xii

viii

viii

vii Chapter

vii

vi

ion-Based Techniques In [BPG08], the Assume-guarantee-Abstraction Refinement method is proposed for the automation of this compositional reasoning paradigm and applied for Rule 2.1. It is mainly inspired by the CEGAR approach and iteratively finds assumptions that represent the abstraction of the behavior of component B0 which concerns its interaction with component B. Therefore, in each iteration, the assumption A satisfies the first premise of the rule and is verified for the second premise. The generated counterexamples are analyzed and those which are spurious serve to strengthen iteratively the overapproximation made by the abstraction. 2.1.2 Assume-guarantee Reasoning for Timed Systems The above-mentioned research works are focused on the untimed systems. The proposals to handle real-time systems are more limited. In [GJL04, GJP06, GJL10], the authors extended the learning techniques which were first proposed by Angluin for finite automata to the setting of real-time systems. In the field of timed automata, one major obstacle for learning assumptions is that the set of clocks is not known in advance. Regarding this difficulty, the authors restricted their methods for event-recording-automata (ERA) [AFH99] where the last occurrence of each action is registered. The three developed algorithms focus on ERA with canonical shapes and which can be perceived as finite automata over a symbolic alphabet. Another method for learning timed systems was proposed in [VDWW06]. It deals with timed automata containing one clock reset at every transition. There, the generalization to automata with multiple clocks is difficult. In [LAL+14], another method for learning the non circular rule of assume-guarantee method is proposed for the verification of timed systems, focusing also on ERA. It consists in a twosteps flow: first, an untimed assumption is generated in order to ensure the events sequence is correct, then these assumptions are refined so that timing constraints are satisfied. 2.2. Contract-Based Reasoning and Interface Theories 19 In [FHK04], an assume-guarantee reasoning approach is proposed for hybrid I/O-automata [LSV03] where a novel rule is proposed on the basis of simulation relations. One advantage of this approach is that circularity is countered by a state-based non blocking condition that can be checked during the computation of the simulation relations.

ion is the process in programming that allows the complexity of certain aspects of a program to be limited to parts of the program and provides a clean interface for using those features. For instance, object oriented features such as polymorphism and encapsulation can be implemented in a non-object oriented programming language (such as C) by exploiting related design patterns [3], but at the cost of complex logic to be coded by the programmer. Alternatively, object oriented languages provide declarative syntax that abstracts the object oriented features and reduces the complexity of code to be written by the programmer. Similarly, in conventional object oriented programming, a programmer can write code to maintain the state of an object, but at the cost of writing the state maintenance code himself. Usually state maintenance code is in the form of conditional checks, state tables or in the form of state design patterns that potentially make the object oriented code more complex.

ion and Training of Stochastic Graph Transformation Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Mayur Bapodra and Reiko Heckel

ion Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Pei-Hsin Ho

and many others; see the Acknowledgements section for a full list. In the painting, there are two quotations from book VII of P. Ovidius Naso's Metamorphoses: " Nempe tenens, quod amo, gremioque in Iasonis haerens per freta longa ferar: nihil illum amplexa verebor " (verses 66–67), and " heros Aesonius potitur spolioque superbus muneris auctorem secum, spolia altera, portans " (verses 156–157). Preface One of the best known approaches to the development of cognitive agents is the BDI (Beliefs-Desires-Intentions) architecture. In the area of agent-oriented programming languages in particular, AgentSpeak(L) has been one of the most influential abstract languages based on the BDI architecture. The type of agents specified with AgentSpeak(L) are sometimes referred to as reactive planning systems. To the best of our knowledge, Jason is the first fully-fledged interpreter for a much improved version of AgentSpeak, including also speech-act based inter-agent communication. Using SACI, a Jason multi-agent system can be distributed over a network effortlessly. Various ad hoc implementations of BDI systems exist, but one important characteristic of AgentSpeak is its theoretical foundation; work on formal verification of AgentSpeak systems is also underway (references are given throughout this document). Another important characteristic of Jason in comparison with other BDI agent systems is that it is implemented in Java (thus multi-platform) and is available Open Source, and is distributed under GNU LGPL. Besides interpreting the original AgentSpeak(L) language, Jason also features: • strong negation, so both closed-world assumption and open-world are available; • handling of plan failures; • speech-act based inter-agent communication (and belief annotations on information sources); • annotations on plan labels, which can be used by elaborate (e.g., decision theoretic) selection functions; • support for developing Environments (which are not normally to be programmed in AgentSpeak; in this case they are programmed in Java); • the possibility to run a multi-agent system distributed over a network (using SACI); • fully customisable (in Java) selection functions, trust functions, and overall agent architecture (perception, belief-revision, inter-agent communication, and acting); • a library of essential " internal actions " ; • straightforward extensibility by user-defined internal actions, which are programmed in Java. Besides, it is an implementation of the operational semantics, formally given to the AgentSpeak(L) language and most of the extensions available in Jason. This manual is still quite preliminary, and written in the form of something like a tutorial. It does cover most of the features of the …

Writing reliable concurrent programs is said to be more difficult than sequential programs because of the possibility of deadlocks and races. Moreover, the state-explosion problem caused by non-deterministic interleaving of threads makes it difficult to track program states. One of the promising approaches for high software reliability is formal verification, statically verifying software before executing it. However, though static verification methods have been extensively studied for sequential programs so far, verification for concurrent programs is still immature, in that many important software features such as interrupts and dynamic creation of communication channels, which often appear in practical software, have not been investigated. Because the debugging-by-testing approach for concurrent programs is less useful than for sequential programs, static verification methods that can deal with concurrent programs with such primitives are of significant importance. As a step to verification methods that can deal with practical programs, we propose type-based verification of two important security properties of concurrent programs: deadlock-freedom and resource usage. The presented deadlock-freedom verification is equipped with three features: (1) non-blockstructured mutex primitives (2) mutable references to mutexes and (3) interrupts. Those three features, which are heavily used in real-world programs, have not been dealt with in the deadlock-freedom analyses proposed so far. In order to design a deadlock-freedom verification for such programs, we define a concurrent calculus with those three features and a type system for the calculus. Our type system guarantees deadlockfreedom (1) by verifying that there are not circular dependencies among locking/unlocking operations and (2) by guaranteeing that an acquired lock is released exactly once. For guaranteeing the first condition, the type system assigns a natural number called lock level to each lock type and verifies that locks are acquired in a strict increasing order of those numbers. For the verification of the second condition in the presence of aliasing and references to a mutex, we use a kind of linear types called capabilities/obligations, and ownerships, a technique to control accesses to a reference to a mutex. We also report the result of a verification experiment of an implementation of a network protocol stack. We next present a type-based resource usage analysis for the π-calculus. The goal of the resource usage analysis is to statically check that various resources (e.g., files, memory and sockets) are accessed according to an access protocol associated to each resource. Though resource usage analysis for sequential programs is extensively studied so far, it is not well investigated for concurrent programs, especially those involving dynamic creation/passing of communication channels and resources, which often appears in practical software. To this end, we design a type system for a π-calculus extended with resource creation/access primitives, as an extension of the behavioral type system by Igarashi and Kobayashi. The type system guarantees the safety property that no invalid access is performed, as well as the property that necessary accesses (such as the close operation for a file) are eventually performed unless the program diverges. A sound type inference algorithm for the type system is also developed to free the programmer from the burden of writing complex type annotations. Based on the algorithm, we have implemented a prototype resource usage analyzer for the π-calculus. To the authors’ knowledge, ours is the first type-based resource usage analysis that deals with an expressive concurrent language like the π-calculus.

Writing effective models for systems and their environment is a challenge. The task involves both mastering the modeling tool and its notation, and faithfully translating all requirements and specifications into a complete model. The former ability can be learned, while the latter one is a continuous challenge requiring experience and tools supporting the visualization and understanding of models. This paper describes our experience with incomplete models, the types of changes that were made later, and the defects that were found with the improved models.

With the success of formal verification techniques like equivalence checking and model checking for hardware designs, there has been growing interest in applying such techniques for formal analysis and automatic verification of software programs. This paper provides a brief tutorial on model checking of C programs. The essential approach is to model the semantics of C programs in the form of finite state systems by using suitable abstractions. The use of abstractions is key, both for modeling programs as finite state systems and for reducing the model sizes in order to manage verification complexity. We provide illustrative details of a verification platform called F-Soft, which provides a range of abstractions for modeling software, and uses customized SAT-based and BDD-based model checking techniques targeted for software.

With the rise of multi-core processors, shared-memory concurrency has become a widespread feature of computation, from hardware, to operating systems, to programming languages such as C++ and Java. However, none of these provide sequentially consistent shared memory; instead they have relaxed memory models, which make concurrent programs even more challenging to understand. Programming language implementations run on hardware memory models, so VM and run-time system implementors must reason at both levels. Of particular interest are the low-level implementations of the abstractions that support language-level concurrency-especially because they invariably contain data races. In this paper, we develop a novel principle for reasoning about assembly programs on our previous x86-TSO memory model, and we use it to analyze five concurrency abstraction implementations: two spinlocks (from Linux); a non-blocking write protocol; the double-checked locking idiom; and java.util.concurrent's Parker. Our principle, called triangular-race freedom, strengthens the usual data-race freedom style of reasoning.

With the growing complexity of modern day software, software model checking has become a critical technology for ensuring correctness of software. As is true with any promising technology, there are a number of tools for software model checking. However, their respective performance trade-offs are difficult to characterize accurately – making it difficult for practitioners to select a suitable tool for the task at hand. This paper proposes a technique called MUX that addresses the problem of selecting the most suitable software model checker for a given input instance. MUX performs machine learning on a repository of software verification instances. The algorithm selector, synthesized through machine learning, uses structural features from an input instance, comprising a program-property pair, at runtime and determines which tool to use. We have implemented MUX for Windows device drivers and evaluated it on a number of drivers and model checkers. Our results are promising in that the algorithm selector not only avoids a significant number of timeouts but also improves the total runtime by a large margin, compared to any individual model checker. It also outperforms a portfolio-based algorithm selector being used in Microsoft at present. Besides, MUX identifies structural features of programs that are key factors in determining performance of model checkers.

Winblad, K. 2018. Dynamic Adaptations of Synchronization Granularity in Concurrent Data Structures. Digital Comprehensive Summaries of Uppsala Dissertations from the Faculty of Science and Technology 1684. 92 pp. Uppsala: Acta Universitatis Upsaliensis. ISBN 978-91-513-0367-3. The multicore revolution means that programmers have many cores at their disposal in everything from phones to large server systems. Concurrent data structures are needed to make good use of all the cores. Designing a concurrent data structure that performs well across many different scenarios is a difficult task. The reason for this is that the best synchronization granularity and data organization vary between scenarios. Furthermore, the number of parallel threads and the types of operations that are accessing a data structure may even change over time. This dissertation tackles the problem mentioned above by proposing concurrent data structures that dynamically adapt their synchronization granularity and organization based on usage statistics collected at run-time. Two of these data structures (one lock-free and one lock-based) implement concurrent sets with support for range queries and other multi-item operations. These data structures adapt their synchronization granularity based on detected contention and the number of items that are involved in multi-item operations such as range queries. This dissertation also proposes a concurrent priority queue that dynamically changes its precision based on detected contention. Experimental evaluations of the proposed data structures indicate that they outperform nonadaptive data structures over a wide range of scenarios because they adapt their synchronization based on usage statistics. Possible practical consequences of the work described in this dissertation are faster parallel programs and a reduced need to manually tune the synchronization granularities of concurrent data structures.

Who could fault an approach that offers greater credibility at reduced cost?

While directed model checking has proven to be a powerful tool in the fight against concurrency bugs, scalability remains a concern due to the combinatorial explosion in size of the state space. Overcoming that combinatorial explosion requires the selection and/or parameterization of meta*-heuristics, but we are left with a persistent problem of having to provide or compute specialized knowledge of the program under consideration, and this limits the practical value of the technique. To circumvent that, this paper investigates directed model checking as a platform for the synthesis of results from other analyses. We introduce an open-source tool, Ariadne, which translates reports of suspected race conditions of a static analyzer (Petablox) to instrumentation using a source-to-source compiler (ROSE) that can be exploited by a model checker (Java Pathfinder). We detail the algorithm used, present experimental results, and outline directions for future research.

While design automation for hardware systems is quite advanced, this is not the case for practical embedded systems. The current state-of-the-art is to use a software modeling environment and integrated development environment for code development and debugging, but these rarely include the sort of automatic synthesis and verification capabilities available in the VLSI domain. We present a model-based integration environment which uses a graphical architecture description language (EsMoL) to pull together control design, code and configuration generation, platform-specific simulation, and a number of other features useful for taming the heterogeneity inherent in safety-critical embedded control system designs. We describe concepts, elements, and development status for this suite of tools.