People from the group developing Spec# at Microsoft Research finally published an article on their new Code Contracts approach.
Chosen excerpts: “embedding of contracts as code is a better approach”; “The language of conditions is just the language of expressions in the programming language used”; “ForAll and Exists that work over integer ranges and collections”; “Any methods called from within contract expressions should be pure methods”; “Runtime contract checking is particularly effective in conjunction with automated testing”; “generating good documentation from the embedded contracts is a key scenario”.
And the conclusion: “Since contract expressions are compiled by the existing compiler, the typical problem of having the specifications and the code drift apart due to edits, refactoring, etc., is avoided.”
All of this supports the vision of project Hi-Lite, and provides valuable experience reports which should inspire us in Hi-Lite.
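To make the quoted ideas concrete, here is an added example in plain Python (it is not code from the article, from the .NET Code Contracts library, or from Hi-Lite). It assumes a hypothetical `contract` decorator of its own: contract expressions are ordinary host-language expressions over the function's arguments and result, `forall`/`exists` range over integer ranges and collections, helpers used inside contracts must be marked `@pure` (a convention check only, not a real purity analysis), and violations are raised at runtime so that ordinary automated tests exercise the specification as well as the code.

```python
# Added illustration of contracts embedded as code (hypothetical decorator,
# not the Code Contracts API). Contract expressions are plain Python.
from functools import wraps
from types import SimpleNamespace
import inspect


class ContractViolation(AssertionError):
    """Raised when a precondition or postcondition evaluates to False."""


def forall(items, pred):
    """Universal quantifier over any iterable (range(), list, ...)."""
    return all(pred(x) for x in items)


def exists(items, pred):
    """Existential quantifier over any iterable."""
    return any(pred(x) for x in items)


def pure(fn):
    """Mark a helper as side-effect free so it may be called from a contract."""
    fn.is_pure = True
    return fn


def contract(requires=(), ensures=()):
    # requires: (label, pred(args)) pairs; ensures: (label, pred(args, result)).
    # Named helpers must carry the @pure marker; lambdas are accepted as-is.
    for _, pred in (*requires, *ensures):
        if pred.__name__ != "<lambda>" and not getattr(pred, "is_pure", False):
            raise TypeError(f"{pred.__name__} used in a contract must be @pure")

    def decorate(fn):
        sig = inspect.signature(fn)

        @wraps(fn)
        def checked(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            a = SimpleNamespace(**bound.arguments)   # arguments by name
            for label, pred in requires:
                if not pred(a):
                    raise ContractViolation(f"{fn.__name__}: requires '{label}'")
            result = fn(*args, **kwargs)
            for label, pred in ensures:
                if not pred(a, result):
                    raise ContractViolation(f"{fn.__name__}: ensures '{label}'")
            return result

        return checked

    return decorate


@pure
def is_sorted(a):
    """Contract helper: every adjacent pair of a.xs is in order."""
    return forall(range(len(a.xs) - 1), lambda i: a.xs[i] <= a.xs[i + 1])


@contract(
    requires=[("input is sorted", is_sorted)],
    ensures=[
        ("index in range or -1", lambda a, r: r == -1 or 0 <= r < len(a.xs)),
        ("found element matches", lambda a, r: r == -1 or a.xs[r] == a.key),
        ("-1 only if absent",
         lambda a, r: r != -1 or not exists(a.xs, lambda x: x == a.key)),
    ],
)
def binary_search(xs, key):
    """Return an index of key in the sorted list xs, or -1 if absent."""
    lo, hi = 0, len(xs) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if xs[mid] < key:
            lo = mid + 1
        elif xs[mid] > key:
            hi = mid - 1
        else:
            return mid
    return -1


@contract(ensures=[("found element matches", lambda a, r: r == -1 or a.xs[r] == a.key)])
def broken_search(xs, key):
    """Deliberately wrong lookup, kept only to show a postcondition firing."""
    return 0 if xs else -1


def run_checks():
    """Exercise the contracts the way an automated test would; constructed inputs."""
    outcomes = {"hit": binary_search([1, 3, 5, 7, 9], 7),
                "miss": binary_search([1, 3, 5, 7, 9], 4)}
    for name, call in (("unsorted", lambda: binary_search([5, 1, 3], 3)),
                       ("broken", lambda: broken_search([1, 2], 2))):
        try:
            call()
            outcomes[name] = "accepted"
        except ContractViolation as e:
            outcomes[name] = str(e)
    return outcomes


if __name__ == "__main__":
    print(run_checks())
```

Because the predicates are compiled and executed as ordinary Python, a rename or refactoring of `binary_search`'s parameters breaks the contract loudly instead of letting the specification silently drift, which is the point of the article's conclusion.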
XReq – Executable Requirements for DO-178B – is the latest project to join the Open-DO initiative. XReq, first contributed by Sogilis, is a tool designed to help test and verify a project. It has been specifically adapted to the DO-178B context but can be used by a much wider audience. To help DO-178B projects, it brings together the tests (HLT/LLT) with their requirements, thus supporting traceability of the tests.
I spent a very interesting week in Toulouse last week. It started with a one-day conference in which INRIA research labs showed a host of products and advanced research applicable to the domains of modeling and safety. There were in particular demos of Astrée (static analyzer for C, now sold by AbsInt GmbH), Frama-C (framework for analyses on C, partner in Hi-Lite) and Alt-Ergo (SMT prover, partner in Hi-Lite).
It continued with the ERTS² conference over 3 days, which gathered many French and European providers and customers of embedded solutions. I’d like to highlight 3 presentations:
the Formal Methods Subgroup of the upcoming DO-178C standard presented how formal methods may be used in a certification context
The recently launched project Hi-Lite is based on powerful industrial tools that have been developed by the different partners for the last 10 to 25 years. This means in particular that it is not easy to grasp the “vision” of Hi-Lite without knowing how all these tools work. To share this vision as broadly as possible, we have come up with a “light” (one may even say humorous) introduction to Hi-Lite in which we describe the application of the various tools and techniques that are part of Hi-Lite to a very simple program.
In case you missed the very interesting blog that David Crocker of Escher Technologies has been writing since January of this year, I have put a link to it in the Blogroll that you find on the right of the Open-DO main page. David’s ArC system reads C code together with annotations written in special macros in order to formally prove properties of the C code. It has many similarities with Frama-C, yet offers a different and interesting point of view. Plus, David’s choice of examples and tone makes it very nice reading.
The next talk in our series from the recent Open-DO Conference is from Hervé Delseny, an expert in Avionics Software Aspects of Certification at Airbus. In his talk he gives examples of Airbus’ use of Formal Methods to verify avionics software, and summarises the integration of Formal Methods in the upcoming ED-12/DO-178 issue C.
You can also view the presentation slides if you want to follow along.
The next talk in our series from the recent Open-DO Conference is from Cyrille Comar, Managing Director of AdaCore EU, who gives an update on the latest happenings with the Open-DO initiative and talks about AdaCore’s new French government funded project, Hi-Lite, which has the goal of promoting the use of formal methods in developing high-integrity software.
You can also view the presentation slides if you want to follow along.
Earlier this month, on March 3rd, AdaCore was awarded a grant by the French government and local authorities to develop an innovative set of tools integrated with its GNAT Pro platform. AdaCore is leading a consortium of 2 research institutes (CEA-List, the ProVal team of INRIA) and 4 industrial companies (AdaCore, Altran, Astrium and Thales Communications) in this effort. The project, named Hi-Lite, is starting in mid-2010 and will continue for 3 years.
Hi-Lite’s goal is to promote the use of formal methods in developing high-integrity software. It loosely integrates formal proofs with testing and static analysis, thus allowing developers to combine different techniques around a common expression of properties and constraints.
Hi-Lite is completely based on free software. The project is structured as two different toolchains for Ada and C based on GNAT/GCC compilers (Ada and C), the CodePeer static analyzer (Ada), the SPARK verification toolset (Ada) and the Frama-C platform (C).
A big thank you to all those who attended the very successful Open-DO event in Paris on March 11, 2010. And if you missed it, don’t worry. We’ll be posting videos of all the talks over the coming weeks.
The conference was dedicated to exploring the possibilities of combining formality with agility for critical software development. We start with Paul Boca from Hornbill Systems Ltd, who makes the case that formal methods can complement agile practices and vice versa.
Each week we will post a new talk from this event. Enjoy!
You can also view the presentation slides if you want to follow along.
We are pleased to welcome the HiberSource project to Open-DO. This configuration management system is used to manage project data in accordance with DO-178B and supports the full software life cycle.
There are many free version control systems (such as SVN), but there are no free configuration management systems that support whole projects (like Razor or PVCS). HiberSource was started as a configuration management system supporting the full software life cycle, including development, verification and other certification activities.
For more information, please visit the project on the Open-DO forge.