# Proving That Non-Blocking Algorithms Don t Block

Save this PDF as:

Size: px
Start display at page:

## Transcription

4 struct Node { value_t data; Node *next; ; Node *S; int collision[size]; void push(value_t v) { Node *t, *x; x = new Node(); x->data = v; while (1) { t = S; x->next = t; if (CAS(&S,t,x)) { return; // Elimination scheme //... int pos = GetPosition(); // 0 pos SIZE-1 int hisid = collision[pos]; while (!CAS(&collision[pos],hisId,MYID)) { hisid = collision[pos]; //... value_t pop() { Node *t, *x; while (1) { t = S; if (t == NULL) { return EMPTY; x = t->next; if (CAS(&S,t,x)) { return t->data; // Elimination scheme //... int pos = GetPosition(); // 0 pos SIZE-1 int hisid = collision[pos]; while (!CAS(&collision[pos],hisId,MYID)) { hisid = collision[pos]; //... Figure 2. The HSY non-blocking stack op 1 op 2 Thread 1 does not Thread 2 does not execute Push or execute Push or Pop infinitely often Pop infinitely often Thread 1 does not Thread 2 does not execute Push, Pop, or execute Push, Pop, or Xchg infinitely often Xchg infinitely often Thread 1 terminates Thread 2 terminates Figure 3. An informal proof argument where an arrow from statement A to statement B means that A is used as a rely condition while establishing the guarantee B. ing of an arbitrary number of the algorithm s operations running in parallel: we search for proofs that follow the pattern described above and use rely and guarantee conditions of the restricted form. Our proof search procedure performs a forward search, constructing proof graphs like the one in Figure 3 top-down. It is able to construct proofs that the programs C (k) terminate for all k at once, because our guarantee conditions are such that if several threads satisfy a guarantee, then so does their parallel composition. We now informally describe the procedure using the HSY stack as the running example (the details are provided in Section 5). Consider a program consisting of an arbitrary number of the algorithm s operations running in parallel. First, using existing tools for verifying safety properties of non-blocking algorithms [6], we can infer a splitting of the program state into local and shared parts and a set of actions describing how the operations change the shared state ({Push, Pop, Xchg, Others, Id for the HSY stack). The set defines the initial guarantee provided by every operation in the program that ensures that the operation changes the shared state only according to one of the actions. Note that if several operations satisfy this guarantee, then so does their parallel composition. Hence, while checking a property of an operation in the program, we can rely on its environment satisfying the guarantee. The guarantee, however, is too weak to establish termination of the operations. We therefore try to strengthen it by considering every action in turn and attempting to prove that no operation executes the action infinitely often in an environment satisfying the guarantee. In our running example, we will be able to establish that the operations do not execute the actions Push and Pop infinitely often (but not Xchg and Others). Again, if several operations satisfy the guarantee strengthened in this way, then so does their parallel composition. Hence, we can check properties of the operations in the program assuming that their environment satisfies the guarantee. An attempt to prove their termination in this way fails again, and we have to strengthen the guarantee one more time. Namely, we try to prove that the operations do not execute the remaining actions Xchg and Others infinitely often. In this case, the available guarantee is strong enough to prove that the Xchg action is not executed infinitely often. Finally, the strengthened guarantee allows us to establish termination of the operations. Proving obstruction-freedom and wait-freedom. Obstructionfreedom of an operation ensures its termination in an environment that eventually stops executing. Therefore, when proving obstruction-freedom, infinite behaviours of the environment are irrelevant and the necessary environment guarantee can always be

5 Values = {..., 1, 0, 1,... Locs = {1, 2,... Vars = {x,y,...,&x, &y,... Stores = Vars Values Heaps = Locs fin Values Σ=Stores Heaps Figure 4. Program states Σ represented by a safety property. For example, the operations of Treiber s stack guarantee that they modify the shared state according to one of the actions Push, Pop, andid. To prove obstructionfreedom of a push or pop operation 2, it is thus sufficient to prove its termination in an environment that executes only finitely many such actions. This is true because, as in the proof of lock-freedom, in such an environment the CAS in the code of the operation will eventually succeed. In general, we can automatically check obstruction-freedom by checking termination of every operation in the environment satisfying the safety guarantee inferred by the safety verification tool and the additional assumption that it executes only finitely many actions. We describe this in more detail in Section 5. To the best of our knowledge, loops in all practical wait-free non-blocking algorithms have constant upper bounds on the number of their iterations. For example, Simpson s algorithm [32] consists of straight-line code only, and the number of loop iterations inthe wait-freefind operation of a non-blocking linked list [37] is bounded by the number of distinct keys that can be stored in the list. For this reason, termination of operations in wait-free algorithms can be justified by considering only safety properties guaranteed by operations environment. The automatic check for wait-freedom is similar to the one for obstruction-freedom (see Section 5). 3. Specifying liveness properties Our logic for reasoning about liveness properties is a Hoare-style logic, which combines ideas from rely-guarantee reasoning and separation logic. It generalises a recent logic for reasoning about safety properties of non-blocking algorithms, RGSep [35]. As any Hoare logic, ours consists of two formal systems: an assertion language and a proof system for Hoare triples. In this section, we describe the assertion language, define the form of judgements in our logic, and show how to specify wait-freedom, lock-freedom, and obstruction-freedom in it. The next section presents the logic s proof system. Programming language. We consider heap-manipulating programs written in the following simple programming language. Commands C are given by the grammar C ::= C 1; C 2 if (e) C 1 else C 2 while (e) C x = new() x = e x = *e 1 *e 1 = e 2 delete e atomic C where e ranges over arithmetic expressions, including nondeterministic choice nondet(). The command atomic C executes C in one indivisible step. Programs consist of initialisation code followed by a top-level parallel composition of threads: C 0;(C 1... C n). To avoid side conditions in our proof rules, we treat each program variable x as a memory cell at the constant address &x. Thus, any use of x in the code is just a shorthand for *(&x). Similarly, we interpret field expressions x->next as *(x + offset of next).in our examples, we also use other pieces of C syntax. Assertion language. Letp, q and r be separation logic assertions: p, q, r ::= emp e 1 e 2 p q false p q x.p... 2 This example is used here for illustrative purposes only: obstructionfreedom of Treiber s stack follows from its lock-freedom. Separation logic assertions denote sets of program states Σ represented by store-heap pairs (Figure 4). A store is a function from variables to values; a heap is a finite partial function from locations to values. We omit the standard formal semantics for most of the assertions [30]. Informally, emp describes the states where the heap is empty; e 1 e 2 describes the states where the heap contains a single allocated location at the address e 1 with contents e 2; p q describes the states where the heap is the union of two disjoint heaps, one satisfying p and the other satisfying q. The formal semantics of the assertion p q is defined using a partial operation on Σ such that for all (t 1,h 1), (t 2,h 2) Σ (t 1,h 1) (t 2,h 2)=(t 1,h 1 h 2) if t 1 = t 2 and h 1 h 2 is defined, and (t 1,h 1) (t 2,h 2) is undefined otherwise. Then u [p q ] u 1,u 2.u= u 1 u 2 u 1 [p] u 2 [q ] As we argued in Section 2, while reasoning about concurrent heap-manipulating programs it is useful to partition the program state into thread-local and shared parts. Therefore, assertions in our logic denote sets of pairs of states from Σ. The two components represent the state local to the thread in whose code the assertion is located and the shared state. We use the assertion language of RGSep [35], which describes the local and shared components with separation logic assertions and is defined by following grammar: P, Q ::= p p P Q true false P Q P Q x.p An assertion p denotes the local-shared state pairs with the local state satisfying p; p the pairs with the shared state satisfying p and the local state satisfying emp; P Q the pairs in which the local state can be divided into two substates such that one of them together with the shared state satisfies P and the other together with the shared state satisfies Q. The formal semantics of P Q is defined using a partial operation on Σ 2 such that for all (l 1,s 1), (l 2,s 2) Σ 2 (l 1,s 1) (l 2,s 2)=(l 1 l 2,s 1) if s 1 = s 2 and l 1 l 2 is defined, and (l 1,s 1) (l 2,s 2) is undefined otherwise. Thus, σ [P Q] σ 1,σ 2.σ= σ 1 σ 2 σ 1 [P ] σ 2 [Q] Note that by abuse of notation we denote the connectives interpreted by and with the same symbol. It should be always clear from the structure of the assertion which of the two connectives is being used. We denote global states from Σ with small Latin letters (u, l, s), and local-shared state pairs from Σ 2 with small Greek letters (σ). Judgements. The judgements in our logic include rely and guarantee conditions determining how a command or its environment change the shared state. These represent languages of finite and infinite words over the alphabet Σ 2 of relations on shared states and are denoted with capital calligraphic letters (R, G,...). A word in any of the languages describes the sequences of changes to the shared state. Thus, relies and guarantees can define liveness properties. This generalises the RGSep logic, in which rely and guarantee conditions define safety properties and are therefore represented with relations on the shared state. Our proof system has two kinds of judgements: R, G {P C {Q: if the initial state satisfies P and the environment changes the shared state according to R, then the program is safe (i.e., it does not dereference any invalid pointers), changes the shared state according to G, and the final state (if the program terminates) satisfies Q.

11 We do not report any results for wait-free algorithms in this paper. Operations consisting of straight-line code only are trivially wait-free. Proving termination ofwait-freefind operations in nonblocking linked lists mentioned in Section 2 requires tracking the keys stored in the list, which is not handled by our shape analysis. 6. Semantics and soundness We give semantics to programs with respect to labelled transition systems with states representing the whole program heap. The proof of soundness of our logic with respect to this global semantics is done in two steps. We first show that, given a transition system denoting a program, we can construct another transition system operating on states that distinguish between local and shared heap, according to the informal description given in Section 3. Interpretation of judgements in this split-state semantics is straightforward. We then relate the validity of judgements in the split-state semantics to the standard global notion of validity. The results in this section do not follow straightforwardly from existing ones, however, the techniques used to formulate the split-state semantics and prove the soundness theorems are the same as for the RGSep logic [35]. 6.1 Global semantics We represent denotations of programs as a variant of labelled transition systems (LTS). DEFINITION 1 (LTS). A labelled transition system (LTS) is a quadruple S =(Σ,, Φ,T),where Σ is the set of non-erroneous states of the transition system, / Σ is a distinguished error state (arising, for example, when a program dereferences an invalid pointer), Φ Σ is the set of final states, and T is the set of transitions such that every τ T is associated with a transition function f τ :Σ P(Σ) {,wherep(σ) is the powerset of Σ. DEFINITION 2 (Computation of an LTS). A computation of an LTS (Σ,, Φ,T) starting from an initial state u 0 Σ is a maximal sequence u 0,u 1,...of states u i Σ { such that for all i there exists a transition τ T such that u i+1 = if f τ (u i)= and u i+1 f τ (u i) otherwise. Given a thread C in the programming language of Section 3, we can construct the corresponding LTS C in the following way. Let us assume for the purposes of this construction that the program counter of the thread is a memory cell at a distinguished address &pc, implicitly modified by every primitive command. As the set of states Σ of the LTS we take the one defined in Figure 4. The final states are those in which the program counter has a distinguished final value. Every atomic command in the thread, including atomic blocks, corresponds to a transition in the LTS. Conditions in if and while commands are translated in the standard way using assume commands. The transition functions are then just the standard postcondition transformers [30, 5]. The denotation of a parallel composition of threads is the parallel composition of their denotations, defined as follows. DEFINITION 3 (Parallel composition of LTSes). The parallel composition of two LTSes S 1 = (Σ,, Φ 1,T 1) and S 2 =(Σ,, Φ 2,T 2), wheret 1 T 2 =, is defined as the LTS S 1 S 2 =(Σ,, Φ 1 Φ 2,T 1 T 2). As follows from Definitions 2 and 3, the parallel composition interleaves transitions from two LTSes on the same memory Σ without any fairness constraints. Note that we can always satisfy T 1 T 2 = by renaming transitions appropriately. 6.2 Split-state semantics We now show that given an LTS we can construct a split LTS that distinguishes between the local and the shared state. To this end, we assume a labelling function π that maps each transition in an LTS to either Local for operations that only access the local state, or Shared(p q) for operations that access both the local and the shared state. Note that for a program C we can construct such a labelling π C from the annotations we introduced in Section 3: commands outside atomic blocks are mapped to Local and annotations at atomic blocks give the parameters of Shared. Given a labelling π for an LTS (Σ,, Φ,T), we can define the corresponding split LTS as (Σ 2,, Φ Σ,T ),wheret consists of fresh copies of transitions τ for every transition τ T.The program counter of a thread is always in its local state, hence, the set of states of the split LTS in which it has the final value is Φ Σ. The transition functions for the split LTS are defined as follows. If π(τ) =Local, thenτ executes τ on the local state and preserves the shared state: f τ (l, s) =f τ (l) {s if f τ (l), and f τ (l, s) = otherwise. If π(τ) =Shared(p q), then the execution of τ follows the informal description of the execution of atomic blocks in Section 3: f τ (l, s) = {(restq(u), sat q(u) rest p(s)) u f τ (l sat p(s)) if sat p(s) is defined, f τ (l sat p(s)), andsat q(u) is defined for all u f τ (l sat p(s));otherwise,τ faults: f τ (l, s) =. 6.3 Validity in the split-state semantics To define validity of triples in the split-state semantics, we have to define the meaning of interleaving computations of a split LTS (Σ 2,, Φ Σ,T) with actions of an environment changing the shared state according to a rely condition R L(Σ 2 ).Werepresent these computations with traces α L(Σ 2 (Σ 2 { ) ({e T )). The first two components of every letter in a trace define how the state of the LTS changes. The third component defines if the change was made by a transition of the LTS (τ T )orthe environment (e). We require that the environment does not change the local state and does not fault, i.e., all e-letters in a trace are of the form ((l, s), (l, s ), e). We often need to project a trace α without error states to a word that records how the shared state is changed by a particular set of transitions U {e T. We define such a projection α U L(Σ 2 ) as the image of α under the following homomorphism h :Σ 2 Σ 2 ({e T ) L(Σ 2 ) { h((l, s), (l,s ),τ)= (s, s ), τ U; ε, otherwise where ε is the empty word. We write α σ if α is a nonempty trace and its last letter is of the form (σ,σ,τ) for some σ and τ. DEFINITION 4 (Traces). For a rely condition R L(Σ 2 ) and a split LTS S =(Σ 2,, Φ Σ,T),thesettr(S, R,σ 0) of traces of S executed in an environment satisfying R starting from an initial state σ 0 Σ 2 is defined as the set of traces α L(Σ 2 (Σ 2 { ) ({e T )) of the following two forms: finite or infinite traces α =(σ 0,σ 1,τ 0)(σ 1,σ 2,τ 1)...,where σ i, α {e R, and if τ i e,thenσ i+1 f τi (σ i); and finite traces α = β(σ n,,τ n) for some β = (σ 0,σ 1,τ 0) (σ 1,σ 2,τ 1)...(σ n 1,σ n,τ n 1) such that β {e R, f τn (σ n)=, and if τ i e for i<n,thenσ i+1 f τi (σ i). The first case in this definition corresponds to safe traces, and the second to unsafe traces, i.e., those in which both the program

13 building on a recent formalisation of weak memory model semantics [31]. Second, our tool can currently handle only list-based algorithms, because we use an off-the-shelf shape analysis. We believe that the methods described in this paper should be applicable to more complicated data structures as well, provided the necessary shape analysis infrastructure is available. The above-mentioned limitations notwithstanding, this paper presents the first successful attempt to give modular proofs of liveness properties to complex heap-manipulating concurrent programs. Acknowledgements. We would like to thank Josh Berdine, Mike Dodds, Tim Harris, Michael Hicks, Andreas Podelski, Moshe Vardi, Eran Yahav, and the anonymous reviewers for comments and discussions that helped to improve the paper. References [1] M. Abadi and L. Lamport. Conjoining specifications. ACM Trans. Program. Lang. Syst., 17(3): , [2] B. Alpern and F. B. Schneider. Defining liveness. Inf. Process. Lett., 21(4): , [3] J. Berdine, B. Cook, D. Distefano, and P. W. O Hearn. Automatic termination proofs for programs with shape-shifting heaps. In CAV 06: Conference on Computer Aided Verification, volume 4144 of LNCS, pages Springer, [4] S. D. Brookes. Full abstraction for a shared-variable parallel language. Inf. Comput., 127(2): , [5] C. Calcagno, P. O Hearn, and H. Yang. Local action and abstract separation logic. In LICS 07: Symposium on Logic in Computer Science, pages IEEE, [6] C. Calcagno, M. J. Parkinson, and V. Vafeiadis. Modular safety checking for fine-grained concurrency. In SAS 07: Static Analysis Symposium, volume 4634 of LNCS, pages Springer, [7] R. Colvin and B. Dongol. Verifying lock-freedom using well-founded orders. In ICTAC 07: International Colloquium on Theoretical Aspects of Computing, volume 4711 of LNCS, pages Springer, [8] B. Cook, A. Gotsman, A. Podelski, A. Rybalchenko, and M. Y. Vardi. Proving that programs eventually do something good. In POPL 07: Symposium on Principles of Programming Languages, pages ACM, [9] S. Doherty, L. Groves, V. Luchangco, and M. Moir. Formal verification of a practical lock-free queue algorithm. In FORTE 04: Conference on Formal Techniques for Networked and Distributed Systems, volume 3235 of LNCS, pages Springer, [10] B. Dongol. Formalising progress properties of non-blocking programs. In ICFEM 06: Conference on Formal Engineering Methods, volume 4260 of LNCS, pages Springer, [11] X. Feng, R. Ferreira, and Z. Shao. On the relationship between concurrent separation logic and assume-guarantee reasoning. In ESOP 07: European Symposium on Programming, volume 4421 of LNCS, pages Springer, [12] A. Gotsman, J. Berdine, B. Cook, and M. Sagiv. Thread-modular shape analysis. In PLDI 07: Conference on Programming Language Design and Implementation, pages ACM, [13] T. L. Harris, K. Fraser, and I. A. Pratt. A practical multi-word compare-and-swap operation. In DISC 02: Symposium on Distributed Computing, volume 2508 of LNCS, pages Springer, [14] D. Hendler, N. Shavit, and L. Yerushalmi. A scalable lock-free stack algorithm. In SPAA 04: Symposium on Parallelism in Algorithms and Architectures, pages ACM, [15] M. Herlihy. Wait-free synchronization. ACM Trans. Program. Lang. Syst., 13(1): , [16] M. Herlihy, V. Luchangco, and M. Moir. Obstruction-free synchronization: Double-ended queues as an example. In ICDCS 03: International Conference on Distributed Computing Systems, pages IEEE, [17] M. Herlihy and N. Shavit. The Art of Multiprocessor Programming. Morgan Kaufmann, [18] C. B. Jones. Specification and design of (parallel) programs. In IFIP Congress, pages North-Holland, [19] N. Kobayashi and D. Sangiorgi. A hybrid type system for lockfreedom of mobile processes. In CAV 08: Conference on Computer Aided Verification, volume 5123 of LNCS, pages Springer, [20] O. Lichtenstein, A. Pnueli, and L. D. Zuck. The glory of the past. In Conference on Logics of Programs, volume 193 of LNCS, pages Springer, [21] S. Magill, J. Berdine, E. M. Clarke, and B. Cook. Arithmetic strengthening for shape analysis. In SAS 07: Static Analysis Symposium, volume 4634 of LNCS, pages Springer, [22] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, Berlin, [23] H. Massalin and C. Pu. A lock-free multiprocessor OS kernel (Abstract). Operating Systems Review, 26(2):108, [24] K. L. McMillan. Circular compositional reasoning about liveness. In CHARME 99: Conference on Correct Hardware Design and Verification Methods, volume 1703 of LNCS, pages Springer, [25] M. M. Michael. High performance dynamic lock-free hash tables and list-based sets. In SPAA 02: Symposium on Parallelism in Algorithms and Architectures, pages ACM, [26] M. M. Michael and M. L. Scott. Simple, fast, and practical nonblocking and blocking concurrent queue algorithms. In PODC 96: Symposium on Principles of Distributed Computing, pages ACM, [27] J. S. Moore. A mechanically checked proof of a multiprocessor result via a uniprocessor view. Formal Methods in System Design, 14(2): , [28] P. W. O Hearn. Resources, concurrency and local reasoning. Theor. Comput. Sci., 375(1-3): , [29] A. Pnueli. In transition from global to modular temporal reasoning about programs. In Logics and Models of Concurrent Systems, pages Springer, [30] J. Reynolds. Separation logic: A logic for shared mutable data structures. In LICS 02: Symposium on Logic in Computer Science, pages IEEE, [31] S. Sarkar, P. Sewell, F. Zappa Nardelli, S. Owens, T. Ridge, T. Braibant, M. Myreen, and J. Alglave. The semantics of x86 multiprocessor machine code. This volume. [32] H. Simpson. Four-slot fully asynchronous communication mechanism. IEE Proceedings, 137(1):17 30, [33] R. K. Treiber. Systems programming: Coping with parallelism. Technical Report RJ 5118, IBM Almaden Research Center, [34] V. Vafeiadis. Modular fine-grained concurrency verification. PhD Thesis, University of Cambridge Computer Laboratory, [35] V. Vafeiadis and M. J. Parkinson. A marriage of rely/guarantee and separation logic. In CONCUR 07: Conference on Concurrency Theory, volume 4703 of LNCS, pages Springer, [36] M. Vardi. Verification of concurrent programs the automatatheoretic framework. Ann. Pure Appl. Logic, 51:79 98, [37] M. T. Vechev and E. Yahav. Deriving linearizable fine-grained concurrent objects. In PLDI 08: Conference on Programming Languages Design and Implementation, pages ACM, [38] I. William N. Scherer, D. Lea, and M. L. Scott. Scalable synchronous queues. In PPoPP 06: Symposium on Principles and Practice of Parallel Programming, pages ACM, 2006.

### Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Introduction Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Advanced Topics in Software Engineering 1 Concurrent Programs Characterized by

### 3 Extending the Refinement Calculus

Building BSP Programs Using the Refinement Calculus D.B. Skillicorn? Department of Computing and Information Science Queen s University, Kingston, Canada skill@qucis.queensu.ca Abstract. We extend the

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

### Virtual Time and Timeout in Client-Server Networks

Virtual Time and Timeout in Client-Server Networks Jayadev Misra July 13, 2011 Contents 1 Introduction 2 1.1 Background.............................. 2 1.1.1 Causal Model of Virtual Time...............

### Rigorous Software Development CSCI-GA 3033-009

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical

### Chapter II. Controlling Cars on a Bridge

Chapter II. Controlling Cars on a Bridge 1 Introduction The intent of this chapter is to introduce a complete example of a small system development. During this development, you will be made aware of the

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS

TKK Reports in Information and Computer Science Espoo 2009 TKK-ICS-R26 AUTOMATED TEST GENERATION FOR SOFTWARE COMPONENTS Kari Kähkönen ABTEKNILLINEN KORKEAKOULU TEKNISKA HÖGSKOLAN HELSINKI UNIVERSITY OF

### [Refer Slide Time: 05:10]

Principles of Programming Languages Prof: S. Arun Kumar Department of Computer Science and Engineering Indian Institute of Technology Delhi Lecture no 7 Lecture Title: Syntactic Classes Welcome to lecture

### A Framework for the Semantics of Behavioral Contracts

A Framework for the Semantics of Behavioral Contracts Ashley McNeile Metamaxim Ltd, 48 Brunswick Gardens, London W8 4AN, UK ashley.mcneile@metamaxim.com Abstract. Contracts have proved a powerful concept

### Rigorous. Development. Software. Program Verification. & Springer. An Introduction to. Jorge Sousa Pinto. Jose Bacelar Almeida Maria Joao Frade

Jose Bacelar Almeida Maria Joao Frade Jorge Sousa Pinto Simao Melo de Sousa Rigorous Software Development An Introduction to Program Verification & Springer Contents 1 Introduction 1 1.1 A Formal Approach

### 1) The postfix expression for the infix expression A+B*(C+D)/F+D*E is ABCD+*F/DE*++

Answer the following 1) The postfix expression for the infix expression A+B*(C+D)/F+D*E is ABCD+*F/DE*++ 2) Which data structure is needed to convert infix notations to postfix notations? Stack 3) The

### Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Today s Agenda Quiz 4 Temporal Logic Formal Methods in Software Engineering 1 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 2 1 Buchi Automata

### From Workflow Design Patterns to Logical Specifications

AUTOMATYKA/ AUTOMATICS 2013 Vol. 17 No. 1 http://dx.doi.org/10.7494/automat.2013.17.1.59 Rados³aw Klimek* From Workflow Design Patterns to Logical Specifications 1. Introduction Formal methods in software

### Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition

### Facing the Challenges for Real-Time Software Development on Multi-Cores

Facing the Challenges for Real-Time Software Development on Multi-Cores Dr. Fridtjof Siebert aicas GmbH Haid-und-Neu-Str. 18 76131 Karlsruhe, Germany siebert@aicas.com Abstract Multicore systems introduce

### Temporal Logics. Computation Tree Logic

Temporal Logics CTL: definition, relationship between operators, adequate sets, specifying properties, safety/liveness/fairness Modeling: sequential, concurrent systems; maximum parallelism/interleaving

### Reasoning about Optimistic Concurrency Using a Program Logic for History

Reasoning about Optimistic Concurrency Using a Program Logic for History Ming Fu 1, Yong Li 1, Xinyu Feng 1,2, Zhong Shao 3, and Yu Zhang 1 1 University of Science and Technology of China 2 Toyota Technological

### Extended Static Checking for Java

Lukas TU München - Seminar Verification 14. Juli 2011 Outline 1 Motivation 2 ESC/Java example 3 ESC/JAVA architecture VC generator Simplify 4 JML + ESC/Java annotation language JML What ESC/Java checks

### The Student-Project Allocation Problem

The Student-Project Allocation Problem David J. Abraham, Robert W. Irving, and David F. Manlove Department of Computing Science, University of Glasgow, Glasgow G12 8QQ, UK Email: {dabraham,rwi,davidm}@dcs.gla.ac.uk.

### DATA STRUCTURES USING C

DATA STRUCTURES USING C QUESTION BANK UNIT I 1. Define data. 2. Define Entity. 3. Define information. 4. Define Array. 5. Define data structure. 6. Give any two applications of data structures. 7. Give

### Wait-Free Queues With Multiple Enqueuers and Dequeuers

Wait-Free Queues With Multiple Enqueuers and Dequeuers Alex Kogan Department of Computer Science Technion, Israel sakogan@cs.technion.ac.il Erez Petrank Department of Computer Science Technion, Israel

### Formal Verification of Software

Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification

### Inter-process Buffers in Separation Logic with Rely-Guarantee

Under consideration for publication in Formal Aspects of Computing Inter-process Buffers in Separation Logic with Rely-Guarantee Richard Bornat and Hasan Amjad Middlesex University, London, UK Abstract.

### Towards Relaxing STM. Christoph M. Kirsch, Michael Lippautz! University of Salzburg. Euro-TM Workshop, April 2014

Towards Relaxing STM Christoph M. Kirsch, Michael Lippautz! University of Salzburg! Euro-TM Workshop, April 2014 Problem linear scalability positive scalability good performance throughput (#transactions/time)

### Likewise, we have contradictions: formulas that can only be false, e.g. (p p).

CHAPTER 4. STATEMENT LOGIC 59 The rightmost column of this truth table contains instances of T and instances of F. Notice that there are no degrees of contingency. If both values are possible, the formula

### Modular Verification of Preemptive OS Kernels

Modular Verification of Preemptive OS Kernels Alexey Gotsman IMDEA Software Institute Alexey.Gotsman@imdea.org Hongseok Yang University of Oxford Hongseok.Yang@cs.ox.ac.uk Abstract Most major OS kernels

### Write Barrier Removal by Static Analysis

Write Barrier Removal by Static Analysis Karen Zee and Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139 {kkz, rinard@lcs.mit.edu ABSTRACT We present

### Regular Expressions and Automata using Haskell

Regular Expressions and Automata using Haskell Simon Thompson Computing Laboratory University of Kent at Canterbury January 2000 Contents 1 Introduction 2 2 Regular Expressions 2 3 Matching regular expressions

### The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge,

The Union-Find Problem Kruskal s algorithm for finding an MST presented us with a problem in data-structure design. As we looked at each edge, cheapest first, we had to determine whether its two endpoints

### Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers TIMOTHY S. GEGG-HARRISON Winona State University Although computer scientists understand the importance of discrete

### On strong fairness in UNITY

On strong fairness in UNITY H.P.Gumm, D.Zhukov Fachbereich Mathematik und Informatik Philipps Universität Marburg {gumm,shukov}@mathematik.uni-marburg.de Abstract. In [6] Tsay and Bagrodia present a correct

### A Comparison Of Shared Memory Parallel Programming Models. Jace A Mogill David Haglin

A Comparison Of Shared Memory Parallel Programming Models Jace A Mogill David Haglin 1 Parallel Programming Gap Not many innovations... Memory semantics unchanged for over 50 years 2010 Multi-Core x86

### Software Modeling and Verification

Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

### NP-Completeness and Cook s Theorem

NP-Completeness and Cook s Theorem Lecture notes for COM3412 Logic and Computation 15th January 2002 1 NP decision problems The decision problem D L for a formal language L Σ is the computational task:

### Software Engineering

Software Engineering Lecture 04: The B Specification Method Peter Thiemann University of Freiburg, Germany SS 2013 Peter Thiemann (Univ. Freiburg) Software Engineering SWT 1 / 50 The B specification method

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 17 Shannon-Fano-Elias Coding and Introduction to Arithmetic Coding

### A Propositional Dynamic Logic for CCS Programs

A Propositional Dynamic Logic for CCS Programs Mario R. F. Benevides and L. Menasché Schechter {mario,luis}@cos.ufrj.br Abstract This work presents a Propositional Dynamic Logic in which the programs are

### Regular Languages and Finite Automata

Regular Languages and Finite Automata 1 Introduction Hing Leung Department of Computer Science New Mexico State University Sep 16, 2010 In 1943, McCulloch and Pitts [4] published a pioneering work on a

### Atomicity for Concurrent Programs Outsourcing Report. By Khilan Gudka <kg103@doc.ic.ac.uk> Supervisor: Susan Eisenbach

Atomicity for Concurrent Programs Outsourcing Report By Khilan Gudka Supervisor: Susan Eisenbach June 23, 2007 2 Contents 1 Introduction 5 1.1 The subtleties of concurrent programming.......................

### Coverability for Parallel Programs

2015 http://excel.fit.vutbr.cz Coverability for Parallel Programs Lenka Turoňová* Abstract We improve existing method for the automatic verification of systems with parallel running processes. The technique

### Multicore Systems Challenges for the Real-Time Software Developer

Multicore Systems Challenges for the Real-Time Software Developer Dr. Fridtjof Siebert aicas GmbH Haid-und-Neu-Str. 18 76131 Karlsruhe, Germany siebert@aicas.com Abstract Multicore systems have become

### INF5140: Specification and Verification of Parallel Systems

INF5140: Specification and Verification of Parallel Systems Lecture 7 LTL into Automata and Introduction to Promela Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerardo

### Chapter 13. Disk Storage, Basic File Structures, and Hashing

Chapter 13 Disk Storage, Basic File Structures, and Hashing Chapter Outline Disk Storage Devices Files of Records Operations on Files Unordered Files Ordered Files Hashed Files Dynamic and Extendible Hashing

### Krishna Institute of Engineering & Technology, Ghaziabad Department of Computer Application MCA-213 : DATA STRUCTURES USING C

Tutorial#1 Q 1:- Explain the terms data, elementary item, entity, primary key, domain, attribute and information? Also give examples in support of your answer? Q 2:- What is a Data Type? Differentiate

### Model Checking: An Introduction

Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI

### Homework Exam 1, Geometric Algorithms, 2016

Homework Exam 1, Geometric Algorithms, 2016 1. (3 points) Let P be a convex polyhedron in 3-dimensional space. The boundary of P is represented as a DCEL, storing the incidence relationships between the

### Software Analysis (POPA Sec , )

Software Analysis (POPA Sec. 2.2.2, 2.5-2.5.2) Klaus Ostermann Based on slides by Jurriaan Hage Overview Correctness proof Live Variables Analysis The While language with procedures Live Variables Analysis

### Concurrent Data Structures

1 Concurrent Data Structures Mark Moir and Nir Shavit Sun Microsystems Laboratories 1.1 Designing Concurrent Data Structures............. 1-1 Performance Blocking Techniques Nonblocking Techniques Complexity

### Rigorous Software Engineering Hoare Logic and Design by Contracts

Rigorous Software Engineering Hoare Logic and Design by Contracts Simão Melo de Sousa RELEASE (UBI), LIACC (Porto) Computer Science Department University of Beira Interior, Portugal 2010-2011 S. Melo de

### Formal Verification and Linear-time Model Checking

Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging

### A Note on Context Logic

A Note on Context Logic Philippa Gardner Imperial College London This note describes joint work with Cristiano Calcagno and Uri Zarfaty. It introduces the general theory of Context Logic, and has been

### The following themes form the major topics of this chapter: The terms and concepts related to trees (Section 5.2).

CHAPTER 5 The Tree Data Model There are many situations in which information has a hierarchical or nested structure like that found in family trees or organization charts. The abstraction that models hierarchical

### Moving from CS 61A Scheme to CS 61B Java

Moving from CS 61A Scheme to CS 61B Java Introduction Java is an object-oriented language. This document describes some of the differences between object-oriented programming in Scheme (which we hope you

### The Trip Scheduling Problem

The Trip Scheduling Problem Claudia Archetti Department of Quantitative Methods, University of Brescia Contrada Santa Chiara 50, 25122 Brescia, Italy Martin Savelsbergh School of Industrial and Systems

### C#5.0 IN A NUTSHELL. Joseph O'REILLY. Albahari and Ben Albahari. Fifth Edition. Tokyo. Sebastopol. Beijing. Cambridge. Koln.

Koln C#5.0 IN A NUTSHELL Fifth Edition Joseph Albahari and Ben Albahari O'REILLY Beijing Cambridge Farnham Sebastopol Tokyo Table of Contents Preface xi 1. Introducing C# and the.net Framework 1 Object

### 2. Methods of Proof Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try.

2. METHODS OF PROOF 69 2. Methods of Proof 2.1. Types of Proofs. Suppose we wish to prove an implication p q. Here are some strategies we have available to try. Trivial Proof: If we know q is true then

### Turing Degrees and Definability of the Jump. Theodore A. Slaman. University of California, Berkeley. CJuly, 2005

Turing Degrees and Definability of the Jump Theodore A. Slaman University of California, Berkeley CJuly, 2005 Outline Lecture 1 Forcing in arithmetic Coding and decoding theorems Automorphisms of countable

### Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances

Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances Jialin Zhang Tsinghua University zhanggl02@mails.tsinghua.edu.cn Wei Chen Microsoft Research Asia weic@microsoft.com Abstract

### Simulation-Based Security with Inexhaustible Interactive Turing Machines

Simulation-Based Security with Inexhaustible Interactive Turing Machines Ralf Küsters Institut für Informatik Christian-Albrechts-Universität zu Kiel 24098 Kiel, Germany kuesters@ti.informatik.uni-kiel.de

### Static Analysis of Atomicity for Algorithms Using Non-Blocking. Synchronization

Static Analysis of Atomicity for Algorithms Using Non-Blocking Synchronization Liqiang Wang and Scott D. Stoller Abstract In concurrent programming, non-blocking synchronization is very efficient but difficult

### The Halting Problem is Undecidable

185 Corollary G = { M, w w L(M) } is not Turing-recognizable. Proof. = ERR, where ERR is the easy to decide language: ERR = { x { 0, 1 }* x does not have a prefix that is a valid code for a Turing machine

### Monitors, Java, Threads and Processes

Monitors, Java, Threads and Processes 185 An object-oriented view of shared memory A semaphore can be seen as a shared object accessible through two methods: wait and signal. The idea behind the concept

### Software Engineering using Formal Methods

Software Engineering using Formal Methods Model Checking with Temporal Logic Wolfgang Ahrendt 24th September 2013 SEFM: Model Checking with Temporal Logic /GU 130924 1 / 33 Model Checking with Spin model

### Algorithmic Software Verification

Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal

### CS510 Software Engineering

CS510 Software Engineering Propositional Logic Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-cs510-se

### Elemental functions: Writing data-parallel code in C/C++ using Intel Cilk Plus

Elemental functions: Writing data-parallel code in C/C++ using Intel Cilk Plus A simple C/C++ language extension construct for data parallel operations Robert Geva robert.geva@intel.com Introduction Intel

### Cost Model: Work, Span and Parallelism. 1 The RAM model for sequential computation:

CSE341T 08/31/2015 Lecture 3 Cost Model: Work, Span and Parallelism In this lecture, we will look at how one analyze a parallel program written using Cilk Plus. When we analyze the cost of an algorithm

### 7.1 Our Current Model

Chapter 7 The Stack In this chapter we examine what is arguably the most important abstract data type in computer science, the stack. We will see that the stack ADT and its implementation are very simple.

Computing and Informatics, Vol. 20, 2001,????, V 2006-Nov-6 UPDATES OF LOGIC PROGRAMS Ján Šefránek Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University,

### Automated Program Behavior Analysis

Automated Program Behavior Analysis Stacy Prowell sprowell@cs.utk.edu March 2005 SQRL / SEI Motivation: Semantics Development: Most engineering designs are subjected to extensive analysis; software is

### 1. The memory address of the first element of an array is called A. floor address B. foundation addressc. first address D.

1. The memory address of the first element of an array is called A. floor address B. foundation addressc. first address D. base address 2. The memory address of fifth element of an array can be calculated

### Validated Templates for Specification of Complex LTL Formulas

Validated Templates for Specification of Complex LTL Formulas Salamah Salamah Department of Electrical, computer, Software, and Systems Engineering Embry Riddle Aeronautical University 600 S. Clyde Morris

### Applications of formal verification for secure Cloud environments at CEA LIST

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,... SEC2, Lille, June 30 th, 2015 N. Kosmatov (CEA LIST) Formal

### Universal hashing. In other words, the probability of a collision for two different keys x and y given a hash function randomly chosen from H is 1/m.

Universal hashing No matter how we choose our hash function, it is always possible to devise a set of keys that will hash to the same slot, making the hash scheme perform poorly. To circumvent this, we

### Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering

### Formal Engineering for Industrial Software Development

Shaoying Liu Formal Engineering for Industrial Software Development Using the SOFL Method With 90 Figures and 30 Tables Springer Contents Introduction 1 1.1 Software Life Cycle... 2 1.2 The Problem 4 1.3

### HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

HECTOR a software model checker with cooperating analysis plugins Nathaniel Charlton and Michael Huth Imperial College London Introduction HECTOR targets imperative heap-manipulating programs uses abstraction

### Lexical analysis FORMAL LANGUAGES AND COMPILERS. Floriano Scioscia. Formal Languages and Compilers A.Y. 2015/2016

Master s Degree Course in Computer Engineering Formal Languages FORMAL LANGUAGES AND COMPILERS Lexical analysis Floriano Scioscia 1 Introductive terminological distinction Lexical string or lexeme = meaningful

### PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

International Journal of Computer ScienceandCommunication Vol. 2, No. 1, January-June2011, pp. 153-157 PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE Neeraj Kumar Singhania University,

### Paper 3F6: Software Engineering and Systems Distributed Systems Design Solutions to Examples Paper 3

Engineering Tripos Part IIA THIRD YEAR Paper 3F: Software Engineering and Systems Distributed Systems Design Solutions to Examples Paper 3 CORBA 1. (a) A typical IDL file for this application is as follows:

### Policy Analysis for Administrative Role Based Access Control without Separate Administration

Policy nalysis for dministrative Role Based ccess Control without Separate dministration Ping Yang Department of Computer Science, State University of New York at Binghamton, US Mikhail I. Gofman Department

### Chapter 4 Software Lifecycle and Performance Analysis

Chapter 4 Software Lifecycle and Performance Analysis This chapter is aimed at illustrating performance modeling and analysis issues within the software lifecycle. After having introduced software and

### Smallfoot: Modular Automatic Assertion Checking with Separation Logic

In: FMCO 2005, LNCS 4111, pp. 115 137. Smallfoot: Modular Automatic Assertion Checking with Separation Logic Josh Berdine 1, Cristiano Calcagno 2, and Peter W. O Hearn 3 1 Microsoft Research 2 Imperial

### Verification of Component-Based Software Application Families

Verification of Component-Based Software Application Families Fei Xie 1 and James C. Browne 2 1 Dept. of Computer Science, Portland State Univ., Portland, OR 97207 xie@cs.pdx.edu 2 Dept. of Computer Sciences,

### Standard for Software Component Testing

Standard for Software Component Testing Working Draft 3.4 Date: 27 April 2001 produced by the British Computer Society Specialist Interest Group in Software Testing (BCS SIGIST) Copyright Notice This document

Load Balancing Backtracking, branch & bound and alpha-beta pruning: how to assign work to idle processes without much communication? Additionally for alpha-beta pruning: implementing the young-brothers-wait

### TOPOLOGY: THE JOURNEY INTO SEPARATION AXIOMS

TOPOLOGY: THE JOURNEY INTO SEPARATION AXIOMS VIPUL NAIK Abstract. In this journey, we are going to explore the so called separation axioms in greater detail. We shall try to understand how these axioms

### An Implementation Of Multiprocessor Linux

An Implementation Of Multiprocessor Linux This document describes the implementation of a simple SMP Linux kernel extension and how to use this to develop SMP Linux kernels for architectures other than

### The countdown problem

JFP 12 (6): 609 616, November 2002. c 2002 Cambridge University Press DOI: 10.1017/S0956796801004300 Printed in the United Kingdom 609 F U N C T I O N A L P E A R L The countdown problem GRAHAM HUTTON

### Correspondence analysis for strong three-valued logic

Correspondence analysis for strong three-valued logic A. Tamminga abstract. I apply Kooi and Tamminga s (2012) idea of correspondence analysis for many-valued logics to strong three-valued logic (K 3 ).

### How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor

How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor Leslie Lamport 1 Digital Equipment Corporation February 14, 1993 Minor revisions January 18, 1996 and September 14, 1996

### Predictive modeling for software transactional memory

VU University Amsterdam BMI Paper Predictive modeling for software transactional memory Author: Tim Stokman Supervisor: Sandjai Bhulai October, Abstract In this paper a new kind of concurrency type named

### Chapter 13 Disk Storage, Basic File Structures, and Hashing.

Chapter 13 Disk Storage, Basic File Structures, and Hashing. Copyright 2004 Pearson Education, Inc. Chapter Outline Disk Storage Devices Files of Records Operations on Files Unordered Files Ordered Files

### Static Analysis. Find the Bug! 15-654: Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Static Analysis 15-654: Analysis of Software Artifacts Jonathan Aldrich 1 Find the Bug! Source: Engler et al., Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions, OSDI

### Views: Compositional Reasoning for Concurrent Programs

Views: Compositional Reasoning for Concurrent Programs Thomas Dinsdale-Young 1, Lars Birkedal 2, Philippa Gardner 1, Matthew J. Parkinson 3, and Hongseok Yang 4 1 Imperial College London 3 Microsoft Research

### Determination of the normalization level of database schemas through equivalence classes of attributes

Computer Science Journal of Moldova, vol.17, no.2(50), 2009 Determination of the normalization level of database schemas through equivalence classes of attributes Cotelea Vitalie Abstract In this paper,