Modular Verification of a Modular Specification: Behavioral Types as Program Logics

Abstract

Verification of distributed systems is a challenging problem, especially if the distributed system allows entities to interact in multiple ways. The complexity of the task is mirrored in the complexity of the verification system. The design of such verification systems itself is a challenge on the theoretical level. The main engineering tool to handle complex systems is modularization. While modularity in the target system is exploited by verification systems, it is rarely applied to their theory. This thesis is a study of modularity in deductive verification with program logics and the main tool we introduce is the Behavioral Program Logic (BPL). As concurrency model we use Active Objects, because, for one, they allow multiple ways for entities to interact, for another, because their strong encapsulation enables modularization on the semantic level. Modularity is applied on multiple layers: • We present a modular, new Locally Abstract, Globally Concrete semantics for Active Objects, that allows us to sharply distinguish between local and global behavior. • We introduce a modular specification principle with object invariants, asynchronous method contracts, Effect Types and Session Types. Each of these specifications itself is modular and describes the behavior of an encapsulated entity. E.g., object invariants describe single objects, method contracts describe single methods, Session Types describe single methods in a protocol context. • We design a modular verification system with BPL. BPL allows one to design one logic per verification aspect, such as presence of object invariants, as well as interfacing with external static analyses, such as pointer analyses. BPL enables us not only the simple design of new program logics, it also allows reuse on the rule level: The calculi of all aspects are composed before being applied. For composition, we give a mostly automatic soundness argument for the composed rule. BPL has structural similarities with behavioral types, which simplify calculus design — the most prominent is that the calculus modifies program and specification in one step, after syntactically matching them. This is uncommon in other dynamic logics. The lack of modularity in verification of distributed systems and the need for a more structural approach in the design of program logics are identified as shortcomings of state-of-the-art approaches by applying existing tools to the FormbaR model of railway operations, the biggest verification study with Active Objects to date. This thesis concludes with a discussion that exemplifies how our approach can express and verify properties that were not possible before.