Bohua Zhan,Maximilian P. L. Haslbeck

DOI: https://doi.org/10.48550/arXiv.1802.01336

2018-02-05

Logic in Computer Science

Abstract:We present a framework in Isabelle for verifying asymptotic time complexity of imperative programs. We build upon an extension of Imperative HOL and its separation logic to include running time. In addition to the basic arguments, our framework is able to handle advanced techniques for time complexity analysis, such as the use of the Akra-Bazzi theorem and amortized analysis. Various automation is built and incorporated into the auto2 prover to reason about separation logic with time credits, and to derive asymptotic behavior of functions. As case studies, we verify the asymptotic time complexity (in addition to functional correctness) of imperative algorithms and data structures such as median of medians selection, Karatsuba's algorithm, and splay trees.

David Sanán,Yongwang Zhao,Zhe Hou,Fuyuan Zhang,Alwen Tiu,Yang Liu

DOI: https://doi.org/10.1007/978-3-662-54577-5_28

2017-01-01

Abstract:It is essential to deal with the interference of the environment between programs in concurrent program verification. This has led to the development of concurrent program reasoning techniques such as rely-guarantee. However, the source code of the programs to be verified often involves language features such as exceptions and procedures which are not supported by the existing mechanizations of those concurrent reasoning techniques. Schirmer et al. have solved a similar problem for sequential programs by developing a verification framework in the Isabelle/HOL theorem prover called Simpl, which provides a rich sequential language that can encode most of the features in real world programming languages. However Simpl only aims to verify sequential programs, and it does not support the specification nor the verification of concurrent programs. In this paper we introduce CSimpl, an extension of Simpl with concurrency-oriented language features and verification techniques. We prove the compositionality of the CSimpl semantics and we provide inference rules for the language constructors to reason about CSimpl programs using rely-guarantee, showing that the inference rules are sound w.r.t. the language semantics. Finally, we run a case study where we use CSimpl to specify and prove functional correctness of an abstract communication model of the XtratuM partitioning separation micro-kernel.

Péter Bereczky,Dániel Horpácsi,Simon Thompson

2023-11-17

Abstract:In order to reason about the behaviour of programs described in a programming language, a mathematically rigorous definition of that language is needed. In this paper, we present a machine-checked formalisation of concurrent Core Erlang (a subset of Erlang) based on our previous formalisations of its sequential sublanguage. We define a modular, frame stack semantics, show how program evaluation is carried out with it, and prove a number of properties (e.g. determinism, confluence). Finally, we define program equivalence based on bisimulations and prove that side-effect-free evaluation is a bisimulation. This research is part of a wider project that aims to verify refactorings to prove that particular program code transformations preserve program behaviour.

Programming Languages

Constantin Enea,Eric Koskinen

2024-10-18

Abstract:Concurrent objects form the foundation of many applications that exploit multicore architectures and their importance has lead to informal correctness arguments, as well as formal proof systems. Correctness arguments (as found in the distributed computing literature) give intuitive descriptions of a few canonical executions or "scenarios" often each with only a few threads, yet it remains unknown as to whether these intuitive arguments have a formal grounding and extend to arbitrary interleavings over unboundedly many threads. We present a novel proof technique for concurrent objects, based around identifying a small set of scenarios (representative, canonical interleavings), formalized as the commutativity quotient of a concurrent object. We next give an expression language for defining abstractions of the quotient in the form of regular or context-free languages that enable simple proofs of linearizability. These quotient expressions organize unbounded interleavings into a form more amenable to reasoning and make explicit the relationship between implementation-level contention/interference and ADT-level transitions. We evaluate our work on numerous non-trivial concurrent objects from the literature (including the Michael-Scott queue, Elimination stack, SLS reservation queue, RDCSS and Herlihy-Wing queue). We show that quotients capture the diverse features/complexities of these algorithms, can be used even when linearization points are not straight-forward, correspond to original authors' correctness arguments, and provide some new scenario-based arguments. Finally, we show that discovery of some object's quotients reduces to two-thread reasoning and give an implementation that can derive candidate quotients expressions from source code.

Programming Languages

KP Jevitha,Bharat Jayaraman,M Sethumadhavan

2024-06-18

Abstract:Finite-state models are ubiquitous in the study of concurrent systems, especially controllers and servers that operate in a repetitive cycle. In this paper, we show how to extract finite state models from a run of a multi-threaded Java program and carry out runtime verification of correctness properties. These properties include data-oriented and control-oriented properties; the former express correctness conditions over the data fields of objects, while the latter are concerned with the correct flow of control among the modules of larger software. As the extracted models can become very large for long runs, the focus of this paper is on constructing reduced models with user-defined abstraction functions that map a larger domain space to a smaller one. The abstraction functions should be chosen so that the resulting model is property preserving, i.e., proving a property on the abstract model carries over to the concrete model. The main contribution of this paper is in showing how runtime verification can be made efficient through online property checking on property-preserving abstract models. The property specification language resembles a propositional linear temporal logic augmented with simple datatypes and operators. Classic concurrency examples and larger case studies (Multi-rotor Drone Controller, OAuth Protocol) are presented in order to demonstrate the usefulness of our proposed techniques, which are incorporated in an Eclipse plug-in for runtime visualization and verification of Java programs.

Software Engineering

Raymond C. McDowell,Dale A. Miller

DOI: https://doi.org/10.48550/arXiv.cs/0003062

2001-01-16

Abstract:Logical frameworks based on intuitionistic or linear logics with higher-type quantification have been successfully used to give high-level, modular, and formal specifications of many important judgments in the area of programming languages and inference systems. Given such specifications, it is natural to consider proving properties about the specified systems in the framework: for example, given the specification of evaluation for a functional programming language, prove that the language is deterministic or that evaluation preserves types. One challenge in developing a framework for such reasoning is that higher-order abstract syntax (HOAS), an elegant and declarative treatment of object-level abstraction and substitution, is difficult to treat in proofs involving induction. In this paper, we present a meta-logic that can be used to reason about judgments coded using HOAS; this meta-logic is an extension of a simple intuitionistic logic that admits higher-order quantification over simply typed lambda-terms (key ingredients for HOAS) as well as induction and a notion of definition. We explore the difficulties of formal meta-theoretic analysis of HOAS encodings by considering encodings of intuitionistic and linear logics, and formally derive the admissibility of cut for important subsets of these logics. We then propose an approach to avoid the apparent tradeoff between the benefits of higher-order abstract syntax and the ability to analyze the resulting encodings. We illustrate this approach through examples involving the simple functional and imperative programming languages PCF and PCF:=. We formally derive such properties as unicity of typing, subject reduction, determinacy of evaluation, and the equivalence of transition semantics and natural semantics presentations of evaluation.

Logic in Computer Science,Programming Languages

Simon Foster,Kangfeng Ye,Ana Cavalcanti,Jim Woodcock

DOI: https://doi.org/10.1016/j.jlamp.2021.100681

2021-04-12

Abstract:Reactive programs combine traditional sequential programming constructs with primitives to allow communication with other concurrent agents. They are ubiquitous in modern applications, ranging from components systems and web services, to cyber-physical systems and autonomous robots. In this paper, we present an algebraic verification strategy for concurrent reactive programs, with a large or infinite state space. We define novel operators to characterise interactions and state updates, and an associated equational theory. With this we can calculate a reactive program's denotational semantics, and thereby facilitate automated proof. Of note is our reasoning support for iterative programs with reactive invariants, based on Kleene algebra, and for parallel composition. We illustrate our strategy by verifying a reactive buffer. Our laws and strategy are mechanised in Isabelle/UTP, our implementation of Hoare and He's Unifying Theories of Programming (UTP) framework, to provide soundness guarantees and practical verification support.

Logic in Computer Science,Programming Languages

Eduard Kamburjan,Nathan Wasser

DOI: https://doi.org/10.4204/EPTCS.365.1

2022-08-09

Abstract:We present a novel and well automatable approach to formal verification of C programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of concurrent systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every non-deterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model, using the Crowbar theorem prover, which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be handled correctly by existing tools for C.

Programming Languages

Joseph William Neal Paulus

2024-08-15

Abstract:This thesis embarks on a comprehensive exploration of formal computational models that underlie typed programming languages. We focus on programming calculi, both functional (sequential) and concurrent, as they provide a compelling rigorous framework for evaluating program semantics and for developing analyses and program verification techniques. This is the full version of the thesis containing appendices.

Logic in Computer Science,Programming Languages

Jesper Amilon,Zafer Esen,Dilian Gurov,Christian Lidström,Philipp Rümmer,Marten Voorberg

2024-12-09

Abstract:In deductive verification and software model checking, dealing with certain specification language constructs can be problematic when the back-end solver is not sufficiently powerful or lacks the required theories. One way to deal with this is to transform, for verification purposes, the program to an equivalent one not using the problematic constructs, and to reason about this equivalent program instead. In this article, we propose program instrumentation as a unifying verification paradigm that subsumes various existing ad-hoc approaches, has a clear formal correctness criterion, can be applied automatically, and can transfer back witnesses and counterexamples. We illustrate our approach on the automated verification of programs that involve quantification and aggregation operations over arrays, such as the maximum value or sum of the elements in a given segment of the array, which are known to be difficult to reason about automatically. We implement our approach in the MonoCera tool, which is tailored to the verification of programs with aggregation, and evaluate it on example programs, including SV-COMP programs.

Logic in Computer Science

Yongwang Zhao,David Sanán,Fuyuan Zhang,Yang Liu

DOI: https://doi.org/10.1007/978-3-030-30942-8_11

2019-01-01

Abstract:Reactive systems are composed of a well defined set of event handlers by which the system responds to environment stimulus. In concurrent environments, event handlers can interact with the execution of other handlers such as hardware interruptions in preemptive systems, or other instances of the reactive system in multicore architectures. The rely-guarantee technique is a suitable approach for the specification and verification of reactive systems. However, the languages in existing rely-guarantee implementations are designed only for “pure programs”, simulating reactive systems makes the program and rely-guarantee conditions unnecessary complicated. In this paper, we decouple the system reactions and programs using a rely-guarantee interface, and develop PiCore , a parametric rely-guarantee framework for concurrent reactive systems. PiCore has a two-level inference system to reason on events and programs associated to events. The rely-guarantee interface between the two levels allows the reusability of existing languages and their rely-guarantee proof systems for programs. In this work we show how to integrate in PiCore two existing rely-guarantee proof systems. This work has been fully mechanized in Isabelle/HOL. As a case study, we have applied PiCore to the concurrent buddy memory allocation of a real-world OS, providing a verified low-level specification and revealing bugs in the C code.

Will Crichton,Shriram Krishnamurthi

DOI: https://doi.org/10.1145/3632865

2023-11-15

Abstract:Passive documents and active programs now widely comingle. Document languages include Turing-complete programming elements, and programming languages include sophisticated document notations. However, there are no formal foundations that model these languages. This matters because the interaction between document and program can be subtle and error-prone. In this paper we describe several such problems, then taxonomize and formalize document languages as levels of a document calculus. We employ the calculus as a foundation for implementing complex features such as reactivity, as well as for proving theorems about the boundary of content and computation. We intend for the document calculus to provide a theoretical basis for new document languages, and to assist designers in cleaning up the unsavory corners of existing languages.

Programming Languages

Zheng Yang,Hang Lei

DOI: https://doi.org/10.48550/arxiv.1803.00403

2018-01-01

Abstract:In recent years, a number of lightweight programs have been deployed in critical domains, such as in smart contracts based on blockchain technology. Therefore, the security and reliability of such programs should be guaranteed by the most credible technology. Higher-order logic theorem proving is one of the most reliable technologies for verifying the properties of programs. However, programs may be developed by different high-level programming languages, and a general, extensible, and reusable formal memory (GERM) framework that can simultaneously support different formal verification specifications, particularly at the code level, is presently unavailable for verifying the properties of programs. Therefore, the present work proposes a GERM framework to fill this gap. The framework simulates physical memory hardware structure, including a low-level formal memory space, and provides a set of simple, nonintrusive application programming interfaces and assistant tools using Coq that can support different formal verification specifications simultaneously. The proposed GERM framework is independent and customizable, and was verified entirely in Coq. We also present an extension of Curry-Howard isomorphism, denoted as execution-verification isomorphism (EVI), which combines symbolic execution and theorem proving for increasing the degree of automation in higher-order logic theorem proving assistant tools. We also implement a toy functional programming language in a generalized algebraic datatypes style and a formal interpreter in Coq based on the GERM framework. These implementations are then employed to demonstrate the application of EVI to a simple code segment.

Yifeng Chen

DOI: https://doi.org/10.1007/978-3-642-16690-7_8

2010-01-01

Abstract:This paper studies the relation between execution and verification. A simple imperative language called VerExec with execution and verification commands is introduced. A machine only executes execution commands of a program, while the compiler only performs the verification commands. Common commands in other languages can be defined as a combination of execution and verification commands. Design of verifiers then becomes program design using verification commands. It is shown that type checking, abstract interpretation, modeling checking and Hoare Logic are all special verification programs, so are many of their combinations.

Johan van Benthem,Jelle Gerbrandy,Tomohiro Hoshi,Eric Pacuit

DOI: https://doi.org/10.1007/s10992-008-9099-x

2009-01-01

Journal of Philosophical Logic

Abstract:A variety of logical frameworks have been developed to study rational agents interacting over time. This paper takes a closer look at one particular interface, between two systems that both address the dynamics of knowledge and information flow. The first is Epistemic Temporal Logic (ETL) which uses linear or branching time models with added epistemic structure induced by agents’ different capabilities for observing events. The second framework is Dynamic Epistemic Logic (DEL) that describes interactive processes in terms of epistemic event models which may occur inside modalities of the language. This paper systematically and rigorously relates the DEL framework with the ETL framework. The precise relationship between DEL and ETL is explored via a new representation theorem characterizing the largest class of ETL models corresponding to DEL protocols in terms of notions of Perfect Recall, No Miracles, and Bisimulation Invariance. We then focus on new issues of completeness. One contribution is an axiomatization for the dynamic logic of public announcements constrained by protocols, which has been an open problem for some years, as it does not fit the usual ‘reduction axiom’ format of DEL. Finally, we provide a number of examples that show how DEL suggests an interesting fine-structure inside ETL.

Mingzhang Huang,Guoqiang Li

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.12.001

2015-01-01

Abstract:Program analysis can be regarded as the model checking of abstract interpretation, this view makes the systematic way of programanalysis possible.Concurrent programming is becoming increasingly important with the trends that to be widely used in multi-core platforms and distributed systems.However, concurrent programming analysis raises huge difficulties, since the practical complexities and theoretical undecidability.Literature [ 19 ] gives a negative result that, even when the case is as simple as two interacted threads with recursionallowed, the checking assertions are still undecidable.To bypass this undecidable barrier, different techniques of static analysis of concurrent programs are proposed.We give a detailed survey on model checking-based concurrent programming analyses, including mathematicalmodels under use, existing tools, decidable and undecidable results.

Guojun Xie,Huanhuan Yang,Gang Chen

DOI: https://doi.org/10.1016/j.jlamp.2024.100972

IF: 1.088

2024-05-01

Journal of Logical and Algebraic Methods in Programming

Abstract:As robotic applications continue to expand and task complexity increases, the adoption of more advanced and sophisticated control algorithms and models becomes critical. Traditional methods, relying on manual abstraction and modeling to verify these algorithms and models, may not fully encompass all potential design paths, leading to incomplete models, design defects, and increased vulnerability to security risks. The verification of control systems using formal methods is crucial for ensuring the safety of robots. This paper introduces a formal verification framework for robot kinematics implemented in Coq. It constructs a formal proof for the theory of robot motion and control algorithms, specifically focusing on the theory of robot kinematics, which includes the homogeneous representation of robot coordinates and the transformation relations between different coordinate systems. Subsequently, we provide formal definitions and verification for several commonly used structural robots, along with their coordinate transformation algorithms. Finally, we extract the Coq code, convert the functional algorithms into OCaml code, and perform data validation using various examples. It is worth emphasizing that the framework we have built possesses a high level of reusability, providing a solid technological foundation for the development of kinematics theorem libraries.

computer science, theory & methods,logic

Fengwei Xu,Ming Fu,Xinyu Feng,Xiaoran Zhang,Hui Zhang,Zhaohui Li

DOI: https://doi.org/10.1007/978-3-319-41540-6_4

2016-01-01

Abstract:We propose a practical verification framework for preemptive OS kernels. The framework models the correctness of API implementations in OS kernels as contextual refinement of their abstract specifications. It provides a specification language for defining the high-level abstract model of OS kernels, a program logic for refinement verification of concurrent kernel code with multi-level hardware interrupts, and automated tactics for developing mechanized proofs. The whole framework is developed for a practical subset of the C language. We have successfully applied it to verify key modules of a commercial preemptive OS mu C/OS-II [ 2], including the scheduler, interrupt handlers, message queues, and mutexes etc. We also verify the priority-inversion-freedom (PIF) in mu C/OS-II. All the proofs are mechanized in Coq. To our knowledge, our work is the first to verify the functional correctness of a practical preemptive OS kernel with machine-checkable proofs.

Eleftherios Ioannidis,Yannick Zakowski,Steve Zdancewic,Sebastian Angel

2024-10-19

Abstract:Mechanized verification of liveness properties for programs with effects, nondeterminism, and nontermination is difficult. Existing temporal reasoning frameworks operate on the level of models (traces, automata) not executable code, creating a verification gap and losing the benefits of modularity and composition enjoyed by structural program logics. Reasoning about infinite traces and automata requires complex (co-)inductive proof techniques and familiarity with proof assistant mechanics (e.g., guardedness checker). We propose a structural approach to the verification of temporal properties with a new temporal logic that we call ictl. Using ictl, we internalize complex (co-)inductive proof techniques to structural lemmas and reasoning about variants and invariants. We show that it is possible to perform mechanized proofs of general temporal properties, while working in a high-level of abstraction. We demonstrate the benefits of ictl by giving mechanized proofs of safety and liveness properties for programs with queues, secure memory, and distributed consensus.

Programming Languages,Logic in Computer Science

menouer boubekeur,ka lok man,michel schellekens

DOI: https://doi.org/10.1109/CCECE.2007.356

2007-01-01

Abstract:The formal verification of mutual exclusion between the guards of a deterministic choice structure is of great interest to the asynchronous circuit designers. To perform this spot of checking, we propose a treatment in two phases; the first is based on a static analysis, the Mutual Exclusion (ME) is checked using a symbolic decision tool. In the second phase, if the static analysis returns a result like "the model does not satisfy mutual exclusion", the dynamic verification takes into account the constraints of the environment to refine the analysis. If the mutual exclusion is still not satisfied, it gives a counter-example. The principle is to check wether indeterminism exists during the construction of the whole execution model, using a model-checking tool.