Abstract
SPARK 2014 is a subset of the Ada 2012 programming language that is supported by the GNAT compilation toolchain and multiple open source static analysis and verification tools. These tools can be used to verify that a SPARK 2014 program does not raise language-defined run-time exceptions and that it complies with formal specifications expressed as subprogram contracts. The results of analyses at source code level are valid for the final executable only if it can be shown that compilation/verification tools comply with a common deterministic programming language semantics.
In this paper, we present: (a) a mechanized formal semantics for a large subset of SPARK 2014, (b) an architecture for creating certified/certifying analysis and verification tools for SPARK, and (c) tools and mechanized proofs that instantiate that architecture to demonstrate that SPARK-relevant Ada run-time checks inserted by the GNAT compiler are correct; this includes mechanized proofs of correctness for abstract interpretation-based static analyses that are used to certify correctness of GNAT run-time check optimizations.
A by-product of this work is a substantial amount of open source infrastructure that others in academia and industry can use to develop mechanized semantics, and mechanically verified correctness proofs for analyzers/verifiers for realistic programming languages.
This material is based upon work supported by the US Air Force Office of Scientific Research (AFOSR) under contract FA9550-09-1-0138.
Notes
- 1.
- 2.
Language-specified run-time errors that are relevant for all programs in the language can be contrasted with application-specific run-time errors that correspond to violations of a program’s application-specific requirements. Our work addresses the former notion.
- 3.
- 4.
By “mechanized”, we mean the construction of formal definitions (of semantics, translations, analysis, etc.) and formal proofs of associated properties in a proof assistant that enables correctness to be checked automatically by the proof assistant.
- 5.
Certified here means that there are formal mathematical artifacts (such as machine-checked proofs) that serve as rigorous evidence that an implementation is consistent with its specification [5].
- 6.
Certifying here means that the tool generates evidence testifying that it is in fact consistent with its specification for a particular use of the tool.
- 7.
References
Barnes, J.: SPARK: The Proven Approach to High Integrity Software. Altran Praxis (2012)
Barnes, J.: Ada 2012 Rationale - The Language, The Standard Libraries, Lecture Notes in Computer Science, vol. 8338. Springer, Heidelberg (2013)
Belt, J., Hatcliff, J., Robby, Chalin, P., Hardin, D., Deng, X.: Bakar kiasan: flexible contract checking for critical systems using symbolic execution. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 58–72. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20398-5_6
Chapman, R., Botcazou, E., Wallenburg, A.: SPARKSkein: a formal and fast reference implementation of skein. In: Simao, A., Morgan, C. (eds.) SBMF 2011. LNCS, vol. 7021, pp. 16–27. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25032-3_2
Chlipala, A.: Certified Programming with Dependent Types - A Pragmatic Introduction to the Coq Proof Assistant. MIT Press, Cambridge (2013)
Courtieu, P., Aponte, M., Crolard, T., Zhang, Z., Robby, Belt, J., Hatcliff, J., Guitton, J., Jennings, T.: Towards the formalization of SPARK 2014 semantics with explicit run-time checks using coq. In: HILT, pp. 21–22 (2013)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)
Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The astreé analyzer. In: ESOP, pp. 21–30 (2005)
Hatcliff, J., Wassyng, A., Kelly, T., Comar, C., Jones, P.L.: Certifiably safe software-dependent systems: challenges and directions. In: FOSE, pp. 182–200 (2014)
Jourdan, J., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: POPL, pp. 247–259 (2015)
Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)
McCormick, J.W., Chapin, P.C.: Building High Integrity Applications with SPARK. Cambridge University Press, Cambridge (2015)
Moy, Y., Ledinot, E., Delseny, H., Wiels, V., Monate, B.: Testing or formal verification: DO-178C alternatives and industrial experience. IEEE Software, pp. 50–56 (2013)
Necula, G.C.: Proof-carrying code. In: POPL, pp. 106–119 (1997)
O’Neill, I.: SPARK - a language and tool-set for high-integrity software development. In: Industrial Use of Formal Methods: Formal Verification. Wiley (2012)
Ada conformity assessment test suite (ACATS). http://www.ada-auth.org/acats.html
Ada reference manual. http://www.ada-auth.org/standards/ada12.html
Compcert-c. http://compcert.inria.fr/compcert-C.html
The Coq proof assistant. http://coq.inria.fr
SPARK 2014 reference manual. http://docs.adacore.com/spark2014-docs/html/lrm/
Why3 - where programs meet provers. http://why3.lri.fr/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zhang, Z., Robby, Hatcliff, J., Moy, Y., Courtieu, P. (2017). Focused Certification of an Industrial Compilation and Static Verification Toolchain. In: Cimatti, A., Sirjani, M. (eds) Software Engineering and Formal Methods. SEFM 2017. Lecture Notes in Computer Science(), vol 10469. Springer, Cham. https://doi.org/10.1007/978-3-319-66197-1_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-66197-1_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66196-4
Online ISBN: 978-3-319-66197-1
eBook Packages: Computer ScienceComputer Science (R0)