Formal Generation of Executable Assertions for Application-Oriented Fault Tolerance

Executable assertions embedded into a distributed computing system can provide run-time assurance by ensuring that the program state, in the actual run-time environment, is consistent with the logical stage specified in the assertions; if not, then an error has occurred and a reliable communication of this diagnostic information is provided to the system such that reconfiguration and recovery can take place. Application- oriented fault tolerance is a method that provides fault detection using executable assertions based on the natural constraints of the application. This paper focuses on giving application-oriented fault tolerance a theoretical foundation by providing a mathematical model for the generation of executable assertions which detect faults in the presence of arbitrary failures. The mathematical model of choice was axiomatic program verification. A method was developed that translates a concurrent verification proof outline into an error-detecting concurrent program. This paper shows the application of the developed method to several applications

An Assertional Proof System for Multithreaded Java - Theory and Tool Support

Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation. To reason about safety properties of multithreaded Java programs, we introduce a tool-supported assertional proof method for JavaMT ("Multi-Threaded Java"), a small sublanguage of Java, covering the mentioned concurrency issues as well as the object-based core of Java. The verification method is formulated in terms of proof-outlines, where the assertions are layered into local ones specifying the behavior of a single instance, and global ones taking care of the connections between objects. We establish the soundness and the completeness of the proof system. From an annotated program, a number of verification conditions are generated and handed over to the interactive theorem prover PVS.IST project Omega (IST-2001-33522) NWO/DFG project Mobi-J (RO 1122/9-1, RO 1122/9-2)UBL - phd migration 201

Flush communication channels: Effective implementation and verification

Flush communication channels, or F-channels, generalize more conventional asynchronous communication paradigms. A distributed system which uses an F-channel allows a programmer to define the delivery order of each message in relation to other messages transmitted on the channel. Unreliable datagrams and FIFO (first-in-first-out) communication channels have strictly defined delivery semantics. No restrictions are allowed on message delivery order with unreliable datagrams--message delivery is completely unordered. FIFO channels, on the other hand, insist messages are delivered in the order of their transmission. Flush channels can provide either of these delivery order semantics; in addition, F-channels allow the user to define the delivery of a message to be after the delivery of all messages previously transmitted or before the delivery of all messages subsequently transmitted or both. A system which communicates with a flush channel has a message delivery order that is a partial order.;Dynamically specifying a partial message delivery order complicates many aspects of how we implement and reason about the communication channel. From the system\u27s perspective, we develop a feasible implementation protocol and prove its correctness. The protocol effectively handles the partially ordered message delivery. From the user\u27s perspective, we derive an axiomatic verification methodology for flush applications. The added flexibility of defining the delivery order dynamically slightly increases the complexity for the application programmer. Our verification work helps the user effectively deal with the partially ordered message delivery in flush communication

Flush communication channels: Effective implementation and verification

Flush communication channels, or F-channels, generalize more conventional asynchronous communication paradigms. A distributed system which uses an F-channel allows a programmer to define the delivery order of each message in relation to other messages transmitted on the channel. Unreliable datagrams and FIFO (first-in-first-out) communication channels have strictly defined delivery semantics. No restrictions are allowed on message delivery order with unreliable datagrams--message delivery is completely unordered. FIFO channels, on the other hand, insist messages are delivered in the order of their transmission. Flush channels can provide either of these delivery order semantics; in addition, F-channels allow the user to define the delivery of a message to be after the delivery of all messages previously transmitted or before the delivery of all messages subsequently transmitted or both. A system which communicates with a flush channel has a message delivery order that is a partial order.;Dynamically specifying a partial message delivery order complicates many aspects of how we implement and reason about the communication channel. From the system\u27s perspective, we develop a feasible implementation protocol and prove its correctness. The protocol effectively handles the partially ordered message delivery. From the user\u27s perspective, we derive an axiomatic verification methodology for flush applications. The added flexibility of defining the delivery order dynamically slightly increases the complexity for the application programmer. Our verification work helps the user effectively deal with the partially ordered message delivery in flush communication

An Assertional Proof System for Multithreaded Java - Theory and Tool Support

Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation. To reason about safety properties of multithreaded Java programs, we introduce a tool-supported assertional proof method for JavaMT ("Multi-Threaded Java"), a small sublanguage of Java, covering the mentioned concurrency issues as well as the object-based core of Java. The verification method is formulated in terms of proof-outlines, where the assertions are layered into local ones specifying the behavior of a single instance, and global ones taking care of the connections between objects. We establish the soundness and the completeness of the proof system. From an annotated program, a number of verification conditions are generated and handed over to the interactive theorem prover PVS.IST project Omega (IST-2001-33522) NWO/DFG project Mobi-J (RO 1122/9-1, RO 1122/9-2)UBL - phd migration 201

The Theory of Interacting Deductions and its Application to Operational Semantics

This thesis concerns the problem of complexity in operational semantics definitions. The appeal of modern operational semantics is the simplicity of their metatheories, which can be regarded as theories of deduction about certain shapes of operational judgments. However, when applied to real programming languages they produce bulky definitions that are cumbersome to reason about. The theory of interacting deductions is a richer metatheory which simplifies operational judgments and admits new proof techniques. An interacting deduction is a pair (F, I), where F is a forest of inference trees and I is a set of interaction links (a symmetric set of pairs of formula occurrences of F), which has been built from interacting inference rules (sequences of standard inference rules, or rule atoms). This setting allows one to decompose operational judgments. For instance, for a simple imperative language, one rule atom might concern a program transition, and another a store transition. Program judgments only interact with store judgments when necessary: so stores do not have to be propagated by every inference rule. A deduction in such a semantics would have two inference trees: one for programs and one for stores. This introduces a natural notion of modularity in proofs about semantics. The proof fragmentation theorem shows that one need only consider the rule atoms relevant to the property being proved. To illustrate, I give the semantics for a simple process calculus, compare it with standard semantics and prove three simple properties: nondivergence, store correctness and an equivalence between the two semantics. Typically evaluation semantics provide simpler definitions and proofs than transition semantics. However, it turns out that evaluation semantics cannot be easily expressed using interacting deductions: they require a notion of sequentiality. The sequential deductions contain this extra structure. I compare the utility of evaluation and transition semantics in the interacting case by proving a simple translation correctness example. This proof in turn depends on proof-theoretic concerns which can be abstracted using dangling interactions. This gives rise to the techniques of breaking and assembling interaction links. Again I get the proof fragmentation theorem, and also the proof assembly theorem, which allow respectively both the isolation and composition of modules in proofs about semantics. For illustration, I prove a simple type-checking result (in evaluation semantics) and another nondivergence result (in transition semantics). I apply these results to a bigger language, CSP, to show how the results scale up. Introducing a special scoping side-condition permits a number of linguistic extensions including nested parallelism, mutual exclusion, dynamic process creation and recursive procedures. Then, as an experiment I apply the theory of interacting deductions to present and prove sound a compositional proof system for the partial correctness of CSP programs. Finally, I show that a deduction corresponds to CCS-like process evaluation, justifying philosophically my use of the theory to give operational semantics. A simple corollary is the undecidability of interacting-deducibility. Practically, the result also indicates how one can build prototype interpreters for definitions

Programming Languages and Systems

This open access book constitutes the proceedings of the 31st European Symposium on Programming, ESOP 2022, which was held during April 5-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 21 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. They deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems

Programming Languages and Systems

This open access book constitutes the proceedings of the 31st European Symposium on Programming, ESOP 2022, which was held during April 5-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 21 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. They deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems