11 research outputs found

    A synchronous program algebra: a basis for reasoning about shared-memory and event-based concurrency

    This research started with an algebra for reasoning about rely/guarantee concurrency for a shared memory model. The approach taken led to a more abstract algebra of atomic steps, in which atomic steps synchronise (rather than interleave) when composed in parallel. The algebra of rely/guarantee concurrency then becomes an instantiation of the more abstract algebra. Many of the core properties needed for rely/guarantee reasoning can be shown to hold in the abstract algebra, where their proofs are simpler and hence allow a higher degree of automation. The algebra has been encoded in Isabelle/HOL to provide a basis for tool support for program verification. In rely/guarantee concurrency, programs are specified to guarantee certain behaviours until assumptions about the behaviour of their environment are violated. When assumptions are violated, program behaviour is unconstrained (aborting), and guarantees need no longer hold. To support these guarantees a second synchronous operator, weak conjunction, was introduced: both processes in a weak conjunction must agree to take each atomic step, unless one aborts, in which case the whole aborts. In developing the laws for parallel and weak conjunction we found many properties were shared by the operators and that the proofs of many laws were essentially the same. This insight led to the idea of generalising synchronisation to an abstract operator with only the axioms that are shared by the parallel and weak conjunction operators, so that those two operators can be viewed as instantiations of the abstract synchronisation operator. The main differences between parallel and weak conjunction are how they combine individual atomic steps; that is left open in the axioms for the abstract operator.
    Comment: Extended version of a Formal Methods 2016 paper, "An algebra of synchronous atomic steps".

    Deriving Laws for Developing Concurrent Programs in a Rely-Guarantee Style

    In this paper we present a theory for the refinement of shared-memory concurrent algorithms from specifications. Our approach avoids restrictive atomicity constraints. It provides a range of constructs for specifying concurrent programs and laws for refining these to code. We augment pre- and postcondition specifications with Jones' rely and guarantee conditions, which we encode as commands within a wide-spectrum language. Program components are specified using either partial or total correctness versions of end-to-end specifications. Operations on shared data structures and atomic machine operations (e.g. compare-and-swap) are specified using an atomic specification command. All the above constructs are defined in terms of a simple core language, based on four primitive commands and a handful of operators, for which we have developed an extensive algebraic theory in Isabelle/HOL. For shared memory programs, expression evaluation is subject to fine-grained interference, and we have avoided atomicity restrictions other than for read and write of primitive types (words). Expression evaluation and assignment commands are also defined in terms of our core language primitives, allowing laws for reasoning about them to be proven in the theory. Control structures such as conditionals, recursion and loops are all defined in terms of the core language. In developing the laws for refining from specifications to such structures we have taken care to develop laws that are as general as possible; our laws are typically more general than those found in the literature. In developing our concurrent refinement theory we have taken care to focus on the algebraic properties of our commands and operators, which has allowed us to reuse algebraic theories, including well-known theories, such as lattices and boolean algebra, as well as programming-specific algebras, such as our synchronous algebra.

    Refinement algebra for probabilistic programs

    We identify a refinement algebra for reasoning about probabilistic program transformations in a total-correctness setting. The algebra is equipped with operators that determine whether a program is enabled or terminates, respectively. As well as developing the basic theory of the algebra, we demonstrate how it may be used to explain key differences and similarities between standard (i.e. non-probabilistic) and probabilistic programs and to verify important transformation theorems for probabilistic action systems.

    Transformation Rules for Probabilistic Programs: An Algebraic Approach


    Capabilities for Java: Secure access to resources

    This paper explores adding capabilities to Java with the objective of tightening security management for access to resources both within the Java Class Library and in Java applications. Code can only access resources if it is given explicit capabilities, allowing the use of doPrivileged blocks to be replaced. Capabilities provide restricted access to their implementing object, like an interface, but when a capability is created it has a more restrictive dynamic type than its implementing object, and hence access to the full facilities of the implementing object (e.g. via downcasting) is precluded. We used the Annotation Processing Tool to track the declaration and use of capabilities.

    Linking unifying theories of program refinement

    In this paper we consider three theories of programs and specifications at different levels of abstraction. The theories we focus on are: the basic Unifying Theories of Programming (UTP) model, which corresponds to the theories of VDM, B, and the refinement calculus; an extended theory that distinguishes abort from nontermination; and a further extension that introduces (abstract) time. We define UTP-style designs (or specifications) in each theory and show how program constructors, such as nondeterministic choice and sequential composition, can be expressed as single designs in each theory. To examine the relationships between the theories, we construct mappings in both directions between pairs of theories and show that the pairs of mappings form Galois connections. This shows that the simpler (more abstract) models are sub-theories of the more complex extensions. The mappings preserve the program structure and hence are homomorphisms. An important property of a Galois connection is that both mappings preserve refinement. The Galois connections between the models can be exploited to translate properties, including refinement laws, between theories. In addition, we show how to define an iteration in the extended model in terms of an iteration in the timed model.

    Algebraic reasoning for probabilistic action systems and while-loops

    Back and von Wright have developed algebraic laws for reasoning about loops in a total correctness framework using the refinement calculus. We extend their work to reasoning about probabilistic loops in the probabilistic refinement calculus. We apply our algebraic reasoning to derive transformation rules for probabilistic action systems and probabilistic while-loops. In particular, we focus on developing data refinement rules for these two constructs. Our extension is interesting since some well-known transformation rules that are applicable to standard programs are not applicable to probabilistic ones: we identify some of these important differences and develop alternative rules where possible.