| M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Prog. Lang. Syst., 17(3):507--534, May 1995. |
....that while some model checkers such as Cæsar/Aldébaran [25] can handle open systems, others such as Spin [33] cannot. The idea that it is possible to reason about open systems using explicit environmental assumptions and established methods for reasoning about closed systems has been suggested in [2]. The paper is organized as follows: Section 1.1 reviews the related literature on architectural notations, compositional verification of concurrent systems, and architecture-driven verification. This is followed in Section 2 by the introduction of the model and the corresponding graphical ....
....is independent of the structural specification. Therefore, the correctness criterion can easily be changed depending on which properties should be preserved, without affecting the structural specification. Compositional verification of concurrent systems has been explored in many articles [45, 37, 41, 15, 38, 1, 2, 12, 29]. In [45], [37], [41] and [38], as well as here, correctness is defined in terms of a behavioral relation. In the remaining references, correctness is defined in terms of properties expressed in a modal logic. [45] uses abstractions of different levels as the basis of decomposition. In [37] a ....
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Program. Lang. Syst., 17(3):507--534, May 1995.
....and finite state. The compositional principle underlying our technique is assume guarantee reasoning, of which there are several variants. We refer the reader to our earlier paper [9] for a detailed discussion; here we only discuss the closely related work of Jones [14] and Abadi and Lamport [1]. Abadi and Lamport consider a composition of components, where each component modifies a separate part of the store. Their system is general enough to model a multithreaded program since a component can model a collection of threads operating on shared state and signaling among components can ....
M. Abadi and L. Lamport. Conjoining specifications. ACM TOPLAS, 17(3):507-- 534, 1995.
....system in PVS provides powerful mechanical support for compositional reasoning (but not model checking). The only timing construct is the precise delay; there are no time bounds on transitions as in TTMs. There is a growing interest in compositional and refinement methods for reactive systems [1, 7, 22, 35, 41, 46, 48]. The field is somewhat less developed in the case of real-time systems, especially in methods that also have tool support. ASTRAL [10] is based on the framework of [11] that uses Petri Nets for system descriptions and a timed temporal logic called TRIO for specifications. ASTRAL provides ....
....bounds can be imposed between actions, but not lower time bounds. A refinement from one timed automaton to another is a time-preserving function similar to the classical notion of a homomorphism between automata. In single-language frameworks (e.g. automata-based COSPAN or the logic-based TLA [1]) both the implementation and specification are expressed in the same formalism (automata or logic). Conformance is proved by demonstrating that each fair trace of the implementation is also a fair trace of the specification. There is a certain elegance and simplicity associated with using a ....
Abadi, M. and L. Lamport. "Conjoining Specifications." ACM Trans. on Programming Languages and Systems, 17(3): 507-534, 1995.
....on the specification of safety properties and do not incorporate liveness properties. In [7] we proposed the concept of fair objects, which combine temporal semantics and object oriented concepts in a complementary fashion. This concept is not new; similar constructs have been proposed earlier [5, 3, 1, 2]. In this paper, we study the effect of object composition on the liveness requirements of the objects being composed. When following an object oriented approach to specifying the behaviour of concurrent systems, we would like to be able to specify the liveness requirements of each object ....
....However, an object must be viewed as an open system which relies on its environment to ensure that its local requirements are satisfied. For this reason, open systems are often specified using an assumption guarantee (also called rely guarantee and assumption commitment) style of specification [9, 14, 15, 1, 16] which asserts that an object guarantees to meet its requirements under the assumption that its environment also meets its requirements. When objects specified using the assumption guarantee style are composed, the resulting composition must be checked to ensure that the assumptions about the ....
M. Abadi and L. Lamport. Conjoining Specifications. ACM Trans. Prog. Lang. Syst., 17(3):507--533, May 1995.
....Since VGI is a very big design, model checking cannot be applied directly. Previously, assume-guarantee methods have been developed for decomposing a refinement verification task into smaller proof obligations that can be discharged automatically with a model checker. In assume-guarantee reasoning [3, 7, 8, 9, 10], the different components of the implementation are verified in isolation by making appropriate assumptions about their environments. The environment assumptions are then discharged separately. In order to keep the sizes of the individual proof obligations within the capacity limits of model ....
M. Abadi and L. Lamport, "Conjoining specifications," ACM Transactions on Programming Languages and Systems, vol. 17, no. 3, pp. 507--534, 1995.
....close to linear temporal logic with the added possibility of talking about other objects. This is achieved by specifying from the local viewpoints of objects in the system, not that of an external observer with a bird's view of the system. There are some similarities to the approaches of TLA (Abadi et al. 1995), a temporal logic of actions to specify concurrent systems, and CTR (Bonner et al. 1996), a concurrent transaction logic in which communication is specifiable. In contrast to TLA and to CTR our models are true concurrent models, whereas TLA is based on a sequential model and CTR also uses an ....
....between specifications. One of their main issues is to reason about composition of assumption-guarantee specifications. Since our approach is purely based on communication, we will face different problems. It is subject to future work to see how we can deal with implementation problems mentioned in (Abadi et al. 1995). The approach of Bonner and Kifer differs from ours in the sense that they specify several concurrent processes which synchronize on a common database. Our approach uses the concept of objects to encapsulate data. Thus, we do not have a central data space on which all processes have to ....
Abadi, M. and Lamport, L. (1995) Conjoining Specifications. ACM Transactions on Programming Languages and Systems, 17(3):507--533, May.
....curity properties, requiring composing middleware configurations respectively associated with these properties. The issue of composing software has formerly been addressed from a theoretical perspective, by examining the composition of software specifications (e.g. see [2, 3, 8]). However, such an approach is known to be at the expense of automation. In this paper, we propose a more pragmatic approach, which consists of a tool that takes as input the configurations of the middleware architectures to be composed and computes all possible valid composite middleware ....
M. Abadi and L. Lamport. Conjoining Specifications. ACM TOPLAS, 17(3):507--534, 1995.
....checkers such as Cæsar/Aldébaran [25] can handle open systems, others such as Spin [33] cannot. The idea that it is possible to reason about open systems using explicit environmental assumptions and established methods for reasoning about closed systems has been suggested in [2]. The paper is organized as follows: Section 1.1 reviews the related literature on architectural notations, compositional verification of concurrent systems, and architecture-driven verification. This is followed in Section 2 by the introduction of the model and the corresponding graphical ....
....is independent of the structural specification. Therefore, the correctness criterion can easily be changed depending on which properties should be preserved, without affecting the structural specification. Compositional verification of concurrent systems has been explored in many articles [45, 37, 41, 15, 38, 1, 2, 12, 29]. In [45], [37], [41] and [38], as well as here, correctness is defined in terms of a behavioral relation. In the remaining references, correctness is defined in terms of properties expressed in a modal logic. [45] uses abstractions of different levels as the basis of decomposition. In [37] a ....
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Program. Lang. Syst., 17(3):507--534, May 1995.
....that senderImp senderSpec or that receiverImp receiverSpec fails. The implementation of the sender and receiver refine their abstract counterparts only in an environment that behaves like the abstract receiver and sender respectively. For such cases, an assume-guarantee proof rule is needed [27, 10, 3, 4]. Our rule differs from the earlier ones in that it uses a different notion of refinement, namely, the stutter-closed one. Proposition 2 (Assume Guarantee). If P1 ∥ Q2 Q1 ∥ Q2 and Q1 ∥ P2 Q1 ∥ Q2, then P1 ∥ P2 Q1 ∥ Q2. module senderImp is external ack : channel[2] of bool ....
M. Abadi and L. Lamport. Conjoining specifications. ACM TOPLAS, 17:507--534, 1995.
....the fairness condition, the presence or absence of a signal is treated in a symmetrical manner, as is the case in synchronous languages. The use of weak fairness constraints ensures that a module can satisfy these constraints without the cooperation of the environment, i.e. the module is receptive [AL95]. The fsts model, the compositionality proofs, the extended linear temporal logic, and the accompanying soundness proofs have all been formally verified using PVS [Ow95]. The PVS verification pointed out a number of gaps in our earlier formalization and led to sharper definitions of the basic ....
M. Abadi and L. Lamport. Conjoining Specifications. TOPLAS, 17(3), pages 507--534, 1995.
....to a set of variables that can be viewed as the system state variables. Properties of the system are also expressed by TLA formulas and therefore in order to show that a given specification satisfies a given property one must prove that the former formula implies the latter. More recently, in [AL 95] Abadi and Lamport show how to specify a system as a conjunction of the specifications of its components. As is the case with ASTRAL, properties of the system as a whole are proved by reasoning about the components. Furthermore, their presentation of conditional implementations where certain ....
Abadi, M., and L. Lamport, "Conjoining Specifications" ACM Transactions on Programming Languages and Systems, Vol. 17, No. 3, pp. 507-534, May 1995.
....and functional languages are probably the richest in that respect. Some languages also support refinement relationships as a basis for incremental specification development and analysis, e.g. data reification [Jon90, Abr96], component composition/decomposition through logical connectors [Spi92, Aba95], state composition/decomposition [Har87, Lev94] or goal abstraction/refinement [Dar96]. Usability. It should be possible for reasonably well-trained people to write high-quality specifications. This soft, higher-level criterion of course depends on all previous ones plus a few more. The language ....
M. Abadi and L. Lamport, "Conjoining Specifications", ACM Transactions on Programming Languages and Systems Vol. 17 No. 3, May 1995, 507-535.
....underlying semantic model. The principles of partial and total refinement were defined in [13], but in a less general setting. Conditional refinement is a straightforward generalization of behavioral refinement, so straightforward that it seems unlikely that this idea is new. For example, what [1] refers to as conditional implementation is closely related. Moreover, the decomposition theorem of [1] seems to allow related refinements with respect to complete systems. Contrary to us, their coexistence proof is formulated with respect to the more abstract specifications. An attempt to tackle ....
....a less general setting. Conditional refinement is a straightforward generalization of behavioral refinement, so straightforward that it seems unlikely that this idea is new. For example, what [1] refers to as conditional implementation is closely related. Moreover, the decomposition theorem of [1] seems to allow related refinements with respect to complete systems. Contrary to us, their coexistence proof is formulated with respect to the more abstract specifications. An attempt to tackle the transition from unbounded to bounded resources in the context of algebraic specifications can be ....
M. Abadi and L. Lamport. Conjoining specifications. Technical Report 118, Digital, SRC, Palo Alto, 1993.
....that while some model checkers such as Cæsar/Aldébaran [24] can handle open systems, others such as Spin [32] cannot. The idea that it is possible to reason about open systems using explicit environmental assumptions and established methods for reasoning about closed systems has been suggested in [2]. The paper is organized as follows: Section 1.1 reviews the related literature on architectural notations, architecture-driven verification, and compositional verification of concurrent systems. This is followed in Section 2 by the introduction of the model and the corresponding graphical ....
....is independent of the structural specification. Therefore, the correctness criterion can easily be changed depending on which properties should be preserved, without affecting the structural specification. Compositional verification of concurrent systems has been explored in many articles [44, 36, 40, 15, 37, 1, 2, 12, 28]. In [44], [36], [40] and [37], as well as here, correctness is defined in terms of a behavioral relation. In the remaining references, correctness is defined in terms of properties expressed in a modal logic. [44] uses abstractions of different levels as the basis of decomposition. In [36] a ....
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Program. Lang. Syst., 17(3):507--534, May 1995.
.... been demonstrated in analysis of a video graphics image processor [HQR98]. The notion of compositional refinement based on observable behaviors is central to many concurrency formalisms such as CCS [Mil80], I/O automata [LT87], TLA [Lam91], but the circular assume-guarantee reasoning [Sta85, GL94, AL95, AH99, McM97] is valid only when the interaction of a module with its environment is non-blocking. While the reactive modules language supports architectural hierarchy, it offers little structure to express the behavior of individual modules. In this paper, we present the language of ....
....task of proving implementation between compound modules into subtasks, it may not always be applicable. In particular, P1 may not implement Q1 for all environments, but only if the environment behaves like P2, and vice versa. For such cases, an assume-guarantee proof rule is needed [Sta85, GL94, AL95, AH99]. The assume-guarantee proof rule for reactive modules asserts that in order to prove that M N [Figure 2: Scoping. Module labels recovered from the figure: "read x, write y, local z"; "m : N"; "n : N"; "read/write z, local u"] ....
M. Abadi and L. Lamport. Conjoining specifications. ACM TOPLAS, 17:507--534, 1995.
....users of these two modules. Note that while some model checkers [15] can handle open systems, others [19] cannot. The idea that it is possible to reason about open systems using explicit environmental assumptions and established methods for reasoning about closed systems has been suggested in [1]. Numerous techniques have been proposed for architectural descriptions. Examples include specification languages which support a box-and-line type block diagram notation [29, 28], architectural description languages [16, 30, 22], and other formal notations such as those used in [27], [18] and ....
....relative to a system which can be enclosed in those contexts. Grumberg and Long [17] describe another compositional verification method for temporal model checking. The distinguishing feature of this method is that it requires environmental assumptions expressed in an assume guarantee style [1] to be explicitly specified in order to reason about an open system. To prove that a component (subsystem) enclosed in a particular context (the environment) satisfies a given property, first the context is abstracted in a way independent of the property to be proved. Then the property is verified ....
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Program. Lang. Syst., 17(3):507--534, May 1995.
....leave the set defined by DQ, the module P will not leave the set defined by DP; the third premise is symmetrical. As the implications DP and DQ hold, the three premises lead to the conclusion. The rule is in fact closely related to inductive forms of assume-guarantee reasoning [Sta85, AL95, AH96, McM97]. The use of the stronger predicates DP and DQ in the second and third premises of the rule (3) potentially enables the erasure of more variables compared to the earlier rule (2). However, in rule (3) this erasure can take place only on one side of the parallel composition operator ....
Martín Abadi and Leslie Lamport. Conjoining specifications. ACM Trans. Prog. Lang. Sys., 17(3):507--534, 1995.
....in order to make sure that the operation preserves all safety properties. Safety properties state that "nothing bad may happen"; therefore the operation of reducing what can happen by a logical "and" cannot invalidate such properties. This subject is discussed formally, e.g. by Abadi and Lamport [AbLa95]. For a property that does not rely on any other property, and does not replace any other property either, we define the meaning of the corresponding sub-subsection to be the same as if this sub-subsection were a self-contained specification of either NAT or REQ in the standard Functional ....
Abadi, M. and Lamport, L. Conjoining specifications. ACM Trans. Prog. Lang. Syst. 17(3), 507--534 (May 1995).
....1. [Footnote 2:] Any list without repetitions can be represented as a totally ordered set, and the other way around. We therefore often apply set operators to such lists without first conducting a conversion. This "one step longer than" semantics is closely related to the semantics of the operator in [AL93]. Note the way ⊨ allows us to represent variables over domains of streams (at the syntactic level) by named stream tuples (at the semantic level). Throughout this paper, for any specification S, we use [[S]] to represent its denotation. Moreover, for any assumption-commitment specification S, ....
.... we refer to [GS95]. Specification Formats: The formats for time-dependent and time-independent specifications are inspired by [BS94]. The format for synchronous specifications is for example related to the approach in [Tuc92]. The "one step longer than" semantics used by us is strongly inspired by [AL93]. [Col94] employs a slightly weaker semantics: the commitment is only required to hold at least as long as the assumption has not been falsified. Assumption-Commitment Rules: A large number of composition rules for assumption-commitment specifications have been published. In the case of ....
M. Abadi and L. Lamport. Conjoining specifications. Technical Report 118, Digital, SRC, Palo Alto, 1993.
.... to trace intersection (or conjunction), variable hiding is trace projection (or existential quantification), and implementation is trace inclusion (or logical implication). Modular (assumption-guarantee) reasoning. Modular verification rules have been presented for a variety of specific notations [2, 9, 15, 16, 17]. We present a simple and powerful rule for receptive live reactive systems. Consider two compatible live reactive systems S1 and S2, an abstraction T1 of S1, and an abstraction T2 of S2. We wish to prove that the parallel composition S1 ∥ S2 implements the abstraction T = T1 ∥ T2. ....
M. Abadi, L. Lamport. Conjoining Specifications. Technical Report 118, DEC-SRC, 1993.
....worked out in [WoD88, St 90, Xu92]. Recently, Jones [Jon96] explores how the rely-guarantee idea can be used in an object-oriented setting. A number of researchers have incorporated the rely-guarantee ideas into existing full temporal-based logics; examples are the works by Abadi and Lamport [AbL95] on TLA, by Collette [Col93] on UNITY, by Moszkowski on ITL [Mos94], and by Jonsson and Tsay [JoT95] on linear-time temporal logic. A related topic of research concerns the abstraction of the semantic model. In this paper, we concentrate on the proof methods, and have used a simple semantics. To ....
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. on Program. Lang. Syst., 17(3):507--534, 1995.
....Garlan et al. [8], [9] also have done important work on identifying and exploiting architectural styles. We build on their work, developing schematic style mappings and schematic refinements involving style-to-style transformations. Composition has been studied recently by Abadi and Lamport [1], [2]. Their results are semantic and applicable to any domain, whereas ours are syntactic and specialized to the domain of software architecture. It is easy to state general criteria for the correctness of horizontal composition of architectures. However, it requires a difficult proof that it is not ....
M. Abadi and L. Lamport, "Conjoining Specifications", Technical Report 118, Digital Systems Research Center, Palo Alto, California, December 1993.
....specifications is highly dependent on the underlying communication paradigm. This has led to a rich flora of specification techniques based on the assumption-commitment format. See [MC81, Jon83, ZdBdR84, BK84, Pnu85, Sta85, Sti88, AL90, Pan90, St 91, XH91, PJ91, AL93, SDW93, Col94a, JT95] for examples. The formulation of verification rules for the composition of assumption-commitment specifications is a non-trivial issue. The main reason is that the component specifications can be mutually dependent, a fact which easily leads to circular reasoning. ....
....[Bro94]. However, in these papers, the techniques for expressing general specifications are more complicated. [SDW93] uses a specification format based on prophecies. [Bro94] employs so-called input choice specifications. The "one step longer than" semantics used by us is strongly inspired by [AL93]. [Col94b] employs a slightly weaker semantics: the commitment is only required to hold at least as long as the assumption has not been falsified. Assumption-Commitment Rules: A large number of composition rules for assumption-commitment specifications have been published. In the case of ....
M. Abadi and L. Lamport. Conjoining specifications. Technical Report 118, Digital, SRC, Palo Alto, 1993.
....specification can be written in a normal form where the assumption is a safety property. A similar result holds for our specifications. However, at least with respect to our specification formalism, it is often an advantage to be able to state liveness constraints also in the assumptions. [AL93] proposes a slightly stronger rule which handles some liveness properties in the assumptions. However, this strengthening seems to be of little practical importance. Our rules for the feedback operators can deal with at least some interesting liveness properties in the assumptions. This is clear ....
M. Abadi and L. Lamport. Conjoining specifications. Technical Report 118, Digital, Palo Alto, 1993.
....We illustrate our methodology using non-trivial examples: a sliding window communication protocol and a hardware circuit implementing the Tomasulo algorithm. Related Work. The use of assume-guarantee proof rules to decompose a refinement check has appeared before in [Sta85, Kur87, Kur94, AL95, AH96, McM97]. The proof rule used in this paper is a generalization of the one in [AH96]. The use of witness modules to deal with the exponential in the specification state space has appeared in various guises and forms in [Lam83, LT87, AL91, AL95, Lyn96, McM97]. Though our work draws ....
.... has appeared before in [Sta85, Kur87, Kur94, AL95, AH96, McM97]. The proof rule used in this paper is a generalization of the one in [AH96]. The use of witness modules to deal with the exponential in the specification state space has appeared in various guises and forms in [Lam83, LT87, AL91, AL95, Lyn96, McM97]. Though our work draws inspiration from [McM97], methodological issues like iterating witness and abstraction modules, generalization to handle fairness, and results of larger case studies have not been presented before. 2 Reactive Modules. A formal definition of reactive modules ....
M. Abadi and L. Lamport. Conjoining Specifications. In ACM Transactions on Programming Languages and Systems, pages 507--534, May 1995.
Abadi, M. and Lamport, L. 1993. Conjoining specifications. Res. Rep. 118, Digital Equipment Corp., Systems Research Center, Palo Alto, Calif.
Martn Abadi and Leslie Lamport, "Conjoining Specifications", ACM Transactions on Programming Languages and Systems, Vol. 17, No. 3, May 1995.
....5.6) then shows that Φ is equivalent to Φ1 ∧ Φ2. Formulas Φ1 and Φ2 are the specifications of the two processes forming Program 1. This example illustrates a general method for decomposing the specification of a multiprocess program as the conjunction of the specifications of its processes [Abadi and Lamport 1993]. The observation that a single behavior can represent an execution of two or more noninteracting programs explains why we represent terminating as well as nonterminating executions by infinite behaviors. Termination of a program means that it has stopped; it does not mean that the entire universe ....
....are open systems. TLA can be used to describe and reason about open as well as closed systems. But closed systems are simpler, and they provide a necessary foundation for the study of open systems. Here, we have developed TLA and applied it to closed systems. Open systems are discussed elsewhere [Abadi and Lamport 1993]. 9.5.4 System Specifications. Most readers would expect a two page Pascal program to be simple and a two page mathematical formula to be too complicated to understand. Yet, since the semantics of TLA is simpler than the semantics of Pascal, a TLA formula should be simpler than a Pascal program of ....
Abadi, M. and Lamport, L. 1993. Conjoining specifications. Res. Rep. 118, Digital Equipment Corp., Systems Research Center, Palo Alto, Calif.
....shows that Φ is equivalent to Φ1 ∧ Φ2. Formulas Φ1 and Φ2 are the specifications of the two processes forming Program 1. This example illustrates a general method for decomposing the specification of a multiprocess program as the conjunction of the specifications of its processes [Abadi and Lamport 1993]. [Running header: ACM Transactions on Programming Languages and Systems, November 1993. The Temporal Logic of Actions.] The observation that a single behavior can represent an execution of two or more noninteracting programs explains why we represent terminating as well as nonterminating ....
....are open systems. TLA can be used to describe and reason about open as well as closed systems. But closed systems are simpler, and they provide a necessary foundation for the study of open systems. Here, we have developed TLA and applied it to closed systems. Open systems are discussed elsewhere [Abadi and Lamport 1993]. 9.5.4 System Specifications. Most readers would expect a two page Pascal program to be simple and a two page mathematical formula to be too complicated to understand. Yet, since the semantics of TLA is simpler than the semantics of Pascal, a TLA formula should be simpler than a Pascal program of ....
Abadi, M. and Lamport, L. 1993. Conjoining specifications. Research Report 118, Digital Equipment Corporation, Systems Research Center.
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Prog. Lang. Syst., 17(3):507--534, May 1995.
Abadi, M., Lamport L., 1995. Conjoining Specifications, ACM Transactions on Programming Languages and Systems 17 (3), 507-534.
Abadi, M., Lamport, L.: Conjoining specifications. ACM ToPLaS 17 (1995) 507--534
M. Abadi, L. Lamport. Conjoining specifications. ACM TOPLAS 17:507--534, 1995.
M. Abadi and L. Lamport, "Conjoining specifications," ACM Transactions on Programming Languages and Systems, vol. 17, no. 3, pp. 507--534, 1995.
M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Prog. Lang. and Sys., 17(3):507--535, May 1995.
Martin Abadi and Leslie Lamport. Conjoining specifications. ACM Toplas, 17(3), May 1995. REFERENCES 39
Online articles have much greater impact More about CiteSeer.IST Add search form to your site Submit documents Feedback
CiteSeer.IST - Copyright Penn State and NEC