Alexander Weigl


3 Papers

Oct 20, 2019
Relational Test Tables: A Practical Specification Language for Evolution and Security

Alexander Weigl, Mattias Ulbrich, Suhyun Cha et al.

A wide range of interesting program properties are intrinsically relational, i.e., they relate two or more program traces. Two prominent relational properties are secure information flow and conditional program equivalence. By showing the absence of illegal information flow, confidentiality and integrity properties can be proved. Equivalence proofs allow using an existing (trusted) software release as specification for new revisions. Currently, the verification of relational properties is hardly accessible to practitioners due to the lack of appropriate relational specification languages. In previous work, we introduced the concept of generalised test tables: a table-based specification language for functional (non-relational) properties of reactive systems. In this paper, we present relational test tables -- a canonical extension of generalised test tables for the specification of relational properties, which refer to two or more program runs or traces. Regression test tables support asynchronous program runs via stuttering. We show the applicability of relational test tables, using them for the specification and verification of two examples from the domain of automated product systems.

Jan 26, 2018
Relational Equivalence Proofs Between Imperative and MapReduce Algorithms

Bernhard Beckert, Timo Bingmann, Moritz Kiefer et al.

MapReduce frameworks are widely used for the implementation of distributed algorithms. However, translating imperative algorithms into these frameworks requires significant structural changes to the algorithm. As the costs of running faulty algorithms at scale can be severe, it is highly desirable to verify the correctness of the translation, i.e., to prove that the MapReduce version is equivalent to the imperative original. We present a novel approach for proving equivalence between imperative and MapReduce algorithms based on partitioning the equivalence proof into a sequence of equivalence proofs between intermediate programs with smaller differences. Our approach is based on the insight that two kinds of sub-proofs are required: (1) uniform transformations changing the control-flow structure that are mostly independent of the particular context in which they are applied; and (2) context-dependent transformations that are not uniform but that preserve the overall structure and can be proved correct using coupling invariants. We demonstrate the feasibility of our approach by evaluating it on two prototypical algorithms commonly used as examples in MapReduce frameworks: k-means and PageRank. To carry out the proofs, we use the interactive theorem prover Coq with partial proof automation. The results show that our approach and its prototypical implementation based on Coq enable equivalence proofs of non-trivial algorithms and could be automated to a large degree.

Oct 26, 2016
Sound Probabilistic #SAT with Projection

Vladimir Klebanov, Alexander Weigl, Jörg Weisbarth

We present an improved method for a sound probabilistic estimation of the model count of a boolean formula under projection. The problem solved can be used to encode a variety of quantitative program analyses, such as those concerning the security of resource consumption. We implement the technique and discuss its application to quantifying information flow in programs.