Download presentation
Presentation is loading. Please wait.
Published byLillian Pierce Modified over 9 years ago
1
© Andrew IrelandDependable Systems Group Cooperative Reasoning for Automatic Software Verification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh
2
© Andrew IrelandDependable Systems Group Outline Cooperative reasoning & proof planning NuSPADE project CORE Project
3
© Andrew IrelandDependable Systems Group Cooperative Reasoning +=
4
© Andrew IrelandDependable Systems Group Cooperative Reasoning +=
5
© Andrew IrelandDependable Systems Group Cooperative Reasoning += = Complementary techniques compensating for each other’s weaknesses
6
© Andrew IrelandDependable Systems Group Automatic Theorem Proving Proof planning Methods + Critics Proof checking Tactics Conjectures Theory Proof plans promote reuse, robustness and tool integration
7
© Andrew IrelandDependable Systems Group Proof Planning Middle-out reasoning: use of meta-variables in delaying choice during proof planning Proof critics: automatic proof patching via proof- failure analysis, e.g. generalization, lemma and loop invariant discovery Cooperative reasoning: –Clam/HOL: proof by mathematical induction (Boulton, Bundy, Gordon, Slind 1996-99) –SPADEase: program analysis & proof planning for SPARK
8
© Andrew IrelandDependable Systems Group The SPARK Approach A subset of Ada that eliminates potential ambiguities and insecurities (PRAXIS) Expressive enough for industrial applications, but restrictive enough to support rigorous analysis SPARK toolset supports data & information flow analysis and formal verification Partial correctness & exception freedom proof, e.g. proving code is free from buffer overflows, range violations, division by zero.
9
© Andrew IrelandDependable Systems Group SPARK Applications Advanced avionics (Eurofighter Typhoon), transportation, air traffic control, security (MONDEX) Ship Helicopter Operating Limits Information System (SHOLIS): first system developed to meet UK MOD Defence Standard 00-55 Supports “correctness-by-construction” and is advocated by US National Cyber Security Partnership (NSA) as one of three software development processes that can deliver sufficient assurance for security critical systems
10
© Andrew IrelandDependable Systems Group The SPARK Approach SPARK Examiner SPADE Simplifier SPADE Proof Checker VCs Cmds Unproven VCs SPARK code Proofs
11
© Andrew IrelandDependable Systems Group NuSPADE Project SPARK Examiner SPADE Simplifier SPADE Proof Checker Bill J. Ellis (RA) EPSRC Critical Systems programme (GR/R24081) EPSRC RAIS Scheme (GR/T11289) www.macs.hw.ac.uk/nuspade VCs Cmds Unproven VCs Refinement Abstraction SPADEase SPARK code Proofs
12
© Andrew IrelandDependable Systems Group SPADEase Program Analysis Proof Planning Exception freedom proofs Automatic loop invariant discovery
13
© Andrew IrelandDependable Systems Group NuSPADE Results Our evaluation was based upon examples drawn from industrial data provided by Praxis, e.g. SHOLIS SPADE Simplifier is very effective on exception freedom VC, i.e. typical hit-rate of 92% SPADEase targeted the VCs which the SPADE Simplifier failed to prove, i.e. loop-based code While critical software is engineered to minimize the number and complexity of loops, we found that 80% of the loops we encountered were provable using SPADEase
14
© Andrew IrelandDependable Systems Group Program AnalysisProof Planning constraints not available post-VCGen soundness equational reasoning extensibility Compensating for Weaknesses?
15
© Andrew IrelandDependable Systems Group CORE Project Proof automation for separation logic Project details: Ewen Maclean & Ianthe Hind EPSRC EP/F037597 www.macs.hw.ac.uk/core Focus on proof automation challenges
16
© Andrew IrelandDependable Systems Group Singly-linked Lists list ( [],Y,Z ) ↔ emp Y=Z list ( [W|X],Y,Z)↔ ( ∃ p.( Y ↦ W,p ) *list ( X,p,Z )) a1a1 a2a2 anan … i list([a 1, a 2, …, a n ],i,j) j
17
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil)} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} Frame Axiom Discovery
18
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} shape Frame Axiom Discovery
19
© Andrew IrelandDependable Systems Group {list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(A t,i t,nil)} copylist(it; jt); {R ∗ list(A t,i t,nil) * list(A t,j t,nil} j := cons(ih, jt) end if end copylist {list(A,i,nil) * list(A,j,nil)} { ∃ A h, A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil)} copylist(it; jt); { ∃ A h,A t.([A h |A t ]=A) ∧ (i h =A h ) ∧ (i ↦ i h,i t ) ∗ list(A t,i t,nil) ∗ list(A t,j t,nil)} content Frame Axiom Discovery
20
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i,nil) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} Loop Invariant Discovery R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)}
21
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery shape
22
© Andrew IrelandDependable Systems Group { ∃ A. list(A,i) ∧ A init = A} j := nil; {R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop { ∃ B.list(B,j,nil) ∧ rev(A init )= B)} R : { ∃ A,B.list(A,i,nil)*list(B,j,nil) ∧ rev(A init )=app(rev(A),B)} Loop Invariant Discovery content
23
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(X,V,W)*list(Y,W,nil) ↔ list(app(X,Y),V,nil)
24
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) shape
25
© Andrew IrelandDependable Systems Group { ∃ A,B. list(A,x,nil)* list(B,y,nil) ∧ A = A init ∧ B = B init } if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y; { ∃ C.list(C,x,nil) ∧ C = app(A init,B init )} Inductive Lemma Discovery list(V,W,X)*list(Y,Z,nil) ↔ list(app(V,Y),W,nil) content
26
© Andrew IrelandDependable Systems Group Cooperative Approach Build upon the Smallfoot family of program analysis tools, i.e. use SmallfootRG to generate shape invariants (Matthew Parkinson) Adapt and extend existing proof plans for use within separation logic, in particular the proof patching capabilities Specification = shape + content
27
© Andrew IrelandDependable Systems Group Symbolic ExecutionProof Planning shape invariants content invariants soundness extensibility Compensating for Weaknesses?
28
© Andrew IrelandDependable Systems Group Conclusion Proof planning is a powerful technique for exploiting common patterns of reasoning, i.e. – searching for proofs and – analyzing & patching failed-proofs Proof planning provides a natural level for combining multiple reasoning processes, e.g. reasoning about shape and content Separation logic provides opportunities and challenges for automated reasoning and program analysis
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.