Proof Transformations for Evolutionary Formal Software Development

Proof Transformations for Evolutionary Formal Software Development Axel Schairer

Dieter Hutter

[email protected], [email protected] German Research Center for Artificial Intelligence (DFKI GmbH) Stuhlsatzenhausweg 3, 66123 Saarbrucken, ¨ Germany

AMAST’2002, September 9-13, 2002

Overview Background and motivation Problem description Solution: proof transformations Example transformations Conclusions and future work

Schairer/Hutter

AMAST’2002

Background: Formal Development Formal Methods in early phases of development process Security model – (axiomatic) specifications of – high level system functionality/behaviour – (security) properties of the system Proof Security Properties

System Specification sat

Model of computation/spec. formalism

Schairer/Hutter

AMAST’2002

Background: Formal Development Security models – What properties is the system supposed to have? – Which details do I need to model to express them? – Iterate! ˆ of rigorous inspections to (Interactive) proofs play the role – find errors – assess design decision Changes are core part of process, not accidental

Schairer/Hutter

AMAST’2002

Background: Formal Development Large, structured specifications Translation of specification into verification conditions (VCs) VCs discharged with theorem prover (partially interactive)

tool support needed (e.g. Verification Support Environment, Inka & Maya, . . . ) Need support for: – Incremental development: add functionality in stages – Evolutionary development: change specification according to experience gained in preceding steps, e.g. failed proof attempts

Schairer/Hutter

AMAST’2002

Problem Several aspects, typically specified incrementally E.g.: file store, access control, memory management, process management, . . . Several intuitive ‘dimensions’ E.g.: state space, commands, properties, . . . Aspects and dimensions partly independent of each other intuitively, but not formally

Schairer/Hutter

AMAST’2002

Examples for Dependencies Adding/changing a command – Many properties are invariants over execution of command sequences – These proofs affected because induction axiom (case distinction) is changed Adding or removing slot of state space (used by some commands and for some properties only) – All properties affected – All commands affected Dependencies orthogonal to structure of specification Many dependencies are not deep (e.g. syntactical) Schairer/Hutter

AMAST’2002

State of the Art Change specification Compute new verification conditions Reconsider proofs – Some are still valid – Some have to be patched trivially – Some have to be heavily re-engineered – Some can be repaired by heuristic replay – Some have to be constructed from scratch

Patching (of proofs, proof scripts etc.) done ad hoc/manually

Works, but: Changes are prohibitively expensive Evolutionary development difficult

Schairer/Hutter

AMAST’2002

Motivation Situation handled quite well in informal reasoning Claim: We can support the same kind of reasoning in a formal setting! Example: assume interpreter for set of commands – Commands specified by pre- and postconditions on interpreter state – Properties proved for execution traces, e.g. invariants

Schairer/Hutter

AMAST’2002

Motivation

case split

ind

Add a new command! Schairer/Hutter

AMAST’2002

Motivation

Schairer/Hutter

case split

ind

AMAST’2002

Motivation

∆ ψ

Γ ϕ

!

∆

Γ ϕ

Γϕ

∆ "

Need to strengthen precondition ϕ of command i to ϕ ψ Schairer/Hutter

AMAST’2002

Motivation

∆

Γ ϕ ψ

"

∆ ψ

Γ ϕ ψ

*

)

+

(

'

&

"

% $

#

Schairer/Hutter

"

Γϕ ψ

∆

AMAST’2002

Proposed Solution Transformation of developments (specification together with proofs) Provide preconceived basic transformation steps Use specialized knowledge to support repair of proofs according to specification change Take care of low-level changes May introduce new open goals Result: Tool to simulate the informal mode of reasoning in a completely rigorous way Turns out to be quite general Schairer/Hutter

AMAST’2002

Proposed Solution

,

,

, -

Sig: Sent:

.

/ 0

Schairer/Hutter

AMAST’2002

Proposed Solution

, -

-

4

1 -

5

2 6

3

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

:

7 -

;

8
=

ind

Add a new command!

Schairer/Hutter

AMAST’2002

Proposed Solution

N

M

L

K

J I H

G F

Schairer/Hutter

case split

ind

AMAST’2002

Proposed Solution

, -

-

R

O -

S

P T

Q

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

X

U -

Y

V Z

W

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

^

[ -

_

\ `

]

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

d

a -

e

b f

c

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

j

g -

k

h l

i

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Proposed Solution

, -

-

p

m -

q

n r

o

Schairer/Hutter

,

,

Sig: Sent:

,

,

,

Sig: Sent:

AMAST’2002

Example Set of Basic Transformations add/remove type, add/remove function, add/remove predicate add/remove axiom, add/remove lemma add/remove constructor rename type/function/predicate/constructor add/remove argument swap arguments replace occurrence, with special cases – wrap – capture Schairer/Hutter

AMAST’2002

Example Set of Basic Transformations Basic transformations extracted from examples and problems that occurred frequently in past projects and case studies Additional basic transformations due to symmetry reasons This example set is: – Dependent on specification formalism – Dependent on relation between specification and proof obligations – Not dependent on application domain

Schairer/Hutter

AMAST’2002

Example Set of Basic Transformations Different effects of transformations – Extending/restricting signature – Changing existing signature items – In particular: changing induction scheme – Adding/removing assumptions and proof obligations – Replacing (sub-)formulae Basic transformation can have more than one effect

Schairer/Hutter

AMAST’2002

Changing Signature Item

s

Example: Add argument, e.g. change operation f : τ1 τ2 τ to f : τ1 τ2 τ3 τ t

s

s

t

Add new (dummy) constant a : τ3 to specification v

Replace each (sub-) term of the form f t1 t2 by f t1 t2 a throughout specification and proofs w

u

v

v

w

u

All objects (formulae, terms) well-formed (type-correct) Proofs again valid, structure unchanged Occurrences of a can later be changed into appropriate terms using change occurrence Schairer/Hutter

AMAST’2002

Changing Formulae

Pi

x

Pi (T-3) Ti A

z

y

x y

Ti A

z P2

x

P2 P1

x

P1

(T-2)

{ x { x

y

y

|{

||

z

z

T A

z

x y

S

x}

y

z

T X

z

T A

y

}

S

Q A P1 Pn

x

P

{ z zz z y y y y { || { |

Q X @ T1 X @ Tn X

x}

P

(T-4)

For details see [EFSD 2002] Schairer/Hutter

AMAST’2002

Changing Formulae – Dependent Subproof Example for wrap formula (same polarity)

Γ1 ϕ ψ Γ2 "

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ Γ2

∆

AMAST’2002

Changing Formulae – Dependent Subproof Example for wrap formula, same polarity

v

v

v

"

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ Γ2

∆ ∆

"

Γ1 ϕ ψ Γ2 Γ1 ϕ ψ Γ2

:l

AMAST’2002


v

v

v

"

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ Γ2

∆ ∆

"


:l

AMAST’2002


Γ1 ϕ ψ Γ2

∆

v

"

v

v

v

v

v

v

v

v

Schairer/Hutter

v

v

∆

~

Γ1 ϕ Γ2

~

∆

Γ1 ϕ Γ2

"

∆ ∆


:l

AMAST’2002


v

v

v

"

v

v

v

v

∆

~

Γ1 ϕ Γ2

:l

v

v

v

∆

Γ1 ϕ Γ2 ∆ Γ1 ψ Γ2 Γ1 ϕ ψ Γ2 ∆ v

:l

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ Γ2

"

∆ ∆


AMAST’2002


v

v

v

"

v

v

v

v

∆

~

Γ1 ϕ Γ2

:l

v

v

v

∆

Γ1 ϕ Γ2 ∆ Γ1 ψ Γ2 Γ1 ϕ ψ Γ2 ∆ v

:l

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ Γ2

"

∆ ∆


AMAST’2002

Changing Induction Scheme Example: Add constructor ci to τ For each induction over τ, add new subgoal, corresponding to the new constructor

ind τ

Schairer/Hutter

ind τ

AMAST’2002

Changing Induction Scheme τ

t

Example: Add argument to constructor function c : τ1

For each induction over τ .. ξ Γ ∆ y : τ1 A c y Γ ∆ x:τ A x

v

w

w

u

u

ind τ

v

w

u

.. ξ ∆ y : τ1 z : τ2 A c y z Γ ∆ x:τ A x

v

v

v

w

w

u

u

Γ

ind τ

v

w

u

ξ transformed to ξ by combination of wrap quantifier and add argument for non-constructor Schairer/Hutter

AMAST’2002

Completeness and Adequacy Can transform any specification into any other? Yes, but . . . (pointless) Without losing proof effort unless absolutely necessary? No, but . . . (ill-defined) Interested in adequacy: – Definitely no worse than without – Common gotchas in past projects and case studies work – Reconstruction of a case study for incremental development works – Open ended: if a transformation is missing, we simply provide it Schairer/Hutter

AMAST’2002

Example (Sketch) ¨ Simplified reconstruction of Failure Transformation [Gartner/Mantel, 2000]

First: – Network of reliable processes – Each process runs a local, non-deterministic program – Verify: reliable broadcast

Then: – Add auxiliary datatypes, functions, and definitions – Add failure to possible state of processes – Add crash action as an additional command – Strengthen preconditions of other commands – Weaken property (reliable broadcast for running processes only) – Tackle new open goals (same as in paper)

Schairer/Hutter

AMAST’2002

Implementational Issues Transformations need not be part of trusted kernel (check proofs afterwards) Independent of paradigm for proof search Transformation can produce proofs that cannot be produced by search heuristics directly Dependent on “appropriate” explicit representation of proofs and interface Depends on rich and flexible interface to specification front-end and theorem prover

Schairer/Hutter

AMAST’2002

Future Work Consider more complicated dependency between specification and verification conditions Better integration with structuring mechanism (exploiting modularity of systems or specifications) Extend to equality reasoning Implement into existing verification tool More examples

Schairer/Hutter

AMAST’2002

Conclusions Basic specification transformations – Restricted set of changes – Change language, change subformulae Extended to proof transformations – Use knowledge about particular specification transformation – Minimal changes, structurally similar proof, possibly new open goals Complements other methods to minimize effort for changing specifications Works and is extremely useful! Schairer/Hutter

AMAST’2002

Proof Transformations for Evolutionary Formal Software Development Axel Schairer

Dieter Hutter

[email protected], [email protected] German Research Center for Artificial Intelligence (DFKI GmbH) Stuhlsatzenhausweg 3, 66123 Saarbrucken, ¨ Germany

AMAST’2002, September 9-13, 2002

Changing Formulae – Dependent Subproof Example for capture, γ-formula

Γ1 z ϕ z Γ2 v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ c Γ2

∆

AMAST’2002


Γ1 z ϕ z ϕ c Γ2 ∆ :l Γ1 z ϕ z Γ2 ∆ v

v

v

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ c Γ2

AMAST’2002


Γ1 z ϕ z ϕ c Γ2 ∆ :l Γ1 z ϕ z Γ2 ∆ v

v

v

v

v

v

v

Schairer/Hutter

∆

~

Γ1 ϕ c Γ2

AMAST’2002

Related Work Idea similar to Cynthia (an SML program editor) [Whittle 97, 99] Different from correctness-preserving transformations Orthogonal to – Heuristic replay – Proof scripts and script maintenance Proof transformations technically similar to low-level reuse, in particular extension of [Felty/Howe 94]

Schairer/Hutter

AMAST’2002