J. Misra. Soundness of the substitution axiom. Notes on UNITY 14--90, Department of Computer Sciences, University of Texas at Austin, Austin, Texas, March 1990.
....t satisfy postcondition q. In terms of the execution sequences this rule means Sg.e i = t # q(e i 1 )#. Safety Properties. As in UNITY's logic, the basic safety properties of a program are specified in terms of unless relations. The Swarm unless rule mirrors the UNITY rule [14]: p # q p # q # p unless q Informally, p unless q means that, if predicate p is true at some point in the computation and q is not, then, after the next step, p remains true or q becomes true. Remember TRS is the set of all possible transactions, not a specific transaction space. ....
J. Misra. Soundness of the substitution axiom. Notes on UNITY 14--90, Department of Computer Sciences, University of Texas at Austin, Austin, Texas, March 1990.
....contradiction. The problem is that by definition p UNLESS q in Pr holds regardless of whether p or q ever holds during the execution. On the other hand, an invariant only holds in reachable states. So, using an invariant to do substitution is only valid on the part of p and q that are reachable. See [Mis90, San91, Pra93a] for more discussions on this topic. To avoid this problem we can weaken the definition of UNITY operators by restricting them to reachable states. For example UNLESS is redefined to: t) p UNLESS q in Pr : VA : PROG.Pr. Reach.Pt AND p AND (NOT q) 4 p OR Where Reach.Pt is a predicate that ....
J. Misra. Soundness of the substitution axiom. Notes on UNITY, 14-90, March 1990.
....p leads Gamma to q are obtained by finite use of the above rules: The complete Unity programming logic is based on the temporal operators unless, ensures and leads to, plus the substitution axiom. Combining the substitution axiom with the defined temporal operators gives an unsound proof system [San91, Mis90]. A. Sanders in [San91] modifies the Unity logic by eliminating the substitution axiom from this logic and by giving a new definition of the operators unless, ensures and leads to using the predicate transformers sst and wst, standing respectively for strongest stable predicate and weakest stable ....
J. Misra. Soundness of the substitution axiom. Notes on Unity, pages 14--90, 1990.
....Our earlier theory of safety[3] using the unless operator, was inspired by temporal logic. The present treatment tries to overcome some of the pragmatic difficulties of using unless. There are a number of papers on the substitution axiom, in particular by Sanders[24], Knapp[13] and Misra[22]; the interpretation given in this chapter is from Knapp. A clear example of the distinction between invariant and always true is in van Gasteren and Tel[27]. The notion of the strongest invariant has been around for a long time; see Lamport[16] and Sanders[24] in particular. Section 3.5.6, ....
J. Misra. Soundness of the substitution axiom. Notes on UNITY: 14--90, March 1990.
....to the treatment of invariants in [San91]. We call a property of a program F directly provable if it can be proved in the UNITY proof system for F without using the substitution axiom. The importance of direct provability is emphasized by the theorem about normal forms of proofs due to Misra [Mis90b]. Theorem 4 For any property of a program F there is an invariant J such that ( J is directly provable. The significance of this theorem for our derivation of a verification method is that any proof of a property can be split into two parts, namely first finding a suitable invariant J ....
J. Misra. Soundness of the substitution axiom. Notes on UNITY, (14), 1990.
....Our earlier theory of safety[5] using the unless operator, was inspired by temporal logic. The present treatment tries to overcome some of the pragmatic difficulties of using unless. There are a number of papers on the substitution axiom, in particular by Sanders[39], Knapp[21] and Misra[33]; the interpretation given in this paper is from Knapp[21]. A clear example of the distinction between invariant and always true is in van Gasteren and Tel[45]. The notion of the strongest invariant has been around for a long time; see Lamport[24] and Sanders[39] in particular. Section 5.5 on ....
J. Misra. Soundness of the substitution axiom. Notes on UNITY: 14--90, March 1990.
....p 7 q in F [ ff ) p 7 q in F [ fi . This material is based in part upon work supported by the Texas Advanced Research Program under Grant No. 003658 065 and by the Office of Naval Research Contract N00014 90 J 1640. Proof: We give the proof, ignoring the substitution axiom. As shown in [2], the proof can be redone if substitution axiom is taken into account. The proof is given in several major steps. 1. p unless q in ff ) p unless q in fi: This merely says that strengthening a guard preserves the safety properties. p unless q in ff , assume fp :q rg A fp qg , definitions of ....
J. Misra, "Soundness of the Substitution Axiom," Notes on UNITY: 14-90, Austin, Texas, March 1990.
No context found.
J. Misra. Soundness of the substitution axiom. Notes on UNITY 14--90, Department of Computer Sciences, University of Texas at Austin, Austin, Texas, March 1990.