DOCSLIB.ORG

Extracting Scalable Program Models for TLA Model Checking

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Extracting Scalable Program Models for TLA Model Checking DEGREE PROJECT IN TECHNOLOGY, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2020 Extracting scalable program models for TLA model checking THEO PURANEN ÅHFELDT ANDERS ÅGREN THUNÉ KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Extracting scalable program models for TLA model checking THEO PURANEN ÅHFELDT ANDERS ÅGREN THUNÉ Bachelor in Computer Science Date: June 5, 2020 Supervisor: Dilian Gurov Examiner: Pawel Herman School of Electrical Engineering and Computer Science Swedish title: Extrahering av skalbara programmodeller för TLA-modellprövning iii Abstract Program verification has long been of interest to researchers and practition- ers for its role in asserting reliability in critical systems. Many such systems feature reactive behavior, where temporal properties are of interest. Conse- quently, a number of systems and program verification tools for dealing with temporal logic have been developed. One such is TLA, whose main purpose is to verify temporal properties of systems using model checking. A TLA model is determined by a logical formula that describes all possible behaviors of a system. TLA is primarily used to verify abstract system designs, as it is considered ill-suited for implementation code in real programming languages. This thesis investigates how TLA models can be extracted from real code, in order to verify temporal properties of the code. The main problem is get- ting the model size to scale well with the size of the code, while still being representative. The paper presents a general method for achieving this, which utilizes deductive verification to abstract away unnecessary implementation details from the model. Specifically, blocks which can be considered atomic are identified in the original code and replaced with Hoare-style assertions rep- resenting only the data transformation performed in the block. The result can then be translated to a more compact TLA model. The assertions, known as block contracts, are verified separately using deductive verification, ensuring the model remains representative. We successfully instantiate the method on a simple C program, using the tool Frama-C to perform deductive verification on blocks of code and translat- ing the result to a TLA model in several steps. The PlusCal algorithm language is used as an intermediary to simplify the translation, and block contracts are successfully translated to TLA using a simple encoding. The results show promise, but there is future work to be done. iv Sammanfattning Programverifiering har länge varit av intresse för att kunna försäkra sig om tillförlitligheten hos kritiska system. Många sådana system uppvisar ett reak- tivt beteende, där temporala egenskaper är av intresse. Som följd har ett antal system och programverifieringsverktyg för hantering av temporallogik utveck- lats. Ett sådant är TLA, vars huvudsakliga syfte är att verifiera egenskaper hos abstrakta algoritmer med hjälp av modellprövning. En TLA-modell bestäms av en logisk formel som beskriver alla möjliga beteenden av ett visst system. TLA anses mindre lämpligt för riktig implementationskod och används främst för att verifiera egenskaper hos abstrakta systemmodeller. Denna uppsats undersöker hur TLA-modeller kan extraheras från verklig kod för att verifiera kodens temporala egenskaper. Det huvudsakliga proble- met är att även för större program kunna skapa en modell av hanterbar storlek som ändå är representativ. Vi presenterar en allmän metod för att uppnå det- ta som använder deduktiv verifiering för att abstrahera onödiga implemente- ringsdetaljer från modellen. Kodblock som kan betraktas som atomiska i den ursprungliga koden identifieras och ersätts med blockkontrakt som represente- rar datatransformationen som utförs i blocket. Resultatet kan sedan översättas till en mera kompakt TLA-modell. Kontrakten verifieras separat med deduktiv verifiering, vilket säkerställer att modellen behålls representativ. Vi instantierar med framgång metoden på ett enkelt C-program. Verkty- get Frama-C används för att utföra deduktiv verifiering på kodblock och flera steg genomförs för att översätta resultatet till en TLA-modell. Algoritmspråket PlusCal används som ett mellansteg för att förenkla översättningen, och block- kontrakt översätts till TLA med en enkel kodning. Resultaten är lovande, men det finns flera punkter som kräver ytterligare arbete. Contents 1 Introduction 1 1.1 Research Problem . .2 1.2 Thesis Organization . .2 2 Background 3 2.1 Deductive Verification . .3 2.1.1 Hoare Logic . .3 2.1.2 Frama-C . .5 2.2 Model Checking . .6 2.3 The Temporal Logic of Actions . .6 2.4 TLA+ ..............................9 2.4.1 PlusCal . 10 2.5 Combining Approaches . 11 3 Method 14 3.1 Problem Statement . 14 3.2 Approach . 15 3.2.1 General Approach . 15 3.2.2 Instantiation . 15 3.2.3 Motivation . 16 4 Results 18 4.1 A Server Example . 18 4.2 A Truck Example . 22 5 Discussion 24 5.1 Related Work . 25 6 Conclusion 27 v vi CONTENTS Bibliography 28 Acknowledgment 30 A TLA+ Specifications 31 A.1 The Server Example . 31 A.2 The Truck Example . 33 Chapter 1 Introduction Digital systems are growing more and more complex, and we often depend on these systems being reliable. This is especially true in critical systems like self-driving cars, where an error could lead to lives being lost. Program verifi- cation is the study of making sure programs, such as these, work in the intended manner. This is usually done by first specifying exactly what the intended be- havior of the program is, and then formally verifying that the program adheres to the specification using logic. Typically, there are two primary aspects of program behavior that are verified in this way: how a program transforms data and how the program state changes over time. The difference between the two may seem insignificant, but when larger programs involving concurrency are considered, they become more pronounced. Sequential procedures that only transform data, without other side effects, can be described with a Hoare-style assertion, which is simply a relation be- tween the state before the procedure and the state after (Hoare 1969). This relation can then be verified using a set of rules, a process called deductive ver- ification. However, for many concurrent systems it is also of interest to verify temporal properties, such as safety properties (asserting bad things never hap- pen) and liveness properties (asserting good things eventually happen) (Lam- port 1994). Verifying such properties requires reasoning about time, using temporal logic. One framework for modelling programs in temporal logic is TLA, the Tem- poral Logic of Actions (Lamport 1994), where programs are represented by logical formulas. PlusCal is a language that allows smaller concurrent pro- grams to be automatically translated to TLA, after which they can be checked by existing TLA verification tools (Lamport 2009). However, this does not scale for large concurrent applications: Lamport states that PlusCal would be 1 2 CHAPTER 1. INTRODUCTION unlikely to work well for algorithms of over one or two thousand lines. In- stead, TLA typically works on a higher level of abstraction, containing as few unessential implementation details as possible. 1.1 Research Problem In order to verify large programs using TLA, it is only feasible to verify the abstract algorithm, which might hide faults in the implementation. The pur- pose of this thesis is to present an approach that could be used to verify such large programs without ignoring implementation details, by combining TLA with deductive verification using Hoare-style assertions. This aims to provide a clear connection between the abstract TLA model and the concrete imple- mentation, in a way that is not possible using only TLA. While the approach should be applicable to any program, in this thesis, the scope is limited to simple, sequential C programs. 1.2 Thesis Organization First, Chapter 2 explains the concepts of deductive verification, model check- ing and the temporal logic TLA, and their relationship. It also describes exist- ing tools for automatic verification in these logics that makes them practical. Chapter 3 then restates the problem addressed by the thesis and presents the ap- proach proposed for solving it. The abstract approach proposed is described in detail, and a workflow for implementing it on C programs using specific tools is proposed. Chapter 4 implements the proposed workflow for a repre- sentative example program. Chapter 5 discusses the strengths and weaknesses of the proposed approach, and relates this to other work and suggestions for future work. Finally, Chapter 6 presents the conclusion of the thesis. Chapter 2 Background When verifying correctness properties of systems, two principal approaches are algorithmic verification and deductive verification. Deductive verification relies on using a set of rules to formulate proofs about the system. Algorithmic verification, or model checking, is based on constructing a model of the system to be verified, which can then be used to (computationally) check properties of interest. This has the advantage of requiring less input from the programmer at the cost of generality and computational efficiency (Pnueli and Shahar 1996). This chapter describes deductive verification and model checking to the reader and then proceeds to introduce the main background matter, TLA. It also touches upon the tools that are used when working with program verifi- cation. 2.1 Deductive Verification This section gives an overview of Hoare logic (Hoare 1969), a formal sys- tem for deductive verification, and Frama-C (Kirchner et al. 2015), a tool for automating deductive verification proofs. 2.1.1 Hoare Logic When it comes to procedures that can be fully specified by how they transform data, in the form of a relation between the state of the involved variables before and after the execution of the procedure, Hoare logic is sufficient for verifica- tion. In Hoare logic one specifies a program, or part of a program (referred to as a block) in terms of an assertion. An assertion is a triple fPgφfQg where P and Q are predicates, and φ is a code block (H.
Load more

Recommended publications
  • Model Checking
    Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University 1 Cost of Software Errors June 2002 “Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually, or about 0.6 percent of the gross domestic product … At the national level, over half of the costs are borne by software users and the remainder by software developers/vendors.” NIST Planning Report 02-3 The Economic Impacts of Inadequate Infrastructure for Software Testing 2 Cost of Software Errors “The study also found that, although all errors cannot be removed, more than a third of these costs, or an estimated $22.2 billion, could be eliminated by an improved testing infrastructure that enables earlier and more effective identification and removal of software defects.” 3 Model Checking • Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980’s. • Properties are written in propositional temporal logic. • Systems are modeled by finite state machines. • Verification procedure is an exhaustive search of the state space of the design. • Model checking complements testing/simulation. 4 Advantages of Model Checking • No proofs!!! • Fast (compared to other rigorous methods) • Diagnostic counterexamples • No problem with partial specifications / properties • Logics can easily express many concurrency properties 5 Model of computation Microwave Oven Example State-transition graph describes system evolving ~ Start ~ Close over time. ~ Heat st ~ Error Start ~ Start ~ Start ~ Close Close Close ~ Heat Heat ~ Heat Error ~ Error ~ Error Start Start Start Close Close Close ~ Heat ~ Heat Heat Error ~ Error ~ Error 6 Temporal Logic l The oven doesn’t heat up until the door is closed.
    [Show full text]
  • Model Checking TLA Specifications
    Model Checking TLA+ Specifications Yuan Yu1, Panagiotis Manolios2, and Leslie Lamport1 1 Compaq Systems Research Center {yuanyu,lamport}@pa.dec.com 2 Department of Computer Sciences, University of Texas at Austin [email protected] Abstract. TLA+ is a specification language for concurrent and reac- tive systems that combines the temporal logic TLA with full first-order logic and ZF set theory. TLC is a new model checker for debugging a TLA+ specification by checking invariance properties of a finite-state model of the specification. It accepts a subclass of TLA+ specifications that should include most descriptions of real system designs. It has been used by engineers to find errors in the cache coherence protocol for a new Compaq multiprocessor. We describe TLA+ specifications and their TLC models, how TLC works, and our experience using it. 1 Introduction Model checkers are usually judged by the size of system they can handle and the class of properties they can check [3,16,4]. The system is generally described in either a hardware-description language or a language tailored to the needs of the model checker. The criteria that inspired the model checker TLC are completely different. TLC checks specifications written in TLA+, a rich language with a well-defined semantics that was designed for expressiveness and ease of formal reasoning, not model checking. Two main goals led us to this approach: – The systems that interest us are too large and complicated to be completely verified by model checking; they may contain errors that can be found only by formal reasoning. We want to apply a model checker to finite-state models of the high-level design, both to catch simple design errors and to help us write a proof.
    [Show full text]
  • Verification of Concurrent Programs in Dafny
    Bachelor’s Degree in Informatics Engineering Computation Bachelor’s End Project Verification of Concurrent Programs in Dafny Author Jon Mediero Iturrioz 2017 Abstract This report documents the Bachelor’s End Project of Jon Mediero Iturrioz for the Bachelor in Informatics Engineering of the UPV/EHU. The project was made under the supervision of Francisca Lucio Carrasco. The project belongs to the domain of formal methods. In the project a methodology to prove the correctness of concurrent programs called Local Rely-Guarantee reasoning is analyzed. Afterwards, the methodology is implemented over Dagny automatic program verification tool, which was introduced to me in the Formal Methods for Software Devel- opments optional course of the fourth year of the bachelor. In addition to Local Rely-Guarantee reasoning, in the report Hoare logic, Separation logic and Variables as Resource logic are explained, in order to have a good foundation to understand the new methodology. Finally, the Dafny implementation is explained, and some examples are presented. i Acknowledgments First of all, I would like to thank to my supervisor, Paqui Lucio Carrasco, for all the help and orientation she has offered me during the project. Lastly, but not least, I would also like to thank my parents, who had supported me through all the stressful months while I was working in the project. iii Contents Abstracti Contentsv 1 Introduction1 1.1 Objectives..................................3 1.2 Work plan..................................3 1.3 Content...................................4 2 Foundations5 2.1 Hoare Logic.................................5 2.1.1 Assertions..............................5 2.1.2 Programming language.......................7 2.1.3 Inference rules...........................9 2.1.4 Recursion.............................
    [Show full text]
  • Introduction to Model Checking and Temporal Logic¹
    Formal Verification Lecture 1: Introduction to Model Checking and Temporal Logic¹ Jacques Fleuriot [email protected] ¹Acknowledgement: Adapted from original material by Paul Jackson, including some additions by Bob Atkey. I Describe formally a specification that we desire the model to satisfy I Check the model satisfies the specification I theorem proving (usually interactive but not necessarily) I Model checking Formal Verification (in a nutshell) I Create a formal model of some system of interest I Hardware I Communication protocol I Software, esp. concurrent software I Check the model satisfies the specification I theorem proving (usually interactive but not necessarily) I Model checking Formal Verification (in a nutshell) I Create a formal model of some system of interest I Hardware I Communication protocol I Software, esp. concurrent software I Describe formally a specification that we desire the model to satisfy Formal Verification (in a nutshell) I Create a formal model of some system of interest I Hardware I Communication protocol I Software, esp. concurrent software I Describe formally a specification that we desire the model to satisfy I Check the model satisfies the specification I theorem proving (usually interactive but not necessarily) I Model checking Introduction to Model Checking I Specifications as Formulas, Programs as Models I Programs are abstracted as Finite State Machines I Formulas are in Temporal Logic 1. For a fixed ϕ, is M j= ϕ true for all M? I Validity of ϕ I This can be done via proof in a theorem prover e.g. Isabelle. 2. For a fixed ϕ, is M j= ϕ true for some M? I Satisfiability 3.
    [Show full text]
  • Model Checking and the Curse of Dimensionality
    Model Checking and the Curse of Dimensionality Edmund M. Clarke School of Computer Science Carnegie Mellon University Turing's Quote on Program Verification . “How can one check a routine in the sense of making sure that it is right?” . “The programmer should make a number of definite assertions which can be checked individually, and from which the correctness of the whole program easily follows.” Quote by A. M. Turing on 24 June 1949 at the inaugural conference of the EDSAC computer at the Mathematical Laboratory, Cambridge. 3 Temporal Logic Model Checking . Model checking is an automatic verification technique for finite state concurrent systems. Developed independently by Clarke and Emerson and by Queille and Sifakis in early 1980’s. The assertions written as formulas in propositional temporal logic. (Pnueli 77) . Verification procedure is algorithmic rather than deductive in nature. 4 Main Disadvantage Curse of Dimensionality: “In view of all that we have said in the foregoing sections, the many obstacles we appear to have surmounted, what casts the pall over our victory celebration? It is the curse of dimensionality, a malediction that has plagued the scientist from the earliest days.” Richard E. Bellman. Adaptive Control Processes: A Guided Tour. Princeton University Press, 1961. Image courtesy Time Inc. 6 Photographer Alfred Eisenstaedt. Main Disadvantage (Cont.) Curse of Dimensionality: 0,0 0,1 1,0 1,1 2-bit counter n-bit counter has 2n states 7 Main Disadvantage (Cont.) 1 a 2 | b n states, m processes | 3 c 1,a nm states 2,a 1,b 3,a 2,b 1,c 3,b 2,c 3,c 8 Main Disadvantage (Cont.) Curse of Dimensionality: The number of states in a system grows exponentially with its dimensionality (i.e.
    [Show full text]
  • Formal Verification, Model Checking
    Introduction Modeling Specification Algorithms Conclusions Formal Verification, Model Checking Radek Pel´anek Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods: Motivation examples of what can go wrong { first lecture non-intuitiveness of concurrency (particularly with shared resources) mutual exclusion adding puzzle Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods Formal Methods `Formal Methods' refers to mathematically rigorous techniques and tools for specification design verification of software and hardware systems. Introduction Modeling Specification Algorithms Conclusions Motivation Formal Verification Formal Verification Formal verification is the act of proving or disproving the correctness of a system with respect to a certain formal specification or property. Introduction Modeling Specification Algorithms Conclusions Motivation Formal Verification vs Testing formal verification testing finding bugs medium good proving correctness good - cost high small Introduction Modeling Specification Algorithms Conclusions Motivation Types of Bugs likely rare harmless testing not important catastrophic testing, FVFV Introduction Modeling Specification Algorithms Conclusions Motivation Formal Verification Techniques manual human tries to produce a proof of correctness semi-automatic theorem proving automatic algorithm takes a model (program) and a property; decides whether the model satisfies the property We focus on automatic techniques. Introduction Modeling Specification Algorithms Conclusions
    [Show full text]
  • Transforming Event-B Models to Dafny Contracts
    Electronic Communications of the EASST Volume XXX (2015) Proceedings of the 15th International Workshop on Automated Verification of Critical Systems (AVoCS 2015) Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh 15 pages Guest Editors: Gudmund Grov, Andrew Ireland Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 ECEASST Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi1, Michael Butler2, Abdolbaghi Rezazadeh3 School of Electronic & Computer Science, University of Southampton 1 2 3 md5g11,mjb,[email protected] Abstract: Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (con- structive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verification features of Dafny. The link transforms Event-B models to Dafny contracts by providing a framework in which Event-B models can be implemented correctly. The paper presents a method for transforma- tion of Event-B models of abstract data types to Dafny contracts. Also a prototype tool implementing the transformation method is outlined. The paper also defines and proves a formal link between property verification in Event-B and Dafny. Our approach is illustrated with a small case study. Keywords: Formal Methods, Hoare Logic, Program Verification, Event-B, Dafny 1 Introduction Various formal methods communities [CW96, HMLS09, LAB+06] have suggested that no single formal method can cover all aspects of a verification problem therefore engineering bridges be- tween complementary verification tools to enable their effective interoperability may increase the verification capabilities of verification tools.
    [Show full text]
  • Formal Verification of Diagnosability Via Symbolic Model Checking
    Formal Verification of Diagnosability via Symbolic Model Checking Alessandro Cimatti Charles Pecheur Roberto Cavada ITC-irst RIACS/NASA Ames Research Center ITC-irst Povo, Trento, Italy Moffett Field, CA, U.S.A. Povo, Trento, Italy mailto:[email protected] [email protected] [email protected] Abstract observed system. We propose a new, practical approach to the verification of diagnosability, making the following contribu• This paper addresses the formal verification of di• tions. First, we provide a formal characterization of diagnos• agnosis systems. We tackle the problem of diagnos• ability problem, using the idea of context, that explicitly takes ability: given a partially observable dynamic sys• into account the run-time conditions under which it should be tem, and a diagnosis system observing its evolution possible to acquire certain information. over time, we discuss how to verify (at design time) Second, we show that a diagnosability condition for a given if the diagnosis system will be able to infer (at run• plant is violated if and only if a critical pair can be found. A time) the required information on the hidden part of critical pair is a pair of executions that are indistinguishable the dynamic state. We tackle the problem by look• (i.e. share the same inputs and outputs), but hide conditions ing for pairs of scenarios that are observationally that should be distinguished (for instance, to prevent simple indistinguishable, but lead to situations that are re• failures to stay undetected and degenerate into catastrophic quired to be distinguished. We reduce the problem events). We define the coupled twin model of the plant, and to a model checking problem.
    [Show full text]
  • Verification and Specification of Concurrent Programs
    Verification and Specification of Concurrent Programs Leslie Lamport 16 November 1993 To appear in the proceedings of a REX Workshop held in The Netherlands in June, 1993. Verification and Specification of Concurrent Programs Leslie Lamport Digital Equipment Corporation Systems Research Center Abstract. I explore the history of, and lessons learned from, eighteen years of assertional methods for specifying and verifying concurrent pro- grams. I then propose a Utopian future in which mathematics prevails. Keywords. Assertional methods, fairness, formal methods, mathemat- ics, Owicki-Gries method, temporal logic, TLA. Table of Contents 1 A Brief and Rather Biased History of State-Based Methods for Verifying Concurrent Systems .................. 2 1.1 From Floyd to Owicki and Gries, and Beyond ........... 2 1.2Temporal Logic ............................ 4 1.3 Unity ................................. 5 2 An Even Briefer and More Biased History of State-Based Specification Methods for Concurrent Systems ......... 6 2.1 Axiomatic Specifications ....................... 6 2.2 Operational Specifications ...................... 7 2.3 Finite-State Methods ........................ 8 3 What We Have Learned ........................ 8 3.1 Not Sequential vs. Concurrent, but Functional vs. Reactive ... 8 3.2Invariance Under Stuttering ..................... 8 3.3 The Definitions of Safety and Liveness ............... 9 3.4 Fairness is Machine Closure ..................... 10 3.5 Hiding is Existential Quantification ................ 10 3.6 Specification Methods that Don’t Work .............. 11 3.7 Specification Methods that Work for the Wrong Reason ..... 12 4 Other Methods ............................. 14 5 A Brief Advertisement for My Approach to State-Based Ver- ification and Specification of Concurrent Systems ....... 16 5.1 The Power of Formal Mathematics ................. 16 5.2Specifying Programs with Mathematical Formulas ........ 17 5.3 TLA .................................
    [Show full text]
  • Specifying Loops with Contracts Reasoning About Loops As Recursive Procedures
    Chair for Software Systems Institute for Informatics LMU Munich Bachelor Thesis in Computer Science: Specifying Loops With Contracts Reasoning about loops as recursive procedures Gregor Cassian Alexandru August 8, 2019 I dedicate this work to the memory of Prof. Martin Hofmann, who was an amazing teacher and inspiration, and left us all too soon. Hiermit versichere ich, dass ich die vorliegende Bachelorarbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel verwendet habe. ............................................... (Unterschrift des Kandidaten) München, den 8. August 2019 5 Abstract Recursive procedures can be inductively verified to fulfill some contract, by assuming that contract for recursive calls. Since loops correspond essentially to linear recursion, they ought to be verifiable in an analogous manner. Rules that allow this have been proposed, but are incomplete in some aspect, or do not lend themselves to straight- forward implementation. We propose some implementation-oriented derivatives of the existing verification rules and further illustrate the advantages of contract-based loop specification by means of examples. Contents 1 Introduction 11 2 Motivating Example 12 2.1 Verification using an Invariant . 12 2.2 Using a local Recursive Procedure . 13 2.3 Comparison . 15 3 Preliminaries 16 4 Predicate transformer semantics 17 4.1 Prerequisites . 17 4.2 Loop specification rule for weakest precondition . 20 4.3 Soundness proof . 20 4.4 Context-aware rule . 22 4.5 Rules in strongest postcondition . 22 5 Rules in Hoare Logic 24 5.1 Preliminaries . 24 5.2 Loop specification rule in Hoare logic . 25 6 Implementation 26 7 Example Application to Textbook Algorithms 29 7.1 Euclid’s algorithm .
    [Show full text]
  • ACM 2007 Turing Award Edmund Clarke, Allen Emerson, and Joseph Sifakis Model Checking: Algorithmic Verification and Debugging
    ACM 2007 Turing Award Edmund Clarke, Allen Emerson, and Joseph Sifakis Model Checking: Algorithmic Verification and Debugging ACM Turing Award Citation precisely describe what constitutes correct behavior. This In 1981, Edmund M. Clarke and E. Allen Emerson, work- makes it possible to contemplate mathematically establish- ing in the USA, and Joseph Sifakis working independently ing that the program behavior conforms to the correctness in France, authored seminal papers that founded what has specification. In most early work, this entailed constructing become the highly successful field of Model Checking. This a formal proof of correctness. In contradistinction, Model verification technology provides an algorithmic means of de- Checking avoids proofs. termining whether an abstract model|representing, for ex- ample, a hardware or software design|satisfies a formal Hoare-style verification was the prevailing mode of formal specification expressed as a temporal logic formula. More- verification going back from the late-1960s until the 1980s. over, if the property does not hold, the method identifies This classic and elegant approach entailed manual proof con- a counterexample execution that shows the source of the struction, using axioms and inference rules in a formal de- problem. ductive system, oriented toward sequential programs. Such proof construction was tedious, difficult, and required hu- The progression of Model Checking to the point where it man ingenuity. This field was a great academic success, can be successfully used for complex systems has required spawning work on compositional or modular proof systems, the development of sophisticated means of coping with what soundness of program proof systems, and their completeness; is known as the state explosion problem.
    [Show full text]
  • KAT and Hoare Logic
    Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004 KAT and Hoare Logic In this lecture and the next we show that KAT subsumes propositional Hoare logic (PHL). Thus the specialized syntax and deductive apparatus of Hoare logic are inessential and can be replaced by simple equational reasoning. Moreover, all relationally valid Hoare-style inference rules are derivable in KAT (this is false for PHL). The results of this lecture are from [8, 7]. In a future lecture we will show that deciding the relational validity of such rules is PSPACE-complete. Hoare logic, introduced by C. A. R. Hoare in 1969 [6], was the first formal system for the specification and verification of well-structured programs. This pioneering work initiated the field of program correctness and inspired dozens of technical articles [2, 1, 3]. For this achievement among others, Hoare received the Turing Award in 1980. A comprehensive introduction to Hoare logic can be found in [3]. Hoare logic uses a specialized syntax involving partial correctness assertions (PCAs) of the form {b} p {c} and a deductive apparatus consisting of a system of specialized rules of inference. Under certain conditions, these rules are relatively complete [2]; essentially, the propositional fragment of the logic can be used to reduce partial correctness assertions to static assertions about the underlying domain of computation. The propositional fragment of Hoare logic, called propositional Hoare logic (PHL), is subsumed by KAT. The reduction transforms PCAs to ordinary equations and the specialized rules of inference to equational implications (universal Horn formulas). The transformed rules are all derivable in KAT by pure equational reasoning.
    [Show full text]