Slide 1

Slide 1 text

When testing just doesn't cut it
Lars Hupel, Lambda Days, 2023-06-05

Slide 2

Slide 2 text

Where would this line be used? int mid = (low + high) / 2

Slide 3

Slide 3 text

… and what’s wrong with it? int mid = (low + high) / 2

Slide 4

Slide 4 text


Slide 5

Slide 5 text


Slide 6

Slide 6 text

Sorting in Java
list.sort((x, y) -> x.beard.compareTo(y.beard))

Slide 7

Slide 7 text

CAV 2015

Slide 8

Slide 8 text

Programming & Bugs

Slide 9

Slide 9 text

Requirements → Design/Architecture → Implementation → Testing → Operation

Slide 10

Slide 10 text

Requirements → Design/Architecture → Implementation → Testing → Operation
“Debugging”

Slide 11

Slide 11 text

OSDI 2014

Slide 12

Slide 12 text

“Program testing can be a very effective way to show the presence of bugs, but it is hopelessly inadequate for showing their absence”

Slide 13

Slide 13 text

Formal Methods

Slide 14

Slide 14 text

“Formal Methods refers to mathematically rigorous techniques and tools for the specification, design and verification of software and hardware systems”

Slide 15

Slide 15 text

You have already used Formal Methods! … without knowing it

Slide 16

Slide 16 text

ISO 5807 Flowchart

Slide 17

Slide 17 text

ISO 5807:1985: Syntax, Semantics

Slide 18

Slide 18 text


Slide 19

Slide 19 text

What is verification? Specification ←Proof→ Implementation

Slide 20

Slide 20 text

Binary search, again!
int mid = (low + high) / 2;

Slide 21

Slide 21 text

Binary search, again!
assert low <= high;            // Specification
assert 0 <= low;               // Specification
int mid = (low + high) / 2;    // Implementation
assert low <= mid;             // Specification
assert mid <= high;            // Specification

Slide 22

Slide 22 text

Binary search, again!
∀ low, high ∈ Int32. low ≤ high ⇒ 0 ≤ low ⇒ low ≤ (low +₃₂ high) / 2
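The proposition on the slide is exactly the kind of statement a test suite will never refute: the precondition 0 ≤ low ≤ high is satisfied by every realistic call, and the failing inputs only appear once low + high exceeds Int32's range, i.e. for arrays of roughly a billion (2^30 or more) elements. The following is an added example, not code from the talk: it emulates Java's 32-bit `int` in Python, checks the contract from the previous slides (0 ≤ low ≤ high before, low ≤ mid ≤ high after) against the naive midpoint, and shows two midpoint formulas that do satisfy it. All helper names here (`to_int32`, `java_div`, `mid_naive`, `mid_safe`, `mid_ushr`, `holds_contract`, `counterexample`) are ours.

```python
"""Added example, not from the talk: the midpoint contract from the slides
(0 <= low <= high before, low <= mid <= high after) checked under
32-bit wraparound arithmetic.

Python integers never overflow, so Java's `int` is emulated explicitly.
The helper names below are ours, not from the slides.
"""

INT32_MAX = (1 << 31) - 1


def to_int32(x: int) -> int:
    """Wrap an unbounded integer to two's-complement 32 bits (Java `int` semantics)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x >= (1 << 31) else x


def java_div(a: int, b: int) -> int:
    """Integer division truncating toward zero, as Java's `/` does on ints."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def mid_naive(low: int, high: int) -> int:
    """The slide's implementation: int mid = (low + high) / 2; with the sum wrapping."""
    return java_div(to_int32(low + high), 2)


def mid_safe(low: int, high: int) -> int:
    """low + (high - low) / 2: given 0 <= low <= high, high - low fits in an int
    and the result is at most high, so nothing wraps."""
    return to_int32(low + java_div(to_int32(high - low), 2))


def mid_ushr(low: int, high: int) -> int:
    """(low + high) >>> 1 as used in java.util.Arrays.binarySearch: the wrapped sum
    is reinterpreted as unsigned before halving, which is exact for 0 <= low <= high."""
    return to_int32((to_int32(low + high) & 0xFFFFFFFF) >> 1)


def holds_contract(mid_fn, low: int, high: int) -> bool:
    """The slide's specification: under 0 <= low <= high, demand low <= mid <= high."""
    if not (0 <= low <= high <= INT32_MAX):
        raise ValueError("precondition 0 <= low <= high violated")
    mid = mid_fn(low, high)
    return low <= mid <= high


def counterexample() -> tuple:
    """Inputs that satisfy the precondition yet break the naive midpoint."""
    low, high = 1, INT32_MAX
    return low, high, mid_naive(low, high)


if __name__ == "__main__":
    low, high, mid = counterexample()
    print(f"low={low} high={high} naive mid={mid} (negative: out-of-bounds index)")
    print("safe mid:", mid_safe(low, high), "ushr mid:", mid_ushr(low, high))
```

For small ranges all three formulas agree, which is why unit tests pass; only the exhaustive claim over all of Int32, the one the proof makes, exposes the negative midpoint.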

Slide 23

Slide 23 text

Formal Methods in practice

Slide 24

Slide 24 text


Slide 25

Slide 25 text

Central Bank Digital Currency
CBDC sits at the intersection of “Issued by the central bank” (like banknotes) and “Digital money” (like bank deposits and e-money).

Slide 26

Slide 26 text

Our customers
● central banks
● commercial/retail banks
● payment service providers

Slide 27

Slide 27 text


Slide 28

Slide 28 text

How money is represented in G+D Filia®

Slide 29

Slide 29 text


Slide 30

Slide 30 text


Slide 31

Slide 31 text


Slide 32

Slide 32 text

From specification to implementation: Specification ←Proof→ Implementation

Slide 33

Slide 33 text

From specification to implementation: Abstract specification ←Proof→ Executable specification ←Proof→ Implementation

Slide 34

Slide 34 text

Isabelle to the rescue!

Slide 35

Slide 35 text

“Isabelle/HOL = Functional Programming + Logic”

Slide 36

Slide 36 text

(diagram labels: “unspent”, “unspent”)

Slide 37

Slide 37 text

Example: Money in circulation
definition graph_balance :: nat where
  ‹graph_balance = (∑N ∈ unspent. value N)›

Slide 38

Slide 38 text

(diagram labels: value_difference = 10, value_difference = 0)

Slide 39

Slide 39 text

Example: Money in circulation
lemma graph_balance_eq_value_difference:
  ‹graph_balance = ¦(∑c ∈ graph. value_difference c)¦›

Slide 40

Slide 40 text

Example: Money in circulation
lemma graph_balance_eq_value_difference_pos:
  shows ‹0 ≤ (∑c ∈ graph. value_difference c)›
    and ‹graph_balance = ¦(∑c ∈ graph. value_difference c)¦›
proof (induction)
  (* ... *)
qed
“It looks like you are trying to do induction. Do you want me to generate a template?”

Slide 41

Slide 41 text

Example: Money in circulation
lemma graph_balance_eq_value_difference_pos:
  shows ‹0 ≤ (∑c ∈ graph. value_difference c)›
    and ‹graph_balance = ¦(∑c ∈ graph. value_difference c)¦›
proof (induction)
  case empty          (* base case *)
  (* ... *)
next                  (* inductive step *)
  (* ... *)
qed
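The definition and the two lemmas on the preceding slides say that the money in circulation (the value of all unspent notes) always equals the total value created minus the total value consumed across the transaction graph. What follows is an added example, not code from the talk and not G+D Filia's representation: a toy executable specification in Python with the same shape, plus the lemma as a runtime check. The modelling assumptions are ours: a note carries a value, a transaction consumes unspent notes (its inputs) and creates fresh notes (its outputs), minting is a transaction with no inputs, and `value_difference` is outputs minus inputs (10 for the mint, 0 for a transfer, as on the diagram). The names `Note`, `Transaction`, `Graph`, `apply`, `check_lemma`, `honest_history`, `double_spend_history` and `rejects_double_spend` are not from the deck. The second history switches the "inputs must be unspent" precondition off, which is the hypothesis the inductive step depends on: a double spend breaks the lemma, so the check that the real system enforces is not optional.

```python
"""Added example, not from the talk or from G+D Filia: a toy executable
specification of "money in circulation" in the style of the Isabelle
definitions on the slides, plus the stated lemma as a runtime check.

Modelling assumptions are ours: a note has a value; a transaction consumes
unspent notes (inputs) and creates fresh notes (outputs); minting has no
inputs. All names below are ours, not from the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Note:
    note_id: str
    value: int


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    inputs: Tuple[Note, ...]    # notes consumed; empty for minting
    outputs: Tuple[Note, ...]   # notes created

    def value_difference(self) -> int:
        """Value created minus value consumed (10 for a mint, 0 for a transfer)."""
        return sum(n.value for n in self.outputs) - sum(n.value for n in self.inputs)


class Graph:
    """Transaction graph. `enforce` toggles the precondition the proof relies on."""

    def __init__(self, enforce: bool = True) -> None:
        self.enforce = enforce
        self.transactions: List[Transaction] = []
        self.unspent: Dict[str, Note] = {}   # note_id -> note not yet consumed

    def apply(self, tx: Transaction) -> None:
        if self.enforce:
            for n in tx.inputs:
                if n.note_id not in self.unspent:
                    raise ValueError(f"{tx.tx_id}: input {n.note_id} is not unspent")
            for n in tx.outputs:
                if n.note_id in self.unspent:
                    raise ValueError(f"{tx.tx_id}: output {n.note_id} already exists")
        for n in tx.inputs:
            self.unspent.pop(n.note_id, None)
        for n in tx.outputs:
            self.unspent[n.note_id] = n
        self.transactions.append(tx)

    def graph_balance(self) -> int:
        """Sum of the values of all unspent notes (the slide's graph_balance)."""
        return sum(n.value for n in self.unspent.values())

    def value_difference_sum(self) -> int:
        return sum(tx.value_difference() for tx in self.transactions)


def check_lemma(graph: Graph) -> bool:
    """The lemma as a runtime check: 0 <= sum and graph_balance = |sum|."""
    s = graph.value_difference_sum()
    return 0 <= s and graph.graph_balance() == abs(s)


def honest_history() -> Graph:
    """Mint 10, split it into 6 + 4, then pay the 4 onward."""
    g = Graph()
    n1 = Note("n1", 10)
    g.apply(Transaction("mint", inputs=(), outputs=(n1,)))          # value_difference = 10
    n2, n3 = Note("n2", 6), Note("n3", 4)
    g.apply(Transaction("split", inputs=(n1,), outputs=(n2, n3)))   # value_difference = 0
    g.apply(Transaction("pay", inputs=(n3,), outputs=(Note("n4", 4),)))
    return g


def double_spend_history() -> Graph:
    """n1 is spent twice with the precondition switched off: the lemma fails."""
    g = Graph(enforce=False)
    n1 = Note("n1", 10)
    g.apply(Transaction("mint", inputs=(), outputs=(n1,)))
    g.apply(Transaction("spend1", inputs=(n1,), outputs=(Note("n2", 10),)))
    g.apply(Transaction("spend2", inputs=(n1,), outputs=(Note("n3", 10),)))
    return g


def rejects_double_spend() -> bool:
    """With the precondition enforced, the second spend of n1 is refused."""
    g = Graph()
    n1 = Note("n1", 10)
    g.apply(Transaction("mint", inputs=(), outputs=(n1,)))
    g.apply(Transaction("spend1", inputs=(n1,), outputs=(Note("n2", 10),)))
    try:
        g.apply(Transaction("spend2", inputs=(n1,), outputs=(Note("n3", 10),)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest history satisfies lemma:", check_lemma(honest_history()))
    print("double spend satisfies lemma:", check_lemma(double_spend_history()))
```

`check_lemma` is what a property-based test would evaluate on randomly generated histories; the Isabelle proof replaces the sampling with an induction over the graph, and the `case empty` base case corresponds to a `Graph()` with no transactions, where both sides are 0.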

Slide 42

Slide 42 text

It’s not just us

Slide 43

Slide 43 text

Proof-Driven Development (PDD)

Slide 44

Slide 44 text


Slide 45

Slide 45 text


Slide 46

Slide 46 text


Slide 47

Slide 47 text

Requirements → Design/Architecture → Implementation → Testing → Operation
“PDD”

Slide 48

Slide 48 text

● Roadmap

Slide 49

Slide 49 text

Questions? Answers! Lars Hupel https://lars.hupel.info [email protected]

Slide 50

Slide 50 text

Image sources
● Edsger W. Dijkstra: Hamilton Richards, CC-BY-SA 3.0, https://commons.wikimedia.org/w/index.php?title=File:Edsger_Wybe_Dijkstra.jpg&oldid=710250942
● César A. Muñoz: https://shemesh.larc.nasa.gov/people/cam/
● Type error: Limboer, CC-BY-SA, https://stackoverflow.com/q/60000835