Proving correctness of threaded parallel executable code generated from models described by a domain specific language

We investigate the correctness of threaded parallel executable code generated from models described by a Domain Specific Language (DSL). Developing correct multi-threaded code is challenging. Model Driven Engineering (MDE) is a promising approach: modeling is done at a high abstraction level, and a chain of model transformations generates the implementation code. During my Capita Selecta, I implemented the code generation step of a particular MDE chain, the transformation of state-machine-like SLCO models into multi-threaded C# code. The generated code uses and inherits from multi-threaded generic code. The goal of the present research is to investigate the formal specification and verification of that generic code. We first made a small overview of available tools and selected the tool best suited to the verification. We then performed a parameterized verification with VeriFast on an essential, non-trivial part of the framework. Finally, we reflect on the lessons learned.
