L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Proceedings of FTRTFT'94, volume 863 of Lecture Notes in Computer Science. Springer, 1994.
....that non-faulty receivers agree on the message received from the transmitter, and, if the transmitter is non-faulty, the message received by every non-faulty receiver is the message he sent. Oral message algorithms of different levels of granularity have been formally checked, for example in [2, 7, 9, 13]. These proofs are usually long, tedious, and quite complicated. Lincoln and Rushby [9] use specialized proof tactics and a library of useful facts about cardinality constraints on finite sets. The following simple property, where S and P are subsets of {0, ..., n}, is representative for the set ....
L. Lamport and S. Merz, Specifying and verifying fault-tolerant systems, in Formal Techniques in Real-Time and Fault-Tolerant Systems, H. Langmaack, W.-P. de Roever, and J. Vytopil, eds., vol. 863 of Lecture Notes in Computer Science, Lübeck, Germany, September 1994, Springer-Verlag, pp. 41-76.
....Our analysis method is to compute, for each failure scenario of interest, an MFG representing the system's communication behaviors in that failure scenario. Each MFG is then checked to see whether the fault-tolerance requirement for that failure scenario is satisfied. A more common method (e.g. [SS83, LJ92, CdR93, Web93, PJ94, LM94]) is to model failures as events that occur nondeterministically during a computation; system behavior in all failure scenarios is analyzed together. We separate the analyses for different failure scenarios for two reasons: i) this separation is convenient for failure scenarios with different ....
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, 1994.
....irrelevant aspects of a system's failure-free behavior. The latter reflects a separation of concerns that is crucial for making the fault-tolerance analysis tractable. A common approach to modeling failures is to treat them as events that occur nondeterministically during a computation (e.g. [CdR93, PJ94, LM94]), but this makes it difficult to separate the effects of failures from other aspects of the system's behavior and, consequently, to model the former more finely than the latter. In particular, one often wants to avoid case analysis corresponding to nondeterminism in a system's failure-free behavior, ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Proc. Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of LNCS, pages 41--76. Springer-Verlag, 1994.
....as well as others have been promoting as a future direction of research in the area of mechanical reasoning. One of the most interesting examples of the use of TLP has been one by Stephan Merz, described in the recent article by Lamport and Merz, "Specifying and Verifying Fault-Tolerant Systems" [25]. The article presents specifications for a well-known solution to the Byzantine generals problem and delivers a rigorous, hierarchically structured proof, most steps of which have been verified with TLP. Peter Grønning at the Danish Technical University has been using TLP in the verification of a ....
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
....composition. Motivation: Typical examples of important building blocks in the construction of fault-tolerant distributed systems include [5] consensus (or exact agreement), atomic broadcast and group membership. Formal specification and verification of these building blocks exist in the literature [11, 18, 25, 36]. The work reported in [35] combines some of these building blocks in the design of different diagnosis algorithms, and presents formal analyses of the proposed algorithms. It is important to point out that formal specifications and related verification in [35] have been performed on a progressive or ....
L. Lamport and S. Merz, "Specifying and Verifying Fault-Tolerant Systems." Proc. of FTRTFT, LNCS 863, pp. 41-76, 1994.
....timewise refinement. 1. Introduction. Formal methods based on state machines [36], assertional proof systems [5, 6, 20], process algebras [25, 2, 15, 31, 38] and other formalisms [17, 3, 8, 27] have been applied to the development of fault-tolerant real-time systems. Many case studies (e.g. [35, 28, 14, 34, 21, 4]) can be found in the literature, but none of them treats system design involving the tolerance of both hardware and software faults while addressing real-time requirements simultaneously. As the reliability of computing hardware continues to increase, error-prone software remains ubiquitous, even ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Proc. Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 41-76. Springer-Verlag, 1994.
.... known as interactive consistency and Byzantine agreement) [13], reliable and atomic broadcast [14], and group membership [15]. Numerous algorithms have been developed to perform these functions and, because of their criticality and subtlety, several of them have been subjected to detailed formal [16-18] and mechanically checked [19-23] verifications, as have their combination into larger functions such as diagnosis [24] and their synthesis into a fault-tolerant architecture based on active (state machine) replication [25, 26]. Formal, and especially mechanically checked, verification of these ....
....program and the proofs are conventional inductions. Following this approach, the special case of a two-round algorithm (a variant of the algorithm known as OM(1)) is specified in [22] in a couple of lines and its verification is almost completely automatic. In contrast, the treatment of OM(1) in [18] is long and detailed and quite complicated. The reason for its length and complexity is that this treatment explicitly considers the distributed, message-passing character of the intended implementation, and calculates tight real-time bounds on the timeouts employed. All these details are ....
Leslie Lamport and Stephan Merz, "Specifying and verifying fault-tolerant systems," in Formal Techniques in Real-Time and Fault-Tolerant Systems, H. Langmaack, W.-P. de Roever, and J. Vytopil, Eds., Lübeck, Germany, Sept. 1994, vol. 863 of Lecture Notes in Computer Science, pp. 41-76, Springer-Verlag.
.... known as interactive consistency and Byzantine agreement) [33], reliable and atomic broadcast [9], and group membership [7]. Numerous algorithms have been developed to perform these functions and, because of their criticality and subtlety, several of them have been subjected to detailed formal [15, 23, 43] and mechanically checked [2, 26-28, 34] verifications, as have their combination into larger functions such as diagnosis [25] and their synthesis into a fault-tolerant architecture based on active (state machine) replication [11, 35]. Formal, and especially mechanically checked, verification ....
....program and the proofs are conventional inductions. Following this approach, the special case of a two-round algorithm (a variant of the algorithm known as OM(1)) is specified in [28] in a couple of lines and its verification is almost completely automatic. In contrast, the treatment of OM(1) in [23] is long and detailed and quite complicated. The reason for its length and complexity is that this treatment explicitly considers the distributed, message-passing character of the intended implementation, and calculates tight real-time bounds on the timeouts employed. All these details are ....
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76, Lübeck, Germany, September 1994. Springer-Verlag.
.... Proof systems based on higher-order logic include ALF [18], Automath [20], Coq [9], EHDM [19], HOL [13], IMPS [10], LAMBDA [11], LEGO [17], Nuprl [6], PVS [22] and Veritas [14]. Set theory is the standard foundation for mathematics and for formal notations like Z [24], VDM [15] and TLA [16]. Several proof assistants for set theory exist, such as Mizar [23] and Isabelle/ZF [21]. Anecdotal evidence suggests that, for equivalent kinds of theorems, proof in higher-order logic is usually easier and shorter than in set theory. Isabelle users liken set theory to machine code and type ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Proceedings of FTRTFT'94, Lecture Notes in Computer Science. Springer-Verlag, 1994. See also: http://www.research.digital.com/SRC/tla/papers.html#TLA+.
....CAREER CCR-9896321. 1. Motivation: Typical examples of important building blocks in the construction of fault-tolerant systems include [6] consensus (or exact agreement), atomic broadcast and group membership. Formal specification and verification of these building blocks exist in the literature [11, 19, 29, 41]. The work reported in [40] combines some of these building blocks in the design of different diagnosis algorithms, and presents formal analyses of the proposed algorithms. It is important to point out that formal specifications and related verification in [40] have been performed on a progressive ....
L. Lamport and S. Merz, "Specifying and Verifying Fault-Tolerant Systems." Proc. of FTRTFT, LNCS 863, pp. 41--76, 1994.
....organization of TLA specifications: our module structure is straightforward: each class is modelled as a module (Client, BinaryTree), and we add an Eiffel module for the actions and state predicates common to all the specifications of Eiffel programs. We also use the Sequences module, defined in [17], which defines the usual operators on sequences (Head, Tail, concatenation, and length). For example, Seq(S) represents the set of all the sequences of values belonging to S. Here are some notations used to represent functions and records (as presented in [16]): [A → B] is the set of all the ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, 1994.
....[Sha93] and an algorithm for interactive consistency [LR93]. We also mention the specification language TLA (Temporal Logic of Actions), which has been applied to a large number of examples. See, e.g., the specification and the hierarchically structured proof of a Byzantine generals algorithm [LM94]. Another nice example of protocol verification can be found in [BPV94], where an industrial protocol is specified and verified based on timed I/O automata. Acknowledgements. The ACCESS.bus protocol has been proposed by Ron Koymans (Philips Research, Eindhoven) to a number of academic researchers ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 41--76. LNCS 863, 1994.
....Nqthm [BHMY89]. Most of the literature mentioned above does not give a clear methodology that can easily be used by others. Sometimes the use of a formal framework structures the specification and the verification; see for instance the use of TLA for a treatment of the Byzantine generals problem [LM94]. Interesting in [AH97] is the formulation of a template for specifying Lynch-Vaandrager timed automata in PVS. Generic PVS theories to verify well-known algorithmic techniques such as divide and conquer have been formulated by Dold [Dol95]. Specific algorithms can be obtained by adding details to ....
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 41--76. LNCS 863, 1994.
....be applicable to a reasonably broad class of problems. There would be little point developing a complete specification and verification method for each particular problem. TLA and TLA+ have been applied to a number of diverse problems, including hybrid systems [14], fault-tolerant algorithms [17], and operating system algorithms [12]. Although some research has been published reporting the use of formal methods to verify sliding window protocols [8, 6, 3], we don't know of any that has included full liveness proofs and implementation aspects. This has apparently been due either to the ....
Lamport, L., and Merz, S. Specifying and verifying fault-tolerant systems. In Formal Techniques in Real-Time and Fault-Tolerant Systems (1994), H. Langmaack, W.-P. de Roever, and J. Vytopil, Eds., LNCS, volume 863, Springer-Verlag, pp. 41--76.
.... of faults [LSP82]. This is a distributed algorithm, and if we are concerned with issues of the timing and transfer of the messages that are communicated in the algorithm, then it is necessary to model these mechanisms in some detail, and the analysis will be correspondingly detailed and lengthy [LM94]. But if we are mainly concerned with the fault-masking properties of the algorithm, then the mechanisms of distributed computation and communication can be ignored and the algorithm can be modeled as a recursive function, in which form its analysis is quite straightforward. Certain details of ....
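The recursive-function view of the oral message algorithm described in this excerpt, together with the OM(1) special case and the agreement/validity conditions discussed in the earlier excerpts, can be made concrete with the following Python model. This is an added example, not code from the cited paper or from any of the citing papers. It models OM(m) of Lamport, Shostak and Pease as a recursive function and, in the per-failure-scenario style of the MFG excerpts above, checks the two interactive consistency conditions separately for every set of at most m faulty processes. Assumptions not taken from the page: process 0 is the commander and 1..n-1 are lieutenants; faulty processes follow a constructed "two-faced" adversary (`two_faced`) that tells even-numbered receivers ATTACK and odd-numbered receivers RETREAT regardless of what it should send; `majority` returns RETREAT when ATTACK has no strict majority, which is the default value of the original algorithm.

```python
"""OM(m) oral-message Byzantine agreement modelled as a recursive function and
checked one failure scenario at a time.

Added example (not from the cited or citing papers).  Process 0 is the
commander, processes 1..n-1 are lieutenants.  Faulty behaviour is supplied by
a constructed adversary function; `two_faced` below is an assumption, not
something taken from the page.
"""
from itertools import combinations

ATTACK, RETREAT = "ATTACK", "RETREAT"  # RETREAT is the default value


def majority(values):
    """ATTACK if it holds a strict majority, otherwise the default RETREAT."""
    return ATTACK if values.count(ATTACK) * 2 > len(values) else RETREAT


def two_faced(sender, receiver, value, m):
    """Constructed adversary: a faulty sender ignores `value` and tells
    even-numbered receivers ATTACK and odd-numbered receivers RETREAT."""
    return ATTACK if receiver % 2 == 0 else RETREAT


def om(m, commander, lieutenants, value, faulty, fault_fn):
    """Run OM(m) with `commander` sending `value` to `lieutenants`.
    Returns {lieutenant: value that lieutenant uses}."""
    def send(src, dst, v, round_):
        # A loyal sender relays v faithfully; a faulty one does whatever
        # the adversary says.
        return fault_fn(src, dst, v, round_) if src in faulty else v

    # Step 1: the commander sends its value to every lieutenant.
    received = {l: send(commander, l, value, m) for l in lieutenants}
    if m == 0:
        # OM(0): each lieutenant simply uses the value it received.
        return received
    # Step 2: each lieutenant acts as commander in OM(m-1) to relay the
    # value it received to the other lieutenants.
    relayed = {}
    for j in lieutenants:
        others = [l for l in lieutenants if l != j]
        relayed[j] = om(m - 1, j, others, received[j], faulty, fault_fn)
    # Step 3: lieutenant i takes the majority of its own value from the
    # commander and the values relayed to it by every other lieutenant.
    return {
        i: majority([received[i]] + [relayed[j][i] for j in lieutenants if j != i])
        for i in lieutenants
    }


def check_scenario(n, m, faulty, value, fault_fn=two_faced):
    """One failure scenario: returns (IC1 agreement holds, IC2 validity holds).
    IC1: all loyal lieutenants use the same value.
    IC2: if the commander is loyal, every loyal lieutenant uses its value."""
    lieutenants = list(range(1, n))
    decisions = om(m, 0, lieutenants, value, faulty, fault_fn)
    loyal = [d for l, d in decisions.items() if l not in faulty]
    agreement = len(set(loyal)) <= 1
    validity = 0 in faulty or all(d == value for d in loyal)
    return agreement, validity


def all_scenarios(n, m, fault_fn=two_faced):
    """Enumerate every set of at most m faulty processes and both commander
    values, analysing each scenario separately.  Returns the scenarios that
    violate IC1 or IC2 as (faulty, value, agreement, validity) tuples."""
    failures = []
    for k in range(m + 1):
        for faulty in combinations(range(n), k):
            for value in (ATTACK, RETREAT):
                agreement, validity = check_scenario(n, m, set(faulty), value, fault_fn)
                if not (agreement and validity):
                    failures.append((faulty, value, agreement, validity))
    return failures


if __name__ == "__main__":
    # n > 3m is required: 4 generals tolerate 1 traitor, 3 do not.
    print("n=4, m=1 violations:", all_scenarios(4, 1))
    print("n=3, m=1 violations:", all_scenarios(3, 1))
```

Running it shows no violating scenario for n = 4, m = 1, while for n = 3, m = 1 the scenario in which lieutenant 2 is faulty and the commander says ATTACK makes the loyal lieutenant 1 fall back to RETREAT, violating IC2; this is the n > 3m bound of the original algorithm showing up in the per-scenario analysis.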
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, pages 41--76, Lübeck, Germany, September 1994. Volume 863 of Lecture Notes in Computer Science, Springer-Verlag.
....a mechanizable calculus for process transformations [10]. We aim at an extension to a design calculus which allows the derivation of processes from abstract descriptions of their desired behaviour. The calculational approach to program derivation is by now traditional (see, for example, [6, 20, 4, 18]). Since most errors in software engineering result from erroneous descriptions of the intended behaviour, it is vital that these specifications be as clear and concise as possible. The language CSP is oriented towards implementability, and less suitable for expressing specifications. Some ....
Lamport L., Merz S.: Specifying and verifying fault-tolerant systems. In: Langmaack H. et al. (eds.): Formal techniques in real-time and fault-tolerant systems. LNCS 863, Springer Verlag, 41-76 (1994)
No context found.
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
No context found.
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
No context found.
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
No context found.
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
....somewhat laborious. We assume no prior knowledge of TLA or TLA+. Concepts and notations are explained as they are introduced; the index on page 46 can help the reader find those explanations. TLA is described in detail in [12], and there are several published examples of TLA specifications [11, 14]. Further information about TLA and TLA+ can be found on the Web [9]. The problem is not very challenging for TLA, TLA+, or our proof style. With our experience, it was possible to grind out the requisite specifications and proofs without much thought. More difficult was choosing from among ....
....defines operators on finite sequences. In TLA+, an n-tuple ⟨v_1, ..., v_n⟩ is a function whose domain is the set {1, ..., n} of natural numbers, where ⟨v_1, ..., v_n⟩[i] equals v_i, for 1 ≤ i ≤ n. The Sequences module represents sequences as tuples. The module appeared in [14] (without the definition of Seq, which was not needed there) and is given without further explanation in Figure 8 on the next page. It defines the usual operators Head, Tail, ∘ (concatenation) and Len (length) on sequences, as well as the operator Seq, where Seq(S) is the set of ....
[Article contains additional citation context not shown here]
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
....to a reasonably broad class of problems. There would be little point developing a complete specification and proof method just for caching algorithms. TLA and TLA+ have been applied to a number of diverse domains, including hybrid systems [15] and distributed fault-tolerant algorithms [18]. Nothing new has been introduced for the lazy caching example. We are not interested in finding the simplest or most elegant possible proof of the lazy caching algorithm. Some formalisms might be better suited for reasoning about caching algorithms. Also, this kind of short, subtle algorithm ....
Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. In H. Langmaack, W.-P. de Roever, and J. Vytopil, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 863 of Lecture Notes in Computer Science, pages 41--76. Springer-Verlag, September 1994.
No context found.
L. Lamport and S. Merz. Specifying and verifying fault-tolerant systems. In Proceedings of FTRTFT'94, volume 863 of Lecture Notes in Computer Science. Springer, 1994.
No context found.
L. Lamport, S. Merz. Specifying and Verifying Fault-Tolerant Systems. H. Langmaack, W.-P. de Roever, J. Vytopil (eds.), Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS, volume 863, Springer-Verlag, pp. 41-76, 1994.
No context found.
Leslie Lamport and Stephan Merz. Specifying and Verifying Fault-Tolerant Systems. In Formal Techniques in Real-Time and Fault-Tolerant Systems, H. Langmaack, W.-P. de Roever, and J. Vytopil, editors. LNCS 863, Springer-Verlag, pp. 41-76, 1994.