-
Towards a Proof System for Probabilistic Dynamic Logic
Authors:
Einar Broch Johnsen,
Eduard Kamburjan,
Raúl Pardo,
Erik Voogd,
Andrzej Wąsowski
Abstract:
Whereas the semantics of probabilistic languages has been extensively studied, specification languages for their properties have received less attention -- with the notable exception of recent and on-going efforts by Joost-Pieter Katoen and collaborators. In this paper, we revisit probabilistic dynamic logic (pDL), a specification logic for programs in the probabilistic guarded command language (p…
▽ More
Whereas the semantics of probabilistic languages has been extensively studied, specification languages for their properties have received less attention -- with the notable exception of recent and on-going efforts by Joost-Pieter Katoen and collaborators. In this paper, we revisit probabilistic dynamic logic (pDL), a specification logic for programs in the probabilistic guarded command language (pGCL) of McIver and Morgan. Building on dynamic logic, pDL can express both first-order state properties and probabilistic reachability properties. In this paper, we report on work in progress towards a deductive proof system for pDL. This proof system, in line with verification systems for dynamic logic such as KeY, is based on forward reasoning by means of symbolic execution.
△ Less
Submitted 1 December, 2024;
originally announced December 2024.
-
A Hoare Logic for Domain Specification (Full Version)
Authors:
Eduard Kamburjan,
Dilian Gurov
Abstract:
Programs must be correct with respect to their application domain. Yet, the program specification and verification approaches so far only consider correctness in terms of computations. In this work, we present a two-tier Hoare Logic that integrates assertions for both implementation and domain. For domain specification, we use description logics and semantic lifting, a recently proposed approach t…
▽ More
Programs must be correct with respect to their application domain. Yet, the program specification and verification approaches so far only consider correctness in terms of computations. In this work, we present a two-tier Hoare Logic that integrates assertions for both implementation and domain. For domain specification, we use description logics and semantic lifting, a recently proposed approach to interpret a program as a knowledge graph. We present a calculus that uses translations between both kinds of assertions, thus separating the concerns in specification, but enabling the use of description logic in verification.
△ Less
Submitted 1 February, 2024;
originally announced February 2024.
-
Context-aware Trace Contracts
Authors:
Reiner Hähnle,
Eduard Kamburjan,
Marco Scaletta
Abstract:
The behavior of concurrent, asynchronous procedures depends in general on the call context, because of the global protocol that governs scheduling. This context cannot be specified with the state-based Hoare-style contracts common in deductive verification. Recent work generalized state-based to trace contracts, which permit to specify the internal behavior of a procedure, such as calls or state c…
▽ More
The behavior of concurrent, asynchronous procedures depends in general on the call context, because of the global protocol that governs scheduling. This context cannot be specified with the state-based Hoare-style contracts common in deductive verification. Recent work generalized state-based to trace contracts, which permit to specify the internal behavior of a procedure, such as calls or state changes, but not its call context. In this article we propose a program logic of context-aware trace contracts for specifying global behavior of asynchronous programs. We also provide a sound proof system that addresses two challenges: To observe the program state not merely at the end points of a procedure, we introduce the novel concept of an observation quantifier. And to combat combinatorial explosion of possible call sequences of procedures, we transfer Liskov's principle of behavioral subtyping to the analysis of asynchronous procedures.
△ Less
Submitted 6 October, 2023;
originally announced October 2023.
-
Type-Based Verification of Delegated Control in Hybrid~Systems (Full Version)
Authors:
Eduard Kamburjan,
Michael Lienhardt
Abstract:
We present a post-region-based verification system for distributed hybrid systems modeled with Hybrid Active Objects. The post-region of a class method is the region of the state space where a physical process must be proven safe to ensure some object invariant. Prior systems computed the post-region locally to a single object and could only verify systems where each object ensures its own safety,…
▽ More
We present a post-region-based verification system for distributed hybrid systems modeled with Hybrid Active Objects. The post-region of a class method is the region of the state space where a physical process must be proven safe to ensure some object invariant. Prior systems computed the post-region locally to a single object and could only verify systems where each object ensures its own safety, or relied on specific, non-modular communication patterns. The system presented here uses a type-and-effect system to structure the interactions between objects and computes post-regions globally, but verifies them locally. Furthermore, we are able to handle systems with delegated control: the object and method that shape the post-region change over time. We exemplify our approach with a model of a cloud-based hybrid system.
△ Less
Submitted 2 October, 2023;
originally announced October 2023.
-
Modular Analysis of Distributed Hybrid Systems using Post-Regions (Full Version)
Authors:
Eduard Kamburjan
Abstract:
We introduce a new approach to analyze distributed hybrid systems by a generalization of rely-guarantee reasoning. First, we give a system for deductive verification of class invariants and method contracts in object-oriented distributed hybrid systems. In a hybrid setting, the object invariant must not only be the post-condition of a method, but also has to hold in the post-region of a method. Th…
▽ More
We introduce a new approach to analyze distributed hybrid systems by a generalization of rely-guarantee reasoning. First, we give a system for deductive verification of class invariants and method contracts in object-oriented distributed hybrid systems. In a hybrid setting, the object invariant must not only be the post-condition of a method, but also has to hold in the post-region of a method. The post-region describes all reachable states after method termination before another process is guaranteed to run. The system naturally generalizes rely-guarantee reasoning of discrete object-oriented languages to hybrid systems and carries over its modularity to hybrid systems: Only one dL-proof obligation is generated per method. The post-region can be approximated using lightweight analyses and we give a general notion of soundness for such analyses. Post-region based verification is implemented for the Hybrid Active Object language HABS.
△ Less
Submitted 19 September, 2023;
originally announced September 2023.
-
Digital Twin as a Service (DTaaS): A Platform for Digital Twin Developers and Users
Authors:
Prasad Talasila,
Cláudio Gomes,
Peter Høgh Mikkelsen,
Santiago Gil Arboleda,
Eduard Kamburjan,
Peter Gorm Larsen
Abstract:
Establishing digital twins is a non-trivial endeavour especially when users face significant challenges in creating them from scratch. Ready availability of reusable models, data and tool assets, can help with creation and use of digital twins. A number of digital twin frameworks exist to facilitate creation and use of digital twins. In this paper we propose a digital twin framework to author digi…
▽ More
Establishing digital twins is a non-trivial endeavour especially when users face significant challenges in creating them from scratch. Ready availability of reusable models, data and tool assets, can help with creation and use of digital twins. A number of digital twin frameworks exist to facilitate creation and use of digital twins. In this paper we propose a digital twin framework to author digital twin assets, create digital twins from reusable assets and make the digital twins available as a service to other users. The proposed framework automates the management of reusable assets, storage, provision of compute infrastructure, communication and monitoring tasks. The users operate at the level of digital twins and delegate rest of the work to the digital twin as a service framework.
△ Less
Submitted 13 June, 2023; v1 submitted 12 May, 2023;
originally announced May 2023.
-
The Right Kind of Non-Determinism: Using Concurrency to Verify C Programs with Underspecified Semantics
Authors:
Eduard Kamburjan,
Nathan Wasser
Abstract:
We present a novel and well automatable approach to formal verification of C programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of concurrent systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides…
▽ More
We present a novel and well automatable approach to formal verification of C programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of concurrent systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every non-deterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model, using the Crowbar theorem prover, which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be handled correctly by existing tools for C.
△ Less
Submitted 9 August, 2022;
originally announced August 2022.
-
Deductive Verification of Programs with Underspecified Semantics by Model Extraction
Authors:
Eduard Kamburjan,
Nathan Wasser
Abstract:
We present a novel and well automatable approach to formal verification of programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of distributed systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a…
▽ More
We present a novel and well automatable approach to formal verification of programs with underspecified semantics, i.e., a language semantics that leaves open the order of certain evaluations. First, we reduce this problem to non-determinism of distributed systems, automatically extracting a distributed Active Object model from underspecified, sequential C code. This translation process provides a fully formal semantics for the considered C subset. In the extracted model every non-deterministic choice corresponds to one possible evaluation order. This step also automatically translates specifications in the ANSI/ISO C Specification Language (ACSL) into method contracts and object invariants for Active Objects. We then perform verification on the specified Active Objects model. For this we have implemented a theorem prover Crowbar based on the Behavioral Program Logic (BPL), which verifies the extracted model with respect to the translated specification and ensures the original property of the C code for all possible evaluation orders. By using model extraction, we can use standard tools, without designing a new complex program logic to deal with underspecification. The case study used is highly underspecified and cannot be verified with existing tools for C.
△ Less
Submitted 11 February, 2022; v1 submitted 5 October, 2021;
originally announced October 2021.
-
Crowbar: Behavioral Symbolic Execution for Deductive Verification of Active Objects
Authors:
Eduard Kamburjan,
Marco Scaletta,
Nils Rollshausen
Abstract:
We present the Crowbar tool, a deductive verification system for the ABS language. ABS models distributed systems with the Active Object concurrency model. Crowbar implements behavioral symbolic execution: each method is symbolically executed, but specification and prior static analyses influence the shape of the symbolic execution tree. User interaction is realized through guided counterexamples,…
▽ More
We present the Crowbar tool, a deductive verification system for the ABS language. ABS models distributed systems with the Active Object concurrency model. Crowbar implements behavioral symbolic execution: each method is symbolically executed, but specification and prior static analyses influence the shape of the symbolic execution tree. User interaction is realized through guided counterexamples, which present failed proof branches in terms of the input program. Crowbar has a clear interface to implement new specification languages and verification calculi in the Behavioral Program Logic and has been applied for the biggest verification case study of Active Objects.
△ Less
Submitted 11 February, 2022; v1 submitted 19 February, 2021;
originally announced February 2021.
-
Tool Support for Validation of Formal System Models: Interactive Visualization and Requirements Traceability
Authors:
Eduard Kamburjan,
Jonas Stromberg
Abstract:
Development processes in various engineering disciplines are incorporating formal models to ensure safety properties of critical systems. The use of these formal models requires to reason about their adequacy, i.e., to validate that a model mirrors the structure of the system sufficiently that properties established for the model indeed carry over to the real system. Model validation itself is non…
▽ More
Development processes in various engineering disciplines are incorporating formal models to ensure safety properties of critical systems. The use of these formal models requires to reason about their adequacy, i.e., to validate that a model mirrors the structure of the system sufficiently that properties established for the model indeed carry over to the real system. Model validation itself is non-formal, as adequacy is not a formal (i.e., mathematical) property. Instead it must be carried out by the modeler to justify the modeling to the certification agency or other stakeholders. In this paper we argue that model validation can be seen as a special form of requirements engineering, and that interactive visualization and concepts from requirements traceability can help to advance tool support for formal modeling by lowering the cognitive burden needed for validation. We present the VisualisierbaR tool, which supports the formal modeling of railway operations and describe how it uses interactive visualization and requirements traceability concepts to validate a formal model.
△ Less
Submitted 23 December, 2019;
originally announced December 2019.
-
Modeling and Verifying Cyber-Physical Systems with Hybrid Active Objects
Authors:
Eduard Kamburjan,
Stefan Mitsch,
Martina Kettenbach,
Reiner Hähnle
Abstract:
Formal modeling of cyber-physical systems (CPS) is hard, because they pose the double challenge of combined discrete-continuous dynamics and concurrent behavior. Existing formal specification and verification languages for CPS are designed on top of their underlying proof search technology. They lack high-level structuring elements. In addition, they are not efficiently executable. This makes form…
▽ More
Formal modeling of cyber-physical systems (CPS) is hard, because they pose the double challenge of combined discrete-continuous dynamics and concurrent behavior. Existing formal specification and verification languages for CPS are designed on top of their underlying proof search technology. They lack high-level structuring elements. In addition, they are not efficiently executable. This makes formal CPS models hard to understand and to validate, hence impairs their usability. Instead, we suggest to model CPS in an Active Objects (AO) language designed for concise, intuitive modeling of concurrent systems. To this end, we extend the AO language ABS and its runtime environment with Hybrid Active Objects (HAO). CPS models and requirements formalized in HAO must follow certain communication patterns that permit automatic translation into differential dynamic logic, a sequential hybrid program logic. Verification is achieved by discharging the resulting formulas with the theorem prover KeYmaera X. We demonstrate the practicality of our approach with case studies.
△ Less
Submitted 13 June, 2019;
originally announced June 2019.
-
Behavioral Program Logic and LAGC Semantics without Continuations (Technical Report)
Authors:
Eduard Kamburjan
Abstract:
We present Behavioral Program Logic (BPL), a dynamic logic for trace properties that incorporates concepts from behavioral types and allows reasoning about non-functional properties within a sequent calculus. BPL uses behavioral modalities [s |- τ ], to verify statements s against behavioral specifications τ. Behavioral specifications generalize postconditions and behavioral types. They can be use…
▽ More
We present Behavioral Program Logic (BPL), a dynamic logic for trace properties that incorporates concepts from behavioral types and allows reasoning about non-functional properties within a sequent calculus. BPL uses behavioral modalities [s |- τ ], to verify statements s against behavioral specifications τ. Behavioral specifications generalize postconditions and behavioral types. They can be used to specify other static analyses, e.g., data flow analyses. This enables deductive reasoning about the results of multiple analyses on the same program, potentially implemented in different formalisms. Our calculus for BPL verifies the behavioral specification gradually, as common for behavioral types. This vastly simplifies specification, calculus and composition of local results. We present a sequent calculus for object-oriented actors with futures that integrates a pointer analysis and bridges the gap between behavioral types and deductive verification. This technical report introduces (1) complete LAGC semantics of a Core Active Object language (CAO) without continuations (2) Behavioral Program Logic and (3) gives an example for a behavioral type expressed in Behavioral Program Logic, method types. This report contains the soundness proofs for method types. While the semantics cover CAO with suspension, the method types do not, to simplify the presentation.
△ Less
Submitted 30 April, 2019;
originally announced April 2019.
-
Prototyping Formal System Models with Active Objects
Authors:
Eduard Kamburjan,
Reiner Hähnle
Abstract:
We propose active object languages as a development tool for formal system models of distributed systems. Additionally to a formalization based on a term rewriting system, we use established Software Engineering concepts, including software product lines and object orientation that come with extensive tool support. We illustrate our modeling approach by prototyping a weak memory model. The result…
▽ More
We propose active object languages as a development tool for formal system models of distributed systems. Additionally to a formalization based on a term rewriting system, we use established Software Engineering concepts, including software product lines and object orientation that come with extensive tool support. We illustrate our modeling approach by prototyping a weak memory model. The resulting executable model is modular and has clear interfaces between communicating participants through object-oriented modeling. Relaxations of the basic memory model are expressed as self-contained variants of a software product line. As a modeling language we use the formal active object language ABS which comes with an extensive tool set. This permits rapid formalization of core ideas, early validity checks in terms of formal invariant proofs, and debugging support by executing test runs. Hence, our approach supports the prototyping of formal system models with early feedback.
△ Less
Submitted 4 October, 2018;
originally announced October 2018.
-
Stateful Behavioral Types for ABS
Authors:
Eduard Kamburjan,
Tzu-Chun Chen
Abstract:
It is notoriously hard to correctly implement a multiparty protocol which involves asynchronous/concurrent interactions and the constraints on states of multiple participants. To assist developers in implementing such protocols, we propose a novel specification language to specify interactions within multiple object-oriented actors and the side-effects on heap memory of those actors; a behavioral-…
▽ More
It is notoriously hard to correctly implement a multiparty protocol which involves asynchronous/concurrent interactions and the constraints on states of multiple participants. To assist developers in implementing such protocols, we propose a novel specification language to specify interactions within multiple object-oriented actors and the side-effects on heap memory of those actors; a behavioral-type-based analysis is presented for type checking. Our specification language formalizes a protocol as a global type, which describes the procedure of asynchronous method calls, the usage of futures, and the heap side-effects with a first-order logic. To characterize runs of instances of types, we give a model-theoretic semantics for types and translate them into logical constraints over traces. We prove protocol adherence: If a program is well-typed w.r.t. a protocol, then every trace of the program adheres to the protocol, i.e., every trace is a model for the formula of its type.
△ Less
Submitted 25 June, 2018; v1 submitted 23 February, 2018;
originally announced February 2018.
