Step-wise Refinement Design Example Using LOTOS
|
|
- Adelia Logan
- 5 years ago
- Views:
Transcription
1 Step-wise Refinement Design Example Using LOTOS Luís Ferreira Pires a and Wanderley Lopes de Souza b a Tele-Informatics Group, University of Twente, PO Box 217,7500 AE Enschede, the Netherlands b GRC/DSC/CCT, Universidade Federal da Paraíba, Av. Aprígio Veloso, 882,58100 Campina Grande (Pb),Brazil Abstract The importance of a design methodology when using Formal Description Techniques is generally agreed in the scientific community. This paper presents some design principles and concepts that characterize a step-wise refinement design approach and illustrates their application on an example of a mutual exclusion access system. The relevance of this work is to provide a reference as to how design decisions during the design trajectory can be taken and represented in LOTOS specifications, and to evaluate the suitability of such techniques for use on an industrial scale. 1. INTRODUCTION LOTOS - Language Of Temporal Ordering Specification - is one of the Formal Description Techniques (FDTs) standardized by ISO [1] aiming at support of specification of OSI services and protocols. Due to its high expressive power, LOTOS is suitable for description of systems that display concurrency, distribution and synchronization. Since LOTOS is an International Standard and has therefore gained stability, it is important to explore the use of the language in the various possible application fields. The availability of methodologies and tools will enable LOTOS to be used on a large scale in the industrial and academic worlds. This paper discusses the use of LOTOS to support system implementation design, according to certain design principles, by means of a medium size non-trivial example. Our purpose is to illustrate how designers can reach a sufficiently refined specification of a system, from which an implementation could be derived. The paper is organized as follows: section 2 summarizes the main concepts (e.g. step-wise refinement and specification styles) that we make use of, relating our work to current research; section 3 presents the example problem and its more abstract formal specification; section 4 shows the step-wise refinement process applied to the specification of section 3; conclusions are drawn in section THE DESIGN PROCESS The ultimate goal of the system design process is to derive a system realization - a concrete instance of a system - that fulfils the user requirements. The design process, in the case of complex distributed and concurrent systems, is a complicated task. In order to cope with complexity the design process must be carried out in steps, characterizing a design trajectory. In each design step a more refined version of the design is elaborated. Some qualitative de
2 sign principles (orthogonality, generality and open-endedness) to evaluate designs and the way in which they are formulated have been addressed in [2]. Specification styles, as a means to guide the designer in making efficient use of language elements, is of paramount importance as a measure of the suitability of specifications for their purpose in the design trajectory. In the initial steps of a design trajectory the user requirements must be analyzed and partly formalized in an initial specification. We call this specification an architecture 1. The architecture must not contain irrelevant details such as internal structure, since these details must be subject to design at lower levels of abstraction. A realization can be obtained from the architecture by taking a set of design decisions. A good practice is to evaluate and to take a small amount of design decisions in isolation each time, producing therewith intermediate more refined specifications, until a final specification that can be mapped onto a realization in a straightforward way is reached. This final specification is called an implementation and the approach towards design in which design decisions are evaluated and taken in isolation is called step-wise refinement([3]). Nevertheless LOTOS seems to present limitations with respect to representation of concreteness, as required in the implementation. Consequently we expect that a translation from LOTOS to an implementation language (programming or hardware design language) will take place some in the design trajectory. We strive for this translation to happen at late steps, since it appears that many aspects of system functionality can be effectively represented in LOTOS throughout the design trajectory. When talking about literature, style denotes the way someone expresses himself making use of words. In our context of formal specification, style denotes the way the designer expresses the functionality of systems making use of language elements. Therefore we conclude that styles are inherent to designers, although designers have to be disciplined to make efficient use of language elements. A specification can generally be regarded as one of: (i) extensional description: representing "what" the system does, abstracting from internal structure and details; (ii) intensional description, representing "how" the system does its functions, thus showing system structure or detail. For extensional descriptions the monolithic and the constraint-oriented styles are defined; for intensional descriptions the state-oriented and the resource-oriented styles apply. Further information and examples for these styles can be found in [2]. 3. THE MUTUAL EXCLUSION ACCESS PROBLEM Our design example is a mutual exclusion access system that coordinates the access of users to a shared resource (e.g. printer, plotter). The mutual exclusion access service presents two service primitives (SPs), ME_Begin to indicate the beginning of resource access and ME_End to indicate the release of the resource. Any ME_Begin at a certain service access point (SAP) must be followed by a ME_End at the same SAP, characterizing the mutual exclusion. The user requirements state that the mutual exclusion access service users may be placed at different sites (a distributed system). This requirement means that some initial design decisions have to be taken in order to provide connectivity between users (a lower layer service) and intelligence to coordinate the mutual exclusion (protocol). Therefore service users are connected to local controllers and all the controllers are attached to a virtual ring (VR), which is their communication path ([4,5]). The privilege to access the resource is negotiated by the controllers that make use of the virtual ring to exchange state information. Depending on its left neighbour s state and its own state, each controller decides whether or not its user can access the resource. The algorithm to define the access privilege is a modified version of the one presented in [6]. Here we consider that only one controller at a time has the privilege. The controller that has the privilege may allow its user 1 The use of the term architecture in this paper may seem unconventional, but it is the same concept as in [2]
3 to access the resource; after some time this controller makes a move and changes its state, passing the privilege to its right neighbour. For further details about the algorithm we refer to [7]. The virtual ring service supports the exchange of state information between two neighbouring controllers. An S_Req service primitive (SP) at VR SAP i leads to an S_Ind at VR SAP i The ring service expects then an S_Resp SP with the requested state value at i-1, that pops up as an S_Conf SP at i. Figure 1 shows the structure of the system in terms of service boundaries and access points. User 0 User i User i+1 User N-1 u Controller 0 Controller i Controller i+1 Controller N-1 r Virtual Ring Service Provider Figure 1. System Structure in terms of Service Boundaries. We concentrate our attention on the design of a controller, since it is expected to be part of the embedded system to be produced. In the most abstract description we model the controller as a black box that interacts with its environment through gates u and r. Gate u represents the mutual exclusion (ME) SAP while gate r represents the VR SAP. Due to the fact that each controller has only one ME SAP and one VR SAP, we abstract from the identification of SAPs in the formal description. Nevertheless it is interesting to remark that combining the controllers and the virtual ring makes the identification of SAPs mandatory. Unlike [5] we do not consider failure procedures here. The architecture of the controller was specified using constraint-oriented style. The behaviour of a controller is regarded as a composition of local concerns at gate r represented in process RingConstraints and concerns related to communication between gates u and r described in process ControllerProtocol. The local constraints at gate r are described as a composition of constraints related to asking state of the left neighbour (process AskLState) and constraints related to answering state to the right neighbour (process AnswerRState). Here we require that the controller only answers its state to its right neighbour if it has asked the state of its left neighbour beforehand, since we want the privilege to circulate in the ring, and only a single controller offering access at a time (mutual exclusion). Constraints on the relationship between gates u and r represent the protocol mechanisms, i.e. how resource access is granted to the resource user. Process Controller-Protocol contains an initialization phase in which an initial state is chosen. The initial state must also comply with the requirement that only one controller in the whole mutual exclusion system has the privilege at a time. The protocol operation that follows the initialization consists of a repetition of three consecutive activities, namely trying to get the privilege, offering access to the resource user and modifying the controller state. From time to time the controller will try to get the privilege. This is modelled in the specification by an internal event, since we want to have a language element to explicitly describe this fact. After the privilege is obtained by the controller, the resource is available to the mutual exclusion service user. The controller will decide when to cease the access offer in case the user does not make use of the resource; this situation is described by an internal event modelling an access timeout. There follows the most abstract LOTOS specification of the controller. Abstract Data Type (ADT) definitions are considered to be available although they are omitted in the text for rea- 2 i {0, 1,..., N-1}; an S_Req at SAP i=0 leads to an S_Ind at SAP N-1-3 -
4 sons of brevity, but can be found in [8]. specification ME_Controller[u,r] : noexit <ADTs> behaviour RingConstraints[r] [r] ControllerProtocol[u,r] process RingConstraints[r] : noexit:= AskLState[r] AnswerRState[r] process AskLState[r] : noexit:= r!s_req ; WaitForConf[r] >> AskLState[r] process WaitForConf[r] : exit:= r?prim : RingPrim [IsNotReq(prim)] ; ( [IsConf(prim)] -> exit [] [IsNotConf(prim)] -> WaitForConf[r] ) endproc (* WaitForConf *) endproc (* AskLState *) process AnswerRState[r] : noexit:= r?prim1 : RingPrim [IsNotResp(prim1)] ; ( [IsInd(prim1)] -> r?prim2 : RingPrim [IsResp(prim2)] ; AnswerRState[r] [] [IsNotInd(prim1)] -> AnswerRState[r] ) endproc (* AnswerRState *) endproc (* RingConstraints *) process ControllerProtocol[u,r] : noexit:= choice InitialState : State [] i ; ProtocolOperation[u,r](InitialState) process ProtocolOperation[u,r](s : State) : noexit:= i ; AskPrivilege[u,r](s) >> AccessOffered[u] >> ( choice NewState : State [] [NewState ne s] -> i ; ProtocolOperation[u,r](NewState) ) process AskPrivilege[u,r](s : State) : exit:= r?prim : RingPrim [IsResp(prim) implies (s IsStateOf prim)] ; ( [IsConf(prim)] -> ( [s HasPrivilegeWith State(prim)] -> exit [] [s NoPrivilegeWith State(prim)] -> ProtocolOperation[u,r](s) ) [] [IsNotConf(prim)] -> AskPrivilege[u,r](s) ) endproc (* AskPrivilege *) process AccessOffered[u] : exit:= SingleAccess[u] [] i ; exit process SingleAccess[u] : exit:= u!me_begin ; u!me_end ; exit endproc (* SingleAccess *) endproc (* AccessOffered *) endproc (* ProtocolOperation *) endproc (* ControllerProtocol *) endspec (* ME_Controller *) 4. DESIGN STEPS In this section we discuss the design steps that lead us to intermediate specifications. In each design step we consider that there is an initial specification at some (N) level of abstraction that is transformed to a more refined specification at some (N+1) level of abstraction. Some typical design decisions to be taken at a design step are definition of internal structure, removal (or iso
5 lation) of non-determinism, or refinement of interfaces. We address in this paper the first two examples of these design decisions. When facing the problem of how to define structure, the designer has the choice of applying the principle of "separation of concerns". This principle consists of identifying (partly) independent concerns and, based on these concerns, defining cooperative components. The degree of independence of the components may determine the complexity of their interface; poor separation of concerns may lead to a highly complicated interface. The removal of non-determinism can be accomplished by refining the specification down to the details (e.g. description of algorithms). The isolation of non-determinism can be applied to aspects that cannot be formally represented with the specification language model (e.g. timing in LOTOS). When defining structure we need to express the structural decisions (components and component interactions) in our design specifications. In LOTOS we can do that using language elements such as the parallel operator and hiding of gates; the use of these language elements characterizes the resource-oriented specification style. Furthermore there are behavioural aspects of the initial architecture that will be preserved through the step-wise refinement process Resource Access Control Refinement From the analysis of the controller specification in section 3 one can identify two main streams of functionality: resource access control and handling of privilege at the ring. These two aspects can be used to define cooperative components, as shown in figure 2. Figure 2. Resource Access Control Refinement. Process AccessControl and process PrivManager communicate through gate a, considered to be internal to the controller. Although the so-generated new specification of the controller displays resource-oriented style, each of the components (PrivManager and AccessControl) will be again specified in monolithic or constraint-oriented style. Interactions at gate a indicate access enabled or disabled to process AccessControl. Process AccessControl waits until the access is enabled by PrivManager. When the access is enabled the user is given a chance to access the resource. The sequence is finished when the access is disabled either by an access timeout or by a resource access. There follows the LOTOS specification of this structure. Some processes omitted here can be found in [8]. specification ME_Controller1[u,r] : noexit <ADTs> behaviour hide a in AccessControl[u,a] [a] PrivManager[a,r] process AccessControl[u,a] : noexit:= WaitEnable[a] >> AccessOffered[u] >> WaitDisable[a] >> AccessControl[u,a]... process PrivManager[a,r] : noexit:= RingConstraints[r] [r] PrivOperation[a,r] process PrivOperation[a,r] : noexit:= choice InitialState : State [] i ; ProtocolOperation[a,r](InitialState) process ProtocolOperation[a,r](s : State) : noexit:= u AccessControl a PrivManager r - 5 -
6 i ; AskPrivilege[a,r](s) >> AccessInstance[a] >> ( choice NewState : State [] [NewState ne s] -> i ; ProtocolOperation[a,r](NewState) )... endspec (* ME_Controller1 *) 4.2. Privilege Handling Refinement In process PrivManager we can identify two concerns, namely the ring primitive handling and central management. The controller is decomposed as shown is figure 3. Figure 3. Privilege Handling Refinement. Gate m represents the interaction point between CentralManager and RingHandler. The interactions at gate m are to request (PrivReq (state)) and to respond (PrivResp (state)) to privilege. Therefore we isolate the handling of ring primitives from the evaluation of privilege states. specification PrivManager1[a,r] : noexit <ADTs> behaviour hide m in CentralManager[a,m] [m] RingHandler[m,r] process CentralManager[a,m] : noexit:= ManagConstraints[m] [m] ManagControl[a,m] process ManagConstraints[m] : noexit:= m?p1 : PrivPrim [IsPrivReq(p1)]; m?p2 : PrivPrim [IsPrivResp(p2)] ; ManagConstraints[m] endproc (* ManagConstraints *) process ManagControl[a,m] : noexit:= choice InitialState : State [] i ; ManagControlRun[a,m](InitialState)... process RingHandler[m,r] : noexit:= RingConstraints[r] [r] RingSeqHandler[m, r] process RingSeqHandler [m,r] : noexit:= WaitPrivState[m] >> accept s : State in WaitConf[r](s) >> accept s1 : State in RespPrivState[m](s1) >> RingSeqHandler[m,r]... endspec (* PrivManager1 *) 4.3. Central Manager Refinement In this design step we refine CentralManager by identifying cooperative functions that will have to be performed by this component at a lower abstraction level. These functions are state initialization, state storage, privilege request initiation, access grant (privilege algorithm) and state actualization. The structure we have chosen to reflect these functions (see figure 4) consists of processes Initialization and Memory as kinds of peripherals and process CentralControl to coordinate their operation. Process Memory interacts with its environment via either a Read(state) or u AccessControl a CentralManager m RingHandler r - 6 -
7 a Write(state) interaction. In our example the memory must be first written by an initialization component and only then can read and write operations happen in any order. Process Init performs the initialization of the memory and then halts. Process CentralControl starts a privilege request, runs the privilege algorithm eventually enabling access, and generates a new state. a Init Memory me m CentralControl Figure 4. Central Manager Refinement. specification CentralManager1[a,m] : noexit <ADTs> behaviour hide me in ( Initialization[me] CentralControl[me,a,m] ) [me] Memory[me] process Memory[me] : noexit:= me?op : MemoryOperation [IsWrite(op)] ; MemoryRun[me](State(op)) process MemoryRun[me](s : State) : noexit:= me?op: MemoryOperation [IsRead(op) implies (s IsStateOf op)] ; MemoryRun[me](State(op)) endproc (* MemoryRun *) endproc (* Memory *)... endspec (* CentralManager1 *) 4.4. Further Implementation Decisions From a certain point in the design trajectory, the design decisions are more guided by some knowledge about target realization environments, such as hardware, software, firmware or operating system resources. When dealing with hardware realization, a possibility could be to define basic hardware building blocks, which would be then specified in LOTOS. The components of our intermediate architecture can be specified as a composition of such hardware building blocks. In [8] we illustrate this idea with process AccessControl, which is structured there as a combination of a sequencer and a timer. Aspects that can still be refined in LOTOS include the algorithm that gives the access to resources. More detail about the conditions for privilege (refinement of HasPrivilegeWith) and the generation of new state can be introduced as further refinements of CentralControl, aiming at removing non-determinism due to incompleteness. So far we have considered the controller s state as a sort in the ADT definition without any structure. Nevertheless the algorithm determines that states have two components, a fixed one that indicates the controller position (Site_Id) and a counter, which is incremented every time a controller makes a move. The formal description of the state can be complemented with ADT definitions that fully describe the structure of the states, the privilege conditions and the new state values. 5. CONCLUSIONS In this paper we have considered at each point in the example s design trajectory one of the multiple possible design decisions, and have formalized them in a more refined version of the design. At each design step the resulting specification must conform to the previous one. We have tested the specifications for syntax and (static and dynamic) semantics correctness through - 7 -
8 simulation, using the SEDOS HIPPO [9] simulator tool. The novelty of the design strategy taken in this paper in comparison with the one taken in [4] for the same example in CCS (Calculus of Communicating Systems, [10]) is that here we identify components of the processes to be decomposed from concerns (functions) they relate to, while in [4] the strategy was to search for a composition of pre-defined CCS components that would be equivalent to the initial specification. We claim that the approach taken in this paper is much more general and, unlike the approach taken in [4], it could be applied efficiently in the systematic implementation design of much more complex systems than the one in the example. Another important aspect of the design methodology applied in this work is controlled design using FDTs. By controlled design we mean that design decisions are justified, taken and documented in formal specifications. These specifications can be verified using tools, allowing design mistakes to be detected and corrected much earlier than in conventional design methodologies, with obvious savings in time and money. 6. REFERENCES 1 International Organization for Standardization, Information Processing Systems - Open Systems Interconnection - LOTOS - A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour, ISO, C.A. Vissers, G. Scollo and M. van Sinderen, Architecture and Specification Style in Formal Descriptions of Distributed Systems. In S. Aggarwal and K. Sabnani (eds.), Protocol Specification, Testing, and Verification, VIII,1988, North-Holland, pages K. Bogaards, LOTOS Supported System Development. In K. J. Turner (ed.) Formal Description Techniques, 1989, pages W. L. de Souza and B. G. Riso, Using CCS for Protocol Specifications by Step-wise Refinements. In Proceedings of the Second International Symposium on Interoperable Information Systems, INTA, Tokyo, Nov.1988, pages G. v. Bochmann and J. P. Verjus, Some Comments on Transition-Oriented versus Structured Specification of Distributed Algorithms and Protocols. IEEE Transactions on Software Engineering, 1987, 13, pages E. W. Dijkstra, Self-stabilizing Systems in Spite of Distributed Control. Communications of the ACM,17(11),1974, pages J. Mossiere, J. Tchente and J.P. Verjus, Sur l exclusion mutuelle dans les reseaux informatiques - Publ. 75, IRISA, Rennes, France, L. Ferreira Pires and W. L. de Souza, Step-wise Refinement Design Example Using LO- TOS - Memoranda Informatica 90-55, University of Twente, Enschede, the Netherlands, P. van Eijk, Software tools for the Specification Language LOTOS - PhD Thesis, Twente University of Technology, Enschede, the Netherlands, R. Milner, A Calculus for Communicating Systems - LNCS 92, Springer-Verlag,
Chapter 2 Overview of the Design Methodology
Chapter 2 Overview of the Design Methodology This chapter presents an overview of the design methodology which is developed in this thesis, by identifying global abstraction levels at which a distributed
More informationProtocol Design and Implementation Using Formal Methods 1
Protocol Design and Implementation Using Formal Methods 1 Marten van Sinderen, Luís Ferreira Pires, Chris A. Vissers Tele-Informatics and Open Systems Group University of Twente P.O. Box 217, 7500 AE Enschede,
More informationVerification of Concurrent Programs, Part I: The Temporal Framework
June 1981 Report. No. ~ 1 AN-U-81-836 Verification of Concurrent Programs, Part I: The Temporal Framework by Zohar MilnIla Amir Ynucli Office of Navitl Rcscarch Department of Computer Science Stanford
More informationMODEL-DRIVEN DESIGN, REFINEMENT AND TRANSFORMATION OF ABSTRACT INTERACTIONS *
MODEL-DRIVEN DESIGN, REFINEMENT AND TRANSFORMATION OF ABSTRACT INTERACTIONS * JOÃO PAULO A. ALMEIDA 1,2, REMCO DIJKMAN 1, LUÍS FERREIRA PIRES 1, DICK QUARTEL 1, MARTEN VAN SINDEREN 1 1 Centre for Telematics
More informationQoS-aware model-driven SOA using SoaML
QoS-aware model-driven SOA using SoaML Niels Schot A thesis submitted for the degree of MSc Computer Science University of Twente EEMCS - TRESE: Software Engineering Group Examination committee: Luís Ferreira
More informationReal-Time Coordination in Distributed Multimedia Systems
Real-Time Coordination in Distributed Multimedia Systems Theophilos A. Limniotes and George A. Papadopoulos Department of Computer Science University of Cyprus 75 Kallipoleos Str, P.O.B. 20537 CY-1678
More informationA Case Study on the Transformation of Context-Aware Domain Data onto XML Schemas
A Case Study on the Transformation of Context-Aware Domain Data onto XML Schemas Cléver R. G. de Farias 1, Luís Ferreira Pires 2, Marten van Sinderen 2 1 Department of Physics and Mathematics, University
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationConstraint-Oriented Style in LOTOS
Kenneth J. Turner. The alternating bit protocol - Constraint-oriented specifications in LOTOS. In Proc. British Computer Society Workshop on Formal Methods in Standards, pages 1-13, London, April 1988.
More informationFrom Analysis to Code Generation of Protocols and Embedded Software with a UML-Based Formal Environment Named TURTLE 2005
From Analysis to Code Generation of Protocols and Embedded Software with a UML-Based Formal Environment Named TURTLE 2005 Ludovic Apvrille ludovic.apvrille@enst.fr Ludovic Apvrille - UML - 2005. Slide
More informationReflective Design Patterns to Implement Fault Tolerance
Reflective Design Patterns to Implement Fault Tolerance Luciane Lamour Ferreira Cecília Mary Fischer Rubira Institute of Computing - IC State University of Campinas UNICAMP P.O. Box 676, Campinas, SP 3083-970
More informationEXTENDED DISTRIBUTED UML-BASED PROTOCOL SYNTHESIS METHOD
EXTENDED DISTRIBUTED UML-BASED PROTOCOL SYNTHESIS METHOD Jehad Al Dallal Department of Information Science, Kuwait University, Kuwait ABSTRACT Synthesizing specifications for real time applications that
More informationA SYSTEMATIC APPROACH FOR COMPONENT-BASED SOFTWARE DEVELOPMENT
A SYSTEMATIC APPROACH FOR COMPONENT-BASED SOFTWARE DEVELOPMENT Cléver Ricardo Guareis de Farias, Marten van Sinderen and Luís Ferreira Pires Centre for Telematics and Information Technology (CTIT) PO Box
More information40 Behaviour Compatibility
40 Behaviour Compatibility [2] R. De Nicola, Extentional Equivalences for Transition Systems, Acta Informatica, vol. 24, pp. 21-237, 1987. [3] J. Gray, Notes on Data Base Operating Systems, in Operating
More informationArchitectural Notes: a Framework for Distributed Systems Development
Architectural Notes: a Framework for Distributed Systems Development Luís Ferreira Pires Architectural Notes: a Framework for Distributed Systems Development CTIT Ph. D-thesis series No. 94-01 P.O. Box
More informationTowards a formal model of object-oriented hyperslices
Towards a formal model of object-oriented hyperslices Torsten Nelson, Donald Cowan, Paulo Alencar Computer Systems Group, University of Waterloo {torsten,dcowan,alencar}@csg.uwaterloo.ca Abstract This
More informationAppendix B: Test Process Sample
[TV] [VL] [VSV] [VTZ] [VVD] [Z] Tvrdy, I. Formal Modelling of Telematics Services Using LOTOS. Microprocessing and Microprogramming, Vol. 25, 1989, No. 1-5, 313-317. Vissers, C. A., and Logrippo, L. The
More informationProving the Correctness of Distributed Algorithms using TLA
Proving the Correctness of Distributed Algorithms using TLA Khushboo Kanjani, khush@cs.tamu.edu, Texas A & M University 11 May 2007 Abstract This work is a summary of the Temporal Logic of Actions(TLA)
More informationAutomatically Generation of N-bit Logic Circuit Components in Extended LOTOS from High-Level Functional Programming Language: HDCaml
SHINSHU UNIVERSITY Automatically Generation of N-bit Logic Circuit Components in Extended LOTOS from High-Level Functional Programming Language: HDCaml Graduate School of Science and Technology, Shinsu
More informationAn implementation model of rendezvous communication
G.Winskel Eds. Appears in Seminar on Concurrency S.D.Brookds, A.W.Roscoe, and Lecture Notes in Computer Science 197 Springer-Verlag, 1985 An implementation model of rendezvous communication Luca Cardelli
More informationComposition and Separation of Concerns in the Object-Oriented Model
ACM Computing Surveys 28A(4), December 1996, http://www.acm.org/surveys/1996/. Copyright 1996 by the Association for Computing Machinery, Inc. See the permissions statement below. Composition and Separation
More informationSoftware Engineering: Integration Requirements
Software Engineering: Integration Requirements AYAZ ISAZADEH Department of Computer Science Tabriz University Tabriz, IRAN Abstract: - This paper presents a discussion of software integration requirements,
More informationDepartment of Computing Science and Mathematics, University Of Stirling, STIRLING FK9 4LA, Scotland.
Department of Computing Science and Mathematics, University Of Stirling, STIRLING FK9 4LA, Scotland. Email: amm@cs.stir.ac.uk Email: rgc@cs.stir.ac.uk Abstract Object-oriented analysis (OOA) and design
More informationModelling ODP Viewpoints. 1 Introduction. 2 Basic Modelling and Specification Concepts
Richard O. Sinnott and Kenneth J. Turner. Modelling ODP viewpoints. In B. Cameron, C. Geldrez, A. Hopley, D. Howes, B. Mirek, and M. Plucinska, editors, Proc. OOPSLA 94 Workshop on Precise Behavioural
More informationlnteroperability of Standards to Support Application Integration
lnteroperability of Standards to Support Application Integration Em delahostria Rockwell Automation, USA, em.delahostria@ra.rockwell.com Abstract: One of the key challenges in the design, implementation,
More informationA Lightweight Language for Software Product Lines Architecture Description
A Lightweight Language for Software Product Lines Architecture Description Eduardo Silva, Ana Luisa Medeiros, Everton Cavalcante, Thais Batista DIMAp Department of Informatics and Applied Mathematics UFRN
More informationProperties Preservation in Distributed Execution of Petri Nets Models
Properties Preservation in Distributed Execution of Petri Nets Models Anikó Costa 1, Paulo Barbosa 2, Luís Gomes 1, Franklin Ramalho 2, Jorge Figueiredo 2, and Antônio Junior 2 1 Universidade Nova de Lisboa,
More informationSeparating Product Variance and Domain Concepts in the Specification of Software Product Lines
Separating Product Variance and Domain Concepts in the Specification of Software Product Lines Pertti Kellomäki Software Systems Laboratory, Tampere University of Technology P.O. Box 553, FIN-33101 Tampere,
More informationHow useful is the UML profile SPT without Semantics? 1
How useful is the UML profile SPT without Semantics? 1 Susanne Graf, Ileana Ober VERIMAG 2, avenue de Vignate - F-38610 Gières - France e-mail:{susanne.graf, Ileana.Ober}@imag.fr http://www-verimag.imag.fr/~{graf,iober}
More informationPROTOCOL CONVERSION FOR INTERCONNECTING ENERGY MANAGEMENT SYSTEMS. J. Luque, F. Gonzalo, F. Pérez, M. Mejías.
PROTOCOL CONVERSION FOR INTERCONNECTING ENERGY MANAGEMENT SYSTEMS. J. Luque, F. Gonzalo, F. Pérez, M. Mejías. Facultad de Informática. Universidad de Sevilla. Avda. Reina Mercedes s/n. 41012-SEVILLA. SPAIN.
More informationGeneric and Domain Specific Ontology Collaboration Analysis
Generic and Domain Specific Ontology Collaboration Analysis Frantisek Hunka, Steven J.H. van Kervel 2, Jiri Matula University of Ostrava, Ostrava, Czech Republic, {frantisek.hunka, jiri.matula}@osu.cz
More informationExperiences with OWL-S, Directions for Service Composition:
Experiences with OWL-S, Directions for Service Composition: The Cashew Position Barry Norton 1 Knowledge Media Institute, Open University, Milton Keynes, UK b.j.norton@open.ac.uk Abstract. Having used
More informationModel Checking VHDL with CV
Model Checking VHDL with CV David Déharbe 1, Subash Shankar 2, and Edmund M. Clarke 2 1 Universidade Federal do Rio Grande do Norte, Natal, Brazil david@dimap.ufrn.br 2 Carnegie Mellon University, Pittsburgh,
More informationIntroduction to Formal Methods
2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette
More informationAUTOMATED BEHAVIOUR REFINEMENT USING INTERACTION PATTERNS
MASTER THESIS AUTOMATED BEHAVIOUR REFINEMENT USING INTERACTION PATTERNS C.J.H. Weeïnk FACULTY OF ELECTRICAL ENGINEERING, MATHEMATICS AND COMPUTER SCIENCE SOFTWARE ENGINEERING EXAMINATION COMMITTEE dr.
More informationPattern-Based Architectural Design Process Model
Pattern-Based Architectural Design Process Model N. Lévy, F. Losavio Abstract: The identification of quality requirements is crucial to develop modern software systems, especially when their underlying
More informationGuarded Operations, Refinement and Simulation
Guarded Operations, Refinement and Simulation Steve Reeves and David Streader Department of Computer Science University of Waikato Hamilton, New Zealand stever,dstr@cs.waikato.ac.nz Abstract Simulation
More informationGuidelines for Coding of SAS Programs Thomas J. Winn, Jr. Texas State Auditor s Office
Guidelines for Coding of SAS Programs Thomas J. Winn, Jr. Texas State Auditor s Office Abstract This paper presents a set of proposed guidelines that could be used for writing SAS code that is clear, efficient,
More informationProving Invariants of Functional Programs
Proving Invariants of Functional Programs Zoltán Horváth, Tamás Kozsik, Máté Tejfel Eötvös Loránd University Department of General Computer Science {hz,kto,matej}@inf.elte.hu Abstract. In a pure functional
More informationTEST RESULT ANALYSIS WITH RESPECT TO FORMAL SPECIFICATIONS
TEST RESULT ANALYSIS WITH RESPECT TO FORMAL SPECIFICATIONS Gregor v. BOCHMANN and Omar B. BELLAL Université de Montréal Montréal, Canada Abstract: There are two aspects to testing: (1) the selection of
More informationANSAwise - The ODP Reference Model
Poseidon House Castle Park Cambridge CB3 0RD United Kingdom TELEPHONE: Cambridge (01223) 515010 INTERNATIONAL: +44 1223 515010 FAX: +44 1223 359779 E-MAIL: apm@ansa.co.uk Training ANSAwise - The ODP Reference
More informationComparing the Parix and PVM parallel programming environments
Comparing the Parix and PVM parallel programming environments A.G. Hoekstra, P.M.A. Sloot, and L.O. Hertzberger Parallel Scientific Computing & Simulation Group, Computer Systems Department, Faculty of
More informationThesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods
Thesis Defense: Developing Real-Time Collaborative Editing Using Formal Methods Lars Tveito September 9th, 2016 Department of Informatics, University of Oslo Outline Introduction Formal Semantics of Editing
More informationSoftware Design. Software design is a blueprint or a plan for a computerbased solution for system
Software Design Software Design Software design is a blueprint or a plan for a computerbased solution for system Software design deals with transforming the customer requirements, as described by the SRS
More informationOASIS: Architecture, Model and Management of Policy
OASIS: Architecture, Model and Management of Policy Ken Moody Computer Laboratory, University of Cambridge 1 Overview OASIS : Architecture, Model and Policy 1. background to the research people, projects
More information3.7 Denotational Semantics
3.7 Denotational Semantics Denotational semantics, also known as fixed-point semantics, associates to each programming language construct a well-defined and rigorously understood mathematical object. These
More informationOSI95. Université de Liège. The OSI95 Transport Service with Multimedia support ***
Université de Liège Faculté des Sciences Appliquées Systèmes et Automatique Esprit Project 5341 Institut d'electricité Montefiore, B28 Université de Liège au Sart Tilman B-4000 Liège 1 (Belgique) OSI95
More informationA Meta-Model for Composition Techniques in Object-Oriented Software Development
A Meta-Model for Composition Techniques in Object-Oriented Software Development Bedir Tekinerdogan Department of Computer Science University of Twente P.O. Box 217, 7500 AE Enschede, The Netherlands E-Mail:
More informationAbstracting Timing Information in UML State Charts via
Abstracting Timing Information in UML State Charts via Temporal Ordering and LOTOS Valentin Chimisliu Institut für Softwaretechnologie Technische Universität Graz Graz, Austria Franz Wotawa Institut für
More informationDomain-Driven Development with Ontologies and Aspects
Domain-Driven Development with Ontologies and Aspects Submitted for Domain-Specific Modeling workshop at OOPSLA 2005 Latest version of this paper can be downloaded from http://phruby.com Pavel Hruby Microsoft
More informationA Type Graph Model for Java Programs
A Type Graph Model for Java Programs Arend Rensink and Eduardo Zambon Formal Methods and Tools Group, EWI-INF, University of Twente PO Box 217, 7500 AE, Enschede, The Netherlands {rensink,zambon}@cs.utwente.nl
More informationSOME TYPES AND USES OF DATA MODELS
3 SOME TYPES AND USES OF DATA MODELS CHAPTER OUTLINE 3.1 Different Types of Data Models 23 3.1.1 Physical Data Model 24 3.1.2 Logical Data Model 24 3.1.3 Conceptual Data Model 25 3.1.4 Canonical Data Model
More informationPrototype Environment for Refactoring Clean Programs
Prototype Environment for Refactoring Clean Programs Extended abstract Rozália Szabó-Nacsa, Péter Diviánszky, Zoltán Horváth Department of Software Technology and Methodology, Eötvös Loránd University,
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationLiveness and Fairness Properties in Multi-Agent Systems
Liveness and Fairness Properties in Multi-Agent Systems Hans-Dieter Burkhard FB Informatik Humboldt-University Berlin PF 1297, 1086 Berlin, Germany e-mail: hdb@informatik.hu-berlin.de Abstract Problems
More informationDépartement d'informatique et de recherche opérationnelle Universite de Montreal, Canada
FORMAL METHODS FOR DESCRIBING DISTRIBUTED SYSTEMS: A DISCUSSION OF THE EXPERIENCE IN OSI STANDARDIZATION * Gregor v. Bochmann Département d'informatique et de recherche opérationnelle Universite de Montreal,
More informationAgent-Oriented Software Engineering
Agent-Oriented Software Engineering Lin Zuoquan Information Science Department Peking University lz@is.pku.edu.cn http://www.is.pku.edu.cn/~lz/teaching/stm/saswws.html Outline Introduction AOSE Agent-oriented
More informationCh 1: The Architecture Business Cycle
Ch 1: The Architecture Business Cycle For decades, software designers have been taught to build systems based exclusively on the technical requirements. Software architecture encompasses the structures
More informationConfiguration management for Lyee software
Knowledge-Based Systems 16 (2003) 441 447 www.elsevier.com/locate/knosys Configuration management for Lyee software V. Gruhn*, R. Ijioui, D. Peters, C. Schäfer Faculty of Mathematics and Computer Science,
More informationEngineering program development. Edited by Péter Vass
Engineering program development Edited by Péter Vass Introduction Question: Why engineering program development may be useful for a PhD student in Earth Sciences? Counter-argument: In these days a wide
More informationComparative Analysis of Architectural Views Based on UML
Electronic Notes in Theoretical Computer Science 65 No. 4 (2002) URL: http://www.elsevier.nl/locate/entcs/volume65.html 12 pages Comparative Analysis of Architectural Views Based on UML Lyrene Fernandes
More informationMONIKA HEINER.
LESSON 1 testing, intro 1 / 25 SOFTWARE TESTING - STATE OF THE ART, METHODS, AND LIMITATIONS MONIKA HEINER monika.heiner@b-tu.de http://www.informatik.tu-cottbus.de PRELIMINARIES testing, intro 2 / 25
More informationEvaluating Architecture Implementation Alternatives based on Adaptability Concerns
Evaluating Architecture Implementation Alternatives based on Adaptability Concerns Mehmet Aksit and Bedir Tekinerdogan TRESE project, CTIT and Department of Computer Science, University of Twente, P.O.
More informationA Concurrency Control for Transactional Mobile Agents
A Concurrency Control for Transactional Mobile Agents Jeong-Joon Yoo and Dong-Ik Lee Department of Information and Communications, Kwang-Ju Institute of Science and Technology (K-JIST) Puk-Gu Oryong-Dong
More informationFORMALIZED SOFTWARE DEVELOPMENT IN AN INDUSTRIAL ENVIRONMENT
FORMALIZED SOFTWARE DEVELOPMENT IN AN INDUSTRIAL ENVIRONMENT Otthein Herzog IBM Germany, Dept. 3100 P.O.Box 80 0880 D-7000 STUTTGART, F. R. G. ABSTRACT tn the IBM Boeblingen Laboratory some software was
More informationIncompatibility Dimensions and Integration of Atomic Commit Protocols
The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer
More informationRefinement Using µ-charts: The Compaq Grand Slam Cup Case Study Revisited
Refinement Using µ-charts: The Compaq Grand Slam Cup Case udy Revisited Hubert Baumeister Institut für Informatik Universität München Oettingenstr. 67 80538 München, Germany Christoph Maier FAST e.v. Arabellastr.
More informationUsing Formal Description Technique ESTELLE for Manufacturing Systems Specification or Description
Using Formal Description Technique ESTELLE for Manufacturing Systems Specification or Description Sousa, R. a ; Putnik, G. b ; Moreira, F. c Production and Systems Engineering Department - School of Engineering
More informationContemporary Design. Traditional Hardware Design. Traditional Hardware Design. HDL Based Hardware Design User Inputs. Requirements.
Contemporary Design We have been talking about design process Let s now take next steps into examining in some detail Increasing complexities of contemporary systems Demand the use of increasingly powerful
More informationTIV: A Toolset for Interactive Verification of Basic LOTOS Specifications
TIV: A Toolset for Interactive Verification of Basic LOTOS Specifications Cheoljoo Jeong Kangho Kim Youngchan Kim Yeondae Chung Systems Engineering Research Institute Taejon, 305-333, Korea {cjeong,khkim,yckim,chung}@eagles.seri.re.kr
More informationConcurrent & Distributed Systems Supervision Exercises
Concurrent & Distributed Systems Supervision Exercises Stephen Kell Stephen.Kell@cl.cam.ac.uk November 9, 2009 These exercises are intended to cover all the main points of understanding in the lecture
More informationOptimization with linguistic variables
Optimization with linguistic variables Christer Carlsson christer.carlsson@abo.fi Robert Fullér rfuller@abo.fi Abstract We consider fuzzy mathematical programming problems (FMP) in which the functional
More informationINTERNATIONAL TELECOMMUNICATION UNION. SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS Open distributed processing
INTERNATIONAL TELECOMMUNICATION UNION ITU-T X.911 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2001) SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS Open distributed processing Information
More informationAn Operational Semantics for Parallel Execution of Re-entrant PLEX
Licentiate Thesis Proposal An Operational Semantics for Parallel Execution of Re-entrant PLEX Johan Erikson Department of Computer Science and Electronics Mälardalen University,Västerås, SWEDEN johan.erikson@mdh.se
More informationRule Formats for Nominal Modal Transition Systems
Rule Formats for Nominal Modal Transition Systems Anke Stüber Universitet Uppsala, Uppsala, Sweden anke.stuber@it.uu.se Abstract. Modal transition systems are specification languages that allow the expression
More informationTSE-P - a highly flexible tool for testing network management applications using simulation
TSE-P - a highly flexible tool for testing network management applications using simulation 4 Dr. Winfried Geyer, Stephan Hesse, Dr. Norbert Newrly Telenet GmbH Rhine-Main Office, Marburger StrafJe 14
More informationSynchronous Specification
Translation Validation for Synchronous Specification in the Signal Compiler Van-Chan Ngo Jean-Pierre Talpin Thierry Gautier INRIA Rennes, France FORTE 2015 Construct a modular translation validationbased
More informationOSI95. Université de Liège. The OSI95 Transport Service with Multimedia support *** The OSI95 Connectionless-Mode Transport Services
Université de Liège Faculté des Sciences Appliquées Systèmes et Automatique Esprit Project 5341 Institut d'electricité ontefiore, B28 Université de Liège au Sart Tilman B-4000 Liège 1 (Belgique) OSI95
More informationVerifying Concurrent ML programs
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterházy Károly University Gyöngyös, Hungary Synchron 2016 Bamberg December 2016 Concurrent ML is a synchronous language a CML program
More informationRaising Level of Abstraction with Partial Models: A Vision
Raising Level of Abstraction with Partial Models: A Vision Marsha Chechik 1, Arie Gurfinkel 2, Sebastian Uchitel 3, and Shoham Ben-David 1 1 Department of Computer Science, University of Toronto 2 SEI/CMU
More informationThirty one Problems in the Semantics of UML 1.3 Dynamics
Thirty one Problems in the Semantics of UML 1.3 Dynamics G. Reggio R.J. Wieringa September 14, 1999 1 Introduction In this discussion paper we list a number of problems we found with the current dynamic
More informationRECURSIVE DEFINITION, BASED ON A META-MODEL, FOR THE TYPE SYSTEM OF COMPLEX COMPUTING SYSTEMS ARCHITECTURES
An. Şt. Univ. Ovidius Constanţa Vol. 12(1), 2004, 45 58 RECURSIVE DEFINITION, BASED ON A META-MODEL, FOR THE TYPE SYSTEM OF COMPLEX COMPUTING SYSTEMS ARCHITECTURES Abstract A theoretical abstract analysis
More informationCLAN: A Tool for Contract Analysis and Conflict Discovery
CLAN: A Tool for Contract Analysis and Conflict Discovery Stephen Fenech 1, Gordon J. Pace 1, and Gerardo Schneider 2 1 Dept. of Computer Science, University of Malta, Malta 2 Dept. of Informatics, University
More informationA Model Transformation from Misuse Cases to Secure Tropos
A Model Transformation from Misuse Cases to Secure Tropos Naved Ahmed 1, Raimundas Matulevičius 1, and Haralambos Mouratidis 2 1 Institute of Computer Science, University of Tartu, Estonia {naved,rma}@ut.ee
More informationCovert Identity Information in Direct Anonymous Attestation (DAA)
Covert Identity Information in Direct Anonymous Attestation (DAA) Carsten Rudolph Fraunhofer Institute for Secure Information Technology - SIT, Rheinstrasse 75, Darmstadt, Germany, Carsten.Rudolph@sit.fraunhofer.de
More informationTOWARDS AUTOMATED VERIFICATION OF WEB SERVICES
TOWARDS AUTOMATED VERIFICATION OF WEB SERVICES Cátia Vaz INESC-ID Lisboa, ISEL-IPL Rua Alves Redol 9, 1000-029 Lisboa cvaz@cc.isel.ipl.pt Carla Ferreira INESC-ID, IST-UTL Rua Alves Redol 9, 1000-029 Lisboa
More informationSpecifying Hardware Timing Characteristics with ET-LOTOS
Ji He and Kenneth J. Turner. Specifying Hardware Timing with ET-LOTOS extended version of article published by and copyright Springer-Verlag. In Tiziana Margaria and Thomas F. Melham, editors, Proc. 11th
More informationA Lost Cycles Analysis for Performance Prediction using High-Level Synthesis
A Lost Cycles Analysis for Performance Prediction using High-Level Synthesis Bruno da Silva, Jan Lemeire, An Braeken, and Abdellah Touhafi Vrije Universiteit Brussel (VUB), INDI and ETRO department, Brussels,
More informationLecture 8. 1 Some More Security Definitions for Encryption Schemes
U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,
More informationRefactoring via Database Representation
6 th International Conference on Applied Informatics Eger, Hungary, January 27 31, 2004. Refactoring via Database Representation Péter Diviánszky 1, Rozália Szabó-Nacsa 2, Zoltán Horváth 1 1 Department
More informationDeriving design aspects from canonical models
Deriving design aspects from canonical models Bedir Tekinerdogan & Mehmet Aksit University of Twente Department of Computer Science P.O. Box 217 7500 AE Enschede, The Netherlands e-mail: {bedir aksit}@cs.utwente.nl
More informationTowards a Context Binding Transparency *
Towards a Context Binding Transparency * Tom Broens, Dick Quartel, and Marten van Sinderen Center for Telematics and Information Technology, ASNA group, University of Twente, P.O. Box 217, 7500 AE Enschede,
More informationUscan. DICOM Conformance Statement
DICOM Conformance Statement - Uscan Uscan DICOM Conformance Statement Software Version: 4.1.1 Date: 3 August 2018 Signostics, Inc., a subsidiary of EchoNous, Inc. 8310 154th Ave NE, Suite 200 Redmond,
More informationConfiguration Management in the STAR Framework *
3 Configuration Management in the STAR Framework * Helena G. Ribeiro, Flavio R. Wagner, Lia G. Golendziner Universidade Federal do Rio Grande do SuI, Instituto de Informatica Caixa Postal 15064, 91501-970
More informationState-Optimal Snap-Stabilizing PIF In Tree Networks
State-Optimal Snap-Stabilizing PIF In Tree Networks (Extended Abstract) Alain Bui, 1 Ajoy K. Datta, 2 Franck Petit, 1 Vincent Villain 1 1 LaRIA, Université de Picardie Jules Verne, France 2 Department
More informationWeb Services Annotation and Reasoning
Web Services Annotation and Reasoning, W3C Workshop on Frameworks for Semantics in Web Services Web Services Annotation and Reasoning Peter Graubmann, Evelyn Pfeuffer, Mikhail Roshchin Siemens AG, Corporate
More informationModeling Systems Using Design Patterns
Modeling Systems Using Design Patterns Jaroslav JAKUBÍK Slovak University of Technology Faculty of Informatics and Information Technologies Ilkovičova 3, 842 16 Bratislava, Slovakia jakubik@fiit.stuba.sk
More informationthe application rule M : x:a: B N : A M N : (x:a: B) N and the reduction rule (x: A: B) N! Bfx := Ng. Their algorithm is not fully satisfactory in the
The Semi-Full Closure of Pure Type Systems? Gilles Barthe Institutionen for Datavetenskap, Chalmers Tekniska Hogskola, Goteborg, Sweden Departamento de Informatica, Universidade do Minho, Braga, Portugal
More informationThe Contract Pattern. Design by contract
The Contract Pattern Copyright 1997, Michel de Champlain Permission granted to copy for PLoP 97 Conference. All other rights reserved. Michel de Champlain Department of Computer Science University of Canterbury,
More informationHow to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor
How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor Leslie Lamport 1 Digital Equipment Corporation February 14, 1993 Minor revisions January 18, 1996 and September 14, 1996
More information