open-DO » Yannick Moy

Embedded Contract Languages by Microsoft Research

Yannick Moy — Wed, 09 Jun 2010 07:45:19 +0000

People from the group developing Spec# at Microsoft Research finally published an article on their new Code Contracts approach.

Chosen excerpts: “embedding of contracts as code is a better approach”; “The language of conditions is just the language of expressions in the programming language used”; “ForAll and Exists that work over integer ranges and collections”; “Any methods called from within contract expressions should be pure methods”; “Runtime contract checking is particularly effective in conjunction with automated testing”; “generating good documentation from the embedded contracts is a key scenario”.

And the conclusion: “Since contract expressions are compiled by the existing compiler, the typical problem of having the specications and the code drift apart due to edits, refactoring, etc., is avoided.”

All of this supports the vision of project Hi-Lite, and provides valuable experience reports which should inspire us in Hi-Lite.

ERTS² conference week

Yannick Moy — Mon, 24 May 2010 14:18:39 +0000

I spent a very interesting week in Toulouse last week. It started with a day of conference in which INRIA research labs showed a host of products and advanced research applicable to the domains of modeling and safety. There was in particular demos of Astrée (static analyzer for C, now sold by AbsInt Gmbh), Frama-C (framework for analyses on C, partner in Hi-Lite) and Alt-Ergo (prover SMT, partner in Hi-Lite).

It continued with the conference ERTS² during 3 days, which gathered many French and European providers and customers of embedded solutions. I’d like to highlight 3 presentations:

the Formal Methods Subgroup of the upcoming DO-178C standard presented how formal methods may be used in a certification context
PolySpace and automotive stakeholders presented the use of static analysis tools to ensure levels of quality from subcontractors
the initiative “Certification Together” presented the goals of their initiative to share the cost of certification

A “Lighter” Introduction to Hi-Lite

Yannick Moy — Mon, 10 May 2010 10:50:39 +0000

The recently launched project Hi-Lite is based on powerful industrial tools that have been developed by the different partners for the last 10 to 25 years. This means in particular that it is not obvious to grasp the “vision” of Hi-Lite without knowing how all these tools work. To share this vision as broadly as possible, we have come up with a “light” (one may even say humorous) introduction to Hi-Lite in which we describe the application of the various tools and techniques that are part of Hi-Lite to a very simple program.

David Crocker’s Verification Blog

Yannick Moy — Fri, 07 May 2010 23:08:30 +0000

In case you missed the very interesting blog that David Crocker of Escher Technologies is writing since January of this year, I have put a link to it in the Blogroll that you find on the right of the Open-DO main page. David’s ArC system reads C code together with annotations written in special macros in order to formally prove properties of C code. Many similarities with Frama-C, yet a different interesting point of view. Plus David’s choice of examples and tone makes it a very nice reading.

AdaCore Awarded Grant for Hi-Lite Project

Yannick Moy — Thu, 25 Mar 2010 09:48:18 +0000

Earlier this month, on March 3rd, AdaCore was awarded a grant by the French government and local authorities to develop an innovative set of tools integrated with its GNAT Pro platform. AdaCore is leading a consortium of 2 research institutes (CEA-List, the ProVal team of INRIA) and 4 industrial companies (AdaCore, Altran, Astrium and Thales Communications) in this effort. The project, named Hi-Lite, is starting in mid-2010 and will continue for 3 years.

Hi-Lite’s goal is to promote the use of formal methods in developing high-integrity software. It loosely integrates formal proofs with testing and static analysis, thus allowing developers to combine different techniques around a common expression of properties and constraints.

Hi-Lite is completely based on free software. The project is structured as two different toolchains for Ada and C based on GNAT/GCC compilers (Ada and C), the CodePeer static analyzer (Ada), the SPARK verification toolset (Ada) and the Frama-C platform (C).

Formal Methods Week 2009

Yannick Moy — Mon, 30 Nov 2009 14:39:03 +0000

Last month I attended part of the Formal Methods Week 2009 in Eindhoven. Each year the FMWeek brings the world of formal verification together, with an emphasis on academic and industrial partnerships.

Although I am familiar with the field, I was still impressed by what is currently possible with tools based on formal methods. Although it will never be 100% automated, you can already get very strong guarantees on industrial products with high levels of automation.

Two examples show it better:

Airbus presented their use of formal verification tools for DO-178B software. Five of the six tools that were presented are in use within operational units. This presentation echoed, 10 years later, the presentation they gave at FM 1999 about their first trial with formal verification. With a decade of experience in industrial use of such tools, they have defined 5 “must-have” criteria: soundness, applicability to the code, usability by “normal” engineers on “normal” computers, improve on classical methods, certifiability. Very important lessons indeed.

André Platzer from CMU presented his work on formal verification of flight collision avoidance maneuvers which won the best paper award. This is quite a leap in coverage of formal methods: verifying nonlinear properties involving curves, differential equations etc. with almost complete automation.

Just to give you a flavor of it: