Verification and Specification of Concurrent Programs
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
On-The-Fly Garbage Collection: an Exercise in Cooperation
8. HoIn, B.K.P. Determining lightness from an image. Comptr. Graphics and Image Processing 3, 4(Dec. 1974), 277-299. 9. Huffman, D.A. Impossible objects as nonsense sentences. In Machine Intelligence 6, B. Meltzer and D. Michie, Eds., Edinburgh U. Press, Edinburgh, 1971, pp. 295-323. 10. Mackworth, A.K. Consistency in networks of relations. Artif. Intell. 8, 1(1977), 99-118. I1. Marr, D. Simple memory: A theory for archicortex. Philos. Trans. Operating R.S. Gaines Roy. Soc. B. 252 (1971), 23-81. Systems Editor 12. Marr, D., and Poggio, T. Cooperative computation of stereo disparity. A.I. Memo 364, A.I. Lab., M.I.T., Cambridge, Mass., 1976. On-the-Fly Garbage 13. Minsky, M., and Papert, S. Perceptrons. M.I.T. Press, Cambridge, Mass., 1968. Collection: An Exercise in 14. Montanari, U. Networks of constraints: Fundamental properties and applications to picture processing. Inform. Sci. 7, 2(April 1974), Cooperation 95-132. 15. Rosenfeld, A., Hummel, R., and Zucker, S.W. Scene labelling by relaxation operations. IEEE Trans. Systems, Man, and Cybernetics Edsger W. Dijkstra SMC-6, 6(June 1976), 420-433. Burroughs Corporation 16. Sussman, G.J., and McDermott, D.V. From PLANNER to CONNIVER--a genetic approach. Proc. AFIPS 1972 FJCC, Vol. 41, AFIPS Press, Montvale, N.J., pp. 1171-1179. Leslie Lamport 17. Sussman, G.J., and Stallman, R.M. Forward reasoning and SRI International dependency-directed backtracking in a system for computer-aided circuit analysis. A.I. Memo 380, A.I. Lab., M.I.T., Cambridge, Mass., 1976. A.J. Martin, C.S. -
Verification of Concurrent Programs in Dafny
Bachelor’s Degree in Informatics Engineering Computation Bachelor’s End Project Verification of Concurrent Programs in Dafny Author Jon Mediero Iturrioz 2017 Abstract This report documents the Bachelor’s End Project of Jon Mediero Iturrioz for the Bachelor in Informatics Engineering of the UPV/EHU. The project was made under the supervision of Francisca Lucio Carrasco. The project belongs to the domain of formal methods. In the project a methodology to prove the correctness of concurrent programs called Local Rely-Guarantee reasoning is analyzed. Afterwards, the methodology is implemented over Dagny automatic program verification tool, which was introduced to me in the Formal Methods for Software Devel- opments optional course of the fourth year of the bachelor. In addition to Local Rely-Guarantee reasoning, in the report Hoare logic, Separation logic and Variables as Resource logic are explained, in order to have a good foundation to understand the new methodology. Finally, the Dafny implementation is explained, and some examples are presented. i Acknowledgments First of all, I would like to thank to my supervisor, Paqui Lucio Carrasco, for all the help and orientation she has offered me during the project. Lastly, but not least, I would also like to thank my parents, who had supported me through all the stressful months while I was working in the project. iii Contents Abstracti Contentsv 1 Introduction1 1.1 Objectives..................................3 1.2 Work plan..................................3 1.3 Content...................................4 2 Foundations5 2.1 Hoare Logic.................................5 2.1.1 Assertions..............................5 2.1.2 Programming language.......................7 2.1.3 Inference rules...........................9 2.1.4 Recursion............................. -
Arxiv:1909.05204V3 [Cs.DC] 6 Feb 2020
Cogsworth: Byzantine View Synchronization Oded Naor, Technion and Calibra Mathieu Baudet, Calibra Dahlia Malkhi, Calibra Alexander Spiegelman, VMware Research Most methods for Byzantine fault tolerance (BFT) in the partial synchrony setting divide the local state of the nodes into views, and the transition from one view to the next dictates a leader change. In order to provide liveness, all honest nodes need to stay in the same view for a sufficiently long time. This requires view synchronization, a requisite of BFT that we extract and formally define here. Existing approaches for Byzantine view synchronization incur quadratic communication (in n, the number of parties). A cascade of O(n) view changes may thus result in O(n3) communication complexity. This paper presents a new Byzantine view synchronization algorithm named Cogsworth, that has optimistically linear communication complexity and constant latency. Faced with benign failures, Cogsworth has expected linear communication and constant latency. The result here serves as an important step towards reaching solutions that have overall quadratic communication, the known lower bound on Byzantine fault tolerant consensus. Cogsworth is particularly useful for a family of BFT protocols that already exhibit linear communication under various circumstances, but suffer quadratic overhead due to view synchro- nization. 1. INTRODUCTION Logical synchronization is a requisite for progress to be made in asynchronous state machine repli- cation (SMR). Previous Byzantine fault tolerant (BFT) synchronization mechanisms incur quadratic message complexities, frequently dominating over the linear cost of the consensus cores of BFT so- lutions. In this work, we define the view synchronization problem and provide the first solution in the Byzantine setting, whose latency is bounded and communication cost is linear, under a broad set of scenarios. -
Mathematical Writing by Donald E. Knuth, Tracy Larrabee, and Paul M
Mathematical Writing by Donald E. Knuth, Tracy Larrabee, and Paul M. Roberts This report is based on a course of the same name given at Stanford University during autumn quarter, 1987. Here's the catalog description: CS 209. Mathematical Writing|Issues of technical writing and the ef- fective presentation of mathematics and computer science. Preparation of theses, papers, books, and \literate" computer programs. A term paper on a topic of your choice; this paper may be used for credit in another course. The first three lectures were a \minicourse" that summarized the basics. About two hundred people attended those three sessions, which were devoted primarily to a discussion of the points in x1 of this report. An exercise (x2) and a suggested solution (x3) were also part of the minicourse. The remaining 28 lectures covered these and other issues in depth. We saw many examples of \before" and \after" from manuscripts in progress. We learned how to avoid excessive subscripts and superscripts. We discussed the documentation of algorithms, com- puter programs, and user manuals. We considered the process of refereeing and editing. We studied how to make effective diagrams and tables, and how to find appropriate quota- tions to spice up a text. Some of the material duplicated some of what would be discussed in writing classes offered by the English department, but the vast majority of the lectures were devoted to issues that are specific to mathematics and/or computer science. Guest lectures by Herb Wilf (University of Pennsylvania), Jeff Ullman (Stanford), Leslie Lamport (Digital Equipment Corporation), Nils Nilsson (Stanford), Mary-Claire van Leunen (Digital Equipment Corporation), Rosalie Stemer (San Francisco Chronicle), and Paul Halmos (University of Santa Clara), were a special highlight as each of these outstanding authors presented their own perspectives on the problems of mathematical communication. -
Transforming Event-B Models to Dafny Contracts
Electronic Communications of the EASST Volume XXX (2015) Proceedings of the 15th International Workshop on Automated Verification of Critical Systems (AVoCS 2015) Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh 15 pages Guest Editors: Gudmund Grov, Andrew Ireland Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 ECEASST Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi1, Michael Butler2, Abdolbaghi Rezazadeh3 School of Electronic & Computer Science, University of Southampton 1 2 3 md5g11,mjb,[email protected] Abstract: Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (con- structive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verification features of Dafny. The link transforms Event-B models to Dafny contracts by providing a framework in which Event-B models can be implemented correctly. The paper presents a method for transforma- tion of Event-B models of abstract data types to Dafny contracts. Also a prototype tool implementing the transformation method is outlined. The paper also defines and proves a formal link between property verification in Event-B and Dafny. Our approach is illustrated with a small case study. Keywords: Formal Methods, Hoare Logic, Program Verification, Event-B, Dafny 1 Introduction Various formal methods communities [CW96, HMLS09, LAB+06] have suggested that no single formal method can cover all aspects of a verification problem therefore engineering bridges be- tween complementary verification tools to enable their effective interoperability may increase the verification capabilities of verification tools. -
The Specification Language TLA+
Leslie Lamport: The Speci¯cation Language TLA+ This is an addendum to a chapter by Stephan Merz in the book Logics of Speci¯cation Languages by Dines Bj¿rner and Martin C. Henson (Springer, 2008). It appeared in that book as part of a \reviews" chapter. Stephan Merz describes the TLA logic in great detail and provides about as good a description of TLA+ and how it can be used as is possible in a single chapter. Here, I give a historical account of how I developed TLA and TLA+ that explains some of the design choices, and I briefly discuss how TLA+ is used in practice. Whence TLA The logic TLA adds three things to the very simple temporal logic introduced into computer science by Pnueli [4]: ² Invariance under stuttering. ² Temporal existential quanti¯cation. ² Taking as atomic formulas not just state predicates but also action for- mulas. Here is what prompted these additions. When Pnueli ¯rst introduced temporal logic to computer science in the 1970s, it was clear to me that it provided the right logic for expressing the simple liveness properties of concurrent algorithms that were being considered at the time and for formalizing their proofs. In the early 1980s, interest turned from ad hoc properties of systems to complete speci¯cations. The idea of speci- fying a system as a conjunction of the temporal logic properties it should satisfy seemed quite attractive [5]. However, it soon became obvious that this approach does not work in practice. It is impossible to understand what a conjunction of individual properties actually speci¯es. -
Using Lamport Clocks to Reason About Relaxed Memory Models
Using Lamport Clocks to Reason About Relaxed Memory Models Anne E. Condon, Mark D. Hill, Manoj Plakal, Daniel J. Sorin Computer Sciences Department University of Wisconsin - Madison {condon,markhill,plakal,sorin}@cs.wisc.edu Abstract industrial product groups spend more time verifying their Cache coherence protocols of current shared-memory mul- system than actually designing and optimizing it. tiprocessors are difficult to verify. Our previous work pro- To verify a system, engineers should unambiguously posed an extension of Lamport’s logical clocks for showing define what “correct” means. For a shared-memory sys- that multiprocessors can implement sequential consistency tem, “correct” is defined by a memory consistency model. (SC) with an SGI Origin 2000-like directory protocol and a A memory consistency model defines for programmers the Sun Gigaplane-like split-transaction bus protocol. Many allowable behavior of hardware. A commonly-assumed commercial multiprocessors, however, implement more memory consistency model requires a shared-memory relaxed models, such as SPARC Total Store Order (TSO), a multiprocessor to appear to software as a multipro- variant of processor consistency, and Compaq (DEC) grammed uniprocessor. This model was formalized by Alpha, a variant of weak consistency. Lamport as sequential consistency (SC) [12]. Assume that This paper applies Lamport clocks to both a TSO and an each processor executes instructions and memory opera- Alpha implementation. Both implementations are based on tions in a dynamic execution order called program order. the same Sun Gigaplane-like split-transaction bus protocol An execution is SC if there exists a total order of memory we previously used, but the TSO implementation places a operations (reads and writes) in which (a) the program first-in-first-out write buffer between a processor and its orders of all processors are respected and (b) a read returns cache, while the Alpha implementation uses a coalescing the value of the last write (to the same address) in this write buffer. -
Specifying Loops with Contracts Reasoning About Loops As Recursive Procedures
Chair for Software Systems Institute for Informatics LMU Munich Bachelor Thesis in Computer Science: Specifying Loops With Contracts Reasoning about loops as recursive procedures Gregor Cassian Alexandru August 8, 2019 I dedicate this work to the memory of Prof. Martin Hofmann, who was an amazing teacher and inspiration, and left us all too soon. Hiermit versichere ich, dass ich die vorliegende Bachelorarbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel verwendet habe. ............................................... (Unterschrift des Kandidaten) München, den 8. August 2019 5 Abstract Recursive procedures can be inductively verified to fulfill some contract, by assuming that contract for recursive calls. Since loops correspond essentially to linear recursion, they ought to be verifiable in an analogous manner. Rules that allow this have been proposed, but are incomplete in some aspect, or do not lend themselves to straight- forward implementation. We propose some implementation-oriented derivatives of the existing verification rules and further illustrate the advantages of contract-based loop specification by means of examples. Contents 1 Introduction 11 2 Motivating Example 12 2.1 Verification using an Invariant . 12 2.2 Using a local Recursive Procedure . 13 2.3 Comparison . 15 3 Preliminaries 16 4 Predicate transformer semantics 17 4.1 Prerequisites . 17 4.2 Loop specification rule for weakest precondition . 20 4.3 Soundness proof . 20 4.4 Context-aware rule . 22 4.5 Rules in strongest postcondition . 22 5 Rules in Hoare Logic 24 5.1 Preliminaries . 24 5.2 Loop specification rule in Hoare logic . 25 6 Implementation 26 7 Example Application to Textbook Algorithms 29 7.1 Euclid’s algorithm . -
Should Your Specification Language Be Typed?
Should Your Specification Language Be Typed? LESLIE LAMPORT Compaq and LAWRENCE C. PAULSON University of Cambridge Most specification languages have a type system. Type systems are hard to get right, and getting them wrong can lead to inconsistencies. Set theory can serve as the basis for a specification lan- guage without types. This possibility, which has been widely overlooked, offers many advantages. Untyped set theory is simple and is more flexible than any simple typed formalism. Polymorphism, overloading, and subtyping can make a type system more powerful, but at the cost of increased complexity, and such refinements can never attain the flexibility of having no types at all. Typed formalisms have advantages too, stemming from the power of mechanical type checking. While types serve little purpose in hand proofs, they do help with mechanized proofs. In the absence of verification, type checking can catch errors in specifications. It may be possible to have the best of both worlds by adding typing annotations to an untyped specification language. We consider only specification languages, not programming languages. Categories and Subject Descriptors: D.2.1 [Software Engineering]: Requirements/Specifica- tions; D.2.4 [Software Engineering]: Software/Program Verification—formal methods; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Pro- grams—specification techniques General Terms: Verification Additional Key Words and Phrases: Set theory, specification, types Editors’ introduction. We have invited the following -
KAT and Hoare Logic
Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004 KAT and Hoare Logic In this lecture and the next we show that KAT subsumes propositional Hoare logic (PHL). Thus the specialized syntax and deductive apparatus of Hoare logic are inessential and can be replaced by simple equational reasoning. Moreover, all relationally valid Hoare-style inference rules are derivable in KAT (this is false for PHL). The results of this lecture are from [8, 7]. In a future lecture we will show that deciding the relational validity of such rules is PSPACE-complete. Hoare logic, introduced by C. A. R. Hoare in 1969 [6], was the first formal system for the specification and verification of well-structured programs. This pioneering work initiated the field of program correctness and inspired dozens of technical articles [2, 1, 3]. For this achievement among others, Hoare received the Turing Award in 1980. A comprehensive introduction to Hoare logic can be found in [3]. Hoare logic uses a specialized syntax involving partial correctness assertions (PCAs) of the form {b} p {c} and a deductive apparatus consisting of a system of specialized rules of inference. Under certain conditions, these rules are relatively complete [2]; essentially, the propositional fragment of the logic can be used to reduce partial correctness assertions to static assertions about the underlying domain of computation. The propositional fragment of Hoare logic, called propositional Hoare logic (PHL), is subsumed by KAT. The reduction transforms PCAs to ordinary equations and the specialized rules of inference to equational implications (universal Horn formulas). The transformed rules are all derivable in KAT by pure equational reasoning. -
(LA)TEX Changed the Face of Mathematics: An
20 TUGboat, Volume 22 (2001), No. 1/2 How (LA)TEX changed the face of Mathematics: An E-interview with Leslie Lamport, the author of LATEX∗ A great deal of mathematics, including this journal, is typeset with TEX or LATEX; this has made a last- ing change on the face of (published) mathematics, and has also permanently revolutionized mathemat- ics publishing. Many mathematicians typeset their own mathematics with these systems, and this has also changed mathematical thinking, so that in a ca- sual√ conversation one might write \sqrt{2} instead of 2 on the tablecloth . We take “ca. 20 years of TEX” as the occasion to ask Leslie Lamport, the author of LATEX, some questions. (GMZ) LL: At the time, it never really occurred to me that − − ∗ − − people would pay money for software. I certainly GMZ: How were your own first papers produced? Did didn’t think that people would pay money for a you start out on a typewriter? On roff/troff/nroff? book about software. Fortunately, Peter Gordon A LL: Typically, when writing a paper, I would write at Addison-Wesley convinced me to turn the LTEX a first draft in pen, then go to typewritten drafts. I manual into a book. In retrospect, I think I made would edit each typed draft with pencil or pen until more money by giving the software away and selling it became unreadable, and would then type the next the book than I would have by trying to sell the A draft. I think I usually had two typewritten drafts. software. -
A Fast Mutual Exclusion Algorithm
A Fast Mutual Exclusion Algorithm LESLIE LAMPORT Digital Equipment Corporation A new solution to the mutual exclusion problem is presented that, in the absence of contention, requires only seven memory accesses. It assumes atomic reads and atomic writes to shared regis- ters. Categories and Subject Descriptors: D.4.1 [Operating Systems]: Process Management-rnuti mlti General terms: Algorithms Additional Key Words and Phrases: Critical section, multiprocessing I. INTRODUCTION The mutual exclusion problem-guaranteeing mutually exclusive access to a crit- ical section among a number of competing processes-is well known, and many solutions have been published. The original version of the problem, as presented by Dijkstra [2], assumed a shared memory with atomic read and write operations. Since the early 19709, solutions to this version have been of little practical interest. If the concurrent processesare being time-shared on a single processor, then mutual exclusion is easily achieved by inhibiting hardware interrupts at crucial times. On the other hand, multiprocessor computers have been built with atomic test-and- set instructions that permitted much simpler mutual exclusion algorithms. Since about 1974, researchers have concentrated on finding algorithms that use a more restricted form of shared memory or that use message passing instead of shared memory. Of late, the original version of the problem has not been widely studied. Recently, there has arisen interest in building shared-memory multiprocessor computers by connecting standard processors and memories, with as little modifica- tion to the hardware as possible. Because ordinary sequential processors and mem- ories do not have atomic test-and-set operations, it is worth investigating whether shared-memory mutual exclusion algorithms are a practical alternative.