Are We There Yet? 20 Years of Formal Verification in ... · deal with (mostly Programming...

Are We There Yet? 20 Years of Formal Verification

in Critical Software

Roderick Chapman Principal Engineer, Altran UK

• Our world…

• An opening thought…

• So why Formalize?

• Examples of FV in Software

• Encouraging signs…

• Homework

• A Closing Thought…

Agenda

•Our world… • An opening thought…

• Homework

Agenda

No defects please!

Our World – Crit ical Software

• Our world…

•An opening thought… • So why Formalize?

• Homework

Agenda

A Opening Thought…

Professor Martyn Thomas CBE

Every software project

uses Formal Methods…

A Opening Thought…

• Our world…

• So why Formalize? • Examples of FV in Software

• Homework

Agenda

Why Bother with Formal Methods?

Thinking and Tool ing exposes…

Ambiguity…

Contradiction…

Incompleteness…

#include “customer_call.h”;

Thinking and Tool ing enables…

• What’s stopping us?

• Fear of maths?

• Snake-oil?

• Oversold promises in the 1980s?

• Something else?

• “Software is a fashion industry with delusions of grandeur”

Prof. Les Hatton, Author of “Safer C”

The Catch…

• Big problem – most “notations” that we deal with (mostly Programming Languages)…

• Are not formal or unambiguous…

• Are poorly defined…

• Contain hard-to-avoid features that are intrinsically hostile to sound and fast formal verification.

• e.g. undefined behaviour, pointers, un-disciplined use of concurrency etc.

The Catch…

• Consider the following code in C or C++

int i;

int a[10];

i = … ; /* initialize i */

a = { … }; /* initialize a fully */

i = a[i++]; /* ??????? */

The Catch… Quiz Time!

• Our world…

• Examples of FV in Software • Encouraging signs…

• Homework

Agenda

• So are there any “properly formal” programming languages?

• Yes! An incomplete list…

• OCAML

• Scheme

• SPARK (the Ada subset, not Apache-SPARK)

• Eiffel

• JVM Bytecode

• All machine code (e.g. ARM ISA)

Formal Languages?

• What if we include specification or “modelling” languages? OK… then…

• SCADE (Lustre)

• B and Event-B

• CSP

• Subset(s) of MATLAB/Simulink

• Escher Perfect

• ..and many more…

Formal Languages?

• Here are some examples of systems using formal software verification…

Formally Verif ied Software?

• Our world…

• Encouraging signs… • Homework

Agenda

• Formal Methods tend to “disappear” as they become accepted… to the point where you don’t even know you’re using them…

• For example…

• Compiler optimization.

• Basic Static Code Analysis/Verification.

• Bounded Model Checking and Constraint Solving for test data generation.

Encouraging Signs…

• Security Changes Everything…

• Against a malicious and capable attacker, a “test it lots” verification approach will never be good enough.

• Finally, people at realizing that sound formal verification can deal with this, because a sound verification prevents all the bugs…

Encouraging Signs…

• Our world…

•Homework • A Closing Thought…

Agenda

Homework Assignment 1…

Homework Assignment 2…

• Check out www.fbinfer.com

• Infer – facebook’s static code analysis tool for C/C++/Java/Objective-C

• Our world…

• Homework

•A Closing Thought…

Agenda

A Closing Thought…

Professor Martyn Thomas CBE

Every software project

uses Formal Methods…

MOV R0, #1024

MOV R1, #0

MOV R2, #0x19000000

ORR R2, R2, #0x00990000

ORR R2, R2, #0x00009900

ORR R2, R2, #0x0000009A

MOV R3, #10

loop UMULL R4, R5, R0, R2

UMULL R4, R6, R5, R3

SUB R4, R0, R4

ADD R1, R1, R4

MOVS R0, R5

BNE loop

Here’s a Formal Language that you all use

A Closing Thought…

The big question is not if to

use Formal Methods, but

when to start…

• R. Chapman and F. Schanda

“Are we there yet? 20 years of industrial theorem proving with SPARK.” Invited Keynote Paper, Proceedings of Interactive Theorem Proving (ITP) 2014. Springer-Verlag LNCS Vol. 8558, pp. 17-26.

• Full details, data, and references for SHOLIS, C130J, Tokeneer, iFACTS projects, and how SPARK developed over the years.

• PDF available from me:

rod.chapman@altran.com

References

Questions…

Are We There Yet? 20 Years of Formal Verification in ... · deal with (mostly Programming...

Documents

Unambiguous Power System Modeling and Simulation using ...604313/FULLTEXT01.pdf · Unambiguous Power System Modeling and Simulation using Modelica Tools Dr.-Ing. Luigi Vanfretti

Sensitivity booster for mass detection enables unambiguous analysis … · 2019-07-26 · Sensitivity booster for mass detection enables unambiguous analysis of peptides, proteins,

Formal institutional factors are underestimated in

Formal Specification zTechniques for the unambiguous ...spiros/teaching/CS451/pdf/formal.pdf · Seven Myths of Formal Methods zPerfect software results from formal methods – Nonsense

Generation and Comprehension of Unambiguous Object ...Generation and Comprehension of Unambiguous Object Descriptions Junhua Mao2 Jonathan Huang 1Alexander Toshev Oana Camburu3 Alan

Unambiguous DNFs and Alon–Saks–Seymour

Formal Specification u Techniques for the unambiguous ...bmitchell/course/mcs451/Ch_9.pdf©Ian Sommerville 1995 Software Engineering, 5th edition. Chapter 9 Slide Seven myths of formal

Unambiguous Identifiers for Semantic Web

dfzljdn9uc3pi.cloudfront.net · Web viewAmbiguous (syn)apomorphies are indicated by a simple arrow (-->), and unambiguous (syn)apomorphies by a double arrow (==>). Node numbers are

Slide 1 Formal Specification - Techniques for the unambiguous specification of software Objectives: l To explain why formal specification techniques help

Unambiguous Power System Dynamic Modeling and Simulation

An unambiguous expression method of the surface textureeprints.hud.ac.uk/.../10166/1/An_unambiguous_expression_method_of_the_surface_texture.pdfAn unambiguous expression method of

Unambiguous Finite Automata - RWTH Aachen Universityold.automata.rwth-aachen.de/users/loeding/unambiguous-dlt13.pdf · state. determinism unambiguity nondeterminism big automata inclusion,

UNAMBIGUOUS COMPUTATION: BOOLEAN HIERARCHIES AND - …

Generation and Comprehension of Unambiguous Object … · 2016-05-16 · Generation and Comprehension of Unambiguous Object Descriptions Junhua Mao2∗ Jonathan Huang1 Alexander Toshev1

Formal Specification - Techniques for the unambiguous specification of software

A Far-Red Emitting Probe for Unambiguous Detection of

Unambiguous determination of the Vs profile via joint ...download.winmasw.com/documents/Dal_Moro-Keller... · Unambiguous determination of the Vs profile via joint analysis of multi-component

Unambiguous Collapse Operator of Digital … Workshop on Generalisation and Map Production, Dresden, Germany, 2013 1 Unambiguous Collapse Operator of Digital Cartographic Generalisation

Diapositive 1 - open-DO...concurrency, distributed processing, redundancy management and synchronization The use of formal specifications alone forces requirements to be unambiguous