Aquinas Hobor Research Statement
Abstract
I am interested in improving software reliability through specification and verification techniques. Recently I have focused on improving the reliability of concurrent programs. Multi-core processors are leading to an increasing number of programs that utilize concurrency. Unfortunately, concurrency bugs tend to be among the most difficult to discover through testing. Therefore, to improve the reliability of future software, we need to develop static analysis techniques that prevent concurrency bugs.

Most concurrent programs use threads and locks to control shared-memory concurrency. One formal method for reasoning about such programs is Concurrent Separation Logic (CSL) [8]. However, CSL was proposed for a simplified language that did not have first-order locks, threads, or substantial sequential control flow. Still, difficulties in reasoning about concurrent execution meant that the soundness of CSL was uncertain for some time [7], until Stephen Brookes developed a semantic model [2].

My work makes CSL more usable and its soundness more reliable. A major goal is end-to-end proofs: if we prove a property of our concurrent source program, we should get guarantees about the concurrent program as it actually executes on the chip. I developed a machine-checked soundness proof (in Coq) of CSL with respect to the operational semantics of concurrent C minor. C minor was chosen because it is powerful enough to be an intermediate language in an ANSI C compiler and because Xavier Leroy has a machine-verified compiler from (sequential) C minor to PowerPC assembly [6]. A major strength of my approach as compared to others [3] is that it directly supports the goal of end-to-end proofs and has the reliability guarantees of machine-checked proof. To handle the soundness proof, I developed a separation technique that allows independent reasoning about the sequential and concurrent features of C minor.
The resulting modularity is quite strong and allowed me to reuse an existing machine-checked soundness proof for sequential separation logic with respect to sequential C minor [1] with only very minor modification; this modularity was extremely helpful for developing an industrial-sized machine-checked proof. My paper on this result is to appear in ESOP 2008 [5]. This modularity should similarly allow the machine-checked soundness proof of the sequential C minor compiler to be largely reused in a soundness proof of a concurrency-aware C minor compiler (a direction for future work).

In prior work related to concurrency and software verification, during an internship at Microsoft, I developed a system called espC that uses annotations to verify locking protocols; this tool is now being deployed over the Windows code base.

Other research interests of mine include weak memory models, certified concurrency-aware compilers, the relationship of properties at the source code level to properties at the machine code level, certified parsers, semantic modeling, machine-checked proofs, modular proof techniques, substructural modal logics, information flow, modules and interfaces, size of trusted code base, editors and tools to aid code development, code analysis techniques, and security. A major strength of the approach described in [3] is that it connects to an implemented shape analysis technique [4]; unifying the two approaches is an interesting avenue for future work.
Similar sources
Improving the Compositionality of Separation Algebras
We show how to improve one of the constructors of separation algebras to increase modularity and expressibility. Our technique has advantages for both paper and mechanized proofs. Our results are implemented in Coq.
The Ramifications of Mechanized Localizations within Data Structures
We develop a way to mechanically verify realistic programs that manipulate data structures with intrinsic sharing such as heap-represented graphs. We upgrade Hobor and Villard's theory of ramification to better support modified program variables and existential quantifiers in assertions. We develop a modular and general setup for reasoning about mathematical graphs and show how to connect this s...
Certified Reasoning with Infinity
We demonstrate how infinities improve the expressivity, power, readability, conciseness, and compositionality of a program logic. We prove that adding infinities to Presburger arithmetic enables these improvements without sacrificing decidability. We develop Omega++, a Coq-certified decision procedure for Presburger arithmetic with infinity and benchmark its performance. Both the program and pr...
Introducing Logic and Formal Methods with Coq
During the past three years we have been integrating mechanized theorem proving into a traditional introductory course on formal methods. We explain our goals for adding mechanized provers to the course, and illustrate how we have integrated the provers into our syllabus to meet those goals. We also document some of the teaching materials we have developed for the course to date, and what our e...
Teaching Experience: Logic and Formal Methods with Coq
During the past three years we have been integrating mechanized theorem proving into a traditional introductory course on formal methods. We explain our goals for adding mechanized provers to the course, and illustrate how we have integrated the provers into our syllabus to meet those goals. We also document some of the teaching materials we have developed for the course to date, and what our e...
A Concurrent Perspective on Smart Contracts
In this paper, we explore remarkable similarities between multi-transactional behaviors of smart contracts in cryptocurrencies such as Ethereum and classical problems of shared-memory concurrency. We examine two real-world examples from the Ethereum blockchain and analyze how they are vulnerable to bugs that are closely reminiscent of those that often occur in traditional concurrent programs....