Time for Time ... Ernest Allen Emerson II Computer Sciences Department University of Texas at Austin Amir Pnueli Memorial, New York, NY, 8 May 2010 1
Ultimate Goal of FM: To Program Well • Basic Need: predictable & reliable programs • Program :: hardware design, software program, system, etc. • Problem: programs have bugs • Issue: programs are mathematical objects • Solution: Formal Methods based on mathematical logic • Specify: correct behavior • Verify: the program conforms to its specification 2
Amir Pnueli (1941 – 2009) * father: professor of Hebrew literature * Ph.D. dissertation at Weizmann Institute: - Solution of Tidal Problems - in Simple Basins, 1967 (advisor: Pekeris) * postdoc: Stanford w/ McCarthy * seminal paper [Pnueli 77] while visiting Penn - Logic of Commands suggested by Saul Gorn; blurb on back: - Rescher & Urquhart, Temporal Logic * Newton of Temporal Logic - Tarski of Computer Aided Verification 3
Bumping into Amir Lop81, Popl83, Lop83, Monterrey84, Stoc84?, Icalp84?, Popl85, Lop85, Lics86, UT-Fall86, Manchester87, Popl89... 4
Comments “Amir Pnueli plainly deserves the Turing Award” — Krzysztof Apt, ≈ 1987 “Pnueli is the single scientist I most admire and respect professionally.” — Emerson to Dijkstra, 1994 — 3 hr discussion — Dijkstra appreciates Pnueli’s excellence 5
Verification Engineering: A Future Profession. Amir Pnueli, Weizmann Institute of Sciences. An A.M. Turing Award Lecture, PODC, San Diego, 23.8.1997
Formal Verification. Started with sequential program verification which, so far, has not been universally embraced. It then expanded into the area of reactive system verification, where it has a more visible impact and greater success. Why? Distinguish between [HP85]: • Transformational systems (sequential): run in order to produce a final result on termination. Can be modeled as a black box (figure: input $x$, output $y$). Specified in terms of their Input/Output relations. • Reactive systems, whose role is to maintain an ongoing interaction with their environment (figure, labelled "Green Cactus?"). Such systems must be specified and verified in terms of their behaviors. 2
Originally, formal verification was associated with the application of axiomatic or deductive techniques to proofs of correctness. Things having to do with logic. Since the early 80's [CE81], it also includes model checking and other algorithmic approaches, which can be viewed as exhaustive simulation or exhaustive testing. A first step towards engineerization of the field! 5
Example: Mutual Exclusion by Semaphores. Two processes coordinating access to their critical sections by semaphores. $y$ : integer where $y = 1$. (Figure: each process $P_i$ cycles through its non-critical section $N_i$, trying section $T_i$ and critical section $C_i$; the edge $T_i \to C_i$ is "request $y$", the edge $C_i \to N_i$ is "release $y$".) The semaphore instructions request $y$ and release $y$ stand for $\langle \mathbf{await}\ y > 0;\ y := y - 1 \rangle$ and $y := y + 1$. 7
Specification of MUTEX by a Property List. • Safety: $\Box\neg(C_1 \wedge C_2)$. The two processes can never visit their respective critical sections at the same time. • Liveness: $T_1 \Rightarrow \Diamond C_1$, $T_2 \Rightarrow \Diamond C_2$. Every visit of a process to its trying section is followed by a visit to the critical section of the same process. 8
Specification by an Abstract Model. (Figure: the state graph over pairs of process locations.) States: $\langle N_1, N_2\rangle$; $\langle T_1, N_2\rangle$, $\langle N_1, T_2\rangle$; $\langle C_1, N_2\rangle$, $\langle T_1, T_2\rangle$, $\langle N_1, C_2\rangle$; $\langle C_1, T_2\rangle$, $\langle T_1, C_2\rangle$. The absence of the state $\langle C_1, C_2\rangle$ implies mutual exclusion. 9
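The three slides above (the semaphore program, its property list, and the abstract model) are exactly what an explicit-state model checker in the [CE81] sense operates on. The following is an added example, written for this page and not part of Pnueli's lecture or Emerson's talk: it builds the abstract model by exhaustively exploring the two-process semaphore program, checks the safety property by reachability, and searches for a counterexample to the liveness property. All function and variable names are this example's own. Note the caveat it makes visible: without a fairness assumption on the scheduler, the liveness property fails, because one process can loop through its critical section while the other waits at the semaphore forever.

```python
"""Explicit-state model checking of the two-process semaphore mutex.

Added example (not from the slides). A state is (loc of P1, loc of P2, y)
with locations N (non-critical), T (trying) and C (critical). The checks:
  safety   []~(C1 /\ C2)  -- no reachable state has both processes in C
  liveness T1 => <>C1     -- look for a reachable cycle on which P1 stays
                             in T (a starvation lasso; no fairness assumed)
"""
from collections import deque

N, T, C = "N", "T", "C"
INIT = (N, N, 1)  # both processes non-critical, semaphore y = 1


def successors(state):
    """One interleaving step of either process, following the slide:
    N -> T unconditionally; T -> C is <await y > 0; y := y - 1>;
    C -> N is y := y + 1. Returns a list of next states."""
    locs, y = [state[0], state[1]], state[2]
    out = []
    for i in (0, 1):
        nxt = list(locs)
        if locs[i] == N:
            nxt[i] = T
            out.append((nxt[0], nxt[1], y))
        elif locs[i] == T and y > 0:      # request y (blocked if y == 0)
            nxt[i] = C
            out.append((nxt[0], nxt[1], y - 1))
        elif locs[i] == C:                # release y
            nxt[i] = N
            out.append((nxt[0], nxt[1], y + 1))
    return out


def reachable(init=INIT):
    """Breadth-first exploration; returns the abstract model as
    a dict mapping each reachable state to its successor list."""
    graph = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        graph[s] = successors(s)
        for t in graph[s]:
            if t not in graph:
                graph[t] = None
                queue.append(t)
    return graph


def check_safety(graph):
    """[]~(C1 /\ C2): return the first reachable state with both
    processes critical, or None if the invariant holds."""
    for s in graph:
        if s[0] == C and s[1] == C:
            return s
    return None


def find_starvation(graph, proc=1):
    """Counterexample to T_proc => <>C_proc when no fairness is assumed:
    a reachable cycle on which `proc` is in T at every state. Returns the
    cycle as a list of states (first == last), or None."""
    idx = proc - 1
    for start in (s for s in graph if s[idx] == T):
        stack, seen = [(start, [start])], set()
        while stack:
            s, path = stack.pop()
            for t in graph[s]:
                if t[idx] != T:
                    continue
                if t == start:
                    return path + [t]
                if t not in seen:
                    seen.add(t)
                    stack.append((t, path + [t]))
    return None


if __name__ == "__main__":
    g = reachable()
    print("reachable states:", len(g))           # the 8 states of the slide
    print("safety violation:", check_safety(g))  # None: mutual exclusion holds
    print("starvation lasso:", find_starvation(g, 1))
```

The eight states the exploration produces are exactly those drawn on the abstract-model slide, and $\langle C_1, C_2\rangle$ is absent, so safety holds. The starvation lasso returned for process 1 is $\langle T_1,N_2\rangle \to \langle T_1,T_2\rangle \to \langle T_1,C_2\rangle \to \langle T_1,N_2\rangle$: process 2 keeps re-acquiring the semaphore. Ruling that run out requires a fairness assumption on the scheduler, which is why a property list for a reactive system is only meaningful together with the fairness conditions under which it is claimed.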
Personal Pnueli’s Turing Award Lecture, 1997 — Cites two papers — [HP85] Reactive systems — [CE81] Model Checking — uses Mutex example of [EL85] (cf. [CE81]) — I felt very honored 6
COMMUNICATIONS OF THE ACM CACM.ACM.ORG 11/09 VOL.52 NO.11 Scratch Programming for All Communications Surveillance An Interview with Ping Fu Usable Security: How To Get It E-Paper’s Next Chapter Turing Lecture by Edmund M. Clarke, E. Allen Emerson, and Joseph Sifakis Association for Computing Machinery
Communications of the ACM, 11/2009, Vol. 52 No. 11, table of contents: page 74, Turing Lecture from the winners of the 2007 ACM A.M. Turing Award, Edmund M. Clarke, E. Allen Emerson, and Joseph Sifakis.
COMMUNICATIONS OF THE ACM CACM.ACM.ORG 01/2010 VOL.53 NO.01 Amir Pnueli Ahead of His Time Data in Flight Two Views of MapReduce Capabilities Can Automated Agents Negotiate with Humans? Rebuilding for Eternity ACM’s Annual Report