© Andrew Ireland, Dependable Systems Group
Proof Automation for the SPARK Approach to High Integrity Ada
Andrew Ireland, Computing & Electrical Engineering
Heriot-Watt University, Edinburgh
Executive Summary
• Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems
• Julian Richardson (Co-investigator) and Bill Ellis (Research Associate)
Aim: investigate the role of proof planning within the SPARK approach to high integrity Ada
Outline
• Background and basic approach
• Proposed verification architecture
• Initial investigation into proof automation
• Future work
Program Verification
• Long history dating back to the 70s: Wegbreit, German, Katz & Manna, …
• Theorem proving and heuristic components were kept separate
• Adopting a proof planning approach integrates high-level theorem proving and heuristic components
Ada Verification Systems
• ANNA: Stanford University PAVG
• Penelope: Odyssey Research Associates
• MALPAS: TA Group (RSRE Malvern)
• SPARK: Praxis Critical Systems (PVL)
Static Analysis
• Data flow analysis: checks basic integrity constraints, e.g. definition-usage
• Information flow analysis: checks various interdependencies via program annotations
• Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics
The SPARK Tools
[Figure: SPARK toolset. The SPARK Examiner takes the code and produces flow analysis feedback and VCs; the SPADE Simplifier reduces the VCs; the SPADE Proof Checker completes the proof interactively with the user, who may supply rules (lemmas). Path functions are also generated.]
Proof Automation
• Proof Plans: AI technique for mechanizing formal reasoning based upon high-level proof patterns
Proof Plan = Methods + Critics + Tactics
• Benefits: reduces the level of user guided search by automating the “big steps” within a proof
Applications of Proof Plans
• Mathematical induction: program verification, synthesis, and optimization; hardware verification; correction of faulty specifications.
• Non-inductive proof: summing series; limit theorems.
• Automatic proof patching: conjecture generalization, lemma discovery, induction revision, case splitting, invariant discovery.
Example Generalization
• Initial conjecture [formula not recoverable from the extraction; it is built from reduce, app, map, fmap, split, n, nil and t]
• Generalized conjecture [formula not recoverable from the extraction]
• Schematic conjecture [formula not recoverable from the extraction]
Clam-Oyster
[Figure: the user supplies conjectures and a theory to the Clam planner; the resulting tactic drives the Oyster checker, which produces the proof.]
NuSPADE
[Figure: VCs and a theory are given to the planner as conjectures; the planner emits SPADE proof commands (cmds) to the SPADE checker, which produces the proof; the user interacts with both.]
NuSPADE: High-Level Aims
• Integrity: only modify the SPADE proof state via SPADE commands
• Compatibility: preserve SPADE at its core
• Transparency: provide users with the look-and-feel of a SPADE session
Proof Plans
[Figure: two strategies.
ind-strat: induction → ripple → fertilize → simplify → tautology
inv-strat: ripple → fertilize → simplify → tautology]
Polish Flag Problem
--# pre (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White));
--# post for some P in Integer range (Flag'First) .. (Flag'Last+1) =>
--#   ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#    (for all R in Integer range P..Flag'Last => (Flag(R)=White)));
Loop Invariant
--# assert Flag'First<=I and
--#        J<=(Flag'Last+1) and
--#        I<=J and
--#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
[Diagram: Flag'First .. I-1 red | I .. J-1 unclassified | J .. Flag'Last white]
SPARK Code

procedure Partition_Section(Flag: in out ArrayOfColours) is
   subtype JustBiggerRange is Integer range Flag'First .. Flag'Last+1;
   I: JustBiggerRange;
   J: JustBiggerRange;
   T: Colour;
begin
   I := Flag'First;
   J := Flag'Last+1;
   loop
      --# assert Flag'First<=I and
      --#        J<=(Flag'Last+1) and
      --#        I<=J and
      --#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
      --#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
      exit when I=J;
      if Flag(I)=Red then
         I := I+1;
      else
         J := J-1;
         T := Flag(I);
         Flag(I) := Flag(J);
         Flag(J) := T;
      end if;
   end loop;
end Partition_Section;

The else branch is the case Flag(I)=White (the precondition admits only Red and White): J is decremented and Flag(I) is swapped with Flag(J).
Verification Condition

procedure_partition_section_3.
H1: indexrange__first <= i .
H2: j <= indexrange__last + 1 .
H3: i <= j .
H4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(flag, [q_]) = red)) .
H5: for_all (r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white)) .
H6: not (i = j) .
H7: not (element(flag, [i]) = red) .
->
C1: indexrange__first <= i .
C2: j - 1 <= indexrange__last + 1 .
C3: i <= j - 1 .
C4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)) .
C5: for_all (r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r_]) = white)) .

This is the VC for the path through the else branch: H1-H5 are the loop invariant at the loop head, H6 the failed exit test, H7 the branch condition, and C1-C5 the invariant after J := J-1 and the swap.
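As an added example (Python, not code from the slides or from the SPARK/SPADE tools), the VC above can be checked on concrete states before any proof is attempted. FDL `element(flag, [k])` and `update(flag, [k], v)` are modelled on Python tuples; `indexrange__first` is assumed to be 1; hypotheses H1-H7 and conclusions C1-C5 are transcribed from the VC. Exhaustive enumeration over short arrays confirms the implication, and dropping H7 (the branch condition) produces a counterexample, which shows why the path condition is a hypothesis of the VC.

```python
"""Concrete check of the verification condition procedure_partition_section_3.

Added example: Python, not code from the slides or from the SPARK/SPADE tools.
FDL element(flag, [k]) and update(flag, [k], v) are modelled on Python tuples
indexed from indexrange__first (assumed to be 1 here); hypotheses H1..H7 and
conclusions C1..C5 are transcribed from the VC on the slide.
"""
from itertools import product

RED, WHITE = "red", "white"
FIRST = 1  # assumed value of indexrange__first


def element(flag, k):
    """FDL element(flag, [k])."""
    return flag[k - FIRST]


def update(flag, k, value):
    """FDL update(flag, [k], value): a copy of flag with position k replaced."""
    out = list(flag)
    out[k - FIRST] = value
    return tuple(out)


def for_all(lo, hi, pred):
    """Bounded for_all over integers lo..hi (vacuously true when lo > hi)."""
    return all(pred(k) for k in range(lo, hi + 1))


def hypotheses(flag, i, j, last, use_h7=True):
    """H1..H7: invariant at the loop head, exit test failed, else-branch taken."""
    return (FIRST <= i                                                    # H1
            and j <= last + 1                                             # H2
            and i <= j                                                    # H3
            and for_all(FIRST, i - 1, lambda q: element(flag, q) == RED)  # H4
            and for_all(j, last, lambda r: element(flag, r) == WHITE)     # H5
            and i != j                                                    # H6
            and (not use_h7 or element(flag, i) != RED))                  # H7


def conclusions(flag, i, j, last):
    """C1..C5: invariant after J := J-1 and the swap Flag(I) <-> Flag(J)."""
    swapped = update(update(flag, i, element(flag, j - 1)), j - 1, element(flag, i))
    return (FIRST <= i                                                        # C1
            and j - 1 <= last + 1                                             # C2
            and i <= j - 1                                                    # C3
            and for_all(FIRST, i - 1, lambda q: element(swapped, q) == RED)   # C4
            and for_all(j - 1, last, lambda r: element(swapped, r) == WHITE))  # C5


def check_vc(max_len=6, use_h7=True):
    """Exhaustively test H1..H7 -> C1..C5 on all colour arrays up to max_len.

    Returns (True, number_of_states_checked) or (False, counterexample).
    """
    checked = 0
    for n in range(1, max_len + 1):
        last = FIRST + n - 1
        for flag in product((RED, WHITE), repeat=n):
            for i in range(FIRST, last + 2):
                for j in range(FIRST, last + 2):
                    if not hypotheses(flag, i, j, last, use_h7):
                        continue
                    checked += 1
                    if not conclusions(flag, i, j, last):
                        return False, (flag, i, j)
    return True, checked


if __name__ == "__main__":
    print("VC as stated:", check_vc())
    print("VC without H7:", check_vc(use_h7=False))
```

Such a bounded check is not a proof, but it is a cheap way to catch a mis-transcribed invariant or a wrong path condition before the Simplifier and Proof Checker are run.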
Given (from H5, H7, H3, H6):
  for_all (r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white))
  not (element(flag, [i]) = red)
  i <= j
  not (i = j)
Goal (C5):
  for_all (r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r_]) = white))
Ripple plan + reduction = difference identification: the goal differs from the given in the lower bound (j - 1 versus j) and in the nested updates wrapped around flag.
Speculative Loop Invariant
--# assert Flag'First<=P and
--#        P<=(Flag'Last+1) and
--#        (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range P..Flag'Last => (Flag(R)=White));
[Diagram: Flag'First .. P-1 red | P .. Flag'Last white]
Range Splitting Proof Critic
• While the goal concerned with “white” gives rise to P = j, the complementary “red” goal gives rise to P = i
• This inconsistency suggests the required 3-way range split, i.e.
  Flag'First .. i-1 (red) | i .. j-1 (unclassified) | j .. Flag'Last (white)
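The critic's observation can be reproduced by instrumentation. As an added example (Python, not the SPARK source on the slides; indexing is 0-based, so Flag'First is 0 and Flag'Last+1 is len(flag)), the loop from Partition_Section is run on every colour array up to a small length, and at each loop head the speculative two-region invariant is evaluated with P = i and with P = j, split into its "red" and "white" halves, alongside the three-region invariant from the Loop Invariant slide. The "red" half survives only with P = i and the "white" half only with P = j, which is exactly the inconsistency that motivates the 3-way split.

```python
"""Testing candidate loop invariants for the Polish flag partition.

Added example: Python, not the SPARK source on the slides. Indexing is
0-based, so Flag'First is 0 and Flag'Last+1 is len(flag).
"""
from itertools import product

RED, WHITE = "red", "white"


def red_below(flag, p):
    """The 'red' half of the speculative invariant: Flag'First..P-1 all red."""
    return all(c == RED for c in flag[:p])


def white_from(flag, p):
    """The 'white' half of the speculative invariant: P..Flag'Last all white."""
    return all(c == WHITE for c in flag[p:])


def three_region(flag, i, j):
    """The invariant actually used in Partition_Section (red | unclassified | white)."""
    return 0 <= i <= j <= len(flag) and red_below(flag, i) and white_from(flag, j)


def partition_section(flag, observe=None):
    """The loop from the SPARK slide; observe(flag, i, j) is called at each loop head."""
    flag = list(flag)
    i, j = 0, len(flag)
    while True:
        if observe is not None:
            observe(flag, i, j)
        if i == j:                       # exit when I=J
            break
        if flag[i] == RED:
            i += 1
        else:                            # Flag(I)=White
            j -= 1
            flag[i], flag[j] = flag[j], flag[i]
    return flag, i


def evaluate_candidates(max_len=5):
    """Run every array of length <= max_len; report which candidate invariants survive."""
    holds = {"P=i red": True, "P=i white": True,
             "P=j red": True, "P=j white": True, "3-way": True}

    def observe(flag, i, j):
        holds["P=i red"] &= red_below(flag, i)
        holds["P=i white"] &= white_from(flag, i)
        holds["P=j red"] &= red_below(flag, j)
        holds["P=j white"] &= white_from(flag, j)
        holds["3-way"] &= three_region(flag, i, j)

    for n in range(max_len + 1):
        for initial in product((RED, WHITE), repeat=n):
            final, p = partition_section(initial, observe)
            # postcondition from the Polish Flag slide, plus a permutation check
            assert red_below(final, p) and white_from(final, p)
            assert sorted(final) == sorted(initial)
    return holds


if __name__ == "__main__":
    for name, ok in evaluate_candidates().items():
        print(f"{name:10s} {'holds' if ok else 'fails'}")
```

Only "P=i red", "P=j white" and "3-way" survive: the red conjunct needs the bound i and the white conjunct needs the bound j, so a single index P cannot serve both and the invariant must be split into three ranges.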
Extending Critics Mechanism
• Build upon current capability to analyse failures over multiple branches
• Integrate a constraint solving capability
• Develop a bottom-up invariant generation capability - also important for reasoning about the absence of run-time errors.
Future Work
• Complete first prototype of NuSPADE
• Adapt existing proof plans for SPADE
• Develop corresponding generic proof command templates (tactics)
• Extend critics mechanism
• Address proof management issues
• Investigate industrial strength case studies