Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Summary and Main Contributions
Related Work
References
All Topics
Computer Science
Theoretical Computer Science

Layered and object-based game semantics

Profile image of Paul-André MellièsPaul-André Melliès

Proceedings of the ACM on Programming Languages

https://doi.org/10.1145/3498703
visibility

description

32 pages

link

1 file

Abstract

Large-scale software verification relies critically on the use of compositional languages, semantic models, specifications, and verification techniques. Recent work on certified abstraction layers synthesizes game semantics, the refinement calculus, and algebraic effects to enable the composition of heterogeneous components into larger certified systems. However, in existing models of certified abstraction layers, compositionality is restricted by the lack of encapsulation of state. In this paper, we present a novel game model for certified abstraction layers where the semantics of layer interfaces and implementations are defined solely based on their observable behaviors. Our key idea is to leverage Reddy's pioneer work on modeling the semantics of imperative languages not as functions on global states but as objects with their observable behaviors. We show that a layer interface can be modeled as an object type (i.e., a layer signature) plus an object strategy. A layer impleme...

Related papers

Computing Specification-Sensitive Abstractions for Program Verification
Shmuel Tyszberowicz

Lecture Notes in Computer Science, 2016

To enable scalability and address the needs of real-world software, deductive verification relies on modularization of the target program and decomposition of its requirement specification. In this paper, we present an approach that, given a Java program and a partial requirement specification written using the Java Modeling Language, constructs a semantic slice. In the slice, the parts of the program irrelevant w.r.t. the partial requirements are replaced by an abstraction. The core idea of our approach is to use bounded program verification techniques to guide the construction of these slices. Our approach not only lessens the burden of writing auxiliary specifications (such as loop invariants) but also reduces the number of proof steps needed for verification.

View PDFchevron_right
Object-oriented refinement and proof using behaviour functions.
Tony Clark

2000

This paper proposes a new calculus for expressing the behaviour of object-oriented systems. The semantics of the calculus is given in terms of operators from computational category theory. The calculus aims to span the gulf between abstract specification and concrete implementation of object-oriented systems using mathematically verifiable properties and transformations. The calculus is compositional and can be used to express the behaviour of partial system views.

View PDFchevron_right
Game semantics for programming languages
Samson Abramsky

1997

Mathematical models of computation, from the-calculus to PRAM's, have played a key role in the development of software technology, from programming languages to the design and analysis of algorithms. The rst generation of models of computation (c. 1950 {1980) were functional in character; that is, they abstracted the behaviour of a program as the computation of a function.

View PDFchevron_right
Proof-Theoretic Semantics of Object-Oriented Specification Constructs
Tom Maibaum

A formal semantics for the kernel constructs of an object-oriented specification language is presented. The formal counterparts of objects as the basic building blocks of information systems are given by theory presentations in a logic that has been developed to support the required objectoriented specification mechanisms. Attributes (structure) and events (behaviour) are integrated in coherent logical units (focused on a logical rôle for signatures) around which the notion of locality (encapsulation) is formalised. Objects can be specified directly through formulae of the logic, describing the effects of the events on the attributes as well as the restrictions and requirements on their occurrence. Aggregation, inheritance and particularisation are formalised as specification constructs acting on a context (a diagram in the category of theory presentations) where previously built specifications are stored, thus allowing to assemble large specifications from existing ones. The derivation of safety and liveness properties from specifications using the inference rules of the logic, and the use of the structure of specifications to direct these proofs is also illustrated. In this way, we hope to contribute towards the necessary formalisation of object-oriented information systems design.

View PDFchevron_right
Algorithmic game semantics
Samson Abramsky

2002

Game Semantics has emerged as a powerful paradigm for giving semantics to a variety of programming languages and logical systems. It has been used to construct the first syntax-independent fully abstract models for a spectrum of programming languages ranging from purely functional languages to languages with non-functional features such as control operators and locally-scoped references [4, 21, 5, 19, 2, 22, 17, 11].

View PDFchevron_right
Certified concurrent abstraction layers
Ronghui Gu

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

Concurrent abstraction layers are ubiquitous in modern computer systems because of the pervasiveness of multithreaded programming and multicore hardware. Abstraction layers are used to hide the implementation details (e.g., finegrained synchronization) and reduce the complex dependencies among components at different levels of abstraction. Despite their obvious importance, concurrent abstraction layers have not been treated formally. This severely limits the applicability of layer-based techniques and makes it difficult to scale verification across multiple concurrent layers. In this paper, we present CCALÐa fully mechanized programming toolkit developed under the CertiKOS projectÐ for specifying, composing, compiling, and linking certified concurrent abstraction layers. CCAL consists of three technical novelties: a new game-theoretical, strategy-based compositional semantic model for concurrency (and its associated program verifiers), a set of formal linking theorems for composing multithreaded and multicore concurrent layers, and a new CompCertX compiler that supports certified thread-safe compilation and linking. The CCAL toolkit is implemented in Coq and supports layered concurrent programming in both C and assembly. It has been successfully applied to build a fully certified concurrent OS kernel with fine-grained locking.

View PDFchevron_right
Program abstractions for behaviour validation
Diego Garbervetsky

2011

Abstract Code artefacts that have non-trivial requirements with respect to the ordering in which their methods or procedures ought to be called are common and appear, for instance, in the form of API implementations and objects. This work addresses the problem of validating if API implementations provide their intended behaviour when descriptions of this behaviour are informal, partial or non-existent. The proposed approach addresses this problem by generating abstract behaviour models which resemble typestates.

View PDFchevron_right
Towards Heterogeneous Formal Specification
Pascale Le Gall

1996

We believe that big software systems could be more easily formally specified if several specification approaches were allowed within a single system specification. We propose a notion of heterogeneous framework where the specifier can choose a dedicated specification framework for each specification module. We show how the resulting heterogeneous modular specifications can get semantics, and how modular proofs can still be performed on these specifications. Our contribution is mainly focussed on a sort of interoperability between heterogeneous specification modules and we retrieve, as much as possible, classical notions of “meta-formalisms,” modularity for structured specifications, or inference systems, as they are well known in the algebraic specification community. With this respect, our work can be regarded as an attempt to unify frameworks, by accepting and formalizing heterogeneity.

View PDFchevron_right
A proof system for invariants in layered OO designs
Ruurd Kuiper

Int J Sci Educ, 2008

Although invariants have a long history, their meaning in OO designs is still under discussion. OO designs often include functionality that is used by different otherwise unrelated objects (shared functionality). We identify a problem with current interpretations of invariants in such designs. OO designs are often layered, where a layer uses functionality of a lower layer (in particular, shared functionality) but has little or no involvement with higher layers. As a result, higher layers can rely on lower layer invariants and lower layers do not rely on higher layer invariants. This is not reflected by current interpretations of invariants. We propose to make layers explicit in specifications and introduce a new interpretation of invariants that exploits these layers. Furthermore, we present a sound, modular verification technique that ensures the new interpretation is satisfied. distinguished (see above). Case 2.1: k = j. Then either X is consistent in Σ[i], or X is allocated but not consistent in any execution state in Σ[j..i]. That concludes the proof of this case. Case 2.2: Σ[k..i − 1] is a method execution and k > j. Two cases can be distinguished. Case 2.2.1: X is not allocated in Σ[k − 1]. Then X is newly allocated in Σ[k]. Then Σ[k] is a prestate in which X is constructing, and in which control is in class type(X) (language property). Then X is consistent for [type(X), Object] in poststate Σ[i−1] (Σ satisfies upward local consistency). Then X is consistent in Σ[i − 1]. As this contradicts that X is not consistent in any execution state in Σ[j..i], this case is not feasible. Case 2.2.2: X is allocated in Σ[k − 1]. Note that callstack(Σ, k − 1) = callstack(Σ, i) (lemma A.4). Furthermore, (k − 1) − j ≤ n + 1 (as j > k < i). Then the the following cases can be distinguished (as IH((k − 1) − j) holds by assumption). Case 2.2.2.1: X is consistent in Σ[k − 1]. Then X is consistent in Σ[k − 1], but not in Σ[k]. Then Σ[k − 1] and Σ[k] differ on an object Y and either X = Y , or X owns Y (all invariants in P are ownership based). Then control is with Y in Σ[k] (Σ satisfies classical encapsulation). Then Y is not allocated in Σ[k − 1] (due to a language property: a context switch does not change the object store. Therefore, Y must be newly created). Then X = Y (X is allocated in Σ[k − 1]). Then X owns Y. Let O be the direct owner of Y , i.e., owner(Σ[k]) = O. Then either X = O, or X owns O (as X owns Y). Then O = root. Then either owner(Σ[k − 1]) = O, or control is with O in Σ[k − 1] (Σ satisfies ownership encapsulation). Then control is with an object Z in Σ[k − 1] and either X = Z, or X owns Z. Then the same is true in Σ[i] (axiom A.1). That concludes the proof of this case. Case 2.2.2.2: X is allocated but not consistent in any execution state in Σ[j..k −1]. Then either X is consistent in Σ[i], or X is allocated but not consistent in any execution state in Σ[j..i]. That concludes the proof of this case. Case 2.2.2.3: Control is with an object Y in Σ[k − 1] and either X = Y , or X owns Y. Then the same is true in Σ[i] (due to axiom A.1). That concludes the proof of this case. Case 3: Control is with an object Y in Σ[i − 1] and either X = Y , or X owns Y. Two cases can be distinguished (see above). Case 3.1: k = j. Then control is with Y in Σ[i] (lemma A.2 and axiom A.1). That concludes the proof of this case. Case 3.2: Σ[k..i − 1] is a method execution and k > j. Two cases can be distinguished. Case 3.2.1: X = Y. Two cases can be distinguished. Case 3.2.1.1: X is not constructing in Σ[i − 1]. Then X is consistent in poststate Σ[i − 1] (Σ satisfies upward and downward local consistency). Then X is consistent in Σ[i] (a context switch does not change the object store). That concludes the proof of this case. Case 3.2.1.2: X is constructing in Σ[i − 1]. Then X is constructing in Σ[k]. Then two cases can be distinguished (language property: a constructor on X can only be executed as a result of a superclass constructor call, or an object creation statement). Case 3.2.1.2.1: X is constructing in Σ[k−1]. Then control is with X in Σ[k−1] (by definition). Note that callstack(Σ, k − 1) = callstack(Σ, i) (lemma A.4). Then control is with X in Σ[i] (axiom A.1). That concludes the proof of this case. Case 3.2.1.2.2: X is not allocated in Σ[k − 1]. Then control is in class type(X) in Σ[k] (language property). Then control is in type(X) in poststate Σ[i − 1] (axiom A.1). Then X is consistent for [type(X), Object] in Σ[i − 1] (Σ satisfies upward local consistency). Then X is consistent in Σ[i − 1]. Then X is consistent in Σ[i] (as a context switch does not change the object store). That concludes the proof of this case. Case 3.2.2: X owns Y. Recall that control is with Y in Σ[i − 1]. Then control is with Y in Σ[k] (axiom A.1). Let O be the direct owner of Y , i.e., owner(Σ[k]) = O. Then either X = O, or X owns O (as X owns Y). Then O = root. Then either owner(Σ[k − 1]) = O, or control is with O in Σ[k − 1] (Σ satisfies ownership encapsulation). Then control is with an object Z in Σ[k − 1] and either X = Z, or X owns Z. Then the same is true in Σ[i] (axiom A.1). That concludes the proof of this case. the LRII and LRII-c in each (sub)case). Case 2.2.1: X is consistent in Σ[i − 1]. Two cases can be distinguished. Case 2.2.1.1: X is consistent in Σ[i]. Case 2.2.1.2: X is not consistent in Σ[i]. Then Σ[i − 1] and Σ[i] differ on an object Y and either X = Y , or X owns Y (all invariants are ownership based). Then Y is not allocated in Σ[i − 1] (a context switch does not change the object store). Then X = Y (X is allocated in Σ[i − 1]). Then X owns Y in Σ[i]. Then l ≥ layer(Σ[i]) (lemma A.6), and owner(Σ[i]) does not own X (by definition). Case 2.2.2: X is allocated but not consistent in any execution state in Σ[j..i − 1], and control is not with X in Σ[i − 1]. Then X is non-constructing in Σ[i − 1]. Then X is non-constructing in Σ[j] (lemma A.2 and axiom A.1). As Σ[j] is a prestate (by definition of callstack), and as j < i, it follows from IH(n) that Σ[0..j] satisfies the LRII. Then either l > layer(Σ[j]), or owner(Σ[j]) does not own X and l = layer(Σ[j]) (X is non-constructing but not consistent in Σ[j]). Due to lemma A.2 and axiom A.1, layer(Σ[j]) = layer(Σ[i]) and owner(Σ[j]) = owner(Σ[i]). Then either l > layer(Σ[i]), or owner(Σ[i]) does not own X and l = layer(Σ[i]). Case 2.2.3: In Σ[i−1], X is not consistent and control is with X. Two cases can be distinguished. Case 2.2.3.1: Σ[i − 1] is a horizontal call state. Then Σ[i − 1] is not relevant (X is not consistent in Σ[i − 1] and Σ satisfies upward and downward local consistency). Then X is constructing in Σ[i] (by definition of 'relevant'). Case 2.2.3.2: Σ[i − 1] is not a horizontal call state. As Σ satisfies ownership encapsulation, three cases can be distinguished. Case 2.2.3.2.1: layer(Σ[i − 1]) ≥ layer(Σ[i]) and owner(Σ[i − 1]) = owner(Σ[i]). Then layer(Σ[i − 1]) > layer(Σ[i]) (Σ[i − 1] is not a horizontal call state). Then l > layer(Σ[i]) (control is with X in Σ[i − 1]). Case 2.2.3.2.2: layer(Σ[i − 1]) ≥ layer(Σ[i]) and control is with owner(Σ[i]) in Σ[i − 1]. Then X = owner(Σ[i − 1]). Then owner(Σ[i − 1]) does not own X (by definition). Case 2.2.3.2.3: layer(Σ[i − 1]) > layer(Σ[i]) and owner(Σ[i]) = root. Then l > layer(Σ[i]). Case 2.2.4: In Σ[i − 1], X is not consistent, and control is with an object Y , and X owns Y. Then l ≥ layer(Σ[i − 1]) (due to lemma A.6). As Σ satisfies ownership encapsulation, three cases can be distinguished. Case 2.2.4.1: layer(Σ[i − 1]) = layer(Σ[i]) and owner(Σ[i − 1]) = owner(Σ[i]). Then l ≥ layer(Σ[i]), and owner(Σ[i]) does not own X (by definition). Case 2.2.4.2: layer(Σ[i − 1]) ≥ layer(Σ[i]) and control is with owner(Σ[i]) in Σ[i − 1]. Then l ≥ layer(Σ[i]), and owner(Σ[i]) does not own X (by definition). Case 2.2.4.3: layer(Σ[i − 1]) > layer(Σ[i]) and owner(Σ[i]) = root. Then l > layer(Σ[i]. From the two cases above, it follows that if Σ[i] is a prestate, then either X is consistent in Σ[i], or in Σ[i], X is constructing, or in Σ[i], X is non-constructing and either l > layer(Σ[i]), or owner(Σ[i]) does not own X and l = layer(Σ[i]), From the two cases above, it follows that if X is non-constructing in Σ[i], then 1) if either l < layer(σ), or owner(σ) owns X and l = layer(σ), then X is consistent, and 2) if σ is a poststate and owner(σ) owns X and l > layer(σ), then X is at least as consistent in σ as in the prestate matching σ. Therefore, Σ[0..i] satisfies the LRII. It also follows that if Σ[i] is a poststate, then 1) if X is constructing and control is in class C, then X is consistent for [C, Object], and 2) if X is not allocated in top(callstack(Σ[i])), then X is consistent. As top(callstack(Σ[i])) is the prestate matching Σ[i] (proof is straightforward), Σ[0..i] satisfies the LRIIc. As Σ[0..i] contains n + 1 visible states, if j is such that Σ[0..j] contains n + 1 visible states, then Σ[0..j] satisfies the LRII and the LRII-c. Then IH(n + 1) holds (as IH(n) holds by assumption). That concludes the proof of the step case of the induction proof.

View PDFchevron_right
Specification, abstraction and verification in a concurrent object-oriented language
Ulrike Lechner

1996

We use Maude as our speci cation language and the modal -calculus as our logic. We apply to speci cations in Maude a framework of abstraction and veri cation based on property-preserving mappings between transition systems. Firstly, we demonstrate how to employ abstraction in veri cation of object-oriented speci cations of distributed systems. Secondly, we use this framework to nd classes of properties preserved by Maude's inheritance relation.

View PDFchevron_right

References (51)

  1. 2015-2021. DeepSpec: The Science of Deep Specifications. https://deepspec.org/.
  2. Samson Abramsky, Radha Jagadeesan, and Pasquale Malacaria. 2000. Full Abstraction for PCF. Inf. Comput. 163, 2 (2000), 409ś470. https://doi.org/10.1006/inco.2000.2930
  3. Samson Abramsky and Guy McCusker. 1997. Linearity, Sharing and State: A Fully Abstract Game Semantics for Idealized Algol with Active Expressions. Birkhäuser Boston, Boston, MA, 297ś329. https://doi.org/10.1007/978-1-4757-3851-3_10
  4. Samson Abramsky and Guy McCusker. 1999. Game Semantics. In Computational Logic, Ulrich Berger and Helmut Schwicht- enberg (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 1ś55.
  5. Andrew W. Appel. 2011. Verified Software Toolchain. In Proceedings of the 20th European Symposium on Programming (ESOP 2011). Springer, Berlin, Heidelberg, 1ś17. https://doi.org/10.1007/978-3-642-19718-5_1
  6. Andrew W Appel, Lennart Beringer, Adam Chlipala, Benjamin C Pierce, Zhong Shao, Stephanie Weirich, and Steve Zdancewic. 2017. Position Paper: The Science of Deep Specification. Phil. Trans. R. Soc. A 375, 2104 (2017), 20160331. https://doi.org/10.1098/rsta.2016.0331
  7. Ralph-Johan Back and Joakim von Wright. 1998. Refinement Calculus: A Systematic Introduction. Springer, New York. https://doi.org/10.1007/978-1-4612-1674-2
  8. Andreas Blass. 1992. A Game Semantics for Linear Logic. Ann. Pure Appl. Log. 56, 1ś3 (1992), 183ś220. https://doi.org/10. 1016/0168-0072(92)90073-9
  9. Stephen Brookes. 2006. A Grainless Semantics for Parallel Programs with Shared Mutable Data. Electronic Notes in Theoretical Computer Science 155 (2006), 277 ś 307. https://doi.org/10.1016/j.entcs.2005.11.060 Proceedings of the 21st Annual Conference on Mathematical Foundations of Programming Semantics (MFPS XXI).
  10. Stephen Brookes. 2007. A Semantics for Concurrent Separation Logic. Theoretical Computer Science 375, 1 (2007), 227 ś 270. https://doi.org/10.1016/j.tcs.2006.12.034 Festschrift for John C. Reynolds's 70th birthday.
  11. Ana C. Calderon and Guy McCusker. 2010. Understanding Game Semantics Through Coherence Spaces. Electron. Notes Theor. Comput. Sci. 265 (Sept. 2010), 231ś244. https://doi.org/10.1016/j.entcs.2010.08.014
  12. Andrea Cerone, Alexey Gotsman, and Hongseok Yang. 2014. Parameterised Linearisability. In Automata, Languages, and Programming, Javier Esparza, Pierre Fraigniaud, Thore Husfeldt, and Elias Koutsoupias (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 98ś109.
  13. Hao Chen, Xiongnan (Newman) Wu, Zhong Shao, Joshua Lockerman, and Ronghui Gu. 2016. Toward Compositional Verification of Interruptible OS Kernels and Device Drivers. In Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation (Santa Barbara, CA, USA) (PLDI '16). Association for Computing Machinery, New York, NY, USA, 431ś447. https://doi.org/10.1145/2908080.2908101
  14. Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans Kaashoek, and Nickolai Zeldovich. 2015. Using Crash Hoare Logic for Certifying the FSCQ File System. In Proceedings of the 25th Symposium on Operating Systems Principles (Monterey, California) (SOSP '15). Association for Computing Machinery, New York, NY, USA, 18ś37. https: //doi.org/10.1145/2815400.2815402
  15. Joonwon Choi, Muralidaran Vijayaraghavan, Benjamin Sherman, Adam Chlipala, and Arvind. 2017. Kami: A Platform for High-Level Parametric Hardware Specification and Its Modular Verification. Proc. ACM Program. Lang. 1, ICFP, Article 24 (Aug. 2017), 30 pages. https://doi.org/10.1145/3110268
  16. David Costanzo, Zhong Shao, and Ronghui Gu. 2016. End-to-End Verification of Information-Flow Security for C and Assembly Programs. SIGPLAN Not. 51, 6 (June 2016), 648ś664. https://doi.org/10.1145/2980983.2908100
  17. Ivana Filipović, Peter O'Hearn, Noam Rinetzky, and Hongseok Yang. 2009. Abstraction for Concurrent Objects. In Program- ming Languages and Systems, Giuseppe Castagna (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 252ś266.
  18. Dan R. Ghica and Andrzej S. Murawski. 2008. Angelic Semantics of Fine-Grained Concurrency. Annals of Pure and Applied Logic 151, 2 (2008), 89 ś 114. https://doi.org/10.1016/j.apal.2007.10.005
  19. Jean-Yves Girard. 1987. Linear logic. Theoretical Computer Science 50, 1 (1987), 1ś101. https://doi.org/10.1016/0304- 3975(87)90045-4
  20. Ronghui Gu, Jérémie Koenig, Tahina Ramananandro, Zhong Shao, Xiongnan (Newman) Wu, Shu-Chun Weng, Haozhong Zhang, and Yu Guo. 2015. Deep Specifications and Certified Abstraction Layers. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Mumbai, India) (POPL '15). Association for Computing Machinery, New York, NY, USA, 595ś608. https://doi.org/10.1145/2676726.2676975
  21. Ronghui Gu, Zhong Shao, Hao Chen, Jieung Kim, Jérémie Koenig, Xiongnan (Newman) Wu, Vilhelm Sjöberg, and David Costanzo. 2019. Building Certified Concurrent OS Kernels. Commun. ACM 62, 10 (Sept. 2019), 89ś99. https://doi.org/10. 1145/3356903
  22. Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation (Savannah, GA, USA) (OSDI'16). USENIX Association, USA, 653ś669.
  23. Ronghui Gu, Zhong Shao, Jieung Kim, Xiongnan (Newman) Wu, Jérémie Koenig, Vilhelm Sjöberg, Hao Chen, David Costanzo, and Tahina Ramananandro. 2018. Certified Concurrent Abstraction Layers. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (Philadelphia, PA, USA) (PLDI 2018). Association for Computing Machinery, New York, NY, USA, 646ś661. https://doi.org/10.1145/3192366.3192381
  24. Maurice P. Herlihy and Jeannette M. Wing. 1990. Linearizability: A Correctness Condition for Concurrent Objects. ACM Trans. Program. Lang. Syst. 12, 3 (July 1990), 463ś492. https://doi.org/10.1145/78969.78972
  25. J. M. E. Hyland and C.-H. L. Ong. 2000. On Full Abstraction for PCF: I, II, and III. Inf. Comput. 163, 2 (2000), 285ś408. https://doi.org/10.1006/inco.2000.2917
  26. A. Kock. 1972. Strong functors and monoidal monads. Archiv der Mathematik 23 (1972), 113ś120.
  27. Jérémie Koenig. 2021. Grounding Game Semantics in Categorical Algebra. In Proceedings of the Fourth International Conference on Applied Category Theory (ACT 2021), Kohei Kishida (Ed.). To appear.
  28. Jérémie Koenig and Zhong Shao. 2020. Refinement-Based Game Semantics for Certified Abstraction Layers. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (Saarbrücken, Germany) (LICS '20). Association for Computing Machinery, New York, NY, USA, 633ś647. https://doi.org/10.1145/3373718.3394799
  29. Jérémie Koenig and Zhong Shao. 2021. CompCertO: Compiling Certified Open C Components. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (Virtual, Canada) (PLDI 2021). Association for Computing Machinery, New York, NY, USA, 1095ś1109. https://doi.org/10.1145/3453483.3454097
  30. Xavier Leroy. 2009. Formal Verification of a Realistic Compiler. Commun. ACM 52, 7 (July 2009), 107ś115. https: //doi.org/10.1145/1538788.1538814
  31. Mengqi Liu, Lionel Rieg, Zhong Shao, Ronghui Gu, David Costanzo, Jung-Eun Kim, and Man-Ki Yoon. 2019. Virtual Timeline: A Formal Abstraction for Verifying Preemptive Schedulers with Temporal Isolation. Proc. ACM Program. Lang. 4, POPL, Article 20 (Dec. 2019), 31 pages. https://doi.org/10.1145/3371088
  32. Antoni W. Mazurkiewicz. 1995. Introduction to Trace Theory. In The Book of Traces, Volker Diekert and Grzegorz Rozenberg (Eds.). World Scientific, 3ś41. https://doi.org/10.1142/9789814261456_0001
  33. Paul-André Melliès and Léo Stefanesco. 2018. An Asynchronous Soundness Theorem for Concurrent Separation Logic. In Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science (Oxford, United Kingdom) (LICS '18). Association for Computing Machinery, New York, NY, USA, 699ś708. https://doi.org/10.1145/3209108.3209116
  34. Paul-André Melliès and Léo Stefanesco. 2020. Concurrent Separation Logic Meets Template Games. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (Saarbrücken, Germany) (LICS '20). Association for Computing Machinery, New York, NY, USA, 742ś755. https://doi.org/10.1145/3373718.3394762
  35. Paul-André Melliès and Noam Zeilberger. 2015. Functors Are Type Refinement Systems. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Mumbai, India) (POPL '15). Association for Computing Machinery, New York, NY, USA, 3ś16. https://doi.org/10.1145/2676726.2676970
  36. Paul-André Melliès. 2009. Categorical Semantics of Linear Logic. In Interactive Models of Computation and Program Behaviour, Panoramas et Synthèses 27. Société Mathématique de France, Paris, France, 1ś196.
  37. Andrzej S. Murawski and Nikos Tzevelekos. 2014. Game Semantics for Interface Middleweight Java. In Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (San Diego, California, USA) (POPL '14). Association for Computing Machinery, New York, NY, USA, 517ś528. https://doi.org/10.1145/2535838.2535880
  38. Andrzej S. Murawski and Nikos Tzevelekos. 2019. Higher-order Linearisability. Journal of Logical and Algebraic Methods in Programming 104 (2019), 86ś116. https://doi.org/10.1016/j.jlamp.2019.01.002
  39. Peter W. O'Hearn. 2004. Resources, Concurrency and Local Reasoning. In CONCUR 2004 -Concurrency Theory, Philippa Gardner and Nobuko Yoshida (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 49ś67.
  40. Peter W. O'Hearn and Uday S. Reddy. 1999. Objects, interference, and the Yoneda embedding. Theoretical Computer Science 228, 1 (1999), 253ś282. https://doi.org/10.1016/S0304-3975(98)00360-0
  41. Arthur Oliveira Vale, Paul-André Melliès, Zhong Shao, Jérémie Koenig, and Léo Stefanesco. 2021. Layered and Object-Based Game Semantics. Technical Report YALEU/DCS/TR-1559. Yale Univ. https://flint.cs.yale.edu/publications/layered.html Gordon Plotkin and John Power. 2001. Adequacy for Algebraic Effects. In Proceedings of the 4th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS 2001). Springer, Berlin, Heidelberg, 1ś24. https://doi.org/10.1007/3-540-45315-6_1
  42. Gordon Plotkin and Matija Pretnar. 2009. Handlers of Algebraic Effects. In Proceedings of the 18th European Symposium on Programming (ESOP 2009). Springer, Berlin, Heidelberg, 80ś94. https://doi.org/10.1007/978-3-642-00590-9_7
  43. U.S. Reddy. 1994. Passivity and independence. In Proceedings Ninth Annual IEEE Symposium on Logic in Computer Science. 342ś352. https://doi.org/10.1109/LICS.1994.316055
  44. Uday S. Reddy. 1993. A Linear Logic Model of State. Technical Report. Dept. of Computer Science, UIUC, Urbana, IL.
  45. Uday S. Reddy. 1996. Global State Considered Unnecessary: An Introduction to Object-Based Semantics. LISP Symb. Comput. 9, 1 (1996), 7ś76.
  46. Uday S. Reddy. 2002. Objects and Classes in Algol-like Languages. Inf. Comput. 172, 1 (Feb. 2002), 63ś97. https://doi.org/10. 1006/inco.2001.2927
  47. Uday S. Reddy. 2013. Automata-Theoretic Semantics of Idealized Algol with Passive Expressions. Electronic Notes in Theoretical Computer Science 298 (2013), 325ś348. https://doi.org/10.1016/j.entcs.2013.09.020 Proceedings of the Twenty- ninth Conference on the Mathematical Foundations of Programming Semantics, MFPS XXIX.
  48. Uday S. Reddy and Brian P. Dunphy. 2012. An Automata-Theoretic Model of Idealized Algol. In Automata, Languages, and Programming, Artur Czumaj, Kurt Mehlhorn, Andrew Pitts, and Roger Wattenhofer (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 337ś350.
  49. Christian Retoré. 1997. Pomset logic: A non-commutative extension of classical linear logic. In Typed Lambda Calculi and Applications, Philippe de Groote and J. Roger Hindley (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 300ś318.
  50. Jerome H. Saltzer and M. Frans Kaashoek. 2009. Principles of Computer System Design. Morgan Kaufmann. Zhong Shao. 2010. Certified Software. Commun. ACM 53, 12 (December 2010), 56ś66.
  51. Vilhelm Sjöberg, Yuyang Sang, Shu-chun Weng, and Zhong Shao. 2019. DeepSEA: A Language for Certified System Software. Proc. ACM Program. Lang. 3, OOPSLA, Article 136 (Oct. 2019), 27 pages. https://doi.org/10.1145/3360562

Related papers

Applying Game Semantics to Compositional Software Modeling and Verification
Dan Taca

2004

We describe a software model checking tool founded on game semantics, highlight the underpinning theoretical results and discuss several case studies. The tool is based on an interpretation algorithm defined compositionally on syntax and thus can also handle open programs. Moreover, the models it produces are equationally fully abstract. These features are essential in the modeling and verification of software components such as modules and turn out to lead to very compact models of programs.

View PDFchevron_right
Algorithmic game semantics and component-based verification
Samson Abramsky

2003

ABSTRACT We present a research programme dedicated to the application of Game Semantics to program analysis and verification. We highlight several recent theoretical results and describe a prototypical software modeling and verification tool. The distinctive novel features of the tool are its ability to handle open programs and the fact that the models it produces are observationally fully abstract. These features are essential in the modeling and verification of software components such as modules.

View PDFchevron_right
Compositional Predicate Abstraction from Game Semantics
Dan Taca

2009

We introduce a technique for using conventional predicate abstraction methods to reduce the state-space of models produced using game semantics. We focus on an expressive procedural language that has both local store and local control, a language which enjoys a simple game-semantic model yet is expressive enough to allow non-trivial examples. Our compositional approach allows the verification of incomplete programs (e.g. libraries) and offers the opportunity for new heuristics for improved efficiency. Game-semantic predicate abstraction can be embedded in an abstraction-refinement cycle in a standard way, resulting in an improved version of our experimental model-checking tool Mage, and we illustrate it with several toy examples.

View PDFchevron_right
10252 Executive Summary – Game Semantics and Program Verification
Paul-André Melliès

2010

The seminar took place from 20th until 25th June 2010. Its primary aim was to foster interaction between researchers working on modelling programs/proofs using games and the verification community. The meeting brought together 28 researchers from eight different countries, both junior and senior, for a systematic assessment of what the two areas have to offer to one another, critical evaluation of what has been achieved so far, with a view to establishing common research goals for the future.

View PDFchevron_right
A Compositional Proof System for Dynamic Object Systems
Johan Dovland, Olaf Owe

Current object-oriented approaches to distributed programs may be criticized in several respects. First, method calls are generally synchronous, which leads to much waiting in distributed and unstable net- works. Second, the common model of thread concurrency makes reasoning about program behavior very challenging. Object-oriented models based on concurrent objects communicating by asynchronous method calls, have been proposed to combine object orientation and distribution in a more satisfactory way. In this report, a high-level language and proof system are developed for such a model, emphasizing simplicity and modularity. In particular, the proof system is used to derive external specifications of observable beha- vior for objects, encapsulating their state. A simple and compositional proof system is paramount to allow verification of real programs. The proposed proof rules are derived from the Hoare rules of a standard se- quential language by a semantic encoding preserving sound...

View PDFchevron_right

Related topics

  • Computer Science
  • Theoretical Computer Science
  • Operational Semantics

    • Cited by

    Layered and object-based game semantics
    Paul-André Melliès

    Proceedings of the ACM on Programming Languages

    Large-scale software verification relies critically on the use of compositional languages, semantic models, specifications, and verification techniques. Recent work on certified abstraction layers synthesizes game semantics, the refinement calculus, and algebraic effects to enable the composition of heterogeneous components into larger certified systems. However, in existing models of certified abstraction layers, compositionality is restricted by the lack of encapsulation of state. In this paper, we present a novel game model for certified abstraction layers where the semantics of layer interfaces and implementations are defined solely based on their observable behaviors. Our key idea is to leverage Reddy&#39;s pioneer work on modeling the semantics of imperative languages not as functions on global states but as objects with their observable behaviors. We show that a layer interface can be modeled as an object type (i.e., a layer signature) plus an object strategy. A layer impleme...

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved