© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.

Slides:



Advertisements
Similar presentations
Demand-driven inference of loop invariants in a theorem prover
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
© Colin Potts C6-1 Some future trends in requirements engineering Colin Potts Georgia Tech.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
Building Reliable Software Requirements and Methods.
VIDE Integrated Environment for Development and Verification of Programs.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
A Type System for Expressive Security Policies David Walker Cornell University.
Describing Syntax and Semantics
The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.
Mathematics throughout the CS Curriculum Support by NSF #
A Pragmatic View of Formal Methods The Hi-Lite Project Robert B K Dewar SSS ‘11 President & CEO, AdaCore Emeritus Professor of Computer.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
CSC2108 Lazy Abstraction on Software Model Checking Wai Sum Mong.
CS527: (Advanced) Topics in Software Engineering Overview of Software Quality Assurance Tao Xie ©D. Marinov, T. Xie.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Murali Sitaraman
Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group ITI Techmedia and Technology Transfer Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
(On secondment at) Praxis High Integrity Systems Bath Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland Dependable Systems Group School of Mathematical.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
© Andrew IrelandDependable Systems Group Invariant Patterns for Program Reasoning Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
Version 02U-1 Computer Security: Art and Science1 Correctness by Construction: Developing a Commercial Secure System by Anthony Hall Roderick Chapman.
Industrial Avionics Working Group 18/04/07 The Relationship Between the Design and Safety Domains in IAWG Modular Certification Part 2: Completeness of.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
© Andrew IrelandGrand Challenges for Computing Research 2004 The Verifying Compiler Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
© Andrew IrelandDependable Systems Group The Use of Patterns to Guide Code Certification: A Proposal Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
Formal Verification – Robust and Efficient Code Lecture 1
Dafny An automatic program verifier for functional correctness
Types for Programs and Proofs
State your reasons or how to keep proofs while optimizing code
Levels of Software Assurance in SPARK
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
Lecture 5 Floyd-Hoare Style Verification
Cooperative Reasoning for Automatic Software Verification
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
A Verification Condition Visualizer
Programming Languages 2nd edition Tucker and Noonan
Dafny An automatic program verifier for functional correctness
Proof Automation for the SPARK Approach to High Integrity Ada
Automatic Software Verification: A Renaissance
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

© Andrew IrelandDependable Systems Group Outline Static analysis and program proof Automated reasoning and proof planning Industrial strength program proof Observations & conclusions

© Andrew IrelandDependable Systems Group Static Analysis Program Proof Program Analysis

© Andrew IrelandDependable Systems Group Static Analysis Program Proof Program Analysis Precision

© Andrew IrelandDependable Systems Group Static Analysis Program Proof Program Analysis Automation Precision

© Andrew IrelandDependable Systems Group Proof Development Goal Givens

© Andrew IrelandDependable Systems Group Proof Development Goal Givens Proof Rules & Tactics

© Andrew IrelandDependable Systems Group Proof Automation In general, the search for a proof gives rise to a combinatorial explosion in terms of proof rule applications. Heuristics are required in order to manage the search for a proof. Proof planning represents an approach to managing proof search.

© Andrew IrelandDependable Systems Group Proof Plans Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration

© Andrew IrelandDependable Systems Group Mathematical domains: program verification, synthesis, and optimization; hardware verification; correction of faulty specifications. summing series; limit theorems. Non-mathematical domains: game playing (Bridge & Go); configuration management problems. Applications of Proof Plans

© Andrew IrelandDependable Systems Group Investigate the role of proof planning within the SPARK Approach to high integrity software Funded by EPSRC Critical Systems programme (GR/R24081) Follow-on industrial secondment funded by EPSRC RAIS Scheme (GR/T11289/01) Praxis High Integrity Systems Ltd (collaborator) Proof Plans & Industry

© Andrew IrelandDependable Systems Group The SPARK Approach A subset of Ada that eliminates potential ambiguities and insecurities. Supports “correctness-by-construction” and is advocated by US National Cyber Security Partnership (NSA). Applications include: –SHOLIS: UK MoD’s first Def Stan project. –Eurofighter Typhoon. –MONDEX smart card security.

© Andrew IrelandDependable Systems Group SPARK Toolset Data flow, e.g. variables defined before read. Information flow, i.e. code checked against program annotations, e.g. --# derives X from Y, Z; Formal verification, i.e. code is proved correct with respect to proof annotations: –Pre- and postconditions. –Assertions such as loop invariants. –Declaration of proof functions.

© Andrew IrelandDependable Systems Group Program Proofs Partial correctness proofs: –Guarantees that if preconditions hold then the postconditions will hold (if program terminates). –Requires user specified pre- and postconditions. Exception freedom proofs: –Guarantees that no exceptions occur at run-time, e.g. buffer overflows, index violations etc –Exception freedom properties are pre-defined. Note that user may be required to provide intermediate assertions in both cases.

© Andrew IrelandDependable Systems Group The SPARK Approach SPARK Examiner SPADE Simplifier SPADE Proof Checker SPARK Examiner supports data & information flow analysis, and generates verification conditions (VCs). SPADE Simplifier supports automatic proof. SPADE Proof Checker supports interactive proof. VCs Cmds Unproven VCs  SPARK code Proofs Revisions ✗

© Andrew IrelandDependable Systems Group SPADEase SPARK Examiner SPADE Simplifier SPADE Proof Checker SPADEase = proof planning + program analysis. Main focus on exception freedom proofs. Annotation generation motivated by proof-failure analysis. VCs Cmds Unproven VCs  SPARK code Proofs SPADEase Annotations ✗

© Andrew IrelandDependable Systems Group SPADEase Unproven VCs Cmds Abstract Predicates Annotations Co-operative style of integration, i.e. “productive use of failure” Proof Planner Program Analyzer

© Andrew IrelandDependable Systems Group subtype AR_T is Integer range 0..9; type A_T is array (AR_T) of Integer;... procedure Filter(A: in A_T; R: out Integer) is begin R:=0; for I in AR_T loop if A(I)>=0 and A(I)<=100 then R:=R+A(I); end if; end loop; end Filter; An Example

© Andrew IrelandDependable Systems Group H1: for_all (i___1: integer, ((i___1 >= ar_t__first) and (i___1 ((element(a, [i___1]) >= integer__first) and (element(a, [i___1]) <= integer__last))). H2: loop__1__i >= ar_t__first. H3: loop__1__i <= ar_t__last. H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. -> C1: r + element(a, [loop__1__i]) >= integer__first. C2: r + element(a, [loop__1__i]) <= integer__last. C3: loop__1__i >= ar_t__first. C4: loop__1__i <= ar_t__last.... H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. ->... C2: r + element(a,[loop__1__i]) <= integer__last... Exception Freedom VC

© Andrew IrelandDependable Systems Group H1: for_all (i___1: integer, ((i___1 >= ar_t__first) and (i___1 ((element(a, [i___1]) >= integer__first) and (element(a, [i___1]) <= integer__last))). H2: loop__1__i >= ar_t__first. H3: loop__1__i <= ar_t__last. H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. -> C1: r + element(a, [loop__1__i]) >= integer__first. C2: r + element(a, [loop__1__i]) <= integer__last. C3: loop__1__i >= ar_t__first. C4: loop__1__i <= ar_t__last.... H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. ->... C2: r + element(a,[loop__1__i]) <= integer__last... Exception Freedom VC

© Andrew IrelandDependable Systems Group H1: for_all (i___1: integer, ((i___1 >= ar_t__first) and (i___1 ((element(a, [i___1]) >= integer__first) and (element(a, [i___1]) <= integer__last))). H2: loop__1__i >= ar_t__first. H3: loop__1__i <= ar_t__last. H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. -> C1: r + element(a, [loop__1__i]) >= integer__first. C2: r + element(a, [loop__1__i]) <= integer__last. C3: loop__1__i >= ar_t__first. C4: loop__1__i <= ar_t__last.... H4: element(a, [loop__1__i]) >= 0. H5: element(a, [loop__1__i]) <= 100. H6: r >= integer__first. H7: r <= integer__last. ->... C2: r + element(a,[loop__1__i]) <= integer__last... Exception Freedom VC If (32668 <= r <= 32767) then possible overflow, i.e. VC is unprovable

© Andrew IrelandDependable Systems Group SPADEase Unproven VCs Proof Planner Program Analyzer Abstract Predicates R >= ? and R <= ? subtype AR_T is Integer range 0..9; type A_T is array (AR_T) of Integer;... procedure Filter(A: in A_T; R: out Integer)is begin R:=0; for I in AR_T loop if A(I)>=0 and A(I)<=100 then R:=R+A(I); end if; end loop; end Filter;

© Andrew IrelandDependable Systems Group SPADEase Unproven VCs Proof Planner Program Analyzer Annotations --# assert R >= 0 and R <= I*100 Abstract Predicates subtype AR_T is Integer range 0..9; type A_T is array (AR_T) of Integer;... procedure Filter(A: in A_T; R: out Integer)is begin R:=0; for I in AR_T loop if A(I)>=0 and A(I)<=100 then R:=R+A(I); end if; end loop; end Filter; subtype AR_T is Integer range 0..9; type A_T is array (AR_T) of Integer;... procedure Filter(A: in A_T; R: out Integer)is begin R:=0; for I in AR_T loop --# assert R >= 0 and R <= I*100 if A(I)>=0 and A(I)<=100 then R:=R+A(I); end if; end loop; end Filter; R >= ? and R <= ?

© Andrew IrelandDependable Systems Group subtype AR_T is Integer range 0..9; type A_T is array (AR_T) of Integer;... procedure Filter(A: in A_T; R: out Integer) is begin R:=0; for I in AR_T loop --# assert R >= 0 and R <= I*100; if A(I)>=0 and A(I)<=100 then R:=R+A(I); end if; end loop; end Filter; Revised Filter Code

© Andrew IrelandDependable Systems Group Revised Exception Freedom VC H1: r >= 0. H2: r <= loop__1__i * 100. H3: for_all (i___1: integer, ((i___1 >= ar_t__first) and (i___1 ((element(a, [i___1]) >= integer__first) and (element(a, [i___1]) <= integer__last))). H4: loop__1__i >= ar_t__first. H5: loop__1__i <= ar_t__last. H6: element(a, [loop__1__i]) >= 0. H7: element(a, [loop__1__i]) <= 100. H8: r >= integer__first. H9: r <= integer__last. -> C1: r + element(a, [loop__1__i]) >= integer__first. C2: r + element(a, [loop__1__i]) <= integer__last. C3: loop__1__i >= ar_t__first. C4: loop__1__i <= ar_t__last. H1: r >= 0. H2: r <= loop__1__i * H6: element(a, [loop__1__i]) >= 0. H7: element(a, [loop__1__i]) <= 100. … ->... C2: r + element(a,[loop__1__i]) <= integer__last... Transitivity proof plan 

© Andrew IrelandDependable Systems Group Loop Invariant VC H1: r >= 0. H2: r <= loop__1__i * H6: element(a, [loop__1__i]) >= 0. H7: element(a, [loop__1__i]) <= 100. … -> C1: r + element(a,[loop__1__i]) >= 0. C2: r + element(a,[loop__1__i]) <= (loop__1__i + 1) * 100. … Rippling proof plan 

© Andrew IrelandDependable Systems Group Summary Code+ Spec Simplifier Proof Planner Program Analyzer Proofs Failure

© Andrew IrelandDependable Systems Group SPADEase Results Our evaluation was based upon examples drawn from industrial data provided by Praxis, e.g. SHOLIS. SPADE Simplifier is very effective on exception freedom VC, i.e. typical hit-rate of 92%. NuSPADE targeted the VCs which the SPADE Simplifier failed to prove, i.e. loop-based code. While critical software is engineered to minimize the number and complexity of loops, we found that 80% of the loops we encountered were provable using SPADEase.

© Andrew IrelandDependable Systems Group SPADEase Applicability SPARK was designed to meet the needs of advanced avionics while supporting formal analysis. Targeting language subsets: –Potential hearts-and-minds hurdle. –Limitations of niche markets. Targeting full languages: –Need to limit scope of analysis, i.e. focus on specific data and/or control properties. –Essential that the selected properties yield real value to the customer, i.e. properties where failure carries a significant cost and conventional prevention strategies are poor.

© Andrew IrelandDependable Systems Group Conclusions Static analysis benefits from an integrated approach. Other examples include Microsoft’s Static Device Verifier (SDV), Spec#, ESC/Java2. Current success stories focus on pre-defined properties, e.g. exception and deadlock freedom. More comprehensive properties will increase the need for tools that include a proof automation component. Proof planning provides a framework for integrating proof automation with a wide spectrum of program analysis techniques.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.