80 research outputs found
A Generalized Hybrid Hoare Logic
Deductive verification of hybrid systems (HSs) increasingly attracts more
attention in recent years because of its power and scalability, where a
powerful specification logic for HSs is the cornerstone. Often, HSs are
naturally modelled by concurrent processes that communicate with each other.
However, existing specification logics cannot easily handle such models. In
this paper, we present a specification logic and proof system for Hybrid
Communicating Sequential Processes (HCSP), that extends CSP with ordinary
differential equations (ODE) and interrupts to model interactions between
continuous and discrete evolution. Because it includes a rich set of algebraic
operators, complicated hybrid systems can be easily modelled in an algebra-like
compositional way in HCSP. Our logic can be seen as a generalization and
simplification of existing hybrid Hoare logics (HHL) based on duration calculus
(DC), as well as a conservative extension of existing Hoare logics for
concurrent programs. Its assertion logic is the first-order theory of
differential equations (FOD), together with assertions about traces recording
communications, readiness, and continuous evolution. We prove continuous
relative completeness of the logic w.r.t. FOD, as well as discrete relative
completeness in the sense that continuous behaviour can be arbitrarily
approximated by discretization. Besides, we discuss how to simplify proofs
using the logic by providing a simplified assertion language and a set of sound
and complete rules for differential invariants for ODEs. Finally, we implement
a proof assistant for the logic in Isabelle/HOL, and apply it to verify two
case studies to illustrate the power and scalability of our logic
Fifty years of Hoare's Logic
We present a history of Hoare's logic.Comment: 79 pages. To appear in Formal Aspects of Computin
An Assertional Proof System for Multithreaded Java - Theory and Tool Support
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation. To reason about safety properties of multithreaded Java programs, we introduce a tool-supported assertional proof method for JavaMT ("Multi-Threaded Java"), a small sublanguage of Java, covering the mentioned concurrency issues as well as the object-based core of Java. The verification method is formulated in terms of proof-outlines, where the assertions are layered into local ones specifying the behavior of a single instance, and global ones taking care of the connections between objects. We establish the soundness and the completeness of the proof system. From an annotated program, a number of verification conditions are generated and handed over to the interactive theorem prover PVS.IST project Omega (IST-2001-33522) NWO/DFG project Mobi-J (RO 1122/9-1, RO 1122/9-2)UBL - phd migration 201
Recommended from our members
Program reliability through algorithmic design and analysis
textSoftware systems are ubiquitous in today's world and yet, remain vulnerable to the fallibility of human programmers as well as the unpredictability of their operating environments. The overarching goal of this dissertation is to develop algorithms to enable automated and efficient design and analysis of
reliable programs.
In the first and second parts of this dissertation, we focus on the development of programs that are free from programming errors. The intent is not to eliminate the human programmer, but instead to complement his or her expertise, with sound and efficient computational techniques, when possible. To this end, we make contributions in two specific domains.
Program debugging --- the process of fault localization and error elimination from a program found to be incorrect --- typically relies on expert human intuition and experience, and is often a lengthy, expensive part of the program development cycle. In the first part of the dissertation, we target automated debugging of sequential programs. A broad and informal statement of the (automated) program debugging problem is to suitably modify an
erroneous program, say P, to obtain a correct program, say P'. This problem is undecidable in general; it is hard to formalize; moreover, it is particularly challenging to assimilate and mechanize the customized, expert
programmer intuition involved in the choices made in manual program debugging. Our first contribution in this domain is a methodical formalization of the program debugging problem, that enables automation, while incorporating expert programmer intuition and intent. Our second contribution is a solution framework that can debug infinite-state, imperative, sequential programs written in higher-level programming languages such as C. Boolean programs, which are smaller, finite-state abstractions of infinite-state or large, finite-state programs, have been found to be tractable for program verification. In this dissertation, we utilize Boolean programs for program debugging. Our solution framework involves two main steps: (a) automated debugging of a Boolean program, corresponding to an erroneous program P, and (b) translation of the corrected Boolean program into a correct program P'.
Shared-memory concurrent programs are notoriously difficult to write, verify
and debug; this makes them excellent targets for automated program
completion, in particular, for synthesis of synchronization code. Extant work
in this domain has focused on either propositional temporal logic specifications with simplistic models of concurrent programs, or more refined
program models with the specifications limited to just safety properties. Moreover, there has been limited effort in developing adaptable and fully-automatic synthesis frameworks that are capable of generating synchronization at different levels of abstraction and granularity. In the
second part of this dissertation, we present a framework for synthesis of
synchronization for shared-memory concurrent programs with respect to temporal logic specifications. In particular, given a concurrent program composed of synchronization-free processes, and a temporal logic specification describing their expected concurrent behaviour, we generate synchronized processes such
that the resulting concurrent program satisfies the specification. We
provide the ability to synthesize readily-implementable synchronization code
based on lower-level primitives such as locks and condition variables. We
enable synchronization synthesis of finite-state concurrent programs composed of processes that may have local and shared variables, may be straight-line or branching programs, may be ongoing or terminating, and may have program-initialized or user-initialized variables. We also facilitate
expression of safety and liveness properties over both control and data
variables by proposing an extension of propositional computation tree logic.
Most program analyses, verification, debugging and synthesis methodologies target traditional correctness properties such as safety
and liveness. These techniques typically do not provide a quantitative
measure of the sensitivity of a computational system's behaviour to
unpredictability in the operating environment. We propose that the
core property of interest in reasoning in the presence of such uncertainty is robustness --- small perturbations to the operating environment do not change the system's observable behavior substantially. In well-established areas such as control theory, robustness has always been a fundamental concern; however, the
techniques and results therein are not directly applicable to computational systems with large amounts of discretized, discontinuous
behavior. Hence, robustness analysis of software programs used in heterogeneous settings necessitates development of new theoretical
frameworks and algorithms.
In the third part of this dissertation, we target robustness analysis of two
important classes of discrete systems --- string transducers and networked
systems of Mealy machines. For each system, we formally define robustness of the system with respect to a specific source of uncertainty. In particular, we
analyze the behaviour of transducers in the presence of input perturbations,
and the behaviour of networked systems in the presence of channel
perturbations. Our overall approach is automata-theoretic, and necessitates the use of specialized distance-tracking automata for tracking various
distance metrics between two strings. We present constructions for such
automata and use them to develop decision procedures based on reducing the problem of robustness verification of our systems to the problem of checking
the emptiness of certain automata. Thus, the system under consideration is robust if and only if the languages of particular automata are empty.Electrical and Computer Engineerin
Information Flow Control-by-Construction for an Object-Oriented Language Using Type Modifiers
In security-critical software applications, confidential information must be
prevented from leaking to unauthorized sinks. Static analysis techniques are
widespread to enforce a secure information flow by checking a program after
construction. A drawback of these systems is that incomplete programs during
construction cannot be checked properly. The user is not guided to a secure
program by most systems. We introduce IFbCOO, an approach that guides users
incrementally to a secure implementation by using refinement rules. In each
refinement step, confidentiality or integrity (or both) is guaranteed alongside
the functional correctness of the program, such that insecure programs are
declined by construction. In this work, we formalize IFbCOO and prove soundness
of the refinement rules. We implement IFbCOO in the tool CorC and conduct a
feasibility study by successfully implementing case studies
Tool Support for Correctness-by-Construction
Correctness-by-Construction (CbC) is an approach to incrementally create formally correct programs guided by pre- and postcondition specifications. A program is created using refinement rules that guarantee the resulting implementation is correct with respect to the specification. Although CbC is supposed to lead to code with a low defect rate, it is not prevalent, especially because appropriate tool support is missing. To promote CbC, we provide tool support for CbC-based program development. We present CorC, a graphical and textual IDE to create programs in a simple while-language following the CbC approach. Starting with a specification, our open source tool supports CbC developers in refining a program by a sequence of refinement steps and in verifying the correctness of these refinement steps using the theorem prover KeY. We evaluated the tool with a set of standard examples on CbC where we reveal errors in the provided specification. The evaluation shows that our tool reduces the verification time in comparison to post-hoc verification
Dynamic Logic for an Intermediate Language: Verification, Interaction and Refinement
This thesis is about ensuring that software behaves as it is supposed to behave. More precisely, it is concerned with the deductive verification of the compliance of software implementations with their formal specification. Two successful ideas in program verification are integrated into a new approach: dynamic logic and intermediate verification language. The well-established technique of refinement is used to decompose the difficult task of program verification into two easier tasks
Algebraic verification of hybrid systems in Isabelle/HOL
The thesis describes an open modular semantic framework for the verification of hybrid systems in a general-purpose proof assistant. We follow this approach to create the first algebraic based verification components for hybrid systems in Isabelle/HOL.
The framework benefits from various design choices. Firstly, an algebra for programs such as Kleene algebras with tests or modal Kleene algebras captures the verification condition generation by providing rules for each programming construct. Intermediate relational or state transformer semantics instantiated to a concrete model of the program store allow the framework to handle assignments and ordinary differential equations (ODEs). The verification rules for ODEs require user-provided solutions, differential invariants or analytical descriptions of the continuous dynamics of the system.
The construction is a shallow embedding which makes the approach quickly extensible and modular. Taking advantage of these features, we derive differential Hoare logic (dH), a minimalistic logic for the verification of hybrid systems, and the differential refinement calculus (dR) for their stepwise construction. Yet the approach is not limited to these formalisms. We also present a hybrid weakest liberal precondition calculus based on predicate transformers which subsumes powerful deductive verification approaches like differential dynamic logic.
The framework is also compositional: we combine it with lenses to vary the model of the program store. We also support it with a formalisation of affine and linear systems of ordinary differential equations in Isabelle/HOL. This integration simplifies various certifications that the proof assistant requires such as guarantees of existence and uniqueness of the corresponding solutions.
Verification examples illustrate the approach at work. Formalisations of our solutions to problems of the international friendly competition ARCH2020, where our components participated, further evidence their effectiveness. Finally, a larger case study certifying an invariant for a PID controller of the roll angle in a quadcopter’s flight complements these verifications
- …