A Concurrent Language with a Uniform Treatment of Regions and Locks

A challenge for programming language research is to design and implement multi-threaded low-level languages providing static guarantees for memory safety and freedom from data races. Towards this goal, we present a concurrent language employing safe region-based memory management and hierarchical locking of regions. Both regions and locks are treated uniformly, and the language supports ownership transfer, early deallocation of regions and early release of locks in a safe manner

The AutoProof Verifier: Usability by Non-Experts and on Standard Code

Formal verification tools are often developed by experts for experts; as a result, their usability by programmers with little formal methods experience may be severely limited. In this paper, we discuss this general phenomenon with reference to AutoProof: a tool that can verify the full functional correctness of object-oriented software. In particular, we present our experiences of using AutoProof in two contrasting contexts representative of non-expert usage. First, we discuss its usability by students in a graduate course on software verification, who were tasked with verifying implementations of various sorting algorithms. Second, we evaluate its usability in verifying code developed for programming assignments of an undergraduate course. The first scenario represents usability by serious non-experts; the second represents usability on "standard code", developed without full functional verification in mind. We report our experiences and lessons learnt, from which we derive some general suggestions for furthering the development of verification tools with respect to improving their usability.Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

Flexible Invariants Through Semantic Collaboration

Modular reasoning about class invariants is challenging in the presence of dependencies among collaborating objects that need to maintain global consistency. This paper presents semantic collaboration: a novel methodology to specify and reason about class invariants of sequential object-oriented programs, which models dependencies between collaborating objects by semantic means. Combined with a simple ownership mechanism and useful default schemes, semantic collaboration achieves the flexibility necessary to reason about complicated inter-object dependencies but requires limited annotation burden when applied to standard specification patterns. The methodology is implemented in AutoProof, our program verifier for the Eiffel programming language (but it is applicable to any language supporting some form of representation invariants). An evaluation on several challenge problems proposed in the literature demonstrates that it can handle a variety of idiomatic collaboration patterns, and is more widely applicable than the existing invariant methodologies.Comment: 22 page

A Case Study in Automated Verification Based on Trace Abstractions

In [14], we proposed a framework for the automatic verification of reactivesystems. Our main tool is a decision procedure, Mona, for MonadicSecond-order Logic (M2L) on finite strings. Mona translates a formula inM2L into a finite-state automaton. We show in [14] how traces, i.e. finiteexecutions, and their abstractions can be described behaviorally. Thesestate-less descriptions can be formulated in terms of customized temporallogic operators or idioms.In the present paper, we give a self-contained, introductory account ofour method applied to the RPC-memory specification problem of the 1994Dagstuhl Seminar on Specification and Refinement of Reactive Systems.The purely behavioral descriptions that we formulate from the informalspecifications are formulas that may span 10 pages or more.Such descriptions are a couple of magnitudes larger than usual temporallogic formulas found in the literature on verification. To securelywrite these formulas, we introduce Fido [16] as a reactive system descriptionlanguage. Fido is designed as a high-level symbolic language forexpressing regular properties about recursive data structures.All of our descriptions have been verified automatically by Mona fromM2L formulas generated by Fido.Our work shows that complex behaviors of reactive systems can beformulated and reasoned about without explicit state-based programming.With Fido, we can state temporal properties succinctly while enjoyingautomated analysis and verification

Preliminary Design of the SAFE Platform

SAFE is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.Engineering and Applied Science