Automatic Verification: Model Checking (transcription of lecture slides by Sérgio Campos)
[Slide 1/32] Automatic Verification: Model Checking
Sérgio Campos

[Slide 2/32] Why?
Imagine the implementation of a complex hardware or software system:
- A 100K gate ASIC, perhaps 100 concurrent modules;
- A flight control system, dozens of concurrent processes in multiple CPUs.
Under test the system fails approximately every 3 days.
- Failures are not repeatable: race conditions;
- Internal signals are hard to watch;
- Too much data;
- Heisenbug.
The reason could be: x and y happen simultaneously every ... times. Assumed mutual exclusion.

[Slide 3/32] This course will be about:
- Not testing, not simulation...
- No manual proofs...
- Formal: guaranteed results whenever possible, knowing when not possible (not AI).
- Model checking. Mostly.
Clarke, E., Grumberg, O., Peled, D. The MIT Press.

[Slide 4/32] A trivial example:
Process A: x++;
Process B: x--;
These errors can be prevented by good practice: semaphores, monitors, etc.
But other errors can be more subtle...
[Slide 5/32] Verification
Consider an air traffic control system:
- Processes communicate using shared memory.
- Priority order: Sensor (most important); Analyzer; Reporter.

[Slide 6/32] Verification
Sensor may never be blocked. But the events below cause priority inversion:
(diagram)

[Slide 7/32] Verification
What if the Analyzer decides to run? The Analyzer does not see Sensor, and blocks Reporter indefinitely.
(diagram)

[Slide 8/32] Verification
It happened: in Mars NASA Pathfinder, 1997.
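The Sensor / Analyzer / Reporter scenario replayed on a tiny preemptive fixed-priority scheduler, as an added example (not code from the course). The task programs, release times and the single shared mutex are constructed for the illustration; the run with a priority-inheritance mutex is added as the standard mitigation, which the slides do not cover:

```python
"""Priority inversion, replayed on a tiny preemptive fixed-priority scheduler.

Added example for the Sensor / Analyzer / Reporter scenario; this is not code
from the course. Task programs and release times below are constructed."""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    priority: int      # larger number = more important
    release: int       # tick at which the task first becomes ready
    program: list      # sequence of "lock", "work", "unlock" steps
    pc: int = 0        # index of the next step to execute
    done: bool = False


def scenario():
    """Reporter (lowest priority) grabs the shared mutex first; Sensor (highest)
    then needs the same mutex; Analyzer (middle) becomes ready while Reporter
    still holds it. Fresh Task objects each call, since simulate() mutates them."""
    return [
        Task("Reporter", 1, release=0, program=["lock", "work", "work", "work", "unlock", "work"]),
        Task("Sensor",   3, release=1, program=["lock", "work", "unlock"]),
        Task("Analyzer", 2, release=2, program=["work", "work", "work", "work"]),
    ]


def simulate(tasks, priority_inheritance=False, max_ticks=50):
    """One step of one task per tick, highest effective priority first.
    Returns (trace, inversions): trace is [(tick, running task)], inversions the
    ticks at which the top-priority task waited for the mutex while a task that
    neither held it nor was the top task ran, i.e. the priority-inversion signature."""
    holder = None                                   # task currently owning the mutex
    effective = {t.name: t.priority for t in tasks}
    top = max(tasks, key=lambda t: t.priority)
    trace, inversions = [], []

    def waiting(t):                                 # next step is "lock" but someone else holds it
        return t.program[t.pc] == "lock" and holder is not None and holder is not t

    for tick in range(max_ticks):
        ready = [t for t in tasks if t.release <= tick and not t.done]
        if not ready:
            break
        if priority_inheritance and holder is not None:
            # Mutex holder temporarily runs at the priority of its highest waiter.
            waiters = [t.priority for t in ready if waiting(t)]
            effective[holder.name] = max([holder.priority] + waiters)
        runnable = [t for t in ready if not waiting(t)]
        cur = max(runnable, key=lambda t: effective[t.name])
        trace.append((tick, cur.name))
        if top in ready and waiting(top) and cur is not holder:
            inversions.append(tick)
        step = cur.program[cur.pc]
        if step == "lock":
            holder = cur
        elif step == "unlock":
            holder = None
            effective[cur.name] = cur.priority      # drop any inherited priority
        cur.pc += 1
        cur.done = cur.pc == len(cur.program)
    return trace, inversions


def sensor_finish_tick(trace):
    """Tick at which Sensor executed its last step."""
    return max(tick for tick, name in trace if name == "Sensor")


if __name__ == "__main__":
    for pi in (False, True):
        trace, inv = simulate(scenario(), priority_inheritance=pi)
        print(f"priority inheritance={pi}: inversion ticks={inv}, "
              f"Sensor done at tick {sensor_finish_tick(trace)}")
```

Without inheritance the Analyzer runs for four ticks while the Sensor is stuck behind the Reporter's lock; nothing in the Analyzer's code refers to the Sensor, which is why the fault is invisible when reading either process in isolation. With inheritance the Reporter is lifted to the Sensor's priority for as long as it holds the mutex, so it finishes its critical section before the Analyzer gets the CPU.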
[Slide 9/32] Pentium FDIV: SRT Division Circuit
Recurrence:
  P_0 = dividend
  P_{j+1} = r P_j - q_{j+1} * divisor
  Q_{j+1} = r Q_j + q_{j+1}
(diagram)

[Slide 10/32] SRT Division Circuit
Quotient Logic: the table was compressed to remove unreachable entries. Reachable entries were considered unreachable and removed. This caused an error only for operands that try to use those entries. Rare, but it sure happens. And it cost them US$500M.

[Slide 11/32] Radiotherapy
Between 1985 and 1986 the radiotherapy machine massively overdosed 6 patients, causing 2 deaths and severely worsening the other patients' conditions.
Two modes of operation. After entering patient data, it is possible to edit this data. In some cases this causes a change in mode of operation, from x-ray to electron mode.

[Slide 12/32] Radiotherapy
Error caused by:
- Race conditions in accessing shared variables.
- No hardware interlock: in this case, a pin holding the filter in place. The previous machine had a hardware interlock, but it was removed from the ...
- They used the same software, and they considered the software correct.
[Slide 13/32] Ariane 5
On June 4, 1996, the rocket was launched for its first flight test. 37 seconds after launch, it veered off its trajectory and was self-destructed.
The error:
- Software reused from Ariane 4. But the previous rocket was much less powerful.
- Navigation software detected a much stronger change in course than expected, and the software that handled it overflowed.
One of the most expensive bugs in history: 10 years of development at a cost of US$ 7 billion.

[Slide 14/32] Unknown Incident...
  #define three 3
  ...
  three++;
  ...
  a = a + three;

[Slide 15/32] What can be done?
Simulation and testing are problematic. We will consider a mathematical approach. It requires:
- A model of the system as a mathematical object. The model represents formally: program state; transition relation.
- A specification method for expressing properties such as: "A req is always followed by an ack".
- A proof method to show that the model satisfies the properties.

[Slide 16/32] Proving can be done:
- by hand;
- semi-automatic: user suggests a proof that is machine checked;
- fully automatic.
[Slide 17/32] I object!
- Proofs are about the models, not the systems;
- Specs are subject to error and incompleteness;
- The software that generates proofs can be buggy;
- Computer proofs are unreadable.
Not really... Let's put aside mathematical certainty as our first goal:
- We can use formal methods as a methodology that helps produce more reliable systems.
- Even hand proofs are likely to produce better programs.
- Increased automation makes them even better.

[Slide 18/32] The Real Problem
Real systems are several orders of magnitude larger than what can be handled. A simple program can have 10 integer variables = 320 boolean variables; that's 2^320 configurations (compare with the number of atoms in the universe).
Can we do non-trivial things?
- Automation: fully automated methods help.
- Efficiency: e.g. with BDDs we've gone from 10^5 states to ... overnight.
- Compositional reasoning: divide into simpler subsystems and verify them.

[Slide 19/32] A Selective History
Early 1960s: Program proving suggested by a few visionaries (McCarthy, Dijkstra).
Late 1960s: Software crisis declared at the NATO conference on Software Engineering.
Floyd's method for flow charts:
- Label each control point with invariant assertions.
- Proof: all assertions preserved by program transitions.
- This proves partial correctness (if the program terminates, the result is correct).

[Slide 20/32] Late 1960s: Hoare logic, a structured approach
Hoare triple {P} S {Q}: if P holds and S terminates, then Q holds.
Axiom for assignment: {P[f/x]} x := f {P}. Example: {y >= 0} x := y {x >= 0}.
Compositional rules:
- Sequential composition: from {P1} S1 {P2} and {P2} S2 {P3} infer {P1} S1; S2 {P3}.
- While loop: from {P ∧ B} S {P} infer {P} while B do S {P ∧ ¬B}.
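An added example (not from the course) of the assignment axiom, the sequential-composition rule and the while rule above, applied to a small loop: predicates are Python functions over a state dict, the assignment axiom {P[f/x]} x := f {P} is implemented as the substitution it denotes, and each proof obligation of the while rule is checked by enumeration over a constructed bounded domain. The summation loop, its invariant and the domain bounds are assumptions of the example:

```python
"""Discharging Hoare-logic proof obligations on a bounded domain.

Added example, not from the course. Predicates are Python functions over a
state dict; the assignment axiom {P[f/x]} x := f {P} is implemented as the
substitution it denotes. The loop program and its invariant are constructed."""
from itertools import product


def wp_assign(var, expr, post):
    """Assignment axiom: the weakest precondition of x := f w.r.t. P is P[f/x]."""
    return lambda st: post({**st, var: expr(st)})


def wp_seq(assignments, post):
    """Sequential composition rule applied right-to-left over a list of (var, expr)."""
    for var, expr in reversed(assignments):
        post = wp_assign(var, expr, post)
    return post


def implies(domain, hyp, concl):
    """Bounded check of hyp => concl; returns a counterexample state or None."""
    for st in domain:
        if hyp(st) and not concl(st):
            return st
    return None


def check_while(domain, pre, init, inv, guard, body, post):
    """The three obligations for {pre} init; while guard do body {post}:
       established: pre => wp(init, inv)
       preserved:   inv and guard => wp(body, inv)      (premise of the while rule)
       exit:        inv and not guard => post           (conclusion of the while rule)
    Each entry holds a counterexample state, or None when the obligation holds."""
    return {
        "established": implies(domain, pre, wp_seq(init, inv)),
        "preserved": implies(domain, lambda st: inv(st) and guard(st), wp_seq(body, inv)),
        "exit": implies(domain, lambda st: inv(st) and not guard(st), post),
    }


# Constructed bounded domain: every state with small non-negative s, i, n.
DOMAIN = [{"s": s, "i": i, "n": n} for s, i, n in product(range(40), range(9), range(9))]

# {n >= 0} s := 0; i := 0; while i < n do (s := s + i; i := i + 1) {s = n(n-1)/2}
SUM_PROGRAM = dict(
    pre=lambda st: st["n"] >= 0,
    init=[("s", lambda st: 0), ("i", lambda st: 0)],
    inv=lambda st: st["s"] == st["i"] * (st["i"] - 1) // 2 and 0 <= st["i"] <= st["n"],
    guard=lambda st: st["i"] < st["n"],
    body=[("s", lambda st: st["s"] + st["i"]), ("i", lambda st: st["i"] + 1)],
    post=lambda st: st["s"] == st["n"] * (st["n"] - 1) // 2,
)

# Same program with the bound i <= n dropped from the invariant: too weak to
# give the postcondition on exit, so the "exit" obligation reports a state.
WEAK_INVARIANT = {**SUM_PROGRAM, "inv": lambda st: st["s"] == st["i"] * (st["i"] - 1) // 2}


def slide_example():
    """{y >= 0} x := y {x >= 0} from the slides, checked via the assignment axiom."""
    states = [{"x": x, "y": y} for x, y in product(range(-5, 6), repeat=2)]
    return implies(states, lambda st: st["y"] >= 0,
                   wp_assign("x", lambda st: st["y"], lambda st: st["x"] >= 0))


if __name__ == "__main__":
    print("assignment example counterexample:", slide_example())
    print("sum loop:", check_while(DOMAIN, **SUM_PROGRAM))
    print("sum loop, weak invariant:", check_while(DOMAIN, **WEAK_INVARIANT))
```

Enumeration only establishes the obligations for the states in DOMAIN; a real proof discharges them for all states, by hand or with a prover, which is the distinction the slides draw between hand, semi-automatic and fully automatic proving. The weakened invariant shows the typical failure: it is established and preserved, yet the exit obligation fails, so partial correctness does not follow.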
[Slide 21/32] Late 1960s: Hoare logic, a structured approach
The proof follows the program structure:
1. Prove properties of program components;
2. Combine properties using inference rules.
First example of a compositional approach.

[Slide 22/32] 1970s: Proofs of concurrent programs (Owicki-Gries)
Difficult to identify control points: one for each process. Suggested a compositional system for concurrent programs:
- Data shared only through resources.
- Critical sections to access resources.
- Resource invariant I(r).
Triple {P} S {Q} means that if P is true initially, then:
1. Finally (if S terminates) Q;
2. I(r) is preserved while S is in critical sections.
Coroutine rule: from {P1} S1 {Q1} and {P2} S2 {Q2} infer {I(r) ∧ P1 ∧ P2} S1 ∥ S2 {I(r) ∧ Q1 ∧ Q2}.
Auxiliary variables added to aid in stating invariants.

[Slide 23/32] 1970s
Large amount of work done on:
- Axiomatizing various languages and constructs, e.g. procedure calls, assignments to arrays, etc.
- Automating proofs: notably, the Boyer-Moore prover can automatically prove correctness of some recursively defined LISP functions (e.g. APPEND), without the user having to suggest an invariant.

[Slide 24/32] Late 1970s: Temporal logic and reactive systems
Partial correctness and termination are not adequate abstractions of concurrent processes.
Notion of a reactive system: interacts with its environment without terminating (Pnueli).
Examples of reactive systems: control/operating systems; communication protocols; hardware.
[Slide 25/32] Late 1970s: Temporal logic and reactive systems
Need to be able to state and prove properties of execution sequences:
- If P is scheduled infinitely often, it eventually produces an output (liveness).
- If P sends a message, then it won't send another message until it receives an ack (safety).

[Slide 26/32] Late 1970s: Temporal Operators
- G p = Globally p
- F p = Eventually p
- X p = At the next time p
Example: G F scheduled(p) → F terminated(p): if p is always eventually scheduled, it eventually terminates.
Temporal logic allows us to reason compositionally about parallel programs, as Hoare logic allows us to reason about sequential ones. However, this does not mean that it is easy: e.g., Hailpern provides a 15 page proof of the correctness of a nearly trivial protocol (the ABP).

[Slide 27/32] Late 1970s: Protocol analysis and reachability analysis
The model: a set of program states and a transition relation between states.
Idea: instead of reasoning symbolically about the model, just construct it explicitly. This is called reachability analysis.
Advantage: totally automated.
Disadvantages:
1. Can verify only limited properties (non-compositional).
2. State explosion problem: can handle only fairly small models.
For these reasons, this technique was more or less dismissed.

[Slide 28/32] Symbolic vs. Explicit
(diagram)
[Slide 29/32] Model checking (Clarke/Emerson, Queille/Sifakis)
1. Specify properties in TL;
2. Build finite state model explicitly;
3. Check that the model satisfies the specifications;
4. Produce a counterexample when false.

[Slide 30/32] This approach has a number of advantages:
- High expressiveness (> reachability analysis).
- Is compositional, since based on TL.
- Complexity is linear in formula size for CTL.
- Very good for disproving properties. For small but tricky asynchronous circuits: showed previously published designs incorrect (embarrassing); showed previously proved correct designs incorrect (highly embarrassing).

[Slide 31/32] Late 1980s and 1990s
Success of model checking on small examples leads to various attacks on the state explosion problem.
- Modularity: abstracting system components using temporal formulas; abstract FS models by other FS models; automatically generated reductions.
- Symbolic model checking techniques: use compact boolean forms to represent state sets and transition relations (e.g. BDDs). Can handle state spaces many orders of magnitude larger.

[Slide 32/32] Late 1980s and 1990s
- Partial order methods: often, state explosion is due to many (irrelevant) orderings of independent events.
- Symmetry reductions: consider only one state in each class of symmetrically related states. Often process ids, address and data values are equivalent under symmetry transformations.
- Real-Time: discrete (Verus); continuous (timed automata).
- Other domains: software; bioinformatics.
- Other representations: bounded (SAT solvers); statistical.
Used by: Intel, Motorola, IBM, Siemens, ...
Formal verification companies: Cadence, Verplex, Jasper.
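The reachability analysis of slide 27 and the build-model / check / counterexample steps of slide 29, as an added example (not the course's code) run on the x++ / x-- race of slide 4. The two processes, their non-atomic load/store steps and the state encoding are constructed here; the safety property G (done_A ∧ done_B → x = 0) is checked as reachability of a bad state, and the counterexample is read back from the search's parent pointers:

```python
"""Explicit-state model checking of the x++ / x-- race from the slides.

Added example, not the course's code. The two processes, their non-atomic
load/store steps and the property are constructed here. The safety property
G (done_A and done_B -> x = 0) is checked as reachability of a bad state,
with the counterexample read back from the search's parent pointers."""
from collections import deque

# State = (pcA, pcB, x, regA, regB). pc 0: about to load, 1: about to store, 2: done.
INITIAL = (0, 0, 0, 0, 0)


def successors(state, atomic=False):
    """All next states, each labelled with the step that produced it."""
    pcA, pcB, x, rA, rB = state
    out = []
    if atomic:                       # x++ / x-- as single indivisible transitions
        if pcA == 0:
            out.append(("A: x++", (2, pcB, x + 1, rA, rB)))
        if pcB == 0:
            out.append(("B: x--", (pcA, 2, x - 1, rA, rB)))
        return out
    if pcA == 0:
        out.append(("A: rA = x", (1, pcB, x, x, rB)))
    if pcA == 1:
        out.append(("A: x = rA + 1", (2, pcB, rA + 1, rA, rB)))
    if pcB == 0:
        out.append(("B: rB = x", (pcA, 1, x, rA, x)))
    if pcB == 1:
        out.append(("B: x = rB - 1", (pcA, 2, rB - 1, rA, rB)))
    return out


def bad(state):
    """Violation of the safety property: both processes finished, x != 0."""
    pcA, pcB, x, _, _ = state
    return pcA == 2 and pcB == 2 and x != 0


def model_check(initial, succ, is_bad):
    """Breadth-first reachability analysis. Returns (states_explored, counterexample);
    the counterexample is the shortest list of step labels from the initial state
    to a bad state, or None if no bad state is reachable."""
    parent = {initial: None}         # state -> (label, predecessor)
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if is_bad(s):
            trace = []
            while parent[s] is not None:
                label, s = parent[s]
                trace.append(label)
            return len(parent), trace[::-1]
        for label, t in succ(s):
            if t not in parent:
                parent[t] = (label, s)
                queue.append(t)
    return len(parent), None


def check_race(atomic=False):
    """Check the race with interleaved load/store steps, or with atomic updates."""
    return model_check(INITIAL, lambda s: successors(s, atomic), bad)


if __name__ == "__main__":
    n, cex = check_race()
    print(f"non-atomic: {n} states explored, counterexample: {cex}")
    n, cex = check_race(atomic=True)
    print(f"atomic: {n} states, counterexample: {cex}")
```

The search enumerates every interleaving, so it finds the load-load-store-store schedule whether or not a real scheduler ever produces it; that is the difference from the "fails every 3 days" testing picture on slide 2. With atomic updates the model has four reachable states and no violation. The state tuple here is tiny; adding processes or data multiplies the reachable set, which is the state explosion problem that the symbolic, partial-order and symmetry techniques on slides 31 and 32 attack.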
More informationThe semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.
Semantics The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers. The semantics of a programming language assigns a precise
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationVerification of Concurrent Programs, Part I: The Temporal Framework
June 1981 Report. No. ~ 1 AN-U-81-836 Verification of Concurrent Programs, Part I: The Temporal Framework by Zohar MilnIla Amir Ynucli Office of Navitl Rcscarch Department of Computer Science Stanford
More informationAn Annotated Language
Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of
More informationTransforming Programs into Recursive Functions
SBMF 2008 Transforming Programs into Recursive Functions Magnus O. Myreen, Michael J. C. Gordon 1 Computer Laboratory, University of Cambridge 15 JJ Thomson Avenue, Cambridge, UK Abstract This paper presents
More informationPetri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications.
Petri Nets 2. Applications Y Narahari Y Narahari is currently an Associate Professor of Computer Science and Automation at the Indian Institute of Science, Bangalore. His research interests are broadly
More informationSummary of Course Coverage
CS-227, Discrete Structures I Spring 2006 Semester Summary of Course Coverage 1) Propositional Calculus a) Negation (logical NOT) b) Conjunction (logical AND) c) Disjunction (logical inclusive-or) d) Inequalities
More informationReasoning About Imperative Programs. COS 441 Slides 10
Reasoning About Imperative Programs COS 441 Slides 10 The last few weeks Agenda reasoning about functional programming It s very simple and very uniform: substitution of equal expressions for equal expressions
More information1. Introduction to Formal Verification
Course Flow Formal Verification of Systems Professors S. Tahar, E. Cerny and X. Song (Updated by S. Tahar, May 2002) Department of Electrical and Computer Engineering Concordia University 1455 de Maisonneuve
More informationT Reactive Systems: Kripke Structures and Automata
Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Kripke Structures and Automata Spring 2005, Lecture 3 January 31, 2005 Tik-79.186 Reactive Systems 2 Properties of systems invariants: the system
More informationC07: Testing and JUnit
CISC 3120 C07: Testing and JUnit Hui Chen Department of Computer & Information Science CUNY Brooklyn College 9/19/2017 CUNY Brooklyn College 1 Outline Recap and issues Grades and feedback Assignments &
More informationModel Checking with Abstract State Matching
Model Checking with Abstract State Matching Corina Păsăreanu QSS, NASA Ames Research Center Joint work with Saswat Anand (Georgia Institute of Technology) Radek Pelánek (Masaryk University) Willem Visser
More informationSymbolic Execution and Proof of Properties
Chapter 7 Symbolic Execution and Proof of Properties Symbolic execution builds predicates that characterize the conditions under which execution paths can be taken and the effect of the execution on program
More informationHardware versus software
Logic 1 Hardware versus software 2 In hardware such as chip design or architecture, designs are usually proven to be correct using proof tools In software, a program is very rarely proved correct Why?
More information