SlideShare a Scribd company logo

Hi-Lite erts2012

Download as PPTX, PDF
AdaCore
AdaCore

Yannick Moy's presentation on the Hi-Lite project at the ERTS 2012 event in Toulouse France. The paper "Integrating Formal Program Verification with Testing" can be found at http://www.erts2012.org/Site/0P2RUC89/7A-1.pdf

Technology
1 of 25
Integrating Formal Program Verification with Testing Cyrille Comar, Johannes Kanig and Yannick Moy
Integrating Formal Program with Testing Verification Cyrille Comar, Johannes Kanig and Yannick Moy
Integrating Formal Program with Verification Cyrille Comar, Johannes Kanig and Yannick Moy
Motivation
Cost of testing • Cost of testing greater than cost of development • 10% increase each year for avionics software (Boeing META Project) • Uneven repartition: 20%  80% of effort! 80% • Uneven quality: 80% of errors traced to 20% of code (NASA Software Safety Guidebook) • Need to reduce and focus the cost of testing
DO-178C: formal methods can replace testing Formal methods […] might be the primary source of evidence for the satisfaction of many of the objectives concerned with development and verification. 2011: Formal Methods Supplement (DO-333)
Myths of formal methods • Myth 4: Formal methods require highly trained mathematicians • Myth 5: Formal methods increase the cost of development • Myth 6: Formal methods are unacceptable to users • Myth 7: Formal methods are not used on real, large-scale software (Anthony Hall, Praxis Systems, 1990)
Practice of formal methods Since 2001, Airbus has been integrating several tool supported formal verification techniques into the development process of avionics software products. 2009: Formal Verification of Avionics Software Products (Souyris, Wiels, Delmas, Delseny)
Cost of verification 20%  80% of 20%  80% of 80% testing effort 80% formal effort Hi-Lite goal: using formal verification first, then testing… 4% 16% testing 80% formal … to reduce and focus the cost of verification
Proof + Test
Programming Contracts {P}C{Q} Hoare logic (1969) logic contracts executable contracts for proofs for tests SPARK (1987) Eiffel DbC (1986) Hi-Lite: executable annotation language???
Project
Ada 2012
Testing vs. Formal Verification prove pre of Q use Q code assume post of Q cover P constructs P calls Q P calls Q P P Q Q assume pre of Q actual body of Q prove post of Q or stub… local exhaustivity argument: global soundness argument: each function covered P all functions proved  enough behaviors  all assumptions justified explored Q R
Combining tests and proofs P is tested P calls Q How so we justify assumptions made P during proof? Q Q calls P Q is proved verification combining tests and proofs should be AT LEAST AS GOOD AS verification based on tests only
Caution: contracts are not only pre/post! strong typing parameters not aliased )… parameters initialized data dependences
Combination 1: tested calls proved P is tested P calls Q during testing: check that P precondition of Q Q is respected Q is proved assumption for proof: precondition of Q is respected
Combination 2: proved calls tested P is tested during testing: check that P postcondition of P Q is respected Q calls P Q is proved assumption for proof: postcondition of P is respected
Testing + Formal Verification tested P proved Q R proved local exhaustivity argument: global soundness argument: - test: function covered - proof: assumptions proved - proof: by nature of proof - test: assumptions tested Testing must check additional properties Done by compiler instrumentation
GNAT toolsuite executable GNAT GNATtest compiler unit testing aggregated verification results GNATprove unit proof
Conclusion
Airbus 5 “must-have” of formal methods • Soundness • Applicability to the code • Usability by normal engineers on normal computers • Improve on classical methods current work • Certifiability
Benefits of openness .org • announcements • public: • all code • meeting slides  meeting minutes • dev docs • articles / docs  technical work • user docs  69 members • private:  management  partner code  external collaborations with industry and academia
Project Partners
www.open-do.org/projects/hi-lite

Recommended

Boogie 2011 Hi-Lite
Boogie 2011 Hi-LiteBoogie 2011 Hi-Lite
Boogie 2011 Hi-LiteAdaCore
 
Vlsi lab manual_new
Vlsi lab manual_newVlsi lab manual_new
Vlsi lab manual_newNaveen Gouda
 
Kanban by Mayur Gupta
Kanban by Mayur GuptaKanban by Mayur Gupta
Kanban by Mayur GuptaXebia IT Architects
 
Harton-Presentation
Harton-PresentationHarton-Presentation
Harton-PresentationHeather Harton
 
Parrot -- "one bytecode to rule them all"
Parrot -- "one bytecode to rule them all"Parrot -- "one bytecode to rule them all"
Parrot -- "one bytecode to rule them all"Nuno Carvalho
 
Open-DO Update
Open-DO UpdateOpen-DO Update
Open-DO UpdateAdaCore
 
At&t research at trecvid 2009
At&t research at trecvid 2009At&t research at trecvid 2009
At&t research at trecvid 2009Kirill Lazarev
 
SAP Offshore Delivery Services
SAP Offshore Delivery ServicesSAP Offshore Delivery Services
SAP Offshore Delivery ServicesJerome Le Gall
 

Recommended

Boogie 2011 Hi-Lite
Boogie 2011 Hi-LiteBoogie 2011 Hi-Lite
Boogie 2011 Hi-LiteAdaCore
 
Vlsi lab manual_new
Vlsi lab manual_newVlsi lab manual_new
Vlsi lab manual_newNaveen Gouda
 
Kanban by Mayur Gupta
Kanban by Mayur GuptaKanban by Mayur Gupta
Kanban by Mayur GuptaXebia IT Architects
 
Harton-Presentation
Harton-PresentationHarton-Presentation
Harton-PresentationHeather Harton
 
Parrot -- "one bytecode to rule them all"
Parrot -- "one bytecode to rule them all"Parrot -- "one bytecode to rule them all"
Parrot -- "one bytecode to rule them all"Nuno Carvalho
 
Open-DO Update
Open-DO UpdateOpen-DO Update
Open-DO UpdateAdaCore
 
At&t research at trecvid 2009
At&t research at trecvid 2009At&t research at trecvid 2009
At&t research at trecvid 2009Kirill Lazarev
 
SAP Offshore Delivery Services
SAP Offshore Delivery ServicesSAP Offshore Delivery Services
SAP Offshore Delivery ServicesJerome Le Gall
 
santhosh popshetwar
santhosh popshetwarsanthosh popshetwar
santhosh popshetwarSanthosh Kumar Popshetwar
 
Avid_Venue
Avid_VenueAvid_Venue
Avid_VenueCole Bradley
 
Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)Sardegna Ricerche
 
Elixir
ElixirElixir
ElixirChangwook Park
 
Lab3 s2
Lab3 s2Lab3 s2
Lab3 s2rajbabureliance
 
Lean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software DevelopersLean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software DevelopersCory Foy
 
Challenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective KernelsChallenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective KernelsESUG
 
Tail Call Elimination in Open Smalltalk
Tail Call Elimination in Open SmalltalkTail Call Elimination in Open Smalltalk
Tail Call Elimination in Open SmalltalkESUG
 
IPv6 Development and Testing Services
IPv6 Development and Testing ServicesIPv6 Development and Testing Services
IPv6 Development and Testing ServicesTMA Solutions
 
Funcargs & other fun with pytest
Funcargs & other fun with pytestFuncargs & other fun with pytest
Funcargs & other fun with pytestBrianna Laugher
 
WGDC QA Kapitanenko-Rebrov
WGDC QA Kapitanenko-RebrovWGDC QA Kapitanenko-Rebrov
WGDC QA Kapitanenko-RebrovAnton Kapitanenko
 
TMA Software Testing Competency
TMA Software Testing CompetencyTMA Software Testing Competency
TMA Software Testing CompetencyTMA Solutions
 
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAUTest Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAUInfinIT - Innovationsnetværket for it
 
Test Driven Agile
Test Driven AgileTest Driven Agile
Test Driven AgileNigel Thurlow
 
Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)SQALab
 
Benjamin q4 2008_bristol
Benjamin q4 2008_bristolBenjamin q4 2008_bristol
Benjamin q4 2008_bristolObsidian Software
 
Deploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronicsDeploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronicsDVClub
 
Sistemas operacionais 12
Sistemas operacionais 12Sistemas operacionais 12
Sistemas operacionais 12Nauber Gois
 
Software development practices in python
Software development practices in pythonSoftware development practices in python
Software development practices in pythonJimmy Lai
 
Agile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil KaradeAgile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil KaradeIndicThreads
 
Continuous deployment
Continuous deploymentContinuous deployment
Continuous deploymentDaniel
 
ITS-Fidel
ITS-FidelITS-Fidel
ITS-FidelFidel Softech P. Ltd
 

More Related Content

What's hot

Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)Sardegna Ricerche
 
Lean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software DevelopersLean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software DevelopersCory Foy
 
Challenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective KernelsChallenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective KernelsESUG
 
Tail Call Elimination in Open Smalltalk
Tail Call Elimination in Open SmalltalkTail Call Elimination in Open Smalltalk
Tail Call Elimination in Open SmalltalkESUG
 

What's hot (8)

santhosh popshetwar
santhosh popshetwarsanthosh popshetwar
santhosh popshetwar
 
Avid_Venue
Avid_VenueAvid_Venue
Avid_Venue
 
Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)Generazione Automatica di Test - S. Vuotto (Università di Sassari)
Generazione Automatica di Test - S. Vuotto (Università di Sassari)
 
Elixir
ElixirElixir
Elixir
 
Lab3 s2
Lab3 s2Lab3 s2
Lab3 s2
 
Lean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software DevelopersLean and Kanban Principles for Software Developers
Lean and Kanban Principles for Software Developers
 
Challenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective KernelsChallenges in Debugging Bootstraps of Reflective Kernels
Challenges in Debugging Bootstraps of Reflective Kernels
 
Tail Call Elimination in Open Smalltalk
Tail Call Elimination in Open SmalltalkTail Call Elimination in Open Smalltalk
Tail Call Elimination in Open Smalltalk
 

Similar to Hi-Lite erts2012

IPv6 Development and Testing Services
IPv6 Development and Testing ServicesIPv6 Development and Testing Services
IPv6 Development and Testing ServicesTMA Solutions
 
Funcargs & other fun with pytest
Funcargs & other fun with pytestFuncargs & other fun with pytest
Funcargs & other fun with pytestBrianna Laugher
 
TMA Software Testing Competency
TMA Software Testing CompetencyTMA Software Testing Competency
TMA Software Testing CompetencyTMA Solutions
 
Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)SQALab
 
Deploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronicsDeploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronicsDVClub
 
Sistemas operacionais 12
Sistemas operacionais 12Sistemas operacionais 12
Sistemas operacionais 12Nauber Gois
 
Software development practices in python
Software development practices in pythonSoftware development practices in python
Software development practices in pythonJimmy Lai
 
Agile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil KaradeAgile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil KaradeIndicThreads
 
Continuous deployment
Continuous deploymentContinuous deployment
Continuous deploymentDaniel
 
Leveling Up With Unit Testing - LonghornPHP 2022
Leveling Up With Unit Testing - LonghornPHP 2022Leveling Up With Unit Testing - LonghornPHP 2022
Leveling Up With Unit Testing - LonghornPHP 2022Mark Niebergall
 
Signal and System - Convolution in Linear Time-Invariant System.pdf
Signal and System - Convolution in Linear Time-Invariant System.pdfSignal and System - Convolution in Linear Time-Invariant System.pdf
Signal and System - Convolution in Linear Time-Invariant System.pdf22004598
 
Pragmatic Introduction to Python Unit Testing (PyDays 2018)
Pragmatic Introduction to Python Unit Testing (PyDays 2018)Pragmatic Introduction to Python Unit Testing (PyDays 2018)
Pragmatic Introduction to Python Unit Testing (PyDays 2018)Peter Kofler
 
MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system Tarin Gamberini
 
Releasing fast code - The DevOps approach
Releasing fast code - The DevOps approachReleasing fast code - The DevOps approach
Releasing fast code - The DevOps approachMichael Kopp
 

Similar to Hi-Lite erts2012 (20)

IPv6 Development and Testing Services
IPv6 Development and Testing ServicesIPv6 Development and Testing Services
IPv6 Development and Testing Services
 
Funcargs & other fun with pytest
Funcargs & other fun with pytestFuncargs & other fun with pytest
Funcargs & other fun with pytest
 
WGDC QA Kapitanenko-Rebrov
WGDC QA Kapitanenko-RebrovWGDC QA Kapitanenko-Rebrov
WGDC QA Kapitanenko-Rebrov
 
TMA Software Testing Competency
TMA Software Testing CompetencyTMA Software Testing Competency
TMA Software Testing Competency
 
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAUTest Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
 
Test Driven Agile
Test Driven AgileTest Driven Agile
Test Driven Agile
 
Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)Формальная верификация как средство тестирования (в Java)
Формальная верификация как средство тестирования (в Java)
 
Benjamin q4 2008_bristol
Benjamin q4 2008_bristolBenjamin q4 2008_bristol
Benjamin q4 2008_bristol
 
Deploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronicsDeploying Functional Qualification at STMicroelectronics
Deploying Functional Qualification at STMicroelectronics
 
Sistemas operacionais 12
Sistemas operacionais 12Sistemas operacionais 12
Sistemas operacionais 12
 
Software development practices in python
Software development practices in pythonSoftware development practices in python
Software development practices in python
 
Agile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil KaradeAgile testing principles and practices - Anil Karade
Agile testing principles and practices - Anil Karade
 
Continuous deployment
Continuous deploymentContinuous deployment
Continuous deployment
 
ITS-Fidel
ITS-FidelITS-Fidel
ITS-Fidel
 
Leveling Up With Unit Testing - LonghornPHP 2022
Leveling Up With Unit Testing - LonghornPHP 2022Leveling Up With Unit Testing - LonghornPHP 2022
Leveling Up With Unit Testing - LonghornPHP 2022
 
Signal and System - Convolution in Linear Time-Invariant System.pdf
Signal and System - Convolution in Linear Time-Invariant System.pdfSignal and System - Convolution in Linear Time-Invariant System.pdf
Signal and System - Convolution in Linear Time-Invariant System.pdf
 
Pragmatic Introduction to Python Unit Testing (PyDays 2018)
Pragmatic Introduction to Python Unit Testing (PyDays 2018)Pragmatic Introduction to Python Unit Testing (PyDays 2018)
Pragmatic Introduction to Python Unit Testing (PyDays 2018)
 
TMA Brochure IPv6
TMA Brochure IPv6TMA Brochure IPv6
TMA Brochure IPv6
 
MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system
 
Releasing fast code - The DevOps approach
Releasing fast code - The DevOps approachReleasing fast code - The DevOps approach
Releasing fast code - The DevOps approach
 

More from AdaCore

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?AdaCore
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsAdaCore
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verificationAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationAdaCore
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...AdaCore
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!AdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologyAdaCore
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextAdaCore
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareAdaCore
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentAdaCore
 

More from AdaCore (20)

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 context
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

Hi-Lite erts2012

  • 1. Integrating Formal Program Verification with Testing Cyrille Comar, Johannes Kanig and Yannick Moy
  • 2. Integrating Formal Program with Testing Verification Cyrille Comar, Johannes Kanig and Yannick Moy
  • 3. Integrating Formal Program with Verification Cyrille Comar, Johannes Kanig and Yannick Moy
  • 5. Cost of testing • Cost of testing greater than cost of development • 10% increase each year for avionics software (Boeing META Project) • Uneven repartition: 20%  80% of effort! 80% • Uneven quality: 80% of errors traced to 20% of code (NASA Software Safety Guidebook) • Need to reduce and focus the cost of testing
  • 6. DO-178C: formal methods can replace testing Formal methods […] might be the primary source of evidence for the satisfaction of many of the objectives concerned with development and verification. 2011: Formal Methods Supplement (DO-333)
  • 7. Myths of formal methods • Myth 4: Formal methods require highly trained mathematicians • Myth 5: Formal methods increase the cost of development • Myth 6: Formal methods are unacceptable to users • Myth 7: Formal methods are not used on real, large-scale software (Anthony Hall, Praxis Systems, 1990)
  • 8. Practice of formal methods Since 2001, Airbus has been integrating several tool supported formal verification techniques into the development process of avionics software products. 2009: Formal Verification of Avionics Software Products (Souyris, Wiels, Delmas, Delseny)
  • 9. Cost of verification 20%  80% of 20%  80% of 80% testing effort 80% formal effort Hi-Lite goal: using formal verification first, then testing… 4% 16% testing 80% formal … to reduce and focus the cost of verification
  • 11. Programming Contracts {P}C{Q} Hoare logic (1969) logic contracts executable contracts for proofs for tests SPARK (1987) Eiffel DbC (1986) Hi-Lite: executable annotation language???
  • 14. Testing vs. Formal Verification prove pre of Q use Q code assume post of Q cover P constructs P calls Q P calls Q P P Q Q assume pre of Q actual body of Q prove post of Q or stub… local exhaustivity argument: global soundness argument: each function covered P all functions proved  enough behaviors  all assumptions justified explored Q R
  • 15. Combining tests and proofs P is tested P calls Q How so we justify assumptions made P during proof? Q Q calls P Q is proved verification combining tests and proofs should be AT LEAST AS GOOD AS verification based on tests only
  • 16. Caution: contracts are not only pre/post! strong typing parameters not aliased )… parameters initialized data dependences
  • 17. Combination 1: tested calls proved P is tested P calls Q during testing: check that P precondition of Q Q is respected Q is proved assumption for proof: precondition of Q is respected
  • 18. Combination 2: proved calls tested P is tested during testing: check that P postcondition of P Q is respected Q calls P Q is proved assumption for proof: postcondition of P is respected
  • 19. Testing + Formal Verification tested P proved Q R proved local exhaustivity argument: global soundness argument: - test: function covered - proof: assumptions proved - proof: by nature of proof - test: assumptions tested Testing must check additional properties Done by compiler instrumentation
  • 20. GNAT toolsuite executable GNAT GNATtest compiler unit testing aggregated verification results GNATprove unit proof
  • 22. Airbus 5 “must-have” of formal methods • Soundness • Applicability to the code • Usability by normal engineers on normal computers • Improve on classical methods current work • Certifiability
  • 23. Benefits of openness .org • announcements • public: • all code • meeting slides  meeting minutes • dev docs • articles / docs  technical work • user docs  69 members • private:  management  partner code  external collaborations with industry and academia