Certified concurrent abstraction layers

Gu, Ronghui; Shao, Zhong; Kim, Ji-Eung; Wu, Xiongnan; Koenig, Jérémie; Sjöberg, Vilhelm; Chen, Hao; Costanzo, David; Ramananandro, Tahina

doi:10.1145/3192366.3192381

Cited by 61 publications

(49 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many real-world web servers are multi-threaded, handling requests from different clients in separate threads. Some parts of our approach are already able to handle concurrency: the top-level specification ITree should be sequential regardless of the implementation, and VST and CertiKOS already support concurrent C programs [Gu et al 2018;Mansky et al 2017]. Other parts will require adjustment: for instance, the implementation model may need to explicitly represent the concurrency allowed in the C program.…”

Section: Discussionmentioning

confidence: 99%

“…A similar underlying structure to interaction trees is used as specifications of distributed systems in an early version of F* [Swamy et al 2011], but that work did not show how to use the structure for testing or how to do refinement. Gu et al [2018] use environment contexts to specify past events as well as future events, but rather than starting with all possible traces and consuming them, valid traces are generated one event at a time by consulting an oracle. Although using this step-based approach instead of explicitly coinductive ITrees leads to different specification styles, it is possible to connect them as we discussed in Section 7.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

We present the first formal verification of a networked server implemented in C. Interaction trees, a general structure for representing reactive computations, are used to tie together disparate verification and testing tools (Coq, VST, and Quick-Chick) and to axiomatize the behavior of the operating system on which the server runs (CertiKOS). The main theorem connects a specification of acceptable server behaviors, written in a straightforward "one client at a time" style, with the CompCert semantics of the C program. The variability introduced by low-level buffering of messages and interleaving of multiple TCP connections is captured using network refinement, a variant of observational refinement.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

From C to interaction trees: specifying, verifying, and testing a networked server

Koh

et al. 2019

Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…The CertiKOS project [Gu et al 2015[Gu et al , 2018 takes the idea of composition of a program with its environment even further. Their Concurrent Certified Abstraction Layers framework also uses a trace-based formulation of semantics.…”

Section: Composition With the Environmentmentioning

confidence: 99%

Interaction trees: representing recursive and impure programs in Coq

Xia

Zakowski

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present interaction trees (ITrees), a general-purpose data structure in Coq for formalizing the behaviors of recursive programs that interact with their environment. ITrees are built of uninterpreted events and their continuations-a coinductive variant of a "free monad. " We study the compositional properties of interpreters built from event handlers and show how to use them to implement a general mutual recursion operator. The resulting theory enables equational reasoning about ITrees up to weak bisimulation. Using this theory, we prove the termination-sensitive correctness of a compiler from a simple imperative source language to an assembly-like target whose meanings are given as an ITree-based denotational semantics. Crucially, the correctness proof follows entirely by structural induction and the equational theory of combinators for control-flow graphs, which are built on top of the mutual recursion operator. ITrees are also executable, e.g. through extraction, making them suitable for debugging, testing, and implementing executable artifacts.

show abstract

“…Concurrent notions of refinement There are systems like RGSim [22] and CCAL [14] which support verification of concurrent software using refinement between multiple implementation layers. It might seem that crashes are simply a special case of concurrency, since crashes interrupt threads in a similar way to interleaving threads.…”

Section: Related Workmentioning

confidence: 99%

Argosy: verifying layered storage systems with recovery refinement

Chajed

Tassarotti

Kaashoek

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Storage systems make persistence guarantees even if the system crashes at any time, which they achieve using recovery procedures that run after a crash. We present Argosy, a framework for machine-checked proofs of storage systems that supports layered recovery implementations with modular proofs. Reasoning about layered recovery procedures is especially challenging because the system can crash in the middle of a more abstract layer's recovery procedure and must start over with the lowest-level recovery procedure.This paper introduces recovery refinement, a set of conditions that ensure proper implementation of an interface with a recovery procedure. Argosy includes a proof that recovery refinements compose, using Kleene algebra for concise definitions and metatheory. We implemented Crash Hoare Logic, the program logic used by FSCQ [8], to prove recovery refinement, and demonstrated the whole system by verifying an example of layered recovery featuring a write-ahead log running on top of a disk replication system. The metatheory of the framework, the soundness of the program logic, and these examples are all verified in the Coq proof assistant.

show abstract

Certified concurrent abstraction layers

Cited by 61 publications

References 44 publications

From C to interaction trees: specifying, verifying, and testing a networked server

From C to interaction trees: specifying, verifying, and testing a networked server

Interaction trees: representing recursive and impure programs in Coq

Argosy: verifying layered storage systems with recovery refinement

Contact Info

Product

Resources

About