Advertisement

A Parametric Rely-Guarantee Reasoning Framework for Concurrent Reactive Systems

  • Yongwang ZhaoEmail author
  • David Sanán
  • Fuyuan Zhang
  • Yang Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11800)

Abstract

Reactive systems are composed of a well defined set of event handlers by which the system responds to environment stimulus. In concurrent environments, event handlers can interact with the execution of other handlers such as hardware interruptions in preemptive systems, or other instances of the reactive system in multicore architectures. The rely-guarantee technique is a suitable approach for the specification and verification of reactive systems. However, the languages in existing rely-guarantee implementations are designed only for “pure programs”, simulating reactive systems makes the program and rely-guarantee conditions unnecessary complicated. In this paper, we decouple the system reactions and programs using a rely-guarantee interface, and develop PiCore, a parametric rely-guarantee framework for concurrent reactive systems. PiCore has a two-level inference system to reason on events and programs associated to events. The rely-guarantee interface between the two levels allows the reusability of existing languages and their rely-guarantee proof systems for programs. In this work we show how to integrate in PiCore two existing rely-guarantee proof systems. This work has been fully mechanized in Isabelle/HOL. As a case study, we have applied PiCore to the concurrent buddy memory allocation of a real-world OS, providing a verified low-level specification and revealing bugs in the C code.

References

  1. 1.
    The Zephyr Project. https://www.zephyrproject.org/. Accessed December 2018
  2. 2.
    Abrial, J.R., Hallerstede, S.: Refinement, decomposition, and instantiation of discrete models: application to event-B. Fundamenta Informaticae 77(1–2), 1–28 (2007)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Aceto, L., Ingólfsdóttir, A., Larsen, K., Srba, J.: Reactive Systems - Modeling, Specification and Verification. Cambridge University Press, Cambridge (2007)CrossRefGoogle Scholar
  4. 4.
    Andronick, J., Lewis, C., Morgan, C.: Controlled Owicki-Gries concurrency: reasoning about the preemptible eChronos embedded operating system. In: Proceedings Workshop on Models for Formal Analysis of Real Systems MARS, pp. 10–24 (2015)Google Scholar
  5. 5.
    Back, R.J., Sere, K.: Superposition Refinement of Reactive Systems. Formal Aspects Comput. 8(3), 324–346 (1996)CrossRefGoogle Scholar
  6. 6.
    Back, R.J., Sere, K.: Stepwise refinement of action systems. Struct. Program. 12, 17–30 (1991)Google Scholar
  7. 7.
    Chen, H., Wu, X., Shao, Z., Lockerman, J., Gu, R.: Toward compositional verification of interruptible OS kernels and device drivers. In: 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 431–447. ACM (2016)Google Scholar
  8. 8.
    Dingel, J., Garlan, D., Jha, S., Notkin, D.: Towards a formal treatment of implicit invocation using rely/guarantee reasoning. Formal Aspects Comput. 10(3), 193–213 (1998)CrossRefGoogle Scholar
  9. 9.
    Fenkam, P., Gall, H., Jazayeri, M.: Composing specifications of event based applications. In: Pezzè, M. (ed.) FASE 2003. LNCS, vol. 2621, pp. 67–86. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36578-8_6CrossRefGoogle Scholar
  10. 10.
    Fenkam, P., Gall, H., Jazayeri, M.: Constructing deadlock free event-based applications: a rely/guarantee approach. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 636–657. Springer, Heidelberg (2003).  https://doi.org/10.1007/978-3-540-45236-2_35CrossRefGoogle Scholar
  11. 11.
    Garlan, D., Jha, S., Notkin, D., Dingel, J.: Reasoning about implicit invocation. In: Proceedings of the 6th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), pp. 209–221. ACM, New York (1998)Google Scholar
  12. 12.
    Harel, D., Pnueli, A.: On the development of reactive systems. In: Apt, K.R. (ed.) Logics and Models of Concurrent Systems. NATO ASI Series (Series F: Computer and Systems Sciences), vol. 13, pp. 477–498. Springer, Heidelberg (1985).  https://doi.org/10.1007/978-3-642-82453-1_17CrossRefGoogle Scholar
  13. 13.
    Hayes, I.J.: Generalised rely-guarantee concurrency: an algebraic foundation. Formal Aspects Comput. 28(6), 1057–1078 (2016)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Hayes, I.J., Colvin, R.J., Meinicke, L.A., Winter, K., Velykis, A.: An algebra of synchronous atomic steps. In: Fitzgerald, J., Heitmeyer, C., Gnesi, S., Philippou, A. (eds.) FM 2016. LNCS, vol. 9995, pp. 352–369. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-48989-6_22CrossRefGoogle Scholar
  15. 15.
    Hoang, T.S., Abrial, J.-R.: Event-B decomposition for parallel programs. In: Frappier, M., Glässer, U., Khurshid, S., Laleau, R., Reeves, S. (eds.) ABZ 2010. LNCS, vol. 5977, pp. 319–333. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-11811-1_24CrossRefGoogle Scholar
  16. 16.
    Jones, C.B.: Tentative steps toward a development method for interfering programs. ACM Trans. Program. Lang. Syst. 5(4), 596–619 (1983)CrossRefGoogle Scholar
  17. 17.
    Klein, G., et al.: seL4: formal verification of an OS kernel. In: Proceedings of ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP 2009, Big Sky, Montana, USA, pp. 207–220. ACM Press (2009)Google Scholar
  18. 18.
    Liang, H., Feng, X., Fu, M.: A rely-guarantee-based simulation for verifying concurrent program transformations. In: 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pp. 455–468. ACM Press (2012)Google Scholar
  19. 19.
    Mantel, H., Sands, D., Sudbrock, H.: Assumptions and guarantees for compositional noninterference. In: 24th Computer Security Foundations Symposium (CSF), pp. 218–232. IEEE Press (2011)Google Scholar
  20. 20.
    Moreira, N., Pereira, D., de Sousa, S.M.: On the mechanisation of rely-guarantee in Coq. Universidade do Porto, Technical report (2013)Google Scholar
  21. 21.
    Murray, T., Matichuk, D., Brassil, M., Gammie, P., Klein, G.: Noninterference for operating system kernels. In: Hawblitzel, C., Miller, D. (eds.) CPP 2012. LNCS, vol. 7679, pp. 126–142. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-35308-6_12CrossRefGoogle Scholar
  22. 22.
    Murray, T., Sison, R., Pierzchalski, E., Rizkallah, C.: Compositional verification and refinement of concurrent value-dependent noninterference. In: 29th IEEE Computer Security Foundations Symposium (CSF). IEEE Press (2016)Google Scholar
  23. 23.
    Nieto, L.P.: The rely-guarantee method in Isabelle/HOL. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 348–362. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36575-3_24CrossRefGoogle Scholar
  24. 24.
    Sanán, D., Zhao, Y., Hou, Z., Zhang, F., Tiu, A., Liu, Y.: CSimpl: a rely-guarantee-based framework for verifying concurrent programs. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 481–498. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54577-5_28CrossRefGoogle Scholar
  25. 25.
    Schirmer, N.: Verification of Sequential Imperative Programs in Isabelle/HOL. Ph.D. thesis, Technical University Munich (2006)Google Scholar
  26. 26.
    van Staden, S.: On rely-guarantee reasoning. In: Hinze, R., Voigtländer, J. (eds.) MPC 2015. LNCS, vol. 9129, pp. 30–49. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-19797-5_2CrossRefGoogle Scholar
  27. 27.
    Xu, F., Fu, M., Feng, X., Zhang, X., Zhang, H., Li, Z.: A practical verification framework for preemptive OS kernels. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 59–79. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-41540-6_4CrossRefGoogle Scholar
  28. 28.
    Xu, Q., de Roever, W.P., He, J.: The rely-guarantee method for verifying shared variable concurrent programs. Formal Aspects Comput. 9(2), 149–174 (1997)CrossRefGoogle Scholar
  29. 29.
    Zhao, Y., Sanán, D.: Rely-guarantee reasoning about concurrent memory management in Zephyr RTOS. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11562, pp. 515–533. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-25543-5_29CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Yongwang Zhao
    • 1
    • 2
    Email author
  • David Sanán
    • 3
  • Fuyuan Zhang
    • 4
  • Yang Liu
    • 3
  1. 1.School of Computer Science and EngineeringBeihang UniversityBeijingChina
  2. 2.Beijing Advanced Innovation Center for Big Data and Brain ComputingBeihang UniversityBeijingChina
  3. 3.School of Computer Science and EngineeringNanyang Technological UniversitySingaporeSingapore
  4. 4.MPI-SWSKaiserslauternGermany

Personalised recommendations