An Informal introduction to Formal Verification

Transcription

1 An Informal introduction to Formal Verification Osman Hasan National University of Sciences and Technology (NUST), Islamabad, Pakistan

2 O. Hasan Formal Verification 2 Agenda q Formal Verification Methods, Osman Hasan q Can Formal Logic help with Social Decision Making?, Stephen Arthur Cook q 1982 ACM Turing award for his contributions to complexity theory q Birth of Model Checking, Edmund M. Clarke q Formal Methods Assessment and Perspectives, Joseph Sifakis q Prof. Clarke and Prof. Sifakis are co-recipients of the 2007 ACM Turing Award for their role in developing Model Checking into a highly effective verification technology

3 O. Hasan Formal Verification 3 Objectives q Formal Verification A sound system analysis technique Soundness: Every statement that is provable is actually true q Why do we need it? q What is it? q How can we apply it for the analysis of real-world systems?

4 O. Hasan Formal Verification 4 System Analysis q Does the system exhibit the desired behavior? q Mathematically using paper-and-pencil proof methods q Computer Simulations

5 Paper-and-Pencil Proof Methods q Construct a mathematical model of the system q Mathematically verify that the system exhibits the desired characteristics q Accurate q Scalability q Error-Prone O. Hasan Formal Verification 5

6 O. Hasan O. Hasan and S. Tahar Formal Verification 6 Simulation or Testing q Construct a computer based model of the system q Analyze the behavior of the system model under a number of test cases to deduce properties of interest

7 Simulation or Testing Example: Remainder and Quotient Program var x, y, q, r: integer; r := x; q := 0; while y < r do r := r - y; q := q + 1; q Property q r and q represent the remainder and quotient for all values of variables x and y q Test Cases Input (x,y) Output (r,q) Property (23,4) (3,5) True (2,5) (2,0) True (17,3) (2,5) True q Infer: The property is true since it is found to be true for all the test vectors used O. Hasan O. Hasan and S. Tahar Formal Verification 7

8 Simulation or Testing Example: Remainder and Quotient Program var x, y, q, r: integer; r := x; q := 0; while y < r do r := r - y; q := q + 1; q Testing for (24, 4) q After the fifth iteration, r = 4, q = 5, y = 4, the loop ends and we get (5, 4), which is wrong q Fix: Replace the condition y < r with y r q Testing for (23, -2) q r is always greater than x and thus we have an infinite loop q Fix: Constrain y to have positive values only O. Hasan O. Hasan and S. Tahar Formal Verification 8

9 O. Hasan O. Hasan and S. Tahar Formal Verification 9 Simulation or Testing q Easy to use q May lead to wrong conclusions q Practically impossible to test for all possible cases when dealing with large systems q Suppose we want to test a 64-bit floating-point division routine. There are combinations. q At 1 test/ms, it will take years Program testing can be a very effective way to show the presence of bugs, but it is hopelessly inadequate for showing their absence. Edsgar W. Dijkstra

10 System Analysis Accuracy q Extremely Important Hardware Software O. Hasan Formal Verification 10

11 O. Hasan O. Hasan and S. Tahar Formal Verification 11 System Analysis Accuracy q Faulty systems can be disastrous q FDIV bug in Intel Pentium (60 Mhz, 90Mhz) q Hardware error in the floating point division unit q Expected precision up to 18 positions q in practice, only 4 positions q Example: q / q wrong answer: q expected answer: q Resulted in net loss of approximately US $500M to the company in 1994

12 O. Hasan Formal Verification 12 System Analysis Accuracy q Faulty systems can be disastrous q Therac-25 q Software Bug in a Cancer Therapy Machine q 3 Deaths and 3 severe injuries between

13 O. Hasan O. Hasan and S. Tahar Formal Verification 13 System Analysis Accuracy q Faulty systems can be disastrous q Mars Polar Lander q Mars Climate Orbiter q Engine shutdown due to spurious signals that gave false indication that spacecraft had landed Mars q Resulted in a loss of US $370M in 1999 q Conversion error from English units to metric units q Resulted in a loss of US $125M in 1999

14 O. Hasan O. Hasan and S. Tahar Formal Verification 14 System Analysis Accuracy q Faulty systems can be disastrous

15 Formal Verification q Bridges the gap between Paper-and-pencil proof methods and simulation Paper-and-pencil Proof Methods Formal Verification Simulation q Shares their advantages q As precise as a mathematical proof can be q Computers are used for book-keeping q Not as straightforward to use as testing O. Hasan O. Hasan and S. Tahar Formal Verification 15

16 O. Hasan O. Hasan and S. Tahar Formal Verification 16 Formal Verification q Construct a computer-based mathematical model of the system (implementation) q Use mathematical methods to check if the implementation satisfies the properties of interest (specifications) in a computerized environment

17 O. Hasan O. Hasan and S. Tahar Formal Verification 17 Formal Verification Methods q Most widely used techniques q Model Checking q Theorem proving

18 Model Checking q Typically used for verifying Concurrent Finite- State Systems q Rigorous testing is infeasible due to large number of possible scenarios q Implementation q State-transition Graph q Specifications q Temporal Logic O. Hasan Formal Verification 18

19 Temporal Logic q Time is modeled as a sequence of states q Atomic formulas associated with each state q Temporal connectives allow us to refer to the future q F: some Future state (Fp) p q X: next state (Xp) p q G: Globally (Gp) p p p p q U: Until (puq) p p p q O. Hasan Formal Verification 19

20 Model Checking q The verification can be done automatically using rigorous state-exploration methods q Counter Examples q In case of failing properties, counter examples are provided for debugging purposes O. Hasan Formal Verification 20

21 O. Hasan Formal Verification 21 Model Checking Example: Mutual Exclusion Protocol q Concurrent processes sharing the same file q Each process has a critical section (where the shared file is accessed) q The protocol manages the entry of a process in its critical sections q Formally verify that the protocol allows only one process to enter its critical section at any time

22 Model Checking Example: Mutual Exclusion Protocol q Model of the Protocol q Two Processes q non-critical state (n) q trying to enter its critical state (t) q its critical state (c) Logic in Computer Science, Ruth & Ryan O. Hasan Formal Verification 22

23 O. Hasan Formal Verification 23 Model Checking Example: Mutual Exclusion Protocol q Property 1: Only one process is in its critical section at any time q : True Logic in Computer Science, Ruth & Ryan

24 O. Hasan Formal Verification 24 Model Checking Example: Mutual Exclusion Protocol q Property 2: Whenever any process requests to enter its critical section, it will eventually be permitted to do so q : False q Counter Example: q Fix: FIFO Logic in Computer Science, Ruth & Ryan

25 O. Hasan Formal Verification 25 Model Checking q Extensively used in verifying q Software q Security Protocols q Telecommunication Protocols q Digital hardware q Analog and mixed signal circuits q Microprocessors q Biological Systems

26 O. Hasan O. Hasan and S. Tahar Formal Verification 26 Model Checking q Advantages q Automatic (Push button type analysis tools) q No proofs involved q Diagnostic counter examples q Disadvantages q Limited expressiveness q State-space explosion problem q Some commonly used Model Checking Tools q SPIN q NuSMV q PRISM (A probabilistic model checker)

27 O. Hasan O. Hasan and S. Tahar Formal Verification 27 Theorem Proving S ystem Properties Logic (Function) Logic (Theorem) Theorem Prover Form al proofs of the system properties

28 Logic q Study of drawing conclusions (reasoning) q Propositional logic Supports statements that can be true or false q First-order logic (Predicate logic) Quantification over variables ( : For all, : there exists) q Higher-order logic Quantification over sets and functions Propositional Logic Less expressive(-) Decidable(+) First-Order Logic Higher-Order Logic Very expressive(+) Undecidable(-) O. Hasan Formal Verification 28

29 O. Hasan O. Hasan and S. Tahar 29 Formal Verification 29 Theorem Prover q A theorem prover consists of q A notation (Syntax) q A small set of fundamental axioms (facts) Example: ( A) A q A small set of deduction rules Example: Given (A B) and A, we can deduce B q Soundness is assured as every new theorem must be created from q The basic axioms and primitive inference rules q Any other already proved theorems (Theory Files)

30 Theorem Proving - Example: Natural Log of Product val LN_MUL = store_thm("ln_mul", (--` x y. 0 < x 0 < y (ln (x * y) = ln x + ln y)`--), REPEAT GEN_TAC THEN STRIP_TAC THEN ONCE_REWRITE_TAC[GSYM EXP_INJ] THEN REWRITE_TAC[EXP_ADD] THEN SUBGOAL_THEN (--`&0 < x * y`--) ASSUME_TAC THENL [MATCH_MP_TAC REAL_LT_MUL THEN ASM_REWRITE_TAC[], EVERY_ASSUM(fn th => REWRITE_TAC[ONCE_REWRITE_RULE[GSYM EXP_LN] th])]); [EXP_INJ] x y. (exp x = exp y) (x = y) [EXP_ADD] x y. exp (x + y) = exp x * exp y [EXP_LN] x. (exp (ln x) = x) 0 < x O. Hasan Formal Verification 30

31 Theorem Proving q Formalization of Classical Mathematical Theories q Multivariable analysis q Euclidian Geometry q Probability q Information q Fractional Calculus O. Hasan O. Hasan and S. Tahar Formal Verification 31

32 O. Hasan O. Hasan and S. Tahar Formal Verification 32 Theorem Proving q Some Significant Formally Verified Theorems q Gödel's Incompleteness Theorem q The Impossibility of Trisecting the Angle and Doubling the Cube q Euler's Generalization of Fermat's Little Theorem q Fundamental Theorem of Integral Calculus q De Moivre's Theorem q Feuerbach's Theorem q The Solution of a Cubic q Minkowski's Fundamental Theorem q Pick's Theorem q Cramer's Rule

33 Theorem Proving q System Analysis q Compilers q Floating-point algorithms q Digital Signal Processing systems q Optical systems q Wireless sensor networks q Kinematic Analysis of Robots O. Hasan O. Hasan and S. Tahar Formal Verification 33

34 Significance of Assumptions q May be guessed q We all know that Probabilities need to be in the interval [0,1] q Not very straightforward q Theorem cannot be verified except these Theorem: Repairability of Stuck-at Faults a b w. (0 a) (a 1) (0 b) (b 1) ( n. (0<w(n)) (w(n)<(a+b) ) ) n (lim λ n. 1 w(n) = 0 ) (lim (λn. P{ s (fst (num_of_faults n a b w s) ) (a+b)n}) = 1) O. Hasan Formal Verification 34

35 O. Hasan O. Hasan and S. Tahar Formal Verification 35 Theorem Proving q Advantages q High expressiveness q No risk of mistakes (human errors) q Some parts of the proofs can be automated q Disadvantages q Detailed and explicit human guidance required for verifying realworld systems q The state-of-the-art is limited q Theorem Proving Tools q ACL2 (First-order Logic) q Coq (Higher-order Logic) q HOL (Higher-order-logic)

36 O. Hasan Formal Verification 36 Objectives q Formal Verification q Why do we need it? Exact Answers (Useful for the analysis of Safety-critical systems) q What is it? Mathematically reason about properties of a system using a computer-based tool q How can we apply it for the analysis of real-world systems? Mathematically model the system (Implementation) Mathematically model the desired properties (Specification) Use tool support to mathematically prove that the specification holds for your implementation

37 Conclusions q Formal Verification is not an alternative to simulation q Both techniques have to play together for a successful analysis framework q Less critical sections of the system q Simulation/Testing q Critical sections of the system that can be expressed as a FSM q Model Checking q Critical sections of the system that cannot be handled by Model Checking q Theorem Proving O. Hasan Formal Verification 37

38 O. Hasan Formal Verification 38 Thanks! q For More Information q Visit our website q Contact osman.hasan@seecs.nust.edu.pk