Bill J. Ellis(bill@macs.hw.ac.uk)

Dependable Systems Group

Heriot-Watt University

(Project page: http://www.macs.hw.ac.uk/~air/clamspark/)

Proving Exception Freedom within High Integrity Software

Systems

Overview

• High integrity software• Proving exception freedom in SPARK• Property discovery

– Abstract interpretation– Recurrence relations– Interval arithmetic

• Proofs• Conclusions

High Integrity Software

• Software standards encourage or enforce proof for high integrity software:

– MOD 00-55: requirements for the procurement of safety critical software in defence equipment.

• Formal methods and proof mandatory

– ITSEC: Information technology security evaluation criteria• Formal methods mandatory

Praxis and SPARK

• SPARK is developed by Praxis Critical Systems for building high integrity software:– Formally defined safe subset of Ada– Information and data flow static analysis– Supports proofs of:

• Partial correctness• Exception freedom (No run time errors)

• SPARK is used in industry:– BAE prove exception freedom (Unnamed project)– Praxis completed SHOLLIS and MULTOS CA– Many more...

SPARK Proof In Industry

• Partial correctness (Rare):

– User supplied specification

– Proofs usually deep

– Very limited automation

• Exception freedom (Increasingly common):

– Automatic specification

– Proofs usually shallow

– Good (90%) automation via Praxis Simplifier

– Remaining 10% may number in the thousands...

Exception Freedom in SPARK

• Storage_Error (Static memory requirement)

• Program_Error

• Tasking_Error

• Constraint_Error (Some can occur in SPARK)– Access_Check – Discriminant_Check – Tag_Check – Division_Check – Index_Check – Range_Check – Overflow_Check

Proving exception freedom in SPARK

isproving variables stay

within legal bounds

Example Codesubtype Index is Integer range 0 .. 9;type D is array (Index) of Integer;R:=0;For I in Index loop if D(I) >= 0 and D(I) <= 100 then R := R + D(I); end if;end loop;

Example Code(Exception Freedom Checks)

subtype Index is Integer range 0 .. 9;type D is array (Index) of Integer;--#check 0>=-32768 and 0<=32767;R:=0;For I in Index loop--#invariant I>=0 and I<=9 and--#forall J in 0..9 D(J)>=-32768 and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then --#check I>=0 and I<=9; --#check R+D(I)>=-32768 and R+D(I)<=32767; R := R + D(I); end if;end loop;

Exception Freedom VCs

Pre-condition

Post-condition

Invariant

Prove properties hold between between cut

points

Check

Check...

Check

Check...

Check

Check... Prove exception freedom

VCs using properties

Proof Strategy

Prove Exception Freedom VCs

Discover properties(Typically invariants)

Prove properties

FailTry

proof again

Success!

Abstract Interpretation (AI)

• Evaluate a program, replacing concrete variables with abstract values. – Concrete integer variable: -32768 to +32767

– An abstract integer variable: {-,0,+}.

• Abstract interpretation provides a framework to reason about programs in the abstract.

Example (AI Flowchart)

I:=I+1

Invariant N

Pre-condition R:=0 I:=0

R:=R+D(I)

D(I) 0 andD(I) 100

I=9Post-

condition

Loop junction

nodeSimple

junction node

Normalised form of a SPARK for

loop

Recurrence Relations

• Fibonacci sequence: 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144..– Recurrence relation: A0=0, A1=1, An=A(n-1) +A(n-2)

• Liner recurrence relations with constant coefficients (LRRCs):

– An=c1*A(n-1)+…+ck*A(n-k)+f(n)

• n k

• Only use first powers of previous terms (A(n-1)^1)

• Coefficients ck are constants

• f(n) is a function

• Can automatically solve LRRCs (and a few other special cases) using:

– Mathematica

– The Parma University's Recurrence Relation Solver (PURRS)

Interval Arithmetic/Algebra

• A theory for reasoning about bounds.

• Bounds on x: x1 and x 5

– Interval: X=[1, 5], lower: X=1, upper: X=5

• Operations are defined on intervals:

– X+Y = [X+Y, X+Y]

– X-Y = [X-Y, X-Y]

• Example:– [0, 2] + [-4, 6] = [0+(-4), 2+6] = [-4, 8]

– [0, 2] - [-4, 6] = [0-6, 2-(-4)] = [-6, 6]

Property Discovery

• Abstract interpretation:– Focus on bounds of variables and arrays.

• Discover and propagate bounds:– Using code semantics. (Of assignment, test, …)

– Exploit semantics of exception freedom.

– Use interval algebra and proof planning.

• Loop junction nodes (Invariant discovery):– Exploit recurrence relation solvers.

– Replace ‘n’ with program variables.

Example (Variable R)

I:=I+1

Invariant N

Pre-condition R:=0 I:=0

R:=R+D(I)

D(I) 0 andD(I) 100

I=9

Post-condition

R:[min(R), max(R)]

R :[0,0]

D[0,0]:[0, 100]

R:[(R (n-1))+(D(0)), ((R (n-1)) +(D(0))]

R:[(R (n-1))+0, ((R (n-1)) +100]

R:[(R (n-1))+(D(I)), ((R (n-1)) +(D(I))]

R:merge([(R (n-1))+0, (R (n-1)) +100], [0, 0])

Example (Variable R)

Solve lower: Rn = R (n-1)+0Rn=R0 0

R:merge([(R (n-1))+0, (R (n-1)) +100], [0, 0])

R :[0, 0]

Returning from first iteration

Arriving at the loop

Starting second iteration...

Solve upper: Rn = R (n-1)+100Rn=R0 + 100*n 0 + 100*n 100*n

R:merge([0, 100*n], [0, 0])

R:[0, 100*n]

Invariant Discovery (Eliminate n)

Express n in terms of I:I=n n=I

Substitute n for I in R:R:[0, 100*I]

Properties for R

R 0 and R 100*I

R:[0, 100*n]

I:[n,n] |{exit([min(I), 9]) or exit([10, max(I)])}

Properties for I

I 0 and I 9

Some details...

Stabilised abstract values for R and I at the

invariant

Invariant N

Example (Discovered invariant)subtype Index is Integer range 0 .. 9;type D is array (Index) of Integer;--#check 0>=-32768 and 0<=32767;R:=0;For I in Index loop--#invariant I>=0 and I<=9 and R>=0 and R<=100*I and--#forall J in 0..9 D(J)>=-32768 and D(J)<=32767; --#check I>=0 and I<=9; if D(I) >= 0 and D(I) <= 100 then --#check R+D(I)>=-32768 and R+D(I)<=32767; --#I>=0 and I<=9; R := R + D(I); end if;end loop;

And the proofs?

• Invariant property VCs:– Rippling reduces VC to a residue

• Prove residue using proof planning

• Exception freedom VCs:– Middle-out reasoning?– ‘Look ahead’ using interval algebra?

NuSPADE

Implementation (Underway…)

Light weight SPARK Parser

Subprogram Spider

VCs

SPARK code

Rule files

Proof Planne

r

SPARK structure

Subprogram Details

Method:Rippling

Method:Abstracting to bounds

Praxis ExaminerAdd new properties to code

Proof scriptsCLAM

Related Work

• RUNCHECK (Steven M. German) (1981)– Proves exception freedom VCs for Pascal

– Uses a few rewrite rules (7) to solve recurrence relations as a final stage

– Does not exploit program context

– Limited treatment of arrays (Considered array initialisation)

• Abstract Interpretation (Patrick Cousot, Radhia Cousot) (1976)– Is algorithmic and always generates correct results

– Good automatic linear property generation for programs with linear assignments and no arrays

– Used for compiler optimisation, exception detection, program documentation, program visualisation...

Conclusions

Abstract Interpretation (Framework) +

Interval Algebra (Theory) +

Recurrence Relations (Off the shelf tools) +

Proof Planning (Light reasoning) =

Property generation for exception freedom

Properties +

Rippling (For invariants) +

Proof Planning (Suitable methods) =

Automated exception freedom proof

Note: Is not complete -- Can fail!

EOF