Section: New Results

Verification Techniques

Participants : Mario Bravetti, Adrien Durier, Daniel Hirschkoff, Ivan Lanese, Cosimo Laneve, Davide Sangiorgi.

We analyze sensible properties of concurrent systems, including deadlock freedom and resource usages, and proof techniques for deriving behavioural equalities and preorders on processes.

Deadlock detection and cloud elasticity

In order to verify sensible properties of concurrent programs we use a technique consisting of (1) extracting information by means of behavioural type systems and (2) analyzing types by means of ad-hoc tools.

In [20] we study deadlock detection for value-passing CCS (and for $\pi$ calculus). In this paper we analyze complex programs that create networks with arbitrary numbers of nodes. To enable the analysis of such programs, (1) we define an algorithm for detecting deadlocks of a basic model featuring recursion and fresh name generation, and (2) we design a type system that returns behavioural types. We show the soundness of the type system, and develop a type inference algorithm for it.

In [39] we apply the above technique to a language for stateful active objects. This is challenging because active objects use futures to refer to results of pending asynchronous invocations and because these futures can be stored in object fields, passed as method parameters, or returned by invocations. The type system traces the access to object fields by means of effects. For this reason, it is possible to compute behavioural types that express synchronisation patterns in a precise way. The behavioural types are thereafter analysed by a solver that discovers potential deadlocks. The PhD thesis of Vincenzo Mastandrea [11] addresses deadlock detection of stateful active objects.

In [44] we apply the same technique to Java byte-code. In particular [44] gives a practical presentation of JaDA, a static deadlock analyzer for Java that extracts behavioral types and analyzes these types by means of a fixpoint algorithm that reports potential deadlocks in the original Java code. We also present some of the features for customising the analysis: while the main strength of JaDA is to run in a fully automatic way, user interaction is possible and may enhance the accuracy of the results. The whole theory behind JaDa is fully developed in the PhD thesis of Abel Garcia Celestrin [10].

In [18] we address a concurrent language with explicit acquire and release operations on virtual machines. In our language it is possible to delegate other (ad-hoc or third party) concurrent code to release virtual machines (by passing them as arguments of invocations). In this case, we define (i) a type system associating programs with behavioural types that record relevant information for resource usage (creations, releases, and concurrent operations), (ii) a translation function that takes behavioural types and returns cost equations, and (iii) an automatic off-the-shelf solver for the cost equations. A soundness proof of the type system establishes the correctness of our technique with respect to the cost equations. We have experimentally evaluated our technique using a cost analysis solver. The experiments show that our analysis allows us to derive bounds for programs that are better than other techniques, such as those based on amortized analysis.

Most general property-preserving updates

Systems need to be updated to last for a long time in a dynamic environment, and to cope with changing requirements. It is important for updates to preserve the desirable properties of the system under update, while possibly enforcing new ones. We consider a simple yet general update mechanism [25] that replaces a component of the system with a new one. The context, i.e., the rest of the system, remains unchanged. We define contexts and components as Constraint Automata interacting via either asynchronous or synchronous communication, and we express properties using Constraint Automata too. Then we build most general updates which preserve specific properties, considering both a single property and all the properties satisfied by the original system, in a given context or in all possible contexts.

Proof techniques based on unique solutions

In [22], we study bisimilarity, a behavioural equivalence whose success is much due to the associated bisimulation proof method. In particular, we discuss a different proof method, based on unique solution of special forms of inequations called contractions, and inspired by Milner's theorem on unique solution of equations. The method is as powerful as the bisimulation proof method and its up-to context enhancements. The definition of contraction can be transferred onto other behavioural equivalences, possibly contextual and non-coinductive. This enables a coinductive reasoning style on such equivalences, either by applying the method based on unique solution of contractions, or by injecting appropriate contraction preorders into the bisimulation game.

In [38] we develop the above proof method in a different direction: rather than introducing contractions, we remain within equations, and we investigate conditions that guarantee unique solutions, for bisimilarity as well as for other behavioural equivalences such as trace equivalence. We also consider preorders such as trace inclusion. We finally develop abstract formulations of the theorems, on generic Labeled Transition Systems.

Fuzzy logics

In [14] we introduce a framework for detecting anomalies in the clocks of the different components of a network of sensor stations connected with a central server for measuring air quality. We propose a novel approach, supported by a formal representation of the network using fuzzy-timed automata, to precisely represent the expected behaviour of each component of the network. Using fuzzy logic concepts, we can specify admissible mismatches between the clocks.