On the Reliability of Correct Programs
1 On the Reliability of Correct Programs
Marie-Claude Gaudel, LRI, Université de Paris-Sud & CNRS
April 2010, LAAS
2 Programs?
Everybody knows what it is. Let us try:
- A program is a piece of text in a (hopefully) well defined language. There is a syntax, some semantics, and compilers
- A program is a very detailed solution to a much more abstract problem [Ball, 2005]
  { i=0 ; read(x); repeat { i++ ; perd(x, i); } until term(i,x) ; }
3 Why are programs useful?
They can be compiled and then embedded into some system
[figure: the program text { i=0 ; read(x); repeat { i++ ; perd(x, i); } until term(i,x) ; } compiled into a box with an input and an output]
4 Interlude
{ i=0 ; read(x); repeat { i++ ; perd(x, i); } until term(i,x) ; }   CORRECT!
5 Interlude (cont.)
A map is not the territory.
A program text, or a specification text, or a model, is not the system.
6 Systems?
- A system is a dynamic entity, embedded in the physical world
- It is observable via some limited interface/procedure
- It is not always controllable
- Quite different from a piece of text (formula, program) or a diagram
[figure: a system box with an input and an output]
7 Systems are the actual objects of interest
How to guarantee that a system satisfies certain properties?
Properties?
- Texts in natural languages: "whenever a request is made it holds continuously until it is eventually granted", "no buffer overflows"
- Formulas in a given specification logic: G(request → (request U grant))
- Sets of mandatory or forbidden execution paths in some graphical model
- Constraints on some well-known quantities: WCET, MTTF, etc.
Beware the abstraction gap (between the entities in the system and the concepts mentioned in the properties)
8 All that is well-known?
Found on the web, September 25, 2009, news of a respected university:
«Professor XXX said for the first time a team had been able to prove with mathematical rigour that an operating-system kernel - the code at the heart of any computer or microprocessor - was 100 per cent bug-free and therefore immune to crashes and failures.»

9 All that is well-known? (cont.)
Some blogger's comment on the same news:
«Yup, it's only as secure as the properties you've defined and proven. THAT SAID: If the core of the OS has been proven to have many strong properties, e.g. it can't crash under reasonable hardware assumptions, then building a more complex (and well tested!) OS on that proven core could be very profitable!»
10 Program Proving and System Testing
11 A few words on Program Proving
[figure: Program { i=0 ; read(x); repeat { i++ ; perd(x, i); } until term(i,x) ; } + Logical Assertions, seen as a formula (for instance, good old {Pre} Prog {Post}), fed to a Theorem Prover, a Static Analyser, or a Proof environment with a SAT solver, together with libraries and an axiomatisation]
12 Progresses and Tendencies
Significant and continuous progresses:
- Great theorem provers: HOL/Isabelle, Coq, PVS
- Powerful static analysis techniques: Astree
Tendency:
- Environments specialised for given couples <programming language, specification/assertion language>: Java/JML, C#/Spec#
  - The assertion language is tailored for the programming language
  - Libraries of abstract modelling types (collections, etc.)
- Specialised theories and tools for specific errors: arithmetic overflow, out of bound array indexing, ...
- Domain-aware theories and tools (f.i. device drivers)
- Big industrial investments: HP, Microsoft Research, ...
- Big academic investment: VSI Grand Challenge, ...
13 Achievements and challenges
- Side-effects and aliasing: handled by various program logics
- Reasoning about heap structures and aliasing: possible, but problems remain with invariants of complex object structures
- Reasoning on breaking out of loops, or catching exceptions: solved by logics for abrupt termination
- Dynamic method binding and inheritance: partially handled by behavioural subtyping
- Gap between some abstract modelling types and concrete types (quantifications, _.equals() versus =)
- Non-termination (loop variants, model-checkers): handled in various cases
[Leavens, Leino, Müller, FAC 2007]
Open issue: impact of such proofs on the reliability of the resulting system
14 From the VSI Manifesto
«A verified program is one that has been proved to satisfy certain desirable and clearly specified properties, and to be free of certain rigorously specified kinds of error. The proof itself is free from error, because it has been checked or even generated with the aid of software tools.»
«The lack of collaboration with other areas of computing is also a current weakness. Formal methods researchers must recognize the need to collaborate outside of the formal methods community in areas such as requirements analysis, testing, and fault tolerant systems, in seeking ways to aid the cause of reliable software.»
15 A few words on System Testing
- The actual system is executed for a finite set of selected inputs (NB: selected test sequences for reactive systems)
- These executions are observed, and a decision is made on their conformance w.r.t. some specification
Issues:
- Selection
- Oracle
- Control, non-determinism
- Assessment of the result of a test campaign
[figure: selected test input → System Under Test → output, observation → oracle → failure/correct]
16 ???
Run-time verification, model-checking programs, coverage in model-checking, bounded model-checking, model-based testing, ...
Zoom in on:
- What people call Model Based Testing
- What is Test Generation using Model-checking
17 Models: a heavily overloaded* term
Models as they are used for model-checking are just annotated graphs:
- A finite set of states, S
- Some initial state, s_0
- A transition relation between states, T ⊆ S × S
- A finite set of atomic propositions, AP
- A labelling function L : S → P(AP)
Richer similar notions: Labelled Transition Systems (LTS), Finite State Machines (FSM), control graphs, state charts, ...
* For a physicist a model is a differential equation; for a biologist, it may be mice or frogs
18 Model-Checking
[figure: Model + ϕ, temporal formula → Model Checker → valid, or counter-example]
- Algorithmic approach: exhaustive exploration of the model
- A well-known example: SPIN, where models are described in Promela and checked against LTL formulas
- Big issue: size of the model (esp. due to concurrency). Huge models are attainable but it is not enough
19 Model-based testing
- Selection, driving and oracle are based on some model
- Almost everything may be considered as a model (maybe not wrong...)
- Examples of considered models:
  - Annotated graphs, control graphs
  - Pre- and post-conditions, invariants
  - Finite State Machines (FSM), possibly extended (EFSM)
  - Labelled Transition Systems (LTS), possibly with distinction between inputs and outputs
- Back to [Chow 78] for FSM, [Brinksma 88] for LTS, and then many others
[figure: selected test input → System Under Test → output, observation → oracle → failure/correct]
20 Control and Observation
A popular test strategy: transition coverage.
s -x/y-> s' is a transition: in state s, input x must produce output y and move to state s'.
Questions:
- control: how to put the System Under Test into a state equivalent to s?
- observation: how to check that after receiving x and issuing y, the SUT is in a state equivalent to s'?
See next slide.
Meta-question: what brings transition coverage? The number of tests is finite, NO MORE!
21 One of the model-based tests for s -x/y-> s'
- Preamble: h/answ, then w/λ*(s_s, w)
  - homing sequence h ∈ I* ⇒ answ ∈ O*: then the SUT state should be equivalent to s_s
  - w ∈ I*: in the formal description, w leads from s_s to s
- Transition execution: x/y?
- Observation: z/λ*(s', z), where z belongs to the separating set of s'
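A worked instance of the test schema of slides 20 and 21, added here as an example; it is not code from the talk. It assumes a constructed Mealy-machine specification SPEC, a constructed faulty implementation SUT whose transition s1 -a/1-> s2 lands in the wrong state, and a reliable reset before every test instead of the homing sequence h (so the preamble is just w). The names run, preamble, separating_sequence, separating_set, transition_tests and execute are assumptions of this example.

```python
from collections import deque

# Constructed Mealy-machine specification (not from the talk):
# state -> { input: (next state, output) }. Inputs are "a"/"b", outputs 0/1.
SPEC = {
    "s0": {"a": ("s1", 0), "b": ("s0", 0)},
    "s1": {"a": ("s2", 1), "b": ("s0", 0)},
    "s2": {"a": ("s2", 1), "b": ("s1", 1)},
}

# Constructed faulty implementation: transition s1 -a/1-> s2 goes to s1 instead.
# The output is still 1, so the fault is invisible at the transition itself.
SUT = {
    "s0": {"a": ("s1", 0), "b": ("s0", 0)},
    "s1": {"a": ("s1", 1), "b": ("s0", 0)},
    "s2": {"a": ("s2", 1), "b": ("s1", 1)},
}

INITIAL = "s0"  # assumption: a reliable reset brings the SUT back here


def run(machine, inputs, start=INITIAL):
    """lambda*(start, inputs): the output sequence produced from `start`."""
    state, outputs = start, []
    for x in inputs:
        state, y = machine[state][x]
        outputs.append(y)
    return outputs


def preamble(spec, target):
    """Shortest input sequence w from the initial state to `target` (BFS)."""
    queue, seen = deque([(INITIAL, [])]), {INITIAL}
    while queue:
        state, w = queue.popleft()
        if state == target:
            return w
        for x, (nxt, _) in spec[state].items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, w + [x]))
    raise ValueError(f"{target} is unreachable")


def separating_sequence(spec, p, q):
    """Shortest input z with lambda*(p, z) != lambda*(q, z) (BFS on state pairs)."""
    queue, seen = deque([(p, q, [])]), {(p, q)}
    while queue:
        sp, sq, z = queue.popleft()
        for x in spec[sp]:
            (np_, yp), (nq, yq) = spec[sp][x], spec[sq][x]
            if yp != yq:
                return z + [x]
            if (np_, nq) not in seen:
                seen.add((np_, nq))
                queue.append((np_, nq, z + [x]))
    raise ValueError(f"{p} and {q} are equivalent")


def separating_set(spec, state):
    """One separating sequence of `state` against every other state."""
    return [separating_sequence(spec, state, other) for other in spec if other != state]


def transition_tests(spec, s, x):
    """Tests for s -x/y-> s': reset, preamble w to s, input x, then one separating
    sequence z of s' per test, paired with the outputs the specification expects."""
    s_prime, _ = spec[s][x]
    w = preamble(spec, s)
    tests = []
    for z in separating_set(spec, s_prime):
        inputs = w + [x] + z
        tests.append((inputs, run(spec, inputs)))
    return tests


def execute(tests, sut):
    """Oracle: one verdict per test, True when the SUT's outputs match."""
    return [run(sut, inputs) == expected for inputs, expected in tests]


if __name__ == "__main__":
    tests = transition_tests(SPEC, "s1", "a")
    for (inputs, expected), ok in zip(tests, execute(tests, SUT)):
        print(inputs, expected, "pass" if ok else "FAIL")
```

Run as written, the first test (a, a, a) passes on the faulty SUT and the second (a, a, b) fails: the wrong target state only shows up through the separating input b of s2, which is exactly the observation problem the slide raises, and why "in state s'" cannot be checked by looking at the transition's own output.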
22 Too big models? => Random Testing
These methods can be classified into three categories:
- those based on the input domain: adaptive random testing; stochastic optimisation (simulated annealing, genetic algorithms)
- those based on the environment (usage model)
- and those based on some knowledge of the behaviour of the SUT (some SUT model): random walks; NEW: coverage-biased random selection
23 Coverage-biased random selection
Old classical idea for simulation and testing: random walks.
An isotropic random walk in the state space of a model (a control graph, etc.) is a sequence of states s_0, s_1, ..., s_n such that s_i is chosen uniformly at random among the successors of the state s_{i-1}.
It is easy to implement and it only requires local knowledge of the graph.
Numerous applications in testing (protocols), simulation, model-checking (recent works)
24 Drawback of classical isotropic random walks
The resulting coverage is dependent on the topology
[figure: a small graph with edges a, b, c, d, e, f]
- Classical random walks, length 3: Pr(a; c; d) = Pr(b; e; f) = 0.5
- Uniform random sampling of traces, length 3: Pr(a; c; d) = Pr(b; e; f) = 0.1
25 Uniform generation of bounded paths in a graph
Counting [Flajolet et al.]: given any vertex v, let l_v(k) be the number of paths of length k that start from v. We are on vertex v with m successors v_1, v_2, ..., v_m; the condition for path uniformity is to choose v_i with probability l_{v_i}(k-1) / l_v(k).
- Application to various criteria based on paths
- Generalisation to node coverage, branch coverage
- Assessment of the quality of the coverage
- Application to C programs (AuGuSTe) and to models
The RASTA group, LRI: [ISSRE 2004], [Random Testing Workshop 2006], [Random Testing Workshop 2007], [MBT/ETAPS 2008], [MSR 2009]
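The isotropic random walk of slide 23, its topology bias from slide 24, and the counting rule l_{v_i}(k-1) / l_v(k) of slide 25, carried through on one graph. This is an added example, not code from the talk or the RASTA group's tools; the graph GRAPH is constructed for it (not the slides' figure), and count_paths, isotropic_walk_prob, uniform_prob, sample_uniform_path, sample_isotropic_walk and sample_many are names assumed here. Paths are counted by number of edges, and l_v(k) is computed by the straightforward recursion l_v(0) = 1, l_v(k) = sum of l_w(k-1) over the successors w of v.

```python
import random
from fractions import Fraction

# Constructed control graph: node -> [(edge label, successor)].
# A short linear branch (a, c, d) competes with a bushy branch under b.
GRAPH = {
    "s0": [("a", "s1"), ("b", "s2")],
    "s1": [("c", "s3")],
    "s3": [("d", "s4")],
    "s4": [],
    "s2": [("e", "s5"), ("f", "s6"), ("g", "s7")],
    "s5": [("h", "s8"), ("i", "s9")],
    "s6": [("j", "s8")],
    "s7": [("k", "s8"), ("l", "s9")],
    "s8": [],
    "s9": [],
}


def count_paths(graph, v, k, memo=None):
    """l_v(k): number of paths of exactly k edges that start from v."""
    memo = {} if memo is None else memo
    if (v, k) not in memo:
        if k == 0:
            memo[(v, k)] = 1
        else:
            memo[(v, k)] = sum(count_paths(graph, w, k - 1, memo) for _, w in graph[v])
    return memo[(v, k)]


def follow(graph, v, labels):
    """Check that `labels` is a path out of v and return the nodes it visits."""
    nodes = [v]
    for lab in labels:
        nxt = [w for l, w in graph[nodes[-1]] if l == lab]
        if len(nxt) != 1:
            raise ValueError(f"{lab} is not an edge out of {nodes[-1]}")
        nodes.append(nxt[0])
    return nodes


def isotropic_walk_prob(graph, v, labels):
    """Probability that an isotropic random walk from v follows `labels`:
    at each visited node every successor is equally likely."""
    prob = Fraction(1)
    for node in follow(graph, v, labels)[:-1]:
        prob /= len(graph[node])
    return prob


def uniform_prob(graph, v, k):
    """Probability of any given path under uniform sampling of k-edge paths."""
    return Fraction(1, count_paths(graph, v, k))


def sample_uniform_path(graph, v, k, rng):
    """Slide 25's rule: on v, choose successor v_i with probability l_{v_i}(k-1) / l_v(k)."""
    labels, memo = [], {}
    while k > 0:
        total = count_paths(graph, v, k, memo)
        if total == 0:
            raise ValueError(f"no path of length {k} from {v}")
        r = rng.randrange(total)  # exact integer arithmetic, no rounding bias
        for lab, w in graph[v]:
            c = count_paths(graph, w, k - 1, memo)
            if r < c:
                labels.append(lab)
                v = w
                break
            r -= c
        k -= 1
    return labels


def sample_isotropic_walk(graph, v, k, rng):
    """Classical random walk: uniform choice among successors, stops at dead ends."""
    labels = []
    while k > 0 and graph[v]:
        lab, v = rng.choice(graph[v])
        labels.append(lab)
        k -= 1
    return labels


def sample_many(graph, v, k, n, seed, isotropic=False):
    """n samples with a fixed seed, as tuples so they can be counted."""
    rng = random.Random(seed)
    sampler = sample_isotropic_walk if isotropic else sample_uniform_path
    return [tuple(sampler(graph, v, k, rng)) for _ in range(n)]


if __name__ == "__main__":
    print("l_s0(3) =", count_paths(GRAPH, "s0", 3))
    print("isotropic Pr(a;c;d) =", isotropic_walk_prob(GRAPH, "s0", ["a", "c", "d"]))
    print("uniform   Pr(a;c;d) =", uniform_prob(GRAPH, "s0", 3))
    print("sampled:", sample_many(GRAPH, "s0", 3, 5, seed=1))
```

On this graph there are six paths of three edges from s0. The isotropic walk gives (a; c; d) probability 1/2 and (b; e; h) only 1/12, so a short test campaign driven by the walk keeps re-executing the same linear branch; the counting rule gives every path 1/6, which is the coverage argument of slide 24.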
26 ???
Run-time verification, model-checking programs, coverage in model-checking, bounded model-checking, model-based testing, ...
Zoom in on:
- What people call Model Based Testing
- What is Test Generation using Model-checking? Is it the miracle we wait for?
27 Test generation using model-checking
Exploits the fact that model-checkers may yield counter-examples:
- Given ϕ, a required property of the SUT
- Given a model M of the SUT
- Model-check M for ¬ϕ
- The model-checker will reject ¬ϕ and produce a counter-example, i.e. a trace that satisfies ϕ, i.e. a test sequence for ϕ
Popular: most model-checkers have been tried for test generation.
Nice, but...
28 New issues, and good old ones
- ϕ must be a formula in some temporal logic (not always convenient). An example:
  ϕ: AG(request → (request U grant))
  ¬ϕ: EF(request ∧ ¬(request U grant))
- One counter-example is not enough (because of the universal quantification) => exhaustivity and coverage issues
- The finite model is an over-approximation of the system
- Feasibility, constraint solvers
29 Some Conclusions (1)
- Significant advances in Model Checking, Program Proving, System Testing
- Each one makes use of the other ones on some occasions
- Very good specialised tools
Some politically correct and frequent comments:
- "All these methods are now used together, and this convergence will lead to great results"
- "Model-checking is very powerful and solves most problems in static analysis and model based testing and, more generally, in verification"
30 Some Conclusions (cont.)
We are not so far. Many tricky scientific issues, f.i.:
- Standard temporal logics can specify only regular properties; correctness of procedures w.r.t. pre- and post-conditions is not regular [Alur 2005]
- Integration of model-checking and program proving is not as clear as it is claimed by some authors
- Constraint solving remains a bottleneck: most success stories on static analysis or testing of large programs are either limited to linear arithmetic, or not fully automated
- Dealing with the abstraction gap in proving (reasoning with equality) and testing (oracle) is not solved in general
31 Last Conclusion
But the trickiest issue is
More informationPart I: Preliminaries 24
Contents Preface......................................... 15 Acknowledgements................................... 22 Part I: Preliminaries 24 1. Basics of Software Testing 25 1.1. Humans, errors, and testing.............................
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationSemantic Subtyping. Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud)
Semantic Subtyping Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud) http://www.cduce.org/ Semantic Subtyping - Groupe de travail BD LRI p.1/28 CDuce A functional
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationAppendix G: Some questions concerning the representation of theorems
Appendix G: Some questions concerning the representation of theorems Specific discussion points 1. What should the meta-structure to represent mathematics, in which theorems naturally fall, be? There obviously
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationIntroduction & Formal Methods
Introduction & Formal Methods http://d3s.mff.cuni.cz Jan Kofroň CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Introduction to dependable systems NSWE 002 What you learn: Dependable systems
More informationLanguage Techniques for Provably Safe Mobile Code
Language Techniques for Provably Safe Mobile Code Frank Pfenning Carnegie Mellon University Distinguished Lecture Series Computing and Information Sciences Kansas State University October 27, 2000 Acknowledgments:
More informationUnit- and Sequence Test Generation with HOL-TestGen
Unit- and Sequence Test Generation with HOL-TestGen Tests et Methodes Formelles Prof. Burkhart Wolff Univ - Paris-Sud / LRI 16.6.2015 B.Wolff - HOL-TestGen 1 Overview HOL-TestGen and its Business-Case
More information6c Lecture 3 & 4: April 8 & 10, 2014
6c Lecture 3 & 4: April 8 & 10, 2014 3.1 Graphs and trees We begin by recalling some basic definitions from graph theory. Definition 3.1. A (undirected, simple) graph consists of a set of vertices V and
More informationMulti-Threaded System int x, y, r; int *p, *q, *z; int **a; EEC 421/521: Software Engineering. Thread Interleaving SPIN. Model Checking using SPIN
EEC 421/521: Software Engineering Model Checking using SPIN 4/29/08 EEC 421/521: Software Engineering 1 Multi-Threaded System int x, y, r; int *p, *q, *z; int **a; thread_1(void) /* initialize p, q, and
More informationA NEW PROOF-ASSISTANT THAT REVISITS HOMOTOPY TYPE THEORY THE THEORETICAL FOUNDATIONS OF COQ USING NICOLAS TABAREAU
COQHOTT A NEW PROOF-ASSISTANT THAT REVISITS THE THEORETICAL FOUNDATIONS OF COQ USING HOMOTOPY TYPE THEORY NICOLAS TABAREAU The CoqHoTT project Design and implement a brand-new proof assistant by revisiting
More informationCourse notes for Data Compression - 2 Kolmogorov complexity Fall 2005
Course notes for Data Compression - 2 Kolmogorov complexity Fall 2005 Peter Bro Miltersen September 29, 2005 Version 2.0 1 Kolmogorov Complexity In this section, we present the concept of Kolmogorov Complexity
More informationChapter 4 Objectives
Chapter 4 Objectives Eliciting requirements from the customers Modeling requirements Reviewing requirements to ensure their quality Documenting requirements for use by the design and test teams 4.1 The
More informationSystem Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine
System Debugging and Verification : A New Challenge Daniel Gajski Samar Abdi Center for Embedded Computer Systems http://www.cecs.uci.edu University of California, Irvine Overview Simulation and debugging
More informationProcesses as Types: A Generic Framework of Behavioral Type Systems for Concurrent Processes
Processes as Types: A Generic Framework of Behavioral Type Systems for Concurrent Processes Atsushi Igarashi (Kyoto Univ.) based on joint work [POPL2001, TCS2003] with Naoki Kobayashi (Tohoku Univ.) Programming
More informationTool demonstration: Spin
Tool demonstration: Spin 1 Spin Spin is a model checker which implements the LTL model-checking procedure described previously (and much more besides). Developed by Gerard Holzmann of Bell Labs Has won
More informationXVIII. Software Testing. Laurea Triennale in Informatica Corso di Ingegneria del Software I A.A. 2006/2007 Andrea Polini
XVIII. Software Testing Laurea Triennale in Informatica Corso di Objective General discussion on Testing Testing Phases Approaches to testing Structural testing Functional testing Testing non functional
More information(x 2)(3x + 1) = 3x + 1
Chapter 10 2-way Bounding In high school and early college mathematics, we are often proving equalities and we often prove them by manipulating a sequence of equalities. For example 3x 2 5x 2 x 2 = (x
More information