Reasoning about Composed Systems
Reasoning about the composition of specifications is easiest when assumptions
are safety conditions!
- First Example:
  - Changing the output variable would violate guarantee
    before assumption had been violated.
- Second Example:
  - Violating the guarantee does not occur at any
    particular moment in time.
- Assumption/guarantee specifications:
  - Guarantee can become false only after assumption becomes
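
The check these bullets describe, as an added Python example that is not part of the original slides: because a safety condition fails at one definite step of a trace, the first failure of the guarantee can be compared with the first failure of the assumption. The variables x (input) and y (output), the traces, and the reading that the guarantee may fail only strictly after the assumption has failed (the last bullet is cut off on the page) are assumptions.

```python
# Added illustration: finite-trace check of an assumption/guarantee pair.
# Variable names, predicates and traces are constructed for this example.

def first_violation(trace, holds):
    """Index of the first state where a safety predicate fails, else None.

    A violated safety condition is violated at one definite step, which is
    what makes the comparison in ag_holds possible.
    """
    for i, state in enumerate(trace):
        if not holds(state):
            return i
    return None


def ag_holds(trace, assumption, guarantee):
    """True if the guarantee never fails, or first fails strictly after
    the assumption first failed (strictness is an assumption here)."""
    g = first_violation(trace, guarantee)
    if g is None:
        return True
    a = first_violation(trace, assumption)
    return a is not None and a < g


def assume_x_zero(state):
    return state["x"] == 0        # environment keeps the input at 0


def guarantee_y_zero(state):
    return state["y"] == 0        # component keeps the output at 0


def make_trace(xs, ys):
    return [{"x": x, "y": y} for x, y in zip(xs, ys)]


TRACES = {
    "both_hold":            make_trace([0, 0, 0, 0], [0, 0, 0, 0]),
    "env_breaks_first":     make_trace([0, 1, 1, 1], [0, 0, 1, 1]),
    "output_changes_first": make_trace([0, 0, 1, 1], [0, 1, 1, 1]),
    "output_changes_alone": make_trace([0, 0, 0, 0], [0, 0, 1, 0]),
    "same_step":            make_trace([0, 1, 1], [0, 1, 1]),
}


def check_all():
    return {name: ag_holds(t, assume_x_zero, guarantee_y_zero)
            for name, t in TRACES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:22s} {'satisfied' if ok else 'VIOLATED'}")
```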
Id: spec1.tex,v 1.1 1996/05/13 09:04:04 schreine Exp schreine