Latest Advances in AdaCore Static Analysis Tools 
Presented by Arnaud Charlet
What is Static Analysis? 
• Basic Static Analysis: coding standard checking, metrics, compiler warnings and style checks 
• Advanced Static Analysis: symbolic execution/interpretation of source code, whole program analysis to perform software verification 
• Formal Verification: verify high level or abstract properties on your application, give strong guarantees
Why Use Static Analysis? 
• Make software more reliable at reasonable cost 
• Full coverage of your code 
• No missed checks (no “false negatives”): a sound analysis reports every potential violation of the properties it checks 
• Anticipate problems (get results before testing) 
• Automate part of code review 
• Express and verify your requirements and architecture
CodePeer Overview 
• Advanced static analysis tool for Ada 
• Also includes basic static analysis (gnatcheck, gnatmetric) 
• Detects runtime and logic errors 
• Buffer overflow, division by zero, dead code, … 
• Analyzes complete or partial programs (full Ada) 
• Generates human readable annotations
Why Use CodePeer? 
• Early testing (detect errors earlier on code modifications/new code) 
• Find bugs (on existing code) 
• Impact analysis 
• Code review: help focusing on potential problems/complex code
Why Use CodePeer? 
• Race conditions 
• Provide evidence for program verification
SPARK Overview 
• Formal verification tool and language developed by AdaCore and Altran 
• Subset of Ada 2012: no pointers, no exceptions 
• New aspects, pragmas, attributes 
• Can add (executable) contracts for more precise analysis 
• Can combine test and proof at subprogram level 
• Allows 100% automatic proof
Why Use SPARK? 
• Guarantee no runtime errors, no uninitialized variables 
• Functional verification 
• Check data flows (data coupling) 
• Express and verify high level properties
Why Use SPARK? 
When starting from existing code: 
• You can start by adding incrementally annotations (pre/post) 
• Get immediate benefit from tests 
• Incrementally get additional benefits from the SPARK toolset
Why Use SPARK? 
When (re)writing (new) code: 
• Express your requirements in a way that can be reviewed by humans, checked by testing, and verified by SPARK 
• Express your software architecture, and verify it automatically
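The following is an added example, not code from the slides or from AdaCore: a bounded stack written in the SPARK subset, with executable Pre/Post contracts that double as the argument for absence of runtime errors, and Global/Depends aspects that state the data coupling the tools check. All package and identifier names are made up for illustration.

```ada
--  Added example (not from the slides): a bounded stack whose executable
--  contracts (Pre/Post) are the runtime-safety argument, and whose
--  Global/Depends aspects state the data coupling GNATprove verifies.
package Bounded_Stack with SPARK_Mode is

   Capacity : constant := 8;
   subtype Count is Natural range 0 .. Capacity;
   subtype Index is Count range 1 .. Capacity;
   type Item_Array is array (Index) of Integer;

   type Stack is record
      Items : Item_Array := (others => 0);
      Used  : Count := 0;
   end record;

   function Is_Full (S : Stack) return Boolean is (S.Used = Capacity);
   function Is_Empty (S : Stack) return Boolean is (S.Used = 0);

   --  The precondition is what makes the index S.Used + 1 provably in range:
   --  every caller has to discharge "not Is_Full (S)", so the overflow that a
   --  full-Ada analysis can only report as "possible" is ruled out by proof.
   procedure Push (S : in out Stack; X : Integer) with
     Global  => null,
     Depends => (S => (S, X)),
     Pre     => not Is_Full (S),
     Post    => S.Used = S'Old.Used + 1
                and then S.Items (S.Used) = X
                and then (for all I in 1 .. S'Old.Used =>
                            S.Items (I) = S'Old.Items (I));

   procedure Pop (S : in out Stack; X : out Integer) with
     Global  => null,
     Depends => (S => S, X => S),
     Pre     => not Is_Empty (S),
     Post    => S.Used = S'Old.Used - 1
                and then X = S'Old.Items (S'Old.Used);

end Bounded_Stack;

package body Bounded_Stack with SPARK_Mode is

   procedure Push (S : in out Stack; X : Integer) is
   begin
      S.Used := S.Used + 1;        --  in range: Pre gives S.Used < Capacity
      S.Items (S.Used) := X;       --  index check: 1 <= S.Used <= Capacity
   end Push;

   procedure Pop (S : in out Stack; X : out Integer) is
   begin
      X := S.Items (S.Used);       --  Pre gives S.Used >= 1
      S.Used := S.Used - 1;
   end Pop;

end Bounded_Stack;
```

The spec and body go in separate files (bounded_stack.ads and bounded_stack.adb; gnatchop splits a listing like this one). Because the contracts are ordinary Ada 2012 expressions they are executed under test when the code is compiled with -gnata, and proved by running gnatprove -P on the project; the same text therefore serves "checked by testing" and "verified by SPARK" from the slide, and the two Depends clauses are the data-coupling statement that the tool checks against the bodies.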
SPARK vs. CodePeer 
SPARK: 
• Ada subset (no pointers/exceptions) 
• Requires more effort (add contracts) 
• Find (and prove) all runtime errors 
• Verify functional correctness and security properties 
CodePeer: 
• Full Ada 
• Very easy to run (easier than writing tests) 
• Find possible runtime errors and suspicious code worth reviewing 
• No functional error detection 
• Can tune level of detection/false alarms
Next Release 
SPARK 15.0 and CodePeer 3.0
What’s New in SPARK 15.0 
• Improved proof capability 
• Improved user interface 
• New language features
Improved Proof Capability 
• Local subprograms can be used without contracts 
• Improved parallelism 
• Use of Ada functions in contracts 
• Improved handling of arrays, integers, floating-point
Improved User Interface 
• Improved handling of error and warning messages 
• More precise generation of contracts (Globals/Depends) 
• Support for manual provers (e.g. Coq, Isabelle) 
• Computation and display of remaining assumptions 
• Improved documentation (examples, tutorials, …)
New Language Features 
• Support for tagged types and dynamic dispatching 
• Library of (un)bounded indefinite containers 
• Support for dynamic constants/types 
• Improved usability of volatile objects 
• Support for simple raise statements 
• Support for proof-only (“ghost”) code
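An added example, not from the slides or from AdaCore, of the proof-only code mentioned in the last bullet: a ghost function that may only be used in contracts, assertions and other ghost code, a postcondition built on it, and the loop invariant that lets the body be proved. Package and identifier names are made up.

```ada
--  Added example (not from the slides): ghost code in SPARK. The ghost
--  function exists for specification and proof only; with assertions
--  disabled no object code is generated for it, and the compiler rejects
--  any use of it from non-ghost code.
package Search with SPARK_Mode is

   type Int_Array is array (Positive range <>) of Integer;

   function Contains (A : Int_Array; V : Integer) return Boolean is
     (for some I in A'Range => A (I) = V)
   with Ghost;

   --  Returns the first index holding V, or 0 when V is absent.
   --  The postcondition is the functional requirement; Contains keeps it
   --  readable without paying for the quantifier in production builds.
   function Find (A : Int_Array; V : Integer) return Natural with
     Post => (if Find'Result = 0 then not Contains (A, V)
              else Find'Result in A'Range
                   and then A (Find'Result) = V
                   and then (for all J in A'First .. Find'Result - 1 =>
                               A (J) /= V));

end Search;

package body Search with SPARK_Mode is

   function Find (A : Int_Array; V : Integer) return Natural is
   begin
      for I in A'Range loop
         if A (I) = V then
            return I;
         end if;
         --  Carries "not seen so far" across iterations; on normal loop exit
         --  it covers all of A'Range, which is what proves "not Contains".
         pragma Loop_Invariant (for all J in A'First .. I => A (J) /= V);
      end loop;
      return 0;
   end Find;

end Search;
```

Without the Loop_Invariant the prover has nothing to connect the individual comparisons to the postcondition, so the "not Contains" branch stays unproved; the invariant is the usual price of automatic proof for loops, and it is also executable, so a test run with -gnata checks it on every iteration.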
What’s New in CodePeer 3.0 
• DO178B and EN50128 qualification 
• Support for IEEE 754 floating point semantics 
• Symbolic debugger 
• Enhanced project file support 
• Improved support for non-GNAT compilers 
• Enhanced Messages
DO178B Qualification 
• CodePeer can be used to automate part of DO178B 6.3.4.f, “Accuracy and consistency”, whose objective is to determine the correctness and consistency of the Source Code 
• Qualified as a verification tool (TQL 5 in DO178C) 
• Most checks have been qualified: overflow, range, index, division by zero, uninitialized variables 
• Generation of a detailed report file (date of run, switches, messages, limitations, …)
EN50128 Qualification 
• Qualified as a tool class T2 
• Boundary value analysis 
• Null dereference, buffer overflow, numeric overflow, … 
• Control flow analysis 
• Unreachable code, redundant conditionals, … 
• Data flow analysis 
• Uninitialized variables, redundant assignments, …
IEEE 754 Floating Point 
• CodePeer used to approximate floating point using infinite precision values (mathematical results) 
• This could lead to missing potential errors, or false alarms 
• IEEE 754 rounding and loss of precision now taken into account 
• Reliable detection of possible overflows, division by zero 
• Understand properties of mathematical functions (cos, sin, sqrt, …)
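An added example, not from the slides or from AdaCore, of the kind of error an infinite-precision model misses and an IEEE 754 model finds: a division that can never be by zero over the reals but is by zero in 32-bit Float. The procedure and the input values are constructed for illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

--  Added example (not from the slides): safe over the reals, division by
--  zero under IEEE 754 single precision.
procedure Float_Gap is

   --  Mathematically (X + Step) - X = Step, so for Step > 0.0 the divisor is
   --  never zero and an analyser modelling reals reports nothing here.
   --  In 32-bit Float, a Step below half an ulp of X makes X + Step round
   --  back to X, and the divisor is exactly 0.0.
   function Rate (X, Step : Float) return Float is
      Next : constant Float := X + Step;
   begin
      return 1.0 / (Next - X);
   end Rate;

   --  Hardened version: decide on the rounded difference that is actually
   --  divided, not on the mathematical one.
   procedure Safe_Rate
     (X, Step : Float; Result : out Float; OK : out Boolean) is
      Diff : constant Float := (X + Step) - X;
   begin
      if Diff = 0.0 then
         Result := 0.0;
         OK     := False;
      else
         Result := 1.0 / Diff;
         OK     := True;
      end if;
   end Safe_Rate;

   --  Half an ulp of 1.0 is about 6.0E-8 for Float; 1.0E-10 is far below it.
   Tiny : constant Float := 1.0E-10;
   R    : Float;
   OK   : Boolean;

begin
   Safe_Rate (1.0, Tiny, R, OK);
   Put_Line ("Safe_Rate: "
             & (if OK then Float'Image (R) else "divisor rounded to zero"));

   --  Either raises Constraint_Error (when Float'Machine_Overflows is True
   --  for the target, e.g. GNAT with -gnateF) or silently returns +Inf.
   Put_Line ("Rate: " & Float'Image (Rate (1.0, Tiny)));
end Float_Gap;
```

The point for review is the second call: whether it raises or quietly produces an infinity that propagates into later arithmetic depends on the target's Float'Machine_Overflows, which is why a tool that reasons about the rounded values rather than the mathematical ones is needed to flag the division at all.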
Symbolic Debugger 
• Display of Backtraces on precondition messages 
• Display of possible values for any variable
Enhanced Project File Support 
• Aggregate projects 
• Specifying main files on command line 
• Analyzing closure of project 
• Excluding some files from analysis 
• Improved documentation on getting started with project files
Support for Other Compilers 
• Compiler specific libraries 
• Support for a target configuration file 
• Ability to generate a target configuration file using target compiler 
• Support for Ada 83 non-portable or invalid code
Enhanced Messages 
• New message: check on possible parameter aliasing 
• New filter on security related vulnerabilities 
• Support for CWE (Common Weakness Enumeration, cwe.mitre.org) 
• Compiler-like behavior: file by file quick incremental analysis 
• More accurate messages, fewer false positives
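An added example, not from the slides or from AdaCore, of the parameter aliasing the new check targets: a call that passes the same object as an in parameter and an in out parameter. For this array type Ada does not specify whether parameters are passed by copy or by reference, and reading through one access path after writing through another is a bounded error (RM 6.2), so the result can differ between compilers and optimisation levels. The procedure and data are constructed for illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

--  Added example (not from the slides): a call whose result depends on
--  parameter aliasing, beside a version that is immune to it.
procedure Aliasing_Demo is

   type Vec is array (1 .. 4) of Integer;

   --  Writes Src shifted right by one element into Dst.
   --  Correct when Src and Dst are distinct objects. When the caller passes
   --  the same object for both, each Src (I - 1) read may see the value
   --  written to Dst (I - 1) one iteration earlier (by reference) or the
   --  original value (by copy).
   procedure Shift_Into (Src : Vec; Dst : in out Vec) is
   begin
      for I in 2 .. Vec'Last loop
         Dst (I) := Src (I - 1);
      end loop;
      Dst (1) := 0;
   end Shift_Into;

   --  Hardened: snapshot the input before the first write, so the result is
   --  the same whatever the passing mechanism. (SPARK rejects the aliased
   --  call outright; this is the fix for full-Ada code.)
   procedure Shift_Into_Safe (Src : Vec; Dst : out Vec) is
      Snapshot : constant Vec := Src;
   begin
      for I in 2 .. Vec'Last loop
         Dst (I) := Snapshot (I - 1);
      end loop;
      Dst (1) := 0;
   end Shift_Into_Safe;

   procedure Show (Label : String; V : Vec) is
   begin
      Put (Label & ":");
      for E of V loop
         Put (Integer'Image (E));
      end loop;
      New_Line;
   end Show;

   A : Vec := (1, 2, 3, 4);
   B : Vec := (1, 2, 3, 4);

begin
   --  Aliased call: (0 1 2 3) if Vec is passed by copy, (0 1 1 1) if by
   --  reference, since each iteration then reads the element just written.
   Shift_Into (A, A);
   Show ("Shift_Into (A, A)", A);

   --  Same aliasing, deterministic result (0 1 2 3) in both cases.
   Shift_Into_Safe (B, B);
   Show ("Shift_Into_Safe (B, B)", B);
end Aliasing_Demo;
```

The compiler cannot reject Shift_Into (A, A), because Ada's compile-time anti-aliasing rule only covers in out and out parameters of elementary types; whole-program analysis is what is needed to find calls like this across the code base, which is the role of the new message.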
Future Plans 
SPARK 16.0 and CodePeer 3.1
SPARK 16.0 
• Generation of counter examples 
• Integration with tests 
• Symbolic debugger 
• Improved proof 
• Support for tasking
CodePeer 3.1 
• Detection of dangling references 
• Incremental (re)analysis 
• Integration with GNATtest 
• New HTML interface 
• Integration with Jenkins
Questions?

GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
