Re: [SystemSafety] systemsafety Digest, Vol 34, Issue 5

From: Steve Tockey < >
Date: Mon, 4 May 2015 20:57:33 +0000

Can static analysis catch this kind of defect:


From: jean-louis Boulanger <jean.louis.boulanger_at_xxxxxx Date: Monday, May 4, 2015 1:03 PM
To: Roderick Chapman <roderick.chapman_at_xxxxxx Subject: Re: [SystemSafety] systemsafety Digest, Vol 34, Issue 5

In the book "static analysis", I presented some trues experiences from railway and aeronautics with POLYSPACE, ASTREE and FRAMAC on industrial applications (from AIRBUS, DASSAULT and THALES) with very good results. in the example from THALES we replaced unit test and some integration tests by static analysis and properties verification ... in this application in C (pointer, complex data structures, one master and slave application produce by the same C code (used of #define) ...) it worked and it's possible to apply it to any code ... see the new DO 178 and the formal method book ...

2015-05-04 21:04 GMT+02:00 Roderick Chapman <roderick.chapman_at_xxxxxx

On 04/05/2015 16:42, systemsafety-request_at_xxxxxx lots of memory.
Derek's experience of strong static analysis may be based on retrospective analysis of badly written or unsubsetted C or C++, but that's nothing like our experience with SPARK.

The key is modularity and contracts in the programming language - get that right, and the rest falls into place. (Hint: start with a programming language which actually _has_ a module system... :-) ) Modularity also gets us the ability to aggressively parallelize the theorem-proving work, so the more processor cores you can throw at it the better...

Here's some data for an operational build of the NATS iFACTS system, published in our keynote at the ITP conference last year. The analysis basically shows that the software is "type safe" - meaning no crashes, no undefined behaviour, and no exceptions (including all buffer overflows, arithmetic overflows, range violations, and division by zero.)

Size: 250kloc logical of SPARK (measured by GNATMetric)

Verification Conditions: 152927

Completeness 98.76% are proven completely automatically by the "out of the box" SPARK toolset. The remainder are proved with either the addition of user-defined lemmas to help the prover or manual review.

Proof time: 3 hours, starting from scratch, or about 15 minutes average for a small change with persistent caching of the proof results from an earlier run.

In short - we're down to "coffee break" timescales to re-prove the whole thing, so the developers always re-run the proof _before_ the commit any change to the CM system.

This is all done on desktop class machines, or a single server that costs about 2k today (16 processor cores and about 32GB RAM...nothing special at all...)

More metrics from other projects are in the paper, PDF of which is on<>

The System Safety Mailing List
Mr Jean-louis Boulanger

The System Safety Mailing List systemsafety_at_xxxxxx
Received on Mon May 04 2015 - 22:57:47 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:07 CEST