From Event-B models to Dafny code contracts

International audienceThe constructive approach to software correctness aims at formal modelling and verification of the structure and behaviour of a system in different levels of abstraction. In contrast, the analytical approach to software verification focuses on code level correctness and its verification. Therefore it would seem that the constructive and analytical approaches should complement each other well. To demonstrate this idea we present a case for linking two existing verification methods, Event-B (constructive) and Dafny (analytical). This approach combines the power of Event-B abstraction and its stepwise refinement with the verification capabilities of Dafny. We presented a small case study to demonstrate this approach and outline of the rules for transforming Event-B events to Dafny contracts. Finally, a tool for automatic generation of Dafny contracts from Event-B formal models is presented

Flexible Invariants Through Semantic Collaboration

Modular reasoning about class invariants is challenging in the presence of dependencies among collaborating objects that need to maintain global consistency. This paper presents semantic collaboration: a novel methodology to specify and reason about class invariants of sequential object-oriented programs, which models dependencies between collaborating objects by semantic means. Combined with a simple ownership mechanism and useful default schemes, semantic collaboration achieves the flexibility necessary to reason about complicated inter-object dependencies but requires limited annotation burden when applied to standard specification patterns. The methodology is implemented in AutoProof, our program verifier for the Eiffel programming language (but it is applicable to any language supporting some form of representation invariants). An evaluation on several challenge problems proposed in the literature demonstrates that it can handle a variety of idiomatic collaboration patterns, and is more widely applicable than the existing invariant methodologies.Comment: 22 page

Carvedilol Protects against Doxorubicin-Induced Mitochondrial Cardiomyopathy

Several cytopathic mechanisms have been suggested to mediate the dose-limiting cumulative and irreversible cardiomyopathy caused by doxorubicin. Recent evidence indicates that oxidative stress and mitochondrial dysfunction are key factors in the pathogenic process. The objective of this investigation was to test the hypothesis that carvedilol, a nonselective [beta]-adrenergic receptor antagonist with potent antioxidant properties, protects against the cardiac and hepatic mitochondrial bioenergetic dysfunction associated with subchronic doxorubicin toxicity. Heart and liver mitochondria were isolated from rats treated for 7 weeks with doxorubicin (2 mg/kg sc/week), carvedilol (1 mg/kg ip/week), or the combination of the two drugs. Heart mitochondria isolated from doxorubicin-treated rats exhibited depressed rates for state 3 respiration (336 ± 26 versus 425 ± 53 natom O/min/mg protein) and a lower respiratory control ratio (RCR) (4.3 ± 0.6 versus 5.8 ± 0.4) compared with cardiac mitochondria isolated from saline-treated rats. Mitochondrial calcium-loading capacity and the activity of NADH-dehydrogenase were also suppressed in cardiac mitochondria from doxorubicin-treated rats. Doxorubicin treatment also caused a decrease in RCR for liver mitochondria (3.9 ± 0.9 versus 5.6 ± 0.7 for control rats) and inhibition of hepatic cytochrome oxidase activity. Coadministration of carvedilol decreased the extent of cellular vacuolization in cardiac myocytes and prevented the inhibitory effect of doxorubicin on mitochondrial respiration in both heart and liver. Carvedilol also prevented the decrease in mitochondrial Ca2+ loading capacity and the inhibition of the respiratory complexes of heart mitochondria caused by doxorubicin. Carvedilol by itself did not affect any of the parameters measured for heart or liver mitochondria. It is concluded that this protection by carvedilol against both the structural and functional cardiac tissue damage may afford significant clinical advantage in minimizing the dose-limiting mitochondrial dysfunction and cardiomyopathy that accompanies long-term doxorubicin therapy in cancer patients.http://www.sciencedirect.com/science/article/B6WXH-47G34FR-7/1/591ea3d1072dcf2971b640191c05679

GPUVerify: A Verifier for GPU Kernels

We present a technique for verifying race- and divergence-freedom of GPU kernels that are written in mainstream ker-nel programming languages such as OpenCL and CUDA. Our approach is founded on a novel formal operational se-mantics for GPU programming termed synchronous, delayed visibility (SDV) semantics. The SDV semantics provides a precise definition of barrier divergence in GPU kernels and allows kernel verification to be reduced to analysis of a sequential program, thereby completely avoiding the need to reason about thread interleavings, and allowing existing modular techniques for program verification to be leveraged. We describe an efficient encoding for data race detection and propose a method for automatically inferring loop invari-ants required for verification. We have implemented these techniques as a practical verification tool, GPUVerify, which can be applied directly to OpenCL and CUDA source code. We evaluate GPUVerify with respect to a set of 163 kernels drawn from public and commercial sources. Our evaluation demonstrates that GPUVerify is capable of efficient, auto-matic verification of a large number of real-world kernels

Effectiveness of nursing interventions among patients with cancer: An overview of systematic reviews

Aims and objectives To explore nursing interventions used among patients with cancer and summarise the results of their effectiveness. The ultimate goal was to improve the quality of care and provide best evidence for clinicians to refer to while developing effective nursing interventions. Background Nursing interventions refer to actions that nurses take with the aim of improving the well-being of people with cancer-related health and care needs. A plethora of systematic reviews has been conducted in this research area, although with scattered results. We conducted a comprehensive review to identify and summarise the existing evidence. Methods This overview of systematic reviews adheres to the PRISMA guidelines. The PubMed, CINAHL, MEDLINE and Scopus databases were searched. Nine reviews reporting findings from 112 original studies published 2007?2017 met the selection criteria. The results of intervention effectiveness were analysed using descriptive quantification and a narrative summary of the quantitative data. Results The effectiveness of educational nursing interventions was inconsistent on quality of life, attitudes, anxiety and distress, but positive on level of knowledge, symptom severity, sleep and uncertainty. Psychosocial nursing interventions had a significant effect on spiritual well-being, meaning of life, fatigue and sleep. Psychological nursing interventions reduced cancer-related fatigue. Nursing interventions supporting patients? coping had a significant impact on anxiety, distress, fatigue, sleep, dyspnoea and functional ability. Activity-based interventions may prevent cancer-related fatigue. Conclusions Nursing interventions achieved significant physical and psychological effects on the lives of patients with cancer. Multidimensional nature of interventions by combining different elements reinforces the effect. Priorities for future research include identifying the most beneficial components of these interventions. Relevance to Clinical Practice Implementation of these nursing interventions into clinical practice is important to improve patients? knowledge and quality of life (QoL) as well as reducing various symptoms and side effects related to cancer and its treatment. This article is protected by copyright. All rights reserved.</p

On Deciding Local Theory Extensions via E-matching

Satisfiability Modulo Theories (SMT) solvers incorporate decision procedures for theories of data types that commonly occur in software. This makes them important tools for automating verification problems. A limitation frequently encountered is that verification problems are often not fully expressible in the theories supported natively by the solvers. Many solvers allow the specification of application-specific theories as quantified axioms, but their handling is incomplete outside of narrow special cases. In this work, we show how SMT solvers can be used to obtain complete decision procedures for local theory extensions, an important class of theories that are decidable using finite instantiation of axioms. We present an algorithm that uses E-matching to generate instances incrementally during the search, significantly reducing the number of generated instances compared to eager instantiation strategies. We have used two SMT solvers to implement this algorithm and conducted an extensive experimental evaluation on benchmarks derived from verification conditions for heap-manipulating programs. We believe that our results are of interest to both the users of SMT solvers as well as their developers

S53P4 bioactive glass scaffolds induce BMP expression and integrative bone formation in a critical-sized diaphysis defect treated with a single-staged induced membrane technique

Surgical management of critical-sized diaphyseal defects involves multiple challenges, and up to 10% result in delayed or non-union. The two-staged induced membrane technique is successfully used to treat these defects, but it is limited by the need of several procedures and bone graft. Repeated procedures increase costs and morbidity, while grafts are subject to donor-site complications and scarce availability. To transform this two-staged technique into one graft-independent procedure, we developed amorphous porous scaffolds sintered from the clinically used bioactive glass S53P4. This work constitutes the first evaluation of such scaffolds in vivo in a critical-sized diaphyseal defect in the weight-bearing rabbit femur. We provide important knowledge and prospects for future development of sintered S53P4 scaffolds as a bone substitute. Critical-sized diaphysis defects are complicated by inherent sub-optimal healing conditions. The two staged induced membrane technique has been used to treat these challenging defects since the 1980 & rsquo;s. It involves temporary implantation of a membrane-inducing spacer and subsequent bone graft defect filling. A single-staged, graft-independent technique would reduce both socio-economic costs and patient morbidity. Our aim was to enable such single-staged approach through development of a strong bioactive glass scaffold that could replace both the spacer and the graft filling. We constructed amorphous porous scaffolds of the clinically used bioactive glass S53P4 and evaluated them in vivo using a critical sized defect model in the weight-bearing femur diaphysis of New Zealand White rabbits. S53P4 scaffolds and standard polymethylmethacrylate spacers were implanted for 2, 4, and 8 weeks. Induced membranes were confirmed histologically, and their osteostimulative activity was evaluated through RT-qPCR of bone morphogenic protein 2, 4, and 7 (BMPs). Bone formation and osseointegration were examined using histology, scanning electron microscopy, energy-dispersive X-ray analysis, and micro-computed tomography imaging. Scaffold integration, defect union and osteosynthesis were assessed manually and with X-ray projections. We demonstrated that S53P4 scaffolds induce osteostimulative membranes and produce osseointegrative new bone formation throughout the scaffolds. We also demonstrated successful stable scaffold integration with early defect union at 8 weeks postoperative in critical-sized segmental diaphyseal defects with implanted sintered amorphous S53P4 scaffolds. This study presents important considerations for future research and the potential of the S53P4 bioactive glass as a bone substitute in large diaphyseal defects. Statement of significance Surgical management of critical-sized diaphyseal defects involves multiple challenges, and up to 10% result in delayed or non-union. The two-staged induced membrane technique is successfully used to treat these defects, but it is limited by the need of several procedures and bone graft. Repeated procedures increase costs and morbidity, while grafts are subject to donor-site complications and scarce availability. To transform this two-staged technique into one graft-independent procedure, we developed amorphous porous scaffolds sintered from the clinically used bioactive glass S53P4. This work constitutes the first evaluation of such scaffolds in vivo in a critical-sized diaphyseal defect in the weight-bearing rabbit femur. We provide important knowledge and prospects for future development of sintered S53P4 scaffolds as a bone substitute. (c) 2021 The Author(s). Published by Elsevier Ltd on behalf of Acta Materialia Inc. This is an open access article under the CC BY-NC-ND license ( http://creativecommons.org/licenses/by-nc-nd/4.0/ )Peer reviewe

S53P4 bioactive glass scaffolds induce BMP expression and integrative bone formation in a critical-sized diaphysis defect treated with a single-stage d induce d membrane technique

Surgical management of critical-sized diaphyseal defects involves multiple challenges, and up to 10% result in delayed or non-union. The two-staged induced membrane technique is successfully used to treat these defects, but it is limited by the need of several procedures and bone graft. Repeated procedures increase costs and morbidity, while grafts are subject to donor-site complications and scarce availability. To transform this two-staged technique into one graft-independent procedure, we developed amorphous porous scaffolds sintered from the clinically used bioactive glass S53P4. This work constitutes the first evaluation of such scaffolds in vivo in a critical-sized diaphyseal defect in the weight-bearing rabbit femur. We provide important knowledge and prospects for future development of sintered S53P4 scaffolds as a bone substitute. Critical-sized diaphysis defects are complicated by inherent sub-optimal healing conditions. The two staged induced membrane technique has been used to treat these challenging defects since the 1980 & rsquo;s. It involves temporary implantation of a membrane-inducing spacer and subsequent bone graft defect filling. A single-staged, graft-independent technique would reduce both socio-economic costs and patient morbidity. Our aim was to enable such single-staged approach through development of a strong bioactive glass scaffold that could replace both the spacer and the graft filling. We constructed amorphous porous scaffolds of the clinically used bioactive glass S53P4 and evaluated them in vivo using a critical sized defect model in the weight-bearing femur diaphysis of New Zealand White rabbits. S53P4 scaffolds and standard polymethylmethacrylate spacers were implanted for 2, 4, and 8 weeks. Induced membranes were confirmed histologically, and their osteostimulative activity was evaluated through RT-qPCR of bone morphogenic protein 2, 4, and 7 (BMPs). Bone formation and osseointegration were examined using histology, scanning electron microscopy, energy-dispersive X-ray analysis, and micro-computed tomography imaging. Scaffold integration, defect union and osteosynthesis were assessed manually and with X-ray projections. We demonstrated that S53P4 scaffolds induce osteostimulative membranes and produce osseointegrative new bone formation throughout the scaffolds. We also demonstrated successful stable scaffold integration with early defect union at 8 weeks postoperative in critical-sized segmental diaphyseal defects with implanted sintered amorphous S53P4 scaffolds. This study presents important considerations for future research and the potential of the S53P4 bioactive glass as a bone substitute in large diaphyseal defects. Statement of significance Surgical management of critical-sized diaphyseal defects involves multiple challenges, and up to 10% result in delayed or non-union. The two-staged induced membrane technique is successfully used to treat these defects, but it is limited by the need of several procedures and bone graft. Repeated procedures increase costs and morbidity, while grafts are subject to donor-site complications and scarce availability. To transform this two-staged technique into one graft-independent procedure, we developed amorphous porous scaffolds sintered from the clinically used bioactive glass S53P4. This work constitutes the first evaluation of such scaffolds in vivo in a critical-sized diaphyseal defect in the weight-bearing rabbit femur. We provide important knowledge and prospects for future development of sintered S53P4 scaffolds as a bone substitute. (c) 2021 The Author(s). Published by Elsevier Ltd on behalf of Acta Materialia Inc. This is an open access article under the CC BY-NC-ND license ( http://creativecommons.org/licenses/by-nc-nd/4.0/ )Peer reviewe

Invariant Synthesis for Incomplete Verification Engines

We propose a framework for synthesizing inductive invariants for incomplete verification engines, which soundly reduce logical problems in undecidable theories to decidable theories. Our framework is based on the counter-example guided inductive synthesis principle (CEGIS) and allows verification engines to communicate non-provability information to guide invariant synthesis. We show precisely how the verification engine can compute such non-provability information and how to build effective learning algorithms when invariants are expressed as Boolean combinations of a fixed set of predicates. Moreover, we evaluate our framework in two verification settings, one in which verification engines need to handle quantified formulas and one in which verification engines have to reason about heap properties expressed in an expressive but undecidable separation logic. Our experiments show that our invariant synthesis framework based on non-provability information can both effectively synthesize inductive invariants and adequately strengthen contracts across a large suite of programs