Enforcing nondeterminism via linear time temporal logic specifications

Citation for published version (APA):
Kuiper, R. (1987). Enforcing nondeterminism via linear time temporal logic specifications. (Computing science notes; Vol. 8705). Technische Universiteit Eindhoven.
Document status and date: Published: 01/01/1987
COMPUTING SCIENCE NOTES

This is a series of notes of the Computing Science Section of the Department of Mathematics and Computing Science of Eindhoven University of Technology. Since many of these notes are preliminary versions or may be published elsewhere, they have a limited distribution only and are not for review. Copies of these notes are available from the author or the editor.

Eindhoven University of Technology
Department of Mathematics and Computing Science
P.O. Box 513
5600 MB Eindhoven
The Netherlands
All rights reserved

Enforcing Nondeterminism via Linear Time Temporal Logic Specifications

Ruurd Kuiper
Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.

March 1987
ABSTRACT

It is shown how some amount of nondeterminism can be enforced via linear time temporal logic. This is achieved through extending the notion of specification rather than changing the logic, i.e., no recourse is taken to branching time. The treatment is compared, both in intent and with respect to realization, to a similar approach using predicate transformers.

1. Introduction
A specification describes requirements which further developments or implementations must fulfill in order to satisfy it. Usually, many decisions are deliberately left open to be filled in at later stages. Consequently, specifications usually contain nondeterminism which will, perhaps only in part, be resolved later. For example, if production of either of the actions a, b, c or d will satisfy the user, a component S might, for the moment using without further explanation an intuitively obvious notation, be specified by

S sat a ∨ b ∨ c ∨ d.

The customary interpretation of such a specification is to allow S to be implemented by any process of which the output is in the set {a, b, c, d}. For instance, by a process a, which always produces a when activated, but also by a ∨ c, which produces either an a or a c upon different activations. This kind of nondeterminism, say allowed nondeterminism, is not required of the implementation at all and only leaves some freedom to the implementor due to deliberate vagueness in
A completely different kind of nondeterminism, say required nondeterminism, is the nondeterminism which the implementation should possess. For example, a random number generator should not always generate the same number when activated. Yet a specification like

S sat x := x' (x' ∈ ℕ),

interpreted similarly as above as containing allowed nondeterminism, does not guarantee this; an implementation which always assigns, say, 5 to x would perfectly satisfy this specification. Usually, specification methods make use of the first kind of nondeterminism to allow general specifications, but cannot handle the second kind. Branching time temporal logic, which describes behaviour as sets of trees, is one of the few exceptions. Linear time temporal logic, describing behaviour as sets of sequences, does, in its usual form, not have this expressive ability. There are, however, many different considerations which at present leave the debate as to which of the two is the most suitable wide open.

We will present and discuss a way to enable, in the context of linear time temporal logic, specification of a modest amount of required nondeterminism. The idea is to limit the extent to which the allowed nondeterminism may be resolved, by additionally specifying a lower bound. This enforces implementations to possess a degree of nondeterminism between the bounds set by the required and the allowed nondeterminism. For the above examples such lower bounds might be, respectively, a ∨ c and x := x' (x' ∈ {1, ..., 100}).

In section 2 we briefly discuss the (only) approach similar to ours we know of, namely [Fr77]. This is carried out in the context of predicate transformers and safety properties, but it will be seen that a more general idea underlies his approach. In section 3 we show how this can be used for linear time temporal logic specifications. The interaction with development is discussed in the next section. In section 5 a brief look is taken at the situation for branching time temporal logic. The last section contains some discussion.
2. A precursor: required nondeterminism and predicate transformers

In [Fr77], Francez addresses specifying required nondeterminism using predicate transformers. We look at the example given above, S sat a ∨ b ∨ c ∨ d, with the extra aim to specify some required nondeterminism. Let the specification of S be given as

{φ} S {ψ}.

In the usual weakest precondition approach, only considering allowed nondeterminism, this means that S has to satisfy

(i) φ ⇒ wp(S, ψ)

where, in this example,

φ = true
ψ = a ∨ b ∨ c ∨ d.

This only gives an upper bound to the allowed nondeterministic behaviour of S and allows implementations like, e.g., S = b. The idea in [Fr77] now is to enforce ψ as a lower bound on required nondeterminism as well, again using weakest preconditions. The extra part of the satisfaction notion is that S should also satisfy

(ii) ∀ψ* ≠ ψ [ (ψ* ⇒ ψ) ⇒ ¬(φ ⇒ wp(S, ψ*)) ],

where again in this example

φ = true
ψ = a ∨ b ∨ c ∨ d.

It can be easily seen that together these requirements limit the implementations to a ∨ b ∨ c ∨ d only.

In this example, lower and upper bound coincide. The words lower and upper suggest, although [Fr77] does not claim this, noncoinciding bounds, allowing a range of implementations in between them. This might, for instance, be denoted by {φ} S {ψ, ψ̲}, where ψ is the upper and ψ̲ the lower bound. Intuitively, expressed in terms of an obvious semantics of i/o pairs, the lower/upper bound approach, in our view, aims at achieving the following kind of constraints. Let <i, a> denote: on any input, produce a. Take as upper and lower bound requirements, respectively,

ψ = a ∨ b ∨ c ∨ d
ψ̲ = a ∨ c.

Then the desired constraint on S would be

{<i,a>, <i,c>} ⊆ [S] ⊆ {<i,a>, <i,b>, <i,c>, <i,d>},

i.e., allowing the implementations a ∨ c, a ∨ b ∨ c, a ∨ c ∨ d and a ∨ b ∨ c ∨ d. Unfortunately, using (ii) with ψ̲ as ψ does not give the desired result. Namely, (ii) now is of the form obtained by substituting ψ̲ for ψ. Consider the implementation S = b. As S produces only b, S does not satisfy wp(S, a ∨ c), which will remain the case if a ∨ c is strengthened. So S is, contrary to the intuition, allowed as an implementation of {φ} S {ψ, ψ̲}. Hence, the approach in [Fr77] is limited to coinciding lower and upper bounds. In the next section, the lower/upper bound approach will be adapted to linear time temporal logic specifications and extended to enable the use of lower and upper bounds that do not coincide.

3. Enforcing required nondeterminism in linear time temporal logic
In linear time temporal logic (LTL) we take both the specification, ψ, and the semantics, [S], of an implementation S to be an LTL formula. Such a formula in turn can be interpreted as characterizing a set of (state) sequences, namely those for which it is true. The customary satisfaction relation when considering only allowed nondeterminism is then straightforward:

S sat ψ ⇔ [S] ⇒ ψ.

Intuitively this means that the set of sequences that can be generated by S is included in the set allowed by ψ. It is clear that any less nondeterministic implementation S', meaning that the set of sequences it can generate is smaller, which in turn means that [S'] ⇒ [S], satisfies ψ as well. So the implication makes it impossible to specify required fairness. Establishing a lower bound is the solution and, in the LTL framework, can be easily incorporated in a manner reflecting the intuitive set inclusion as mentioned in the previous section. Define

S sat <ψ̲, ψ> ⇔ ψ̲ ⇒ [S] ⇒ ψ,

with ψ̲ the lower and ψ the upper bound.

The specification of the example, in the formal notation as used in [BKP84], i.e. assuming sequences to have labels indicating environment (E) steps and component (Π) steps, then becomes

S sat <ψ̲, ψ>

where

ψ̲ = E U (Π ∧ (a ∨ c)) C fin

(which informally states: starting with environment steps E, after which the component stops) and

ψ = E U (Π ∧ (a ∨ b ∨ c ∨ d)) C fin.

Remarks

(i) An alternative way to enable specifying required nondeterminism may seem to be to change the implication to equivalence (this, in fact, is the situation in [Fr77]):

P sat ψ ⇔ [P] = ψ.

This indeed fulfils the aim, but does not possess the lower and upper bound flexibility. Consequently, extra allowed nondeterminism can now only be obtained by explicitly listing the allowed alternatives, e.g., via exclusive or notation:

S sat ψ1 ⊕ ψ2 ⊕ ... ⊕ ψn ⇔ S sat ψ1 ⊕ S sat ψ2 ⊕ ... ⊕ S sat ψn.

This is unfortunate, as usually, when giving a specification, one only has a rough idea about what one wants to allow, but certainly not a full grasp of all possible alternatives. Furthermore, if infinitely many alternatives for implementation exist, as in the case of the random number generator example, it is not possible to list all of these unless infinite ⊕ is allowed. In that case, although the first objection remains, both extensions are equivalent.

(ii) In, e.g., [Pn85] a strong notion of expressivity is defined for specification methods: a method is expressive iff for all S there is a characteristic specification spec_c such that:

(i) For all S': S' sat spec_c ⇔ ([S] = [S']),
(ii) For all spec: S sat spec ⇔ (spec_c ⊃ spec).

This property usually does not hold; it is obtained for [BKP84] when extended as above.
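The following is an added example, not code from Kuiper's paper, that puts the two satisfaction notions of sections 2 and 3 side by side on a finite input/output model. Components and postconditions are sets of actions over a constructed universe {a, b, c, d} (the <i, x> pairs of section 2 with the input left out), wp is computed for φ = true, francez_sat implements conditions (i) and (ii) of [Fr77], and inclusion_sat implements the lower/upper bound reading ψ̲ ⇒ [S] ⇒ ψ. All function names are the example's own. It reproduces the observations in the text: with coinciding bounds both notions admit a ∨ b ∨ c ∨ d only; with the bounds a ∨ c and a ∨ b ∨ c ∨ d, condition (ii) still admits S = b, whereas set inclusion admits exactly a ∨ c, a ∨ b ∨ c, a ∨ c ∨ d and a ∨ b ∨ c ∨ d. It also applies the inclusion check to the random number generator example, with ℕ replaced by a finite stand-in.

```python
"""Added example (not part of the paper): allowed vs required nondeterminism
on a finite input/output model, checked with the two satisfaction notions of
sections 2 and 3.

Model (constructed): a component S is the set of outputs it may produce on
any input, and a postcondition such as a ∨ c is the set of outputs it
accepts, {"a", "c"}.  All names below are the example's own.
"""
from itertools import combinations

OUTCOMES = frozenset("abcd")  # constructed universe of actions


def wp(component, post):
    """wp(S, psi) with precondition phi = true: S is guaranteed to establish
    psi iff every output S may produce is accepted by psi."""
    return component <= post


def strictly_stronger(post):
    """All psi* with psi* => psi and psi* != psi, i.e. the proper subsets of psi."""
    items = sorted(post)
    for size in range(len(items)):
        for combo in combinations(items, size):
            yield frozenset(combo)


def francez_sat(component, upper, lower):
    """Conditions (i) and (ii) of [Fr77] as recalled in section 2, with
    phi = true, the upper bound as psi in (i) and the lower bound in place
    of psi in (ii):
      (i)  wp(S, upper)
      (ii) for all psi* strictly stronger than lower: not wp(S, psi*)."""
    cond_i = wp(component, upper)
    cond_ii = all(not wp(component, post) for post in strictly_stronger(lower))
    return cond_i and cond_ii


def inclusion_sat(component, upper, lower):
    """Section 3 reading of S sat <lower, upper>: lower => [S] => upper,
    which on sets is lower ⊆ [S] ⊆ upper."""
    return lower <= component <= upper


def all_components(universe=OUTCOMES):
    """Every non-empty set of outputs over the universe: every candidate
    implementation, from the deterministic ones up to the fully nondeterministic one."""
    items = sorted(universe)
    return [frozenset(c) for size in range(1, len(items) + 1)
            for c in combinations(items, size)]


def admitted(check, upper, lower):
    """Implementations admitted by a satisfaction notion, as sorted strings
    such as 'ac' for the component that may produce a or c."""
    return sorted("".join(sorted(s)) for s in all_components()
                  if check(s, upper, lower))


if __name__ == "__main__":
    abcd, ac = frozenset("abcd"), frozenset("ac")
    print("coinciding bounds, [Fr77]:", admitted(francez_sat, abcd, abcd))
    print("coinciding bounds, inclusion:", admitted(inclusion_sat, abcd, abcd))
    print("bounds a∨c / a∨b∨c∨d, [Fr77]:", admitted(francez_sat, abcd, ac))
    print("bounds a∨c / a∨b∨c∨d, inclusion:", admitted(inclusion_sat, abcd, ac))
    # Random number generator example; 0..999 is a constructed finite stand-in for N.
    naturals, lower = frozenset(range(1000)), frozenset(range(1, 101))
    print("always assigns 5:", inclusion_sat(frozenset({5}), naturals, lower))
    print("ranges over 1..100:", inclusion_sat(lower, naturals, lower))
```

With φ = true, wp(S, ψ) collapses to "every possible output of S lies in ψ", which is why condition (ii) is vacuously satisfied by S = b: no postcondition strictly stronger than a ∨ c accepts b, so the negated implication holds for each of them and the lower bound never bites. The inclusion check, by contrast, demands that a and c both be possible outputs.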
4. Development

One part of development is concerned with decomposition into subspecifications. The extension of the notion of specification is such that adapting this part of existing methods is straightforward. For instance, a compositional specification method dealing with required nondeterminism can be obtained by using an existing one like described in [BKP84] and just redefining the notion of specification as above and adapting the proof rules as follows.

For the decomposition part, the essential rules are those concerned with syntactical combinators, e.g., sequential and parallel composition, enabling to derive properties of components from properties of their syntactic subcomponents. These rules reflect the semantics of such operators and are of the form

    S1 sat ψ1,  S2 sat ψ2
    ------------------------------
    C(S1, S2) sat C'(ψ1, ψ2)

where C is a syntactical combinator on components and C' the corresponding syntactical combinator on specifications. The translation then is

    S1 sat <ψ̲1, ψ1>,  S2 sat <ψ̲2, ψ2>
    ---------------------------------------
    C(S1, S2) sat C'(<ψ̲1, ψ1>, <ψ̲2, ψ2>)

A concrete example, for sequential composition, using the temporal logic operator C (chop), is

    S1 sat <ψ̲1, ψ1>,  S2 sat <ψ̲2, ψ2>
    -------------------------------------
    S1;S2 sat <ψ̲1 C ψ̲2, ψ1 C ψ2>

Another part of development is concerned with extending the requirements on the behaviour. In the context of LTL this intuitively means further narrowing down the sets of sequences allowed by the specification. In the ψ̲ ⇒ [S] ⇒ ψ framework, this amounts to weakening ψ̲ and strengthening ψ. This gives rise to the following rule:

    S sat <ψ̲, ψ>,  ψ̲' ⇒ ψ̲,  ψ ⇒ ψ'
    ----------------------------------
    S sat <ψ̲', ψ'>

Applying this to the previously used example, this means that if it can be derived that

S sat <a ∨ c ∨ d, a ∨ c ∨ d>,

it follows that

S sat <a ∨ c, a ∨ b ∨ c ∨ d>.

This corresponds to the intuition, as the first specification only allows the implementation S = a ∨ c ∨ d. This is, as has been seen previously, one of the various implementations allowed by the second specification.

Remark
There is a rather subtle problem in the treatment of required nondeterminism in development. Of variables about which at a certain stage in the development nothing has yet been decided, usually nothing is required, i.e., all sequences are allowed as regards their values. However, if nothing is required in ψ̲ about such a variable, this should remain so during further development, because, as seen from the rules, ψ̲ may only be weakened. Intuitively, as seen from the example, if straightforward strengthening of already mentioned variables is involved, there is no problem, because required nondeterminism for this variable was explicitly stated. For the decomposition case there is a problem, as one would like, but cannot, formulate that for as yet unused variables no lower bound is yet established. A possible solution for this case is to argue that a decomposition step causes a lower level of abstraction to be used. New variables added to the interface can be viewed as visible only to the subcomponents. Requirements, especially required nondeterminism, pertaining to these variables can then also be seen as limited to this level only. The problem then disappears, as ψ̲ on a higher level of specification cannot impose requirements on these variables. This approach may be formalized by introducing an explicit interface for each level of specification. (See, e.g., [BK83].)
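As an added example, not code from the paper, the two development rules of this section on a finite trace model: a behaviour [S] is a set of traces (tuples of action names), a specification is a pair <lower, upper> of trace sets, S sat <lower, upper> is lower ⊆ [S] ⊆ upper, and chop is pairwise concatenation. compose_rule checks the premises of the sequential-composition rule and returns the derived pair; consequence_rule checks the two side conditions ψ̲' ⇒ ψ̲ and ψ ⇒ ψ' and returns the weaker specification. The action names, including x and y for the second component, and all function names are constructed for the example.

```python
"""Added example (not part of the paper): the development rules of section 4
on a finite trace model.

Model (constructed): a behaviour [S] is a set of traces, each trace a tuple of
action names; a specification is a pair (lower, upper) of trace sets, and
S sat <lower, upper> holds iff lower ⊆ [S] ⊆ upper.  Chop of two trace sets
is pairwise concatenation.  Names and actions are the example's own.
"""


def sat(behaviour, lower, upper):
    """S sat <lower, upper>: lower => [S] => upper, read as set inclusion."""
    return lower <= behaviour <= upper


def chop(left, right):
    """Temporal-logic chop C on trace sets: a trace of `left` followed by a trace of `right`."""
    return frozenset(l + r for l in left for r in right)


def traces(*actions):
    """A disjunction such as a ∨ c ∨ d as the set of one-step traces {(a,), (c,), (d,)}."""
    return frozenset((x,) for x in actions)


def compose_rule(s1, spec1, s2, spec2):
    """Sequential-composition rule:
         S1 sat <lo1, up1>,  S2 sat <lo2, up2>
         ------------------------------------
         S1;S2 sat <lo1 C lo2, up1 C up2>
    Checks the premises, derives the conclusion and confirms it against the
    actual composed behaviour chop([S1], [S2]); chop is monotone, so it holds."""
    (lo1, up1), (lo2, up2) = spec1, spec2
    if not (sat(s1, lo1, up1) and sat(s2, lo2, up2)):
        raise ValueError("a premise of the composition rule does not hold")
    derived = (chop(lo1, lo2), chop(up1, up2))
    if not sat(chop(s1, s2), *derived):
        raise AssertionError("derived specification violated by S1;S2")
    return derived


def consequence_rule(spec, new_lower, new_upper):
    """Consequence rule:
         S sat <lo, up>,  lo' => lo,  up => up'
         --------------------------------------
         S sat <lo', up'>
    Returns the weaker specification, or raises if a side condition fails."""
    lower, upper = spec
    if not new_lower <= lower:
        raise ValueError("new lower bound must imply the old lower bound")
    if not upper <= new_upper:
        raise ValueError("old upper bound must imply the new upper bound")
    return (new_lower, new_upper)


if __name__ == "__main__":
    ac, acd, abcd = traces("a", "c"), traces("a", "c", "d"), traces("a", "b", "c", "d")
    # Section 4's example: <a∨c∨d, a∨c∨d> entails <a∨c, a∨b∨c∨d>.
    print(consequence_rule((acd, acd), ac, abcd))
    # The step cannot be reversed: <a∨c, a∨b∨c∨d> does not entail <a∨c∨d, a∨c∨d>.
    try:
        consequence_rule((ac, abcd), acd, acd)
    except ValueError as err:
        print("rejected:", err)
    # Compose an implementation of <a∨c, a∨b∨c∨d> with one of <x, x∨y>.
    print(compose_rule(ac, (ac, abcd), traces("x"), (traces("x"), traces("x", "y"))))
```

The rejected call shows the subtlety the remark above points at: the lower bound may only be weakened along a derivation, so a development step that wants to require more (a ∨ c ∨ d instead of a ∨ c) is a new, stronger specification that must be established on its own, not derived from the weaker one.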
5. Branching time temporal logic

In branching time temporal logic (BTL), the formulae are interpreted not as characterizing sets of sequences, but sets of trees. It is then obvious that because sets of such trees are involved, a completely analogous treatment as for the LTL case is, in principle, possible. Whether this is desirable depends on one's view about which objects are more natural as behaviour of programs in certain circumstances.

Consider, for example, required nondeterminism, say a ∨ b. If one feels that only a set containing at least a sequence with a and one with b on it is a correct representation of this requirement, then a similar extension as to LTL is needed for BTL. The reason is that although sequences can be viewed as trees, when required nondeterminism is imposed via sets of these, the same problems with resolving allowed nondeterminism too far as in LTL apply to

least a branch with a and one with b on it, standard BTL is expressive enough already.

As yet, apart from many other arguments about which of these basic varieties is the most suitable (or when), about this particular choice there seems to be no consensus. For more information on BTL, see, e.g., [EL85].
6. Discussion

We presented a way to enforce some amount of required nondeterminism via LTL specifications. It is sometimes argued that specifying required nondeterminism is meaningless, as no test will be able to falsify a claim like, e.g., ψ̲ = a ∨ b. The idea is that even after repeated testing with consistent result a, b might still occur at some future test.

One remark here is that exactly the same argumentation applies to fairness requirements like: eventually b will occur. This concept however now seems quite well accepted. More direct counter arguments are the following:

(i) When designing a system, it is natural that initially some properties are underdefined. During development these may be strengthened to falsifiable ones, which is certainly the only way in which they can be implemented.

(ii) An implementation will come together with a proof that its specification is met, so testing is not required.

A fortunate consequence of the fact that the extension made to the notion of specification retains the interpretation as a pure LTL formula and does not alter the logic is that existing decision procedures (see, e.g., [Go83]) can still be used.

An open problem is whether existing devices that contain nondeterminism, like random number generators, will satisfy abstract specifications of this property. Furthermore, if this is the case, how can this be proven? The link between the formulation of the practical and the theoretical properties seems not obvious.
Acknowledgements

Many thanks to Ron Koymans and Rob Gerth for comments and help at various stages and especially to Willem-Paul de Roever, who provided the link to reference [Fr77]. I am very grateful to Edme van Thiel for Elastic Time Typing.

References
[EL85] Emerson, E.A., Chin-Laung Lei, Modalities for Model Checking: Branching Time Logic Strikes Back, POPL 1985.
[Fr77] Francez, N., A Case for a Forward Predicate Transformer, Inf. Proc. Letters IEEE 6:6, 1977.
[Go83] Gough, G.D., M.Sc. Thesis, Decision Procedures for Temporal Logic, Univ. of Manchester.
[BK83] Barringer, H., Kuiper, R., Towards the Hierarchical, Temporal Logic, Specification of Concurrent Systems, LNCS 207.
[BKP84] Barringer, H., Kuiper, R., Pnueli, A., Now You May Compose Temporal Logic Specifications, STOC 1984.
[Pn85] Pnueli, A., Linear and Branching Structures in the Semantics and Logics of Reactive Systems, ICALP 1985.
COMPUTING SCIENCE NOTES

In this series appeared reports 85/01 through 87/07; this note is 87/05, R. Kuiper, Enforcing non-determinism via linear time temporal logic specification.

Available Reports from the Theoretical Computing Science Group: TIR82.1 through TIR87.4; this note is TIR87.2, R. Kuiper, Enforcing Nondeterminism via Linear Time Temporal Logic Specifications (CSN87/05).