Concurrent library abstraction without information hiding
|
|
- Warren Nichols
- 6 years ago
- Views:
Transcription
1 Universidad Politécnica de Madrid Escuela técnica superior de ingenieros informáticos Concurrent library abstraction without information hiding Artem Khyzha Advised by Manuel Carro and Alexey Gotsman Madrid 2014
2 Concurrent libraries Encapsulate efficient concurrent algorithms. - Java: java.util.concurrent - C++: Intel Threading Building Blocks - C#: System.Collections.Concurrent Implement stacks, queues, skip lists, hash tables, etc. But it is not easy to understand why they are correct. 2
3 Concurrent library correctness Non-blocking stack: t1: (t1, call push(42)) (t1, ret push) (t1, call isempty) (t1, ret isempty(yes)) t2: (t2, call pop) (t2, ret pop(42)) (t2, call push(11)) (t2, ret push) 3
4 Concurrent library correctness Non-blocking stack: Why is it OK to return empty here? t1: (t1, call push(42)) (t1, ret push) (t1, call isempty) (t1, ret isempty(yes)) t2: (t2, call pop) (t2, ret pop(42)) (t2, call push(11)) (t2, ret push) 4
5 Concurrent library correctness Non-blocking stack: It can also return no t1: (t1, call push(42)) (t1, ret push) (t1, call isempty) (t1, ret isempty(no)) t2: (t2, call pop) (t2, ret pop(42)) (t2, call push(11)) (t2, ret push) 5
6 A binary relation L L on libraries L and L. Usually, L is an impl. and L is a spec. 6
7 Concurrent library specification Non-blocking stack Atomic stack ADT struct Node { Node *next; int val; } *Top; void push(int v) { Node *t, *x; x = new Node; x->val = v; do { t = Top; x->next = t; } while(!cas(&top,t,x)); } Sequence S; void push(int v) { atomic { S = v S; } }
8 Library abstraction Abstraction theorem: it is sound to replace a library with its specification in reasoning about its client. If L L, then C(L ) can recreate executions of C(L). Proofs about C(L ) work for C(L). EXAMPLE OF THE PROPERTY. 8
9 Problem Linearizability hasn t been defined even for settings concurrent libraries get used in 9
10 Information hiding in linearizability C call m(42) ret m(0) L 10
11 Information hiding in linearizability C ret m(0) call m(42) Linearizability assumes a complete information hiding between the library and its client. L The client and the library exchange data via library interface. 10
12 Information hiding in fine-grained concurrency C read x ++x; x >? read x x = 1 ++x L 11
13 Information hiding in fine-grained concurrency C ++x; read x x >? x = 1 ++x L read x Clients and libraries share address space and communicated via shared memory for efficiency. Following the contract between components makes the program correct. 11
14 Information hiding in fine-grained concurrency C increases x read x ++x; x >? read x x = 1 ++x initialises x increases x L 12
15 Information hiding in fine-grained concurrency C increases x read x Clients and libraries share address space and communicated via shared ++x; x >? x = 1 ++x initialises x increases x L read x memory for efficiency. Following the contract between components makes the program correct. 12
16 Information hiding in fine-grained concurrency C increases x read x ++x; x >? read x x = 1 ++x initialises x increases x L once assigned, x can only increase 13
17 Information hiding in fine-grained concurrency C increases x read x Clients and libraries share address space and communicated via shared ++x; memory for efficiency. x >? read x x = 1 ++x Following the contract between components makes the program initialises x increases x L correct. once assigned, x can only increase 13
18 Information hiding in fine-grained concurrency C increases x read x ++x; x >? read x x = 1 ++x initialises x increases x L 14
19 Information hiding in fine-grained concurrency C increases x read x Clients and libraries share address space and communicated via shared ++x; x >? x = 1 ++x initialises x increases x L read x 14 memory for efficiency. Following the contract between components makes the program correct. Example in the paper.
20 In this thesis 1. No information hiding assumed. 2. Formalisation of the contract between clients and libraries. 3. A different library abstraction relation; 4. The Abstraction theorem proved. C C L1 L2 15
21 In this thesis We want to be able to replace L1 with L2 while reasoning about C(L1). The contract between components has to be considered. C C L1 L2 16
22 The contract views The Views Framework is a generalisation of Hoare-style program logics. Parameters: Views, Reification, Axioms. Framework can be instantiated into Concurrent Separation Logic, Rely- Guarantee etc. POPL 13, Dinsdale-Young et al 17
23 The contract views Formally: (View, *) a semi-group of assertions with commutative operation. Views represent information about the contract, and * combines contracts. Reification maps y views > 42to sets of concrete states; x - i -> _ Axioms specify x - i -> how _ * y commands > 42 change 18
24 The contract views Axioms specify how commands change views: soundly w.r.t. a concrete semantics; considering permissions. { x > 42 } ++x { x > 43 } { x > 42 } --x { x > 41 } 19
25 The contract views Axioms specify how commands change views: soundly w.r.t. a concrete semantics; considering contract. { x - i -> _ } ++x { x - i -> _ } { x - i -> _ } --x { x - i ->! _ } 20
26 The contract views Reification p gives a meaning to a view p Programs work with machine states σ; Views are abstracts states: reification maps views to sets of machine states; Axioms specify σ how p commands change views. a machine state σ satisfies p 21
27 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 Semantics in terms of traces sequences of labelled transitions between machine states. Idea: represent the information about the contract with views. LICS 93, Brookes 22
28 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 q1 q1 q2 q2 q3 q4 q4 Client and library have initial views p1 and q1 (parts of the contract to follow); Components only change their own views; 23
29 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 q1 q1 q2 q2 q3 q4 q4 Client and library have initial views p1 and q1 (parts of the contract to follow); Components only change their own views; Contract is followed: σi pi * qi View changes are done w.r.t. to the axioms 24
30 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 q1 q1 q2 q2 q3 q4 q4 Client and library have initial views p1 and q1 (parts of the contract to follow); Components only change their own views; Contract is followed: σi pi * qi View changes are done w.r.t. to the axioms 25
31 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 = Z = X # q1 q1 q2 q2 q3 q4 q4 = Y # Internally safe semantics of C(L) w.r.t. p1 and q1 the set of all possible (Z, X #, Y # ) 26
32 Semantics of programs Sint C(L) (pc, pl) = {(Z, X #, Y # ) where: } Z is a concrete trace (α1,σ1,σ 1) (αn,σn,σ n) X # is a client s abstract trace (α1, p1, p2) (αn, pn, pn+1) Y # is a library s abstract trace Views in X# and Y# are picked according to axioms Machine states satisfy views: σ1 p1*q1 X
33 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 q1 q1 q2 q2 q3 q4 q4 Client s vision: by C by C by C σ1 σ2 σ3 σ4 σ6 σ7 p1 p2 p2 p3 p3 p4 Library s vision: by L by L by L σ2 σ3 σ4 σ5 σ6 q1 q2 q2 q3 q4 X
34 The contract semantics Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 Client s vision: by C by C by C σ1 σ2 σ3 σ4 σ6 σ7 Library s vision: by L by L by L σ2 σ3 σ4 σ5 σ6 X
35 Abstraction theorem If L L, then executions of C(L) can be recreated by C(L ). 27
36 Abstraction theorem If L1 q1 L2 and initial contracts are p1 and q1,???????? for all internally safe traces (Z1, X # 1, Y # 1) of C(L1), C(L2) has (Z2, X # 2, Y # 2) such that: client s execution does not change: client(z1) = client(z2) library L 2 recreates the same state changes: states(lib(z1)) = states(lib(z2)) 28
37 Abstraction theorem If L1 q1 L2 and initial contracts are p1 and q1,???????? for all internally safe traces (Z1, X # 1, Y # 1) of C(L1), C(L2) has (Z2, X # 2, Y # 2) such that: client s execution does not change: client(z1) = client(z2) library L 2 recreates the same state changes: Has to work for all clients states(lib(z1)) = states(lib(z2)) 29
38 Abstraction theorem If????????? for all internally safe traces ( C L1 q1 L2 must establish correspondence between client s execution possible does uses of not libraries change: without considering a specific client library Has to work for all clients 30
39 Abstraction theorem If L1 q1 L2 and initial contracts are p1 and q1,????????? for all internally safe traces (Z1, X # 1, Y # 1) of C(L1), C(L2) has (Z2, X # 2, Y # 2) such that: client s execution does not change: client(z1) = client(z2) library L 2 recreates the same state changes: states(lib(z1)) = states(lib(z2)) X
40 Library abstraction relation A binary relation q: every concrete behaviour is preserved; the contract is not stricter; the same methods are used. L2 L1 method calls contract any C 31
41 Library abstraction relation A binary relation v p : ensures that every concrete behaviour is preserved; ensures that the contract is not more restrictive. v 8 2 SJ K 9 2 SJ K (Y 1,Y # 1 ) v (Y 2,Y # 2 ), states(y v 1)=states(Y 2 )^views(y # 1 ) views(y # 2 ) ^interface(y 1 )=interface(y 2 ). L 1 v p L 2, 8(Y 1,Y # 1 ) 2 SJL 1K(p). 9(Y 2,Y # 2 ) 2 SJL 2K(p). (Y 1,Y # 1 ) v (Y 2,Y # 2 ) X
42 Library-local contract A possible use of L: by L by L by L σ2 σ3 σ4 σ5 σ6 q1 q2 q2 q3 q4 Client may change machine state any time but then library s view remains invariant 32
43 Library-local contract A possible use of L: α by L by L σ2 σ3 σ4 σ5 σ6 q1 q2 q2 q3 q4 Client may change machine state any time but then library s view remains invariant which is enabled by changing views w.r.t. axioms and the Frame property of them for all (client s) views r, {q1} α {q2} implies {q1 * r} α {q2 * r} 33
44 Library-local contract A possible use of L: by L by L by L σ2 σ3 σ4 σ5 σ6 q1 q2 q2 q3 q4 Client may change machine state any time but then library s view remains invariant Execution of C(L): by C by L by C by L by L by C σ1 σ2 σ3 σ4 σ5 σ6 σ7 p1 p2 p2 p3 p3 p3 p4 q1 q1 q2 q2 q3 q4 q4 34
45 Library-local semantics Execution of L: by L by L by L σ2 σ3 σ4 σ5 σ6 q1 q2 q2 q3 q4 Library has initial view q1 as the contract; Follows the contract: σi qi Changes views w.r.t. the axioms; 35
46 Library-local executions Library behaviours are generated by n special clients: MGCn(L) = C1 C2 Cn Ci = (call arbitrary method of L)* Client may change the machine state arbitrarily 36
47 Library-local executions Library behaviours are generated by n special clients: Library s vision: MGCn(L) = C1 C2 Cn Ci = (call arbitrary method of L)* Client may change the machine state arbitrarily by L by L by L σ2 σ3 σ4 σ5 σ6 37
48 Library abstraction relation A binary relation q: every concrete behaviour is preserved; the contract is not stricter; the same methods are used. L2 L1 method calls contract any C 38
49 Abstraction theorem If L1 q1 L2 and initial contracts are p1 and q1, for all internally safe traces (Z1, X # 1, Y # 1) of C(L1), C(L2) has (Z2, X # 2, Y # 2) such that: client s execution does not change: client(z1) = client(z2) library L 2 recreates the same state changes: states(lib(z1)) = states(lib(z2)) 39
50 Library-local contract Safety of L w.r.t. p checks that library follows its contract itself. safe(l, pl) requires safe(mgcn(l), pl) safe(p, p) is: L safe(l,p), V n 1 safe(mgc n(l),p) 8, P 0,, 0. 2bpc^hP, i = )hp 0, 0 i =) 9p 0.p 0 2 SP(,p) ^ safe(p 0,p 0 ) X
51 Abstraction theorem Proof is constructive: decomposition : split a trace of C(L1) on library s and client s parts; C L1 C L1 X
52 Abstraction theorem Proof is constructive: decomposition : split a trace of C(L1) on library s and client s parts; replace L1 with L2; L1 L2 p X
53 Abstraction theorem Proof is constructive: decomposition : split a trace of C(L1) on library s and client s parts; replace L1 with L2; composition : merge parts of a trace together. C C + L2 L2 X
54 Summary 1. Library abstraction relation for programs interacting only on the shared memory; 2. Formalisation of the contract between clients and libraries with internally safe traces. 3. Proof of the Abstraction theorem. 40
55 Future work Linearizability Complete information hiding Communication via interface of the library? Partial information hiding? Library abstraction (in this work) No information hiding Communication via shared memory 41
56 Future work 1. Library abstraction with partial information hiding; 2. Real-world examples; 3. Relational logic for establishing q. 42
57 transition trace ofsafe L2 can mumbled to semantics fitto the ch eained able we are to prove able to safe prove and internally and be internally safe semantics safe be to b two consequent transitions. Consideration of this Abstraction Theorem that justifies abstracting f slosed that in transition traces of a closed program, states are not ch rams.programs Closed programs work in the work absence in the absence of the environment, of the environment safe semantics as follows: uent transitions. Consideration of this adjusts definitions of saft specification while reasoning about its nces of library abstraction is sound by establishing theclient. itionoftraces a closed of aprogram, closed program, states are states not changed are not changed between betwee as follows: bstracting from an a library with itsjpk(p) a adjusts client a19. concurrent library is still reprodu Definition Closed semantics Sclosed of deration s.ics Consideration of of this of implementation thisofdefinitions adjusts definitions ofofsafe and of safe internally and internall its theoremsstates that certain executions one provided that they are related with our not 19.client. ClosedThe semantics JPK(p) of a program P w.r.t. a vi closed n Sclosed JPK(p) = {Z Z 2 Twith JPK ^another 9n, { i }i=1, { still reproducible, if we replace a library Assume: mantics Sclosed JPK(p) Sclosed ofjpk(p) a program of13 a program P(Abstraction). w.r.t. Pa w.r.t. view is: view p is: C(L2 n+1 paif n Theorem program (p) =our {Z notion Z 2 TofJPK ^ 9n, abstraction. { i }i=1, { i }i= bpc ^ ( 1, 1, with library Z= ), p, p ), safeint(c(l ), p, p ) and L n+1 n+1 n safeint(c(l n 1 c 2 c l l 9n, T JPK { ^ 9n,,2{ {)Corollary,.{ 1i }2i=1 bpc. ^ 2 bpc ^ Z = (,, )(,, )... (, i }C(L i }i=1libraries n n i=1 ogram and L and L are such that 20. If a client C and libraries L an # # # (, Z =, ( )(,,,, )( ).,.. (,, )..,. (, )}, [ {"} )} [ {"} p20. )If and L v L hold, then: safeint(c(l ), p p ) and L v L hold, then: n 3 n n+1 n n n+1 c,zpl= p 2 c 1 p 2 l a client Cl,and L2 )K(p are such l 8(Z X libraries, Y ) 2 LS1 and JC(L, p ).that 9(Z safein,x Abstraction theorem (closed programs) int 1 c l 2 2 ),Cpcand, pl )libraries and L v L hold, then: 2libraries 1 p 2 L and L L are and such L are that such safeint(c(l that safeint(c(l ), p, p ), ), p, p ) l # # c 1 c l l Then: 9Z2 2 Sclosed1JC(L 122SS 1 )K(p c pl ). 9(Z2, X2, Y28Z)client(Z JC(L l ).states(lib(z =2 )K(p client(z )) = c, pl ). intclosed 1 ) JC(L 2 )p^ L2 1hold, vpl Lthen: 2 hold, then: # JC(L# # # JC(L )K(p p ). 9Z 2 S )K(p p ). client(z ) = c 1 c 2 2 c 1 osed l closed l s(lib(z1 )) =Definition states(lib(z214. )) ^ X ^ Ythe Y2of. best axiom 1 = 1 set We sayx2that 2 pl ). Sclosed 9Z2 JC(L 2 Sclosed JC(L ). client(z ) = client(z =2client(Z )^ ^= s 2 2 )K(p c p2l)k(p c pl ).1client(Z 1 ) states(lib(z 21))) Frame property, when the is following holds: of best axioms of the Views Framework closed under states(lib(z states(lib(z 5.1 Proof outline 1 )) = states(lib(z 1 )) = states(lib(z 2 )). 2 )). holds: oof outline P(, p) =) q r 2 SP(, p r). X 8p, q,. q 2 SP(, p) =)
Linearizability with ownership transfer
Linearizability with ownership transfer Hongseok Yang University of Oxford Joint work with Alexey Gotsman (IMDEA Software Institute, Spain) Concurrent libraries Encapsulate efficient concurrent algorithms.
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationProving liveness. Alexey Gotsman IMDEA Software Institute
Proving liveness Alexey Gotsman IMDEA Software Institute Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold
More informationA Generic Logic for Proving Linearizability
A Generic Logic for Proving Linearizability Artem Khyzha 1, Alexey Gotsman 1, and Matthew Parkinson 2 1 IMDEA Software Institute 2 Microsoft Research Cambridge Abstract. Linearizability is a commonly accepted
More informationConcurrent specifications beyond linearizability
Concurrent specifications beyond linearizability Éric Goubault Jérémy Ledent Samuel Mimram École Polytechnique, France OPODIS 2018, Hong Kong December 19, 2018 1 / 14 Objects Processes communicate through
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationProving Linearizability Using Partial Orders
Proving Linearizability Using Partial Orders Artem Khyzha 1, Mike Dodds 2, Alexey Gotsman 1, and Matthew Parkinson 3 1 IMDEA Software Institute, Madrid, Spain 2 University of York, UK 3 Microsoft Research
More informationModular Verification of Preemptive OS Kernels
Under consideration for publication in J. Functional Programming 1 Modular Verification of Preemptive OS Kernels ALEXEY GOTSMAN IMDEA Software Institute HONGSEOK YANG University of Oxford Abstract Most
More informationType Soundness and Race Freedom for Mezzo
Type Soundness and Race Freedom for Mezzo Thibaut Balabonski François Pottier Jonathan Protzenko INRIA FLOPS 2014 1 / 42 Mezzo in a few words Mezzo is a high-level programming language, equipped with:
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More information[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION
v1.0 20130407 Programmazione Avanzata e Paradigmi Ingegneria e Scienze Informatiche - UNIBO a.a 2013/2014 Lecturer: Alessandro Ricci [module 2.2] MODELING CONCURRENT PROGRAM EXECUTION 1 SUMMARY Making
More informationAbstract Data Types. Stack. January 26, 2018 Cinda Heeren / Geoffrey Tien 1
Abstract Data Types Stack January 26, 2018 Cinda Heeren / Geoffrey Tien 1 Abstract data types and data structures An Abstract Data Type (ADT) is: A collection of data Describes what data are stored but
More informationHiding local state in direct style: a higher-order anti-frame rule
1 / 65 Hiding local state in direct style: a higher-order anti-frame rule François Pottier January 28th, 2008 2 / 65 Contents Introduction Basics of the type system A higher-order anti-frame rule Applications
More informationProof Carrying Code(PCC)
Discussion p./6 Proof Carrying Code(PCC Languaged based security policy instead of OS-based A mechanism to determine with certainity that it is safe execute a program or not Generic architecture for providing
More informationA Michael Jackson presentation. CSE503: Software Engineering. The following slides are from his keynote at ICSE 1995
A Michael Jackson presentation CSE503: Software Engineering The following slides are from his keynote at ICSE 1995 David Notkin University of Washington Computer Science & Engineering Spring 2006 1 2 3
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationFormal Syntax and Semantics of Programming Languages
Formal Syntax and Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html The While
More informationFrom IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich
From IMP to Java Andreas Lochbihler ETH Zurich parts based on work by Gerwin Klein and Tobias Nipkow 2015-07-14 1 Subtyping 2 Objects and Inheritance 3 Multithreading 1 Subtyping 2 Objects and Inheritance
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationObject-Oriented Languages and Object-Oriented Design. Ghezzi&Jazayeri: OO Languages 1
Object-Oriented Languages and Object-Oriented Design Ghezzi&Jazayeri: OO Languages 1 What is an OO language? In Ada and Modula 2 one can define objects encapsulate a data structure and relevant operations
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationBehavioural Equivalences and Abstraction Techniques. Natalia Sidorova
Behavioural Equivalences and Abstraction Techniques Natalia Sidorova Part 1: Behavioural Equivalences p. p. The elevator example once more How to compare this elevator model with some other? The cabin
More informationA unified machine-checked model for multithreaded Java
A unified machine-checked model for multithreaded Java Andre Lochbihler IPD, PROGRAMMING PARADIGMS GROUP, COMPUTER SCIENCE DEPARTMENT KIT - University of the State of Baden-Wuerttemberg and National Research
More informationA Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm
Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov
More informationHyperkernel: Push-Button Verification of an OS Kernel
Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationTyped Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts
Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts Toshiyuki Maeda and Akinori Yonezawa University of Tokyo Quiz [Environment] CPU: Intel Xeon X5570 (2.93GHz)
More informationPrecision and the Conjunction Rule in Concurrent Separation Logic
Precision and the Conjunction Rule in Concurrent Separation Logic Alexey Gotsman a Josh Berdine b Byron Cook b,c a IMDEA Software Institute b Microsoft Research c Queen Mary University of London Abstract
More informationAn Approach to Behavioral Subtyping Based on Static Analysis
TACoS 04 Preliminary Version An Approach to Behavioral Subtyping Based on Static Analysis Francesco Logozzo 1 STIX - École Polytechnique F-91128 Palaiseau, France Abstract In mainstream object oriented
More informationShow No Weakness: Sequentially Consistent Specifications of TSO Libraries
Show No Weakness: Sequentially Consistent Specifications of TSO Libraries Alexey Gotsman 1, Madanlal Musuvathi 2, and Hongseok Yang 3 1 IMDEA Software Institute 2 Microsoft Research 3 University of Oxford
More informationCLAN: A Tool for Contract Analysis and Conflict Discovery
CLAN: A Tool for Contract Analysis and Conflict Discovery Stephen Fenech 1, Gordon J. Pace 1, and Gerardo Schneider 2 1 Dept. of Computer Science, University of Malta, Malta 2 Dept. of Informatics, University
More informationPhantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs
Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs Christian J Bell, Mohsen Lesani, Adam Chlipala, Stephan Boyer, Gregory Malecha, Peng Wang MIT CSAIL cj@csailmitedu
More informationParallel Programming in Distributed Systems Or Distributed Systems in Parallel Programming
Parallel Programming in Distributed Systems Or Distributed Systems in Parallel Programming Philippas Tsigas Chalmers University of Technology Computer Science and Engineering Department Philippas Tsigas
More informationAn Abstraction Technique for Describing Concurrent Program Behaviour
An Abstraction Technique for Describing Concurrent Program Behaviour Wytse Oortwijn (joint with Stefan Blom and Marieke Huisman) Formal Methods and Tools, University of Twente September 19, 2017 Wytse
More informationTranslation Validation for a Verified OS Kernel
To appear in PLDI 13 Translation Validation for a Verified OS Kernel Thomas Sewell 1, Magnus Myreen 2, Gerwin Klein 1 1 NICTA, Australia 2 University of Cambridge, UK L4.verified sel4 = a formally verified
More informationFormal Syntax and Semantics of Programming Languages
Formal Syntax and Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html axioms
More informationCMSC 330: Organization of Programming Languages. Basic OCaml Modules
CMSC 330: Organization of Programming Languages Basic OCaml Modules 1 Modules So far, most everything we ve defined has been at the top-level of OCaml This is not good software engineering practice A better
More informationFormal verification of program obfuscations
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationConcurrent Objects and Linearizability
Chapter 3 Concurrent Objects and Linearizability 3.1 Specifying Objects An object in languages such as Java and C++ is a container for data. Each object provides a set of methods that are the only way
More informationDOM: Specification & Client Reasoning
DOM: Specification & Client Reasoning Azalea Raad José Fragoso Santos Philippa Gardner Imperial College London APLAS 16 23 November 2016 1 Document Object Model (DOM) Cross-platform, language-independent,
More informationNON-BLOCKING DATA STRUCTURES AND TRANSACTIONAL MEMORY. Tim Harris, 31 October 2012
NON-BLOCKING DATA STRUCTURES AND TRANSACTIONAL MEMORY Tim Harris, 31 October 2012 Lecture 6 Linearizability Lock-free progress properties Queues Reducing contention Explicit memory management Linearizability
More informationCOMP4128 Programming Challenges
Multi- COMP4128 Programming Challenges School of Computer Science and Engineering UNSW Australia Table of Contents 2 Multi- 1 2 Multi- 3 3 Multi- Given two strings, a text T and a pattern P, find the first
More informationConstraints in Feature Algebra
Constraints in Feature Algebra Andreas Zelend Institut für Informatik, Universität Augsburg, Germany zelend@informatik.uni-augsburg.de Abstract. Feature Algebra captures the commonalities of feature oriented
More informationIronFleet. Dmitry Bondarenko, Yixuan Chen
IronFleet Dmitry Bondarenko, Yixuan Chen A short survey How many people have the confidence that your Paxos implementation has no bug? How many people have proved that the implementation is correct? Why
More informationModular Reasoning about Separation of Concurrent Data Structures
Modular Reasoning about Separation of Concurrent Data Structures Kasper Svendsen 1, Lars Birkedal 1, and Matthew Parkinson 2 1 T University of Copenhagen, {kasv,birkedal}@itu.dk 2 Microsoft Research Cambridge,
More informationAxiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof
Lecture 18: Axiomatic Semantics & Type Safety CSCI 131 Fall, 2011 Kim Bruce Axiomatic Rules Assignment axiom: - {P [expression / id]} id := expression {P} - Ex: {a+47 > 0} x := a+47 {x > 0} - {x > 1} x
More informationPractical Affine Types and Typestate-Oriented Programming
Practical Affine Types and Typestate-Oriented Programming Philipp Haller KTH Royal Institute of Technology Stockholm, Sweden Dagstuhl Seminar 17051 Theory and Applications of Behavioural Types Schloss
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationThe theory of Mezzo. François Pottier. IHP, April 2014 INRIA
The theory of Mezzo François Pottier INRIA IHP, April 2014 1 / 94 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin. 2 / 94 Outline Introduction The
More informationProving linearizability using forward simulations
Proving linearizability using forward simulations Ahmed Bouajjani 1, Michael Emmi 2, Constantin Enea 1, and Suha Orhun Mutluergil 3 1 IRIF, Univ. Paris Diderot, {abou,cenea}@irif.fr 2 Nokia Bell Labs,
More informationVerified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017
Verified Characteristic Formulae for CakeML Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017 Goal: write programs in a high-level (ML-style) language, prove them correct interactively,
More informationLibrary Abstraction for C/C++ Concurrency
Library Abstraction for C/C++ Concurrency Mark Batty University of Cambridge Mike Dodds University of York Alexey Gotsman IMDEA Software Institute Abstract When constructing complex concurrent systems,
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationProgram Analysis: Lecture 02 Page 1 of 32
Program Analysis: Lecture 02 Page 1 of 32 Program Analysis/ Mooly Sagiv Lecture 1, 31/10/2012 Operational Semantics Notes by: Kalev Alpernas As background to the subject of Program Analysis, we will first
More informationOutline. Example stack Version 1 -- int stack with fixed array Version 2 -- int stack with flexible array Version 3 -- with interface
Outline Example stack Version 1 -- int stack with fixed array Version 2 -- int stack with flexible array Version 3 -- with interface Visibility issues 6 :: 2 0024 Spring 2010 Stacks push(value) -- store
More informationGang Tan, Boston College Andrew W. Appel, Princeton University
A Compositional Logic for Control Flow Gang Tan, Boston College Andrew W. Appel, Princeton University Jan 8, 2006 1 Mobile Code Security Protect trusted system against untrusted code cyberspace ce program
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationDeadlock and Monitors. CS439: Principles of Computer Systems September 24, 2018
Deadlock and Monitors CS439: Principles of Computer Systems September 24, 2018 Bringing It All Together Processes Abstraction for protection Define address space Threads Share (and communicate) through
More informationThe Java Modeling Language (Part 2)
The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationA Sophomoric Introduction to Shared-Memory Parallelism and Concurrency Lecture 5 Programming with Locks and Critical Sections
A Sophomoric Introduction to Shared-Memory Parallelism and Concurrency Lecture 5 Programming with Locks and Critical Sections Dan Grossman Last Updated: May 2012 For more information, see http://www.cs.washington.edu/homes/djg/teachingmaterials/
More informationCSE332: Data Abstractions Lecture 23: Programming with Locks and Critical Sections. Tyler Robison Summer 2010
CSE332: Data Abstractions Lecture 23: Programming with Locks and Critical Sections Tyler Robison Summer 2010 1 Concurrency: where are we Done: The semantics of locks Locks in Java Using locks for mutual
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationHoare triples. Floyd-Hoare Logic, Separation Logic
Hoare triples Floyd-Hoare Logic, Separation Logic 1. Floyd-Hoare Logic 1969 Reasoning about control Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion
More informationINF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen
INF672 Protocol Safety and Verication Karthik Bhargavan Xavier Rival Thomas Clausen 1 Course Outline Lecture 1 [Today, Sep 15] Introduction, Motivating Examples Lectures 2-4 [Sep 22,29, Oct 6] Network
More informationKeywords: UML-B, refactoring, refinement, object-oriented design, annealing, introduce
Computing and Informatics, Vol. 35, 2016, 411 440 A SET OF REFACTORING RULES FOR UML-B SPECIFICATIONS Mehrnaz Najafi, Hassan Haghighi, Tahereh Zohdi Nasab Faculty of Computer Science and Engineering Shahid
More informationA Proposal for Weak-Memory Local Reasoning
A Proposal for Weak-Memory Local Reasoning Ian Wehrman and Josh Berdine Abstract Program logics are formal systems for specifying and reasoning about software programs. Most program logics make the strong
More informationFormal Methods for Java
Formal Methods for Java Lecture 30: Conclusion Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg Feb 17, 2012 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 1 / 21 Topics
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationConcurrent Libraries with Foresight
Concurrent Libraries with Foresight Guy Golan-Gueta Tel Aviv University ggolan@tau.ac.il G. Ramalingam Microsoft Research grama@microsoft.com Mooly Sagiv Tel Aviv University msagiv@tau.ac.il Eran Yahav
More informationMain Goal. Language-independent program verification framework. Derive program properties from operational semantics
Main Goal Language-independent program verification framework Derive program properties from operational semantics Questions: Is it possible? Is it practical? Answers: Sound and complete proof system,
More informationCS 112 Introduction to Computing II. Wayne Snyder Computer Science Department Boston University
CS 11 Introduction to Computing II Wayne Snyder Department Boston University Today Object-Oriented Programming Concluded Stacks, Queues, and Priority Queues as Abstract Data Types Reference types: Basic
More informationIndistinguishability: Friend and Foe of Concurrent Data Structures. Hagit Attiya CS, Technion
Indistinguishability: Friend and Foe of Concurrent Data Structures Hagit Attiya CS, Technion Uncertainty is a main obstacle for designing correct applications in concurrent systems Formally captured by
More informationSemantic Embedding of Petri-Nets into Event-B
IM FMT@IFM 2009, 16 February 2009 Semantic Embedding of Petri-Nets into Event-B Christian Attiogbé LINA - UMR 6241 University of Nantes C. Attiogbé (LINA UMR CNRS 6241) Semantic Embedding of Petri-Nets
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More information(2,4) Trees. 2/22/2006 (2,4) Trees 1
(2,4) Trees 9 2 5 7 10 14 2/22/2006 (2,4) Trees 1 Outline and Reading Multi-way search tree ( 10.4.1) Definition Search (2,4) tree ( 10.4.2) Definition Search Insertion Deletion Comparison of dictionary
More informationWork Analysis with Resource-Aware Session Types
Work Analysis with Resource-Aware Session Types Ankush Das Jan Hoffmann Frank Pfenning LICS, July 10, 2018 1 Goal for this Talk Resource Analysis for Concurrent Programs Execution Time Memory Usage 2 Why
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationBOBJ: A Quickstart for Software Engineers
BOBJ: A Quickstart for Software Engineers Lutz Hamel Dept. of Computer Science and Statistics University of Rhode Island Kingston, RI 02881 hamel@cs.uri.edu DRAFT 12/7/03 Getting Started BOBJ is a specification
More informationMechanized Operational Semantics
Mechanized Operational Semantics J Strother Moore Department of Computer Sciences University of Texas at Austin Marktoberdorf Summer School 2008 (Lecture 3: Direct Proofs) 1 Fact 1 Given an operational
More informationJML Class Specifications The Java Modeling Language (Part 2) A Java Class
JML Class Specifications The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria
More informationDeadlock and Monitors. CS439: Principles of Computer Systems February 7, 2018
Deadlock and Monitors CS439: Principles of Computer Systems February 7, 2018 Last Time Terminology Safety and liveness Atomic Instructions, Synchronization, Mutual Exclusion, Critical Sections Synchronization
More informationOperational Semantics
15-819K: Logic Programming Lecture 4 Operational Semantics Frank Pfenning September 7, 2006 In this lecture we begin in the quest to formally capture the operational semantics in order to prove properties
More informationVerification and Validation
Cycle Ingénieur 2 ème année Département Informatique Verification and Validation Part IV : Proof-based Verification (I) Burkhart Wolff Département Informatique Université Paris-Sud / Orsay 2013-2014 What
More informationVerification and Validation
2017-2018 Cycle Ingénieur 2 ème année Département Informatique Verification and Validation Part IV : Proof-based Verification (I) Burkhart Wolff Département Informatique Université Paris-Sud / Orsay Difference
More informationVerifying a Compiler for Java Threads
Verifying a Compiler for Java Threads Andreas Lochbihler IPD, PROGRAMMING PARADIGMS GROUP, COMPUTER SCIENCE DEPARTMENT KIT - University of the State of aden-wuerttemberg and National Research Center of
More informationPROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE
International Journal of Computer Science and Communication Vol. 2, No. 1, January-June 2011, pp. 153-157 PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE Neeraj Kumar Singhania University,
More information4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271
Mel Checking LTL Property System Mel Mel Checking CS 4271 Mel Checking OR Abhik Roychoudhury http://www.comp.nus.edu.sg/~abhik Yes No, with Counter-example trace 2 Recap: Mel Checking for mel-based testing
More informationAbstraction עזאם מרעי המחלקה למדעי המחשב אוניברסיטת בן-גוריון
Abstraction עזאם מרעי המחלקה למדעי המחשב אוניברסיטת בן-גוריון 2 Tools for Programming Complex Software Fundamentally, people use only a few simple tools to create, understand, or manage complex systems
More informationA Type System for Object Initialization In the Java TM Bytecode Language
Electronic Notes in Theoretical Computer Science 10 (1998) URL: http://www.elsevier.nl/locate/entcs/volume10.html 7 pages A Type System for Object Initialization In the Java TM Bytecode Language Stephen
More informationNotes on the Exam. Question 1. Today. Comp 104:Operating Systems Concepts 11/05/2015. Revision Lectures (separate questions and answers)
Comp 104:Operating Systems Concepts Revision Lectures (separate questions and answers) Today Here are a sample of questions that could appear in the exam Please LET ME KNOW if there are particular subjects
More informationInheritance (Chapter 7)
Inheritance (Chapter 7) Prof. Dr. Wolfgang Pree Department of Computer Science University of Salzburg cs.uni-salzburg.at Inheritance the soup of the day?! Inheritance combines three aspects: inheritance
More information