An “Informal” introduction to Formal Verification
Osman Hasan
National University of Sciences and Technology (NUST), Islamabad, Pakistan
Formal Verification
Agenda
• Formal Verification Methods, Osman Hasan
• Can Formal Logic help with Social Decision Making?, Stephen Arthur Cook
  § 1982 ACM Turing Award for his contributions to complexity theory
• Birth of Model Checking, Edmund M. Clarke
• Formal Methods – Assessment and Perspectives, Joseph Sifakis
  § Prof. Clarke and Prof. Sifakis are co-recipients of the 2007 ACM Turing Award for their role in developing Model Checking into a highly effective verification technology
O. Hasan 2
Objectives
• Formal Verification: "A sound system analysis technique"
  § Soundness: every statement that is provable is actually true
• Why do we need it?
• What is it?
• How can we apply it for the analysis of real-world systems?
System Analysis
• Does the system exhibit the desired behavior?
• Mathematically, using paper-and-pencil proof methods
• Computer simulations
Paper-and-Pencil Proof Methods
• Construct a mathematical model of the system
• Mathematically verify that the system exhibits the desired characteristics
• Accurate (+)
• Scalability (−)
• Error-prone (−)
Simulation or Testing
• Construct a computer-based model of the system
• Analyze the behavior of the system model under a number of test cases to deduce properties of interest
O. Hasan and S. Tahar O. Hasan
Simulation or Testing – Example: Remainder and Quotient Program
  var x, y, q, r: integer;
  r := x; q := 0;
  while y < r do
  begin
    r := r - y; q := q + 1;
  end;
• Property
  § r and q represent the remainder and quotient for all values of variables x and y
• Test Cases

  Input (x, y)   Output (r, q)   Property
  (23, 4)        (3, 5)          True
  (2, 5)         (2, 0)          True
  (17, 3)        (2, 5)          True

• Infer: the property is true, since it is found to be true for all the test vectors used
Simulation or Testing – Example: Remainder and Quotient Program
  var x, y, q, r: integer;
  r := x; q := 0;
  while y < r do
  begin
    r := r - y; q := q + 1;
  end;
• Testing for (24, 4)
  § After the fifth iteration, r = 4, q = 5, y = 4, the loop ends and we get (5, 4), which is wrong
  § Fix: replace the condition y < r with y ≤ r
• Testing for (23, -2)
  § r is always greater than x and thus we have an infinite loop
  § Fix: constrain y to have positive values only
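The two runs above, as an added example that is not part of the original slides: the slide's loop is reproduced in Python beside the corrected version, and every result is checked against what "r and q represent the remainder and quotient" actually means (x = q·y + r with 0 ≤ r < y), which is the property the three passing test vectors were taken to establish. The step limit in the first routine is an addition so that the non-terminating case can be reported instead of hanging.

```python
# Added example (not from the slides): the remainder/quotient program as written
# on the slide, the corrected version, and a check of what "r and q represent
# the remainder and quotient" actually means: x = q*y + r with 0 <= r < y.

def div_as_on_slide(x, y, max_steps=1000):
    """The slide's loop, 'while y < r'. A step limit (an addition) stands in
    for the infinite loop: None means the program would never terminate."""
    r, q = x, 0
    for _ in range(max_steps):
        if not y < r:
            return r, q
        r, q = r - y, q + 1
    return None

def div_fixed(x, y):
    """Both fixes from the slide: loop while y <= r, and reject y <= 0."""
    if y <= 0:
        raise ValueError("y must be positive")
    r, q = x, 0
    while y <= r:
        r, q = r - y, q + 1
    return r, q

def property_holds(x, y, result):
    """Remainder/quotient property: x = q*y + r and 0 <= r < y."""
    if result is None:
        return False
    r, q = result
    return x == q * y + r and 0 <= r < y

SLIDE_VECTORS = [(23, 4), (2, 5), (17, 3)]   # the three cases the slide tested
BREAKING_VECTORS = [(24, 4), (23, -2)]       # exact multiple; negative divisor

def run(fn, vectors):
    """Map each (x, y) to (result, property_holds) for the given routine."""
    out = {}
    for x, y in vectors:
        try:
            res = fn(x, y)
        except ValueError:
            res = None                        # the fixed routine rejects y <= 0
        out[(x, y)] = (res, property_holds(x, y, res))
    return out

if __name__ == "__main__":
    for name, fn in [("as on slide", div_as_on_slide), ("fixed", div_fixed)]:
        for inp, (res, ok) in run(fn, SLIDE_VECTORS + BREAKING_VECTORS).items():
            print(f"{name:12} {inp} -> {res} property={ok}")
```

All three slide vectors pass for the original loop, while (24, 4) returns (4, 5) and fails the property, and (23, -2) never terminates.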
Simulation or Testing
• Easy to use
• May lead to wrong conclusions
• Practically impossible to test for all possible cases when dealing with large systems
  § Suppose we want to test a 64-bit floating-point division routine. There are 2^128 input combinations.
  § At 1 test/ms, it will take 10^25 years

"Program testing can be a very effective way to show the presence of bugs, but it is hopelessly inadequate for showing their absence."
Edsger W. Dijkstra
System Analysis Accuracy
• Extremely important
(Figure: examples of faulty systems, Hardware and Software)
System Analysis Accuracy
• FDIV bug in Intel Pentium (60 MHz, 90 MHz)
  § Hardware error in the floating-point division unit
  § Expected precision up to 18 positions; in practice, only 4 positions
  § Example: 5505001 / 294911; wrong answer: 18.66600093; expected answer: 18.6665197
  § Resulted in a net loss of approximately US $500M to the company in 1994
• Faulty systems can be disastrous
System Analysis Accuracy
• Therac-25
  § Software bug in a cancer therapy machine
  § 3 deaths and 3 severe injuries between 1985-87
• Faulty systems can be disastrous
System Analysis Accuracy
• Mars Polar Lander
  § Engine shutdown due to spurious signals that gave a false indication that the spacecraft had landed on Mars
  § Resulted in a loss of US $370M in 1999
• Mars Climate Orbiter
  § Conversion error from English units to metric units
  § Resulted in a loss of US $125M in 1999
• Faulty systems can be disastrous
System Analysis Accuracy
• Faulty systems can be disastrous
Formal Verification
• Bridges the gap between paper-and-pencil proof methods and simulation
• Shares their advantages
  § As precise as a mathematical proof can be
  § Computers are used for book-keeping
• Not as straightforward to use as testing
(Figure: Simulation, Formal Verification and Paper-and-pencil Proof Methods on a spectrum, with Formal Verification between the other two)
Formal Verification
• Construct a computer-based mathematical model of the system (implementation)
• Use mathematical methods to check if the implementation satisfies the properties of interest (specifications) in a computerized environment
Formal Verification Methods
• Most widely used techniques
  § Model Checking
  § Theorem Proving
Model Checking
• Typically used for verifying concurrent finite-state systems
  § Rigorous testing is infeasible due to the large number of possible scenarios
• Implementation: state-transition graph
• Specifications: temporal logic
Temporal Logic
• Time is modeled as a sequence of states
• Atomic formulas are associated with each state
• Temporal connectives allow us to refer to the future
  § F: some Future state (Fp)   ○ → ○ → p → ○ → …
  § X: neXt state (Xp)          ○ → p → ○ → ○ → …
  § G: Globally (Gp)            p → p → p → p → …
  § U: Until (pUq)              p → p → p → q → …
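The four connectives evaluated over a sequence of states, as an added example that is not from the slides: the traces are constructed to mirror the slide's four timelines, and the semantics assumed are the standard ones restricted to a finite prefix (so G can only be confirmed up to the end of the prefix).

```python
# Added example (not from the slides): the meaning of the four temporal
# connectives on the slide, evaluated over a finite sequence of states. Each
# state is the set of atomic propositions that hold in it; a formula is an
# atom such as "p" or a tuple such as ("U", "p", "q"). Standard semantics assumed.

def holds(formula, trace, i=0):
    """Does formula hold at position i of trace (a list of sets of atoms)?"""
    if isinstance(formula, str):                   # atomic proposition
        return formula in trace[i]
    op, *args = formula
    if op == "X":                                  # neXt state
        return i + 1 < len(trace) and holds(args[0], trace, i + 1)
    if op == "F":                                  # some Future state (now included)
        return any(holds(args[0], trace, j) for j in range(i, len(trace)))
    if op == "G":                                  # Globally, from here to the end
        return all(holds(args[0], trace, j) for j in range(i, len(trace)))
    if op == "U":                                  # p Until q: q somewhere, p before it
        p, q = args
        return any(holds(q, trace, j) and all(holds(p, trace, k) for k in range(i, j))
                   for j in range(i, len(trace)))
    raise ValueError(f"unknown connective {op}")

# Constructed traces that mirror the slide's four timelines.
FUTURE = [set(), set(), {"p"}, set()]       # ... p ...       : F p holds, X p does not
NEXT   = [set(), {"p"}, set(), set()]       # p in next state : X p holds
ALWAYS = [{"p"}, {"p"}, {"p"}, {"p"}]       # p p p p         : G p holds
UNTIL  = [{"p"}, {"p"}, {"p"}, {"q"}]       # p p p q         : p U q holds, G p fails

def slide_checks():
    """The six evaluations discussed above, in order."""
    return (holds(("F", "p"), FUTURE), holds(("X", "p"), FUTURE),
            holds(("X", "p"), NEXT), holds(("G", "p"), ALWAYS),
            holds(("U", "p", "q"), UNTIL), holds(("G", "p"), UNTIL))
```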
Formal Verification
Model Checking
• The verification can be done automatically using rigorous state-exploration methods
• Counterexamples
  § In case of failing properties, counterexamples are provided for debugging purposes
Model Checking – Example: Mutual Exclusion Protocol
• Concurrent processes sharing the same file
• Each process has a critical section (where the shared file is accessed)
• The protocol manages the entry of a process into its critical section
• Formally verify that the protocol allows only one process to enter its critical section at any time
Model Checking – Example: Mutual Exclusion Protocol
• Model of the Protocol
• Two processes, each in one of three states
  § non-critical state (n)
  § trying to enter its critical state (t)
  § its critical state (c)
(Figure: state-transition graph of the protocol, from Logic in Computer Science, Huth & Ryan)
Model Checking – Example: Mutual Exclusion Protocol
• Property 1: Only one process is in its critical section at any time
  § Verification result: True
(Figure from Logic in Computer Science, Huth & Ryan)
Model Checking – Example: Mutual Exclusion Protocol
• Property 2: Whenever any process requests to enter its critical section, it will eventually be permitted to do so
  § Verification result: False
• Counterexample (figure from Logic in Computer Science, Huth & Ryan)
• Fix: FIFO
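The three slides above, as an added example that is not part of the original slides and is not code from Huth & Ryan: a small explicit-state model checker in Python over the two-process model. It confirms Property 1, produces the waiting-forever counterexample for Property 2, and shows that the FIFO-style fix (splitting the state in which both processes are trying, so that it records who asked first) makes Property 2 hold. The state names and transition tables are assumptions that follow the description on the slides.

```python
# Added example (not from the slides or from Huth & Ryan): a tiny explicit-state
# model checker for the two-process mutual exclusion protocol. A state name such
# as "t1c2" gives the local state (n/t/c) of process 1 and of process 2.
def reachable(trans, init):
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(trans[s])
    return seen

def mutual_exclusion(trans, init="n1n2"):
    """Property 1, AG not(c1 and c2): no reachable state has both processes in c."""
    return all(not (s[0] == "c" and s[2] == "c") for s in reachable(trans, init))

def af(trans, start, goal):
    """AF goal from start: None if every path hits a goal state, else a looping path that never does."""
    path, on_path, done = [], {}, set()
    def dfs(s):
        if goal(s) or s in done:
            return None
        if s in on_path:                       # cycle closed without reaching goal
            return path[on_path[s]:] + [s]
        on_path[s] = len(path); path.append(s)
        for t in trans[s]:
            cex = dfs(t)
            if cex:
                return cex
        path.pop(); del on_path[s]; done.add(s)
        return None
    return dfs(start)

def liveness(trans, proc, init="n1n2"):
    """Property 2 for process proc (1 or 2), AG(t -> AF c); returns (ok, counterexample)."""
    i = 2 * (proc - 1)
    for s in sorted(reachable(trans, init)):
        if s[i] == "t":
            cex = af(trans, s, lambda u: u[i] == "c")
            if cex:
                return False, cex
    return True, None

# Slide 22 model: in t1t2 either process may win the race.
MODEL = {"n1n2": ["t1n2", "n1t2"], "t1n2": ["c1n2", "t1t2"], "c1n2": ["n1n2", "c1t2"],
         "t1t2": ["c1t2", "t1c2"], "c1t2": ["n1t2"], "n1t2": ["t1t2", "n1c2"],
         "n1c2": ["n1n2", "t1c2"], "t1c2": ["t1n2"]}
# FIFO fix (slide 24): t1t2 is split into two states that remember who asked first.
FIFO = {**MODEL, "t1n2": ["c1n2", "t1t2a"], "n1t2": ["t1t2b", "n1c2"],
        "t1t2a": ["c1t2"], "t1t2b": ["t1c2"]}     # old t1t2 is now unreachable
```

For the slide 22 model, liveness(MODEL, 1) returns the lasso t1c2 → t1n2 → t1t2 → t1c2, along which process 1 stays in t forever while process 2 keeps entering; for FIFO both processes satisfy Property 2.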
Model Checking
• Extensively used in verifying
  § Software
  § Security protocols
  § Telecommunication protocols
  § Digital hardware
  § Analog and mixed-signal circuits
  § Microprocessors
  § Biological systems
Model Checking
• Advantages
  § Automatic (push-button type analysis tools)
  § No proofs involved
  § Diagnostic counterexamples
• Disadvantages
  § Limited expressiveness
  § State-space explosion problem
• Some commonly used model checking tools
  § SPIN
  § NuSMV
  § PRISM (a probabilistic model checker)
Theorem Proving
(Figure: the System is expressed in Logic as a function and the Properties in Logic as a theorem; the Theorem Prover then produces formal proofs of the system properties)
Logic
• Study of drawing conclusions (reasoning)
• Propositional logic
  § Supports statements that can be true or false
• First-order logic (predicate logic)
  § Quantification over variables (∀: for all, ∃: there exists)
• Higher-order logic
  § Quantification over sets and functions
(Figure: Propositional Logic, First-Order Logic and Higher-Order Logic on a spectrum from less expressive (−) but decidable (+) to very expressive (+) but undecidable (−))
Theorem Prover
• A theorem prover consists of
  § A notation (syntax)
  § A small set of fundamental axioms (facts), e.g. (¬¬A) ⇔ A
  § A small set of deduction rules, e.g. given (A → B) and A, we can deduce B
• Soundness is assured as every new theorem must be created from
  § The basic axioms and primitive inference rules
  § Any other already proved theorems (theory files)
Theorem Proving - Example: Natural Log of Product
  val LN_MUL = store_thm("LN_MUL",
    (--`∀x y. 0 < x ∧ 0 < y ⇒ (ln (x * y) = ln x + ln y)`--),
    (* introduce x and y, move the two positivity hypotheses into the assumptions *)
    REPEAT GEN_TAC THEN STRIP_TAC THEN
    (* exp is injective, so it suffices to prove exp (ln (x * y)) = exp (ln x + ln y) *)
    ONCE_REWRITE_TAC[GSYM EXP_INJ] THEN
    (* rewrite the right-hand side to exp (ln x) * exp (ln y) *)
    REWRITE_TAC[EXP_ADD] THEN
    (* establish 0 < x * y, then cancel exp (ln t) = t for each positive t *)
    SUBGOAL_THEN (--`&0 < x * y`--) ASSUME_TAC THENL
    [MATCH_MP_TAC REAL_LT_MUL THEN ASM_REWRITE_TAC[],
     EVERY_ASSUM(fn th => REWRITE_TAC[ONCE_REWRITE_RULE[GSYM EXP_LN] th])]);

Theorems used in the proof:
  [EXP_INJ] ∀x y. (exp x = exp y) ⇔ (x = y)
  [EXP_ADD] ∀x y. exp (x + y) = exp x * exp y
  [EXP_LN]  ∀x. (exp (ln x) = x) ⇔ 0 < x
Theorem Proving
• Formalization of classical mathematical theories
  § Multivariable analysis
  § Euclidean geometry
  § Probability
  § Information
  § Fractional calculus
Theorem Proving
• Some significant formally verified theorems
  § Gödel's Incompleteness Theorem
  § The Impossibility of Trisecting the Angle and Doubling the Cube
  § Euler's Generalization of Fermat's Little Theorem
  § Fundamental Theorem of Integral Calculus
  § De Moivre's Theorem
  § Feuerbach's Theorem
  § The Solution of a Cubic
  § Minkowski's Fundamental Theorem
  § Pick's Theorem
  § Cramer's Rule
Theorem Proving
• System analysis
  § Compilers
  § Floating-point algorithms
  § Digital signal processing systems
  § Optical systems
  § Wireless sensor networks
  § Kinematic analysis of robots
Formal Verification
Significance of Assumptions
Theorem: Repairability of Stuck-at Faults
  ⊢ ∀ a b w. (0 ≤ a) ∧ (a ≤ 1) ∧ (0 ≤ b) ∧ (b ≤ 1) ∧
             (∀ n. (0 < w(n)) ∧ (w(n) < (a + b))) ∧
             (lim (λ n. 1 / (n · w(n))) = 0) ⇒
             (lim (λ n. P{s | (fst (num_of_faults n a b w s)) ≤ (a + b)·n}) = 1)
• May be guessed
  § We all know that probabilities need to be in the interval [0, 1]
• Not very straightforward
  § The theorem cannot be verified without these assumptions
Theorem Proving
• Advantages
  § High expressiveness
  § No risk of mistakes (human errors)
  § Some parts of the proofs can be automated
• Disadvantages
  § Detailed and explicit human guidance required for verifying real-world systems
  § The state of the art is limited
• Theorem proving tools
  § ACL2 (first-order logic)
  § Coq (higher-order logic)
  § HOL (higher-order logic)
Objectives
• Formal Verification
• Why do we need it?
  § Exact answers (useful for the analysis of safety-critical systems)
• What is it?
  § Mathematically reason about properties of a system using a computer-based tool
• How can we apply it for the analysis of real-world systems?
  § Mathematically model the system (implementation)
  § Mathematically model the desired properties (specification)
  § Use tool support to mathematically prove that the specification holds for your implementation
Conclusions
• Formal verification is not an alternative to simulation
  § Both techniques have to play together for a successful analysis framework
• Less critical sections of the system: simulation/testing
• Critical sections of the system that can be expressed as an FSM: model checking
• Critical sections of the system that cannot be handled by model checking: theorem proving
Thanks!
• For more information
  § Visit our website: http://save.seecs.nust.edu.pk
  § Contact: [email protected]