C. B. Jones. Development methods for computer programs including a notion of interference. Technical Report PRG-25, Programming Research Group, Oxford University Computing Laboratory, 1981.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [26]), assume guarantee compositional reasoning (e.g. [36,16]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [16]) ....
....so that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1,5,60,74,65]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [16,36] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [79] and robust control methods [23]. Results about these methods should be formulated in terms of HIOAs, and the methods should be extended ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [26]), assume guarantee compositional reasoning (e.g. [36,16]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [16]) ....
....so that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1,5,60,74,65]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [16,36] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [79] and robust control methods [23]. Results about these methods should be formulated in terms of HIOAs, and the methods should be extended ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [24]), assume guarantee compositional reasoning (e.g. [33, 14]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [14]) should ....
....that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1, 4, 57, 70, 62]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [14, 33] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [75] and robust control methods [21]. Results about these methods should be formulated in terms of HIOAs, and the methods should be ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [24]), assume guarantee compositional reasoning (e.g. [33, 14]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [14]) should ....
....so that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1, 4, 57, 70, 62]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [14, 33] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [75] and robust control methods [21]. Results about these methods should be formulated in terms of HIOAs, and the methods should be extended ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [23]), assume guarantee compositional reasoning (e.g. [32, 14]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [14]) should ....
....that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1, 4, 55, 68, 60]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [14, 32] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [73] and robust control methods [20]. Results about these methods should be formulated in terms of HIOAs, and the methods should be ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....that must be addressed by any work on program correctness. In the sequential case, the semantics of a programming language assigns to each program fragment (statement, procedure, etc.) some mathematical object (denotation) representing the effect of executing that fragment. Typically, see, e.g. [Jones81], this denotation takes the form of a partial function or a binary relation on program states. A specification for a program fragment consists of some properties that must be satisfied by the denotation of that fragment. Often function specifications are expressed in the form of Floyd Hoare ....
....serves the same function as ghost variables: namely to capture information about the history of system execution possibly not reflected in the states of the component module machines. The proof technique suggested by the Correctness Theorem seems closely related to the data refinement proofs of [Jones81]. Jones shows how the correctness of implementations of data abstractions can be performed via representation relations, which relate the states of abstract data objects to states of their concrete representations. Representation relations capture the same information as the ....
Jones, C.B., "Development Methods for Computer Programs Including a Notion of Interference," Wolfson College, June, 1981.
....science for reasoning about discrete systems, can be extended to the hybrid setting and expressed by theorems about HIOAs. Other discrete analysis methods that should be extendible include proving progress using well founded sets (see, e.g. [23]), assume guarantee compositional reasoning (e.g. [32, 14]) and deducing properties within temporal logic and other logical formalisms. All of these methods could be supported by interactive theorem proving software. Automatic methods based on state space searching and based on decision procedures for automata on infinite paths (see, e.g. [14]) should ....
....so that it does not include any external variables. It remains to consider the formal relationship between this model and other timed automaton models, for example, those of [1, 4, 55, 68, 60]. It would also be useful to incorporate additional analysis methods, including assume guarantee reasoning [14, 32] and a variety of methods from control theory, into the HIOA framework. Control theory methods to consider should include Lyapunov stability analysis methods [73] and robust control methods [20]. Results about these methods should be formulated in terms of HIOAs, and the methods should be extended ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Programming Research Group, Technical Monograph 25.
....it is important to notice that their specification must only refer to projections of the trace onto those communications that involve the process at hand. The first compositional characterization of shared variable concurrency was called the Rely Guarantee (R G) method and was conceived by Jones [11]; for complete versions of this proof system consult [17, 22] Again validity of a R G specification of a process states that provided the environment satisfies the rely condition R that process fulfills the guarantee condition G. The difference with the A C system being that validity of an A C ....
....and par gives us $in_1(t_2)$ which contradicts $\neg in_1(t_2)$. Elimination of the logical variable $t_0$ in the precondition finally results in the correctness specification $\{true\}\ P \parallel Q\ \{false\}$ that was to be proved. 6 Embedding the rely and guarantee formalism. In the Rely Guarantee formalism [11, 17, 22] a specification is split up into four parts. There exist two assumptions on the environment: a precondition pre characterizing the initial state and a rely condition on state pairs that characterizes a relation any transition from the environment is supposed to satisfy. These assumptions describe ....
C.B. Jones. Development methods for computer programs including a notion of interference. PhD thesis, Oxford University Computing Laboratory, 1981.
.... Work There are several proposals for compositional reasoning rules in the literature, but only a few investigations of the completeness of these rules a good survey of the field appears in the COMPOS97 proceedings [dRLP97] The earliest proposals for assume guarantee reasoning are from [Jon81,CM81] these are concerned with establishing safety properties of networks of processes. Zwiers book [Zwi89] contains much of the groundwork necessary for reasoning about compositional proof systems. Proofs of the completeness of compositional reasoning systems for safety properties are found ....
C.B. Jones. Development methods for computer programs including a notion of interference. PhD thesis, Oxford University, 1981.
....be presented at Concur 94, Uppsala, Sweden, August 22 25, 1994. Abstract. Assumption Commitment paradigms for specification and verification of concurrent programs have been proposed in the past. We show that two typical parallel composition rules for shared variable and message passing programs [8,12] which hitherto required different formulations are instances of one general rule mainly inspired by Abadi Lamport's composition theorem [1]. 1 Introduction. Compositional methods support the verify while develop paradigm (an interesting account is given in [15]). However, compared to sequential ....
....as against monolithic, specification paradigms have been proposed, in which a component is verified to satisfy a commitment under the condition that the environment satisfies an assumption. Such proof systems have been studied for concurrent programs communicating through shared variables [8,17 19], as well as through message passing (as in OCCAM for example) [12,14,20]. Although historically these two systems were developed independently, it has been noticed from the beginning that the proof rules (recalled in Sect. 3) look remarkably similar. Nevertheless, there is a puzzling difference. ....
C.B. Jones. Development methods for computer programs including a notion of interference. DPhil. Thesis, Oxford University Computing Laboratory, 1981.
....paper is as follows: In Section 2 we introduce Stark's formalism and give some simplifications improvements based on [3]. Furthermore we give an intuitive explanation of Stark's rely guarantee rule for liveness properties. Stark's work was based on the rely guarantee idea presented by Cliff Jones in [4]. We present in Section 3 the formal treatment of [2]. Section 4 contains a conclusion and mentions future work. 2 Stark's Formalism 2.1 Introduction. In this section we present Stark's formalism because papers [12, 13] are not easily accessible. We simplify his temporal logic; this simplification ....
....one checks if for all events of the composite machine the maximality condition holds. For the proof of the validity condition Stark uses his rely guarantee rule because the V formulae can be written in rely guarantee form. This rule solves the circular reasoning problem in another way than [4, 15, 9], see Section 2.7 for details. 2.6 Specification of Lamport's soda machine. In the next example, the soda machine example [7] we illustrate some of the above notions particularly that of composite machine. The soda machine is a system in which the user deposits either a half dollar or two ....
C.B. Jones. Development methods for computer programs including a notion of interference. PhD thesis, Oxford University Computing Laboratory, 1981.
.... concept of a simulation between machines, and can be viewed as a generalization of the standard representation function, abstraction function, or interpretation techniques for proving an implementation relationship between an abstract data type and its concrete representation ([GHM78] [Hoa72] [Jon81]). If an abstract data type is viewed as a process, whose communications correspond to invocations of operations of the data type, then standard techniques are capable of proving only safety or invariance properties. In contrast, our technique permits both safety properties and liveness or ....
....the correspondence between the states of $M$ and those of $M'$. The simulation relation $\rho$ is a generalization of, and serves a purpose similar to, the abstraction functions or representation functions used in proofs of implementation relationships between abstract data types ([GHM78] [Hoa72] [Jon81]). Lemma 5. Suppose $S = (V, C, \phi)$ and $S' = (V, C', \phi')$ are conceptual state specifications. Then $S \models S'$ iff to each $V$ history $x$ and $C$ history $y$ such that $(x \sqcup y) \models \phi$, there corresponds a $C'$ history $y'$ such that $(x \sqcup y') \models \phi'$. Proof. Suppose to each $V$ ....
C. B. Jones. Development Methods for Computer Programs Including a Notion of Interference. PhD thesis, Wolfson College, June 1981.
....with additional conditions to permit its application to these more general specifications. The additional conditions do not appear to relate in a simple way to the proof technique presented here. The use of rely and guarantee conditions has also been proposed for safety specifications by Jones [Jon81] [Jon83]. Barringer and Kuiper [BK83] (see also [BKP84]) have proposed the use of liveness specifications that are partitioned into an environment part, which captures assumptions made about the environment, and a component part, which captures commitments made by the module being specified. ....
C. B. Jones, "Development Methods for Computer Programs Including a Notion of Interference," Wolfson College, June, 1981.
.... concept of a simulation between machines, and can be viewed as a generalization of the standard representation function, abstraction function, or interpretation techniques for proving an implementation relationship between an abstract data type and its concrete representation ([GHM78] [Hoa72] [Jon81]). If an abstract data type is viewed as a process, whose communications correspond to invocations of operations of the data type, then standard techniques are capable of proving only safety or invariance properties. In contrast, our technique permits both safety properties and liveness or ....
....the correspondence between the states of $M$ and those of $M'$. The simulation relation $\rho$ is a generalization of, and serves a purpose similar to, the abstraction functions or representation functions used in proofs of implementation relationships between abstract data types ([GHM78] [Hoa72] [Jon81]). Lemma 5. Suppose $S = (V, C, \phi)$ and $S' = (V, C', \phi')$ are conceptual state specifications. Then $S \models S'$ iff to each $V$ history $x$ and $C$ history $y$ such that $(x \sqcup y) \models \phi$, there corresponds a $C'$ history $y'$ such that $(x \sqcup y') \models \phi'$. Proof. Omitted from this ....
C. B. Jones, "Development Methods for Computer Programs Including a Notion of Interference," Wolfson College, June, 1981.
....with additional conditions to permit its application to these more general specifications. The additional conditions do not appear to relate in a simple way to the proof technique presented here. The use of rely and guarantee conditions has also been proposed for safety specifications by Jones [Jon81] [Jon83]. Barringer and Kuiper [BK83] (see also [BKP84]) have proposed the use of liveness specifications that are partitioned into an environment part, which captures assumptions made about the environment, and a component part, which captures commitments made by the module being specified. ....
C. B. Jones, "Development Methods for Computer Programs Including a Notion of Interference," Wolfson College, June, 1981.
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as: Programming Research Group, Technical Monograph 25.
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as: Programming Research Group, Technical Monograph 25.
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Technical Monograph No. PRG-25.
.... code has been designed (in this case the interference freedom test). Several researchers realized that some way of controlling the interference would have to be built into specifications: [FP78] specifies interference but does not present a development method in the sense suggested here; [Jon81] 52 uses rely and guarantee conditions to provide a partial specification of interference; a rely guarantee approach was published independently in [MC81]. A significant 49 See also [Bri74a, Bri78] 50 Revised and rewritten as [Mil89] 51 See also [OG76] a related method is described in ....
C. B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as Technical Monograph No. PRG-25.
....but only one operation is executed at a time. A sequential operation can then be interpreted as a binary relation on the state space and specified with pre and post conditions; examples are given below but readers are assumed to be familiar with pre post specifications in the style of VDM. In [Jon81], rely and guarantee conditions are proposed as an extension to cope with the specification and development of concurrent operations, a situation that occurs when operations sharing state components have overlapping executions. The necessary background about rely guarantee specifications is ....
Cliff B. Jones. Development Methods for Computer Programs Including a Notion of Interference. PhD thesis, Oxford University, 1981.
C. B. Jones. Development methods for computer programs including a notion of interference. Technical Report PRG-25, Programming Research Group, Oxford University Computing Laboratory, 1981.
C.B. Jones. Development methods for computer programs including a notion of interference. PhD thesis, Oxford University Computing Laboratory, 1981.
Cliff B. Jones. Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University Computing Laboratory, June 1981. Printed as: Programming Research Group, Technical Monograph 25.
Jones, C.B.: Development methods for computer programs including a notion of interference. Ph.D. Thesis, Oxford University, 1981.
Jones, C.B.: Development methods for computer programs including a notion of interference. Ph.D. Thesis, Oxford University, 1981.