The Course.

Transcription

1 The Course

2 Lecturers Dr Peter Höfner NICTA L5 building Prof Rob van Glabbeek NICTA L5 building Dr Ralf Huuck NICTA ATP building 2

3 Plan/Schedule (1) Where and When Tuesday, 2pm 4pm, Civil Engineering 102 (K-H20-102) Wednesday, 12pm 1pm, Australian School Business 119 (K-E12-119) Assessment Criteria Assignments: 50%, 100 marks, 4 assignments (see Table below) Final Exam: 50%, 100 marks, 2h, written, June Week Topics Lecturer Assignments 1: March 3, 4 2h - Introduction 1h Automata Peter 2: March 10, 11 2h Temporal Logics (CTL, LTL) 1h Expressiveness and Fairness Peter 3: March 17, 18 2h LTL Model Checking (1) 1h LTL Model Checking (2) Peter Assignment 1, 20 marks Due: March 31 4: March 24, 25 2h Tool: Spin 1h tba Peter 5: March 31, April 1 2h - CTL Model-Checking 1h Summary, Assignment 1 (Solution) ) Peter Assignment 2, 30 marks Due: April 21 3

4 Plan/Schedule (2) Week Topics Lecturer Assignments Mid-Semester Break April 3 -April 12 6: April 14, 15 2h Abstract/Refinement (1) 1h Abstract/Refinement (2) 6: April 21, 22 2h Static Analysis 1h Static Analysis Tools (Goanna) 7: April 28, 29 2h Symbolic CTL Model Checking (1) 1h Binary Decision Diagrams 8: May 5, 6 2h Symbolic CTL Model Checking (2) 1h Tool: CBMC or nusmv 10: May 12, 13 2h Timed Automata 1h Timed Languages 11: May 19, 20 2h- Model Checking for Timed Automata 1h Assignment 2 (Solution) 12: May 26, 27 2h Real-time model checker UPPAAL (tool) 1h Assignment 3 (Solution) 13: June 2, 3 2h Summary Q & A 1h Assignment 4 (Solution) Ralf Ralf Rob Rob Peter Peter Peter Peter Assignment 3, 30 marks Due: May 13 Assignment 4, 20 marks Due: June 2 4

5 Algorithmic Verification COMP 3153 Lecture 1 Introduction (many slides are thanks to F. Cassez)

6 Content for this lecture 1. Famous bugs in software/hardware systems 2. What is verification about? 3. What is algorithmic verification? 4. Some verification techniques and tools 5. Useful mathematical techniques/tools 6

7 Famous Bugs

8 Famous Hardware Bug Intel P5, 1994 Pentium floating point unit flawed Cause: missing entries in a lookup table 3 to 5 million defective FPU Consequences Intel image badly damaged Replacement of defective FPUs: $US450 million 8

9 Famous Software Bugs (1) Therac-25, X-ray radiation therapy machine Two modes of operation: high/low energy High energy requires metal shield Software error: high energy generated without metal shield Consequences: at least 5 patients died Others were irradiated (overdose of radiation x100) 9

10 Famous Software Bugs (2) Toyota Prius, 2005 Sudden stalling/stopping at highway speeds Cause: software error causing the program to switch to fail-safe mode Consequence Recall of cars for software updates Cost: unknown but high 10

11 Famous Software Bugs (3) Ariane 5 rocket, Flight 501, 1996 Re-use of Ariane 4 software Cause: overflow when converting 64-bits to 16-bits unsigned (horizontal part of calculation, vertical part was correct) Consequences After 37 seconds, rocket veered off, and self-destructed Cost: $US370 million 11

12 Famous Software Bugs (4) Northeast blackout, 2003 Alarm went unnoticed Bug in the alarm system Cause: probably race condition Consequences: Power failure from 4pm to 11pm (up to 2 days) 55 million people affected Cost: more than $US6 billion 12

13 Famous Software Bugs (5) Zune MP3 30GB player, 2008 On December 31 st, 2008, Zune MP3 players failed Cause: infinite loop in clock driver Year with more than 365 days not handled properly Consequences One day off for player Product discontinued in

14 What is Verification?

15 Software Verification Software verification is a discipline of software engineering whose goal is to assure that software fully satisfies all the expected requirements. (wikipedia) Requirements R What the system is expected to do Software S (note: same applies for hardware) A set of interacting processes (programs) Satisfaction Check that S satisfies R 15

16 The Need for Verification Computers are increasingly complex Difficult to prove hardware correctness Difficult to prove software correctness Programs with million of lines of codes Concurrent programs (threads) Software/hardware controlled systems are everywhere, some safety-critical Complex interaction of processes (concurrent systems) Certification mandatory (e.g. aircraft software) Subject to attacks (e.g. banks) 16

17 Approaches to Verification Testing: Build the software Run experiments (infinitely many ) Drawback: not exhaustive Advantages: only requires the software (and tests) Are there better approaches? Rigorous? Exhaustive? Automatic? 17

18 Requirements for Formal Verification Software Verification e.g. C/C++ programs Goal: Rigorous proof that the system satisfies the requirements Requires: Clear/unambiguous requirements R A Program P Clear/unambiguous semantics of P: [[ P ]] Proof techniques to derive proofs/theorems like [[P ]] satisfies R 18

19 The Big Picture Abstract Mathematical Model of P Mathematically Satisfies Logical Formula For Requirement Formal Semantics Formalisation Program P C/C++ code Hand waving Satisfies Requirements Plain English 19

20 What is Algorithmic Verification?

21 Formal Verification Techniques Technique Complexity of requirements Scalability Automation Speed Confidence Mathematical proof (By hand) Unbounded Low None Low Low/High Theorem Provers Unbounded Medium Medium Medium High Model Checking Medium High Full Very High High Static Analysis Medium High Full Very High High Algorithmic / Automated Verification 21

22 Brief (and biased) History of Model Checking and Static Analysis

23 Model Checking (1980) Introduced independently by Clarke, Emerson, Sistla and Queille and Sifakis in 1980 Formal Model: finite state machine S Requirements: Temporal logics R Introduced by Pnueli, 1977 Model Checking algorithm: Check dynamic requirements on executions Automatically verifies that S satisfies R If not gives a counter example Exhaustive search of state space Turing Award 2007 Turing Award 1996 Large system: State Explosion Problem 23

24 State Explosion Problem Program with 100 integer variables within [0,10] 10^100 states size of the universe: 10^78 atoms 100 concurrent components, 10 states each 10^100 states How to combat state explosion problem: Symbolic model checking, McMillan, 1987 Abstraction/Refinement, Clarke, 1990 SAT-based techniques, 2000 Compositionality (e.g. Rely/Guarantee) 24

25 State Explosion Problem Program with 100 integer variables within [0,10] 10^100 states size of the universe: 10^78 atoms 100 concurrent components, 10 states each 10^100 states How to combat state explosion problem: Symbolic model checking, McMillan, 1987 Abstraction/Refinement, Clarke, 1990 SAT-based techniques, 2000 Compositionality (e.g. Rely/Guarantee) 25

26 Model Checking Tools (1) SMV, McMillan, 1987 NuSMW, Cimatti, 2002 Symbolic: processes symbolic representation of sets of states Data structure: Binary Decision Diagrams Used in hardware verification 26

27 Model Checking Tools (2) SPIN, Holtzmann, 1990 Explicit model checker Check C-like communicating programs Promela language Heuristics to control state explosion Partial order reduction techniques Hashing Used in protocol verification 27

28 Model Checking Tools (3) SAT-based tools Bounded model-checking Executions of length bounded by integer N Encode model checking as a SAT problem SLAM, T. Ball and S. Rajamani, Microsoft, 2000 Verifies drivers C-BMC, Kroenig, 2002 Verifies ANSI-C programs 28

29 Static Analysis Check static requirements on program E.g. no NULL pointer dereference No Array out-of-bound access Compute (loop) invariants Based on Abstract Interpretation, Cousot and Cousot, 1977 Control flow analysis Data flow analysis 29

30 Static Analysis Tools ASTREE, Absint, 2003 Coverity, 2003 Grammatech, 2005 Polyspace PVS-Studio Goanna 30

31 Useful Mathematical Tools

32 Set Theory 32

33 Functions 33

34 More on Functions Composition Monotonicity 34

35 Propositional Logics Semantics 35

36 Automata Theory (1) 36

37 Automata Theory (2) 37

38 Automata Theory (3) 38