
    Addressing performance requirements in the FDT-based design of distributed systems

    The development of distributed systems is generally regarded as a complex and costly task, and for this reason formal description techniques such as LOTOS and ESTELLE (both standardized by the ISO) are increasingly used in this process. Our experience is that LOTOS can be exploited at many stages of the design trajectory, from requirements specification to implementation, but that the language elements do not allow direct formalization of performance requirements. To avoid duplication of effort by using two formalisms with distinct approaches, we propose a design method that incorporates performance constraints in a heuristic but effective manner.

    STAIRS - Understanding and Developing Specifications Expressed as UML Interaction Diagrams

    STAIRS is a method for the step-wise, compositional development of interactions in the setting of UML 2.x. UML 2.x interactions, such as sequence diagrams and interaction overview diagrams, are seen as intuitive ways of describing communication between different parts of a system, and between a system and its users. STAIRS addresses the challenge of harmonizing intuition and formal reasoning by providing a precise understanding of the partial nature of interactions, and of how such incomplete specifications may be consistently refined into more complete specifications. For understanding individual interaction diagrams, STAIRS defines a denotational trace semantics for the main constructs of UML 2.x interactions. The semantic model takes into account the partiality of interactions, and the formal semantics of STAIRS is faithful to the informal semantics given in the UML 2.x standard. For developing UML 2.x interactions, STAIRS defines a number of refinement relations corresponding to basic system development steps. STAIRS also defines matching compliance relations for relating interactions to real computer systems. An important feature of STAIRS is the distinction between underspecification and inherent nondeterminism. Underspecification means that there are several possible behaviours serving the same overall purpose, and that it is sufficient for a computer system to perform only one of these. Inherent nondeterminism, on the other hand, is used to capture alternative behaviours that must all be possible for an implementation. A typical example is the tossing of a coin, where both heads and tails should be possible outcomes. In some cases, using inherent nondeterminism may also be essential for ensuring the necessary security properties of a system.

    Specifying and reasoning about concurrent systems in logic


    Verification of LOTOS Specifications Using Term Rewriting Techniques

    Recently the use of formal methods in describing and analysing the behaviour of (computer) systems has become more common. This has resulted in the proliferation of a wide variety of different specification formalisms, together with analytical techniques and methodologies for specification development. The particular specification formalism adopted for this study is LOTOS, an ISO standard formal description technique. Although there are many works dealing with how to write LOTOS specifications and how to develop a LOTOS specification from the initial abstract requirements specification to a concrete implementation, relatively few works are concerned with the problems of expressing and proving the correctness of LOTOS specifications, i.e. verification. The main objective of this thesis is to address this shortfall by investigating the meaning of verification as it relates to concurrent systems in general, and in particular to those systems described using LOTOS. Further goals are to automate the verification process using equational reasoning and term rewriting, and also to make the results of this work, both theoretical and practical, as accessible to LOTOS practitioners as possible. After introducing the LOTOS language and related formalisms, the thesis continues with a survey of approaches to verification of concurrent systems, with a view to identifying those approaches suitable for verifying properties of systems specified using LOTOS. Both general methodology and specific implementation techniques are considered. As a result of this survey, two useful approaches are identified. Both are based on the technique of expressing the correctness of a LOTOS specification by comparison with another, typically more abstract, specification. The second approach, covered later in the thesis, uses logic for the more abstract specification.

    The main part of the thesis is concerned with the first approach, in which both specifications are described in LOTOS, and the comparison is expressed by a behavioural equivalence or preorder relation. This approach is further explored by means of proofs based on the paradigm of equational reasoning, implemented by term rewriting. Initially, only Basic LOTOS (i.e. the process algebra) is considered. A complete (i.e. confluent and terminating) rule set for weak bisimulation congruence over a subset of Basic LOTOS is developed using RRL (Rewrite Rule Laboratory). Although fully automatic, this proof technique is found to be insufficient for anything other than finite toy examples. In order to give more power, the rule set is supplemented by an incomplete set of rules expressing the expansion law. The incompleteness of the rule set necessitates the use of a strategy in applying the rules, as indiscriminate application of the rules may lead to non-termination of the rewriting. A case study illustrates the use of these rules, and also the effect of different interpretations of the verification requirement on the outcome of the proof. This proof technique, as a result of the deficiencies of the tool on which it is based, has two major failings: an inability to handle recursion, and no opportunity for user control in the proof. Moving to a different tool, PAM (Process Algebra Manipulator), allows correction of these faults, but at the cost of automation. The new implementation acts merely as computerised pencil and paper, although tactics can be defined which allow some degree of automation. Equations may be applied in either direction, so completion is no longer as important. (Note that the tactic language could be used to describe a complete set of rules which would give an automatic proof technique, so some effort towards completion is still desirable. However, since LOTOS weak bisimulation congruence is undecidable, there can never be a complete rule set for deciding equivalence of terms from the full LOTOS language.) The composition of the rule set is reconsidered, with a view to using alternative axiomatisations of weak bisimulation congruence: two main axiomatisations are described and their relative merits compared. The axiomatisation of other LOTOS relations is also considered. In particular, we consider the pitfalls of axiomatising the cred preorder relation. In order to demonstrate the use of the PAM proof system developed, the case study, modified to use recursion, is re-examined. Four other examples taken from the literature, one substantial, the others fairly small, are also investigated to further demonstrate the applicability of the PAM proof system to a variety of examples. The above approach considers Basic LOTOS only; to be more generally applicable, the verification of properties of full LOTOS specifications (i.e. including abstract data types) must also be studied. Methods for proving the equivalence of full LOTOS specifications are examined, including a modification of the technique used successfully above. The application of this technique is illustrated via proofs of the equivalence of three variants of the well-known stack example.

    Distributed systems : architecture-driven specification using extended LOTOS

    The thesis uses the LOTOS language (ISO International Standard ISO 8807) as a basis for the formal specification of distributed systems. Contributions are made to two key research areas: architecture-driven specification and LOTOS language extensions. The notion of architecture-driven specification is to guide the specification process by providing a reference base of pre-defined domain-specific components. The thesis builds an infrastructure of architectural elements, and provides Extended LOTOS (XL) definitions of these elements. The thesis develops Extended LOTOS (XL) for the specification of distributed systems. XL is LOTOS enhanced with features for the formal specification of quantitative timing, probabilistic and priority requirements. For distributed systems, the specification of these 'performance' requirements can be as important as the specification of the associated functional requirements. To support quantitative timing features, the XL semantics define a global, discrete clock which can be used both to force events to occur at specific times, and to measure intervals between event occurrences. XL introduces the time policy operators ASAP ('as soon as possible', corresponding to 'maximal progress semantics') and ALAP ('as late as possible'). Special internal transitions are introduced in the XL semantics for the specification of probability. Conformance relations based on a notion of probabilization, together with a testing framework, are defined to support reasoning about probabilistic XL specifications. Priority within the XL semantics ensures that permitted events with the highest priority weighting of their class are allowed first. Both functional and performance specification play important roles in CIM (Computer Integrated Manufacturing) systems. The thesis uses a CIM system known as the CIM-OSA Integrating Infrastructure as a case study of architecture-driven specification using XL. The thesis thus constitutes a step in the evolution of distributed system specification methods that have both an architectural basis and a formal basis.

    Molecular Phylogenetics and Historical Biogeography of Basal Angiosperms : A Case Study in Nymphaeales

    Scientific progress during the last two decades has greatly improved our knowledge of phylogenetic relationships among major lineages of flowering plants. Besides the two major groups of angiosperms, the eudicots and the monocots, there are several not closely related lineages that are generally referred to as the "basal angiosperms". Among those lineages, Amborella, Nymphaeales and Austrobaileyales are currently assumed to be successive sisters to the rest of the angiosperms, thus forming a "basal grade". However, the phylogenetic relationships among and within the basal angiosperm lineages are still not convincingly resolved, which is to a large extent due to the persisting need for efficient molecular markers at this taxonomic level. The focus of the present thesis is on the phylogenetic and biogeographic history of the order Nymphaeales, a relatively small order comprising water lilies and other water plants. To clarify the phylogeny of Nymphaeales a new molecular marker, the petD intron, was developed. The molecular evolution of this non-coding region of the chloroplast genome was examined and its suitability as a new marker for resolving basal angiosperm relationships was demonstrated. This study also revealed the great potential of microstructural changes as phylogenetic markers. In a second step the petD intron was chosen as a marker, together with other fast-evolving chloroplast regions (rpl16 intron, trnK intron, matK gene, and the trnT-trnF region), to elucidate details of phylogenetic relationships in Nymphaeales. With this comprehensive analysis of Nymphaeales the monophyly of the Cabombaceae could be confirmed, but there is no convincing support for the monophyly of Nymphaeaceae with respect to Nuphar. Furthermore, the genus Nymphaea is inferred to be polyphyletic with respect to the genera Ondinea, Victoria and Euryale. In fact, Victoria and Euryale are inferred to be closely related to a clade comprising all night-blooming water lilies (Nymphaea subgenera Hydrocallis and Lotos). The Australian endemic Ondinea forms a highly supported clade with the Australian water lilies Nymphaea subg. Anecphya. A detailed examination of relationships among Australian water lilies using chloroplast and nuclear markers (ITS, trnT-trnF) confirmed the close affinity of Ondinea to N. subg. Anecphya, and within this subgenus especially to Nymphaea hastifolia. The ITS data set resolved two well-supported clades in Anecphya, the small-seeded and large-seeded group, with Ondinea and N. hastifolia being part of the small-seeded group. Observed polymorphisms among ITS paralogues point to recent hybridisation or introgression in this group. The rather young radiation of water lilies in Australia gave rise to one of the centres of diversity in Nymphaeales. Other centres of diversity are northern South America and South-Central Africa, which correspond to likewise recent radiations in the water lily subgenera Hydrocallis and Brachyceras. The radiation of core Nymphaeaceae, i.e. Nymphaea, Victoria, Euryale and Ondinea, occurred in the Tertiary around the Eocene-Oligocene boundary and is correlated with strong global cooling, the demise of the boreotropical flora and the segregation of the northern hemispheric continents. The northern hemisphere, and possibly also South America, is inferred to be the ancestral range of Nymphaeales. Other Gondwanan continents such as Africa or Australia have been invaded by water lilies rather recently. Some findings of this thesis are of more general significance, beyond Nymphaeales or basal angiosperms: the present study provides another piece of evidence for the general utility of non-coding, fast-evolving chloroplast genomic regions and of microstructural changes as phylogenetic markers. Furthermore, the Nymphaeales study exemplifies the importance of judicious taxon sampling for correct phylogenetic inference. Only the combination of well-supported evidence from molecular phylogenetics, earth history and the fossil record with a thorough consideration of biological and ecological factors allows reasonable conclusions on the evolution of a lineage in space and time.

    Rigorous object-oriented analysis

    Object-oriented methods for analysis, design and programming are commonly used by software engineers. Formal description techniques, however, are mainly used in a research environment. We have investigated how rigour can be introduced into the analysis phase of the software development process by combining object-oriented analysis (OOA) methods with formal description techniques. The main topics of this investigation are a formal interpretation of the OOA constructs using LOTOS, a mathematical definition of the basic OOA concepts using a simple denotational semantics, and a new method for object-oriented analysis that we call the Rigorous Object-Oriented Analysis method (ROOA). The LOTOS interpretation of the OOA concepts is an intrinsic part of the ROOA method. It was designed in such a way that software engineers with no experience in LOTOS can still use ROOA. The denotational semantics of the concepts of object-oriented analysis illuminates the formal syntactic transformations within ROOA and guarantees that the basic object-oriented concepts can be understood independently of the specification language we use. The ROOA method starts from a set of informal requirements and an object model and produces a formal object-oriented analysis model that acts as a requirements specification. The resulting formal model integrates the static, dynamic and functional properties of a system, in contrast to existing OOA methods, which are informal and produce three separate models that are difficult to integrate and keep consistent. ROOA provides a systematic development process by proposing a set of rules to be followed during the analysis phase. During the application of these rules, auxiliary structures are created to help in tracing the requirements through to the final formal model. As LOTOS produces executable specifications, prototyping can be used to check the conformance of the specification against the original requirements and to detect inconsistencies, omissions and ambiguities early in the development process.

    Inhibited privatization: a hurdle race over vested interests

    This paper recognizes vested interests as one of the primary factors that reduce the effectiveness of privatization policy, stall its momentum and produce structural problems in the long run. Both exogenous and endogenous drawbacks are cited, but the main focus is put on the dynamism of vested interests' character, interconnectedness and evolution. Policy makers have long been aware of the existence of activities rooted in vested interests, including empire-building behaviors, the creation of sinecures or an extravagant management style. Hence, the fundamental effort here is put on the identification of emerging vested interests that were typically not considered by scholars. The channels through which conventional vested interests have snowballed over time are emphasized. This includes casting a closer glance at family employment, as well as at sports sponsorship arrangements, which emerge as the favorite domain of marketing activity for Polish state-owned enterprises. A review of the available literature is performed, along with its application to the Polish case, and insightful observations concerning the anatomy of privatization-related reluctance are made. Rough policy recommendations conclude the paper.