Categories
Open-DO Projects
Want to get involved?
Contact
Formal Containers
We have added a new page describing Formal Containers to the Hi-Lite project. It describes a new version of the API for Ada definite containers, designed to simplify the annotation process. An implementation of these containers will be usable in critical programs. It is really interesting to have containers for critical systems, since they are often a good trade-off for ad-hoc, pointer-based structures which make users’ code hard to certify. Since they have been formally axiomatized, these containers will be part of the Ada subset that can be formally proved correct in the context of Hi-Lite.
Posted in Open-DO News Leave a comment
SPARK Ada in High SIL Active Life Support (Alex Deas – Deep Life Ltd.)
From a talk given at the SPARK User Group 2010 High Assurance Software Symposium, Alex Deas from Deep Life talks about developing software for deep water rebreathers which must meet the rigorous European safety standard SIL3.
Autocoding – Do we still need software design? (Rod White – MBDA)
From a talk given at the SPARK User Group 2010 High Assurance Software Symposium, Rod White from MBDA talks about Autocoding and raises the question: Do we still need software design?
Designing and Implementing a Verifiable High Assurance Workstation (Alex Senier – secunet)
From a talk given at the SPARK User Group 2010 High Assurance Software Symposium, Alex Senier from secunet talks about their experiences building High Assurance workstations.
Posted in Events, Open-DO News, Videos Leave a comment
Couverture end of project event
17:30 CET January 27th, 2011 – AdaCore Paris offices, 46 rue d’Amsterdam, 75009 Paris.
Project Couverture has officially come to an end. It’s objectives were to produce a Free Software coverage analysis toolset together with artifacts that allow the tools to be used by developers of safety-critical and mission-critical projects, including systems that need to be certified under safety standards such as DO-178B. The 2 year project was partially funded by the regional authorities of Paris and the Ile-de-France district and the French Ministry of Industry.
The event will highlight the results of the project and showcase the products that have subsequently been developed. If you are interested in attending, please send email to events @ adacore.com.
Posted in Open-DO News Leave a comment
Equivalence of source and object coverage
Last time I met John Chilenski at the SC-205 (DO-178C) working group, I mentioned to him the concrete and theoretical results of the couverture project. Since our work had been partly inspired by the research studies he worked on for the FAA (http://www.faa.gov/aircraft/air_cert/design_approvals/air_software/research), I was convinced that our results would be of interest to him. I suggested that he take a look at the paper we published at ERTS 2010 (http://www2.adacore.com/wp-content/uploads/2010/06/couverture_ertss2010.pdf) and he came back with an interesting question:
‘Hi Cyrille,
I hope you had a Merry Christmas and a Happy New Year!
I have a question for you. In the paper you state: “When some conditions involve multiple conditional branch instructions, OBC still implies MC/DC, but becomes in effect an even stronger property: MC/DC could potentially be established by a test set that does not achieve OBC.”
When does a condition involve multiple conditional branch instructions? I would appreciate an example to help me understand this.
Thanks,
-John’
to which I answered:
‘the code generator may have to generate multiple conditions for various constructs of a language depending on what this construct does. For instance, in Ada :
if Table (I) > 3 then
there is clearly a single condition here but if checks are enabled, the object code for this condition will contain additional branches because of the index check. Basically anything that is supposed to be detected by a good Source-to-Object traceability analysis as “non immediately traceable” is a likely candidate. another example that doesn’t involve Ada dynamic checks:
if (A mod B) = 0 then ….
if you look at the code generated by such a sequence, you might be surprised by the number of conditionals that might be generated for such a trivial expression 
’
Posted in Certification 1 Comment
Proving Alt-Ergo prover in Coq
I attended yesterday the PhD defense of Stéphane Lescuyer, who presented his work on the proof of prover Alt-Ergo, pushing the boundary of what’s feasible with today’s proof technology.
First, a few words of why this is interesting for us at AdaCore, in an industrial setting. Starting with SPARK Pro 9.1, users now have the possibility to call the prover Alt-Ergo to prove some formulas generated by the SPARK tool-set, in addition to the existing SPARK prover. Proving these formulas ensures that there are no run-time errors and that subprograms properly implement their contracts. Thus, it is crucial that the prover used is correct: whenever it says a formula is true, it must be the case. In project Hi-Lite (hosted on Open-DO), we also aim at using Alt-Ergo to prove functional properties of interest to a user on parts of an Ada codebase.
Second, the inner algorithms of such automatic provers are very tricky, so it is quite hard to show a convincing proof that they are correct. The well-known case is the Shostak’s method on which Alt-Ergo’s main algorithm is based: Shostak published his algorithm in 84, and despite many papers discussing the approach, the algorithm was erroneous on various accounts; it was corrected in two steps, in 1996 by Cyrluk, Lincoln and Shankar and in 2001 by Rueß and Shankar. Only a formal proof like the one done by Stéphane Lescuyer can then provide a strong argument for correctness.
Bottom line is that Alt-Ergo is built around a proven core, and that’s great news in order to use it in safety-critical software development and verification.
Case Study: Can you afford to ignore formal analysis?
This is a title I’d like to reuse some day for a case study in Hi-Lite, but right now it is the title of a very interesting paper published by EE Times: people from Alcatel-Lucent formally verified many properties of an ASIC design in a large communication system.
What is stricking is the similarity of the findings and the challenges with what we do in Hi-Lite, despite the very different nature of the properties verified in hardware and in software, and the different techniques involved. Pages 3 and 4, they detail the additional errors found by formal verification on a codebase already simulated, with actual examples of what simulation missed and why. Very instructive. Which leads them to propose to bring together simulation and formal verification on page 5.
Interestingly, the difficulties to bring these two worlds together are the same as the ones in software: different semantics in simulation and formal verification (ex 1 p 5) and non-executable annotations (ex 2 p 5). Good thing that we insisted on the same semantics in Hi-Lite for execution and formal verification, as well as executable annotations!
Posted in Certification, Open-DO News, Papers and Slides Tagged Formal verification, Hi-Lite, Testing Leave a comment
DO-178C: the OOT supplement
Below are a couple of presentations from the recent Certification Together conference. Both concern the OOT supplement of the upcoming DO-178C avionics standard.
DO-178C: the OOT supplement
View more presentations from AdaCore.
DO-178C OOT supplement: A user's perspective
View more presentations from AdaCore.
Posted in Certification Leave a comment