
CSim2: Compositional Top-down Verification of Concurrent Systems using Rely-Guarantee

Published: 09 February 2021

Editorial Notes

The authors have requested minor, non-substantive changes to the VoR and, in accordance with ACM policies, a Corrected VoR was published on February 19, 2021. For reference purposes the VoR may still be accessed via the Supplemental Material section on this page.


Abstract

Making the verification of large and complex concurrent systems feasible and scalable requires compositional techniques even at the highest abstraction layers. At the lowest software abstraction layers, such as the implementation or the machine code, the high level of detail makes the direct verification of properties very difficult and expensive. It is therefore essential to use techniques that simplify verification on these layers. One technique to tackle this challenge is top-down verification, in which properties verified on the top layers (representing abstract specifications of a system) are propagated down, by means of simulation, to the lowest layers (which implement the top layers). Simulation of concurrent systems naturally involves a greater level of complexity, so compositional techniques for checking simulation between layers are also desirable when seeking both feasibility and scalability of refinement verification. In this article, we present CSim2, a compositional rely-guarantee-based framework for the top-down verification of complex concurrent systems in the Isabelle/HOL theorem prover. CSim2 uses CSimpl, a highly expressive language designed for the specification of concurrent programs. Thanks to its expressiveness, CSimpl is able to model many of the features found in real-world programming languages, such as exceptions, assertions, and procedures. CSim2 provides a framework for the verification of rely-guarantee properties, allowing compositional reasoning on CSimpl specifications. Focusing on top-down verification, CSim2 provides a simulation-based framework for the preservation of CSimpl rely-guarantee properties from specifications to implementations.
Using the simulation framework, properties proven on the top layers (abstract specifications) are compositionally propagated down to the lowest layers (source or machine code) in each concurrent component of the system. Finally, we show the usability of CSim2 by running a case study over two CSimpl specifications of an ARINC-653 communication service. In this case study, we prove a complex property on a specification, and we use CSim2 to preserve the property on lower abstraction layers.
