© andrew irelanddependable systems group cooperative reasoning for automatic software verification...
TRANSCRIPT
© Andrew IrelandDependable Systems Group
Cooperative Reasoning for Automatic Software Verification
Andrew IrelandSchool of Mathematical & Computer Sciences
Heriot-Watt UniversityEdinburgh
© Andrew IrelandDependable Systems Group
Outline
• Cooperative reasoning & proof planning
• NuSPADE project• CORE Project
© Andrew IrelandDependable Systems Group
Cooperative Reasoning
+ =
© Andrew IrelandDependable Systems Group
Cooperative Reasoning
+ =
© Andrew IrelandDependable Systems Group
Cooperative Reasoning
+ =
=
Complementary techniques compensating for each other’s weaknesses
© Andrew IrelandDependable Systems Group
Automatic Theorem Proving
Proof planningMethods + Critics
Proof checkingTactics
Conjectures Theory
Proof plans promote reuse, robustness and tool integration
© Andrew IrelandDependable Systems Group
Proof Planning • Middle-out reasoning: use of meta-variables in
delaying choice during proof planning• Proof critics: automatic proof patching via proof-
failure analysis, e.g. generalization, lemma and loop invariant discovery
• Cooperative reasoning:– Clam/HOL: proof by mathematical induction (Boulton,
Bundy, Gordon, Slind 1996-99)– SPADEase: program analysis & proof planning for SPARK
© Andrew IrelandDependable Systems Group
The SPARK Approach• A subset of Ada that eliminates potential ambiguities
and insecurities (PRAXIS) • Expressive enough for industrial applications, but
restrictive enough to support rigorous analysis• SPARK toolset supports data & information flow
analysis and formal verification• Partial correctness & exception freedom proof, e.g.
proving code is free from buffer overflows, range violations, division by zero.
© Andrew IrelandDependable Systems Group
SPARK Applications • Advanced avionics (Eurofighter Typhoon),
transportation, air traffic control, security (MONDEX)• Ship Helicopter Operating Limits Information System
(SHOLIS): first system developed to meet UK MOD Defence Standard 00-55
• Supports “correctness-by-construction” and is advocated by US National Cyber Security Partnership (NSA) as one of three software development processes that can deliver sufficient assurance for security critical systems
© Andrew IrelandDependable Systems Group
The SPARK ApproachSPARK
ExaminerSPADE Simplifier
SPADEProof Checker
VCs
Cmds
UnprovenVCs
SPARK
codeProofs
© Andrew IrelandDependable Systems Group
NuSPADE ProjectSPARK
ExaminerSPADE Simplifier
SPADEProof Checker
• Bill J. Ellis (RA)• EPSRC Critical Systems programme (GR/R24081)• EPSRC RAIS Scheme (GR/T11289)• www.macs.hw.ac.uk/nuspade
VCs
Cmds
UnprovenVCs
RefinementAbstraction
SPADEase
SPARKcode
Proofs
© Andrew IrelandDependable Systems Group
SPADEase
Program Analysis
Proof Planning
• Exception freedom proofs• Automatic loop invariant discovery
© Andrew IrelandDependable Systems Group
NuSPADE Results
• Our evaluation was based upon examples drawn from industrial data provided by Praxis, e.g. SHOLIS
• SPADE Simplifier is very effective on exception freedom VC, i.e. typical hit-rate of 92%
• SPADEase targeted the VCs which the SPADE Simplifier failed to prove, i.e. loop-based code
• While critical software is engineered to minimize the number and complexity of loops, we found that 80% of the loops we encountered were provable using SPADEase
© Andrew IrelandDependable Systems Group
Program Analysis Proof Planning
constraintsnot available post-VCGen
• soundness• equational reasoning • extensibility
Compensating for Weaknesses?
© Andrew IrelandDependable Systems Group
CORE Project
• Proof automation for separation logic• Project details:
• Ewen Maclean & Ianthe Hind• EPSRC EP/F037597• www.macs.hw.ac.uk/core
• Focus on proof automation challenges
© Andrew IrelandDependable Systems Group
Singly-linked Lists
list([],Y,Z)↔ emp Y=Zlist([W|X],Y,Z)↔(∃p.(Y ↦ W,p)*list(X,p,Z))
a1 a2 an…i
list([a1, a2, …, an],i,j)
j
© Andrew IrelandDependable Systems Group
{list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(At,it,nil)} copylist(it; jt); {R ∗ list(At,it,nil)* list(At,jt,nil)} j := cons(ih, jt) end if end copylist{list(A,i,nil) * list(A,j,nil)}
{ A∃ h,At.([Ah|At]=A) (i∧ h=Ah) (i i∧ ↦ h,it)∗ list(At,it,nil)}
copylist(it; jt);
{∃Ah,At.([Ah|
At]=A)∧(ih=Ah)∧(i↦ih,it)∗ list(At,it,nil) list(A∗ t,jt,nil)}
Frame Axiom Discovery
© Andrew IrelandDependable Systems Group
{list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(At,it,nil)} copylist(it; jt); {R ∗ list(At,it,nil)* list(At,jt,nil} j := cons(ih, jt) end if end copylist{list(A,i,nil) * list(A,j,nil)}
{ A∃ h,At.([Ah|At]=A) (i∧ h=Ah)∧(i↦ih,it) ∗list(At,it,nil)}
copylist(it; jt);
{∃Ah,At.([Ah|
At]=A)∧(ih=Ah)∧(i↦ih,it)∗ list(At,it,nil) list(A∗ t,jt,nil)}
shape
Frame Axiom Discovery
© Andrew IrelandDependable Systems Group
{list(A,i,nil)} procedure copylist(i; j) is if i = nil then j := i else newvar ih, it, jt in ih := [i]; it := [i+1]; {R ∗ list(At,it,nil)} copylist(it; jt); {R ∗ list(At,it,nil)* list(At,jt,nil} j := cons(ih, jt) end if end copylist{list(A,i,nil) * list(A,j,nil)}
{ A∃ h,At.([Ah|At]=A) (i∧ h=Ah) (i∧ ↦ih,it) ∗list(At,it,nil)}
copylist(it; jt);
{∃Ah,At.([Ah|
At]=A)∧(ih=Ah)∧(i↦ih,it)∗ list(At,it,nil) list(A∗ t,jt,nil)}
content
Frame Axiom Discovery
© Andrew IrelandDependable Systems Group
{∃A. list(A,i,nil)∧ Ainit= A} j := nil;{R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop{∃B.list(B,j,nil)∧ rev(Ainit)= B)}
Loop Invariant Discovery
R:{∃A,B.list(A,i,nil)*list(B,j,nil)∧ rev(Ainit)=app(rev(A),B)}
© Andrew IrelandDependable Systems Group
{∃A. list(A,i)∧ Ainit= A} j := nil;{R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop{∃B.list(B,j,nil)∧ rev(Ainit)= B)}
R:{∃A,B.list(A,i,nil)*list(B,j,nil)∧ rev(Ainit)=app(rev(A),B)}
Loop Invariant Discovery
shape
© Andrew IrelandDependable Systems Group
{∃A. list(A,i)∧ Ainit= A} j := nil;{R} while not(i = nil) loop k := [i+1]; [i+1] := j; j := i; i := k end loop{∃B.list(B,j,nil)∧ rev(Ainit)= B)}
R:{∃A,B.list(A,i,nil)*list(B,j,nil)∧ rev(Ainit)=app(rev(A),B)}
Loop Invariant Discovery
content
© Andrew IrelandDependable Systems Group
{∃A,B. list(A,x,nil)* list(B,y,nil)∧ A = Ainit ∧ B = Binit} if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y;{∃C.list(C,x,nil)∧ C = app(Ainit,Binit)}
Inductive Lemma Discovery
list(X,V,W)*list(Y,W,nil)↔ list(app(X,Y),V,nil)
© Andrew IrelandDependable Systems Group
{∃A,B. list(A,x,nil)* list(B,y,nil)∧ A = Ainit ∧ B = Binit} if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y;{∃C.list(C,x,nil)∧ C = app(Ainit,Binit)}
Inductive Lemma Discovery
list(V,W,X)*list(Y,Z,nil)↔ list(app(V,Y),W,nil)
shape
© Andrew IrelandDependable Systems Group
{∃A,B. list(A,x,nil)* list(B,y,nil)∧ A = Ainit ∧ B = Binit} if (x = 0) then x := y; else t:= x; u:= [t+1]; {R} while not(u = nil) loop t:= u;u:= [t+1]; end loop; [t+1]:= y;{∃C.list(C,x,nil)∧ C = app(Ainit,Binit)}
Inductive Lemma Discovery
list(V,W,X)*list(Y,Z,nil)↔ list(app(V,Y),W,nil)
content
© Andrew IrelandDependable Systems Group
Cooperative Approach
• Build upon the Smallfoot family of program analysis tools, i.e. use SmallfootRG to generate shape invariants (Matthew Parkinson)
• Adapt and extend existing proof plans for use within separation logic, in particular the proof patching capabilities
Specification = shape + content
© Andrew IrelandDependable Systems Group
Symbolic Execution Proof Planning
shape invariants
• content invariants• soundness• extensibility
Compensating for Weaknesses?
© Andrew IrelandDependable Systems Group
Conclusion
• Proof planning is a powerful technique for exploiting common patterns of reasoning, i.e.– searching for proofs and – analyzing & patching failed-proofs
• Proof planning provides a natural level for combining multiple reasoning processes, e.g. reasoning about shape and content
• Separation logic provides opportunities and challenges for automated reasoning and program analysis