Using ACL2 in the Design of Efficient, Verifiable Data Structures for High-Assurance Systems. D. Hardin, Konrad Slind. CoRR, 2018-10-10, pp. 61-76. DOI: https://doi.org/10.4204/EPTCS.280.5
Verification of algorithms and data structures utilized in modern autonomous and semi-autonomous vehicles for land, sea, air, and space presents a significant challenge. Autonomy algorithms, e.g., route planning, pattern matching, and inference, are based on complex data structures such as directed graphs and algebraic data types. Proof techniques for these data structures exist, but are oriented to unbounded, functional realizations, which are not typically efficient in either space or time. Autonomous systems designers, on the other hand, generally limit the space and time allocations for any given function, and require that algorithms deliver results within a finite time, or suffer a watchdog timeout. Furthermore, high-assurance design rules frown on dynamic memory allocation, preferring simple array-based data structure implementations.
In order to provide efficient implementations of high-level data structures used in autonomous systems with the high assurance needed for accreditation, we have developed a verifying compilation technique that supports the "natural" functional proof style, yet applies to more efficient data structure implementations. Our toolchain features code generation to mainstream programming languages, as well as GPU-based and hardware-based realizations. We base the Intermediate Verification Language for our toolchain upon higher-order logic; however, we have used ACL2 to develop our efficient yet verifiable data structure design. ACL2 is particularly well-suited for this work, with its sophisticated libraries for reasoning about aggregate data structures of arbitrary size, efficient execution of formal specifications, as well as its support for "single-threaded objects" -- functional datatypes with imperative "under the hood" implementations.
In this paper, we detail our high-assurance data structure design approach, including examples in ACL2 of common algebraic data types implemented using this design approach, proofs of correctness for those data types carried out in ACL2, as well as sample ACL2 implementations of relevant algorithms utilizing these efficient, high-assurance data structures.
A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java. A. Coglio. CoRR, 2018-10-10, pp. 1-17. DOI: https://doi.org/10.4204/EPTCS.280.1
AIJ (ACL2 In Java) is a deep embedding in Java of an executable, side-effect-free, non-stobj-accessing subset of the ACL2 language without guards. ATJ (ACL2 To Java) is a simple Java code generator that turns ACL2 functions into AIJ representations that are evaluated by the AIJ interpreter. AIJ and ATJ enable possibly verified ACL2 code to run as, and interoperate with, Java code, without much of the ACL2 framework or any of the Lisp runtime. The current speed of the resulting Java code may be adequate to some applications.
Unfolding of Finite Concurrent Automata. Alexandre Mansard. CoRR, 2018-10-04, pp. 68-84. DOI: https://doi.org/10.4204/EPTCS.279.8
We consider recognizable trace rewriting systems with level-regular contexts (RTL). A trace language is level-regular if the set of Foata normal forms of its elements is regular. We prove that the rewriting graph of an RTL is word-automatic. Thus its first-order theory is decidable. Then, we prove that the concurrent unfolding of a finite concurrent automaton with the reachability relation is an RTL graph. It follows that the first-order theory with the reachability predicate (FO[Reach] theory) of such an unfolding is decidable. It is known that this property holds also for the ground term rewriting graphs. We provide examples of finite concurrent automata of which the concurrent unfoldings fail to be ground term rewriting graphs. The infinite grid tree (for each vertex of an infinite grid, there is an edge from this vertex to the origin of a copy of the infinite grid) is such an unfolding. We prove that the infinite grid tree is not a ground term rewriting graph. We have thus obtained a new class of graphs with a decidable FO[Reach] theory.
Lower and Upper Conditioning in Quantum Bayesian Theory. B. Jacobs. CoRR, 2018-10-04, pp. 225-238. DOI: https://doi.org/10.4204/EPTCS.287.13
Updating a probability distribution in the light of new evidence is a very basic operation in Bayesian probability theory. It is also known as state revision or simply as conditioning. This paper recalls how locally updating a joint state can equivalently be described via inference using the channel extracted from the state (via disintegration).
This paper also investigates the quantum analogues of conditioning, and in particular the analogues of this equivalence between updating a joint state and inference. The main finding is that in order to obtain a similar equivalence, we have to distinguish two forms of quantum conditioning, which we call lower and upper conditioning. They are known from the literature, but the common framework in which we describe them and the equivalence result are new.
Prototyping Formal System Models with Active Objects. Eduard Kamburjan, Reiner Hähnle. CoRR, 2018-10-04, pp. 52-67. DOI: https://doi.org/10.4204/EPTCS.279.7
We propose active object languages as a development tool for formal system models of distributed systems. In addition to a formalization based on a term rewriting system, we use established software engineering concepts, including software product lines and object orientation, that come with extensive tool support. We illustrate our modeling approach by prototyping a weak memory model. The resulting executable model is modular and has clear interfaces between communicating participants through object-oriented modeling. Relaxations of the basic memory model are expressed as self-contained variants of a software product line. As a modeling language we use the formal active object language ABS, which comes with an extensive tool set. This permits rapid formalization of core ideas, early validity checks in terms of formal invariant proofs, and debugging support by executing test runs. Hence, our approach supports the prototyping of formal system models with early feedback.
Realisability of Pomsets via Communicating Automata. R. Guanciale, E. Tuosto. CoRR, 2018-10-01, pp. 37-51. DOI: https://doi.org/10.4204/EPTCS.279.6
Pomsets are a model of concurrent computations introduced by Pratt. They can provide a syntax-oblivious description of semantics of coordination models based on asynchronous message-passing, such a ...
Global Types for Open Systems. F. Barbanera, Ugo de'Liguoro, R. Hennicker. CoRR, 2018-10-01, pp. 4-20. DOI: https://doi.org/10.4204/EPTCS.279.4
Global-type formalisms make it possible to describe the overall behaviour of distributed systems and at the same time to enforce safety properties for communications between system components. Our goal is to amend a weakness of such formalisms: the difficulty in describing open systems, i.e. systems which can be connected to and interact with other open systems. We parametrically extend the syntax of global-type formalisms with the notions of interface role and interface connection. Semantically, global types with interface roles denote open systems of communicating finite state machines connected by means of gateways obtained from compatible interfaces. We show that safety properties are preserved when open systems are connected in this way.
A Simple Functional Presentation and an Inductive Correctness Proof of the Horn Algorithm. A. Ravara. CoRR (arXiv:1809.04772), 2018-09-12, pp. 34-48. DOI: https://doi.org/10.4204/EPTCS.278.6
We present a recursive formulation of the Horn algorithm for deciding the satisfiability of propositional clauses. The usual presentations in imperative pseudo-code are informal and not suitable for simple proofs of its main properties. By defining the algorithm as a recursive function (computing a least fixed-point), we achieve: 1) a concise, yet rigorous, formalisation; 2) a clear form of visualising executions of the algorithm, step-by-step; 3) precise results, simple to state and with clean inductive proofs.
A Framework for Rewriting Families of String Diagrams. Vladimir Zamdzhiev. CoRR, 2018-09-11, pp. 63-76. DOI: https://doi.org/10.4204/EPTCS.288.6
We describe a mathematical framework for equational reasoning about infinite families of string diagrams which is amenable to computer automation. The framework is based on context-free families of string diagrams which we represent using context-free graph grammars. We model equations between infinite families of diagrams using rewrite rules between context-free grammars. Our framework represents equational reasoning about concrete string diagrams and context-free families of string diagrams using double-pushout rewriting on graphs and context-free graph grammars respectively. We prove that our representation is sound by showing that it respects the concrete semantics of string diagrammatic reasoning, and we show that our framework is appropriate for software implementation by proving important decidability properties.
A Comparison of BDD-Based Parity Game Solvers. L. Sanchez, Wieger Wesselink, T. Willemse. CoRR, 2018-09-07, pp. 103-117. DOI: https://doi.org/10.4204/EPTCS.277.8
Parity games are two-player games with omega-winning conditions, played on finite graphs. Such games play an important role in verification, satisfiability and synthesis. It is therefore important to identify algorithms that can efficiently deal with large games that arise from such applications. In this paper, we describe our experiments with BDD-based implementations of four parity game solving algorithms, viz. Zielonka's recursive algorithm, the more recent Priority Promotion algorithm, the Fixpoint-Iteration algorithm and the automata-based APT algorithm. We compare their performance on several types of random games and on a number of cases taken from the Keiren benchmark set.