Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences.

Published byLillian Pierce Modified over 9 years ago

Similar presentations

Presentation on theme: "© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences."— Presentation transcript:

1 © Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2 © Andrew IrelandDependable Systems Group Outline Cooperative reasoning & proof planning NuSPADE project CORE Project

3 © Andrew IrelandDependable Systems Group Cooperative Reasoning +=

4 © Andrew IrelandDependable Systems Group Cooperative Reasoning +=

5 © Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses

6 © Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration

7 © Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction (Boulton, Bundy, Gordon, Slind 1996-99) –SPADEase: program analysis & proof planning for SPARK

8 © Andrew IrelandDependable Systems Group The SPARK Approach A subset of Ada that eliminates potential ambiguities and insecurities (PRAXIS) Expressive enough for industrial applications, but restrictive enough to support rigorous analysis SPARK toolset supports data & information flow analysis and formal verification Partial correctness & exception freedom proof, e.g. proving code is free from buffer overflows, range violations, division by zero.

9 © Andrew IrelandDependable Systems Group SPARK Applications Advanced avionics (Eurofighter Typhoon), transportation, air traffic control, security (MONDEX) Ship Helicopter Operating Limits Information System (SHOLIS): first system developed to meet UK MOD Defence Standard 00-55 Supports “correctness-by-construction” and is advocated by US National Cyber Security Partnership (NSA) as one of three software development processes that can deliver sufficient assurance for security critical systems

10 © Andrew IrelandDependable Systems Group The SPARK Approach SPARK Examiner SPADE Simplifier SPADE Proof Checker VCs Cmds Unproven VCs  SPARK code Proofs

11 © Andrew IrelandDependable Systems Group NuSPADE Project SPARK Examiner SPADE Simplifier SPADE Proof Checker Bill J. Ellis (RA) EPSRC Critical Systems programme (GR/R24081) EPSRC RAIS Scheme (GR/T11289) www.macs.hw.ac.uk/nuspade VCs Cmds Unproven VCs  Refinement Abstraction SPADEase SPARK code Proofs

12 © Andrew IrelandDependable Systems Group SPADEase Program Analysis Proof Planning Exception freedom proofs Automatic loop invariant discovery

13 © Andrew IrelandDependable Systems Group NuSPADE Results Our evaluation was based upon examples drawn from industrial data provided by Praxis, e.g. SHOLIS SPADE Simplifier is very effective on exception freedom VC, i.e. typical hit-rate of 92% SPADEase targeted the VCs which the SPADE Simplifier failed to prove, i.e. loop-based code While critical software is engineered to minimize the number and complexity of loops, we found that 80% of the loops we encountered were provable using SPADEase

14 © Andrew IrelandDependable Systems Group Program AnalysisProof Planning constraints not available post-VCGen soundness equational reasoning extensibility Compensating for Weaknesses?

15 © Andrew IrelandDependable Systems Group CORE Project Proof automation for separation logic Project details: Ewen Maclean & Ianthe Hind EPSRC EP/F037597 www.macs.hw.ac.uk/core Focus on proof automation challenges

16 © Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp  Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j

17 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery

18 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery

19 © Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery

20 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}

21 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape

22 © Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content

23 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)

24 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) shape

25 © Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) content

26 © Andrew IrelandDependable Systems Group Cooperative Approach Build upon the Smallfoot family of program analysis tools, i.e. use SmallfootRG to generate shape invariants (Matthew Parkinson) Adapt and extend existing proof plans for use within separation logic, in particular the proof patching capabilities Specification = shape + content

27 © Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?

28 © Andrew IrelandDependable Systems Group Conclusion Proof planning is a powerful technique for exploiting common patterns of reasoning, i.e. – searching for proofs and – analyzing & patching failed-proofs Proof planning provides a natural level for combining multiple reasoning processes, e.g. reasoning about shape and content Separation logic provides opportunities and challenges for automated reasoning and program analysis

Download ppt "© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.

The ideal of program correctness Tony Hoare CAVSeattleAugust 2006.
Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.

Omnibus: A clean language and supporting tool for integrating different assertion-based verification techniques Thomas Wilson, Savi Maharaj, Robert G.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
The ideal of program correctness Tony Hoare BudapestSeptember 2006.

The ideal of program correctness Tony Hoare BudapestSeptember 2006.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,

B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
Job No/ 1 © British Crown Copyright 2008/MOD Developing a High Integrity Code Generator Using iUML/iCCG Sam Moody AWE plc, Aldermaston, Berkshire, United.

Job No/ 1 © British Crown Copyright 2008/MOD Developing a High Integrity Code Generator Using iUML/iCCG Sam Moody AWE plc, Aldermaston, Berkshire, United.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.

HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.

PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
Safety as a Software Metric Matthias Felleisen and Robert Corky Cartwright Rice University.

Safety as a Software Metric Matthias Felleisen and Robert Corky Cartwright Rice University.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
Overview of the Multos construction process Chad R. Meiners.

Overview of the Multos construction process Chad R. Meiners.
Describing Syntax and Semantics

Describing Syntax and Semantics
The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.

The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.

Similar presentations

Ads by Google