Office National d'Etudes et de Recherches Aerospatiales
Centre d'Etudes et de Recherche de l'Ecole Nationale Superieure de l'Aeronautique et de l'Espace a Toulouse

Programming Communicating Distributed Reactive Automata: the Weak Synchronous Paradigm

Frederic Boniol, Martin Adelantado

Publication presented at: IFIP WG10.3 International Conference on Decentralized and Distributed Systems, ICDDS'93, September 15-17, 1993, Palma de Mallorca, Spain.

Departement d'Etudes et de Recherches en Informatique, 2, avenue Edouard Belin, BP 4025, Toulouse Cedex.
Programming Communicating Distributed Reactive Automata: the Weak Synchronous Paradigm

Frederic Boniol and Martin Adelantado
CERT-ONERA, Dept. d'Informatique, BP 4025, Toulouse Cedex, France.

(This research was carried out in the context of the project SATURNE (Synchronous Any-Time coupling for Real-time reasoning design), supported by the French Ministry of Defence.)

Abstract

The aim of this paper is to present a new paradigm for reactive and real-time distributed programming: weak synchronism. We define a small language for communicating reactive automata, and characterize it by an operational semantics. We show that weak synchronism provides a deterministic semantics of concurrency and allows physically distributed implementations. This weak synchronous paradigm can then be extended to real-time programming by defining a more general paradigm, the strong-weak synchronous coupling.

Keyword codes: D.1.3; F.3.2; F.4.3
Keywords: Concurrent Programming; Semantics of Programming Languages; Formal Languages.

1. Introduction: Real-Time and Reactive Systems

The concept of reactive system was introduced by D. Harel and A. Pnueli in [8] to describe systems which maintain a continuous interaction with their environment. D. Harel and A. Pnueli propose a dichotomy between what they call transformational and reactive systems. On the one hand, a transformational system accepts inputs, performs transformations on them, and produces outputs. Globally speaking, transformational systems are well described by a relation between input and output values. They perform input/output operations, perhaps prompting a user from time to time to provide extra information. On the other hand, a reactive system is repeatedly prompted by the outside world and its role is to continuously respond to external inputs. More generally, a reactive system does not compute a function from initial to final states, but is supposed to maintain a permanent interaction with its environment, reacting to events coming from this environment by sending events and commands to it. The time at which each new event arrives is relevant to the behaviour. Such systems are said to be event-driven.

Examples include digital watches, man/machine interfaces, silicon chips, robots, communication networks, video games, and more generally all kinds of real-time process controllers. It is often convenient to consider real-time systems as composed of three layers. The first one is an interface with the environment that is in charge of input reception and output production. It transforms external physical events into internal logical ones and
conversely. The second one is a reactive subsystem that contains the logical and temporal control of the system. It handles the logical inputs and decides, with respect to the current time, what outputs and what actions must be generated in reaction to the environment. The last one is a set of transformational tasks that perform classical computations requested by the reactive subsystem. From this point of view, the reactive part is one of the most critical, and needs particular attention.

Temporal and Logical Safety: by construction, the reactive part of a real-time system contains the temporal and logical control of the whole application, and therefore requires (a) logical properties, i.e. respect of the input/output specification, and (b) temporal properties, i.e. respect of the timing constraints. In this sense, the development of techniques that could help to design such reactive systems, and to prove their logical and temporal correctness, is one of the most relevant aims of real-time programming.

Concurrency: from an architectural point of view, the reactive part of a real-time system is generally composed of concurrent communicating subunits, either for geographical requirements, or for safety and fault tolerance criteria. This requires means of expressing concurrency within specification and programming languages, and also within their execution model.

Determinism: the behaviour of a critical real-time application must be as predictable as possible. This means that the behaviour of its reactive part must be reproducible, and hence deterministic. Purely sequential systems are obviously deterministic. However, determinism does not mean sequentiality. On the contrary, as noted above, reactivity often means concurrency. This requires a deterministic semantics of communication and concurrency within programming languages, and also within their execution model.
The literature on real-time systems is unanimous in recognizing the difficulty of specifying complex and critical reactive systems. Transformational description techniques are not available for reactive systems. One needs more specific specification languages, tools and methods. Several asynchronous solutions have been proposed to this problem: Petri Nets, CSP (C.A.R. Hoare), CCS (R. Milner), ... But, due to an asynchronous concurrency semantics generally based on an interleaving principle, most of these solutions are non-deterministic. The time at which outputs are delivered is not predictable. Reactivity and response time cannot be guaranteed. Another approach involves strong synchronous languages: Esterel [4], Statecharts [7], ... They consider ideal reactive systems that produce outputs synchronously with inputs, their reactions taking no observable time. This approach is interesting in the sense that it tackles real-time and reactive programming in a formal and deterministic way. Nevertheless, "to take no time" has to be understood in the sense that the environment remains invariant during reactions and communications. Such a hypothesis provides a powerful way to produce centralized reactive processes. But it is rather unrealistic in the area of distributed applications, where by definition communication time cannot be neglected. However, as noted above, on the one hand, real-time often means parallel or distributed programming. On the other hand, real-time requires predictable behaviours and hence deterministic programming languages. In this
sense, neither strong synchronism nor asynchronism is an adequate answer for real-time programming. We explore in this article a third approach to reactive and real-time programming: weak synchronism. We consider reactive systems (a) that have an internal clock, (b) that react exactly at each "tick" of the clock, and (c) that produce outputs exactly one time unit after inputs, their reactions taking exactly one time unit. This approach is interesting in that it provides another synchronous programming style, between pure synchronous and asynchronous languages. It provides a formal specification technique for critical reactive systems, avoiding the non-determinism difficulties met in the asynchronous approach, and permitting distributed implementation, unlike the strong synchronous one. We illustrate the weak synchronous paradigm by defining a small language, CoReA, for programming communicating and distributed reactive automata. In giving the semantics of CoReA, we show how a distributed reactive network may be designed, formally and deterministically, by a strong and weak synchronous coupling.

This paper is organized as follows. Section 2 presents a brief state of the art of reactive programming techniques. We discuss the advantages and drawbacks of several asynchronous solutions, of the strong synchronous one, and of a more recent approach proposed by G. Berry in [5], coupling Esterel and CSP. Section 3 is devoted to an informal presentation of the weak synchronous paradigm. Section 4 defines the CoReA language, first informally, and then by defining its abstract syntax and its operational semantics. We present in the following section the strong-weak synchronous paradigm as a generalization of CoReA, and discuss the relevance of this approach.

2. Reactive Programming: Related Work

Asynchronous Approaches

Several "asynchronous" solutions have been proposed to the problem of reactive programming:

Deterministic automata are often used to program relatively small reactive kernels. They are mathematically well-known, and allow non-trivial correctness proofs by automatic tools (such as model checkers or bisimulation tools). However, the human design and maintenance of automata turns out to be very difficult. Furthermore, automata are purely sequential and do not support concurrency and hierarchy.

Petri Nets or Petri-Net based formalisms (such as GRAFCET) are widely used in the area of programmable controllers. They support concurrency. However, they are often characterized by a non-deterministic semantics of concurrency, and lack modular structure. They do not scale up well to big systems.

Concurrent programming languages such as Ada or Occam are more elaborate. They permit hierarchical, modular and concurrent program development. However, because of the asynchronous nature of task units, they are essentially asynchronous and non-deterministic. Although a communication is seen as a synchronization between two processes, the time taken between the possibility of communication and its actual achievement can be arbitrary. Furthermore, when several communications can take place, their actual order is also arbitrary. Thus the semantics of the time-handling primitives of these languages is non-deterministic and somewhat vague. Execution times are unpredictable, implying difficulties in proving correctness properties.

More generally, asynchronous techniques force the user to choose between determinism and concurrency, for they base concurrency on asynchronous implementation models where processes non-deterministically compete for computing resources. This leads to the problem of the temporal interpretation of programs. Temporal primitives such as watchdogs (e.g. "do a task in less than 3 seconds") have only tentative meanings, for nothing forces them to be accurately executed. In this sense, temporal correctness cannot be rigorously proved, and reactivity cannot be guaranteed.

The Strong Synchronous Approach

In order to avoid the previously mentioned problems, a more recent approach called "strong synchronism" has been proposed by D. Harel and G. Berry in Statecharts [7] and Esterel [4] respectively. This approach is based on the strong synchronous hypothesis [3]: each reaction of a reactive system is assumed to be instantaneous, i.e. takes no time. Such ideal reactive systems produce outputs synchronously with their inputs, their reactions taking no observable time. To "take no time" has to be understood in two ways. First, a reaction takes no time with respect to the external environment, i.e. the environment remains invariant during the reaction. Second, each subprocess also takes no time with respect to any other subprocess; all subprocesses react instantly at the same time. Then, inter-process communication is performed by instantaneous broadcasting, and all subprocesses share the same environment. This provides a deterministic semantics of concurrency, and a formal, straightforward interpretation of temporal statements. The watchdog "await 10 SECOND" lasts exactly 10 seconds.
In the same way, a sequence of two processes "P1; P2" means that P2 begins exactly when P1 ends. Thus, the statement "await 10 METER; P1" (written in the Esterel style) means that the subprocess P1 starts exactly when the 10th occurrence of event "METER" arrives. However, in order to guarantee the strong synchronous hypothesis as far as possible, synchronous programs are compiled into deterministic sequential automata. This yields excellent run-time efficiency and predictability. Performance is often as good as that of carefully hand-written code. Nevertheless, such results are not available in the area of distributed reactive programming. The reactive systems we are interested in are potentially loosely coupled and therefore cannot be implemented by a single sequential automaton.

Asynchronous-Synchronous Coupling: Esterel+CSP

A third approach, based on a coupling between the two approaches above, has been proposed recently by G. Berry [5]. The general idea is to describe a distributed reactive system as a network of communicating reactive kernels. Each kernel is a strong synchronous program (Esterel), while communication rules between kernels follow the CSP style, i.e. are based on the "one to one" rendezvous paradigm. Nevertheless, because of the asynchronous semantics of communication and concurrency in CSP, the Esterel+CSP approach again yields a non-deterministic semantics, and hence non-predictable temporal behaviours for the whole system.

We propose in this article another approach to reactive programming, the weak synchronous paradigm, between asynchronism and strong synchronism, and preserving two of the most important features of these two: determinism and concurrency. We then show, like Esterel+CSP, that a distributed reactive system can be described as a network of strong synchronous communicating reactive kernels, but unlike it, with communication between kernels based on the weak synchronous paradigm, yielding predictability. The next parts are devoted to the description of the weak synchronous paradigm.

3. The Weak Synchronous Paradigm

The idea of weak synchronism was initially proposed by R. Milner in his synchronous calculus SCCS [9], and more recently by Clarke et al. in the area of hardware controllers and digital circuits [6]. In this article we adapt this approach to real-time distributed programming. The main idea we develop is, as in the strong synchronous one, to control physical time by controlling communication and execution time. But, contrary to the strong one, we assume in our model that reactions take exactly a constant, strictly positive duration. In other words, inputs and outputs are separated by one constant time unit. For instance, execution at time t of the broadcast statement "emit E" produces exactly at time t + 1 an occurrence of event E. Consequently, we consider weak reactive systems (a) that have an explicit notion of time, i.e. an internal clock, (b) that react exactly at each "tick" of the clock, and (c) that broadcast outputs exactly one time unit after receiving inputs. At a clock transition, the system examines its input signals and computes accordingly its new internal state and the outputs that it will produce at the next tick. In that sense, the system operates exactly like an abstract machine in which the next state is computed instantaneously and in which changing state and broadcasting outputs require waiting for the next clock tick.
As with the strong synchronous hypothesis, weak synchronism provides a deterministic semantics of concurrency. By definition, parallel subprocesses of a reactive system share the same internal clock. They react simultaneously at each clock transition and produce at the next tick a global internal state and a global output by adding the results of their respective reactions.

4. Weak Synchronous Communicating Reactive Automata

We define formally a small calculus, called CoReA, for programming communicating reactive automata, extending the classical formalism of finite state machines in two directions: concurrency, and communication by broadcast. CoReA is a weak synchronous subset of Statecharts, a concurrent event-driven language proposed by D. Harel in [7].

Informal Ideas

At the highest level, a CoReA program is seen as a parallel composition of sequential automata. The specification of evolutions is described by transitions between states of each automaton. A transition is labelled by a guard, and by an action which is executed just after the transition has been taken. A transition is taken if and only if its guard holds and its original state is occupied. Its action is then executed, its original state is left, and its goal state is reached.

Let us consider, for example, the specification of a process controlling a simple level crossing system, described in figure 1. An event train is emitted whenever the train enters or exits the level crossing area. The system then sends commands to the barriers, and waits for acknowledgments. Such a process could be seen as a parallel composition of two automata. The first one describes the module listening to events train and sending commands to the barriers. The second one describes the module checking that the barriers obey the first automaton. It listens to the commands sent to the barriers, and waits for acknowledgments. Whenever acknowledgments do not come back in time (at most two seconds after up or down), alarm messages are broadcast, warning that the barriers are possibly in the wrong position.

[Figure 1. Level crossing: two automata, the first with transitions labelled train/down and train/up, the second with transitions labelled down, sec, down_ack, sec/alarm, up, up_ack, sec/alarm.]

By definition, weak reactive systems are assumed to have an internal clock. Input events and output events are separated by one internal time unit. They react at each internal clock tick to all the external changes occurring during the one time unit elapsed since the last tick, and to the events generated by the system itself during the last reaction. Assuming this general semantics, we present informally the semantics of the elements of the language.

Transition

Transitions of each automaton are labelled by guards and actions. A guard is a logical formula composed of events, using conjunction, disjunction and negation. Events are emitted by the environment or by the system itself. They are seen at each internal clock tick. A transition labelled with "a ∧ b" (resp. "a ∨ b") is taken whenever a and b (resp. a or b) occur at the same tick. A transition labelled with "¬a" can be taken whenever a does not occur. An action is a set of events broadcast simultaneously to the environment and to the other automata one time unit after taking the transition. For instance, suppose that an event train is emitted at t = 0 (i.e. a train is entering the level crossing area); the first automaton reacts by taking its first transition and
by broadcasting at t = 1 the event down to the second automaton and to the external environment. Then at t = 1 the second automaton reacts by taking its first transition and by waiting at t = 2 for the events sec or down_ack.

Parallel Decomposition

Parallel automata are executed synchronously. At each tick, all automata that can take a transition do so simultaneously. Events emitted by a transition taken at t are broadcast to all other automata and to the environment at t + 1. Furthermore, for conciseness, we suppose in this article that each event emitted by transitions or by the environment is seen everywhere. Events are considered as output and input with respect to the whole system and its environment.

Abstract Syntax

A program P is a parallel composition of sequential automata A, defined classically a la CCS by:

$$P ::= A \mid A \parallel P$$
$$A ::= \mathit{nil} \mid X \mid g/O\;A \mid A + A \mid \mathit{fix}(X = A) \quad \text{s.t. } A \neq X,\; A \neq X + A' \text{ and } X \text{ free in } A$$

where nil denotes an automaton which does nothing; + is the CCS non-deterministic fork operator; X is a variable for recursive definition, belonging to a variable alphabet. The term g/O A denotes an automaton composed of one initial state and a transition leaving this state, labelled by g/O and leading to the new automaton A. The term fix(X = P) stands for a program that behaves like P until the state variable X is reached, and then behaves like fix(X = P) again.

Let E be a finite alphabet of events. Labels of transitions are composed of a crossing guard g, and a set O ⊆ E of events broadcast one time unit after taking the transition. Crossing guards g are formulas of an event calculus: g is either (a) the constant event tick, which is always present, or (b) an event of E, or (c) a logical composition of guards (2):

$$g ::= \mathit{tick} \mid \mathit{event} \mid g \wedge g \mid \neg g \qquad (\mathit{event} \in E),\qquad O \subseteq E$$

For example, the process controlling the level crossing described in figure 1 can be written in CoReA as:

$$P = \mathit{fix}(X = \mathit{train}/\{\mathit{down}\}\;\mathit{train}/\{\mathit{up}\}\;X) \;\parallel\; \mathit{fix}(X = \mathit{down}/\emptyset\;(\,(\mathit{sec}/\emptyset\;((\mathit{down\_ack}/\emptyset\;A) + (\mathit{sec}/\{\mathit{alarm}\}\;A))) + (\mathit{down\_ack}/\emptyset\;A)\,))$$

with

$$A = \mathit{up}/\emptyset\;(\,(\mathit{sec}/\emptyset\;((\mathit{up\_ack}/\emptyset\;X) + (\mathit{sec}/\{\mathit{alarm}\}\;X))) + (\mathit{up\_ack}/\emptyset\;X)\,)$$

(2) For conciseness, we take the logical operators ¬ and ∧ as primitive. The others can be introduced as abbreviations in the usual way.
A reactive system is composed of two communicating agents: a reactive program and an environment. As defined above, programs are composed of parallel communicating automata broadcasting at each tick events to the other automata. Then at each tick, each automaton A_i reacts to its own input events. We call this set of input events the environment of A_i.

Definition 4.1 At each tick t, to each automaton A is associated a set Env ⊆ E. Env is called the environment of A at t. An event belongs to Env iff it is an input event of A at t.

Definition 4.2 Let P = A_1 ‖ ... ‖ A_n be a CoReA program. We define an n-environment of P as a term Env = (Env_1 | ... | Env_n) composed of n subsets of E. For i = 1, ..., n, Env_i is the input environment of A_i. We then define a reactive process as a term (Env P) standing for the program P reacting to the n-environment Env.

Operational Semantics

We define below the operational semantics of CoReA by a set of Plotkin rewrite rules (3).

Guards

A guard is a logical composition of events. The truth of a guard g depends on the set of input events. We write Env ⊨ g to mean that the guard g is valid over the environment Env. We define ⊨ inductively on the structure of guards:

$$\begin{aligned}
&\mathit{Env} \models \mathit{tick} \\
&\mathit{Env} \models \mathit{event} && \text{iff } \mathit{event} \in \mathit{Env} \\
&\mathit{Env} \models g_1 \wedge g_2 && \text{iff } \mathit{Env} \models g_1 \text{ and } \mathit{Env} \models g_2 \\
&\mathit{Env} \models \neg g && \text{iff it is not the case that } \mathit{Env} \models g
\end{aligned}$$

Sequential Automata

In giving meaning to our language, we first define the semantics of sequential automata A. In the following, we write $A \xrightarrow[\mathit{Env}]{O} A'$ to mean that an automaton A reacts to a set of input events Env by broadcasting a set of output events O, and then becomes a new automaton A'. We write $A \not\to_{\mathit{Env}}$ to mean that A does not react to Env. This relation characterizes the semantics of automata. It is defined below inductively on the syntactical structure of automata.

Transition

A transition is taken iff its guard is valid over the set of input events. The automaton g/O A then becomes the automaton A, and the output events O are broadcast:

$$\frac{\mathit{Env} \models g}{g/O\;A \xrightarrow[\mathit{Env}]{O} A} \qquad (1)$$

(3) One writes $\dfrac{H_1 \;\cdots\; H_n}{C}$ to mean that $H_1 \wedge \cdots \wedge H_n \Rightarrow C$.
Fork

For conciseness, and in order to be as simple as possible, we define + by the CCS non-deterministic semantics (4):

$$\frac{A_1 \xrightarrow[\mathit{Env}]{O} A_1'}{A_1 + A_2 \xrightarrow[\mathit{Env}]{O} A_1'} \qquad (2) \qquad\qquad \frac{A_2 \xrightarrow[\mathit{Env}]{O} A_2'}{A_1 + A_2 \xrightarrow[\mathit{Env}]{O} A_2'} \qquad (3)$$

Recursion

The automaton fix(X = A) reacts as A in which X is substituted by fix(X = A):

$$\frac{A\{\mathit{fix}(X = A)/X\} \xrightarrow[\mathit{Env}]{O} A'}{\mathit{fix}(X = A) \xrightarrow[\mathit{Env}]{O} A'} \qquad (4)$$

Communicating Reactive Automata

According to the weak synchronous paradigm, weak reactive systems react synchronously with a global clock. The operational semantics of the whole of CoReA is defined by a relation ⇒. We write $(\mathit{Env}\;P) \overset{O}{\Longrightarrow} (\mathit{Env}'\;P')$ to mean that the reactive process (Env P) becomes at the next tick the reactive process (Env' P'), and broadcasts at the next tick the output events O. Unlike the relation →, which describes the instantaneous reaction of sequential automata to input events, the relation ⇒ characterizes the dynamic evolution of a reactive system as time runs. Thus, for each reactive process (Env P), there is always at least one reactive process (Env' P') such that $(\mathit{Env}\;P) \overset{O}{\Longrightarrow} (\mathit{Env}'\;P')$: time cannot stop. The relation ⇒ is defined by the following rules.

Single Automaton

A reactive process composed only of one sequential automaton A reacts as the latter does. If A reacts to a set of input events Env by becoming A', then (Env A) becomes at the next tick (Env' A'), where Env' is the set of input events broadcast by the external world:

$$\frac{\forall \mathit{Env}' \subseteq E, \quad A \xrightarrow[\mathit{Env}]{O} A'}{(\mathit{Env}\;A) \overset{O}{\Longrightarrow} (\mathit{Env}'\;A')} \qquad (5)$$

(4) We have claimed in previous sections that reactive systems must be as deterministic as possible. However, note that this non-determinism disappears when considering deterministic strong synchronous programs instead of pure CoReA sequential automata (cf. next section).
$$\frac{\forall \mathit{Env}' \subseteq E, \quad A \not\to_{\mathit{Env}}}{(\mathit{Env}\;A) \overset{\emptyset}{\Longrightarrow} (\mathit{Env}'\;A)} \qquad (6)$$

Weak Synchronous Concurrency

Let P = (A_1 ‖ ... ‖ A_n) be a CoReA program composed of n communicating sequential automata, and let Env = (Env_1 | ... | Env_n) be an environment of P. At each tick, all automata react simultaneously to their own environment, broadcast output events to the other automata and to the external world, and share at the next tick the same input events Env' emitted by the external world. Concurrency is deterministic, and communications between automata are simultaneous and take one time unit:

$$\frac{(\mathit{Env}_1\;A_1) \overset{O_1}{\Longrightarrow} (\mathit{Env}'\;A_1') \quad\cdots\quad (\mathit{Env}_n\;A_n) \overset{O_n}{\Longrightarrow} (\mathit{Env}'\;A_n')}{((\mathit{Env}_1 \mid \cdots \mid \mathit{Env}_n)\;(A_1 \parallel \cdots \parallel A_n)) \overset{\bigcup_i O_i}{\Longrightarrow} ((\mathit{Env}' \cup \bigcup_{i \neq 1} O_i \mid \cdots \mid \mathit{Env}' \cup \bigcup_{i \neq n} O_i)\;(A_1' \parallel \cdots \parallel A_n'))} \qquad (7)$$

We can then define the whole behaviour of a program P = (A_1 ‖ ... ‖ A_n) by a labelled transition system $[\![P]\!]_W \overset{\mathit{def}}{=} (\mathcal{P}_n, 2^E, p_0, \Longrightarrow)$, where $\mathcal{P}_n$ is the set of reactive processes composed of n sequential automata, $2^E$ the powerset of E, ⇒ the relation defined above and $p_0$ the initial process:

$$\mathcal{P}_n \overset{\mathit{def}}{=} \{((\mathit{Env}_1' \mid \cdots \mid \mathit{Env}_n')\;(A_1' \parallel \cdots \parallel A_n')) \text{ s.t. } \mathit{Env}_i' \subseteq E \text{ and } A_i' \text{ sequential automata}\}$$
$$p_0 \overset{\mathit{def}}{=} ((\emptyset \mid \cdots \mid \emptyset)\;(A_1 \parallel \cdots \parallel A_n))$$

E being finite, $[\![P]\!]_W$ is a finite labelled transition system, and characterizes the whole semantics of CoReA.

5. Extension to a Strong-Weak Synchronous Coupling

As noted in section 2, the human design and maintenance of sequential and flat automata, such as CoReA sequential automata, turns out to be very difficult. We therefore propose in this section to improve both weak and strong synchronism by defining a more relevant paradigm: strong-weak synchronism. CoReA is extended by considering strong synchronous programs (Esterel, Lustre, ...) instead of sequential automata.
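Before turning to the coupling, the semantics of section 4 (the abstract syntax, the guard relation ⊨ and rules (1) to (7)) can be executed on the level crossing program of figure 1. The simulator below is an added example, not the paper's code: the constructor names (tr, fork, fix, ev, ...), the tuple encoding of terms, and the convention that the tick-0 environment is the first external set are this example's own assumptions. It goes slightly beyond the text by enumerating every successor when a '+' has both branches enabled, which is the non-determinism footnote 4 refers to.

```python
"""Weak synchronous simulator for CoReA terms (added example; not the paper's own code).

Terms follow the abstract syntax of section 4:  A ::= nil | X | g/O A | A + A | fix(X = A)
Guards:  g ::= tick | event | g and g | not g.  Event sets are frozensets of strings.
The step relation implements rules (1)-(7); constructor names are this example's own."""
from itertools import product

NIL, TICK = ("nil",), ("tick",)
def var(x): return ("var", x)                                   # state variable X
def tr(g, outs, nxt): return ("tr", g, frozenset(outs), nxt)    # g/O A
def fork(a, b): return ("sum", a, b)                            # A + A (CCS choice)
def fix(x, body): return ("fix", x, body)                       # fix(X = A)
def ev(e): return ("ev", e)                                     # an event of E
def conj(g1, g2): return ("and", g1, g2)
def neg(g): return ("not", g)

def sat(env, g):
    """env |= g, by induction on the structure of the guard."""
    if g[0] == "tick": return True
    if g[0] == "ev": return g[1] in env
    if g[0] == "and": return sat(env, g[1]) and sat(env, g[2])
    return not sat(env, g[1])

def subst(term, x, repl):
    """A{repl/X}: replace free occurrences of X; an inner fix(X = ...) rebinds X."""
    k = term[0]
    if k == "var": return repl if term[1] == x else term
    if k == "tr": return ("tr", term[1], term[2], subst(term[3], x, repl))
    if k == "sum": return ("sum", subst(term[1], x, repl), subst(term[2], x, repl))
    if k == "fix": return term if term[1] == x else ("fix", term[1], subst(term[2], x, repl))
    return term

def react(term, env):
    """All (O, A') with A --O--> A' under env (rules 1-4); an empty list means A does not react."""
    k = term[0]
    if k == "tr": return [(term[2], term[3])] if sat(env, term[1]) else []   # rule (1)
    if k == "sum": return react(term[1], env) + react(term[2], env)           # rules (2), (3)
    if k == "fix": return react(subst(term[2], term[1], term), env)           # rule (4)
    return []                                                                # nil and X

def step(proc, ext):
    """One tick of the reactive process proc = ((Env_1|...|Env_n) (A_1||...||A_n)), given
    the events ext that the outside world emits at the next tick (Env' of rules 5-7).
    Returns every possible (O, proc'): O is the union of the O_i, automaton k then sees
    ext plus the outputs of the *other* automata (rule 7), and an automaton that cannot
    react keeps its term and emits nothing (rule 6)."""
    choices = [react(a, env) or [(frozenset(), a)] for env, a in proc]
    results = []
    for combo in product(*choices):
        outs = [o for o, _ in combo]
        nxt = tuple((frozenset(ext).union(*(o for i, o in enumerate(outs) if i != k)), a)
                    for k, (_, a) in enumerate(combo))
        results.append((frozenset().union(*outs), nxt))
    return results

def run(program, external):
    """Every output trace of program when the outside world emits external[t] at tick t;
    trace[t] is the set broadcast by the program at tick t.  A deterministic program gives
    one trace; a '+' whose two branches are enabled at the same tick gives several
    (footnote 4).  Assumption: the tick-0 environment is external[0] rather than the
    empty p_0 of the paper, so that the figure 1 scenario starts with train at t = 0."""
    start = tuple((frozenset(external[0]), a) for a in program)
    branches = {(start, (frozenset(),))}
    for t in range(1, len(external)):
        branches = {(nxt, seen + (outs,)) for proc, seen in branches
                    for outs, nxt in step(proc, external[t])}
    return {trace for _, trace in branches}

# The level crossing controller of figure 1, transcribed from the CoReA term of section 4.
X = var("X")
BARRIER_CTRL = fix("X", tr(ev("train"), {"down"}, tr(ev("train"), {"up"}, X)))
A_UP = tr(ev("up"), (), fork(tr(ev("sec"), (), fork(tr(ev("up_ack"), (), X),
                                                  tr(ev("sec"), {"alarm"}, X))),
                            tr(ev("up_ack"), (), X)))
WATCHDOG = fix("X", tr(ev("down"), (), fork(tr(ev("sec"), (), fork(tr(ev("down_ack"), (), A_UP),
                                                                  tr(ev("sec"), {"alarm"}, A_UP))),
                                            tr(ev("down_ack"), (), A_UP))))
LEVEL_CROSSING = (BARRIER_CTRL, WATCHDOG)

def alarm_ticks(external):
    """Ticks at which 'alarm' is broadcast: one tuple per possible trace, sorted."""
    return sorted(tuple(t for t, o in enumerate(trace) if "alarm" in o)
                  for trace in run(LEVEL_CROSSING, external))

if __name__ == "__main__":
    # train enters at t=0, 'sec' ticks from t=2, the barrier never acknowledges: alarm at t=4
    print(alarm_ticks([{"train"}, set(), {"sec"}, {"sec"}, {"sec"}]))             # [(4,)]
    # down_ack comes back at t=2, before any 'sec': no alarm
    print(alarm_ticks([{"train"}, set(), {"down_ack"}, {"sec"}, {"sec"}]))        # [()]
    # down_ack and sec at the same tick: both branches of '+' are enabled (footnote 4)
    print(alarm_ticks([{"train"}, set(), {"sec", "down_ack"}, {"sec"}, {"sec"}])) # [(), (4,)]
```

The third scenario is the point of footnote 4: the program is deterministic as a concurrent system (rule 7 has exactly one conclusion per set of premises), but a '+' whose two guards hold at the same tick leaves the choice open, which is what the strong-weak coupling of section 5 removes.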
According to this extension, a reactive system R is seen as a parallel composition of strong synchronous modules:

$$R ::= \mathit{StrongSynchModule} \mid \mathit{StrongSynchModule} \parallel R$$

where strong synchronous modules (SSMs) are strong synchronous programs. Furthermore, by construction, a compiler of a strong synchronous language is a function which transforms programs into finite deterministic sequential automata (see [3]). Let $[\![\cdot]\!]_S$ be this function:

$$[\![\cdot]\!]_S : \mathit{StrongSynchModule} \to \text{CoReA sequential automata}$$

Consequently, reactive systems can be transformed into CoReA programs by the function $[\![\cdot]\!]_S$ extended to concurrent systems:

$$[\![\mathit{SSM}_1 \parallel \cdots \parallel \mathit{SSM}_n]\!]_S \overset{\mathit{def}}{=} [\![\mathit{SSM}_1]\!]_S \parallel \cdots \parallel [\![\mathit{SSM}_n]\!]_S$$
According to the CoReA operational semantics, we then define the semantics of strong-weak synchronous programs by the function $[\![\cdot]\!]_{SW}$ defined by:

$$[\![R]\!]_{SW} \overset{\mathit{def}}{=} [\![\,[\![R]\!]_S\,]\!]_W$$

Strong synchronous programs being deterministic, the strong-weak synchronous coupling provides a deterministic semantics of concurrent and communicating reactive systems. The last problem is to show that such a semantics allows physical distribution. Let R be a reactive process composed of n communicating strong synchronous modules, and let N be a network composed of at least n communicating processors. Then, a way of implementing R on N could be: (a) to transform each strong synchronous module into a sequential automaton, and (b) to implement exactly one automaton on one processor. Each strong synchronous module is centralized on one single processor, and logical concurrency between strong synchronous modules is implemented by physical concurrency between processors. The problem is then to execute and synchronize each processor according to the weak synchronous paradigm. Assuming that the real communication time from one processor to another is bounded, we define in [1] an execution model of CoReA preserving the weak synchronous paradigm. The principles of this execution model are (a) to schedule the reactions of processors and the related communications such that they take minimal time, (b) to build a virtual clock such that reactions plus communications take less than one time unit of this clock, and (c) to synchronize the processors with this clock. Such an execution model then guarantees that each strong synchronous module reacts at each tick and communicates with the other modules before the next tick. We do not develop this point in this article; please refer to [1] for more explanations.

6. Conclusion and Future Trends

The starting point of the work presented in this paper is the synchronous thesis: reactive systems play an important role in real-time programming.
They differ strongly from transformational systems and require different approaches to their specification. Furthermore, an essential element in the specification or the programming of reactive systems is the need for clear, rigorous and formal behavioural description. These are the basic theses of the reactive theory developed by D. Harel and G. Berry. However, this reactive theory is essentially based on the strong synchronous paradigm. Adequate for centralized systems, strong synchronism is not relevant in the context of distributed systems, where by definition communication time cannot be neglected. Thus, firstly, we have proposed in this article a new paradigm, weak synchronism, for distributed reactive programming, yielding both determinism and distribution capabilities. Secondly, we have shown that this paradigm can easily be extended to a strong-weak synchronous coupling, yielding determinism, distribution capabilities, and also all the advantages of strong synchronous languages (modularity, abstraction, ...).

Future intelligent real-time systems will be large and complex, and will include monitoring and time-bounded decision-making capabilities. One of the most important aspects of such systems is predictability, and hence determinism. We have developed in [1] a modular
14 and hierarchical language, called SATURNE (Synchronous Any-Time coupling for Realtime reasoning design), allowing the expression of intelligent real-time applications in terms of a distributed reactive network of strong synchronous modules written in Esterel, and a set of any-time transformational tasks (i.e. being assumed to return an answer for any allocation of computation time [2]). The semantics of the reactive network is based formally on the strong-weak synchronous coupling dened in this article. The next work to be planned is to extend formally this strong-weak synchronous paradigm to a more general paradigm for real-time: Real-Time = Strong-Weak Synchronism + Any-Time Programming The main problem will be then to dene concurrency and communication between synchronous and any-time parts preserving predictability and distribution capabilities. REFERENCES 1. M. Adelantado, F. Boniol, M. Cubero-Castan, N. Hifdi, B. Lecussan, V. David, and R. Porche. Projet SATURNE : Modele de Programmation et Modele d'execution pour un Systeme Temps-Reel d'aide a la Decision. Technical Report 1/ /DER, CERT-ONERA Deptartement d'nformatique, Toulouse, January M. Adelantado, F. Boniol, V. David, B. Lecussan, and R. Porche. Predictability in Distributed ntelligent Real-Time Systems. n First EEE Workshop on Parallel and Distributed Real-Time Systems, Newport Beach, California, April A. Benveniste and G. Berry. The synchronous Approach to Reactive and Real-Time Systems. Proceedings of EEE, Another Look at Real-time programming, 79(9):1270{ 1282, September G. Berry and G. Gonthier. The Esterel Synchronous Programming Language: Design, Semantics, mplementation. Technical Report 842, NRA, May G. Berry, S. Ramesh, and R.K. Shyamasundar. Communicating Reactive Processes. n Proc. of the 20th Annual Symp. on Principles of Programming Languages, E.M. Clarke, D.E. Long, and K.L. McMillan. A Language for Compositional Speci- cation and Verication of Finite State Hardware Controllers. 
Proceedings of EEE, Another Look at Real-time programming, 79(9), September D. Harel. Statecharts: a Visual Formalism for Complex Systems. Science of Computer Programming, 8(3):231{275, D. Harel and A. Pnueli. On the Development of Reactive Systems. n Logic and Models of Concurrent Systems. Proc NATO Advanced Study nstitute on Logics and Models for Verication and Specication of Concurrent Systems (NATO AS Series F vol. 13), R. Milner. Calculi for Synchrony and Asynchrony. Theoretical Computer Science, 25(3),
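The contrast drawn in the conclusion above, between strong synchronism (communication time neglected) and weak synchronism (determinism kept while communication takes time), can be made concrete with a small simulation. The following Python program is an added example, not code from the paper or from the SATURNE project, and its modelling choices are assumptions of the example rather than the paper's formal semantics: each automaton is a Mealy machine reacting once per instant to the set of present signals; under strong composition a signal emitted in an instant is present in that same instant for every component (zero-delay broadcast, computed by iterating all reactions to a fixed point); under weak composition a signal emitted at instant n is delivered to the peers for instant n+1. The `requester`/`arbiter` handshake, the signal names and the input sequence `ENV` are constructed for the example.

```python
# Added example, not the paper's code. Modelling assumptions of this example
# (not the paper's formal definitions): an automaton is a Mealy machine over
# sets of signals; strong composition broadcasts a signal within the instant
# it is emitted (zero delay, fixed point); weak composition delivers a signal
# emitted at instant n to the peers for instant n+1.
import random
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Signals = FrozenSet[str]
Step = Callable[[str, Signals], Tuple[str, Signals]]  # (state, inputs) -> (state', outputs)

@dataclass
class Automaton:
    name: str
    step: Step
    state: str

    def react(self, present: Signals) -> Signals:
        self.state, out = self.step(self.state, present)
        return out

def requester(state: str, inp: Signals) -> Tuple[str, Signals]:
    """idle --req--> waiting (emit ask); waiting --grant--> idle (emit done).
    req and grant together can only happen under zero-delay communication,
    and then the whole handshake collapses into a single reaction."""
    if state == "idle" and "req" in inp:
        if "grant" in inp:
            return "idle", frozenset({"ask", "done"})
        return "waiting", frozenset({"ask"})
    if state == "waiting" and "grant" in inp:
        return "idle", frozenset({"done"})
    return state, frozenset()

def arbiter(state: str, inp: Signals) -> Tuple[str, Signals]:
    """Single-state server answering every ask with grant."""
    return "free", (frozenset({"grant"}) if "ask" in inp else frozenset())

def network() -> List[Automaton]:
    return [Automaton("requester", requester, "idle"), Automaton("arbiter", arbiter, "free")]

def run_strong(env: List[Signals]) -> List[Signals]:
    """Strong synchronism: each instant restarts all components from the
    instant's initial states until the set of present signals is stable."""
    autos, trace = network(), []
    for inputs in env:
        start = {a.name: a.state for a in autos}
        present = set(inputs)
        while True:
            for a in autos:
                a.state = start[a.name]
            emitted = set()
            for a in autos:
                emitted |= a.react(frozenset(present))
            if emitted <= present:
                break
            present |= emitted
        trace.append(frozenset(present - inputs))
    return trace

def run_weak(env: List[Signals], rng: random.Random) -> List[Signals]:
    """Weak synchronism: outputs of instant n are queued for instant n+1.
    rng scrambles delivery order and scheduling inside an instant, as
    separate sites would; the trace must not depend on it."""
    autos, trace = network(), []
    in_flight: List[Tuple[str, str]] = []  # (receiver, signal) emitted last instant
    for inputs in env:
        mailbox: Dict[str, set] = {a.name: set(inputs) for a in autos}
        rng.shuffle(in_flight)
        for receiver, sig in in_flight:
            mailbox[receiver].add(sig)
        in_flight, emitted = [], set()
        order = list(autos)
        rng.shuffle(order)
        for a in order:
            for sig in a.react(frozenset(mailbox[a.name])):
                emitted.add(sig)
                in_flight.extend((p.name, sig) for p in autos if p is not a)
        trace.append(frozenset(emitted))
    return trace

def weak_trace(env: List[Signals], seed: int = 0) -> List[Signals]:
    """Weak-synchronous trace under one particular delivery/scheduling order."""
    return run_weak(env, random.Random(seed))

def first_instant(trace: List[Signals], sig: str) -> int:
    """Index of the first instant emitting sig, or -1 if never."""
    return next((i for i, out in enumerate(trace) if sig in out), -1)

def weak_is_deterministic(env: List[Signals], seeds: int = 20) -> bool:
    """True if the weak trace is identical for every delivery/scheduling order tried."""
    traces = [weak_trace(env, s) for s in range(seeds)]
    return all(t == traces[0] for t in traces)

# Constructed input: the environment raises req once at instant 0, then stays silent.
ENV: List[Signals] = [frozenset({"req"})] + [frozenset()] * 4

if __name__ == "__main__":
    print("strong:", [sorted(s) for s in run_strong(ENV)])
    print("weak  :", [sorted(s) for s in weak_trace(ENV)])
    print("weak trace independent of delivery/scheduling order:", weak_is_deterministic(ENV))
```

Running the block shows the strong composition completing the whole handshake at instant 0, which presupposes that `ask` and `grant` cross the network in zero time and that every instant is closed by a global fixed-point computation over all components; the weak composition spreads `ask`, `grant` and `done` over three consecutive instants, and the trace is the same for every delivery and scheduling order tried. Determinism is thus obtained from the one-instant delay alone, without any global synchronisation within an instant, which is what lets the components run on separate sites, in line with the distribution capability claimed above.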