Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.

Published byMercy Cummings Modified over 8 years ago

Similar presentations

Presentation on theme: "SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh."— Presentation transcript:

1 SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh (On secondment at) Praxis High Integrity Systems Bath

2 Introduction Overview Introduction –Context –Objectives Background –Program proof in SPARK –Proof Planning SPADEase features –Good, Bad, and Ugly Ongoing Work Conclusions

3 Introduction NuSPADE Duration: 2001  2004 Funding: EPSRC critical systems programme (GR/R24081) Aim: Investigate the role of proof planning within the SPARK approach to high integrity software Nature: Traditional research project Research associate: Bill Ellis Principle investigator: Andrew Ireland Collaboration: Praxis

4 Introduction SPADEase Duration: Jan 2005  July 2005 Funding: EPSRC research assistant industrial secondment scheme (RAIS) (GR/T11289/01) Context: Builds upon the NuSPADE project Aim: Towards increased verification automation for high integrity software engineering Nature: Knowledge transfer, industrial secondment Research associate: Bill Ellis (Seconded to Praxis) Principle investigator: Andrew Ireland Collaboration: Praxis

5 Introduction SPADEase Objectives Key RAIS Goals: –Transfer knowledge from original research project: Demonstrate viable industrial system Implement this system as an extension to the SPARK approach Evaluate and publish –Training in an industrial environment: Seek out industrial training within Praxis Work in the SPARK corner for six months

6 Background Program proof in SPARK SPARK Examiner: Takes SPARK, Generates Verification Conditions (VCs) Proving the VCs true proves the code correct SPADE Simplifier: Tries to prove that VCs are true SPADE Proof Checker: Allows the user to prove any remaining VCs SPADE Simplifier VCGSPARK SPARK Examiner VCG SPADE Proof Checker Proof? SIV CMD

7 Traditional automated theorem proves combine: –Searching for a proof –Checking a discovered proof Proof planning decouples proof search and proof checking: Supports: –Flexible searching (Not burdened with observing strict soundness) –Strong checking (Focus entirely on logic and soundness) Search + Check Background Proof planning (Decouple searching and checking) Prover Goal Proof? Search Proof Planner Goal Proof? Check Proof Checker Proof plan

8 Traditional automated theorem proves have internal, fixed, proof heuristics: Proof planning has external, configurable, heuristics: –Methods: Describe available proof steps –Critics: Describe how to patch otherwise failed methods Supports: –Understanding of proof heuristics –Reuse of proof heuristics –Rapid development of proof heuristics Background Proof planning (External heuristics) Prover Goal Proof? Heuristics Proof planner Goal Proof plan MethodsCritics

9 NuSPADE: –Automatically proves SPARK VCs Proof planning –Automatically discovers invariants Program analysis SPADEase: –Focus on automatically proving SPARK VCs As only a six month project… –Some invariant discovery may be explored By accepting manual encoding of examples for analysis SPADEase Summary

10 Goal: Integrate effectively with the SPARK tools Problem: –NuSPADE is a research system with a very ad-hoc architecture Solution: –Total overhaul of the NuSPADE Architecture! SPADEase Features High level architecture (Good!)

11 SPADEase Features High Level Architecture (Good!) SPADE Simplifier SIV SPADEase SPADE Proof Checker Proof? VCG Parser Planner Verifier Finalizer SIV CMD RulesMethodsCriticsStrategyCache PropGen

12 Goal: Eliminate hand crafted initialisation files Problem: –NuSPADE initialisation files selects the top level proof strategy Solution: –Automatically select proof strategy based on VC kind –Invoke exception freedom proof strategy –Invoke invariant proof strategy SPADEase Features Streamlined initialisation (Good!) For path(s) from start to run-time check associated with statement of line 9: For path(s) from assertion of line 11 to assertion of line 11:

13 Problem: –NuSPADE initialisation files filter the available rules Solution: –Do not perform any rule filtering Problem: –Every visible rule requires time consuming pre-processing –No rule filtering creates a lengthy initialisation phase… Solution: –Rule processing is cached Takes a few hours to generate the rule cache Takes a few seconds to load the rule cache SPADEase Features Streamlined initialisation (Good!)

14 M2 SPADEase Features Configurable strategies (Good!) Goal: Provide more control over proof strategies In proof search methods are applied to goals –Successful methods: Prove a goal is true Create sub-goals (which are hopefully easier to prove true) Goal 1 Goal 2 Goal 1 Goal 2 M1 Goal 1 Proof! G GG GG P Strategies control which methods are applied to which goals and when G

15 SPADEase Features Configurable strategies (Good!) Proof search can create many goals before finding a proof! So controlling the application of methods is important A real example…

16 StrategyMethod… Ma SPADEase Features Configurable strategies (Good!) StrategyMethod Goal 1 MdMcMbMa Goal 1 … Begin with a strategy Mb Goal 1 Md NuSPADE: –Adopt the same strategy for all goals –Always considers every method application to every goal before terminating S1 MdMcMbS1 McS1 Goal 1 MdMcS1 Goal 2 MdMcMbMaS1 Method fails Method succeeds Strategies in NuSPADE:

17 SPADEase Features Configurable strategies (Good!) Problem: –Some sub-goals are (heuristically) better than their parents So do not always want to search alternative methods at the parent –Some sub-goals are (heuristically) best tackled with particular methods So do not always want to adopt the same strategy as for the parent Solution: –Replace list of methods with a list of method callers, that: Select which method to call If the method is successful: –What strategy to adopt at any sub-goals –If remaining methods at the parent should be removed (cut) StrategyCaller… StrategyCaller… MethodStrategyCut

18 StrategyCaller… SPADEase Features Configurable strategies (Good!) StrategyCaller… MethodStrategyCut Cb MbS2Yes Ca MaS2no Ma Goal 1 CdCcCbCa Goal 1 Mb Goal 1 Cd S1 CdCcCbS1 CcS1 Goal 1 Begin with a strategy Method fails Method succeeds Goal 2 CzCyCxS2 SPADEase: –Can select strategy for sub-goals (improved control) –Can chose to cut remaining method applications (more efficient) Strategies in SPADEase: S1

19 SPADEase Features Initial simplification methods (Good!) Goal: Improve SPADEase Performance Problem: –NuSPADE avoids some key simplifications Solution: –New simplification methods Applied only at the beginning of a proof search Made possible by new strategy mechanism –Simplifications considered are: Delete duplicate hypotheses (Ignored in NuSPADE) Replace all named constants in one step (Done incrementally in NuSPADE) Normalise inequality hypotheses (Ignored in NuSPADE)

20 SPADEase Features Poor performance? (Ugly!) Goal: Improve SPADEase Performance Problem: –Despite enhancements, SPADEase is slower than the Simplifier Reasons: –All discovered proofs are explicitly checked Need to record all proof actions –Complex heuristics are considered in SPADEase Rippling Middle-out-reasoning

21 SPADEase Features Poor performance? (Ugly!) However: –SPADEase is invoked on the problems not proved by the Simplifier –Perhaps difficult problems warrant a more thorough search? Observations: –For industrial proof Use a fast/light proof strategy Followed by a slow/deep proof strategy –Both of these strategies may be achieved in the proof planning paradigm!

22 SPADEase Features Simplification explodes (Ugly!) Goal: Support term simplification Problem: –Rules are not manually filtered in SPADEase –Many more rules are visible in SPADEase than in NuSPADE –Leads to a search explosion in NuSPADE’s term simplification method… Solution: –Introduce a new term simplification method –Exploit the heuristic of bringing together related terms –This method exists on paper… but not in code

23 SPADEase Features Modifying the Proof Checker (Bad!) Goal: Check plans in the SPADE Proof Checker Problem: –The Checker’s behaviour is not (realistically) predictable Solution: –NuSPADE: Many small changes to the Checker Complex CMD Files Does not address all areas of unpredictably –SPADEase: One large change to the Checker Clear CMD files Fully predictable Checker But is it sound?! –Ideally: Proof Checker should be predictable out-of-the-box

24 Ongoing Work Complete SPADEase: –Create new term simplification method –Improve/finish critics –Finish the finalizer Evaluation: –Explore the behaviour of SPADEase on real examples –Compare SPADEase and NuSPADE PropGen: –Explore a light weight version of PropGen

25 Conclusions Proof planning: –Is a coherent component based system (Methods / Critics / Strategies) –Demonstrates soundness through explicitly checked proofs SPADEase addresses various problems in NuSPADE –To create an industrially viable proof planning system Proof planning is applicable within the Spark Approach –Although more control of the SPADE Proof Checker is desired…

Download ppt "SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh."

Similar presentations

1 jNIK IT tool for electronic audit papers 17th meeting of the INTOSAI Working Group on IT Audit (WGITA) SAI POLAND (the Supreme Chamber of Control)

1 jNIK IT tool for electronic audit papers 17th meeting of the INTOSAI Working Group on IT Audit (WGITA) SAI POLAND (the Supreme Chamber of Control)
Verification and Validation

Verification and Validation
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Software Engineering Session 14 INFM 603. Software Software represents an aspect of reality –Input and output represent the state of the world –Software.

Software Engineering Session 14 INFM 603. Software Software represents an aspect of reality –Input and output represent the state of the world –Software.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
Alternate Software Development Methodologies

Alternate Software Development Methodologies
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
July 11 th, 2005 Software Engineering with Reusable Components RiSE’s Seminars Sametinger’s book :: Chapters 16, 17 and 18 Fred Durão.

July 11 th, 2005 Software Engineering with Reusable Components RiSE’s Seminars Sametinger’s book :: Chapters 16, 17 and 18 Fred Durão.
Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.

Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.

©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
PDDL: A Language with a Purpose? Lee McCluskey Department of Computing and Mathematical Sciences, The University of Huddersfield.

PDDL: A Language with a Purpose? Lee McCluskey Department of Computing and Mathematical Sciences, The University of Huddersfield.
MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.

MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.
Fundamentals of Information Systems, Second Edition

Fundamentals of Information Systems, Second Edition
Chapter 1 Principles of Programming and Software Engineering.

Chapter 1 Principles of Programming and Software Engineering.
Iterative development and The Unified process

Iterative development and The Unified process
Describing Syntax and Semantics

Describing Syntax and Semantics
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Similar presentations

Ads by Google