Computer Aided Verification, Lecture 1 (slides: sl/teaching/15_16/WWK/SLAJDY/..., 24 February 2016)
COMPUTER AIDED VERIFICATION
Sławomir Lasota, University of Warsaw
LECTURE 1: Overview of formal verification
Wednesday, 24 February 16
PLAN
• Motivation (famous bugs)
• Motivation (success stories)
• Formal verification:
• interactive (proving correctness)
• approximation (static analysis)
• abstraction (model checking)
• Brief history of formal verification
Famous bugs
THE FIRST BUG...
1947, Harvard Mark II computer logbook
...was a moth :)
MARINER 1
July 1962
• period instead of comma in Fortran source code
• estimated cost: 18.5 mln $
(hypothesis)
THERAC-25
1985-87
• race condition
• at least 6 victims
PATRIOT MISSILE
February 1991
• inaccurate calculation of time due to arithmetic rounding (drift by one third of a second over a period of one hundred hours)
• failed to track and intercept an incoming enemy Scud missile
• 28 soldiers killed, around 100 injured
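The rounding drift quoted on the Patriot slide can be reproduced exactly with rational arithmetic. The Python script below is an added example, not part of the lecture; it assumes, as in the public analyses of the incident, that the system counted time in 0.1 s ticks and stored the constant 0.1 as a binary fixed-point number with 23 fractional bits, truncated rather than rounded. The function names are mine. Under those assumptions the truncation error of a single tick is about 9.5e-8 s and the accumulated error after 100 hours is about 0.34 s, the "one third of a second" on the slide.

```python
from fractions import Fraction

# Constructed parameters (assumptions stated in the text above): the clock advanced
# in 0.1 s ticks, and the constant 0.1 was stored as a binary fixed-point number
# with 23 fractional bits, truncated rather than rounded.
TICK = Fraction(1, 10)
FRACTION_BITS = 23


def truncated_fixed_point(value, bits):
    """`value` truncated to a fixed-point number with `bits` fractional bits,
    i.e. the largest multiple of 2**-bits that does not exceed it."""
    scale = 2 ** bits
    return Fraction(int(value * scale), scale)  # int() drops the remaining bits


def per_tick_error(bits=FRACTION_BITS, tick=TICK):
    """Exact representation error of one tick: the true tick length minus
    the value the register actually holds."""
    return tick - truncated_fixed_point(tick, bits)


def drift_seconds(hours, bits=FRACTION_BITS, tick=TICK):
    """Accumulated clock error after `hours` of continuous operation: the
    per-tick error times the number of ticks counted in that period."""
    ticks = Fraction(hours * 3600) / tick
    return ticks * per_tick_error(bits, tick)


if __name__ == "__main__":
    print(f"stored 0.1 = {float(truncated_fixed_point(TICK, FRACTION_BITS)):.12f}")
    print(f"error per tick = {float(per_tick_error()):.3e} s")
    for h in (1, 8, 20, 100):
        print(f"after {h:3d} h of uptime: clock drift = {float(drift_seconds(h)):.3f} s")
```

Computing with Fraction rather than float matters here: the quantity being measured is itself the representation error of a binary encoding, and a floating-point evaluation would mix in its own rounding. The drift grows linearly with uptime, which is why a system that passes a short test can still fail after days of continuous operation.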
PENTIUM FDIV BUG
October 1994
• floating point division operation occasionally yields incorrect result
ARIANE 5 FLIGHT 501
June 1996
• conversion from 64-bit to 16-bit format, at less than one minute after launch
• estimated cost: 600 mln euro
MARS CLIMATE ORBITER AND MARS POLAR LANDER
• launched in December 1998 and January 1999
• estimated cost: 327 mln $
Mars Climate Orbiter, September 1999:
• different units (pound, kg) used in different software components
• discrepancy between the planned trajectory and the actual one
Mars Polar Lander, December 1999:
• software incorrectly interpreted vibrations as surface touchdown (hypothesis)
CODE RED
July 2001
• buffer overflow in Microsoft Internet Information Server
• estimated cost: 2.5 billion $
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
NORTHEAST BLACKOUT
August 2003
• bug in the alarm system
• operators unaware of overload
• race condition in the controlling software
• local blackout cascaded to a massive global one
• 50 mln people affected
HEARTBLEED
April 2014
• buffer over-read in the OpenSSL cryptography library
• leakage of keys
• violation of confidentiality
SUMMARY
• bugs are costly ...
• ... and often unacceptable (safety-critical systems)
• formal verification may help to decrease the number of bugs
• testing proves the presence of bugs, while formal verification (sometimes) proves their absence
Success stories
SOFTWARE SUCCESS STORY
• 85% of system crashes of Windows XP caused by bugs in third-party kernel-level device drivers (2003)
• one of the reasons is the complexity of the Windows drivers API
• SLAM: automatically checks device drivers for certain correctness properties with respect to the Windows device drivers API
• now part of the Windows Driver Development Kit, a toolset for driver developers
verification of coders ;)
we model-check coders
Assignment: compute equilibrium point
Solution:
counterexample: {230, 0, 230}
How is it possible? Due to the symbolic approach!
Formal verification
A POSTERIORI VERIFICATION
✔ ✘
automatically!
RESTRICTION
✔ ✘
every non-trivial question is undecidable!
METHOD 1: INTERACTIVE (proving correctness)
✔ ✘
METHOD 2: APPROXIMATION (static analysis)
surely ✔ possibly ✘
METHOD 3: ABSTRACTION (model checking)
RESTRICTIONS
• Method 1 (interactive): substantial human effort needed
• Method 2 (approximation): false alarms
• Method 3 (abstraction): the model is verified, not the system itself
MOTTO
Formal verification aims not at developing correct computer systems ...
... but at providing more rigorous methodologies yielding better reliability of designed systems.
- standard software: 25 bugs per 1000 LOC
- good software: 2 bugs per 1000 LOC
- spacecraft software: <1 bug per 10000 LOC
VERIFICATION VS VALIDATION
✔ ✘
validation: do we build the right thing?
verification: do we build the thing right?
Method 1: Interactive
PROVING CORRECTNESS
proof obligations → proof assistant tool → proof?
automatically or interactively
EXAMPLE - HOARE LOGIC
{ a = m ∧ b = n }
c := 0;
while ( b > 0 )
    while ( even(b) )  a := a+a; b := b>>1;
    b := b-1; c := c+a;
{ c = m*n }
invariant: c + a*b = m*n
proof obligations, e.g.: c + a*b = m*n ∧ not even(b) ⇒ c+a + a*(b-1) = m*n
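The decorated program from the Hoare logic slide can be turned into executable code whose decorations are checked at run time. The Python below is an added example, not code from the lecture: multiply() runs the slide's algorithm and asserts the invariant c + a*b = m*n at every loop head and the postcondition at exit, obligation_holds() evaluates the slide's proof obligation on one concrete valuation, and exhaustive_check() runs the instrumented program over a bounded range of inputs. The function names are mine, and the precondition n ≥ 0 is my addition: the program as written never enters its loop for a negative n, so the triple only holds for naturals.

```python
def even(b):
    return b % 2 == 0


def multiply(m, n):
    """The slide's program with its decorations executed as assertions:
    precondition {a = m ∧ b = n}, invariant c + a*b = m*n at every loop head,
    postcondition {c = m*n}.  Assumption (mine): n >= 0, the program is meant
    for naturals and never enters the loop for a negative n."""
    assert n >= 0, "precondition: b = n must be a natural number"
    a, b, c = m, n, 0                       # { a = m ∧ b = n }  c := 0
    invariant = lambda: c + a * b == m * n  # reads the current a, b, c
    assert invariant()
    while b > 0:
        assert invariant()                  # outer loop head
        while even(b):                      # b > 0 here, so halving terminates
            assert invariant()              # inner loop head
            a, b = a + a, b >> 1
        b, c = b - 1, c + a
    assert invariant() and b == 0
    assert c == m * n                       # { c = m*n }
    return c


def obligation_holds(c, a, b, m, n):
    """The slide's proof obligation for the step  b := b-1; c := c+a,
    evaluated on one concrete valuation:
        c + a*b = m*n ∧ not even(b)  ⇒  (c+a) + a*(b-1) = m*n"""
    antecedent = (c + a * b == m * n) and not even(b)
    consequent = (c + a) + a * (b - 1) == m * n
    return (not antecedent) or consequent


def exhaustive_check(limit):
    """Run the instrumented program on every pair 0 <= m, n < limit; any
    violated decoration raises.  Returns the number of pairs checked."""
    count = 0
    for m in range(limit):
        for n in range(limit):
            multiply(m, n)
            count += 1
    return count


if __name__ == "__main__":
    print(multiply(6, 7))                   # 42
    print("pairs checked:", exhaustive_check(40))
```

Running exhaustive_check(40) exercises the invariant on 1600 inputs and finds no violation, but that is testing and can only show the presence of bugs. The obligation is discharged for all values at once only by the algebra c+a + a*(b-1) = c + a*b, which is what a proof assistant does symbolically; that is the distinction the SUMMARY slide draws between testing and formal verification.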
PROVING CORRECTNESS - CHARACTERISTIC PROPERTIES
• we analyze decorated source code
• typically only partial automation is possible
• typically substantial engagement of a human expert is necessary
• applicable to small-scale systems
• parametrization/generalization
PIONEERS
Edsger Dijkstra, C.A.R. Hoare, Robert Floyd
Method II: Approximation
STATIC ANALYSIS
static analyzer: surely ✔ / possibly ✘
STATIC ANALYSIS - CHARACTERISTIC PROPERTIES
• we analyze source code (control flow diagram)
• approximate analysis - false alarms (false positives)
• typically oriented towards specific properties
• fully automatic
• applicable to large-scale systems
STATIC ANALYSIS - APPLICATIONS
• compiler optimization
• source code quality estimation
• program verification
STATIC ANALYSIS - METHODS
• data flow analysis
• control flow analysis
• type analysis
• shape analysis
• ...
• abstract interpretation
STATIC ANALYSIS - EXAMPLE: "REACHING" ASSIGNMENTS
[Nielson, Nielson, Hankin 2005]
• execution in an abstract domain
• we formalize the problem as a set of equations
• the least solution
• iterative algorithm
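The equations, their least solution and the iterative algorithm named on the "reaching" assignments slides, as an added example written for this page (it is neither the book's nor the lecture's code). It follows the reaching-definitions analysis of Nielson, Nielson and Hankin: a program is a set of labelled elementary blocks, RD_entry(l) and RD_exit(l) are sets of pairs (variable, label of the assignment) with "?" standing for "no assignment yet", and the sets are grown from empty until nothing changes, which yields the least solution. The Block type and the function names are mine; the first program is the book's factorial example and the second is a constructed program that shows the "surely ✔ / possibly ✘" nature of the analysis: the use of y at label 4 is reported as possibly uninitialised although both tests are identical and no real execution reaches label 4 with y unassigned.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

UNDEF = "?"   # the book's marker for "no assignment seen yet"


@dataclass(frozen=True)
class Block:
    defines: Optional[str]       # variable assigned by this elementary block, None for a test
    uses: FrozenSet[str]         # variables read by the block
    succs: Tuple[int, ...]       # labels control may flow to next


def reaching_definitions(blocks: Dict[int, Block], entry: int):
    """Least solution of the reaching-definitions equations
         RD_entry(l) = {(x,?) | x in Var} if l is the entry label, joined with
                       the union of RD_exit(l') over all predecessors l' of l
         RD_exit(l)  = (RD_entry(l) minus kill(l)) union gen(l)
    computed by chaotic iteration upward from the empty sets."""
    variables = {b.defines for b in blocks.values() if b.defines}
    variables |= {v for b in blocks.values() for v in b.uses}
    preds = {l: [] for l in blocks}
    for l, b in blocks.items():
        for s in b.succs:
            preds[s].append(l)
    rd_entry = {l: set() for l in blocks}
    rd_exit = {l: set() for l in blocks}
    changed = True
    while changed:                       # terminates: sets only grow in a finite lattice
        changed = False
        for l, b in blocks.items():
            new_entry = {(v, UNDEF) for v in variables} if l == entry else set()
            for p in preds[l]:
                new_entry |= rd_exit[p]
            gen = {(b.defines, l)} if b.defines else set()
            new_exit = {d for d in new_entry if d[0] != b.defines} | gen   # kill, then gen
            if new_entry != rd_entry[l] or new_exit != rd_exit[l]:
                rd_entry[l], rd_exit[l] = new_entry, new_exit
                changed = True
    return rd_entry, rd_exit


def possibly_uninitialised_uses(blocks, entry):
    """Every (label, variable) where the analysis cannot rule out a read before
    any assignment: sound (no real case is missed) but may raise false alarms,
    because the equations ignore which paths are actually feasible."""
    rd_entry, _ = reaching_definitions(blocks, entry)
    return sorted((l, v) for l, b in blocks.items() for v in b.uses
                  if (v, UNDEF) in rd_entry[l])


# The book's running example: [y:=x]1; [z:=1]2; while [y>1]3 do ([z:=z*y]4; [y:=y-1]5); [y:=0]6
FACTORIAL = {
    1: Block("y", frozenset({"x"}), (2,)),
    2: Block("z", frozenset(), (3,)),
    3: Block(None, frozenset({"y"}), (4, 6)),
    4: Block("z", frozenset({"z", "y"}), (5,)),
    5: Block("y", frozenset({"y"}), (3,)),
    6: Block("y", frozenset(), ()),
}

# Constructed program: if [x>0]1 then [y:=1]2; if [x>0]3 then [z:=y]4
# Label 4 is only reached when y was assigned, but the analysis cannot see that.
PATH_INSENSITIVE = {
    1: Block(None, frozenset({"x"}), (2, 3)),
    2: Block("y", frozenset(), (3,)),
    3: Block(None, frozenset({"x"}), (4,)),
    4: Block("z", frozenset({"y"}), ()),
}

if __name__ == "__main__":
    entry_sets, _ = reaching_definitions(FACTORIAL, 1)
    for label in sorted(entry_sets):
        print(label, sorted(entry_sets[label], key=str))
    print("possibly uninitialised:", possibly_uninitialised_uses(PATH_INSENSITIVE, 1))
```

For the factorial program the fixpoint reports that both (y,1) and (y,5), and both (z,2) and (z,4), reach the loop test at label 3, while the only uninitialised read is x at label 1, the program's input. For the second program the report (4, "y") is a false alarm of exactly the kind the RESTRICTIONS slide attributes to approximation: the answer "possibly ✘" is safe but not precise.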
Method III: Model checking
MODEL CHECKING
model checker: ✔ or counterexample (error)
MODEL CHECKING
• finite-state model M - the system's possible behaviour
• property Φ - the system's admissible behaviour, expressed in a temporal logic
• automatically check: M satisfies Φ
TYPICAL TEMPORAL PROPERTIES
• safety: all reachable states satisfy ϕ
• liveness: eventually ϕ is satisfied
• fairness: ϕ is satisfied infinitely often
TURING AWARD 2007
środa, 24 lutego 16
![Page 77: New COMPUTER AIDED VERIFICATION LECTURE 1sl/teaching/15_16/WWK/SLAJDY/... · 2016. 2. 24. · static analyzer possibly środa, 24 lutego 16. STATIC ANALYSIS - CHARACTERISTIC PROPERTIES](https://reader033.vdocuments.us/reader033/viewer/2022052103/603d58d373987328ca565cc0/html5/thumbnails/77.jpg)
TURING AWARD 2007
Ed Clarke Allen Emerson Joseph Sifakis
środa, 24 lutego 16
![Page 78: New COMPUTER AIDED VERIFICATION LECTURE 1sl/teaching/15_16/WWK/SLAJDY/... · 2016. 2. 24. · static analyzer possibly środa, 24 lutego 16. STATIC ANALYSIS - CHARACTERISTIC PROPERTIES](https://reader033.vdocuments.us/reader033/viewer/2022052103/603d58d373987328ca565cc0/html5/thumbnails/78.jpg)
TURING AWARD 2007
Ed Clarke, Allen Emerson, Joseph Sifakis
Turing awards 1972, 1978, 1980
MODEL CHECKING - CHARACTERISTIC PROPERTIES
• model of a system (graph of states and transitions)
• analysis of a model via exhaustive state-space exploration
• requirement specification = temporal formula
• (almost) fully automatic
• applicable to small-size models
• in case of a negative answer, diagnostic information: a counterexample
FROM SYSTEM TO MODEL
• not always fully automatic
• appropriate choice of abstraction level is crucial
WHAT KIND OF MODEL?
• functional (relational): input/output
• reactive:
• interaction with environment
• maybe non-terminating
MODEL = CONTROL + INTERACTION
• no complex data structures and computations on them
• abstract (nondeterminism)
• compositional
• concurrency, internal interaction among components (nondeterminism)
STATE SPACE
• local state =
• control point +
• valuation of variables +
• content of communication channels +
• ...
• global state = local states of components + ...
STATE-SPACE EXPLOSION
COMPARISON
• interactive verification
• approximate verification
• abstraction-based verification
Criteria shown on the comparison slide: efficiency, precision, concurrency, full automatization, state-space explosion, human's work, false alarms, parametrization, hardware, source code.
History
PREHISTORY
• Goldstine, v. Neumann (1947), Turing (1949): diagrams, assertions
• Floyd (1967), Hoare (1969), Dijkstra (1976)
• Pratt, Harel (1976-79): dynamic logic of programs
• Owicki, Gries (1976): Hoare’s logic for concurrent programs
• Kamp (1968): LTL, Pnueli (1977): application in verification (Turing award 1996)
• 1970s: static analysis in compiler optimization
• (1979) lint - static analysis of C programs
• (1971) Boyer-Moore theorem prover
HISTORY (1980s)
• Clarke, Emerson (1980), Ben-Ari, Manna, Pnueli (1981): CTL*
• Clarke, Emerson (1981), Queille, Sifakis (1982): invention of model checking
• EMC: tens of thousands of states
• 1980s: proof assistants, applications in verification:
• Boyer-Moore, Isabelle, HOL, PVS, Coq, Mizar, ...
HISTORY (1990s)
• Clarke, McMillan, and others (1988-1990): symbolic model checking based on OBDDs
• SMV: 10^20 ... 10^50 states (circuits)
• (1994-95) commercial tools:
• model checkers, proof assistants
• Clarke, Biere and others (1998-99): bounded model checking based on SAT
• Valmari, Peled, Godefroid (1990-1994): partial order reductions
HISTORY (2000s)
• development of methods based on SAT and SMT
• software model checking (abstractions)
• tools (examples for C and Java):
• proving correctness: ESC/Java2, KeY
• static analysis: FindBugs, PMD, Splint, Coverity, SLAM
• model checking: CBMC, Java Pathfinder, Bandera, Bogor, BLAST, Magic
• timed and probabilistic systems
APPLICATION AREAS OF MODEL CHECKING
• hardware (NuSMV)
• protocols, system software, drivers (Spin)
• software (CBMC)
• time-dependent systems (UPPAAL)
• probabilistic systems (PRISM)
• systems biology (PRISM)
BOUNDARIES
• frontiers between approaches are not rigid
• combining model checking with static analysis and with correctness proving
• initial (light) static analysis preceding (heavy) model checking
• model checking as correctness proving, or as static analysis
The following lectures
FUNDAMENTALS OF MODEL CHECKING
• temporal logics: LTL, CTL, CTL*
• LTL model checking via translation to omega-automata
• partial order reductions for LTL
• CTL symbolic model checking using OBDDs
• LTL bounded model checking using SAT
• abstractions, CEGAR
WHAT IS NOT COVERED?
• tuning general methodologies to specific application domains
• inclusion of formal verification into the development cycle of computer systems
• verification process management
• applications to realistic systems
• heuristics for efficiency
• ...
OTHER APPROACHES
• dynamic analysis of programs
• testing/simulations, test coverage measures
• source code quality metrics (code quality management)
• source code audit
• correct by design: systematic construction of correct systems
• ...
PREREQUISITES
• logic, set theory (e.g. fixed-point theorems)
• automata theory
• models of concurrent systems
• graph algorithms