Semantics-based program verification

We present language-independent formal methods that are parameterized by the operational semantics of languages. We provide the theory, implementation, and extensive evaluation of the language-parametric formal methods. Specifically, we consider two formal analyses: program verification and program equivalence. First, we propose a novel notion of bisimulation, which we call cut-bisimulation, allowing the two programs to semantically synchronize at relevant "cut" points, but to evolve independently otherwise. Employing the cut-bisimulation, we develop a language-independent equivalence checking algorithm, parameterized by the input and output language semantics, to prove equivalence of programs written in possibly different languages. We implement the algorithm in the K framework, yielding the first language-parametric program equivalence checker. To demonstrate the practical feasibility of the language-parametric formal methods, we instantiate a language-independent deductive program verifier by plugging-in four real-world language semantics, C, Java, JavaScript, and Ethereum Virtual Machine (EVM), and use them to verify full functional correctness of challenging heap-manipulating programs and high-profile commercial smart contracts. In particular, to the best of our knowledge, the JavaScript and EVM verifiers are the first deductive program verifier for these languages

Tools and Algorithms for the Construction and Analysis of Systems

This open access two-volume set constitutes the proceedings of the 26th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2020, which took place in Dublin, Ireland, in April 2020, and was held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The total of 60 regular papers presented in these volumes was carefully reviewed and selected from 155 submissions. The papers are organized in topical sections as follows: Part I: Program verification; SAT and SMT; Timed and Dynamical Systems; Verifying Concurrent Systems; Probabilistic Systems; Model Checking and Reachability; and Timed and Probabilistic Systems. Part II: Bisimulation; Verification and Efficiency; Logic and Proof; Tools and Case Studies; Games and Automata; and SV-COMP 2020

Interacting Hopf Algebras: the theory of linear systems

Scientists in diverse fields use diagrammatic formalisms to reason about various kinds of networks, or compound systems. Examples include electrical circuits, signal flow graphs, Penrose and Feynman diagrams, Bayesian networks, Petri nets, Kahn process networks, proof nets, UML specifications, amongst many others. Graphical languages provide a convenient abstraction of some underlying mathematical formalism, which gives meaning to diagrams. For instance, signal flow graphs, foundational structures in control theory, are traditionally translated into systems of linear equations. This is typical: diagrammatic languages are used as an interface for more traditional mathematics, but rarely studied per se. Recent trends in computer science analyse diagrams as first-class objects using formal methods from programming language semantics. In many such approaches, diagrams are generated as the arrows of a PROP — a special kind of monoidal category — by a two-dimensional syntax and equations. The domain of interpretation of diagrams is also formalised as a PROP and the (compositional) semantics is expressed as a functor preserving the PROP structure. The first main contribution of this thesis is the characterisation of SVk, the PROP of linear subspaces over a field k. This is an important domain of interpretation for diagrams appearing in diverse research areas, like the signal flow graphs mentioned above. We present by generators and equations the PROP IH of string diagrams whose free model is SVk. The name IH stands for interacting Hopf algebras: indeed, the equations of IH arise by distributive laws between Hopf algebras, which we obtain using Lack’s technique for composing PROPs. The significance of the result is two-fold. On the one hand, it offers a canonical string diagrammatic syntax for linear algebra: linear maps, kernels, subspaces and the standard linear algebraic transformations are all faithfully represented in the graphical language. On the other hand, the equations of IH describe familiar algebraic structures — Hopf algebras and Frobenius algebras — which are at the heart of graphical formalisms as seemingly diverse as quantum circuits, signal flow graphs, simple electrical circuits and Petri nets. Our characterisation enlightens the provenance of these axioms and reveals their linear algebraic nature. Our second main contribution is an application of IH to the semantics of signal processing circuits. We develop a formal theory of signal flow graphs, featuring a string diagrammatic syntax for circuits, a structural operational semantics and a denotational semantics. We prove soundness and completeness of the equations of IH for denotational equivalence. Also, we study the full abstraction question: it turns out that the purely operational picture is too concrete — two graphs that are denotationally equal may exhibit different operational behaviour. We classify the ways in which this can occur and show that any graph can be realised — rewritten, using the equations of IH, into an executable form where the operational behaviour and the denotation coincide. This realisability theorem — which is the culmination of our developments — suggests a reflection about the role of causality in the semantics of signal flow graphs and, more generally, of computing devices

Interaction Trees: Representing Recursive and Impure Programs in Coq

"Interaction trees" (ITrees) are a general-purpose data structure for representing the behaviors of recursive programs that interact with their environments. A coinductive variant of "free monads," ITrees are built out of uninterpreted events and their continuations. They support compositional construction of interpreters from "event handlers", which give meaning to events by defining their semantics as monadic actions. ITrees are expressive enough to represent impure and potentially nonterminating, mutually recursive computations, while admitting a rich equational theory of equivalence up to weak bisimulation. In contrast to other approaches such as relationally specified operational semantics, ITrees are executable via code extraction, making them suitable for debugging, testing, and implementing software artifacts that are amenable to formal verification. We have implemented ITrees and their associated theory as a Coq library, mechanizing classic domain- and category-theoretic results about program semantics, iteration, monadic structures, and equational reasoning. Although the internals of the library rely heavily on coinductive proofs, the interface hides these details so that clients can use and reason about ITrees without explicit use of Coq's coinduction tactics. To showcase the utility of our theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given in an ITree-based denotational semantics. Unlike previous results using operational techniques, our bisimulation proof follows straightforwardly by structural induction and elementary rewriting via an equational theory of combinators for control-flow graphs.Comment: 28 pages, 4 pages references, published at POPL 202

Processes with Multiple Entries and Exits Modulo Isomorphism and Modulo Bisimulation

This paper is an attempt to integrate the algebra of communicating processes (ACP) and the algebra of flownomials (AF). Basically, this means to combine axiomatized parallel and looping operators. To this end we introduce a model of process graphs with multiple entries and exits. In this model the usual operations of both algebras are defined, e.g. alternative composition (this covers both the sum of ACP and the disjoint sum of AF), sequential composition, feedback, parallel composition, left merge, communication merge, encapsulation, etc. 1 The main results consist of correct and complete axiomatisations of process graphs modulo isomorphism and modulo bisimulation. Key words & Phrases: process algebra, feedback, flowchart theories. 1 Introduction This paper is an attempt to integrate the algebra of communicating processes (ACP) and the algebra of flownomials (AF). Basically, this means to combine axiomatized parallel and looping operators. There are three axiomatized looping opera..

Tools and Algorithms for the Construction and Analysis of Systems

This open access book constitutes the proceedings of the 28th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2022, which was held during April 2-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 46 full papers and 4 short papers presented in this volume were carefully reviewed and selected from 159 submissions. The proceedings also contain 16 tool papers of the affiliated competition SV-Comp and 1 paper consisting of the competition report. TACAS is a forum for researchers, developers, and users interested in rigorously based tools and algorithms for the construction and analysis of systems. The conference aims to bridge the gaps between different communities with this common interest and to support them in their quest to improve the utility, reliability, exibility, and efficiency of tools and algorithms for building computer-controlled systems

Executable Denotational Semantics With Interaction Trees

Interaction trees are a representation of effectful and reactive systemsdesigned to be implemented in a proof assistant such as Coq. They are equipped with a rich algebra of combinators to construct recursive and effectful computations and to reason about them equationally. Interaction trees are also an executable structure, notably via extraction, which enables testing and directly developing executable programs in Coq. To demonstrate the usefulness of interaction trees, two applications are presented. First, I develop a novel approach to verify a compiler from a simple imperative language to assembly, by proving a semantic preservation theorem which is termination-sensitive, using an equational proof. Second, I present a framework of concurrent objects, inheriting the modularity, compositionality, and executability of interaction trees. Leveraging that framework, I formally prove the correctness of a transactionally predicated map, using a novel approach to reason about objects combining the notions of linearizability and strict serializability, two well-known correctness conditions for concurrent objects