Recent accounts of accidents draw attention to "automation surprises'' that arise in safety critical systems. An automation surprise can occur when a system behaves differently from the expectations of the operator. Interface mode changes are one class of such surprises that have significant impact on the safety of a dynamic interactive system. They may take place {\em implicitly} as a result of other system action. Formal specifications of interactive systems provide an opportunity to analyse problems that arise in such systems. In this paper we consider the role that an {\em interactor} based specification has as a partial model of an interactive system so that mode consequences can be checked early in the design process. We show how interactor specifications can be translated into the SMV model checker input language and how we can use such specifications in conjunction with the model checker to analyse potential for mode confusion in a realistic case. Our final aim is to develop a general purpose methodology for the automated analysis of interactive systems. This verification process can be useful in raising questions that have to be addressed in a broader context of analysis.

Traditional reliable broadcast protocols fail to scale to large settings. The paper proposes a reliable multicast protocol that integrates two approaches to deal with the large-scale dimension in group communication protocols: gossip-based probabilistic broadcast and semantic reliability. The aim of the resulting protocol is to improve the resiliency of the probabilistic protocol to network congestion by allocating scarce resources to semantically relevant messages. Although intuitively it seems that a straightforward combination of probabilistic and semantic reliable protocols is possible, we show that it offers disappointing results. Instead, we propose an architecture based on a specialized probabilistic semantically reliable layer and show that it produces the desired results. The combined primitive is thus scalable to large number of participants, highly resilient to network and process failures, and delivers a high quality data flow even when the load exceeds the available bandwidth. We present a summary of simulation results that compare different protocol configurations.

This paper sketches a discipline for reverse engineering which combines formal and semi-formal methods. Among the former is the "algebra of programming", which we apply in "reverse order" so as to reconstruct formal specifications of legacy code. The latter includes code slicing, used as a means of trimming down the complexity of handling the formal semantics of all program variables at the same time. A strong point of the approach is its constructive style. Reverse calculations go as far as imploding auxiliary variables, introducing mutual recursion (if applicable) and transforming semantic functions into standard generic programming schemata such as cata/paramorphisms. We illustrate the approach by reversing a piece of code (from C to Haskell) already studied in the code-slicing literature: the word-count (wc) program.

Reliable multicast protocols can strongly simplify the design of distributed applications. However it is hard to sustain a high multicast throughput when groups are large and heterogeneous. In an attempt to overcome this limitation, previous work has focused on weakening reliability properties. The authors introduce a novel reliability model that exploits semantic knowledge to decide in which specific conditions messages can be purged without compromising application correctness. This model is based on the concept of message obsolescence: a message becomes obsolete when its content or purpose is overwritten by a subsequent message. We show that message obsolescence can be expressed in a generic way and can be used to configure the system to achieve higher multicast throughput.

To allow mobile users to continue their work while disconnected, mobile systems usually rely on optimistic replication techniques. In mobile database systems, mobile units cache subsets of the database state and allow disconnected users to perform transactions concurrently. These transactions are later integrated in the master database state. As concurrently performed transactions may conflict, it is usually impossible to determine the result of an update in the mobile unit. Moreover, this model differs from the traditional client/server model due to the fundamental fact that the user will usually not be connected to the system when the results of his transactions are finally determined - therefore, he can not immediately perform adequate alternative actions. In this paper we describe a transaction management system that takes into consideration the above-mentioned characteristics. Transactions are specified as mobile transactional programs, which allows the precise definition of operation semantics and the definition of alternative actions. Support for active user notification is also provided in the system. Finally, the system relies on a reservation mechanism to be able to guarantee the results of transactions in the mobile units.

Abstract Software components, arising, typically, in systems ’ analysis and design, are characterized by a public interface and a private encapsulated state. They persist (and evolve) in time, according to some behavioural patterns. This paper is an exercise in modeling such components as coalgebras for some kinds of endofunctors on ¢¡¤ £ , capturing both (interface) types and behavioural aspects. The construction of component categories, cofibred over the interface space, emerges by generalizing the usual notion of a coalgebra morphism. A collection of composition operators as well as a generic notion of bisimilarity, are discussed.

The analysis of causal relations among events in a distributed computation plays a central role in distributed systems modeling. Existing models for causal time-stamping are based on a known set of entities, either processes or data repositories, where events can occur. The advent of mobile computing settings that stimulate cooperation among arbitrary groups of nodes, possibly in isolation, precludes the use of a pre-established set of entity identifiers. Addressing this problem, the article proposes a causality definition and a time-stamping model that allows the analysis of those environments, while retaining compatibility with the classic causality model.