Editorial Notes
The authors have requested minor, non-substantive changes to the VoR and, in accordance with ACM policies, a Corrected VoR was published on February 19, 2021. For reference purposes the VoR may still be accessed via the Supplemental Material section on this page.
Abstract
Verifying large and complex concurrent systems feasibly and scalably requires compositional techniques even at the highest abstraction layers. At the lowest software abstraction layers, such as the implementation or the machine code, the high level of detail makes the direct verification of properties very difficult and expensive, so techniques that simplify verification at these layers are essential. One technique that tackles this challenge is top-down verification, in which properties verified on the top layers (abstract specifications of a system) are propagated, by means of simulation, down to the lowest layers (implementations of the top layers). Simulation of concurrent systems entails a greater level of complexity, so compositional techniques for checking simulation between layers are also desirable when seeking both feasibility and scalability of refinement verification. In this article, we present CSim2, a compositional rely-guarantee-based framework for the top-down verification of complex concurrent systems in the Isabelle/HOL theorem prover. CSim2 uses CSimpl, a highly expressive language designed for the specification of concurrent programs. Thanks to this expressiveness, CSimpl can model many of the features found in real-world programming languages, such as exceptions, assertions, and procedures. CSim2 provides a framework for the verification of rely-guarantee properties, allowing compositional reasoning on CSimpl specifications. Focusing on top-down verification, CSim2 provides a simulation-based framework for preserving CSimpl rely-guarantee properties from specifications to implementations. Using the simulation framework, properties proven on the top layers (abstract specifications) are compositionally propagated down to the lowest layers (source or machine code) in each concurrent component of the system. Finally, we show the usability of CSim2 through a case study on two CSimpl specifications of an ARINC-653 communication service. In this case study, we prove a complex property on a specification and use CSim2 to preserve the property on lower abstraction layers.
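The following is an added illustration, not part of the abstract and not CSim2's own notation, of why rely-guarantee reasoning is compositional and what "propagating a property by simulation" means. It uses the classic Jones/Xu-style quadruple $c \;\mathrm{sat}\; (p, R, G, q)$ (precondition $p$, rely $R$ on environment steps, guarantee $G$ on the component's own steps, postcondition $q$); the simulation relation $\preceq_{(R,G)}$ and the shape of the preservation step are assumed schematic forms, not the theorems proved in the paper.

```latex
% Parallel composition: each component's guarantee becomes part of the
% other's rely, so no global interleaving argument is needed.
\[
\frac{
  c_1 \;\mathrm{sat}\; (p,\; R \lor G_2,\; G_1,\; q_1)
  \qquad
  c_2 \;\mathrm{sat}\; (p,\; R \lor G_1,\; G_2,\; q_2)
}{
  c_1 \parallel c_2 \;\mathrm{sat}\; (p,\; R,\; G_1 \lor G_2,\; q_1 \land q_2)
}
\]

% Top-down step (schematic): if an implementation component c_i' simulates
% its specification c_i under the same rely/guarantee pair, the quadruple
% proved for the specification is inherited by the implementation.
\[
\frac{
  c_i' \;\preceq_{(R_i,\,G_i)}\; c_i
  \qquad
  c_i \;\mathrm{sat}\; (p,\; R_i,\; G_i,\; q_i)
}{
  c_i' \;\mathrm{sat}\; (p,\; R_i,\; G_i,\; q_i)
}
\]

% Combining both: the per-component results for c_1' and c_2' feed the
% parallel rule again, so c_1' || c_2' satisfies the system-level quadruple
% without re-verifying the composed implementation directly.
\[
c_1' \parallel c_2' \;\mathrm{sat}\; (p,\; R,\; G_1 \lor G_2,\; q_1 \land q_2)
\]
```

The practical point is the proof obligation split: the expensive reasoning about interleavings happens once at the specification level, and each implementation component only has to be shown to simulate its specification under the rely/guarantee pair already fixed for it.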
Supplemental Material
Version of Record for "CSim2: Compositional Top-down Verification of Concurrent Systems using Rely-Guarantee" by Sanan et al., ACM Transactions on Programming Languages and Systems, Volume 43, Issue 1 (TOPLAS 43:1).