present a novel approach to solving such verification conditions, based on an automatic abstraction-checking-refinement framework that exploits natural abstraction boundaries present in software. Experimental results show that our approach easily scales to over 200,000 lines of real C/C++ code.
Avoiding the Undefined by Underspecification
Computer Science Today: Recent Trends and Developments, number 1000 in Lecture Notes in Computer Science, 1995
Cited by 25 (0 self)
We use the appeal of simplicity and an aversion to complexity in selecting a method for handling partial functions in logic. We conclude that avoiding the undefined by using underspecification is the preferred choice.
Deliverables: A Categorical Approach to Program Development in Type Theory
1992
Cited by 24 (1 self)
This thesis considers the problem of program correctness within a rich theory of dependent types, the Extended Calculus of Constructions (ECC). This system contains a powerful programming language of higher-order primitive recursion and higher-order intuitionistic logic. It is supported by Pollack's versatile LEGO implementation, which I use extensively to develop the mathematical constructions studied here. I systematically investigate Burstall's notion of deliverable, that is, a program paired with a proof of correctness. This approach separates the concerns of programming and logic, since I want a simple program extraction mechanism. The Σ-types of the calculus enable us to achieve this. There are many similarities with the subset interpretation of Martin-Löf type theory. I show that deliverables have a rich categorical structure, so that correctness proofs may be decomposed in a principled way. The categorical combinators which I define in the system package up much logical bo...
A CSP Approach To Action Systems
1992
Cited by 23 (6 self)
The communicating sequential processes (CSP) formalism, introduced by Hoare [Hoa85], is an event-based approach to distributed computing. The action-system formalism, introduced by Back & Kurki-Suonio [BKS83], is a state-based approach to distributed computing. Using weakest-precondition formulae, Morgan [Mor90a] has defined a correspondence between action systems and the failures-divergences model for CSP. Simulation is a proof technique for showing refinement of action systems. Using the correspondence of [Mor90a], Woodcock & Morgan [WM90] have shown that simulation is sound and complete in the CSP failures-divergences model. In this thesis, Morgan's correspondence is extended to the CSP infinite-traces model [Ros88] in order to deal more properly with unbounded nondeterminism. It is shown that simulation is sound in the infinite-traces model, though completeness is lost in certain cases. The new correspondence is then extended to include a notion of internal action. This allows the ...
Predicate Transformer Semantics of a Higher Order Imperative Language With . . .
Science of Computer Programming, 1998
Cited by 19 (9 self)
Using a set-theoretic model of predicate transformers and ordered data types, we give a total-correctness semantics for a typed higher-order imperative programming language that includes record extension, local variables, and procedure-type variables and parameters. The language includes infeasible specification constructs, for a calculus of refinement. Procedures may have global variables, subject to mild syntactic restrictions to avoid the semantic complications of Algol-like languages. The semantics is used to validate simple proof rules for noninterference, type extension, and calls of procedure variables and constants.
DynAlloy: Upgrading Alloy with Actions
2005
Cited by 18 (6 self)
We present DynAlloy, an extension to the Alloy specification language to describe dynamic properties of systems using actions. Actions allow us to appropriately specify dynamic properties, particularly properties regarding execution traces, in the style of dynamic logic specifications. We extend Alloy's syntax with a notation for partial correctness assertions, whose semantics relies on an adaptation of Dijkstra's weakest liberal precondition. These assertions, defined in terms of actions, allow us to easily express properties regarding executions, favoring the separation of concerns between the static and dynamic aspects of a system specification. We also extend the Alloy tool in such a way that DynAlloy specifications are also automatically analyzable, as standard Alloy specifications. We present the foundations, two case studies, and empirical results evidencing that the analysis of DynAlloy specifications can be performed efficiently.
Predicates and Predicate Transformers for Supervisory Control of Discrete Event Dynamical Systems
IEEE Transactions on Automatic Control, 1995
Cited by 18 (4 self)
Most discrete event system models are based on defining the alphabet set or the set of events as a fundamental concept. In this paper, we take an alternative view of treating the state space as the fundamental concept. We approach the problem of controlling discrete event systems by using predicates and predicate transformers. Predicates have the advantage that they can concisely characterize an infinite state space. The notion of controllability of a predicate is defined, and the supervisory predicate control problem introduced in this paper is solved. A closed form expression for the weakest controllable predicate is obtained. The problem of controlling discrete event systems under incomplete state observation is also considered and observability of predicates is defined. Techniques for finding extremal solutions of boolean equations are used to derive minimally restrictive supervisors.
Formal Methods Application: An Empirical Tale of Software Development
IEEE Transactions on Software Engineering, 2002
Cited by 17 (1 self)
The development of an elevator scheduling system by undergraduate students is presented. The development was performed by 20 teams of undergraduate students, divided into two groups. One group produced specifications by employing a formal method that involves only first-order logic. The other group used no formal analysis. The solutions of the groups are compared using the metrics of code correctness, conciseness, and complexity. Particular attention is paid to a subset of the formal methods group which provided a full verification of their implementation. Their results are compared to other published formal solutions. The formal methods group's solutions are found to be far more correct than the non-formal solutions.
Index Terms: Formal methods, software specifications, software engineering curriculum.