Hoare logic, preconditions, postconditions
3. Formal verification of safety-critical systems
4. Automated proofs with the Microsoft Z3 theorem prover
Homework: theory test, Z3 basics
Axiomatic method

Axioms (domain axioms, truisms, postulates, basic rules):
1. A(B + C) = AB + AC for all A, B, C - the distributive property
2. AB = BA, A + B = B + A for all A, B - the commutative property
3. A = B and B = C implies A = C for all A, B, C - the transitivity axiom
4. A = B and C = D implies A + C = B + D for all A, B, C, D
5. 1A = A, 0A = 0, A + 0 = A, A - A = 0 for any A

Theorems (conclusions, statements, assertions, claims):
6. (x + 1)(x - 1) = x(x - 1) + 1(x - 1) - follows from 1, 2
7. x(x - 1) = x² - x - follows from 1
8. x(x - 1) + 1(x - 1) = x² - x + x - 1 - follows from 4, 5, 7
9. (x + 1)(x - 1) = x² - 1 - follows from 3, 5, 6, 8
Testing vs. formal verification

Testing                        Formal verification
... and straightforward        Laborious and difficult
Teachable and accessible       Knowledgeable and competent
Always applicable              Domain formalization is necessary
Never complete                 Convincing and complete
Hardly reusable                Prove once, use forever
Hoare triple: a piece of code changes the state of the computation, and the triple

  {precondition} program {postcondition}

records how. Meaning: when the precondition is met, executing the command establishes the postcondition.

Two caveats a practitioner should keep in mind: the basic triple states partial correctness only (if the program terminates, the postcondition holds; termination is proved separately), and the precondition is an obligation on the caller, so whatever the proof assumes about the inputs has to be checked at the trust boundary, otherwise the guarantee is void.
Sir Tony Hoare
• Contributions to programming languages, algorithms, operating systems, formal verification, and concurrent computing
• Worked at the University of Oxford and Microsoft Research in Cambridge
• Born 11 January 1934 in Colombo; his mother was the daughter of a tea planter
• Electricity generation, transmission and distribution
• Heart-lung machines
• Mechanical ventilation systems
• Infusion pumps and insulin pumps
• Radiation therapy machines
• Robotic surgery machines
• Pacemaker devices
• Railway signalling and control systems
• Platform detection to control train doors
• Automatic train stop
• Airbag systems
• Braking systems
• Power steering systems
• Advanced driver-assistance systems
• Electronic throttle control
• Battery management systems for hybrid and electric vehicles
• Electric park brake
• Air traffic control systems
• Avionics, fly-by-wire systems
• Engine control systems
• Aircrew life support systems
• Nuclear reactor control systems
Formal verification: proving or disproving the correctness of the intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics.
• Organizational structure and business process
• Good specification
  ◦ Precise and complete
  ◦ Validated by the stakeholders
• Professional team
  ◦ Educated, experienced, well-coordinated
• Functional testing
  ◦ Test plan
  ◦ Manual and automated tests
  ◦ Formal verification
• Non-functional testing
• Support
… cache-coherent protocol
• 2005 - CompCert, a formally verified optimizing compiler for a large subset of the C99 programming language
• 2011 - several operating systems have been formally verified
• 2016 - CertiKOS, a formally verified concurrent OS kernel
• 2017 - formal verification has been applied to the design of large computer networks
• Formal verification is used by most leading hardware companies
Z3 impact
• … "20 years of TACAS" (> 3500 citations)
• Programming Languages Software Award from ACM SIGPLAN
• Ships with many popular systems: Isabelle, Pex, SAGE, SLAM/SDV, Visual Studio, …
• Solved more than 5 billion constraints created by SAGE when checking Win8/Office
Source: Leonardo de Moura, Microsoft Research, 19 July 2017
Check in Z3 whether the following holds for all integers x and y, or provide a counterexample:

  (x + y > -5) and (x - y < 5)  →  (2x - y < 15) or (x + 3y > 7)