An Abstract Interpretation Framework for Diagnosis and Verification of Timed Concurrent Constraint Languages

In this thesis, we propose a semantic framework for tccp based on abstract interpretation with the main purpose of formally verifying and debugging tccp programs. A key point for the efficacy of the resulting methodologies is the adequacy of the concrete semantics. Thus, in this thesis, much effort has been devoted to the development of a suitable small-step denotational semantics for the tccp language to start with. Our denotational semantics models precisely the small-step behavior of tccp and is suitable to be used within the abstract interpretation framework. Namely, it is defined in a compositional and bottom-up way, it is as condensed as possible (it does not contain redundant elements), and it is goal-independent (its calculus does not depend on the semantic evaluation of a specific initial agent). Another contribution of this thesis is the definition (by abstraction of our small-step denotational semantics) of a big-step denotational semantics that abstracts away from the information about the evolution of the state and keeps only the the first and the last (if it exists) state. We show that this big-step semantics is essentially equivalent to the input-output semantics. In order to fulfill our goal of formally validate tccp programs, we build different approximations of our small-step denotational semantics by using standard abstract interpretation techniques. In this way we obtain debugging and verification tools which are correct by construction. More specifically, we propose two abstract semantics that are used to formally debug tccp programs. The first one approximates the information content of tccp behavioral traces, while the second one approximates our small-step semantics with temporal logic formulas. By applying abstract diagnosis with these abstract semantics we obtain two fully-automatic verification methods for tccp

Doctor of Philosophy

dissertationTrusted computing base (TCB) of a computer system comprises components that must be trusted in order to support its security policy. Research communities have identified the well-known minimal TCB principle, namely, the TCB of a system should be as small as possible, so that it can be thoroughly examined and verified. This dissertation is an experiment showing how small the TCB for an isolation service is based on software fault isolation (SFI) for small multitasking embedded systems. The TCB achieved by this dissertation includes just the formal definitions of isolation properties, instruction semantics, program logic, and a proof assistant, besides hardware. There is not a compiler, an assembler, a verifier, a rewriter, or an operating system in the TCB. To the best of my knowledge, this is the smallest TCB that has ever been shown for guaranteeing nontrivial properties of real binary programs on real hardware. This is accomplished by combining SFI techniques and high-confidence formal verification. An SFI implementation inserts dynamic checks before dangerous operations, and these checks provide necessary invariants needed by the formal verification to prove theorems about the isolation properties of ARM binary programs. The high-confidence assurance of the formal verification comes from two facts. First, the verification is based on an existing realistic semantics of the ARM ISA that is independently developed by Cambridge researchers. Second, the verification is conducted in a higher-order proof assistant-the HOL theorem prover, which mechanically checks every verification step by rigorous logic. In addition, the entire verification process, including both specification generation and verification, is automatic. To support proof automation, a novel program logic has been designed, and an automatic reasoning framework for verifying shallow safety properties has been developed. The program logic integrates Hoare-style reasoning and Floyd's inductive assertion reasoning together in a small set of definitions, which overcomes shortcomings of Hoare logic and facilitates proof automation. All inference rules of the logic are proven based on the instruction semantics and the logic definitions. The framework leverages abstract interpretation to automatically find function specifications required by the program logic. The results of the abstract interpretation are used to construct the function specifications automatically, and the specifications are proven without human interaction by utilizing intermediate theorems generated during the abstract interpretation. All these work in concert to create the very small TCB

Abstract Diagnosis for Timed Concurrent Constraint programs

The Timed Concurrent Constraint Language (tccp in short) is a concurrent logic language based on the simple but powerful concurrent constraint paradigm of Saraswat. In this paradigm, the notion of store-as-value is replaced by the notion of store-as-constraint, which introduces some differences w.r.t. other approaches to concurrency. In this paper, we provide a general framework for the debugging of tccp programs. To this end, we first present a new compact, bottom-up semantics for the language that is well suited for debugging and verification purposes in the context of reactive systems. We also provide an abstract semantics that allows us to effectively implement debugging algorithms based on abstract interpretation. Given a tccp program and a behavior specification, our debugging approach automatically detects whether the program satisfies the specification. This differs from other semiautomatic approaches to debugging and avoids the need to provide symptoms in advance. We show the efficacy of our approach by introducing two illustrative examples. We choose a specific abstract domain and show how we can detect that a program is erroneous.Comment: 16 page

Optimizing Abstract Abstract Machines

The technique of abstracting abstract machines (AAM) provides a systematic approach for deriving computable approximations of evaluators that are easily proved sound. This article contributes a complementary step-by-step process for subsequently going from a naive analyzer derived under the AAM approach, to an efficient and correct implementation. The end result of the process is a two to three order-of-magnitude improvement over the systematically derived analyzer, making it competitive with hand-optimized implementations that compute fundamentally less precise results.Comment: Proceedings of the International Conference on Functional Programming 2013 (ICFP 2013). Boston, Massachusetts. September, 201

Semantics of Separation-Logic Typing and Higher-order Frame Rules for<br> Algol-like Languages

We show how to give a coherent semantics to programs that are well-specified in a version of separation logic for a language with higher types: idealized algol extended with heaps (but with immutable stack variables). In particular, we provide simple sound rules for deriving higher-order frame rules, allowing for local reasoning

A robust semantics hides fewer errors

In this paper we explore how formal models are interpreted and to what degree meaning is captured in the formal semantics and to what degree it remains in the informal interpretation of the semantics. By applying a robust approach to the definition of refinement and semantics, favoured by the event-based community, to state-based theory we are able to move some aspects from the informal interpretation into the formal semantics