[Slide 1] Source: fm2012.cnam.fr/fm2012/ID2012-Yannick-Moy.pdf · 2013. 6. 18.
The Future of Formal Software Verification in Avionics
Yannick Moy
Formal Methods 2012 Industry Day
[Slide 2]
Background
[Slide 3]
"Formal methods […] might be the primary source of evidence for the satisfaction of many of the objectives concerned with development and verification."
2011: Formal Methods Supplement (DO-333)
DO-178C: formal methods can replace testing
[Slide 4]
Programming Contracts
{P} C {Q}: Hoare logic (1969)
logic contracts for proofs: SPARK (1987)
executable contracts for tests: Eiffel DbC (1986)
Hi-Lite: executable annotation language???
[Slide 5]
Project
[Slide 6]
Ada 2012
[Slide 7]
[Slide 8]
GNAT compiler support for Ada 2012
• Run-time checking of new assertions
• New aspect to formally specify test cases
• New switch to choose semantics of integers in assertions, e.g. unbounded integers or largest machine integers
• New library of containers adapted to formal verification (lists, sets, maps, vectors)
• New run-time checks for integrating tests and proofs
[Slide 9]
Proof + Test
[Slide 10]
Testing vs. Formal Verification
[Diagram: units P, Q and R, with P calling Q]
Formal verification, P calls Q:
- on the caller side (P): prove pre of Q, assume post of Q
- on the callee side (Q): assume pre of Q, prove post of Q
- global soundness argument: all functions proved, all assumptions justified
Testing, P calls Q:
- use Q code: actual body of Q, or stub…
- cover P constructs
- local exhaustivity argument: each function covered, enough behaviors explored
[Slide 11]
Combining tests and proofs
verification combining tests and proofs should be AT LEAST AS GOOD AS verification based on tests only
[Diagram: P calls Q and Q calls P; P is tested, Q is proved]
How do we justify assumptions made during proof?
[Slide 12]
Combination 1: tested calls proved
[Diagram: P calls Q; P is tested, Q is proved]
during testing: check that precondition of Q is respected
assumption for proof: precondition of Q is respected
[Slide 13]
Combination 2: proved calls tested
[Diagram: Q calls P; P is tested, Q is proved]
during testing: check that postcondition of P is respected
assumption for proof: postcondition of P is respected
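Combinations 1 and 2 in Ada 2012 contracts, as an added example written for this page (not code from the talk or the Hi-Lite project): Avg stands in for the proved unit Q, Smooth for the tested unit P, and the unit names, inputs and build line are assumptions. With assertions enabled, every call P makes during its tests checks Q's precondition at run time, which is the "during testing" step that justifies the assumption the proof of Q made; the same switch checks P's postcondition for Combination 2.

```ada
--  Combination 1 (tested calls proved), illustrative example for this page.
--  Build with assertions enabled so Pre/Post are checked at run time:
--     gnatmake -gnat12 -gnata demo.adb
with Ada.Text_IO;
with Ada.Assertions;

procedure Demo is

   --  Q: the proved unit (hypothetical). GNATprove assumes Pre when
   --  proving the body and proves Post; the same Pre is checked on every
   --  call while P's tests run, which is what justifies that assumption.
   function Avg (A, B : Natural) return Natural
     with Pre  => A <= Natural'Last / 2 and then B <= Natural'Last / 2,
          Post => Avg'Result >= Natural'Min (A, B)
                  and then Avg'Result <= Natural'Max (A, B);

   function Avg (A, B : Natural) return Natural is
   begin
      return (A + B) / 2;   --  no overflow is possible under Pre
   end Avg;

   --  P: the tested unit (hypothetical). It is not proved; testing must
   --  cover its constructs and, via the run-time check, show that each
   --  call it makes respects the precondition of Avg.
   function Smooth (Prev, Cur : Natural) return Natural is
   begin
      return Avg (Prev, Cur);
   end Smooth;

   --  One test case of P. A violated precondition of Q surfaces as
   --  Assertion_Error, i.e. a test failure, not a silent wrong result.
   procedure Run_Case (Prev, Cur : Natural) is
   begin
      Ada.Text_IO.Put_Line
        ("Smooth" & Natural'Image (Prev) & Natural'Image (Cur)
         & " =" & Natural'Image (Smooth (Prev, Cur)));
   exception
      when Ada.Assertions.Assertion_Error =>
         Ada.Text_IO.Put_Line
           ("Pre of Avg violated: proof assumption not justified by P");
   end Run_Case;

begin
   Run_Case (1_000, 3_000);       --  within Pre of Avg
   Run_Case (Natural'Last, 10);   --  P hands Q an input outside its Pre
end Demo;
```

The second call is the case the slides warn about: the proof of Avg is sound only under its precondition, and without the run-time check a test of Smooth would pass while silently invalidating that assumption.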
[Slide 14]
Caution: contracts are not only pre/post!
- data dependences
- parameters not aliased
- parameters initialized
- strong typing
Testing must check additional properties
Done by compiler instrumentation
[Slide 15]
Testing + Formal Verification
[Diagram: units P (tested), Q (proved) and R (proved)]
global soundness argument:
- proof: assumptions proved
- test: assumptions tested
local exhaustivity argument:
- test: function covered
- proof: by nature of proof
[Slide 16]
GNAT toolsuite
- GNAT compiler: executable
- GNATtest: unit testing
- GNATprove: unit proof
- GNATmerge: aggregate results
[Slide 17]
GNATmerge result
[Slide 18]
Conclusion
[Slide 19]
Airbus 5 “must-have” of formal methods
• Soundness
• Applicability to the code
• Usability by normal engineers on normal computers
• Improve on classical methods
• Certifiability
current work
[Slide 20]
Project Partners
[Slide 21]
www.open-do.org/projects/hi-lite