Proving the Correctness of Distributed Algorithms using TLA
Khushboo Kanjani, Texas A & M University
11 May 2007

Abstract

This work is a summary of the Temporal Logic of Actions (TLA) proposed by Leslie Lamport as a language for specifying and verifying concurrent systems. Dijkstra's self-stabilizing mutual exclusion algorithm is discussed to demonstrate the use of TLA.

1 Introduction

Formal methods are mathematically-based techniques for the specification, development and verification of software and hardware systems. Formal verification is the act of proving the correctness of algorithms with respect to a property, using formal methods of mathematics. There are two approaches to formal verification as defined in [1]:

Model Checking: This is a technique that relies on building a finite model of a system and checking that a desired property holds in that model. The check is performed as an exhaustive state space search that is guaranteed to terminate since the model is finite.

Theorem Proving: Theorem proving is the process of finding a proof of a property from the axioms of the system. It is a technique in which the behavior of the system and its desired properties are expressed as formulas in some mathematical logic. The Temporal Logic of Actions (TLA) is one such logic, aiming at proving the correctness of multiprocess programs.
The properties which define the correctness of a program are often described in temporal logic. The following is a brief overview of the kinds of logic:

1.1 Logic

Binary Logic has two boolean values, True and False.

Propositional Logic adds the following operators to binary logic: conjunction (and), disjunction (or), negation (not), implication (implies) and equivalence.

First-Order (Predicate) Logic extends propositional logic with two quantifiers: existential quantification (there exists) and universal quantification (for all).

Temporal Logic quantifies in terms of time and has the following two operators:
- $\Diamond$ - now or sometime in the future
- $\Box$ - now and forever
Time is viewed as a sequence of states in temporal logic.

The Temporal Logic of Actions (TLA) is a combination of two logics: the logic of actions and standard temporal logic. In TLA, the program and its properties are written in the same language. The behavior of the program is written as a temporal formula $\sigma$. To prove that the program satisfies a property $P$, it is sufficient to prove that $\sigma \Rightarrow P$.

1.2 Related Work

The other formal methods based on temporal logic are Unity Logic [4], the logic of Manna and Pnueli [11], and Process Algebra by Hoare [2] and Milner [9]. Unity logic is based on assertions of the form {p} s {q}, which denotes that the execution of statement s in any state satisfying predicate p results in a state satisfying predicate q. Properties of a program are expressed in terms of the basic operators unless, invariant, ensures and leads-to ($\mapsto$).
The language of temporal logic defined by Manna and Pnueli [11] is built from a state language used to construct state formulas, and a set of logical and temporal operators. By applying the logical and temporal operators to the state formulas, they construct general temporal formulas. Process algebra provides a tool for the high-level description of interactions, communications, and synchronizations between a collection of independent processes. Some examples of this are Hoare's Communicating Sequential Processes (CSP) [2] and Milner's Calculus of Communicating Systems (CCS) [9].

2 Definitions

This section collects the definitions used in the logic. The semantic meaning of every object T in the logic is denoted by [[T]]. The semantic meanings of state functions, predicates, actions etc. are stated in Figure 1 from [6] in the appendix.

1. Values, Variables and States: A set Val of all possible values of variables is assumed. It includes sets like the set Nat of natural numbers. The booleans true and false do not belong to this set Val. The set Var is an infinite set of all variable names. A state is a mapping from the set Var to the set Val. A state s assigns a value s[x] to a variable x. St is the collection of all possible states.

2. State Functions: A non-boolean expression built from variables and constants. For example: $z = x + y$.

3. State Predicate: A boolean expression built from variables and constant symbols. For example: $x + y = 1$ and $x, y \in Nat$.

4. Actions: An action represents an atomic operation in a concurrent program. It is a relation between unprimed variables (referring to the old state) and primed variables (referring to the new state after the action is executed). For example: $y' = x + y + 1$. $s[[A]]t$ is true if executing the action A in state s produces state t.
5. Validity: The formal definition of the validity of an action A, denoted $\models A$, is:
   $\models A \;\triangleq\; \forall s, t \in St : s[[A]]t$

6. Rigid Variables: A variable whose value does not change in the execution of the program is termed a rigid variable.

7. Enabled Predicate: For any action A, Enabled A is defined as follows:
   $s[[\mathrm{Enabled}\, A]] \;\triangleq\; \exists t \in St : s[[A]]t$

8. Unchanged Action: An action Unchanged f, for a state function f, is defined as a step in which the value of f does not change. Formally:
   $\mathrm{Unchanged}\, f \;\triangleq\; f' = f$

3 TLA

In TLA, the specification of the system and the desired properties are stated by TLA formulas. A TLA formula is true or false on a behavior, which is a sequence of states, where a state is an assignment of values to variables.

3.1 Specification

A specification is a formal description of the desired behavior of a program. The approach to defining it can be divided into two steps:
- State the variables that define the system's state.
- State the granularity of the steps that change those variables' values.
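The definitions above are easiest to see on a finite state space. The following is an added example (not code from the paper): a small interpreter in which states map variable names to values, a state function maps a state to a value, a state predicate to a boolean, and an action relates an old state s to a new state t, so that s[[A]]t, Enabled A, validity and Unchanged f can be evaluated by enumeration. The variable set {x, y} and the value set VAL = {0..3} are constructed stand-ins for Var and Val (Val is unbounded in TLA, so Enabled and validity here are relative to this small St); the helper for checking □[A]_f on a finite behavior prefix is likewise an addition.

```python
# Added example: finite-domain semantics for TLA state functions, predicates,
# actions, Enabled, validity and Unchanged. VARS and VAL are constructed.
from itertools import product
from typing import Callable, Dict, Sequence

State = Dict[str, int]
Action = Callable[[State, State], bool]

VARS = ("x", "y")   # constructed stand-in for Var
VAL = range(4)      # constructed finite stand-in for Val


def all_states():
    """St: every assignment of a value in VAL to each variable in VARS."""
    for vals in product(VAL, repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def f_sum(s: State) -> int:
    """A state function (non-boolean): x + y."""
    return s["x"] + s["y"]


def p_sum_is_one(s: State) -> bool:
    """A state predicate (boolean): x + y = 1."""
    return s["x"] + s["y"] == 1


def a_incr(s: State, t: State) -> bool:
    """The paper's example action y' = x + y + 1, with x left unchanged."""
    return t["y"] == s["x"] + s["y"] + 1 and t["x"] == s["x"]


def enabled(action: Action, s: State) -> bool:
    """s[[Enabled A]] ≜ ∃ t ∈ St : s[[A]]t."""
    return any(action(s, t) for t in all_states())


def valid(action: Action) -> bool:
    """⊨ A ≜ ∀ s, t ∈ St : s[[A]]t."""
    return all(action(s, t) for s in all_states() for t in all_states())


def unchanged(f: Callable[[State], object]) -> Action:
    """Unchanged f ≜ f' = f, as an action on (s, t)."""
    return lambda s, t: f(t) == f(s)


def w(s: State):
    """State function of all variables, like the paper's w."""
    return tuple(s[v] for v in VARS)


def always_square(action: Action, f, behavior: Sequence[State]) -> bool:
    """□[A]_f on a finite behavior prefix: every step is an A step or leaves f
    unchanged (a stuttering step). Only the given prefix is examined."""
    unch = unchanged(f)
    return all(action(s, t) or unch(s, t) for s, t in zip(behavior, behavior[1:]))


if __name__ == "__main__":
    s1 = {"x": 1, "y": 1}
    print("Enabled a_incr in", s1, "->", enabled(a_incr, s1))  # True: t = {x:1, y:3} is in St
    s2 = {"x": 2, "y": 2}
    print("Enabled a_incr in", s2, "->", enabled(a_incr, s2))  # False: y' = 5 lies outside VAL
    print("a_incr valid ->", valid(a_incr))                    # False
    beh = [{"x": 0, "y": 0}, {"x": 0, "y": 1}, {"x": 0, "y": 1}, {"x": 0, "y": 2}]
    print("prefix satisfies []_w[a_incr] ->", always_square(a_incr, w, beh))  # True
```

The second Enabled check shows why Enabled is a property of a state relative to St rather than of the action's syntax: the same action is enabled in one state and not in another. The behavior prefix contains a stuttering step (its second and third states are equal), which [A]_w admits and a bare A would not.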
Algorithm 1: Dijkstra's self-stabilizing algorithm for ME

  P_1:          while true do
                  if x_1 = x_n then x_1 := (x_1 + 1) mod (n + 1) end
                end
  P_i (i ≠ 1):  while true do
                  if x_i ≠ x_{i-1} then x_i := x_{i-1} end
                end

Example: Here we give a TLA specification of Dijkstra's famous self-stabilizing algorithm for mutual exclusion in a ring, described in Algorithm 1. The notations used here are explained in Figure 1. Equation 1 describes the initial condition of the variables. Equation 2 states, for $i \in [0, N]$, $i \neq 1$, that if the value of $x_i$ is not equal to that of its left neighbor, it is assigned that value when process $P_i$ is activated. For $P_1$, equation 3 states that the value of $x_1$ is incremented if its value is equal to $x_n$. In equation 4, $w$ defines the state function of all the variables in the program. The TLA formulas $C_1, C_2, \ldots, C_n$ describe the behavior of the processes $P_1, P_2, \ldots, P_n$ respectively. All possible executions of the program satisfy the temporal formula defined in equation 6.

  $Init_\varphi \;\triangleq\; \forall i \le n : 0 \le x_i \le n$   (1)
  $\forall i \in [0, N], i \neq 1 : \; C_i \;\triangleq\; (x_i \neq x_{i-1}) \wedge (x_i' = x_{i-1}) \wedge \mathrm{Unchanged}\, \langle AllBut(x_i) \rangle$   (2)
  $C_1 \;\triangleq\; (x_1 = x_n) \wedge (x_1' = (x_1 + 1) \bmod (n + 1)) \wedge \mathrm{Unchanged}\, \langle AllBut(x_1) \rangle$   (3)
  $w \;\triangleq\; \langle x_1, x_2, \ldots, x_n \rangle$   (4)
  $C \;\triangleq\; C_1 \vee C_2 \vee \ldots \vee C_n$   (5)
  $\varphi \;\triangleq\; Init_\varphi \wedge \Box [C]_w$   (6)
3.2 Safety Properties

Safety properties assert that something bad never happens. For example, for the problem of mutual exclusion, the safety property is that at most one processor is in the critical section. For the self-stabilizing Algorithm 1, mutual exclusion will be guaranteed if only one processor is allowed to change its value. In other words, only one of $C_1, C_2, \ldots, C_n$ is enabled. Safety properties are usually described as invariance properties with TLA formulas of the form $\Box P$, where $P$ is a predicate. These invariance properties are proved with rule INV1 of Figure 2.

3.3 Fairness Properties

Weak fairness asserts that eventually the action is either executed or becomes impossible to execute, perhaps only briefly. Strong fairness rules out that last possibility: it means that either the action is eventually executed, or its execution is eventually always impossible. For an action A and state function f, weak fairness (WF) and strong fairness (SF) are expressed as follows:

  $WF_f(A) = \Box\Diamond \langle A \rangle_f \;\vee\; \Box\Diamond \neg \mathrm{Enabled}\, \langle A \rangle_f$   (7)
  $SF_f(A) = \Box\Diamond \langle A \rangle_f \;\vee\; \Diamond\Box \neg \mathrm{Enabled}\, \langle A \rangle_f$   (8)

For Algorithm 1, starting from a random initial configuration, the program eventually reaches a safe configuration where only one processor changes its value. The program guarantees $WF_w(C)$.

4 Verification of the Byzantine Generals algorithm

In [8], the one-traitor oral-message solution to the Byzantine Generals problem is verified using TLA. The specification is divided into three levels and a hierarchical proof is presented. The high-level specification defines the problem statement. The mid-level specification captures the oral-message solution to the problem, which works in the presence of at most one traitor; the underlying communication is ignored. The low-level specification models the way values are transmitted over communication channels. All three level specifications are long, so they cannot be included here.
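The specification of Algorithm 1 (equations 1 to 6) and the safety and fairness claims of sections 3.2 and 3.3 can be checked exhaustively for a small ring, which is the model-checking approach from the introduction applied to the same questions the TLA proof rules would settle. The following is an added example and is not code from the paper: it enumerates every state of an n-process ring, checks that the set of safe configurations (exactly one of C_1..C_n enabled) is closed under every C step (the inductive step of an INV1-style invariance proof), that C is enabled in every state (so WF_w(C) rules out stuttering forever), and that no execution can stay outside the safe configurations forever. Assumptions: processes are P_1..P_n with x_i ranging over 0..K-1, K = n+1 as in x_1 := (x_1 + 1) mod (n + 1), and K is kept as a parameter so that a ring with too few values can be contrasted; the round-robin scheduler is a constructed fair scheduler, not something the paper defines.

```python
# Added example: exhaustive check of Algorithm 1's safety (closure of the safe
# configurations), absence of deadlock and stabilization on a small ring.
# Tuple x = (x_1, ..., x_n); K (number of values) is a parameter, K = n+1 in the paper.
import sys
from itertools import product

sys.setrecursionlimit(20000)   # the DFS below recurses once per illegitimate state


def enabled_processes(x):
    """Indices i whose action C_i is enabled in state x (x[0] is x_1, x[-1] is x_n)."""
    n = len(x)
    en = [1] if x[0] == x[n - 1] else []                          # C_1: x_1 = x_n
    en += [i for i in range(2, n + 1) if x[i - 1] != x[i - 2]]    # C_i: x_i ≠ x_{i-1}
    return en


def step(x, i, k):
    """State after P_i takes its C_i step; all other variables are unchanged."""
    y = list(x)
    if i == 1:
        y[0] = (x[0] + 1) % k
    else:
        y[i - 1] = x[i - 2]
    return tuple(y)


def legitimate(x):
    """The safe configurations of section 3.2: exactly one of C_1..C_n is enabled."""
    return len(enabled_processes(x)) == 1


def all_states(n, k):
    return product(range(k), repeat=n)


def check_no_deadlock(n, k):
    """C is enabled in every state, so WF_w(C) forbids stuttering forever."""
    return all(enabled_processes(x) for x in all_states(n, k))


def check_closure(n, k):
    """INV1 step for P = legitimate: P ∧ C ⇒ P'. Stuttering steps keep P trivially."""
    return all(legitimate(step(x, i, k))
               for x in all_states(n, k) if legitimate(x)
               for i in enabled_processes(x))


class _Cycle(Exception):
    pass


def stabilization_bound(n, k):
    """Longest run of C steps any execution can spend in illegitimate states, or
    None if some execution can stay illegitimate forever (a cycle of illegitimate
    states). With no deadlock and WF_w(C), a finite bound means every behavior
    satisfying phi eventually reaches a legitimate state."""
    GREY, BLACK = 1, 2
    colour, longest = {}, {}

    def dfs(x):
        if legitimate(x):
            return 0
        if colour.get(x) == GREY:        # back edge: an execution can loop here
            raise _Cycle()
        if colour.get(x) == BLACK:
            return longest[x]
        colour[x] = GREY
        best = max((1 + dfs(step(x, i, k)) for i in enabled_processes(x)), default=0)
        colour[x] = BLACK
        longest[x] = best
        return best

    try:
        return max(dfs(x) for x in all_states(n, k))
    except _Cycle:
        return None


def run_until_stable(x, k, limit=10_000):
    """One concrete behavior under a constructed weakly fair scheduler: activate the
    lowest-numbered enabled process above the one that moved last, wrapping around.
    Returns (steps taken, final state), or (None, state) if the limit is reached."""
    last = 0
    for steps in range(limit):
        if legitimate(x):
            return steps, x
        en = enabled_processes(x)
        i = next((j for j in en if j > last), en[0])
        x, last = step(x, i, k), i
    return None, x


if __name__ == "__main__":
    for n, k in ((3, 4), (4, 5), (4, 2)):
        print(f"n={n} K={k}: deadlock-free={check_no_deadlock(n, k)} "
              f"closure={check_closure(n, k)} worst-case moves={stabilization_bound(n, k)}")
    print(run_until_stable((2, 0, 1, 3), 5))
```

With K = n+1 the bound is finite for every n tried, which is the stabilization claim of section 3.3 restricted to a finite instance. The K = 2, n = 4 run returns None: with too few values the ring of four processes has a cycle of illegitimate states (the run 0101, 0100, 0110, 0010, 1010, 1011, 1001, 1101 and back to 0101, one enabled process moving per step), so closure still holds but stabilization fails. This is the kind of counterexample a model checker reports and a TLA liveness proof would have to exclude through the choice of modulus.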
5 Developments

TLA+ [7] provides a language for writing TLA specifications. It can be used for a wide class of systems, from program interfaces (APIs) to distributed systems. It is an extension of TLA and contains operators for defining and manipulating data structures, and syntactic structures for handling large specifications. The syntax for expressions in TLA+ aims to capture some of the richness of ordinary mathematical notation. But a precise specification in TLA+ gets very long and complicated. TLA+ is good for software and hardware engineers and of little use to researchers concentrating on the design of algorithms.

6 Comments

TLA is good as a formal method for verifying systems, but I feel that it is not good for proving the correctness of distributed algorithms. The designer of the algorithm has an intuition of why the algorithm is correct. TLA only gives a language to specify the behavior of the program. If the behavior is specified correctly, the safety and liveness proofs are direct conclusions obtained by applying the TLA rules. Capturing the complete behavior of the algorithm can get long and complicated. I believe informal proofs give better insight into the correctness of the algorithm.

Some points to be noted about TLA:
- Booleans are distinct from values of any variable, and so state predicates are different from state functions.
- The variables in TLA have no types. Type-correctness is a provable property and not a syntactic requirement for specifying programs in TLA.
- A specification of a multiprocess program can be decomposed as a conjunction of its processes.
- The rules stated in Figure 2, as described in [6], form a complete proof system for reasoning about programs in TLA.
- There is no distinction between a program and a property in TLA.
References

[1] E.M. Clarke and J.M. Wing. Formal methods: State of the art and future directions. ACM Computing Surveys.
[2] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall International, London.
[3] Rajeev Joshi, Leslie Lamport, John Matthews, Serdar Tasiran, Mark Tuttle, and Yuan Yu. Checking cache-coherence protocols with TLA+. Formal Methods in System Design.
[4] K.M. Chandy and J. Misra. Parallel Program Design. Addison-Wesley.
[5] Leslie Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering.
[6] Leslie Lamport. The temporal logic of actions. ACM Transactions on Programming Languages and Systems, pages 1-52.
[7] Leslie Lamport. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley.
[8] Leslie Lamport and Stephan Merz. Specifying and verifying fault-tolerant systems. International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems.
[9] Robin Milner. A complete inference system for a class of regular behaviors. Journal of Computer and System Sciences, 28.
[10] Joao Luis Sobrinho. An algebraic theory of dynamic network routing. ACM Transactions on Networking.
[11] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, New York, 1991.
Appendix

Figure 1: Syntax of TLA
Figure 2: Proof Rules of TLA
Figure 3: Quantification in TLA
More informationTheory and Algorithms for the Generation and Validation of Speculative Loop Optimizations
Theory and Algorithms for the Generation and Validation of Speculative Loop Optimizations Ying Hu Clark Barrett Benjamin Goldberg Department of Computer Science New York University yinghubarrettgoldberg
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationSelf-Stabilizing Distributed Algorithms for Graph Alliances
Self-Stabilizing Distributed Algorithms for Graph Alliances Zhenyu Xu and Pradip K Srimani Department of Computer Science, Clemson University, Clemson, SC 29634-0974 Abstract Graph alliances are recently
More informationInteractive Verification of Concurrent Systems using Symbolic Execution
Interactive Verification of Concurrent Systems using Symbolic Execution Michael Balser, Simon Bäumler, Wolfgang Reif, and Gerhard Schellhorn University of Augsburg Abstract This paper presents an interactive
More information15-819M: Data, Code, Decisions
15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) 15-819M/08: Data, Code, Decisions 1 / 40 Outline 1
More informationCitation for published version (APA): Gao, H. (2005). Design and verification of lock-free parallel algorithms. s.n.
University of Groningen Design and verification of lock-free parallel algorithms Gao, Hui IMPORTANT NOTE: You are advised to consult the publisher's version (publisher's PDF) if you wish to cite from it.
More informationChapter 3. Describing Syntax and Semantics
Chapter 3 Describing Syntax and Semantics Chapter 3 Topics Introduction The General Problem of Describing Syntax Formal Methods of Describing Syntax Attribute Grammars Describing the Meanings of Programs:
More informationLeveraging DTrace for runtime verification
Leveraging DTrace for runtime verification Carl Martin Rosenberg June 7th, 2016 Department of Informatics, University of Oslo Context: Runtime verification Desired properties System Every request gets
More informationByzantine Consensus in Directed Graphs
Byzantine Consensus in Directed Graphs Lewis Tseng 1,3, and Nitin Vaidya 2,3 1 Department of Computer Science, 2 Department of Electrical and Computer Engineering, and 3 Coordinated Science Laboratory
More informationLecture Notes on Program Equivalence
Lecture Notes on Program Equivalence 15-312: Foundations of Programming Languages Frank Pfenning Lecture 24 November 30, 2004 When are two programs equal? Without much reflection one might say that two
More informationA Partial Correctness Proof for Programs with Decided Specifications
Applied Mathematics & Information Sciences 1(2)(2007), 195-202 An International Journal c 2007 Dixie W Publishing Corporation, U. S. A. A Partial Correctness Proof for Programs with Decided Specifications
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationQuo Vadis Program Verification
Quo Vadis Program Verification p. 1/2 Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands, University of Amsterdam We would like to use correct programs. Quo Vadis Program Verification
More informationA Structured Approach to Parallel Programming: Methodology and Models?
A Structured Approach to Parallel Programming: Methodology and Models? Berna L. Massingill University of Florida, P.O. Box 116120, Gainesville, FL 32611 blm@cise.ufl.edu Abstract. Parallel programming
More informationChapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction
Topics Chapter 3 Semantics Introduction Static Semantics Attribute Grammars Dynamic Semantics Operational Semantics Axiomatic Semantics Denotational Semantics 2 Introduction Introduction Language implementors
More informationAlloy: A Lightweight Object Modelling Notation
Alloy: A Lightweight Object Modelling Notation Daniel Jackson, ACM Transactions on Software Engineering, 2002 Presented By: Steven Stewart, 2012-January-23 1 Alloy: 2002 to present Software is built on
More informationCOSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor
COSC252: Programming Languages: Semantic Specification Jeremy Bolton, PhD Adjunct Professor Outline I. What happens after syntactic analysis (parsing)? II. Attribute Grammars: bridging the gap III. Semantic
More informationTowards certification of TLA + proof obligations with SMT solvers
Towards certification of TLA + proof obligations with SMT solvers Stephan Merz and Hernán Vanzetto INRIA Nancy Grand-Est & LORIA Nancy, France Abstract TLA + is a formal specification language that is
More informationReal Time is Really Simple
Real Time is Really Simple Leslie Lamport Microsoft Research Technical Report MSR-TR-2005-30 4 March 2005 Revised 16 August 2005 Abstract It is easy to write and verify real-time specifications with existing
More informationWHEN concurrent processes share a resource such as a file
1 Verification of mutual exclusion algorithms with SMV System Nikola Bogunović, Edgar Pek Faculty of Electrical Engineering and Computing Unska 3 Croatia email: nikola.bogunovic@fer.hr, edgar.pek@fer.hr
More informationSafety & Liveness Towards synchronization. Safety & Liveness. where X Q means that Q does always hold. Revisiting
459 Concurrent & Distributed 7 Systems 2017 Uwe R. Zimmer - The Australian National University 462 Repetition Correctness concepts in concurrent systems Liveness properties: ( P ( I )/ Processes ( I, S
More informationRegression Verification - a practical way to verify programs
Regression Verification - a practical way to verify programs Ofer Strichman Benny Godlin Technion, Haifa, Israel. Email: ofers@ie.technion.ac.il bgodlin@cs.technion.ac.il 1 Introduction When considering
More informationLecture 4. First order logic is a formal notation for mathematics which involves:
0368.4435 Automatic Software Verification April 14, 2015 Lecture 4 Lecturer: Mooly Sagiv Scribe: Nimrod Busany, Yotam Frank Lesson Plan 1. First order logic recap. 2. The SMT decision problem. 3. Basic
More informationCITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
More information