William D. Young. Verifying the Interactive Convergence clocksynchronization algorithm using the Boyer-Moore prover. NASA Contractor Report 189649, NASA Langley Research Center, Hampton, VA, April 1992. (Work performed by Computational Logic Incorporated)


This paper is cited in the following contexts:
Formal Verification for Fault-Tolerant.. - Owre, Rushby.. (1995)   (221 citations)

....axioms in favor of definitions; the axioms that remain are used to state assumptions about the environment and constraints on parameters properties that are best treated axiomatically rather than definitionally. Even so, Bill Young of CLI, who repeated our verification using the Boyer-Moore prover [28], found that one of the remaining axioms was unsatisfiable in the case of drift free clocks. We adopted a repair suggested by him (a substitution of for ) and also an improved way to organize the main induction. The defective axiom identified by Bill Young did not introduce an inconsistency; ....

William D. Young, "Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover", NASA Contractor Report 189649, NASA Langley Research Center, Hampton, VA, Apr. 1992, (Work performed by Computational Logic Incorporated).


The OMRS Project: State of the Art - Giunchiglia, Bertoli, Coglio (1998)   (1 citation)

....1 implementing various kinds of reasoning have been developed and used to accomplish complex tasks. For instance, interactive theorem provers have been employed to mechanically prove deep mathematical theorems ([17,35,37,7]) as well as correctness of nontrivial hardware and software systems ([6,8,36,44]). As another example, the use of model checking tools has become a de facto standard approach (also in many industrial projects) to validate the design of hardware components or communication protocols ([11,24]). Furthermore, decision procedures of various kinds (e.g. for propositional calculus, ....

W.D. Young. Verifying the interactive convergence clock synchronization algorithm using the Boyer-Moore theorem prover. Contractor Report 189649, NASA.


Formally Verified On-Line Diagnosis - Walter, Lincoln, Suri (1997)   (1 citation)

....is universal is proved by induction on the number of rounds, and then a theorem giving the result in the form desired is stated. This style of breaking a specification into separate predicate, lemma, and theorem is quite useful in formal systems. Many other large specifications use this technique [30, 40, 13]. We now present the final theorem versions of the two properties. FinalCorrectness: THEOREM (FORALL i,j: g(i) AND fincard(gs(fullset[fcu] fincard(ss(fullset[fcu] 1 AND PP(fullset[fcu] R,Empty) i,j) IMPLIES c(j) OR s(j) This theorem is supposed to roughly correspond to the first ....

Young, W., "Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover", NASA TR 189649, NASA LARC, April 1992.


A Formal Model of Asynchronous Communication and Its Use in.. - Moore (1993)   (15 citations)

.... ) algorithm of Pease, Shostak, and Lamport[PSL80] In [BY91] they describe the formalization and correctness proof of that algorithm and carried it all the way down to the Nqthm specification of four microprocessors that use the algorithm to reach agreement in the presence of faults. Young[You91] then used Nqthm to prove the correctness of the interactive convergence clock synchronization algorithm, essentially following in the footsteps of Rushby and von Henke[RvH89] Meanwhile, the present author used the hardware description language formalized in Nqthm by B. Brock and W. Hunt[BH90] of ....

Young, W.D.: Verifying the interactive convergence clock synchronization algorithm using the boyer-moore theorem prover. Internal Note 199, Computational Logic, Inc., 1717 W. Sixth Street, Suite 290, Austin, TX 78703, January 1991.


Formal Verification for Fault-Tolerant.. - Owre, Rushby.. (1995)   (221 citations)

....in favor of definitions; the axioms that remain are used to state assumptions about the environment and constraints on parameters properties that are best treated axiomatically rather than definitionally. Even so, Bill Young of CLI, who repeated our verification using the Boyer-Moore prover [28], found that one of the remaining axioms was unsatisfiable in the case of drift free clocks. We adopted a repair suggested by him (a substitution of for ) and also an improved way to organize the main induction. The defective axiom identified by Bill Young did not introduce an inconsistency; ....

William D. Young, "Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover", NASA Contractor Report 189649, NASA Langley Research Center, Hampton, VA, Apr. 1992, (Work performed by Computational Logic Incorporated).


Design Goals for ACL2 - Kaufmann, Moore (1994)   (24 citations)

.... io Byzantine agreement processor has been proved [26]. In addition, it was proved that the algorithm implemented by the Byzantine agreement processor correctly solves the oral messages problem [5]. Finally, the correctness of the interactive convergence clock synchronization algorithm was proved [38]. Scheduling, Concurrency, and Distributed Computing: Nqthm has been used to prove that an operating system implemented in machine code on a uniprocessor correctly provides multitasking and task isolation and communication [3]. An Nqthm formalization of Misra and Chandy's Unity language [14] ....

W.D. Young. Verifying the Interactive Convergence Clock Synchronization Algorithm using the Boyer-Moore Theorem Prover. Contractor Report 189649, NASA, April 1992.


Formal Methods Technology Transfer: A View from NASA - Caldwell (1996)   (2 citations)

....most difficulty convincing themselves they've got right. In the first years of the program, formal specifications and verifications for these building blocks were undertaken and completed in the following systems: EHDM and later in PVS at SRI [55, 50, 59]; Nqthm, the Boyer-Moore prover, at CLI [1, 2, 45, 44, 68]; and Clio and the Penelope Ada verification system at ORA [61, 4, 63, 30, 62]. Concurrently we gained experience at Langley using a number of the prover systems including EHDM, Nqthm, and HOL. During that time we were primarily occupied with the design and verification (in EHDM) of a ....

William D. Young. Verifying the interactive convergence clock synchronization algorithm using the boyer-moore theorem prover. NASA Contractor Report 189649, April 1992.


A Formally Verified Algorithm for Clock Synchronization Under a.. - Rushby (1994)   (4 citations)

....of the extensive arithmetic reasoning that is required. Only systems with integrated decision procedures for real and integer arithmetic stand any chance of completing the proof at reasonable cost. The full proof has over 200 mechanically checked lemmas. It has been repeated just once: by Young [22], using the Boyer-Moore prover. .... surements of a hardware implementation of the interactive convergence algorithm, that the observed worst-case skew is significantly better than that predicted by the standard Constraint C6 [13]. They showed that observation and theory could be brought into much ....

William D. Young. Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover. NASA Contractor Report 189649, NASA Langley Research Center, Hampton, VA, April 1992. (Work performed by Computational Logic Incorporated).


ACL2: An Industrial Strength Version of Nqthm - Kaufmann, Moore (1996)   (30 citations)

....in this document are those of the author(s) and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., the Defense Advanced Research Projects Agency, the Office of Naval Research, or the U.S. Government. .... earlier systems [3, 4, 5, 8, 10, 11, 13, 14, 15, 18, 19, 20, 29, 31, 32, 35, 36, 37, 38, 41, 42, 43] supports the claim that such a logic is sufficiently expressive to permit one to address deep mathematical problems and realistic verification projects. The fact that the Nqthm logic is executable is also an important asset when using it to model hardware and software systems: the models can be ....

W.D. Young. Verifying the Interactive Convergence Clock Synchronization Algorithm using the Boyer-Moore Theorem Prover. Contractor Report 189649, NASA, April 1992. Also available as Technical Report 77, Computational Logic, Inc., Suite 290, 1717 West Sixth Street, Austin, TX 78703. URL http://www.cli.com/.


Formal Verification of an Oral Messages Algorithm for Interactive .. - Rushby (1992)   (8 citations)

....Bill Young's comparison of Z and Gypsy [24] and the 12-way comparison reported by Jeannette Wing [23] are concerned solely with specification. Rather more interesting are David Basin and Matt Kaufmann's comparison of two verifications of the finite Ramsey theorem [1] and Bill Young's duplication [25] of our verification [15, 16] of a clock synchronization algorithm [8]. One reason for the paucity of comparisons using substantial or difficult examples is that only a handful of verification systems are capable of undertaking such examples, and the developers and users of those systems are fully ....

William D. Young. Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover. Internal Note 199, Computational Logic Incorporated, Austin, TX, January 1991.


The Role of Automated Reasoning in Integrated System.. - Good, Kaufmann, Moore (1992)   (1 citation)

....our problems. We have also been on the receiving end of such scientific exchanges. For example, Bill Young of CLI has taken the EHDM proof of the interactive convergence clock synchronization algorithm by Rushby and von Henke [22] and converted it to a successfully processed Nqthm proof script [23]. This script contains 200 definitions and theorems (not counting those in our standard rational arithmetic library) and represents another significant example of data exchange. 3. Exchanging Code 3. Methods for promoting the interchangeability of component parts of automated reasoning tools. ....

W.D. Young, "Verifying the Interactive Convergence Clock Synchronization Algorithm Using the Boyer-Moore Theorem Prover ", Internal Note 199, Computational Logic, Inc., 1717 W. Sixth Street, Suite 290, Austin, TX 78703, January 1991.


NASA Langley's Research and Technology-Transfer.. - Butler.. (1998)   (8 citations)

....at NASA Langley [83]. The design of a digital circuit to distribute clock values in support of fault tolerant synchronization was completed by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [140]. NASA Langley researchers designed and implemented a fault tolerant clock synchronization circuit capable of recovery from transient faults [85, 84, 83]. The top level specification for the design is the Ehdm verification of Schneider's paradigm. The circuit was implemented with programmable ....

Young, William D.: Verifying the Interactive Convergence Clock Synchronization Algorithm Using the Boyer-Moore Theorem Prover. NASA Contractor Report 189649, Apr. 1992.


Formal Verification of the Interactive Convergence Clock.. - Rushby, von Henke (1991)   (11 citations)

....version of this report. Two of the three improvements in the substance of the verification incorporated in this revised edition of the report were suggested by Bill Young of Computational Logic Inc. who has repeated our verification using an extended version of the Boyer-Moore theorem prover [30]. David Fura of Boeing High Technology Center pointed out obscurities and opportunities for misinterpretation in the explanation of clock corrections given in the first edition, and suggested several improvements in the exposition that have been incorporated in this revised edition. Chapter 2 ....

....to avoid this sort of difficulty is part of the lore of mechanical theorem proving. We first heard it articulated by our colleague Shankar, but its application to this particular specification derives from Bill Young's re-verification of the Algorithm using the Boyer-Moore theorem prover [30]. 4.2.3 Proof Modules: As noted, the proof of Theorem 2 (the Interactive Convergence Clock Synchronization Algorithm maintains the clock synchronization condition S2) is provided directly in the module algorithm. The proof of Theorem 1 (the Algorithm maintains clock synchronization condition S1) ....

[Article contains additional citation context not shown here]

William D. Young. Verifying the Interactive Convergence clock-synchronization algorithm using the Boyer-Moore prover. Internal Note 199, Computational Logic Incorporated, Austin, TX, January 1991.


NASA Langley's Research and Technology-Transfer Program in.. - Ricky Butler (1995)   (8 citations)

....at NASA Langley [73]. The design of a digital circuit to distribute clock values in support of fault tolerant synchronization was completed by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [122]. NASA Langley researchers designed and implemented a fault tolerant clock synchronization circuit capable of recovery from transient faults [75, 74, 73]. The top level specification for the design is the Ehdm verification of Schneider's paradigm. The circuit was implemented with programmable ....

Young, William D.: Verifying the Interactive Convergence Clock Synchronization Algorithm Using the Boyer-Moore Theorem Prover. NASA Contractor Report 189649, Apr. 1992.


Checking Verifications of Protocols and Distributed Systems .. - Groote, Monin, Pol (1998)   (8 citations)

.... biphase mark protocol, similar to the protocol in [12], was proved by Moore in [62]. As an interesting benchmark problem for specification and verification, the interactive convergence clock synchronization algorithm [51] has been mechanically checked respectively with the Boyer-Moore prover in [82] and with PVS in [73]. Also, several versions of the oral messages algorithm [52] have been proved correct in [84] with the new version ACL2 [46] of Nqthm and with PVS in [76, 72, 55]. Nqthm is also used by [65]. Since several years, numerous protocols have been checked in the field of security ....

W.D. Young. Verifying the interactive convergence clock synchronization algorithm using the Boyer-Moore theorem prover. Contractor Report 189649, NASA, 1992.


NASA Langley's Research and Technology-Transfer.. - Butler, Caldwell, .. (1995)   (8 citations)

....at NASA Langley [44]. The design of a digital circuit to distribute clock values in support of fault tolerant synchronization was completed by SRI and was partially verified. CLI reproduced the SRI verification of the interactive convergence algorithm using the Boyer-Moore theorem prover [45]. NASA Langley researchers designed and implemented a fault tolerant clock synchronization circuit capable of recovery from transient faults [46, 47, 44]. The top level specification for the design is the Ehdm .... The bounded delay assumption was shown to follow from the other assumptions of the ....

William D. Young, "Verifying the interactive convergence clock synchronization algorithm using the boyer-moore theorem prover", NASA CR-189649, Apr. 1992.


Comparing Verification Systems: Interactive Consistency in ACL2 - Young (1997)   (12 citations)   Self-citation (Young)

....example. Traditional notation requires considerably more effort to parse. Some recent research[6] suggests that so called standard mathematical notations in fact may be quite difficult to understand except to the expert, exactly because of such complex ancillary rules. For example, we noted in [21] that the published proof of the Interactive Convergence Clock Synchronization algorithm in EHDM[18] is unnecessarily confusing in places because the expected precedence was not observed in generating traditional notation from the EHDM internal form. In our translation of the OMBG version of the ....

....PVS specification which make essential use of the higher order aspects of the language and could not be translated into a first order context; however, these seem to be rare. We have found in translating several specifications (e.g. the Interactive Convergence Clock Synchronization Algorithm[21] and the current effort) from a higher order framework to a first order framework that we have not had any difficulty. This suggests that the higher orderness of these specification is primarily a notational convenience. Most lambda terms can be translated directly into recursive functions, ....

W.D. Young. Verifying the interactive convergence clock synchronization algorithm using the Boyer-Moore theorem prover. Contractor Report 189649, NASA, April 1992.


Formal Methods and the Certification of Critical Systems - Rushby (1993)   (50 citations)

No context found.

William D. Young. Verifying the Interactive Convergence clocksynchronization algorithm using the Boyer-Moore prover. NASA Contractor Report 189649, NASA Langley Research Center, Hampton, VA, April 1992. (Work performed by Computational Logic Incorporated)


CiteSeer.IST - Copyright Penn State and NEC