Showing papers in "Formal Aspects of Computing in 1990"
TL;DR: This work presents a logic for stating properties such as, “after a request for service there is at least a 98% probability that the service will be carried out within 2 seconds” and gives algorithms for checking that a given Markov chain satisfies a formula in the logic.
Abstract: We present a logic for stating properties such as, "after a request for service there is at least a 98\045 probability that the service will be carried out within 2 seconds". The logic extends the temporal logic CTL by Emerson, Clarke and Sistla with time and probabil- ities. Formulas are interpreted over discrete time Markov chains. We give algorithms for checking that a given Markov chain satis- fies a formula in the logic. The algorithms require a polynomial number of arithmetic operations, in size of both the formula and\003This research report is a revised and extended version of a paper that has appeared under the title "A Framework for Reasoning about Time and Reliability" in the Proceeding of the 10thIEEE Real-time Systems Symposium, Santa Monica CA, December 1989. This work was partially supported by the Swedish Board for Technical Development (STU) as part of Esprit BRA Project SPEC, and by the Swedish Telecommunication Administration.1the Markov chain. A simple example is included to illustrate the algorithms.
1,441 citations
TL;DR: The approach to fault-tolerant programming is illustrated by considering the problem of designing a protocol that guarantees reliable communication from a sender to a receiver in spite of faults in the communication channel between them.
Abstract: It has been usual to consider that the steps of program refinement start with a program specification and end with the production of the text of an executable program. But for fault-tolerance, the program must be capable of taking account of the failure modes of the particular architecture on which it is to be executed. In this paper we shall describe how a program constructed for a fault-free system can be transformed into a fault-tolerant program for execution on a system which is susceptible to failures. We assume that the interference by a faulty environment F on the execution of a program P can be described as a fault-transformation F which transforms P into a program F(P) = P + F. A recovery transformation R transforms P into a program R(P) = P[]R by adding a set of recovery actions R, called a recovery program. If the system is fail stop and faults do not affect recovery actions, we have F(R(P)) = F(P)[]R = (P + F)[]R We illustrate this approach to fault-tolerant programming by considering the problem of designing a protocol that guarantees reliable communication from a sender to a receiver in spite of faults in the communication channel between them.
83 citations
TL;DR: A theory of commands with weakest precondition semantics is formalised using the HOL proof assistant system, and it is shown how the formalisation can be used for proving refinements of actual program texts correct.
Abstract: A theory of commands with weakest precondition semantics is formalised using the HOL proof assistant system. The concept of refinement between commands is formalised, a number of refinement rules are proved and it is shown how the formalisation can be used for proving refinements of actual program texts correct.
58 citations
TL;DR: It is argued that partial order semantics can be used profitably in the proofs of some nontrivial results in Petri net theory.
Abstract: This paper argues that partial order semantics can be used profitably in the proofs of some nontrivial results in Petri net theory. We show that most of Commoner's and Hack's structure theory of free choice nets can be phrased and proved in terms of partial order behaviour. The new proofs are considerably shorter (and, arguably, more lucid) than the old ones; they also generalise the results from (safe) free choice nets to (bounded) extended free choice nets.
49 citations
TL;DR: The ability of this model to solve the Halting problem for Turing machines is demonstrated, and it is proved that this model is capable of performing calculations beyond the capability of the standard Turing machine model.
Abstract: We describe a novel machine model of computation, and prove that this model is capable of performing calculations beyond the capability of the standard Turing machine model. In particular, we demonstrate the ability of our model to solve the Halting problem for Turing machines. We discuss the issues involved in implementing the model as a physical device, and offer some tentative suggestions.
47 citations
TL;DR: This work extends the well-known strategy of program transformation to model transformation, adding to previous work on a transformational style for operation-decomposition in META-IV, which is also useful for improving model-oriented specifications.
Abstract: This paper presents a transformational approach to the derivation of implementations from model-oriented specifications of abstract data types.
33 citations
TL;DR: A theoretical relationship between the computation models of these two formalisms is presented; an algorithm for systematically translating a predicate transition nets into a corresponding temporal logic system is outlined; and a special temporal refutation proof technique is proposed and illustrated in verifying various concurrent properties of the predicate transition net specification of the five dining philosophers problem.
Abstract: This paper presents some results of integrating predicate transition nets with first order temporal logic in the specification and verification of concurrent systems. The intention of this research is to use predicate transition nets as a specification method and to use first order temporal logic as a verification method so that their strengths — the easy comprehension of predicate transition nets and the reasoning power of first order temporal logic can be combined. In this paper, a theoretical relationship between the computation models of these two formalisms is presented; an algorithm for systematically translating a predicate transition net into a corresponding temporal logic system is outlined; and a special temporal refutation proof technique is proposed and illustrated in verifying various concurrent properties of the predicate transition net specification of the five dining philosophers problem.
27 citations
TL;DR: It follows from the results that the traditionally accepted atomicity criterion, which allows each action to have at most one occurrence of a shared variable, can be relaxed, allowing programs to have more powerful actions.
Abstract: Most proof methods for reasoning about concurrent programs are based upon the interleaving semantics of concurrent computation: a concurrent program is executed in a stepwise fashion, with only one enabled action being executed at each step. Interleaving semantics, in effect, requires that a concurrent program be executed as a nondeterministic sequential program. This is clearly an abstraction of the way in which concurrent programs are actually executed. To ensure that this is a reasonable abstraction, interleaving semantics should only be used to reason about programs with simple actions; we call such programs atomic. In this paper, we formally characterize the class of atomic programs. We adopt the criterion that a program is atomic if it can be implemented in a wait-free, serializable manner by a primitive program. A program is primitive if each of its actions has at most one occurrence of a shared bit, and each shared bit is read by at most one process and written by at most one process. It follows from our results that the traditionally accepted atomicity criterion, which allows each action to have at most one occurrence of a shared variable, can be relaxed, allowing programs to have more powerful actions. For example, according to our criterion, an action can read any finite number of shared variables, provided it writes no shared variable.
21 citations
TL;DR: This paper shows that a nondeter-ministic process can be characterised by a “description” consisting of a pair of functions, a generalisation of least fixpoint.
Abstract: A deterministic message-communicating process can be characterised by a “continuous” functionf which describes the relationship between the inputs and the outputs of the process. The operational behaviour of a network of deterministic processes can be deduced from the least fixpoint of a functiong, whereg is obtained from the functions that characterise the component processes of the network. We show in this paper that a nondeter-ministic process can be characterised by a “description” consisting of a pair of functions. The behaviour of a network consisting of such processes can be obtained from the “smooth” solutions of the descriptions characterising its component processes. The notion of smooth solution is a generalisation of least fixpoint. Descriptions enjoy the crucial property that a variable may be replaced by its definition.
13 citations
TL;DR: Closures chains are introduced, which are special rule closures constructed by means of particular substitution operations and operators, as a suitable formalism for progress in this direction.
Abstract: This article introduces a generalisation of the crossed rule approach to the detection of Knuth-Bendix completion procedure divergence. It introduces closure chains, which are special rule closures constructed by means of particular substitution operations and operators, as a suitable formalism for progress in this direction. Supporting substitution algebra is developed first, followed by considerations concerning rule closures in general, concluding with an investigation of closure chain properties. Issues concerning the narrowing process are not discussed here.
12 citations
TL;DR: The development of a formal derivation of a rather ingenious algorithm, viz., the fast pattern matching algorithm of Boyer and Moore, illustrates that transformational programming combined with assertional reasoning provides an appropriate approach for developing and understanding highly optimised algorithms.
Abstract: Highly optimised algorithms are, in general, hard to understand. This is a consequence of the designer's sacrifice of clarity and modularity in favour of efficiency. In this paper we present a formal derivation of a rather ingenious algorithm, viz., the fast pattern matching algorithm of Boyer and Moore. The development illustrates that transformational programming combined with assertional reasoning provides an appropriate approach for developing and understanding highly optimised algorithms.
TL;DR: A meta-linear operatorL is proposed and compared with the “in all trajectories” operator considered in the language CTL*.
Abstract: A brief overview is given of the temporal logics used in concurrent program verification and in database and systems specification. The properties of the underlying modal frame structures are analysed. The relative advantages of the linear and branching approaches are discussed. The state versus path formulas controversy is revisited. A meta-linear operatorL is proposed and compared with the “in all trajectories” operator considered in the language CTL*. The usefulness of the new operator within the context of a layered methodology for database and information systems specification and verification is illustrated. The operator is seen as a “frame change operator” and other interesting operators of this class are referred. Finitary and infinitary axiomatisations are given for the operatorL. The proof of the completeness of the infinitary axiomatisation is briefly outlined. This proof requires an appropriate extension of the usual Henkin methods.
TL;DR: The main result is an algebraic version of the rule of computational induction ofijkstra's language of guarded commands, where certain parts of the programs are restricted to finite nondeterminacy.
Abstract: Dijkstra's language of guarded commands is extended with recursion and transformed into algebra. The semantics is expressed in terms of weakest preconditions and weakest liberal preconditions. Extreme fixed points are used to deal with recursion. Unbounded nondeterminacy is allowed. The algebraic setting enables us to develop efficient transformation rules for recursive procedures. The main result is an algebraic version of the rule of computational induction. In this version, certain parts of the programs are restricted to finite nondeterminacy. It is shown that without this restriction the rule would not be valid. Some applications of the rule are presented. In particular, we prove the correctness of an iterative stack implementation of a class of simple recursive procedures.
TL;DR: Girard's recent system of linear logic is presented in a way that avoids the two-level structure of formulae and sequents, and that minimises the number of primitive function symbols.
Abstract: Girard's recent system of linear logic is presented in a way that avoids the two-level structure of formulae and sequents, and that minimises the number of primitive function symbols. A deduction theorem is proved concerning the classical implication as embedded in linear logic. The Hilbert-style axiomatisation is proved to be equivalent to the sequent formalism. The axiomatisation leads to a complete class of algebraic models. Various models are exhibited. On the meta-level we use Dijkstra's method of explicit equational proofs.
TL;DR: It is shown how deadlock-proneness of a protocol can be formalised as a property of its attribute grammar specification, and the undecidability of deadlock -proneness for arbitrary grammars is proved.
Abstract: A new approach to describing communication protocols is introduced In the style of a formal language, the protocol is considered as the set of all legal sequences of symbols that can be exchanged by the communicating processes Although context free grammars cannot adequately describe such sequences, it is shown that attribute grammars may be used Examples are given which show that common protocol features such as interleaving, windowing and flow control can be described by attribute grammars
TL;DR: It is shown that the informal semantics of multiple inheritance used in existing object-oriented programming languages conforms to, or is consistent with, this model.
Abstract: A categorical semantics of multiple inheritance is presented, in which the inheritance relations between program entities are represented as commutative diagrams in a suitable category, and multiple inheritance is then modelled with colimits of such diagrams. It is shown that the informal semantics of multiple inheritance used in existing object-oriented programming languages conforms to, or is consistent with, this model.
TL;DR: Operation decomposition proof obligations are given for a language with blocks and unrestricted procedure calls with reference parameters and global variables and Aliasing, as arising from reference parameters, and static scoping are dealt with in the Hoare-like proof system by the use of a “syntactic environment”.
Abstract: Operation decomposition proof obligations are given for a language with blocks and unrestricted procedure calls with reference parameters and global variables. Post-conditions of the initial and final states of the computation are used; existing proof rules are for post-conditions which are predicates of the final state only. Aliasing, as arising from reference parameters, and static scoping are dealt with in the Hoare-like proof system by the use of a “syntactic environment”.
TL;DR: A scheme is presented which transforms systolic programs with a two-dimensional structure to one dimension and the scheme is demonstrated with an example in occam: matrix composition/decomposition.
Abstract: A scheme is presented which transforms systolic programs with a two-dimensional structure to one dimension. The elementary steps of the transformation are justified by theorems in the theory of communicating sequential processes and the scheme is demonstrated with an example in occam: matrix composition/decomposition.
TL;DR: This paper examines a discrete model of Hopfield nets which allows a better characterisation of the constants, and identifies methods to remove extraneous energy minima in the discrete version of the system.
Abstract: Hopfield nets are a class of neural networks that are often applied to optimisation problems. The role played by certain constants appearing in the interconnections are crucial to the computations. A bad choice of constant values results in the convergence of the system to states that represent extraneous results. This paper examines a discrete model of the nets which allows a better characterisation of the constants. The formal approach followed in this paper allows the specification of values to the constants that ensure convergence of the system to states that represent results that are not extraneous. Using the Hopfield nets terminology, we have identified methods to remove extraneous energy minima in the discrete version of the system. Since any simulation study of Hopfield nets on real computers must use discretised approximations to analog values, the results are of interest in a practical domain as well.