106 research outputs found
Some Challenges of Specifying Concurrent Program Components
The purpose of this paper is to address some of the challenges of formally
specifying components of shared-memory concurrent programs. The focus is to
provide an abstract specification of a component that is suitable for use both
by clients of the component and as a starting point for refinement to an
implementation of the component. We present some approaches to devising
specifications, investigating different forms suitable for different contexts.
We examine handling atomicity of access to data structures, blocking operations
and progress properties, and transactional operations that may fail and need to
be retried.Comment: In Proceedings Refine 2018, arXiv:1810.0873
From Formal Methods to Executable Code
Note: the cover page of this report shows an incorrect title. The title given on the first page of the document itself is correct.The objective of this work is the derivation of software that is verifiably correct. Our approach is to abstract system specifications and model these in a formal framework called Timed Input/Output Automata, which provides a notation for expressing distributed systems and mathematical support for reasoning about their properties. Although formal reasoning is easier at an abstract level, it is not clear how to transform these abstractions into executable code. During system implementation, when an abstract system specification is left up to human interpretation, then this opens a possibility of undesirable behaviors being introduced into the final code, thereby nullifying all formal efforts. This manuscript addresses this issue and presents a set of transformation methods for systems described as a network to timed automata into Java code for distributed platforms. We prove that the presented transformation methods preserve guarantees of the source specifications, and therefore, result in code that is correct by construction
Reachability under Contextual Locking
The pairwise reachability problem for a multi-threaded program asks, given
control locations in two threads, whether they can be simultaneously reached in
an execution of the program. The problem is important for static analysis and
is used to detect statements that are concurrently enabled. This problem is in
general undecidable even when data is abstracted and when the threads (with
recursion) synchronize only using a finite set of locks. Popular programming
paradigms that limit the lock usage patterns have been identified under which
the pairwise reachability problem becomes decidable. In this paper, we consider
a new natural programming paradigm, called contextual locking, which ties the
lock usage to calling patterns in each thread: we assume that locks are
released in the same context that they were acquired and that every lock
acquired by a thread in a procedure call is released before the procedure
returns. Our main result is that the pairwise reachability problem is
polynomial-time decidable for this new programming paradigm as well. The
problem becomes undecidable if the locks are reentrant; reentrant locking is a
\emph{recursive locking} mechanism which allows a thread in a multi-threaded
program to acquire the reentrant lock multiple times.Comment: A preliminary version appears in TACAS 201
Weak Arithmetic Completeness of Object-Oriented First-Order Assertion Networks
We present a completeness proof of the inductive assertion method for object-oriented programs extended with auxiliary variables. The class of programs considered are assumed to compute over structures which include the standard interpretation of Presburger arithmetic. Further, the assertion language is first-order, i.e., quantification only ranges over basic types like that of the natural numbers, Boolean and Object
A Rely-Guarantee Specification of Mixed-Criticality Scheduling
The application considered is mixed-criticality scheduling. The core formal
approaches used are Rely-Guarantee conditions and the Timeband framework; these
are applied to give a layered description of job scheduling which includes
resilience to jobs overrunning their expected execution time. A novel formal
modelling idea is proposed to handle the relationship between actual time and
its approximation in hardware clocks.Comment: This paper will appear in a Festschrift - on publication we will
insert a pointer to the boo
Assertion-based proof checking of Chang-Roberts leader election in PVS
We report a case study in automated incremental assertion-based proof checking with PVS. Given an annotated distributed algorithm, our tool ProPar generates the proof obligations for partial correctness, plus a proof script per obligation. ProPar then lets PVS attempt to discharge all obligations by running the proof scripts. The Chang-Roberts algorithm elects a leader on a unidirectional ring with unique identities. With ProPar, we check its correctness with a very high degree of automation: over 90% of the proof obligations is discharged automatically. This case study underlines the feasibility of the approach and is, to the best of our knowledge, the first verification of the Chang-Roberts algorithm for arbitrary ring size in a proof checker
A methodology for programming with concurrency: An informal presentation
AbstractIn this methodology, programming problems which can be specified by an input/output assertion pair are solved in two steps: 1.(1) Refinement of a correct program that can be implemented sequentially.2.(2) Declaration of program properties, so-called semantic relations, that allow relaxations in the sequencing of the refinement's operations (e.g., concurrency).Formal properties of refinements comprise semantics (input/output characteristics) and (sequential) execution time. Declarations of semantic relations preserve the semantics but may improve the execution time of a refinement. The consequences are: 1.(a) The concurrency in a program is deduced from its formal semantics. Semantic correctness is not based on concurrency but precedes it.2.(b) Concurrency is a property not of programs but of executions. Programs do not contain concurrent commands, only suggestions (declarations) of concurrency.3.(c) The declaration of too much concurrency is impossible. Programs do not contain primitives for synchronization or mutual exclusion.4.(d) Proofs of parallel correctness are stepwise without auxiliary variables.5.(e) Freedom from deadlock and starvation is implicit without recourse to an authority outside the program, e.g., a fair scheduler
- …