Are We There Yet? 20 Years of Industrial Theorem Proving with SPARK

Chapman, Roderick; Schanda, Florian

doi:10.1007/978-3-319-08970-6_2

Cited by 31 publications

(25 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This version adds new features for specifying the behavior of programs, such as subprogram contracts and type invariants. SPARK is a subset of Ada targeting formal verification [11,21]. Its restrictions ensure that the behavior of a SPARK program is unambiguously defined.…”

Section: Strategy For Isolating Bit-level Reasoningmentioning

confidence: 99%

Specification and Proof of High-Level Functional Properties of Bit-Level Programs

Fumex

Dross

Gerlach

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In a computer program, basic functionalities may be implemented using bit-wise operations. To formally specify the expected behavior of such a lowlevel program, it is desirable that the specification should be at a more abstract level. Formally proving that low-level code conforms to a higher-level specification is challenging, because of the gap between the different levels of abstraction. We address this challenge by designing a rich formal theory of fixed-sized bit vectors, which on the one hand allows a user to write abstract specifications close to the human-or mathematical-level of thinking, while on the other hand permits a close connection to decision procedures and tools for bit vectors, as they exist in the context of the Satisfiability Modulo Theory framework. This approach is implemented in the Why3 environment for deductive program verification, and also in its front-end environment SPARK for the development of safety-critical Ada programs. We report on several case studies used to validate our approach.

show abstract

Section: Strategy For Isolating Bit-level Reasoningmentioning

confidence: 99%

Specification and Proof of High-Level Functional Properties of Bit-Level Programs

Fumex

Dross

Gerlach

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This paper presents an approach that we designed in the context of the SPARK verifier for industrial development of safety-critical Ada code [7,12]. The goal is to provide simplified interactions between the user and the failing VC, so as to investigate a proof task without the need to rely on an external interactive prover.…”

Section: Introductionmentioning

confidence: 99%

Lightweight Interactive Proving inside an Automatic Program Verifier

Dailler

Marché

Moy

2018

Electron. Proc. Theor. Comput. Sci.

View full text Add to dashboard Cite

Among formal methods, the deductive verification approach allows establishing the strongest possible formal guarantees on critical software. The downside is the cost in terms of human effort required to design adequate formal specifications and to successfully discharge the required proof obligations. To popularize deductive verification in an industrial software development environment, it is essential to provide means to progressively transition from simple and automated approaches to deductive verification. The SPARK environment, for development of critical software written in Ada, goes towards this goal by providing automated tools for formally proving that some code fulfills the requirements expressed in Ada contracts.In a program verifier that makes use of automatic provers to discharge the proof obligations, a need for some additional user interaction with proof tasks shows up: either to help analyzing the reason of a proof failure or, ultimately, to discharge the verification conditions that are out-of-reach of state-of-the-art automatic provers. Adding interactive proof features in SPARK appears to be complicated by the fact that the proof toolchain makes use of the independent, intermediate verification tool Why3, which is generic enough to accept multiple front-ends for different input languages. This paper reports on our approach to extend Why3 with interactive proof features and also with a generic client-server infrastructure allowing integration of proof interaction into an external, front-end graphical user interface such as the one of SPARK. * Work partly supported by the Joint Laboratory ProofInUse (ANR-13-LAB3-0007, https://www.adacore.com/ proofinuse) of the French national research organization

show abstract

“…The SPARK language is a subset of Ada dedicated to real-time embedded software that requires a high level of safety, security, and reliability. It has been applied for many years in on-board aircraft systems, control systems, cryptographic systems, and rail systems [9]. Ada 2012 is the latest version of the Ada language [1], adding new features for specifying the behavior of programs, such as subprogram contracts and type invariants.…”

Section: Introductionmentioning

confidence: 99%

Static versus Dynamic Verification in Why3, Frama-C and SPARK 2014

Kosmatov¹,

Marché²,

Moy³

et al. 2016

Leveraging Applications of Formal Methods, Verification and Validation: Foundational Techniques

View full text Add to dashboard Cite

Why3 is an environment for static verification, generic in the sense that it is used as an intermediate tool by different front-ends for the verification of Java, C or Ada programs. Yet, the choices made when designing the specification languages provided by those front-ends differ significantly, in particular with respect to the executability of specifications. We review these differences and the issues that result from these choices. We emphasize the specific feature of ghost code which turns out to be extremely useful for both static and dynamic verification. We also present techniques, combining static and dynamic features, that help users understand why static verification fails.Work partly supported by the Joint Laboratory ProofInUse (ANR-13-LAB3-0007, http:// www.spark-2014.org/proofinuse) of the French national research organization

show abstract

Are We There Yet? 20 Years of Industrial Theorem Proving with SPARK

Cited by 31 publications

References 10 publications

Specification and Proof of High-Level Functional Properties of Bit-Level Programs

Specification and Proof of High-Level Functional Properties of Bit-Level Programs

Lightweight Interactive Proving inside an Automatic Program Verifier

Static versus Dynamic Verification in Why3, Frama-C and SPARK 2014

Contact Info

Product

Resources

About