## A logic of events (2003)

Citations: 10 (7 self-citations)

### BibTeX

```bibtex
@TECHREPORT{Bickford03alogic,
  author      = {Mark Bickford and Robert L. Constable},
  title       = {A logic of events},
  institution = {},
  year        = {2003}
}
```

### Abstract

There is a well-established theory and practice for creating correct-by-construction functional programs by extracting them from constructive proofs of assertions of the form ∀x:A. ∃y:B. R(x, y). There have been several efforts to extend this methodology to concurrent programs, say by using linear logic, but there is no practice and the results are limited. In this paper we define a logic of events that justifies the extraction of correct distributed processes from constructive proofs that system specifications are achievable, and we describe an implementation of an extraction process in the context of constructive type theory. We show that a class of message automata, similar to IO automata and to active objects, are realizers for this logic. We provide a relative consistency result for the logic. We show an example of protocol derivation in this logic, and show how to embed temporal logics such as TLA+ in the event logic.

### Citations

3400 | Communicating Sequential Processes
- Hoare
- 1985
Citation Context: ...d in part by Lamport [38]. He considered relationships to Petri nets and to domain theory and established the generality of event systems, but he did not consider process extraction from proofs. Hoare [33] and Milner [48] created extremely influential process calculi and their work is the basis for exploring process realizability of logical formulas [7, 49, 50], but they do not take up the issue of ext...

3204 | Communication and Concurrency
- Milner
- 1989
Citation Context: ...port [38]. He considered relationships to Petri nets and to domain theory and established the generality of event systems, but he did not consider process extraction from proofs. Hoare [33] and Milner [48] created extremely influential process calculi and their work is the basis for exploring process realizability of logical formulas [7, 49, 50], but they do not take up the issue of extraction from pro...

2327 | Time, clocks, and the ordering of events in a distributed system
- Lamport
- 1978
Citation Context: ...t an abstract model that can capture the observable features of a distributed system. The fundamental types are locations and events which we can think of as space and time coordinates, as in Lamport [38]. Information is stored at a location as the value of a state variable or an observable and information is passed from one location to another along links in the form of messages. A message will consi...
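The passage above sketches the event-system model the paper builds on: locations as space coordinates, events linearly ordered at each location, state variables whose values live at a location, and messages along links relating a send to its receive. The Python below is an added illustration of that model, not code from the paper or from its Nuprl development. It constructs a two-location ping/pong exchange, computes Lamport's causal order as the transitive closure of local order and the send-to-receive relation, checks that a logical clock respects that order, and reads a state variable at a location after a given event. The event kinds, the state variables `x` and `y`, and the `ping`/`pong` messages are assumptions made for the illustration.

```python
"""Toy event system in Lamport's space/time style (constructed illustration,
not the paper's formalization). Locations are space coordinates, events at one
location are linearly ordered, and a message on a link (src, dst) relates the
send event at src to the receive event at dst."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    eid: int                                   # creation index, unique
    loc: str                                   # location (space coordinate)
    kind: str                                  # 'local', 'send' or 'recv'
    link: Optional[Tuple[str, str]] = None     # (src, dst) for send/recv
    msg: Optional[str] = None                  # message carried on the link
    update: Optional[Tuple[str, int]] = None   # (state variable, new value)


class EventSystem:
    def __init__(self) -> None:
        self.events: List[Event] = []             # in creation order
        self.by_loc: Dict[str, List[Event]] = {}  # local linear orders
        self.sender_of: Dict[int, int] = {}       # recv eid -> send eid

    def _add(self, kind: str, loc: str, **fields) -> Event:
        ev = Event(len(self.events), loc, kind, **fields)
        self.events.append(ev)
        self.by_loc.setdefault(loc, []).append(ev)
        return ev

    def local(self, loc: str, var: str, value: int) -> Event:
        """Internal event assigning a state variable at loc."""
        return self._add('local', loc, update=(var, value))

    def send(self, loc: str, dst: str, msg: str) -> Event:
        return self._add('send', loc, link=(loc, dst), msg=msg)

    def recv(self, loc: str, send_ev: Event) -> Event:
        """Receive of an earlier send; the link must be addressed to loc."""
        if send_ev.kind != 'send' or send_ev.link[1] != loc:
            raise ValueError('receive must match a send addressed to this location')
        ev = self._add('recv', loc, link=send_ev.link, msg=send_ev.msg)
        self.sender_of[ev.eid] = send_ev.eid
        return ev

    def immediate_predecessors(self, eid: int) -> List[int]:
        """Local predecessor at the same location plus the matching send."""
        ev = self.events[eid]
        seq = self.by_loc[ev.loc]
        i = seq.index(ev)
        preds = [seq[i - 1].eid] if i > 0 else []
        if eid in self.sender_of:
            preds.append(self.sender_of[eid])
        return preds

    def causal_past(self, eid: int) -> Set[int]:
        """All events that happen before eid (transitive closure)."""
        seen: Set[int] = set()
        stack = self.immediate_predecessors(eid)
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.immediate_predecessors(p))
        return seen

    def happens_before(self, a: Event, b: Event) -> bool:
        return a.eid in self.causal_past(b.eid)

    def concurrent(self, a: Event, b: Event) -> bool:
        return a is not b and not self.happens_before(a, b) and not self.happens_before(b, a)

    def lamport_clock(self) -> Dict[int, int]:
        """Logical clock C with e -> f implying C(e) < C(f)."""
        clock: Dict[int, int] = {}
        for ev in self.events:  # creation order already respects both relations
            preds = self.immediate_predecessors(ev.eid)
            clock[ev.eid] = 1 + max((clock[p] for p in preds), default=0)
        return clock

    def clock_respects_order(self) -> bool:
        clock = self.lamport_clock()
        return all(clock[p] < clock[e.eid]
                   for e in self.events for p in self.causal_past(e.eid))

    def state_at(self, loc: str, ev: Event) -> Dict[str, int]:
        """Values of the state variables at loc just after event ev."""
        state: Dict[str, int] = {}
        for e in self.by_loc[loc]:
            if e.update is not None:
                state[e.update[0]] = e.update[1]
            if e.eid == ev.eid:
                break
        return state


def build_example() -> Tuple[EventSystem, Dict[str, Event]]:
    """Constructed two-location exchange: A pings B, B pongs back."""
    es = EventSystem()
    b0 = es.local('B', 'y', 0)   # concurrent with A's first two events
    a1 = es.local('A', 'x', 1)
    a2 = es.send('A', 'B', 'ping')
    b1 = es.recv('B', a2)
    b2 = es.send('B', 'A', 'pong')
    a3 = es.recv('A', b2)
    a4 = es.local('A', 'x', 2)
    return es, {'a1': a1, 'a2': a2, 'a3': a3, 'a4': a4, 'b0': b0, 'b1': b1, 'b2': b2}


if __name__ == '__main__':
    es, e = build_example()
    print('b0 || a1:', es.concurrent(e['b0'], e['a1']), 'clock:', es.lamport_clock())
```

The causal order is well-founded by construction here because a receive can only be created from a send that already exists; `clock_respects_order` is the check a practitioner would actually run, since it fails the moment someone adds an edge that makes the order cyclic or gives a clock assignment that is not monotone along it. The same structure also covers the strand-space remark later on the page: a strand is one location whose local sequence consists only of send and receive events.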

1533 | Distributed Algorithms
- Lynch
- 1996
Citation Context: ... of Abramsky [4, 5] directed toward linear logic. These results are of considerable theoretical interest, but they have not been connected to practical verification. Verification based on IO Automata [42] has been directly modeled in Nuprl [11] and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and...

738 | Parallel Program Design: A Foundation
- Chandy, Misra
- 1988
Citation Context: ...ynthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logics [62, 55] or on temporal logic [44, 45], especially Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 2...

471 | The calculus of constructions
- Coquand, Huet
- 1988
Citation Context: ...in this logic, and show how to embed temporal logics such as TLA+ in the event logic. 1 Introduction. The idea of creating functional programs that are correct-by-construction is old and well-studied [20, 9, 22, 19, 47, 52]. Several implementations by extraction have been built based on the concept of proofs-as-programs (e.g. Alf, MetaPRL, Nuprl, Coq, Lego), and many interesting examples are well-known, including soluti...

453 | The Chemical Abstract Machine
- Berry, Boudol
- 1989
Citation Context: ...hing worthy of the name proofs-as-processes principle. In 1994 Samson Abramsky wrote an article [4] under this title in which linear logic was the basic logic and certain nondeterministic programs in [10] were considered as realizers. Robin Milner and his students also took up this challenge, and there are now a number of results along these lines [7, 49]. In this paper we look at a different approach...

387 | Temporal Verification of Reactive Systems: Safety
- Manna, Pnueli
- 1995
Citation Context: ... for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logics [62, 55] or on temporal logic [44, 45], especially Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-a...

265 | Constructive mathematics and computer programming
- Martin-Löf
- 1982
Citation Context: ...in this logic, and show how to embed temporal logics such as TLA+ in the event logic. 1 Introduction. The idea of creating functional programs that are correct-by-construction is old and well-studied [20, 9, 22, 19, 47, 52]. Several implementations by extraction have been built based on the concept of proofs-as-programs (e.g. Alf, MetaPRL, Nuprl, Coq, Lego), and many interesting examples are well-known, including soluti...

263 | Event structures
- Winskel
- 1986
Citation Context: ... = 〈c2, strong, w.id〉 ∃g : viewid. g ≥ v.id ∧ vote when ep = 〈c1, strong, g〉 □ 10 Conclusion. 10.1 Related Work. Winskel considered event systems in his 1980 Ph.D. thesis [60] and in other publications [61], inspired in part by Lamport [38]. He considered relationships to Petri nets and to domain theory and established the generality of event systems, but he did not consider process extraction from proof...

248 | The Ensemble System
- Hayden
- 1998
Citation Context: ...ARPA grant F30602-98-2-0198 and NSF grant CCR-0208536. [Footnote 1] The specification language arose from our experience in describing and proving properties of implemented protocols in systems such as Ensemble [13, 12, 14, 31, 32, 37, 36, 41, 58], UAV [35], and MediaNet [54]. Our approach to presenting the logic is to follow Martin-Löf’s discipline for type theory; that is, present the computation system first and then introduce types and log...

177 | Using branching time temporal logic to synthesize synchronization skeletons
- Emerson, Clarke
- 1982
Citation Context: ...62, 55] or on temporal logic [44, 45], especially Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] use models with some of the properties of our worlds. Abraham [1, 2, 3] uses classical multi-sorted first order logic to model p...

160 | Synthesis of communicating processes from temporal logic specifications
- Manna, Wolper
- 1984
Citation Context: ...n directly modeled in Nuprl [11] and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and Wolper [46], and Leonard and Heitmeyer [40] for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logic...

150 | Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers
- Lamport
- 2002
Citation Context: ...ference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logics [62, 55] or on temporal logic [44, 45], especially Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] ...

150 | Elements of interaction
- Milner
- 1993
Citation Context: ...t consider process extraction from proofs. Hoare [33] and Milner [48] created extremely influential process calculi and their work is the basis for exploring process realizability of logical formulas [7, 49, 50], but they do not take up the issue of extraction from proofs either. One of the most direct approaches to using proofs as processes is the work of Abramsky [4, 5] directed toward linear logic. These ...

101 | Proofs as programs
- Bates, Constable
- 1985
Citation Context: ...in this logic, and show how to embed temporal logics such as TLA+ in the event logic. 1 Introduction. The idea of creating functional programs that are correct-by-construction is old and well-studied [20, 9, 22, 19, 47, 52]. Several implementations by extraction have been built based on the concept of proofs-as-programs (e.g. Alf, MetaPRL, Nuprl, Coq, Lego), and many interesting examples are well-known, including soluti...

90 | Strand spaces: Proving security protocols correct
- Fábrega, Herzog, et al.
Citation Context: ...m ∀P : Prop_i. P ∨ ¬P to the Event Logic defined in this paper. 10.3 Spaces of Events. The Event Logic formalism allows us to discuss classes and structured spaces of events. For example, Strand spaces [56] consist of sequences of send and receive messages at a process and sequences of send and receive messages of a penetrator process trying to break security. Thus strands are locations in event structu...

85 | Modelling knowledge and action in distributed systems
- Halpern, Fagin
- 1989
Citation Context: ...Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] use models with some of the properties of our worlds. Abraham [1, 2, 3] uses classical multi-sorted first order logic to model processes whose state transitions are events. He also linearly orders e...

74 | Implementing Mathematics with the Nuprl Development System
- Constable
- 1986

73 | Building reliable, high-performance communication systems from components
- Liu, Kreitz, et al.
- 1999
Citation Context: ...ARPA grant F30602-98-2-0198 and NSF grant CCR-0208536. [Footnote 1] The specification language arose from our experience in describing and proving properties of implemented protocols in systems such as Ensemble [13, 12, 14, 31, 32, 37, 36, 41, 58], UAV [35], and MediaNet [54]. Our approach to presenting the logic is to follow Martin-Löf’s discipline for type theory; that is, present the computation system first and then introduce types and log...

63 | CC++: A declarative concurrent object oriented programming notation
- Chandy, Kesselman
- 1993
Citation Context: ...roofs of system specifications that arise in practice. The abstract realizers are called message automata, and they resemble the IO automata of Lynch and Tuttle [43], and the active objects of Chandy [15]. * This work was supported by the DoD Multidisciplinary University Research Initiative (MURI) program administered by the Office of Naval Research, under Grant N00014-01-1-0765, and by DARPA grant F3...

62 | Mechanized proofs for a recursive authentication protocol
- Paulson
- 1997

61 | Events in computation
- Winskel
- 1980
Citation Context: ... ∧ View(ep) = w ∧ vote when ep = 〈c2, strong, w.id〉 ∃g : viewid. g ≥ v.id ∧ vote when ep = 〈c1, strong, g〉 □ 10 Conclusion. 10.1 Related Work. Winskel considered event systems in his 1980 Ph.D. thesis [60] and in other publications [61], inspired in part by Lamport [38]. He considered relationships to Petri nets and to domain theory and established the generality of event systems, but he did not conside...

49 | Specifications and proofs for Ensemble layers
- Hickey, Lynch, et al.
- 1999
Citation Context: ...ARPA grant F30602-98-2-0198 and NSF grant CCR-0208536. [Footnote 1] The specification language arose from our experience in describing and proving properties of implemented protocols in systems such as Ensemble [13, 12, 14, 31, 32, 37, 36, 41, 58], UAV [35], and MediaNet [54]. Our approach to presenting the logic is to follow Martin-Löf’s discipline for type theory; that is, present the computation system first and then introduce types and log...

49 | An evaluation semantics for classical proofs
- Murthy
- 1991
Citation Context: ...ons by extraction have been built based on the concept of proofs-as-programs (e.g. Alf, MetaPRL, Nuprl, Coq, Lego), and many interesting examples are well-known, including solutions of Higman’s lemma [51] and a recent program for Buchberger’s Gröbner basis algorithm [57]. The extracted functional programs are called realizers for propositions. In this paper we deal with logics such as constructive typ...

48 | On Concurrent Programming
- Schneider
- 1997
Citation Context: ...and Leonard and Heitmeyer [40] for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logics [62, 55] or on temporal logic [44, 45], especially Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. R...

46 | Knowledge-based programs
- Fagin, Halpern, et al.
- 1997
Citation Context: ...Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] use models with some of the properties of our worlds. Abraham [1, 2, 3] uses classical multi-sorted first order logic to model processes whose state transitions are events. He also linearly orders e...

41 | Proofs as processes
- Abramsky
- 1994
Citation Context: ...to extend this methodology to concurrent programs by extending the proofs-as-programs principle to something worthy of the name proofs-as-processes principle. In 1994 Samson Abramsky wrote an article [4] under this title in which linear logic was the basic logic and certain nondeterministic programs in [10] were considered as realizers. Robin Milner and his students also took up this challenge, and t...

38 | Building adaptive systems using Ensemble (Software: Practice and Experience)
- Renesse, KP, et al.
- 1998

35 | An automata-theoretic approach to fair realizability and synthesis
- Vardi
- 1995
Citation Context: .... Verification based on IO Automata [42] has been directly modeled in Nuprl [11] and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and Wolper [46], and Leonard and Heitmeyer [40] for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and fo...

34 | The Horus and Ensemble projects: Accomplishments and limitations
- Birman, Constable, et al.
- 2000

29 | Semantic foundations for embedding HOL in Nuprl
- Howe
- 1996
Citation Context: ...reat the issue of finding a constructive sublanguage from whose proofs it might be possible to extract distributed systems. Our work shows how this can be done. For a start, using the methods of Howe [34], the underlying logic of TLA+ can be embedded in a constructive logic such as Nuprl. Secondly, the temporal logic can be reduced to our event logic, as we now sketch. Essentially the TLA+ process m...

27 | A proof environment for the development of group communication systems
- Kreitz, Hayden, et al.
- 1998

21 | Application of the QuO Quality-of-Service Framework to a Distributed Video
- Karr, Rodrigues, et al.
- 2001
Citation Context: ...CCR-0208536. [Footnote 1] The specification language arose from our experience in describing and proving properties of implemented protocols in systems such as Ensemble [13, 12, 14, 31, 32, 37, 36, 41, 58], UAV [35], and MediaNet [54]. Our approach to presenting the logic is to follow Martin-Löf’s discipline for type theory; that is, present the computation system first and then introduce types and logic as a wa...

19 | From action calculi to linear logic
- Barber, Gardner, et al.
- 1997
Citation Context: ...ic logic and certain nondeterministic programs in [10] were considered as realizers. Robin Milner and his students also took up this challenge, and there are now a number of results along these lines [7, 49]. In this paper we look at a different approach to the problem. We aim to extract distributed systems from proofs of system specifications that arise in practice. The abstract realizers are called mes...

18 | On the relationship between strand spaces and multi-agent systems
- Halpern, Pucella

17 | On interprocess communication and the implementation of multi-writer atomic registers
- Abraham
- 1995
Citation Context: ... next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] use models with some of the properties of our worlds. Abraham [1, 2, 3] uses classical multi-sorted first order logic to model processes whose state transitions are events. He also linearly orders events at a process and assumes a causal order on events generated by the ...

17 | Proving invariants of I/O automata with TAME
- Archer, Heitmeyer, et al.
- 2002
Citation Context: ...se results are of considerable theoretical interest, but they have not been connected to practical verification. Verification based on IO Automata [42] has been directly modeled in Nuprl [11] and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and Wolper [46], and Leonard and Heitmeyer [40] for dif...

15 | Constructive mathematics and automatic program writers
- Constable
- 1971

15 | Nuprl’s class theory and its applications
- Constable, Hickey
- 2000
Citation Context: ... will have inputs 〈tag, link〉. 2.5 Typing and Examples. Message automata are formalized in the type theory on which the logic of events is based. Our investigations started with such a formalization [11, 21]. We leave these details to the examples that appear later. 3 Event Systems. We want an abstract model that can capture the observable features of a distributed system. The fundamental types are locati...

13 | Synthesis of synchronization skeletons from branching time temporal logic
- Clarke, Emerson
- 1982
Citation Context: ...O Automata [42] has been directly modeled in Nuprl [11] and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and Wolper [46], and Leonard and Heitmeyer [40] for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are bas...

11 | A Machine-Checked Implementation of Buchberger’s Algorithm
- Théry
- 2001
Citation Context: ...-programs (e.g. Alf, MetaPRL, Nuprl, Coq, Lego), and many interesting examples are well-known, including solutions of Higman’s lemma [51] and a recent program for Buchberger’s Gröbner basis algorithm [57]. The extracted functional programs are called realizers for propositions. In this paper we deal with logics such as constructive type theory, in which all provable assertions have realizers. For many...

10 | An introduction to Input/Output automata. Centrum voor Wiskunde en
- Lynch, Tuttle
- 1989
Citation Context: ...m to extract distributed systems from proofs of system specifications that arise in practice. The abstract realizers are called message automata, and they resemble the IO automata of Lynch and Tuttle [43], and the active objects of Chandy [15]. * This work was supported by the DoD Multidisciplinary University Research Initiative (MURI) program administered by the Office of Naval Research, under Grant ...

9 | Process realizability
- Abramsky
- 2000
Citation Context: ...alizability of logical formulas [7, 49, 50], but they do not take up the issue of extraction from proofs either. One of the most direct approaches to using proofs as processes is the work of Abramsky [4, 5] directed toward linear logic. These results are of considerable theoretical interest, but they have not been connected to practical verification. Verification based on IO Automata [42] has been direc...

8 | Predicate transformers for infinite-state automata in Nuprl type theory
- Bickford, Hickey
- 1999
Citation Context: ... will have inputs 〈tag, link〉. 2.5 Typing and Examples. Message automata are formalized in the type theory on which the logic of events is based. Our investigations started with such a formalization [11, 21]. We leave these details to the examples that appear later. 3 Event Systems. We want an abstract model that can capture the observable features of a distributed system. The fundamental types are locati...

7 | Automated fast-track reconfiguration of group communication systems. Pages 104–118 of
- Kreitz
- 1999

7 | Program synthesis from formal requirements specifications using APTS. Higher-Order and Symbolic Computation
- Leonard, Heitmeyer
- 2003
Citation Context: ... and PVS [6] and it is subsumed here as the special case where we reason directly about message automata. See also Vardi [59], Clarke and Emerson [17], Manna and Wolper [46], and Leonard and Heitmeyer [40] for different notions of synthesis that reference the meaning we intend. Many logics used for practical reasoning and formal verification are based on programming logics [62, 55] or on temporal logic ...

5 | An environment for automated reasoning about partial functions
- Basin
- 1988

5 | Proving hybrid protocols correct
- Bickford, Kreitz, et al.
- 2001

5 | A refinement theory that supports reasoning about knowledge and time for synchronous agents
- Engelhardt, Meyden, et al.
- 2001
Citation Context: ...Unity [16] and TLA+ [39]. We look at the relationship between TLA+ and our work in the next section. Temporal logic has a limited role in synthesis [23]. Results on knowledge in multi-agent systems [24, 25, 26, 27, 28, 30] use models with some of the properties of our worlds. Abraham [1, 2, 3] uses classical multi-sorted first order logic to model processes whose state transitions are events. He also linearly orders e...