
    Towards the Formal Specification and Verification of Maple Programs

    In this paper, we present our ongoing work and initial results on the formal specification and verification of MiniMaple (a substantial subset of Maple with slight extensions) programs. The main goal of our work is to find behavioral errors in such programs w.r.t. their specifications by static analysis. This task is more complex for widely used computer algebra languages like Maple as these are fundamentally different from classical languages: they support non-standard types of objects such as symbols, unevaluated expressions and polynomials and require abstract computer algebraic concepts and objects such as rings and orderings etc. As a starting point we have defined and formalized a syntax, semantics, type system and specification language for MiniMaple

    Hoare-style Specifications as Correctness Conditions for Non-linearizable Concurrent Objects

    Designing scalable concurrent objects, which can be efficiently used on multicore processors, often requires one to abandon standard specification techniques, such as linearizability, in favor of more relaxed consistency requirements. However, the variety of alternative correctness conditions makes it difficult to choose which one to employ in a particular case, and to compose them when using objects whose behaviors are specified via different criteria. The lack of syntactic verification methods for most of these criteria poses challenges in their systematic adoption and application. In this paper, we argue for using Hoare-style program logics as an alternative and uniform approach for specification and compositional formal verification of safety properties for concurrent objects and their client programs. Through a series of case studies, we demonstrate how an existing program logic for concurrency can be employed off-the-shelf to capture important state and history invariants, allowing one to explicitly quantify over interference of environment threads and provide intuitive and expressive Hoare-style specifications for several non-linearizable concurrent objects that were previously specified only via dedicated correctness criteria. We illustrate the adequacy of our specifications by verifying a number of concurrent client scenarios that make use of the previously specified concurrent objects, capturing the essence of such correctness conditions as concurrency-aware linearizability, quiescent, and quantitative quiescent consistency. All examples described in this paper are verified mechanically in Coq. Comment: 18 page

    Brief Announcement: Update Consistency in Partitionable Systems

    Data replication is essential to ensure reliability, availability and fault-tolerance of massive distributed applications over large scale systems such as the Internet. However, these systems are prone to partitioning, which by Brewer's CAP theorem [1] makes it impossible to use a strong consistency criterion like atomicity. Eventual consistency [2] guarantees that all replicas eventually converge to a common state when the participants stop updating. However, it fails to fully specify shared objects and requires additional non-intuitive and error-prone distributed specification techniques that must take into account all possible concurrent histories of updates to specify this common state [3]. This approach, which can lead to specifications as complicated as the implementations themselves, is limited by a more serious issue. The concurrent specification of objects uses the notion of concurrent events. In message-passing systems, two events are concurrent if they are enforced by different processes and each process enforced its event before it received the notification message from the other process. In other words, the notion of concurrency depends on the implementation of the object, not on its specification. Consequently, the final user may not know if two events are concurrent without explicitly tracking the messages exchanged by the processes. A specification should be independent of the system on which it is implemented. We believe that an object should be totally specified by two facets: its abstract data type, which characterizes its sequential executions, and a consistency criterion, which defines how it is supposed to behave in a distributed environment. Not only does the sequential specification help repeal the problem of intention, it also allows the use of the well studied and understood notions of languages and automata. This makes it possible to apply all the tools developed for sequential systems, from their simple definition using structures and classes to the most advanced techniques like model checking and formal verification. Eventual consistency (EC) imposes no constraint on the convergent state, which depends very little on the sequential specification. For example, an implementation that ignores all the updates is eventually consistent, as all replicas converge to the initial state. We propose a new consistency criterion, update consistency (UC), in which the convergent state must be obtained by a total ordering of the updates, that contains the sequential order of each Comment: in DISC14 - 28th International Symposium on Distributed Computing, Oct 2014, Austin, United State

    Scientific investigations with the data base HEAO-1 scanning modulator collimator

    The hardware specification for the Scanning Modulation Collimator (MC) experiment on HEAO-1 was to measure positions of bright (greater than 10^-11 ergs/cm^2 s), hard (1 to 15 keV) x-ray sources to 5-10 arcsec, and to measure their size and structure in three energy bands down to 10 arcsec resolution. The scientific purpose of this specification was to enable the identification of these x-ray sources with optical and radio objects in order to elucidate the x-ray emission mechanism and the nature of the candidate astronomical system. The experiment was an outstanding success. Hardware systems functioned perfectly, although loss of one (out of eight) proportional counters degraded our sensitivity by about 10 percent. Our aspect solution of 7 arcsec precision allowed us to achieve statistics-limited location precision for all but the strongest sources. We vigorously pursued a strategy of determining the scientific importance of each identification, and of publishing each scientific result as it came along

    Visual Specification of Interprocess and Intraprocess Communication

    We present a visual specification language for constructing distributed applications and their direct manipulation graphical user interfaces. Each distributed application consists of a collection of independent modules and a configuration of logical connections that define communication among the data interfaces of the modules. Our specification language uses a single visual mechanism that allows end-users to define interprocess communication among distributed modules and to define intraprocess communication among objects within a module. This seamless specification provides a general encapsulation/abstraction mechanism and is designed to support dynamic change to the communication structure. User interfaces are completely decoupled from the module(s) they control

    OCL Plus: Processes and Events in Object-Centred Planning

    An important area in AI Planning is the expressiveness of planning domain specification languages such as PDDL, and their aptitude for modelling real applications. This paper presents OCLplus, an extension of a hierarchical object centred planning domain definition language, intended to support the representation of domains with continuous change. The main extension in OCLplus provides the capability of interconnection between the planners and the changes that are caused by other objects of the world. To this extent, the concepts of event and process are introduced in the Hierarchical Task Network (HTN), object centred planning framework, in which a process is responsible for either continuous or discrete changes, and an event is triggered if its precondition is met. We evaluate the use of OCLplus and compare it with a similar language, PDDL+

    Refining SCJ Mission Specifications into Parallel Handler Designs

    Safety-Critical Java (SCJ) is a recent technology that restricts the execution and memory model of Java in such a way that applications can be statically analysed and certified for their real-time properties and safe use of memory. Our interest is in the development of comprehensive and sound techniques for the formal specification, refinement, design, and implementation of SCJ programs, using a correct-by-construction approach. As part of this work, we present here an account of laws and patterns that are of general use for the refinement of SCJ mission specifications into designs of parallel handlers used in the SCJ programming paradigm. Our notation is a combination of languages from the Circus family, supporting state-rich reactive models with the addition of class objects and real-time properties. Our work is a first step to elicit laws of programming for SCJ and fits into a refinement strategy that we have developed previously to derive SCJ programs. Comment: In Proceedings Refine 2013, arXiv:1305.563