Stuart Matthews gave this talk at the recent SPARK User Group. In it he presents the next generation of the SPARK language, which will extend the range of programs that can be automatically verified and provide an innovative means for combining formal verification and testing.
Stuart Matthews
Future Directions of the SPARK Technology
High Assurance Software Symposium
SPARK – A Distinguished Track Record
• The origins of SPARK are in research started over 25 years ago …
SPARK’s Success
• SPARK has achieved success across industry domains …
• and in high-profile mission-critical systems …
SPARK Evolution
• The SPARK language has evolved over the years: SPARK ’83, ’95, 2005 – and RavenSPARK
• In 2009 the release of SPARK Pro provided an updated interface to the tool environment:
  • GNAT Tracker
  • GPS & GNATbench IDEs
Current Context & Influences
• Our desire to innovate and extend SPARK’s capabilities continues today
• Strong links with academic and research communities:
  • Collaborative research
  • SPARK community projects
• Opportunities and challenges in the high-assurance software domain …
Challenges & Opportunities
• Requirement for more efficient assurance tools & techniques for high-grade secure software
• Increasing demand for security in safety & mission-critical software
• Ada 2012 – contract-based programming
• Success of Hi-Lite project – combination of unit testing and formal proof
The Next Generation SPARK Technology
• Now under development …
• A new framework for high assurance software development, comprising:
  • Updated SPARK Language
  • Powerful Verification Toolset
  • Software Engineering Method
  • Training for software engineers
Next Generation SPARK Language
• Convergence with Ada 2012 syntax …

  Before (current SPARK annotations):

  package Ex05
  --# own Counter;
  --# initializes Counter;
  is
     procedure Exchange (X, Y : in out Integer);
     --# global in out Counter;
     --# derives X from Y &
     --#         Y from X &
     --#         Counter from Counter;
     --# pre  X /= Y;
     --# post X = Y~ and Y = X~;
  end Ex05;

  After (Ada 2012 aspects):

  package Ex14
    with Abstract_State => Counter,
         Initializes    => Counter
  is
     procedure Exchange (X, Y : in out Integer)
       with Global  => (In_Out => Counter),
            Depends => (X => Y,
                        Y => X,
                        Counter => Counter),
            Pre     => X /= Y,
            Post    => X = Y'Old and Y = X'Old;
  end Ex14;

• Support for executable and mathematical/provable contracts
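The slide shows only the Ex14 specification. The following is an added example, not code from the slides or from the SPARK project, that completes it with a package body refining the abstract state Counter and a small driver. The body, the concrete variable Calls, the driver Main and the SPARK_Mode aspects are assumptions made here. Because the Pre and Post aspects are ordinary Ada 2012 contracts, the same source can either be compiled with assertions enabled (`-gnata`) so the contracts are checked at run time, or be handed to the proof tool so they are discharged statically; that is the executable/provable duality the bullet above refers to.

```ada
--  Added example: body and driver for the Ex14 spec on the slide.
--  Split into units with gnatchop, then `gnatmake -gnata main.adb`
--  for run-time contract checking, or run the proof tool on the sources.

package Ex14
  with SPARK_Mode     => On,
       Abstract_State => Counter,
       Initializes    => Counter
is
   procedure Exchange (X, Y : in out Integer)
     with Global  => (In_Out => Counter),
          Depends => (X => Y, Y => X, Counter => Counter),
          Pre     => X /= Y,
          Post    => X = Y'Old and Y = X'Old;
end Ex14;

package body Ex14
  with SPARK_Mode    => On,
       Refined_State => (Counter => Calls)   --  assumed refinement
is
   Calls : Natural := 0;   --  concrete state behind the abstract Counter

   procedure Exchange (X, Y : in out Integer)
     with Refined_Global  => (In_Out => Calls),
          Refined_Depends => (X => Y, Y => X, Calls => Calls)
   is
      Tmp : constant Integer := X;
   begin
      X := Y;
      Y := Tmp;
      --  The guard keeps the increment free of an overflow check failure,
      --  so the body proves without any extra precondition.
      if Calls < Natural'Last then
         Calls := Calls + 1;
      end if;
   end Exchange;
end Ex14;

with Ex14;
with Ada.Text_IO;
procedure Main is
   A : Integer := 1;
   B : Integer := 2;
begin
   --  Pre holds (1 /= 2); with -gnata the Post is evaluated after the call.
   Ex14.Exchange (A, B);
   Ada.Text_IO.Put_Line ("A =" & Integer'Image (A) & " B =" & Integer'Image (B));
   --  A call with A = B would fail the precondition at run time, and the
   --  proof tool would report the violated Pre at the call site instead.
end Main;
```

The driver is deliberately outside SPARK_Mode so that it may use Ada.Text_IO freely; only Ex14 is subject to proof.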
Next Generation SPARK
• Bigger Language Subset … (diagram: Next Gen. SPARK profiles)
  • Early subprogram returns
  • More OO support
  • Discriminant records
New Toolset Features:
• Replacement of unit and robustness testing by automated proof
• A Formal Analysis compatible with DO-333
• Formal container library
• …
Advanced Information Flow Analysis
• Designed to support secure systems assurance
• Visualisation of information flows
• Increased refinement of information flow contracts

  procedure Q (X, Y, Z : in Integer;
               A, B, C, D, E : out Integer);
Generative Mode
• A generative mode for data and information flow analysis

  procedure Q (X, Y, Z : in Integer;
               A, B, C, D, E : out Integer)
    with Depends => ((A, B) => (X, Y),
                     C      => (X, Z),
                     D      => Y,
                     E      => null);
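The slide gives the Depends contract for Q but no body. The following is an added example, not code from the slides or from the SPARK project, showing one body whose data and control flow yields exactly that contract: in generative mode the analysis would derive the Depends aspect from this body, and with the aspect written as on the slide it checks the body against it. The package name Flow_Demo and the body are assumptions made here.

```ada
--  Added example: a body consistent with the Depends contract on the slide.
--  Flow analysis tracks which inputs can influence each output, through
--  both assignments and the conditions that guard them; it does not
--  reason about values.

package Flow_Demo with SPARK_Mode => On is
   procedure Q (X, Y, Z : in Integer;
                A, B, C, D, E : out Integer)
     with Depends => ((A, B) => (X, Y),
                      C      => (X, Z),
                      D      => Y,
                      E      => null);
end Flow_Demo;

package body Flow_Demo with SPARK_Mode => On is
   procedure Q (X, Y, Z : in Integer;
                A, B, C, D, E : out Integer)
   is
   begin
      --  A and B each take X or Y depending on a test of X and Y,
      --  so both depend on (X, Y): the grouped "(A, B) => (X, Y)".
      if X > Y then
         A := X;
         B := Y;
      else
         A := Y;
         B := X;
      end if;

      --  C is computed from Z only, but the choice is controlled by X,
      --  so information flows from X to C as well: "C => (X, Z)".
      --  Division by a literal cannot overflow, so no run-time check fails.
      C := (if X >= 0 then Z else Z / 2);

      --  D copies Y and nothing else: "D => Y".
      D := Y;

      --  E is a constant; it depends on no input at all: "E => null".
      E := 0;
   end Q;
end Flow_Demo;
```

Removing the `if X >= 0` guard around C would change the derived contract to `C => Z`, and the analysis would then report the mismatch against the written Depends; that is the check an information-flow contract provides for a security review.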
Powerful Verification Tools
• Higher levels of automation for proof of functional properties
• Improved diagnostics for unproved VCs
• Interactive path display
• Counter example generation

  *** Found a counter-example to
  function_example_1_1, conclusion C2:
  (For path(s) from start to run-time check
  associated with statement of line 30:)
  This conclusion is false if:
  x = -2147483648
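The value -2147483648 in the tool output above is Integer'First on a 32-bit Integer, the classic input for which negation (and `abs`) has no representable result. The following is an added example, not code from the slides or from the SPARK project, of a function whose overflow check fails for exactly that value, alongside a version whose precondition excludes it. The names Counter_Demo, Abs_Value and Safe_Abs are assumptions made here; the slide does not show the source behind function_example_1_1.

```ada
--  Added example: an unprovable overflow check and its guarded counterpart.
--  With -gnata, Abs_Value (Integer'First) raises Constraint_Error at run
--  time; under proof the overflow check on -X cannot be discharged, and a
--  counter-example generator reports X = Integer'First (-2147483648).

package Counter_Demo with SPARK_Mode => On is

   --  Unproved: for X = Integer'First the result of -X does not fit.
   function Abs_Value (X : Integer) return Integer is
     (if X >= 0 then X else -X);

   --  Proved: the precondition removes the single failing input, so the
   --  overflow check holds on every remaining path and the Post follows.
   function Safe_Abs (X : Integer) return Integer is
     (if X >= 0 then X else -X)
     with Pre  => X > Integer'First,
          Post => Safe_Abs'Result >= 0 and Safe_Abs'Result = abs X;

end Counter_Demo;
```

The precondition moves the obligation to each caller, where the proof tool checks it in turn; that is usually preferable to widening the type, because the unrepresentable case is made explicit in the contract rather than hidden in a wider intermediate.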
Next Generation SPARK Will Be …
• Released in Q1 of 2014
• Available alongside the current SPARK and SPARK Pro toolsets
• Developed in collaboration with research partners and an industrial advisory panel
• Previewed in a β-Release for SPARK Pro customers in 2013
Further Information
• Questions
• SPARK Team members are available today!
• For further detailed information, please contact
  • Michaël Friess [email protected]
  or
  • Stuart Matthews stuart.matthews@altran-praxis.com
Altran Praxis Limited
22 St Lawrence Street
Bath BA1 1AN
United Kingdom
Telephone: +44 (0) 1225 466991
Facsimile: +44 (0) 1225 469006
Website: altran-praxis.com