Summary: Composing Specifications
MART ' IN ABADI and LESLIE LAMPORT
Digital Equipment Corporation
A rigorous modular specification method requires a proof rule asserting that if each component
behaves correctly in isolation, then it behaves correctly in concert with other components. Such
a rule is subtle because a component need behave correctly only when its environment does, and
each component is part of the others' environments. We examine the precise distinction between
a system and its environment, and provide the requisite proof rule when modules are specified
with safety and liveness properties.
Categories and Subject Descriptors: D.2.4 [Software Engineering]: Program Verification---
correctness proofs; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and
Reasoning about Programs---Specification techniques
General terms: Theory, Verification
Additional Key Words and Phrases: Compositionality, concurrent programming, liveness proper­
ties, modular specification, safety properties
1. INTRODUCTION
In the transition­axiom method, concurrent systems are specified by combining
abstract programs and temporal logic [16]. The method permits a hierarchical ap­
proach in which the composition of lower­level specifications is proved to implement
a higher­level specification. In [1], we described how to prove that one specification

Source: Abadi, Martín - Department of Computer Science, University of California at Santa Cruz

Collections: Computer Technologies and Information Sciences