Go backward to Reasoning about Composed Systems
Go up to Top
Go forward to TLA

Reasoning about Composed Systems

First Example:
- Changing the output variable would violate guarantee before assumption had been violated.
Second Example:
- Violating the quarantee does not occur at any particular moment in time.
Assumption/guarantuee specifications:
- Guarantuee $M$ can become false only after assumption $E$ becomes false.

Reasoning about composition of specification is easiest when assumptions are safety conditions!

Id: spec1.tex,v 1.1 1996/05/13 09:04:04 schreine Exp schreine