Ernst-Rüdiger Olderog

Specification-oriented semantics for communicating processes

SummaryA process P satisfies a specification S if every observation we can make of the behaviour of P is allowed by S. We use this idea of process correctness as a starting point for developing a specific form of denotational semantics for processes, called here specification — oriented semantics. This approach serves as a uniform framework for generating and relating a series of increasingly sophisticated denotational models for Communicating Processes.These models differ in the underlying structure of their observations which influences both the number of representable language operators and the induced notion of process correctness. Safety properties are treated by all models; the more sophisticated models also permit proofs of certain liveness properties. An important feature of the models is a special hiding operator which abstracts from internal process activity. This allows large processes to be composed hierarchically from networks of smaller ones in such a way that proofs of the whole are constructed from proofs of its components. We also show the consistency of our denotational models w.r.t. a simple operational semantics based on transitions which make internal process activity explicit.

Operational Petri net semantics for CCSP

We provide a Petri net semantics for a subset of CCSP, the union of Milners CCS and Hoares CSP. It assigns to each process term in the subset a labelled, one-safe place/transition net. As opposed to many other approaches to Petri net semantics, our definition is operational as it is based on Plotkin-style transition rules. These rules are inspired by work of Degano, DeNicola and Montanari, but differ in the way they model the interplay of the central concepts in CCSP: concurrency, nondeterminism and recursion. To discuss these differences, we propose criteria for a good Petri net semantics for CCSP.

Provably Correct Systems

As computers increasingly control the systems and services we depend upon within our daily lives like transport, communications, and the media, ensuring these systems function correctly is of utmost importance. This book consists of twelve chapters and one historical account that were presented at a workshop in London in 2015, marking the 25th anniversary of the European ESPRIT Basic Research project ProCoS (Provably Correct Systems). The ProCoS I and II projects pioneered and accelerated the automation of verification techniques, resulting in a wide range of applications within many trades and sectors such as aerospace, electronics, communications, and retail. The following topics are covered: An historical account of the ProCoS projectHybrid Systems Correctness of Concurrent Algorithms Interfaces and Linking Automatic VerificationRun-time Assertions Checking Formal and Semi-Formal Methods Provably Correct Systems provides researchers, designers and engineers with a complete overview of the ProCoS initiative, past and present, and explores current developments and perspectives within the field.

Verification of sequential and concurrent programs (2nd ed.)

This widely anticipated third edition provides a systematic exploration of one of the most common approaches to program verification, known as the assertional approach. This approach is applied to deterministic and nondeterministic sequential programs of varying complexity, together with both parallel and distributed concurrent programs. The expanded content also includes coverage of the verification of object-oriented programs. For each class of programs, the authors introduce proof systems for the verification of partial and total correctness, justified formally in corresponding soundness theorems. Case studies supplied throughout the book demonstrate the use of the proof systems and formally verify solutions to classical problems, such as producer/consumer and mutual exclusion. This modern update of a classic, reader-friendly textbook is perfect for an introductory course on program verification for advanced undergraduate or graduate students. Outlines for possible courses are suggested in the Preface.

Proof rules and transformations dealing with fairness

Abstract We provide proof rules enabling the treatment of two fairness assumptions in the context of Dijkstras do-od-programs. These proof rules are derived by considering a transformed version of the original program which uses random assignments z ≔? and admits only fair computations. Various, increasingly complicated, examples are discussed. In all cases reasonably simple proofs can be given. The proof rules use well-founded structures corresponding to infinite ordinals and deal with the original programs and not their translated versions.

Sound and complete Hoare-like calculi based on copy rules

SummaryThis paper presents a uniform approach to known and new results on relative completeness of Hoare-like calculi for languages of ALGOL-like programs with procedures as procedure parameters. First the notion of a copy rule is introduced. It provides a uniform framework for dealing with different variants of semantics reaching from dynamic to static scope. Then for each copy rule ℒ a Hoare-like calculus ℋ(ℒ) is presented, the soundness of which is shown by using an approximating semantics. The key to the completeness results lies in a general completeness theorem on the calculi ℋ(ℒ) which has these results as corollaries. Finally, a new type of theorem on Hoare-like calculi is proved by which the notion of formal provability in ℋ(ℒ) is completely characterized. This characterization theorem is the main result of the paper. It covers both soundness and completeness of the calculi ℋ(ℒ) and additionally gives an idea of what the limits of presently known Hoare-like proof techniques for programming languages with procedures are.

Fairness in parallel programs: the transformational approach

Program transformations are proposed as a means of providing fair parallelism semantics for parallel programs with shared variables. The transformations are developed in two steps. First, abstract schedulers that implement the various fairness policies are introduced. These schedulers use random assignments z := ? to represent the unbounded nondeterminism induced by fairness. Concrete schedulers are derived by suitably refining the ?. The transformations are then obtained by embedding the abstract schedulers into the parallel programs. This embedding is proved correct on the basis of a simple transition semantics. Since the parallel structure of the original program is preserved, the transformations also provide a basis for syntax-directed proofs of total correctness under the fairness assumption. These proofs make use of infinite ordinals.

On the notion of expressiveness and the rule of adaptation

Abstract In this note two issues concerning completeness of Hoare-like proof systems which seem unrelated at first sight are brought together: Expressiveness of the assertion language and the Rule of Adaptation. These different issues are connected by investigating soundness and relative completeness of four published versions of the Rule of Adaptation with help of some general techniques for reasoning about expressiveness.

Verification of cooperating traffic agents

This paper exploits design patterns employed in coordinating autonomous transport vehicles in order to ease the burden in verifying cooperating hybrid systems. The presented verification methodology is equally applicable for avionics applications (such as the traffic alert and collision avoidance system (TCAS)), train applications (such as the European train control system (ETCS)), or automotive applications (such as platooning). We present a verification rule explicating the essence of employed design patterns, guaranteeing global safety properties of the kind “a collision will never occur”, and whose premises can either be established by off-line analysis of the worst-case behaviour of the involved traffic agents, or by purely local proofs, involving only a single traffic agent. A companion paper will show how such local proof obligations can be discharged automatically.

Contrasting themes in the semantics of imperative concurrency

A survey is given of work performed by the authors in recent years concerning the semantics of imperative concurrency. Four sample languages are presented for which a number of operational and denotational semantic models are developed. All languages have parallel execution through interleaving, and the last three have as well a form of synchronization. Three languages are uniform, i.e., they have uninterpreted elementary actions; the fourth is nonuniform and has assignment, tests and value-passing communication. The operational models build on Hennessy-Plotkin transition systems; as denotational structures both metric spaces and cpo domains are employed. Two forms of nondeterminacy are distinguished, viz. the local and global variety. As associated model-theoretic distinction that of linear time versus branching time is investigated. In the former we use streams, i.e. finite or infinite sequences of actions; in the latter the (metrically based) notion of process is introduced. We furthermore study a model with only finite observations. Ready sets also appear, used as technical tool to compare various semantics. Altogether, ten models for the four languages are described, and precise statements on (the majority of) their interrelationships are made. The paper supplies no proofs; for these references to technical papers by the authors are provided.