Journal of Logical and Algebraic Methods in Programming最新文献

With the incresasing importance of program verification, an issue that has been receiving more attention is the certification of verification tools, addressing the vernacular question: “Who verifies the verifier?”. In this paper we approach this meta-verification problem by focusing on a fundamental component of program verifiers: the “Verification Conditions Generator” (VCGen), responsible for producing a set of proof obligations from a program and a specification. The semantic foundations of VCGens lie in program logics, such as Hoare logic, Dynamic logic, or Separation logic, and related predicate transformers.

Dynamic logic is the basis of the KeY system, one of the foremost deductive verifiers, whose logic makes use of the notion of update, which is quite intricate to formalize. In this paper we derive systematically, based on a KeY-style dynamic logic, a correct-by-construction VCGen for a toy programming language. Our workflow covers the entire process, from the logic to the VCGen. It is implemented in the Why3 tool, which is itself a program verifier. We prove the soundness and (an appropriate notion of) completeness of the logic, then define a VCGen for our language and establish its soundness.

Dynamic logic is one of a variety of research topics that our dear friend and colleague Luís Soares Barbosa has, over the years, initiated and promoted at the University of Minho. It is a pleasure for us to dedicate this work to him on the occasion of his 60th birthday.

A monolithic process is a single recursive equation with data parameters, which only uses non-determinism, action prefixing, and recursion. We present a technique that decomposes such a monolithic process into multiple processes where each process defines behaviour for a subset of the parameters of the monolithic process. For this decomposition we can show that a composition of these processes is strongly bisimilar to the monolithic process under a suitable synchronisation context. Minimising the resulting processes before determining their composition can be used to derive a state space that is smaller than the one obtained by a monolithic exploration. We apply the decomposition technique to several specifications to show that this works in practice. Finally, we prove that state invariants can be used to further improve the effectiveness of this decomposition technique.

This work aims to provide a general mechanism for safety enforcement in rewriting logic computations. Our technique relies on an assertion-guided model transformation that leverages the newly defined Maude strategy language for ensuring rich safety policies in non-deterministic programs. The transformed system is guaranteed to comply with user-defined invariants that are expressed in a strategy-based, pattern-matching logic, thus preventing the concurrent system to reach any unsafe states. The performance and scalability of the technique is empirically evaluated and benchmarked on a set of realistic programs.

We aim to reason about the correctness of behaviour-preserving transformations of Erlang programs. Behaviour preservation is characterised by semantic equivalence. Based upon our existing formal semantics for Core Erlang, we investigate potential definitions of suitable equivalence relations. In particular we adapt a number of existing approaches of expression equivalence to a simple functional programming language that carries the main features of sequential Core Erlang; we then examine the properties of the equivalence relations and formally establish connections between them. The results presented in this paper, including all theorems and their proofs, have been machine checked using the Coq proof assistant.

Component based software engineering (CBSE) is a methodology that aims to design and build software systems by assembling together reusable and loosely coupled components. Applying CBSE in a distributed setting is appealing but challenging: distributed applications require different remote components to interact following a well-defined protocol. In this paper we consider a model for message passing component-based systems where components are assembled together with a protocol, and are reactive to messages in a flexible way. We propose a type language that allows capturing component reactive behaviour and checking its compatibility with the protocol. Moreover, we show the correspondence of component and type behaviours, which entails a progress property for components.

The Robot Operating System (ROS) is a framework for building robust software for complex robot systems in several domains. The Navigation Stack stands out among the different libraries available in ROS, providing a set of components that can be reused to build robots with autonomous navigation capabilities. This library is a critical component, as navigation failures could have catastrophic consequences for applications like self-driving cars where safety is crucial.

Here we devise a general methodology for verifying this kind of complex systems by specifying them in different executable specification languages with verification support and validating the equivalence between the specifications and the original system using differential testing techniques. The complex system can then be indirectly analyzed using the verification tools of the specification languages like model checking, semi-automated functional verification based on Hoare logic, and other formal techniques. In this paper we apply this verification methodology to the NavFn planner, which is the main planner component of the Navigation Stack of ROS, using Maude and Dafny as specification languages. We have formally proved several desirable properties of this planner algorithm like the absence of obstacles in the planned path. Moreover, we have found counterexamples for other concerns like the optimality of the path cost.

With the continuous development of information technology, software vulnerabilities have become a critical threat to information security. Post-release detection of memory leaks, double free and use after free is one of the most challenging research problems in software vulnerability analysis. To tackle this challenge, we introduce a vulnerability model based on Petri Net. We consider the characteristics and causes of vulnerabilities, modeling is conducted from the subject and environment of vulnerabilities. Based on this vulnerability model, we propose a memory-related vulnerability detection framework based on vulnerability model (MRVD-VM) and its vulnerability detection algorithm based on vulnerability mode (VDA-VM). The results of experiments on Juliet Test Suite 1.2 for C_CPP show that MRVD-VM significantly outperforms three state-of-the-art baseline tools, including Cppcheck, Flawfinder, and Splint, in detecting memory leaks, double free and use after free.

Several notions of synchronisation in concurrent systems can be modelled by regular shuffle operators. In this paper we consider regular expressions extended with three operators corresponding respectively to strong, arbitrary, and weak synchronisation. For these expressions, we define a location based position automaton. Furthermore, we show that the partial derivative automaton is still a quotient of the position automaton.

In the context of intuitionistic sequent calculus, “naturality” means permutation-freeness (the terminology is essentially due to Mints). We study naturality in the context of the lambda-calculus with generalized applications and its multiary extension, to cover, under the Curry-Howard correspondence, proof systems ranging from natural deduction (with and without general elimination rules) to a fragment of sequent calculus with an iterable left-introduction rule, and which can still be recognized as a call-by-name lambda-calculus. In this context, naturality consists of a certain restricted use of generalized applications. We consider the further restriction obtained by the combination of naturality with normality w.r.t. the commutative conversion engendered by generalized applications. This combination sheds light on the interpretation of naturality as a vectorization mechanism, allowing a multitude of different ways of structuring lambda-terms, and the structuring of a multitude of interesting fragments of the systems under study. We also consider a relaxation of naturality, called weak naturality: this not only brings similar structural benefits, but also suggests a new “weak” system of natural deduction with generalized applications which is exempt from commutative conversions. In the end, we use all of this evidence as a stepping stone to propose a computational interpretation of generalized application (whether multiary or not, and without any restriction): it includes, alongside the argument(s) for the function, a general list – a new, very general, vectorization mechanism, that structures the continuation of the computation.

FIFO automata are finite state machines communicating through FIFO queues. They can be used, for instance, to model distributed protocols. Due to the unboundedness of the FIFO queues, several verification problems are undecidable for these systems. In order to model check such systems, one may look for decidable subclasses of FIFO systems. Binary half-duplex systems are systems of two FIFO automata exchanging over a half-duplex channel. They were studied by Cécé and Finkel who established the decidability in polynomial time of several properties. There is no obvious way to generalize the half-duplex property to multiparty systems. Cécé and Finkel proposed some generalizations but concluded that their notions of multiparty half-duplex systems were either too restrictive or too expressive.

We explore in this paper other ways of generalizing half-duplex systems to multiparty. First, we introduce systems realizable with synchronous communications (RSC) and we show that RSC systems generalize half-duplex systems and retain the same good properties as binary half-duplex systems. Second, we introduce a notion of multiparty half-duplex systems that differs from the ones explored by Cécé and Finkel, and we show two results about this notion: (1) for mailbox communications, half-duplex systems are essentially the same as RSC systems, and (2) for peer-to-peer communications, the two notions are distinct, and RSC systems appear to be “the good one”, since peer-to-peer half-duplex systems are Turing powerful.