37
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh
An Integration of Program Analysis and Automated Theorem Proving
Bill J. Ellis & Andrew IrelandSchool of Mathematical & Computer Sciences
Heriot-Watt UniversityEdinburgh
Context
• Investigate the role of proof planning within the SPARK approach to high integrity software
• Funded by the EPSRC Critical Systems programme (GR/R24081) in collaboration with Praxis Critical Systems Ltd.
• www.macs.hw.ac.uk/~air/nuspade
Overview
• The SPARK approach• Program verification in SPARK• NuSPADE: Our Approach
– Proof planning
– Program analysis
– Example
• Results and future work• Conclusions
The SPARK Approach
• Developed by Praxis Critical Systems Ltd.• For high integrity software:
– Safety, security and mission critical software, e.g. SHOLIS - UK MoD Def Standard 00-55
• SPARK is a programming language:– Defined as a subset of Ada that:
• Eliminates ambiguities to make static analysis possible• Eliminates complexities to makes static analysis feasible• Can be compiled by any Ada compiler!
– Specification via code level annotations
The SPARK Tools
• Examiner:– Checks conformance to the SPARK subset
– Performs information and data flow static analysis
– Generates Verification Conditions (VCs) for both:• partial correctness (correct if program terminates)
• Exception freedom (no run time errors)
• SPADE proof tools:– SPADE Simplifier a special purpose theorem prover
– SPADE Proof Checker an interactive theorem prover
SPARKcode +
specification
Examiner
Program Verification in SPARK
Verification Conditions
SPADE Simplifier
Typically 93% of exception freedom VCs are discharged automatically following this process
Proof!
Program Verification in SPARK
But the remaining 7% still account for hundreds of VCs ...
SPARKcode +
specification
Verification Conditions
SPADE Simplifier
Remaining Verification Conditions
Examiner
Proof!
Why the Simplifier can Fail
• VC not provable:– Bug in the code– Bug in the specification
• The Simplifier is not strong enough:– Stronger invariant required– Stronger proof methods required
Program Verification in SPARK
Proof Script
SPADE Proof Checker
Strengtheninvariant
Discover proof
User intervention
User intervention
SPARKcode +
specification
Verification Conditions
Proof!SPADE Simplifier
Remaining Verification Conditions
Examiner
Proof!
NuSPADE: Our Approach
Proof Script
SPADE Proof Checker
Strengtheninvariant
Discover proof
SPARKcode +
specification
Verification Conditions
Proof!SPADE Simplifier
Remaining Verification Conditions
Examiner
Proof!Still remaining
Verification Conditions!
NuSPADE
NuSPADE
• Increase proof automation
• Integrates proof and program analysis:– Proof planner– Program analysis oracle
Proof Planning
• Use of high-level proof outlines, known as proof plans, to guide proof search
• Supports middle-out reasoning, i.e. the use of meta variables to delay choice during proof search
• Automatic proof patching via proof failure analysis, e.g. conjecture generalization, lemma discovery, induction revision, case splitting, loop invariant discovery
• Inductive and non-inductive applications
Conjectures
Proof checking:
Methods + Critics
Tactics
Theory
Proof planning:
Proof Planning
Program Analysis
• Program analysis automatically finds interesting properties about source code
• Program analysis in practice:– Flow analysis– Performance analysis– Discovering constraints on variables (Abstract
Interpretation)– Discovery code properties (invariant discovery)
NuSPADE Behaviour
Strengtheninvariant
Discover proof
SPARKcode +
specification
SPADE Proof Checker
Verification Conditions
Proof!SPADE Simplifier
Examiner
Proof!
Remaining Verification Conditions
Proof Script
Still remaining Verification Conditions!
NuSPADE
NuSPADE Behaviour
Strengtheninvariant
Discover proof
SPARKcode +
specification
Remaining Verification Conditions
Proof Script
Still remaining Verification Conditions!
NuSPADE
NuSPADE Behaviour
NuSPADE
Remaining Verification Conditions
Discover proof
Proof Script
Proof planner
NuSPADE Behaviour
NuSPADE
Remaining Verification Conditions
Inequality / general
reasoning tool
Recurrence relation solver
Strengtheninvariant
SPARK code + specification
Program analysis oracle
Proof planner
NuSPADE Behaviour
NuSPADE
Remaining Verification Conditions
Discover proof
Proof Script
Proof planner
NuSPADE Behaviour
NuSPADE
Remaining Verification Conditions
Still remaining
Verification Conditions!
No proof found
Proof planner
Examplesubtype Index is Integer range 0 .. 9;
type D_Type is array (Index) of Integer;
subtype R_Type is Integer;
…
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100 then
R:= R+D(I);
end if;
end loop;
subtype Index is Integer range 0 .. 9;
type D_Type is array (Index) of Integer;
subtype R_Type is Integer;
…
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100 then
R:= R+D(I);
end if;
end loop; Integer’first R+D(I) Integer’last
Example
• Elementary: Pre: Trivial goal
Effect: Assume provable in proof checker
• Fertilise: Pre: Part of the goal matches a hypothesis
Effect: Simplify the goal
• Decomposition: Pre: The goal has a transitive relation
Effect: Decompose the transitive relation
• Transitivity: Pre: The goal has a transitive relation and related hypotheses
Effect: Apply transitive step
Exception Freedom Proof Methods
Preconditions:there exists a conclusion of the form:Expression RelationOp Constant
For every Variablei in Expression there exists a hypothesis of the form:Variablei RelationOp Expresssioni
Transitivity Method and CriticMethod
Method applicable - apply the method!
X
Critic
Method not applicable – critic extracts hypothesis schemas and invokes program analysis oracle
100, idelement
lastintidelementr _ ,
Example: Proof FailureHypotheses:
Conclusion:
None of the methods are applicable.
However, the transitivity critic fires as:occurs in:but there is no hypothesis of the form:
r idelementr ,
upExpressionr
(Similarly the lower bound causes the critic to fire as there is no hypothesis of the form: )lowExpressionr
• Discover a property that introduces hypotheses of the form: and
• Program analysis heuristics:– Type and other immediate information– Non looping code– Looping code (Involves recurrence relations)– Exiting loops (Consider loop guards)
Example: Program Analysis
upExpressionr lowExpressionr
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
Example: Program Analysis
1 nRnR
11 nInI
11
1
nIDnRnRnRnR
1 nInI
Example: Program Analysis (Variable I)
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
11 nInI
10 nInI
nnI
Example: Program Analysis (Variable R, first disjunct)
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
1 nRnR
0RnR
0nR
Example: Program Analysis (Variable R, second disjunct)
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
01 nRnR 1001 nRnR
1000 nRnR00 nRnR
0nR
1000 nnRnR
11 nIDnRnR
100nnR
Example: Program Analysis (Variable R, combine disjuncts)
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
1000 nnRnR
1000 nnRnR
10000 nnRnRnR
0nR
Example: Program Analysis (Eliminate n)
R:=0;
For I in Index loop
if D(I) >= 0 and D(I) <= 100
then
R:= R+D(I);
end if;
end loop;
1000 nnRnRnnI
1000 nInRnR
Revised codesubtype Index is Integer range 0 .. 9;
type D_Type is array (Index) of Integer;
subtype R_Type is Integer;
…
R:=0;
For I in Index loop
--# assert R >= 0 and R <= I*100;
if D(I) >= 0 and D(I) <= 100 then
R:= R+D(I);
end if;
end loop;
100,100 idelementir
lastintidelementr _ ,
Example: Proof Planning Success
Transitivity:
lastint X Xidelementr _ 0 0 ,
lastint 2XXXidelement Xr _ 1 2 , 1 Decomposition:
Fertilise:
}/100/100{_ 100100 2,1 XXilastint i Elementary:
true
Hypotheses:
Conclusion:
Results & Future Work
• Prototype system – Demo Available!
• Integration partial
• Development corpus includes programs with simple loops and conditionals, i.e. typical style of critical software applications
• Evaluation corpus supplied by Praxis Critical Systems – evaluation phase to begin shortly
Future Work
• Strengthen recurrence relation solver and experiment with other external reasoners, e.g. inequality reasoning
• Explore program analysis as a basis for bug finding (ongoing)
• Explore program analysis as a basis for reducing VC complexity
Conclusions
• An integrated approach to software verification:– Proof planning– Program analysis oracle– Proof checking– External reasoners
• Proof planning and program analysis are generic
