Automated verification of practical garbage collectors

HawblitzelChris,; PetrankErez,

doi:10.1145/1594834.1480935

Cited by 19 publications

(16 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Efforts towards a certified GC [55,84,86,129] have focused on correctly specifying the collector-mutator interface in order to avoid implementers either on the collector or mutator side to violate intended invariants [83].…”

Section: Certifiable Garbage Collectormentioning

confidence: 99%

Safety‐critical Java for embedded systems

Schoeberl

Dalsgaard

Hansen

et al. 2016

Concurrency and Computation

View full text Add to dashboard Cite

Phone +45 4525 3351 compute@compute.dtu.dk www.compute.dtu.dk IMM-PhD-2014-340 Summary (English) Safety-critical systems are real-time systems whose failure can have severe or catastrophic consequences, possibly endangering human life. Many safety-critical systems incorporate embedded computers used to control different tasks. Software running on safety-critical systems needs to be certified before its deployment and the most time-consuming step of this process is the testing and verification phase. Due to the increasing complexity in safety-critical systems there is a need for new technologies that can facilitate testing and verification activities.The safety-critical specification for Java aims at providing a reduced set of the Java programming language that can be used for systems that need to be certified at the highest levels of criticality. Safety-critical Java (SCJ) restricts how a developer can structure an application by providing a specific programming model and by restricting the set of methods and libraries that can be used. Furthermore, its memory model do not use a garbage-collected heap but scoped memories.In this thesis we examine the use of the SCJ specification through an implementation in a time-predictable, FPGA-based Java processor. The specification is now in a mature state and with our implementation we have proved its feasibility in an embedded platform. Moreover, we have explored how simple hardware extensions can reduce the execution time of time-critical operations required by the SCJ specification.The scoped memory model used in SCJ is perhaps one of its most difficult features to use correctly. Therefore, in this work we have also studied practical aspects of its usage by developing scoped memory use patterns and reusable libraries aiming at facilitating the development of complex software systems.ii Summary (Danish)Sikkerhedskritiske systemer er realtidssystemer. Hvis sådanne systemer fejler, kan det have alvorlige eller katastrofale konsekvenser, muligvis livsfarlige konsekvenser. Mange sikkerhedskritiske systemer inkorporerer embeddede computere, som bruges til at kontrollere forskellige opgaver. Software, som kører på sikkerhedskritiske systemer, skal certificeres, før softwaren udrulles, og det mest tidskraevende skridt i denne proces er test-og verifikationsfasen. På grund af den stigende kompleksitet i sikkerhedskritiske systemer er der behov for nye teknologier til at facilitere test-og verifikationsaktiviteter.Den sikkerhedskritiske specifikation for Java har til formål at levere en reduceret udgave af Java-programmeringssproget, som kan bruges til systemer, der skal kunne certificeres på de højeste kritikalitetsniveauer. Safety Critical Java (SCJ) begraenser, hvordan en udvikler kan strukturere en applikation, ved at levere en specifik programmeringsmodel og ved at begraense de metoder og biblioteker, som kan anvendes. Derudover benytter hukommelsesmodellen i SCJ ikke en heap, der er garbage-collected, men afgraensede hukommelser.I denne afhandling undersøger vi brugen a...

show abstract

Section: Certifiable Garbage Collectormentioning

confidence: 99%

Safety‐critical Java for embedded systems

Schoeberl

Dalsgaard

Hansen

et al. 2016

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…The use of ghost state to encode inductive properties without induction has been fruitful in verifications using SMT solvers (e.g., [8,16,40]). Our use of ghost state for frame conditions and separation reasoning was directly inspired by the state-dependent effects of Kassios [18] (who calls them dynamic frames, whence our term "dynamic boundary").…”

Section: Related Workmentioning

confidence: 99%

Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions

Naumann

Banerjee

2010

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions.

show abstract

“…This challenge has been identified and addressed in various settings [8,9,11,12]. This paper provides an independent proof, and it explores a different proof method in the design space.…”

Section: Introductionmentioning

confidence: 99%

Verifying a Concurrent Garbage Collector Using a Rely-Guarantee Methodology

Zakowski

Cachera

Demange

et al. 2017

Interactive Theorem Proving

View full text Add to dashboard Cite

Concurrent garbage collection algorithms are an emblematic challenge in the area of concurrent program verification. In this paper, we address this problem by proposing a mechanized proof methodology based on the popular RelyGuarantee (RG) proof technique. We design a specific compiler intermediate representation (IR) with strong type guarantees, dedicated support for abstract concurrent data structures, and high-level iterators on runtime internals. In addition, we define an RG program logic supporting an incremental proof methodology where annotations and invariants can be progressively enriched. We formalize the IR, the proof system, and prove the soundness of the methodology in the Coq proof assistant. Equipped with this IR, we prove a fully concurrent garbage collector where mutators never have to wait for the collector.

show abstract

Automated verification of practical garbage collectors

Cited by 19 publications

References 28 publications

Safety‐critical Java for embedded systems

Safety‐critical Java for embedded systems

Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions

Verifying a Concurrent Garbage Collector Using a Rely-Guarantee Methodology

Contact Info

Product

Resources

About