L. Lamport and F. B. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, 1989.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....noted earlier, for the example shown in Figure 1.1, 1;4 (S) is the interval between the dashed lines shown in Figure 1.2. When the interval corresponding to the sensor S(4) shifts a little to the left, 1;4 (S) jumps to the interval shown in Figure 1. 4 as soon as S(4) overlaps S(3) Lamport [Lam87] noted this undesirable property and suggested that a good fusion function should satisfy a Lipschitz Condition, meaning that small changes in the readings of individual sensors should change the fusion interval by a correspondingly small amount. Lamport considered some plausible modifications ....

Leslie Lamport. Synchronizing time servers. Technical Report 18, DEC Systems Research Center, Palo Alto, CA, June 1987.

....trade o must be negotiated between 3 In logic, sorts and types are di erent notions. However, we will follow computer science terminology in which the distinction is blurred and the single term type is generally used. 4 Not everyone favors the restrictions of a typed logic (see Lamport [17], for example) For the most part, the objections are to the excessively strict type rules that are required for deterministic typechecking. Later on we will describe ways of relaxing these rules. 6 the convenience and expressiveness of the speci cation language, and the automation and ....

....of a speci cation environment equipped with a powerful theorem prover. Additional bene ts that derive from the decision to use theorem proving in typechecking include a straightforward treatment of dependent and quotient types, and the ability to address the objections of those, such as Lamport [17], who nd strict typechecking irksome. A user who knows that, for possibly deep reasons, the expression e should have type t can simply write e : t and the system will generate the necessary type correctness theorem for the user to prove. Thus, sophisticated type determinations can be controlled ....

Leslie Lamport. The temporal logic of actions. Technical Report 57, DEC Systems Research Center, Palo Alto, CA, April

....of a component, r 0 r 1 : r n c l 0 l 1 : l m , may be considered indivisible for proof of termination of a concurrent program if each r i is a right mover, l j a left mover and c is unconstrained. This result has been extended to proofs of more general properties by Lamport and Schneider [2], Misra [4] and, more recently, by Cohen and Lamport [1] In section 2, we introduce a programming notation for concurrent objectoriented programming, called Seuss. Brie y, a seuss program consists of boxes; a box is similar to an object instance. A box has local variables whose values de ne the ....

L. Lamport and Fred B. Schneider. Pretending atomicity. Technical Report 44, DEC Systems Research Center, May 1989.

....for execution of operations requested by clients. It does this by assigning a sequence number to each request. But the primary may be faulty. Therefore, the backups trigger view changes when it appears that the primary has failed to select a new primary. Viewstamped Replication [23] and Paxos [18] use a similar approach to tolerate benign faults. To tolerate Byzantine faults, every step taken by a node in our system is based on obtaining a certificate. A certificate is a set of messages certifying some statement is correct and coming from different replicas. An example of a statement is: ....

....completes. These view changes are inexpensive because a primary multicasts a view change message just before its recovery starts and this causes the other replicas to move to the next view immediately. 7 Related Work Most previous work on replication techniques assumed benign faults, e.g. [17, 23, 18, 19] or a synchronous system model, e.g. 28] Earlier Byzantine fault tolerant systems [26, 16, 20] including the algorithm we described in [6] could guarantee safety only if fewer than 1 3 of the replicas were faulty during the lifetime of the system. This guarantee is too weak for long lived ....

L. Lamport. The Part-Time Parliament. Technical Report 49, DEC Systems Research Center, 1989.

....real time properties that are unconditional liveness properties; that is, all the liveness they stipulate is subsumed by the divergence of time. Bounded response is the standard example of a real time property that is unconditionally live and becomes safe under strong enough timing assumptions [LA90, HMP91, Lam91, Sch91]. Let p; q 2 Sigma and let ffi be a nonnegative real. The bounded response property Pi ffi p7 q contains a timed state sequence (oe; iff for all i 0, whenever oe i = p, then oe j = q and d( i ; j ) ffi for some j i; that is, every p state is followed by a q state within time ffi . Since ....

Leslie Lamport. The temporal logic of actions. Technical report, DEC Systems Research Center, February 1991.

.... Lynch and Vaandrager have developed a very general notion of a timed automaton, and they describe a wide variety of simulation based techniques for this model [LV91, LVarb] Abadi and Lamport [AL92] demonstrate how timing properties can be expressed using Lamport s Temporal Logic of Actions (TLA) Lam91] and thus, the methods developed for TLA, including simulations, can be immediately applied. Their use of simulations, however, is more restricted, and they did not address how timing properties, specifically, can be approached systematically. Many others, including Haase [Haa81] Tel [Tel88] ....

Leslie Lamport. The temporal logic of actions. Research Report 79, DEC Systems Research Center, December 1991.

.... Phi one may find sequences of values for the abstract variables a such that Psi is fulfilled. The high expressiveness of this refinement construct is due to the existential quantification over behavior. As in the case of UNITY, lacking structuring facilities were added subsequently (see [Lam94b] The Calculus of Communicating Systems, or CCS for short, was introduced by Robin Milner in [Mil80] and slightly revised in [Mil89] In CCS, specifications are given as algebraic expressions. For example, a:E denotes a process that takes part in an action a and thereafter behaves like process ....

Leslie Lamport. TLA+. Technical Report (preliminary), DEC Systems Research Center, August 1994.

....on the input value of one of the processors. Consensus breaks symmetry by requiring one processor to choose its input value, and the rest to discard theirs. Consensus requires a linear number of rounds to solve [FL82] but it can be used to solve almost any other nontrivial problem [Lam78, Lam89, Sch87, Her91b] so solving these nontrivial problems never takes longer than consensus. We want to know exactly how quickly these nontrivial problems can be solved. Solving a nontrivial problem requires causing two processors to perform different actions. Speaking informally, if processors ....

....state is linearizable to a sequential history in which the operations in the history are invoked sequentially on a copy of the object initialized to the value v. This assumption is valid, for example, for all concurrent objects implemented using the technique of state machine replication [Lam78, Lam89, Sch87] which is the technique most commonly used in message passing models like ours. 5.1 Lower bounds Our lower bound on order equivalence can be used to prove lower bounds for a number of concurrent objects. For example, an ordered set S is an object whose value is some subset of a totally ....

Leslie Lamport. The part-time parliament. Technical Report 49, DEC Systems Research Center, September 1989.

....on the register at different times do not interfere with each other. Of course, there are many ways to implement an increment register. In fact, there are general purpose techniques for constructing a wait free implementation of any concurrent object. They are based on atomic broadcast [Lam78, Lam89, Sch87] and consensus [Her91b] so they yield implementations requiring O(n) rounds where n is the number of processes. On the other hand, it is well known that type specific techniques often yield more efficient implementations than general purpose techniques [Her86] but our implementation ....

Leslie Lamport. The part-time parliament. Technical Report 49, DEC Systems Research Center, September 1989.

....a view one replica is the primary and the others are backups. Views are numbered consecutively. The primary of a view is replica p such that p = v mod jRj, where v is the view number. View changes are carried out when it appears that the primary has failed. Viewstamped Replication [21] and Paxos [15] used a similar approach to tolerate benign faults. The algorithm works roughly as follows: 1. A client sends a request to invoke a service operation to the primary 2. The primary multicasts the request to the backups 3. Replicas execute the request and send a reply to the client 4. The ....

....number n with the highest view number in V . In the second case, it creates a new preprepare message hPRE PREPARE; v 1; n; d null i oe p , where d null is the digest of a special null request; a null request goes through the protocol like other requests, but its execution is a no op. Paxos [15] used a similar technique to fill in gaps. Next the primary appends the messages in O to its log. If min s is greater than the sequence number of its latest stable checkpoint, the primary also inserts the proof of stability for the checkpoint with sequence number min s in its log, and discards ....

[Article contains additional citation context not shown here]

L. Lamport. The Part-Time Parliament. Technical Report 49, DEC Systems Research Center, 1989. 11

....reason about time in a qualitative fashion. A quantitative notion of time can be introduced by allowing the specification of time bounds with the eventuality and invariance quantifiers [36, 35, 34, 3] Another approach is to introduce a mechanism to access the value of a real time clock; in [37, 1] it is read from a state variable; in [31, 32, 21] it is denoted by a predicates; and in [5, 6] it is bound by a new quantifier called freeze. Finite state automata have been used extensively in the specification and analysis of reactive systems. Several attempts have been made to extend their ....

Leslie Lamport. The Temporal Logics of Actions. Technical report, DEC Systems Research Center, Palo Alto, California, 1991.

.... The examples found in the appendix illustrate some of the possibilities of engineering modular proofs in incremental steps: proof engineering is closely related to software engineering NAP features could be used, for instance, to structure proofs in accordance with Lamport s suggestions; see [49]. See [48] for a detailed step wise proof construction and hierarchical refinement. Criteria for a convincing proof are: ffl it is simple i.e. the proof follows an understandable thread, and is modular the collated comments constitute an acceptable informal proof ffl it is completed ....

Lamport, L., How to Write a Proof, Technical Report 94, DEC Systems Research Center, Cambridge, Massachusetts, February 1993.

....views. In a view one replica is the primary and the others are backups. Views are numbered consecutively. The primary of a view is replica such that mod , where is the view number. View changes are carried out when it appears that the primary has failed. Viewstamped Replication [26] and Paxos [18] used a similar approach to tolerate benign faults (as discussed in Section 8. The algorithm works roughly as follows: 1. A client sends a request to invoke a service operation to the primary 2. The primary multicasts the request to the backups 3. Replicas execute the request and send a reply ....

....in the pre prepare message for sequence number with the highest view number in . In the second case, it creates a new preprepare message PRE PREPARE 1 , where is the digest of a special null request; a null request goes through the protocol like other requests, but its execution is a no op. Paxos [18] used a similar technique to fill in gaps. Next the primary appends the messages in to its log. If min s is greater than the sequence number of its latest stable checkpoint, the primary also inserts the proof of stability for the checkpoint with sequence number min s in its log, and discards ....

[Article contains additional citation context not shown here]

L. Lamport. The Part-Time Parliament. Technical Report 49, DEC Systems Research Center, 1989.

....this section we set out our formal language and use it to describe two simple systems. Then we give the axioms and rules of our logic. 3. 1 Formation Rules To describe the operation of the system under consideration (viz, Sigma) we use a variant of Lamport s Raw Temporal Logic of Actions (RTLA) [21]. 5 The primary difference is that we add a modal operator Pr i ( that allows us to specify and reason about the probabilistic behavior of the system. From the previous section, we assume the following basic sets of symbols, all nonempty: C, I, O, and IR . Members of IR will have the usual ....

....from O. Note that, implicitly, inputs are from the covert senders and receivers into the system ( Sigma) and outputs are from the system to the 5 Roughly speaking, Raw Temporal Logic of Actions (RTLA) is the same as Lamport s Temporal Logic of Actions (TLA) without the treatment of stuttering [21]. Since we are not, in this paper, concerned with refinement, we omit the considerations of stuttering and use RTLA. 14 covert senders and receivers. This is because Sigma is the system under consideration (i.e. with respect to which we are reasoning about security) We have no mechanism (and ....

Leslie Lamport. The temporal logic of actions. Technical Report 79, DEC Systems Research Center, Palo Alto, CA, December 1991.

....this section we set out our formal language and use it to describe two simple systems. Then we give the axioms and rules of our logic. 3. 1 Formation Rules To describe the operation of the system under consideration (viz, Sigma) we use a variant of Lamport s Raw Temporal Logic of Actions (RTLA) [24]. 4 The primary difference is that we 4 Roughly speaking, Raw Temporal Logic of Actions (RTLA) is the same as Lamport s Temporal Logic of Actions (TLA) without the treatment of stuttering [24] Since we are not, in this paper, concerned with refinement, we omit the considerations of stuttering ....

.... under consideration (viz, Sigma) we use a variant of Lamport s Raw Temporal Logic of Actions (RTLA) 24] 4 The primary difference is that we 4 Roughly speaking, Raw Temporal Logic of Actions (RTLA) is the same as Lamport s Temporal Logic of Actions (TLA) without the treatment of stuttering [24]. Since we are not, in this paper, concerned with refinement, we omit the considerations of stuttering and use RTLA. 14 add a modal operator Pr i ( that allows us to specify and reason about the probabilistic behavior of the system. From the previous section, we assume the following basic ....

Leslie Lamport. The temporal logic of actions. Technical Report 79, DEC Systems Research Center, Palo Alto, CA, December 1991.

No context found.

Leslie Lamport. The temporal logic of actions. Technical Report 79, DEC Systems Research Center, December 1991.

....development of real world systems. Users must be able to express the properties of the systems about which they wish to reason as naturally as possible and to confirm mechanically that the specifications, designs, testing criteria and sample executions have the required properties. Temporal logics [2, 19, 21, 32] are well suited for specifying temporal properties of concurrent systems. Experience has shown, however, that specifications of even moderate sized systems are too complex to be readily understood. This complexity stems chiefly from the need to establish the temporal context within which ....

L. Lamport. A temporal logic of actions. Tech. Rep. 57, DEC Systems Research Center, Palo Alto, CA, Apr. 1990. 35

No context found.

L. Lamport and F. B. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, 1989.

No context found.

L. Lamport and F. B. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, May 1989.

No context found.

L. Lamport and F. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, May

No context found.

L. Lamport and F. B. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, 1989.

No context found.

L. Lamport and F. Schneider. Pretending atomicity. Research Report 44, DEC Systems Research Center, 1989.

No context found.

L. Lamport. The temporal logic of actions. Tech. Report 79, DEC Systems Research Center, Palo Alto, Calif., USA, 1991.

No context found.

Leslie Lamport. The temporal logic of actions. Research Report 79, DEC Systems Research Center, Palo Alto, CA, 1991.

No context found.

Leslie Lamport. The Part-Time Parliament. Technical Report 49, DEC Systems Research Center, 1989.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC