opportunities for industrial applications of formal
play

Opportunities for Industrial Applications of Formal Methods John - PowerPoint PPT Presentation

Mar 06, 2024 •288 likes •740 views

Opportunities for Industrial Applications of Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I CAL Inauguration Seminar: 1 Formal Methods These are ways for exploring properties

  1. Opportunities for Industrial Applications of Formal Methods John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I CAL Inauguration Seminar: 1

  2. Formal Methods • These are ways for exploring properties of computational systems for all possible executions • As opposed to testing or simulation ◦ These just sample the space of executions • Formal methods use symbolic methods of calculation, e.g., ◦ Abstract interpretation ◦ Model checking ◦ Theorem proving • Cf. x 2 − y 2 = ( x − y )( x + y ) vs. 5*5-3*3 = (5-3)*(5+3) John Rushby, SR I CAL Inauguration Seminar: 2

  3. Practical Formal Methods • Symbolic calculations have high computational complexity ◦ NP Hard or worse, often superexponential, sometimes undecidable • So to make them practical we have to compromise ◦ Accept some wrong answers ⋆ Incompleteness (false alarms) ⋆ Unsoundness (undetected bugs) ◦ Consider only very simple properties (not full correctness) ◦ Focus on models of the software, not the actual code ◦ Use human guidance • Let’s look at some of these John Rushby, SR I CAL Inauguration Seminar: 3

  4. Bug Finding by Static Analysis • Many commercial tools are available for this ◦ E.g., Coverity, KlocWork, CodeSonar, . . . FindBugs, . . . Lint ◦ These work on C, C++, Java • Most are tuned to reduce the number of false alarms • Even at the cost of missing some real bugs (i.e., unsound) • Because the main market is in bug finding John Rushby, SR I CAL Inauguration Seminar: 4

  5. Example: Bug Finding by Static Analysis unsigned int X, Y; int x, y, z; while (1) { y = 1; while (1) { /* ... */ if (x > 0) { B = (X == 0); /* ... */ y = y+x if (B) { } else { Y = 1 / X y = y-x } ; } /* ... */ z = 1 / y } ; } A simple static analyzer will find the bug on the left, but will probably give a false alarm for the correct program on the right • Or else fail to find the bug when y is initialized to 0 John Rushby, SR I CAL Inauguration Seminar: 5

  6. Verification by Static Analysis • Some tools are tuned the other way • Mostly for safety-critical applications • Guarantee to find all bugs in a certain class (i.e., sound) • Possibly at the cost of false alarms • For example Spark Examiner: guarantee absence of runtime errors (e.g., divide by zero) in Ada Astr´ ee guarantee no over/underflow or loss of precision in floating point calculations (in C generated from SCADE) John Rushby, SR I CAL Inauguration Seminar: 6

  7. Example: Verification by Static Analysis We abstract integers by their signs x, y in { neg, zero, pos } int x, y, z; y = 1; y is pos while (1) { if (x > 0) { y ← pos ⊕ pos; i.e., pos y = y+x x is pos; } else { x ∈ { zero, neg } ; y ← pos ⊖ { zero, neg } , y = y-x } i.e., pos z = 1 / y division is ok } This is an example of data abstraction; other methods include predicate abstraction, and abstract interpretation John Rushby, SR I CAL Inauguration Seminar: 7

  8. Model Checking • Most static analyzers consider only simple properties ◦ Often the properties are built-in and fixed ◦ E.g., range of values each variable may take • Model checking is more versatile • User can specify property • There are model checkers for C and Java • But most work on more abstract models of software (typically state machines) • We’ll do an example John Rushby, SR I CAL Inauguration Seminar: 8

  9. Car Door Locking Example • Highly simplified from an example by Philipps and Scholz • Controller for door locks ◦ To keep it simple, we’ll have just one door • The lock can be in one of four states: locking, unlocking, locked, unlocked Starts in the unlocked state • At each time step it takes an input with one of three values open, close, idle And asserts a signal ready when it is locked or unlocked • The controller receives the ready signal from the lock, a crash signal from the airbag, and a command from the user open, close, idle • Safety requirement: ◦ Door is unlocked following open command, or crash John Rushby, SR I CAL Inauguration Seminar: 9

  10. Car Door Locking Example (ctd) • The lock is given, it behaves as follows ◦ When it receives a close input: ⋆ Does nothing if already locked ⋆ If it is unlocked , goes to the intermediate locking state ⋆ If it is locking , goes to locked ⋆ If it is unlocking , nondeterministically continues to unlocked , or reverses to locking ◦ Mutatis mutandis for open input ◦ See state machine on next page • Our task is to design the controller ◦ Lock may still be performing a previous action ◦ Only visibility into the lock’s state is the ready signal ◦ Which it sees with one cycle delay John Rushby, SR I CAL Inauguration Seminar: 10

  11. Lock and Controller Lock (given) Controller (designed) Inputs output unlocked locking crash open close open open close close open idle & ready idle unlocking locked else repeat last Output ready in green states John Rushby, SR I CAL Inauguration Seminar: 11

  12. Model Checking the Car Door Locking Example • Typically, we would specify this in a statecharts-like graphical formalism (e.g., StateFlow) • But I will use the textual input to the SAL model checkers so we can see more of what is going on • It’s fairly easy to build translators and GUIs from engineering notations to the raw notation of a model checker John Rushby, SR I CAL Inauguration Seminar: 12

  13. The Car Door Locking Example: Model Checker Input Ideally, use an integrated front end; here we look at raw model-checker input Integrated front−end development environment Ideally AADL, UML2, Matlab TOPCASED, SSIV etc. Evidential Tool Bus (ETB) This example SAL PVS Yices John Rushby, SR I CAL Inauguration Seminar: 13

  14. Beginning of the lock Module in SAL lock: MODULE = BEGIN INPUT action: lockaction OUTPUT ready: BOOLEAN LOCAL state: lockstate INITIALIZATION state = unlocked DEFINITION ready = (state = locked OR state = unlocked); TRANSITION [ locking: action = close AND state = unlocked --> state’ = locking; [] reverse_unlocking: action = close AND state = unlocking --> state’ IN { s: lockstate | s = locking OR s = unlocked } John Rushby, SR I CAL Inauguration Seminar: 14

  15. Rest of the lock Module in SAL [] lock: state = locking --> state’ = locked; [] unlocking: action = open AND state = locked --> state’ = unlocking; [] reverse_locking: action = open AND state = locking --> state’ IN { s: lockstate | s = unlocking OR s = locked } [] unlock: state = unlocking --> state’ = unlocked; [] ELSE --> ] END; John Rushby, SR I CAL Inauguration Seminar: 15

  16. Beginning of the controller Module in SAL controller: MODULE = BEGIN INPUT user: lockaction, ready: BOOLEAN, crash: BOOLEAN OUTPUT action: lockaction INITIALIZATION action = idle; John Rushby, SR I CAL Inauguration Seminar: 16

  17. Rest of the controller Module in SAL TRANSITION [ crash: crash --> action’ = open; [] open: user = open --> action’ = open; [] close: user = close --> action’ = close; [] return_to_idle: user = idle AND ready --> action’ = idle; [] ELSE --> ] END; John Rushby, SR I CAL Inauguration Seminar: 17

  18. Specifying The System and a Property • The system is the synchronous composition of the two modules system: MODULE = lock || controller; • Inputs and outputs with matching names (i.e., lockaction and ready ) are automatically “wired up” • Now we’ll check a property: whenever the user gives an open input, then the state will eventually be unlocked ◦ We need to be careful that the user doesn’t immediately cancel the open with a close ◦ So we’ll require that there are no close inputs following the open • We could have GUI for specifying properties, but here we’ll use Linear Temporal Logic (LTL) which is the raw input to a model checker John Rushby, SR I CAL Inauguration Seminar: 18

  19. A Formal Analysis • We specify the property in LTL as follows: prop1: LEMMA system |- G(user=open AND X(G(user /= close)) => F(state=unlocked)); • In LTL, G means always, F means eventually, and X means next state ◦ These are sometimes written ✷ , ✸ , and ◦ , respectively • We put all the SAL text into a file door.sal • Then we can ask the SAL symbolic model checker to check the property prop1 : sal-smc -v 3 door prop1 • In a fraction of a second it says: proved • Unlike a simulation, this has considered all possible scenarios satisfying the hypothesis (e.g., whether lock is ready or not). John Rushby, SR I CAL Inauguration Seminar: 19

  20. More Analyses • We can check that the door eventually always stays unlocked prop1a: LEMMA system |- G(user = open AND X(G(user /= close)) => F(G(state = unlocked))); • And we can sharpen eventually to four steps prop1b: LEMMA system |- G(user=open AND X(G(user/=close)) => XXXX(G(state = unlocked))); ( XXXX is a macro for four applications of X ) • We can check that four is the minimum by trying three prop1c: LEMMA system |- G(user=open AND X(G(user/=close)) => XXX(state = unlocked)); • Sure enough, SAL says invalid John Rushby, SR I CAL Inauguration Seminar: 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Honeywell is Making Industrial Wireless Real Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless Exciting Opportunities/Benefits from Wireless Choosing a Wireless Solution Why Honeywell?

851 views • 38 slides
Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Honeywell is Making Industrial Wireless Real Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless Exciting Opportunities/Benefits from Wireless Choosing a Wireless Solution Why Honeywell?

763 views • 35 slides
Chapter Four: DFA Applications Formal Language, chapter 4, slide 1 1 We have seen how DFAs

Chapter Four: DFA Applications Formal Language, chapter 4, slide 1 1 We have seen how DFAs

Chapter Four: DFA Applications Formal Language, chapter 4, slide 1 1 We have seen how DFAs can be used to define formal languages. In addition to this formal use, DFAs have practical applications. DFA- based pieces of code lie at the

463 views • 20 slides
New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial

New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial

New Opportunities in Industrial Cooperation in Israel Th The indus e industrial cooperat trial cooperation ion re regu gulations lations Thre hreshold shold Valu alue 35%-50% of transaction value Initial transaction: $5m (20%

180 views • 13 slides
Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel

Real numbers in the real world Industrial applications of theorem proving John Harrison Intel Corporation 30th May 2006 0 Overview Famous computer arithmetic failures Formal verification and theorem proving Floating-point

627 views • 34 slides
B3: INDUSTRIAL LEASING VS STRATA OWNERSHIP OPPORTUNITIES MODERATOR:

B3: INDUSTRIAL LEASING VS STRATA OWNERSHIP OPPORTUNITIES MODERATOR:

B3: INDUSTRIAL LEASING VS STRATA OWNERSHIP OPPORTUNITIES MODERATOR: RON BAGAN, EXECUTIVE VICE PRESIDENT | VANCOUVER INDUSTRIAL, COLLIERS INTERNATIONAL

322 views • 10 slides
Parnas Tables: An Experience with Formal Verification in an Industrial Setting Bill Kelly OPGI

Parnas Tables: An Experience with Formal Verification in an Industrial Setting Bill Kelly OPGI

Parnas Tables: An Experience with Formal Verification in an Industrial Setting Bill Kelly OPGI ( retired) Parnas Tables An Experience with Formal Verification in an Industrial Setting This talk describes the use of a method of formal

427 views • 29 slides
Efficient IoT Framework for Industrial Applications Pablo Pual Pereira Industrial Electronics

Efficient IoT Framework for Industrial Applications Pablo Pual Pereira Industrial Electronics

DOCTORAL THESIS Efficient IoT Framework for Industrial Applications Pablo Pual Pereira Industrial Electronics Department of Computer Science, Electrical and Space Engineering Division of EISLAB Lule University of Technology, Lule,

453 views • 41 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Deploying Machine Translation in an Industrial Setting: Challenges and Opportunities

Deploying Machine Translation in an Industrial Setting: Challenges and Opportunities

Deploying Machine Translation in an Industrial Setting: Challenges and Opportunities Opportunities Opportunity 1 On-line spending power 2020 - $16 trillion English only! ( Source: PracticalEcommerce ) Industry without borders 2020 -

379 views • 19 slides
Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier Univ. Grenoble Alpes LIG/Vasco + Vrimag/PACSS Kobe Universit

1.02k views • 33 slides
Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical Industry Dr Gino Martini FRPharmS EIPG President Why do I enjoy being an Industrial Pharmacist? Something happened here Sir Alexander Fleming & his

647 views • 46 slides
Empowering the Commercial & Industrial Customer: New Opportunities, New Technologies

Empowering the Commercial & Industrial Customer: New Opportunities, New Technologies

Empowering the Commercial & Industrial Customer: New Opportunities, New Technologies EURELECTRIC Annual Conference Berlin, June 1 st , 2015 Dr. Arndt Neuhaus CEO of RWE Deutschland and RWE Retail Fundamental changes towards a new energy

512 views • 10 slides
Industrial use of a safe and efficient formal method based software engineering process in

Industrial use of a safe and efficient formal method based software engineering process in

Industrial use of a safe and efficient formal method based software engineering process in avionics Presented by Jean Souyris Airbus Operations SAS Abderrahmane Brahmi*, Marie-Jo Carolus*, David Delmas*, Mohamed Habib Essoussi*, Pascal

547 views • 16 slides
ITW SYSTEMS: Optimal LED lighting solution for industrial and commercial applications About us

ITW SYSTEMS: Optimal LED lighting solution for industrial and commercial applications About us

ITW SYSTEMS: Optimal LED lighting solution for industrial and commercial applications About us IntelTech Worldwide (ITW) is a US-owned Ukraine-based manufacturer of energy efficient industrial Light Emitting Diode (LED) lighting

1.07k views • 19 slides
INDUSTRIAL PHOTOGRAMMETRY FOR APPLICATIONS IN AUTOMOTIVE AND AEROSPACE INDUSTRY 56th

INDUSTRIAL PHOTOGRAMMETRY FOR APPLICATIONS IN AUTOMOTIVE AND AEROSPACE INDUSTRY 56th

INDUSTRIAL PHOTOGRAMMETRY FOR APPLICATIONS IN AUTOMOTIVE AND AEROSPACE INDUSTRY 56th Photogrammetric Week 1 22/08/2017 INDUSTRIAL PHOTOGRAMMETRY FOR APPLICATIONS IN AUTOMOTIVE AND AEROSPACE INDUSTRY Werner Bsemann AICON 3D Systems GmbH

472 views • 46 slides
3.1. Strategic Behavior Matilde Machado Slides available from:

3.1. Strategic Behavior Matilde Machado Slides available from:

3.1. Strategic Behavior Matilde Machado Slides available from: http://www.eco.uc3m.es/mmachado/Teaching/OI-I-MEI/index.html 1 3.1. Strategic Behavior The analysis of strategic behavior starts by formulating a game. A game is made of:

547 views • 10 slides
25 Years of Change in British Employment Relations John Forth (NIESR) John Forth (NIESR)

25 Years of Change in British Employment Relations John Forth (NIESR) John Forth (NIESR)

25 Years of Change in British Employment Relations John Forth (NIESR) John Forth (NIESR) Brussels 19 th March 2009 Overview What are the main trends in collective employee representation in Britain since 1980? Has the declining

254 views • 22 slides
Examining the economic impact of Industrial Action activities in South Africa, 2003-2014 Megan

Examining the economic impact of Industrial Action activities in South Africa, 2003-2014 Megan

Examining the economic impact of Industrial Action activities in South Africa, 2003-2014 Megan Williams Derek Yu 1 Outline Conceptual framework Theoretical framework Legislative framework Review of past empirical studies (very

717 views • 24 slides
Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET &

Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET &

Outline of New GOJ Privacy Framework JIM FOSTER KEIO INTERNATIONAL PROJECT FOR THE INTERNET & SOCIETY Basic Outline Proposed revisions to Personal Information Privacy Law released June 24 by IT Strategy HQ; 30-day public comment period ends

364 views • 12 slides
What are the stakes? Join today! https://www.ucu.org.uk/join www.facebook.com/cambridgeucu

What are the stakes? Join today! https://www.ucu.org.uk/join www.facebook.com/cambridgeucu

2018 Pay and Equality Ballot: What are the stakes? Join today! https://www.ucu.org.uk/join www.facebook.com/cambridgeucu www.ucu.cam.ac.uk Twitter @CambridgeUCU What does UCU do? The trade union in HE and FE for: National bargaining

666 views • 14 slides
UPPAAL Model Checking, Performance Analysis and Testing of Real Time Systems Kim G. Larsen CISS

UPPAAL Model Checking, Performance Analysis and Testing of Real Time Systems Kim G. Larsen CISS

UPPAAL Model Checking, Performance Analysis and Testing of Real Time Systems Kim G. Larsen CISS Aalborg University DENMARK CISS Center For Embedded Software Systems Regional ICT Center (2002- ) 3 research groups

536 views • 49 slides
Collaboration: Engaging Members and Partners Shannon Studden Program Specialist July 31, 2018

Collaboration: Engaging Members and Partners Shannon Studden Program Specialist July 31, 2018

Collaboration: Engaging Members and Partners Shannon Studden Program Specialist July 31, 2018 1 Rural Health Innovations (RHI), LLC, is a subsidiary of the National Rural Health Resource Center (The Center), a non-profit organization.

447 views • 32 slides
Researching the Scope of an Issue Know Your Issue Modules (Part 1) Workshop Goals: Understand

Researching the Scope of an Issue Know Your Issue Modules (Part 1) Workshop Goals: Understand

Bonner Education Curriculum Researching the Scope of an Issue Know Your Issue Modules (Part 1) Workshop Goals: Understand the following: How your chosen issue area affects the local community Skills: Community-Based Research Methods

471 views • 31 slides

More recommend