Are We There Yet? 20 Years of Formal Verification in Critical Software
Roderick Chapman, Principal Engineer, Altran UK
Agenda
• Our world…
• An opening thought…
• So why Formalize?
• Examples of FV in Software
• Encouraging signs…
• Homework
• A Closing Thought…
Our World – Critical Software
No defects please!
An Opening Thought…
Professor Martyn Thomas CBE: “Every software project uses Formal Methods…”
An Opening Thought…
Huh?
Why Bother with Formal Methods?
Thinking and Tooling exposes…
• Ambiguity…
• Contradiction…
• Incompleteness…
Thinking and Tooling enables…
#include "customer_call.h"
The Catch…
• What’s stopping us?
• Fear of maths?
• Snake-oil?
• Oversold promises in the 1980s?
• Something else?
• “Software is a fashion industry with delusions of grandeur” – Prof. Les Hatton, Author of “Safer C”
The Catch…
• Big problem – most “notations” that we deal with (mostly Programming Languages)…
• Are not formal or unambiguous…
• Are poorly defined…
• Contain hard-to-avoid features that are intrinsically hostile to sound and fast formal verification.
• e.g. undefined behaviour, pointers, un-disciplined use of concurrency etc.
The Catch… Quiz Time!
• Consider the following code in C or C++
int i;
int a[10] = { … }; /* initialize a fully */
i = … ; /* initialize i */
i = a[i++]; /* ??????? */
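The quiz line is unanswerable because C never says which of the two writes to i (the `++` and the assignment) happens last; the standard leaves the statement undefined, and `gcc -Wall` flags it under -Wsequence-point. The following C is an added example, not code from the slides: it spells out the two things a programmer could plausibly have meant, in two functions with hypothetical names, and adds the index-in-range check that a sound verifier such as the SPARK toolset would demand be proved before the array access. The sample array is constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Reading 1: the assignment "wins" and i ends up holding a[old_i].
   The caller supplies the array length so the index can be checked;
   the original `a[i++]` has no such guard. */
bool index_then_assign(int *i, const int *a, size_t n)
{
    int old = *i;
    if (old < 0 || (size_t)old >= n)   /* refuse instead of reading out of bounds */
        return false;
    *i = a[old];
    return true;
}

/* Reading 2: the increment "wins"; the looked-up value goes elsewhere
   and i simply advances to the next index. */
bool advance_after_lookup(int *i, const int *a, size_t n, int *out)
{
    int old = *i;
    if (old < 0 || (size_t)old >= n)
        return false;
    *out = a[old];
    *i = old + 1;
    return true;
}

/* Constructed sample data (hypothetical): a[k] = 50 + k, easy to read back. */
static const int sample[10] = {50, 51, 52, 53, 54, 55, 56, 57, 58, 59};

/* Runs reading 1 from the given start index; returns the final i,
   or -1 when the index was out of range and i was left untouched. */
int demo_index_then_assign(int start)
{
    int i = start;
    return index_then_assign(&i, sample, 10) ? i : -1;
}

typedef struct { int next_index; int value; } lookup_result;

/* Runs reading 2 from the given start index; next_index is -1 on refusal. */
lookup_result demo_advance_after_lookup(int start)
{
    lookup_result r = { -1, 0 };
    int i = start;
    if (advance_after_lookup(&i, sample, 10, &r.value))
        r.next_index = i;
    return r;
}
```

Neither reading is "the" meaning of the slide's line; the point is that a formal notation forces the author to pick one, and a sound tool then checks the index against the array bound on every path rather than trusting that `i` was "initialized" sensibly.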
Formal Languages?
• So are there any “properly formal” programming languages?
• Yes! An incomplete list…
• OCaml
• Scheme
• SPARK (the Ada subset, not Apache-SPARK)
• Eiffel
• JVM Bytecode
• All machine code (e.g. ARM ISA)
Formal Languages?
• What if we include specification or “modelling” languages? OK… then…
• SCADE (Lustre)
• B and Event-B
• CSP
• Subset(s) of MATLAB/Simulink
• Escher Perfect
• …and many more…
Formally Verified Software?
• Here are some examples of systems using formal software verification…
Encouraging Signs…
• Formal Methods tend to “disappear” as they become accepted… to the point where you don’t even know you’re using them…
• For example…
• Compiler optimization.
• Basic Static Code Analysis/Verification.
• Bounded Model Checking and Constraint Solving for test data generation.
Encouraging Signs…
• Security Changes Everything…
• Against a malicious and capable attacker, a “test it lots” verification approach will never be good enough.
• Finally, people are realizing that sound formal verification can deal with this, because a sound verification prevents all the bugs…
Homework Assignment 1…
Homework Assignment 2…
• Check out www.fbinfer.com
• Infer – Facebook’s static code analysis tool for C/C++/Java/Objective-C
A Closing Thought…
Professor Martyn Thomas CBE: “Every software project uses Formal Methods…”
Here’s a Formal Language that you all use
      MOV   R0, #1024
      MOV   R1, #0
      MOV   R2, #0x19000000
      ORR   R2, R2, #0x00990000
      ORR   R2, R2, #0x00009900
      ORR   R2, R2, #0x0000009A
      MOV   R3, #10
loop  UMULL R4, R5, R0, R2
      UMULL R4, R6, R5, R3
      SUB   R4, R0, R4
      ADD   R1, R1, R4
      MOVS  R0, R5
      BNE   loop
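Because the ARM ISA has a precise semantics, the loop above has exactly one meaning, and it can be modelled and checked. The C below is an added example, not code from the slides: it mirrors the loop instruction by instruction. The four MOV/ORR instructions build R2 = 0x1999999A, which is ceil(2^32 / 10), so the high word of UMULL R4,R5,R0,R2 is floor(R0 / 10); the next UMULL and SUB recover R0 mod 10, ADD accumulates it in R1, and MOVS/BNE repeat until the quotient is zero. The loop therefore sums the decimal digits of R0, giving 7 for the initial value 1024. The claim that the reciprocal trick is exact for all R0 below 2^30 is my own arithmetic (the rounding error 0.4 * n / 2^32 must stay below 0.1), not something the slide states; the function names are hypothetical.

```c
#include <stdint.h>

/* Model of UMULL R4,R5,R0,R2: R5 = high 32 bits of R0 * 0x1999999A,
   i.e. floor(n / 10) for n < 2^30 (bound is my own analysis, sufficient
   rather than tight). */
uint32_t div10_by_reciprocal(uint32_t n)
{
    const uint32_t magic = 0x1999999Au;   /* what MOV R2 + three ORRs assemble */
    return (uint32_t)(((uint64_t)n * magic) >> 32);
}

/* Model of the whole loop: returns R1, the sum of R0's decimal digits. */
uint32_t arm_digit_sum(uint32_t r0)
{
    uint32_t r1 = 0;                                /* MOV R1, #0 */
    do {
        uint32_t r5 = div10_by_reciprocal(r0);      /* UMULL R4,R5,R0,R2 */
        uint32_t r4 = r5 * 10u;                     /* UMULL R4,R6,R5,R3 (low word) */
        r4 = r0 - r4;                               /* SUB R4,R0,R4: remainder */
        r1 += r4;                                   /* ADD R1,R1,R4 */
        r0 = r5;                                    /* MOVS R0,R5 sets the Z flag */
    } while (r0 != 0);                              /* BNE loop */
    return r1;
}

/* Reference using ordinary division, to check the model against. */
uint32_t naive_digit_sum(uint32_t n)
{
    uint32_t s = 0;
    do { s += n % 10u; n /= 10u; } while (n != 0);
    return s;
}

/* Sweeps n over [0, limit) in steps and confirms the reciprocal division
   agrees with n / 10; returns 1 on agreement, 0 on the first mismatch. */
int reciprocal_matches_division(uint32_t limit, uint32_t step)
{
    for (uint32_t n = 0; n < limit; n += step)
        if (div10_by_reciprocal(n) != n / 10u)
            return 0;
    return 1;
}
```

The same reasoning a verification tool would perform is visible here: the model is an exact transcription of the instruction semantics, and the reference function is the specification; a sweep (or, with a prover, a proof over the whole input range) establishes that the clever multiply-by-reciprocal sequence really is division by ten.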
A Closing Thought…
The big question is not if to use Formal Methods, but when to start…
References
• R. Chapman and F. Schanda, “Are we there yet? 20 years of industrial theorem proving with SPARK.” Invited Keynote Paper, Proceedings of Interactive Theorem Proving (ITP) 2014. Springer-Verlag LNCS Vol. 8558, pp. 17-26.
• Full details, data, and references for SHOLIS, C130J, Tokeneer, iFACTS projects, and how SPARK developed over the years.
• PDF available from me:
Questions…