56 research outputs found
A Sound and Complete Projection for Global Types
Multiparty session types is a typing discipline used to write specifications, known as global types, for branching and recursive message-passing systems. A necessary operation on global types is projection to abstractions of local behaviour, called local types. Typically, this is a computable partial function that given a global type and a role erases all details irrelevant to this role.
Computable projection functions in the literature are either unsound or too restrictive when dealing with recursion and branching. Recent work has taken a more general approach to projection defining it as a coinductive, but not computable, relation. Our work defines a new computable projection function that is sound and complete with respect to its coinductive counterpart and, hence, equally expressive. All results have been mechanised in the Coq proof assistant
Formalising the pi-calculus using nominal logic
We formalise the pi-calculus using the nominal datatype package, based on
ideas from the nominal logic by Pitts et al., and demonstrate an implementation
in Isabelle/HOL. The purpose is to derive powerful induction rules for the
semantics in order to conduct machine checkable proofs, closely following the
intuitive arguments found in manual proofs. In this way we have covered many of
the standard theorems of bisimulation equivalence and congruence, both late and
early, and both strong and weak in a uniform manner. We thus provide one of the
most extensive formalisations of a process calculus ever done inside a theorem
prover.
A significant gain in our formulation is that agents are identified up to
alpha-equivalence, thereby greatly reducing the arguments about bound names.
This is a normal strategy for manual proofs about the pi-calculus, but that
kind of hand waving has previously been difficult to incorporate smoothly in an
interactive theorem prover. We show how the nominal logic formalism and its
support in Isabelle accomplishes this and thus significantly reduces the tedium
of conducting completely formal proofs. This improves on previous work using
weak higher order abstract syntax since we do not need extra assumptions to
filter out exotic terms and can keep all arguments within a familiar
first-order logic.Comment: 36 pages, 3 figure
Actris: session-type based reasoning in separation logic
Message passing is a useful abstraction to implement concurrent programs. For real-world systems, however, it is often combined with other programming and concurrency paradigms, such as higher-order functions, mutable state, shared-memory concurrency, and locks. We present Actris: a logic for proving functional correctness of programs that use a combination of the aforementioned features. Actris combines the power of modern concurrent separation logics with a first-class protocol mechanism - based on session types - for reasoning about message passing in the presence of other concurrency paradigms. We show that Actris provides a suitable level of abstraction by proving functional correctness of a variety of examples, including a distributed merge sort, a distributed load-balancing mapper, and a variant of the map-reduce model, using relatively simple specifications. Soundness of Actris is proved using a model of its protocol mechanism in the Iris framework. We mechanised the theory of Actris, together with tactics for symbolic execution of programs, as well as all examples in the paper, in the Coq proof assistant.Programming Language
Actris 2.0: Asynchronous Session-Type Based Reasoning in Separation Logic
Message passing is a useful abstraction for implementing concurrent programs.
For real-world systems, however, it is often combined with other programming
and concurrency paradigms, such as higher-order functions, mutable state,
shared-memory concurrency, and locks. We present Actris: a logic for proving
functional correctness of programs that use a combination of the aforementioned
features. Actris combines the power of modern concurrent separation logics with
a first-class protocol mechanism -- based on session types -- for reasoning
about message passing in the presence of other concurrency paradigms. We show
that Actris provides a suitable level of abstraction by proving functional
correctness of a variety of examples, including a channel-based merge sort, a
channel-based load-balancing mapper, and a variant of the map-reduce model,
using concise specifications. While Actris was already presented in a
conference paper (POPL'20), this paper expands the prior presentation
significantly. Moreover, it extends Actris to Actris 2.0 with a notion of
subprotocols -- based on session-type subtyping -- that permits additional
flexibility when composing channel endpoints, and that takes full advantage of
the asynchronous semantics of message passing in Actris. Soundness of Actris
2.0 is proven using a model of its protocol mechanism in the Iris framework. We
have mechanised the theory of Actris, together with custom tactics, as well as
all examples in the paper, in the Coq proof assistant.Comment: 60 pages, 24 figure
Web Services as a New Approach to Distributing and Coordinating Semantics-Based Veri cation Toolkits
n/
Formally verifying Exceptions for Low-level code with Separation Logic
Exceptions in low-level architectures are implemented as synchronous interrupts: upon the execution of a faulty instruction the processor jumps to a piece of code that handles the error. Previous work has shown that assembly programs can be written, verified and run using higher-order separation logic. However, execution of faulty instructions is then specified as either being undefined or terminating with an error. In this paper, we study synchronous interrupts and show their usefulness by implementing a memory allocator. This shows that it is indeed possible to write positive specifications of programs that fault. All of our results are mechanised in the interactive proof assistant Coq
- …