PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 1

Getting Startedwith SPARK

Rod Chapman, Praxis High Integrity Systems

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 2

Agenda

•What is SPARK?

•SPARK Pro, GPL and GAP

•Teaching SPARK

•Current research with SPARK

•Demo – visualizing Hoare-Logic with SPARK and GraphViz

•Questions

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 3

What is SPARK?

•SPARK is…

•A programming language,

•A set of static verification tools,

•A design approach for high-assurance software,

•A means of enforcing discipline in software process.

•…All of the above

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 4

SPARK

•What’s special about SPARK?

•SPARK takes the unusual step of designing a programming language from scratch with verification as the primary design goal.

•SPARK has mathematical, formal, and unambiguous semantics, therefore…

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 5

SPARK

•The SPARK tools provide verification which is

•Sound (no “false negatives”)

•Complete (very few “false alarms”)

•Deep (tells you something useful)

•Fast (tells you it now)

•Modular (for incomplete programs)

•No other language and toolset can offer this combination.

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 6

SPARK

•No other language and toolset can offer this combination.

•How?

•The language design deliberately excludes features that are hard or impossible to analyse.

•The SPARK languages embodies a strict subset of Ada, with a system of contracts that enable modular and efficient verification.

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 7

What’s the catch?

•As ever, there’s no free lunch.

•You must have the discipline to adopt, learn and use SPARK properly.

•SPARK is most suited to high-assurance embedded, critical and real-time systems, not web servers or database applications (yet…)

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 8

SPARK Applications

•SPARK is most widely used in high-assurance embedded systems, such as

• Commercial Avionics (Rolls-Royce, LM C130J…)

• Military Avionics (EuroFighter Typhoon, AerMacchi M346…)

• Rail Signalling (ALSTOM, Invensys…)

• High-Grade Secure Systems (Rockwell-Collins, NSA, CESG, NATO C3 Agency…)

•While SPARK is most commonly associated with safety-critical systems, its roots actually come from the info-sec community (e.g. 1977 CACM paper on info flow by Denning & Denning).

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 9

SPARK Pro, GPL and GAP

•There are two major releases of the technology, aimed at three communities:

• SPARK Pro is the professional, supported product from the AdaCore/Praxis partnership.

• SPARK GPL is aimed at the open-source community. No formal support.

• The AdaCore GAP Programme offers support to academic faculty using GNAT and/or SPARK GPL in teaching and research.

• All available with the GPL licence, so full availability of sources.

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 10

SPARK Pro, GPL and GAP

•This webinar will concentrate on the use of SPARK in the academic and open-source communities.

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 11

Teaching SPARK…

•So why teach SPARK?

•Well…SPARK can be seen as a vehicle for teaching:

• Safety-Critical Software Engineering

• Security-Critical Software Engineering

• Design-by-Contract™

• Embedded and Real-Time Systems

• “Formal Methods”

• Semantics and “Proof” of Programs

• Programming Language Design

•Oh…and there’s a good book…

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 12

Teaching SPARK…

•Examples:

• Manchester University, UK – SPARK used in first year undergraduate course to teach design-by-contract style programming. (Dr Kung-Kiu Lau).

• Kansas State University – Critical Systems course (Prof John Hatcliff).

• University of York, UK – SPARK used in post-graduate MSc in Safety-Critical Systems Engineering (Prof John McDermid and others).

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 13

Research with SPARK…

•SPARK provides a formal basis for many interesting research problems.

• As a target language for formal refinement.

• Theorem-Proving (e.g. SAT and SMTLib style provers).

• Counter-example finding.

• Automatic test-case generation.

• “Hard” language issues (e.g. generics, interfaces) currently beyond the SPARK subset.

• Proof of floating-point algorithms.

• Program slicing and visualization.

• Any many many more things that we haven’t even thought of yet…

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 14

Research with SPARK…

•Prior to SPARK GPL, it was difficult to use SPARK in research:

• Proprietary nature of tools

• Very little publicly visible SPARK code

•But…times have changed:

• GPL release of technology.

• “Open Source” Release of Tokeneer project as a model-example of SPARK code for research challenges.

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 15

Some current research projects

•Specification refinement from PVS (Prof John Knight, Virginia).

•Model-checking of Tokeneer security properties and (Prof Jim Woodcock, Uni of York).

•Program slicing and value-dependent information flow analysis (Prof John Hatcliff, KSU).

•SMTLib prover interface (Dr Paul Jackson, Uni of Edinburgh).

•Decision procedures for non-linear arithmetic in CVC3 prover (Dr Clark Barrett, NYU).

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 16

Demo – Visualizing Hoare-Logic withSPARK and GraphViz

•Teaching program verification can be kinda dull…especially if done “pencil and paper” style.

•Students like to have tools and pictures…

•SPARK GPL provides a means to visualize the semantics of SPARK and the action of the Verification Condition Generator using the GraphViz package.

•Demo time…

PARTNERSHIP

Copyright © 2009 Praxis & AdaCore 17

Questions and Answers

Contact details

GAP: gap-contact@adacore.com

www.adacore.com/home/academia

Tokeneer reports and downloads

www.adacore.com/tokeneer

SPARK Pro: sales@adacore.com

www.adacore.com/home/products/sparkpro