94 research outputs found

    Specification and verification of atomic operations in GPGPU programs

    We propose a specification and verification technique based on separation logic to reason about data race freedom and functional correctness of GPU kernels that use atomic operations as synchronisation mechanism. Our approach exploits the notion of resource invariant from Concurrent Separation Logic (CSL) to capture the behaviour of atomic operations. However, because of the different memory levels in the GPU architecture, we adapt this notion of resource invariant to these memory levels, i.e., group resource invariants capture the behaviour of atomic operations that access locations in local memory, while kernel resource invariants capture the behaviour of atomic operations that access locations in global memory. We show soundness of our approach and we provide tool support that enables us to verify kernels from standard benchmarks suites

    Moving from Specifications to Contracts in Component-Based Design

    Abstract. Program properties that are automatically inferred by static analysis tools are generally not considered to be completely trustworthy, unless the tool implementation or the results are formally verified. Here we focus on the formal verification of resource guarantees inferred by automatic cost analysis. Resource guarantees ensure that programs run within the indicated amount of resources which may refer to memory consumption, to number of instructions executed, etc. In previous work we studied formal verification of inferred resource guarantees that depend only on integer data. In realistic programs, however, resource consumption is often bounded by the size of heap-allocated data structures. Bounding their size requires to perform a number of structural heap analyses. The contributions of this paper are (i) to identify what exactly needs to be verified to guarantee sound analysis of heap manipulating programs, (ii) to provide a suitable extension of the program logic used for verification to handle structural heap properties in the context of resource guarantees, and (iii) to improve the underlying theorem prover so that proof obligations can be automatically discharged.

    History-based verification of functional behaviour of concurrent programs

    Modular verification of the functional behaviour of a concurrent program remains a challenge. We propose a new way to achieve this, using histories, modelled as process algebra terms, to keep track of local changes. When threads terminate or synchronise in some other way, local histories are combined into global histories, and by resolving the global histories, the reachable state properties can be determined. Our logic is an extension of permission-based separation logic, which supports expressive and intuitive specifications. We discuss soundness of the approach, and illustrate it on several examples

    Automating Deductive Verification for Weak-Memory Programs

    Writing correct programs for weak memory models such as the C11 memory model is challenging because of the weak consistency guarantees these models provide. The first program logics for the verification of such programs have recently been proposed, but their usage has been limited thus far to manual proofs. Automating proofs in these logics via first-order solvers is non-trivial, due to reasoning features such as higher-order assertions, modalities and rich permission resources. In this paper, we provide the first implementation of a weak memory program logic using existing deductive verification tools. We tackle three recent program logics: Relaxed Separation Logic and two forms of Fenced Separation Logic, and show how these can be encoded using the Viper verification infrastructure. In doing so, we illustrate several novel encoding techniques which could be employed for other logics. Our work is implemented, and has been evaluated on examples from existing papers as well as the Facebook open-source Folly library. Comment: Extended version of TACAS 2018 publicatio

    Selective inhibition of intestinal guanosine 3′,5′-cyclic monophosphate signaling by small-molecule protein kinase inhibitors

    The guanosine 3′,5′-cyclic monophosphate (cGMP)-dependent protein kinase II (cGKII) serine/threonine kinase relays signaling through guanylyl cyclase C (GCC) to control intestinal fluid homeostasis. Here, we report the discovery of small-molecule inhibitors of cGKII. These inhibitors were imidazole-aminopyrimidines, which blocked recombinant human cGKII at submicromolar concentrations but exhibited comparatively little activity toward the phylogenetically related protein kinases cGKI and cAMP-dependent protein kinase (PKA). Whereas aminopyrimidyl motifs are common in protein kinase inhibitors, molecular modeling of these imidazole-aminopyrimidines in the ATP-binding pocket of cGKII indicated an unconventional binding mode that directs their amine substituent into a narrow pocket delineated by hydrophobic residues of the hinge and the C-helix. Crucially, this set of residues included the Leu-530 gatekeeper, which is not conserved in cGKI and PKA. In intestinal organoids, these compounds blocked cGKII-dependent phosphorylation of the vasodilator-stimulated phosphoprotein (VASP). In mouse small intestinal tissue, cGKII inhibition significantly attenuated the anion secretory response provoked by the GCC-activating bacterial heat-stable toxin (STa), a frequent cause of infectious secretory diarrhea. In contrast, both PKA-dependent VASP phosphorylation and intestinal anion secretion were unaffected by treatment with these compounds, whereas experiments with T84 cells indicated that they weakly inhibit the activity of cAMP-hydrolyzing phosphodiesterases. As these protein kinase inhibitors are the first to display selective inhibition of cGKII, they may expedite research on cGMP signaling and may aid future development of therapeutics for managing diarrheal disease and other pathogenic syndromes that involve cGKII

    Gonad shielding in paediatric pelvic radiography: disadvantages prevail over benefit

    Objective To re-evaluate gonad shielding in paediatric pelvic radiography in terms of attainable radiation risk reduction and associated loss of diagnostic information. Methods A study on patient dose and the quality of gonad shielding was performed retrospectively using 500 pelvic radiographs of children from 0 to 15 years old. In a subsequent study, 195 radiographs without gonad shielding were included. Patient doses and detriment adjusted risks for heritable disease and cancer were calculated with and without gonad shielding. Results For girls, gonad shields were placed incorrectly in 91% of the radiographs; for boys, in 66%. Without gonad shielding, the hereditary detriment adjusted risk for girls ranged between 0.1 × 10⁻⁶ and 1.3 × 10⁻⁶ and for boys between 0.3 × 10⁻⁶ and 3.9 × 10⁻⁶, dependent on age. With shielding, the reduction in hereditary risk for girls was on average 6 ± 3% of the total risk of the radiograph, for boys 24 ± 6%. Without gonad shielding, the effective dose ranged from 0.008 to 0.098 mSv. Conclusions With modern optimised X-ray systems, the reduction of the detriment adjusted risk by gonad shielding is negligibly small. Given the potential consequences of loss of diagnostic information, of retakes, and of shielding of automatic exposure-control chambers, gonad shielding might better be discontinued.

    Observed and predicted risk of breast cancer death in randomized trials on breast cancer screening

    BACKGROUND: The role of breast screening in breast cancer mortality declines is debated. Screening impacts cancer mortality through decreasing the number of advanced cancers with poor diagnosis, while cancer treatment works through decreasing the case-fatality rate. Hence, reductions in cancer death rates thanks to screening should directly reflect reductions in advanced cancer rates. We verified whether in breast screening trials, the observed reductions in the risk of breast cancer death could be predicted from reductions of advanced breast cancer rates. PATIENTS AND METHODS: The Greater New York Health Insurance Plan trial (HIP) is the only breast screening trial that reported stage-specific cancer fatality for the screening and for the control group separately. The Swedish Two-County trial (TCT) reported size-specific fatalities for cancer patients in both screening and control groups. We computed predicted numbers of breast cancer deaths, from which we calculated predicted relative risks (RR) and (95% confidence intervals). The Age trial in England performed its own calculations of predicted relative risk. RESULTS: The observed and predicted RR of breast cancer death were 0.72 (0.56-0.94) and 0.98 (0.77-1.24) in the HIP trial, and 0.79 (0.78-1.01) and 0.90 (0.80-1.01) in the Age trial. In the TCT, the observed RR was 0.73 (0.62-0.87), while the predicted RR was 0.89 (0.75-1.05) if overdiagnosis was assumed to be negligible and 0.83 (0.70-0.97) if extra cancers were excluded. CONCLUSIONS: In breast screening trials, factors other than screening have contributed to reductions in the risk of breast cancer death most probably by reducing the fatality of advanced cancers in screening groups. These factors were the better management of breast cancer patients and the underreporting of breast cancer as the underlying cause of death. Breast screening trials should publish stage-specific fatalities observed in each group

    Optimal surface electrode positioning for reliable train of four muscle relaxation monitoring

    In the clinic, a major problem in train of four (TOF) muscle relaxation monitoring is incorrect placement of stimulation and recording electrodes, frequently resulting in incorrect estimates of the patient's degree of relaxation or in abandonment of relaxation monitoring. The aim of this study was to arrive at recommendations that describe how to find optimal positions for the electrodes, where 'optimal' is taken in the sense that small deviations from these positions introduce no or only a small decline in the accuracy of the computed degree of muscle relaxation. This study, which employed the Relaxograph as the stimulation and measuring device, established that incorrect positioning is a real problem that frequently occurs; that the correctness of positioning is not guaranteed when the calibration of the Relaxograph succeeds; that the inadequacy of the electrode position is sometimes discovered for the first time when relaxation deepens; that positioning errors can be discovered by analysing the shape of the evoked compound action potential (ECAP), not only upon calibration but also when relaxation deepens; that a set of optimal electrode positions can be found; and that recommendations of how to find these optimal positions could help clinicians to place the electrodes in such a way, that reliable relaxation monitoring was possible in 100% of the investigated cases. In a first test in 30 adult patients, we surveyed how clinicians routinely positioned electrodes and found that in 14 of the 30 cases positioning was unsuccessful. In a second test in 10 patients, we tested a variety of electrode positions in order to discover 'optimal' stimulation, recording and ground electrode sites. In a third test in 10 patients, electrodes were positioned at these 'optimal' sites; stimulation and recording at these sites was successful in all 10 cases