13 citations found.
E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM, 18:453--457, 1975.


This paper is cited in the following contexts:
Learning as Knowledge Integration - Murray (1995)   (2 citations)  (Correct)

....extends the new information. 3.5.2 Inference path compilation An important and ubiquitous learning opportunity occurs when a useful but deep inference path is compiled into a shallow and efficient rule [MKKC86, DM86, Die86] the new rule's antecedent identifies the weakest preconditions [Dij75] for completing the inference path. Acquiring such compilations can promote the general learning goal of economy as useful implicit beliefs are made more accessible. At this point in the example, the three types of knowledge KI acquires by exploiting this learning opportunity are new inheritance ....

E. Dijkstra. Guarded commands, non-determinancy and formal derivation of programs. Communications of the Association of Computing Machinery, 18:453--457, 1975.


Weakest Preconditions for Pure Prolog Programs - Pedreschi, Ruggieri (1998)   (Correct)

....cation proofs. We provide a characterization of weakest (liberal) preconditions in terms of the ordinal closures of an operator #P;P ost , based on the program P under consideration and its intended interpretation Post . The notion of weakest (liberal) precondition was originally introduced in [6], as an alternative, yet equivalent, formulation of Hoare's logic, more geared to the calculation of assertions and programs. The theory of weakest preconditions was the basis for the systematic development of correct programs first described in [7] and further explained in [9] The results of ....

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. CACM, 18(8):453-457, 1975.


Parallel Operating Systems - Garcia, Ferreira, Guedes   (Correct)

....containing all the processes that failed to acquire the lock. When the lock is freed, it is given to one of the enqueued processes, which is sent an interrupt call. There are other variations of synchronization primitives such as monitors [Hoa74] eventcount and sequencers [RK79] guarded commands [Dij75] and others but the examples above illustrate clearly the issues involved in SMP process synchronization. 3.4 Examples of SMP Operating Systems Currently, the most important examples of operating systems for parallel machines are UNIX and Windows NT running on top of the most ubiquitous ....

Dijkstra, E.W., Guarded commands, nondeterminancy and the formal derivation of programs, Communications of the ACM 18, 1975, 453-457.


Safe Kernel Extensions Without Run-Time Checking - Necula, Lee (1996)   (254 citations)  (Correct)

....To create certificates for a program, we must prove that executing it does not violate any of the safety checks (and the postcondition, if one is given, is also satisfied) Standard techniques exist for building such proofs. We use the formalism of Dijkstra's weakest liberal preconditions [3, 4], because it is powerful enough to deal with assembly language programs and a broad range of safety invariants. Certification of programs then involves three steps: 1. Compute the weakest precondition for the program. This essentially encodes the semantic meaning of the program in logical form. 2. ....

....filters. Still, it would be much better to use more sophisticated theorem proving technology. One of the simplifications in the packet filters is to restrict programs so that they do not contain loops. Although the general framework presented in this paper is easily extended to accommodate loops [3], this introduces a number of complications. One experiment we conducted involves an IP header checksum routine, which is hand coded in 39 DEC Alpha instructions. The core loop contains 8 instructions, and is optimized by computing the 16 bit IP checksum using 64 bit additions followed by a ....

Dijkstra, E. W. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM 18 (1975), 453--457.


Symbolic Safety Analysis of Memory Accesses Within Loops - Christopher   (Correct)

.... This is the approach of Proof Carrying Code (PCC) [26] which suggests that a program be shipped with a proof of safety: essentially the set of loop invariants along with the proofs of the particular implication propositions needed for an automatic Floyd style verification of that program [12, 13, 20], as in [4, 5] An advantage of this technique is that after the overhead of verification, the program executes with no run time penalty at all. A disadvantage is that the program must be supplied with the certification. Also, if the safety policy ever changes, this certification must also change; ....

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. CACM, 18(8):453-- 457, August 1975.


Protection from the Underspecified - Leavens, Wing (1996)   (Correct)

.... requires defined(t, k) ensures result = apply(t, k) requires : defined(t, k) ensures thrown(NoAssociation) theException; Figure 8: A sugared version of the previous specification of fetch. An implementation has to satisfy both pre and postcondition pairs. commands [4], and have been used in the specification languages Larch CLU [24, Section 4.1.4] and Fresco [20, 22, 21] Besides bringing the issue of protection to the specifier's attention, this notational convenience makes it easier to automatically check that a specification is protective. Without such ....

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM, 18(8):453--457, August 1975.


Protection from the Underspecified - Leavens, Wing (1996)   (Correct)

....alleviated in Larch C by a syntactic sugar that allows one to split the specification up into multiple cases, each with its own precondition. This sugar would allow the specification in Figure 6 to be written as in Figure 8. Such multiple pre and postconditions are similar to guarded commands [4], and have been used in the specification languages Larch CLU [24, Section 4.1.4] and Fresco [20, 22, 21] Besides bringing the issue of protection to the specifier's attention, this notational convenience makes it easier to automatically check that a specification is protective. Without such ....

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM, 18(8):453--457, August 1975.


Proof-Carrying Code - Necula, Lee (1996)   (549 citations)  (Correct)

.... Software Fault Isolation [24] and programming in the safe subset of Modula 3 [1, 9, 17] Although we have worked out many of the theoretical underpinnings for PCC (and indeed, most of the theory is based on old and well known principles from logic, type theory [4, 11] and formal verification [5, 6, 8]) there are many difficult problems that remain to be solved before the approach can be considered practical. To mention just one here, we do not know at this moment what is the most practical way to generate the safety proofs. A more in depth discussion of where we see the major difficulties in ....

....the packet start address is in r16 and its length in r17. 8 Practical Difficulties Although we have worked out many of the theoretical underpinnings for PCC (and indeed, most of the theory is based on old and well known principles from logic, type theory [4, 11] and formal verification [5, 6, 8]) there are many difficult problems that remain to be solved. In this section we discuss some of the problematic issues that were brought to light by our experiment. Fortunately we think that we have found good practical solutions to the part of the PCC pertaining to the code consumer: safety ....

Dijkstra, E. W. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM 18 (1975), 453--457.


Safe, Untrusted Agents using Proof-Carrying Code - Necula, Lee (1998)   (4 citations)  (Correct)

....addr in memory state mem. Then, it would be left to the proof logic to determine the meaning of the saferd predicate. A given logic might even say that saferd is never true, thus effectively disallowing memory reads. Several techniques for implementing VCGen have been described in the literature [3, 8]. As shown in Fig. 2, our approach to implementing VCGen involves two main components. One is the language dependent parser, whose purpose is to translate the instructions of the untrusted annotated code to a stream of instructions in a generic intermediate language (IL) that is understood by the ....

Dijkstra, E. W. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM 18 (1975), 453--457.


Safe Kernel Extensions Without Run-Time Checking - Necula, Lee (1996)   (254 citations)  (Correct)

.... descriptors are represented as integers (by incrementing a file descriptor, for example) Although we have worked out many of the theoretical underpinnings for PCC (and indeed, most of the theory is based on old and well known principles from logic, type theory [4, 11] and formal verification [5, 6, 8]) there are many difficult problems that remain to be solved. In particular we do not know at this point the most practical way to generate the proofs. We have thus set out to gain some preliminary experience, both to measure the benefits and to identify the practical problems. In the experiments ....

....predicates for packet filters are fairly easy handled by existing theorem proving technology. One of the simplifications in the packet filters is to restrict programs so that they do not contain loops. Although the general framework presented in this paper is easily extended to accommodate loops [5], this introduces a number of complications. One experiment we conducted involves an IP header checksum routine, which is hand coded in 39 DEC Alpha instructions. The core loop contains 8 instructions, and is optimized by computing the 16 bit IP checksum using 64 bit additions followed by a ....

Dijkstra, E. W. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM 18 (1975), 453-- 457.


A Framework for Certified Program Analysis and Its.. - Chang, Chlipala, Necula (2006)   (Correct)

No context found.

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM, 18:453--457, 1975.


First-Order Term Compression: Techniques and Applications - Cheney (1998)   (Correct)

No context found.

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. CACM, 18(8):453--457, August 1975.


First-Order Term Compression: Techniques and Applications - Cheney (1998)   (Correct)

No context found.

E. W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. CACM, 18(8):453--457, August 1975.


CiteSeer.IST - Copyright Penn State and NEC