Re: SPARK Proof - Tutorials and Tools

comp.lang.ada
 help / color / mirror / Atom feed

From: "Michael" <fvit@shaw.ca>
Subject: Re: SPARK Proof - Tutorials and Tools
Date: Mon, 23 Mar 2009 07:55:41 -0700
Date: 2009-03-23T07:55:41-07:00	[thread overview]
Message-ID: <RpNxl.49955$eT1.33481@newsfe20.iad> (raw)
In-Reply-To: b+M9J4BFcjwJJw2$@diphi.demon.co.uk

Thank you Phil,

It is the best documentation and "how to use guide" ever made on this 
subject.

That is a long overdue and great clarification on the SPARK purpose, 
constraints and limitations.

(i.e.: Proof of Absence of Run-time Error).

"The Simplifier does not prove all provable Verification Conditions (a 
provable VC is one where the conclusions can be shown to be logical 
consequences of the hypotheses). Any VCs remaining after simplification may 
be provable (but beyond the capability of the Simplifier to prove) or 
unprovable."

That's start to make sense.

Mathematical approximations sometimes don't deal easily with computer 
calculation errors.

I was assuming that is a flight trajectory/airspace intersection instability 
risk that SPARK or Praxis's Correctness by construction can't easily 
evaluate.

I think that shall confirm SPARK as one programming insurance tool (doing it 
right), and don't compromise the use of Ada like a Computer Assisted 
Engineering tool (doing the right thing).

Now, about knowing what we are doing, did you suggest the proof must be 
elaborated once the functional behaviour has been thoroughly tested (unit, 
non-regression, integration, verification, (validation) testing - all the 
kit indeed)?

i.e.: "Proof Checker, (This option may lead to proofs that are difficult to 
maintain.)"

Indeed, that is what could have prevented the Praxis's iFACTS project from 
entering the wall.  (see above for a plausible explanation)

And about project as complex and big than iFACTS, (I have another similar in 
mind, and mind a responsible answer) would you suggest SPARK could still be 
an affordable option, e.g.: taking into account the overhead that 
annotations and proofs shall require (quite twice of the project's level of 
effort, as I would figure - learning curve not entirely included)

Cheers,

Michael,

Vancouver, British Columbia

Praxis's Tokeneer demo is also available - example is still instructive, but 
SPARK usage and limitations are poorly documented:

http://www.adacore.com/home/products/gnatpro/tokeneer/

next prev parent reply	other threads:[~2009-03-23 14:55 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-03-19 12:13 ANN: SPARK Proof - Tutorials and Tools JP Thornley
2009-03-20 16:31 ` John McCormick
2009-03-23 14:55 ` Michael [this message]
2009-03-23 19:38 ` Tim Rowe

replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox