Dependent Types for Reasoning About Distributed Systems Paul Sivilotti - Ohio State Hongwei Xi - Cincinnati.

Slides:



Advertisements
Similar presentations
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Process Synchronization Continued 7.2 The Critical-Section Problem.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Visual Tools for Temporal Reasoning G. Kutty, L.K. Dillon, L.E. Moser, P.M. Melliar-Smith, and Y.S. Ramakrishna.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
Semantic description of service behavior and automatic composition of services Oussama Kassem Zein Yvon Kermarrec ENST Bretagne France.
VIDE Integrated Environment for Development and Verification of Programs.
Facilitating Program Verification with Dependent Types Hongwei Xi Boston University.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
CS294, YelickSelf Stabilizing, p1 CS Self-Stabilizing Systems
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Dependent Types for High- Confidence Distributed Systems Paul Sivilotti - Ohio State Hongwei Xi – Cincinnati (Boston Univ.)
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
Facilitating Programming Verification with Dependent Types Hongwei Xi University of Cincinnati.
The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.
1 Software Testing and Quality Assurance Lecture 5 - Software Testing Techniques.
Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Erlang/QuickCheck Thomas Arts, IT University John Hughes, Chalmers University Gothenburg.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Verifying Concurrent Objects under Fair Scheduling Hongjin Liang University of Science and Technology of China (USTC) Joint work with Xinyu Feng.
Programming Models & Runtime Systems Breakout Report MICS PI Meeting, June 27, 2002.
The Beauty and Joy of Computing Lecture #3 : Creativity & Abstraction UC Berkeley EECS Lecturer Gerald Friedland.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Joseph E. Hollingsworth
VDM++ Tutorial Model Quality. Overview Introduction Assessing internal consistency Assessing external consistency.
Fault-Tolerant Parallel and Distributed Computing for Software Engineering Undergraduates Ali Ebnenasir and Jean Mayo {aebnenas, Department.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332.
Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->
Program correctness The State-transition model A global states S  s 0 x s 1 x … x s m {s k = set of local states of process k} S0  S1  S2  Each state.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
Defining Liveness by Bowen Alpern and Fred B. Schneider Presented by Joe Melnyk.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
CS 542: Topics in Distributed Systems Self-Stabilization.
ARO Workshop Wendy Roll - May 2004 Topic 4: Effects of software certification on the current balance between software/system modeling, analysis and testing.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Presented by: Belgi Amir Seminar in Distributed Algorithms Designing correct concurrent algorithms Spring 2013.
Discussing “Developing Secure Systems with UMLSec” 15 FEB Joe Combs.
DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.
Agenda  Quick Review  Finish Introduction  Java Threads.
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
Managing, Storing, and Executing DTS Packages
Types for Programs and Proofs
Model and complexity Many measures Space complexity Time complexity
Lecture 5 Floyd-Hoare Style Verification
Programming Languages 2nd edition Tucker and Noonan
ITEC452 Distributed Computing Lecture 5 Program Correctness
Mutual Exclusion CS p0 CS p1 p2 CS CS p3.
Formal Methods in software development
Program correctness Axiomatic semantics
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Dependent Types for Reasoning About Distributed Systems Paul Sivilotti - Ohio State Hongwei Xi - Cincinnati

Dependent Types for Distributed Components2 Motivation and Context Aim: practical support for the development of high-confidence distributed systems practical: modularity (components) low cost high-confidence: respects resource budget, private memory… executes “correctly”

Dependent Types for Distributed Components3 Gaining confidence that program text satisfies required behavior Two Challenges Specifying com- ponent behavior and reasoning about its com- position System Properties Component A Properties Component B Properties Component C Properties Program Text of A... Program Text of B... Program Text of C...

Dependent Types for Distributed Components4 Dependent Types enriched types familiar, low cost Two Synergistic Solutions Synergy: locality Surprising Connection: termination Certificates temporal logic local properties Typically not used for reasoning about progress Typically not tied to real programs

Dependent Types for Distributed Components5 Transient P for component C means: progress: if P ever becomes true, it eventually becomes false locality: guaranteed by an action of C alone More formally: transient P   a  C : [ P  wp.a.  P ] “Transient”: A Certificate for Progress

Dependent Types for Distributed Components6 E.g.: Mutual Exclusion System: every client request is eventually satisfied Token-passing Layer Client C Client D Client E Client B Client A Client: token is eventually returned transient holding

Dependent Types for Distributed Components7 Client Program To prove transient holding, show CS terminates (ie ninetyone terminates) *[ non CS ! request ? token //holding is true CS: ninetyone(0); ! token //holding is false ]

Dependent Types for Distributed Components8 Dependent Types Dependent types are types that can depend on the values of expressions Examples int(i) is a singleton type that contains the only integer equal to i intarray(n) is the type for integer arrays of size n.

Dependent Types for Distributed Components9 McCarthy’s 91 Function {i:nat} /* metric: max(0, 101-i) */ [j:int | (i 100  j = i-10)] int(j) ninetyone (x:int(i)) { if (x <= 100) { return ninetyone (ninetyone (x+11)); } else { return (x-10); }

Dependent Types for Distributed Components10 Cost Effectiveness In general, termination of a program is difficult to prove However, critical sections tend to be small and manageable More importantly, we provide the programmer with a range of choices higher effort  lower effort higher benefit  lower benefit

Dependent Types for Distributed Components11 Spectrum of Choices Static Check Programmer provides a metric Type-checker verifies monotonicity of metric Dynamic Check Programmer provides a metric Type-checker inserts run-time tests to check monotonicity of metric Checkpointing Programmer does not provide a metric Checkpoint taken before “dangerous” action

Dependent Types for Distributed Components12 Feasibility of Project Certificates A tool (cidl) for testing transient in CORBA objects has been implemented Transient, and other local certificates, have been applied to several examples Dependent Types A dependently typed language (Xanadu) has been formalized and prototyped Xanadu applied to several examples

Dependent Types for Distributed Components13 Synergy of Collaboration Paul: Use transient properties to reason about progress in distributed systems Use locally-checkable component properties to establish global system properties Hongwei: Design a dependent type system to capture termination properties Implement a type-checker to verify captured termination properties

Dependent Types for Distributed Components14 Future Goals Research topics Certification of mobile code for distributed systems Build high confidence systems External Funding NSF (OS/Compiler & SE/Language) DARPA (high-confidence computing)

Dependent Types for Distributed Components15 Summary of Proposed Work Extend dependent types to capture termination Characterize certificates that can be supported by dependent types Key qualities: modular holistic high-confidence, not proof

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.