(C) Anton Setzer 2003 (except for pictures)
A3. Programming Languages for Writing Safety-Critical Software
(a) Overview.
(b) SPARK Ada.
Critical Systems, CS411, Lent term 2003, Sec. A3, A3-1
(a) Overview
Main Criteria for Choice of Programming Languages for Critical Systems
• Logical soundness.
– Is there a sound, unambiguous definition of the language?
• Complexity of definition.
– Are there simple, formal definitions of the language features?
– Too high complexity of the definition results in complex, and therefore error-prone, compilers and support tools.
Main Criteria for Choice of Programming Languages for Critical Systems
• Expressive power.
– Can program features be expressed easily and efficiently?
– The easier the program one has written, the easier it is to verify it.
• Security.
– Can violations of the language definitions be detected before execution?
Main Criteria for Choice of Programming Languages for Critical Systems
• Verifiability.
– Is there support for verifying that program code meets the specification?
• Bounded space and time requirements.
– Can it be shown that time and memory constraints are not exceeded?
Common Reasons for Program Errors
• Subprogram side-effects.
– Variables in the calling environment are unexpectedly changed.
• Aliasing.
– Two or more distinct names refer to the same storage location. Changing one variable changes a seemingly different one.
• Failure to initialize.
– Variable is used before it is initialized.
Common Reasons for Program Errors (Cont.)
• Expression evaluation errors.
– E.g. out-of-range array subscript, division by zero, arithmetic overflow.
– Different behaviour of compilers of the same language in case of arithmetic errors.
Comparison of Programming Languages
Cullyer, Goodenough and Wichmann have compared the suitability of programming languages for high integrity software by using the following criteria:
• Wild jumps.
– Can it be guaranteed that a program cannot jump to an arbitrary memory location?
• Overwrites.
– Can a language overwrite an arbitrary memory location?
• Semantics.
– Is semantics defined sufficiently so that the correctness of the code can be analyzed?
Comparison of Programming Languages (Cont.)
• Model of mathematics.
– Is there a rigorous definition of integer and floating point arithmetic (overflow, errors)?
• Operational arithmetic.
– Are there procedures for checking that the operational program obeys the model of arithmetic when running on the target processor?
Comparison of Programming Languages (Cont.)
• Data typing.
– Are there means of data typing that prevent misuse of variables?
• Exception handling.
– Is there an exception handling mechanism in order to facilitate recovery if malfunction occurs?
• Exhaustion of memory.
– Are there facilities to guard against running out of memory?
Comparison of Programming Languages (Cont.)
• Safe subsets.
– Is there a safe subset of the language that satisfies requirements more adequately than the full language?
• Separate compilation.
– Is it possible to compile modules separately, with type checking against module boundaries?
• Well-understood.
– Will designers and programmers understand the language sufficiently to write safety critical software?
Comparison of Programming Languages (Cont.)
• Legend for next slide:
– + means protection available,
– ? means partial protection,
– - means no protection.
Criterion              | Structured assembler | C | CORAL 66 | ISO PASCAL | Modula-2 | Ada
Wild jumps             | + | ? | ? | ? | ? | +
Overwrites             | ? | - | - | ? | ? | ?
Semantics              | ? | - | ? | ? | + | ?
Model of mathematics   | ? | - | ? | + | + | ?
Operational arithmetic | ? | - | - | ? | ? | ?
Data typing            | ? | - | ? | ? | ? | +
Exception handling     | - | ? | - | - | ? | +
Safe subsets           | ? | - | - | - | ? | -
Exhaustion of mem.     | + | ? | ? | ? | ? | -
Separate compil.       | - | - | ? | ? | + | +
Well understood        | + | ? | ? | + | + | ?
Remarks on CORAL 66
• CORAL 66 = compiled structured programming language related to Algol.
• Developed at the Royal Radar Establishment (RRE), Malvern, UK.
• Used for real-time systems.
• Allowed inline assembly code.
• No free CORAL 66 compilers seem to be available today.
Analysis
• C the most unsuitable language.
• Modula-2 the most suitable.
– Problem: limited industrial use.
– Therefore lack of tools, compilers.
∗ Industrial use contributes to reliability of compilers.
• One solution: development of new languages for high integrity software.
– Same problem as for Modula-2: limited industrial use.
Analysis (Cont.)
• Better solution: introduction of safe subsets.
– Rely on standard compilers and support tools.
– Only an additional checker, which verifies that the program is in the subset.
– Add annotations to the language.
– Problem: Are compilers safe?
∗ Case study revealed: Compiler faults are equivalent to one undetected fault in 50000 lines of code.
∗ Especially a problem of optimization.
Safe Subsets
Criterion              | CORAL subset | SPADE-Pascal | Modula-2 subset | Ada subset
Wild jumps             | + | + | + | +
Overwrites             | + | + | + | +
Semantics              | + | + | + | ?
Model of mathematics   | ? | + | + | +
Operational arithmetic | ? | + | ? | +
Data typing            | ? | + | + | +
Exception handling     | - | - | ? | +
Safe subsets           | ? | + | + | ?
Exhaustion of mem.     | + | + | ? | ?
Separate compil.       | ? | ? | + | +
Well understood        | + | + | + | +
Programming Languages Used
• Aerospace.
– Trend towards Ada.
– Use of languages like FORTRAN, Jovial, C, C++.
– 140 languages used in the development of the Boeing 757/767. 75 languages used in the development of the Boeing 747-400. E.g. C++ for the seat back entertainment system of the Boeing 777.
– Northrop B2 bomber control system: C++.
• Spacecraft.
– European Space Agency: use of Ada in mission-critical systems.
– NASA: Assembler, Ada.
– Space shuttle: HAL/S and Ada plus other languages.
– Air traffic control systems in US, Canada, France: Ada.
Programming Languages Used
• Automotive systems:
– Much assembler. Also C, C++, Modula-2.
• Railway industry:
– Ada as de-facto standard.
• Denver Airport baggage system written in C++, but initial problems probably not directly related to the use of C++.
• In general:
– Trend towards Ada for the high-integrity parts of the software.
– Use of assembler where necessary.
(b) SPARK Ada
Motivation for Developing Ada
• Original problem of the Department of Defense in the USA (DOD):
– Too many languages used and created for military applications (> 450).
∗ Languages largely incompatible and not portable.
∗ Often minimal software available.
∗ Competition restricted, since only one vendor.
– Existing languages too primitive.
∗ No modularity.
∗ Hard to reuse.
– Problems particularly severe in embedded systems.
∗ 56% of the software cost of DOD in 1973 for embedded systems.
∗ Most money spent on maintaining software, not developing it.
Ada
• Decision by DOD: Development of a new standard programming language for military applications.
– Name Ada = name of Ada Lovelace (1815-1852).
∗ Wrote programs for Babbage’s computer.
∗ Therefore called “the first computer programmer”.
• First release: Ada 83 (1983 – same year C++ was released).
• Ada 95: Revision of Ada, integration of object-orientation.
SPARK Ada
• Subset of Ada.
– Original definition by B. Carré and T. Jennings, Univ. of Southampton, 1988.
– Several revisions carried out by Praxis Critical Systems Ltd.
– Adapted to Ada 95.
– Commercial tools available from Praxis Critical Systems.
• Annotations to Ada.
– Some required for data and information flow analysis.
– Others allow to generate and prove verification conditions.
– It is as well possible to integrate unchecked or even unimplemented Ada code.
• SPARK Ada code compiles with standard Ada compilers.
Factors for Programming Languages Addressed by SPARK Ada
• Logical Soundness.
– Problem: a statement like Y := F(X) + G(X): Order of evaluation not specified. Problem if F(X) and G(X) have side effects.
∗ E.g. F(X) has effect Z := 0, G(X) has effect Z := 1.
∗ Solution in many languages: define the order of evaluation. Not possible, if SPARK Ada should compile on standard compilers.
∗ Solution in SPARK Ada: Functions are not allowed to have side-effects.
Factors for Programming Languages Addressed by SPARK Ada (Cont.)
• Simplicity of language definition.
– Omission of too complex principles.
∗ No variant records.
· (Dependent types, but no complete compile time checking).
∗ No tasks (concurrency).
∗ No generic types.
Factors for Programming Languages Addressed by SPARK Ada
• Expressive power.
– Hiding of variables allowed.
– Allows to specify strong assertions about variables.
• Security.
– Array bound checks.
– Programs do not stray outside the computational model.
– Both guaranteed by Ada.
– In order to be verifiable at compile-time:
∗ Constraints (array bounds, ranges) have to be static (determined at compile time).
Factors for Programming Languages Addressed by SPARK Ada
• Verifiability.
– Extra annotations:
∗ control of data flow,
∗ control of information flow,
∗ proof annotations (more below).
– Every fragment of code has a single entry point and limited exit points.
• Bounded space and time requirements.
– Recursion disallowed.
– No arrays without bounds.
∗ Can be declared, but only subtypes of it can be used.
– No pointers (called access types in Ada).
– The above guarantees bounded space. Bounded time difficult to guarantee.
Factors for Programming Languages Addressed by SPARK Ada
• Language should be as explicit as possible.
– No polymorphism (i.e. that an operation is defined for different types):
∗ No overloading of functions.
∗ No array sliding: Assignment, comparison, operations on arrays only allowed on arrays with the same array index sets.
· As well no concatenation of arrays.
· However, for strings allowed.
∗ No default parameters, default record components.
∗ However the standard +, ∗ are overloaded.
Factors for Programming Languages Addressed by SPARK Ada
• (Language should be as explicit as possible, cont.)
– No anonymous subtypes.
∗ Instead of:
    type Vector is array (0 .. 100) of Integer;
one has to write
    type Vectorindex is range 0 .. 100;
    type Vector is array (Vectorindex) of Integer;
∗ Exception: loop variables can be elements of an anonymous range.
– Unique names of entities at a given place:
∗ Package variables have to be used explicitly: A variable X of a package Mypackage has to be referenced as Mypackage.X
Factors for Programming Languages Addressed by SPARK Ada
• No structures which are too complex to grasp.
– No type hierarchies.
∗ No derived types (essentially a copy of a type).
∗ No type extension (subtypes in object-oriented progr.).
∗ No class-wide types (classes which have subclasses). Therefore no inheritance.
· Problem of inheritance: properties are inherited remotely.
∗ However subtypes (restriction of the range of a type) allowed.
– Restriction on return statements and exits.
∗ No return statements in procedures.
∗ Exactly one return statement in functions.
∗ Exit from loops only possible to the innermost loop.
∗ No exit out of an if condition (since there the innermost loop is the if-statement).
Architecture of the SPARK Ada tools
• SPARK-examiner.
– Verifies the following:
∗ Correct Ada syntax.
∗ SPARK-subset of Ada chosen, as described above.
– Carries out three levels of analysis:
∗ Data flow analysis.
∗ Information flow analysis.
∗ Generation of verification conditions.
⇓
• SPADE-simplifier.
– Simplifies verification conditions of the examiner. Trivial ones are already proved.
Architecture of the SPARK Ada tools (Cont.)
⇓
• SPADE-proof-checker.
– Proof tool for interactively proving verification conditions.
Three Levels of Analysis
• Data flow analysis.
– Checks input/output behaviour of parameters and variables.
– Checks initialization of variables.
– Checks that changed and imported variables are used later (possibly as output variables).
• Information flow analysis.
– Verifies interdependencies between variables.
• Verification conditions.
– Generation of proof conditions, which allow to prove correctness of programs.
Three Levels of Analysis (Cont.)
The idea is that the 3 different levels of analysis are applied dependent on the criticality of the program. (Some parts might not be checked at all.)
Annotations
• Certain annotations are added to the programs.
– Specific to the 3 levels of analysis.
• Written as Ada comments:
– Ignored by Ada compilers.
– Used by the SPARK Ada tools.
– Syntax: start with --#, e.g.
∗ --# global in out MyGlobalVariable;
Data Flow Analysis – Parameters
• In Ada all parameters have to be labeled as
– input parameters; symbol: in,
– output parameters; symbol: out,
– input/output parameters; symbol: in out.
• Example:
    procedure ABC(A : in Float; B : out Integer; C : in out Colour);
Data Flow Analysis – Parameters (Cont.)
• The examiner verifies that
– input parameters are
∗ not modified,
∗ but used at least once,
– output parameters are
∗ not read before being initialized,
∗ initialized,
– input/output parameters are
∗ read,
∗ and modified.
Data Flow Analysis – Global Variables
• Global variables must be given status as input or output or input/output variables by annotations.
– Syntax examples:
∗ --# global in A;
∗ --# global out B;
∗ --# global in out C;
• Data flow analysis carries out the same analysis as for parameters.
Data Flow Analysis – Functions
• Functions can have only input parameters (no keyword required).
• Functions have only read access to global parameters. Therefore the syntax for global parameters is simply --# global A; or --# global A, B, C;
• Neither parameters nor global variables can be changed. Therefore functions don’t have side effects.
Data Flow Analysis – Packages
• Package variables = variables global to a package.
• Package variables must be declared by annotations. Syntax example: --# own X, Y;
• If a variable is initialized it has to be declared; whether it is initialized will be verified. Syntax example: --# initializes X;
– However, even an uninitialized package variable is allowed to be used by a procedure.
Data Flow Analysis – Packages (Cont.)
• If a package is used it has to be declared. Syntax example: --# inherit Mypackage;
Example (Data Flow Analysis)
• Consider the following wrong program, which should exchange X and Y:
    procedure Exchange(X, Y : in out Float) is
       T : Float;
    begin
       T := X; X := Y; Y := X;
    end Exchange;
• Mistake: the body should be: T := X; X := Y; Y := T;
Example (Data Flow Analysis; Cont.)
• Data flow analysis results in 3 error messages:
– T := X is an ineffective statement.
– Import of initial value of X is ineffective.
– T is neither referenced nor used.
Example 2 (Data Flow Analysis)
• Here is another wrong program, which should exchange X and Y:
    procedure Exchange(X, Y : in out Float) is
    begin
       X := Y; Y := X;
    end Exchange;
• Data flow analysis results in the error message:
– Importation of initial value of X is ineffective.
Information Flow Analysis
• Additional annotations on how variables depend on each other. Syntax examples:
    --# derives X from Y;
or
    --# derives X from Y &
    --#         Y from X;
or, if nothing is used,
    --# derives X from ;
• Information flow analysis verifies that these dependencies are fulfilled.
Example (Information Flow Analysis)
• Consider the following wrong program, which should exchange X and Y and count the number of exchanges in Z:
    procedure ExchangeAndCount(X, Y, Z : in out Integer)
    --# derives X from Y &
    --#         Y from X &
    --#         Z from Z;
    is
       T : Integer;
    begin
       T := X; X := Y; Y := T; Z := Z + T;
    end ExchangeAndCount;
• The error is that Z := Z + T; should be replaced by Z := Z + 1;
Example (Information Flow Analysis; Cont.)
• Data flow analysis succeeds without problems.
• Information flow analysis gives a warning, since Z depends on Z and X.
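The data-flow and information-flow checks of the last few slides, as an added Python example (not part of the lecture notes and not the SPARK Examiner's code). It tracks, for every variable, which assignments and which imported initial values contribute to its current value; an assignment or import that reaches no exported value is ineffective, and the set of imports reaching each export is the computed derives relation, which is then compared with the declared annotation. The Procedure layout and the message wording are this example's own assumptions; only straight-line bodies of assignments to parameters and locals are handled (no globals, branches or loops), and the three procedures at the end are constructed from the Exchange examples above.

```python
"""Toy data-flow and information-flow checker after the SPARK Examiner.

Added example: not the lecture's code and not the Examiner's own. Only
straight-line bodies of assignments to parameters and locals are handled;
the Procedure layout and the message wording are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

IDENT = re.compile(r"[A-Za-z_]\w*")


@dataclass
class Procedure:
    name: str
    params: dict                      # parameter name -> "in" | "out" | "in out"
    locals: set                       # local variable names
    body: list                        # statements written as "Target := Expr"
    derives: dict = field(default_factory=dict)   # declared: export -> set of imports

    def imports(self):
        return {p for p, m in self.params.items() if m in ("in", "in out")}

    def exports(self):
        return {p for p, m in self.params.items() if m in ("out", "in out")}


def parse_assignment(stmt):
    """'Z := Z + T' -> ('Z', {'Z', 'T'}); numeric literals are not identifiers."""
    target, rhs = (s.strip() for s in stmt.split(":="))
    return target, set(IDENT.findall(rhs))


def flow_analysis(proc):
    """Data-flow messages plus the computed 'derives' relation of proc."""
    messages = []
    # origin[v]: what contributes to v's current value, either an assignment
    # index or "import:X" for the initial value of an imported parameter.
    origin = {p: {f"import:{p}"} for p in proc.imports()}
    read = set()
    for i, stmt in enumerate(proc.body):
        target, sources = parse_assignment(stmt)
        contributors = {i}
        for s in sorted(sources):
            read.add(s)
            if s not in origin:
                messages.append(f"{s} may be used before being initialized")
            contributors |= origin.get(s, set())
        origin[target] = contributors
    effective = set()                 # everything that reaches some export
    for e in sorted(proc.exports()):
        if e not in origin:
            messages.append(f"out parameter {e} is not initialized")
        effective |= origin.get(e, set())
    for i, stmt in enumerate(proc.body):
        if i not in effective:
            messages.append(f"{stmt} is an ineffective statement")
    for p in sorted(proc.imports()):
        if f"import:{p}" not in effective:
            messages.append(f"import of initial value of {p} is ineffective")
    for p in sorted(proc.params):
        if proc.params[p] == "in out" and origin.get(p) == {f"import:{p}"}:
            messages.append(f"in out parameter {p} is never modified")
    for v in sorted(proc.locals):
        if v not in read:
            messages.append(f"{v} is neither referenced nor used")
    derives = {e: {c.split(":")[1] for c in origin.get(e, set()) if isinstance(c, str)}
               for e in proc.exports()}
    return messages, derives


def information_flow_check(proc, derives):
    """Compare the computed relation with the declared --# derives annotation."""
    messages = []
    for e in sorted(proc.exports()):
        declared, actual = proc.derives.get(e, set()), derives.get(e, set())
        for extra in sorted(actual - declared):
            messages.append(f"{e} depends on {extra}, but that is not declared")
        for missing in sorted(declared - actual):
            messages.append(f"{e} is declared to depend on {missing}, but does not")
    return messages


# Constructed inputs: the two wrong Exchange bodies and ExchangeAndCount
# (with its Z := Z + T mistake) from the lecture examples.
WRONG_EXCHANGE_1 = Procedure("Exchange", {"X": "in out", "Y": "in out"}, {"T"},
                             ["T := X", "X := Y", "Y := X"])
WRONG_EXCHANGE_2 = Procedure("Exchange", {"X": "in out", "Y": "in out"}, set(),
                             ["X := Y", "Y := X"])
EXCHANGE_AND_COUNT = Procedure(
    "ExchangeAndCount", {"X": "in out", "Y": "in out", "Z": "in out"}, {"T"},
    ["T := X", "X := Y", "Y := T", "Z := Z + T"],
    derives={"X": {"Y"}, "Y": {"X"}, "Z": {"Z"}})

if __name__ == "__main__":
    for proc in (WRONG_EXCHANGE_1, WRONG_EXCHANGE_2, EXCHANGE_AND_COUNT):
        messages, derives = flow_analysis(proc)
        print(proc.name, "data flow:", messages or "ok")
        if proc.derives:
            print(proc.name, "information flow:", information_flow_check(proc, derives) or "ok")
```

Running it, the first wrong Exchange produces exactly the three messages listed above (ineffective T := X, ineffective import of X, T never referenced), the second only the ineffective import of X, and ExchangeAndCount passes data-flow analysis while the computed relation shows Z depending on X as well as Z, which is the information-flow warning the slide reports.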
Proof Conditions – Procedures without Loops
• For procedures without loops, two kinds of annotations are relevant:
– Pre-conditions, e.g.: --# pre M >= 0 and M > 0;
– Post-conditions, e.g.: --# post M = M~ + 1;
• Then the examiner generates formulas which express:
– If the pre-conditions hold, and the procedure is executed, afterwards the post-condition holds.
• If there are no pre-conditions, then the formula expresses that the post-condition holds always.
Proof Conditions – Procedures without Loops (Cont.)
• In the post-conditions,
– X~ stands for the value of X before executing the procedure,
– X stands for the value after executing it,
– e.g. X = X~ + 1; expresses: The value of X after executing the procedure is the value of X before executing it + 1.
• Formulas are built using:
– Boolean connectives and, or, not, xor, ->,
– quantifiers for all, for some.
Example (Proof Conditions)
• Assume the following wrong program:
    procedure Exchange(X, Y : in out Float)
    --# derives X from X &
    --#         Y from Y;
    --# pre  X >= 0.0;
    --# post X = Y~ and Y = X~;
    is
       T : Float;
    begin
       T := X; X := T; T := Y; Y := T;
    end Exchange;
• The postcondition is not fulfilled in general.
Example (Proof Conditions, Cont.)
• The examiner generates the formula:
    H1: x >= 0.0.
    H2: true.
    H3: true.
    ->
    C1: x = y.
    C2: y = x.
which is not provable.
• (The data and information flow check is so good, that it is difficult to find simple but wrong programs, which pass it.)
Example 2 (Proof Conditions)
• Assume the correct program:
    procedure Exchange(X, Y : in out Float)
    --# derives X from Y &
    --#         Y from X;
    --# post X = Y~ and Y = X~;
    is
       T : Float;
    begin
       T := X; X := Y; Y := T;
    end Exchange;
Example 2 (Proof Conditions; Cont.)
• The examiner generates the formula:
    H1: true.
    H2: true.
    H3: true.
    ->
    C1: x = x.
    C2: y = y.
• The simplifier shows that this is provable.
Proof Conditions – Check Conditions
• One can insert a check condition between the statements of a procedure. E.g., in the previous example, insert between T := X and X := Y: --# check T > 0.0;
• Now the formulas express:
– From the pre-condition follows at that position the check-condition.
– From the pre-condition and the check-condition at that position follows the post-condition.
– Check conditions serve therefore as intermediate proof-goals.
Proof Conditions – Return Conditions
• If one has functions, one can either state the result of the function, e.g. --# return X + 1; expresses: the result is X + 1. Or one can associate with the result a variable and a condition, e.g. one can write --# return X => X > Y; if Y is a parameter or a global parameter. The example expresses: the returned value is > Y.
Proof Conditions – Procedures with Loops
• If one has a loop, a loop invariant is required. The syntax is for instance: --# assert X + Y = X~ + Y~;
• If one has one precondition, one loop and one postcondition, the examiner generates proof conditions expressing:
– From the pre-condition follows, when first entering the loop, the condition of assert.
– From assert follows, if the exit conditions are false, the condition of assert after one step.
– From assert follows, if one exit condition is true, the postcondition.
Example (Proof Conditions with Loop)
    procedure test(X, Y : in out Float)
    --# derives X from X &
    --#         Y from X, Y;
    --# pre  X > 0.0;
    --# post X + Y = X~ + Y~ and X
Generated Proof Conditions
The examiner generates in the last example the following proof conditions:
•   H1: x > 0.
    H2: true.
    H3: true.
    ->
    C1: x + y = x + y.
•   H1: x + y = x~ + y~.
    H2: not (x - 1
    C1: x - 1 + (y + 1) = x~ + y~.
Generated Proof Conditions (Cont.)
•   H1: x + y = x~ + y~.
    H2: x - 1
    C1: x - 1 + (y + 1) = x~ + y~.
    C2: x - 1
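The generation of proof conditions described on the preceding slides (pre/post-conditions, check conditions and loop invariants), as an added Python example that is not part of the lecture notes and not the Examiner's or SPADE's code. It symbolically executes a procedure body over linear arithmetic, emits one condition (hypotheses -> goals) per path between cut points (pre-condition, --# check, --# assert at a loop head, post-condition), and a small equality-rewriting step in the role of the simplifier discharges the goals that are trivially true or repeat a hypothesis; whatever is left would go to the interactive proof checker. The wrong and checked Exchange procedures and the COUNT_DOWN loop are constructed inputs modelled on the slides (the lecture's own loop example is cut off above, so the exit condition X > 0.0 used here is an assumption); the dictionary layout, the ("check", ...) and ("loop", ...) items and the unproven helper are this example's own conventions.

```python
# Toy verification-condition generator for SPARK-style annotations (added
# example, not the Examiner's or SPADE's code). Linear arithmetic only.
import re
from fractions import Fraction

ONE = Fraction(1)
TOKEN = re.compile(r"[A-Za-z_]\w*~?|\d+(?:\.\d+)?|[-+]")
NEGATE = {"=": "/=", "/=": "=", ">": "<=", ">=": "<", "<": ">=", "<=": ">"}
HOLDS = {"=": lambda c: c == 0, "/=": lambda c: c != 0, ">": lambda c: c > 0,
         ">=": lambda c: c >= 0, "<": lambda c: c < 0, "<=": lambda c: c <= 0}

def add(a, b, k=ONE):
    """a + k*b on linear forms {var: coeff}; key '' is the constant term."""
    out = dict(a)
    for v, c in b.items():
        out[v] = out.get(v, 0) + k * c
    return {v: c for v, c in out.items() if c != 0}

def linear(expr):
    """'X - 2*Y~ + 1' -> {'X': 1, 'Y~': -2, '': 1}. Parentheses are ignored."""
    form, sign, coeff = {}, ONE, None
    for tok in TOKEN.findall(expr) + ["+"]:           # sentinel flushes a trailing constant
        if tok in ("+", "-"):
            form = add(form, {"": sign * coeff}) if coeff is not None else form
            sign, coeff = (ONE if tok == "+" else -ONE), None
        elif tok[0].isdigit():
            coeff = Fraction(tok)
        else:                                           # variable, possibly with ~
            form, coeff = add(form, {tok: sign * (ONE if coeff is None else coeff)}), None
    return form

def substitute(form, state):
    """Rewrite each variable by its symbolic value; unknown names stand for themselves."""
    out = {"": form[""]} if form.get("") else {}
    for v, c in form.items():
        if v:
            out = add(out, state.get(v, {v.lower(): ONE}), c)
    return out

def atoms(condition):
    """'X = Y~ and Y > 0' -> [(X - Y~, '='), (Y, '>')], each meaning form rel 0."""
    result = []
    for atom in condition.split(" and "):
        if atom.strip() != "true":
            lhs, rel, rhs = re.match(r"(.*?)(>=|<=|/=|=|>|<)(.*)", atom).groups()
            result.append((add(linear(lhs), linear(rhs), -ONE), rel))
    return result

def fresh(params, at_entry):
    """Symbolic state: X -> x; X~ -> x at procedure entry, x~ at a loop head."""
    state = {p: {p.lower(): ONE} for p in params}
    state.update({p + "~": {p.lower() + ("" if at_entry else "~"): ONE} for p in params})
    return state

def under(cond, state):                                 # condition evaluated in a state
    return [(substitute(f, state), r) for f, r in atoms(cond)]

def walk(items, state, hyps, vcs, params):
    """Symbolic execution; one VC (hyps -> goals) per cut point (check / assert)."""
    for item in items:
        if isinstance(item, str):                       # assignment "X := X - 1.0"
            target, expr = (s.strip() for s in item.split(":="))
            state = {**state, target: substitute(linear(expr), state)}
        elif item[0] == "check":                        # ("check", C)
            vcs.append((hyps, under(item[1], state)))
            hyps = hyps + under(item[1], state)         # a proven check becomes a hypothesis
        else:                                           # ("loop", cond, invariant, body)
            _, cond, inv, body = item
            vcs.append((hyps, under(inv, state)))      # pre-condition -> assert on entry
            head = fresh(params, at_entry=False)        # loop-head values are arbitrary
            (guard,) = under(cond, head)
            end_state, end_hyps = walk(body, head, under(inv, head) + [guard], vcs, params)
            vcs.append((end_hyps, under(inv, end_state)))   # assert and cond -> assert after one step
            state, hyps = head, under(inv, head) + [(guard[0], NEGATE[guard[1]])]
    return state, hyps

def verification_conditions(proc):
    vcs, state = [], fresh(proc["params"], at_entry=True)
    state, hyps = walk(proc["body"], state, under(proc["pre"], state), vcs, proc["params"])
    vcs.append((hyps, under(proc["post"], state)))     # last cut point -> post-condition
    return vcs

def reduce_by(form, eqs):
    """Eliminate each pivot variable using its (triangular) equality hypothesis."""
    for pivot, eq in eqs:
        if pivot in form:
            form = add(form, eq, -form[pivot] / eq[pivot])
    return form

def simplify(vc):
    """Stand-in for the SPADE simplifier: a goal is discharged if, after rewriting with
    the equality hypotheses, it is a true constant relation or repeats a hypothesis."""
    hyps, goals = vc
    eqs = []
    for form, rel in hyps:
        form = reduce_by(form, eqs)
        if rel == "=" and any(v for v in form):
            eqs.append((min(v for v in form if v), form))
    known = [(reduce_by(f, eqs), r) for f, r in hyps]
    left = []
    for form, rel in goals:
        r = reduce_by(form, eqs)
        if not ((all(not v for v in r) and HOLDS[rel](r.get("", 0))) or (r, rel) in known):
            left.append((form, rel))
    return left                                         # goals left for the proof checker

def unproven(proc):
    return [len(simplify(vc)) for vc in verification_conditions(proc)]

# Constructed inputs modelled on the lecture's Exchange examples.
WRONG_EXCHANGE = {"params": ["X", "Y"], "pre": "X >= 0.0",
                  "body": ["T := X", "X := T", "T := Y", "Y := T"],
                  "post": "X = Y~ and Y = X~"}                  # leaves x = y, y = x
CHECKED_EXCHANGE = {"params": ["X", "Y"], "pre": "X > 0.0",
                    "body": ["T := X", ("check", "T > 0.0"), "X := Y", "Y := T"],
                    "post": "X = Y~ and Y = X~"}
COUNT_DOWN = {"params": ["X", "Y"], "pre": "X > 0.0",          # loop with --# assert invariant
              "body": [("loop", "X > 0.0", "X + Y = X~ + Y~", ["X := X - 1.0", "Y := Y + 1.0"])],
              "post": "X + Y = X~ + Y~ and X <= 0.0"}
```

unproven(WRONG_EXCHANGE) reports two undischarged goals in its single condition (x = y and y = x, as on the slide); CHECKED_EXCHANGE yields two conditions (pre-condition -> check, pre-condition and check -> post-condition) that are both discharged; COUNT_DOWN yields the three loop conditions of the last slides (entry, one iteration, exit), all discharged once the invariant is used to rewrite the goals.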
Other Annotations
• The main program is declared by: --# main_program;
• Parts which shouldn’t be examined can be declared by: --# hide;
– Allows especially direct interaction with non-critical and therefore non-verified Ada programs.
– Allows as well to integrate not yet implemented code.