info@adacore.com adacore.com
Pushing the Boundary of Mostly Automatic Program Proof
Yannick Moy
Copyright © AdaCore
High Integrity Software 2022 Conference - October 11, 2022
The Verifying Compiler
A verifying compiler uses mathematical and logical reasoning to check the correctness of the programs that it compiles.
Sir Tony Hoare, Journal of the ACM, 2003
The Verifying Compiler in Practice
Our formally verified microkernel, seL4, is now used across the world in a number of applications that keeps growing.
June Andronick, Successes in Deployed Verified Software, 2019
The Auto-Active Approach
• Use programming language as specification language
• Leverage array of automatic provers
• Limit specifications to what can be “mostly” automated
• Use “ghost code” to reach fully automatic proof
The Auto-Active Approach in SPARK
• Use Ada as programming language and specification language (contracts)
• Leverage automatic provers Alt-Ergo, COLIBRI, cvc5, Z3
• Specifications are limited by the language (“contracts”) and best practices
• Code marked as “ghost” is only used for verification
Low-Hanging Fruits with Program Proof
• Absence of runtime errors
  • no exception raised (predefined or explicitly in the code)
  • no reads of uninitialized data
• Correct API usage
  • correct input context when calling functions
  • correct sequencing of calls on data
• Data invariants respected
  • “permanent” invariants that should hold always
  • “boundary” invariants that should hold for client code
Absence of Runtime Errors
The SPARK programming language has constraints and specification features that make it straightforward:
• memory safety amounts to checking non-nullity of pointers and that indexes are in bounds
• numerical type safety amounts to checking that computations don’t divide by zero or exceed bounds
(Integer) (Linear) arithmetic is a strong suit of automatic provers
Initialization is in general guaranteed by sticking to an initialization policy checked by a data-flow algorithm
More complex initialization patterns require specifying:
• what parts of objects are initialized
• under which conditions
A mix of boolean conditions and arithmetic is a strong suit of automatic provers
Correct API Usage
Correct input context:
• values of parameters respect conditions beyond type safety
• lifetime of pointer parameters consistent with their use
• relations between parameters are respected
• global state respects constraints
Preconditions that usually rely on a mix of arithmetic and boolean conditions
Correct sequencing of calls expressed in preconditions and postconditions:
• state of parameters wrt prescribed automaton
• global state wrt prescribed automaton
Possibly using imported ghost functions to express state
Resource reclamation (e.g. dynamic memory deallocation)
Based on simple boolean conditions
Data Invariants Respected
Type predicates (“permanent” invariants) always hold:
• subset of values from the base type
• conditions on bounds of arrays
• relations between fields of structures (e.g. inequality comparisons)
• conditions on field initialization
Same mix of arithmetic and boolean conditions as before
Type invariants (“boundary” invariants) only hold outside the unit:
• possibly violated locally
• restored before returning to client
Used to hide data invariant from client unit
Same kinds of properties as predicates
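The three low-hanging fruits above (absence of runtime errors, correct API usage, data invariants) in one small SPARK unit, as an added example that is not code from the talk: the Dynamic_Predicate on Span is a “permanent” invariant, the Type_Invariant on the full view of Session is a “boundary” invariant that Send breaks and restores inside the unit, and the ghost function Is_Open encodes the open/send/close automaton in preconditions. The session type, its byte quota and all names (Sessions, Span, Is_Open, Bytes_Sent, Remaining) are hypothetical; spec, body and client are shown together and would be split into sessions.ads, sessions.adb and demo.adb to run gnatprove.

```ada
package Sessions with SPARK_Mode is

   Quota : constant := 2**24;   --  hypothetical per-session byte budget

   subtype Offset     is Natural range 0 .. 2**20;
   subtype Byte_Count is Natural range 0 .. Quota;

   --  "Permanent" invariant: every Span value must satisfy the predicate,
   --  so a caller cannot even build an inverted range
   type Span is record
      First, Last : Offset;
   end record
     with Dynamic_Predicate => Span.First <= Span.Last;

   --  Cannot overflow: Offset is small and the predicate gives Last >= First
   function Length (C : Span) return Positive is (C.Last - C.First + 1);

   type Session is private;   --  "boundary" invariant lives on the full view

   function Bytes_Sent (S : Session) return Byte_Count;
   function Remaining  (S : Session) return Byte_Count;

   --  Ghost function exposing the state of the open/send/close automaton
   function Is_Open (S : Session) return Boolean with Ghost;

   --  Correct sequencing: Open, then any number of Send, then Close
   procedure Open (S : in out Session) with
     Pre  => not Is_Open (S),
     Post => Is_Open (S);

   --  Correct input context: the caller must stay within the quota
   procedure Send (S : in out Session; Chunk : Span) with
     Pre  => Is_Open (S) and then Length (Chunk) <= Remaining (S),
     Post => Is_Open (S)
       and then Bytes_Sent (S) = Bytes_Sent (S)'Old + Length (Chunk);

   procedure Close (S : in out Session) with
     Pre  => Is_Open (S),
     Post => not Is_Open (S);

private

   --  Hidden from clients: sent and remaining bytes always sum to Quota
   type Session is record
      Open_Flag : Boolean    := False;
      Sent      : Byte_Count := 0;
      Left      : Byte_Count := Quota;
   end record
     with Type_Invariant => Session.Sent + Session.Left = Quota;

   function Bytes_Sent (S : Session) return Byte_Count is (S.Sent);
   function Remaining  (S : Session) return Byte_Count is (S.Left);
   function Is_Open    (S : Session) return Boolean    is (S.Open_Flag);

end Sessions;

package body Sessions with SPARK_Mode is

   procedure Open (S : in out Session) is
   begin
      S.Open_Flag := True;
   end Open;

   procedure Send (S : in out Session; Chunk : Span) is
      N : constant Positive := Length (Chunk);
   begin
      --  The type invariant is violated between these two assignments,
      --  which SPARK allows inside the unit; it must hold again on return.
      --  Both range checks follow from the precondition and the invariant.
      S.Sent := S.Sent + N;
      S.Left := S.Left - N;
   end Send;

   procedure Close (S : in out Session) is
   begin
      S.Open_Flag := False;
   end Close;

end Sessions;

with Sessions; use Sessions;

--  Client code: a default-initialized Session is closed, so the call
--  sequence below satisfies every precondition
procedure Demo with SPARK_Mode is
   S : Session;
begin
   Open (S);
   Send (S, (First => 0, Last => 511));   --  512 bytes, well under Quota
   Close (S);
end Demo;
```

Swapping the Open and Send calls in Demo, or sending more than Remaining (S), is reported by gnatprove as a failed precondition rather than being caught at run time.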
Stretch Goals with Program Proof
• Prove full functional behavior
• Prove the implementation of complex data structures
  • absence of runtime errors
  • data invariants respected
  • functional behavior
• Prove numerical algorithms
  • exact result of computations
  • bounds on the approximation wrt mathematical computation
Prove Full Functional Behavior
Need to express the specification as contracts, usually as a form of refinement:
• concrete types refine an ideal model (mathematical integers, sets, maps…)
• concrete implementation respects the ideal computation on models
• contracts can use quantification and abstraction
Best practices: no existential quantifiers, abstract important properties
Need to write ghost code (assertions, loop invariants) through interaction with automatic provers
Example: sorting algorithms
• ideal model of bag / multiset
• sorting preserves model
• property uses quantification
• property should use abstraction: being sorted on subrange, being the maximum on subrange
With suitable properties, and a little adequate ghost code, this is easily proved by automatic provers
https://blog.adacore.com/i-cant-believe-that-i-can-prove-that-it-can-sort
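The “maximum on a subrange” abstraction named above, worked through as an added example that is not code from the talk or the linked blog post: a ghost expression function names the property, the postcondition states it with a universal quantifier, and a single loop invariant is the only ghost code the provers need. The unit and its names (Max_Search, Is_Max_On, Max_Index) are assumptions of this example.

```ada
package Max_Search with SPARK_Mode is

   type Index     is range 1 .. 1_000;
   type Int_Array is array (Index range <>) of Integer;

   --  Abstraction: A (K) is a maximum of A over the subrange From .. To.
   --  Stating it once as a named ghost function keeps the postcondition
   --  and the loop invariant short and lets the provers reuse it.
   function Is_Max_On (A : Int_Array; K, From, To : Index) return Boolean is
     (K in From .. To
      and then (for all J in From .. To => A (J) <= A (K)))
   with Ghost,
        Pre => From in A'Range and then To in A'Range;

   --  Full functional contract: the result indexes a maximal element
   function Max_Index (A : Int_Array) return Index with
     Pre  => A'Length > 0,
     Post => Is_Max_On (A, Max_Index'Result, A'First, A'Last);

end Max_Search;

package body Max_Search with SPARK_Mode is

   function Max_Index (A : Int_Array) return Index is
      Best : Index := A'First;
   begin
      for I in A'Range loop
         if A (I) > A (Best) then
            Best := I;
         end if;
         --  Ghost code: the property holds on the prefix scanned so far;
         --  at I = A'Last this is exactly the postcondition
         pragma Loop_Invariant (Is_Max_On (A, Best, A'First, I));
      end loop;
      return Best;
   end Max_Index;

end Max_Search;
```

The same shape (named ghost property, quantified postcondition, prefix loop invariant) is what a selection sort's inner search needs; the bag model for the whole sort then adds the multiset-preservation part.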
Prove Complex Data Structures
Need to structure the code to separate concerns:
• different types provide different views of the data with different models
• complexity is encapsulated at each level through abstraction
Best practices: use privacy to hide implementation and verification details
Need to write ghost code (lemmas for induction) through interaction with automatic provers
Example: red-black trees for bare-metal
• level 1: binary trees
• level 2: sorted trees
• level 3: balanced trees
• properties at each level encoded as type invariants on private types
size of contracts = 2 x size of code
size of ghost code = 5 x size of code
Implementation constraints matter: the same data structure with dynamic allocation has four times less ghost code
https://blog.adacore.com/research-corner-auto-active-verification-in-spark
Prove Numerical Algorithms
Algorithms on integers:
• refine mathematical operations
• efficient implementations on machine integers require bitwise manipulations
Exploit dedicated support of bitvectors in automatic provers
Algorithms on reals:
• implement control algorithms
• expectation is to remain “close” to the ideal computation on reals despite rounding errors and approximations
Exploit dedicated support of floats in automatic provers
Example: multi-place integer arithmetic
• mix of signed integers and modular integers
• a lot of non-linear operations (multiplications, shifting, division, mod)
size of contracts = 0.15 x size of code
size of ghost code = 5 x size of code
Proof of ≈100 lemmas requires use of all four automatic provers: Alt-Ergo, COLIBRI, cvc5, Z3
https://blog.adacore.com/proving-the-correctness-of-gnat-light-runtime-library
Challenges with Program Proof
• Left-Over Principle of automation
  • automation fails humans on the more complex cases
  • solution: better interaction mechanisms
• Predictability of proof results
  • automatic provers are based on heuristic search
  • solution: know the low-hanging fruits from the stretch goals
• Stability of proof results
  • minor changes in code or tool can lead to losing proofs
  • solution: prover redundancy and advances in automatic proof technology
The Verifying Compiler
If the project is successful, a verifying compiler will be available as a standard tool in some widely used programming productivity toolset.
Sir Tony Hoare, Journal of the ACM, 2003
Thank you
Yannick Moy
moy@adacore.com
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Pushing the Boundary of Mostly Automatic Program Proof

Pushing the Boundary of Mostly Automatic Program Proof
Yannick Moy
Copyright © AdaCore
High Integrity Software 2022 Conference - October 11, 2022

The Verifying Compiler

A verifying compiler uses mathematical and logical reasoning to check the correctness of the programs that it compiles.
Sir Tony Hoare, Journal of the ACM, 2003

The Verifying Compiler in Practice

Our formally verified microkernel, seL4, is now used across the world in a number of applications that keeps growing.
June Andronick, Successes in Deployed Verified Software, 2019

The Auto-Active Approach
• Use programming language as specification language
• Leverage array of automatic provers
• Limit specifications to what can be “mostly” automated
• Use “ghost code” to reach fully automatic proof

The Auto-Active Approach in SPARK
• Use Ada as programming language and specification language (contracts)
• Leverage automatic provers Alt-Ergo, COLIBRI, cvc5, Z3
• Specifications are limited by the language (“contracts”) and best practices
• Code marked as “ghost” is only used for verification

Low-Hanging Fruits with Program Proof
• Absence of runtime errors
  • no exception raised (predefined or explicitly in the code)
  • no reads of uninitialized data
• Correct API usage
  • correct input context when calling functions
  • correct sequencing of calls on data
• Data invariants respected
  • “permanent” invariants that should hold always
  • “boundary” invariants that should hold for client code

Absence of Runtime Errors

The SPARK programming language has constraints and specification features that make it straightforward:
• memory safety amounts to checking non-nullity of pointers and that indexes are in bounds
• numerical type safety amounts to checking that computations don’t divide by zero or exceed bounds
(Integer) (Linear) arithmetic is a strong suit of automatic provers

Initialization is in general guaranteed by sticking to an initialization policy checked by a data-flow algorithm
More complex initialization patterns require specifying:
• what parts of objects are initialized
• under which conditions
A mix of boolean conditions and arithmetic is a strong suit of automatic provers

Correct API Usage

Correct input context:
• values of parameters respect conditions beyond type safety
• lifetime of pointer parameters is consistent with their use
• relations between parameters are respected
• global state respects constraints
Preconditions usually rely on a mix of arithmetic and boolean conditions

Correct sequencing of calls is expressed in preconditions and postconditions:
• state of parameters w.r.t. the prescribed automaton
• global state w.r.t. the prescribed automaton
Possibly using imported ghost functions to express state
Resource reclamation (e.g. dynamic memory deallocation)
Based on simple boolean conditions

Data Invariants Respected

Type predicates (“permanent” invariants) always hold:
• subset of values from the base type
• conditions on bounds of arrays
• relations between fields of structures (e.g. inequality comparisons)
• conditions on field initialization
Same mix of arithmetic and boolean conditions as before

Type invariants (“boundary” invariants) only hold outside the unit:
• possibly violated locally
• restored before returning to client
Used to hide the data invariant from the client unit
Same kinds of properties as predicates
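As an added illustration of the three low-hanging fruits above (example code written for this page, not code from the talk or from AdaCore): a bounded byte queue in SPARK whose contracts discharge the run-time checks, constrain API usage through Pre/Post, and carry a permanent invariant (type predicate) and a boundary invariant (type invariant). The package, its subprograms and the Stats record are hypothetical names.

```ada
pragma SPARK_Mode (On);

--  Hypothetical bounded byte queue written for this page (not code from
--  the talk): contracts cover the three "low-hanging fruits" above.
package Byte_Queue is

   Capacity : constant := 16;

   type Byte   is mod 2**8;
   type Slot   is mod Capacity;   --  wraps around: a Slot index is always in bounds
   type Length is range 0 .. Capacity;

   type Queue is private;

   function Size     (Q : Queue) return Length;
   function Is_Empty (Q : Queue) return Boolean is (Size (Q) = 0);
   function Is_Full  (Q : Queue) return Boolean is (Size (Q) = Capacity);

   --  Correct API usage: the caller must prove the precondition (a value
   --  condition beyond type safety); the postcondition gives the new Size.
   procedure Push (Q : in out Queue; B : Byte)
     with Pre  => not Is_Full (Q),
          Post => Size (Q) = Size (Q)'Old + 1;

   procedure Pop (Q : in out Queue; B : out Byte)
     with Pre  => not Is_Empty (Q),
          Post => Size (Q) = Size (Q)'Old - 1;

   --  "Permanent" invariant: a predicate every Stats value carries, so
   --  Average divides without its division check ever failing.
   type Stats is record
      Samples : Natural;   --  how many Size readings were taken
      Total   : Natural;   --  their sum
   end record
     with Dynamic_Predicate => Stats.Samples > 0;

   function Average (S : Stats) return Natural is (S.Total / S.Samples);

private

   type Byte_Array is array (Slot) of Byte;

   --  "Boundary" invariant: Tail is redundant with Head and Count. It may be
   --  stale in the middle of Push/Pop but must hold whenever a client sees
   --  a Queue; SPARK checks it at every return from a public subprogram.
   type Queue is record
      Data  : Byte_Array := (others => 0);
      Head  : Slot   := 0;
      Tail  : Slot   := 0;
      Count : Length := 0;
   end record
     with Type_Invariant =>
       Queue.Tail = Queue.Head + Slot (Queue.Count mod Capacity);

   function Size (Q : Queue) return Length is (Q.Count);

end Byte_Queue;

package body Byte_Queue with SPARK_Mode is

   procedure Push (Q : in out Queue; B : Byte) is
   begin
      Q.Data (Q.Tail) := B;      --  index check: holds by the Slot type
      Q.Tail  := Q.Tail + 1;     --  modular wrap-around instead of an overflow
      --  Tail now disagrees with Count: invariant temporarily violated
      Q.Count := Q.Count + 1;    --  range check: Pre gives Count < Capacity
   end Push;

   procedure Pop (Q : in out Queue; B : out Byte) is
   begin
      B       := Q.Data (Q.Head);
      Q.Head  := Q.Head + 1;
      Q.Count := Q.Count - 1;    --  range check: Pre gives Count > 0
   end Pop;

end Byte_Queue;
```

Spec and body are shown together for reading; gnatprove expects them in separate .ads and .adb files.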
Stretch Goals with Program Proof
• Prove full functional behavior
• Prove the implementation of complex data structures
  • absence of runtime errors
  • data invariants respected
  • functional behavior
• Prove numerical algorithms
  • exact result of computations
  • bounds on the approximation w.r.t. the mathematical computation

Prove Full Functional Behavior

Need to express the specification as contracts, usually as a form of refinement:
• concrete types refine an ideal model (mathematical integers, sets, maps…)
• concrete implementation respects the ideal computation on models
• contracts can use quantification and abstraction
Best practices: no existential, abstract important properties
Need to write ghost code (assertions, loop invariants) through interaction with automatic provers

Example: sorting algorithms
• ideal model of bag / multiset
• sorting preserves the model
• property uses quantification
• property should use abstraction: being sorted on a subrange, being the maximum on a subrange
With suitable properties, and a little adequate ghost code, this is easily proved by automatic provers
https://blog.adacore.com/i-cant-believe-that-i-can-prove-that-it-can-sort

Prove Complex Data Structures

Need to structure the code to separate concerns:
• different types provide different views of the data with different models
• complexity is encapsulated at each level through abstraction
Best practices: use privacy to hide implementation and verification details
Need to write ghost code (lemmas for induction) through interaction with automatic provers

Example: red-black trees for bare-metal
• level 1: binary trees
• level 2: sorted trees
• level 3: balanced trees
• properties at each level encoded as type invariants on private types
size of contracts = 2 x size of code
size of ghost code = 5 x size of code
Implementation constraints matter: the same with dynamic allocation has four times less ghost code
https://blog.adacore.com/research-corner-auto-active-verification-in-spark

Prove Numerical Algorithms

Algorithms on integers:
• refine mathematical operations
• efficient implementations on machine integers require bitwise manipulations
Exploit dedicated support of bitvectors in automatic provers

Algorithms on reals:
• implement control algorithms
• expectation is to remain “close” to the ideal computation on reals despite rounding errors and approximations
Exploit dedicated support of floats in automatic provers

Example: multi-place integer arithmetic
• mix of signed integers and modular integers
• a lot of non-linear operations (multiplications, shifting, division, mod)
size of contracts = 0.15 x size of code
size of ghost code = 5 x size of code
Proof of ≈100 lemmas requires use of all four automatic provers: Alt-Ergo, COLIBRI, cvc5, Z3
https://blog.adacore.com/proving-the-correctness-of-gnat-light-runtime-library

Challenges with Program Proof
• Left-Over Principle of automation
  • automation fails humans on the more complex cases
  • solution: better interaction mechanisms
• Predictability of proof results
  • automatic provers are based on heuristic search
  • solution: know the low-hanging fruits from the stretch goals
• Stability of proof results
  • minor changes in code or tool can lead to losing proofs
  • solution: prover redundancy and advances in automatic proof technology

The Verifying Compiler

If the project is successful, a verifying compiler will be available as a standard tool in some widely used programming productivity toolset.
Sir Tony Hoare, Journal of the ACM, 2003