© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
© 2009 IBM Corporation July, 2009 | PADTAD Chicago, Illinois A Proposal of Operation History Management System for Source-to-Source Optimization.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
Software Failure: Reasons Incorrect, missing, impossible requirements * Requirement validation. Incorrect specification * Specification verification. Faulty.
Slide: 1 Copyright © 2014 AdaCore Claire Dross, Pavlos Efstathopoulos, David Lesens, David Mentré and Yannick Moy Embedded Real Time Software and Systems.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
May 11, ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Language Specfication and Implementation - PART II: Semantics of Procedural Programming Languages Lee McCluskey Department of Computing and Mathematical.
VIDE Integrated Environment for Development and Verification of Programs.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Automatically Extracting and Verifying Design Patterns in Java Code James Norris Ruchika Agrawal Computer Science Department Stanford University {jcn,
Overview of program analysis Mooly Sagiv html://
Describing Syntax and Semantics
Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.
Unit Testing CS 414 – Software Engineering I Don Bagert Rose-Hulman Institute of Technology January 16, 2003.
MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.
Mathematics throughout the CS Curriculum Support by NSF #
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Murali Sitaraman
CSI315 Web Applications and Technology Overview of Systems Development (342)
Software Testing.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Topic (1)Software Engineering (601321)1 Introduction Complex and large SW. SW crises Expensive HW. Custom SW. Batch execution.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group ITI Techmedia and Technology Transfer Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
(On secondment at) Praxis High Integrity Systems Bath Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland Dependable Systems Group School of Mathematical.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Joseph E. Hollingsworth
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
© Gudmund Grov & Andrew Ireland Dependable Systems Group Planning for System Development Gudmund Grov & Andrew Ireland Dependable Systems Group School.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
High Integrity Ada in a UML and C world Peter Amey, Neil White Presented by Liping Cai.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
Slide: 1 Copyright © 2009 AdaCore GeneAuto for Ada and SPARK A verifying model compiler GeneAuto2 meeting (Toulouse) September 2009 Matteo Bordin
© Andrew IrelandDependable Systems Group Invariant Patterns for Program Reasoning Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
Chapter 3 Part II Describing Syntax and Semantics.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
SPADEase: The Good, the Bad and the Ugly Bill J Ellis Dependable Systems Group School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
System Monitoring using Constraint Checking as part of Model Based System Management 2007 Monitoring using Constraint Checking as part.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Chapter 12: Software Testing Omar Meqdadi SE 273 Lecture 12 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
© Andrew IrelandGrand Challenges for Computing Research 2004 The Verifying Compiler Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
© Andrew IrelandDependable Systems Group The Use of Patterns to Guide Code Certification: A Proposal Andrew Ireland School of Mathematical & Computer Sciences.
© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
A Review of Software Testing - P. David Coward
Automating Induction for Solving Horn Clauses
State your reasons or how to keep proofs while optimizing code
Cooperative Reasoning for Automatic Software Verification
A Verification Condition Visualizer
Proof Automation for the SPARK Approach to High Integrity Ada
Automatic Software Verification: A Renaissance
Presentation transcript:

© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering Heriot-Watt Univeristy Edinburgh

© Andrew IrelandDependable Systems Group Executive Summary Funded by the EPSRC Critical Systems programme ( GR/R24081 ) in collaboration with Praxis Critical Systems Julian Richardson (Co-investigator) and Bill Ellis (Research Associate) Investigate the role of proof planning within the SPARK approach to high integrity Ada

© Andrew IrelandDependable Systems Group Outline Background and basic approach Proposed verification architecture Initial investigation into proof automation Future work

© Andrew IrelandDependable Systems Group Program Verification Long history dating back to 70s, Wegbreit, German, Katz & Manna, … Theorem proving and heuristic components were kept separate Adopting a proof planning approach integrates high-level theorem proving and heuristic components

© Andrew IrelandDependable Systems Group Ada Verification Systems ANNA: Stanford University PAVG Penelope: Odyssey Research Associates MALPAS: TA Group (RSRE Malvern) SPARK: Praxis Critical Systems (PVL)

© Andrew IrelandDependable Systems Group Static Analysis Data flow analysis: checks basic integrity constraints, e.g. definition-usage Information flow analysis: checks various interdependencies via program annotations Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics

© Andrew IrelandDependable Systems Group The SPARK Tools SPADE Simplifier SPARK Examiner SPADE Proof Checker proof code VCs user rules (lemmas) path functions flow analysis feedback

© Andrew IrelandDependable Systems Group Benefits: reduces the level of user guided search by automating the “big steps” within a proof Proof Automation Proof Plans: AI technique for mechanizing formal reasoning based upon high-level proof patterns Proof Plan = Methods + Critics + Tactics

© Andrew IrelandDependable Systems Group Mathematical induction: program verification, synthesis, and optimization; hardware verification; correction of faulty specifications. Non-inductive proof: summing series; limit theorems. Automatic proof patching: conjecture generalization, lemma discovery, induction revision, case splitting, invariant discovery. Applications of Proof Plans

© Andrew IrelandDependable Systems Group Example Generalization Initial conjecture Generalized conjecture Schematic conjecture

© Andrew IrelandDependable Systems Group Clam-Oyster plannerchecker tactic conjectures theory proof user

© Andrew IrelandDependable Systems Group NuSPADE plannerchecker cmd s VCs conjectures theory proof user

© Andrew IrelandDependable Systems Group NuSPADE: High-Level Aims Integrity: only modify the SPADE proof state via SPADE commands Compatibility: preserve SPADE at its core Transparency: provide users with the look- and-feel of a SPADE session

© Andrew IrelandDependable Systems Group Proof Plans ripple fertilize simplify induction ripple fertilize simplify tautology ind-stratinv-strat

© Andrew IrelandDependable Systems Group Polish Flag Problem --# pre (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White)) --# post for some P in Integer range (Flag'First).. (Flag'Last+1) => --# ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and --# (for all R in Integer range P..Flag'Last => (Flag(R)=White)));

© Andrew IrelandDependable Systems Group Loop Invariant --# assert Flag'First<=I and --# J<=(Flag'Last+1) and --# I<=J and --# (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and --# (for all R in Integer range J..Flag'Last => (Flag(R)=White)); IFlag'FirstFlag'LastJ

© Andrew IrelandDependable Systems Group SPARK Code procedure Partition_Section(Flag: in out ArrayOfColours) is subtype JustBiggerRange is Integer range Flag'First.. Flag'Last+1; I: JustBiggerRange; J: JustBiggerRange; T: Colour; begin I:=Flag'First; J:=Flag'Last+1; loop --# assert Flag'First<=I and --# J<=(Flag'Last+1) and --# I<=J and --# (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and --# (for all R in Integer range J..Flag'Last => (Flag(R)=White)); exit when I=J; if Flag(I)=Red then I:=I+1; else J:=J-1;T:=Flag(I); Flag(I):=Flag(J); Flag(J):=T; end if; end loop; end Partition_Section loop … if … else J:=J-1; T:=Flag(I); Flag(I):=Flag(J); Flag(J):=T; end if; end loop; Flag(I)=White

© Andrew IrelandDependable Systems Group procedure_partition_section_3. H1: indexrange__first <= i. H2: j <= indexrange__last + 1. H3: i <= j. H4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ (element(flag, [q_]) = red)). H5: for_all (r_: integer, ((r_ >= j) and (r_ (element(flag, [r_]) = white)). H6: not (i = j). H7: not (element(flag, [i]) = red). -> C1: indexrange__first <= i. C2: j - 1 <= indexrange__last + 1. C3: i <= j - 1. C4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)). C5: for_all (r_: integer, ((r_ >= j - 1) and (r_ (element(update(update(flag, [i], element(flag, [j-1])), [j-1], element(flag, [i])), [r_]) = white)). Verification Condition

© Andrew IrelandDependable Systems Group Given Goal Ripple plan+ reduction= difference identification

© Andrew IrelandDependable Systems Group Speculative Loop Invariant --# assert Flag'First<=P and --# P<=(Flag'Last+1) and --# (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and --# (for all R in Integer range P..Flag'Last => (Flag(R)=White)); PFlag'FirstFlag'Last

© Andrew IrelandDependable Systems Group Range Splitting Proof Critic While the goal concerned with “white” gives rise to P = j, the complementary “red” goal gives rise to P = i This inconsistency suggests the required 3-way range split, i.e. i j

© Andrew IrelandDependable Systems Group Extending Critics Mechanism Build upon current capability to analyse failures over multiple branches Integrate a constraint solving capability Develop a bottom-up invariant generation capability - also important for reasoning about the absence of run-time errors.

© Andrew IrelandDependable Systems Group Future Work Complete first prototype of NuSPADE Adapt existing proof plans for SPADE Develop corresponding generic proof cmd templates (tactics) Extend critics mechanism Address proof management issues Investigate industrial strength case studies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.