SlideShare a Scribd company logo

Integrating Proofs, Testing & Verification Strategies

AdaCore
AdaCore

This document discusses integrating formal proofs and testing in software verification strategies. It describes how executable contracts can be used to test requirements at different levels, from low-level to high-level, more easily than traditional testing. A hybrid verification approach is proposed that uses both formal proofs and testing, with contracts protecting assumptions, to gradually introduce formal methods and gain their benefits while maintaining assurance from traditional testing.

1 of 20
Download to read offline
Integrating Proof & Testing in Verification Strategies Cyrille Comar
Agenda •  Place of Testing in Safety Standards •  Programming with executable Contracts •  Executable Contracts vs Formal Contracts •  Reducing Testing with Formal Proofs
Place of Testing in DO-178 DO-178 define mainly 6 sets of objectives related to •  Planning (7) •  Development (7) •  Verification (43) •  Configuration Management (6) ü  Various reviews & analysis •  Quality Assurance (5) ü  Requirements-Based Testing •  Certification Liaison (3) SLR HLR LLR
Requirements in DO-178 •  There are 3 levels requirements •  System Requirements (SLR) •  High-Level Requirements (HLR) •  Low-Level Requirements (LLR) LLRs SLRs HLRs Allocated to Software Software Architecture
Requirements- Based (RB) Testing in DO-178 RB Test Generation LLR HLR Hardware / Low-Level Software Software Tests Integration Integration Tests Tests RBTest Coverage Analysis Statements Structural Decisions Coverage Analysis MCDC
Robustness vs functional test cases in DO-178 •  2 kinds of test cases •  Normal Range Test Cases •  Robustness Test Cases normal    “  …  ability  of  the  software  to  respond  to                              inputs  and  conditions  …  ”   abnormal   From outside From inside (response should be specified in SLR/HLR) (Software error) Integrated software comp1 comp2 comp3
Low-Level Testing is long & difficult •  Is it as relevant as HLR based testing ? •  LLR verification is important but is “testing” the most appropriate one? subp2   subp1   subp5   subp3   subp4   Test subp6   harness Subp3 Subp4 stub
Programming by Contract •  Precondition     •  Postcondition     •  A CONTRACT is •  Invariant     •  Predicate     •  A logical property •  Assertion   •  subprogram   •  type   •  Associated with a program entity •  statement   •  It can be verified •  It can be relied upon
Programming By Contract ( Ada examples) procedure Square_Root (Input : Integer; Res : out Natural) with pre => Input >= 0, post => Res * Res <= Input and (Res+1)*(Res+1) > Input; Implicit contract Explicit contract type Positive_Stack is private with Invariant => Is_Empty (Stack) or else Top (Stack) > 0; subtype Odd_Positive is Natural with Predicate => (Odd_Positive/2)*2 /= Odd_Positive;
What can Contracts be used for? •  Adding user-defined dynamic checks at runtime •  A way of expressing constraints, properties LLRs “When a low level requirement can be expressed as a contract, it can be tested much more easily”
Robustness Testing & Contracts • Internal Robustness issues are related to Run-Time Errors • Ada guarantees (most cases of) RTEs è run-time exception • Preconditions are better than “defensive coding” • The more runtime checks the better Robustness Testing is
Requirement Testing & Contracts •  LLR is expressed as a subprogram contract •  Successful execution of Postcondition è Test successful •  No need for collecting & verifying output
Executable Contracts vs Formal Contracts procedure  Square_Root     procedure  Square_Root        (Input  :  Integer;  Res  :  out  Natural)      (Input  :  Integer;  Res  :  out  Natural)   with     -­‐-­‐#  pre    Input  >=  0;      pre    =>  Input  >=  0,   -­‐-­‐#  post        Res      *  Res        <=  Input        post  =>    Res      *  Res        <=  Input     -­‐-­‐#        and  (Res+1)*(Res+1)  >    Input;                and  (Res+1)*(Res+1)  >    Input;           (Ada  2012)   (SPARK  2005)   •  Execution of “executable” contracts can be disabled •  The syntactic difference is not relevant •  The same contracts can be interpreted in 2 different world Executable boolean expression First order logic formula
Requirement based Verification & Formal Contracts •  LLR is expressed as a subprogram formal contract •  Successful proof of Postcondition è LLR verified for any input •  Approach allowed by DO-333 •  Proof of absence of RTEs provides for some Robustness verification
Hybrid Verification (1) •  Some LLRs are tested •  Some LLRs are proved •  Is the combination as “strong” as all LLRs are tested?
Hybrid Verification (2) Modular Formal verification is based on assumptions: •  My Precondition is never violated by Callers •  Postconditions of callees are true after the call •  all outputs are known •  Direct or Indirect •  Explicit (out parameters) or Implicit (globals) •  No surprises (e.g. unexpected aliasing)
Hybrid Verification (3) Tested_Function   calls Proved_Function   Precondition must be executed Proved_Function   calls Tested_Function   Postcondition must be executed •  Executable contracts “protect” assumptions of formal verification •  Globals can be computed by static analysis •  Surprises can be eliminated by subsetting
Conclusion: Hybrid Verification Benefits •  Helps with gradual introduction of Formal proofs •  The traditional 80 / 20 % rule is true for both formal verification and testing 80% remaining easily tested 80% easily proved
Extra information •  Open-DO Initiative •  www.open-do.org •  http://www.open-do.org/projects/hi-lite/
Cyrille Comar +33-1-49-70-67-16 comar@adacore.com 46 Rue d’Amsterdam Paris 75009

Recommended

02 test automation functional testing (qtp)
02 test automation functional testing (qtp)02 test automation functional testing (qtp)
02 test automation functional testing (qtp)Siddireddy Balu
 
Manual testing
Manual testingManual testing
Manual testingKrishna Gurjar
 
Bangalore march07
Bangalore march07Bangalore march07
Bangalore march07Obsidian Software
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Engineering Software Lab
 
Synopsys jul1411
Synopsys jul1411Synopsys jul1411
Synopsys jul1411Samsung Electronics Egypt
 
Agilent flash programming agilent utility card versus deep serial memory-ca...
Agilent flash programming agilent utility card versus deep serial memory-ca...Agilent flash programming agilent utility card versus deep serial memory-ca...
Agilent flash programming agilent utility card versus deep serial memory-ca...AgilentT&amp;M EMEA
 
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...balDYxan
 
system verilog
system verilogsystem verilog
system verilogVinchipsytm Vlsitraining
 

Recommended

02 test automation functional testing (qtp)
02 test automation functional testing (qtp)02 test automation functional testing (qtp)
02 test automation functional testing (qtp)Siddireddy Balu
 
Manual testing
Manual testingManual testing
Manual testingKrishna Gurjar
 
Bangalore march07
Bangalore march07Bangalore march07
Bangalore march07Obsidian Software
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Engineering Software Lab
 
Synopsys jul1411
Synopsys jul1411Synopsys jul1411
Synopsys jul1411Samsung Electronics Egypt
 
Agilent flash programming agilent utility card versus deep serial memory-ca...
Agilent flash programming agilent utility card versus deep serial memory-ca...Agilent flash programming agilent utility card versus deep serial memory-ca...
Agilent flash programming agilent utility card versus deep serial memory-ca...AgilentT&amp;M EMEA
 
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...Construction of sfiCAN: a star-based fault-injection infrastructure for the C...
Construction of sfiCAN: a star-based fault-injection infrastructure for the C...balDYxan
 
system verilog
system verilogsystem verilog
system verilogVinchipsytm Vlsitraining
 
Uvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academyUvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academyRaghavendra Kamath
 
Neil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandNeil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandDavid O'Dowd
 
07 Outsource To India Independent Testing
07 Outsource To India Independent Testing07 Outsource To India Independent Testing
07 Outsource To India Independent TestingoutsourceToIndia
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timObsidian Software
 
Sharam salamian
Sharam salamianSharam salamian
Sharam salamianObsidian Software
 
A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design chiportal
 
System verilog important
System verilog importantSystem verilog important
System verilog importantelumalai7
 
Analogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient TruthAnalogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient TruthDVClub
 
Functional verification techniques EW16 session
Functional verification techniques EW16 sessionFunctional verification techniques EW16 session
Functional verification techniques EW16 sessionSameh El-Ashry
 
Functial Verification Tutorials
Functial Verification TutorialsFunctial Verification Tutorials
Functial Verification Tutorialsguestbcfac5
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 
Jonathan bromley doulos
Jonathan bromley doulosJonathan bromley doulos
Jonathan bromley doulosObsidian Software
 
Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)Peter Tröger
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog Ramdas Mozhikunnath
 
Coverage Solutions on Emulators
Coverage Solutions on EmulatorsCoverage Solutions on Emulators
Coverage Solutions on EmulatorsDVClub
 
Stinson post si and verification
Stinson post si and verificationStinson post si and verification
Stinson post si and verificationObsidian Software
 
System verilog verification building blocks
System verilog verification building blocksSystem verilog verification building blocks
System verilog verification building blocksNirav Desai
 
H S
H SH S
H SJEDAmarketing
 
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...railsconf
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
 
When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?ISA Interchange
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 

More Related Content

What's hot

Uvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academyUvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academyRaghavendra Kamath
 
Neil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandNeil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandDavid O'Dowd
 
07 Outsource To India Independent Testing
07 Outsource To India Independent Testing07 Outsource To India Independent Testing
07 Outsource To India Independent TestingoutsourceToIndia
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timObsidian Software
 
A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design chiportal
 
System verilog important
System verilog importantSystem verilog important
System verilog importantelumalai7
 
Analogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient TruthAnalogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient TruthDVClub
 
Functional verification techniques EW16 session
Functional verification techniques EW16 sessionFunctional verification techniques EW16 session
Functional verification techniques EW16 sessionSameh El-Ashry
 
Functial Verification Tutorials
Functial Verification TutorialsFunctial Verification Tutorials
Functial Verification Tutorialsguestbcfac5
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 
Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)Peter Tröger
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog Ramdas Mozhikunnath
 
Coverage Solutions on Emulators
Coverage Solutions on EmulatorsCoverage Solutions on Emulators
Coverage Solutions on EmulatorsDVClub
 
Stinson post si and verification
Stinson post si and verificationStinson post si and verification
Stinson post si and verificationObsidian Software
 
System verilog verification building blocks
System verilog verification building blocksSystem verilog verification building blocks
System verilog verification building blocksNirav Desai
 
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...railsconf
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineeringSaswat Padhi
 

What's hot (20)

Uvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academyUvm cookbook-systemverilog-guidelines-verification-academy
Uvm cookbook-systemverilog-guidelines-verification-academy
 
Neil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandNeil Tompson - SoftTest Ireland
Neil Tompson - SoftTest Ireland
 
07 Outsource To India Independent Testing
07 Outsource To India Independent Testing07 Outsource To India Independent Testing
07 Outsource To India Independent Testing
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_tim
 
Sharam salamian
Sharam salamianSharam salamian
Sharam salamian
 
A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design A comprehensive formal verification solution for ARM based SOC design
A comprehensive formal verification solution for ARM based SOC design
 
System verilog important
System verilog importantSystem verilog important
System verilog important
 
Analogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient TruthAnalogue Behavioral Modelling: An Inconvenient Truth
Analogue Behavioral Modelling: An Inconvenient Truth
 
Functional verification techniques EW16 session
Functional verification techniques EW16 sessionFunctional verification techniques EW16 session
Functional verification techniques EW16 session
 
Functial Verification Tutorials
Functial Verification TutorialsFunctial Verification Tutorials
Functial Verification Tutorials
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environment
 
Jonathan bromley doulos
Jonathan bromley doulosJonathan bromley doulos
Jonathan bromley doulos
 
Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)Dependable Systems - Hardware Dependability with Redundancy (14/16)
Dependable Systems - Hardware Dependability with Redundancy (14/16)
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog
 
Coverage Solutions on Emulators
Coverage Solutions on EmulatorsCoverage Solutions on Emulators
Coverage Solutions on Emulators
 
Stinson post si and verification
Stinson post si and verificationStinson post si and verification
Stinson post si and verification
 
System verilog verification building blocks
System verilog verification building blocksSystem verilog verification building blocks
System verilog verification building blocks
 
H S
H SH S
H S
 
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
Below And Beneath Tdd Test Last Development And Other Real World Test Patter...
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 

Viewers also liked

When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?ISA Interchange
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 
Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Power Specialties, Inc.
 
Process Safety Kpi
Process Safety KpiProcess Safety Kpi
Process Safety KpiArthurGroot
 
Sil target selection verification exida
Sil target selection verification exidaSil target selection verification exida
Sil target selection verification exidaKoenLeekens
 

Viewers also liked (10)

When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systems
 
SIL in the practice: Safety by design
SIL in the practice: Safety by designSIL in the practice: Safety by design
SIL in the practice: Safety by design
 
Sil presentation
Sil presentationSil presentation
Sil presentation
 
LAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSISLAYER OF PROTECTION ANALYSIS
LAYER OF PROTECTION ANALYSIS
 
Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)Understanding Safety Level Integrity Levels (SIL)
Understanding Safety Level Integrity Levels (SIL)
 
Safety Integrity Levels
Safety Integrity LevelsSafety Integrity Levels
Safety Integrity Levels
 
What is a LOPA?
What is a LOPA?What is a LOPA?
What is a LOPA?
 
Process Safety Kpi
Process Safety KpiProcess Safety Kpi
Process Safety Kpi
 
Sil target selection verification exida
Sil target selection verification exidaSil target selection verification exida
Sil target selection verification exida
 

Similar to Integrating Proofs, Testing & Verification Strategies

Session 9 advance_verification_features
Session 9 advance_verification_featuresSession 9 advance_verification_features
Session 9 advance_verification_featuresNirav Desai
 
Contract-oriented PLSQL Programming
Contract-oriented PLSQL ProgrammingContract-oriented PLSQL Programming
Contract-oriented PLSQL ProgrammingJohn Beresniewicz
 
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdfMiguelAngelMacas1
 
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...Michael Reif
 
Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with SonarMax Kleiner
 
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...OdessaJS Conf
 
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame GraphsSANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphscorpaulbezemer
 
DFR a case study using a physics of failure
DFR a case study using a physics of failure DFR a case study using a physics of failure
DFR a case study using a physics of failure ASQ Reliability Division
 
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...QAI
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile DeveloperBSGAfrica
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingRISC-V International
 
Software Testing , levels, Techniques, Tools
Software Testing , levels, Techniques, ToolsSoftware Testing , levels, Techniques, Tools
Software Testing , levels, Techniques, ToolsAli Raza
 
Client Side Unit Testing
Client Side Unit TestingClient Side Unit Testing
Client Side Unit Testingcloud chen
 

Similar to Integrating Proofs, Testing & Verification Strategies (20)

Session 9 advance_verification_features
Session 9 advance_verification_featuresSession 9 advance_verification_features
Session 9 advance_verification_features
 
Contract-oriented PLSQL Programming
Contract-oriented PLSQL ProgrammingContract-oriented PLSQL Programming
Contract-oriented PLSQL Programming
 
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf
21E-WhatsTheFuss_UsingProceduresAndServicePrograms.pdf
 
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...
Judge: Identifying, Understanding, and Evaluating Sources of Unsoundness in C...
 
Code Review with Sonar
Code Review with SonarCode Review with Sonar
Code Review with Sonar
 
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...
Олексій Павленко. CONTRACT PROTECTION ON THE FRONTEND SIDE: HOW TO ORGANIZE R...
 
SANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame GraphsSANER 2015 ERA track: Differential Flame Graphs
SANER 2015 ERA track: Differential Flame Graphs
 
DFR a case study using a physics of failure
DFR a case study using a physics of failure DFR a case study using a physics of failure
DFR a case study using a physics of failure
 
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...
CMMI High Maturity Best Practices HMBP 2010: Demystifying High Maturity Imple...
 
ITS-Fidel
ITS-FidelITS-Fidel
ITS-Fidel
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
 
Software testing basics and its types
Software testing basics and its typesSoftware testing basics and its types
Software testing basics and its types
 
Embedded c
Embedded cEmbedded c
Embedded c
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 
Unit 6
Unit 6Unit 6
Unit 6
 
Software Testing , levels, Techniques, Tools
Software Testing , levels, Techniques, ToolsSoftware Testing , levels, Techniques, Tools
Software Testing , levels, Techniques, Tools
 
ASIC design verification
ASIC design verificationASIC design verification
ASIC design verification
 
Cucumber presenation
Cucumber presenationCucumber presenation
Cucumber presenation
 
Client Side Unit Testing
Client Side Unit TestingClient Side Unit Testing
Client Side Unit Testing
 
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAUTest Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
Test Automation and Keyword-driven testing af Brian Nielsen, CISS/AAU
 

More from AdaCore

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?AdaCore
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsAdaCore
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verificationAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationAdaCore
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...AdaCore
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!AdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologyAdaCore
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextAdaCore
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareAdaCore
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentAdaCore
 

More from AdaCore (20)

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 context
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
 

Integrating Proofs, Testing & Verification Strategies

  • 1. Integrating Proof & Testing in Verification Strategies Cyrille Comar
  • 2. Agenda •  Place of Testing in Safety Standards •  Programming with executable Contracts •  Executable Contracts vs Formal Contracts •  Reducing Testing with Formal Proofs
  • 3. Place of Testing in DO-178 DO-178 define mainly 6 sets of objectives related to •  Planning (7) •  Development (7) •  Verification (43) •  Configuration Management (6) ü  Various reviews & analysis •  Quality Assurance (5) ü  Requirements-Based Testing •  Certification Liaison (3) SLR HLR LLR
  • 4. Requirements in DO-178 •  There are 3 levels requirements •  System Requirements (SLR) •  High-Level Requirements (HLR) •  Low-Level Requirements (LLR) LLRs SLRs HLRs Allocated to Software Software Architecture
  • 5. Requirements- Based (RB) Testing in DO-178 RB Test Generation LLR HLR Hardware / Low-Level Software Software Tests Integration Integration Tests Tests RBTest Coverage Analysis Statements Structural Decisions Coverage Analysis MCDC
  • 6. Robustness vs functional test cases in DO-178 •  2 kinds of test cases •  Normal Range Test Cases •  Robustness Test Cases normal    “  …  ability  of  the  software  to  respond  to                              inputs  and  conditions  …  ”   abnormal   From outside From inside (response should be specified in SLR/HLR) (Software error) Integrated software comp1 comp2 comp3
  • 7. Low-Level Testing is long & difficult •  Is it as relevant as HLR based testing ? •  LLR verification is important but is “testing” the most appropriate one? subp2   subp1   subp5   subp3   subp4   Test subp6   harness Subp3 Subp4 stub
  • 8. Programming by Contract •  Precondition     •  Postcondition     •  A CONTRACT is •  Invariant     •  Predicate     •  A logical property •  Assertion   •  subprogram   •  type   •  Associated with a program entity •  statement   •  It can be verified •  It can be relied upon
  • 9. Programming By Contract ( Ada examples) procedure Square_Root (Input : Integer; Res : out Natural) with pre => Input >= 0, post => Res * Res <= Input and (Res+1)*(Res+1) > Input; Implicit contract Explicit contract type Positive_Stack is private with Invariant => Is_Empty (Stack) or else Top (Stack) > 0; subtype Odd_Positive is Natural with Predicate => (Odd_Positive/2)*2 /= Odd_Positive;
  • 10. What can Contracts be used for? •  Adding user-defined dynamic checks at runtime •  A way of expressing constraints, properties LLRs “When a low level requirement can be expressed as a contract, it can be tested much more easily”
  • 11. Robustness Testing & Contracts • Internal Robustness issues are related to Run-Time Errors • Ada guarantees (most cases of) RTEs è run-time exception • Preconditions are better than “defensive coding” • The more runtime checks the better Robustness Testing is
  • 12. Requirement Testing & Contracts •  LLR is expressed as a subprogram contract •  Successful execution of Postcondition è Test successful •  No need for collecting & verifying output
  • 13. Executable Contracts vs Formal Contracts procedure  Square_Root     procedure  Square_Root        (Input  :  Integer;  Res  :  out  Natural)      (Input  :  Integer;  Res  :  out  Natural)   with     -­‐-­‐#  pre    Input  >=  0;      pre    =>  Input  >=  0,   -­‐-­‐#  post        Res      *  Res        <=  Input        post  =>    Res      *  Res        <=  Input     -­‐-­‐#        and  (Res+1)*(Res+1)  >    Input;                and  (Res+1)*(Res+1)  >    Input;           (Ada  2012)   (SPARK  2005)   •  Execution of “executable” contracts can be disabled •  The syntactic difference is not relevant •  The same contracts can be interpreted in 2 different world Executable boolean expression First order logic formula
  • 14. Requirement based Verification & Formal Contracts •  LLR is expressed as a subprogram formal contract •  Successful proof of Postcondition è LLR verified for any input •  Approach allowed by DO-333 •  Proof of absence of RTEs provides for some Robustness verification
  • 15. Hybrid Verification (1) •  Some LLRs are tested •  Some LLRs are proved •  Is the combination as “strong” as all LLRs are tested?
  • 16. Hybrid Verification (2) Modular Formal verification is based on assumptions: •  My Precondition is never violated by Callers •  Postconditions of callees are true after the call •  all outputs are known •  Direct or Indirect •  Explicit (out parameters) or Implicit (globals) •  No surprises (e.g. unexpected aliasing)
  • 17. Hybrid Verification (3) Tested_Function   calls Proved_Function   Precondition must be executed Proved_Function   calls Tested_Function   Postcondition must be executed •  Executable contracts “protect” assumptions of formal verification •  Globals can be computed by static analysis •  Surprises can be eliminated by subsetting
  • 18. Conclusion: Hybrid Verification Benefits •  Helps with gradual introduction of Formal proofs •  The traditional 80 / 20 % rule is true for both formal verification and testing 80% remaining easily tested 80% easily proved
  • 19. Extra information •  Open-DO Initiative •  www.open-do.org •  http://www.open-do.org/projects/hi-lite/