76 research outputs found

    Temporal verification with transition invariants

    Program verification increases the degree of confidence that a program will perform correctly. Manual verification is an error-prone and tedious task. Its automation is highly desirable. The verification methodology reduces the reasoning about temporal properties of program computations to testing the validity of implication between auxiliary first-order assertions. The synthesis of such auxiliary assertions is the main challenge for automated tools. There already exist successful tools for the verification of safety properties. These properties require that some "bad" states never appear during program computations. The tools construct invariants, which are auxiliary assertions for safety. Invariants are computed symbolically by applying techniques of abstract interpretation. Liveness properties require that some "good" states will eventually appear in every computation. The synthesis of auxiliary assertions for the verification of liveness properties is the next challenge for automated verification tools. This dissertation argues that transition invariants can provide a new basis for the development of automated methods for the verification of liveness properties. We support this thesis as follows. We introduce a new notion of auxiliary assertions called transition invariant. We apply this notion to propose a proof rule for the verification of liveness properties. We provide a viable approach for the automated synthesis of transition invariants by abstract interpretation, which automates the proof rule. For this purpose, we introduce a transition predicate abstraction. This abstraction does not have an inherent limitation to preserve only safety properties. Most liveness properties of concurrent programs only hold under certain assumptions on non-deterministic choices made during program executions. These assumptions are known as fairness requirements. A direct treatment of fairness requirements in a proof rule is desirable. 
We specialize our proof rule for the direct accounting of two common ways of specifying fairness. Fairness requirements can be imposed either on program transitions or on sets of program states. We treat both cases via abstract-transition programs and labeled transition invariants respectively. We have developed a basis for the construction of automated tools that can not only prove that a program never does anything bad, but can also prove that the program eventually does something good. Such proofs increase our confidence that the program will perform correctly.

Program verification strengthens our confidence that a program will function correctly. Manual verification is error-prone and laborious. Its automation is therefore highly desirable. The general approach to verification consists of reducing temporal reasoning about program computations to checking the validity of implications between auxiliary assertions in predicate logic. The greatest challenge in automating verification methods lies in the automatic synthesis of such auxiliary assertions. Successful tools already exist for the automatic verification of safety properties. These properties require that no "undesired" program states occur in computations. The tools synthesize invariants, which are auxiliary assertions for the verification of safety properties. Invariants are computed symbolically using techniques of abstract interpretation. Liveness properties require that certain "good" states eventually occur in every computation. The synthesis of auxiliary assertions for the verification of liveness properties is the next challenge for automatic tools. 
This dissertation takes the position that transition invariants can provide a new basis for the development of automatic methods for the verification of liveness properties. We support this thesis as follows. We introduce a new type of auxiliary assertion, called a transition invariant. We use transition invariants to develop a proof rule for the verification of liveness properties. We present a practical approach for the synthesis of transition invariants based on abstract interpretation and thereby automate the proof rule. For this purpose we introduce transition predicate abstraction. This abstraction is not limited to preserving only safety properties. Most liveness properties of concurrent programs hold only under certain assumptions about the non-deterministic choices made during program computations. These assumptions are known as fairness requirements, and their direct treatment in a proof rule is desirable. We specialize our proof rule for the direct handling of two common kinds of fairness specifications. On the one hand, we account for fairness requirements on program transitions by means of abstract-transition programs. On the other hand, fairness requirements given by sets of states are handled with the help of labeled transition invariants. We have provided a basis for the development of automatic tools that can prove that a program does no harm and that the program achieves something good. Such proofs strengthen our confidence that the program will function correctly.

    The Past, Present, and Future(s): Verifying Temporal Software Properties

    Software systems are increasingly present in every aspect of our society, as their deployment can be witnessed from seemingly trivial applications of light switches, to critical control systems of nuclear facilities. In the context of critical systems, software faults and errors could potentially lead to detrimental consequences, thus more rigorous methodologies beyond the scope of testing need be applied to software systems. Formal verification, the concept of being able to mathematically prove the correctness of an algorithm with respect to a mathematical formal specification, can indeed help us prevent these failures. A popular specification language for these formal specifications is temporal logic, due to its intuitive, yet precise expressions that can be utilized to both specify and verify fundamental properties pertaining to software systems. Temporal logic can express properties pertaining to safety, liveness, termination, non-termination, and more with regards to various systems such as Windows device drivers, kernel APIs, database servers, etc. This dissertation thus presents automated scalable techniques for verifying expressive temporal logic properties of software systems, specifically those beyond the scope of existing techniques. Furthermore, this work considers the temporal sub-logics fair-CTL, CTL*, and CTL*lp, as verifying these more expressive sub-logics has been an outstanding research problem. We begin building our framework by introducing a novel scalable and high-performance CTL verification technique. Our CTL methodology is unique relative to existing techniques in that it facilitates reasoning about more expressive temporal logics. In particular, it allows us to further introduce various methodologies that allow us to verify fair-CTL, CTL*, and CTL*lp. 
We support the verification of fair-CTL through a reduction to our CTL model checking technique via the use of infinite non-deterministic branching to symbolically partition fair from unfair executions. For CTL*, we propose a method that uses an internal encoding which facilitates reasoning about the subtle interplay between the nesting of path and state temporal operators that occurs within CTL* proofs. A precondition synthesis strategy is then used over a program transformation which trades nondeterminism in the transition relation for nondeterminism explicit in variables predicting future outcomes when necessary. Finally, we propose a linear-past extension to CTL*, that being CTL*lp, in which the past is linear and each moment in time has a unique past. We support this extension through the use of history variables over our CTL* technique. We demonstrate the fully automated implementation of our techniques, and report our benchmarks carried out on code fragments from the PostgreSQL database server, Apache web server, Windows OS kernel, as well as smaller programs demonstrating the expressiveness of fair-CTL, CTL*, and CTL*lp specifications. Together, these novel methodologies lead to a new class of fully automated tools capable of proving crucial properties that no tool could previously prove in the infinite-state setting

    Construction and Constraint: The Animal Body and Constructions of Power in Motion Pictures.

    This dissertation proceeds from the question “How does the camera capture animals, and how does the medium of that image structure the relationship between camera, animal and spectator?” by arguing that both the terms of the question and the answers themselves are culturally and historically contingent. The tension between the documented animal body as it is viewed on screen and the living animal captured in profilmic space demands a methodology attentive to both historical context and the power structures that shape the writing of history for non-speaking subjects. Examining cases such as the early Edison short Electrocution of an Elephant, the 1939 Hollywood production of Jesse James, BBC’s Planet Earth and cat videos on the internet through the moments of their filming and exhibition, I argue that the relationships amongst animals, humans, landscape, and culture inform the representations of animals onscreen, and how animal images are seen and understood. My work privileges the conditions of production and exhibition because the power dynamics of the gaze at animals are not only implicated in the image textually, but also in the factors that produced the image. Drawing on institutional archives, public animal advocacy and legal discourse, I demonstrate that the power of the human to control not only the animal but the framing of that animal is elided in order to naturalize both the human-animal power dynamic and the relationship between camera, subject and viewer. Animals are often in the background, textually and historically, of American film history. By focusing on their performances, my work demonstrates how animals were understood through and ultimately regulated by a media industry that both profited from and dictated the terms of representation. The animal body has a unique status as familiar and distant, exotic and domesticated, unknowable and subject to human control. 
Media texts focused on animal bodies provide an ideal testing ground for examining how the relationship between human and animal is both reflected and created by media, and the power that fills each frame.
PhD, Screen Arts and Cultures, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/133428/1/kralko_1.pd

    Nonhuman Agency in Speculative Ecofiction

    Speculative ecofiction creates situations that demand ethical relation to nonhumans in order to complicate definitions of “the human” and promote a neohumanist ethic based on human stewardship. Compassion is at the core of my understanding of stewardship, and I believe that certain literary works model ethical relationality based on care for all life. The novels that I examine pit nonhuman agency against human exceptionalism, bringing to light the ways in which “the other” is stripped of its agency. Reallocating agency impacts subgenres of speculative fiction including postcolonial, posthuman, and Afrofuturist literatures, because as beings are stripped of agency they are also stripped of their rights

    Model Checking and Model-Based Testing : Improving Their Feasibility by Lazy Techniques, Parallelization, and Other Optimizations

    This thesis focuses on the lightweight formal method of model-based testing for checking safety properties, and derives a new and more feasible approach. For liveness properties, dynamic testing is impossible, so feasibility is increased by specializing in an important class of properties, livelock freedom, and deriving a more feasible model checking algorithm for it. All mentioned improvements are substantiated by experiments

    Proving Liveness Property under Strengthened Compassion Requirements

    Deductive rules are useful for proving properties with fairness constraints and there have been many studies on such rules with justice and compassion constraints. This paper focuses on system specifications with strengthened compassion that impose constraints on transitions involving states and their successors. A deductive rule for proving liveness properties under strengthened compassion is presented, and proofs of the soundness and the relative completeness of the rule are also presented. © 2012 Springer-Verlag.
    State Key Laboratory of Computer Science; Chinese Academy of Sciences, Institute of Software; Chinese Academy of Sciences

    Risky Enterprise: Stunts and value in public life of late nineteenth-century New York

    PhD
    This thesis analyses stunts in the public life of late nineteenth-century New York, where ‘stunt’ developed as a slang term. Addressing stunts as a performative and discursive practice, I investigate stunts in popular newspapers, sports, politics and protest and, to a lesser extent, theatre and film. Each chapter focuses on one form of stunt: bridge jumping, extreme walking contests, a new genre of reporting called ‘stunt journalism’, and cycling feats. Joseph Pulitzer’s popular newspaper, the World, is the primary research archive, supported by analysis of other newspapers and periodicals, vaudeville scripts, films, manuals and works of fiction. The driving question is: how did stunts in public life enact conceptions of value? I contextualise stunts in a ‘crisis of value’ concerning industrialisation, secularisation, recessions, the currency crisis, increased entry of women into remunerative work, immigration, and racialised anxieties about consumption and degeneration. I examine the ways in which ‘stunt’ connotes devaluation, suggesting a degraded form of politics, art or sport, and examine how such cultural hierarchies intersect with gender, race and class. The critical framework draws on Theatre and Performance Studies theorisations of precarity and liveness. I argue that stunts aestheticised everyday precarity and made it visible, raising ethical questions about the value of human life and death, and the increasingly interdependent nature of urban society. Stunts took entrepreneurial idealisations of risk and autoproduction to the extreme, constructing identity as commodity. By aestheticising precarity and endangering lives, stunts explored a symbolic and material connection between liveness and aliveness, which provokes questions about current conceptualisations of liveness and mediatisation. 
I argue that while stunts were framed as exceptional, frivolous acts, they adopted the logic of increasingly major industries, such as the popular press, advertising and financial markets. Stunts became a focal point for anxiety regarding the abstract and unstable nature of value itself.
Arts and Humanities Research Council [grant numbers AH/M108823H, AH/M000427/1]

    Antiwar Literature In The United States Since 1945

    This dissertation examines literary resistance to US militarism since 1945. I maintain that a requirement of antiwar literature is a disruption or break from the pro-war narrative that seeks to justify and normalize the wars and militarism that saturate this historical period; literary works about war that do not deviate from this narrative are simply war literature. In chapters on John Hersey’s Hiroshima (1946), poetry and performance protests of the Vietnam Veterans Against the War (1970-72), Rob Halpern’s Common Place (2015), and works of speculative fiction by Omar El Akkad (American War, 2017) and N.K. Jemisin (The Fifth Season, 2015), I argue that we cannot understand the specific formal principles at work in antiwar texts unless we account for the ways in which those practices are motivated to contest given pro-war ideologies and structures of feelings or to inspire or sustain antiwar practices. This motivation is conveyed in a range of ways, attuned to historical context and generic affordances, and explicating these various methods of literarily representing an antiwar position and antiwar sentiment across different wars and via different literary genres produces a broader sense of what a political work of literature could be expected to do throughout this period of US history. In my examination of US literature since 1945 through the lens of antiwar literature, I reached the following historical and theoretical conclusions. The historical conclusion is that in the period of time from the end of the Second World War (1945) to the first two decades of the 21st century, US antiwar literature has demonstrated a continuing disenchantment with national politics alongside a skepticism about what literature does or can do in terms of political formation through aesthetic experience. 
The theoretical conclusion that my analysis in each chapter supports is that to be antiwar as a political position also requires the critique of the nation-state as a form and of state ideological formations around race, gender, and sexuality
