Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013.

Published byBennett Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013."— Presentation transcript:

1 Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013

2 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p2 Software was of low quality Software often did not meet requirements Projects were unmanageable and code difficult to maintain … Software was of low quality Software often did not meet requirements Projects were unmanageable and code difficult to maintain … Software crisis in space

3 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p3 Where is the software crisis?

4 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p4 The software crisis is everywhere Topics of this presentation

5 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p5 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

6 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p6 How to chose a programming language?  Availability of a compiler for the target  Quality of the compiler  Training of the development teams  What about the intrinsic qualities of the language? Ada is known to be safer than C

7 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p7 ISO format French format C syntax is not always perfectly clear C syntax is not always perfectly clear

8 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p8 C syntax is not always perfectly clear C syntax is not always perfectly clear

9 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p9 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert

10 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p10 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert

11 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p11 C syntax is sometimes not understandable by a non expert C syntax is sometimes not understandable by a non expert Can this code be reviewed by a non software engineer?

12 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p12 Ada has a less ambiguous syntax Ada has a less ambiguous syntax

13 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p13 Ada has a less ambiguous syntax and a stronger semantics Ada has a less ambiguous syntax and a stronger semantics Does it really matter?

14 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p14 Does it really matter?

15 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p15 An Ada compiler may detect bugs… …even before testing An Ada compiler may detect bugs… …even before testing

16 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p16 Is Ada the perfect programming language? Unfortunately no!

17 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p17 Correct if Y / Z is evaluated first Run time error if F(X) is evaluated first !

18 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p18 Objectives: Improve the quality thanks to formal proof Improve the quality thanks to formal proof Prepare SPARK 2014 Prepare SPARK 2014

19 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p19 There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. Professor C. A. R. Hoare The 1980 Turing award lecture Professor C. A. R. Hoare The 1980 Turing award lecture Our approach Applicable to  Requirements Baseline  Technical Specification  Design  Coding  Validation & Verification Applicable to  Requirements Baseline  Technical Specification  Design  Coding  Validation & Verification

20 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p20 SPARK is a restriction of Ada

21 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p21 Function with side effects are potentially dangerous and thus not in SPARK Function with side effects are potentially dangerous and thus not in SPARK SPARK is a restriction of Ada

22 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p22 Limitations of testing Testing shows the presence, not the absence of bugs Edsger Wybe Dijkstra

23 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p23 SPARK allows formal proof

24 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p24 SPARK allows formal proof That is still SPARK 2005! Why SPARK 2014?

25 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p25 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

26 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p26 Ada 2012 and SPARK 2014  SPARK has been based on the notion of contract  Pre- and Postcondition as logical formulas for formal proof  Ada 2012, inspired by SPARK, introduces executable contracts  Pre- and Postconditions as Boolean expressions for dynamic verification  SPARK 2014 introduces formal proof for Ada 2012  Ease of use (e.g. Boolean expressions instead of logical formulas)  Support for dynamic verification (executable contracts)  Automation of proof  Mixing of dynamic and static verification

27 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p27 How can we avoid such incorrect setting?

28 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p28 We can define a validity function New in (expression function, case expression)

29 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p29 …and use it in a contract New in (contract) “Set_Year” can be called only if its Precondition is true Then, it ensures that its Postcondition will be true

30 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p30 The correctness of contracts can then be formally proved

31 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p31Proved! Not proved!

32 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p32 The contract shall be complete

33 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p33 The code is now correct Proved! Proved! Proved!

34 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p34 The proof tool checks that the user respects the contract

35 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p35 The proof tool checks that the user respects the contract Proved! Not proved!

36 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p36 The proof tool checks that the user respects the contract Proved! Proved! Proved!

37 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p37 Express properties of arrays New in (quantified expressions)

38 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p38 Avoid to write Is_Valid all the time New in (type invariants) Not supported by current version of proof tool

39 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p39 Keep track of global variables New in SPARK 2014 (globals annotations) Z is also read

40 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p40 Incorrect flow Keep track of information flow New in SPARK 2014 (information flow)

41 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p41 SPARK 2014 – The tools  Automatic proof  Execution of annotations possible  Allows dynamic verification of properties  Integration with tool chain:  Compiler  GUI  Target configuration

42 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p42 SPARK 2014 Restrictions  Forbidden features:  Access types (pointers)  Exceptions  Aliasing between variables  Concurrency features of Ada (Tasking)  Side effects in expressions and functions  But free mixing of SPARK and non-SPARK code possible  Combination of verification results possible

43 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p43 SPARK 2014 - Methodology  Proof as a means to increase confidence and cut cost  Use proof when it is really required or cheaper than test  Unit Test as a fallback method  Use test when full proof of some code is too complex or not applicable  Mixing of test and proof is supported  Assumptions of proof can be verified by testing  Avoid cost explosion of formal methods (All or nothing)

44 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p44 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

45 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p45  On-board control procedure  Software program designed to be executed by an OBCP engine, which can easily be loaded, executed, and also replaced, on-board the spacecraft  OBCP code  Complete representation of an OBCP, in a form that can be loaded on- board for subsequent execution  OBCP engine  Application of the on-board software handling the execution of OBCPs  OBCP language  Programming language in which OBCP source code is expressed by human programmers

46 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p46 OBCP architecture Functional Unit 1 Functional Unit 2 Functional Unit 3 Functional Unit n OBCP engine Init S1 S2Init S1 S2Init S1 S2Init S1 S2

47 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p47 Event1Event2Event3 Not detectedDetected Event1 Event2 Event3 Not detected Detected Event1 Event2 Event3 Not detected Detected Event1 Event2 Event3 Not detected Detected Example of contract procedure Reset_Event_Status (Event : in T_Event) with Post => not Event_Status (Event).Detection and (for all Other_Event in T_Event => (if Other_Event /= Event then Event_Status (Other_Event) = Event_Status'Old (Other_Event))); Example: A list of event detection statuses Request to reset the detection status for Event The detection status is unchanged Post-condition The detection of event is reset For all other events

48 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p48 Example of results FeaturesTotal cheksNumber proved Percent proved assertion385 100 discriminant_check767 100 loop_invariant_initialization22100 loop_invariant_preservation22100 overflow_check22100 postcondition97 100 precondition413 100 range_check22100 Total1670 100

49 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p49 Some limitations of the proof tool subtypeisrange subtype R is Integer range 1.. 100; typeisarrayrangeof type T_Array is array (R range <>) of Boolean; typeis type T_Record (L : R) is record A : T_Array (1.. L); endrecord end record; functionreturnis function G (X : T_Record) return Boolean is forallin (for all I in X.A'Range => X.A (I)); subtypeisrange subtype R is Integer range 1.. 100; typeisarrayrangeof type T_Array is array (R range <>) of Boolean; typeis type T_Record (L : R) is record A : T_Array (1.. L); endrecord end record; functionreturnis function G (X : T_Record) return Boolean is forallin (for all I in X.A'Range => X.A (I)); pragmaandthen pragma Assert(X >= 0.0 and then x <= 180.0); pragmaandthen pragma Assert(Y >= -180.0 and then Y <= 0.0); pragmaandthen pragma Assert(Z >= 0.0 and then Z <= 1.0); pragma pragma Assert(X + Y >= 0.0); Result := X + Y * Z; pragmaandthen pragma Assert (Result >= 0.0 and then Result <= 360.0); pragmaandthen pragma Assert(X >= 0.0 and then x <= 180.0); pragmaandthen pragma Assert(Y >= -180.0 and then Y <= 0.0); pragmaandthen pragma Assert(Z >= 0.0 and then Z <= 1.0); pragma pragma Assert(X + Y >= 0.0); Result := X + Y * Z; pragmaandthen pragma Assert (Result >= 0.0 and then Result <= 360.0); The size of an array depends on a discriminant The size of an array depends on a discriminant Non linear expression expression Not proved with the current tool version

50 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p50 Agenda  Implementation in C or in Ada?    Ada 2012 and SPARK 2014    Application – On Board Control Procedure    Conclusion  

51 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p51 Formal Validation of Aerospace Software: Conclusion  A programming language with a formal semantics  Increases the quality of the software  Decreases the development costs  Formal proof can be used  For complex software  As an efficient complement of tests  SPARK 2014 is foreseen in … 2014  Some developments are still in progress

52 David LESENS and Johannes KANIG Formal Validation of Aerospace Software 15/05/2013p52 Thank you for your attention Any question ? david.lesens@astrium.eads.netkanig@adacore.com Thank you for your attention Any question ? david.lesens@astrium.eads.netkanig@adacore.com

Download ppt "Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.

Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,

B. Sharma, S.D. Dhodapkar, S. Ramesh 1 Assertion Checking Environment (ACE) for Formal Verification of C Programs Babita Sharma, S.D.Dhodapkar RCnD, BARC,
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Slide: 1 Copyright © 2014 AdaCore Claire Dross, Pavlos Efstathopoulos, David Lesens, David Mentré and Yannick Moy Embedded Real Time Software and Systems.

Slide: 1 Copyright © 2014 AdaCore Claire Dross, Pavlos Efstathopoulos, David Lesens, David Mentré and Yannick Moy Embedded Real Time Software and Systems.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
CS 355 – Programming Languages

CS 355 – Programming Languages
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
Software Engineering and Design Principles Chapter 1.

Software Engineering and Design Principles Chapter 1.

Similar presentations

Ads by Google