## Section: New Results

### Verification Techniques

Participants : Ugo Dal Lago, Adrien Durier, Daniel Hirschkoff, Ivan Lanese, Cosimo Laneve, Davide Sangiorgi, Akira Yoshimizu, Gianluigi Zavattaro.

Extensional properties are those properties that constrain the behavioural descriptions of a system (i.e., how a system looks like from the outside). Examples of such properties include classical functional correctness, deadlock freedom and resource usage.

In the last year of the Focus project, we have worked on three main topics:
(*i*) *name mobility and coinductive techniques*, (*ii*) *deadlock analysis*, and (*iii*) *cost
analysis of properties*
of languages for actors and
for smart contracts.

#### Name Mobility and Coinductive Techniques

In [19], we propose proof techniques for bisimilarity based on unique solution of equations. The results essentially state that an equation (or a system of equations) whose infinite unfolding never produces a divergence has the unique-solution property. We distinguishing between different forms of divergence; derive an abstract formulation of the theorems, on generic LTSs; adapt the theorems to other equivalences such as trace equivalence, and to preorders such as trace inclusion; we compare the resulting techniques to enhancements of the bisimulation proof method (the `up-to techniques'). In [20], we study how to adapt such techniques to higher-order languages. In such languages proving behavioural equivalences is known to be hard, because interactions involve complex values, namely terms of the language. The soundness of proof techniques is usually delicate and difficult to establish. The language considered is the Higher-Order $\pi $-calculus.

The contribution [42] studies the representation of the call-by-need $\lambda $-calculus in the pure message-passing concurrency of the $\pi $-calculus, precisely the Local Asynchronous $\pi $-calculus, that has sharper semantic properties than the ordinary $\pi $-calculus. We exploit such properties to study the validity of of $\beta $-reduction (meaning that the source and target terms of a beta-reduction are mapped onto behaviourally equivalent processes). Nearly all results presented fail in the ordinary $\pi $-calculus.

In [45], we investigate basic properties of the Erlang concurrency model. This model is based on asynchronous communication through mailboxes accessed via pattern matching. In particular, we consider Core Erlang (which is an intermediate step in Erlang compilation) and we define, on top of its operational semantics, an observational semantics following the approach used to define asynchronous bisimulation for the $\pi $-calculus. Our work allows us to shed some light on the management of process identifiers in Erlang, different from the various forms of name mobility already studied in the literature. In fact, we need to modify standard definitions to cope with such specific features of Erlang.

The paper [25] reviews the origins and the history of enhancements of the bisimulation and coinduction proof methods.

#### Deadlock Analysis

The contributions [22] and [50] address deadlock analysis
of `Java` -like programs.
The two papers respectively cover two relevant features of these languages: (*i*)
multi-threading and reentrant locks and (*ii*) co-ordination primitives (`wait` , `notify` and
`notifyAll` ). In both cases, we define a behavioral type system that associates abstract models to
programs (lams and Petri Nets with inhibitor arcs) and define an algorithm for detecting deadlocks.
The two systems are consistent and our technique is intended to be an effective tool for the deadlock analysis of programming languages.

The paper [16] addresses the $\pi $-calculus. It defines a type system for guaranteing
that typable processes
never produce a run-time error and, even if they may diverge, there is always a chance for them to
finish their work, i.e., to reduce to an idle process (a stronger property than deadlock freedom).
The type system uses so-called *non-idempotent intersections* and, therefore, applies to a
large class of processes. Indeed, despite the fact that the underlying property is ${\prod}_{2}^{0}$-complete, there is a way to show that the system is complete, i.e., that any well-behaved process is typable, although for obvious reasons infinitely many derivations need to be considered.

#### Static Analysis of Properties of Concurrent Programs

We have analyzed the computational time of actor programs, following a technique
similar to [52], and we have begun a new research direction that deals
with the analysis of `Solidity` smart contracts.

In [23], we propose a technique for estimating the computational time
of programs in an actor model. To this aim, we define a compositional
translation function returning cost equations, which are fed to an automatic
off-the-shelf solver for obtaining the time bounds. Our approach is based on so-called *synchronization sets* that capture possible difficult synchronization
patterns between actors and helps make the analysis efficient and precise.
The approach is proven to correctly over-approximate the worst computational time
of an actor model of concurrent programs. The technique is complemented by a
prototype analyzer that returns upper bound of costs for the actor model.

In [38], we analyze the bahaviour of smart contracts, namely programs stored on
some
blockchain that control the transfer of assets between parties under certain conditions.
In particular, we focus on the interactions of smart contracts and
external actors (usually, humans) in order to maximize objective functions.
5
To this aim, we define a core language
of programs, which is reminiscent of `Solidity` , with a minimal set of smart
contract primitives and we describe the whole system as a parallel composition of smart contracts and users. We therefore express the system behaviour as a first order logic formula
in Presburger arithmetics and study the maximum profit for each actor by solving
arithmetic constraints.