© Andrew Ireland, Dependable Systems Group. Proof Automation for the SPARK Approach to High Integrity Ada. Andrew Ireland, Computing & Electrical Engineering, Heriot-Watt University, Edinburgh


Page 1:

© Andrew Ireland, Dependable Systems Group

Proof Automation for the SPARK Approach to High Integrity Ada

Andrew Ireland, Computing & Electrical Engineering

Heriot-Watt University, Edinburgh

Page 2:

Executive Summary

• Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems

• Julian Richardson (Co-investigator) and Bill Ellis (Research Associate)

Investigate the role of proof planning within the SPARK approach to high integrity Ada

Page 3:

Outline

• Background and basic approach

• Proposed verification architecture

• Initial investigation into proof automation

• Future work

Page 4:

Program Verification

• Long history dating back to the 70s: Wegbreit, German, Katz & Manna, …

• Theorem proving and heuristic components were kept separate

• Adopting a proof planning approach integrates high-level theorem proving and heuristic components

Page 5:

Ada Verification Systems

• ANNA: Stanford University PAVG

• Penelope: Odyssey Research Associates

• MALPAS: TA Group (RSRE Malvern)

• SPARK: Praxis Critical Systems (PVL)

Page 6:

Static Analysis

• Data flow analysis: checks basic integrity constraints, e.g. definition-usage

• Information flow analysis: checks various interdependencies via program annotations

• Formal verification: generates verification conditions (VCs) based upon program annotations and SPARK semantics

Page 7:

The SPARK Tools

Figure (tool-chain diagram): the SPARK Examiner takes the code and produces VCs, path functions and flow analysis feedback; the SPADE Simplifier and the SPADE Proof Checker work on the VCs, the Proof Checker taking user-supplied rules (lemmas) and yielding the proof.

Page 8:

Proof Automation

• Proof Plans: AI technique for mechanizing formal reasoning based upon high-level proof patterns

Proof Plan = Methods + Critics + Tactics

• Benefits: reduces the level of user guided search by automating the “big steps” within a proof

Page 9:

Applications of Proof Plans

• Mathematical induction: program verification, synthesis, and optimization; hardware verification; correction of faulty specifications.

• Non-inductive proof: summing series; limit theorems.

• Automatic proof patching: conjecture generalization, lemma discovery, induction revision, case splitting, invariant discovery.

Page 10:

Example Generalization

• Initial conjecture

• Generalized conjecture

• Schematic conjecture

(The three conjectures are terms built from reduce, app, map, fmap, split, nil and the variables n, l, t; the formulas themselves did not survive extraction.)

Page 11:

Clam-Oyster

Figure (architecture diagram): the Clam planner takes conjectures and a theory and produces a tactic; the Oyster checker executes the tactic to produce the proof; the user is the remaining labelled actor.

Page 12:

NuSPADE

Figure (architecture diagram): the planner takes VCs as conjectures together with a theory and produces SPADE proof commands (cmds); the checker executes the commands to produce the proof; the user is the remaining labelled actor.

Page 13:

NuSPADE: High-Level Aims

• Integrity: only modify the SPADE proof state via SPADE commands

• Compatibility: preserve SPADE at its core

• Transparency: provide users with the look-and-feel of a SPADE session

Page 14:

Proof Plans

Figure (method trees of the two strategies):

• ind-strat: induction, ripple, fertilize, simplify, tautology

• inv-strat: ripple, fertilize, simplify, tautology

Page 15:

Polish Flag Problem

--# pre  (for all I in IndexRange => (Flag(I)=Red or Flag(I)=White))

--# post for some P in Integer range (Flag'First) .. (Flag'Last+1) =>
--#        ((for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#         (for all R in Integer range P..Flag'Last => (Flag(R)=White)));

Page 16:

Loop Invariant

--# assert Flag'First<=I and
--#        J<=(Flag'Last+1) and
--#        I<=J and
--#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));

Figure: the array Flag from Flag'First to Flag'Last, with the markers I and J dividing it into a red region below I, an unprocessed region between I and J, and a white region from J upward.

Page 17:

SPARK Code

procedure Partition_Section(Flag: in out ArrayOfColours) is
   subtype JustBiggerRange is Integer range Flag'First .. Flag'Last+1;
   I: JustBiggerRange;
   J: JustBiggerRange;
   T: Colour;
begin
   I := Flag'First;
   J := Flag'Last+1;
   loop
      --# assert Flag'First<=I and
      --#        J<=(Flag'Last+1) and
      --#        I<=J and
      --#        (for all Q in Integer range Flag'First..(I-1) => (Flag(Q)=Red)) and
      --#        (for all R in Integer range J..Flag'Last => (Flag(R)=White));
      exit when I=J;
      if Flag(I)=Red then
         I := I+1;
      else                        -- here Flag(I)=White
         J := J-1;
         T := Flag(I);
         Flag(I) := Flag(J);
         Flag(J) := T;
      end if;
   end loop;
end Partition_Section;

Page 18:

Verification Condition

procedure_partition_section_3.
H1: indexrange__first <= i .
H2: j <= indexrange__last + 1 .
H3: i <= j .
H4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(flag, [q_]) = red)) .
H5: for_all (r_: integer, ((r_ >= j) and (r_ <= indexrange__last)) -> (element(flag, [r_]) = white)) .
H6: not (i = j) .
H7: not (element(flag, [i]) = red) .
->
C1: indexrange__first <= i .
C2: j - 1 <= indexrange__last + 1 .
C3: i <= j - 1 .
C4: for_all (q_: integer, ((q_ >= indexrange__first) and (q_ <= i - 1)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [q_]) = red)) .
C5: for_all (r_: integer, ((r_ >= j - 1) and (r_ <= indexrange__last)) -> (element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r_]) = white)) .

Page 19:

Figure (rippling the “white” conjunct of the VC):

Given: H5, for all r in j..indexrange__last, element(flag, [r]) = white; H7, not (element(flag, [i]) = red); H3 and H6, i <= j and not (i = j).

Goal: C5, for all r in (j - 1)..indexrange__last, element(update(update(flag, [i], element(flag, [j - 1])), [j - 1], element(flag, [i])), [r]) = white.

Ripple plan + reduction = difference identification

Page 20:

Speculative Loop Invariant

--# assert Flag'First<=P and
--#        P<=(Flag'Last+1) and
--#        (for all Q in Integer range Flag'First..(P-1) => (Flag(Q)=Red)) and
--#        (for all R in Integer range P..Flag'Last => (Flag(R)=White));

Figure: the array Flag from Flag'First to Flag'Last, with a single marker P dividing it into a red region below P and a white region from P upward.

Page 21:

Range Splitting Proof Critic

• While the goal concerned with “white” gives rise to P = j, the complementary “red” goal gives rise to P = i

• This inconsistency suggests the required 3-way range split, i.e.

Figure: the array split into three ranges at the markers i and j.
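As an added example covering Pages 15 to 21 (it is not code from the slides, from Praxis or from the NuSPADE project), the following Python model of Partition_Section uses 0-based indexing, so Flag'First = 0 and Flag'Last+1 = len(flag). It executes the loop while asserting the three-way loop invariant, checks the postcondition on exit, evaluates the Page 18 verification condition for the else branch with an explicit element/update array model, and exhibits the failure of the speculative two-way invariant that motivates the range-splitting critic. The names partition_section, vc_else_branch, first_speculative_failure and exhaustive_check are my own.

```python
# Constructed Python model of the SPARK Partition_Section procedure (not from the slides).
# 0-based indices: Flag'First = 0, Flag'Last + 1 = len(flag).
from itertools import product

RED, WHITE = "Red", "White"


def invariant(flag, i, j):
    """3-way loop invariant: reds in 0..i-1, unprocessed in i..j-1, whites in j..n-1."""
    n = len(flag)
    return (0 <= i <= j <= n
            and all(flag[q] == RED for q in range(0, i))
            and all(flag[r] == WHITE for r in range(j, n)))


def postcondition(flag):
    """Exists P with reds in 0..P-1 and whites in P..n-1 (the --# post)."""
    n = len(flag)
    return any(all(flag[q] == RED for q in range(0, p))
               and all(flag[r] == WHITE for r in range(p, n))
               for p in range(0, n + 1))


def partition_section(flag):
    """Run the loop, asserting the 3-way invariant at the top of every iteration."""
    flag = list(flag)
    i, j = 0, len(flag)
    while True:
        assert invariant(flag, i, j), (flag, i, j)
        if i == j:
            break
        if flag[i] == RED:
            i += 1
        else:                       # Flag(I) = White: shrink J and swap
            j -= 1
            flag[i], flag[j] = flag[j], flag[i]
    assert postcondition(flag), flag
    return flag


def first_speculative_failure(flag):
    """Iteration at which the speculative 2-way invariant (single marker P,
    i.e. the postcondition itself) first fails, or None if it never does."""
    flag = list(flag)
    i, j, step = 0, len(flag), 0
    while i != j:
        if not postcondition(flag):
            return step
        if flag[i] == RED:
            i += 1
        else:
            j -= 1
            flag[i], flag[j] = flag[j], flag[i]
        step += 1
    return None


def element(arr, idx):
    """element(arr, [idx]) of the VC language."""
    return arr[idx]


def update(arr, idx, value):
    """update(arr, [idx], value): a fresh array, the original is untouched."""
    new = list(arr)
    new[idx] = value
    return new


def vc_else_branch(flag, i, j):
    """The Page 18 VC: if H1..H7 hold for (flag, i, j) then C1..C5 hold after
    the swap. Returns None when the hypotheses fail (VC vacuously true)."""
    n = len(flag)
    hyps = (0 <= i and j <= n and i <= j                                     # H1..H3
            and all(element(flag, q) == RED for q in range(0, i))            # H4
            and all(element(flag, r) == WHITE for r in range(j, n))          # H5
            and i != j                                                       # H6
            and element(flag, i) != RED)                                     # H7
    if not hyps:
        return None
    new_flag = update(update(flag, i, element(flag, j - 1)), j - 1, element(flag, i))
    return (0 <= i and j - 1 <= n and i <= j - 1                             # C1..C3
            and all(element(new_flag, q) == RED for q in range(0, i))        # C4
            and all(element(new_flag, r) == WHITE for r in range(j - 1, n))) # C5


def exhaustive_check(max_len=5):
    """Bounded model check over every Red/White array up to max_len elements:
    the loop keeps its invariant and postcondition, and the else-branch VC holds
    in every state satisfying its hypotheses. Returns the number of VC instances."""
    checked = 0
    for n in range(0, max_len + 1):
        for flag in product((RED, WHITE), repeat=n):
            partition_section(flag)
            for i in range(0, n + 1):
                for j in range(i, n + 1):
                    verdict = vc_else_branch(list(flag), i, j)
                    assert verdict in (None, True), (flag, i, j)
                    checked += verdict is not None
    return checked


if __name__ == "__main__":
    print(partition_section([WHITE, RED, RED, WHITE]))
    print("speculative invariant first fails at step", first_speculative_failure([WHITE, RED]))
    print("else-branch VC instances checked:", exhaustive_check(5))
```

On the constructed input [White, Red] the speculative invariant already fails before the first iteration: no single P has every element below it red and every element from it white, which is the P = i versus P = j inconsistency the critic detects, while the three-way invariant holds throughout and the exhaustive check finds no state in which the hypotheses hold but a conclusion fails.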

Page 22:

Extending Critics Mechanism

• Build upon current capability to analyse failures over multiple branches

• Integrate a constraint solving capability

• Develop a bottom-up invariant generation capability - also important for reasoning about the absence of run-time errors.

Page 23:

Future Work

• Complete first prototype of NuSPADE

• Adapt existing proof plans for SPADE

• Develop corresponding generic proof cmd templates (tactics)

• Extend critics mechanism

• Address proof management issues

• Investigate industrial strength case studies