
    Temporal verification with transition invariants

    Program verification increases the degree of confidence that a program will perform correctly. Manual verification is an error-prone and tedious task. Its automation is highly desirable. The verification methodology reduces the reasoning about temporal properties of program computations to testing the validity of implication between auxiliary first-order assertions. The synthesis of such auxiliary assertions is the main challenge for automated tools. There already exist successful tools for the verification of safety properties. These properties require that some "bad" states never appear during program computations. The tools construct invariants, which are auxiliary assertions for safety. Invariants are computed symbolically by applying techniques of abstract interpretation. Liveness properties require that some "good" states will eventually appear in every computation. The synthesis of auxiliary assertions for the verification of liveness properties is the next challenge for automated verification tools. This dissertation argues that transition invariants can provide a new basis for the development of automated methods for the verification of liveness properties. We support this thesis as follows. We introduce a new notion of auxiliary assertions called transition invariants. We apply this notion to propose a proof rule for the verification of liveness properties. We provide a viable approach for the automated synthesis of transition invariants by abstract interpretation, which automates the proof rule. For this purpose, we introduce a transition predicate abstraction. This abstraction does not have an inherent limitation to preserve only safety properties. Most liveness properties of concurrent programs only hold under certain assumptions on non-deterministic choices made during program executions. These assumptions are known as fairness requirements. A direct treatment of fairness requirements in a proof rule is desirable.
We specialize our proof rule for the direct accounting of two common ways of specifying fairness. Fairness requirements can be imposed either on program transitions or on sets of program states. We treat both cases via abstract-transition programs and labeled transition invariants respectively. We have developed a basis for the construction of automated tools that can not only prove that a program never does anything bad, but can also prove that the program eventually does something good. Such proofs increase our confidence that the program will perform correctly.

    Search and Preference-Based Navigation in Electronic Shopping

    The aim of this paper is to address the requirements for electronic shopping systems. Large-scale computerized electronic shopping systems need to accommodate both (a) a large number of products, many of which are close substitutes, and (b) a heterogeneous body of customers who have complex, multidimensional, and perhaps rapidly changing, preferences regarding the products for sale in the system. Further, these systems will have to be designed in a manner so as to both (c) reduce the complexity of the shopping problem from the customer's point of view, and (d) effectively and insightfully match products to customers' needs. We show how an abstraction hierarchy with an imposed distance metric provides the necessary elements to implement the desired features. Further, we indicate how the distance metric, in the context of the abstraction hierarchy, can be interpreted as a unidimensional utility function. Finally, we extend the single dimensional (single perspective) treatment to multiple dimensions, or perspectives, and show how the resulting representation can be interpreted as a multiattribute utility function. We argue that the resulting function is plausible and, most importantly, testable.
    Information Systems Working Papers Series

    Automatically Verifying Temporal Properties of Heap Programs with Cyclic Proof

    This work proposes a deductive reasoning approach to the automatic verification of temporal properties of pointer programs, based on cyclic proof. We present a proof system whose judgements express that a program has a certain temporal property, given a suitable precondition, and whose rules operate directly on the temporal modalities as well as symbolically executing programs. Cyclic proofs in our system are, as elsewhere, finite rooted proof graphs subject to a natural, decidable soundness condition, encoding a form of proof by infinite descent. We present two variants of our proof system, one for CTL (branching time) properties and one for LTL (linear time) properties, and show them both to be sound. We have implemented both variants in the CYCLIST theorem prover, yielding an automated tool that is capable of automatically discovering proofs of temporal properties of our programs. Evaluation of our tool on well-known benchmarks in the model checking community indicates that our approach is viable, and offers an interesting alternative to traditional model checking techniques.

    European capital structures and the macroeconomic, corporate and taxation environments

    The objective of this thesis is to determine whether European firms exhibit firm-specific optimal capital structure solutions. If the capital structure of the firm is irrelevant then the finance manager should concentrate upon the maximisation of the returns from the firm's investment projects alone. Alternatively, if the capital structure is relevant then the finance manager should strive to attain the capital structure which minimises the cost of capital to the firm, and thus maximises the value of the firm. The firm is positioned within three environments: the macroeconomic environment, the taxation environment and the corporate environment, and it is with respect to these environments that optimising behaviour may be measured. A variety of conventional and modern econometric techniques are employed to study the interaction of the capital structure with the environments within which it is placed to determine whether behaviour of an optimising nature may be ascertained. To allow for as comprehensive a perspective as possible, the processes which determine capital structure policies are tested and modelled across average, marginal, dynamic and long-run time-frames, to enable operational capital structure policies to be distinguished from strategic capital structure policies of the firm. The conclusions suggest that there exists a behavioural dichotomy between larger and smaller firms, based upon differences in the sophistication of information systems present within the finance function of the firm. Larger firms engage in full-optimisation behaviour at the strategic level by targeting the long-run path of the capital structure ratio in relation to key taxation, macroeconomic, and corporate environment variables, endo-exogenous interaction effects, and consideration of the effects of the two-way causal interrelationship between the capital structure ratio and the corporate environment.
Smaller firms engage in a form of bounded-optimisation behaviour at the strategic level, targeting the capital structure ratio upon the norm for the industry to which the firm belongs, upon the capital structure ratio of larger firms, or on the basis of some other targeting criterion. For both larger and smaller firms, departures from the long-run path of the capital structure ratio, determined by the strategic capital structure policy, are caused by operational capital structure policy adjustments. The operational capital structure policy of both larger and smaller firms is determined mainly by those exogenous factors which determine the explicit costs of finance, although endo-exogenous interaction effects and the two-way causal interrelationship between the capital structure ratio and the corporate environment also exert an influence. Overall, the theoretical and empirical analyses of the European research provide very strong support for the existence of firm-specific optimal capital structure solutions.
Plymouth Business School, University of Plymouth

    New Perspectives on Games and Interaction

    This volume is a collection of papers presented at the 2007 colloquium on new perspectives on games and interaction at the Royal Dutch Academy of Sciences in Amsterdam. The purpose of the colloquium was to clarify the uses of the concepts of game theory, and to identify promising new directions. This important collection testifies to the growing importance of game theory as a tool to capture the concepts of strategy, interaction, argumentation, communication, cooperation and competition. It also provides evidence for the richness of game theory and for its impressive and growing application.

    A Framework for Information Architecture for Business Networks

    The concept of Information Architecture (IA) has been independently explored by researchers and practitioners in Information Engineering, Information Systems (IS) management, information visualisation and Web site design. However, little has been achieved towards its standardisation within and across these subject domains. To bridge the existing subject divide, this study conducts a systematic analysis of publications on frameworks for Information Architecture developed in the field of IS planning and Information Engineering and elicits both common and desirable IA dimensions. It concludes that, regardless of their originating subject field, existing IA frameworks are internally focused and have limited effectiveness for dynamic e-business alliances. To address this deficiency, related subject domains such as Systems Theory and Systems Modelling, Web design and virtual team working are explored, and ideas are generated for further architectural components such as events, standards, aggregation level and trust that are not supported by existing IAs but are of high importance for e-business. These are synthesized with the most prevalent IA dimensions identified earlier into a conceptual framework for IA for electronically mediated business networks, called FEBus, a framework for Information Architecture for Electronically mediated Business networks. The structural viability and usability of the proposed analytical vehicle are evaluated over the period 2001-2003 using a triangulation of a Delphi study, an electronic survey, and evaluation interviews. The participants, representing three self-selecting samples of experienced UK academics and practitioners interested in IA, confirmed the need for an IA framework for e-business alliances and proposed and proved the scope, merits and limitations of the tool. Their views formed the basis for some amendments to the framework and for recommendations for future research.
This thesis presents an original contribution to IA knowledge through the comprehensive critical analysis of frameworks on IA and the development of a set of fundamental requirements for IA for e-business environments. Its importance is also seen in the synthesis of the research on IA conducted in different subject areas. The architectural tool built as an extension of the reviewed IA works constitutes another original aspect of this research. Finally, the novel multi-method evaluation approach employed in the study and the critical examination of its operability present an advancement of existing knowledge on methodological diversity in IS research.

    Tourism specialisation and economic growth

    This thesis focuses on the relationship between tourism policy and economic growth. Primarily, it evaluates the effects of specialising in tourism on the growth performance of small economies and in particular the effects of tourism specialisation based on natural resources. A secondary but related question is how changes in the quality of natural resources affect the relationship between specialisation and growth. These questions are considered in the framework defined by recent literature on endogenous growth theory [EG]. Consider a two-sector economy, where growth is driven by the accumulation of sector-specific human capital. The two sectors differ in their associated rates of potential learning. If the low- (no-) learning sector is defined as Tourism and the other as Manufacturing, the condition for balanced growth under complete specialisation (i.e., equal per capita growth rate in both countries) is the presence of homothetic preferences, as spelled out in Lucas (1988). This approach provides a rather promising outlook for economies characterised by a comparative advantage in the tourist sector, as long as the elasticity of substitution between tourism and other goods, produced under decreasing marginal costs, is low. However, this result is based on a characterisation of the demand side that ignores an important feature of the market for tourist services: the income elasticity of the tourist may be other than one. To take account of a non-unitary income elasticity, the EG conditions for balanced growth should be redefined under a non-(quasi) homothetic utility function. After presenting the model, two empirical analyses, using different techniques, are provided.
If consumers allocate a constant share of their (increasing) income toward financing their holidays and two different types of tourist goods exist, one based on natural resources and the other on activities unrelated to natural resources and supplied at decreasing marginal costs, then a reduction in the quality of a country's natural resources may weaken the capacity of the country's tourist sector to retain a non-decreasing share of the market. This idea is based on the hypothesis that the two tourist goods are vertically differentiated. Quality, however, depends on the rate of exploitation. Lowering the quality lessens the value of the luxury good attached to the resource-based good. This framework should allow for a description of the relationship between the rate of exploitation of natural resources and the conditions which allow economies specialising in tourism to reach a balanced growth path, in a market where more than one tourist good is offered.

    Accidental Torts

    One way to understand tort law is as a functional response to the social problem of accidental personal injury. That puts the negligence action at the center, and emphasizes the doctrinal choice between negligence and strict liability, while downplaying the intentional torts and the torts that do not involve physical injury. It also foregrounds the policy choice between tort and other means of dealing with accidents. This functional treatment is not uncontroversial today, but it is certainly orthodox. Here I propose to bring back into view some neglected aspects of the intellectual origins of the accident-centered approach to tort law. When torts was emerging as an important doctrinal category in the common-law world during the late nineteenth century, the early commentator who did the most to organize it around the problem of accidental injury was the young Oliver Wendell Holmes, Jr. The influential slant he gave to the subject turns out to have resulted from his struggle with doubts, surprising and possibly instructive to us, about whether torts was a viable legal category at all. Neither Holmes' doubts about torts nor the theory with which he resolved them had much to do with his views about proper social policy toward industrial accidents. He was mainly responding to the inner dynamics of a juristic debate about the taxonomic arrangement of the substantive law, a debate that had been triggered by the legislative abolition of the common-law forms of action. Jurists drawing on conceptual traditions inherited from Roman law favored adopting tort as a basic category, while those influenced by the analytical jurisprudence of Bentham and Austin pressed the other way. After first taking the Bentham-Austin side, Holmes discovered that centering tort law around the problem of accidents could justify its recognition as an important subject after all.
Coincidentally, the burst of personal injury litigation that accompanied the growth of railroads and factories in the late nineteenth century made Holmes' accident-centered formulation of tort law especially salient in practical terms, and his theory went on to gain the dominant position it holds today, at least in the United States. It thus turned out that in resolving an abstruse theoretical puzzle about the arrangement of the law in the way he did, Holmes was helping to construct an understanding of torts that is still dominant a century later, when its origins have largely been forgotten. As a final twist, we now have our own quite different doubts about torts, based more on concerns about accident policy than on views about conceptual arrangement, and the accident-centered conception that Holmes devised to justify the subject in the first place turns out to leave it especially vulnerable to these doubts.

    Managing multiple interdependencies in large scale software development projects

    Thesis (Ph.D.), Massachusetts Institute of Technology, Sloan School of Management, 1997. Includes bibliographical references (p. 279-283). By Nancy A. Staudenmayer.