Formal Methods: Model Checkers and Theorem Provers Emerson Murphy-Hill (Slides from Travis Breaux)

Verification The process of verification involves identifying inconsistencies and ambiguities in a system, which are otherwise likely to go undetected. Some of the formal verification techniques include: Model checking and Theorem proving [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  2

Model Checking Model checking involves building a finite model of the system to verify its properties. Involves an exhaustive state-space search. Primarily used in hardware and protocol verification. What are the different approaches to model checking? Temporal model checking : specifications are represented as temporal logic expressions and systems modeled as finite state machines and the two are compared to ensure that the finite state machine correctly models the specifications. Second approach: Both specifications and the system are represented by an automaton and compared to identify conformance. [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  3

State space explosion problem The number of states in a system grows exponentially with an increase in the number of variables in a program. For instance, consider a program with 5 boolean variables and 6 integers. The number of states that would need to be checked = 2 ^ 5 * 10 ^ 6 = 32000000 states. Since every value that the variable is likely to take should be checked, it results in an explosion of states. Heuristics can be used to prioritize state space search. For instance, identifying and exploring important states first. 4

Case study Formal modeling and verification techniques were applied to the International Telecommunications Union (formerly CCITT) ISDN/IUPP (ISDN User Part Protocol). 145 requirements were formalized using temporal logic and proofs were produced by automated model checkers. 112 errors were detected and fixed and about 55% of the original design was found to be logically inconsistent. [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  5

Theorem Proving Theorem proving is the technique in which both the system and its properties are expressed as formulae. It defines a set of axioms and inference rules for the system. Theorem proving involves obtaining a proof for a system’s property by making use of its axioms and rules. Theorem provers could be highly automated for general purpose operations or be interactive in nature, to assist in special-purpose operations. [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  6

Case study Nqthm - a theorem prover, has been used to check a proof of Godel’s first incompleteness theorem, and in a variety of large-scale verification efforts. Boyer and Yu used Nqthm’s specification of the Motorola 68020 microprocessor (binary machine code programs) to verify their correctness. [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  7

Comparison of Model Checkers and Theorem Provers Model checkers are completely automatic and generate results faster than theorem provers. They can be used to verify partial specifications, even if a system’s full specifications are not available. Model checkers face the state space explosion problem whereas theorem proving can deal with infinite state spaces. Interactive theorem provers allow humans to interact with the provers, which might result in a slow and error-prone process. [3] Edmund M. Clarke, Jeannette M. Wing: Formal Methods: State of the Art and Future Directions. 626-643  8