Alpern, B. and F.B. Schneider. Verifying Temporal Properties without using Temporal Logic. Technical Report TR 85-723, Department of Computer Science, Cornell University, Dec. 1985.


This paper is cited in the following contexts:
Hierarchical Correctness Proofs for Distributed Algorithms - Tuttle (1987) (229 citations)

....there is no notion of eventuality. We note that safety properties can often be used to prove liveness properties. For example, Owicki and Gries show in [OG76] how well foundedness arguments can be incorporated into Hoare logics to prove termination of programs. Alpern and Schneider go farther in [AS85] and show that the verification of both liveness and safety properties can be reduced to proving what are essentially partial correctness assertions. However, the specification of a liveness condition in terms of partial correctness assertions is often an unintuitive formulation. A more natural ....

Bowen Alpern and Fred B. Schneider. Verifying temporal properties without using temporal logic. Technical Report TR 85-723, Department of Computer Science, Cornell University, December 1985.


A Simple Approach to Specifying Concurrent Systems - Lamport (1988) (96 citations)

....other axiomatic methods have been used to write specifications that do not mention internal states. Aren't these specifications more general than transition axiom specifications? Let us call a specification purely temporal if it does not mention internal states. The work of Alpern and Schneider [3] shows that purely temporal specifications are no more general than transition axiom specifications. They defined a logic that is at least as powerful as most of the logics used for purely temporal specifications and showed that any formula in their logic is equivalent to an assertion about an ....

Bowen Alpern and Fred B. Schneider. Verifying Temporal Properties without using Temporal Logic. Technical Report TR85-723, Department of Computer Science, Cornell University, December 1985.


A Formal Basis for the Specification of Concurrent Systems - Lamport (2000)

....asserting what the possible actions # i are in a behavior of the form (1) In writing specifications, a slightly different form of completion axiom will be used that asserts which actions are performed by which modules. 1.3.3 Completeness of the Method Implicit in the work of Alpern and Schneider [2] is a proof that any system that can be described using a very powerful formal system for writing temporal axioms (much more powerful than the simple temporal logic defined above) can also be described by initial axioms, transition axioms, simple liveness axioms of the form P # Q with P and Q ....

Bowen Alpern and Fred B. Schneider. Verifying Temporal Properties without using Temporal Logic. Technical Report TR85-723, Department of Computer Science, Cornell University, December 1985.


A Temporal Fixpoint Calculus (Extended Abstract) - Vardi

.... a finite state program P , one can combine P with A and then check whether P satisfies by a reachability analysis of the combined program [Va85,VW86] Finally, given a program P one can use A to derive proof obligations that when checked will guarantee the correctness of P with respect to [AS85, AS87, MP87, Va87]. We first show that the automata theoretic paradigm can be extended to TL. This result requires two basic techniques. The first technique is borrowed from the analysis by Streett and Emerson of the calculus [SE84] A least fixpoint formula X: X) resp. a greatest fixpoint formula X: X) ....

Alpern, B., Schneider, F.B.: Verifying temporal properties without using temporal logic. Technical Report TR--85--723, Cornell University, Dec. 1985.


Proving Entailment Between Conceptual State Specifications - Stark (1986) (17 citations)

....M 0 corresponding to 0 , such that M 0 is quasi determinate and 0 is regular with respect to M 0 seems at least as problematic. Perhaps, though, by imposing suitable restrictions on the temporal specification language, a result along these lines could be obtained. Alpern and Schneider [AS85] have obtained similar completeness results in a setup where temporal properties are specified as property recognizers, which are similar to Buchi automata. 8 Summary We have introduced the notion of a conceptual state specification, which is a kind of temporal logic specification in which ....

B. Alpern and F. B. Schneider. Verifying Temporal Properties Without Using Temporal Logic. Technical Report TR 85-723, Cornell University Computer Science Department, December 1985.


Verification of Concurrent Programs: The Automata-Theoretic.. - Vardi (1987) (16 citations)

....program and the finite state specification, the verification problem can be reduced to an automata theoretic problem. Essentially, their method is to get away from temporal logic, since it seems difficult to directly verify properties specified in temporal logic. Alpern and Schneider [AS85,AS87] and Manna and Pnueli [MP87] continued this trend. They describe a proof by reduction method for properties (of arbitrary programs) specified by finite state automata. At the same time, a lot of attention has been given to the development of methods for proving fair termination of ....

....X and rank(i) Let be the length of the sequence X 0 ; X 1 ; We leave it to the reader to verify that and ae satisfies the conditions of the theorem. Note that we have not assigned ranks to programs states, but rather to pairs consisting of a program state and an automaton state as in [AS85]. Alternatively, one can associate a rank predicate with each state of A Phi; Psi in the spirit of [FRG85] This would be practical if A Phi; Psi is finite state. Theorem 4.4 extends the results in [RFG88] In that paper, the method of helpful directions was applied to derive a proof rule for ....

Alpern, B., Schneider, F.B.: Verifying temporal properties without using temporal logic. Technical Report TR--85--723, Cornell University, Dec. 1985. To appear in ACM Trans. on Programming Languages.


Verifying Temporal Properties without Temporal Logic - Schneider, Alpern (1988) (23 citations) Self-citation (Alpern Schneider)

....automata. Thus, u(x) O for every joint state x, so the final disjunct of 04 must be false. AS3 and 04 are therefore equivalent, and each implies 03. Thus, the two techniques yield essentially the same proof obligations when applied to properties that they both can handle. The method in [Alpern Schneider 85] is unsatisfactory for properties specified by non deterministic Buchi automata. To use it to prove that a program rI satisfies such a property if , a deterministic property q)that is contained in if is found. Proof obligations are then extracted from the deterministic Buchi automaton for q) ....

....approach may be easier. An added advantage of our Boolean decomposition approach is that parts of the proof may be reusable since other properties might be constructed from these parts. A final insight into the difference between the approach of [Manna Pnueli 87] and our earlier approach in [Alpern Schneider 85] is obtained by considering clauses of the form N , as was done in section 4.3. The technique in [Alpern Schneider 85] is a restriction to the special case true : M and the technique in [Manna Pnueli 87] treats the other special case, Nfalse. Of these special cases, the second is general; ....

[Article contains additional citation context not shown here]

Alpern, B. and F.B. Schneider. Verifying Temporal Properties without using Temporal Logic. Technical Report TR 85-723, Department of Computer Science, Cornell University, Dec. 1985.


Verifying Temporal Properties without Temporal Logic - Alpern, Schneider (1989) (23 citations) Self-citation (Alpern Schneider)

....in devising suitable proof instruments, although this might be viewed as an asset since the proof instruments can give insight into why a program works. The first Buchi automaton based method for extracting first order proof obligations for temporal properties was proposed by us in [1] and [2]. That work applied to those properties that can be specified using a single deterministic Buchi automaton. Formulated in the terminology of this paper, the method requires the program prover to exhibit an invariant I and a variant function v 9 However, proponents of the model checking approach ....

....negative automata. Thus, u(x) O for every joint state x, so the final disjunct of 04 must be false. AS3 and 04 are therefore equivalent, and each implies 03. Thus, the two techniques yield essentially the same proof obligations when applied to properties that they both can handle. The method in [2] is unsatisfactory for properties specified by nondeterministic Buchi automata. To use it to prove that a program II satisfies such a property , a deterministic property 2 that is contained in is found. Proof obligations are then extracted from the deterministic Buchi automaton for . If a ....

[Article contains additional citation context not shown here]

ALPERN, B., AND SCHNEIDER, F.B. Verifying temporal properties without using temporal logic. Tech. Rep. TR 85-723, Dept. of Computer Science, Cornell Univ., Dec.


Enforceable Security Policies - Schneider (1998) (63 citations) Self-citation (Schneider)

....programming languages[23, 26] To extend PCC for security policies that are specified by arbitrary security automata, a method is needed to extract proof obligations for establishing that a program satisfies the property given by such an automaton. Such a method does exist it is described in [3]. 5 Discussion The utility of a formalism partly depends on the ease with which objects of the formalism can be read and written. Users of the formalism must be able to translate informal requirements into objects of the formalism. With security automata, establishing the correspondence between ....

Alpern, B. and F.B. Schneider. Verifying temporal properties without using temporal logic. ACM Transactions on Programming Languages and Systems 11, 1 (January 1989), 147--167.
