## Proving Possibility Properties (1998)

### Download Links

- [research.compaq.com]
- [research.microsoft.com]
- DBLP

### Other Repositories/Bibliography

Citations: 3 (0 self-citations)

### BibTeX

```bibtex
@TECHREPORT{Lamport98provingpossibility,
  author      = {Leslie Lamport},
  title       = {Proving Possibility Properties},
  institution = {},
  year        = {1998}
}
```

### Abstract

A method is described for proving "always possibly" properties of specifications in formalisms with linear-time trace semantics. It is shown to be relatively complete for TLA (Temporal Logic of Actions) specifications.

Key words: Branching time, linear time, temporal logic.

1 Introduction

Does proving possibility properties provide any useful information about a system? Why prove that it is possible for a user to press q on the keyboard and for a q subsequently to appear on the screen? We know that the user can always press the q key, and what good is knowing that a q might appear on the screen? Isn't it enough to prove that no q appears on the screen unless a q is typed (a safety property), and that, if a q is typed, then a q eventually does appear (a liveness property)? Although possibility properties may tell us nothing about a system, we do not reason about a system; we reason about a mathematical model of a system. A possibility property can provide a sanity check on our model. P...

### Citations

1501 | The Temporal Logic of Reactive and Concurrent Systems: Specifications
- Manna, Pnueli
- 1992
Citation context: ...ing branching-time specification, and hence the same model checking algorithm. 2 Possibility and Closure 2.1 Closure and Safety We begin by reviewing some basic concepts of linear-time temporal logic [10]. A behavior is an infinite sequence of states or of events; for now, it doesn't matter which. The meaning $[[F]]$ of a temporal-logic formula $F$ is a Boolean-valued function on behaviors. We say that th...

1108 | Temporal and Modal Logic
- Emerson
- 1990
Citation context: ...Elsevier Preprint 9 March 1998 TLA, the Temporal Logic of Actions [8], and prove a relative completeness result. Possibility properties pose no problem in formalisms based on branching-time semantics [4]. However, it is impossible to assert in linear-time temporal logic that something is always possible [6]. It is therefore not obvious how to prove possibility properties in the formalisms that we con...

806 | The temporal logic of actions
- Lamport
- 1994
Citation context: ...approach, which applies to any formalism with a linear-time semantics. We then show how the method is used with TLA, the Temporal Logic of Actions [8], and prove a relative completeness result. Possibility properties pose no problem in formalisms based on branching-time semantics [4]. However, it is impossible to assert in linear-time temporal logi...

366 | Hierarchical correctness proofs for distributed algorithms
- Lynch, Tuttle
- 1987
Citation context: ...to) a Büchi automaton [2] with a strongly connected state graph is the automaton obtained by making every state an accepting state. The closure of a specification written as a state transition system [5,9] is obtained by removing the fairness properties, if those properties are expressed as fairness conditions on transitions. We do not know of any practical method for computing the closure of arbitrary...

205 | An old-fashioned recipe for real time
- Abadi, Lamport
- 1994
Citation context: ...ce ## implies ###, for any #, substituting $N_{xy}$ for both $N$ and $M$ in the proposition proves that $C(\Phi_{xy}) = (x = y = 0) \wedge \Box[N_{xy}]_{\langle x, y \rangle}$. For $M = N$, Proposition 3 is a special case of Proposition 2 of [1]. A formula of the form $\mathit{Init} \wedge \Box[N]_v \wedge F$ is called machine closed [1] if its closure equals $\mathit{Init} \wedge \Box[N]_v$. Proposition 3 implies that such a formula is machine closed if $F$ is the conjunction of fairn...
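The following worked example of machine closure is added here and is not part of the paper or of this index page; the one-variable counter specification it uses ($\mathit{Init}$, $N$, $v$ as defined below) is an assumption made for illustration. Let

$$\mathit{Init} \;\triangleq\; (x = 0), \qquad N \;\triangleq\; (x' = x + 1), \qquad v \;\triangleq\; x,$$

and compare the two liveness conjuncts

$$\Phi_1 \;\triangleq\; \mathit{Init} \wedge \Box[N]_x \wedge \mathrm{WF}_x(N), \qquad \Phi_2 \;\triangleq\; \mathit{Init} \wedge \Box[N]_x \wedge \Diamond\Box(x = 0).$$

Every finite sequence of states permitted by $\mathit{Init} \wedge \Box[N]_x$ is a nondecreasing run $0, 0, 1, 1, 2, \ldots$ in which each step either stutters or raises $x$ by one; it extends to an infinite behavior of $\Phi_1$ by incrementing $x$ forever, so

$$C(\Phi_1) \;=\; \mathit{Init} \wedge \Box[N]_x,$$

and $\Phi_1$ is machine closed, as expected for a fairness conjunct. Under $[N]_x$ the value of $x$ never decreases, so a behavior satisfying $\Diamond\Box(x = 0)$ must have $x = 0$ in every state; hence

$$\Phi_2 \;\equiv\; \Box(x = 0), \qquad C(\Phi_2) \;=\; \Box(x = 0) \;\neq\; \mathit{Init} \wedge \Box[N]_x ,$$

because the safety part permits the prefix $x = 0, x = 1$ that no behavior of $\Phi_2$ extends. So $\Phi_2$ is not machine closed, even though $\Diamond\Box(x = 0)$ on its own is a liveness property (any finite sequence of states extends to one satisfying it by appending $x = 0$ forever). This is the situation a possibility proof is meant to catch: the conjunct silently removed the reachable state $x = 1$ from the model.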

179 | Recognizing safety and liveness
- Alpern, Schneider
- 1987
Citation context: ...ted. It is easy to compute closures when specifications are written as certain kinds of transition systems. For example, the closure of (the temporal-logic formula corresponding to) a Büchi automaton [2] with a strongly connected state graph is the automaton obtained by making every state an accepting state. The closure of a specification written as a state transition system [5,9] is obtained by remo...

30 | win and sin: Predicate transformers for concurrency
- Lamport
- 1990
Citation context: ...g, forming tuples, and primitive recursive definitions. Relative completeness results for programming logics are generally based on some form of predicate transformer analogous to the sin operator of [7]. For any action $A$ and state predicate $P$, the state predicate $\mathit{sin}(A, P)$ can be defined by $$[[\mathit{sin}(A, P)]](s) \;\triangleq\; \exists\, s_0, \ldots, s_n \in S : (s = s_n) \wedge [[P]](s_0) \wedge (\forall\, i < n : [[A]](s_i, s_{i+1})) \qquad (6)$$ f...
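As an added worked instance of definition (6), not taken from the paper or this index page, assume the counter specification $\mathit{Init} \triangleq (x = 0)$, $N \triangleq (x' = x + 1)$, $v \triangleq x$, with $S$ the set of states, $x(s)$ the value of $x$ in state $s$, and $[N]_x$ the action $(x' = x + 1) \vee (x' = x)$. Instantiating (6) with $A = [N]_x$ and $P = \mathit{Init}$ gives

$$[[\mathit{sin}([N]_x, \mathit{Init})]](s) \;=\; \exists\, s_0, \ldots, s_n \in S : (s = s_n) \wedge (x(s_0) = 0) \wedge \bigl(\forall\, i < n : x(s_{i+1}) = x(s_i) + 1 \;\vee\; x(s_{i+1}) = x(s_i)\bigr).$$

Each step of the chain leaves $x$ unchanged or raises it by one, so $x(s_n) = x(s_0) + k$ for some $0 \le k \le n$, and therefore $x(s) \in \mathbb{N}$ whenever the right-hand side holds. Conversely, if $x(s) = k \in \mathbb{N}$, the chain with $x(s_0) = 0, x(s_1) = 1, \ldots, x(s_k) = k$ is a witness. Hence

$$\mathit{sin}([N]_x, \mathit{Init}) \;\equiv\; (x \in \mathbb{N}),$$

the set of states reachable from $\mathit{Init}$ by $[N]_x$ steps. It is the strongest invariant of $\mathit{Init} \wedge \Box[N]_x$: any state predicate $I$ with $\models \mathit{Init} \wedge \Box[N]_x \Rightarrow \Box I$, such as $x \ge 0$ or $x \ne -1$, is implied by it, which is the role this predicate transformer plays in the relative-completeness argument.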

12 | Specifying modules to satisfy interfaces: A state transition system approach. In Distributed Computing, Springer-Verlag. To be published. (Also Tech...
- Lam, S., et al.
- 1992
Citation context: ...to) a Büchi automaton [2] with a strongly connected state graph is the automaton obtained by making every state an accepting state. The closure of a specification written as a state transition system [5,9] is obtained by removing the fairness properties, if those properties are expressed as fairness conditions on transitions. We do not know of any practical method for computing the closure of arbitrary...

7 | 'Sometime' is sometimes 'not never': a tutorial on the temporal logic of programs
- Lamport
- 1980
Citation context: ...result. Possibility properties pose no problem in formalisms based on branching-time semantics [4]. However, it is impossible to assert in linear-time temporal logic that something is always possible [6]. It is therefore not obvious how to prove possibility properties in the formalisms that we consider, which are based on linear-time semantics. We are concerned with proofs, not finite-state model che...

6 | Ten years of Hoare's logic: A survey, part one
- Apt
- 1981
Citation context: ...$N$, and $\mathit{sin}([N]_v, \mathit{Init})$ are expressible. (3) $\models \mathit{Init} \wedge \Box[N]_v \Rightarrow \Box I$ then $\vdash \mathit{Init} \wedge \Box[N]_v \Rightarrow \Box I$. Proposition 4 is essentially the TLA version of the classical completeness results for Hoare logics [3]. We use it to show completeness of our method for proving possibility properties: Proposition 5 If (1) Every valid expressible action formula is provable. (2) $P$, $\mathit{Init}$, $v$, $N$, and $\mathit{sin}([N]_v, \mathit{Init}$...