by Yannick Moy – Mar 02, 2014

GNATprove Tips and Tricks: How to Write Loop Invariants

Having already presented in previous posts why loop invariants are necessary for formal verification of programs with loops, and what loop invariants are necessary for various loops, we detail here a methodology for how users can come up with the right loop invariants for their loops. This methodology in four steps allows users to progressively add the necessary information in their loop invariants, with the tool GNATprove providing the required feedback at each step on whether the information provided is sufficient or not.

#Formal Verification #SPARK

by Yannick Moy – Jan 21, 2014

Case Study for System to Software Integrity Includes SPARK 2014

My colleague Matteo Bordin will present at the upcoming Embedded Real Time Software and Systems conference in Toulouse in February a case study showing how formal verification with SPARK can be included in a larger process to show preservation of properties from the system level down to the software level. The case study is based on the Nose Gear challenge from the Workshop on Theorem Proving in Certification.

#Formal Verification #Certification #SPARK

by Claire Dross – Jan 17, 2014

SPARK 2014 Rationale: Verifying Properties over Formal Containers

We saw in a previous post how we could express complex properties over formal containers using quantified expressions. In this post, I present how these properties can be verified by the proof tool called GNATprove.

#Language #Formal Verification #SPARK

by Yannick Moy – Dec 19, 2013

Muen Separation Kernel Written in SPARK

The University of Applied Sciences Rapperswil in Switzerland has released last week an open-source separation kernel written in SPARK, which has been proved free from run-time errors. This project is part of the secure multilevel workstation project by Secunet, a German security company, which is using SPARK and Isabelle to create the next generation of secure workstations providing different levels of security to government employees and military personnel. I present why I think this project is worth following closely.

#Language #Formal Verification #SPARK

by Claire Dross – Dec 13, 2013

SPARK 2014 Rationale: Expressing Properties over Formal Containers

We saw in a previous post how formal containers can be used in SPARK code. In this post, I describe how to express properties over the content of these containers, using quantified expressions.

#Language #Formal Verification #SPARK

by Yannick Moy – Dec 05, 2013

Rail, Space, Security: Three Case Studies for SPARK 2014

We will present three case studies using SPARK 2014 at the upcoming Embedded Real Time Software and Systems conference in Toulouse in February 2014, in three different domains: rail, space and security. The lessons learned in those three case studies are particularly interesting. Here is the companion paper that we wrote.

#Language #Formal Verification #SPARK

by Claire Dross – Nov 29, 2013

SPARK 2014 Rationale: Formal Containers

SPARK 2014 excludes data structures based on pointers. Instead, one can use the library of formal containers. They are variant of the Ada 2012 bounded containers, specifically designed and annotated to facilitate the proof of programs using them.

#Language #Formal Verification #SPARK

by Yannick Moy – Nov 20, 2013

GNATprove Tips and Tricks: Referring to Input in Contracts

In a previous post about pre-call values, I described how the Ada language rules implemented in the compiler prevent surprises when referring to input values in the postcondition, using the Old attribute. Unfortunately, these rules also make it difficult to express some complex postconditions that may be useful when doing formal verification. In this post, I describe how contract cases allow the expression of these complex contracts, while still detecting potential problems with uses of the Old attribute.

#Language #Formal Verification #SPARK

by Yannick Moy – Nov 13, 2013

SPARK 2014 Rationale: Global State

Global variables are a common source of programming errors: they may fail to be initialized properly, they can be modified in unexpected ways, sequences of modifications may be illegal, etc. SPARK 2014 provides a way to define abstractly the global state of a unit, so that it can be referred to in subprogram specifications. The associated toolset checks correct access to global variables in the implementation.

#Language #Formal Verification #SPARK

by Yannick Moy – Oct 20, 2013

SPARK 2014 Rationale: Mixing SPARK and Ada Code

The first step before any formal verification work with SPARK is to delimitate the part of the code that will be subject to formal verification within the overall Ada application. This post presents the solution we've come up with for SPARK 2014.

#Language #Formal Verification #SPARK

by Yannick Moy – Oct 04, 2013

SPARK 2014 Rationale: Loop Variants

Loop variants are the little-known cousins of the loop invariants, used for proving termination of subprograms. Although they may not look very useful at first, they can prove effective as I show with a simple binary search example. And we came up with both an elegant syntax and a slick refinement for loop variants in SPARK 2014, compared to similar constructs in other languages.

#Language #Formal Verification #SPARK

by Yannick Moy – Sep 29, 2013

SPARK 2014 Rationale: Loop Invariants

Formal verification tools like GNATprove rely on two main inputs from programmers: subprogram contracts (preconditions and postconditions) and loop invariants. While the first ones are easy to understand (based on the "contract" analogy, in which a subprogram and its caller have mutual obligations), the second ones are not so simple to grasp. This post presents loop invariants and the choices we made in SPARK 2014.

#Language #Formal Verification #SPARK

by Yannick Moy – Sep 14, 2013

SPARK 2014 Rationale: Pre-call and Pre-loop Values

Subprogram contracts are commonly presented as special assertions: the precondition is an assertion checked at subprogram entry, while the postcondition is an assertion checked at subprogram exit. A subtlety not covered by this simplified presentation is that postconditions are really two-state assertions: they assert properties over values at subprogram exit and values at subprogram entry. A special attribute Old is defined in Ada 2012 to support these special assertions. A special attribute Loop_Entry is defined in SPARK 2014 to support similar special assertions for loops.

#Formal Verification #SPARK

by Yannick Moy – Aug 04, 2013

MISRA-C 2012 vs SPARK 2014, the Subset Matching Game

The MISRA C subset of C defines around 150 rules that restrict C programs for critical software development. Of these, 27 rules are classified as undecidable, which means that few MISRA C checkers (if any) will help checking those hardest rules. Here is how SPARK 2014 can help checking similar rules in Ada programs.

#Formal Verification #SPARK #MISRA-C

by Florian Schanda – Jul 25, 2013Guest Author

SPARK 2014 Flow Analysis

We have nearly finished implementing a central component of the SPARK 2014 analysis tools: the flow analysis engine; so this is a good time to introduce some of the analysis it will carry out.

#Language #SPARK

by Yannick Moy – Jul 15, 2013

SPARK 2014 Rationale: Specification Functions

Specifying a program's behavior is seldom expressible in a satisfiable way without the capability of abstraction provided by function calls. Yet, specification functions must obey specific constraints like absence of side-effects and termination, that have led to different solutions in various specification languages. Here is what we did in SPARK 2014.

#Formal Verification #SPARK

by Yannick Moy – Jul 07, 2013

SPARK 2014 Rationale: Contract Cases

Besides the usual expression of a subprogram contract as a pair of a precondition and a postcondition, SPARK 2014 provides a way to express such a contract by cases. A little history helps understanding how we came up with this new feature.

#Formal Verification #SPARK

by Johannes Kanig – Jul 07, 2013

SPARK 2014 goes to Space!

David Lesens from Astrium was a member of the Hi-Lite project ("was" because the project is finished now, see the previous post), and has tried GNATprove - the formal verification tool for SPARK 2014 - on space vehicle software as an industrial case study of the project. And it turns out GNATprove performed pretty well!

#Formal Verification #SPARK

by Yannick Moy – Jun 02, 2013

Project Hi-Lite Wrap-up

After three years of hard work, we have reached last week the end of project Hi-Lite, whose goal was to simplify the use of formal methods. We're proud to publicize the results obtained, in particular the new version of SPARK and the associated tool GNATprove. Here's a summary of the wrap-up meeting.

#Formal Verification #SPARK

« Previous Page

AdaCore Blog

An Insight Into the AdaCore Ecosystem

GNATprove Tips and Tricks: How to Write Loop Invariants

Case Study for System to Software Integrity Includes SPARK 2014

SPARK 2014 Rationale: Verifying Properties over Formal Containers

Muen Separation Kernel Written in SPARK

SPARK 2014 Rationale: Expressing Properties over Formal Containers

Rail, Space, Security: Three Case Studies for SPARK 2014

SPARK 2014 Rationale: Formal Containers

GNATprove Tips and Tricks: Referring to Input in Contracts

SPARK 2014 Rationale: Global State

SPARK 2014 Rationale: Mixing SPARK and Ada Code

SPARK 2014 Rationale: Loop Variants

SPARK 2014 Rationale: Loop Invariants

SPARK 2014 Rationale: Pre-call and Pre-loop Values

MISRA-C 2012 vs SPARK 2014, the Subset Matching Game

SPARK 2014 Flow Analysis

SPARK 2014 Rationale: Specification Functions

SPARK 2014 Rationale: Contract Cases

SPARK 2014 goes to Space!

Project Hi-Lite Wrap-up