Conjoining specifications

Reviewer: D. John Cooke

The authors show that writing specifications of a finite set of components in a certain fashion enables their logical conjunction to represent the system arising from their parallel combination. The idea is disarmingly simple, but in practice the possibility of interference between components can make proving correctness rather complicated. Several examples illustrate the ideas and potential difficulties well. The authors discuss TLA, the temporal logic of actions, which is used to represent both specifications and implementation designs. The standard way of specifying a system in TLA has three components: an initial requirement, a description of transient behavior, and liveness requirements. The kernel of the paper is section 4, which discusses the decomposition theorem. Detailed proofs are consigned to an appendix available by ftp from various sites; nevertheless, the paper still requires the reader to fill in many small details. This paper provides an important step in furthering our understanding of complex systems. To those familiar with TLA, the paper will be easy to follow. To others, it will require some backtracking and substantial verification of claims made in this text.

Reviewer: Jan Hendrik Jongejan

The authors present a method for deducing properties of a concurrent system by reasoning about its components. Specifications are given in the Temporal Logic of Actions (TLA). Both the decomposition of a system (into its components) and the composition of a system (out of a set of components) are studied. First, an informal overview is presented: complete systems and open systems are introduced, the latter being the main subject of interest. Open systems interact with an environment that they do not control. A specification for an open system is written in the assumption/guarantee style. That is, we assume a certain behavior from the environment, and then guarantee the specified behavior of the system. A typical TLA component specification would have a canonical form ?x: Init ?? N v ?L , where Init is an initial predicate, the notation ? N v stands for “always take an N step or else state function v does not change,” and L is a conjunction of fairness conditions. The N is the disjunction of Q M , describing the steps taken by the component, and Q E , describing the steps taken by the environment. Next, implementation is introduced as implication between specifications: A?B . Several other operators are also presented. One of the two main results is the decomposition theorem, which enables us to prove when a system decomposed into components P i is implemented by a lower-level system with components P ? i , by using the proofs that each P ? i implements P i . The last part of the paper studies composition of a system specification from its component specifications: the composition theorem. The paper clearly addresses theoretically oriented computing scientists. For the method to be of practical importance, however, a lot of work still has to be done. For instance, the notation chosen is cumbersome. It uses a lot of symbols, special operators, indices, and so on (for example, M &d14; <__?__Pub Caret> on pp. 516–517). Also, the proof steps needed are cumbersome. (Most proofs have not been included in the paper, but are in a separate appendix, which can be had by anonymous ftp from ACM or Princeton. However, they were not present on either site when I tried to access them.)