Why Hi-Lite Ada?

Jérôme Guitton, Johannes Kanig, Yannick Moy (AdaCore)

Boogie Workshop - August 1st, 2011
Overview


  Introduction


  Ada 2012 and Alfa


  Ada and Why


  The translation
Unit Proof - I
   Motivation
       Allow gradual replacement of tests by program verification
       Provide other means of verification when formal verification
       fails:
             VCs too complex for automated tools
             manual proofs too costly
             program constructs out of scope
             aspects to be proved out of scope (timing, memory,
             termination)


   Concept
       Apply formal verification and tests on a per-function basis
       Tests still available to complement program verification
       Has been applied at Airbus to Level A avionics software
Unit Proof - II



   Problems
       Expertise: required for writing contracts and carrying proof
       Duplication: contract not shared between testing and proof
       Isolation: unit test and unit proof cannot be combined
       Confusion: not the same semantics for testing and proof
       Debugging: contracts and proof cannot be executed
Hi-Lite : Test and Proof


   French research project started in May 2010, over 3 years

   Motivation
       Source language: Ada
       Combine test and proof in a single contract-based technology
       Same language and semantics for test and proof
       Application to existing projects should be possible
       Ease of use: Automation

   The upcoming avionics standard DO-178C
New Forms of Expressions in Ada 2012

      if-expressions:
                        (if X = 0 then 0 else 1 / X)

      case-expressions:
                        type Week_Day is
                           (Mon, Tue, Wed, Thu, Fri, Sat, Sun);
                        ...
                        (case X is
                            when Mon .. Fri => True,
                            when others     => False)

      quantified expressions:
                        (for all I in X'Range => X (I) > 0)
                        (for some I in X'Range => X (I) > 0)
Contracts


   A function with pre- and postcondition
         function Search (S : String; C : Character)
            return Natural
            with
               Pre  => (S /= ""),
               Post =>
                  ((if Search'Result /= 0 then
                       S (Search'Result) = C)
                   and
                     (for all X in
                         S'First .. Search'Result - 1 =>
                         S (X) /= C));
The Alfa Subset of Ada
   Definition
       Includes all features suitable for program verification
       Excludes pointers, concurrency, exceptions
       No side effects in annotations
       No ambiguous expressions

   Classification of each function
       Non-Alfa: only very light restrictions
       Partially in Alfa: signature and contract of the function are in
       Alfa, no restriction on the body
       (Entirely) in Alfa: signature, contract and body of the
       function are in Alfa, only functions at least partially in Alfa
       are called
Alfa and Ada

   Alfa and Non-Alfa code can be freely mixed
       Automatic detection of functions that are (partially or fully) in
       Alfa
       Only those functions are translated to Why
       Remaining code can be covered by testing

   Rationale
       You don’t need to write all your code in Alfa
       Application to legacy code base
       Allow packages with complex code (pointers, concurrency)
The GNATprove tool
Automatic Effects Computation

  Procedure
      First phase of GNATprove
      Compute localized effects of each function (do not take into
      account effects of called functions)

  A few restrictions on Ada so that the computed effects stay correct
      No function pointers
      No implicit aliasing
      These situations are recognized by the compiler (work in
      progress)
An Ada Program
    (diagram) Spec for package A: types, global vars, function decls, contracts
              Body for package A: local types, local vars, functions
              Spec and body for package B, with the same structure, next to A
A First Idea for Why Files
    (diagram) Four blocks of Why code: code for spec of A, code for body of A,
              code for spec of B, code for body of B

   Achieved
       Ada visibility modeled
       circular dependencies avoided
       (mutual) recursion even across packages

   Problem
       Effects on local variables introduce new dependencies
       Example: function in B modifies indirectly local variable of A
       circular dependency!
Our Proposed Solution
    (diagram) For each package (A and B), four separate blocks of Why code:
       code for types and vars in spec of A    code for types and vars in spec of B
       code for types and vars in body of A    code for types and vars in body of B
       code for funcs in spec of A             code for funcs in spec of B
       code for funcs in body of A             code for funcs in body of B
Ada Integer Types


   New type definition:
          type One_Ten is range 1 .. 10;

   Subtype (inherits base range):
          subtype One_Ten_Integer is
             Integer range 1 .. 10;

   Inserted checks
       Range check on assignment (or parameter passing)
       Overflow check on intermediate operations on the base type
Ada Integer Types in Why
      type t
      predicate t_in_range (x : int) = -128 <= x <= 127

      logic t_to_int : t -> int
      logic t_of_int : int -> t
      parameter t_of_int_ :
         n : int ->
           { t_in_range (n) } t { t_to_int (result) = n }
      parameter t_in_range_ :
         n : int ->
           { t_in_range (n) } int { result = n }

      axiom t_range :
          forall x : t.   t_in_range (t_to_int (x))
      ...
Execution Semantics for Assertions - I

   Objective
        Same semantics for test and proof
        Assertions should be runtime error free

   Possibilities
        Consider assertions with runtime errors as false
             Implicit assumptions in the case of preconditions
        Consider assertions with runtime errors as incorrect
             Additional VCs to prove absence of runtime errors in specs
             No implicit assumptions
        Hi-Lite: second possibility has been chosen for clarity
Execution Semantics for Assertions - II
   Example in Ada
       function Add (X, Y : One_Ten) return One_Ten
         with Pre => (X + Y < 10);


   Translation to Why

      let add (x : one_ten) (y : one_ten) =
         { true }
         ignore
           (one_ten_range_
             (one_ten_to_int (x) + one_ten_to_int (y)) < 10);
         assume
           { one_ten_to_int (x) + one_ten_to_int (y) < 10 };
         ... (* translated body of function Add *)
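The Why encoding of integer types and the two candidate assertion semantics above, as an added Python model that is not part of the slides: it models the base type t (-128 .. 127) behind One_Ten, the slide's Add precondition, and a constructed second precondition (X * Y * Y < 10) whose evaluation can overflow. The helper names (T_BASE, t_in_range_, vc_assertion_rte_free, ...) are assumptions of this example, not GNATprove's own API.

```python
"""Added example, not from the slides: a Python model of the Why encoding of an
Ada integer type and of the two semantics for assertions that raise at runtime.
Names such as T_BASE, t_in_range_ and vc_assertion_rte_free are assumptions."""

from itertools import product

# The Why type `t` models the *base* type of One_Ten; predicate t_in_range is
# the overflow check on intermediate operations (slide: -128 <= x <= 127).
T_BASE = range(-128, 128)
# The first subtype `type One_Ten is range 1 .. 10` adds the range check that
# Ada inserts on assignment or parameter passing.
ONE_TEN = range(1, 11)


class RuntimeErrorInAssertion(Exception):
    """Stands in for Ada's Constraint_Error raised while evaluating a contract."""


def t_in_range_(n: int) -> int:
    """Why parameter t_in_range_: returns n when it fits the base type; otherwise
    its precondition { t_in_range (n) } is violated (overflow check fails)."""
    if n not in T_BASE:
        raise RuntimeErrorInAssertion(f"overflow: {n} not in base type range")
    return n


def t_of_int(n: int) -> int:
    """Why parameter t_of_int_: conversion to One_Ten with its range check."""
    if n not in ONE_TEN:
        raise RuntimeErrorInAssertion(f"range check: {n} not in One_Ten")
    return n


def pre_add(x: int, y: int) -> bool:
    """Pre => (X + Y < 10) from the slide; the intermediate sum goes through the
    overflow check, as in `one_ten_range_ (one_ten_to_int (x) + ...) < 10`."""
    return t_in_range_(x + y) < 10


def pre_add_overflowing(x: int, y: int) -> bool:
    """Constructed contrast: Pre => (X * Y * Y < 10).  10 * 10 * 10 = 1000 does
    not fit the base type, so evaluating the assertion itself can raise."""
    return t_in_range_(t_in_range_(x * y) * y) < 10


def evaluate_as_false(pre, x: int, y: int) -> bool:
    """Possibility 1 on the slide: an assertion that raises counts as false.
    The call is rejected silently, which hides an implicit assumption."""
    try:
        return pre(x, y)
    except RuntimeErrorInAssertion:
        return False


def evaluate_as_incorrect(pre, x: int, y: int) -> bool:
    """Possibility 2 (chosen by Hi-Lite): a raising assertion is incorrect; the
    error propagates, so proof must show it cannot happen."""
    return pre(x, y)


def vc_assertion_rte_free(pre) -> list[tuple[int, int]]:
    """The additional VC of possibility 2, discharged here by exhaustion over the
    finite One_Ten domain: every (x, y) for which the precondition raises.
    An empty list means the VC is proved."""
    failing = []
    for x, y in product(ONE_TEN, ONE_TEN):
        try:
            evaluate_as_incorrect(pre, x, y)
        except RuntimeErrorInAssertion:
            failing.append((x, y))
    return failing


def add(x: int, y: int) -> int:
    """Body of Add under possibility 2: range-check the parameters, check the
    contract, then return X + Y converted (range-checked) back to One_Ten."""
    x, y = t_of_int(x), t_of_int(y)
    if not evaluate_as_incorrect(pre_add, x, y):
        raise AssertionError("precondition of Add failed")
    return t_of_int(t_in_range_(x + y))


if __name__ == "__main__":
    print("Add precondition RTE-free:", vc_assertion_rte_free(pre_add) == [])
    print("X*Y*Y failures (first 3):", vc_assertion_rte_free(pre_add_overflowing)[:3])
    print("as-false semantics hides it:", evaluate_as_false(pre_add_overflowing, 10, 10))
```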
Loop Assertions - I

   The trivial translation:

   Ada loop
       while C loop
          pragma Assert (P);
          ...
       end loop;

   Why translation
       while C do
          { P }
          ...
       done

   Does not reflect runtime behavior:
        Assertion not executed when C is always false
        Assertion not executed after end of loop
Loop Assertions - II


   Our translation

      if c then
         try
            while true do (* infinite loop *)
               { invariant c and p }
               ...
               if not c then raise Exit
            done
         with Exit -> ();
Quantified Expressions

   A pathological example
          (for all J in 1 .. 10 =>
                 (if J = 5 then J /= 1 / 0 else False))

   A simple approach
   $\forall\, 1 \le j \le 10.\ \text{if } j = 5 \text{ then } 0 \neq 0 \text{ else true}$

   Proposed by an anonymous referee
   $\forall\, 1 \le j \le 10.$
   $\quad (\forall\, 1 \le j' \le j - 1.\ \text{if } j' = 5 \text{ then } 0 \neq 0 \text{ else true})\ \text{and}$
   $\quad (\forall\, 1 \le j' \le j - 1.\ \text{if } j' = 5 \text{ then } j' \neq 1/0 \text{ else false})$
   $\quad \Rightarrow\ \text{if } j = 5 \text{ then } 0 \neq 0 \text{ else true}$
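The pathological quantified expression and the two VC generation schemes, as an added Python model that is not from the slides (helper names such as checked_div, simple_vcs and referee_vcs are constructed here): runtime evaluation stops at J = 1 without ever dividing by zero, the simple approach leaves an unprovable check at j = 5, and the referee's scheme, which only requires the check for j under the hypothesis that all earlier iterations were error free and true, discharges every obligation.

```python
"""Added example, not from the slides: a model of the pathological quantified
expression and of the two ways of generating its runtime-error VCs."""


class RuntimeErrorInAssertion(Exception):
    """Stands in for Ada's Constraint_Error raised inside an assertion."""


def checked_div(a: int, b: int) -> int:
    """Ada division with its divide-by-zero check."""
    if b == 0:
        raise RuntimeErrorInAssertion("division by zero")
    return a // b


def body(j: int) -> bool:
    """(if J = 5 then J /= 1 / 0 else False), with Ada's runtime checks."""
    if j == 5:
        return j != checked_div(1, 0)
    return False


def body_check(j: int) -> bool:
    """Side condition that body(j) is runtime-error free:
    'if j = 5 then 0 /= 0 else true' (the divisor of 1 / 0 must be non-zero)."""
    return 0 != 0 if j == 5 else True


def body_value(j: int) -> bool:
    """Logical value of the body when its checks are assumed to pass:
    'if j = 5 then j /= 1 / 0 else false'.  For j = 5 the comparison is left
    unconstrained in the logic; any value works because body_check(5) is False."""
    return j == 5


def runtime_for_all(lo: int, hi: int) -> bool:
    """Ada execution semantics: evaluate bodies in order and stop at the first
    False.  body(1) is False, so 1 / 0 is never evaluated and nothing raises."""
    for j in range(lo, hi + 1):
        if not body(j):
            return False
    return True


def simple_vcs(lo: int, hi: int) -> dict[int, bool]:
    """Simple approach: forall 1 <= j <= 10. body_check(j), one unconditional
    obligation per j.  It fails at j = 5 even though execution never gets there."""
    return {j: body_check(j) for j in range(lo, hi + 1)}


def referee_vcs(lo: int, hi: int) -> dict[int, bool]:
    """Referee's approach: the obligation for j is only required under the
    hypothesis that every earlier j' was error free AND evaluated to true:
    (forall j' < j. check(j') and value(j')) => check(j)."""
    vcs = {}
    for j in range(lo, hi + 1):
        earlier_all_true = all(body_check(k) and body_value(k) for k in range(lo, j))
        vcs[j] = (not earlier_all_true) or body_check(j)
    return vcs


def unprovable(vcs: dict[int, bool]) -> list[int]:
    """Indices whose obligation does not hold."""
    return [j for j, ok in vcs.items() if not ok]


if __name__ == "__main__":
    print("runtime value:", runtime_for_all(1, 10))          # False, no exception
    print("simple approach, unprovable:", unprovable(simple_vcs(1, 10)))   # [5]
    print("referee approach, unprovable:", unprovable(referee_vcs(1, 10)))  # []
```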
Conclusion


   Hi-Lite
       Allow combining test and proof
       Easy adoption of formal verification, applied to new and
       existing projects

   Future Work
       Migration to Why3
       Verification of consistency of contracts

DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 

Último (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Boogie 2011 Hi-Lite

1. Why Hi-Lite Ada?
   Jérôme Guitton, Johannes Kanig, Yannick Moy (AdaCore)
   Boogie Workshop - August 1st, 2011

2. Overview
   Introduction
   Ada 2012 and Alfa
   Ada and Why
   The translation

3. Outline
   Introduction
   Ada 2012 and Alfa
   Ada and Why
   The translation

4. Unit Proof - I
   Motivation
      Allow gradual replacement of tests by program verification
      Provide other means of verification when formal verification fails:
         VCs too complex for automated tools
         manual proofs too costly
         program constructs out of scope
         aspects to be proved out of scope (timing, memory, termination)
   Concept
      Apply formal verification and tests on a per-function basis
      Tests still available to complement program verification
      Has been applied at Airbus to avionics software Level A

5. Unit Proof - II
   Problems
      Expertise: required for writing contracts and carrying proof
      Duplication: contract not shared between testing and proof
      Isolation: unit test and unit proof cannot be combined
      Confusion: not the same semantics for testing and proof
      Debugging: contracts and proof cannot be executed

6. Hi-Lite: Test and Proof
   French research project started in May 2010, over 3 years
   Motivation
      Source language: Ada
      Combine test and proof in a single contract-based technology
      Same language and semantics for test and proof
      Application to existing projects should be possible
      Ease of use: automation
   The upcoming avionics standard DO-178C

7. Outline
   Introduction
   Ada 2012 and Alfa
   Ada and Why
   The translation

8. New Forms of Expressions in Ada 2012
   if-expressions:
      (if X = 0 then 0 else 1 / X)
   case-expressions:
      type Week_Day is
         (Mon, Tue, Wed, Thu, Fri, Sat, Sun);
      ...
      (case X is
          when Mon .. Fri => True,
          when others     => False)
   quantified expressions:
      (for all I in X'Range => X (I) > 0)
      (for some I in X'Range => X (I) > 0)

9. Contracts
   A function with pre- and postcondition
      function Search (S : String; C : Character) return Natural
        with Pre  => (S /= ""),
             Post => ((if Search'Result /= 0 then S (Search'Result) = C)
                      and (for all X in S'First .. Search'Result - 1 =>
                             S (X) /= C));
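The contract on slide 9 is meant to be both proved and executed. The following is an added example, written for this page and not code from the Hi-Lite project: it completes Search with a body, enables assertion checking so that Pre and Post run at every call, and exercises the empty-string precondition. The procedure name Search_Demo, the helper Check and the test strings are assumptions of the example; only the Search contract comes from the slide.

```ada
--  Added example (not from the Hi-Lite project): the Search contract of
--  slide 9 as a complete Ada 2012 unit, executed with assertions enabled.
--  Build with a GNAT that defaults to Ada 2012, e.g.:
--     gnatmake -gnata search_demo.adb
pragma Assertion_Policy (Check);  --  Pre/Post/Assert are executed at run time

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions;

procedure Search_Demo is

   --  Index of the first occurrence of C in S, or 0 when C does not occur.
   --  String indices are Positive, so 0 can never collide with a real index.
   --  Contract taken from slide 9 (with "" for the empty string).
   function Search (S : String; C : Character) return Natural
     with Pre  => S /= "",
          Post => (if Search'Result /= 0 then S (Search'Result) = C)
                  and (for all X in S'First .. Search'Result - 1 =>
                         S (X) /= C);

   function Search (S : String; C : Character) return Natural is
   begin
      for I in S'Range loop
         --  Executable loop assertion: no match strictly before I.
         pragma Assert (for all X in S'First .. I - 1 => S (X) /= C);
         if S (I) = C then
            return I;
         end if;
      end loop;
      return 0;
   end Search;

   --  Runs one test case; the Pre/Post of Search are checked on each call,
   --  so the same contract serves test and proof, as the slides argue.
   procedure Check (S : String; C : Character; Expected : Natural) is
      R : constant Natural := Search (S, C);
   begin
      Put_Line ("Search (""" & S & """, '" & C & "') =" & Natural'Image (R));
      pragma Assert (R = Expected);
   end Check;

begin
   Check ("hello", 'l', 3);   --  first 'l' is at index 3
   Check ("hello", 'z', 0);   --  absent: result 0, postcondition range is empty

   --  Violating the precondition raises Assertion_Error instead of silently
   --  indexing an empty string; that is the run-time face of a failed VC.
   begin
      Check ("", 'a', 0);
      Put_Line ("precondition not checked (assertions disabled?)");
   exception
      when Ada.Assertions.Assertion_Error =>
         Put_Line ("empty string rejected by the precondition, as expected");
   end;
end Search_Demo;
```

The pragma Assertion_Policy (Check) at the top (or the GNAT switch -gnata) is what turns the contract into an executable check; without it the call with "" would evaluate the body on an empty string and the postcondition would never be tested, which is the "Debugging" problem slide 5 lists.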
10. The Alfa Subset of Ada
   Definition
      Includes all features suitable for program verification
      Excludes pointers, concurrency, exceptions
      No side effects in annotations
      No ambiguous expressions
   Classification of each function
      Non-Alfa: only very light restrictions
      Partially in Alfa: signature and contract of the function are in Alfa,
         no restriction on the body
      (Entirely) in Alfa: signature, contract and body of the function are
         in Alfa; only functions at least partially in Alfa are called

11. Alfa and Ada
   Alfa and non-Alfa code can be freely mixed
   Automatic detection of functions that are (partially or fully) in Alfa
   Only those functions are translated to Why
   Remaining code can be covered by testing
   Rationale
      You don't need to write all your code in Alfa
      Application to legacy code base
      Allow packages with complex code (pointers, concurrency)

12. Outline
   Introduction
   Ada 2012 and Alfa
   Ada and Why
   The translation

14. Automatic Effects Computation
   Procedure
      First phase of GNATprove
      Compute localized effects of each function (do not take into account
         effects of called functions)
   A few restrictions to Ada to maintain correctness
      No function pointers
      No implicit aliasing
      These situations are recognized by the compiler (work in progress)

15. An Ada Program (diagram)
   Spec for package A: types, global vars, function decls, contracts
   Body for package A: local types, local vars, functions

16-18. An Ada Program (diagram, same layout with a second package)
   Spec for package A (types, global vars, function decls, contracts)
      and spec for package B
   Body for package A (local types, local vars, functions)
      and body for package B

19-22. A First Idea for Why Files (diagram)
   code for spec of A, code for spec of B
   code for body of A, code for body of B

23-25. A First Idea for Why Files (diagram, same layout)
   Achieved
      Ada visibility modeled
      circular dependencies avoided
      (mutual) recursion even across packages
   Problem
      Effects on local variables introduce new dependencies
      Example: function in B modifies indirectly local variable of A
         circular dependency!

26-27. Our Proposed Solution (diagram)
   code for types and vars in spec of A
   code for types and vars in body of A
   code for funcs in spec of A
   code for funcs in body of A

28-30. Our Proposed Solution (diagram, same layout with a second package)
   code for types and vars in spec of A, code for types and vars in spec of B
   code for types and vars in body of A, code for types and vars in body of B
   code for funcs in spec of A, code for funcs in spec of B
   code for funcs in body of A, code for funcs in body of B

31. Outline
   Introduction
   Ada 2012 and Alfa
   Ada and Why
   The translation

32. Ada Integer Types
   New type definition:
      type One_Ten is range 1 .. 10;
   Subtype (inherits base range):
      subtype One_Ten_Integer is Integer range 1 .. 10;
   Inserted checks
      Range check on assignment (or parameter passing)
      Overflow check on intermediate operations on the base type

33. Ada Integer Types in Why
      type t
      predicate t_in_range (x : int) = -128 <= x <= 127
      logic t_to_int : t -> int
      logic t_of_int : int -> t
      parameter t_of_int_ : n : int -> { t_in_range (n) } t { t_to_int (result) = n }
      parameter t_in_range_ : n : int -> { t_in_range (n) } int { result = n }
      axiom t_range : forall x : t. t_in_range (t_to_int (x))
      ...

34. Execution Semantics for Assertions - I
   Objective
      Same semantics for test and proof
      Assertions should be runtime error free
   Possibilities
      Consider assertions with runtime errors as false
         Implicit assumptions in the case of preconditions
      Consider assertions with runtime errors as incorrect
         Additional VCs to prove absence of runtime errors in specs
         No implicit assumptions
   Hi-Lite: second possibility has been chosen for clarity

35. Execution Semantics for Assertions - II
   Example in Ada
      function Add (X, Y : One_Ten) return One_Ten
        with Pre => (X + Y < 10);
   Translation to Why
      let add (x : one_ten) (y : one_ten) =
        { true }
        ignore (one_ten_range_ (one_ten_to_int (x) + one_ten_to_int (y)) < 10);
        assume { one_ten_to_int (x) + one_ten_to_int (y) < 10 };
        ... (* translated body of function Add *)
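Slides 32 to 35 describe three things the Why translation has to model: range checks on assignment, overflow checks on the base type, and the decision that an assertion which can itself raise a run-time error is an incorrect assertion. The following added example, written for this page and not Hi-Lite or GNATprove code, shows the run-time side of each of those: the Add function of slide 35 accepted and rejected by its precondition, a range check and an overflow check firing as Constraint_Error, and a precondition whose own evaluation raises before the contract is decided. Everything except One_Ten, One_Ten_Integer and Add (which come from the slides) is an assumption of the example: the names Checks_Demo, Into_Range, Bump, Quotient_Positive and Run, and the sample values.

```ada
--  Added example (not Hi-Lite/GNATprove code): the run-time side of the
--  checks that slides 32-35 translate to Why: range checks on assignment,
--  overflow checks on the base type, and a precondition that can itself
--  raise a run-time error.  Build with:
--     gnatmake -gnata -gnato checks_demo.adb
--  (-gnata enables assertions, -gnato overflow checks on older GNATs).
pragma Assertion_Policy (Check);

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checks_Demo is

   type One_Ten is range 1 .. 10;                     --  new type, own base type
   subtype One_Ten_Integer is Integer range 1 .. 10;  --  subtype of Integer

   --  Add from slide 35.  X + Y is computed in One_Ten'Base, so evaluating
   --  the precondition cannot fail a range check; it only decides whether
   --  the result will fit.
   function Add (X, Y : One_Ten) return One_Ten
     with Pre => X + Y < 10
   is
   begin
      return X + Y;   --  range check 1 .. 10 on the returned value
   end Add;

   --  Range check on assignment / parameter passing (slide 32): the value
   --  is converted to the subtype on return and checked against 1 .. 10.
   function Into_Range (Raw : Integer) return One_Ten_Integer is
   begin
      return Raw;
   end Into_Range;

   --  Overflow check on an intermediate operation on the base type.
   function Bump (V : Integer) return Integer is
   begin
      return V + 1;
   end Bump;

   --  A precondition that is not run-time-error free: with D = 0 its
   --  evaluation raises Constraint_Error before the contract is decided.
   --  Slide 34 treats such assertions as incorrect and adds VCs for them.
   function Quotient_Positive (N, D : Integer) return Boolean
     with Pre => N / D > 0
   is
   begin
      return True;
   end Quotient_Positive;

   --  Runs one step and reports which kind of failure, if any, it raised.
   procedure Run (Label : String; Step : not null access procedure) is
   begin
      Step.all;
      Put_Line (Label & ": completed normally");
   exception
      when E : Ada.Assertions.Assertion_Error =>
         Put_Line (Label & ": contract failed: " & Exception_Message (E));
      when E : Constraint_Error =>
         Put_Line (Label & ": run-time error: " & Exception_Message (E));
   end Run;

   procedure Add_Fits is
      R : constant One_Ten := Add (4, 5);
   begin
      Put_Line ("  Add (4, 5) =" & One_Ten'Image (R));
   end Add_Fits;

   procedure Add_Rejected is
      R : One_Ten;
   begin
      R := Add (5, 5);            --  5 + 5 < 10 is False: Assertion_Error
      Put_Line ("  unreachable:" & One_Ten'Image (R));
   end Add_Rejected;

   procedure Range_Check_Fails is
      V : One_Ten_Integer;
   begin
      V := Into_Range (11);       --  11 is outside 1 .. 10: Constraint_Error
      Put_Line ("  unreachable:" & Integer'Image (V));
   end Range_Check_Fails;

   procedure Overflow_Check_Fails is
      V : Integer;
   begin
      V := Bump (Integer'Last);   --  no Integer value for Integer'Last + 1
      Put_Line ("  unreachable:" & Integer'Image (V));
   end Overflow_Check_Fails;

   procedure Precondition_Itself_Fails is
      Ok : Boolean;
   begin
      Ok := Quotient_Positive (3, 0);  --  3 / 0 raised while evaluating Pre
      Put_Line ("  unreachable:" & Boolean'Image (Ok));
   end Precondition_Itself_Fails;

begin
   Run ("Add (4, 5)",               Add_Fits'Access);
   Run ("Add (5, 5)",               Add_Rejected'Access);
   Run ("Into_Range (11)",          Range_Check_Fails'Access);
   Run ("Bump (Integer'Last)",      Overflow_Check_Fails'Access);
   Run ("Quotient_Positive (3, 0)", Precondition_Itself_Fails'Access);
end Checks_Demo;
```

The last step is the one the slides' second policy is about: on the test side the failure shows up as Constraint_Error rather than Assertion_Error, so the caller cannot tell a violated contract from a contract that could not be evaluated. Generating a separate VC for the absence of run-time errors in the precondition, as slide 34 chooses, is what keeps the proof side from silently assuming 3 / 0 > 0 is a legitimate condition on the caller.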
36. Loop Assertions - I
   The trivial translation:
      Ada loop                       Why translation
         while C loop                   while C do
            pragma Assert (P);             { P }
            ...                            ...
         end loop;                      done
   Does not reflect runtime behavior:
      Assertion not executed when C is always false
      Assertion not executed after end of loop

37. Loop Assertions - II
   Our translation
      if c then
        try
          while true do (* infinite loop *)
            { invariant c and p }
            ...
            if not c then raise Exit
          done
        with Exit -> ()

38. Quantified Expressions
   A pathological example
      (for all J in 1 .. 10 => (if J = 5 then J /= 1 / 0 else False))
   A simple approach
      ∀ 1 ≤ j ≤ 10. if j = 5 then 0 = 0 else true
   Proposed by an anonymous referee
      ∀ 1 ≤ j ≤ 10.
         (∀ 1 ≤ j′ ≤ j − 1. if j′ = 5 then 0 = 0 else true)
         and (∀ 1 ≤ j′ ≤ j − 1. if j′ = 5 then j′ = 1/0 else false)
         ⇒ if j = 5 then 0 = 0 else true

39. Conclusion
   Hi-Lite
      Allow combining test and proof
      Easy adoption of formal verification, applied to new and existing projects
   Future Work
      Migration to Why3
      Verification of consistency of contracts