Citation for published version (APA):

Kuiper, R. (1987). Enforcing nondeterminism via linear time temporal logic specifications. (Computing science notes; Vol. 8705). Technische Universiteit Eindhoven.

Document status and date: Published: 01/01/1987

Document Version:

Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website.

• The final author version and the galley proof are versions of the publication after peer review.

• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain

• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:

www.tue.nl/taverne Take down policy

If you believe that this document breaches copyright please contact us at: openaccess@tue.nl

providing details and we will investigate your claim.


COMPUTING SCIENCE NOTES

This is a series of notes of the Computing Science Section of the Department of Mathematics and Computing Science of Eindhoven University of Technology. Since many of these notes are preliminary versions or may be published elsewhere, they have a limited distribution only and are not for review. Copies of these notes are available from the author or the editor.

Eindhoven University of Technology
Department of Mathematics and Computing Science
P.O. Box 513
5600 MB Eindhoven
The Netherlands

All rights reserved

Enforcing Nondeterminism via Linear Time Temporal Logic Specifications

Ruurd Kuiper

Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.

March 1987

ABSTRACT

It is shown how some amount of nondeterminism can be enforced via linear time temporal logic. This is achieved through extending the notion of specification rather than changing the logic, i.e., no recourse is taken to branching time. The treatment is compared, both in intent and with respect to realization, to a similar approach using predicate transformers.

1. Introduction

A specification describes requirements which further developments or implementations must fulfill in order to satisfy it. Usually, many decisions are deliberately left open to be filled in at later stages. Consequently, specifications usually contain nondeterminism which will, perhaps only in part, be resolved later.

For example, if production of either of the actions $a$, $b$, $c$ or $d$ will satisfy the user, a component $S$ might, for the moment using without further explanation an intuitively obvious notation, be specified by

$S\ \mathit{sat}\ a \vee b \vee c \vee d.$

The customary interpretation of such a specification is to allow $S$ to be implemented by any process of which the output is in the set $\{a, b, c, d\}$. For instance, by a process $a$, which always produces $a$ when activated, but also by $a \vee c$, which produces either an $a$ or a $c$ upon different activations.

This kind of nondeterminism, say allowed nondeterminism, is not required of the implementation at all and only leaves some freedom to the implementor due to deliberate vagueness in the specification.

A completely different kind of nondeterminism, say required nondeterminism, is the nondeterminism which the implementation should possess.

For example, a random number generator should not always generate the same number when activated. Yet a specification like

$S\ \mathit{sat}\ x := x'\ (x' \in \mathbb{N}),$

interpreted similarly as above as containing allowed nondeterminism, does not guarantee this; an implementation which always assigns, say, 5 to $x$ would perfectly satisfy this specification.

Usually, specification methods make use of the first kind of nondeterminism to allow general specifications, but cannot handle the second kind. Branching time temporal logic, which describes behaviour as sets of trees, is one of the few exceptions. Linear time temporal logic, describing behaviour as sets of sequences, does, in its usual form, not have this expressive ability. There are, however, many different considerations which at present leave the debate as to which of the two is the most suitable wide open.

We will present and discuss a way to enable, in the context of linear time temporal logic, specification of a modest amount of required nondeterminism. The idea is to limit the extent to which the allowed nondeterminism may be resolved, by additionally specifying a lower bound. This forces implementations to possess a degree of nondeterminism between the bounds set by the required and the allowed nondeterminism.

For the above examples such lower bounds might be, respectively, $a \vee c$ and

$x := x'\ (x' \in \{1, \ldots, 100\}).$

In section 2 we briefly discuss the (only) approach similar to ours we know of, namely [Fr77]. This is carried out in the context of predicate transformers and safety properties, but it will be seen that a more general idea underlies his approach. In section 3 we show how this can be used for linear time temporal logic specifications. The interaction with development is discussed in the next section. In section 5 a brief look is taken at the situation for branching time temporal logic. The last section contains some discussion.

2. A precursor: required nondeterminism and predicate transformers

In [Fr77], Francez addresses specifying required nondeterminism using predicate transformers. We look at the example given above, $S\ \mathit{sat}\ a \vee b \vee c \vee d$, with the extra aim to specify some required nondeterminism. Let the specification of $S$ be given as

$\{\phi\}\ S\ \{\psi\}.$

In the usual weakest precondition approach, only considering allowed nondeterminism, this means that $S$ has to satisfy

(i) $\phi \Rightarrow \mathit{wp}(S, \psi)$

where, in this example, $\phi = \mathit{true}$ and $\psi = a \vee b \vee c \vee d$.

This only gives an upper bound to the allowed nondeterministic behaviour of $S$ and allows implementations like, e.g., $S = b$.

The idea in [Fr77] now is to enforce $\psi$ as a lower bound on required nondeterminism as well, again using weakest preconditions. The extra part of the satisfaction notion is that $S$ should also satisfy

(ii) $\forall \psi^* \neq \psi\ [(\psi^* \Rightarrow \psi) \Rightarrow \neg(\phi \Rightarrow \mathit{wp}(S, \psi^*))],$

where again in this example $\phi = \mathit{true}$ and $\psi = a \vee b \vee c \vee d$.

It can be easily seen that together these requirements limit the implementations to $a \vee b \vee c \vee d$ only: (ii) states that $S$ guarantees no postcondition strictly stronger than $\psi$, and an implementation that can omit one of the four outputs guarantees the disjunction of the outputs it does produce, which is such a stronger postcondition.

In this example, lower and upper bound coincide. The words lower and upper suggest, although [Fr77] does not claim this, noncoinciding bounds, allowing a range of implementations in between them. This might, for instance, be denoted by

$\{\phi\}\ S\ \{\psi, \underline{\psi}\},$

where $\psi$ is the upper and $\underline{\psi}$ the lower bound.

Intuitively, expressed in terms of an obvious semantics of i/o pairs, the lower/upper bound approach, in our view, aims at achieving the following kind of constraints. Let $\langle i, a \rangle$ denote: on any input, produce $a$. Take as upper and lower bound requirements respectively

$\psi = a \vee b \vee c \vee d,$
$\underline{\psi} = a \vee c.$

Then the desired constraint on $S$ would be

$\{\langle i,a \rangle, \langle i,c \rangle\} \subseteq [S] \subseteq \{\langle i,a \rangle, \langle i,b \rangle, \langle i,c \rangle, \langle i,d \rangle\},$

i.e., allowing the implementations $a \vee c$, $a \vee b \vee c$, $a \vee c \vee d$ and $a \vee b \vee c \vee d$.

Unfortunately, using (ii) with $\underline{\psi}$ as $\psi$ does not give the desired result. Namely, (ii) now is of the form

$\forall \psi^* \neq \underline{\psi}\ [(\psi^* \Rightarrow \underline{\psi}) \Rightarrow \neg(\phi \Rightarrow \mathit{wp}(S, \psi^*))].$

Consider the implementation $S = b$. As $S$ produces only $b$, $S$ does not satisfy $\phi \Rightarrow \mathit{wp}(S, a \vee c)$, which will remain the case if $a \vee c$ is strengthened; so (ii) holds vacuously. Hence $S$ is, contrary to the intuition, allowed as an implementation of $\{\phi\}\ S\ \{\psi, \underline{\psi}\}$, and the approach in [Fr77] is limited to coinciding lower and upper bounds.

In the next section, the lower/upper bound approach will be adapted to linear time temporal logic specifications and extended to enable the use of lower and upper bounds that do not coincide.

3. Enforcing required nondeterminism in linear time temporal logic

In linear time temporal logic (LTL) we take both the specification, $\psi$, and the semantics, $[S]$, of an implementation $S$ to be an LTL formula. Such a formula in turn can be interpreted as characterizing a set of (state) sequences, namely those for which it is true.

The customary satisfaction relation when considering only allowed nondeterminism is then straightforward:

$S\ \mathit{sat}\ \psi \equiv [S] \Rightarrow \psi.$

Intuitively this means that the set of sequences that can be generated by $S$ is included in the set allowed by $\psi$. It is clear that any less nondeterministic implementation $S'$, meaning that the set of sequences it can generate is smaller, which in turn means that $[S'] \Rightarrow [S]$, satisfies $\psi$ as well. So the implication makes it impossible to specify required fairness. Establishing a lower bound is the solution and, in the LTL framework, can be easily incorporated in a manner reflecting the intuitive set inclusion as mentioned in the previous section.

Define

$S\ \mathit{sat}\ \langle \underline{\psi}, \psi \rangle \equiv \underline{\psi} \Rightarrow [S] \Rightarrow \psi.$

The specification of the example, in the formal notation as used in [BKP84], i.e. assuming sequences to have labels indicating environment ($E$) steps and component ($\Pi$) steps, then becomes

$S\ \mathit{sat}\ \langle \underline{\psi}, \psi \rangle,$

where

$\underline{\psi} = E\ \mathcal{U}\ (\Pi \wedge (a \vee c))\ C\ \mathit{fin}$

(which informally states: starting with environment steps $E$, until a component step producing $a$ or $c$, after which the component stops) and

$\psi = E\ \mathcal{U}\ (\Pi \wedge (a \vee b \vee c \vee d))\ C\ \mathit{fin}.$

Remarks

(i) An alternative way to enable specifying required nondeterminism may seem to be to change the implication to equivalence (this, in fact, is the situation in [Fr77]):

$P\ \mathit{sat}\ \psi \equiv [P] = \psi.$

This indeed fulfills the aim, but does not possess the lower and upper bound flexibility. Consequently, extra allowed nondeterminism can now only be obtained by explicitly listing the allowed alternatives, e.g., via exclusive or notation:

$S\ \mathit{sat}\ \psi_1 \oplus \psi_2 \oplus \cdots \oplus \psi_n \equiv S\ \mathit{sat}\ \psi_1 \oplus S\ \mathit{sat}\ \psi_2 \oplus \cdots \oplus S\ \mathit{sat}\ \psi_n.$

This is unfortunate, as usually, when giving a specification, one only has a rough idea about what one wants to allow, but certainly not a full grasp of all possible alternatives. Furthermore, if infinitely many alternatives for implementation exist, as in the case of the random number generator example, it is not possible to list all of these unless infinite $\oplus$ is allowed. In that case, although the first objection remains, both extensions are equivalent.

(ii) In, e.g., [Pn85] a strong notion of expressivity is defined for specification methods: a method is expressive if for all $S$ there is a characteristic specification $\mathit{spec}_S$ such that:

(a) for all $S'$: $S'\ \mathit{sat}\ \mathit{spec}_S \equiv ([S'] = [S])$;

(b) for all $\mathit{spec}$: $S\ \mathit{sat}\ \mathit{spec} \equiv (\mathit{spec}_S \Rightarrow \mathit{spec})$.

This property usually does not hold; it is obtained for [BKP84] when extended as above.

4. Development

One part of development is concerned with decomposition into subspecifications. The extension of the notion of specification is such that adapting this part of existing methods is straightforward.

For instance, a compositional specification method dealing with required nondeterminism can be obtained by using an existing one like the one described in [BKP84], just redefining the notion of specification as above and adapting the proof rules as follows.

For the decomposition part, the essential rules are those concerned with syntactical combinators, e.g., sequential and parallel composition, enabling one to derive properties of components from properties of their syntactic subcomponents. These rules reflect the semantics of such operators and are of the form

$S_1\ \mathit{sat}\ \psi_1,\ \ S_2\ \mathit{sat}\ \psi_2\ \ \vdash\ \ C(S_1, S_2)\ \mathit{sat}\ C'(\psi_1, \psi_2),$

where $C$ is a syntactical combinator on components and $C'$ the corresponding syntactical combinator on specifications.

The translation then is

$S_1\ \mathit{sat}\ \langle \underline{\psi}_1, \psi_1 \rangle,\ \ S_2\ \mathit{sat}\ \langle \underline{\psi}_2, \psi_2 \rangle\ \ \vdash\ \ C(S_1, S_2)\ \mathit{sat}\ \langle C'(\underline{\psi}_1, \underline{\psi}_2),\ C'(\psi_1, \psi_2) \rangle.$

A concrete example, for sequential composition, using the temporal logic operator $C$ (chop) is

$S_1\ \mathit{sat}\ \langle \underline{\psi}_1, \psi_1 \rangle,\ \ S_2\ \mathit{sat}\ \langle \underline{\psi}_2, \psi_2 \rangle\ \ \vdash\ \ S_1 ; S_2\ \mathit{sat}\ \langle \underline{\psi}_1\, C\, \underline{\psi}_2,\ \psi_1\, C\, \psi_2 \rangle.$

Another part of development is concerned with extending the requirements on the behaviour. In the context of LTL this intuitively means further narrowing down the sets of sequences allowed by the specification. In the $\underline{\psi} \Rightarrow [S] \Rightarrow \psi$ framework, this amounts to weakening (!) $\underline{\psi}$ and strengthening $\psi$: a weaker $\underline{\psi}$ characterizes a larger set of sequences that every implementation must be able to produce, so it narrows, rather than widens, the set of admissible implementations. This gives rise to the following rule:

$S\ \mathit{sat}\ \langle \underline{\psi}', \psi' \rangle,\ \ \underline{\psi} \Rightarrow \underline{\psi}',\ \ \psi' \Rightarrow \psi\ \ \vdash\ \ S\ \mathit{sat}\ \langle \underline{\psi}, \psi \rangle.$

Going back to the previously used example, this means that if it can be derived that

$S\ \mathit{sat}\ \langle a \vee c \vee d,\ a \vee c \vee d \rangle$

it follows that

$S\ \mathit{sat}\ \langle a \vee c,\ a \vee b \vee c \vee d \rangle.$

This corresponds to the intuition, as the first specification only allows the implementation $S = a \vee c \vee d$. This is, as has been seen previously, one of the various implementations allowed by the second specification.

Remark

There is a rather subtle problem in the treatment of required nondeterminism in development. Of variables about which at a certain stage in the development nothing has yet been decided, usually nothing is required, i.e., all sequences are allowed as regards their values. However, if nothing is required in $\underline{\psi}$ about such a variable, this should remain so during further development, because, as seen from the rules, $\underline{\psi}$ may only be weakened. Intuitively, as seen from the example, if straightforward strengthening of already mentioned variables is involved, there is no problem, because required nondeterminism for these variables was explicitly stated.

For the decomposition case there is a problem, as one would like, but cannot, formulate that for as yet unused variables no lower bound is yet established. A possible solution for this case is to argue that a decomposition step causes a lower level of abstraction to be used. New variables added to the interface can be viewed as visible only to the subcomponents. Requirements, especially required nondeterminism, pertaining to these variables can then also be seen as limited to this level only. The problem then disappears, as $\underline{\psi}$ on a higher level of specification cannot impose requirements on these variables. This approach may be formalized by introducing an explicit interface for each level of specification. (See, e.g., [BK83].)
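The satisfaction relations of sections 2, 3 and 4 can be exercised concretely by modelling behaviours as finite sets of finite action sequences, a formula being identified with the set of sequences on which it holds. The following Python is an added example, not code from the paper; the finite-alphabet model, the function names, the single-input i/o semantics (so $\phi = \mathit{true}$ throughout) and the use of concatenation as the chop operator on finite sequences are assumptions of the example. It shows that condition (ii) of [Fr77] with the lower bound $a \vee c$ lets the implementation $S = b$ through, that the pair specification $\langle \underline{\psi}, \psi \rangle$ of section 3 rejects it, that exactly the four implementations listed in section 2 lie between the bounds, and that the development rule and the chop rule of section 4 behave as stated.

```python
from itertools import combinations

# Added example (not the paper's code). A behaviour and a formula are both
# finite sets of finite action sequences (tuples); the paper's single-action
# processes a, b, c, d become length-1 sequences.


def seqs(*words):
    """Build a set of sequences from words such as 'a' or 'ax'; each word is one sequence."""
    return frozenset(tuple(w) for w in words)


def proper_subsets(psi):
    """All psi* with psi* => psi and psi* != psi, i.e. the proper subsets of psi."""
    elems = sorted(psi)
    return [frozenset(c) for r in range(len(elems)) for c in combinations(elems, r)]


def wp_holds(S, post):
    """phi => wp(S, post) with phi = true: every sequence S can produce satisfies post."""
    return S <= post


def francez_sat(S, lower, upper):
    """Section 2, conditions (i) and (ii) with the lower bound substituted into (ii):
    (i)  S is confined to the upper bound;
    (ii) S guarantees no postcondition psi* strictly stronger than the lower bound.
    With lower == upper this pins S to exactly that set.  With lower != upper, (ii)
    holds vacuously for an S that never produces anything in the lower bound at all."""
    cond_i = wp_holds(S, upper)
    cond_ii = all(not wp_holds(S, psi_star) for psi_star in proper_subsets(lower))
    return cond_i and cond_ii


def ltl_sat(S, lower, upper):
    """Section 3: S sat <lower, upper> iff lower => [S] => upper, i.e. set inclusion."""
    return lower <= S <= upper


def implementations(lower, upper):
    """Every behaviour S with lower <= S <= upper: the range the two bounds leave open."""
    free = sorted(upper - lower)
    return {lower | frozenset(c) for r in range(len(free) + 1) for c in combinations(free, r)}


def derivable(from_spec, to_spec):
    """Section 4 rule: from S sat <l', u'> together with l => l' and u' => u one derives
    S sat <l, u>.  Returns whether the two side conditions hold for the given pairs."""
    (l_from, u_from), (l_to, u_to) = from_spec, to_spec
    return l_to <= l_from and u_from <= u_to


def chop(A, B):
    """Chop on finite sequences (assumed here): a sequence of A followed by one of B."""
    return frozenset(s + t for s in A for t in B)


def chop_rule(spec1, spec2):
    """Sequential composition: the specification derived for S1;S2 is <l1 C l2, u1 C u2>."""
    (l1, u1), (l2, u2) = spec1, spec2
    return chop(l1, l2), chop(u1, u2)


if __name__ == "__main__":
    upper, lower, only_b = seqs("a", "b", "c", "d"), seqs("a", "c"), seqs("b")
    print("[Fr77] (ii) with lower bound a v c accepts S = b:", francez_sat(only_b, lower, upper))
    print("<a v c, a v b v c v d> accepts S = b:", ltl_sat(only_b, lower, upper))
    print("implementations between the bounds:", len(implementations(lower, upper)))
```

Within this model the defect of section 2 is visible directly: `proper_subsets(lower)` never contains a set that `{b}` is included in, so condition (ii) is satisfied vacuously, whereas `ltl_sat` fails on the lower inclusion. The lower bound of the random number generator example works the same way, with the numbers $1, \ldots, 100$ as length-1 sequences.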


5. Branching time temporal logic

In branching time temporal logic (BTL), the formulae are interpreted not as characterizing sets of sequences, but sets of trees. It is then obvious that, because sets of such trees are involved, a completely analogous treatment as for the LTL case is, in principle, possible. Whether this is desirable depends on one's view about which objects are more natural as behaviour of programs in certain circumstances.

Consider, for example, required nondeterminism, say $a \vee b$. If one feels that only a set containing at least a sequence with $a$ and one with $b$ on it is a correct representation of this requirement, then a similar extension as to LTL is needed for BTL. The reason is that, although sequences can be viewed as trees, when required nondeterminism is imposed via sets of these, the same problems with resolving allowed nondeterminism too far as in LTL apply to BTL. If, on the other hand, one accepts as a correct representation a single tree with at least a branch with $a$ and one with $b$ on it, standard BTL is expressive enough already.

As yet, apart from many other arguments about which of these basic varieties is the most suitable (or when), about this particular choice there seems to be no consensus. For more information on BTL, see, e.g., [EL85].

6. Discussion

We presented a way to enforce some amount of required nondeterminism via LTL specifications. It is sometimes argued that specifying required nondeterminism is meaningless, as no test will be able to falsify a claim like, e.g., $\underline{\psi} = a \vee b$. The idea is that even after repeated testing with consistent result $a$, $b$ might still occur at some future test.

One remark here is that exactly the same argumentation applies to fairness requirements like: eventually $b$ will occur. This concept however now seems quite well accepted.

More direct counter arguments are the following:

(i) When designing a system, it is natural that initially some properties are underdefined. During development these may be strengthened to falsifiable ones, which is certainly the only way in which they can be implemented.

(ii) An implementation will come together with a proof that its specification is met, so testing is not required.

A fortunate consequence of the fact that the extension made to the notion of specification retains the interpretation as a pure LTL formula and does not alter the logic is that existing decision procedures (see, e.g., [Go83]) can still be used.

An open problem is whether existing devices that contain nondeterminism, like random number generators, will satisfy abstract specifications of this property. Furthermore, if this is the case, how can this be proven? The link between the formulation of the practical and the theoretical properties seems not obvious. Note also that a lower bound such as $x' \in \{1, \ldots, 100\}$ only requires that every value in that range remains a possible output; it says nothing about the distribution or predictability of the values, which is what a random number generator used for security purposes must guarantee.

Acknowledgements

Many thanks to Ron Koymans and Rob Gerth for comments and help at various stages and especially to Willem-Paul de Roever, who provided the link to reference [Fr77]. I am very grateful to Edme van Thiel for Elastic Time Typing.

References

[EL85] Emerson, E.A., Lei, C.-L., Modalities for Model Checking: Branching Time Logic Strikes Back, POPL 1985.

[Fr77] Francez, N., A Case for a Forward Predicate Transformer, Inf. Proc. Letters 6:6, 1977.

[Go83] Gough, G.D., Decision Procedures for Temporal Logic, M.Sc. Thesis, Univ. of Manchester.

[BK83] Barringer, H., Kuiper, R., Towards the Hierarchical, Temporal Logic Specification of Concurrent Systems, LNCS 207.

[BKP84] Barringer, H., Kuiper, R., Pnueli, A., Now You May Compose Temporal Logic Specifications, STOC 1984.

[Pn85] Pnueli, A., Linear and Branching Structures in the Semantics and Logics of Reactive Systems, ICALP 1985.
