
© Andrew Ireland, Dependable Systems Group. Proof Automation for the SPARK Approach to High Integrity Ada. Andrew Ireland, Computing & Electrical Engineering.



Presentation transcript:

1 Proof Automation for the SPARK Approach to High Integrity Ada. Andrew Ireland, Computing & Electrical Engineering, Heriot-Watt University, Edinburgh

2 Executive Summary
- Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems
- Julian Richardson (Co-investigator) and Bill Ellis (Research Associate)
- Investigate the role of proof planning within the SPARK approach to high integrity Ada

3 Outline
- Background and basic approach
- Proposed verification architecture
- Initial investigation into proof automation
- Future work

4 Program Verification
- Long history dating back to the 70s: Wegbreit, German, Katz & Manna, …
- Theorem proving and heuristic components were kept separate
- Adopting a proof planning approach integrates high-level theorem proving and heuristic components

5 Ada Verification Systems
- ANNA: Stanford University PAVG
- Penelope: Odyssey Research Associates
- MALPAS: TA Group (RSRE Malvern)
- SPARK: Praxis Critical Systems (PVL)

6 Static Analysis
- Data flow analysis: checks basic integrity constraints, e.g. definition-usage
- Information flow analysis: checks various interdependencies via program annotations
- Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics

7 The SPARK Tools
[Diagram of the tool chain: SPARK Examiner, SPADE Simplifier and SPADE Proof Checker, with the flows code, flow analysis feedback, path functions, VCs, user rules (lemmas) and proof]

8 Proof Automation
- Proof Plans: AI technique for mechanizing formal reasoning based upon high-level proof patterns
- Proof Plan = Methods + Critics + Tactics
- Benefits: reduces the level of user guided search by automating the “big steps” within a proof

9 Applications of Proof Plans
- Mathematical induction: program verification, synthesis, and optimization; hardware verification; correction of faulty specifications.
- Non-inductive proof: summing series; limit theorems.
- Automatic proof patching: conjecture generalization, lemma discovery, induction revision, case splitting, invariant discovery.

10 Example Generalization
[Diagram: initial conjecture, generalized conjecture, schematic conjecture]

11 Clam-Oyster
[Diagram: user, planner and checker, with the labels conjectures, theory, tactic and proof]

12 NuSPADE
[Diagram: user, planner and checker, with the labels cmds, VCs, conjectures, theory and proof]

13 NuSPADE: High-Level Aims
- Integrity: only modify the SPADE proof state via SPADE commands
- Compatibility: preserve SPADE at its core
- Transparency: provide users with the look-and-feel of a SPADE session

14 Proof Plans
[Diagram: the ind-strat and inv-strat proof plans, built from the methods induction, ripple, fertilize, simplify and tautology]

15 Polish Flag Problem
    --# pre (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White));
    --# post for some P in Integer range (Flag'First)..(Flag'Last+1) =>
    --#   ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
    --#    (for all R in Integer range P..Flag'Last => (Flag(R)=White)));

16 Loop Invariant
    --# assert Flag'First<=I and
    --#        J<=(Flag'Last+1) and
    --#        I<=J and
    --#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
    --#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
[Diagram: the array from Flag'First to Flag'Last with the indices I and J marked]

17 SPARK Code
    procedure Partition_Section(Flag: in out ArrayOfColours) is
       subtype JustBiggerRange is Integer range Flag'First..Flag'Last+1;
       I: JustBiggerRange;
       J: JustBiggerRange;
       T: Colour;
    begin
       I:=Flag'First;
       J:=Flag'Last+1;
       loop
          --# assert Flag'First<=I and
          --#        J<=(Flag'Last+1) and
          --#        I<=J and
          --#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
          --#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
          exit when I=J;
          if Flag(I)=Red then
             I:=I+1;
          else                  -- here Flag(I)=White
             J:=J-1;
             T:=Flag(I);
             Flag(I):=Flag(J);
             Flag(J):=T;
          end if;
       end loop;
    end Partition_Section;
Highlighted on the slide: the else branch, i.e. the case Flag(I)=White, whose verification condition follows.

18 Verification Condition
    procedure_partition_section_3.
    H1: indexrange__first <= i.
    H2: j <= indexrange__last + 1.
    H3: i <= j.
    H4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(flag, [q_]) = red)).
    H5: for_all (r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white)).
    H6: not (i = j).
    H7: not (element(flag, [i]) = red).
    ->
    C1: indexrange__first <= i.
    C2: j - 1 <= indexrange__last + 1.
    C3: i <= j - 1.
    C4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)).
    C5: for_all (r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r_]) = white)).

19 Ripple Plan
[Diagram: Given and Goal; Ripple plan + reduction = difference identification]

20 Speculative Loop Invariant
    --# assert Flag'First<=P and
    --#        P<=(Flag'Last+1) and
    --#        (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
    --#        (for all R in Integer range P..Flag'Last => (Flag(R)=White));
[Diagram: the array from Flag'First to Flag'Last with the index P marked]

21 Range Splitting Proof Critic
While the goal concerned with “white” gives rise to P = j, the complementary “red” goal gives rise to P = i. This inconsistency suggests the required 3-way range split, i.e. a split at i and j.
[Diagram: the index range split at i and j]
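The partition procedure, its loop invariant and the speculative single-P invariant of slides 15 to 21, as an added example that is not part of the original presentation. It is written in Python rather than SPARK, with 0-based indices and the colour names RED and WHITE as my own assumptions; it checks the annotations at runtime and shows that a single split point P is not established at loop entry, which is why the two-index invariant (and the 3-way range split) is needed.

```python
# Added example (not from the slides): Partition_Section of slide 17 with the SPARK
# annotations of slides 15, 16 and 20 checked as runtime assertions; indices are
# 0-based, so Flag'First = 0 and Flag'Last + 1 = len(flag).
RED, WHITE = "Red", "White"

def split_at(flag, p):
    # Red everywhere before p and White everywhere from p on (body of the --# post)
    return all(c == RED for c in flag[:p]) and all(c == WHITE for c in flag[p:])

def postcondition(flag):
    # --# post: for some P in Flag'First .. Flag'Last + 1, split_at(flag, P)
    return any(split_at(flag, p) for p in range(len(flag) + 1))

def loop_invariant(flag, i, j):
    # --# assert (slide 16): First <= I, J <= Last + 1, I <= J, Red below I, White from J
    return (0 <= i <= j <= len(flag)
            and all(c == RED for c in flag[:i])
            and all(c == WHITE for c in flag[j:]))

def _loop_states(flag):
    # Yield (flag, i, j) at the head of each iteration of the slide 17 loop (in place).
    i, j = 0, len(flag)
    while True:
        yield flag, i, j
        if i == j:
            return
        if flag[i] == RED:
            i += 1
        else:                       # Flag(I) = White: swap it into the White region
            j -= 1
            flag[i], flag[j] = flag[j], flag[i]

def partition_section(flag):
    # Mirror of Partition_Section; the loop invariant is checked on every iteration.
    assert all(c in (RED, WHITE) for c in flag)        # --# pre (slide 15)
    flag = list(flag)
    for state in _loop_states(flag):
        assert loop_invariant(*state)
    assert postcondition(flag)
    return flag

def speculative_invariant_failure(flag):
    # First (i, j) at which the single-P invariant of slide 20 holds for neither P = i
    # nor P = j even though the two-index invariant does; None if it never fails.
    for f, i, j in _loop_states(list(flag)):
        if not split_at(f, i) and not split_at(f, j):
            return (i, j)
    return None
```

For an input such as ["White", "Red"] the speculative invariant already fails at the initial state (i, j) = (0, 2), matching the critic's observation that the white goal wants P = j while the red goal wants P = i.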

22 Extending Critics Mechanism
- Build upon current capability to analyse failures over multiple branches
- Integrate a constraint solving capability
- Develop a bottom-up invariant generation capability; also important for reasoning about the absence of run-time errors.

23 Future Work
- Complete first prototype of NuSPADE
- Adapt existing proof plans for SPADE
- Develop corresponding generic proof command templates (tactics)
- Extend critics mechanism
- Address proof management issues
- Investigate industrial strength case studies

