5 research outputs found

    Computation calculus bridging a formalization gap

    We present an algebra that is intended to bridge the gap between programming formalisms that have a high level of abstraction and the operational interpretations these formalisms have been designed to capture. In order to prove a high-level formalism sound for its intended operational interpretation, one needs a mathematical handle on the latter. To this end we design the computation calculus. As an expression mechanism, it is sufficiently transparent to avoid begging the question. As an algebra, it is quite powerful and relatively simple.

    UNITY and Büchi automata

    UNITY is a model for concurrent specifications with a complete logic for proving progress properties of the form "P leads to Q". UNITY is generalized to U-specifications by giving more freedom to specify the steps that are to be taken infinitely often. In particular, these steps can correspond to non-total relations. The generalization keeps the logic sound and complete. The paper exploits the generalization in two ways. Firstly, the logic remains sound when the specification is extended with hypotheses of the form "F leads to G". As the paper shows, this can make the logic incomplete. The generalization is used to show that the logic remains complete if the added hypotheses "F leads to G" satisfy "F unless G". The main result extends the applicability and completeness of UNITY logic to proofs that a given concurrent program satisfies any given formula of LTL (linear temporal logic) without the next-operator, which is omitted because it is sensitive to stuttering. For this purpose the program, written as a UNITY program, is extended with a number of boolean variables. The proof method relies on implementing the LTL formula, i.e., restricting the specification in such a way that only those runs remain that satisfy the formula. This result is a variation of the classical construction of a Büchi automaton for a given LTL formula that accepts precisely those runs that satisfy the formula.

    Specification and analysis of real-time systems in type theory. Case study: the railroad crossing example

    Two important formal approaches stand out for the analysis of reactive and real-time systems: model checking, and deductive analysis based on proof assistants. The first is automatic, but runs into difficulties with systems that involve a very large number of states or that have variable, unbounded parameters. The second can handle arbitrary systems, but requires interaction with the user. This work explores a working methodology that makes it possible to combine the use of a model checker such as Kronos with the proof assistant Coq in the analysis of real-time systems. To that end we formalize timed graphs (timed automata) and the logic TCTL (and CTL) in Coq's calculus of inductive and co-inductive constructions, so as to have specification and analysis languages that are common to both tools. The graphs describe the systems, while the logic is used to specify the timing requirements. An important part of the work is devoted to studying how to reason deductively in Coq about this class of systems (the usefulness of inductive types and the need for co-inductive types), initially assuming a discrete-time model. Special emphasis is placed on the analysis of a case study that is regarded as a benchmark in several works: the control of a railroad level crossing ("the railroad crossing example"). This problem is used to evaluate and validate some of the proposed formalizations.

    A Predicate Transformer for the Progress Property `to-Always'

    The temporal property `to-always' has been proposed for specifying progress properties of concurrent programs. Although the `to-always' properties are a subset of the `leads-to' properties for a given program, `to-always' has more convenient proof rules and in some cases more accurately describes the desired system behavior. In this paper, we give a predicate transformer wta, derive some of its properties, and use it to define `to-always'. Proof rules for `to-always' are derived from the properties of wta. We conclude by briefly describing two application areas, nondeterministic data flow networks and self-stabilizing systems, where `to-always' properties are useful. 1. Introduction. The property most commonly used to specify progress of (formally nonterminating) concurrent programs is `leads-to' (;). Operationally, p ; q means that in every computation of a program, if at some point p holds, then at that point or some later point q will hold. Jutla, Knapp, and Rao [JKR89, Kna90] gav..
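The `leads-to' relation defined operationally in the abstract above, and the `unless' and `ensures' properties the UNITY abstract pairs it with, can be checked mechanically on a finite-state program. The following is an added example, not code from any of the papers listed on this page: it models UNITY's fairness assumption (every statement is executed infinitely often) and computes `leads-to' as the least fixpoint of the weakest-leads-to transformer, the standard finite-state characterization (a state is added when some single statement drives a set of states into the current fixpoint while every statement keeps that set inside itself or the fixpoint, i.e. the set `ensures' the fixpoint). The request/acknowledge handshake program, its four statements and the predicate names are constructed for this example and are not taken from the papers.

```python
"""Finite-state checker for UNITY's `unless`, `ensures` and `leads-to`.

Added example, not from any of the papers listed on this page. A UNITY
program is modelled as a finite set of states plus deterministic, total
statements (state -> state; a statement that does not apply is a skip).
Fairness is UNITY's own: every statement executes infinitely often.
`leads-to` is the least fixpoint   W = q  ∪  ⋃_s E_s(W)
where E_s(W) is the largest set Y such that s moves Y into W and every
statement keeps Y inside Y ∪ W, i.e. "Y ensures W via s".
"""
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

State = Tuple[int, int]          # (req, ack) in the constructed demo below
Stmt = Callable[[State], State]
Pred = Callable[[State], bool]


class Unity:
    def __init__(self, initial: Iterable[State], statements: Dict[str, Stmt]):
        self.statements = statements
        self.states = self._reachable(frozenset(initial))

    def _reachable(self, initial: FrozenSet[State]) -> FrozenSet[State]:
        """Close the initial states under all statements (the finite state space)."""
        seen, todo = set(initial), list(initial)
        while todo:
            x = todo.pop()
            for s in self.statements.values():
                y = s(x)
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
        return frozenset(seen)

    def sat(self, p: Pred) -> FrozenSet[State]:
        return frozenset(x for x in self.states if p(x))

    def unless(self, p: Pred, q: Pred) -> bool:
        """p unless q: from every state in p ∧ ¬q every statement lands in p ∨ q."""
        P, Q = self.sat(p), self.sat(q)
        return all(s(x) in P or s(x) in Q
                   for x in P - Q for s in self.statements.values())

    def ensures(self, p: Pred, q: Pred) -> bool:
        """p ensures q: p unless q, and one statement takes all of p ∧ ¬q into q."""
        P, Q = self.sat(p), self.sat(q)
        return self.unless(p, q) and any(
            all(s(x) in Q for x in P - Q) for s in self.statements.values())

    def _ensures_via(self, s: Stmt, target: FrozenSet[State]) -> FrozenSet[State]:
        """Greatest fixpoint: the largest Y with `Y ensures target` via statement s."""
        y = set(self.states)
        while True:
            shrunk = {x for x in y
                      if s(x) in target
                      and all(t(x) in target or t(x) in y
                              for t in self.statements.values())}
            if shrunk == y:
                return frozenset(y)
            y = shrunk

    def wlt(self, q: Pred) -> FrozenSet[State]:
        """Weakest leads-to: states from which every fair computation reaches q."""
        w = self.sat(q)
        while True:
            grown = w
            for s in self.statements.values():
                grown = grown | self._ensures_via(s, w)
            if grown == w:
                return w
            w = grown

    def leads_to(self, p: Pred, q: Pred) -> bool:
        return self.sat(p) <= self.wlt(q)


# Constructed demo program (an assumption of this example): a request/ack
# handshake in which the client may withdraw a pending request. State = (req, ack).
def request(s):  return (1, 0) if s == (0, 0) else s
def ack(s):      return (1, 1) if s == (1, 0) else s
def release(s):  return (0, 0) if s == (1, 1) else s
def withdraw(s): return (0, 0) if s == (1, 0) else s

HANDSHAKE = Unity(initial=[(0, 0)],
                  statements={"request": request, "ack": ack,
                              "release": release, "withdraw": withdraw})

REQ: Pred = lambda s: s[0] == 1
ACK: Pred = lambda s: s[1] == 1
PENDING: Pred = lambda s: REQ(s) and not ACK(s)
SETTLED: Pred = lambda s: ACK(s) or not REQ(s)   # acknowledged or withdrawn

if __name__ == "__main__":
    print("pending unless ack      :", HANDSHAKE.unless(PENDING, ACK))        # False
    print("pending unless settled  :", HANDSHAKE.unless(PENDING, SETTLED))    # True
    print("pending ensures settled :", HANDSHAKE.ensures(PENDING, SETTLED))   # True
    print("req leads-to ack        :", HANDSHAKE.leads_to(REQ, ACK))          # False
    print("pending leads-to settled:", HANDSHAKE.leads_to(PENDING, SETTLED))  # True
```

The `withdraw` statement is what makes the example informative: it breaks `pending unless ack`, and with it the progress claim `req leads-to ack`, because a fair computation can alternate `request` and `withdraw` forever while `ack` only ever executes as a skip. Weakening the target to `settled` (acknowledged or withdrawn) restores `unless`, `ensures` and `leads-to` together, which is the pairing of a progress hypothesis with its `unless` property that the UNITY abstract above relies on for completeness.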