Results 1 - 10 of 168
A Formal Approach to Software Architecture, 1997
Cited by 258 (14 self)
As software systems become more complex, the overall system structure---or software architecture---becomes a central design problem. A system's architecture provides a model of the system that suppresses implementation detail, allowing the architect to concentrate on the analyses and decisions that are most crucial to structuring the system to satisfy its requirements. Unfortunately, current representations of software architecture are informal and ad hoc. While architectural concepts are often embodied in infrastructure to support specific architectural styles and in the initial conceptualization of a system configuration, the lack of an explicit, independently-characterized architecture or architectural style significantly limits the benefits of software architectural design in current practice. In this dissertation, I show that an Architecture Description Language based on a formal, abstract model of system behavior can provide a practical means of describing and analyzing softwar...
Relations in Concurrency
Cited by 242 (33 self)
The theme of this paper is profunctors, and their centrality and ubiquity in understanding concurrent computation. Profunctors (a.k.a. distributors, or bimodules) are a generalisation of relations to categories. Here they are first presented and motivated via spans of event structures, and the semantics of nondeterministic dataflow. Profunctors are shown to play a key role in relating models for concurrency and to support an interpretation as higher-order processes (where input and output may be processes). Two recent directions of research are described. One is concerned with a language and computational interpretation for profunctors. This addresses the duality between input and output in profunctors. The other is to investigate general spans of event structures (the spans can be viewed as special profunctors) to give causal semantics to higher-order processes. For this it is useful to generalise event structures to allow events which “persist.”
A Design Framework for Internet-Scale Event Observation and Notification
In Proc. of the 6th European Software Engineering Conf. held jointly with the 5th ACM SIGSOFT Symp. on the Foundations of Software Engineering (ESEC/FSE97), number 1301 in LNCS, 1997
Cited by 138 (9 self)
There is increasing interest in having software systems execute and interoperate over the Internet. Execution and interoperation at this scale imply a degree of loose coupling and heterogeneity among the components from which such systems will be built. One common architectural style for distributed, loosely-coupled, heterogeneous software systems is a structure based on event generation, observation and notification. The technology to support this approach is well-developed for local area networks, but it is ill-suited to networks on the scale of the Internet. Hence, new technologies are needed to support the construction of large-scale, event-based software systems for the Internet. We have begun to design a new facility for event observation and notification that better serves the needs of Internet-scale applications. In this paper we present results from our first step in this design process, in which we defined a framework that captures many of the relevant design dimensions. Our framework comprises seven models: an object model, an event model, a naming model, an observation model, a time model, a notification model, and a resource model. The paper discusses each of these models in detail and illustrates them using an example involving an update to a Web page. The paper also evaluates three existing technologies with respect to the seven models.
Modeling Concurrency with Geometry, 1991
Cited by 121 (13 self)
The phenomena of branching time and true or noninterleaving concurrency find their respective homes in automata and schedules. But these two models of computation are formally equivalent via Birkhoff duality, an equivalence we expound on here in tutorial detail. So why should these phenomena prefer one home over the other? We identify dimension as the culprit: 1-dimensional automata are skeletons permitting only interleaving concurrency, whereas true n-fold concurrency resides in transitions of dimension n. The truly concurrent automaton dual to a schedule is not a skeletal distributive lattice but a solid one. We introduce true nondeterminism and define it as monoidal homotopy; from this perspective nondeterminism in ordinary automata arises from forking and joining creating nontrivial homotopy. The automaton dual to a poset schedule is simply connected whereas that dual to an event structure schedule need not be, according to monoidal homotopy though not to group homotopy. We conclude...
Model checking of message sequence charts, 1999
Cited by 114 (6 self)
Scenario-based specifications such as message sequence charts (MSC) are an intuitive and visual way of describing design requirements. Such specifications focus on message exchanges among communicating entities in distributed software systems. Structured specifications such as MSC-graphs and Hierarchical MSC-graphs (HMSC) allow convenient expression of multiple scenarios, and can be viewed as an early model of the system. In this paper, we present a comprehensive study of the problem of verifying whether this model satisfies a temporal requirement given by an automaton, by developing algorithms for the different cases along with matching lower bounds. When the model is given as an MSC, model checking can be done by constructing a suitable automaton for the linearizations of the partial order specified by the MSC, and the problem is coNP-complete. When the model is given by an MSC-graph, we consider two possible semantics depending on the synchronous or asynchronous interpretation of concatenating two MSCs. For synchronous model checking of MSC-graphs and HMSCs, we present algorithms whose time complexity is proportional to the product of the size of the description and the cost of processing MSCs at individual vertices. Under the asynchronous interpretation, we prove undecidability of the model checking problem. We then identify a natural requirement of boundedness, give algorithms to check boundedness, and establish asynchronous model checking to be Pspace-complete for bounded MSC-graphs and Expspace-complete for bounded HMSCs.
Modelling Knowledge and Action in Distributed Systems
Distributed Computing, 1988
Cited by 82 (28 self)
We present a formal model that captures the subtle interaction between knowledge and action in distributed systems. We view a distributed system as a set of runs, where a run is a function from time to global states and a global state is a tuple consisting of an environment state and a local state for each process in the system. This model is a generalization of those used in many previous papers. Actions in this model are associated with functions from global states to global states. A protocol is a function from local states to actions. We extend the standard notion of a protocol by defining knowledge-based protocols, ones in which a process' actions may depend explicitly on its knowledge. Knowledge-based protocols provide a natural way of describing how actions should take place in a distributed system. Finally, we show how the notion of one protocol implementing another can be captured in our model. Some material in this paper appeared in preliminary form in [HF85]. An abridge...
A Graphical Interval Logic for Specifying Concurrent Systems
ACM Transactions on Software Engineering and Methodology, 1994
Cited by 50 (13 self)
The paper describes a graphical interval logic that is the foundation of a toolset supporting formal specification and verification of concurrent software systems. Experience has shown that most software engineers find standard temporal logics difficult to understand and to use. The objective of this work is to enable software engineers to specify and reason about temporal properties of concurrent systems more easily by providing them with a logic that has an intuitive graphical representation and with tools that support its use. To illustrate the use of the graphical logic, the paper provides some specifications for an elevator system and proves several properties of the specifications. The paper also describes the toolset and the implementation.
1 Introduction
One of the great challenges facing today's software engineers is the development of correct programs for real applications. Recent advances in hardware reliability and fault tolerance technology can assure extremely lo...
Deciding Properties for Message Sequence Charts, 1998
Cited by 50 (9 self)
Message sequence charts (MSC) are commonly used in designing communication systems. They allow describing the communication skeleton of a system and can be used for finding design errors. First, a specification formalism that is based on MSC graphs, combining finite message sequence charts, is presented. We present then an automatic validation algorithm for systems described using the message sequence charts notation. The validation problem is tightly related to a natural language-theoretic problem over semi-traces (a generalization of Mazurkiewicz traces, which represent partially ordered executions). We show that a similar and natural decision problem is undecidable.
Rapide: A Language and Toolset for Simulation of Distributed Systems by Partial Orderings of Events
Princeton University, 1996
Cited by 49 (2 self)
This paper describes the Rapide concepts of system architecture, causal event simulation, and some of the tools for viewing and analysis of causal event simulations. Illustration of the language and tools is given by a detailed small example.
1 Introduction
Rapide-1.0 [LKA+95], [LV95] is a computer language for defining and executing models of system architectures. The result of executing a Rapide model is a set of events that occurred during the execution together with causal and timing relationships between events. The production of causal history as a simulation result is, at present, unique to Rapide among event-based languages. Sets of events with causal histories are called posets (partially ordered event sets). Simulators that produce posets provide many new opportunities for analysis of models of distributed and concurrent systems. Rapide-1.0 is structured as a set of languages consisting of the Types, Patterns, Architecture, Constraint, and Executable Module languages...
Action Logic and Pure Induction
Logics in AI: European Workshop JELIA '90, LNCS 478, 1991
Cited by 47 (6 self)
In Floyd-Hoare logic, programs are dynamic while assertions are static (hold at states). In action logic the two notions become one, with programs viewed as on-the-fly assertions whose truth is evaluated along intervals instead of at states. Action logic is an equational theory ACT conservatively extending the equational theory REG of regular expressions with operations preimplication a→b (had a then b) and postimplication b/a (b if-ever a). Unlike REG, ACT is finitely based, makes a reflexive transitive closure, and has an equivalent Hilbert system. The crucial axiom is that of pure induction, (a→a) = a→a. This work was supported by the National Science Foundation under grant number CCR-8814921.
1 Introduction
Many logics of action have been proposed, most of them in the past two decades. Here we define action logic, ACT, a new yet simple juxtaposition of old ideas, and show off some of its attractive aspects. The language of action logic is that of equational regular expressio...