Management of Change in Structured Verification

Dieter Hutter
German Research Center for Artificial Intelligence
Stuhlsatzenhausweg 3, D-66213 Saarbrücken

Abstract

The use of formal methods in large complex applications implies the need for an evolutionary formal program development in which specification and verification phases are interleaved. But any change of a specification, either by adding new parts or by changing erroneous parts, affects existing verification work in a subtle way. In this paper we present a truth maintenance system for structured specification and verification. It is based on the simple but powerful notion of a development graph as the underlying data structure to represent the actual consistent state of a formal development. Based on this notion we try to minimize the consequences which changes have on existing verification work.

1. Introduction

The application of formal methods in an industrial setting results in an increased complexity of the specification and the corresponding verification. It comprises on the one hand different layers of specifications reflecting the iterated process of refining the requirement specification towards an implementation. On the other hand, each layer is divided into different units representing different modules of the program under construction. From a practical point of view we cannot assume that any formal program development can be done in a strictly top-down manner, developing one layer after the other. In a realistic scenario, the development is done simultaneously on various layers, intertwining specification and verification phases. Failed attempts to establish proof obligations uncover errors in the specification, giving rise to changes of already existing parts of the specification and thus rendering existing proofs invalid. In realistic applications such changes can invalidate days or even weeks of proof work, and it is indispensable to restrict the effects of these changes to a minimum.

In this paper we present a structured, logical data base for structured specifications. This data base, which we call a development graph, is independent of a specific specification language and serves as the underlying data base of the deduction system INKA 5.0 [1]. Besides the already mentioned structured specification it contains information about speculated properties between different theories (or speculated properties of a particular theory) and, in case they have been proven, the related proofs. The development graph can only be changed by a limited set of basic operations which automatically keep track of the validity of the stored properties and proofs. Using logical relations between theories we can minimize the effort which has to be spent on reproving properties whose proofs have been invalidated by changing the data base. Hence, the purpose of the development graph is twofold. On the one hand it is like a truth maintenance system for structured specification which makes use of an underlying theorem prover (INKA) to validate postulated properties. On the other hand, this development graph is also an underlying data base on which a theorem prover can operate.

2. Formal Preliminaries

To introduce the formal notion of a development graph, we start with some (well-known) terminology. Similar to [3, 10] we define deductive systems using consequence relations, which are binary relations between finite subsets and elements of a set of sentences satisfying specific conditions.

Definition 1. A consequence relation is a pair $(S, \vdash)$ where $S$ is a set of sentences and $\vdash \subseteq \mathit{Fin}(S) \times S$ is a binary relation such that: $\{\varphi\} \vdash \varphi$ (Reflexivity); if $\Gamma \vdash \varphi$ and $\{\varphi\} \cup \Gamma' \vdash \psi$, then $\Gamma \cup \Gamma' \vdash \psi$ (Transitivity); and if $\Gamma \vdash \varphi$, then $\{\psi\} \cup \Gamma \vdash \varphi$ (Weakening). A consequence relation $(S, \vdash)$ induces a closure operation on sets of sentences $\Gamma \subseteq S$ by

$[\Gamma]^{\vdash} = \{\varphi \mid \Delta \vdash \varphi \text{ for some finite set } \Delta \subseteq \Gamma\}$.

$[\Gamma]^{\vdash}$ denotes the set of all sentences which are entailed by $\Gamma$ wrt. $\vdash$. Mappings between consequence relations are done with the help of morphisms. They allow us to specify possible connections between different consequence relations.

Definition 2. A morphism of consequence relations $\sigma: (S_1, \vdash_1) \to (S_2, \vdash_2)$ is a function $\sigma: S_1 \to S_2$ such that $\Gamma \vdash_1 \varphi$ implies $\sigma(\Gamma) \vdash_2 \sigma(\varphi)$.

Throughout this paper we use $\mathit{id}$ to denote the identity morphism. As a consequence of this definition, morphisms commute with the closure operation, as for instance $\sigma([\Gamma]^{\vdash_1}) \subseteq [\sigma(\Gamma)]^{\vdash_2}$ holds for all morphisms $\sigma: (S_1, \vdash_1) \to (S_2, \vdash_2)$ and all $\Gamma \subseteq S_1$ (cf. [10]). Also, morphisms are closed with respect to functional composition: given morphisms $\sigma_1: (S_1, \vdash_1) \to (S_2, \vdash_2)$ and $\sigma_2: (S_2, \vdash_2) \to (S_3, \vdash_3)$, also $\sigma_2 \circ \sigma_1$ is a morphism.

3. Development Graph

As mentioned above, the notion of a development graph serves as a structured data base for a verification system. The structure of the data base reflects the structuring given by the original specification. Common specification techniques provide means for constructing specifications of complex theories in an inductive way. Starting with basic specifications denoting elementary specifications, new theory specifications are constructed by combining theory specifications, renaming a theory specification, or hiding symbols of a theory specification. The specification of a theory is in general a term constructed from “constants” (representing the basic specifications) and functions, like union, rename, or hide, denoting the principles of constructing new theory specifications from existing ones. For instance, given a basic specification N for natural numbers, rename(N, $\sigma$) denotes the theory specification in which the signature of N has been renamed by $\sigma$.

The development graph reflects the term structure of such composed specifications, as the structure of the graph coincides more or less with the structure of the term. Each node of the graph corresponds to a subterm of the specification. The links encode the operations performed on specifications to get new ones. For instance, a combined specification union(N, M) which combines two specifications results in a development graph of three nodes, representing N, M, and union(N, M). The logical representation of the basic specification of N (and M respectively) is given by a set of logical formulas which we call the local axioms of a node. In contrast, the node of union(N, M) contains no individual local axioms but “imports” the theories from the nodes N and M only. This import is indicated by directed links from the nodes of N and M to the node of union(N, M).

Introducing names to refer to theory specifications, the same theory can be used in different theory specifications, which results in a graph representation. Combined specifications are represented by terms. Hence the theory of a node is denoted by its subgraph, i.e. the theory of a node N depends on the theory of a node M if N is reachable from M. Now suppose there is a link from M to N; then all the local axioms of nodes within the subgraph of M will contribute to the theory of N. Therefore we call this link a global link. In order to organize a management of change we have to determine how each single node within the subgraph of M will influence the theory of N. Therefore we also introduce so-called local links, which export only the local axioms of the source node to the target node but neglect all imported theories of the source node; this allows us to describe the influence of an individual node on another node. We are now ready to introduce the formal definition of a development graph:

Definition 3. A development graph $\mathcal{G}$ is an acyclic, directed graph $\langle \mathcal{N}, \mathcal{L} \rangle$. $\mathcal{N}$ is a set of nodes. Each node $N \in \mathcal{N}$ is a tuple $(S^N, \vdash^N, \Phi^N)$ such that $(S^N, \vdash^N)$ is a consequence relation and $\Phi^N \subseteq S^N$ is the set of local axioms of $N$. $\mathcal{L}$ is a set of directed links, so-called definition links, between elements of $\mathcal{N}$. Each definition link from a node $N$ to a node $M$ is either global (denoted $N \Rightarrow^{\sigma} M$) or local (denoted $N \rightarrow^{\sigma} M$) and is annotated with a morphism $\sigma: (S^N, \vdash^N) \to (S^M, \vdash^M)$.
To simplify matters, we use the notation $N \Rightarrow^{\sigma} M \in \mathcal{G}$ instead of $N \Rightarrow^{\sigma} M \in \mathcal{L}$, with $\mathcal{L}$ being the links of $\mathcal{G}$. The proof theoretical semantics of a development graph is given by the following definition:

Definition 4. Let $\mathcal{G} = \langle \mathcal{N}, \mathcal{L} \rangle$ be a development graph. Let $N \in \mathcal{N}$; then the theory $\mathit{Th}_{\mathcal{G}}(N)$ of a node $N$ wrt. a development graph $\mathcal{G}$ is defined by

$\mathit{Th}_{\mathcal{G}}(N) = \Big[\, \Phi^N \;\cup \bigcup_{K \Rightarrow^{\sigma} N \in \mathcal{G}} \sigma(\mathit{Th}_{\mathcal{G}}(K)) \;\cup \bigcup_{K \rightarrow^{\sigma} N \in \mathcal{G}} \sigma(\Phi^K) \,\Big]^{\vdash^N}$
Hence, the theory of a node $N$ depends on both the theories of all nodes which are connected via global links to $N$, and the local axioms of all nodes which are connected via local links to $N$. Notice that Definition 4 distinguishes between parallel links with different morphisms.

The definition of the development graph, and thus the underlying structuring concepts, is independent of the selection of a concrete specification language. In order to support such a specification language, several things have to be done. Basic specifications have to be translated into a set of logic formulas within the language of a suitable consequence relation, which allows us to reason about the theory of these specifications. The constructs for combining specifications have to be translated to specific graph patterns which are used to build up the development graphs for compound specifications. The institution underlying the specification language also determines the consequence morphisms attached to the links. Usually specification languages provide preconditions for when it is admissible to combine specifications. For instance, we may only combine two specifications by union if their signatures are compatible. These checks have to be done on the level of the specification language to guarantee that the obtained development graph adequately reflects the semantics of the specification. Since these checks depend on the selected specification language we will not discuss this issue further. The reader is referred to [2] for translating CASL specifications [6] into development graphs.

The next definition captures how a node N can influence the theory of any other node M. We distinguish two cases. Either the complete theory of N is inherited (wrt. the consequence morphisms along the path from N to M) to M, or a series of definition links from N to M may also start with a local link, and then it is only guaranteed that the local axioms of N are inherited to M.

Definition 5. Let $\mathcal{G}$ be a development graph. A node $M$ is globally reachable from a node $N$ via a consequence morphism $\sigma$, $N \Rrightarrow^{\sigma} M \in \mathcal{G}$ for short, iff either $N = M$ and $\sigma = \mathit{id}$, or $N \Rightarrow^{\sigma'} K \in \mathcal{G}$ and $K \Rrightarrow^{\sigma''} M \in \mathcal{G}$ with $\sigma = \sigma'' \circ \sigma'$. A node $M$ is locally reachable from a node $N$ via a consequence morphism $\sigma$, $N \rightsquigarrow^{\sigma} M \in \mathcal{G}$ for short, iff $N \Rrightarrow^{\sigma} M \in \mathcal{G}$, or there is a node $K$ with $N \rightarrow^{\sigma'} K \in \mathcal{G}$ and $K \Rrightarrow^{\sigma''} M \in \mathcal{G}$ with $\sigma = \sigma'' \circ \sigma'$.

Obviously global reachability implies local reachability, since the theory of a node is defined with the help of its local axioms.

Proof Obligations. Up to now we introduced the development graph as a structured data base for combined specifications. In a next step we provide means to postulate and maintain proof obligations within such a development graph. In theory, each node of the development graph comes along with its own proof system to reason about the theory of the node. Within each node we may postulate formulas as local theorems and use this proof system to verify these statements. Each node maintains the list of (proven) theorems which can be used as lemmata. On the development graph level we introduced definition links to define a theory with the help of other theories. Now we use the same mechanism to postulate relations between different theories. Therefore we introduce the notion of a theorem link, which is used to represent proof obligations arising in formal developments. Similar to definition links, theorem links are annotated with a consequence morphism, and we distinguish between local and global theorem links. A global theorem link from a node N to a node M postulates that all members of the theory of N are (translated by the attached consequence morphism) also members of the theory of M. In contrast, a local theorem link postulates this property only for the local axioms of N.

[Figure 1. Development Graph: the Security Model (nodes Sec, Sec_A, Sec_B) and the System Specification (nodes SP, SP_A, SP_B), both built on generic abstract datatypes (nodes Adt_1, Adt_2).]

Translating proof obligations in formal methods, like for instance the property that a requirement specification satisfies a security model, or that an abstract program implements a requirement specification, results in global theorem links between the top-level nodes of requirement specification, security model, or abstract program. But in order to verify these properties of subgraphs we have to decompose them into properties about nodes. To formulate these properties we need local theorem links, corresponding to local definition links. Thus we define:

Definition 6. Let $\mathcal{G}$ be a development graph and $N$, $M$ nodes in $\mathcal{G}$. $\mathcal{G}$ implies a global theorem link $N \Rightarrow^{\sigma} M$ (denoted $\mathcal{G} \vdash N \Rightarrow^{\sigma} M$) iff $\mathit{Th}_{\mathcal{G}}(M) \vdash^M \sigma(\varphi)$ for all $\varphi \in \mathit{Th}_{\mathcal{G}}(N)$. $\mathcal{G}$ implies a local theorem link $N \rightarrow^{\sigma} M$ (denoted $\mathcal{G} \vdash N \rightarrow^{\sigma} M$) iff $\mathit{Th}_{\mathcal{G}}(M) \vdash^M \sigma(\varphi)$ for all $\varphi \in \Phi^N$.

In the following we use the phrases that a theorem link is proven or established to indicate that it is implied by the development graph under consideration. We extend the notion of global reachability of Definition 5 in the following way. Let $T$ be a set of global theorem links; then $N \Rrightarrow^{\sigma}_T M \in \langle \mathcal{N}, \mathcal{L} \rangle$ iff $N \Rrightarrow^{\sigma} M \in \langle \mathcal{N}, \mathcal{L} \cup T \rangle$. Common proof obligations in a formal development can be encoded into properties that specific global theorem links are implied by the actual development graph. In CASL, for instance, a VIEW between two specifications can be translated into a global theorem link between the corresponding nodes of the development graph. Figure 1 sketches a common development graph in a formal development. Both the security model and the system specification are specified via theories which make use of common algebraic data structures (e.g. queues, stacks, etc.) also defined with the help of theories. The notion that the system specification satisfies the security model is denoted by a global theorem link between their corresponding top-level nodes.

4. Removing Structural Redundancies

The construction of a development graph for larger applications is an incremental process. Starting with a specification of basic theories, we establish relations between them by proposing global theorem links and proving them (as will be described later). Next we build up new theories, thereby using the already specified ones, and again propose properties about them by introducing new global theorem links. The theory of a node $N$ is a non-local property as it depends on the theories or axioms of other nodes connected with $N$. In Figure 1, for instance, the theory of $\mathit{Sec}$ depends on $\mathit{Sec}_A$, $\mathit{Sec}_B$ and the underlying abstract datatypes. Hence, global theorem links describe properties between subgraphs. To prove such properties we want to reuse already proven properties between parts of these subgraphs. That means that to prove a postulated relation between two theories we use already proven properties between inherited theories as lemmata on a graph level. Therefore we have to trace back the property proposed by the new global theorem link, for instance between $\mathit{Sec}$ and $\mathit{SP}$, to already known properties established by theorem links between related theories, for instance between $\mathit{Sec}_A$ and $\mathit{SP}_A$ or between $\mathit{Sec}_B$ and $\mathit{SP}_B$. Technically speaking, we have to decompose the property between subgraphs into properties between nodes and subgraphs. Local theorem links are used to describe such properties. The sketched decomposition of global theorem links will be specified in the following lemmata. First, the next lemma specifies the relation between global and local theorem links.

Lemma 1. Let $\mathcal{G}$ be a development graph. Then $\mathcal{G} \vdash N \Rightarrow^{\sigma} M$ iff $\mathcal{G} \vdash K \rightarrow^{\sigma \circ \sigma'} M$ holds for all $K, \sigma'$ with $K \Rrightarrow^{\sigma'} N$.

The proof of Lemma 1 is done by induction and is straightforward. Lemma 1 allows us to reduce the proof of the global theorem link from $\mathit{Sec}$ to $\mathit{SP}$ to the proofs of local theorem links from $\mathit{Sec}$, $\mathit{Sec}_A$, $\mathit{Sec}_B$, $\mathit{Adt}_1$, and $\mathit{Adt}_2$ respectively to $\mathit{SP}$.

As global theorem links describe properties on graphs, we can prove theorem links by inspecting the reachability between two nodes. Consider, for instance, the theory $\mathit{Adt}_1$. To prove that the security model is satisfied by the system specification, we have to prove in particular that the mapped axioms of $\mathit{Adt}_1$ are theorems of $\mathit{SP}$ (as $\mathit{Adt}_1$ is imported from $\mathit{Sec}$ via $\mathit{Sec}_A$). On the other hand $\mathit{Adt}_1$ is imported from $\mathit{SP}$ via $\mathit{SP}_A$. In case the consequence morphisms on both paths ($\mathit{Adt}_1 \to \mathit{Sec}_A \to \mathit{Sec} \to \mathit{SP}$ and $\mathit{Adt}_1 \to \mathit{SP}_A \to \mathit{SP}$) coincide, the proposed property holds trivially and the corresponding local theorem link is subsumed by the already existing development graph. The next lemma gives us a formal criterion to eliminate such subsumed local theorem links.

Lemma 2 (Subsumption). Let $\mathcal{G}$ be a development graph. Then $\mathcal{G} \vdash N \rightarrow^{\sigma} K$ and $K \Rrightarrow^{\sigma'} M$ implies $\mathcal{G} \vdash N \rightarrow^{\sigma' \circ \sigma} M$.

Obviously, $\sigma'(\sigma(\Phi^N)) \subseteq \mathit{Th}_{\mathcal{G}}(M)$ is implied by $\sigma(\Phi^N) \subseteq \mathit{Th}_{\mathcal{G}}(K)$ and $\sigma'(\mathit{Th}_{\mathcal{G}}(K)) \subseteq \mathit{Th}_{\mathcal{G}}(M)$. We are now ready to define a proof calculus for development graphs, operating on a set of theorem links, which minimizes the amount of proof obligations as far as possible. Lemma 1 allows us to replace each global theorem link $N \Rightarrow^{\sigma} M$ by an appropriate set of local theorem links: each theory $K$ from which $N$ is reachable via some morphism $\sigma'$ has to be connected to $M$ by a direct local theorem link annotated with the combined morphism $\sigma \circ \sigma'$. Notice that by definition $N$ is reachable from itself via the identity morphism $\mathit{id}$.

Definition 7. The development graph proof calculus on sets of theorem links is defined by the following rules:

Glob-Decomposition:

$\dfrac{\{\mathcal{G} \vdash N \Rightarrow^{\sigma} M\} \cup T}{\bigcup_{K \Rrightarrow^{\sigma'} N} \{\mathcal{G} \vdash K \rightarrow^{\sigma \circ \sigma'} M\} \cup T}$

Loc-Decomposition I:

$\dfrac{\{\mathcal{G} \vdash K \rightarrow^{\sigma} M\} \cup \{\mathcal{G} \vdash K \rightarrow^{\sigma'} L\} \cup T}{\{\mathcal{G} \vdash K \rightarrow^{\sigma'} L\} \cup T}$ if $L \Rrightarrow^{\sigma''}_T M$ and $\sigma(\Phi^K) = \sigma''(\sigma'(\Phi^K))$.

Loc-Decomposition II:

$\dfrac{\{\mathcal{G} \vdash N \rightarrow^{\sigma} M\} \cup T}{T}$ if $N \Rrightarrow^{\sigma'}_T M$ and $\sigma(\Phi^N) = \sigma'(\Phi^N)$.

Elementary:

$\dfrac{\{\mathcal{G} \vdash N \rightarrow^{\sigma} M\} \cup T}{T}$ if $\mathit{Th}_{\mathcal{G}}(M) \vdash^M \sigma(\varphi)$ for all $\varphi \in \Phi^N$.

Using this proof calculus we obtain a two-step approach for establishing the relations proposed by introducing new (global) theorem links. In a first step we reason only on the graph level. We make use of the decomposition rules of the proof calculus to split up global theorem links into local theorem links and to determine which links are already consequences of other links using the Loc-Decomposition rules. At the end of this process we are left with a set of independent, so-called elementary, local theorem links which are not immediate consequences of other links. We prove these links using the Elementary rule of the calculus, i.e. by proving that each mapped local axiom of the source node is a theorem of the theory of the target node. Consider our example in Figure 1 and suppose that the structure of the security model corresponds to the structure of the system specification. $\mathit{Sec}_A$ denotes the security properties of $\mathit{SP}_A$ while $\mathit{Sec}_B$ corresponds to $\mathit{SP}_B$. Then, the proof that $\mathit{SP}$ satisfies $\mathit{Sec}$ (global theorem link) can be decomposed into “smaller” proofs (local theorem links) that the mapped local security properties (formulated within the local axioms) of $\mathit{Sec}$, $\mathit{Sec}_A$ and $\mathit{Sec}_B$ are theorems in $\mathit{SP}$, $\mathit{SP}_A$ and $\mathit{SP}_B$ respectively (provided that the consequence morphisms of the corresponding paths coincide). Thus, we have to prove the corresponding local theorem links shown in Figure 2. Note that for instance $\mathit{Adt}_1$ does not contribute any proof obligation if the resulting consequence morphisms of the paths from $\mathit{Adt}_1$ to $\mathit{SP}$ (via $\mathit{Sec}_A$ and $\mathit{SP}_A$ respectively) coincide.

[Figure 2. Decomposition of Global Links: the local theorem links obtained from the global theorem link between Sec and SP of Figure 1; nodes Sec, Sec_A, Sec_B, SP, SP_A, SP_B, Adt_1, Adt_2.]

5. Changing the Development Graph

As mentioned in the introduction, complex specifications are always subject to modifications. Errors in specifications are typically revealed when the attempt to establish the arising proof obligations fails. They are typically detected in all phases of the verification, and we might already have spent weeks or even months to establish a reasonable number of local and global theorem links. Changing parts of the development graph affects the correctness of related, already proven theorems. In most existing systems, the proofs of all theorems which are in some way related to the changed parts of the specification are rendered invalid. Typically a large number of proofs are lost, which in the case of industrial applications might end up in an economic disaster. In this section we present methods to incrementally adjust the proof obligations and their proofs once we change parts of the development graph. Therefore we introduce “basic” operations with the help of which we change a development graph while preserving as much of our proof work as possible. In particular these basic operations allow one

- to insert a new global/local definition link into the development graph,
- to delete an existing global/local definition link from the development graph,
- to change the morphism of an existing definition link,
- to insert a new local axiom into a node of the development graph, and
- to delete a local axiom from a node of the development graph.

[Figure 3. Changing Definition Links: nodes K, K', M, N, N' with morphisms σ, ρ, τ, μ and their compositions ρτ, σρτ and σρτμ along the paths.]

Summing up, we have to reprove only a single local theorem link in our example. Since the proofs of all other theorem links are done purely with the decomposition rules of our calculus, they can be taken over to the new graph provided the properties which were used to establish these links are still valid. To check the preconditions for this reasoning, we need an explicit representation of the proofs in our calculus. In this case the management of change can reuse the former proofs to adjust the proof obligations once the development graph has changed. Therefore each established theorem link is annotated with its validation, i.e. the applied decomposition rule and its actual instantiation. For example, in the case of a global theorem link from N to M, this validation contains the list of corresponding local theorem links starting at some node N', from which N is reachable, to the target node M. Additionally we store for each of these local theorem links the corresponding path of definition links which established its reachability property. In the case of elementary local theorem links the validation contains the proofs of the mapped local axioms of the source node within the target node.

In the following we discuss the effects of basic changes of the development graph in more detail. Since the Glob-Decomposition rule is always applicable to global theorem links, we assume in the following that all global theorem links have already been decomposed into sets of local theorem links. We use Figure 3 to illustrate the effects of the basic operations on a development graph. In this example a node N is locally reachable from N' via a morphism $\mu$, while a chain of global definition links connects N to K. K itself is connected to K' by a global theorem link. For the sake of readability we present these operations in an informal way. We like to emphasize that these operations have been formally specified and verified. For lack of space, and also because these proofs do not reveal any additional insight, we do not present them in this paper. In principle we distinguish between two different kinds of basic operations:

- Adding or deleting definition links or changing the morphism of some definition link changes the graph properties. We have to inspect affected proofs on the graph level but also the proofs of theorems inside related nodes.
- Adding or deleting local axioms does not affect graph properties. Thus all proofs which operate on a graph level by using decomposition rules are still valid. However, elementary local theorem links and local theorems whose proofs may be based on changed parts of the axiomatization are affected.

Adding a Definition Link. Suppose we add a new global definition link $N \Rightarrow^{\tau} M$ from N to M. This changes the reachability relations inside the graph. Thus we have to visit all nodes K which are globally reachable from M, because only the theories of these nodes are affected by the new link. Consider a global theorem link $K \Rightarrow^{\sigma} K'$ like in Figure 3. Its decomposition becomes incomplete because it does not contain, for instance, a local theorem link from N to K' labeled with the combined morphisms on the path from N to K'. Thus, for each node $N'$ and morphism $\mu$ with $N' \rightsquigarrow^{\mu} N$ we have to add a new local theorem link $N' \rightarrow^{\sigma \circ \rho \circ \tau \circ \mu} K'$ to the decomposition of the global theorem link, where $\rho$ is the morphism of the chain of global definition links from M to K. The soundness of applications of Loc-Decomposition rules is obviously not affected by adding new links. The proof obligations of an elementary local theorem link depend on the local axioms of the source node. Insertion of a new definition link does not change the set of local axioms in any node. However, the theory of the target node may have been expanded by the new definition link, making new axioms accessible. Since the consequence relations possess the weakening property, already existing proofs are still valid in the enlarged theory. Summing up, we only have to check the decomposition of global theorem links and propose additional new local theorem links. Analogously, we deal with the insertion of local definition links.

Deleting a Definition Link. Suppose we delete an existing global definition link $N \Rightarrow^{\tau} M$ from N to M. This again changes the reachability relations inside the graph. Only nodes K which are globally reachable from M can change their theories. Hence, for each node K which is globally reachable from M we have to check whether there is a global theorem link $K \Rightarrow^{\sigma} K'$. In this case its decomposition contains too many local theorem links, like for instance a local theorem link from N' to K' although K is no longer reachable from N'. We have to inspect the validation of global theorem links starting at K and remove all local theorem links from its validation whose corresponding path of definition links contains the removed definition link. For each node N' from which N is locally reachable, we have to inspect the validation of local theorem links starting at N'. We have to check their validations if they have been proven by applying a Loc-Decomposition rule using the deleted link for verifying the reachability. In this case the application of the rule is no longer possible, the local theorem link gets an unproven status and its validation is deleted. Either we find new paths such that some decomposition rule is applicable, or this link has to be proven by the Elementary rule. Finally, for each node K which is globally reachable from M we have to invalidate the proofs of all elementary theorem links $Q \rightarrow K$, as these proofs may have used imported axioms via the deleted link. Also the proofs of the local theorems have to be invalidated. In Section 5.2 we present additional refinements of this approach which allow us to retain some of these proofs.

Changing a Morphism. Suppose we change the morphism of an existing global definition link from N to M. This causes a change of the reachability relation inside the graph. Analogously to the above cases, we have to inspect all global theorem links $K \Rightarrow^{\sigma} K'$ for each node K which is globally reachable from M. In this case its decomposition may contain local theorem links whose attached morphisms no longer satisfy the needs of the Glob-Decomposition rule. In this case new appropriate (unproven) local theorem links with appropriate morphisms have to be inserted and the validation of the global theorem link has to be adapted. For each node N' from which N is locally reachable, we have to inspect the validation of local theorem links starting at N'. We have to check their validation if this link has been proven by applying some decomposition rule using the changed morphism. In this case its validation is no longer admissible, the local theorem link gets an unproven status, and its validation is deleted. Also the proofs of all elementary theorem links $Q \rightarrow K$ and the proofs of the local theorems of K, where K is globally reachable from M, are invalidated, as they may have used imported axioms via the changed link.

Adding a New Local Axiom. Adding a new local axiom $\varphi$ to a node N does not change the reachability relations of the graph. Thus, all applications of the reduction rules are still valid. For each elementary theorem link $N \rightarrow^{\sigma} M$ we have to add a new proof obligation that $\sigma(\varphi)$ holds in $\mathit{Th}_{\mathcal{G}}(M)$. Existing proofs are not affected.

Deleting a Local Axiom. Deleting an existing axiom $\varphi$ from a node N does not change the reachability relations of the graph. Thus, all applications of the reduction rules are still valid. For each elementary theorem link $N \rightarrow^{\sigma} M$ the proof obligation that $\sigma(\varphi)$ holds in $\mathit{Th}_{\mathcal{G}}(M)$ is removed. Finally, for each node K which is locally reachable from N we have to invalidate the proofs of all elementary theorem links $Q \rightarrow K$, as these proofs may have used the deleted axiom. Also the proofs of local theorems of K have to be invalidated.
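As an added illustration of Definitions 4 and 5, Lemma 1, Lemma 2 and the case "Deleting a Definition Link" above (example code written for this page, not part of the paper or of INKA), the following toy Python development graph rebuilds the structure of Figure 1, decomposes the global theorem link from Sec to SP, records a validation per local theorem link and invalidates exactly those validations that a deleted link affects. Morphisms are modelled as symbol renamings and the closure of Definition 1 is simplified to the identity; both are assumptions, and the node names and axioms are constructed.

```python
# Sentences are symbol tuples; a morphism is a symbol-renaming dict (id = {}).
# Assumption: the closure [.]^|- of Definition 1 is the identity (no prover).
def apply(m, sentence):
    return tuple(m.get(s, s) for s in sentence)

def compose(outer, inner):  # (outer o inner)(x) = outer(inner(x))
    syms = set(inner) | set(outer)
    return {s: outer.get(inner.get(s, s), inner.get(s, s)) for s in syms}

class DevGraph:
    def __init__(self):
        self.axioms = {}       # node -> set of local axioms Phi^N
        self.links = []        # definition links (src, dst, is_global, morphism)
        self.validations = {}  # proven local theorem link -> (rule, evidence)

    def global_reach(self, target):
        # All (K, sigma, path) with K ==>^sigma target (Definition 5).
        out = [(target, {}, ())]
        for lk in self.links:
            src, dst, is_global, m = lk
            if is_global and dst == target:
                for k, sig, path in self.global_reach(src):
                    out.append((k, compose(m, sig), path + (lk,)))
        return out

    def theory(self, n):
        # Th_G(N) of Definition 4: global links import whole theories,
        # local links only the local axioms of their source node.
        th = set(self.axioms[n])
        for src, dst, is_global, m in self.links:
            if dst == n:
                imported = self.theory(src) if is_global else self.axioms[src]
                th |= {apply(m, phi) for phi in imported}
        return th

    def subsumed_by(self, k, m, sigma):
        # Lemma 2: a path K ==> M whose morphism agrees with sigma on Phi^K.
        image = {apply(sigma, phi) for phi in self.axioms[k]}
        for k2, sig, path in self.global_reach(m):
            if k2 == k and {apply(sig, phi) for phi in self.axioms[k]} == image:
                return path
        return None

    def prove_global(self, n, m, sigma=None):
        # Glob-Decomposition of G |- N ==>^sigma M (Lemma 1), then either
        # Loc-Decomposition II or the Elementary rule per local theorem link.
        sigma, status = sigma or {}, {}
        for k, sig, _ in self.global_reach(n):
            combined = compose(sigma, sig)
            key = (k, m, tuple(sorted(combined.items())))
            path = self.subsumed_by(k, m, combined)
            obligations = {apply(combined, phi) for phi in self.axioms[k]}
            self.validations.pop(key, None)         # reprove from scratch
            if path is not None:                    # Loc-Decomposition II
                self.validations[key] = ("loc-decomposition", path)
            elif obligations <= self.theory(m):     # Elementary rule
                self.validations[key] = ("elementary", obligations)
            status[key] = "proven" if key in self.validations else "unproven"
        return status

    def delete_link(self, link):
        # "Deleting a Definition Link": drop validations whose path used the link
        # and elementary proofs into nodes globally reachable from its target.
        self.links.remove(link)
        affected = {n for n in self.axioms
                    if any(k == link[1] for k, _, _ in self.global_reach(n))}
        lost = {key for key, (rule, ev) in self.validations.items()
                if (rule == "loc-decomposition" and link in ev)
                or (rule == "elementary" and key[1] in affected)}
        for key in lost:
            del self.validations[key]
        return lost  # the local theorem links that must be reproven

def figure_1():
    # Constructed instance of Figure 1: identity morphisms except Adt2 ==> SPB,
    # which renames q to queue (the two Adt2-to-SP paths differ; Section 4 caveat).
    g = DevGraph()
    for name, ax in [("Adt1", ("stack", "lifo")), ("Adt2", ("q", "fifo")),
                     ("SecA", ("secure_a",)), ("SecB", ("secure_b",)),
                     ("Sec", ("secure",)), ("SPA", ("secure_a",)),
                     ("SPB", ("secure_b",)), ("SP", ("secure",))]:
        g.axioms[name] = {ax}
    for src, dst in [("Adt1", "SecA"), ("Adt2", "SecB"), ("SecA", "Sec"),
                     ("SecB", "Sec"), ("Adt1", "SPA"), ("SPA", "SP"),
                     ("SPB", "SP")]:
        g.links.append((src, dst, True, {}))
    g.links.append(("Adt2", "SPB", True, {"q": "queue"}))
    return g

def demo():  # prove Sec ==> SP, delete Adt1 ==> SPA, then reprove
    g = figure_1()
    before = g.prove_global("Sec", "SP")
    lost = g.delete_link(("Adt1", "SPA", True, {}))
    return before, lost, g.prove_global("Sec", "SP")
```

Before the deletion the link from Adt1 to SP is subsumed via SP_A and needs no proof, while the link from Adt2 to SP stays unproven because its two paths carry different renamings; after deleting Adt1 ==> SP_A the subsumption is lost together with the elementary proofs into SP, and Adt1 to SP becomes an unproven elementary obligation.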

5.1. Example

As an example, consider the problem of implementing finite sets of natural numbers by using generic ordered lists (see Figure 4). We define the theory Elem containing a datatype elem and an ordering < on elem. Using Elem, we define generic finite sets Set and generic lists List. Set contains local axioms specifying the constructors $\emptyset$ and insert, while the local axioms of List consist of both the specifications of the list constructors nil and cons, and the specifications of the implementations empty and ins of $\emptyset$ and insert using ordered lists.

[Figure 4. Implementing sets of natural numbers: nodes Elem, Set, List, Nat, NSet and NList; definition links labeled a to f and theorem links numbered 1 to 5.]

The import of Elem in List and Set is indicated by the global definition links from Elem to List and Set, respectively. To define lists NList of natural numbers (or sets NSet of natural numbers, respectively), we inherit the local axioms of List (or Set, respectively) by a local definition link and also the theory of Nat by a global definition link. The global theorem link 1, mapping elem to nat and < to an ordering
