Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

Published byAnabel Wilkerson Modified over 8 years ago

Similar presentations

Presentation on theme: "© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt."— Presentation transcript:

1 © Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2 © Andrew IrelandDependable Systems Group Context Investigate the role of proof planning within the SPARK approach to high integrity software Funded by the EPSRC Critical Systems programme ( GR/R24081 ) in collaboration with Praxis Critical Systems Bill Ellis (Research Associate)

3 © Andrew IrelandDependable Systems Group Outline Current limits of proof automation More code level analysis Proof planning perspective Future work Demo partial implementation

4 © Andrew IrelandDependable Systems Group subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Example

5 © Andrew IrelandDependable Systems Group subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop; Example integer_first <= R+D(I)<= integer_last?

6 © Andrew IrelandDependable Systems Group Run-Time Check VC … H2: for_all (i___1:integer,((i___1>=index_type__first) and (i___1 ((element(d,[i___1]) >= integer__first) and (element(d,[i___1]) <= integer__last))). … H7: loop__1__i >= index_type__first. H8: loop__1__i <= index_type__last. H9: element(d, [loop__1__i]) >= 0. H10:element(d, [loop__1__i]) <= 100. -> C1: r + element(d,[loop__1__i]) >= integer__first. C2: r + element(d,[loop__1__i]) <= integer__last. Problem: missing hypotheses R >= ? and R <= ?

7 © Andrew IrelandDependable Systems Group Problem Solving User identifies the need for a loop invariant User generates an appropriate loop invariant User constructs proofs for the loop invariant and run-time check VCs via the SPADE Proof Checker

8 © Andrew IrelandDependable Systems Group Our Approach Proof planning identifies the need for a loop invariant Code level analysis generates an appropriate loop invariant Proof planning constructs proofs for the loop invariant and run-time check VCs, i.e. proof planning generates a SPADE tactic

9 © Andrew IrelandDependable Systems Group Loop Invariant Discovery SPARK proof failure analysis

10 © Andrew IrelandDependable Systems Group Loop Invariant Discovery SPARK construct extreme recurrence relations for each variable on Nth iteration proof failure analysis

11 © Andrew IrelandDependable Systems Group Loop Invariant Discovery SPARK construct extreme recurrence relations for each variable on Nth iteration solve recurrence relations proof failure analysis

12 © Andrew IrelandDependable Systems Group Loop Invariant Discovery SPARK construct extreme recurrence relations for each variable on Nth iteration solve recurrence relations combine solutions to eliminate N proof failure analysis

13 © Andrew IrelandDependable Systems Group Loop Invariant Discovery SPARK SPARK + invariants construct extreme recurrence relations for each variable on Nth iteration solve recurrence relations combine solutions to eliminate N proof failure analysis

14 © Andrew IrelandDependable Systems Group Construct Recurrence Relations subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; … R:=0; For I in Index loop if D(I) >= 0 and D(I) <= 100 then R := R + D(I); end if; end loop;

15 © Andrew IrelandDependable Systems Group Extreme Recurrence Relations specialization is guided by interval information interval information gathered via abstract interpretation and interval analysis

16 © Andrew IrelandDependable Systems Group Focus on linear recurrence relations: where coefficients are constant, and is optional Solve Recurrence Relations Off the shelf solvers available, e.g. Mathematica, PURRS (Parma University)

17 © Andrew IrelandDependable Systems Group Solve Recurrence Relations Recurrence RelationSolution

18 © Andrew IrelandDependable Systems Group Combine Solutions Eliminate from solutions to using R >= 0 and R <= I*100

19 © Andrew IrelandDependable Systems Group Revised Code subtype Index is Integer range 0.. 9; type D_Type is array (Index) of Integer; … R:=0; For I in Index loop --# assert R >= 0 and R <= I*100; if D(I) >= 0 and D(I) <= 100 then R:= R+D(I); end if; end loop;

20 © Andrew IrelandDependable Systems Group Revised RTC VC H1: r >= 0. H2: r <= loop__1__i * 100. H3:for_all(i___1: integer,((i___1 >= index_type__first)and (i___1 ((element(d,[i___1]) >= integer__first) and (element(d,[i___1]) <= integer__last))). … H8: loop__1__i >= index_type__first. H9: loop__1__i <= index_type__last. H10:element(d, [loop__1__i]) >= 0. H11:element(d, [loop__1__i]) <= 100. -> C1: r + element(d,[loop__1__i]) >= integer__first. C2: r + element(d,[loop__1__i]) <= integer__last.

21 © Andrew IrelandDependable Systems Group Revised Loop Invariant VC H1: r >= 0. H2: r <= loop__1__i * 100. … H10: element(d, [loop__1__i]) >= 0. H11: element(d, [loop__1__i]) <= 100. … -> C1: r + element(d,[loop__1__i])>= 0. C2: r + element(d,[loop__1__i])<=(loop__1__i + 1) * 100.

22 © Andrew IrelandDependable Systems Group Revised Loop Invariant VC H1: r >= 0. H2: r <= loop__1__i * 100. … H10: not((element(d, [loop__1__i]) >= 0) and (element(d, [loop__1__i]) <= 100)). … -> C1: r >= 0. C2: r <= (loop__1__i + 1) * 100.

23 © Andrew IrelandDependable Systems Group Proof Planning Proof Plan = Tactics + Methods + Critics Proof planning: Proof checking: Methods + Critics Tactics Note: proof planning can use meta-variables to delay choice

24 © Andrew IrelandDependable Systems Group Proof Planning RTC VC Given: Goal: Method: trans

25 © Andrew IrelandDependable Systems Group Proof Planning RTC VC Given: Goal: Method: decomp

26 © Andrew IrelandDependable Systems Group Proof Planning RTC VC Given: Goal: Method: fertilize

27 © Andrew IrelandDependable Systems Group Proof Planning RTC VC Given: Goal: Method: isolate

28 © Andrew IrelandDependable Systems Group Proof Planning RTC VC Given: Goal: Method: elementary

29 © Andrew IrelandDependable Systems Group Preconditions for trans Method there exists a conclusion of the form: E 1 Rel C for all variables V i that occur within E 1 there exists a hypothesis of the form: V i Rel E i where E ranges over expressions C ranges over constants Rel denotes a transitive relation

30 © Andrew IrelandDependable Systems Group there exists a conclusion of the form: E 1 Rel C for all variables V i that occur within E 1 there exists a hypothesis of the form: V i Rel E i Productive Use Of Failure X

31 © Andrew IrelandDependable Systems Group NuSPADE Architecture SPADE-PPSPADE-PC tactics VCs conjectures theory proofs user

32 © Andrew IrelandDependable Systems Group What Next? Continue implementation within NuSPADE Use industrial strength applications to guide ongoing development of heuristics for loop invariant discovery Investigate automatic debugging potential, e.g. use interval analysis to detect potential run-time defects Comparisons: Polyspace, MERLE, …

33 © Andrew IrelandDependable Systems Group Summary Recurrence relations & abstract interpretation (interval analysis) provides basis for loop invariant discovery Proof planning identifies the need for loop invariants & guides proof search Combined approach increases automation for exception freedom proofs

Download ppt "© Andrew IrelandDependable Systems Group Increasing Automation for Exception Freedom Proofs Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.

Technology from seed Automatic Equivalence Checking of UF+IA Programs Nuno Lopes and José Monteiro.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.

© Anvesh Komuravelli Quantified Invariants in Rich Domains using Model Checking and Abstract Interpretation Anvesh Komuravelli, CMU Joint work with Ken.
CS 355 – Programming Languages

CS 355 – Programming Languages
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.

Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.

Nikolaj Bjørner Microsoft Research Lecture 3. DayTopicsLab 1Overview of SMT and applications. SAT solving, Z3 Encoding combinatorial problems with Z3.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
Automated Changes of Problem Representation Eugene Fink LTI Retreat 2007.

Automated Changes of Problem Representation Eugene Fink LTI Retreat 2007.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Describing Syntax and Semantics

Describing Syntax and Semantics
Science Inquiry Minds-on Hands-on.

Science Inquiry Minds-on Hands-on.
State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.

State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.
Chapter 1 Algorithm Analysis

Chapter 1 Algorithm Analysis
The Scientific Community Game for STEM Innovation and Education (STEM: Science, Technology, Engineering and Mathematics) Karl Lieberherr Ahmed Abdelmeged.

The Scientific Community Game for STEM Innovation and Education (STEM: Science, Technology, Engineering and Mathematics) Karl Lieberherr Ahmed Abdelmeged.
© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.

© Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew Ireland Computing & Electrical Engineering.
© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.

© Andrew IrelandDependable Systems Group. © Andrew IrelandDependable Systems Group Proof Automation for the SPARK Approach to High Integrity Ada Andrew.
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.

© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.

Similar presentations

Ads by Google