Expressive Multi-theory Reasoning for Interactive Verification
Lead Research Organisation:
University of Cambridge
Department Name: Computer Science and Technology
Abstract
As established by a panel of distinguished researchers and industrial users, Grand Challenge #6 for computer science is Dependable Systems Evolution: The vision of GC6 is of a future in which all computer systems justify the trust that society increasingly places in them. One of the key notions of what it means to be dependable is verifiability, i.e., one can guarantee that the computer system does what it is supposed to do. The highest possible level of verifiability is called formal verification , which produces a mathematical proof of a system's reliability.Formal verification for hardware and software is now widely used in mission-critical real-world applications. These include the embedded code in NASA deep space probes, the arithmetic chips in Intel and AMD CPUs, and device driver code in large consumer operating systems such as Microsoft Windows. To achieve the highest level of quality assurance, formal verification is now an essential complement to testing and simulation.Formal verification relies critically on the automation of proof methods for the mathematical theories that are used to describe systems. Automated proof can be done deductively, by proceeding via composition of simple proof rules, or non-deductively, by directly exploiting our knowledge of these theories. Non-deductive proof is fast, but the reliability of deductive proof is more obvious because it can be broken up into simple pieces.In an ideal world, non-deductive proof automation programs are used as oracles for deductive ones. The difficulty is in coming up with deductive versions of the non-deductive program's answers. Achieving a clean and useful integration of non-deductive and deductive proof automation programs is a non-trivial problem.Our research looks at proofs for a relatively new but widely deployed class of non-deductive prover programs called SMT solvers . These are specialised programs for automatically proving assertions about the behaviour of computer systems, when these assertions are expressed as mathematical formulae. We plan to augment SMT solvers to allow more complex assertions to be expressed, and then to explore methods for speeding up the deductive analysis of the answers produced by SMT solvers. Both these objectives will improve the effectiveness of industrial-strength formal verification. In this endeavour we have strong support from both industry and academia. In related previous work we achieved thousands-fold speed-ups in the deductive analysis of Boolean problem solvers, for the first time making deductive verification feasible for industrial Boolean problems. We have high hopes for repeating this success. Success would mean a vastly improved capability for deductive verification, and hence the ability to provide reliable high-level quality-assurance tool kits for considerably more complicated computer systems than is currently possible.
People |
ORCID iD |
| Mike Gordon (Principal Investigator) | |
| Hasan Amjad (Researcher) |
Publications
Michael Gordon (Author)
(2012)
EPSRC Final Report
Weber T
(2011)
SMT solvers: new oracles for the HOL theorem prover
in International Journal on Software Tools for Technology Transfer
| Description | Interactive theorem provers are software tools that assist with the development of formal proofs. Their applications range from pure mathematics to the verification of safety-critical computer systems. A human expert guides the overall proof search, and the details are filled in by the tool. With proper guidance, interactive theorem provers can prove the most difficult theorems. Man-machine cooperation is indispensable: many deep theorems will be out of reach of fully automatic provers for the foreseeable future. However, because interactive theorem proving relies on human experts, it is a labour-intensive and therefore costly technology. More automation is needed. In this project, we integrated Satisfiability Modulo Theories (SMT) solvers with two popular interactive theorem provers. SMT solvers are fully automatic provers. By restricting themselves to properties of a certain kind, SMT solvers achieve astonishing performance even on very large problems. Our integration allows users of interactive theorem provers to simply hand over proof obligations to the SMT solvers, which will then prove them without further guidance. Proofs that previously would have required dozens of user interactions can now be proved automatically, often in seconds. SMT solvers, like any other complex software, harbour bugs. When verifying safety-critical systems, a bug in the SMT solver could lead to a bug in our reasoning, with potentially catastrophic consequences: we might be led to believe that a system is safe when, in fact, it is not. To address this issue, we adopted a sceptical approach in this project: beyond a mere yes/no answer, we require the SMT solver to produce a proof of its result. The proof is then automatically checked in the interactive theorem prover. Proof checking is ultimately performed by a very small - and therefore highly trustworthy - piece of code. SMT solvers may generate proofs that consist of millions of individual reasoning steps; one of the challenges that we had to solve was efficient checking for such large proofs. We also integrated Quantified Boolean Formulae (QBF) solvers with interactive theorem provers in a similar fashion. QBF solvers are akin to SMT solvers in that they are highly specialized, fully automatic provers. However, QBF solvers tackle problems that are more complex (in a precise technical sense) than most SMT problems. Their integration therefore posed a different challenge, whose efficient solution required new ideas. To evaluate our integrations of automatic solvers, we conducted two substantial case studies. The first case study established a fine-grained hierarchy of algebraic structures in the interactive theorem prover Isabelle/HOL, together with a repository of more than 1000 facts obtained by automated theorem proving. Our results show that Isabelle's tool integration makes automated algebraic reasoning particularly simple. The second case study established a mathematical (yet readable) semantics for C++ concurrency. Our formal semantics exposed several flaws in the C++11 Draft standard; these have now been fixed in the final (ISO-approved) version of C++11. |
| Sectors | Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software) |
| Description | In this project, we integrated Satisfiability Modulo Theories (SMT) solvers with two popular interactive theorem provers. SMT solvers are fully automatic provers. By restricting themselves to properties of a certain kind, SMT solvers achieve astonishing performance even on very large problems. SMT solvers, like any other complex software, harbour bugs. When verifying safety-critical systems, a bug in the SMT solver could lead to a bug in our reasoning, with potentially catastrophic consequences: we might be led to believe that a system is safe when, in fact, it is not. We also integrated Quantified Boolean Formulae (QBF) solvers with interactive theorem provers in a similar fashion. QBF solvers are akin to SMT solvers in that they are highly specialized, fully automatic provers. However, QBF solvers tackle problems that are more complex (in a precise technical sense) than most SMT problems. Their integration therefore posed a different challenge, whose efficient solution required new ideas. To evaluate our integrations of automatic solvers, we conducted twosubstantial case studies. The first case study established a fine-grained hierarchy of algebraic structures in the interactive theorem prover Isabelle/HOL, together with a repository of more than 1000 facts obtained by automated theorem proving. Our results show that Isabelle's tool integration makes automated algebraic reasoning particularly simple. The second case study established a mathematical (yet readable) semantics for C++ concurrency. Our formal semantics exposed several flaws in the C++11 Draft standard; these have now been fixed in the final (ISO-approved) version of C++11. |
| First Year Of Impact | 2004 |
| Sector | Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software) |