A. Udaya Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....a suitable state) will eventually reach a good state). We will present a method which uses the specialization of constraint logic programs for verifying CTL properties of finite or infinite state concurrent systems. Our verification method can be applied to a large class of concurrent systems [76] and it consists of two steps. Given a concurrent system S, we construct a locally stratified constraint logic program P such that a CTL formula φ is true in a state s of S iff an atom of the form sat(s, φ) holds in the perfect model semantics of P. Then, we check whether or not, for a given ....
....such as [15, 18]. However, since generalization is applied during, and not before, the verification process, generalization may be more flexible than abstraction. The contributions of this chapter are the following ones. i) We have shown that the CTL properties of concurrent systems as defined in [76] can be expressed by using perfect models of locally stratified CLP programs. ii) We have proposed an automatic strategy for program specialization and, in particular, a technique for generalization which makes program specialization always terminating. iii) Finally, we have demonstrated that ....
Shankar, A. U. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys 25, 3 (Sept. 1993), 225--262.
....such as [8, 10]. However, since generalization is applied during, and not before, the verification process, generalization may be more flexible than abstraction. The contributions of this paper are the following ones. i) We have shown that the CTL properties of concurrent systems as defined in [38] can be expressed by using perfect models of locally stratified CLP programs. ii) We have defined variants of the usual transformation rules, such as unfolding, folding, clause deletion, and constraint replacement. These variants are suitable for performing the specialization of locally stratified ....
....express are properties of the initial states of the system. 4. Expressing CTL Properties by Locally Stratified CLP. In this section we present the class of reactive systems which can be verified by using our method. This class is very general, and includes the concurrent systems defined in [38]. But, unlike [38], in order to specify these systems and their temporal properties, we use constraint logic programs. In this respect our approach is similar to the one presented in [11]. However, we use CLP programs with negation and the perfect model semantics, while the authors of [11] ....
A. U. Shankar, "An introduction to assertional reasoning for concurrent systems," ACM Computing Surveys, vol. 25, pp. 225--262, Sept. 1993.
....property is assumed to involve only stable locations, and to hold for all parameter valuations satisfying the initial p constraint of the modeled system. The first method, based on the Floyd-Hoare method of assertions, consists in proving that Pi is an inductive invariant of the model (see, e.g., [27]). The second one, based on model checking techniques, consists in characterizing the set of all the reachable states of the system, and checking that no element violates Pi. Inductive invariants. To prove Pi by inductive invariance, one has to prove that Pi holds initially, and is preserved ....
....properties of the system. Some of these auxiliary properties (viz. Aux3, Aux4, Aux5) involve an additional variable r, which represents the reception date of the last RM cell. Such variables, that record some history of system execution without affecting it, are called history variables [1, 27]. In our model, this can be easily implemented by introducing a discrete variable r in the environment automaton, and updating it with the current time value s whenever event newRM occurs. Initially: s = r. The enriched automaton A_env is represented in Figure 5. ....
A. U. Shankar. "An Introduction to Assertional Reasoning for Concurrent Systems." ACM Computing Surveys 25:3, 1993, pp. 225--262.
....s ⊨ (see [4]). In this paper we will present a method for verifying CTL properties of possibly infinite state systems by using Constraint Logic Programming [7] (CLP, for short) and program specialization. Our method is applicable to a large class of concurrent systems, like those described by [14]. Constraint Logic Programming extends standard logic programming by allowing constraint solving over a given constraint domain D by using domain-specific efficient algorithms. The domain D can be the domain of inequations over real or rational numbers, or the domain of boolean formulas, or any ....
....that a CTL formula is true in s. Step 1 can be performed automatically for a very large class of concurrent systems, namely those which can be specified by state transition systems with enabling conditions and actions which can be expressed by constraints over the values of state variables (see [14]). Let us consider the following simple example, which will be used throughout this paper to illustrate our approach. Let S0 be the system whose set of states is a subset of {a, b} × Z, where Z is the set of integers. Let the initial state of S0 be the pair ⟨a, 0⟩, and let us assume that the ....
A. Udaya Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....way, and can be rather coarse. Moreover, it simplifies only that part of the state space that involves integer variables, whereas our method also works for boolean and enumerative variables. 2 Programming Notation. As program notation we use concurrent state-based guarded command systems [Sha93]; a system is hence of the form (V, C_1, ..., C_n, I) where V is a set of variables, the C_i are components and I is a predicate describing the initial states. A component consists of a set of transitions, where guards and assignments are built over boolean or enumerative variables or integer terms. ....
Shankar, A. U. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3), September 1993.
....is true in s [4]. In this paper we will present a method for verifying CTL properties of possibly infinite state systems by using Constraint Logic Programming [7] (CLP, for short) and Program Specialization. Our method is applicable to a large class of concurrent systems, like those described by [14]. Revised version of the extended abstract presented at VCL'01, 2nd ACM SIGPLAN Workshop on Verification and Computational Logic, Florence, Italy, September 4, 2001. Constraint Logic Programming extends standard logic programming by incorporating mechanisms for solving constraints over some ....
....method is realized by providing the recursive definition of the relation s_0 ⊨ as a locally stratified program P_S. Step 1 can be performed in an automatic way for a very large class of concurrent systems, namely those which are state transition systems with enabling conditions and actions [14], with conditions and actions which can be expressed by constraints over the values of state variables. The following simple example will clarify the reader's ideas. This example will be used throughout this paper to illustrate our approach. Let S0 be the system whose set of states is a subset of ....
A. Udaya Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....section describes and proves a set of properties easily derived from the program text. These properties are later used to prove the problem specification in section 6. First, a very simple invariant of the program is: INVARIANT ⟨∀s : 1 ≤ s ≤ N : Nodes[s].wc ≥ 0⟩ (9). Following the terminology of [10], this is an inductive invariant: an invariant p is inductive if it respects {p} s {p} for all statements s in the program. It is easy to check that any statement starting in a state where wc ≥ 0 produces a state where wc ≥ 0: the statement that decrements wc by one is guarded with Active, that is ....
A. U. Shankar. An Introduction to Assertional Reasoning for Concurrent Systems. ACM Computing Surveys, 25(3):225--262, Sept. 1993.
....invariant (i.e. true initially and preserved by any statement) we have to strengthen it by providing a predicate str such that mutex ∧ str is actually invariant. Then, from the invariance of mutex ∧ str, it follows that mutex ∧ str is always true and consequently also mutex. As noted by Shankar [Sha93], although there is no algorithm to generate inductive invariants ("it requires invention and insight into why the system works"), there is a heuristic [SL92] based on weakest preconditions [Dij76] that often works. In the following, we first show how we have synthesized an inductive invariant by ....
A.U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....invariant (i.e. true initially and preserved by any statement) we have to strengthen it by providing a predicate str such that mutex ∧ str is actually invariant. Then, from the invariance of mutex ∧ str, it follows that mutex ∧ str is always true and consequently also mutex. As noted by Shankar [13], although there is no algorithm to generate inductive invariants ("it requires invention and insight into why the system works"), there is a heuristic [14] based on weakest preconditions [7] that often works. In the following, we first show how we have synthesized an inductive invariant by ....
A.U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....model. 2.3 The Logic. The Unity framework also provides a linear temporal logic to describe and prove some properties of programs. This logic is based on the operators unless, stable, constant, invariant, leads to (↦) and until. Because they are fundamental properties of systems [16], we only consider invariant and leads to relations. (In a purely operational semantic model, where only computations are considered, the operator ensures is removed from the theory presented in [3].) However, we also give the operational definition of stable which is useful to state ....
....synchronous statements. However, the formalism forces weak fairness for all statements. Thus, the definition of the product composition is more awkward than if the kind of fairness (including the complete absence of fairness) could be chosen for each statement, as is the case for example in [11, 16]. Acknowledgements. Special thanks to G. Padiou and P. Quéinnec for their valuable comments on earlier drafts and their help in preparing the final version of this paper. The author is also grateful to the anonymous referees for careful reading of the manuscript and helpful comments. ....
A.U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.
....parts of a specification on the one hand, and the formal parts on the other hand, it is essential that both are based on the same semantic model. This requires that the semantic model is both intuitive and formal, which is not an obvious combination. ISpec uses the transition system model [16] as its underlying semantic model, which is believed to satisfy these requirements. This is further explained and motivated below. Transition systems have a long-standing reputation as a semantic model for concurrent systems. In its basic form a transition system consists of a collection of states, ....
Shankar, A. U., An Introduction to Assertional Reasoning for Concurrent Systems, ACM Computing Surveys, Vol. 25, No. 3 (1993), 225--262.
....property is assumed to involve only stable locations, and to hold for all parameter valuations satisfying the initial p constraint of the modeled system. The first method, based on the Floyd-Hoare method of assertions, consists in proving that Pi is an inductive invariant of the model (see, e.g., [19]). The second one, based on model checking techniques, consists in characterizing the set of all the reachable states of the system, and checking that no element violates Pi. Inductive invariants. To prove Pi by inductive invariance, one has to prove that Pi holds initially, and is preserved ....
....properties of the system. Some of these auxiliary properties (viz. Aux3, Aux4, Aux5) involve an additional variable r, which represents the reception date of the last RM cell. Such variables, that record some history of system execution without affecting it, are called history variables [1, 19]. In our model, this can be easily implemented by introducing a discrete variable r in the environment automaton, and updating it with the current time value s whenever event newRM occurs. Initially: s = r. The enriched automaton A_env is represented in Figure 5. ....
A. U. Shankar. "An Introduction to Assertional Reasoning for Concurrent Systems." ACM Computing Surveys 25:3, 1993, pp. 225--262.
....We present a translation from concurrent systems with infinite state spaces to CLP programs that preserves the semantics in terms of transition sequences. The formalism of concurrent systems is a widely used guarded command specification language with shared variables promoted by Shankar [Sha93]. Using this translation, we exhibit the connection between states and ground atoms, between sets of states and constrained facts, between the precondition operator and the logical consequence operator of CLP programs, and, finally, between CTL properties (safety, liveness) and model-theoretic or ....
....The integer values of the two variables turn1 and turn2 in reachable states are unbounded; note that a process can enter wait before the other one has reset its counter to 0. The concurrent program above can be directly encoded as the concurrent system S in Figure 1, following the scheme in [Sha93]. Each process is associated with a control variable ranging over the control locations (i.e. program labels). The data variables correspond to the program variables. The states of S are tuples of control and data values, e.g. ⟨think, think, 0, 3⟩. The primed version of a variable in an action ....
A. U. Shankar. An Introduction to Assertional Reasoning for Concurrent Systems. ACM Computing Surveys, 25(3):225--262, 1993.
....de Informática, UFRGS, {vandi,flavio}@inf.ufrgs.br. 1 Introduction. The class of formalisms composed of a transition system and a linear time temporal logic includes the UNITY formalism [3, 9], the Manna and Pnueli logic [8], the TLA logic [7], the ST formalism [12] and other formalisms [11]. They successfully describe concurrent computational systems in several application fields, and allow the verification of their properties. Digital systems are prime examples of concurrent systems. To describe a digital system, the current design techniques use hardware description languages such ....
....to allow non-terminating transitions because they lift a restriction on the notation for transitions without adding a great burden on the logic. We develop SINC because these features are missing in similar formalisms. The formalisms based on a transition system and a linear time temporal logic [11] usually are asynchronous and do not deal with synchronous systems appropriately. UNITY [3, 9] is a typical formalism based on a transition system and a temporal logic. It includes a synchronous combinator, but its logic does not include rules to prove properties about it. Therefore, this ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....actions, where an action represents a relation between old state and new state, and a temporal logic for reasoning about (potentially infinite) sequences of states, arising from the execution of an algorithm. TLA is quite similar to other formalisms such as Unity [2] and State Transition Systems [11]. A convenient feature of TLA is the use of lifted predicates to specify the relation between two consecutive states, as opposed to guarded assignments and explicit state transitions. There is then a single logic in which both specifications and processes can be described, much in the same way as ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3), 1993.
....of it and being prepared to present and defend them. In our analysis, a simple dispute is initiated by the communication act Assert(#) performed by the proponent of the assertion # and proceeds in the following way: 1. The response to Assert(# #) may be either AskWhy(# #) or Accept(# #). See [Sha93, MP92]. 2. The response to AskWhy(# #) is Argue(# #), where # # is an argument in favor of # # in the argumentation system of the proponent. 3. The response to Argue(# #) may be either Attack(# # ## #), where # # attacks # #, or Accept(# #). 4. The response to Attack(###) may be either ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....We present a translation from concurrent systems with infinite state spaces to CLP programs that preserves the semantics in terms of transition sequences. The formalism of concurrent systems is a widely used guarded command specification language with shared variables promoted by Shankar [Sha93]. Using this translation, we exhibit the connection between states and ground atoms, between sets of states and constrained facts, between the precondition operator and the logical consequence operator of CLP programs, and, finally, between CTL properties (safety, liveness) and model-theoretic or ....
....The integer values of the two variables turn1 and turn2 in reachable states are unbounded; note that a process can enter wait before the other one has reset its counter to 0. The concurrent program above can be directly encoded as the concurrent system S in Figure 3, following the scheme in [Sha93]. Each process is associated with a control variable ranging over the control locations (i.e. program labels). The data variables correspond to the program variables. The states of S are tuples of control and data values, e.g. ⟨think, think, 0, 3⟩. The primed version of a variable in an action ....
A. U. Shankar. An Introduction to Assertional Reasoning for Concurrent Systems. ACM Computing Surveys, 25(3):225--262, 1993.
....We present a translation from concurrent systems with infinite state spaces to CLP programs that preserves the semantics in terms of transition sequences. The formalism of concurrent systems is a widely used guarded command specification language with shared variables promoted by Shankar [Sha93]. Using this translation, we exhibit the connection between states and ground atoms, between sets of states and constrained facts, between the precondition operator and the logical consequence operator of CLP programs, and, finally, between CTL properties (safety, liveness) and model-theoretic ....
....The integer values of the two variables turn1 and turn2 in reachable states are unbounded; note that a process can enter wait before the other one has reset its counter to 0. The concurrent program above can be directly encoded as the concurrent system S in Figure 1, following the scheme in [Sha93]. Each process is associated with a control variable ranging over the control locations (i.e. program labels). The data variables correspond to the program variables. The states of S are tuples of control and data values, e.g. ⟨think, think, 0, 3⟩. The primed version of a variable in an action ....
A. U. Shankar. An Introduction to Assertional Reasoning for Concurrent Systems. ACM Computing Surveys, 25(3):225--262, 1993.
....; • (Variable elimination) Elim_D(ȳ, φ) returns a constraint γ that is equivalent to ∃ȳ φ and whose variables are contained in those of φ without y_1, ..., y_n. • (Entailment test) Entail_D(Ψ, Φ) returns true if and only if ⟦Ψ⟧_D ⊆ ⟦Φ⟧_D. Following [Sha93], we use concurrent systems (to which concurrent programs can be directly translated) to specify systems consisting of concurrently executing processes. A concurrent system S = ⟨x̄, Θ, E⟩ is given by its control and data variables x_1, ..., x_n, an initial condition Θ, and a set E of ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....regular structures. SINC is based on the Hoare logic and the UNITY formalism. 1 Introduction. The class of formalisms composed of a transition system and a first-order linear time temporal logic includes the Manna and Pnueli logic [17, 18], TLA [16], UNITY [8, 20], ST [29] and other formalisms [25, 28]. Due to their expressiveness and flexibility, they have been successfully employed in the description and verification of concurrent or reactive systems in several application fields. However, these formalisms deal mostly with asynchronous systems. A distinct class of computational systems is ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....to the formalism. DSYNC is based on the Hoare logic and the UNITY formalism. 1 Introduction. The class of formalisms composed of a transition system and a first-order linear time temporal logic includes the Manna and Pnueli logic [16, 17], TLA [15], UNITY [8, 19], ST [29] and other formalisms [25, 28]. Due to their expressiveness and flexibility, they have been successfully employed in the description and verification of concurrent or reactive systems in several application fields. However, these formalisms deal mostly with asynchronous systems. A distinct class of computational systems is ....
A. U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....e_T2: enabled: pc2 = T2; action: pc2' = W2 ∧ b' = a + 1. e_W2: enabled: pc2 = W2 ∧ (b < a ∨ a = 0); action: pc2' = C2. e_C2: enabled: pc2 = C2; action: pc2' = T2 ∧ b' = 0. Fig. 1. The bakery algorithm. 2 Representation of Programs and Properties. We use the event-action language from [18] as our syntax for concurrent programs, with a semantics defined in terms of infinite transition systems. A concurrent program C = (V, I, E) is represented by (1) a finite set of data and control variables V; (2) an initial condition I, which specifies the starting states of the program; and (3) ....
A. Udaya Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....; B_i p rM_i[REPLY_IF(p, no) j] B_i ¬p. Non-Vacuity. Questions are non-vacuous: Inv(rM_i[ASK_IF(p) j] ⊃ ¬B_j p ∧ ¬B_j ¬p). In the case of agents with meta-beliefs, we can require in addition that TELL is non-vacuous: Inv(rM_i[TELL(p) j] ⊃ ¬B_j B_i p). Further details can be found in [Sha93, Wag96]. Cooperativity. Good agents always reply: rM_i[ASK_IF(p) j] rM_j[REPLY_IF(p, yes) i] rM_j[REPLY_IF(p, no) i] rM_j[REPLY_IF(p, unknown) i]. Requests are confirmed or disconfirmed: rM_i[REQ_DO(α) j] rM_j[CONFIRM(α) i] rM_j[DISCONFIRM(α) i]. 6 Vivid Agents. A vivid agent ....
A.U. Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, 1993.
....yielded valuable insights and criticisms. Martín Abadi and Leslie Lamport were prompt and helpful in their responses to various technical queries and with feedback on earlier drafts. Fig. 1. Even number generator. Process algebras [Hoa85, Mil80] and verification methods [Bar85, dBdRR90, dBdRR94, Sha93a] based on deduction [Eme90, Lam94, MP92, CM88] and model checking [CES86, Kur93, Hol91]. While these techniques are effective on small examples (mutual exclusion, basic cache consistency algorithms, and simple communication protocols), the difficult problem of scaling these techniques up to large ....
A. Udaya Shankar. An introduction to assertional reasoning for concurrent systems. ACM Computing Surveys, 25(3):225--262, September 1993.