A Machine-Checked, Type-Safe Model of Java Concurrency : Language, Virtual Machine, Memory Model, and Verified Compiler

The Java programming language provides safety and security guarantees such as type safety and its security architecture. They distinguish it from other mainstream programming languages like C and C++. In this work, we develop a machine-checked model of concurrent Java and the Java memory model and investigate the impact of concurrency on these guarantees. From the formal model, we automatically obtain an executable verified compiler to bytecode and a validated virtual machine

All Linear-Time Congruences for Familiar Operators

The detailed behaviour of a system is often represented as a labelled transition system (LTS) and the abstract behaviour as a stuttering-insensitive semantic congruence. Numerous congruences have been presented in the literature. On the other hand, there have not been many results proving the absence of more congruences. This publication fully analyses the linear-time (in a well-defined sense) region with respect to action prefix, hiding, relational renaming, and parallel composition. It contains 40 congruences. They are built from the alphabet, two kinds of traces, two kinds of divergence traces, five kinds of failures, and four kinds of infinite traces. In the case of finite LTSs, infinite traces lose their role and the number of congruences drops to 20. The publication concentrates on the hardest and most novel part of the result, that is, proving the absence of more congruences

Process algebra with conditionals in the presence of epsilon

In a previous paper, we presented several extensions of ACP with conditional expressions, including one with a retrospection operator on conditions to allow for looking back on conditions under which preceding actions have been performed. In this paper, we add a constant for a process that is only capable of terminating successfully to those extensions of ACP, which can be very useful in applications. It happens that in all cases the addition of this constant is unproblematic.Comment: 41 page

Specification and verification issues in a process language

PhD ThesisWhile specification formalisms for reactive concurrent systems are now reasonably well-understood theoretically, they have not yet entered common, widespread design practice. This motivates the attempt made in this work to enhance the applicability of an important and popular formal framework: the CSP language, endowed with a failure-based denotational semantics and a logic for describing failures of processes. The identification of behaviour with a set of failures is supported by a convincing intuitive reason: processes with different failures can be distinguished by easily realizable experiments. But, most importantly, many interesting systems can be described and studied in terms of their failures. The main technique employed for this purpose is a logic in which process expressions are required to satisfy an assertion with each failure of the behaviour they describe. The theory of complete partial orders, with its elegant treatment of recursion and fixpoint-based verification, can be applied to this framework. However, in spite of the advantages illustrated, the practical applicability of standard failure semantics is impaired by two weaknesses. The first is its inability to describe many important systems, constructed by connecting modules that can exchange values of an infinite set across ports invisible to the environment. This must often be assumed for design and verification purposes (e.g. for the many protocols relying upon sequence numbers to cope with out-of-sequence received messages). Such a deficiency is due to the definition of the hiding operator in standard failure semantics. This thesis puts forward a solution based on an interesting technical result about infinite sets of sequences. Another difficulty with standard failure semantics is its treatment of divergence, the phenomenon in which some components of a system interact by performing an infinite, uninterrupted sequence of externally invisible actions. Within failure semantics, divergence cannot be abstracted from on the basis of the implicit fairness assumption that, if there is a choice leading out of divergence, it will eventually be made. This 'fair abstraction' is essential for the verification of many important systems, including communication protocols. The solution proposed in this thesis is an extended failure semantics which records refused traces, rather than just actions. Not only is this approach compatible with fair abstraction, but it also permits, like ordinary failure semantics, verification in a compositional calculus with fixpoint induction. Rather interestingly, these results can be obtained outside traditional fixpoint theory, which cannot be applied in this case. The theory developed is based on the novel notion of 'trace-based' process functions. These can be shown to possess a particular fixpoint that, unlike the least fixpoint of traditional treatments, is compatible with fair abstraction. Moreover, they form a large class, sufficient to give a compositional denotational semantics to a useful eSP-like process language. Finally, a logic is proposed in which the properties of a process' extended failures can be expressed and analyzed; the methods developed are applied to the verification of two example communication protocols: a toy one and a large case study inspired by a real transport protocol