Download presentation

Presentation is loading. Please wait.

Published byRuby May Modified over 4 years ago

1
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2
Context Investigate the role of proof planning within the SPARK approach to high integrity software Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems Ltd. www.macs.hw.ac.uk/~air/nuspade

3
Overview The SPARK approach Program verification in SPARK NuSPADE: Our Approach –Proof planning –Program analysis –Example Results and future work Conclusions

4
The SPARK Approach Developed by Praxis Critical Systems Ltd. For high integrity software: –Safety, security and mission critical software, e.g. SHOLIS - UK MoD Def Standard 00-55 SPARK is a programming language: –Defined as a subset of Ada that: Eliminates ambiguities to make static analysis possible Eliminates complexities to makes static analysis feasible Can be compiled by any Ada compiler! –Specification via code level annotations

5
The SPARK Tools Examiner: –Checks conformance to the SPARK subset –Performs information and data flow static analysis –Generates Verification Conditions (VCs) for both: partial correctness (correct if program terminates) Exception freedom (no run time errors) SPADE proof tools: –SPADE Simplifier a special purpose theorem prover –SPADE Proof Checker an interactive theorem prover

6
SPARK code + specification Examiner Program Verification in SPARK Verification Conditions SPADE Simplifier Typically 93% of exception freedom VCs are discharged automatically following this process Proof!

7
Program Verification in SPARK But the remaining 7% still account for hundreds of VCs... SPARK code + specification Verification Conditions SPADE Simplifier Remaining Verification Conditions Examiner Proof!

8
Why the Simplifier can Fail VC not provable: –Bug in the code –Bug in the specification The Simplifier is not strong enough: –Stronger invariant required –Stronger proof methods required

9
Program Verification in SPARK Proof Script SPADE Proof Checker Strengthen invariant Discover proof User intervention SPARK code + specification Verification Conditions Proof!SPADE Simplifier Remaining Verification Conditions Examiner Proof!

10
NuSPADE: Our Approach Proof Script SPADE Proof Checker Strengthen invariant Discover proof SPARK code + specification Verification Conditions Proof!SPADE Simplifier Remaining Verification Conditions Examiner Proof! Still remaining Verification Conditions! NuSPADE

11
Increase proof automation Integrates proof and program analysis: –Proof planner –Program analysis oracle

12
Proof Planning Use of high-level proof outlines, known as proof plans, to guide proof search Supports middle-out reasoning, i.e. the use of meta variables to delay choice during proof search Automatic proof patching via proof failure analysis, e.g. conjecture generalization, lemma discovery, induction revision, case splitting, loop invariant discovery Inductive and non-inductive applications

13
Conjectures Proof checking: Methods + Critics Tactics Theory Proof planning: Proof Planning

14
Program Analysis Program analysis automatically finds interesting properties about source code Program analysis in practice: –Flow analysis –Performance analysis –Discovering constraints on variables (Abstract Interpretation) –Discovery code properties (invariant discovery)

15
NuSPADE Behaviour Strengthen invariant Discover proof SPARK code + specification SPADE Proof Checker Verification Conditions Proof!SPADE Simplifier Examiner Proof! Remaining Verification Conditions Proof Script Still remaining Verification Conditions! NuSPADE

16
NuSPADE Behaviour Strengthen invariant Discover proof SPARK code + specification Remaining Verification Conditions Proof Script Still remaining Verification Conditions! NuSPADE

17
NuSPADE Behaviour NuSPADE Remaining Verification Conditions Discover proof Proof Script Proof planner

18
NuSPADE Behaviour NuSPADE Remaining Verification Conditions Inequality / general reasoning tool Recurrence relation solver Strengthen invariant SPARK code + specification Program analysis oracle Proof planner

19
NuSPADE Behaviour NuSPADE Remaining Verification Conditions Discover proof Proof Script Proof planner

20
NuSPADE Behaviour NuSPADE Remaining Verification Conditions Still remaining Verification Conditions! No proof found Proof planner

21
Example subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

22
subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Integer’first R+D(I) Integer’last Example

23
Elementary: Pre: Trivial goal Effect: Assume provable in proof checker Fertilise: Pre: Part of the goal matches a hypothesis Effect: Simplify the goal Decomposition: Pre: The goal has a transitive relation Effect: Decompose the transitive relation Transitivity: Pre: The goal has a transitive relation and related hypotheses Effect: Apply transitive step Exception Freedom Proof Methods

24
Preconditions: there exists a conclusion of the form: Expression RelationOp Constant For every Variable i in Expression there exists a hypothesis of the form: Variable i RelationOp Expresssion i Transitivity Method and Critic Method Method applicable - apply the method! X Critic Method not applicable – critic extracts hypothesis schemas and invokes program analysis oracle

25
Example: Proof Failure Hypotheses: Conclusion: None of the methods are applicable. However, the transitivity critic fires as: occurs in: but there is no hypothesis of the form: (Similarly the lower bound causes the critic to fire as there is no hypothesis of the form: )

26
Discover a property that introduces hypotheses of the form: and Program analysis heuristics: –Type and other immediate information –Non looping code –Looping code (Involves recurrence relations) –Exiting loops (Consider loop guards) Example: Program Analysis

27
R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Example: Program Analysis

28
Example: Program Analysis (Variable I) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

29
Example: Program Analysis (Variable R, first disjunct) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

30
Example: Program Analysis (Variable R, second disjunct) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

31
Example: Program Analysis (Variable R, combine disjuncts) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

32
Example: Program Analysis (Eliminate n) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

33
Revised code subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop --# assert R >= 0 and R <= I*100; if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

34
Example: Proof Planning Success Transitivity: Decomposition: Fertilise: Elementary: Hypotheses: Conclusion:

35
Results & Future Work Prototype system – Demo Available! Integration partial Development corpus includes programs with simple loops and conditionals, i.e. typical style of critical software applications Evaluation corpus supplied by Praxis Critical Systems – evaluation phase to begin shortly

36
Future Work Strengthen recurrence relation solver and experiment with other external reasoners, e.g. inequality reasoning Explore program analysis as a basis for bug finding (ongoing) Explore program analysis as a basis for reducing VC complexity

37
Conclusions An integrated approach to software verification: –Proof planning –Program analysis oracle –Proof checking –External reasoners Proof planning and program analysis are generic

Similar presentations

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google