Verification of the Alternating-Bit-Protocol using Automated Theorem Provers in ILF - a case study

Thomas Baar (Institute of Mathematics, Humboldt University, Germany, baar@mathematik.hu-berlin.de)
Ingo Dahn (Institute of Mathematics, Humboldt University, Germany, dahn@mathematik.hu-berlin.de)

June 5

This work is supported by the Deutsche Forschungsgemeinschaft within the Schwerpunktprojekt Deduktion.

1 Motivation

For many years the OSI reference model has been developed into a standard of communication in open systems. The OSI model knows 7 layers. In each layer communication is described at a specific level of abstraction. Each layer offers services to the next higher layer; vice versa, a layer can use the services offered by the underlying layer. In this article we investigate the service 'reliable data transmission' offered by the DataLink layer. To realize this service the DataLink layer can use only the service 'unreliable data transmission' provided by the Physical layer. Therefore a communication protocol has to be used. We formally describe a well-known protocol, the Alternating-Bit-Protocol (ABP), and prove that the service offered by the DataLink layer is really reliable as soon as the ABP is used.

We use the ILF system [4] for formal verification. ILF combines interactive possibilities for proof development with the power of ATPs (automated theorem provers). We point out some principles of deduction which are useful in the area of protocol verification. Our verification is therefore only an example of how to verify a protocol using ILF. The main proof ideas can be reused to verify much more sophisticated protocols (e.g. the Sliding-Windows-Protocol or the Kermit-Protocol) or to prove correctness properties of distributed systems.

2 ABP and Z

The specification language Z is suitable for the specification of distributed systems and protocols, and it is widely used. It is based on set theory and sorted first-order
predicate logic. Many concepts of Z can easily be translated into other logical languages [3]. A library of well-known mathematical theorems, called the Mathematical Toolkit, is an integral part of Z. For our purpose it is convenient to use these theorems formally in a proof. The separation of the Mathematical Toolkit from the specification and the structured character of Z specifications turn out to be very useful for formal proof development.

The ABP, first proposed in [2], is a very simple protocol, but its main idea is also used in other, much more powerful protocols. Each message to transmit is augmented by an additional bit. With this bit sender and receiver can mark and distinguish the current messages. The ABP is often described in terms of distributed systems. There are 4 agents and several actions that change their state.

Figure 1: Agents and actions of the ABP: Sender (actions SendMsg, TimeOut, RecAck, RejAck), MsgChan (action LoseMsg), AckChan (action LoseAck), Receiver (actions RecMsg, RejMsg).

Starting with an initial state $S_1$ the described system defines a set of possible traces. A trace is a finite or infinite sequence $S_1 A_1 S_2 A_2 S_3 \ldots$, where $A_i$ denotes an instance of an action, $S_i$ the prestate and $S_{i+1}$ the poststate of $A_i$. We call the projection of a trace to its sequence of states the history of states (sthist) and the projection to its sequence of actions the history of actions (ophist). From the set of all traces we consider only a subset, called the set of regular runs. A trace is a regular run if it satisfies some fairness properties. For our ABP system we want to prove that the finite sequence of messages which the sender has to transmit in the initial state is eventually received by the receiver.

As the formal basis for our proof we formulate a Z specification of the ABP. We omit the specification of some actions which are not of interest in the following sections. First we specify some global types and constants. We define all possible messages as the Z basic type MSG, which means that MSG denotes a nonempty set.
Possible synchronization bits (members of Tag) are either 0 or 1; TaggedMSG is the cartesian product of Tag and MSG. The function flip yields the opposite synchronization bit, and msgsfortrans is the sequence of messages the sender has to transmit in the initial state. In Z notation this is:

  $[MSG]$
  $Tag == \{0, 1\}$
  $TaggedMSG == (Tag \times MSG)$
  $flip : Tag \rightarrow Tag$
  $flip(0) = 1$
  $flip(1) = 0$
  $msgsfortrans : \mathrm{seq}\ MSG$

Sender, receiver and channels are specified as schemas. A schema consists of a declaration part and an optional description part. The declaration part declares components; the description part defines relations among the components. Sender and Receiver contain components for their local synchronization bit (acttag, exptag) and for the sent / received messages (msgsin / msgsout). Furthermore the Sender needs a buffer (lasttaggedmsg) to retransmit the last message when a timeout signal occurs. Channels are modelled as finite sequences.

Sender
  $msgsin, yettotrans : \mathrm{seq}\ MSG$
  $lasttaggedmsg : \mathbb{P}(Tag \times MSG)$
  $acttag : Tag$
  where
  $msgsin \frown yettotrans = msgsfortrans$

Receiver
  $msgsout : \mathrm{seq}\ MSG$
  $exptag : Tag$

MsgChan
  $msgchan : \mathrm{seq}\ TaggedMSG$

AckChan
  $ackchan : \mathrm{seq}\ Tag$

We include these schemas in a System schema and specify an initial state for System. A schema is included in another schema by copying its declaration and description part.

System
  Sender
  MsgChan
  Receiver
  AckChan

Init
  System
  where
  $msgsin = msgsout = \langle\rangle$
  $msgchan = \langle\rangle \wedge ackchan = \langle\rangle$
  $lasttaggedmsg = \emptyset$
  $yettotrans = msgsfortrans$
  $acttag = flip(exptag)$

To specify actions Z offers operation schemas. An operation schema for System includes all parts of System in the original and in the decorated (primed) form, so all components of System are also components of the operation schema, both in original and in decorated form. An original component refers to the component in the prestate, the decorated one to that in the poststate. The inclusion $\Delta Part$ is an abbreviation for the inclusion of $Part$ and $Part'$. The inclusion $\Xi Part$ is an abbreviation for $\Delta Part$ together with the additional equation $Part = Part'$. We explain schema-, $\Delta$- and $\Xi$-inclusion in section 3. The action SendMsg changes Sender and MsgChan ($\Delta$-inclusion) and preserves Receiver and AckChan ($\Xi$-inclusion).
SendMsg
  $\Delta Sender$
  $\Xi Receiver$
  $\Delta MsgChan$
  $\Xi AckChan$
  where
  $lasttaggedmsg = \emptyset \wedge yettotrans \neq \langle\rangle$
  $yettotrans' = \mathrm{tail}\ yettotrans \wedge acttag' = flip(acttag)$
  $msgchan' = msgchan \frown \langle (acttag', \mathrm{head}\ yettotrans) \rangle$
  $lasttaggedmsg' = \{ (acttag', \mathrm{head}\ yettotrans) \}$

TimeOut
  $\Xi Sender$
  $\Xi Receiver$
  $\Delta MsgChan$
  $\Xi AckChan$
  where
  $acttag \in \mathrm{dom}\ lasttaggedmsg$
  $msgchan' = msgchan \frown \langle (acttag, lasttaggedmsg(acttag)) \rangle$

LoseMsg
  $\Xi Sender$
  $\Xi Receiver$
  $\Delta MsgChan$
  $\Xi AckChan$
  where
  $msgchan \neq \langle\rangle$
  $msgchan' = \mathrm{tail}\ msgchan$

RecMsg
  ...

RejMsg
  ...

  $OP == \{ SendMsg, TimeOut, RecMsg, RejMsg, RecAck, RejAck, LoseMsg, LoseAck \}$

Up to now only ABP-specific statements have been made. In order to describe another protocol or distributed system, only this part of the specification has to be changed. In the next part we express regular runs formally. Some preparations:

  $pre == (\lambda\, OPSystem \bullet \theta System)$
  $post == (\lambda\, OPSystem \bullet \theta System')$
  $tracelike\ X == \{ f : \mathbb{N}_1 \rightharpoonup X \mid \forall i_1, i_2 : \mathbb{N}_1 \bullet i_1 < i_2 \wedge i_2 \in \mathrm{dom}\ f \Rightarrow i_1 \in \mathrm{dom}\ f \}$

(Here $\rightharpoonup$ denotes a partial function.)
regular runs
  $sthist : tracelike\ System$
  $ophist : tracelike\ OP$
  where
  $\mathrm{dom}\ ophist = \mathrm{dom}\ sthist$
  $1 \in \mathrm{dom}\ sthist$
  [no action is triggered in the last state]
  $\forall op : OP \bullet \forall opinst : op \bullet \mathrm{dom}\ sthist \neq \mathbb{N}_1 \Rightarrow sthist(\#sthist) \neq pre(opinst)$
  $sthist(1) \in Init$
  $\forall i : (\mathrm{dom}\ sthist \setminus \{1\}) \bullet \exists opinst : ophist(i-1) \bullet sthist(i-1) = pre(opinst) \wedge sthist(i) = post(opinst)$
  [Fairness]
  $\forall i_1 : \mathbb{N}_1 \bullet \forall op : OP \bullet (\exists i_2 : \mathbb{N}_1 \bullet i_1 \leq i_2 \wedge i_2 \in \mathrm{dom}\ ophist \wedge ophist(i_2) = op) \vee (\exists i_3 : \mathbb{N}_1 \mid i_1 \leq i_3 \bullet \forall i_4 : \mathbb{N}_1 \mid i_3 \leq i_4 \bullet \forall opinst : op \bullet i_4 \in \mathrm{dom}\ sthist \Rightarrow sthist(i_4) \neq pre(opinst))$

To prove the desired property of the protocol we prove several subgoals, which can be separated into so-called safety and liveness properties. As one of the possible safety properties we want to prove that in every state of a regular run the sequence of received messages is a prefix of the sequence of already sent messages:

  $\forall i : \mathbb{N}_1 \bullet i \in \mathrm{dom}(sthist) \Rightarrow sthist(i).msgsout\ \mathrm{prefix}\ sthist(i).msgsin$

As one of the possible liveness properties we want to show that the sender keeps sending new messages until it has sent all messages:

  $\forall i : \mathbb{N}_1 \bullet i \in \mathrm{dom}(sthist) \wedge sthist(i).yettotrans \neq \langle\rangle \Rightarrow \exists j : \mathbb{N}_1 \bullet j > i \wedge j \in \mathrm{dom}(sthist) \wedge \#(sthist(j).msgsin) > \#(sthist(i).msgsin)$

3 ILF and Z

We have to translate Z specifications into ILF theories, because ILF is unable to handle original Z specifications. The syntax of ILF theories is very similar to ordinary predicate logic. Moreover, a powerful type system can be used to formulate short and readable ILF theories. Currently the translation from Z to ILF notation has to be done by the user. The translation must respect some translation rules and is straightforward. We demonstrate a small translation into typed logic. Basic types, predicates and functions are translated as usual.
Z:
  $[t_1]$
  $r : \mathbb{P}\, t_1$
  $c : t_1$
  $f : t_1 \rightarrow t_1$

Typed logic:
  $TYPE = \{ t_1 \}$
  $PRED = \{ (r : [t_1]) \}$
  $FUN = \{ (c : [\,] \rightarrow t_1),\ (f : [t_1] \rightarrow t_1) \}$

Schemas can be represented as predicates, their components as functions.

Z (a schema A with component $a_1 : t_1$ and description $r(a_1)$):
  A
    $a_1 : t_1$
    where
    $r(a_1)$

Typed logic:
  $TYPE = \{ sch \}$ (sch represents the schema type $\langle\!| a_1 : t_1 |\!\rangle$)
  $VAR = \{ (x : sch) \}$
  $FUN = \{ (a_1 : [sch] \rightarrow t_1) \}$
  $PRED = \{ (r_A : [sch]) \}$
  $Theory = \{ \forall x \bullet r_A(x) \Leftrightarrow r(a_1(x)) \}$

We do not directly translate more sophisticated Z structures like schema-, $\Delta$- and $\Xi$-inclusion into typed logic. We only unfold these abbreviations into ordinary schemas, which are then translated as above.

Z: A with $a_1 : t_1$ and $r(a_1)$. Plain Z: no simplification.
Z: B with $b_1 : t_1$ and $r(b_1)$. Plain Z: no simplification.
Z: Sys includes A and B. Plain Z: Sys with declarations $a_1 : t_1$, $b_1 : t_1$ [all declarations of A and B] and description $r(a_1)$, $r(b_1)$ [all definitions of A and B].
Z: Init includes Sys and adds $a_1 = c$. Plain Z: Init with declarations $a_1 : t_1$, $b_1 : t_1$ and description $r(a_1)$, $r(b_1)$ [like Sys], $a_1 = c$ [additional definition of Init].
Z: Op1 includes $\Xi A$ and $\Delta B$ and adds $b_1' = f(b_1)$. Plain Z: Op1 with declarations $a_1 : t_1$, $a_1' : t_1$, $b_1 : t_1$, $b_1' : t_1$ [original and decorated components] and description $r(a_1) \wedge r(a_1')$, $r(b_1) \wedge r(b_1')$, $a_1' = a_1$ [consequence of $\Xi A$], $b_1' = f(b_1)$.

With the expansion of inclusions the structure and clarity of the specification are lost. However, this expansion leads to formulas with less complex terms, which facilitates the work of the ATPs considerably. Moreover, many proof problems require information which refers to several components of the distributed system. Hence the structuring of the knowledge base suggested by the Z specification is not helpful for our verification task.

4 Proof of safety properties

Usually an invariant $\varphi$ is shown to hold by induction. This means proving the subgoals

  (1) $1 \in \mathrm{dom}\ sthist \Rightarrow \varphi(1)$
  (2) $(n \in \mathrm{dom}\ sthist \Rightarrow \varphi(n)) \rightarrow ((n + 1) \in \mathrm{dom}\ sthist \Rightarrow \varphi(n + 1))$

It is seldom that an invariant can be shown on its own. Normally auxiliary invariants are needed (simultaneous induction). In our case 12 other invariants were necessary to prove the safety property formally. The whole proof consists of 13 proofs for the initial step of the induction and 13 * 8 (number of actions) = 104 proofs for the other induction steps. The proofs of these numerous little tasks are tedious for humans and require a lot of concentration and time. The only really interesting task during the development of this proof is to find useful lemmas.

Using ILF it is much easier to prove the desired properties. The user only has to formulate the auxiliary invariants. Based on the specification theory and
the invariants a user-defined ILF tactic generates 117 subgoals, comparable with a natural proof. When the subgoals are proved the whole problem is proved; ILF ensures the formal correctness of this proof reduction. The user-defined ILF tactic is a domain-specific combination of many basic ILF tactics and makes some assumptions about the structure of the underlying theory. These assumptions only concern the parts of the theory which formally define regular runs, and therefore the tactic is not specific to the Alternating-Bit-Protocol. We can reuse the tactic to show safety properties of other protocols or distributed systems.

The generated subgoals can be solved automatically by the provers integrated into ILF or interactively. The proofs of the subgoals for the initial steps of the induction are often trivial. It is more interesting to prove induction steps. As a simple but typical task we present the proof that the action SendMsg respects the safety property

  $\forall i : \mathbb{N}_1 \bullet i \in \mathrm{dom}(sthist) \Rightarrow sthist(i).msgsout\ \mathrm{prefix}\ sthist(i).msgsin$

For the induction step from the n-th to the (n+1)-th state a theory like the one in figure 2 is used (see footnote 1). All parts except part V) are automatically extracted by ILF. Typically the theory consists of simply structured formulas like facts and implications that specify pre- and postconditions. In part III) we find many equations, because equations are an intuitive style of specification for defining actions like SendMsg. ILF can use these equations to simplify the theory and reduce the signature. Many function symbols representing schema components in the poststate can be substituted by their definition (e.g. $yettotrans' = \mathrm{tail}\ yettotrans$), but there are also other cases (compare $msgsin'$).

To solve an induction step other theorems (part V)) are often necessary. To prove properties of a Z specification we can use all theorems collected in the Z library (Mathematical Toolkit). It is a problem to choose the right axioms from this library. In general the user has to do this work.
ILF provides a facility to choose whole classes of axioms, e.g. all axioms defining a property of sequences. But the automatically selected theories in most cases contain more axioms than are really needed. If no further simplification of the theory can be done, ATPs are invoked to prove the subgoals. The user can specify a time limit (often 1-2 minutes) for each prover; after the time limit has elapsed ILF kills the prover. To prove the subgoals we used the provers Setheo [7] and Discount [1]. In 102 of 104 cases Setheo or Discount finds a proof before the time limit is exceeded. In the other 2 cases the user has to simplify the goal by a further tactic, and after that Setheo and Discount also find a proof. Therefore ATPs gave effective support to the user while proving safety properties. The boring task of checking every action against every invariant has been done by Setheo and Discount.

Footnote 1: We abbreviate $sthist(n).msgsout$ by $msgsout$ and $sthist(n+1).msgsout$ by $msgsout'$, and analogously for all other components.

It is possible that an ATP finds subproofs because there is an error in the specification. This is most easily detected when the user inspects a well readable
proof presentation. ILF supports this with its automatic generation of human-readable proof presentations [5]. Some subproofs found by ATPs are really interesting and quite different from natural ones. Such proofs give the user new insights into the mechanism of the protocol. Natural language proof presentation makes them intelligible for users without special knowledge in deduction.

Figure 2: Theory used by an induction step

  I) Precondition
     $msgsout\ \mathrm{prefix}\ msgsin$
  II) Preconditions of other invariants
     (omitted here, not needed)
  III) Definition of SendMsg
     $lasttaggedmsg = \emptyset$
     $yettotrans \neq \langle\rangle$
     $yettotrans' = \mathrm{tail}\ yettotrans$
     $acttag' = flip(acttag)$
     $msgchan' = msgchan \frown \langle (acttag', \mathrm{head}\ yettotrans) \rangle$
     $lasttaggedmsg' = \{ (acttag', \mathrm{head}\ yettotrans) \}$
     $exptag' = exptag$
     $msgsout' = msgsout$
     $ackchan' = ackchan$
  IV) Invariants of sender
     $msgsin \frown yettotrans = msgsfortrans$
     $msgsin' \frown yettotrans' = msgsfortrans$
  V) Mathematics
     $\forall SQ_1 \bullet \forall SQ_2 \bullet \forall SQ_3 \bullet SQ_1\ \mathrm{prefix}\ SQ_2 \Rightarrow SQ_1\ \mathrm{prefix}\ SQ_2 \frown SQ_3$
     $\forall SQ_1 \bullet \forall SQ_2 \bullet \forall SQ_3 \bullet \forall SQ_4 \bullet SQ_2 \neq \langle\rangle \wedge SQ_1 \frown SQ_2 = SQ_3 \frown SQ_4 \wedge SQ_4 = \mathrm{tail}\ SQ_2 \Rightarrow SQ_3 = SQ_1 \frown \langle \mathrm{head}\ SQ_2 \rangle$
  VI) Goal
     $msgsout'\ \mathrm{prefix}\ msgsin'$

5 Proof of liveness properties

Proving liveness properties requires showing that each message sent by the sender is eventually received by the receiver and, vice versa, that each acknowledge message sent by the receiver is eventually received by the sender. We call this the information flow of the protocol. In principle we have to show that after every state an action will occur which can be viewed as a step forward in the information flow. Normally the argument for the occurrence of such an action is based on the fairness of regular runs. Since all finite runs are fair by definition, fairness is a useful property only for infinite runs.
We argue that in the last state of a finite regular run all data and acknowledge messages have been sent and received. Assume the opposite for the last state. This means that there are still some messages for the sender to send ($yettotrans \neq \langle\rangle$) or that the acknowledgement for the last message has not been received yet ($lasttaggedmsg \neq \emptyset$). In the second case the action TimeOut, in the first case TimeOut or SendMsg is triggered, and therefore it cannot be the last state of a regular run.

Assuming infinite runs we sketch a tiny step in the information flow (see footnote 2):

  $\forall i_1 : \mathbb{N}_1 \bullet msgchan(i_1) \neq \langle\rangle \Rightarrow \exists j : \mathbb{N}_1 \bullet j \geq i_1 \wedge \mathrm{last}\ msgchan(i_1) = \mathrm{head}\ msgchan(j)$

Informally speaking: the last element in the channel will eventually be the first one. For this we need the following lemma:

  $\forall i_1 : \mathbb{N}_1 \bullet msgchan(i_1) \neq \langle\rangle \Rightarrow \exists j : \mathbb{N}_1 \bullet j \geq i_1 \wedge msgchan(j + 1) = \mathrm{tail}(msgchan(j))$

To show this lemma we distinguish 2 cases using fairness for the action LoseMsg:

1. $\exists j_1 : \mathbb{N}_1 \bullet j_1 \geq i_1 \wedge ophist(j_1) = LoseMsg$
   In this case we can prove the lemma observing the fact
   $\forall l : \mathbb{N}_1 \bullet ophist(l) = LoseMsg \Rightarrow msgchan(l + 1) = \mathrm{tail}\ msgchan(l)$

2. $\exists j_2 : \mathbb{N}_1 \bullet \forall j_3 : \mathbb{N}_1 \bullet j_2 \geq i_1 \wedge (j_3 \geq j_2 \Rightarrow \forall opinst : LoseMsg \bullet sthist(j_3) \neq pre(opinst))$
   Since $\forall opinst : LoseMsg \bullet pre(opinst).msgchan \neq \langle\rangle$ we can conclude
   $msgchan(i_1) \neq \langle\rangle \wedge j_2 \geq i_1 \wedge msgchan(j_2) = \langle\rangle$
   Now the proof can be completed using the following lemma:
   $\forall i : \mathbb{N}_1 \bullet (\exists j : \mathbb{N}_1 \bullet i < j \wedge msgchan(i) \neq \langle\rangle \wedge msgchan(j) = \langle\rangle) \Rightarrow (\exists j' : \mathbb{N}_1 \bullet i \leq j' \wedge msgchan(j' + 1) = \mathrm{tail}\ msgchan(j'))$

This little example shows that we must prove numerous lemmas before proving a single step in the information flow. The user has to find and formulate these lemmas, and therefore has to know the main proof ideas. Some of the lemmas are independent of the protocol (like this example), others depend on the protocol definition. Nevertheless, the detailed proof of the liveness properties can be obtained by combining the interactively generated proofs with the subproofs found by the ATPs.
Footnote 2: We abbreviate $sthist(i).msgchan$ by $msgchan(i)$, and analogously for all other components.
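The following Python program is an added example, not code from the paper or from the ILF system. It encodes the Z specification of section 2 as an explicit-state model and checks, over all states reachable with bounded channels, the safety property of section 4 (msgsout is a prefix of msgsin, together with the Sender invariant), the last-state argument of section 5 (a state in which no action is enabled has delivered every message), and that progress is never blocked while messages remain to be sent. The paper omits RecMsg, RejMsg, RecAck, RejAck and LoseAck, so their definitions here are assumptions, as are the channel bound CHAN_BOUND and all function names. Setting use_tags=False models a receiver that ignores the synchronization bit, which shows why the extra bit is needed: a retransmitted frame is then delivered twice and the prefix property fails.

```python
# Added example, not the paper's code: explicit-state model of the ABP specification.
from collections import deque
from typing import NamedTuple

CHAN_BOUND = 2  # assumption: successors with longer channels are pruned to keep the state space finite


def flip(tag):  # flip : Tag -> Tag
    return 1 - tag


class State(NamedTuple):      # one System state: Sender, MsgChan, Receiver, AckChan
    msgsin: tuple             # seq MSG, messages handed to the channel by the sender
    yettotrans: tuple         # seq MSG, still to be transmitted
    lasttaggedmsg: tuple      # () or ((tag, msg),), buffer for retransmission
    acttag: int               # sender's synchronization bit
    msgchan: tuple            # seq TaggedMSG
    msgsout: tuple            # seq MSG, delivered by the receiver
    exptag: int               # tag the receiver expects next
    ackchan: tuple            # seq Tag


def init_state(msgsfortrans, exptag=0):
    # Init: nothing sent or received, empty channels, acttag = flip(exptag)
    return State((), tuple(msgsfortrans), (), flip(exptag), (), (), exptag, ())


def make_ops(use_tags=True):
    """Operation schemas as partial functions: poststate, or None if the precondition fails.
    SendMsg, TimeOut and LoseMsg follow the paper; the other five are assumptions (the paper
    omits them). use_tags=False models a receiver that ignores the bit."""
    def send_msg(s):
        if s.lasttaggedmsg or not s.yettotrans:
            return None
        tag, m = flip(s.acttag), s.yettotrans[0]
        # msgsin' is forced by the Sender invariant msgsin ^ yettotrans = msgsfortrans
        return s._replace(msgsin=s.msgsin + (m,), yettotrans=s.yettotrans[1:], acttag=tag,
                          msgchan=s.msgchan + ((tag, m),), lasttaggedmsg=((tag, m),))

    def time_out(s):  # acttag in dom lasttaggedmsg: retransmit the buffered frame
        if not (s.lasttaggedmsg and s.lasttaggedmsg[0][0] == s.acttag):
            return None
        return s._replace(msgchan=s.msgchan + (s.lasttaggedmsg[0],))

    def rec_msg(s):  # head frame carries the expected tag: deliver it and acknowledge its tag
        if not s.msgchan or (use_tags and s.msgchan[0][0] != s.exptag):
            return None
        tag, m = s.msgchan[0]
        return s._replace(msgchan=s.msgchan[1:], msgsout=s.msgsout + (m,),
                          exptag=flip(s.exptag), ackchan=s.ackchan + (tag,))

    def rej_msg(s):  # duplicate frame: drop it but repeat the acknowledgement
        if not (use_tags and s.msgchan and s.msgchan[0][0] != s.exptag):
            return None
        return s._replace(msgchan=s.msgchan[1:], ackchan=s.ackchan + (s.msgchan[0][0],))

    def rec_ack(s):  # acknowledgement for the outstanding frame: clear the buffer
        if not (s.ackchan and s.ackchan[0] == s.acttag):
            return None
        return s._replace(ackchan=s.ackchan[1:], lasttaggedmsg=())

    def rej_ack(s):  # stale acknowledgement: discard it
        if not (s.ackchan and s.ackchan[0] != s.acttag):
            return None
        return s._replace(ackchan=s.ackchan[1:])

    def lose_msg(s):
        return s._replace(msgchan=s.msgchan[1:]) if s.msgchan else None

    def lose_ack(s):
        return s._replace(ackchan=s.ackchan[1:]) if s.ackchan else None

    return {"SendMsg": send_msg, "TimeOut": time_out, "RecMsg": rec_msg, "RejMsg": rej_msg,
            "RecAck": rec_ack, "RejAck": rej_ack, "LoseMsg": lose_msg, "LoseAck": lose_ack}


def is_prefix(a, b):
    return b[:len(a)] == a


def invariants_hold(s, msgsfortrans):
    # the safety property of section 2 plus the invariant of the Sender schema
    return is_prefix(s.msgsout, s.msgsin) and s.msgsin + s.yettotrans == tuple(msgsfortrans)


def reachable(msgsfortrans, ops):
    """Breadth-first search from Init: {state: {action: successor}}. A state violating the
    invariants is recorded as a counterexample but not expanded."""
    graph, queue = {}, deque([init_state(msgsfortrans)])
    while queue:
        s = queue.popleft()
        if s in graph:
            continue
        graph[s] = {}
        if not invariants_hold(s, msgsfortrans):
            continue
        for name, op in ops.items():
            t = op(s)
            if t is not None and len(t.msgchan) <= CHAN_BOUND and len(t.ackchan) <= CHAN_BOUND:
                graph[s][name] = t
                queue.append(t)
    return graph


def check_abp(msgsfortrans, use_tags=True):
    """Returns (states explored, safety holds, last states complete, progress always possible)."""
    ops = make_ops(use_tags)
    graph = reachable(msgsfortrans, ops)
    safety_ok = all(invariants_hold(s, msgsfortrans) for s in graph)
    # section 5: in a last state (no action enabled) everything has been delivered
    last = [s for s in graph if all(op(s) is None for op in ops.values())]
    last_ok = all(s.msgsout == tuple(msgsfortrans) for s in last)

    def can_grow(s):  # some state reachable from s has a longer msgsin
        seen, stack = set(), [s]
        while stack:
            u = stack.pop()
            if len(u.msgsin) > len(s.msgsin):
                return True
            if u not in seen:
                seen.add(u)
                stack.extend(graph[u].values())
        return False

    progress_ok = all(can_grow(s) for s in graph if s.yettotrans)
    return len(graph), safety_ok, last_ok, progress_ok


if __name__ == "__main__":
    print("tagged receiver:", check_abp(("a", "b", "c")))
    print("receiver ignoring the bit:", check_abp(("a", "b", "c"), use_tags=False))
```

The exploration is the brute-force counterpart of the 13 × 8 induction-step subgoals of section 4: every enabled action is applied to every reachable state that satisfies the invariants, and any successor that violates them is a concrete counterexample trace rather than a failed proof attempt. Because the channels are truncated at CHAN_BOUND, the check covers only the runs whose channels never exceed that length; the paper's inductive proof has no such restriction.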
6 Tactics

The use of interactive provers is a consequence of the limited power of ATPs. Two general problems may cause the failure to find a proof: the goal requires a long (complicated) proof, or the supplied theory is too large and contains many axioms which are not needed to show the goal. Therefore ILF tactics have to solve two tasks:

1) simplification of goals
2) choice of suitable axioms to prove the goal

In ILF in particular, it is not the major task of tactics to generate partial proofs.

ad 1) Finding a proof becomes easier if the required proof becomes shorter. The ILF system offers several possibilities to realize such a simplification using tactics. The user can insert helpful lemmas, generate an equivalent set of subgoals (e.g. to show $A \wedge B$ it is sufficient to show A and B), or apply theorems (e.g. to show C it is sufficient to show $A \wedge B$ if $A \wedge B \Rightarrow C$ is an axiom of the theory).

ad 2) Often the choice of a theory for a subgoal is based on heuristics. Nevertheless we can connect the choice of a theory with tactics. For instance, the use of a lemma is in many cases only necessary for the goal for which this lemma was inserted. For some goals, like the induction step to show safety properties, tactics can extract a quite exact choice of a theory if they respect the structure of the whole proof (compare section 4).

From this point of view some properties of tactics are especially important. Tactics should consist of basic elements and control structures giving the user the possibility to define his own domain-specific tactics. The basic elements should include:

- insertion of new, user-defined subgoals
- application of an inference rule
- analysis of the goal, in general matching a given structure against the goal
- analysis of the axioms in the theory, in general matching a given structure against an axiom

ILF provides the user with such basic tactics. The language PROLOG is used to recombine existing tactics into new ones.
PROLOG offers sufficiently complex control structures and is outstandingly suitable for matching tasks. It supports backtracking in case of failed attempts and the storage of intermediate results for further use.
7 Conclusions / experiences

We have formally verified the ABP using the proof system ILF, starting from a specification in Z. For this purpose some domain-specific tactics were developed. These tactics only assume some structure of the general part of the specification (the definition of regular runs) and can be reused for similar problems, too.

ILF tactics have to simplify a problem, not to solve it. That is the serious advantage compared with purely interactive provers. ILF benefits from powerful automatic provers during its work. For practical reasons it is very important that a prover can handle redundant theories: in most cases the user is not able to specify exactly the theory which is needed to prove a specific subgoal. The ability to prove really difficult problems and to find long proofs is less important. Often the user knows the key ideas of a proof and can help ILF (and the ATPs) by giving additional lemmas.

The use of ILF is very helpful for problems which can be divided automatically into many subgoals by a tactic. If it is not possible to benefit from such a comfortable proof structure, the user has to use the interactive ILF facilities. But he does not need to prove the whole problem interactively and can also use ATPs for the generated subgoals. Compared with other systems, e.g. [6], [8], the use of ATPs reduces the amount of user input considerably. For the verification of the safety and liveness properties of the ABP only 1 respectively 5 ILF tactics were used. Nevertheless, a fully detailed verification can be obtained by combining the proofs generated by the ATPs with the partial proof edited by the user.

In the future we intend to verify other protocols, especially the Sliding-Windows-Protocol. Another aim is to prove correctness properties of other distributed systems.

References

[1] J. Avenhaus, J. Denzinger, and M. Fuchs. Discount: A system for distributed equational deduction. In Proceedings of the 6th RTA, Lecture Notes in Computer Science, pages 397-402. Springer Verlag.
[2] K. A. Bartlett, R. A. Scantlebury, and P. T. Wilkinson. A note on reliable full-duplex transmission over half-duplex links. Communications of the ACM, 12(5):260-261, 265.
[3] J. Bowen and M. J. C. Gordon. Z and HOL.
[4] B. I. Dahn, J. Gehne, T. Honigmann, and A. Wolf. Integration of automated and interactive theorem proving in ILF. In Proceedings CADE-14. Springer.
[5] B. I. Dahn and A. Wolf. Natural language presentation and combination of automatically generated proofs. In F. Baader and K. Schulz, editors, Frontiers of Combining Systems, pages 175-192. Kluwer.
[6] M. J. C. Gordon and T. F. Melham, editors. Introduction to HOL: A theorem proving environment for higher order logic. Cambridge University Press.
[7] R. Letz, J. Schumann, S. Bayerl, and W. Bibel. Setheo: A high-performance theorem prover. Journal of Automated Reasoning, 8:183-212.
[8] L. C. Paulson. Isabelle - A Generic Theorem Prover. LNCS 828. Springer.
A note on fuzzy predicate logic Petr H jek 1 Institute of Computer Science, Academy of Sciences of the Czech Republic Pod vod renskou v 2, 182 07 Prague. Abstract. Recent development of mathematical fuzzy
More information1 Introduction During the execution of a distributed computation, processes exchange information via messages. The message exchange establishes causal
TR No. OSU-ISR-5/96-TR33, Dept. of omputer and Information Science, The Ohio State University. Quasi-Synchronous heckpointing: Models, haracterization, and lassication D. Manivannan Mukesh Singhal Department
More informationThe rest of the paper is organized as follows: in Section 2 we prove undecidability of the existential-universal ( 2 ) part of the theory of an AC ide
Undecidability of the 9 8 part of the theory of ground term algebra modulo an AC symbol Jerzy Marcinkowski jma@tcs.uni.wroc.pl Institute of Computer Science University of Wroc law, ul. Przesmyckiego 20
More informationCHAPTER 0: BACKGROUND (SPRING 2009 DRAFT)
CHAPTER 0: BACKGROUND (SPRING 2009 DRAFT) MATH 378, CSUSM. SPRING 2009. AITKEN This chapter reviews some of the background concepts needed for Math 378. This chapter is new to the course (added Spring
More informationIn a second part, we concentrate on interval models similar to the traditional ITL models presented in [, 5]. By making various assumptions about time
Complete Proof Systems for First Order Interval Temporal Logic Bruno Dutertre Department of Computer Science Royal Holloway, University of London Egham, Surrey TW0 0EX, United Kingdom Abstract Dierent
More informationA Proof of Burns N-Process Mutual Exclusion. Algorithm using Abstraction. Cambridge, MA USA.
A Proof of Burns N-Process Mutual Exclusion Algorithm using Abstraction Henrik E. Jensen 1 and Nancy A. Lynch 2 1 Department of Computer Science, Institute for Electronic Systems, Aalborg University, DK-9220
More informationfor Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty
An Automata-Theoretic Decision Procedure for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty Department of Electrical and Computer
More informationAbstract. The paper considers the problem of implementing \Virtually. system. Virtually Synchronous Communication was rst introduced
Primary Partition \Virtually-Synchronous Communication" harder than Consensus? Andre Schiper and Alain Sandoz Departement d'informatique Ecole Polytechnique Federale de Lausanne CH-1015 Lausanne (Switzerland)
More informationINDEPENDENCE OF THE CONTINUUM HYPOTHESIS
INDEPENDENCE OF THE CONTINUUM HYPOTHESIS CAPSTONE MATT LUTHER 1 INDEPENDENCE OF THE CONTINUUM HYPOTHESIS 2 1. Introduction This paper will summarize many of the ideas from logic and set theory that are
More informationAnalogical Transfer of Verification Proofs for State-Based Specifications
Deutsches Forschungszentrum für Künstliche Intelligenz GmbH Research Report RR-97-01 Analogical Transfer of Verification Proofs for State-Based Specifications Erica Melis and Claus Sengler January 1997
More informationOn Controllability and Normality of Discrete Event. Dynamical Systems. Ratnesh Kumar Vijay Garg Steven I. Marcus
On Controllability and Normality of Discrete Event Dynamical Systems Ratnesh Kumar Vijay Garg Steven I. Marcus Department of Electrical and Computer Engineering, The University of Texas at Austin, Austin,
More informationSupplementary Notes on Inductive Definitions
Supplementary Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 August 29, 2002 These supplementary notes review the notion of an inductive definition
More information2 2 Proof planning One of our aims is to see if current theorem proving techniques, specically Bundy's \proof planning" approach [Bun91], can be succe
Proof Planning in Maple Toby Walsh 1 University of York, York, England. tw@cs.york.ac.uk Abstract. We are building a system that helps us mix proof with computation. On the one hand, theorem proving tools
More informationAbstract. In this paper we study clausal specications over built-in algebras. To keep things simple, we consider built-in algebras only that
Partial Functions in Clausal Specications? J. Avenhaus, K. Madlener Universitat Kaiserslautern e-mail: favenhaus, madlener g@informatik.uni-kl.de Abstract. In this paper we study clausal specications over
More information[7] F. Giunchiglia and R.W. Weyhrauch FOL User Manual - FOL version 2. Technical Report , DIST, University of Genova, Genova, Italy,
[7] F. Giunchiglia and R.W. Weyhrauch FOL User Manual - FOL version 2 Technical Report 9107-05, DIST, University of Genova, Genova, Italy, 1991. [8] D.A. Plaisted. Theorem proving with abstraction. Articial
More informationDesigning and Evaluating Generic Ontologies
Designing and Evaluating Generic Ontologies Michael Grüninger Department of Industrial Engineering University of Toronto gruninger@ie.utoronto.ca August 28, 2007 1 Introduction One of the many uses of
More informationFinite-Delay Strategies In Infinite Games
Finite-Delay Strategies In Infinite Games von Wenyun Quan Matrikelnummer: 25389 Diplomarbeit im Studiengang Informatik Betreuer: Prof. Dr. Dr.h.c. Wolfgang Thomas Lehrstuhl für Informatik 7 Logik und Theorie
More informationThe Proof of IP = P SP ACE
The Proof of IP = P SP ACE Larisse D. Voufo March 29th, 2007 For a long time, the question of how a verier can be convinced with high probability that a given theorem is provable without showing the whole
More informationA Formal Approach to Modeling and Model Transformations in Software Engineering
A Formal Approach to Modeling and Model Transformations in Software Engineering Adrian Rutle 1, Uwe Wolter 2, and Yngve Lamo 1 1 Bergen University College, p.b. 7030, 5020 Bergen, Norway {aru,yla}@hib.no
More informationUsing the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:
Basic Basic NASA Langley Formal Methods Group lee.s.pike@nasa.gov June 3, 2005 Basic Sequents Basic Sequent semantics: The conjunction of the antecedents above the turnstile implies the disjunction of
More information{},{a},{a,c} {},{c} {c,d}
Modular verication of Argos Programs Agathe Merceron 1 and G. Michele Pinna 2 1 Basser Department of Computer Science, University of Sydney Madsen Building F09, NSW 2006, Australia agathe@staff.cs.su.oz.au
More informationSMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic
Model Checking (I) SMV the Symbolic Model Verifier Example: the alternating bit protocol LTL Linear Time temporal Logic CTL Fixed Points Correctness Slide 1 SMV - Symbolic Model Verifier SMV - Symbolic
More informationLecture Notes on Inductive Definitions
Lecture Notes on Inductive Definitions 15-312: Foundations of Programming Languages Frank Pfenning Lecture 2 August 28, 2003 These supplementary notes review the notion of an inductive definition and give
More information7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing-
7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing- Constrained Systems, Proc. 4th Workshop Computer-Aided Verication, Lecture Notes in Computer Science 663, Springer-Verlag,
More informationIntuitionistic Proof Transformations and their Application to Constructive Program Synthesis
Intuitionistic Proof Transformations and their Application to Constructive Program Synthesis Uwe Egly uwe@krtuwienacat Stephan Schmitt steph@cscornelledu presented by: Christoph Kreitz kreitz@cscornelledu
More informationLecture Notes on Data Abstraction
Lecture Notes on Data Abstraction 15-814: Types and Programming Languages Frank Pfenning Lecture 14 October 23, 2018 1 Introduction Since we have moved from the pure λ-calculus to functional programming
More informationWojciech Penczek. Polish Academy of Sciences, Warsaw, Poland. and. Institute of Informatics, Siedlce, Poland.
A local approach to modal logic for multi-agent systems? Wojciech Penczek 1 Institute of Computer Science Polish Academy of Sciences, Warsaw, Poland and 2 Akademia Podlaska Institute of Informatics, Siedlce,
More informationBoolean Algebra and Propositional Logic
Boolean Algebra and Propositional Logic Takahiro Kato September 10, 2015 ABSTRACT. This article provides yet another characterization of Boolean algebras and, using this characterization, establishes a
More informationProgram verification using Hoare Logic¹
Program verification using Hoare Logic¹ Automated Reasoning - Guest Lecture Petros Papapanagiotou Part 2 of 2 ¹Contains material from Mike Gordon s slides: Previously on Hoare Logic A simple while language
More informationBeyond First-Order Logic
Beyond First-Order Logic Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) Beyond First-Order Logic MFES 2008/09 1 / 37 FOL
More informationNew concepts: Span of a vector set, matrix column space (range) Linearly dependent set of vectors Matrix null space
Lesson 6: Linear independence, matrix column space and null space New concepts: Span of a vector set, matrix column space (range) Linearly dependent set of vectors Matrix null space Two linear systems:
More informationJan L.A. van de Snepscheut. California Institute of Technology
JAN 173-0 The sliding window protocol revisited Jan L.A. van de Snepscheut Computer Science California Institute of Technology Pasadena, CA 91125 Summary We give a correctness proof of the sliding window
More informationLecture Notes on Combinatory Modal Logic
Lecture Notes on Combinatory Modal Logic 15-816: Modal Logic Frank Pfenning Lecture 9 February 16, 2010 1 Introduction The connection between proofs and program so far has been through a proof term assignment
More information02 The Axiomatic Method
CAS 734 Winter 2005 02 The Axiomatic Method Instructor: W. M. Farmer Revised: 11 January 2005 1 What is Mathematics? The essence of mathematics is a process consisting of three intertwined activities:
More informationFinite information logic
Finite information logic Rohit Parikh and Jouko Väänänen April 5, 2002 Work in progress. Please do not circulate! Partial information logic is a generalization of both rst order logic and Hintikka-Sandu
More informationsignicant in view of the fact that in many applications existential queries are of main interest. It also plays an important role in the problem of nd
On the Relationship Between CWA, Minimal Model and Minimal Herbrand Model Semantics Michael Gelfond Halina Przymusinska Teodor Przymusinski March 3, 1995 Abstract The purpose of this paper is to compare
More informationLiveness in Timed and Untimed Systems. Abstract. and its timed version have been used successfully, but have focused on safety conditions and
Liveness in Timed and Untimed Systems Roberto Segala y Rainer Gawlick z Jrgen Sgaard-Andersen x Nancy Lynch { Abstract When proving the correctness of algorithms in distributed systems, one generally considers
More informationAsynchronous Communication 2
Asynchronous Communication 2 INF4140 22.11.12 Lecture 11 INF4140 (22.11.12) Asynchronous Communication 2 Lecture 11 1 / 37 Overview: Last time semantics: histories and trace sets specification: invariants
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationProgram Composition in Isabelle/UNITY
Program Composition in Isabelle/UNITY Sidi O. Ehmety and Lawrence C. Paulson Cambridge University Computer Laboratory J J Thomson Avenue Cambridge CB3 0FD England Tel. (44) 1223 763584 Fax. (44) 1223 334678
More informationLecture 4 Event Systems
Lecture 4 Event Systems This lecture is based on work done with Mark Bickford. Marktoberdorf Summer School, 2003 Formal Methods One of the major research challenges faced by computer science is providing
More informationUniversity of California. Berkeley, CA fzhangjun johans lygeros Abstract
Dynamical Systems Revisited: Hybrid Systems with Zeno Executions Jun Zhang, Karl Henrik Johansson y, John Lygeros, and Shankar Sastry Department of Electrical Engineering and Computer Sciences University
More informationFunctional Database Query Languages as. Typed Lambda Calculi of Fixed Order. Gerd G. Hillebrand and Paris C. Kanellakis
Functional Database Query Languages as Typed Lambda Calculi of Fixed Order Gerd G. Hillebrand and Paris C. Kanellakis Department of Computer Science Brown University Providence, Rhode Island 02912 CS-94-26
More informationA Recursion Combinator for Nominal Datatypes Implemented in Isabelle/HOL
A Recursion Combinator for Nominal Datatypes Implemented in Isabelle/HOL Christian Urban and Stefan Berghofer Technische Universität München {urbanc,berghofe}@in.tum.de Abstract. The nominal datatype package
More informationEvery formula evaluates to either \true" or \false." To say that the value of (x = y) is true is to say that the value of the term x is the same as th
A Quick and Dirty Sketch of a Toy Logic J Strother Moore January 9, 2001 Abstract For the purposes of this paper, a \logic" consists of a syntax, a set of axioms and some rules of inference. We dene a
More informationRamsey s Theorem in ProofPower (Draft)
A1 L E M M Lemma 1 Ltd. c/o Interglossa 2nd Floor 31A Chain St. Reading Berks RG1 2HX Ramsey s Theorem in ProofPower (Draft) Abstract This paper is concerned with a ProofPower-HOL proof of the finite exponent
More informationBehavioural theories and the proof of. LIENS, C.N.R.S. U.R.A & Ecole Normale Superieure, 45 Rue d'ulm, F{75230 Paris Cedex 05, France
Behavioural theories and the proof of behavioural properties Michel Bidoit a and Rolf Hennicker b b a LIENS, C.N.R.S. U.R.A. 1327 & Ecole Normale Superieure, 45 Rue d'ulm, F{75230 Paris Cedex 05, France
More informationEssentially based on Paramodulation [14], various renements for the ecient
Model Elimination with Basic Ordered Paramodulation Max Moser 1? Christopher Lynch 2 Joachim Steinbach 1? 1 Institut fur Informatik, Technische Universitat Munchen 80290 Munchen, Germany, Phone: +49-89/521096,
More informationA Termination Checker for Isabelle Hoare Logic
A Termination Checker for Isabelle Hoare Logic Jia Meng 1, Lawrence C. Paulson 2, and Gerwin Klein 3 1 National ICT Australia jia.meng@nicta.com.au 2 Computer Laboratory, University of Cambridge lp15@cam.ac.uk
More informationPart IV Basic procs 131 Chapter 10 Possible delay, Delay, Prex In this chapter the procs pdly, dly and pref are introduced. Those procs make it possible to compare chronicles in several ways. Important
More informationElectronic Notes in Theoretical Computer Science 18 (1998) URL: 8 pages Towards characterizing bisim
Electronic Notes in Theoretical Computer Science 18 (1998) URL: http://www.elsevier.nl/locate/entcs/volume18.html 8 pages Towards characterizing bisimilarity of value-passing processes with context-free
More informationDefault Reasoning and Belief Revision: A Syntax-Independent Approach. (Extended Abstract) Department of Computer Science and Engineering
Default Reasoning and Belief Revision: A Syntax-Independent Approach (Extended Abstract) Dongmo Zhang 1;2, Zhaohui Zhu 1 and Shifu Chen 2 1 Department of Computer Science and Engineering Nanjing University
More informationAlon Orlitsky. AT&T Bell Laboratories. March 22, Abstract
Average-case interactive communication Alon Orlitsky AT&T Bell Laboratories March 22, 1996 Abstract and Y are random variables. Person P knows, Person P Y knows Y, and both know the joint probability distribution
More informationIntroduction to Metalogic
Philosophy 135 Spring 2008 Tony Martin Introduction to Metalogic 1 The semantics of sentential logic. The language L of sentential logic. Symbols of L: Remarks: (i) sentence letters p 0, p 1, p 2,... (ii)
More informationTableau Calculus for Local Cubic Modal Logic and it's Implementation MAARTEN MARX, Department of Articial Intelligence, Faculty of Sciences, Vrije Uni
Tableau Calculus for Local Cubic Modal Logic and it's Implementation MAARTEN MARX, Department of Articial Intelligence, Faculty of Sciences, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam,
More informationEquivalence for the G 3-stable models semantics
Equivalence for the G -stable models semantics José Luis Carballido 1, Mauricio Osorio 2, and José Ramón Arrazola 1 1 Benemérita Universidad Autóma de Puebla, Mathematics Department, Puebla, México carballido,
More informationGenuine atomic multicast in asynchronous distributed systems
Theoretical Computer Science 254 (2001) 297 316 www.elsevier.com/locate/tcs Genuine atomic multicast in asynchronous distributed systems Rachid Guerraoui, Andre Schiper Departement d Informatique, Ecole
More informationLogic and Philosophical Logic. 1 Inferentialism. Inferentialism and Meaning Underdetermination
Logic and Philosophical Logic Inferentialism and Meaning Underdetermination AC Paseau alexanderpaseau@philosophyoxacuk 28 January 2019 In the rst half of today's class, we looked at Tarski's account of
More informationLinguistics and logic of common mathematical language I. Peter Koepke and Merlin Carl, Mathematical Institute Universität Bonn
The NAPROCHE Project Linguistics and logic of common mathematical language I Peter Koepke and Merlin Carl, Mathematical Institute Universität Bonn Mathematical texts are formulated in a semi-formal language,
More informationA Three-Level Analysis of a Simple Acceleration Maneuver, with. Uncertainties. Nancy Lynch. MIT Laboratory for Computer Science
A Three-Level Analysis of a Simple Acceleration Maneuver, with Uncertainties Nancy Lynch MIT Laboratory for Computer Science 545 Technology Square (NE43-365) Cambridge, MA 02139, USA E-mail: lynch@theory.lcs.mit.edu
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationA Preference Semantics. for Ground Nonmonotonic Modal Logics. logics, a family of nonmonotonic modal logics obtained by means of a
A Preference Semantics for Ground Nonmonotonic Modal Logics Daniele Nardi and Riccardo Rosati Dipartimento di Informatica e Sistemistica, Universita di Roma \La Sapienza", Via Salaria 113, I-00198 Roma,
More informationLecture Notes on Certifying Theorem Provers
Lecture Notes on Certifying Theorem Provers 15-317: Constructive Logic Frank Pfenning Lecture 13 October 17, 2017 1 Introduction How do we trust a theorem prover or decision procedure for a logic? Ideally,
More informationExtremal problems in logic programming and stable model computation Pawe l Cholewinski and Miros law Truszczynski Computer Science Department Universi
Extremal problems in logic programming and stable model computation Pawe l Cholewinski and Miros law Truszczynski Computer Science Department University of Kentucky Lexington, KY 40506-0046 fpaweljmirekg@cs.engr.uky.edu
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationA Proof Presentation Suitable for Teaching Proofs. Dept. of Science Education. Haifa, Israel 32000
A Proof Presentation Suitable for Teaching Proofs Erica Melis Universitat des Saarlandes, Fachbereich Informatik 66041 Saarbrucken melis@cs.uni-sb.de Uri Leron Dept. of Science Education Technion Inst.
More information