Formal Methods and Event Notification Systems in Mobile Computing Environment

09/04/2019 ∙ by Prashant Kumar, et al. ∙ 0

In this report, we have explored the issues associated with the specification of event-based systems in a mobile environment using Unity <cit.>. We used a few constructs and concepts from Mobile UNITY which was proposed as an extension of UNITY by Roman and McCann <cit.>. Our aim in this report is to show that some of the constructs proposed in Mobile UNITY are not unnecessary. Those constructs are overly powerful and put a hindrance on the mapping from UNITY specification to particular architectures, which is one of the key simplicity of UNITY specification. Using an example of a message-based event notification system we have shown that a system with a simple modification to the structure of assign section of the UNITY programs could serve well in mapping and implementation at the same time preserve the small and compact proof logic of UNITY.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The purpose of this work is to investigate the usefulness of formal methods, particularly UNITY [1] and Mobile UNITY [2], in specification and reasoning about applications for mobile computing environments. A Mobile Computing Environment (MCE) can be considered as a asynchronous Distributed Computing Environment (DCE). The major difference between MCE and DCE which affect semantics of developing correct program seems to be in modeling failures. In DCE a failure to communicate is considered as a failure of the system as a whole. But in MCE, failures to communicate may be transient as mobile terminals frequently change their locations. Another notable difference originates from the intended usage scenarios of mobile devices. It leads to demand for context dependent services from the applications running on a mobile computing environment. There are variety of reasons other than changing location for a participating node in an MCE to lose connectivity with rest of the network [3].

We are particularly interested in evaluating the UNITY model as our tool for formal specification. UNITY was introduced by Misra and Chandy [1] in late 80s. It is a formal computational model and with a proof system that supports development of correct programs and their efficient implementation on asynchronous parallel/ distributed architectures. Subsequently, some intensive research centered around UNITY. It includes modifications by Misra [4, 5] , Dynamic UNITY [6], Context UNITY [7] and Mobile UNITY [2]. Yet, the original UNITY still remains a seminal work in formal computational model and proof systems.

The focus of our work was to evaluate Mobile UNITY vis-a-vis UNITY in building mobile applications. The main purpose of Mobile UNITY was to develop a new notation and an underlying formal model for ”supporting specification and proof system for decoupled, location-aware systems” [6]. Essentially it provides a formal layer on the top of UNITY’s concurrency model. Therefore, we concentrated on the technical modifications to UNITY that have been proposed in Mobile UNITY to find if such modifications are necessary.

In order to evaluate Mobile UNITY against UNITY, we considered the implementation of the Event Notification System (ENS) on mobile computing environment. The reasons for choosing ENS implementation in mobile computing environment as a case study can be explained as follows. In any distributed computing model, a computation is represented by a sequence of local computation followed communication between compute nodes. So, message passing or the underlying communication pattern is fundamental to interaction of computational tasks. There are two main modes of communication, namely,

  1. pair-wise communication, and

  2. multiple participants communication.

Each mode of communication is further classified as asymmetric (client-server), or symmetric communication (peer-to-peer). Communication with multiple participants can be unicast (one-to-one), multicast (one-to-many) or convergecast (many-to-one). An ENS scheme generalizes these communication pattern to

-to- scheme, where . Developing ENS in mobile computing environment [8] further generalizes this many-to-many communication pattern. Obviously, mobility support can be considered as a natural requirements for event notification systems in mobile computing environment. Moreover, push based data delivery model is found to be eminently suitable for data dissemination in mobile computing environment [9]. Due to asynchronous, loose coupling characteristics of push based notification systems the support for mobility in some is sense natural for these systems.

Among the additional notations which were proposed in Mobile UNITY for modification of UNITY, the most powerful construct is the reacts-to . But this construct is found to be most difficult from point of view of implementation. Furthermore, it also complicates the proof system of original UNITY. In this paper we propose only minimal modifications to assign section of UNITY while preserving its weakly fair execution model for supporting specification and reasoning about implementing ENS in mobile environment. The proposed modifications to UNITY are designed in a way that they do not complicate the proof system of the UNITY model like reacts-to construct of Mobile UNITY. We also prove that reacts-to is not needed, and UNITY without support of any such highly powerful constructs can still be sufficient for specification of event based mobile applications like ENS by using minimal modification of the kind suggested in this paper. Since the proposed changes do not violate the execution model and semantics of UNITY, it preserves the proof system as well.

Contributions of this work can be summarized as follows:

  • Simplifying the notations in Mobile UNITY framework for specification of systems in Mobile environment.

  • Accompanying simplification in the proof part for various properties of the system.

  • Restructuring the assign section of UNITY program to make it closer to real world systems from the point of view of implementation.

  • Showing that some powerful constructs of Mobile UNITY eliminated and still it can support both specification and reasoning about decoupled, location aware systems.

  • To the best of our knowledge ours is the first use of UNITY formalism for message based event notification service systems.

The rest of the paper is organised as follows. Section II gives an overview of event notification systems. Sections III and IV provide an overview of UNITY and Mobile UNITY respectively. In sectionV we discuss events in UNITY and Mobile UNITY and towards the end of this section we also describe the additions to UNITY which though necessarily minimal help in specification and implementation of system for real world systems in mobile environment. It is followed by a detailed discussion of formal specification of event notification system and its implementation in section VI. Finally section VII summarises our contribution and lists the direction for future work.

Ii Event Notification Service Systems

Communication between nodes has always been a central issue in distributed computing. Newer issues have appeared in communication over wide area network in the context of loosely coupled systems and mobile agents. Such distributed computing environments do not guarantee low latency or continuous and reliable connectivity as one finds in a wired network of distributed system. So it has led to newer abstractions like event based interaction for design and implementation of software systems for such environments. Some works related to event notification service system such as SIENA [10], JEDI [11] and many others support this view. Event notification systems are meant to disseminate information based on occurrence of some events. It involves a set of event producer and a set of event consumers. Typically, the agents interested to receive notifications subscribe to a server and register themselves as the consumer of the events. The server dispatches the events to the subscribing agents whenever a something of interest occurs.

To motivate the point that such systems are needed and have there place in the larger scheme of things in design of applications, we compare message based event notification systems to traditional client-server model. We also discuss the need for message based communication abstraction based on events compared to distributed objects.

We can think of a client-server computing model to implement event notification service modelwhere servers are producer and clients are consumer. Client-server model has the advantage of being conceptually simple and has been been quite effective for point to point communication model over the time. But there is a fundamental difference, the client-server model is synchronous and communication typically is one-to-one whereas an event notification service systems provide both time and space decoupling. Time decoupling means interacting parties need not be present at the same time, and space decoupling means that the interacting parties need not be co-located. Apart from this there are several point to point communication middleware such as CORBA, RMI and DCOM which can offer these services but they are primarily meant for synchronous invocation of some service offered by a remote server and normally would be heavyweight and overkill if the task of the application is more basic and primitive. Hence to address the issues related to the systems where communication needs are not elaborate, other alternatives have been explored. Emergence of message based systems is one such solution. Before discussing further we note that message based communication is not a new concept in distributed computing but the lightweight communication needs have made them the most suitable choice.

A message is essentially a structured piece of information sent from one agent to another over a communication channel. Messages may deliver data, meta data (such as acknowledgements) or notification to an agent. Messaging services have a pre-defined and commonly agreed protocol between the agents. Message passing is not as robust and sophisticated as distributed objects and is necessarily a restrictive communication scheme compared to object based communication schemes like CORBA and RMI or even with respect to RPC. However, they are simple and elegant solution for the situations where communication needs dictated by application are limited and minimal. If seen in wider perspective, the goal of these two are quite different. Distributed objects serve the purpose of extending the application across the network and normally provide a local handle to the remote object for calling its methods. On the other hand, message passing is meant for a simpler role. It defines a bare minimum protocol for sending data and also avoids overhead associated with most distributed object technologies. To summarize we note that message passing based systems are desired in following scenarios[12]:

  1. Communication needs are relatively simple in nature.

  2. Transaction throughput is critical.

  3. Scope of the system is limited.

Before discussing more about event based notification system we turn our focus on formal methods. It is central to explain the key contributions of this paper.

Iii UNITY Formalism

We start with a brief introduction to UNITY. An interested reader may refer to [1] for further details. UNITY is a computational model and a proof system. It provides a minimal set notations to denote programs. UNITY programs can be seen as a program in unbounded non-deterministic iterative transformation notation. Some of these terms will become more clear in course of the discussion below.

Iii-a UNITY Program Structure

Following schema describes the structure of a UNITY program::


Program program-name
declare declare-section
always always-section
initially initially-section
assign assign-section

We illustrate some of these features by a simple program semaphore.

Program semaphore
declare       g : integer
initially      g = 1
       N ::
            g,p[i] := g-1,false if b 0 p[i]
      g,v[i] := g+1,false if v[i]
Figure (1). semaphore.

The variable names with their types are provided in declare-section. Normally, boolean and integers are used as basic types. Arrays and sets or any other ADT can also be used. The above program for semaphore does not use always section. But this section is for defining certain variables as function of others. It is, therefore, equivalent to #define of conventional C programming languages. The initial value of some of the variables are defined by initially section. The uninitialized variables can assume arbitrary values from its domain. The assign section consists of a set of assignment statements is the heart of UNITY program. The program execution starts in the state where values of the variables are as specified in the initially section. Then these statements are executed atomically and non-deterministically in weakly fair manner. By weakly fair we mean that in an infinite computation each statement is scheduled for execution infinitely often. The symbol  acts as separator between statements and   is used to limit the scope of quantification variables. One more point to be noted is that UNITY programs have no input/output statements. All I/O is assumed to be performed by appending items to or removing items from the corresponding sequences. Here, we do not discuss the composition models of individual programs in UNITY, i.e., union and superposition. The readers may refer to [1] for the same. It may, however, be noted in passing that in standard UNITY, variables with same name are shared between programs. Other constructs from UNITY will be introduced as we come across them in our discussion.

Iii-B Execution Model

In a UNITY program, more than one statement may be enabled at a time. Concurrency is modeled by weakly fair interleaved execution of these atomic statements. As stated earlier weakly fair means that in an infinite computation each statement is scheduled for execution infinitely often. Interestingly, a very simple notation like weakly fair execution model has been used by UNITY to specify and verify correctness large software systems in industry [13] as well as for specification of many well known problems in distributed systems [14].

Iii-C Proof Logic in UNITY

In the UNITY proof logic and program properties are expressed using a small set of predicate relations whose validity can be derived directly from the program text or from other properties through the application of inference rules. System properties can be categorized in two fundamental groups: safety and liveliness properties. The authors in [15] have shown that any property of the system can be expressed as the intersection of a pure safety and a pure liveliness property. Liveliness property essentially means that during the execution, program makes some progress and consequently some desirable state eventually does occur and safety property underlines that some unsafe state can not materialize during the execution of the program.

The safety property has been described using constrains relation. For brevity it is written as co henceforth [16]. This construct is not unique to UNITY and can be used for any state system. Given two state predicates and the expression co means that any state satisfying , the next state in the execution must satisfy . For example, to express that some variable counter in the program is monotonically increasing, we write

counter co counter

As an aside we note that in terms of Hoare triple [17], co can be denoted as


To be precise, we should have quantified with universal quantifier in the above co relation, but for convenience we will leave that part whenever it is clear from the context. We can build on more complex safety properties using co. For example, invariant that a variable always between 0 and , i.e.,

invariant 0 var

needs to be broken in two parts. In first part we have to verify from the initially-section that initial value of var satisfies this property. Then using co property on program text we can assert that invariant indeed holds.

Now let us consider liveliness property. Here we implicitly use UNITY’s inherent fairness assumption. Progress/liveliness is expressed in UNITY using the transient relation where transient , state that the predicate is eventually falsified, i.e.


which denotes the existence of a statement which when executed in a state satisfying , produces a state that does not satisfy . Using co and transient we can construct the familiar operator ensures. The relation ensures means that for any state satisfying and not , the next state must satisfy or . In addition, there is some statement that guarantees the establishment of if executed in a state satisfying and not . Because of fairness assumption, we can guarantee that this statement will eventually be selected for execution

p ensures q (p q co p q) transient(p q)

Iv Mobile UNITY

Mobile UNITY is an extension of UNITY with the aim of modeling systems in mobile environment as against UNITY which presents itself as a powerful approach to concurrency for distributed systems but its focus is essentially on the static nature of computation.

Iv-a Adding Constructs to UNITY to make it Mobile UNITY

We now discuss some new constructs proposed by [2] which when added to UNITY make it suitable for specifying and reasoning about programs suited for mobile computing environment. The new constructs of Mobile UNITY are illustrated with the example motivated by [2]. For more details, the readers may refer to [2] and [18]. System description is as follows. There are m producers and n consumers all in a mobile environment (n may or may not be equal to m). We take a mix of top down and bottom up approach to formalize the solution to the problem. We build the whole system incrementally, but describe smaller parts top down. First of all we consider two standard UNITY programs for sender and receiver

Program sender
      bit : boolean
    word: array[0..N-1] boolean
    csend,crecv : integer
      bit= 0
      csend= N
      if csend N csend = crecv
    new :: word, csend NewWord(), 0
      if csend N
Figure (2). sender.

Program receiver
      bit : boolean
    buffer : array[0..N-1] boolean
    csend,crecv : integer
      bit= 0
    crecv = N
      receive :: buffer[crecv+1], crecv
      bit, crecv+1 if crecv N crecv csend
    reset :: crecv -1
      if crecv N csend = 0
Figure (3). receiver.

These are two standard UNITY programs where variables with same name are shared. We also note that UNITY as well in Mobile UNITY comments are enclosed in {}. The first major and fundamental difference which comes in mobile environment is that we can not have shared name space. Here we assume that variables in different programs are not the same even if they have same name. So a variable v in program P is P.v but we may write it simply as v in cases where there is no ambiguity. With these comments we give tentative structure of this system in Mobile UNITY .

System sender-receiver
      program sender(i) at
      program receiver(i) at
      receiver(0) at
    sender(1) at

Figure (4). Tentative structure for sender-receiver system.
Now let us examine this program, taking up new concepts one by one.

Iv-B Location Awareness

First of all let us consider notion of location of mobile agents. Mobile UNITY has a special variable denoted by , which is mandatory in all programs. Mobile UNITY places no constraints on the type of . Intuitively, it should represent the notion of location of mobile agent/device and changes in value of denotes mobility. From Mobile UNITY ’s point of view whether ’s value is one dimensional or multidimensional (latitude /longitude IP address in network or memory address) doesn’t make much difference. But from implementation point of view, we assume that agent has some way to update the value of

Iv-C Interaction between Mobile Agents

Interaction section of the Mobile UNITY program helps in specifying the interaction between various agents/components. Its need basically arises because of distinct address spaces of agents in Mobile UNITY.

Program sender(i) at

      bit : boolean
    word : array[0..N-1] boolean
    c : integer
       = SenderLocation(i)
      transmit::bit,cword[c],c+1 if c N
    new :: word,c NewWord(),0 if c N
Figure (5). Modified Version of sender.

Program receiver(j)at

      bit : boolean
    buffer : array[0..N-1] boolean
    c : integer
      zero :: c 0 reacts-to bit = 1 c N
    receive ::buffer[c],cbit,c+1 if c N
    move:: buffer
      reacts-to validLoc(buffer) c N
Figure (6). Modified Version of receiver.
We assumed that first bit of sender is 1 and added mobility to receiver that on receiving a word which represents valid location it moves to that position.

Now all we need to do is fill in Interactions of sender-receiver system as follows:

      receiver(j).bit sender(i).bit
      reacts-to sender(i). = receiver(j).
    inhibit sender(i).transmit when
      sender(i).c receiver(j).c
      sender(i). = receiver(j).
    inhibit receiver(j).receive when
      receiver(j).c sender(i).c
      sender(i). = receiver(j).
Mobile UNITY introduces three new constructs: inhibition, transaction and reaction. We discuss these constructs one by one.

Iv-C1 Inhibitions

Inhibitions provide mechanism to constrain the non deterministic scheduler in certain undesirable state. It is particularly useful in global context, i.e., in interaction of agents. Its syntax is as follows.

inhibit label when predicate

We note following things regarding its semantics

  • The key word when has meaning similar to if, but it is conventionally used in inhibitions for emphasis.

  • So, the above inhibit statement can actually be rewritten as

    if predicate statement labeled label

Iv-C2 Transactions

A transaction is a sequence of statements enclosed in angle brackets and separated by semi colon. In other words, all statements within brackets should be executed in the order they appear with no other statement to be scheduled in between. Reactive statements are the only exception which can be triggered during the execution of transaction as well. Its syntax is as follows

label:: statement_1; …; statement_n

Transaction may or may not be inhibited.

Iv-C3 Reactions

Reactive statements are similar to exception with one exception that after reactions control flow goes to the position where it was before reaction was triggered. Its syntax it

assignment statement reacts-to predicate

It is triggered whenever predicate is true. The imporatant points about reactions are the following:

  • Set of reactive statements execute till the fixed point of this set reached.

  • Reactive statements must not be inhibited.

  • Reactive statements can trigger during the transaction.

The semantic requirements of reaction construct are not only too strong but also it hinders efficient implementation. For example, a method suggested by the authors was that reactive set be checked after the execution of each statement. Moreover, as can be seen in the paper [2] that it complicates the proofs also. During specification, it is the responsibility of the programmer to take care that reactions reach the fixed point otherwise it may violate UNITY execution model, since even in infinite executions only reactions can keep executing. This problem can be taken care of by ensuring that in all scenarios reactions reach the fixed point but in real life systems ensuring this may not be easy.

Iv-C4 Modifications to Proof Logic

Mobile UNITY also suggests some modification to proof logic. It requires that statement in proof be replaced by which is a transaction and may contain reactive statements as well. The interested reader may refer to [18] for further details.

V Events in UNITY and Mobile UNITY

Though the constructs introduced by Mobile UNITY, make the specification simple, the key construct reacts-to is too powerful and is difficult to implement. The authors of Mobile UNITY have suggested that after the execution of each statement, reactive set be checked. Clearly from point of view of implementation the suggested approach is too naive. In fact, the authors of [2] share this view too.

The actual advantage of reacts-to is that it can asynchronously trigger the execution of some statement but the implementation overhead for the same as indicated is prohibitively high. We have adopted a new approach to the tackle the need for having reacts-to construct. We propose spliting of the assign section in two parts with different scheduling priorities, but enforce that within each block weakly fair execution semantics of UNITY should be honored. We also note that based on application’s requirements assign section can be divided into arbitrary number of blocks. But for the concreteness of discussion, we just consider two blocks. In fact, in most of the systems two blocks will suffice. We also note that two different transactions were also proposed in Dynamic UNITY[6] where their primary goal was to use UNITY for specification of dynamically changing systems. Now we discuss the interpretation of these changes from the proof logic point of view of UNITY. From the proof logic point of view these parts of assign are same before. Statements within these will be treated in exactly the similar manner to what they would have been had the statements been in the assign section. But from the execution model point of view and particularly from the scheduling and implementation point of view, there is some difference. We propose that, there be different scheduling priority of the statements in these sections. We must take care of not violating the weakly fair execution semantics of UNITY, hence scheduling should be such that each section has a non zero

finite probability of being selected over a finite period of time. In fact, statements in

assign section can be grouped in more than two levels, but the scheduling should satisfy the weakly fair execution semantics. A simple policy for assigning different scheduling priority to different transition sections could be say and in case of two sections, greater value indicates higher priority.

Vi Implementing Event Notification System

To validate the utility of the modification to UNITY suggested in this paper, we examine how Event Notification System can be implemented using UNITY with the modified constructs. We are mainly concerned with the view of an application which is sufficient to demonstrate our modification and at the same giving a reasonably stand-alone view of the application. Thus we consider the structure of the application to be as follows.

  • It has multiple servers as well as multiple clients.

  • Mobility is modelled by migration of client(s) from one server to another.

  • The applications models fragile environment in the form of seemingly abrupt disconnections and takes care that messages are not lost in the process.

Our focus over here is to show that such systems can be conveniently expressed in UNITY without using reacts-to and our proposed modifications can lead to effective implementation and using UNITY proof logic we can assert about some of the properties of the system.

Vi-a UNITY specification

Program client(i) at

: location
    interface: queue of message
    server_addr: address
    in,out: queue of message
    registered,subscribed: bool
server server_addr
    self self_addr
{is }
interface =
server_addr =
{update location}
{receive messages from interface}
    interface,in tail(interface),inhead(interface)
      if interface head(interface).destination = self
       head(interface).type = M
{transmit messages from interface}
      if interface head(interface).status
{registering with a new server: handoff}
      if registered new_server server_addr
{remove N messages from interface}
{it shows that some request was not satisfied}
    interface tail(interface)
      if interface head(interface).msg=N
{clear sent message from interface}
      if interface head(interface).status
      if registered can_send(self,server)
{set the registered flag}
      if head.type= R head.msg=Y
      if subscribed
{set the subscribed flag}
      if head.type=Shead.msg=Y
      if unsubscribe
{reset the unsubscribe flag}
      if head.type=Uhead.msg=Y
{update subscription}
      if subscribedupdate_add
      if subscribedupdate_del
{reset the update flag}
      if head.type=Phead.msg=Y
{reset the update_del flag}
      if head.type=Qhead.msg=Y
{de-register: voluntary}
      if deregister
{reset de-registered flag}
      if head.type=Dhead.msg=Y
{transfer messages from out queue to interface}
      if out
{handle messages on in queue}
Figure (7). client.
Program server_(i)at

: location
    subscr: array[num_message_type] of queue of clients     interface: queue of message
self self_addr
interface =
{register clients}
      registered_clients client
      if client registered_clients
{de-registering clients}
    registered_clientsdelete(registered_clients, client)
{transmit messages from interface}
at(interface,i).status= send(at(interface,i))
      if interface at(interface,i).status
{update subscription}
      if head.type= P clientarr[msg_type]
      if head.type= Q clientarr[msg_type]
{transfer messages from out queue to interface}
      if out
{make sent messages null on interface}
    i :0length(interface)::
      if interface at(interface,i).status
{remove null messages from head of interface}
      if head(interface)=
Figure (8). server_(i,addr_self)at .

NumClients ::client() at
     NumServers ::server() at
NumServers 0jNumClients::
      if can_send(server(i),client(j))

Message type Stands for

Normal message

Registering with new server
R Register
S Subscribe
U Unsubscribe

Update subscription(add)
Q Update subscription(delete)


TABLE I: Message Types

Vi-B Discussion

The above specification does not use reacts-to . In general, any program containing reacts-to can be converted to one without having reacts-to

. A simple heuristic is to replace

reacts-to by if and put all these in higher priority section of the program. Now we explain some of the subtle points of the above specification. It is assumed that , in client as well as in server. We have used a function which returns if agent can send message to agent . Both client and server maintain and queues, which are queues of messages. The messages on queue come from the and messages from queue go to . There is a difference in the way messages are transmitted from the in case of and . In case of a client, the message at the head of the queue is processed, it will block if the first message in the queue can not be sent. Whereas this is not the case with server. The rationale for it is that at a time server may have connection with one client but may not have with another and if the client for which message is at the front of the queue is not connected at a time, all the other clients which can receive message should be able to receive. That is why transmission of message from the interface of server works on all the messages in simultaneously. Various message types have been explained in Table I. New server actually comes at a lower level with hand off, that is why we have not shown it explicitly over here. The specification of handoff would be needed had we been working at level of Mobile IP  and Cellular IP . We have not shown the handling of messages on in queue of client and addition of messages to out queue of server, because these are application dependent decisions, and all we need here and assume is that clients handle the message they get on their in queue in a way consistent with its application logic, similarly out of server too has messages for clients consistent with the associated application logic.

Vii Conclusion

In this work we have shown that UNITY formalism is quite powerful for specification of systems in mobile computing environment. Based on our experience with Mobile UNITY we have proposed doing away with very strong Mobile UNITY construct reacts-to . We have also proposed modification to the assign section of UNITY to reflect the systems in Mobile computing. We have shown that our additions do not violate the weakly fair execution semantics of UNITY model. These modifications do not modify the proof logic system of UNITY. We have taken an example of event notification service system to illustrate our ideas more concretely. As a future work one could try to incorporate these changes to the compilers which exist for translations of UNITY program to conventional programming languages.


  • [1] K. M. Chandy and J. Misra, Parallel Program Design : A Foundation. Addison-Wesley, New York 1988.
  • [2] G.-C. Roman and P. J. McCann, “An introduction to mobile unity,” tech.rep., Dept. of Computer Science, Washington University, 1997. WUCS-97.44.
  • [3]

    M. Satyanarayanan , “Pervasive computing: Vision and challenges,”IEEE Personal communications, vol. 8, no. 4, pp. 10–17, 2001.

  • [4] J. Misra, “General conjunction and disjunction rules for unless,”Noteson UNITY, pp. 01–88, 1988.
  • [5] J. Misra, “A logic for concurrent programming: Safety,”Journal ofComputer and Software Engineering, vol. 3, no. 2, pp. 273–300, 1995.
  • [6] D. M. Zimmerman,Dynamic UNITY. PhD thesis, California Instituteof Tehcnology, Pasadena, California, 2002.
  • [7] G.-C. Roman, C. Julien, and J. Payton, “Modeling adaptive behaviors incontext unity,”Theoretical Computer Science, vol. 376, no. 3, pp. 185–204, 2007.
  • [8] G. Arnold and F. Soriano, “Method and system for event notificationfor wireless pda devices,” Jan. 11 2005. US Patent 6,842,628.
  • [9] S. Acharya, M. Franklin, and S. Zdonik, “Dissemination-based datadelivery using broadcast disks,”IEEE Personal Communications, vol. 2,no. 6, pp. 50–60, 1995.
  • [10] A. Carzaniga, D. Rosenblum, and A. Wolf, “Content-based addressing and routing : A general model and its application,” tech. rep., Departmentof Computer Science, University of Colorado, 2000. CU-CS-902-00.
  • [11] G. Huck, P. Frankhauser, K. Aberer, and E. Neuhold, “Jedi: Extracting and synthesizing information from the web,” inProceedings. 3rd IFCISInternational Conference on Cooperative Information Systems (Cat. No.98EX122), pp. 32–41, IEEE, 1998.
  • [12] J. Farley, Java Distributed Computing. OŔeilly, 1998
  • [13] M. Staskauskas, “Formal derivation of concurrent programs: An example from industry”, IEEE transactions on Software Engeering, vol. 19, no. 5,pp. 503–528, 1993.
  • [14] J. Liu, W. Li, G. O. Karame, and N. Asokan, “Toward fairness ofcryptocurrency payments,”IEEE Security Privacy, vol. 16, no. 3, pp. 81–89, 2018.
  • [15] B. Alpern and F. Schneider, “Defining liveliness,”Information process-ing letters, vol. 21, no. 4, pp. 181–185, 1985.
  • [16] S. Gulwani, S. Srivastava, and R. Venkatesan, “Program analysis asconstraint solving,”ACM SIGPLAN Notices, vol. 43, no. 6, pp. 281–292, 2008.
  • [17] C. A. R. Hoare, “An axiomatic basis for computer programming,”Communications of the ACM, vol. 12, no. 10, pp. 576–580, 1969.
  • [18] P. J. McCann and Gruia-Catalin, “Compositional programming abstractions for mobile computing,”IEEE Transactions of Software Engineer-ing, vol. 24, no. 2, 1998.