Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.
Semantics Static semantics Dynamic semantics attribute grammars
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Slide: 1 Copyright © 2014 AdaCore Claire Dross, Pavlos Efstathopoulos, David Lesens, David Mentré and Yannick Moy Embedded Real Time Software and Systems.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
Software Engineering and Design Principles Chapter 1.
Building Reliable Software Requirements and Methods.
Copyright W. Howden1 Lecture 13: Programming by Contract.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Managed Assertions : language-neutral behavioral contracts for components 2 nd Rotor Workshop 25 April 2003 Nam Tran Monash University
Describing Syntax and Semantics
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.
1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
Ranga Rodrigo. Class is central to object oriented programming.
Language Evaluation Criteria
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
1. Topics to be discussed Introduction Objectives Testing Life Cycle Verification Vs Validation Testing Methodology Testing Levels 2.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
VDM++ Tutorial Model Quality. Overview Introduction Assessing internal consistency Assessing external consistency.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
1 cs205: engineering software university of virginia fall 2006 Avoiding Software Disasters.
QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs By Koen Claessen, Juhn Hughes ME: Mike Izbicki.
High Integrity Ada in a UML and C world Peter Amey, Neil White Presented by Liping Cai.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
Reasoning about programs March CSE 403, Winter 2011, Brun.
Chapter 3 Part II Describing Syntax and Semantics.
Presented by David LESENS Tuesday 29 November 2011 Hi-Lite project – Case Study ASTRIUM Space Transportation.
Formal Methods in SE Software Verification Using Formal Methods By: Qaisar Javaid, Assistant Professor Formal Methods1.
SWE 4743 Abstract Data Types Richard Gesick. SWE Abstract Data Types Object-oriented design is based on the theory of abstract data types Domain.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
1 The Software Development Process ► Systems analysis ► Systems design ► Implementation ► Testing ► Documentation ► Evaluation ► Maintenance.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Design by Contract. The Goal Ensure the correctness of our software (correctness) Recover when it is not correct anyway (robustness) Correctness: Assertions.
Chapter 1: Preliminaries Lecture # 2. Chapter 1: Preliminaries Reasons for Studying Concepts of Programming Languages Programming Domains Language Evaluation.
Bill J. Ellis Dependable Systems Group Heriot-Watt University (Project page: Proving Exception.
SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.
Software Design and Development Development Methodoligies Computing Science.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
J-P. Rosen Adalog J-P. Rosen Adalog The contract model of Ada 2012.
SWEN421 – Lecture 3 Building High Integrity Software with SPARK Ada
Software Verification and Validation
Component Based Software Engineering
Levels of Software Assurance in SPARK
Rail, Space, Security: Three Case Studies for SPARK 2014
Presentation transcript:

Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p2 Software was of low quality Software often did not meet requirements Projects were unmanageable and code difficult to maintain … Software was of low quality Software often did not meet requirements Projects were unmanageable and code difficult to maintain … Software crisis in space

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p3 Where is the software crisis?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p4 The software crisis is everywhere Topics of this presentation

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p5 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p6 How to chose a programming language?  Availability of a compiler for the target  Quality of the compiler  Training of the development teams  What about the intrinsic qualities of the language? Ada is known to be safer than C

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p7 ISO format French format C syntax is not always perfectly clear C syntax is not always perfectly clear

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p8 C syntax is not always perfectly clear C syntax is not always perfectly clear

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p9 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p10 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p11 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert Can this code be reviewed by a non software engineer?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p12 Ada has a less ambiguous syntax Ada has a less ambiguous syntax

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p13 Ada has a less ambiguous syntax and a stronger semantics Ada has a less ambiguous syntax and a stronger semantics Does it really matter?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p14 Does it really matter?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p15 An Ada compiler may detect bugs… …even before testing An Ada compiler may detect bugs… …even before testing

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p16 Is Ada the perfect programming language? Unfortunately no!

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p17 Correct if Y / Z is evaluated first Run time error if F(X) is evaluated first !

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p18 Objectives: Improve the quality thanks to formal proof Improve the quality thanks to formal proof Prepare SPARK 2014 Prepare SPARK 2014

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p19 There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. Professor C. A. R. Hoare The 1980 Turing award lecture Professor C. A. R. Hoare The 1980 Turing award lecture Our approach Applicable to  Requirements Baseline  Technical Specification  Design  Coding  Validation & Verification Applicable to  Requirements Baseline  Technical Specification  Design  Coding  Validation & Verification

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p20 SPARK is a restriction of Ada

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p21 Function with side effects are potentially dangerous and thus not in SPARK Function with side effects are potentially dangerous and thus not in SPARK SPARK is a restriction of Ada

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p22 Limitations of testing Testing shows the presence, not the absence of bugs Edsger Wybe Dijkstra

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p23 SPARK allows formal proof

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p24 SPARK allows formal proof That is still SPARK 2005! Why SPARK 2014?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p25 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p26 Ada 2012 and SPARK 2014  SPARK has been based on the notion of contract  Pre- and Postcondition as logical formulas for formal proof  Ada 2012, inspired by SPARK, introduces executable contracts  Pre- and Postconditions as Boolean expressions for dynamic verification  SPARK 2014 introduces formal proof for Ada 2012  Ease of use (e.g. Boolean expressions instead of logical formulas)  Support for dynamic verification (executable contracts)  Automation of proof  Mixing of dynamic and static verification

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p27 How can we avoid such incorrect setting?

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p28 We can define a validity function New in (expression function, case expression)

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p29 …and use it in a contract New in (contract) “Set_Year” can be called only if its Precondition is true Then, it ensures that its Postcondition will be true

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p30 The correctness of contracts can then be formally proved

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p31Proved! Not proved!

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p32 The contract shall be complete

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p33 The code is now correct Proved! Proved! Proved!

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p34 The proof tool checks that the user respects the contract

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p35 The proof tool checks that the user respects the contract Proved! Not proved!

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p36 The proof tool checks that the user respects the contract Proved! Proved! Proved!

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p37 Express properties of arrays New in (quantified expressions)

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p38 Avoid to write Is_Valid all the time New in (type invariants) Not supported by current version of proof tool

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p39 Keep track of global variables New in SPARK 2014 (globals annotations) Z is also read

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p40 Incorrect flow Keep track of information flow New in SPARK 2014 (information flow)

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p41 SPARK 2014 – The tools  Automatic proof  Execution of annotations possible  Allows dynamic verification of properties  Integration with tool chain:  Compiler  GUI  Target configuration

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p42 SPARK 2014 Restrictions  Forbidden features:  Access types (pointers)  Exceptions  Aliasing between variables  Concurrency features of Ada (Tasking)  Side effects in expressions and functions  But free mixing of SPARK and non-SPARK code possible  Combination of verification results possible

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p43 SPARK Methodology  Proof as a means to increase confidence and cut cost  Use proof when it is really required or cheaper than test  Unit Test as a fallback method  Use test when full proof of some code is too complex or not applicable  Mixing of test and proof is supported  Assumptions of proof can be verified by testing  Avoid cost explosion of formal methods (All or nothing)

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p44 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p45  On-board control procedure  Software program designed to be executed by an OBCP engine, which can easily be loaded, executed, and also replaced, on-board the spacecraft  OBCP code  Complete representation of an OBCP, in a form that can be loaded on- board for subsequent execution  OBCP engine  Application of the on-board software handling the execution of OBCPs  OBCP language  Programming language in which OBCP source code is expressed by human programmers

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p46 OBCP architecture Functional Unit 1 Functional Unit 2 Functional Unit 3 Functional Unit n OBCP engine Init S1 S2Init S1 S2Init S1 S2Init S1 S2

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p47 Event1Event2Event3 Not detectedDetected Event1 Event2 Event3 Not detected Detected Event1 Event2 Event3 Not detected Detected Event1 Event2 Event3 Not detected Detected Example of contract procedure Reset_Event_Status (Event : in T_Event) with Post => not Event_Status (Event).Detection and (for all Other_Event in T_Event => (if Other_Event /= Event then Event_Status (Other_Event) = Event_Status'Old (Other_Event))); Example: A list of event detection statuses Request to reset the detection status for Event The detection status is unchanged Post-condition The detection of event is reset For all other events

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p48 Example of results FeaturesTotal cheksNumber proved Percent proved assertion discriminant_check loop_invariant_initialization22100 loop_invariant_preservation22100 overflow_check22100 postcondition precondition range_check22100 Total

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p49 Some limitations of the proof tool subtypeisrange subtype R is Integer range ; typeisarrayrangeof type T_Array is array (R range <>) of Boolean; typeis type T_Record (L : R) is record A : T_Array (1.. L); endrecord end record; functionreturnis function G (X : T_Record) return Boolean is forallin (for all I in X.A'Range => X.A (I)); subtypeisrange subtype R is Integer range ; typeisarrayrangeof type T_Array is array (R range <>) of Boolean; typeis type T_Record (L : R) is record A : T_Array (1.. L); endrecord end record; functionreturnis function G (X : T_Record) return Boolean is forallin (for all I in X.A'Range => X.A (I)); pragmaandthen pragma Assert(X >= 0.0 and then x <= 180.0); pragmaandthen pragma Assert(Y >= and then Y <= 0.0); pragmaandthen pragma Assert(Z >= 0.0 and then Z <= 1.0); pragma pragma Assert(X + Y >= 0.0); Result := X + Y * Z; pragmaandthen pragma Assert (Result >= 0.0 and then Result <= 360.0); pragmaandthen pragma Assert(X >= 0.0 and then x <= 180.0); pragmaandthen pragma Assert(Y >= and then Y <= 0.0); pragmaandthen pragma Assert(Z >= 0.0 and then Z <= 1.0); pragma pragma Assert(X + Y >= 0.0); Result := X + Y * Z; pragmaandthen pragma Assert (Result >= 0.0 and then Result <= 360.0); The size of an array depends on a discriminant The size of an array depends on a discriminant Non linear expression expression Not proved with the current tool version

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p50 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p51 Formal Validation of Aerospace Software: Conclusion  A programming language with a formal semantics  Increases the quality of the software  Decreases the development costs  Formal proof can be used  For complex software  As an efficient complement of tests  SPARK 2014 is foreseen in … 2014  Some developments are still in progress

David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p52 Thank you for your attention Any question ? Thank you for your attention Any question ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.