hands on a grand challenge in computing proving a
play

Hands on a Grand Challenge in Computing: Proving a Journaled File - PowerPoint PPT Presentation

Oct 07, 2022 •359 likes •1.1k views

Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010 Context

  1. Hands on a Grand Challenge in Computing: Proving a Journaled File System Correct J.N. Oliveira High Assurance Software Lab and Dept. Inform´ atica Universidade do Minho Braga, Portugal INFORUM 2010 Braga, Portugal, September 2010

  2. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Opening questions • Are we doing computer science research in the right way? • Are we using the right notation, language? • Does more technology mean better science? • “Is computer science science?” (Denning, 2005)

  3. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Science? Pre-science? In an excellent book on the history of scientific technology, “How Science Was Born in 300BC and Why It Had to Be Reborn” (Springer, 2003), Lucio Russo writes: The immense usefulness of exact science consists in providing models of the real world within which there is a guaranteed method for telling false statements from true. (...) Such models, of course, allow one to describe and predict natural phenomena, by translating them to the theoretical level via correspondence rules , then solving the “ exercises ” thus obtained and translating the solutions obtained back to the real world. Disciplines unable to build themselves around “exercises” are regarded as pre-scientific .

  4. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Scientific engineering ( e = m + c ) Also from Russo’s book : Vertical lines mean abstraction , horizontal ones mean calculation : engineering = model first, then calculate ( e = m + c )

  5. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Theory? Practice? Donald Knuth: My experience has been that theories are often more structured and interesting when they are based on real problems ; somehow they are more exciting than completely abstract theories will ever be. (Quoted from The Dangers of Computer-science Theory . Standford University, 1971) This kind of position explains the Grand Challenges in Computing initiative.

  6. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Grand Challenge Initiative • Healthy trend in formal methods (FM) research driven by the idea of a Grand Challenge (GC). • Triggered by eminent computer scientists T. Hoare & J. Misra. • VSTTE conference ( “Verified Software: Theories, Tools, Experiments” ) created as response to the challenge. • VSTTE’05: Hoare proposes that time to start long term international cooperation research projects has arrived. • Outcome to be gathered in a Verified Software Repository (VSR). • No funding.

  7. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Verified Software Repository Mondex — A verified electronic purse hosted on a smart card. Players : Bremen (OCL); Escher Technologies (PerfectDeveloper); MIT (Alloy); Macao/DTU (Raise); Newcastle (p-Calculus); Southampton (Event-B); York (Z). Pacemaker — based on a previous generation pacemaker specification released by Boston Scientific (BSC). Aims at production of verified pacemaker software, designed to run on specified PIC hardware. Players (thus far): Aharus (VDM++); BSC (BLESS); UFRGN (Z, PerfectDeveloper). UPEN (Uppaal, ADL).

  8. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Verified Software Repository Verified File System (VFS) — Verified subset of POSIX suitable for flash-memory hardware with strict fault-tolerant requirements to be used by forthcoming NASA’s JPL missions. Players (thus far): Augsburg (KIV); MIT (Alloy); Minho (Alloy etc); Southampton (Event-B); York (Z/Eves).

  9. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References VFS @ Minho � Flash File System First effort was concerned with verifying Intel R Core Reference Guide (API): (Permission to reproduce this excerpt kindly granted by Intel Corporation.)

  10. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References VFS @ Minho Formal model unveiled some ambiguities in the documentation, eg. • Can the root directory be removed? Surprised to see the POSIX System Interface Standard (2004) itself vague in this respect: The rmdir() function shall remove a directory whose name is given by path. The directory shall be removed only if it is an empty directory. If the directory is the root directory or the current working directory of any process, it is unspecified whether the function succeeds, or whether it shall fail and set errno to [EBUSY]. Publications: see (Oliveira, 2009), (Ferreira and Oliveira, 2009)

  11. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References VFS @ Minho (recent) GCI still suffering from lack of comparative work: • We’ve chosen the KIV Augsburg model (Schierl et al., 2009) to compare our work with. • Alloy emulation of Augsburg model — subject of a Master thesis by Fernandes (2010) available soon. • Going abstract: high-level model in Alloy of the most interesting part of KIV model, which has to do with the journaling , wear leveling and power loss recovery mechanisms. • Formal design and calculational approach (as explained later in this talk)

  12. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References VFS @ Augsburg (KIV) • Standard: They adhere to UBIFS (Unsorted Block Image File System) — a journaled file system developed by Nokia + Univ. Szeged that works on top of UBI (a wear-leveling and volume management system for flash devices). • Tool: Karlsruhe Interactive Verifier (KIV) — a tactical theorem prover developed at the Univ. of Karlsruhe. Main source: a nice paper A. Schierl, G. Schellhorn, D. Haneberg, W. Reif Abstract specification of the UBIFS file system for flash memory. LNCS volume 5850, pages 190–206. Springer, 2009. supported by a very detailed website: www.informatik.uni-augsburg.de/swt/projects/flash.html

  13. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Our (first) approach Verification life-cycle made of several steps: • Build and animate the file system model (VDM++) • Automatic generation of verification proof obligations (PO) • PO model-checking step (Alloy) • PO discharge step (HOL) (Diagram next slide.)

  14. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Our (first) approach

  15. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References What we have learnt Mea culpa: • Too technological • Too many tools • Tool interoperability at target in the GCI but hard to accomplish in practice • Even if successful technology-wise: “push-button proofs (alone) considered harmful” • Lack of proof awareness — proofs with too many (often hundreds, thousands) of steps. Questions: • How to reduce such complex models and proofs to something small (readable) and elegant ?

  16. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Abstract modeling There is a clear need for: • Abstraction • Notations in which you write less to say more • Calculi to perform (readable) proofs as in high-school algebra. My current answer to such needs is the Relation algebra (RA) which underlies the Algebra of Programming (Bird and de Moor, 1997). Why?

  17. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Abstract modeling There is a clear need for: • Abstraction • Notations in which you write less to say more • Calculi to perform (readable) proofs as in high-school algebra. My current answer to such needs is the Relation algebra (RA) which underlies the Algebra of Programming (Bird and de Moor, 1997). Why?

  18. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Why Relation Algebra (RA) • Abstract models capture nothing but the essence of given problems expressed in terms of relationships among objects of interest. • So, relational models are natural and stem from natural language itself, cf. sentences such as eg. John loves Mary of the same shape as mathematical relationship 0 ≤ 1 (“0 is at most 1”), and so on. (Note the infix notation.)

  19. Context VFS Going abstract RA Diagrams FLASH Alloy What next FAQs References References Why Relation Algebra (RA) • The algebra of binary relations replaces logic deduction by inequational reasoning. • Such calculations are pointfree , saving ink by dropping variables, quantifiers, variable substitution etc. • Such was the motivation of mathematicians like Alfred Tarski (1901-83) who had a life-long struggle with quantified notation (too complex for his needs).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ultimately our vision is about GRAND CHALLENGE using science to make a difference in the world.

Ultimately our vision is about GRAND CHALLENGE using science to make a difference in the world.

GRAND CHALLENGE GRAND CHALLENGE Ultimately our vision is about GRAND CHALLENGE using science to make a difference in the world. GRAND CHALLENGE GRAND CHALLENGE GRAND CHALLENGE Our Driving forces: ENTREPRENEURSHIP INNOVATION

515 views • 37 slides
Grand Challenge Project (http://www-rnc.lbl.gov/GC/) D. Olson RHIC Off-line Computing Review 30

Grand Challenge Project (http://www-rnc.lbl.gov/GC/) D. Olson RHIC Off-line Computing Review 30

Grand Challenge Project (http://www-rnc.lbl.gov/GC/) D. Olson RHIC Off-line Computing Review 30 July 1997 Outline People Goals The Problem Approach Near Term Issues Schedule 30 July 1997 Grand Challenge, D. Olson 2 1

284 views • 11 slides
Declare victory and move on. Why a Grand Challenge? We choose to go to the moon. We choose

Declare victory and move on. Why a Grand Challenge? We choose to go to the moon. We choose

Public Health for the Internet Toward a New Grand Challenge for Data Management Joseph M. Hellerstein, UC Berkeley Tyson Condie, Minos Garofalakis, Boon Thau Loo, Petros Maniatis, Timothy Roscoe, Nina A. Taft Our Last Grand Challenge

339 views • 17 slides
No challenge, decade outlook. Industrys evolutionary path Que sera sera Grand Goodness

No challenge, decade outlook. Industrys evolutionary path Que sera sera Grand Goodness

No challenge, decade outlook. Industrys evolutionary path Que sera sera Grand Goodness Challengeland Base Case Death and Doldrums 2000 Time 2012 Computing Research Association Grand Challenges Gordon Bell Microsoft Research 26

774 views • 12 slides
HECs Grand Challenge Fund 2020 HISTORY, APPROACH, THEMATIC AREAS, AND SOME POINTERS JAN 29,

HECs Grand Challenge Fund 2020 HISTORY, APPROACH, THEMATIC AREAS, AND SOME POINTERS JAN 29,

HECs Grand Challenge Fund 2020 HISTORY, APPROACH, THEMATIC AREAS, AND SOME POINTERS JAN 29, 2020 DR. ATHAR OSAMA, PROGRAMME CHAIR, GRAND CHALLENGE FUND HIGHER EDUCATION COMMISSION Presentation Outline Grand Challenges: Definitions and

216 views • 21 slides
Wave of Grand Challenge Initiatives Grand Challenges in Computer Science and Engineering

Wave of Grand Challenge Initiatives Grand Challenges in Computer Science and Engineering

Computational Trust SFM11 Bertinoro June 2011 Mogens Nielsen University of Aarhus DK AARHUS S UNIVERSI SITET 1 Aarhus Gr Aa Gradua uate Sc School of Sc Scie ience Mogens Nie iels lsen Plan of talk 1) The grand challenge of

794 views • 38 slides
The IMO Grand Challenge Daniel Selsam Microsoft Research September 16th, 2020 Outline The

The IMO Grand Challenge Daniel Selsam Microsoft Research September 16th, 2020 Outline The

The IMO Grand Challenge Daniel Selsam Microsoft Research September 16th, 2020 Outline The Great Myth 1 The Grand Challenge 2 High-Level Strategy 3 Preliminary Roadmap 4 The Search Transformer The Universal Oracle Beyond the IMO 5 2

2.24k views • 177 slides
First Grand-Challenge and Workshop on Human Multimodal Language (Challenge-HML) Organizers: Amir

First Grand-Challenge and Workshop on Human Multimodal Language (Challenge-HML) Organizers: Amir

First Grand-Challenge and Workshop on Human Multimodal Language (Challenge-HML) Organizers: Amir Louis-Philippe Paul Pu Soujanya Erik Stefan Zhun Zadeh Morency Liang Poria Cambria Scherer Liu Continuous Theories of (Multimodal)

520 views • 12 slides
Integrating Science, Engineering & Liberal Arts through the Grand Challenge Scholars Program

Integrating Science, Engineering & Liberal Arts through the Grand Challenge Scholars Program

Integrating Science, Engineering & Liberal Arts through the Grand Challenge Scholars Program Fall of 2015 Teagle Grant Awarded to WPI and three other AITU Schools Summer of 2017 The Grand Challenge Scholars program was approved. January

528 views • 13 slides
The Automated Exploitation Grand Challenge A Five-Year Retrospective Julien Vanegue IEEE

The Automated Exploitation Grand Challenge A Five-Year Retrospective Julien Vanegue IEEE

The Automated Exploitation Grand Challenge A Five-Year Retrospective Julien Vanegue IEEE Security & Privacy Langsec Workshop May 25th 2018 AEGC 2013/2018 vs DARPA Cyber Grand Challenge Was Automated Exploit Generation solved with DARPA

370 views • 21 slides
Grand Large Grand Large INRIA High Performance Computing on P2P Platforms: Recent

Grand Large Grand Large INRIA High Performance Computing on P2P Platforms: Recent

Grand Large Grand Large INRIA High Performance Computing on P2P Platforms: Recent Innovations Franck Cappello CNRS Head Cluster et GRID group INRIA Grand-Large LRI, Universit Paris sud. fci@lri.fr www.lri.fr/~fci May 20,

768 views • 50 slides
Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative thinking Encourage thinking beyond the incremental Some important problems require multiple approaches over long periods of time Big

677 views • 52 slides
Computers Change the World Computing is Changing the World Activity 1.1.1 Computing Is Changing

Computers Change the World Computing is Changing the World Activity 1.1.1 Computing Is Changing

Computers Change the World Computing is Changing the World Activity 1.1.1 Computing Is Changing the World Students pick a grand challenge and consider how mobile computing, the Internet, Big Data, and simulation are contributing to solving

347 views • 22 slides
Grand Challenge #1 Grand Challenge #1 David Applegate U.S. Geological Survey applegate@usgs.gov

Grand Challenge #1 Grand Challenge #1 David Applegate U.S. Geological Survey applegate@usgs.gov

Grand Challenge #1 Grand Challenge #1 David Applegate U.S. Geological Survey applegate@usgs.gov U.S. Department of the Interior U.S. Department of the Interior U.S. Geological Survey U.S. Geological Survey The Grand Challenges for Disaster

438 views • 16 slides
POSIX mini-challenge Leo Freitas and Jim Woodcock University of York December 2006 @ TC Dublin

POSIX mini-challenge Leo Freitas and Jim Woodcock University of York December 2006 @ TC Dublin

POSIX mini-challenge 01 POSIX mini-challenge Leo Freitas and Jim Woodcock University of York December 2006 @ TC Dublin POSIX mini-challenge 02 A grand challenge Tony Hoare automatically verified software: a grand scientific challenge

415 views • 18 slides
Workshop on Grand Challenge Competition Workshop on Grand Challenge Competition t to Predict In

Workshop on Grand Challenge Competition Workshop on Grand Challenge Competition t to Predict In

Workshop on Grand Challenge Competition Workshop on Grand Challenge Competition t to Predict In Vivo Knee Loads to Predict In Vivo Knee Loads t P P di t I di t I Vi Vi K K L L d d B.J. Fregly 1 , Darryl D. DLima , Darryl D.

1.93k views • 135 slides
Objectives To introduce the concept of safety-critical software To describe the

Objectives To introduce the concept of safety-critical software To describe the

Chapter 21 Chapter 21 Safety-Critical Software Learning Objective . Developing software which should never compromise the overall safety of a system. Frederick T Sheldon Assistant Professor of Computer Science Washington State University CS

327 views • 15 slides
Synchronization of a standing wave thermoacoustic prime-mover by an external sound source. G.

Synchronization of a standing wave thermoacoustic prime-mover by an external sound source. G.

Synchronization of a standing wave thermoacoustic prime-mover by an external sound source. G. Penelet (a) , T. Biwa (b) (a) Laboratoire d'Acoustique de l'Universit du Maine, UMR CNRS 6613, avenue Olivier Messiaen, 72085 Le Mans cedex 9, France

342 views • 20 slides
Networks of Centres of Excellence NCE Program (http://www.nce-rce.gc.ca/) Federal research

Networks of Centres of Excellence NCE Program (http://www.nce-rce.gc.ca/) Federal research

Networks of Centres of Excellence NCE Program (http://www.nce-rce.gc.ca/) Federal research funding program Partnership between Canadas three funding agencies, Health Canada and Industry Canada Mission To mobilize Canadas

804 views • 46 slides
Synchronization in Ensembles of Oscillators: Theory of Collective Dynamics A. Pikovsky Institut

Synchronization in Ensembles of Oscillators: Theory of Collective Dynamics A. Pikovsky Institut

Synchronization in Ensembles of Oscillators: Theory of Collective Dynamics A. Pikovsky Institut for Physics and Astronomy, University of Potsdam, Germany Florence, May 15, 2014 1 / 62 Content Synchronization in ensembles of coupled

1.21k views • 62 slides
Control of synchronization in complex oscillator networks via time-delayed feedback Viktor Novi

Control of synchronization in complex oscillator networks via time-delayed feedback Viktor Novi

Control of synchronization in complex oscillator networks via time-delayed feedback Viktor Novi enko 2017 Szeged, Hungary Motivation The synchronous behavior can be desirable or harmful. Power grids Parkinsons disease, essential

275 views • 9 slides
StormCrawler Low Latency Web Crawling on Apache Storm Julien Nioche julien@digitalpebble.com

StormCrawler Low Latency Web Crawling on Apache Storm Julien Nioche julien@digitalpebble.com

StormCrawler Low Latency Web Crawling on Apache Storm Julien Nioche julien@digitalpebble.com @digitalpebble @stormcrawlerapi 1 About myself DigitalPebble Ltd , Bristol (UK) Text Engineering Web Crawling Natural Language

527 views • 49 slides
0 + 2

0 + 2

( A )

355 views • 12 slides
Composites in Canada Andrew Johnston Group Leader, Composites and Novel Airframe Materials

Composites in Canada Andrew Johnston Group Leader, Composites and Novel Airframe Materials

Composites in Canada Andrew Johnston Group Leader, Composites and Novel Airframe Materials National Research Council Canada Institute for Aerospace Research Ottawa, Ontario Presentation Outline Some Canadian innovations in history

799 views • 60 slides

More recommend