© Andrew Ireland, Dependable Systems Group
Invariant Patterns for Program Reasoning
Andrew Ireland, Dependable Systems Group
School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh
Outline
• Context and background
• The problem
• Our approach
• Results and future horizons
Context
• Investigate the role of proof planning within the SPARK approach to high integrity software
• EPSRC Critical Systems programme (GR/R24081)
• Praxis Critical Systems (collaborator)
• Bill Ellis (Research Associate)
• Tommy Ingulfsen (Undergraduate Student)
The SPARK Approach
• A subset of Ada that eliminates potential ambiguities and insecurities (Praxis Critical Systems)
• Supports data & information flow analysis and formal verification via code level annotations
• Supports “correctness-by-construction” and is advocated by the US National Cyber Security Partnership (April 2004)
• Applications include SHOLIS: the UK MoD’s first Def Standard 00-55 project
[Diagram: SPARK code → Examiner → verification conditions → SPADE Simplifier → proofs]
[Diagram: SPARK code → Examiner → verification conditions → SPADE Simplifier → Failure!]
[Diagram: SPARK code → Examiner → verification conditions → SPADE Proof Checker → Failure!]
[Diagram: SPARK code → Examiner → verification conditions → SPADE Proof Checker]
[Diagram: SPARK code → Examiner → verification conditions → NuSPADE → command file → SPADE Proof Checker]
Achievements
Proof automation with respect to:
• Partial correctness proofs: prove a program correct with respect to a Floyd-Hoare style specification [MICAI-2004]
• Exception freedom proofs: prove that no exceptions will be raised at runtime, e.g. buffer overflows [ASE-2003, IFM-2004]
Program Reasoning Challenge
• Long history: Goldstine & von Neumann 1947, Turing 1949, Floyd 1967, Hoare 1969
• Strong AI focus dating back to the 1970s: Wegbreit, German, Katz & Manna, …
• Renewed interest: proof carrying code, SLAM (Microsoft), ESC/Java (HP), SPARK (Praxis), Verifying Compiler – UK “grand challenges” in computing (Hoare)
• Key challenges: proof automation and proof annotations, e.g. loop invariants
Investigate the role of proof planning within the SPARK approach to high integrity software
[Diagram: NuSPADE, combining program analysis, specification analysis and proof-failure analysis]
Proof Planning
• Use of high-level proof outlines, known as proof plans, to guide proof search
• Supports middle-out reasoning, i.e. the use of meta variables to delay choice during proof search
• Automatic proof patching via proof failure analysis, e.g. conjecture generalization, lemma discovery, induction revision, case splitting, loop invariant discovery, fixing faulty conjectures
• Inductive and non-inductive applications
A Broader View Of Proof Planning
[Diagram: proof planning (methods + critics), proof checking (tactics), conjectures, theory, and invariant patterns]
Bubble Sort Example

```ada
package BubbleSort is
   Min: constant := 0;
   Max: constant := 9;
   subtype Index_Type is Integer range Min..Max;
   type Array_Type is array(Index_Type) of Integer;
   …
   procedure Bubble_Sort(Table: in out Array_Type);
   --# derives Table from Table;
   --# pre true;
   --# post Ordered(Table, Min, Max) and
   --#      Perm(Table, Table~);
end BubbleSort;
```
Bubble Sort

```ada
package body BubbleSort is
   …
   procedure Bubble_Sort(Table: in out Array_Type)
   is
      T: Integer;
   begin
      for I in Index_Type range 1..Max loop
         for J in reverse Index_Type range I..Max loop
            if Table(J-1) > Table(J) then
               T := Table(J-1);
               Table(J-1) := Table(J);
               Table(J) := T;
            end if;
         end loop;
      end loop;
   end Bubble_Sort;
end BubbleSort;
```
Program Analysis
• Proof construction properties
• Proof search properties

| Loop | Variable | Behaviour | Range |
|---|---|---|---|
| for_loop_i | i | mono_inc | $1 \le i \le max$ |
| for_loop_j | j | mono_dec | $i \le j \le max$ |
| for_loop_j | i | constant | |
Specification Analysis
• Definition: $ordered(A, L, U) \equiv \forall P{:}int.\ L \le P \le U - 1 \rightarrow ele(A, P) \le ele(A, P + 1)$
• Unfolded specification: $\forall p{:}int.\ 0 \le p \le max - 1 \rightarrow ele(table, p) \le ele(table, p + 1)$
• Schematic specification (in terms of $F(i)$): $\forall p{:}int.\ 0 \le p \le F(i) - 1 \rightarrow ele(table, p) \le ele(table, p + 1)$
• Schematic specification (in terms of $G(j)$): $\forall p{:}int.\ G(j) \le p \le max - 1 \rightarrow ele(table, p) \le ele(table, p + 1)$
Proof-Failure Pattern
1. A goal is unprovable within the current proof context (blocked) and matches the following pattern: $ele(A, T_1)\ Rel\ ele(A, T_2)$
[Diagram: the index terms $T_1$ and $T_2$ positioned between the bounds $L$ and $U$]
2. Terms $T_1$ and $T_2$ contain a counter variable in common
Proof Patch
• Proof patch involves generalizing the goal, i.e. $\forall X{:}int.\ L \le X \le T_1 \rightarrow \forall Y{:}int.\ T_2 \le Y \le U \rightarrow ele(A, X)\ Rel\ ele(A, Y)$
• Generalized goal represents an auxiliary invariant
Alternative Generalizations
[Diagram: the index terms $T_1$ and $T_2$ positioned between the bounds $L$ and $U$]
Proof-Failure Analysis
• Blocked goal of the form $ele(table, T_1) \le ele(table, T_2)$, where both index terms involve $F(i)$
• Generalized goal (auxiliary invariant): $\forall p{:}int.\ 0 \le p \le F(i) - 1 \rightarrow \forall q{:}int.\ F(i) \le q \le max \rightarrow ele(table, p) \le ele(table, q)$
Outer-Loop Invariant
$1 \le i \le max$
$\forall p{:}int.\ 0 \le p \le i - 1 \rightarrow \forall q{:}int.\ i \le q \le max \rightarrow ele(table, p) \le ele(table, q)$
• Invariant states that the array table is partitioned into two parts, i.e. all elements in the lower part are less-than-or-equal to those in the upper part
• Invariant generated via program, specification and proof-failure analysis
Results & Future Horizons
• Industrial focus is on exception freedom proofs, so partial correctness examples are drawn mainly from text books
• Currently exploring the use of external reasoners to support planning and program analysis, e.g. CLP, Simplify (ESC/Java)
• Building on the NuSPADE project: knowledge transfer project with Praxis (2005); potential collaboration with NASA Ames
Conclusion
• Integrated approach to program reasoning, i.e. program, specification and proof-failure analysis
• Proof planning provides the basis for integration
• Integration broadens the role of proof planning, i.e. proof planning exploits program knowledge