the s park way to correctness is via abstraction
play

The S PARK Way to Correctness is Via Abstraction John Barnes - PowerPoint PPT Presentation

Feb 05, 2023 •232 likes •526 views

The S PARK Way to Correctness is Via Abstraction 1 The S PARK Way to Correctness is Via Abstraction John Barnes SIGAda, Laurel, November 2000 John Barnes Informatics & Praxis Critical Systems The S PARK Way to Correctness is Via Abstraction

  1. The S PARK Way to Correctness is Via Abstraction 1 The S PARK Way to Correctness is Via Abstraction John Barnes SIGAda, Laurel, November 2000 John Barnes Informatics & Praxis Critical Systems

  2. The S PARK Way to Correctness is Via Abstraction 2 Our itinerary A bit of background to S PARK . Basic ideas of abstraction and refinement. Enough proof to show that it works with refinement. Back to basics for visibility and design. Finishing remarks. John Barnes Informatics & Praxis Critical Systems

  3. The S PARK Way to Correctness is Via Abstraction 3 S PARK Origins in research on program analysis done by Ministry of Defence in 1970s. Extended by Southampton University in 1980s. Now developed and supported by Praxis Critical Systems Ltd. Has the form of a subset of Ada (83 and 95); subset chosen to enable rigorous analysis. Additional information supplied as annotations which are Ada comments. Programs are compiled by normal Ada compiler. Programs are analysed by the S PARK Examiner. Proof (optional) done by Simplifier and Proof Checker. Used extensively for Avionics, Railroads, Banking, for systems where getting it correct matters. John Barnes Informatics & Praxis Critical Systems

  4. The S PARK Way to Correctness is Via Abstraction 4 Abstraction Tell the whole truth - and nothing but the truth (on a need to know basis). Hide the irrelevant detail. Reveal the relevant detail. Ada interfaces do not tell us enough. John Barnes Informatics & Praxis Critical Systems

  5. The S PARK Way to Correctness is Via Abstraction 5 Simple example What does this specification tell us? procedure Add(X: in Integer); Frankly - not much! There is a procedure Add. It has a parameter of type Integer . But it doesn't say anything about what it does or to whom it does it. It might print the date; It might subtract two fixed point numbers; It might launch a missile; it might ... John Barnes Informatics & Praxis Critical Systems

  6. The S PARK Way to Correctness is Via Abstraction 6 Add the lowest S PARK annotation - visibility procedure Add(X: in Integer); --# global in out Total; Global annotation must mention all globals that Add accesses. Mode information is stronger than in Ada. In Ada, modes give permission to access. In S PARK , modes state that values must be used or produced. So now we know Total will get a new value, nothing else will be changed. Old value of Total will be used. Value of parameter X will be used. In summary, Add computes a new value of Total using its original value and X. John Barnes Informatics & Praxis Critical Systems

  7. The S PARK Way to Correctness is Via Abstraction 7 Add dependency annotation The next level of annotation gives explicit dependency relations. procedure Add(X: in Integer); --# global in out Total; --# derives Total from Total, X; Adds no further information in this simple example (because only one out parameter). Think of globals as extra parameters where actual parameter is always the same. John Barnes Informatics & Praxis Critical Systems

  8. The S PARK Way to Correctness is Via Abstraction 8 Add proof annotation Add the third level of annotation. procedure Add(X: in Integer); --# global in out Total; --# derives Total from Total, X; --# post Total = Total~ + X; Postcondition explicitly says that the final val ue of Total is its initial value added to the value of X. Note the tilde only used with mode in out Total~ means initial value Total means final value. The specification is now complete - it tells the whole truth. John Barnes Informatics & Praxis Critical Systems

  9. The S PARK Way to Correctness is Via Abstraction 9 Specification is the Interface Annotations are part of the subprogram specification. Since they are part of the interface. Not generally repeated in body. If no distinct spec then occur in body before "is". Annotations separate interaction between caller and spec from that between spec and implementation in body. caller spec body Examiner carries out two lots of checks. Checks that all calls are consistent with spec. Checks that body conforms to spec. So if body of Add uses a global other than Total or misuses the modes, the Examiner will complain. John Barnes Informatics & Praxis Critical Systems

  10. The S PARK Way to Correctness is Via Abstraction 10 State package body Random_Numbers is package Random_Numbers Seed: Integer; --# own Seed; Seed_Max: constant Integer := ... ; --# initializes Seed; is procedure Random(X: out Float) is begin procedure Random(X: out Float); Seed := ... ; --# global in out Seed; X := Float(Seed) / Float(Seed_Max); --# derives X, Seed from Seed; end Random; end Random_Numbers; begin Seed := 12345; end Random_Numbers; own annotation - announces Seed declared in body used in annotations in spec. initializes annotation - promises that it will be initialized at elaboration could be in declaration of Seed rather than initialization part of package. The existence of Seed (the state) is made known but full details are not revealed. Note that no annotations in body. John Barnes Informatics & Praxis Critical Systems

  11. The S PARK Way to Correctness is Via Abstraction 11 Abstract State Machine package body The_Stack is package The_Stack Stack_Size: constant := 100; --# own S, Pointer; type Pointer_Range is range 0 .. Stack_Size; --# initializes Pointer; subtype Index_Range is is Pointer_Range range 1 .. Stack_Size; procedure Push(X: in Integer); type Vector is array (Index_Range) of Integer; --# global in out S, Pointer; S: Vector; --# derives S from S, Pointer, X & Pointer: Pointer_Range; --# derives Pointer from Pointer; procedure Push(X: in Integer) is procedure Pop(X: out Integer); begin --# global in S; in out Pointer; Pointer := Pointer + 1; --# derives Pointer from Pointer & S(Pointer) := X; --# derives X from S, Pointer; end Push; end The_Stack; procedure Pop(X: out Integer) is begin X := S(Pointer); Pointer := Pointer - 1; end Pop; begin Pointer := 0; end The_Stack; Bad style. The existence of S and Pointer are revealed. Bad implications if implementation be changed. John Barnes Informatics & Praxis Critical Systems

  12. The S PARK Way to Correctness is Via Abstraction 12 Refinement package The_Stack package body The_Stack --# own State; -- abstract variable --# own State is S, Pointer; -- refinement definition --# initializes State; is is ...-- as before procedure Push(X: in Integer); procedure Push(X: in Integer) --# global in out State; --# global in out S, Pointer; --# derives State from State, X; --# derives S from S, Pointer, X & --# derives Pointer from Pointer; procedure Pop(X: out Integer); is --# global in out State; begin --# derives State, X from State; Pointer := Pointer + 1; end The_Stack; S(Pointer) := X; end Push; ...-- Pop similarly begin Pointer := 0; S := Vector'(Index_Range => 0); end The_Stack; The abstract State is mapped onto S and Pointer. Annotations on Push and Pop rewritten. The existence of the State is now visible but the irrelevant details are kept hidden. John Barnes Informatics & Praxis Critical Systems

  13. The S PARK Way to Correctness is Via Abstraction 13 Analogy with records Refinement is analogous to private types. type Position is private; ... type Position is record X_Coord, Y_Coord: Float; end record; There are two views of the type Position. One shows the inner components. There are two views of State. One reveals S and Pointer. John Barnes Informatics & Praxis Critical Systems

  14. The S PARK Way to Correctness is Via Abstraction 14 Transitivity and scalability The consituents of refinement can also be in an embedded package or private child package. Refinement can be repeated. Key point Annotations of subprograms external to a package which (indirectly) read or update its state (by executing subprograms of the package ) must indicate that they import or export the state. So procedure Use_Stack --# global in out The_Stack.State; --# derives The_Stack.State from The_Stack.State; is begin The_Stack.Push( ... ); ... The_Stack.Pop( ... ); ... end Use_Stack; Only the existence of the state (and its reading or updating) is significant in this context. The details are hidden by refinement. John Barnes Informatics & Praxis Critical Systems

  15. The S PARK Way to Correctness is Via Abstraction 15 Location of state Standard example procedure Exchange(X, Y: in out Float) --# derives X from Y & --# derives Y from X; is T: Float; begin T := X; X := Y; Y := T; end Exchange; The parameters X and Y have mode in out. This requires them to be both read and updated. The (optional) derives annotation in addition states that the final value of X depends upon the initial value of Y and vice versa. T is local and thus hidden. It does not occur in the annotations because it is hidden irrelevant detail. John Barnes Informatics & Praxis Critical Systems

Recommend

Program Correctness Department of Computer Science University of Maryland, College Park

Program Correctness Department of Computer Science University of Maryland, College Park

CMSC 132: Object-Oriented Programming II Program Correctness Department of Computer Science University of Maryland, College Park Announcements We update slides/example often. Always get class material from the web site Remember that

432 views • 21 slides
Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a general quality or characteristic, apart from concrete realities, specific objects, or actual instances. 2 Abstraction Abstraction is

478 views • 21 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound values combine other values together All A date: a year, a month, and a day A geographic position: latitude and longitude Data abstraction

430 views • 19 slides
MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy Hypervisor correctness is critical Hypervisors need to virtualize correctly all the architecture details

388 views • 19 slides
Cell Analogies Using abstraction to show off your creativity and your knowledge of cells Project

Cell Analogies Using abstraction to show off your creativity and your knowledge of cells Project

Cell Analogies Using abstraction to show off your creativity and your knowledge of cells Project goal: Use abstraction to represent a cell through the use of an analogy. Possible analogies A real or fictional place - city, amusement park,

103 views • 9 slides
LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION JIT page To achieve code execution,

327 views • 32 slides
CS137: Today Electronic Design Automation Specification/Implementation Abstraction

CS137: Today Electronic Design Automation Specification/Implementation Abstraction

CS137: Today Electronic Design Automation Specification/Implementation Abstraction Functions Correctness Condition Day 15: February 13, 2006 Verification Processor Verification Self-Consistency 1 2 CALTECH CS137

334 views • 7 slides
08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

Review Hoare Triples; Partial and Total Correctness Practical Aspects of Correctness Proofs Correctness of the Factorial Function Proof Calculus for Total Correctness 08Program Verification II CS 5209: Foundation in Logic and AI Martin

778 views • 39 slides
Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about cri4cal parts of a program and reason effec4vely A program is intended to carry out a

1.01k views • 57 slides
What is abstraction? What is abstraction? Workable answer a blurring of details Idea:

What is abstraction? What is abstraction? Workable answer a blurring of details Idea:

What is abstraction? What is abstraction? Workable answer a blurring of details Idea: agree to ignore certain details ( for now ) e.g., with procedural abstraction idea is to convert original problem to a series of simpler

229 views • 12 slides
Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today Abstraction, especially

167 views • 12 slides
On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and

On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and

On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and visual arts Somewhat intuitively understood A formal definition not available VAD textbook refers to task and data abstraction Map generalization:

387 views • 11 slides
Announcements Data Abstraction Data Abstraction Compound values combine other values together

Announcements Data Abstraction Data Abstraction Compound values combine other values together

Announcements Data Abstraction Data Abstraction Compound values combine other values together Programmers A date: a year, a month, and a day All A geographic position: latitude and longitude Data abstraction lets us manipulate

383 views • 3 slides
Data Abstraction Announcements Data Abstraction Data Abstraction 4 Data Abstraction

Data Abstraction Announcements Data Abstraction Data Abstraction 4 Data Abstraction

Data Abstraction Announcements Data Abstraction Data Abstraction 4 Data Abstraction Compound values combine other values together 4 Data Abstraction Compound values combine other values together A date: a year, a month, and

1.38k views • 124 slides
www.webinos.org Use existing standards where ever possible Functional abstraction vs

www.webinos.org Use existing standards where ever possible Functional abstraction vs

www.webinos.org Use existing standards where ever possible Functional abstraction vs Data abstraction Functional abstraction better for legacy and performance (JavaScript: Geolocation example) Connectivity: URI naming

212 views • 3 slides
Predicate Abstraction with SATABS Version 1.0, 2010 Outline Introduction Existential

Predicate Abstraction with SATABS Version 1.0, 2010 Outline Introduction Existential

Predicate Abstraction with SATABS Version 1.0, 2010 Outline Introduction Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Checking the

1.66k views • 162 slides
Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of

Object-Oriented Programming 1908 Harry Beck, 1933 Abstraction Abstraction is the process of capturing only those ideas about a concept that are relevant to the current situation. Irrelevant ideas are left out. Abstraction Control

336 views • 14 slides
HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for

HW-SW Interfaces HW-SW Interfaces Abstraction and Design Abstraction and Design for Multi-Processor SoC for Multi-Processor SoC Dr. Ahmed Amine JERRAYA TIMA Laboratory 46 Avenue Felix Viallet 38031 Grenoble Cedex France Tel: +33 476 57 47

634 views • 36 slides
Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP

Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP

Abstraction and OOP Tiziana Ligorio 1 Todays Plan Announcements Recap Abstraction OOP 2 Recap Minimize software size and interactions Simplify complex program to manageable level Break down into smaller problems Isolate

650 views • 54 slides
The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009

The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009

The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009 Outline Inventing abstract data types CLU CLU Type hierarchy What next h Data Abstraction Prehistory The Venus machine The

750 views • 64 slides
Abstraction 1/ 45 Abstraction the interactions of difgerent components can be simplifjed by

Abstraction 1/ 45 Abstraction the interactions of difgerent components can be simplifjed by

Abstraction 1/ 45 Abstraction the interactions of difgerent components can be simplifjed by hiding the details of each components implementation from the rest of the system. protecting it with an interface . system is invariant to changes

691 views • 47 slides
Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a 1 a 2 Sebastian Buruian S , tefan Ciob ac 1 Alexandru Ioan Cuza University Bitedefender 2 Alexandru Ioan Cuza University WPTE 2018

435 views • 21 slides

More recommend