Proof-by-Instance for Embedded Network Design From Prototype to Tool Roadmap. Marc Boyer, Loïc Fejoz. 1, Stephan Merz 3

Transcription

1 Proof-by-Instance for Embedded Network Design From Prototype to Tool Roadmap 2 Marc Boyer, Loïc Fejoz 1 1, Stephan Merz 3 RealTime at Work, Nancy, France 2 ONERA The French aerospace Lab, 3 Inria & LORIA, Nancy, France Congress on Embedded Real-Time Software and Systems (ERTSs 20014) 1/19 Boyer, Fejoz, Merz Proof-by-Instance

2 Outline Certicate-based condence / Proof by instance Encoding in Isabelle Generating and checking traces From Prototype to Tool Roadmap Conclusion 2/19 Boyer, Fejoz, Merz Proof-by-Instance

3 Software qualication/certication Process based quality: Per domain standards: DO 178, ECSS-Q-ST specication, tests, documentation generation/transformation tools verication tools high cost Proof by instance / certicate-based condence product based quality provides arguments to verify computation for o-line computations 3/19 Boyer, Fejoz, Merz Proof-by-Instance

4 Proof by instance Idea: for each run, provide a proof of correctness Benets: requires some automatic proof environment (Isabelle, Coq) requires modelling of the context ( specication) proof/certicate generation while computing result transfers condence from tool to proof environment Checking a solution is simpler than proving full correctness of a program Computing software is used as a black box: Open choice of the programming environment Software can evolve without re-qualication Not exactly a verication tool: based on formal proof checker (verier) help the verication tool to makes the proof 4/19 Boyer, Fejoz, Merz Proof-by-Instance

5 The full picture Research Books Network Calculus Theory Articles Current process Network Topology (flows and servers) Tool Specification Network Calculus Tool Bounds (delay and memory) Network Calculus in Isabelle Computation traces Contribution Isabelle/HOL Tool OK/KO 5/19 Boyer, Fejoz, Merz Proof-by-Instance

6 Outline Certicate-based condence / Proof by instance Encoding in Isabelle Generating and checking traces From Prototype to Tool Roadmap Conclusion 6/19 Boyer, Fejoz, Merz Proof-by-Instance

7 Encoding Objects R S R R b(t) v(r,r ) d(t) R R(t) : amount of data send up to time t h(r,r ) Flow R : R R +, x 0 = R(x) = 0, x < y = R(x) R(y) typedef ndf = { f :: ereal ereal. ( r 0. f r = 0) mono f } Server, input/output relation such that R S R = R R t typedef server = { s :: (ndf ndf ) set. ( in. out. (in, out) s) ( (in, out) s. out in) } 7/19 Boyer, Fejoz, Merz Proof-by-Instance

8 Encoding contracts Real behaviour (R, R ) unknown at design = use of contracts Consider (min, +) convolution (f g)(t) = inf {f (t s) + g(s)} 0 s t Trac contract: arrival curve R α def R R α (1) Service contract: service curve ( ) S β def R S R = R R β (2) 8/19 Boyer, Fejoz, Merz Proof-by-Instance

9 Encoding results Network calculus theorem: if a ow R with arrival curve α goes through a server S of service curve β, its delay is not greater than h(α, β). theorem d-h-bound: assumes in α and S β shows worst-delay-server in S h-dev α β 9/19 Boyer, Fejoz, Merz Proof-by-Instance

10 Outline Certicate-based condence / Proof by instance Encoding in Isabelle Generating and checking traces From Prototype to Tool Roadmap Conclusion 10/19 Boyer, Fejoz, Merz Proof-by-Instance

11 Computing and checking Initial set of hypotheses Successive application of theorems: choose an adequate theorem instantiate variables check hypotheses compute operations (sums, convolutions...) generate new facts 11/19 Boyer, Fejoz, Merz Proof-by-Instance

12 Computing and checking Initial set of hypotheses Successive application of theorems: chose an adequate consider one theorem instantiate variables check hypotheses compute check operations (sums, convolutions...) generate store new facts 12/19 Boyer, Fejoz, Merz Proof-by-Instance

13 Running prototype Generates bounds and proofs Able to handle a realistic industrial network: 8 switches 5000 ows Experiment results: Bound accuracy: 2 times greater (i.e. worse) than state-of-the-art RTaW-PEGASE tool Computation time: computing and generating traces: a few minutes check traces: 8 hours Development eort: 1 for 7KLoc of Java 4 3 for 3KLoc of Isabelle theories 4 overhead 2x-3x for formal condence 13/19 Boyer, Fejoz, Merz Proof-by-Instance

14 Outline Certicate-based condence / Proof by instance Encoding in Isabelle Generating and checking traces From Prototype to Tool Roadmap Conclusion 14/19 Boyer, Fejoz, Merz Proof-by-Instance

15 Extend Isabelle theories More theorems statements into Isabelle: more accurate bounds handle more scheduling policies With or without proofs: Without: condence comes from paper-pencil published proofs still prove that tool respects specication With: increase condence contribution to Isabelle theories 15/19 Boyer, Fejoz, Merz Proof-by-Instance

16 Classes of functions Network calculus handles functions How to represent a function? How to compute operations on functions (sum, convolutions)? Simpler to check result than prove algorithm correctness 16/19 Boyer, Fejoz, Merz Proof-by-Instance

17 Intermediate proof format Network Calculus Tool Computation traces (NC proof format) Converter Converter Human readable proof (LaTeX?) Computation proof (Isabelle) Isabelle/HOL Tool Expert Current tool directly generates Isabelle proofs Plan to dene intermediate format: independence wrt the checker engine more compact, more ecient generate human-readable proofs (certication authorities) 17/19 Boyer, Fejoz, Merz Proof-by-Instance

18 Outline Certicate-based condence / Proof by instance Encoding in Isabelle Generating and checking traces From Prototype to Tool Roadmap Conclusion 18/19 Boyer, Fejoz, Merz Proof-by-Instance

19 Conclusion Proof by instance a way to avoid long, costly and boring development process decouple computation and certication well suited for tools based on formal methods Implementation Prototype developed Proof-of-concept validated Road-map for industrial tool Integration into RTaW-PEGASE 19/19 Boyer, Fejoz, Merz Proof-by-Instance