Jayadev Misra

• Professor Emeritus at University of Texas at Austin

Originating in the 1970's, the parallel discrete event simulation (PDES) field grew from a group of researchers focused on determining how to execute a discrete event simulation program on a parallel computer while still obtaining the same results as a sequential execution. Over the decades that followed the field expanded, grew, and flourishes to...

This paper suggests a theomisra@utexas.edury of composable specification of concurrent programs that permits: (1) verification of program code for a given specification, and (2) composition of the specifications of the components to yield the specification of a program. The specification consists of both terminal properties that hold at the end of...

This paper proposes a general denotational semantic theory suitable for most concurrent systems. It is based on well-known concepts of events, traces and specifications of systems as sets of traces. Each programming language combinator is modeled by a transformer that combines the specifications of the components to yield the specification of a sys...

Kőnig's infinity lemma states that an infinite rooted tree in which every node has finite degree has an infinite path. A variation of this lemma about mappings from one tree to another is presented in this note. Its proof utilizes Kőnig's lemma, and Kőnig's lemma follows from this variation.

In this position paper we argue that: (1) large programs should be composed out of components, which are possibly heterogeneous (i.e., written in a variety of languages and implemented on a variety of platforms), (2) the system merely orchestrates the executions of its components in some fashion but does not analyze or exploit their internal struct...

This talk will describe a view of concurrency, the author's own, as it has evolved since the late 1970s. Early notions of concurrency were intimately tied with physical hardware and speeding up of computations, which proved to be an impediment to the development of a logical theory of concurrency. In collaboration with K. Mani Chandy, the author de...

Comprehensive language reference manual for the Orc programming language. Orc is a programming language designed to make distributed and concurrent programs simple and intuitive to write. Orc expresses orchestration, a type of structured concurrency. It emphasizes the flow of control and gives a global view of a concurrent system. Orc is well-suite...

Introduction to the Orc programming language. Orc is a programming language designed to make distributed and concurrent programs simple and intuitive to write. Orc expresses orchestration, a type of structured concurrency. It emphasizes the flow of control and gives a global view of a concurrent system. Orc is well-suited for task orchestration, a...

We propose a scheme for secure voting that involves the candidates themselves in implementing the voting system. It exploits the competing interests (rivalry) and mutual distrust among the candidates to force an honest election.

This paper proposes that virtual time and virtual time-outs should be available as tools for programming distributed systems. Virtual time is already used for event ordering in distributed systems [4,3,5,1,9], though the numeric value of virtual time is irrelevant in this context (see Section 2). Virtual time-out has not been used in distributed sy...

Topology maintenance, or how to handle the possibly concurrent joining and leaving of nodes, is a central problem for structured peer-to-peer networks. A good topology maintenance protocol should run efficiently, fully maintain the topology, and should not unduly restrict concurrency. In this paper, we present such a protocol for a multi-ring topol...

Quicksort (Commun. ACM 4(7):321–322, 1961) remains one of the most studied algorithms in computer science. It is important not only as a practical sorting method, but also as a splendid teaching aid for introducing recursion and systematic algorithm development. The algorithm has been studied extensively; so, it is natural to assume that everything...

A team of researchers from SRI International Computer Science Laboratory has proposed a long-term research program toward the construction of error-free software systems. The research project, called the Verified Software Initiative, will make an effort to a comprehensive theory of programming that covers the features needed to build practical and...

Orc was originally presented as a process calculus. It has now evolved into a full programming language, which we describe in this paper. The language has the structure and feel of a functional program- ming language, yet it handles many non-functional aspects eectively, including spawning of concurrent threads, time-outs and mutable state. We rst...

Today, concurrency is ubiquitous, in desktop applications, client-server systems, workflow systems, transaction processing and web services. Design of concurrent systems, particularly in the presence of communication failures, time-outs and interrupts, is still difficult and error-prone. Theoretical models of concurrency focus on expressive power a...

Orc is a kernel language for structured concurrent programming. Orc provides three powerful combinators that deflne the structure of a concurrent computation. These combinators support sequential and concurrent execution, and concurrent execution with blocking and termination. Orc is particularly well-suited for task orchestration, a form of concur...

The real world is inherently concurrent and temporal. For simulating physical phenomena of the real world, one prefers frameworks which easily express concurrency and account for the passage of time. We propose Orc, a structured concurrent calculus, as a framework for writing simulations. Orc provides constructs to orchestrate the concurrent invoca...

Orc is a new language for task orchestration, a form of concurrent pro- gramming with applications in workflow, business process management, and web service orchestration. Orc provides constructs to orchestrate the concurrent invocation of services - while managing time-outs, priori- ties, and failure of services or communication. In this paper, we...

Please permit me to talk about the paper ”Guarded Commands, Nondeterminacy

A language in which discrete event simulations can be coded needs to support the features (1) to describe behavior of a single physical process, (2) to describe concurrent ctivities of multiple physical processes, including communication, synchronization and interruption, (3) to account for passage of time, and (4) to record system state at appropr...

We explore the following quintessential problem: given a set of basic computing elements how do we compose them to yield interesting computation patterns. Our goal is to study composition operators which apply across a broad spectrum of computing elements, from sequential programs to distributed transactions over computer networks. Our theory makes...

Van der Aalst recently proposed a set of workflow patterns to characterize the kinds of control flow that appear frequently in workflow processes. These patterns are useful for evaluating the capabilities of workflow systems and models. In this paper we provide implementations of the workflow patterns in Orc, a new process calculus for orchestratin...

The widespread deployment of networked applications and adoption of the internet has fostered an environment in which many distributed services are available. There is great demand to automate business processes and workflows among organizations and individuals. Solutions to such problems require orchestration of concurrent and distributed services...

A central problem for structured peer-to-peer networks is topology maintenance, that is, how to properly update neighbor variables when nodes join or leave the network, possibly concurrently. In this paper, we consider the maintenance of the ring topology, the basisof several peer-to-peer networks, in the fault-free environment. We design, and prov...

Orc is a new language for task orchestration, a form of con- current programming with applications in work∞ow, business process management, and web service orchestration. Orc provides constructs to orchestrate the concurrent invocation of services { while managing time- outs, priorities, and failure of services or communication. In this paper, we s...

The ideal of correct software has long been the goal of research in Computer Science. We now have a good theoretical understanding of how to describe what programs do, how they do it, and why they work.This understanding has already been applied to the design, development and manual verification of simple programs of moderate size that are used in...

This paper presents a formal semantics of a language, called Orc, which is described in a companion paper[3] in this volume. There are many styles of presentation of programming language semantics. The more operational styles give more concrete guidance to the implementer on how a program should be executed. The more abstract styles are more helpfu...

A central problem for structured peer-to-peer networks is topology maintenance, that is, how to properly update neighbor variables when nodes join and leave the network, possibly concurrently. In this paper, we rst present a protocol that maintains a ring, the basis of several structured peer-to-peer networks. We then present a protocol that mainta...

Secure function evaluation (SFE) enables a group of players, by themselves, to evaluate a function on private inputs as securely as if a trusted third party had done it for them. A completely fair SFE is a protocol in which, conceptually, ...

The wide acceptance of the internet standards and technologies, the emerging Grid structures makes it hard to imagine a situation in which it would be easier to argue about the importance of distributed algorithms than it is today. Distributed algorithms cover a wide area of topics including but not limited to: • design and analysis of distribut...

The metaphor “Network is the Computer” has received much attention lately. It is easy/hard to claim such an equivalence since neither term is defined precisely. It is easy to establish an equivalence by ignoring several key aspects of the network, such as the costs of remote data access, failures of network nodes and communication links, and the se...

Dijkstra and Scho!ten developed the notion of diffusing computations to provide a very general framework for a large and important class of problems. In this paper we show how the results of diffusing computa- tions can be compiled efficiently and applied to a variety of problems i.

this paper was supported by Hitachi Corporation. 1.

A method for specification of data abstraction, using charac- teristic functions, is proposed in this paper It is shown that the notion of characteristic functions is a generalization of V-function of Parnas[7] fis technique provides specifications which are simple to understand, yet rigorous enough for formal proofs Verification of implementation...

this report was supported by Hitachi Corporations 1o Networks of Processes This paper suggests methods for proving the correctness of networks of processes which communicate exclusively through messages

We define "power" of an induction rule and show that a slight modification to subgoal induction rule increases its power We give an infinite sequence of induction rules of strictly increasing power KEY Words Program Verification Induction Rule, Subgoal Induction 1.

This paper describes a methodology and its theoretical basis for synthesizing a class of programs which operate on recursive data structures. The methodology has appeared in an earlier paper by the author (7). This paper suggests a theoretical basis for the methodology. The theory rests on some elementary results in fixed point theory over lattices...

this paper which has been found to be a useful tool for understanding and verifying programs and synthesizing programs from their specifications A program can be viewed as a transition system operating on a set of states Each state corresponds to distinct values of variables registers location counters, etc Execution of a program statement results...

An abstract is not available.

Word processing software, email, and spreadsheet have revolutionized office activities. There are many other office tasks that are amenable to automation, such as: scheduling a visit by an external visitor, arranging a meeting, and handling student application and admission to a university. Many business applications —protocol for filling an order...

Many data parallel algorithms -- Fast Fourier Transform, Batcher's sorting networks and prefix-sum -- exhibit recursive structure. We propose a data structure, powerlist, that permits succinct descriptions of such algorithms, highlighting the roles of both parallelism and recursion.

Object-based sequential programming has had a major impact on software engineering. However, object-based concurrent programming remains elusive as an effective programming tool. The class of applications that will be implemented on future high-bandwidth networks of processors will be significantly more ambitious than the current applications (whic...

Model checking, in particular symbolic model checking, has proved to be extremely successful in establishing properties of finite state programs. In most cases, the proven properties are safety properties stat- ing that the program never executes outside a specified set of states. But another important class of properties, progress (liveness) prope...

Theories and design principles of a general nature will be far too weak to be of much value to the practitioners. We should develop specialized theories that are applicable in specific domains, and we should work on binding these theories and principles much like the way we structure large systems today. Functional programming, for instance, provid...

We derive an ecient parallel algorithm to nd all occurrences of a pattern string in a subject string in O(log n) time, where n is the length of the subject string. The number of processors employed is of the order of the product of the two string lengths. The theory of powerlists [2, 3] is central to the development of the algorithm and its algebra...

A typical execution of a concurrent program is an interleaving of the threads of its components. It is well known that the net eect of a concurrent execution may be quite dierent from the serial executions of its components. In this paper we introduce a programming notation for concurrent object-oriented programs, called Seuss, and show that concur...

data types and the development of data structures. Communications of the ACM, 20(6):396-404, June 1977. [82] A. Nico Habermann. Synchronization of communicating processes. Communications of the ACM, 15(3):171-176, March 1972. [83] J.Y. Halpern and Y. Moses. Knowledge and common knowledge in a distributed environment. Journal of the ACM, 37(3):549-5...

The one purpose of this little Note is to show that formal arguments need not be lengthy at all; on the contrary, they are often the most compact rendering of the argument. Its other purpose is to show the strong heuristic guidance that is available to us when we design such calculational proofs in sufficiently small, explicit steps. We illustrate...

During the last decade there have been great strides in broadband communication, and the World Wide Web provides a giant repository of information. This combination promises development of a new generation of distributed applications, ranging from mundane office tasks — e.g., planning a meeting by reading the calendars of the participants — to real...

We present a derivation Dijkstra's shortest path algorithm[1]. We view the problemas computation of a \greatest solution" of a set of equations. A UNITY-stylecomputation[0] is then prescribed whose implementation results in Dijkstra's algorithm.Key words: Design of algorithms, Graph algorithms, Combinatorial problems,Program derivation0

The objective of this project is to design a domain-independent framework that allows rapid development of applications customized for specific user needs. We see three major components in the design: (1) persistent storage management, (2) computational logic and execution. environment, and (3) methods for orchestrating computations. Recent develop...

The operational semantics of the programming model —action systems in chapter 2 and object-oriented systems in chapter 3— is based on tight executions, where each action execution is completed before another one is started. This is a convenient model for understanding a program and reasoning about its properties, because an action represents an ind...

Safety properties, discussed in chapter 5, allow us to state that “the program does no harm”. A trivial program that causes no state change —a program that consists only of a skip action, for instance— satisfies all the safety properties. Thus, safety properties alone are insufficient as a basis of program design. Several formal aspects of program...

The union theorem, introduced in section 8.2.3, is the main tool for the study of asynchronous compositions of programs. The major virtue of this theorem is that it provides a simple rule for deducing the co-properties and transient predicates of a system from those of its component boxes. The major shortcoming is that it does not provide a simple...

Traditionally, a program specification is given by safety and progress properties, as explained in chapters 5 and 6. A safety property —e.g., no two neighbors eat simultaneously in a dining philosophers solution— is used to exclude certain undesirable execution sequences. A specification with safety properties alone can be implemented by a program...

Action systems are used in chapter 2 to represent a message communicating process (Merge), a fragment of an operating system (mutual exclusion), a process controller (odometer), and even solutions to combinatorial problems (gcd, shortest path). The syntax and semantics of action systems are sparse, yet we developed succinct programs for several wel...

A number of small examples are treated in this chapter. The goal is to show that typical multiprogramming examples from the literature have succinct representations in Seuss. Additionally, the small number of features of Seuss is adequate for solving many well-known problems: communications over bounded and unbounded channels, maintaining a databas...

The logic of action systems, developed in chapters 5 and 6, allowed us to specify safety and progress properties of a single box; the logic is extended in chapters 8 and 9 for specifications of ensembles of boxes. Properties such as co and leads-to specify the collective effect of the executions of the actions of a box or a set of boxes; the indivi...

Typically, program design involves constructing a program P that implements a given specification S; that is, the set [`(P)]{\overline P} of executions of P is a subset of the set [`(S)]{\overline S} of executions satisfying S. In many cases, we seek a program P that not only implements S, but for which [`(P)]{\overline P} = [`(S)]{\overline S}...

Object-based sequential programming has had a major impact on software engineering. However, object-based concurrent programming remains elusive as an effective programming tool. The class of applications that will be implemented on future high-bandwidth networks of processors will be significantly more ambitious than the current applications (whic...

Typically, program design involves constructing a program P that implements a given specification S; that is, the set P of executions of P is a subset of the set S of executions satisfying S. In many cases, we seek a program P that not only implements S, but for which P = S. Then, every execution satisfying the specification is a possible execution...

It is impossible to combat software piracy as long as the machines on which the programs execute are indistinguishable; then, any program that can execute on one machine may be copied for execution on another machine. Recently, hardware manufacturers have begun assigning unique identifiers to CPU chips, which make it possible to address the piracy...

Generating functions have long been used to analyze properties of sequences of numbers. In this note, we use generating functions to analyze a class of combinatorial objects, called interconnection networks. In particular, we prove that two families of interconnection networks are isomorphic by showing that the corresponding generating functions ar...

Contents 4 Progress 5 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2 Fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.2.1 Minimal Progress . . . . . . . . . . . . . . . . . . . . 7 4.2.2 Weak Fairness . . . . . . . . . . . . . . . . . . . . . 7 4.2.3 Strong Fairness . . . . . . . . . . . . . . . ....

We show that the presence of even a single faulty process makes it impossible to design a strategy for fair allocation of a shared resource.

f a multiprocess system before any variable is read, where different processes initialize different portions of the shared store. Here, initialization may be thought of as the first phase and regular computation as the second phase. In order to solve such problems, we assume nothing about the initial values of shared variables. Phase synchronizatio...

Introduction Programs that accept inputs, compute and produce outputs are specified by describing all possible inputs and the corresponding outputs. When the possible inputs are finite in number---as is the case with combinatorial circuits, for instance---the input,output pairs may be explicitly enumerated. However, for most programs it is convenie...

Introduction It is generally assumed that formal proofs of programs are considerably longer and more tedious than their informal counterparts. Informal proofs employ a form of common sense reasoning whereby "obvious" facts are often omitted and the proof steps rely upon the intuition of the reader. Typically informal proofs are operational; argumen...

From the author’s text: “A Consenus algorithm is given by (1) naming the (local) variables of each process, (2) designating the variables where the initial and the final values are stored for each process, and (3) writing a set of equations over these variables. Such an algorithm is correct provided that for any subset of s processes, the subset of...

this paper, we propose a specification scheme for concurrent objects that allows effective manipulations of specifications and admits nondeterministic, nonterminating and concurrent operations on objects. Our approach is to view a concurrent object as an asynchronous communicating process. Such a process can be specified by describing its initial s...

A deterministic message-communicating process can be characterized by a "continuous" function f which describes the relationship between the inputs and the outputs of the process. The operational behavior of a network of deterministic processes can be deduced from the least fixpoint of a function g, where g is obtained from the functions that chara...

Object-based sequential programming has had a major impact on soft-ware engineering. However, object-based concurrent programming remains elusive as an effective programming tool. The class of applications that will be implemented on future high-bandwidth networks of processors will be sig-nificantly more ambitious than the current applications (wh...

We have developed a programming model that integrates concurrency with object-based programming. The model includes features for object definition and instantiation, and it supports concurrent executions of designated methods of the object instances. Yet, the model includes no specific communication or synchronization mechanism, except procedure ca...

Reconciling the conflicting goals of simplicity and efficiency has traditionally been a major challenge in the development of concurrent programs. Seuss (see J. Misra, ftp://ftp.cs.utexas.edu/pub/psp/seuss/discipline.ps.Z) is a methodology for concurrent programming that attempts to achieve the right balance between these competing concerns. The go...

The main software challenge in developing application programs during the 1960s and the 1970s was that the programs had to operate within limited resources, i.e., slow processors, small memories, and limited disk capacities. Application programming became far more widespread during the 1980s because of the falling prices of hardware (which meant th...

Michael Fischer has proposed a mutual exclusion algorithm that ingeniously exploits real time. We prove this algorithm using the time-honored technique of establishing an appropriate invariant.

The UNITY-logic, a fragment of linear temporal logic, was introduced in [5]. In this paper, we describe several recent modifications to this logic. In particular, the operator co replaces unless, for expressing safety properties and, transient predicates form the basis for the progress properties. Our experience suggests that these modifications si...

data types and the development of data structures. C.ACM, 20(6):396--404, June 1977. [5] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall International, London, 1984. [6] E. Knapp. Refinement as a Basis for Concurrent Program Design. PhD thesis, The University of Texas at Austin, May 1992. [7] H. T. Kung and C. E. Leiserson. Systol...

Contents 3 Safety Properties 3 3.1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : 3 3.2 The meaning of co : : : : : : : : : : : : : : : : : : : : : : : 4 3.3 Special cases of co : : : : : : : : : : : : : : : : : : : : : : : 9 3.3.1 Stable, Invariant, Constant : : : : : : : : : : : : : : 9 3.3.2 Fixed Point : : : : : : : : : : :...

Research in multiprogramming has, traditionally, attempted to reconcile two apparently contradictory goals: (1) it should be possible to understand a module (e.g., a process or a data object) in isolation, without considerations of interference by the other modules, and (2) the implementation should permit a ne level of granularity so that no proce...

Introduction It is well known that strengthening a guard of any statement in a program preserves all its safety properties though certain progress properties may be destroyed. (If all guards are strengthened to false, the corresponding statements would never be executed causing serious disruption in progress.) The purpose of this note is to investi...

llary to the union theorem on the above and (1) 5 Theorem 2: T ) F:FP; T is stable in G; p ensures q in G T p ensures T q in F [] G This work was partially supported by ONR Contracts N00014-87-K-0510 and N00014-86-0763 and by a grant from the John Simon Guggenheim Foundation. 1 Proof: Similar to the proof of Theorem 1; replace unless by ensures. 5...

Introduction We interpret the program F ; G in operational terms as follows. Program F 's execution is started. If a fixedpoint state of F is reached, the execution of G is started from that state. It simplifies matters, and it does not sacrifice generality, to assume that G has no initialization section. (If G has an initialization section, we may...

Introduction Auxiliary variables are usually employed to record the history of a computation, and, thereby, allow reasoning over the entire computation history. They are typically defined by augmenting the program text; if, for instance, x is a program variable and y is a variable that counts the number of times x has changed value then y may be de...

s work was partially supported by ONR Contracts N00014-87-K-0510 and N00014-86-0763, by a grant from the John Simon Guggenheim Foundation. 1 s :r :q 7! false , PSP on (3) and (4) s ) q r , impossibility theorem on the above and then rewriting (5) p unless :p , property of unless s unless q , repeating (2) p s unless (p q) (:p s) (:p q) , conjunctio...

Introduction To paraphrase Mark Twain, the unsoundness of the substitution axiom has been greatly exaggerated. Last June, Jan van de Snepscheut showed me an example where p unless q, in a given program, for some specific p; q, could be proven "true" by application of the substitution axiom and "false" by appealing to the original definition. Since...

Michael Fischer[2] has proposed a mutual exclusion algorithm that ingeniously exploits real time. We prove this algorithm using the time-honored technique of establishing an appropriate invariant. 1 Introduction Michael Fischer[2] has proposed a mutual exclusion algorithm in which real time is used to speed up certain actions and slow down certain...

, trivially r 7! q , since p 7! q from p ensures q r unless q , from p ensures q we have p unless q 2) p 7! s ; s 7! q : Inductively, we may assume from p 7! s that there is a predicate rp satisfying p ) rp ; rp 7! s ; rp unless s Similarly, from s 7! q, we have a predicate rs satisfying s ) rs ; rs 7! q ; rs unless q Let r = rp rs. We show that r...

this paper we show a very simple scheme for solving this problem.

Now This work was partially supported by ONR Contracts N00014-87-K-0510 and N00014-86-0763, by a grant from the John Simon Guggenheim Foundation. s :r :q 7! false , PSP on (3) and (4) s ) q r , impossibility theorem on the above and then rewriting (5) p unless :p , property of unless s unless q , repeating (2) p s unless (p q) (:p s) (:p q) , conju...

Introduction The question considered in this note is this: Under what condition is a progress property of program F preserved when F is composed with another program? For safety properties and progress properties of the form p ensures q, the corresponding question is answered by the union theorem. For general progress properties, however, there see...