Embed Size (px)
Citation preview
@}H!Z;Q
ITRqrY(kpW;Q#D!{YKen-etsu FUJITA2011.07.29. btgXfujita� s.gunma-u.a .jphttp://www. s.gunma-u.a .jp/�fujita/Department of Computer S ien eGunma University
@}H!Z;Q � p.1/38
@}Q:k
H$KNIAib$Db\vN3Hr@&+$$Db&=P
+j@&+NIAi+G"k%H'VHHKN&A/J/HblMO&=D-@W/,&=D-+)
@}H!Z;Q � p.2/38
@}Q:k
H$KNIAib$Db\vN3Hr@&+$$Db&=P
+j@&+NIAi+G"k%H'VHHKN&A/J/HblMO&=D-@W/,&=D-+)
H,&=D-@H>j
JHN/@bFN]jr>jK9kH$HHKN>}Hb&=D-GOJ$%=)HO&=D-GOJ$%=) H,&=D-G"k>jK7b%) HO&=D-GOJ$%>CF$K,&=D-G"k%
@}H!Z;Q � p.3/38
@}Q:k
H$KNIAib$Db\vN3Hr@&+$$Db&=P
+j@&+NIAi+G"k%H'VHHKN&A/J/HblMO&=D-@WP �VH,&=D-G"kW$Q �VK,&=D-G"kW(1) P ) :(P _Q); (2) :P ) (P _Q)VH,&=D-G"kWH>j9kH'[P ℄ P ) :(P _Q):(P _Q) () E) [P ℄P _Q (_I)? (:E):P (:I)7b (?),3+l$HO&=D-GOJ$3H,Z@5lk%
@}H!Z;Q � p.4/38
d@,'HZ@
d@,'J3~,' I$|n,'E)!
A A) BB () E) [A℄....BA) B () I)A ^BA (^E1) A ^BB (^E2) A :A? (:E) [A℄....?:A (:I)
AA _B (_I1) BA _B (_I2) A _B [A℄....C [B℄....CC (_E) ?A (?I)@}H!Z;Q � p.5/38
Z@@+iN"Wm<A(1) P ) :(P _Q) ` :P (HO&=D-GOJ$):[P ℄ P ) :(P _Q):(P _Q) () E) [P ℄P _Q (_I)? (:E):P (:I)(1); (2) :P ) (P _Q) ` Q (K,&=D-):
....:P :P ) P _QP _Q () E) ....:P [P ℄?Q (?I) [Q℄Q (_E)v8r-f=9kH0NA@1r+Fd@G-k @}H!Z;Q � p.6/38
U#@+iN"Wm<A
H$KNIAib$Db\vN3Hr@&+$$Db&=P
+j@&+NIAi+G"k%/,&=D-+)H'VHHKN&A/J/HblMO&=D-@WP'VH,&=D-G"kW$Q'VK,&=D-G"kW(1) P ) :(P _Q); (2) :P ) (P _Q)P Q P )�(P _Q) �P ) (P _Q)0 00 11 01 1@}H!Z;Q � p.7/38
@}i;'AND, OR, NOT@}Q' A ^B A / B 0 10 0 01 0 1@}B'A _B A / B 0 10 0 11 1 1]j':A A :A0 11 0
@}H!Z;Q � p.8/38
@}i;'=>
^U'A) BJAJiPBK A / B 0 10 1 11 0 1UM v : PropVar! f0; 1gUMr$eN=r~?9h&K$@}04NN8gXH%
9k%
@}0 AOH<Hm8<J1?K'$UNUM vKP7F v(A) = 1.@}0 AO<-D='"kUM vKP7F v(A) = 1.
@}H!Z;Q � p.9/38
U#@+iN"Wm<A'<-D=-
H$KNIAib$Db\vN3Hr@&+$$Db&=P
+j@&+NIAi+G"k%/,&=D-+)H'VHHKN&A/J/HblMO&=D-@WP'VH,&=D-G"kW$Q'VK,&=D-G"kW(1) P ) :(P _Q); (2) :P ) (P _Q)P Q P ) :(P _Q) :P ) (P _Q)0 0 1 00 1 1 11 0 0 11 1 0 1
@}H!Z;Q � p.10/38
@}Q:k
H: VH,&=D-+^?O K,&=D-GJ$+NIAi+@W
@}H!Z;Q � p.11/38
@}Q:k'!Zdj
H:VH,&=D-+^?OK,&=D-GJ$+NIAi+@W'0sro(ro0$bGk
Z@@*"Wm<AHoare@}$@sKhk_WJDbC)$j}Z@79F`JCoq, Isabelle, agda, et .KU#@JbGk@K*"Wm<A
~j@}$Mj@}$et . /jW-bGk$bGk!:D<kJSpin, Uppaal, Prism, et .K
@}H!Z;Q � p.12/38
A0*;!&t}*!Z!
A0*!Z CF.F9H$lSe<!1. P]NbGk='P]-R@l2. !Z5lk-AN-R'EM-R@l3. P]N-R,EMr~?9+'!Z;!Z@O � ` ��'@}0KhkP]N-R$�'EM-RbGkO M j= �M'P]r==9kbGkJuV+\O$/jW-bGkK$�'EM-R
04+0$>+0$PC*$04^Ke"k
@}H!Z;Q � p.13/38
3sTe<?rhQ7?!Z79F`
j}Z@O
l,&b,Rl@}$?}@$Hoare@}$$$Isabelle$HOL$Coq$Agda$$$FQ*J79F`'tX&@}X
>+0Z@$PC*Z@
bGk!:O
Mj&~j@}$$$LTLJSpinNEM-R@l PromelaK$CTLJNuSMVKuV+\OJKripke=$Kt,*-AN4+0Z@$-BuVNVe*5w$?cN
8.@}H!Z;Q � p.14/38
!=B4HA0*;!Safty- riti al'6RO/Ej$RuI)$$$CF. Commear ially riti alIntel Pentium hip FDIV bug (1994)! CF.j3<k39HHSECJSO503i, P503i, SO502iWMKTqgJ2001K!=B4KX9kq],JJ'98�'00K'IEC615083sTe<?;QrQ$?B4X"OrHQ9k4FN:H
B4i$U5$/kJ=UH&'"NB4WaEMK
!=B4Jfun tional saftyK CF.G-B4B4-rN]9kEH_&!=$j9/NvFOOXNZ:
B4Ye`JSafty Integrity LevelKHA0*;!g! ! SIL1, SIL2, SIL3, SIL4!!!!=:TN(.SIL3, SIL4'A0*;!, HRJ//d)KEx. SIL4'SCADE(Safty Criti al Appli ation Development Environment)Khk C3<I8. @}H!Z;Q � p.15/38
LTL'~A~j@}@}0'p\?j$A ^B$A _B$:A$GAJ$DbA,.)K$FAJ$D+A,.)K$XA$AUBJB,.j)D^GA,:CH.)K/jW-&bGkM = hS;R; I; Atom;LiM;� j= A
IM NQ9 � = s0 ! s1 ! � � �G LTL0A,.j)DI1. M;� j= p() p 2 L(s0)2. M;� j= :A()M;� j= AGJ$3. M;� j= A ^B ()M;� j= A+DM;� j= B4. M;� j= A _B ()M;� j= A^?OM;� j= B
@}H!Z;Q � p.16/38
LTL'~A~j@}/jW-&bGkM = hS;R; I; Atom;LiM;� j= A
IM NQ9 � = s0 ! s1 ! � � �G LTL0A,.j)DI1. M;� j= GA()$UN iKP7FM;�(i) j= A2. M;� j= FA() "k iKP7FM;�(i) j= A3. M;� j= XA() M;�(1) j= A4. M;� j= AUB () "k iKP7FM;�(i) j= B+D0 � j < iG"k$UN jKP7FM;�(j) j= AM j= AM Ni|uV+iO^k4FNQ9 �GM;� j= ANB. �(0) = � and �(i) = si ! si+1 ! � � �
@}H!Z;Q � p.17/38
LTL'~A~j@}G(:(p ^ q))'pH q,1~K.j)D3HOJ$JB4-KG(p) Fq)'p,.j)FP$=Ne$D+ q,.j)DJh-KGFp'$DN~@Gb=N&A p,.j)DJx?-KFGp'"k~@+i:CH p,.j)A31kM;� j= G(:(p ^ q))()$UN iKP7FM;�(i) 6j= p ^ qM; � j= :G(p ^ q)()"k iKP7FM;�(i) 6j= p ^ q@}H!Z;Q � p.18/38
uV+\OJ/jW-bGkK
Mm = hSm; Rm; Im; Atomm; LmiSm = fW0;W1; B0; B1g, Im = fB1gRm = fW0 !W1;W1 ! B0; B0 ! B1; B1 !W0g� : B1 ! W0 ! W1 ! B0 ! B1 ! � � �M = hS ; R ; I ; Atom ; L iS = Sm [ fW2g, I = fW0gR = fW0 !W1 ! B0 ! B1 !W0 !W2 !W0gM = Mm M 'Mm;M N1|g.B1,W0!W0,W1!W1,B0! B0,B1! B1,W0!! � � �
@}H!Z;Q � p.19/38
bGkNc=)1|g.&j]=X@}H!Z;Q � p.20/38
Hoare@}!Z8 fv0ro gPfvero gv0roNbHGWm0i` P rBT9kH$BTevero,.)JP Nt,5v-K@sKhk_WJDbCK
/i9TQro
/i9TQro
v0ro
vero
a=CI\N
FSP7&N
a=CI
FPlk
a=CI
*V8'/H *V8'/H
FSP7
{nQ
zt
VjM
@}H!Z;Q � p.21/38
Hoare@}x}Hd@,'
e~8Nx}f�(e)gx := ef�(x)g #g8Nd@,'f�gP1f�g f�gP2f gf�gP1;P2f gro8Nd@,'f� ^QgP1f�g f� ^ :QgP2f�gf�gif Q then P1 else P2f�g +jV78Nd@,'f� ^QgPf�gf�gwhile Q do Pf�^ :Qg"kN,'�) �0 f�0gPf�0g �0 ) �f�gPf�g
@}H!Z;Q � p.22/38
Hoare@}e~8Nx} f (e)gx := ef (x)g
x = E
ψ[E/x]
ψfx > 0gx := x+ 1fx > 1gfx+ 1 > 1gx := x+ 1fx > 1g@}H!Z;Q � p.23/38
Hoare@}#g8N,' f�gC1f�g f�gC2f gf�gC1;C2f g
C1
C2
φ
η
ψ
@}H!Z;Q � p.24/38
Hoare@}
if8N,' f� ^BgC1f g f� ^ :BgC2f gf�gif B then C1 else C2f gB
C1 C2
φ
ψ
true
φ ∧ B
false
φ ∧ ¬B
@}H!Z;Q � p.25/38
Hoare@}
while8N,' f ^BgCf gf gwhile B do Cf ^ :BgB
C
ψ
true
ψ ∧ B
false
ψ ∧ ¬B 'k<WTQroCF. If8KhkawJ8+K@}H!Z;Q � p.26/38
Hoare@}"kN,' �) �0 f�0gPf 0g 0 ) f�gPf g}@ SNbHG`S x > 0) x+ 1 > 1 e~8Nx}fx+ 1 > 1gx := x+ 1fx > 1gfx > 0gx := x+ 1fx > 1g!Z8NZ@N=$O$"kN,'r|-Wm0i`N=$
Gh^k%
@}H!Z;Q � p.27/38
Java and JML
JML (Java Modeling Language)JavaWm0i`NEM-R@l/*� JMLEMO JavaWm0i`fKq/�*/JML=8a=CINv0ro requiresa=CINvero ensuresTQro invariantc0h} signalsa=CINBT0eGQ=9kM modifiable
@}H!Z;Q � p.28/38
sqrt (1/3)
publi stati int sqrt (int x) { a=CI sqrtint ount = 0, sum = 1;while (sum <=x) { ount++; Let n be ount:k<Wstsum = sum + 2* ount+1; sum=�n0 (2i + 1)}return ount;}
@}H!Z;Q � p.29/38
sqrt + pre,post- ond (2/3)
/*� publi normal_behavior� requires x >= 0; v0ro� ensures! vero� result >= 0 && result * result <= x� && x < (result + 1) * (result + 1); result=bpx �*/publi stati int sqrt (int x) { a=CI sqrtint ount = 0, sum = 1;while (sum <=x) { ount++;sum = sum + 2* ount+1; sum=� odd}return ount;}
@}H!Z;Q � p.30/38
sqrt + loop invariant (3/3)publi stati int sqrt (int x) { a=CI sqrtint ount = 0, sum = 1;/*� loop_invariant k<WTQL� ount >= 0 && x >= ount* ount &&� sum == ( ount+1)*( ount+1); sum(qtNB)O?}t� de reases x - sum; d_ro�*/while (sum <=x) { ount++;sum = sum + 2* ount+1; sum=� odd}return ount;}
@}H!Z;Q � p.31/38
JMLD<kNc=) JMLD<kN4:X
@}H!Z;Q � p.32/38
JavaWm0i`N!Z
Krakatoa Why Coq
Java=<9+JMLEM Hoare!Z8(OCaml) proof obligation(Rl@})
Krakatoa Why
Krakatoa � � � Java/JML=<9 7�! Hoare!Z8Why � � � Hoare!Z8 7�! proof obligationCoq (j}Z@O) � � � proof obligationrPC*KZ@ta ti sNhQ@}H!Z;Q � p.33/38
Proof obligation� � � � � � � � � � � � � � � k<WTQLO.)) ount1 : Z Var1'BT0sum1 : ZPre3 : Variant1 = x - sum1Test2 : sum1 <= xH0 : sum1 = ( ount1 + 1) * ( ount1 + 1)H1 : ount1 >= 0H2 : x >= ount1 * ount1 ount2 : Z Var2'BTePost1 : ount2 = ount1 + 1sum2 : ZPost2 : sum2 = sum1 + 2 * ount2 + 1�������������������(1/2)x >= ount2 * ount2 goal1�������������������(2/2)sum2 = ( ount2 + 1) * ( ount2 + 1) goal2@}H!Z;Q � p.34/38
Proof obligation� � � � � � � � � � � � � � � k<WTQLO.)) ount1 : Z Var1'BT0sum1 : ZPre3 : Variant1 = x - sum1H0 : sum1 = ( ount1 + 1) * ( ount1 + 1)H1 : ount1 >= 0H2 : x >= ount1 * ount1 k<W>0NroTest2 : sum1 <= x k<WM~ro ount2 : Z Var2'BTePost1 : ount2 = ount1 + 1sum2 : ZPost2 : sum2 = sum1 + 2 * ount2 + 1�������������������(1/2)x >= ount2 * ount2 goal1 by Test2,H0, Post1�������������������(2/2)sum2 = ( ount2 + 1) * ( ount2 + 1) goal2@}H!Z;Q � p.35/38
Proof obligation� � � � � � � � � � � � � � � k<WTQLO.)) ount1 : Z Var1'BT0sum1 : ZPre3 : Variant1 = x - sum1H0 : sum1 = ( ount1 + 1) * ( ount1 + 1)H1 : ount1 >= 0H2 : x >= ount1 * ount1 k<W>0NroTest2 : sum1 <= x k<WM~ro ount2 : Z Var2'BTePost1 : ount2 = ount1 + 1sum2 : ZPost2 : sum2 = sum1 + 2 * ount2 + 1�������������������(1/2)x >= ount2 * ount2 goal1�������������������(2/2)sum2 = ( ount2 + 1) * ( ount2 + 1) goal2 by Post1,2,H0@}H!Z;Q � p.36/38
Java CardQERb[Nvc=)ERb["WlCHNcX
@}H!Z;Q � p.37/38
2M8%C. Breunesse, N. Catano, M. Huisman, B. Ja obs:Formal methods for smart ards: an experien e report,S ien e of Computer Programming 55, 53�80, 2005.G. Klein, J. Androni k, K. Elphinstone, G. Heiser, D. Co k, P.Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T.Sewell, H. Tu h, S. Windood:seL4: Formal Veri� ation of an Operating-System Kernel,Communi ations of the ACM 53 (6) 2010.X. Leroy: Formal veri� ation of a realisti ompiler,Communi ations of the ACM 52 (7) 2009.D. A. Peled: Software Reliability Methods, Spriner, 2001.The Seventeen Provers of the World: Agda, Coq, HOL, et .http://www. s.ru.nl/Afreek/ omparison/Survey: Veri� ation tools for Java+JML:http://www. s.gunma-u.a .jp/Afujita/ @}H!Z;Q � p.38/38
