Abstract
Large-scale software verification relies critically on the use of compositional languages, semantic models, specifications, and verification techniques. Recent work on certified abstraction layers synthesizes game semantics, the refinement calculus, and algebraic effects to enable the composition of heterogeneous components into larger certified systems. However, in existing models of certified abstraction layers, compositionality is restricted by the lack of encapsulation of state.
In this paper, we present a novel game model for certified abstraction layers where the semantics of layer interfaces and implementations are defined solely based on their observable behaviors. Our key idea is to leverage Reddy's pioneer work on modeling the semantics of imperative languages not as functions on global states but as objects with their observable behaviors. We show that a layer interface can be modeled as an object type (i.e., a layer signature) plus an object strategy. A layer implementation is then essentially a regular map, in the sense of Reddy, from an object with the underlay signature to that with the overlay signature. A layer implementation is certified when its composition with the underlay object strategy implements the overlay object strategy. We also describe an extension that allows for non-determinism in layer interfaces.
After formulating layer implementations as regular maps between object spaces, we move to concurrency and design a notion of concurrent object space, where sequential traces may be identified modulo permutation of independent operations. We show how to express protected shared object concurrency, and a ticket lock implementation, in a simple model based on regular maps between concurrent object spaces.
Supplemental Material
- 2015-2021. DeepSpec: The Science of Deep Specifications. https://deepspec.org/Google Scholar
- Samson Abramsky, Radha Jagadeesan, and Pasquale Malacaria. 2000. Full Abstraction for PCF. Inf. Comput., 163, 2 (2000), 409–470. issn:0890-5401 https://doi.org/10.1006/inco.2000.2930 Google Scholar
Digital Library
- Samson Abramsky and Guy McCusker. 1997. Linearity, Sharing and State: A Fully Abstract Game Semantics for Idealized Algol with Active Expressions. Birkhäuser Boston, Boston, MA. 297–329. isbn:978-1-4757-3851-3 https://doi.org/10.1007/978-1-4757-3851-3_10 Google Scholar
Cross Ref
- Samson Abramsky and Guy McCusker. 1999. Game Semantics. In Computational Logic, Ulrich Berger and Helmut Schwichtenberg (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 1–55. isbn:978-3-642-58622-4Google Scholar
- Andrew W. Appel. 2011. Verified Software Toolchain. In Proceedings of the 20th European Symposium on Programming (ESOP 2011). Springer, Berlin, Heidelberg. 1–17. isbn:978-3-642-19717-8 https://doi.org/10.1007/978-3-642-19718-5_1 Google Scholar
Cross Ref
- Andrew W Appel, Lennart Beringer, Adam Chlipala, Benjamin C Pierce, Zhong Shao, Stephanie Weirich, and Steve Zdancewic. 2017. Position Paper: The Science of Deep Specification. Phil. Trans. R. Soc. A, 375, 2104 (2017), 20160331. https://doi.org/10.1098/rsta.2016.0331 Google Scholar
Cross Ref
- Ralph-Johan Back and Joakim von Wright. 1998. Refinement Calculus: A Systematic Introduction. Springer, New York. isbn:978-1-4612-1674-2 https://doi.org/10.1007/978-1-4612-1674-2 Google Scholar
Cross Ref
- Andreas Blass. 1992. A Game Semantics for Linear Logic. Ann. Pure Appl. Log., 56, 1–3 (1992), 183–220. issn:0168-0072 https://doi.org/10.1016/0168-0072(92)90073-9 Google Scholar
Cross Ref
- Stephen Brookes. 2006. A Grainless Semantics for Parallel Programs with Shared Mutable Data. Electronic Notes in Theoretical Computer Science, 155 (2006), 277 – 307. issn:1571-0661 https://doi.org/10.1016/j.entcs.2005.11.060 Proceedings of the 21st Annual Conference on Mathematical Foundations of Programming Semantics (MFPS XXI). Google Scholar
Digital Library
- Stephen Brookes. 2007. A Semantics for Concurrent Separation Logic. Theoretical Computer Science, 375, 1 (2007), 227 – 270. issn:0304-3975 https://doi.org/10.1016/j.tcs.2006.12.034 Festschrift for John C. Reynolds’s 70th birthday. Google Scholar
Digital Library
- Ana C. Calderon and Guy McCusker. 2010. Understanding Game Semantics Through Coherence Spaces. Electron. Notes Theor. Comput. Sci., 265 (2010), Sept., 231–244. issn:1571-0661 https://doi.org/10.1016/j.entcs.2010.08.014 Google Scholar
Digital Library
- Andrea Cerone, Alexey Gotsman, and Hongseok Yang. 2014. Parameterised Linearisability. In Automata, Languages, and Programming, Javier Esparza, Pierre Fraigniaud, Thore Husfeldt, and Elias Koutsoupias (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 98–109. isbn:978-3-662-43951-7Google Scholar
- Hao Chen, Xiongnan (Newman) Wu, Zhong Shao, Joshua Lockerman, and Ronghui Gu. 2016. Toward Compositional Verification of Interruptible OS Kernels and Device Drivers. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’16). Association for Computing Machinery, New York, NY, USA. 431–447. isbn:9781450342612 https://doi.org/10.1145/2908080.2908101 Google Scholar
Digital Library
- Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans Kaashoek, and Nickolai Zeldovich. 2015. Using Crash Hoare Logic for Certifying the FSCQ File System. In Proceedings of the 25th Symposium on Operating Systems Principles (SOSP ’15). Association for Computing Machinery, New York, NY, USA. 18–37. isbn:9781450338349 https://doi.org/10.1145/2815400.2815402 Google Scholar
Digital Library
- Joonwon Choi, Muralidaran Vijayaraghavan, Benjamin Sherman, Adam Chlipala, and Arvind. 2017. Kami: A Platform for High-Level Parametric Hardware Specification and Its Modular Verification. Proc. ACM Program. Lang., 1, ICFP (2017), Article 24, Aug., 30 pages. https://doi.org/10.1145/3110268 Google Scholar
Digital Library
- David Costanzo, Zhong Shao, and Ronghui Gu. 2016. End-to-End Verification of Information-Flow Security for C and Assembly Programs. SIGPLAN Not., 51, 6 (2016), June, 648–664. issn:0362-1340 https://doi.org/10.1145/2980983.2908100 Google Scholar
Digital Library
- Ivana Filipović, Peter O’Hearn, Noam Rinetzky, and Hongseok Yang. 2009. Abstraction for Concurrent Objects. In Programming Languages and Systems, Giuseppe Castagna (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg. 252–266. isbn:978-3-642-00590-9Google Scholar
- Dan R. Ghica and Andrzej S. Murawski. 2008. Angelic Semantics of Fine-Grained Concurrency. Annals of Pure and Applied Logic, 151, 2 (2008), 89 – 114. issn:0168-0072 https://doi.org/10.1016/j.apal.2007.10.005 Google Scholar
Cross Ref
- Jean-Yves Girard. 1987. Linear logic. Theoretical Computer Science, 50, 1 (1987), 1–101. issn:0304-3975 https://doi.org/10.1016/0304-3975(87)90045-4 Google Scholar
Digital Library
- Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’15). Association for Computing Machinery, New York, NY, USA. 595–608. isbn:9781450333009 https://doi.org/10.1145/2676726.2676975 Google Scholar
Digital Library
- Ronghui Gu, Zhong Shao, Hao Chen, Jieung Kim, Jérémie Koenig, Xiongnan (Newman) Wu, Vilhelm Sjöberg, and David Costanzo. 2019. Building Certified Concurrent OS Kernels. Commun. ACM, 62, 10 (2019), Sept., 89–99. issn:0001-0782 https://doi.org/10.1145/3356903 Google Scholar
Digital Library
- Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation (OSDI’16). USENIX Association, USA. 653–669. isbn:9781931971331Google Scholar
- Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified Concurrent Abstraction Layers. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2018). Association for Computing Machinery, New York, NY, USA. 646–661. isbn:9781450356985 https://doi.org/10.1145/3192366.3192381 Google Scholar
Digital Library
- Maurice P. Herlihy and Jeannette M. Wing. 1990. Linearizability: A Correctness Condition for Concurrent Objects. ACM Trans. Program. Lang. Syst., 12, 3 (1990), July, 463–492. issn:0164-0925 https://doi.org/10.1145/78969.78972 Google Scholar
Digital Library
- J. M. E. Hyland and C.-H. L. Ong. 2000. On Full Abstraction for PCF: I, II, and III. Inf. Comput., 163, 2 (2000), 285–408. https://doi.org/10.1006/inco.2000.2917 Google Scholar
Digital Library
- A. Kock. 1972. Strong functors and monoidal monads. Archiv der Mathematik, 23 (1972), 113–120.Google Scholar
Cross Ref
- Jérémie Koenig. 2021. Grounding Game Semantics in Categorical Algebra. In Proceedings of the Fourth International Conference on Applied Category Theory, Kohei Kishida (Ed.) (ACT 2021). To appear.Google Scholar
- Jérémie Koenig and Zhong Shao. 2020. Refinement-Based Game Semantics for Certified Abstraction Layers. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’20). Association for Computing Machinery, New York, NY, USA. 633–647. isbn:9781450371049 https://doi.org/10.1145/3373718.3394799 Google Scholar
Digital Library
- Jérémie Koenig and Zhong Shao. 2021. CompCertO: Compiling Certified Open C Components. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (PLDI 2021). Association for Computing Machinery, New York, NY, USA. 1095–1109. isbn:9781450383912 https://doi.org/10.1145/3453483.3454097 Google Scholar
Digital Library
- Xavier Leroy. 2009. Formal Verification of a Realistic Compiler. Commun. ACM, 52, 7 (2009), July, 107–115. issn:0001-0782 https://doi.org/10.1145/1538788.1538814 Google Scholar
Digital Library
- Mengqi Liu, Lionel Rieg, Zhong Shao, Ronghui Gu, David Costanzo, Jung-Eun Kim, and Man-Ki Yoon. 2019. Virtual Timeline: A Formal Abstraction for Verifying Preemptive Schedulers with Temporal Isolation. Proc. ACM Program. Lang., 4, POPL (2019), Article 20, Dec., 31 pages. https://doi.org/10.1145/3371088 Google Scholar
Digital Library
- Antoni W. Mazurkiewicz. 1995. Introduction to Trace Theory. In The Book of Traces, Volker Diekert and Grzegorz Rozenberg (Eds.). World Scientific, 3–41. https://doi.org/10.1142/9789814261456_0001 Google Scholar
Cross Ref
- Paul-André Melliès and Léo Stefanesco. 2018. An Asynchronous Soundness Theorem for Concurrent Separation Logic. In Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’18). Association for Computing Machinery, New York, NY, USA. 699–708. isbn:9781450355834 https://doi.org/10.1145/3209108.3209116 Google Scholar
Digital Library
- Paul-André Melliès and Léo Stefanesco. 2020. Concurrent Separation Logic Meets Template Games. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’20). Association for Computing Machinery, New York, NY, USA. 742–755. isbn:9781450371049 https://doi.org/10.1145/3373718.3394762 Google Scholar
Digital Library
- Paul-André Melliès and Noam Zeilberger. 2015. Functors Are Type Refinement Systems. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’15). Association for Computing Machinery, New York, NY, USA. 3–16. isbn:9781450333009 https://doi.org/10.1145/2676726.2676970 Google Scholar
Digital Library
- Paul-André Melliès. 2009. Categorical Semantics of Linear Logic. In Interactive Models of Computation and Program Behaviour, Panoramas et Synthèses 27. Société Mathématique de France, Paris, France. 1–196.Google Scholar
- Andrzej S. Murawski and Nikos Tzevelekos. 2014. Game Semantics for Interface Middleweight Java. In Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’14). Association for Computing Machinery, New York, NY, USA. 517–528. isbn:9781450325448 https://doi.org/10.1145/2535838.2535880 Google Scholar
Digital Library
- Andrzej S. Murawski and Nikos Tzevelekos. 2019. Higher-order Linearisability. Journal of Logical and Algebraic Methods in Programming, 104 (2019), 86–116. issn:2352-2208 https://doi.org/10.1016/j.jlamp.2019.01.002 Google Scholar
Cross Ref
- Peter W. O’Hearn. 2004. Resources, Concurrency and Local Reasoning. In CONCUR 2004 - Concurrency Theory, Philippa Gardner and Nobuko Yoshida (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 49–67. isbn:978-3-540-28644-8Google Scholar
- Peter W. O’Hearn and Uday S. Reddy. 1999. Objects, interference, and the Yoneda embedding. Theoretical Computer Science, 228, 1 (1999), 253–282. issn:0304-3975 https://doi.org/10.1016/S0304-3975(98)00360-0 Google Scholar
Digital Library
- Arthur Oliveira Vale, Paul-André Melliès, Zhong Shao, Jérémie Koenig, and Léo Stefanesco. 2021. Layered and Object-Based Game Semantics. Yale Univ.. https://flint.cs.yale.edu/publications/layered.htmlGoogle Scholar
- Gordon Plotkin and John Power. 2001. Adequacy for Algebraic Effects. In Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2001). Springer, Berlin, Heidelberg. 1–24. isbn:978-3-540-45315-4 https://doi.org/10.1007/3-540-45315-6_1 Google Scholar
Cross Ref
- Gordon Plotkin and Matija Pretnar. 2009. Handlers of Algebraic Effects. In Proceedings of the 18th European Symposium on Programming (ESOP 2009). Springer, Berlin, Heidelberg. 80–94. https://doi.org/10.1007/978-3-642-00590-9_7 Google Scholar
Digital Library
- U.S. Reddy. 1994. Passivity and independence. In Proceedings Ninth Annual IEEE Symposium on Logic in Computer Science. 342–352. https://doi.org/10.1109/LICS.1994.316055 Google Scholar
Cross Ref
- Uday S. Reddy. 1993. A Linear Logic Model of State. Dept. of Computer Science, UIUC, Urbana, IL.Google Scholar
- Uday S. Reddy. 1996. Global State Considered Unnecessary: An Introduction to Object-Based Semantics. LISP Symb. Comput., 9, 1 (1996), 7–76.Google Scholar
Cross Ref
- Uday S. Reddy. 2002. Objects and Classes in Algol-like Languages. Inf. Comput., 172, 1 (2002), Feb., 63–97. issn:0890-5401 https://doi.org/10.1006/inco.2001.2927 Google Scholar
Digital Library
- Uday S. Reddy. 2013. Automata-Theoretic Semantics of Idealized Algol with Passive Expressions. Electronic Notes in Theoretical Computer Science, 298 (2013), 325–348. issn:1571-0661 https://doi.org/10.1016/j.entcs.2013.09.020 Proceedings of the Twenty-ninth Conference on the Mathematical Foundations of Programming Semantics, MFPS XXIX. Google Scholar
Digital Library
- Uday S. Reddy and Brian P. Dunphy. 2012. An Automata-Theoretic Model of Idealized Algol. In Automata, Languages, and Programming, Artur Czumaj, Kurt Mehlhorn, Andrew Pitts, and Roger Wattenhofer (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 337–350. isbn:978-3-642-31585-5Google Scholar
- Christian Retoré. 1997. Pomset logic: A non-commutative extension of classical linear logic. In Typed Lambda Calculi and Applications, Philippe de Groote and J. Roger Hindley (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 300–318. isbn:978-3-540-68438-1Google Scholar
- Jerome H. Saltzer and M. Frans Kaashoek. 2009. Principles of Computer System Design. Morgan Kaufmann.Google Scholar
- Zhong Shao. 2010. Certified Software. Commun. ACM, 53, 12 (2010), December, 56–66.Google Scholar
Digital Library
- Vilhelm Sjöberg, Yuyang Sang, Shu-chun Weng, and Zhong Shao. 2019. DeepSEA: A Language for Certified System Software. Proc. ACM Program. Lang., 3, OOPSLA (2019), Article 136, Oct., 27 pages. issn:2475-1421 https://doi.org/10.1145/3360562 Google Scholar
Digital Library
Index Terms
Layered and object-based game semantics
Recommendations
Refinement-Based Game Semantics for Certified Abstraction Layers
LICS '20: Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer ScienceFormal methods have advanced to the point where the functional correctness of various large system components has been mechanically verified. However, the diversity of semantic models used across projects makes it difficult to connect these component to ...
Procedural implementation of algebraic specification
An implementation of an algebraic specification in an imperative programming language consists of a representation type, together with an invariant and an equivalence relation over it, and a procedure for each operator in the specification. A formal ...
Software Model Checking Based on Game Semantics and CSP
We present an approach for software model checking based on game semantics and CSP. Open program fragments are compositionally modelled as CSP processes which represent their game semantics. This translation is performed by a prototype compiler. ...






Comments