Introduction to Permission-Based Program Logics Part II Concurrent Programs
|
|
- Sabrina Jennings
- 6 years ago
- Views:
Transcription
1 Introduction to Permission-Based Program Logics Part II Concurrent Programs Thomas Wies New York University
2 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
3 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
4 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
5 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
6 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
7 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
8 Example: Lock-Coupling List There is one lock per node; threads acquire locks in a hand over hand fashion. If a node is locked, we can insert a node just after it. If two adjacent nodes are locked, we can remove the second.
9 Extensions of Separation Logic for Concurrent Programs
10 Extensions of Separation Logic for Concurrent Programs
11 Extensions of Separation Logic for Concurrent Programs
12 RGSep Primer [courtesy of Viktor Vafeiadis]
13 Program and Environment Program: the current thread being verified. Environment: all other threads of the system that execute in parallel with the thread being verified. Interference: The program interferes with the environment by modifying the shared state. Conversely, the environment interferes with the program by modifying the shared state.
14 Local & Shared State The total state is logically divided into two components: Shared: accessible by all threads via synchronization Local: accessible only by one thread, its owner shared local State of the lock-coupling list just before inserting a new node. The node to be added is local because other threads cannot yet access it.
15 Program Specifications The specification of a program consists of two assertions (precondition & postcondition), and two sets of actions: Rely: Describes the interference that the program can tolerate from the environment; i.e. specifies how the environment can change the shared state. Guarantee: Describes the interference that the program imposes on its environment; i.e. specifies how the program can change the shared state.
16 Rely/Guarantee Actions Actions describe minimal atomic changes to the shared state. Lock node Unlock node An action allows any part of the shared state that satisfies the LHS to be changed to a part satisfying the RHS, but the rest of the shared state must not be changed.
17 Rely/Guarantee Actions Actions can adjust the boundary between local state and stared state. This is also known as transfer of ownership. Add node Delete node
18 Rely/Guarantee Actions Actions can adjust the boundary between local state and stared state. This is also known as transfer of ownership. Add node this node becomes shared Delete node this node becomes local
19 Rely/Guarantee Actions: Lock Coupling List shared local Add node
20 Rely/Guarantee Actions: Lock Coupling List shared local Add node
21 Rely/Guarantee Actions: Lock Coupling List shared local Add node
22 Rely/Guarantee Actions: Lock Coupling List shared local Add node
23 Rely/Guarantee Actions: Lock Coupling List shared local Lock node
24 Rely/Guarantee Actions: Lock Coupling List shared local Lock node
25 Rely/Guarantee Actions: Lock Coupling List shared local Lock node
26 Rely/Guarantee Actions: Lock Coupling List shared local Lock node
27 Rely/Guarantee Actions: Lock Coupling List shared local Delete node
28 Rely/Guarantee Actions: Lock Coupling List shared local Delete node
29 Rely/Guarantee Actions: Lock Coupling List shared local Delete node
30 Rely/Guarantee Actions: Lock Coupling List shared local Delete node
31 Assertion Syntax Separation Logic P, Q ::= e = e e e e (f: e) P * Q Extended Logic p, q ::= P P p * q local shared
32 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q
33 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q split local state
34 Assertion Semantics l, s ² P, l ² SL P l, s ² P, s ² SL P and l = {} l, s ² p * q, exists l, l 2 : l = l ² l 2 and l, s ² p and l 2, s ² q share global state
35 Assertions: Lock Coupling List Unlocked node x holding value v and pointing to y v y x x (0, v, y) Node x holding value v and pointing to y, locked by thread T T v x y x (T, v, y) List segment from x to y of possibly locked nodes x y lseg(x, y)
36 Rely/Guarantee Actions: Lock Coupling List x (0, v, y) x (T, v, y) x (T, v, y) x (0, v, y) x (T, v, z) x (T, v, y) * z (0, w, y) x (T, v, z) * x (T, v, y) z (T, w, y)
37 Programs: Syntax Basic commands c: noop: skip guard: assume(b) heap write: [x] := y heap read: x := [y] allocation: x := new() deallocation: free(x) Commands C 2 Com: basic commands: c seq. composition: C ; C 2 nondet. choice: C + C 2 looping: C* atomic com.: atomic C par. composition: C C 2
38 Rely/Guarantee Judgements ` C sat (p, R, G, q) (precondition, rely, guarantee, postcondition)
39 Parallel Composition Rule ` C sat (p, R [ G 2, G, q ) ` C 2 sat (p 2, R [ G, G 2, q 2 ) ` (C C 2 ) sat (p * p 2, R, G [ G 2, q * q 2 )
40 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A Lock B
41 Stability An assertion is stable iff it is preserved under interference by other threads. Example: B A A Lock B
42 Stability An assertion is stable iff it is preserved under interference by other threads. Example: B A A Lock B not stable!
43 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Lock B Unlock B
44 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Add B B
45 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Delete B B B
46 Stability An assertion is stable iff it is preserved under interference by other threads. Example: A A 5 7 Delete B B B stable!
47 Stability (Formally) S stable under P Q iff (P -* S) * Q ² S where P -* S := : (: P -* : S)
48 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q)
49 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) only local state p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q) reduction to sequential SL
50 Atomic Commands ` { P } C { Q } ` (atomic C) sat (P, ;, ;, Q) p, q stable under R ` (atomic C) sat (p, ;, G, q) ` (atomic C) sat (p, R, G, q)
51 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local Add node
52 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local Add node
53 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local P 2 6 P 2 Q 2
54 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local F 6 F P 2 Q 2
55 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared local 6 P P 2 Q 2
56 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared Q 2 6 local P 2 Q 2
57 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared F 6 F local P 2 Q 2
58 Atomic Commands P 2, Q 2 precise P 2 Q 2 2 G ` (atomic C) sat (P * P 2, ;, ;, Q * Q 2 ) ` (atomic C) sat (P * P 2 * F, ;, G, Q * Q 2 * F) shared Q = emp local P 2 Q 2
59 Challenge: Harris' Non-blocking List head
60 Challenge: Harris' Non-blocking List head
61 Challenge: Harris' Non-blocking List head
62 Challenge: Harris' Non-blocking List head
63 Challenge: Harris' Non-blocking List head
64 Challenge: Harris' Non-blocking List head Z Z 8
65 Challenge: Harris' Non-blocking List head free 7 2 8
66 Challenge: Harris' Non-blocking List head free 7 2 8
67 Challenge: Harris' Non-blocking List head free 7 2 Z Z 8
68 Challenge: Harris' Non-blocking List head free 7 2 8
69 Challenge: Harris' Non-blocking List head free 7 2 8
70 Challenge: Harris' Non-blocking List head free 7 2 8
71 Challenge: Harris' Non-blocking List head free 7 2 8
72 Flow Interfaces joint work with Siddharth Krishna and Dennis Shasha
73 Goal Data structure abstractions that can handle unbounded sharing and overlays treat structural and data constraints uniformly do not encode specific traversal strategies provide data-structure-agnostic composition and decomposition rules remain within general theory of separation logic ) Flow Interfaces
74 High-Level Idea Express all data structure invariants in terms of a local condition, satisfied by each node. Local condition may depend on a quantity of the graph that is calculated inductively over the entire graph (the flow). Introduce a notion of graph composition that preserves local invariants of global flows. Introduce a generic good graph predicate that abstracts a heap region satisfying the local flow condition (the flow interface).
75 Local Data Structure Invariants with Flows root r l r l l r r l l r Can we express the property that root points to a tree as a local condition of each node in the graph?
76 Local Data Structure Invariants with Flows root r l l r l Path counting! r r l l r Can we express the property that root points to a tree as a local condition of each node in the graph?
77 Local Data Structure Invariants with Flows root r 0 l r l 8 n 2 N. pc(root, n) "G contains a tree rooted at root" r 0 l r l r l 0 Can we express the property that root points to a tree as a local condition of each node in the graph?
78 Flows Step : Defining the Flow Graph root Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )
79 Flows Step : Defining the Flow Graph root Requirements of flow domain: (D, +,, 0, ) is a semiring (D, v) is!-cpo with smallest element 0 + and are continuous Path counting flow domain: (N [ {},, +,, 0, ) Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )
80 Flows Step : Defining the Flow Graph root Flow graph G = (N, e) N finite set of nodes e: N N D Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )
81 Flows Step : Defining the Flow Graph 0 root Flow graph G = (N, e) N finite set of nodes e: N N D Label each edge in the graph with an element from some flow domain (D, v, +,, 0, )
82 Flows Step 2: Define the Inflow root in root (n) =, n = root 0, n root Label each node using an inflow in: N D
83 Flows Step 3: Calculate the flow 0 0 root Flow graph G = (N, e) flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N
84 Flows Step 3: Calculate the flow root 0 0 Flow graph G = (N, e) flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N
85 Flows Step 3: Calculate the flow root 0 0 Flow graph G = (N, e) n 2 N. flow(in root, G)(n) "G contains a tree rooted at root" 0 0 flow in, G N D flow(in, G) = lfp λc. λn N. in n + C n e n, n n N
86 Data Constraints predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v r l tree(x,cx) tree(y,cy)
87 Data Invariants predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v implies Cx Å Cy = ; r l tree(x,cx) tree(y, Cy)
88 Data Invariants predicate tree(t: Node, C: Set<Int>) { t == null Æ emp Æ C = ; Ç 9 v, x, y, Cx, Cy :: t (d:v, r:x, l:y) * tree(x, Cx) * tree(y, Cy) Æ C = {v} [ Cx [ Cy Æ v > Cx Æ v < Cy } d t v implies Cx Å Cy = ; r l Data invariant piggybacks on inductive definition of the tree. ) hard to entangle tree(x,cx) data invariants from tree(y, data Cy) structure specifics.
89 Inset Flows root 6 r l 3 8 KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) r l l 4 9 Label each edge with the set of keys that follow that edge in a search (edgeset).
90 Inset Flows root 6 {k k < 6} {k k > 6} 3 8 KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) {k k < 3} {k k > 3} {k k > 8} 4 9 Label each edge with the set of keys that follow that edge in a search (edgeset).
91 Inset Flows {k k < 6} root KS {k k > 6} ; ; KS: the set of all search keys e.g. KS = Z Inset flow domain: (2 KS, µ, [, \, ;, KS) {k k < 3} {k k > 3} {k k > 8} ; ; ; Set inflow in of root to KS and to ; for all other nodes.
92 Inset Flows {k k < 6} ; root KS {k k > 6} ; I = {k 3 < k} I 2 = {k 3 < k < 6} {k k < 3} {k k > 3} {k k > 8} I 3 = {k 8 < k} ; I I 2 ; I 3 ; flow(in, G)(n) is the inset of node n, i.e., the set of keys k such that a search for k will traverse node n.
93 From Insets to Keysets outset(g) n = n N e(n, n ) {k. k < 5 k } 5 {5} 7 {k. k > 5} keyset(in, G) n = inset(in, G) n outset(g)(n) 3 {k. k < 5 k > } keyset(in, G)(n) is the set of keys that could be in n
94 Verifying Concurrent Search Data Structures Local data structure invariants edgesets are disjoint for each n: {e(n,n')} n' 2 N are disjoint keyset of each n covers n's contents: C(G)(n) µ keyset(in, G)(n) Observation: disjoint inflows imply disjoint keysets If {in(n)} n 2 N are disjoint (e.g. G has a single root) then {keyset(in,g)(n)} n 2 N are disjoint ) Can be used to prove linearizability of concurrent search data structures in a data-structure-agnostic fashion [Shasha and Goodman, 988]
95 Compositional Reasoning Can we reason compositionally about flows and flow graphs à la SL?
96 Flow Graph Composition Standard SL Composition (disjoint union) is too weak: root root x * x = x y y y a tree a tree not a tree
97 Flow Interface Graph (in, G) is a flow interface graph iff G = (N, N o,, e) is a partial graph with N the set of internal nodes of the graph N o the set of external nodes of the graph : N A a node labeling function e: N x (N [ N o ) D is an edge function in: N D is an inflow Inflow in specifies rely of G on its context.
98 Flow Interface Graph Composition (in, G) root
99 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) in =?, in 2 =? root G G
100 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G
101 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G 2 2 2
102 Flow Interface Graph Composition (in, G) = (in, G ) ² (in 2, G 2 ) root in =?, in 2 =? G G
103 Flow Interface Graph Composition H ² H 2 is commutative: H ² H 2 = H 2 ² H associative : (H ² H 2 ) ² H 3 = H ² (H 2 ² H 3 ) cancelative: H ² H = H ² H 2 ) H = H 2 ) Flow interface graphs form a separation algebra. ) We can use them to give semantics to SL assertions. How do we abstract flow interface graphs?
104 Flow Map of a Flow Interface Graph n n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}
105 Flow Map of a Flow Interface Graph in n n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}
106 Flow Map of a Flow Interface Graph in n p n o G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}
107 Flow Map of a Flow Interface Graph in n p n o fm(g) (n, n o ) G fm(g)(n, n o ) = { pathproduct(p) p path from n to n o in G} flow(in, G)(n o ) = { in(n) fm(g)(n, n o ) n 2 G}
108 Flow Map: Example
109 Flow Map: Example Flow map abstracts from internal structure of the graph
110 Flow Map: Example Flow map abstracts from internal structure of the graph
111 Flow Map: Example 0 0 Flow map abstracts from internal structure of the graph
112 Flow Interfaces I = (in, f) is a flow interface if in: N D is an inflow f: N N o D is a flow map (in, f) good denotes all flow interface graphs (in, G) s.t. fm(g) = f for all n 2 N good(in(n), G n ) holds where good is some good node condition e.g. good(i, _) = i
113 Flow Interfaces with Node Abstraction I = (in,, f) is a flow interface if in: N D is an inflow f: N N o D is a flow map 2 A is a node label (in,, f) good denotes all flow interface graphs (in, G) s.t. fm(g) = f = t { G(n) n 2 N } for all n 2 N good(in(n), G n ) holds where good is some good node condition e.g. good(i, _) = i
114 Flow Interface Composition Composition of flow interface graphs can be lifted to flow interfaces: I 2 I I 2 iff 9 H, H, H 2 such that H 2 I, H 2 I, and H 2 2 I 2 H = H ² H 2 Some nice properties of is associative and commutative I ² I 2 µ I I 2 if I 2 I I 2, then for all H 2 I, H 2 2 I 2, H ² H 2 defined
115 Separation Logic with Flow Interfaces Good graph predicate Gr (I) : SL predicate that defines good node condition and abstraction of heap onto nodes of flow graph I: flow interface term Good node predicate N (x, I) like Gr but denotes a single node definable in terms of Gr Dirty region predicate [P],I P: SL predicate denotes heap region that is expected to satisfy interface I but may currently not
116 Graph Predicate: Linked List root x y next next next {k', k' > 3} {k', k' > 6} {k', k' > 8} Abstraction of linked list node (x, in, C, f) = 9k, y. x (data: k, next: y) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' > k} }) Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ²
117 Graph Predicate: Binary Search Tree Abstraction of BST node (x, in, C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' < k} }. ITE(z = null, ², { (x,z) {k'. k' > k} } Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ² root 5 { k'. k' < 5 } { k'. k' > 5 } left right 7 right { k'. k' > } 3
118 Graph Predicate: Binary Search Tree Need tree invariant? Abstraction of BST node (x, in, C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ f = ITE(y = null, ², { (x,y) {k'. k' < k} }. ITE(z = null, ², { (x,z) {k'. k' > k} } Invariant 9I :: Gr (I) Æ I in = {root KS}.0 Æ I f = ² root 5 { k'. k' < 5 } { k'. k' > 5 } left right 7 right { k'. k' > } 3
119 Graph Predicate: Binary Search Tree Need tree invariant? No problem! Abstraction of BST node (x, (in, pc), C, f) = 9k, y, z. x (data: k, left: y, right: z) Æ C = {k} Æ k 2 in Æ pc = Æ f = ITE(y = null, ², { (x,y) ({k'. k' < k}, ) }. ITE(z = null, ², { (x,z) ({k'. k' > k}, ) } Invariant root 5 ({ k'. k' < 5}, ) ({ k'. k' > 5 }, ) left right 7 right ({ k'. k' > }, ) 3 9I :: Gr (I) Æ I in = {root (KS, )}.0 Æ I f = ²
120 Data-Structure-Agnostic Proof Rules Decomposition Gr(I) Æ x 2 I in. N(x, I ) * Gr(I 2 ) Æ I 2 I I 2 Abstraction Gr(I ) * Gr(I 2 ) Æ I 2 I I 2 Gr(I) Æ I 2 I. I 2 Replacement I 2 I I 2 Æ I J. J 2 J I 2 Æ I J.
121 Generic R/G Actions Lock node N(x, (in, 0, f)) N(x, (in, T, f)) Unlock node N(x, (in, T, f)) N(x, (in, 0, f)) Dirty [true] I Æ I = t [true] I Sync [true] I Æ I = t Gr(I') Æ I I'
122 Conclusion Radically new approach for building compositional abstractions of data structures. Fits in existing (concurrent) separation logics. Enables simple correctness proofs of concurrent data structure algorithms Proofs abstract from the details of the specific data structure implementation.
Flow Interfaces Compositional Abstractions of Concurrent Data Structures. Siddharth Krishna, Dennis Shasha, and Thomas Wies
Flow Interfaces Compositional Abstractions of Concurrent Data Structures Siddharth Krishna, Dennis Shasha, and Thomas Wies Background Verifying programs, separation logic, inductive predicates Slides courtesy
More informationFlow Interfaces Compositional Abstractions of Concurrent Data Structures. Siddharth Krishna, Dennis Shasha, and Thomas Wies
Flow Interfaces Compositional Abstractions of Concurrent Data Structures Siddharth Krishna, Dennis Shasha, and Thomas Wies Background Verifying programs, separation logic, inductive predicates Verifying
More informationRecent developments in concurrent program logics
Recent developments in concurrent program logics Viktor Vafeiadis University of Cambridge PSPL 2010 Why program logic? Reasoning framework Capture common reasoning principles Reduce accidental proof complexity
More informationViews: Compositional Reasoning for Concurrent Programs
Views: Compositional Reasoning for Concurrent Programs Thomas Dinsdale-Young Imperial College td202@doc.ic.ac.uk Lars Birkedal IT University of Copenhagen birkedal@itu.dk Philippa Gardner Imperial College
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationA Brief History of Shared memory C M U
A Brief History of Shared memory S t e p h e n B r o o k e s C M U 1 Outline Revisionist history Rational reconstruction of early models Evolution of recent models A unifying framework Fault-detecting
More informationProgram Analysis and Verification
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 4: Axiomatic Semantics Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik Poll, Mooly Sagiv, Jean Souyris, Eran Tromer, Avishai
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Lecture 6: Axiomatic Semantics Deriv. Rules for Hoare Logic `{A} c {B} Rules for each language construct ` {A} c 1 {B} ` {B} c 2 {C} ` {A} skip
More informationLocal Rely-Guarantee Reasoning
Local Rely-Guarantee Reasoning Xinyu Feng Toyota Technological Institute at Chicago Chicago, IL 60637, U.S.A. feng@tti-c.org Abstract Rely-Guarantee reasoning is a well-known method for verification of
More informationSeparation Logic and Graphical Models
Separation Logic and Graphical Models John Wickerson and Tony Hoare Semantics Lunch, 25th October 2010 1 Trace composition Problem: Composition is non-deterministic. 2 Trace composition Problem: Composition
More informationLocal Rely-Guarantee Reasoning
Technical Report TTIC-TR-2008-1 October 2008 Local Rely-Guarantee Reasoning Xinyu Feng Toyota Technological Institute at Chicago feng@tti-c.org ABSTRACT Rely-Guarantee reasoning is a well-known method
More informationConcurrent separation logic and operational semantics
MFPS 2011 Concurrent separation logic and operational semantics Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS), Germany Abstract This paper presents a new soundness proof for concurrent
More informationA Marriage of Rely/Guarantee and Separation Logic
A Marriage of Rely/Guarantee and Separation Logic Viktor Vafeiadis and Matthew Parkinson University of Cambridge Abstract. In the quest for tractable methods for reasoning about concurrent algorithms both
More informationLocal Reasoning for Storable Locks and Threads
Local Reasoning for Storable Locks and Threads Alexey Gotsman Josh Berdine Byron Cook Noam Rinetzky Mooly Sagiv University of Cambridge Microsoft Research Tel-Aviv University April, revised September Technical
More informationModular Termination Verification for Non-blocking Concurrency
Modular Termination Verification for Non-blocking Concurrency Pedro da Rocha Pinto 1, Thomas Dinsdale-Young 2, Philippa Gardner 1, and Julian Sutherland 1 1 Imperial College London pmd09,pg,jhs110@doc.ic.ac.uk
More informationDynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics
Dynamic Semantics Operational Semantics Denotational Semantic Dynamic Semantics Operational Semantics Operational Semantics Describe meaning by executing program on machine Machine can be actual or simulated
More informationTechnical Report. Deny-guarantee reasoning. Mike Dodds, Xinyu Feng, Matthew Parkinson, Viktor Vafeiadis. Number 736. January Computer Laboratory
Technical Report UCAM-CL-TR-736 ISSN 1476-2986 Number 736 Computer Laboratory Deny-guarantee reasoning Mike Dodds, Xinyu Feng, Matthew Parkinson, Viktor Vafeiadis January 2009 15 JJ Thomson Avenue Cambridge
More informationProgram Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ.
Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language Hongseok Yang (Queen Mary, Univ. of London) Dream Automatically verify the memory safety of systems software,
More informationA Short Introduction to Hoare Logic
A Short Introduction to Hoare Logic Supratik Chakraborty I.I.T. Bombay June 23, 2008 Supratik Chakraborty (I.I.T. Bombay) A Short Introduction to Hoare Logic June 23, 2008 1 / 34 Motivation Assertion checking
More informationTechnical Report. A safety proof of a lazy concurrent list-based set implementation. Viktor Vafeiadis, Maurice Herlihy, Tony Hoare, Marc Shapiro
Technical Report UCAM-CL-TR-659 ISSN 1476-2986 Number 659 Computer Laboratory A safety proof of a lazy concurrent list-based set implementation Viktor Vafeiadis, Maurice Herlihy, Tony Hoare, Marc Shapiro
More informationIntroduction to Kleene Algebras
Introduction to Kleene Algebras Riccardo Pucella Basic Notions Seminar December 1, 2005 Introduction to Kleene Algebras p.1 Idempotent Semirings An idempotent semiring is a structure S = (S, +,, 1, 0)
More informationRelational Parametricity and Separation Logic. Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen
Relational Parametricity and Separation Logic Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen Challenge Develop a theory of data abstraction for pointer programs. When
More informationConcurrency, Rely/Guarantee and Separation Logic
Concurrency, Rely/Guarantee and Separation Logic Cliff Jones Newcastle University Overture Workshop 2014-06-21 Concurrency, Rely/Guarantee and Separation Logic Cliff Jones [1] Expressive power must be
More informationBilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)
Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft) Jayadev Misra December 18, 2015 Contents 1 Introduction 3 2 Program and Execution Model 4 2.1 Program Structure..........................
More informationAxiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs
Review Operational semantics relatively l simple many flavors (small vs. big) not compositional (rule for while) Good for describing language implementation reasoning about properties of the language eg.
More informationProgram Analysis Part I : Sequential Programs
Program Analysis Part I : Sequential Programs IN5170/IN9170 Models of concurrency Program Analysis, lecture 5 Fall 2018 26. 9. 2018 2 / 44 Program correctness Is my program correct? Central question for
More informationAbstractions and Decision Procedures for Effective Software Model Checking
Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture
More informationHoare Logic (I): Axiomatic Semantics and Program Correctness
Hoare Logic (I): Axiomatic Semantics and Program Correctness (Based on [Apt and Olderog 1991; Gries 1981; Hoare 1969; Kleymann 1999; Sethi 199]) Yih-Kuen Tsay Dept. of Information Management National Taiwan
More informationPropositional Logic. What is discrete math? Tautology, equivalence, and inference. Applications
What is discrete math? Propositional Logic The real numbers are continuous in the senses that: between any two real numbers there is a real number The integers do not share this property. In this sense
More informationStructuring the verification of heap-manipulating programs
Structuring the verification of heap-manipulating programs Aleksandar Nanevski (IMDEA Madrid) Viktor Vafeiadis (MSR / Univ. of Cambridge) Josh Berdine (MSR Cambridge) Hoare/Separation Logic Hoare logic
More informationAxiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare
Axiomatic Semantics Semantics of Programming Languages course Joosep Rõõmusaare 2014 Direct Proofs of Program Correctness Partial correctness properties are properties expressing that if a given program
More informationProgram Verification Using Separation Logic
Program Verification Using Separation Logic Cristiano Calcagno Adapted from material by Dino Distefano Lecture 1 Goal of the course Study Separation Logic having automatic verification in mind Learn how
More informationModel Checking: An Introduction
Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations
More informationCompositional Verification of Termination-Preserving Refinement of Concurrent Programs (Technical Report)
Compositional Verification of Termination-Preserving Refinement of Concurrent Programs (Technical Report) Hongjin Liang 1, Xinyu Feng 1, and Zhong Shao 2 1 University of Science and Technology of China
More informationTechnical Report Sequential Proximity
Technical Report Sequential Proximity Towards Provably Scalable Concurrent Search Algorithms Karolos Antoniadis, Rachid Guerraoui, Julien Stainer, and Vasileios Trigonakis École Polytechnique Fédérale
More informationLecture Notes: Axiomatic Semantics and Hoare-style Verification
Lecture Notes: Axiomatic Semantics and Hoare-style Verification 17-355/17-665/17-819O: Program Analysis (Spring 2018) Claire Le Goues and Jonathan Aldrich clegoues@cs.cmu.edu, aldrich@cs.cmu.edu It has
More informationUniversität Augsburg
Universität Augsburg Algebraic Separation Logic H.-H. Dang P. Höfner B. Möller Report 2010-06 July 2010 Institut für Informatik D-86135 Augsburg Copyright c H.-H. Dang P. Höfner B. Möller Institut für
More informationFrom Separation Logic to Systems Software
From Separation Logic to Systems Software Peter O Hearn, Queen Mary Based on work of the SpaceInvader team: Cristiano Calcagno, Dino Distefano, Hongseok Yang, and me Special thanks to our SLAyer colleagues
More informationCollecting garbage concurrently (but correctly)
Collecting garbage concurrently (but correctly) Kamal Lodaya The Institute of Mathematical Sciences, Chennai Joint work with Kalpesh Kapoor (IIT, Guwahati) and Uday Reddy (U. Birmingham) 1 First order
More informationAutomatic Parallelization with Separation Logic
Automatic Parallelization with Separation Logic Mohammad Raza, Cristiano Calcagno, and Philippa Gardner Department of Computing, Imperial College London 180 Queen s Gate, London SW7 2AZ, UK {mraza,ccris,pg}@doc.ic.ac.uk
More informationAutomatic Verification of Parameterized Data Structures
Automatic Verification of Parameterized Data Structures Jyotirmoy V. Deshmukh, E. Allen Emerson and Prateek Gupta The University of Texas at Austin The University of Texas at Austin 1 Outline Motivation
More informationLogical Reasoning for Disjoint Permissions
Logical Reasoning for Disjoint Permissions Xuan-Bach Le 1(B) and Aquinas Hobor 1,2 1 National University of Singapore, Singapore, Singapore bachdylan@gmail.com 2 Yale-NUS College, Singapore, Singapore
More informationOnline Appendix to: Types for Atomicity: Static Checking and Inference for Java
Online Appendix to: Types for Atomicity: Static Checking and Inference for Java CORMAC FLANAGAN University of California at Santa Cruz STEPHEN N. FREUND and MARINA LIFSHIN Williams College and SHAZ QADEER
More informationAbstraction and Refinement for Local Reasoning
Under consideration for publication in Math. Struct. in Comp. Science Abstraction and Refinement for Local Reasoning Thomas Dinsdale-Young, Philippa Gardner and Mark Wheelhouse Department of Computing,
More informationThe Assignment Axiom (Hoare)
The Assignment Axiom (Hoare) Syntax: V := E Semantics: value of V in final state is value of E in initial state Example: X:=X+ (adds one to the value of the variable X) The Assignment Axiom {Q[E/V ]} V
More informationLectures on Separation Logic. Lecture 2: Foundations
Lectures on Separation Logic. Lecture 2: Foundations Peter O Hearn Queen Mary, University of London Marktoberdorf Summer School, 2011 Outline for this lecture Part I : Assertions and Their Semantics Part
More informationSpatial Interpolants
Spatial Interpolants Aws Albargouthi 1, Josh Berdine 2, Byron Cook 3, and Zachary Kincaid 4 University of Wisconsin-Madison 1, Microsoft Research 2, University College London 3, University of Toronto 4
More informationCS 6112 (Fall 2011) Foundations of Concurrency
CS 6112 (Fall 2011) Foundations of Concurrency 29 November 2011 Scribe: Jean-Baptiste Jeannin 1 Readings The readings for today were: Eventually Consistent Transactions, by Sebastian Burckhardt, Manuel
More informationProblem. Problem Given a dictionary and a word. Which page (if any) contains the given word? 3 / 26
Binary Search Introduction Problem Problem Given a dictionary and a word. Which page (if any) contains the given word? 3 / 26 Strategy 1: Random Search Randomly select a page until the page containing
More informationAxiomatic Semantics. Lecture 9 CS 565 2/12/08
Axiomatic Semantics Lecture 9 CS 565 2/12/08 Axiomatic Semantics Operational semantics describes the meaning of programs in terms of the execution steps taken by an abstract machine Denotational semantics
More informationRelational Interfaces and Refinement Calculus for Compositional System Reasoning
Relational Interfaces and Refinement Calculus for Compositional System Reasoning Viorel Preoteasa Joint work with Stavros Tripakis and Iulia Dragomir 1 Overview Motivation General refinement Relational
More informationarxiv: v1 [cs.pl] 5 Apr 2017
arxiv:1704.01814v1 [cs.pl] 5 Apr 2017 Bilateral Proofs of Safety and Progress Properties of Concurrent Programs Jayadev Misra University of Texas at Austin, misra@utexas.edu April 5, 2017 Abstract This
More informationProgram verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program
Program verification Assertional semantics of a program Meaning of a program: relation between its inputs and outputs; specified by input assertions (pre-conditions) and output assertions (post-conditions)
More informationTute 10. Liam O'Connor. May 23, 2017
Tute 10 Liam O'Connor May 23, 2017 proc Search(value g : G, value s : V g, value k : K, result v : T, result f : B) Where a graph g : G is dened as a 4-tuple (V, Γ, κ, λ) containing a set of vertices V,
More informationExtended Transitive Separation Logic
Extended Transitive Separation Logic H.-H. Dang, B. Möller Institut für Informatik, Universität Augsburg, D-86135 Augsburg, Germany Abstract Separation logic (SL) is an extension of Hoare logic by operators
More informationAn Entailment Checker for Separation Logic with Inductive Definitions
An Entailment Checker for Separation Loic with Inductive Definitions Radu Iosif, Cristina Serban Université de Grenoble Alpes, CNRS, VERIMAG July 18, 2018 Cristina Serban (VERIMAG) An Entailment Checker
More informationHandout #6 INTRODUCTION TO ALGEBRAIC STRUCTURES: Prof. Moseley AN ALGEBRAIC FIELD
Handout #6 INTRODUCTION TO ALGEBRAIC STRUCTURES: Prof. Moseley Chap. 2 AN ALGEBRAIC FIELD To introduce the notion of an abstract algebraic structure we consider (algebraic) fields. (These should not to
More informationInductive Data Flow Graphs
Inductive Data Flow Graphs Azadeh Farzan University of Toronto Zachary Kincaid Andreas Podelski University of Freiburg Abstract The correctness of a sequential program can be shown by the annotation of
More informationNotes. Corneliu Popeea. May 3, 2013
Notes Corneliu Popeea May 3, 2013 1 Propositional logic Syntax We rely on a set of atomic propositions, AP, containing atoms like p, q. A propositional logic formula φ Formula is then defined by the following
More informationUsing the Prover I: Lee Pike. June 3, NASA Langley Formal Methods Group Using the Prover I:
Basic Basic NASA Langley Formal Methods Group lee.s.pike@nasa.gov June 3, 2005 Basic Sequents Basic Sequent semantics: The conjunction of the antecedents above the turnstile implies the disjunction of
More informationProgram verification using Hoare Logic¹
Program verification using Hoare Logic¹ Automated Reasoning - Guest Lecture Petros Papapanagiotou Part 2 of 2 ¹Contains material from Mike Gordon s slides: Previously on Hoare Logic A simple while language
More informationProgram verification. 18 October 2017
Program verification 18 October 2017 Example revisited // assume(n>2); void partition(int a[], int n) { int pivot = a[0]; int lo = 1, hi = n-1; while (lo
More informationG54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV
G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV Henrik Nilsson University of Nottingham, UK G54FOP: Lecture 17 & 18 p.1/33 These Two Lectures Revisit attempt to define denotational
More informationA MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ
A MODEL-THEORETIC PROOF OF HILBERT S NULLSTELLENSATZ NICOLAS FORD Abstract. The goal of this paper is to present a proof of the Nullstellensatz using tools from a branch of logic called model theory. In
More informationAutomata-Theoretic Model Checking of Reactive Systems
Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,
More informationA Thread Algebra with Multi-level Strategic Interleaving
Theory of Computing Systems manuscript No. (will be inserted by the editor) A Thread Algebra with Multi-level Strategic Interleaving J.A. Bergstra 1,2, C.A. Middelburg 3,1 1 Programming Research Group,
More informationDeductive Verification
Deductive Verification Mooly Sagiv Slides from Zvonimir Rakamaric First-Order Logic A formal notation for mathematics, with expressions involving Propositional symbols Predicates Functions and constant
More informationModel Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies
Model Checking, Theorem Proving, and Abstract Interpretation: The Convergence of Formal Verification Technologies Tom Henzinger EPFL Three Verification Communities Model checking: -automatic, but inefficient
More informationTheories of Programming Languages Assignment 5
Theories of Programming Languages Assignment 5 December 17, 2012 1. Lambda-Calculus (see Fig. 1 for initions of = β, normal order evaluation and eager evaluation). (a) Let Ω = ((λx. x x) (λx. x x)), and
More informationIris: Higher-Order Concurrent Separation Logic. Lecture 9: Concurrency Intro and Invariants
1 Iris: Higher-Order Concurrent Separation Logic Lecture 9: Concurrency Intro and Invariants Lars Birkedal Aarhus University, Denmark November 21, 2017 Overview Earlier: Operational Semantics of λ ref,conc
More informationBenefits of Interval Temporal Logic for Specification of Concurrent Systems
Benefits of Interval Temporal Logic for Specification of Concurrent Systems Ben Moszkowski Software Technology Research Laboratory De Montfort University Leicester Great Britain email: benm@dmu.ac.uk http://www.tech.dmu.ac.uk/~benm
More informationVerification Frameworks and Hoare Logic
CMSC 630 February 11, 2015 1 Verification Frameworks and Hoare Logic Sources K. Apt and E.-R. Olderog. Verification of Sequential and Concurrent Programs (Second Edition). Springer-Verlag, Berlin, 1997.
More informationSalembier s Min-tree algorithm turned into breadth first search
Information Processing Letters 88 (2003) 225 229 www.elsevier.com/locate/ipl Salembier s Min-tree algorithm turned into breadth first search Wim H. Hesselink Department of Mathematics and Computing Science,
More informationCOP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen Assertions and Preconditions Assertions are used by programmers to verify run-time execution An assertion is a
More informationTHE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)
THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester 2016 COMP2600/COMP6260 (Formal Methods for Software Engineering) Writing Period: 3 hours duration Study Period: 15 minutes duration Permitted Materials:
More informationHoare Logic: Part II
Hoare Logic: Part II COMP2600 Formal Methods for Software Engineering Jinbo Huang Australian National University COMP 2600 Hoare Logic II 1 Factorial {n 0} fact := 1; i := n; while (i >0) do fact := fact
More informationFormal Methods for Probabilistic Systems
1 Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level program logic Introduction to probabilistic-program logic Systematic presentation via structural induction Layout
More informationA Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING
A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING Do-Hyung Kim School of Computer Science and Engineering Sungshin Women s s University CONTENTS Bibliographic Information and Organization
More informationRibbon Proofs for Separation Logic
Ribbon Proofs for Separation Logic John Wickerson University of Cambridge Dublin Concurrency Workshop, 15 April 2011 Talk outline 1. The problem 2. Towards a solution 3. A big proof 4. Fun with quantifiers
More informationSymmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago
Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago Model-Checking Concurrent PGM Temporal SPEC Model Checker Yes/No Counter Example Approach Build the global state graph Algorithm
More informationPrograms, Semantics and Eective Atomicity
Programs, Semantics and Eective Atomicity Shankar April 3, 2014 Outline programs Program Service Programs State transition semantics of systems Assertions and their evaluation Splitting and stitching of
More informationSorting. Chapter 11. CSE 2011 Prof. J. Elder Last Updated: :11 AM
Sorting Chapter 11-1 - Sorting Ø We have seen the advantage of sorted data representations for a number of applications q Sparse vectors q Maps q Dictionaries Ø Here we consider the problem of how to efficiently
More informationPropositional and Predicate Logic - V
Propositional and Predicate Logic - V Petr Gregor KTIML MFF UK WS 2016/2017 Petr Gregor (KTIML MFF UK) Propositional and Predicate Logic - V WS 2016/2017 1 / 21 Formal proof systems Hilbert s calculus
More informationStrongly chordal and chordal bipartite graphs are sandwich monotone
Strongly chordal and chordal bipartite graphs are sandwich monotone Pinar Heggernes Federico Mancini Charis Papadopoulos R. Sritharan Abstract A graph class is sandwich monotone if, for every pair of its
More information3 Propositional Logic
3 Propositional Logic 3.1 Syntax 3.2 Semantics 3.3 Equivalence and Normal Forms 3.4 Proof Procedures 3.5 Properties Propositional Logic (25th October 2007) 1 3.1 Syntax Definition 3.0 An alphabet Σ consists
More informationFormal Specification and Verification. Specifications
Formal Specification and Verification Specifications Imprecise specifications can cause serious problems downstream Lots of interpretations even with technicaloriented natural language The value returned
More informationCoinductive big-step semantics and Hoare logics for nontermination
Coinductive big-step semantics and Hoare logics for nontermination Tarmo Uustalu, Inst of Cybernetics, Tallinn joint work with Keiko Nakata COST Rich Models Toolkit meeting, Madrid, 17 18 October 2013
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationHoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples
Hoare Logic I Introduction to Deductive Program Verification Işıl Dillig Program Spec Deductive verifier FOL formula Theorem prover valid contingent Example specs: safety (no crashes), absence of arithmetic
More informationModular Verification of Concurrent Programs via Sequential Model Checking. Dan Rasin
Modular Verification of Concurrent Programs via Sequential Model Checking Dan Rasin Modular Verification of Concurrent Programs via Sequential Model Checking Research Thesis Submitted in partial fulfillment
More informationAxiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year
Axiomatic semantics Semantics and Application to Program Verification Antoine Miné École normale supérieure, Paris year 2015 2016 Course 6 18 March 2016 Course 6 Axiomatic semantics Antoine Miné p. 1 /
More informationChapter 4: Computation tree logic
INFOF412 Formal verification of computer systems Chapter 4: Computation tree logic Mickael Randour Formal Methods and Verification group Computer Science Department, ULB March 2017 1 CTL: a specification
More informationA Separation Logic for Refining Concurrent Objects
A Separation Logic for Refining Concurrent Objects Aaron Turon Mitchell Wand Northeastern University {turon, wand}@ccs.neu.edu Abstract Fine-grained concurrent data structures are crucial for gaining performance
More informationSolutions. Prelim 2[Solutions]
Prelim [Solutions]. Short Answer [ pts] (a) [ pts] A traversal of an expression tree produces the string + + 3. i. What kind of traversal is it? Preorder; the operator is printed before the operands. ii.
More informationClassical Program Logics: Hoare Logic, Weakest Liberal Preconditions
Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will
More informationQuine s Fluted Fragment is Non-elementary
Quine s Fluted Fragment is Non-elementary Ian Pratt-Hartmann Wies law Szwast Lidia Tendera University of Manchester/University of Opole 25th EACSL Annual Conference on Computer Science Logic 1 st September,
More informationConstraint Solving for Program Verification: Theory and Practice by Example
Constraint Solving for Program Verification: Theory and Practice by Example Andrey Rybalchenko Technische Universität München Abstract. Program verification relies on the construction of auxiliary assertions
More informationHoare Examples & Proof Theory. COS 441 Slides 11
Hoare Examples & Proof Theory COS 441 Slides 11 The last several lectures: Agenda Denotational semantics of formulae in Haskell Reasoning using Hoare Logic This lecture: Exercises A further introduction
More informationMulticore Semantics and Programming
Multicore Semantics and Programming Peter Sewell Tim Harris University of Cambridge Oracle October November, 2015 p. 1 These Lectures Part 1: Multicore Semantics: the concurrency of multiprocessors and
More information