A Transactional Model and Platform for Designing and Implementing Reactive Systems

A reactive program is one that has ongoing interactions with its environment. Reactive programs include those for embedded systems, operating systems, network clients and servers, databases, and smart phone apps. Reactive programs are already a core part of our computational and physical infrastructure and will continue to proliferate within our society as new form factors, e.g. wireless sensors, and inexpensive (wireless) networking are applied to new problems. Asynchronous concurrency is a fundamental characteristic of reactive systems that makes them difficult to develop. Threads are commonly used for implementing reactive systems, but they may magnify problems associated with asynchronous concurrency, as there is a gap between the semantics of thread-based computation and the semantics of reactive systems: reactive software developed with threads often has subtle timing bugs and tends to be brittle and non-reusable as a holistic understanding of the software becomes necessary to avoid concurrency hazards such as data races, deadlock, and livelock. Based on these problems with the state of the art, we believe a new model for developing and implementing reactive systems is necessary. This dissertation makes four contributions to the state of the art in reactive systems. First, we propose a formal yet practical model for (asynchronous) reactive systems called reactive components. A reactive component is a set of state variables and atomic transitions that can be composed with other reactive components to yield another reactive component. The transitions in a system of reactive components are executed by a scheduler. The reactive component model is based on concepts from temporal logic and models like UNITY and I/O Automata. The major contribution of the reactive component model is a formal method for principled composition, which ensures that 1) the result of composition is always another reactive component, for consistency of reasoning; 2) systems may be decomposed to an arbitrary degree and depth, to foster divide-and-conquer approaches when designing and re-use when implementing; 3)~the behavior of a reactive component can be stated in terms of its interface, which is necessary for abstraction; and 4) properties of reactive components that are derived from transitions protected by encapsulation are preserved through composition and can never be violated, which permits assume-guarantee reasoning. Second, we develop a prototypical programming language for reactive components called rcgo that is based on the syntax and semantics of the Go programming language. The semantics of the rcgo language enforce various aspects of the reactive component model, e.g., the isolation of state between components and safety of concurrency properties, while permitting a number of useful programming techniques, e.g., reference and move semantics for efficient communication among reactive components. For tractability, we assume that each system contains a fixed set of components in a fixed configuration. Third, we provide an interpreter for the rcgo language to test the practicality of the assumptions upon which the reactive component model are founded. The interpreter contains an algorithm that checks for composition hazards like recursively defined transitions and non-deterministic transitions. Transitions are executed using a novel calling convention that can be implemented efficiently on existing architectures. The run-time system also contains two schedulers that use the results of composition analysis to execute non-interfering transitions concurrently. Fourth, we compare the performance of each scheduler in the interpreter to the performance of a custom compiled multi-threaded program, for two reactive systems. For one system, the combination of the implementation and hardware biases it toward an event-based solution, which was confirmed when the reactive component implementation outperformed the custom implementation due to reduced context switching. For the other system, the custom implementation is not prone to excessive context switches and outperformed the reactive component implementations. These results demonstrate that reactive components may be a viable alternative to threads in practice, but that additional work is necessary to generalize this claim

Automated and foundational verification of low-level programs

Formal verification is a promising technique to ensure the reliability of low-level programs like operating systems and hypervisors, since it can show the absence of whole classes of bugs and prevent critical vulnerabilities. However, to realize the full potential of formal verification for real-world low-level programs one has to overcome several challenges, including: (1) dealing with the complexities of realistic models of real-world programming languages; (2) ensuring the trustworthiness of the verification, ideally by providing foundational proofs (i.e., proofs that can be checked by a general-purpose proof assistant); and (3) minimizing the manual effort required for verification by providing a high degree of automation. This dissertation presents multiple projects that advance formal verification along these three axes: RefinedC provides the first approach for verifying C code that combines foundational proofs with a high degree of automation via a novel refinement and ownership type system. Islaris shows how to scale verification of assembly code to realistic models of modern instruction set architectures-in particular, Armv8-A and RISC-V. DimSum develops a decentralized approach for reasoning about programs that consist of components written in multiple different languages (e.g., assembly and C), as is common for low-level programs. RefinedC and Islaris rest on Lithium, a novel proof engine for separation logic that combines automation with foundational proofs.Formale Verifikation ist eine vielversprechende Technik, um die Verlässlichkeit von grundlegenden Programmen wie Betriebssystemen sicherzustellen. Um das volle Potenzial formaler Verifikation zu realisieren, müssen jedoch mehrere Herausforderungen gemeistert werden: Erstens muss die Komplexität von realistischen Modellen von Programmiersprachen wie C oder Assembler gehandhabt werden. Zweitens muss die Vertrauenswürdigkeit der Verifikation sichergestellt werden, idealerweise durch maschinenüberprüfbare Beweise. Drittens muss die Verifikation automatisiert werden, um den manuellen Aufwand zu minimieren. Diese Dissertation präsentiert mehrere Projekte, die formale Verifikation entlang dieser Achsen weiterentwickeln: RefinedC ist der erste Ansatz für die Verifikation von C Code, der maschinenüberprüfbare Beweise mit einem hohen Grad an Automatisierung vereint. Islaris zeigt, wie die Verifikation von Assembler zu realistischen Modellen von modernen Befehlssatzarchitekturen wie Armv8-A oder RISC-V skaliert werden kann. DimSum entwickelt einen neuen Ansatz für die Verifizierung von Programmen, die aus Komponenten in mehreren Programmiersprachen bestehen (z.B., C und Assembler), wie es oft bei grundlegenden Programmen wie Betriebssystemen der Fall ist. RefinedC und Islaris basieren auf Lithium, eine neue Automatisierungstechnik für Separationslogik, die maschinenüberprüfbare Beweise und Automatisierung verbindet.This research was supported in part by a Google PhD Fellowship, in part by awards from Android Security's ASPIRE program and from Google Research, and in part by a European Research Council (ERC) Consolidator Grant for the project "RustBelt", funded under the European Union’s Horizon 2020 Framework Programme (grant agreement no. 683289)

Fundamental Approaches to Software Engineering

computer software maintenance; computer software selection and evaluation; formal logic; formal methods; formal specification; programming languages; semantics; software engineering; specifications; verificatio

Rethinking the semantics of attitude reports

In response to John Locke’s death in 1704, Pierre Coste (1824) penned a letter containing the following passage: [H]e was naturally somewhat choleric. But his anger never lasted long...I remember, that two or three weeks before his death, as he was sitting in a garden, taking the air in a bright sunshine, whose warmth afforded him a great deal of pleasure...; we happened to speak of Horace, I know not on what occasion, and having repeated to him these verses, where that Poet says of himself, that he was Solibus aptum; Irasci celerem, tamen ut placabilis essem: “That he loved the warmth of the sun, and that tho’ he was naturally choleric, his anger was easily appeased.” Mr. Locke replied, that if he durst presume to compare himself with Horace in any thing, he thought he was perfectly like him in those two respects. (170, bold emphasis mine) This passage loosely contains a sentence of the form ⌜x says of y that p⌝ and ends with an anaphoric reference to “two respects” that, at face value, are designated by clausal complements, viz. ‘that he loved the warmth of the sun’ and ‘that tho he was naturally choleric, his anger was easily appeased.’ This dissertation concerns the semantics of these and related constructions, with an emphasis placed on those of the form ⌜x believes about y that p.⌝ These belief-about reports have received less attention than reports of the form ⌜x believes that p,⌝ but the former – along with their syntactically derived forms – are just as much a part of present-day, natural language English as the latter. Indeed, once I started studying ‘about’-constructions systematically, I immediately began to notice their regular appearance “in the wild.” This dissertation represents my attempts at taming this small corner, replete with philosophical significance, of the English language. There are three chapters, and they all concern the semantics of attitude verbs with clausal complements; I focus on ‘believes’ for ease of exposition. Chapters 1 and 3 can be read as standalone works. Chapter 2 should be read after Chapter 1. In Chapter 1, “A Puzzle about Belief-about,” I argue that certain valid inferences involving belief-about reports are prima facie inconsistent with orthodox views of the belief relation as binary and propositional. In response, I propose a conservative departure from orthodoxy according to which certain ‘that’-clauses designate novel devices of semantic type called open propositions; the view of belief as binary and propositional is retained. I give some reasons for thinking that open propositions are properties of a certain kind, give a bridge principle between belief-about and belief simpliciter, and formally implement the resulting view in accordance with contemporary theories of syntax and compositional semantics. The upshot is that theorists committed to orthodoxy must complicate their account of certain ‘that’-clauses in surprising ways. In Chapter 2, “Belief is a Ternary Relation,” I object to the semantic complexity required by the proposal advanced in Chapter 1 and investigate a more radical departure from orthodoxy, viz. that belief is a ternary relation between subjects, objects (“targets”), and properties (“contents”). After showing how the resulting Target and Content View can be formally implemented, I respond to a variety of objections that fall roughly into one of two categories: semantic and metaphysical. Responding to the semantic objections requires developing accounts of truth, assertion, and related notions, while responding to the metaphysical objections requires defending a particular view on the nature of propositions. The upshot is that if theorists are unwilling to countenance the semantic complexity required to save orthodoxy in the way proposed in Chapter 1, then the Target and Content View is an attractive alternative with theoretical benefits that are significant in their own right. The formal implementation of the view proposed in Chapter 2 presupposes an intensional semantic framework attributable to the linguistic development of variable-based theories of intensionality, which purport to explain the transparency of determiner phrases in the context of attitude reports. In Chapter 3, “Variable-based Intensionality for Structured Propositions,” I argue that these theories in their simple, traditional forms are not available to advocates of structured propositions, and that the only attempt so far to unify these approaches is unsuccessful. So, I develop an improved variable-based theory of intensionality for structured propositions. Due to the underappreciated generality of the intensional phenomena at issue, however, it turns out that all theories face further challenges still. The upshot is that advocates of structured propositions might even be in a stronger position than other theorists when it comes to tackling these challenges purely semantically, but the complications required also suggest that non-semantic explanations of transparency are worth investigating now more than ever. I’ll end with a note on methodology. This dissertation is couched within the theoretical framework of generative grammar and compositional semantics. One of its guiding principles is, accordingly, that truth-conditions for English sentences in context must be compositionally derived on the basis of syntactically respectable logical forms. This dissertation is also strongly influenced by the methods and tools of contemporary analytic metaphysics. So, another one of its guiding principle is that we ought to take seriously the nature of the entities appealed to by our best scientific theories, including the science of language. A recurring theme is therefore the dovetailing of considerations from formal semantics, on the one hand, and philosophical argumentation pertaining to the metaphysical natures of compositional semantic values (in context), on the other. I’ve tried to treat linguistic and philosophical considerations as on a par with one another throughout, conceiving of their distinction ultimately as an arbitrary matter – or, at least, as one that can be safely bracketed for present purposes.Philosoph

Behavioural semantics for asynchronous components

International audienceSoftware components are a valuable programming abstraction that enables a compositional design of complex applications. In distributed systems, components can also be used to provide an abstraction of locations: each component is a unit of deployment that can be placed on a different machine. In this article, we consider this kind of distributed components that are additionally loosely coupled and communicate by asynchronous invocations. Components also provide a convenient abstraction for verifying the correct behaviour of systems: they provide structuring entities easing the correctness verification. This article provides a formal background for the generation of behavioural semantics for asynchronous components. It expresses the semantics of hierarchical distributed components communicating asynchronously by requests, futures, and replies; this semantics is provided using the pNet intermediate language. This article both demonstrates the expressiveness of the pNet model and formally specifies the complete process of the generation of a behavioural model for a distributed component system. The purpose of our be-havioural semantics is to allow for verification both by finite instantiation and model-checking, and by techniques for infinite systems

Programming Languages and Systems

This open access book constitutes the proceedings of the 31st European Symposium on Programming, ESOP 2022, which was held during April 5-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 21 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. They deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems

Programming Languages and Systems

This open access book constitutes the proceedings of the 31st European Symposium on Programming, ESOP 2022, which was held during April 5-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 21 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. They deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems