Jinjiang Let,Zongyan Qiu

DOI: https://doi.org/10.7561/sacs.2014.2.217

2014-01-01

Scientific Annals of Computer Science

Abstract:The difficulties of verifying concurrent programs lie in their inherent non-determinism and interferences. Rely-Guarantee reasoning is one useful approach to solve this problem for its capability in formally specifying inter- thread interferences. However, modern verification requires better locality and modularity. It is still a great challenge to verify a message-passing program in a modular and composable way. In this paper, we propose a new reasoning system for message-passing programs. It is a novel logic that supports Hoare style triples to specify and verify distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and specify behav- iors of agents by their local traces with regard to environmental assumptions — an idea inspired by Rely-Guarantee reasoning. Based on trace semantics, the verification is compositional in both temporal and spatial dimensions. To show validity, we apply our logic to modularly prove several examples.

Jinjiang Lei,Zongyan Qiu

DOI: https://doi.org/10.1007/978-3-319-10882-7_17

2014-01-01

Abstract:Verification of concurrent systems is difficult because of the inherent nondeterminism. Modern verification requires better locality and modularity. Reasoning of shared memory systems has gained much progress in these aspects. However, modular verification of distributed systems is still in demand. In this paper, we propose a new reasoning system for message-passing programs. It is a novel logic that supports Hoare style triples to specify and verify distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and specify behaviors of agents by their local traces with regard to environmental assumptions. Based on trace semantics, the verification is compositional in both temporal and spatial dimensions. As an example, we show how to modularly verify an implementation of merging network.

Jia Lv,Jing Ying,Minghui Wu,Tao Jiang,Fanwei Zhu

DOI: https://doi.org/10.1109/ssiri.2009.20

2009-01-01

Abstract:The behavior model of traditional temporal logic is closed and symmetrical, while the behavior model of aspect-oriented programs is open and asymmetrical. When the programmer designs the base-code, he is not sure what aspects will be woven to it. It is indirect and difficult to specify and verify the behavior of aspect-oriented programs by using traditional temporal logic. In this paper, we propose a new temporal logic named open temporal logic, which introduced some new path operators and one new temporal operator. Since paths are divided into two kinds: internal parts and external parts, the behavioral model of open temporal logic is open and asymmetrical. Base on open temporal logic and the proof system of traditional rely-guarantee method, a new proof system is given to verify the behavior of aspect-oriented programs.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Teng Long,Xingtao Ren,Qing Wang,Chao Wang

DOI: https://doi.org/10.1007/978-3-030-91265-9_7

2021-01-01

Abstract:With the development of network technology and the increasing popularity of distributed systems, the society pays more and more attention to the reliability of distributed systems. Distributed systems establish services and communications among a large number of terminals, and message passing is a common communication method in distributed systems. In practice, asynchronous mode has better performance than synchronous mode, but asynchronous completion makes the task of specifying correct behaviors more difficult. Verification of asynchronous distributed systems is challenging due to unpredictable interleaving and possible network failures. Aiming to verify the safety properties of asynchronous programs, we propose a simple procedure with the assumption of mergeable parallelism in this paper. Then we characterize inference rules to describe the sequence combination that satisfies the conditions of the receive operations. The program’s execution can be reduced to executions with sets of fixed order. A proof is provided to show its soundness. The correctness of the mergeable message passing programs could be verified by a state-of-the-art verification framework. Experimental results show that our method is efficient and applicable in various message passing cases.

Bin Yu,Zhenhua Duan,Cong Tian,Nan Zhang

DOI: https://doi.org/10.1016/j.jpdc.2017.09.003

IF: 4.542

2018-01-01

Journal of Parallel and Distributed Computing

Abstract:Due to the nature in dealing only with observed executions of a real system, runtime verification is being pursued as a lightweight verification technique. However, the overhead for analyzing the desired temporal properties usually degrades performance greatly. The reasons are: (1) the low efficiency of the interpretive execution in the analyzing process, and (2) nondeterminism of the automata generated from temporal logic properties. To overcome them, this paper presents a parallel approach to verify full regular temporal properties of a program. With this approach, the program is written in Modeling, Simulation and Verification Language (MSVL), and the property is specified by a Propositional Projection Temporal Logic (PPTL) formula. Execution and verification of a program are carried out at the same time. Specifically, each trace generated from executing a program is divided into several segments which are verified in parallel. Also, in the process of verifying each segment, nondeterministic choices in the relative automaton of a temporal property are also handled in parallel. Finally, verification results of all the segments are merged to form the eventual result as well as the counterexample. Our parallel mechanism takes full advantage of the hardware resources and makes temporal property verification efficient in a multi-core system. Experiments show that our approach is practical in verifying temporal properties of large-scale programs in the real world.

Teng Long,Xingtao Ren,Qing Wang,Chao Wang

DOI: https://doi.org/10.1016/j.sysarc.2022.102646

IF: 5.836

2022-09-01

Journal of Systems Architecture

Abstract:With the development of network technology and the increasing popularity of distributed systems, the society pays more and more attention to the reliability of distributed systems. Distributed systems establish services and communications among a large number of terminals, and message passing is a common communication method in distributed systems. In practice, asynchronous mode has better performance than synchronous mode, but asynchronous completion makes the task of specifying correct behaviors more difficult. Verification of asynchronous distributed systems is challenging due to unpredictable interleaving and possible network failures. Aiming to verify the safety properties of asynchronous programs, we propose a simple procedure with the assumption of mergeable parallelism in this paper. Then we characterize inference rules to describe the sequence combination that satisfies the conditions of the receive operations. The program’s execution can be reduced to executions with sets of fixed order. A proof is provided to show its soundness. The correctness of the mergeable message passing programs could be verified by a state-of-the-art verification framework. Experimental results show that our method is efficient and applicable in various message passing cases.

computer science, software engineering, hardware & architecture

Weijiang Hong,Zhenbang Chen,Yufeng Zhang,Hengbiao Yu,Yide Du,Ji Wang

DOI: https://doi.org/10.1016/j.scico.2023.103075

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Message-passing programs involve several processes with channel-based communications to deal with tasks concurrently. The complex computations and communications between processes make the verification of message-passing programs hard. By regarding the functions in programs as uninterpreted functions, we focus on the verification problem of message-passing uninterpreted programs. Although the usage of uninterpreted functions alleviates the computational difficulties brought by functions, the verification problem is still undecidable in general. In this work, we provide a decidable subclass of message-passing uninterpreted programs, wherein programs in this subclass satisfy the property of k-record coherence. The decidability result closely relies on communicating finite-state machine (CFM) with bounded channels. Based on the decidability result, we proposed a verification framework for message-passing uninterpreted programs.

Yide Du,Weijiang Hong,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.1007/978-3-031-10363-6_10

2022-01-01

Abstract:Given a set of uninterpreted programs to be verified, the trace abstraction-based verification method can be used to solve them once at a time. The verification of different programs is independent of each other. However, the individual verification for each one is a waste of resources if the programs behave similarly. In this work, we propose a framework for the collaborative verification of a set of uninterpreted programs, which accumulates and reuses the abstract models of infeasible traces to improve the verification's efficiency. We have implemented the collaborative verification framework and the preliminary result demonstrate that our collaborative method is effective on the benchmark.

Bin Yu,Cong Tian,Xu Lu,Nan Zhang,Zhenhua Duan

DOI: https://doi.org/10.1109/tpds.2022.3215854

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:As a lightweight method, runtime verification aims to check whether one program execution satisfies a desired property. For online runtime verification, the approach efficiency and property expressiveness are two key points restricting its wide application. In this paper, we propose a distributed network-based parallel runtime verification approach to verifying full regular temporal properties for a suitable subset of C (named by Xd-C) programs in an online manner. With this approach, an Xd-C program is translated into an equivalent Modeling, Simulation and Verification Language (MSVL) program, and a desired property is specified as a Propositional Projection Temporal Logic (PPTL) formula; during the program execution, segments of the generated state sequence are verified in parallel by distributed multi-core machines. Experimental results show that, our approach has a speedup of 2.5X-5.0X over the state-of-art runtime verification approaches and supports full regular temporal properties, meaning that our approach can not only take full advantage of computing and storage resources in a distributed network, but also support more expressive properties.

Hengbiao Yu,Zhenbang Chen,Chun Huang,Ji Wang

DOI: https://doi.org/10.1007/978-3-030-62822-2_10

2020-01-01

Abstract:Message Passing Interface (MPI) is the current de-facto standard for developing applications in high-performance computing. MPI allows flexible implementations of message passing operations, which introduces non-deterministic synchronizations that challenge the correctness of MPI programs. We present in this paper a symbolic method for verifying the MPI programs with non-deterministic synchronizations. Insides the method, we propose a path-level modeling method that uses communicating sequential processes (CSP) to precisely encode the non-deterministic synchronizations of an execution path. Furthermore, for the execution paths without non-deterministic message receive operations, we propose an optimization method to reduce the complexity of the CSP models. We have implemented our technique on MPI-SV and evaluated it on 10 real-world MPI programs w.r.t. deadlock freedom. The experimental results demonstrate the effectiveness of our verification method.

Xuandong Li,Xiaokang Qiu,Linzhang Wang,Bin Lei,W. Eric Wong

DOI: https://doi.org/10.1145/1363686.1363781

2008-01-01

Abstract:In object-oriented programs, we often need to set some restrictions on the temporal orders of the message receiving for objects, which forms a class of safety requirements. In this paper, we use UML state machine diagrams as design specifications, and present an approach to runtime verification of Java programs, which is focused on the temporal order of message receiving based consistency verification between the behavior of state machine diagrams and the program execution traces. In the approach, we first instrument the program under verification so as to gather the program execution traces related to a given state machine diagram. Then we drive the instrumented program by random test cases so as to generate the program execution traces. Finally we check if the collected program execution traces are consistent with the behavior of the state machine diagram, which means that the temporal orders of the message receiving occurring in the program traces are consistent with the ones occurring in the state machine diagram. Our approach can be used to detect not only the program bugs resulting from the wrong temporal orders of message receiving, but also the imperfect state machine models constructed in reverse engineering for legacy systems, and leads to a testing tool which may proceed in a fully automatic fashion.

Qingyu Jiang,Jing Liu,Haodong Hu

DOI: https://doi.org/10.1109/apsec.2018.00026

2018-01-01

Abstract:Ensuring the reliability of concurrency software systems is difficult due to the interaction between threads. This article discusses the requirements for formal verification of concurrent embedded software and proposes a constraint-based flow-sensitive static analysis for concurrent avionics software by iteratively composing thread-modular abstract interpreters. These constraint are based on data-flow graphs and used to rule out patterns of thread interference that can not occur in a real program execution. Our new method has the advantage of being more accurate than existing, flow-insensitive, static avionics analyzers while remaining scalable and providing the expected soundness and termination guarantees. We implemented our method and evaluated it on an industrial setting, hinting at the maturity of our approach.

Chinmay Narayan,Subodh Sharma,Shibashis Guha,S.Arun-Kumar

DOI: https://doi.org/10.48550/arXiv.1506.07635

2016-04-28

Abstract:Nondeterminism in scheduling is the cardinal reason for difficulty in proving correctness of concurrent programs. A powerful proof strategy was recently proposed [6] to show the correctness of such programs. The approach captured data-flow dependencies among the instructions of an interleaved and error-free execution of threads. These data-flow dependencies were represented by an inductive data-flow graph (iDFG), which, in a nutshell, denotes a set of executions of the concurrent program that gave rise to the discovered data-flow dependencies. The iDFGs were further transformed in to alternative finite automatons (AFAs) in order to utilize efficient automata-theoretic tools to solve the problem. In this paper, we give a novel and efficient algorithm to directly construct AFAs that capture the data-flow dependencies in a concurrent program execution. We implemented the algorithm in a tool called ProofTraPar to prove the correctness of finite state cyclic programs under the sequentially consistent memory model. Our results are encouranging and compare favorably to existing state-of-the-art tools.

Programming Languages,Software Engineering

Meng Wang,Cong Tian,Nan Zhang,Zhenhua Duan

DOI: https://doi.org/10.1109/icse-c.2017.98

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:Verification of programs in code-level has attracted more and more attentions since the cost is high to extract models from source code. Most of the approaches available for code-level verification are carried on by inserting assertions into programs and then checking whether the assertions are violated. But in this way, only safety properties can be verified, other temporal properties of programs such as liveness cannot be verified. To tackle this problem, a unified model checking approach is presented in this paper where a program to be verified is written in a Modeling, Simulation and Verification Language (MSVL) program M and a desired property is specified by a Propositional Projection Temporal Logic (PPTL) formula P. Different from the traditional model checking approach, the negation of the desired property is translated into an MSVL program M' first. Then whether P is valid on M can be checked by evaluating whether there exists an acceptable execution of the new MSVL program "M and M'". This problem can be efficiently conducted with the compiler of MSVL namely MSV. The proposed approach has been implemented in a tool called UMC4MSVL. Experiments show that UMC4MSVL is efficient in verifying temporal properties of real-world programs.

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.

LI Yang,CHENG Jian-hua,FANG Ding-yi,CHEN Xiao-jiang,FENG Jian

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.04.034

2008-01-01

Abstract:Distributed system is one type of typical concurrent systems.In concurrent system,safety and liveness are the two main characteristics which should be most concerned and ensured in its application.However,we have to face the problems,in concurrent system modeling and formal verification,such as tedious description,complex and difficult understanding,and it is more serious because of the low efficiency in model checking when it is much large(with a great number of the processes).Combining the features of good modularity in Compositional Reachability Analysis(CRA) and high efficiency in Labeled Transition System(LTS),an efficient model verification method is proposed.Three theorems for safety and liveness verification of concurrent systems are proved,and the relevant effective verification algorithms are derived.The feasibility of the algorithms is indicated through a simplified example.

Andreea Costea,Wei-Ngan Chin,Florin Craciun,Shengchao Qin

DOI: https://doi.org/10.48550/arXiv.2109.11802

2021-09-24

Programming Languages

Abstract:Ensuring the correctness of software for communication centric programs is important but challenging. Previous approaches, based on session types, have been intensively investigated over the past decade. They provide a concise way to express protocol specifications and a lightweight approach for checking their implementation. Current solutions are based on only implicit synchronization, and are based on the less precise types rather than logical formulae. In this paper, we propose a more expressive session logic to capture multiparty protocols. By using two kinds of ordering constraints, namely "happens-before" <HB and "communicates-before" <CB, we show how to ensure from first principle race-freedom over common channels. Our approach refines each specification with both assumptions and proof obligations to ensure compliance to some global protocol. Each specification is then projected for each party and then each channel, to allow cooperative proving through localized automated verification. Our primary goal in automated verification is to ensure race-freedom and communication-safety, but the approach is extensible for deadlock-freedom as well. We shall also describe how modular protocols can be captured and handled by our approach.

WAN Liang,SHI Wen-chang,FENG Hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.10.031

2013-01-01

Computer Science

Abstract:With the popularity of multi-core,multi-thread and parallel execution,there is an increasing demand for formal verification of parallel programs.The uncertainty of execution flows in parallel program verification makes it difficult to determine the relation between verification contents and targets.Verifying directly from the parallel programs will lead to large-scale verification.To this end,we proposed a new verification method based on separation logic.On the basis of the feature that the semantics of separation logic's programming language are both interpretive and axiomatic,our method transforms the property formulae to be verified into logical composition expression,and reforms and simplifies them.Then separation logic's axiom system is used to verify the expression and calculate the value of property formulae with verified assertions.Case studies further illustrate that the proposed method is effective and can reduce verification scales.