To mark the start of the joint lab ProofInUse between Inria and AdaCore, whose purpose is to co-develop the SPARK and Why3 technologies, we will be hosting a one-day workshop around SMT solvers on Monday, February 2nd 2015, in the center of Paris. Registration if free but mandatory to attend the event.
As part of our work towards the releases of SPARK Pro 15.1 and SPARK GPL 2015 in a few months, we have rewritten completely the overview of the SPARK language in the SPARK User's Guide. We have also rewritten the section called GNATprove by Example that shows concrete examples of use of formal verification.
In the first release of SPARK 2014, GNATprove only provided support for automatic provers, in particular Alt-Ergo. Automatic provers are very handy when it comes to perform a big numberof simple proof. But they can fail to prove valid formulas when the proof involves some advanced reasoning. As mentioned in a previous post, one check left unproved might invalidate assumptions on which are based the proofs of multiple other checks. This is a case where manual proof may be useful for SPARK 2014 users. The development version of GNATprove now supports Coq to perform manual proof.
The SPARK toolset is shipped with prover CVC4 in addition to Alt-Ergo. We found that attempting proof first with CVC4, and if this fails, with Alt-Ergo, provides the best compromise between running time and proof result. Therefore, we decided to set this as the default behavior, which can be changed with option --prover.
Ensuring that all variables, both the visible ones and the ones exposed through state abstractions, are initialized is not a trivial task. SPARK 2015 helps users get their design right by issuing a warning for every state abstraction that is impossible to initialize. This blog post explains how this new feature works.
Over its 20+ years of history, SPARK has known quite many cha(lle)nges. Rod Chapman, the "face" of SPARK for many years, wrote his account of this piece of history for a keynote presentation at ITP conference in July 2014. It's quite interesting to read after having just completed this year a major rewrite of the technology.
The messages issued by the SPARK toolset will change a bit in the next version of both SPARK Pro and SPARK GPL. This post explains the change and the motivation behind it.
It has just become easier to run several provers using the SPARK toolset. This post explains how.
GNATprove relies on subprogram contracts to be able to analyze subprograms independently from their callers and callees. But no contracts are compulsory: GNATprove can either generate a contract or use a default value when a contract is not provided by the user. Hence, it is important to know which contracts to write for which verification objectives.
Three upcoming conferences in Europe and USA have a strong focus on SPARK. For those of you who are curious about where and how SPARK can be used.