45 research outputs found
Reasoning about correctness properties of a coordination programming language
Safety critical systems place additional requirements to the programming
language used to implement them with respect to traditional environments.
Examples of features that in
uence the suitability of a programming language
in such environments include complexity of de nitions, expressive
power, bounded space and time and veri ability. Hume is a novel programming
language with a design which targets the rst three of these, in some
ways, contradictory features: fully expressive languages cannot guarantee
bounds on time and space, and low-level languages which can guarantee
space and time bounds are often complex and thus error-phrone. In Hume,
this contradiction is solved by a two layered architecture: a high-level fully
expressive language, is built on top of a low-level coordination language
which can guarantee space and time bounds.
This thesis explores the veri cation of Hume programs. It targets safety
properties, which are the most important type of correctness properties,
of the low-level coordination language, which is believed to be the most
error-prone. Deductive veri cation in Lamport's temporal logic of actions
(TLA) is utilised, in turn validated through algorithmic experiments. This
deductive veri cation is mechanised by rst embedding TLA in the Isabelle
theorem prover, and then embedding Hume on top of this. Veri cation of
temporal invariants is explored in this setting.
In Hume, program transformation is a key feature, often required to guarantee
space and time bounds of high-level constructs. Veri cation of transformations
is thus an integral part of this thesis. The work with both invariant
veri cation, and in particular, transformation veri cation, has pinpointed
several weaknesses of the Hume language. Motivated and in
uenced by
this, an extension to Hume, called Hierarchical Hume, is developed and
embedded in TLA. Several case studies of transformation and invariant veri
cation of Hierarchical Hume in Isabelle are conducted, and an approach
towards a calculus for transformations is examined.James Watt ScholarshipEngineering and Physical Sciences Research Council (EPSRC) Platform grant GR/SO177
Extending and Relating Semantic Models of Compensating CSP
Business transactions involve multiple partners coordinating and interacting with each other. These transactions have hierarchies of activities which need to be orchestrated. Usual database approaches (e.g.,checkpoint, rollback) are not applicable to handle faults in a long running transaction due to interaction with multiple partners. The compensation mechanism handles faults that can arise in a long running transaction. Based on the framework of Hoare's CSP process algebra, Butler et al introduced Compensating CSP (cCSP), a language to model long-running transactions. The language introduces a method to declare a transaction as a process and it has constructs for orchestration of compensation. Butler et al also defines a trace semantics for cCSP. In this thesis, the semantic models of compensating CSP are extended by defining an operational semantics, describing how the state of a program changes during its execution. The semantics is encoded into Prolog to animate the specification. The semantic models are further extended to define the synchronisation of processes. The notion of partial behaviour is defined to model the behaviour of deadlock that arises during process synchronisation. A correspondence relationship is then defined between the semantic models and proved by using structural induction. Proving the correspondence means that any of the presentation can be accepted as a primary definition of the meaning of the language and each definition can be used correctly at different times, and for different purposes. The semantic models and their relationships are mechanised by using the theorem prover PVS. The semantic models are embedded in PVS by using Shallow embedding. The relationships between semantic models are proved by mutual structural induction. The mechanisation overcomes the problems in hand proofs and improves the scalability of the approach
Extending and relating semantic models of compensating CSP
Business transactions involve multiple partners coordinating and interacting with each other. These transactions have hierarchies of activities which need to be orchestrated. Usual database approaches (e.g.,checkpoint, rollback) are not applicable to handle faults in a long running transaction due to interaction with multiple partners. The compensation mechanism handles faults that can arise in a long running transaction. Based on the framework of Hoare's CSP process algebra, Butler et al introduced Compensating CSP (cCSP), a language to model long-running transactions. The language introduces a method to declare a transaction as a process and it has constructs for orchestration of compensation. Butler et al also defines a trace semantics for cCSP. In this thesis, the semantic models of compensating CSP are extended by defining an operational semantics, describing how the state of a program changes during its execution. The semantics is encoded into Prolog to animate the specification. The semantic models are further extended to define the synchronisation of processes. The notion of partial behaviour is defined to model the behaviour of deadlock that arises during process synchronisation. A correspondence relationship is then defined between the semantic models and proved by using structural induction. Proving the correspondence means that any of the presentation can be accepted as a primary definition of the meaning of the language and each definition can be used correctly at different times, and for different purposes. The semantic models and their relationships are mechanised by using the theorem prover PVS. The semantic models are embedded in PVS by using Shallow embedding. The relationships between semantic models are proved by mutual structural induction. The mechanisation overcomes the problems in hand proofs and improves the scalability of the approach.EThOS - Electronic Theses Online ServiceGBUnited Kingdo
Automating Verification of State Machines with Reactive Designs and Isabelle/UTP
State-machine based notations are ubiquitous in the description of component
systems, particularly in the robotic domain. To ensure these systems are safe
and predictable, formal verification techniques are important, and can be
cost-effective if they are both automated and scalable. In this paper, we
present a verification approach for a diagrammatic state machine language that
utilises theorem proving and a denotational semantics based on Unifying
Theories of Programming (UTP). We provide the necessary theory to underpin
state machines (including induction theorems for iterative processes),
mechanise an action language for states and transitions, and use these to
formalise the semantics. We then describe the verification approach, which
supports infinite state systems, and exemplify it with a fully automated
deadlock-freedom check. The work has been mechanised in our proof tool,
Isabelle/UTP, and so also illustrates the use of UTP to build practical
verification tools.Comment: 18 pages, 16th Intl. Conf. on Formal Aspects of Component Software
(FACS 2018), October 2018, Pohang, South Kore
A formalisation of the theory of context-free languages in higher order logic
We present a formalisation of the theory of context-free languages using the HOL4
theorem prover. The formalisation of this theory is not only interesting in its own right,
but also gives insight into the kind of manipulations required to port a pen-and-paper
proof to a theorem prover. The mechanisation proves to be an ideal case study of how
intuitive textbook proofs can blow up in size and complexity, and how details from the
textbook can change during formalisation.
The mechanised theory provides the groundwork for our subsequent results about
SLR parser generation. The theorems, even though well-established in the field, are
interesting for the way they have to be “reproven” in a theorem prover. Proofs must
be recast to be concrete enough for the prover: patching deductive gaps which are
relatively easily grasped in a text proof, but beyond the automatic capabilities of
contemporary tools. The library of proofs, techniques and notations developed here
provides a basis from which further work on verified language theory can proceed at a
quickened pace.
We have mechanised classical results involving context-free grammars and pushdown
automata. These include but are not limited to the equivalence between those two
formalisms, the normalisation of CFGs, and the pumping lemma for proving a language
is not context-free. As an application of this theory, we describe the verification of SLR
parsing. Among the various properties proven about the parser we show, in particular,
soundness: if the parser results in a parse tree on a given input, then the parse tree is
valid with respect to the grammar, and the leaves of the parse tree match the input;
and completeness: if the input belongs in the language of the grammar then the parser
constructs the correct parse tree for the input with respect to the grammar. In addition,
we develop a version of the algorithm that is executable by automatic translation
from HOL to SML. This alternative version of the algorithm requires some interesting
termination proofs.
We conclude with a discussion of the issues we faced while mechanising pen-and-paper
proofs. Carefully written formal proofs are regarded as rigorous for the audience they
target. But when such proofs are implemented in a theorem prover, the level of detail
required increases dramatically. We provide a discussion and a broad categorisation of
the causes that give rise to this
Formal analysis of confidentiality conditions related to data leakage
The size of the financial risk, the social repercussions and the legal ramifications resulting from data leakage are of great concern. Some experts believe that poor system designs are to blame. The goal of this thesis is to use applied formal methods to verify that data leakage related confidentiality properties of system designs are satisfied. This thesis presents a practically applicable approach for using Banks's confidentiality framework, instantiated using the Circus notation.
The thesis proposes a tool-chain for mechanizing the application of the framework and includes a custom tool and the Isabelle theorem prover that coordinate to verify a given system model. The practical applicability of the mechanization was evaluated by analysing a number of hand-crafted systems having literature related confidentiality requirements.
Without any reliable tool for using BCF or any Circus tool that can be extended for the same purpose, it was necessary to build a custom tool. Further, a lack of literature related descriptive case studies on confidentiality in systems compelled us to use hand-written system specifications with literature related confidentiality requirements.
The results of this study show that the tool-chain proposed in this thesis is practically applicable in terms of time required. Further, the efficiency of the proposed tool-chain has been shown by comparing the time taken for analysing a system both using the mechanised approach as well as the manual approach
Automating Verification of State Machines with Reactive Designs and Isabelle/UTP
State-machine based notations are ubiquitous in the description of component systems, particularly in the robotic domain. To ensure these systems are safe and predictable, formal verification techniques are important, and can be cost-effective if they are both automated and scalable. In this paper, we present a verification approach for a diagrammatic state machine language that utilises theorem proving and a denotational semantics based on Unifying Theories of Programming (UTP). We provide the necessary theory to underpin state machines (including induction theorems for iterative processes), mechanise an action language for states and transitions, and use these to formalise the semantics. We then describe the verification approach, which supports infinite state systems, and exemplify it with a fully automated deadlock-freedom check. The work has been mechanised in our proof tool, Isabelle/UTP, and so also illustrates the use of UTP to build practical verification tools