Formal But Lively Buffers in TLA, 1996
Abstract

Cited by 3 (3 self)
I perform some rigorous verifications in TLA, by using simple examples which nevertheless illustrate TLA techniques, in particular liveness proofs. Since the method of invariants for safety proofs is well understood, our example needs only the trivial invariant, which is simply omitted. We specify in TLA a buffer implemented as an array, a double buffer implemented as two arrays in series, and an abstract buffer which uses a sequence. We prove, formally and rigorously, that the two 'implementations' implement the abstract buffer. The nontrivial part is the proof of liveness.

1 The Problem

When she was told Calvin Coolidge had died, Dorothy Parker asked, "How could they tell?". If your system dies, how could you tell? The chances are slim if you don't specify that it shall live. Nonetheless, many specification methods, including most process algebraic approaches, omit a liveness requirement. Liveness can be hard to prove, which is maybe one reason why it isn't stated. And engineers wr...
Using The Temporal Logic of Actions: A Tutorial on TLA Verification
of Technology, Bielefeld University, 1997
Abstract

Cited by 3 (1 self)
Buffer with Operations

How does this fit together? The concrete buffer simulates the abstract buffer, and we shall prove that. Simulation means that
- they start in 'equivalent' states
- every action of the concrete buffer corresponds either to an action or to a nonaction of the abstract buffer
- when the concrete buffer is sufficiently 'live', then the abstract buffer actually does some desired action

This method of state machine simulation is common to many verification methods, for example
- TLA of Lamport
- the Input/Output machines of Tuttle, Lynch, Vaandrager (e.g. [Vaa])
- the method of Lam and Shankar (e.g. [LS84]), which is also TL-based

An alternative is to have actions only; then the operation of the system is an abstract machine simulation, but not a state machine simulation, since one doesn't have state. This is the setup in process algebra. But one ends up with state anyway: most process algebras have a way of defining state. How does one specify the ...