CS745/ECE-725: Computer-Aided Verification Overview, Motivation, and Outline http://www.student.cs.uwaterloo.ca/˜cs745 uw.cs.cs745 [email protected] Nancy Day CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 1/64 Today’s Agenda ◮ What is this course about? ◮ Motivation ◮ Course Organization CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 2/64 What are “formal methods” (FM)? Also know as “computer-aided verification”. In a nutshell, formal methods strive to provide for computer-based systems (digital-hardware / software) what engineering mathematics has provided in other fields of engineering: ◮ the ability to express specifications precisely, ◮ the ability to clearly define when an implementation meets the specification (“correctness”), and ◮ the ability to understand the specification and the implementation better through “calculations”. Definition adapted from: course notes, G. Gopalakrishnan. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 3/64 What is computer-aided verification? In CAV, ◮ we research techniques for discovering bugs in systems. These techniques can prove that a system has certain desirable functional properties such as: lack of bugs, safety and liveness properties. ◮ we apply these techniques to all kinds of systems (e.g., software, hardware, protocols, web-based distributed applications). ◮ we use logical reasoning to symbolically analyze systems without running the system. ◮ we add these techniques to computer-based tools (CASE and CAD tools), which provide analysis capabilities to users. CAV provides an analytic side to computer system development. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 4/64 What is logical reasoning? According to Webster’s (New World, 1984), logic is “the science of correct reasoning”. According to the Free On-Line Dictionary of Computing, “logic is concerned with what is true and how we can know whether something is true”. Using logic, we can reason about a system. Reasoning about situations means constructing arguments about them: we want to do this formally, so that the arguments are valid and can be defended rigorously, or executed on a machine. – Huth and Ryan CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 5/64 Trivial Example of Logical Reasoning Example: ◮ If the train arrives late and there are no taxis at the station, then John is late for his meeting. ◮ John is not late for his meeting. ◮ The train did arrive late. Were there taxis at the station or not? Therefore, there were taxis at the station. – Huth and Ryan This argument has a structure of facts and a conclusion. The conclusion logically follows from the facts. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 6/64 Are Taxis at the Station? A1 If train late and no taxis, then John late. A2 John is not late. A3 Train is late. train late taxis at station John late A1 A2 A3 F F F F F T F T F F T T T F F T F T T T F T T T CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 7/64 Alternative scenario A1 If train late and no taxis, then John late. A2 John is late. A3 Train is not late. train late taxis at station John late A1 A2 A3 F F F T F T F F T T T T F T F T F T F T T T T T T F F F F F T F T T T F T T F T F F T T T T T F CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 8/64 Logical Arguments Example 1: If the train arrives late and there are no taxis at the station, then John is late for his meeting. John is not late for his meeting. The train did arrive late. Therefore, there were taxis at the station. – Huth and Ryan Here’s another example of a logical argument: Example 2: If it is raining and Jane does not have her umbrella with her, then she will get wet. Jane is not wet. It is raining. Therefore, Jane has her umbrella with her. – Huth and Ryan These two arguments have the same structure, but use different sentence fragments. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 9/64 Logical Arguments Example 1: If the train arrives late and there are no taxis at the station, then John is late for his meeting. John is not late for his meeting. The train did arrive late. Therefore, there were taxis at the station. Example 2: If it is raining and Jane does not have her umbrella with her, then she will get wet. Jane is not wet. It is raining. Therefore, Jane has her umbrella with her. Example 1 Example 2 the train is late it is raining there are taxis at the station Jane has her umbrella with her John is late for his meeting Jane gets wet CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 10/64 Logical Arguments The argument can be stated independently of Jane and John and umbrellas and trains and taxis by substituting letters for the sentence fragments as in: Letter Example 1 Example 2 p the train is late it is raining q there are taxis at the station Jane has her umbrella with her r John is late for his meeting Jane gets wet The valid argument is then: if p and not q then r. not r. where the horizontal bar means p. therefore. This is an argument in propositional logic. q CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 11/64 Logical Arguments Logic is concerned with the structure of the argument, not the meaning of the sentences. ◮ If 37 is a prime number and I am not the most if p and not q then r. intelligent person in the not r. world, then 7 is divisible by p. 3. ◮ 7 is not divisible by 3. q ◮ 37 is prime Therefore, I am the most intelligent person in the world. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 12/64 Logic In a logic, there are rules about which structures of arguments are valid and which are not. In logics, we use symbols to represent the sentences fragments. A logical argument holds for all values (true or false) of the symbols used in the argument. Computers are very good symbol manipulators. We can use computers to help us do logical reasoning. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 13/64 Formalization Everyone loves my baby, ... but my baby loves only me. 1. Everyone loves my baby For all people, that person loves my baby. 2. My baby loves only me For all people, if my baby loves that person, then that person is me. ◮ From 1, using “my baby”: My baby loves my baby. ◮ From 2, using “my baby”: If my baby loves my baby, then my baby is me. ◮ From modus ponens on 2 using 1: My baby is me! Source: M. Jackson and D. Gries CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 14/64 Formalization ◮ First example: All Canadians wear toques. Counterexample: Joe is Canadian. Joe does not wear a toque. ◮ Second example: There is a person, such that if that person is Canadian, then they wear a toque. Joe is not Canadian. Joe does not wear a toque. Is this a counterexample? ◮ There is a person, such that the person is Canadian and they wear a toque. To prove, must find a toque-wearing Canadian. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 15/64 Formalization How would you formalize the sentence: “I have my umbrella with me unless it is sunny.” Question: If it is sunny, do I have my umbrella? CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 16/64 Logical Reasoning and Verification? Using logical reasoning, we can calculate/reason about computer-based systems to determine whether the system has certain desirable properties. In formal verification, we are checking these properties for all possible behaviours of our model of the system. Thus, formal verification is able to do an exhaustive analysis of the model of the system, whereas testing (or simulation) is only able to check a finite number of behaviours. By reasoning symbolically, exhaustive analysis becomes possible. Note: in formal verification we are checking a model of the system, not necessarily the real system. For example, formal verification doesn’t help us find physical defects resulting from the manufacturing of a chip. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 17/64 What is computer-aided verification? Recall: Formal methods strive to provide for computer-based systems (digital-hardware / software) what engineering mathematics has provided in other fields of engineering: ◮ the ability to express specifications precisely, ◮ the ability to clearly define when an implementation meets the specification (“correctness”), and ◮ the ability to understand the specification and the implementation better through “calculations”. Definition adapted from: course notes, G. Gopalakrishnan. CS745/ECE-725, Fall 2009, University of Waterloo, Lecture 1, Page 18/64 Logical Reasoning and Verification Verification involves checking a satisfaction relation, usually of the form of a sequent: M |= φ where ◮ M is a model (or implementation) describing the possible behaviours of the system ◮ φ is a property (or specification) ◮ |= is a relationship that should hold between M and φ – what does it mean for the system to be “correct”? Logic can be used to express the model, property, and relation, and valid arguments of the logic are used to deduce whether the relation holds for the particular model and particular property.