introducing-formal-methods

Transcript

1. ܗࣜख๏(formal-methods)ೖ໳ hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 1

2. ܗࣜख๏(formal-methods) • ਺ֶΛج൫ͱͨ͠ιϑτ΢ΣΞͷ࢓༷هड़ɾ։ൃɾݕূͷٕज़ • ଞͷ޻ֶ෼໺(ػց޻ֶͱ͔Ͷ)ಉ༷ʹ਺ֶతղੳΛ৘ใ޻ֶͰ΋ग़དྷΔʁ • ઃܭͷ৴པੑɾݎ࿚ੑͷ޲্Λ໨తͱ͍ͯ͠Δ • ܗࣜݴޠɾ਺ཧ࿦ཧֶɾܕγεςϜɾ୅਺తσʔλܕͳͲΛ࢖༻ •

   ͜ͷลͷ͜ͱʹ΋ڵຯ͕͋Δ • ֶ෦࣌୅ʹ TaPL 1 ͱ͍͏ຊΛྠಡͨ͠ܦݧΑΓ • ݎ࿚Ͱґଘੑͷඇৗʹߴ͍γεςϜ(ۜߦͱ͔ߤۭػͱ͔ϩέοτͱ͔)ͰΑ͘༻͍ΒΕΔ • NASA/AWS/FeliCa/TradeOne(ূ݊)/SHOLIS(ߤۭ) [^2] • ਎ۙͳͱ͜ΖͰݴ͑͹ CCS Injection(OpenSSL) ͷ੬ऑੑͳΜ͔΋ 1 https://www.cis.upenn.edu/~bcpierce/tapl/ [^2]: http://www.ipa.go.jp/files/000026875.pdf hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 2

3. ܗࣜख๏ͷछྨ • Ͳͷਫ४Ͱ΍Δ͔ɺͱ͍͏ͷ͕େ͖͘෼͚ͯ 3 ͭ • ܗࣜ࢓༷هड़ (Formal specification) •

   ܗࣜత։ൃ͓Αͼݕূ (Formal development and formal verification) • ࣗಈݕূ (Theorem provers) • Ξϓϩʔν͕େ͖͘෼͚ͯ 2 ͭ • ఆཧূ໌ (Explicit Model Checker) • Ϟσϧݕࠪ (Symbolic Model Checker) hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 3

4. ܗࣜख๏ͷਫ४ • ܗࣜ࢓༷هड़ (Formal specification) • ܗࣜख๏Λ༻͍ͯ࢓༷Λهड़͢Δ • ϓϩάϥϜͷ։ൃࣗମ͸ܗࣜख๏ͱরΒ͠߹Θͤͳ͕Βߦ͏ •

   ܗࣜత։ൃ͓Αͼݕূ (Formal development and formal verification) • ܗࣜख๏Λ༻͍ͯ࢓༷Λهड़͢Δ(B-method3 ͳͲ) • هड़ͨ͠࢓༷ΛߋʹৄࡉԽ͍͖ͯ͠ϓϩάϥϜΛ࡞੒͢ΔͳͲ • ࣗಈݕূ (Theorem provers) • ࣗಈఆཧূ໌ʹͯػցతͳূ໌Λߦ͏ • ఆཧΛ༩͑ΔͱϓϩάϥϜ͕ؤுͬͯূ໌ͯ͘͠ΕΔΑ͏ͳ΋ͷ 3 ύϦͷϝτϩ 14 ߸ઢͳͲͰ࢖ΘΕ͍ͯΔΒ͍͠ hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 4

5. ܗࣜख๏ͷΞϓϩʔν • ఆཧূ໌ • γεςϜΛ࿦ཧࣜͷू߹ͱͯ͠هड़͢Δ • ࿦ཧࣜΛެཧͱਪ࿦نଇʹ΋ͱ͍ͮͯূ໌͍ͯ͘͠ • େମͷ৔߹ͰࣗಈͰ͸ূ໌Ͱ͖ͳ͍ͷͰਓ͕ؒࢧԉ͠ͳ͕Βূ໌͢Δ •

   B-method ͳͲ͕༗໊ • Ϟσϧݕࠪ • ର৅ͱ͢ΔγεςϜΛঢ়ଶભҠਤͰϞσϧԽ • ࣌૬࿦ཧࣜ4ͱݺ͹ΕΔࣜͰੑ࣭Λهड़ • ঢ়ଶભҠͷঢ়ଶΛ໢ཏ୳ࡧͯ࣌͠૬࿦ཧࣜΛຬ͔ͨ͢ݕࠪ͢Δ • SPIN ͳͲ͕༗໊ 4 ࣌ؒͱͷؔ܎ͰมԽ͢Δঢ়ଶΛهड़͢Δ࿦ཧࣜͷ͜ͱ hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 5

6. ܰྔͳܗࣜख๏ • ܗࣜख๏͸೉͍͠ • Ϟσϧݕࠪ͸૊Έ߹Θͤരൃ͕ى͖Δ • ఆཧূ໌͸େମͷ৔߹ͰࣗಈͰূ໌Ͱ͖ͳ͍ • ιϑτ΢ΣΞͷҰ෦ͷঢ়ଶΛ໢ཏతʹݕࠪ͢Δ •

   ΄ͱΜͲͷܽؕ͸ɺখ͍͞୳ࡧൣғͰ͋ͬͯ΋൓ྫͱͯ͠ൃݟ͞ΕΔ (Small Scope Hypothesis) • ࠷΋ܽؕͷى͖ͦ͏ͳ৔ॴΛूதతʹݕࠪ͢Δͷ͕ྑ͍ͩΖ͏ͱ͍͏ൃ૝ (Daniel Jackson) • Alloy Analyzer ͳͲ͕༗໊ • Πϯϑϥߏ੒Ͱ΋ܗࣜख๏ΛऔΓೖΕΑ͏ͱ͢Δਓ΋͍Δ 5 5 http://ccvanishing.hateblo.jp/entry/2016/06/06/051120 hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 6

7. AWS ͷྫ • AWS Ͱ͸ 2011 ೥͔Βܗࣜख๏Λ࠾༻͍ͯ͠Δ 6 • ෼ࢄγεςϜͷΞϧΰϦζϜઃܭͳͲ

   • DynamoDB/S3/EBS ͳͲ • AWS Ͱ͸ TLA+ ͱ͍͏΋ͷΛ࢖ͬͯܗࣜख๏Λѻ͍ͬͯΔ • ࠷ॳʹ༗༻ੑ͕࣮ূ͞Εͨͷ͸ DynamoDB • େମೋि͙ؒΒ͍Ͱ TLA+ ͰΞϧΰϦζϜ͕ॻ͚ͨΒ͍͠ • ݕূ༷ͯ͠ʑͳো֐ύλʔϯͷચ͍ग़͠ʹ੒ޭ • DynamoDB ͷ੒ޭΛड͚ͯ S3/EBS ͳͲͰ΋ܗࣜख๏͕औΓೖΕΒΕΔ 6 How Amazon web services uses formal methods: http://dl.acm.org/citation.cfm?id=2749359.2699417 hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 7

8. Raft Λ TLA+ Ͱهड़ͨ͠ྫ • https://github.com/ongardie/raft.tla/blob/master/raft.tla CONSTANTS RequestVoteRequest, RequestVoteResponse, AppendEntriesRequest,

   AppendEntriesResponse Quorum == {i \in SUBSET(Server) : Cardinality(i) * 2 > Cardinality(Server)} InitHistoryVars == /\ elections = {} /\ allLogs = {} /\ voterLog = [i \in Server |-> [j \in {} |-> <<>>]] InitServerVars == /\ currentTerm = [i \in Server |-> 1] /\ state = [i \in Server |-> Follower] /\ votedFor = [i \in Server |-> Nil] InitCandidateVars == /\ votesResponded = [i \in Server |-> {}] /\ votesGranted = [i \in Server |-> {}] hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 8

9. ܕγεςϜ΍ฒྻॲཧͱ͔ͷྫ • ܕγεςϜ: ू߹࿦ͱͯ͠ߟ͑Δ • ܕ(Int ͱ͔)͸ू߹ɾͦͷܕʹॴଐ͢Δม਺͸ू߹ཁૉ • ܭࢉϞσϧ: ϥϜμܭࢉͱ͍͏ܭࢉ໛ܕΛ࢖͏

   • (͜Ε͸ Python ͷ lambda x: x ͷҙຯ) • ฒߦܭࢉϞσϧ: πܭࢉͳͲͷܭࢉ໛ܕΛ࢖͏ • (͜Ε͸νϟωϧ x ʹ஋ ΛૹΔͱ͍͏ҙຯ) hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 9

10. ·ͱΊ • ܗࣜख๏ʹೖ໳ͨ͠ • ΑΓ҆શͰݎ࿚ͳιϑτ΢ΣΞΛ࡞Δʹ͸ܗࣜख๏͕༗ޮͰ͋Δ • ݱঢ়͸೉͗͢͠Δ͕೔ʑͷۀ຿ͳͲʹ΋ద༻Ͱ͖ΔͷͰ͸ʁ • ιϑτ΢ΣΞςετͰঢ়ଶΛ͢΂ͯ໢ཏ͢Δͷ͸೉͍͠ •

    ܕγεςϜ΍ϥϜμܭࢉ΍πܭࢉ΋ීஈͷϓϩάϥϛϯάͱؔ࿈͍ͯͯ͠໘ന͍ • ͳͥ Rust ͸ܕ҆શͱ͞Ε͍ͯΔͷ͔ʁͳͥ C ͸ܕ҆શͰ͸ͳ͍ͷ͔ʁ • ΋ͬͱܗࣜख๏͕؆୯ʹͳΕ͹͍͍ͳ͋ͱࢥ͍ͬͯΔ hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 10

11. ࢀߟࢿྉ • http://dl.acm.org/citation.cfm?id=2749359.2699417 • http://research.microsoft.com/en-us/um/people/lamport/tla/ amazon.html • https://brooker.co.za/blog/2014/08/09/formal-methods.html • http://brooker.co.za/blog/2015/03/29/formal.html

    • https://www.infoq.com/presentations/aws-testing-tla • http://perspectives.mvdirona.com/2014/07/challenges-in-designing- at-scale-formal-methods-in-building-robust-distributed-systems/ hbstyle 2016/06/09 - Yoshikawa Ryota ( @rrreeeyyy ) 11