A Proof Technique for Rely/Guarantee Properties
In Proceedings of the 5th Conference on Foundations of Software Technology and Theoretical Computer Science, Lecture Notes in Computer Science 206, 1986
Cited by 53 (0 self)
A rely/guarantee specification for a program P is a specification of the form R ⇒ G (R implies G), where R is a rely condition and G is a guarantee condition. A rely condition expresses the conditions that P relies on its environment to provide, and a guarantee condition expresses what P guarantees to provide in return. This paper presents a proof technique that permits us to infer that a program P satisfies a rely/guarantee specification R ⇒ G, given that we know P satisfies a finite collection of rely/guarantee specifications R_i ⇒ G_i (i ∈ I). The utility of the proof technique is illustrated by using it to derive global liveness properties of a system of concurrent processes from a collection of local liveness properties satisfied by the component processes. The use of the proof rule as a design principle, and the possibility of its incorporation into a formal logic of rely/guarantee assertions, is also discussed.
Symbolic compositional verification by learning assumptions
In CAV, 2005
Cited by 52 (7 self)
The verification problem for a system consisting of components can be decomposed into simpler subproblems for the components using assume-guarantee reasoning. However, such compositional reasoning requires user guidance to identify appropriate assumptions for components. In this paper, we propose an automated solution for discovering assumptions based on the L* algorithm for active learning of regular languages. We present a symbolic implementation of the learning algorithm, and incorporate it in the model checker NuSMV. Our experiments demonstrate significant savings in the computational requirements of symbolic model checking.
The Principled Design of Computer System Safety Analyses
2000
Cited by 44 (0 self)
Safety critical computing is a relatively young and rapidly developing technology, which nevertheless is being deployed in applications where a single accident may have extremely severe consequences. The safety record of critical systems presently in service is reasonably good, but increasing expectations of functionality and performance are challenging the capabilities of current design and assessment processes. One specific area where limitations of existing methods are becoming obvious is in the analysis techniques that are used to derive safety requirements and to provide evidence that they have been satisfied. There are significant practical problems in using existing analysis techniques to evaluate computer systems, but few viable new computer-specific methods have been developed. This thesis proposes and evaluates a set of principles for the design of effective techniques to address novel computer system safety analysis requirements. The principles are based on an appreciation of the technical concepts underlying successful existing system level analysis techniques, and of the practical qualities necessary to make a method industrially acceptable. The ...
Using History Invariants to Verify Observers
2007
Cited by 27 (2 self)
This paper contributes a technique that expands the set of object invariants that one can reason about in modular verification. The technique uses history invariants, two-state invariants that describe the evolution of data values. The technique enables a flexible new way to specify and verify variations of the observer pattern, including iterators. The paper details history invariants and the new kind of object invariants, and proves a soundness theorem.
Parallel Composition of Assumption-Commitment Specifications: A Unifying Approach for Shared Variable and Distributed Message Passing Concurrency
1996
Cited by 26 (6 self)
We unify the parallel composition rule of assumption-commitment specifications for respectively state-based and message-based concurrent processes. Without providing language-dependent definitions, we first assume that the model of a process can be given as a set of `sequences' (e.g., traces, state sequences). Then we assume the existence of a merging operator that captures the compositionality of that model. On this basis, we formulate a semantic parallel composition rule for assumption-commitment specifications wherein the merging operator behaves as a parameter. Then, by providing suitable language-specific definitions for the model of a process and the merging operator, we transform the semantic rule into syntactic ones, both for the state-based and message-based approaches to concurrency.
Determining the specification of a control system from that of its environment
In Keijiro Araki, Stefania Gnesi, and Dino Mandrioli, editors, FME 2003: Formal Methods, volume 2805 of LNCS, 2003
Cited by 26 (9 self)
Well understood methods exist for developing programs from given specifications. A formal method identifies proof obligations at each development step: if all such proof obligations are discharged, a precisely defined class of errors can be excluded from the final program. For a class of “closed” systems such methods offer a gold standard against which less formal approaches can be measured. For “open” systems – those which interact with the physical world – the task of obtaining the program specification can be as challenging as the task of deriving the program. And, when a system of this class must tolerate certain kinds of unreliability in the physical world, it is still more challenging to reach confidence that the specification obtained is adequate. We argue that widening the notion of software development to include specifying the behaviour of the relevant parts of the physical world gives a way to derive the specification of a control system and also to record precisely the assumptions being made about the world outside the computer.
The Rely-Guarantee Method for Verifying Shared Variable Concurrent Programs
1997
Cited by 26 (0 self)
Compositional proof systems for shared variable concurrent programs can be devised by including the interference information in the specifications. The formalism falls into a category called rely-guarantee (or assumption-commitment), in which a specification is explicitly (syntactically) split into two corresponding parts. This paper summarises existing work on the rely-guarantee method and gives a systematic presentation. A proof system for partial correctness is given first, thereafter it is demonstrated how the relevant rules can be adapted to verify deadlock freedom and convergence. Soundness and completeness, of which the completeness proof is new, are studied with respect to an operational model. We observe that the rely-guarantee method is in a sense a reformulation of the classical non-compositional Owicki & Gries method, and we discuss throughout the paper the connection between these two methods.
The research was partially supported by Esprit-BRA project 6021 (REACT)...
On the Completeness of Compositional Reasoning
In CAV, volume 1855 of LNCS, 2000
Cited by 24 (4 self)
Several proof rules based on the assume-guarantee paradigm have been proposed for compositional reasoning about concurrent systems.
Enhancing the tractability of rely/guarantee specifications in the development of interfering operations
Foundations of Computing, 2000
Cited by 22 (9 self)
Various forms of assumption/commitment specifications have been used to specify and reason about the interference that comes from concurrent execution; in particular, consistent and complete proof rules relating to shared state operation specifications – with rely and guarantee conditions – have been published elsewhere. This paper discusses some issues about the formulation of such specifications and the way to record design decisions so as to make the use of rely/guarantee conditions more tractable.
A Calculus of Atomic Actions
Cited by 18 (4 self)
We present a proof calculus and method for the static verification of assertions and procedure specifications in shared-memory concurrent programs. The key idea in our approach is to use atomicity as a proof tool and to simplify the verification of assertions by rewriting programs to consist of larger atomic actions. We propose a novel, iterative proof style in which alternating use of abstraction and reduction is exploited to compute larger atomic code blocks in a sound manner. This makes possible the verification of assertions in the transformed program by simple sequential reasoning within atomic blocks, or significantly simplified application of existing concurrent program verification techniques such as the Owicki-Gries or rely-guarantee methods. Our method facilitates a clean separation of concerns where at each phase of the proof, the user worries only about either the sequential properties or the concurrency control mechanisms in the program. We implemented our method in a tool called QED. We demonstrate the simplicity and effectiveness of our approach on a number of benchmarks including ones with intricate concurrency protocols.
Categories and Subject Descriptors: D.2.4 [Software Engineering]: Software/Program Verification — assertion checkers, correctness