EN100-web

More documents

Recommendations

Info

Research and Innovation Bridging the Gap between testing and formal verification in Ada Development by Claude Marché and Johannes Kanig European Research and Innovation Recent technological advances in formal deductive verification are benefiting industry users of programming language “Ada”. Mathematical proof complements existing test activities whilst reducing costs. The Ada programming language was the winner of a call issued by the US Department of Defence in the late 1970’s, aiming at replacing the various languages that were used in mission-critical embedded software at that time. It was named in honour of Ada Lovelace, who is recognized by the scientific community as the first computer programmer. The first ANSI standard for Ada appeared in 1983. SPARK, a subset of Ada, which has been around for nearly as long as Ada, was originally developed by Praxis (UK) and is currently co-developed by Altran UK and AdaCore (France and USA). Compared to Ada, SPARK imposes restrictions regarding the absence of name aliasing, allowing precise static analyses of data- and information-flow. These restrictions make SPARK well-suited to the development of mission-critical systems. Unlike Ada, SPARK allows developers to attach contracts to procedures. A contract is a set of formal logic formulas expressing either requirements (pre-conditions) or guarantees (post-conditions) of the procedure to which it is attached. SPARK comes with a verification condition generator, allowing the user to statically check that contracts are fulfilled, using computer-assisted mathematical proof techniques. SPARK has been used in several safety-critical systems, covering avionics (jet engines, air-traffic management), rail and space applications [1]. SPARK has also been used in the development of security-critical systems. Representative case studies include the NSA Tokeneer demonstrator (Microsoft Research Verified Software Milestone Award 2011) and the iFACTS system for assisting air-traffic controllers in the UK. The AdaCore company leads the development of the GNAT Ada compiler and the many development tools around it. These tools are distributed under an open-source licence, which means no commitment for customers. Since AdaCore's business model is based on yearly subscriptions, the company must continually improve the technology and offer professional high-quality support. To maximize the potential dissemination of the innovative solutions, AdaCore also provides a free version of the tools suitable for development under the GNU public licence. ERCIM NEWS 100 January 2015
market. This technology has enabled fully automatic discharge of a far greater percentage of verification conditions. Figure 1: The SPARK2014 triptych. Ada2012, the current version of Ada language reference, now incorporates in its core the concept of contracts in the form of regular Ada Boolean expressions rather than formal logic formulas. The primary use of such contracts is for checking their validity during execution, so that their violation can be detected by testing instead of mathematical proof. SPARK2014 is the most recent generation of the SPARK tool suite (Figure 1). It is a full reimplementation of SPARK, developed jointly by Altran UK, AdaCore and the Toccata research team at the Inria-Saclay research centre in Orsay, France. Its main goal is to close the gap between testing and proving contracts: contracts can be checked for validity using computer-assisted proof, and testing can complement proofs when they fail [2] (Figure 2). An additional novelty is the incorporation of state-of-the-art technologies for automated theorem proving, thanks to the use of Toccata's Why3 environment and its ability to call the best SMT solvers in the SPARK2014 will continue to evolve in the near future. A new 3-year project "ProofInUse", funded by the French National Research Agency, started in April 2014. Its aim is to promote the replacement of testing activities by proof methods to the Ada industry community. To this end, a significant effort will be made to even further automate the approach. We also plan to enlarge the subset of Ada covered by the SPARK language, enabling more applications to be developed using SPARK2014’s powerful hybrid approach of test and proof. Among the new features, the SPARK verification condition generator will fully support the IEEE-754 standard for floating-point arithmetic, thanks to the expertise of the Toccata team in this domain [3]. Thus, applications making important use of numerical computations, such as in avionics and space control software, will be able to reach a very high level of assurance in the precision of computations. Links: http://libre.adacore.com/ http://www.spark-2014.org/ References: [1] R. Chapman, F. Schanda: “Are We There Yet? 20 Years of Industrial Theorem Proving with SPARK”, 5th Int. Conf. on Interactive Theorem Proving, 2014. [2] C. Dross et al.: “Rail, Space, Security: Three Case Studies for SPARK2014”, 7th European Congress on Embedded Real Time Software and Systems, 2014. [3] S. Boldo, C. Marché: “Formal verification of numerical programs: from C annotated programs to mechanical proofs”, Mathematics in Computer Science, 2011. Please contact: Claude Marché, Inria, France Tel: +33 172 925 969 E-mail: Claude.Marche@inria.fr Figure 2: Snapshot of the GPS user interface for Ada and SPARK, displaying a program under development. The red line corresponds to a warning issued by the proof tool. ERCIM NEWS 100 January 2015 39
Page 1 and 2: Number 100 January 2015 ERCIM NEWS
Page 3 and 4: 23 RDA: The Importance of Metadata
Page 5 and 6: these unique characteristics, ERCIM
Page 7 and 8: The panelists. From left: Carlo Ghe
Page 9 and 10: ERCIM White Paper Big Data Analytic
Page 11 and 12: emphasis should be placed on the *-
Page 13 and 14: Special theme: Scientific Data Shar
Page 15 and 16: All these people and organisations
Page 17 and 18: with an efficient way to pursue his
Page 19 and 20: Researchers will benefit by working
Page 21 and 22: their products, but rather should i
Page 23 and 24: two years from data creation, shoul
Page 25 and 26: RDA: Brokering with Metadata by Ste
Page 27 and 28: This approach not only allows retri
Page 29 and 30: In this process, we provide the dat
Page 31 and 32: ments, i.e. Virtual Research Enviro
Page 33 and 34: While the user is free to still ret
Page 35 and 36: e-Infrastructure across Photon and
Page 37: How Openness can Change Scientific
Page 41 and 42: electric potential differences in t
Page 43 and 44: European Cyber-Security Research an
Page 45 and 46: SIREN - A Network Infrastructure fo
Page 47 and 48: Figure 1: MYVISITPLANNER itinerary
Page 49 and 50: Optimizing text Quantifiers for Mul
Page 51 and 52: Events At the garbage truck, a noti
Page 53 and 54: and Retinal image processing and an
Page 55 and 56: In Brief Matthias Heyde/ Fraunhofer

EN100-web

Create successful ePaper yourself

Delete template?

Save as template?