David C. Luckham

Specification and analysis of system architecture using Rapide

Rapide is an event-based, concurrent, object-oriented language specifically designed for prototyping system architectures. Two principle design goals are: (1) to provide constructs for defining executable prototypes of architectures and (2) to adopt an execution model in which the concurrency, synchronization, dataflow, and timing properties of a prototype are explicitly represented. This paper describes the partially ordered event set (poset) execution model and outlines with examples some of the event-based features for defining communication architectures and relationships between architectures. Various features of Rapide are illustrated by excerpts from a prototype of the X/Open distributed transaction processing reference architecture. >

An event-based architecture definition language

This paper discusses general requirements for architecture definition languages, and describes the syntax and semantics of the subset of the Rapide language that is designed to satisfy these requirements. Rapide is a concurrent event-based simulation language for defining and simulating the behavior of system architectures. Rapide is intended for modelling the architectures of concurrent and distributed systems, both hardware and software in order to represent the behavior of distributed systems in as much detail as possible. Rapide is designed to make the greatest possible use of event-based modelling by producing causal event simulations. When a Rapide model is executed it produces a simulation that shows not only the events that make up the models behavior, and their timestamps, but also which events caused other events, and which events happened independently. The architecture definition features of Rapide are described: event patterns, interfaces, architectures and event pattern mappings. The use of these features to build causal event models of both static and dynamic architectures is illustrated by a series of simple examples from both software and hardware. Also we give a detailed example of the use of event pattern mappings to define the relationship between two architectures at different levels of abstraction. Finally, we discuss briefly how Rapide is related to other event-based languages. >

An Overview of Anna, a Specification Language for Ada

The Anna approach to specification language design strengthens the existing explanatory constructs in Ada and adds new ones where there is an obvious need.

Debugging Ada Tasking Programs

Debuggers for parallel programs have to be more than passive information gatherers-they should automatically detect errors. Powerful task debuggers for Ada can be constructed by extending existing tools that detect deadlock.

Automatic program verification I: A logical basis and its implementation

SummaryDefining the semantics of programming languages by axioms and rules of inference yields a deduction system within which proofs may be given that programs satisfy specifications. The deduction system herein is shown to be consistent and also deduction complete with respect to Hoares system. A subgoaler for the deduction system is described whose input is a significant subset of Pascal programs plus inductive assertions. The output is a set of verification conditions or lemmas to be proved. Several non-trivial arithmetic and sorting programs have been shown to satisfy specifications by using an interactive theorem prover to automatically generate proofs of the verification conditions. Additional components for a more powerful verification system are under construction.

On formalised computer programs

In [2] Ianov introduced a simple abstract model of a computer program (called a program schema) based on the notion of a program as a finite linear sequence of instructions of two types: computational instructions and conditional binary transfer instructions. The transfers, controlling the order in which instructions are executed, depend on the value of propositional truth functions of a finite number of variables, the values (true or false) of which may be changed by the execution of any computation. Each computational instruction and Boolean function is uninterpreted (i.e., its meaning or interpretation is left open) so that a program schema may be thought of as representing a family of computer programs, each member being a possible interpretation of the schema. Properties of abstract schemas of this type are independent of any particular computer or programming language, and will be true of programs written in any language which possesses the basic sequential and control characteristics assumed in the model. Ianovs principal results are that there exist algorithms for deciding whether or not, under all interpretations, a given pair of schemas represent the same programs (i.e., are equivalent), and for reducing a schema to an equivalent simple canonical form. These results are concisely presented by

Verification of Array, Record, and Pointer Operations in Pascal

A practical method is presented for automating in a uniform way the verification of Pascal programs that operate on the standard Pascal data structures Array, Record, and Pointer. New assertion language primitives are introduced for describing computational effects of operations on these data structures. Axioms defining the semantics of the new primitives are given. Proof rules for standard Pascal operations on data structures are then defined using the extended assertion language. An axiomatic rule for the Pascal storage allocation operation, NEW, is also given. These rulers have been implemented in the Stanford Pascal program verifier. Examples illustrating the verification of programs which operate on list structures implemented with pointers and records are discussed. These include programs with side effects.

ANNA: a language for annotating Ada programs

ANNA is a proposed language extension of Ada to include facilities for formally specifying the intended behavior of Ada programs (or portions thereof) at all stages of program development. Anna programs are Ada programs extended by formal comments. Formal comments in ANNA consist of virtual Ada text and annotations. Anna provides annotations for all Ada constructs, including declarative annotations (for variables, subtypes, subprograms, and packages), statement annotations, annotations of generic units, exception annotations and visibility annotations. (The current Anna design does not include extensions for annotating Ada multi-tasking constructs.) Anna also includes a small number of new predefined attributes, which may appear only in annotations, e.g. the collection attribute of an access type. Since all Anna extensions appear as Ada comments, Anna programs are also legal Ada programs and acceptable by Ada translators. The semantics of annotations are defined in terms of Ada concepts; in particular, many kinds of annotations are generalizations of the Ada constraint concept. This simplifies the training of Ada programmers to use Anna for formal specification of Ada programs. Anna provides a formal framework within which different theories of formal specification may be applied to Ada. This manual also describes a translation of annotations into Ada text for run-time check of consistency with annotations.

Partial orderings of event sets and their application to prototyping concurrent, timed systems

Rapide is a concurrent object-oriented language specifically designed for prototyping large concurrent systems. One of the principle design goals has been to adopt a computation model in which the synchronization, concurrency, dataflow, and timing aspects of a prototype are explicitly represented and easily accessible both to the prototype itself and to the prototyper. This paper describes the partially ordered event set (poset) computation model, and the features of Rapide for using posets in reactive prototypes and for automatically checking posets. Some critical issues in the implementation of Rapide are described and our experience with them is summarized. An example prototyping scenario illustrates uses of the poset computation model.

Ada exception handling: an axiomatic approach

A method of documenting exception propagation and handling in Ada programs is proposed. Exception propagation declarations are introduced as a new component of Ada specifications, permitting documentation of those exceptions that can be propagated by a subprogram. Exception handlers are documented by entry assertions. Axioms and proof rules for Ada exceptions given. These rules are simple extensions of previous rules for Pascal and define an axiomatic semantics of Ada exceptions. As a result, Ada programs specified according to the method can be analyzed by formal proof techniques for consistency with their specifications, even if they employ exception propagation and handling to achieve required results (i.e., nonerror situations). Example verifications are given.