Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception Freedom within High Integrity Software Systems

High Integrity Software Software standards encourage or enforce proof for high integrity software: –MOD 00-55: requirements for the procurement of safety critical software in defence equipment. Formal methods and proof mandatory –ITSEC: Information technology security evaluation criteria Formal methods mandatory

Praxis and SPARK SPARK is developed by Praxis Critical Systems for building high integrity software: –Formally defined safe subset of Ada –Information and data flow static analysis –Supports proofs of: Partial correctness Exception freedom (No run time errors) SPARK is used in industry: –BAE prove exception freedom (Unnamed project) –Praxis completed SHOLLIS and MULTOS CA –Many more...

SPARK Proof In Industry Partial correctness (Rare): –User supplied specification –Proofs usually deep –Very limited automation Exception freedom (Increasingly common): –Automatic specification –Proofs usually shallow –Good (90%) automation via Praxis Simplifier –Remaining 10% may number in the thousands...

Exception Freedom in SPARK Storage_Error  (Static memory requirement) Program_Error  Tasking_Error  Constraint_Error  (Some can occur in SPARK) –Access_Check  –Discriminant_Check  –Tag_Check  –Division_Check  –Index_Check  –Range_Check  –Overflow_Check  Proving exception freedom in SPARK is proving variables stay within legal bounds

Exception Freedom VCs Pre-condition Post-condition Invariant Prove properties hold between between cut points Check... Check... Check... Prove exception freedom VCs using properties

The Strategy Prove Exception Freedom VCs Discover properties (Typically invariants) Prove properties Fail Try proof again Success!

Abstract Interpretation (AI) Evaluate a program, replacing concrete variables with abstract values. –Concrete integer variable: to –An abstract integer variable: {-,0,+}. Abstract interpretation provides a framework to reason about programs in the abstract.

Abstracting to Bounds Variable: –type(lower, upper) –equal(expression) –fromto(lower, upper)... –between(expression, expression)… Array: –As many variables Generalise across ranges where possible

subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>= and R<=32767; For I in Index loop --# Want to discover invariant here! --#I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>= and R<=32767; end if; end loop; subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R := R + D(I); end if; end loop; Example

subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>= and R<=32767; For I in Index loop --#invariant I>=0 and I<=9 and --#forall J in 0..9 D(J)>= and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>= and R<=32767; end if; end loop;

Example (AI Flowchart) I:=I+1 Invariant N Pre-condition R:=0 I:=0 R:=R+D(I) D(I)  0 and D(I)  100 I=9 Post- condition Loop junction node Simple junction node Normalised form of a SPARK for loop

Recurrence Relations (Loop junction) Liner recurrence relations with constant coefficients (LRRCs): –a n =c 1 *a n-1 +…c k *a n-k +f(n) n>=k Only use first powers of previous terms (a n-1 ^1) Coefficients c k are constants f(n) is a function –Example: a n =a (n-1) +1 Can automatically solve LRRCs (and a few other special cases) using: –Mathematica –The Parma University's Recurrence Relation Solver (PURRS) –Others?

Assignment First assignment to a variable inside a loop: –Build recurrence relations. –The assignment A:=f(A) is recorded as A n = {equal(recurrence(f(A n-1 )))} All other assignments: –Perform the assignment. –The assignment A:=f(A) is applied to all expressions in A. Eliminate non-constants from expressions: –Generalise to extreme bounds. –Replace non-constant f(B) in A={equal(f(B))} with bounds of f(B). –A = {fromto(extreme-lower(B), extreme-upper(B))}

Example (Variable R) I:=I+1 Invariant N Pre-condition R:=0 I:=0 R:=R+D(I) D(I)  0 and D(I)  100 I=9 Post- condition R={Type(-32768, 32767)} R={Type(-32768, 32767), equal(0)} R n ={Type(-32768, 32767), equal(recurrence(R (n-1) +D(I n )))  between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))} R n ={Type(-32768, 32767), merge([equal(0), between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))])}

Example (Variable R) R n ={Type(-32768, 32767), fromto(0, 100*n)} recurrence(R (n-1) +0)  R n =R (n-1) +0 R n =R 0  0 recurrence(R (n-1) +100)  R n =R (n-1) +100 R n =R *n  0+100*n  100*n between(0, 100*n) n is in range 0 to infinity 0<=100*n merge([equal(0), fromto(0, 100*n)]) equal(0) is inside fromto(0, 100*n) fromto(0, 100*n) R n ={Type(-32768, 32767), merge([equal(0), between(recurrence(R (n-1) +0), recurrence(R (n-1) +100))])} R n ={Type(-32768, 32767), equal(0)} Returning from first iteration Arriving at the loop Starting second iteration...

Property Discovery (Eliminate n) Express n in terms of I: I n =n  n=I n Replace n with I in R: R n ={Type(-32768, 32767), fromto(0, 100* I)} Properties for R Rule out type: 0  * I   100* 9  R  0 and R  100*I R n ={Type(-32768, 32767), fromto(0, 100*n)} I n ={Type(-32768, 32767), equal(n), fromto exit ( , exc(9+1)), fromto exit (exc(9+1), )} Properties for I I  0 and I < 10 Some details...

Example (Discovered invariant) subtype Index is Integer range 0.. 9; type D is array (Index) of Integer; R:=0; --#check R>= and R<=32767; For I in Index loop --#invariant I>=0 and I =0 and R<=100*I and --#forall J in 0..9 D(J)>= and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then R := R + D(I); --#check R>= and R<=32767; end if; end loop;

And the proofs? Invariant property VCs: –Rippling reduces VC to a residue Prove residue using proof planning Exception freedom VCs: –Transitivity based proof planning

NuSPADE Implementation (Underway…) Light weight SPARK Parser Subprogram Spider VCs SPARK code Rule files Proof Planne r SPARK structure Subprogram Details Method: Rippling Method: Abstracting to bounds Praxis Examiner Add new properties to code Proof scripts CLAM

Related Work RUNCHECK (Steven M. German) (1981) –Proves exception freedom VCs for Pascal –Uses a few rewrite rules (7) to solve recurrence relations as a final stage –Does not exploit program context –Limited treatment of arrays (Considered array initialisation) Abstract Interpretation (Patrick Cousot, Radhia Cousot) (1976) –Is algorithmic and always generates correct results –No heuristics –Good automatic linear property generation for programs with linear assignments and no arrays –Used for compiler optimisation, exception detection, program documentation, program visualisation...

Conclusions Generate properties via (unsound) abstract interpretation: –Will contain heuristics –Exploit off the shelf recurrence relation solvers –More powerful (Include arrays, generate non-linear relationships) –Can fail! Prove via: –Proof planning –Automated –Can fail!

EOF