A Machine-Checked, Type-Safe Model of Java Concurrency : Language, Virtual Machine, Memory Model, and Verified Compiler

The Java programming language provides safety and security guarantees such as type safety and its security architecture. They distinguish it from other mainstream programming languages like C and C++. In this work, we develop a machine-checked model of concurrent Java and the Java memory model and investigate the impact of concurrency on these guarantees. From the formal model, we automatically obtain an executable verified compiler to bytecode and a validated virtual machine

Computer Aided Verification

The open access two-volume set LNCS 11561 and 11562 constitutes the refereed proceedings of the 31st International Conference on Computer Aided Verification, CAV 2019, held in New York City, USA, in July 2019. The 52 full papers presented together with 13 tool papers and 2 case studies, were carefully reviewed and selected from 258 submissions. The papers were organized in the following topical sections: Part I: automata and timed systems; security and hyperproperties; synthesis; model checking; cyber-physical systems and machine learning; probabilistic systems, runtime techniques; dynamical, hybrid, and reactive systems; Part II: logics, decision procedures; and solvers; numerical programs; verification; distributed systems and networks; verification and invariants; and concurrency

Tackling Credit Assignment Using Memory and Multilevel Optimization for Multiagent Reinforcement Learning

There is growing commercial interest in the use of multiagent systems in real world applications. Some examples include inventory management in warehouses, smart homes, planetary exploration, search and rescue, air-traffic management and autonomous transportation systems. However, multiagent coordination is an extremely challenging problem. First, information relevant for coordination is often distributed across the team members, and fragmented amongst each agent's observation histories (past states). Second, the coordination objective is often sparse and noisy from the perspective of an agent. Designing general mechanisms of generating agent-specific reward functions that incentivizes an agent to collaborate towards the shared global objective is extremely difficult. From a learning perspective, both difficulties can be linked to the difficulty of credit assignment - the process of accurately associating rewards with actions. The primary contribution of this dissertation is to tackle credit assignment in multiagent systems in order to enable better multiagent coordination. First we leverage memory as a tool in enabling better credit assignment by facilitating associations between rewards and actions separated across time. We achieve this by introducing Modular Memory Units (MMU), a memory-augmented neural architecture that can reliably retain and propagate information over an extended period of time. We then use MMU to augment individual agents' policies in solving dynamic tasks that require adaptive behavior from a distributed multiagent team. We also introduce Distributed MMU (DMMU) which uses memory as a shared knowledge base across a team of distributed agents to enable distributed one-shot decision making. Switching our attention from the agent to the learning algorithm, we then introduce Evolutionary Reinforcement Learning (ERL), a multilevel optimization framework that blends the strength of policy gradients and evolutionary algorithms to improve learning. We further extend the ERL framework to introduce Collaborative ERL (CERL) which employs a collection of policy gradient learners (portfolio), each optimizing over varying resolution of the same underlying task. This leads to a diverse set of policies that are able to reach diverse regions within the solution space. Results in a range of continuous control benchmarks demonstrate that ERL and CERL significantly outperform their composite learners while remaining overall more sample-efficient. Finally, we introduce Multiagent ERL (MERL), a hybrid algorithm that leverages the multilevel optimization framework of ERL to enable improved multiagent coordination without requiring explicit alignment between local and global reward functions. MERL uses fast, policy-gradient based learning for each agent by utilizing their dense local rewards. Concurrently, evolution is used to recruit agents into a team by directly optimizing the sparser global objective. Experiments in multiagent coordination benchmarks demonstrate that MERL's integrated approach significantly outperforms the state-of-the-art multiagent policy-gradient algorithms

Causality-based verification

Program verification is one of the central research topics in computer science since its inception – we can consider the field to be initiated as early as in 1949, with Alan Turing’s pioneering paper “Checking a Large Routine.” Yet, we are still far from the dream of automatically proving every computer program correct. Two aspects make this problem particularly challenging: concurrent program execution on parallel processors, and large, or even infinite, state spaces of data-manipulating programs. Nowadays, with concurrency entering everywhere, from smartphones to aircrafts, proving the correctness of infinite-state concurrent programs becomes increasingly more important: we do want to be sure that the program that controls the airplane we are flying in is correct. In this thesis we propose a new approach to the verification of infinitestate concurrent programs. We call it causality-based, because it captures in an automatic proof system the “cause-effect” reasoning principles, which are often used informally in manual correctness proofs. While traditionally automatic methods are based on the state space exploration, our method is based on a new concurrency model, called concurrent traces, which are the abstractions of the history of a concurrent program to some key events and the relationships between them. Causality-based proof rules relate concurrent traces with each other, by formally tracking what are the necessary consequences (the “effects”) from a particular analysis situation (the “cause”). The full correctness proof is then a composition of such primitive proof steps. We study the syntactic and language-based properties of concurrent traces, and characterize the complexity of such operations as emptiness checking and language inclusion. Regarding the program correctness, we develop proof systems for the broad classes of safety and liveness properties, and provide algorithms for the automatic construction of correctness proofs. We demonstrate that for practically relevant classes of programs, such as multi-threaded programs with binary semaphores, the constructed proofs are of polynomial size, and can be also checked in polynomial time. The methods of the thesis have been implemented in Arctor, the first scalable termination prover for concurrent programs, which is able to handle programs with hundreds of non-trivial threads.Die Programmverifikation ist seit den Anfängen der Informatik eines ihrer zentralen Forschungsfelder. Als Beginn dieser Forschungsrichtung kann bereits das Jahr 1949 betrachtet werden, in dem Alan Turings bahnbrechende Arbeit “Checking a Large Routine” erschien. Der Traum, die Korrektheit von Programmen stets automatisch beweisen zu können, ist aber auch heute noch weit davon entfernt, Realität zu sein. Es gibt zwei Aspekte, die dieses Problem zu einer solch großen Herausforderung machen: die nebenläufige Ausführung von Programmen auf Parallelrechnern, und die großen, oder sogar unendlichen, Zustandsräume von datenverarbeitenden Programmen. Nebenläufige Programme werden in immer mehr Anwendungsbereichen, von Handys bis zur Luftfahrt, eingesetzt. Automatische Korrektheitsbeweise werden daher immer wichtiger: wenn wir mit dem Flugzeug reisen, möchten wir sicher sein, dass das Programm, das das Flugzeug steuert, auch tatsachlich korrekt ist. In dieser Arbeit schlagen wir einen neuen Ansatz für die Verifikation von nebenläufigen Programmen mit unendlichem Zustandsraum vor. Wir nennen den Ansatz “kausalitätsbasiert”, weil er im Rahmen eines automatischen Beweissystems die “Ursache-Wirkung”-Beziehungen erfasst, die sonst eher informell in manuellen Korrektheitsbeweisen benutzt werden. Anders als traditionelle automatische Methoden, die den Zustandsraums explorieren, baut unser Ansatz auf einem neuen nebenläufigen Berechnungsmodell, dem der “nebenläufigen Spuren”, auf. Eine nebenläufige Spur ist eine Abstraktion der Vergangenheit eines nebenläufigen Programms im Hinblick auf bestimmte Schlüsselereignisse und die Beziehungen zwischen diesen Ereignissen. Kausalitätsbasierte Beweis-regeln setzen nebenläufige Spuren zueinander in Bezug, indem die Konsequenzen (die “Wirkungen”) einer bestimmten analytischen Situation (der “Ursache”) auf eine formale Art und Weise verfolgt werden. Der vollständige Korrektheitsbeweis setzt sich dann aus solchen einfachen Beweisschritten zusammen. Wir untersuchen die syntaktischen und sprachtheoretischen Eigenschaften von nebenläufigen Spuren, und charakterisieren die Komplexität von Operationen wie den Tests auf leere Sprache und Sprachinklusion. Wir entwickeln Beweissysteme zum Nachweis der Programmkorrektheit für die allgemeinen Klassen der Sicherheits- und Lebendigkeitseigenschaften, und stellen Algorithmen vor, die solche Beweise automatisch konstruieren. Für aus praktischer Sicht relevante Klassen von Programmen, wie Multi-Thread Programme mit binären Semaphoren, zeigen wir, dass die konstruierten Beweise polynomiell groß sind und auch in polynomieller Zeit geprüft werden können. Die in der Arbeit vorgestellten Methoden wurden im Verifikationswerkzeug Arctor implementiert. Arctor is der erste skalierbare Terminierungsbeweiser für nebenläufige Programme. Arctor kann Programme mit Hunderten nicht-trivialer Threads verarbeiten

Programming Languages and Systems

This open access book constitutes the proceedings of the 31st European Symposium on Programming, ESOP 2022, which was held during April 5-7, 2022, in Munich, Germany, as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022. The 21 regular papers presented in this volume were carefully reviewed and selected from 64 submissions. They deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems

Caching, crashing & concurrency - verification under adverse conditions

The formal development of large-scale software systems is a complex and time-consuming effort. Generally, its main goal is to prove the functional correctness of the resulting system. This goal becomes significantly harder to reach when the verification must be performed under adverse conditions. When aiming for a realistic system, the implementation must be compatible with the “real world”: it must work with existing system interfaces, cope with uncontrollable events such as power cuts, and offer competitive performance by using mechanisms like caching or concurrency. The Flashix project is an example of such a development, in which a fully verified file system for flash memory has been developed. The project is a long-term team effort and resulted in a sequential, functionally correct and crash-safe implementation after its first project phase. This thesis continues the work by performing modular extensions to the file system with performance-oriented mechanisms that mainly involve caching and concurrency, always considering crash-safety. As a first contribution, this thesis presents a modular verification methodology for destructive heap algorithms. The approach simplifies the verification by separating reasoning about specifics of heap implementations, like pointer aliasing, from the reasoning about conceptual correctness arguments. The second contribution of this thesis is a novel correctness criterion for crash-safe, cached, and concurrent file systems. A natural criterion for crash-safety is defined in terms of system histories, matching the behavior of fine-grained caches using complex synchronization mechanisms that reorder operations. The third contribution comprises methods for verifying functional correctness and crash-safety of caching mechanisms and concurrency in file systems. A reference implementation for crash-safe caches of high-level data structures is given, and a strategy for proving crash-safety is demonstrated and applied. A compatible concurrent implementation of the top layer of file systems is presented, using a mechanism for the efficient management of fine-grained file locking, and a concurrent version of garbage collection is realized. Both concurrency extensions are proven to be correct by applying atomicity refinement, a methodology for proving linearizability. Finally, this thesis contributes a new iteration of executable code for the Flashix file system. With the efficiency extensions introduced with this thesis, Flashix covers all performance-oriented concepts of realistic file system implementations and achieves competitiveness with state-of-the-art flash file systems