IFIP Working Group 2.2 Meeting
14 - 17 May 2001, Rennes, France.

Abstracts of the talks

Manfred Broy
The essence of Messega Sequence Charts

Egon Boerger
Java and the Java Virtual Machine: Verifying and validating bytecode verification and execution

Concise abstract (ASM) code is provided for interpreting Java programs and for a fast Java Virtual Machine (JVM) which serves as platform for a general compilation scheme of Java programs to JVM code. These definitions allow us to prove that any compiler that satisfies some natural conditions compiles legal Java code correctly. As a by-product we provide a challenging realistic case study for mechanical verification of a compiler correctness proof.

The modularity of the ASM definitions for Java, the JVM and the compilation scheme exhibit orthogonal language, machine and compiler components, which fit together and provide the basis for a stepwise and provably correct design--for--reuse. The above definition for the JVM is extended to a defensive JVM which can be used as Java independent platform for safely executing byte code. Separating the checking mechanism from the execution we obtain a model for the bytecode verifier which can be proved to be correct and complete. By extending the compiler to a certifying compiler we can prove our compiler to generate code which successfully passes the bytecode verifier. As last step this bytecode verifier is integrated into a loading machine which together with the executing ASM provides a full JVM model.

The construction makes use of new composition techniques for building complex ASMs. These abstract machines for Java, the JVM and the compiler have also been refined to executable machines, which have been validated through experimentation with ASMGofer (available at http://www.uni-ulm.de/~s_jschmi/AsmGofer).

A full documentation is in the book R. Staerk, J. Schmid, E. Boerger: Java and the Java Virtual Machine: Definition, Verification, Validation. Springer-Verlag (2001), see http://www.inf.ethz.ch/~jbook

Anders Ravn
Developing Embedded Systems - where are Foundations needed?

Catuscia Palamidessi (joint work with Mihaela Herescu)
On the generalized dining philosophers problem.

The problem of the dining philosophers, proposed by Dijkstra, is a very popular example of control problem in distributed systems. In the classic formulation the philosophers sit at a round table and there is a fork between any two philophers. In order to eat, each philosopher needs both his adjacent forks. The aim is to make sure that if there are hungry philosophers then some of them will eventually eat (deadlock freedom), or, more ambitiously, that every hungry philosopher will eventually eat (lockout freedom).

In the early 80's, Lehman and Rabin showed that there exist no deterministic, symmetric and fully distributed solution to the problem of the dining philosophers, and they proposed two randomized solutions: one which guarrantees deadlock freedom with probability 1 and another one which guarrantees lockout freedom with probability 1.

In this talk, we consider a generalization of the dining philosophers problem where the number of philosophers can exceed the number of forks (although each philosopher can still only access two forks), and we study whether the randomized algorithms of Lehman and Rabin still work in this situation. We show that the answer is "No": in most cases, a malicious scheduler can induce a deadlock. We then show a randomized solution, still fully distributed and symmetric, which works for any number of philosophers and any kind of connection graph, and guarrantees lockout freedom with probability 1.

Marcelo Fiore
On model checking security properties of cryptographic protocols

Stephan Merz
Temporal logic with(out) limits

We consider an extension of standard first-order temporal logic of linear time by assertions about the "limits" and "histories" of sequence-valued state variables. For example, the specification of a FIFO queue can in such a language be written as
[](hist out \prefix hist in) /\ (lim out = lim in)
where 'in' and 'out' are the variables representing the queue's input and output channels. (A standard result due to Sistla et al states that it is impossible to specify a FIFO queue in LTL without additional assumptions.) More precisely, we extend LTL formulas by predicates of the form
hist c \prefix hist d and lim c \prefix lim d
We show that the formulas of the extended language can be expressed in LTL augmented by history variables. We also consider the model checking problem for the extended logic over transition systems with finite control, but unbounded output channels over finite alphabet. Although that problem is undecidable in general, the problem of deciding
T |= lim c \prefix lim d
is decidable. This result could have applications in the verification of communication protocols and other systems involving buffered communication.

Wjciech Penczek
Bounded model checking for the universal subset of TCTL

Dina Goldin (based on work with Scott Smolka)
Modeling interactive computation: Turing machines or labeled transition systems?

Interactive computation, such as that of components, reactive systems, or embedded devices, has several characteristics that distinguish it from the ``algorithmic'' computation captured by the Church-Turing thesis: (a) inputs/outputs are consumed/produced during the computation, rather than before/after it; (b) input values are generated dynamically by the environment, and can depend on earlier outputs; (c) output values are generated dynamically by the computing device, and can depend on earlier inputs (``history dependence''); (d) computation is not assumed to terminate; (e) the environment is not assumed to be computable.

We present Persistent Turing Machines (PTMs), whose computation is a stream-based and persistent extension of Turing machine (TM) computation. A PTM repeatedly receives an input token from the environment, computes for a while, and then outputs the result; moreover, its work tape is persistent, so it ``remembers'' its previous contents upon commencing a new computation. We show that the class of PTMs is isomorphic to interactive transition systems, a very general class of effective LTSs. As a result, PTMs admit a much richer variety of equivalence relations than do TMs; bisimulation, and persistent stream language (PSL) equivalence are examples.

We also consider amnesic PTMs, where each new computation begins with a blank work tape, and a corresponding notion of equivalence based on amnesic stream languages (ASLs). It can be argued that amnesic stream languages are representative of the classical view of Turing-machine computation. We show that the class of ASLs is strictly contained in the class of PSLs. Furthermore, the hierarchy of PTM equivalence relations collapses for the subclass of amnesic PTMs. One may consequently conclude that, in a stream-based setting, the extension of the Turing-machine model with persistence is a nontrivial one. It results in a natural model of sequential interactive computation, offering a bridge between TM-based computational models and those based on LTSs, and providing a formal foundation for reasoning about interactive computation.

Davide Sangiorgi
Extensionality and intensionality in the Ambient Logic

Igor Walukiewicz
First-order logic on traces

Michel Bidoit
Abstract interpretation: an algebraic approach

Peter Mosses
A New Version of Action Semantics

Frank de Boer
Proof-Outlines for Threads in Java

In this talk I discussed the main ideas underlying my paper presented at CONCUR 2000 which introduces an assertional method for specifying and proving properties of the multi-threaded flow of control in Java. The method integrates in a modular manner reasoning about the shared-variable concurrency within one object and the communication of values between threads.

Markus Mueller-Olm
Limits of optimal parallel flow analysis

abstract (postscript)

WG 2.2 (darondeau@irisa.fr)