Results 1–10 of 32
Friends need a bit more: Maintaining invariants over shared state
In MPC, volume 3125 of LNCS, 2004
Cited by 77 (12 self)
A friendship system is introduced for modular static verification of object invariants. It extends a previous methodology, based on ownership hierarchy encoded in auxiliary state, to allow for state dependence across ownership boundaries. Friendship describes a formal protocol for a granting class to grant a friend class permission to express its invariant over fields in the granting class. The protocol permits the safe update of the granter’s fields without violating the friend’s invariant. The ensuing proof obligations are minimal and permit many common programming patterns. A soundness proof is sketched. The method is demonstrated on several realistic examples, showing that it significantly expands the domain of programs amenable to static verification.
The origins of structural operational semantics
Journal of Logic and Algebraic Programming, 2004
Cited by 64 (0 self)
We review the origins of structural operational semantics. The main publication ‘A Structural Approach to Operational Semantics,’ also known as the ‘Aarhus Notes,’ appeared in 1981 [G.D. Plotkin, A structural approach to operational semantics, DAIMI FN-19, Computer Science Department, Aarhus University, 1981]. The development of the ideas dates back to the early 1970s, involving many people and building on previous work on programming languages and logic. The former included abstract syntax, the SECD machine, and the abstract interpreting machines of the Vienna school; the latter included the λ-calculus and formal systems. The initial development of structural operational semantics was for simple functional languages, more or less variations of the λ-calculus; after that the ideas were gradually extended to include languages with parallel features, such as Milner’s CCS. This experience set the ground for a more systematic exposition, the subject of an invited course of lectures at Aarhus University; some of these appeared in print as the 1981 Notes. We discuss the content of these lectures and some related considerations such as ‘small state’ versus ‘grand state,’ structural versus compositional semantics, the influence of the Scott–Strachey approach to denotational semantics, the treatment of recursion and jumps, and static semantics. We next discuss relations with other work and some immediate further development. We conclude with an account of an old, previously unpublished, idea: an alternative, perhaps more readable, graphical presentation of systems of rules for operational semantics.
Hoare Logic and Auxiliary Variables
Formal Aspects of Computing, 1998
Cited by 38 (0 self)
Auxiliary variables are essential for specifying programs in Hoare Logic. They are required to relate the values of variables in different states. However, the axioms and rules of Hoare Logic turn a blind eye to the role of auxiliary variables. We stipulate a new structural rule for adjusting auxiliary variables when strengthening preconditions and weakening postconditions. Courtesy of this new rule, Hoare Logic is adaptation complete, which benefits software reuse. This property is responsible for a number of improvements. Relative completeness follows uniformly from the Most General Formula property. Moreover, contrary to common belief, one can show that Hoare Logic subsumes VDM's operation decomposition rules in that every derivation in VDM can be naturally embedded in Hoare Logic. Furthermore, the new treatment leads to a significant simplification in the presentation of verification calculi dealing with more interesting features such as recursion or concurrency.
Software Debugging, Testing, and Verification
IBM Systems Journal, 2001
Cited by 24 (0 self)
In commercial software development organizations, increased complexity of products, shortened development cycles and higher customer expectations of quality have placed a major responsibility on the areas of software debugging, testing, and verification. As this issue of the IBM Systems Journal illustrates, the technology is improving on all three fronts. However, we observe that due to the informal nature of software development as a whole, the prevalent practices in the industry are still quite immature even in areas where there is existing technology. In addition, the technology and tools in the more advanced aspects are really not ready for large-scale commercial use.
wp is wlp
Relational Methods in Computer Science, LNCS 3929, 2006
Cited by 8 (6 self)
Using only a simple transition relation one cannot model commands that may or may not terminate in a given state. In a more general approach, commands are relations enriched with termination vectors. We reconstruct this model in modal Kleene algebra. This links the recursive definition of the do–od loop with a combination of the Kleene star and a convergence operator. Moreover, the standard wp operator coincides with the wlp operator in the modal Kleene algebra of commands. Therefore our earlier general soundness and relative completeness proof for Hoare logic in modal Kleene algebra can be reused for wp. Although the definition of the loop semantics is motivated via the standard Egli–Milner ordering, the actual construction does not depend on Egli–Milner isotonicity of the constructs involved.
Convex Hull Abstractions in Specialization of CLP Programs
Cited by 7 (0 self)
We introduce an abstract domain consisting of atomic formulas constrained by linear arithmetic constraints (or convex hulls). This domain is used in an algorithm for specialization of constraint logic programs. The algorithm incorporates in a single phase both top-down goal-directed propagation and bottom-up answer propagation, and uses a widening on the convex hull domain to ensure termination. We give examples to show the precision gained by this approach over other methods in the literature for specializing constraint logic programs. The specialization method can also be used for ordinary logic programs containing arithmetic, as well as constraint logic programs. Assignments, inequalities and equalities with arithmetic expressions can be interpreted as constraints during specialization, thus increasing the amount of specialization that can be achieved.
A Hoare calculus for graph programs
 In Proc. International Conference on Graph Transformation (ICGT 2010), Lecture
Cited by 5 (4 self)
We present Hoare-style axiom schemata and inference rules for verifying the partial correctness of programs in the graph programming language GP. The pre- and postconditions of this calculus are the nested conditions of Habel, Pennemann and Rensink, extended with expressions for labels in order to deal with GP’s conditional rule schemata and infinite label alphabet. We show that the proof rules are sound with respect to GP’s operational semantics.
A mechanical proof of Segall's PIF algorithm
1997
Cited by 4 (0 self)
We describe the construction of a distributed algorithm with asynchronous communication together with a mechanically verified proof of correctness. For this purpose we treat Segall's PIF algorithm (propagation of information with feedback). The proofs are based on invariants, and on variant functions for termination. The theorem prover NQTHM is used to deal with the many case distinctions due to asynchronous distributed computation. Emphasis is on the modelling assumptions, the treatment of nondeterminacy, the forms of termination detection, and the proof obligations for a complete mechanical proof. Finally, a comparison is made with (the proof of) the minimum spanning tree algorithm of Gallager, Humblet, and Spira, for which the technique was developed. 1. Introduction. The purpose of this paper is to present a mechanically supported, verified design of Segall's PIF algorithm and its extension to a distributed summation algorithm, cf. [Vaa95]. PIF stands for Propagation of Information ...
Maximally Concurrent Programs
Formal Aspects of Computing, 1999
Cited by 3 (1 self)
Typically, program design involves constructing a program, P, that implements a given specification, S; that is, the set P of executions of P is a subset of the set S of executions satisfying S. In many cases, we seek a P that not only implements S but for which P = S. Then, every execution satisfying the specification is a possible execution of the program; we call P maximal for the specification S. We argue in this paper that traditional specifications of concurrent programs are incomplete without some maximality requirement because they can often be implemented in a sequential fashion. Additionally, a maximal solution can be refined to a variety of programs, each appropriate for execution on a different computing platform. In this paper, we suggest a method for proving the maximality of a program with respect to a given specification. Even though we prove facts about possible executions of programs, there is no need to appeal to branching time logics; we employ a fragment of linear temporal logic for our proofs. The method results in concise proofs of maximality for many nontrivial examples. The method may also serve as a guide in constructing maximal programs.