I'm always tweaking the reading list, so this list will mutate over time. Also, I'm building on many old reading lists, so if you go read the commented-out HTML, you'll see old readings listed. Some of those we'll use, but some we won't. (But they're all good papers...)
Week 0:
These two papers are optional, and you haven't learned enough to understand most of the details yet (You will!), but these are nice ways to get motivated, by seeing impressive industrial case studies that show successful adoption of modern, automated, formal verification techniques. For now, just skim over anything that doesn't make sense (or google/wikipedia them if you're curious), and concentrate on the results!
Hey, there's video now, too!
describing current work happening at Amazon Web Services using the sorts of highly automated formal methods that we will be studying. (Note that I attended and enjoyed the talk at FloC, but I haven't watched the entire video, so I can't vouch for the production values.) And if you don't want to watch the video, here's the accompanying paper: although you'll miss little details, like Byron reminiscing that his first conference ever was the 10th CAV that I chaired (with Moshe Vardi) here at UBC in 1998, or the passing mention to MonoSAT, which we developed recently here. (This is optional, too.) (Most paper links I post are from the publisher's websites. This is the most "proper" place to link to, but the publishers are generally behind pay walls. Fortunately, if you're accessing from a UBC machine, the UBC Libraries have negotiated site-wide access for you, so you can download the paper for free from UBC machines. Let me know if you have any trouble with this.)Week 1:
Randal E. Bryant, "Symbolic Boolean Manipulation with Ordered Binary Decision Diagrams", ACM Computing Surveys, Vol. 24, No. 3 (September 1992), pp. 293-318. (Preprint published as CMU CS Tech Report CMU-CS-92-160.) Sections 1 to 3 are the relevant ones for us, although the whole paper is excellent. Here is a link to the official version at the ACM Digital Library. You have free access from UBC machines.
Karl S. Brace, Richard L. Rudell, and Randal E. Bryant, "Efficient Implementation of a BDD Package", 27th Design Automation Conference, pp. 40-45, 1990. How BDD packages are really implemented. (Optional.)
Randal Bryant, "On the Complexity of VLSI Implementations and Graph Representations of Boolean Functions with Applications to Integer Multiplication", IEEE Transactions on Computers, Vol. 40, No. 2, February 1991. A general technique for proving BDDs big for certain functions (and getting better intuition about what makes BDDs big). (Optional. You may find this interesting if you like theory and/or are interested in understanding what makes BDDs blow up.) Here is additional explanation of the combinatorial part of Bryant's multiplication proof. Optional
I hope we'll have time to take a quick look at cutpoints for combinational equivalence. Here are some of the classic references on practical techniques for scaling combinational equivalence checking up to practical sizes. (These are all optional.)
Week 2:
Joao Marques-Silva, Ines Lynce, and Sharad Malik, "Conflict-Driven Clause Learning for SAT Solvers", Chapter 4 in the Handbook of Satisfiability, Armin Biere, Marijhn Heule, Hans van Maaren, and Toby Walsch, Eds., IOS Press, 2008. I found this link (unofficial, but at Princeton, where Sharad is a professor) to a somewhat more updated treatment of the material, whereas I used to refer to the original papers. This looks good, and I've used in for 513 a few times. Let me know if you like this. Let me know if you like this reading.
A long time ago, I wrote up some additional explanatory notes, which I think were really excellent back in the day. I realized that they had gotten really out-of-date, though, so I was going to update them. But instead, I found these great explanatory notes on implication graphs and clause learning by Tommi Junttila. ( Optional ) (Solely for historical reference, these are my old, additional explanation notes (DEPRECATED). I recommend not reading my old notes, but am leaving the link, as I know some former students refer to my reading lists.)
Similarly, these are some classic papers on CDCL SAT solving, and are still listed here purely for reference.
I may move the material below later in the term, as I want to try this year to accelerate the assignments, so that you all get a wider range of exposures to different topics before embarking on a project. But these are two papers on extracting a proof out of modern SAT solver.
Week 3 (and Into Week 4)
OK, we're going to switch to software verification next. However, I'm going to rush through just what we need to get to SMT solving (like SAT, but with more expressive logics) and the next assignment. We'll come back later and backfill the classical basics for software verification, and maybe some interesting twists on SMT solving.
For symbolic execution:
My former student and SMT expert Sam Bayless recommended a great survey paper on SMT solving, by two of the very best experts out there. This is easier than the papers I used to use. Leonardo de Moura, and Nikolaj Bjorner, "Satisfiability Modulo Theories: An Appetizer," Formal Methods: Foundations and Applications -- 12th Brazilian Symposium on Formal Methods, Springer LNCS Volume 5902, 2009, pp. 23-36. SMT is basically SAT solving, but with additional logics that are very useful for software verification and other applications where you don't want to model everything as Booleans.
Roberto Bruttomesso, Alessandro Cimatti, Anders Franzen, Alberto Griggio, and Roberto Sebastiani, "Delayed Theory Combination vs. Nelson-Oppen for Satisfiability Modulo Theories: A Comparative Analysis", Annals of Mathematics and Artificial Intelligence, Vol. 55, No. 1-2, pp. 63-99. This is the paper I used to recommend, and looking at it again, it does a great job of presenting more details, although the above paper is easier to read. Check this one if you are excited and want to learn more. (Optional) (Later: I realized that my enthusiasm for Leo and Nikolai above could be interpreted as a critique of these authors, and I totally don't mean that! This survey is from another one of the top teams in SMT solving. It's extraordinarily hard to build and maintain a competitive, general-purpose SMT solver, so the research community that actually builds SMT solvers is dominated by a few small groups of rock stars.)
Greg Nelson, and Derek C. Oppen, "Simplification by Cooperating Decision Procedures," ACM Transactions on Programming Languages and Systems, 1(2), October 1979, pp. 245-257. For reference, this is a classic paper on the topic. Nelson and Oppen pioneered this area, and their work still underlies and guides a lot of research in this area. (Optional)
Week 4 (after finishing SMT) (and into Week 5)
We now shift our focus to "reactive systems", which are systems that maintain an on-going interaction with the environment (cf. "agents"). The key difference is that we now worry about how a system behaves over time, versus just checking whether a function computes the correct result.
The most basic computational tool is computing reachability, the set of states the system can get into. We'll briefly explore two basic approaches:
Explicit Reachability: The basic ideas are really simple, but you can do some interesting stuff with it. I'm not going to push the readings too hard, though. Here are some optional papers.
Symbolic Reachability: I haven't found a description of the basic reachability computation with BDDs that fits into the course well. Accordingly, I list here three optional papers. The simplest description is one I wrote for a survey paper a million years ago. Section II.C is the relevant part. Alan J. Hu, "Formal Hardware Verification with BDDs: An Introduction", IEEE Pacific Rim Conference on Communications, Computers, and Signal Processing (PACRIM'97), 1997. This is a bit too breezy for our course. Two other possible papers are "A Unified Framework for the Formal Verification of Sequential Circuits" by Coudert and Madre, which is a dense, but good paper by two of the pioneers in this area, and "Implicit State Enumeration of Finite State Machines using BDD's [sic]" by Touati, Savoj, Lin, Brayton, and Sangiovanni-Vincentelli, which is easier to read, although I don't particularly like some of their notation. Both of these papers appeared in the International Conference on Computer-Aided Design in 1990. ( All of these papers are optional.)
Week 5
I think the preceding "week"'s reading will cover us through this week as well. As I was revising my lecture notes, I realized that I'm hoping to look at the idea of abstraction (again), but this time for reactive systems. And I'm thinking of giving an (incredibly brief, cocktail-party-level) intro to abstract interpretation as an example of reachability with conservative abstraction. And since I don't expect to revisit this topic, I should provide a (very optional) link to the classic paper that introduced abstract interpretation. (This is a tough read, but it's a classic, and one of the most cited papers in computer science.) Patrick Cousot and Radhia Cousot, "Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints," Sixth ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), 1977.
Week 6
We spent a bit longer on abstraction than I had planned, but that's good, as it lays the groundwork for later, as we'll encounter abstraction over and over again. Anyway, this means that we'll do symbolic reachability this week, which is incredibly cool (at least to me), and then a quick intro to temporal logic, which is the main theoretical framework for specifying more complex properties about reactive systems, beyond just reachability.
For temporal logic, Allen Emerson has written an amazing chapter in the Handbook of Theoretical Computer Science. This book is well worth buying. (2024 update: Oh my! The two volumes were expensive back when I was a young faculty member, but they are crazy expensive now!) But, a draft of the chapter is available on-line directly from Allen. This is optional. It's an encyclopedic reference.
Week 7
And now, we're ready for another Turing-Award-winning topic: model checking. For model checking (Turing Award 2007 to Ed Clarke, Allen Emerson, and Joseph Sifakis), we're going to jump straight to symbolic model checking. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang, "Symbolic Model Checking: 10^{20} States and Beyond", Information and Computation, Vol. 98, No. 2, June 1992. This is the journal version of the original paper on symbolic model checking (which appeared in the Conference on Logic in Computer Science in 1990). The paper goes into more depth than what I expect of you and is rather theoretical, but I want you all to understand symbolic model checking for CTL at least. (We'll cover roughly the material from Sections 1-4 and 6 in class.)
Time-permitting, we'll look at LTL model checking, which has become increasingly fashionable (whereas I have historically emphasized CTL model checking because CTL and model checking go together so well). Given that many of you may encounter LTL in your research, we'll do a quick intro to LTL model checking. I struggled quite a bit to select readings, as there's a vast literature on this topic, some of it quite theoretical.
Week 8
Sorry for posting late. We did LTL model checking on Tuesday. Next, we'll move on to how to use SAT to do model checking. For Thursday, I think we'll do Bounded Model Checking (BMC), which is a really simple idea, but has had a lot of success in practice. If we have time, I might also introduce Craig interpolants. Next week (which is a short week due to the break), we'll tackle IC3, which is the state-of-the-art in SAT-based model checking (although in practice, no method completely dominates the others, so people still do use BDDs, and interpolation, often as part of a portfolio of algorithms).
A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu, "Symbolic Model Checking without BDDs," Tools and Algorithms for the Analysis and Construction of Systems (TACAS'99), LNCS Vol. 1579. This is the original paper on bounded model checking.
This is a good survey of the pre-IC3 approaches to using SAT for unbounded model checking: Mukul R. Prasad, Armin Biere, and Aarti Gupta, "A Survey of Recent Advances in SAT-Based Formal Verification", Software Tools for Technology Transfer, Vol 7 No 2 (April 2005), pp. 156-173. (Optional)
And Ken McMillan's original interpolation paper was a major breakthrough and is still a very insightful approach. K. L. McMillan, "Interpolation and SAT-Based Model Checking," Computer-Aided Verification: 15th International Conference (CAV'2003), LNCS Vol. 2725, Springer, 2003, pp. 1-13. (Optional)
Week 9
We only get one lecture this week, due to the mini reading break in the schedule.
I somehow always feel like I need to read at least two different papers explaining IC3 to have a feel for what's going on. Here are the core IC3 papers that I recommend. Given what I just said, perhaps the "assignment" should be to read any two of these four (the last one is for historical reference)! :-):
Week 10
Funny, several years back, people voted hybrid systems off the syllabus, but this year, there's renewed interest. Many years back, I'd sometimes spend a couple weeks on this, and then later, I'd sometimes try to cram everything into a single lecture. I'm going to try this year to give you a very light introduction to the area, so that you'll have a basic feel for the area, and will be equipped to read more if you want. So, this will likely be 1-2 lectures.
For your reference, these are a great set of lecture notes to introduce continuous and hybrid systems, developed by John Lygeros of the University of Patras: John Lygeros, "Lecture Notes on Hybrid Systems", Notes for an ENSIETA short course, February 2-6, 2004. . (Optional) (This document appears to be floating around unpublished. Obviously, we don't have time to go through all of this, but these notes are provided as a background reference for you.)
New this year, I just stumbled across the draft of a book, which appears not to have ever been published. This is by John Lygeros, together with Claire Tomlin and Shankar Sastry, who are all major big shots in this area. I haven't gone through this, but it looks good. John Lygeros, Claire Tomlin, Shankar Sastry, Hybrid Systems: Modeling, Analysis and Control, December 28, 2008. (Optional)
OK, sorry for the VERY late addition, but I wanted to try to cover Reluplex this year, and I got very, very far behind on my lecture prep. Reluplex is an SMT solver optimized for neural network verification, and was the winner of this year's CAV Award. I'll be working from the arXiv version of the original CAV paper for this lecture. (Optional)
Week 11
For Tuesday, I think it's time to revisit SAT -- in particular, the problem of getting a proof out of the SAT solver when the result is UNSAT. (When the result is SAT, you can easily check the answer by plugging in the satisfying assignment.)
For Thursday this week, we'll return to ancient history: the classic, foundational papers on formal specification and verification of software.
And... if you want to see a more modern application... some years ago, two 513 students had to miss a few lectures to attend OSDI (the flagship conference for operating systems research). At the same time that we were going over classic Floyd-Hoare software verification, the OSDI folks were getting a talk from some folks at Microsoft (with academic collaborators) on an end-to-end software verification project using Floyd-Hoare reasoning (helped by the sort of automation we've covered). It's a cool paper, and they did some really impressive stuff. At the same time, you can see the weakness of this approach, as there's still a huge amount of manual effort to add the required annotations (about 5x more annotation than code), which limits scalability and economic viability. I saw Chris give a great talk on a related project (verifying cryptographic code) last summer, and activity in this area is continuing. Chris Hawblitzel, Jon Howell, Jacob Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, Brian Zill, "Ironclad Apps: End-to-End Security via Automated Full-System Verification", OSDI 2014. (Optional)
Week 12
The topic for Tuesday, or maybe the whole week, is synthesis, specifically syntax-guided synthesis for programs. Sorry this is getting posted so late. I'm basically pulling an all-nighter to get this lecture(s?) together, as I haven't covered this material before, and there's a LOT of stuff. I will aim to just give you all some background and context around this, with some basic examples and intuition, to help you navigate this material and read the papers if you are interested in more. (In fact, one of the pioneers of SyGuS, Armando Solar-Lezama, has notes online for an entire course on program synthesis, if you're interested.)
For the readings, let me recommend Rajeev Alur, Rastislav Bodik, Garvit Juniwal, Milo M. K. Martin, Mukkund Raghothaman, Sanjit A. Seshia, Rishabh Singh, Armando Solar-Lezama, Emina Torlak, and Abhishek Udupa, "Syntax-Guided Synthesis", Formal Methods in Computer-Aided Design (FMCAD), 2013, which is the paper that launched the term "Syntax-Guided Synthesis". It's sort of a survey paper, written by several of the leading groups that were pioneering related approaches. I'll hopefully also get to talk about Flashfill, which is the big success for synthesis to date. The paper in CACM, Sumit Gulwani, William R. Harris, and Rishabh Singh, "Spreadsheet Data Manipulation Using Examples", Communications of the ACM, August 2012, Vol. 55, No. 8, is a combo of three prior papers. It's written to be more of an overview, although you'll need to read the linked papers for more details. (All these papers are optional.)
OK, for the last lecture of the course, we're going to talk about... concurrent software! This was quite a last-minute switch.
I had heard great things about a new parallel SAT solver, called Mallob or MallobSat , and I was thinking it'd be good to do a lecture on this. However, as I dove into the details, it didn't actually look like a good topic for a lecture in this course, as the papers are all about how they very very carefully balanced various factors and built on efficient concurrent data structures to get good parallelization of a portfolio of SAT solvers. It'd be better for a course on parallel computing, for example. Still, this is apparently the best-performing, most powerful SAT solver out there, so it's good to know about (and now you do!), if you ever have to deal with big SAT problems and have good parallel computing available.
So, what to lecture about instead? Back at the beginning of the term, I asked the various formal-related faculty if there were topics that they hoped I might cover (e.g., Ron suggested the synthesis stuff). Alex suggested that I might cover assume-guarantee reasoning for concurrent software. There's a large literature on assume-guarantee reasoning, so I kind of hesitated to try to do a quick intro, but I found a nice paper by two folks who have done a lot of influential, fairly practical work on concurrent software verification. This is a great, fairly accessible taste of this area of research: Cormac Flanagan and Shaz Qadeer, "Assume-Guarantee Model Checking", 10th SPIN Workshop (2003). Looking at that paper reminded me about later work, that also had practical impact, on context-bounded analysis of concurrent software. (Shaz, with Dinghao Wu, introduced the idea in this paper. (Optional)) Since this course is a high-level overview of lots of different things, I will link to one of my own papers, which is a quick intro to three different approaches to context bounded analysis: Naghmeh Ghafari, Alan J. Hu, Zvonimir Rakamaric, "Context-Bounded Translations for Concurrent Software: An Empirical Evaluation", 17th International SPIN Workshop on Model Checking Software (2010). (Not sure if we'll have time to get to this.)
Finally, from the Mallob folks, I found a link to an Amazon Science blog post by Byron Cook, who leads Amazon's Automated Reasoning Group. Byron has far greater social intelligence than I do (and he's no slouch in other intelligence, either!), so instead of my snarky cynicism, his blog post is a great, inspiring look forward at the increasing promise of automated verification technology. I think that's a perfect note on which to end the course.
Don't read ahead of here (unless you want to), since I haven't picked all the papers for this year yet. The "week" labels are also likely very wrong, since the course mutates a bit every year.
Week n+1:
And now, we get to symbolic model checking. There are actually two different Turing Awards discussed in this week's material.
Week n+2:
Last week was short due to the new mental health break in UBC's schedule, so we wrapped up symbolic model checking on Monday, and for Wednesday, we'll look at LTL model checking, which has become increasingly fashionable lately (whereas I have historically emphasized CTL model checking because CTL and model checking go together so well). Given that many of you may encounter LTL in your research, we'll do a quick intro to LTL model checking. I struggled quite a bit to select readings, as there's a vast literature on this topic, some of it quite theoretical.
Week n+3?:
Week n+4:
I somehow always feel like I need to read at least two different papers explaining IC3 to have a feel for what's going on. Here are the core IC3 papers that I recommend. Given what I just said, perhaps the "assignment" should be to read any two of these four (the last one is for historical reference)! :-):
For the classical foundation on software verification:
And... if you want to see something more modern... a few years ago, two 513 students had to miss a few lectures to attend OSDI (the flagship conference for operating systems research). At the same time that we were going over classic Floyd-Hoare software verification, the OSDI folks were getting a talk from some folks at Microsoft (with academic collaborators) on an end-to-end software verification project using Floyd-Hoare reasoning (helped by the sort of automation we'll get to soon). It's a cool paper, and they did some really impressive stuff. At the same time, you can see the weakness of this approach, as there's still a huge amount of manual effort to add the required annotations, which limits scalability and economic viability. I saw Chris give a great talk on a related project (verifying cryptographic code) last summer, and activity in this area is continuing. Chris Hawblitzel, Jon Howell, Jacob Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, Brian Zill, "Ironclad Apps: End-to-End Security via Automated Full-System Verification", OSDI 2014. (Optional)
Week 7:
LTL has become increasingly fashionable lately (whereas I have historically emphasized CTL model checking because CTL and model checking go together so well). Therefore, given that many of you may encounter LTL in your research, I figured that I really should give you all an introduction to LTL model checking. I struggled quite a bit to select readings, as there's a vast literature on this topic, some of it quite theoretical. I'm going to select just two papers for you: one to give a taste for the classical, original approach to LTL model checking; and the second to describe one of the main workhorses in practice for checking liveness properties (which tend to get emphasized more in LTL model checking, but also apply for CTL).
Week 10:
For predicate abstraction, I'm going to assign:
Satyaki Das, and David L. Dill,
"Successive Approximation of Abstract Transition Relations,"
Proc. of the Sixteenth Annual IEEE Symposium on Logic in Computer Science
(LICS), June 2001.
This paper is a compromise assigned reading between the original
paper on predicate abstraction (see below) and more recent papers
with fancier heuristics. Section 2 is a good review of the
idea of (conservative) abstraction in general, and this paper
still gets cited quite a bit.
The original paper on predicate abstract:
Susanne Graf, and Hassen Saidi,
"Construction of Abstract State Graphs with PVS",
Conference on Computer-Aided Verification (CAV), 1997, Springer LNCS 1254.
(Optional)
is also a great paper, and if you're interested in the idea, you
should take a look as well.
Thomas Ball, Sriram K. Rajamani, "Bebop: A Symbolic Model Checker for Boolean Programs", SPIN 2000 Workshop on Model Checking of Software, LNCS 1885, August/September 2000, pp. 113-130. This paper describes computing reachability over "Boolean programs", which are essentially pushdown automata. This was the original model-checking engine behind Microsoft's SLAM project, which has evolved into production use in Microsoft's Static Driver Verifier.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani, "Automatic Predicate Abstraction of C Programs", PLDI 2001, SIGPLAN Notices 36(5), pp. 203-213. This paper describes mapping real C programs to Boolean programs, using predicate abstraction. (Optional) (This paper basically "concretizes" (pun, haha) the connection between the more theoretical work on predicate abstraction and Boolean programs with actual software.)
Week 11:
Hmm... was this term short by a week? I did start counting at 0, but still, I think there are usually more weeks. Anyway, we finished the Bebop paper on Monday, and for Wednesday, folks asked for some coverage of parameterized verification.
I find this a very hard topic to cover, as there's quite a large literature, but it's very fragmented, with different communities that don't interact that much, using different formalism and techniques. There's also a big dichotomy between a fairly well-developed literature, with some really cool theoretical results, but not scalable to practical systems, versus a literature of techniques applied to more practical-sized systems, but relying on some ad hoc manual effort.
For your reference, I'll suggest two optional readings:
Week 9 (Guest Lectures by Mark Greenstreet, Itrat Akhter, and Carl Kwan):
Week 12: TBD
Vaastav asked for some coverage of formal verification of
probabilistic systems. This paper is a good introduction:
L. de Alfaro, M. Kwiatkowska, G. Norman, D. Parker, and R. Segala,
"Symbolic Model Checking of Concurrent Probabilistic Processes Using MTBDDs
and the Kronecker Representation",
6th International Worskshop on Tools and Algorithms for the Construction
and Analysis of Systems (TACAS 2000)
LNCS Vol. 1785.
This is also a good chance to introduce influential work that came
directly out of a CPSC 513 project. Robert St. Aubin and Jesse Hoey
were in 513, and this work started as their course project and
became the fastest stochastic planner available. Stochastic planning
is a closely related problem to verification of probabilistic systems.
Jesse Hoey, Robert St. Aubin, Alan Hu, Craig Boutilier,
"SPUDD: Stochastic Planning Using Decision Diagrams",
15th Conference on Uncertainty in Artificial Intelligence (UAI'99),
pp. 279-288.
Week 13: Project Presentations!
We'll have signups for your project presentations on November 27 and November 29. We'll schedule people on 15-minute intervals, so aim for about 10-12 minutes per project (individual or group).
Week 8
Sam Bayless, Celina G. Val, Thomas Ball, Holger H. Hoos, Alan J. Hu, "Efficient Modular SAT Solving for IC3", Formal Methods in Computer-Aided Design (FMCAD), 2013, pp. 149-156. This is an amazing paper, by some truly brilliant researchers, which brings together ideas from SAT, SMT, BMC, IC3, interpolation, induction, and probably a few other ideas from the class that I can't think of right now... (Optional) (All joking aside, I really love how this paper ties together a whole bunch of other ideas. However, I can't justify it as a must-read in our limited time.)
Week 10:
OK, this is a short week (only 1 lecture) due to Remembrance Day. I know that people voted not spend time on hybrid systems, but I think you should get some exposure to the basics. I'm going to skip most of the details (usually, I'd spend about 2 weeks on this), and then try to condense about 3 lectures worth of material into one day. :-) We'll basically just look at basic concepts and definitions. For your reference, these are a great set of lecture notes to introduce continuous and hybrid systems, developed by John Lygeros of the University of Patras: John Lygeros, "Lecture Notes on Hybrid Systems", Notes for an ENSIETA short course, February 2-6, 2004. . (Optional) (This document appears to be floating around unpublished. Obviously, we don't have time to go through all of this, but these notes are provided as a background reference for you.
In the unlikely event that we have some spare time, Alur-Dill timed automata are a very cool special case of hybrid systems: Rajeev Alur, Costas Courcoubetis, and David Dill, "Model-Checking in Dense Real-Time", Information and Computation, May 1993, pp. 2-34. (Optional)
Possibly Later: