An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

Context Investigate the role of proof planning within the SPARK approach to high integrity software Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems Ltd.

Overview The SPARK approach Program verification in SPARK NuSPADE: Our Approach –Proof planning –Program analysis –Example Results and future work Conclusions

The SPARK Approach Developed by Praxis Critical Systems Ltd. For high integrity software: –Safety, security and mission critical software, e.g. SHOLIS - UK MoD Def Standard SPARK is a programming language: –Defined as a subset of Ada that: Eliminates ambiguities to make static analysis possible Eliminates complexities to makes static analysis feasible Can be compiled by any Ada compiler! –Specification via code level annotations

The SPARK Tools Examiner: –Checks conformance to the SPARK subset –Performs information and data flow static analysis –Generates Verification Conditions (VCs) for both: partial correctness (correct if program terminates) Exception freedom (no run time errors) SPADE proof tools: –SPADE Simplifier a special purpose theorem prover –SPADE Proof Checker an interactive theorem prover

SPARK code + specification Examiner Program Verification in SPARK Verification Conditions SPADE Simplifier Typically 93% of exception freedom VCs are discharged automatically following this process Proof!

Program Verification in SPARK But the remaining 7% still account for hundreds of VCs... SPARK code + specification Verification Conditions SPADE Simplifier Remaining Verification Conditions Examiner Proof!

Why the Simplifier can Fail VC not provable: –Bug in the code –Bug in the specification The Simplifier is not strong enough: –Stronger invariant required –Stronger proof methods required

Program Verification in SPARK Proof Script SPADE Proof Checker Strengthen invariant Discover proof User intervention SPARK code + specification Verification Conditions Proof!SPADE Simplifier Remaining Verification Conditions Examiner Proof!

NuSPADE: Our Approach Proof Script SPADE Proof Checker Strengthen invariant Discover proof SPARK code + specification Verification Conditions Proof!SPADE Simplifier Remaining Verification Conditions Examiner Proof! Still remaining Verification Conditions! NuSPADE

Increase proof automation Integrates proof and program analysis: –Proof planner –Program analysis oracle

Proof Planning Use of high-level proof outlines, known as proof plans, to guide proof search Supports middle-out reasoning, i.e. the use of meta variables to delay choice during proof search Automatic proof patching via proof failure analysis, e.g. conjecture generalization, lemma discovery, induction revision, case splitting, loop invariant discovery Inductive and non-inductive applications

Conjectures Proof checking: Methods + Critics Tactics Theory Proof planning: Proof Planning

Program Analysis Program analysis automatically finds interesting properties about source code Program analysis in practice: –Flow analysis –Performance analysis –Discovering constraints on variables (Abstract Interpretation) –Discovery code properties (invariant discovery)

NuSPADE Behaviour Strengthen invariant Discover proof SPARK code + specification SPADE Proof Checker Verification Conditions Proof!SPADE Simplifier Examiner Proof! Remaining Verification Conditions Proof Script Still remaining Verification Conditions! NuSPADE

NuSPADE Behaviour Strengthen invariant Discover proof SPARK code + specification Remaining Verification Conditions Proof Script Still remaining Verification Conditions! NuSPADE

NuSPADE Behaviour NuSPADE Remaining Verification Conditions Discover proof Proof Script Proof planner

NuSPADE Behaviour NuSPADE Remaining Verification Conditions Inequality / general reasoning tool Recurrence relation solver Strengthen invariant SPARK code + specification Program analysis oracle Proof planner

NuSPADE Behaviour NuSPADE Remaining Verification Conditions Discover proof Proof Script Proof planner

NuSPADE Behaviour NuSPADE Remaining Verification Conditions Still remaining Verification Conditions! No proof found Proof planner

Example subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Integer’first  R+D(I)  Integer’last Example

Elementary: Pre: Trivial goal Effect: Assume provable in proof checker Fertilise: Pre: Part of the goal matches a hypothesis Effect: Simplify the goal Decomposition: Pre: The goal has a transitive relation Effect: Decompose the transitive relation Transitivity: Pre: The goal has a transitive relation and related hypotheses Effect: Apply transitive step Exception Freedom Proof Methods

Preconditions: there exists a conclusion of the form: Expression RelationOp Constant For every Variable i in Expression there exists a hypothesis of the form: Variable i RelationOp Expresssion i Transitivity Method and Critic Method Method applicable - apply the method! X Critic Method not applicable – critic extracts hypothesis schemas and invokes program analysis oracle

Example: Proof Failure Hypotheses: Conclusion: None of the methods are applicable. However, the transitivity critic fires as: occurs in: but there is no hypothesis of the form: (Similarly the lower bound causes the critic to fire as there is no hypothesis of the form: )

Discover a property that introduces hypotheses of the form: and Program analysis heuristics: –Type and other immediate information –Non looping code –Looping code (Involves recurrence relations) –Exiting loops (Consider loop guards) Example: Program Analysis

R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Example: Program Analysis

Example: Program Analysis (Variable I) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Example: Program Analysis (Variable R, first disjunct) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Example: Program Analysis (Variable R, second disjunct) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Example: Program Analysis (Variable R, combine disjuncts) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Example: Program Analysis (Eliminate n) R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Revised code subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; subtype R_Type is Integer; … R:=0; For I in Index loop --# assert R >= 0 and R <= I*100; if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

Example: Proof Planning Success Transitivity: Decomposition: Fertilise: Elementary: Hypotheses: Conclusion:

Results & Future Work Prototype system – Demo Available! Integration partial Development corpus includes programs with simple loops and conditionals, i.e. typical style of critical software applications Evaluation corpus supplied by Praxis Critical Systems – evaluation phase to begin shortly

Future Work Strengthen recurrence relation solver and experiment with other external reasoners, e.g. inequality reasoning Explore program analysis as a basis for bug finding (ongoing) Explore program analysis as a basis for reducing VC complexity

Conclusions An integrated approach to software verification: –Proof planning –Program analysis oracle –Proof checking –External reasoners Proof planning and program analysis are generic