Proof Automation for the SPARK Approach to High Integrity Ada

Slides:



Advertisements
Similar presentations
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Advertisements

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
Slide: 1 Copyright © 2014 AdaCore Claire Dross, Pavlos Efstathopoulos, David Lesens, David Mentré and Yannick Moy Embedded Real Time Software and Systems.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Language Specfication and Implementation - PART II: Semantics of Procedural Programming Languages Lee McCluskey Department of Computing and Mathematical.
CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Overview of the Multos construction process Chad R. Meiners.
Describing Syntax and Semantics
Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.
25 November 2002 DeSIRE, Pisa Methods and Tools for Formal Design and Validation Michael Butler University of Southampton
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group ITI Techmedia and Technology Transfer Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
(On secondment at) Praxis High Integrity Systems Bath Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland Dependable Systems Group School of Mathematical.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
© Andrew IrelandDependable Systems Group Invariant Patterns for Program Reasoning Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
Reasoning about programs March CSE 403, Winter 2011, Brun.
Chapter 3 Part II Describing Syntax and Semantics.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
Version 02U-1 Computer Security: Art and Science1 Correctness by Construction: Developing a Commercial Secure System by Anthony Hall Roderick Chapman.
Access Control for Dynamic Virtual Organisations Duncan Russell, Peter Dew & Karim Djemame University of Leeds.
System Monitoring using Constraint Checking as part of Model Based System Management 2007 Monitoring using Constraint Checking as part.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
© Andrew IrelandGrand Challenges for Computing Research 2004 The Verifying Compiler Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
© Andrew IrelandDependable Systems Group The Use of Patterns to Guide Code Certification: A Proposal Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
A Review of Software Testing - P. David Coward
Formal Specification.
SDN Network Updates Minimum updates within a single switch
Arab Open University 2nd Semester, M301 Unit 5
Reasoning About Code.
Reasoning about code CSE 331 University of Washington.
Formal Methods in Software Engineering 1
Automating Induction for Solving Horn Clauses
Daniel Amyot and Jun Biao Yan
Levels of Software Assurance in SPARK
The Extensible Tool-chain for Evaluation of Architectural Models
Cooperative Reasoning for Automatic Software Verification
AdaCore Technologies for Cyber Security
A Verification Condition Visualizer
Hoare-style program verification
An Introduction to Software Architecture
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Language-based Security
Automatic Software Verification: A Renaissance
Co-OPR – Compendium and I-X
Formal Methods Lecture 16 March 22, 2011 CS 315 Spring 2011
Rich Model Toolkit – An Infrastructure for Reliable Computer Systems
Presentation transcript:

Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering Heriot-Watt Univeristy Edinburgh

Executive Summary Investigate the role of proof planning within the SPARK approach to high integrity Ada Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems Julian Richardson (Co-investigator) and Bill Ellis (Research Associate)

Outline Background and basic approach Proposed verification architecture Initial investigation into proof automation Future work

Program Verification Long history dating back to 70s, Wegbreit, German, Katz & Manna, … Theorem proving and heuristic components were kept separate Adopting a proof planning approach integrates high-level theorem proving and heuristic components

Ada Verification Systems ANNA: Stanford University PAVG Penelope: Odyssey Research Associates MALPAS: TA Group (RSRE Malvern) SPARK: Praxis Critical Systems (PVL)

Praxis Critical Systems Internationally leading within the sector Aerospace, Defence, Transportation, Finance, Energy and Utilities. Boeing, Lockheed-Martin, CAA, FAA, QinetiQ (DERA), Westinghouse Signals, MONDEX,...

SPARK Projects SHOLIS: Ship Helicopter Operating Limits Instrumentation System, UK MoD’s first Def Standard 00-55 project C130J: Lockheed Martin military transport aircraft MONDEX: International smart card security, developed to ITSEC E6 standard

The SPARK Language A subset of Ada that eliminates potential ambiguities and insecurities Specification supported via code level annotations

Static Analysis Data flow analysis: checks basic integrity constraints, e.g. definition-usage Information flow analysis: checks various interdependencies via program annotations Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics

The SPARK Tools path functions user SPADE SPARK VCs Proof Examiner Checker VCs proof code flow analysis feedback rules (lemmas) SPADE Simplifier

Clam-Oyster user conjectures planner checker tactic proof theory

NuSPADE conjectures user planner VCs checker proof cmd theory

NuSPADE: High-Level Aims Integrity: only modify the SPADE proof state via SPADE commands Compatibility: preserve SPADE at its core Transparency: provide users with the look-and-feel of a SPADE session

Proof Plans ind-strat inv-strat induction simplify ripple simplify tautology fertilize tautology fertilize

Polish Flag Problem --# pre (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White)) --# post for some P in Integer range (Flag'First) .. (Flag'Last+1) => --# ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and --# (for all R in Integer range P..Flag'Last => (Flag(R)=White)));

Loop Invariant Flag'First I J Flag'Last --# assert Flag'First<=I and --# J<=(Flag'Last+1) and --# I<=J and --# (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and --# (for all R in Integer range J..Flag'Last => (Flag(R)=White));

SPARK Code loop … if else J:=J-1; T:=Flag(I); Flag(I):=Flag(J); Flag(J):=T; end if; end loop; SPARK Code procedure Partition_Section(Flag: in out ArrayOfColours) is subtype JustBiggerRange is Integer range Flag'First .. Flag'Last+1; I: JustBiggerRange; J: JustBiggerRange; T: Colour; begin I:=Flag'First; J:=Flag'Last+1; loop --# assert Flag'First<=I and --# J<=(Flag'Last+1) and --# I<=J and --# (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and --# (for all R in Integer range J..Flag'Last => (Flag(R)=White)); exit when I=J; if Flag(I)=Red then I:=I+1; else J:=J-1;T:=Flag(I); Flag(I):=Flag(J); Flag(J):=T; end if; end loop; end Partition_Section Flag(I)=White

Verification Condition procedure_partition_section_3. H1: indexrange__first <= i . H2: j <= indexrange__last + 1 . H3: i <= j . H4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(flag, [q_]) = red)) . H5: for_all (r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white)) . H6: not (i = j) . H7: not (element(flag, [i]) = red) . -> C1: indexrange__first <= i . C2: j - 1 <= indexrange__last + 1 . C3: i <= j - 1 . C4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)) . C5: for_all (r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j-1])), [j-1], element(flag, [i])), [r_]) = white)) .

Given Goal Ripple plan = difference identification + reduction

Rewrite Rules

Ripple Preconditions there exists a subterm T of the goal formula that contains a wave-front there exists a wave-rule that matches T any wave-rule conditions follow from the proof context Resulting inward directed wave-fronts are potentially cancellable Note: Stronger decision procedure required for 3

Speculative Loop Invariant Flag'First P Flag'Last --# assert Flag'First<=P and --# P<=(Flag'Last+1) and --# (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and --# (for all R in Integer range P..Flag'Last => (Flag(R)=White));

Proof Failure Given Goal

Failure Analysis Blocked wave-front Matching wave-rule Failed precondition 3. any wave-rule conditions follow from the proof context

Productive Use Of Failure Generalization Case split Revise Induction Lemma speculation Precondition 1 2 3 4 Patch X X X X

Proof Patch Find minimal instantiation for P such that i and (j-1) lie out side r, i.e. P becomes j Ripple plan applicable to revised invariant conjecture

Range Splitting Proof Critic While the goal concerned with “white” gives rise to P = j, the complementary “red” goal gives rise to P = i This inconsistency suggests the required 3-way range split, i.e. i j

Extending Critics Mechanism Build upon current capability to analyse failures over multiple branches Integrate a constraint solving capability Develop a bottom-up invariant generation capability - also important for reasoning about the absence of run-time errors.

Future Work Complete first prototype of NuSPADE Adapt existing proof plans for SPADE Develop corresponding generic proof cmd templates (tactics) Extend critics mechanism Address proof management issues Investigate industrial strength case studies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.