E. Pascal Gribomont scite author profile

2003

The control part of many concurrent and distributed programs reduces to a set Π = {p1, . . . , pn} of symmetric processes containing mainly assignments and tests on Boolean variables. However, the assignments, the guards and the program invariants can be Π-quantified, so the corresponding verification conditions also involve Π-quantifications. We propose a systematic procedure allowing the elimination of such quantifications for a large class of program invariants. At the core of this procedure is a variant of the Herbrand Theorem for many-sorted first-order logic with equality.

Concurrency without toil: a systematic method for parallel program design

Science of Computer Programming

1993

Stepwise refinement and concurrency: the finite-state case

Science of Computer Programming

1990

Automated verification of Szymanski's algorithm

Zenner

1998

Abstract. The algorithm for mutual exclusion proposed by B. Szymanski is an interesting challenge for verification methods and tools. Several full proofs have been described in the literature, but they seem to require lengthy interactive sessions with powerful theorem provers. As far as this algorithm makes use of only the most elementary facts of arithmetics, we conjectured that a simple, non-interactive proof should exist; this paper gives such a proof, describes its development and how an elementaxy tool has been used to complete the verification.

Preprocessing for invariant validation

1996

CAVEAT: technique and tool for computer aided verification and transformation

Rossetto

1995

We describe CAVEAT, a technique and a tool (under development) for the stepwise design and verification of nearly finite-state concurrent systems (NFCS). A concurrent system is nearly finite-state when most of its variables have a finite range (Booleans, bounded integers). The heart of CAVEAT is a tool for verifying invariants, i.e., inductive safety properties. The underlying method is classical : formula I is an invariant for system ,S if and only if some formula ~r =def {I}S{I} is valid. If ,S is an NFCS, the formula ~5i contains only a small set of non-boolean variables. CAVEAT uses the connection method to extract from ~I a (small) set ~ of paths (some kind of assertions) about the non-boolean variables; ~5i is valid if and only if all paths contain connections, i.e., are inconsistent. For typical NFCS given with a correct invariant, the formula ~I is rather large (more than 100 lines) but k~ is quite small (a dozen one-line formulas). The second part of CAVEAT (not implemented yet) supports an incremental development method that is fairly systematic, but has proved to be flexible enough in practice.

Development of concurrent programs: An example

1989

A b s t r a c t . Concurrent programming is usually considered as a difficult task. This conunon opinion is investigated, while developing an example of concurrent system.The conclusion is that the difficulty of programming does not lie in concurrency, provided that adequate formal tools are used. These tools mnst not be more difficult than those used in sequential programming. I n t r o d u c t i o n and related workThe formal tools to deal with concurrency are usually considered to be adequate; in fact, most of them have been derived from those used in sequential programming. Unfortunately, formal tools become most useful only when there are appropriate methodologies to deal with them.Such methodologies exist for sequential programming; for instance, Dijkstra's programming calculus [Dijkstra (1976), Gries (1981)] allows the systematic use of the concept of invariant to derive programs correct with respect to their specifications.Good methodologies are usually compositional, that is, the meaning of a structured object can be expressed as a function of the meanings of the components. The main problem in concurrency is that the meaning of the system (PIlQ) can be expressed as a function of the meanings of the processes P and Q only when the notion of the meaning of a process is defined in a rather complex way. As a consequence, a compositional, process-based semantics for concurrent systems is not trivial, and the same is true for the methodologies derived from those semantics [Hoare (1985)]. A solution can be to get rid of the notion of process itself, in order to keep both compositionality and simplicity. Such an approach has been recently proposed in [Chandy and Misra (1988)]. Nevertheless, the notion of process has still to be introduced at the end of the development procedure; furthermore, as the notion of process is intuitive, we would like to keep it.Despite of the lack of a simple methodology, many non-trivial concurrent systems have been designed and proved correct. Although the authors do not often describe the methodology they have used to obtain their results, a piece of method is often evoked: the "stepwise refinement".The idea is very simple: several systems are considered in sequence, the first ones being more abstract and easier to understand than the last ones, which are more oriented towards an 1Supported in part by the ESPRIT project ATES.

Simplification of boolean verification conditions

Theoretical Computer Science

2000