Increasing Automation for Exception Freedom Proofs - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Increasing Automation for Exception Freedom Proofs


1
Increasing Automation for Exception Freedom Proofs
  • Andrew Ireland
  • School of Mathematical and Computer Sciences
  • Heriot-Watt University
  • Edinburgh

2
Context
  • Investigate the role of proof planning within the
    SPARK approach to high integrity software
  • Funded by the EPSRC Critical Systems programme
    (GR/R24081) in collaboration with Praxis Critical
    Systems
  • Bill Ellis (Research Associate)

3
Outline
  • Current limits of proof automation
  • More code level analysis
  • Proof planning perspective
  • Future work
  • Demo partial implementation

4
Example
    subtype Index is Integer range 0 .. 9;
    type D_Type is array (Index) of Integer;
    R := 0;
    for I in Index loop
      if D(I) >= 0 and D(I) <= 100 then
        R := R + D(I);
      end if;
    end loop;
5
Example
(same code as slide 4; the run-time check on the addition is highlighted)
    integer_first <= R + D(I) <= integer_last ?
6
Run-Time Check VC
    H2:  for_all(i___1 : integer, ((i___1 >= index_type__first) and
           (i___1 <= index_type__last)) -> ((element(d, i___1) >= integer__first)
           and (element(d, i___1) <= integer__last))) .
    H7:  loop__1__i >= index_type__first .
    H8:  loop__1__i <= index_type__last .
    H9:  element(d, loop__1__i) >= 0 .
    H10: element(d, loop__1__i) <= 100 .
         ->
    C1:  r + element(d, loop__1__i) >= integer__first .
    C2:  r + element(d, loop__1__i) <= integer__last .
Problem: missing hypotheses R >= ? and R <= ?
7
Problem Solving
  • User identifies the need for a loop invariant
  • User generates an appropriate loop invariant
  • User constructs proofs for the loop invariant and
    run-time check VCs via the SPADE Proof Checker

8
Our Approach
  • Proof planning identifies the need for a loop
    invariant
  • Code level analysis generates an appropriate loop
    invariant
  • Proof planning constructs proofs for the loop
    invariant and run-time check VCs, i.e. proof
    planning generates a SPADE tactic

9-13
Loop Invariant Discovery
(pipeline diagram, built up one stage per slide over slides 9 to 13)
  • SPARK
  • proof failure analysis
  • construct extreme recurrence relations for each
    variable on Nth iteration
  • solve recurrence relations
  • combine solutions to eliminate N
  • SPARK invariants
Construct Recurrence Relations
(the loop of slide 4; the recurrence relations shown on the slide are not in the transcript)
15
Extreme Recurrence Relations
  • specialization is guided by interval information
  • interval information gathered via abstract
    interpretation and interval analysis

16
Solve Recurrence Relations
  • Focus on linear recurrence relations where
    coefficients are constant, and ... is optional
  • Off the shelf solvers available, e.g.
    Mathematica, PURRS (Parma University)

17
Solve Recurrence Relations
(solutions shown as formulas on the slide; not in the transcript)
18
Combine Solutions
Eliminate N from the solutions to the recurrence
relations, giving:
    R >= 0 and R <= I * 100
19
Revised Code
    subtype Index is Integer range 0 .. 9;
    type D_Type is array (Index) of Integer;
    R := 0;
    for I in Index loop
      --# assert R >= 0 and R <= I * 100;
      if D(I) >= 0 and D(I) <= 100 then
        R := R + D(I);
      end if;
    end loop;
20
Revised RTC VC
    H1:  r >= 0 .
    H2:  r <= loop__1__i * 100 .
    H3:  for_all(i___1 : integer, ((i___1 >= index_type__first) and
           (i___1 <= index_type__last)) -> ((element(d, i___1) >= integer__first)
           and (element(d, i___1) <= integer__last))) .
    H8:  loop__1__i >= index_type__first .
    H9:  loop__1__i <= index_type__last .
    H10: element(d, loop__1__i) >= 0 .
    H11: element(d, loop__1__i) <= 100 .
         ->
    C1:  r + element(d, loop__1__i) >= integer__first .
    C2:  r + element(d, loop__1__i) <= integer__last .
21
Revised Loop Invariant VC (branch taken)
    H1:  r >= 0 .
    H2:  r <= loop__1__i * 100 .
    H10: element(d, loop__1__i) >= 0 .
    H11: element(d, loop__1__i) <= 100 .
         ->
    C1:  r + element(d, loop__1__i) >= 0 .
    C2:  r + element(d, loop__1__i) <= (loop__1__i + 1) * 100 .
22
Revised Loop Invariant VC (branch not taken)
    H1:  r >= 0 .
    H2:  r <= loop__1__i * 100 .
    H10: not((element(d, loop__1__i) >= 0) and
             (element(d, loop__1__i) <= 100)) .
         ->
    C1:  r >= 0 .
    C2:  r <= (loop__1__i + 1) * 100 .
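A worked version of the discovery pipeline (slides 9 to 18) and of the VC checks (slides 20 to 22), added here as an example; it is not code from the talk or from NuSPADE. It models the guarded accumulation loop, forms the two extreme recurrences, solves them, eliminates N, and then exhaustively checks the run-time check and both invariant-preservation VCs on the finite domain. The GuardedSum model, its field names and the 32-bit Integer bounds used in the test are assumptions (Python 3.9+).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GuardedSum:
    """Constructed model of the slide's loop:  R := 0; for I in Index loop
         if D(I) >= guard_lo and D(I) <= guard_hi then R := R + D(I); end if; end loop;
    guard_lo/guard_hi are the interval that interval analysis attaches to D(I) inside
    the guarded branch ([0, 100] for the page's loop)."""
    index_first: int
    index_last: int
    guard_lo: int
    guard_hi: int
    r_init: int = 0

def extreme_recurrences(loop: GuardedSum) -> tuple[int, int]:
    """Extreme recurrences for R on the Nth iteration, R(N+1) = R(N) + c, returned as
    (c_min, c_max): the branch is either skipped (c = 0) or adds an interval extreme."""
    return min(0, loop.guard_lo), max(0, loop.guard_hi)

def solve(r0: int, c: int):
    """Closed-form solution of the linear recurrence R(N+1) = R(N) + c, R(0) = r0."""
    return lambda n: r0 + c * n

def invariant(loop: GuardedSum):
    """Combine both solutions and eliminate N via N = I - Index'First, giving the
    predicate lo(N) <= R <= hi(N)  (R >= 0 and R <= I * 100 for the page's loop)."""
    c_min, c_max = extreme_recurrences(loop)
    lo, hi = solve(loop.r_init, c_min), solve(loop.r_init, c_max)
    return lambda r, i: lo(i - loop.index_first) <= r <= hi(i - loop.index_first)

def rtc_without_invariant(loop: GuardedSum, int_first: int, int_last: int) -> bool:
    """Slide 6: knowing only integer__first <= r <= integer__last, is r + D(I) in range?"""
    return (int_first + min(0, loop.guard_lo) >= int_first
            and int_last + max(0, loop.guard_hi) <= int_last)

def check_vcs(loop: GuardedSum, int_first: int, int_last: int) -> dict[str, bool]:
    """Exhaustively check the three VCs of slides 20-22 under the discovered invariant:
    the run-time check, and invariant preservation for the taken and skipped branch."""
    inv = invariant(loop)
    c_min, c_max = extreme_recurrences(loop)
    ok = {"rtc": True, "inv_taken": True, "inv_skipped": True}
    for i in range(loop.index_first, loop.index_last + 1):
        n = i - loop.index_first
        for r in range(loop.r_init + c_min * n, loop.r_init + c_max * n + 1):  # H1, H2
            ok["inv_skipped"] &= inv(r, i + 1)                                 # slide 22
            for e in range(loop.guard_lo, loop.guard_hi + 1):                  # H10, H11
                ok["rtc"] &= int_first <= r + e <= int_last                    # C1, C2
                ok["inv_taken"] &= inv(r + e, i + 1)                           # slide 21
    return ok
```

For the page's loop, rtc_without_invariant reports the slide 6 failure (r is unbounded), while check_vcs with the discovered invariant discharges all three VCs.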
23
Proof Planning
(diagram: a proof plan is built by proof planning, which uses methods and
critics; proof checking then runs the resulting tactics)
Note: proof planning can use meta-variables to delay choice
24
Proof Planning RTC VC
(slides 24 to 28 each show a Given and a Goal as formulas, not in the
transcript; the methods applied in sequence are:)
  • Method: trans
  • Method: decomp
  • Method: fertilize
  • Method: isolate
  • Method: elementary
29
Preconditions for trans Method
  • there exists a conclusion of the form E1 Rel C
  • for all variables Vi that occur within E1 there
    exists a hypothesis of the form Vi Rel Ei
  • where E ranges over expressions, C ranges over
    constants and Rel denotes a transitive relation

30
Productive Use Of Failure
  • there exists a conclusion of the form E1 Rel C
  • for all variables Vi that occur within E1 there
    exists a hypothesis of the form Vi Rel Ei
    X  (this precondition fails for the RTC VC of
    slide 6: there is no hypothesis bounding r)

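The trans method's preconditions (slides 29 and 30) as a checker over a small constructed clause syntax, added here as an example; it is not the NuSPADE implementation. Treating each top-level "+" term of E1 as one of its "variables" Vi, the hypothesis strings and the constant set are assumptions; the checker reports the missing hypotheses, which is the failure the talk turns into the need for a loop invariant.

```python
import re
from typing import List, Tuple

Clause = Tuple[str, str, str]              # (lhs, relation, rhs)
REL_SPLIT = re.compile(r"\s*(<=|>=)\s*")   # transitive relations used in the VCs

def parse(clause: str) -> Clause:
    """'r + element(d, loop__1__i) >= integer__first' -> (lhs, '>=', rhs)."""
    lhs, rel, rhs = REL_SPLIT.split(clause.strip(), maxsplit=1)
    return lhs.strip(), rel, rhs.strip()

def top_level_terms(expr: str) -> List[str]:
    """Split on '+' outside parentheses; each term plays the role of a variable Vi
    of E1, so element(d, loop__1__i) is one term (as bounded by H10/H11)."""
    terms, depth, cur = [], 0, ""
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if ch == "+" and depth == 0:
            terms.append(cur.strip())
            cur = ""
        else:
            cur += ch
    terms.append(cur.strip())
    return terms

def trans_preconditions(hyps: List[str], concl: str, constants: set) -> Tuple[bool, List[str]]:
    """Check the trans method's preconditions (slide 29) against one conclusion.
    Returns (ok, missing): missing lists the terms of E1 with no hypothesis 'Vi Rel Ei'
    for the conclusion's relation; a non-empty list is the failure a critic can act on."""
    e1, rel, c = parse(concl)
    if c not in constants:                 # conclusion must have the form E1 Rel C
        return False, []
    parsed = [parse(h) for h in hyps]
    missing = [t for t in top_level_terms(e1)
               if not any(v == t and r == rel for v, r, _ in parsed)]
    return not missing, missing

# Constructed VCs mirroring slides 6 and 20 (the quantified H2/H3 is omitted: it does
# not have the 'Vi Rel Ei' shape and plays no part in the trans method).
CONSTANTS = {"integer__first", "integer__last", "0", "100"}
HYPS_NO_INVARIANT = ["loop__1__i >= index_type__first", "loop__1__i <= index_type__last",
                     "element(d, loop__1__i) >= 0", "element(d, loop__1__i) <= 100"]
HYPS_WITH_INVARIANT = ["r >= 0", "r <= loop__1__i * 100"] + HYPS_NO_INVARIANT
C1 = "r + element(d, loop__1__i) >= integer__first"
C2 = "r + element(d, loop__1__i) <= integer__last"

if __name__ == "__main__":
    for hyps in (HYPS_NO_INVARIANT, HYPS_WITH_INVARIANT):
        for c in (C1, C2):
            print(c, "->", trans_preconditions(hyps, c, CONSTANTS))
```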
31
NuSPADE Architecture
(architecture diagram; components: user, SPADE-PP, SPADE-PC; artefacts:
conjectures, VCs, proofs, tactics, theory)
32
What Next?
  • Continue implementation within NuSPADE
  • Use industrial strength applications to guide
    ongoing development of heuristics for loop
    invariant discovery
  • Investigate automatic debugging potential, e.g.
    use interval analysis to detect potential
    run-time defects
  • Comparisons: Polyspace, MERLE, ...

33
Summary
  • Recurrence relations and abstract interpretation
    (interval analysis) provide the basis for loop
    invariant discovery
  • Proof planning identifies the need for loop
    invariants and guides proof search
  • The combined approach increases automation for
    exception freedom proofs