SPARK 2014

Expanding the boundaries of safe and secure programming.

Learn more about SPARK 2014

SPARK GPL 2016 Is Available

by Yannick Moy in News – June 1, 2016

The annual releases of GNAT GPL and SPARK GPL have just been announced, and can be downloaded from For SPARK, this means support of concurrency with Ravenscar, generation of counterexamples and better proof automation. Enjoy!

GNATprove Tips and Tricks: Using the Lemma Library

by Yannick Moy in Formal Verification – May 25, 2016

A well-know result of computing theory is that the theory of arithmetic is undecidable. This has practical consequences in automatic proof of programs which manipulate numbers. The provers that we use in SPARK have a good support for addition and subtraction, but much weaker support for multiplication and division. This means that as soon as the program has multiplications and divisions, it is likely that some checks won't be proved automatically. Until recently, the only way forward was either to complete the proof using an interactive prover (like Coq or Isabelle/HOL) or to justify manually the message about an unproved check. There is now a better way to prove automatically such checks, using the recent SPARK lemma library.

Quantifying over Elements of a Container

by Claire Dross in Formal Verification – May 17, 2016

Containers holding several items of the same type such as arrays, lists, or sets are a common occurrence in computer programs. Stating a property over such containers often involves quantifying over the elements they contain. The way quantified formulas over containers are translated for proof can be tuned in GNATprove using a specific annotation.

SPARKSMT - An SMTLIB processing tool written in SPARK - Part I

by Florian Schanda in Dev Projects, Formal Verification – April 21, 2016

Today I will write the first article in a short series about the development of an SMTLIB processing tool in SPARK. Instead of focusing on features, I intend to focus on the how I have proved absence of run-time errors in the name table and lexer. I had two objectives: show absence of run-time errors, and do not write useless defensive code. Today's blog will be about the name table, a data structure found in many compilers that can map strings to a unique integer and back. The next blog post will talk about the lexical analyzer.

Did SPARK 2014 Rethink Formal Methods?

by Yannick Moy in Formal Verification, Papers and Slides – April 3, 2016

David Parnas is a well-known researcher in formal methods, who famously contributed to the analysis of the shut-down software for the Darlington nuclear power plant and designed the specification method known as Parnas tables and the development method called Software Cost Reduction. In 2010, the magazine CACM asked him to identify what was preventing more widespread adoption of formal methods in industry, and in this article on Really Rethinking Formal Methods he listed 17 areas that needed rethinking. The same year, we started a project to recreate SPARK with new ideas and new technology, which lead to SPARK 2014 as it is today. Parnas's article influenced some critical design decisions. Six years later, it's interesting to see how the choices we made in SPARK 2014 address (or not) Parnas's concerns.