Stephen J. Garland

An Overview of LP, The Larch Power

We sketch a method for deduction-oriented software and system development The method incorporates formal machine-supported specification and verification as activities in software and systems development. We describe experiences in applying this method. These experiences have been gained by using the LP, the Larch proof assistant, as a tool for a number of small and medium size case studies for the formal development of software and systems. LP is used for the verification of the development steps. These case studies include ž quicksort, ž the majority vote problem, ž code generation by a compiler and its correctness, ž an interactive queue and its refinement into a network. The developments range over levels of requirement specifications, designs and abstract implementations. The main issues are questions of a development method and how to make good use of a formal tool like LP in a goal-directed way within the development. We further discuss of the value of advanced specification techniques, most of which are deliberately not supported by LP and its notation, and their significance in development. Furthermore, we discuss issues of enhancement of a support system like LP and the value and the practicability of using formal techniques such as specification and verification in the development process in practice.

PAN: a high-performance active network node supporting multiple mobile code systems

A capsule-based active network transports capsules containing code to be executed on network nodes through which they pass. Active networks facilitate the deployment of new protocols, which can be used without any changes to the underlying network infrastructure. This paper describes the design, implementation, and evaluation of a high-performance active network node which supports multiple mobile code systems. Experiments, using capsules executing unsafe native Intel ix86 object code, indicate that active networks may be able to provide significant flexibility relative to traditional networks with only a small performance overhead (as little as 13% for 1500 byte packets). However, capsules executing JavaVM code performed far worse (with over three times the performance overhead of native code for 128 byte packets), indicating that mobile code system performance is critical to overall node performance.

Debugging Larch shared language specifications

The checkability designed into the LSL (Larch shared language) is described, and two tools that help perform the checking are discussed. LP (the Larch power) is the principal debugging tool. Its design and development have been motivated primarily by work on LSL, but it also has other uses (e.g. reasoning about circuits and concurrent algorithms). Because of these other uses, and because they also tend to use LP to analyze Larch interface specifications, the authors have tried not to make LP too LSL-specific. Instead, they have chosen to build a second tool, LSLC (the LSL checker), to serve as a front-end to LP. LSLC checks the syntax and static semantics of LSL specifications and generates LP proof obligations from their claims. These proof obligations fall into three categories: consistency (that a specification does not contradict itself), theory containment (that a specification has intended consequences), and relative completeness (that a set of operators is adequately defined). An extended example illustrating how LP is used to debug LSL specifications is presented. >

Using Transformations and Verification in Circuit Design

We show how machine-checked verification can support an approach to circuit design based on two kinds of refinement. This approach starts with a conceptually simple (but inefficient) initial design and uses a combination of ad hoc refinement and algorithmic transformation to produce a design that is more efficient (but more complex).We present an example in which we start with a simplified CPU design and derive an efficient pipelined form, including circuitry for reverting the effects of partially executed instructions when a successful branch is detected late in the pipeline. The algorithmic stage of our derivation applies a transormation, retiming, that has been proven to preserve functional behavior in the general case. The ad hoc stage requires special justification, which we supply in the form of a machine-checked formal verification.

Inductive methods for reasoning about abstract data types

Rewriting techniques have been used to reason about a variety of topics related to programming languages, e.g., abstract data types, Petri Nets, FP programs, and data bases. They have also been used in the implementation and definition of a variety of programming languages. At the 1980 POPL Conference, David Musser proposed a new method of proving inductive properties of abstract data types. Since that time, this method, which came to be called inductionless induction, has attracted considerable attention. Numerous applications and improvements have been proposed and several implementations described. However, little or no work has appeared that questions the basic utility of the idea. The thesis of this paper is that while induction using equational term-rewriting holds great promise, inductionless induction does not. More specifically, we argue that for reasoning about abstract data types traditional inductive methods are usually superior.

An Overview of Larch

We begin by describing the Larch approach to specification and illustrating it with a few small examples. We then discuss LP, the Larch proof assistant, a tool that supports all the Larch languages. Our intent is to give you only a taste of these things. For a comprehensive look at Larch see [12].

Verifying timing properties of concurrent algorithms

This paper presents a method for computer-aided verification of timing properties of real-time systems. A timed automaton model, along with invariant assertion and simulation techniques for proving properties of real-time systems, is formalized within the Larch Shared Language. This framework is then used to prove time bounds for two sample algorithms—a simple counter and Fischer’s mutual exclusion protocol. The proofs are checked using the Larch Prover.

A Parallel Completion Procedure for Term Rewriting Systems

We present a parallel completion procedure for term rewriting systems. Despite an extensive literature concerning the well-known sequential Knuth-Bendix completion procedure, little attention has been devoted to designing parallel completion procedures. Because naive parallelizations of sequential procedures lead to over-synchronization and poor performance, we employ a transition-based approach that enables more effective parallelizations. The approach begins with a formulation of the completion procedure as a set of transitions (in the style of Bachmair, Dershowitz, and Hsiang) and proceeds to a highly tuned parallel implementation that runs on a shared memory multiprocessor. The implementation performs well on a number of standard examples.

Localized verification of circuit descriptions

Automated theorem provers can provide substantial assistance when verifying that circuits described with Synchronized Transitions preserve invariants. To make verification practical for large circuits, Synchronized Transitions allows circuits to be described as hierarchies of subcircuits. Protocols defined for each subcircuit permit them to be verified one at a time. This localized proof technique factors the verification of a circuit into manageable pieces, making machine assisted verification both simpler and faster.

Computer-assisted verification of an algorithm for concurrent timestamps

A formal representation and machine-checked proof are given for the Bounded Concurrent Timestamp (BCTS) algorithm of Dolev and Shavit. The proof uses invariant assertions and a forward simulation mapping to a corresponding Unbounded Concurrent Timestamp (UCTS) algorithm, following a strategy developed by Gawlick, Lynch, and Shavit. The proof was produced interactively, using the Larch Prover.