Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.

Published bySilvia Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception."— Presentation transcript:

1 Bill J. Ellis (bill@macs.hw.ac.uk) Dependable Systems Group Heriot-Watt University (Project page: http://www.macs.hw.ac.uk/~air/clamspark/) Proving Exception Freedom within High Integrity Software Systems

2 High Integrity Software Software standards encourage or enforce proof for high integrity software: –MOD 00-55: requirements for the procurement of safety critical software in defence equipment. Formal methods and proof mandatory –ITSEC: Information technology security evaluation criteria Formal methods mandatory

3 Praxis and SPARK SPARK is developed by Praxis Critical Systems for building high integrity software: –Formally defined safe subset of Ada –Information and data flow static analysis –Supports proofs of: Partial correctness Exception freedom (No run time errors) SPARK is used in industry: –BAE prove exception freedom (Unnamed project) –Praxis completed SHOLLIS and MULTOS CA –Many more...

4 SPARK Proof In Industry Partial correctness (Rare): –User supplied specification –Proofs usually deep –Very limited automation Exception freedom (Increasingly common): –Automatic specification –Proofs usually shallow –Good (90%) automation via Praxis Simplifier –Remaining 10% may number in the thousands...

5 Exception Freedom in SPARK Storage_Error  (Static memory requirement) Program_Error  Tasking_Error  Constraint_Error  (Some can occur in SPARK) –Access_Check  –Discriminant_Check  –Tag_Check  –Division_Check  –Index_Check  –Range_Check  –Overflow_Check  Proving exception freedom in SPARK is proving variables stay within legal bounds

6 Exception Freedom VCs Pre-condition Post-condition Invariant Prove properties hold between between cut points Check... Check... Check... Prove exception freedom VCs using properties

7 The Strategy Prove Exception Freedom VCs Discover properties (Typically invariants) Prove properties Fail Try proof again Success!

8 Abstract Interpretation (AI) Evaluate a program, replacing concrete variables with abstract values. –Concrete integer variable: -32768 to +32767 –An abstract integer variable: {-,0,+}. Abstract interpretation provides a framework to reason about programs in the abstract.

9 Abstracting to Bounds Variable: –type(lower, upper) –equal(expression) –fromto(lower, upper)... –between(expression, expression)… Array: –As many variables Generalise across ranges where possible

10 subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>=-32768 and R<=32767; For I in Index loop --# Want to discover invariant here! --#I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>=-32768 and R<=32767; end if; end loop; subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R := R + D(I); end if; end loop; Example

11 subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>=-32768 and R<=32767; For I in Index loop --#invariant I>=0 and I<=9 and --#forall J in 0..9 D(J)>=-32768 and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>=-32768 and R<=32767; end if; end loop;

12 Example (AI Flowchart) I:=I+1 Invariant N Pre-condition R:=0 I:=0 R:=R+D(I) D(I)  0 and D(I)  100 I=9 Post- condition Loop junction node Simple junction node Normalised form of a SPARK for loop

13 Recurrence Relations (Loop junction) Liner recurrence relations with constant coefficients (LRRCs): –a n =c 1 *a n-1 +…c k *a n-k +f(n) n>=k Only use first powers of previous terms (a n-1 ^1) Coefficients c k are constants f(n) is a function –Example: a n =a (n-1) +1 Can automatically solve LRRCs (and a few other special cases) using: –Mathematica –The Parma University's Recurrence Relation Solver (PURRS) –Others?

14 Assignment First assignment to a variable inside a loop: –Build recurrence relations. –The assignment A:=f(A) is recorded as A n = {equal(recurrence(f(A n-1 )))} All other assignments: –Perform the assignment. –The assignment A:=f(A) is applied to all expressions in A. Eliminate non-constants from expressions: –Generalise to extreme bounds. –Replace non-constant f(B) in A={equal(f(B))} with bounds of f(B). –A = {fromto(extreme-lower(B), extreme-upper(B))}

15 Example (Variable R) I:=I+1 Invariant N Pre-condition R:=0 I:=0 R:=R+D(I) D(I)  0 and D(I)  100 I=9 Post- condition R={Type(-32768, 32767)} R={Type(-32768, 32767), equal(0)} R n ={Type(-32768, 32767), equal(recurrence(R (n-1) +D(I n )))  between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))} R n ={Type(-32768, 32767), merge([equal(0), between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))])}

16 Example (Variable R) R n ={Type(-32768, 32767), fromto(0, 100*n)} recurrence(R (n-1) +0)  R n =R (n-1) +0 R n =R 0  0 recurrence(R (n-1) +100)  R n =R (n-1) +100 R n =R 0 +100*n  0+100*n  100*n between(0, 100*n) n is in range 0 to infinity 0<=100*n merge([equal(0), fromto(0, 100*n)]) equal(0) is inside fromto(0, 100*n) fromto(0, 100*n) R n ={Type(-32768, 32767), merge([equal(0), between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))])} R n ={Type(-32768, 32767), equal(0)} Returning from first iteration Arriving at the loop Starting second iteration...

17 Property Discovery (Eliminate n) Express n in terms of I: I n =n  n=I n Replace n with I in R: R n ={Type(-32768, 32767), fromto(0, 100* I)} Properties for R Rule out type: 0  -32768 100* I  32767  100* 9  32767 R  0 and R  100*I R n ={Type(-32768, 32767), fromto(0, 100*n)} I n ={Type(-32768, 32767), equal(n), fromto exit (-32768+1, exc(9+1)), fromto exit (exc(9+1), 32767+1)} Properties for I I  0 and I < 10 Some details...

18 Example (Discovered invariant) subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>=-32768 and R<=32767; For I in Index loop --#invariant I>=0 and I =0 and R<=100*I and --#forall J in 0..9 D(J)>=-32768 and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>=-32768 and R<=32767; end if; end loop;

19 And the proofs? Invariant property VCs: –Rippling reduces VC to a residue Prove residue using proof planning Exception freedom VCs: –Transitivity based proof planning

20 NuSPADE Implementation (Underway…) Light weight SPARK Parser Subprogram Spider VCs SPARK code Rule files Proof Planne r SPARK structure Subprogram Details Method: Rippling Method: Abstracting to bounds Praxis Examiner Add new properties to code Proof scripts CLAM

21 Related Work RUNCHECK (Steven M. German) (1981) –Proves exception freedom VCs for Pascal –Uses a few rewrite rules (7) to solve recurrence relations as a final stage –Does not exploit program context –Limited treatment of arrays (Considered array initialisation) Abstract Interpretation (Patrick Cousot, Radhia Cousot) (1976) –Is algorithmic and always generates correct results –No heuristics –Good automatic linear property generation for programs with linear assignments and no arrays –Used for compiler optimisation, exception detection, program documentation, program visualisation...

22 Conclusions Generate properties via (unsound) abstract interpretation: –Will contain heuristics –Exploit off the shelf recurrence relation solvers –More powerful (Include arrays, generate non-linear relationships) –Can fail! Prove via: –Proof planning –Automated –Can fail!

23 EOF

Download ppt "Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.

Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013.

Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.

HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Describing Syntax and Semantics

Describing Syntax and Semantics
CSC 8310 Programming Languages Meeting 2 September 2/3, 2014.

CSC 8310 Programming Languages Meeting 2 September 2/3, 2014.

Similar presentations

Ads by Google