AVIACC First Project Meeting

Date

December 18, 2012, 10:00

Place

DCC-FCUP, videoconference room

Schedule

10h00 - 11h30: Scientific talks and discussion

11h30 - 13h00: project planning meeting

Motivation

In a brief comparison of software model checking with deductive verification techniques for the purpose of verifying concurrent software, we stress the following:

• The state of the art of software model checking techniques is substantially more advanced than deductive techniques. More interesting and complex properties can be automatically proved than with deductive methods. Consequently these methods are much more used in industry than deductive methods.

• The above does not mean that deductive methods are doomed to be abandoned: on one hand the soundness and completeness of these methods (with no false errors), as well as the expressiveness of the logical languages used and the general flexibility of their application make them highly desirable (especially in the critical context); on the other hand it is expected that, as was previously the case for sequential code, automation levels will increase and render such methods more usable.

The current project has the double purpose of advancing the state of the art and providing results that can be brought to practice in the very short term by our industrial partners. Since software model checking techniques are currently much more advanced and usable in practice than deductive methods, one task of the project will be dedicated to producing a practical verification platform suited to specific needs and programming languages. On the other hand, the deduction-based approach to verification of concurrent software has become an exciting area, in which the team wants to contribute with fundamental research.

Our approach will be guided by three simples principles, as follows:

1. It will be incremental, starting from languages with restricted data structures and models for concurrency. This is particularly adequate for critical software, since in this area the programming languages that are used are often subject to restricted profiles that forbid less predictable behaviour.
2. It will combine path sensitive and path insensitive techniques, and exploit their interaction. It is our firm belief that the key to successful automatic verification lies in this combined approach.
3. All the methods and tools produced will be validated through real-life use cases, provided and carried out by team members who work directly in the development of embedded critical software.

We now detail our plan and the reasons why we think these three principles will lead us to successful solutions.

I.

Since C and Ada are the languages of choice in the development of embedded critical systems, we will start by addressing the verification of concurrent programs of subsets of both languages. In the case of Ada, the choice goes naturally to the RavenSPARK language, which has the enormous advantage of being a commercially successful product, widely used in industry, and having ideal characteristics for our purposes: a restricted model of concurrency; restricted data structures (no aliasing is possible); an annotation language comprising assertional and dataflow contracts; and the availability of a toolset for checking both dataflow and assertions. Furthermore the team possesses experience in the verification of sequential SPARK code. The presence of dataflow annotations, complemented by a model of concurrency that forbids the dynamic creation of threads, can be taken into account to calculate predicate abstractions of concurrent programs, since the amount of interference between threads is naturally limited by the dataflow restrictions, which can be taken for granted since they can be effectively checked by the SPARK toolset. Also, rely and guarantee conditions are intrinsically related to dataflow annotations of individual threads of a program. It will be interesting for instance to see if such conditions can be automatically inferred from the compulsory dataflow annotations that must be present in every valid RavenSPARK program.

II.

Approaches to program verification that combine different techniques are seen as promising, even if it may be difficult for a team to acquire the required know-how. We intend precisely to take advantage of the fact that know-how is in place, as a result of a process carried out over the past 5 years in a number of projects, collaborations, and doctoral theses. Predicate abstraction, which is a fundamental component of any software model checking system, is typically implemented with the help of a weakest precondition algorithm -- a deductive technique. In this project we will be in a position of deep understanding of the deductive aspects of verification, which may allow us to produce predicate abstraction algorithms tailored to our needs. Moreover, since the study of predicate abstractions for concurrent programs is a practically untouched field, it may well be the case that the rely-guarantee principles and verification conditions algorithms can be used fruitfully for predicate abstraction (some published work hints at this).

Finally, it is our conviction that a mixture of software model checking and deductive verification can be in itself a very powerful verification method. Rely-guarantee reasoning is based on two separate aspects: "intra-thread" verification conditions for each thread (taking as assumptions rely and guarantee conditions of all the threads in the program), and "inter-thread" verification conditions, to assert (compositionally) that if all threads satisfy a given property then the ensemble does so as well. We will investigate the possibility of each of these aspects being verified by different methods; we will for instance use a SMC to check intra-thread properties and rely-guarantee reasoning for the compositional aspect. This may still result in an acceptable level of automation in the proofs. In the other direction we will also investigate the use of predicate abstraction itself as a tool for deductive verification at the inter-thread level, since rely-guarantee VCs may be easier to establish for over-approximated code.

III.

This project stems from an ongoing collaboration between academics and practitioners. The team brings together

• Specialists in verification from CCTC and CMAT, Univ Minho, and LIACC, Univ Porto, who will work on the theoretical aspects of all the main tasks of the project: predicate abstraction (CCTC and LIACC, task 1); properties of models (LIACC, task 2); and deductive techniques (CMAT, CCTC, and LIACC, task 3).
• Researchers who are expert in embedded, safety-critical, and real-time concurrent programming, from CISTER, IPP, will work on the development of the SMC platform (task 2), provide use cases, and carry on an evaluation of the tools and methods obtained as outcomes of the project (task 4).

Main Results

The main results of the project will include (for at least one of the programming languages of interest in the safety-critical context)

• a novel predicate abstraction algorithm and the corresponding implementation
• a SMC toolkit for concurrent applications
• a prototype generic SMC toolkit (multi-language, multi-checker)
• a VCGen for rely-guarantee conditions
• a general method for verification of concurrent programs combining both path-sensitive and path-insensitive techniques.

Main novelties include (i) taking advantage of specific aspects of relatively simple programming languages used in safety-critical development, and (ii) combining techniques that have not to this point been combined. Both aspects will allow us to produce tools that can be used with realistic code.

• The first project meeting took place on December 18 2012, at FCUP.

Currently submitted

• André de Matos Pedro, David Pereira, Luís Miguel Pinho, and Jorge Sousa Pinto. Monitoring for a decidable fragment of MTL-􏰃S. Submitted to Runtime Verification 2015.

• Sabine Broda, Sílvia Cavadas, Miguel Ferreira, and Nelma Moreira. Synchronous Kleene algebra with derivatives. Submitted to an international conference.

• Cezar Câmpeanu, Nelma Moreira, and Rogério Reis. Distinguishability operations on regular languages. Submitted for publication in Fundamenta Informaticae.

• P. Soares, A. Ravara, and S. Melo de Sousa. Revisiting concurrent separation logic. Science of Computer Programming, 2014. Special issue on open problems in Concurrency Theory. Elsevier. Submitted in November 2014.

Publications in International Journals

Conditionally accepted for publication

• Rovedy Aparecida Busquim e Silva, Nanci Naomi Arai, Luciana Akemi Burgareli, José Maria Parente de Oliveira, and Jorge Sousa Pinto. Formal verification with Frama-C: a case study in the space software domain. IEEE Transactions on Reliability, 2015. Conditionally accepted.

• Mário Pereira and Simão Melo de Sousa. Complexity checking of ARM programs, by deduction -- extended and updated version. Science of Computer Programming, 2014. Selected papers of ACM SAC-SVT’14. Elsevier. Conditionally accepted in March 2015.

2015

• V. Rodrigues, B. Akesson, M. Florido, S. Melo de Sousa, J. P. Pedroso, and P. Vasconcelos. Certifying execution time in multicores. Science of Computer Programming, 2014. Submitted in 2013 and accepted for publication in April 2014. To appear.

• A. M. Pedro, D. Pereira, L. M. Pinho, and J. S. Pinto. Logic-based schedulability analysis for compositional hard real-time embedded systems. In SIGBED review 12(1):56–64. New York, NY, USA, 2015. ACM. link

• Nelma Moreira, David Pereira, and Simão Melo de Sousa. Deciding Kleene algebra terms equivalence in Coq. Journal of Logical and Algebraic Methods in Programming, 84(3):377 – 401, 2015. link

Publications in Proceedings of Refereed International Events

2015

• Pedro Soares, António Ravara, and Simão Melo de Sousa. Revisiting concurrent separation logic and operational semantics. In Masoud Daneshtalab, Marco Aldinucci, Ville Leppaenen, Johan Lilius, and Mats Brorsson, editors, 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, PDP 2015, Turku, Finland, March 4-6, 2015, pages 484–491. IEEE, 2015. link

• Sabine Broda, António Machiavelo, Nelma Moreira, and Rogério Reis. Partial derivative automaton for regular expressions with shuffle. In Alexander Okhtin and Jeffrey Shallit, editors, Proceedings of Descriptional Complexity of Formal Systems, 17th International Workshop (DCFS 2015), 2014. To appear in Springer LNCS.

• Eva Maia, Nelma Moreira, and Rogério Reis. Prefix and right-partial derivative automata. In Mariya Soskova and Victor Mitrana, editors, Proceedings of Computability in Europe (CiE 2015), 2015. To appear in Springer LNCS.

• Nelma Moreira, Giovanni Pighizzini, and Rogério Reis. Optimal state reductions of automata with partially specified behaviors. In Giuseppe F. Italiano, Tiziana Margaria-Steffen, Jaroslav Pokorny, Jean-Jacques Quisquater, and Roger Wattenhofer, editors, SOFSEM 2015: Theory and Practice of Computer Science - 41st International Conference on Current Trends in Theory and Practice of Computer Science, Czech Republic, January 24-29, 2015. Proceedings, volume 8939 of Lecture Notes in Computer Science. Springer, 2015. link

2014

• Mário Pereira and Simão Melo de Sousa. Complexity checking of ARM programs, by deduction. In Proceedings of the 2014 ACM SIGAPP Simposium on Applied Computing, Software Verification and Testing (ACM SAC-SVT'14). March 2014, Gyeongju, Korea. ACM Press. link

• Eva Maia, Nelma Moreira, and Rogério Reis. Partial derivative and position bisimilarity automata. In Markus Holzer and Martin Kutrib, editors, Implementation and Application of Automata - 19th International Conference, CIAA 2014, Giessen, Germany, July 30 - August 2, 2014. Proceedings, volume 8587 of Lecture Notes in Computer Science. Springer, 2014. link

• Cezar Câmpeanu, Nelma Moreira, and Rogério Reis. The distinguishability operation on regular languages. In Suna Bensch, Rudolf Freund, and Friedrich Otto, editors, Sixth Workshop on Non-Classical Models for Automata and Applications - NCMA 2014, Kassel, Germany, July 28-29, 2014. Proceedings, volume 304 of books@ocg.at. Oesterreichische Computer Gesellschaft, 2014. link

• Sabine Broda, António Machiavelo, Nelma Moreira, and Rogério Reis. "On the Equivalence of Automata for KAT-expressions". In A. Beckmann, E. Csuhaj-Varjú, K. Meer (eds.): Computability in Europe (CIE 2014), LNCS 8493, Springer 2014. link

• A. de Matos Pedro, D. Pereira, L. M. Pinho, and J. S. Pinto. Towards a Runtime Verification Framework for the Ada Programming Language. In Proceedings of the 19th International Conference on Reliable Software Technologies (RST-AE’14), Lecture Notes in Computer Science, Berlin, Heidelberg, 2014. Springer-Verlag. link

• A. de Matos Pedro, D. Pereira, L. M. Pinho, and J. S. Pinto. A Compositional Monitoring Framework for Hard Real-Time Systems. In Proceedings of the Sixth NASA Formal Methods Symposium (NFM 2014), Lecture Notes in Computer Science, Berlin, Heidelberg, 2014. Springer-Verlag. link

• N. Carvalho, C. da Silva Sousa, J. S. Pinto, and A. Tomb. Formal Verification of kLIBC with the WP Frama-C plug-in. In Proceedings of the Sixth NASA Formal Methods Symposium (NFM 2014), Lecture Notes in Computer Science, Berlin, Heidelberg, 2014. Springer-Verlag. link

• C. B. Lourenço, M. J. Frade, and J. S. Pinto. A Bounded Model Checker for SPARK Programs (tool paper). In Proceedings of Automated Technology for Verification and Analysis - 12th International Symposium (ATVA 2014), volume 8837 of Lecture Notes in Computer Science, pages 24–30, Berlin, Heidelberg, 2014. Springer-Verlag. link

2013

• V. Rodrigues, B. Akesson, S. M. de Sousa, M. Florido: A Declarative Compositional Timing Analysis for Multicores Using the Latency-Rate Abstraction. PADL 2013: 43-59. link

• S. Broda, A. Machiavelo, N. Moreira, R. Reis, "On the Average Size of Glushkov and Equation Automata for KAT Expressions", in 19th International Symposium on Fundamentals of Computation Theory, number 8070 in LNCS, pages 72-83. Springer-Verlag, 2013. link

• I. Abal and J. S. Pinto. 2013. Towards a mostly-automated prover for bit-vector arithmetic. In Proceedings of the International C* Conference on Computer Science and Software Engineering (C3S2E '13). ACM, New York, NY, USA, 132-133. link

• R. A. B. e Silva, N. N. Arai, L. A. Burgareli, J. M. P. Oliveira, J. S. Pinto. Using Abstract Interpretation to Produce Dependable Aerospace Control Software. Presented at the Sixth Latin-American Symposium on Dependable Computing (LADC'2013), industrial track. link

• D. da Cruz, P. R. Henriques, and J. S. Pinto. Interactive Verification of Safety-Critical Software. In proceedings of the 37th Annual International Computer Software & Applications Conference (COMPSAC 2013), IEEE. link

2012

• R. Almeida, S. Broda, N. Moreira, "Deciding KAT and Hoare Logic with Derivatives", Proceedings of the Third International Symposium on Games, Automata, Logics and Formal Verification (GandALF 2012), Electronic Proceedings in Theoretical Computer Science, pp. 127-140, 2012. link

• D. Pereira, A. Pedro, L. M. Pinho and J. S. Pinto, “Towards specification and verification frameworks for concurrent real-time systems”, Poster presented at the ACM SIGAda High Integrity Language Technology 2012 conference in Boston, MA, December 2-6. link

Communications and Publications in National Events

• Nuno Laranjo, Rogério Pontes, , and Maria João Frade. HSMTLib – interacting with SMT solvers in haskell. 2014. Poster presented at INForum’14 — Simpósio de Informática. link

• V. C. Miraldo, M. J. Frade, C. Lourenço, and J. S. Pinto. Experimenting with predicate abstraction. In B. S. Santos and J. Cachopo, editors, Proceedings of INForum’13 — Simpósio de Informática (SOFTPT track). Universidade de Évora, 2013. link

• V. C. Miraldo, M. J. Frade, C. Lourenço, and J. S. Pinto. SPARK-BMC: Checking spark code for bugs (Comunicação). Simpósio de Informática (SETR track). Universidade de Évora, 2013. link

• Mário Pereira, Jean-Christophe Filliâtre, and Simão Melo de Sousa. ARMY: a deductive verification platform for ARM programs using Why3. In INForum 2012, September 2012. link

Reports

• Cláudio Belo Lourenço, Maria João Frade, and Jorge Sousa Pinto. A single- assignment translation for while annotated programs. Technical report, HASLab & Universidade do Minho, 2014. link

• Victor Cacciari Miraldo, Experimenting with Predicate Abstraction. Technical Report. link

• Victor Cacciari Miraldo, SABS : A Spark ABStraction Tutorial. Technical Report. link

• Sabine Broda, Sílvia Cavadas, and Nelma Moreira. Derivative based methods for deciding SKA and SKAT. Technical Report DCC-2014-10, DCC-FC, Universidade do Porto, 2014. link

• Sabine Broda, Sílvia Cavadas, and Nelma Moreira. Kleene Algebra Completeness. Technical Report DCC-2014-07, DCC-FC & CMUP, Universidade do Porto, April 2014. link

• Sabine Broda, António Machiavelo, Nelma Moreira, and Rogério Reis. Automata for KAT Expressions. Technical Report DCC-2014-01, DCC-FC, Universidade do Porto, January 2014. link

• Nelma Moreira, David Pereira, and Simão Melo de Sousa. On the Mechanisation of Rely-Guarantee in Coq. Technical Report DCC-2013-01, DCC-FC, Universidade do Porto, January 2013. link

• Vítor Rodrigues. Compositional timing analysis for multicores using the latency-rate abstraction. Technical report, DCC-FC, Universidade do Porto, 2012. link

Theses

Forthcoming

• André de Matos Pedro. Dynamic contracts for Verification and Enforcement of Real-time Systems Properties. PhD thesis, MAPi PhD program, Universidade do Minho, 2016. Forthcoming.

• Cláudio Belo Lourenço. Software Verification and Defect Analysis. PhD thesis, MAPi PhD program, Universidade do Minho, 2017. Forthcoming.

Defended

• Rovedy Aparecida Busquim e Silva. Uma Abordagem de Engenharia Reversa para Extracção do Projeto de Sistemas de Software Crítico Embarcado. PhD thesis, Instituto Tecnológico de Aeronáutica, 2013. link

• Vitor Rodrigues. Semantics-based Program Verification: An Abstract Interpretation Approach. PhD Thesis. MAPi PhD program, LIACC/DCC/FCUP - University of Porto. May 2013. link

• David Pereira. Towards Certified Program Logics for the Verification of Imperative Programs. PhD Thesis. MAPi PhD program, LIACC/DCC/FCUP - University of Porto. April 2013. link

• Claúdio Belo Lourenço, A SPARK Model Checker for SPARK programas. MSc thesis. Universidade do Minho, 2013. link

Software Tools and Packages

HSMTlib

A Haskell library for easy interaction with multiple SMT solvers. Available through Hackage.

SPARK parser

A parser library for SPARK code. Available from the repository.

SPARK-BMC

A bounded model checker for SPARK programs. Available from the repository.

SPARK-ABS

An experimental predicate abstraction workbench for SPARK code. Available from the repository.

KATEXP

KAT decision procedures in Python. Available here.

ARMY

A deductive verification platform for ARM programs using Why3. Available here

WCET platform

WCET instantiation of a generic static analyzer in Haskell. Available here.

RGCoq

Mechanization of Rely-Guarantee reasoning in the Coq proof-assistant. Available from this link.

50 Recent Changes in TWiki Web retrieved at 18:16 (GMT)

See also: RSS feed, recent changes with 50, 100, 200, 500, 1000 topics, all changes

See also the faster WebTopicList

• TWikiGuest - example@your.company

Web Changes Notification Service

Each TWiki web has an automatic e-mail notification service that sends you an e-mail with links to all of the topics modified since the last alert.

Users subscribe to email notifications using their WikiName or an alternative email address, and can specify the webs/topics they wish to track using one of these bullet list formats:

three spaces * [ webname . ] wikiName - SMTP mail address
three spaces * [ webName . ] wikiName
three spaces * SMTP mail address
three spaces * SMTP mail address : topics
three spaces * [ webname . ] wikiName : topics

In the above examples, topics is a space-separated list of topic names. The user may further customize the specific content they will receive using the following formats:

• Specify topics without a Web. prefix
• Topics must exist in this web.
• Topics may be specified using * wildcards
• Each topic may optionally be preceded by a '+' or '-' sign. The '+' sign means "subscribe to this topic" (the same as not putting anything). The '-' sign means "unsubscribe" or "don't send notifications regarding this topic". This allows users to elect to filter out certain topics (and their children, to an arbitrary depth). Topic filters ('-') take precedence over topic includes ('+').
• Each topic may optionally be followed by an integer in parentheses, indicating the depth of the tree of children below that topic. Changes in all these children will be detected and reported along with changes to the topic itself. Note This uses the TWiki "Topic parent" feature.
• Each topic may optionally be immediately followed by an exclamation mark ! or a question mark ? with no intervening spaces, indicating that the topic (and children if there is a tree depth specifier as well) should be mailed out as complete topics instead of change summaries. ! causes the topic to be mailed every time even if there have been no changes, ? will mail the topic only if there have been changes to it. This only makes sense for subscriptions.

For example: Subscribe Daisy to all changes to topics in this web.

   * daisy.cutter@flowers.com

   * daisy.cutter@flowers.com: Web*

   * TWiki.DaisyCutter: Petal* (1) TWiki.WeedKillers (3) Pretty*Flowers

   * TWiki.StarTrekFan: Star* - *Wars - *sInTheirEyes - *shipTroopers

   * daisy@flowers.com: TWiki.NewsLetter?

   * buttercup@flowers.com: TWiki.NewsLetter! (1)

   * TWiki.GardenGroup: TWiki.AllNewsLetters? (3)
   * petunia@flowers.com: - TWiki.ManureNewsLetter

If a TWiki group is listed for notification, the group will be recursively expanded to the e-mail addresses of all members.

Tip: List names in alphabetical order to make it easier to find the names.

Note for System Administrators: Notification is supported by an add-on to the TWiki kernel called the MailerContrib. See the MailerContrib topic for details of how to set up this service.

Note: If you prefer a news feed, point your reader to WebRss (for RSS 1.0 feeds) or WebAtom (for ATOM 1.0 feeds). Learn more at WebRssBase and WebAtomBase, respectively.

Related topics: WebChangesAlert, TWikiUsers, TWikiRegistration

Warning

Can't INCLUDE TWiki.WebSearchAdvanced repeatedly, topic is already included.

Statistics for Research/Aviacc Web

Notes:

• Do not edit this topic, it is updated automatically. (You can also force an update)
• TWikiDocumentation tells you how to enable the automatic updates of the statistics.
• Suggestion: You could archive this topic once a year and delete the previous year's statistics from the table.

• 1stWorkshop
• 2ndWorkshop
• Description
• Jobs
• News
• ProjectSummary
• Publications
• Team
• Tools
• WebAtom
• WebChanges
• WebHome
• WebIndex
• WebLeftBar
• WebNotify
• WebPreferences
• WebRss
• WebSearch
• WebSearchAdvanced
• WebSideBar
• WebStatistics
• WebTopicCreator
• WebTopicList

See also the verbose WebIndex.