Section: New Results

Verification Techniques

Participants : Ugo Dal Lago, Adrien Durier, Daniel Hirschkoff, Ivan Lanese, Cosimo Laneve, Davide Sangiorgi, Akira Yoshimizu, Gianluigi Zavattaro.

Extensional properties are those properties that constrain the behavioural descriptions of a system (i.e., how a system looks like from the outside). Examples of such properties include classical functional correctness, deadlock freedom and resource usage.

In the last year of the Focus project, we have worked on three main topics: (i) name mobility and coinductive techniques, (ii) deadlock analysis, and (iii) cost analysis of properties of languages for actors and for smart contracts.

Name Mobility and Coinductive Techniques

In [19], we propose proof techniques for bisimilarity based on unique solution of equations. The results essentially state that an equation (or a system of equations) whose infinite unfolding never produces a divergence has the unique-solution property. We distinguishing between different forms of divergence; derive an abstract formulation of the theorems, on generic LTSs; adapt the theorems to other equivalences such as trace equivalence, and to preorders such as trace inclusion; we compare the resulting techniques to enhancements of the bisimulation proof method (the `up-to techniques'). In [20], we study how to adapt such techniques to higher-order languages. In such languages proving behavioural equivalences is known to be hard, because interactions involve complex values, namely terms of the language. The soundness of proof techniques is usually delicate and difficult to establish. The language considered is the Higher-Order $\pi$-calculus.

The contribution [42] studies the representation of the call-by-need $\lambda$-calculus in the pure message-passing concurrency of the $\pi$-calculus, precisely the Local Asynchronous $\pi$-calculus, that has sharper semantic properties than the ordinary $\pi$-calculus. We exploit such properties to study the validity of of $\beta$-reduction (meaning that the source and target terms of a beta-reduction are mapped onto behaviourally equivalent processes). Nearly all results presented fail in the ordinary $\pi$-calculus.

In [45], we investigate basic properties of the Erlang concurrency model. This model is based on asynchronous communication through mailboxes accessed via pattern matching. In particular, we consider Core Erlang (which is an intermediate step in Erlang compilation) and we define, on top of its operational semantics, an observational semantics following the approach used to define asynchronous bisimulation for the $\pi$-calculus. Our work allows us to shed some light on the management of process identifiers in Erlang, different from the various forms of name mobility already studied in the literature. In fact, we need to modify standard definitions to cope with such specific features of Erlang.

The paper [25] reviews the origins and the history of enhancements of the bisimulation and coinduction proof methods.

Deadlock Analysis

The contributions [22] and  [50] address deadlock analysis of Java -like programs. The two papers respectively cover two relevant features of these languages: (i) multi-threading and reentrant locks and (ii) co-ordination primitives (wait , notify and notifyAll ). In both cases, we define a behavioral type system that associates abstract models to programs (lams and Petri Nets with inhibitor arcs) and define an algorithm for detecting deadlocks. The two systems are consistent and our technique is intended to be an effective tool for the deadlock analysis of programming languages.

The paper [16] addresses the $\pi$-calculus. It defines a type system for guaranteing that typable processes never produce a run-time error and, even if they may diverge, there is always a chance for them to finish their work, i.e., to reduce to an idle process (a stronger property than deadlock freedom). The type system uses so-called non-idempotent intersections and, therefore, applies to a large class of processes. Indeed, despite the fact that the underlying property is ${\prod }_2^0$-complete, there is a way to show that the system is complete, i.e., that any well-behaved process is typable, although for obvious reasons infinitely many derivations need to be considered.

Static Analysis of Properties of Concurrent Programs

We have analyzed the computational time of actor programs, following a technique similar to  [52], and we have begun a new research direction that deals with the analysis of Solidity smart contracts.

In [23], we propose a technique for estimating the computational time of programs in an actor model. To this aim, we define a compositional translation function returning cost equations, which are fed to an automatic off-the-shelf solver for obtaining the time bounds. Our approach is based on so-called synchronization sets that capture possible difficult synchronization patterns between actors and helps make the analysis efficient and precise. The approach is proven to correctly over-approximate the worst computational time of an actor model of concurrent programs. The technique is complemented by a prototype analyzer that returns upper bound of costs for the actor model.

In [38], we analyze the bahaviour of smart contracts, namely programs stored on some blockchain that control the transfer of assets between parties under certain conditions. In particular, we focus on the interactions of smart contracts and external actors (usually, humans) in order to maximize objective functions. 5 To this aim, we define a core language of programs, which is reminiscent of Solidity , with a minimal set of smart contract primitives and we describe the whole system as a parallel composition of smart contracts and users. We therefore express the system behaviour as a first order logic formula in Presburger arithmetics and study the maximum profit for each actor by solving arithmetic constraints.