下载文档原格式
抽象灵感的英语作文Title: Unveiling the Essence of Abstract Inspiration。
In the realm of creativity, abstract inspiration serves as the ethereal force that drives artistic expression and innovation. It is a mysterious muse that whispers ideasinto the minds of creators, transcending conventional boundaries and igniting the imagination. Exploring the nature of abstract inspiration unveils a captivating journey into the depths of human creativity.At its core, abstract inspiration defies conventional definition, eluding the confines of logic and reason. It emanates from the subconscious mind, often emerging unexpectedly and evoking a profound sense of wonder. Unlike concrete stimuli, such as tangible objects or specific experiences, abstract inspiration arises from intangible sources, such as emotions, dreams, and the collective unconscious.One of the most intriguing aspects of abstract inspiration is its elusive nature. It cannot be summoned at will or controlled by external forces; rather, it manifests spontaneously, like a sudden burst of light in the darkness. Artists, writers, and innovators alike have long grappled with the enigma of inspiration, seeking to capture its essence and harness its transformative power.In the realm of visual arts, abstract inspiration takes on myriad forms, from the vibrant brushstrokes of apainting to the sculpted contours of a masterpiece.Abstract artists, such as Wassily Kandinsky and Jackson Pollock, have famously explored the depths of the subconscious, allowing their inner visions to guide their creative process. Through abstraction, they transcend the limitations of representation, inviting viewers to delveinto the realm of pure sensation and emotion.Similarly, in the domain of literature, abstract inspiration fuels the imaginations of writers and poets, infusing their words with lyrical beauty and profound meaning. Authors like Virginia Woolf and James Joyce delveinto the inner workings of the human psyche, weavingintricate narratives that defy traditional storytelling conventions. Through stream-of-consciousness prose and experimental techniques, they capture the fleeting natureof thought and emotion, inviting readers to explore the depths of the human experience.Innovation, too, is fueled by abstract inspiration, as visionary thinkers push the boundaries of possibility and redefine the limits of human potential. Scientists and inventors draw upon abstract concepts and theoretical frameworks to envision groundbreaking technologies and paradigm-shifting discoveries. From the revolutionary theories of Albert Einstein to the disruptive innovationsof Steve Jobs, abstract inspiration serves as the catalyst for progress and change.Despite its intangible nature, abstract inspiration is not devoid of structure or meaning. Rather, it existswithin a framework of interconnected ideas and associations, drawing upon the rich tapestry of human experience. Each moment of inspiration builds upon the accumulated wisdom ofthe past, weaving together disparate threads of thoughtinto a cohesive whole.Ultimately, abstract inspiration serves as a reminderof the boundless potential of the human mind. It invites us to embrace uncertainty and embrace the unknown, trusting in the creative process to guide us towards new horizons. By surrendering to the ebb and flow of inspiration, we open ourselves to infinite possibilities, allowing our imaginations to soar beyond the constraints of the familiar.In conclusion, abstract inspiration transcends the boundaries of conventional understanding, serving as a source of creativity and innovation. From the visual artsto literature to scientific discovery, it permeates every aspect of human endeavor, guiding us towards new realms of possibility. By embracing the enigma of abstractinspiration, we embark on a journey of self-discovery and artistic expression, tapping into the infinite wellspringof creativity that lies within us all.。
Translation Strategies for Translating Postmodifiers in Scientific Text from the Perspective of Logic Translation Theory: A Case Study of the Translation of Climate Changeand Air PollutionByZhang XiaojieUnder the Supervision ofAssociate Professor Zheng YouqiSubmitted in Partial Fulfillment of the RequirementsFor the Degree of Master of Translation and InterpretingDepartment of EnglishCollege of Liberal ArtsNanjing University of Information Science & TechnologyJune, 2019AcknowledgementsI would like to express my sincere appreciation to those who have given me invaluable help during the writing of this report.First and foremost, my heartfelt gratitude goes to my supervisor, Associate Professor Zheng Youqi, for his constant encouragement during these two years and instructive advice on this report. Associate Professor Zheng has offered a lot of valuable suggestions during the preparation for the report. He has also revised my draft carefully and offered clear instruction. Without his patient instruction and insightful criticism, it would not have been possible for me to complete this report.In addition, I wish to take this opportunity to express my deep gratitude to all the teachers who have taught me for their patient instructions in many courses and their precious suggestions. What I learned from their classes has helped me lay the foundation for this report.Last but not least, my gratitude extends to my beloved parents for providing support and care for me in my whole life. They have given me strong support when I was confronted with difficulties in writing the report.ContentsAbstract ........................................................................................................................ I II 摘要 (V)Chapter One Introduction (1)1.1 Research Background (1)1.2 Motivation and Significance of the Research (2)1.3 Layout of the Report (3)Chapter Two Task Description (5)2.1 Project Profile (5)2.2 Process of the Project (5)2.2.1 Preparation for Translation (5)2.2.2 Process of Translation (6)2.2.3 Revision after Translation (7)Chapter Three Literature Review (8)3.1 Differences of Attribute between Chinese and English (8)3.2 Translation Strategies for Postmodifier in English. (9)Chapter Four Theoretical Framework (11)4.1 Development of the Logic Translation Theory (11)4.2 Application of the Logic Translation Theory in the Translation of thePostmodifier (12)Chapter Five A Case Study (14)5.1 Translation of the Adjective Phrase as Postmodifier (14)5.1.1 Inversion (14)5.1.2 Division (15)5.2 Translation of the Non-Finite Verb as Postmodifier (16)5.2.1 Inversion (17)5.2.2 Division (18)5.2.3 Amplification (19)5.3 Translation of the Attributive Clause as Postmodifier (20)5.3.1 Inversion (20)5.3.2 Amplification (21)5.3.3 Division (23)5.4 Translation of the Prepositional Phrase as Postmodifier. (24)5.4.1 Inversion (24)5.4.2 Conversion (25)5.4.3 Amplification (25)5.4.4 Division (26)Chapter Six Conclusion (28)References (30)Appendix 1 Source Text and Target Text (32)Appendix II Technical Terms (94)攻读学位期间的研究成果 (95)AbstractThere are many postmodifiers in English for Science and Technology (EST), which imply the logic in the original text. EST is characterized by strong professionalism, compact structure, strict logic, concise writing, objective expression, exact content, a large amount of information and emphasis on the existence of facts. Therefore, translators must restore its logical rigor with accurate and standardized expressions. In this translation task, Chapter One, Chapter Two and Chapter Three are selected as the source text from the book Climate Change and Air Pollution. Today, climate change and air pollution are major concerns around the world. These chapters describe the history and the impact of climate change and air pollution, and the international conferences held to address the problems caused by climate change. This report lists four forms of English postmodifiers from the three chapters, namely, adjective phrases as postmodifiers, non-predicate verb phrases as postmodifiers, attributive clauses as postmodifiers, and prepositional phrases as postmodifiers. Under the guidance of logic translation theory, four common translation strategies are used in the translation of these four kinds of postmodifiers, namely conversion, amplification, inversion and division. Logic plays an important role in the process of interlingual transformation, which runs through the process of translation. From words, sentences, paragraphs to the whole text, the more accurately the translator grasps the semantic logic of the source language, the easier it is to understand the meaning of the original text. When a translation is organized, it is the key to express the original meaning accurately and smoothly. Only in this way can the translator successfully transfer source language thinking to target language thinking, and skillfully use the logic of the target language to organize the translation.The report is divided into six chapters. The first chapter demonstrates the research background, the motivation and significance of the research and the layout of the report. The second chapter mainly describes the process of the project. Theliterature review is mentioned in the third chapter, including the differences of attribute between Chinese and English and the translation strategies of postmodifiers in English. The fourth chapter depicts the development and application of the logic translation theory. The fifth chapter, as the main body of the report, poses some proper translation strategies to solve different kinds of problems. The last chapter is a summary of the study.Key Words: Logic translation theory; Postmodifier; Translation strategy; Climate Change and Air Pollution摘要科技英语中后置定语出现频繁,体现原文的逻辑思维。
英语作文里的逻辑如何体现Logic is an essential component of writing an effective and persuasive essay. It is the backbone of a well-structured essay that presents a clear and concise argument. In this essay, I will discuss how logic is reflected in English writing and provide a high-quality imitation of the most downloaded essay online.Firstly, logic is reflected in the structure of an essay. A well-structured essay follows a logical sequenceof ideas that leads the reader from the introduction to the conclusion. The introduction should provide background information and set the tone for the essay. The body paragraphs should be organized in a logical order that supports the thesis statement. Each paragraph shouldcontain a topic sentence that introduces the main idea and evidence that supports it. The conclusion should summarize the main points and restate the thesis statement.Secondly, logic is reflected in the use of evidence. Apersuasive essay should provide evidence that supports the argument. The evidence should be relevant, reliable, and presented in a logical manner. The writer should use facts, statistics, and examples to support their argument. The evidence should be presented in a logical order that supports the thesis statement.Thirdly, logic is reflected in the use of language. The language used in an essay should be clear, concise, and precise. The writer should avoid using vague or ambiguous language that can confuse the reader. The writer should use words and phrases that are appropriate for the audience and the purpose of the essay. The writer should also use transitional words and phrases to connect ideas and create a logical flow.Now, let me provide a high-quality imitation of the most downloaded essay online, reflecting the use of logicin English writing.The topic of my essay is the importance of exercise for a healthy lifestyle. The essay will follow a logicalstructure that includes an introduction, body paragraphs, and a conclusion. The body paragraphs will provide evidence that supports the argument that exercise is essential for a healthy lifestyle.Introduction:Exercise is an essential component of a healthy lifestyle. It has numerous benefits that include weight loss, improved cardiovascular health, and increased energy levels. In this essay, I will discuss the importance of exercise for a healthy lifestyle.Body Paragraph 1:Exercise is an effective way to maintain a healthy weight. It burns calories and increases metabolism, which helps to reduce body fat. In addition, exercise can help to prevent obesity, which is a major risk factor for many chronic diseases.Body Paragraph 2:Exercise improves cardiovascular health. It strengthens the heart and improves blood flow, which reduces the risk of heart disease and stroke. Regular exercise can also lower blood pressure and cholesterol levels, which are other risk factors for cardiovascular disease.Body Paragraph 3:Exercise increases energy levels and improves mood. It releases endorphins, which are natural mood boosters. Regular exercise can also improve sleep quality, which is essential for overall health and wellbeing.Conclusion:In conclusion, exercise is essential for a healthy lifestyle. It has numerous benefits that include weight loss, improved cardiovascular health, and increased energy levels. By incorporating exercise into our daily routine, we can improve our overall health and wellbeing.。
【工程技术研究与应用】主持:李艳利用遗传算法进行机械优化冯锦春1 杨林建1①(1.四川工程职业技术学院,四川德阳618000)[摘 要] 本文简单介绍了遗传算法的原理和运算过程,讨论了遗传算法在机械优化方面的应用,并用实例加以说明,总结了它的特点和应用前景。
[关键词] 遗传算法;机械;优化中图分类号:TH123 文献标识码:A 文章编号:CK N 字07-005(2007)06-0072-02The Use of Geneti c A lgor ith m i nM ach i n ery O pti m i za ti onFeng J inchun 1 Yang L injian2(1.Sichuan Engineering Technical College,Deyang Sichuan 618000,China )Abstract:This paper si m p ly intr oduces a genetic algorith m theory and computati on p r ocess,discusses the ge 2netic algorith m in the app licati on of mechanical op ti m izati on,using exa mp les t o illustrate .It su m s up the charac 2teristics and app licati on p r os pects .Key words:Genetic algorith m s;mechanical engineering;op ti m izati on 遗传算法模拟了自然选择和遗传中发生的复制、交叉和变异等现象,从任一初始种群(populati on )出发,通过随机选择、交叉和变异操作,产生一群更适应环境的个体,使群体进化到搜索空间中越来越好的区域,这样一代一代地不断繁衍进化,最后收敛到一群最适应环境的个体(indi 2vidual ),求得问题的最优解。
英语抽象类作文模板范文Abstract Class Essay Template。
An abstract class is a concept in object-oriented programming that serves as a blueprint for other classes. It cannot be instantiated on its own and is meant to be extended by other classes. In this essay, we will discuss the characteristics of an abstract class, its purpose, and its role in the development of software applications.An abstract class is a class that cannot be instantiated, meaning you cannot create an object of the abstract class itself. Instead, it serves as a base for other classes to inherit from. It can contain both abstract and non-abstract methods. An abstract method is a method that is declared but not implemented in the abstract class. It is meant to be implemented by the subclasses that inherit from the abstract class. On the other hand, a non-abstract method is a method that has an implementation in the abstract class itself.The purpose of an abstract class is to provide a common interface for its subclasses. It allows you to define a set of methods that must be implemented by all the subclasses, ensuring that they have a consistent behavior. This is useful when you have a group of classes that share some common characteristics but also have their own unique behavior. By using an abstract class, you can define the common methods in the abstract class and leave the specific implementation to the subclasses.Another important role of an abstract class is to provide a level of abstraction in the design of a software application. Abstraction is a fundamental concept in object-oriented programming that allows you to focus on the essential features of an object while hiding the unnecessary details. By using an abstract class, you can define the essential methods and properties that are common to a group of related classes, while hiding the implementation details from the outside world. This makes the design of the software application more modular and easier to maintain.In addition, an abstract class can also be used to enforce a specific contract on its subclasses. By defining abstract methods in the abstract class, you can require that all thesubclasses provide an implementation for those methods. This ensures that the subclasses adhere to a certain set of rules and guarantees a consistent behavior across the different subclasses.To create an abstract class in a programming language such as Java or C#, you use the "abstract" keyword in the class definition. For example, in Java, you would declare an abstract class like this:```java。
第43卷第11期包装工程2022年6月PACKAGING ENGINEERING·46·不可逆温敏变色油墨的显色动力学探究俞胡斐,钱静(江南大学,江苏无锡214122)摘要:目的探究温敏变色油墨对时间、温度的响应情况,以及不同制备配方对其动力学参数的影响。
方法利用光生酸剂的分解反应使结晶隐性紫染料开环显色,以此作为变色体系置于丝网油墨中,制备出可随时间–温度累积进行不可逆变色的智能温敏标签。
利用分光密度仪测量标签b*值,以标签b*值变化作为测量指标,将其与变色时间进行拟合,探讨油墨组分对标签变色性能的影响。
并探究不同组配方下b*值对温度变化的响应,以及不同配方对反应活化能的影响。
结果随着时间的积累,油墨印刷标签b*值逐渐减少,标签颜色由浅黄色变成深蓝色;同时,当温度升高,标签的变色速率也随之加快,温度越高,标签所测量的b*值越低,呈现出的蓝色越深。
相同温度下标签|Δb*|值较高时,标签的活化能较低。
结论该标签对时间、温度的积累均有响应,制备的标签活化能在11.453~27.676 kJ/mol波动,具有应用在食品品质智能监控领域的潜力。
关键词:不可逆变色;活化能;丝网印刷中图分类号:TS871 文献标识码:A 文章编号:1001-3563(2022)11-0046-08DOI:10.19554/ki.1001-3563.2022.11.007. All Rights Reserved.Color Kinetics of an Irreversible Thermochromic InkYU Hu-fei, QIAN Jing(Jiangnan University, Jiangsu Wuxi 214122, China)ABSTRACT: The purpose of this paper is to explore the response of thermochromic ink to time and temperature, and theeffects of different preparation formulas on its kinetic parameters. An intelligent thermochromic label that can discolorirreversibly with time-temperature accumulation was prepared by using the decomposition reaction of photo-acid genera-tor to discolor leucocrystal violet as a color-change system in screen ink. A spectrodensitometer was used to measure thelabel b* value, and make the change of label b* value as the measurement index. Then it was fitted with the discolorationtime to explore the influence of ink components on the discoloration performance of labels. With the accumulation oftime, the label b* value gradually reduced, the label color from light yellow to dark blue; at the same time, when thetemperature increases, the rate of discoloration of the label is accelerated. The higher the temperature, the lower the la-bel b* value measured, and the deeper the blue color presented. And the activation energy of the label is lower when thelabel |Δb*| value is higher at the same temperature. In conclusion, the label responds to the accumulation of time andtemperature, and the activation energy of the prepared label fluctuates from 11.453 to 27.676 kJ/mol, which has the po-tential to be applied in the field of intelligent monitoring of food quality.KEY WORDS: irreversible discoloration; activation energy; screen printing收稿日期:2021–08–03基金项目:国家重点研发计划重点专项(2018YFC1603300);无锡科技局产业前瞻和关键技术(现代农业)(N20193008);江苏省苏北专项(SZ–SQ2017049)作者简介:俞胡斐(1997—),女,江南大学硕士生,主攻智能包装。
抽象类英语作文Abstract class is an important concept in object-oriented programming. It serves as a blueprint for other classes to inherit from, but cannot be instantiated on its own. In other words, it is a template that provides a set of common methods and properties for its subclasses to implement. These abstract methods must be defined in the subclasses, making them concrete classes.抽象类是面向对象编程中一个重要的概念。
它充当其他类继承的蓝图,但不能单独实例化。
换句话说,它是一个模板,为其子类提供了一组通用的方法和属性供其实现。
这些抽象方法必须在子类中定义,使它们成为具体类。
One of the key benefits of using abstract classes is to enforce a consistent structure and behavior across multiple related classes. By defining a common set of methods in the abstract class, developers can ensure that all subclasses will have these methods implemented. This can improve code quality and maintainability by promoting code reusability and reducing duplication.使用抽象类的主要好处之一是在多个相关类之间强制执行一致的结构和行为。
Formal derivation of concurrent non-blocking algorithms for real-time systemsConfirmation reportBrijesh Dongol1Contents1Introduction3 2Related Work42.1Foundations (5)Hoare logic and predicate transformers (5)Temporal logic (5)Dynamic logic (5)2.2Non-compositional methods (6)Owicki-Gries (6)UNITY (6)Action systems (7)Modular approach (7)TLA (7)I/O automata (7)2.3Compositional methods (7)2.4Program construction (9)2.5Non-blocking algorithms (9)3Results to date10 Progress for Owicki-Gries (10)Java monitors (10)Refinement rules (11)Latest achievements (11)4Research plan11 Research goals (12)Timeline (12)References1321IntroductionConcurrent programs are difficult to get right and onefinds it hard to trust their validity without a formal proof.There have certainly been examples of errors being uncovered in published algorithms that were previously assumed correct.A variety of formalisms for the verification of concurrent programs have been developed and proof tools that allow verification to be automated are available. However,for complex problems,when the verification does not work,it becomes difficult to judge whether the proof technique or the program itself is at fault. Automated model checking techniques are available where all possible states are scanned for errors.With complex programs however,model checking becomes intractable and suffers from the state-explosion problem.Techniques such as abstraction are required to approximate the program so that we operate on a smaller state space.The success of the model checking then depends on the accuracy of the abstraction.With issues such as these,one might look at the development of correct pro-grams instead,so that verification may be avoided.One such method is that of stepwise refinement where a high level specification that satisfies the require-ments isfirst developed.Via a series of small steps,using correctness preserving refinement rules,the specification is eventually refined to an implementation. The idea here is that at an abstract level programs are less detailed and hence easier to verify.As each refinement is correctness preserving,verifying the va-lidity of the refinement and correctness of the abstract level program is enough to establish correctness of the implementation.Here,the high level specifica-tion must be an abstraction of the implementation,hence,they must satisfy the same requirements.This means that the implementation may not introduce any new behaviour.If for some reason the requirements change,the new behaviour must be introduced at the abstract level and the refinement performed again. Also,these methods are more about proving the validity of refinements rather than providing a calculational method for program construction.Compositional methods of program construction are also available.Here,a program is thought of as consisting of a number of components,each of which implements some part of the given requirements.The idea is that components are smaller and hence easier to verify than an entire system.Each component is described by some specification which allows us to reason about its behaviour without referring to its internal structure.One might even like to maintain a library of components,so that components may be reused whenever necessary. Rules for composing specifications are available,which allow us to compose components without affecting their correctness.A problem with this approach is that when there is a high degree of interaction between processes,compo-nent specifications can become very detailed,but with detailed specifications reusability of components becomes difficult.Also,as leads-to(the main relation used to prove progress)is not compositional,progress properties of individual components can be lost during composition.Another method of constructing correct concurrent programs is that of Fei-jen and van Gasteren which is based on the theory of Owicki and Gries.Here,3we start with an approximation to the solution.Then,requirements are for-malised and added as annotation to this approximation.Code is introduced and modified until the annotation is satisfied.As the annotation represents a program’s proof,a program is in fact built to satisfy its proof.Modifications are motivated by the proof rules of Owicki and Gries and wlp calculations of Di-jkstra.A number of lemmas have also been provided which allows much of the work to be avoided.The method has already been used to derive a number of programs across a wide range of problems.However,the lack of a formal notion of progress in Owicki-Gries has meant that Feijen and van Gasteren have been unable to reason about progress in their derivations.A more detailed discussion is presented in Section3.The problems we would like to consider are non-blocking algorithms oper-ating over a real-time environment.Non-blocking algorithms achieve synchro-nisation by manipulating variables in complex ways,as opposed to using locks. As no process ever waits,non-blocking versions tend to achieve much better efficiency than equivalent lock-based counterparts.Problems such as priority inversion where a high-priority process is waiting for a lock held by low-priority process can be avoided.This is a serious problem in real-time systems where the high-priority process might miss some deadline due to it being unable to acquire a necessary lock.It is worth noting that Owicki-Gries formalism does not currently have a way of reasoning about real-time,but Hooman-van Roosmalen have described the notion of timing annotation which provides clues on how possible exten-sions might be performed.Timing annotation could also allow us to abandon interleaving semantics and examine true concurrency.Ideas such as conflict composition could be applied here which would force transitions to interleave only when they share the same state space.Within the Java2platform,atomic variable classes are available in Java which allows us to implement non-blocking algorithms.As there are already ex-amples of successful derivations of Java programs using the Feijen-van Gasteren approach,one would think that Java implementation of non-blocking algorithms would be the next logical step.One also hopes that life can be made simpler with tool support.The“Improving the Quality of Protocol Standards”project (http://www.win.tue.nl/oas/iqps/two distinct but equally challenging thought processes of coming up with the appropriate set of formal assertions,then using them to establish a set of proof obligations which can be verified.The two key requirements that concurrent programs need to satisfy are safety and liveness[Lam77].This distinction has developed extensively over time,expressed via a number of different viewpoints [Kin94].For instance,[AS85,AS87]shows us how,from a topological viewpoint, safety properties are closed sets and liveness properties dense sets.When think-ing about progress,one must invariably address assumptions about fairness as well.This topic is carefully studied in[Fra86].Correctness conditions like lin-earisability that focus on data(rather than control)have also been deveoped [HW90],which is the main condition used to verify non-blocking algorithms(eg. [DGLM04]).2.1FoundationsHoare logic and predicate transformers One of thefirst coherent meth-ods of proving properties of programs using program text was via Hoare logic [Hoa69].Later,[Dij76]introduced us to predicate transformers with which, one could prove program properties purely by syntactic manipulation.As the method is calculational,predicate transformers proved to be a useful tool not only in verification,but also in program derivation.Hoare logic and predicate transformers were initially developed to prove properties of sequential programs, hence suitable extensions are necessary in the context of concurrency. Temporal logic Temporal logic[Pnu77,MP95],is an extension to classical first order logic,which allowed reasoning about properties that change with time.Temporal logic drives the machinery for proving progress in the same way that Hoare-logic does for safety.Two forms of temporal logic exist-linear time temporal logic(LTL)and concurrent(or branching time)temporal logic (CTL),whose merits are described in[Lam80,EH86].The view taken by LTL is that for each moment,there is exactly one possible future,whereas CTL says that time may split into multiple paths representing the different possible futures.Proofs of temporal formulas without using temporal logic are explained in[AS89],where temporal formulas are translated to Buchi automata. Dynamic logic Dynamic logic(DL)[Har84]is another formalism for reason-ing about programs.DL is expressive enough to be able to give us insights into various program properties like correctness,the expressive power of program-ming constructs,program equality etc.The logic is a mix offirst order and predicate logic,modal logic and process algebras.A concurrent extension can be made[Pel87a,Pel87b,Pel84]where computations are modelled by branching paths.52.2Non-compositional methodsThese methods are classified as those that require complete knowledge of the other components.Owicki-Gries A popular and much referenced method for verification of con-current programs is the theory of Owicki-Gries[OG76]which builds on Hoare’s logic for sequential programs.The method supercedes the previously existing global invariant method of Ashcroft[Ash75]which itself is a concurrent ex-tension to the global invariant method of[Flo67]for sequential systems.The state-explosion problem suffered by the global invariant method is avoided via the interference freedom condition which allows us to decompose invariants so that a number of smaller proof obligations are proved instead.[Lam88]points out that annotations provide a pleasant manner in which verification of large invariants are decomposed into smaller and more localised proofs.The Owicki-Gries method is thought of as being more applicable to shared-memory systems, however,[AO91,FvG99]have shown how communication channels may be mod-elled by shared variables to reason about distributed systems.It is sometimes referred to as the modular method of proving invariants[JHW96].Owicki-Gries does,however,have a crucial deficiency:there does not exist a logic for reasoning about progress.This fact remained true for the derivations in[FvG99]where progress is given an informal operational treatment.Progress for the Owicki-Gries theory is addressed in[DG05]by incorporating the rules of progress of UNITY into the logic.In[GD05]the extended theory is used to derive Dekker’s algorithm in the style of Feijen and van Gasteren,where safety as well as progress are given equal consideration.UNITY UNITY[CM88]takes into account the commonalities in program de-velopment without targeting a specific application or architecture.The theory in UNITY has produced the greatest strides with the axiomatisation of the pre-viously temporal notion of leads-to.However,leads-to is limited as we cannot directly reason about temporal properties such as‘next’and complex manipu-lation of auxiliary variables are necessary to achieve this[Sha93,CK97].Also, there is an absence of control in UNITY,hence existing theories for program development and verification are not applicable[dRdBH+01].It is not easy to introduce operators such as sequential composition[SdR94].[CM88,Kna90a, Kna90b]give us examples of development of programs,ultimately represented in the UNITY framework.The development process consists of stating the requirements as a number of invariants,then refining these invariants until a level of detail is reached where the UNITY program becomes obvious.[GP89] describes the relationship between UNITY and linear temporal logic by show-ing how UNITY might have been obtained as a specialisation of temporal logic and the transition logic of[Ger84].[JKR89]shows that the leads-to operator in UNITY and that of temporal logic are in fact the same.[CK97]extends UNITY to a compositional framework which also explores strongest invariants[Lam90].6Action systems Another important formalism is that of action systems[Bac89, BS89,Bac92a,Bac92b].The model itself very similar to UNITY,however,the theoretical background is radically different.The idea is that when interleaving semantics is employed,the semantics of a concurrent system is no different from a non-deterministic sequential program.Hence,one can use a sequential pro-gram to model a concurrent system.Semantics of action systems are described in a lattice theoretical framework.Action systems have been extended tofit many contexts such as reactive[Bac92b],component based[Ruk03],distributed and shared memory[BS89].Refinements based on transition traces using ac-tion systems is described in[BvW94].[Qiw96]investigates three different types of refinement in the action system framework–global,modular,and composi-tional.Only safety and forward simulation is addressed,however,the author claims that generalisations that allow backwards simulation and progress to be addressed are possible.Modular approach[Sha93,LS92],presents another state transition model with syntactic constructs similar to that of IOAs,but with semantics that follow UNITY.Systems are represented as sets of state variables,initial conditions, fairness requirements and events.The main difference between UNITY and this method is that we are able to specify different fairness assumptions for different actions.This formalism was developed to reason about distributed protocols.TLA TLA or temporal logic of actions is a body of work developed by Lamport [Lam94].[Aba90]provides an axiomatisation of TLA,and[AL93,AL95]shows us how programs can be constructed in a compositional manner.However, it turns out,that the proofs using TLA are not much different to a proof in the other mport himself claims that any proof in TLA can be translated to a proof in any other method,and vice versa.It seems that for verification at least,the difference might just be presentational.The notion of refinement mappings appears in[AL91]which allows us to prove that a lower-level specification implements a higher level one.In contrast to[FvG99,CM88], the TLA approach is to validate refinements rather than incremental derivation.A very good tutorial on TLA appears in[Lad97].I/O automata[LT89]introduces us to the input/output automata(IOA) formalism,which wasfirst developed as a tool for modelling concurrent and distributed discrete event systems.This work has now been extended to model continuous systems[NLV03].Refinement in the context of IOAs is described in [LV95].2.3Compositional methodsComposition consists of building a system out of several smaller components so that the combined effect of the components satisfies the requirements of the7system.This idea wasfirst advocated in[FP78],and has now become a much establishedfield by itself.Such methods are undeniably necessary in order to verify or construct large scale systems.We prefer to treat a component as a ‘black box’so their composition need not refer to program text.Properties of the component are described by its specification.A variety of terms like rely-guarantee[Jon83],assumption-commitment[MC81],and assumption-guarantee [JT96]are used to describe compositional reasoning.We distinguish between the construction of compositional programs and compositional positional programs are programs that are com-positional by nature whereas compositional reasoning involves arbitrary parallel programs and attempts to construct a compositional proof of the program as a whole by considering the individual parts separately.[Lam98]describes why compositional proof techniques in the context of concurrency are to be avoided.[AL93]pins down the conditions under which specifications can be com-posed.As descriptions are entirely at a semantic level and transition traces are observed,no specific language is referred to,which makes the work appli-cable to a number of other approaches.A description of how specifications can be composed is given,followed by a discussion on how an implementation of a specification by another can be proved.This allows the non-cyclical composition principle to be stated which can be used to prove whether the composition of two specifications implements a program.[XdRH97]provides an overview of compositional methods using the rely-guarantee approach and its relation to the Owicki-Gries and assumption-com-mitment approaches,including proofs of soundness and completeness of the sys-tem.Following[Stø90],the paper also outlines how additional information can be added to the specification so that one may reason about deadlock freedom.From[MS00]we learn that leads-to relations are generally not compositional, yet,specific instances of when they are can be ing a notion called progress sets generalised versions of known compositional theorems for leads-to are produced.[CS95,CS96a]explores how a weakest guarantees(wg)property transformer can be defined,which forms a relationship with the guarantees property similar to that of wp to Hoare-triples.This is used in[CC02]to show us how compositional approaches can be used in specification,development and verification of concurrent programs.[DS96]explores compositionality of the ‘to-always’class of progress properties with which limited results are obtained. [Sha98]introduces us to lazy composition,an alternative paradigm to rely-guarantee where proofs of components meeting their expectations are delayed till sufficient detail has been provided to their design.[dRdBH+01,JPZ91,SdR94]shows how we can use transformational design techniques to develop distributed programs.An attempt is made to produce a layered version of the algorithm where each layer is a smaller concurrent program than the original.The layers themselves are conflict composed which means the ordering of statements only matter when the statements are in conflict.From this,using the communication closed layers(CCLs)theorem,an equivalent dis-tributed version is produced.The motivation behind this approach is that layered versions are easier to verify than distributed ones.Decomposition of the8global invariant takes place as proofs focus only on each layer of the program. [JPZ91]presents a framework that combines action systems with CCLs in a way that supports composition.[JZ92]presents a derivation of a complicated algo-rithm for determining minimum weight spanning trees of graphs using CCLs, and provides a good example of how CCLs are useful in derivation of complex systems.2.4Program constructionA survey of popular data refinement techniques and the relationships between a number of different formalisms is given in[dRE96].Traditionally,two types of simulation relations exist–forwards(or downwards)and backwards(or up-wards).Neither relation by itself is complete and to achieve completeness,one mustfind an intermediate system such that there is a forwards simulation from the concrete to the intermediate and a backwards simulation from the interme-diate to the abstract.[LV95]describes how a single relation that captures both forwards and backwards simulation can be constructed.This is done by con-structing a relation that relates concrete states to sets of abstract states.[Bro93] describes a refinement calculus using transition trace semantics which[Din98] advocates as a good basis for the stepwise refinement of parallel programs.The method in[Din98]supports compositional reasoning,local variables,fairness and reasoning about liveness properties.Another way of constructing concurrent programs is by starting out with a coarse-grained solution,where large chunks of the operation is performed atomically,then reducing granularity of code until we can guarantee atomicity of the statements in our implementation machine.This is the approach taken in[FvG99,GD05].People have also looked at ways to algorithmically construct concurrent pro-grams,however,most of these methods are deficient in some way.For example, the algorithm of[MW84]produces programs with a highly centralised archi-tecture and[EC82]produces concurrent programs in a shared memory model, however,a large number of shared variables may need to be accessed atomically, making many programs infeasible.More recently[EH93,AE96]have developed synthesis algorithms to tackle the problems listed above.However,the method in[AE96]is incomplete(solutions are not always found)and although[EH93] always produces a solution adding a new process requires the whole algorithm to be repeated from scratch.[YKB02]describes a method of synthesising Java monitors using an airport ground traffic control system as an example,but this too has problems regarding the complexity of the solution.2.5Non-blocking algorithmsThe idea of non-blocking algorithms was introduced by Lamport[Lam87],and [HW90]defined linearisability,which is the main correctness condition used in non-blocking algorithms.It is generally accepted that non-blocking versions outperform their blocking counterparts(eg.[MS96,FH]).However,the lock9free property alone is not enough to avoid problems such as infinite overtak-ing,for which reason the notion of wait-free algorithms was developed[Her91]. Derivations of non-blocking algorithms in the style of[FvG99]are presented in[Moo02],and[AC05]describes a development of a concurrent non-blocking queue using Event-B.3Results to dateAs the name suggests,this section outlines the work done so far.Progress for Owicki-Gries An early achievement in this project has been the development of a progress logic for the previously incomplete Owicki-Gries theory[DG05].One of the aims here is to make the change as small as possible, so that familiarity with the Owicki-Gries formalism is maintained.Thefirst realisation is that it is impossible to reason about progress without referring to a program’s control state.Hence,we need to introduce a systematic method of labelling the various control points.This is done by labelling each atomic statement with a unique initial label.Thefinal atomic statement of each process is also given a uniquefinal label so that we may reason about termination.We introduce control variables(program counters),modelled on auxiliary variables,which capture control information without influencing a program’s controlflow.Prior to execution of any statement the program counter must be equal to the statement’s initial label,which indicates that control is currently at the statement.Once the statement is executed,the value of the program counter is updated to the initial label of the statement that follows sequentially.To capture the change in a program’s control state,modified wlp rules for labelled statements are introduced.Finally,progress rules from UNITY are modified tofit the Owicki-Gries formalism,so that temporal‘eventuality’properties could be proved[DG05].This work has been submitted to‘Logical Methods in Computer Science’and is currently under review.The main advantage provided by the extension was that it allowed progress considerations to drive program development in the style of[FvG99].[GD05] presents a significant example of this where the extended theory is used to derive Dekker’s mutual exclusion algorithm.Java monitors Another achievement has been the formalisation of Java syn-chronisation commands in the extended Owicki-Gries model.This not only allowed safety and progress properties of multi-threaded Java programs to be verified,but also provided a basis for the development of Java monitors.The derivation procedure consists of two distinct stages.Thefirst is the development of the model using the standard Feijen-van Gasteren approach.As the model would most likely make atomicity assumptions Java is unable to guarantee,a transformation procedure is necessary to translate the program to the model for the Java monitor.This work has been submitted to QSIC05,and serves as10an example of how the Feijen-van Gasteren development method together with the extended Owicki-Gries theory,can be used to develop Java programs.There are many future directions for this work.For example,exception han-dling has not yet been formalised.When an exception does occur,the behaviour of the program changes significantly.Although exception handling does not af-fect our goal of designing correct Java programs,formalising exception handling, would allow us to design programs that catch exceptions correctly.It might also be possible streamline the two stage process in favour of an approach in which Java programs are generated more directly.Here,one would have to derive the algorithm itself with a Java implementation in mind,rather than a derivation followed by a translation.A difficulty would be reasoning about Java’s wait statement which blocks halfway through its execution.Refinement rules Although this derivation style is successful,we might still like to apply traditional refinement techniques such as simulation,a technique that has been used effectively to prove correctness of non-blocking algorithms [DGLM04].With the idea in mind that translation should be avoided when-ever possible,another achievement has been the development of rules to prove simulation.These rules were adapted from other formalisms and hence do not contain anything theoretically new,but has been a useful learning exercise and demonstrates that the Owicki-Gries formalism can be extended with simulation rules.Latest achievements Some advances have been made towards derivations of non-blocking algorithms for concurrent data structures,and reasoning about concurrent real-time systems using timing annotation.Safety and progress proofs in PVS have also been looked at.4Research planAs mention in Section1,the goal for the next two years is to focus on derivations of non-blocking algorithms,in particular,non-blocking algorithms in the context of real-time.To avoid problems such as priority inversion,it looks likely that we will need to focus on wait-free algorithms.[HvR00]describes a refinement model for real time systems where the idea of timing annotation has been introduced.Each atomic transition is associated with an‘execution moment’that records when the effect of the transition was realised.Timing annotation allows us to reason about timing requirements for each statement,i.e.,to check when in time each statement may execute.Failure of programs to satisfy timing requirements may help us introduce new code in the same manner as[FvG99].We might also see the need to extend the progress logic further by providing a basis for the‘next’temporal operator.As it is not part of the UNITY logic,‘next’is also missing from Owicki-Gries extension.With leads-to,one can only show that a property eventually becomes true but not that it becomes true in11the immediate next state.Yet,for wait-free algorithms,identifying the sorts of conditions that are required for‘next’to be true may be useful.Research goals1.Extensions to the Owicki-Gries system:(a)Support for real-time(b)Support for‘next’(c)Complete refinement rules2.Derivations in the style of Feijen and van Gasteren that consider safetyand progress:(a)Real-time algorithms(b)Programs that incorporate‘next’(c)Non-blocking concurrent data structures(d)Wait-free algorithms(e)Implementation in Java3.Tool support for the extensions and derivation process.Non-blocking queueTimeline for2006Timeline for2007This year will be spent tying up any loose ends and writing up the thesis.12References[Aba90]M.Abadi.An axiomatization of Lamport’s temporal logic of ac-tions,1990.[AC05]J.R.Abrial and D.Cansell.Formal construction of a non-blocking concurrent queue algorithm(a case study in atomicity).Journalof Universal Computer Science,2005.[AE96]P.C.Attie and E.A.Emerson.Synthesis of concurrent systems for an atomic read/atomic write model of computation.In Proceed-ings of the5th Annual ACM Symposium on Principles of Dis-tributed Computing,pages111–120,Philadelphia,Pennsylvania,United States,1996.[AL91]M.Abadi and mport.The existence of refinement mappings.Theoretical Computer Science,82(2):253–284,1991.[AL93]M.Abadi and posing specifications.ACM Trans.ng.Syst.,15(1):73–132,1993.[AL95]M.Abadi and mport.Conjoining specifications.ACM Trans.ng.Syst.,17(3):507–535,1995.[AO91]K.R.Apt and E.R.Olderog.Verification of sequential and con-current programs.Springer-Verlag New York,Inc.,1991.[AS85] B.Alpern and F.B.Schneider.Defining liveness.21:181–185, 1985.[AS87] B.Alpern and F.B.Schneider.Recognizing safety and liveness.Distributed Computing,2(3):117–126,1987.[AS89] B.Alpern and F. B.Schneider.Verifying temporal proper-ties without temporal logic.ACM ng.Syst.,11(1):147–167,1989.[Ash75] E.A.Ashcroft.Proving assertions about parallel programs.JCSS, 10:110–135,February1975.[Bac89]R.J.R.Back.Refinement calculus,part II:Parallel and reactive programs.In REX Workshop for Refinement of Distributed Sys-tems,LNCS430.Springer-Verlag,Nijmegen,The Netherlands,1989.[Bac92a]R.J.R.Back.Refinement calculus,lattices and higher order logic.Technical Report CaltechCSTR:1992.cs-tr-92-22,California Insti-tute of Technology,1992.13。
Using Temporal Logic to SpecifyAdaptive Program Semantics∗Ji Zhang and Betty H.C.ChengSoftware Engineering and Network Systems LaboratoryDepartment of Computer Science and EngineeringMichigan State UniversityEast Lansing,Michigan48824tted:{zh1IntroductionIncreasingly,computer software must adapt to changing conditions in both the supporting computing and communication infrastructure,as well as in the surrounding physical environment(1).However,adaptive programs may be prone to errant behavior due to its innate high complexity and possibly im-precise requirements.The benefit expected from adaptations,such as higher reliability and higher availability,may be countered by the errors introduced during the adaptive software development process.Furthermore,the correct-ness of adaptation becomes most crucial when the adaptive software is applied in a safety-critical domain,such as the control software for medical devices, etc.Correctness of adaptive programs cannot be properly addressed without precisely specifying the requirements for the adaptive programs.This paper introduces specifications for three commonly used adaptation semantics and two composition techniques to be used for constructing the temporal logic specification of an adaptive program.Numerous techniques have been proposed to address the correctness of adap-tations.Kulkarni et al.(2)introduced a transitional-invariant lattice approach that uses theorem proving techniques to show that during and after an adapta-tion,the adaptive program is always in correct states with respect to satisfying the transitional-invariants.Some approaches(3;4;5)use formal languages to describe the structural changes of the software at the design and implemen-tation levels.Other approaches(6;7;8;9;10;11;12;13)design adaptation protocols or algorithms to be used during component replacement to achieve a rigorous and safe adaptation procedure.Different approaches assume different adaptation semantics.For example,Appavoo et al.(12)introduced a hot-swapping technique,which does not allow the old and the new components to execute simultaneously to achieve strict sequential semantics.In contrast,in order to improve performance,Chen et al.(11)proposed a graceful adaptation process,which allows the old component and the new component to overlap their executions.These different semantics are implied by their designs and implementations.All of the above techniques focus on the design and the im-plementation of achieving adaptability,while the requirements for adaptation are largely assumed or ambiguous.We believe that the semantics for adaptive software should be explicitly cap-tured at the requirements level(14).The correctness of adaptive software can then be evaluated with respect to its adaptation requirements specification.A recent survey(15)describes numerous research efforts that have proposed ways to formally specify dynamically adaptive programs in the past several years.Graph-based approaches model the dynamic architectures of adaptive programs as graph transformations(16;17;18).Architecture Description Lan-guage(ADL)-based approaches model adaptive programs with connection andreconnection of connectors(10;19;4).A few efforts have formally specified the behavioral changes of adaptive programs,including those that use process algebras to specify the behavior of adaptive programs(20;21;22).This paper focuses on the specification of requirements of adaptations with temporal logics.We model an adaptive program as the composition of afinite number of steady-state programs(20)(briefly programs)and the adaptations among these programs.We assume that the properties(e.g.liveness and safety properties)of each program have already been specified with a Linear Tempo-ral Logic(LTL)formula(23).To specify an adaptation from one program to another,we introduce the Adapt operator-extended LTL(A-LTL),an extension to LTL.We introduce three basic adaptation semantics and use A-LTL to for-mally specify their semantics.We can compose the basic adaptation semantics with two types of compositional procedures:neighborhood compositions and sequential compositions to derive more complex adaptation semantics.We introduce adaptation semantics graphs,a graph-based representation of adap-tive programs semantics,which can be automatically processed to generate adaptive program specifications.The formal specifications for adaptive programs precisely describe the objec-tives for adaptive programs,which facilitate rigorous software requirements specifications,and thus improves the assurance of the software.The adap-tation semantics graphs and the generated temporal logic specifications may serve as guidance for the adaptation developers to clarify the intent for the adaptive program.The temporal specifications also enable us to perform nu-merous automated analyses of the adaptive program,such as specification consistency,model checking to verify the correctness of a program model, dynamic insertion of adaptation logic code into the program,etc.We have successfully applied our specification technique to a number of adap-tive mobile computing applications,including MetaSockets(24).The remain-der of this paper is organized as follows.In Section2,we introduce A-LTL and describe three basic adaptation semantics.Section3describes neighborhood specification compositions,sequential specification compositions,and adapta-tion semantics graphs.Section4illustrates our approach with a MetaSockets example.Section5concludes the paper and discusses future directions.2Adaptation SemanticsIn this paper,we take a most general view of programs,i.e.,all programs and adaptive programs are considered as state machines(FSAs).An adaptive program changes its behavior during its execution.The state space describing each different kind of steady-state(20)behavior is a non-adaptive program,orbriefly a program.The state space describing the change of behavior from one program(source program)to another(target program)is a simple adaptive program,which can be identified by the source and target program pair.2.1Adapt Operator-Extended LTLLTL is a temporal extension to propositional logic(23).An LTL formula is constructed over a set of atomic propositions(Π),using¬(not)and∧(and) boolean operators,and (next)and U(until)temporal connectives.Other operators are defined as abbreviations over the above basic operators,such as ∨(or),→(imply),↔(co-imply),♦(eventually),2(always),etc.Existing LTL operators are insufficient for specifying adaptation behavior. In LTL,the operator closest to capturing the meaning of adaptation is the until(U)operator.However,we cannot express an adaptation from the be-havior specified withφto the behavior specified withψusingφUψfor the following reason:If a state sequenceσ=s0,s1,···satisfiesφUψ(denoted as σ|=φUψ),thenφshould hold for all suffixes ofσstarting from all the states before a certain state.However,adaptation semantics usually only requireφto hold for a given interval ofσ.Several temporal logics,including the choppy logic(25),the Propositional Interval Temporal Logic(PITL)(26;27;28;29;30),and the Interval Temporal Logic(ITL)(31),are capable of expressing adaptation behavior.However,these logics are both too complex and incon-venient for our adaptation specification purposes.By“inconvenient”we mean that they do not have direct notation support.To specify adaptation behavior,we extend LTL with the adapt operator (“Ω ”).Informally,a program satisfies“φΩ ψ”(φ,ψ,andΩare three tem-poral logic formulae)means that the program initially satisfiesφ.In a certain state A,it stops being constrained byφ,and in the next state B,it starts to satisfyψ.We formally define A-LTL as follows:•Ifφis an LTL formula,thenφis also an A-LTL formula.•Ifφandψare both A-LTL formulae,thenξ=φΩ ψis an A-LTL formula.•Ifφandψare both A-LTL formulae,then¬φ,φ∧ψ,φ∨ψ,andφUψare all A-LTL formulae.We define the A-LTL semantics as follows.•Ifσis an infinite state sequence andφis an LTL formula,thenσsatisfies φin A-LTL if and only ifσsatisfiesφin LTL.Formally,σ|=φiffσ|=φin LTL.•Ifσis afinite state sequence andφis an A-LTL formula,thenσ|=fφiffσ |=φ,whereσ is an infinite state sequence constructed by repeating thelast state ofσ.•σ|=φΩ ψiffthere exist afinite state sequenceσ =(s0,s1,···s k)and an infinite state sequenceσ =(s k+1,s k+2,···),such thatσ=σ σ ,σ |=fφ,σ |=ψ,and(s k,s k+1)|=fΩ,whereφ,ψ,andΩare A-LTL formulae.A sequence satisfyingφΩ ψcan be considered the concatenation of two subsequences,where thefirst subsequence satisfiesφ,the second subse-quence satisfiesψ,and the two states connecting the two subsequences satisfyΩ.•Other operators(→,∧,∨,U,¬,etc)are defined similarly as those used in LTL.TheΩnotation of an adapt operator can be used for specifying additional safe conditions for the state in which the adaptation occurs and logical connections between the behavior before and after adaptation.Although in some cases, the extra constraints are not used(where we simply setΩto be true),we find this notation to be useful in many other cases.For example,we can useΩ=buffer-empty to constrain that the buffer must be empty when the adaptation occurs.We separate the behavior of an adaptive program into adaptation invariants, the properties that hold continuously during an execution of the program,and adaptation variants,the properties that change during the program’s execu-tion.Wefirst introduce three adaptation semantics specifications in A-LTL. These semantics are used to specify the adaptation variants of adaptations from a given source program to a given target program.Then we introduce composition techniques to handle general adaptive programs.Finally,we com-pose adaptation invariants with adaptation variants to specify the overall adaptive program behavior.2.2Semantics for Adaptation VariantsSeveral questions have to be answered before designing an adaptive program: (1)What is the expected behavior after adaptation?(2)What constraints,if any,exist for adaptations to occur?(3)Are the source program behavior and the target program behavior allowed to overlap?(4)Should the source/target program behavior be restricted during an adaptation,and what are the re-strictions,if any?An adaptation specification should precisely address all of the above questions.Based on results presented in the literature and our own experience,we summarize three commonly used semantics for adaptation.By formally specifying these semantics,we are able to precisely answer the above questions.We assume the source program and the target program have both been spec-ified in LTL,named base specifications.We specify the adaptation from the source program to the target program with A-LTL by extending the base specifications of the source and the target programs.For some adaptations, the source/target program behavior may need to be constrained during the adaptation.These constraints,termed restriction conditions,are specified in LTL.We assume the adaptive program has moderate computational reflection(32) capability,i.e.,it is conscious about its adaptation and the currently running steady-state program.This capability can be achieved by simply introducing flag propositions in the program to identify its current steady-state program or adaptation status.We assume that a decision-making procedure that trans-lates environment changes into specific adaptation requests is available.Our specification technique describes the expected program behavior in response to these requests.We use an atomic proposition A REQ to indicate the receipt of an adaptation request to a target program from the decision making procedure. In this section,we summarize three commonly occurring basic adaptation se-mantics interpretations from the literature(12;11;6;8)specified in terms of A-LTL.There are potentially many other possible adaptation semantics. In all three adaptation specification semantics,we denote the source and the target program base specifications as S SPEC and T SPEC,respectively.If appli-cable,the restriction condition during adaptation is R COND.We assume the flag propositions are already parts of the specifications.We use the term safe states to indicate the states where all the obligations of the source program are fulfilled,thus making it safe to terminate the source behavior.2.2.1One-point adaptation.Under one-point adaptation semantics,after receiving an adaptation requestA REQ,the program adapts to the target program T SPEC at a certain pointduring its execution.The prerequisite for one-point adaptation is that the source program S SPEC should always eventually reach a safe state during its execution.(S SPEC∧♦A REQ)Ω T SPEC(1) The formula states that the program initially satisfies S SPEC.After receiving an adaptation request,A REQ,it waits until the program reaches a safe state, i.e.,all obligations generated by S SPEC are satisfied.Then the program stops being obligated to satisfy S SPEC and starts to satisfy T SPEC.This semantics isvisually presented in Figure1(a),where circles represent a sequence of states. Solid lines represent state intervals and the label of each solid line represents the property that is held by the interval.The arrow points to the states when an adaptation request is received.This semantics is straightforward and is ex-plicitly or implicitly applied by many approaches(e.g.,(12;11;6))to deal with simple cases that do not require restraining the source behavior or overlapping the source and the target behavior.2.2.2Guided adaptation.Under guided adaptation semantics(visually depicted in Figure1(b)),after receiving an adaptation request,the programfirst restrains its source pro-gram behavior by a restriction condition,R COND,and then adapts to the target program when it reaches a safe state.This semantics is suitable for adapta-tions whose source programs do not guarantee reaching a safe state within a given amount of time.The restriction condition should ensure that the source program willfinally reach a safe state.S SPEC∧(♦A REQΩ1 R COND) Ω2 T SPEC(2) This formula states that initially S SPEC is satisfied.After an adaptation re-quest,A REQ,is received,the program should satisfy a restriction conditionRCOND(marked withΩ1 ).When the program reaches a safe state of the source,the program stops being constrained by S SPEC,and starts to satisfy T SPEC (marked withΩ2 ).The hot-swapping technique introduced by Appavoo et al(12)and the safe adaptation protocol(6)introduced in our previous work use the guided adaptation semantics.2.2.3Overlap adaptation.Under overlap adaptation semantics(visually depicted in Figure1(c)),the tar-get program behavior starts before the source program behavior stops.During the overlap of the source and the target behavior,a restriction condition is applied to safeguard the correct behavior of the program.This adaptation se-mantics is appropriate for the case when continuous service from the adaptive program is required.The restriction condition should ensure that the source program reaches a safe state.S SPEC∧(♦A REQΩ1 R COND) Ω2 true ∧ ♦A REQΩ1 T SPEC∧(R CONDΩ2 true) (3)This formula states that initially S SPEC is satisfied.After an adaptation re-quest,A REQ ,is received,the program should start to satisfy T SPEC and alsosatisfy a restriction condition,R COND (marked with Ω1 ).When the programreaches a safe state of the source program,the program stops being obliged by S SPEC and R COND (marked with Ω2 ).The graceful adaptation protocol in-troduced by Chen et al (11)and the distributed reset protocol introduced by Kulkarni et al (8)use the overlap adaptationsemantics.SPEC S SPECTSPEC S SPECT REQRSPEC S SPECTREQCONDFig.1.Adaptation semantics2.2.4Safety and Liveness Properties.Temporal logics are often applied to the specifications of safety and liveness properties of a program.A safety property asserts something bad never hap-pens,while a liveness property asserts something good will eventually hap-pen (33).Although general forms of safety and liveness properties are not preserved by the adaptation semantics defined above,some common forms of safety and liveness properties are preserved.We define a formula to be a point safety property if and only if =2¬η(read as ηnever holds during execution),where ηis a point formula (a formula that does not contain temporal operators).We define a formula to be pointliveness property if and only if =2(α→♦β)(read as it is always the case that ifαholds at some point,thenβwill eventually hold at a point after that point),where bothαandβare point formulae.LEMMA1:All three adaptation semantics preserve point safety properties.That is,if (S SPEC∨T SPEC)→2¬η,whereηis a point property,thenξ→2¬η,whereξis the adaptation specification based on either semantics.We only provide the proof for the one-point adaptation case.Other cases can be proved similarly.ProofLet the adaptation specificationξbe(Formula1)ξ=(S∧♦A REQ)Ω T SPECSPECFor an arbitrary sequenceσ|=ξ,∃σ |=S SPEC∧♦A REQ andσ |=T SPEC, andσ=σ σ .Since(S SPEC∨T SPEC)→2¬η,σ |=2¬η,andσ |=2¬η. Therefore,σ|=2¬η.This lemma implies that if a propositional invariant(such as a variable is never greater than a given value)should be held in both the source and the target subprograms,then the invariant is also held by a simple adaptive program under all three adaptation semantics.This conclusion does not apply to general temporal properties.LEMMA2:Point liveness properties are preserved by all three adaptation semantics. That is,if(S SPEC∨T SPEC)→2(α→♦β),thenξ→2(α→♦β),whereξis the adaptation specification based on either semantics.Also,we only provide the proof for the one-point adaptation case.Other cases can be proved similarly.Proof:Let the adaptation specificationξbe(Formula1)∧♦A REQ)Ω T SPECξ=(SSPECFor an arbitrary sequence s0,s1,···|=ξ,∃i,such that s0,s1,···s i|=S SPEC∧♦A REQ and s i+1,s i+2,···|=T SPEC.Since(S SPEC∨T SPEC)→2(α→♦β),we have s0,s1,···s i|=2(α→♦β),and s i+1,s i+2,···|=2(α→♦β).For an arbitrary state s j,if s j|=α,then we have•if j≤i,then there exists k(j<k≤i)such that s k|=β;•if j>i,then there exists k(j<k)such that s k|=β.That is,s0,s1,···|=2(α→♦β)Therefore,we haveξ→2(α→♦β).3Specification CompositionsThus far,we have described how to specify simple adaptive programs.These specifications can be composed to describe multiple adaptation options from a single steady-state program.We can also link a sequence of adaptation spec-ifications together to describe the behavior of executions with multiple adap-tation occurrences.3.1Neighborhood CompositionA simple adaptive program starts from one program and may adapt to only one target program.A more complex adaptive program may adapt to different target programs in response to different adaptation requests.The neighborhood composition is proposed to specify multiple adaptation options from a single program.We define the neighborhood adaptive program of a program S to be the composition of all the simple adaptive programs that share the same source program S.An execution starting from S can either adapt to a target program if a corresponding adaptation request is received,or remain in S if no adaptation request is received.Assume for all target programs,the properties of the simple adaptive program from S to the i th target program T i is specified with an A-LTL formula STi SPEC,and the properties of S are specified withS SPEC.We can construct the specification for the neighborhood of S by thedisjunction of S SPEC and STi SPEC.Let N SPEC be the neighborhood specification of S,we haveN SPEC=ki=1STiSPEC∨S SPEC(4)where k is the number of simple adaptive programs sharing the same source program S.3.2Sequential CompositionA complex adaptive program may sequentially perform adaptations more than once during a single execution.For example,an adaptive program may startfrom a program A,then sequentially perform adaptations from A to B to obtain program B,and B to C to obtain program C.Assume the properties ofA,B,and C are specified with ASPEC,B SPEC,and C SPEC,respectively.The A toB adaptation specification under a given adaptation semantics is a function ofASPEC and B SPEC:AB SPEC=ADAPT1(A SPEC,B SPEC).The B to C adaptationspecification under a given adaptation semantics is a function of B SPEC andC SPEC:BC SPEC=ADAPT2(B SPEC,C SPEC).The specification of A to B to Cmay be constructed by substituting AB SPEC for the B SPEC in BC SPEC.ABCSPEC=ADAPT2(ADAPT1(A SPEC,B SPEC),C SPEC)(5)Similarly,afinite number of simple adaptive program specifications can be sequentially composed to construct the specification of more complex adaptive programs.THEOREM:Both point safety and point liveness properties are preserved by the adap-tation semantics and the two types of compositions.Proof outline:This theorem can be proved by applying Lemma1and Lemma2.•For neighborhood compositions,from the lemmas,we know that if all base specifications imply a point safety(liveness)propertyφ,then all the disjuncts implyφas well.Then the disjunction(the neighborhood composition)also impliesφ.•For sequential composition,we can prove the conclusion inductively.(1)The base case states0-step sequential composition preserves pointsafety and liveness properties.This has been proved by Lemma1and Lemma2.(2)Then we assume any n-step sequential composition preserves pointsafety and liveness properties.An n+1-step sequential composition can be considered as an n-stepsequential composition composed with a base specification.Then wecan apply Lemma1and Lemma2to the n-step adaptation compo-sition case and claim that all n+1-step sequential compositions alsopreserve point safety and liveness properties.3.3Adaptation InvariantsIn spite of adaptations of a program,some properties should be held true throughout its execution.This type of properties,such as safety and liveness properties,are adaptation invariants.We use LTL formulae to specify adap-tation invariants of the program to ensure the properties that should be held throughout the execution of an adaptive program.3.4Adaptation Specification Visualization and Automatic GenerationAn adaptive program can be visually represented as a graph,where programs are vertices and adaptations are arcs.We add temporal logic information to the graph so that we are able to derive the adaptation temporal logic specification automatically from the graph.We define an adaptation semantics graph to be a tuple(S,S0,A,P,Φ,Ψ,INV),where S is a set of vertices representing the set of programs in an adaptive program.S0⊆S is a set of initial vertices,repre-senting the initial programs of the adaptive program.FunctionΦ:S→LTL maps each program to the base specification for the program.A⊆S×S is a set of arcs representing adaptations.Function P:A→semantics name maps an adaptation to one of the semantics names{one-point,guided,overlap}.Ψ:A→LTL is a partial function that maps guided or overlap adaptation to their associated restriction conditions.INV is the set of adaptation invariants. The adaptation specifications can be derived from the adaptation semantics graph.We have implemented a prototype,ASpecGen,which uses simple edge traversal to automate this process.The complexity of the algorithm is linear to the number of adaptations.4Case StudyIn this section we use MetaSockets(24)as an illustrative example to demon-strate our adaptation specification approach.MetaSockets are constructed from the regular Java Socket and MulticastSocket classes;however,their inter-nal structure and behavior can be modified at run time in response to external conditions.MetaSocket behavior can be adapted through the insertion and removal offilters that manipulate the data stream.For example,filters can perform encryption,decryption,forward error correction,compression,and so forth.We consider a sender’s MetaSocket with three differentfilters:a data com-pressionfilter(COM),a DES64-bit encryptionfilter(DES64),and a DES 128-bit encryptionfilter(DES128).The available adaptations are data com-pressionfilter insertion and removal,and DESfilter replacement.Note that to enforce security,the DESfilters can only be replaced by other DESfilters, but cannot be removed.Thesefilters can be combined in four different config-urations:DES64,DES128,DES64with COM(DES64COM),and DES128with COM(DES128COM).We consider the MetaSocket under each configuration a program.The adaptive program is initially running in the DES64program.4.1MetaSocket SpecificationsThe specifications of the programs are described as follows:•DES64program:DES64SPEC =(2DES64FL)∧2(DES64Input(x)→♦DES64Output(x))The DES64Input(DES64Output)are events indicating the input(output) of a packet to(from)the MetaSocket under DES64configuration.1The flag proposition DES64FLindicates that the program is running under the DES64configuration.The formula states that under this configuration,for every input packet to be encoded by the DES64filter,the MetaSocket should eventually output a DES64encoded packet.The following program aspects can be interpreted in a similar way.•DES128program:DES128SPEC=(2DES128FL)∧(2(DES128Input(x)→♦DES128Output(x)))•DES64COM program:DES64COMSPEC=(2DES64COMFL)∧(2(DES64COMInput(x)→♦DES64COMOutput(x)))•DES128COM program:=DES128COMSPEC(2DES128COM FL)∧(2(DES128COMInput(x)→♦DES128COMOutput(x)))To determine the semantics of each adaptation,we consider the following factors:(1)The MetaSocket component is designed for the transmission of real-time video and audio data.Therefore,we should minimize data blocking.(2)We should not allow both the source and the target programs to input simultaneously because that will cause ambiguity in the input.(3)We should not allow the target program to output data before any output is produced from the source program,otherwise,it will complicate the logic on the receiver. Based on the above considerations,it is appropriate to apply the overlap semantics with conditions prohibiting the types of overlap discussed above.2.The adaptation semantics graph is visually presented in FigureFig.2.Visual representation of MetaSocket adaptation semantics graphWe use the DES64to DES128adaptation as an example to demonstrate the simple adaptive program specification construction.In order to use overlap semantics,we have to define restriction conditions to prevent overlap of the source and target programs input and the overlap of the source and target programs output.Therefore,we define the restriction conditions to beR(DES64-DES128)=2(¬DES64Input(x)∧¬DES128Output(x)).(6) CONDThe intuition for this restriction condition is that it should not accept any more DES64inputs and will not produce any DES128outputs until all DES64out-puts have been produced.Given the source and target program specifications, the overlap semantics,and the restriction condition,we apply Formula3toderive the following specification:DES64-DES128SPEC =(7)DES64SPEC∧ ♦A REQ(DES128)true R COND(DES64-DES128) true true ∧ A REQ(DES128)true DES128SPEC∧(R COND(DES64-DES128)true true) Formula(7)states that after the program receives an adaptation request to the DES128program(A REQ(DES128)),it should adapt to the DES128program. Furthermore,the behavior of DES64and DES128may overlap,and during the overlapping period,the program should satisfy the restriction conditionR COND(DES64-DES128).In this example,theΩnotation of the adaptationoperators are not used.We simply assign true toΩin the four adapt operator locations.With the same approach,we specify other simple adaptive programs in the adaptive program.Further,both the source and the target specifications are point liveness properties.We can unify them with the following formula by disregarding the type of inputs and outputs.2(Input(x)→♦Output(x))(8) According to Lemma2,we can conclude that the adaptation also satisfies the point liveness property.In addition to the specification for adaptation behavior,the program should also satisfy a set of adaptation invariants to maintain its integrity.•Security invariant:During program execution,the sender MetaSocket should not cause any loss of packets,i.e.,all input packets should be output:INV2=2(Input(x)→♦Output(x))Note,this invariant is already guaranteed by the point liveness preservation property of the adaptation semantics.(Formula8.)。
