Hi-Lite erts2012

AdaCore

Integrating Formal Program Verification with Testing
Cyrille Comar, Johannes Kanig and Yannick Moy
Motivation
Cost of testing

•   Cost of testing greater than cost of development

•   10% increase each year for avionics software (Boeing META Project)

•   Uneven repartition (pie chart, 20% / 80%): 80% of effort!
•   Uneven quality: 80% of errors traced to 20% of code
    (NASA Software Safety Guidebook)

•   Need to reduce and focus the cost of testing
DO-178C: formal methods can replace testing

Formal methods […] might be the primary source of evidence for the satisfaction of many of the objectives concerned with development and verification.
              2011: Formal Methods Supplement (DO-333)
Myths of formal methods

•   Myth 4: Formal methods require highly trained mathematicians

•   Myth 5: Formal methods increase the cost of development

•   Myth 6: Formal methods are unacceptable to users

•   Myth 7: Formal methods are not used on real, large-scale software

                                  (Anthony Hall, Praxis Systems, 1990)
Practice of formal methods

Since 2001, Airbus has been integrating several tool supported formal verification techniques into the development process of avionics software products.
        2009: Formal Verification of Avionics Software Products
                             (Souyris, Wiels, Delmas, Delseny)
Cost of verification

[Pie charts: 20% / 80% of testing effort; 20% / 80% of formal effort]

       Hi-Lite goal: using formal verification first, then testing…

[Pie chart: 80% formal, 16% testing, 4%]

       … to reduce and focus the cost of verification
Proof + Test
Programming Contracts

                  {P}C{Q}       Hoare logic (1969)

logic contracts for proofs:       SPARK (1987)
executable contracts for tests:   Eiffel DbC (1986)

Hi-Lite: executable annotation language???
Project
Ada 2012
Testing vs. Formal Verification

Testing (P calls Q):
    use Q code: actual body of Q, or stub…
    cover P constructs

Formal verification (P calls Q):
    when proving P: prove pre of Q, assume post of Q
    when proving Q: assume pre of Q, prove post of Q

local exhaustivity argument (testing):
    each function covered
    enough behaviors explored

global soundness argument (proof):
    all functions proved
    all assumptions justified
Combining tests and proofs

P is tested, Q is proved; P calls Q and Q calls P

How do we justify assumptions made during proof?

verification combining tests and proofs should be
             AT LEAST AS GOOD AS
           verification based on tests only
Caution: contracts are not only pre/post!

   strong typing
   parameters not aliased
   parameters initialized
   data dependences
   …
Combination 1: tested calls proved

P is tested, Q is proved, P calls Q

during testing: check that precondition of Q is respected

assumption for proof: precondition of Q is respected
Combination 2: proved calls tested

P is tested, Q is proved, Q calls P

during testing: check that postcondition of P is respected

assumption for proof: postcondition of P is respected
Testing + Formal Verification

P tested, Q proved, R proved

local exhaustivity argument:
- test: function covered
- proof: by nature of proof

global soundness argument:
- proof: assumptions proved
- test: assumptions tested

   Testing must check additional properties
   Done by compiler instrumentation
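An added illustration of combinations 1 and 2 (not code from the Hi-Lite project or the GNAT tools): Ada 2012 Pre/Post aspects are enabled for the test build, so a tested caller is checked against the precondition a proved callee assumes, and a tested callee is checked against the postcondition a proved caller assumes. The subprogram names Ratio, Average, Read_Sensor and Step are assumptions, and both planted bugs sit in the tested code.

```ada
--  Added example (not code from the Hi-Lite project or the GNAT tools):
--  the two combinations of tests and proofs, instrumented with Ada 2012
--  Pre/Post aspects. Names Ratio, Average, Read_Sensor and Step are assumed.
pragma Assertion_Policy (Check);  --  instrument every contract for the test run

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions; use Ada.Assertions;
with Ada.Exceptions; use Ada.Exceptions;

procedure Contracts_Demo is

   type Samples is array (Positive range <>) of Natural;

   --  Combination 1: tested P (Average) calls proved Q (Ratio).
   --  The proof of Ratio assumes Den /= 0; the instrumented test run of
   --  Average checks that assumption at each call site.
   function Ratio (Num, Den : Natural) return Natural
     with Pre  => Den /= 0,
          Post => Ratio'Result = Num / Den;

   function Ratio (Num, Den : Natural) return Natural is
   begin
      return Num / Den;
   end Ratio;

   --  Tested code with a bug: an empty array leads to Ratio (0, 0),
   --  which violates the precondition the proof of Ratio relied on.
   function Average (S : Samples) return Natural is
      Sum : Natural := 0;
   begin
      for V of S loop
         Sum := Sum + V;
      end loop;
      return Ratio (Sum, S'Length);
   end Average;

   --  Combination 2: proved Q (Step) calls tested P (Read_Sensor).
   --  The proof of Step assumes Read_Sensor's postcondition; the
   --  instrumented test run of Read_Sensor checks that postcondition.
   subtype Percent is Natural range 0 .. 100;

   function Read_Sensor (Raw : Natural) return Natural
     with Post => Read_Sensor'Result in Percent;

   --  Tested code with a bug: saturates at 200 instead of 100.
   function Read_Sensor (Raw : Natural) return Natural is
   begin
      return Natural'Min (Raw, 200);
   end Read_Sensor;

   --  Proved code: the conversion to Percent is provable only from
   --  Read_Sensor's postcondition, never from its (untrusted) body.
   function Step (Raw : Natural) return Percent is
   begin
      return Percent (Read_Sensor (Raw));
   end Step;

begin
   --  Passes: the assumption Den /= 0 holds for a non-empty input.
   Put_Line ("Average (10, 20, 30) =" & Natural'Image (Average (Samples'(10, 20, 30))));

   --  Fails in Ratio's precondition: the proof assumption is not justified
   --  by P's behaviour, which is exactly what combination 1 must detect.
   begin
      Put_Line ("Average () =" & Natural'Image (Average (Samples'(1 .. 0 => 0))));
   exception
      when E : Assertion_Error =>
         Put_Line ("combination 1 check failed: " & Exception_Message (E));
   end;

   --  Passes: Raw = 50 stays inside Percent.
   Put_Line ("Step (50) =" & Percent'Image (Step (50)));

   --  Fails in Read_Sensor's postcondition before the proved caller Step
   --  can see the out-of-range value, as combination 2 requires.
   begin
      Put_Line ("Step (150) =" & Percent'Image (Step (150)));
   exception
      when E : Assertion_Error =>
         Put_Line ("combination 2 check failed: " & Exception_Message (E));
   end;
end Contracts_Demo;
```

Build with `gnatmake contracts_demo.adb` and run: both planted bugs are caught by the contract of the neighbouring subprogram rather than by a crash later on. In the workflow the slides describe, Ratio and Step would be submitted to GNATprove while Average and Read_Sensor would be exercised by GNATtest with the same contracts enabled.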
GNAT toolsuite

GNAT compiler -> executable
GNATtest (unit testing) + GNATprove (unit proof) -> aggregated verification results
Conclusion
Airbus 5 “must-have” of formal methods



•   Soundness

•   Applicability to the code

•   Usability by normal engineers on normal computers

•   Improve on classical methods
                                          current work
•   Certifiability
Benefits of openness

   • .org site: announcements, meeting slides, articles / docs
   • public: meeting minutes, technical work (69 members); private: management, partner code
   • all code, dev docs, user docs

 external collaborations with industry and academia
Project Partners
www.open-do.org/projects/hi-lite