The Use of Patterns to Guide Code Certification: A Proposal - PowerPoint PPT Presentation

Slides: 20
Provided by: CalumW8

Transcript and Presenter's Notes

1
The Use of Patterns to Guide Code Certification
A Proposal
  • Andrew Ireland
  • School of Mathematical Computer Sciences
  • Heriot-Watt University
  • Edinburgh

2
Outline
  • Context
  • Research hypothesis
  • Basic approach

3
Program Proof - Past
  • Foundations
      • Turing 49, Floyd 67, Hoare 69
  • Mechanization
      • King 69, Waldinger & Levitt 74, German & Wegbreit 75, Luckham et al 79, 86, Good et al 84, ...
  • Heuristics
      • Katz & Manna 73, Wegbreit 73, ...

4
Program Proof - Present
  • Debugging
      • ESC/Java, ...
  • Development
      • Perfect Developer, SPARK, ...
  • Certification
      • AutoFilter, AutoBayes, Proof Carrying Code, Compliance Toolset, ...

5
Simplified Compliance Process
(Diagram; labels only: high-level model, code generator, high-level code, VCs, Simulink, ClawZ, SPARK Ada, Systems Assurance Group, QinetiQ)
6
Hypothesis
  • Domain specific code generation tools give rise
    to common patterns of program code
  • Common program patterns give rise to common
    patterns of proof
  • Combining patterns of program and proof provides
    an effective basis for increasing the automation
    of code certification

7
Proof Patterns
(Diagram: a proof plan is made up of tactics, methods and critics. Proof planning works with methods and critics; proof checking works with tactics.)
Note: proof planning can use meta-variables to delay choice.
8
Applications of Proof Plans
  • Mathematical induction: program verification, synthesis and
    optimization; hardware verification; correction of faulty
    specifications.
  • Non-inductive proof: summing series; limit theorems.
  • Automatic proof patching: conjecture generalization, lemma
    discovery, induction revision, case splitting, loop invariant
    discovery.

9
Program Patterns
  • Bottom-up analysis, i.e. generation of properties directly from
    the program code that support proof construction
  • Extend bottom-up analysis to include the generation of properties
    that support proof search

10
NuSPADE
(Diagram; labels only: SPARK code, SPARK Examiner, VCs, meta data, Proof Planner, AutoGap, SPADE; Praxis Critical Systems)
11
Polish Flag Problem
-- pre (for all I in IndexRange => (Flag(I) = Red or Flag(I) = White))
12
Polish Flag Problem
-- pre (for all I in IndexRange => (Flag(I) = Red or Flag(I) = White))
-- post (for some P in Integer range (Flag'First) .. (Flag'Last + 1) =>
--        ((for all Q in Integer range Flag'First .. (P - 1) => (Flag(Q) = Red)) and
--         (for all R in Integer range P .. Flag'Last => (Flag(R) = White))))
(Diagram label: P)
13
Loop Invariant
(Diagram labels: Flag'First, I, J, Flag'Last)
-- assert Flag'First <= I and
--        J <= (Flag'Last + 1) and
--        I <= J and
--        (for all Q in Integer range Flag'First .. (I - 1) => (Flag(Q) = Red)) and
--        (for all R in Integer range J .. Flag'Last => (Flag(R) = White))
14
Bottom-Up Analysis
  • Program properties
      • Flag'First <= I, J <= (Flag'Last + 1), I <= J
  • Meta-data
      • index_var(Flag, I), index_var(Flag, J)
      • mono_inc(I), mono_dec(J)
      • partition(Flag, Flag'First, I)
      • partition(Flag, J, Flag'First)

15
Loop Invariant
-- assert Flag'First <= I and
--        J <= (Flag'Last + 1) and
--        I <= J and
--        (for all Q in Integer range Flag'First .. (P - 1) => (Flag(Q) = Red)) and
--        (for all R in Integer range P .. Flag'Last => (Flag(R) = White))
16
Loop Invariant
-- assert Flag'First <= I and
--        J <= (Flag'Last + 1) and
--        I <= J and
--        (for all Q in Integer range Flag'First .. (P - 1) => (Flag(Q) = Red)) and
--        (for all R in Integer range P .. Flag'Last => (Flag(R) = White))
Bottom-up analysis (program properties, first three conjuncts)
Top-down analysis (schematic invariant, quantified conjuncts)
Note: P and P denote meta-variables.
17
Proof Planning Failure
(Diagram: proof state with Given and Goal)
18
Proof Patching
  • Proof pattern: instantiate (lower bound of r) such that difference
    reduction is applicable
  • Program pattern: exploit properties of array partitions within the
    program to constrain the search for an appropriate , i.e. becomes j
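A runtime illustration of slides 11 to 18, added here and not part of the original presentation. It is a Python rendering of the Polish Flag partition (0-based indices; `first` and `last` stand in for Flag'First and Flag'Last), which records the loop state at every iteration, checks the pre-condition, post-condition and the slide-13 invariant on a constructed input, derives the mono_inc(I)/mono_dec(J) meta-data from the trace, and then searches the instantiations of the schematic invariant's meta-variables (P and P') among the index variables I and J, the search that slide 18 says the program pattern constrains. All function names are my own, not the NuSPADE tool's.

```python
"""Added example: runtime checking of the Polish Flag annotations and a
meta-data-guided instantiation of the schematic loop invariant."""
from itertools import product

RED, WHITE = "Red", "White"


def polish_flag(flag):
    """Partition FLAG in place so that every Red precedes every White.
    Returns (p, trace): p witnesses the post-condition's 'for some P';
    trace lists the (i, j, copy of flag) states seen at the loop head."""
    first, last = 0, len(flag) - 1              # Flag'First, Flag'Last (0-based)
    assert all(x in (RED, WHITE) for x in flag), "pre-condition violated"
    i, j = first, last + 1                      # empty red prefix, empty white suffix
    trace = [(i, j, list(flag))]
    while i < j:
        if flag[i] == RED:
            i += 1                              # extend the red prefix
        else:
            j -= 1                              # extend the white suffix by swapping
            flag[i], flag[j] = flag[j], flag[i]  # the white element into it
        trace.append((i, j, list(flag)))
    return i, trace


def invariant(flag, first, last, i, j, p, p2):
    """Schematic invariant of slides 15/16 with the quantifier bounds as
    parameters; p = i and p2 = j gives the concrete invariant of slide 13."""
    return (first <= i and j <= last + 1 and i <= j
            and all(flag[q] == RED for q in range(first, p))      # Flag'First .. P-1
            and all(flag[r] == WHITE for r in range(p2, last + 1)))  # P' .. Flag'Last


def postcondition(flag, p):
    """Slide 12 post-condition, with P instantiated to the returned witness."""
    first, last = 0, len(flag) - 1
    return (first <= p <= last + 1
            and all(flag[q] == RED for q in range(first, p))
            and all(flag[r] == WHITE for r in range(p, last + 1)))


def bottom_up_properties(trace):
    """Meta-data a bottom-up analysis would emit for the loop: mono_inc(I)
    and mono_dec(J), checked here against the recorded trace."""
    return all(i0 <= i1 and j0 >= j1
               for (i0, j0, _), (i1, j1, _) in zip(trace, trace[1:]))


def instantiate(trace, first, last):
    """Slide 18 search: index_var(Flag, I) and index_var(Flag, J) make I and J
    the only candidates for the meta-variables; keep the pairs under which the
    schematic invariant holds at every recorded loop-head state."""
    found = []
    for p_name, p2_name in product(("I", "J"), repeat=2):
        if all(invariant(f, first, last, i, j,
                         {"I": i, "J": j}[p_name], {"I": i, "J": j}[p2_name])
               for i, j, f in trace):
            found.append((p_name, p2_name))
    return found


if __name__ == "__main__":
    sample = [WHITE, RED, WHITE, RED, RED, WHITE]   # constructed input
    p, trace = polish_flag(sample)
    assert postcondition(sample, p) and bottom_up_properties(trace)
    print(sample, "P =", p, "instantiations:", instantiate(trace, 0, len(sample) - 1))
```

On the constructed input only the pair (P, P') = (I, J) survives the search; on an all-white input (I, I) also holds, which is the sort of under-determined case where the array-partition meta-data, rather than the trace alone, is what pins the instantiation down.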
19
Proposal Summary
  • Develop proof automation for domain specific code
    certification
  • Focus on commercial code generators
  • Extend proof planning to support program patterns
    (or model patterns?)
  • Exploit and extend early work on bottom-up
    analysis