Papers by Willem-Paul de Roever

Fundamenta Informaticae, Dec 1, 2008
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. Besides that, the language offers a flexible exception mechanism for handling errors or exceptional program conditions. To reason about safety-properties of Java-programs and extending previous work on the proof theory for monitor synchronization, we introduce in this paper an assertional proof method for Java MT ("Multi-Threaded Java"), a small concurrent sublanguage of Java, covering concurrency and especially exception handling. We show soundness and relative completeness of the proof method. * Part of this work has been financially supported by the EU-project IST-33826 Credo: Modeling and analysis of evolutionary structures for distributed services, and the NWO/DFG project Mobi-J (RO 1122/9-{1,2,4}).
Proceedings of the 14th ACM SIGACT-SIGPLAN symposium on Principles of programming languages - POPL '87, 1987
We present a fully abstract semantics for real-time distributed computing of the Ada and OCCAM kind in a denotational style. This semantics turns termination, communication along channels, and the time communication takes place, into observables. Yet it is the coarsest semantics to do so which is syntax-directed (this is known as full abstraction). It extends the linear history semantics for CSP of Francez, Lehman and Pnueli. Our execution model is based on maximizing concurrent activity as opposed to interleaving (in which only one action occurs at the time and arbitrary delays are incurred between actions). It is a variant of the maximal parallelism model of Salwicki and Müldner. * This paper is based on C. Huizing's M.Sc. Thesis [HGR85].
Lecture Notes in Computer Science, 1992
FME '97: Industrial Applications and Strengthened Foundations of Formal Methods, 1997
This paper presents a compositional proof system for shared variable concurrency. The proof system is based on an assertion language which describes a computation, i.e., a sequence of state-changes, in terms of a qualitative notion of time represented by a discrete total well-founded ordering.
Lecture Notes in Computer Science, 1989

The workshops on Synchronous Languages started in 1993 at Schloss Dagstuhl. Since then seven such workshops have been organized, in total: 2 in Germany, 1 in Spain, and 4 in France, with an attendance varying between 40 and 60 persons. In 1993 the synchronous languages approach was promising: numerous design tools had been, or were in train of being, constructed based on the languages ESTEREL (Berry), Lustre (Halbwachs, Caspi), Signal (LeGuernic, Benveniste), and Statecharts (Harel, Pnueli), and were applied to the design of control of (real-time) embedded systems. Now, in 2000/2001, this approach is established, and possibly even more essential to computer science than the well-known model-checking paradigm to automatic verification. The software for the Airbus 340 has been entirely designed using the SCADE tool, based on a graphical representation of Lustre; the software for the Airbus 385 is being designed, based on SCADE; the software for the Rafale fighter bomber by Dassault — ...
ACM SIGPLAN Notices, 1973

CAAP '88, 1988
We present a denotational, strictly syntax-directed, semantics for Statecharts, a graphical, mixed specification/programming language for real-time, developed by Harel [H]. This requires first of all defining a proper syntax for the graphical language. Apart from more conventional syntactical operators and their semantic counterparts, we encounter unconventional ones, dealing with the typical graphical structure of the language. The synchronous nature of Statecharts makes special demands on the semantics, especially with respect to the causal relation between simultaneous events, and requires a refinement of our techniques for obtaining a denotational semantics for OCCAM [HGR]. We prove that the model is fully abstract with respect to some natural notion of observable behaviour. The model presented will serve as a basis for a further study of specification and proof systems within the ESPRIT-project DESCARTES.

Workshops in Computing, 1992
DOI to the publisher's website. • The final author version and the galley proof are versions of the publication after peer review. • The final published version features the final layout of the paper including the volume, issue and page numbers. Link to publication. General rights: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain. • You may freely distribute the URL identifying the publication in the public portal. If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the "Taverne" license above, please follow the link below for the End User Agreement:
Lecture Notes in Computer Science, 2010
In their seminal 1991 paper "What is in a Step: On the Semantics of Statecharts", Pnueli and Shalev showed how, in the presence of global consistency and while observing causality, the synchronous language Statecharts can be given coinciding operational and declarative step semantics. Over the past decade, this semantics has been supplemented with order-theoretic, denotational, axiomatic and game-theoretic characterisations, thus revealing itself as a rather canonical interpretation of the synchrony hypothesis. In this paper, we survey these characterisations and use them to emphasise the close but not widely known relations of Statecharts to the synchronous language Esterel and to the field of logic programming. Additionally, we highlight some early reminiscences on Amir Pnueli's contributions to characterise the semantics of Statecharts.

Lecture Notes in Computer Science, 2003
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation. In this paper we propose a class-based compositional operational semantics for multithreaded Java which provides a semantic characterization and a formal basis for further semantic investigations involving inheritance, subtyping, and full abstraction, and a compositional proof system. From its inception, Java [10] attracted interest from the formal methods community: The widespread use of Java across platforms made the need for formal studies and verification support more urgent, the grown awareness and advances of formal methods for real-life applications and languages made it more acceptable, and last but not least the array of non-trivial language features made it challenging and interesting. Thus, Java offered a rich field for formal studies, ranging from formal semantics [14, 5] over bytecode verification and static analysis [13] to model checking [11]. In this paper we propose a class-based compositional operational semantics for multithreaded Java which provides a semantic characterization of the behavioral interface of a class and a formal basis for further semantic investigations involving inheritance, subtyping, and full abstraction. Java offers concurrency in the form of threads integrated in its class-based object-oriented framework: The concurrent entities in the run-time system of Java consist of the different call-chains, the threads, which execute in parallel and which share the state space grouped into objects. Thus, concurrency arises in Java at two levels: sets of objects in parallel cooperate via method calls, and objects processing different operations at the same time on a shared state space, namely the states of objects.

Lecture Notes in Computer Science, 2008
A perspective on program verification is presented from the point of view of a university professor who has been active over a period of 35 years in the development of formal methods and their supporting tools. He has educated until now approx. 25 Ph.D. researchers in those fields and has written two handbooks in the field of program verification, one unifying known techniques for proving data refinement, and the other on compositional verification of concurrent and distributed programs, and communication-closed layers. This essay closes with formulating a grand challenge worthy of modern Europe. 1 Background. Conjecture: It has become a real possibility that Germany's most powerful industrialist, Jürgen Schrempp, heading the largest industry of Germany, DaimlerChrysler, will be fired next year because his company has not spent sufficient attention to improve the reliability of the software of its prime product, Mercedes Benz cars. For, as a consequence of the poor quality of the top range of Mercedes Benz limousines, BMW has now replaced Mercedes Benz as the leading top-range car manufacturer in Germany. And this fact is unpalatable for the main shareholders of DaimlerChrysler (Deutsche Bank, e.g.). 1 The underlying reason for this fact is that 60% of the current production of Mercedes Benz cars has to be frequently called back because of software failures, the highest percentage of any car manufacturer in the world. And this percentage cannot be changed in, say, a year, the period of time Schrempp has to defend again his industrial strategy to his shareholders (this year his defense took place on April 6, 2005). This conjecture is at least the second of its kind: The Pentium Bug convinced the top level chip manufacturers that chips should be reliable and bug-free to the extent that any bug occurring after the production phase should be removable, at least to the extent that patches should be applicable circumventing those bugs. A third fact, not a conjecture, would be that two crashes of a fully loaded Airbus 380 due to software failure in a row would lead to the demise of the European aircraft industry. And one such crash of the Airbus 380 would have
Mathematical Foundations of Computer Science, 1974
Minimal fixed point operators were introduced by Scott and De Bakker in order to describe the input-output behaviour of recursive procedures. As they considered recursive procedures acting upon a monolithic state only, i.e., procedures acting upon one variable, the problem remained open how to describe this input-output behaviour in the presence of an arbitrary number of components which as a
FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing
Lecture Notes in Computer Science, 2009
Functional and non-functional concerns require different programming effort, different techniques and different methodologies when attempting to program efficient parallel/distributed applications. In this work we present a "programmer oriented" methodology based on formal tools that permits reasoning about parallel/distributed program development and refinement. The proposed methodology is semi-formal in that it does not require the exploitation of highly formal tools and techniques, while providing a palatable and effective support to programmers developing parallel/distributed applications, in particular when handling non-functional concerns.
Science of Computer Programming, 1986

Sadhana, 1992

Information and Computation, 1988
Formal Aspects of Computing, 1994
Designers of network algorithms often give elegant informal descriptions of the intuition behind their algorithms (see [GHS83, Hum83, MeS79, Seg82, Seg83, ZeS80]). Usually these descriptions are structured as if subtasks are performed one after the other. Although these subtasks are performed sequentially from a logical point of view, they are performed concurrently from an operational point of view. The current paper presents a principle for formally designing and verifying these kinds of algorithms. It is formulated in Manna and Pnueli's linear time temporal logic [MaP83, MaP92]. This principle is applicable to large classes of algorithms, such as those for computing minimum-paths, connectivity, network flow, and minimum-weight spanning trees.
Cambridge University Press has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this publication, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate. Information regarding prices, travel timetables, and other factual information given in this work is correct at the time of first printing but Cambridge University Press does not guarantee the accuracy of such information thereafter.