    Proving opacity of a pessimistic STM

    Transactional Memory (TM) is a high-level programming abstraction for concurrency control that provides programmers with the illusion of atomically executing blocks of code, called transactions. TMs come in two categories, optimistic and pessimistic, where in the latter transactions never abort. While this simplifies the programming model, high-performing pessimistic TMs can be complex. In this paper, we present the first formal verification of a pessimistic software TM algorithm, namely, an algorithm proposed by Matveev and Shavit. The correctness criterion used is opacity, formalising the transactional atomicity guarantees. We prove that this pessimistic TM is a refinement of an intermediate opaque I/O-automaton, known as TMS2. To this end, we develop a rely-guarantee approach for reducing the complexity of the proof. Proofs are mechanised in the interactive prover Isabelle.

    Spatial variability in ecosystem services: simple rules for predator-mediated pest suppression

    Agricultural pest control often relies on the ecosystem services provided by the predators of pests. Appropriate landscape and habitat management for pest control services requires an understanding of insect dispersal abilities and the spatial arrangement of source habitats for pests and their predators. Here we explore how dispersal and habitat configuration determine the locations where management actions are likely to have the biggest impact on natural pest control. The study focuses on the early colonization phase before predator reproduction takes place and when pest populations in crops are still relatively low. We developed a spatially explicit simulation model in which pest populations grow exponentially in pest patches and predators disperse across the landscape from predator patches. We generated 1000 computer-simulated landscapes in which the performance of four typical but different predator groups as biological control agents was evaluated. Predator groups represented trait combinations of poor and good dispersal ability and density-independent and density-dependent aggregation responses toward pests. Case studies from the literature were used to inform the parameterization of predator groups. Landscapes with a small nearest-neighbor distance between pest and predator patches had the lowest mean pest density at the landscape scale for all predator groups, but there can be high variation in pest density between the patches within these landscapes. Mobile and strongly aggregating predators provide the best pest suppression in the majority of landscape types. Ironically, this result is true except in landscapes with small nearest-neighbor distances between pest and predator patches. The pest control potential of mobile predators can best be explained by the mean distance between a pest patch and all predator patches in the landscape, whereas for poorly dispersing predators the distance between a pest patch and the nearest predator patch is the best explanatory variable. In conclusion, the spatial arrangement of source habitats for natural enemies of agricultural pest species can have profound effects on their potential to colonize crops and suppress pest populations. © 2010 by the Ecological Society of America

    Characterizing low-frequency artifacts during transcranial temporal interference stimulation (tTIS)

    Transcranial alternating current stimulation (tACS) is a well-established brain stimulation technique to modulate human brain oscillations. However, due to the strong electromagnetic artifacts induced by the stimulation current, the simultaneous measurement of tACS effects during neurophysiological recordings in humans is challenging. Recently, transcranial temporal interference stimulation (tTIS) has been introduced to stimulate neurons at depth non-invasively. During tTIS, two high-frequency sine waves are applied that interfere inside the brain, resulting in amplitude-modulated waveforms at the target frequency. Given appropriate hardware, we show that neurophysiological data during tTIS may be acquired without stimulation artifacts at low frequencies. However, data must be inspected carefully for possible low-frequency artifacts. Our results may help to design experimental setups to record brain activity during tTIS, which may foster our understanding of its underlying mechanisms.

    TWAM: A Certifying Abstract Machine for Logic Programs

    Type-preserving (or typed) compilation uses typing derivations to certify correctness properties of compilation. We have designed and implemented a type-preserving compiler for a simply-typed dialect of Prolog we call T-Prolog. The crux of our approach is a new certifying abstract machine which we call the Typed Warren Abstract Machine (TWAM). The TWAM has a dependent type system strong enough to specify the semantics of a logic program in the logical framework LF. We present a soundness metatheorem which constitutes a partial correctness guarantee: well-typed programs implement the logic program specified by their type. This metatheorem justifies our design and implementation of a certifying compiler from T-Prolog to TWAM.

    Comment: 41 pages, under submission to ACM Transactions on Computational Logic

    Non-invasive imaging methods applied to neo- and paleo-ontological cephalopod research

    Several non-invasive methods are common practice in natural sciences today. Here we present how they can be applied and contribute to current topics in cephalopod (paleo-) biology. Different methods will be compared in terms of the time necessary to acquire the data, amount of data, accuracy/resolution, minimum/maximum size of objects that can be studied, the degree of post-processing needed and availability. The main application of the methods is seen in morphometry and volumetry of cephalopod shells. In particular, we present a method for precise buoyancy calculation. For this purpose, cephalopod shells were scanned together with different reference bodies, an approach developed in medical sciences. It is necessary to know the volume of the reference bodies, which should have absorption properties similar to those of the object of interest. Exact volumes can be obtained from surface scanning. Depending on the dimensions of the study object, different computed tomography techniques were applied.

    Verifying correctness of persistent concurrent data structures: a sound and complete method

    Non-volatile memory (NVM), aka persistent memory, is a new memory paradigm that preserves its contents even after power loss. The expected ubiquity of NVM has stimulated interest in the design of persistent concurrent data structures, together with associated notions of correctness. In this paper, we present a formal proof technique for durable linearizability, which is a correctness criterion that extends linearizability to handle crashes and recovery in the context of NVM. Our proofs are based on refinement of Input/Output automata (IOA) representations of concurrent data structures. To this end, we develop a generic procedure for transforming any standard sequential data structure into a durable specification and prove that this transformation is both sound and complete. Since the durable specification only exhibits durably linearizable behaviours, it serves as the abstract specification in our refinement proof. We exemplify our technique on a recently proposed persistent-memory queue that builds on Michael and Scott's lock-free queue. To support the proofs, we describe an automated translation procedure from code to IOA and a thread-local proof technique for verifying correctness of invariants.

    Brief announcement: On strong observational refinement and forward simulation

    Hyperproperties are correctness conditions for labelled transition systems that are more expressive than traditional trace properties, with particular relevance to security. Recently, Attiya and Enea studied a notion of strong observational refinement that preserves all hyperproperties. They analyse the correspondence between forward simulation and strong observational refinement in a setting with finite traces only. We study this correspondence in a setting with both finite and infinite traces. In particular, we show that forward simulation does not preserve hyperliveness properties in this setting. We extend the forward simulation proof obligation with a progress condition, and prove that this progressive forward simulation does imply strong observational refinement.

    Early-season movement dynamics of phytophagous pest and natural enemies across a native vegetation-crop ecotone

    There is limited understanding of how insect movement patterns are influenced by landscape features, and of how landscapes can be managed to suppress pest phytophage populations in crops. Theory suggests that the relative timing of pest and natural enemy arrival in crops may influence pest suppression. However, there is a lack of data to substantiate this claim. We investigate the movement patterns of insects from native vegetation (NV) and discuss the implications of these patterns for pest control services. Using bi-directional interception traps, we quantified the number of insects crossing an NV/crop ecotone relative to a control crop/crop interface in two agricultural regions early in the growing season. We used these data to infer patterns of movement and net flux. At the community level, insect movement patterns were influenced by ecotone in two out of three year-by-region combinations. At the functional-group level, pests and parasitoids showed similar movement patterns from NV very soon after crop emergence. However, movement across the control interface increased towards the end of the early-season sampling period. Predators consistently moved more often from NV into crops than vice versa, even after crop emergence. Not all species showed a significant response to ecotone; however, when a response was detected, these species showed similar patterns between the two regions. Our results highlight the importance of NV for the recruitment of natural enemies for early-season crop immigration, which may be potentially important for pest suppression. However, NV was also associated with crop immigration by some pest species. Hence, NV offers both opportunities and risks for pest management. The development of targeted NV management may reduce the risk of crop immigration by pests, but not by natural enemies.

    Mechanized proofs of opacity: A comparison of two techniques

    Software transactional memory (STM) provides programmers with a high-level programming abstraction for synchronization of parallel processes, allowing blocks of code that execute in an interleaved manner to be treated as atomic blocks. This atomicity property is captured by a correctness criterion called opacity, which relates the behaviour of an STM implementation to that of a sequential atomic specification. In this paper, we prove opacity of a recently proposed STM implementation: the Transactional Mutex Lock (TML) by Dalessandro et al. For this, we employ two different methods: the first method directly shows all histories of TML to be opaque (proof by induction), using a linearizability proof of TML as an assistance; the second method shows TML to be a refinement of an existing intermediate specification called TMS2, which is known to be opaque (proof by simulation). Both proofs are carried out within interactive provers, the first with KIV and the second with both Isabelle and KIV. This allows us to compare not only the proof techniques in principle, but also their complexity in mechanization. It turns out that the second method, already leveraging an existing proof of opacity of TMS2, allows the proof to be decomposed into two independent proofs in a way that the linearizability proof does not.

    Relational Concurrent Refinement II: Internal Operations and Outputs

    Two styles of description arise naturally in formal specification: state-based and behavioural. In state-based notations, a system is characterised by a collection of variables, and their values determine which actions may occur throughout a system history. Behavioural specifications describe the chronologies of actions -- interactions between a system and its environment. The exact nature of such interactions is captured in a variety of semantic models with corresponding notions of refinement; refinement in state-based systems is based on the semantics of sequential programs and is modelled relationally. Acknowledging that these viewpoints are complementary, substantial research has gone into combining the paradigms. The purpose of this paper is to do three things. First, we survey recent results linking the relational model of refinement to the process algebraic models. Specifically, we detail how variations in the relational framework lead to relational data refinement being in correspondence with traces-divergences, singleton failures and failures-divergences refinement in a process semantics. Second, we generalise these results by providing a general flexible scheme for incorporating the two main "erroneous" concurrent behaviours, deadlock and divergence, into relational refinement. This is shown to subsume previous characterisations. In doing this we derive relational refinement rules for specifications containing both internal operations and outputs that correspond to failures-divergences refinement. Third, the theory has been formally specified and verified using the interactive theorem prover KIV.
