Results 1 - 5 of 5
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems
IronFleet: Proving Practical Distributed Systems Correct
Abstract

Cited by 2 (0 self)
Distributed systems are notorious for harboring subtle bugs. Verification can, in principle, eliminate these bugs a priori, but verification has historically been difficult to apply at full-program scale, much less distributed-system scale. We describe a methodology for building practical and provably correct distributed systems based on a unique blend of TLA-style state-machine refinement and Hoare-logic verification. We demonstrate the methodology on a complex implementation of a Paxos-based replicated state machine library and a lease-based sharded key-value store. We prove that each obeys a concise safety specification, as well as desirable liveness requirements. Each implementation achieves performance competitive with a reference system. With our methodology and lessons learned, we aim to raise the standard for distributed systems from "tested" to "correct."
ROSCoq: Robots powered by constructive reals.
ITP 2015
Abstract

Cited by 2 (0 self)
We present ROSCoq, a framework for developing certified Coq programs for robots. ROSCoq subsystems communicate using messages, as they do in the Robot Operating System (ROS). We extend the logic of events to enable holistic reasoning about the cyber-physical behavior of robotic systems. The behavior of the physical world (e.g. Newton's laws) and associated devices (e.g. sensors, actuators) are specified axiomatically. For reasoning about physics we use and extend CoRN's theory of constructive real analysis. Instead of floating points, our Coq programs use CoRN's exact, yet fast computations on reals, thus enabling accurate reasoning about such computations. As an application, we specify the behavior of an iRobot Create. Our specification captures many real world imperfections. We write a Coq program which receives requests to navigate to specific positions and computes appropriate commands for the robot. We prove correctness properties about this system. Using the ROSCoq shim, we ran the program on the robot and provide even experimental evidence of correctness.
Verdi: A Framework for Implementing and Formally Verifying Distributed Systems
Abstract
Distributed systems are difficult to implement correctly because they must handle both concurrency and failures: machines may crash at arbitrary points and networks may reorder, drop, or duplicate packets. Further, their behavior is often too complex to permit exhaustive testing. Bugs in these systems have led to the loss of critical data and unacceptable service outages. We present Verdi, a framework for implementing and formally verifying distributed systems in Coq. Verdi formalizes various network semantics with different faults, and the developer chooses the most appropriate fault model when verifying their implementation. Furthermore, Verdi eases the verification burden by enabling the developer to first verify their system under an idealized fault model, then transfer the resulting correctness guarantees to a more realistic fault model without any additional proof burden. To demonstrate Verdi's utility, we present the first mechanically checked proof of linearizability of the Raft state machine replication algorithm, as well as verified implementations of a primary-backup replication system and a key-value store. These verified systems provide similar performance to unverified equivalents.
Two Lectures on Constructive Type Theory
2015
Abstract
Main Goal: One goal of these two lectures is to explain how important ideas and problems from computer science and mathematics can be expressed well in constructive type theory and how proof assistants for type theory help us solve them. Another goal is to note examples of abstract mathematical ideas currently not expressed well enough in type theory. The two lectures will address the following three specific questions related to this goal. Three Questions: One, what are the most important foundational ideas in computer science and mathematics that are expressed well in constructive type theory, and what concepts are more difficult to express? Two, how can proof assistants for type theory have a large impact on research and education, specifically in computer science, mathematics, and beyond? Three, what key ideas from type theory are students missing if they know only one of the modern type theories? The lectures are intended to complement the hands-on Nuprl tutorials by Dr. Mark Bickford that will introduce new topics as well as address these questions. The lectures refer to recent educational material posted on the PRL project web page, www.nuprl.org, especially the online article Logical Investigations, July 2014 on the front page of the web site.