Slashdot Mirror
High Integrity Software
What is SPARK? It's a language, a subset of Ada that will run on any Ada compiler, with extensions that automated tools can analyze to prove the correctness of programs. As the author says in his Preface, "I would like my programs to work without spending ages debugging the wretched things." SPARK is designed to minimize debugging time (which averages 50% of a project's duration in most cases).
SPARK relies on Ada's idea of "programming by contract," which separates the ability to describe a software interface (the contract) from its implementation (the code). This permits each to be compiled and analyzed separately.
It specifically attempts to insure the program is correct as built, in contrast to modern Agile methods which stress cranking a lot of code fast and then making it work via testing. Though Agility is appealing in some areas, I believe that, especially for safety critical system, focus on careful design and implementation beats a code-centric view hands down.
SPARK mandates adding numerous instrumentation constructs to the code for the sake of analysis. An example from the book:
Procedure Add(X: In Integer);
--#global in out Total;
--#post Total=Total~ + X;
--#pre X > 0;
The procedure definition statement is pure Ada, but the following three statements SPARK-specific tags. The first tells the analysis tool that the only global used is Total, and that it's both an input and output variable. The next tag tells the tool how the procedure will use and modify Total. Finally a precondition is specified for the passed argument X.
Wow! Sounds like a TON of work! Not only do we have to write all of the normal code, we're also constructing an almost parallel pseudo-execution stream for the analysis tool. But isn't this what we do (much more crudely) when building unit tests? In effect we're putting the system specification into the code, in a clear manner that the tool can use to automatically check against the code. What a powerful and interesting idea!
And it's similar to some approaches we already use, like strong typing and function prototyping (though God knows C mandates nothing and encourages any level of software anarchy).
There's no dynamic memory usage in SPARK -- not that malloc() is inherently evil, but because use of those sorts of constructs can't be automatically analyzed. SPARK's philosophy is one of provable correctness. Again -- WOW!
SPARK isn't perfect, of course. It's possible for a code terrorist to cheat the language, defining, for instance, that all globals are used everywhere as in and out parameters. A good program of code inspections would serve as a valuable deterrent to lazy abuse. And it is very wordy; in some cases the excess of instrumentation seems to make the software less readable. Yet SPARK is still concise compared to, say, the specifications document. Where C allows a starkness that makes code incomprehensible, SPARK lies in a domain between absolute computerese and some level of embedded specification.
The book has some flaws: it assumes the reader knows Ada, or can at least stumble through the language. That's not a valid assumption any more. And I'd like to see real-life examples of SPARK's successes, though there's more info on that at www.sparkada.com.
I found myself making hundreds of comments and annotations in the book, underlining powerful points and turning down corners of pages I wanted to reread and think about more deeply.
A great deal of the book covers SPARK's syntax and the use of the automated analysis tools. If you're not planning to actually use the language, your eyes may glaze over in these chapters. But Part 1 of the tome, the first 80 pages which describes the philosophy and fundamentals of the language and the tools, is breathtaking. I'd love to see Mr. Barnes publish just this section as a manifesto of sorts, a document for advocates of great software to rally around. For I fear the real issue facing software development today is a focus on code ueber alles, versus creating provably correct code from the outset.
You can purchase High Integrity Software from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.
The very first page quotes C.A.R Hoare's famous and profound statement
Not to be confused with C.A.M. Hoare's famous and profound statement: "Want to see my boobies?"
Or do they sit around thinking of methodologies to write books about?
Those who can, do, those who can't, teach?
Seriously, I'm not one to complain, but this isn't a review; it's a guy saying "WOW" repeatedly.
"High Integrity Software"
SCO should adopt that as their motto.
Trolling is a art,
..if the contract itself is wrong?
I thought car whores are the girl who pose for all the car magazines. Or the ones that sleep with the guy with the coolest car.
Ok, I know nothing about SPARK, so forgive my ignorance. Why is the "contract" paradigm different from standard object oriented languages with public class interfaces?
Now, is there a language to ensure that your boss asks you to program the right thing?
In General, if you want info, RTFA. However for those of you who just want some links to check things out quickly:
Hereis a PDF that contains samble chapters of the book reviewed.
Also from the same site is the following text and links for those of you wanting "real world examples":
"Industrial Experience with SPARK (PDF 234kb) Dr. Roderick Chapman, Praxis Critical Systems Limted. Presented at ACM SigAda 2000 conference. This paper discusses three large, real-world projects (C130J, SHOLIS and the MULTOS CA) where SPARK has made a contribution to meeting stringent software engineering standards. "
The Army reading list
Let's see: massively complex, but with obvious deficiencies.
The Army reading list
SPARK is used heavily in the safety critical software in the Eurofighter amongst other projects. It is a complete pain to type all of the annotation, takes forever to run the tool and it very rarely comes up with any real problems in the code. I would pay good money never to have to go near it again. It was used to meet contractual requirements, not engineering requirements.
One neat trick is to generate a large proportion of the annotation from the output error messages. Sort of defeats using the tool though but since it doesn't find much anyway the time freed up can be used to do some real testing.
Why not use a language that's smart enough to prove code written in a useful language, not just a toy?
Everybody's a libertarian 'till their neighbour's becomes a crack house.
I would have been interested if all this instrumentation had been grafted onto a language like Java, or C++. But to have to switch to Ada just to be able to add in instrumentation that helps in code analysis? It's also funny that he WOW's at the idea of no dynamic memory allocation... Why not just use a type safe language?
This sounds a bit like Alloy. Alloy is both a code modelling language (like UML), but structured in such a way that the model can be analysed automatically using SAT solvers (yeah, I didn't know what those were at first either. Here's a site with some good info on them).
Alloy's cool because you can use it to model code at a very abstract, high level (much like SPARK, it seems), although with Alloy you aren't tied to any specific language. The downside is that since the model isn't embedded in the code it's more useful as a design tool than something which will "guarantee" correctness every time you compile.
This seems rather a waste of time. You either first describe exactly what the code does, then write the code, or you write a simplification of what the code does, then the code.
In the first case, you write the exact same thing twice, in different languages. That sounds like an immense waste of time to me.
In the second case, your specification does not cover every aspect, which introduces loopholes, defeating the purpose of the contract.
In either case, you get in trouble if there are errors in the contract.
Please correct me if I got my facts wrong.
It's not so much that they can figure them out as it is they don't care to.
The best available modern system for formal verification is the Extended Static Checking system for Java developed at DEC SRL. This was developed at DEC before HP shut down that research operation. It's still available as a free download.
What all this machinery does is put teeth into "design by contract". With systems like this, you can tell if a function implements its contract, and you can tell if a caller complies with the contract of each thing they call. Before running the program.
Developing in this mode means spending forever getting rid of the static analysis errors. Then, the program usually just runs. That's exactly what you want for embedded systems. But it's painful for low-grade programming like web site development, where "cosmetic errors" are tolerable and time-to-market matters more than correctness.
This sounds very much like (looks very much like, as well) a project that some of my professors were working on a few years back at Ohio State University, called Resolve C++. I also recall that they were working with another university (can't remember which... maybe U Penn?) on Resolve Ada.
The basic idea was that they added a whole ton of syntactic sugar to C++ (not by structured comments, but by adding a bunch of key words that were #defined into nothing). I'm curious if this is related to that work at all. (At the time I was convinced that it was total crap, but several years of experience have shown me what they were trying to accomplish, if poorly.)
:Wq
Not an editor command: Wq
Whatever the test application is doing to run those tests, why not just convert its output to an EXE/binary and use THAT as the program? Then you only have to write the tests to get both the test and the code that passes the test! That's copyright me, today, by the way.
stuff |
Crappy software is all around us (obviously). It may not seem like a huge tragedy that, say, Microsoft Windows has so many security problems but the unfortunate reality is that the entire Western Economy heavily relies upon software that is so fragile that fresh installations become compromised within minutes.
Since so much of what we depend on these days is powered by software, I can't help but feel that industrial software development should be taken under the wing of Engineering. Why, you say? Well, professional fields like medicine, law, and engineering associate a duty to public safety with the job, and the regulatory bodies for the professions ensure that individuals who practice irresponsibly will lose their profesional status.
There is no such accountability for software development. Look at Microsoft Windows, that our banks and governments rely upon! I think such a product would be much higher quality if the coders working on it were professionals and had to adhere to Codes; violating their professional duties would mean severe personal consequences. And the firm itself (Microsoft) would be legally liable if it produced a shoddy, dangerous product!
1. Global vars: BAD.
2. Borland Delphi has had some of this for while with the assert function.
It's basicly a way of making sure that all the things that can't go wrong, actually doesn't.
TC - My Photos..
I've been using ada for a little while now. Its actually a good language, with many features that provided self checking code. SPARK seems a bit excessive.
:integer range 0..15) . If x goes above 15 or under 0 during runtime you get a constraint error.
For example ada already had constrained types (x
The ada compiler checks alot of things during compile time that I've never seen before.
One thing I note that the review does not mention is the fact that SPARK is, while Turing-complete, not very much fun to program in. Starting with Ada, a pretty B&D langauge to start with, SPARK removes all the remaining pointy bits, including: "the goto statement, aliasing, default parameters for subprograms (i.e. procedures and functions), side-effects in functions, recursion, tasks, user-defined exceptions, exception handlers and generics" (list taken from here, emphasis mine), plus dynamic allocation, which is mentioned in the review.
:)
/. a while back (which I didn't read). Even if you did read it, read it again.
Basically the only excuse you could possibly have for writing something in SPARK is extremely critical code (ie, if it fails, many people die). Even then I'd be skeptical it would provide much benefit, but at least it would provide some ass-covering ability.
For a alternatve view of the practicality of correctness proofs, see chapter 4 of Peter Guttman's thesis. IIRC there was a book review of it on
"No programming language can save you from yourself."
- Me
"Many computer scientists have fallen into the trap of trying to define languages like George Orwell's Newspeak, in which it is impossible to think bad thoughts. What they end up doing is killing the creativity of programming." --Larry Wall
SPARK seems to be an extreme example. Though I've never used it, I venture to guess that in a quixotic effort to avoid all bugs SPARK only buries real bugs underneath a mountain of its own pedantry.
People interested in this should also check out Eiffel and Sather as well.
My last software project ran off with my wife, stole all my money, and crashed my new corvette. Damn! I really could have used this, instead I hired a bunch of Klingon programmers.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I thought the correct quote was:
Those who can, do. Those who can't, teach.
Those who can't teach, teach gym.
(At least according to Woody Allen).
myke
Mimetics Inc. Twitter
"The true measure of a good coder is not how complex his code is, but how simple."
Today's software systems become bigger, bigger, and bigger. Maybe single components are simplified, debugged or optimised, but not a system as a hole. The results we see today, in many systems, a single slip in one place, can screw up the entire system.
IMHO the logical way to combat this, would be to design software using methods that can be formally proven to do what they're supposed to do. Such methods do exist.
Today's security measures in operating systems (like running apps as non-root user under *nix) are in place at least for one reason: an assumption is made, that as a piece of software grows bigger, it's simply not possible to guarantee that there are no bugs in there, that it will always work as expected.
That assumption is flawed: it is possible to design software such, that it always works as expected (hardware failures aside, that is). Doing so is just very hard. Not impossible.
And how, exactly, does a static compiler prove that a certain code sequence correctly computes a square root?
Does the book go into whether or not SPARK is used anywhere in practice, or is it someone's toy compiler?
//jbaltz
I am the Lorvax, I speak for the machines.
I see, so theSpoke is an MS "community" site where one can find polls like "what car would Visual Basic be?" and view entries in the Imagine Cup short film festival which has a logo very much like the XBox.
How crappy.
Thanks for the linkage.
The D programming language has design by contract. It seems pretty similar to the SPARK idea...
Check this out.
It's part of a presentation that can be found here
-Reuben
already has, as part of the language, Design by Contract and unit testing. The D Programming Language. These provide the robustness capabilities, but while having the power of a C++ like language.
and it's called the D Programming Language. It has Design by Contract and unit testing built in to a C++ like language.
WRT: SPARK check out this report: http://www.cyberpartnership.org/SDLCFULL.pdf The report's task force was co-chaired by Microsoft and Computer Associates people and is being submitted to the DHS. It explicitly recommends SPARK as one method of increasing reliability/security. It also states "A programming language with significantly fewer possibilities for mistakes than C or C++ should be used where possible."
"Beware of bugs in the above code. I have only proven it correct, not tested it."
In aerospace, there is rarely any need for dynamic memory management (post "initialisation") - you know how many of any kind of object you are going to be dealing with at compilation time. In Ada you just don't need to resort to pointers 99 times out of 100 as the compiler will hid all that for you.
Yeah, they can be a little intense. Ada was the first language they taught at my college. Avoided it like the plauge it is. It was incredible what students didn't know how to do after two years of ada. Good programers can program in ada while ada programers can... program in ada.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Or rather, in aerospace, safety critical system have been limited to the kind of problem that can be solved without dynamic memory management.
I could imagine plenty of problems which are open-ended, safety critical, which you might want to build a computer system to solve, but dare not. Free routing, for example. Every plane has a GPS and tells every other plane where it is and where it is goint, and all the planes agree to adjusrt their speeds to avoid each other. Unlimited number of other planes transmitting routes of arbitrary complexity - and if you get it wrong, doom. On the other hand, in crowded airspace, fuel savings of up to 25% - big bucks. But too dangerous for today's software technologies. The hardware is up to it, but we cannot write the software.
Consciousness is an illusion caused by an excess of self consciousness.
> while 10 do ...
> How can I ensure that this cannot be exploited?
First ensure that it does what you expect. You wrote an endless loop. Who needs hackers to exploit code when programmers can't even write code that works?
Here's a (necessarily trivial) example, taken from the website:
To expand on the point made above...
Let us assume that we have a magic proof system that will prove that our software matches our specification.
So what do we use to define the specification? Certainly not a natural language like english. Natural languages are full of ambiguity. So we'll use a formal specification language. However, such a language is basicly like a programming language, perhaps supporting more mathematical formalism (maybe single assignment). While our formal proof system can prove that the specification is equal to our executable software, we still can't show that the specification is what we intended (e.g., the specification may have bugs).
Even if our specification is magically guaranteed to be exactly what we intended, properly specifying the design as we understand it, this does not address the problem that systems fail because of the unexpected.
There are language systems that allow some level of proof. For example, in logic synthesis, where binary logic networks for VLSI can be generated from the subsets of Verilog and VHDL languages, it is possible to prove that two designs are or are not the same by using logical reduction. This can be useful in verification and testing. But it does not change the fact that VLSI designs, just like software designs, have bugs (also known as design errors).
Even leaving the concerns about the notation to specify a problem, software perfection could only be theoretically achieved when the problem can be completely specified. Many of the critical systems where there is a lot of interest in software correctness are very complicated (e.g., modern fighter jets). The exact requirements for these systems cannot be specified since their behavior under all conditions cannot be known. So the software will always be imperfect. What we hope is that the software is not imperfect in ways that cause death.
in contrast to modern Agile methods which stress cranking a lot of code fast and then making it work via testing
I have to disagree here, the agile methodologies I'm aware of stress automated unit testing to ensure the code that follows meets the specifications. They are agile because the "contract" enforced by the unit tests allow you to see what you have broken easily after a change. If your unit tests pass then you've either not broken anything or your test coverage is insufficient. It seems that these SPARK "tags" have some of the benefits and all the problems that a good suite of automated unit tests provides.
I do however like the idea that your assumptions and dependencies are explicitly mentioned nearby where they occur. These are things that definitely sting you, especially in code you are new to (written by someone else.) All the little interdependencies and unexpected side-effects that make their way into code can really make life difficult sometimes.
I have a feeling though that this would take discipline, and if all team members were skilled and disciplined then you would likely have much of these things stated anyway.
"What we hope is that the software is not imperfect in ways that cause death." I'm copying that into my code file. That really says it.
I agree with your other points by the way. The code is the least of your worries. If it does what the requirements says, that leaves you more time to worry about whether the requirements are right, especially in the face of all the things that can screw up while it is running.
replying to an AC....
In our ada code constraint errors are handled by the exception handling. Also note that a lot of our messages/values are comming from hardware from external hardware, so we have little control over what we're getting, so read in the message into unconstrained types and then convert. We test each potential incomming message against max/min theoretically posibly values. So we think we have most of it handled.
I'm not saying I'm against the idea of SPARK, it just seems to duplicate all the testing we do. If I have a procedure that returns a float from 1.0 to 5.0 I don't need to test if its going to kick back a 6.0.
No, he's just the publicity guru of them. He came late to that technology. C.A. Hoare is probably the "father", back in the 1970s.
Oracle's proprietary extension to SQL, PL/SQL, is based on Ada. Its "package" concept borrows the contract/implementation dichotomy. First the public interfaces to the package are declared in the PACKAGE object; then the implementation is defined in the matching PACKAGE BODY.
This enables procedures to be public in scope (present in both PACKAGE and PACKAGE BODY) or private in scope (present in PACKAGE BODY only). Other elements, such as user-defined data types, constants and cursor definitions, can be part of a package as well as procedures and functions. Overloading is supported by creating multiple definitions in the PACKAGE with different "signatures" (name plus calling sequence).
So, yes, this concept is being used every day, though not with the extensive rigor of SPARKS.
We are now poised to move forward with type inference based on full blown inference engines, thereby dispensing with the nonterminating arguments over statically vs dynamically typed languages that allowed Steve Jobs's spawn such as Object-Pascal/Objective-C/Java to get its nose in the tent. If you want to declare a "type" in a declarative language, just make another declaration and let the inference engine figure out what it can do with that information prior to run time. See how easy that was? Well, there is more to it than that, but not that much: Assertions have implications and assertions made prior to run time have implications prior to run time. Live with it and don't repeat the mistakes of the past.
Seastead this.
I am not an authority in programming/engineering, but here's my guess why most software is crap despite all that talk of Software Engineering and those brilliant ideas:
Engineering World:
1) design
2) blueprint
3) plastic/clay/3D models
4) Real Thing
Software World:
1) design
2) Sell as version 1.0
3) Sell as version 2.0
4) Sell as version 3.1
Here's the biggie: the blueprints, plastic models cost about the same amount to make as the "real thing".
Willing to pay X times more for software and wait Y times longer? Will programming teams actually be allowed to do those Engineering steps?
No? Well you have to settle for the crappy plastic model then, or the scribbles on a sheet of blue paper.
As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs.
-- Maurice Wilkes
Damn, my mod points just expired, and the parent post is VERY informative to anyone interested in this thread. And it's too late to hope than other moderators might be reading this thread.
Software sucks. Open Source sucks less.
As I understand it, Spark is not Turing-complete. You can't make dynamic data structures in Spark. Otherwise, the halting problem would still be unsolvable in this subset of Ada, and so the strict verification which is the purpose of Spark would be impossible.
So yes, it's definitely not a general purpose PL, but for those rare applications where it is warranted, it does what it's supposed to (give immunity from a large class of software problems in exchange for a _lot_ of hard work). Perhaps you're not convinced, but they seem to be at lockheed martin etc.
xkcd is not in the sudoers file. This incident will be reported.