Verification of a Prolog compiler - first steps with KIV

This paper describes the first steps of the formal verification of a Prolog compiler with the KIV system. We build upon the mathematical definitions given by Boerger and Rosenzweig in [BR95]. There an operational semantics of Prolog is defined using the formalism of Evolving Algebras, and then transformed in several systematic steps to the Warren Abstract Machine (WAM). To verify these transformation steps formally in KIV, a translation of deterministic Evolving Algebras to Dynamic Logic is defined, which may also be of general interest. With this translation, correctness of transformation steps becomes a problem of program equivalence in Dynamic Logic. We define a proof technique for verifying such problems, which corresponds to the use of proof maps in Evolving Algebras. Although the transfor- mation steps are small enough for a mathematical analysis, this is not sufficient for a successful formal correctness proof. Such a proof requires to explicitly state a lot of facts, which were only impli- citly assumed in the analysis. We will argue that these assumptions cannot be guessed in a first proof attempt, but have to be filled in incrementally. We report on our experience with this `evolutionary\u27 verification process for the first transformation step, and the support KIV offers to do such incremental correctness proofs

Specification and verification of distributed technical systems with central control

This paper presents an algebraic approach to the specification and verification of distributed technical systems, which are controlled by a central control program. The approach is demonstrated by its application to the case study "production cell". The approach uses first-order specifications to describe the possible behaviour of the system. Specifications are structured according to the physical structure of the system. A PASCAL-like program is used to enforce intended behaviour. The whole case study, including specification as well as verification of lifeness and safety conditions, is carried out using the KIV system. This research was sponsored by the BMFT project KORSO

Thread-local, step-local proof obligations for refinement of state-based concurrent systems

This paper presents a proof technique for proving refinements for general state-based models of concurrent systems that reduces proving forward simulations to thread-local, step-local proof obligations. Instances of this proof technique should be applicable to systems specified with ASM rules, B events, or Z operations. To exemplify the proof technique, we demonstrate it with a simple case study that verifies linearizability of a lock-free implementation of concurrent hash sets by showing that it refines an abstract concurrent system with atomic operations. Our theorem prover KIV translates programs to a set of transition rules and generates proof obligations according to the technique

Proving Linearizability of Multiset with Local Proof Obligations

Linearizability is a key correctness criterion for concurrent software.In our previous work, we introduced local proof obligations, which, by showing a refinement between an abstract specification and its implementation, imply linearizability of the implementation. The  refinement is shown via a thread local backward simulation, which reduces the complexity of a backward simulation to an execution of two symbolic threads. In this paper, we present a correctness proof by applying those proof obligations to a lock-based implementation of a multiset. It is  interesting for two reasons: First, one of its operations inserts two elements non-atomically. To show that it linearizes, we have to find one point, where the multiset is changed instantaneously, which is a counter-intuitive task. Second, another operation has non-fixed linearization points, i.e. the linearization points cannot be statically fixed, because the operation’s linearization may depend on other processes’ execution. This is a typical case to use backward simulation, where we could apply our thread local variant of it. All proofs were mechanized in the theorem prover KIV

Weak Progressive Forward Simulation Is Necessary and Sufficient for Strong Observational Refinement

Hyperproperties are correctness conditions for labelled transition systems that are more expressive than traditional trace properties, with particular relevance to security. Recently, Attiya and Enea studied a notion of strong observational refinement that preserves all hyperproperties. They analyse the correspondence between forward simulation and strong observational refinement in a setting with only finite traces. We study this correspondence in a setting with both finite and infinite traces. In particular, we show that forward simulation does not preserve hyperliveness properties in this setting. We extend the forward simulation proof obligation with a (weak) progress condition, and prove that this weak progressive forward simulation is equivalent to strong observational refinement

Flashix: modular verification of a concurrent and crash-safe flash file system

The Flashix project has developed the first realistic verified file system for Flash memory. This paper gives an overview over the project and the theory used. Specification is based on modular components and subcomponents, which may have concurrent implementations connected via refinement. Functional correctness and crash-safety of each component is verified separately. We highlight some components that were recently added to improve efficiency, such as file caches and concurrent garbage collection. The project generates 18K of C code that runs under Linux. We evaluate how efficiency has improved and compare to UBIFS, the most recent flash file system implementation available for the Linux kernel