AdaCore, profile picture
Uploaded byAdaCore
PDF, PPTX163 views

Taming event-driven software via formal verification

The document discusses the complexities of event-driven software, highlighting the challenges in testing and diagnosing issues due to the multitude of possible message orderings. It proposes formal verification as a mathematical approach to prove software correctness, emphasizing the importance of accurately describing events and the use of state machines in this verification process. Additionally, it outlines the development of a language called Coco, designed to facilitate verification-driven development of event-driven software, and addresses challenges such as data abstraction and handling liveness properties.

Embed presentation

Download as PDF, PPTX
TAMING EVENT-DRIVEN SOFTWARE VIA FORMAL VERIFICATION Dr Tom Gibson-Robinson CTO, Cocotec Limited
2 | © Cocotec Ltd 2022 EVENT-DRIVEN SOFTWARE Event-driven software is any software that consists of a number of components that communicate by sending messages. It’s often: • Stateful: sometimes handled by an “interesting” hand-written state machine implementation. • Asynchronous: requests start and complete later. • Concurrent: requests overlap – two peripherals might be sent commands that complete in either order. It can be found all over the software stack: • Drivers are often event driven. • User interfaces are event driven. • The core of hardware-centric systems often need to coordinate the other components via events. Hardware Drivers Algorithms User Interface Coordination Software Data Storage Communication
3 | © Cocotec Ltd 2022 CHALLENGES WITH EVENT-DRIVEN SOFTWARE Imagine there are three processes: • One producer who produces a sequence of n messages; • One producer who produces a sequence of m messages; • One consumer who reads these messages. In total, there are (n + m) C n possible orderings the consumer can receive the messages in. n m Interleavings 7 3 120 17 13 119 × 106 70 30 3 x 1025 Testing struggles to adequately cover the possible behaviours. Issues are also hard to diagnose if they happen in the field, since it requires fine-grained logging to know the entire history of events.
Testing Formal Verification 4 | © Cocotec Ltd 2022 An alternative approach is formal verification where the system is instead analysed mathematically and proven correct. FORMAL VERIFICATION
5 | © Cocotec Ltd 2022 An alternative approach is formal verification where the system is instead analysed mathematically and proven correct. To apply formal verification we have to: • Formally describe what we want to prove; • Formally describe what we can assume. Most verification tools for conventional programs use per-function contracts based on pre- and post- conditions to formalise this. FORMAL VERIFICATION /** * pre size > 0 * post size' = size – 1 && return_value == contents[size - 1] */ template <typename T> T stack<T>::pop_front() { … }
EVENT-DRIVEN CONTRACTS For event-driven software, this means we need to be able to describe: • The events, including any data in them; • The order that events will be seen in. State machines are good techniques for describing such properties. State machines can either be described graphically, or textually. State machines can act as either the specification or the assumption, depending on the context. port Executable { /// Starts the action function start() : Nil /// If the action is running, cancels it. function cancel() : Nil /// Sent when the action finishes. outgoing signal done() } 6 | © Cocotec Ltd 2022 This shows Coco, a language we have developed for developing event-driven software. • It facilitates verification-driven development. • Once correct, C and C++ code can be generated.
EVENT-DRIVEN CONTRACTS For event-driven software, this means we need to be able to describe: • The events, including any data in them; • The order that events will be seen in. State machines are good techniques for describing such properties. State machines can either be described graphically, or textually. State machines can act as either the specification or the assumption, depending on the context. port Executable { function start() : Nil function cancel() : Nil outgoing signal done() machine { state Idle { start() = setNextState(Running) } state Running { cancel() = setNextState(Idle) spontaneous = { done(); setNextState(Idle); } } } } 7 | © Cocotec Ltd 2022
EVENT-DRIVEN IMPLEMENTATIONS Executable is a convenient interface to use, but low-level hardware devices might not be able to send events directly. 8 | © Cocotec Ltd 2022 @runtime(.MultiThreaded) component PollerImpl { val client : Provided<Executable> val pollable : Required<Pollable> machine { state Idle { client.start() = { pollable.start(); setNextState(Running); } } state Running { client.cancel() = { … } periodic(milliseconds(100)) = { if (!pollable.isRunning()) { client.done(); setNextState(Idle); } } } } } port Pollable { function start() : Nil function cancel() : Nil function isRunning() : Bool machine { state Idle { start() = setNextState(Running) } state Running { cancel() = setNextState(Idle) isRunning() = nondet { { return true; }, @eventually { setNextState(Idle); return false; }, } } } } The component must implement the Executable state machine The component can assume pollable behaves as per the state machine
9 | © Cocotec Ltd 2022 TYPICAL ERRORS: DESYNCHRONISATION barrier[1] detects an obstruction Component handles the obstruction and considers the request cancelled When a new open() request starts, the component calls close on the still-closing barrier[0]
10 | © Cocotec Ltd 2022 TYPICAL ERRORS: MULTIPLE USERS Another user starts maintenance on the lift The bridge tries to start opening the lift, whilst the lift is still under maintenance. One user starts a request to open the bridge
11 | © Cocotec Ltd 2022 CHALLENGES
12 | © Cocotec Ltd 2022 CHALLENGE: LIVENESS Liveness properties are generally difficult to handle in formal verification tools. • Safety properties say nothing bad will happen. • Liveness properties say something good will eventually happen. port Pollable { function start() : Nil function cancel() : Nil function isRunning() : Bool machine { state Running { isRunning() = nondet { { return true; }, @eventually { setNextState(Idle); return false; }, } } } }
13 | © Cocotec Ltd 2022 CHALLENGE: DATA Data can cause verification time to increase. • Often the exact data values are not relevant to the stateful behaviour of the system. What we need is a way of abstracting the data so that only the the parts relevant to the verification remain. external val kThresholdPressure : Pressure = Pressure{ value = .OutOfRange } @runtime(.MultiThreaded) component PumpControllerImpl { val client : Provided<PumpController> val gauge : Required<PressureGauge> val pump : Required<Pump> machine { state Monitoring { periodic(milliseconds(100)) = { if (gauge.measure() >= kThresholdPressure) { pump.stop(); client.emergencyStop(); setNextState(Stopped); } } } … } }
14 | © Cocotec Ltd 2022 CHALLENGE: DATA enum AbstractPressure { case WithinRange case OutOfRange } @CPP.mapToType("uint32_t", .Value) external type Pressure { var value : AbstractPressure } port PressureGauge { function measure() : Pressure machine { measure() = Pressure{ value = nondet { .WithinRange, .OutOfRange } } } } external val kThresholdPressure : Pressure = Pressure{ value = .OutOfRange } @runtime(.MultiThreaded) component PumpControllerImpl { val client : Provided<PumpController> val gauge : Required<PressureGauge> val pump : Required<Pump> machine { state Monitoring { periodic(milliseconds(100)) = { if (gauge.measure() >= kThresholdPressure) { pump.stop(); client.emergencyStop(); setNextState(Stopped); } } } … } } External types have two relevant types: • The type at runtime • The type during verification Ports are specifications, so operate on the abstract verification types
15 | © Cocotec Ltd 2022 CHALLENGE: SCALING Large systems can be efficiently verified due to compositional verification. This means that each component is verified in isolation, using only the local ports: • This naturally corresponds to other formal verification techniques based around pre/post conditions. For Coco, the soundness of this is guaranteed by the underlying theory (which is based on CSP). There isn’t a limit to the scaling offered by this. The largest Coco system (we know of) has ~700 components, and is around 300k lines of code.
16 | © Cocotec Ltd 2022 LESSONS LEARNT • On applying formal verification: • Different verification tools have different capabilities, so choose the right tool for the right job! • Identifying a clear boundary is hard: • Existing software has often evolved away from a clean design. • Sometimes easier on new projects. • Scaling is less of an issue than thought: in practice humans fail to scale first! • On building Coco: • Language has to be defined around formal verification rather than bolted on. • Simulation and programmer-like debugging tools are vital for adoption beyond formal verification fanatics. • Liveness properties are hard, both for users and for the verification. • Open challenges: • Better ways of making assumptions about behaviour over multiple components. • Better ways of specifying bespoke properties.

More Related Content

PPTX
Testing Event Driven Architecture Presentation
byKnoldus Inc.
 
PPTX
Testing Event Driven Architecture Presentation
byKnoldus Inc.
 
PDF
AI for Program Specifications UW PLSE 2025 - final.pdf
byshuvendulahiri1
 
PDF
IPT Reactive Java IoT Demo - BGOUG 2018
byTrayan Iliev
 
PDF
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
byManuel Bernhardt
 
PDF
A VNF modeling approach for verification purposes
byIJECEIAES
 
PDF
Go Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
byJonas Bonér
 
PPTX
Concurrency Constructs Overview
bystasimus
 
Testing Event Driven Architecture Presentation
byKnoldus Inc.
 
Testing Event Driven Architecture Presentation
byKnoldus Inc.
 
AI for Program Specifications UW PLSE 2025 - final.pdf
byshuvendulahiri1
 
IPT Reactive Java IoT Demo - BGOUG 2018
byTrayan Iliev
 
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
byManuel Bernhardt
 
A VNF modeling approach for verification purposes
byIJECEIAES
 
Go Reactive: Event-Driven, Scalable, Resilient & Responsive Systems
byJonas Bonér
 
Concurrency Constructs Overview
bystasimus
 

Similar to Taming event-driven software via formal verification

PDF
Model Testing of Executable Statecharts using SISMIC
byTom Mens
 
PDF
Modern Embedded Software
byQuantum Leaps, LLC
 
PDF
Harton-Presentation
byHeather Harton
 
PDF
Reactive Microservices with Spring 5: WebFlux
byTrayan Iliev
 
PDF
Reactive Java Robotics and IoT - IPT Presentation @ Voxxed Days 2016
byTrayan Iliev
 
PPT
Reactive programming with examples
byPeter Lawrey
 
PDF
AI for Program Specifications Berkeley May 2025.pdf
byshuvendulahiri1
 
PDF
Reactive Web-Applications @ LambdaDays
byManuel Bernhardt
 
PDF
A Runtime Monitoring Framework for Event Streams with Non-Primitive Arguments
bySylvain Hallé
 
PPTX
IoT Supercharged: Complex event processing for MQTT with Eclipse technologies
byIstvan Rath
 
PPT
Devoxx
byMartin Odersky
 
PDF
IRJET- Verification of AXI IP Core(Protocol) using System Verilog
byIRJET Journal
 
PDF
IPT High Performance Reactive Java BGOUG 2016
byTrayan Iliev
 
PDF
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
bya001
 
PDF
A Survey of Concurrency Constructs
byTed Leung
 
PDF
Functional Systems @ Twitter
byC4Media
 
PDF
Predictive Datacenter Analytics with Strymon
byVasia Kalavri
 
PDF
SE 20016 - programming languages landscape.
byRuslan Shevchenko
 
PDF
Scala Days Highlights | BoldRadius
byBoldRadius Solutions
 
PDF
Ruslan.shevchenko: most functional-day-kiev 2014
byRuslan Shevchenko
 
Model Testing of Executable Statecharts using SISMIC
byTom Mens
 
Modern Embedded Software
byQuantum Leaps, LLC
 
Harton-Presentation
byHeather Harton
 
Reactive Microservices with Spring 5: WebFlux
byTrayan Iliev
 
Reactive Java Robotics and IoT - IPT Presentation @ Voxxed Days 2016
byTrayan Iliev
 
Reactive programming with examples
byPeter Lawrey
 
AI for Program Specifications Berkeley May 2025.pdf
byshuvendulahiri1
 
Reactive Web-Applications @ LambdaDays
byManuel Bernhardt
 
A Runtime Monitoring Framework for Event Streams with Non-Primitive Arguments
bySylvain Hallé
 
IoT Supercharged: Complex event processing for MQTT with Eclipse technologies
byIstvan Rath
 
Devoxx
byMartin Odersky
 
IRJET- Verification of AXI IP Core(Protocol) using System Verilog
byIRJET Journal
 
IPT High Performance Reactive Java BGOUG 2016
byTrayan Iliev
 
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
bya001
 
A Survey of Concurrency Constructs
byTed Leung
 
Functional Systems @ Twitter
byC4Media
 
Predictive Datacenter Analytics with Strymon
byVasia Kalavri
 
SE 20016 - programming languages landscape.
byRuslan Shevchenko
 
Scala Days Highlights | BoldRadius
byBoldRadius Solutions
 
Ruslan.shevchenko: most functional-day-kiev 2014
byRuslan Shevchenko
 

More from AdaCore

PPTX
Application of theorem proving for safety-critical vehicle software
byAdaCore
 
PDF
MISRA C in an ISO 26262 context
byAdaCore
 
PDF
Bounded Model Checking for C Programs in an Enterprise Environment
byAdaCore
 
PDF
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
PDF
Adaptive AUTOSAR - The New AUTOSAR Architecture
byAdaCore
 
PDF
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
PDF
Developing Future High Integrity Processing Solutions
byAdaCore
 
PDF
Multi-Core (MC) Processor Qualification for Safety Critical Systems
byAdaCore
 
PDF
Spark / Ada for Safe and Secure Firmware Development
byAdaCore
 
PDF
Software Engineering for Robotics - The RoboStar Technology
byAdaCore
 
PDF
Securing the Future of Safety and Security of Embedded Software
byAdaCore
 
PDF
The Application of Formal Methods to Railway Signalling Software
byAdaCore
 
PDF
The Future of Aerospace – More Software Please!
byAdaCore
 
PDF
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
byAdaCore
 
PDF
SPARKNaCl: A verified, fast cryptographic library
byAdaCore
 
PDF
Pushing the Boundary of Mostly Automatic Program Proof
byAdaCore
 
PDF
Product Lines and Ecosystems: from customization to configuration
byAdaCore
 
PDF
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
byAdaCore
 
PDF
Have we a Human Ecosystem?
byAdaCore
 
PDF
Rust and the coming age of high integrity languages
byAdaCore
 
Application of theorem proving for safety-critical vehicle software
byAdaCore
 
MISRA C in an ISO 26262 context
byAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
byAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
byAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
Developing Future High Integrity Processing Solutions
byAdaCore
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
byAdaCore
 
Spark / Ada for Safe and Secure Firmware Development
byAdaCore
 
Software Engineering for Robotics - The RoboStar Technology
byAdaCore
 
Securing the Future of Safety and Security of Embedded Software
byAdaCore
 
The Application of Formal Methods to Railway Signalling Software
byAdaCore
 
The Future of Aerospace – More Software Please!
byAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
byAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
byAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
byAdaCore
 
Product Lines and Ecosystems: from customization to configuration
byAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
byAdaCore
 
Have we a Human Ecosystem?
byAdaCore
 
Rust and the coming age of high integrity languages
byAdaCore
 

Recently uploaded

PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PPTX
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PDF
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
Agentic AI presentation with Python Exercises
byParth Mane
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 

Taming event-driven software via formal verification

  • 1.
    TAMING EVENT-DRIVEN SOFTWARE VIAFORMAL VERIFICATION Dr Tom Gibson-Robinson CTO, Cocotec Limited
  • 2.
    2 | ©Cocotec Ltd 2022 EVENT-DRIVEN SOFTWARE Event-driven software is any software that consists of a number of components that communicate by sending messages. It’s often: • Stateful: sometimes handled by an “interesting” hand-written state machine implementation. • Asynchronous: requests start and complete later. • Concurrent: requests overlap – two peripherals might be sent commands that complete in either order. It can be found all over the software stack: • Drivers are often event driven. • User interfaces are event driven. • The core of hardware-centric systems often need to coordinate the other components via events. Hardware Drivers Algorithms User Interface Coordination Software Data Storage Communication
  • 3.
    3 | ©Cocotec Ltd 2022 CHALLENGES WITH EVENT-DRIVEN SOFTWARE Imagine there are three processes: • One producer who produces a sequence of n messages; • One producer who produces a sequence of m messages; • One consumer who reads these messages. In total, there are (n + m) C n possible orderings the consumer can receive the messages in. n m Interleavings 7 3 120 17 13 119 × 106 70 30 3 x 1025 Testing struggles to adequately cover the possible behaviours. Issues are also hard to diagnose if they happen in the field, since it requires fine-grained logging to know the entire history of events.
  • 4.
    Testing Formal Verification 4| © Cocotec Ltd 2022 An alternative approach is formal verification where the system is instead analysed mathematically and proven correct. FORMAL VERIFICATION
  • 5.
    5 | ©Cocotec Ltd 2022 An alternative approach is formal verification where the system is instead analysed mathematically and proven correct. To apply formal verification we have to: • Formally describe what we want to prove; • Formally describe what we can assume. Most verification tools for conventional programs use per-function contracts based on pre- and post- conditions to formalise this. FORMAL VERIFICATION /** * pre size > 0 * post size' = size – 1 && return_value == contents[size - 1] */ template <typename T> T stack<T>::pop_front() { … }
  • 6.
    EVENT-DRIVEN CONTRACTS For event-drivensoftware, this means we need to be able to describe: • The events, including any data in them; • The order that events will be seen in. State machines are good techniques for describing such properties. State machines can either be described graphically, or textually. State machines can act as either the specification or the assumption, depending on the context. port Executable { /// Starts the action function start() : Nil /// If the action is running, cancels it. function cancel() : Nil /// Sent when the action finishes. outgoing signal done() } 6 | © Cocotec Ltd 2022 This shows Coco, a language we have developed for developing event-driven software. • It facilitates verification-driven development. • Once correct, C and C++ code can be generated.
  • 7.
    EVENT-DRIVEN CONTRACTS For event-drivensoftware, this means we need to be able to describe: • The events, including any data in them; • The order that events will be seen in. State machines are good techniques for describing such properties. State machines can either be described graphically, or textually. State machines can act as either the specification or the assumption, depending on the context. port Executable { function start() : Nil function cancel() : Nil outgoing signal done() machine { state Idle { start() = setNextState(Running) } state Running { cancel() = setNextState(Idle) spontaneous = { done(); setNextState(Idle); } } } } 7 | © Cocotec Ltd 2022
  • 8.
    EVENT-DRIVEN IMPLEMENTATIONS Executable isa convenient interface to use, but low-level hardware devices might not be able to send events directly. 8 | © Cocotec Ltd 2022 @runtime(.MultiThreaded) component PollerImpl { val client : Provided<Executable> val pollable : Required<Pollable> machine { state Idle { client.start() = { pollable.start(); setNextState(Running); } } state Running { client.cancel() = { … } periodic(milliseconds(100)) = { if (!pollable.isRunning()) { client.done(); setNextState(Idle); } } } } } port Pollable { function start() : Nil function cancel() : Nil function isRunning() : Bool machine { state Idle { start() = setNextState(Running) } state Running { cancel() = setNextState(Idle) isRunning() = nondet { { return true; }, @eventually { setNextState(Idle); return false; }, } } } } The component must implement the Executable state machine The component can assume pollable behaves as per the state machine
  • 9.
    9 | ©Cocotec Ltd 2022 TYPICAL ERRORS: DESYNCHRONISATION barrier[1] detects an obstruction Component handles the obstruction and considers the request cancelled When a new open() request starts, the component calls close on the still-closing barrier[0]
  • 10.
    10 | ©Cocotec Ltd 2022 TYPICAL ERRORS: MULTIPLE USERS Another user starts maintenance on the lift The bridge tries to start opening the lift, whilst the lift is still under maintenance. One user starts a request to open the bridge
  • 11.
    11 | ©Cocotec Ltd 2022 CHALLENGES
  • 12.
    12 | ©Cocotec Ltd 2022 CHALLENGE: LIVENESS Liveness properties are generally difficult to handle in formal verification tools. • Safety properties say nothing bad will happen. • Liveness properties say something good will eventually happen. port Pollable { function start() : Nil function cancel() : Nil function isRunning() : Bool machine { state Running { isRunning() = nondet { { return true; }, @eventually { setNextState(Idle); return false; }, } } } }
  • 13.
    13 | ©Cocotec Ltd 2022 CHALLENGE: DATA Data can cause verification time to increase. • Often the exact data values are not relevant to the stateful behaviour of the system. What we need is a way of abstracting the data so that only the the parts relevant to the verification remain. external val kThresholdPressure : Pressure = Pressure{ value = .OutOfRange } @runtime(.MultiThreaded) component PumpControllerImpl { val client : Provided<PumpController> val gauge : Required<PressureGauge> val pump : Required<Pump> machine { state Monitoring { periodic(milliseconds(100)) = { if (gauge.measure() >= kThresholdPressure) { pump.stop(); client.emergencyStop(); setNextState(Stopped); } } } … } }
  • 14.
    14 | ©Cocotec Ltd 2022 CHALLENGE: DATA enum AbstractPressure { case WithinRange case OutOfRange } @CPP.mapToType("uint32_t", .Value) external type Pressure { var value : AbstractPressure } port PressureGauge { function measure() : Pressure machine { measure() = Pressure{ value = nondet { .WithinRange, .OutOfRange } } } } external val kThresholdPressure : Pressure = Pressure{ value = .OutOfRange } @runtime(.MultiThreaded) component PumpControllerImpl { val client : Provided<PumpController> val gauge : Required<PressureGauge> val pump : Required<Pump> machine { state Monitoring { periodic(milliseconds(100)) = { if (gauge.measure() >= kThresholdPressure) { pump.stop(); client.emergencyStop(); setNextState(Stopped); } } } … } } External types have two relevant types: • The type at runtime • The type during verification Ports are specifications, so operate on the abstract verification types
  • 15.
    15 | ©Cocotec Ltd 2022 CHALLENGE: SCALING Large systems can be efficiently verified due to compositional verification. This means that each component is verified in isolation, using only the local ports: • This naturally corresponds to other formal verification techniques based around pre/post conditions. For Coco, the soundness of this is guaranteed by the underlying theory (which is based on CSP). There isn’t a limit to the scaling offered by this. The largest Coco system (we know of) has ~700 components, and is around 300k lines of code.
  • 16.
    16 | ©Cocotec Ltd 2022 LESSONS LEARNT • On applying formal verification: • Different verification tools have different capabilities, so choose the right tool for the right job! • Identifying a clear boundary is hard: • Existing software has often evolved away from a clean design. • Sometimes easier on new projects. • Scaling is less of an issue than thought: in practice humans fail to scale first! • On building Coco: • Language has to be defined around formal verification rather than bolted on. • Simulation and programmer-like debugging tools are vital for adoption beyond formal verification fanatics. • Liveness properties are hard, both for users and for the verification. • Open challenges: • Better ways of making assumptions about behaviour over multiple components. • Better ways of specifying bespoke properties.