Bill J. Ellis - PowerPoint PPT Presentation
1
Proving Exception Freedom within High Integrity Software Systems
  • Bill J. Ellis
  • (bill_at_macs.hw.ac.uk)
  • Dependable Systems Group
  • Heriot-Watt University
  • (Project page: http://www.macs.hw.ac.uk/air/clamspark/)

2
Overview
  • High integrity software
  • Proving exception freedom in SPARK
  • Property discovery
  • Abstract interpretation
  • Recurrence relations
  • Interval arithmetic
  • Proofs
  • Conclusions

3
High Integrity Software
  • Software standards encourage or enforce proof for high integrity software
  • MOD 00-55: requirements for the procurement of safety critical software in defence equipment.
      • Formal methods and proof mandatory
  • ITSEC: Information technology security evaluation criteria
      • Formal methods mandatory

4
Praxis and SPARK
  • SPARK is developed by Praxis Critical Systems for building high integrity software
  • Formally defined safe subset of Ada
  • Information and data flow static analysis
  • Supports proofs of
      • Partial correctness
      • Exception freedom (No run time errors)
  • SPARK is used in industry
      • BAE prove exception freedom (Unnamed project)
      • Praxis completed SHOLLIS and MULTOS CA
      • Many more...

5
SPARK Proof In Industry
  • Partial correctness (Rare)
      • User supplied specification
      • Proofs usually deep
      • Very limited automation
  • Exception freedom (Increasingly common)
      • Automatic specification
      • Proofs usually shallow
      • Good (90%) automation via the Praxis Simplifier
      • The remaining 10% may number in the thousands...

6
Exception Freedom in SPARK
  • Storage_Error (Static memory requirement)
  • Program_Error
  • Tasking_Error
  • Constraint_Error (Some can occur in SPARK)
      • Access_Check
      • Discriminant_Check
      • Tag_Check
      • Division_Check
      • Index_Check
      • Range_Check
      • Overflow_Check

Proving exception freedom in SPARK is proving variables stay within legal bounds
7
Example Code
  subtype Index is Integer range 0 .. 9;
  type D is array (Index) of Integer;   -- the slides use D for both the array type and the array
  R := 0;
  for I in Index loop
     if D(I) > 0 and D(I) < 100 then
        R := R + D(I);
     end if;
  end loop;
8
Example Code (Exception Freedom Checks)
  subtype Index is Integer range 0 .. 9;
  type D is array (Index) of Integer;
  --check 0 >= -32768 and 0 <= 32767
  R := 0;
  for I in Index loop
     --invariant I >= 0 and I <= 9 and
     --  forall J in 0..9: D(J) >= -32768 and D(J) <= 32767
     --check I >= 0 and I <= 9
     if D(I) > 0 and D(I) < 100 then
        --check I >= 0 and I <= 9
        --check R + D(I) >= -32768 and R + D(I) <= 32767
        R := R + D(I);
     end if;
  end loop;
9
Exception Freedom VCs
10
Proof Strategy (flowchart)
  Prove Exception Freedom VCs
    → Success!
    → Fail → Discover properties (Typically invariants) → Prove properties → Try proof again
11
Abstract Interpretation (AI)
  • Evaluate a program, replacing concrete variables with abstract values.
      • Concrete integer variable: -32768 to 32767
      • An abstract integer variable: {−, 0, +}
  • Abstract interpretation provides a framework to reason about programs in the abstract.

12
Example (AI Flowchart)
  Normalised form of a SPARK for loop, as a flowchart (nodes in order):
  Pre-condition
  R := 0
  I := 0
  Invariant N  (loop junction node)
  D(I) > 0 and D(I) < 100
  R := R + D(I)
  (simple junction node: both branches of the if rejoin here)
  I := I + 1  (back to the loop junction node)
  exit when I = 9
  Post-condition
13
Recurrence Relations
  • Fibonacci sequence 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144...
  • Recurrence relation: A0 = 0, A1 = 1, An = A(n-1) + A(n-2)
  • Linear recurrence relations with constant coefficients (LRRCs)
      • An = c1·A(n-1) + ... + ck·A(n-k) + f(n)
      • n ≥ k
      • Only use first powers of previous terms (A(n-1)^1)
      • Coefficients ck are constants
      • f(n) is a function
  • Can automatically solve LRRCs (and a few other special cases) using
      • Mathematica
      • The Parma University's Recurrence Relation Solver (PURRS)

14
Interval Arithmetic/Algebra
  • A theory for reasoning about bounds.
  • Bounds on x: x ≥ 1 and x ≤ 5
  • Interval X = [1, 5]; lower X↓ = 1, upper X↑ = 5
  • Operations are defined on intervals
      • X + Y = [X↓ + Y↓, X↑ + Y↑]
      • X − Y = [X↓ − Y↑, X↑ − Y↓]
  • Example
      • [0, 2] + [-4, 6] = [0 + (-4), 2 + 6] = [-4, 8]
      • [0, 2] − [-4, 6] = [0 − 6, 2 − (-4)] = [-6, 6]

15
Property Discovery
  • Abstract interpretation
      • Focus on bounds of variables and arrays.
      • Discover and propagate bounds using code semantics (of assignment, test, ...).
      • Exploit semantics of exception freedom.
      • Use interval algebra and proof planning.
  • Loop junction nodes (Invariant discovery)
      • Exploit recurrence relation solvers.
      • Replace n with program variables.

16
Example (Variable R)
  Flowchart nodes, in order:
  Pre-condition
  R := 0
  I := 0
  Invariant N  (loop junction node)
  D(I) > 0 and D(I) < 100
  R := R + D(I)
  I := I + 1
  exit when I = 9
  Post-condition
  Abstract value of R after the assignment, in terms of the previous iteration (n-1):
    R ∈ [ (R(n-1))↓ + (D(0))↓ ,  (R(n-1))↑ + (D(0))↑ ]
    R ∈ [ (R(n-1))↓ + 0 ,        (R(n-1))↑ + 100 ]
17
Example (Variable R)
  Arriving at the loop:
    R ∈ [0, 0]
  Solve lower:  Rn = R(n-1) + 0,    R0 = 0  ⇒  Rn = 0
  Solve upper:  Rn = R(n-1) + 100,  R0 = 0  ⇒  Rn = 100n
  Returning from first iteration:
    R ∈ merge( [ (R(n-1))↓ + 0, (R(n-1))↑ + 100 ], [0, 0] )
    R ∈ merge( [0, 100n], [0, 0] )
    R ∈ [0, 100n]
  Starting second iteration...
18
Invariant Discovery (Eliminate n)
  Some details...
  Properties for I at Invariant N:
    I ≥ 0 and I ≤ 9
    I ∈ [n, n]
    exit(min(I), 9) or exit(10, max(I))
  Properties for R at Invariant N:
    R ∈ [0, 100n]
  Express n in terms of I:  I = n  ⇒  n = I
  Substitute I for n in R:  R ∈ [0, 100I]
  Stabilised abstract values for R and I at the invariant:
    R ≥ 0 and R ≤ 100I
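As an added example (not from the slides), the interval algebra of slide 14 and the bounds discovery of slides 15 to 18, carried out in Python for the slide-7 loop: each bound on R is a recurrence R_n = R_(n-1) + c with R_0 = 0, solved in closed form as c·n, the untaken branch of the if is merged in, n is replaced by I, and the resulting invariant R ∈ [0, 100I] is used to discharge the overflow check on R + D(I). The 16-bit Integer range and the narrowing of D(I) to [0, 100] follow the slides; the function names are my own.

```python
from dataclasses import dataclass

INT16 = (-32768, 32767)   # concrete Integer range assumed on the slides

@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int

    def __add__(self, o):    # X + Y = [X_lo + Y_lo, X_hi + Y_hi]
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):    # X - Y = [X_lo - Y_hi, X_hi - Y_lo]
        return Interval(self.lo - o.hi, self.hi - o.lo)

def solve_lrrc(r0, step):
    """R_n = R_(n-1) + step, R_0 = r0 solves to R_n = r0 + step*n;
    a bound is kept as the pair (constant, coefficient of n)."""
    return (r0, step)

def bound_at(bound, n):
    return bound[0] + bound[1] * n

def narrow_by_test(d):
    """Abstract effect of the test D(I) > 0 and D(I) < 100 on the bounds of D(I);
    the slides use the test constants 0 and 100 as the new bounds."""
    return Interval(max(d.lo, 0), min(d.hi, 100))

def loop_invariant(d, r0):
    """Bounds on R at the loop junction node, as linear functions of the
    iteration count n, for:  if D(I) > 0 and D(I) < 100 then R := R + D(I);"""
    d_taken = narrow_by_test(d)
    lo = solve_lrrc(r0.lo, d_taken.lo)        # lower: R_n = R_(n-1) + 0
    hi = solve_lrrc(r0.hi, d_taken.hi)        # upper: R_n = R_(n-1) + 100
    # the untaken branch leaves R at its entry value: merge both paths.
    # Taking min/max of constants and of n-coefficients separately is a
    # sound hull for n >= 0.
    lo = (min(lo[0], r0.lo), min(lo[1], 0))
    hi = (max(hi[0], r0.hi), max(hi[1], 0))
    return lo, hi

def exception_free(index=range(0, 10), d=Interval(*INT16)):
    """Discharge 'check R + D(I) in Integer' at every I, with n replaced by I."""
    lo, hi = loop_invariant(d, Interval(0, 0))
    for i in index:
        r = Interval(bound_at(lo, i), bound_at(hi, i))   # R in [0, 100*I]
        total = r + narrow_by_test(d)
        if total.lo < INT16[0] or total.hi > INT16[1]:
            return False      # bounds too weak: the proof attempt fails here
    return True
```

Enlarging the index range (for example to 0..399) makes the discovered upper bound 100·I exceed 32767, so the check is not discharged; this is the "can fail" case noted in the conclusions.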
19
Example (Discovered invariant)
  subtype Index is Integer range 0 .. 9;
  type D is array (Index) of Integer;
  --check 0 >= -32768 and 0 <= 32767
  R := 0;
  for I in Index loop
     --invariant I >= 0 and I <= 9 and R >= 0 and R <= 100 * I and
     --  forall J in 0..9: D(J) >= -32768 and D(J) <= 32767
     --check I >= 0 and I <= 9
     if D(I) > 0 and D(I) < 100 then
        --check R + D(I) >= -32768 and R + D(I) <= 32767
        --check I >= 0 and I <= 9
        R := R + D(I);
     end if;
  end loop;
20
And the proofs?
  • Invariant property VCs
      • Rippling reduces VC to a residue
      • Prove residue using proof planning
  • Exception freedom VCs
      • Middle-out reasoning?
      • Look ahead using interval algebra?

21
Implementation (Underway)
  Tool-chain diagram; components shown:
  • SPARK code
  • Light weight SPARK Parser
  • SPARK structure
  • NuSPADE (Subprogram Spider; Method: Abstracting to bounds)
  • Add new properties to code
  • Praxis Examiner
  • VCs
  • Rule files
  • Proof Planner (Subprogram Details; Method: Rippling)
  • Proof scripts
  • CLAM
22
Related Work
  • RUNCHECK (Steven M. German) (1981)
      • Proves exception freedom VCs for Pascal
      • Uses a few rewrite rules (7) to solve recurrence relations as a final stage
      • Does not exploit program context
      • Limited treatment of arrays (Considered array initialisation)
  • Abstract Interpretation (Patrick Cousot, Radhia Cousot) (1976)
      • Is algorithmic and always generates correct results
      • Good automatic linear property generation for programs with linear assignments and no arrays
      • Used for compiler optimisation, exception detection, program documentation, program visualisation...

23
Conclusions
  • Abstract Interpretation (Framework)
  • Interval Algebra (Theory)
  • Recurrence Relations (Off the shelf tools)
  • Proof Planning (Light reasoning)
  • Property generation for exception freedom
  • Properties
  • Rippling (For invariants)
  • Proof Planning (Suitable methods)
  • Automated exception freedom proof
  • Note: the method is not complete -- it can fail!

24
EOF