Assumption/guarantee specifications in linear-time temporal logic

Abstract

An assumption/guarantee specification of a system consists of an assumption part, which specifies the assumptions on the behavior of the environment, and a guarantee part, which specifies the properties guaranteed by the system if the environment obeys the assumptions. A suitable interpretation of an assumption/guarantee specification was essentially formulated by Misra and Chandy (1981). The interpretation was later extended by others to allow liveness properties in the guarantee part. In this paper, we explore the use of linear-time temporal logic in writing and reasoning about assumption/guarantee specifications. We choose this logic, specifically LTL defined in the book by Manna and Pnueli (1992), for the following reasons: (i) Linear-time temporal logics, including LTL and TLA, have proven to be a successful formalism for the specification and verification of concurrent systems. (ii) Previous works on assumption/guarantee specifications typically reason about relevant properties at the semantic level or define a special-purpose logic. We feel it is beneficial to formulate such specifications in a more widely used formalism. (iii) We find that, with past temporal operators, LTL admits a succinct syntactic formulation of assumption/guarantee specifications. This contrasts, in particular, with the work by Abadi and Lamport using TLA, where working at the syntactic level is more complicated. We derive inference rules for refining and composing assumption/guarantee specifications as the main results of this paper. The derived rules can handle internal variables. We had to overcome a number of technical problems in this pursuit, in particular, the problem of extracting the safety closure of a temporal formula. As a by-product, we identify general conditions under which the safety closure can be expressed in a succinct way that facilitates syntactic manipulation.