
Specifying message passing and real-time systems with real-time temporal logic

Citation for published version (APA):

Koymans, R. L. C. (1987). Specifying message passing and real-time systems with real-time temporal logic. (Computing science notes; Vol. 8707). Technische Universiteit Eindhoven.

Document status and date: Published: 01/01/1987



Specifying Message Passing and Real-Time Systems with Real-Time Temporal Logic

R. Koymans


COMPUTING SCIENCE NOTES

This is a series of notes of the Computing Science Section of the Department of Mathematics and Computing Science of Eindhoven University of Technology.

Since many of these notes are preliminary versions or may be published elsewhere, they have a limited distribution only and are not for review.

Copies of these notes are available from the author or the editor.

Eindhoven University of Technology
Department of Mathematics and Computing Science
P.O. Box 513
5600 MB EINDHOVEN
The Netherlands

All rights reserved

European Strategic Programme of Research and Development in Information Technology

Project 937: Debugging and Specification of Ada Real-Time Embedded Systems
Package 4: Formal Semantics and Proof Systems for Real-Time Languages

Doc. No.: PE.03
Type: PE
Title: Specifying Message Passing and Real-Time Systems with Real-Time Temporal Logic
Author: R. Koymans
Date: 29-04-1987
Document Status: Submitted
Confidentiality Level: Public Domain

GSI-TECSI
SYSTEAM KG
FOXBORO Netherlands NV
ELECTRONIQUE SERGE DASSAULT
EINDHOVEN UNIVERSITY OF TECHNOLOGY
UNIVERSITY OF STIRLING
ADCAD Ltd

Copyright 1986 by the DESCARTES consortium formed by the companies and universities listed above.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, and that the DESCARTES copyright notice and the title of this document and date appear.

SPECIFYING MESSAGE PASSING AND REAL-TIME SYSTEMS WITH REAL-TIME TEMPORAL LOGIC

Ron Koymans

Eindhoven University of Technology
Department of Mathematics and Computing Science
P.O. Box 513
5600 MB Eindhoven
The Netherlands

Electronic mail addresses: mcvax!eutrc3!wsinronk.UUCP or WSDCRONK@HEITHE5.bitnet

April 15, 1987

Abstract

Temporal logic is a simple extension of classical logic with temporal operators. When a computation is seen as a sequence of states changing over time, one can reason about such a sequence with temporal logic: the classical part describes the static aspect, the states, and the temporal operators describe the dynamic aspect, the relation (in time) between states.

Temporal logic has proved to be a most versatile tool for the specification and verification of concurrent systems. It has been applied to a wide variety of systems, such as concurrent programs, communication protocols, hardware, VLSI etcetera.

Nevertheless, temporal logic is not a priori suited for the specification of two important classes of systems: message passing and real-time systems. We develop an extension of standard temporal logic, called real-time temporal logic, that enables the description of these two classes of systems and illustrate this by three examples.

1. Introduction

Temporal logic is a simple and elegant extension of classical logic (propositional and predicate logic) with temporal operators for reasoning about situations changing in time. The underlying semantics of temporal logic makes a clear distinction between the static aspect of a situation, represented by a state, and the dynamic aspect, the relation (in time) between states. This distinction can be found back in the syntax: a state is described by classical logic, while the temporal operators are used for the description of the evolution of the situation over time. In this way states and time need not be introduced explicitly in the logic itself.

This picture of states and their relation in time fits well with the notion of computation as used in computer science. A computation can be seen as a sequence of states where each transition from one state to the next state in the sequence (each step of the computation) can be thought of as a tick of some computation clock. The corresponding time model is in that case the set of natural numbers. Temporal logic with the natural numbers as time domain is a variant of linear time temporal logic. This variant is especially suited for the description of computer systems, which are then seen as generators of execution sequences.

Since the introduction of (linear time) temporal logic in the area of program verification ([P]), it has proved to be a most versatile tool for the specification and verification of concurrent systems. In that context it can amongst others be used for

- reasoning about safety properties (e.g. partial correctness, mutual exclusion) and liveness properties (e.g. total correctness, fairness),
- describing systems at any level of abstraction,
- compositional reasoning: the specification of the whole system is a function of the specifications of its subcomponents.

Consequently, temporal logic has numerous applications in computer science. It has been successfully applied as a specification and verification method for concurrent programs, communication protocols, VLSI, hardware etcetera. It can furthermore be used to give axiomatic definitions of concurrent programming languages, and Ben Moszkowski even turned his Interval Temporal Logic into a programming language (thereby unifying programs and specifications).

Nevertheless, temporal logic is not a priori suited for the specification of two important classes of systems: message passing and real-time systems. The importance of these two classes is stressed by their manifold appearances in practice:

- message passing is one of the most important means of interprocess communication in distributed systems, either on a high level (e.g. in telecommunication applications where programming could be done in a high-level concurrent language with asynchronous message passing such as CHILL [CHILL]) or on a lower level (such as in implementations of synchronous languages for distributed computing like Ada [Ada]),
- among the many real-time applications (e.g. on-line reservation systems) there are some highly critical systems such as computer controlled chemical plants and nuclear power stations.

Because message passing systems are so widely used and the dangers of malfunctioning real-time systems affect most of us (think e.g. of flight control software for civil airplanes), it is of vital importance to develop formal techniques for reasoning about them. For message passing this development has been actively going on for several years. For real-time, however, the situation is alarming: theoretical research has almost completely ignored real-time aspects.

In this paper we give an extension of standard temporal logic, called real-time temporal logic, that enables the description of both message passing and real-time systems. We illustrate this real-time temporal logic by three examples: a classification of pure message passing systems, a pure real-time system and a mixture of both.

This paper is structured as follows. In section 2 we give a short summary of propositional temporal logic. Section 3 contains a description of message passing and real-time systems. Real-time temporal logic is introduced in section 4 and is illustrated in section 5 with three examples.

2. Propositional Temporal Logic

We first define the syntax of PTL, Propositional (Linear Time) Temporal Logic. Let $I$ be a non-empty set. PTL uses a propositional language with

Vocabulary: atomic propositions $p_i$ ($i \in I$), propositional connectives $\neg$, $\wedge$, temporal operators $X$, $U$, $Y$, $S$.

Formulas: $p_i$ ($i \in I$), $\neg f_1$, $f_1 \wedge f_2$, $X f_1$, $f_1 U f_2$, $Y f_1$, $f_1 S f_2$ ($f_1$, $f_2$ formulas).

The operators $X$, $U$, $Y$, $S$ are called respectively 'next-time', 'until', 'last-time' and 'since'.

The semantics of PTL is as follows. A state is a mapping from $I$ to $\{\mathit{True}, \mathit{False}\}$: a state indicates which atomic propositions are true in that state. A model is an infinite sequence of states. An interpretation is a pair $\langle M, n \rangle$ where $M$ is a model and $n$ a natural number (representing the present). Truth of a formula $f$ in an interpretation $\langle M, n \rangle$, notation $M, n \models f$, is inductively defined as follows:

$M, n \models p_i$ iff $M(n)(i) = \mathit{True}$

$M, n \models \neg f$ iff not $M, n \models f$

$M, n \models f_1 \wedge f_2$ iff $M, n \models f_1$ and $M, n \models f_2$

$M, n \models X f$ iff $M, n+1 \models f$

$M, n \models f_1 U f_2$ iff there exists $m \geq n$ such that $M, m \models f_2$ and for all $j$ such that $n \leq j < m$: $M, j \models f_1$

$M, n \models Y f$ iff $n > 0$ and $M, n-1 \models f$

$M, n \models f_1 S f_2$ iff there exists $m \leq n$ such that $M, m \models f_2$ and for all $j$ such that $m < j \leq n$: $M, j \models f_1$.

From the four temporal operators above many other temporal operators can be derived. Two very important temporal operators are $F$ ('eventually') and its dual $G$ ('henceforth'). These can be defined by

$F f := \mathit{true}\ U\ f$, where $\mathit{true} = \neg(p_i \wedge \neg p_i)$ for some $i \in I$,

$G f := \neg F \neg f$.

As an example of the use of these operators we mention the combination $GF\ldots$, which corresponds semantically with 'infinitely often'. This combination is often used for the expression of fairness properties.

3. Message Passing and Real-Time Systems

Let $\mathit{Messages}$ be a non-empty set of messages. A schematic picture of a message passing system could be

in(m) ---> MPS ---> out(m)

MPS = Message Passing System, where $m \in \mathit{Messages}$ and

in(m) corresponds to the acceptance (from the environment) of message m by the MPS, and

out(m) corresponds to the delivery (to the environment) of message m by the MPS.

The MPS can be a simple buffer or transmission medium but also a complex communication network. in(m) and out(m) constitute the interface with the environment and out(m) is considered to be the system reaction on the environment action in(m). Of course, the above picture should be supplemented by restrictions on the functions in and out, dependent on the particular type of message passing system considered. For all types we take the following restrictions as basic assumptions:

BA1. the acceptance and delivery of messages can be viewed as instantaneous actions (in the sense that always a unique moment of time can be identified at which a message can be said to be accepted, respectively delivered), which are always possible,

BA2. at any moment of time, at most one message can be accepted (respectively delivered),

BA3. the MPS does not create messages by itself (in other words: the bag of delivered messages is always some part of the bag of accepted messages),

BA4. the speed of the MPS is finite, i.e. there is a positive (maybe infinite) delay between the acceptance of a message and its delivery.

An example of a MPS often occurring in practice and satisfying BA1-BA4 is a transmission medium with a probability between zero and one of a successful transmission.

Besides the basic assumptions above, message passing systems can be distinguished further by properties such as

- reliability properties
  • perfect: all accepted messages are (eventually) delivered
  • imperfect: messages may get lost
- ordering disciplines
  • FIFO (like a queue)
  • LIFO (like a stack)
  • unordered (like a bag).

An example of an unordered MPS is a communication network in which every message is sent on to an arbitrary node until it reaches the destination node.

It is difficult to list precise characteristics for real-time systems as given above for message passing systems. However, what is clear in any case, is that time plays a dominant role. Three subjects we want to mention here are:

- 'promptness requirements', e.g. every time A occurs, B must follow within 3 seconds,
- 'periodicity properties', e.g. A occurs regularly with a period of 3 seconds,
- time models: some real-time systems control continuous physical entities, such as volume and temperature, and in such a case a discrete time model (like the natural numbers) is questionable.

4. Real-Time Temporal Logic (RTL)

It can be proved (see [K]) that many message passing systems can not be specified with PTL (see section 2) or even its first-order extension. The essential fact here is that PTL can not distinguish the different instances of one and the same message accepted by the MPS and hence can not trace back (in time) every delivered message to its unique moment of acceptance. For real-time systems there is a simpler reason why these can not be specified with standard temporal logic: PTL has only qualitative temporal operators and hence is not capable of expressing quantitative measures of time. Furthermore, the semantics of PTL is based on a discrete time model and, as noted at the end of the previous section, this complicates the description of specific applications in which continuous processes are involved.

These remarks lead to our motivation for RTL, Real-Time Temporal Logic. RTL introduces quantitative temporal operators and its semantics allows dense time models also, like the rational and real numbers. Furthermore it is assumed for message passing systems that incoming messages can be uniquely identified, e.g. by means of conceptual time stamps. This makes the above mentioned tracing of delivered messages to their moments of acceptance possible. The assumption of unique identification is not as restrictive as it may seem at first sight. This assumption can be justified by the notion of data-independence of [W]. Informally, a system is called data-independent when the values of the supplied data do not influence the functional behaviour of the system. One of the results of [W] implies that the correctness of a data-independent system does not depend on the uniqueness of the incoming data. Since message passing systems only pass data, they are clearly data-independent.

We now define RTL more formally. Consider a time domain $T$ with a linear order $<$ (in particular we think of the natural and real numbers). RTL uses a first-order language with quantification over:

- the data domain, e.g. $\mathit{Messages}$: $\forall m$, $\exists m$,
- the time domain $T$: $\forall t$, $\exists t$.

The temporal operators are $U_{=t}$ and $S_{=t}$ for all $t \in T$.

The semantics of RTL is as follows. Let $\Sigma$ be the set of all states. A model is a mapping from $T$ to $\Sigma$. For an interpretation $\langle M, t \rangle$, where $M$ is a model and $t \in T$, the temporal operators are defined as follows:

$M, t \models f_1 U_{=t_0} f_2$ iff $M, t + t_0 \models f_2$ and for all $t'$ such that $t < t' < t + t_0$: $M, t' \models f_1$

$M, t \models f_1 S_{=t_0} f_2$ iff $M, t - t_0 \models f_2$ and for all $t'$ such that $t - t_0 < t' < t$: $M, t' \models f_1$.

In the above definitions it is assumed that $t + t_0$ and $t - t_0$ exist in $T$. Whenever this is not the case (e.g. $t - t_0 < 0$ for the natural numbers as time domain) the above formulas are false in

From these real-time operators again many derived operators can be defined, amongst which the original $U$ and $S$ of PTL from section 2:

$f_1 U f_2 := f_2 \vee (f_1 \wedge \exists t\,(t > 0 \wedge f_1 U_{=t} f_2))$

$f_1 S f_2 := f_2 \vee (f_1 \wedge \exists t\,(t > 0 \wedge f_1 S_{=t} f_2))$.

Apart from the operators $F$ and $G$ as defined at the end of section 2 we also use an analogue of $F$ that refers to the past instead of the future, but without including the present:

$P f := \exists t\,(t > 0 \wedge \mathit{true}\ S_{=t}\ f)$.

5. Examples

Our first example concerns message passing systems. Under the assumption of uniqueness of accepted messages, which can be translated as

$G\,\forall m\,\neg(\mathit{in}(m) \wedge P\,\mathit{in}(m))$,

we can formulate the basic assumptions BA1-BA4 from section 3 as the following set of axioms:

BA2: $G\,\forall m\,\forall m'\,[((\mathit{in}(m) \wedge \mathit{in}(m')) \vee (\mathit{out}(m) \wedge \mathit{out}(m'))) \rightarrow m = m']$

BA3a,4: $G\,\forall m\,[\mathit{out}(m) \rightarrow P\,\mathit{in}(m)]$

BA3b: $G\,\forall m\,\neg(\mathit{out}(m) \wedge P\,\mathit{out}(m))$.

There is no need to specify BA1 because this is already fulfilled by the nature of the formalization: in(m) and out(m) can be true or false at any moment. Notice that we split BA3 (no creation of messages) into the following two cases:

BA3a: no creation of altogether new messages,
BA3b: no multiplication of messages already present.

Axiom BA3a,4 does not cover requirement BA3b, as is shown by the BA3b-illegal behaviour

in(m)      out(m)      out(m)
  |          |           |

which is allowed by this axiom. Therefore we need a separate axiom BA3b.

Next we specify FIFO, respectively LIFO:

FIFO: $G\,\forall m\,\forall m'\,[(\mathit{out}(m) \wedge P\,\mathit{out}(m')) \rightarrow P\,(\mathit{in}(m) \wedge P\,\mathit{in}(m'))]$

Both axioms are independent of the loss of messages, in other words of the perfectness of the MPS. FIFO simply says: if m comes out after m', then m must also have come in after m'. LIFO distinguishes two cases when m comes out after m':

1. m' was put on the stack when m was already there,

2. m' was already taken from the stack before m was put on it.

Note that FIFO and LIFO become equivalent when it is additionally assumed that the capacity of the message passing system to store messages is 1 (since in that case the first disjunctive clause of LIFO, point 1 above, is impossible). It is easy to check that the axiom for either FIFO or LIFO together with the assumption about the uniqueness of incoming messages implies axiom BA3b.

Intuitively, all the formalized properties above are safety properties. It is nice to notice that all axioms above use only the temporal operators $G$ and $P$ and hence are safety properties according to the syntactical characterization of temporal formulas into safety and liveness properties of [LPZ]. When we want to formalize a typical liveness property such as being perfect, the corresponding axiom uses the liveness operator $F$:

$G\,\forall m\,[\mathit{in}(m) \rightarrow F\,\mathit{out}(m)]$.
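The past-time axioms above (uniqueness, BA2, BA3a,4, BA3b and FIFO) use only G and P, so a finite prefix of a behaviour is enough to refute them; this is what makes them usable as a check on a recorded message log. The following Python program is an added example, not code from the report: it evaluates the strict past operator P over a discrete trace (time is the natural numbers; each entry holds the message identities accepted and delivered at that moment) and reports the moments at which each axiom is violated. The three traces are constructed here; the second is the BA3b-illegal behaviour in(m) out(m) out(m) from the text, and the checker confirms that BA3a,4 accepts it while BA3b rejects it. The liveness axiom for perfectness, G ∀m [in(m) → F out(m)], is deliberately not checked, since no finite prefix can refute it. All function names are this example's own.

```python
"""Checking the past-time message-passing axioms of section 5 over a finite trace.

A trace is a list whose n-th entry is the pair (messages accepted at n,
messages delivered at n). Only axioms built from G and P are checked: a
violation of such an axiom is always visible in a finite prefix.
"""


def P(pred, n):
    """Strict past operator: P f holds at n iff f held at some j < n."""
    return any(pred(j) for j in range(n))


def messages(tr):
    """All message identities occurring anywhere in the trace."""
    return sorted({m for ins, outs in tr for m in ins | outs})


def uniqueness_violations(tr):
    """G forall m not(in(m) and P in(m)): no message is accepted twice."""
    return [(n, m) for n, (ins, _) in enumerate(tr) for m in sorted(ins)
            if P(lambda j: m in tr[j][0], n)]


def ba2_violations(tr):
    """G forall m, m' [((in(m) and in(m')) or (out(m) and out(m'))) -> m = m']:
    at most one acceptance and at most one delivery per moment."""
    return [n for n, (ins, outs) in enumerate(tr) if len(ins) > 1 or len(outs) > 1]


def ba3a4_violations(tr):
    """G forall m [out(m) -> P in(m)]: every delivered message was accepted earlier."""
    return [(n, m) for n, (_, outs) in enumerate(tr) for m in sorted(outs)
            if not P(lambda j: m in tr[j][0], n)]


def ba3b_violations(tr):
    """G forall m not(out(m) and P out(m)): no message is delivered twice."""
    return [(n, m) for n, (_, outs) in enumerate(tr) for m in sorted(outs)
            if P(lambda j: m in tr[j][1], n)]


def fifo_violations(tr):
    """G forall m, m' [(out(m) and P out(m')) -> P (in(m) and P in(m'))]:
    if m comes out after m', m must also have come in after m'."""
    viol = []
    for n, (_, outs) in enumerate(tr):
        for m in sorted(outs):
            for m2 in messages(tr):
                came_out_after = P(lambda j: m2 in tr[j][1], n)
                came_in_after = P(lambda j: m in tr[j][0]
                                  and P(lambda k: m2 in tr[k][0], j), n)
                if came_out_after and not came_in_after:
                    viol.append((n, m, m2))
    return viol


def check_all(tr):
    """Violation lists per axiom; an empty list means the axiom holds on the prefix."""
    return {"uniqueness": uniqueness_violations(tr),
            "BA2": ba2_violations(tr),
            "BA3a,4": ba3a4_violations(tr),
            "BA3b": ba3b_violations(tr),
            "FIFO": fifo_violations(tr)}


# Constructed traces (not from the report): a queue-like run, the BA3b-illegal
# behaviour in(m) out(m) out(m) of section 5, and a stack-like run.
FIFO_TRACE = [({"a"}, set()), ({"b"}, set()), (set(), {"a"}), (set(), {"b"})]
DUP_TRACE = [({"m"}, set()), (set(), {"m"}), (set(), {"m"})]
LIFO_TRACE = [({"a"}, set()), ({"b"}, set()), (set(), {"b"}), (set(), {"a"})]

if __name__ == "__main__":
    for name, tr in [("fifo", FIFO_TRACE), ("dup", DUP_TRACE), ("lifo", LIFO_TRACE)]:
        print(name, check_all(tr))
```

On the duplicating trace FIFO also fails, which matches the remark above that FIFO together with uniqueness implies BA3b.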

Our second example specifies a pure real-time system, a watchdog timer. A processor is monitored by a timer, the watchdog. The processor sets the timer with time-out period t by a signal enable(t) and it should reset the timer by a reset signal each time before the timer expires. When the processor does not succeed in resetting the timer in time, the processor will be halted by a halt signal from the watchdog. At any time, the processor and the watchdog timer can be restarted by an initiate signal from the environment (e.g. an operator pushing a button). Once the timer is set with enable(t) after an initiate signal, the time-out period remains t (and thus every subsequent enable(t') signal is ignored) until the next initiate signal.

To identify the first enable(t) after an initiate we define

$\mathit{firstenable}(t) := \mathit{enable}(t) \wedge (\neg\exists t'\,\mathit{enable}(t'))\ S\ \mathit{initiate}$.

The only essential thing to be specified is the generation of the halt signal. For the moment ignoring the possibility of an interrupting initiate signal, this can be characterized by

$G(\mathit{halt} \leftrightarrow \exists t\,[t > 0 \wedge \neg\mathit{reset}\ S_{=t}\ (\mathit{firstenable}(t) \vee (\mathit{reset} \wedge \neg\mathit{halt} \wedge \neg\mathit{halt}\ S\ \mathit{firstenable}(t)))])$.

The explanation hereof is as follows. A halt signal may be generated if and only if the timer just timed out with some period t, so during that period t no reset signal occurred, and at the start of that time-out period either the timer was set (for the first time after an initiate) or the first reset signal (since the timer was set) that is not followed by another reset within a period t occurred (to get the first reset signal it is required that the processor has not already been halted since the timer was set).

An interrupting initiate signal would restart the whole system and to incorporate this we have to add that during the whole period of time concerned no initiate signal occurs. This leads to the final and complete specification

$G(\mathit{halt} \leftrightarrow \exists t\,[t > 0 \wedge (\neg\mathit{reset} \wedge \neg\mathit{initiate})\ S_{=t}\ ((\mathit{firstenable}(t) \wedge \neg\mathit{initiate}) \vee (\mathit{reset} \wedge \neg\mathit{halt} \wedge \neg\mathit{initiate} \wedge (\neg\mathit{halt} \wedge \neg\mathit{initiate})\ S\ (\mathit{firstenable}(t) \wedge \neg\mathit{initiate})))])$.
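To see how the final watchdog specification decides the halt signal, here is an added example (not code from the report) that evaluates its right-hand side moment by moment over a discrete trace of initiate, enable(t) and reset inputs. S_{=t0} is implemented exactly as defined in section 4 (f2 at t − t0, f1 on the open interval in between, false when t − t0 does not exist). The unsubscripted S in firstenable(t) and in the halt formula is taken in the strict form given at the end of section 5, f1 S f2 := ∃t (t > 0 ∧ f1 S_{=t} f2), which does not include the present; that choice is an assumption of this example, made because under the reflexive S of section 4 firstenable(t) could only hold at the moment of the initiate itself (enable(t) and ¬∃t' enable(t') cannot both hold at the present). The input traces and the names step, s_eq, s_strict, firstenable, halt_now and run_watchdog are this example's own.

```python
"""Evaluating the watchdog-timer specification of section 5 over a discrete trace.

Time is the natural numbers. The halt signal at moment n is computed from the
right-hand side of G(halt <-> ...) using the halt values of earlier moments,
so the result is the unique halt sequence satisfying the specification for
the given inputs.
"""


def step(initiate=False, enable=None, reset=False):
    """One moment of input: initiate/reset flags and the period t of enable(t), if any."""
    return {"initiate": initiate, "enable": enable, "reset": reset}


def s_eq(f1, f2, n, t0):
    """f1 S_{=t0} f2 at n: f2 at n - t0 and f1 at every n' with n - t0 < n' < n.
    False when n - t0 does not exist in the natural numbers."""
    m = n - t0
    return m >= 0 and f2(m) and all(f1(j) for j in range(m + 1, n))


def s_strict(f1, f2, n):
    """f1 S f2 without the present (assumed reading): exists t > 0 with f1 S_{=t} f2."""
    return any(s_eq(f1, f2, n, t) for t in range(1, n + 1))


def firstenable(tr, t, n):
    """firstenable(t) := enable(t) and (not exists t' enable(t')) S initiate."""
    return tr[n]["enable"] == t and s_strict(
        lambda j: tr[j]["enable"] is None, lambda j: tr[j]["initiate"], n)


def halt_now(tr, halt, n):
    """Right-hand side of the final specification at moment n;
    halt[j] is already known for every j < n."""
    def timeout_start(t):
        # The moment S_{=t} looks back to: the first enable after an initiate,
        # or a reset that is the first one not followed by another reset within t.
        def at(m):
            return ((firstenable(tr, t, m) and not tr[m]["initiate"])
                    or (tr[m]["reset"] and not halt[m] and not tr[m]["initiate"]
                        and s_strict(lambda j: not halt[j] and not tr[j]["initiate"],
                                     lambda j: firstenable(tr, t, j) and not tr[j]["initiate"],
                                     m)))
        return at

    def quiet(j):  # neither reset nor initiate during the time-out period
        return not tr[j]["reset"] and not tr[j]["initiate"]

    return any(s_eq(quiet, timeout_start(t), n, t) for t in range(1, n + 1))


def run_watchdog(tr):
    """Compute the halt signal for every moment of the input trace."""
    halt = []
    for n in range(len(tr)):
        halt.append(halt_now(tr, halt, n))
    return halt


# Constructed input traces (not from the report).
# Period 3 set at moment 1, one reset at 2, then silence: time-out at 5.
TIMEOUT = [step(initiate=True), step(enable=3), step(reset=True),
           step(), step(), step(), step()]
# Period 2, a reset every moment: the processor keeps the timer alive.
KEPT_ALIVE = [step(initiate=True), step(enable=2), step(reset=True),
              step(reset=True), step(reset=True), step(reset=True)]
# Period 3 interrupted by a second initiate at 2 and never re-enabled: no halt.
INTERRUPTED = [step(initiate=True), step(enable=3), step(initiate=True),
               step(), step(), step()]

if __name__ == "__main__":
    for name, tr in [("timeout", TIMEOUT), ("kept alive", KEPT_ALIVE),
                     ("interrupted", INTERRUPTED)]:
        print(name, run_watchdog(tr))
```

Note that halt is true only at the exact moment the timer expires (moment 5 in the first trace), which is what "the timer just timed out" in the explanation requires; the moment after, no t makes the formula true again.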

Our third example is a mixture of message passing and real-time. It concerns a simplified terminal adaptor. On one side bytes are received from a data link operating on 512 bytes/second. On the other side bytes are transmitted to a terminal with a rate of 300 bytes/second. The adaptor has a buffering capacity of $N_1$ bytes and it prevents buffer overflow through sending stop and start signals to the data link as soon as the buffer becomes more than 80% full, respectively more than 80% empty. It is assumed that after the sending of a stop signal at most $N_2$ bytes are sent by the data link (of course $N_2$ should be less than one fifth of $N_1$). The data link may resume sending bytes only after it has received a start signal.

Let in(b) denote the reception of byte b from the data link and out(b) the transmission of byte b to the terminal. Since the terminal adaptor operates as a perfect FIFO message passing system (with additional real-time restrictions), we assume uniqueness of incoming bytes

$G\,\forall b\,\neg(\mathit{in}(b) \wedge P\,\mathit{in}(b))$

and hence can use the axioms for message passing systems, in particular BA2, BA3a,4, FIFO and perfect:

1. $G\,\forall b\,\forall b'\,[((\mathit{in}(b) \wedge \mathit{in}(b')) \vee (\mathit{out}(b) \wedge \mathit{out}(b'))) \rightarrow b = b']$

2. $G\,\forall b\,[\mathit{out}(b) \rightarrow P\,\mathit{in}(b)]$

3. $G\,\forall b\,\forall b'\,[(\mathit{out}(b) \wedge P\,\mathit{out}(b')) \rightarrow P\,(\mathit{in}(b) \wedge P\,\mathit{in}(b'))]$

4. $G\,\forall b\,[\mathit{in}(b) \rightarrow F\,\mathit{out}(b)]$

As already remarked, requirement BA3b follows from the uniqueness of incoming messages together with FIFO.

For the real-time part we need some more derived real-time operators:

$F_{=t_0} f := \mathit{true}\ U_{=t_0}\ f$

$f_1 S_{>t_0} f_2 := \exists t\,(t > t_0 \wedge f_1 S_{=t} f_2)$.

Similarly one can define $F_{<t_0}$ etcetera. Furthermore we need a temporal operator like $P$, but

$\bar{P} f := f \vee P f$.

Using $\bar{P}$ we can express that byte b is at the moment contained in the buffer of the terminal adaptor:

$\mathit{buffered}(b) := \bar{P}\,\mathit{in}(b) \wedge \neg\bar{P}\,\mathit{out}(b)$.

Just to illustrate the specification method we assume that the reception from the data link is regular, with period 1/512, while the transmission to the terminal is irregular, but whenever a byte is available a transmission takes place within 1/300. The latter can be specified by

5. $G\,[(\exists b\,\mathit{buffered}(b)) \rightarrow F_{<1/300}\,\exists b'\,\mathit{out}(b')]$.

The specification of the regularity at the other side is complicated by the presence of the stop and start signals. But whenever these signals do not interfere in the period of 1/512, the reception is regular. This can be specified by

6. $G\,\forall b\,[(\mathit{in}(b) \wedge \neg F_{<1/512}\,\mathit{start} \wedge \neg F_{=1/512}\,((\neg\mathit{start})\ S\ \mathit{stop})) \rightarrow (\neg\exists b'\,\mathit{in}(b'))\ U_{=1/512}\ \exists b'\,\mathit{in}(b')]$.

After the data link has received the start signal, the sending of bytes can resume at any time. But after a stop signal has been sent by the terminal adaptor, the sending of bytes remains regular, although at most $N_2$ bytes may be sent. This regularity is guaranteed by also demanding a 'backward periodicity' of the input since the reception of the first byte after a start signal:

7. $G\,\forall b\,[\mathit{in}(b) \rightarrow (((\neg\exists b'\,\mathit{in}(b'))\ S_{=1/512}\ \exists b'\,\mathit{in}(b')) \vee ((\neg\exists b'\,\mathit{in}(b'))\ S\ \mathit{start}))]$.

The following axiom specifies that at most $N_2$ bytes may be received after a stop signal:

8. $G\,[((\neg\mathit{start})\ S_{>N_2/512}\ \mathit{stop}) \rightarrow \neg\exists b\,\mathit{in}(b)]$.

Finally, we have to specify the generation of the stop and start signals. For simplicity we assume that $N_1$ is divisible by 5 and we define the following abbreviations to indicate the situations where the buffer is more than 80% full, respectively more than 80% empty:

$\mathit{almost\ full} := \exists b_1 \ldots \exists b_{4N_1/5+1}\,[\bigwedge_{1 \leq i < j \leq 4N_1/5+1} b_i \neq b_j \wedge \bigwedge_{i=1}^{4N_1/5+1} \mathit{buffered}(b_i)]$

$\mathit{almost\ empty} := \neg\exists b_1 \ldots \exists b_{N_1/5}\,[\bigwedge_{1 \leq i < j \leq N_1/5} b_i \neq b_j \wedge \bigwedge_{i=1}^{N_1/5} \mathit{buffered}(b_i)]$.

Note that for each value of the constant $N_1$ these abbreviations can be written out to fixed length formulas. What remains is to express that the stop and start signals should be generated the first moment that the buffer becomes (again) almost full, respectively almost empty. In general, the first moment that a formula $f$ becomes true after having been false before can be expressed for dense time domains by the formula

$f \wedge (P f \rightarrow (\neg f)\ S\ f)$

where $S$ does not include the present:

$f_1 S f_2 := \exists t\,(t > 0 \wedge f_1 S_{=t} f_2)$.

When one also wants to cover the case of discrete time models, the possibility of $f$ being true the previous moment should be excluded. So, define the operator $\uparrow$ as

$\uparrow f := f \wedge (P f \rightarrow (\neg((\neg\mathit{true})\ S\ f) \wedge (\neg f)\ S\ f))$.

Using this operator our last two axioms are:

9. $G\,[\uparrow \mathit{almost\ full} \leftrightarrow \mathit{stop}]$

10. $G\,[\uparrow \mathit{almost\ empty} \leftrightarrow \mathit{start}]$.

In fact, as can be seen from these last two axioms, the stop and start signals are not essentially needed and hence the terminal adaptor can be specified in a more abstract way only in terms of in and out. This can simply be done by substituting the equivalences of axioms 9 and 10 in the appropriate places of axioms 6, 7 and 8.
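The last part of the terminal adaptor specification combines buffered(b), the almost full / almost empty abbreviations and the first-moment operator ↑ to derive the stop and start signals from in and out alone, which is the more abstract specification the preceding paragraph refers to. The following added example (not code from the report) evaluates these definitions over a discrete trace with a constructed capacity N1 = 10: P̄ is the reflexive past, the 80% thresholds are evaluated by counting the distinct buffered bytes (which is what the fixed-length formulas amount to), and ↑ is implemented literally from its definition with the strict S, so that in discrete time ¬((¬true) S f) reduces to "f did not hold at the previous moment". The byte labels, the trace and all helper names are this example's own.

```python
"""Buffer occupancy, 'almost full' / 'almost empty' and the first-moment
operator of section 5 over a discrete constructed trace.

A trace is a list whose n-th entry is (bytes received at n, bytes sent at n).
Bytes are labelled strings, so the uniqueness assumption is met by construction.
"""

N1 = 10  # buffer capacity, divisible by 5 as the report assumes (constructed value)


def P_incl(pred, n):
    """P-bar f: f holds now or at some earlier moment (reflexive past)."""
    return any(pred(j) for j in range(n + 1))


def S_strict(f1, f2, n):
    """f1 S f2 without the present: f2 at n - t for some t > 0 and f1 on the
    open interval (n - t, n)."""
    return any(f2(n - t) and all(f1(j) for j in range(n - t + 1, n))
               for t in range(1, n + 1))


def buffered(tr, b, n):
    """buffered(b) := P-bar in(b) and not P-bar out(b)."""
    return (P_incl(lambda j: b in tr[j][0], n)
            and not P_incl(lambda j: b in tr[j][1], n))


def buffer_contents(tr, n):
    """The set of bytes buffered at moment n."""
    seen = {b for j in range(n + 1) for b in tr[j][0] | tr[j][1]}
    return {b for b in seen if buffered(tr, b, n)}


def almost_full(tr, n):
    """More than 80% full: more than 4*N1/5 distinct buffered bytes."""
    return len(buffer_contents(tr, n)) > 4 * N1 // 5


def almost_empty(tr, n):
    """More than 80% empty: fewer than N1/5 distinct buffered bytes."""
    return len(buffer_contents(tr, n)) < N1 // 5


def first_moment(f, n):
    """Operator (arrow-up) f := f and (P f -> (not((not true) S f) and (not f) S f)).
    In discrete time (not true) S f holds exactly when f held at the previous moment,
    so the whole thing is the first moment f is true again after being false."""
    if not f(n):
        return False
    if not any(f(j) for j in range(n)):  # P f is false: f was never true before
        return True
    held_previous_moment = S_strict(lambda j: False, f, n)  # (not true) S f
    false_since_last_true = S_strict(lambda j: not f(j), f, n)  # (not f) S f
    return (not held_previous_moment) and false_since_last_true


def stop_start_signals(tr):
    """Axioms 9 and 10: stop at the first moments of almost full, start at the
    first moments of almost empty."""
    stops = [n for n in range(len(tr)) if first_moment(lambda j: almost_full(tr, j), n)]
    starts = [n for n in range(len(tr)) if first_moment(lambda j: almost_empty(tr, j), n)]
    return stops, starts


# Constructed trace: nine bytes arrive one per moment, then leave in FIFO order.
TRACE = ([({f"b{i}"}, set()) for i in range(9)]
         + [(set(), {f"b{i}"}) for i in range(9)])

if __name__ == "__main__":
    stops, starts = stop_start_signals(TRACE)
    print("stop at", stops, "start at", starts)
    print("buffer at moment 16:", buffer_contents(TRACE, 16))
```

With N1 = 10 the ninth arrival (moment 8) makes the buffer more than 80% full, so stop is generated there; the buffer is almost empty at moment 0 (one byte) and again at moment 16 (one byte left), and ↑ fires start at both moments but not at 17, where almost empty already held the moment before.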

References

[Ada] The programming language Ada. Reference manual, Lecture Notes in Computer Science 155, Springer 1983.

[CHILL] CHILL Recommendation Z.200 (CHILL Language Definition), C.C.I.T.T. Study Group XI, 1980.

[K] R. Koymans, Specifying Message Passing Systems Requires Extending Temporal Logic, Eindhoven University of Technology Computing Science Notes 86/14.

[LPZ] O. Lichtenstein, A. Pnueli, L. Zuck, The Glory of The Past, Logics of Programs, Brooklyn, June 1985, Lecture Notes in Computer Science 193, pp. 196-218, Springer 1985.

[P] A. Pnueli, The Temporal Logic of Programs, 18th Annual Symposium on Foundations of Computer Science, pp. 46-57, IEEE 1977.

[W] P. Wolper, Expressing Interesting Properties of Programs in Propositional Temporal Logic, 13th Annual ACM Symposium on Principles of Programming Languages, pp. 184-193, 1986.
